GitHub Outage Map

Community Discussion

Tips? Frustrations? Share them here. Useful comments include a description of the problem, city and postal code.

Beware of "support numbers" or "recovery" accounts that might be posted below. Make sure to report and downvote those comments. Avoid posting your personal information.

GitHub Issues Reports

Latest outage, problems and issue reports in social media:

• 
  Momo (@0xDegenMo) reported 7 minutes ago

  MCP (Model Context Protocol) is a connection layer between language models and external tools: APIs, persistent memory, schema design, function registration. Building with it involves real tooling decisions. It's not a feature you describe; it's a server you run. $SKYAI describes itself as an all-in-one AI ecosystem powered by MCP. Down ~17% today on $47M volume. Rank 177. The public GitHub footprint is thin. I've been running MCP setups for months. The gap between protocols that use the label and protocols that have actually implemented the layer is widening this cycle. Every second AI-crypto launch now claims MCP integration. Very few can show you a live server or a registered tool schema. The protocol isn't the question. Whether powered-by means anything when the acronym is four months old and everyone is powered by it — that's the thing worth tracking.

• 
  Conrad Lotz (@conradlotz) reported 7 minutes ago

  INTERESTING: Microsoft GitHub Repos Hit by Supply Chain Malware BREAKING supply chain alert: GitHub disabled 70+ Microsoft repos (including Azure Functions tools) after hackers pushed credential-stealing malware targeting AI coding agents like Claude and Gemini. Miasma worm-style attack compromised contributor access and aimed at developer workstations. Quick response, but a stark reminder of open-source trust assumptions in the AI tooling stack. Builders: Double down on verified sources, pinning, and SBOMs. #GitHub #cloud (internal note) Direct hit to dev tooling ecosystem that most founders rely on daily—highlights real operational risk in AI-powered coding workflows. What’s your current supply chain hygiene level?

• 
  Jongwon Park (@JongwonPar9958) reported 8 minutes ago

  2/ This keeps happening: benchmarks have defects, they get fixed, and the target keeps moving. To compare anything fairly you need a shared, live record of which tasks are broken — and a way to eval around it. Today that record is GitHub issues and PRs — where the real defects are buried under docs, feature requests, and the one thread that quietly breaks six tasks. Scattered across every repo, with no live status. So we built the whole loop: capture every defect → audit it into one open store → surface it everywhere, and re-eval continuously.

• 
  Nav Toor (@heynavtoor) reported 10 minutes ago

  NVIDIA charges you $19.99 a month to stream games you already own. And starting January 2026, they cap you at 100 hours. One engineer from New Zealand built the free version with no cap. It is called Steam Headless. 3,177 stars on GitHub. GPL-2.0. Built by Josh Sunnex. 225 commits. The next contributor has 16. He has done more work than everyone else combined. It is a Docker container that turns any spare PC, server, or NAS into your own personal cloud gaming machine. Install Steam inside it. Mount your games folder. Open a browser on your phone, your laptop, your tablet, your TV. Your games are right there. Streaming. From your own hardware. To anywhere in the world. It supports NVIDIA, AMD, and Intel GPUs. It streams over Moonlight, Steam Link, or straight to a web browser. It runs Proton so Windows games work on Linux. It installs Heroic, Lutris, and EmuDeck with one click for your non-Steam games. It runs on Debian Trixie, Unraid, Ubuntu Server, or Docker Compose. Last update: April 20, 2026. Still maintained. Still by one man from New Zealand. Now compare the math. GeForce NOW Ultimate: $19.99 a month. $239.88 a year. Forever. Capped at 100 hours per month. Run out? Pay $5.99 for another 15 hours. Xbox Game Pass Ultimate: $22.99 a month. $275.88 a year. Forever. You stream Microsoft's games on Microsoft's hardware on Microsoft's terms. Steam Headless: $0. Forever. Your hardware. Your games. Your network. No hour cap. No queue. No throttle. Buy a used GPU once. Run this container. Stream your entire Steam library to any device on the planet. That is the entire pitch. But DO NOT install it. We should all keep paying NVIDIA and Microsoft to play the games we already bought. 100% Open Source. (Link in the comments)

• 
  Daniel Iser (@daniel_iser) reported 10 minutes ago

  @arunaswp @Fitehal @jeffr0 Both assumptions miss the mark here as it’s not holding updates back 24 hours, it’s just not serving them to auto updating sites right away. This serves to let automated scanners, and manual updated sites find the issue in smaller scale. Reduces the effect of the compromise. All recent attacks would never have been as big if not for auto updates. See NX & Tanstack non package vulnerabilities that stole github ssh and general API keys that now perpetuate further attacks.

