Close-up of a brass padlock resting on an illuminated green circuit board

Today in Surveillance:

  • CISA left its passwords on GitHub for six months. A contractor at Nightwing stored 844 MB of plaintext credentials (AWS GovCloud keys, GitHub tokens, deploy secrets) in a public repo called "Private-CISA." GitGuardian found it. Congress is demanding answers.
  • Laravel-Lang PHP packages were hijacked to steal everything. Attackers rewrote all 233 existing git tags across four popular Composer packages, injecting a credential stealer that scrapes cloud keys, CI/CD tokens, SSH material, crypto wallets, and browser data. Over 700 GitHub repos impacted.
  • Megalodon poisoned 5,500+ GitHub repos in six hours. An automated campaign pushed 5,718 malicious commits using forged identities, injecting GitHub Actions workflows that exfiltrate CI secrets and cloud credentials to a command-and-control server.
  • DHS says ICE has "no relationship" with spyware maker Paragon. But the department won't clarify whether ICE still has access to Paragon's phone-hacking tools through a third party. ICE reactivated the contract last year, then terminated it, allegedly.
  • London police used live facial recognition at protests for the first time. 80,000+ people were scanned at dueling marches on May 16. Big Brother Watch called it "a frightening escalation."
  • NYC Health + Hospitals breach exposed fingerprints of 1.8 million people. You can change a password. You can't change a fingerprint.

CISA Left Its Passwords on GitHub. For Six Months.

The agency that tells every other organization in America to use strong passwords and rotate credentials left its own on a public GitHub repository for half a year [1][2].

A contractor at Nightwing (a government services firm based in Dulles, Virginia) maintained a public GitHub repository called "Private-CISA" that contained 844 MB of plaintext credentials, internal documentation, Kubernetes configurations, and operational scripts for the Cybersecurity and Infrastructure Security Agency. The repo was created on November 13, 2025. It wasn't taken offline until May 15, 2026, roughly 26 hours after GitGuardian researcher Guillaume Valadon discovered it [1][2][3].

What was in there: AWS GovCloud access keys, GitHub tokens, deploy secrets, SSH keys, plain-text passwords, and files detailing how CISA builds, tests, and deploys software internally. The contractor was syncing files between a work laptop and a home computer. They'd also disabled GitHub's default setting that blocks publishing of secrets, meaning they had to actively override a safety mechanism to make this leak possible [1][2].

Krebs on Security reported that Congress is now demanding answers. Gizmodo called it "the worst leak that I've witnessed," a quote from a cybersecurity industry source. The Register noted the filenames were "incredibly obvious," you didn't need special tools to know what you were looking at [2][3][4].

CISA publishes binding operational directives telling federal agencies to implement credential rotation, secrets management, and zero-trust architecture. Its own contractor kept passwords in a public repo named "Private" with no apparent irony.

What you should do: If your organization works with CISA systems or has shared credentials with the agency, treat those credentials as compromised and rotate immediately.

Laravel-Lang PHP Packages Hijacked: Every Tag Rewritten to Steal Your Cloud Keys

On May 22, a threat actor compromised four widely-used Composer packages maintained by the Laravel-Lang organization (laravel-lang/lang, laravel-lang/attributes, laravel-lang/http-statuses, and laravel-lang/actions) by rewriting every existing git tag to point at malicious commits [5][6][7].

This wasn't the usual "publish a new bad version" supply chain attack. The attacker rewrote all 233 existing version tags, meaning developers who had pinned a specific "safe" version and ran composer update would get compromised code without the version number changing. Aikido Security, which detected the attack, found more than 700 versions associated with the poisoned packages [5][6].

The payload is a file called src/helpers.php added to the Composer autoload map. Every Laravel and Symfony application loads vendor/autoload.php on startup, so the malicious code runs automatically. It reaches out to flipboxstudio.info, downloads a cross-platform second stage, and deploys a credential stealer that scrapes: AWS, GCP, and Azure cloud keys; Kubernetes and Vault secrets; CI/CD tokens including GITHUB_TOKEN; SSH keys and deploy credentials; environment files; browser data and password manager vaults; crypto wallets; and messaging tokens [5][6][7].

This is the fifth major supply chain attack we've covered this month, after TeamPCP, Bitwarden CLI, and others. The pattern is accelerating: attackers are targeting dependency ecosystems because one compromised package can propagate to thousands of applications.

