Issue #006 · May 20, 2026
Cyber Threat Brief — Issue #006
What's active. What matters. What to do about it.
Active Campaigns
On May 19, 2026, TeamPCP compromised GitHub's internal infrastructure after a GitHub employee installed a malicious Visual Studio Code extension downloaded directly from the official VS Code Marketplace. The extension had full access to the developer's machine including source code, credentials stored in the system keychain, SSH keys, cloud provider keys, GitHub authentication tokens, and shell history. TeamPCP used the harvested credentials to exfiltrate approximately 3,800 of GitHub's internal code repositories. The group offered the stolen repositories for sale on a cybercrime forum for $50,000, threatening to leak them for free if no buyer came forward. GitHub confirmed the breach on May 20th, stating the intrusion was detected and contained, and that no customer repositories or data stored outside GitHub's internal systems were impacted. The attack is the most significant escalation yet in TeamPCP's 2026 Mini Shai-Hulud campaign, which has now compromised Trivy, LiteLLM, Checkmarx, TanStack, and GitHub in a continuous chain of developer tooling attacks since March.
Grafana Labs confirmed on May 17, 2026 that an unauthorized party obtained a GitHub access token and used it to download the company's entire codebase. Grafana operates an open-source observability platform with more than 25 million users and 7,000 enterprise customers including Nvidia, Microsoft, and Anthropic. The attackers, identified as Coinbase Cartel by researchers at Sophos and Halcyon, demanded a ransom payment to prevent the source code from being leaked publicly. Grafana refused, citing FBI guidance that payment incentivizes future attacks and offers no guarantee data will be deleted. Coinbase Cartel emerged in September 2025 as an offshoot of the ShinyHunters, Scattered Spider, and Lapsus$ ecosystems. The group does not use file-encrypting ransomware. Its model is steal, threaten, and leak, with documented cases of returning to demand a second ransom after the first is paid. The group has claimed 170 victims across healthcare, technology, transportation, and manufacturing since its emergence.
Drupal disclosed a critical vulnerability on May 18, 2026 and warned that attackers may develop a working exploit within hours or days of the advisory's publication. Drupal powers millions of websites worldwide including government portals, university systems, and enterprise content management deployments. The combination of Drupal's widespread deployment, its history of rapid weaponization following critical disclosures, and the explicit vendor warning about fast exploitation timelines makes this a patch-immediately situation regardless of perceived exposure. Organizations running Drupal on internet-facing infrastructure should treat this as same-day remediation.
CVE Watch
PRODUCT: Visual Studio Code Extension Marketplace (malicious extensions)
WHAT IT MEANS:
The GitHub breach demonstrates that the VS Code extension marketplace is an active attack surface. A single malicious extension installed by one developer gave TeamPCP access to 3,800 internal GitHub repositories. VS Code extensions run in the extension host, a Node.js process with the developer's full user privileges and no sandbox, so a malicious extension can read every credential, key, token, and secret that user can read, and it does so through ordinary file and network calls that standard endpoint security rarely flags. The official marketplace does not perform real-time behavioral analysis of published extensions, and because VS Code auto-updates extensions by default, an extension that was legitimate at publication can turn malicious with a later update without any action from the developer. Every developer installing extensions from the marketplace is trusting that Microsoft's vetting process caught everything. The GitHub breach confirms it did not.
ACTION: Audit every VS Code extension installed across the engineering team now. Inventory each workstation with `code --list-extensions --show-versions`, remove extensions that are unused, unverified, or from publishers with no organizational track record, and restrict future installs to an approved list with the `extensions.allowed` setting available in recent VS Code releases, deployed through managed settings or enterprise policy so developers cannot override it. Enable Workspace Trust so that extensions that have not declared support for untrusted workspaces are disabled or run in limited mode while a folder is in Restricted Mode; note that this is a workspace-level control and does nothing against an already-installed malicious extension once a folder is trusted, so it complements the allowlist rather than replacing it.
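A script for the audit step, added here as an example and not code from the brief, from GitHub or from Microsoft. It consumes the output of `code --list-extensions --show-versions`, grades each extension against an allowlist written in the shape of VS Code's `extensions.allowed` setting (publisher-wide `true`, a specific `publisher.name`, a pinned version list, or an explicit `false`), and prints both the uninstall commands and the settings fragment that enforces the list. The listing, the allowlist and the publisher `totally-legit-tools` are constructed; the rule that an exact extension entry overrides a publisher-wide one is an assumption to verify against the VS Code documentation for your version.

```python
"""Audit installed VS Code extensions against an organizational allowlist.

Added example; not code from the brief, from GitHub or from Microsoft.
Input is the output of `code --list-extensions --show-versions` (one
`publisher.name@version` per line). The allowlist uses the shape of VS Code's
`extensions.allowed` setting so the same object can be dropped into managed
settings. The sample listing and allowlist below are constructed.
"""
import json
import re

LINE_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9-]*)\.([A-Za-z0-9][A-Za-z0-9-]*)@(\S+)$")

# Constructed allowlist in `extensions.allowed` form:
#   "publisher": true         every extension from that publisher
#   "publisher.name": true    that extension, any version
#   "publisher.name": [...]   only the listed versions
#   "publisher.name": false   explicitly blocked
ALLOWED = {
    "ms-python": True,
    "ms-python.isort": False,
    "esbenp.prettier-vscode": ["11.0.0"],
    "eamodio.gitlens": True,
}


def decide(ext_id, version, allowed=ALLOWED):
    """Return the audit status for one extension.

    Assumption: an exact `publisher.name` entry wins over a publisher-wide
    entry, so a blocked extension stays blocked even if its publisher is allowed.
    """
    ext_id = ext_id.lower()
    publisher = ext_id.split(".", 1)[0]
    rule = allowed.get(ext_id)
    if rule is None:
        rule = allowed.get(publisher)
    if rule is True:
        return "allowed"
    if rule is False:
        return "blocked"
    if isinstance(rule, list):
        return "allowed" if version in rule else "version-not-pinned"
    return "unapproved"


def audit(listing, allowed=ALLOWED):
    """Parse a `code --list-extensions --show-versions` listing into findings."""
    findings = []
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            findings.append({"id": line, "version": None, "status": "unparseable"})
            continue
        ext_id = f"{m.group(1)}.{m.group(2)}".lower()
        findings.append({"id": ext_id, "version": m.group(3),
                         "status": decide(ext_id, m.group(3), allowed)})
    return findings


def removal_commands(findings):
    """`code --uninstall-extension` lines for everything that is not allowed."""
    return [f"code --uninstall-extension {f['id']}"
            for f in findings if f["status"] not in ("allowed", "unparseable")]


def settings_fragment(allowed=ALLOWED):
    """JSON to merge into the managed settings.json that enforces the allowlist."""
    return json.dumps({"extensions.allowed": allowed}, indent=2)


# Constructed listing; the last publisher is fictional.
SAMPLE_LISTING = """\
ms-python.python@2026.4.0
ms-python.isort@2023.10.1
esbenp.prettier-vscode@10.4.0
eamodio.gitlens@17.0.0
totally-legit-tools.code-helper@1.0.3
"""

if __name__ == "__main__":
    results = audit(SAMPLE_LISTING)
    for f in results:
        print(f"{f['status']:<20} {f['id']}@{f['version']}")
    print("\n".join(removal_commands(results)))
    print(settings_fragment())
```

Run the listing command on each workstation (or collect it through your endpoint management tool) and feed the text in; anything reported as `unapproved`, `blocked` or `version-not-pinned` is a removal or an allowlist decision, and the printed fragment goes into the managed settings so the decision holds for future installs.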
PRODUCT: Drupal CMS (version range pending vendor confirmation)
WHAT IT MEANS:
Drupal's own advisory warned that a working exploit could be developed within hours of disclosure, which is a rare and significant admission from a major CMS vendor. Drupal has a documented history of critical vulnerabilities being rapidly weaponized: the 2014 Drupalgeddon SQL injection was under automated exploitation within hours of the advisory, and Drupalgeddon2 in 2018 was mass-exploited to install cryptocurrency miners and backdoors across hundreds of thousands of sites once a public proof of concept appeared about two weeks after the patch. The current vulnerability affects internet-facing Drupal installations. Government agencies, universities, and enterprises running Drupal as a public-facing CMS should treat this as an emergency remediation regardless of current patch cycle schedules.
ACTION: Apply the Drupal security update immediately. On internet-facing hosts, monitor for the post-exploitation signals that follow a successful web application compromise: shells, curl, or wget spawned under the web server user, new or modified PHP files in the web root, and outbound connections from web server processes to anything other than known backends such as the database.
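The monitoring half of that action as detection logic over sample output, added here as an example and not Drupal's or any vendor's tooling. It reads the text of `ps -eo pid,ppid,user,comm` and `ss -Htnp` (run as root so process names appear), flags shells and downloaders running as the web server user, flags outbound connections owned by web-user processes that are neither inbound client connections nor known backends, and prints the process ancestry so an analyst can see the chain back to php-fpm. The process list, socket table, user names and the allowed egress destination are constructed.

```python
"""Flag suspicious web-server process behaviour from `ps` and `ss` output.

Added example for the brief's Drupal remediation advice; not the vendor's
tooling. Input is the text of `ps -eo pid,ppid,user,comm` and `ss -Htnp`
(assumed to be run as root so process names are visible). The sample
output below is constructed.
"""
import re
from collections import namedtuple

WEB_USERS = {"www-data", "apache", "nginx", "http"}
SERVING_PORTS = {80, 443}                    # inbound ports the site serves on
EGRESS_ALLOW = {("10.0.0.20", 5432)}         # constructed: the database; all else is suspect
SUSPECT_COMMS = {"sh", "bash", "dash", "zsh", "curl", "wget", "nc", "ncat",
                 "python3", "perl", "php"}   # php CLI under the web user is odd too

Proc = namedtuple("Proc", "pid ppid user comm")
Conn = namedtuple("Conn", "state laddr lport raddr rport comm pid")

# State Recv-Q Send-Q Local:Port Peer:Port users:(("comm",pid=N,fd=M))
SS_RE = re.compile(
    r'^(\S+)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+users:\(\("([^"]+)",pid=(\d+),fd=\d+\)\)')


def _split_addr(s):
    host, port = s.rsplit(":", 1)            # rsplit copes with bracketed IPv6
    return host.strip("[]"), int(port)


def parse_ps(text):
    """Map pid -> Proc from `ps -eo pid,ppid,user,comm` output (header skipped)."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue
        pid, ppid, user, comm = parts
        procs[int(pid)] = Proc(int(pid), int(ppid), user, comm)
    return procs


def parse_ss(text):
    """List of Conn from `ss -Htnp` output; lines without a process are ignored."""
    conns = []
    for line in text.splitlines():
        m = SS_RE.match(line.strip())
        if not m:
            continue
        state, local, peer, comm, pid = m.groups()
        laddr, lport = _split_addr(local)
        raddr, rport = _split_addr(peer)
        conns.append(Conn(state, laddr, lport, raddr, rport, comm, int(pid)))
    return conns


def ancestry(procs, pid):
    """Walk parent links so the analyst sees where a shell came from."""
    chain = []
    while pid in procs:
        p = procs[pid]
        chain.append(f"{p.comm}[{p.pid}]")
        pid = p.ppid
    return " <- ".join(chain)


def findings(ps_text, ss_text):
    procs, out = parse_ps(ps_text), []
    # Rule 1: shells and downloaders running as the web server user.
    for p in procs.values():
        if p.user in WEB_USERS and p.comm in SUSPECT_COMMS:
            out.append({"rule": "web-user-spawned-tool", "pid": p.pid,
                        "detail": ancestry(procs, p.pid)})
    # Rule 2: web-user processes talking outbound to anything not on the allowlist.
    for c in parse_ss(ss_text):
        owner = procs.get(c.pid)
        if owner is None or owner.user not in WEB_USERS:
            continue
        if c.lport in SERVING_PORTS:         # a client connected to us: inbound
            continue
        if (c.raddr, c.rport) in EGRESS_ALLOW:
            continue
        out.append({"rule": "unexpected-egress", "pid": c.pid,
                    "detail": f"{c.comm}[{c.pid}] -> {c.raddr}:{c.rport} "
                              f"({ancestry(procs, c.pid)})"})
    return out


# Constructed `ps -eo pid,ppid,user,comm` output: a php-fpm worker has spawned
# a shell, and the shell has spawned curl.
SAMPLE_PS = """\
    PID    PPID USER     COMMAND
      1       0 root     systemd
    700     699 www-data nginx
    812       1 root     php-fpm8.2
    901     812 www-data php-fpm8.2
    902     812 www-data php-fpm8.2
   1340     901 www-data sh
   1344    1340 www-data curl
"""

# Constructed `ss -Htnp` output: one inbound client, one database connection,
# and curl reaching out to a documentation-range address on port 4444.
SAMPLE_SS = """\
ESTAB 0 0 10.0.0.5:443 198.51.100.23:51234 users:(("nginx",pid=700,fd=12))
ESTAB 0 0 10.0.0.5:41122 10.0.0.20:5432 users:(("php-fpm8.2",pid=901,fd=9))
ESTAB 0 0 10.0.0.5:46610 203.0.113.77:4444 users:(("curl",pid=1344,fd=5))
"""

if __name__ == "__main__":
    for f in findings(SAMPLE_PS, SAMPLE_SS):
        print(f"{f['rule']:<24} pid={f['pid']:<6} {f['detail']}")
```

Wire it into a cron job or your EDR's custom-script channel on the Drupal hosts and page on any finding; the egress allowlist and the web user set are the two things to tune per environment, and file creation in the web root is better covered by an integrity monitor than by a process snapshot.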
PRODUCT: Linux Kernel (Copy Fail — all major distributions, kernels 2017-present)
WHAT IT MEANS:
Copy Fail was covered in Issue #005 as an actively exploited local privilege escalation. CISA's May 15, 2026 remediation deadline for federal agencies has now passed. Any organization that has not yet patched should assume that an attacker with any foothold on an unpatched Linux host can use it to become root: the 732-byte Python exploit is public and runs unmodified across all major Linux distributions.
ACTION: If kernel patching was not completed by May 15, treat it as overdue and escalate internally. The fix is in upstream kernel versions 6.18.22, 6.19.12, and 7.0, and major distributions ship backported fixes; because distribution kernels keep their own version strings, verify against your vendor's advisory for the fixed package version rather than comparing against the upstream numbers.
Threat Actor Activity
| Actor | Status | Activity |
|---|---|---|
| TeamPCP (UNC6780) | [ ESCALATING ] | Breached GitHub itself via a poisoned VS Code extension, exfiltrating approximately 3,800 internal repositories. The attack is the most visible escalation yet in the Mini Shai-Hulud campaign and demonstrates TeamPCP's strategic focus on compromising the tools developers trust most. GitHub is the infrastructure that underpins the entire software development ecosystem. One poisoned extension on one employee's machine was the entry point. |
| Coinbase Cartel (SLSH cluster) | [ ACTIVE ] | Claimed the Grafana Labs breach, successfully exfiltrating the company's codebase via a stolen GitHub access token and demanding ransom. Grafana refused to pay. The group's documented repeat extortion model means organizations that do pay have no guarantee the data is deleted. Coinbase Cartel now lists 170 victims across multiple sectors. |
| Scattered Spider | [ ACTIVE ] | Confirmed operational overlap with Coinbase Cartel through shared infrastructure, personnel, and TTPs documented by Sophos and Halcyon. The SLSH cluster, combining ShinyHunters, Lapsus$, and Scattered Spider alumni, is now operating as a coordinated ecosystem rather than distinct groups. Tyler Buchanan pleaded guilty in April 2026 for Scattered Spider-linked activity. The brand continued operating through the arrest. |
| Salt Typhoon | [ MONITORING ] | No new confirmed activity. Congressional scrutiny of carrier remediation continues with full eviction from US telecommunications infrastructure still unconfirmed by independent sources. |
| Volt Typhoon | [ MONITORING ] | No new confirmed activity. Pre-positioning in US critical infrastructure from prior periods remains unresolved. Operational silence consistent with established long-dwell pattern. |
Key Takeaway
The defining story of this issue broke this morning. TeamPCP has compromised GitHub, the platform that hosts code for more than 100 million developers worldwide, through a single malicious extension in Microsoft's own VS Code Marketplace. One developer. One installed extension. 3,800 internal repositories. The attack did not require a zero-day vulnerability, a sophisticated nation-state operation, or months of quiet reconnaissance. It required one person to install a tool they had every reason to trust from a marketplace they had every reason to believe was safe. Separately, the Grafana Labs breach this week confirms that GitHub access tokens have become one of the most valuable credentials in the current threat landscape. Three significant GitHub-related incidents occurred in May 2026 alone. The software development pipeline, the infrastructure that every organization relies on to build and deploy the tools they use, is now the most actively targeted attack surface in the ecosystem. If your organization has not audited its VS Code extensions, reviewed its GitHub token hygiene, and scoped its developer credential exposure this month, that is the work for this week.
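The credential-scoping step as a scan over the artifacts a developer workstation leaves behind, added here as an example and not code from the brief, GitHub or Grafana. It searches shell history, `.env` files and git remote URLs for GitHub's prefixed token formats (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_`, `github_pat_`), redacts each hit, notes whether the token is embedded in a URL, and groups duplicates by fingerprint so each token is revoked once. Token lengths follow the patterns common secret scanners use; the file paths, file contents and every token below are constructed.

```python
"""Scope developer-side GitHub token exposure from local artifacts.

Added example, not code from the brief, GitHub or Grafana. It scans text
artifacts a developer machine leaves behind (shell history, .env files, git
remote URLs) for GitHub token formats, redacts what it finds, and groups
duplicate hits so each token is revoked once. Token lengths follow the
prefixed formats GitHub introduced in 2021 as matched by common secret
scanners; all sample artifacts and tokens below are constructed.
"""
import hashlib
import re

TOKEN_RE = re.compile(
    r"\b(?:(?P<classic>ghp_[A-Za-z0-9]{36})"          # classic personal access token
    r"|(?P<oauth>gho_[A-Za-z0-9]{36})"                 # OAuth access token
    r"|(?P<user_to_server>ghu_[A-Za-z0-9]{36})"        # GitHub App user-to-server
    r"|(?P<installation>ghs_[A-Za-z0-9]{36})"          # GitHub App installation token
    r"|(?P<refresh>ghr_[A-Za-z0-9]{36})"               # refresh token
    r"|(?P<fine_grained>github_pat_[A-Za-z0-9_]{82}))\b"  # fine-grained PAT
)


def redact(token):
    """Keep the prefix and four characters at each end; enough to match a revocation."""
    prefix = "github_pat" if token.startswith("github_pat_") else token[:3]
    body = token[len(prefix) + 1:]
    return f"{prefix}_{body[:4]}...{body[-4:]}"


def fingerprint(token):
    """Stable short id so the same token found in two files is one revocation."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def scan_text(source, text):
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in TOKEN_RE.finditer(line):
            token = m.group(0)
            hits.append({
                "source": source, "line": lineno, "kind": m.lastgroup,
                "redacted": redact(token), "fingerprint": fingerprint(token),
                # A token inside a URL also lands in git config and reflog entries.
                "in_url": "://" in line and f"{token}@" in line,
            })
    return hits


def scan_sources(sources):
    """sources: mapping of path -> file text (read the real files in production)."""
    out = []
    for path, text in sources.items():
        out.extend(scan_text(path, text))
    return out


def revocation_plan(hits):
    """fingerprint -> kind, redacted form, and every location it was seen."""
    plan = {}
    for h in hits:
        entry = plan.setdefault(h["fingerprint"],
                                {"kind": h["kind"], "redacted": h["redacted"], "locations": []})
        entry["locations"].append(f"{h['source']}:{h['line']}")
    return plan


# Constructed tokens: correct shape, not real credentials.
CLASSIC = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"
FINE = "github_pat_" + "0123456789" * 8 + "AB"
INSTALL = "ghs_Zz9Yy8Xx7Ww6Vv5Uu4Tt3Ss2Rr1Qq0Pp9Oo8"

# Constructed workstation artifacts.
SAMPLE_SOURCES = {
    "~/.bash_history": (
        "cd ~/src/internal\n"
        f"export GH_TOKEN={CLASSIC}\n"
        f"git clone https://{CLASSIC}@github.com/acme/internal.git\n"
        "export GH_TOKEN=ghp_short\n"           # wrong length: not a token
    ),
    "~/src/internal/.env": f"GITHUB_TOKEN={FINE}\nDEBUG=1\n",
    "~/src/app/.git/config": (
        "[remote \"origin\"]\n"
        f"\turl = https://x-access-token:{INSTALL}@github.com/acme/app.git\n"
    ),
}

if __name__ == "__main__":
    hits = scan_sources(SAMPLE_SOURCES)
    for fp, entry in revocation_plan(hits).items():
        print(f"{fp} {entry['kind']:<15} {entry['redacted']:<24} {', '.join(entry['locations'])}")
```

Run it against the real paths after the extension audit; a hit in shell history on a machine that ran an unvetted extension means the token should be treated as stolen and rotated, not just deleted from the file. The scan covers only what is on disk in plain text: the system keychain and git credential helpers need to be enumerated separately, and the authoritative inventory of active tokens is on the GitHub side, in the organization's token and application settings.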
Sources
- The Record from Recorded Future News
- Help Net Security
- SecurityWeek
- The Hacker News
- Hackread
- Cybersecurity Dive
- Sophos
- Halcyon
- GitHub Security Advisory
- Grafana Labs Security Notice
- CISA Known Exploited Vulnerabilities Catalog