Gallery

Contacts

405 W. Greenlawn Ave Lansing, Michigan 48910

contact@techjacksolutions.com

+1-616-320-4064

Twitter Facebook-f Pinterest-p Instagram

Weekly Security Intelligence Briefing — Week of 2026-06-01

Briefing
og security news briefs
_ _ Tech Jacks Solutions_ 0 Comments

Executive Summary

The week of June 1, 2026 presents an elevated threat posture across every major attack surface. The SCC pipeline processed 50 intelligence items this week, identifying 6 critical CVEs (CVSS 9.0+), 4 CISA KEV additions, and 14 active campaigns spanning nation-state espionage, software supply chain compromise, ransomware pre-staging, and large-scale data breaches affecting over 30 million individuals. The dominant theme is convergence: supply chain attacks against developer toolchains (npm, PyPI, IDE extensions, CI/CD pipelines), nation-state operations using living-off-the-land techniques and legitimate tool abuse, and a rapid evolution in phishing-as-a-service platforms that now bypass MFA in real time and monetize stolen payment cards through digital wallet tokenization. The Glassworm botnet takedown exposed the developer supply chain as the highest-value, least-defended attack surface in enterprise environments. Three coordinated npm campaigns—vpmdhaj, Megalodon, and a broader 47-package operation—harvested AWS credentials, HashiCorp Vault tokens, GitHub Actions secrets, and CI/CD pipeline keys at scale. Fox Tempest’s dismantled Malware-as-a-Service operation used Microsoft-signed binaries to deliver Rhysida ransomware, Lumma Stealer, and Vidar. Iranian APT Screening Serpens deployed six new RAT variants against US, Israeli, and UAE defense and aerospace targets. Critical infrastructure received 11 new CISA ICS advisories. Organizations operating WordPress at scale, running Gradio AI inference on Windows, deploying Magento with Mirasvit extensions, or maintaining Azure Linux container infrastructure face immediate patching obligations. The week’s highest-priority single action: audit every npm dependency installed between May 20–29, 2026 and rotate any credentials accessible from affected CI/CD environments.

Critical Action Items

  1. npm Supply Chain Compromise (vpmdhaj / Megalodon / 47-Package Campaign) — Immediate: Audit all npm install logs from May 20–29, 2026. Cross-reference against the 47 malicious packages documented in Microsoft Threat Intelligence reports (May 20, 28, 29 advisories). Revoke and rotate all AWS IAM keys, HashiCorp Vault tokens, GitHub Actions secrets, and npm publish tokens accessible from any affected CI/CD runner or developer workstation. Isolate runners pending credential audit. Block public registry resolution for internal package scopes; enforce private registry proxying.
  2. CVE-2026-8732 — WP Maps Pro Unauthenticated Admin Creation (CVSS 9.5, Actively Exploited): Upgrade WP Maps Pro to version 6.1.1 immediately. Block unauthenticated POST requests to wp-admin/admin-ajax.php at WAF. Query WordPress user tables for administrator accounts created after plugin installation with no content history. Rotate all admin credentials.
  3. CVE-2026-28414 — Gradio Absolute Path Traversal on Windows, CISA KEV (CVSS 7.5, EPSS 89th percentile): Upgrade Gradio to version 6.7+ on all Windows hosts running Python 3.13+. Restrict inbound network access to Gradio endpoints immediately. Search HTTP access logs for requests to /windows/win.ini or /windows/system32/. Rotate any credentials accessible from the server filesystem.
  4. CVE-2026-45247 — Mirasvit Full Page Cache Warmer PHP Object Injection, CISA KEV (CVSS 9.8): Upgrade Mirasvit Full Page Cache Warmer to version 1.11.12+ on all Magento 2 instances. If immediate upgrade is not possible, configure WAF to block requests with serialized PHP object patterns in the CacheWarmer cookie. Search application logs for CacheWarmer=O%3A patterns.
  5. CVE-2026-45321 — TanStack npm Supply Chain, CISA KEV (CVSS 9.3, KEV Deadline 2026-06-10): Halt automated TanStack dependency updates immediately. Cross-reference installed versions against CISA KEV entry. Revoke all credentials accessible from environments where TanStack packages were installed. Verify against NVD entry CVE-2026-45321 for patched version confirmation before reintroducing the dependency.
  6. CVE-2026-2441 — Chrome 148 RCE, Actively Exploited (CVSS 9.5, EPSS 96th percentile): Push Chrome 148.0.7778.96 or later to all enterprise endpoints immediately via automated patch management (CIS 7.4). Do not wait for standard patch cycle. Verify deployment via EDR fleet query. Alert on Chrome renderer processes spawning unexpected child processes.
  7. Fox Tempest Malware-as-a-Service — Microsoft-Signed Malware (Critical): Query EDR and AV for binaries signed by Microsoft certificates issued May 2025–May 2026 that appear on the revocation list published in Microsoft’s May 19, 2026 Fox Tempest disclosure. Isolate any hosts where revoked-certificate binaries executed. Hunt for Rhysida (.rhysida extension, VSS deletion), Lumma Stealer (browser credential store access), and Vidar indicators. Retrieve full IOC list directly from: https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/
  8. Kimsuky VS Code Tunnel Abuse and Six New RAT Variants (Nation-State, High Priority): Block outbound connections to *.trycloudflare.com and VS Code tunnel endpoints (vscode.dev, tunnel.azurefd.net) from non-developer endpoints. Audit VS Code-family extension installations on all developer workstations. Alert on DWAgent (dwagent.exe, dwagsvc.exe) processes not in authorized software inventory. Disable VS Code Remote Tunneling via Group Policy where not required.

Key Security Stories

Glassworm Botnet Dismantled: Developer Supply Chain Confirmed as Highest-Value Attack Surface

CrowdStrike, Google, and Shadowserver jointly dismantled the Glassworm botnet, a sophisticated operation targeting developers through malicious IDE extensions distributed via OpenVSX and trojanized packages across npm and PyPI. The botnet infected environments running VSCode, Cursor, Positron, Windsurf, and VSCodium on Windows, macOS, and Linux. GlasswormRAT established persistence via four distinct command-and-control channels and used dynamic DNS resolution (T1568) to maintain C2 connectivity. The campaign delivered credential-stealing payloads targeting browser password stores, SSH keys, and secrets accessible from developer workstations and CI/CD pipeline runners.

The significance of Glassworm extends beyond its immediate payload. It demonstrated that the developer workstation is now a primary attack vector for reaching production infrastructure — an attacker who compromises a developer’s IDE gains access to every repository, CI/CD secret, cloud credential, and signing key that developer touches. Specific IDE targets included Cursor, Positron, Windsurf, and VSCodium, each with extension ecosystems that lack the verification rigor of the official Microsoft Marketplace. Obfuscated JavaScript payloads (T1027) evaded standard malware scanning, and fast-flux DNS (T1568.001) made infrastructure takedown difficult.

Specific IOC values (hashes, domains, IPs) were not confirmed in available source data at analysis time. Validate against CrowdStrike’s official technical reporting before operationalizing IOC-based detections. Immediate actions: audit all IDE extension installations via code --list-extensions, purge unapproved extensions, re-provision compromised developer environments from clean images, and rotate all credentials accessible from affected workstations. Sources: CrowdStrike blog, The Hacker News campaign coverage (May 30, 2026).

Coordinated npm Supply Chain: 47 Malicious Packages Harvest CI/CD Credentials Across Three Campaigns

Three related npm supply chain campaigns identified between May 20–29, 2026 collectively deployed 47 malicious packages targeting AWS credentials, HashiCorp Vault tokens, GitHub Actions secrets, and npm publish tokens. Campaign 1 (33 packages, dependency confusion, May 29) used internal enterprise package name spoofing to hijack dependency resolution in organizations with public package registries. Campaign 2 (14 packages, typosquatting, May 28) targeted cloud and CI/CD credential theft via packages published by threat actor aliases mr.4nd3r50n, ce-rwb, t-in-one, and vpmdhaj. Campaign 3 (compromised @antv publisher account, May 20) injected malicious payloads into trusted packages after compromising the publisher account. All three campaigns used obfuscated JavaScript payloads, lifecycle hook abuse (postinstall scripts), and direct AWS IMDS endpoint queries (169.254.169.254) to harvest EC2 instance credentials.

