Cybersecurity News | Daily Recap [20 May 2026]

In this daily recap: GitHub confirmed multiple internal repository compromises tied to a malicious VS Code extension, with claims of roughly 3,800–4,000 affected repositories and source code exposure impacting Grafana via a TanStack npm attack. The roundup also covers the Shai-Hulud npm supply-chain campaign targeting 600 packages (with Mini Shai-Hulud expanding further), plus Microsoft's disruption of a malware-signing service linked to Fox Tempest, alongside fixes and advisories across Windows, Azure, Drupal, ChromaDB, Linux, and major fraud cases.

GitHub Breaches

  • GitHub confirmed and investigated multiple internal repository compromises tied to a malicious VS Code extension, with claims ranging from about 3,800 to 4,000 repos affected and source code exposure at Grafana via a TanStack npm attack – GitHub Breach, Repo Breach, Grafana Leak, TeamPCP Claim

Supply Chain Attacks

  • Shai-Hulud resurfaced in a fresh npm wave hitting 600 packages, while a related Mini Shai-Hulud campaign compromised over 320 and then hundreds more packages across the ecosystem – Mini Wave, Shai-Hulud Wave, Mini Return
  • Microsoft disrupted a cybercrime service abusing its verification/signing infrastructure, including a malware-signing operation linked to Fox Tempest – Signing Abuse, Fox Tempest, DCU Disruption

Microsoft & Windows

  • Microsoft issued a mitigation for the YellowKey Windows zero-day, while also warning that critical Microsoft flaws are increasing and planning to improve Windows 11 driver quality in 2026 – YellowKey Mitigation, MS Vulnerabilities, Driver Quality
  • Azure data theft attacks abused Self-Service Password Reset, highlighting another identity-path weakness in Microsoft environments – Azure Theft

Web App Patching

  • Drupal pushed an urgent update for a highly critical vulnerability judged at risk of quick exploitation – Drupal Fix, Drupal Patch

AI & Cloud Risks

  • A max-severity flaw in ChromaDB for AI apps could allow server hijacking, underscoring the security gap in production AI stacks – ChromaDB Flaw
  • UK regulators plan to require tech firms to tackle deepfakes and non-consensual intimate images, signaling stronger platform accountability for AI abuse – UK AI Rules
  • A discussion on securing AI after deployment and another on real-world ICS security highlighted operational lessons from production environments – AI Security, ICS Lessons

Linux & Open Source

  • Exploit code was released for the PinTheft Arch Linux root escalation bug, and a separate PoC surfaced for Linux kernel CVE-2026-31635 local privilege escalation – PinTheft Exploit, DirtyDecrypt PoC

Phishing & Identity

  • Researchers warned that OAuth consent phishing can bypass MFA, showing how user-authorized apps remain a high-value attack path – OAuth Phishing

Fraud & Abuse

  • The Trapdoor Android ad fraud scheme drove 659 million daily bid requests through 455 apps, while the FBI said Americans lost over $388 million to crypto-ATM scams in 2025 – Trapdoor Fraud, Crypto ATM Scams
  • 7-Eleven confirmed a data breach claimed by the ShinyHunters gang, adding another major retail victim to the group’s list – 7-Eleven Breach

Critical Infrastructure

  • A Huawei zero-day was blamed for last year’s crash of Luxembourg’s entire telecom network, illustrating how a single flaw can trigger nationwide disruption – Huawei Outage

Credential Exposure

  • A CISA credential leak drew congressional scrutiny as lawmakers demanded answers over the security lapse – CISA Leak

Product Updates

  • Discord rolled out end-to-end encryption for voice and video calls, while Microsoft also addressed a macOS-related Teams location prompt bug – Discord E2EE, Teams Bug

Industry Trends

  • Verizon’s DBIR 2026 found vulnerability exploitation overtook credential theft as the top breach vector, reinforcing the rise of exploit-driven intrusions – DBIR 2026, Breach Vector

Cybersecurity News | Daily Recap – hendryadrian.com