Laptop screen showing lines of code in a dark room

Today in Surveillance:

  • GitHub confirmed hackers stole 3,800 internal repositories. A poisoned VS Code extension (Nx Console) gave TeamPCP access to GitHub's own private codebase. The group is selling the data for $95,000. The same supply chain worm already hit OpenAI, Mistral AI, and Grafana Labs.
  • Syracuse unanimously banned facial recognition in businesses. Grocery stores, retail shops, and other public-facing establishments can no longer scan your face in New York's fifth-largest city. Financial institutions are exempt.
  • Louisiana unanimously passed a comprehensive privacy law. SB-386 gives consumers the right to access, correct, and delete their data. Takes effect January 1, 2027. Louisiana becomes the 23rd state with comprehensive privacy protections.
  • DragonForce is leaking 1,000 lines of patient data per day from AdvancedHEALTH. The ransomware group claims 2.3 million lines of records including minors' medical information from a network of 550+ healthcare providers.
  • FISA Section 702 expires in 21 days. The House is expected to bring two competing reform bills to a floor vote next week. Neither includes a warrant requirement.

GitHub Got Hacked Through Its Own Developer Tools. 3,800 Repositories Stolen.

GitHub confirmed on May 20 that the hacking group TeamPCP breached its internal codebase and exfiltrated approximately 3,800 private repositories. The attack vector: a poisoned VS Code extension that a GitHub employee installed on their work machine [1][2].

The compromised extension was Nx Console (nrwl.angular-console, version 18.95.0), published on May 18. When installed, it deployed Mini Shai-Hulud, a self-replicating supply chain worm that steals CI/CD credentials and uses them to publish infected versions of further packages. The worm was first documented in 2025, but TeamPCP's adapted version largely automates the cascade [1][3][4].

This isn't an isolated attack. The Nx Console compromise traces back to the TanStack supply chain attack earlier this month. Other confirmed victims include OpenAI, Mistral AI, and Grafana Labs. TeamPCP (also tracked as UNC6780) specializes in targeting open-source security utilities and AI middleware, meaning the tools developers trust most are the ones being weaponized [3][4].

GitHub says customer data wasn't affected and the breach was limited to internal repositories. TeamPCP is selling the stolen data for $95,000 and threatening to leak it if no buyer materializes [1][2].

The surveillance angle here is structural. Every supply chain compromise turns trusted software into a potential surveillance vector. When the tools you use to build software are themselves compromised, the entire downstream ecosystem, from enterprise apps to government systems, becomes vulnerable to data exfiltration.

Related: TeamPCP's Earlier PyPI Supply Chain Attack | 2026 Supply Chain Attack Tracker

Syracuse Just Banned Facial Recognition in Businesses. Your Grocery Store Can't Scan You Anymore.

Syracuse's Common Council voted unanimously on May 19 to ban biometric surveillance in businesses open to the public. The "Biometric Surveillance Law" prohibits any system capable of identifying people through facial recognition, retina scans, movement patterns, or other biometric data [5][6].

Syracuse is now the second municipality in New York with a facial recognition ban for businesses. The law specifically targets grocery stores, retail settings, and other public-facing establishments, the exact places where companies like Rite Aid and Wegmans have been quietly rolling out facial recognition systems [5][7].

Financial institutions are exempt. The law now goes to Mayor Sharon Owens, who must hold a public hearing before deciding whether to sign [6].

The council modeled its law on a proposed statewide ban introduced by state Senator Rachel May (D-Syracuse). Councilors and cybersecurity experts cited privacy risks, data breach exposure, and the documented problem of misidentification: facial recognition systems consistently perform worst on people of color, women, and children [5][6][7].

This is part of a growing wave. New York City is weighing sweeping restrictions on private sector biometric surveillance. The state Senate passed a Facial Recognition Technology Study Act. And yesterday's briefing covered the New York Biometric Privacy Act advancing through committee. New York is building a regulatory wall against biometric surveillance piece by piece.

Related: Disney Facial Recognition Class Action

Louisiana Unanimously Passes Privacy Law. That's 23 States Now.

The Louisiana legislature passed SB-386, the Louisiana Data Privacy Act, with a 34-0 Senate vote concurring with House amendments on May 20. If signed by the governor, Louisiana becomes the 23rd state with a comprehensive consumer privacy law [8][9].

The law gives residents the right to access, correct, and delete their personal data. They can opt out of data sales, targeted advertising, and profiling that produces significant legal effects. Companies can't sell sensitive personal data without prior consent [8][9].

It applies to businesses with annual gross revenues exceeding $25 million, those processing data from 75,000+ consumers, or those deriving 50% or more of revenue from data sales. The attorney general enforces violations. Effective January 1, 2027 [8].

The unanimous vote is notable. Privacy legislation usually faces industry opposition. Louisiana's bill sailed through both chambers without a single dissent, a signal that even in conservative states, voter frustration over data exploitation is outpacing corporate lobbying.

Three years ago, only five states had comprehensive privacy laws. Now 23 do, with several more in active consideration. The federal government still has nothing. The SECURE Data Act would actually preempt these state protections. The states aren't waiting.

