Massive Supply Chain Attacks Rock GitHub &amp; Laravel; CISA Contractor Leaks GovCloud Keys

Unprotected API at Trump Mobile Exposes Personal Information of 27,000 T1 Smartphone Pre-Order Customers

Trump Mobile is investigating a significant data exposure incident affecting approximately 27,000 customers who pre-ordered the company's T1 smartphone. A security researcher discovered an unprotected API endpoint that allowed public access to customer records, including names, email addresses, mailing addresses, and phone numbers. The vulnerability, which did not require authentication, could be queried to retrieve customer data in batches. While Trump Mobile stated that sensitive financial data was not compromised, the incident highlights critical security gaps in customer data protection, potentially stemming from a third-party platform used by the company.

API SecurityData LeakPIIBOLAInsecure API +2 more

Trump Mobile API Flaw Exposes Personal Data of 27,000 Smartphone Pre-Order Customers

CISA Contractor Leaks AWS GovCloud Keys and Internal System Credentials on Public GitHub Repo

Major Security Lapse at CISA: Contractor Exposes GovCloud Keys and Internal Credentials on Public GitHub Repository

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is under congressional investigation after a contractor exposed highly sensitive credentials on a public GitHub repository. The repository, named 'Private-CISA,' contained plaintext credentials for AWS GovCloud accounts, SSH keys, and access tokens for internal CISA systems like Artifactory. The data, totaling 844 MB, was reportedly exposed for months, having been active since November 2025. It was used by the contractor to sync files between work and home. Researchers from GitGuardian discovered the leak and noted that the contractor appeared to have deliberately disabled GitHub's secret-scanning protections. While CISA states there is no evidence of compromise, the incident raises severe concerns about the agency's vendor management and internal data handling policies.

CISAData LeakGitHubAWS GovCloudCredential Leak +2 more

6 min read

CISA Contractor Leaks AWS GovCloud Keys and Internal System Credentials on Public GitHub Repo

‘Megalodon’ Campaign Hits 5,500+ GitHub Repos in Automated CI/CD Supply Chain Attack

CRITICAL

Automated 'Megalodon' Attack Compromises Over 5,500 GitHub Repos by Injecting Malicious CI/CD Workflows

A massive, automated supply chain attack dubbed 'Megalodon' has compromised over 5,500 public GitHub repositories in just six hours. The attackers pushed thousands of malicious commits that altered CI/CD workflow files, backdooring the build processes of the affected projects. Research from Hudson Rock indicates the attack was enabled by the large-scale theft of GitHub credentials from developers infected with information-stealing malware. Over a third of the compromised repository owners were found on lists of known infostealer victims. This campaign, along with similar attacks from the group TeamPCP, signals a new era of widespread, automated assaults on the software supply chain, prompting defensive measures from platforms like npm.

MegalodonSupply Chain AttackGitHubCI/CDInfostealer +2 more

6 min read

‘Megalodon’ Campaign Hits 5,500+ GitHub Repos in Automated CI/CD Supply Chain Attack

TeamPCP Threat Actor Breaches TanStack in 'Mini Shai-Hulud' Supply Chain Campaign

Financially Motivated Threat Actor TeamPCP Compromises TanStack Library in 'Mini Shai-Hulud' Supply Chain Attack

The financially motivated threat group 'TeamPCP' has been identified as the actor behind the 'Mini Shai-Hulud' supply chain campaign, which recently compromised the popular TanStack open-source library. The attack, which also targeted the npm and PyPI ecosystems, involved publishing malicious packages that, when downloaded by developers, execute a credential-stealing payload. The compromise of TanStack, a widely used suite of tools for web application development, represents a significant threat to the numerous downstream projects that depend on it. This incident is part of a growing trend of software supply chain poisoning attacks aimed at compromising developer environments to steal sensitive secrets.

TeamPCPMini Shai-HuludTanStackSupply Chain Attacknpm +2 more

TeamPCP Threat Actor Breaches TanStack in 'Mini Shai-Hulud' Supply Chain Campaign

Akamai Report: Financial Sector Under Siege from AI-Powered Botnets and Escalating DDoS Attacks

INFORMATIONAL

New Akamai Report Finds Financial Services Targeted by AI-Empowered Botnets and Sustained DDoS Campaigns

According to a new 'State of the Internet' report from Akamai, the financial services sector is facing a growing threat from increasingly sophisticated cyberattacks. The report highlights the use of AI-empowered botnets that operate with greater speed and autonomy, launching what Akamai's Advisory CISO calls a 'sustained siege' rather than simple nuisance attacks. Digital transformation has expanded the attack surface, with API vulnerabilities being a key area of risk. The report, echoed by other industry leaders, concludes that financial institutions must adopt AI-driven defensive technologies to combat AI-weaponizing adversaries, particularly against threats like Authorized Push Payment (APP) fraud and advanced DDoS attacks.

