
Defenders Under Siege: GitHub Breach, Drupal SQLi, Defender Zero-Days Strike
Today’s report combines six incident themes: a Drupal core SQL injection, a GitHub internal repository breach tied to a malicious VS Code extension, the TanStack supply chain compromise, Microsoft Defender zero day exploitation, YellowKey BitLocker bypass activity, PinTheft Linux privilege escalation, and an ongoing SonicWall VPN MFA bypass. The common pattern is abuse of trusted infrastructure layers rather than classic malware delivery.
CVSS Score: 6.8
IOC Count: 0
Source Count: 22
Confidence Score: 85
CVEs: CVE-2026-9082, CVE-2026-45585, CVE-2024-12802
Threat actors: TeamPCP (confirmed, medium confidence), Nightmare Eclipse (confirmed, context-limited), Under Attribution (SonicWall ransomware operator), Under Attribution (Drupal CVE-2026-9082 exploitation activity)
Sectors: Technology, Software Development, Web CMS and Digital Experience, Enterprise IT, Public Sector, Government, Financial Services, Linux Server Operators and Hosting Providers, Healthcare
Geography: Global
Chapter 01 - Executive Overview
Five incidents define today’s risk picture.
GitHub confirmed a breach of roughly 3,800 internal repositories after a malicious VS Code extension was installed on an employee device. That same compromise chain is tied to the TanStack npm supply chain attack, where TeamPCP used stolen OIDC credentials to publish malicious package versions.
Drupal disclosed CVE-2026-9082, a highly critical SQL injection in the core Database API affecting PostgreSQL backed deployments. The advisory required emergency patching and is relevant to public facing CMS environments.
Microsoft reported and patched Windows Defender zero days on 21 May 2026 that were already being exploited in the wild. The exact CVE IDs were not yet published in retrievable sources at report generation time.
YellowKey, tracked as CVE-2026-45585, exposes Windows 11 and Windows Server 2022/2025 systems through a BitLocker security feature bypass in WinRE. Microsoft had published mitigations, but no full patch was available in the available reporting.
PinTheft is a newly disclosed Linux kernel local privilege escalation with public exploit code, most relevant to systems running RDS and io_uring, especially Arch Linux and custom builds.
SonicWall CVE-2024-12802 remains an active ransomware access path because patching alone does not remove the vulnerable LDAP configuration.
Operationally, this is a foundational infrastructure day. The common theme is abuse of trusted layers: developer tooling, recovery environments, kernel subsystems, endpoint security controls, and authentication pathways. That makes the blast radius broader than a typical application bug.
Chapter 02 - Threat & Exposure Analysis
Drupal CVE-2026-9082: The issue sits in the Database abstraction API and is confirmed for PostgreSQL backed installations. It is a web facing risk that can affect public sites, internal portals, and regulated environments that rely on Drupal core.
YellowKey CVE-2026-45585: The vulnerability does not break BitLocker cryptography directly. It abuses WinRE behavior and FsTx auto recovery logic to bypass the protection on affected Windows systems when an attacker has physical access.
PinTheft: The Linux flaw uses an RDS zerocopy double free and io_uring fixed buffer behavior to obtain root. Exposure depends heavily on kernel configuration, but systems with RDS enabled should treat it as a real local privilege escalation risk.
GitHub breach and TanStack compromise: This is a software delivery problem, not just a credential theft incident. The malicious extension and compromised packages turned trusted developer tooling into the delivery channel.
Microsoft Defender zero days: The reporting shows exploitation of endpoint security tooling itself. This is especially concerning because Defender is broadly deployed and often trusted by default.
SonicWall CVE-2024-12802: The vulnerability remains operationally relevant because attackers can still bypass MFA where LDAP configuration was not changed after patching.
The exposure pattern is consistent across incidents. Defenders are being forced to trust components they usually treat as safe. That includes recovery environments, package managers, CI/CD tokens, and endpoint protection processes.
Chapter 03 - Operational Response
Immediate priorities:
Patch all Drupal core deployments urgently, with special focus on PostgreSQL backed sites.
Apply Microsoft’s YellowKey mitigations on high value Windows endpoints, especially laptops and devices with weak physical controls.
Remove or disable RDS where possible on Linux systems that match the PinTheft preconditions.
Freeze new IDE extensions and review developer endpoint hygiene after the GitHub breach.
Validate Defender platform updates across Windows fleets and confirm offline or unmanaged endpoints are remediated.
Reconfigure SonicWall LDAP authentication so that the bypass path is removed, not just patched.
Short term actions:
Rotate CI/CD and cloud credentials that may have been exposed during the TanStack compromise window.
Review GitHub Actions workflow permissions, especially pull_request_target usage.
Audit authentication logs on SonicWall appliances for SAM format logins without corresponding MFA events.
Check Windows telemetry for unexpected WinRE activity or unusual recovery boots.
Hunt for anomalous repository cloning and package installation patterns across developer systems.
The response posture should be emergency change rather than normal patch cadence. Several of these issues are already exploitable or were exploited before patches were available.
Drupal CVE-2026-9082
2026-05-18. Drupal Security Team issued a public service announcement warning of an upcoming highly critical core security release affecting PostgreSQL sites.
2026-05-20. Drupal advisory SA-CORE-2026-004 was published and CVE-2026-9082 was assigned. Fixed core versions were released the same day.
2026-05-20 to 21. Community analyses summarized impact and emphasized rapid patching. No public exploitation was confirmed in the available sources at the time of this report.
YellowKey CVE-2026-45585
2026-05-12. Proof of concept exploits for YellowKey and GreenPlasma were publicly released, demonstrating a BitLocker bypass path in WinRE.
2026-05-19. Microsoft acknowledged the issue, assigned CVE-2026-45585, and published mitigation guidance.
2026-05-19 to 20. Security vendors and journalists validated the exploit and mitigation steps. Available reporting did not confirm widespread in the wild exploitation as of the reporting window.
PinTheft Linux LPE
2026-05-18. The oss-sec mailing list referenced a new Linux local privilege escalation named PinTheft based on a V12 Security disclosure.
2026-05-19. Vendor and security journalist coverage explained the RDS zerocopy double free and highlighted Arch Linux as especially exposed.
2026-05-19 to 20. Public analysis and advisories stressed that PoC code was available and that administrators should patch or disable RDS modules.
GitHub internal repository breach
2026-05-19. TeamPCP claimed access to around 4,000 GitHub internal repositories and offered the data for sale.
2026-05-19. GitHub acknowledged it was investigating unauthorized access to internal repositories but said no customer data exposure had been confirmed at that time.
2026-05-20. GitHub confirmed that about 3,800 internal repositories were exfiltrated after an employee installed a malicious VS Code extension. Independent analysis followed.
2026-05-21. The breach was linked to the TanStack supply chain attack in subsequent reporting, with the compromised developer tool path clarified.
TanStack supply chain compromise
2026-05-10 17:16 UTC. The pre-attack cache poisoning phase began according to the official TanStack postmortem.
2026-05-11 19:20 to 19:26 UTC. Attackers published 84 malicious versions across 42 TanStack packages using stolen OIDC tokens.
2026-05-11 to 12. The broader compromise scope was disclosed, including additional package ecosystems.
2026-05-14. ThreatLocker published technical analysis of the TeamPCP chain.
2026-05-20 to 21. GitHub linked the internal breach to the same attack chain involving the malicious developer extension.
Microsoft Defender zero days
Early 2026-04. Nightmare Eclipse began a public series of Windows zero day releases, starting with BlueHammer.
2026-04-14. BlueHammer CVE-2026-33825 was patched in April 2026.
2026-05-21. Microsoft began rolling out patches for two Defender vulnerabilities being exploited in the wild.
2026-05-21. CVE IDs for the new Defender flaws were not yet published in retrievable sources at report generation time.
SonicWall CVE-2024-12802
SonicWall originally identified and patched the vulnerability.
2026-02. Reliaquest observed active exploitation of CVE-2024-12802 despite the patch.
2026-05-18. Public reporting highlighted that the patch alone was insufficient because the LDAP configuration still enabled the bypass.
2026-05-20. Reporting confirmed ongoing exploitation and ransomware deployment.
Chapter 04 - Detection Intelligence
Drupal CVE-2026-9082 is a Database API SQL injection in Drupal core. The confirmed exposure is strongest for PostgreSQL backed deployments, where crafted input can manipulate query behavior. The public reporting emphasizes patching the core releases rather than relying on compensating controls.
YellowKey CVE-2026-45585 is a BitLocker security feature bypass that abuses WinRE and FsTx recovery behavior. The public proof of concept shows that physical access plus a crafted USB or EFI payload can yield a shell in the recovery context. Microsoft mitigations focus on WinRE image changes and enforcing TPM plus PIN.
PinTheft uses an RDS zerocopy double free plus io_uring fixed buffer abuse to overwrite a SUID root binary’s page cache. The result is local root on affected Linux hosts where the required kernel features are enabled. This is a configuration sensitive exploit rather than a universal Linux issue.
GitHub and TanStack together show a trust chain collapse in developer tooling. The malicious extension and npm payloads used credentials and trusted publishing paths to spread. The technical risk is not only source exfiltration but also the poisoning of downstream build and deployment pipelines.
Microsoft Defender zero days are still partially opaque in public reporting, but the confirmed fact is exploitation in the wild before the patches released on 21 May 2026. That alone justifies urgent patch deployment and hunting for post exploitation artifacts. SonicWall CVE-2024-12802 remains dangerous because the patch did not fully remove the LDAP based bypass condition.
Drupal CVE-2026-9082
No concrete durable IOC values such as IP addresses, domains, file hashes, or URLs were published in the retrievable public reporting for this incident. The public material focused on the vulnerable Drupal core Database API, PostgreSQL exposure, and patch guidance rather than attacker infrastructure.
| Indicator type | Value | Status |
|---|---|---|
| CVE ID | CVE-2026-9082 | Confirmed |
| Network IOC | [INSUFFICIENT SOURCE DATA] | Not published |
| File hash | [INSUFFICIENT SOURCE DATA] | Not published |
| Domain | [INSUFFICIENT SOURCE DATA] | Not published |
YellowKey CVE-2026-45585
The reporting identified the recovery workflow components FsTx and autofstx.exe, but did not provide stable hashes or malicious infrastructure suitable for direct blocklisting. The exploit is physical access driven, so the most relevant artifacts are endpoint and recovery environment state rather than external command and control.
| Indicator type | Value | Status |
|---|---|---|
| CVE ID | CVE-2026-45585 | Confirmed |
| File or artifact | FsTx | Confirmed artifact reference |
| File or artifact | autofstx.exe | Confirmed artifact reference |
| Network IOC | [INSUFFICIENT SOURCE DATA] | Not published |
PinTheft Linux LPE
Public reporting described the exploit mechanics around RDS, io_uring, and SUID page cache abuse, but did not publish durable IPs, domains, or hashes. The actionable artifacts are kernel configuration and local privilege escalation behavior, not attacker infrastructure.
| Indicator type | Value | Status |
|---|---|---|
| Vulnerability | PinTheft | Confirmed disclosure name |
| Kernel component | rds | Relevant module |
| Kernel component | rds_tcp | Relevant module |
| Network IOC | [INSUFFICIENT SOURCE DATA] | Not published |
GitHub breach and TanStack compromise
The strongest indicators are package and workflow level artifacts rather than external infrastructure. Consulted sources confirmed malicious @tanstack/* package versions, the compromised VS Code extension path, pull_request_target workflow abuse, cache poisoning, and OIDC token theft, but did not provide a complete stable IOC list with hashes or domains in retrievable text.
| Indicator type | Value | Status |
|---|---|---|
| Package family | @tanstack/* | Confirmed affected scope |
| Package versions | 84 malicious versions | Confirmed in reporting |
| Extension path | Nx Console | Confirmed in reporting context |
| Workflow pattern | pull_request_target | Confirmed abuse pattern |
| Token type | OIDC token | Confirmed abused credential type |
Microsoft Defender zero days
Public reporting confirmed exploitation in the wild and same day patching, but the retrievable material did not include durable attacker infrastructure, hashes, or network IOCs for the newly patched Defender flaws. The report therefore keeps this section at the behavioral and product level.
| Indicator type | Value | Status |
|---|---|---|
| Product | Windows Defender | Confirmed target |
| CVE IDs | [PENDING] | Not yet published in retrievable sources |
| Network IOC | [INSUFFICIENT SOURCE DATA] | Not published |
| File hash | [INSUFFICIENT SOURCE DATA] | Not published |
SonicWall CVE-2024-12802
The public reporting emphasized LDAP authentication behavior, SAM versus UPN login handling, and ransomware use after successful VPN access. It did not publish durable attacker infrastructure suitable for direct IOC use in the retrievable text.
| Indicator type | Value | Status |
|---|---|---|
| CVE ID | CVE-2024-12802 | Confirmed |
| Auth behavior | LDAP SAM format login | Relevant detection artifact |
| Auth behavior | UPN versus SAM split | Relevant detection artifact |
| Network IOC | [INSUFFICIENT SOURCE DATA] | Not published |
IOC enrichment status
Pending.
The public reporting did not provide stable extractable indicators that can be safely enriched against reputation systems or internal telemetry. For operational use, the report should be paired with private telemetry from endpoint, identity, cloud, and source control logs.
Drupal CVE-2026-9082
Alert on suspicious HTTP requests that produce abnormal SQL patterns against PostgreSQL backends.
Correlate web requests with database errors and spikes in query failures.
Watch for unusual 500 class errors on Drupal routes that touch the database abstraction layer.
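The three Drupal detection ideas above (abnormal SQL patterns, web-to-database error correlation, 5xx spikes on database-touching routes) can be prototyped offline before they become SIEM rules. The following is an added example written for this report, not code from Drupal, the advisory, or any vendor; the access log and PostgreSQL log layouts, the sample lines, and the two-second correlation window are all constructed assumptions.

```python
"""Correlate Drupal HTTP 5xx responses with PostgreSQL query errors.

Added example (not from the report); log layouts and sample lines are
constructed for illustration and the field formats are assumptions.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Constructed Apache combined-format access log lines (not real traffic).
ACCESS_LOG = """\
203.0.113.7 - - [20/May/2026:10:00:01 +0000] "GET /node/12 HTTP/1.1" 200 5120
203.0.113.7 - - [20/May/2026:10:00:02 +0000] "GET /search/node?keys=abc HTTP/1.1" 500 312
203.0.113.7 - - [20/May/2026:10:00:03 +0000] "GET /search/node?keys=abc%27 HTTP/1.1" 500 312
198.51.100.4 - - [20/May/2026:10:00:10 +0000] "GET /user/login HTTP/1.1" 200 4411
203.0.113.7 - - [20/May/2026:10:00:12 +0000] "GET /taxonomy/term/3?f=1%27--%20 HTTP/1.1" 500 312
"""

# Constructed PostgreSQL server log lines (log_line_prefix = '%t ' assumed).
PG_LOG = """\
2026-05-20 10:00:02 UTC ERROR:  syntax error at or near "'" at character 93
2026-05-20 10:00:03 UTC ERROR:  unterminated quoted string at or near "'"
2026-05-20 10:00:12 UTC ERROR:  column "x" does not exist
2026-05-20 10:05:00 UTC LOG:  checkpoint complete
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
PG_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC (\w+):')
# Characters that rarely appear in legitimate Drupal query strings but do
# appear in SQL injection probes; a coarse heuristic, not a signature.
SUSPICIOUS_INPUT = re.compile(r"""['";]|--|\bunion\b|\bselect\b""", re.IGNORECASE)


def parse_access(text):
    """Yield (timestamp, client_ip, path, status) for each access log line."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ip, ts, _method, path, status = m.groups()
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            yield when, ip, path, int(status)


def parse_pg_errors(text):
    """Yield timestamps of PostgreSQL ERROR lines (other levels are ignored)."""
    for line in text.splitlines():
        m = PG_RE.match(line)
        if m and m.group(2) == "ERROR":
            naive = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield naive.replace(tzinfo=timezone.utc)


def correlate(access_text, pg_text, window_seconds=2, spike_threshold=2):
    """Return correlated 5xx requests, clients with 5xx spikes, and odd inputs."""
    requests = list(parse_access(access_text))
    errors = list(parse_pg_errors(pg_text))
    window = timedelta(seconds=window_seconds)

    # 5xx responses that land within the window of a database error.
    correlated = Counter()
    for err_time in errors:
        for when, ip, path, status in requests:
            if status >= 500 and abs(when - err_time) <= window:
                correlated[(ip, path)] += 1

    # Clients producing repeated 5xx responses (possible probing loop).
    five_xx = Counter(ip for _, ip, _, status in requests if status >= 500)
    spike_ips = sorted(ip for ip, n in five_xx.items() if n >= spike_threshold)

    # Query strings carrying SQL metacharacters after URL decoding.
    suspicious_inputs = sorted({path for _, _, path, _ in requests
                                if SUSPICIOUS_INPUT.search(unquote(path))})

    return {"correlated": correlated, "spike_ips": spike_ips,
            "suspicious_inputs": suspicious_inputs}


if __name__ == "__main__":
    result = correlate(ACCESS_LOG, PG_LOG)
    for (ip, path), n in result["correlated"].most_common():
        print(f"{n} DB error(s) within window of {ip} {path}")
    print("5xx spike from:", result["spike_ips"])
    print("suspicious inputs:", result["suspicious_inputs"])
```

The time-window join is the part worth keeping: PostgreSQL logs do not carry the HTTP client address, so the only link between a crafted request and the resulting query failure is proximity in time plus the 5xx status the site returns. Tune the window to the site's real request latency, and feed the output into the SIEM as a correlation rule rather than alerting on either log alone.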
YellowKey CVE-2026-45585
Alert on unexpected WinRE boots.
Correlate USB insertion with reboot or recovery activity.
Monitor for autofstx.exe and recovery environment anomalies.
PinTheft Linux LPE
Watch for unexpected loading of rds and rds_tcp.
Flag unusual io_uring usage by non standard binaries.
Hunt for SUID binaries behaving like they were modified in memory.
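Because PinTheft is configuration sensitive, the first check on a Linux fleet is whether the two preconditions the report names (RDS modules present, io_uring available) hold on a given host, and the first mitigation is to stop RDS from loading. The script below is an added example written for this report, not code from the V12 Security disclosure or any distribution; the /proc/modules sample and sysctl values are constructed, and it assumes the kernel.io_uring_disabled sysctl (present only on kernels that provide it; a missing key is treated as io_uring enabled).

```python
"""Check a Linux host for the PinTheft preconditions the report names
(RDS modules loaded, io_uring enabled) and emit the modprobe configuration
that blocks RDS from being loaded.

Added example (not from the report or from the disclosure). The /proc
sample and sysctl values are constructed.
"""
import os

# Constructed /proc/modules content (name size refcount deps state addr).
PROC_MODULES_SAMPLE = """\
rds_tcp 32768 0 - Live 0xffffffffc0b00000
rds 126976 1 rds_tcp, Live 0xffffffffc0a80000
ext4 1048576 2 - Live 0xffffffffc0100000
"""

# Module names for the RDS transport family (rds_rdma is the InfiniBand/iWARP transport).
RDS_MODULES = ("rds", "rds_tcp", "rds_rdma")


def loaded_modules(proc_modules_text):
    """Return the set of module names from /proc/modules-style text."""
    return {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}


def assess(proc_modules_text, sysctl):
    """sysctl: dict of sysctl name -> string value as read from /proc/sys."""
    loaded = loaded_modules(proc_modules_text)
    rds_loaded = sorted(m for m in RDS_MODULES if m in loaded)
    # kernel.io_uring_disabled: 0 = enabled, 1 = unprivileged use limited to a
    # configured group, 2 = fully disabled. Only 2 is treated as closing the path.
    io_uring_disabled = int(sysctl.get("kernel.io_uring_disabled", "0"))
    return {
        "rds_loaded": rds_loaded,
        "io_uring_disabled": io_uring_disabled,
        # Both halves of the chain described in the report must be available.
        "exposed": bool(rds_loaded) and io_uring_disabled < 2,
    }


def modprobe_block_config():
    """modprobe.d content that prevents the RDS modules from being auto-loaded."""
    lines = []
    for m in RDS_MODULES:
        lines.append(f"blacklist {m}")
        lines.append(f"install {m} /bin/false")
    return "\n".join(lines) + "\n"


def read_live_state():
    """Read the real host state; only works on Linux."""
    with open("/proc/modules", encoding="utf-8") as fh:
        modules = fh.read()
    sysctl = {}
    path = "/proc/sys/kernel/io_uring_disabled"
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            sysctl["kernel.io_uring_disabled"] = fh.read().strip()
    return modules, sysctl


if __name__ == "__main__":
    try:
        modules, sysctl = read_live_state()
    except OSError:
        # Not on Linux (or /proc unavailable): fall back to the constructed sample.
        modules, sysctl = PROC_MODULES_SAMPLE, {}
    result = assess(modules, sysctl)
    print(result)
    if result["exposed"]:
        print("# suggested content for /etc/modprobe.d/block-rds.conf:")
        print(modprobe_block_config(), end="")
```

`blacklist` alone only stops alias-based autoloading; the `install <module> /bin/false` line is what makes an explicit `modprobe rds` fail, which is why both are emitted. An already-loaded module still has to be unloaded (or the host rebooted) after the file is written, and the check should be re-run afterwards.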
GitHub breach and TanStack compromise
Alert on unusually large repository clone or download volume.
Monitor pull_request_target workflows from forks.
Detect cloud API calls from GitHub Actions runner ranges that do not match baseline build behavior.
Audit VS Code extension installations, especially around the exposure window.
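The short term action "review GitHub Actions workflow permissions, especially pull_request_target usage" and the detection item on pull_request_target workflows from forks both reduce to the same audit: find workflows where a privileged trigger checks out or interpolates untrusted pull request content. The following is an added example written for this report, not code from GitHub, TanStack, or any vendor. It uses line-oriented regular expressions instead of a YAML parser so it runs with the standard library alone, and both sample workflows are constructed.

```python
"""Static checks for risky pull_request_target usage in GitHub Actions.

Added example (not from the report or from GitHub). Uses line-oriented
regexes rather than a YAML parser so it runs with the standard library;
the two sample workflows are constructed.
"""
import re
import sys

# Constructed workflow showing the pattern the report warns about:
# a privileged trigger that checks out and executes untrusted fork code.
RISKY_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
permissions: write-all
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm install && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
      - run: echo "PR title: ${{ github.event.pull_request.title }}"
"""

# Constructed hardened workflow: unprivileged trigger, read-only token,
# default (base branch) checkout, no secrets.
SAFE_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

PRT_TRIGGER = re.compile(r"\bpull_request_target\b")
HEAD_CHECKOUT = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.")
SECRET_USE = re.compile(r"\$\{\{\s*secrets\.")
WRITE_ALL = re.compile(r"^\s*permissions:\s*write-all", re.MULTILINE)
UNTRUSTED_INTERPOLATION = re.compile(
    r"run:.*\$\{\{\s*github\.event\.(pull_request|issue|comment)\.(title|body|head\.ref)")


def audit_workflow(text):
    """Return a list of finding strings for one workflow file's text."""
    findings = []
    privileged = bool(PRT_TRIGGER.search(text))
    if privileged and HEAD_CHECKOUT.search(text):
        findings.append("pull_request_target checks out the PR head: fork code runs with the repo token")
    if privileged and SECRET_USE.search(text):
        findings.append("pull_request_target workflow exposes secrets to a PR-triggered job")
    if WRITE_ALL.search(text):
        findings.append("permissions: write-all grants the job a full-write GITHUB_TOKEN")
    if UNTRUSTED_INTERPOLATION.search(text):
        findings.append("untrusted PR/issue text interpolated into a run: step (expression injection)")
    return findings


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        # No files given: demonstrate on the two constructed workflows.
        for name, wf in (("risky", RISKY_WORKFLOW), ("safe", SAFE_WORKFLOW)):
            print(name, audit_workflow(wf) or ["no findings"])
    for p in paths:
        with open(p, encoding="utf-8") as fh:
            print(p, audit_workflow(fh.read()) or ["no findings"])
```

Run it across `.github/workflows/*.yml` in every repository that publishes packages. The checkout-of-PR-head finding is the one that matters most: pull_request_target by itself is not a bug, but combined with `ref: ${{ github.event.pull_request.head.sha }}` and a `run:` step it executes fork-controlled code with the base repository's token and secrets, which is the workflow abuse pattern the report lists for the TanStack compromise.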
Microsoft Defender zero days
Alert on suspicious privilege escalation from Defender related processes.
Monitor event IDs 4672 and 4673 around unexpected SYSTEM transitions.
Look for NTFS junction activity in user writable paths.
SonicWall CVE-2024-12802
Correlate successful VPN logins with absence of MFA challenge completion.
Flag SAM format logins where UPN format should have enforced MFA.
Review authentication logs for brute force followed by success.
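The three SonicWall detection items above (successful login without MFA completion, SAM format where UPN should have enforced MFA, brute force followed by success) can be expressed as one pass over the appliance's authentication events. The code below is an added example written for this report, not SonicWall's or any vendor's logic; the key=value event format, the field names, the sample lines, and the 60 second MFA and 120 second brute force windows are constructed assumptions, so the parser must be adapted to the real syslog layout before use.

```python
"""Flag VPN logins that succeed without an MFA completion, SAM-format
logins, and brute force followed by success.

Added example (not from the report). The key=value log format and all
sample lines are constructed; real SonicWall syslog fields differ.
"""
import re
from datetime import datetime, timedelta

# Constructed authentication events (not real appliance output).
AUTH_LOG = """\
2026-05-20T08:00:01Z src=198.51.100.20 user=corp\\jdoe event=login_failed
2026-05-20T08:00:03Z src=198.51.100.20 user=corp\\jdoe event=login_failed
2026-05-20T08:00:05Z src=198.51.100.20 user=corp\\jdoe event=login_failed
2026-05-20T08:00:07Z src=198.51.100.20 user=corp\\jdoe event=login_failed
2026-05-20T08:00:09Z src=198.51.100.20 user=corp\\jdoe event=login_success
2026-05-20T08:10:00Z src=203.0.113.9 user=asmith@corp.example event=login_success
2026-05-20T08:10:03Z src=203.0.113.9 user=asmith@corp.example event=mfa_success
2026-05-20T08:20:00Z src=203.0.113.9 user=bsmith@corp.example event=login_success
"""

EVENT_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) event=(\S+)$")


def parse_events(text):
    """Return a chronologically ordered list of (time, src, user, event)."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            ts, src, user, event = m.groups()
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            events.append((when, src, user, event))
    return events


def login_format(user):
    """UPN logins look like user@domain; anything else is treated as SAM style."""
    return "UPN" if "@" in user else "SAM"


def analyse(text, mfa_window=60, brute_window=120, brute_threshold=3):
    """Return one finding per successful login that matches any of the three patterns."""
    events = parse_events(text)
    findings = []
    for i, (when, src, user, event) in enumerate(events):
        if event != "login_success":
            continue
        # Was there an MFA completion for the same user and source shortly after?
        mfa_done = any(e == "mfa_success" and s == src and u == user
                       and when <= w <= when + timedelta(seconds=mfa_window)
                       for w, s, u, e in events[i + 1:])
        # How many failures from this source preceded the success?
        failures = sum(1 for w, s, _, e in events[:i]
                       if s == src and e == "login_failed"
                       and when - timedelta(seconds=brute_window) <= w <= when)
        reasons = []
        if not mfa_done:
            reasons.append("login without MFA completion")
        if login_format(user) == "SAM":
            reasons.append("SAM format login (UPN expected)")
        if failures >= brute_threshold:
            reasons.append(f"{failures} failures in {brute_window}s before success")
        if reasons:
            findings.append({"time": when.isoformat(), "src": src,
                             "user": user, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(AUTH_LOG):
        print(f["time"], f["src"], f["user"], "; ".join(f["reasons"]))
```

A SAM format login that also lacks an MFA completion is the combination that corresponds to the bypass condition the report describes, so a SIEM rule should weight that pairing above either signal alone. The brute force check is deliberately source-based rather than user-based, since the failures and the eventual success may use different account spellings.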
Operational hunt priorities
Deploy behavior based alerts first, because public reporting does not provide durable IOC lists.
Prioritize Windows endpoint telemetry, source control logs, cloud audit logs, and VPN authentication logs.
Treat developer workstation extension governance as part of supply chain defense, not desktop hygiene.
Behavioral basis that may support later mapping, pending source confirmation:
Drupal CVE-2026-9082: unauthenticated web request leading to database query manipulation.
YellowKey CVE-2026-45585: physical access plus recovery environment abuse.
PinTheft: local privilege escalation through kernel memory and page cache manipulation.
GitHub breach and TanStack compromise: supply chain compromise, credential theft, and developer tooling abuse.
Microsoft Defender zero days: local privilege escalation against endpoint security components.
SonicWall CVE-2024-12802: authentication bypass through LDAP and VPN session abuse.
Chapter 05 - Governance, Risk & Compliance
The main governance issue is failure of trust boundaries.
Developer tooling trust was broken by the GitHub breach and TanStack compromise.
Endpoint trust was broken by Microsoft Defender zero days and YellowKey.
Authentication trust was broken by SonicWall CVE-2024-12802.
Platform trust was broken by Drupal core and PinTheft on Linux.
For governance, this means patching alone is insufficient. Administrators need configuration validation, credential rotation, extension governance, and monitoring for abnormal behavior. Organizations with regulated workloads should treat the day as a test of emergency change discipline rather than a normal patch event.
Risk prioritization should favor externally reachable systems first, then developer systems, then physical access constrained endpoints. Drupal and SonicWall affect direct attack paths into exposed services. GitHub and TanStack affect supply chain trust. YellowKey and PinTheft are narrower in access requirements but still serious for high value assets.
Chapter 06 - Adversary Emulation
Drupal CVE-2026-9082
Reproduce the attack only in a controlled lab with a Drupal instance backed by PostgreSQL and a non production dataset.
Send crafted input to the vulnerable web path and observe whether it produces abnormal SQL behavior or database errors.
Validate that patched Drupal core releases block the request path and that database errors disappear after remediation.
Measure whether WAF rules, application logging, and PostgreSQL logging detect the attempt before and after patching.
YellowKey CVE-2026-45585
Use an isolated Windows 11 or Windows Server 2025 test system with BitLocker enabled and full rollback capability.
Simulate the physical access requirement by using a controlled lab device and a removable USB test medium.
Verify that WinRE mitigation steps prevent the FsTx recovery path from opening a shell.
Confirm that TPM plus PIN enforcement blocks the bypass path and that boot controls reduce exposure.
PinTheft Linux LPE
Use a lab host with a kernel build that intentionally includes RDS and io_uring so the exposure conditions can be reproduced safely.
Observe module loading, io_uring activity, and SUID behavior before and after mitigation.
Validate that disabling or blocking RDS modules breaks the exploit precondition.
Confirm that patched kernels or hardened builds prevent privilege escalation to root.
GitHub breach and TanStack compromise
Build a test GitHub Actions workflow that mirrors the risky pull_request_target pattern inside a private sandbox repository.
Simulate cache poisoning and confirm whether untrusted fork input can affect privileged workflow behavior.
Verify that secret rotation, token scope reduction, and workflow hardening block the same abuse path.
Test whether IDE extension review controls and build pipeline protections stop malicious extension or package based secret theft.
Microsoft Defender zero days
Use only a non production Windows lab because the exploit affects endpoint security tooling.
Recreate the conditions that trigger privilege escalation from a standard user context and watch for process, token, and event log changes.
Validate that Defender platform updates eliminate the exploit path and that detection rules catch suspicious MsMpEng.exe behavior.
Confirm that NTFS junction monitoring and privilege event correlation surface the attack.
SonicWall CVE-2024-12802
Reproduce the LDAP integrated VPN configuration in a lab that matches the vulnerable SAM and UPN authentication split.
Test whether patching alone still allows the bypass and then verify that LDAP reconfiguration removes the path.
Check whether MFA challenge absence appears in the logs during successful SAM format logins.
Validate that brute force plus successful VPN login sequences are detected by your SIEM logic.
Emulation priorities
Start with the incidents that have the clearest business impact and easiest lab reproducibility: GitHub and TanStack, SonicWall, and YellowKey.
Treat Drupal and Defender as higher risk validation targets because they can affect broad enterprise fleets.
Use the emulation results to tune detections, response playbooks, and patch verification checks.
| Factor | Weight |
|---|---|
| Multiple confirmed platform and vendor disclosures for Drupal, GitHub, TanStack, YellowKey, and SonicWall | High |
| Strong corroboration across independent security journalism and vendor analysis | High |
| Public proof of concept or confirmed exploitation for several incidents | High |
| Some major gaps remain for IOC detail, MITRE mapping, and full actor attribution | Medium |
| No CISA KEV confirmation for all incidents in scope | Medium |