The vpmdhaj campaign (Campaign 2) demonstrated particularly sophisticated tradecraft: a two-stage payload where stage one profiled the victim environment and stage two delivered targeted credential harvesting based on what cloud platforms and secrets managers were detected. The Bun JavaScript runtime was used as an evasion vehicle for Microsoft Defender detection. The @antv publisher account compromise (Campaign 3, “Mini Shai-Hulud”) is especially concerning because it weaponized a trusted, widely-used npm scope — organizations that allowlisted @antv packages by publisher reputation rather than by hash were fully exposed.

Full package name lists are documented in the three Microsoft Threat Intelligence reports: May 20, May 28, and May 29, 2026. Retrieve IOC tables directly from Microsoft’s security blog. The due date for all remediations is immediate — credentials accessible from affected environments should be treated as compromised regardless of confirmation. Sources: Microsoft Security Blog (three separate reports, May 2026), SafeDep threat intelligence.

Fox Tempest Dismantled: Microsoft-Signed Malware-as-a-Service Operation Delivered Rhysida, Lumma, and Vidar

Microsoft disclosed the takedown of Fox Tempest, a Malware-as-a-Service operation that abused Microsoft’s code signing infrastructure to deliver malware with valid Authenticode signatures. The operation signed Rhysida ransomware, Lumma Stealer, and Vidar deployments with legitimate Microsoft certificates, allowing them to bypass security controls that treat signed binaries as implicitly trusted. The signing abuse window spanned approximately May 2025 through May 2026. Microsoft published certificate thumbprints and binary hashes associated with Fox Tempest-signed malware in their May 19, 2026 disclosure.

The business impact is severe: signed malware bypasses application allowlisting controls, endpoint detection based on certificate trust, and many enterprise DLP and EDR policies that treat Microsoft-signed binaries as safe. Lumma Stealer and Vidar both target browser credential databases (Chrome Login Data, Edge, Firefox), cryptocurrency wallet files, and session cookies. Rhysida ransomware follows credential theft with bulk encryption and ransom demands. The combination — steal credentials first, encrypt later — gives attackers both extortion leverage and persistent access via harvested credentials even after decryption.

Detection pivot: Windows Event ID 4688 (process creation) combined with certificate thumbprint matching from Microsoft’s revocation list. Also hunt for Rhysida-specific artifacts: mass file rename events with .rhysida extension, vssadmin.exe delete shadows, and dropped HTML ransom notes. For Lumma/Vidar: alert on non-browser processes accessing Chrome SQLite credential databases. Full IOC list available at: https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/. Source: Microsoft Security Blog, May 19, 2026.

Iranian APT Screening Serpens Deploys Six New RAT Variants Against US, Israel, and UAE Defense/Aerospace Sectors

Palo Alto Networks Unit 42 identified an active campaign by Iranian APT Screening Serpens (linked to UNC1549 / TEMP.Zagros tradecraft) deploying six previously undocumented remote access tool variants against organizations in the defense, aerospace, technology, and critical infrastructure sectors in the United States, Israel, and the United Arab Emirates. The campaign uses job-offer lures delivered via spearphishing attachments and LinkedIn-equivalent platforms (T1566.001), with delivery beginning as early as February 2026. Initial access is achieved via document-based execution leading to scripting interpreter chains (T1059). The actor abuses legitimate cloud platforms including Microsoft OneDrive and Dropbox as command-and-control relay points (T1102), a technique that complicates detection because C2 traffic is indistinguishable from legitimate cloud sync traffic at the network layer.

The six new RAT variants share characteristic behaviors with prior UNC1549 tooling: masquerading file extensions (T1036), obfuscated command execution (T1027), and web protocol-based C2 (T1071.001). Valid account abuse (T1078) is used post-initial-access for persistence and lateral movement. The targeting of defense, aerospace, and critical infrastructure aligns with Iran’s documented intelligence collection priorities. Organizations in these sectors should treat this as an active, targeted threat requiring immediate hunting, not just indicator-based blocking.

Specific IOC hashes, domains, and IPs for the six RAT variants were not confirmed from available data at analysis time. Subscribe to Palo Alto Networks Unit 42 Threat Intelligence portal for IOC release. Hunt using behavioral indicators: email gateway search for job-themed lures targeting engineering/executive roles; EDR hunt for scripting interpreter execution from document viewer parent processes; network-layer detection for non-browser HTTPS to OneDrive/Dropbox from workstations in sensitive business units. Source: Unit 42 Threat Intelligence, May 30, 2026.

Kimsuky Nation-State Group Expands Arsenal: VS Code Tunnel Abuse, LLM-Assisted Malware, and Real-Time Infection Verification

North Korean-attributed threat actor Kimsuky significantly expanded its operational toolkit in campaigns observed through May 2026. Key innovations include the abuse of VS Code Remote Tunneling as a covert C2 channel (T1572), use of Cloudflare Quick Tunnels (*.trycloudflare.com) as additional C2 infrastructure (T1090.003), and deployment of a “JSONPing” infection verification mechanism — periodic low-volume JSON-formatted HTTP POST requests confirming victim infection status. The actor deploys three new malware families: HelloDoor, HttpMalice, and HTTPSpy, the latter compiled in Rust for cross-platform capability and evasion. LLM assistance is evidenced in malware code quality improvements, suggesting AI-assisted development of implants.

Initial access uses spearphishing with spoofed Cisco Webex, nProtect Online Security, and AhnLab Safe Transaction installers delivered via South Korean B2B messaging platforms (T1566.001, T1566.002). The DWAgent commercial remote access tool is abused as an additional persistence and access mechanism (T1219). Keylogging (T1056.001) and screen capture (T1113) are confirmed collection capabilities. Persistence is established via Windows Scheduled Tasks (T1053.005) and obfuscated command execution (T1027, T1027.010). The campaign targets organizations with ties to South Korea but has global implications given Kimsuky’s history of targeting think tanks, government entities, and defense contractors outside the Korean Peninsula.

Specific detection priorities: block *.trycloudflare.com and VS Code tunnel endpoints at perimeter for non-developer assets; alert on DWAgent process execution not in authorized software inventory; hunt for Rust-compiled executables with high entropy in user-writable directories; query email gateways for Webex/nProtect/AhnLab-named attachments from external senders. Sources: The Hacker News (May 29, 2026), Darktrace campaign analysis blog.

Charter Communications Breach: ShinyHunters Uses Vishing to Compromise Microsoft Entra and Exfiltrate Salesforce CRM Data for 4.9 Million Accounts

ShinyHunters compromised Charter Communications (Spectrum) through a vishing attack targeting IT/help desk staff, gaining access to Microsoft Entra identity platform credentials and subsequently exfiltrating data from Salesforce CRM. Approximately 4.9 million customer accounts were affected, with some reports citing up to 13 million depending on the scope of Salesforce data included. The breach methodology is a now-established ShinyHunters pattern: phone-based social engineering to manipulate MFA enrollment or identity reset workflows, leveraging the human layer to bypass technical controls. Charter is the second major telecom breach reported this week; a separate, earlier ShinyHunters report covered the same organization with slightly different victim count estimates, suggesting ongoing data publication.

The Salesforce exfiltration component (T1213, T1530) is the critical intelligence point. ShinyHunters accessed bulk CRM records containing customer PII, account data, and potentially service configuration. The combination of telecom customer data (name, address, phone number, account number) with Salesforce-stored interaction history creates high-quality datasets for spearphishing and SIM-swapping attacks. Organizations with Salesforce deployments and any Microsoft Entra integration should treat this as a threat model update, not just a third-party breach notification.

Immediate detection actions: query Microsoft Entra sign-in logs for new MFA method registrations, impossible travel events, and OAuth grants during March–April 2026; review Salesforce Login History for accounts accessing abnormal record volumes; implement out-of-band verification requirements for any identity reset initiated via phone. Note: Worth noting this touches regulatory reporting obligations — organizations holding Spectrum customer data for any business purpose may have breach notification considerations under applicable state privacy laws and should verify with legal counsel. Sources: BleepingComputer, SecurityWeek (May 29–31, 2026).

