Breaches & Data Leaks

Stories 46
Sources 105
Updated 2026.06.10
Red Hat says more than 30 npm packages were backdoored to steal developer and cloud credentials
More than 30 npm packages in Red Hat's @redhat-cloud-services namespace were compromised and used to deliver credential-stealing malware to developers who installed them. Researchers say attackers likely took over a Red Hat employee GitHub account, added malicious GitHub Actions workflows, and abused npm trusted publishing to release 96 backdoored package versions. The malware, a new Shai-Hulud variant dubbed Miasma, targeted GitHub Actions secrets, cloud credentials, SSH keys, package publishing tokens, Vault tokens, Kubernetes service-account tokens, Docker credentials, GPG keys, and .env files. — Developers and organizations that installed the affected packages may have had sensitive keys and tokens stolen, which can lead to wider compromise of code, cloud systems, and build pipelines. This is urgent: identify affected installs, remove the packages, and rotate all credentials and secrets that were present on impacted machines or CI/CD systems.
Sources: Red Hat npm packages compromised to steal developer credentials, Shai-Hulud malware worms Red Hat npm package versions downloaded 80K times a week, Supply Chain Attack Hits 32 Red Hat NPM Packages (+3 more)
ShinyHunters targets Oracle PeopleSoft servers in data-theft attacks against more than 100 organizations
Oracle PeopleSoft customers are being hit in ongoing break-ins and extortion attacks that ShinyHunters says have affected more than 100 organizations and 300 PeopleSoft instances. The campaign reportedly targets both cloud and on-premises PeopleSoft deployments, with the attackers claiming to use a chain of older bugs and at least one zero-day, though no CVE has been confirmed by Oracle. Reported evidence includes extortion notes, exposed attacker tooling, and IP-based indicators of compromise tied to infrastructure previously linked to ShinyHunters. — PeopleSoft is widely used for payroll, HR, finance, procurement, and student systems, so a compromise can expose highly sensitive employee, customer, or student data. Organizations running PeopleSoft should urgently review logs for the listed IPs, investigate possible unauthorized SSH access, and prepare incident response while waiting for Oracle guidance.
Sources: Oracle PeopleSoft servers hacked in ShinyHunters data theft attacks
Cyberattack shuts down Mackay Sugar mills in Queensland and halts cane harvest
A cyberattack forced Mackay Sugar, one of Australia's largest sugar producers, to shut down two mills in Queensland and stop sugarcane harvesting in the Mackay region. The company said the incident affected parts of its operations and that cybersecurity experts and authorities are investigating while systems are restored. No ransomware claim, data-theft disclosure, or technical details about the intrusion method have been confirmed yet. — This is a real-world operational technology and business disruption incident affecting food production and local growers, not just office IT. Organizations in agriculture and other industrial sectors should review incident response plans, segmentation between business and plant systems, and contingency procedures for outages.
Sources: Cyberattack shuts down major Australian sugar mills, disrupting harvest
ServiceNow says attackers exploited an unauthenticated API flaw to access data in some customer instances
ServiceNow told affected customers that attackers accessed data from some hosted customer instances through a flaw in an API endpoint. The company said it applied a security update on June 5, 2026 to require authentication for the affected endpoint, reportedly /api/now/related_list_edit/create, after detecting anomalous activity. ServiceNow has not yet assigned a CVE, and says the issue mainly affects customers on the Australia release or older releases with certain configuration changes. — Organizations using affected ServiceNow instances may have exposed sensitive ticket, employee, asset, and incident-response data, including credentials or tokens pasted into support workflows. This is urgent for affected customers: review logs and exposed records immediately, check for requests to the vulnerable endpoint, and rotate any secrets that may have been accessible.
Sources: ServiceNow discloses security incident exposing customer data, ServiceNow Flaw Exploited to Gain Unauthorized Access to Customer Instances, ServiceNow Patches Vulnerability Exploited Against Some Customers
French government says Tchap messaging service was breached through a hijacked user account
France's government says an attacker got into Tchap, the encrypted messaging service used by public-sector workers, by taking over a valid user account. DINUM said ANSSI detected the intrusion on June 8 and blocked the compromised account, while investigators review logs to determine what conversations and data were accessed or stolen. A threat actor claimed the access came from social engineering on an education-related Tchap shard and alleged theft of 13.5GB of files, roughly 650,000 messages, and data on more than 73,000 accounts, plus a flaw allowing shared media files to be downloaded without a token. — This affects a government communications platform with more than 300,000 monthly users, so exposed chats, files, and account metadata could have broad public-sector impact. French agencies and users should treat the incident as potentially sensitive, review what was shared in public rooms, investigate account takeover paths, and reset or harden credentials where appropriate.
