LAPSUS GitHub, NoName Ukraine DDoS Lead 120-Event Forum Day

Events tracked: 120
Critical exposure: 32

Summary

Forum-posted breach claims dominated today's libaisec telemetry, but the more telling pattern is the steady recurrence of the same low-effort crews against the same opportunistic verticals -- US healthcare, Indonesian universities, Israeli government and real-estate listings, NATO and an OpenAI/ChatGPT DDoS slate that adds AI infrastructure to the standard target list. Defender exposure for the next 48 hours sits in the patch cadence rather than the forum cycle, with Microsoft Defender zero-days, a Drupal Core unauthenticated RCE and a Cisco Secure Workload critical CVE all landing on the same day.

Today's developments

Of 120 events tracked across libaisec on May 21, 32 are alleged data-breach or data-leak posts. LAPSUS-GROUP posted what it called a data sale for GitHub, Inc. The BlackH4t MD-Ghost named NATO directly in a separate listing alongside a US dental-services provider, Commerce Dental Group, and a US coffee-service vendor, Pot O' Gold Coffee Service -- a portfolio mix the actor has run repeatedly. Vyntra claimed two US victims of note: a hospital and health-care dataset labelled only "USA Health Care" and Salesforce, a posting that has not been independently verified. ShinyHunters posted two Asia-Pacific online-education and logistics targets. Other named pairings included Niles in Cyber Threat Intelligence Feeds claiming Dragonica Lunaris; courtika naming Uber Eats; huntertrace naming Call The Car, Inc.; MDGhost666 advertising what it called an Israeli Government Database; 0cx00iq naming Kuwait's Central Statistical Bureau; NoHeartz naming an Israeli real-estate listing (Lead Estate) and an Indian Creative Cultural Centre; Mr. Hanz Xploit naming Universitas Airlangga (UNAIR) in Indonesia; and DarkMafiaX naming AYUSH Haryana in India.

Ransomware activity stayed on a pattern of geographically distributed listings. Payload posted four victims in a single batch -- A-Sonic Logistics Pte Ltd (Singapore), G. Theodor Freese GmbH (Germany), Robinsons Department Stores Online (Singapore) and a Cullman, Alabama internal-medicine and pediatrics practice; CoinbaseCartel named Panasonic Avionics Corporation; Nova claimed Soft Seba (Bangladesh) and Neubox (Mexico); SPY CORPORATE named Cleveland law firm Hahn Loeser & Parks LLP; Brain Cipher named The Shepparton Adviser in Australia; ThreeAM named Consultic in Belgium.

DDoS volume tracked the war picture. NoName057(16) ran 11 strikes against Ukrainian targets, including Iskra Scientific and Production Complex, Kharkiv Aggregate Design Bureau, Busin Insurance Company and Velta Insurance Company. 313 Team named OpenAI and ChatGPT in two listings against US AI infrastructure. Israel drew a packed slate from Investigation Anonymous, BD Anonymous and RipperSec, all targeting financial-services and energy entities including Delek and Emtan Karmiel.

External analysis cycled through the same week's headline vulnerabilities. Microsoft Defender saw two actively exploited zero-days -- CVE-2026-41091 (privilege escalation, CVSS 7.8) and a parallel denial-of-service flaw -- both publicly disclosed alongside the firm's UnDefend and RedSun patches. Drupal pushed an out-of-band update for CVE-2026-9082, a "highly critical" Core flaw exposing PostgreSQL sites to unauthenticated information disclosure, privilege escalation and remote code execution. Cisco patched a critical authentication-validation flaw in Secure Workload REST APIs that grants remote attackers Site Admin privileges. A nine-year-old Linux kernel use-after-free regression, CVE-2026-46333, was disclosed; researchers showed root-command execution on major distros. European authorities took down First VPN, the cybercrime-VPN service Europol said had "appeared in almost every major recent cybercrime investigation." The Hacker News reported that GitHub has now publicly confirmed the breach of its internal repositories was carried out through a poisoned Nx Console Microsoft VS Code extension, putting a recognisable supply-chain face on the LAPSUS-style activity that returned to forum lists this week.

Threat landscape signals

The forum throughput concentrates around a small set of crews: the top three actors today -- NoName057(16) with 11 listings, Hax.or with 10, BABAYO EROR SYSTEM with 6 -- ran 27 of the day's 120 events, a 22.5% share. The Defacement-DDoS-Ransomware mix held its usual proportions (34 / 27 / 18); defacement remained the largest category, which on libaisec is a leading indicator of low-cost crew activity rather than serious data exposure. The geographic distribution stays heavily US (27 listings) with secondary clustering in France, Indonesia, Israel and Ukraine -- IT Services and Government Administration each appeared on more than ten listings, the same pair that has led the libaisec target distribution for most of the second quarter.

For the next 48 hours, defender priority sits in the patch cadence rather than the forum cycle: the Microsoft Defender zero-days, the Drupal Core unauthenticated RCE and the Cisco Secure Workload critical CVE are the items that move the actual exposure surface. The Nx Console supply-chain compromise of GitHub internal repositories suggests another round of VS Code extension audits is overdue for any organisation tolerating broad-permission editor extensions on developer workstations.

All incidents are reported as alleged claims by threat actors and have not been independently verified by GrayscaleInsight.

Threat intelligence is reported for security awareness purposes only and does not constitute endorsement of any actor, group, or activity.
