On Monday, May 18, 2026, GitHub detected that an employee device had been compromised through a malicious third-party VS Code extension, resulting in unauthorized access to and exfiltration of internal repositories. Upon discovery, the company removed the extension, isolated the endpoint, began incident response, and rotated secrets, prioritizing high-impact credentials first. GitHub disclosed the incident two days later via social media and a blog post, in which the company confirmed an unnamed "attacker's current claims" that approximately 3,800 GitHub-internal repositories were stolen, and that the extension enabling compromise of the employee machine was Nx Console version 18.95.0, published for 18 minutes on Visual Studio Marketplace and 36 minutes on OpenVSX before being removed. This extension was likely poisoned during last week’s supply chain attack on the TanStack npm library. Any impacted GitHub customers will be contacted directly via established channels, but GitHub states that the only customer information that may have been present could include excerpts of support interactions. GitHub is continuing to analyze logs, validate secret rotation, and monitor their infrastructure, and promises a full report after investigation is complete. The attacker claim mentioned by GitHub aligns with the details of a claim allegedly posted by TeamPCP, a threat actor group believed to be behind several significant supply chain attacks in 2026.

This one really is ugly. Massive supply chain attacks are now routine, and they are piling up on each other. An attack one week provides some residual poison in other developers’ code that enables an attack the following week. Rinse and repeat. What’s more, the VS Code extension piece here is particularly disturbing given how many developers rely on VS Code and a myriad of useful extensions for their work. Also, let’s face it: GitHub is critical infrastructure these days, with so many packages used in critical infrastructure software relying on it. Keep an eye on this story as it evolves and read the promised full report, because it’ll be interesting to learn more about what the attackers did once they got access, for lessons on how to improve our detection capabilities.

This may indeed be another attack from TeamPCP. The scope of the compromise is GitHub's internal repositories versus any customer repos. Check GitHub's post-incident actions to see if you've got all your bases covered, or if you're going to fall short when you're on the short end of the incident.

Attacks against developers taking advantage of VS Code extensions are nothing new (I think I covered it in the 2023 RSA keynote). But organizations are distracted by new technologies and ignore the hard operational reality of basic security controls.
GitHub Blog
GitHub
BleepingComputer
The Hacker News
WIRED
GitGuardian researcher Guillaume Valadon contacted KrebsOnSecurity on May 15, 2026 to report that his company had discovered a public GitHub repository containing sensitive information belonging to the US Cybersecurity and Infrastructure Security Agency (CISA), and that the repository's owner was not responding when contacted. The repository contained "a vast number of internal CISA/DHS credentials and files, including cloud keys, tokens, plaintext passwords, logs and other sensitive CISA assets," including plaintext credentials for CISA's internal software development resources. A third-party government contractor, Nightwing, maintained this publicly accessible repository, called "Private-CISA," and had disabled the default setting blocking users from publishing SSH keys and other secrets. Seralys founder Philippe Caturegli independently verified that the exposed credentials still authenticated to three high-privileged AWS GovCloud accounts, and stated that this repository was created on November 13, 2025, and was most likely used "to synchronize files between a work laptop and a home computer." While the repository and GitHub account were taken down shortly after KrebsOnSecurity and Seralys notified CISA, "the exposed AWS keys inexplicably continued to remain valid for another 48 hours." Many passwords revealed in the exposed files were easily guessable, such as the platform followed by the current year. CISA stated, "there is no indication that any sensitive data was compromised as a result of this incident," and that investigation and additional safeguards are underway. Nightwing has declined to comment. US Senator Maggie Hassan (D-NH) wrote a letter to CISA Acting Director Nick Andersen on May 19, requesting an urgent classified briefing on 12 topics covering the details of the exposure, CISA's awareness, response, security controls, contractor requirements, systemic weaknesses, correctives, and training, and the question of possible exploitation.

Before we start throwing stones at Nightwing or CISA, we need to check we're not in the same boat. Make sure you're not disabling secrets detection and that you're scanning your repositories for secrets. The credentials were discovered by a process which scans public GitHub repos for secrets. The likely root cause is synchronization from a home PC to a work laptop, resulting in the secrets being stored in the public repository as well as raising the issue of the best way to synchronize data between authorized workstations. We should all be scanning our repositories, public or private, not only to discover secrets, but also to verify the public and private scope remains as desired.
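
The two checks recommended above (scanning repository contents for secrets and weak passwords, and verifying that each repo's public/private scope still matches what you intended) as an added example; this is not GitGuardian's, Seralys' or GitHub's tooling, and its regexes, repo names, file contents and inventory are simplified, constructed assumptions:

```python
"""Repo hygiene checks: secret/weak-password detection plus visibility drift.
Added example; the patterns below are a small illustrative subset, not a
production rule set, and all sample data is constructed."""
import hashlib
import re
from dataclasses import dataclass

SECRET_PATTERNS = {
    # Long-term (AKIA) and temporary (ASIA) AWS access key IDs share this shape.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
}
# key=value or key: value assignments that look like a password setting
# (no leading \b so DB_PASSWORD=... is caught; '_' is a word character).
PASSWORD_ASSIGN = re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*[\"']?([^\s\"']+)")
# "<word><year>" values, i.e. the platform-plus-current-year style from the story.
WEAK_PASSWORD = re.compile(r"^[A-Za-z]{3,}(?:19|20)\d{2}[!@#$%]{0,2}$")


@dataclass(frozen=True)
class Finding:
    repo: str
    path: str
    line_no: int
    kind: str
    fingerprint: str  # sha256 prefix of the matched value; the value itself is never stored


def _fp(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def scan_text(repo: str, path: str, text: str) -> list[Finding]:
    """Return one Finding per secret-looking token or password assignment in text."""
    out = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pat in SECRET_PATTERNS.items():
            for m in pat.finditer(line):
                out.append(Finding(repo, path, line_no, kind, _fp(m.group(0))))
        m = PASSWORD_ASSIGN.search(line)
        if m:
            value = m.group(1)
            kind = "weak_password" if WEAK_PASSWORD.match(value) else "plaintext_password"
            out.append(Finding(repo, path, line_no, kind, _fp(value)))
    return out


def visibility_drift(expected: dict[str, str], observed: dict[str, str]) -> dict[str, str]:
    """Repos whose observed visibility differs from the inventory, or are missing from it."""
    drift = {}
    for repo, vis in observed.items():
        want = expected.get(repo)
        if want is None:
            drift[repo] = f"not in inventory (observed {vis})"
        elif want != vis:
            drift[repo] = f"expected {want}, observed {vis}"
    return drift


# Constructed sample data; the key ID is AWS's documented placeholder, not a live credential.
SAMPLE_REPOS = {
    "infra-sync": {
        "env/prod.env": (
            "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
            "AWS_REGION=us-gov-west-1\n"
            "DB_PASSWORD=github2026\n"
        ),
        "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n",
    },
    "docs-site": {"README.md": "# Docs\nNothing sensitive here.\n"},
}
EXPECTED_VISIBILITY = {"infra-sync": "private", "docs-site": "public"}
OBSERVED_VISIBILITY = {"infra-sync": "public", "docs-site": "public", "scratch": "public"}


def run_report(repos=SAMPLE_REPOS, expected=EXPECTED_VISIBILITY, observed=OBSERVED_VISIBILITY):
    findings = [f for repo, files in repos.items() for path, text in files.items()
                for f in scan_text(repo, path, text)]
    return findings, visibility_drift(expected, observed)


if __name__ == "__main__":
    findings, drift = run_report()
    for f in findings:
        print(f"{f.repo}/{f.path}:{f.line_no} {f.kind} fp={f.fingerprint}")
    for repo, why in drift.items():
        print(f"visibility drift: {repo}: {why}")
```

Findings carry only a hash prefix of the matched value so the report itself does not re-leak the secret.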

I am feeling bad for the individual who leaked the secrets. It could have probably been me as a “young, stupid, and eager to get work done” developer. Does anybody have a scalable enterprise secret management system that doesn't get in the way of developers trying to build cool things? (No. I am no longer in danger of making mistakes like this… no longer young or eager.)
Not a good look for an organization that has ’Security’ in its name. It doesn’t matter if the likely culprit was a third-party contractor, CISA is the data owner, and the buck stops with them.
KrebsOnSecurity
CyberScoop
The Record
Senate
Dark Reading
Ars Technica
Verizon has published its 2026 Data Breach Investigations Report (DBIR), analyzing the details of over 31,000 security incidents, among those being more than 22,000 data breaches in 145 countries. The report offers detailed analysis across incident classification patterns, industries, regions, and other focused domains. Exploitation of vulnerabilities has become the most common initial access vector, accounting for 31% of intrusions, while credential abuse has decreased to account for just 13%. From 2024 to 2025, the median time for full resolution rose from 32 days to 43 days, with median organizations now having 50% more critical flaws to patch compared to the previous year. What's more, while organizations fully remediated 38% of critical vulnerabilities in 2024, that number dropped to 26% in 2025. Ransomware was involved in 48% of all breaches, but the proportion of victims who paid the ransom (31%) and the median payment (US$139,875) are trending downward. Third-party compromises were also involved in 48% of all breaches, a 60% increase from 2024. Third parties took almost eight months to resolve half of their weak passwords and permission configurations, and one month to resolve half of their missing or improperly secured MFA, with only 23% of organizations fully remediating their MFA. 62% of breaches involved a human element, and social engineering via pretexting is becoming a more common initial access vector; voice and text message phishing yielded 40% more engagement than email. AI is being used by threat actors to develop malware and tools, but most stick to well-defined attacks, with less than 2.5% being uncommon techniques; the median threat actor researched or used AI for 15 different techniques. Unauthorized use of generative AI by insiders, known as Shadow AI, was the third most common non-malicious insider action, exposing source code, images, structured data, and research and technical documentation. 
67% of employees are using unauthorized non-corporate GenAI accounts on corporate devices. Incident classification patterns, from most to least common in 2025, were: 61% system intrusion, up from 53%; 17% social engineering, level with 2025; 10% basic web application attacks, down from 18%; 8% miscellaneous errors; and 3% privilege misuse, down from 7%. Verizon's stated theme for the report is "keeping a strong foundation in the face of change." The researchers contend that "organizations that stay grounded in strong cybersecurity basics (clear visibility into assets and third parties, disciplined patch management, and well-practiced response plans along with a culture that supports and enables secure behavior) are better positioned to handle today’s realities and whatever comes next."

The 2026 DBIR report is here! Not a big surprise that AI speed is categorized as a new challenge pushing the strategy to fundamental resilience. Security fundamentals and cyber hygiene remain key protections, most notably as not everyone has them properly implemented. This includes actively knowing what you have, what it's supposed to do, that it's updated, that it uses strong authentication (ideally MFA), that EDR is ubiquitous, and that you're monitoring and alerting effectively. These keep coming up again as gaps which need addressing. AI is shortening the timelines, not changing the defenses. AI Shadow-IT is still shadow IT and is an indicator of users solving problems around you. In essence you're the problem they are solving, so don't be that guy — find the way to meet their needs securely in a timely fashion.

This is such a useful snapshot into what’s happening in the attacker space. The most interesting part of this for me was that exploitation of vulnerabilities becoming the most common access vector (and that’s gonna explode from this point forward with all the AI-fueled vulns hitting now), with credential abuse declining. I’m thankful that Verizon publishes this every year so we can gauge long-term trends. I also think that historians generations from now (both AI and human historians) will find it a fascinating glimpse of our times. Thank you to the team at Verizon for providing this information to us all!

The story not told by the report is that many of the vulnerabilities being exploited so far have not been discovered by AI, nor are they exploited with AI help. Instead, the actual AI attack flood is still to come.
Driven by a rise in ransomware, third-party software reliance, and exploited vulnerabilities, the VZ DBIR proves we need smarter, evidence-based security. Implementing prioritized safeguards — like the CIS Critical Security Controls — is one of the best ways to protect your organization. Check out VZ’s breakdown mapping the CIS Controls directly to the seven major incident classification patterns.

The DBIR continues to be one of the most authoritative and useful publications of open-source intelligence. Kudos to Verizon for continuing to fund it.
Verizon
Dark Reading
HIPAA Journal
SecurityWeek
On Wednesday, May 20, Cisco released updates to address a critical unauthorized API access vulnerability in Cisco Secure Workload (CVE-2026-20223). In the advisory, Cisco writes, "This vulnerability is due to insufficient validation and authentication when accessing REST API endpoints." The issue lies "in the access validation of internal REST APIs of Cisco Secure Workload [and] could allow an unauthenticated, remote attacker to access site resources with the privileges of the Site Admin role." Users running Cisco Secure Workload release 3.10 are urged to update to 3.10.8.3; users running Cisco Secure Workload release 4.0 are urged to update to 4.0.3.17. Users running Cisco Secure Workload release 3.9 and earlier are urged to update to a fixed release. Cisco also released updates this week for three medium-severity vulnerabilities: an authenticated remote code execution vulnerability in Cisco ThousandEyes Virtual Appliance (CVE-2026-20199); a command injection vulnerability in the Cisco ThousandEyes Enterprise Agent BrowserBot Component (CVE-2026-20206); and a denial-of-service vulnerability in Cisco Nexus 3000 and 9000 Series Switches Border Gateway Protocol (CVE-2026-20171). In addition, Cisco published an informational advisory, “Continued Evolution of Persistence Mechanism Against Cisco Secure Firewall Adaptive Security Appliance and Secure Firewall Threat Defense,” related to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA's) April 23, 2026 update to V1: “Emergency Directive (ED) 25-03: Identify and Mitigate Potential Compromise of Cisco Devices related to Cisco Secure Firewall Adaptive Security Appliance (ASA) and Cisco Secure Firewall Threat Defense (FTD) products.”

If you're looking for a reason to update from Cisco Secure Workload version 3 to 4, this is it. Don't overlook that Cisco has published fixes for the ASA and FTD device issues raised in ED 25-03; time to make sure those are properly deployed.

Another expensive and complex security “black box” putting your network at risk. A “simple” REST authentication bypass turns the “Secure” workload into a capable attack payload.
The Register
SecurityWeek
BleepingComputer
Cisco
Cisco
Cisco
CISA
Microsoft has released fixes for two vulnerabilities in Microsoft Defender: a privilege elevation vulnerability due to improper link resolution before file access (CVE-2026-41091), and a denial-of-service vulnerability (CVE-2026-45498). The US Cybersecurity and Infrastructure Security Agency (CISA) has added both to the Known Exploited Vulnerabilities (KEV) catalog with a mitigation due date of June 3, 2026 for Federal Civilian Executive Branch (FCEB) agencies. Microsoft has also addressed a third vulnerability in Defender, a remote code execution flaw due to a heap-based buffer overflow (CVE-2026-45584). All three vulnerabilities are fixed in Windows Antivirus Platform 4.18.26040.7 and Engine 1.1.26040.8.

This should be old news if your Defender instances are set to auto-update. CVE-2026-41091 allows for local privilege escalation as a result of improperly resolving links before accessing files; CVE-2026-45498, when exploited, causes a DoS of Defender services. Both of these have been observed being exploited in the wild and are in the KEV. CVE-2026-45584, an RCE flaw, while also fixed, hasn't been observed being exploited in the wild. Focus on making sure your Defender platform and Engine are updated rather than on the KEV or exploits seen in the wild.
Help Net Security
BleepingComputer
The Hacker News
SecurityWeek
X
Microsoft
Microsoft
A telecommunications outage in Luxembourg last July has been attributed to an attack that exploited an undisclosed vulnerability in Huawei router software. Mobile service, along with landlines and emergency services communications, were disrupted for several hours on July 23, 2025. The exploited flaw has never been disclosed and has not been assigned a CVE, and there has been no public warning for operators using that same equipment. The likelihood that "products from Chinese manufacturer Huawei [were] central" to the outage emerged just days after the incident, according to a July 30, 2025 story in the Luxembourg Times. More recently, The Record reports that the outage "was caused by specially crafted network traffic that sent Huawei enterprise routers into a continuous restart loop, crashing critical parts of POST’s infrastructure. When connectivity was restored more than three hours later, the country’s emergency call center received hundreds of additional calls." An investigation conducted by police and Iron Monkey Threat Research "suggest[s] the outage may have been triggered by maliciously crafted network traffic simply passing through POST’s infrastructure. Instead of forwarding the data onward, Huawei routers appear to have hit an undocumented failure condition that caused them to repeatedly stop and reboot."

Before going to not trusting Huawei routers, let's start by making sure that the devices we have are fully updated and following the latest security best practices, to include off-device log/event storage and analysis. Always follow up on unexpected infrastructure reboots (including routers and servers). It is not clear that this attack specifically targeted Luxembourg's routers, versus just DoSing any and all Huawei routers it encountered.
Microsoft has open-sourced two AI tools designed to help engineers develop and maintain safer AI agents. RAMPART, or Risk Assessment and Measurement Platform for Agentic Red Teaming, "is an open-source testing framework that brings red teaming techniques directly into the development workflow. It is built on top of PyRIT, Microsoft’s open automation framework for red teaming generative AI systems .... Where PyRIT is optimized for black-box discovery by security researchers after the system is built, RAMPART is built for engineers as the system is being built." RAMPART is built to test for prompt injection attacks, to account for probabilistic agent behavior, and to reproduce AI red team findings and AI incidents. The second tool, Clarity, helps AI teams ask the right questions at the outset of a project. Microsoft's Ram Shankar Siva Kumar (Data Cowboy, AI Red Team) writes that the company "wanted to give product managers and engineers a way to pressure-test their assumptions at the start of a project, when changing course is cheap and the right conversation can save months of rework." Clarity "runs as a desktop app, a web UI, or [can be] embedded directly in a coding agent." Both tools are available as open-source projects.

You were just wondering how to get your arms around making sure AI was secure and that you're asking the right questions as early as possible, right? Your red team will be able to reproduce any AI security findings to ensure intended agent behavior as well as to verify security mitigations are working.
A smart, responsible move by MSFT. Both tools will help developers seamlessly integrate cybersecurity into the software engineering discipline.

One is glad to know that Microsoft has such a tool and hopes that they use it.
Microsoft
CyberScoop
The Register
The Hacker News
Microsoft has unsealed a legal case in the US District Court for the Southern District of New York against a cybercrime service dubbed Fox Tempest, which has been active since May 2025. Microsoft has taken steps to disrupt the malware-signing-as-a-service (MSaaS) operation that sold code-signing certificates to malware purveyors. The scheme targeted Microsoft's Artifact Signing code-signing service, which lets developers sign their code and appear to Windows as "verified" software. In a blog post, Steven Masada, Assistant General Counsel, Microsoft’s Digital Crimes Unit, writes, "Behind the scenes, the operators built access at scale. Using fabricated identities and impersonating legitimate organizations, they created hundreds of fraudulent Microsoft accounts to obtain real code-signing credentials in volume. Customers who paid for Fox Tempest’s services could then upload malicious files via an online portal for them to be signed using Fox Tempest-controlled certificates." Microsoft seized the signspace[.]cloud website, took down virtual machines acting as the operation's command-and-control infrastructure, and blocked access to a site hosting the operation's underlying code. They also disabled fraudulent accounts and revoked more than 1,000 fraudulent code-signing certificates. Microsoft's lawsuit targets not only the Fox Tempest group, but also a ransomware group, Vanilla Tempest, that used the MSaaS to deploy multiple strains of ransomware against schools, hospitals, and other organizations. Microsoft notes that it has been working with "Resecurity, whose insights help us better understand how Fox Tempest operates, ... [as well as] Europol’s European Cybercrime Centre (EC3) and the Federal Bureau of Investigation (FBI)."

The idea of signing malicious code with legitimate certificates isn't new; in fact, it has been going on for about a decade. What's new is that Fox Tempest managed to create malware-signing-as-a-service at scale. To get the certificates, the impersonated Microsoft identities had to pass a detailed identity verification process, indicating that Fox Tempest was using stolen identities, which would then allow the requestor to masquerade as real entities. While the Microsoft blog lists Defender-specific countermeasures, these should map to your EDR and include enabling tamper protection, blocking browsers from malicious websites, enabling safe link and attachment features, and enabling attack surface reduction features in your XDR. Don't forget to grab and hunt for the IoCs.
Microsoft’s oversight highlights a critical vulnerability: when attackers obtain legitimate signing certificates, they can easily distribute malicious software. This serves as a stark reminder that cybercrime is big business and is supported by an entire ecosystem of specialized services.
Microsoft
Microsoft
The Register
The Record
The Hacker News
Infosecurity Magazine
Gov Infosecurity
NextGov/FCW
Eight US telecommunications firms have launched a new Information Sharing and Analysis Center, C2 ISAC, focused on the needs of the industry. C2 ISAC's founding comes less than two years after the detection of broad attacks conducted by Salt Typhoon, a state-sponsored threat actor with ties to China, that infiltrated major telecommunications firms' networks around the world. Valerie Moon, executive director for the Institute for Critical Infrastructure Technology, will serve as C2 ISAC's executive director. Moon is a former Cybersecurity and Infrastructure Security Agency (CISA) and FBI official. AT&T CISO Rich Baich will serve as C2 ISAC's inaugural chair. "C2 ISAC builds on decades of public-private collaboration with the National Coordinating Center for Communications, also known as the Communications ISAC or COMM-ISAC. It was established in 1984 to promote resilience and information sharing among government agencies and private communications and IT companies." C2 ISAC founding members are AT&T, Charter, Comcast, Cox, Lumen Technologies, T-Mobile, Verizon, and Zayo; they "formed C2 ISAC because no single company has full visibility into every threat or can address every risk alone. By sharing resources, expertise, and real-time intelligence, C2 ISAC helps members anticipate, identify and respond to cyber threats more quickly and effectively."
Setting up a center for threat intelligence sharing is undoubtedly a smart move; it’s one of the best tools we have for spreading critical security data across a sector. The real question now is how this new ISAC will play ball with the existing COMM-ISAC. Are we looking at a seamless new partnership, or is the private sector trying to wrestle the steering wheel away from the government?

No surprise that the founding members of C2 ISAC are the same ones hit by Salt Typhoon's attack of two years ago. If you're a telecommunications service provider, the best question is, are you a member, and if not, why not? This is about information sharing with your peers to raise the bar across your industry sector, which is going to mean the information is relevant, current and actionable.

One impact of ISACs is to open enterprises to their peers. Even a little sunlight is a good disinfectant.
SANS Internet Storm Center StormCast Friday, May 22, 2026
Selective HTTP Proxying; More GitHub Repo Trouble; MSFT Defender Patches; Cisco Secure Workload Vulnerability
https://isc.sans.edu/podcastdetail/9942
Selective HTTP Proxying in Linux
https://isc.sans.edu/diary/Selective+HTTP+Proxying+in+Linux/33002
Megalodon: Mass GitHub Repo Backdooring via CI Workflows
https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/
MSFT Patches Recent Windows Defender Flaws CVE-2026-41091, CVE-2026-45498, CVE-2026-45584
https://x.com/fabian_bader/status/2057198207243804881
Cisco Secure Workload Unauthorized API Access Vulnerability CVE-2026-20223
SANS Internet Storm Center StormCast Thursday, May 21, 2026
GitHub Breach; Agentic Threat Intel Feed; NGINX Vuln; YellowKey Fix; Incomplete SonicWall Patch
https://isc.sans.edu/podcastdetail/9940
GitHub Breach
https://x.com/github/status/2056949168208552080
Agentic Threat Intelligence Feed - VS Code Extensions
https://agentmesh.knostic.ai/extensions
More NGINX Vulnerabilities
https://x.com/nebusecurity/status/2057071579876753643
https://my.f5.com/manage/s/article/K000161307
Microsoft Publishes YellowKey Mitigation CVE-2026-45585
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45585
Incomplete SonicWall Patch CVE-2024-12802
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0001
SANS Internet Storm Center StormCast Wednesday, May 20, 2026
Assume Supply Chain Compromise; GitHub Action Compromise; Identity Compromise Turns into Cloud-Wide Breach
https://isc.sans.edu/podcastdetail/9938
TeamPCP Supply Chain Campaign: Activity Through 2026-05-17
https://isc.sans.edu/diary/TeamPCP+Supply+Chain+Campaign+Activity+Through+20260517/32994
Github Action Compromise
How Storm-2949 turned a compromised identity into a cloud-wide breach