Check Point Weekly Report: 7-Eleven Breach, GitHub VS Code Attack, and Kali365 PhaaS Campaign
Check Point's latest threat intelligence bulletin covers a confirmed 7-Eleven breach, a GitHub source code theft via a weaponized VS Code extension, and the FBI warning about the Kali365 phishing-as-a-service kit.
Check Point Research has released its weekly threat intelligence bulletin for May 25, 2026, detailing a series of significant cyber incidents. Among the most notable are a confirmed breach at 7-Eleven, a sophisticated attack on GitHub's internal infrastructure, and an FBI warning about a new phishing-as-a-service kit called Kali365 that bypasses multi-factor authentication.
7-Eleven confirmed a breach after unauthorized access to systems used for franchisee documents. The threat actor group ShinyHunters claimed responsibility, stating they stole more than 600,000 Salesforce records containing personal and corporate information. The convenience store chain is offering identity protection services to affected individuals.
GitHub suffered a breach after attackers weaponized a Visual Studio Code extension to compromise an employee device and steal internal source code. The company estimates that approximately 3,800 internal repositories were exfiltrated, though it found no evidence of impact on customer-facing systems. Separately, Grafana Labs disclosed a breach after a compromised GitHub token allowed intruders to access parts of its source code. The company has refused to pay the ransom and reports no customer data exposure or service disruption.
The FBI has issued a warning about Kali365, a phishing-as-a-service kit actively targeting Americans, primarily distributed through Telegram. The platform targets Microsoft 365 users with device-code phishing, capturing OAuth access and refresh tokens to enable persistent access to Outlook, Teams, and OneDrive while bypassing MFA.
On the vulnerability front, Microsoft patched two actively exploited Windows Defender flaws: CVE-2026-41091, a local privilege escalation vulnerability in the Malware Protection Engine, and CVE-2026-45498, a denial-of-service flaw in the Defender Antimalware Platform. Both updates are delivered automatically through normal Defender updates. Trend Micro addressed CVE-2026-34926, a directory traversal flaw in Apex One on-premises servers that allows attackers with administrator access to push malicious code to endpoints. Drupal released emergency patches for CVE-2026-9082, a critical SQL injection flaw affecting Drupal sites using PostgreSQL, with active attacks reported shortly after disclosure.
Check Point Research also highlighted a 124% surge in hacktivism and ransomware across Germany, Austria, and Switzerland in 2025, with Germany accounting for most incidents. Ransomware activity was led by Akira, Qilin, and Safepay. Additionally, researchers uncovered a supply chain attack on Laravel Lang localization packages via Composer, where attackers rewrote GitHub tags to point to malicious commits, deploying a cross-platform credential stealer targeting cloud keys, developer tokens, and browser passwords.