# Archive

Browse past daily curated stories


Thursday, May 21, 2026

  1. BleepingComputer general
    GitHub confirms breach of 3,800 repos via malicious VSCode extension

    GitHub confirmed that approximately 3,800 internal repositories were breached after a GitHub employee installed a malicious VS Code extension (nrwl.angular-console). The attack was attributed to threat actor TeamPCP, who advertised stolen source code on a cybercrime forum. GitHub stated customer data was unaffected, but the incident exposes critical supply-chain risk in developer tooling ecosystems — specifically poisoned VS Code extensions targeting developer workstations.

  2. The Hacker News general
    Microsoft Takes Down Malware-Signing Service Behind Ransomware Attacks

    Microsoft disrupted Fox Tempest, a malware-signing-as-a-service (MSaaS) operation active since May 2025 that weaponized Microsoft's Artifact Signing system to deliver ransomware and other malware disguised as legitimate software. The disruption was formalized via a legal case unsealed in U.S. District Court. The operation compromised thousands of machines globally, making it a significant threat to organizations relying on code-signing trust chains.

  3. The Record threat-intel
    Microsoft disrupts Fox Tempest malware-signing-as-a-service platform tied to ransomware gangs

    Microsoft's legal action against Fox Tempest details a code-signing abuse platform that provided cybercriminals with tools to sign malicious code since May 2025, enabling ransomware distribution at scale. The service exploited Microsoft's own software verification infrastructure, allowing malware to bypass security controls. Security teams should audit signed software from unknown publishers and monitor for misuse of trusted signing certificates.

  4. The Hacker News general
    Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit

    Microsoft released mitigations for CVE-2026-45585, a Windows BitLocker security feature bypass zero-day dubbed 'YellowKey' with a CVSS score of 6.8, following its public disclosure. The mitigation blocks the FsTx Auto Recovery Utility from launching within the WinRE image. This is part of a continuing wave of Windows zero-days — including GreenPlasma and MiniPlasma — disclosed by a single researcher over six weeks post-Patch Tuesday.

  5. Dark Reading general
    CISA Exposes Secrets, Credentials in 'Private' Repo

    CISA's GitHub repository, publicly accessible since November 2025 and ironically named 'Private-CISA,' was found to contain exposed secrets and credentials. Senator Maggie Hassan (D-NH) sent a letter to CISA's acting director demanding answers, and a researcher described it as one of the worst credential leaks they had witnessed. The incident undermines confidence in federal cybersecurity posture and highlights the risk of misconfigured public repositories in sensitive government contexts.

  6. CyberScoop general
    Attackers hit vulnerabilities hard last year, making exploits the top entry point for breaches

    Verizon's 2026 Data Breach Investigations Report (DBIR) found that exploits are now involved in 31% of initial access vectors for breaches, marking a significant increase and making vulnerability exploitation the top entry point. The report emphasizes that patching velocity across industries lags dangerously behind attacker exploitation timelines. Security practitioners should treat unpatched edge devices and VPN appliances as critical exposure points.

  7. BleepingComputer general
    7-Eleven confirms data breach claimed by the ShinyHunters gang

    7-Eleven confirmed a data breach attributed to the ShinyHunters extortion group, with the company stating attackers gained access to 'certain 7-Eleven systems used to store franchisee documents,' discovered on April 8. The FBI has separately warned that ShinyHunters, emboldened after receiving a ransom payment for its Canvas LMS attack, is likely to escalate similar extortion campaigns. Organizations in retail and franchise sectors should review third-party document storage exposure.

  8. BleepingComputer general
    Grafana breach caused by missed token rotation after TanStack attack

    Grafana's data breach was traced to a single GitHub workflow token that was missed during credential rotation following the TanStack npm supply-chain attack. The breach was limited to Grafana Labs' GitHub environment, exposing public and private source code and internal repositories, with no customer production systems affected. The incident illustrates how a single unrotated token in CI/CD pipelines can cascade into a significant source code exposure event.

  9. SecurityWeek general
    Over 320 NPM Packages Hit by Fresh Mini Shai-Hulud Supply Chain Attack

    A fresh supply chain attack dubbed 'Mini Shai-Hulud' compromised over 320 npm packages across the @antv namespace by hijacking a maintainer account to publish malicious versions. The malware steals publishing tokens, installs OS-level backdoors, and persists in developer tools and CI pipelines. This follows a pattern of repeated npm ecosystem compromises and directly threatens any developer or build pipeline consuming @antv packages.

  10. BleepingComputer general
    Microsoft Self-Service Password Reset abused in Azure data theft attacks

    A threat actor is abusing Microsoft's Self-Service Password Reset (SSPR) feature to steal data from Microsoft 365 and Azure production environments, leveraging legitimate Microsoft administration features to evade detection. The attacks target Azure production environments and exploit trusted built-in tools, making them difficult to distinguish from legitimate administrative activity. Security teams managing Azure tenants should audit SSPR configurations and monitor for anomalous administrative tool usage.