TL;DR
A public GitHub repository exposed AWS GovCloud credentials and CISA secrets; Drupal CVE-2026-9082 and LiteSpeed CVE-2026-48172 are actively exploited; Laravel-Lang packages were compromised for credential theft. Patch Drupal and cPanel plugins immediately; secure GitHub access with MFA.
Executive Summary
- A critical credential leak exposed AWS GovCloud keys and CISA internal systems on GitHub; lawmakers are demanding accountability [11,13].
- Drupal vulnerability CVE-2026-9082 is under active exploitation with thousands of websites targeted [27].
- Supply-chain attacks on Laravel-Lang and Packagist packages delivered credential-stealing malware to developers [2,4,6].
- LiteSpeed cPanel Plugin CVE-2026-48172 (CVSS 10.0) is actively exploited to execute arbitrary scripts with root privileges [5].
- GitHub expanded npm publishing controls with 2FA-gated staged releases to prevent unauthorized package deployment [1].
Top Threats Today
1. CISA AWS Credential Leak on GitHub
Severity: CRITICAL | Affected: Government
Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to highly privileged AWS GovCloud accounts and a large number of internal CISA systems [1][2]. Lawmakers in both houses of Congress are demanding answers from CISA regarding the scope and remediation of the leak [1].
Sources: [1] Krebs on Security; [2] Krebs on Security
Recommended Action
- If your organization uses AWS GovCloud or integrates with CISA systems, immediately audit access logs for unauthorized activity
- Contact CISA directly for a detailed timeline of exposure and affected services
- Rotate all AWS credentials and API keys; enforce MFA on all privileged accounts
- Scan GitHub repositories within your organization for hardcoded credentials and establish pre-commit hooks to prevent future leaks
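A sketch of the pre-commit check recommended above, as an added example that is not from the original briefing or from any tool it names. It scans only the lines a commit adds, using the publicly documented AWS access key ID prefixes; the secret-key pattern is a heuristic assumption, and the sample diff is constructed from AWS's documentation example keys.

```python
import re
import subprocess
import sys

# AWS access key IDs: long-term keys start with AKIA, temporary ones with ASIA.
KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Heuristic (assumption): a 40-character value assigned to a name containing "secret".
SECRET = re.compile(r"(?i)secret[\w.-]*\s*[:=]\s*[\"']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def scan_diff(diff_text):
    """Return (path, line_no, kind) for each added line that looks like an AWS credential."""
    findings, path, line_no = [], None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):            # new-file header: remember the path
            path = line[4:].removeprefix("b/")
        elif (m := HUNK.match(line)):          # hunk header: first new-side line number
            line_no = int(m.group(1))
        elif line.startswith("+"):             # added line: the only content we judge
            if KEY_ID.search(line):
                findings.append((path, line_no, "aws-access-key-id"))
            if SECRET.search(line):
                findings.append((path, line_no, "aws-secret-access-key"))
            line_no += 1
        elif line.startswith(" "):             # context line still advances numbering
            line_no += 1
    return findings

# Constructed sample: the key pair is the example pair from AWS documentation.
SAMPLE_DIFF = """diff --git a/deploy/config.env b/deploy/config.env
--- a/deploy/config.env
+++ b/deploy/config.env
@@ -2,0 +3,2 @@
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    # As .git/hooks/pre-commit: inspect staged changes and block the commit on a hit.
    staged = subprocess.run(["git", "diff", "--cached", "-U0"],
                            capture_output=True, text=True).stdout
    hits = scan_diff(staged)
    for path, line_no, kind in hits:
        print(f"{path}:{line_no}: possible {kind}", file=sys.stderr)  # never echo the value
    sys.exit(1 if hits else 0)
```

A hook like this only covers new commits; credentials already in repository history still need rotation and a history scan.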
2. Drupal CVE-2026-9082 Actively Exploited at Scale
Severity: HIGH | Affected: Technology, Education
Drupal is warning users that it has already seen attempts to exploit CVE-2026-9082, and security firms are seeing attacks against thousands of websites [1].
Sources: [1] SecurityWeek
Recommended Action
- Identify all Drupal instances in your environment and determine which are vulnerable to CVE-2026-9082
- Apply the latest security patch from Drupal immediately
- Monitor web server and application logs for exploitation attempts (look for unusual POST requests or error patterns)
- If patching is delayed, implement WAF rules to block known attack signatures
3. Laravel-Lang Supply-Chain Attack Delivers Credential Stealer
Severity: HIGH | Affected: Technology
A coordinated supply-chain attack has compromised multiple PHP packages belonging to Laravel-Lang, including laravel-lang/lang and laravel-lang/http-statuses, to deliver a comprehensive credential-stealing framework [1]. Attackers abused GitHub version tags to distribute malicious code through Composer packages [2].
Sources: [1] The Hacker News; [2] BleepingComputer
Recommended Action
- Search your codebase and lock files for any dependency on Laravel-Lang packages; list affected versions
- Remove or isolate affected Laravel-Lang packages immediately
- Audit development and production servers that may have executed the malicious code; check for credential access (SSH keys, API tokens, database credentials)
- Reset all credentials used by developers or services that may have been exposed
- Update to a patched version of Laravel-Lang once available; review package source code and commit history
4. Packagist Supply-Chain Attack Infects Eight Packages with Linux Malware
Severity: HIGH | Affected: Technology
A coordinated supply-chain attack campaign has impacted eight packages on Packagist, adding malicious code designed to run a Linux binary retrieved from a GitHub Releases URL [1]. Although the affected packages were Composer packages, the malicious code was not added to composer.json, suggesting a more subtle injection technique [1].
Sources: [1] The Hacker News
Recommended Action
- Audit Packagist dependency manifests for the eight affected packages; identify which versions are in use
- Review Composer lock files to pinpoint exact versions and installation dates
- Inspect execution logs on Linux servers for unsigned or unexpected binary downloads from GitHub
- Update to patched versions and review recent commits and release tags for anomalies
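The lock-file audit recommended for both the Laravel-Lang and the Packagist incidents can be scripted; the following is an added example, not code from the briefing or from Composer. It reads the standard `packages` and `packages-dev` sections of composer.lock; `WATCH_NAMES` and `known_bad_refs` are placeholders to fill from the vendor advisories, and the sample lock file is constructed.

```python
import json

# "laravel-lang/" is the namespace named above. The eight Packagist package names
# are not listed on this page: add them to WATCH_NAMES from the advisory.
WATCH_PREFIXES = ("laravel-lang/",)
WATCH_NAMES = set()  # placeholder, exact "vendor/package" names

def audit_lock(lock_text, known_bad_refs=frozenset()):
    """Return one record per watched package pinned in a composer.lock document."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "").lower()
            if not (name.startswith(WATCH_PREFIXES) or name in WATCH_NAMES):
                continue
            ref = (pkg.get("source") or {}).get("reference")
            findings.append({
                "name": name,
                "section": section,
                "version": pkg.get("version"),
                # Commit the tag resolved to when the lock was written; compare it
                # with the upstream history, since a tag name alone can be re-pointed.
                "source_ref": ref,
                "dist_url": (pkg.get("dist") or {}).get("url"),
                # Release timestamp of that version, not the time it was installed.
                "released": pkg.get("time"),
                "known_bad": ref in known_bad_refs,
            })
    return findings

# Constructed sample lock file: versions, commit references and dates are made up.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/lang", "version": "0.0.1", "time": "2000-01-01T00:00:00+00:00",
         "source": {"type": "git", "reference": "1" * 40}},
        {"name": "example/unrelated", "version": "0.0.2",
         "source": {"type": "git", "reference": "3" * 40}},
    ],
    "packages-dev": [
        {"name": "laravel-lang/http-statuses", "version": "0.0.3",
         "source": {"type": "git", "reference": "2" * 40}},
    ],
})

if __name__ == "__main__":
    for f in audit_lock(SAMPLE_LOCK, known_bad_refs={"2" * 40}):
        print(f)
```

Because composer.lock does not record when a package was installed, pair the output with file timestamps under vendor/ or deployment logs to bound the exposure window.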
5. LiteSpeed cPanel Plugin CVE-2026-48172 Under Active Exploitation
Severity: HIGH | Affected: Technology
A maximum-severity security vulnerability impacting LiteSpeed User-End cPanel Plugin, tracked as CVE-2026-48172 (CVSS score: 10.0), relates to incorrect privilege assignment that an attacker could abuse to run arbitrary scripts with root privileges [1]. The flaw is coming under active exploitation in the wild [1].
Sources: [1] The Hacker News
Recommended Action
- Immediately verify the LiteSpeed and cPanel Plugin versions running on affected servers
- Apply the latest security patch from LiteSpeed without delay
- Review cPanel audit logs and system command history for unauthorized script execution or privilege escalation attempts
- If patching is not immediately possible, restrict cPanel access to trusted networks and enforce strict authentication controls
Today’s Action Checklist
- ☐ URGENT: Rotate AWS GovCloud credentials and audit CISA-related integrations for unauthorized access
- ☐ URGENT: Patch Drupal to address CVE-2026-9082; monitor logs for active exploitation
- ☐ URGENT: Audit Laravel-Lang and Packagist dependencies; remove malicious versions and reset developer credentials
- ☐ URGENT: Patch LiteSpeed cPanel Plugin CVE-2026-48172; check server logs for privilege escalation attempts
- ☐ Enable 2FA on all GitHub accounts and implement pre-commit hooks to scan for credential leaks
- ☐ Review Composer and npm lock files for supply-chain vulnerabilities; establish dependency scanning in CI/CD pipelines