Skip to content
Briefings are running a touch slower this week while we rebuild the foundations.See roadmap
Cybersecurity: Threats and Defences
29MAY

GitHub's own code cloned via VS Code add-on

3 min read
14:17UTC

A poisoned Nx Console extension sat on the VS Code Marketplace for 18 minutes, long enough to steal a GitHub employee's tokens and clone roughly 3,800 internal repositories. The same actor that hit Cisco's source last fortnight has now breached the registry operator itself. CISA added two AI-tier flaws and a Drupal SQL bug to KEV; the UK cyber sector cleared 14.7 billion pounds.

TechnologyAWSNHS
Key takeaway

The developer and AI toolchain is the new perimeter; network-edge defences have no view into it.

This briefing mapped
Loading map…
Infrastructure
Economic
Legal

A poisoned Nx Console extension sat on the VS Code Marketplace for 18 minutes, long enough for UNC6780 to steal one GitHub developer's tokens and clone roughly 3,800 internal repositories.

Sources profile:This story draws on neutral-leaning sources
Deep dive into this story →

A corrupted version of the Nx Console editor extension was live on the Visual Studio Marketplace for 18 minutes on 18 May 2026. One GitHub developer installed it; the extension harvested every credential on the machine and the attackers cloned roughly 3,800 GitHub internal private repositories before being cut off. CISA added the flaw to its mandatory patch list on 27 May.

The attack works because VS Code extensions run with the full privilege of the developer's account and the Marketplace does not require cryptographic proof that a new version came from the publisher's own build pipeline. GitHub says no customer data was taken, but the breach shows how a single poisoned extension on one developer's machine can reach an organisation's entire internal code estate. 

Sources:The Hacker News·Sophos·CISA
1 The Hacker News2 Sophos3 The Hacker News4 CISA

DSIT put the UK cyber sector at 14.7 billion pounds and announced 90 million pounds aimed at SMEs and NHS suppliers, the exact chain that recent breaches exposed.

Sources profile:This story draws on mixed-leaning sources from United Kingdom (includes United Kingdom state media)
United Kingdom
Deep dive into this story →

The UK's cybersecurity sector reached £14.7 billion in annual revenue in 2026, growing 11% year on year across 2,603 firms. DSIT announced £90 million in targeted funding for small businesses supplying the NHS, alongside a voluntary Cyber Resilience Pledge requiring board-level cyber ownership and basic supply-chain certification.

The Pledge is voluntary for now, but the Cyber Security and Resilience Bill working through Parliament would make comparable requirements legally binding. Research on earlier UK voluntary schemes shows that uncertified smaller suppliers only adopt in meaningful numbers once procurement mandates follow, not when pledges launch. 

Sources:GOV.UK (Department for Science, Innovation and Technology)
1 GOV.UK (Department for Science, Innovation and Technology)

CISA added a CVSS 9.4 Langflow flaw and a Trend Micro Apex One bug to its exploited-vulnerabilities catalogue on 21 May, with a 4 June federal patch deadline.

Sources profile:This story draws on neutral-leaning sources
Deep dive into this story →

CISA added two flaws to its mandatory patch list on 21 May 2026: a CVSS 9.4 flaw in Langflow, a popular tool for building AI agent pipelines, and a directory-traversal flaw in Trend Micro Apex One. The federal deadline is 4 June. Iran-linked group MuddyWater was documented exploiting the Langflow flaw in March 2026, two months before CISA acted.

Langflow is dangerous to attack because it stores access keys for every service it connects to in one place. Many deployments were set up by data science Teams without IT security oversight, meaning they often sit outside standard patch management programmes entirely. 

Sources:The Hacker News·CISA
1 The Hacker News

Drupal rated CVE-2026-9082 Highly Critical at 23 out of 25; attackers logged 15,000 attempts within 48 hours, yet the flaw touches under 5 per cent of installs.

Sources profile:This story draws on neutral-leaning sources
Deep dive into this story →

A SQL injection flaw in Drupal, rated Highly Critical by the Drupal project despite a moderate CVSS score of 6.5, was added to CISA's mandatory patch list on 22 May 2026 with a five-day deadline. Imperva recorded over 15,000 attacks against roughly 6,000 sites within 48 hours. The flaw affects only Drupal installations backed by PostgreSQL, which is less than 5% of all Drupal deployments.

