End-of-Day report
Timeframe: Tuesday 19-05-2026 18:00 - Wednesday 20-05-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
News
Data theft: Hackers claim to have plundered 4,000 private GitHub repos
The cybergang TeamPCP is putting pressure on GitHub. It claims to have obtained data from thousands of private code repos and is now offering it for sale.
https://www.golem.de/news/datenklau-hacker-wollen-4-000-private-github-repos-gepluendert-haben-2605-208851.html
Microsoft shares mitigation for YellowKey Windows zero-day
Microsoft has shared mitigations for YellowKey, a recently disclosed Windows BitLocker zero-day vulnerability that grants access to protected drives.
https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-mitigation-for-yellowkey-windows-zero-day/
Stealer Spoofs Google, Microsoft & Apple, Then Backdoors macOS
The SHub Reaper stealer, which hides behind fake WeChat and Miro installers, marks a shift from ClickFix social engineering to Apple script-based execution.
https://www.darkreading.com/threat-intelligence/stealer-spoofs-google-microsoft-apple-backdoors-macos
How an image could compromise your Mac: understanding an ExifTool vulnerability (CVE-2026-3102)
We explain how a flaw in ExifTool allows attackers to compromise macOS systems via a malicious image (CVE-2026-3102).
https://securelist.com/exiftool-compromise-mac/119866/
Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps
Cybersecurity researchers have disclosed details of a new ad fraud and malvertising operation dubbed Trapdoor targeting Android device users. The activity, per HUMAN's Satori Threat Intelligence and Research Team, encompassed 455 malicious Android apps and 183 threat-actor-owned command-and-control (C2) domains, turning the infrastructure into a pipeline for multi-stage fraud.
https://thehackernews.com/2026/05/trapdoor-android-ad-fraud-scheme-hit.html
Microsoft shuts down illegal code-signing operation used by ransomware crims to mask their malware
Thousands of US victims, including 12+ machines owned and operated by Redmond.
https://www.theregister.com/security/2026/05/19/microsoft-disrupts-alleged-malware-signing-operation-used-by-ransomware-gangs/5243013
New phishing scheme: refund after a "mistake" by booking.com used as bait
Criminals send messages via WhatsApp in which they pose as a hotel's guest service and promise a refund. Allegedly, an incorrect amount was debited due to a technical error at booking.com. Particularly problematic: the key details match a real booking! Anyone who follows the trap that has been set hands their online-banking login details to the perpetrators.
https://www.watchlist-internet.at/news/phishing-gutschrift-booking/
Tracking TamperedChef Clusters via Certificate and Code Reuse
Unit 42 analyzes TamperedChef malware clusters that use trojanized productivity apps and malvertising to deliver stealthy payloads to targets.
https://unit42.paloaltonetworks.com/tracking-tampered-chef-clusters/
Huawei zero-day attack behind last year's crash of Luxembourg's entire telecoms network
There is no evidence that the incident has recurred, but the flaw remains unexplained and has not been publicly acknowledged by the company.
https://therecord.media/huawei-zero-day-behind-last-year-luxembourg-telecom-outage
How OLTs may have exposed entire ISP networks
This is the fifteenth article I have written over the past three years at Quarkslab, and without a doubt, it has been the most thrilling and fun to put together. The hidden world of ISP (Internet Service Provider) network security might sound complex, but what I am about to reveal could shake up how you see network defenses. In this post, I dive deep into how vulnerabilities in critical devices can lead to the complete takeover of service provider networks.
http://blog.quarkslab.com/how-olts-may-have-exposed-entire-isp-networks.html
durabletask: TeamPCP's Latest PyPI Compromise
Discover the latest on malicious versions of the PyPI package durabletask, matching TeamPCP tactics.
https://www.wiz.io/blog/durabletask-teampcp-supply-chain-attack
Popular Go Decimal Library Targeted by Long-Running Typosquat with DNS Backdoor
Socket's Threat Research Team identified a malicious Go module published as github.com/shopsprint/decimal, a typosquat of the widely used github.com/shopspring/decimal arbitrary-precision arithmetic library. The typosquatted module has been present in the Go ecosystem since 2017-11-08 and was weaponized on 2023-08-19 when version v1.3.3 added a malicious init() function that opens a DNS TXT record command-and-control channel to a threat-actor-controlled subdomain on a free dynamic DNS provider.
https://socket.dev/blog/popular-go-decimal-library-typosquat-dns-backdoor?utm_medium=feed
Vulnerabilities
Max-severity flaw in ChromaDB for AI apps allows server hijacking
A max-severity vulnerability in the latest Python FastAPI version of the ChromaDB project allows unauthenticated attackers to run arbitrary code on exposed servers.
https://www.bleepingcomputer.com/news/security/max-severity-flaw-in-chromadb-for-ai-apps-allows-server-hijacking/
Node.js: Four critical maximum-severity vulnerabilities closed in vm2
Attackers can once again break out of the Node.js sandbox vm2 and execute malicious code on the host system. Security updates remedy this.
https://www.heise.de/news/Node-js-Vier-kritische-Sicherheitsluecken-mit-Hoechstwertung-in-vm2-geschlossen-11300256.html
Hundreds of malicious npm packages discovered in the AntV ecosystem
In a new Mini-Shai-Hulud supply-chain attack, threat actors distributed more than 600 malicious versions of npm packages on 19 May. The main target of the attack was the AntV data-visualisation ecosystem. The infected versions have since been removed.
https://heise.de/-11300242
LWN Security updates for Wednesday
https://lwn.net/Articles/1073713/
MISP 2.5.38 - UI and security update
https://github.com/MISP/MISP/releases/tag/v2.5.38