{"id":219012,"date":"2026-05-23T02:23:00","date_gmt":"2026-05-23T06:23:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/23\/hack-of-thousands-of-github-repositories-interpols-shutdown-of-first-vpn-and-other-cybersecurity-stories\/"},"modified":"2026-05-23T04:05:12","modified_gmt":"2026-05-23T08:05:12","slug":"hack-of-thousands-of-github-repositories-interpols-shutdown-of-first-vpn-and-other-cybersecurity-stories","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/23\/hack-of-thousands-of-github-repositories-interpols-shutdown-of-first-vpn-and-other-cybersecurity-stories\/","title":{"rendered":"Hack of thousands of GitHub repositories, Interpol\u2019s shutdown of First VPN, and other cybersecurity stories"},"content":{"rendered":"<p><a href=\"https:\/\/forklog.com\/en\/hack-of-thousands-of-github-repositories-interpols-shutdown-of-first-vpn-and-other-cybersecurity-stories\/\">Hack of thousands of GitHub repositories, Interpol\u2019s shutdown of First VPN, and other cybersecurity stories<\/a><\/p>\n<p><a href=\"https:\/\/forklog.com\/en\/hack-of-thousands-of-github-repositories-interpols-shutdown-of-first-vpn-and-other-cybersecurity-stories\/\">https:\/\/forklog.com\/en\/hack-of-thousands-of-github-repositories-interpols-shutdown-of-first-vpn-and-other-cybersecurity-stories\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-23 02:23:00<\/a><\/p>\n<p>Source Domain: <a href=\"forklog.com\">forklog.com<\/a><\/p>\n<p>
<\/p>\n<p>             This week: macOS malware, a GitHub breach, Interpol arrests, and a critical ChromaDB flaw.<\/p>\n<p>\t\t\t                        We\u2019ve compiled the week\u2019s key cybersecurity news.<\/p>\n<p>A new crypto-stealing tool bypassed Apple\u2019s protections.<br \/>\nHackers gained access to thousands of GitHub repositories.<br \/>\nInterpol made large-scale arrests in the Middle East and North Africa.<br \/>\nA critical flaw was found in ChromaDB, a database for AI developers.<\/p>\n<p>New crypto-stealing malware bypasses Apple protections<br \/>\nThe new infostealer Reaper bypasses macOS protections by using a fake security update prompt. It targets browser secrets and crypto wallets. Researchers at SentinelOne reported the threat.<br \/>\nUnlike earlier attacks using an initial SHub build that relied on ClickFix, the new campaign uses a special applescript:\/\/ link. Following it automatically opens macOS\u2019s built-in script editor and executes malicious code.<br \/>\nAccording to SentinelOne, the attackers spread the malware via fake installers for WeChat and Miro. Some lookalike domains spoofing Microsoft and QQ remained active at publication.<br \/>\nBefore invoking AppleScript, the malicious sites fingerprint the visitor\u2019s device to filter out researchers and terminals with Russian locales. The code checks for virtual machines and VPNs, as well as installed browser extensions for password managers and crypto wallets. All data is exfiltrated to the attacker via a Telegram bot.<br \/>\nAfter launch, the user sees a fake Apple update notification. The programme downloads a shell script and prompts for the macOS password.<br \/>\nPassword prompt. 
Source: SentinelOne.\u00a0<br \/>\nThe infostealer then targets:<\/p>\n<p>data from Google Chrome, Mozilla Firefox, Brave, Microsoft Edge, Opera, Vivaldi, Arc and Orion;<br \/>\nbrowser extensions of crypto wallets, including MetaMask and Phantom;<br \/>\nbrowser extensions of the 1Password, Bitwarden and LastPass password managers;<br \/>\ndesktop cryptocurrency wallet apps, including Exodus, Atomic Wallet, Ledger Live, Electrum and Trezor Suite;<br \/>\niCloud and Telegram account data;<br \/>\nconfiguration files related to programming.<\/p>\n<p>Searching for browser password managers and crypto wallets. Source: SentinelOne.<br \/>\nReaper also includes a Filegrabber module that searches the desktop and Documents folder for file types likely to contain sensitive information. It collects target files smaller than 2 MB (or up to 6 MB for PNG images), with a total data cap of 150 MB.<br \/>\nResearchers warned the malware persists on the system, masquerading as Google updates.<br \/>\nSentinelOne stressed that SHub operators are expanding the stealer\u2019s capabilities by adding remote-access functions to compromised devices, enabling additional payload delivery in future.<br \/>\nHackers gained access to thousands of GitHub repositories\u00a0<br \/>\nOn 19 May hackers breached 3,800 internal GitHub repositories, accessing them via a malicious extension for the VS Code editor. The incident was disclosed by the company\u2019s chief information security officer, Alexis Wales.<br \/>\nThe breach occurred after a GitHub employee installed a tainted version of the popular Nx Console plugin (version 18.95.0). The malicious code aimed to steal developer credentials and secrets for cloud platforms, including AWS, Kubernetes, GitHub and Docker.<br \/>\nThe cybercriminal group TeamPCP claimed responsibility. They listed the stolen code for sale on the Breached forum, asking at least $50,000. 
