GitHub has confirmed that approximately 3,800 internal repositories were compromised after a TeamPCP supply chain attack that began with a single employee installing a poisoned Visual Studio Code extension. The breach was announced on Tuesday after TeamPCP posted claims on an underground forum offering GitHub's stolen source
A compromised version of the Nx Console extension — a popular VS Code plugin with over 2.2 million installations — was published to the Visual Studio Code Marketplace after an attacker leveraged stolen developer credentials to inject a multi-stage credential stealer into the official nrwl/nx GitHub repository. The malicious version
Grafana Labs has confirmed a data breach after attackers used a compromised token to access the company's GitHub environment and download its entire codebase. The open source visualization and analytics platform disclosed the incident on Sunday, two days after cybercrime group Coinbase Cartel listed Grafana on its leak
Symantec and Carbon Black have published a definitive analysis confirming that Fast16, a Lua-based malware framework first surfaced by SentinelOne weeks ago, was purpose-built to sabotage nuclear weapons testing simulations. The findings establish Fast16 as the earliest known cyber sabotage tool targeting nuclear weapons research — predating the first known version
Chaotic Eclipse has released a third wave of Windows zero-day disclosures, publishing a proof-of-concept for a privilege escalation vulnerability codenamed MiniPlasma that grants SYSTEM privileges on fully patched Windows systems — including those running the latest May 2026 updates. The flaw resides in cldflt.sys, the Windows Cloud Files Mini Filter
Bitdefender Labs has documented a sustained espionage campaign by Chinese-aligned APT group FamousSparrow against an oil and gas company in Azerbaijan, carried out across three distinct waves between December 2025 and February 2026. The campaign marks a strategic pivot for the group toward South Caucasus energy infrastructure and demonstrates how
The anonymous security researcher known as Chaotic Eclipse — responsible for the BlueHammer, RedSun, and UnDefend Microsoft Defender zero-days that ZDW covered last month — has returned with two additional Windows zero-days, escalating an increasingly public confrontation with Microsoft over vulnerability disclosure handling. The first vulnerability, codenamed YellowKey, is a BitLocker bypass
SAP has released 15 security notes as part of its May 2026 Security Patch Day, including fixes for two critical vulnerabilities carrying CVSS scores of 9.6 in S/4HANA and Commerce Cloud. The S/4HANA flaw, tracked as CVE-2026-34260, is an SQL injection caused by missing input validation and
West Pharmaceutical Services, a Pennsylvania-based pharmaceutical manufacturing giant, has confirmed a ransomware attack that disrupted operations across its global footprint after attackers exfiltrated data and deployed file-encrypting ransomware. The attack occurred on May 4 and prompted the company to proactively shut down and isolate affected on-premise infrastructure. In an SEC
A threat actor tracked as TeamPCP is behind a widening supply chain attack campaign called Mini Shai-Hulud, which has compromised packages across both the npm and PyPI ecosystems belonging to TanStack, Mistral AI, Guardrails AI, OpenSearch, and UiPath, among others. The compromised packages contain an obfuscated JavaScript file named "
Instructure, the company behind Canvas LMS — used by over 30 million educators and students across more than 8,000 institutions worldwide — has confirmed it reached a financial agreement with the ShinyHunters extortion group to prevent the release of stolen data from a recent breach. The company stated that ShinyHunters returned
Microsoft has disclosed a large-scale credential theft campaign that targeted more than 35,000 users across 13,000 organizations in 26 countries over a three-day window between April 14 and 16, 2026. The campaign combined polished enterprise-style lures with adversary-in-the-middle (AiTM) phishing to harvest Microsoft credentials and authentication tokens in
Alerts
Two critical vulnerabilities in widely deployed Chinese enterprise software are under active exploitation, with threat actors leveraging unauthenticated remote code execution flaws in MetInfo CMS and Weaver E-cology to compromise servers without requiring any credentials. CVE-2026-29014 (CVSS 9.8) affects MetInfo, a PHP and MySQL-based enterprise content management system popular
Threats
ESET researchers have uncovered a supply chain espionage campaign by North Korean APT group ScarCruft that compromised a video game platform popular with ethnic Koreans living in China's Yanbian region — a border area known as a primary transit point for North Korean defectors crossing the Tumen River into
Alerts
Wiz researchers have disclosed a critical remote code execution vulnerability in GitHub's internal Git infrastructure that exposed millions of repositories across both GitHub.com and GitHub Enterprise Server. Tracked as CVE-2026-3854, the flaw allowed any authenticated user to execute arbitrary commands on GitHub's backend servers using
Alerts
A privilege escalation vulnerability in Microsoft Defender is under active exploitation using publicly available proof-of-concept code, with Huntress confirming attacks began on April 10 — four days before Microsoft released a patch. CISA added the flaw to its Known Exploited Vulnerabilities catalog on Wednesday, setting a May 6 federal patching deadline.
Alerts
A critical sandbox escape vulnerability has been disclosed in Terrarium, an open-source Python sandbox developed by Cohere AI for running untrusted code in Docker-deployed containers. Tracked as CVE-2026-5752 with a CVSS score of 9.3, the flaw allows attackers to break out of the sandbox and execute arbitrary system commands
Alerts
Microsoft has pushed an emergency out-of-band security update to address CVE-2026-40372, a critical privilege escalation vulnerability in ASP.NET Core's Data Protection cryptographic APIs that allows unauthenticated attackers to forge authentication cookies and gain SYSTEM-level access on affected systems. The flaw originated from a regression introduced in the
Threats
Acronis researchers have identified a new variant of the LOTUSLITE backdoor being deployed by Mustang Panda in campaigns targeting India's banking sector and South Korean policy communities. The updated malware demonstrates incremental refinements over its predecessor, confirming active maintenance by the Chinese nation-state group as it broadens its
Alerts
CISA added eight new vulnerabilities to its Known Exploited Vulnerabilities catalog on Monday, setting aggressive federal patching deadlines after confirming active exploitation across a range of enterprise products. Three of the flaws target Cisco Catalyst SD-WAN Manager, while the remaining five affect Quest KACE, PaperCut, JetBrains TeamCity, Kentico Xperience, and
Breaches
Angelo Martino, a 41-year-old former ransomware negotiator at cybersecurity incident response firm DigitalMint, has pleaded guilty to targeting U.S. companies with BlackCat (ALPHV) ransomware while simultaneously working as a negotiator supposedly helping victims resolve attacks. Martino is the third defendant to plead guilty in a case that exposes one
Breaches
Tyler Robert Buchanan, a 24-year-old from Dundee, Scotland, has pleaded guilty in a California federal court to conspiracy to commit wire fraud and aggravated identity theft for his role in a hacking operation that breached at least twelve companies and stole $8 million in cryptocurrency from individual victims across the
Threats
CyberProof researchers have uncovered a campaign by Iranian APT group Seedworm that uses Microsoft Teams as an initial access vector, deploying a custom backdoor called Dindoor through social engineering that impersonates IT support personnel. The campaign emerged in early March 2026, coinciding with a surge in Iranian-linked cyber activity following
Breaches
A threat actor has breached Vercel's developer infrastructure through an identity supply chain attack that bypassed multi-factor authentication entirely — without stealing a single credential. The compromise, disclosed in April 2026, exploited a breached third-party OAuth integration to inherit valid Google Workspace sessions belonging to Vercel developers, representing a