Free practical cybersecurity guidance for organisations without a security team.
hello@actionsoncyber.com

Daily SMB Cyber Intelligence Brief

SMB Cyber Intelligence Brief — Supply‑chain tampering and active website exploitation risk

What small and medium-sized businesses should look out for today.

High
Saturday 23 May 2026, 12:41 UK time
Today’s look-out: Supplier and developer supply‑chain risk (packages, GitHub, website platforms)

What to look out for today

1) Software supply‑chain tampering: reports that PHP packages used by developers (Laravel-Lang) were compromised to distribute credential‑stealing code.

2) GitHub repo/CI pipeline compromise attempts: an automated campaign pushed malicious workflow changes into thousands of GitHub repositories, aiming to steal secrets from CI/CD.

3) Website compromise attempts: Drupal has warned of real‑world attempts to exploit a newly announced, highly critical SQL injection issue.

Why this matters to smaller businesses

  • You can be hit indirectly: even if you’re not the target, a plugin, language pack, template, library, or a contractor’s repo can become the route in.
  • Credential theft scales fast: stolen passwords, API keys, and “secrets” can lead to email takeover, cloud access, payment fraud, or data exposure.
  • Websites are high‑impact: if your public website or intranet is compromised, it can cause downtime, malware warnings, defacement, or data leakage—often outside office hours.

Warning signs

  • Unexpected password reset emails, new MFA prompts, or impossible travel alerts for Microsoft 365/Google/CRM accounts.
  • Unexplained changes in GitHub/GitLab repos: new workflow files, sudden “automation” commits, or unfamiliar bot accounts making changes.
  • CI/CD or hosting alerts about new environment variables, new tokens, or outbound connections from build runners you don’t recognise.
  • Website symptoms: sudden spikes in traffic, unexplained redirects, new admin users, new pages you didn’t publish, or customers reporting odd pop‑ups.
  • Any supplier/agency saying “we need you to re-authenticate” or “we changed payment details” in the same week as a security story—treat as suspicious until verified.

How attackers may exploit the situation

  • Malicious updates/packages: a trusted dependency gets updated and quietly steals credentials from developer machines or servers.
  • Repo workflow injection: attackers add or modify build workflows to capture secrets (tokens, keys) used for deployments or cloud access.
  • Website exploitation: attackers scan the internet for vulnerable Drupal sites, then attempt to extract data or take control of the site.

What to do today

  • Confirm who owns your web stack: if you use Drupal (or aren’t sure), identify the maintainer (internal, agency, MSP) and ensure it’s being actively monitored.
  • Lock down developer and admin access: enforce MFA for GitHub and hosting, and review who has admin rights and access to deploy.
  • Check for recent unexpected repo changes: look for new/changed CI workflows and newly created tokens/secrets in source control and build systems. If you find a malicious workflow, remove it first: secrets rotated while it is still in place can be captured on the next build.
  • Rotate high‑value secrets if concerned: prioritise repo deploy keys, CI tokens, cloud API keys, and shared admin passwords.
  • Brief staff on “security story” scams: attackers often ride the news cycle with fake security alerts and re‑auth links.

Ask your IT provider

  • Do we run Drupal anywhere (public site, microsites, intranet), and who is responsible for monitoring and emergency changes out of hours?
  • Which systems hold our deployment secrets (GitHub/GitLab, CI runners, hosting panels), and how are they protected and audited?
  • Do we have alerts for new admin accounts on the website/CMS and for unexpected changes to CI workflows?
  • If a supplier library/package we rely on is compromised, what is our process to identify where it’s used and to rotate credentials quickly?

Patch watch

If you use Drupal, treat Drupal’s warning about active exploitation attempts as urgent: ensure the responsible party has reviewed the advisory and confirmed remediation and monitoring are in place. This is less about “patching everything” and more about making sure your internet‑facing CMS is actively managed, logged, and recoverable.

One action today

Have your web/IT owner confirm today whether you use Drupal or affected dev dependencies, and review the last 7 days of website admin changes and GitHub/CI workflow changes for anything unexpected.

Related Actions On Cyber resource

Actions On Cyber: Supplier Security & Third‑Party Access Checklist (including “who can deploy”, “where secrets live”, and “how to verify supplier security alerts”).

Sources

This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.