
Supply Chains Hit, Drupal SQLi Fix, And New Cloud Security Tools
Coverage: 20 May 2026 (UTC)
Threat activity against developer ecosystems and build pipelines dominated the day, alongside a maximum‑severity CMS fix and new cloud security capabilities. Organizations face concurrent pressure to patch, rotate secrets, and harden CI/CD, while major providers introduced features aimed at reducing identity risk and improving operational scale for modern workloads.
Developer Supply Chains Under Pressure
GitHub is investigating claims by the threat actor TeamPCP that roughly 3,800 internal repositories were exfiltrated. The activity was traced to an employee device compromised through a poisoned Visual Studio Code extension. GitHub says current findings point to GitHub‑internal repositories only, with no evidence so far that customer data beyond those repositories was affected. It reports that the compromise has been contained and that critical secrets have been rotated, starting with the highest‑impact credentials; customers will be notified through established channels if further impact is found. The initial vector is worth noting: an editor extension runs with the developer's own privileges, so whatever credentials that workstation could reach define the blast radius of a single bad install.
Microsoft detailed a supply‑chain compromise of the @antv npm account that introduced a ~499 KB obfuscated payload, executed by an install‑time script during npm install and selectively targeting Linux GitHub Actions runners. The code harvested secrets from platforms including GitHub, AWS, HashiCorp Vault, npm, Kubernetes, and 1Password, attempted privilege escalation and DNS manipulation, and used two exfiltration paths: encrypted HTTPS C2 and the Git Data API. The blast radius extended downstream into dependent packages such as echarts‑for‑react. In response, GitHub removed hundreds of malicious packages and invalidated tens of thousands of npm granular access tokens with write permissions, while Microsoft published hunting queries, detections, and mitigations (for example, installing with --ignore-scripts), urging audits of dependencies and rotation of any credentials that were present on affected runners.
Microsoft also announced disruption of a malware‑signing‑as‑a‑service operation (OpFauxSign) run by a group it tracks as Fox Tempest. The actor abused Artifact Signing to obtain short‑lived fraudulent certificates (reportedly ~72 hours) that let malicious binaries appear legitimate, enabling distribution of payloads tied to ransomware and infostealers. Microsoft seized the SignSpace site, took hundreds of virtual machines offline, and revoked illicit certificates after testing the service between February and March 2026. The campaign reportedly leveraged stolen U.S. and Canadian identities for validation, evolved to preconfigured VMs hosted on Cloudzy, and distributed signed malware via purchased ads and fake download pages.
Urgent Fixes and Mitigations
Drupal released emergency updates for CVE‑2026‑9082, a maximum‑severity SQL injection flaw in the database abstraction API affecting sites that use PostgreSQL. An anonymous remote attacker could exploit it for information disclosure, privilege escalation, remote code execution, and downstream attacks. The coordinated update also addresses upstream dependencies, with fixes for Symfony and Twig (Twig updated to 3.26.0), and is available for the supported branches 11.3, 11.2, 10.6, and 10.5. Older branches are end‑of‑life, with best‑effort unsupported patches planned; Drupal 7 is not affected. Sites behind the Drupal Steward WAF are protected against the known vectors only and should still upgrade. Guidance emphasizes applying the core update immediately, auditing who holds Twig template update permissions, reviewing PostgreSQL and WAF logs for suspicious anonymous activity, and migrating EOL instances. Given the anonymous reach and the RCE outcome, any sign of exploitation in those logs should be handled as a potential full‑site compromise rather than a database‑only incident.
Microsoft provided interim mitigations for a publicly disclosed Windows BitLocker zero‑day dubbed YellowKey (CVE‑2026‑45585). A proof‑of‑concept by an anonymous researcher showed exploitation via specially crafted FsTx files on a USB drive or the EFI partition, with execution in WinRE, enabling access to BitLocker‑protected volumes. Mitigations include removing the autofstx.exe entry from the Session Manager's BootExecute value, re‑establishing BitLocker trust for WinRE, and reconfiguring encrypted devices from TPM‑only to TPM+PIN, with policy guidance for enforcing a startup PIN through Intune or Group Policy. The last step matters most: a TPM‑only protector releases the volume key automatically once measured boot passes, so a pre‑boot code path such as WinRE can reach the unlocked volume without any user interaction, whereas a PIN is a factor the pre‑boot environment cannot supply on its own.