Sources: French govt messaging service breached in account hijacking attack, France probes compromise of gov messaging platform after account hijack
Another NHS trust says the Qilin attack on Synnovis exposed patient records two years after the breach
Mid and South Essex NHS Foundation Trust says the 2024 Qilin ransomware attack on pathology provider Synnovis exposed about 2,380 records tied to specialist diagnostic testing, and the total may rise as records are matched to individual patients. The incident is the same long-running data theft and service-disruption event that hit NHS pathology services in southeast London on June 3, 2024; patient data was later published after failed extortion, and affected trusts are still identifying who must be notified. — This shows the fallout from a major healthcare ransomware breach is still growing years later, with more patients and hospitals discovering exposed records. Affected NHS organizations need to keep tracing exposed data and notifying people, while patients contacted about past diagnostic testing should treat breach notices seriously and watch for scams or misuse of their information.
Sources: Qilin NHS breach tally grows as Essex trust confirms stolen records
SoFi says a third-party vendor breach exposed customer data at its Hong Kong securities unit
SoFi says hackers got into a database used by SoFi Securities (Hong Kong) Limited through a third-party vendor, potentially exposing customer information. The company said it detected the unauthorized access on April 30, 2026 and is still investigating what data and how many customers were affected. SoFi has not named the vendor, disclosed the attack method, or said whether extortion was involved. — Customers of SoFi Hong Kong could face phishing, fraud, or account-targeting attempts even though the full scope is still unknown. Affected users should be cautious of unsolicited messages, change passwords, enable two-factor authentication where available, and closely monitor financial accounts.
Sources: SoFi confirms third-party data breach at Hong Kong subsidiary
Powys Council says cyberattack affected 13 schools in Wales and exposed some staff and pupil data
A separate cyberattack in Powys, Wales affected systems used by 13 schools, and the council says personal data belonging to staff and pupils was accessed. Current information indicates data was taken from one of the affected schools, but officials have not named the schools involved, the number of people affected, or the exact data types because of the sensitivity of the incident. The council has not confirmed ransomware or identified the attacker. — This affects children, school staff, and families, and may carry identity-fraud and privacy risks even though schools remain open. People connected to Powys schools should monitor official notifications and be cautious about phishing or scam messages that use school-related details.
Sources: Ransomware sends Illinois high school on an early summer vacation
Lansing Community College says 174,000 people were affected by a 2025 breach using compromised credentials
Lansing Community College says hackers got into some of its systems in February 2025 and exposed personal information belonging to more than 174,000 people. The school says the intrusion began with compromised credentials and affected data can include names, addresses, dates of birth, driver's license details, and Social Security numbers, with the exact data varying by person. LCC says it found the incident about a week after the access began and has not identified the threat actor publicly. — This is a large education-sector breach involving identity data that can be used for fraud, tax scams, and account takeover. Affected people should watch for notice letters, enroll in credit monitoring, and consider fraud alerts or credit freezes.
Sources: 174,000 Impacted by Lansing Community College Data Breach
Oxford University says CareerConnect breach at supplier Group GTI exposed user names, emails, and some passwords
Oxford University says a separate breach at its CareerConnect jobs platform exposed users’ full names and email addresses, and encrypted passwords for people not using single sign-on. The affected service is provided by Group GTI and runs on its TargetConnect platform, which Oxford said was compromised on May 28 through an unspecified security vulnerability that has since been fixed; affected alumni, research staff, and employer users had passwords reset, and GTI has not publicly disclosed the flaw or total scope. — Students, alumni, staff, and recruiters who used the platform may now face phishing or credential-stuffing attempts, especially if they reused passwords elsewhere. Affected users should reset reused passwords, watch for convincing job-related scam emails, and universities using GTI TargetConnect should press the vendor for technical details and mitigation guidance.
Sources: Oxford Uni student data pwned yet again - this time via career platform breach, Oxford University discloses data breach after careers platform hack
FBI warns Silent Ransom Group is sending fake IT workers in person to law firms to plug in USB drives and steal data
The FBI says Silent Ransom Group is targeting U.S. law firms by pretending to be IT support, then stealing data and extorting victims without encrypting files. In 2026 attacks, the group reportedly used callback phishing emails, phone-based social engineering, remote desktop access, and in some cases sent an operative on site to insert a USB or external drive after a failed remote-access attempt; the attackers then used tools such as WinSCP and Rclone to exfiltrate data. — Law firms and other organizations should treat unsolicited IT calls, emails, and in-person support visits as potential attack vectors, not just remote phishing. The warning is urgent because the attackers use legitimate admin tools and leave few traces, so organizations should verify IT identities, restrict external-drive use, and harden remote-access workflows now.
Sources: FBI: Hackers Sending Operatives in Person to Insert USB Drives and Steal Data, FBI warns of in-person data theft attacks from extortion gang, FBI warns extortion hackers are visiting US law firms to steal data (+4 more)
Attackers used Meta’s Instagram AI support bot to reset passwords and hijack accounts
Attackers used Meta’s automated Instagram support assistant to take over accounts, including the Obama White House account and the U.S. Space Force chief master sergeant account, and briefly deface them with pro-Iran messages. According to KrebsOnSecurity and Telegram posts cited in the report, the abuse involved the password-recovery flow: attackers asked the AI bot to add a new email address to a target account, then used the one-time code sent there to reset the password. No CVE is given, Meta reportedly pushed an emergency patch, and accounts with multi-factor authentication enabled were said to resist the takeover. — This matters because it shows AI-driven customer support can become a new social-engineering path to account takeover even without a backend database breach. Instagram users, especially high-value or public-facing accounts, should enable multi-factor authentication now and review account recovery email addresses and recent login activity.
