Vulnerable U | #166
GitHub RCE, Widespread vulnerability in most Linux distros gives users root, Robinhood with a very clever phishing attack, and much more!
Read Time: 9 minutes

Howdy friends!
It's felt impossible to keep up lately. It certainly feels like we're now dealing with updates hourly instead of daily on types of vulns or breaches. Some deep research is certainly happening assisted by AI - but all of the breaches we're reading about are still all the security basics.
I went on a rant last week about what I thought everyone's priorities should be to build out their security program and I'm sticking to it. Everything we're seeing by threat actors is telegraphed, and I know budgets and resource prioritization are hard, but we need to shift our defenses to meet the threat actors where they are at.
Let's get into it.
ICYMI
Something I wrote: we knew Claude would be competing with security companies, well with this announcement that is confirmed.
Something I heard: This new (to me) YouTube channel I found where they outline cyber criminals. Went through the case of a hacker who just kept hacking celebrities.
Something I said: AI Didn't Cause These Breaches, You're Just Now Paying Attention
Something I read: Best blog I've read all year. Must read if you're subbed here. Niels Provos duplicates Mythos and Mythos-like findings with currently available models using his custom harness. Finding Zero-Days with Any Model
Vulnerable News
Securing GitHub: Wiz Research uncovers Remote Code Execution in GitHub.com and GitHub Enterprise Server

This one got voted top story in my live stream but it was a hard choice with so much news this week. This is crazy - AI assisted fuzzing using IDA Pro MCP by the Wiz team found a critical RCE in the closed-source, black-box GitHub Enterprise appliance. With a small tweak, this bug also worked on GitHub dot com. With a single git push a user with access to any repo, even one they just created themselves, would be able to execute code on the server itself and get read/write to any other repo on that server.
This is a huge deal on GitHub dot com because of their multi-tenant architecture, leaving potentially millions of repos exposed. They had the fix out in under 2 hours which deserves huge kudos. It took a few days to package the fix into GitHub Enterprise and at the time of Wiz publishing the research 88% of servers out there were still vulnerable. So if you're a GitHub Enterprise customer, get to patching. (read more)


Alright, this one is hard to understand but easy to know what you need to do about it. It is a privilege escalation bug in basically every Linux distro that came out after 2017. And like all good and serious vulnerabilities, it has a name and a web page of its own. The vulnerability research dropped at the same time as the POC, and it says that they gave the distros about a month to get ahead of this instead of 90 days. They didn't really say why. I'm assuming it's because if the distro has started putting out updates, it was gonna be hard to keep a lid on this one.
The gist is any user on a box can turn into root. So this is really important for shared boxes, things like CI/CD build machines, Kubernetes cluster machines, or any sort of cloud SaaS offering that lets users execute code on a shared box. Much less important to patch on just single-user Linux workstations or anything like that, but obviously still patch if you can. (read more)
cPanel was released to the world in 1997. Why the hell are we still chasing serious, actively exploited vulnerabilities in it across millions of endpoints?
A critical auth bypass bug (CVE-2026-41940) has been getting exploited in the wild since late February, and now there's a public PoC floating around courtesy of watchTowr. The vulnerability is a CRLF injection in the login process that lets attackers bypass authentication. With ~1.5 million cPanel instances sitting on the internet, I can't believe we're still chasing this.
Patches dropped on April 28th, but active exploitation goes back way before patches were available. Consider yourself owned if you've been on the internet with these vulnerable machines the last few weeks. cPanel also threw together a detection script to check if you've been impacted. (read more)

Checkmarx finally confirmed what actually happened here, and it ties straight back to the same supply-chain mess we've been watching unfold for weeks. The access vector was the Trivy supply chain attack. Trivy got hacked, attackers got credentials, and then they used those to get into Checkmarx's GitHub and push malicious code. That was back on March 23rd. About a week later, data got exfiltrated, and now Lapsus$ has dumped that data publicly.
There was a second wave of malicious artifacts a month later. That means whatever containment they did the first time didn't fully remove the attacker, or they got back in. Docker images and VSCode extensions that were designed to steal credentials and config files seem to have been used against Checkmarx devs. If you were pinned to latest, you might've been pulling malicious code from a security vendor. (read more)

This Robinhood attack is a nasty one that a lot of people in my comments say they fell for. I don't blame them! This is one of those phishing emails where everything checks out. It's actually from Robinhood, it passes every filter, it lands clean in your inbox, and there's nothing about it that looks off at first glance. What the attacker did was abuse the Gmail dot trick to create a separate Robinhood account tied to your email, then trigger a legit "unrecognized activity" alert.
The vuln that enabled this was HTML injection. They shoved attacker-controlled HTML into the device name field, so when Robinhood sent the email, the bottom half of it was basically the attacker's phishing page rendered inside a legit message. This is why a lot of anti-phishing advice sucks, you can't "check the sender" here to make sure it's legit. It IS legit. The only real defense is after the click: If you land on that phishing page and you're using a password manager, it's not going to autofill because the domain isn't Robinhood. (read more)
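The two server-side gaps described above (Gmail dot variants treated as distinct accounts, and a device name placed unescaped into an HTML email) can be closed as in this added example, which is not Robinhood's code. The template, function names and sample device string are all hypothetical and constructed for illustration.

```python
import html
from html.parser import HTMLParser

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def canonical_email(addr: str) -> str:
    """Collapse Gmail dot variants so sign-up uniqueness checks see one mailbox."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain in GMAIL_DOMAINS:
        local, domain = local.replace(".", ""), "gmail.com"
    return f"{local}@{domain}"

# Hypothetical alert template; {device} is the user-supplied device name.
TEMPLATE = "<p>Unrecognized activity from device: <b>{device}</b></p>"

def render_unsafe(device: str) -> str:
    return TEMPLATE.format(device=device)  # raw value lands in the HTML body

def render_safe(device: str) -> str:
    return TEMPLATE.format(device=html.escape(device, quote=True))

class _Tags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def tags_in(markup: str) -> list:
    parser = _Tags()
    parser.feed(markup)
    parser.close()
    return parser.tags

def injected_tags(rendered: str) -> list:
    """Start tags in the rendered mail beyond those the template itself emits."""
    extra = tags_in(rendered)
    for tag in tags_in(TEMPLATE.format(device="")):
        if tag in extra:
            extra.remove(tag)
    return extra

# Constructed sample input, not taken from the real incident.
DEVICE = 'Pixel 8</b></p><a href="https://login.example.invalid/">Review activity</a>'

if __name__ == "__main__":
    print(canonical_email("j.a.n.e.doe@gmail.com"))
    print(injected_tags(render_unsafe(DEVICE)))
    print(injected_tags(render_safe(DEVICE)))
```

A check like `injected_tags` fits in a pre-send test for any transactional mail that includes user-controlled fields.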

Look at all this. First of all I couldn't possibly cover all the supply chain stuff that happened this week individually. Quick recap - Open VSX extensions are dealing with new variations and waves of GlassWorm, TeamPCP is still kicking around, this time in SAP's repos, a bunch of npm typosquats are out there stealing secrets out of env variables, and popular PyPI packages tied to "lightning" were compromised.
On top of all of that, Socket acquired Secure Annex - and not to take credit or anything but Feross and Tuckner are the only two founders that have been on my YouTube channel and here they are succeeding together. Causation or Correlation, you decide. (read more)
Is bug bounty dying? It's certainly changing. Google just announced it's reducing a bunch of its bug bounty rewards, and the cited reasons make it sound like they've just gotten too damn good and efficient internally with the use of AI vuln scanning. They are prioritizing rewarding things that AI is bad at currently, like exploit development. They don't want your lengthy vuln description thanks to Opus 4.7 - they can do that themselves. They want a PoC.
They're also ditching some bonuses like renderer code execution rewards because AI has made demonstrating those techniques "almost routine." Absolutely wild to think about where we were just a few months ago. While individual bug payouts might drop, they expect total rewards in 2026 to actually increase. Gotta wonder what this means for non-Google bounty programs. (read more)
This one is wild, but also frustrating because we don't actually have the details that matter yet. Handala is out there claiming they dumped personal data on 2,379 U.S. Marines in the Middle East: emails, family details, home addresses, even "shopping habits" and "nightly activities." The messaging is full-on cartoon villain stuff. Pure propaganda. But underneath that, there's a real question I care about: where did this data actually come from and how did they build these profiles?
That's the part we don't have yet, and it's the only part that really matters. War stuff is war stuff, we all get that. But when this kind of targeting starts bleeding into private individuals, families, and potentially companies, that's when it crosses into something we should be paying attention to. Right now, it's noise and threats. I'm watching for how they got the data and whether this starts hitting closer to home. (read more)
Police Arrest 3 People In Cybercrime Investigation, Seize "SMS Blasters" Used to Defraud Victims

The normies ate this one up. This story was all over the news with this terrifying looking hacking machine in the trunk driving around HACKING PHONES!!11 But it's actually just a fake cell tower. This stuff has been around forever. It's not like if this thing drives past your house you instantly get hacked. It's just an SMS blaster mimicking a tower so phones connect to it and it can send phishing texts directly.
What is real is the scale and why they're doing it. Instead of sending scam texts through normal telecom networks where they might get blocked, they just run their own "network" and blast messages straight to nearby devices. That's why tens of thousands of phones connected and why you see numbers like millions of disruptions. It's just SMS phishing at scale. (read more)

ADT home security company just had data on about 5.5 million customers exposed. (Out of about 6 million total customers. So basically all of them.) Names, phone numbers, addresses, emails, the kind of stuff you'd expect, but still not great when it's tied to people's homes. From everything I've seen, this wasn't some crazy technical exploit. This looks like the same thing we keep seeing over and over again. Someone gets access through an employee account and just pulls the data out.
I call this kind of thing out as priority number 1 to address a lot. I wrote it up in last week's newsletter if you missed it. The threat actors are screaming their MO from the rooftops on this stuff. If you don't have your phishing (SMS, Voice, or otherwise) playbook locked down, they're going to take advantage of it. (read more)
This one is pretty straightforward, but it says a lot about how this whole ecosystem works. You've got a 22-year-old in California who just got sentenced to about five years for laundering crypto tied to a group that stole something like $260 million. His job wasn't the hack. His job was taking the money after the fact, buying assets, moving funds around, basically helping clean it so it looks legit.
The judge wasn't impressed with his "young man who got swept up" defense, especially considering he was driving around in a $300k Rolls Royce Ghost courtesy of his laundering fees. What people miss with a story like this is that the hack is one thing, but none of it works without someone on the back end turning stolen crypto into something usable. You steal it, move it, cash it out. What stands out to me is how young these guys are. Early 20s, already deep in this world, moving millions, part of an entire ecosystem built around making stolen money usable. (read more)
Miscellaneous mattjay

Parting Thoughts:
Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.
Stay safe, Matt Johansen
@mattjay
