Leaks and the AI, Privacy, and Security Weekly Update for the Week Ending May 19th, 2026
EP 292.
Let's go get soaked!
US: CISA Admin Leaked AWS GovCloud Keys on GitHub
A contractor working with the Cybersecurity and Infrastructure Security Agency accidentally exposed highly sensitive government credentials in a public GitHub repository, according to a report from KrebsOnSecurity.
The leak reportedly included access keys tied to Amazon AWS GovCloud systems, internal passwords, security tokens, and deployment files connected to federal infrastructure. Researchers who reviewed the data described it as one of the most serious government-related credential leaks seen in years.
The exposed repository, reportedly named 'Private-CISA,' was maintained publicly until this past weekend.
Security researcher Guillaume Valadon said his company detected the leak while scanning public repositories for exposed secrets. He claimed repeated attempts to alert the account owner went unanswered.
The files allegedly contained plaintext passwords stored in spreadsheets, internal logs, and administrative credentials linked to multiple AWS GovCloud environments used by the federal government.
Investigators also found evidence that GitHub's automated secret scanning protections had been manually disabled on the account.
Researchers said the repository exposed details about how the agency builds and deploys software internally, including references to a secure development environment believed to support DevSecOps operations.
Several observers in the cybersecurity community said the incident reflects broader operational weaknesses around credential management and contractor oversight inside government systems.
The incident quickly spread across cybersecurity forums and social media, where professionals criticized the use of plaintext credentials and long-lived access keys in sensitive environments.
Others pointed to the growing dependence on contractors inside federal agencies, arguing that human error continues to outweigh technical safeguards in many modern breaches.
The exposure also renewed debate around whether platforms like GitHub should block sensitive government credentials from ever being published publicly.
So what's the upshot for you?
Even agencies responsible for national cybersecurity can be undone by basic operational mistakes, proving that in modern security, the weakest control is often not the technologies but the processes surrounding them.
CA: Canada Enters the Encryption Fight With Bill C-22
Canada’s Bill C-22, titled “An Act respecting lawful access,” has drawn attention because it appears to reopen the familiar fight between lawful access demands and end-to-end privacy.
Privacy-focused providers and civil society critics are concerned that the bill could pressure technology companies to retain metadata, enable surveillance capabilities, or weaken trust in encrypted services.
So what's the upshot for you?
Any organization operating in Canada should watch this closely because privacy architecture, data retention, and cross-border service availability may soon become board-level compliance questions.
Global: Mystery Microsoft bug leaker keeps the zero-days coming
A security researcher locked in a public dispute with Microsoft has released two more unpatched Windows exploits, escalating a months-long standoff that is rattling cybersecurity teams. The researcher, known online as 'Chaotic Eclipse' and 'Nightmare-Eclipse,' published proof-of-concept code for flaws called YellowKey and GreenPlasma shortly after Microsoft's May Patch Tuesday update.
YellowKey reportedly allows attackers with physical access to bypass BitLocker encryption on Windows systems using a specially prepared USB drive. GreenPlasma is a privilege escalation flaw that could give attackers SYSTEM-level access, effectively handing them deep control over a compromised machine. Security analysts say the public release of exploit code sharply raises the risk of criminal abuse because attackers can adapt the techniques quickly.
The researcher claims the disclosures are retaliation for how Microsoft handled earlier bug reports. In online posts, Chaotic Eclipse accused the company of intimidation and poor communication during the vulnerability disclosure process. Microsoft has not addressed those accusations directly but said it is investigating the claims and remains committed to coordinated vulnerability disclosure practices.
This is not the first clash between the researcher and Microsoft. Earlier exploits tied to the same figure, including BlueHammer, RedSun, and UnDefend, targeted Windows Defender and were later linked to real-world attacks. Federal agencies were even ordered to patch some of the flaws after security firms observed active exploitation attempts.
So what's the upshot for you?
The growing feud has become more than a technical dispute. It is exposing how fragile the relationship between major software vendors and independent researchers can become when trust breaks down, and in cybersecurity, that fracture can turn private vulnerabilities into public weapons overnight. The best way to treat anyone is respectfully.
Global: Anthropic's Mythos Helped Build a Working macOS Exploit in Five Days
'The vulnerability is simple in practice,' writes Tom's Hardware: 'run a command as a standard user and gain root (administrator) access to the machine.'
