GitHub says malicious VS Code extension compromised 3,800 internal repositories

White House release of EO on cyber and AI safety is imminent, Microsoft took down malware service Fox Tempest, A bug in a Huawei enterprise router caused Luxembourg telecoms outage last year, Mini Shai-Hulud malware resurfaces across hundreds of npm packages, much more

Metacurity is the only daily cybersecurity briefing built for clarity, not agendas—no vendor spin, no echo chamber, just sharp, original aggregation and analysis of what actually matters to security leaders.

GitHub has confirmed that roughly 3,800 internal repositories were breached after one of its employees installed a malicious VS Code extension.

The company has since removed the unnamed trojanized extension from the VS Code marketplace and has secured the compromised device.

"Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately," the company said.

"Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker's current claims of ~3,800 repositories are directionally consistent with our investigation so far."

This comes after GitHub said that it was investigating claims of unauthorized access to its internal repositories and added that it has no evidence that customer data stored outside the affected repos has been affected.

While GitHub has yet to attribute the breach, the TeamPCP hacker group claimed access to GitHub source code and "~4,000 repos of private code" on the Breached cybercrime forum on Tuesday, asking for at least $50,000 for the stolen data.

"As always this is not a ransom, We do not care about extorting Github, 1 buyer and we shred the data on our end, it looks like our retirement is soon so if no buyer is found we will leak it free," the cybercriminals said. "If you are interested. Send your offers to the communications below, we are not interested in under 50k, the best offer will get it."

TeamPCP was previously linked to massive supply chain attacks targeting developer code platforms, including GitHub, PyPI, NPM, and Docker, and, more recently, to the "Mini Shai-Hulud" supply chain campaign (which also impacted two OpenAI employees). (Sergiu Gatlan / Bleeping Computer)

Related: Xcancel, Cyber Security News, Security Affairs, Benzinga, SecurityWeek, Digit, Blockonomi, crypto.news, Coinpedia Fintech News, CoinGape, The Register, Hacker News, Coinfomania

Sources say the White House plans to release its much-discussed executive order on cybersecurity and AI safety as soon as this week.

In its current form, the order seeks to bolster cybersecurity around advanced AI models and outlines plans for a voluntary framework for AI developers to inform the government about new releases, according to a readout shared with Axios and confirmed by a second source familiar with the plans.

Should the plan work as intended, the Trump White House will have made good on its promise to address AI safety after the latest cyber-capable models like Anthropic's Mythos spooked the government. (Ashley Gold / Axios)

Related: Gizmodo

Microsoft said it took down a critical service that helped cybercriminals slip through defenses by making malware look like legitimate software.

The company unsealed a legal case in the US District Court on Tuesday detailing the disruption of Fox Tempest — a popular service that has operated since May 2025 and provides cybercriminals with code-signing tools. 

The group abused Microsoft’s Artifact Signing, which is designed to verify that software is legitimate and hasn’t been tampered with. 

Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit, said cybercriminals used the service to deliver malware and enable ransomware, infecting thousands of machines and compromising networks worldwide.

“Malicious software that should have been blocked or flagged by antivirus and other safeguards was more likely to be opened, allowed to run, or pass security checks — essentially allowing malware to hide in plain sight,” he said. 

“Instead of forcing their way in, attackers could slip through the front door by masquerading as a welcomed guest.”

Masada explained that when legitimate code signing services are weaponized, everything downstream gets easier: malware looks legitimate, security warnings are less likely to trigger, and attacks are more likely to succeed. 

Ransomware affiliates tied to large groups like Rhysida, INC, Qilin, and Akira would upload their malware to the Fox Tempest site, have it legitimized, and then create fake websites masquerading as real platforms to download safe software. 

This use of short-life certificates from a trusted source allowed malware and ransomware to resemble legitimate software like AnyDesk, Teams, Putty, and Webex to bypass security controls, significantly increasing the likelihood of execution and successful delivery.

Masada noted that they seized Fox Tempest’s website, took hundreds of virtual machines offline, and blocked access to a site hosting the underlying code. He said Microsoft obtained evidence showing cybercriminals complaining about the actions. (Jonathan Greig / The Record)

Related: Microsoft, Security Week, CyberScoop, Axios, NextGov/FCW, Infosecurity Magazine, Bleeping Computer, Cybersecurity Insiders, CSO Online

An overview of malware‑signing‑as‑a‑service. Source: Microsoft.

An attack exploiting a previously unknown vulnerability in Huawei enterprise router software caused a nationwide telecoms outage in Luxembourg last year, according to multiple sources briefed on the matter, disrupting mobile, landline, and emergency communications for more than three hours.

The vulnerability has never been publicly disclosed. No CVE identifier — used by cybersecurity professionals worldwide to track software flaws and protect their systems — has been filed in any public database in the ten months since the incident, and no public warning has been issued to other operators running the same equipment.

