News May 22, 2026

IT News Roundup: GitHub Breach, Microsoft Zero-Days, and Critical Vulnerabilities - May 22, 2026

Today's IT news roundup covers the GitHub supply-chain breach that compromised 3,800 repositories, actively exploited Microsoft Defender zero-days, a leaked Chromium RCE vulnerability, and several critical infrastructure security issues.

The past 24 hours have been dominated by the cascading fallout from the TanStack npm supply-chain attack, which has now been linked to breaches at both GitHub and Grafana. Alongside the supply-chain drama, Microsoft is patching actively exploited Defender zero-days, Google accidentally leaked details of an unfixed Chromium remote code execution flaw, and several critical vulnerabilities in enterprise infrastructure products are demanding immediate attention.

GitHub Confirms Breach of 3,800 Repositories via Malicious VS Code Extension

GitHub has confirmed that hackers breached approximately 3,800 internal repositories through a compromised version of the Nx Console VS Code extension. The malicious extension was introduced during last week's TanStack npm supply-chain attack, in which attackers took over the popular TanStack package on the npm registry.

The Nx Console extension is widely used for managing monorepo projects, making it a high-value target. The breach underscores the systemic risk that supply-chain compromises pose to development workflows — a single poisoned package in a popular toolchain can cascade into far-reaching access to internal systems.

Source: BleepingComputer

Microsoft Warns of New Defender Zero-Days Actively Exploited in Attacks

Microsoft began rolling out emergency security patches on Wednesday for two vulnerabilities in Microsoft Defender that have already been exploited in the wild as zero-day attacks. The patches address flaws that allow attackers to bypass Defender's real-time protection capabilities.

The fact that threat actors were actively exploiting these vulnerabilities before any public disclosure highlights the ongoing arms race between security vendors and attackers. Organizations running Microsoft Defender are urged to apply the latest updates immediately, since exploitation was already under way before the patches shipped.

Source: BleepingComputer

Google Accidentally Exposed Details of Unfixed Chromium RCE Flaw

Google has inadvertently leaked information about an unfixed vulnerability in Chromium that allows JavaScript to continue running in the background even after the browser is closed. This behavior can be exploited for remote code execution on the affected device.

The flaw is particularly concerning because it means malicious scripts can persist beyond the normal browser session lifecycle. Users of Chrome, Edge, and other Chromium-based browsers should remain cautious until an official patch is released. The accidental disclosure has raised questions about Google's internal vulnerability tracking and disclosure processes.

Source: BleepingComputer

Cisco Releases Emergency Fix for Maximum-Severity Secure Workload Vulnerability

Cisco has released critical security updates addressing a maximum-severity vulnerability in Cisco Secure Workload that allows unauthenticated attackers to gain Site Admin privileges. The flaw effectively grants full administrative control over the Secure Workload platform.

Secure Workload is Cisco's container security platform, widely deployed in enterprise environments to protect containerized workloads. A maximum-severity rating indicates the vulnerability is trivially exploitable and carries severe impact. Administrators should prioritize patching this vulnerability immediately, especially in environments where Secure Workload manages production container infrastructure.

Source: BleepingComputer

Grafana Breach Traced to Missed Token Rotation After TanStack Attack

Grafana has confirmed that its recent data breach was caused by a single GitHub workflow token that was missed during the credential rotation process following the TanStack npm supply-chain attack. This is another downstream consequence of the same supply-chain compromise that affected GitHub.

The incident serves as a stark reminder that credential rotation after a supply-chain attack must be exhaustive and systematic. A single overlooked token — in this case a GitHub workflow token — was enough to give attackers access to Grafana's internal systems. Organizations affected by the TanStack incident should audit all workflow tokens, API keys, and service credentials for completeness.
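One way to make that audit systematic, as an added example that is not part of the original article or of Grafana's or GitHub's tooling: scan the `${{ secrets.NAME }}` references in a GitHub Actions workflow and reconcile them against a rotation ledger, flagging every secret that was never rotated or was last rotated before the incident. The workflow text, ledger contents and incident timestamp below are constructed; the built-in `GITHUB_TOKEN` is skipped because it is minted per run and is not a long-lived credential.

```python
import re
from datetime import datetime

# Constructed sample workflow: references three long-lived secrets plus GITHUB_TOKEN
WORKFLOW_YAML = """
name: release
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      - run: ./deploy.sh
        env:
          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
          GH_PAT: ${{secrets.GH_WORKFLOW_PAT}}
"""

# Constructed rotation ledger: secret name -> last rotation time (ISO 8601, UTC).
# GH_WORKFLOW_PAT is deliberately absent: it was never rotated at all.
ROTATION_LEDGER = {
    "NPM_TOKEN": "2026-05-15T09:00:00+00:00",   # rotated after the incident
    "DEPLOY_KEY": "2026-04-01T12:00:00+00:00",  # stale: rotated before the incident
}

# GITHUB_TOKEN is generated per workflow run, so it never needs manual rotation
BUILTIN_SECRETS = {"GITHUB_TOKEN"}

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")

def referenced_secrets(workflow_text: str) -> set[str]:
    """Every secret name the workflow pulls from the secrets context."""
    return set(SECRET_REF.findall(workflow_text))

def unrotated_secrets(workflow_text: str, ledger: dict, incident_time: str) -> list[str]:
    """Referenced, long-lived secrets with no rotation recorded after the incident."""
    cutoff = datetime.fromisoformat(incident_time)
    missed = []
    for name in sorted(referenced_secrets(workflow_text) - BUILTIN_SECRETS):
        rotated_at = ledger.get(name)
        if rotated_at is None or datetime.fromisoformat(rotated_at) <= cutoff:
            missed.append(name)
    return missed

if __name__ == "__main__":
    print(unrotated_secrets(WORKFLOW_YAML, ROTATION_LEDGER, "2026-05-14T00:00:00+00:00"))
```

In practice the same check runs over every workflow file in every repository, with the ledger fed from whatever system records rotations, so that a token missed in one repository cannot hide behind the ones that were rotated.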

Source: BleepingComputer

Chinese Hackers Target Telecommunications Providers with New Malware

Security researchers have uncovered a Chinese cyber-espionage campaign targeting telecommunications providers worldwide using newly discovered malware families dubbed Showboat (for Linux systems) and JFMBackdoor (for Windows systems). The dual-platform approach suggests attackers are attempting to compromise the full stack of telecom infrastructure.

Telecommunications networks are critical infrastructure, and persistent targeting by state-sponsored actors reflects the strategic value of intercepting communications data. Network operators and telecom providers should monitor for indicators of compromise associated with both malware families and review access controls on both Linux and Windows systems in their environments.

Source: BleepingComputer

Hackers Bypass SonicWall VPN MFA Through Incomplete Patching

Threat actors have been successfully brute-forcing VPN credentials and bypassing multi-factor authentication on SonicWall Gen6 SSL-VPN appliances to deploy ransomware tooling. The bypass is reportedly made possible by incomplete patching, leaving known vulnerabilities unaddressed even after security updates were available.

This case illustrates a persistent problem in enterprise security: patches being available is not the same as patches being applied. Organizations relying on SonicWall VPN infrastructure should verify that all Gen6 appliances are running the latest firmware and that MFA configurations are properly enforced. The attacks demonstrate that even MFA-protected systems are vulnerable when underlying platform vulnerabilities remain unpatched.

Source: BleepingComputer