Sources: Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts, Meta AI Hands Over High-Profile Instagram Accounts to Hackers, Instagram users locked out after Meta AI abused to steal accounts (+3 more)
UN World Food Programme investigates breach of Gaza aid registration system exposing data on about 600,000 households
The U.N. World Food Programme says attackers accessed personal data submitted by Palestinians seeking food and cash assistance in Gaza. The incident affected the agency's Self-Registration Application used only in Palestine and exposed names, identification numbers, phone numbers, and neighborhood location details; WFP said the breach occurred on May 14, shut down the platform, and is still investigating how the intrusion happened and whether data was further leaked. — This is not just a privacy breach: exposed aid-recipient data in a war zone can put vulnerable civilians at real physical risk. People who registered for assistance may need to watch for phishing, impersonation, or other misuse of their personal details, while aid organizations should review exposure risks and incident response urgently.
Sources: UN food agency investigates breach exposing data of Gaza aid recipients, World Food Programme breach exposes data of 600k vulnerable Gazan families
DentaQuest breach exposed personal and health-insurance data for about 2.6 million accounts after ShinyHunters leak
DentaQuest says hackers accessed part of its network, and leaked data reviewed by Have I Been Pwned indicates about 2.6 million accounts were exposed. The company was listed by the ShinyHunters extortion group, which claimed to have stolen more than 234 GB of data and later leaked it publicly; exposed fields reportedly include email addresses, full names, phone numbers, dates of birth, gender, government-issued IDs, and health-insurance information. — This is a major breach affecting customers of one of the largest U.S. dental benefits administrators, and the exposed identity and insurance data can fuel phishing, impersonation, and fraud. Affected people should watch for breach notices, be wary of calls or emails claiming to be from insurers or providers, and monitor accounts and insurance activity.
Sources: DentaQuest data breach exposed info of 2.6 million accounts, Hackers Leak DentaQuest Information Impacting 2.6 Million
City of York Council email error exposed hundreds of Blue Badge holders and revealed their disability status
City of York Council accidentally exposed the email addresses of hundreds of Blue Badge holders by sending messages without using blind carbon copy (BCC). Because the list was for Blue Badge-related communications, recipients could also infer that others on the list were disabled or had mobility impairments, making the breach especially sensitive. The council said it triggered its breach procedures and warned recipients to watch for suspicious messages, and the UK Information Commissioner's Office said it received a breach report and closed the case with advice. — This is a meaningful privacy breach because it exposed not just contact details but sensitive status information about disabled residents. Affected people should be alert for phishing or harassment, and public-sector organizations should review bulk-email controls and handling of special-category personal data.
Sources: Council in UK's City of York outs hundreds of disabled residents with a single email blunder
RCI Hospitality says breach tied to web-server access flaw exposed data on about 40,000 people
RCI Hospitality says a cyberattack exposed sensitive personal data belonging to roughly 40,000 people. The company previously disclosed that its RCI Internet Services subsidiary found an insecure direct object reference, or IDOR, flaw on an IIS web server on March 23 that allowed unauthorized access to personal information, and it later determined files were stolen. Exposed data included names, contact details, dates of birth, Social Security numbers, and driver’s license numbers. — People affected face a real risk of identity theft because the stolen files included high-value personal data. Organizations should review web applications for IDOR-style authorization flaws, and affected individuals should watch for fraud and consider credit monitoring or freezes.
Sources: Nightclub Giant RCI Says Data Breach Affects 40,000 Individuals
Pink extortion group uses fake help-desk calls and MFA phishing to steal Microsoft 365 and cloud data
A newly identified extortion group called Pink is calling employees while pretending to be IT support, then stealing account credentials and company data to demand payment. Palo Alto Networks Unit 42 says the group, tracked as CL-CRI-1147 and likely linked to the criminal network known as The Com, uses voice phishing and fake help-desk interactions to capture passwords and multifactor authentication (MFA) approvals, then raids services such as SharePoint, OneDrive, and Microsoft Teams. Unit 42 said Pink's leak site went live on May 31 and published domains and IP addresses tied to the campaign as indicators of compromise. — This matters to organizations that rely on cloud productivity tools because attackers do not need malware or software flaws if they can talk staff into handing over access. Companies should warn staff about unsolicited help-desk calls, tighten help-desk identity checks, review Microsoft 365 logs, and block or investigate the listed phishing infrastructure immediately.
