Today on CISO Series…

    In today’s cybersecurity news…

    GitHub breach via VS Code extension

    GitHub says about 3,800 internal repositories were breached after an employee installed a malicious Visual Studio Code extension that compromised their device. The attacker, linked by researchers to the TeamPCP group, accessed only internal repos, with no evidence of customer data exposure otherwise. TeamPCP claimed responsibility and allegedly tried to sell the stolen code for at least $50,000, and has a history of supply chain attacks across GitHub, PyPI, npm, and Docker. (BleepingComputer)

    Shai-Hulud wave compromises 600 npm packages

    Socket, Endor Labs, Aikido Security, and Microsoft say a new Shai-Hulud supply chain attack published more than 600 malicious npm packages, mainly targeting the @antv (ant-vee) ecosystem. Researchers found the malware steals developer and CI/CD credentials, self-propagates using stolen npm tokens, exfiltrates data through the encrypted Session network, and generates legitimate-looking Sigstore attestations to evade detection. Aikido also found persistence backdoors in VS Code and Claude Code configs, while nearly 3,000 GitHub repos were automatically created to store stolen data. (BleepingComputer)

    Huawei attack behind Luxembourg telecom crash

    The Record’s sources say a previously undisclosed Huawei router flaw caused a July 2025 cyberattack that knocked Luxembourg’s telecom network offline for more than three hours, disrupting landline, mobile, and emergency communications nationwide. Investigators said specially crafted traffic triggered Huawei routers to continuously reboot, though there was no evidence Luxembourg was specifically targeted. Huawei has not publicly acknowledged the flaw, no CVE has been issued, and it remains unclear whether other operators are still vulnerable. (The Record)

    Microsoft rolls out YellowKey mitigations

    Microsoft released mitigations for a BitLocker bypass flaw known as YellowKey, which lets attackers with physical access use a USB drive and reboot a Windows system into recovery mode to access encrypted data. The exploit abuses the Windows Recovery Environment by manipulating the FsTx Auto Recovery utility and deleting a key configuration file, causing WinRE to launch a command shell with BitLocker already unlocked instead of the normal recovery interface. The exploit’s creator claims the attack can still work even when BitLocker uses both TPM and PIN protection. (SecurityWeek)

    Huge thanks to our episode sponsor,
    ThreatLocker


    Grafana breach caused by missed token rotation

    Grafana says its breach stemmed from a missed GitHub workflow token rotation after malicious TanStack npm packages infected with Shai-Hulud malware executed in its CI/CD environment. The attackers stole workflow tokens via the infected dependency and used an unrotated token to access private repositories, later exfiltrating source code and some business contact information. Grafana says no customer production systems were impacted, the codebase was not altered, and users don’t need to take action. (BleepingComputer)

    Fake Android apps silently charged users

    Zimperium researchers say a 10-month Android malware campaign called Premium Deception used nearly 250 fake apps impersonating brands like TikTok, Minecraft, and Instagram Threads to secretly enroll users in premium mobile billing services. The malware targeted users in Malaysia, Thailand, Romania, and Croatia, abusing Google’s SMS Retriever API, hidden webviews, and carrier billing workflows to automate fraudulent subscriptions. Researchers also found Telegram-based alerts, dynamic C2 infrastructure, and tracking systems designed to optimize infections and evade detection. (Infosecurity Magazine)

    Microsoft open-sources RAMPART and Clarity

    Microsoft has open-sourced two AI security tools called RAMPART and Clarity to help developers test and secure AI agents during development. RAMPART is a Pytest-based framework for red teaming AI systems against issues like prompt injection, data exfiltration, and behavioral regressions. Clarity acts as an AI-assisted design review tool that helps teams identify risky assumptions before coding starts. Microsoft says the tools are designed to turn AI safety testing into an ongoing engineering process rather than a one-time review. (The Hacker News)

    Claude sandbox hole: real and dangerous

    Aonan Guan, a cloud and AI security researcher at Wyze Labs, found two patched vulnerabilities in Anthropic’s Claude Code sandbox that could allow network sandbox bypass and data exfiltration when combined with prompt injection. The flaws, which include a SOCKS5 hostname null-byte injection that could expose credentials, GitHub tokens, and cloud metadata, were silently fixed. Anthropic says the issue was already patched before disclosure. Guan argues the lack of clear public notice leaves users unaware their sandbox boundary may have been ineffective for months. (The Register)


    Cybersecurity Headlines for Thursday, May 21, 2026… #cybersecurity #news