Paul Rausch, the head of communications at POST Luxembourg, the state-owned operator whose network failed, said the incident was a denial-of-service (DoS) attack targeting a network device. He confirmed it exploited “a non-public, non-documented behaviour, for which no patch was available at the time” and was “not related to the exploitation of any known or previously documented vulnerabilities.”

Rausch said Huawei told POST it had never encountered the attack among any of its customers and had no ready-made solution.

Multiple sources briefed on the matter, who spoke on condition of anonymity to discuss confidential briefings, described the incident as a zero-day attack. There is no evidence that the incident has recurred, but the flaw remains unexplained and has not been publicly acknowledged by the company. (Alexander Martin / The Record)

Related: Security Affairs

Researchers at Aikido Security report that the self-replicating malware campaign known as Mini Shai-Hulud has resurfaced, this time embedding itself across hundreds of npm packages.

The threat actor behind it, identified as TeamPCP, has been linked to earlier waves of the same campaign, with this latest variant more capable than previous waves.

They found a worm that spreads autonomously, installs persistent backdoors at the operating system level, and is specifically engineered to survive the most common first response: removing the package.

The malware executes the moment an affected software package is installed, whether in a developer’s local environment or inside a CI/CD pipeline. A hook fires before any other step, giving the payload immediate access to the machine.

It harvests GitHub tokens, npm tokens, SSH keys, cloud provider credentials, and database connection strings. In automated build environments, it uses the pipeline’s own trusted identity to obtain publishing credentials, allowing it to push poisoned package versions to the registry under a legitimate maintainer’s name. The stolen data is sent to attacker-controlled GitHub repositories.

After it steals a publishing token, the malware checks every package that token can access, adds its code to those packages, and publishes new poisoned versions using the maintainer’s account. One infected CI runner — the machine or virtual server that automatically builds, tests, and publishes code for a project — can therefore taint every package that runner is allowed to publish. It also searches a developer’s computer for other Node.js projects and copies itself into them so that a single infected install can compromise an entire workstation.

Multiple security companies have pointed out which popular dependencies are being targeted. In this wave, it’s been popular data visualization software, including Alibaba’s open-source AntV and TallyUI. The campaign also touched widely used utilities such as echarts-for-react (a React wrapper for ECharts) and timeago.js (a small JavaScript library that allows developers to format timestamps). (Greg Otto / CyberScoop)

Related: TechCrunch, Economic Times, Bleeping Computer, Aikido Security's Blog, Endor Labs, Step Security Blog, Semgrep, CSO, Snyk

Delphos Labs' senior security researcher, Kamil Leoniak, shared a technical write-up and proof-of-concept of a recently patched local privilege escalation vulnerability in the Linux kernel's rxgk module that allows attackers to gain root access on some Linux systems.

Named DirtyDecrypt and also known as DirtyCBC, this security flaw was also autonomously found and reported by Delphos Labs and the V12 security team earlier this month, but maintainers informed V12 that it was a duplicate that had already been patched in the mainline.

"We found and reported this on May 9, 2026, but was informed it was a duplicate by the maintainers," V12 said. "It's a rxgk pagecache write due to missing COW guard in rxgk_decrypt_skb. See poc.c for more details."

While there is no official CVE ID associated with this security flaw, according to Will Dormann (principal vulnerability analyst at Tharros), the information from the security researchers aligns with the details of CVE-2026-31635, which was patched on April 25.

Successful exploitation requires running a Linux kernel with the CONFIG_RXGK configuration option, which enables RxGK security support for the Andrew File System (AFS) client and network transport. (Sergiu Gatlan / Bleeping Computer)

Related: GitHub, Delphos Labs, Security Affairs

Microsoft has shared mitigations for YellowKey, a recently disclosed Windows BitLocker zero-day vulnerability that grants access to protected drives.

The security flaw was disclosed last week by an anonymous security researcher known as 'Nightmare Eclipse,' who described it as a backdoor and published a proof-of-concept (PoC) exploit.

Microsoft said it is now tracking the YellowKey flaw under CVE-2026-45585 and shared mitigation measures to defend against potential attacks exploiting it in the wild.

"Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as 'YellowKey'. The proof of concept for this vulnerability has been made public, violating coordinated vulnerability best practices," Microsoft said.

"We are issuing this CVE to provide mitigation guidance that can be implemented to protect against this vulnerability until the security update is made available."

To mitigate YellowKey attacks, Microsoft recommended removing the autofstx.exe entry from the Session Manager's BootExecute REG_MULTI_SZ value, then reestablishing BitLocker trust for WinRE by following the procedure detailed under "Mitigations" in the CVE-2026-33825 advisory. (Sergiu Gatlan / Bleeping Computer)

Related: Microsoft, Help Net Security, Cyber Security News

A cybersecurity researcher has released a proof-of-concept exploit for a Windows privilege escalation zero-day dubbed "MiniPlasma" that lets attackers gain SYSTEM privileges on fully patched Windows systems.

