
All news in category “Incidents and Data Breaches”

2703 articles · page 2 of 136

Microsoft Disrupts Malware-Signing-as-a-Service Operation

🔒 Microsoft says it disrupted a malware-signing-as-a-service operation, codenamed OpFauxSign, that abused Artifact Signing to produce short-lived fraudulent code-signing certificates and deliver signed malware. The company seized the SignSpace site signspace[.]cloud, took hundreds of virtual machines offline, and blocked hosting for the underlying code. Operators tied to the group, called Fox Tempest, sold signing services for $5,000–$9,000 and facilitated distribution of Rhysida ransomware and loaders like Oyster. Microsoft added that the actor likely used stolen U.S. and Canadian identities to pass verification and repeatedly adapted its tradecraft as defenders revoked certificates.

SHub Reaper: macOS infostealer impersonates vendors

🛡️ SentinelOne researchers describe a new SHub variant named Reaper that targets macOS users by impersonating Apple, Google, and Microsoft across a single attack chain. The campaign uses fake security alerts and a ClickFix-style workflow to trick victims into running malicious AppleScript via the applescript:// URI handler and the Script Editor, bypassing Terminal paste protections. Reaper performs environment checks, drops payloads, and establishes persistence through LaunchAgents, then harvests credentials, Keychain items, cryptocurrency wallets, and messaging data. Defenders are advised to shift toward behavior-based detection and monitor Script Editor, osascript, and suspicious LaunchAgent activity.

Webworm APT Expands into Europe, Deploys New Backdoors

🔒 ESET researchers report that the China-aligned APT group Webworm expanded operations in 2025 to target European government organizations in Belgium, Italy, Poland, Serbia and Spain, and also compromised a university in South Africa. Analysis presented at ESET World on 19 May by Robert Lipovsky described the campaign as largely semi-opportunistic, with some cases linked to legacy vulnerabilities such as a discontinued SquirrelMail flaw. The group introduced two new backdoors — Discord-based EchoCreep and Microsoft Graph-based GraphWorm — and continues to use a complex set of proxy tools and cloud-based data exfiltration techniques.

GitHub Confirms Breach After Malicious VS Code Extension

🔒 GitHub confirmed that a third party accessed roughly 3,800 internal repositories after a likely “poisoned” Visual Studio Code extension was found on an employee device on May 19. The intrusion was claimed by the TeamPCP group, which posted on the Breached forum and linked the access to private source code. GitHub says it has contained the incident, removed the malicious extension, isolated the endpoint and prioritized rotation of critical secrets. The company will publish a more detailed report when its investigation is complete.

CypherLoc scareware locks browsers, targets users globally

🔒 Security researchers warn of a new scareware strain, CypherLoc, used in around 2.8 million attacks since early 2026. The campaign starts with phishing that directs victims to a malicious page which only activates when specific URL fragments and cryptographic checks pass. Once triggered, the code forces full-screen browser lockdowns, disables controls, displays fake security warnings and a fraudulent support number, with operators posing as Microsoft support. Barracuda urges anti-phishing, browser and endpoint protections and user education to mitigate the threat.

Webworm APT's 2025 Shift: New Burrowing Tactics and Proxies

🛡️ ESET researchers analyzed Webworm’s 2025 campaigns and found a shift from traditional RATs to stealthier proxy tools and two new backdoors, EchoCreep and GraphWorm, which abuse Discord and the Microsoft Graph API for C2. They decrypted over 400 Discord messages, uncovered GitHub staging repositories and a compromised Amazon S3 bucket, linking infrastructure to Vultr and IT7 Networks. Victims across Europe and South Africa were targeted; identified services have been taken down and impacted parties notified.

FBI Issues Advisory After ShinyHunters Breach of Canvas LMS

⚠️ The FBI's IC3 issued an advisory on 15 May 2026 about the ShinyHunters extortion gang breaching an online learning management system used by US educational institutions. Although the advisory avoided naming the vendor, reporting and Instructure's confirmation made clear Canvas was affected, and the company reportedly paid a ransom after receiving alleged 'shred logs'. The FBI advises victims not to engage with extortionists, to enable multi-factor authentication, and to remain vigilant against phishing, harassment, and swatting; students and staff should assume their data may be exposed and await official guidance.

GitHub Breach: ~3,800 Repos Stolen via VS Code Extension

🔒 GitHub confirmed that roughly 3,800 internal repositories were breached after an employee installed a trojanized VS Code extension; the company removed the malicious version from the Marketplace and isolated the compromised device. It says its current assessment indicates exfiltration was limited to GitHub-internal repositories and that it has found no evidence so far of customer data outside the affected repos being impacted. The incident is under active investigation while GitHub continues incident response.

Grafana Labs GitHub Breach Exposes Internal Repositories

🔒 Grafana Labs said an investigation into its May 11, 2026 incident found no evidence that customer production systems or Grafana Cloud operations were compromised. The company said the scope was limited to its GitHub environment, where both public and private source code and internal repositories containing business contact names and emails were accessed. Grafana attributed the breach to the TanStack npm supply chain attack by TeamPCP, rotated tokens, enhanced monitoring, and audited commits to secure its repositories.

GitHub Probes Alleged Internal Repositories Breach

🔒 GitHub is investigating unauthorized access to its internal repositories after the hacker group TeamPCP posted on the Breached forum claiming possession of approximately 4,000 private code repositories and seeking at least $50,000. GitHub said it currently has no evidence that customer data stored outside its internal repositories was affected and is monitoring infrastructure for follow-on activity. The company will notify any affected customers through established incident channels. TeamPCP has been linked to previous supply-chain compromises, raising broader concerns.

