Gallery

Contacts

411 University St, Seattle, USA

engitech@oceanthemes.net

+1 -800-456-478-23

Twitter Facebook-f Pinterest-p Instagram

Weekly Security Intelligence Briefing — Week of 2026-05-18

Briefing
og security news briefs
_ _ Tech Jacks Solutions_ 0 Comments

Executive Summary

The week of 2026-05-18 delivered one of the most operationally dense threat landscapes recorded by the SCC pipeline this year. The briefing tracks 45 intelligence items across critical CVEs, active campaigns, nation-state operations, supply chain compromises, and data breaches. Three items demand immediate board-level attention. First, CVE-2026-42897, an unpatched Microsoft Exchange XSS zero-day under active exploitation with a CISA KEV remediation deadline of 2026-05-29, requires immediate EEMS mitigation deployment on all on-premises Exchange 2016, 2019, and SE instances. Second, CVE-2026-20182, a CVSS 10.0 authentication bypass in Cisco Catalyst SD-WAN with a CISA KEV deadline of 2026-05-17 (already passed), confirms sustained nation-state targeting of network control planes. Third, Pwn2Own Berlin 2026 demonstrated 47 zero-days across Microsoft Exchange, VMware ESXi, Red Hat Enterprise Linux, and NVIDIA Container Toolkit over three days, establishing a 90-day countdown to weaponization of these techniques against production infrastructure. The financial sector faces simultaneous pressure from three directions: DPRK cryptocurrency theft operations totaling $2.02 billion, the MURKY PANDA China-nexus espionage campaign targeting Microsoft 365 environments, and eCrime hands-on intrusions surging 43% year-over-year. The node-ipc npm supply chain compromise (versions 9.1.6, 9.2.3, 12.0.1) and the broader Shai-Hulud/Mini Shai-Hulud campaign affecting TanStack, Mistral AI, OpenAI, and 170+ packages represent the most significant developer tool supply chain event of the year to date. AI workload security emerges as a systemic gap: the prompt injection attack surface on Kubernetes-hosted LLM workloads currently has no native detection coverage in most enterprise security stacks. Seven CVEs carry CISA KEV status this week. Overall risk posture: CRITICAL.

Critical Action Items

  1. CVE-2026-42897 — Microsoft Exchange XSS (Active Exploitation, KEV Deadline 2026-05-29): Deploy Exchange Emergency Mitigation Service (EEMS) mitigation immediately on all Exchange Server 2016, 2019, and SE instances. Run Get-ExchangeDiagnosticInfo -Server -Process MSExchangeHMWorker -Component EEMSAgent to confirm EEMS connectivity. Restrict OWA access to VPN-only if patching cannot complete before the KEV deadline. Monitor IIS W3C logs for anomalous POST patterns to OWA/EWS/Autodiscover endpoints.
  2. CVE-2026-20182 — Cisco Catalyst SD-WAN Authentication Bypass, CVSS 10.0 (KEV Deadline 2026-05-17 — PAST DUE): Apply patches from advisory cisco-sa-sdwan-rpa2-v69WY2SW immediately. No workarounds exist. Block NETCONF (TCP/830) to SD-WAN Controller and Manager from all untrusted networks now. Rotate all administrative credentials post-patch. Consult NSA/ACSC joint advisory for UAT-8616 threat actor IOCs.
  3. CVE-2026-32661 — Canon GUARDIANWALL MailSuite Stack Buffer Overflow, CVSS 9.8 (CISA KEV): Restrict network access to GUARDIANWALL web service immediately. No patch confirmed available at time of writing; contact Canon Marketing Japan support for remediation timeline. Monitor for unexpected child process spawning from grdnwww context.
  4. CVE-2026-8181 — Burst Statistics WordPress Plugin Authentication Bypass, CVSS 9.5 (CISA KEV): Update Burst Statistics to version 3.4.2 immediately on all WordPress installations. Query the WordPress database for unauthorized administrator accounts created after 2026-04-23. Estimated 115,000 of 200,000 active installs remain unpatched.
  5. node-ipc npm Supply Chain Compromise (Versions 9.1.6, 9.2.3, 12.0.1): Run npm list node-ipc across all Node.js projects, CI/CD pipelines, and container images. Isolate any build environment that executed a malicious version. Rotate ALL credentials accessible in affected environments: AWS IAM, GCP service accounts, Azure tokens, GitHub/GitLab tokens, Kubernetes service accounts, SSH keys, and npm tokens. Block outbound connections to Azure-themed domains not in approved inventory.
  6. Pwn2Own Berlin 2026 — 47 Zero-Days Including Microsoft Exchange RCE Chain: Monitor w3wp.exe and Exchange backend processes for unexpected child process creation. Alert on SYSTEM-level process creation from Exchange application pools. Subscribe to ZDI advisories and establish P1 SLA for Exchange RCE CVEs when assigned. Enable AMSI and ETW on all endpoints now.
  7. Azure Backup for AKS Confused Deputy Privilege Escalation (No CVE Assigned): Audit Azure RBAC assignments for the Backup Contributor role across all subscriptions. Query AKS audit logs for unexpected ClusterRoleBinding creation events. Remove or scope-limit any identity holding Backup Contributor that is not a tightly controlled dedicated service identity. Log retention for Kubernetes API server must exceed 90 days.
  8. FunnelKit Funnel Builder for WooCommerce / CVE-2026-4782 & CVE-2026-4798 — Active Card Skimming: Update FunnelKit Funnel Builder to version 3.15.0.3 immediately. Audit checkout page source for unrecognized GTM container IDs. Search wp_options for injected script content. Notify payment processor of potential compromise window. Initiate PCI-DSS incident record if in-scope.

Key Security Stories

Secret Blizzard Rebuilds Kazuar as Autonomous P2P Botnet with 150-Option Evasion Engine

Microsoft published detailed analysis on 2026-05-14 of an extensively rebuilt Kazuar implant attributed to Secret Blizzard (Turla), the FSB-linked Russian APT group. The new architecture operates as a three-tier peer-to-peer botnet with autonomous leader election, meaning takedown of individual nodes does not disrupt the network. The malware deploys a 150-option evasion engine targeting Windows security instrumentation: AMSI, ETW, WLDP, and Windows Messaging subsystems are all addressed. Kazuar uses Exchange Web Services (EWS) as a C2 channel alongside Named Pipes and Mailslots for intra-network communication, making detection dependent on behavioral analytics rather than network signatures.