AkamaiThreat IntelligenceAIBotnetDDoS +2 more

Akamai Report: Financial Sector Under Siege from AI-Powered Botnets and Escalating DDoS Attacks

'Trapdoor' Android Ad Fraud Campaign Used 455 Malicious Apps to Hijack Millions of Devices

Massive 'Trapdoor' Android Ad Fraud Operation Generated 659 Million Fake Ad Requests Daily via 455 Malicious Apps

A sophisticated and large-scale Android ad fraud operation named 'Trapdoor' has been uncovered by security researchers. The campaign involved a network of 455 malicious apps, downloaded over 24 million times from the Google Play Store, that worked together to generate massive fraudulent ad revenue. The operation used a two-stage approach: initial 'dropper' apps would trick users into installing a secondary, more malicious app. This second app would then load hidden browser windows to generate fake ad clicks, at its peak creating 659 million fraudulent ad bid requests in a single day. The malware cleverly evaded detection by remaining dormant unless the user had been acquired through a paid malvertising campaign. Google has since removed the identified apps.

TrapdoorAndroidMalwareAd FraudGoogle Play Store +1 more

6 min read

'Trapdoor' Android Ad Fraud Campaign Used 455 Malicious Apps to Hijack Millions of Devices

Updated Articles (5)

TanStack Details Sophisticated Supply Chain Attack That Compromised 42 npm Packages

CRITICAL

TanStack Reveals Novel Supply Chain Attack Using GitHub Actions Cache Poisoning and OIDC Token Theft

Grafana Labs confirmed theft of source code and internal data by 'CoinbaseCartel' extortion group. This breach was a direct consequence of the TanStack supply chain attack. Attackers exploited a single workflow token, stolen via the malicious TanStack npm package, which was missed during Grafana's credential rotation. This incident demonstrates the severe, cascading impact of supply chain compromises and the critical need for thorough remediation. The stolen code could be weaponized, increasing systemic risk.

May 19, 2026

TanStacknpmSupply Chain AttackGitHub ActionsOIDC +3 more

TanStack Details Sophisticated Supply Chain Attack That Compromised 42 npm Packages

NYC Health + Hospitals Breach May Affect 1.8 Million Patients and Employees

Massive Data Breach at NYC Health + Hospitals Exposes Data of 1.8 Million Individuals

New details reveal the NYC Health + Hospitals data breach, affecting 1.8 million individuals, stemmed from a compromise at an unnamed third-party vendor. Attackers maintained network access from November 2025 to February 2026, indicating a significant dwell time. Crucially, the exposed data now includes highly sensitive biometric information such as fingerprints and palm prints, in addition to medical records, diagnoses, Social Security numbers, and financial details. The inclusion of immutable biometric data significantly escalates the long-term risk of identity theft for affected individuals, as this information cannot be changed or revoked, posing a permanent threat.

May 20, 2026

Data BreachHealthcareHIPAAProtected Health InformationNYC

NYC Health + Hospitals Breach May Affect 1.8 Million Patients and Employees

Chinese APT 'Webworm' Uses Discord and MS Graph API for C2 in New Backdoor Attacks

'Webworm' APT Group Deploys 'EchoCreep' and 'GraphWorm' Backdoors Targeting Government and Enterprise

New research from ESET confirms Webworm's expanded targeting to specific government entities in Belgium, Italy, Poland, Spain, and South Africa. The GraphWorm backdoor is now detailed to leverage OneDrive as a dead-drop for C2 and exfiltration, with compromised AWS S3 buckets also used for data exfiltration. ESET successfully decrypted over 400 Discord webhook messages from EchoCreep, providing deeper insights into its operation. The update also includes more specific hunting hints, such as URL patterns for Discord webhooks and Microsoft Graph API, and process names to monitor for anomalous activity.

May 20, 2026

APTWebwormThreat ActorChinaDiscord +2 more

Chinese APT 'Webworm' Uses Discord and MS Graph API for C2 in New Backdoor Attacks

New 'Underminr' Flaw in CDNs Puts 88 Million Domains at Risk of Evasive Attacks

'Underminr' Vulnerability in Shared CDN Infrastructure Exposes 88 Million Domains to Advanced Evasion Techniques

This update provides a more detailed technical analysis of the 'Underminr' vulnerability, outlining the reconnaissance, setup, exploitation, and bypass steps. It maps the technique to several MITRE ATT&CK techniques, including T1071.001, T1090.002, T1573.002, and T1572. New hunting hints are introduced, such as looking for JA3/JA3S hash mismatches and uncommon User-Agents for specific domains. The article further emphasizes that the ultimate mitigation responsibility lies with CDN providers to reconfigure their routing logic, while organizations should focus on TLS inspection and egress filtering.

May 23, 2026

UnderminrCDNDomain FrontingEvasionC2

New 'Underminr' Flaw in CDNs Puts 88 Million Domains at Risk of Evasive Attacks

Critical 18-Year-Old 'NGINX Rift' Vulnerability (CVE-2026-42945) Under Active Attack

CRITICAL

Active Exploitation of Critical 'NGINX Rift' Vulnerability (CVE-2026-42945) Threatens Web Servers with RCE

The NGINX Rift vulnerability (CVE-2026-42945) continues to be actively exploited, with new analysis emphasizing its critical impact on NGINX instances used as API gateways. Additional detection methods include vulnerability scanning and deploying WAF/IPS with specific signatures. For mitigation, disabling the `ngx_http_rewrite_module` entirely is suggested if rewrite functionality is not essential, alongside existing patching recommendations. The threat of DoS and RCE remains high, urging immediate action.

May 18, 2026