Briefing

Executive Summary

The week of June 8, 2026 represents one of the most complex and operationally consequential threat landscapes observed this year. The SCC pipeline processed 55 intelligence items spanning critical CVEs, advanced persistent threat campaigns, supply chain compromises, and high-impact data breaches. Seven items carry a priority score above 0.85, with two npm supply chain campaigns (Shai-Hulud/SLSA provenance bypass and Miasma Red Hat namespace compromise) scoring a maximum 1.0, requiring immediate organizational response. Three CISA KEV additions demand remediation — Oracle WebLogic CVE-2024-21182 (deadline June 4, already passed), SolarWinds Serv-U CVE-2026-28318 (deadline June 19), and Android Framework CVE-2025-48595 (deadline June 5) — alongside Arista EOS CVE-2026-7473 and Budibase CVE-2026-31816. Nation-state actors dominated this cycle: Gamaredon and Turla demonstrated collaborative access-brokering against Ukrainian targets; UNC5221 sustained 18-month footholds across MSP supply chains; the Pakistan-linked SideCopy/APT36 deployed Xeno RAT against the Afghan Finance Ministry; and GREYVIBE used ChatGPT and Gemini to augment cyberattacks. Critical infrastructure threats materialized with 900+ US automatic tank gauge systems actively compromised. The AI attack surface expanded significantly, with confirmed agentic prompt injection chains, CI/CD pipeline exploits via Claude Code (CVE-2026-25253), and the FIFA World Cup 2026 opening a major event-themed threat window spanning 16 host cities. Security teams should treat this week’s supply chain compromises and nation-state campaigns as requiring board-level awareness and immediate remediation resources.

Critical Action Items

  1. npm Supply Chain — Shai-Hulud/SLSA Provenance Bypass (Priority 1.0): Immediately freeze all npm dependency updates. Audit package.json and lock files for @tanstack/*, @redhat-cloud-services/*, @uipath/*, @opensearch-project/opensearch, @mistralai/mistralai, and @bitwarden/cli. Rotate all credentials accessible from affected build environments — AWS keys, GCP service accounts, Azure principals, HashiCorp Vault tokens, SSH keys. Do not reinstate CI/CD pipelines until verified clean with independent hash pinning. Consult Wiz, Unit 42, and Microsoft Security Blog advisories for current IOC sets.
  2. Oracle WebLogic CVE-2024-21182 — CISA KEV, Deadline June 4 (PASSED): CVSS 9.5, EPSS 89.6%. If not yet patched, treat as actively exploited with zero tolerance for delay. Apply Oracle CPU patch immediately. Restrict WebLogic admin ports (7001, 7002) to internal management networks. Rotate all service account credentials. Review for web shell artifacts in autodeploy directories.
  3. SolarWinds Serv-U CVE-2026-28318 — CISA KEV, Deadline June 19: CVSS 7.5. Unauthenticated DoS via uncontrolled resource consumption. Restrict inbound access to Serv-U ports at perimeter. Apply vendor patch from SolarWinds Trust Center. Implement IPS rule to block POST requests with Content-Encoding: deflate as a temporary mitigation. Monitor for service crash patterns (Windows Event ID 7034).
  4. Budibase CVE-2026-31816 — CISA KEV, Critical, EPSS 95th percentile: CVSS 9.8. Public PoC available. Unauthenticated RCE via webhook path query string bypass. Isolate all internet-facing Budibase instances immediately. Implement WAF rule blocking ?/webhooks/trigger pattern. Upgrade beyond version 3.31.4. Rotate all credentials on affected instances.
  5. Arista EOS CVE-2026-7473 — CISA KEV: CVSS 8.2. Unexpected tunnel protocol decapsulation bypassing network segmentation. Identify all EOS devices with VXLAN, decap-group, or GRE configurations. Apply vendor patch per Arista advisories. Restrict tunnel traffic to authorized sources at upstream perimeter. This vulnerability directly undermines network segmentation enforcement.
  6. Gamaredon/UNC5221 Nation-State — Immediate Threat Hunting Required: UNC5221 has sustained 18-month footholds across MSP supply chains targeting VMware vSphere, Synology NAS, Dell RecoverPoint, and pfSense. Suspend unverified MSP remote access. Hunt for Brickstorm, Plenet, and AgentPSD artifacts. Apply Dell DSA-2024-369 patches. Rotate all MSP-delegated credentials. Re-establish access only via MFA-enforced, logged channels.
  7. Claude Code CI/CD Prompt Injection (SCC-STY-2026-0168): Anthropic Claude Code GitHub Action prior to v2.1.128 allows prompt injection via GitHub issue/PR bodies to access /proc/self/environ and exfiltrate CI/CD secrets including ANTHROPIC_API_KEY. Upgrade to v2.1.128 immediately. Rotate all secrets injected into affected pipeline environments. Audit agent file access logs for /proc/ path reads.
  8. Cisco Unified CM CVE-2026-20230 — Critical SSRF, PoC Public: CVSS 9.5. SSRF via WebDialer enabling root escalation. Disable WebDialer immediately or restrict access to trusted networks. Upgrade to Release 14SU6 or Release 15SU5. A PoC is publicly available, and the exploitation window is compressing rapidly.

Key Security Stories

Shai-Hulud npm Supply Chain Reaches Maximum Severity: SLSA Provenance Weaponized, 520M Downloads at Risk

The Shai-Hulud supply chain campaign reached critical threshold this week, with the attack technique evolving to abuse GitHub OIDC Trusted Publishing to inject malicious code into npm packages without requiring stolen credentials. The campaign compromised packages spanning @tanstack/react-router (~12.7M weekly downloads), the entire @redhat-cloud-services namespace (32 packages, 96 versions), @uipath/* (57 packages), @opensearch-project/opensearch, @mistralai/mistralai, and @bitwarden/cli. The worm is self-spreading, re-compromising repositories from within infected pipelines, and specifically targets CI/CD environments running GitHub Actions, CircleCI, AWS, GCP, Azure, Kubernetes, HashiCorp Vault, Docker Hub, and VS Code extensions.

The most significant technical escalation is the SLSA provenance bypass. Attackers modified GitHub Actions workflow configurations to generate valid SLSA attestations for malicious package versions, meaning provenance alone cannot be trusted as an integrity signal for affected namespaces. This invalidates a core assumption of the supply chain security improvement movement. Mini Shai-Hulud source code is now publicly available, meaning secondary actor adoption is expected. Organizations should treat any npm package from affected namespaces installed since May 2026 as potentially compromised and rotate all accessible credentials immediately.

Affected versions: Multiple packages across six npm namespaces; see Unit 42, Wiz, and StepSecurity advisories for confirmed package lists. Exploitation status: Actively exploited, wormable, public PoC. Business impact: Credential theft covering all major cloud providers; potential for data destruction in affected CI/CD environments. Sources: Wiz: https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack; Microsoft Security Blog (search-retrieved, recommend human validation); Unit 42: https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/

Miasma Malware Backdoors Entire Red Hat npm Namespace via GitHub OIDC Abuse

On June 1, 2026, all 32 packages and 96 versions in the @redhat-cloud-services npm namespace were confirmed backdoored with Miasma malware. The attack exploited GitHub OIDC Trusted Publishing — the same mechanism implemented to replace long-lived secrets — to publish malicious package versions. Miasma targets 86 credential variable names and 20 credential file types, including AWS access keys, GCP service account JSON, Azure service principals, Kubernetes configs, HashiCorp Vault tokens, SSH private keys, npm tokens, and PyPI tokens. Exfiltration routes through the Tor network. A command history clearing routine (T1070.003) is executed post-exfiltration to impede forensics.

The campaign demonstrates that OIDC Trusted Publishing, while stronger than long-lived secrets for normal operations, provides no protection when the GitHub account itself is compromised. Organizations relying on this mechanism for security assurance must add compensating controls including out-of-band publisher verification and private registry proxying. Red Hat has not yet confirmed restored namespace integrity at time of briefing; do not reinstall packages from @redhat-cloud-services until official confirmation is received from Red Hat security channels.

Affected versions: All 96 versions across 32 @redhat-cloud-services npm packages. Exploitation status: Active, confirmed backdoor. Business impact: Complete cloud credential compromise for any environment where affected packages were installed. Source: Red Hat advisory channel; npm organization page: https://www.npmjs.com/org/redhat-cloud-services

UNC5221 Nation-State Actor Maintains 18-Month Persistence Across MSP Supply Chains

Mandiant and NVISO analysis confirmed this week that UNC5221 — a China-nexus threat actor — has sustained persistent access across MSP supply chains for up to 18 months using the Brickstorm, Plenet, and AgentPSD toolsets. The actor specifically targeted EDR-blind infrastructure: VMware ESXi hosts, Dell RecoverPoint for Virtual Machines, Egnyte Storage Sync, Synology NAS, pfSense edge routers, and Linux systems running GroupWise. By avoiding Windows endpoints with EDR coverage, the actor operated undetected across multiple victim environments simultaneously, using MSP trusted relationships (T1199) as a lateral movement path into downstream clients.

The campaign is significant because it demonstrates a mature, patient operational model: establish access via a single MSP, maintain lightweight implants on EDR-blind devices, and harvest credentials and data over months without triggering endpoint detection. Re-compromise was documented following prior remediation attempts, indicating the actor had pre-positioned additional persistence mechanisms. Dell DSA-2024-369 is the likely initial access vector for RecoverPoint devices. Organizations using MSP relationships should immediately audit all remote access paths, isolate MSP-reachable infrastructure pending verification, and consult primary Mandiant/NVISO reporting for confirmed Brickstorm, Plenet, and AgentPSD IOCs not reproducible here from available T3-tier sources.

Affected systems: VMware vSphere, Dell RecoverPoint, Egnyte, Synology NAS, pfSense, Linux GroupWise. Exploitation status: Active, long-term persistence confirmed. Source: Mandiant/NVISO primary reporting (obtain directly for confirmed IOCs).

900+ US Automatic Tank Gauge Systems Actively Compromised: Critical Fuel Infrastructure Under Attack

More than 900 automatic tank gauge (ATG) systems at US gas stations and critical infrastructure sites were confirmed actively compromised this week. Affected vendors include Franklin Fueling, Veeder-Root, and OPW. ATG systems control fuel level monitoring, leak detection, overfill protection, and alarm thresholds — direct manipulation of these systems represents physical safety risk beyond typical IT security impact. The attack exploited internet-facing management interfaces using default credentials (T1078.001, T0812), command injection (CWE-78), SQL injection (CWE-89), and improper privilege management (CWE-269).

The CISA advisory for this campaign was pending at time of briefing; monitor cisa.gov for published IOC sets. Any organization operating ATG systems at fuel facilities, fleet depots, or generator installations should immediately verify those systems are not internet-exposed. The attack surface for critical infrastructure OT/ICS assets remains severely under-protected, with many operators treating ATG systems as “just hardware” outside the IT security perimeter. These are network-connected computers with web interfaces and default vendor credentials, and they are being actively targeted.

Affected systems: Franklin Fueling, Veeder-Root, OPW ATG systems. Exploitation status: Active, confirmed, 900+ systems compromised. Business/physical impact: Fuel flow disruption, safety alarm manipulation, potential environmental incident. Source: Monitor CISA advisories at cisa.gov.

Silent Ransom Group and Pink Extortion: Vishing Campaigns Escalate Against Legal, M365, and Professional Services

Two distinct vishing-driven extortion campaigns reached high operational tempo this week. Silent Ransom Group escalated targeting of US law firms, demonstrating a sub-30-minute extortion timeline from initial call to data exfiltration. The group uses fake IT support calls to deploy Quick Assist, AnyDesk, Zoho Assist, Bomgar, SuperOps, and WinSCP, then exfiltrate via Rclone to cloud storage. Ephemeral messaging via Privnote.com is used for ransom demands. Fast-flux residential proxy infrastructure (TTL under 300 seconds) makes IOC-based blocking difficult.

Separately, the Pink Extortion Group is actively targeting Microsoft 365 users via voice phishing, exploiting MFA fatigue (T1621) to gain cloud account access. Both campaigns exploit the same fundamental gap: users cannot distinguish legitimate IT support calls from social engineering, and MFA push notifications create a false sense of security when number matching is not enforced. Organizations in legal, professional services, and financial sectors should immediately enforce MFA number matching in Entra ID, implement strict help desk identity verification callbacks, and conduct targeted vishing simulation training. Confirmed IOC: privnote.com connections from corporate endpoints during RMM sessions are high-confidence indicators for Silent Ransom Group.

Affected platforms: Microsoft 365, Quick Assist, AnyDesk, Rclone, Zoho Assist. Exploitation status: Active, ongoing. Source: FBI IC3 and Mandiant advisories for current infrastructure IOCs.

FIFA World Cup 2026 Threat Landscape: Multi-Vector Campaigns Active Across 16 Host Cities

With the FIFA World Cup 2026 opening in mid-June across 16 host cities in the US, Canada, and Mexico, threat actors have already deployed active infrastructure targeting event attendees, corporate sponsors, telecommunications providers, airlines, hotels, and payment card systems. Recorded Future confirmed spoofed ticketing domains (fifa26-tickets[.]com pattern), active payment fraud infrastructure, and host-city themed domains. Nation-state actors including those aligned with Russia, Iran, and North Korea are expected to conduct disruptive and espionage operations targeting event infrastructure.

The window between now and the tournament’s end represents an elevated threat period for any organization with sponsorship, hospitality, logistics, or travel connections to the event. Corporate travelers attending matches should be briefed on device security, rogue Wi-Fi risks, and credential harvesting attempts themed around ticketing and accommodations. Security teams should block newly registered domains containing FIFA, WC2026, WorldCup2026, host-city names, and major sponsor names at DNS and proxy layers. The full list of 16 host cities includes Boston, Dallas, Miami, Atlanta, Seattle, San Francisco, Kansas City, Philadelphia, New York, Houston, Vancouver, Toronto, Guadalajara, Monterrey, and Mexico City.

Affected sectors: All organizations with FIFA event relationships; broad consumer targeting. Exploitation status: Pre-event infrastructure active, escalating through July 2026. Source: Recorded Future threat intelligence.

Agentic AI Attack Surface Confirmed: Zero-Click Exploit Chains, HITL Bypass, Memory Poisoning

Microsoft’s AI Red Team published findings this week confirming seven new failure modes in agentic AI systems, including zero-click exploit chains against Microsoft Security Copilot and OpenClaw. CVE-2026-25253 is assigned to one component. The report documented trust boundary violations, tool call injection (MITRE AML.T0051), insecure memory handling (AML.T0080), and HITL bypass techniques that allow malicious instructions embedded in external content to drive agent actions without human approval. Additionally, 336 confirmed malicious plugins were identified in the OpenClaw marketplace, and 31 commercial operators were found deploying AI Recommendation Poisoning in production environments.

This confirms that agentic AI is now exploitable infrastructure, not a productivity tool with theoretical risks. Organizations should immediately inventory all agentic deployments, audit tool-call permissions against least privilege principles, verify that memory and context stores reject unvalidated external writes, and instrument agent runtime logs for anomalous tool call sequences. The Claude Code CI/CD prompt injection (SCC-STY-2026-0168) published the same week provides a concrete worked example of this attack class in production environments. Patch Claude Code GitHub Action to v2.1.128 and rotate all CI/CD secrets accessible from affected pipeline environments.

Affected platforms: Microsoft Security Copilot, OpenClaw, MCP ecosystem, Claude Code, broad agentic AI. Exploitation status: Demonstrated, PoC available, active threat. Source: Microsoft Security Blog (2026-06-04); NVD CVE-2026-25253.

Polyfill.io CDN Reactivated: Credential-Harvesting Active Against Major Brand Sites

The polyfill.io CDN — acquired by Funnull CDN in 2024 and flagged at that time as a security risk — was reactivated around May 2026 and is actively serving HTTP 401 responses that trigger browser credential prompts on sites still loading scripts from the domain. Confirmed affected downstream sites include Toshiba, Muji, Samsung Smart TVs, Zojirushi, FiNC Technologies, Ishiyaku Publishers, and Hobonichi. The attack exploits browser native authentication dialogs to harvest credentials at scale (T1556, T1056.003).

This incident is a governance failure: the 2024 compromise was widely publicized, yet organizations maintained polyfill.io as a script dependency for two years. Any organization operating web properties must immediately scan all production HTML, JavaScript bundles, CMS templates, and tag manager configurations for references to polyfill.io and cdn.polyfill.io. Block the domain at WAF, proxy, and DNS layers. Replace with a self-hosted copy or the Cloudflare-maintained fork (verify availability independently). Implement Content Security Policy to prevent unauthorized external script loads going forward. IOC confidence is high: polyfill.io and cdn.polyfill.io should be treated as confirmed malicious.

IOCs (high confidence): polyfill.io, cdn.polyfill.io. Affected sites: Any web property loading scripts from polyfill.io. Source: BleepingComputer (May 2026).
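
The scan and the CSP control recommended above can be checked together. This is an added example, not code from the briefing or its sources: it finds references to the two listed hosts in page or bundle text and tests whether a given Content-Security-Policy header would still let a script load from them. The sample markup and policies are constructed, and `'strict-dynamic'` is not modelled.

```javascript
// Added example: locate polyfill.io references and test a CSP against them.
const BLOCKED_HOSTS = ['polyfill.io', 'cdn.polyfill.io'];

// Match absolute and protocol-relative URLs, then compare the parsed hostname
// exactly, so lookalikes such as "polyfill.io.example.test" are not reported.
function findPolyfillReferences(text) {
  const hits = [];
  const urlPattern = /(?:https?:)?\/\/[^\s"'<>()\\]+/gi;
  text.split('\n').forEach((line, i) => {
    for (const match of line.matchAll(urlPattern)) {
      const raw = match[0];
      let host;
      try {
        host = new URL(raw.startsWith('//') ? 'https:' + raw : raw).hostname;
      } catch {
        continue; // not a parseable URL (for example a stray "//" in a comment)
      }
      if (BLOCKED_HOSTS.includes(host)) hits.push({ line: i + 1, url: raw, host });
    }
  });
  return hits;
}

// Returns true when the policy would permit a <script src> from `host`.
// Simplified model: host and scheme sources only.
function cspAllowsHost(cspHeader, host) {
  const directives = {};
  for (const part of cspHeader.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence governs.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  const sources = directives['script-src-elem'] ||
    directives['script-src'] || directives['default-src'];
  if (!sources) return true; // nothing restricts script loads at all

  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === '*' || s === 'https:' || s === 'http:') return true;
    if (s.startsWith("'")) return false; // 'self', 'none', nonces, hashes
    const hostPart = s.replace(/^[a-z][a-z0-9+.-]*:\/\//, '')
      .split('/')[0].split(':')[0];
    // "*.example.test" covers subdomains but not the bare domain.
    if (hostPart.startsWith('*.')) return host.endsWith(hostPart.slice(1));
    return hostPart === host;
  });
}

// Constructed sample markup: two real references, one lookalike, one local copy.
const SAMPLE_PAGE = [
  '<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>',
  '<script src="//polyfill.io/v3/polyfill.js?features=fetch"></script>',
  '<script src="https://polyfill.io.example.test/lib.js"></script>',
  '<script src="/static/vendor/polyfill.min.js"></script>',
].join('\n');

// Constructed policies: the first is too permissive, the second blocks the hosts.
const WEAK_CSP = "default-src 'self'; script-src 'self' https:";
const STRICT_CSP = "default-src 'self'; script-src 'self' https://cdn.example.test";

for (const hit of findPolyfillReferences(SAMPLE_PAGE)) {
  console.log(`line ${hit.line}: ${hit.url}`);
  console.log(`  weak policy allows load:   ${cspAllowsHost(WEAK_CSP, hit.host)}`);
  console.log(`  strict policy allows load: ${cspAllowsHost(STRICT_CSP, hit.host)}`);
}
```
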

Meta HTS Authentication Bypass Exposes 20,000+ Instagram Accounts via AI Support Tool

Meta’s High Touch Support (HTS) AI-assisted account recovery tool contained an authentication bypass that allowed attackers to submit password reset requests without verifying account ownership, exposing approximately 20,000+ Instagram accounts between April 17 and May 31, 2026. The vulnerability illustrates a recurring control gap in AI-assisted support tooling: automated systems that inherit elevated privileges without inheriting the identity verification requirements of the workflows they replace. The attack is mapped to T1199 (Trusted Relationship) and T1556 (Modify Authentication Process).

Organizations should immediately audit all AI-assisted helpdesk and account recovery workflows. Any tool capable of initiating password resets, email changes, or MFA removal must enforce the same identity verification gates as standard recovery flows. Suspend any tool that cannot verify requestor identity before issuing a reset. For Meta-specific exposure: review Instagram account activity logs for unexpected password resets or email changes between April 17 and May 31, 2026. This incident should be treated as a case study in AI support tool governance, not a Meta-specific one-time event.

Affected platform: Meta Instagram. Exposure window: April 17 – May 31, 2026. Source: Secondary reporting; primary confirmation from Meta pending.

DentaQuest ShinyHunters Breach: 234 GB of Health Data Including Government IDs Exposed

ShinyHunters published 234 GB of DentaQuest (Sun Life subsidiary) data this week, exposing records for 2.6 million accounts including names, government-issued IDs, health records, and dental benefits data for US Medicaid and Medicare beneficiaries. DentaQuest administers dental benefits programs for vulnerable populations, making this a high-impact breach with downstream identity fraud and benefits fraud risk. The breach vector has not been officially confirmed; attack patterns are consistent with valid account compromise (T1078) and cloud storage exfiltration (T1530).

Organizations with EDI feeds, API integrations, or portal access to DentaQuest should immediately suspend automated data flows and audit service account credentials. Healthcare organizations and benefits administrators should brief fraud operations teams on elevated risk for the affected beneficiary population. HIPAA breach notification obligations require assessment by privacy and legal teams. The breach was disclosed via Telegram before formal notification, a pattern increasingly common with ShinyHunters and similar groups that should inform monitoring strategies.

Affected organization: DentaQuest/Sun Life (Medicaid/Medicare dental benefits). Records exposed: 2.6M accounts, 234 GB. Regulatory exposure: HIPAA breach notification assessment required.

WFP Gaza Registration Breach: 600,000 Households in Active Conflict Zone Exposed

The UN World Food Programme’s Self-Registration Application (SRA) for Palestine was breached, exposing registration data for approximately 600,000 households in Gaza. The exposed data includes national IDs, geolocation data, phone numbers, and household composition — information that carries direct physical safety risk for beneficiaries in an active conflict zone. The breach was disclosed via Telegram, not official WFP channels, and the exposure timeline and containment status were unclear at time of briefing.

This incident is relevant to the broader security community as a pattern: humanitarian and NGO registration systems hold uniquely sensitive data (identity combined with geolocation in conflict zones) and are increasingly targeted. Organizations operating similar systems — particularly those holding sensitive population data in conflict or high-risk regions — should immediately audit access controls, implement multi-factor authentication on all externally accessible interfaces, review data minimization practices, and ensure that geolocation data is retained only at operationally necessary granularity. Monitor dark web and Telegram channels for secondary circulation of this dataset.

Affected system: WFP SRA for Palestine. Records exposed: ~600,000 households. Physical risk: High — identity + geolocation in active conflict zone.

CISA KEV & Critical CVE Table

| CVE | Product | CVSS | EPSS | Status | KEV Deadline | Description |
|---|---|---|---|---|---|---|
| CVE-2024-21182 | Oracle WebLogic Server | 9.5 | 89.6% (99.58th pct) | CISA KEV — Active Exploitation | June 4, 2026 (PASSED) | Unauthenticated remote takeover. Patch immediately via Oracle CPU advisory. |
| CVE-2026-28318 | SolarWinds Serv-U | 7.5 | 0.062% (19.65th pct) | CISA KEV — Active Exploitation | June 19, 2026 | Unauthenticated DoS via Content-Encoding: deflate POST. Apply SolarWinds patch; restrict port access. |
| CVE-2025-48595 | Android Framework | 8.4 | 0.006% (0.35th pct) | CISA KEV | June 5, 2026 (PASSED) | Integer overflow enabling local privilege escalation. Deploy June 2026 Android Security Bulletin via MDM. |
| CVE-2026-7473 | Arista EOS | 8.2 | 0.029% (8.7th pct) | CISA KEV | Not yet published at time of briefing | Tunnel protocol decapsulation bypass enabling network boundary violation. Patch per Arista advisory; restrict tunnel traffic. |
| CVE-2026-31816 | Budibase ≤ 3.31.4 | 9.8 | 16.9% (95.1st pct) | CISA KEV — Active Exploitation, Public PoC | Not yet published at time of briefing | Unauthenticated RCE via webhook path query string bypass. Isolate and upgrade immediately. |
| CVE-2025-0108 | Palo Alto PAN-OS GlobalProtect | 9.1 | 94.1% (99.9th pct) | Active Exploitation | Not on KEV at time of briefing | Authentication bypass on management web interface. Restrict management access; apply Palo Alto patch immediately. |
| CVE-2025-52665 | Ubiquiti UniFi OS Server | 9.8 | 26.6% (96.4th pct) | Critical — Vendor Patch Available | Not on KEV | Chained auth bypass enabling unauthenticated root RCE. Patch per Ubiquiti advisory; restrict management interface. |
| CVE-2026-20230 | Cisco Unified CM / Unified CM SME | 9.5 | Not available | Critical — Public PoC Available | Not on KEV | SSRF via WebDialer enabling root escalation. Disable WebDialer; upgrade to 14SU6 / 15SU5. |
| CVE-2026-3300 | Everest Forms Pro (WordPress) | 9.8 | 0.313% (54.8th pct) | Active Exploitation | Not on KEV | Unauthenticated file upload enabling web shell deployment. Disable plugin; apply WAF rules; verify Wordfence advisory for patch. |
| CVE-2026-41089 | Windows Netlogon | 9.8 | 0.095% (26.4th pct) | Active Exploitation Reported | Not on KEV | Critical RCE targeting domain controllers. Apply Microsoft May 2025 cumulative update; restrict Netlogon RPC exposure. |
| CVE-2026-8206 | Kirki WordPress Plugin ≤ 6.0.6 | 9.8 | 0.119% (30.5th pct) | CISA KEV | Not yet published at time of briefing | Improper privilege management enabling password reset bypass. Disable or update plugin immediately. |
| CVE-2026-25253 | Microsoft Security Copilot / OpenClaw / MCP | 9.5 | Not available | Confirmed — Zero-Click Exploit Chains Demonstrated | Not on KEV | Agentic AI trust boundary violations and HITL bypass. Review NVD and MSRC for patch status; audit agentic permissions. |
| CVE-2026-44486 | axios (npm) | 7.5 | Not available | Vulnerability Disclosed | Not on KEV | Proxy-Authorization header leaks to redirect target. Audit proxy-authenticated axios usage; patch when vendor releases fix. |
| CVE-2026-44487 | axios (npm) | 7.4 | Not available | Vulnerability Disclosed | Not on KEV | Proxy-Authorization credential leak across HTTP-to-HTTPS redirects. Rotate proxy credentials; apply patch when available. |
| CVE-2026-44495 | axios (npm) | 8.1 | Not available | Vulnerability Disclosed | Not on KEV | Prototype pollution enabling credential theft and response hijacking. Validate all external input paths to axios config objects; patch when released. |
| CVE-2025-8088 / CVE-2026-21509 | WinRAR / Windows (Gamaredon) | 7.5 / Not confirmed | 9.1% (92.8th pct) | Actively Exploited by Gamaredon APT | Not on KEV | WinRAR path traversal enabling modular malware chain deployment. Patch WinRAR immediately; monitor for LNK/HTA artifacts. |
| CVE-2024-55591 | Fortinet FortiOS / FortiProxy | 9.6 | 94.1% (99.9th pct) | Active Exploitation by Gentlemen Ransomware | Not on KEV at time of briefing | Authentication bypass exploited with AI-assisted TTPs. Patch per FG-IR-24-535; restrict management interface access. |
| CVE-2026-33829 / CVE-2023-35636 | Windows Search URI Handler | 7.5 | 0.26% (49.5th pct) | No Patch Available (Microsoft Declined) | Not on KEV | NTLMv2 hash leak via search: URI. Block outbound SMB (TCP 445); restrict NTLM via Group Policy. |

Supply Chain & Developer Tool Threats

npm Ecosystem Under Coordinated Multi-Actor Attack

The npm ecosystem experienced its most severe week on record. Beyond the Shai-Hulud/SLSA bypass campaign (priority 1.0) and Miasma Red Hat namespace compromise, four additional coordinated npm supply chain campaigns were identified across 176 packages using typosquatting, dependency confusion, and postinstall script injection. The IronWorm Rust-based infostealer campaign separately compromised 36 npm packages via npm Trusted Publishing abuse, deploying eBPF rootkits on Linux systems and exfiltrating credentials over Tor. The Hola Browser Windows distribution pipeline was compromised to deliver a Monero cryptominer via Windows Service masquerading and Defender exclusion modification (T1562.001, T1543.003).

Specific packages confirmed compromised this week:

  • @tanstack/react-router and related @tanstack/* packages (May 11, 2026 wave)
  • All @redhat-cloud-services/* namespace packages (June 1, 2026)
  • @uipath/* (57 packages)
  • @opensearch-project/opensearch
  • @mistralai/mistralai
  • @bitwarden/cli
  • 36 additional IronWorm-compromised packages (see Ox Security advisory)
  • 176 packages across four coordinated campaigns (see Sonatype-2026-003429)
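
To support the lockfile audit called for in the action items, the following added example (not code from the briefing or the cited vendors) walks an npm lockfile in either the `packages` (lockfileVersion 2/3) or `dependencies` (lockfileVersion 1) layout and flags entries from the namespaces and packages listed above, including nested and aliased installs. The sample lockfiles, versions and the `@uipath/constructed-lib` name are constructed; a match means the entry needs checking against the vendor advisories, not that the version is confirmed malicious.

```javascript
// Added example: flag lockfile entries belonging to the namespaces and packages
// named in this briefing so they can be checked against vendor advisories.
const WATCHED_SCOPES = ['@tanstack', '@redhat-cloud-services', '@uipath'];
const WATCHED_PACKAGES = [
  '@opensearch-project/opensearch',
  '@mistralai/mistralai',
  '@bitwarden/cli',
];

function isWatched(name) {
  if (WATCHED_PACKAGES.includes(name)) return true;
  return name.startsWith('@') && WATCHED_SCOPES.includes(name.split('/')[0]);
}

// In lockfileVersion 2/3 the keys of "packages" are install paths; the package
// name is whatever follows the last "node_modules/" (this covers nested copies).
function nameFromInstallPath(installPath) {
  const marker = 'node_modules/';
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? null : installPath.slice(idx + marker.length);
}

function auditLockfile(lock) {
  const findings = [];
  const record = (name, entry, where, modernFormat) => {
    if (!isWatched(name)) return;
    findings.push({
      name,
      version: entry.version || null,
      where,
      // lockfileVersion 1 does not record install scripts, so report null there.
      hasInstallScript: modernFormat ? entry.hasInstallScript === true : null,
      hasIntegrity: typeof entry.integrity === 'string' && entry.integrity !== '',
    });
  };

  if (lock.packages) {
    for (const [installPath, entry] of Object.entries(lock.packages)) {
      if (installPath === '') continue; // the root project itself
      // Aliased installs carry the real package name in "name".
      const name = entry.name || nameFromInstallPath(installPath);
      if (name) record(name, entry, installPath, true);
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: a nested tree keyed by package name.
    const walk = (deps, trail) => {
      for (const [name, entry] of Object.entries(deps)) {
        record(name, entry, trail.concat(name).join(' > '), false);
        if (entry.dependencies) walk(entry.dependencies, trail.concat(name));
      }
    };
    walk(lock.dependencies, []);
  }
  return findings;
}

// Constructed sample lockfiles; versions and integrity strings are placeholders.
const SAMPLE_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@tanstack/react-router': {
      version: '0.0.0-constructed', integrity: 'sha512-CONSTRUCTED',
    },
    'node_modules/left-pad': { version: '1.3.0', integrity: 'sha512-CONSTRUCTED' },
    'node_modules/some-tool/node_modules/@uipath/constructed-lib': {
      version: '0.0.0-constructed', hasInstallScript: true,
    },
    'node_modules/bw': { name: '@bitwarden/cli', version: '0.0.0-constructed' },
  },
};
const SAMPLE_V1 = {
  lockfileVersion: 1,
  dependencies: {
    express: {
      version: '0.0.0-constructed',
      dependencies: { '@mistralai/mistralai': { version: '0.0.0-constructed' } },
    },
  },
};

for (const f of auditLockfile(SAMPLE_V3).concat(auditLockfile(SAMPLE_V1))) {
  console.log(`${f.name}@${f.version} at ${f.where}` +
    (f.hasInstallScript ? ' [install script]' : '') +
    (f.hasIntegrity ? '' : ' [no integrity hash]'));
}
```
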

Miasma Campaign Targets Microsoft GitHub Repositories

The Miasma worm compromised 73 Microsoft GitHub repositories across the Azure, Azure-Samples, Microsoft, and MicrosoftDocs organizations using stolen publisher credentials. The Azure Durable Task ecosystem (durabletask, durabletask-dotnet, durabletask-go, durabletask-js, durabletask-mssql) and the icflorescu/mantine-datatable npm package were among confirmed compromised repositories. AI coding environments including Claude Code, Gemini CLI, Cursor, and VS Code were specifically targeted as propagation vectors. Organizations pulling any of these repositories during the mid-May to June 2026 window should treat those environments as compromised and rotate all accessible credentials immediately.

VS Code Extension Auto-Update Delay: Microsoft’s 2-Hour Mitigation

Microsoft implemented a 2-hour auto-update delay for non-verified VS Code Marketplace extensions, responding to the documented pattern of supply chain attacks via marketplace publisher compromise. Prior disclosures of critical flaws in extensions with 125,000+ combined installs (February 2026, Aikido Security research) and the current attack surface demonstrate that IDE extensions are an active supply chain attack vector. Verified-publisher extensions receive no delay, maintaining the trust gap. Organizations should enforce extension allowlisting via VS Code policy settings and audit all installed extensions against an approved inventory immediately.

GitHub OAuth Token Exfiltration via VS Code Webview (Unpatched Zero-Day)

A disclosed but unpatched VS Code zero-day allows a single click to exfiltrate GitHub OAuth tokens via webview postMessage abuse. A public PoC is available from Aikido Security. No CVE is assigned and no vendor patch exists at time of briefing. All developer workstations using VS Code with GitHub integration should be treated as potentially exposed. Rotate GitHub OAuth tokens, audit repository access logs, and implement token scope restrictions until a vendor patch is released. Monitor Aikido.dev and BleepingComputer for patch status.

SEO-Poisoned Fake Open-Source Tool Sites: Ghidra, dnSpy, SpiderFoot

An active campaign deploys Remus Stealer and AnimateClipper via SEO-poisoned fake download sites impersonating Ghidra (NSA reverse engineering tool), dnSpy, and SpiderFoot. The campaign uses CloudFront-hosted JavaScript redirect layers (TDS infrastructure) that profile sandbox visitors to suppress payload delivery during analysis. Developer and security analyst workstations are the primary target. All open-source security tool downloads must originate exclusively from verified GitHub release pages with SHA-256 hash verification. Enforce application allowlisting to block unsigned executables from user download directories.

Nation-State & APT Activity Summary

Russia

Gamaredon (FSB-linked, Primitive Bear / Shuckworm): Active exploitation of WinRAR CVE-2025-8088 path traversal deploying a modular malware chain (GammaPhish → GammaLoad → GammaWorm → GammaSteel) against Ukrainian government and military targets. GammaWorm propagates via USB (T1091) and network shares (T1080). GammaSteel exfiltrates to AWS S3. C2 routing uses Telegram API (api.telegram.org) for endpoint resolution. LNK persistence, mshta.exe LOLBin abuse, NTFS Alternate Data Streams, and VBScript execution are confirmed TTPs. Gamaredon also functioned as an access broker this week, providing Turla with footholds for Kazuar backdoor deployment — a documented division-of-labor model new to public reporting this cycle.

Turla (FSB-linked, Snake): Deployed Kazuar backdoor against Ukrainian targets via Gamaredon-brokered initial access. Kazuar uses .NET process injection, irregular jitter beaconing, and encrypted channels. This collaboration confirms Russian intelligence services are coordinating offensive cyber operations rather than operating independently.

GREYVIBE: Russia-aligned threat group confirmed using ChatGPT and Google Gemini to augment cyberattacks against Ukrainian organizations. AI is used for spearphishing lure generation (eliminating grammar-based detection heuristics), script development, and target reconnaissance. Traditional email gateway detection based on language quality is no longer reliable against this actor.

China

UNC5221: Sustained 18-month MSP supply chain footholds using Brickstorm, Plenet, and AgentPSD against VMware ESXi, Dell RecoverPoint, Synology NAS, pfSense, and Linux GroupWise. The actor deliberately avoids Windows endpoints with EDR coverage, operating exclusively on EDR-blind appliance infrastructure. Documented re-compromise following prior remediation indicates pre-positioned secondary persistence. Primary attribution source: Mandiant/NVISO — obtain directly for confirmed IOCs.

Pakistan

SideCopy / APT36 (Operation XENOFISCAL): Xeno RAT v1.8.7 deployed against the Afghan Finance Ministry and provincial revenue directorates via LNK-based spearphishing attachments. A separately deployed DeskRAT (Golang ELF implant) targeted Indian military personnel via .desktop file-based persistence on Linux. Capabilities include keylogging (T1056.001), screen capture (T1113), video capture (T1125), clipboard monitoring (T1115), and C2 over HTTP/HTTPS. The use of both Windows and Linux implants in a single campaign indicates expanded capability investment by this actor.

Iran

IRGC-affiliated ransomware operators (OFAC action): The US Treasury OFAC sanctioned Nobitex, Wallex, Bitpin, and Ramzinex this week — four Iranian cryptocurrency exchanges linked to IRGC ransomware payment processing. Any organization that made a ransomware payment routed through these exchanges is subject to OFAC strict liability. Organizations should immediately screen historical crypto transactions against the OFAC SDN list and consult legal counsel.

Regional — South Asia

Asin Android Spyware (ESET attribution, suspected state-linked): Trojanized conflict-themed Android applications targeting Arabic-speaking journalists and OSINT researchers distributed via Facebook and Telegram. Capabilities include audio capture (T1429), SMS control (T1582), location tracking (T1430), and contact exfiltration. Targets are high-risk individuals in conflict zones. Organizations employing journalists or OSINT analysts should immediately audit Android devices for sideloaded applications themed around government news, conflict maps, or PDF utilities.

TA4922 (Multi-Region)

TA4922 expanded beyond East Asia into Europe this week, deploying the novel Atlas RAT with suspected LLM-assisted development. The RAT targets Google Chrome credentials, uses AnyDesk as a delivery/lateral movement vector, and abuses SyncFuture as a malware staging platform. Anti-sandbox evasion targets Microsoft Defender Application Guard. Atlas RAT supports audio capture, screen/video capture, keylogging, clipboard monitoring, and process injection via process hollowing. Block SyncFuture domains and AnyDesk on endpoints where not authorized.

Phishing & Social Engineering Alert

ClickFix and FakeUpdates: Commodity Drive-By at Scale

The DriveSurge Initial Access Broker (IAB) is operating a mass drive-by campaign across thousands of hijacked legitimate websites using ClickFix and FakeUpdates lures. The campaign targets all major browsers (Chrome, Firefox, Edge, Safari, Opera, Brave, Yandex, Vivaldi, Samsung Internet, UC Browser) on Windows and macOS. The attack chain presents fake browser update prompts or CAPTCHA-style “human verification” dialogs instructing users to paste PowerShell commands copied to the clipboard via JavaScript. This technique bypasses URL filtering because initial delivery occurs through legitimate compromised sites with established reputations.

Detection priority: Alert on any browser process spawning PowerShell, cmd.exe, mshta.exe, or wscript.exe. This is the single highest-confidence behavioral indicator for this attack class. No browser functionality requires spawning shell interpreters.
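The detection rule above, sketched over process-creation telemetry as an added example (not part of the original briefing). Event field names and browser image names are assumptions and the sample events are constructed. The rule also follows interpreter-to-interpreter chains, so a browser that launches cmd.exe, which then launches powershell.exe, is still attributed to the browser.

```python
import ntpath

# Assumed Windows image names for browsers the briefing lists; extend for your fleet.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "opera.exe",
                  "brave.exe", "vivaldi.exe"}
# Interpreters named in the briefing, plus pwsh.exe (PowerShell 7).
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
MAX_HOPS = 3  # how far to walk up through chained interpreters


def image_name(path):
    """Lower-cased executable name from a (possibly quoted) Windows path."""
    return ntpath.basename((path or "").strip('" ')).lower()


def browser_spawned_shells(events):
    """Flag shell interpreters whose parent, or interpreter-only ancestry, is a browser.

    events: time-ordered dicts with the hypothetical fields
    host, pid, ppid, image, parent_image, command_line.
    """
    seen = {}    # (host, pid) -> latest process-creation event for that pid
    alerts = []
    for ev in events:
        seen[(ev["host"], ev["pid"])] = ev
        child = image_name(ev.get("image"))
        if child not in SHELL_IMAGES:
            continue
        chain, cur = [child], ev
        for _ in range(MAX_HOPS):
            parent = image_name(cur.get("parent_image"))
            if not parent:
                break
            chain.append(parent)
            if parent in BROWSER_IMAGES:
                alerts.append({
                    "host": ev["host"],
                    "pid": ev["pid"],
                    "chain": list(reversed(chain)),
                    "command_line": ev.get("command_line", ""),
                })
                break
            if parent not in SHELL_IMAGES:
                break  # ordinary parent such as explorer.exe: outside this rule
            cur = seen.get((ev["host"], cur.get("ppid")))
            if cur is None:
                break  # the parent's creation event was not collected
    return alerts


# Constructed sample telemetry (not taken from any real incident).
SAMPLE_EVENTS = [
    {"host": "WS-01", "pid": 4100, "ppid": 3000,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "chrome.exe"},
    {"host": "WS-01", "pid": 5200, "ppid": 4100,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": "cmd.exe /c <constructed>"},
    {"host": "WS-01", "pid": 5300, "ppid": 5200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "powershell.exe <constructed>"},
    {"host": "WS-02", "pid": 700, "ppid": 650,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -File inventory.ps1"},
    {"host": "WS-03", "pid": 900, "ppid": 880,
     "image": r"C:\WINDOWS\SYSTEM32\MSHTA.EXE",
     "parent_image": r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
     "command_line": "mshta.exe <constructed>"},
]

if __name__ == "__main__":
    for alert in browser_spawned_shells(SAMPLE_EVENTS):
        print(alert["host"], " -> ".join(alert["chain"]), "|", alert["command_line"])
```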

SmartApeSG delivered NetSupport RAT (T1219) via a separate ClickFix chain on May 27, 2026, confirmed by SANS ISC diary documentation. Perimeter monitoring should flag the encoded, non-TLS C2 channel used in the dropper stage and NetSupport’s use of a non-standard port (TCP 5405). Set the PowerShell execution policy to AllSigned or Restricted via Group Policy across all endpoints.

AI-Powered Vishing at Scale

Google deployed RCS-based deepfake call detection on Android 12+ this week, recognizing that AI voice cloning has crossed an infrastructure-level threat threshold. Organizations cannot rely on users to distinguish AI-cloned voices from legitimate IT support or executive calls. The Silent Ransom Group, Pink Extortion Group, and multiple ransomware precursor campaigns all used voice phishing as initial access this week. Implement verified callback policies for all IT support actions and require out-of-band confirmation for any identity-affecting action initiated by phone.

FIFA World Cup 2026 Phishing Pre-Season

Phishing domains using tournament keywords are active now, four weeks before opening matches. Users clicking search ads or receiving unsolicited emails about tickets, accommodations, or travel packages are at high risk. Train users to verify URLs against official domains (fifa.com and FIFA26.com only). DNS-layer blocking of keyword-matching newly registered domains should be deployed immediately and maintained through July 2026.

SEO-Poisoned Security Tool Downloads

Security analysts and developers searching for Ghidra, dnSpy, or SpiderFoot via search engines are encountering malicious sites in top search results. This is particularly dangerous because the target population — security professionals — typically has elevated trust in their own judgment about software safety. Enforce policy requiring open-source security tool downloads exclusively from pinned, verified GitHub release pages with hash verification. No exceptions for “quick downloads” during incident response.

Indicators of Compromise

| Campaign / Story | Type | Value | Confidence | Context |
|---|---|---|---|---|
| Polyfill.io CDN | Domain | polyfill.io | High | Reactivated CDN serving HTTP 401 credential-harvesting responses. Block at all layers. |
| Polyfill.io CDN | Domain | cdn.polyfill.io | High | Primary subdomain for malicious script delivery. Block at all layers. |
| Smart TV SDK / Bright Data | Domain | proxyjs.brdtnet.com | High | Bright Data SDK C2 for residential proxy enrollment on iOS, Roku, Samsung, LG devices. |
| Smart TV SDK / Bright Data | Domain | proxyjs.luminatinet.com | High | Bright Data SDK alternate C2 domain. |
| Smart TV SDK / Bright Data | Domain | proxyjs.bright-sdk.com | High | Bright Data SDK alternate C2 domain. |
| Five-Month Stock Exchange LOTL Exfiltration | Domain | api.dropboxapi.com | High | Consumer Dropbox API used for covert email exfiltration. Flag non-browser process connections. |
| Five-Month Stock Exchange LOTL Exfiltration | Domain | onedrive.live.com | High | Personal OneDrive consumer endpoint (distinct from SharePoint) used as secondary exfiltration channel. |
| Silent Ransom Group | Domain | privnote.com | Medium | Legitimate ephemeral messaging service abused for extortion demand delivery. Flag from corporate endpoints during/after RMM sessions. |
| Gamaredon / GammaSteel | Domain | api.telegram.org | High | Gamaredon uses Telegram channels to resolve current C2 endpoints. Flag from non-browser, non-approved processes. |
| Gamaredon / GammaSteel | URL Pattern | amazonaws.com S3 endpoints | High | GammaSteel exfiltration staging destination. Flag outbound PUT/POST to S3 from endpoints without authorized cloud storage function. |
| OFAC Sanctions — IRGC Ransomware | Domain | nobitex.ir | High | OFAC-sanctioned Iranian cryptocurrency exchange. Any transaction routing is an OFAC compliance risk. |
| OFAC Sanctions — IRGC Ransomware | Domain | wallex.ir | High | OFAC-sanctioned Iranian cryptocurrency exchange. |
| OFAC Sanctions — IRGC Ransomware | Domain | bitpin.ir | High | OFAC-sanctioned Iranian cryptocurrency exchange. |
| OFAC Sanctions — IRGC Ransomware | Domain | ramzinex.com | High | OFAC-sanctioned Iranian cryptocurrency exchange. |
| TA4922 / Atlas RAT | Domain | syncfuture[.]com (pattern) | Medium | SyncFuture platform abused as Atlas RAT delivery vector. Block in enterprise environments. |
| FIFA World Cup 2026 Phishing | Domain Pattern | fifa26-tickets[.]com (pattern) | Medium | Spoofed FIFA ticketing infrastructure. Block all non-fifa.com / FIFA26.com FIFA-branded domains. |
| FIFA World Cup 2026 Phishing | Domain Pattern | worldcup2026[.]* | Medium | Newly registered domains in this pattern used for phishing and payment fraud. |
| Miasma / GitHub Repository Compromise | URL | https://github.com/Azure/durabletask | High | Affected GitHub repository — one of 73 disabled by GitHub. Do not use until integrity confirmed restored. |
| Miasma / GitHub Repository Compromise | URL | https://github.com/microsoft/durabletask-mssql | High | Affected GitHub repository — compromised. |
| Shai-Hulud npm Campaign | URL Pattern | raw.githubusercontent.com (anomalous POST/PUT from CI/CD) | Medium | Shai-Hulud uses GitHub repository endpoints for exfiltration. Anomalous POST/PUT from build systems is suspicious. |
| Everest Forms Pro CVE-2026-3300 | URL Pattern | wp-content/uploads/*.php | Medium | PHP files in WordPress upload directory indicate web shell deployment post-exploitation. |
| Budibase CVE-2026-31816 | URL Pattern | ?/webhooks/trigger | High | Query string injection pattern bypassing Budibase authorized() middleware. Flag in API request URLs. |
| Budibase CVE-2026-31816 | URL | https://github.com/imjdl/CVE-2026-31816-rshell | High | Public PoC reverse shell exploit. Presence of requests matching this pattern indicates active exploitation attempt. |
| IronWorm / npm Supply Chain | Domain | Tor network exfiltration infrastructure | High | IronWorm routes harvested credentials over Tor. Monitor for outbound Tor connections from build and developer hosts. |
| Triple Convergence — Weedhack | Domain | api.telegram.org (non-browser process) | Medium | Weedhack/Amatera Stealer exfiltration channel. Flag from non-browser, non-messaging processes. |
| Triple Convergence — Weedhack | Domain | cdn.discordapp.com (non-browser process) | Medium | Weedhack campaign exfiltration via Discord webhooks. Flag from non-browser processes. |
| Claude Code CI/CD Exploit | Tool (Behavioral) | Claude Code GitHub Action Read tool accessing /proc/self/environ | High | Read tool leveraged via prompt injection to access process environment, enabling CI/CD secret exfiltration. Any agent file Read to /proc/ paths is a critical indicator. |
| Silent Ransom Group | Tool (Behavioral) | WinSCP (winscp.exe) / Rclone (rclone.exe) with cloud storage CLI arguments | High | Exfiltration tools used by Silent Ransom Group on legal sector workstations. No legitimate business justification on most legal workstations. |
| PCPJack Cloud SMTP Relay | Behavioral | Sliver C2 binary execution; unexpected cron job creation; outbound SMTP on ports 25/465/587 from non-mail compute instances | Medium | PCPJack builds 230-node SMTP relay network via compromised cloud compute. Specific IOCs withheld by Hunt.io; behavioral detection required. |

Helpful 5: High-Value Low-Effort Mitigations

1. Enforce MFA Number Matching on Microsoft Authenticator — Block MFA Fatigue Now

Why this week: Pink Extortion Group and Silent Ransom Group both exploited MFA push notification fatigue (T1621) to compromise Microsoft 365 accounts. MFA fatigue requires zero technical sophistication from the attacker — the user simply approves the prompt to make the notifications stop. Number matching eliminates this attack vector entirely by requiring the user to enter a matching number displayed on the sign-in screen into the Authenticator app, proving they initiated the authentication.

How to implement:

  1. Sign in to the Microsoft Entra ID admin center (entra.microsoft.com)
  2. Navigate to Protection > Authentication methods > Authentication strengths
  3. Under Microsoft Authenticator, enable Number matching for all users
  4. Verify via Conditional Access that legacy authentication protocols are blocked (this prevents bypass)
  5. Review sign-in logs for MFA prompt burst patterns (5+ prompts within 5 minutes to one account) and create an alert rule
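The burst rule from step 5 (5+ prompts within 5 minutes to one account), written as a sliding-window check over exported sign-in events. This is an added example, not part of the original briefing; the field names `time`, `user` and `result` are assumptions about your log export, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def find_mfa_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Return one alert per burst of `threshold`+ MFA prompts to one account
    inside `window`. Field names (time, user, result) are assumptions."""
    recent = defaultdict(deque)   # account -> prompt times still inside the window
    open_bursts = {}              # account -> alert that is still being extended
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        user = ev["user"].strip().lower()   # compare account names case-insensitively
        now = ev["time"]
        times = recent[user]
        times.append(now)
        while now - times[0] > window:
            times.popleft()
        if len(times) < threshold:
            open_bursts.pop(user, None)     # any earlier burst has ended
            continue
        alert = open_bursts.get(user)
        if alert is None:
            alert = {"user": user, "first_prompt": times[0],
                     "prompts": len(times), "approved": False}
            open_bursts[user] = alert
            alerts.append(alert)
        else:
            alert["prompts"] += 1
        alert["last_prompt"] = now
        # An approval that arrives as part of the burst is the outcome MFA
        # fatigue aims for: treat the account as compromised, not just targeted.
        alert["approved"] = alert["approved"] or ev["result"] == "approved"
    return alerts


def make_event(ts, user, result):
    """Build one constructed sign-in event from an ISO 8601 timestamp."""
    return {"time": datetime.fromisoformat(ts), "user": user, "result": result}


# Constructed sample data: alice is pushed until she approves, bob's prompts are
# spread over half an hour, carol denies six prompts in under three minutes.
SAMPLE_PROMPTS = [
    make_event("2026-06-08T09:00:00+00:00", "alice@example.com", "denied"),
    make_event("2026-06-08T09:00:40+00:00", "alice@example.com", "denied"),
    make_event("2026-06-08T09:01:30+00:00", "alice@example.com", "timeout"),
    make_event("2026-06-08T09:02:10+00:00", "alice@example.com", "denied"),
    make_event("2026-06-08T09:03:05+00:00", "Alice@Example.com", "approved"),
    make_event("2026-06-08T09:00:00+00:00", "bob@example.com", "denied"),
    make_event("2026-06-08T09:07:00+00:00", "bob@example.com", "denied"),
    make_event("2026-06-08T09:14:00+00:00", "bob@example.com", "denied"),
    make_event("2026-06-08T09:21:00+00:00", "bob@example.com", "denied"),
    make_event("2026-06-08T09:28:00+00:00", "bob@example.com", "denied"),
    make_event("2026-06-08T10:00:00+00:00", "carol@example.com", "denied"),
    make_event("2026-06-08T10:00:20+00:00", "carol@example.com", "denied"),
    make_event("2026-06-08T10:00:45+00:00", "carol@example.com", "denied"),
    make_event("2026-06-08T10:01:10+00:00", "carol@example.com", "denied"),
    make_event("2026-06-08T10:01:40+00:00", "carol@example.com", "denied"),
    make_event("2026-06-08T10:02:30+00:00", "carol@example.com", "denied"),
]

if __name__ == "__main__":
    for a in find_mfa_bursts(SAMPLE_PROMPTS):
        state = "APPROVED during burst" if a["approved"] else "not approved"
        print(f'{a["user"]}: {a["prompts"]} prompts from {a["first_prompt"]} ({state})')
```

Alerts with `approved` set should go straight to session revocation and credential reset rather than user-awareness follow-up.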

Framework alignment: NIST 800-53r5 IA-2 (Identification and Authentication), NIST AC-7 (Unsuccessful Logon Attempts); CIS v8.1 6.3 (Require MFA for Externally-Exposed Applications), 6.5 (Require MFA for Administrative Access)

2. Block Outbound SMB (TCP 445) to External IPs — Prevent NTLMv2 Hash Theft

Why this week: CVE-2026-33829 (Windows Search URI handler NTLMv2 hash leak) has no patch and Microsoft declined to fix it. A single click on a malicious link or opening a crafted Office document can trigger an automatic NTLM authentication to an attacker-controlled server, handing over crackable NTLMv2 hashes. With no patch available, perimeter blocking is the only reliable mitigation.

How to implement:

  1. Add a firewall rule blocking outbound TCP 445 and TCP 139 to all non-RFC1918 destinations from all endpoint and server subnets
  2. Verify cloud-hosted Windows workloads and VPN-connected endpoints are also covered
  3. In Group Policy: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > “Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers” — set to “Deny all” or use Microsoft KB 5005413 configuration
  4. Enable SMB signing: “Microsoft network server: Digitally sign communications (always)” = Enabled
  5. Validate via controlled test from an internal workstation to a monitored external IP on TCP 445 (should be blocked)

Framework alignment: NIST 800-53r5 SC-7 (Boundary Protection), SC-8 (Transmission Confidentiality and Integrity), IA-5 (Authenticator Management); CIS v8.1 4.4 (Implement and Manage a Firewall on Servers), 4.5 (Implement and Manage a Firewall on End-User Devices), 5.2 (Use Unique Passwords)

3. Pin npm Dependencies to Verified Hashes — Block Supply Chain Injection Immediately

Why this week: The Shai-Hulud and Miasma campaigns demonstrated that SLSA attestation and package signatures alone cannot be trusted when the GitHub account or OIDC publishing trust is compromised. The only reliable protection for currently deployed pipelines is hash-pinned lockfiles that prevent automatic resolution of newer (potentially compromised) package versions.

How to implement:

  1. Run npm ci instead of npm install in all CI/CD pipelines — this enforces lockfile integrity and refuses to proceed if package-lock.json is out of sync
  2. Review package-lock.json and yarn.lock files for any @tanstack/*, @redhat-cloud-services/*, @uipath/*, @opensearch-project/opensearch, @mistralai/mistralai, or @bitwarden/cli entries and verify their resolution timestamps predate May 1, 2026
  3. Add npm audit --audit-level=critical as a required pipeline gate
  4. Configure your internal registry (Artifactory, Nexus) to block direct public npm registry fallback for private-namespace packages (dependency confusion prevention)
  5. For confirmed affected packages: replace with verified alternatives or pin to confirmed clean pre-compromise versions
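The lockfile review in step 2, automated as an added example (not part of the original briefing or any vendor tooling). It reads the `packages` map of a lockfileVersion 2 or 3 `package-lock.json`, reports entries that match the package patterns listed above, and also reports entries that lack a sha512 integrity value or resolve from an unexpected host; the sample lockfile, its versions and its integrity strings are constructed.

```python
import json
from fnmatch import fnmatchcase
from urllib.parse import urlparse

# Package patterns named in this briefing's audit step.
WATCHLIST = ["@tanstack/*", "@redhat-cloud-services/*", "@uipath/*",
             "@opensearch-project/opensearch", "@mistralai/mistralai",
             "@bitwarden/cli"]


def audit_lockfile(lock_text, allowed_hosts=("registry.npmjs.org",)):
    """Audit a package-lock.json (lockfileVersion 2 or 3) and return findings.

    Each finding is {"name", "version", "path", "reasons"}.
    """
    lock = json.loads(lock_text)
    packages = lock.get("packages")
    if packages is None:
        raise ValueError("no 'packages' map: lockfileVersion 1 is not handled here")
    findings = []
    for path, meta in packages.items():
        # Skip the root project, workspace folders/links and bundled deps,
        # which legitimately carry no resolved URL or integrity value.
        if "node_modules/" not in path or meta.get("link") or meta.get("inBundle"):
            continue
        name = path.rsplit("node_modules/", 1)[-1]   # also handles nested installs
        reasons = []
        if any(fnmatchcase(name, pattern) for pattern in WATCHLIST):
            reasons.append("watchlisted package")
        integrity = meta.get("integrity", "")
        if not integrity:
            reasons.append("no integrity hash")
        elif not integrity.startswith("sha512-"):
            reasons.append("weak integrity algorithm")
        host = urlparse(meta.get("resolved", "")).hostname
        if host not in allowed_hosts:
            reasons.append(f"resolved from {host or 'unknown source'}")
        if reasons:
            findings.append({"name": name, "version": meta.get("version"),
                             "path": path, "reasons": reasons})
    return findings


# Constructed lockfile: versions, hosts and integrity strings are placeholders.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/example-dep": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/example-dep/-/example-dep-1.0.0.tgz",
            "integrity": "sha512-CONSTRUCTED"},
        "node_modules/@tanstack/query-core": {
            "version": "0.0.0-constructed",
            "resolved": "https://registry.npmjs.org/@tanstack/query-core/-/query-core-0.0.0.tgz",
            "integrity": "sha512-CONSTRUCTED"},
        "node_modules/example-dep/node_modules/@bitwarden/cli": {
            "version": "0.0.0-constructed",
            "resolved": "https://registry.npmjs.org/@bitwarden/cli/-/cli-0.0.0.tgz"},
        "node_modules/internal-lib": {
            "version": "2.1.0",
            "resolved": "https://packages.example.invalid/internal-lib-2.1.0.tgz",
            "integrity": "sha1-CONSTRUCTED"},
        "node_modules/workspace-pkg": {"resolved": "packages/workspace-pkg", "link": True},
    },
})

if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCK):
        print(f'{f["name"]}@{f["version"]} ({f["path"]}): {"; ".join(f["reasons"])}')
```

Pass your internal registry hostname in `allowed_hosts` if builds resolve through Artifactory or Nexus.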

Framework alignment: NIST 800-53r5 SI-7 (Software, Firmware, and Information Integrity), SR-3 (Supply Chain Controls and Processes), CM-3 (Configuration Change Control); CIS v8.1 2.3 (Address Unauthorized Software), 2.5 (Allowlist Authorized Software), 2.6 (Allowlist Authorized Libraries)

4. Block polyfill.io at DNS and WAF — Active Credential Harvesting in Production

Why this week: The polyfill.io CDN is actively serving credential-harvesting HTTP 401 responses to sites that still load scripts from the domain. This is not a theoretical risk — named brand sites including Toshiba, Samsung, and Muji are confirmed affected. The fix takes minutes; the risk of inaction is active credential theft from your users visiting affected pages.

How to implement:

  1. Add polyfill.io and *.polyfill.io to your DNS sinkhole and WAF blocklist immediately
  2. Scan all web application source repositories, CMS templates, and tag manager entries: grep -r "polyfill.io" --include="*.html" --include="*.js" --include="*.php" .
  3. For any match found: remove the script tag and replace with either a self-hosted copy of polyfill.js pinned to a verified commit, or the Cloudflare-maintained fork at cdnjs.cloudflare.com/polyfill (verify availability independently)
  4. Add Subresource Integrity (SRI) hashes to all remaining third-party script tags
  5. Deploy or strengthen Content Security Policy with a strict script-src allowlist
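Steps 2 through 4 combined into one template audit, as an added example that is not part of the original briefing: it parses HTML, flags any script loaded from polyfill.io or a subdomain, flags other third-party scripts that carry no `integrity` attribute, and computes the SRI value for a script you have verified. The sample markup and hostnames are constructed.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

BLOCKED_DOMAIN = "polyfill.io"


class ScriptAudit(HTMLParser):
    """Collect findings for <script src=...> tags in one HTML document."""

    def __init__(self, first_party_hosts=()):
        super().__init__()
        self.first_party = {h.lower() for h in first_party_hosts}
        self.findings = []   # (line, kind, src)

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = {name: (value or "") for name, value in attrs}
        src = attr.get("src", "").strip()
        # urlparse also resolves protocol-relative URLs such as //host/path.
        host = (urlparse(src).hostname or "").lower()
        if not host or host in self.first_party:
            return   # inline, relative or same-site script
        line = self.getpos()[0]
        if host == BLOCKED_DOMAIN or host.endswith("." + BLOCKED_DOMAIN):
            self.findings.append((line, "blocked-domain", src))
        elif not attr.get("integrity"):
            self.findings.append((line, "missing-sri", src))


def audit_html(html, first_party_hosts=()):
    """Return (line, kind, src) findings for one HTML document."""
    parser = ScriptAudit(first_party_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


def sri_hash(data):
    """integrity attribute value (sha384) for the exact bytes of a script."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode()


# Constructed template; hostnames other than polyfill.io are placeholders.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="//polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script src="https://cdn.example.net/pinned.js" integrity="sha384-CONSTRUCTED" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
<script>console.log("inline")</script>
</head></html>"""

if __name__ == "__main__":
    for line, kind, src in audit_html(SAMPLE_HTML):
        print(f"line {line}: {kind}: {src}")
    print(sri_hash(b"console.log('verified copy');"))
```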

Framework alignment: NIST 800-53r5 SR-3 (Supply Chain Controls and Processes), SA-9 (External System Services), CM-3 (Configuration Change Control); CIS v8.1 2.1 (Establish and Maintain a Software Inventory), 2.3 (Address Unauthorized Software), 7.1 (Establish and Maintain a Vulnerability Management Process)

5. Disable or Restrict ATG Internet Exposure — 900+ Systems Already Compromised

Why this week: More than 900 US automatic tank gauge systems are confirmed actively compromised via internet-exposed management interfaces and default vendor credentials. If your organization operates fuel storage at any facility — gas stations, fleet depots, generator farms, data center backup fuel — ATG systems may be present on your network. These devices are rarely managed by IT security teams and are frequently internet-exposed as a “convenience” for remote monitoring.

How to implement:

  1. Run a Shodan query or external exposure scan scoped to your organization’s IP ranges, searching for ATG-specific banners (TLS-450, SiteSentinel, Veeder-Root, Franklin Fueling) or open ports TCP 10001, TCP 502, TCP 80/443 on OT subnets
  2. Any result is an immediate finding: take the device offline or place it behind a firewall with deny-all inbound rules
  3. If remote access is operationally required, restrict to VPN with MFA only
  4. Change all default and hardcoded credentials immediately (CIS 4.7)
  5. Contact Franklin Fueling, Veeder-Root, and OPW for firmware updates addressing CWE-798, CWE-287, CWE-78, CWE-89, and CWE-269

Framework alignment: NIST 800-53r5 SC-7 (Boundary Protection), AC-17 (Remote Access), AC-4 (Information Flow Enforcement), IA-5 (Authenticator Management); CIS v8.1 1.1 (Establish and Maintain Detailed Enterprise Asset Inventory), 4.4 (Implement and Manage a Firewall on Servers), 4.7 (Manage Default Accounts)

Framework Alignment Matrix

| Threat | MITRE Tactic | MITRE Technique | NIST 800-53r5 | CIS v8.1 |
|---|---|---|---|---|
| Shai-Hulud / npm SLSA Bypass | Initial Access / Persistence | T1195.001, T1195.002, T1554 | SI-7, SR-3, CM-3, AC-6 | 2.3, 2.5, 2.6, 15.1 |
| Miasma Red Hat Namespace | Initial Access / Credential Access | T1195.001, T1552.001, T1552.004, T1528 | SI-7, SR-3, IA-5, SA-9 | 2.3, 5.2, 6.3, 15.1 |
| UNC5221 MSP Supply Chain (18-month) | Initial Access / Persistence / Lateral Movement | T1199, T1133, T1505.003, T1021, T1078 | AC-17, AC-20, CA-7, SI-4, SR-3 | 6.3, 6.4, 6.5, 8.2, 15.1 |
| Gamaredon WinRAR CVE-2025-8088 | Initial Access / Execution / Exfiltration | T1190, T1566.001, T1102, T1567.002, T1053.005 | SI-2, SI-4, SC-7, AT-2, AU-6 | 7.3, 7.4, 14.2, 8.2 |
| ATG / Critical Infrastructure Compromise | Initial Access / Impact | T1190, T1078.001, T0831, T0812 | SC-7, AC-17, IA-5, CM-6, AU-9 | 1.1, 4.4, 4.7, 5.2, 6.3 |
| Silent Ransom Group Vishing | Initial Access / Collection / Exfiltration | T1566.004, T1219, T1567, T1048, T1090.003 | AC-17, IA-2, AT-2, SI-4, AU-6 | 6.3, 6.4, 6.5, 14.2, 8.2 |
| Pink Extortion / MFA Fatigue | Credential Access / Defense Evasion | T1621, T1078.004, T1598.004 | IA-2, AC-7, AU-6 | 6.3, 6.5, 14.2 |
| Oracle WebLogic CVE-2024-21182 (KEV) | Initial Access / Persistence | T1190, T1505.003, T1133 | SI-2, CM-7, SC-7, AC-6 | 7.3, 7.4, 6.3 |
| Budibase CVE-2026-31816 (KEV) | Initial Access / Execution | T1190, T1059, T1078 | SI-2, SI-10, AC-3, RA-5 | 7.3, 7.4, 6.1 |
| Arista EOS CVE-2026-7473 (KEV) | Defense Evasion / Lateral Movement | T1599, T1572, T1021 | AC-4, AC-3, CM-7 | 4.2, 6.1, 6.2 |
| Palo Alto PAN-OS CVE-2025-0108 | Initial Access / Defense Evasion | T1190, T1078 | SC-7, SI-2, AC-17 | 6.3, 7.3, 7.4 |
| Claude Code CI/CD Prompt Injection | Initial Access / Credential Access | T1195.001, T1552.001, T1059.004 | AC-6, SI-10, SI-7, AU-2 | 16.10, 6.1, 7.4 |
| Agentic AI Attack Surface (CVE-2026-25253) | Initial Access / Collection / Exfiltration | T1195, T1602, T1530, T1059 | SA-9, SR-3, AC-6, AU-2, SI-7 | 16.10, 3.3, 6.1, 6.2 |
| Polyfill.io Credential Harvesting | Initial Access / Collection | T1556, T1056.003, T1189, T1195.002 | SR-3, SA-9, CM-3, SI-4 | 2.1, 2.3, 16.4, 15.1 |
| Windows Search URI NTLMv2 Leak (CVE-2026-33829) | Credential Access / Initial Access | T1187, T1557.001, T1566.002 | SC-7, SC-8, IA-5 | 4.4, 4.5, 5.2 |
| DriveSurge ClickFix / FakeUpdates | Initial Access / Execution | T1189, T1059.001, T1204.002, T1219 | SI-3, SI-4, CM-7, AT-2 | 2.5, 2.6, 14.2 |
| SolarWinds Serv-U CVE-2026-28318 (KEV) | Impact | T1499, T1499.002 | SC-5, SI-2 | 7.3, 7.4 |
| Ransomware Ecosystem (RaaS Fragmentation) | Initial Access / Impact | T1566, T1078, T1486, T1490, T1489 | CP-9, CP-10, SI-3, SI-8, AC-6 | 6.3, 6.4, 8.2, 14.2 |
| Meta HTS Authentication Bypass | Credential Access / Persistence | T1199, T1556, T1098, T1078 | AC-3, AC-6, IA-2, IA-5 | 6.1, 6.3, 6.5 |
| WFP Gaza Registration Breach | Collection / Exfiltration | T1530, T1567, T1213, T1190 | SC-28, AC-3, IA-5, RA-5 | 3.2, 3.3, 6.1, 6.2 |

Upcoming Security Events & Deadlines

Immediate CISA KEV Remediation Deadlines

  • June 4, 2026 (PASSED): Oracle WebLogic CVE-2024-21182 — Federal civilian agencies required; all others should treat as urgent
  • June 5, 2026 (PASSED): Android Framework CVE-2025-48595 — Apply June 2026 Android Security Bulletin via MDM; escalate unpatched devices to non-compliant status
  • June 19, 2026: SolarWinds Serv-U CVE-2026-28318 — 11 days remaining; restrict port access and apply patch immediately
  • Arista EOS CVE-2026-7473: KEV deadline not yet published at time of briefing — monitor cisa.gov for update; treat as urgent given active KEV listing
  • Budibase CVE-2026-31816: KEV deadline not yet published — critical, active PoC; isolate immediately regardless of deadline
  • Kirki WordPress CVE-2026-8206: KEV deadline not yet published — disable or update immediately

Patch Tuesday

  • Next Microsoft Patch Tuesday: July 8, 2026 — Prepare testing environment for Windows domain controller updates, particularly given active Netlogon CVE-2026-41089 exploitation

Event-Based Elevated Threat Windows

  • FIFA World Cup 2026: Opens mid-June 2026, runs through July 2026 — Elevated threat period for all organizations with event relationships. Maintain enhanced monitoring through July 2026.
  • World Cup Host City Alert: Boston, Dallas, Miami, Atlanta, Seattle, San Francisco, Kansas City, Philadelphia, New York, Houston, Vancouver, Toronto, Guadalajara, Monterrey, Mexico City — Regional organizations should implement DNS keyword blocking and user awareness campaigns now.

Vendor and Platform Deadlines

  • TRENDnet TEW-432BRP firmware 3.10B20: End of life — no patch available (CVE-2026-10119). Decommission immediately; no future security updates will be issued.
  • GEO my WP plugin ≤ 4.5.5: Patch expected; monitor wordpress.org/plugins/geo-my-wp/changelog/ for updated release addressing CVE-2026-9757.
  • VS Code zero-day (GitHub OAuth token exfiltration): No patch available; no CVE assigned. Monitor Microsoft VS Code security advisories for patch announcement.
  • axios npm package (three CVEs: CVE-2026-44486, CVE-2026-44487, CVE-2026-44495): Patches pending; monitor GHSA advisories and axios GitHub releases for patched versions.
  • Cisco Unified CM CVE-2026-20230: Patches available at 14SU6 and 15SU5; deploy immediately given public PoC.

Upcoming Compliance and Reporting Milestones

  • Organizations with DentaQuest data relationships: Assess HIPAA breach notification obligations immediately — 60-day notification clock applies from when breach is known
  • Organizations that processed ransomware payments in 2024-2025: Screen historical crypto transactions against OFAC SDN list additions (Nobitex, Wallex, Bitpin, Ramzinex) and consult legal counsel within 30 days
  • White House AI Cybersecurity Executive Order (June 2026): Federal agencies should begin tracking clearinghouse publications; private sector should monitor for procurement and supply chain implications

Sources

Section 2 — Critical Action Items

  • Wiz Shai-Hulud analysis: https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
  • Oracle CPU advisory (search by CVE): https://www.oracle.com/security-alerts/
  • SolarWinds Trust Center: https://www.solarwinds.com/trust-center/
  • CISA KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  • Arista Security Advisories: https://advisories.arista.com
  • Anthropic Claude Code GitHub Action: https://github.com/anthropics/claude-code-action
  • Cisco Security Advisory CVE-2026-20230: https://sec.cloudapps.cisco.com/security/center/publicationListing.x

Section 3 — Key Security Stories

  • Shai-Hulud (Wiz): https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack
  • Unit 42 npm monitoring: https://unit42.paloaltonetworks.com/monitoring-npm-supply-chain-attacks/
  • Microsoft Security Blog Shai-Hulud 2.0: https://www.microsoft.com/en-us/security/blog/2025/12/09/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack/ (search-retrieved; recommend human validation)
  • StepSecurity Mini Shai-Hulud: https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem
  • Red Hat npm namespace (npm.js): https://www.npmjs.com/org/redhat-cloud-services
  • Ox Security IronWorm: https://www.ox.security/blog/npm-2-0-hack-40-npm-packages-hit-in-major-supply-chain-attack/ (search-retrieved; recommend human validation)
  • BleepingComputer Polyfill.io (May 2026): Search bleepingcomputer.com for “polyfill.io 2026” — recommend human validation of current URL
  • Claude Code CI/CD exploit (Microsoft): https://www.microsoft.com/en-us/security/blog/2026/06/05/securing-ci-cd-in-agentic-world-claude-code-github-action-case/ (search-retrieved; recommend human validation)
  • NVD CVE-2026-25253: https://nvd.nist.gov/vuln/detail/CVE-2026-25253
  • Aikido VS Code zero-day research: https://www.aikido.dev/blog/vs-code-extension-github-breach (search-retrieved; recommend human validation)
  • BleepingComputer VS Code zero-day: https://www.bleepingcomputer.com/news/security/vs-code-zero-day-lets-hackers-steal-github-tokens-in-one-click/ (search-retrieved; recommend human validation)
  • CISA ATG advisory: https://www.cisa.gov (monitor for current advisory)
  • Recorded Future FIFA World Cup 2026 threat assessment: Search recordedfuture.com — recommend human validation of current URL

Section 4 — CVE Table

  • NVD CVE-2024-21182: https://nvd.nist.gov/vuln/detail/CVE-2024-21182
  • NVD CVE-2025-0108: https://nvd.nist.gov/vuln/detail/CVE-2025-0108
  • Palo Alto Security Advisory CVE-2025-0108: https://security.paloaltonetworks.com/CVE-2025-0108
  • Ubiquiti / Bishop Fox CVE-2025-52665: https://bishopfox.com/blog/popping-root-on-unifi-os-server-unauthenticated-rce-chain-detection-analysis (search-retrieved; recommend human validation)
  • FortiGuard FG-IR-24-535 (CVE-2024-55591): https://fortiguard.com/psirt/FG-IR-24-535 (search-retrieved; recommend human validation)
  • Watchtowrlabs FortiOS PoC: https://github.com/watchtowrlabs/fortios-auth-bypass-poc-CVE-2024-55591
  • Wordfence Everest Forms Pro CVE-2026-3300: Search wordfence.com/threat-intel — recommend human validation
  • CISA KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Section 6 — Nation-State Activity

  • ESET Gamaredon research: https://www.welivesecurity.com (search for Gamaredon 2026 — recommend human validation)
  • Mandiant UNC5221 reporting: https://www.mandiant.com (obtain primary report for confirmed IOCs)
  • NVISO UNC5221 reporting: https://blog.nviso.eu (obtain primary report for confirmed IOCs)
  • CYFIRMA SideCopy/APT36 Operation XENOFISCAL: https://www.cyfirma.com (search-retrieved; recommend human validation)
  • SOC Prime SideCopy detection: https://socprime.com (search-retrieved; recommend human validation)
  • OFAC Treasury press release (Nobitex): https://home.treasury.gov/news/press-releases/sb0519 (search-retrieved; recommend human validation)

Section 7 — Phishing and Social Engineering

  • Silent Push DriveSurge research: https://silentpush.com/blog/drivesurge (search-retrieved; recommend human validation)
  • SANS ISC diary SmartApeSG (May 27, 2026): https://isc.sans.edu (search isc.sans.edu for 2026-06-01 diary)
  • Google Android deepfake call detection announcement: https://blog.google/products/android/ (search-retrieved; recommend human validation)

Section 9 — Helpful 5

  • Microsoft KB 5005413 (NTLM restriction): https://support.microsoft.com/kb/5005413 (search-retrieved; recommend human validation)
  • NIST SP 800-53 Rev. 5: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
  • CIS Controls v8.1: https://www.cisecurity.org/controls/v8
  • Shodan ATG search: https://www.shodan.io

Section 11 — Events and Deadlines

  • CISA KEV Catalog (live deadlines): https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  • Microsoft MSRC CVE-2026-41089: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41089
  • OFAC SDN Search: https://sdnsearch.ofac.treas.gov
  • White House AI Executive Order (search Federal Register for June 2026): https://www.federalregister.gov
  • Budibase CVE-2026-31816 GitHub PoC: https://github.com/imjdl/CVE-2026-31816-rshell

Note: URLs labeled “search-retrieved” were not verified against active content at time of briefing and should be validated by human review before use as definitive references. URLs from NVD (nvd.nist.gov), CISA (cisa.gov), NIST (csrc.nist.gov), and vendor security advisory portals are primary authoritative sources.

Integrity Lock active — no configuration modifications permitted during this session. This briefing was generated under GAIO v1.0 configuration with Specialist authority level. Framework control citations are sourced exclusively from the verified NIST 800-53r5, CIS v8.1, and MITRE D3FEND knowledge base provided at session initialization. IOC values are reproduced as provided in the SCC pipeline data; confidence levels are as documented in the source items.

Author

Tech Jacks Solutions