Government and university sites are over-represented in that minority because they are more likely to run PostgreSQL than shared-hosting sites. The gap between Drupal's urgency rating and the CVSS score illustrates why organisations relying purely on CVSS for patch prioritisation can underestimate CMS-layer database flaws. 

Sources:The Hacker News·Tenable·CISA
1 The Hacker News2 CISA3 Tenable

Ontario Provincial Police arrested Jacob Butler, 23, alleged operator of the Kimwolf botnet behind a record 30 Tbps flood on US Department of Defense ranges.

Sources profile:This story draws on neutral-leaning sources from United States
United States
Deep dive into this story →

Jacob Butler, 23, of Ottawa, known online as 'Dort', was arrested on 21 May 2026 and charged in the US and Canada as the alleged operator of Kimwolf, an IoT botnet of over a million enslaved consumer devices. The botnet generated a claimed record 30 terabits per second of DDoS traffic targeting US military networks and caused over $1 million in losses.

The botnet's infrastructure had been seized on 19 March 2026 alongside three competing networks. The arrest follows a now-established pattern: seize infrastructure first to remove attack capacity, then arrest the operator once evidence is consolidated. The enslaved devices remain compromised and can be recruited by a new operator. 

Sources:Krebs on Security
1 Krebs on Security
Closing comments

Trending up in the developer-toolchain tier. UNC6780's progression from registry package to vendor source to registry operator has been consistent and accelerating: a three-month campaign arc that GTIG attributes to a financially motivated cluster with no apparent saturation point. The next logical target is either GitHub's customer repository infrastructure — which GitHub has assessed is not affected — or the credentials in the 3,800 cloned internal repositories themselves, which may include GitHub Actions secrets, internal deployment tooling, and infrastructure configuration. CISA's KEV velocity (nine CVEs in 30 days across AI, perimeter, and CMS tiers) continues regardless of the proposed $707 million budget cut, which has not yet cleared appropriations. The Kimwolf arrest removes one DDoS operator but not the million-device botnet capacity he assembled, which remains re-enlistable. The specific mechanism that would tip the AI-toolchain trajectory toward stabilisation: mandatory SLSA Level 3 attestation for VS Code Marketplace releases, which Microsoft has not committed to and GTIG's AA26-148A advisory does not require.

Different Perspectives
GitHub / Microsoft
GitHub / Microsoft
GitHub confirmed that no customer repositories or user data were affected by the Nx Console breach, but acknowledged approximately 3,800 internal repositories were cloned and referred to CISA Alert AA26-148A's allow-listing guidance. The incident puts Microsoft in the position of operating a marketplace whose publisher-verification gap is now a documented attack vector in a federal advisory.
DSIT / UK Government
DSIT / UK Government
DSIT framed the £14.7 billion sector figure and the Cyber Resilience Pledge as a paired signal: commercial strength alongside supply-chain accountability, with £90 million targeting the NHS supplier exposure this briefing's threat events directly illustrate. The voluntary Pledge's enforceability gap, prior to the Cyber Security and Resilience Bill reaching Royal Assent, is the question its launch does not answer.
Enterprise security buyers / CISO community
Enterprise security buyers / CISO community
For enterprise security leaders, two KEV AI-orchestration entries in three weeks (LiteLLM 8 May, Langflow 21 May) convert shadow AI tooling from a governance risk to a confirmed attack surface requiring immediate software asset inventory. The 65 per cent gap in enterprise AI tool inventories documented by Wiz Research is now a liability rather than a compliance footnote.
Google Threat Intelligence Group
Google Threat Intelligence Group
GTIG's attribution of the GitHub breach extends UNC6780's documented arc from SAP npm through Cisco AI Defense to GitHub's own estate; its 36-hour LiteLLM exploitation set the speed benchmark CISA AA26-148A is designed to address. GTIG's published tracking gives defenders the actor profile needed to assess their own developer-toolchain exposure.