剣 KENSAI
← All posts · security · 2026-03-29

Fake VS Code Alerts Weaponize GitHub at Scale, Dutch Police Breached via Phishing, Pro-Iranian Hackers Compromise FBI Director's Account


🔴 Fake VS Code Security Alerts Flood GitHub Discussions

⚠️ Active Campaign — Developers Targeted

Thousands of GitHub repositories are being spammed with fake VS Code vulnerability alerts. If you maintain open-source projects, check your Discussions tab for suspicious posts immediately.

Application security firm Socket has uncovered a large-scale, coordinated campaign targeting developers through GitHub Discussions. Threat actors are posting fake security alerts impersonating legitimate vulnerability advisories, complete with realistic titles like "Severe Vulnerability — Immediate Update Required" and fabricated CVE IDs.

How the Attack Works

  • Mass posting: Newly created or low-activity accounts spam identical posts across thousands of repositories within minutes
  • Notification abuse: GitHub Discussions trigger email notifications to all participants and watchers, delivering lures directly to inboxes
  • Social engineering: Attackers impersonate real code maintainers and security researchers for credibility
  • External hosting: Links point to Google Drive for supposed "patched" VS Code extensions
  • Cookie-driven TDS: Clicking triggers a redirection chain to drnatashachinn[.]com, which runs JS reconnaissance collecting timezone, locale, user agent, and OS details
  • Filtering: The traffic distribution system profiles victims, filtering out bots and researchers before delivering stage-2 payloads

Defensive Recommendations

  • Verify CVE IDs against NVD, CISA KEV, or MITRE CVE before acting
  • Never download VS Code extensions from Google Drive or other third-party hosting
  • Watch for mass-tagged users and external download links in Discussions
  • Consider restricting Discussions posting permissions on your repositories

🔴 Dutch National Police Breached After Phishing Attack

The Dutch National Police (Politie) has confirmed a security breach resulting from a successful phishing attack. The agency's Security Operations Center detected the incident quickly and immediately blocked the attackers' access.

Key details: The police stated that the impact "appears to be limited" and that citizens' data and investigative information were not exposed or accessed. A criminal investigation has been launched. The agency has not yet disclosed which specific systems or accounts were compromised.

This marks the second major breach of the Dutch police in recent years. In September 2024, a cyberattack attributed to a "state actor" stole work-related contact information for multiple officers, including names, email addresses, phone numbers, and private data. That investigation remains ongoing.

Context

Following the 2024 breach, the Dutch police implemented enhanced security measures including continuous monitoring and more frequent two-factor authentication prompts. Despite these measures, the latest phishing attack still succeeded — underscoring that even hardened organizations remain vulnerable to well-crafted social engineering.


🔴 Pro-Iranian Hackers Claim Hack of FBI Director Kash Patel's Account

⚠️ High-Profile Compromise

A pro-Iranian hacking group claims to have compromised FBI Director Kash Patel's personal account, making emails and documents available for download.

According to SecurityWeek, a pro-Iranian threat group has claimed responsibility for hacking FBI Director Kash Patel's personal account. The group stated it is making emails and other documents from Patel's account available for download.

While the full scope and authenticity of the claimed breach remain under investigation, the incident — if confirmed — represents a significant intelligence compromise targeting one of the highest-ranking US law enforcement officials. It follows a pattern of Iranian-linked groups targeting US government officials and political figures.

Why This Matters

  • Intelligence risk: Personal accounts of senior officials often contain sensitive communications outside classified systems
  • Geopolitical context: Tensions between the US and Iran continue to drive state-sponsored cyber operations
  • Personal vs. official accounts: Government officials' personal accounts remain a persistent weak point in national security posture

🟠 CISA Flags Critical PTC Windchill Vulnerability — German Police Physically Warned Organizations

🔧 CVE-2026-4681 — Critical Severity

PTC Windchill, widely used in manufacturing and engineering PLM environments, has a critical vulnerability severe enough that German police physically visited organizations to warn them.

CISA has flagged a critical vulnerability in PTC Windchill, tracked as CVE-2026-4681. The flaw is significant enough that law enforcement in Germany took the extraordinary step of physically dispatching officers to warn affected organizations in person.

PTC Windchill is a Product Lifecycle Management (PLM) platform used extensively in manufacturing, aerospace, defense, and automotive industries. A critical vulnerability in this system could expose proprietary designs, trade secrets, and supply chain data.

Recommended Actions

  • Check your PTC Windchill deployment and apply available patches immediately
  • Review CISA's advisory for specific indicators of compromise
  • Audit access logs for any anomalous activity in PLM environments
  • Segment Windchill instances from general network access

🟢 RedLine Malware Administrator Extradited to United States

Hambardzum Minasyan of Armenia has been extradited to the United States, accused of being involved in the development and administration of the RedLine infostealer malware.

RedLine has been one of the most prolific information-stealing malware families in recent years, responsible for harvesting credentials, financial data, and cryptocurrency wallets from millions of victims worldwide. The extradition represents a significant law enforcement victory in the ongoing battle against the malware-as-a-service ecosystem.

Impact: RedLine has been linked to countless data breaches and credential theft operations globally. Its administrators operated a malware-as-a-service model, selling subscriptions to cybercriminals who then deployed it in phishing campaigns and drive-by downloads.


📊 Quick Hits

StoryImpact
TP-Link patches high-severity router vulnerabilities — Auth bypass, command execution, config decryption🟠 High
BIND updates patch high-severity vulnerabilities — Crafted domains cause OOM conditions and memory leaks🟠 High
Cisco patches multiple IOS vulnerabilities — DoS, secure boot bypass, info disclosure, privilege escalation🟠 High
Hightower Holding data breach — 130,000 affected; names, SSNs, driver's licenses stolen🔴 Critical
OpenAI launches bug bounty for abuse and safety risks — Rewards for design/implementation issues leading to material harm🟢 Notable

Protect Your Organization with KENSAI

From supply chain attacks to phishing campaigns targeting law enforcement — the threat landscape demands proactive security. Let KENSAI help you stay ahead.

Get Started →

Stay safe out there. See you tomorrow. 🛡️

— KENSAI Security Briefing

All posts · Permalink