# Archive


Wednesday, May 20, 2026

  1. The Hacker News (general)
    GitHub Investigating TeamPCP Claimed Breach of ~4,000 Internal Repositories

    GitHub is investigating a claim by threat actor TeamPCP of unauthorized access to approximately 4,000 internal repositories, with source code and internal organization data allegedly listed for sale on a cybercrime forum. GitHub stated there is currently no evidence of impact to customer data stored outside its internal repositories. The breach, if confirmed, would represent a significant supply chain risk given GitHub's central role in global software development.

  2. SecurityWeek (general)
    Verizon DBIR 2026: Vulnerability Exploitation Overtakes Credential Theft as Top Breach Vector

    Verizon's 2026 Data Breach Investigations Report finds vulnerability exploitation now accounts for 31% of initial access vectors in breaches, surpassing credential theft as the leading entry point for the first time. The report also flags worsening patching delays, surging ransomware, and growing third-party compromise rates, with AI accelerating attacker capabilities. Security practitioners should prioritize remediation velocity alongside detection controls given exploitation's new primacy.

  3. BleepingComputer (general)
    Cybercrime service disrupted for abusing Microsoft platform to sign malware

    Microsoft disrupted Fox Tempest, a malware-signing-as-a-service (MSaaS) operation active since May 2025 that abused Microsoft's Artifact Signing service to generate fraudulent code-signing certificates for ransomware gangs and other cybercriminals. The company unsealed a legal case in U.S. District Court detailing the takedown, which is notable because it weaponized Microsoft's own legitimate signing infrastructure. Security teams should audit code-signing trust chains and verify certificate provenance for software deployed in their environments.

  4. Ars Technica Security (general)
    In stunning display of stupid, secret CISA credentials found in public GitHub repo

    A publicly accessible GitHub repository named 'Private-CISA' exposed CISA credentials including SSH keys and plaintext passwords since at least November 2025, prompting Congressional demands for answers. A researcher who analyzed the leaked repository described it as among the worst credential exposures he had witnessed. The incident is particularly damaging given CISA's role as the U.S. government's lead cybersecurity agency and has triggered Capitol Hill scrutiny.

  5. BleepingComputer (general)
    New Shai-Hulud malware wave compromises 600 npm packages

    Threat actors published over 600 malicious packages to the npm registry as part of a new Shai-Hulud supply-chain campaign, with the Mini Shai-Hulud wave also compromising packages in the @antv ecosystem including echarts-for-react, which has approximately 1.1 million weekly downloads. The attacks leverage compromised maintainer accounts to steal publishing tokens, install OS-level backdoors, and persist in CI/CD pipelines. The release of the Shai-Hulud source code has enabled clone campaigns, dramatically scaling the threat to developer environments.

  6. BleepingComputer (general)
    Max-severity flaw in ChromaDB for AI apps allows server hijacking

    A max-severity vulnerability in the latest Python FastAPI version of ChromaDB, a popular vector database used in AI applications, allows unauthenticated remote attackers to execute arbitrary code and leak sensitive information from exposed servers. The flaw was unpatched at the time of disclosure, and SecurityWeek confirmed it can be exploited without authentication. Organizations running AI pipelines with ChromaDB exposed to the internet should isolate or take down affected instances immediately.

  7. The Hacker News (general)
    Drupal to Release Urgent Core Security Updates on May 20, Sites Told to Prepare

    Drupal's Security Team issued an urgent advisory warning that core security updates for all supported branches would be released May 20, 2026, between 5–9 p.m. UTC, cautioning that exploits for the vulnerability could be developed within hours or days of release. The PHP-based CMS powers a significant portion of government and enterprise websites, making rapid patching critical. Administrators were explicitly instructed to reserve time for immediate updates given the high exploitation likelihood.

  8. The Hacker News (general)
    DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability

    A proof-of-concept exploit dubbed DirtyDecrypt (also called DirtyCBC) has been released for CVE-2026-31635, a Linux kernel local privilege escalation vulnerability discovered by the Zellic and V12 security team on May 9, 2026, and patched in April. The PoC enables local attackers to escalate privileges to root, and its public availability significantly raises exploitation risk for unpatched Linux systems. Administrators running affected kernel versions should prioritize applying the patch given the now-public exploit code.

  9. The Hacker News (general)
    The New Phishing Click: How OAuth Consent Bypasses MFA

    A phishing-as-a-service platform called EvilTokens, launched in February 2026, compromised more than 340 Microsoft 365 organizations across five countries within five weeks by exploiting OAuth device code flow to bypass MFA. Victims were tricked into entering a short code at microsoft.com/devicelogin, completing their normal MFA challenge while unknowingly granting the attacker a persistent OAuth token. Security teams should audit conditional access policies for device code flow restrictions and monitor for anomalous OAuth consent grants.

  10. The Hacker News (general)
    GitHub Actions Supply Chain Attack Redirects Tags to Steal CI/CD Credentials

    Threat actors compromised the popular GitHub Actions workflow actions-cool/issues-helper, redirecting all existing repository tags to point to malicious imposter commits that harvest CI/CD credentials and exfiltrate them to an attacker-controlled server. The attack is notable because the malicious commits do not appear in the action's normal commit history, making detection difficult for teams relying on tag integrity. Organizations using this action in their pipelines should immediately audit workflow logs, rotate any exposed secrets, and pin actions to specific commit SHAs rather than tags.