North America
GitHub repositories
More than 5,000 GitHub repositories were impacted by an automated malicious campaign dubbed “Megalodon,” which used fake pull requests to steal sensitive information.
Supply-chain attacks targeting open-source JavaScript and Python repositories continue to surge. One recent incident prompted Microsoft-owned GitHub to warn that attackers had stolen around 3,800 internal repositories after a developer installed a poisoned Visual Studio Code extension. The supply-chain hacking group TeamPCP claimed responsibility for the attack.
Rather than modifying application code directly, the campaign inserted a malicious workflow file into repositories through GitHub Actions, GitHub’s cloud-based CI/CD platform for building, testing and deploying software. In total, the Megalodon campaign reportedly executed 5,718 malicious commits across 5,561 repositories within six hours.
How it could affect your business
Once a repository owner merges a malicious commit, the malware can execute within the CI/CD pipeline and potentially spread further across connected environments. As supply-chain attacks continue to surge, organizations should strengthen code review processes, verify third-party dependencies and continuously monitor development pipelines for suspicious activity and unauthorized workflow changes.
Europe
Unimed
German university hospitals are grappling with a large-scale patient data breach after unknown hackers targeted an external billing service provider used by medical centers across the country.
The breach reportedly affected Unimed, a company that manages billing services for privately insured and self-paying patients on behalf of numerous German hospitals. According to reports, the attack occurred in mid-April and impacted tens of thousands of patients connected to university hospitals in Cologne, Freiburg, Ulm, Heidelberg and Tübingen.
The compromised data reportedly includes names, addresses, physician information, health-related communications with the billing provider and bank and payment details.
How it could affect your business
Health care data breaches like this can expose highly sensitive personally identifiable information (PII) and protected health information (PHI), increasing the risk of identity theft, insurance fraud and targeted phishing attacks. Health care organizations should strengthen third-party security oversight, enforce strict access controls, continuously monitor for suspicious activity and ensure sensitive patient data is encrypted and securely segmented.
North America
Beacon Mutual Insurance Company
Beacon Mutual Insurance Company, a leading workers’ compensation insurer based in Rhode Island, has begun notifying individuals whose personal information was exposed in a recent ransomware attack.
The company detected the attack on January 14, 2026, and an investigation later revealed that attackers had access to certain systems between January 7 and January 14. During that time, threat actors reportedly copied data files containing sensitive information such as names, Social Security numbers, driver’s license numbers, financial account details, health insurance information and medical treatment records.
Approximately 162,000 individuals may have been affected, including more than 131,000 Rhode Island residents. Beacon Mutual said it is notifying impacted individuals and urged anyone who believes they may be affected to contact the company.
How it could affect your business
Exposure of financial, medical and identity-related data can significantly increase the risk of fraud, identity theft and targeted phishing attacks. Organizations handling sensitive customer information should strengthen network monitoring, enforce strict data access controls and maintain encrypted, segmented storage environments to reduce the impact of breaches.
North America
American Lending Center
American Lending Center, a California-based non-bank lender specializing in loans for small businesses and startups, reported a ransomware attack that compromised the sensitive personal information of 123,158 individuals.
The breach was discovered on July 27, 2025, and an investigation later determined that attackers had access to files between July 24 and July 30, 2025. The exposed data may include names, dates of birth and Social Security numbers. The forensic investigation was not completed until April 8, 2026, nearly nine months after the incident was first identified.
No known ransomware group has publicly claimed responsibility for the attack, suggesting either that a ransom was paid or that the responsible actors do not operate a public leak site.
How it could affect your business
Ransom payments do not guarantee that attackers will keep their word or permanently delete stolen data, making prevention and recovery readiness critical. Organizations should invest in proactive threat monitoring, maintain encrypted, regularly tested backups and ensure they have a strong business continuity and disaster recovery (BCDR) plan in place to recover quickly without relying on attackers.
North America
Grafana Labs
Grafana Labs, the company behind the AI-powered analytics and visualization platform Grafana, disclosed that a threat actor exploited a misconfigured GitHub Actions workflow, a class of vulnerability known as a “Pwn Request,” to steal a privileged GitHub App token. The exploit reportedly enabled the attacker to exfiltrate private source code and attempt to extort the company.
In a series of posts on X (formerly Twitter), Grafana Labs said an unauthorized party obtained a token that granted access to its GitHub environment and allowed source code downloads. A Pwn Request is a CI/CD vulnerability in GitHub Actions workflows in which untrusted code from external contributors is automatically executed, potentially exposing repository secrets and granting attackers write permissions.
The attack was publicly claimed by Coinbase Cartel, a data theft and extortion group reportedly linked to the SLSH ecosystem. According to reports, the group demanded a ransom, which Grafana Labs refused to pay, citing FBI guidance that ransom payments do not guarantee the return or deletion of stolen data.
How it could affect your business
Misconfigured CI/CD workflows can give attackers direct access to sensitive repositories, secrets and development environments. Organizations should review GitHub Actions permissions, restrict execution of untrusted code, continuously monitor CI/CD pipelines and enforce least-privilege access controls to reduce the risk of supply-chain compromise.
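The two workflow-related incidents above (the Megalodon campaign inserting workflow files through pull requests, and the Pwn Request pattern behind the Grafana Labs breach) both come down to checks a repository owner can automate. The following is an added example, not code from the original article or from GitHub or Grafana Labs: stdlib-only Python heuristics that audit a workflow file's text for the Pwn Request pattern and over-broad token permissions, and flag pull requests from non-trusted authors that touch workflow files. The sample workflows and the `TRUSTED` set (based on GitHub's `author_association` values) are constructed for illustration.

```python
# Added example, not code from the original article: stdlib-only heuristics that
# audit GitHub Actions workflow text and flag PRs touching workflow files.
import re

PRIVILEGED_TRIGGER = re.compile(r"^\s*(pull_request_target|workflow_run)\s*:", re.M)
UNTRUSTED_HEAD = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref")
WRITE_ALL = re.compile(r"^\s*permissions:\s*write-all\b", re.M)
TRUSTED = {"OWNER", "MEMBER", "COLLABORATOR"}  # GitHub author_association values

def audit_workflow(text):
    """Return finding strings for one workflow file's text (constructed heuristics)."""
    findings = []
    # Pwn Request: pull_request_target/workflow_run run in the base repo's context
    # (secrets, write-capable GITHUB_TOKEN) while checking out the untrusted PR head.
    if PRIVILEGED_TRIGGER.search(text) and UNTRUSTED_HEAD.search(text):
        findings.append("pwn-request: privileged trigger checks out PR head")
    if WRITE_ALL.search(text):
        findings.append("permissions: write-all gives the job token full write")
    return findings

def workflow_change_needs_review(changed_files, author_association):
    """True when a PR from a non-trusted author modifies CI workflow files."""
    touches_ci = any(p.startswith(".github/workflows/") for p in changed_files)
    return touches_ci and author_association not in TRUSTED

# Constructed sample: the weak pattern (privileged trigger + untrusted checkout).
VULNERABLE = """\
on:
  pull_request_target:
permissions: write-all
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""

# Constructed sample: the corrected form (unprivileged trigger, read-only token).
HARDENED = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""
```

Running `audit_workflow` over every file under `.github/workflows/` in a pre-merge check, and `workflow_change_needs_review` over the PR's changed-file list, turns the recommendations above into a gate rather than a manual review step.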