On this week’s show Patrick Gray, Adam Boileau and James Wilson discuss the week’s cybersecurity news. They cover:

• TeamPCP breached GitHub’s internal repos. Now what?
• Some absolute plonker glued Coruna to a hijacked npm package
• CISA is worried about about open source and wants third party submissions for KEV
• AI infrastructure is “systemically” insecure
• Much, much more

This week’s episode is sponsored by allowlisting vendor Airlock Digital. Airlock’s founders David Cottingham and Daniel Schell join Patrick Gray to talk about Microsoft briefly flagging DigitCert’s root certificate as malware. Fun!

Show notes:

GitHub confirms being hacked by TeamPCP, says customer data unaffected | therecord.media https://therecord.media/github-confirms-teampcp-hack-customers-unaffected

Grafana Labs links GitHub environment breach to TanStack npm supply chain attack | Cybersecurity Dive https://www.cybersecuritydive.com/news/grafana-labs-github-environment-breach-tanstack-npm-supply-chain/820866

Coruna Respawned: Compromised art-template npm Package Leads… | Socket https://socket.dev/blog/coruna-respawned-compromised-art-template-npm-package

CISA chief frets about open-source vulnerabilities, delayed security improvements | cyberscoop.com https://cyberscoop.com/cisa-chief-frets-about-open-source-vulnerabilities-delayed-security-improvements

Anthropic: Mythos finds more than 10,000 software flaws in first month | cyberscoop.com https://cyberscoop.com/anthropic-mythos-software-flaws-glasswing

Pardon MIE? | ironPeak Blog https://ironpeak.be/blog/bypassing-apple-mie

CISA asks cybersecurity community to alert it to vulnerability exploitation | Cybersecurity Dive https://www.cybersecuritydive.com/news/cisa-cve-vulnerability-exploitation-nominations/820870

Lawmakers Demand Answers as CISA Tries to Contain Data Leak | krebsonsecurity.com https://krebsonsecurity.com/2026/05/lawmakers-demand-answers-as-cisa-tries-to-contain-data-leak

Google publishes exploit code threatening millions of Chromium users | arstechnica.com https://arstechnica.com/security/2026/05/google-publishes-exploit-code-threatening-millions-of-chromium-users

Millions of AI agents imperiled by critical vulnerability in open source package | arstechnica.com https://arstechnica.com/information-technology/2026/05/millions-of-ai-agents-imperiled-by-critical-vulnerability-in-open-source-package

Discord migrates all users to end-to-end encryption by default | The Record https://therecord.media/discord-migrates-users-to-end-to-end-encryption

Texas AG sues Meta over claims that WhatsApp doesn’t provide end-to-end encryption | arstechnica.com https://arstechnica.com/security/2026/05/texas-ag-sues-meta-over-claims-that-whatsapp-doesnt-provide-end-to-end-encryption

Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada | krebsonsecurity.com https://krebsonsecurity.com/2026/05/alleged-kimwolf-botmaster-dort-arrested-charged-in-u-s-and-canada

Iran-linked hackers target key US, allied sectors with sophisticated spear-phishing messages | Cybersecurity Dive https://www.cybersecuritydive.com/news/iran-cyberattacks-espionage-us-israel-uae/820990

FBI warns about fast-growing phishing kit targeting Microsoft 365 users | cyberscoop.com https://cyberscoop.com/fbi-phishing-kali365-microsoft365-access-tokens

Analyzing the rise in device code phishing attacks in 2026 | Push Security https://pushsecurity.com/blog/device-code-phishing

Trump Mobile confirms it exposed customers’ personal data, including phone numbers and home addresses | TechCrunch Security https://techcrunch.com/2026/05/22/trump-mobile-confirms-it-exposed-customers-personal-data-including-phone-numbers-and-home-addresses

Kash Patel’s clothing brand website shut down after reports it was hacked | TechCrunch Security https://techcrunch.com/2026/05/22/kash-patels-clothing-brand-website-shut-down-after-reports-it-was-hacked

Tulsi Gabbard resigns as US director of national intelligence | Social Signals https://www.bbc.com/news/articles/cvgj2gkv1x1o

When Certificate Trust Fails: The DigiCert Code-Signing Incident and Microsoft Defender False Positive | https://www.airlockdigital.com/airlock-blog/digicert-incident-and-microsoft-defender-false-positive-what-happened-and-what-it-means