The group had previously been linked to attacks on Mistral AI, UiPath, OpenSearch and OpenAI staff.<br \/>\nThe Nx Console developers explained that one of their own employees had earlier fallen victim to a supply-chain attack on the TanStack npm packages. Through the GitHub CLI utility, the hackers stole his tokens, logged into his work account and injected malicious code into the extension update.<br \/>\nThe infected version of Nx Console was available in the Visual Studio Marketplace for only 18 minutes (and 36 minutes on OpenVSX). Fewer than 70 downloads occurred in that time.<br \/>\nGitHub said it swiftly isolated the compromised device and performed an emergency rotation of all critical secrets and access keys.<br \/>\nInterpol made large-scale arrests in the Middle East and North Africa<br \/>\nLaw enforcement from 13 Middle Eastern and North African countries arrested 201 suspects during Operation Ramz, aimed at combating cybercrime, Interpol said.<br \/>\nDuring the operation, the identities of 382 suspects were established in Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, the UAE, Oman, Palestine, Qatar and Tunisia.<br \/>\nAuthorities also seized 53 servers used for phishing, malware distribution and online fraud. 
Analysis of the data taken from this equipment showed 3,867 victims.<br \/>\nTo track the hacker infrastructure, Interpol engaged private cybersecurity firms, including Kaspersky Lab, Group-IB, The Shadowserver Foundation, Team Cymru and TrendAI.<br \/>\nA critical vulnerability found in the ChromaDB database for AI developers<br \/>\nA top-severity critical vulnerability was found in ChromaDB, a database widely used to build AI applications, according to HiddenLayer.<br \/>\nChromaDB is an open-source vector database and retrieval backend heavily used in agentic AI systems and related applications.<br \/>\nAccording to HiddenLayer, the flaw affects the Python version of the API (based on FastAPI) and stems from broken security checks. Upon receiving a request, the system first downloads and executes the specified ML model (for example, a malicious payload from Hugging Face), and only then verifies the user\u2019s authenticity. The server duly returns an authorisation error, but by that time the attacker\u2019s code has already executed.<br \/>\nThe researchers estimate that about 73% of Chroma nodes run vulnerable versions. Local builds and projects using the Rust frontend are not at risk. The ChromaDB team is ignoring the researchers\u2019 requests, and it is currently unclear whether the vulnerability has been fixed in the latest 1.5.9 release.<br \/>\nPending official guidance and patches, experts advised users to:<\/p>\n<p>isolate the Python server from public access (restrict access to the API port via a firewall);<br \/>\nuse the Rust frontend as an alternative for exposed environments;<br \/>\ncarefully vet third-party ML models for backdoors before running them, especially if trust in remote code is enabled.<\/p>\n<p>Europol dismantled First VPN over criminal use<br \/>\nLaw enforcement disabled the First VPN service, which was used for extortion and data theft. 
The international operation was announced by Europol.<br \/>\nAccording to police, the service was advertised on hacker forums as a privacy-focused tool that kept no user activity logs and ignored law-enforcement requests. First VPN was named in virtually every major cybercrime case supported by the agency.<br \/>\nThe investigation began in December 2021 under the leadership of authorities in France and the Netherlands. At one stage, agents infiltrated the VPN\u2019s infrastructure, built a user database and identified connections used by hackers.<br \/>\nAs a result of the 19\u201320 May operation, core infrastructure was disrupted. Officers seized 33 servers in 27 countries, confiscated domains, arrested the administrator and searched a suspect\u2019s home in Ukraine.<br \/>\nAlso on ForkLog:<\/p>\n<p>Polymarket confirmed a private key compromise.<br \/>\nThe MAPO token fell 96% after a hack.<br \/>\nMedia: the Pentagon created a group to deploy hacking AI models.<br \/>\nOpinion: AI and quantum technologies will put existing security systems at risk.<br \/>\nThe BTCFi protocol Echo was hacked for $816,000.<br \/>\nHackers drained $11.5 million from the Verus protocol.<br \/>\nThe THORChain team disclosed details of a $10 million hack.<\/p>\n<p>What to read this weekend?<br \/>\nIn a new piece, ForkLog explains how to try AI models that work without an internet connection for free and which resources to use as a beginner.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hack of thousands of GitHub repositories, Interpol\u2019s shutdown of First VPN, and other cybersecurity stories&#8230;<\/p>\n","protected":false},"author":1,"featured_media":219013,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/forklog.com\/wp-content\/uploads\/img-66d050fbc289a484-4082036415917875.webp","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,30,24,35,36,32,25,27],"class_list":["post-219012","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-breach","tag-cybersecurity","tag-hacker","tag-infostealer","tag-malware","tag-phishing","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/219012"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=219012"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/219012\/revisions"}],"predecessor-version":[{"id":219014,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/219012\/revisions\/219014"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/219013"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=219012"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=219012"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=219012"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}