Security news.
Today's threat landscape is dominated by critical infrastructure breaches and zero-day exploits. GitHub suffered a major breach exposing 3,800+ internal repositories via a malicious VS Code extension, while Drupal faces an imminent critical vulnerability with high exploitation risk. Supply chain attacks continue to escalate, with 320+ NPM packages compromised and multiple AI/developer tools targeted.
GitHub Confirms Breach of 3,800 Internal Repos via Malicious VS Code Extension
The TeamPCP hacking group accessed GitHub's internal repositories after a GitHub employee installed a poisoned VS Code extension, exposing source code and internal organizations.
Drupal Critical Update Scheduled for Today to Fix High-Risk Vulnerability
Drupal is releasing a "core security release" today with warnings that threat actors may develop exploits within hours of disclosure.
Over 320 NPM Packages Hit by Fresh Mini Shai-Hulud Supply Chain Attack
A compromised maintainer account was used to publish malicious versions across the @antv namespace, affecting hundreds of packages.
EvilTokens Phishing-as-a-Service Compromises 340+ Microsoft 365 Organizations via OAuth Consent Bypass
The PhaaS platform bypasses MFA by abusing OAuth consent screens, compromising organizations across five countries within five weeks of launch.
Anthropic Silently Patches Claude Code Sandbox Bypass
A researcher discovered the vulnerability could be chained with prompt injection to exfiltrate data from the AI platform.
Max-Severity Flaw in ChromaDB for AI Apps Allows Server Hijacking
A critical vulnerability in ChromaDB's Python FastAPI version allows unauthenticated attackers to execute arbitrary code on exposed servers.
Exploit Released for PinTheft Arch Linux Root Escalation Flaw
A publicly available PoC exploit now exists for the recently patched Linux privilege escalation vulnerability, allowing local attackers to gain root access.
Microsoft Releases Mitigation for YellowKey BitLocker Bypass (CVE-2026-45585)
Microsoft released a mitigation for the publicly disclosed zero-day BitLocker security feature bypass with a CVSS score of 6.8.