Microsoft ends support for SMS MFA on personal accounts, GitHub was hacked via a malicious VS Code extension, CISA will let researchers submit new KEV entries, and an SMS blaster was detained at Eurovision. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 22nd of May and this podcast episode is brought to you by Push Security.
In today's top story, Microsoft is phasing out SMS-based two-factor authentication and account recovery for personal accounts. Users will be prompted to add a passkey the next time they log in. The company says SMS is a leading source of fraud and the most targeted vector for account takeovers. Microsoft is the first major platform to abandon SMS MFA.
In other news, hackers stole GitHub's internal repositories after an employee installed a malicious VS Code extension. More than 3,800 internal code repositories were exfiltrated from GitHub and are for sale on a hacking forum. GitHub says it's rotating critical secret tokens to prevent future access to its assets. The malicious VS Code extension was identified as NX Console, which itself was compromised in the Tanstaq supply chain attack last week. Team PCP has claimed credit for the breach.
Russia has been hacking Bluesky accounts and posting pro-Kremlin and anti-Ukraine propaganda on them since April. Bluesky has been suspending the accounts until owners can re-secure them. The Russian disinformation group known as Matryoshka is behind the propaganda posted on the hacked accounts.
CISA will allow third parties to report the active exploitation of vulnerabilities so they can be added to the KEV database. The agency has launched a web form where researchers can file reports. CISA will confirm the reports before adding them to the KEV list. CISA's KEV database has been criticised for falling behind in recent months.
Austrian tactical police have arrested a 32-year-old Chinese national on cybercrime charges. The suspect was arrested with an SMS blaster in his car outside the Eurovision Song Contest in Vienna last weekend. The man was also charged with endangering his six-year-old son, who was also in the car with him.
A Canadian national has been arrested and charged with running the Kimwolf DDoS botnet. Jacob Butler was detained in Ottawa by Canadian police this week. He is charged with building and renting out the botnet, which was used in more than 25,000 attacks last year. US and European authorities took down the botnet in a joint operation in March. He's been charged in Alaska and US authorities are seeking his extradition.
French and Dutch authorities have seized a VPN service used by cybercrime gangs. First VPN has operated for years and was mainly advertised on Russian-speaking hacking forums. It was used in large-scale fraud, data theft and ransomware attacks. Authorities arrested the service's admin in Ukraine, took down 33 servers and seized four domains.
Ukraine's cyber police have arrested an 18-year-old who used an info stealer to hijack online accounts and make unauthorised transactions. The teen allegedly hacked more than 28,000 accounts and stole $721,000. He was also selling access to the hacked accounts.
A cyber attack has disrupted the government email service of the Northern Mariana Islands. Officials from the US territory did not specify if this was a ransomware attack. The incident is expected to slow down administrative tasks.
Chinese arcade game maker Walap left the personal details of almost 19 million customers exposed online. The data leaked via an Elasticsearch database that was left unprotected on the Internet. The data was tied to customers' WeChat accounts and included phone numbers and full names. It remained online for at least two months before the server was secured.
Trump Mobile has fixed a bug on its website that exposed the data of users who signed up for the company's gold-coloured smartphone. The website allegedly exposed emails, physical addresses and full names. The company was reportedly notified of the bug in advance but didn't fix it. It patched the bug only after several YouTubers covered the leak. Trump Mobile is yet to ship the pre-ordered Trump-themed phones.
About one third of Russian companies are using Western software acquired before Russia's invasion of Ukraine in 2022. Most of the software doesn't receive technical support or security updates. The highest concentration of Western software is in the corporate email vertical. Microsoft still holds 50% of the Russian market through its Exchange and Microsoft 365 products.
A version of the Karuna iOS exploit kit is being delivered to iPhones via a compromised NPM package. The exploit kit was the final payload hidden in Art template, a popular JavaScript template engine. The infected template engine deployed Karuna to search for iOS users, hack their devices and steal crypto wallet data. The Karuna exploit kit was initially used for espionage campaigns but was later linked to Chinese e-crime operations after its code was stolen and sold.
