ESET has documented Chinese-aligned threat actor Webworm adding two new custom backdoors to its toolset: EchoCreep, which uses a Discord channel for command-and-control, and GraphWorm, which routes C2 through the Microsoft Graph API and uploads exfiltrated files to OneDrive. Webworm is staging tools out of a GitHub repository disguised as a WordPress fork and has been observed targeting government organizations in Belgium, Italy, Serbia, Poland, Spain, and a university in South Africa. The earliest EchoCreep Discord commands date to March 21, 2024; about 433 messages have been sent through the channel. Initial access is still unclear, but dirsearch and nuclei are involved.
Ukrainian cyberpolice working with US law enforcement have identified an 18-year-old man from Odesa as the suspected operator of an infostealer operation that ran from 2024 through 2025 against customers of a California online retailer. The malware harvested 28,000 customer accounts; the operators used about 5,800 of them to make $721,000 in unauthorized purchases, leaving the retailer with around $250,000 in direct losses including chargebacks. The suspect ran the back-end infrastructure for processing and selling stolen session tokens. Police searched two residences and seized computers, phones, and bank cards. No arrest has been announced yet.
B1ack's Stash, a dark-web carding marketplace operating since at least 2023, has released roughly 4.6 million stolen credit-card records as a free download. The market frames the dump as punishment for sellers caught reselling its data on rival platforms; SOCRadar says the marketplace also suspended about 8 million additional CVV2 records. The records include full PAN, CVV2, expiration date, billing address, full name, email, phone number, and IP address, which makes them directly usable for card-not-present fraud and account-opening fraud. This is the third free dump B1ack's Stash has used as a customer-acquisition tactic since its 2024 emergence.
GitHub said it is investigating after the cybercrime group TeamPCP listed 'GitHub's source code and internal orgs' for sale on the Breached forum, claiming access to about 4,000 internal repositories and asking at least $50,000. GitHub told BleepingComputer it has 'no evidence of impact to customer information stored outside of GitHub's internal repositories' and that customers will be alerted if that changes. TeamPCP is the same group behind the TanStack supply-chain attack that hit OpenAI and Grafana, the Aqua Trivy compromise, the LiteLLM infection, and the Mistral AI source-code theft. GitHub hosts code for 4 million organizations and 180 million developers.
Between 01:56 and 02:56 UTC on May 19, a Shai-Hulud-flavored attack published 639 malicious versions across 323 npm packages, mostly in the @antv chart and graph namespace, after compromising the maintainer account 'atool.' Affected libraries include @antv/g2, @antv/g6, echarts-for-react, timeago.js, and jest-canvas-mock (still 10M monthly downloads despite three years dormant). A linked attack hijacked 15 tags of the 'actions-cool' GitHub Action and replaced them with a credential stealer that reads runner memory and exfils to t.m-kosche[.]com - the same domain as the @antv campaign. Socket and Aikido say there are now 2,900+ GitHub repos generated by this wave.
The Nx team has confirmed that version 18.95.0 of its VS Code extension was malicious and that a few users were compromised. The bad version was available on the marketplace for only 11 minutes on May 18 (12:36 to 12:47 UTC), but that was enough to plant Python-based persistence under ~/.local/share/kitty/cat.py and a macOS LaunchAgent at com.user.kitty-monitor.plist, then steal tokens, secrets, and SSH keys reachable from the machine. The Nx team has shipped a clean 18.100.0 release and published indicators of compromise. This is the second time Nx has been targeted within a year, after the August 2025 s1ngularity supply-chain attack on its npm packages.
Grafana Labs has confirmed that its previously disclosed GitHub breach started with the TanStack npm supply-chain attack run by TeamPCP, the same one that hit OpenAI and Mistral AI. Grafana detected the activity on May 11, rotated a significant number of GitHub workflow tokens, but one token slipped through and the attacker used it to pull Grafana's codebase. The downstream extortion attempt under the CoinbaseCartel banner came on May 16 and Grafana refused to pay, citing FBI guidance. The incident chains TeamPCP's TanStack OIDC-token theft into a directly observable secondary breach at a major observability vendor.
HiddenLayer has disclosed a maximum-severity unauthenticated remote-code-execution vulnerability, CVE-2026-45829, in ChromaDB's Python FastAPI server. ChromaDB is one of the most popular vector databases backing retrieval-augmented-generation pipelines, with about 14 million monthly PyPI downloads. A vulnerable endpoint marked as authenticated lets an attacker embed model settings before authentication is checked, so a crafted request makes ChromaDB load a malicious model from Hugging Face and execute it locally. The auth check fires only after the payload has already run. The bug was introduced in 1.0.0 and was still present in 1.5.8. HiddenLayer's Shodan sweep shows ~73% of internet-exposed Chroma instances are vulnerable.
Microsoft is tracking a financially motivated actor it calls Storm-2949 that abuses the Microsoft 365 Self-Service Password Reset flow to hijack high-value identities and then exfiltrate as much data as possible. The actor socially engineers IT staff and senior leaders, kicks off an SSPR reset, then poses as IT support and convinces the victim to approve the resulting MFA prompt. Once in, Storm-2949 uses Graph API and custom Python to enumerate the tenant, downloads thousands of OneDrive and SharePoint files in single actions, and pivots into Azure - VMs, Key Vaults, SQL, storage - via privileged custom RBAC roles.
Microsoft's Digital Crimes Unit, supported by law enforcement, has disrupted Fox Tempest, a 'malware-signing-as-a-service' offering that abused Azure Artifact Signing (formerly Trusted Signing) to issue legitimate Microsoft-signed certificates for malware. Operators created more than 1,000 certificates and hundreds of Azure tenants using stolen US and Canadian identities, all valid for 72 hours to reduce takedown risk. Microsoft has revoked the certificates, seized the signspace[.]cloud domain, and taken hundreds of supporting VMs offline. The service signed Oyster, Lumma Stealer, Vidar, and ransomware payloads for Rhysida, Akira, INC, Qilin, and BlackByte, used by groups including Vanilla Tempest and Storm-0501.