The implant performs comprehensive collection including keylogging, screen capture, remote email harvesting via Exchange MAPI, and file enumeration. C2 traffic uses symmetric encryption over multiple protocols including HTTP/S, mail protocols, and non-application-layer channels, with dynamic C2 resolution to frustrate blocklisting. Microsoft’s primary analysis, which includes IOCs including hashes, domains, and IPs, is published at https://www.microsoft.com/en-us/security/blog/2026/05/14/kazuar-anatomy-of-a-nation-state-botnet/.

Organizations should treat this as an active threat requiring immediate behavioral hunting rather than waiting for signature updates. Detection priority: EWS audit logs for programmatic access by non-mail-client hosts, Sysmon Event IDs 17/18 for Named Pipe creation, and asymmetric P2P traffic patterns where one host generates all external DNS/HTTPS traffic while peers are silent. Any confirmed Kazuar infection requires full host reimaging; the modular architecture makes manual cleanup unreliable. Reimage, rotate all credentials, and validate Exchange EWS audit logging is forwarding to SIEM before restoring to production. MITRE: T1055, T1114.002, T1562.001, T1562.006, T1071.003, T1568, T1573.001, T1090.001.

node-ipc Supply Chain Compromise: Credential-Harvesting Backdoor Targets 90 Secret Categories

Three versions of the widely-deployed node-ipc npm package — 9.1.6, 9.2.3, and 12.0.1 — were found to contain an embedded credential-harvesting infostealer with DNS TXT record exfiltration. The backdoor targets 90 categories of secrets including AWS, Azure, GCP, OCI, DigitalOcean, Kubernetes, Docker, Helm, Terraform, npm, GitHub, GitLab, Git CLI, macOS Keychain, Firefox, and Microsoft Teams credentials. Version 12.0.1 includes hash-gating targeting specific entry points, indicating active threat actors conducting targeted operations rather than opportunistic mass compromise. The C2 uses a typosquatted Azure-themed domain for dual-channel exfiltration over HTTPS and DNS TXT queries.

node-ipc is widely used as a transitive dependency in major JavaScript projects including vue-cli. Any Node.js project that resolved dependencies during the compromise window should be treated as potentially affected. Detection relies on DNS TXT query anomalies from build/runtime hosts and file system access monitoring for credential paths including ~/.aws/credentials, ~/.kube/config, ~/.docker/config.json, and SSH private key paths.

The immediate action is to run npm list node-ipc and npm ls node-ipc across all repositories and CI/CD runners. Malicious versions are 9.1.6, 9.2.3, and 12.0.1; all three are confirmed IOCs. Treat any build environment that executed these versions as fully compromised. Rotate every secret accessible to those environments and audit cloud provider access logs for unauthorized API calls during the exposure window. MITRE: T1195.001, T1552.001, T1552.004, T1048.003, T1071.004, T1195.002.

Pwn2Own Berlin 2026: 47 Zero-Days in Three Days Across Microsoft, VMware, Red Hat, and NVIDIA

Pwn2Own Berlin 2026 concluded with 47 demonstrated zero-day vulnerabilities over three days, with a compound Microsoft Exchange exploit chain achieving SYSTEM-level RCE earning the highest single prize. Additional targets included Windows 11, Microsoft Edge, Microsoft SharePoint, VMware ESXi (container escape, T1611), Red Hat Enterprise Linux for Workstations (LPE), and the NVIDIA Container Toolkit. All demonstrated exploits are under 90-day coordinated disclosure embargo managed by the Zero Day Initiative.

The Exchange finding is the highest-priority item from this competition. Historical precedent from ProxyLogon and ProxyShell shows that Exchange vulnerabilities disclosed through research competitions frequently see exploitation within 30 days of patch release, sometimes within hours. The 90-day embargo does not eliminate exploitation risk during the window; sophisticated threat actors track competition results and may develop independent variants. Security teams should treat this as a high-probability near-term threat, not a theoretical future concern.

Immediate defensive posture: monitor w3wp.exe and Exchange worker processes for anomalous child process creation; alert on SYSTEM-level process creation from Exchange application pools; review IIS logs for anomalous POST patterns to OWA, EWS, and Autodiscover endpoints (the same telemetry that surfaced ProxyLogon). For VMware ESXi, monitor for unexpected process execution at the hypervisor level and container-to-host escape indicators. Subscribe to ZDI advisories at zerodayinitiative.com and MSRC for CVE assignments and patch releases. Source: ZDI advisory program. IOCs are pending embargo expiration.

Financial Sector Under Siege: DPRK Steals $2.02B, Hands-On Intrusions Surge 43%, eCrime Listings Up 27%

The CrowdStrike 2026 Financial Services Threat Landscape Report documents a convergence of three distinct threat clusters against financial institutions in 2025-2026. North Korean state-sponsored actors (TraderTraitor / FAMOUS CHOLLIMA) stole $2.02 billion from cryptocurrency exchanges and fintech platforms, using a combination of supply chain compromise (T1195.002), spearphishing, and an operationally significant insider threat tactic: placement of DPRK IT workers inside target firms as legitimate employees. China-nexus MURKY PANDA conducted espionage operations against Microsoft 365 environments using session cookie theft (T1539), OAuth application abuse (T1550.001), and remote email collection (T1114.002). eCrime groups operating BGH ransomware increased leak site listings by 27%.

The identity security controls most relevant to all three threat clusters are phishing-resistant MFA (FIDO2/CTAP2), conditional access enforcement on all M365 and cloud identity perimeters, and elimination of SMS/voice MFA fallback paths. These three clusters converge on the same attack surface: identity and session tokens. Organizations running Microsoft 365 should audit the Unified Audit Log for anomalous OAuth consent grants, impossible-travel sign-ins, and Exchange Online mailbox delegation events immediately. The DPRK IT worker insertion vector requires HR-level controls: enhanced contractor identity verification and behavioral monitoring for new employees who rapidly access sensitive financial systems.

No specific campaign IOCs are publicly released with the CrowdStrike report at time of writing. Consult CrowdStrike Falcon Intelligence or contracted threat intelligence feeds for MURKY PANDA and TraderTraitor-specific indicators. The report blog is published at https://www.crowdstrike.com/en-us/blog/crowdstrike-2026-financial-services-threat-landscape-report/. MITRE: T1566, T1539, T1550.001, T1114.002, T1195.002, T1621, T1657, T1078.