Carnival Corporation Data Breach: ShinyHunters Claims 6 Million Records; Fourth Breach in Seven Years

ShinyHunters published data allegedly stolen from Carnival Corporation, affecting approximately 6 million customer and employee records. The breach method aligns with ShinyHunters’ documented tradecraft: valid account abuse (T1078), cloud storage data collection (T1530), and exfiltration over web services (T1567). Carnival has experienced four significant security incidents in seven years, establishing a pattern of recurring compromise that warrants a formal third-party security program assessment beyond standard incident response. The stolen data includes personal customer and employee records with potential identity theft and spearphishing downstream risk.

No confirmed technical IOCs (IPs, domains, hashes) have been publicly released for this incident. Detection should focus on downstream threat indicators: monitor authentication logs for credential stuffing targeting externally exposed customer portals, flag inbound phishing emails referencing Carnival, Princess, Holland America, or other Carnival brand lures targeting employees, and review cloud storage access logs (AWS CloudTrail, Azure Monitor) for bulk GetObject operations in the 90 days prior to disclosure. Sources: primary reporting pending; ShinyHunters infrastructure monitoring recommended via BreachForums threat intelligence feeds.

Dutch Police Takedown of Asocks Exposes Residential Proxy Botnet Across 17 Million Devices

Dutch authorities dismantled the Asocks commercial residential proxy service, exposing a botnet infrastructure spanning 17 million Android devices, IoT devices, routers, smartphones, and computers. The Asocks infrastructure was connected to the LumiApps SDK, a proxyware development kit distributed through mobile applications, which enrolled devices into the botnet without user awareness. Criminal actors purchased access to Asocks exit nodes for credential stuffing (T1110.004), ad fraud, web scraping, and general anonymization of malicious traffic. The significance for enterprise defenders is that attacks originating from residential proxy infrastructure are invisible to IP reputation-based defenses — the source IP resolves to a legitimate ISP residential assignment, not a datacenter or known malicious range.

Organizations relying on IP-based detection for credential stuffing, rate limiting, or malicious traffic identification should treat this as a capability gap requiring supplementation with behavioral analytics. The documented credential stuffing use case means any organization with externally exposed authentication endpoints is potentially affected by Asocks-enabled attacks. MDM policy review for applications embedding LumiApps SDK is warranted for organizations with corporate mobile device programs. Source: Dutch Police (KLPD) press release, May 31, 2026; Europol coordination notice.

CISA Releases 11 ICS Advisories Covering Maritime, Building Automation, CCTV, EV Charging, and Industrial OT Systems

CISA published 11 Industrial Control System advisories on May 28, 2026 covering a wide range of OT and IoT products: MacGregor Voyage Data Recorder G4e (maritime), ABB EIBPORT (building automation, session hijack confirmed), ABB Busch-Welcome 2 Wire Door Opener Actuator, CP Plus 8-channel NVR, KMW CCTV Security Cameras, Schneider Electric EcoStruxure Machine Expert HVAC, XCharge C6 EV Charger, Fourth Frontier Frontier X/X2 mobile ECG applications, Mitsubishi Electric Factory Automation Engineering Products, and ABB Ability Zenon Remote Transport. The ABB EIBPORT session hijack vulnerability is the highest-confidence risk in this set, with unauthenticated session token abuse enabling unauthorized access to building automation controls.

Organizations operating any of these 11 product families should retrieve the individual CISA advisories at cisa.gov/news-events/ics-advisories, as specific CVE identifiers, patch versions, and firmware update paths are documented per product. The maritime and EV charging entries are of particular note given critical infrastructure targeting patterns observed this quarter. Compensating controls — network segmentation, access restriction, anomaly monitoring — are appropriate where patching is not immediately feasible in OT environments. Source: CISA ICS Advisory Bundle, May 28, 2026.

AI Platform Abuse: Trusted Domains (ChatGPT, Claude, M365) Weaponized for Phishing and Malware Delivery

Multiple campaigns this week weaponized the trust users place in legitimate AI platform URLs. The LLMShare campaign abused ChatGPT shared conversation links (chatgpt.com/share/*) to host fake OpenAI outage pages and serve malware. A related campaign used Claude Artifacts (claude.ai/artifacts/*) to deliver the MacSync infostealer to macOS users via Google Ads redirect chains impersonating Homebrew. Varonis identified a campaign abusing Microsoft 365 Direct Send to deliver phishing email appearing to originate from the victim’s own domain while bypassing SPF/DKIM/DMARC enforcement. A separate Permiso Security research disclosure (“ChatGPhish”) documented how ChatGPT’s Markdown renderer can be exploited for prompt injection and phishing redirection — adversarially crafted content causes the AI to render hyperlinks pointing to attacker-controlled infrastructure.

The unifying theme is Living off Trusted Sites (LoTS): perimeter defenses calibrated to domain reputation provide no protection when the malicious content is hosted on chatgpt.com, claude.ai, or delivered through microsoft.com infrastructure. Detection must shift from domain reputation to behavioral analysis of content and download actions. Immediate actions: audit M365 Direct Send connector configurations and restrict to authorized source IPs; brief ChatGPT and Claude users that AI-rendered links are not inherently safe; implement web proxy content inspection that evaluates download behavior, not just domain reputation. Sources: Varonis Security Blog, Permiso Security ChatGPhish disclosure (May 29–30, 2026).

CVE-2026-7786: Hard-Coded Admin Credentials in USR-W610 IoT Gateway (CVSS 9.8, CISA Advisory)

CISA published an advisory for CVE-2026-7786, a hard-coded credential vulnerability in the Jinan USR IOT Technology Limited USR-W610 RS232/RS485 to Wi-Fi/Ethernet converter running firmware version 7.03T.07. The device bridges legacy serial (RS232/RS485) industrial equipment to IP networks, making it a common OT/ICS boundary component. Hard-coded admin credentials (T1078.001, T1552.001) allow any attacker with network access to the management interface to authenticate with full administrative privileges. Because the credentials are static and shared across all units, public disclosure of the credential values triggers an immediate assumption that scanning is already underway.

The threat model here is OT lateral movement: an attacker who authenticates to the USR-W610 gains the ability to modify serial port parameters, baud rates, and connected device addressing for whatever industrial equipment is bridged through the converter. In manufacturing, utilities, or building automation contexts, this can translate to process manipulation or equipment damage. Network segmentation — placing these devices on isolated OT VLANs with no internet exposure — is the primary compensating control until a firmware patch is available. Check Jinan USR IOT’s official support portal for firmware updates addressing this vulnerability. Source: CISA Advisory, May 30, 2026.

Linux Kernel CIFS 19-Year-Old Privilege Escalation (CIFSwitch) — No CVE Assigned, Public PoC Available

Security researchers disclosed a 19-year-old vulnerability in the Linux kernel CIFS subsystem (cifs-utils 6.14+) enabling local privilege escalation to root via dynamic linker hijacking and NSS module injection during kernel key upcall operations. Confirmed affected distributions include Linux Mint 21.3/22.3, CentOS Stream 9, Rocky Linux 9, AlmaLinux 9, Kali Linux 2021.4–2026.1, and SLES 15 SP7. Ubuntu, Debian, and other distributions with cifs-utils installed are potentially affected. AlmaLinux published patched kernels for community testing as of May 28, 2026. No CVE has been assigned at time of reporting.

The absence of a CVE identifier creates a vulnerability management gap: automated scanning tools that rely on CVE-based signatures will not flag unpatched systems. Organizations must specifically query for cifs-utils version 6.14+ in their software inventory and apply vendor patches as they become available. Where cifs-utils is not operationally required, remove it (yum remove cifs-utils or apt remove cifs-utils). Temporary mitigation for systems requiring CIFS mounts: set user.max_user_namespaces=0 (RHEL-family) or kernel.unprivileged_userns_clone=0 (Debian-family) via sysctl, validating operational impact first. A public Metasploit module is in development. Source: AlmaLinux security blog (May 28, 2026), researcher disclosure.

