Thousands of internal repos were compromised through a single malicious VS Code extension.
Normal developer tools are becoming one of the easiest ways into major organizations 🗝️
IDE extensions are quietly becoming one of the most overlooked attack surfaces in your stack.
If you're not auditing them the same way you audit your dependencies, this week is a good time to start.
Newsletter #169 is out now 📧
GitHub just confirmed 3,800 internal repositories were stolen because one employee installed a malicious VS Code extension.
And yes, GitHub owns NPM, which sits at the center of every supply chain campaign we've been covering for weeks.
Insider threats are averaging $13.1 million per incident, and 8% of employees are responsible for 80% of your organization's security risk.
The threat isn't evenly distributed, yet most teams are still treating it as if it were.
Compromising an AI gateway gives attackers keys to everything downstream.
The report documents autonomous attack workflows, AI-powered recon, and vibe-coded payloads already being used in the wild.