r/SecOpsDaily | reddlx

GitHub confirms breach of 3,800 repos via malicious VSCode extension

GitHub Confirms Breach of 3,800 Repos via Malicious VSCode Extension

GitHub has confirmed that approximately 3,800 of its internal repositories were breached after one of its employees inadvertently installed a malicious VS Code extension. This incident highlights a significant supply chain risk for organizations relying on developer tools.

Technical Breakdown

Initial Access: An employee installed a malicious VS Code extension, serving as the initial compromise vector. This could fall under T1195.002 (Supply Chain Compromise: Compromise Software Dependencies and Development Tools) or T1566.001 (Phishing: Spearphishing Attachment) depending on how the employee was led to install it.
Impact: Access to 3,800 internal GitHub repositories. The specifics of the data accessed (e.g., code, credentials, API keys) are critical but not detailed in the summary.
Affected Entity: GitHub's internal systems and codebases.

Defense

Implement stringent supply chain security for developer tools, enforce least privilege for development environments, and conduct regular employee training on identifying malicious software and phishing attempts. Consider endpoint detection and response (EDR) solutions that monitor for unusual activity related to developer tools and processes.

Source: https://www.bleepingcomputer.com/news/security/github-confirms-breach-of-3-800-repos-via-malicious-vscode-extension/

u/falconupkid — 1 day ago

▲ 12 r/SecOpsDaily+6 crossposts

The Qday Attack, Silent Yet Devastatingly a Disaster

https://www.cnn.com/2026/05/17/science/quantum-computing-cybersecurity-q-day

QDay, the timeline is narrowing quickly
Which country will take the prize?
What if it’s China?
Decryption Gambit explores the possibility
Available here

https://www.amazon.com/dp/B0GZLDMQB5

u/Silientium — 3 days ago

▲ 1 r/SecOpsDaily

Built a runtime AI enforcement engine - open challenge to find bypasses (8 levels)

We built the Veto Protocol - a pre-execution enforcement layer for enterprise AI agents. Sits between the agent and the action, evaluates every prompt against explicit rules + context filtering, blocks or escalates before execution fires.

Running an open challenge - 8 levels of increasing difficulty against our live model. Curious what this community can break.

Technical breakdown: fast path is deterministic rule evaluation, slow path is semantic context filtering. Two separate layers. Most bypass attempts that work on model-level jailbreaks don't transfer here because we're not asking the model whether something is safe - we're enforcing before it gets there.

Link in comments.

reddit.com

u/nukonai — 6 days ago

▲ 6 r/SecOpsDaily

Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation

Google has reported a novel cybercrime campaign where threat actors leveraged AI to develop a zero-day exploit, specifically a 2FA bypass for mass exploitation. This marks the first confirmed instance of AI being used in the wild for vulnerability discovery and exploit generation.

Threat Actor: An unknown cybercrime group.
Exploit Type: Zero-day bypass for Two-Factor Authentication (2FA).
Exploit Development: AI systems were likely used for vulnerability discovery and exploit generation, representing a significant shift in adversarial capabilities.
Target: Designed for mass exploitation.
TTPs/IOCs: Specific TTPs, IOCs, or affected services were not detailed in the initial disclosure.

Defense: Organizations should enhance monitoring for novel attack patterns and consider advanced authentication methods beyond traditional 2FA, such as FIDO2, which are generally more resilient to common bypass techniques.

Source: https://thehackernews.com/2026/05/hackers-used-ai-to-develop-first-known.html

u/falconupkid — 10 days ago

▲ 6 r/SecOpsDaily+1 crossposts

One Vulnerability. 9,000 Educational Institutions. One Massive SaaS Failure.

What happens when you fail to consider the risk that is actually relevant to the service you provide?

You get a cyberattack that hits exactly the service you provide.

Late April 2026.

An intrusion begins into the systems of Instructure, the company behind Canvas LMS, one of the world’s largest learning platforms used by approximately 9,000 educational institutions and universities worldwide, including Harvard University, Princeton University, University of Pennsylvania, and Arizona State University.

May 1.

The company announces for the first time that it is investigating a “cybersecurity incident” in its systems and activates external forensic teams.

May 2.

Instructure announces that the incident has been “contained,” but confirms that data was stolen, including: • Usernames

• Email addresses

• Student IDs

• Private messages between users

• Additional information from the learning systems

At this stage, no widespread system outage has been reported.

May 3.

The threat actor group ShinyHunters claims responsibility and details its “achievements”: • Approximately 3.65TB of data

• More than 275 million user records, including billions of private messages

• Data from approximately 9,000 educational institutions worldwide

May 6.

Deadline for an undisclosed ransom payment expires, although it was reported that approximately $1 million was demanded from the University of Pennsylvania.

At the same time, institutions were allowed to contact the attackers directly in order to prevent exposure of their own data.

Meanwhile, Instructure applies software updates and announces that the system has returned to full operation:

“ongoing unauthorized activity.”

“At this stage, we believe the incident has been contained.”

May 7.

But as usual with threat groups that dislike others setting the rules for them, the situation escalates.

ShinyHunters claims that Instructure attempted remediation and security patches instead of negotiating, stating:

“Instead of contacting us to resolve it they ignored us and did some ‘security patches’.”

And, almost predictably, a bit of humor as well:

“Instructure didn’t fix all the vulnerabilities, we have more.”

When control is in the hands of the attacker, it does not take much for ransom messages to appear simultaneously across the login screens of approximately 330 educational institutions.

ShinyHunters takes over Canvas login pages and displays public extortion messages to users, together with a new ultimatum: May 12 before everything is leaked.

May 8.

All learning platforms are moved into maintenance mode.

The impact, in some institutions: • Complete disruption of access to the system

• Exams postponed

• Academic tasks halted

• Faculty temporarily shifting to email and Microsoft Teams

And once again, a lesson for everyone claiming there is only one path, one protection model, one type of solution. For those who rely entirely on technology. On spreadsheets.

Instead of attacking a single university, the attackers targeted one central vendor connected to thousands of institutions simultaneously.

Instead of investing energy into a wide range of attack methods, one vulnerability in a SaaS system and… Game Over.

And this does not mean SaaS solutions are illegitimate. Of course they are legitimate.

But organizations need to understand that together with the excitement of adopting the functionality, they are also adopting the vendor’s entire attack surface, including the features that appear least threatening.

When an attacker takes control of the login interface, they are not only stealing information.

They gain leverage over a company’s ability to maintain business continuity for hundreds of customers and millions of users.

They probably had ISO 27001 too.

#cyberresiliece

#CyberSecurity #CyberAttack #CyberResilience #Ransomware #DataBreach #SupplyChainAttack #SaaS #Canvas #Instructure #ShinyHunters #HigherEducation #InformationSecurity #BusinessContinuity

#CyberCrisis #CISO #CyberRisk #IncidentResponse #CyberDefense #Infosec #CyberAwareness

u/EinatMeyron — 11 days ago