Monday roundup. Same chaos, fresh week.
A shady developer tool led to compromises, long-dormant vulnerabilities resurfaced, and even security tools turned out to need protection from themselves. Plenty of organizations spent the week auditing legacy systems and neglected servers that should have been updated ages ago. Classic.
Phishing operations are leveling up as well — fewer clumsy scam attempts, more carefully crafted campaigns that genuinely look legitimate. At the same time, botnets are scooping up every internet-exposed asset they can find like it’s going out of style. The web remains a hot mess.
Here’s what went down.
⚡ Threat of the Week
GitHub Breached Through Nx Console VS Code Extension—GitHub has officially confirmed that the intrusion into its internal repositories stemmed from a compromised employee workstation running a tampered build of the Nx Console extension for Microsoft Visual Studio Code (VS Code). The attack reportedly enabled the threat actor, a cybercriminal outfit called TeamPCP, to siphon off roughly 3,800 repositories. GitHub stated it has taken containment measures and rotated all critical secrets, noting it continues to watch for any follow-up activity. The Nx team disclosed that the extension, nrwl.angular-console, was compromised after one of its developers’ machines was breached in the wake of the recent TanStack supply chain attack. Other organizations affected by the TanStack incident include OpenAI, Mistral AI, and Grafana Labs. Grafana Labs also faced an extortion demand, though the company confirmed it refused to pay the attackers who had threatened to leak its source code. These events represent just a handful of the downstream casualties still surfacing from the Mini Shai-Hulud campaign. Combined with TeamPCP’s public release of the Shai-Hulud source code, this signals a major shift in software supply chain threats: adversaries now have a turnkey playbook for building similar worms aimed at open-source repositories and developer workflows.
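A tampered extension is only caught if you know what the clean one looked like. The script below is an added example (it is not GitHub's or the Nx team's code) of the check a workstation-security team would run after a story like this: inventory every installed VS Code extension, hash the whole extension directory (not just the manifest, since a swapped JavaScript bundle is exactly the kind of change a manifest-only check misses), and diff the result against a baseline recorded on a known-good machine. It assumes the standard on-disk layout, ~/.vscode/extensions/<publisher>.<name>-<version>/package.json; the extension tree it builds is constructed in a temp directory, and the version strings in it are placeholders.

```python
"""Inventory installed VS Code extensions and diff them against a trusted baseline.

Added example; this is not GitHub's or the Nx team's code. It assumes the
standard on-disk layout (~/.vscode/extensions/<publisher>.<name>-<version>/
with a package.json manifest) and a baseline mapping extension id -> digest
that you recorded from a known-good machine. The extension tree built below
is constructed in a temp dir; the version strings are placeholders.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def ext_id(pkg: dict) -> str:
    """Marketplace-style id, e.g. nrwl.angular-console."""
    return f"{pkg.get('publisher', '?')}.{pkg.get('name', '?')}".lower()


def sha256_tree(ext_dir: Path) -> str:
    """Digest every file in the extension directory (relative path + bytes) in a
    stable order, so a swapped JS bundle is caught even when package.json is untouched."""
    h = hashlib.sha256()
    for f in sorted(p for p in ext_dir.rglob("*") if p.is_file()):
        h.update(str(f.relative_to(ext_dir)).encode() + b"\0")
        h.update(f.read_bytes() + b"\0")
    return h.hexdigest()


def inventory(ext_root: Path) -> dict:
    """Map extension id -> {version, digest, dir} for each directory with a manifest."""
    found = {}
    for pkg_file in sorted(ext_root.glob("*/package.json")):
        try:
            pkg = json.loads(pkg_file.read_text())
        except json.JSONDecodeError:
            continue  # unreadable manifest: skipped here, but worth a manual look
        found[ext_id(pkg)] = {
            "version": pkg.get("version", "?"),
            "digest": sha256_tree(pkg_file.parent),
            "dir": pkg_file.parent.name,
        }
    return found


def diff_against_baseline(found: dict, baseline: dict) -> dict:
    """Bucket installed extensions as ok / modified / unknown; list baseline entries that vanished."""
    report = {"ok": [], "modified": [], "unknown": [], "missing": []}
    for eid, info in sorted(found.items()):
        if eid not in baseline:
            report["unknown"].append(eid)
        elif baseline[eid] != info["digest"]:
            report["modified"].append(eid)
        else:
            report["ok"].append(eid)
    report["missing"] = sorted(set(baseline) - set(found))
    return report


def build_sample_tree():
    """Constructed extension tree: baseline it, then tamper with one bundle and sideload another."""
    root = Path(tempfile.mkdtemp(prefix="vscode-ext-"))
    manifests = [
        {"publisher": "nrwl", "name": "angular-console", "version": "0.0.0-placeholder"},
        {"publisher": "ms-python", "name": "python", "version": "0.0.0-placeholder"},
    ]
    baseline = {}
    for pkg in manifests:
        d = root / f"{pkg['publisher']}.{pkg['name']}-{pkg['version']}"
        (d / "dist").mkdir(parents=True)
        (d / "package.json").write_text(json.dumps({**pkg, "main": "./dist/main.js"}))
        (d / "dist" / "main.js").write_text("exports.activate = () => {};\n")
        baseline[ext_id(pkg)] = sha256_tree(d)
    # Tampering after the baseline was taken: the manifest is unchanged, the bundle is not.
    with open(root / "nrwl.angular-console-0.0.0-placeholder" / "dist" / "main.js", "a") as fh:
        fh.write("// bytes appended after baselining (constructed)\n")
    # A sideloaded extension the baseline never saw.
    extra = root / "acme.helper-0.0.1"
    extra.mkdir()
    (extra / "package.json").write_text(
        json.dumps({"publisher": "acme", "name": "helper", "version": "0.0.1"}))
    return root, baseline


def demo() -> dict:
    root, baseline = build_sample_tree()
    return diff_against_baseline(inventory(root), baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real fleet, point `inventory()` at each user's extensions directory and ship the baseline from a golden image; anything in `modified` or `unknown` is a ticket, and an extension id that is absent from the Marketplace listing you expect (publisher typo, unexpected version directory) deserves the same treatment even before its hash is compared.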
🔔 Top News
- Microsoft Dismantled Fox Tempest—Microsoft has taken action against Fox Tempest, a cyber threat group that powered Rhysida ransomware campaigns and other infections involving Oyster, Lumma Stealer, and Vidar. The group functioned upstream in the malware and ransomware supply chain, serving as an enabler by supplying tools that other threat actors leveraged to launch attacks. Among these was a fraudulent code-signing service that allowed cybercriminals to push malware through trusted channels without raising alarms. While the resale of code-signing certificates has been a known practice for at least a decade, Fox Tempest’s operation was notable for offering a scalable platform supporting extortion, phishing, SEO poisoning, and malware-laced ads.
- 9-Year-Old Linux Kernel Bug Allows Root Command Execution—A newly disclosed vulnerability in the Linux kernel went undetected for nine years. Tracked as CVE-2026-46333 (CVSS score: 5.5), the flaw involves improper privilege management that could let an unprivileged local user access sensitive files and run arbitrary commands as root on default installations of major distributions including Debian, Fedora, and Ubuntu. The bug was introduced back in November 2016.
- Microsoft Flagged Two Actively Exploited Defender Vulnerabilities—Microsoft has revealed that a privilege escalation flaw and a denial-of-service bug in Defender are currently being exploited in the wild. CVE-2026-41091 could grant an attacker SYSTEM-level privileges, while CVE-2026-45498 involves a denial-of-service condition. Although Microsoft hasn’t formally confirmed the connection, the descriptions for CVE-2026-41091 and CVE-2026-45498 closely match those of RedSun and UnDefend — two Defender zero-days disclosed by Chaotic Eclipse (also known as Nightmare-Eclipse) last month.
- Newly Disclosed Drupal Core Vulnerability Under Active Attack—A critical security flaw in Drupal Core is being actively exploited just days after its public disclosure. The vulnerability, CVE-2026-9082 (CVSS score: 6.5), is an SQL injection flaw affecting all supported versions of Drupal Core. Drupal confirmed that “exploit attempts are now being detected in the wild.” Imperva, a Thales subsidiary, reported observing over 15,000 attack attempts targeting nearly 6,000 unique sites across 65 countries.
- Claude Mythos AI Uncovers 10K High-Severity Flaws in Widely Used Software—Anthropic announced that Project Glasswing has helped identify more than 10,000 vulnerability candidates across some of the world’s most “systemically” important software since the cybersecurity initiative launched last month. Of these, 6,202 were classified as high- or critical-severity issues affecting over 1,000 open-source projects. Further analysis of those candidates confirmed 1,726 as valid true positives, with 1,094 rated as either high- or critical-severity. So far, the effort has resulted in 97 patches applied upstream and 88 security advisories published.
- Cisco Fixed a CVSS 10.0 Secure Workload Vulnerability—Cisco released patches for a maximum-severity security flaw in Secure Workload that could let an unauthenticated, remote attacker access sensitive data. Tracked as CVE-2026-20223 (CVSS score: 10.0), the flaw stems from inadequate validation and authentication when accessing REST API endpoints. “An attacker could exploit this vulnerability by sending a crafted API request to an affected endpoint,” Cisco explained. “A successful exploit would allow the attacker to read sensitive information and make configuration changes across tenant boundaries with Site Admin-level privileges.”
- Microsoft Issued Mitigations for YellowKey—Microsoft released mitigations for a BitLocker bypass vulnerability called YellowKey following its public disclosure last week. The zero-day, now tracked as CVE-2026-45585, carries a CVSS score of 6.8 and is categorized as a BitLocker security feature bypass. It affects Windows 11 versions 24H2, 25H2, and 26H1 for x64-based systems, Windows Server 2025, and Windows Server 2025 (Server Core installation). Microsoft noted that successful exploitation could allow an attacker with physical access to circumvent the BitLocker Device Encryption feature on the system’s storage device and access encrypted data.
🔥 Trending CVEs
Vulnerabilities keep rolling in every week, and the window between a patch release and active exploitation is narrowing fast. Here are the standout issues from this week: high-severity, widely deployed, or already under attack in the wild.
Review the list, update what you’re running, and prioritize the urgent ones first — CVE-2026-48172 (LiteSpeed User-End cPanel Plugin), CVE-2026-34926 (Trend Micro Apex One), CVE-2026-20223 (Cisco Secure
This section covers a range of recently identified security vulnerabilities and known weaknesses, including those found in various software components, tools, and platforms such as Cisco Secure Workload, Microsoft Defender, the Linux Kernel, Drupal Core, Microsoft Windows BitLocker, SEPPMail, SGLang, cPanel, the Amazon Redshift JDBC driver, MongoDB, ChromaDB, Universal Robots PolyScope 5, ExifTool, Google Chrome, Apache OFBiz, UniFi OS, Open WebUI, F5 NGINX Plus, NGINX Open Source, Splunk Enterprise, Splunk Cloud Platform, FreePBX, PostgreSQL, and Apache Flink.
🎥 Cybersecurity Webinars
- Learn How Attackers Leverage AI to Boost DDoS Impact (and How to Defend Against It) → Modern threat actors are using artificial intelligence to uncover hidden gaps in network defenses, automatically create scripts that evade detection, and slip past conventional security measures with alarming precision. This webinar connects the dots between AI-powered attacks and the need for robust cloud defenses, providing actionable data on how adversaries are achieving greater success with DDoS attacks. Sign up to move past hypothetical scenarios, use AI to conduct security testing that won’t disrupt operations (CTEM), and help your team shift from simply reacting to attacks to building automated, ongoing resilience.
- Beyond the Zero-Day: Finding Threats That Don’t Require a Vulnerability → Zero-day exploits are no longer the gold standard for measuring cyber risk. Today’s advanced attackers are sidestepping traditional security entirely by exploiting weaknesses in identity management, using built-in system tools to stay under the radar, and deploying AI-driven automation that doesn’t depend on software bugs. This webinar shifts the focus away from fixating on zero-days and reveals how attackers are using modern tactics after they’ve already gained access—plus how security teams can change their approach from constantly patching to actively seeking out suspicious behavior.
📰 Around the Cyber World
- Hacking Through Vulnerabilities Surpasses Stolen Passwords as Top Breach Entry Point — For the first time in almost 20 years, exploiting software vulnerabilities has replaced stolen or compromised passwords as the leading way attackers break into systems and cause data breaches, according to Verizon. Over the past year, nearly a third (31%) of data breaches started with attackers exploiting a vulnerability, a jump from 20% in 2024. Meanwhile, credential abuse fell from 22% to 13%. Even more concerning, only 26% of critical vulnerabilities listed in the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog were fully fixed by organizations in 2025, down from 38% the year before. “The typical time to fully resolve these vulnerabilities increased to 43 days—almost two weeks longer than the previous year’s 32 days,” the report noted. “On average, organizations had 50% more critical vulnerabilities to patch compared to the previous year’s data.” Ransomware was involved in 48% of all breaches last year, up from 44% in 2024. However, there is a silver lining: ransom payments have kept falling, with the median amount dropping from $150,000 in 2024 to nearly $140,000.
- Hackers Set Their Sights on India’s Education Sector — Cybercriminals are targeting student data across India’s education ecosystem, including schools, third-party vendors, and online platforms, to carry out phishing attacks, impersonation scams, social engineering schemes, and financially driven fraud. “Attackers frequently take advantage of exposed or misused student information to craft highly believable scams related to admissions, scholarships, internships, fee payments, and academic support services,” CYFIRMA explained. “In many cases, threat actors used trusted school branding, fake websites, and insider access to steal login credentials, banking details, or trick victims into making direct payments. Some incidents also pointed to the misuse of student-linked bank accounts as part of larger fraud and money mule operations.”
- RondoDox Botnet Operators Add Critical ASUS Router Vulnerability to Their Toolkit — The group behind the RondoDox botnet has started using CVE-2018-5999 (CVSS score: 9.8), a severe vulnerability in ASUS routers, marking the first time this flaw has been observed exploited in the wild. The activity was first spotted on May 17, 2026, against VulnCheck’s honeypots. “The attack method involves sending payloads that set the ateCommand_flag to 1, which then allows the infosvr interface to accept arbitrary configuration changes,” VulnCheck CTO Jacob Baines shared in a LinkedIn post.
- Fraudulent Microsoft Teams Download Pages Spread ValleyRAT Malware — Fake websites impersonating Microsoft Teams, promoted on X, are tricking users into downloading a tampered installer disguised as a ZIP file. This ultimately results in the installation of ValleyRAT, a remote access trojan tied to a Chinese cybercrime syndicate known as Silver Fox. “The payload uses a DLL sideloading technique through a legitimate Tencent executable (GameBox.exe), ultimately deploying a version of ValleyRAT,” K7 Labs reported. “What makes this campaign notable is its seamless execution chain, blending social engineering with multi-step payload delivery, in-memory decryption, and stealthy persistence tactics.”
- Focused Cyberattacks Hit Malaysian Organizations — An attacker-run infrastructure hosted on Microsoft Azure in the Malaysia West region has been used to launch a targeted intrusion campaign against several Malaysian organizations, according to Oasis Security. “The operation shows a high level of careful planning, with the attacker creating custom Python tools tailored for each victim—covering internal network scanning, database access, and data theft,” the company stated. The infrastructure hosts target-specific Python scripts, webshell deployment tools, a Laravel remote code execution exploit chain, and source code for custom command-and-control (C2) components.
- Texas AG Takes Meta to Court Over WhatsApp Encryption Claims — The Texas Attorney General has filed a lawsuit against Meta, alleging that its WhatsApp messaging service does not provide the end-to-end encryption (E2EE) the company has long promised. “Reports indicate that WhatsApp employees have had the ability to read user messages,” the Texas Attorney General’s Office said. “Further investigations suggest that message content can be retrieved and viewed after it has been sent. This is a completely inaccurate portrayal of Meta’s privacy policies.” The lawsuit is based on a recent Bloomberg report detailing how the U.S. Commerce Department’s Bureau of Industry and Security abruptly shut down an investigation into claims that Meta could access encrypted WhatsApp messages. Preliminary findings from the department stated that “there are no restrictions on the kinds of WhatsApp messages Meta can view.” Meta has dismissed the allegations as “without merit.”
- FIOD Detains Two Suspects Linked to Stark Industries Hosting — The Netherlands Fiscal Intelligence and Investigation Service (FIOD) has arrested two individuals and confiscated 800 servers tied to a web hosting provider that facilitated cyberattacks, interference operations, and disinformation campaigns. The arrests involved a 57-year-old man from Amsterdam and a 39-year-old man from The Hague. While the firm’s name wasn’t directly stated, officials believe it to be Stark Industries, which was placed under EU sanctions in May 2025. After the sanctions hit, much of its technical infrastructure shifted to a Dutch firm called THE.Hosting (also known as WorkTitans), which the FIOD says essentially serves as a front for the sanctioned entities. The 57-year-old suspect is listed as its director and sole indirect shareholder. A second Dutch company, linked to the 39-year-old, is also believed to have helped by handling the first firm’s server internet connections.
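The RondoDox item above describes the exploit payload only as one that sets ateCommand_flag to 1. What a defender watching router-facing traffic wants is a rule that catches that parameter wherever it is carried. The script below is an added example, not VulnCheck's or RondoDox's code: it parses raw HTTP requests, merges query-string, url-encoded form, and JSON body parameters, and flags any request that sets the flag to 1. It assumes the flag travels as a request parameter; the sample requests, endpoint paths, and source addresses are constructed placeholders.

```python
"""Flag HTTP requests that try to set ateCommand_flag=1 on an ASUS router.

Added example; not VulnCheck's or RondoDox's code. It assumes the flag is
carried as a query, form or JSON parameter, which is the plain reading of the
page's "payloads that set the ateCommand_flag to 1". The request samples,
endpoint paths and source addresses below are constructed placeholders.
"""
import json
from urllib.parse import parse_qs, urlsplit

FLAG = "ateCommand_flag"


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target = lines[0].split(" ")[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def request_params(req: dict) -> dict:
    """Merge query-string parameters with form or top-level JSON body parameters."""
    params = parse_qs(urlsplit(req["target"]).query, keep_blank_values=True)
    ctype = req["headers"].get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        for name, values in parse_qs(req["body"], keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    elif ctype.startswith("application/json"):
        try:
            doc = json.loads(req["body"])
        except json.JSONDecodeError:
            doc = {}
        if isinstance(doc, dict):
            for name, value in doc.items():
                params.setdefault(name, []).append(str(value))
    return params


def sets_ate_flag(req: dict) -> bool:
    """True when any copy of the flag parameter is exactly '1'."""
    return any(v.strip() == "1" for v in request_params(req).get(FLAG, []))


def scan(samples: list) -> list:
    """Return (source, path) for every request that sets the flag."""
    hits = []
    for src, raw in samples:
        req = parse_request(raw)
        if sets_ate_flag(req):
            hits.append((src, urlsplit(req["target"]).path))
    return hits


SAMPLES = [  # constructed: (source address, raw request); paths are placeholders
    ("198.51.100.7",
     "POST /config.cgi HTTP/1.1\r\nHost: router\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "action_mode=apply&ateCommand_flag=1"),
    ("198.51.100.9",
     "GET /config.cgi?ateCommand_flag=1&action_mode=apply HTTP/1.1\r\nHost: router\r\n\r\n"),
    ("203.0.113.4",  # benign: flag present but cleared
     "POST /config.cgi HTTP/1.1\r\nHost: router\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "ateCommand_flag=0&action_mode=apply"),
    ("203.0.113.5",  # same intent, JSON body
     "POST /api.cgi HTTP/1.1\r\nHost: router\r\nContent-Type: application/json\r\n\r\n"
     '{"ateCommand_flag": 1}'),
]

if __name__ == "__main__":
    for src, path in scan(SAMPLES):
        print(f"{src} -> {path} sets {FLAG}=1")
```

Feed it reassembled requests from a packet capture or a reverse-proxy log in front of management interfaces; the parameter name is the durable indicator here, not any particular path, because the same flag can be pushed through more than one endpoint.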
- UNG0002 Targets Chinese Universities — The Chinese education sector is under attack from a spear-phishing group called UNG0002 in an operation named “Dragon Whistle.” Seqrite Labs noted that the group’s approach is highly specialized. Instead of generic bait, the lures specifically reference the mandatory annual fitness tests at Changzhou University. Since failing these tests could affect graduation, the tactic creates an artificial sense of urgency, pushing students to open the malicious emails. These emails carry ZIP files that deploy a Cobalt Strike Beacon.
- Void Botnet Leverages Ethereum for Resilient C2 — A new malware family called “Void Botnet” uses Ethereum smart contracts for its command-and-control (C2) infrastructure, making it highly resistant to takedown. A developer selling this Rust-based tool as “TheVoidStl” markets two C2 modes: one that reads commands from blockchain contracts (polling every 3-5 minutes) and a direct web panel (polling in under 30 seconds). This dual-mode setup makes tracking and dismantling the network very difficult.
- Proton Pass Introduces AI-Specific Sharing Tokens — Proton Pass, a well-regarded encrypted password manager, now offers AI access tokens. This feature allows users to grant permissions to AI agents and track their actions. Proton explained that every token use is logged along with a stated reason, and administrators can set expiration times ranging from one hour to one year to maintain control.
- DevilNFC and NFCMultiPay Malware Discovered — Two new Android malware families, DevilNFC and NFCMultiPay, are targeting banking customers in Europe and Latin America. Unlike typical Chinese MaaS tools, these have Spanish and Brazilian Portuguese ties. Cleafy analysts noted that generative AI may have been used in their development. DevilNFC is particularly aggressive: it locks the victim’s screen (kiosk mode), intercepts NFC traffic to steal PINs, and relays card data to an emulator on the attacker’s rooted phone. The malware spreads via SMS and WhatsApp, directing users to fake Google Play pages.
- TAX#TRIDENT Uses Tax Scams to Target Windows — A campaign known as TAX#TRIDENT uses fake Indian income tax notices. Victims are lured via three distinct delivery paths: a ZIP file with a signed installer, a VBScript downloader, or a disguised PHP endpoint. Each path aims to install persistence mechanisms and connect the endpoint to the operators’ infrastructure. The malicious scripts often display a decoy tax image to distract the victim while the payload installs silently.
- CISA Invites Public Nominations for KEV List — CISA has launched an online form for security researchers and partners to submit vulnerabilities that have been actively exploited in the wild. This helps the agency prioritize and update its Known Exploited Vulnerabilities (KEV) catalog more efficiently.
- Mass Exploitation of Four-Faith Router Vulnerability — A critical authentication bypass flaw in Four-Faith F3x36 routers (CVE-2024-9643) has been under mass exploitation since mid-May 2026. CrowdSec researchers have tracked over 139 unique source IPs targeting this vulnerability. The rate of attacks tripled in May, indicating that threat actors are rapidly weaponizing this router bug to build botnets.
- Chinese PhaaS Shifts to Digital Wallet Tokenization — Google researchers analyzed the underground Phishing-as-a-Service (PhaaS) ecosystem in China. They found a shift from simple password harvesting to sophisticated real-time credential and OTP interception. Crucially, attackers are now using these stolen details to provision tokens into digital wallets via RCS and iMessage. This allows for instant transactions and ATM withdrawals, providing attackers with direct access to a victim’s funds rather than just their login credentials.
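The Void Botnet item above gives away the one thing a blockchain-backed C2 cannot hide: the bot has to read the same contract again and again on a fixed schedule, here every 3-5 minutes. You cannot sinkhole Ethereum, but you can watch your own egress for that rhythm. The script below is an added example (not Void Botnet code, and it reproduces nothing from the malware): it parses JSON-RPC bodies from an egress proxy log, keeps only eth_call reads, groups them by client host and contract address, and flags pairs whose median inter-call gap sits in the 3-5 minute band with little jitter. The log records, hostnames, and contract addresses are constructed placeholders.

```python
"""Spot beacon-like eth_call polling of a single contract in egress JSON-RPC traffic.

Added example; this is not Void Botnet code and does not reproduce it. It takes
the page's description at face value: a bot reads its commands from a smart
contract every 3-5 minutes. The log records, hostnames and contract addresses
below are constructed placeholders.
"""
import json
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Optional

# Placeholder addresses (40 hex chars), not real contracts.
CONTRACT = "0x" + "0" * 32 + "c0ffee01"
OTHER = "0x" + "0" * 32 + "deadbee1"


def rpc(method: str, to: Optional[str] = None) -> str:
    """Build a JSON-RPC request body; the calldata selector is arbitrary."""
    params = [{"to": to, "data": "0x6d4ce63c"}, "latest"] if to else []
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params})


LOG = [  # constructed: (timestamp, client host, request body) as an egress proxy might record
    ("2026-05-18T10:00:00", "build-agent-7", rpc("eth_call", CONTRACT)),
    ("2026-05-18T10:00:20", "dev-laptop", rpc("eth_call", OTHER)),
    ("2026-05-18T10:00:50", "dev-laptop", rpc("eth_call", OTHER)),
    ("2026-05-18T10:04:05", "build-agent-7", rpc("eth_call", CONTRACT)),
    ("2026-05-18T10:05:00", "build-agent-7", rpc("eth_blockNumber")),
    ("2026-05-18T10:08:02", "build-agent-7", rpc("eth_call", CONTRACT)),
    ("2026-05-18T10:12:10", "build-agent-7", rpc("eth_call", CONTRACT)),
    ("2026-05-18T10:16:04", "build-agent-7", rpc("eth_call", CONTRACT)),
    ("2026-05-18T10:45:00", "dev-laptop", rpc("eth_call", OTHER)),
    ("2026-05-18T11:30:00", "dev-laptop", "not json at all"),
]


def contract_reads(records):
    """Yield (host, contract, time) for every well-formed eth_call that names a contract."""
    for ts, host, body in records:
        try:
            msg = json.loads(body)
        except json.JSONDecodeError:
            continue
        if msg.get("method") != "eth_call":
            continue
        params = msg.get("params") or []
        call = params[0] if params and isinstance(params[0], dict) else {}
        if call.get("to"):
            yield host, call["to"].lower(), datetime.fromisoformat(ts)


def find_periodic_pollers(records, low_s=150, high_s=330, max_jitter=0.2, min_calls=4):
    """Flag (host, contract) pairs read at a steady interval inside the 3-5 minute band.

    jitter = pstdev(gaps) / median(gaps): a person or a block explorer is bursty,
    a beacon timer is not. The band is widened slightly around 180-300 s.
    """
    groups = defaultdict(list)
    for host, contract, t in contract_reads(records):
        groups[(host, contract)].append(t)
    flagged = []
    for (host, contract), times in groups.items():
        if len(times) < min_calls:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        jitter = statistics.pstdev(gaps) / median if median else float("inf")
        if low_s <= median <= high_s and jitter <= max_jitter:
            flagged.append({"host": host, "contract": contract,
                            "calls": len(times), "median_interval_s": median})
    return flagged


if __name__ == "__main__":
    for hit in find_periodic_pollers(LOG):
        print(hit)
```

The heuristic is deliberately independent of which RPC provider the bot talks to, since operators can rotate those freely; the contract address and the cadence are what persist. The web-panel mode the seller advertises (sub-30-second polling) would show up with the same approach by shifting the band, and a build agent or server that reads any smart contract on a timer is worth a conversation regardless.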
🔧 Cybersecurity Tools
- Bumblebee — This open-source tool scans developer machines for supply-chain vulnerabilities without executing code. It checks metadata and configurations for browser extensions, language packages, and AI tool settings.
- Claude-BugHunter — A specialized configuration for Anthropic’s Claude Code that turns it into a security assistant, automating the detection and reporting of vulnerabilities during pentests.
Disclaimer: These tools are for research and educational purposes only. Please do not deploy them in production environments without a thorough review.
Conclusion
Don’t wait until the fire is out of control to buy a smoke detector. Patching those low-level vulnerabilities now might save you from a nightmare scenario next week. Remember, if a vulnerability is public, attackers are already looking for it.
The digital landscape remains volatile, with sophisticated scams and weaponized legacy hardware presenting new challenges every week. Stay safe out there.