And it was Mythos Preview that helped the security researchers at Palo Alto-based Calif bypass a five-year Apple security effort in just five days. Last year, Apple introduced Memory Integrity Enforcement (MIE), a hardware-assisted memory safety system designed to make memory corruption exploits much harder to execute. [The researchers note it's built into all models of the iPhone 17 and iPhone Air, and some MacBooks]
They explain they have a 55-page technical report on the hack, but they won't release it until Apple ships a fix for the exploit. But they do note in broad terms that Anthropic's Mythos Preview model helped them identify the bugs and assisted them throughout the entire collaborative exploit development process.
'Mythos Preview is powerful: once it has learned how to attack a class of problems, it generalizes to nearly any problem in that class. Mythos discovered the bugs quickly because they belong to known bug classes. But MIE is a new best-in-class mitigation, so autonomously bypassing it can be tricky. This is where human expertise comes in. Part of our motivation was to test what's possible when the best models are paired with experts. Landing a kernel memory corruption exploit against the best protections in a week is noteworthy, and says something strong about this pairing....'
So what's the upshot for you?
In a time when even small teams, with the help of AI, can make discoveries such as this one, 'we're about to learn how the best mitigation technology on Earth holds up during the first AI bugmageddon.'
Global: Daybreak and MDASH Signal the Start of AI-Native Vulnerability Management
OpenAI is positioning Daybreak as a cyber defense offering that uses frontier models and Codex to help with secure code review, threat modeling, patch validation, dependency risk analysis, and remediation. Microsoft, meanwhile, says its MDASH system found 16 vulnerabilities across Windows networking and authentication, including four critical remote code execution flaws, using a multi-model agentic scanning harness with more than 100 specialized agents.
So what's the upshot for you?
The next serious Governance, Risk, and Compliance question is not whether AI belongs in vulnerability management. It is how organizations prove that AI-found issues are validated, prioritized, remediated, and auditable.
Linus Torvalds is pushing back against a growing wave of AI-generated bug reports flooding the Linux kernel security team. In a recent post announcing a new Linux release candidate, Torvalds said the volume of duplicate reports has become so large that it is overwhelming maintainers and wasting time. Many of the reports come from different people using the same AI tools to identify the same issues.
The Linux security team has now updated its documentation to address the problem directly. According to the new guidance, many AI-assisted findings are not true security vulnerabilities at all. Instead, they are often ordinary software bugs that reporters mistakenly classify as security threats because they do not fully understand the Linux kernel's threat model.
Torvalds argued that treating these reports as confidential security matters no longer makes sense because the same bugs are frequently discovered simultaneously by multiple researchers. Maintainers are often left responding with reminders that the issue was already fixed or publicly discussed weeks earlier, creating what he described as pointless administrative churn.
While Torvalds acknowledged that AI tools can still be useful, he stressed that they only help when paired with real technical understanding. He urged contributors to go beyond automated scans by studying the documentation, preparing patches, and contributing meaningful analysis instead of submitting what he described as 'drive-by' reports.
So what's the upshot for you?
Linus is addressing what is happening across open source development, where AI is making it easier to find software flaws but harder to separate genuine expertise from automated noise, turning technical credibility into the real scarce resource.
US: The US is betting on AI to catch insider trading in prediction markets
Federal regulators are turning to artificial intelligence to police a fast-growing corner of online finance: prediction markets. Platforms like Polymarket and Kalshi let users bet on real-world events ranging from elections to military action, and officials now fear those markets are becoming magnets for insider trading.
The Commodity Futures Trading Commission says it is using AI systems to scan huge volumes of trades for suspicious behavior. Regulators are reportedly combining blockchain tracking tools with software designed to detect market abuse patterns that humans might miss. Officials say the technology helps flag unusual timing, coordinated trades, and accounts that suddenly place large bets before major events become public.
The pressure intensified after federal prosecutors charged a US Army special forces soldier accused of using classified information to profit from bets tied to Venezuelan political events. Authorities claim the case exposed how prediction markets can reward people with access to confidential government or military intelligence. That investigation became a warning shot for traders who believed offshore platforms were outside US enforcement reach.
Prediction markets have exploded in popularity over the past year, pulling in billions of dollars and attracting growing political scrutiny. Some lawmakers argue these platforms operate too much like gambling, while regulators insist they function more like financial exchanges. At the same time, companies behind the markets are racing to strengthen monitoring systems as concerns over manipulation continue to grow.
So what's the upshot for you?
The bigger story is not just about betting anymore. It is about how governments are quietly building AI systems that can watch digital behavior at a scale no human investigator ever could, turning every suspicious trade into a potential data trail.
