I go through about 25 cybersecurity news portals and blogs every week and pull out the most interesting stories. Then I turn them into this short, digestible summary, so you can stay up to date without trying to follow 25 different sources yourself. đŸ˜±

My aim is to create a summary that gives you the gist without needing to open up the source article. But if you do want to dig deeper, all the sources covering the event are linked below each story.

If you enjoy these, come back next Monday

scroll to the bottom to subscribe to the e-mail newsletter.

Public GitHub repo exposed privileged CISA AWS GovCloud keys and internal system credentials, prompting congressional briefings

Lawmakers demanded briefings after a contractor-maintained public GitHub repository exposed privileged AWS GovCloud credentials and numerous internal CISA system passwords/tokens for months. CISA said it removed the repository after being alerted and is investigating, stating it has no indication so far that sensitive data was compromised as a result of the exposure.

Key Details

  • Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history.
  • GitGuardian said it found the public repo (“Private-CISA”) containing CISA/DHS secrets dating back to November, and reported it after the owner was unresponsive.
  • Valadon said the exposed CISA credentials represent a textbook example of poor security hygiene, noting that the commit logs in the offending GitHub account show that the CISA administrator disabled the default setting in GitHub that blocks users from publishing SSH keys or other secrets in public code repositories.

Next Steps

  • Never say never, but it’s never a good idea to disable existing built-in security measures in any platform or service.

Read more at KrebsOnSecurity, KrebsOnSecurity, CyberScoop

Deleted Google Cloud API keys can keep authenticating for up to 23 minutes due to revocation propagation delays

Testing by Aikido Security found that Google Cloud API keys can continue to authenticate for up to ~23 minutes after deletion, even though the GCP console immediately shows them as removed. The delay is attributed to eventual consistency in Google’s distributed authentication infrastructure, creating a short window where a leaked key can still be accepted by backend servers that haven’t yet received the revocation update.

Key Details

  • 10 controlled trials over two days measured a median revocation window of ~16 minutes, with the shortest observed around ~8 minutes and the longest near ~23 minutes.
  • The window can be exploited by sending repeated authenticated requests to “hit” global auth servers that haven’t synced, resulting in uneven success rates across regions shortly after deletion.
  • Researchers observed that deleted keys could still reach enabled services including Gemini (cached conversations and uploaded files), BigQuery, and Maps APIs during the revocation window.
  • In GCP’s “Traffic by Credential” reporting, post-deletion attempts are grouped under apikey:UNKNOWN, which can make it harder to attribute activity to a specific deleted key during incident response.
  • Aikido reported the behavior to Google and said it was closed as “won’t fix,” framed as expected behavior of an eventually consistent system; the researchers noted other credential types revoke faster (service account keys ~5 seconds; newer Gemini-format keys with an AQ prefix ~1 minute).

Next Steps

  • For incident response playbooks, treat Google API key deletion as a ~30-minute containment step rather than immediate revocation, and plan response actions accordingly.

Read more at Cybersecurity News, The Register, Dark Reading, Hackread

Microsoft to retire SMS codes for personal account sign-in and recovery, pushing passkeys instead

Microsoft says it will stop using SMS codes for personal Microsoft account authentication and recovery, calling plaintext texts an active security liability. The company is steering users to passwordless sign-in options—especially passkeys and verified secondary email—via a redesigned sign-in flow that encourages creating an on-device passkey.

Key Details

  • Microsoft cites common abuses of SMS—including phishing and SIM-swapping—as reasons SMS codes are no longer fit for secure authentication.
  • The replacement options Microsoft highlights include passkeys, passwordless accounts, and verified secondary email addresses for sign-in and recovery.

Next Steps

Read more at Microsoft Support, TechSpot

Anthropic reports on Mythos results so far

Anthropic says its Project Glasswing used Claude Mythos Preview to autonomously discover more than 10,000 high- or critical-severity vulnerabilities across systemically important software and 1,000+ open-source projects. The reported results also highlight an operational gap: despite high true-positive rates, only a small fraction of findings have been patched and publicly advised so far.

