DEV Community

soy

Originally published at media.patentllm.org

Microsoft Defender Zero-Days, GitHub Supply Chain Breaches, and Python Package Compromises

Today's Highlights

This week's top security news includes actively exploited zero-days in Microsoft Defender granting SYSTEM access, a major breach of GitHub's internal repositories via a malicious VS Code extension, and a targeted supply chain attack on Microsoft's Python Durable Task client.

Two Microsoft Defender vulnerabilities actively exploited. One grants full SYSTEM access. CISA has a June 3 federal deadline. Here is what to check. (r/cybersecurity)

Source: https://reddit.com/r/cybersecurity/comments/1tjnaub/two_microsoft_defender_vulnerabilities_actively/

Microsoft has issued an urgent warning regarding two critical vulnerabilities (CVE-2026-41091 and CVE-2026-45498) within its Defender antivirus software, both of which are actively being exploited in the wild as zero-days. The more severe of the two, CVE-2026-41091, allows for local privilege escalation, enabling attackers to gain full SYSTEM-level access on compromised Windows machines. This provides adversaries with complete control over affected systems, bypassing standard user permissions. The second flaw, CVE-2026-45498, is a denial-of-service (DoS) bug.

Given the active exploitation and the severity of the SYSTEM-level access, the Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive, imposing a federal deadline of June 3 for agencies to apply patches. Organizations and individual users are strongly advised to verify their Defender installations are fully updated or to manually apply the necessary patches immediately to mitigate the risk of exploitation. Proactive patching and continuous monitoring are crucial to defend against these sophisticated attacks.

Comment: This is a wake-up call for anyone relying solely on default AV. Active exploitation of a SYSTEM-level vuln in Defender means your endpoints are exposed; prioritize immediate patching and verify updates rigorously.

GitHub ~3,800 internal repos compromised through a malicious VS Code extension (r/netsec)

Source: https://reddit.com/r/netsec/comments/1tjfjjv/github_3800_internal_repos_compromised_through_a/

GitHub has disclosed a significant security incident where approximately 3,800 of its internal repositories were compromised. The breach's entry point was not a traditional CVE, but rather a malicious VS Code extension installed by a single GitHub employee. This highlights a critical and increasingly common supply chain vector: developer tools. Once installed, the extension allowed attackers to access secrets stored on the employee's machine, which were subsequently used to access and potentially exfiltrate data from the internal repositories.

This incident underscores the pervasive risk of compromised developer environments and the need for stringent software supply chain security, even for internal tools and systems. Organizations must implement robust controls for developer workstations, including strict vetting of third-party extensions, endpoint detection and response (EDR) solutions, and the principle of least privilege for secret access. Regular rotation and auditing of secrets are also paramount.

Comment: This GitHub breach is a stark reminder that developer workstations are prime targets. We need to rethink security beyond network perimeters to include every tool and extension our teams use daily, especially when sensitive credentials are involved.

durabletask (Microsoft's Python Durable Task client) compromised by TeamPCP | same Mini Shai-Hulud payload as last week's TanStack wave (r/netsec)

Source: https://reddit.com/r/netsec/comments/1tjvryy/durabletask_microsofts_python_durable_task_client/

The Python package durabletask, a client for Microsoft's Durable Task Framework, has been identified as compromised by the threat actor group TeamPCP. This incident is part of a broader, ongoing supply chain attack campaign that has previously affected other popular open-source packages, including Trivy and TanStack, utilizing a consistent "Mini Shai-Hulud" payload. Attackers injected malicious code into the legitimate package, making it available to anyone installing durabletask from PyPI.

The compromise of durabletask specifically targets Python developers and projects relying on this library. This attack vector emphasizes the critical need for robust dependency verification in software development workflows. Developers should review their requirements.txt and pyproject.toml files, pin dependencies to known good versions, and utilize tools for software composition analysis (SCA) to detect malicious or tampered packages. Promptly updating or removing affected versions of durabletask is crucial for protecting projects from the Mini Shai-Hulud payload and potential downstream impacts.

Comment: Another Python package, another supply chain attack. This is why we can't blindly pip install. Implement strong dependency pinning, audit your requirements.txt, and use SCA tools to scan for known compromised packages – especially when a consistent attacker group is at play.
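
One way to run the requirements.txt review described above, as an added example that is not from the original post or from any of the projects it mentions. The sample file, the version 0.0.0 and the blocked-version list are constructed placeholders; the real affected durabletask versions must come from the advisory.

```python
import re

# Constructed sample; the versions and the hash are placeholders, not advisory data.
SAMPLE = """\
# service deps
requests==2.32.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
DurableTask==0.0.0   # placeholder version
azure-identity>=1.0
"""

REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*)$")

def normalize(name):
    """PEP 503 normalization, so DurableTask and durabletask compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def logical_lines(text):
    """Join backslash continuations, drop comments, blanks and option lines."""
    joined = re.sub(r"\\\r?\n", " ", text)
    for raw in joined.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if line and not line.startswith("-"):  # -r, -e, --index-url, ...
            yield line

def audit(text, blocked=None):
    """Return (name, version_or_None, issue) for each blocked or weakly pinned entry.

    blocked maps a normalized package name to a set of versions to reject
    (hypothetical parameter; fill it from the advisory you are responding to).
    """
    blocked = blocked or {}
    findings = []
    for line in logical_lines(text):
        m = REQ.match(line)
        if not m:
            continue
        name, rest = normalize(m.group(1)), m.group(3)
        spec = rest.split(";")[0].split("--hash")[0].strip()
        pin = re.fullmatch(r"==\s*([^\s,*]+)", spec)  # ==1.* is not an exact pin
        version = pin.group(1) if pin else None
        if version in blocked.get(name, ()):
            findings.append((name, version, "blocked version"))
        elif version is None:
            findings.append((name, None, "not pinned to an exact version"))
        elif "--hash=" not in rest:
            findings.append((name, version, "pinned without --hash"))
    return findings
```

Entries that pass all three checks can then be installed with `pip install --require-hashes -r requirements.txt`, which makes pip reject any downloaded file whose digest differs from the pinned one.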
