Cleartext

Cleartext – May 20, 2026


Daily cybersecurity briefing for CISOs and security leaders.

Episode Summary

Today's episode covers 9 stories across 4 topic areas, including: CISA credential leak raises alarms, and Capitol Hill demands answers; Ukraine says Russia is deploying AI-powered malware on the battlefield; Huawei zero-day attack behind last year's crash of Luxembourg's entire telecoms network.

Stories Covered
🌍 Geopolitical
CISA credential leak raises alarms, and Capitol Hill demands answers

CyberScoop · May 19 · Relevance: █████████░ 9/10

Why it matters to CISOs: The agency responsible for defending federal networks leaked plaintext passwords and GovCloud keys publicly — this undermines trust in government security guidance and raises questions about contractor security posture that affects any enterprise working with federal systems.

• CISA contractor Nightwing linked to leaked credentials on a public GitHub repository
• Senator Hassan formally demanded answers from CISA acting director
• Leaked materials included plaintext passwords and cloud keys for government environments

Ukraine says Russia is deploying AI-powered malware on the battlefield

The Record (Recorded Future) · May 19 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Russia's documented escalation of AI-powered cyber operations in Ukraine provides a preview of techniques likely to proliferate against Western enterprises — CISOs should use this intelligence to model adversarial AI capabilities in threat assessments.

• Ukraine's National Security and Defense Council reports dramatic expansion of Russia's AI-enabled cyber operations
• AI is being applied to social engineering, malware development, and attack automation
• Ukrainian officials warn of a growing attacker-defender imbalance due to AI

Huawei zero-day attack behind last year's crash of Luxembourg's entire telecoms network

The Record (Recorded Future) · May 19 · Relevance: ████████░░ 8/10

Why it matters to CISOs: A previously unexplained national telecom outage traced to a Huawei zero-day raises serious questions about critical infrastructure supply chain trust — CISOs in telecom and enterprises dependent on telecom resilience should factor this into vendor risk assessments.

• Luxembourg's entire telecom network crash last year attributed to a Huawei zero-day exploit
• The flaw has not been publicly acknowledged by Huawei
• No evidence of recurrence, but the vulnerability remains unexplained

📡 Macro Trends
Verizon DBIR: Vulnerability exploitation is the dominant initial access vector

Help Net Security · May 20 · Relevance: █████████░ 9/10

Why it matters to CISOs: The DBIR is a benchmark report for board-level risk communication — vulnerability exploitation overtaking credential theft as the #1 initial access vector for the first time in 19 years demands a reassessment of patch management investment and prioritization strategies.

• 31% of breaches began with vulnerability exploitation, now the top initial access vector
• First time credential theft has been displaced as the leading entry point in the DBIR's 19-year history
• Patching lag remains a systemic industry problem

Cybercrime service disrupted for abusing Microsoft platform to sign malware

BleepingComputer · May 19 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Fox Tempest's malware-signing-as-a-service enabled ransomware operators to bypass code-signing trust controls — CISOs should review their code-signing validation and allowlisting policies given this trust model was systematically abused.

• Microsoft's Digital Crimes Unit disrupted Fox Tempest infrastructure
• The group operated a malware-signing-as-a-service abusing Microsoft's Artifact Signing service
• Service was used by ransomware gangs and other cybercriminals to generate fraudulent code-signing certificates

🔓 Data Breach
GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos

The Hacker News · May 20 · Relevance: █████████░ 9/10

Why it matters to CISOs: A supply-chain-critical platform used by virtually every enterprise dev team was compromised via a poisoned VS Code extension — CISOs must assess exposure to GitHub-hosted internal tooling and review IDE extension policies immediately.

• TeamPCP exfiltrated ~3,800 internal GitHub repositories
• Initial access was via a malicious VS Code extension installed by an employee
• GitHub says no evidence of customer data theft outside internal repos so far

Mini Shai-Hulud returns, compromising hundreds of npm packages

CyberScoop · May 19 · Relevance: ████████░░ 8/10

Why it matters to CISOs: This ongoing supply-chain campaign is stealing publishing tokens and installing OS-level backdoors in CI/CD pipelines — CISOs need to validate software composition analysis controls and audit developer environment integrity immediately.

• 600+ malicious npm packages published in latest wave
• Malware steals publishing tokens, installs OS-level backdoors, and persists in CI pipelines
• Campaign has already compromised several widely-used open source projects

7-Eleven confirms data breach claimed by the ShinyHunters gang

BleepingComputer · May 19 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: ShinyHunters continues to target large retail brands — CISOs in retail and consumer-facing industries should review this incident for applicable TTPs and ensure extortion response plans are current.

