
⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos

⚡ Threat of the Week

GitHub Breached via Nx Console VS Code Extension — GitHub officially confirmed that the breach of its internal repositories was the result of a compromise of an employee device involving a poisoned version of the Nx Console Microsoft Visual Studio Code (VS Code) extension. The attack is said to have allowed the threat actor, a cybercriminal group known as TeamPCP, to exfiltrate about 3,800 repositories. GitHub said it has taken steps to contain the incident and rotated critical secrets, adding that it is continuing to monitor the situation for follow-on activity. The Nx team revealed that the extension, nrwl.angular-console, was breached after one of its developers' systems was hacked in the wake of the recent TanStack supply chain attack. Other companies impacted by the TanStack compromise include OpenAI, Mistral AI, and Grafana Labs. Grafana Labs was also the target of an extortion attempt, but the company said it refused to pay the hackers who had threatened to release its codebase. The incidents are just some examples of the long tail of downstream victims emerging from the Mini Shai-Hulud campaign. This, coupled with TeamPCP's public release of the Shai-Hulud code, marks a significant evolution in software supply chain threats, as it gives attackers a ready-made blueprint for building similar worms targeting open-source repositories and developer environments.

🔔 Top News

Microsoft Took Down Fox Tempest — Microsoft has cracked down on Fox Tempest, a cyber threat actor that fueled Rhysida ransomware attacks and other infections involving Oyster, Lumma Stealer, and Vidar. The group operates upstream in the malware and ransomware supply chain, acting as an enabler and providing tools for other threat actors to carry out attacks. This included a fraudulent code-signing service that let cybercriminals deploy malware "through the front door" without being detected. While bad actors have been known to resell code-signing certificates for at least a decade, Fox Tempest's operation stood out because it provided a scalable service for extortion, phishing, SEO poisoning, or malware-laced advertising.

9-Year-Old Linux Kernel Flaw Enables Root Command Execution — A newly disclosed vulnerability in the Linux kernel remained undetected for nine years. The vulnerability, tracked as CVE-2026-46333 (CVSS score: 5.5), is a case of improper privilege management that could permit an unprivileged local user to disclose sensitive files and execute arbitrary commands as root on default installations of several major distributions, including Debian, Fedora, and Ubuntu. The issue was introduced in November 2016.

Microsoft Warned of Two Actively Exploited Defender Vulnerabilities — Microsoft has disclosed that a privilege escalation flaw and a denial-of-service flaw in Defender have come under active exploitation in the wild. While CVE-2026-41091 could allow an attacker to gain SYSTEM privileges, CVE-2026-45498 is a denial-of-service issue. Although Microsoft has not formally confirmed it, the vulnerability descriptions for CVE-2026-41091 and CVE-2026-45498 overlap with those of RedSun and UnDefend, two Defender zero-days disclosed by Chaotic Eclipse (aka Nightmare-Eclipse) last month.

Newly Disclosed Drupal Core Flaw Under Attack — A critical security flaw impacting Drupal Core has come under active exploitation within days of public disclosure. The vulnerability in question is CVE-2026-9082 (CVSS score: 6.5), an SQL injection vulnerability affecting all supported versions of Drupal Core. Drupal acknowledged that "exploit attempts are now being detected in the wild." Thales-owned Imperva said it has observed over 15,000 attack attempts targeting almost 6,000 individual sites across 65 countries.

Claude Mythos AI Finds 10K High-Severity Flaws in Popular Software — Anthropic revealed that Project Glasswing has helped uncover more than 10,000 high- or critical-severity vulnerabilities across some of the most "systemically" important software in the world since the cybersecurity initiative went live last month. Of these vulnerabilities, 6,202 have been classified as high- or critical-severity flaws impacting more than 1,000 open-source projects. Subsequent analysis of these vulnerability candidates has identified 1,726 as valid true positives. As many as 1,094 flaws are assessed to be either high- or critical-severity. In total, these efforts have led to 97 findings being patched upstream and 88 advisories being issued.