Sources: Pink is the latest goon squad to use fake helpdesk calls to steal creds
UK court orders former RAC workers to repay £118,000 after selling crash victims' personal data
Two former RAC employees in the UK were ordered to repay more than £118,000 after illegally selling personal data belonging to car crash victims. The Information Commissioner's Office said the pair were previously convicted under the Computer Misuse Act 1990 and Data Protection Act 2018 after about 29,500 records were copied from RAC systems and shared over WhatsApp with an unknown buyer; one defendant now faces 18 months in prison if she does not repay the proceeds within three months. — This matters because insiders abused access to sensitive data from people involved in road accidents, showing how personal information can be monetized after a breach from inside an organization. For defenders and regulated firms, it underscores the need for monitoring, least-privilege access, and rapid response to suspicious data exports.
Sources: Duo who sold car crash victims' data must repay £118k
Espionage hackers spent 150 days inside a senior executive’s email at a major global stock exchange
Hackers secretly monitored and stole email data from a senior executive at a major global stock exchange for about five months. Broadcom’s Symantec and Carbon Black teams said the intrusion began in October 2025 and lasted until March 2026, with malware on the victim’s device disguised as Adobe and OneDrive software, scheduled-task persistence masked as Adobe, Lenovo, and OneDrive services, and exfiltration of Outlook mailbox data in small archives via Dropbox and OneDrive. The initial access method and the victim exchange were not disclosed, but investigators published indicators of compromise. — This is a high-impact espionage case because a stock exchange executive’s mailbox can expose market-moving information, internal deliberations, contacts, and travel details. Financial institutions and other high-value targets should hunt for the published indicators, review executive mailbox and endpoint activity, and scrutinize cloud-storage exfiltration and suspicious scheduled tasks.
Sources: Hackers Target Global Stock Exchange in Espionage Operation, Hackers Spied on a Stock Exchange Executive's Outlook Mailbox for Five Months
IMA Diligence Services says breach of third-party-managed legacy server exposed data of 525,000 people
IMA Diligence Services says attackers stole sensitive personal data from a legacy server managed by a third party, affecting 525,306 people. The company says the intruders accessed the server between December 8 and December 16 and exfiltrated files containing names, addresses, Social Security numbers, driver's license numbers, financial account and credit card data, medical and health insurance information, and in some cases passport and taxpayer ID numbers. SecurityWeek says the Genesis ransomware group previously claimed the attack and said it stole 700 GB of data. — This is a high-impact breach because it exposed the kinds of data that can be used for identity theft, fraud, and medical or financial scams. Affected people should watch for the company's notice, enroll in credit monitoring, and consider fraud alerts or account monitoring, while defenders should review third-party legacy systems and data-retention exposure.
Sources: IMA Diligence Services Data Breach Impacts 525,000 People
Dashlane temporarily suspended some customer accounts during brute-force login attacks
Dashlane says it temporarily locked some customer accounts after attackers repeatedly tried to register new devices and failed the required verification step. The company said the activity began Sunday, triggered automatic protections, and later moved to monitoring after restoring affected accounts. Dashlane said its internal systems were not compromised, but did not disclose how many users were hit or whether any account takeovers succeeded. — Password managers hold access to many other accounts, so even unsuccessful attacks are high-impact for users. Dashlane customers should verify recent login alerts, ensure multi-factor authentication is working, and contact support if their account was suspended or shows unfamiliar device activity.
Sources: Password manager Dashlane suspends customer accounts amid brute-force attacks, Dashlane password manager users locked out by brute force attacks, Dashlane Discloses Brute-Force Attack, Encrypted Vaults of Fewer Than 20 Users Downloaded (+1 more)
Spain arrests suspect in doxing campaign that leaked personal data of INCIBE, police, prosecutors and other government employees
Spanish police arrested a suspect accused of leaking sensitive personal data belonging to employees at key state bodies including INCIBE, the National Police, the Civil Guard, the State Attorney General's Office, and the National Security Council. Authorities say the mass publication created immediate security risks for affected staff and institutions. INCIBE previously said its own systems were not directly breached and that the leak appeared to be assembled from older breaches, credential dumps, and open-source intelligence, with some records posted on BreachForums and Doxbin. — This is a real-world exposure of personal data tied to government and security personnel, which can enable harassment, phishing, impersonation, and physical-safety risks. Affected organizations and employees should treat exposed details as compromised, review account security, and watch for targeted social-engineering attempts.
Sources: Spain arrests doxer leaking sensitive data of govt employees, Spain arrests suspected hacker for publishing personal data of police, prosecutors and cyber officials
Atlas Menu cheat service breach exposed 64,000 user records after database was posted to GitHub
Atlas Menu, a cheat service for Grand Theft Auto V and Counter-Strike 2, was breached and data on about 64,000 users was published to GitHub. The leaked database reportedly includes email addresses, usernames, IP addresses, support tickets, signup dates, license keys, Rockstar account identifiers, and passwords stored as bcrypt hashes, along with internal records such as banned-user lists and administrator logs. The attacker claimed access to all Atlas systems. — Affected users face account, privacy, and follow-on phishing risks, especially if they reused passwords elsewhere. Users should reset any reused passwords, watch for scams referencing Atlas or Rockstar accounts, and treat the exposed support and purchase data as potentially sensitive.