Mini Shai-Hulud / TeamPCP Supply Chain Campaign: TanStack, Mistral AI, OpenAI, and 170+ Packages Compromised

A sustained supply chain campaign attributed to TeamPCP, operating under the umbrella designation “Mini Shai-Hulud,” compromised npm and PyPI packages from TanStack, Mistral AI SDKs, UiPath, Guardrails AI, OpenSearch, and over 170 additional packages. The attack vector in each case was compromised publication credentials from the target maintainer — notably, TeamPCP reused Checkmarx’s publication credentials (stolen in the March 2026 Trivy compromise) to publish the malicious Checkmarx Jenkins AST Plugin v2026.5.09 to the official Jenkins Marketplace on 2026-05-09. OpenAI developer devices running macOS applications were confirmed compromised. GitHub Actions workflows and VS Code were among the affected surfaces.

The Grafana breach (CoinbaseCartel), confirmed during this same week, followed an identical pattern: a compromised GitHub Actions personal access token granted repository-read scope was used to exfiltrate Grafana source code. The threat actor then sent extortion demands. These incidents collectively establish that CI/CD pipeline credentials and npm/PyPI publication tokens are high-value targets that adversaries are actively harvesting through multiple vectors including prior supply chain compromises, social engineering, and credential reuse.

Security teams operating Node.js or Python build environments must immediately audit Gemfile.lock, package-lock.json, and requirements.txt for affected packages. Confirm IOCs and malicious package names against SafeDep’s published analysis at https://safedep.io/mass-npm-supply-chain-attack-tanstack-mistral and Mistral AI’s security advisory at https://docs.mistral.ai/resources/security-advisories. Rotate all CI/CD secrets. OpenAI macOS application users must update before 2026-06-12 to avoid certificate invalidation. MITRE: T1195.001, T1195.002, T1552.001, T1552.004, T1486.

BlackFile (UNC6671): Vishing-Driven AiTM Campaign Bypasses MFA Across Microsoft 365, Okta, Salesforce, Zendesk

Mandiant has tracked UNC6671 (operating as “BlackFile”) as an adversary-in-the-middle (AiTM) extortion group conducting vishing-based initial access against enterprise SaaS platforms. The group phones target users, impersonates IT support, and convinces them to approve MFA push requests, then harvests session tokens via AiTM proxy infrastructure. Once inside Microsoft 365, SharePoint, or OneDrive tenants, the group exfiltrates data to cloud storage for double-extortion leverage. The campaign abuses Microsoft Graph API access using Python (python-requests, msal) and PowerShell (Invoke-RestMethod) user-agents that may not match standard user activity baselines.

A critical detection gap enables this campaign: UNC6671 exploits suspected differences in Microsoft 365 Unified Audit Log event classification between “FileAccessed” and “FileDownloaded” events. Standard exfiltration alerts keyed to download events may not fire on FileAccessed-based bulk enumeration. Detection requires baselining per-user FileAccessed volume and alerting on 3x-5x deviation within 60 minutes, combined with Graph API access from non-standard user-agents. Okta System Log alerts for MFA challenge followed by approval from a different IP or device fingerprint are the equivalent signal in Okta environments.

Mitigation: disable IMAP/POP3/SMTP AUTH for all Microsoft 365 accounts; eliminate SMS and voice OTP fallback by requiring FIDO2 hardware keys for critical users; configure Okta FastPass without OTP phone fallback. Test changes on non-production accounts before enterprise enforcement. No public IOCs have been confirmed for this campaign at time of writing. MITRE: T1566.004, T1621, T1539, T1557, T1567.002, T1530.

FrostyNeighbor: Belarusian APT Pre-Screening Campaign Against Polish and Ukrainian Government Organizations

A newly identified Belarusian APT activity cluster, designated FrostyNeighbor, has been conducting spearphishing and reconnaissance operations against government organizations in Poland and Ukraine. The campaign focuses on pre-screening — identifying high-value targets through OSINT, gathering victim identity and organizational information, and sending tracking-pixel-bearing document lures to fingerprint which targets open the documents before committing to full-stage exploitation. This methodology allows the operator to identify and prioritize targets before deploying more detectable capabilities.

The attack chain maps to T1593 (Search Open Websites), T1566.001 (Spearphishing Attachment), T1598 (Phishing for Information), T1589 (Gather Victim Identity Information), and T1592 (Gather Victim Host Information). The tracking-pixel delivery mechanism means initial contact triggers an outbound HTTP request from the document viewer to an attacker-controlled domain, revealing the target’s IP, OS, and document viewer. Detection requires monitoring for outbound HTTP GET requests initiated by Office processes or PDF readers to external domains shortly after email receipt.

While this campaign targets European government entities, the tradecraft is transferable and has been observed adapted for corporate espionage targets. Organizations with government-adjacent functions, defense contracting, or intergovernmental liaison roles should treat spearphishing awareness training and email gateway inspection as elevated priorities. No confirmed IOCs are publicly available; monitor CERT Polska advisories for updates.

AI-Accelerated Vulnerability Discovery: The Patching Playbook Is Behind

Both the CrowdStrike 2026 Global Threat Report and IBM X-Force Threat Intelligence Index document a structural shift: AI-assisted tools are compressing the time between vulnerability disclosure and working exploit development. CrowdStrike documents a 42% increase in pre-disclosure zero-day exploitation (medium confidence per the report). IBM X-Force documents active development of fine-tuned offensive AI models for vulnerability discovery. This is not a future threat — it is the present baseline adversary capability for state-linked actors and increasingly for sophisticated eCrime groups.

The implication for security operations is direct: CVSS-score-driven monthly patch cycles are no longer aligned with actual exploitation timelines for high-severity vulnerabilities in internet-facing software. Virtual patching via WAF or EDR exploit mitigation policies for unpatched internet-facing services is no longer a fallback option — it is a required interim control while patches are staged. Detection engineering must shift left of CVE publication: behavioral detection for T1190, T1068, T1203, and T1210 should not depend on a CVE being assigned before alerting.

The Microsoft MDASH agentic AI security scanning system (announced this week) and CrowdStrike Falcon AIDR’s expansion to Kubernetes AI workloads represent defensive responses to this trend. Organizations should review whether AI-assisted detection tooling is in their procurement pipeline. In the interim, the most impactful single control is ensuring EDR behavioral rules cover exploitation of internet-facing services without requiring signature updates. Sources: CrowdStrike 2026 Global Threat Report; IBM X-Force Threat Intelligence Index 2026.

Azure Backup for AKS Confused Deputy Privilege Escalation — Silent Fix, No CVE Issued

Researcher disclosure documented a Confused Deputy vulnerability in the Azure Backup for AKS service. An attacker with the Backup Contributor role could invoke Azure Backup APIs in a way that caused the Azure Backup service’s elevated trust context to act as a proxy, resulting in cluster-admin binding on targeted AKS clusters without the attacker directly holding Kubernetes admin permissions. Microsoft silently patched this vulnerability without issuing a CVE or public advisory, a practice that prevents affected organizations from assessing their exposure window or initiating incident response.

