Threat Intel Update
Attackers are intensifying focus on developer tooling and supply chains: a malicious VS Code extension compromised 3,800 GitHub repositories, and 600+ npm packages were poisoned in under an hour. Verizon’s 2026 DBIR marks a first: vulnerability exploitation now leads all breach vectors at 31%, surpassing stolen credentials.
AI is compressing attacker timelines from months to hours, accelerating exploitation and enabling hyper-personalized phishing at scale. Phishing is also shifting toward OAuth token hijacking, granting persistent access that survives password resets and evades traditional monitoring.
Microsoft’s Fox Tempest takedown exposed the maturity of cybercrime-as-a-service: a fully operational malware-signing service that let criminal groups bypass security controls without technical expertise.
Cybersecurity News
- Malicious VS Code Extension Breaches 3,800 GitHub Repositories – A malicious extension on the official VS Code marketplace compromised 3,800 internal GitHub repositories before being contained. No customer data was impacted, but the incident highlights how trusted developer platforms can be weaponized to bypass traditional security controls. BleepingComputer
- Verizon: Vulnerability Exploitation Now the Leading Breach Vector – Verizon’s 2026 DBIR finds vulnerability exploitation has surpassed stolen credentials as the top breach vector for the first time, accounting for 31% of all breaches. AI is accelerating the trend, shrinking exploitation timelines from months to hours and leaving organizations less time to patch. Hackread
- 600+ npm Packages Poisoned in Under an Hour – A new wave of the Shai-Hulud supply chain attack pushed 639 malicious package versions in roughly one hour, primarily targeting the @antv ecosystem. Because the updates appeared in trusted packages, developers risk unknowingly pulling compromised code through routine dependency updates. BleepingComputer
- Microsoft Disrupts Malware-Signing-as-a-Service Operation – Microsoft took down Fox Tempest, a cybercrime group running a malware-signing service that generated fraudulent certificates to make malicious software appear legitimate. The operation lowered the technical barrier for ransomware groups and reflects the growing specialization of the cybercrime-as-a-service ecosystem. The Hacker News
- Phishing Evolves from Password Theft to OAuth Token Hijacking – Attackers are shifting from stealing passwords to hijacking OAuth tokens by tricking users into completing legitimate MFA flows. The resulting access is persistent, survives password resets, and is nearly invisible to standard identity monitoring tools. The Hacker News
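The npm item above describes hundreds of malicious package versions being pushed in roughly an hour, which is the kind of publishing pattern a dependency audit can look for. The following is an added example written for this briefing, not code from BleepingComputer, the Shai-Hulud research, or any project named here. It applies a sliding-window heuristic to the per-package `time` map that the public npm registry document for a package exposes (version to ISO 8601 publish timestamp); the registry data, package names and timestamps below are constructed samples, and the window and count thresholds are assumptions to tune against your own dependency set.

```python
"""Flag npm packages whose registry metadata shows a burst of version
publications inside a short window. Added example for this briefing; the
registry data below is constructed, and the thresholds are assumptions."""
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the npm registry's "time" map for a package
# (version -> ISO 8601 publish timestamp, plus "created"/"modified" keys).
# Package names and timestamps are made up for the example.
SAMPLE_REGISTRY = {
    "@example/normal-lib": {
        "created": "2024-01-10T09:00:00.000Z",
        "modified": "2025-03-02T11:00:00.000Z",
        "1.0.0": "2024-01-10T09:00:00.000Z",
        "1.1.0": "2024-06-15T10:30:00.000Z",
        "1.2.0": "2025-03-02T11:00:00.000Z",
    },
    "@example/burst-lib": {
        "created": "2023-05-01T08:00:00.000Z",
        "modified": "2025-11-20T14:55:00.000Z",
        "2.0.0": "2023-05-01T08:00:00.000Z",
        "2.0.1": "2025-11-20T14:01:00.000Z",
        "2.0.2": "2025-11-20T14:07:00.000Z",
        "2.0.3": "2025-11-20T14:20:00.000Z",
        "2.0.4": "2025-11-20T14:41:00.000Z",
        "2.0.5": "2025-11-20T14:55:00.000Z",
    },
}


def parse_publish_times(time_map):
    """Return (timestamp, version) pairs sorted by time, skipping the
    registry's non-version keys "created" and "modified"."""
    pubs = []
    for version, stamp in time_map.items():
        if version in ("created", "modified"):
            continue
        # fromisoformat() needs "+00:00" rather than "Z" on older Pythons.
        ts = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        pubs.append((ts.astimezone(timezone.utc), version))
    pubs.sort()
    return pubs


def burst_versions(time_map, window=timedelta(hours=1), min_count=4):
    """Return the versions in the largest cluster published within `window`
    if that cluster has at least `min_count` members, else an empty list.
    Uses a sliding window over the sorted publish times (assumed thresholds)."""
    pubs = parse_publish_times(time_map)
    best = []
    left = 0
    for right in range(len(pubs)):
        # Advance the left edge until the window spans at most `window`.
        while pubs[right][0] - pubs[left][0] > window:
            left += 1
        cluster = [version for _, version in pubs[left:right + 1]]
        if len(cluster) > len(best):
            best = cluster
    return best if len(best) >= min_count else []


def audit_dependencies(package_names, registry, **thresholds):
    """Map each dependency name (e.g. package-lock.json "packages" keys with
    the "node_modules/" prefix stripped) to its burst versions, if any.
    `registry` is a dict of package name -> registry "time" map."""
    findings = {}
    for name in package_names:
        time_map = registry.get(name)
        if time_map is None:
            continue  # not in the registry snapshot we were given
        burst = burst_versions(time_map, **thresholds)
        if burst:
            findings[name] = burst
    return findings


if __name__ == "__main__":
    deps = ["@example/normal-lib", "@example/burst-lib"]
    for name, versions in audit_dependencies(deps, SAMPLE_REGISTRY).items():
        print(f"{name}: {len(versions)} versions published within one hour: {versions}")
```

A burst of releases is only a signal, not proof of compromise; maintainers do occasionally publish several versions in quick succession. The value is in surfacing which dependencies changed unusually fast so they can be held at a pinned, previously reviewed version until the releases are examined, which is the routine-update exposure the item above describes.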