Microsoft's Force Upgrades and GitHub Malware: A Week of Trust Issues

2026-04-05

Page content

Microsoft’s Force Upgrades and GitHub Malware: A Week of Trust Issues

I’ve been thinking a lot about trust this week after reading through the latest security news. We’ve got Microsoft pushing forced upgrades again, attackers using GitHub as their personal command center, and WhatsApp users getting tricked into installing spyware. It’s like watching a masterclass in how trust can be weaponized from multiple angles.

When Microsoft Decides What’s Best for You

Let’s start with the elephant in the room. Microsoft is now force-upgrading unmanaged Windows 11 24H2 devices to 25H2, and honestly, this feels like déjà vu all over again. We’ve been down this road before with Windows 10, and it wasn’t pretty then either.

Here’s what bugs me about this approach: Microsoft is essentially saying “we know better than you” to millions of users and organizations. Sure, they’ll argue it’s for security reasons, and there’s some truth to that. Keeping systems patched is critical. But forced upgrades have a nasty habit of breaking things at the worst possible times.

For those of us managing enterprise environments, this is particularly frustrating. Even though this specifically targets “unmanaged” devices, we know how quickly these policies can expand. The key takeaway here is that if you want control over your update timeline, you need proper management tools in place. Group Policy, WSUS, or modern device management solutions aren’t just nice-to-haves anymore—they’re essential for maintaining any semblance of control over your environment.

GitHub: The New Underground Highway

Now here’s something that should make us all uncomfortable: attackers are using GitHub as a covert command and control channel. They’re leveraging LNK files with embedded decoders, PowerShell persistence mechanisms, and GitHub repositories to orchestrate their campaigns.

This is brilliant from an attacker’s perspective, and terrifying from ours. GitHub traffic looks completely legitimate to most security tools. It’s encrypted, it’s expected in development environments, and blocking it entirely would cripple most modern organizations. The attackers know this, and they’re exploiting our dependency on these platforms.

The campaign uses a multi-stage approach that’s becoming increasingly common. First contact through LNK files, then PowerShell for persistence, and finally GitHub for ongoing command and control. Each stage is designed to blend in with normal system activity, making detection significantly harder.

What can we do about this? We need to get smarter about monitoring GitHub API usage patterns and implementing more granular controls around PowerShell execution. It’s also worth reviewing whether all users really need unrestricted access to code repositories during normal business operations.

Supply Chain Attacks Hit AI

Speaking of trust issues, Mercor got hit through a LiteLLM supply chain attack, with the Lapsus$ group claiming they’ve stolen 4TB of data. This is particularly interesting because it highlights how AI companies are becoming attractive targets, and how the supply chain attack vector continues to be incredibly effective.

LiteLLM is a library that provides a unified interface for various large language model APIs. If you compromise something like that, you potentially get access to multiple downstream organizations. It’s the same playbook we saw with SolarWinds, but now applied to the AI ecosystem.

The fact that Lapsus$ is involved makes this even more concerning. They’ve shown they’re not just after data—they’re after reputation damage and operational disruption. For AI companies handling sensitive recruiting data like Mercor, this kind of breach can be devastating.

Then we have WhatsApp alerting 200 users about a fake iOS app that installed spyware, with most targets located in Italy. This attack involved social engineering to trick users into installing a malicious version of the WhatsApp app, and there are reports that an Italian firm is facing legal action over it.

What’s particularly noteworthy here is the targeted nature of this campaign. Two hundred users isn’t a massive number—this looks like a focused operation rather than a spray-and-pray approach. The geographic concentration in Italy suggests this might have been a surveillance operation targeting specific individuals or groups.

The involvement of what appears to be an Italian company in developing or deploying this spyware raises serious questions about the commercial surveillance industry. We’ve seen similar issues with companies like NSO Group, and it seems like the problem isn’t going away.

Healthcare Under Siege

Finally, there’s an excellent piece on how hospitals need to prepare for inevitable ransomware attacks. A chief medical information officer shared insights about what healthcare organizations face during these incidents, emphasizing that preparation and rehearsals are key to defense.

This resonates with me because healthcare represents such a critical target. Attackers know that hospitals can’t afford extended downtime when lives are on the line, which makes them more likely to pay ransoms. The article emphasizes something we often overlook: the importance of tabletop exercises and incident response rehearsals.

You can have the best security tools in the world, but if your team doesn’t know how to coordinate during a crisis, you’re still going to struggle. Healthcare organizations especially need to practice scenarios where core systems are unavailable and patient care must continue.

The Trust Problem

Looking at all these stories together, there’s a common thread: trust is being weaponized from every angle. Microsoft is using our trust in their update process to force changes. Attackers are using our trust in GitHub to hide malicious activity. Supply chain attacks exploit our trust in third-party libraries. Social engineering attacks abuse our trust in familiar applications.

The solution isn’t to trust nothing—that’s not practical in our interconnected world. Instead, we need to get better at implementing verification mechanisms and reducing our blast radius when trust inevitably breaks down.