The practical risk is significant: any identity holding Backup Contributor on a subscription with AKS clusters should be considered a potential path to cluster-admin. The exposure window is undefined. Forensic evidence may already be outside retention windows for organizations with less than 90-day AKS audit log retention. Organizations should immediately pull Azure RBAC role assignments for Backup Contributor across all subscriptions, review AKS audit logs for unexpected ClusterRoleBinding creation, and extend Kubernetes API server audit log retention to at least 90 days.

This incident illustrates a broader governance concern: cloud providers silently patching critical vulnerabilities without CVE assignment eliminates the notification mechanism organizations depend on for GRC compliance. Security teams should add cloud provider silent-patch monitoring (via researcher disclosure channels, security news aggregation, and vendor bug bounty program disclosures) to their vulnerability management process. IOC: Azure Backup for AKS service identity / Backup Contributor role. MITRE: T1548, T1078.004, T1098.003, T1134, T1530, T1610.

Prompt Layer Blind Spot: AI Workloads Require Runtime Detection Traditional Security Cannot Provide

Two separate SCC intelligence items this week independently confirmed the same finding: prompt injection against LLM-integrated Kubernetes workloads represents an active attack surface with no native detection coverage in most enterprise security stacks. CrowdStrike’s expansion of Falcon AIDR to include a Kubernetes Container Sensor collector addresses this gap for Falcon customers, providing runtime detection of injection attempts, policy violations, and downstream behavioral anomalies. For organizations without this capability, the attack surface is effectively unmonitored.

The threat model is straightforward: prompt injection leaves no malicious binary, no anomalous network signature in traditional terms, and no exploit artifact. Detection requires instrumentation at the inference layer — logging what the model receives and what it causes downstream. A successfully injected instruction operates within whatever permissions the container already holds, meaning least-privilege enforcement on AI workload service accounts directly limits blast radius regardless of detection capability. OWASP LLM01 (Prompt Injection) should be a named threat pattern in every organization’s threat register where LLM workloads are deployed.

For organizations currently deploying AI workloads without prompt-layer monitoring, the recommended immediate controls are: enforce least-privilege on all AI workload service account permissions, audit Kubernetes pod-level API activity for unexpected exec commands or container deployments, and log full request/response payloads from LLM API calls to an immutable log store. Evaluate runtime AI detection tooling including Falcon AIDR, open-source instrumentation frameworks, or equivalent vendor capabilities. MITRE: T1059, T1190, T1552, T1565, T1602, T1610, T1611.

CISA KEV & Critical CVE Table

CVE Product CVSS EPSS Status KEV Deadline Description
CVE-2026-42897 Microsoft Exchange Server 2016/2019/SE, OWA 9.0 0.22% Active Exploitation, No Patch 2026-05-29 Unauthenticated XSS zero-day in Outlook on the Web; enables session hijacking and browser-side code execution; EEMS mitigation required immediately
CVE-2026-20182 Cisco Catalyst SD-WAN Controller & Manager 10.0 (CVSS 10) Not published Active Exploitation, Patched 2026-05-17 (PAST DUE) Authentication bypass via NETCONF allowing unauthenticated administrative access; attributed to UAT-8616; no workarounds exist
CVE-2026-32661 Canon GUARDIANWALL MailSuite / Mail Security Cloud 9.8 0.14% CISA KEV, Patch Availability Unconfirmed Not published Stack-based buffer overflow enabling unauthenticated RCE via web service component; grdnwww process exploitation path
CVE-2026-8181 Burst Statistics WordPress Plugin 3.4.0–3.4.1 9.5 0.26% Active Exploitation, Patched (3.4.2) Not published Unauthenticated authentication bypass via REST API enabling admin account creation; ~115,000 unpatched installs estimated
CVE-2026-44338 praison/praisonai 2.5.6–4.6.33 9.8 0.06% CISA KEV, Patched (4.6.34) Not published Missing authentication on /agents and /chat Flask API endpoints enabling unauthenticated workflow execution and RCE
CVE-2026-20224, CVE-2026-20209, CVE-2026-20210 Cisco Catalyst SD-WAN Manager (All Deployment Types) 9.5 Not published Patched, Related to Active Campaign Not published XXE enabling SSRF, unauthenticated RCE, and privilege escalation via management interface; chained with CVE-2026-20182 campaign
CVE-2026-0250 Palo Alto GlobalProtect App 6.0–6.3 (Windows/macOS/Linux/Android/ChromeOS) Not published (vendor advisory) 0.00% Patched None Buffer overflow enabling SYSTEM-level RCE via MitM attack during TLS negotiation; requires network adjacency to exploit
CVE-2026-0265 PAN-OS 10.2/11.1/11.2/12.1 PA-Series & VM-Series 7.5 0.00% Patches Partially Available None Authentication bypass via Cloud Authentication Service; affects firewalls and Panorama; Cloud NGFW and Prisma Access not affected
CVE-2026-42945 NGINX Plus R32–R36; NGINX Open Source 1.0.0–1.30.0; NGINX App Protect and Gateway variants 9.5 0.00% Patched; Public PoC Available None 18-year-old heap overflow in NGINX rewrite module; unauthenticated RCE; public PoC published at github.com/DepthFirstDisclosures/Nginx-Rift
CVE-2026-45185 Exim 4.97–4.99.2 (GnuTLS builds, STARTTLS+CHUNKING) 9.5 0.06% Patched (4.99.3) None Use-after-free in GnuTLS STARTTLS + CHUNKING interaction enabling unauthenticated RCE on internet-facing MTA; Debian/Ubuntu primary impact
CVE-2026-33824 / CVE-2026-33827 Microsoft Windows ikeext.dll (IKEv2) / tcpip.sys (TCP/IP+IPSec+IPv6) 9.5 0.10% Patched (May 2026 Patch Tuesday) None AI-discovered memory corruption CVEs enabling unauthenticated network RCE; discovered by Microsoft MDASH system; broad Windows exposure
CVE-2026-46300 Linux kernel XFRM ESP-in-TCP (all major distributions) 7.5 0.00% Patched; Public PoC Available None Third Linux XFRM LPE in two weeks; deterministic root exploit; affects AlmaLinux, Amazon Linux, CloudLinux, Debian, RHEL, SUSE, Ubuntu
CVE-2025-14869 GitLab CE/EE 18.5–18.11.2 7.5 0.03% Patched (18.9.7, 18.10.6, 18.11.3) None Unauthenticated DoS against API endpoints; low EPSS (8.6th percentile) suggests low active exploitation probability currently
CVE-2026-4782 / CVE-2026-4798 Avada Builder WordPress Plugin ≤3.15.2 / ≤3.15.1 7.5 0.04% Patched (3.15.3) None Path traversal (CVE-2026-4782) and blind SQL injection (CVE-2026-4798) enabling credential theft and database extraction; ~1 million site exposure

