By the N2K CyberWire staff
Top stories.
- GitHub discloses breach of 3,800 internal code repositories.
- CISA contractor exposed AWS GovCloud keys on GitHub.
- Researchers craft a kernel exploit on Apple's M5 chips, with help from Mythos.
- President Trump delays signing of AI executive order.
- International law enforcement efforts disrupt cybercrime operations.
GitHub discloses breach of 3,800 internal code repositories.
GitHub has confirmed that a Trojanized VS Code extension compromised around 3,800 internal repositories, BleepingComputer reports. GitHub stated, "[W]e detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately." The company added, "While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity."
The TeamPCP threat actor claimed responsibility for the breach, and is selling the stolen data for $50,000. The group says it will release the data for free if a buyer isn't found. GitHub noted, "The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far."
WIRED notes that TeamPCP has conducted at least 20 waves of supply-chain attacks in recent months, Trojanizing more than 500 pieces of software and breaching hundreds of companies.
Iran’s evolving cyber playbook.
Iran’s cyber operations have evolved beyond destructive malware, with actors pivoting to target identity systems. Dave Bittner sat down with Sam Rubin, Senior Vice President at Palo Alto Networks, to discuss how Iranian groups are weaponizing stolen credentials and trusted access to reach high-value targets. Whether it be attacking vulnerable trusted parties or crafting documents loaded with malware, listen to the conversation to learn how Iran’s pivot is impacting the cybersecurity landscape.
CISA contractor exposed AWS GovCloud keys on GitHub.
KrebsOnSecurity reports that a contractor for the US Cybersecurity and Infrastructure Security Agency (CISA) ran a public GitHub repository that exposed credentials to several sensitive AWS GovCloud accounts and internal CISA systems. The repository contained files detailing how the agency builds and deploys software internally.
GitGuardian researcher Guillaume Valadon discovered the repository, which was dubbed "Private-CISA," and contacted Krebs after the repo's owner failed to respond. Valadon said, "Passwords stored in plain text in a csv, backups in git, explicit commands to disable GitHub secrets detection feature. I honestly believed that it was all fake before analyzing the content deeper. This is indeed the worst leak that I’ve witnessed in my career. It is obviously an individual's mistake, but I believe that it might reveal internal practices." Likewise, Philippe Caturegli, founder of the security consultancy Seralys, told Krebs that the GitHub account showed "a pattern consistent with an individual operator using the repository as a working scratchpad or synchronization mechanism rather than a curated project repository."
The repository has since been secured, and CISA is investigating the exposure. An agency spokesperson stated, "Currently, there is no indication that any sensitive data was compromised as a result of this incident. While we hold our team members to the highest standards of integrity and operational awareness, we are working to ensure additional safeguards are implemented to prevent future occurrences."
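A defender's check for the kind of material described above, added here as an illustration and not code from GitGuardian, CISA, or the reported repository: it scans a constructed, made-up repository snapshot for AWS access key IDs, AWS secret keys, and non-empty password columns in CSV files, the sort of pre-commit or CI gate that would flag such a repository before it goes public. The sample key values are AWS's documented placeholder examples, not real credentials.

```python
import csv
import io
import re

# Constructed sample "repository snapshot": path -> file contents.
# All values are made up (the AWS pair is AWS's public documentation placeholder).
SAMPLE_REPO = {
    "deploy/aws.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "notes/accounts.csv": "service,username,password\njenkins,admin,hunter2\nvault,svc,\n",
    "README.md": "# Build notes\nNothing secret here.\n",
}

# AWS access key IDs are 20 characters: a 4-char prefix (AKIA long-term, ASIA temporary)
# followed by 16 uppercase alphanumerics. Secret keys are 40 base64-style characters.
AWS_ACCESS_KEY_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
AWS_SECRET_RE = re.compile(r'(?i)aws_secret_access_key\s*[=:]\s*"?([A-Za-z0-9/+=]{40})"?')
PASSWORD_COLUMNS = {"password", "passwd", "pwd", "secret"}


def scan_text(path, text):
    """Line-by-line regex scan for AWS credentials; returns (path, line, kind) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if AWS_ACCESS_KEY_RE.search(line):
            findings.append((path, lineno, "aws_access_key_id"))
        if AWS_SECRET_RE.search(line):
            findings.append((path, lineno, "aws_secret_access_key"))
    return findings


def scan_csv(path, text):
    """Flag any CSV row with a non-empty value in a password-like column."""
    findings = []
    reader = csv.DictReader(io.StringIO(text))
    secret_cols = [c for c in (reader.fieldnames or []) if c.strip().lower() in PASSWORD_COLUMNS]
    for rowno, row in enumerate(reader, 2):  # line 1 is the header row
        for col in secret_cols:
            if (row.get(col) or "").strip():
                findings.append((path, rowno, f"plaintext_{col.strip().lower()}"))
    return findings


def scan_repo(files):
    """Run both scanners over a {path: contents} mapping; a non-empty result should block the push."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
        if path.lower().endswith(".csv"):
            findings.extend(scan_csv(path, text))
    return findings


if __name__ == "__main__":
    for path, lineno, kind in scan_repo(SAMPLE_REPO):
        print(f"{path}:{lineno}: {kind}")
```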
Infosecurity Europe 2026
Infosecurity Europe is the leading gathering for the cybersecurity industry in Europe. Each year, we bring the community together to share the latest innovations, learn from one another, and test and benchmark solutions. Join us in London!
Researchers craft a kernel exploit on Apple's M5 chips, with help from Mythos.
Researchers at Calif developed the first public macOS kernel memory-corruption exploit on Apple's M5 chips, despite the company's hardware-assisted Memory Integrity Enforcement (MIE) protections. Calif says the exploit was developed with assistance from Anthropic's Mythos model, which "discovered the bugs quickly because they belong to known bug classes." Bypassing MIE required human expertise, however.
The researchers state, "The exploit is a data-only kernel local privilege escalation chain targeting macOS 26.4.1 (25E253). It starts from an unprivileged local user, uses only normal system calls, and ends with a root shell. The implementation path involves two vulnerabilities and several techniques, targeting bare-metal M5 hardware with kernel MIE enabled." Calif has shared its findings with Apple, and is withholding technical details until Apple issues a fix.
President Trump delays signing of AI executive order.
Axios reports that President Trump has delayed the signing of an executive order on AI and cybersecurity after speaking with his AI advisor David Sacks and several tech executives, including Mark Zuckerberg and Elon Musk. Trump told reporters on Thursday, "I think it gets in the way of — you know, we're leading China, we're leading everybody, and I didn't want to do anything to get in the way of that lead."
Sources familiar with the situation told Axios that the executive order was "unnecessary" and "just something doomers wanted," adding that the main reason it was delayed was that President Trump "just hates regulation." The order was supported by those who have been calling for stricter regulation of AI model development, while critics maintain that regulation will hamper a rapidly evolving industry.
International law enforcement efforts disrupt cybercrime operations.
An INTERPOL operation dubbed "Operation Ramz" resulted in the arrests of more than 200 suspects across the Middle East and North Africa, BleepingComputer reports. Thirteen countries in the region participated in the operation, seizing 53 servers and identifying a further 382 suspects who are still at large. The operation focused on shutting down malware, phishing, and scam infrastructure. Private sector partners, including Kaspersky, Group-IB, and Team Cymru, assisted in the effort.
Separately, a Europol operation led by France and the Netherlands dismantled First VPN, a VPN service that openly catered to cybercriminals on underground forums. First VPN was widely used by ransomware gangs and other criminal threat actors. Europol said the VPN service was used in "almost every major cybercrime investigation supported by Europol in recent years." Law enforcement arrested the alleged administrator of the service in Ukraine, shut down 33 servers, and seized several domains. Police also identified thousands of users, and shared information on 506 of these suspects with international law enforcement agencies.
Finally, Microsoft used a court order to disrupt the Fox Tempest malware-signing-as-a-service (MSaaS), which allowed threat actors to disguise malware as legitimate software by abusing code-signing tools.