A Ransomware Group Is Leaking Patient Records From 550 Healthcare Providers. Daily.

DragonForce claimed on May 16 that it exfiltrated 390 GB of data from AdvancedHEALTH, a network of over 550 healthcare providers. The group says it holds 2.3 million lines of patient information, including records tied to 83,162 minors [10][11].

The threat: DragonForce is publishing 1,000 lines of patient data per day until payment is made or the deadline expires. The data allegedly includes full patient records, partner agreements, payroll data, and HR files [10][11][12].

AdvancedHEALTH hasn't officially confirmed a breach, but at least one affiliated clinic has notified patients. Class-action attorneys at ClassAction.org are already investigating and seeking affected patients and employees [10].

This follows the pattern set by ShinyHunters with Canvas and Medtronic earlier this month. Ransomware groups are increasingly using slow-drip data releases to pressure victims rather than one-time publication threats. The psychological pressure on healthcare organizations with minor patients' records at stake is obvious and deliberate. It is part of a wider healthcare ransomware epidemic that exposed tens of millions of patients.

If your healthcare provider uses AdvancedHEALTH's network, assume your data may be compromised. Monitor credit reports. Place fraud alerts. Freeze minor children's credit files, something you should do regardless, since children's credit records are prime identity theft targets.

21 Days Until Section 702 Expires. Congress Has Two Bills and No Agreement.

The 45-day FISA Section 702 extension that Congress passed on April 30 expires June 12. Three weeks out, the House is expected to bring two competing bills to the floor next week: the Protect Liberty and End Warrantless Surveillance Act and the FISA Reform and Reauthorization Act [13][14].

Neither bill includes what privacy advocates actually want: a probable cause-based warrant requirement before the government can search Americans' communications collected under Section 702. The bipartisan Government Surveillance Reform Act, introduced by Senators Wyden and Lee with Representatives Lofgren and Davidson, includes that warrant requirement and closes the data broker loophole. But leadership hasn't brought it up for a vote [13][14][15].

Meanwhile, the FBI confirmed in March that it's actively purchasing Americans' location data from data brokers, no warrant needed. FBI Director Kash Patel told the Senate Intelligence Committee that the bureau buys "commercially available information" for investigations, including location histories from vendor Venntel [16].

The March FISA Court opinion (declassified as part of the April extension deal) revealed that the problem isn't limited to the FBI. The court found that improper filtering of Americans' communications from Section 702 queries extends "across the intelligence community" [13].

The question is whether Congress will pass meaningful reform or just do another clean extension. History says they'll punt. But 21 days is 21 days.

Related: FISA 702 Extension Analysis | Government Surveillance Reform Act Breakdown | The Data Broker Loophole Explained

What to Watch

  • FISA Section 702 floor votes expected next week. The House Rules Committee must set the terms. Watch whether the warrant amendment gets a standalone vote or gets buried. Our coverage.
  • May 29 state legislative deadline looms. New York's Biometric Privacy Act (S1422), California's surveillance pricing ban (AB 2564), and New Jersey's biometric protections all need to clear their chambers of origin by the 29th.
  • DragonForce daily leaks continue. The AdvancedHEALTH data drip is ongoing. Patient notification obligations will trigger once the breach is officially confirmed.
  • GitHub supply chain fallout. The Mini Shai-Hulud worm is still propagating. More victims beyond OpenAI, Mistral, and Grafana are likely. Check your VS Code extensions.
  • Disney facial recognition hearing date pending. No date set in the $5M class action. Full report.

Sources

  1. Help Net Security: TeamPCP breached GitHub's internal codebase via poisoned VS Code extension (May 20, 2026)
  2. The Record: GitHub confirms being hacked by TeamPCP, says customer data unaffected (May 2026)
  3. The Hacker News: GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension (May 2026)
  4. VentureBeat: GitHub confirms 3,800 internal repos stolen through poisoned VS Code extension (May 2026)
  5. GovTech: Syracuse, N.Y., Bans Facial Recognition Tech by Businesses (May 2026)
  6. CNY Central: Syracuse Common Council unanimously passes law banning business biometric surveillance (May 2026)
  7. Central Current: Syracuse lawmakers pass law banning biometric surveillance in public places (May 2026)
  8. Privacy Daily: Louisiana Legislature Unanimously Passes Comprehensive Privacy Bill (May 20, 2026)
  9. LegiScan: Louisiana SB386: Louisiana Data Privacy Act (2026)
  10. ClassAction.org: Possible AdvancedHEALTH Data Breach Reported; Attorneys Investigating (May 2026)
  11. TechRepublic: AdvancedHEALTH Ransomware Claim Includes 2.3M Patient Data Lines (May 2026)
  12. Security Boulevard: Multiple US Healthcare Data Breaches Expose Millions of Patient Records (May 2026)
  13. Security Boulevard: Congress Punts FISA Section 702 Renewal to June (May 2026)
  14. EPIC: FISA Section 702: Reform or Sunset (2026)
  15. Senator Wyden: Government Surveillance Reform Act Introduction (2026)
  16. TechCrunch: FBI is buying location data to track US citizens, director confirms (March 18, 2026)