Forem: BeyondMachines

TanStack npm Packages Compromised in "Mini Shai-Hulud" Supply Chain Attack

BeyondMachines — Tue, 12 May 2026 15:01:07 +0000

Summary

The TanStack npm ecosystem was hit by a supply chain attack that hijacked legitimate build pipelines to distribute malware with valid SLSA provenance. The attack harvests cloud credentials and includes a destructive dead-man's switch that deletes home directories if stolen tokens are revoked.

Take Action:

If you installed any @tanstack/* packages on May 11, 2026, treat your entire environment as compromised — but before rotating any credentials, first disable the dead-man's switch service (systemctl --user stop gh-token-monitor.service on Linux or launchctl unload ~/Library/LaunchAgents/com.user.gh-token-monitor.plist on macOS) and remove persistence hooks from .claude/ and .vscode/ directories, because revoking tokens before disabling the monitor will trigger destruction of your home directory. After disabling persistence, rotate all secrets (GitHub tokens, AWS keys, npm tokens, SSH keys, Vault tokens — everything), block *.getsession.org at DNS level, and audit your GitHub Actions workflows to pin OIDC trusted publishers to specific branches.

Read the full article on BeyondMachines

This article was originally published on BeyondMachines

Institute of Public Accountants Reports Data Leak Caused by Database Automation Error

BeyondMachines — Tue, 12 May 2026 10:01:08 +0000

Summary

The Institute of Public Accountants (IPA) suffered a data breach due to a human error in an automated database process that leaked member names and ID numbers to other members. The organization disabled the affected process and is working with its technology partner to improve security controls.

Read the full article on BeyondMachines

This article was originally published on BeyondMachines

ShinyHunters Strikes Canvas Again: Second Compromise Defaces 330 School Login Pages

BeyondMachines — Tue, 12 May 2026 09:01:08 +0000

Summary

Instructure's Canvas platform was breached a second time on May 7, 2026, by ShinyHunters, who exploited a vulnerability in the Free-For-Teacher program's support-ticket function to pivot into shared back-end infrastructure, deface ~330 institutional login pages with a ransom note, and pressure payment for data stolen in the prior April 25 breach.

Read the full article on BeyondMachines

This article was originally published on BeyondMachines

SailPoint Discloses GitHub Repository Breach Linked to Third-Party Vulnerability

BeyondMachines — Tue, 12 May 2026 08:01:08 +0000

Summary

SailPoint reports that hackers exploited a third-party application vulnerability to access a subset of its GitHub repositories on April 20, 2026. The company claims that production environments remained secure and has notified affected customers directly.

Read the full article on BeyondMachines

This article was originally published on BeyondMachines

State of (in)security - Week 19, 2026

BeyondMachines — Mon, 11 May 2026 17:01:07 +0000

Summary

Between May 4–11, 2026, the cybersecurity landscape saw 13 advisories and 14 incidents, with active exploits hitting Ivanti EPMM, Palo Alto PAN-OS, and DAEMON Tools (supply chain), along critical flaws in Chrome, MOVEit, PostgreSQL/MariaDB, and Ollama AI servers. Major breaches included ransomware attacks on Fiserv, Liberty Mutual, and Champion Homes, an AWS data center overheating outage disrupting financial platforms, and a $155,000 prompt injection theft from a Grok-linked crypto wallet.

Take Action:

Patch your browser (Chrome/Edge/Brave/Opera) and your Android phone today, both have critical flaws. And never run .exe files sent by "recruiters" on social media, no matter who the message appears to come from.

Read the full article on BeyondMachines

This article was originally published on BeyondMachines

M3rx Ransomware Group Claims Breach of Australian Toy Distributor KB Toys

BeyondMachines — Mon, 11 May 2026 12:01:08 +0000

Summary

The Australian toy distributor KB Toys was targeted by the M3rx ransomware group, resulting in the alleged theft of 140 GB of sensitive business data and invoices.

