May 18, 2026 by sig9
Hacker Wars - May 18, 2026
Your daily dose of infosec chaos
If today’s headlines are any indication, supply chain security is still the gift that keeps on giving. Grafana joins the growing list of companies whose source code walked out the door thanks to a stolen token, while 7-Eleven confirmed that ShinyHunters made off with over half a million customer records from their Salesforce instance. Throw in a fresh chain of OpenClaw exploits and a batch of critical patches across Ivanti, Fortinet, SAP, VMware, and n8n, and you’ve got yourself a proper Monday.
Grafana Source Code Swiped via Stolen GitHub Token
Grafana Labs confirmed that attackers used a compromised GitHub access token to download the company’s entire source code repository. While Grafana says there’s no evidence the token was used to inject malicious code, the sheer fact that a single leaked credential gave full read access to the codebase is a textbook example of why token hygiene matters more than ever.
What to do: Audit your CI/CD pipelines and GitHub token scopes. If you’re not pinning tokens to specific repos and actions with minimal privileges, today is the day to fix that.
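One way to start the token-scope audit described above, as an added example that is not from the original bulletin or from Grafana. It checks an inventory of tokens against a list of broad classic-token scopes. The inventory entries, their names and the BROAD_SCOPES policy are constructed assumptions; the scope strings are in the form GitHub returns in the X-OAuth-Scopes response header for classic tokens.

```python
"""Flag over-broad GitHub token scopes in a token inventory (added example)."""

# Classic-token scopes treated as "too broad" for CI use.
# This list is the example's own policy choice, not a GitHub ranking.
BROAD_SCOPES = {
    "repo": "full access to every repository the owner can reach, private included",
    "workflow": "can modify GitHub Actions workflow files",
    "admin:org": "full organization administration",
    "delete_repo": "can delete repositories",
}

# Documented GitHub token prefixes; store only the prefix, never the token.
TOKEN_KINDS = {
    "github_pat_": "fine-grained PAT",
    "ghp_": "classic PAT",
    "gho_": "OAuth token",
    "ghs_": "app installation token",
}

def token_kind(prefix):
    for known, kind in TOKEN_KINDS.items():
        if prefix.startswith(known):
            return kind
    return "unknown"

def parse_scopes(header_value):
    """Split an X-OAuth-Scopes value such as 'repo, read:org' into a set."""
    return {s.strip() for s in header_value.split(",") if s.strip()}

def audit(inventory):
    """Return (token name, issue, reason) tuples for tokens needing attention."""
    findings = []
    for entry in inventory:
        scopes = parse_scopes(entry.get("x_oauth_scopes", ""))
        for scope in sorted(scopes & set(BROAD_SCOPES)):
            findings.append((entry["name"], scope, BROAD_SCOPES[scope]))
        if token_kind(entry["prefix"]) == "classic PAT" and not entry.get("expires"):
            findings.append((entry["name"], "no-expiry", "classic token never expires"))
    return findings

# Constructed sample inventory (hypothetical names and dates).
INVENTORY = [
    {"name": "ci-release", "prefix": "ghp_", "x_oauth_scopes": "repo, workflow, read:org", "expires": None},
    {"name": "docs-deploy", "prefix": "github_pat_", "x_oauth_scopes": "", "expires": "2026-06-30"},
    {"name": "metrics-bot", "prefix": "ghp_", "x_oauth_scopes": "read:org", "expires": "2026-07-15"},
]

if __name__ == "__main__":
    for name, issue, reason in audit(INVENTORY):
        print(f"{name}: {issue} ({reason})")
```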
7-Eleven Confirms Data Breach After ShinyHunters Ransom Demand
The convenience store giant confirmed a breach after ShinyHunters claimed to have exfiltrated over 600,000 Salesforce records containing personal information and corporate data. The group is now demanding a ransom, which 7-Eleven has reportedly declined to pay - setting up a potential data dump scenario.
What to do: If you rely on Salesforce or similar CRM platforms, enforce strict access controls and enable enhanced logging. Breaches through third-party SaaS are becoming the new normal.
Claw Chain: Four OpenClaw Bugs Chained for Full Sandbox Escape
Researchers demonstrated that four distinct vulnerabilities in OpenClaw can be chained together to steal credentials, break out of the sandbox environment, and install persistent backdoors on the host system. The exploit chain, dubbed Claw Chain, targets the application’s privilege model and IPC mechanisms in a way that makes each individual bug look relatively harmless on its own.
What to do: Update OpenClaw immediately if you’re running it. Sandboxes are a defense-in-depth measure, not a security boundary - plan accordingly.
Critical Patches: Ivanti Xtraction (CVSS 9.6) Leads a Busy Patch Tuesday
Ivanti, Fortinet, SAP, VMware, and n8n all shipped security updates this week, led by a critical unauthenticated RCE flaw in Ivanti Xtraction (CVE-2026-8043, CVSS 9.6) that allows remote attackers to execute arbitrary code. Fortinet, SAP, and VMware also patched privilege escalation and authentication bypass bugs worth your attention.
What to do: Prioritize the Ivanti Xtraction patch if you’re running it. Then work through the rest - these vendors’ products are prime targets for initial access brokers.
Until next time, may your logs be clean and your alerts be false positives.
Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown