Human Factor Blog

how human behavior affects security

Programmer’s Digest #185

05/13/2026-05/20/2026 GitHub Breached, Nx Console VS Code Extension Compromised, Leaked Shai-Hulud Malware Fuels New npm Infostealer Campaign And More.

1. GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos

GitHub is investigating unauthorized access to its internal repositories after threat actor TeamPCP listed the platform’s source code for sale on a cybercrime forum for at least $50,000, claiming to have around 4,000 repositories. GitHub traced the breach to a compromised employee device infected via a poisoned Visual Studio Code extension. The company has since rotated critical credentials and confirmed the attack affected only internal repositories, with no evidence of customer data exposure.

Meanwhile, TeamPCP’s self-replicating malware campaign has expanded to compromise durabletask, Microsoft’s official Python client for the Durable Task framework. Three malicious versions (1.4.1–1.4.3) were published to PyPI after attackers stole credentials from a previously compromised GitHub account. The embedded malware targets cloud credentials, password managers, SSH keys, and developer tools, and can propagate across AWS EC2 instances and Kubernetes clusters. The package receives roughly 417,000 monthly downloads, and any system that installed an affected version should be considered fully compromised.

2. Grafana GitHub Breach Exposes Source Code via TanStack npm Attack

On May 19, 2026, Grafana Labs said its recent breach was limited to its GitHub environment and did not affect customer production systems or operations. The stolen data included source code, internal repositories, and some business contact information, but no customer production or Grafana Cloud data. The company said the breach stemmed from the TanStack npm supply chain attack linked to TeamPCP, which also impacted OpenAI and Mistral AI. Grafana detected the activity on May 11, but a missed GitHub workflow token later allowed attackers to access additional repositories. After receiving an extortion demand on May 16, Grafana refused to pay, citing no guarantee the stolen data would be deleted. The company has since rotated tokens, increased monitoring, audited commits, and strengthened GitHub security measures.

3. DirtyDecrypt: PoC Released For Yet Another Linux Flaw

DirtyDecrypt (CVE-2026-31635) is a newly publicized Linux kernel local privilege escalation flaw with a working PoC already on GitHub. The bug stems from a missing copy-on-write guard in rxgk_decrypt_skb(), allowing attackers to write directly into shared page-cache memory — potentially corrupting /etc/shadow, /etc/sudoers, or SUID binaries to gain root.

Only systems whose kernel is built with CONFIG_RXGK are affected (Fedora, Arch, openSUSE Tumbleweed); standard Ubuntu and Debian installs are not. In Kubernetes environments, the flaw could enable container escape.

DirtyDecrypt is part of a growing family of related page-cache write vulnerabilities, alongside Copy Fail, Dirty Frag, and Fragnesia. Two other recent Linux flaws round out a busy few weeks: Pack2TheRoot (CVE-2026-41651, CVSS 8.8) targeting PackageKit, and ssh-keysign-pwn (CVE-2026-46333), which lets unprivileged users read root SSH keys.

Patches are available — apply them promptly, as a public PoC significantly shortens the exploitation window.

4. Nx Console VS Code Extension Compromised to Steal Developer and Cloud Secrets

Version 18.95.0 of the Nx Console VS Code extension (2.2M+ installs) was compromised on May 18, 2026, after attackers used stolen publishing credentials to push a malicious update to the official Marketplace. The extension was live for just 11 minutes before removal, but any developer who opened a workspace between 12:36–12:47 UTC should consider all credentials on that machine compromised.

The attack was a multi-stage supply chain operation. A contributor’s GitHub token — stolen in an earlier incident — was used to push a hidden orphan commit containing an obfuscated 498 KB payload. Once triggered, it harvested credentials from GitHub, AWS, npm, HashiCorp Vault, Kubernetes, 1Password, and notably Claude Code config files. Data was exfiltrated via HTTPS, GitHub API, and DNS tunneling simultaneously. On macOS, a persistent hourly Python backdoor was installed.

Developers should update to v18.100.0+, remove the macOS backdoor (~/.local/share/kitty/cat.py), and immediately rotate all tokens, SSH keys, and secrets.

5. Leaked Shai-Hulud Malware Fuels New npm Infostealer Campaign

Following last week’s Shai-Hulud source code leak, copycat attackers have already deployed it on npm. A threat actor using the account deadcode09284814 published four malicious packages over the weekend, targeting developers via typosquatting on popular libraries like Axios:

  • chalk-tempalte – unobfuscated Shai-Hulud clone (credential/crypto stealer)
  • @deadcode09284814/axios-util – credential and cloud config stealer
  • axois-utils – infostealer + persistent DDoS botnet (“phantom bot”)
  • color-style-utils – basic infostealer targeting crypto wallets

Researchers at OXsecurity confirmed the chalk-tempalte package is the first documented Shai-Hulud clone on npm, though it’s unsophisticated — an unmodified copy with no obfuscation. Stolen data is exfiltrated to a C2 server and uploaded to auto-generated public GitHub repositories. The axois-utils package adds HTTP, TCP, and UDP flood capabilities on top of standard credential theft.

The four packages had a combined 2,678 downloads. Developers should remove any affected packages immediately and rotate all credentials and API keys.
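
To check a project for the four package names listed above, the following added example (not part of the original digest) scans an npm `package-lock.json` in both the flat `packages` layout (lockfileVersion 2/3) and the nested `dependencies` layout (lockfileVersion 1), and also catches a flagged package installed under an npm alias. The function names, the sample lockfile and its version numbers are constructed for illustration.

```python
import json

# Package names taken from the list in this digest item.
FLAGGED = {
    "chalk-tempalte",
    "@deadcode09284814/axios-util",
    "axois-utils",
    "color-style-utils",
}

# Constructed sample lockfile (lockfileVersion 3); versions are made up.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"axios": "^1.7.0"}},
        "node_modules/axios": {"version": "1.7.2"},
        "node_modules/axois-utils": {"version": "1.0.0"},
        # npm alias: installed under another folder name, real name in "name"
        "node_modules/http-kit": {"name": "color-style-utils", "version": "0.0.3"},
        "node_modules/report/node_modules/chalk-tempalte": {"version": "2.1.0"},
    },
})


def _name_from_path(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (lockfileVersion 2/3 keys)."""
    return path.rsplit("node_modules/", 1)[-1]


def _walk_v1(deps, trail, hits):
    """Recurse the nested 'dependencies' tree used by lockfileVersion 1."""
    for name, meta in (deps or {}).items():
        here = trail + [name]
        if name in FLAGGED:
            hits.append((name, meta.get("version", "?"), " > ".join(here)))
        _walk_v1(meta.get("dependencies"), here, hits)


def scan_lockfile(text):
    """Return sorted (name, version, location) tuples for flagged packages."""
    lock = json.loads(text)
    hits = []
    if "packages" in lock:  # lockfileVersion 2 and 3
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project itself
                continue
            name = meta.get("name") or _name_from_path(path)
            if name in FLAGGED:
                hits.append((name, meta.get("version", "?"), path))
    else:  # lockfileVersion 1
        _walk_v1(lock.get("dependencies"), [], hits)
    return sorted(hits)


if __name__ == "__main__":
    for name, version, where in scan_lockfile(SAMPLE_LOCK):
        print(f"FLAGGED {name}@{version} at {where}")
```

A hit in the lockfile means the package was resolved for that project; whether it was actually installed on a given machine still has to be checked in `node_modules` and in CI caches.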

6. Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws

Several major vendors have shipped critical security patches this week:

  • Ivanti fixed CVE-2026-8043 (CVSS 9.6) in Xtraction, allowing remote authenticated attackers to read sensitive files and write arbitrary HTML, enabling information disclosure and client-side attacks.
  • Fortinet patched two CVSS 9.1 flaws: CVE-2026-44277 in FortiAuthenticator and CVE-2026-26083 in FortiSandbox/Cloud/PaaS, both allowing unauthenticated remote code execution via crafted requests.
  • SAP addressed two CVSS 9.6 vulnerabilities: an SQL injection in S/4HANA (CVE-2026-34260) exposing sensitive data, and a missing authentication check in SAP Commerce Cloud (CVE-2026-34263) enabling unauthenticated arbitrary code execution via malicious configuration upload.
  • VMware Fusion received a fix for CVE-2026-41702 (CVSS 7.8), a TOCTOU vulnerability in a SETUID binary enabling local privilege escalation to root, addressed in version 26H1.
  • n8n patched five CVSS 9.4 RCE vulnerabilities (CVE-2026-42231 through CVE-2026-44791) involving prototype pollution via XML parsing, HTTP pagination parameters, and Git CLI flag injection — all fixed in versions 1.123.43, 2.20.7, and 2.22.1.

Programmer’s Digest #184

05/06/2026-05/13/2026 ‘PCPJack’ Worm Removes TeamPCP Infections, New ZiChatBot Malware, Ollama Out-of-Bounds Read Vulnerability And More.

1. ‘PCPJack’ Worm Removes TeamPCP Infections, Steals Credentials

A threat actor has launched a campaign to evict the TeamPCP hacking group from infected environments and deploy its own malicious tools. Active since late April, the campaign uses a malware framework called PCPJack that targets credentials across multiple cloud environments and can self-propagate. It begins with a Linux shell script that scans for and removes TeamPCP artifacts, then sets up a Python environment, downloads six modules from an AWS S3 bucket, establishes persistence, and deletes itself. PCPJack steals credentials, SSH keys, .env files, and tokens for services including AWS, Kubernetes, Docker, Gmail, GitHub, Slack, and WordPress. It performs lateral movement, conducts internet-wide scanning via Common Crawl data, and exploits several known CVEs to spread further. Command-and-control is handled via Telegram.

SentinelOne also identified a second toolset linked to the same actor, targeting dozens of additional cloud services. Both toolsets are well-developed and modular, though the actor left Telegram credentials unencrypted — a notable operational security lapse.

2. New ZiChatBot Malware Uses Zulip REST APIs as Command and Control Server 

Researchers have discovered ZiChatBot, a cross-platform malware that uses Zulip’s legitimate REST API for command-and-control, allowing it to blend malicious traffic with normal developer communications. Rather than contacting a suspicious private server, it routes commands through a legitimate chat platform — making it harder to detect via standard network monitoring. The malware was distributed through three fake PyPI packages — uuid32-utils, colorinal, and termncolor — designed to mimic common developer libraries. Once installed, they silently dropped the ZiChatBot payload. Kaspersky analysts noted a 64% code similarity between ZiChatBot’s dropper and tooling linked to OceanLotus (APT32), suggesting possible attribution.

ZiChatBot exfiltrates system data and executes shellcode received via Zulip channel messages, signaling completion with a heart emoji. On Windows it persists via a registry entry; on Linux via crontab. The malicious PyPI packages have since been removed and the attacker’s Zulip organization deactivated, though already-infected systems may still attempt contact.

3. RubyGems Suspends New Signups After Hundreds of Malicious Packages Are Uploaded

RubyGems, the official package manager for Ruby, has temporarily stopped new account registrations after a major malicious attack. The attack involved hundreds of packages, mostly targeting Mend.io, with some containing exploits. Visitors to the RubyGems sign-up page now see a notice stating that new account registration has been disabled temporarily. Mend.io, which helps secure RubyGems, said more details will be shared once the situation is under control. The attackers have not yet been identified. 

The incident highlights the growing threat of software supply chain attacks on open-source ecosystems. Cybercriminal groups have increasingly compromised popular packages to spread credential-stealing malware, steal sensitive data, and expand attacks.

4. New cPanel Vulnerabilities Could Allow File Access And Remote Code Execution

cPanel has patched three vulnerabilities in cPanel & WHM that could allow file reads, arbitrary code execution, and privilege escalation. The three flaws are: CVE-2026-29201 (CVSS 4.3), an input validation issue enabling arbitrary file reads; CVE-2026-29202 (CVSS 8.8), improper validation in the create_user API allowing authenticated attackers to execute arbitrary Perl code; and CVE-2026-29203 (CVSS 8.8), unsafe symlink handling that could let users manipulate file permissions via chmod, potentially enabling privilege escalation or denial-of-service. Fixes are available across versions 11.136.0.9, 11.134.0.25, 11.132.0.31, and newer builds. No active exploitation of these three flaws has been reported, though the disclosure follows closely on the heels of CVE-2026-41940 — a critical authentication bypass (CVSS 9.3) already added to CISA’s KEV catalog and actively used to deploy Mirai botnet variants. 

5. Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak

Cybersecurity researchers have disclosed a critical vulnerability in Ollama that could let remote attackers leak sensitive process memory from exposed servers. The flaw, tracked as CVE-2026-7482 and nicknamed “Bleeding Llama,” affects Ollama before version 0.17.1 and has a CVSS score of 9.1. Researchers estimate more than 300,000 servers may be exposed. The issue stems from an out-of-bounds read vulnerability in Ollama’s GGUF model loader. By uploading a specially crafted GGUF file through the /api/create endpoint, attackers can force the server to read beyond allocated memory and potentially steal API keys, environment variables, system prompts, and user conversations. The stolen data can then be exfiltrated using the /api/push endpoint.

Researchers also uncovered two unpatched Windows update flaws that can enable persistent code execution. Users are urged to update Ollama, restrict network exposure, disable automatic updates, and secure instances behind authentication proxies and firewalls.

6. Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages

TeamPCP, the threat group behind recent supply chain attacks, has been linked to a new “Mini Shai-Hulud” campaign targeting npm and PyPI packages tied to TanStack, Mistral AI, UiPath, OpenSearch, and Guardrails AI. More than 170 compromised packages with over 518 million downloads were affected.

The malicious packages contained obfuscated JavaScript malware designed to steal credentials from cloud providers, cryptocurrency wallets, AI tools, GitHub Actions, and developer environments. The malware also established persistence in IDEs like VS Code and Claude Code, injected malicious GitHub Actions workflows, and exfiltrated stolen data through multiple channels. Researchers said the attackers abused GitHub Actions and trusted publishing workflows to distribute validly signed malicious packages, marking one of the first known npm worms with legitimate SLSA Level 3 attestations. Some variants also included destructive “wiper” behavior that could erase developer systems if malicious npm tokens were revoked improperly.

7. Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise

Trend Micro researchers have uncovered a previously undocumented Linux implant called Quasar Linux RAT (QLNX), designed to silently compromise developer environments and enable extensive post-exploitation activity.

QLNX specifically targets supply chain credentials, harvesting secrets from files such as .npmrc, .pypirc, .aws/credentials, .kube/config, GitHub CLI tokens, and .env files — giving attackers potential access to NPM/PyPI publishing pipelines, cloud infrastructure, and CI/CD systems.

The implant runs fileless from memory, disguises itself as a kernel thread, wipes system logs, and establishes persistence via up to seven methods including systemd, crontab, and .bashrc injection. It supports 58 commands covering shell execution, file management, keylogging, screenshots, SOCKS proxying, and P2P mesh networking. A PAM hook backdoor intercepts plaintext credentials during authentication events.

QLNX employs a two-tiered rootkit: a userland component using LD_PRELOAD and a kernel-level eBPF module that hides processes, files, and network ports from standard tools. Its delivery method remains unknown.


Programmer’s Digest #183

04/29/2026-05/06/2026 Palo Alto PAN-OS Flaw, Critical cPanel Vulnerability, Linux Kernel Flaw And More.

1. Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution

Palo Alto Networks has warned of active exploitation of a critical buffer overflow flaw in its PAN-OS software (CVE-2026-0300). The vulnerability enables unauthenticated remote code execution with root privileges via the User-ID Authentication Portal (Captive Portal). It has a CVSS score of 9.3 when the portal is exposed to the internet, and 8.7 when restricted to trusted internal networks. The issue is under limited real-world exploitation, mainly targeting publicly accessible portals. Affected versions include multiple releases across PAN-OS 10.2, 11.1, 11.2, and 12.1. No patch is currently available, though fixes are expected starting May 13, 2026. The flaw only impacts PA-Series and VM-Series firewalls using the User-ID Authentication Portal. To reduce risk, users should restrict portal access to trusted networks or disable it if unnecessary. Systems following standard security practices face significantly lower exposure.

2. Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks

A previously unknown threat actor has been observed targeting government and military entities in Southeast Asia — alongside MSPs and hosting providers in the Philippines, Laos, Canada, South Africa, and the U.S. — by exploiting CVE-2026-41940, the critical cPanel authentication bypass. Activity was detected by Ctrl-Alt-Intel on May 2, 2026, with attacks originating from IP address 95.111.250[.]175 and using publicly available PoCs. The actor separately deployed a custom exploit chain against an Indonesian defense training portal, combining authenticated SQL injection with RCE after defeating CAPTCHA by reading the expected value directly from the server-issued session cookie. Post-compromise tooling includes the AdaptixC2 framework, OpenVPN, Ligolo, and systemd persistence, used to pivot internally and exfiltrate Chinese railway-sector documents. Censys confirmed multiple independent threat actors weaponized CVE-2026-41940 within 24 hours of disclosure, including Mirai botnet operators and a ransomware strain called Sorry. Shadowserver recorded at least 44,000 compromised IPs conducting honeypot scanning on April 30, dropping to 3,540 by May 3. 

3. Nine-year-old Linux Kernel Flaw Enables Reliable Local Privilege Escalation (CVE-2026-31431)

Security researchers have revealed CVE-2026-31431, a high-severity Linux kernel local privilege escalation flaw dubbed “Copy Fail.” It affects most distributions released since 2017, and a public proof-of-concept exploit is already available. The bug stems from combined kernel changes over time and allows an unprivileged user to overwrite 4 bytes in the page cache of readable files, enabling root access. While it requires local access, attackers can chain it with other entry points like web RCE, SSH access, or CI compromises.

Unlike earlier flaws such as Dirty COW or Dirty Pipe, Copy Fail is reliable, requires no race condition, leaves no disk traces, and works across many systems. It can also escape containers.

Admins should prioritize patching multi-tenant systems, CI environments, and cloud platforms. If patching isn’t possible, mitigation includes blocking AF_ALG sockets or disabling the algif_aead module.
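
For the module-based mitigation named above, this added example (not part of the original digest) audits whether algif_aead is currently loaded and whether modprobe configuration actually prevents it from being loaded. It assumes the standard Linux locations `/proc/modules` and `/etc/modprobe.d/*.conf`; the function names, verdict strings and sample inputs are constructed for illustration, and the AF_ALG socket-blocking option is not covered.

```python
import glob

MODULE = "algif_aead"
NOOP_COMMANDS = {"/bin/false", "/bin/true", "/usr/bin/false", "/usr/bin/true"}

# Constructed samples in the formats of /proc/modules and modprobe.d(5).
SAMPLE_PROC_MODULES = (
    "algif_aead 16384 0 - Live 0x0000000000000000\n"
    "af_alg 32768 1 algif_aead, Live 0x0000000000000000\n"
)
SAMPLE_CONF = "# AF_ALG AEAD interface not needed here\ninstall algif-aead /bin/false\n"


def module_loaded(proc_modules_text, module=MODULE):
    """True if `module` is listed in /proc/modules-style text."""
    return any(line.split()[:1] == [module] for line in proc_modules_text.splitlines())


def load_policy(conf_text, module=MODULE):
    """Classify modprobe.d text as 'blocked', 'blacklist-only' or 'unrestricted'."""
    blocked = blacklisted = False
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        # modprobe treats '-' and '_' in module names as equivalent
        if len(fields) < 2 or fields[1].replace("-", "_") != module:
            continue
        if fields[0] == "install" and fields[2:3] and fields[2] in NOOP_COMMANDS:
            blocked = True
        elif fields[0] == "blacklist":
            blacklisted = True
    if blocked:
        return "blocked"
    # 'blacklist' only suppresses alias-based autoloading; a load by module
    # name still succeeds, so it is reported separately here.
    return "blacklist-only" if blacklisted else "unrestricted"


def assess(proc_modules_text, conf_text, module=MODULE):
    """Combine runtime state and load policy into one verdict."""
    policy = load_policy(conf_text, module)
    if module_loaded(proc_modules_text, module):
        # A blocked module that is already loaded stays usable until
        # it is unloaded or the host reboots.
        return "blocked-but-loaded" if policy == "blocked" else "exposed"
    return "mitigated" if policy == "blocked" else "loadable"


if __name__ == "__main__":
    with open("/proc/modules") as fh:
        live = fh.read()
    conf = ""
    for path in sorted(glob.glob("/etc/modprobe.d/*.conf")):
        with open(path) as fh:
            conf += fh.read() + "\n"
    print(MODULE, "->", assess(live, conf))
```

A kernel with the interface built in rather than modular shows nothing in `/proc/modules` and is unaffected by modprobe.d, so this check does not apply there.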

4. Progress Warns of Critical MOVEit Automation Auth Bypass Flaw

Progress Software has urged customers to patch a critical authentication bypass flaw in its MOVEit Automation managed file transfer solution.

Tracked as CVE-2026-4670, the vulnerability affects versions before 2025.1.5, 2025.0.9, and 2024.1.8. It allows remote, unauthenticated attackers to exploit systems with low effort and no user interaction. Progress says upgrading to a patched version is the only fix and requires system downtime.

The company also patched a high-severity privilege escalation bug (CVE-2026-5174). Over 1,400 MOVEit Automation instances are exposed online, including some tied to U.S. government agencies, though it’s unclear how many are secured.

While these flaws are not yet known to be exploited, MOVEit products have been targeted before. Notably, the Clop ransomware group used a MOVEit Transfer zero-day in 2023, impacting over 2,100 organizations and 62 million people.

5. CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV

CISA has added CVE-2026-31431, a Linux kernel flaw known as “Copy Fail,” to its KEV catalog, citing active attacks. The bug is a local privilege escalation issue that lets unprivileged users gain root access. Affecting Linux systems since 2017, the flaw stems from a logic error in the kernel’s authentication cryptographic template. Attackers can exploit it with a small script to overwrite memory in the page cache, effectively modifying binaries at runtime without changing files on disk. This enables code injection into privileged programs and full system compromise.

Security firms like Kaspersky warn it also threatens container environments, potentially breaking isolation and exposing host systems. Exploitation is simple, reliable, and hard to detect.

CISA urges organizations to patch immediately or apply mitigations such as disabling affected features, restricting access, and isolating systems.