• 7-Eleven confirmed systems were breached in a cyberattack
• ShinyHunters extortion group claimed responsibility last month
• Scope of customer data impact still under investigation

                  βš–οΈ Governance & Policy
                  Telecom sector launches its own private ISAC

                  Cybersecurity Dive Β· May 19 Β· Relevance: β–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–‘β–‘β–‘ 7/10

                  Why it matters to CISOs: Major telecoms creating a private ISAC to avoid federal government involvement signals a shift in public-private threat sharing dynamics β€” CISOs should monitor whether this model proliferates to other critical sectors and how it affects intelligence quality.

                  • Major telecom providers launched a new private ISAC separate from government-involved groups
                  • Federal involvement in existing groups reportedly chilled cybersecurity discussions
                  • New group aims to enable more candid threat intelligence sharing among providers

Full Transcript

Jordan: The agency responsible for telling the rest of us how to secure federal networks just leaked plaintext passwords and cloud keys on a public GitHub repository. Let that sit for a second.

Alex: Welcome to Cleartext. It's Wednesday, May 20th, 2026. I'm Alex Chen.

Jordan: And I'm Jordan Reeves.

Alex: Today we're covering a lot of ground. The CISA credential leak and what it means for anyone operating in or adjacent to federal environments. The 2026 Verizon DBIR dropped this morning with a historic shift in how attackers are getting in. GitHub is investigating a major internal breach via a malicious IDE extension. Russia is deploying AI-enabled malware in Ukraine and the implications reach well beyond the battlefield. And a fresh wave of npm supply chain compromises is hitting CI/CD pipelines right now. That's the menu. Let's get into it.

Jordan: So CISA. The Nightwing contractor situation. A researcher described the leaked repository as one of the worst he'd ever seen, and he's not being dramatic. We're talking plaintext passwords, GovCloud keys, live credentials for government environments — sitting on a public GitHub repo. Senator Hassan has formally demanded answers from CISA's acting director, which tells you this is not going away quietly.

Alex: Here's the board-level framing on this. CISA is the authority. They write the guidance. They issue the directives. They tell federal agencies and critical infrastructure operators what good looks like. When they are the breach, it doesn't just create an operational problem — it creates a credibility problem that cascades. If you're a CISO at a company with federal contracts, GovCloud deployments, or any FedRAMP-adjacent posture, you need to audit your contractor security posture right now. Not because you caused this. Because this incident demonstrates that contractor hygiene across the federal ecosystem is genuinely broken, and you can't assume your contractors are the exception.

Jordan: And the contractor dynamic here matters. Nightwing is the entity linked to this leak, not CISA employees directly. That's actually the harder governance problem. You can control your own staff. Controlling what your contractors do with privileged credentials in their own development environments is a different kind of problem. Most enterprises haven't solved it either.

Alex: Agreed. Now let's shift to the DBIR because it dropped this morning and it's relevant to every conversation we're about to have. For the first time in nineteen years, vulnerability exploitation has knocked credential theft off the top spot as the leading initial access vector. Thirty-one percent of breaches started with exploitation. That's not a marginal change — that's a structural shift.

Jordan: And the underlying driver isn't that attackers suddenly love CVEs more than stolen passwords. It's that the volume and speed of exploitation has changed. The window between disclosure and weaponization has compressed to hours in some cases. And patching lag across the industry is still measured in weeks to months. That gap is where attackers live.

Alex: For CISOs, this is a board conversation. If your security narrative has been built around identity and credential controls — and a lot of programs have been, because that was the right call for a long time — you need to rebalance. Not abandon identity work, but make a credible argument for why your patch management program and your exposure management posture are funded at the level this threat demands. The DBIR gives you the citation. Use it.

Jordan: Now let's talk about GitHub, because this one hits close to home for a lot of security teams. The threat actor TeamPCP exfiltrated approximately 3,800 internal GitHub repositories. GitHub says no evidence of customer data compromise outside their internal systems so far, but the initial access vector is what every CISO needs to pay attention to: a malicious VS Code extension installed by an employee.

Alex: Think about your developer population. How many of them are installing extensions from the marketplace with minimal scrutiny? IDE extensions run with the same privileges as the developer. They can read files, exfiltrate tokens, access environment variables, reach secrets in config files. This is not a theoretical attack surface. It just played out against GitHub itself.