If you use Laravel-Lang packages: Check your composer.lock immediately. Look for src/helpers.php in your vendor directory. Rotate any credentials that may have been accessible in your CI/CD environment. StepSecurity and Snyk have published detailed advisories [6][7].

Megalodon: 5,718 Malicious Commits Pushed to 5,500+ GitHub Repos in Six Hours

On May 18, an automated attack campaign called Megalodon pushed 5,718 malicious commits to 5,561 GitHub repositories between 11:36 a.m. and 5:48 p.m. UTC, a six-hour window [8][9].

Using throwaway accounts with forged author identities (build-bot, auto-ci, ci-bot, pipeline-bot), the attacker injected GitHub Actions workflows containing base64-encoded bash payloads. When triggered, these workflows exfiltrate CI secrets, cloud credentials, SSH keys, OIDC tokens, and source code secrets to a command-and-control server at 216.126.225.129:8443 [8][9].

Two payload variants were deployed. The mass variant adds a new workflow triggered on every push and pull request, maximizing automated execution. A targeted variant replaces existing workflows with dormant backdoors that the attacker can fire on demand via the GitHub API [8][9].

The damage went beyond individual repos. At least one maintainer (unaware their Tiledesk repositories were poisoned) published nine compromised package versions to npm, propagating the backdoor into the package registry. That's the nightmare scenario: a GitHub repo attack that crosses the boundary into a published package [8].

DHS Says ICE Has "No Relationship" With Spyware Maker Paragon. The Denials Don't Add Up.

NPR reported on May 22 that the Department of Homeland Security says ICE has "no current contract or relationship" with Paragon Solutions, the Israeli company that makes commercial spyware capable of remotely hacking cell phones [10][11].

The timeline tells a different story. ICE reactivated a previously paused contract with Paragon last year. In an April 1 letter to lawmakers, ICE's then-acting Director Todd Lyons acknowledged he had approved Homeland Security Investigations to use a commercial spyware tool against foreign terrorist organizations and fentanyl traffickers. Then the contract was supposedly terminated [10][11].

Advocates told NPR they still have questions about what "terminated" means in practice. DHS declined to clarify whether ICE can still access Paragon's tools through a third party. That's a significant gap: government agencies regularly access surveillance capabilities through intermediaries and subcontractors, and a "terminated contract" doesn't necessarily mean terminated access [10][11].

This follows a broader pattern. A 2023 executive order restricted commercial spyware use, but the Trump administration appears broadly receptive to lifting those restrictions. NSO Group (maker of Pegasus) is actively lobbying for rehabilitation. Meanwhile, NPR's earlier investigation found that DHS internal documents show the department preparing to spend hundreds of millions on surveillance technology in 2026 [11].

Related: ICE's $8.5 Billion Surveillance Arsenal and ICE Bought Spyware That Reads Your Signal and WhatsApp Messages

London Police Used Live Facial Recognition at Protests for the First Time

On May 16, the Metropolitan Police deployed live facial recognition cameras as part of a protest policing operation for the first time. Two dueling demonstrations, Tommy Robinson's "Unite the Kingdom" march (50,000+ attendees) and the Nakba Day rally (30,000+), saw 80,000+ people scanned against a police watchlist in the London borough of Camden [12][13].

Big Brother Watch's Head of Research called it "a frightening escalation," stating that "a biometric identity check cannot become a prerequisite for free speech in this country." The UK's Information Commissioner's Office warned of legal risks. Civil liberties groups argued that the deployment treats every protester as a potential suspect, undermining the presumption of innocence [13][14].

The police operation involved 4,000 officers (including reinforcements from outside the city) at an estimated cost of 4.5 million pounds. Live facial recognition was deployed in an area likely to be used by those attending the Unite the Kingdom march [12][13].

This sets a precedent. Once facial recognition is normalized at protests, the chilling effect on free assembly becomes permanent. People won't show up if they know a biometric database check is the price of admission. And London's Metropolitan Police have been steadily expanding their use of live facial recognition on regular streets, and this was simply the next step [14].

NYC Health + Hospitals Breach: 1.8 Million People Had Their Fingerprints Stolen

NYC Health + Hospitals disclosed that hackers stole personal data, medical records, and biometric information (including fingerprint and palm-print scans) belonging to at least 1.8 million people during a breach that ran from November 25, 2025 to February 11, 2026 [15][16].

