Cyber Threat Brief

2026-05-24: Multiple PHP package supply chain attacks hit Laravel and Composer ecosystems with cross-platform

SHOW NOTES - 2026-05-24 STORIES COVERED * Today: * Laravel Lang Package Compromise [https://www.bleepingcomputer.com/news/security/laravel-lang-packages-hijacked-to-deploy-credential-stealing-malware/] [Critical Alerts] * Packagist Supply Chain Attack (Second Wave) [https://thehackernews.com/2026/05/packagist-supply-chain-attack-infects-8.html] [Critical Alerts] * Underminr CDN Vulnerability [https://www.securityweek.com/underminr-vulnerability-lets-attackers-hide-malicious-connections-behind-trusted-domains/] [Business & Infrastructure Threats] * WolfSSL Certificate Forgery (CVE-2026-5194) [https://thehackernews.com/2026/05/claude-mythos-ai-finds-10000-high.html] [Vulnerability Disclosures] * npm Adds Staged Publishing + 2FA Requirement [https://thehackernews.com/2026/05/npm-adds-2fa-gated-publishing-and.html] [General Security News] * Italian Authorities Disrupt CINEMAGOAL Piracy Network [https://www.bleepingcomputer.com/news/legal/italy-disrupts-cinemagoal-piracy-app-that-stole-streaming-auth-codes/] [General Security News] * UK Water Utility Data Breach Victims Report Impact [https://databreaches.net/2026/05/23/uk-victims-feel-violated-after-water-firms-data-breach/] [General Security News] * UK Secures £355,880 Confiscation Order in Motor Insurance Data Theft [https://databreaches.net/2026/05/23/uk-355880-10-confiscation-order-secured-following-proceeds-of-crime-hearing/] [General Security News] * Rhode Island Workers' Compensation Vendor Breach Affects 131,000 [https://databreaches.net/2026/05/23/rhode-islands-workers-compensation-notifies-those-affected-by-january-data-breach/] [General Security News] CVES REFERENCED CVE-2026-5194 INDICATORS OF COMPROMISE Domains: flipboxstudio[.]info., flipboxstudio[.]info, github[.]com Read the full brief [https://carolinacleartech.com/brief/2026-05-24/]

2026-05-23: Drupal Core SQL injection (CVE-2026-9082) and Trend Micro Apex One directory traversal

