GitHub Code Leak, 7-Eleven Breached, NYC Patient Exposure – Cybersecurity News [May 18, 2026]
Quick Answer
Cybersecurity threats surged in May 2026 as GitHub, 7-Eleven, NYC Health + Hospitals, and major tech firms faced breaches, supply chain attacks, ransomware, and critical vulnerabilities. Experts warn organizations to patch systems, secure SaaS platforms, and strengthen MFA defenses.
Here’s your weekly roundup of the most important cybersecurity stories from the past seven days, covering major breaches, critical vulnerabilities, law enforcement operations, and emerging threats shaping the global security landscape.
GitHub’s Internal Code Repositories Breached by TeamPCP Hackers!
One of the biggest stories of the week: GitHub, the Microsoft-owned developer platform used by over 180 million developers worldwide, confirmed that threat actors accessed and exfiltrated approximately 3,800 of its internal repositories. The threat actor self-identified as TeamPCP (also tracked as UNC6780) and compromised an employee’s developer device through a malicious Visual Studio Code extension, using that foothold to clone the internal repositories.
The breach was detected on May 19 and likely originated from a “poisoned” Visual Studio Code extension found by the GitHub security team on an employee device. The LAPSUS$ cybercrime group subsequently teamed up with TeamPCP for a joint sale of GitHub repositories for $95,000 on cybercrime forums.
The good news for GitHub’s 4+ million organizational clients: GitHub confirmed the breach of approximately 3,800 internal repositories and said it currently has no evidence that customer data stored outside its internal repositories has been affected.
TeamPCP (aka UNC6780) is a cybercrime group that specializes in supply chain attacks targeting open-source security utilities and AI middleware. They have previously compromised Aqua’s Trivy security scanner, CheckMarx’s KICS, the LiteLLM library, the Telnyx SDK, TanStack, MistralAI, and other packages.
7-Eleven Confirms Massive Data Breach by ShinyHunters!
Convenience store chain giant 7-Eleven confirmed that its systems were breached in a cyberattack claimed by the ShinyHunters extortion group. Founded in 1927, 7-Eleven now operates, franchises, and licenses over 86,000 stores globally, including 13,000 stores in the US and Canada, while its 7Rewards and Speedy Rewards loyalty programs have more than 100 million members.

The breach exposed over 600,000 Salesforce records containing sensitive franchisee and corporate data, highlighting critical vulnerabilities in SaaS security. The types of consumer information confirmed as exposed included names, driver’s licenses, Social Security numbers, and addresses. On April 17, 2026, a threat actor known as ShinyHunters posted a claim on the Tor network.
The breach specifically targeted systems storing franchisee application documents, meaning it primarily affected individuals who had applied to become franchisees, not general store customers. 7-Eleven has begun notifying affected individuals and is evaluating further notification steps.
NYC Health + Hospitals Notifying 1.8 Million Patients of Months-Long Breach!
New York City’s public hospital system disclosed one of the largest healthcare breaches of the year. NYC Health + Hospitals (NYC H+H) posted a data breach notice about a months-long breach via a third-party vendor that exposed highly sensitive patient and employee data for at least 1.8 million people, including medical records, government IDs, geolocation data, and even fingerprint and palm-print biometrics.
The hackers had access to its network from November 2025 until February 2026, during which the hackers copied files from its systems. The healthcare system said hackers broke in due to a breach at a third-party vendor, which it did not name. The exposed data includes patients’ health insurance plan and policy information, medical information (e.g., diagnoses, medications, tests, and imagery), billing, claims, and payment information. Other government-issued identity documents, such as Social Security numbers, passports, and driver’s licenses, were also compromised.
The breach is particularly alarming because of the biometric data stolen: fingerprints and palm prints cannot be reset like passwords, creating a permanent and irreversible privacy risk for affected individuals.

Grafana Labs GitHub Breached via TanStack Supply Chain Attack!
Visualization and observability software maker Grafana Labs disclosed a significant breach of its own GitHub environment, also tied to TeamPCP’s ongoing “Mini Shai-Hulud” supply chain campaign. On May 16, 2026, Grafana Labs confirmed a targeted attack by a cybercrime group that gained unauthorized access to its GitHub repositories and downloaded its codebase, followed by a ransom demand under threat of data disclosure.
The Grafana data breach was caused by a single GitHub workflow token that slipped through the rotation process following the TanStack npm supply-chain attack. In the ongoing Shai-Hulud malware campaign, dozens of TanStack packages infected with credential-stealing code were published on the npm index, compromising developer environments, including Grafana’s.
TanStack said the threat actors published 84 malicious versions across 42 @tanstack/* packages on May 11. The infostealer targeted not only GitHub Actions tokens but also GitLab, CircleCI, AWS, Google Cloud Platform, Azure, Kubernetes, HashiCorp Vault and package registry tokens. The campaign also impacted OpenSearch npm versions, PyPI mistralai 2.4.6, PyPI guardrails-ai 0.10.1, and further packages.
Grafana confirmed it refused the ransom demand and that no customer production systems were compromised.
CISA Contractor Accidentally Exposes AWS GovCloud Credentials on Public GitHub!
In a deeply embarrassing incident for the agency responsible for US cybersecurity, a contractor for the Cybersecurity and Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests, and deploys software internally.
The repository, named “Private-CISA,” had been live since November 13, 2025, and contained 844 MB of data, including Kubernetes files, GitHub Actions workflows, internal documentation backups, plain-text passwords, AWS tokens, and GitHub access tokens.
According to KrebsOnSecurity, the repository was linked to a contractor from Nightwing, a US-based government services firm. Despite the repository being taken offline shortly after disclosure, the exposed AWS credentials reportedly remained valid for nearly 48 hours afterward. CISA confirmed it is actively investigating and said there is currently no evidence of active exploitation.
Drupal Patches Highly Critical SQL Injection Vulnerability Actively Exploited in the Wild!
Millions of websites powered by the popular open-source CMS Drupal faced an urgent race against threat actors this week. Drupal patched a highly critical vulnerability tracked as CVE-2026-9082, rated 20 out of 25 by NIST, which affects an API designed to ensure that database queries are sanitized to prevent SQL injection attacks. A vulnerability in this API allows an attacker to send specially crafted requests, resulting in arbitrary SQL injection for sites using PostgreSQL databases. The flaw can be exploited without authentication to obtain information and in some cases for privilege escalation and remote code execution.
Drupal is warning users that it has already seen attempts to exploit CVE-2026-9082 and security firms are seeing attacks against thousands of websites. Drupal predicted that an exploit for CVE-2026-9082 may be created within hours or days of disclosure and alerted users prior to the patch’s release on May 20.

Patches are available for Drupal versions 11.3, 11.2, 10.6, and 10.5.x. CISA subsequently added the flaw to its Known Exploited Vulnerabilities catalog. Any Drupal administrator running PostgreSQL should apply this patch immediately.
‘Underminr’ Vulnerability Puts 88 Million Domains at Risk!
A newly disclosed vulnerability in shared CDN infrastructure is raising serious alarm bells across the cybersecurity community. Dubbed Underminr, the issue is a variant of domain fronting that enables threat actors to place a trusted domain’s details in network requests while secretly routing traffic to a malicious destination. There are approximately 88 million domains potentially affected, with internet infrastructure in the US, the UK, and Canada most impacted.
The vulnerability is under active abuse and could be scaled by AI-orchestrated malware campaigns to overwhelm defenses worldwide. ADAMnetworks discovered the vulnerability, noting that Underminr exploits shared hosting ecosystems using a novel technique, allowing attackers to circumvent common network security practices.
Threat actors’ increased reliance on AI is expected to lead to a surge in attacks. “Once Underminr becomes parametric information for AI-generated malware, we could expect to see it in every attack that needs to evade protective DNS as part of the attack chain,” warned ADAMnetworks CEO David Redekop.
INTERPOL’s Operation Ramz Nets 201 Cybercriminals Across MENA Region!
Global law enforcement scored a significant win this week with the results of a landmark cybercrime operation. Operation Ramz, a first-of-its-kind cybercrime operation in the MENA region, led to the arrest of 201 individuals and the identification of a further 382 suspects. Thirteen countries from the Middle East and North Africa took part in the operation (October 2025 to February 2026), which aimed to investigate and disrupt malicious infrastructure, identify and arrest suspects, and prevent future losses.
The operation focused on neutralizing phishing and malware threats, as well as tackling cyber scams. In addition to the arrests, 3,867 victims were identified, and 53 servers were seized. One of the highlights was the disruption of a phishing-as-a-service (PhaaS) platform by Algerian authorities after its server was confiscated.
In one striking discovery, a raid uncovered 15 individuals carrying out scams who turned out to be victims of human trafficking, recruited under false promises of employment from their home countries in Asia. Upon arrival in Jordan, their passports were confiscated and they were forced to commit cybercrimes.
Trump Mobile Website Exposes Personal Data of 27,000+ Customers!
The newly launched Trump Mobile faced an embarrassing cybersecurity incident just as its T1 phone began shipping. Trump Mobile confirmed that customer names, emails, physical addresses, cell numbers, and order identifiers spilled onto the public internet through what the company calls a “third-party platform failure,” not a direct breach of its own systems.
The exposed data reveals that roughly 30,000 orders were placed for the device, coming from around 10,000 distinct customers. Researchers demonstrated they were able to access the entire database. The issue was brought to public attention by two popular YouTubers, Coffeezilla and penguinz0, after an anonymous security researcher alerted them. Trump Mobile said it is evaluating whether it needs to formally notify affected customers.

EvilTokens and Kali365: New PhaaS Platforms Bypassing MFA to Hijack Microsoft 365!
Two new Phishing-as-a-Service (PhaaS) platforms are supercharging attacks on Microsoft 365 users by completely bypassing multi-factor authentication. In February 2026, a PhaaS platform called EvilTokens went live. Within five weeks, it had compromised more than 340 Microsoft 365 organizations across five countries. The targets received a message asking them to enter a short code at a legitimate Microsoft login page and complete their normal MFA challenge, but they had actually handed the operator a valid refresh token scoped to their mailbox, drive, calendar, and contacts.
Separately, the FBI warned about a platform called Kali365, first observed in April 2026, which has been distributed through Telegram, allowing cybercriminals to obtain Microsoft 365 access tokens and bypass MFA without stealing user credentials. “Kali365 lowers the barrier of entry, providing less-technical attackers access to AI-generated phishing lures, automated campaign templates, real-time targeted individual/entity tracking dashboards, and OAuth token capture capabilities,” the FBI said.
Both platforms exploit the device code authentication flow, making the attack invisible to traditional security tools since victims authenticate through legitimate Microsoft pages.
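Because the victim signs in on a genuine Microsoft page, the one artefact a defender reliably keeps is the sign-in log itself. The script below is an added example (not from the original article) that flags successful device-code-flow sign-ins; it assumes the Microsoft Graph signIn schema, where the authenticationProtocol field reads "deviceCode" for this flow, and the log records are constructed sample data.

```python
import json

# Constructed sample sign-in events; the fields mirror the Graph signIn
# resource (userPrincipalName, authenticationProtocol, ipAddress,
# status.errorCode, location.countryOrRegion, createdDateTime).
SAMPLE_SIGNINS_JSON = """[
 {"userPrincipalName": "alice@example.com", "authenticationProtocol": "oAuth2",
  "ipAddress": "198.51.100.5", "status": {"errorCode": 0},
  "location": {"countryOrRegion": "US"}, "createdDateTime": "2026-05-14T08:55:00Z"},
 {"userPrincipalName": "bob@example.com", "authenticationProtocol": "deviceCode",
  "ipAddress": "203.0.113.10", "status": {"errorCode": 0},
  "location": {"countryOrRegion": "NL"}, "createdDateTime": "2026-05-14T09:12:00Z"},
 {"userPrincipalName": "carol@example.com", "authenticationProtocol": "deviceCode",
  "ipAddress": "198.51.100.7", "status": {"errorCode": 0},
  "location": {"countryOrRegion": "US"}, "createdDateTime": "2026-05-14T09:20:00Z"},
 {"userPrincipalName": "dave@example.com", "authenticationProtocol": "deviceCode",
  "ipAddress": "203.0.113.22", "status": {"errorCode": 50126},
  "location": {"countryOrRegion": "RU"}, "createdDateTime": "2026-05-14T09:31:00Z"}
]"""


def flag_device_code_signins(events, expected_countries=frozenset({"US"})):
    """Return an alert for every successful device-code-flow sign-in.

    Ordinary users almost never need the device code flow, so each success is
    reported; a success from outside expected_countries is rated 'high'.
    Failed attempts (non-zero errorCode) granted no token and are skipped.
    """
    alerts = []
    for ev in events:
        if ev.get("authenticationProtocol") != "deviceCode":
            continue
        if ev.get("status", {}).get("errorCode", 0) != 0:
            continue
        country = ev.get("location", {}).get("countryOrRegion", "??")
        severity = "medium" if country in expected_countries else "high"
        alerts.append({"user": ev["userPrincipalName"], "ip": ev.get("ipAddress"),
                       "country": country, "severity": severity,
                       "time": ev.get("createdDateTime")})
    return alerts


def run_sample():
    """Run the detector over the constructed events (two alerts expected)."""
    return flag_device_code_signins(json.loads(SAMPLE_SIGNINS_JSON))


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a['severity'].upper()}] device code sign-in for {a['user']} "
              f"from {a['ip']} ({a['country']}) at {a['time']}")
```

Where the device code flow is not needed at all, Entra ID Conditional Access can block it outright for those users, which removes the grant rather than merely detecting it.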
FBI Warns: Dozens of Ransomware Groups Using “First VPN” for Network Intrusions!
The FBI released a FLASH advisory revealing that the First VPN Service has been used by at least 25 ransomware groups, such as Avaddon Ransomware, to perform network reconnaissance and intrusions. The service has been active since approximately 2014 and currently provides 32 exit node servers in 27 countries. First VPN Service was almost exclusively advertised in known criminal dark web forums such as Exploit[.]in and XSS[.]is, two of the most prominent Russian-language online forums which provide marketplaces for cybercriminals.
The advisory released indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) to help defenders identify and block First VPN traffic on their networks.
Trellix, a Cybersecurity Giant, Gets Hacked, Source Code Stolen!
Cybersecurity firm Trellix disclosed a data breach after attackers gained access to a portion of its source code repository. Trellix is a global cybersecurity company formed from the October 2021 merger of McAfee Enterprise and FireEye, providing services to over 50,000 business and government customers worldwide, protecting more than 200 million endpoints.
On May 7, 2026, a ransomware group known as RansomHouse claimed responsibility for the hack, listing the company on its data leak site. The irony of a cybersecurity company itself being targeted is not lost on experts, and the downstream risk is real. If attackers studied Trellix’s source code, they may have gained insights into how to evade or disable the company’s security products, which protect hundreds of millions of endpoints globally.
OpenAI Also Hit by TanStack Supply Chain Attack!
The week’s supply chain wave did not spare even OpenAI. On May 11, 2026 (UTC), TanStack, a widely used open-source library, was compromised as part of the broader Mini Shai-Hulud supply chain attack. Two employee devices in OpenAI’s corporate environment were impacted. The company observed activity consistent with unauthorized access and credential-focused exfiltration in a limited subset of internal source code repositories.
OpenAI confirmed that no products or user data were compromised. However, signing keys for Windows, macOS, iOS, and Android were impacted, meaning all applications are being re-signed and released with new certificates. macOS users will need to take action to update by June 12, 2026 for applications to continue functioning.

Critical NGINX Vulnerability CVE-2026-42945 Actively Exploited: Patch Now!
A newly disclosed security flaw impacting NGINX Plus and NGINX Open Source has come under active exploitation in the wild, days after its public disclosure. The vulnerability, tracked as CVE-2026-42945 with a CVSS score of 9.2, is a heap buffer overflow in ngx_http_rewrite_module affecting NGINX versions 0.6.27 through 1.30.0.
Security experts warn the flaw can lead to denial-of-service on default configurations and to remote code execution if ASLR is disabled. Given how widely NGINX is deployed as a web server and reverse proxy, administrators are urged to apply the available patch immediately.
ShinyHunters on a Rampage: Zara, Carnival, Pitney Bowes and More Hit!
The prolific ShinyHunters cybercrime group behind the 7-Eleven breach (see above) has been on a wide-ranging rampage, listing multiple major organizations as victims. ShinyHunters listed Carnival, Zara, and Pitney Bowes as newly added victims, claiming to release their data after failed negotiations. Several organizations named in the campaign now have varying levels of confirmation, ranging from verified breach listings to unverified claims.
ShinyHunters has become one of the most active and brazen data extortion groups operating today, having previously been responsible for high-profile breaches including Ticketmaster, Santander, and numerous other global brands. Organizations using Salesforce and other SaaS platforms are urged to audit their access controls and third-party integrations immediately.
General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.