InfoSec.Watch - Issue #139

CISA contractor leak turns secret handling into the week’s clearest failure mode

KrebsOnSecurity reported that a CISA contractor maintained a public GitHub repository exposing highly privileged AWS GovCloud credentials and internal CISA system details. GitGuardian separately described finding an 844 MB repository named Private-CISA and getting it taken down after escalation. A follow-up Krebs report said lawmakers are demanding answers while CISA works to contain the exposure.

Sources: KrebsOnSecurity · GitGuardian · Krebs follow-up

💡 Key Takeaway: Cloud credentials are production access, not documentation artifacts. Require secret scanning on all repos, rotate credentials found in Git history, and verify that contractor environments follow the same controls as internal engineering teams.

Developer tooling became a direct path into high-trust code environments

GitHub said it detected and contained a compromise of an employee device involving a poisoned VS Code extension, with reporting describing exfiltration of internal repositories. Grafana separately said attackers downloaded its codebase after a TanStack npm supply-chain incident. Together, the incidents point to developer endpoints, extensions, package managers, and tokens as one connected attack surface.

Sources: GitHub · The Hacker News · Grafana

💡 Key Takeaway: Treat developer workstations as privileged systems. Restrict extension installation, enforce package provenance checks, rotate tokens after supply-chain incidents, and monitor CI/CD environments for unexpected secret access.

First VPN takedown disrupted infrastructure used by ransomware actors

Europol said a global operation dismantled First VPN, a service used by cybercriminals to conceal ransomware attacks, data theft, scanning, and other serious offenses. The disruption was coordinated with multiple countries and targeted infrastructure that helped criminal actors hide their origin.

Source: Europol

💡 Key Takeaway: Ransomware defense is also an infrastructure-intelligence problem. Track known bulletproof VPNs, suspicious hosting providers, and anonymization services in authentication logs, EDR telemetry, and incident scoping.

Drupal Core SQL injection flaw moved quickly from patch to high-priority remediation

Drupal disclosed SA-CORE-2026-004 for CVE-2026-9082, a highly critical SQL injection vulnerability affecting PostgreSQL-backed Drupal sites through the database abstraction API. Drupal says the flaw can be exploited by anonymous users and may lead to information disclosure, privilege escalation, remote code execution, or other attacks.

Source: Drupal

💡 Key Takeaway: Patch Drupal immediately, especially PostgreSQL-backed deployments. Confirm version coverage, review WAF logs for crafted database abstraction API requests, and prioritize public-facing sites first.

Microsoft Defender zero-days show security tooling can become part of the attack chain

Microsoft rolled out fixes for CVE-2026-41091 and CVE-2026-45498, affecting the Microsoft Malware Protection Engine and Defender Antimalware Platform. BleepingComputer and Help Net Security reported that both flaws were exploited in the wild and added to CISA’s Known Exploited Vulnerabilities catalog.

Sources: BleepingComputer · Help Net Security

💡 Key Takeaway: Do not assume automatic Defender updates completed successfully. Verify engine and platform versions across endpoints, servers, and legacy System Center Endpoint Protection deployments.

TrendAI patched an exploited Apex One flaw affecting on-prem deployments

TrendAI patched CVE-2026-34926, an Apex One directory traversal issue that can be abused to modify a key table on the server and inject malicious code for deployment to agents. TrendAI says exploitation requires access to the Apex One server and previously obtained administrative credentials, but it has observed at least one exploitation attempt in the wild.

Sources: TrendAI · SecurityWeek

💡 Key Takeaway: Patch on-prem Apex One servers and review administrative access paths. Since exploitation requires meaningful server access, investigate suspicious admin logins, remote-access paths, and agent deployment changes.

Trusted systems are now the attacker’s favorite shortcut

The pattern across this week is not random. Credentials, developer extensions, package managers, endpoint protection engines, CMS platforms, observability codebases, and criminal VPN infrastructure all represent leverage points. Attackers are focusing on places where trust is already granted and where one compromise can cascade into many downstream systems.

💡 Key Takeaway: Build a high-trust systems list that includes developer endpoints, CI/CD, secrets stores, cloud admin paths, security consoles, and externally exposed platforms. Review ownership, logging, emergency patch paths, and token-rotation procedures weekly.

Cisco patched a maximum-severity Secure Workload API flaw — Cisco disclosed CVE-2026-20223, a Secure Workload internal REST API access-validation issue that could let an unauthenticated remote attacker access sensitive data or perform administrative actions.

Source: Cisco

💡 Key Takeaway: Identify Secure Workload ownership and patch on-prem deployments. SaaS fixes do not remove the need to validate your tenant, logs, and emergency contacts.

Microsoft disrupted Fox Tempest’s malware-signing-as-a-service operation — Microsoft said Fox Tempest used fraudulent accounts and abused code-signing workflows to make malware appear legitimate, enabling customers to distribute signed malicious files through fake downloads and ads.

Source: Microsoft

💡 Key Takeaway: Add certificate reputation, unexpected signer checks, and signed-binary execution review to malware triage. Signed does not mean safe.

Megalodon campaign injected malicious GitHub Actions workflows at scale — StepSecurity reported that Megalodon pushed malicious workflow commits into more than 5,500 public GitHub repositories in roughly six hours, targeting CI secrets, cloud credentials, SSH keys, OIDC tokens, and source-code secrets.

Source: StepSecurity

💡 Key Takeaway: Audit recent workflow-file changes, restrict who can modify CI/CD definitions, and alert on new outbound connections from runners.

Ghostwriter used Prometheus-themed lures against Ukrainian government entities — The Hacker News reported that the Belarus-aligned Ghostwriter actor used phishing emails with Prometheus-themed lures and compromised accounts to target Ukrainian government organizations.

Source: The Hacker News

💡 Key Takeaway: Treat trusted-account phishing as a control gap. Add attachment detonation, link rewriting, and alerting for unusual sending behavior from legitimate accounts.

Run a Secrets and Developer Tooling Exposure Review

Open a short, time-boxed review across engineering, security, and infrastructure teams.

Action: Identify where secrets, tokens, developer extensions, package managers, CI/CD workflows, and security-console credentials can create downstream compromise.

Check these specifically:

• Public and private repositories for secrets in current files and Git history
• Developer extension allowlists and approval ownership
• CI/CD workflow-file change permissions
• OIDC token issuance and runner egress
• Rotation plans for cloud keys, package tokens, signing credentials, and security-tool admin accounts

Evidence you’re done: A reviewed list of exposed secrets and high-trust developer tooling paths, with owners, rotation status, logging source, and next action date.

💡 Key Takeaway: The goal is not perfect inventory. The goal is to know which trusted development and security systems could turn one compromised token into broad operational access.