A hacking campaign is planting fake CAPTCHA pages and malware on websites built with the Ghost CMS. The attacks began this month and are exploiting a vulnerability disclosed in February. At least two threat actors are conducting parallel campaigns. More than 700 websites have been hacked so far.
An automated campaign has targeted thousands of GitHub repositories. The attackers used malicious commits that deployed a GitHub action on the targeted repositories. The action ran a bash script that stole CI secrets, cloud credentials, SSH keys and other tokens. There's no word on how many repositories were successfully compromised in the campaign.
Google has accidentally revealed details about an unpatched vulnerability in Chromium-based browsers. The bug allows threat actors to execute remote code and maintain persistent connections to affected browsers. The issue was first reported in 2022 and remains unfixed. The bug report was set to private again after a few hours.
Microsoft has released an out-of-band security update to fix two Windows Defender zero-days. The bugs have been exploited in the wild to crash the Defender service and elevate attackers' privileges. The two bugs were added to CISA's KEV database on Wednesday along with five further Adobe and Microsoft vulnerabilities.
Drupal has patched a highly critical SQL injection bug affecting all current versions of the CMS. The vulnerability only impacts Drupal sites running on PostgreSQL databases. It can be exploited by remote unauthenticated users. The Drupal team estimates that only 5% of all installs are impacted, but exploiting the bug is trivial.
Cisco has patched a critical vulnerability in its Secure Workload platform, previously known as Tetration. The Cisco Secure Workload is used to micro-segment networks spread across multiple cloud platforms. The vulnerability has a CVSS rating of 10 out of 10.
The Linux project has published patches for yet another local privilege escalation vulnerability. It exploits an authorization bypass and race condition in the Linux PTrace process to allow malicious local apps to run commands as root. Security firm Qualys discovered the bug.
And finally, the Dutch consumer protection agency is urging EU regulators to take action against Google, Meta and TikTok. The agency says the companies are not removing malicious ads from their platforms and are not replying to reports. Meta and TikTok are accused of leaving up to 80% of malicious ads in place. Polish authorities accused Meta of the same behaviour last year.
And that is all for this podcast edition. Today's show was brought to you by our sponsor, Push Security. Find them at pushsecurity.com. Thanks for your company.
Podcast: Risky Bulletin (Risky Business Media)
Episode Date: May 22, 2026
Host/Reader: Claire Aird (prepared by Catalin Cimpanu)
This episode of Risky Bulletin is a rapid-fire roundup of recent developments in cybersecurity. The lead story is Microsoft's decision to end SMS-based multi-factor authentication (MFA) for personal accounts. The rest of the episode covers software supply chain attacks, major arrests, critical vulnerabilities, and regulatory actions.
On Microsoft’s MFA changes:
“SMS is a leading source of fraud and the most targeted vector for account takeovers. Microsoft is the first major platform to abandon SMS MFA.”
— Claire Aird ([00:13])
On First VPN takedown:
“Authorities arrested the service's admin in Ukraine, took down 33 servers and seized four domains.”
— Claire Aird ([01:37])
On the Ghost CMS campaign:
“At least two threat actors are conducting parallel campaigns. More than 700 websites have been hacked so far.”
— Claire Aird ([03:13])
Regulatory pressure on tech giants:
“Meta and TikTok are accused of leaving up to 80% of malicious ads in place. Polish authorities accused Meta of the same behaviour last year.”
— Claire Aird ([04:14])
This episode maintains a brisk, newsy pace, distilling complex stories into punchy summaries with authoritative delivery. The tone is urgent yet matter-of-fact, focusing on incident facts, response actions, notable actors, and impact.
A must-listen for anyone tracking cybersecurity trends, this edition covers a decisive step against insecure authentication, major cybercrime enforcement wins, concerning new vulnerabilities, and the persistent problem of Big Tech oversight. Stay vigilant—today’s threats are as varied as they are relentless.