CISA KEV & Critical CVE Table

CVE Product CVSS EPSS Status KEV Deadline Description
CVE-2026-45321 TanStack (npm) 9.3 0.027% CISA KEV — Active Exploitation 2026-06-10 Supply chain compromise; credential-stealing malware in npm packages
CVE-2026-28414 Gradio < 6.7 (Windows, Python 3.13+) 7.5 4.2% (89th pctl) CISA KEV — Active Exploitation TBD — check KEV catalog Absolute path traversal; unauthenticated arbitrary file read on Windows
CVE-2026-45247 Mirasvit Full Page Cache Warmer for Magento 2 < 1.11.12 9.8 0.104% CISA KEV — Active Exploitation TBD — check KEV catalog PHP object injection via CacheWarmer cookie; unauthenticated RCE
CVE-2026-5426 KnowledgeDeliver LMS (ASP.NET) 9.5 0.071% CISA KEV — Active Exploitation TBD — check KEV catalog Hardcoded ASP.NET machine keys; ViewState deserialization RCE; Cobalt Strike delivery confirmed
CVE-2026-8732 WP Maps Pro WordPress plugin ≤ 6.1.0 9.5 0.074% Active Exploitation — Not yet KEV N/A Unauthenticated admin account creation via AJAX endpoint
CVE-2026-2441 Google Chrome < 148.0.7778.96 9.5 23.1% (96th pctl) Active Exploitation — Not yet KEV N/A RCE in Chrome renderer; drive-by compromise; emergency out-of-band patch
CVE-2026-35616 Fortinet FortiClient EMS 7.4.5–7.4.6 9.5 41.2% (97th pctl) Active Exploitation — EKZ infostealer deployed N/A Authentication bypass; EKZ infostealer deployed post-exploitation; browser credential theft
CVE-2026-7786 USR-W610 IoT Gateway firmware 7.03T.07 9.8 0.041% CISA Advisory — Not yet KEV N/A Hard-coded admin credentials; full administrative access without authentication
CVE-2026-27771 Gitea (built-in container registry) 9.1 0.000% Disclosed — Not yet exploited N/A Unauthenticated private container image access; broken authentication on registry API
CVE-2026-8606 GitHub Enterprise Server (GitHub Packages enabled) 8.5 0.076% Disclosed — Patch pending N/A SSRF via GitHub Packages; internal service access including secrets
CVE-2026-44495 axios (npm) — specific versions TBC 8.1 0.000% Disclosed — Patch pending (GHSA-3g43-6gmg-66jw) N/A Prototype pollution via config merge; credential theft and response hijacking
CVE-2026-44494 axios (npm) — specific versions TBC 8.1 0.000% Disclosed — Patch pending (GHSA-35jp-ww65-95wh) N/A Prototype pollution gadget; full man-in-the-middle via proxy configuration hijack
CVE-2025-11993 WooCommerce Infinite Scroll and Ajax Pagination ≤ 1.8 8.8 0.080% Disclosed — Patch available N/A PHP object injection via Subscriber-level account; potential RCE via POP chain
CVE-2026-39821 Azure Linux 3.0 application-gateway-kubernetes-ingress 1.7.7-3 10.0 0.045% May 2026 Patch Tuesday — Patch available N/A Punycode label validation bypass in golang.org/x/net/idna; domain masquerading / AiTM
CVE-2026-46595 Azure Linux 3.0 docker-buildx 0.14.0-11 10.0 0.040% May 2026 Patch Tuesday — Patch available N/A VerifiedPublicKeyCallback permission bypass in golang.org/x/crypto/ssh; SSH auth bypass
CVE-2025-15556 Notepad++ (Windows) — version range TBC Not assigned 6.1% (91st pctl) Patch released — three CVEs bundled N/A Arbitrary code execution; privilege escalation via three chained vulnerabilities
No CVE (CIFSwitch) Linux kernel CIFS / cifs-utils 6.14+ 7.5 (estimated) 0.000% No CVE assigned — Public disclosure, PoC in development N/A Local privilege escalation to root via dynamic linker hijacking in kernel CIFS upcall

Supply Chain & Developer Tool Threats

npm Ecosystem: Three Concurrent Campaigns (47 Total Malicious Packages)

This week represents the most significant npm supply chain attack cluster observed in 2026. Three coordinated campaigns targeted different npm attack vectors simultaneously: dependency confusion (33 packages spoofing internal enterprise package names), typosquatting (14 packages with character-substituted names targeting popular packages), and publisher account compromise (@antv scope, “Mini Shai-Hulud”). All three campaigns harvested the same credential classes: AWS IAM keys via IMDS endpoint queries to 169.254.169.254, HashiCorp Vault tokens, GitHub Actions workflow tokens, and npm publish credentials. The vpmdhaj campaign introduced a two-stage payload architecture where stage one profiled the environment and stage two delivered targeted harvesting. The Bun JavaScript runtime was used in stage one to evade Microsoft Defender AV detection. Organizations should pin all npm packages to verified lockfile hashes and enforce private registry proxying to eliminate public registry confusion attacks.

Glassworm IDE Extension Campaign

Malicious extensions distributed through the OpenVSX marketplace targeted users of VSCode-compatible IDEs including Cursor, Positron, Windsurf, and VSCodium. Extensions used obfuscated JavaScript payloads, four distinct C2 channels, and fast-flux DNS (T1568.001) to maintain persistence and exfiltrate credentials. The attack vector is insidious because IDE extensions run with the full permissions of the IDE process, which in developer environments includes access to every repository, credential store, and SSH key the developer uses. Enumerate all installed extensions via code --list-extensions, verify against a known-good allowlist, and implement endpoint controls blocking unapproved extensions at the MDM or software policy layer.

Megalodon Campaign: 5,500+ GitHub Repositories Poisoned in Six Hours

The Megalodon campaign poisoned over 5,500 public GitHub repositories in a six-hour window by injecting malicious content into GitHub Actions workflow YAML files. The campaign targeted CI/CD secrets, cloud provider credentials, and npm tokens accessible within Actions runner environments. Stolen credentials were exfiltrated to attacker-controlled infrastructure. StepSecurity published primary research with the affected repository list. Organizations should audit GitHub Actions workflow files for unauthorized modifications, pin Actions to commit SHAs rather than mutable tags, and rotate all GitHub PATs, SSH keys, and CI/CD secrets that may have been accessible during the campaign window. Source: StepSecurity, May 27, 2026: https://www.stepsecurity.io/blog/megalodon-mass-github-actions-secret-exfiltration-across-5-500-public-repositories

JINX-0164: macOS Infostealer via npm Supply Chain and LinkedIn Recruiter Lures

Campaign JINX-0164 chains LinkedIn-style recruiter lures with a compromised npm package (@velora-dex/sdk) to deliver MiniRAT and the AUDIOFIX infostealer to macOS developer workstations. MiniRAT establishes persistence via launchctl (T1543.004) and targets iCloud Keychain, Chrome credential stores, SSH keys, and Discord/Slack/Telegram sessions. The CI/CD reach of this campaign is significant: any build runner that installed @velora-dex/sdk should be treated as compromised, all secrets accessible from that runner should be rotated, and all build artifacts produced during the exposure window should be re-verified before deployment. Enumerate launchctl persistence at ~/Library/LaunchAgents/ and /Library/LaunchDaemons/ for unfamiliar plists referencing executables in non-standard paths.

TanStack npm Supply Chain (CVE-2026-45321, CISA KEV, Deadline 2026-06-10)

A malicious npm package was published to the TanStack namespace delivering credential-stealing malware. CISA added this to the Known Exploited Vulnerabilities catalog with a remediation deadline of June 10, 2026. All organizations using TanStack npm packages should halt automated updates, audit installed versions against the CISA KEV entry, and treat any credentials accessible from environments where TanStack packages were installed as compromised. Verify patched version availability via the NVD entry for CVE-2026-45321 before reintroducing the dependency.

