Breaking BREAKING: TanStack → Nx Console → GitHub breached — 3,800 repos exfiltrated, OpenAI & Mistral AI compromised, same TeamPCP / Mini Shai-Hulud campaign • Microsoft Defender zero-day patched today — two bugs exploited in the wild • CVE-2026-42897 — Exchange OWA zero-day, active exploitation, CISA deadline May 29 • MiniPlasma — Windows SYSTEM zero-day, no patch until June 10 • CVE-2026-46300 Fragnesia — Linux kernel LPE, 3rd in 2 weeks • CVE-2026-20182 — Cisco SD-WAN CVSS 10.0
VS Code editor representing the TanStack Nx Console supply chain attack that breached GitHub OpenAI Mistral AI
Cover Story 🚨 GitHub Breached OpenAI Compromised 3,800 Repos

18 Minutes: How a Poisoned VS Code Extension
Breached GitHub, OpenAI & Mistral AI

TeamPCP published a malicious Nx Console update at 12:30 UTC on May 18. VS Code auto-updated 2.2 million installs silently. One was a GitHub employee. By 12:48 UTC the extension was removed — but 3,800 GitHub internal repositories had already been exfiltrated. OpenAI and Mistral AI fell the same way. Same threat actor as PyTorch Lightning. Now operating at SolarWinds scale.

Supply Chain May 21, 2026 16 min read
Read Full Story →
Latest

Threats & Attacks

Supply Chain Attack
TanStack → Nx Console → GitHub: One VS Code Extension Breaches GitHub, OpenAI & Mistral AI in 18 Minutes

TeamPCP’s poisoned Nx Console update auto-delivered to 2.2M installs. One GitHub employee compromised. 3,800 internal repos exfiltrated. OpenAI, Mistral AI, Grafana Labs all hit. Mini Shai-Hulud at SolarWinds scale.

May 21, 2026
 Email Security
CVE-2026-42897: Exchange OWA Zero-Day Exploited in the Wild — No Patch, CISA Deadline May 29

One crafted email triggers JavaScript in an authenticated OWA session. No credentials needed. No permanent patch. CISA KEV. Exchange Online users are safe. On-prem admins must act now.

May 19, 2026
 Windows Zero-Day
MiniPlasma: Microsoft “Fixed” This in 2020 — Still Gives SYSTEM on Every Fully Patched Windows PC

Standard user in, SYSTEM shell out. Public PoC on GitHub. No patch until June 10. 6th zero-day in 6 weeks. The first 3 were confirmed used in real attacks.

May 19, 2026
 Linux Kernel
Fragnesia (CVE-2026-46300): The Linux LPE That the Dirty Frag Patch Accidentally Created

No race condition. Public PoC. Container escape. Dirty Frag kernel patch does NOT protect you. Third Linux root exploit in two weeks. Separate patch required.

May 18, 2026
 Network Infrastructure
CVE-2026-20182: CVSS 10.0 Cisco SD-WAN Auth Bypass — 11 Threat Clusters Exploiting Now

Four DTLS packets. No credentials. Full admin access to the enterprise SD-WAN fabric. CISA Emergency Directive. Nation-state-linked UAT-8616 confirmed exploiting.

May 16, 2026
 Web Server
NGINX Rift (CVE-2026-42945): 18-Year Heap Overflow — Now Actively Exploited in the Wild

VulnCheck confirms real-world attacks. CVSS 9.2. ~34% of all internet web servers exposed. Patch to NGINX 1.30.1 immediately.

May 14, 2026
Deep Dive

Analysis & Intelligence

01
Application Security
ASPM Is the Cybersecurity Blind Spot Behind Today’s Biggest Enterprise Breaches
Jan 23, 2026Analysis
02
Supply Chain
Third-Party & Supply-Chain Cyber Risk: The Enterprise Blind Spot Behind “Surprise” Breaches
Jan 7, 2026Intelligence
03
AI Risk
AI Model Poisoning & LLM Data Leakage: The Silent Cyber Threat Reshaping Enterprise Security
Dec 11, 2025Investigation
04
APT
From Perimeter Defense to Continuous Trust: Enterprise Strategies for Managing APT Risk
Feb 25, 2026Deep Dive
More

Further Coverage

Critical RCE
Dead.Letter (CVE-2026-45185): Exim CVSS 9.8 Unauthenticated RCE — AI-Built Exploit

One SMTP sequence. Heap corrupted. Shell opened. An autonomous AI built the full working exploit in 7 days. Patch to Exim 4.99.3 immediately.

May 13, 2026
 Linux Kernel
Copy Fail (CVE-2026-31431): The 9-Year Linux LPE That Gives Anyone Root in Seconds

732 bytes of Python. Root on every major Linux distro since 2017. No race condition. No disk trace. Container escape. CISA KEV listed.

May 7, 2026
 Supply Chain
PyTorch Lightning Supply Chain Attack: The Mini Shai-Hulud Campaign’s First Strike

The same TeamPCP campaign that just hit GitHub started here. Malicious PyPI packages, credential-stealing worm, IDE persistence hooks. The origin story.

Apr 30, 2026
 DevSecOps
Secrets Management: The Silent Security Failure Hiding in Code, Pipelines & Cloud Infrastructure

Hardcoded credentials and exposed API keys are a silent epidemic. Most teams don’t discover them until it’s too late.

Apr 15, 2026
 Vulnerabilities
Zero-Day Exploits: Why They’re Crushing Enterprise Organizations

A zero-day gives attackers a window defenders can’t close in time. Here’s how enterprises reduce damage before patches exist.

Dec 22, 2025
 Security Operations
The Death of the Traditional SOC: Why Legacy Security Operations Can’t Keep Up

Alert fatigue, talent shortages, and attacker velocity are breaking the classic SOC model. AI-driven ops are no longer optional.

Nov 28, 2025

The DataWater Intelligence Brief

Weekly cybersecurity analysis and CISO-level insights — no noise, no vendor pitches. Just signal.