This week’s cybersecurity and dark web news stories discuss Kali365’s Phishing-as-a-Service kit, GitHub’s breach of 3,800 repos, and the B1ack’s Stash marketplace giving away 4.6 million stolen credit cards.
The FBI’s Warning You Shouldn’t Ignore
Most of us have been told that turning on multi-factor authentication is enough. Set it up and sleep easy. A new FBI alert issued this week suggests that advice is no longer the full story.
A phishing platform called Kali365, first spotted in April 2026 and distributed primarily via Telegram, is enabling attackers to capture Microsoft 365 OAuth tokens and bypass MFA entirely, without ever needing to steal your password.
The attack is deceptively simple. A victim receives a phishing email impersonating a trusted cloud service, containing a device code and instructions to visit a legitimate Microsoft verification page. When the victim enters the code, they unknowingly authorise the attacker’s device to access their account. The attacker then captures OAuth access and refresh tokens, gaining persistent access to Outlook, Teams, and OneDrive, with no password required and no MFA challenge triggered.
What makes Kali365 particularly alarming is how low the barrier to entry is. The platform provides less-technical attackers with AI-generated phishing lures, automated campaign templates, and real-time tracking dashboards. You don’t need to be a sophisticated hacker anymore; you just need a Telegram account and a subscription fee.
The FBI recommends organisations create conditional access policies to block device code flow, audit existing usage before doing so, and exclude emergency access accounts to avoid accidental lockouts. If you’ve been relying on MFA as your last line of defence, it’s time to think one layer deeper.
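One way to carry out the audit step before blocking device code flow, as an added example that is not part of the FBI alert or the original article. It assumes sign-in records exported one JSON object per line with the field names shown; the records, the emergency account name and the "unfamiliar IP" triage heuristic are all constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample, one JSON record per line, shaped like an Entra ID sign-in
# log export. Field names are assumptions; ResultType "0" is treated as success.
SAMPLE_LOG = """
{"UserPrincipalName": "room1@example.com", "AppDisplayName": "Teams Rooms", "AuthenticationProtocol": "deviceCode", "IPAddress": "198.51.100.10", "ResultType": "0"}
{"UserPrincipalName": "room1@example.com", "AppDisplayName": "Teams Rooms", "AuthenticationProtocol": "none", "IPAddress": "198.51.100.10", "ResultType": "0"}
{"UserPrincipalName": "alice@example.com", "AppDisplayName": "Exchange Online", "AuthenticationProtocol": "none", "IPAddress": "198.51.100.20", "ResultType": "0"}
{"UserPrincipalName": "alice@example.com", "AppDisplayName": "Microsoft Office", "AuthenticationProtocol": "deviceCode", "IPAddress": "203.0.113.77", "ResultType": "0"}
{"UserPrincipalName": "breakglass@example.com", "AppDisplayName": "Azure CLI", "AuthenticationProtocol": "deviceCode", "IPAddress": "198.51.100.5", "ResultType": "0"}
{"UserPrincipalName": "bob@example.com", "AppDisplayName": "Azure CLI", "AuthenticationProtocol": "deviceCode", "IPAddress": "203.0.113.9", "ResultType": "1"}
"""

EMERGENCY = frozenset({"breakglass@example.com"})  # hypothetical emergency access account


def audit_device_code(log_text, emergency=EMERGENCY):
    """Summarise successful device code sign-ins per user ahead of a block policy."""
    usual_ips = defaultdict(set)  # IPs seen on each user's other successful sign-ins
    device = defaultdict(list)    # successful device code sign-ins per user
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or malformed export lines
        if str(rec.get("ResultType")) != "0":
            continue  # a failed sign-in shows no working dependency
        user = rec.get("UserPrincipalName", "").lower()
        if rec.get("AuthenticationProtocol", "").lower() == "devicecode":
            device[user].append(rec)
        else:
            usual_ips[user].add(rec.get("IPAddress", "unknown"))
    report = {}
    for user, recs in device.items():
        odd = sorted({r.get("IPAddress", "unknown") for r in recs} - usual_ips[user])
        if user in emergency:
            action = "exclude from block policy"
        elif odd:
            action = "investigate before blocking"
        else:
            action = "confirm dependency before blocking"
        apps = sorted({r.get("AppDisplayName", "unknown") for r in recs})
        report[user] = {"apps": apps, "unfamiliar_ips": odd, "action": action}
    return report
```

Users that appear with "confirm dependency" are the ones a block policy would break, and "investigate" marks device code sign-ins from an address the user has not otherwise signed in from.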
GitHub Confirms Breach of 3,800 Repos
On 19 May, GitHub began investigating something no software platform ever wants to announce: someone had gotten inside.
The culprit was a poisoned VS Code extension installed on an employee’s device, which gave an attacker access to roughly 3,800 of GitHub’s internal repositories. Hours later, a hacking group called TeamPCP posted on a cybercrime forum claiming they’d accessed GitHub’s source code and around 4,000 private repositories, putting the stolen data up for sale at a minimum of $50,000.
GitHub moved quickly, removing the malicious extension, isolating the affected device, and rotating critical credentials overnight, prioritising the highest-impact secrets first. The company stated there is currently no evidence that customer data or enterprise accounts were affected, though the investigation is ongoing.
The broader context is unsettling. The GitHub breach didn’t land in isolation. It arrived the same day a new wave of malicious npm packages appeared with forged cryptographic provenance, one day after attackers compromised a VS Code extension with 2.2 million installs, and the same day TeamPCP was found to have compromised Microsoft’s Python SDK on PyPI. Five supply chain surfaces failed in 48 hours.
The lesson isn’t that VS Code is unsafe; it’s that developer tooling has become one of the most attractive attack surfaces going. Every extension is a small act of trust. Right now, that trust is being exploited systematically.
B1ack’s Stash Marketplace Gives Away 4.6 Million Stolen Credit Cards
B1ack’s Stash, a dark web carding marketplace, released 4.6 million stolen credit card records as a free download, not because of a law enforcement action, but allegedly because some of its own sellers were caught reselling card data on competing platforms. Rather than simply deleting the inventory, the operators suspended around 8 million stolen CVV2 records and released roughly 4.6 million of them publicly, directing users to the marketplace’s Freebies section.
The data itself is remarkably complete. Each record includes full card numbers, expiration dates, CVV2 codes, cardholder names, billing addresses, email addresses, phone numbers, and IP addresses, with around 70% of the cards sourced from the US, followed by Canada, the UK, France, and Malaysia.
For anyone whose card data might be in this set (and given the volume and US-heavy distribution, that’s a realistic concern for a significant number of people), the standard advice applies: watch your statements closely, consider a temporary credit freeze if you have reason to worry, and be especially sceptical of any messages that reference your personal or financial details with unusual specificity. That last point matters more than usual here, because the leaked data includes email addresses and phone numbers alongside card details. Targeted phishing built on accurate personal information is considerably more convincing than the generic kind.