The Lyceum: Cyber Intelligence Daily — May 20, 2026
Wednesday, May 20, 2026
The Big Picture
One threat actor — TeamPCP — has now compromised the platform that hosts almost everyone else's code. GitHub confirmed overnight that its own internal repositories were breached through a poisoned VS Code extension on an employee's machine, the same campaign that hit Grafana last week and may already be reaching into Microsoft's PyPI packages. The day's other big story — a max-severity, three-month-unpatched hole in ChromaDB that's currently exposed on roughly 73% of internet-facing AI deployments — would have led most weeks. This one, it's the undercard.
What Just Dropped
- CVE-2026-42897 — Microsoft Exchange Server (on-prem): added to CISA KEV, actively exploited via crafted emails, due date May 29. Operational maturity per KEV.
- CVE-2026-20182 — Cisco Catalyst SD-WAN Controller & Manager: authentication bypass, in KEV with a due date of May 17 (already past for federal agencies). Operational maturity.
- CVE-2026-45829 — ChromaDB (Python FastAPI server): no patch, no vendor response after three months of disclosure attempts, pre-auth RCE, ~73% of internet-exposed instances vulnerable per Shodan queries cited by HiddenLayer. No NVD score yet.
- CVE-2026-41179 — Rclone (1.48.0–1.73.4): unauthenticated operations/fsinfo RC endpoint lets attackers instantiate arbitrary backends. Fixed in 1.73.5. No NVD score yet.
- CVE-2026-41205 — Mako template library (Python): path traversal via TemplateLookup.get_template() when URI starts with //. Fixed in 1.3.11. No NVD score yet.
- CVE-2026-40175 — Axios HTTP client: prototype pollution gadget chain enables unsanitized header injection. Fixed in 1.15.0 and 0.3.1. No NVD score yet.
- Apache HertzBeat 1.8.0 RCE PoC — Working unauthenticated RCE proof-of-concept on Exploit-DB targeting the open-source monitoring platform. No patch confirmed.
Today's Stories
GitHub Confirms Its Own Internal Repos Were Breached via a Poisoned VS Code Extension
The platform that hosts the world's source code just had its own source code stolen. Read that sentence twice — that's the day.
GitHub confirmed overnight that unauthorized access to its internal repositories began with a malicious Visual Studio Code extension installed on an employee's machine. The company isolated the device, removed the extension, and rotated credentials starting with the highest-impact secrets. GitHub says the impact is limited to internal repositories — no public or customer-hosted code was touched — and that TeamPCP's claim of accessing approximately 3,800 repositories is "directionally consistent" with what investigators have found.
TeamPCP — formally tracked by Google's Threat Intelligence Group as UNC6780 — listed "GitHub's source code and internal orgs" for sale on the Breached forum, opening at $50,000, according to The Hacker News. The same group is behind last week's TanStack npm poisoning that compromised Grafana, and The Hacker News reports the group's "Mini Shai-Hulud" worm has now hit Microsoft's durabletask PyPI package (versions 1.4.1–1.4.3) — a Linux-only infostealer that spreads through AWS SSM and Kubernetes.
The vector here is the story. Internal repositories aren't customer data — they're blueprints: infrastructure configurations, deployment scripts, staging credentials, undocumented services, feature flag logic, the hooks that wire production together. If signing keys or Actions runner credentials were in that 3,800-repository haul, the blast radius extends to every downstream pipeline that trusts GitHub's infrastructure. The attack path — a trusted developer tool on a trusted developer's machine — is the exact seam that most enterprise security programs do not monitor.
Watch for GitHub's full incident report. The single most important detail will be the name of the extension. If it turns out to be Nx Console — which suffered its own credential-stealing compromise that The Hacker News reported on Monday, affecting an extension with 2.2 million installs — then every organization with a VS Code marketplace allowlist needs to audit, today, what their developers are running. If it's something else, the marketplace problem just got bigger.
Grafana Refused to Pay. Now We Know What That Costs.
To understand why GitHub got hit, you need to understand what happened to Grafana first — and why one missed automation token may be the most expensive oversight in software supply chain history.
Grafana Labs disclosed on Tuesday that its breach traced back to the TanStack npm supply chain attack that also hit OpenAI and Mistral AI. The company detected the activity on May 11, "performed analysis and quickly rotated a significant number of GitHub workflow tokens, but a missed token led to the attackers gaining access to our GitHub repositories." On May 16, attackers demanded a ransom. Grafana refused, citing the FBI's position that paying doesn't guarantee security and only funds the next attack. The full timeline is in Grafana's own postmortem.
The mechanics of TanStack are what should keep build engineers up at night. Per TanStack's postmortem, an attacker published 84 malicious versions across 42 packages in a six-minute window on May 11 by combining the pull_request_target "Pwn Request" pattern, GitHub Actions cache poisoning across the fork-to-base trust boundary, and runtime memory extraction of an OIDC token from the GitHub Actions runner process. An OIDC token is a short-lived cryptographic credential that proves identity — stealing it from runner memory is pickpocketing someone's keycard while they're using it.
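The three ingredients named in the postmortem summary can be looked for in your own workflows. This is an added example, not code from TanStack or GitHub: a heuristic text audit that flags a workflow only when pull_request_target is present and then reports which of the aggravating markers accompany it. The sample workflow is constructed, and the marker names are assumptions of this example.

```python
import re

# Constructed workflow for illustration; not taken from TanStack's repository.
RISKY = """\
on:
  pull_request_target:        # job runs in the base repository's context
permissions:
  id-token: write             # job may request an OIDC token
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # fork-controlled code
      - uses: actions/cache@v4
        with:
          path: node_modules
          key: deps-${{ hashFiles('package-lock.json') }}
      - run: npm ci && npm test
"""
SAFE = RISKY.replace("pull_request_target:", "pull_request:")

COMMENT = re.compile(r"(?m)(^|[ \t])#.*$")   # heuristic YAML comment stripper
TRIGGER = re.compile(r"\bpull_request_target\b")
CHECKS = [
    ("fork-ref-checkout",
     re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref")),
    ("cache-in-use", re.compile(r"uses:\s*actions/cache(/restore|/save)?@")),
    ("oidc-token-permission", re.compile(r"id-token:\s*write")),
]

def audit(workflow_text):
    """Return the risk markers found; empty list if the trigger is absent."""
    text = COMMENT.sub("", workflow_text)   # ignore mentions inside comments
    if not TRIGGER.search(text):
        return []
    return ["pull_request_target"] + [n for n, rx in CHECKS if rx.search(text)]

if __name__ == "__main__":
    for label, wf in (("risky", RISKY), ("safe", SAFE)):
        print(label, audit(wf))
```

A workflow that returns all four markers deserves manual review first; the check is textual, so it does not follow reusable workflows or composite actions.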
The packages passed SLSA provenance checks. They carried valid signed certificates. They looked legitimate to every security tool checking cryptographic proof of origin. The malicious packages had valid, signed supply chain certificates — the exact controls designed to prevent this.
If you pulled from npm between May 11 and 12, check for the persistence daemon at ~/Library/LaunchAgents/com.user.gh-token-monitor.plist on macOS or ~/.config/systemd/user/gh-token-monitor.service on Linux. Then audit lockfiles, scan .claude/ and .vscode/ directories for router_runtime.js or setup.mjs (these survive npm uninstall), and rotate everything from any affected machine, Orca Security recommends.
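The checks in the paragraph above can be run as one sweep. This is an added example, not Orca Security's or TanStack's tooling: it looks for the two persistence files under a home directory and for router_runtime.js or setup.mjs anywhere beneath a .claude/ or .vscode/ directory in the project roots you pass. Treating nested subdirectories of those folders as in scope is an assumption of this example.

```python
import os
import sys
from pathlib import Path

# Indicator paths as given in the text above, relative to the home directory.
PERSISTENCE = (
    "Library/LaunchAgents/com.user.gh-token-monitor.plist",  # macOS
    ".config/systemd/user/gh-token-monitor.service",         # Linux
)
DROP_DIRS = {".claude", ".vscode"}
DROP_FILES = {"router_runtime.js", "setup.mjs"}

def sweep(home, project_roots):
    """Return a sorted list of Paths that match the indicators."""
    home = Path(home)
    # lexists() also reports a dangling symlink left at the indicator path.
    hits = [home / rel for rel in PERSISTENCE if os.path.lexists(home / rel)]
    for root in map(Path, project_roots):
        # os.walk does not follow symlinked directories by default.
        for dirpath, _dirs, files in os.walk(root):
            here = Path(dirpath)
            parts = set(here.relative_to(root).parts) | {root.name}
            if DROP_DIRS & parts:
                hits += [here / f for f in files if f in DROP_FILES]
    return sorted(hits)

if __name__ == "__main__":
    roots = sys.argv[1:] or [Path.cwd()]
    found = sweep(Path.home(), roots)
    for path in found:
        print("FOUND", path)
    sys.exit(1 if found else 0)   # non-zero exit makes it usable in fleet checks
```

A clean result only covers the named artifacts; credential rotation for any machine that installed during the window still applies.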
Watch whether TeamPCP follows through on leaking Grafana's code, now that GitHub is also in the queue. If they do, it signals a shift from extortion to disruption — and the second wave will be every threat actor with a code review tool poring through internal infrastructure for new pivots.
Three Months. Max Severity. No Patch. ChromaDB's Disclosure Black Hole.
If your team is building AI applications, there's a good chance you're running ChromaDB. There's also roughly a 73% chance your deployment is exploitable right now by anyone with an internet connection.
CVE-2026-45829 is a maximum-severity flaw in the Python FastAPI version of the ChromaDB project — an open-source vector database used as the memory layer for retrieval-augmented generation in countless AI applications. It allows unauthenticated remote code execution. HiddenLayer's writeup, cited by BleepingComputer, traces the root cause to two compounding failures: the server trusts client-supplied model identifiers without restriction, and acts on that trust before authenticating the request. Either bug alone would be exploitable. Together, anyone who can send an HTTP request to a vulnerable instance gets a shell.
The disclosure story is worse than the bug. HiddenLayer says it tried to reach Chroma through multiple channels starting February 17 — three months ago — and received no response. Independent researcher Azraelxuemo reported the same flaw in November 2025 and got the same silence, SecurityWeek reports. Shodan queries cited by BleepingComputer show roughly 73% of internet-exposed Chroma instances are running a vulnerable version. The maintainers' implied workaround is to use the Rust frontend or not expose the Python server publicly — because there is no patch.
What changes if this gets weaponized: a single Shodan query becomes a kill list for AI infrastructure across the industry. The vector databases attackers compromise contain not just code but the embedded knowledge base of whatever the AI agent was built to know — customer documents, internal wikis, source code chunks indexed for code assistants.
A public exploit dropping before a patch is acknowledged is what failure looks like. The maintainer's three-month silence on a max-severity flaw is itself a signal — about how immature security disclosure practices are in the AI tooling ecosystem, and how that immaturity is now a structural liability for every company building on top of it.
Verizon's DBIR Just Flipped the Threat Model
For roughly a decade, the security industry has had a consensus answer to "where do breaches start?" — stolen credentials. That answer just changed.
Verizon's 2026 Data Breach Investigations Report, released Tuesday, finds that vulnerability exploitation has overtaken credential abuse as the leading breach vector. Exploits now account for 31% of initial access in breaches Verizon investigated, SecurityWeek reports. Verizon attributes the shift to AI accelerating exploit development, patching velocity falling further behind disclosure, and ransomware groups professionalizing their vulnerability research pipelines.
The Hacker News, citing GitGuardian CEO Eric Fourrier, frames the same shift through a different metric: "Time-to-Revoke." As zero-day exploitation collapses to hours, what matters isn't whether you detect — it's how long an exposed credential stays valid after discovery. The board-level question for 2026 is no longer "do you have MFA?" but "how fast can you kill a compromised token across every system that honors it?"
What this changes: a decade of security investment has gone into identity hygiene — MFA, conditional access, identity providers. That work is not wasted, but it's no longer the highest-leverage place to spend the marginal dollar. Patching velocity, exposure management, and credential revocation speed are. The Verizon data, the GitHub breach, the Grafana incident, and the ChromaDB silence all point at the same picture: the perimeter has moved from the login page to the build pipeline, and most defenders are still staffing the login page.
Watch whether enterprise security budgets shift in the next planning cycle. If they do, expect a wave of M&A in exposure management and CI/CD security tooling. If they don't, expect more of 2026 to look like today.
⚡ What Most People Missed
- Drupal is pushing core security updates today between 5–9 PM UTC: The advisory is embargoed until release, which means defenders and attackers find out at the same time. The Hacker News notes exploits could be developed within hours of disclosure. If you run Drupal — and millions of sites do — have your update pipeline staged before the lights go on this evening.
- Microsoft disrupted a malware-signing-as-a-service operation that abused its own Artifact Signing service: BleepingComputer reports the operation generated fraudulent code-signing certificates that ransomware gangs used to make their malware look legitimate. Microsoft hasn't said how many malicious binaries got signed before takedown — which is itself an answer.
- A public PoC for CVE-2026-31635 ("DirtyDecrypt") just dropped: Working exploit code is now circulating for this patched Linux kernel local-privilege-escalation flaw, affecting CONFIG_RXGK-enabled systems including Fedora, Arch Linux, and openSUSE Tumbleweed. The patch exists; the question is how many distros have actually pushed it.
- A new Shai-Hulud wave compromised over 600 npm packages: This is separate from the TanStack incident — BleepingComputer reports threat actors published more than 600 malicious packages to npm earlier Tuesday as part of a renewed supply chain campaign. The drumbeat of npm-as-attack-surface is now continuous, not episodic.
- A new local exploit for the Windows Snipping Tool that hijacks NTLMv2 authentication hashes landed on Exploit-DB this morning, with no CVE assignment or vendor advisory yet visible. NTLMv2 hash hijacking lets an attacker relay credentials to authenticate elsewhere on the network without ever cracking a password. The Snipping Tool is a signed Microsoft binary running in user context — exactly the kind of trusted process that bypasses application allowlisting.
From the Foreign Press
CERT-UA: UAC-0247 targeting hospitals, local government, and FPV drone operators in coordinated campaign
CERT-UA published a detailed advisory overnight on the cluster it tracks as UAC-0247 (also UAC-0244), describing a campaign that simultaneously targets Ukrainian hospitals, organs of local government, and operators of First-Person-View combat drones. The combination is unusual — and intentional. The advisory describes spearphishing with malicious LNK and JS files that abuse mshta.exe, powershell.exe, and wscript.exe, paired with backdoors that beacon via Telegram bot APIs. The Telegram-as-C2 detail is operationally significant: it forces defenders to shift from network-egress monitoring to process-initiation monitoring, because the destination IP looks legitimate. The targeting profile — medical infrastructure plus drone operators in the same operation — is consistent with Russian intelligence priorities, though CERT-UA has not made a formal attribution. Source: CERT-UA Advisory #6288271 — Ukrainian. No English-language coverage confirmed at time of publication.
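The shift from egress monitoring to process-initiation monitoring, as an added example that is not taken from the CERT-UA advisory: the same constructed connection records are run through a destination-only rule and a rule keyed on which process opened the connection. The record fields, host names and the alertbot.exe path are hypothetical; api.telegram.org is the Telegram Bot API hostname.

```python
# Constructed process network-connection records; field names are hypothetical.
EVENTS = [
    {"host": "ws-014", "image": r"C:\Windows\System32\mshta.exe",
     "dest": "api.telegram.org"},
    {"host": "ws-020", "image": r"C:\Tools\alertbot\alertbot.exe",
     "dest": "api.telegram.org"},       # an approved chat-ops bot
    {"host": "ws-022",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest": "packages.example.com"},   # script host, unrelated destination
    {"host": "ws-031", "image": r"C:\Windows\System32\WScript.exe",
     "dest": "API.Telegram.org."},      # mixed case, trailing dot
]

# Script hosts named in the advisory summary above.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe"}
TELEGRAM_API = "api.telegram.org"

def is_telegram(dest):
    """Normalise case and a trailing root dot before comparing hostnames."""
    return dest.rstrip(".").lower() == TELEGRAM_API

def egress_only(events):
    """Destination-based rule: an approved bot and a backdoor look identical."""
    return [e["host"] for e in events if is_telegram(e["dest"])]

def process_aware(events):
    """Flag only connections that a script host initiated."""
    hits = []
    for e in events:
        proc = e["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if proc in SCRIPT_HOSTS and is_telegram(e["dest"]):
            hits.append((e["host"], proc))
    return hits

if __name__ == "__main__":
    print("egress-only  :", egress_only(EVENTS))
    print("process-aware:", process_aware(EVENTS))
```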
Xakep: First confirmed exploitation of the 18-year-old NGINX heap overflow (CVE-2026-42945)
Russian-language security outlet Xakep reported overnight that the first real-world exploitation attempts of CVE-2026-42945 — the heap-based buffer overflow in NGINX's ngx_http_rewrite_module that has been sitting in the codebase since roughly 2008 — have been observed in the wild. Xakep does not name the targets but describes the activity as opportunistic scanning. NGINX runs roughly a third of the internet's busiest sites. If CISA adds this to the KEV catalog in the next 48 hours, it will confirm that mass exploitation has begun, and every NGINX deployment becomes a same-day patching priority. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
Xakep: Researcher claims Microsoft rejected a critical Azure Backup for AKS vulnerability report
Xakep also published a researcher's claim that Microsoft declined to act on a reported flaw in Azure Backup for Azure Kubernetes Service, which the researcher alleges could allow privilege escalation in AKS environments. No CVE has been assigned. This pattern — researcher disclosure followed by vendor silence followed by Russian-language coverage — is increasingly how vulnerabilities first surface publicly. The ChromaDB story today is the same pattern with three months more silence. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If GitHub's full incident report names a popular VS Code extension as the initial vector, every enterprise with a marketplace allowlist becomes an emergency patching project, and the IDE extension marketplace becomes the next regulated supply chain.
- If TeamPCP leaks Grafana's or GitHub's code rather than selling it, the group has shifted from financial motive to disruption motive — and that changes how every supply chain victim should price the choice to refuse ransom.
- If CVE-2026-45829 (ChromaDB) gets a public exploit before a patch, the breach surface isn't AI applications — it's the corporate knowledge bases those applications were built to remember.
- If CISA adds NGINX CVE-2026-42945 to the KEV catalog this week, mass exploitation of an 18-year-old bug is confirmed, and the next month of incident response will be dominated by web-server-as-initial-access cases.
- If tonight's Drupal patch turns out to be a pre-auth RCE in core, expect a 24-hour window between disclosure and weaponized scanning — the embargoed-until-release model only works if defenders are faster than attackers, and recent history suggests they aren't.
The Closer
GitHub is being held hostage with its own keys, an AI database that 73% of the internet runs on has been bleeding out for three months while its maintainers don't pick up the phone, and the Windows Snipping Tool — the Snipping Tool — is now apparently a credential harvester. Verizon spent twelve months counting breaches to discover that exploits beat stolen passwords; TeamPCP spent twelve minutes proving it by publishing 84 malicious packages with valid cryptographic signatures, and somewhere a CISO is staring at a Shodan query and a coffee that's gone cold.
Stay patched, stay paranoid, stay off the Breached forum.
Forward this to the engineer who installs every VS Code extension that promises to make their life easier — they need it more than they know.