Sources: GTA cheat service Atlas Menu hacked as attacker alleges screenshot spying
California sues 23andMe over the 2023 breach that exposed genetic and profile data of nearly 7 million people
California has sued 23andMe, now operating as Chrome Holding Co., alleging the company failed to adequately protect customers’ genetic and account data in the 2023 breach affecting nearly 7 million people. The complaint says attackers used credential stuffing—trying usernames and passwords stolen elsewhere—to access about 14,000 accounts, then scrape broader data through 23andMe’s DNA Relatives features; the state also alleges 23andMe failed to require stronger safeguards such as multifactor authentication, missed warning signs for months, and only acted after stolen data was advertised for sale and ransom demands were made. — This matters because the stolen information included highly sensitive genetic and health-related data, and the lawsuit may shape how companies are expected to protect and handle biometric and genomic records. Affected users should reset reused passwords, enable multifactor authentication where available, and review what personal and relative-sharing data remains in their account.
Sources: California Sues 23andMe, Alleging It Failed to Protect User Data in 2023 Breach, 23andMe inherits lawsuit over 'disturbing' DNA data breach, California AG sues 23andMe over 2023 breach exposing health data
Trump Mobile website reportedly exposed customer records through an unsecured API request
A Trump Mobile website flaw reportedly let anyone pull customer order records, exposing personal details of people who preordered the company’s phone service and handset. According to The Register and the finder, a simple HTTP POST request to exposed application programming interface (API) endpoints returned batches of records containing names, postal addresses, email addresses, phone numbers, customer numbers, enrollment IDs, and order-channel details; no CVE is assigned, and the issue was reportedly fixed after disclosure attempts. — Affected customers could face phishing, impersonation, or account-targeted fraud if their contact and order data was exposed. Trump Mobile users should watch for suspicious calls, texts, and emails referencing orders or account setup, while the company should clarify scope and notify affected users if exposure is confirmed.
Sources: Techie claims Trump Mobile website was leaking thousands of people's data, In Other News: Trump Mobile Data Breach, FIFA World Cup Phishing, CISA Responds to Supply Chain Attacks
Charter confirms breach after ShinyHunters claims it stole customer data through a vishing attack
Charter Communications says it suffered a security incident after the ShinyHunters extortion group threatened to leak stolen data. The attackers claim they breached Charter on April 1 by using voice phishing (vishing) to compromise an employee's Microsoft Entra account, then used access to Charter's Salesforce environment to export about 40 million customer records, including names, contact details, plan information, support tickets, and some customer proprietary network information (CPNI); Charter disputes that sensitive personal data or CPNI was exfiltrated. — Charter serves tens of millions of customers, so even partial account and service data exposure could create follow-on phishing, fraud, and impersonation risks. Affected users should watch for targeted calls and emails referencing Spectrum or account details, while defenders should review identity-provider protections, help-desk verification, and Salesforce access logs.
Sources: Charter confirms data breach after ShinyHunters extortion threat, Charter Communications data breach affects 4.9 million accounts, ShinyHunters adds Charter to trophy shelf after 4.9M customer records leak (+1 more)
U.S. man sentenced for selling personal data of 7 million elderly Americans to Jamaican lottery scammers
A North Carolina man was sentenced to prison for selling elderly Americans' personal information to scammers who used it in lottery fraud schemes. Troy Murray pleaded guilty to conspiracy to commit wire fraud and was sentenced to 121 months after prosecutors said he sold at least 22,000 lead lists between 2016 and 2023 containing names, phone numbers, physical addresses, and email addresses of over 7 million seniors; authorities said the scheme generated more than $5.2 million for him and caused over $9.5 million in victim losses. — This matters because it shows how stolen or traded personal data directly fuels large-scale fraud against older adults. People, especially seniors and their families, should be wary of unsolicited calls or messages about prizes or lotteries, and defenders and policymakers can use the case as a concrete indicator of fraud infrastructure and data-broker abuse.
Sources: Man sent to prison for selling data of 7 millions elderly Americans
Carnival confirms ShinyHunters-linked data breach affecting nearly 6 million cruise customers
Carnival Corporation says attackers stole customer data after socially engineering an employee and accessing part of its IT systems, affecting 5,995,277 people. The company says the intrusion was identified on April 14, 2026 and data theft was confirmed on April 22; ShinyHunters had claimed the breach in April and said it stole millions of records. Exposed data reportedly includes names, dates of birth, email addresses, gender, location, and loyalty-program details tied to Holland America's Mariner Society. — This is a major consumer data breach involving sensitive personal information that could fuel phishing, impersonation, and account-targeting scams. Affected customers should watch for breach notices, be cautious of unsolicited calls or emails referencing cruises or loyalty programs, and change passwords anywhere they were reused.