Supply Chain & Developer Tool Threats

node-ipc npm Backdoor (Versions 9.1.6, 9.2.3, 12.0.1)

Confirmed malicious versions of node-ipc contain a self-executing infostealer activated at module load time. The payload enumerates and exfiltrates credentials from 90 secret categories via DNS TXT records and HTTPS to a typosquatted Azure-themed C2. Version 12.0.1 uses SHA-256 hash gating to activate only in targeted environments. The npm account “atiertant” was used to publish the malicious versions. node-ipc is a transitive dependency of vue-cli and other widely used JavaScript frameworks. Any environment that ran these versions should be treated as fully compromised pending complete credential rotation.

Mini Shai-Hulud / Shai-Hulud: TanStack, Mistral AI, OpenAI, UiPath, Guardrails AI, OpenSearch

A broad campaign attributed to TeamPCP compromised 170+ npm and PyPI packages by stealing publication credentials from maintainer accounts. OpenAI developer devices were confirmed compromised. The Mistral AI SDK, TanStack query libraries, UiPath automation packages, Guardrails AI, and OpenSearch packages were all affected. Credential theft targets include CI/CD secrets, cloud provider keys, and code signing certificates. SafeDep has published package-level IOCs at https://safedep.io/mass-npm-supply-chain-attack-tanstack-mistral. OpenAI certificate invalidation scheduled for 2026-06-12 will break macOS/Windows/iOS/Android apps if not updated before that date.

Checkmarx Jenkins AST Plugin v2026.5.09 — Malicious Release on Official Marketplace

TeamPCP published a malicious version of the Checkmarx Jenkins AST Plugin (v2026.5.09) to the official Jenkins Marketplace on 2026-05-09, reusing Checkmarx’s publication credentials stolen during the March 2026 Trivy supply chain compromise. This is TeamPCP’s third confirmed supply chain strike. The malicious plugin can harvest pipeline credentials and execute arbitrary commands within Jenkins build contexts. All Jenkins instances that installed v2026.5.09 should treat build credentials as compromised.

Grafana Source Code Exfiltrated via Compromised GitHub Actions Token

The CoinbaseCartel threat actor exfiltrated Grafana source code by compromising a GitHub Actions personal access token with repository-read scope. The actor subsequently demanded ransom. This incident underscores that GitHub Actions tokens scoped beyond minimum requirements represent a significant supply chain attack surface. Organizations should immediately audit GitHub Actions workflow definitions for overly scoped tokens and migrate to short-lived OIDC-based authentication where supported.

GemStuffer: RubyGems Packages Weaponized as Dead-Drop Channels

A campaign designated GemStuffer weaponized legitimate RubyGems packages as dead-drop resolver infrastructure, using rubygems.org itself as a data staging and C2 relay. Targeted UK government public-facing servers running Ruby applications. Detection requires monitoring outbound HTTP connections from Ruby application runtime processes to rubygems.org outside scheduled build windows, which represents anomalous behavior. Organizations running Ruby in production should audit Gemfile.lock for packages published by unknown or recently created rubygems.org accounts.

JDownloader Official Website Compromise (May 6–7, 2026)

The official JDownloader distribution website (jdownloader.org) served trojanized Windows and Linux installers during May 6–7, 2026, containing a Python-based remote access trojan (RAT). Any system where JDownloader was downloaded or installed during this two-day window should be isolated and forensically triaged. The RAT establishes persistence via system service creation and communicates via obfuscated HTTP channels. File hash IOCs for the trojanized installers have not been publicly confirmed at time of writing.

Nation-State & APT Activity Summary

Russia — Secret Blizzard (Turla / FSB)

Attribution: FSB-linked, MITRE Group G0010 (Turla). Campaign: Rebuilt Kazuar malware deployed as autonomous P2P botnet with leader election and 150-option defensive instrumentation evasion. Targets: Historical pattern: government, diplomatic, defense sectors in Europe, Central Asia, and Ukraine. TTPs: EWS-based C2 (T1071.003), Named Pipe lateral communication (T1090.001), AMSI/ETW bypass (T1562.001, T1562.006), process injection (T1055), keylogging (T1056.001), screen capture (T1113), remote email collection (T1114.002), multi-hop proxy (T1090.003). IOCs: Retrieve from Microsoft’s published blog: https://www.microsoft.com/en-us/security/blog/2026/05/14/kazuar-anatomy-of-a-nation-state-botnet/.

Russia — FrostyNeighbor (Belarusian APT)

Attribution: Belarusian state-nexus, newly identified cluster. Campaign: Pre-screening espionage campaign using tracking-pixel document lures for target fingerprinting. Targets: Polish and Ukrainian government organizations. TTPs: T1593 (OSINT), T1566.001 (spearphishing attachment), T1598 (phishing for information), T1589 (victim identity gathering), T1592 (host information gathering), T1056 (input capture post-access). IOCs: None confirmed in public sources; monitor CERT Polska.

North Korea — TraderTraitor / Lazarus Group / FAMOUS CHOLLIMA (DPRK)

Attribution: Korean People’s Army (KPA) RGB, multiple sub-groups. Campaign: $2.02 billion in cryptocurrency theft in 2025-2026; simultaneous IT worker insertion into financial sector firms for intelligence collection and financial access. Targets: Cryptocurrency exchanges, fintech platforms, traditional banks; global with emphasis on US and Asian markets. TTPs: T1195.002 (software supply chain), T1566 (phishing), T1078 (valid accounts), T1574.001 (DLL hijacking), T1550.001 (pass the cookie), T1657 (financial theft), T1656 (impersonation for IT worker insertion). IOCs: Consult CrowdStrike Falcon Intelligence or contracted TI feed for current indicators.

China — MURKY PANDA (APT)

Attribution: PRC state-nexus. Campaign: Espionage against Microsoft 365 environments in financial sector, targeting mailboxes, SharePoint, and OneDrive for sensitive business and customer data. Targets: Financial institutions, insurance entities operating in Microsoft 365. TTPs: T1114.002 (remote email collection), T1539 (session cookie theft), T1550.001 (pass the cookie via application access token), T1087.001 (account discovery), T1567 (exfiltration over web service). Detection: Microsoft 365 Unified Audit Log for anomalous FileAccessed events; Graph API access with Python/PowerShell user-agents from unexpected IPs.