Key Details

  • Initial open-source scanning produced 23,019 candidate findings; 1,900 were externally reviewed and 1,726 (90.8%) were confirmed valid, with 1,094 assessed as high/critical severity.
  • Anthropic says it has reported 1,596 vetted findings to maintainers, but only 97 have been patched upstream and 88 security advisories published at the time of reporting.
  • A highlighted example is CVE-2026-5194 in wolfSSL (CVSS 9.1), described as enabling certificate forgery that could let an attacker masquerade as a legitimate service.
  • Anthropic says Mythos Preview is being withheld from public release and limited to a ~50-member defensive consortium due to dual-use concerns, including the model’s ability to construct functional exploits.
  • Partner-reported outcomes include Cloudflare citing 2,000 bugs found (400 high/critical) and claiming a false-positive rate that outperforms human testers.

Next Steps

  • Prioritize remediation planning around CVE-2026-5194 (wolfSSL) by identifying where wolfSSL is used in your products/dependencies and tracking upstream fixes/advisories. (Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-5194)
  • If you maintain or rely heavily on open-source components, consider a process to rapidly triage high-confidence AI-origin vulnerability reports (dedicated on-call rotation, pre-defined severity thresholds, and fast-track patch/release paths) to reduce backlog.

Read more at Anthropic, The Hacker News, Cybersecurity News

Europol-backed Operation Saffron seizes “First VPN” service used by ransomware and other criminals to hide

French and Dutch authorities, backed by Europol/Eurojust, took down the “First VPN” service used by ransomware and other cybercriminals to hide infrastructure and identities, seizing servers and domains and detaining the alleged administrator in Ukraine. Investigators say they accessed the service before shutdown and obtained its user database, turning the “anonymous” VPN into an intelligence source for ongoing investigations.

Key Details

  • Europol said investigators gained access to First VPN’s user database and identified VPN connections tied to suspected cybercriminal activity.
  • The FBI stated First VPN was active since at least 2014 and operated exit nodes in 27 countries.
  • Authorities seized 1vpns[.]com, 1vpns[.]net, and 1vpns[.]org (and associated onion domains), which now display a seizure banner.

Read more at The Hacker News, The Cyber Express, BleepingComputer, SecurityWeek, CyberScoop, HackRead, CSO Online

Torvalds says AI-generated duplicate bug reports are overwhelming the Linux kernel security mailing list

Linus Torvalds said the Linux kernel security mailing list has become “almost entirely unmanageable” due to a flood of AI-found bug reports with heavy duplication. He argued that many AI-detected issues aren’t secret and that handling them privately increases duplicate work because reporters can’t see each other’s submissions.

Key Details

  • Torvalds said maintainers are spending time on triage and re-routing—forwarding reports, telling reporters issues were already fixed, and pointing to existing public discussions.
  • Torvalds emphasized that duplication is worsened because reporters can’t see other reports on a private list, so multiple people submit the same findings independently.
  • He urged AI-using reporters to read the project’s documentation and include a patch to add value beyond an automated finding, rather than sending “drive-by” reports.
  • The Register noted the comments contrast with Greg Kroah-Hartman’s earlier view that AI bug reports have become increasingly useful for the FOSS community.

Next Steps

  • For open-source projects: Consider Requiring AI-assisted vulnerability reports to include a proposed patch (or reproduction + clear analysis) before submitting to private/security channels, to reduce low-signal duplicates.
  • **Consider making as many reports public as possible (consider the risks), to avoid duplicates. **so reporters can see existing discussions and avoid duplicate submissions.

Read more at The Register

A vulnerability in Anthropic’s Claude Code CLI meant that clicking a crafted claude-cli:// deeplink could inject attacker-controlled settings and trigger automatic command execution. The issue came from context-blind parsing that treated a settings string embedded inside another flag’s value as a real —settings override, enabling RCE via Claude Code’s hooks feature.

Key Details

  • The bug was in an eager flag parser that searched all argv entries for strings starting with —settings= without distinguishing flags from flag values.
  • Claude Code’s deeplink handler uses —prefill to populate prompt content from the deeplink’s q parameter, which could be abused to smuggle a —settings payload inside q.
  • Attackers could inject a malicious hooks configuration (e.g., a SessionStart command) so code runs automatically when the session starts.
  • The report says the exploit could bypass the workspace trust dialog by setting the deeplink repo parameter to a repository already cloned and trusted locally.

Next Steps

  • Update Claude Code to version 2.1.118 (or later) to pick up the patched argument parsing.