Jordan: And GitHub is not a naive target. They have sophisticated security engineering. If a poisoned extension got through their controls and reached internal repositories at this scale, the question every CISO has to ask is: what's our extension allowlisting policy? Do we have one? Is it enforced? If the answer is no, that's a gap you're fixing this week.

Alex: Connect this to the npm story as well, because they're thematically linked. The Mini Shai-Hulud campaign — and yes, that's a real threat actor name — published over 600 malicious npm packages in the latest wave. The malware steals publishing tokens, installs OS-level backdoors, and persists inside CI/CD pipelines. Several widely-used open source projects have already been compromised.

Jordan: What makes this particularly nasty is the persistence model. This isn't just a compromised package that you patch and move on from. If the malware is in your CI pipeline, it's watching every build. It can poison future artifacts. You have to treat this as an incident, not a software update.

Alex: If you haven't validated that your software composition analysis tooling is current and that your developer environment integrity is intact, that's the action item. SCA alone isn't sufficient here — you need to be looking at your pipeline integrity holistically.

Jordan: Let's spend a minute on Russia's AI cyber operations because this one deserves serious analytical attention, not just a headline. Ukraine's National Security and Defense Council is reporting a dramatic expansion of Russia's AI-enabled offensive capabilities over the past year. AI applied to social engineering, malware development, and attack automation. Ukrainian officials are explicitly describing a growing imbalance between attackers and defenders.

Alex: The Ukraine theater has functioned as a live test environment for Russian offensive cyber capabilities for years now. Techniques that appear there tend to proliferate. AI-accelerated malware development means faster variant generation, more personalized phishing, and reduced operational cost for the attacker. That attacker-defender imbalance comment is not hyperbole. It's a preview.

Jordan: The practical implication for threat modeling: if your threat assessments don't include adversarial AI capability as a factor, they're already out of date. Nation-state level AI offensive tooling will diffuse into criminal ecosystems. It always does. The timeline is compressing.

Alex: Two more items worth flagging. On the Huawei zero-day: Luxembourg's entire national telecom network going down last year has now been attributed to a Huawei zero-day exploit. Huawei has not acknowledged the vulnerability. There's no evidence of recurrence, but the flaw remains unexplained. For CISOs in telecom or industries with deep telecom infrastructure dependencies, this goes into your vendor risk model. Full stop.

Jordan: And Microsoft's disruption of Fox Tempest — the group running malware-signing-as-a-service — is a win, but a qualified one. They were systematically abusing Microsoft's own Artifact Signing service to generate fraudulent code-signing certificates for ransomware operators. The trust model for code signing was being sold as a commodity service. Review your allowlisting policies. A signed binary is not a safe binary.

Alex: Briefly on 7-Eleven and the ShinyHunters confirmation: they've confirmed the breach; scope is still under investigation. If you're in retail or consumer-facing industries, pull the TTPs and pressure-test your extortion response plans. ShinyHunters is prolific and methodical.

Jordan: And on the telecom ISAC story — major providers launching a private ISAC explicitly to avoid federal government involvement — I think this is actually a signal worth watching carefully. The stated reason is that federal presence was chilling candid threat intelligence sharing.

Alex: That tells you something about the current state of public-private trust in the security space. If the model proliferates to other critical sectors, the intelligence sharing ecosystem fragments. That may mean better signal quality within sectors and worse cross-sector visibility. For CISOs in critical infrastructure, think about where you're getting your intelligence and whether that sourcing changes if this model spreads.

Jordan: Stepping back to the week's theme — what we're really seeing is a coherent picture of institutional trust under stress. CISA leaks its own credentials. A trusted platform like GitHub gets compromised through a trusted tool category. Code-signing certificates are being commoditized for malware. The controls that enterprises have built their security programs around — trust in government guidance, trust in signed code, trust in vetted extensions — are all being systematically challenged at the same time.

Alex: Which means the posture that wins right now is one that assumes less and verifies more. Not paranoia — operational skepticism applied consistently. Zero trust as a philosophy, not just an architecture. That's the board message this week.

Jordan: Watch for CISA's formal response to Senator Hassan's inquiry. And watch the GitHub investigation closely — if customer data exposure surfaces, the scope of this changes significantly.

Alex: That's Cleartext for Wednesday, May 20th. Show notes and links to every story we covered today are at cleartext.fm. If this was useful, share it with a peer who needs it. We'll be back tomorrow.

Jordan: Stay sharp.

Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-05-20.

Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.