SHOW NOTES - 2026-05-23 STORIES COVERED * Today: * Drupal Core SQL Injection Bug Actively Exploited, Added to CISA KEV (CVE-2026-9082) [https://thehackernews.com/2026/05/drupal-core-sql-injection-bug-actively.html] [Critical Alerts] * Trend Micro Apex One Zero-Day Exploited in the Wild (CVE-2026-34926) [https://www.bleepingcomputer.com/news/security/trend-micro-warns-of-apex-one-zero-day-exploited-in-attacks/] [Critical Alerts] * LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root [https://thehackernews.com/2026/05/litespeed-cpanel-plugin-cve-2026-48172.html] [Critical Alerts] * FBI Warns About Fast-Growing Phishing Kit Targeting Microsoft 365 Users (Kali365) [https://cyberscoop.com/fbi-phishing-kali365-microsoft365-access-tokens/] [Business & Infrastructure Threats] * First VPN Dismantled in Global Takedown Over Use by 25 Ransomware Groups [https://thehackernews.com/2026/05/first-vpn-dismantled-in-global-takedown.html] [Business & Infrastructure Threats] * Four-Faith Industrial Router Vulnerability Exploited by Botnets (CVE-2024-9643) [https://www.securityweek.com/in-other-news-industrial-router-exploitation-cisa-kev-nomination-form-gas-station-hacking/] [Business & Infrastructure Threats] * Multi-Stage Linux Intrusion via F5 and Confluence Edge Appliance Compromise [https://www.microsoft.com/en-us/security/blog/2026/05/22/from-edge-appliance-to-enterprise-compromise-multi-stage-linux-intrusion-via-f5-and-confluence/] [Business & Infrastructure Threats] * Iranian Hackers Suspected in US Gas Station Tank Monitor Breaches [https://www.securityweek.com/in-other-news-industrial-router-exploitation-cisa-kev-nomination-form-gas-station-hacking/] [Business & Infrastructure Threats] * CISA Contractor Exposes Credentials on Public GitHub Repository [https://www.securityweek.com/in-other-news-industrial-router-exploitation-cisa-kev-nomination-form-gas-station-hacking/] [Business & Infrastructure Threats] * Hugging Face Hiding Second-Stage Malware for npm Supply Chain Attack [https://databreaches.net/2026/05/22/hugging-face-hiding-second-stage-malware-for-npm-supply-chain-attack/?pk_campaign=feed&pk_kwd=hugging-face-hiding-second-stage-malware-for-npm-supply-chain-attack] [Business & Infrastructure Threats] * New macOS Stealer Variant Masquerades as Apple, Google & Microsoft (Reaper) [https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-21-7/] [General Security News] * Interpol Operation Ramz Rounds Up 200+ Cybercrime Suspects Across Middle East and North Africa [https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-21-7/] [General Security News] * Verizon DBIR: Healthcare Fends Off Increased Social Engineering Attacks [https://www.darkreading.com/cyber-risk/verizon-dbir-healthcare-fends-off-increased-social-engineering-attacks] [General Security News] * CVE-2026-41091 (CISA-KEV, EPSS 0.066, 91st percentile) [Vulnerability Disclosures] * CVE-2026-45401 (EPSS 0.000, 12th percentile) [Vulnerability Disclosures] * CVE-2025-14575 (Qt Network OpenSSL TLS backend, EPSS 0.000, 1st percentile) [Vulnerability Disclosures] * CVE-2026-3593 (BIND 9 DNS-over-HTTPS, EPSS 0.000, 5th percentile) [Vulnerability Disclosures] * CVE-2026-42009 (GnuTLS DTLS, EPSS 0.001, 31st percentile) [Vulnerability Disclosures] * CVE-2026-3039 (BIND 9, EPSS 0.001, 16th percentile) [Vulnerability Disclosures] * CVE-2026-3592 (BIND 9, EPSS 0.000, 4th percentile) [Vulnerability Disclosures] * CVE-2026-5946 (BIND 9, EPSS 0.000, 11th percentile) [Vulnerability Disclosures] * CVE-2026-5950 (BIND 9, EPSS 0.001, 21st percentile) [Vulnerability Disclosures] * CVE-2026-41054 (haveged, EPSS 0.000, 0th percentile) [Vulnerability Disclosures] * CVE-2026-8723 (qs.stringify, EPSS 0.000, 14th percentile) [Vulnerability Disclosures] * CVE-2026-5947 (BIND 9, EPSS 0.000, 6th percentile) [Vulnerability Disclosures] * CVE-2026-8711 (NGINX JavaScript, EPSS 0.002, 47th percentile) [Vulnerability Disclosures] * CVE-2025-51480 (ONNX 1.17.0, EPSS 0.004, 59th percentile) [Vulnerability Disclosures] * CVE-2023-6606 (Linux kernel SMB, EPSS 0.000, 1st percentile) [Vulnerability Disclosures] * CVE-2025-39932 (Linux SMB client, EPSS 0.000, 2nd percentile) [Vulnerability Disclosures] * Multiple Linux kernel CVEs [Vulnerability Disclosures] CVES REFERENCED CVE-2022-40139, CVE-2023-41179, CVE-2023-6606, CVE-2024-9643, CVE-2025-14575, CVE-2025-39901, CVE-2025-39905, CVE-2025-39927, CVE-2025-39932, CVE-2025-39940, CVE-2025-39990, CVE-2025-40003, CVE-2025-40064, CVE-2025-40065, CVE-2025-40074, CVE-2025-51480, CVE-2025-54948, CVE-2026-3039, CVE-2026-34926, CVE-2026-3592, CVE-2026-3593, CVE-2026-41054, CVE-2026-41091, CVE-2026-41940, CVE-2026-42009, CVE-2026-45401, CVE-2026-48172, CVE-2026-5946, CVE-2026-5947, CVE-2026-5950, CVE-2026-8711, CVE-2026-8723, CVE-2026-9082 INDICATORS OF COMPROMISE IP Addresses: 5.3.1.0, 2.223.66.103, 5.181.234.59, 92.38.148.58 Read the full brief [https://carolinacleartech.com/brief/2026-05-23/]

2026-05-22: Microsoft patched two actively exploited Defender zero-days with CISA deadline June 3