Iran — Pro-Iran Hacktivist Group (eBay Claim)

Attribution: Pro-Iran hacktivist group (specific group unconfirmed in sourced reporting). Campaign: Claimed cyber attack against eBay; platform scope unconfirmed. Targets: Western commercial platforms. TTPs: T1586 (compromise accounts), T1498 (network denial of service). Assessment: Unverified claim at time of writing. No confirmed IOCs or official eBay statements available. Do not act on unverified reporting; set re-evaluation trigger if primary source confirmation is published.

Multiple Nation-State Actors — AI-Assisted Zero-Day Development (GTIG)

Attribution: PRC-nexus, DPRK-nexus, and Russia-nexus actors documented by Google Threat Intelligence Group (GTIG) as using LLMs (including Gemini) for vulnerability research, exploit development, spearphishing content generation, and translation services. Campaign: Industrialized offensive AI operations including the first confirmed AI-generated zero-day (OFTP and TP-Link firmware). TTPs: T1588.006, T1587.001, T1587.004, T1620 (PromptFlux variant autonomous malware), T1556 (2FA bypass development). IOCs: Refer to GTIG blog at cloud.google.com/blog/topics/threat-intelligence/ for published indicators.

Phishing & Social Engineering Alert

BlackFile / UNC6671 — Vishing + AiTM MFA Bypass

Active Campaign: UNC6671 (BlackFile) is conducting targeted vishing calls against corporate employees, impersonating IT helpdesk and security teams. The calls social-engineer victims into approving MFA push notifications or providing OTP codes, which the attacker uses in real-time through an AiTM proxy to harvest valid session tokens for Microsoft 365, Okta, Salesforce, Zendesk, and ServiceNow.

Attack Characteristics: Calls use caller ID spoofing to display internal helpdesk numbers. Conversation script references plausible IT scenarios (security alert, required MFA re-enrollment, suspicious login from the user’s account). Attack is timed to compress victim response — the caller stays on the line while the victim approves the MFA push.

Evasion Techniques: No malware deployed; attack relies entirely on legitimate session tokens. Standard endpoint detection is ineffective. The group exploits differences in Microsoft 365 audit log event classification (FileAccessed vs. FileDownloaded) to evade standard exfiltration detection rules.

Detection Guidance: Alert on MFA push approval from a different IP or device fingerprint than the challenged session (Okta System Log). Monitor Microsoft 365 Unified Audit Log for FileAccessed event volume spikes (3x-5x normal volume in 60 minutes) from a single user combined with Graph API access via Python or PowerShell user-agents. Build SIEM correlation: FileAccessed events per session exceeding threshold, cross-referenced against sign-in risk score in Entra Identity Protection.

Mitigation: Enforce phishing-resistant MFA (FIDO2/passkeys) for all critical users. Eliminate SMS and voice call MFA fallback paths. Train help desk staff that no legitimate IT process requires users to approve MFA pushes during an unsolicited inbound call.

DPRK IT Worker Social Engineering — Job Application and Contractor Insertion

FAMOUS CHOLLIMA (DPRK) has operationalized a systematic approach to insider threat through fraudulent employment. Operatives create convincing professional profiles (LinkedIn, GitHub, professional portfolios) and apply for remote contractor and full-time developer positions at financial firms and technology companies. Once hired, they perform their assigned work while simultaneously exfiltrating sensitive data. Detection requires HR and onboarding process controls, not security tooling alone: enhanced identity verification for remote employees, behavioral monitoring for new hires who rapidly access sensitive financial systems or bulk-transfer internal data, and VPN/device registration anomaly detection (DPRK operatives commonly use residential VPN exit nodes that resolve to cloud-hosted infrastructure).

Indicators of Compromise

Type Value Confidence Context / Campaign
IP Address 194.87.92[.]109 Medium Gremlin Stealer C2 — zero VirusTotal detections at initial discovery per Unit 42; defanged for safety; block at perimeter firewall and DNS sinkholes
npm Package node-ipc@9.1.6 High Confirmed malicious version — credential-harvesting backdoor with DNS TXT exfiltration; do not install or retain
npm Package node-ipc@9.2.3 High Confirmed malicious version — credential-harvesting backdoor with DNS TXT exfiltration
npm Package node-ipc@12.0.1 High Confirmed malicious version — SHA-256 hash-gated payload for targeted activation; DNS TXT exfiltration
Jenkins Plugin checkmarx-ast-scanner v2026.5.09 High Malicious Jenkins Marketplace release published 2026-05-09 using stolen Checkmarx credentials; TeamPCP supply chain campaign
URL Pattern /agents (PraisonAI Flask API endpoint) High CVE-2026-44338 — unauthenticated access exposes AI workflow configuration; unauthenticated POST/GET requests are exploitation indicators
URL Pattern /chat (PraisonAI Flask API endpoint) High CVE-2026-44338 — unauthenticated POST triggers agents.yaml workflow execution; primary exploitation path
Tool Certify.exe leveraged via AD CS enrollment API to enumerate misconfigured certificate templates (ESC1) for privilege escalation High AD CS exploitation campaign — reconnaissance phase tool; presence on endpoints without authorized red team activity is suspicious
Tool Certipy leveraged via AD CS template enrollment to forge Kerberos authentication certificates for domain privilege escalation High AD CS exploitation campaign — Python-based exploitation tool for ESC1 and shadow credential attacks
Tool PKINITtools leveraged via Kerberos PKINIT to obtain TGTs impersonating privileged domain accounts High AD CS exploitation campaign — post-certificate-issuance lateral movement enabling pass-the-ticket attacks
File Extension .rex48 Medium Rex ransomware — file extension appended to encrypted files; behavioral indicator only; not a network IOC
URL / Web Path GTM-[unrecognized container ID] in WooCommerce checkout source Medium FunnelKit card skimmer campaign — skimmer scripts disguised as Google Tag Manager entries; any GTM container ID not in your GTM account is likely IOC
Domain Pattern .ton TLD / TON blockchain DNS namespace Medium TrickMo Android banking trojan — uses TON blockchain DNS for C2; block .ton resolution at perimeter
URL (Primary Intel Source) https://safedep.io/mass-npm-supply-chain-attack-tanstack-mistral Medium SafeDep published package-level IOCs for Mini Shai-Hulud supply chain campaign; validate content before operationalizing
URL (Primary Intel Source) https://www.microsoft.com/en-us/security/blog/2026/05/14/kazuar-anatomy-of-a-nation-state-botnet/ High Microsoft primary analysis of Kazuar P2P botnet; published IOC list including hashes, domains, and IPs for Secret Blizzard campaign
URL (Public PoC) https://github.com/DepthFirstDisclosures/Nginx-Rift Medium Public proof-of-concept for CVE-2026-42945 NGINX heap overflow; treat inbound connections from IPs scanning for NGINX vulnerable paths with elevated suspicion
Azure RBAC Role Azure Backup for AKS service identity / Backup Contributor role High Azure AKS Confused Deputy — Backup Contributor role abused as Confused Deputy mechanism for cluster-admin binding; any identity holding this role should be audited