AI/ML Supply Chain: Open Source AI Agent Package Vulnerability

Ars Technica reported a critical vulnerability in an unnamed widely-used open-source AI agent package affecting millions of AI agent deployments. Specific package name and CVE ID were not available in source data provided to the SCC pipeline; retrieve the primary Ars Technica report directly for confirmed package name and patch status. Organizations should inventory all open-source packages used in AI agent pipelines (LangChain, AutoGPT, CrewAI, and similar stacks are candidate areas) and verify the specific package once identified. The vulnerability is described as “trivial to exploit.” Apply least-privilege principles to AI agent runtime permissions and network segmentation isolating agent environments from production data stores. Source: Ars Technica, May 28, 2026.

Nation-State & APT Activity Summary

Iran — Screening Serpens (UNC1549)

Targeted sectors: Defense, aerospace, technology, critical infrastructure in the United States, Israel, and United Arab Emirates.

TTPs: Spearphishing with job-offer lures (T1566.001) via email and professional networking platforms; scripting interpreter execution chains (T1059); web service-based C2 using OneDrive and Dropbox (T1102); masquerading file extensions (T1036); obfuscated command execution (T1027); valid account abuse post-initial-access (T1078).

New capability: Six previously undocumented RAT variants deployed since approximately February 2026. IOC hashes and domains not yet publicly confirmed; monitor Unit 42 publications for release.

Attribution confidence: High (Unit 42, May 30, 2026).

North Korea — Kimsuky

Targeted sectors: South Korean government, think tanks, defense contractors; broader targeting of entities with South Korea ties globally.

TTPs: VS Code Remote Tunnel abuse for C2 (T1572); Cloudflare Quick Tunnel C2 (T1090.003); spearphishing with spoofed Webex/security tool installers (T1566.001/T1566.002); DWAgent commercial RAT abuse (T1219); scheduled task persistence (T1053.005); obfuscated Rust and VBScript payloads (T1027); JSONPing infection verification; LLM-assisted malware development.

New capability: HelloDoor, HttpMalice, HTTPSpy (Rust-compiled cross-platform). JSONPing verification loop confirms victim infection before delivering heavier payloads.

Attribution confidence: High (Darktrace, The Hacker News reporting, May 29, 2026).

North Korea — DPRK (Financial Theft Operations)

Targeted sectors: Cryptocurrency exchanges, fintech platforms, financial institutions globally. CrowdStrike reports $2 billion in DPRK cryptocurrency theft tracked in the 2026 financial services threat landscape report.

TTPs: DLL search order hijacking (T1574.001); software supply chain compromise (T1195.002); valid account abuse (T1078); multi-hop proxy infrastructure (T1090.003).

Attribution confidence: High (CrowdStrike 2026 Financial Services Threat Landscape Report).

China — MURKY PANDA

Targeted sectors: Financial institutions, insurance entities; specifically targeting Microsoft 365 environments via trusted-relationship intrusion (T1199).

TTPs: Trusted third-party/vendor access abuse (T1199); OAuth application consent grant exploitation (T1550.001); remote email collection via compromised cloud accounts (T1114.002); web session cookie theft (T1550.004); multi-hop proxy infrastructure (T1090.003).

Attribution confidence: High (CrowdStrike, May 2026 Financial Services report).

Russia-Nexus — Fox Tempest (Malware-as-a-Service Operator, Dismantled)

Operation: Commercial MaaS operation providing Microsoft-signed malware (Rhysida ransomware, Lumma Stealer, Vidar) to affiliate customers. Now dismantled following Microsoft disclosure.

TTPs: Code signing certificate abuse (T1588.003); phishing initial access (T1566); user execution (T1204); exfiltration over C2 (T1041); data encrypted for impact (T1486).

Current risk: Revoked certificate IOCs remain relevant — malware previously deployed via Fox Tempest infrastructure may still be running on victim networks. Full IOC list: Microsoft Security Blog, May 19, 2026.

Attribution confidence: High (Microsoft Threat Intelligence).

South Korea — MuddyWater (Iranian Attribution)

Targeted sectors: Airport operations, manufacturing, government entities across nine countries.

TTPs: DLL sideloading (T1574.002) via legitimate vendor binaries (Fortemedia fmapp.exe, SentinelOne sentinelmemoryscanner.exe, Chromium ChromElevator); SOCKS5 tunnel C2 (T1090.001); SAM database credential dumping (T1003.002); keylogging (T1056.001); screen capture (T1113); PowerShell execution (T1059.001); JavaScript execution (T1059.007).

Attribution confidence: High (Unit 42 / MuddyWater behavioral alignment, May 26, 2026).

Phishing & Social Engineering Alert

Chinese PhaaS: Darcula / Lucid MFA Bypass and Real-Time Payment Card Tokenization

Platform: Darcula PhaaS attributed to UNC5814; Lucid affiliate network. Active in 119+ countries.

Delivery vectors: iMessage (Apple) and RCS (Android/Google) smishing; recipients cannot distinguish from legitimate SMS. Lures impersonate Amazon Japan, PayPay, Rakuten Securities, Nomura Securities, Nintendo, Mercari, JCB Card, JA Bank, and other major brands. Google Ads purchases also used for Homebrew and Claude impersonation campaigns delivering the ACR infostealer to macOS users.

MFA bypass: Adversary-in-the-Middle (T1557) using Puppeteer-based browser automation. Victim MFA OTP codes are intercepted and relayed to the real target service in real time, completing authentication before the OTP expires. This technique defeats SMS OTP and TOTP entirely. Only FIDO2/WebAuthn (passkeys/hardware security keys) provides reliable protection.

New capability — digital wallet tokenization: After capturing payment card credentials and completing AiTM authentication, operators use the stolen credentials to provision the card to Apple Pay or Google Pay digital wallets within seconds, creating persistent payment access that survives card reissuance in some cases.

Evasion: Dynamically generated brand-clone phishing pages resist static signature detection. Pages use JavaScript obfuscation, browser fingerprinting, and geographic IP filtering to avoid security researcher access. IOC list is highly dynamic; cross-reference Google Threat Intelligence Group primary report for current infrastructure indicators: https://cloud.google.com/blog/topics/threat-intelligence/chinese-language-phishing-services/

Detection guidance: Monitor for OTP submission within 2-5 seconds of issuance followed by high-privilege actions; alert on digital wallet provisioning from new or unrecognized devices; implement FIDO2/passkeys as the only MFA method for high-value financial and payment applications; provide user awareness training specifically covering iMessage and RCS phishing (users often assume these channels are more secure than email).

Kali365: Microsoft 365 OAuth Device Code Flow Hijacking

The Kali365 PhaaS platform abuses the Microsoft 365 OAuth device code authentication flow (login.microsoftonline.com/common/oauth2/deviceauth) to steal access tokens without requiring the victim to enter a password on an attacker-controlled site. Victims receive phishing emails directing them to enter an attacker-supplied device code at the legitimate Microsoft URL, unknowingly granting the attacker a valid OAuth token for their account. The technique bypasses standard phishing detection because the victim interacts with a legitimate Microsoft domain. Detection: query Entra ID sign-in logs for AuthenticationProtocol = ‘deviceCode’ originating from unfamiliar ASNs or geographic locations. Restrict or disable device code flow via Conditional Access policy where not operationally required.

Silent Ransom Group (Luna Moth): Physical Impersonation Attacks Against Law Firms

The FBI issued an advisory warning that Silent Ransom Group operatives are conducting in-person social engineering at law firm offices, impersonating IT support staff to gain physical workstation access and install commercial remote access tools (AnyDesk, Zoho Assist). This attack vector bypasses all network-layer and email-based phishing controls. The FBI advisory covers law firms as the primary target but notes secondary targeting of insurance, finance, and healthcare sectors. Controls: implement mandatory IT staff identity verification requiring photo ID cross-checked by a manager before any physical workstation access; audit visitor logs and badge records; alert on remote access tool installations outside approved change windows.