• 
  GoCocoaAI (@GoCocoaAI) reported 17 minutes ago

  Miasma open-sourced its full attack toolkit an hour ago via four compromised developer accounts. GitHub nuked the repos. The code is already distributed. This is not a worm story. It's a platform story. Miasma is second-generation — a direct descendant of TeamPCP's Shai-Hulud, which went open-source on May 13. Copycats emerged within days of that release. Miasma was one of them. Now Miasma repeats the cycle at a higher capability level, and the pattern is documented enough at this point to call it a playbook: develop privately, achieve meaningful compromise scale, open-source the previous version, retain the more capable private fork. The public release provides clean attribution deconfliction. Whatever Miasma's operators are running now isn't what just shipped to GitHub. It never is. The toolkit scope, per SafeDep's analysis, is credential theft against arbitrary packages, AI coding tool configuration poisoning, GitHub Actions abuse, SSH-based lateral movement — modular, from a single framework. The worm component is delivery. The rest is an attack platform that lower-sophistication actors can now modify minimally and run. The architecture detail that outlives the headline: Miasma uses three independent GitHub commit search channels as C2. No external infrastructure. Unauthenticated, over public APIs. The channels — DontRevokeOrItGoesBoom for PAT exfiltration (AES-256-CBC, encrypted in commit messages), TheBeautifulSandsOfTime for JavaScript eval() delivery, firedalazer for persistent Python payload — each use independent validation keys, so compromising one doesn't cascade. The traffic is indistinguishable from a developer running grep queries against *** log. Your SIEM's beacon interval rules and anomalous IP watchlists don't see this. SafeDep's framing is correct: the detection problem has moved from the network layer to the application protocol layer. Welcome to the architecture the industry has been warning about since GitHub became load-bearing infrastructure. Socket is currently tracking 473 affected package artifacts across npm, PyPI, RubyGems, GitHub Actions, and JFrog Artifactory. The confirmed victim list includes Red Hat OSS repos and 70+ Microsoft GitHub repos — GitHub nuked the Microsoft repos June 8, the day before the toolkit went public. 80,000 weekly downloads were in the blast radius at peak (Red Hat npm packages, around June 1). Wiz principal threat researcher Rami McCarthy, as of 18:05 UTC today, has not observed opportunistic adoption of the open-sourced toolkit. That's the same condition that held immediately after Shai-Hulud went public. Copycats appeared within days. The 72-hour window is the relevant clock right now. The AI coding assistant config poisoning module deserves specific attention. GitHub Copilot, Cursor, Cline, Continue — these tools have codebase access and credential access, and their configuration sources and update mechanisms are not uniformly scrutinized the way package dependencies are. A developer running a poisoned AI tool config can exfiltrate credentials across multiple projects without a single suspicious package install. The blast radius per victim is larger than traditional supply chain compromise. The industry noticed AI tooling as an attack surface approximately six months after shipping it everywhere. It always does. Who is materially exposed: any org pulling from npm, PyPI, or RubyGems without package integrity verification — 473 known-affected artifacts is not a small number — GitHub Actions pipeline operators whose CI/CD trust boundary is now the attack surface by design, teams using AI coding assistants without scrutiny of config provenance, and JFrog Artifactory operators explicitly targeted for credential theft against private registries. The Socket artifact count will update upward. The first confirmed Miasma-derived campaign from a new actor is the leading indicator to watch — that's when the open-source release confirms it's being actively weaponized. That clock started this morning.

