FCC, Github, MiniShai-hulud, Stated of Supply Chain, Itron, CRA, NIS2, and more!! – PSW #927

David Johnson

1. Sure you could “nuke all routers”, but this ESP32-C5 wireless postage stamp is far more useful for other things.

   I saw this GitHub project mentioned in Hacker News and it's a pretty standard deauther program program. I haven't investigated it to determine if it's better or worse than others in the past. But then I spotted the hardware it runs on. I immediately lost interest in the deauther program and dug into this new (to me) hardware.

   The ESP32-C5 (and C6 I learned) runs in minimal power, has built in Usb-c (10+ points in my book) and has wifi6, BT 5 BLE, thread, and ZigBee and its only $8. The C6 (a lower powered version) is only $6. It also is built to support IOT software.

   In the days where the cost of RAM is as much as a car, this was a refreshing find with lots of potential. It's immediately applicable to all sorts of small cheap projects.

   https://www.seeedstudio.com/Seeed-Studio-XIAO-ESP32C5-Pre-Soldered-p-6610.html

   Big Eval board for those interested https://www.olimex.com/Products/IoT/ESP32-C5/ESP32-C5-EVB/

   Really nice ExpressIF explainer chart of all their different similar SoC products. https://products.espressif.com/static/Espressif%20SoC%20Product%20Portfolio.pdf

2. Virtual OS Museum Tour

   There have been lots of different operating systems over the history of computing. Some have stuck around, some haven't. The VirtualOS Museum is an app with more than 570 preinstalled virtual OS's ready for you to use.

3. Anna’s Archive smacked with nearly $20M lawsuit

   Fans of the XTEink e-reader products have probably stumbled across mention of "Anna's archive" in the search for eBooks to download.

   One of the major drawbacks of non-kindle devices is that you don't have access to many eBooks due to licensing. The team of Anna's archive created their library to get around this. And they are being sued, again...

   Copyright Free/Public Domain alternatives for ebooks: Standardebooks.com Guttenberg.com

4. Say goodbye to those insightly watermarks

   A handy tool for removing watermarks in AI generated images. MIT licensed project.

   Remove visible and invisible AI watermarks from images generated by Google Gemini (Nano Banana), ChatGPT / DALL-E, Stable Diffusion, Adobe Firefly, Midjourney, and other AI models.

   Strips SynthID, C2PA Content Credentials, EXIF/XMP "Made with AI" labels, and visible sparkle overlays — all in one command.

   Also includes a legal logic diagram of when this is likely to be legal/illegal.

   This may also help with privacy, assuming you are using it for lawful purposes.

Jeff Man

1. Peter G. Neumann, Who Warned of Computer Security Risks, Dies at 93

   I've often here his name bandied about, but what was he known for, really? Definitely one of the pioneers of computer security, but if he is best known for tolling the bell for computer security risks is that really all that special?

2. GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos

   Source code for sale, but no client data has been released. Whew.

3. L0phtDay 2026

   I mean, wasn't the L0pht also warning of computer/internet security risks?

4. Microsoft surprises with its first server Linux distribution: Azure Linux 4.0

   Probably should save this for Paul but w00t!?!

5. The 4th Linux kernel flaw this month can lead to stolen SSH host keys

   Before you get too excited, buried in the article on the Azure linux distribution is a link to this article. "The good news is there's already a patch. The bad news is that the fix isn't available for all Linux distributions yet."

6. 7-Eleven Data Breach Confirmed After ShinyHunters Ransom Demand

   What is wrong with this world where the badguys even go after Slurpees???

7. Vulnerability exploitation top breach entry point, 2026 industry-wide DBIR finds

   The new Verizon DBIR report is here! What a surprise - "the Data Breach Investigations Report (DBIR) confirms AI-driven speed as a new challenge, pushing security strategy toward fundamental resilience." Weren't we just talking about the [lack of] security fundamentals a few weeks ago???

8. Anthropic workshop on how to actually do prompts for Claude

   If you still have a Twitter account, you might find this interesting. I didn't, but you might. "27-minute workshop on how to actually do prompts for Claude." Taught by the people who built it. Free. No registration. No paywall.