IR: Iran Now Threatens Fees for Subsea Internet Cables in the Strait of Hormuz
Iran is signaling that the next battleground in the Strait of Hormuz may not just involve oil tankers. According to reports cited by CNN, Tehran is now turning its attention to the undersea internet cables that carry massive amounts of global financial and communications traffic between Europe, Asia, and the Gulf region.
Iranian state-linked media floated the idea of charging foreign companies fees to use cables running through or near the strategic waterway. Officials also hinted that companies refusing to comply with Iranian regulations could face disruptions. The proposal comes after months of heightened military tensions and renewed focus on Hormuz as one of the world's most important choke points.
Experts say the threat is technically and legally complicated. Many of the cables do not directly cross Iranian territory, and global internet systems are designed with backup routes to reduce the impact of outages. Analysts also note that damaging or interfering with subsea infrastructure would likely trigger an aggressive international response and intensify already fragile regional tensions.
Even so, the discussion reflects how modern geopolitical conflicts are expanding beyond traditional military targets. Energy routes, shipping lanes, cloud infrastructure, banking systems, and internet connectivity are increasingly tied together. A disruption in one area can quickly spill into global markets, communications, and supply chains.
So what's the upshot for you?
It's not only the world's oil economy that depends on a handful of physical choke points, but the world's digital economy too, and the countries controlling them are learning that data can be leveraged just as powerfully as oil with no leakage at all!
OK, to round it all up...
CISA AWS GovCloud Keys Leaked on GitHub. When the agency responsible for plugging the nation's security gaps becomes the source of the leak, it's a reminder that no organization is above the operational basics. The most expensive security stack in the world still springs a leak the moment a contractor pastes credentials into the wrong repository.
Canada Enters the Encryption Fight With Bill C-22: Lawful access legislation has a way of starting as a narrow law enforcement tool and expanding into something far broader over time. Any organization handling Canadian user data should be pressure-testing its privacy architecture now, before compliance becomes a retrofit rather than a design choice.
Mystery Microsoft Bug Leaker Keeps the Zero-Days Coming. What started as a private dispute between a researcher and a vendor has become a steady drip of weaponizable exploits into the public domain. When trust between vendors and researchers is ruptured, the resulting flood of unpatched zero-days becomes everyone's emergency.
Apple's most advanced memory protection turned out to have a slow leak that Anthropic's frontier model Mythos helped find, map, and exploit in less than a working week. The pipeline from hidden flaw to working exploit is no longer measured in months, and that gap is only going to narrow.
Daybreak and MDASH Signal the Start of AI-Native Vulnerability Management. AI-native scanning tools are already finding cracks in enterprise software faster than traditional processes can contain them. The real risk isn't that vulnerabilities run through undetected, it's that the governance frameworks for handling AI-found flaws haven't even been built yet.
Linus Torvalds: AI Bug Reports Making Kernel Security List 'Almost Entirely Unmanageable'. AI tooling is flooding the Linux kernel security pipeline with so much noise that genuine vulnerabilities risk floating right through unaddressed in the deluge. The first consideration for every team adopting AI-assisted scanning is that an unfiltered firehose of reports is... just a different kind of security failure.
Prediction markets have been quietly plumbing privileged government and military intelligence into financial trades, and regulators have finally decided that only AI can seal the gap. The deeper implication is that any digital behavior leaving a data trail, however obscure the platform, is now within reach of machine-scale surveillance.
Iran Now Threatens Fees for Subsea Internet Cables in the Strait of Hormuz. The world's financial and communications data has been flowing through a handful of physical chokepoints for decades; most people just never noticed who was watching. State actors are now making clear that controlling the pipes that data flows through is leverage as potent as controlling the oil that powers the ships above them.
And our quote of the week: "Information wants to be free." Stewart Brand
Stewart Brand first said this at a hacker conference in 1984, and it has haunted the technology industry ever since. His point was that the natural pressure of information is always toward disclosure, that secrets, credentials, exploits, and intelligence all carry an inherent tendency to escape the containers we build for them, no matter how carefully we construct those containers.
Every story in this week's update is a variation on that same theme: a government contractor's credentials finding their way to GitHub, zero-day exploits leaking from a researcher's frustration, AI models cracking open security layers that took years to build, and state actors leveraging the data flowing through undersea cables. Brand wasn't celebrating leaks; he was warning us that the effort required to keep information contained is constant, costly, and never quite enough.
That's it for this week. Stay safe, stay secure, check for leaks, and we’ll see you in se7en.