SHOW NOTES - 2026-05-22 STORIES COVERED * 2026-05-22 * Today: * Microsoft Defender Actively Exploited Zero-Days (CVE-2026-41091, CVE-2026-45498) [https://thehackernews.com/2026/05/microsoft-warns-of-two-actively.html] [Critical Alerts] * Trend Micro Apex One Zero-Day Exploitation (CVE-2026-34926) [https://www.securityweek.com/trendai-patches-apex-one-zero-day-exploited-in-the-wild/] [Critical Alerts] * Drupal Highly Critical SQL Injection (CVE-2026-9082) [https://www.securityweek.com/drupal-patches-highly-critical-vulnerability-exposing-websites-to-hacking/] [Critical Alerts] * Langflow Code Execution Vulnerability Exploited by MuddyWater (CVE-2025-34291) [https://thehackernews.com/2026/05/cisa-adds-exploited-langflow-and-trend.html] [Critical Alerts] * CISA Adds Legacy Microsoft Vulnerabilities to KEV [https://thehackernews.com/2026/05/microsoft-warns-of-two-actively.html] [Critical Alerts] * The Gentlemen Ransomware Defense Evasion TTPs [https://www.huntress.com/blog/the-gentlemen-ransomware-defense-evasion-ttps] [Ransomware & Extortion] * First VPN Cybercrime Service Dismantled [https://www.bleepingcomputer.com/news/security/police-seize-first-vpn-service-used-in-ransomware-data-theft-attacks/] [Ransomware & Extortion] * Cloud Atlas APT Returns with New Tools and SSH Tunnels [https://securelist.com/cloud-atlas-2026/119895/] [Business & Infrastructure Threats] * GitHub Breached via Compromised VS Code Extension [https://news.risky.biz/risky-bulletin-microsoft-ends-sms-mfa-for-personal-accounts/] [Business & Infrastructure Threats] * Cross-Platform NPM Stealer Targets Windows, macOS, Linux [https://isc.sans.edu/diary/rss/33006] [Business & Infrastructure Threats] * ABB Industrial Control Systems Vulnerabilities [https://www.cisa.gov/news-events/ics-advisories/icsa-26-141-03] [Vulnerability Disclosures] * Hitachi Energy GMS600 OpenSSL Timing Attack (CVE-2022-4304) [https://www.cisa.gov/news-events/ics-advisories/icsa-26-141-01] [Vulnerability Disclosures] * Microsoft Linux Kernel CVEs in MSRC Update Guide [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26944] [Vulnerability Disclosures] * Pwn2Own Berlin 2026: 47 Zero-Days Exploited [https://thehackernews.com/2026/05/threatsday-bulletin-linux-rootkits.html] [Vulnerability Disclosures] * Microsoft Ends SMS MFA for Personal Accounts [https://news.risky.biz/risky-bulletin-microsoft-ends-sms-mfa-for-personal-accounts/] [General Security News] * UK NCSC Issues Agentic AI Security Guidance [https://thehackernews.com/2026/05/threatsday-bulletin-linux-rootkits.html] [General Security News] * Poland Urges Officials to Switch from Signal to mSzyfr [https://thehackernews.com/2026/05/threatsday-bulletin-linux-rootkits.html] [General Security News] * Dutch Police Unmasked 74 Fraud Suspects via Game Over?! Campaign [https://thehackernews.com/2026/05/threatsday-bulletin-linux-rootkits.html] [General Security News] * Trump Postpones AI Security Executive Order [https://cyberscoop.com/trump-postpones-executive-order-focused-on-ai-security/] [General Security News] * US-China Cyber Espionage Acknowledgment [https://thehackernews.com/2026/05/threatsday-bulletin-linux-rootkits.html] [General Security News] CVES REFERENCED CVE-2008-4250, CVE-2009-1537, CVE-2009-3459, CVE-2010-0249, CVE-2010-0806, CVE-2018-0802, CVE-2022-35737, CVE-2022-4304, CVE-2023-7104, CVE-2024-26944, CVE-2024-55591, CVE-2025-10504, CVE-2025-12142, CVE-2025-12143, CVE-2025-3277, CVE-2025-34291, CVE-2025-6965, CVE-2026-0968, CVE-2026-33825, CVE-2026-34926, CVE-2026-41091, CVE-2026-43303, CVE-2026-43331, CVE-2026-43465, CVE-2026-43494, CVE-2026-43495, CVE-2026-43496, CVE-2026-43497, CVE-2026-43499, CVE-2026-43501, CVE-2026-43502, CVE-2026-45498, CVE-2026-45584, CVE-2026-9082 INDICATORS OF COMPROMISE Hashes: 049300aa5dd774d6c984779a0570f59610399c71864b5d5c2605906db46ddeb9 Read the full brief [https://carolinacleartech.com/brief/2026-05-22/]

2026-05-21: Microsoft patched two actively exploited Defender zero-days that CISA added to KEV with a June 3

