In today’s cybersecurity news…
Microsoft disrupts malware-signing-as-a-service
According to unsealed court documents, Microsoft said it took down Fox Tempest, a malware code-signing service in operation since May 2025. Fox Tempest was used by several prominent ransomware groups, including Rhysida, INC, Qilin, and Akira, for attacks across the U.S., China, France, and India. They abused Microsoft’s Artifact Signing to issue short-lived certificates that allowed malware to evade typical Windows defenses. The takedown saw Fox Tempest’s website seized, hundreds of virtual machines taken offline, and over 1,000 certificates revoked.
Critical flaw found in industrial robot OS
The Danish company Universal Robots released a patch for a critical command injection vulnerability in its PolyScope 5 operating system. The flaw could allow an unauthorized user with network access to perform remote code execution on robotics controllers. Exploitation would require that the robot’s Dashboard Server be directly accessible over the internet, or that an attacker have access to an Ethernet port on a control box. Generally, these industrial robots run on flat, unsegmented networks, which could make it significantly easier to access the vulnerable dashboards.
CISA admin leaks keys
Security reporter Brian Krebs was contacted by researchers at GitGuardian, warning that a GitHub repository exposed credentials for several AWS GovCloud accounts. GitGuardian routinely scans for exposed secrets and notifies account holders. In this case, the owner didn’t respond to their notification. The GitHub repository was named “Private-CISA” and contained cloud keys, tokens, passwords in plaintext, and other sensitive CISA and DHS assets. The account owner had also disabled a default GitHub feature that is meant to prevent sharing secrets. While the repo was eventually set to private, researchers at Seralys confirmed the credentials were working up to 48 hours later. CISA said it was aware of the exposed assets but said there was “no indication that any sensitive data was compromised.”
Urgent patch announced for Drupal core
The Drupal Security Team issued a PSA about an upcoming urgent patch, scheduled for release on May 20th. This patch only impacts Drupal core, not Drupal CMS. Drupal Steward customers are advised to install the patch too. The PSA urged users to install the patch quickly after release, saying that “exploits might be developed within hours or days.” The flaw applies to those using “uncommon module configurations,” but the PSA says it is easy to leverage, doesn’t require elevated privileges, and could expose non-public data. Drupal will release patches for all impacted versions, including out-of-support versions 8.9 and 9.5.
Ethereum looking at AI-assisted “formal verification”
Everyone is trying to deal with the increase in AI-assisted cyberattacks; cryptocurrency is no different. In a blog post this week, Ethereum co-founder Vitalik Buterin said AI has advanced the possibilities of using “formal verification” to better secure blockchain networks against software flaws. In the most general sense, verification uses mathematical proofs to ensure that software operates correctly. Buterin said this approach “is particularly well-suited for situations where the goal is much simpler than the implementation,” but cautioned that it was not “a panacea.”
(Decrypt)
Patching errors in restricted Windows networks
In a service alert, Microsoft said that customers in restricted network environments may see Windows Update failures after installing the January 2026 optional non-security preview update (catchy name, guys). This would apply to isolated or air-gapped systems. The issue stems from a change in Windows download timeout requirements. Microsoft is working on a fix, but has released a set of group policies in its Known Issue Rollback feature for IT admins to use as a workaround.
Google wants people to remember CodeMender
At its I/O conference, Google announced it’s making its CodeMender tool available to select groups of experts. Google initially announced CodeMender, an AI agent similar to Anthropic’s Mythos that can debug and fix software vulnerabilities, in October 2025. At the initial announcement, Google said it was taking “a cautious approach, focusing on reliability” with CodeMender, with all patches reviewed by human researchers. Google DeepMind CTO Koray Kavukcuoglu confirmed they have been in discussions with governments and enterprises to audit systems with CodeMender.
Abuse of Microsoft HTML Applications on the rise
Microsoft HTML Application (MSHTA) was first released in 1999 as part of Internet Explorer 5.0. Windows 11 continues to support these through Edge’s IE mode. While legitimate use of MSHTA has fallen over its more than quarter-century of life, researchers at BitDefender warn abuse is on the rise. That’s because an HTML application file can be manipulated to run VBScript in memory, where it’s harder to see malicious activity. BitDefender saw this used to deliver Lumma, Amatera, ClipBanker, and PurpleFox malware, usually paired with phishing campaigns.