Cisco Patched CVSS 10.0 Secure Workload Flaw — Cisco rolled out updates for a maximum-severity security flaw impacting Secure Workload that could allow an unauthenticated, remote attacker to access sensitive data. Tracked as CVE-2026-20223 (CVSS score: 10.0), the vulnerability arises from insufficient validation and authentication when accessing REST API endpoints. "An attacker could exploit this vulnerability if they are able to send a crafted API request to an affected endpoint," Cisco said. "A successful exploit could allow the attacker to read sensitive information and make configuration changes across tenant boundaries with the privileges of the Site Admin user."

Microsoft Released Mitigations for YellowKey — Microsoft released a mitigation for a BitLocker bypass vulnerability named YellowKey following its public disclosure last week. The zero-day flaw, now tracked as CVE-2026-45585, carries a CVSS score of 6.8 and has been described as a BitLocker security feature bypass. The issue impacts Windows 11 Version 26H1 for x64-based Systems, Windows 11 Version 24H2 for x64-based Systems, Windows 11 Version 25H2 for x64-based Systems, Windows Server 2025, and Windows Server 2025 (Server Core installation). Microsoft noted that successful exploitation could permit an attacker with physical access to sidestep the BitLocker Device Encryption feature on the system storage device and gain access to encrypted data.

🔥 Trending CVEs

Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast. These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild. Check the list, patch what you have, and hit the ones marked urgent first: CVE-2026-48172 (LiteSpeed User-End cPanel Plugin), CVE-2026-34926 (Trend Micro Apex One), CVE-2026-20223 (Cisco Secure Workload), CVE-2026-41091, CVE-2026-45498, CVE-2026-45584 (Microsoft Defender), CVE-2026-46333 (Linux Kernel), CVE-2026-9082 (Drupal Core), CVE-2026-45585 (Microsoft Windows BitLocker), CVE-2026-2743 (SEPPMail), CVE-2026-7301, CVE-2026-7302, CVE-2026-7304 (SGLang), CVE-2026-29205 (cPanel), CVE-2026-8178 (Amazon Redshift JDBC driver), CVE-2026-8053 (MongoDB), CVE-2026-45829 aka ChromaToast (ChromaDB), CVE-2026-8153 (Universal Robots PolyScope 5), CVE-2026-3102 (ExifTool), CVE-2026-9110, CVE-2026-9111, and CVE-2026-8511 through CVE-2026-8522 (Google Chrome), CVE-2026-45434 (Apache OFBiz), CVE-2026-33000, CVE-2026-34908, CVE-2026-34909, CVE-2026-34910, CVE-2026-34911 (UniFi OS), CVE-2026-45401 (Open WebUI), CVE-2026-9256, CVE-2026-8711 (F5 NGINX Plus and NGINX Open Source), CVE-2026-20239 (Splunk Enterprise and Splunk Cloud Platform), CVE-2026-46376 (FreePBX), CVE-2026-6637 (PostgreSQL), and CVE-2026-35194 (Apache Flink).

📰 Around the Cyber World

Vulnerability Exploitation Overtakes Compromised Credentials for the First Time in Nearly Two Decades — Vulnerability exploitation has overtaken compromised credentials for the first time in nearly two decades as the most common initial access vector for data breaches, per Verizon. Nearly a third (31%) of data breaches over the past year started with vulnerability exploitation, up from 20% in 2024. Credential abuse declined from 22% to 13%. What's more, only 26% of critical vulnerabilities listed in the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog were fully remediated by organizations in 2025, a drop from 38% the previous year. "The median time for full resolution went up to 43 days, almost two weeks more than the previous year's 32 days," the report said. "In the median case, organizations had 50% more critical vulnerabilities to patch in this year's reporting dataset compared to the previous year." Ransomware accounted for 48% of all breaches last year, up from 44% in 2024. But in a positive development, ransom payments have continued to decline, with the median payment sliding from $150,000 in 2024 to almost $140,000.