Cloud Security and Operations Updates
AWS expanded Security Hub to surface identity risks from unused IAM permissions, roles, and credentials across an organization. A service‑linked IAM Access Analyzer is automatically provisioned per account, and findings are based on 90 days of observed activity to prioritize least‑privilege remediation. Security Hub correlates identity findings with exposure context and generates on‑demand recommended policies, with capabilities included in Security Hub Essentials. In parallel, AWS broadened the Security Hub Extended plan to 21 curated partner solutions across nine categories, adding seven new integrations and standardizing pay‑as‑you‑go procurement, single‑invoice billing, OCSF‑normalized findings, and unified support for AWS Enterprise Support customers.
AWS enabled federated permissions for AWS Transfer Family web apps across Regions via IAM Identity Center multi‑Region replication, allowing immediate SSO access without reconfiguring user credentials. The change reduces latency for regional users, improves reliability through geographic distribution, and simplifies governance with consistent workforce identities. Additionally, AWS brought native EBS task attachment for Amazon ECS to GovCloud Regions, automating volume lifecycle tasks (provisioning, attach, format, de‑provision) and supporting creation from snapshots across EC2, Fargate, and Managed Instances to streamline stateful container workloads under stricter compliance regimes.
AWS launched a new Local Zone in Istanbul, Türkiye, delivering single‑digit millisecond latency for metro‑area workloads and supporting services including EC2 (C7i, M7i, R7i), S3 (One Zone‑IA), EBS (with Local Snapshots and multiple volume types), ECS, EKS, VPC, Direct Connect, and Application Load Balancer. The deployment targets data residency needs and performance‑sensitive use cases such as AI/ML inference, gaming, and real‑time applications. For ML operations, SageMaker HyperPod added data capture for inference workloads, enabling asynchronous recording of requests and responses to S3 with configurable sampling and KMS encryption. Capture points can be placed at the endpoint, load balancer, or model pod to improve monitoring, compliance, debugging, and drift detection.
AI Engineering and Agent Infrastructure
Microsoft open‑sourced RAMPART and Clarity to embed agent safety into standard development workflows. RAMPART, built atop PyRIT, lets teams encode adversarial and benign scenarios as pytest‑style tests that run in CI, with composable evaluators that examine tool use and observable outcomes. Clarity provides a structured environment for problem definition, failure analysis, and decision capture as human‑readable markdown stored in a .clarity‑protocol directory, with multiple independent AI “thinkers” highlighting security, human factors, adversarial, and operational concerns. Together, they aim to turn red‑team findings into reproducible tests and maintain living safety artifacts across a system’s lifecycle.
Google moved GKE Agent Sandbox to general availability and introduced the open‑source Agent Substrate to meet agentic workload scale and latency needs. Agent Sandbox delivers a secure runtime for untrusted agent logic with pod snapshots, an integrated warm pool, and standby suspended VMs, targeting allocations of up to 300 sandboxes per second per cluster at sub‑second latency (90% within 200 ms). Security and isolation features include gVisor, default‑deny network policy, and pluggable kernel isolation such as Kata Containers, with reported price‑performance gains on Axion processors. Agent Substrate complements the runtime with a minimal control plane and scheduler innovations to handle millions of short‑lived tool calls.
Google also added benchmarking and debugging capabilities in AI Edge Portal to optimize on‑device LLMs across diverse Android hardware. The service automates generative AI benchmarks across a lab of 120+ device types, supports CPU and GPU runs for LiteRT‑LM models, and profiles initialization time, prefill and decode speeds, and peak memory to surface latency bottlenecks and OOM risks. A built‑in Model Explorer offers graph visualization, node search, tensor tracing, and side‑by‑side comparison, with collaboration features to accelerate debugging. The portal is in private preview at no charge for allowlisted Google Cloud customers during the preview period.