Sources: Carnival Cruise confirms data breach affecting nearly 6 million people, Carnival confirms ShinyHunters cruised off with 6M customer records after April breach, Carnival Data Breach Exposed 6 Million People (+1 more)
Romanian hacker sentenced in U.S. for selling access to Oregon state government network
A Romanian hacker was sentenced in the United States for breaking into an Oregon state government office and selling that network access to others. Catalin Dragomir admitted hacking the state office in June 2021, selling access for $3,000 in Bitcoin, and trafficking data from at least 10 other U.S. organizations; the Justice Department said the broader activity caused more than $250,000 in losses. He received a prison sentence of 4 years and 8 months after extradition from Romania. — This is a reminder that stolen network access to government systems is an active criminal market, not just a one-off intrusion. Public agencies and contractors should review identity controls, monitor for unauthorized remote access, and ensure former or unusual accounts and access paths are investigated quickly.
Sources: Romanian Hacker Sentenced to Prison in US for Selling Access to State Network, Romanian national sentenced to more than 4 years for hacking Oregon government systems, Romanian gets 5 years in prison for hacking Oregon govt network
Dutch police arrest suspect in Ajax Amsterdam hack that exposed fan accounts and ticketing controls
Dutch police arrested a 35-year-old man suspected of repeatedly breaking into Ajax Amsterdam's computer systems earlier in 2026. Ajax previously said the attacker exploited vulnerabilities in its IT systems to access data on a few hundred people, while reporting indicated exposed application programming interfaces (APIs) and shared keys could let someone view more than 300,000 accounts, alter 538 supporter stadium bans, and reassign 42,000 season tickets; no CVE was cited. — This matters to Ajax fans and the club because the intrusion reportedly reached both personal data and operational controls like bans and ticket transfers. Anyone affected should watch for account abuse or phishing, and organizations should review exposed APIs, shared credentials, and access controls in customer and ticketing systems.
Sources: Dutch police arrests suspect linked to Ajax football club hack, Dutch police arrest man over cyber breach at Ajax football club
Researchers link LA Metro cyberattack to Iranian government hackers after disruptive March breach
Researchers say the March cyberattack on Los Angeles Metro was likely carried out by Iranian state-linked hackers, not just a self-described hacktivist group. LA Metro said the breach caused internal operational disruption and required hundreds of servers to be checked before restoration, while the attackers claimed to have wiped hundreds of terabytes and stolen more than 1 terabyte of data. Gambit linked the operation to infrastructure associated with Black Shadow, a group previously attributed to Iran's Ministry of Intelligence and Security, and said the attackers also accessed systems including virtualization management, Microsoft IIS servers, and a train-monitoring operational technology system. — A breach at a major transit agency raises concern not only about data theft but also about disruption to public services and potential access to operational systems. Transit operators and other public-sector defenders should review exposure of administrative platforms and monitoring systems, hunt for data theft and destructive activity, and treat claimed hacktivist incidents as possible state-backed operations.
Sources: LA Metro Cyberattack Linked to Iranian State-Sponsored Hackers, Iranian intelligence service behind hack of LA transit system, researchers say
Play ransomware gang lists MyPillow as an alleged victim and threatens to leak stolen company and employee data
Play ransomware operators have posted MyPillow to their leak site, claiming they stole sensitive internal data and will publish it if the company does not pay. According to the gang’s dark-web extortion post, the alleged haul includes personal and confidential data, client documents, budgets, payroll records, IDs, tax files, and finance information. The article does not provide technical details on the intrusion method, affected systems, or data volume, and MyPillow had not confirmed the breach at publication time. — If the claim is accurate, employees, customers, and business partners could face privacy risks, fraud, or follow-on phishing using stolen records. Defenders should watch for confirmation, review for signs of Play ransomware activity, and prepare incident-response, notification, and credential-reset steps if exposure is verified.
Sources: MyPillow must decide whether to be firm or soft as ransomware crims demand pay
Lithuania investigates leak of more than 600,000 national register records after suspected foreign access using institutional credentials
Lithuania says more than 600,000 entries from national data registers were leaked after someone used login credentials belonging to authorized institutions. Prosecutors said the exposed data mainly came from real-estate and legal-entity registers, authorities suspect a foreign country was involved, and access was tightened by blocking suspected accounts and forcing credential updates. — This is a major government-data exposure with potential risks to ordinary citizens as well as officials, diplomats, and security personnel. Organizations with access to Lithuanian state registers should urgently review account use, rotate credentials, and check for unauthorized queries or data exports.
Sources: Lithuania Suspects Foreign Involvement in Data Leak of Over 600,000 National Register Entries, Lithuania investigates theft of 600,000 state registry records by foreign actor
7-Eleven discloses breach of franchisee document systems after ShinyHunters claims
7-Eleven disclosed that attackers accessed systems used to store franchisee documents, with stolen data including names, addresses, and Social Security numbers. The company said it discovered the breach on April 8 and reported it to state regulators in Maine, Vermont, and Massachusetts. The disclosure follows ShinyHunters' late-April claim that it stole 7-Eleven data allegedly stored on Salesforce. — The breach exposes sensitive personal data tied to U.S. franchise operations, creating identity theft and follow-on phishing risk for affected individuals. Defenders and franchisees should watch for extortion fallout, credential abuse, and notices clarifying scope and attack path.