Read more at Cyber Security News

Microsoft open-sources RAMPART and Clarity to bake red-teaming and safety checks into AI agent development

Microsoft has released two open-source tools—RAMPART and Clarity—aimed at making AI agent safety and security testing a continuous part of the development workflow rather than a one-time review. RAMPART lets engineers write and run repeatable tests (including prompt-injection-style scenarios) against agents during build and fix cycles. Clarity is designed to help teams pressure-test and document safety/security assumptions before code is written.

Key Details

  • RAMPART is a Pytest-native testing framework for writing/running safety and security tests against AI agents, and it only requires an adapter to connect the agent to the test suite.
  • Clarity can run as a desktop app, web interface, or embedded into a coding agent to guide early design decisions, track assumptions/decisions, and surface downstream security implications and more secure-by-design alternatives.

Next Steps

  • Evaluate the projects and pilot RAMPART/Clarity on one agentic workflow (e.g., an internal tool-calling agent) to see how they fit your existing SDLC and testing pipeline:

Read more at Clarity Agent (Github), RAMPART (Github), Microsoft Security Blog, CyberScoop, The Hacker News, SC World, CSO Online

SHub Reaper macOS infostealer uses AppleScript “security update” prompts and a fake Google Update to add persistent backdoor access

A new SHub macOS infostealer variant (“Reaper”) uses a multi-stage lure that impersonates multiple brands and executes via the applescript:// scheme to load a malicious AppleScript in Script Editor instead of Terminal. It steals browser credentials/financial data and crypto-wallet artifacts, then adds persistence via a fake Google Software Update framework that beacons for command execution.

Key Details

  • Initial lures include fake WeChat and Miro installers delivered from lookalike/typosquatted domains (examples cited: qq-0732gwh22[.]com, mlcrosoft[.]co[.]com, mlroweb[.]com).
  • The infection chain “rebrands” at each stage: payloads may be hosted from Microsoft-lookalike infrastructure, presented as an Apple security update, and persisted under Google-update-themed naming conventions.
  • The AppleScript displays a fake Apple security update referencing XProtectRemediator, then uses curl/zsh to fetch and run the next-stage payload after the user clicks “Run.”
  • Backdoor behavior includes a recurring beacon (reported as every ~60 seconds) that supports arbitrary command execution, turning a “smash-and-grab” stealer infection into persistent access.

Next Steps

  • Use MDM to block Script Editor.app and restrict osascript execution where not operationally required to limit AppleScript usage.
  • Hunt for AppleScript-based execution chains: unexpected Script Editor.app launches, osascript spawning curl or shell interpreters, and browser-to-AppleScript execution originating from unusual URL handlers.
  • Block/flag known lure infrastructure associated with the campaign (e.g., qq-0732gwh22[.]com, mlcrosoft[.]co[.]com, mlroweb[.]com) and review web filtering for newly registered lookalike domains.

Read more at CSO Online, Dark Reading, BleepingComputer

CISA launches public nomination form to add actively exploited bugs to the KEV catalog

CISA introduced a new submission pathway so researchers, vendors, and industry partners can nominate vulnerabilities for inclusion in the Known Exploited Vulnerabilities (KEV) catalog. Nominations require evidence of real-world exploitation, aiming to speed how quickly CISA can validate and publish exploited-bug intelligence that many organizations use to prioritize patching.

Key Details

  • Submissions can be made via an online Qualtrics nomination form or by email, and must include details about the vulnerability plus evidence it is being exploited.
  • CISA’s KEV consideration criteria include an assigned CVE, credible in-the-wild exploitation evidence, and an effective mitigation available.

Read more at SC World, The Record

Megalodon mass-poisoned 5,561 GitHub repos with malicious Actions workflows to steal CI secrets and cloud credentials

SafeDep reports an automated campaign dubbed Megalodon that pushed 5,718 malicious commits into 5,561 GitHub repositories in about six hours, primarily by injecting or modifying GitHub Actions CI workflows. Once merged, the workflows run attacker-supplied scripts in CI runners to exfiltrate secrets (including cloud credentials and CI tokens) to attacker infrastructure.

