Stop Trusting the Signature
This week's most consequential incidents share a structural pattern that should make every security team uncomfortable: the infrastructure defenders rely on to establish trust — code-signing authorities, CI/CD tokens, legitimate cloud APIs — is being systematically repurposed as attack surface. The perimeter isn't being broken through; it's being borrowed.
Microsoft's Artifact Signing, Weaponized as a Service
Microsoft disclosed that it disrupted a malware-signing-as-a-service operation that had abused its own Artifact Signing system to generate fraudulent code-signing certificates for ransomware gangs and other threat actors, compromising thousands of machines before the takedown. The disturbing detail isn't just that attackers found the abuse vector — it's that signed malware bypasses virtually every signature-based control, and organizations that spent years hardening against unsigned binaries now face legitimately signed ones. Microsoft's intervention is welcome. The abuse model will migrate to other signing infrastructure.
From TanStack to Grafana: The Token Nobody Rotated
The Grafana breach is a textbook example of second-order supply chain failure. The initial compromise was the TanStack npm attack from the prior week. Grafana's teams rotated most of their exposed credentials in the aftermath — but one GitHub workflow token slipped through. That single missed rotation became the entry point. This is the failure mode defenders rarely plan for: not the initial supply chain hit, but the credential hygiene gap that opens in the chaos of incident response. Rotation checklists need to be exhaustive and verified, not approximate.
Webworm Hides C2 Inside Discord and MS Graph
Webworm, a China-aligned threat actor, has deployed EchoCreep and GraphWorm backdoors that route command-and-control traffic through Discord and the Microsoft Graph API. Both platforms offer encrypted, authenticated, high-volume communications that are nearly impossible to block without disrupting legitimate operations. Defenders who rely on network-layer inspection to flag C2 traffic to known-bad infrastructure will miss this entirely. Detection requires baselining what normal Graph API and Discord activity looks like in your environment and alerting on deviations in volume, timing, or endpoint patterns.
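As an added illustration of that baseline-and-deviate approach (example code written for this digest, not from Microsoft, Discord or the researchers who reported Webworm): it reads a constructed proxy log and flags hosts whose Graph or Discord request volume, or request-interval regularity, deviates from their peers. Host names, timestamps and thresholds are assumptions; only the two destination names are real.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

WATCHED = ("graph.microsoft.com", "discord.com")
MIN_BEACON_EVENTS = 4   # need several intervals before judging regularity
MAX_BEACON_CV = 0.2     # interval coefficient of variation below this reads as a beacon

# Constructed proxy log, "<ISO timestamp> <host> <destination>". Hosts ws01..ws09 and
# timestamps are invented; only the two destination names are real service endpoints.
SAMPLE_LOG = """\
2024-01-01T09:00:05 ws01 graph.microsoft.com
2024-01-01T09:02:10 ws02 graph.microsoft.com
2024-01-01T09:31:55 ws02 graph.microsoft.com
2024-01-01T09:48:03 ws02 graph.microsoft.com
2024-01-01T09:05:00 ws03 graph.microsoft.com
2024-01-01T09:10:00 ws04 discord.com
2024-01-01T09:40:00 ws04 discord.com
2024-01-01T09:12:30 ws05 discord.com
""" + "".join(f"2024-01-01T09:{m:02d}:00 ws09 graph.microsoft.com\n" for m in range(8))


def parse(log_text):
    """Group request times (epoch seconds) by (host, destination) for watched services."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, host, dest = line.split()
        if dest in WATCHED:
            events[(host, dest)].append(datetime.fromisoformat(ts).timestamp())
    return events


def detect(log_text):
    """Return {(host, dest): [reasons]} for hosts that deviate from their peers' baseline."""
    events = parse(log_text)
    counts = {k: len(v) for k, v in events.items()}
    findings = defaultdict(list)
    for (host, dest), times in events.items():
        # Volume: baseline is every OTHER host using this destination, so a noisy suspect
        # cannot raise its own threshold; the spread is floored at one request.
        peers = [c for (h, d), c in counts.items() if d == dest and h != host]
        if peers and len(times) > mean(peers) + 2 * max(pstdev(peers), 1.0):
            findings[(host, dest)].append("volume")
        # Timing: near-constant gaps look like a beacon; interactive traffic is bursty.
        if len(times) >= MIN_BEACON_EVENTS:
            ordered = sorted(times)
            gaps = [b - a for a, b in zip(ordered, ordered[1:])]
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < MAX_BEACON_CV:
                findings[(host, dest)].append("beacon")
    return dict(findings)
```

Run against the sample, only ws09 is reported, for both its request count and its fixed one-minute cadence; the other hosts' bursty, low-volume Graph and Discord use stays under both thresholds.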
GitHub's Internal Repositories Under Scrutiny
GitHub is investigating a claim by the TeamPCP group that it accessed approximately 4,000 internal repositories containing private code. The claim is unconfirmed, but the implications warrant attention regardless. GitHub sits at the center of global software supply chains; a compromise of internal infrastructure — source code, signing keys, internal tooling — would have cascading trust implications far beyond GitHub's own systems. The investigation is ongoing.
The Patch Queue Isn't Slowing Down
Drupal's security team took the unusual step of pre-announcing a critical core release for May 20, warning that exploits could emerge within hours of disclosure — a signal that the vulnerability is both exploitable and already on threat actors' radar. Separately, Ivanti, Fortinet, SAP, and VMware released fixes for RCE and privilege escalation flaws, with Ivanti Xtraction scoring a CVSS 9.x. And Microsoft confirmed that attackers are abusing Self-Service Password Reset in Azure environments to exfiltrate data — another reminder that identity controls without continuous device verification leave a wide lane open.
When signing authorities become malware delivery services, legitimate cloud APIs carry C2 traffic, and a single unrotated token undoes an otherwise competent incident response, the operative question stops being whether your controls are technically sound. It becomes whether the infrastructure those controls depend on is still trustworthy — and how quickly you'd know if it wasn't.
- Microsoft Takes Down Malware-Signing Service Behind Ransomware Attacks
- Grafana breach caused by missed token rotation after TanStack attack
- Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API
- GitHub investigates internal repositories breach claimed by TeamPCP
- Drupal to Release Urgent Core Security Updates on May 20, Sites Told to Prepare
- Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws
- Microsoft Self-Service Password Reset abused in Azure data theft attacks
Synthesized by Claude · sanity-checked before publish.