2026 has officially become the year of speed, scale and support. The delta between a phishing email landing and a full organizational compromise has shrunk to mere seconds.
GitHub disclosed that attackers accessed its internal repositories after compromising an employee device through a poisoned Visual Studio Code extension. The company said the activity appears limited to GitHub-owned internal repositories, with the attacker’s claim of roughly 3,800 repositories being “directionally consistent” with its investigation. GitHub also said it found no evidence that customers’ own enterprises, organizations or repositories were impacted.
In the world of security awareness training, a comprehensive library of relevant and engaging content is a necessity. But even the best training can feel limited when you need to talk about your specific VPN rules, a policy that changed this morning, or a novel threat uniquely targeting your industry today.
A phishing campaign exploited a glitch in Robinhood’s account creation process to send phishing emails from the investment platform’s own systems, SecurityWeek reports.
Phishing remains the single biggest human-driven threat in most organizations. Yet many security leaders face a familiar problem: the stronger the push to run frequent training and simulations, the louder the employee backlash. Complaints range from “too many tests” to “training interrupts my work,” and that resistance can erode both engagement and security outcomes. The good news: you can lower Phish-prone Percentages without burning out your people by shifting strategy from frequency for frequency’s sake to smarter, less intrusive, and more supportive interventions that change behavior.
UK residents lost £102 million ($138 million US) to romance scams in 2025, according to a new report from the City of London Police.
Attackers are abusing the storage and sharing features of Kuse, a free AI app, to assist in phishing campaigns, according to researchers at Trend Micro. Kuse is a legitimate agentic AI platform used by employees to streamline workflows. Users can share files with coworkers, which generates a link hosted on Kuse’s domain. In this case, attackers are abusing the share feature to generate legitimate-looking phishing links.
Researchers at Guardio Labs are tracking a major phishing campaign that abused Google AppSheet as a relay to send phishing emails. The researchers identified more than 30,000 Facebook accounts that were compromised by this campaign. Since the emails are sent from Google’s legitimate infrastructure, they’re much more likely to land in users’ inboxes.