Joshua Marpet

1. FCC Router Waiver Extension to 2029

   The FCC reversed course on its March 2026 ruling that prohibited foreign-made consumer routers in the US. Waivers issued in January and March public notices have been extended at least until January 1, 2029. Updates now include "all software and firmware updates to ensure the continued functionality of the devices, such as those that patch vulnerabilities."

   The point: Regulators acknowledged that completely blocking software support could create a worse cybersecurity problem than the ban was solving. Pulling security patches to enforce a procurement ban leaves millions of existing devices unpatched. This is the regulators learning the lesson the security community has been arguing for years.

2. Foxconn Cyberattack (5/12)

   "While this is undoubtedly a blow to Foxconn, the damage this could cause to the general public is immensely greater. Fake iPhones, fake laptops, fake merchandise of any kind, with sub-standard build quality, is not going to do the original corporate reputations any good. Plus, with the firmware and code running around, we've got an issue where any flaws in that firmware and software will be exploited quickly."

   The story: Foxconn confirmed a cyberattack on North American factories. Nitrogen ransomware group claimed it stole 8TB of data and over 11 million files, including allegedly Apple and NVIDIA-related material. Industrial Cyber covered it alongside West Pharmaceutical as part of a manufacturing-sector cyber risk pattern.

3. Connected Cars Data — WSJ

   Data harvested from drivers — geolocation, in-cabin biometrics, telematics — is enticing to both OEMs (for monetization) and attackers (for surveillance). FTC reached a settlement with GM/OnStar finalized January 2026 including a five-year ban on disclosing geolocation and driver behavior data to consumer reporting agencies. Northeastern University researchers published research on Tesla Model 3 and Cybertruck wireless system exploitation. Australia's OAIC has launched a landmark investigation into in-cabin biometrics collection.

   The structural point: Auto OEMs are becoming OT vendors with privacy law on top. The cybersecurity surface and the privacy surface are converging into one problem class.

4. CRA Mandatory 24-Hour Vulnerability Reporting Starts Sept 11 2026

   Manufacturers of connected products must report actively exploited vulnerabilities to ENISA within 24 hours starting Sept 11. This is a big operational change.

5. GitHub Breach of 3,800 Internal Repos

   GitHub confirmed in a five-post thread on X (May 20) that approximately 3,800 internal repositories were breached after one of its employees installed a malicious Visual Studio Code extension. Threat group TeamPCP claimed responsibility on underground forums and is asking $50K+ for the stolen dataset. GitHub has removed the trojanized extension from the VS Code marketplace, isolated the compromised endpoint, and begun incident response. GitHub states there is currently no evidence of impact to customer data, enterprise accounts, or user repositories.

   The point: This is the third major GitHub-related security event in six weeks (also CVE-2026-3854 RCE in late April, see B3). GitHub is the substrate the entire software industry rests on. Three different attack vectors in 45 days.

6. Mini Shai-Hulud — TanStack + 160+ npm/PyPI Packages

   Mass supply chain campaign affecting 170+ npm packages and 2 PyPI packages, totaling 404 malicious versions. Largest coordinated registry poisoning event observed in 2026 and the first to span both npm and PyPI in a single campaign. Hit 42 TanStack packages, 65 UiPath packages, Mistral AI's PyPI packages, OpenSearch JavaScript client, Guardrails AI PyPI package. Two phases: 2026-04-29 and 2026-05-11.

   Technical method: Chained three known vulnerability classes — pullrequesttarget "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process. This is professional supply-chain attack tradecraft, not script-kiddie.

   Payload behavior: Heavily obfuscated. Harvests GitHub and npm tokens, CI/CD secrets, cloud credentials, API keys. Self-propagates through the npm ecosystem. Persistent destructive daemon that can wipe developer home directories.

7. **VCRI SCSC PREVIEW** — Monday’s Drop

   VCRI publishes our inaugural State of Supply Chain quarterly report on Monday. Here's the headline a few days early: by the time you hear about an exploit, you're 11 days late. Seal Security measured commit-to-advisory: 11-day median, 167 days for Maven. GreyNoise measured exploit-traffic-to-advisory: also 11 days. Two different sides of the same gap. The advisory is the lagging indicator.

   And our piece — the trailing clock — measures whether the package is even capable of receiving a patch when the advisory finally arrives. Headline: 53% of Go dependency-pulls, weighted by how many repos depend on each package, lands on a package whose maintainers have stopped responding, whose repo has been archived, or whose successor has been named. The full intersection list — out-of-band packages cross-referenced with OSV.dev compromise history — drops Monday at vcri.org/state-of-supply-chain/2026-Q2.