Attackers Go After India's Education Ecosystem — Threat actors are abusing student data within India's education ecosystem, spanning educational institutions, third-party vendors, and online services, for phishing, impersonation, social engineering, and financially motivated fraud operations. "Attackers commonly leverage exposed or misused student information to create highly convincing scams related to admissions, scholarships, internships, fee payments, and academic services," CYFIRMA said. "In several instances, threat actors exploited trusted educational branding, fraudulent portals, and insider access to obtain credentials, financial information, or direct payments. Additionally, some cases indicated the misuse of student-linked bank accounts within broader fraud and mule account operations."

RondoDox Adds ASUS Router Flaw to its Arsenal — The operators of the RondoDox botnet have incorporated CVE-2018-5999 (CVSS score: 9.8), a critical ASUS router flaw, into their arsenal, marking the first observation of in-the-wild exploitation of the vulnerability. VulnCheck first detected the activity against its honeypots on May 17, 2026. "The attack pattern: payloads that set the ateCommand_flag to 1, enabling the infosvr interface to accept arbitrary configuration changes," VulnCheck CTO Jacob Baines said in a post on LinkedIn.

Fake Microsoft Teams Sites Deliver ValleyRAT — Fake Microsoft Teams distribution sites shared on X are being used to trick unsuspecting users into downloading a trojanized installer packaged as a ZIP archive, ultimately leading to the deployment of ValleyRAT, a malware associated with a Chinese cybercrime group called Silver Fox. "The delivered payload leverages a DLL sideloading chain via a legitimate executable (GameBox.exe) developed by Tencent, ultimately deploying a ValleyRAT variant," K7 Labs said. "This malware campaign stands out for its clean execution chain, combining social engineering with staged payload delivery, in-memory decryption, and stealthy persistence mechanisms."

Malicious Activity Targeting Malaysian Entities — Attacker-controlled infrastructure hosted on Microsoft Azure in the Malaysia West region has been used to conduct a targeted intrusion campaign against multiple Malaysian organizations, per Oasis Security. "The operation demonstrates a high degree of operational planning, with the attacker developing purpose-built Python tooling for each target — covering internal network enumeration, database access, and external data exfiltration," the company said. The infrastructure hosts target-specific Python scripts, webshell deployment tools, a Laravel remote code execution exploit chain, and source code for custom command-and-control (C2) components.

Texas Attorney General Sues Meta Over WhatsApp Encryption Claims — The Texas Attorney General has sued Meta over allegations that the company's WhatsApp messenger doesn't provide the end-to-end encryption (E2EE) it has long claimed. "Reports suggest that employees of WhatsApp have been able to access user communications," the Office of the Texas Attorney General said. "Additional reporting and investigations indicate that message content can be pulled and viewed after the message has been sent. This is a complete and total misrepresentation of Meta's privacy policies." The lawsuit hinges on a report from Bloomberg last month about how the U.S. Commerce Department's Bureau of Industry and Security had abruptly closed an investigation into allegations that Meta could access encrypted WhatsApp messages. Preliminary findings from the department claimed that "there is no limit to the type of WhatsApp message that can be viewed by Meta." Meta has called the allegations "baseless."

FIOD Arrests Two in Connection with Stark Industries — The Netherlands Fiscal Intelligence and Investigation Service (FIOD) arrested two men and seized 800 servers in connection with a web hosting company that enabled cyber attacks, interference operations, and disinformation campaigns. The arrested individuals included a 57-year-old man from Amsterdam and a 39-year-old man from The Hague. Although the name of the company was not explicitly mentioned, it is assessed to be Stark Industries, which was sanctioned by the E.U. in May 2025. Following the sanctions, a significant chunk of the technical infrastructure was transferred to a Dutch-based entity known as THE.Hosting aka WorkTitans. "This new company actually acts as a cover for the sanctioned entities," FIOD said. "The director and (indirect) sole shareholder of this company is the 57-year-old suspect." A second unnamed Dutch company is said to have played a facilitating role. "This company, of which the 39-year-old is a suspected director and sole shareh

Source: The Hacker News