SHOW NOTES - 2026-05-21 STORIES COVERED * 2026-05-21 * Today: * Microsoft Defender Zero-Days (CVE-2026-41091, CVE-2026-45498) [https://www.securityweek.com/microsoft-patches-exploited-undefend-and-redsun-defender-zero-days/] [Critical Alerts] * RaaS Ecosystem Tradecraft Analysis [https://www.huntress.com/blog/raas-ecosystem-ransomware-tradecraft] [Ransomware & Extortion] * Microsoft Disrupts Fox Tempest Malware-Signing Service [https://thehackernews.com/2026/05/microsoft-takes-down-malware-signing.html] [Ransomware & Extortion] * Mini Shai-Hulud npm Supply Chain Attack [https://www.microsoft.com/en-us/security/blog/2026/05/20/mini-shai-hulud-compromised-antv-npm-packages-enable-ci-cd-credential-theft/] [IOCs & Detection] * SonicWall VPN MFA Bypass via CVE-2024-12802 [https://www.bleepingcomputer.com/news/security/hackers-bypass-sonicwall-vpn-mfa-due-to-incomplete-patching/] [Business & Infrastructure Threats] * TamperedChef Trojanized Productivity Software [https://unit42.paloaltonetworks.com/tracking-tampered-chef-clusters/] [Business & Infrastructure Threats] * Typosquatting Embedded in Third-Party Scripts [https://thehackernews.com/2026/05/typosquatting-is-no-longer-user-problem.html] [Business & Infrastructure Threats] * AI Coding Agents and Credential Leakage [https://www.securityweek.com/1password-teams-with-openai-to-stop-ai-coding-agents-from-leaking-credentials/] [Business & Infrastructure Threats] * CISA Exposed GitHub Repo with Secrets [https://www.theregister.com/security/2026/05/19/americas-top-cyber-defense-agency-left-a-github-repo-open-with-passwords-keys-tokens-and-incredibly-obvious-filenames/5242915] [Business & Infrastructure Threats] * 9-Year-Old Linux Kernel Privilege Escalation (CVE-2026-46333) [https://thehackernews.com/2026/05/9-year-old-linux-kernel-flaw-enables.html] [Windows / AD Security] * PinTheft Linux Privilege Escalation (Arch Linux) [https://www.bleepingcomputer.com/news/linux/exploit-released-for-new-pintheft-arch-linux-root-escalation-flaw/] [Windows / AD Security] * Identity and Device Security Integration [https://www.bleepingcomputer.com/news/security/identity-alone-isnt-enough-why-device-security-has-to-share-the-load/] [General Security News] * Supply Chain Vulnerability Crisis [https://www.securityweek.com/supply-chain-security-crisis-too-many-vulnerabilities-too-little-visibility/] [General Security News] * Drupal Core SQL Injection (CVE-2026-9082) [https://thehackernews.com/2026/05/highly-critical-drupal-core-flaw.html] [Vulnerability Disclosures] * Memcached SASL Timing Side Channel (CVE-2026-47784) [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47784] [Vulnerability Disclosures] * DNS Software Vulnerabilities (Multiple CVEs) [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32792] [Vulnerability Disclosures] * Rsync Vulnerabilities (CVE-2026-43617, CVE-2026-43618, CVE-2026-43619, CVE-2026-43620, CVE-2026-29518, CVE-2026-45232) [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43619] [Vulnerability Disclosures] * GitHub CLI Terminal Escape Sequence Injection (CVE-2026-45803) [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45803] [Vulnerability Disclosures] * Cowboy SPDY Decompression Bomb (CVE-2026-43970) [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43970] [Vulnerability Disclosures] * WebSocket Uninitialized Memory Disclosure (CVE-2026-45736) [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45736] [Vulnerability Disclosures] CVES REFERENCED CVE-2008-4250, CVE-2009-1537, CVE-2009-3459, CVE-2010-0249, CVE-2010-0806, CVE-2024-12802, CVE-2026-29518, CVE-2026-32792, CVE-2026-33278, CVE-2026-40622, CVE-2026-41091, CVE-2026-41292, CVE-2026-42534, CVE-2026-42923, CVE-2026-42944, CVE-2026-42959, CVE-2026-42960, CVE-2026-43617, CVE-2026-43618, CVE-2026-43619, CVE-2026-43620, CVE-2026-43970, CVE-2026-44390, CVE-2026-44608, CVE-2026-45232, CVE-2026-45498, CVE-2026-45736, CVE-2026-45803, CVE-2026-46333, CVE-2026-47784, CVE-2026-9082 Read the full brief [https://carolinacleartech.com/brief/2026-05-21/]

