🏢 Major Breaches & Incidents - CISA credential exposure, 7-Eleven breach, Grafana source-code theft

🚨 Emerging Threats & Vulnerabilities - Shai-Hulud npm wave, GitHub VSCode extension breach, ChromaDB server takeover bug, NGINX exploitation, Universal Robots flaw

🛰️ APTs and State Sponsored Attacks - Cisco SD-WAN zero-day, Microsoft SSPR abuse in Azure attacks

🤖 AI in Cyber - Google AI-generated zero-day, Mythos hacking fears update

🫠 CISA Contractor Repo Exposes Passwords and Cloud Keys to the Open Web
A security researcher found plaintext credentials in a public GitHub repository tied to a CISA contractor. TechCrunch reported the exposed materials included access tokens, cloud keys, and sensitive files, while CISA said it was investigating and had no indication sensitive data was compromised. Still, the optics are rough when the agency telling everyone else to clean up credential hygiene lands in the “public repo with secrets” category.
👉️ Key takeaway: Contractor repositories need secret scanning, exposure monitoring, and rapid key revocation, especially when the customer is the federal cyber agency.

🛒 7-Eleven Confirms ShinyHunters-Claimed Breach After Franchisee Documents Were Accessed
7-Eleven confirmed that an unauthorized third party accessed systems storing franchisee documents after the company discovered the incident in early April. ShinyHunters claimed it stole more than 600,000 Salesforce records and later leaked a large archive after the company refused to pay. 7-Eleven has not publicly confirmed the full scope claimed by the gang, but the incident fits the broader pattern of SaaS-linked extortion pressure on large brands.
👉️ Key takeaway: SaaS data stores need breach-grade monitoring, token governance, and extortion response planning because “it was in Salesforce” does not make it less stolen.

📊 Grafana Labs Says Hackers Stole Its Code and It Refused to Pay
Grafana Labs said attackers abused a stolen token to access its GitHub environment and steal source code. The company said the token did not provide access to customer or financial data and that it refused to pay the ransom demand. The open-source angle matters because stolen code can still fuel vulnerability hunting, extortion, and trust erosion even when customer systems are not directly exposed.
👉️ Key takeaway: Developer tokens need short lifetimes, tight scopes, monitoring, and rotation because source-code access is still high-value access.

🧬 Shai-Hulud Returns With a 600-Package npm Supply-Chain Mess
Attackers published hundreds of malicious npm package versions in a new Shai-Hulud wave, including packages tied to widely used JavaScript ecosystems. BleepingComputer reported 639 malicious versions across 323 unique packages in about one hour, which is less “package incident” and more “developer supply-chain fire drill with confetti.” The malware targets developer and CI/CD secrets, creating risk across GitHub, npm, cloud services, Kubernetes, Vault, Docker, databases, SSH, Jenkins, Azure DevOps, Vercel, Netlify, and more.
👉️ Key takeaway: Remove or downgrade compromised packages, rotate developer and cloud credentials, and inspect CI/CD environments for persistence.

🧩 GitHub Confirms 3,800 Repositories Breached Through Malicious VSCode Extension
GitHub confirmed a breach involving thousands of repositories after attackers abused a malicious VSCode extension. The company said it had no evidence customer data outside the affected repositories was impacted, but source-code exposure is still a major developer-trust problem. Browser extensions get attention, but editor extensions deserve the same side-eye because they often sit right next to code, credentials, and developer workflows.
👉️ Key takeaway: Review approved IDE extensions, audit repository access, rotate exposed tokens, and treat developer tooling as part of the enterprise attack surface.

🧠 ChromaDB Bug Can Let Attackers Take Over AI App Servers Before Login
CVE-2026-45829 is an unpatched ChromaDB vulnerability that can expose affected deployments to server takeover. The issue matters because ChromaDB is widely used in AI and vector-search application stacks, where API keys, environment variables, and application secrets are often close by. AI infrastructure keeps getting treated like experimental plumbing, while attackers keep treating it like production infrastructure with better snacks.
👉️ Key takeaway: Restrict ChromaDB exposure, avoid untrusted model sources, and secure vector databases like real production systems.

🌐 Critical NGINX Vulnerability Moves Into Active Exploitation
Exploitation has begun for CVE-2026-42945, a critical NGINX vulnerability affecting NGINX Plus and NGINX Open Source under specific conditions. The bug can cause denial of service by default and may enable remote code execution if ASLR is disabled. Since NGINX sits in front of plenty of public-facing services, this is exactly the sort of flaw that turns a patch window into a calendar argument nobody wins.
👉️ Key takeaway: Patch NGINX, review rewrite module exposure, verify ASLR is enabled, and expect scanning now that exploitation has started.

🦾 Universal Robots Flaw Exposes Industrial Robot Fleets to Hacking
CVE-2026-8153 affects Universal Robots PolyScope 5 and can be exploited for OS command injection. Claroty warned that impact could range from control of a single cobot to compromise of an entire fleet in exposed or flat OT environments. That is a reminder that “collaborative robot” should not mean “collaborates with whoever finds the open interface first.”
👉️ Key takeaway: Patch PolyScope, restrict Dashboard Server access, and segment robot control networks before one exposed cobot becomes a fleet problem.

🧭 Cisco SD-WAN Zero-Day Under Attack by Persistent Threat Group
Attackers are exploiting a max-severity zero-day affecting Cisco Catalyst SD-WAN Controller and Manager. Cisco Talos attributed the activity to UAT-8616 and warned of broader exploitation against Cisco SD-WAN infrastructure vulnerabilities. When the controller that helps manage the network becomes the target, defenders are not dealing with “just another appliance,” they are dealing with the steering wheel.
👉️ Key takeaway: Patch Cisco SD-WAN controllers urgently, hunt for unauthorized administrative activity, and limit controller access before attackers treat the network brain like a lobby kiosk.

🔐 Microsoft SSPR Abuse Fuels Azure Data Theft Attacks
Microsoft says Storm-2949 is targeting Microsoft 365 and Azure production environments by abusing legitimate applications and administration features. The actor expanded into Azure infrastructure including virtual machines, storage accounts, key vaults, app services, and SQL databases. The uncomfortable part is that the campaign leans on valid platform workflows, not exotic malware, which makes sloppy identity governance the attacker’s favorite shortcut.
👉️ Key takeaway: Lock down SSPR, monitor privileged reset flows, review Azure audit logs, and treat cloud admin features as attack paths, not just convenience buttons.

🧪 Google Spots What It Says Is the First AI-Generated Zero-Day Exploit
Google said it identified a zero-day exploit believed to have been developed with AI assistance. The exploit targeted an open-source administration tool and was designed to bypass two-factor authentication, with Google saying it worked with the vendor before mass exploitation could happen. The bigger point is that AI-assisted exploit development is no longer just conference speculation with dramatic lighting.
👉️ Key takeaway: AI-assisted exploit development is moving from theory into practice, so defenders should expect faster proof-of-concept creation and lower barriers for weaponization.

🧯 Reuters Says Mythos Hacking Panic May Be Overstated, But Not Imaginary
Reuters reported that early fears around Anthropic’s Mythos model may be overstated, even as practitioners acknowledge real improvements in vulnerability discovery. The bigger bottleneck may be validation, prioritization, and remediation, because finding more bugs does not magically produce more patch windows. That is not exactly comforting, but it is more useful than pretending AI is either cyber doom or cyber glitter.
👉️ Key takeaway: AI vulnerability discovery may raise finding volume faster than teams can triage, so remediation capacity becomes the real constraint.