May 21's Top Cyber News NOW! - Ep 1137
Episode show notes, May 21, 2026
At a glance
Supply chain attacks dominated today's brief, with malicious npm packages, GitHub repository breaches, and token theft hitting critical infrastructure. Microsoft released fixes for a serious BitLocker bypass, while new AI security tools and sandbox vulnerabilities underscore the growing challenge of securing agentic AI deployments.
Stories covered
How did 3,800 GitHub repositories get compromised via VS Code extension?
What happened: GitHub disclosed that around 3,800 internal repositories were breached after an employee installed a malicious Visual Studio Code extension. The Team PCP group, linked by researchers, accessed only internal repos with no evidence of customer data exposure, and allegedly tried to sell the stolen code for at least $50,000.
Why it matters: Team PCP has a history of supply chain attacks across GitHub, PyPI, npm, and Docker. This highlights the ongoing risk of developer tooling compromise and the difficulty of detecting malicious extensions in trusted platforms.
What to do: Enforce extension allowlists in your development environments. Implement code review and static analysis on all pulled dependencies. Maintain an SBOM to track where external code is used across your codebase.
Why did 600 malicious npm packages spread across the ecosystem in one hour?
What happened: Researchers from Socket, Endor Labs, Aikido Security, and Microsoft identified 639 malicious package versions across 323 unique npm packages, primarily targeting the Node.js ecosystem. The malware stole developer and CI/CD credentials, self-propagated using stolen npm tokens, exfiltrated data via encrypted channels, and created nearly 3,000 GitHub repositories to store stolen data.
Why it matters: The attack demonstrated automation at scale—roughly 2 malicious versions per unique package. Persistent backdoors were found in VS Code and Claude Code configs, showing attackers are targeting developer environments directly. This reflects the increasing sophistication of supply chain attacks leveraging CI/CD pipelines.
What to do: Audit your npm dependencies immediately. Implement credential rotation policies for npm tokens. Use dependency scanning tools to detect known malicious packages. Isolate CI/CD credentials with minimal required permissions and rotate them frequently.
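As an added example (not code from the brief or from any of the vendors it cites), here is a small lockfile audit of the kind the "audit your npm dependencies" step calls for. It reads a package-lock.json (lockfileVersion 1, 2 or 3), flags any installed name@version that appears on a blocklist, and flags tarballs resolved from somewhere other than the expected registry host, which is a cheap way to spot a dependency that was swapped in from an unexpected source. The blocklist and the lockfile below are constructed for the demo; the package names and versions are placeholders, not the ones from the campaign described above.

```python
"""Audit an npm package-lock.json against a blocklist and an allowed registry host.

Constructed demo data only: the package names, versions and hosts are placeholders.
"""
import json
from typing import Dict, Iterable, List, Set, Tuple
from urllib.parse import urlparse

# Placeholder blocklist: package name -> versions to block ("*" blocks every version).
BLOCKLIST: Dict[str, Set[str]] = {
    "example-left-pad-clone": {"1.0.7", "1.0.8"},
    "example-build-helper": {"*"},
}

# Constructed lockfileVersion 3 document standing in for a real package-lock.json.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/example-left-pad-clone": {
            "version": "1.0.8",
            "resolved": "https://registry.npmjs.org/example-left-pad-clone/-/example-left-pad-clone-1.0.8.tgz",
        },
        "node_modules/safe-lib": {
            "version": "2.3.1",
            "resolved": "https://registry.npmjs.org/safe-lib/-/safe-lib-2.3.1.tgz",
        },
        # Nested (deduplicated) dependency: the blocklist must see transitive packages too.
        "node_modules/safe-lib/node_modules/example-build-helper": {
            "version": "0.4.2",
            "resolved": "https://registry.npmjs.org/example-build-helper/-/example-build-helper-0.4.2.tgz",
        },
        # Tarball fetched from a host that is not the registry: worth a look even if not blocklisted.
        "node_modules/other": {"version": "1.0.0", "resolved": "https://mirror.invalid/other-1.0.0.tgz"},
    },
})

Package = Tuple[str, str, str]  # (name, version, resolved URL)


def _walk_v1(deps: Dict[str, dict]) -> Iterable[Package]:
    """lockfileVersion 1 nests transitive deps under each entry's "dependencies"."""
    for name, meta in deps.items():
        yield name, meta.get("version", ""), meta.get("resolved", "")
        yield from _walk_v1(meta.get("dependencies", {}))


def installed_packages(lock: dict) -> Iterable[Package]:
    """Yield every installed package, whatever lockfile version produced the file."""
    pkgs = lock.get("packages")
    if pkgs is not None:  # lockfileVersion 2 or 3: flat map keyed by install path
        for path, meta in pkgs.items():
            if not path or meta.get("link"):  # "" is the root project; links are workspaces
                continue
            # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
            name = meta.get("name") or path[path.rfind("node_modules/") + len("node_modules/"):]
            yield name, meta.get("version", ""), meta.get("resolved", "")
    else:  # lockfileVersion 1
        yield from _walk_v1(lock.get("dependencies", {}))


def audit(lock_text: str, blocklist: Dict[str, Set[str]],
          allowed_hosts: Tuple[str, ...] = ("registry.npmjs.org",)) -> Dict[str, list]:
    """Return blocklisted packages and packages resolved from an unexpected host."""
    lock = json.loads(lock_text)
    blocked: List[Dict[str, str]] = []
    off_registry: List[Tuple[str, str, str]] = []
    for name, version, resolved in installed_packages(lock):
        bad_versions = blocklist.get(name)
        if bad_versions and ("*" in bad_versions or version in bad_versions):
            blocked.append({"name": name, "version": version})
        host = urlparse(resolved).hostname if resolved else None
        if host and host not in allowed_hosts:
            off_registry.append((name, version, host))
    blocked.sort(key=lambda f: (f["name"], f["version"]))
    off_registry.sort()
    return {"blocked": blocked, "off_registry": off_registry,
            "clean": not blocked and not off_registry}


if __name__ == "__main__":
    # Real use: audit(open("package-lock.json").read(), BLOCKLIST)
    print(json.dumps(audit(SAMPLE_LOCKFILE, BLOCKLIST), indent=2))
```

Run it from the repository root against the real package-lock.json and wire the blocklist to whatever feed your dependency scanner exports; a non-empty "blocked" list should fail the CI job before install scripts run.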
What caused Luxembourg's telecom network to go offline for 3 hours?
What happened: A previously undisclosed zero-day vulnerability in Huawei routers caused a July 2025 cyber attack that knocked Luxembourg's telecom network offline for over 3 hours, disrupting landline, mobile, and emergency services nationwide. Specially crafted traffic triggered routers to continuously reboot. No CVE has been issued and Huawei has not publicly acknowledged the flaw.
Why it matters: Ten months passed without public warning or patch. Other telecom operators worldwide may still be vulnerable. This affects critical infrastructure—emergency services, landline communication, and mobile networks all depend on these systems. The lack of transparency from the vendor creates lasting risk.
What to do: If you operate Huawei networking infrastructure, contact your vendor immediately to determine if you are affected. Develop incident response procedures for critical infrastructure outages. Document fallback communication channels in case telecom systems fail.
Does the BitLocker "Yellow Key" bypass mean physical security is meaningless?
What happened: Microsoft released mitigations for a BitLocker bypass flaw (Yellow Key, CVSS 6.8) that allows attackers with physical access to use a USB drive and reboot a Windows system into recovery mode to access encrypted data. The exploit abuses the Windows Recovery Environment by manipulating the FSTX auto recovery utility and can succeed even with BitLocker configured for both TPM and PIN protection.
Why it matters: For years, BitLocker has been the primary defense against stolen laptops. This bypass eliminates that guarantee. No credentials, software installation, or network connection is required—just physical access and a USB drive.
What to do: Do not wait for Patch Tuesday. Apply Microsoft's WinRE mitigation tool now for Windows 11 and Server 2025. Enforce TPM + PIN policies (not TPM-only mode). Review your stolen laptop procedures and assume physical access is now a viable attack vector. Update your threat model accordingly.
Was Grafana's missed token rotation a root cause or a symptom?
What happened: Grafana disclosed a breach stemming from a missed GitHub workflow token rotation. The attack chain began when malicious Tanstack npm packages infected with Shyhalid malware executed in Grafana's CI/CD environments. The attacker stole workflow tokens and used an unrotated token to access private repositories, exfiltrating source code and business contact information. No customer production systems were impacted.
Why it matters: The root cause was not just a missed rotation—it was an undetected compromise in the CI/CD pipeline followed by token reuse. This represents a failure in both detection and credential lifecycle management. It underscores the cascading risks of supply chain attacks targeting build systems.
What to do: Implement automated token revocation systems. Establish clear token rotation timelines tied to risk indicators—quarterly at minimum, immediately upon suspected compromise. Add detection rules for anomalous CI/CD activity. Test incident response procedures for credential theft scenarios.
How are malicious Android apps silently charging users without permission?
What happened: Imperium researchers identified a 10-month Android malware campaign called Premium Deception using nearly 250 fake apps impersonating TikTok, Minecraft, and Instagram Threads. The malware targeted users in Malaysia, Thailand, Romania, and Croatia, abusing Google's SMS Retriever API, hidden web views, and carrier billing workflows to automate fraudulent subscriptions. Attackers tracked infections via Telegram-based alerts and dynamic C2 infrastructure.
Why it matters: The attackers operated as a well-organized commercial operation, analyzing which fake personas and distribution channels were most effective. The use of carrier billing automation bypasses standard payment controls. Users in targeted regions were systematically enrolled in premium services without awareness.
What to do: Only install apps from the official Google Play Store. For work devices, enforce mobile device management (MDM) policies restricting app installation to approved applications. Educate users not to sideload apps from third-party sources. Monitor carrier billing statements for unauthorized charges.
Can Microsoft's open-source AI security tools prevent agentic AI attacks?
What happened: Microsoft open-sourced two AI security tools—Rampart and Clarity—to help developers test and secure AI agents. Rampart is a Python-based red teaming framework that tests against prompt injection, data exfiltration, and behavioral regressions. Clarity acts as a design-time review tool to identify risky assumptions before coding begins.
Why it matters: Agentic AI deployments are expanding rapidly, but security tooling for these systems lags behind development velocity. Rampart and Clarity shift AI safety testing from one-time reviews to ongoing engineering processes. This addresses a critical gap as organizations implement AI agents with access to production systems.
What to do: If deploying agentic AI, inventory it (AIBOM—artificial intelligence bill of materials). Apply principle of least privilege: constrain each agent to perform one or two specific tasks with minimal permissions. Use Rampart to red team agents against prompt injection and data exfiltration. Treat AI agents as non-human identities requiring the same access controls as service accounts.
Did Anthropic's silent patch of Claude Code sandbox vulnerabilities undermine trust?
What happened: Researcher Anon Guan discovered two vulnerabilities in Anthropic's Claude Code sandbox that could allow network sandbox bypass and data exfiltration when combined with prompt injection. The flaws included SOCKS5 hostname injection and null byte injection to expose credentials, GitHub tokens, and cloud metadata. Anthropic patched both issues but provided no clear public notice, leaving users unaware their sandbox boundaries were ineffective for months.
Why it matters: A sandbox without clear public disclosure of its compromise is worse than no sandbox at all. Users believed they were protected when they were not. The lack of transparency prevented organizations from assessing their own risk exposure during the vulnerable window.
What to do: If using Claude Code, ensure you are on version 2.190 or later. Do not rely solely on sandbox isolation—treat Claude Code outputs as untrusted and apply code review and static analysis. Verify that any credentials or tokens exposed to agentic tools are rotated and have minimal permissions.
Key takeaways
- Supply chain attacks via npm, GitHub, and CI/CD pipelines are now the primary vector for organizational compromise; enforce dependency scanning, token rotation, and credential isolation immediately.
- BitLocker's physical security guarantee is broken; implement TPM + PIN enforcement, refresh stolen laptop procedures, and assume physical access is a viable threat.
- Agentic AI deployment requires the same access controls as service accounts—enforce least privilege, sandbox agents to single tasks, maintain an AIBOM, and red team against prompt injection before production rollout.
- Vendor transparency on security patches (or lack thereof) directly impacts your risk posture; contact vendors proactively on Huawei networking, Claude Code, and other critical tools.
- Supply chain risk now extends to the tools developers use daily—VS Code extensions, npm packages, GitHub Actions—making developer environment security a CISO priority.
Topics covered
supply chain attacks, malicious npm packages, GitHub breach, VS Code extensions, CI/CD security, BitLocker bypass, token rotation, Android malware, agentic AI security, Claude Code sandbox, Huawei routers, zero-day vulnerabilities, credential management, SBOM, mobile device management
Want the live experience? The Daily Cyber Threat Brief airs live every weekday at 5am PT / 8am ET on YouTube. 400+ practitioners join the chat in real time.