2026-05-20: Microsoft faces a sixth zero-day disclosure in six weeks as researcher "Nightmare Eclipse" releases

SHOW NOTES - 2026-05-20 STORIES COVERED * May 20, 2026 * Today: * YellowKey BitLocker Bypass (CVE-2026-45585) [Critical Alerts] * Action: [https://www.darkreading.com/cyberattacks-data-breaches/windows-zero-day-barrage-continues-after-patch-tuesday] [Critical Alerts] * Drupal Core Security Release Tonight [Critical Alerts] * Action: [https://thehackernews.com/2026/05/drupal-to-release-urgent-core-security.html] [Critical Alerts] * CISA Credentials Exposed in Public GitHub Repository [Critical Alerts] * Action: [https://arstechnica.com/information-technology/2026/05/in-stunning-display-of-stupid-secret-cisa-credentials-found-in-public-github-repo/] [Critical Alerts] * GreenPlasma Windows Privilege Escalation [Windows / AD Security] * Action: [https://www.darkreading.com/cyberattacks-data-breaches/windows-zero-day-barrage-continues-after-patch-tuesday] [Windows / AD Security] * MiniPlasma: Six-Year-Old Vulnerability Still Exploitable [Windows / AD Security] * Action: [https://www.darkreading.com/cyberattacks-data-breaches/windows-zero-day-barrage-continues-after-patch-tuesday] [Windows / AD Security] * Microsoft Teams macOS Location Prompt Issue [Windows / AD Security] * Action: [https://www.bleepingcomputer.com/news/microsoft/microsoft-blames-undismissible-teams-location-prompts-on-macos-update/] [Windows / AD Security] * ABB CoreSense Path Traversal (CVE-2025-3465) [Vulnerability Disclosures] * Action: [https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-06] [Vulnerability Disclosures] * Kieback & Peter DDC Building Controllers XSS (CVE-2026-4293) [Vulnerability Disclosures] * Action: [https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-05] [Vulnerability Disclosures] * ZKTeco CCTV Cameras Authentication Bypass (CVE-2026-8598) [Vulnerability Disclosures] * Action: [https://www.cisa.gov/news-events/ics-advisories/icsa-26-139-04] [Vulnerability Disclosures] * ExifTool macOS Vulnerability (CVE-2026-3102) [Vulnerability Disclosures] * Action: [https://securelist.com/exiftool-compromise-mac/119866/] [Vulnerability Disclosures] * Microsoft CVE Disclosures [Vulnerability Disclosures] * Action: [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43493] [Vulnerability Disclosures] * Sophos Firewall Update Bricking Devices [Business & Infrastructure Threats] * Action: [https://www.bleepingcomputer.com/news/security/sophos-pulls-buggy-firewall-update-bricking-devices-with-boot-loop/] [Business & Infrastructure Threats] * PAN-OS GlobalProtect Portal Command Injection (CVE-2026-47612) [Business & Infrastructure Threats] * Action: [https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-pan-os-globalprotect-portal-bug/] [Business & Infrastructure Threats] * Ivanti Endpoint Manager Mobile (EPMM) Critical Vulnerabilities [Business & Infrastructure Threats] * Action: [https://www.bleepingcomputer.com/news/security/ivanti-fixes-new-critical-endpoint-manager-mobile-flaws/] [Business & Infrastructure Threats] * Adobe ColdFusion Patches Critical Pre-Auth RCE [Business & Infrastructure Threats] * Action: [https://www.bleepingcomputer.com/news/security/adobe-fixes-critical-coldfusion-rce-flaw-exploited-in-the-wild/] [Business & Infrastructure Threats] * AI Vulnerability Discovery Accelerates [https://www.recordedfuture.com/blog/ai-vulnerability-playbook] [General Security News] * SentinelOne Announces Prompt Security for Agentic AI [https://www.sentinelone.com/blog/prompt-security-for-agentic-ai/] [General Security News] * Ransomware Tracker API Disruptions [General Security News] CVES REFERENCED CVE-2020-17103, CVE-2025-3465, CVE-2026-3102, CVE-2026-4293, CVE-2026-43491, CVE-2026-43492, CVE-2026-43493, CVE-2026-45585, CVE-2026-47612, CVE-2026-8598 INDICATORS OF COMPROMISE IP Addresses: 1.4.1.12 Read the full brief [https://carolinacleartech.com/brief/2026-05-20/]