• 
  ThePrimeX (@ThePrimeX12) reported 17 minutes ago

  Age verification sounds simple until you look at the privacy, OS, and app-store problems. Even with zero-knowledge proofs, someone still has to verify you first. That could be Apple, Google, Microsoft, a government ID app, a bank, a carrier, or a third-party vendor. The app may only get “18+ confirmed,” but the verifier may still collect ID scans, selfies, birthdays, device info, IP addresses, failed attempts, fraud scores, or parental consent records. Main issues: • Who stores the original data? • Can users delete it easily? • Do third-party vendors keep copies? • Are backups deleted too? • Can apps track users across services? • Are tokens app-specific or reusable? • What metadata is logged? • What happens after a breach? • What if an adult is wrongly blocked? • What about people without ID? • What about browsers and shared devices? OS/app-store problems make this harder: • Legacy apps may not support age APIs • Foreign apps may not follow the same rules • Sideloaded apps can bypass app-store checks • Windows has EXEs, Steam, Epic, GitHub, browsers, and direct downloads • Android has APKs and alternate stores • iOS has regional app-store rule differences • Web apps may avoid native OS age signals • Shared family devices can confuse adult/minor status • Offline apps may never request an age signal • Developers may not update old apps • Laws may differ by state or country Windows would be especially hard because many apps do not come from the Microsoft Store. A realistic Windows fallback could be a compliance broker: • Microsoft account verifies 18+ • Windows stores an adult eligibility credential • Apps that support the API request the age signal normally • Unknown or legacy apps with no age signal go through a fallback path • The broker confirms only “18+ verified” or “minor/unknown” • Family Safety blocks or limits minors • Verified adult accounts get access without extra app-by-app checks • Sideloaded/foreign apps can be controlled by OS permissions, warnings, or parental blocks Likely fallback paths: • For adult accounts: allow access by default once 18+ is verified • For minors: use Family Safety, parental consent, and app-store limits • For uncertain age: restrict sensitive features until verified • For legacy apps: use OS/app-store controls instead of requiring the app to understand the law • For Windows unknown apps: use an 18+ fallback API/compliance broker • For sideloading: use OS-level warnings, permissions, or parental blocks • For foreign apps: require platform-level compliance before distribution • For browsers: use a privacy-preserving OS/browser age signal • For mistakes: provide an adult override and appeal process Real solutions should include: • Verify once, not with every app • Share only an “18+” or age-range signal • Use zero-knowledge proofs • Use app-specific tokens so apps cannot track users across services • Store the credential locally on the device/account • Delete raw ID data quickly • Give users a clear delete button for every third-party vendor • Show which company verified the user • Ban ad targeting with age-verification data • Require independent audits • Require transparency reports • Use a broker/middleware path for legacy apps • Let verified adult accounts use apps without extra restrictions The goal should be child safety without turning the internet into an ID checkpoint. Age verification should prove eligibility, not expose identity.

• 
  Marquis (@mwtwts) reported 20 minutes ago

  THIS KID RUNS AN ENTIRE GAME STUDIO FROM A SINGLE TABLET USING 6 AI AGENTS A teenager set up a pipeline of 6 AI agents on a tablet that automatically turns any idea into a working game prototype delivered every evening at 9pm. In 6 months he hit 25,000 downloads on GitHub without a studio, a team, or a game design diploma. > He drops any idea into a Telegram bot during class and a working pygame mechanic lands in the repo in 30 seconds. > 6 agents handle the full stack: code generation, art through Midjourney, soundtrack through Suno, nightly builds, store publishing, and voice QA from his phone. > Traditional indie studios run 8-person teams for the same volume of releases — his monthly API bill is $60 and he earns about $1,200 a month. > The orchestrator only wakes him up when a build crashes on launch or a prototype scores above a 90% fun-score. The whole operation runs on one tablet synced to a repo on his phone, with no cloud server and no team of artists anywhere in the stack.

• 
  Hiroki Tamba | Narrative & Governance (@TambaClan) reported 20 minutes ago

  (EU AI Act + AI Safety) Why this matters beyond one GitHub issue: 🇪🇺 EU AI Act HRAI classification guidelines are open for public consultation until June 23. Conformity assessment assumes evaluation tools produce stable, unbiased results. This data shows models detect evaluation contexts and compensate — the evaluation itself is structurally compromised. Combined with the aisev grader nondeterminism finding (DOI: 10.5281/zenodo.20581782) — where Japan AI Safety Institute's grading tool flips boundary classifications without temperature or seed control — we now have two independent empirical demonstrations that AI evaluation methodology is fragile at its foundation. #AISafety #AIGovernance #EUAIAct

• 
  Kieran McLeod (@kieranmcleod) reported 22 minutes ago

  For context, I tried again today because the live folder for my GitHub PRs is broken in Arc and has been for 2 weeks - figured I would see if Dia had caught up. still no spaces, but I figured I’d try look past that. Then I tried to resync my spaces/bookmarks from Arc - no luck

• 
  Theo Wtmn (@TheoWtmn) reported 22 minutes ago

  MCP servers are multiplying so fast I can't keep up. Every week I discover a new one I should've known about. The discovery problem is real. GitHub search shouldn't be the only way to find what's possible. How do you discover new MCP servers?

