
A
From the CISO Series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Tuesday, April 28, 2026. I'm Sarah Lane.

Phantom RPC flaw enables privilege escalation
A Kaspersky researcher disclosed an unpatched Windows vulnerability dubbed Phantom RPC that allows privilege escalation by exploiting how the OS's remote procedure call, or RPC, mechanism handles connections to inactive services. The flaw lets attackers with limited access spin up rogue RPC servers that impersonate legitimate services and capture high-privilege connections, potentially escalating to system-level control, with five exploit paths validated on recent Windows Server versions. Microsoft classified the issue as moderate severity due to the required privileges and is not issuing a fix, so monitoring RPC activity and restricting impersonation privileges is key to reducing risk.

Checkmarx confirms GitHub data leak hit the Dark Web
Checkmarx confirmed that data from its GitHub repository has been posted on the dark web following a March 23 supply chain attack that compromised development tools and workflows. The breach involved tampered GitHub Actions and VS Code extensions distributing credential-stealing malware, with researchers linking subsequent leaks to groups like Lapsus$ and activity attributed to TeamPCP. Exposed data may include source code and credentials, though customer environments were reportedly unaffected. The company has restricted access to the impacted repository and is continuing its investigation, noting it will notify customers of sensitive data exposure.

PyPI package hacked to push infostealer
A widely used PyPI package with more than 1.1 million monthly downloads was compromised in a supply chain attack that pushed a malicious version containing an infostealer targeting developer credentials and crypto wallets. Researchers at StepSecurity found the attacker exploited a GitHub Actions script injection flaw to steal a workflow token, forge a legitimate release, and then distribute the backdoored package and Docker image. The issue has been fixed in version 0.23.4, but affected users should rotate secrets and restore systems, since the malicious release could automatically propagate to environments using unpinned dependencies.

Italy extradites alleged Chinese state hacker to the U.S.
Italian authorities extradited Xu Xue to the U.S., where he faces charges tied to alleged involvement in the state-backed Hafnium, also known as Silk Typhoon, campaign that targeted Microsoft Exchange servers and thousands of global victims. U.S. prosecutors say he participated in intrusions between 2020 and 2021, including attacks on universities and researchers to steal COVID-19-related data, allegedly under direction from Chinese intelligence services. Xu denies the allegations but could face up to 77 years in prison if convicted. China has criticized the extradition.

Huge thanks to our sponsor, GuardSquare. Your back end is only as secure as your front end. Research shows that client-side compromise is now a primary driver of API risk, with 63% of leaders detecting mobile app tampering or cloning last year. Don't leave your mobile app security to chance. Get multi-layered protection for your entire mobile app ecosystem, from the outside in. Learn more at guardsquare.com.

US sanctions target Cambodian scams
The US Treasury's Office of Foreign Assets Control sanctioned a Cambodian cybercrime network, including Senator Koch On, over large-scale cryptocurrency scams that have defrauded Americans of millions of dollars through romance and fake investment schemes. Authorities say the operation runs from scam compounds tied to casinos, where victims send funds to fraudulent platforms while trafficked workers carry out the scams under coercive conditions. The action was coordinated with the DOJ, FBI and Secret Service, including domain seizures and criminal charges intended to disrupt both the financial infrastructure and the human trafficking tied to the network.

Glassworm malware attacks return
Researchers at Socket identified a new wave of the Glassworm supply chain campaign, abusing 73 Open VSX extensions designed to appear benign before turning malicious through later updates. Six extensions have already been activated, using loader techniques to fetch and execute hidden payloads that can steal developer credentials, crypto wallets and sensitive environment data. The campaign reflects a shift toward stealthier sleeper tactics, with cloned extensions mimicking legitimate tools. Developers should remove affected packages and rotate secrets.

Utilities tech supplier Itron discloses attack
Itron disclosed a cybersecurity breach involving unauthorized access to its IT systems, but said it has since contained and remediated the incident, with no ongoing malicious activity detected. The company reported no impact to customer-hosted systems or core operations, which continued without disruption, and expects insurance to cover most of the associated costs. Itron is still investigating the scope of the breach and evaluating any required regulatory disclosures, but doesn't currently expect a material business impact.

Crypto money launderer given five-year sentence
California-based Evan Tangeman was sentenced to 70 months in prison for laundering millions in stolen cryptocurrency tied to a cybercriminal group known as the Social Engineering Enterprise, which stole roughly $260 million from victims. Prosecutors say the group used social engineering and physical tactics to target high-value crypto holders, while Tangeman helped convert stolen funds into cash and assets, including luxury homes used in operations. He also attempted to cover up the scheme after arrests and is one of nine individuals to plead guilty in this case.

The rush to not fall behind with the latest AI tooling is creating a vicious cycle. Is there any way to enable teams to use these new tools without abandoning security best practices? That's one of the segments we try to get answers for on the latest episode of the CISO Series Podcast. Look for the episode "Step 1: Deploy new AI tool. Step 2: Discover security flaws. Step 3: Repeat" wherever you get your podcasts. And if you have some thoughts on the news from today or about our show in general, be sure to reach out to us at feedback@cisoseries.com. We'd love to hear from you. I am Sarah Lane, reporting for the CISO Series. You stay safe out there.

Milky Way and Beyond
A
Cybersecurity Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
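The GitHub Actions script injection mentioned in the PyPI item above is a recognisable pattern: an expression such as ${{ github.event.pull_request.title }} is expanded into a run: step before the shell sees it, so a contributor who controls that value gets command execution with whatever token the workflow holds. The following is an added example for this page, not code from the episode, from StepSecurity or from the compromised project. It is a stdlib-only scanner that flags untrusted event context expanded inside run: steps, run over a constructed vulnerable workflow and its hardened form; the workflow text, job names and the list of untrusted context paths are all constructed for illustration, and the path list is not exhaustive.

```python
"""Scan a GitHub Actions workflow for script-injection sinks: untrusted event
context (issue/PR titles, branch names, commit messages, ...) expanded inside a
`run:` step, where shell metacharacters execute with the workflow's token."""
import re

# Context paths an outside contributor controls. Constructed for this example
# from GitHub's documented list of injectable inputs; not exhaustive.
UNTRUSTED_PREFIXES = (
    "github.event.issue.title", "github.event.issue.body",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.pull_request.head.ref", "github.event.pull_request.head.label",
    "github.event.pull_request.head.repo.", "github.event.comment.body",
    "github.event.review.body", "github.event.review_comment.body",
    "github.event.head_commit.message", "github.event.head_commit.author.",
    "github.event.commits", "github.event.discussion.", "github.head_ref",
    "github.event.workflow_run.head_branch", "github.event.workflow_run.head_commit.",
)
EXPRESSION = re.compile(r"\$\{\{(.*?)\}\}")          # ${{ ... }}
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")   # `run:` or `- run:`
BLOCK_MARKERS = {"|", ">", "|-", ">-", "|+", ">+"}   # YAML block scalar heads

def is_untrusted(expression: str) -> bool:
    """True if a ${{ }} expression reads attacker-controllable data."""
    expr = expression.strip()
    return any(expr == p.rstrip(".") or expr.startswith(p) for p in UNTRUSTED_PREFIXES)

def run_steps(workflow: str) -> list[tuple[int, str]]:
    """(1-based line of the `run:` key, shell text) for every run step;
    handles one-line `run: cmd` and block scalars `run: |` / `run: >`."""
    lines, steps, i = workflow.splitlines(), [], 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        # A `- run:` key sits at the dash's column + 2. A block scalar ends at the
        # first non-blank line not indented deeper than the key, so a sibling
        # `env:` key is never swallowed as shell text.
        key_indent = len(m.group(1)) + len(m.group(2) or "")
        rest, line_no = m.group(3).strip(), i + 1
        if rest not in BLOCK_MARKERS:
            steps.append((line_no, rest))
            i += 1
            continue
        body, j = [], i + 1
        while j < len(lines) and (
            not lines[j].strip() or len(lines[j]) - len(lines[j].lstrip()) > key_indent
        ):
            body.append(lines[j].strip())
            j += 1
        steps.append((line_no, "\n".join(body)))
        i = j
    return steps

def find_injections(workflow: str) -> list[tuple[int, str]]:
    """(line, expression) for each untrusted expression inside a run step."""
    return [(line_no, m.group(1).strip())
            for line_no, shell in run_steps(workflow)
            for m in EXPRESSION.finditer(shell)
            if is_untrusted(m.group(1))]

# Constructed sample: pull_request_target runs with a write-scoped token, and a
# PR title or branch name containing shell metacharacters becomes shell code.
VULNERABLE = """\
name: pr-check
on:
  pull_request_target:
jobs:
  check:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - run: git fetch origin ${{ github.event.pull_request.head.ref }}
      - name: Summarize
        run: |
          echo "PR: ${{ github.event.pull_request.title }}"
          echo "By: ${{ github.actor }}"
"""

# Hardened form: the same values reach the shell only as quoted environment
# variables, and the job's token is read-only.
HARDENED = """\
name: pr-check
on:
  pull_request_target:
jobs:
  check:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Summarize
        env:
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          git fetch origin "$HEAD_REF"
          echo "PR: $PR_TITLE"
"""
```

Running find_injections(VULNERABLE) reports the head.ref expansion on the one-line run step and the title expansion inside the block scalar; find_injections(HARDENED) reports nothing, because the expressions now only appear under env:, where the runner sets them as ordinary variables and the quoted "$HEAD_REF" reaches git as a single argument rather than as shell syntax. Two caveats: this covers only run: sinks, so the script: input of actions/github-script and inputs passed to composite actions need the same treatment; and the token scope matters as much as the sink, since the pull_request_target trigger hands the workflow a token with write access and secrets, which is why contents: read and a least-privilege permissions: block belong in the fix.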
Cybersecurity Headlines — April 28, 2026
Host: Sarah Lane, CISO Series
Episode Theme:
A concise, rapid-fire roundup of the day’s major cybersecurity incidents and trends, with a focus on supply chain vulnerabilities, software flaws, state-sponsored threats, and law enforcement actions in cybercrime.
[00:10] Phantom RPC flaw enables privilege escalation
[01:01] Checkmarx confirms GitHub data leak hit the Dark Web
[01:50] PyPI package hacked to push infostealer
[02:38] Italy extradites alleged Chinese state hacker to the U.S.
[03:31] US sanctions target Cambodian scams
[04:11] Glassworm malware attacks return
[04:52] Utilities tech supplier Itron discloses attack
[05:28] Crypto money launderer given five-year sentence
Phantom RPC flaw mitigation:
PyPI supply chain lessons:
Glassworm’s stealth:
Sarah Lane delivers fast-paced, factual reporting with a focus on actionable information and risk mitigation, blending expert security insight with urgency and accessibility for industry professionals.
For a deeper dive into any headline, visit cisoseries.com.