In today’s cybersecurity news…
‘Megalodon’ infects GitHub repositories
Researchers at SafeDep say a supply chain attack dubbed Megalodon infected more than 5,500 GitHub repositories after attackers pushed 5,718 malicious automated commits in a six-hour window on May 18th. The commits inserted GitHub Actions workflows that stole CI secrets including cloud credentials, SSH keys, API tokens, and database strings, while planting dormant backdoors that could be triggered later through GitHub’s API. The campaign surfaced after compromised versions of Tiledesk were published from a poisoned GitHub repository, adding to a growing wave of software supply chain attacks targeting developers. (SecurityWeek)
Netherlands seizes 800 servers over cyberattacks
Dutch authorities have arrested two men and seized more than 800 servers tied to hosting providers MIRhosting and WorkTitans BV, accusing both of helping provide infrastructure used by Russia-linked groups for cyberattacks, influence operations, and disinformation across the EU. The investigation centers on Stark Industries Solutions, a network previously linked to DDoS attacks and proxy services used in Russian cyber operations, whose infrastructure was allegedly transferred to the Dutch companies after earlier EU sanctions. (Krebs on Security)
Ghost CMS exploited for ClickFix attacks
Researchers at QiAnXin XLab say attackers are actively exploiting a critical Ghost CMS flaw to hijack more than 700 websites and inject malicious JavaScript tied to ClickFix attacks. The bug, discovered by Anthropic using Claude and patched in February, lets attackers steal a site’s admin API key and bulk-modify published articles with malware loaders. Victims visiting compromised sites are funneled to fake CAPTCHA pages that trick them into running malicious commands, ultimately installing persistent malware. (The Hacker News)
Nigel Farage’s hack claim called ‘without any merit’
Former UK cyber chief Ciaran Martin says Nigel Farage, Leader of Reform UK, has provided no evidence for his recent claim that Russia hacked him and leaked information behind a Guardian report on an undeclared £5 million donation from crypto billionaire Christopher Harborne. Martin called the allegation a serious national security claim “without any merit” unless backed by technical proof, and said Farage should report any evidence to the UK’s National Cyber Security Centre immediately. (The Guardian)
Fake streams, counterfeit merch, and scams, oh my!
According to the Bitdefender Cybersecurity Grand Prix Fan Threat Index, cybercriminals have built a broad scam ecosystem around Formula One, targeting fans with fake streaming apps, counterfeit merchandise, bogus ticket offers, and social media scams. The aim is to steal personal and payment data, spread malware, or monetize victims through ads and redirects, with some fake streaming tools even enrolling devices into botnets. Researchers say the pace and popularity of F1 make fans especially vulnerable. (Infosecurity Magazine)
Mythos-class models headed to the public
Anthropic says it plans to eventually release public versions of its Mythos bug-finding models once it can build stronger safeguards against misuse. For now, access remains limited under Project Glasswing, though it’s expanding to governments and some other partners. Anthropic says Mythos has scanned more than 1,000 open-source projects and found more than 6,200 high or critical severity vulnerabilities, including a major flaw in wolfSSL, but the volume of AI-generated findings is also adding strain to security teams. (The Register)
Lazarus deploys RemotePE memory-only RAT
Researchers at Fox-IT say the North Korea-linked Lazarus Group is using a stealthy memory-only remote access trojan called RemotePE in attacks on financial and cryptocurrency firms. It is delivered through social engineering on Telegram and fake scheduling sites, loads entirely in memory, evades endpoint detection, and leaves almost no forensic traces while giving attackers persistent access for surveillance, data theft, or potential financial heists. (The Hacker News)
Oncology Institute discloses breach
The Oncology Institute (TOI), which delivers specialized cancer care through a network of clinics across five US states, says a previously disclosed cybersecurity incident at a third-party software vendor exposed patient data across its systems. While the vendor wasn’t named, the timeline points to TriZetto Provider Solutions, which earlier reported a breach affecting multiple healthcare customers and about 3.4 million people. The full scope of the impact and who was behind the attack are still unclear. (SecurityWeek)