The exploit was published by a researcher known as Chaotic Eclipse, or Nightmare Eclipse, who released both the source code and a compiled executable on GitHub after claiming that Microsoft failed to properly patch a previously reported 2020 vulnerability.

According to the researcher, the flaw impacts the 'cldflt.sys' Cloud Filter driver and its 'HsmOsBlockPlaceholderAccess' routine, which was originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020.

At the time, the flaw was assigned the CVE-2020-17103 identifier and reportedly fixed in December 2020.

"After investigating, it turns out the exact same issue that was reported to Microsoft by Google Project Zero is actually still present, unpatched," explains Chaotic Eclipse.

Chaotic Eclipse has previously stated that they are publicly disclosing these Windows zero-days in protest of Microsoft's bug bounty and vulnerability-handling process. (Lawrence Abrams / Bleeping Computer)

Related: ThreatLocker, Nightmare Eclipse, r/cybersecurity, Security Week, Dark Reading

At the I/O conference, Google announced that it was inviting select groups of experts to test the API for CodeMender, an “AI agent for code security” it debuted last October.

Now, however, Google is making the tool more widely available externally — and marketing it as a way to, as Google DeepMind CTO Koray Kavukcuoglu put it, “help secure the world’s code bases” by both flagging and fixing vulnerabilities.

Google CEO Sundar Pichai told reporters, “What Mythos has done, and credit to them, is to show that there is a value for the largest-sized model in these kinds of security use cases. But I think it’s something we are capable of doing as well.” (Hayden Field / The Verge)

Related: Crypto Briefing, Digit

A DC Circuit panel appeared likely to find the Pentagon overstepped its authority by banning and labeling artificial intelligence company Anthropic a “supply chain risk” over certain use restrictions built into its AI product Claude.

The three-judge panel heard arguments in one of two ongoing challenges against the Department of Defense’s designation — Anthropic also sued in US District Court for the Northern District of California — and seemed critical of the government’s reasoning that the company granted itself an “operational veto” over military operations via a “remote kill switch” in Claude.

US Circuit Judge Karen Henderson, a George H. W. Bush appointee, called the move “a spectacular overreach by the department.”

Henderson noted that the statute cited by the government in its determination was specifically crafted to address risks from hostile nations and other bad actors, none of which seemed to apply to Anthropic.

Hegseth’s determination relied on Section 4713 of the Supply Chain Security Act, which empowers the secretary to address risks that a bad actor will “sabotage, maliciously introduce unwanted function, extract data or otherwise manipulate” military systems to “surveil, deny, disrupt or otherwise manipulate” them.

Henderson said she saw no evidence of any “maliciousness, malintent or sabotage” from Anthropic and asked Kelly Dunbar — WilmerHale attorney and the AI company’s attorney — whether his client was a bad actor. (Ryan Knappenberger / Courthouse News Service)

Related: Axios, The Hill, GovInfoSecurity, Quartz

Vulnerability exploitation has overtaken compromised credentials for the first time in nearly two decades as the most common initial access vector for data breaches, according to Verizon's 2026 Data Breach Investigations Report (DBIR).

Verizon revealed that nearly a third (31%) of data breaches over the past year started with vulnerability exploitation. This is up from 20% in last year’s report.

That made it the top initial access vector, with credential abuse down from 22% to 13%.

However, it’s not just zero-days that are at issue. The report revealed that firms aren’t patching known bugs quickly enough.

Only 26% of critical vulnerabilities listed in the Cybersecurity and Infrastructure Security Agency Known Exploited Vulnerabilities (CISA KEV) catalog were fully remediated by organizations in 2025, a drop from 38% the previous year.

That could be due to the increased patch load. Organizations had 50% more critical vulnerabilities to patch in this year’s reporting dataset versus 2025, Verizon said.

AI is more obviously growing as a threat, according to Verizon. “The median threat actor researched or used AI assistance in 15 different documented techniques, with some actors leveraging as many as 40 or 50,” it noted.

Shadow AI is also a growing enterprise threat: it’s now the third most common “non-malicious insider action” detected in Verizon’s data loss prevention (DLP) dataset, a fourfold percentage increase from last year.

Some 45% of employees are now regular users of managed and unmanaged AI on their corporate devices, up from 15% last year. (Phil Muncaster / Infosecurity Magazine)

Related: Verizon, BH Consulting, Databreach Today, Dark Reading, Security Week, PYMNTS

Source: Verizon DBIR.

