Run Before Review: When Trust Arrives Too Late
Poisoned extensions, malicious workflows, and trusted signatures all point to the same shift. Attackers are reaching execution before many defenders make the trust decision.
INTRODUCTION
This week’s signals are not about attackers bypassing review. They are about attackers getting execution before review ever happens.
TeamPCP reached GitHub through a poisoned VS Code extension. Megalodon pushed malicious CI/CD commits across thousands of repositories in hours. Fox Tempest turned code signing into a paid service for ransomware operators. Chinese APT clusters shared Linux backdoors across telecommunications environments where endpoint-grade visibility is often weakest.
Modern engineering environments are built to move fast, so they execute constantly. Extensions update, workflows trigger, binaries run, packages install, and infrastructure processes communicate in the background. Security review often arrives after that execution path has already opened. The attacker advantage this week was not stealth alone. It was timing.
If your controls make trust decisions after code has already run, what exactly are they protecting?
WEEKLY SIGNALS ANALYSIS
The developer toolchain has become the primary lateral movement path, not just an initial access vector. Assess whether your security monitoring covers VS Code extensions, GitHub Actions workflows, and npm postinstall scripts with the same telemetry depth you apply to endpoint detection. The GitHub breach via a poisoned extension proves the gap is real and already exploited.
Code-signing trust is now available as a criminal service, invalidating the assumption that signed binaries are safe binaries. Review your allowlisting and application control policies to ensure they do not implicitly trust all signed executables. Fox Tempest’s signing-as-a-service model means a valid signature no longer indicates a legitimate publisher.
Automated supply chain attacks now operate at speeds that exceed human review capacity. The Megalodon campaign pushed thousands of malicious commits in hours. If your dependency ingestion or CI/CD pipeline relies on manual pull-request review as the primary security gate, that gate is too slow.
Shared backdoor tooling across distinct Chinese APT groups signals industrialized espionage infrastructure. Telco and infrastructure operators should assume that compromise by one group exposes them to others sharing the same access tools. Segment detection and response by technique, not just by attributed actor.
What not to over-index on: package vulnerability scanning alone. This week’s highest-impact activity was not just vulnerable dependencies. It was malicious behavior inside extensions, CI/CD workflows, signing infrastructure, and Linux post-exploitation tooling. Scanning known packages matters, but it will not catch a workflow that executes before trust is established.
THIS WEEK’S SIGNALS
Signal 1: TeamPCP Breaches GitHub Through a Poisoned VS Code Extension
Why it matters: A threat actor group called TeamPCP compromised a Visual Studio Code extension, used it to pivot through a GitHub employee’s device, and stole approximately 4,000 internal repositories. This is not a hypothetical supply chain risk. It is a confirmed breach of one of the world’s largest code hosting platforms, achieved by exploiting the trust developers place in their own tooling.
What is being misread: The industry is framing this as a “GitHub breach,” focusing on the victim rather than the technique. The broken assumption is architectural. Organizations treat IDE extensions as productivity tools rather than executable code running with the developer’s full permissions and network access. Extension marketplaces have no security review process comparable to what enterprises demand of production software, yet extensions execute in the same trust context as the developer’s credentials and repository access.
Think Red (Douglas McKee): The ROI calculation here is trivial. A poisoned IDE extension is attractive because it lands where credentials, code, and developer context already live. One compromised extension update gives me execution inside a workflow the organization has already approved. Every auto-update becomes distribution, and every developer workstation becomes a potential bridge into private repositories. I only need one developer identity with enough repository reach to make the rest of the environment visible. The IDE is not just where code is written. It is where access is concentrated.
Act Blue (Ismael Valenzuela): The reality is that most organizations have zero visibility into what VS Code extensions are installed across their developer fleet, let alone what those extensions do at runtime. Start by inventorying installed extensions across all developer endpoints using your EDR or endpoint management tooling. Restrict extension installation to an approved list and block sideloading via Group Policy or MDM configuration. But do not stop there. Extensions that are already installed and compromised will not be caught by an allowlist alone. Deploy behavioral monitoring on developer workstations that flags unusual outbound connections from IDE processes, unexpected file access outside project directories, and credential store reads that do not align with normal git operations. The principle here is direct. If a tool has the same access as the developer, it needs the same scrutiny as the developer.
Sources:
Dark Reading: GitHub confirmed a data breach involving the theft of thousands of developer code repositories, with TeamPCP taking credit
Signal 2: Megalodon Automates CI/CD Poisoning Across 5,561 GitHub Repositories in Six Hours
Why it matters: A campaign dubbed Megalodon pushed 5,718 malicious commits into 5,561 GitHub repositories within a six-hour window, using throwaway accounts and forged bot identities to inject malicious CI/CD workflows designed to steal cloud credentials. This demonstrates that supply chain poisoning has reached industrial automation scale, where human review processes cannot keep pace.
What is being misread: Most defenders still think of supply chain attacks as targeted operations against specific high-value packages. Megalodon inverts that model. It operates at volume, betting that even a small percentage of repositories with auto-merge or weak branch protection will execute the malicious workflow. The broken design assumption is that GitHub Actions and CI/CD pipelines enforce the same trust boundary as the repository itself. They do not. In weakly configured repositories, external contributions and automated workflow triggers can become execution paths before a trusted maintainer has reviewed the change.
Think Red (Douglas McKee): Volume changes the math. Five thousand repositories in six hours turns CI/CD abuse into a probability game, not a precision operation. I use bot-like accounts, forged commit identities, and malicious workflows because the target’s automation moves faster than its reviewers. One exposed cloud token, one secret, or one deploy credential is enough to make the campaign worth running. At this scale, success is not about picking the perfect target. It is about making human review mathematically irrelevant.
Act Blue (Ismael Valenzuela): GitHub Actions workflows that trigger on pull_request_target from forks represent an architectural exposure that most teams have never audited. Immediately review all repository workflow configurations and restrict fork-based workflow execution. Set GITHUB_TOKEN permissions to read-only by default and require explicit elevation. Enable branch protection rules that prevent direct pushes and require status checks from trusted sources only. But do not stop there. Monitor your CI/CD runner logs for credential access patterns that deviate from normal build behavior, particularly outbound connections to unfamiliar endpoints during build execution. Set up alerts for bulk commit activity from accounts with bot-like naming conventions across your organization’s repositories. The lesson is clear. If your pipeline executes code before a human approves it, your pipeline is an attacker’s execution environment.
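An added example (not the newsletter's or GitHub's own tooling) that turns the audit above into code: it takes a GitHub Actions workflow already parsed from YAML into a Python dict (for instance with PyYAML) and flags a pull_request_target trigger, a GITHUB_TOKEN that is not explicitly read-only, and, going one step beyond the text, a checkout of the pull request's head inside that privileged job, which is what lets fork code run with base-repository secrets. The WEAK and HARDENED workflows are constructed samples.

```python
WRITE_PERMS = {"write", "write-all"}

def triggers(workflow):
    """Normalise `on:` (string, list or mapping) to a set of event names.
    PyYAML reads a bare `on` key as boolean True, so accept both spellings."""
    on = workflow.get("on", workflow.get(True))
    if isinstance(on, str):
        return {on}
    return set(on) if isinstance(on, (list, dict)) else set()

def token_is_write(perms):
    """True unless GITHUB_TOKEN permissions are explicitly read-only.
    A missing block inherits the repository default, which may still be write."""
    if perms is None:
        return True
    if isinstance(perms, str):
        return perms in WRITE_PERMS
    return any(v in WRITE_PERMS for v in perms.values())

def audit(workflow):
    """Return findings for one parsed workflow; an empty list means clean."""
    findings = []
    if "pull_request_target" not in triggers(workflow):
        return findings
    findings.append("pull_request_target: fork PRs run with the base repo's secrets")
    if token_is_write(workflow.get("permissions")):
        findings.append("no read-only top-level permissions: GITHUB_TOKEN may write")
    for job in (workflow.get("jobs") or {}).values():
        for step in job.get("steps") or []:
            uses = str(step.get("uses", ""))
            ref = str((step.get("with") or {}).get("ref", ""))
            if uses.startswith("actions/checkout") and "pull_request.head" in ref:
                findings.append("checks out the untrusted PR head inside that privileged job")
    return findings

# Constructed samples: the exposed pattern beside its hardened counterpart.
WEAK = {
    "on": {"pull_request_target": {}},
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"run": "npm ci && npm test", "env": {"CLOUD_KEY": "${{ secrets.CLOUD_KEY }}"}},
    ]}},
}
HARDENED = {
    "on": {"pull_request": {}},
    "permissions": {"contents": "read"},
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"}, {"run": "npm ci && npm test"},
    ]}},
}
```

Run `audit()` over every file under `.github/workflows/` after loading it with a YAML parser; the HARDENED shape (plain pull_request trigger, read-only token) produces no findings.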
Sources:
The Hacker News: Megalodon campaign pushed 5,718 malicious commits to 5,561 GitHub repositories within a six-hour window using throwaway accounts and forged identities
Signal 3: Fox Tempest Operationalizes Malware-Signing-as-a-Service for Ransomware Distribution
Why it matters: Microsoft exposed Fox Tempest, a financially motivated threat actor running a malware-signing-as-a-service operation that weaponized Microsoft’s own Artifact Signing system. Multiple ransomware operators, including Vanilla Tempest and Storm groups, purchased signing services from Fox Tempest to make their payloads appear legitimate. This converts code-signing trust from a security control into an attacker commodity.
What is being misread: Security teams treat code signing as a strong trust indicator. Application allowlisting, SmartScreen, and endpoint protection all grant elevated trust to signed binaries. The architectural flaw is that code-signing validation checks whether a signature is technically valid, not whether the signer is trustworthy. Fox Tempest exploited this gap by signing malware with legitimate certificates obtained through abuse of the signing infrastructure. The result is that a “signed” binary provides almost no assurance about intent.
Think Red (Douglas McKee): Code signing gives me something more useful than stealth. It gives me legitimacy at the exact moment your controls are deciding whether to trust the binary. A signed payload gets treated differently by users, operating systems, and security tools because the signature lowers friction. I am not trying to be invisible forever. I am trying to survive the first execution decision. The signature is not proof of safety. It is a receipt for access to your assumptions.
Act Blue (Ismael Valenzuela): The uncomfortable truth is that most application control and allowlisting policies were built on the assumption that a valid code signature equals a trustworthy publisher. That assumption is now operationally broken. Audit your allowlisting rules to identify any that permit execution based solely on signature validity without restricting to specific known publisher identities. Tighten App Control for Business (WDAC or AppLocker, where you have not yet migrated) policies to require publisher-level restrictions, not just “signed” status. But do not stop there. Implement runtime behavioral monitoring that evaluates what signed processes actually do after execution, not just whether they were allowed to run. Flag signed binaries that exhibit behaviors inconsistent with their declared purpose, such as network reconnaissance, credential access, or lateral movement tooling. Signing is an identity claim. Treat it like any other identity claim and verify the behavior behind it.
Sources:
Microsoft Security Blog: Fox Tempest operates a malware-signing-as-a-service operation using Microsoft’s Artifact Signing system, serving ransomware operators including Vanilla Tempest and Storm groups
Signal 4: Chinese APT Clusters Share “Showboat” Linux Backdoor Across Central Asian Telco Targets
Why it matters: Multiple Chinese-aligned APT groups have deployed a shared Linux backdoor called Showboat against telecommunications providers in Central Asia and the Middle East, alongside a Windows counterpart dubbed JFMBackdoor. The sharing of modular post-exploitation tooling across distinct groups signals an industrialized espionage supply chain where access and capability are pooled rather than siloed by individual mandates.
What is being misread: Attribution-focused defense leads teams to track individual APT groups and build detections around group-specific TTPs. When multiple groups share the same backdoor, detections keyed to a single actor’s behavioral profile miss the others. The architectural blind spot is deeper. Telco Linux infrastructure, particularly systems running billing, call routing, and subscriber databases, often sits outside the scope of enterprise EDR because it runs on hardened or embedded Linux distributions that agents do not support. Defenders assume these systems are protected by network segmentation, but Showboat’s SOCKS5 proxy capability is specifically designed to tunnel through segmented environments.
Think Red (Douglas McKee): Telco Linux systems are valuable because the server is only part of the prize. The real value is the traffic, routing context, subscriber data, and access paths that system can expose. Showboat gives me a modular framework, and the SOCKS5 capability turns segmentation into a tunnel instead of a wall. Durable positioning on a system defenders monitor less aggressively than its importance deserves is enough to create long-term leverage. In telecom, the machine is not the target. The paths through it are.
Act Blue (Ismael Valenzuela): Critical infrastructure operators need to confront the reality that their Linux fleet is likely the least monitored part of their environment, despite being the most valuable to nation-state adversaries. Deploy or extend EDR coverage to Linux systems where supported, particularly those handling call data records, subscriber databases, network routing, OT process control, or grid telemetry. For hardened or embedded Linux that does not accept EDR agents, invest in network-layer telemetry and host instrumentation such as auditd, eBPF, or Sysmon for Linux. Prioritize detection of SOCKS5 proxy establishment and unexpected outbound tunneling from systems that should only communicate within defined network segments. But do not stop there. Develop detection logic based on the shared tooling indicators rather than individual actor attribution. Hunt for Showboat’s modular loader behavior, unusual shared library injection, and certificate reuse patterns documented by researchers. When adversaries pool their tools, defenders must pool their detections. Attribution tells you who is interested. Technique detection tells you who is inside.
Sources:
Bleeping Computer: Chinese cyber-espionage campaign targeting telecommunications providers with newly discovered Linux and Windows malware dubbed Showboat and JFMBackdoor
Dark Reading: Multiple Chinese APTs share the Showboat Linux backdoor in attacks against Central Asian telecommunications providers
The Hacker News: Showboat is a modular post-exploitation framework for Linux systems with SOCKS5 proxy backdoor capability, active since at least mid-2022
MEME OF THE WEEK
Your security architecture trusts everything that is signed, everything that runs in CI, and everything installed from a marketplace. This week, adversaries exploited all three.
ROLE-BASED TAKEAWAYS
Executive / CISO / Board Level
Developer tooling is now a confirmed breach vector for platform-scale incidents. The GitHub breach via a poisoned VS Code extension resulted in 4,000 internal repositories being stolen. Brief the board that development environment security requires the same investment and governance as production infrastructure.
Code-signing trust has been commoditized. Fox Tempest’s signing-as-a-service operation means ransomware payloads now arrive with valid signatures. Existing application control policies built on “trust signed software” need re-evaluation and budget allocation for behavioral-based controls.
Supply chain attack automation has crossed the threshold where manual review is insufficient. Megalodon’s 5,561-repo attack in six hours demonstrates that human-gated code review cannot keep pace. Invest in automated CI/CD security controls and restrict pipeline execution permissions at the platform level.
Enterprise Architect
Design Principle Impact: The implicit trust boundary around developer tooling, including IDE extensions, CI/CD runners, and package managers, must be reclassified as an untrusted execution environment. Architect controls that treat build infrastructure with the same zero-trust posture applied to production workloads.
New Constraint/Dependency: Code-signing validation must now include publisher identity verification and post-execution behavioral analysis, not just signature validity. Application control architectures that rely on “signed equals trusted” require a supplementary behavioral layer.
Telemetry parity across operating systems is a hard requirement. Linux infrastructure, particularly hardened or embedded systems supporting critical functions, cannot remain outside the EDR or host-instrumentation perimeter.
Security Operations
Implementation Watch Item: Monitor for bulk commit activity across organizational GitHub repositories from accounts with bot-like naming patterns (build-bot, auto-ci, ci-bot, pipeline-bot). The Megalodon campaign used these exact conventions.
Common Failure Mode: CI/CD workflows configured with pull_request_target that execute on fork-based pull requests without restricting permissions. This is the exact configuration Megalodon exploited at scale.
Monitoring Patterns: Watch for VS Code extension processes making outbound connections to unfamiliar domains, particularly during off-hours. On Linux infrastructure, hunt for SOCKS5 proxy establishment from processes that should not be performing network tunneling, and monitor for unexpected shared library injection consistent with Showboat’s loader behavior.
Signal vs Noise Guidance: A signed binary executing reconnaissance commands (net group, nltest, whoami /all) is a genuine threat indicator this week given Fox Tempest’s signing service. Do not dismiss alerts on signed processes exhibiting post-exploitation behavior. Conversely, a single failed fork-based PR to a public repository is noise. The signal is volume, specifically multiple rapid PRs from newly created accounts targeting CI-enabled repositories.
Take the adversary by surprise: Create a controlled CI/CD “tripwire workflow” that should never execute from an external fork or newly created account. It should contain no real secrets, but it should emit high-fidelity alerts when triggered. The goal is not to bait attackers with fake data. It is to detect unauthorized workflow execution before the same pattern reaches production repositories.
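An added example (not the newsletter's own detection logic) for the "bulk commit activity" watch item and the "signal is volume" guidance above: it groups constructed audit events by actor and alerts only when an account with a bot-like name or a newly created account touches many distinct repositories inside a six-hour window, so a single PR from one such account stays noise. The name regex, thresholds and event layout are assumptions to tune against your own GitHub audit log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Heuristics drawn from the pattern above: bot-like names, fresh accounts, many repos fast.
BOT_NAME = re.compile(r"(^|[-_])(bot|ci|auto|pipeline)([-_]|\d*$)", re.I)
WINDOW = timedelta(hours=6)   # Megalodon's whole run fit in six hours
MIN_REPOS = 5                 # distinct repositories touched inside one window
NEW_ACCOUNT_DAYS = 7          # what counts as a "newly created" account

# Constructed sample audit events: (timestamp, actor, account_created, repository).
EVENTS = [
    ("2025-06-02T09:00:00Z", "ci-bot-3391", "2025-06-01", "org/app-a"),
    ("2025-06-02T09:03:00Z", "ci-bot-3391", "2025-06-01", "org/app-b"),
    ("2025-06-02T09:07:00Z", "ci-bot-3391", "2025-06-01", "org/app-c"),
    ("2025-06-02T10:20:00Z", "ci-bot-3391", "2025-06-01", "org/infra"),
    ("2025-06-02T12:45:00Z", "ci-bot-3391", "2025-06-01", "org/docs"),
    ("2025-06-02T09:30:00Z", "alice", "2019-03-12", "org/app-a"),
    ("2025-06-02T11:00:00Z", "alice", "2019-03-12", "org/app-b"),
    ("2025-06-02T14:00:00Z", "build-bot", "2025-05-30", "org/app-a"),  # one PR: noise
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def suspicious_actor(actor, created, first_seen):
    """Bot-like name or account younger than NEW_ACCOUNT_DAYS at first activity."""
    age = first_seen - parse(created + "T00:00:00Z")
    return bool(BOT_NAME.search(actor)) or age.days < NEW_ACCOUNT_DAYS

def find_bursts(events):
    """Return (actor, repo_count) for each suspicious actor that touched
    MIN_REPOS or more distinct repositories inside any WINDOW-long span."""
    by_actor = defaultdict(list)
    for ts, actor, created, repo in events:
        by_actor[actor].append((parse(ts), created, repo))
    alerts = []
    for actor, evs in by_actor.items():
        evs.sort()
        for i, (t0, created, _) in enumerate(evs):
            repos = {r for t, _, r in evs[i:] if t - t0 <= WINDOW}
            if len(repos) >= MIN_REPOS and suspicious_actor(actor, created, t0):
                alerts.append((actor, len(repos)))
                break
    return alerts

if __name__ == "__main__":
    print(find_bursts(EVENTS))  # [('ci-bot-3391', 5)]
```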
See you next Monday!
The Monday Brief is produced by Douglas McKee and Ismael Valenzuela. The opinions expressed are our own and do not reflect those of our employers.