FIFA 2026 World Cup Fraud: 300+ Fake Sites (Ghost Stadium Campaign)

Group-IB identified 300+ typosquatted FIFA-themed domains registered ahead of the 2026 FIFA World Cup in North America. Domains are distributed via Google sponsored search results, Facebook, Telegram, and WhatsApp. Victims are directed to fraudulent ticketing portals collecting payment card data and personal information. Deploy DNS/web filter block lists using Group-IB’s published domain list; implement user awareness communications advising employees to verify the official FIFA ticketing URL (fifa.com) and avoid sponsored search results for event ticketing. Source: Group-IB, FBI PSA, May 2026.

Indicators of Compromise

Campaign / Story IOC Type Value Confidence Context / Behavioral Note
npm Supply Chain (All Campaigns) npm alias mr.4nd3r50n High Threat actor npm publisher alias — all packages published under this alias should be treated as malicious
npm Supply Chain (All Campaigns) npm alias ce-rwb High Threat actor npm publisher alias
npm Supply Chain (All Campaigns) npm alias t-in-one High Threat actor npm publisher alias
npm Supply Chain (All Campaigns) npm alias vpmdhaj High Threat actor npm publisher alias
npm vpmdhaj / Dual Campaign IP 169.254.169.254/latest/meta-data/ High AWS IMDS endpoint queried by stage-two payload to harvest EC2 instance credentials — HTTP GET from non-AWS-native processes is a strong indicator
npm vpmdhaj / Dual Campaign URL https://sts.amazonaws.com (GetCallerIdentity) High AWS STS endpoint queried by payload to validate and exfiltrate credential context — flag from CI/CD runners at unexpected times
npm Dual Campaign URL https://www.microsoft.com/en-us/security/blog/2026/05/29/33-malicious-npm-packages-abuse-dependency-confusion-profile-developer-environments/ High Microsoft TI primary source — full package name list and IOCs documented here
npm Dual Campaign URL https://www.microsoft.com/en-us/security/blog/2026/05/28/typosquatted-npm-packages-used-steal-cloud-ci-cd-secrets/ High Microsoft TI primary source — 14 typosquatted package details and exfiltration domain list
npm @antv Compromise URL https://www.microsoft.com/en-us/security/blog/2026/05/20/mini-shai-hulud-compromised-antv-npm-packages-enable-ci-cd-credential-theft/ High Microsoft TI primary source — affected @antv package versions and payload hashes
JINX-0164 macOS Campaign npm package @velora-dex/sdk High Compromised npm package delivering MiniRAT and AUDIOFIX infostealer; all post-mid-2025 versions should be treated as malicious
Fox Tempest MaaS URL (primary source) https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/ High Full IOC list including certificate thumbprints, binary hashes, C2 domains for Rhysida/Lumma/Vidar — retrieve directly
Fox Tempest MaaS Behavioral Processes with Microsoft Authenticode signatures issued May 2025–May 2026 appearing on revocation list High Cross-reference against Microsoft revocation list; Windows Event ID 8028 (SmartScreen blocked revoked certificate)
Fox Tempest — Rhysida File extension .rhysida High Mass file rename to .rhysida extension indicates active Rhysida ransomware encryption; treat as critical P1 incident trigger
Fox Tempest — Rhysida Command vssadmin.exe delete shadows (leveraged by Rhysida to inhibit recovery) High VSS deletion before encryption is a pre-encryption ransomware indicator; alert on this command from any non-administrator context
CVE-2026-8732 WP Maps Pro URL pattern /wp-admin/admin-ajax.php (POST, unauthenticated, WP Maps Pro action parameter) High High POST volume from external IPs to this endpoint is a behavioral indicator of automated exploitation
CVE-2026-28414 Gradio URL pattern /windows/win.ini High HTTP 200 response to this path on a Gradio server running Python 3.13+ confirms exploitation
CVE-2026-28414 Gradio URL pattern /windows/system32/drivers/etc/hosts Medium Suspicious when observed in HTTP requests to Gradio applications — reconnaissance indicator for path traversal capability
CVE-2026-45247 Mirasvit / Magento Cookie pattern CacheWarmer=O%3A (URL-encoded PHP serialization prefix) High Indicates PHP object injection attempt via CacheWarmer cookie; any occurrence in web logs warrants immediate investigation
CVE-2026-5426 KnowledgeDeliver LMS URL (TI source) https://cloud.google.com/blog/topics/threat-intelligence/knowledgedeliver-viewstate-deserialization-vulnerability/ Medium (search-retrieved — validate before use) GTIG report containing IOC details for KnowledgeDeliver exploitation including Cobalt Strike C2 indicators
Asocks Residential Proxy Botnet Domain asocks.com High Primary domain of dismantled criminal residential proxy service — block at DNS/proxy layer
Asocks / LumiApps URL https://lumiapps.io Medium LumiApps SDK distribution site linked to Asocks botnet recruitment via mobile applications — dual-use; verify against current threat intelligence before blocking
Kimsuky C2 Domain wildcard *.trycloudflare.com Medium Cloudflare Quick Tunnel domains abused as covert C2 channels — block for non-developer endpoints; implement allowlisting for authorized developer use
Kimsuky C2 Domain vscode.dev Medium Legitimate Microsoft VS Code Remote Tunneling infrastructure abused for C2 — block tunnel-specific subpaths from non-developer endpoints
GPU Cryptojacking Campaign Domain wildcard *.dynu.com High Dynu dynamic DNS used for C2 and payload hosting in GPU cryptojacking / ScreenConnect backdoor campaign
GPU Cryptojacking Campaign Domain wildcard *.dynu.net High Dynu dynamic DNS infrastructure — block at DNS resolver layer
GPU Cryptojacking Campaign URL (primary source) https://www.microsoft.com/en-us/security/blog/2026/05/26/poisoned-search-results-gpu-mining-cryptojacking-campaign-abusing-screenconnect-microsoft-net-utilities/ High Microsoft Defender Experts advisory — full IOC list including specific domains and file hashes
GPU Cryptojacking — LOLBin abuse Behavioral InstallUtil.exe, RegAsm.exe, RegSvcs.exe, MSBuild.exe, AppLaunch.exe, AddInProcess.exe, aspnet_compiler.exe (leveraged via process hollowing to host cryptominer payloads) High Alert on these .NET LOLBins exhibiting sustained GPU utilization or initiating outbound network connections
Darcula/Lucid PhaaS URL (TI source) https://cloud.google.com/blog/topics/threat-intelligence/chinese-language-phishing-services/ High GTIG primary source — current Darcula/Lucid infrastructure IOC list; domain list rotates rapidly, retrieve current version
Kali365 M365 PhaaS URL (legitimate — used as lure) login.microsoftonline.com/common/oauth2/deviceauth High Legitimate Microsoft endpoint abused by Kali365 device code flow phishing — presence in user-reported phishing lures is a direct indicator
CVE-2026-7786 USR-W610 Port TCP 23 (Telnet) High USR-W610 management interface exposed on Telnet — flag Telnet access to device IP as control gap requiring protocol upgrade; no authentication bypass needed given hard-coded credentials
Gogs RCE (No CVE) URL pattern Branch names containing –exec or other flag-formatted arguments in git operation logs High Argument injection exploit uses crafted branch names to trigger OS command execution during git rebase; alert on branch names matching pattern .*–exec.* or –[a-z]+=
Charter Breach (ShinyHunters) URL (news source — low confidence IOC) https://www.bleepingcomputer.com/news/security/charter-communications-data-breach-affects-49-million-accounts/ Low Primary reporting source — monitor for IOC updates as investigation matures; no technical IOCs confirmed at time of reporting
Megalodon GitHub Campaign URL (TI source) https://www.stepsecurity.io/blog/megalodon-mass-github-actions-secret-exfiltration-across-5-500-public-repositories Medium (search-retrieved — validate before use) StepSecurity primary research — affected repository list and campaign technical details

Note: IOCs labeled “search-retrieved” or sourced from secondary reporting require human validation against primary sources before deployment in production detection systems. IOCs derived from behavioral patterns (URL patterns, command patterns, process names) are independent of source confidence and may be deployed based on your environment’s risk tolerance.

