
Cybersecurity Today. We'd like to thank Material Security for sponsoring this podcast. Material Security provides faster, more complete detection and response for email, identity and data threats inside Google Workspace and Microsoft 365. You can contact them at Material Security.
GitHub confirms supply chain breach hit 3,800 internal repositories, Microsoft moves to a stronger authentication standard, a nine-year-old Linux flaw can hand root access to local attackers, and Proton drops the gloves over Canada's surveillance bill. This is Cybersecurity Today. I'm your host, Jim Love.
GitHub has confirmed that approximately 3,800 internal repositories were accessed in a supply chain attack linked to the hacking group Team PCP. According to GitHub, the breach began when an employee installed a malicious Visual Studio Code extension. The company has not identified the extension and hasn't disclosed what data was present on the compromised device, but GitHub says its current assessment is that the incident involved exfiltration of GitHub internal repositories only, and that Team PCP's public claim of roughly 4,000 repositories is directionally consistent with its own investigation. The attack path matters because developer workstations increasingly hold some of the most sensitive assets in an organization. Aikido Security researcher Charlie Eriksen says VS Code extensions can access everything on a developer machine, including credentials, SSH keys, cloud access keys and other secrets. Aikido's Mackenzie Jackson says Team PCP has already compromised Trivy, Checkmarx, Bitwarden CLI and TanStack this year through similar attacks on developer tooling. This follows another recent example where the exposure of sensitive CISA credentials was reportedly tied to a contractor bypassing established security procedures.
Different incident, same underlying issue: trusted insiders and trusted endpoints with privileged access. One poisoned extension on one developer machine was apparently enough to expose thousands of GitHub repositories. That suggests organizations may need to treat developer workstations not simply as endpoints to protect, but as high value internal attack surfaces requiring the same scrutiny as production infrastructure.
Microsoft says it's phasing out SMS as a method of authentication and account recovery for personal Microsoft accounts because, in its words, SMS based authentication is now a leading source of fraud. The replacement is not just something newer. It follows the industry move to what NIST calls phishing resistant authentication, defined as authentication that prevents disclosure of authentication secrets or valid authenticator outputs to an imposter without relying on users spotting the fraud. In practical terms, this is going to mean some authentication methods, such as passkeys, where there's no six digit code for an attacker to steal, relay or trick a user into surrendering. And this matters because SMS based multi factor authentication has well known weaknesses. SIM swapping can redirect messages, one time codes can be captured through phishing pages, messages can be intercepted or delayed. SMS was better, and probably still is better, than passwords alone. But security standards have moved on. Microsoft has not provided a firm end date for the change, and from what we're reading, this applies to personal Microsoft accounts, not enterprise Microsoft Entra environments. But the significance is broader: Microsoft, one of the world's largest technology companies, is effectively declaring SMS no longer meets the modern baseline for secure authentication, to which we can only say hooray.
Security researchers have disclosed a Linux privilege escalation flaw that appears to have existed for about nine years, potentially allowing an unprivileged local user to gain root access on default installations of several major Linux distributions. The vulnerability, tracked as CVE-2026-46333 and nicknamed SSH Keysign PWN, affects systems including Debian, Ubuntu, Fedora and others that ship with vulnerable default configurations. Researchers say the flaw stems from improper privilege management in the SSH Keysign component. The vulnerability was reported to carry a CVSS score of 5.5, which puts it in a medium severity range. But that score reflects an important limitation. This is not a remote Internet attack. An attacker needs local access to the machine to make it work. But if that access exists, Qualys says the flaw can allow disclosure of sensitive files and execution of arbitrary commands as root. In data centers this may be a limited concern, but for laptops, shared systems, university environments, or any machine where physical or local access is possible, a medium rated flaw can still become a serious operational problem.
Our Canadian listeners and American hockey fans will understand the phrase "elbows up", but Proton appears to be doing more than that. This looks closer to dropping the gloves. Proton, the company behind Proton VPN and ProtonMail, is publicly opposing Canada's proposed surveillance legislation, which supporters say is needed to help law enforcement investigate serious crimes, including things like child sexual exploitation. But Proton's position is explicit: "There is no universe in which Proton would compromise our no logs policy." The implication is equally clear. If compliance means weakening that promise, Proton appears willing to leave the Canadian market. Opponents argue this is the same debate governments keep returning to. You need to create a backdoor for the good guys, opponents say. Somebody always finds it.
That risk then extends beyond privacy. Advocates, journalists, dissidents, abuse victims, corporations and governments themselves all rely on strong encryption, and the warning's not theoretical. This week alone brought the CISA credentials exposure. The Canada Revenue Agency has faced repeated breaches. And in the United States, we can't forget the Salt Typhoon espionage campaign reportedly exploiting lawful intercept capabilities built into the telecom infrastructure at the request of law enforcement. So the core argument remains simple. Once exceptional access exists, control over who uses it won't last. And it appears that Proton isn't about to back down, even if they get thrown out of the game.
That's our show for today. Hopefully you catch us on the weekend, but if not, David will be back on Monday morning with more cybersecurity news. I'm your host, Jim Love. Thanks for listening.
Here's a question worth asking: what happens after a phishing email slips past your filters? Most email security tools only guard the front door, but attackers are already inside. Material Security is different. It's a unified detection and response platform purpose built for Google Workspace and Microsoft 365, protecting email, files and accounts all in one place. We're talking automated phishing remediation, account takeover containment and sensitive data protection without alert fatigue. Find out why companies like Figma, Reddit and Lyft trust Material to stop the threats other tools miss. See workspace security in action at Material Security. That's Material Security. And if you do contact them, take a second and say thanks for sponsoring Cybersecurity Today.
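The distinction the Microsoft segment draws, a six digit SMS code that a phishing page can simply relay versus a passkey whose assertion is bound to the origin the browser actually sees, as an added illustration that is not part of the episode. The passkey side uses a toy HMAC in place of a real WebAuthn signature, and the origins and keys are constructed sample values.

```python
"""Why an SMS one-time code relays cleanly but an origin-bound assertion does not.

Added illustration, not from the podcast. The HMAC "signature" is a stand-in
for a WebAuthn assertion so the script runs with the standard library only.
"""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://login.example.com"    # constructed sample: the real site
PHISH_ORIGIN = "https://login-example.com"   # constructed sample: look-alike site


# --- SMS / one-time-code style: the server only checks that the code matches ---
def sms_verify(expected_code: str, submitted_code: str) -> bool:
    return hmac.compare_digest(expected_code, submitted_code)


def sms_relay_scenario() -> bool:
    """User types the texted code into a phishing page; the page forwards it."""
    code = f"{secrets.randbelow(10**6):06d}"   # code the real server sent by SMS
    relayed = code                             # phishing page passes it straight on
    return sms_verify(code, relayed)           # accepted: nothing ties it to an origin


# --- Passkey style: the browser signs the challenge together with the origin ---
def passkey_sign(key: bytes, challenge: bytes, origin_seen: str) -> bytes:
    # The browser, not the user, binds the origin it is talking to into the
    # signed data; the user cannot be tricked into "typing" a different origin.
    return hmac.new(key, challenge + origin_seen.encode(), hashlib.sha256).digest()


def passkey_verify(key: bytes, challenge: bytes, assertion: bytes) -> bool:
    # The real server only ever accepts assertions made for its own origin.
    expected = hmac.new(key, challenge + REAL_ORIGIN.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion)


def passkey_relay_scenario() -> bool:
    """Phishing page relays the real server's challenge to the victim's browser."""
    key = secrets.token_bytes(32)              # credential shared at registration
    challenge = secrets.token_bytes(32)        # issued by the real server
    assertion = passkey_sign(key, challenge, PHISH_ORIGIN)  # browser signs what it sees
    return passkey_verify(key, challenge, assertion)        # rejected: origin mismatch


def passkey_legit_login() -> bool:
    key = secrets.token_bytes(32)
    challenge = secrets.token_bytes(32)
    return passkey_verify(key, challenge, passkey_sign(key, challenge, REAL_ORIGIN))
```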
Host: Jim Love
Episode: GitHub Breach Exposes 3,800 Repos | Microsoft Kills SMS Authentication | Proton Fights Canada Bill
This episode delivers a rapid and insightful update on major cybersecurity developments affecting businesses and users alike. Jim Love spotlights a high-profile GitHub supply chain breach, Microsoft's move away from SMS-based authentication, a long-standing Linux privilege escalation vulnerability, and Proton's strong opposition to new Canadian surveillance legislation. The episode centers on the escalating threats targeting software supply chains, shifting authentication standards, persistent risks in open-source ecosystems, and the intense policy debates around encryption and privacy.
Incident Summary (01:10–03:30):
Attack Path & Broader Risks:
Key Takeaway:
Announcement Details (03:35–06:10):
Why SMS Is Vulnerable:
Notable Moment:
Scope:
Vulnerability Disclosure (06:15–08:00):
Severity & Impact:
Being Practical About the Threat:
Policy Battle (08:05–10:10):
Possible Consequence:
The Broader Encryption Debate:
Memorable Analogy:
On Software Supply Chain Security:
On Authentication Standards:
On Linux Vulnerability Impact:
On Encryption and Government Backdoors:
| Time | Topic |
|-------|------------------------------------------------------|
| 01:10 | GitHub 3,800 repository breach and supply chain risk |
| 03:35 | Microsoft SMS authentication retirement |
| 06:15 | Linux SSH Keysign vulnerability |
| 08:05 | Proton vs. Canadian surveillance legislation |
Jim Love’s delivery blends urgency and expertise. He provides clear explanations accessible to both technical and business audiences, uses vivid analogies (like hockey references), and ties each news item to larger industry trends and operational lessons.
For those who missed it:
This episode highlights the escalating risks in the software development supply chain, the evolving standards for secure authentication, the enduring vulnerabilities in open-source platforms, and the relentless policy battles over privacy. With memorable quotes and expert perspective, Jim Love makes cybersecurity’s high-stakes drama both clear and compelling.