Key Details

  • Attackers used throwaway GitHub accounts with random 8-character usernames and forged “build-bot/auto-ci/ci-bot/pipeline-bot” author identities to make the commits look like routine CI maintenance.
  • SafeDep observed two variants: SysDiag (adds a new workflow that triggers on push/PR) and Optimize-Build (dormant until manually triggered via workflow_dispatch), trading off reach for stealth.
  • The payloads were described as base64-encoded bash scripts embedded in GitHub Actions workflow files designed to run inside CI/CD pipelines after repository owners merge the changes.
  • Exfiltration in the reports was tied to 216.126.225.129:8443 (IP:port listed as the C2 destination).
  • One downstream impact cited: @tiledesk/tiledesk-server versions 2.18.6 through 2.18.12 were reportedly published to npm after poisoning of multiple Tiledesk GitHub repos (the workflow-triggered payload targeted CI runners rather than executing on package install, per the report).

Next Steps

  • Hunt for and revert unexpected changes to .github/workflows/ (especially newly added ci.yml)* in commits dated May 18, 2026 that appear to come from “build-bot/auto-ci/ci-bot/pipeline-bot” identities.
  • Block or alert on outbound connections from CI runners to 216.126.225.129:8443 while investigating potential exposure.
  • If affected repos were merged/run, rotate GitHub Actions secrets and cloud credentials/tokens that could have been exposed (including any OIDC-related tokens mentioned in the workflow).

Read more at Safedep, The Register, Hackread, The Hacker News

Fake Android apps abuse carrier billing to silently enroll users in premium SMS subscriptions across four countries

Researchers tied a mobile billing fraud campaign to roughly 250 Android apps that silently subscribe victims to paid premium SMS/text services via carrier billing. The malware validates a victim’s mobile operator from the SIM and then automates the sign-up flow (including OTP/TAC interception), allowing charges to be added to the phone bill without meaningful user awareness.

Key Details

  • The operation showed operator-level targeting based on SIM checks, focusing on carriers in Thailand, Croatia, Romania, and Malaysia
  • Attackers used brand-impersonation lures—fake apps posing as Facebook Messenger, Instagram Threads, TikTok, Minecraft, and GTA—to drive installs via social engineering.
  • To enable carrier-billing flows, the apps could disable Wi‑Fi to force cellular data and then run hidden WebViews automation to click through subscription steps.
  • The campaign abused Google’s SMS Retriever API to capture OTP/TAC codes used in subscription confirmation flows, enabling unattended enrollment.

Next Steps

  • For users on the affected carriers/regions, consider disabling premium SMS / third‑party billing at the carrier account level where supported.
  • For fleets with mobile management, block sideloading and restrict unknown app sources to reduce exposure to off-store impersonation lures.

Read more at Cybersecurity News, Hackread, Dark Reading

CrossMPI uses near-invisible image changes to prompt-inject multimodal AI without touching the text

Researchers described CrossMPI, an image-only prompt injection technique where nearly imperceptible pixel perturbations can change how vision-language models interpret an otherwise benign user request. This new vector raises concerns for AI agents and workflows that rely on screenshots, PDFs, and other visual inputs.

Key Details

  • Demonstrated misclassification and task distortion: a subtly modified airplane image led a model asked about airline ownership to answer as if the object were “a mobile phone.”
  • Tested across multiple open-source LVLMs (Large Vision-Language Models) including MiniGPT4, BLIP-2, InstructBLIP, BLIVA, and Qwen2.5-VL
  • Defenses reduced but didn’t fully eliminate the attack: SmoothVLM cut success rates to below 5% in several scenarios, and JPEG compression also weakened attacks by suppressing high-frequency artifacts.

Next Steps

  • Add image pre-processing hardening (e.g., JPEG re-encoding and basic geometric transforms) for untrusted images before they reach LVLM-based agents, and measure the impact on both accuracy and adversarial robustness.

Read more at CSO Online

Poland builds its own Signal amid security concerns

Poland’s government is urging public officials and entities in its National Cybersecurity System to stop using Signal after CSIRTs identified APT-linked phishing and social engineering that can lead to Signal account takeover. Poland is directing officials to use mSzyfr Messenger, an encrypted app developed by the Ministry of Digital Affairs and NASK, described as being fully under Polish jurisdiction.

Key Details

  • mSzyfr is invite-only for approved organizations; it replaces Threema (endorsed by Poland since 2022), and messages cannot be transferred between apps due to end-to-end encryption.
  • mSzyfr relies on MFA from Microsoft (recommended), Google, or FreeOTP, and users who want access to messages after logging out must set a recovery key

Read more at The Register

Subscribe

Subscribe to receive this weekly cybersecurity news summary to your inbox every Monday.