Daily Briefing for 05.19.26

Top stories.

1. CISA contractor exposed AWS GovCloud keys on GitHub.
2. Microsoft fixes critical Authenticator flaw.
3. INTERPOL operation nabs 200 suspected cybercriminals.

CISA contractor exposed AWS GovCloud keys on GitHub.

KrebsOnSecurity reports that a contractor for the US Cybersecurity and Infrastructure Security Agency (CISA) ran a public GitHub repository that exposed credentials to several sensitive AWS GovCloud accounts and internal CISA systems. The repository contained files detailing how the agency builds and deploys software internally.

GitGuardian researcher Guillaume Valadon discovered the repository, which was dubbed "Private-CISA," and contacted Krebs after the repo's owner failed to respond. Valadon said, "Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature. I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career. It is obviously an individual's mistake, but I believe that it might reveal internal practices." Likewise, Philippe Caturegli, founder of the security consultancy Seralys, told Krebs that the GitHub account showed "a pattern consistent with an individual operator using the repository as a working scratchpad or synchronization mechanism rather than a curated project repository."

The repository has since been secured, and CISA is investigating the exposure. An agency spokesperson stated, "Currently, there is no indication that any sensitive data was compromised as a result of this incident. While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences."

Microsoft fixes critical Authenticator flaw.

Microsoft has released a patch for a critical information disclosure flaw in its Authenticator app, BeyondMachines reports. The vulnerability (CVE-2026-41615) could expose sign-in access tokens for users' work accounts. Microsoft states, "An attacker could attempt to trick a user into interacting with a malicious request that appears legitimate. When the user approves the request, the attacker could cause the app to obtain an access token on the user’s behalf and send it to a location controlled by the attacker, without the user being clearly informed about what access is being granted."

Android users should ensure their apps are updated to version 6.2605.2973 or later, while iOS users should update to version 6.8.47 or later.

INTERPOL operation nabs 200 suspected cybercriminals.

An INTERPOL operation dubbed "Operation Ramz" resulted in the arrests of more than 200 suspects across the Middle East and North Africa, BleepingComputer reports. Thirteen countries in the region participated in the operation, seizing 53 servers and identifying a further 382 suspects who are still at large. The operation focused on shutting down malware, phishing, and scam infrastructure. Private sector partners, including Kaspersky, Group-IB, and Team Cymru, assisted in the effort.