OvernightHacker

Root access to the overnight threat feed.

Clock in on the Overnight May 22nd, 2026

Welcome back to the overnight — I’m about to go clock in, so you know what that means. Weekly roundup. Here’s the briefing.


01 / 05 — GitHub Breached via Weaponized VS Code Extension
May 18  |  Supply Chain  |  Critical

GitHub confirmed a breach on May 18 after attackers slipped a weaponized Visual Studio Code extension onto an employee’s machine. That’s it — that’s the entry point. Not a zero-day in their infrastructure, not a nation-state exploit. A bad extension in a developer’s editor.

This is a supply chain attack hitting one of the most trusted platforms in software development. Every repo — public and private — lives on GitHub. The attack vector is especially concerning because VS Code extensions are how developers work every single day, and most don’t scrutinize them the way they would a binary download. The lesson here is simple and brutal: your IDE is part of your attack surface. Audit your extensions, remove what you’re not actively using, and be suspicious of anything asking for elevated permissions.


02 / 05 — Microsoft Defender Vulnerabilities Hit — SYSTEM-Level Takeover Possible
May 21  |  Privilege Escalation  |  Active Exploit

Microsoft disclosed two vulnerabilities in Defender being actively exploited in the wild. The first — CVE-2026-41091, CVSS 7.8 — is a privilege escalation flaw. If an attacker already has a foothold on your machine, this bug lets them go from regular user to SYSTEM. Full control. The second, CVE-2026-45498, is a denial-of-service flaw against Defender itself — meaning attackers can disable the thing that’s supposed to protect you.

These are already being exploited. Not theoretical, not a proof-of-concept — real attacks in the wild. Both are patched in Defender Antimalware Platform versions 1.1.26040.8 and 4.18.26040.7. If Windows Update is on, you’re probably already covered, but verify. The bigger picture: your AV getting weaponized against you is a genuinely nasty situation. Patch now.


03 / 05 — 9-Year-Old Linux Kernel Bug Surfaces — CVE-2026-46333 “ssh-keysign-pwn”
May 21  |  Local Privilege Escalation  |  High Severity

Qualys dropped a nasty one. CVE-2026-46333 — codenamed ssh-keysign-pwn — is a local privilege escalation flaw sitting in the Linux kernel’s __ptrace_may_access() function. It was introduced in November 2016. Nine years in the wild, undetected.

Here’s what it does: any unprivileged local user can read /etc/shadow (every user’s hashed password), expose SSH private keys, and execute arbitrary commands as root. Qualys described the primitive as “reliable” — meaning this isn’t a flaky race condition, it’s consistent. Affects Debian, Fedora, and Ubuntu on default installs. The researcher’s own words: “turns any local shell into a path to root.” If you’re running Linux — patch your kernel and patch it today.


04 / 05 — Grafana Labs GitHub Environment Compromised in npm Supply Chain Attack
May 19–20  |  Supply Chain  |  Source Code Exposure

Grafana Labs — the company behind one of the most widely used observability platforms in DevOps — confirmed their GitHub environment was breached on May 19. The attack vector was a malicious TanStack npm package, a wildly popular JavaScript library. Attackers used it to pivot into Grafana’s GitHub, exposing both public and private source code repos along with internal repositories.

Grafana says no customer production systems were touched and the investigation is ongoing. But here’s the real takeaway: this is two supply chain attacks in one week — GitHub and Grafana, both through the developer tooling ecosystem. VS Code extensions, npm packages. The software supply chain is the hottest attack surface right now. If you’re doing any kind of dev work, your dependencies are a threat model you need to take seriously. Lock your package versions. Use lock files. Audit what you’re pulling in.
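Here is a lockfile audit in the spirit of that advice, added as an example and not code from this post or from any of the projects named in it. It assumes a single trusted registry host and runs against a constructed package-lock.json in the npm lockfileVersion 3 shape (the integrity hashes are placeholders).

```javascript
// Added example, not code from the OvernightHacker post: audit an npm
// package-lock.json for packages not pinned to a tarball on the expected
// registry, lacking an integrity hash, or declaring install lifecycle scripts.
const EXPECTED_REGISTRY = "registry.npmjs.org"; // assumption: one trusted registry

// Constructed sample lockfile (lockfileVersion 3 shape): one clean entry and
// three that should each trigger exactly one finding. Hashes are placeholders.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "left-pad": "1.3.0" } },
    "node_modules/left-pad": { version: "1.3.0", integrity: "sha512-PLACEHOLDER",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
    "node_modules/odd-lib": { version: "2.0.1", integrity: "sha512-PLACEHOLDER",
      resolved: "https://mirror.example.invalid/odd-lib-2.0.1.tgz" },
    "node_modules/no-hash": { version: "0.1.0",
      resolved: "https://registry.npmjs.org/no-hash/-/no-hash-0.1.0.tgz" },
    "node_modules/hooked": { version: "3.3.3", integrity: "sha512-PLACEHOLDER",
      resolved: "https://registry.npmjs.org/hooked/-/hooked-3.3.3.tgz",
      hasInstallScript: true },
  },
};

// Returns [{ path, reason }]; an empty array means the lockfile passes.
function auditLockfile(lock, registryHost = EXPECTED_REGISTRY) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path === "" || pkg.link) continue; // root entry or workspace symlink
    if (!pkg.resolved) {
      findings.push({ path, reason: "no resolved URL; not pinned to an artifact" });
    } else {
      let host = "(unparseable)";
      try { host = new URL(pkg.resolved).hostname; } catch {}
      if (host !== registryHost) findings.push({ path, reason: `resolved from unexpected host: ${host}` });
    }
    if (!pkg.integrity) findings.push({ path, reason: "missing integrity hash" });
    if (pkg.hasInstallScript) findings.push({ path, reason: "declares install scripts; review before trusting" });
  }
  return findings;
}

for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.path}: ${f.reason}`);
```

Point it at your real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` and treat any finding as a dependency to look at before `npm ci` runs it.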


05 / 05 — Drupal Critical SQL Injection Being Actively Exploited
May 20–22  |  Active Exploitation  |  Highly Critical

Drupal — which powers a massive chunk of the internet’s CMS infrastructure — issued a warning that hackers are actively exploiting a highly critical SQL injection vulnerability disclosed earlier this week. SQL injection in a CMS at this scale is a serious problem. Attackers who successfully exploit it can dump databases, extract credentials, manipulate content, and in many cases escalate further into the underlying server.

Drupal sites are everywhere — government pages, university portals, enterprise platforms. The combination of “highly critical” and “active exploitation” with basically no gap between disclosure and attacks means threat actors were ready the moment this dropped. If you run Drupal or know someone who does, the patch needed to happen yesterday. This is also a textbook case of why coordinated disclosure timing matters.


The Overnight Summary

  • GitHub got hit through a malicious VS Code extension — your dev tools are part of your attack surface
  • Two Microsoft Defender flaws are being actively exploited — one hands attackers full SYSTEM privileges
  • A 9-year-old Linux kernel bug just went public — local shell to root on Debian, Ubuntu, and Fedora
  • Grafana’s GitHub was breached via a poisoned npm package — second supply chain hit this week
  • Drupal SQL injection is being actively exploited — patch immediately if you or your org runs it

Stay patched out there. — OvernightHacker
