May 20, 2026 by sig9

Hacker Wars - May 20, 2026

Your daily dose of infosec chaos


GitHub got popped, BitLocker got bypassed, and Grafana’s source code walked out the door. Supply chain attacks are the gift that keeps on giving - if by “gift” you mean “incident response nightmares.” Three stories, three different ways your trust model just got wrecked.


GitHub Breached - TeamPCP Steals 3,800 Internal Repos Via Malicious VS Code Extension

The TeamPCP hacking group confirmed what many feared: they accessed roughly 3,800 GitHub internal repositories after an employee installed a poisoned VS Code extension. The compromised employee device gave the attackers a foothold into GitHub’s internal codebase, including private source code and internal tooling. GitHub says there’s no evidence of customer data impact, but the exposure of internal repos is a significant intellectual property and security concern.

What to do: Audit your VS Code extension inventory and implement allowlisting for developer tooling. If you’re using GitHub, review your organization’s access controls and monitor for anomalous API activity.
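One way to operationalise the allowlist advice above, as an added example that is not from the bulletin: a POSIX shell check that compares a workstation’s installed extensions (the output of `code --list-extensions --show-versions`) against an approved list. The allowlist entries and the sample installed list are constructed for the example.

```shell
#!/bin/sh
# Added example: report VS Code extensions that are not on the org allowlist.
# Assumes the installed list comes from `code --list-extensions --show-versions`,
# which prints one "publisher.name@version" per line.

# Constructed allowlist of approved extension ids (publisher.name)
ALLOWLIST="$(cat <<'EOF'
ms-python.python
ms-vscode.cpptools
dbaeumer.vscode-eslint
EOF
)"

# Constructed sample of what a workstation might report
SAMPLE_INSTALLED="$(cat <<'EOF'
ms-python.python@2024.4.1
dbaeumer.vscode-eslint@2.4.4
example-publisher.unapproved-helper@0.0.3
EOF
)"

# unapproved_extensions ALLOWLIST INSTALLED
# Prints each installed extension id (version stripped) absent from the allowlist.
unapproved_extensions() {
    allow="$1"
    installed="$2"
    printf '%s\n' "$installed" | sed 's/@.*$//' | while IFS= read -r ext; do
        [ -n "$ext" ] || continue
        # exact, whole-line, fixed-string match so "foo.bar" never matches "foo.barbaz"
        if ! printf '%s\n' "$allow" | grep -qxF "$ext"; then
            printf '%s\n' "$ext"
        fi
    done
}

# audit_workstation INSTALLED: returns 0 if everything is allowlisted, 1 otherwise.
audit_workstation() {
    bad="$(unapproved_extensions "$ALLOWLIST" "$1")"
    if [ -n "$bad" ]; then
        echo "Extensions not on the allowlist:"
        echo "$bad"
        return 1
    fi
    echo "All installed extensions are allowlisted"
    return 0
}

# On a real workstation: audit_workstation "$(code --list-extensions --show-versions)"
audit_workstation "$SAMPLE_INSTALLED" || echo "Review the listed extensions before this machine touches source repos."
```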


Microsoft Drops Mitigation for YellowKey BitLocker Zero-Day (CVE-2026-45585)

Microsoft released a mitigation for YellowKey, a BitLocker security feature bypass vulnerability that carries a CVSS score of 6.8. The zero-day, now tracked as CVE-2026-45585, was publicly disclosed last week and allows attackers to circumvent full-disk encryption protections. Microsoft is aware of active exploitation but a full patch isn’t available yet - just a workaround.

What to do: Apply the Microsoft mitigation immediately if you rely on BitLocker for endpoint encryption. Consider layering additional encryption controls and monitor for physical access indicators on high-value endpoints.


Grafana Breach Deepens - TanStack npm Attack Vector Exposed

Grafana Labs confirmed that its recent GitHub breach, initially disclosed on May 19, involved a compromised npm package in the TanStack supply chain. The attackers leveraged the poisoned dependency to gain access to Grafana’s GitHub environment, exfiltrating both public and private source code. Grafana says customer production systems and data were not affected, but the source code exposure could fuel future vulnerability research.

What to do: If you use Grafana products, pin your dependencies and monitor for security advisories. Review your software supply chain security posture and consider verifying package integrity with tooling like Sigstore and frameworks like SLSA.


Catch you tomorrow. In the meantime, go check your attack surface.


Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown

This bulletin is provided for informational purposes. Contact us for tailored security analysis.