8. CMMC Phase 2 / HIPAA Security Rule Overhaul / CCPA Cybersecurity Audits

   Multiple US regulatory regimes are tightening in parallel. CMMC Phase 2 for defense contractors, HIPAA Security Rule overhaul, CCPA cybersecurity audit requirements.

   The point: The 2026 compliance landscape is the most active in a decade. Multi-regime compliance is now the default posture for any non-trivial company.

Lee Neely

1. Experts Confirm the Fast16 Malware Was Sabotaging Nuclear Weapons Tests, Likely in Iran

   Fast16 didn't predate Stuxnet but was contemporaneous with it. It also wasn't aimed at altering nuclear weapons but was simply feeding false data to engineers about the nuclear detonation tests they were conducting, in order to trick them into believing the tests were failing. Modern AI was needed to decipher this malware despite sample being found in 2019.

   Stuxnet madę people think all was well when the centrifuges were failing. Fast16 makes people think the tests failed when they succeeded. Both are extremely sophisticated malware. From 2005...

2. CISA Admin Leaked AWS GovCloud Keys on Github – Krebs on Security

   This past weeken security researchers discovered CISA's "Private-CISA" GitHub repository exposed secrets including credentials to several highly privileged AWS GovCloud accounts and a large number of CISA internal systems. Guillame Valadon from security firm GitGuardian reached out to KrebsOnSecurity as no response from the repository ownere after the discoveryent was reported and the information was highly sensitive. The private repository was maintained by an employee of Nightwing, a government contractor based in Dulles VA. The repository was taken offline after both KrebsOnSecurity and Seralys notified CISA about the exposure. [Editor Comments] [Neely] Before we start throwing stones at Nightwing or CISA, we need to check we're not in the same boat. Make sure you're not disabling secrets detection and that you're scanning your repositories for secrets. The credentials were discovered by a process which scans public GitHub repos for secrets. The likely root cause is synchronization from a home PC to a work laptops, resulting in the secrets being stored in the publc repository. We should all be scanning our repositories, public or private, not only to discover secrets, but also to verify the public and private scope remains as desired.

3. The 4th Linux kernel flaw this month can lead to stolen SSH host keys

   Another day, another Linux bug. There is a patch out now. However, it's not available yet in most distros. Linux's latest kernel flaw doesn't have a fancy name; it's just called "ssh‑keysign‑pwn." It's the fourth high‑profile local security hole to hit Linux in just a few weeks.

   This one allows for SSH private key and /etc/shadow access by unprivileged users.

   May be time to investigate locking down kernel modules so only approved modules load.

   KnightLi Blog writeup: https://www.knightli.com/en/2026/05/17/ssh-keysign-pwn-cve-2026-46333/

4. ‘Claw Chain’ OpenClaw Flaws Allow Sandbox Escape, Backdoor Delivery

   Four vulnerabilities in the OpenClaw AI assistant can be chained together to plant backdoors on the underlying host, cybersecurity firm Cyera warns. The bugs, collectively known as Claw Chain, allow an attacker with code execution privileges inside the sandbox to control the agent runtime and abuse it to compromise the system.

   Double down on OpenClaw isolation, update to 2026.4.22

5. 201 arrests in first-of-its-kind cybercrime operation in MENA region

   A first-of-its-kind cybercrime operation in the MENA region has led to the arrest of 201 individuals, with a further 382 suspects identified.

   Thirteen countries from the Middle East and North Africa took part in Operation Ramz (October 2025 – 28 February 2026) which aimed to investigate and disrupt malicious infrastructure, identify and arrest suspects, and prevent future losses.

6. Grafana Labs admits all its codebase are belong to someone who popped its GitHub account

   Observability outfit Grafana Labs has revealed that an attacker accessed its GitHub repository and stole its codebase.

   In social media posts the company blamed the situation on an “unauthorized party” who was somehow able to obtain a token that offered access to its GitHub environment.

   The company thinks it has identified the source of the credential leak, and therefore “invalidated the compromised credentials and implemented additional security measures to further secure our environment against unauthorized access.”

   A cyber-extortion gang known as the "Coinbase Cartel" is taking claim for this attack. FBI guidance remains not to pay the demand as there is no guarantee you're going to get your data back, and further incentivises others to get into the Ransomware/Extortion game. In this case, as there is no customer data or personal information, only their code, the question becomes one of what IP is in that code and how does it need to be changed to negate it's release.

7. NYC Health and Hospitals says hackers stole medical data and fingerprints during breach affecting at least 1.8 million people

   NYC Health and Hospitals (NYCHHC) says a breach in which intruders had access to systems for months resulted in the theft of medical records and other personal information of at least 1.8 million individuals. The compromised data include health insurance plan and policy information, medical record numbers, diagnoses, medications, test results, images, treatment plans, biometric information (fingerprints and palm prints), billing, claims, and payment information, Social Security numbers, tax ID numbers, passports, driver’s licenses, payment card information, and other financial account information.

   This appears to be one of the largest breaches for 2026 so far. Looks like a third-party breach. That means it's time to make sure you've got ALL your third-party processors accounted for, that they are securely accessing, handling and processing your data as well as haveacceptable monitoring and incident response. Tripple check that they will notify you, and at what interval, when there is an issue with your data, or related security incident. Make sure that notification doesn't just go to your contract analyst; they are a valuable ally but are not in the incident response business so reliance on forwarding of notifications isn't ideal.

8. A hotel check-in system left a million passports and driver’s licenses open for anyone to see

   A misconfigured AWS bucket was exposing data from the Tabiq hotel check-in system. Security researcher Anurag Sen discovered the vulnerability in the Tabiq system that was leaking customer information because the bucket was set up as public. Sen contacted TechCrunch for help notifying Japanese tech company Reqrea, which maintains Tabiq. After TechCrunch reached out to Reqrea and Japan's JPCERT, Reqrea locked down the bucket in question, which had been leaking customers' passport and driver's license scans, as well as facial images.

   Looks like this has been a public bucket for six years or more. Recall that S3 buckets have a global namespace, so if you know the name of a bucket you can access it as long as the permissions allow it. It's a lot harder to make this mistake today, but maybe double check to see if any of your S3 buckets are public, pay close attention to older ones created before AWS implemented their latest controls. Even if a developer pinky swears the data really is public, it's not a bad idea to make sure that the data owner concurrs.

9. Known Exploited Vulnerabilities Catalog

   CISA adds Exchange CSS flaw (CVE-2026-42897) and Cisco Catalyst SD-WAN flaw (CVE-2026-20182) to KEV catalog, due 5/29 and 5/17 respectively.

   Make sure you're following Cisco SD-WAN hardening guidance. Do we really still need to host Exchange ourselves?

Sam Bowne

1. NYC Health + Hospitals says hackers stole medical data and fingerprints during breach affecting at least 1.8 million people

   The attackers got in due to a breach at a third-party vendor, which it did not name. the exposed data varies by individual and includes patients’ health insurance plan and policy information, medical information (e.g., diagnoses, medications, tests, and imagery), billing, claims, and payment information. Other government-issued identity documents, such as Social Security numbers, passports, and driver’s licenses, were also compromised.

   The breach notice also says “precise geolocation data” was taken in the breach, suggesting that the user-uploaded photos of their identity documents may have also contained the exact location of where the document was captured.

   The breach is particularly sensitive because hackers stole biometric information, including fingerprints and palm prints, which affected individuals have for life and cannot replace.

2. Sysadmin Creates ‘ModuleJail’ To Automatically Blacklist Unused Kernel Modules

   Many modern Linux privilege escalation bugs target obscure or rarely used kernel functionality that is still enabled by default on servers that do not actually need it.

3. Notable Researchers Join $4 Billion Effort to Build Self-Improving A.I.

   A.I. will soon be powerful enough to improve itself with little or no help from human developers.

4. Nearly 50,000 Lake Tahoe residents have to find a new power source after their energy source looks to redirect lines to data centers

   Short-term replacement power is likely available from elsewhere in the West—but they're not optimistic about what comes after.

5. Microsoft shares mitigation for YellowKey Windows zero-day

   To mitigate YellowKey attacks, Microsoft recommended removing the autofstx.exe entry from the Session Manager's BootExecute REGMULTISZ value, then reestablishing BitLocker trust for WinRE.