Read the full article on BeyondMachines

This article was originally published on BeyondMachines

JDownloader Website Hijacked to Distribute Malware via CMS Exploit

BeyondMachines — Sun, 10 May 2026 20:01:08 +0000

Summary

JDownloader's official website was compromised via a CMS vulnerability, allowing attackers to replace legitimate Windows and Linux installers with malware-laden versions. Existing installations remain safe due to cryptographic signing, users who downloaded and executed the affected files on May 6-7 are advised to change all passwords, and enable multi-factor authentication or reinstall their operating systems.

Take Action:

If you downloaded and ran the JDownloader Windows Alternative Installer or Linux shell script between May 6 and May 7, 2026, you should assume your system is compromised. Remove the systems, or ideally reinstall your system. Standard antivirus scans cannot guarantee the removal of this malware. Affected users must change all passwords and enable multi-factor authentication (MFA) on all accounts.

Read the full article on BeyondMachines

This article was originally published on BeyondMachines

MemberSource Credit Union Ransomware Attack Exposes 50 GB of Member Data

BeyondMachines — Sun, 10 May 2026 16:01:08 +0000

Summary

MemberSource Credit Union suffered a ransomware attack by the Safepay group that resulted in the theft of 50 GB of sensitive data, including Social Security numbers and financial account details. The breach affected branch networks but did not compromise the institution's core member management system.

Read the full article on BeyondMachines

This article was originally published on BeyondMachines

Critical Rancher Fleet Vulnerability Allows Full Kubernetes Cluster Takeover

BeyondMachines — Sun, 10 May 2026 15:01:07 +0000

Summary

SUSE Rancher Fleet contains a critical vulnerability (CVE-2026-41050) that allows attackers to bypass multi-tenant isolation and gain cluster-admin privileges by exploiting the Helm deployer's failure to enforce ServiceAccount impersonation.

Take Action:

If you're using Rancher Fleet to manage Kubernetes clusters, update ASAP to a patched version (Fleet 0.11.13/0.12.14/0.13.10/0.14.5, or Rancher 2.10.11/2.11.13/2.12.9/2.13.5/2.14.1). If you can't patch right away, disable Fleet-monitored repositories for untrusted tenants, audit your Helm charts for use of the lookup function, and rotate any secrets that may have been exposed.

Read the full article on BeyondMachines

This article was originally published on BeyondMachines

AWS Data Center Overheating Disrupts Global Financial Platforms

BeyondMachines — Sun, 10 May 2026 14:01:08 +0000

Summary

AWS experienced a major service disruption in its Northern Virginia region due to data center overheating and power loss, impacting global platforms like Coinbase and CME Group.

Read the full article on BeyondMachines

This article was originally published on BeyondMachines

NVIDIA GeForce NOW Regional Partner Breach Exposes Armenian User Data

BeyondMachines — Sun, 10 May 2026 13:01:07 +0000

Summary

NVIDIA confirmed a data breach at its Armenian partner, GFN.am, which exposed personal information of GeForce NOW users.

Read the full article on BeyondMachines

This article was originally published on BeyondMachines

Fake Recruiter Campaign on LinkedIn Delivers Info-Stealers via Hijacked Accounts

BeyondMachines — Sun, 10 May 2026 08:01:08 +0000

Summary

A malware campaign on LinkedIn impersonates known brands to deliver info-stealers through hijacked accounts, Google Forms, and bloated ZIP files. The attack targets session cookies and credentials to bypass MFA and gain persistent access to corporate and personal accounts.

Take Action:

Never trust unexpected social media and messenger messages, even from people you know. Hijacked accounts are how this scam spreads. Don't rush, don't fill out forms from strangers, and NEVER download or run executable files (.exe) sent by a "recruiter". Legitimate companies never send EXEs to job candidates.

Read the full article on BeyondMachines

This article was originally published on BeyondMachines