CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 22, 2026

Breach Roundup: Shai-Hulud Copycat Hits npm

Data Breach Today Archived May 22, 2026 ✓ Full text saved

Also, YellowKey Gets CVE, 7-Eleven Breach, Linux Maintainers Warn on AI Bug Spam This week, more incidents that we can here list. Among them: cloned Shai-Hulud malware, a new maximum CVSS Cisco flaw. Edge to stop loading passwords in plaintext. Tycoon 2FA offers a way around Microsoft multifactor. Convenience, taquitos and data breach: The 7-Eleven story. A MENA crackdown.

Full text archived locally
✦ AI Summary · Claude Sonnet


    Cybercrime , Fraud Management & Cybercrime , Incident & Breach Response Breach Roundup: Shai-Hulud Copycat Hits npm Also, YellowKey Gets CVE, 7-Eleven Breach, Linux Maintainers Warn on AI Bug Spam Pooja Tikekar (@PoojaTikekar) • May 21, 2026     Share Post Share Credit Eligible Get Permission Image: Shutterstock/ISMG Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week, cloned Shai-Hulud malware resurfaced in npm supply-chain attacks, the U.S. Cybersecurity and Infrastructure Security Agency investigated a GitHub leak and Cisco identified another maximum security flaw. Microsoft changed Edge's password handling. Microsoft assigned a CVE to the YellowKey BitLocker bypass flaw. Linux kernel developers warned of a flood of artificial intelligence-generated vulnerability reports, Tycoon 2FA operators found a way around Microsoft's OAuth login flow. Taquito vendor 7-Eleven disclosed a Salesforce-linked breach. Poland warned of Russian-linked Signal hijacking campaigns. Huawei flaw caused a nation-wide telephone outage in Luxembourg last year. European police took down a criminal VPN. Interpol-backed authorities arrested 201 suspects in a MENA cybercrime crackdown. CISA now accepts nominations for new known exploited vulnerabilities. See Also: Know Thy Enemy: Threats to Cyber Resilience Copycat Shai-Hulud Malware Surfaces in Fresh Supply-Chain Campaigns Threat actors are deploying variants of TeamPCP's Shai-Hulud malware in new software supply-chain attacks targeting the npm ecosystem, Ox Security wrote in a Sunday blogpost. The new campaign involves four malicious npm packages, including chalk-tempalte, described as a near-identical Shai-Hulud clone with modified command-and-control infrastructure and credential theft functionality. The packages were uploaded from a single npm account and also included typo-squatted Axios-themed packages and a DDoS botnet payload. TeamPCP published the Shai-Hulud source code on GitHub earlier this month before the repositories were removed, though forks and copies quickly spread online. Shai-Hulud, first observed in September 2025, is a self-propagating supply-chain worm designed to steal developer credentials, API keys and cloud secrets, then automatically poison additional npm packages using compromised accounts. It shares a name with the giant worms depicted in the "Dune" space opera. The malware has been linked to attacks impacting hundreds of packages across npm and PyPI (see: Mass Supply-Chain Attack Slams npm and PyPi, Hits Mistral AI). According to Ox Security, one of the newly identified packages also added persistence mechanisms to survive package removal and contained code capable of launching HTTP, TCP and UDP flooding attacks. Another variant targeted cryptocurrency wallets and geolocation data. Researchers warned the open-sourcing of Shai-Hulud significantly lowers the barrier for less sophisticated actors to launch supply-chain campaigns. TeamPCP is highly active as a threat actor, spotted only days ago stealing 3,800 internal repositories from GitHub (see: GitHub Hacked, Internal Repositories Offered for Sale). CISA Probes GitHub Leak Exposing Passwords, Cloud Keys and Internal Files The U.S. Cybersecurity and Infrastructure Security Agency launched an investigation after a public GitHub repository named "Private-CISA" exposed plaintext passwords, cloud keys, tokens and internal operational files tied to the federal cyber defense agency. The 844 megabyte repository was first flagged by GitGuardian researcher Guillaume Valadon and appeared to include potentially sensitive data, such as GitHub personal access tokens, Azure registry keys, AWS credentials and Entra ID SAML certificates, reported El Reg. Valadon said in a blog post he initially thought the repository was a hoax since it included files with unusually direct names, including "external-secret-repo-creds.yaml," "Important AWS Tokens.txt," "AWS-Workspace-Firefox-Passwords.csv" and "Kube-Config.txt." GitGuardian said the repository had been public since November 2025 and was taken just 26 hours after the company reported the exposure to federal officials. Independent cybersecurity reporter Brian Krebs reported the GitHub account was maintained by an employee of government contractor Nightwing, which declined to comment. "We hold our team members to the highest standards of integrity and operational awareness and are working to ensure additional safeguards are implemented to prevent future occurrences," a CISA spokesperson told ISMG on Wednesday. Cisco Identifies Another Perfect 10 Flaw Networking giant Cisco disclosed Wednesday a flaw in its zero trust micro-segmentation platform, warning users that an unauthenticated hacker could gain system admin privileges by sending a crafted request to internal REST APIs. It rates the flaw in Cisco Secure Workload, tracked as CVE-2026-20223, as 10 out of 10 on the CVSS scale. Cisco has been racking up maximum severity flaws recently, including an actively exploited flaw in Cisco Catalyst SD-WAN Controller disclosed earlier this month and two maximum severity firewall management flaws it patched in March (see: Breach Roundup: Patches and Hacks on Cisco Equipment). The company released a patch for this latest flaw and warned that no workaround exist. Cisco touts the product as a method for multitenant cloud security. Cisco said it hasn't seen hackers yet exploiting the vulnerability. Plaintext Edge Passwords Trigger Microsoft Overhaul Microsoft is changing how internet browser Edge handles saved passwords after a researcher showed they could be extracted in plaintext from memory. Edge will "no longer load passwords into memory on startup," the tech giant said May 14. The decision follows disclosures by security researcher Tom Jøran Sønstebyseter Rønning, who found Edge decrypted all saved passwords and retained them in process memory during browser sessions, even when users never accessed related websites (see: Breach Roundup: Microsoft Edge Loads Saved Passwords Into Memory in Plaintext). Chrome and other Chromium-based browsers such as Edge typically decrypt passwords only when required. Chrome also uses application-bound encryption to restrict password access to authenticated browser processes, Rønning said. Microsoft initially said the behavior was "by design," and attackers would already need local or administrative access to a compromised system. The company described the change as a "defense-in-depth" improvement but did not classify the issue as a vulnerability. YellowKey BitLocker Bypass Gets CVE Identifier Microsoft assigned a CVE to the YellowKey BitLocker bypass flaw after public proof-of-concept code triggered fresh scrutiny of Windows recovery and boot security (see: YellowKey and GreenPlasma Flaws Target Windows 11 and Server 2025). The vulnerability, now tracked as CVE-2026-45585, allows attackers with physical access to extract data from BitLocker-protected systems through the Windows Recovery Environment. Microsoft said the flaw does not break BitLocker encryption itself but instead abuses trusted recovery components that operate after the drive has already been unlocked by the TPM. "Mitigation's too fiddly to actually deploy," wrote cybersecurity researcher Kevin Beaumont. "BitLocker+PIN and BIOS password mitigates and should be used if you are sensitive to BitLocker bypass threats." Linux Kernel Developers Push Back on Duplicate AI-Generated Security Findings Linux kernel creator Linus Torvalds on Sunday warned in a note accompanying a mid-May update that the kernel security mailing list has become "almost entirely unmanageable" due to vulnerability submissions generated by artificial intelligence-assisted scanning tools. He said developers are increasingly receiving identical reports from multiple researchers running the same automated tools. Kernel maintainers have added new documentation stating that AI-generated vulnerability reports carry no expectation of confidentiality and should be submitted through public channels, so issues can be tracked and de-duplicated efficiently. Tycoon 2FA Offers Microsoft Login Flow to Hijack Accounts Threat actors behind the Tycoon 2FA phishing-as-a-service kit are shifting tactics to bypass multifactor authentication without stealing credentials, research from cybersecurity company eSentire found. The operators are now abusing Microsoft's OAuth device authorization flow to hijack Microsoft 365 accounts using legitimate Microsoft login