Canadian Cyber Security Journal
Filed under: News

Cybersecurity Daily Brief — Wednesday, May 20, 2026

Here are today’s top cybersecurity stories for Wednesday, May 20, 2026.

TeamPCP Breaches GitHub’s Internal Repositories via Poisoned VS Code Extension
GitHub confirmed that roughly 3,800 internal repositories were exfiltrated after an employee installed a malicious version of the Nx Console VS Code extension (nrwl.angular-console v18.95.0). The threat group TeamPCP claimed responsibility and is offering the stolen source code for sale at $50,000 on cybercrime forums. GitHub says it has found no evidence that customer data was exposed beyond its internal repositories, though the investigation remains ongoing. BleepingComputer

BeyondTrust CVE-2026-1731 Now Exploited in Ransomware Attacks — Canada Among Targeted Countries
CISA has updated its Known Exploited Vulnerabilities catalog entry for CVE-2026-1731, a CVSS 9.9 pre-authentication RCE affecting BeyondTrust Remote Support and Privileged Remote Access, to confirm its use in ransomware campaigns. Targeted sectors include financial services, healthcare, higher education, and legal services across the US, Canada, Australia, Germany, and France. The Canadian Centre for Cyber Security previously issued advisory AL26-003 on this flaw. SecurityWeek

Drupal Patches Highly Critical SQL Injection Flaw CVE-2026-9082 — Exploits Expected Within Hours
Drupal released emergency security updates across all supported branches (11.3, 11.2, 10.6, 10.5) on May 20 to address CVE-2026-9082, a highly critical SQL injection flaw in the core database abstraction API. The vulnerability affects PostgreSQL-backed sites and is exploitable by anonymous, unauthenticated users, with potential for information disclosure, privilege escalation, and remote code execution. The Drupal Security Team warned that exploits typically appear within hours or days of a release. Drupal Security Advisory

Nx Console VS Code Extension Compromised to Steal Developer and Cloud Secrets
The supply chain attack behind the GitHub breach involved a compromised version of the Nx Console extension, which has over 2.2 million installations. The malicious payload harvested tokens from GitHub, npm, AWS, HashiCorp Vault, Kubernetes, and 1Password, exfiltrating data over HTTPS, the GitHub API, and DNS tunneling. The malicious version was live for approximately 11 minutes before removal. Developers who had version 18.95.0 installed should treat their systems as compromised and rotate every GitHub, npm, AWS, Vault, Kubernetes and 1Password credential that was present on them. The Hacker News
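A quick way to find the build named above on a developer workstation, as an added example (not code from GitHub, Nx or the reporting outlet): it reads the package.json of every extension under the usual VS Code extension folders and flags publisher nrwl, name angular-console, version 18.95.0, the identifiers given in the brief. The default folder paths and the sample extension tree are assumptions, constructed so the script runs offline.

```python
"""Scan VS Code extension folders for the compromised Nx Console build (added example)."""
import json
import sys
import tempfile
from pathlib import Path

# Publisher/name and version reported as malicious in the brief.
BAD_EXTENSION = ("nrwl", "angular-console")
BAD_VERSIONS = {"18.95.0"}


def default_dirs():
    """Conventional per-user extension folders (assumed; adjust for portable installs)."""
    home = Path.home()
    return [
        home / ".vscode" / "extensions",
        home / ".vscode-insiders" / "extensions",
        home / ".vscode-server" / "extensions",   # Remote-SSH / WSL server side
    ]


def read_manifest(ext_dir: Path):
    """Return (publisher, name, version) from an extension's package.json, or None."""
    try:
        data = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None
    pub = str(data.get("publisher", "")).lower()
    name = str(data.get("name", "")).lower()
    ver = str(data.get("version", ""))
    if not (pub and name and ver):
        return None
    return pub, name, ver


def scan_dirs(dirs):
    """Return [(path, version, is_malicious)] for every Nx Console install found."""
    hits = []
    for base in dirs:
        if not base.is_dir():
            continue
        for ext_dir in sorted(base.iterdir()):
            if not ext_dir.is_dir():          # skips extensions.json, .obsolete, etc.
                continue
            info = read_manifest(ext_dir)
            if info is None:
                continue
            pub, name, ver = info
            if (pub, name) == BAD_EXTENSION:
                hits.append((str(ext_dir), ver, ver in BAD_VERSIONS))
    return hits


def build_sample_tree():
    """Constructed fixture: a fake extensions folder with one flagged and two clean installs."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "nrwl.angular-console-18.95.0": ("nrwl", "angular-console", "18.95.0"),
        "nrwl.angular-console-18.90.0": ("nrwl", "angular-console", "18.90.0"),  # constructed, unflagged version
        "ms-python.python-2026.4.0": ("ms-python", "python", "2026.4.0"),
    }
    for folder, (pub, name, ver) in samples.items():
        d = root / folder
        d.mkdir()
        (d / "package.json").write_text(json.dumps({"publisher": pub, "name": name, "version": ver}))
    (root / "extensions.json").write_text("[]")   # VS Code's index file; a file, so skipped
    return root


if __name__ == "__main__":
    dirs = [Path(p) for p in sys.argv[1:]] or default_dirs()
    for path, ver, bad in scan_dirs(dirs):
        print(f"{'MALICIOUS' if bad else 'ok       '} {path} (v{ver})")
```

Run it with no arguments to scan the default folders, or pass one or more extension directories. A hit on the flagged version means the host falls under the "treat as compromised" guidance above. A clean result only describes what is installed now: VS Code auto-updates extensions and deletes removed ones, so a workstation that had 18.95.0 for a short time may show nothing today.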

Burst Statistics WordPress Plugin CVE-2026-8181 Under Active Attack — 200,000 Sites at Risk
Hackers are actively exploiting CVE-2026-8181, an authentication bypass flaw in the Burst Statistics WordPress analytics plugin, to gain admin-level access to affected sites. Wordfence reports blocking over 7,400 attacks targeting this flaw in a single 24-hour period. The flaw was introduced in version 3.4.0 and patched in version 3.4.2 on May 12. Site administrators still running older versions face full compromise. BleepingComputer
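For site administrators who manage Drupal or WordPress hosts in bulk, the same question applies to the Burst Statistics item: is the installed version in the affected range? The following added example (not Wordfence's or the plugin's code) reads the plugin header the way WordPress does, from the first 8 KiB of the top-level PHP file that carries a "Plugin Name:" line, and checks the version against the range the brief gives: introduced in 3.4.0, fixed in 3.4.2. The plugin directory name burst-statistics, the main file name in the fixture and the sample install tree are assumptions, constructed so the script runs offline.

```python
"""Check a WordPress install for a Burst Statistics build in the CVE-2026-8181 range (added example)."""
import re
import sys
import tempfile
from pathlib import Path

PLUGIN_SLUG = "burst-statistics"   # assumed directory name under wp-content/plugins
FIRST_VULNERABLE = (3, 4, 0)       # flaw introduced here (from the brief)
FIRST_FIXED = (3, 4, 2)            # patched here (from the brief)

# Header lines look like " * Version: 3.4.1" inside the main file's docblock.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.M | re.I)


def parse_version(text):
    """'3.4.1' -> (3, 4, 1); '3.4' -> (3, 4, 0); trailing tags like '-beta' are ignored."""
    nums = []
    for part in text.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_vulnerable(version_str):
    """True when FIRST_VULNERABLE <= version < FIRST_FIXED."""
    return FIRST_VULNERABLE <= parse_version(version_str) < FIRST_FIXED


def plugin_header(plugin_dir: Path):
    """Return the header fields of the plugin's main file, or None if not installed."""
    for php in sorted(plugin_dir.glob("*.php")):
        try:
            head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        except OSError:
            continue
        fields = {k.title(): v for k, v in HEADER_RE.findall(head)}
        if "Plugin Name" in fields:      # WordPress treats this file as the main plugin file
            return fields
    return None


def check_install(wp_root: Path):
    """Return (version, vulnerable) for the plugin, or None if it is not installed."""
    hdr = plugin_header(wp_root / "wp-content" / "plugins" / PLUGIN_SLUG)
    if hdr is None or "Version" not in hdr:
        return None
    return hdr["Version"], is_vulnerable(hdr["Version"])


def build_sample_install(version):
    """Constructed fixture: a minimal WordPress tree; version=None leaves the plugin out."""
    root = Path(tempfile.mkdtemp())
    if version is None:
        return root
    pdir = root / "wp-content" / "plugins" / PLUGIN_SLUG
    pdir.mkdir(parents=True)
    (pdir / "helpers.php").write_text("<?php\n// no plugin header in this file\n")
    (pdir / "burst.php").write_text(      # main file name is assumed for the fixture
        "<?php\n/**\n * Plugin Name: Burst Statistics\n"
        f" * Version: {version}\n * Requires PHP: 7.4\n */\n"
    )
    return root


if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_install("3.4.1")
    result = check_install(root)
    if result is None:
        print("Burst Statistics not found")
    else:
        ver, bad = result
        print(f"Burst Statistics {ver}: "
              f"{'VULNERABLE, update to 3.4.2 or later' if bad else 'not in affected range'}")
```

Pass the WordPress document root as the only argument; without one it runs against the constructed fixture. The header parse is deliberately loose because plugin authors vary the comment prefix, and the range check uses numeric tuples rather than string comparison so that a version such as 3.4.10 would not be mistaken for an old build.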

Verizon 2026 DBIR: Vulnerability Exploitation Overtakes Credential Theft as Top Breach Vector
The Verizon 2026 Data Breach Investigations Report found that vulnerability exploitation now accounts for 31 percent of all breach entry points — the first time in 19 years it has surpassed stolen credentials. Only 26 percent of CISA KEV-listed vulnerabilities were fully remediated in 2025, down from 38 percent the prior year. AI-accelerated exploit development is shrinking the window between disclosure and active attack from months to hours. SecurityWeek

CISA Adds ASUS Live Update Backdoor CVE-2025-59374 to KEV Catalog
CISA added CVE-2025-59374, an embedded malicious code vulnerability in ASUS Live Update originally introduced via the 2018 Operation ShadowHammer supply chain attack, to its Known Exploited Vulnerabilities catalog. The utility is end-of-life and no longer receives patches, so CISA advises organizations to discontinue use entirely. Federal agencies have three weeks to confirm they have removed the software from their environments. SecurityWeek

Windows Zero-Click Flaw CVE-2026-32202 Added to CISA KEV — APT28 Linked to Exploitation
CISA added CVE-2026-32202, an authentication coercion vulnerability arising from an incomplete Microsoft patch, to its Known Exploited Vulnerabilities catalog. The flaw allows zero-click credential theft via auto-parsed LNK files and has been linked to APT28 attacks targeting Ukraine and EU countries. Microsoft released a fix in the April 2026 Patch Tuesday cycle, and the CISA remediation deadline for federal agencies has already passed. SecurityWeek

OpenAI Widens Access to GPT-5.4-Cyber Cybersecurity Model After Anthropic Mythos Reveal
OpenAI announced it is scaling its Trusted Access for Cyber program to thousands of verified defenders and hundreds of security teams, granting access to GPT-5.4-Cyber — a fine-tuned variant with relaxed guardrails for legitimate offensive security research and vulnerability analysis. The announcement followed Anthropic’s disclosure of its Claude Mythos model aimed at the same professional defender market. SecurityWeek

Drupal CVE-2026-9082 Exploited in Drive-By Attacks Within Hours of Patch Release
Bitdefender reported that threat actors began drive-by exploitation attempts against Drupal sites vulnerable to CVE-2026-9082 within hours of the May 20 release. PostgreSQL-backed Drupal sites that were not updated during the scheduled release window now face active scanning and automated attack attempts. Administrators should verify patch status immediately across all managed Drupal installations. Bitdefender

Stay tuned for today’s in-depth analysis posts.