Congressional Democrats want answers from the Cybersecurity and Infrastructure Security Agency about the reported public exposure of sensitive agency credential data on GitHub in an incident that the security researcher who discovered it called one of the worst leaks he’s ever seen.

Mississippi Rep. Bennie Thompson, the top Democrat on the Homeland Security Committee, and Delia Ramirez, the top Democrat on the panel’s cyber subcommittee, demanded a briefing Tuesday in a letter to CISA’s acting director, Nick Andersen.

They said they wanted to learn “how this serious security lapse occurred, any potential security consequences, remediation activities, corrective actions related to the contractor personnel involved, and efforts to monitor for and prevent similar activity from occurring in the future.”

Sen. Maggie Hassan, D-N.H., also sent a letter Tuesday to Andersen, seeking a classified briefing to answer questions about which systems were exposed, what forensic work CISA did to evaluate potential damage, and what corrective action it has taken. (Tim Starks / CyberScoop)

Related: Axios, Senator Hassan

Discord announced that all voice and video calls through the communication platform are now protected by default with end-to-end encryption (E2EE).

The implementation was completed in March. Extensive at-scale testing has given Discord the confidence to formally announce the E2EE deployment now, and to start removing client code that supports unencrypted fallback.

The migration to E2EE was achieved by extending the open-source encryption protocol DAVE to support all platforms where Discord clients run, including desktop, mobile, web browsers, PlayStation, Xbox, and Discord SDKs. (Bill Toulas / Bleeping Computer)

Related: TechCrunch, 9to5Mac, Engadget, XDA, Business Standard, TechRepublic, Tech Times, Help Net Security, The Indian Express, gHacks, MediaNama, PC Gamer, Dataconomy

Eight US telecom operators are setting up a cybersecurity threat intelligence sharing group to coordinate the sector's defense and response to more sophisticated and persistent threats to critical communications infrastructure.

AT&T, Charter Communications, Comcast, Cox Communications, Lumen Technologies, T-Mobile, Verizon, and Zayo are the founding members of the Communications Cybersecurity Information Sharing and Analysis Center (C2 ISAC) that will start operations next month. The board of the nonprofit organization will comprise the chief information and security officers from each of the eight operators, led by AT&T CISO Rich Baich as chairman.

The group formalizes the information sharing that already happens among telco security teams so that they can collaborate on preparation for new cyberthreats, alert each other to unusual network activity, and, in the event of a cyberattack, quickly convene to coordinate a collective response. (Michelle Donegan / Light Reading)

Related: ATT.com, Fierce Network, Mobile World Live, The Cyber Express, NextGov/FCW, sdxCentral, Telecoms.com

Marks & Spencer Group Plc expects annual profit to exceed the level seen before the British fashion and food chain was knocked off course by a cyberattack last year.

Adjusted pretax profit will resume growth this financial year and surpass the £875.5 million ($1.2 billion) posted in the 12 months ended March 2025, which was the highest level in more than 15 years, the retailer said.

The 24% drop in adjusted pretax profit in its latest full year — which included the cyberattack — was slightly better than analysts expected after a strong second half. Food sales rose 7%, while fashion and homeware fell 7.7%.

Chief Executive Officer Stuart Machin is pushing ahead with a turnaround plan that was showing significant momentum before online sales were disrupted for almost four months last year. The strategy includes boosting M&S’s online presence and expanding overseas. (Katie Linsell / Bloomberg)

Related: Fashion Network, The Times, Global Banking and Finance, Drapers, Retail Bulletin, City AM, Yahoo Finance, The Times, Independent

Ocean, an AI-based email security platform, has raised $20 million in a Series A funding round.

Lightspeed Venture Partners led the round, with participation from Picture Capital, the fund of Island founders Mike Fey and Dan Amiga, as well as Transmit founders Rakesh Loonkar and Mickey Boodaei, and Cerca Partners. Angel investors include Wiz CEO Assaf Rappaport, Armis founders Yevgeny Dibrov and Nadir Izrael, Sharin Fisher Dibrov, and Axis Security CEO Dor Knafo, who is also a partner at Cyberstarts, along with other leading investors. (Meir Orbach / Calcalist)

Related: The SaaS News, Tech in Asia

Best Thing of the Day: That's What You Call a Coup

Researchers at NetAskari got exclusive access to a Chinese web front-end demonstrating a remote tracking system especially for foreigners, developed for the Public Security Bureau in the region of Zhangjiakou, gaining insight into the capabilities of security organs to track individuals in real time.

Bonus Best Thing of the Day: Good Thing the Pics Were Before Paying $28 for a Turkey Leg

In a class-action suit, Disney has been sued for deploying facial recognition technology at park entrances to verify tickets.

Google unveiled an AI-powered overhaul of Search centered around a reimagined “intelligent search box.”