Sources: 7-Eleven confirms breach after ShinyHunters claims, 7-Eleven data breach exposes personal information of 185,000 people, 185,000 Likely Impacted by 7-Eleven Data Breach
Oncology Institute says third-party vendor breach exposed patient data across its cancer-care network
The Oncology Institute says a breach at an outside software services provider affected patient information in its systems. TOI said Kroll notified it on May 20, 2026 that the vendor detected unauthorized access to TOI information systems, including systems containing patient data; the vendor was not named, but the timeline and disclosure process point to Cognizant-owned TriZetto Provider Solutions as a possible match. TOI operates more than 100 clinics across five U.S. states. — Cancer patients and healthcare staff may face privacy risks and follow-on fraud if their information was exposed. Affected users should watch for breach notices and suspicious calls or emails, while healthcare organizations using the same vendor should review exposure and incident-response steps immediately.
Sources: Oncology Institute Discloses Data Breach
Radiology Associates of Richmond says 266,000 people were affected by a breach that exposed medical and personal data
Radiology Associates of Richmond disclosed that hackers stole files containing sensitive patient information, affecting 266,183 people. The organization says attackers accessed internal systems on or about July 25, 2025, and a forensic investigation completed in April 2026 found unauthorized acquisition of files with protected health information. State filings indicate exposed data may include names, Social Security numbers, government ID numbers, financial account or payment-card details, and medical and health insurance information. — This is significant because it involves health data plus identity and financial information, raising risks of medical-identity fraud and broader identity theft. Affected people should watch for official notice letters, use offered credit monitoring if eligible, and monitor medical, insurance, and financial accounts for misuse.
Sources: 266,000 Affected by Data Breach at Radiology Associates of Richmond
Laravel Lang Composer packages hijacked through rewritten Git tags to deliver credential-stealing malware
Attackers compromised Laravel Lang localization packages and made legitimate-looking Composer installs fetch malware instead. The attackers rewrote existing GitHub release tags across laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and possibly laravel-lang/actions to point to malicious commits in a fork, affecting hundreds of historical versions; the payload drops a PHP stealer that targets cloud keys, CI/CD secrets, SSH keys, browser data, crypto wallets, and on Windows launches a helper executable dubbed DebugElevator to decrypt Chromium-based browser credentials. — Developers and organizations that installed these packages could have had passwords, cloud credentials, and deployment secrets stolen without realizing it. Treat this as urgent: identify affected installs, remove compromised versions, rotate any exposed secrets, and review developer and build systems for follow-on access.
Sources: Laravel Lang packages hijacked to deploy credential-stealing malware, Laravel-Lang Packages Poisoned for Malware Delivery
DocketWise says breach of third-party repositories exposed sensitive law firm and immigration case data for 143,000 people
DocketWise says hackers accessed data tied to more than 143,000 people after cloning third-party partner repositories used in its data migration pipeline. The exposed records may include names, addresses, dates of birth, Social Security numbers, passport and driver's license data, financial account and payment card information, tax IDs, health insurance details, and medical condition or treatment information. The company says it began investigating in October 2025 and later determined some cloned repositories contained DocketWise law firm records. — People whose information was exposed face a real risk of identity theft, account fraud, and targeted scams, especially because the stolen data includes government IDs, financial details, and medical information. Affected users should watch for notice letters, enable fraud alerts or credit freezes where appropriate, and be cautious of messages claiming to help with immigration or legal matters.
Sources: DocketWise Data Breach Impacts 143,000
Megalodon campaign poisons more than 5,500 GitHub repositories to steal CI/CD and cloud credentials
A new automated attack dubbed Megalodon pushed malicious commits to more than 5,500 GitHub repositories, putting developers and organizations that merge those changes at risk of credential theft. Researchers say the malware runs in continuous integration and continuous delivery (CI/CD) pipelines after a poisoned commit is merged, then steals GitHub, Bitbucket, AWS, Google Cloud, Azure, SSH, Docker, Kubernetes, Vault, and Terraform secrets and can spread further; SafeDep also linked backdoored Tiledesk npm releases 2.18.6 through 2.18.12 to a compromised GitHub repository rather than a stolen npm account. — This can turn a routine code merge into a cloud-account and source-code compromise, especially for organizations that automatically build code from GitHub. Repo maintainers and security teams should review recent pull requests and commits, block suspicious automation, rotate CI/CD and cloud secrets, and check whether affected packages or repositories were used.
Sources: Megalodon chums the waters in 5.5K+ GitHub repo poisonings, Over 5,500 GitHub Repositories Infected in ‘Megalodon’ Supply Chain Attack
CISA contractor exposed AWS GovCloud and internal agency credentials in public GitHub repository
KrebsOnSecurity reports that a public GitHub repository maintained by a CISA contractor exposed sensitive internal files, plaintext passwords, tokens, and administrative credentials for three AWS GovCloud accounts and other CISA systems. Researchers said some credentials were valid and could authenticate to high-privilege GovCloud environments, and the repository also exposed internal software build and artifactory access details. — This is a major breach-risk event affecting a U.S. federal cybersecurity agency, with potential impact on internal systems, software supply-chain integrity, and government cloud environments. Affected parties need credential rotation, repository auditing, and investigation of possible unauthorized access.