infrastructure. A phishing campaign discovered in late April that traces to Tycoon 2FA tricks users into entering attacker-generated device codes at Microsoft's official device login portal, microsoft.com/devicelogin. Instead of harvesting passwords, the attackers obtain OAuth access and refresh tokens that provide access to Outlook, OneDrive and Microsoft Graph services. The platform previously relied on adversary-in-the-middle phishing to intercept credentials and MFA sessions. The technique does not bypass MFA outright. Instead, victims unknowingly use MFA to authorize token issuance to an attacker-controlled device while believing they are authenticating a voicemail application. "The lure type changed; the kit did not," eSentire wrote. The attack chain begins with emails carrying click-tracking URLs that redirect victims through multiple filtering and anti-analysis layers before presenting a fake Microsoft voicemail notice. Victims are instructed to copy a device code into Microsoft's legitimate login page, unknowingly authorizing an attacker-controlled session while traditional phishing indicators remain largely absent. CrowdStrike researchers earlier reported that Tycoon 2FA snapped back almost immediately after a March takedown effort led by Microsoft and Europol (see: Tycoon2FA Phishing Platform Rebounds Days After Global Takedown). 7-Eleven Says Hackers Accessed Franchise Applicant Data Hackers stole more than 600,000 applicant records from ubiquitous convenience store 7-Eleven, filching data from its Salesforce environment and leaking the data online after the roller-grill taquito retailer refused to pay a ransom demand from the ShinyHunters extortion group. The stolen records contained names, addresses, Social Security numbers and driver's licenses, 7-Eleven said in a breach notification sent to affected individuals. The retailer said it detected the intrusion on April 8. ShinyHunters issued a ransom demand with a deadline of April 21 before advertising the dataset for sale on a cybercrime forum for $250,000. The hackers later published a 9.4-gigabyte archive of the stolen files. The breach is part of a ShinyHunters campaign targeting misconfigured Salesforce environments. The group has stolen data from an estimated 300 to 400 organizations since at least mid-2025 (see: Salesforce Sounds Alarm Over Fresh Data Extortion Campaign). Poland Flags Signal as Target in Russian-Linked Espionage Campaigns The Polish government recommended its officials cease using Signal for sensitive communications, warning that Russian-linked threat actors are actively targeting the encrypted messaging app through phishing and social engineering campaigns. Authorities said attackers are exploiting legitimate account recovery and device-linking features to hijack accounts belonging to politicians, military personnel and government employees. A number of governments have published similar warnings about Signal social engineering attacks, including agencies in Ukraine, Germany and the United States (Germany Caught Up in Likely Russian Signal Phishing). Polish officials said attackers impersonate Signal support staff or security bots to trick victims into revealing SMS verification codes and PINs. In other cases, malicious QR codes are used to connect attacker-controlled devices to victims’ accounts. The government says public-sector entities should migrate to domestically controlled communications platforms, including mSzyfr, an encrypted messaging platform developed by the Ministry of Digital Affairs, and SKR-Z, a classified communications network. Undisclosed Huawei Flaw Linked to Luxembourg Telecom Disruption A previously undisclosed vulnerability in Huawei enterprise router software caused last year's nationwide telecom outage in Luxembourg. The flaw, which has still not received a CVE identifier or public disclosure, knocked out mobile, landline and emergency communications for more than three hours. The July 2025 incident affected Post Luxembourg, the country's state-owned telecom operator. Attackers sent specially crafted network traffic that forced Huawei enterprise routers into a continuous reboot loop, crippling 4G, 5G and landline services nationwide. Emergency call systems and electronic banking services were also disrupted. Post Luxembourg communications head Paul Rausch said the attack exploited "a non-public, non-documented behavior" for which no patch existed at the time. Huawei allegedly told the operator it had never encountered the issue before and had no immediate