CyberheistNews Vol 16 #21 [Heads Up] GitHub Breach Shows Developer Tools Are Social Engineering Targets

KnowBe4 Team | May 27, 2026

[Heads Up] GitHub Breach Shows Developer Tools Are Social Engineering Targets

GitHub disclosed that attackers accessed its internal repositories after compromising an employee device through a poisoned Visual Studio Code extension.

The company said the activity appears limited to GitHub-owned internal repositories, with the attacker's claim of roughly 3,800 repositories being "directionally consistent" with its investigation. GitHub also said it found no evidence that customers' own enterprises, organizations or repositories were impacted.

That is reassuring, but it is not the whole story.

The bigger takeaway is that this was not just a code security incident. It was a trust incident. An engineer downloaded what appeared to be a legitimate developer tool, and that trusted workflow became the attacker's way in.

That is social engineering in a modern developer environment. It does not always arrive as a sketchy email with a bad link. It can show up as a helpful extension, a routine update, a useful package, a fake support prompt, or a "productivity tool" that looks like it belongs in the workflow.

For InfoSec teams, this is a big deal. Developer endpoints are not ordinary laptops. They often have access to source code, cloud environments, secrets, build systems, package registries and CI/CD pipelines. Compromise one trusted developer machine, and an attacker may gain a map of how the organization builds, ships and secures software.

Internal repositories can also be extremely valuable. Even when customer data is not stolen, internal code may expose architecture details, deployment scripts, API references, test data, support snippets, credentials or clues that help attackers plan follow-on attacks.

Organizations should use this incident as a reason to tighten controls around developer tools. Inventory approved IDE extensions. Review publishers and permissions. Watch for unusual repository cloning, unexpected token use and new tools installed on developer machines. Rotate secrets quickly when exposure is possible, and move toward short-lived, tightly scoped credentials wherever practical.
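One way to start the extension inventory described above, as an added example that is not KnowBe4's or GitHub's tooling: a Python audit that reads each installed VS Code extension's `package.json` and reports anything outside policy. The allowlist, the `example-corp` and `helpful-tools` publishers and the sample folder are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Hypothetical allowlist: extension ID -> approved versions (empty set = any version).
APPROVED = {
    "ms-python.python": set(),
    "example-corp.internal-linter": {"1.4.2"},
}
# Activation events that load an extension on every editor start.
STARTUP_EVENTS = {"*", "onStartupFinished"}


def read_manifest(ext_dir):
    """Return (extension_id, version, manifest), or None if package.json is unusable."""
    try:
        manifest = json.loads((ext_dir / "package.json").read_text(encoding="utf-8"))
        ext_id = f"{manifest['publisher']}.{manifest['name']}".lower()
        return ext_id, str(manifest.get("version", "")), manifest
    except (OSError, ValueError, KeyError, TypeError):
        return None


def audit(ext_root, approved=APPROVED):
    """Return (extension, finding) pairs, in folder order, for everything outside policy."""
    findings = []
    for ext_dir in sorted(p for p in Path(ext_root).iterdir() if p.is_dir()):
        parsed = read_manifest(ext_dir)
        if parsed is None:
            findings.append((ext_dir.name, "unreadable-manifest"))
            continue
        ext_id, version, manifest = parsed
        if ext_id not in approved:
            findings.append((ext_id, "not-approved"))
        elif approved[ext_id] and version not in approved[ext_id]:
            findings.append((ext_id, f"unapproved-version:{version}"))
        events = manifest.get("activationEvents")
        if isinstance(events, list) and STARTUP_EVENTS.intersection(
                e for e in events if isinstance(e, str)):
            findings.append((ext_id, "runs-at-startup"))
    return findings


def build_sample(root):
    """Write a constructed extensions folder (sample data, not a real inventory)."""
    samples = {
        "ms-python.python-2024.2.0": {
            "publisher": "ms-python", "name": "python", "version": "2024.2.0",
            "activationEvents": ["onLanguage:python"]},
        "example-corp.internal-linter-1.5.0": {
            "publisher": "example-corp", "name": "internal-linter", "version": "1.5.0"},
        "helpful-tools.productivity-boost-0.0.3": {
            "publisher": "helpful-tools", "name": "productivity-boost",
            "version": "0.0.3", "activationEvents": ["*"]},
        "broken-ext-0.1.0": None,  # folder with no manifest at all
    }
    for folder, manifest in samples.items():
        (root / folder).mkdir()
        if manifest is not None:
            (root / folder / "package.json").write_text(json.dumps(manifest), encoding="utf-8")


def demo():
    """Audit the constructed folder and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample(root)
        return audit(root)


if __name__ == "__main__":
    for ext, finding in demo():
        print(f"{ext}: {finding}")
```

On a workstation, point `audit()` at the per-user extensions folder (assumed here to be `~/.vscode/extensions`) and feed the findings into whatever approval process the team already uses.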

But do not make this only a technical control problem. Train developers for the social engineering they actually face. Teach them to question unexpected extensions, verify publishers, be cautious with auto-updates, report suspicious tool behavior and use trusted internal channels before installing anything that touches code or credentials.

The bottom line: attackers are not just phishing inboxes anymore. They are phishing workflows.

Treat developer tools like production infrastructure. Monitor them, govern them and make sure your people know when trust is being abused.

Blog post with links:
https://blog.knowbe4.com/heads-up-github-breach-shows-developer-tools-are-social-engineering-targets

Shadow AI and Agentic Risk: New Global Research on the Gold Standard Approach

While 58% of cybersecurity leaders have AI agents executing actions within their workflows, a dangerous governance gap remains. Fifty-two percent admit their company's AI use is not clearly governed or outright unapproved. Without proper governance, your security can't keep pace with a workforce already running on AI.

Join Kawin Boonyapredee, KnowBe4 CISO Advisor, for an exclusive briefing of our latest report, From Agentic Risk to Human Wins. Drawing on insights from 800 cybersecurity leaders and 3,200 employees globally, Kawin will reveal how AI agents and employees have merged into a single, interconnected layer. Learn why only 19% of organizations have adopted the "gold standard" approach required to secure it.

In this session, Kawin will share the latest global research and actionable takeaways, including:

  • Global findings on how the rapid integration of AI agents is fundamentally shifting the criminal attack surface and organizational risk
  • How "shadow AI" is inadvertently manufacturing new vulnerabilities
  • A deep dive into the everyday work mistakes that 58% of leaders identify as their organization's greatest security threat
  • Insights into developing an agentic security approach to bridge the gap between policy and culture

Don't let your governance gap widen. Gain the knowledge needed to transform agentic risk to human wins, and earn CPE credits for attending.

Date/Time: Wednesday, June 3 @ 2:00 PM (ET)

Can't attend live? No worries — register now and you will receive a link to view the presentation on-demand afterward.

Save My Spot:
https://info.knowbe4.com/shadow-ai-agentic-risk?partnerref=CHN

Report: Romance Scams Cost UK Victims £102 Million Last Year

UK residents lost £102 million (U.S. $138 million) to romance scams in 2025, according to a new report from the City of London Police.

"Data shows 10,784 reports of romance fraud were made to Report Fraud last year - a 29 percent increase compared with 2024," the report says. "Police believe this rise is partly driven by increased awareness and confidence in reporting, but it also highlights the ongoing scale and impact of a crime that often unfolds over weeks or months.

"Overall losses equate to almost £280,000 every day, with individual victims losing an average of £9,500. In some cases, reported individual losses reached as high as £1 million."

Romance fraud is a particularly cruel form of social engineering that exploits victims' loneliness and pity to trick them into sending money.

"Romance fraud typically involves sustained contact, with offenders carefully building trust and emotional attachment with the victim before requesting money, often using stories linked to emergencies, investment opportunities or plans to meet in person," the report says, adding, "Romance fraud remains closely linked to online platforms, particularly social media and dating sites, where offenders can easily create convincing false profiles.

"Investigators are also seeing increased use of AI‑generated images and messages to support fraudulent identities. In many cases, romance fraud is linked with fake investment opportunities, including cryptocurrency, further increasing the financial risk to victims."

City of London Police Detective Superintendent Oliver Little stated, "Romance fraud is particularly harmful because it targets trust and emotional connection. Offenders will often spend significant time building what appears to be a genuine relationship before attempting to exploit their victim financially.

"While the monetary losses can be substantial, the emotional impact is often just as damaging. This crime can affect anyone, and by reporting it, victims help us build intelligence, disrupt offenders and protect others from harm."

The police offer the following advice to help users recognize these scams:

  • "Be cautious of individuals who develop relationships very quickly or express strong feelings early on
  • Be wary of excuses not to meet in person or to avoid live video calls
  • Never send money, cryptocurrency or gift cards to someone you have not met face‑to‑face
  • Be alert to requests linked to investments, medical emergencies or travel costs
  • Speak to a trusted friend or family member if something feels unusual or pressured"

Blog post with links:
https://blog.knowbe4.com/uk-romance-scams-cost-102-million-report

KnowBe4 Launches a New Family Hub Providing Cyber Safety Training for Children and Adults

KnowBe4, the global leader in digital workforce security, securing both AI agents and humans, today announced the launch of "CAPY: Cyber Awareness Program for You," a new, one-stop, free online hub providing cybersecurity training for the entire family.

Recognizing that 1.2 million children have reported having their images manipulated into deepfakes and that 40% have spoken to a stranger online, KnowBe4 has developed its family-focused cybersecurity education.

Through a streamlined, Netflix-style interface, CAPY offers family-friendly exploration of key digital safety topics such as phishing and good password hygiene. It makes learning about cybersecurity fun with games and coloring books for younger children. For tweens and teens there is content on cyberbullying, AI safety and sextortion.

Read More:
https://www.knowbe4.com/press/knowbe4-launches-a-new-family-hub-providing-cyber-safety-training-for-children-and-adults

Warning: Phishing Attacks Are Abusing the Kuse AI App

Attackers are abusing the storage and sharing features of Kuse, a free AI app, to assist in phishing campaigns, according to researchers at Trend Micro. Kuse is a legitimate agentic AI platform used by employees to streamline workflows.

Users can share files with coworkers, which generates a link hosted by Kuse's domain. In this case, attackers are abusing the share feature to generate legitimate-looking phishing links.

"The URL used the legitimate domain app[.]kuse[.]ai and contained spaces, commas and periods," Trend Micro explains. "Moreover, the URL mimicked a legitimate document using the compromised vendor's company name. These links were presumably put in emails sent from mailboxes belonging to the compromised vendor, aimed at the target organization.

"This tactic was meant to confuse users and automated scanners. Because the Markdown file extension (.md) is less commonly used in phishing attempts than document (e.g., .pdf, .docx) and webpage (e.g., .html, .aspx) file extensions, it can bypass filter signatures and heuristic rules that focus on more typical malicious file extensions."

If a user clicked the link, they'd be taken to a legitimate Kuse workspace that displayed a blurred document preview accompanied by another link to reveal the document. This link led to a spoofed Microsoft login page designed to steal the user's credentials.

"Threat actors are always looking for new vectors to exploit the inherent trust placed in legitimate platforms," Trend Micro says. "They abuse the storage and sharing capabilities of free services, as well as the growing interest in AI-powered web applications.

"Using the Markdown (.md) file extension as the delivery format, combined with a VEC to establish trust at the point of delivery, demonstrates a multi-layered social engineering approach designed to evade both automated defenses and human scrutiny, which in turn highlights the need for layered protection and heightened user awareness."
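The link traits Trend Micro describes can be checked in mail or proxy logs. The following is an added example, not Trend Micro's or KnowBe4's detection logic: it refangs logged URLs, decodes them, and flags links on a shared-workspace host whose file name ends in `.md` or carries spaces, commas or extra periods. The log lines, the `/share/` path layout and the vendor name are constructed; only the host comes from the quote above.

```python
import re
from urllib.parse import urlsplit, unquote

# Host named in the Trend Micro quote; add other file-sharing hosts seen locally.
SHARE_HOSTS = {"app.kuse.ai"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed log lines for illustration (not real traffic or real Kuse link formats).
SAMPLE_LOG = [
    "2026-05-20T09:14:02Z rcpt=ap@victim.example "
    "url=hxxps://app[.]kuse[.]ai/share/Example%20Vendor%2C%20Inc.%20Remittance.md",
    "2026-05-20T09:15:40Z rcpt=dev@victim.example url=https://app.kuse.ai/share/team-notes",
    "2026-05-20T09:16:11Z rcpt=dev@victim.example url=https://docs.example.org/readme.md",
]


def refang(text):
    """Undo common defanging so logged indicators parse as URLs."""
    text = text.replace("[.]", ".")
    return re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)


def lure_traits(url):
    """Return the traits from the quoted description that this URL shows."""
    parts = urlsplit(url)
    filename = unquote(parts.path).rsplit("/", 1)[-1]
    traits = []
    if (parts.hostname or "").lower() in SHARE_HOSTS:
        traits.append("share-host")
    if filename.lower().endswith(".md"):
        traits.append("markdown-extension")
    # Spaces, commas or more than one period make the link read like a document title.
    if re.search(r"[ ,]", filename) or filename.count(".") > 1:
        traits.append("punctuated-filename")
    return traits


def scan(lines):
    """Flag URLs on a share host that also show at least one other trait."""
    flagged = []
    for line in lines:
        for url in URL_RE.findall(refang(line)):
            traits = lure_traits(url)
            if "share-host" in traits and len(traits) >= 2:
                flagged.append((url, traits))
    return flagged


if __name__ == "__main__":
    for url, traits in scan(SAMPLE_LOG):
        print(url, traits)
```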

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Blog post with links:
https://blog.knowbe4.com/warning-phishing-attacks-are-abusing-the-kuse-ai-app

Personalized Security Awareness Training Proven to Reduce Risk by 87%

Sixty-eight percent of breaches still involve a human element, and as attackers use AI to create hyper-personalized messages, even highly security-conscious users can be fooled. Yet, your users still receive generic training that ignores these real-world risks.

Join us for a live demo to see how our AI-native SAT combines 15+ years of threat data with KnowBe4's AI Defense Agents to transform your workforce. With our newly added 12th agent, Content Creation Agent, you can instantly create custom, localized training modules and quizzes using simple AI prompts or internal policy documents.

See how KnowBe4 SAT empowers you to:

  • Deliver personalized training that actually changes behavior with targeted learning experiences based on each user's role, behavior patterns and risk level
  • Reduce administrative burden and manual work with AI Defense Agents that create more strategic impact by fully automating training assignments, phishing simulations and program optimization
  • Make data-driven decisions with our SmartRisk™ Engine that analyzes user behavior to provide insights into human risk
  • Measurably reduce risk, with SAT proven to drop Phish-prone™ Percentage from an industry average of 33.1% to 4.1% within one year—an 87% reduction in human-related cyber risk
  • Create custom training in minutes with generative AI. Turn your internal policies and documents into bespoke training modules and quizzes tailored to your organization's unique requirements

Don't miss out on seeing how the platform trusted by over 70,000 organizations reduces human risk and saves your teams hours of work every week.

Date/Time: Wednesday, June 10 @ 2:00 PM (ET)

Save My Spot:
https://info.knowbe4.com/kmsat-demo-3?partnerref=CHN


Let's stay safe out there.

Warm regards,

Stu Sjouwerman, SACP
Executive Chairman
KnowBe4, Inc.

PS: [RECOMMENDED] KnowBe4 CEO Bryan Palma Q&A From KB4-CON 2026:
https://blog.knowbe4.com/kb4-con-2026-bryan-palma-ceo-qa-ai-security

PPS: [NEW!] Build Your Own Custom, High-Impact Training with KnowBe4’s Content Creation Agent:
https://blog.knowbe4.com/build-custom-training-content-creation-agent

Quotes of the Week  
"Life is the sum of all your choices."
- Albert Camus - Philosopher (1913 - 1960)

"One of the most beautiful qualities of true friendship is to understand and to be understood."
- Lucius Annaeus Seneca - Philosopher, Statesman, Dramatist (5 BC - 65 AD)

Thanks for reading CyberheistNews

You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-16-21-heads-up-github-breach-shows-developer-tools-are-social-engineering-targets

Security News

Verizon’s DBIR Finds That Social Engineering Remains a Top Initial Access Vector

Verizon's latest Data Breach Investigations Report has found that the human element is involved in 62% of breaches, up from 60% in last year's report.

While email is still the preferred vector for most social engineering breaches, the researchers found that users are 40% more likely to fall for mobile-centric phishing attacks sent via text message (smishing) or phone call (vishing).

The researchers have also added "pretexting" as a distinct social engineering category, defining this as "an attacker tactic in which a trusted relationship is built through concocted scenarios to trick the user into taking an action that unknowingly compromises the organization, frequently by voice communications but also seen via email or text messaging."

These targeted social engineering attacks were responsible for "a significant number of high-profile ransomware breaches" over the past year.

The researchers are also tracking the growing popularity of ClickFix attacks, in which attackers trick the user into copying and pasting a malicious command and running it on their computer.

"While this may seem obvious in a controlled setting, these attacks are not reserved exclusively for use against non-technically savvy users," the researchers explain. "In practice, attackers skillfully combine technical instructions with Social Engineering to instill a sense of both urgency and distraction.

"These psychological pressures are designed to bypass users' typical caution, leading them to execute commands (in this case, press Ctrl-Alt-R and then Ctrl-V) they would otherwise recognize as a threat."

Nation-state threat actors continue to rely on social engineering by targeting individual employees at organizations. "One such tactic these attackers leverage is by weaponizing a job hiring process, such as attempting to recruit employees of the target organization as a means of getting internal information," Verizon says.

"Alternatively, they may try getting the user to download and troubleshoot a git repository that happens to have malware embedded in it. As our analysis on bring your own device (BYOD) and infostealers in the 2025 DBIR shows, even on personal devices, it was relatively common for employees to have corporate account credentials or information that is ripe to be compromised.

"When it comes down to helping employees protect themselves in situations like these, the focus should also be on promoting the same discerning sensibility at home in their personal lives as they do at work."

Security awareness training remains an essential layer of defense against social engineering attacks. KnowBe4 empowers your workforce to make smarter security decisions every day.

Verizon has the story:
https://www.verizon.com/business/resources/T1c3/reports/2026-dbir-data-breach-investigations-report.pdf

Ransomware Attacks Drive a Surge in Cyber Insurance Claims

Cyber insurance claims surged by 40% over the past 18 months, while ransomware payments have dropped by 44%, according to a new report from Cowbell Cyber. The three most common incident types were data breaches, cybercrime (including phishing and business email compromise) and extortion attacks (including ransomware).

"U.S. cyber insurance premiums declined for the first time to $9.14B, while claims rose 40%, signaling increased loss activity despite reduced premium volume," the report says. "This signals a more active risk environment, even as pricing adjusts.

"Ransomware remains a consistent part of that landscape, representing 19% of Cowbell claims between 2022 and 2025. At the same time, average ransom payments have decreased by approximately 44%, reflecting stronger negotiation strategies and more effective claims handling."

Social engineering remains the most effective initial access vector, with AI tools amplifying the potency of these threats.

"Human error and manipulations prevail as the most common entry point for threat actors," the report says. "Based on 2025 APWG data identifying approximately 3.8 million phishing attacks globally, phishing and spoofing remain the most prevalent cyber threats, underscoring the need for strong employee awareness, email security and proactive threat detection as critical first lines of defense.

"Often delivered at scale and designed to appear credible, threat actors continue to refine these scam tactics using AI, making messages more convincing and harder to detect."

The researchers add, "Variants of phishing, like smishing (text messages) or vishing (phone calls) expand these risks across channels. These tactics are designed to exploit trust and create a sense of urgency to bypass security protocols.

"Practical defenses like multi-factor authentication (MFA), employee training and rapid response remain some of the most effective ways to reduce exposure."

Risk & Insurance has the story:
https://riskandinsurance.com/ransom-payments-drop-44-even-as-cyber-claims-surge-cowbell-reports/

What KnowBe4 Customers Say

"I had the pleasure of connecting with my Managed Services Engineer, Rae H., this week at KB4-CON. I was really looking forward to meeting her in person. We ran into each other purely by chance right at the beginning of KB4-CON and continued to see each other throughout the conference.

"She checked in with me periodically and we were able to meet for an hour or so Wednesday before the big gala event. It was a very productive meeting. We got to talk in-depth and exchanged some great ideas and helpful feedback with each other. We discussed campaigns, new products and additional resources for me as a relatively new user of KB4.

"Being my first time at the conference and traveling solo, having Rae there to connect with was a definite highlight of the conference for me. Rae is easy to interact with, always ready to assist, knowledgeable and so fun to talk to!

"She listened attentively and answered all my questions and offered useful suggestions and resources. I noticed the culture of the KB4 employees as a group at the conference and sensed the passion and true camaraderie of them working as a team toward common goals.

"It was impressive, as was Rae! Please recognize her for going above and beyond to ensure my first KB4-CON was a total success! Thank you for your time and looking forward to KB4-CON 2027!"

- M.E., Information Security Analyst

The 10 Interesting News Items This Week
  1. Kimsuky Uses LNK and JSE Lures to Target Recruiters, Crypto Users and Defense Officials:
    https://gbhackers.com/kimsuky-uses-lnk-jse-lures/

  2. IBM executive floated for CISA director as concerns persist for agency:
    https://www.scworld.com/news/ibm-executive-floated-for-cisa-director-as-concerns-persist-for-agency

  3. KREBS: CISA Admin Leaked AWS GovCloud Keys on GitHub:
    https://krebsonsecurity.com/2026/05/cisa-admin-leaked-aws-govcloud-keys-on-github/

  4. UK regulator to require tech firms to tackle deepfakes, non-consensual intimate images:
    https://therecord.media/uk-regulator-to-require-tech-firms-to-tackle-deepfakes-nudification-ai

  5. FBI: "Americans lost over $388 million to scams using crypto ATMs in 2025":
    https://www.bleepingcomputer.com/news/security/fbi-americans-lost-over-388-million-to-scams-using-crypto-atms-in-2025/

  6. Top 5 Phishing-Driven Social Engineering Attacks on Companies in 2026:
    https://any.run/cybersecurity-blog/social-engineering-attacks-2026/

  7. Microsoft warns hackers are exploiting password resets to gain access to user accounts:
    https://www.microsoft.com/en-us/security/blog/2026/05/18/storm-2949-turned-compromised-identity-into-cloud-wide-breach/

  8. "First VPN Service" Used by Ransomware Actors to Compromise Systems:
    https://www.bleepingcomputer.com/news/security/police-seize-first-vpn-service-used-in-ransomware-data-theft-attacks/

  9. Australian Signals Directorate warns of a phishing campaign targeting Microsoft 365 accounts:
    https://www.cyberdaily.au/security/13628-australian-signals-directorate-warns-of-device-code-phishing-activity-targeting-microsoft-365-users

  10. Interpol operation cracks down on phishing infrastructure:
    https://www.trendmicro.com/en_us/research/26/e/inside-the-influence-and-fraud-patriot-bait-campaign.html

Secure the Digital Workforce: Human + AI

KnowBe4 empowers the modern workforce to make smarter security decisions every day. Trusted by more than 70,000 organizations worldwide, KnowBe4 is the pioneer of digital workforce security, securing both AI agents and humans. The KnowBe4 Platform provides attack simulation and training, collaboration security, and agent security powered by AIDA (Artificial Intelligence Defense Agents) and a proprietary Risk Score. The platform leverages 15 years of behavioral data to combat advanced threats including social engineering, prompt injection, and shadow AI. By securing humans and agents, KnowBe4 leads the industry in workforce trust and defense.