Sources: CISA Admin Leaked AWS GovCloud Keys on Github, America's top cyber-defense agency left a GitHub repo open with passwords, keys, tokens – and incredibly obvious filenames, CISA Security Leak (+2 more)
Grafana GitHub breach traced to missed token rotation after TanStack npm supply-chain attack
Grafana says attackers gained access to its private GitHub repositories after a GitHub workflow token was missed during rotation following the TanStack npm supply-chain attack. The malicious TanStack package executed in Grafana's CI/CD environment, exfiltrated workflow tokens, and led to theft of source code plus some operational business contact information. Grafana says no customer production systems or cloud data were affected. — This matters to defenders because it shows how downstream victims of an npm supply-chain compromise can remain exposed if token rotation is incomplete. Organizations using GitHub Actions and affected TanStack packages should review CI/CD secrets, token scope, and repository access logs.
Sources: Grafana breach caused by missed token rotation after TanStack attack, TanStack weighs invitation-only pull requests after supply chain attack, GitHub links repo breach to TanStack npm supply-chain attack (+1 more)
German hospitals disclose patient-data breach after attack on billing provider Unimed
Several German university hospitals say hackers stole patient and billing data after breaching Unimed, an external provider used to process invoices for privately insured and self-paying patients. Disclosures from Cologne, Freiburg, Heidelberg, Tübingen, Ulm and Mannheim say the intrusion occurred in mid-April and exposed names, addresses, physician details, and in some cases diagnosis, treatment, communications, and limited bank or payment data. Hospitals said their own clinical systems were not breached and patient care was not disrupted. — This affects highly sensitive medical data, including some diagnosis and treatment information, so impacted patients may face privacy harms, impersonation attempts, or fraud. Affected hospitals have stopped sending data to Unimed; patients should watch for breach notices and be cautious of unsolicited calls, emails, or billing messages referencing their care.
Sources: Hackers steal patient and billing data from German hospitals via third-party provider
Myspace93 2021 breach exposed plaintext passwords of more than 46,000 users
The Register reports that data from a January 2021 breach of the Myspace93 parody social-network site has now been ingested by Have I Been Pwned, with more than 46,000 accounts affected. Exposed data included plaintext usernames and passwords, email addresses, and IP addresses. The site's co-creator said trusted community members abused access to a beta app to download server files and an unencrypted credential store. — Affected users face credential-stuffing and account-takeover risk anywhere they reused passwords, especially because the passwords were stored in plaintext. The story also highlights severe password-handling failures and a delayed public accounting of the breach.
Sources: Attackers spill plaintext passwords of 46k Myspace93 users after 2021 breach
Dormant former employee account enabled intrusion into U.S. city network and water utility controls
The Register reports that attackers compromised an American city's network by using a long-active account belonging to a former employee, "Greg from Auditing," whose privileges reportedly included domain admin, SCADA operator, and help desk access. The intruders moved through municipal systems, manipulated conference-room devices, and changed water utility settings by turning multiple controls off. — This is a real-world critical-infrastructure compromise caused by basic identity and access management failures, with potential public-safety impact. Municipal and ICS operators should review dormant accounts, privilege assignments, and password reuse risks immediately.
Sources: Zombie user account let hackers control the city’s water
GitHub confirms breach of roughly 3,800 internal repositories via malicious VS Code extension
GitHub confirmed that an employee device was compromised after installing a trojanized VS Code extension, leading to exfiltration of roughly 3,800 internal repositories. The company says it removed the malicious extension from the VS Code Marketplace, isolated the endpoint, and found no evidence that customer data stored outside the affected repos was impacted. TeamPCP claimed responsibility and advertised the stolen code for sale. — This is a significant source-code breach at a core software development platform, with potential downstream supply-chain and trust implications. GitHub users and defenders should watch for follow-on disclosures about exposed secrets, internal tooling, or abuse tied to the stolen repositories.
Sources: GitHub confirms breach of 3,800 repos via malicious VSCode extension, GitHub investigates internal repositories breach claimed by TeamPCP, GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos (+4 more)
Ukraine identifies infostealer operator linked to theft of 28,000 online store accounts
Ukrainian cyberpolice, working with U.S. law enforcement, identified an 18-year-old suspect from Odesa as a central operator in an infostealer campaign that stole browser sessions and credentials from users of a California online store between 2024 and 2025. Authorities say 28,000 accounts were compromised, 5,800 were used for unauthorized purchases totaling about $721,000, and devices and crypto-related evidence were seized in searches. — The case highlights ongoing risk from infostealers and stolen session tokens, which can enable account takeover and sometimes bypass MFA. Online retailers, fraud teams, and users should treat session theft as a significant threat and review account security, monitoring, and token invalidation practices.
Sources: Ukraine identifies infostealer operator tied to 28,000 stolen accounts, Ukraine probes teen suspect in cyber theft scheme targeting California online shoppers