Security Advisory

The Security Drop - May Edition

Tuesday, June 2, 2026

Introduction

In this second edition of The Security Drop, we are looking at a month that kept both cybercriminals and law enforcement busy. A malicious VS Code extension led to the compromise of thousands of GitHub repositories, ransomware actors continued to target organisations for profit, and several long-running cybercrime operations found themselves on the receiving end of coordinated law enforcement action.

Across Africa, cyber threats continued to evolve, with hacktivist activity making headlines in South Africa and growing concerns around cybercrime in Zimbabwe. Below are the stories that stood out in May.

A Single Malicious VS Code Extension Just Handed Hackers 3,800 GitHub Repositories

GitHub has confirmed that around 3,800 of its internal repositories were breached after one of its own employees installed a trojanised VS Code extension. The extension was a malicious plugin that slipped through the VS Code Marketplace and quietly compromised the employee's device. GitHub has since removed the extension, isolated the affected machine, and launched an incident response. The good news, for now at least, is that the company says there is no evidence that customer data stored outside the affected repositories was affected.

What is more, Team PCP, the same group linked to the European Commission cloud breach, has claimed responsibility and is demanding a whopping $50,000 for the data.

Extensions and plugins are an attack surface that does not get nearly enough attention. If your organisation has developers using VS Code, or any code editor with a plugin marketplace, audit what has been installed across your team's machines and establish a policy that approves certain extensions and restricts the installation of unapproved ones.

Microsoft Just Shut Down a Service That Was Selling Fake "Microsoft-Approved" Malware

Microsoft has disrupted a malware-signing-as-a-service operation run by Fox Tempest. Fox Tempest is a threat actor Microsoft has been tracking for abusing Microsoft's own Artifact Signing service to generate legitimate-looking code-signing certificates for malware.

Microsoft's Digital Crimes Unit moved in this month, seizing the signspace[.]cloud domain, taking hundreds of virtual machines offline, revoking over a thousand fraudulent certificates, and filing a lawsuit in the US District Court for the Southern District of New York. This move is a good reminder that a digital signature is only as trustworthy as the process behind it.

For organisations, the lesson is to stop treating a valid code signature as the final word on a piece of software's safety. Layer your defences as an organisation while ensuring your employees exercise due caution with software installers that arrive outside of official channels.

Grafana's Source Code was Stolen, And They Are Refusing to Pay

Grafana, the widely used open source analytics and visualisation platform, has confirmed it was breached after a compromised token granted attackers access to its GitHub environment. The hackers downloaded Grafana's codebase and then demanded a ransom to keep it from being leaked. Grafana's response? No.

To Grafana's credit, the company has been upfront about what happened: the credentials have been reset, a forensic investigation is underway, and they have committed to sharing more details once it wraps up. They are also clear that no personal or customer data was stolen and that customer systems and operations were not affected.

For organisations, this is a prompt to audit your access tokens and API keys. Apply the principle of least privilege and carry out regular reviews of potential entry points. Know what exists, what it has access to, and rotate anything that has not been touched in a while.

Crimenetwork's Resurrection Stalled by Another Shutdown

German police have announced the takedown of Crimenetwork for the second time.

The original marketplace, which had been running for over 12 years and was considered the largest German-speaking criminal marketplace online, was shut in December 2024 with an administrator arrested. Within days, it was back up on newly rebuilt infrastructure. By the time law enforcement caught up with it again, the resurrected version had grown to over 22,000 users and more than 100 sellers trading the usual catalogue, including stolen data, drugs and falsified documents.

This time, a 35-year-old German national suspected of being the administrator was arrested in Mallorca by Spanish authorities. Evidence suggests that the relaunched marketplace had already generated over 3.6 million euros in revenue before it was shut down again, using digital assets such as Bitcoin, Litecoin and even Monero to process transactions.

The practical takeaway here concerns your data: consider running regular dark web monitoring to check whether your organisation's data is being traded. For individuals, routinely change passwords that may have been reused across several platforms.

Europol Just Took Down the VPN that Ransomware Gangs Couldn't Stop Talking About

European law enforcement, coordinated by France and the Netherlands with Europol and Eurojust backing, has dismantled First VPN, a service that, according to Europol, showed up in almost every major cybercrime investigation the agency has supported in recent years. The takedown happened between May 19 and May 20, with more than 33 servers seized, multiple domains taken offline, and the alleged administrator identified and interviewed in Ukraine.

