THIS WEEK, TL;DR

GitHub says hackers stole data from thousands of internal repos after a staffer's plugin was compromised
Bleeping Computer: GitHub was hacked and some 3,800 of its internal repos breached after hackers compromised an employee's VS Code extension that they used for writing and editing source code. The poisoned extension, Nx Console, was itself hacked by an earlier attack on open source web stack Tanstack, allowing the hackers to steal sensitive private keys and tokens, and hop from one hacked company to another. Nx Console also has indicators of compromise for affected customers beyond GitHub. If this seems like a trend, it's because it is, per Wired ($). Lock down your developer pipelines, people! GitHub said no customer information was taken, but it's a bruising incident for an already degraded GitHub. TeamPCP took credit for this latest breach (as it did with Tanstack), saying it was selling the stolen data, rather than extorting GitHub. Meanwhile: Grafana's post-breach report is out, which blamed last week's hack on one token that wasn't rotated after Tanstack's breach. Grafana decided not to pay the hackers' ransom.
More: The Record | ThreatLocker | Wiz | IFIN | Nx Console | @jeffbcross | Grafana

Google publishes exploit code affecting millions of Chromium users
Ars Technica: Come for the interesting Chromium bug writeup, stay for the "oh f—k" moment when the researcher realizes Google thought it fixed the bug but hadn't. As a result, Google released the proof-of-concept code that allowed anyone to use it. The code was subsequently pulled. The bug in Chromium browsers (think Chrome, Edge, Brave, and any other browser that relies on the core Chromium engine) meant attackers could create a persistent connection to the user's browser as a way to proxy data through their internet connection, or used for denial-of-service attacks. This is similar to how botnet hosts use residential home networks to funnel their malicious traffic, so while this Chromium bug won't let hackers read your emails or see what websites you're browsing, this is still not good. The bug has been unfixed for ~3.5 years. 
More: Bleeping Computer | @rebane2001 thread | @lukOlejnik

CISA admin exposed AWS GovCloud keys and credentials on GitHub
Krebs on Security: Embarrassing moment for U.S. cyber agency CISA after a contractor admin with access to government cloud credentials left them exposed to the internet in a public GitHub repo — including spreadsheets full of passwords and one plaintext file that simply read: "Important AWS Tokens." While a rookie mistake, it's ultimately not a good look for the agency who's charged with …*checks notes*... federal cybersecurity! Krebs had the scoop, and by the end of the week, lawmakers were clambering for answers. CISA has faced cuts, furloughs, and layoffs throughout the past year-plus under Trump, and still doesn't have a permanent Senate-approved director leading the place. 
More: Krebs on Security | Cyberscoop | TechCrunch ($) | @briankrebs 

THE STUFF YOU MIGHT'VE MISSED

Kash Patel's apparel website down after serving ClickFix attacks
PCMag: FBI director Kash Patel has pulled down his side hustle clothing business (which, admittedly, I didn't know was a thing) after the website was served with a ClickFix attack. This is where websites are hacked and trick visitors into thinking they're facing a Captcha-style screen, but are prompted to copy and paste malicious code into their computer, which plants malware. For subscribers: My deep-dive read on ClickFix.

HIPAA security rule is expected to be overhauled
Shostack + Associates: HIPAA, the decades-old complicated healthcare law that actually doesn't do half the things people think, is set to have its security rules overhauled. The Department of Health & Human Services has until the end of May to finalize the rule, which will matter a great deal to HIPAA-covered entities. Shostack's team explores some of the changes, as does BankInfoSecurity. Expect more to come soon.

Fears of unfettered hacking sprees 'looking overstated' after Mythos release
Reuters ($): Good stuff here from @ajvicens examining the security fallout (or lack of, frankly) following last month's restricted release of Anthropic's Mythos. Cyber experts say the AI model's abilities are largely overstated, and the reactions were measured. This was an important read and a good leveler for anyone needing a splash of cold water to the face on all-things AI security. Meanwhile: The White House scrapped an anticipated AI executive order, slated to allow federal agencies to get pre-release access to frontier AI models to test for flaws and dangerous capabilities. But tech executives didn't like it, per the Washington Post ($), even though their invites had already gone out.

Microsoft fixes Defender zero-day; Cisco fixes new 10/10 bug
Bleeping Computer, The Register: Microsoft fixed two zero-day bugs under attack in its Defender anti-malware engine that allowed malware to gain system-level privileges on a target's computer. The company also said it's released mitigations for a BitLocker bug (*cough* backdoor *cough*) dubbed YellowKey, which was published online as a zero-day and allows access to data on protected drives. Meanwhile: Not to be outdone, Cisco struck yet another 10/10 max-severity bug, this time in Cisco Secure Workload; though, on the bright side, no evidence of exploitation just yet… but give it time. Patch today! Last up: Trend Micro warned of a zero-day under attack in its Apex One product.