Helpful 5: High-Value Low-Effort Mitigations

1. Enable EEMS on All On-Premises Exchange Servers Today

Why: CVE-2026-42897 is an actively exploited Exchange XSS zero-day with a CISA KEV deadline of 2026-05-29. No formal patch exists at time of writing. EEMS is Microsoft’s built-in automated mitigation delivery mechanism and represents the only available vendor-endorsed remediation.

How:

  1. On each Exchange server, run: Get-ExchangeDiagnosticInfo -Server -Process MSExchangeHMWorker -Component EEMSAgent
  2. If EEMS reports it is not connected, run the Exchange Health Manager restart: Restart-Service MSExchangeHM
  3. Verify connectivity to Microsoft’s mitigation feed: Test-NetConnection -ComputerName officeclient.microsoft.com -Port 443
  4. Confirm the mitigation was applied by re-running the DiagnosticInfo command and checking the LatestMitigationsApplied output
  5. As additional defense: restrict OWA to VPN-only access at the firewall level

Framework Alignment: NIST CSF RS.MI-01, NIST 800-53 SI-2 (Flaw Remediation), CIS v8 Control 7.4 (Application Patch Management)

2. Rotate All CI/CD and Package Registry Credentials

Why: The node-ipc compromise, Mini Shai-Hulud campaign, Checkmarx Jenkins plugin attack, and Grafana breach all exploited CI/CD pipeline credentials or npm/PyPI publication tokens. This credential category is under active, sustained attack from multiple threat actor groups simultaneously this week.

How:

  1. Audit all GitHub Actions workflow files for hardcoded tokens or overly scoped personal access tokens
  2. In GitHub: Settings → Developer Settings → Personal Access Tokens — revoke any with repo-read or write scope not actively required
  3. For npm: run npm token list and revoke all tokens not required for active CI pipelines; issue new tokens with minimum scope
  4. Replace long-lived tokens with short-lived OIDC-based authentication for GitHub Actions where the repository/workflow supports it
  5. Enable GitHub Advanced Security secret scanning (free for public repositories; included in GHAS for private) to detect future secrets committed to source

Framework Alignment: NIST 800-53 SR-3 (Supply Chain Controls), NIST 800-53 IA-5 (Authenticator Management), CIS v8 Controls 6.1, 6.2 (Access Granting/Revoking Process)

3. Block node-ipc Malicious Versions and Audit npm Dependency Trees

Why: Three confirmed malicious node-ipc versions (9.1.6, 9.2.3, 12.0.1) are in active distribution. node-ipc is a transitive dependency of vue-cli and other widely used frameworks, meaning exposure may exist without any direct reference in your package.json. Credential exfiltration is silent and may have already occurred in your environment.

How:

  1. Run npm list node-ipc or npm ls node-ipc --all across all repositories and CI/CD runners
  2. Also check: find . -path "*/node_modules/node-ipc/package.json" -exec grep '"version"' {} \; for container image auditing
  3. In package.json, add a resolutions override (yarn) or overrides (npm 8.3+): "node-ipc": ">=9.3.0" to force safe version resolution
  4. Enforce npm ci (not npm install) in all CI/CD pipelines to enforce lockfile integrity
  5. If any malicious version was executed: treat environment as compromised and rotate all accessible credentials

Framework Alignment: NIST 800-53 SR-3 (Supply Chain Controls), NIST 800-53 SI-7 (Software Integrity), CIS v8 Controls 2.5, 2.6 (Allowlist Authorized Software/Libraries)

4. Enforce Phishing-Resistant MFA and Eliminate OTP Fallback Paths

Why: BlackFile/UNC6671’s AiTM campaign, DPRK’s MFA fatigue attacks (T1621), and Scattered Spider’s help desk social engineering all bypass SMS/push-based MFA. This week’s financial sector intelligence confirms these are not theoretical threats — they are the primary initial access vector for $2.02 billion in confirmed DPRK theft this year alone.

How:

  1. In Microsoft Entra ID: Authentication Policies → Require FIDO2 Security Key or Certificate-Based Authentication for all privileged and finance-role accounts
  2. Create a Conditional Access policy that blocks authentication methods with phishing risk (SMS, voice call) for M365 apps handling sensitive financial data
  3. For Okta: disable phone/SMS as fallback methods in the Authenticator enrollment policy; enforce Okta FastPass without OTP fallback for admin accounts
  4. Alert on T1621 patterns: five or more MFA push requests within 10 minutes for a single account
  5. Train help desk staff that approving MFA pushes during unsolicited inbound calls is a known attack vector; establish callback verification procedures

Framework Alignment: NIST 800-53 IA-2 (Identification and Authentication), NIST CSF PR.AC-1, CIS v8 Controls 6.3, 6.4, 6.5 (MFA Requirements)

5. Deploy Behavioral Detection Rules for AD CS Template Abuse

Why: Unit 42 published a detailed five-phase exploitation lifecycle this week documenting AD CS ESC1 template abuse and shadow credential attacks enabling domain compromise. This attack path is actively exploited by both ransomware operators (pre-deployment) and nation-state actors, and is invisible to password-based detection because it never touches a password.