GitHub Investigates Internal Repo Breach and Sale Claims

🔒 GitHub is investigating unauthorized access to internal repositories after threat actor TeamPCP listed what it claims is the platform's source code and internal org data for sale. The company says it has no current evidence of customer impact outside internal repositories and has rotated critical secrets while monitoring for follow-on activity. GitHub reported that the compromise involved a poisoned Visual Studio Code extension and that its findings are directionally consistent with the attacker's claim of ~3,800 repositories.

Microsoft Disrupts Malware-Signing Service Abusing Artifact

🔒 Microsoft says it disrupted a malware-signing-as-a-service operation that abused its Azure Artifact Signing platform to generate fraudulent short-lived code-signing certificates used by ransomware gangs and other cybercriminals. The actor, tracked as Fox Tempest, created over 1,000 certificates and hundreds of Azure tenants and subscriptions. Microsoft seized the signspace[.]cloud domain, took virtual machines offline, revoked certificates, and filed a lawsuit in the Southern District of New York.

Contractor Exposed CISA and GovCloud Credentials Publicly

🔒 A public GitHub repository tied to a suspected CISA contractor exposed plain-text credentials—AWS tokens, GitHub access tokens, Kubernetes files, workflows and internal documents—discovered on May 14 by GitGuardian. The repo, active since November 13, 2025, contained roughly 844 MB of data and was taken offline within a day after disclosure. CISA is investigating and reports no current indication of sensitive compromise. Experts recommend centralized secret management, automated secret scanning, strict vendor controls and MFA to prevent similar exposures.

Storm-2949 Abuses SSPR and MFA to Exfiltrate Azure Data

🔐 Microsoft reports that a threat actor tracked as Storm-2949 is abusing Self-Service Password Reset (SSPR) and social engineering to steal Microsoft Entra ID credentials and bypass MFA for privileged users. The attackers trick targets into approving authentication prompts, reset passwords, remove MFA, and enroll Microsoft Authenticator on attacker devices. Using Microsoft Graph and custom scripts they enumerate tenants, exfiltrate files from OneDrive and SharePoint, and pivot into Azure to harvest secrets from Key Vaults, storage accounts, and SQL databases. Microsoft recommends least privilege, conditional access, phishing-resistant MFA for admins, limiting RBAC, and extended Key Vault logging to mitigate these attacks.

npm supply-chain attack compromises AntV packages

🔒 The npm registry suffered a fast-moving supply-chain compromise on May 19 after attackers gained access to a high-privilege maintainer account (atool), pushing 637 malicious versions across 317 packages and infecting a large portion of the AntV namespace. The payload, a Mini-Shai-Hulud worm, steals npm/GitHub tokens and credentials and exfiltrates data to public GitHub repositories. AntV maintainers deleted infected versions, deprecated remaining packages, and advised users to audit, rotate credentials, and install known-safe releases.

Fox Tempest MSaaS Disruption and Artifact Signing Abuse

🔒 Fox Tempest operated a malware-signing-as-a-service that abused Microsoft Artifact Signing to generate short-lived fraudulent code-signing certificates, allowing signed malware to bypass controls. Microsoft tracked the actor since September 2025 and disrupted the MSaaS in May 2026, revoking over one thousand certificates and targeting the infrastructure. The group used hundreds of Azure tenants, preconfigured VMs on Cloudzy, and charged customers thousands for signing malicious binaries; Microsoft provides detections, IOCs, and mitigations to help defenders respond.

Microsoft Disrupts Fox Tempest Malware Signing Network

🔒 Microsoft exposed and disrupted Fox Tempest, a criminal service selling malware-signing-as-a-service that helped disguise malware like Oyster, Lumma Stealer and Vidar as legitimate software. The Digital Crimes Unit used undercover personas to map the group's infrastructure and worked with hosting providers to sinkhole domains, disable virtual machines and suspend accounts. Microsoft filed a civil action in early May and unsealed a New York case on May 19.

Shai-Hulud Campaign Infects 600+ npm Packages in AntV

⚠️ The Shai-Hulud campaign rapidly published more than 600 malicious npm package versions across 323 unique packages, primarily targeting the @antv ecosystem but also compromising other widely used libraries. The injected, obfuscated payloads harvest developer and CI/CD secrets and exfiltrate data via the Session P2P network, with GitHub used as a fallback repository to publish stolen artifacts. Researchers from Socket and Endor Labs report the attack includes self-propagation, token reuse, and abuse of CI OIDC tokens, allowing malicious packages to appear legitimately signed. Developers should uninstall affected packages and rotate any exposed credentials immediately.

7-Eleven Confirms Data Breach Claimed by ShinyHunters

🔒 7-Eleven disclosed that an unauthorized party accessed systems used to store franchisee documents on April 8, 2026, and began notifying affected individuals on May 1. The company has not provided details on the number of affected people or specific data types exposed. The extortion group ShinyHunters claimed responsibility on April 17, alleging the theft of over 600,000 records from the company's Salesforce environment and later leaking a 9.4GB archive after ransom talks failed. 7-Eleven said it launched an investigation but has not commented further.

Grafana Labs Confirms Codebase Stolen, Ransom Demanded

🔒 Grafana Labs disclosed that an unauthorized party obtained a token granting access to its GitHub environment and downloaded portions of its source code. The company says its investigation found that no customer data or personal information was accessed and no customer systems were impacted. It invalidated the compromised credentials, initiated forensic analysis, and implemented additional security controls. Extortion demands were reportedly received, but Grafana has declined to pay.