Verizon reports surge of exploited security vulnerabilities
Cyberscoop: Verizon's annual data breach report is out. According to the data, 31% of intrusions (up from 20%) exploited security flaws in software code, like zero day bugs. The issue was blamed on too many bugs and not enough time to patch. Financially motivated crims made up most of the attacks, and ransomware is still a big deal, so doing the security basics will help you a lot. Verizon always deserves the flak that it gets, but I will say, props for not putting the report behind a paywall; the direct PDF is readable here.

Scammers are abusing an internal Microsoft email to send spam
TechCrunch ($): An internal email address that Microsoft uses for sending actual account notifications to users, such as two-factor codes, is being abused to send spam emails. Microsoft said (belatedly) that it was aware of the issue, but anti-spam nonprofit Spamhaus said this has been going on for months already. (Disclosure: I wrote this story!)

OTHER NEWSY NUGGETS

Crypto 'wrench' attacks on the rise: Physical attacks on crypto holders are rising, with at least 72 confirmed incidents during 2025, allowing the theft of $41 million in crypto. These are called wrench attacks because bad people use violence (hence the wrench) to force crypto owners to give up their passwords. Many of the attacks have been in France. (via Bloomberg ($), Cointelegraph)

How many government demands does Oura get? Health wearable gadget maker Oura says it receives government demands for users' data. The big question is how many. (via this week in security) 

KimWolf botnet boss busted: A Canadian man has been nicked and is set to be extradited across the border to the U.S. for allegedly running the notorious KimWolf botnet, used for launching DDoS-for-hire attacks. Some attacks were measured at 30 terabits per second, which the DOJ says was a "record" in known DDoS attacks at the time. (via Justice Department, Krebs on Security, GovInfoSecurity)

New gov app, who dis? The White House plans to auto-install its official app on all federal phones in the executive branch. Notwithstanding the weirdness of it all, the app is known to have some security bugs, but it's unclear if those bugs are fixed or if the app is the same version in the public app stores. (via Government Executive, NASA Watch)

Trump Mobile exposed customer order details: Trump Mobile, the hilariously bad Trump-themed cell provider and phone maker, exposed 10,000 unique customer order details. Two YouTubers disclosed the leak after hearing nothing from Trump Mobile, which later confirmed it had publicly spilled customers' data. (via PCMag, TechCrunch ($))

SMS blaster at Eurovision: Incredible headline… a Chinese scammer was caught with an SMS blaster outside the Eurovision Song Contest in Vienna, and likely used to send several million SMS phishing text messages. Commsrisk has high-resolution photos of the device for your viewing. Although, I will say, it's extremely bad form for this guy to have his 6-year-old son in the car. That's far too young to be handling cellular equipment.

Hackers' favorite VPN is no more: Authorities have dismantled First VPN, a VPN provider that was allegedly used by ransomware gangs to hide their malicious traffic. French and Dutch authorities took down dozens of servers, and notified those who used the service "who mistakenly believed themselves to be safe." Savage. (via Help Net Security, Operation Saffron, @ransomwaresommelier)

THE HAPPY CORNER

Welcome to another happy corner, where everything is ~chill~.

A new bipartisan(!) amendment, if passed, would effectively ban automatic license plate readers across the United States, per Wired ($). This would be very good if it passes, and strikes at the heart of surveillance companies like Flock.

Congrats to those kids young adults, vx-underground, the world-renown group of friendly malware collectors, who marked their 7-year-anniversary this week. If you're ever in the mood to research or rip apart some malware, vx has everything you need. Plus, their tweets always make me smile, and much like this newsletter, it also features cats. 

Excellent news from Discord, which switched on end-to-end encryption across its entire platform, meaning anyone who makes voice and video calls can now chat in privacy — not even Discord can access your content. No action is needed by users.

And lastly, this week: How many of us feel at the best of times:

Got good news to share? Get in touch! this@weekinsecurity.com.

CYBER CATS & FRIENDS

This week's cyber pup is Ginger, who we're very fortunate to have featured in a newsletter a couple of years ago. Ginger recently passed over the rainbow bridge, and though I know we're all really sad to see her go, she was deeply loved, and lived a happy and wonderful life. Thanks to Jason T. for the photo, and we're sending all our love and support.

Send in your cyber cats! ‍ Got a cat or a non-feline friend? Send me an email with their photo and name and they will be featured in a later newsletter!

SUGGESTION BOX

That's all there is for this week's edition. Thank you so much for reading! I won't keep you for another moment. I hope you have a good rest of your long weekend (if you're here in the United States) and a great rest of your week wherever you are in the world.

Please email me if you want to see anything in next week's newsletter that you think would be a good fit. If you like what you read, please share this newsletter!

Peace, my friends,
@zackwhittaker