{"id":97371,"date":"2026-05-23T09:03:16","date_gmt":"2026-05-23T06:03:16","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=97371"},"modified":"2026-05-23T09:06:20","modified_gmt":"2026-05-23T06:06:20","slug":"hack-of-thousands-of-github-repositories-interpols-shutdown-of-first-vpn-and-other-cybersecurity-stories","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/hack-of-thousands-of-github-repositories-interpols-shutdown-of-first-vpn-and-other-cybersecurity-stories\/","title":{"rendered":"Hack of thousands of GitHub repositories, Europol\u2019s shutdown of First VPN, and other cybersecurity stories"},"content":{"rendered":"<p>We\u2019ve compiled the week\u2019s key cybersecurity news.<\/p>\n<div class=\"wp-block-text-wrappers-keypoints article_keypoints\">\n<ul class=\"wp-block-list\">\n<li>A new crypto-stealing tool bypassed Apple\u2019s protections.<\/li>\n<li>Hackers gained access to thousands of GitHub repositories.<\/li>\n<li>Interpol made large-scale arrests in the Middle East and North Africa.<\/li>\n<li>A critical flaw was found in ChromaDB, a database for AI developers.<\/li>\n<\/ul>\n<\/div>\n<h2 class=\"wp-block-heading\">New crypto-stealing malware bypasses Apple protections<\/h2>\n<p>The new SHub Reaper infostealer bypasses macOS protections with a fake security-update prompt. It targets browser secrets and crypto wallets. Researchers at <a href=\"https:\/\/www.sentinelone.com\/blog\/shub-reaper-macos-stealer-spoofs-apple-google-and-microsoft-in-a-single-attack-chain\/\">SentinelOne<\/a> reported the threat.<\/p>\n<p>Unlike earlier attacks using an initial SHub build that relied on <a href=\"https:\/\/forklog.com\/en\/news\/stealth-bitcoin-address-swaps-a-sex-toy-makers-data-leak-and-other-cybersecurity-news\">ClickFix<\/a>, the new campaign uses a special applescript:\/\/ link. 
Opening it launches macOS\u2019s built-in Script Editor and runs the embedded malicious code.<\/p>\n<p>According to SentinelOne, the attackers spread the malware via fake installers for WeChat and Miro. Some lookalike domains spoofing Microsoft and QQ remained active at publication.<\/p>\n<p>Before invoking AppleScript, the malicious sites fingerprint the visitor\u2019s device to filter out researchers and machines with Russian-language locales. The code checks for virtual machines and VPNs, as well as for installed browser extensions for password managers and crypto wallets. All collected data is exfiltrated to the attacker via a Telegram bot.<\/p>\n<p>After launch, the user sees a fake Apple update notification. The payload then downloads a shell script and prompts for the macOS password.<\/p>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/img-b81cd53c62ff07a9-5083360139745133.webp\" alt=\"SHub_reaper_9\" class=\"wp-image-280369\"\/><figcaption class=\"wp-element-caption\">Password prompt. Source: SentinelOne.<\/figcaption><\/figure>\n<p>The infostealer then targets:<\/p>\n<ul class=\"wp-block-list\">\n<li>data from Google Chrome, Mozilla Firefox, Brave, Microsoft Edge, Opera, Vivaldi, Arc and Orion;<\/li>\n<li>crypto-wallet browser extensions, including MetaMask and Phantom;<\/li>\n<li>the 1Password, Bitwarden and LastPass password-manager browser extensions;<\/li>\n<li>desktop cryptocurrency wallet apps, including Exodus, Atomic Wallet, Ledger Live, Electrum and Trezor Suite;<\/li>\n<li>iCloud and Telegram account data;<\/li>\n<li>developer configuration files.<\/li>\n<\/ul>\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/img-438dff466a25440d-5083025245275949.webp\" alt=\"image\" class=\"wp-image-280368\"\/><figcaption class=\"wp-element-caption\">Searching for browser password managers and crypto wallets. 
Source: SentinelOne.<\/figcaption><\/figure>\n<p>Reaper also includes a Filegrabber module that searches the desktop and Documents folder for file types likely to contain sensitive information. It collects target files smaller than 2 MB (or up to 6 MB for PNG images), with a total data cap of 150 MB.<\/p>\n<p>Researchers warned the malware persists on the system, masquerading as Google updates.<\/p>\n<p>SentinelOne stressed that SHub operators are expanding the stealer\u2019s capabilities by adding remote-access functions to compromised devices, enabling additional payload delivery in future.<\/p>\n<h2 class=\"wp-block-heading\">Hackers gained access to thousands of GitHub repositories\u00a0<\/h2>\n<p>On 19 May hackers breached 3,800 internal GitHub repositories, accessing them via a malicious extension for the VS Code editor. The incident was <a href=\"https:\/\/github.blog\/security\/investigating-unauthorized-access-to-githubs-internal-repositories\/\">disclosed<\/a> by the company\u2019s chief information security officer, Alexis Wales.<\/p>\n<p>The breach occurred after a GitHub employee installed a tainted version of the popular Nx Console plugin (version 18.95.0). The malicious code aimed to steal developer credentials and secrets for cloud platforms, including <span data-descr=\"Amazon Web Services\" class=\"old_tooltip\">AWS<\/span>, Kubernetes, GitHub and Docker.<\/p>\n<p>The cybercriminal group TeamPCP claimed responsibility. They listed the stolen code for sale on the Breached forum, asking at least $50,000. The group had previously been linked to attacks on Mistral AI, UiPath, OpenSearch and OpenAI staff.<\/p>\n<p>The Nx Console developers <a href=\"https:\/\/nx.dev\/blog\/nx-console-v18-95-0-postmortem\">explained<\/a> that one of their own employees had earlier fallen victim to a supply-chain attack on the TanStack npm packages. 
Through the GitHub CLI utility, the hackers stole his tokens, logged into his work account and injected malicious code into the extension update.<\/p>\n<p>The infected version of Nx Console was available in the Visual Studio Marketplace for only 18 minutes (and 36 minutes on OpenVSX). Fewer than 70 downloads occurred in that time.<\/p>\n<p>GitHub said it swiftly isolated the compromised device and performed an emergency rotation of all critical secrets and access keys.<\/p>\n<h2 class=\"wp-block-heading\">Interpol made large-scale arrests in the Middle East and North Africa<\/h2>\n<p>Law enforcement from 13 Middle Eastern and North African countries arrested 201 suspects during Operation Ramz, aimed at combating cybercrime, <a href=\"https:\/\/www.interpol.int\/en\/News-and-Events\/News\/2026\/201-arrests-in-first-of-its-kind-cybercrime-operation-in-MENA-region\">Interpol<\/a> said.<\/p>\n<p>During the operation, the identities of 382 suspects were established in Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, the UAE, Oman, Palestine, Qatar and Tunisia.<\/p>\n<p>Authorities also seized 53 servers used for phishing, malware distribution and online fraud. 
Analysis of the data recovered from this equipment identified 3,867 victims.<\/p>\n<p>To track the hacker infrastructure, Interpol engaged private cybersecurity firms, including Kaspersky Lab, Group-IB, The Shadowserver Foundation, Team Cymru and TrendAI.<\/p>\n<h2 class=\"wp-block-heading\">A critical vulnerability found in the ChromaDB database for AI developers<\/h2>\n<p>A maximum-severity vulnerability was found in ChromaDB, a database widely used to build AI applications, according to <a href=\"https:\/\/www.hiddenlayer.com\/research\/chromatoast-served-pre-auth\">HiddenLayer<\/a>.<\/p>\n<p>ChromaDB is an open-source vector database and retrieval backend heavily used in agentic AI systems and related applications.<\/p>\n<p>According to HiddenLayer, the flaw affects the Python version of the <span data-descr=\"application programming interface\" class=\"old_tooltip\">API<\/span> (based on FastAPI) and stems from the order in which its security checks run. On receiving a request, the server first downloads and executes the <span data-descr=\"machine learning\" class=\"old_tooltip\">ML<\/span> model named in the request (for example, a malicious payload hosted on Hugging Face) and only then authenticates the caller. The server does eventually return an authorisation error, but by then the attacker\u2019s code has already run: in effect, unauthenticated remote code execution.<\/p>\n<p>The researchers estimate that about 73% of Chroma nodes run vulnerable versions. Local (in-process) deployments and servers using the Rust frontend are not affected. 
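<\/p>\n<p>The ordering bug described above, reduced to plain Python as an added illustration (this is example code, not Chroma\u2019s own source, and it deliberately avoids FastAPI so it runs stand-alone): a request handler that resolves the requested embedding model before authenticating the caller, beside a hardened handler that authenticates first and then checks the model name against an operator allowlist. The bearer token, the allowlist, the model names and the ModelRegistry stand-in for the model loader are all constructed for the example.<\/p>\n
```python
'''
Pre-authentication model loading of the kind HiddenLayer describes in
ChromaDB's Python (FastAPI) API, reduced to plain Python.  Added example:
this is not Chroma's code; the token, allowlist and model names below are
constructed for the demonstration.
'''
import hmac
from dataclasses import dataclass, field

# Constructed shared bearer token the server expects (assumption: token auth).
SERVER_TOKEN = 's3cr3t-token'
# Constructed allowlist of embedding models the operator agrees to load.
ALLOWED_MODELS = {'all-MiniLM-L6-v2'}


@dataclass
class Request:
    headers: dict
    body: dict


@dataclass
class ModelRegistry:
    '''Stand-in for the model loader.  Pulling a Hugging Face repo with
    remote code trusted runs that repo's Python on the server; here we only
    record which model names were loaded so the ordering is observable.'''
    executed: list = field(default_factory=list)

    def load(self, name: str) -> None:
        self.executed.append(name)


def authenticated(req: Request) -> bool:
    '''Constant-time check of a Bearer token against the server secret.'''
    token = req.headers.get('Authorization', '').removeprefix('Bearer ').strip()
    return hmac.compare_digest(token.encode(), SERVER_TOKEN.encode())


def create_collection_vulnerable(req: Request, registry: ModelRegistry) -> int:
    '''Vulnerable ordering: the embedding model named in the request body is
    resolved (and any model code run) before the caller is authenticated, so
    the 401 arrives after the damage is done.'''
    registry.load(req.body.get('embedding_function'))
    if not authenticated(req):
        return 401
    return 200


def create_collection_hardened(req: Request, registry: ModelRegistry) -> int:
    '''Hardened ordering: authenticate first, validate the model name against
    the allowlist second, and only then touch the loader.'''
    if not authenticated(req):
        return 401
    model = req.body.get('embedding_function')
    if model not in ALLOWED_MODELS:
        return 400
    registry.load(model)
    return 200


def demo() -> dict:
    '''Replay one unauthenticated request against both handlers.'''
    attacker = Request(
        headers={},  # no Authorization header at all
        body={'name': 'docs', 'embedding_function': 'backdoored-model'},
    )
    vuln_reg, hard_reg = ModelRegistry(), ModelRegistry()
    return {
        'vulnerable_status': create_collection_vulnerable(attacker, vuln_reg),
        'vulnerable_executed': list(vuln_reg.executed),
        'hardened_status': create_collection_hardened(attacker, hard_reg),
        'hardened_executed': list(hard_reg.executed),
    }


if __name__ == '__main__':
    print(demo())
```
\n<p>The stand-in loader only records what it was asked to load, which is enough to show the difference: with no token at all, the vulnerable handler still answers 401 but has already loaded the attacker-chosen model, whereas the hardened handler rejects the request before the loader is touched, and even a valid token cannot pull a model outside the allowlist.<\/p>\n<p>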
The ChromaDB team had not responded to the researchers\u2019 disclosure requests, and it is currently unclear whether the vulnerability has been fixed in the latest 1.5.9 release.<\/p>\n<p>Pending official guidance and patches, experts advised users to:<\/p>\n<ul class=\"wp-block-list\">\n<li>isolate the Python server from public access (restrict access to the API port via a firewall);<\/li>\n<li>use the Rust frontend as an alternative for exposed environments;<\/li>\n<li>carefully vet third-party ML models for backdoors before running them, especially where loading of remote model code (such as Hugging Face\u2019s trust_remote_code option) is enabled.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\">Europol dismantled First VPN over criminal use<\/h2>\n<p>Law enforcement took down the First VPN service, which was used by ransomware actors for extortion and data theft. The international operation was announced by <a href=\"https:\/\/www.europol.europa.eu\/media-press\/newsroom\/news\/cybercriminal-vpn-used-ransomware-actors-dismantled-in-global-crackdown\">Europol<\/a>.<\/p>\n<p>According to police, the service was advertised on hacker forums as a privacy-focused tool that kept no user activity logs and ignored law-enforcement requests. First VPN was named in virtually every major cybercrime case supported by the agency.<\/p>\n<p>The investigation began in December 2021 under the leadership of authorities in France and the Netherlands. At one stage, agents infiltrated the VPN\u2019s infrastructure, built a user database and identified connections used by hackers.<\/p>\n<p>As a result of the 19\u201320 May operation, core infrastructure was disrupted. 
Officers seized 33 servers in 27 countries, confiscated domains, arrested the administrator and searched a suspect\u2019s home in Ukraine.<\/p>\n<p>Also on ForkLog:<\/p>\n<ul class=\"wp-block-list\">\n<li>Polymarket <a href=\"https:\/\/forklog.com\/en\/news\/polymarket-confirms-private-key-compromise\">confirmed<\/a> a private key compromise.<\/li>\n<li>The MAPO token <a href=\"https:\/\/forklog.com\/en\/news\/mapo-token-plummets-96-following-hack\">fell<\/a> 96% after a hack.<\/li>\n<li>Media: the Pentagon <a href=\"https:\/\/forklog.com\/en\/news\/pentagon-forms-task-force-to-deploy-advanced-hacking-ai-models\">created<\/a> a group to deploy hacking AI models.<\/li>\n<li>Opinion: AI and quantum technologies <a href=\"https:\/\/forklog.com\/en\/news\/opinion-ai-and-quantum-technologies-threaten-corporate-security\">will put<\/a> existing security systems at risk.<\/li>\n<li>The BTCFi protocol Echo <a href=\"https:\/\/forklog.com\/en\/news\/echo-protocol-suffers-816000-hack\">was hacked<\/a> for $816,000.<\/li>\n<li>Hackers <a href=\"https:\/\/forklog.com\/en\/news\/hackers-extract-11-5-million-from-verus-protocol\">drained<\/a> $11.5 million from the Verus protocol.<\/li>\n<li>The THORChain team <a href=\"https:\/\/forklog.com\/en\/news\/thorchain-team-reveals-details-of-10-million-hack\">disclosed<\/a> details of a $10 million hack.<\/li>\n<\/ul>\n<h2 class=\"wp-block-heading\">What to read this weekend?<\/h2>\n<p>In a new piece, ForkLog explains how to try AI models that work without an internet connection for free and which resources to use as a beginner.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We\u2019ve compiled the week\u2019s key cybersecurity news.<\/p>\n","protected":false},"author":1,"featured_media":97372,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"This week: macOS malware, a GitHub breach, Interpol 
arrests, and a critical ChromaDB flaw.","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1238,1233],"class_list":["post-97371","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybersecurity-digest","tag-industry-digests"],"aioseo_notices":[],"amp_enabled":true,"views":"19","promo_type":"1","layout_type":"1","short_excerpt":"This week: macOS malware, a GitHub breach, Interpol arrests, and a critical ChromaDB flaw.","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/97371","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=97371"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/97371\/revisions"}],"predecessor-version":[{"id":97373,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/97371\/revisions\/97373"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/97372"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=97371"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=97371"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=97371"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}