A week of supply chain attacks, uncomfortable truths about patching, and two Microsoft on-premises platforms under active fire. The summary you need before the weekend.

The four stories of the week

🔴 TeamPCP breached GitHub in 18 minutes via a VS Code extension

The Nx Console extension — 2.2 million installs, verified publisher — was poisoned for just 18 minutes on the VS Code Marketplace. A GitHub developer had it installed. Result: 3,800 internal repositories exfiltrated and credentials from 1Password, Anthropic Claude Code, npm, GitHub and AWS silently stolen. The vector: a GitHub token stolen weeks earlier in TeamPCP’s TanStack campaign. GitHub confirmed customer repositories are not affected.

→ What you should do: Audit VS Code extensions installed on corporate endpoints and implement a security-team-approved extension allowlist. Full analysis →

🔴 Verizon 2026 DBIR: vulnerability exploitation overtakes credential theft for the first time

For the first time in 19 years of the DBIR, vulnerability exploitation (31%) overtakes credential theft (13%) as the leading initial access vector in breaches. Only 26% of critical CVEs in CISA’s KEV catalogue were patched in 2025. The median patching time rose to 43 days. Organisations are managing 50% more critical CVEs than the previous year.

→ What you should do: Treat KEV catalogue CVEs as active incidents with 72-hour deadlines. That 43-day median is the window during which attackers are already active. Full analysis →

🔴 Ghost CMS CVE-2026-26980 (CVSS 9.4): mass ClickFix campaign compromises Harvard, Oxford and DuckDuckGo blogs

An active campaign exploits this unauthenticated SQL injection in Ghost CMS’s Content API to inject malicious JavaScript that triggers ClickFix attacks against the blog’s own readers. The reader receives a fake error message asking them to execute a command in their terminal. Patch available: Ghost 5.120.1.

→ What you should do: Update self-hosted Ghost to 5.120.1 with ghost update and review your pages’ source for unauthorised JavaScript. Full analysis →

🔴 SharePoint under double threat: April zero-day still being exploited and Microsoft releases new RCE

CVE-2026-32201 has had a patch available for 44 days and is still being actively exploited across more than 1,300 internet-exposed on-premises servers. Yesterday Microsoft published CVE-2026-45659 (CVSS 8.8), a new RCE via deserialization that any authenticated user can exploit. Patches available for both.

→ What you should do: Apply SharePoint SE CU3 / KB5002659 (2016) / KB5002658 (2019) for the April CVE. Apply the May Patch Tuesday for the new RCE. Full analysis →

Apolo Cybersecurity: your weekly cybersecurity partner

Every Friday we break down the news that really matters for your organisation’s security. If you want to know how exposed your business is to any of these threats, we’re one click away.