How:

  1. Enable LDAP auditing on domain controllers (Security Policy → Audit Directory Service Access)
  2. In Sysmon, add rules for Event ID 13 (RegistryValueSet) targeting HKLM\SYSTEM\CurrentControlSet\Control\Lsa\PasswordFilters and NetworkProvider\Order — changes to these keys should be extremely rare
  3. Query Active Directory Certificate Services enrollment log (Event IDs 4886, 4887) for certificate requests where the Subject Alternative Name differs from the requester’s identity
  4. Alert on writes to the msDS-KeyCredentialLink attribute on user or computer objects (Security Event ID 5136 with attribute name matching)
  5. Run PSPKIAudit or Certify.exe in audit mode against your CA to enumerate ESC1-ESC8 misconfigurations in certificate templates; remediate permissive enrollment ACLs

Framework Alignment: NIST 800-53 AC-3 (Access Enforcement), NIST 800-53 IA-5 (Authenticator Management), CIS v8 Controls 5.4, 6.8 (Restrict Administrator Privileges / RBAC)

Framework Alignment Matrix

Threat MITRE Tactic MITRE Technique NIST 800-53 Controls CIS v8 Controls
CVE-2026-42897 Exchange XSS (Active Exploitation) Initial Access, Execution T1189, T1059.007, T1185 SI-2, SI-3, SI-10, SC-7 7.4, 16.10
CVE-2026-20182 Cisco SD-WAN Auth Bypass (CVSS 10.0) Initial Access, Persistence T1190, T1078, T1556, T1133 AC-17, IA-2, IA-5, SI-2 6.3, 6.5, 7.3, 7.4
Kazuar P2P Botnet (Secret Blizzard / Turla) C2, Defense Evasion, Collection T1071.003, T1055, T1562.001, T1114.002, T1568 AC-6, SC-7, SI-3, SI-4, CA-7 6.3, 8.2
node-ipc Supply Chain Backdoor Initial Access, Credential Access, Exfiltration T1195.001, T1552.001, T1552.004, T1048.003, T1071.004 SR-3, SI-7, IA-5, CA-7 2.5, 2.6, 15.1
DPRK Financial Theft (TraderTraitor / FAMOUS CHOLLIMA) Initial Access, Defense Evasion, Impact T1195.002, T1566, T1078, T1574.001, T1657, T1621 AT-2, CA-7, SR-2, SR-3, IA-2 6.3, 6.4, 6.5, 14.2
BlackFile / UNC6671 AiTM Vishing Campaign Credential Access, Collection, Exfiltration T1566.004, T1621, T1539, T1557, T1567.002 IA-2, IA-5, AC-17, AT-2 6.3, 6.5, 14.2
AD CS ESC1 / Shadow Credential Exploitation Credential Access, Persistence T1649, T1558, T1550.003, T1136 AC-2, AC-3, IA-2, IA-5, CM-7 5.4, 6.8, 3.3
Azure Backup AKS Confused Deputy Privilege Escalation Privilege Escalation, Defense Evasion T1548, T1078.004, T1098.003, T1134 AC-6, AC-3, CM-6 3.3, 5.4, 6.8
Pwn2Own Berlin 2026 (Exchange RCE Chain) Execution, Privilege Escalation, Lateral Movement T1203, T1068, T1210, T1611 SI-2, SI-16, CA-8, RA-5 7.3, 7.4, 16.10
FunnelKit WooCommerce Card Skimmer (Active) Initial Access, Execution, Collection T1190, T1059.007, T1056.003, T1565.002 SI-2, SI-10, AC-3, CM-3 7.4, 16.10, 8.2
Prompt Injection Against Kubernetes LLM Workloads Execution, Credential Access, Lateral Movement T1059, T1190, T1552, T1611, T1602 AC-6, SI-10, SI-4, CA-8 16.10, 8.2
CVE-2026-42945 NGINX Heap Overflow (Public PoC) Initial Access, Execution, Privilege Escalation T1190, T1203, T1068 SI-2, SI-16, AC-6, SC-7 7.3, 7.4, 16.10
MURKY PANDA M365 Espionage Collection, Defense Evasion, Exfiltration T1114.002, T1539, T1550.001, T1567 AC-2, IA-2, CA-7, SI-4 6.3, 6.4, 6.5, 8.2
Nitrogen Ransomware (Foxconn, PSB, Grupo 55) Initial Access, Impact, Exfiltration T1189, T1486, T1490, T1041, T1195 CP-9, CP-10, SC-7, SI-4, SR-2 15.1, 7.3, 7.4

Upcoming Security Events & Deadlines

CISA KEV Remediation Deadlines

  • 2026-05-17 (PAST DUE): CVE-2026-20182 — Cisco Catalyst SD-WAN Authentication Bypass (CVSS 10.0). If not remediated, escalate immediately to CISO with documented risk acceptance or emergency change.
  • 2026-05-29: CVE-2026-42897 — Microsoft Exchange XSS Zero-Day. EEMS mitigation must be deployed and verified. Formal patch expected via June Patch Tuesday; deploy immediately upon release.
  • CVE-2026-32661 (Canon GUARDIANWALL) and CVE-2026-8181 (Burst Statistics) and CVE-2026-44338 (PraisonAI) are on KEV; remediation deadlines not published in available source data — treat as 21-day standard federal deadline from KEV addition date.

Patch Tuesday

  • 2026-06-09 (Second Tuesday of June): Next Microsoft Patch Tuesday. Expected to include formal patches for CVE-2026-42897 (Exchange) and CVE-2026-40361 (Outlook zero-click). Verify against MSRC update guide at https://msrc.microsoft.com/update-guide/ upon release.

Vendor Deadlines

  • 2026-06-12: OpenAI macOS, Windows, iOS, and Android application certificate invalidation deadline. Applications not updated before this date will fail to connect. All organizations with OpenAI applications deployed must ensure updates are applied before this date.
  • Ongoing: Cisco SD-WAN Manager patches (advisory cisco-sa-sdwan-mltvnps2-JxpWm7R) for CVE-2026-20224, CVE-2026-20209, CVE-2026-20210 — apply immediately per advisory.
  • Ongoing: ZDI 90-day embargo for Pwn2Own Berlin 2026 findings. CVE assignments and formal patches expected beginning August 2026. Monitor ZDI advisories at zerodayinitiative.com.

Security Events

  • 2026-06 (Ongoing): DEF CON 34 — Las Vegas. Anticipate publication of additional research on AD CS exploitation, AI-assisted offensive tooling, and OT/ICS RF attack techniques following this week’s reporting trends.
  • CrowdStrike 2026 Global Threat Report and Financial Services Threat Landscape Report: Full reports with complete IOC sets are published at crowdstrike.com; retrieve and ingest IOCs into SIEM/TIP if licensed.

Sources

Section 1 — Executive Summary / Section 3 — Key Security Stories

Section 4 — CVE Table

Section 5 — Supply Chain Threats

Section 6 — Nation-State Activity

Section 7 — Phishing & Social Engineering

Sections 9–10 — Mitigations and Framework Alignment

Section 11 — Events and Deadlines

Author

Tech Jacks Solutions

Leave a comment

Your email address will not be published. Required fields are marked *