Helpful 5: High-Value Low-Effort Mitigations

1. Block npm Lifecycle Script Execution in CI/CD Pipelines

Why: This week’s three npm campaigns (47 malicious packages) all relied on postinstall lifecycle hooks to execute malicious payloads during npm install. Blocking lifecycle scripts eliminates the execution vector without requiring you to identify every malicious package.

How:

  1. Add --ignore-scripts flag to all npm install commands in CI/CD pipeline definitions: npm ci --ignore-scripts
  2. Set in .npmrc for the pipeline environment: ignore-scripts=true
  3. Enforce via pipeline policy — flag any npm install command that does not include --ignore-scripts as a policy violation
  4. Audit packages that legitimately require build scripts; add them to a documented approved exceptions list with specific version pinning
  5. Apply to developer workstations via .npmrc in home directory as a default-safe behavior

Framework alignment: NIST SI-3 (Malicious Code Protection), NIST SR-3 (Supply Chain Controls and Processes), CIS v8 2.3 (Address Unauthorized Software), CIS v8 2.5 (Allowlist Authorized Software)

2. Enforce FIDO2/Passkeys on All Externally Exposed Applications — Retire SMS OTP

Why: The Darcula/Lucid PhaaS campaigns this week bypass SMS OTP and TOTP MFA in real time via adversary-in-the-middle relay. The Kali365 campaign bypasses MFA entirely via OAuth device code abuse. FIDO2 (passkeys, FIDO hardware keys) is the only MFA method that provides cryptographic protection against both relay and phishing attacks because authentication is origin-bound — it cannot be replayed from a different origin.

How:

  1. Identify all externally exposed applications using SMS OTP or TOTP as primary MFA (query identity provider authentication logs for method distribution)
  2. Enable FIDO2 authenticator support in your identity provider (Microsoft Entra ID: Authentication Methods policy; Okta: Authenticators; Google Workspace: Security Keys)
  3. Set a migration deadline; begin with highest-risk accounts (finance, executive, privileged admin)
  4. Disable SMS OTP as an MFA option for new enrollments immediately; migrate existing users within 90 days
  5. For Microsoft 365 specifically: restrict the OAuth device code flow via Conditional Access policy for users who do not require device onboarding

Framework alignment: NIST IA-2 (Identification and Authentication), NIST IA-5 (Authenticator Management), CIS v8 6.3 (Require MFA for Externally-Exposed Applications), CIS v8 6.5 (Require MFA for Administrative Access), MITRE D3FEND D3-MFA

3. Implement Private npm Registry Proxying for All CI/CD and Developer Environments

Why: Dependency confusion attacks (33 of this week’s 47 malicious packages) work by registering public packages with names matching your internal private packages. When your package manager resolves dependencies, it may pull the higher-version public malicious package instead of your internal one. A private registry proxy with explicit scope-to-registry mapping eliminates this attack vector entirely at the infrastructure level.

How:

  1. Deploy a private npm registry (Verdaccio, JFrog Artifactory, AWS CodeArtifact, GitHub Packages, or Nexus)
  2. Configure all internal package scopes to resolve only from your private registry: in .npmrc, set @your-scope:registry=https://your-private-registry/
  3. Block direct internet access to registry.npmjs.org from CI/CD runners — all packages must flow through the private proxy
  4. Configure the private registry to proxy public npm for unscoped packages, with integrity verification and optional allowlisting
  5. Register shadow packages on public npm for all your internal package names (even if empty) to prevent adversary registration

Framework alignment: NIST CM-7 (Least Functionality), NIST SR-3 (Supply Chain Controls and Processes), CIS v8 2.1 (Establish and Maintain a Software Inventory), CIS v8 2.3 (Address Unauthorized Software)

4. Audit and Rotate All Long-Lived Non-Human Identity Credentials

Why: The supply chain and non-human identity stories this week share a common thread: long-lived API tokens, service account keys, and OAuth grants with excessive permissions. The vpmdhaj campaign specifically targeted static AWS IAM keys, Vault tokens, and GitHub Actions secrets that had been stored for months or years. Non-human identities (NHIs) now outnumber human identities in most enterprises by 10:1 or more and are dramatically under-governed.

How:

  1. Enumerate all service account credentials, API tokens, OAuth grants, and machine identities: query AWS IAM (list-access-keys for all users), Azure Managed Identity and App Registrations, GitHub personal access tokens and fine-grained tokens, and any secrets manager (Vault, AWS Secrets Manager, Azure Key Vault)
  2. Flag any credential older than 90 days as requiring rotation or replacement with a short-lived equivalent
  3. Replace static long-lived API keys in CI/CD with short-lived OIDC tokens scoped to minimum permissions (GitHub Actions OIDC → AWS/Azure/GCP is now widely supported)
  4. Revoke any credential that cannot be attributed to a current, documented integration
  5. Set maximum lifetime policies in your secrets manager and identity provider: no service account credential should exceed 90 days without rotation

Framework alignment: NIST AC-2 (Account Management), NIST AC-6 (Least Privilege), NIST IA-5 (Authenticator Management), CIS v8 5.1 (Establish and Maintain an Inventory of Accounts), CIS v8 5.3 (Disable Dormant Accounts), MITRE D3FEND D3-CRO (Credential Rotation), D3-CH (Credential Hardening)

5. Deploy Behavioral Detection for .NET LOLBin Process Hollowing

Why: The GPU cryptojacking campaign this week used process hollowing (T1055.012) to inject malicious payloads into legitimate, signed .NET binaries (InstallUtil.exe, RegAsm.exe, MSBuild.exe, etc.). This technique bypasses application allowlisting based on binary hash or signature because the container process is legitimate. Behavioral detection on parent-child process relationships catches this regardless of the payload’s identity.

How:

  1. In your EDR platform, create detection rules alerting on the following .NET LOLBins spawning child processes or initiating outbound network connections: InstallUtil.exe, RegAsm.exe, RegSvcs.exe, MSBuild.exe, AppLaunch.exe, AddInProcess.exe, aspnet_compiler.exe
  2. In SIEM, create a rule correlating Windows Event ID 4688 (process creation) where the parent process name matches any of the above and the child process name is cmd.exe, powershell.exe, or a network tool
  3. Enable Sysmon Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess) targeting the same LOLBin process names
  4. Alert on sustained GPU utilization from any of these processes (they have no legitimate reason to use GPU resources)
  5. Block these binaries from initiating outbound network connections via application control policy where they are not operationally required

Framework alignment: NIST SI-4 (System Monitoring), NIST CM-7 (Least Functionality), CIS v8 8.2 (Collect Audit Logs), MITRE D3FEND D3-SFA (System File Analysis), MITRE ATT&CK T1055.012 (Process Hollowing), T1218 (System Binary Proxy Execution)

