
CISA secrets left sitting on GitHub.
A CISA contractor leaks GovCloud credentials on GitHub. INTERPOL cracks down on phishing infrastructure across the Middle East and North Africa. Microsoft patches a critical Authenticator flaw, while Poland moves officials off Signal after targeted phishing campaigns. A stealthier SHub macOS infostealer emerges. Universal Robots fixes a critical vulnerability. A Dark Web marketplace dumps millions of stolen payment cards. Echo Protocol loses $76 million in a synthetic Bitcoin breach. Our guest is Chris Cochran, Field CISO & Vice President of AI Security at SANS, discussing their AI maturity model. Nathan Detroit rolls malware snake eyes.
Today is Tuesday, May 19th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
CISA contractor exposed sensitive AWS GovCloud credentials in a public GitHub repository.
A public GitHub repository maintained by a contractor for the Cybersecurity and Infrastructure Security Agency, or CISA, exposed highly privileged AWS GovCloud credentials and internal agency systems until it was taken offline this weekend.
Researchers at GitGuardian and Seralys say the repository contained plaintext passwords, cloud keys, tokens, logs, and internal deployment files tied to CISA and the Department of Homeland Security. According to available reports, exposed credentials authenticated to at least three AWS GovCloud accounts with elevated privileges. Researchers also found credentials for CISA’s internal software development and code package systems. The repository reportedly included evidence that GitHub’s secret scanning protections had been disabled.
Exposed administrative credentials and software build systems could provide attackers a pathway for persistence or lateral movement inside sensitive government environments. Researchers described the leak as an example of poor credential management and weak operational security practices.
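The leak described above is the kind of thing a repository-side secret scanner is meant to catch before a push lands. The following is an added example written for this briefing, not CISA's, GitGuardian's, or GitHub's tooling: a small pre-commit style scanner that flags AWS access key IDs, AWS secret keys, and generic credential assignments, reports them with the value masked so the report does not re-leak the secret, and attaches a Shannon entropy score to help triage. The sample files are constructed; the `AKIA...EXAMPLE` value is AWS's documented placeholder key, and every other value is made up.

```python
"""Minimal pre-commit style secret scanner (added example, not a real product's rules)."""
import math
import re
import sys
from dataclasses import dataclass

# Constructed sample repository contents, standing in for deployment files and CI config.
# None of these are real credentials; the AKIA key is AWS's own documentation placeholder.
SAMPLE_FILES = {
    "deploy/config.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "AWS_DEFAULT_REGION=us-gov-west-1\n"
    ),
    "ci/pipeline.yml": "artifact_repo_password: 'hunter2'\nnpm_token: npm_example\n",
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment; never commit it.\n",
}

# Three starter rules; production scanners carry hundreds of provider-specific patterns.
RULES = [
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("aws-secret-access-key",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})")),
    ("generic-credential-assignment",
     re.compile(r"(?i)(?:password|passwd|token|secret)\s*[=:]\s*['\"]?([^\s'\"]{6,})")),
]


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    masked_value: str
    entropy: float


def shannon_entropy(value: str) -> float:
    """Bits per character: random keys score high, dictionary words score low."""
    if not value:
        return 0.0
    n = len(value)
    counts = {c: value.count(c) for c in set(value)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def mask(value: str, keep: int = 4) -> str:
    """Keep a short prefix for correlation; never echo the full secret into a report."""
    return value[:keep] + "*" * (len(value) - keep)


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every rule over every line and collect masked findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            for match in pattern.finditer(line):
                value = match.group(1)
                findings.append(Finding(path, line_no, rule, mask(value),
                                        round(shannon_entropy(value), 2)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> content, as a hook would for staged files."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.masked_value} (entropy {f.entropy})")
    # A hook blocks the commit when anything is found.
    sys.exit(1 if results else 0)
```

Run as a script it prints four findings for the constructed files and exits non-zero, which is what a pre-commit or CI gate would key on; the README line that merely names the variable produces nothing, since the rules require an assignment or a key-shaped value.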
INTERPOL operation targets phishing, malware infrastructure across the Middle East and North Africa.
INTERPOL says its latest cybercrime crackdown, dubbed Operation Ramz, led to more than 200 arrests and the seizure of 53 servers tied to phishing, malware, and online fraud operations across the Middle East and North Africa.
Authorities across 13 countries also identified 382 additional suspects and linked the seized infrastructure to at least 3,867 confirmed victims. INTERPOL says the operation disrupted phishing-as-a-service platforms, malware distribution systems, and investment fraud schemes. Private sector partners including Kaspersky, Group-IB, and Team Cymru assisted with threat intelligence and infrastructure tracking.
The operation highlights growing international coordination between law enforcement and cybersecurity firms to disrupt cybercriminal infrastructure before it can be reused or expanded.
Microsoft patches a critical Authenticator flaw.
Microsoft has released emergency updates for its Authenticator app on Android and iOS to fix a critical vulnerability that could allow attackers to steal authentication tokens and access corporate resources.
The flaw, tracked as CVE-2026-41615 with a CVSS score of 9.6, could be exploited by tricking users into approving a malicious authentication request disguised as legitimate. According to Microsoft, the app could then generate and transmit access tokens to an attacker-controlled server. Affected versions include Android releases before 6.2605.2973 and iOS releases before 6.8.47.
The issue highlights ongoing risks around push-based authentication and user approval fatigue, even in multi-factor authentication workflows.
Poland moves officials off Signal.
Poland is directing government officials to stop using Signal for sensitive communications after a series of phishing and account takeover campaigns targeting politicians, military personnel, and public servants. Officials say the activity is linked to advanced persistent threat groups associated with Russian state interests.
According to Poland’s national Computer Security Incident Response Teams, attackers posed as Signal support staff and tricked users into sharing verification codes or linking attacker-controlled devices through malicious QR codes and phishing links. Authorities emphasized that Signal’s encryption was not broken. Instead, attackers exploited users through social engineering techniques.
Poland will shift officials to government-controlled platforms, including mSzyfr Messenger and the classified communications system SKR-Z. The move reflects broader concerns across Europe that user-targeted phishing remains one of the biggest weaknesses in secure messaging environments.
The new SHub “Reaper” macOS malware variant adds stealthier infection and persistent backdoor capabilities.
Researchers at SentinelOne have identified a new variant of the SHub macOS infostealer, dubbed Reaper, that uses AppleScript and fake security update prompts to compromise Apple devices and install persistent backdoor access.
Unlike earlier SHub campaigns that relied on Terminal-based social engineering, the new variant abuses the applescript:// URL scheme to launch malicious scripts through macOS Script Editor. Researchers say the malware steals browser data, cryptocurrency wallets, password manager information, Telegram sessions, and sensitive files from infected systems. Reaper also hijacks cryptocurrency wallet applications by replacing legitimate application files with malicious versions and establishes persistence through fake Google software update LaunchAgents.
The campaign highlights how macOS-focused threat actors are adapting to Apple’s recent security mitigations by shifting toward new execution methods and broader post-compromise access capabilities.
Universal Robots patches critical remote code execution flaw in collaborative robot platform.
Universal Robots has patched a critical vulnerability in its PolyScope 5 operating system that could allow attackers to remotely execute commands on industrial collaborative robots, or cobots.
The flaw, tracked as CVE-2026-8153 with a CVSS score of 9.8, affects the Dashboard Server interface and stems from improper handling of user input. According to CISA and the vendor, an unauthenticated attacker with network access could compromise affected robot controllers. Researchers warn that flat industrial networks and remote management connections could increase exposure and potentially allow attackers to move between connected systems.
The issue underscores continuing risks around operational technology security and network segmentation in industrial environments.
A Dark Web marketplace releases millions of stolen payment cards for free.
The Dark Web carding marketplace B1ack’s Stash has released roughly 4.6 million stolen credit card records for free, claiming the move was punishment for sellers who allegedly resold stolen cards through competing criminal platforms.
According to SOCRadar, the leaked records include full payment card details, billing addresses, phone numbers, email addresses, and IP data. Researchers estimate roughly 4.3 million of the cards may be previously unseen and potentially active. The majority of affected victims appear to be based in the United States, with additional exposure across Canada, the United Kingdom, and parts of Asia.
Security researchers warn the release could fuel a spike in card-not-present fraud, identity theft, phishing campaigns, and credential stuffing attacks in the coming weeks as threat actors redistribute the data.
Echo Protocol breach leads to unauthorized minting of $76 million in synthetic Bitcoin.
Echo Protocol is investigating a major security breach after an attacker minted roughly 1,000 unauthorized eBTC tokens, creating about $76.7 million in synthetic Bitcoin on the Monad blockchain.
Blockchain security firms PeckShield and Lookonchain say the attacker moved portions of the funds through decentralized finance platforms, bridged assets to Ethereum, and laundered some proceeds through Tornado Cash. Researchers suspect the incident stemmed from an administrative private key compromise rather than a flaw in the protocol’s smart contracts. Echo Protocol has suspended cross-chain transactions while the investigation continues.
The breach highlights ongoing operational security risks in decentralized finance, particularly around privileged account management and bridge infrastructure.
Nathan Detroit rolls malware snake eyes.
The Chanhassen Dinner Theatres in Minnesota has cancelled two more performances of Guys and Dolls after a one-two punch of norovirus and a cyberattack sidelined both cast members and online systems.
The theater says performances scheduled for May 19 and the May 20 matinee will not go on while staff work with the Minnesota Department of Health to disinfect facilities and give performers time to recover. At the same time, officials are responding to a cyberattack that disrupted the theater’s computer network and online operations. According to theater leadership, efforts are underway to securely restore affected systems.
It is an unusually modern backstage problem: one part public health response, one part incident response plan. For now, the show, quite literally, cannot go on.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.