The exposed data includes health insurance details, diagnoses and medications, billing and payment data, Social Security numbers, passport and driver's license numbers, and geolocation data. But the biometric theft is what makes this breach permanent. You can change a password. You can cancel a credit card. You can freeze your credit. You cannot change your fingerprints [15][16].

The hackers accessed NYC H+H systems through a compromised third-party vendor, which the hospital system declined to name. The breach was reported to HHS on March 24. Kroll is providing 24 months of identity monitoring, a gesture that does nothing for the biometric data that will remain compromised for life [15][16].

Related: Our earlier coverage of the NYC H+H breach

Congress Quietly Funded DHS's Biometric Surveillance Infrastructure Last Month

The Homeland Security and Further Additional Continuing Appropriations Act, signed April 30, didn't look like a surveillance bill. But buried in the text are provisions that fund and preserve the building blocks of DHS's expanding biometric surveillance architecture [17].

The law authorizes USCIS funds for "the collection and use of biometrics" at Application Support Centers that can be "overseen virtually," meaning remote biometric collection without in-person oversight. It also specifies that CBP border security funds can only be used for surveillance systems that are autonomous, effectively mandating automation over human-operated alternatives [17].

Looking ahead, DHS is requesting $7.5 million in its fiscal year 2027 budget for biometric "smart glasses" for ICE and CBP field agents. Senators have already pushed back on the smart glasses plan. But the broader trajectory is clear: Congress is funding the surveillance infrastructure first and debating the rules later [17][18].

What to Watch

  • FISA Section 702: 18 days left. The 45-day extension expires June 12. Congress returned from recess on May 12 and has done nothing. Watch for floor activity this week. Our coverage.
  • CISA credential leak fallout. Congressional hearings are likely. The question is whether other contractors have similar repos, and whether anyone is checking.
  • Supply chain attack acceleration. Three major attacks in one week (Laravel-Lang, Megalodon, and ongoing TeamPCP cleanup). Package registries are becoming the frontline.
  • ICE spyware transparency. Advocates are pressing DHS to clarify whether ICE can still access Paragon tools through third parties. The distinction between "no contract" and "no access" matters.
  • Meta v. New Mexico Phase 2. Trial wrapping up late May / early June. If the court orders algorithm redesign, it's unprecedented.
  • DragonForce daily leaks continue. AdvancedHEALTH patient data drip ongoing: 2.3+ million records, including minors.

Sources

  1. Krebs on Security: CISA Admin Leaked AWS GovCloud Keys on GitHub (May 2026)
  2. TechCrunch: US Cyber Agency CISA Exposed Reams of Passwords and Cloud Keys to the Open Web (May 19, 2026)
  3. Krebs on Security: Lawmakers Demand Answers as CISA Tries to Contain Data Leak (May 2026)
  4. The Register: America's Top Cyber-Defense Agency Left a GitHub Repo Open with Passwords, Keys, Tokens (May 19, 2026)
  5. The Hacker News: Laravel-Lang PHP Packages Compromised to Deliver Cross-Platform Credential Stealer (May 2026)
  6. StepSecurity: Laravel-Lang Supply Chain Attack: Every Tag Rewritten to Steal CI Secrets (May 2026)
  7. BleepingComputer: Laravel-Lang Packages Hijacked to Deploy Credential-Stealing Malware (May 2026)
  8. The Hacker News: Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows (May 2026)
  9. StepSecurity: Megalodon: Mass GitHub Actions Secret Exfiltration Across 5,500+ Public Repositories (May 2026)
  10. NPR: DHS Says ICE Has 'No Relationship' With Spyware Maker Paragon Solutions (May 22, 2026)
  11. NPR: What We Know About How the U.S. Government Uses Spyware (May 19, 2026)
  12. LADbible: Live Facial Recognition Cameras Used for First Time at London Protests (May 16, 2026)
  13. ITV News: Facial Recognition to Be Used in Policing Operation of Protests (May 15, 2026)
  14. Big Brother Watch: Response to the Use of Live Facial Recognition at Protests (May 2026)
  15. TechCrunch: NYC Health + Hospitals: Hackers Stole Medical Data and Fingerprints of 1.8 Million People (May 18, 2026)
  16. Malwarebytes: Biometrics, Diagnoses, and Bank Details Exposed in Major Healthcare Breach (May 2026)
  17. Biometric Update: DHS Funding Law Quietly Advances Biometric Surveillance Infrastructure (May 2026)
  18. FedScoop: Lawmakers Push Back on Proposed DHS Data Collection Expansion (May 2026)