Framework Alignment Matrix

Threat MITRE Tactic MITRE Technique NIST 800-53 CIS v8
npm Supply Chain (47 packages, vpmdhaj, Megalodon) Initial Access T1195.001 — Compromise Software Dependencies SR-3, SR-2, SI-7, CM-3 2.1, 2.3, 2.5, 2.6
npm Credential Harvest (AWS IMDS, Vault, GitHub) Credential Access T1552.005 — Cloud Instance Metadata API; T1552.001 — Credentials in Files IA-5, AC-6, AC-2 5.1, 5.4, 6.5
Glassworm IDE Extension Campaign Persistence T1176 — Software Extensions; T1568 — Dynamic Resolution CM-7, SI-7, SR-3 2.3, 2.5, 2.6
Fox Tempest Signed Malware (Rhysida/Lumma/Vidar) Defense Evasion T1553.002 — Code Signing; T1588.003 — Code Signing Certificates SC-17, SI-3, SI-7, CA-7 8.2, 3.10
CVE-2026-8732 WP Maps Pro Admin Creation Initial Access / Persistence T1190 — Exploit Public-Facing Application; T1136.001 — Local Account AC-2, AC-3, IA-2, SI-2 6.1, 6.3, 7.4
CVE-2026-28414 Gradio Path Traversal Discovery / Credential Access T1083 — File and Directory Discovery; T1552.001 — Credentials in Files AC-3, SI-10, SI-2 16.10, 7.3, 7.4
CVE-2026-45247 Mirasvit PHP Object Injection Initial Access / Execution T1190 — Exploit Public-Facing App; T1059.004 — Unix Shell SI-10, SI-3, SI-4, SC-7 16.10, 7.3, 7.4
CVE-2026-5426 KnowledgeDeliver ViewState RCE Initial Access / Execution T1190; T1505.003 — Web Shell; T1059.003 — Windows Command Shell SI-10, CM-2, SI-4, RA-5 16.10, 7.4
CVE-2026-2441 Chrome RCE Initial Access / Execution T1189 — Drive-by Compromise; T1203 — Exploitation for Client Execution SI-2, SI-3, CM-7, AC-6 7.4, 16.10
CVE-2026-35616 FortiClient EMS Auth Bypass (EKZ) Initial Access / Credential Access T1190; T1555.003 — Credentials from Web Browsers; T1539 — Steal Web Session Cookie AC-3, IA-2, SI-2, SI-4 6.1, 6.3, 8.2
Iranian APT Screening Serpens (Six RAT Variants) Initial Access / C2 T1566.001 — Spearphishing Attachment; T1102 — Web Service; T1036 — Masquerading SI-3, SI-4, CA-7, AT-2 14.2, 8.2
Kimsuky VS Code Tunnel / New RATs C2 / Execution T1572 — Protocol Tunneling; T1219 — Remote Access Tools; T1053.005 — Scheduled Task CM-7, SI-4, CA-7, SC-7 2.3, 4.4, 8.2
MURKY PANDA M365 Cloud Espionage Initial Access / Collection T1199 — Trusted Relationship; T1550.001 — Application Access Token; T1114.002 — Remote Email Collection SA-9, AC-20, AC-6, AU-6 6.3, 6.5, 15.1
Darcula/Lucid PhaaS AiTM + Tokenization Credential Access T1557 — AiTM; T1111 — MFA Interception; T1621 — MFA Request Generation IA-2, IA-5, AT-2, SI-8 6.3, 6.4, 6.5, 14.2
Kali365 OAuth Device Code Phishing Credential Access T1528 — Steal Application Access Token; T1550.001 — Application Access Token IA-2, AC-3, IA-8, AU-6 6.3, 6.5, 14.2
GPU Cryptojacking / ScreenConnect Backdoor Execution / Defense Evasion T1055.012 — Process Hollowing; T1218 — System Binary Proxy Execution; T1608.006 — SEO Poisoning SI-4, CA-7, CM-7, SR-2 2.3, 2.5, 4.6
CIFSwitch Linux CIFS Privilege Escalation (No CVE) Privilege Escalation T1068 — Exploitation for Privilege Escalation; T1574.006 — Dynamic Linker Hijacking AC-6, SI-2, SI-4, AC-3 5.4, 7.3, 8.2
CVE-2026-7786 USR-W610 Hard-Coded Credentials Defense Evasion / Credential Access T1078.001 — Default Accounts; T1552.001 — Credentials in Files IA-2, IA-5, AC-17, SC-7 4.7, 4.2
Asocks Residential Proxy Botnet Command and Control T1090.002 — External Proxy; T1110.004 — Credential Stuffing CA-7, SC-7, SI-4, CM-7 6.3, 6.4, 8.2
Non-Human Identity Supply Chain Attacks Initial Access / Credential Access T1199 — Trusted Relationship; T1528 — Steal Application Access Token; T1098 — Account Manipulation SA-9, SR-2, IA-5, AC-6 5.1, 6.1, 15.1
Silent Ransom Group Physical Impersonation Initial Access T1200 — Hardware Additions; T1566.004 — Spearphishing Voice; T1219 — Remote Access Tools AT-2, AC-2, AC-3, IR-4 6.1, 6.2, 14.2
Charter / Carnival / 23andMe Breach Pattern (ShinyHunters) Resource Development / Collection T1566.004 — Vishing; T1530 — Data from Cloud Storage; T1213 — Data from Information Repositories AC-2, IA-2, IA-5, AU-6 6.3, 6.5, 5.2
AI Platform Abuse (ChatGPT, Claude, M365 Direct Send) Initial Access / Execution T1566.002 — Spearphishing Link; T1204.001 — Malicious Link; T1534 — Internal Spearphishing AT-2, SI-3, SC-7, SI-4 14.2, 6.3, 8.2

Upcoming Security Events & Deadlines

CISA KEV Remediation Deadlines

  • CVE-2026-45321 (TanStack npm Supply Chain) — Deadline: 2026-06-10. Revoke credentials and verify patched package version before this date.
  • CVE-2026-28414 (Gradio Path Traversal) — Deadline: Check CISA KEV Catalog for current due date. Upgrade to Gradio 6.7+ immediately.
  • CVE-2026-45247 (Mirasvit Magento PHP Object Injection) — Deadline: Check CISA KEV Catalog for current due date. Upgrade to version 1.11.12+ immediately.
  • CVE-2026-5426 (KnowledgeDeliver LMS ViewState RCE) — Deadline: Check CISA KEV Catalog for current due date. Restrict external access and rotate machine keys immediately.

Next Microsoft Patch Tuesday

  • 2026-06-09 (second Tuesday of June). Given the volume of Azure Linux patches in the May 2026 cycle, a significant June release is expected. Prioritize Azure Linux 3.0 components and any continued golang.org/x/crypto/x/net fixes.

Active Patching Deadlines from This Week

  • CVE-2026-2441 Chrome 148 RCE — Emergency out-of-band patch. Deploy Chrome 148.0.7778.96+ immediately. No CERT deadline needed; active exploitation requires zero delay.
  • CVE-2026-8732 WP Maps Pro — Active exploitation confirmed. Upgrade to version 6.1.1 before week’s end.
  • CVE-2026-35616 FortiClient EMS — EPSS at 97th percentile with active EKZ infostealer deployment. Apply Fortinet patch immediately upon availability; check FortiGuard PSIRT (https://www.fortiguard.com/psirt).
  • Gogs RCE (No CVE, No Patch) — No vendor patch available as of late May 2026. Immediately isolate from internet-facing exposure. Plan migration to Gitea or Forgejo.
  • Linux CIFSwitch (No CVE) — AlmaLinux patched kernels available for community testing as of May 28, 2026. Monitor CentOS Stream, Rocky Linux, SUSE, and Debian/Ubuntu channels for corresponding fixes.

Vendor EOL & Support Notes

  • Gogs — All versions as of May 2026 remain vulnerable with no patch in development. Organizations self-hosting Gogs should treat this as an EOL-equivalent security event and plan migration within 30 days.
  • WooCommerce Infinite Scroll and Ajax Pagination ≤ 1.8 — Update to latest version above 1.8 immediately.
  • Link Whisper Free ≤ 0.9.0 — Update to latest available version in WordPress plugin repository.

Upcoming Comment & Review Periods

  • NIST SP 1800-41 (ICS/OT Ransomware Response) — Public comment period open. Submit comments before the close date; assign ownership of control gap remediation to OT security teams.

Forthcoming Threat Intelligence Reports to Monitor

  • Unit 42 full IOC release for Screening Serpens six new RAT variants (pending primary report publication)
  • CrowdStrike full IOC release for Glassworm botnet (pending technical advisory publication)
  • Permiso Security ChatGPhish patch status update from OpenAI

Sources

Section 3: Key Security Stories

Section 4: CISA KEV & Critical CVE Table

Section 5: Supply Chain & Developer Tool Threats

Section 6: Nation-State & APT Activity

Section 7: Phishing & Social Engineering

Section 9: Helpful 5 Mitigations

Section 11: Upcoming Events

Integrity Lock active — no configuration modifications permitted during this session. All URLs sourced from SCC pipeline intelligence items are labeled with confidence level. URLs marked “search-retrieved” should be validated before access. This briefing reflects SCC pipeline data as of 2026-06-01. Standards and sources may have been updated since this briefing was generated.

1

Author

Tech Jacks Solutions

Leave a comment