☀️ Good afternoon. Here's everything that happened in cybersecurity yesterday — in under 5 minutes.
A single git push was all it took to access millions of GitHub private repositories, SAP's npm packages were backdoored to steal browser passwords and cloud credentials in the latest Mini Shai-Hulud wave, 276 suspects were arrested in an unprecedented US-China crypto fraud crackdown, Vietnamese hackers stole 30,000 Facebook Business accounts by sending phishing emails from a legitimate Google address, and a critical LiteLLM vulnerability was exploited within 36 hours of disclosure — with AI provider API keys as the payload.
🔥 Top Stories
01 — GitHub CVE-2026-3854: One git push Was All It Took to Access Millions of Private Repositories
Vulnerabilities
Wiz researchers disclosed CVE-2026-3854, a critical GitHub RCE (CVSS 8.7) where a single crafted git push command gave attackers cross-tenant code execution on GitHub's backend infrastructure and access to millions of private repositories belonging to other organizations. The flaw lived in GitHub's internal X-Stat protocol — push options passed by a developer were embedded in backend metadata headers without sanitization, allowing injection that pivoted from the git proxy into unsandboxed execution as the git service user.
GitHub.com was patched 75 minutes after Wiz reported the issue in March. The problem: as of public disclosure on April 28, 88% of GitHub Enterprise Server instances were still running vulnerable versions. GHES administrators must upgrade to 3.14.25 or later immediately — there is no workaround.
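The bug class described above, as an added illustration that is not GitHub's code and does not reproduce the X-Stat protocol or any exploit detail: a stand-in line-oriented "Key: value" metadata block in which an unsanitized push option containing a newline becomes a new header on the receiving side, beside a builder that refuses anything outside an allowlist. The header names, the option syntax and the injected `Exec-As` value are assumptions made for the example.

```python
import re

# Added example, not GitHub's code: a stand-in for any line-oriented
# "Key: value" metadata block that a git proxy might forward to a backend.
# The header names and option syntax are assumptions made for illustration.


def build_headers_unsafe(repo: str, push_options: list[str]) -> str:
    """Vulnerable shape: caller-controlled push options are concatenated
    verbatim, so a value containing a newline can terminate the current
    header and start another one."""
    lines = [f"Repo: {repo}"]
    for opt in push_options:
        lines.append(f"Push-Option: {opt}")
    return "\n".join(lines) + "\n"


def parse_headers(block: str) -> dict[str, list[str]]:
    """Naive receiver: one 'Key: value' per line.  This is the side that
    turns an injected newline into a header it never intended to accept."""
    headers: dict[str, list[str]] = {}
    for line in block.splitlines():
        if not line:
            continue
        key, _, value = line.partition(": ")
        headers.setdefault(key, []).append(value)
    return headers


# Allowlist for push options: key=value, restricted character set, no
# control characters.  Anything else is refused rather than escaped.
_ALLOWED_OPTION = re.compile(r"[A-Za-z0-9_.-]+=[A-Za-z0-9_./:-]*")


def build_headers_safe(repo: str, push_options: list[str]) -> str:
    """Hardened shape: validate each option against the allowlist before it
    touches the internal protocol."""
    lines = [f"Repo: {repo}"]
    for opt in push_options:
        if not _ALLOWED_OPTION.fullmatch(opt):
            raise ValueError(f"rejected push option: {opt!r}")
        lines.append(f"Push-Option: {opt}")
    return "\n".join(lines) + "\n"


# Constructed input: a legitimate option, then one carrying an injected
# line.  "Exec-As" is a made-up header name, standing in for whatever
# trusted field a backend might read.
LEGIT_OPTION = "ci.skip=1"
INJECTED_OPTION = "ci.skip=1\nExec-As: git-service"


def demo() -> tuple[dict[str, list[str]], bool]:
    """Returns the headers the naive receiver sees from the unsafe builder,
    and whether the safe builder refused the injected option."""
    seen = parse_headers(build_headers_unsafe("org/repo", [INJECTED_OPTION]))
    try:
        build_headers_safe("org/repo", [INJECTED_OPTION])
        refused = False
    except ValueError:
        refused = True
    return seen, refused


if __name__ == "__main__":
    headers, refused = demo()
    print(headers)  # the injected Exec-As header appears as its own entry
    print("refused:", refused)
```

The point of the allowlist is that it is applied at the trust boundary, before the value reaches any internal format; escaping after the fact has to know every receiver's parsing rules, and the receiver here is exactly the component that was never written to expect hostile input.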
02 — SAP npm Packages Compromised in Mini Shai-Hulud Supply Chain Attack — Browser Passwords Now Targeted
Supply Chain Attack
Official SAP npm packages were backdoored on April 29 in the latest wave of the TeamPCP-linked Mini Shai-Hulud campaign — the same operation that previously hit PyTorch Lightning, LiteLLM, Telnyx, and Checkmarx. A preinstall hook executes a Bun JavaScript runtime payload that harvests GitHub tokens, npm tokens, GitHub Actions secrets, and cloud credentials from AWS, Azure, GCP, and Kubernetes. New in this wave: browser credential theft across Chrome, Safari, Edge, Brave, and Chromium — dramatically expanding what's at risk from a single compromised developer machine.
Over 1,100 GitHub repositories carried the Mini Shai-Hulud signature at the time of disclosure. The shared RSA public key, Russian locale check, and GitHub exfiltration pattern confirm these are all the same threat actor systematically targeting the developer trust graph — security tools, AI gateways, communication SDKs, and now SAP enterprise packages.
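Because the SAP backdoor ran from a preinstall hook, the practical check is to find every install-time lifecycle script in an installed tree before it runs. The auditor below is an added example, not code from SAP, npm or the campaign analysis; the sample manifests are constructed, and the list of launcher keywords it treats as suspicious (beyond `bun`, which the report names) is an assumption.

```python
import json
import re
from pathlib import Path

# Lifecycle scripts that npm runs automatically during "npm install".
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Launchers a download-and-run payload usually needs.  "bun" is the runtime
# named in the report; the rest are common shapes and are an assumption.
SUSPICIOUS = re.compile(r"\b(bun|curl|wget|node\s+-e|eval|base64)\b")


def audit_manifest(manifest: dict) -> list[dict]:
    """Return one finding per install-time hook declared in a package.json."""
    findings = []
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        findings.append({
            "package": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "hook": hook,
            "command": cmd,
            "suspicious": bool(SUSPICIOUS.search(cmd)),
        })
    return findings


def audit_node_modules(root: str) -> list[dict]:
    """Walk an installed tree and audit every package.json in it."""
    findings = []
    for path in Path(root).rglob("package.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        if isinstance(manifest, dict):
            findings.extend(audit_manifest(manifest))
    return findings


# Constructed manifests for a stand-alone run; not the contents of any
# real SAP package.
CLEAN_MANIFEST = {
    "name": "@example/clean-lib",
    "version": "1.0.0",
    "scripts": {"build": "tsc", "test": "jest"},
}
TAMPERED_MANIFEST = {
    "name": "@example/tampered-lib",
    "version": "1.0.1",
    "scripts": {"build": "tsc", "preinstall": "bun run setup.js"},
}


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else None
    results = audit_node_modules(root) if root else (
        audit_manifest(CLEAN_MANIFEST) + audit_manifest(TAMPERED_MANIFEST))
    for f in results:
        flag = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"{flag:10} {f['package']}@{f['version']} {f['hook']}: {f['command']}")
```

Point it at a `node_modules` directory after an install, and pair it with `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) so lifecycle hooks do not execute before anyone has looked at them; a package that genuinely needs a build step can then be allowed case by case.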
03 — 276 Arrested in Unprecedented US-China Pig-Butchering Crackdown — Nine Crypto Fraud Centers Shut Down
Policy & Government
The FBI and DOJ announced 276 arrests and the dismantling of nine cryptocurrency investment fraud centers in a joint operation with Chinese law enforcement, cooperation the DOJ called "unprecedented". Three suspects face federal charges in the Southern District of California. Pig-butchering operations work by posing as friends or romantic partners over weeks, then gradually steering victims into fraudulent crypto investment platforms before disappearing with all deposited funds. The FBI's IC3 2025 report documented over $5.8 billion in crypto fraud losses last year, the majority from pig-butchering schemes.
The US-China cooperation angle is diplomatically significant. Joint law enforcement action between the two nations on cybercrime has been rare and strained — this operation suggests pig-butchering, which victimizes both US and Chinese citizens and operates from Southeast Asian fraud compounds, may represent an area where bilateral action is achievable despite broader tensions.
04 — 30,000 Facebook Business Accounts Stolen via Google AppSheet Phishing — "AccountDumpling" Exposed
Phishing
Guardio researchers exposed AccountDumpling, a Vietnamese-linked operation that has compromised approximately 30,000 Facebook Business accounts by sending phishing emails from a legitimate Google-owned AppSheet sender address. Because the messages originate from Google's own mail servers and pass SPF, DKIM, and DMARC checks for the sending domain, traditional spam filters let them through undetected. Victims are directed to Netlify-hosted fake Meta support pages that harvest credentials, session cookies, and government ID details in staged verification flows.
The same group that steals the accounts runs a criminal storefront selling access, business identity, ad reputation, and account recovery services separately — maximizing revenue from every compromised account. Facebook Business accounts are the target specifically because they carry established ad spend history, verified status, and payment methods that can immediately launch fraudulent ad campaigns before Meta's fraud detection responds.
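When transport authentication is genuine, the signal has to come from the content instead: a display name that claims a brand the authenticated domain does not belong to, links that leave that domain, a Reply-To on a third domain. The triage function below is an added example, not Guardio's tooling or Google's; both messages are constructed, the domains are placeholders, and the brand list and scoring rule are assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=pass\b")
# Brand this particular lure impersonates; an assumption for the example.
BRAND_RE = re.compile(r"\b(meta|facebook)\b", re.IGNORECASE)


def _domain(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def triage(raw: str) -> dict:
    """Score a message whose SPF/DKIM/DMARC results are real but whose
    content speaks for a brand the sender domain does not belong to."""
    msg = email.message_from_string(raw, policy=policy.default)
    passes = set(AUTH_RE.findall(str(msg.get("Authentication-Results", ""))))
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = _domain(str(msg.get("Reply-To", ""))) or from_domain
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(text)}
    off_domain = {h for h in hosts if h and not _under(h, from_domain)}
    brand = BRAND_RE.search(display_name or "")
    claimed = brand.group(1).lower() if brand else None
    # The display name claims a brand that the authenticated domain is not part of.
    brand_mismatch = claimed is not None and claimed not in from_domain
    suspicious = brand_mismatch and (bool(off_domain) or reply_domain != from_domain)
    return {
        "auth_passes": passes == {"spf", "dkim", "dmarc"},
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "claimed_brand": claimed,
        "off_domain_links": off_domain,
        "verdict": "suspicious" if suspicious else "no finding",
    }


# Constructed lure: authentication passes for a SaaS notification domain,
# the display name claims Meta, the link and Reply-To go elsewhere.
LURE = """\
From: "Meta Business Support" <noreply@notifications.example.com>
Reply-To: meta-support-team@example.net
To: owner@victim.example
Subject: Action required: your ad account has been restricted
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=notifications.example.com; dkim=pass header.d=notifications.example.com; dmarc=pass header.from=notifications.example.com
Content-Type: text/plain; charset="utf-8"

Your business account will be disabled in 24 hours unless you verify it.
Verify now: https://meta-business-verify.netlify.app/appeal
"""

# Constructed control: same brand in the display name, but the sender domain
# and the link both belong to it.
CONTROL = """\
From: "Meta Business Suite" <no-reply@business.meta.example>
To: owner@victim.example
Subject: Weekly performance summary
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=business.meta.example; dkim=pass header.d=business.meta.example; dmarc=pass header.from=business.meta.example
Content-Type: text/plain; charset="utf-8"

Your summary is ready: https://business.meta.example/summary
"""

if __name__ == "__main__":
    for name, sample in (("lure", LURE), ("control", CONTROL)):
        print(name, triage(sample))
```

The substring test on the brand is deliberately crude; in production you would map brands to their known sending domains. What matters is that `auth_passes` is true for both messages and contributes nothing to the verdict, which is exactly the situation the AppSheet abuse creates.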
05 — LiteLLM CVE-2026-42208: SQL Injection Exploited in 36 Hours — AI Gateway Credentials at Risk
Vulnerabilities
CVE-2026-42208, a critical SQL injection in LiteLLM — the open-source AI gateway with 45,000 GitHub stars used to route requests across OpenAI, Anthropic, AWS Bedrock, Azure, and 60+ LLM providers — was exploited within 36 hours of disclosure with no public proof-of-concept available. Sysdig documented attackers building working exploits directly from the advisory description and beginning credential extraction within three minutes of initial access.
The blast radius is not that of a typical SQL injection: extracting LiteLLM's credentials table can yield OpenAI organization keys with five-figure monthly spend caps, Anthropic workspace admin keys, and AWS Bedrock IAM credentials. Update to the latest LiteLLM release immediately. If patching is not immediately possible, set disable_error_logs: true under general_settings in the proxy configuration as an interim mitigation, and treat every provider key the proxy stored as exposed if the instance was reachable before it was patched.
📊 By The Numbers
88% — GitHub Enterprise Server instances still running the vulnerable CVE-2026-3854 version at public disclosure
1,100+ — GitHub repositories carrying the Mini Shai-Hulud signature at time of the SAP npm compromise
276 — Suspects arrested in the joint US-China pig-butchering cryptocurrency fraud crackdown
30,000 — Facebook Business accounts compromised by the AccountDumpling phishing operation
36 hours — Time from LiteLLM CVE-2026-42208 disclosure to confirmed active exploitation with no public PoC
⚡ The Signal
Yesterday's stories have a common thread that runs deeper than the individual incidents: every attack exploited something the victim trusted completely.
GitHub developers trust that git push is a safe, bounded operation. SAP developers trust that official SAP npm packages are what they claim to be. Pig-butchering victims trust the person they've built a relationship with over weeks. Facebook Business owners trust an email from a Google address. LiteLLM users trust that a widely-used open-source AI gateway has been hardened. In every case, that trust was the attack surface.
This is the defining offensive pattern of 2026 — not zero-days, not sophisticated malware, not nation-state tradecraft. It's the systematic exploitation of legitimate trust relationships: between developers and package registries, between users and cloud platforms, between people and the digital identities they encounter online. The Mini Shai-Hulud campaign is the clearest example — TeamPCP specifically targets tools that sit at privileged trust nodes in the developer ecosystem, because those tools are installed automatically and never questioned.
The defensive implication is uncomfortable: the controls that matter most right now are not technical detections. They are verification habits. Did this package actually come from SAP, or just from an account claiming to be SAP? Did this email actually come from Google, or from someone using a Google service to send it? Is this git push option value being sanitized before it touches an internal protocol? Verification at trust boundaries, not detection signatures or heuristics, is where the current attack wave is being won and lost.
🔍 What You May Have Missed
Linux "Copy Fail" CVE-2026-31431 Added to CISA KEV — Every Kernel Since 2017 Affected — CISA confirmed active exploitation of a Linux kernel privilege escalation flaw affecting all distributions running kernels since 2017. A 732-byte Python script is all that's needed to gain root from an unprivileged account. Update your kernel and reboot — the patch is not effective until the new kernel is running.
PyTorch Lightning Compromised in Supply Chain Attack — Malware Steals Credentials Automatically on Import — The prior wave of the same Mini Shai-Hulud campaign that hit SAP npm packages. Versions 2.6.2 and 2.6.3 execute credential-stealing malware on import with no user action required. Version 2.6.1 is the last clean baseline — any environment that imported the compromised versions should be treated as fully compromised.
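Two checks from the items above share one version-parsing helper, so they are combined here: flagging the compromised PyTorch Lightning pins in `pip freeze` output, and confirming that a patched kernel is actually the one running rather than merely installed (the Copy Fail reboot caveat). This is an added example, not code from CISA, the kernel project or PyTorch Lightning; the freeze output and kernel strings are constructed, and the PyPI distribution name `pytorch-lightning` is an assumption.

```python
import re


def parse_version(v: str) -> tuple:
    """'6.8.0-49-generic' -> (6, 8, 0, 49); '2.6.3' -> (2, 6, 3).
    Digits only, so kernel strings and PyPI versions share one helper
    (a pre-release tag such as 'rc1' contributes only its digit, an
    accepted simplification for this check)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


# Compromised releases named in the report.  The PyPI distribution name
# "pytorch-lightning" is an assumption made here; confirm the exact names
# affected in your environment against the advisory.
KNOWN_BAD = {"pytorch-lightning": {(2, 6, 2), (2, 6, 3)}}


def flag_pins(freeze_output: str) -> list[tuple[str, str]]:
    """Return (name, version) pairs from `pip freeze` output that match a
    known-compromised release.  Underscores and case are normalised so
    'pytorch_lightning' and 'PyTorch-Lightning' both match."""
    hits = []
    for line in freeze_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, _, ver = line.partition("==")
        name = name.strip().lower().replace("_", "-")
        if parse_version(ver) in KNOWN_BAD.get(name, set()):
            hits.append((name, ver.strip()))
    return hits


def needs_reboot(running: str, installed: list[str]) -> bool:
    """True when a kernel newer than the running one is installed: the fix
    is on disk but not in memory, which is the Copy Fail caveat above."""
    newest = max(installed, key=parse_version)
    return parse_version(newest) > parse_version(running)


# Constructed inputs for a stand-alone run.
FREEZE = """\
numpy==2.2.0
torch==2.7.0
pytorch-lightning==2.6.3
requests==2.32.3
"""
RUNNING_KERNEL = "6.8.0-45-generic"
INSTALLED_KERNELS = ["6.8.0-45-generic", "6.8.0-49-generic"]

if __name__ == "__main__":
    for name, ver in flag_pins(FREEZE):
        print(f"COMPROMISED pin: {name}=={ver}; treat this environment as compromised")
    if needs_reboot(RUNNING_KERNEL, INSTALLED_KERNELS):
        print(f"reboot required: running {RUNNING_KERNEL}, newer kernel installed")
```

Feed the real inputs from `pip freeze` and from `uname -r` plus the kernel packages your package manager reports installed. A hit from `flag_pins` means the import already ran: the right response is the credential rotation the item above calls for, not just a downgrade to 2.6.1.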
276 Arrested in US-China Pig-Butchering Crackdown — The $5.8B annual crypto fraud loss figure from the FBI's IC3 2025 report represents only reported losses. The actual figure is significantly higher given underreporting. If you know anyone who has been approached by a new online contact promoting cryptocurrency investment, share the FBI's pig-butchering awareness resources at ic3.gov.
📅 What to Watch
GitHub GHES patch adoption — 88% unpatched at disclosure; watch for GHES patch adoption rates and any confirmed exploitation in the wild against enterprise instances.
TeamPCP / Mini Shai-Hulud next target — The campaign has hit a new high-value target every 1-2 weeks since March. Watch for the next compromised package — developer security tools and AI infrastructure remain the most likely next targets.
Instructure Canvas incident — Canvas, used by thousands of universities globally, is investigating a cybersecurity incident with unknown scope. Watch for a formal disclosure confirming whether student or faculty data was accessed.
LiteLLM patch adoption — Given the 36-hour exploitation window and the high value of stored AI provider credentials, watch for confirmed credential theft reports from LiteLLM deployments that were slow to patch.
Stay sharp. Stay ahead.
Till next time,
The CyberSignal Team
Our Sponsors
⭐️ The AI Report
Your competitors already read this every morning.
The AI Report keeps 400,000+ executives ahead of every major AI move — in 5 minutes a day. Trusted by leaders at the world's top companies. The question isn't whether AI is changing your industry. It's whether you'll see it coming.
⭐️ Norton NEO
Fast browsing. Faster thinking.
Your browser gets you to a page. Norton Neo gets you to the answer. The first safe AI-native browser built by Norton moves with you from idea to action without slowing you down. Magic Box understands your intent before you finish typing. AI that works inside your flow, not beside it. No prompting. No copy-pasting. No switching apps.
Built-in AI, instantly and for free. Privacy handled by Norton. Built-in VPN and ad blocking protect you by default. No configuration. No extra apps. Nothing to think about.
Fast. Safe. Intelligent. That's Neo.