11 minutes was all it took for attackers to gut 3,800 internal code repositories at GitHub. On May 18, a compromised version of the Nx Console extension was uploaded to the official Visual Studio Code marketplace. According to the analysis by Rescana, the attack used a stolen contributor token to push a malicious orphan commit that exfiltrated credentials and source code from thousands of organizations. This is the price of the "vibe coding" revolution: when amateurs use AI to build software in minutes, they leave the back door wide open for the professionals to walk in.

The breach is part of a systemic failure of the digital perimeter. Simultaneously, CISA added two Microsoft Defender zero-days to its Known Exploited Vulnerabilities catalog. Tracked as CVE-2026-41091 and CVE-2026-45498, these bugs allow local attackers to elevate their privileges to SYSTEM level and shut down endpoint protection. Per the security filings, these vulnerabilities are already being exploited in the wild to disrupt Windows environments.

The state has proven it cannot defend the code it relies on. While the DOJ is busy scrubbing news releases about Jan. 6 from its website to "reverse weaponization," the actual infrastructure of the government's cloud is being picked clean. By the time the Department of Justice finished its web-editing project on May 22, the master keys to the federal castle were already in the hands of whoever was smart enough to use a malicious VS Code extension. The Cognitive Enclosure is failing, not because the walls are too low, but because the architects are more interested in political optics than system security.