The investigation has been running since December 2021, and at some point, authorities managed to infiltrate the service and access its user database. From this database, Europol has already distributed 83 intelligence packages to partner agencies, shared information linked to 506 users internationally, and used intelligence from the operation to advance 21 separate investigations.

This is a useful reminder for organisations to take a hard look at the VPN and anonymisation tools being used across their networks, not just by employees, but by contractors and third parties with system access. For individuals, reputable and transparent providers are a no-brainer, as cheap or obscure VPNs with vague ownership are rarely a safe bet.

An 18-Year-Old Info-stealer From Odesa Just Got Identified for Stealing 28,000 Accounts

Ukrainian cyber-police, working alongside US law enforcement, have identified an 18-year-old from Odesa suspected of running a fairly sophisticated info-stealer operation that targeted customers of an online store in California.

Between 2024 and 2025, the suspect allegedly used info-stealer malware to quietly infect users' devices and harvest browser sessions, login credentials, and session tokens. What stands out even more is that, of the 28,000 customer accounts compromised, around 5,800 were actively used to make unauthorised purchases totalling approximately $721,000, with chargebacks hovering around $250,000.

For organisations running e-commerce platforms or any customer-facing service, the lesson is to invest in session management controls: implement short session timeouts, enforce re-authentication for sensitive actions, and monitor for unusual login patterns.

Nvidia GeForce NOW Users in Armenia Had Their Data Stolen, And Someone's Impersonating Shiny Hunters Again

GFN.am, an Armenia-based third-party partner that operates Nvidia's GeForce NOW cloud gaming service in the region, has confirmed a data breach after a threat actor posted a database of millions of user records for sale on BreachForums with a $100,000 price tag. The stolen data reportedly included names, email addresses, usernames, dates of birth, phone numbers, membership status, and two-factor authentication status. However, passwords were not compromised, and users who had apparently registered after March 9 were not affected.

Now here's the interesting wrinkle: the forum post was made under a "ShinyHunters" handle, but the real ShinyHunters group has come out and denied any involvement, saying the poster was an impersonator.

Where organisations work with regional partners, the question to ask is: what data do they hold on your behalf, and what security standards are they held to? Always remember that vendor risk assessments and contractual security requirements are not optional extras.

INTERPOL Just Swept Through the Middle East and North Africa

INTERPOL is having quite the year, and Operation Ramz is the latest proof of that.

In what is being described as a first-of-its-kind cybercrime operation focused specifically on the MENA region, INTERPOL wrapped up Operation Ramz with over 200 arrests and 382 additional suspects identified across 13 countries, including Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia and the UAE. Authorities also seized 53 servers tied to phishing, malware and online fraud operations, with nearly 8,000 intelligence packages recovered from the equipment and at least 3,867 confirmed victims identified from the data.

Operations like Ramz are encouraging, but takedowns happen after the damage has already been done. For organisations operating in the MENA region, now is a good time to revisit your email security controls and verify that your employees can reliably recognise phishing attempts.

South Africa's Xenophobia Problem Just Became a Cyber Problem Too

Following South Africa's latest round of anti-immigration protests, dubbed "March and March", hacktivist groups including Nullsec Nigeria, the 404 Crew, and Infernalis have launched a coordinated campaign targeting South African government institutions under the banner #OpSouthAfrica. The attacks are being framed as direct retaliation for the xenophobic violence, and according to the hackers' own claims, several major institutions have already been hit, including the South African Civil Aviation Authority, the South African National Space Agency, the Department of Human Settlements, and the National Housing Finance Corporation.

When tensions rise in the physical world, cyber activity follows. That means security teams need to be paying attention to the news, not just their dashboards. Organisations should review access controls for sensitive databases and make sure incident response plans are current and tested.

Zimbabwe is Waking Up to a Cybercrime Problem It Can't Ignore Anymore

Add Zimbabwe to the growing list of African countries actively grappling with a cybercrime surge they weren't quite prepared for.

Authorities in the country's ICT and security sectors are reporting a notable and accelerating rise in cyber offences, and the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) is now ramping up awareness campaigns and working closely with the Zimbabwe Republic Police to respond. Zimbabwe's internet penetration climbed from about 49% in 2015 to nearly 83% in 2025, with mobile internet following a similar trajectory. And more people online means more targets.

The key takeaway is for organisations to invest in basic security awareness training for everyone. This is because your customers, partners, and even employees may be encountering cyber threats for the first time and may not recognise them.