Supply Chain/Breaches/NHI: GitHub Extension, Grafana npm, Iranian APTs, Glassworm
Key Questions
How was GitHub breached via a poisoned VS Code extension?
Attackers associated with TeamPCP used a malicious extension to gain access to thousands of internal repositories. The supply-chain attack affected around 3,800 repos before detection.
What new Iranian APT activity was observed in 2026?
Screening Serpens used DLL sideloading and MiniJunk malware for espionage. The group targeted entities with refined tactics similar to other Iranian actors.
Which China-linked groups expanded operations recently?
Webworm APT evolved tactics and expanded to European targets, while Red Lamassu (Calypso APT) deployed Showboat malware against telecoms and governments. Cloud Atlas also refined SSH tunnel techniques.
What are the main risks with non-human identities (NHI) in cloud environments?
Orchid highlighted gaps in NHI management that attackers exploit for persistence. Okta is advancing agentic IAM to address identity-based attack paths in CI/CD and cloud setups.
How are supply-chain worms targeting CI/CD pipelines?
Attackers abuse stolen CI/CD tokens and automated publishing to harvest credentials and spread malware. Tools for malware detection in CI/CD are increasingly recommended to counter these threats.
What identity attack paths are commonly exploited?
Cached credentials on Windows machines and weak identity controls allow lateral movement. Reports emphasize mapping these paths to prevent escalation from initial access.
What recent data breaches involved vendor or imaging data?
Lumexa Imaging reported exposure of patient records including SSNs, while Oracle Health faced a separate incident under investigation. These highlight ongoing third-party risks.
How does shift-left security help mitigate supply-chain threats?
Integrating security earlier in cloud-native development using containers and Kubernetes reduces exposure. Combined with CI/CD scanning, it addresses worms and poisoned artifacts proactively.
GitHub poisoned VS Code extension (~3,800 repos); Grafana npm supply-chain breach; Iranian APTs targeting aviation and oil-and-gas sectors via fake job lures (Unit 42); Glassworm Unicode malware found in 151+ repositories. New: Trivy CI/CD compromise. Status: developing.