About 3,800 repositories were exfiltrated from GitHub after an employee device was compromised by a poisoned version of the Nx Console VS Code extension, GitHub has confirmed.
GitHub breach via the Nx Console VS Code extension
GitHub says the intrusion into its internal repositories resulted from a compromised employee device running a tampered Nx Console extension (nrwl.angular-console). The attack allowed a threat actor known as TeamPCP to exfiltrate roughly 3,800 repositories, GitHub said, and the company reported it has "taken steps to contain the incident and rotated critical secrets" while continuing to monitor for follow-on activity. The Nx team added that a developer’s system was hacked in the wake of the recent TanStack supply chain attack.
The incident sits within a cascade of supply-chain compromises: the TanStack campaign also affected OpenAI, Mistral AI, and Grafana Labs. Grafana Labs told reporters it refused to pay extortionists who threatened to release the company’s codebase. The public release of the Shai-Hulud code by TeamPCP raises the prospect that attackers now have a ready-made blueprint for worms targeting open-source repositories and developer environments.
Mini Shai-Hulud, TeamPCP, and the downstream supply-chain fallout
The Mini Shai-Hulud campaign has produced a growing list of downstream victims and law-enforcement activity. Separately, the Netherlands Fiscal Intelligence and Investigation Service (FIOD) arrested two men and seized 800 servers tied to a web hosting company assessed to be Stark Industries, which the E.U. sanctioned in May 2025. FIOD said the new Dutch-based company "actually acts as a cover for the sanctioned entities," and attributed directorship and ownership links to the suspects. These moves underline how supply-chain and infrastructure abuse now creates extended, cross-border harm beyond single-product flaws.
Microsoft: Fox Tempest takedown, Defender zero-days, and YellowKey mitigation
Microsoft says it disrupted Fox Tempest, an actor that supplied tools and services — including a fraudulent code-signing service — to enable malware and extortion campaigns such as Rhysida ransomware and commodity malware families like Oyster, Lumma Stealer, and Vidar. Separately, Microsoft warned of two actively exploited vulnerabilities in Defender: CVE-2026-41091 (a privilege-escalation issue that could allow an attacker to gain SYSTEM privileges) and CVE-2026-45498 (a denial-of-service issue). The descriptions overlap with two Defender zero-days publicly disclosed last month by Chaotic Eclipse (aka Nightmare-Eclipse), known as RedSun and UnDefend.
Microsoft also released mitigations for a BitLocker bypass dubbed YellowKey, now tracked as CVE-2026-45585 (CVSS 6.8). Microsoft said successful exploitation could permit an attacker with physical access to sidestep BitLocker device encryption and access encrypted data on affected Windows 11 and Windows Server builds.
RondoDox, Void Botnet, and the expanding router-botnet threat
Botnets continue to broaden their reach by weaponizing old and unpatched network devices. The RondoDox operators added CVE-2018-5999 — a critical ASUS router flaw (CVSS 9.8) — to their toolkit and were observed exploiting it in the wild starting May 17, 2026. Vulnerability researchers recorded payloads that flip an ateCommand_flag and enable the infosvr interface to accept arbitrary configuration changes, according to VulnCheck CTO Jacob Baines.
Meanwhile, a new Rust-based malware called Void Botnet uses Ethereum smart contracts for seizure-resistant command-and-control: operators write instructions to a contract and infected machines poll public RPC endpoints to retrieve tasks within three to five minutes. Void’s operator — using the handle TheVoidStl in advertisements — also offers a direct web-panel C2 mode with sub-30-second tasking, allowing operators to switch modes at will. Exploitation of older industrial-router flaws has also been massive: CrowdSec tracked large-scale exploitation of CVE-2024-9643 in Four-Faith F3x36 cellular routers, escalating to "mass exploitation" by May 12.
What this means for security teams, developer communities, and end users
- Security teams: The Verizon data cited in this briefing shows vulnerability exploitation accounted for 31% of data breaches over the past year (up from 20% in 2024), while credential abuse fell from 22% to 13%. Only 26% of critical vulnerabilities in CISA’s KEV catalog were fully remediated by organizations in 2025, down from 38% the previous year, and median time to full resolution rose to 43 days from 32. The practical takeaway: rapid detection and patch prioritization must outpace the shrinking window between patch and exploit.
- Developer communities and open-source maintainers: The GitHub and TanStack-related compromises illustrate how a single compromised developer workstation or extension can cascade into thousands of victims. Anthropic’s Project Glasswing reported uncovering more than 10,000 high- or critical-severity candidates, with 1,726 validated true positives and 1,094 assessed as high- or critical — a sign the attack surface in commonly used projects remains large and actively scrutinized.
- End users and administrators: The week’s advisories include a long list of high-risk CVEs — from CVE-2026-46333 in the Linux kernel to CVE-2026-9082 in Drupal Core and CVE-2026-20223 in Cisco Secure Workload — that are already being probed or exploited. Drupal itself warned that "exploit attempts are now being detected in the wild," and Imperva observed more than 15,000 attack attempts across almost 6,000 sites. For defenders, patching exposed, internet-facing services and reassessing trust in code-signing and extension supply chains are immediately actionable steps.
For now, the headline is simple: attackers reuse old flaws, weaponize developer tooling, and adopt resilient C2 techniques — and defenders are, as the briefing bluntly puts it, still "patching old boxes and forgotten servers." The months ahead will show whether containment, mitigations such as Microsoft’s YellowKey guidance, and new reporting pathways like CISA’s KEV nomination form can blunt the momentum of these fast-moving threats.