• 
  Rakesh Gohel 🇨🇦 (@rakeshgohel01) reported 23 minutes ago

  Agentic coding is dead. The AI agent discipline that replaced it requires something most teams haven't built yet.. The ones who figure it out first will widen the gap on everyone else. Andrej Karpathy gave it a name earlier this year: Agentic Engineering. Not "use an AI agent to write code faster." Something far more structured designing systems where AI agents plan, write, test, and ship under real human oversight. The teams skipping this structure are producing AI slop. Code that looks right, handles no edge cases, and nobody can maintain six weeks later. 📌 Here's what agentic engineering actually looks like in practice: 1. Write specs before touching the agent The agent doesn't know your codebase conventions, naming patterns, or business logic. A rules file tells it how your project thinks,before it writes a single line. → Use case: Onboarding a new module without breaking existing architecture → Tools: Claude Code, Cursor 2. Choose your review posture and stick to it Two modes: watch the agent work and approve edits in real time, or let it run and review the final PR. Mixing them randomly is how codebases get messy fast. → Use case: Production features need "human in the loop." Internal tooling can go "agent first." → Tools: Devin, GitHub Copilot Workspace 3. Build test harnesses before scaling agent output At agent speed, a 1% error rate causes real damage. Automated tests need to catch bad code before it merges, not after. → Use case: High-volume teams running 500+ PRs weekly with quality control intact → Tools: Augment Code, Zencoder 4. Design for parallel agents, not a single session Running multiple agents simultaneously requires clear task boundaries, isolated branches, and a merge strategy not just a bigger prompt. → Use case: One agent refactors auth, another builds the API layer, a third writes tests all at once → Tools: Cursor, Kilo Code The AI agents are the workforce. Agentic engineering is the system they run on. Teams winning right now aren't better at prompting. They built better rails first.

• 
  SafuSkill.ai (@SafuSkill) reported 24 minutes ago

  Designing a fair royalty system on-chain is harder than it looks. Here's how we built Goplus SkillRoyalty on @fourdotmemezh OpenFour. Every Skill Coin launched on @SafuSkill has its own SkillRoyalty — a smart contract that lives with the token and holds its revenue. Three things make it different from how launchpads usually do this. 🔸 The money never touches us. Every trade fee flows directly into the SkillRoyalty contract. Not the platform's treasury. Not a multisig we control. The contract holds it. The contract releases it. Fully on-chain. Fully transparent. Verifiable on BscScan. 🔸 The creator doesn't have to be there at launch. Most platforms require the creator to pre-register a wallet. That's a problem — anyone can deploy your Skill before you do, and steal the rewards. We invert it. Anyone can launch a Skill Coin. But only the verified GitHub owner of that Skill can later bind their wallet and claim the royalties. Real creator, real proof, no race condition. 🔸 The split is written into the contract. The SkillRoyalty automatically distributes every fee: → 70% to the verified creator → 15% to verified real users (download + usage tracked) → 15% to ecosystem No team votes. No off-chain promises. The math is in the contract. The contract executes itself. That's the design. A self-custodied, verification-gated, auto-distributing revenue contract that lives with every Skill Coin. We call it Goplus SkillRoyalty. Security is what GoPlus does. This is just security applied to creator revenue. SkillRoyalty is the first launch mechanism on @SafuSkill. More coming. #SkillRoyalty #SkillCoin #OpenFour

• 
  Kieran McLeod (@kieranmcleod) reported 24 minutes ago

  Basically took me through the whole import rigmarole, could see my new space in Arc and then it still didn’t update the bookmarks in Dia. And then to top it all off Dia crashed as soon as I tried to login to GitHub before I even got a chance to test the live folders

• 
  Used car battery (@UseddCarBattery) reported 27 minutes ago

  @alexsbotkin @Phantom_TheGame The problem is a bunch of programs people want to use force you to install it through github