mitigation available. Investigators later concluded the outage was not a traditional volumetric DDoS attack but rather a denial-of-service condition triggered by malformed traffic passing through Post's infrastructure. Luxembourg authorities said there was no evidence the operator itself was specifically targeted. European Cybercrime Centre Destroys Cybercriminal VPN European police seized servers of a VPN promoted on Russian-speaking cybercrime forums and arrested its suspected administrator in Ukraine. The multi-national operation coordinated by Europol took down the service known as First VPN. The service "had become deeply embedded in the cybercrime ecosystem, appearing in almost every major cybercrime investigation supported by Europol in recent years," Europol said Thursday. The VPN offered anonymous payment options, concealed infrastructure and services tailored to cybercriminal activity. "Taking it offline removes a critical layer of protection that criminals depended on to operate, communicate and evade law enforcement," said Edvardas Šileris, head of Europol's European Cybercrime Centre. Customers included hackers behind ransomware attacks, large-scale fraud and data theft. Over the course of the two day operation led by France and the Netherlands, authorities conducted a house search in Ukraine, seized 33 servers and took control of online domains including 1vpns.com, 1vpns.net and 1vpns.org. "For years, cybercriminals saw this VPN service as a gateway to anonymity. They believed it would keep them beyond the reach of law enforcement. This operation proves them wrong," Šileris said. 201 Arrested in Interpol-Backed MENA Cybercrime Crackdown Police across 13 countries in the Middle East and North Africa arrested 201 suspected cybercriminals during a coordinated Interpol-backed crackdown targeting phishing, fraud and malware operations. A four-month campaign dubbed Operation Ramz ran between October 2025 and February. Authorities identified 382 additional suspects, seized 53 servers and linked nearly 3,900 victims to the criminal activity. Investigators exchanged nearly 8,000 intelligence artifacts tied to malicious infrastructure, fraud schemes and cybercriminal networks. Algerian authorities dismantled a phishing-as-a-service operation and seized devices containing phishing kits and attack scripts. Moroccan investigators confiscated computers, smartphones and storage media containing banking credentials, and phishing infrastructure. In Jordan, police uncovered a fraudulent investment platform operation where 15 people were allegedly trafficked into running scams after being recruited through fake job offers. Authorities said victims had their passports confiscated. Two organizers were arrested. Qatari authorities identified compromised devices used to facilitate malicious cyber activity without the owners' knowledge, while investigators in Oman disabled a malware-infected server operating from a private residence. CISA Now Accepting Nominations for KEV Entries The U.S. federal cyber defense agency is hoping to streamline and speed up the process for researchers, vendors and industry partners to report known exploited vulnerabilities to the federal government. The Cybersecurity and Infrastructure Security Agency rolled out Thursday an online nomination form aimed at streamlining how vulnerabilities are added to its Known Exploited Vulnerabilities catalog. The agency said the updated reporting process is meant to improve the quality and speed of submissions as the agency continues relying on external researchers, security firms and vendors to identify emerging exploitation activity. "CISA strongly encourages researchers and organizations to share vulnerability threats and help us secure the systems Americans rely on every day," CISA’s Acting Executive Assistant Director for Cybersecurity Chris Butera said in a statement. Other Stories From This Week Report: Mythos-Like AI Tools Raising Healthcare Cyber Stakes Verizon Breach Report: Vulnerability Exploitation Surges Legacy Microsoft Utility Fuels New Wave of Malware GitHub Hacked, Internal Repositories Offered for Sale AI Botnets Drive Surge in Financial Sector DDoS Attacks With reporting from ISMG's Chris Riotta in Washington, D.C., David Perera in Northern Virginia and Tiffany Wang in Manhattan.
    💬 Team Notes
    Article Info
    Source
    Data Breach Today
    Category
    ◇ Industry News & Leadership
    Published
    May 22, 2026
    Archived
    May 22, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