2026-05-22: Microsoft patched two actively exploited Defender zero-days with CISA deadline June 3

2026-05-27: CISA adds exploited LiteSpeed cPanel plugin zero-day to KEV catalog with May 29 patch deadline

SHOW NOTES - 2026-05-27 STORIES COVERED * Today: * LiteSpeed cPanel Plugin Privilege Escalation (CVE-2026-48172) [https://www.securityweek.com/cisa-urges-immediate-patching-of-exploited-litespeed-cpanel-plugin-zero-day/] [Critical Alerts] * Microsoft SharePoint Remote Code Execution (CVE-2026-45659) [https://www.darkreading.com/vulnerabilities-threats/microsoft-issues-sharepoint-patch] [Critical Alerts] * AI Threat Landscape: Criminal Deployment at Operational Scale [https://research.checkpoint.com/2026/ai-threat-landscape-digest-march-april-2026/] [Ransomware & Extortion] * MyPillow Appears on Play Ransomware Leak Site [https://www.theregister.com/cyber-crime/2026/05/26/mypillow-appears-on-play-ransomware-leak-site/5246513] [Ransomware & Extortion] * KnowledgeDeliver Zero-Day Exploited for Web Shell Deployment (CVE-2026-5426) [https://www.securityweek.com/hackers-exploited-knowledgedeliver-zero-day-for-web-shell-deployment/] [Business & Infrastructure Threats] * MFA Prompt Bombing: Push Notification Fatigue Attacks [https://thehackernews.com/2026/05/mfa-prompt-bombing-why-your-second.html] [Business & Infrastructure Threats] * Microsoft Defender Automatic Device Isolation (Preview) [https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-can-now-automatically-isolate-hacked-endpoints/] [Windows / AD Security] * Windows 11 KB5089573 Optional Preview Update [https://www.bleepingcomputer.com/news/microsoft/windows-11-kb5089573-update-released-with-performance-improvements/] [Windows / AD Security] * Varonis Atlas Integrates Claude Compliance API for AI Governance [https://www.bleepingcomputer.com/news/security/how-varonis-atlas-integrates-claude-compliance-api-for-ai-governance/] [General Security News] * Industrial Control Systems [https://www.cisa.gov/news-events/ics-advisories/icsa-26-146-06] [Vulnerability Disclosures] * Microsoft Update Guide CVE Disclosures [https://msrc.microsoft.com/update-guide] [Vulnerability Disclosures] CVES REFERENCED CVE-2025-55182, CVE-2025-7745, CVE-2025-9970, CVE-2026-45495, CVE-2026-45498, CVE-2026-45659, CVE-2026-48172, CVE-2026-5426, CVE-2026-7251 INDICATORS OF COMPROMISE IP Addresses: 5.3.1.0, 1.4.9.22 Read the full brief [https://carolinacleartech.com/brief/2026-05-27/]

2026-05-26: Critical Alerts

SHOW NOTES - 2026-05-26 STORIES COVERED * May 26, 2026 * Drupal SQL Injection (CVE-2026-9082) [https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-actively-exploited-drupal-vulnerability/] [Critical Alerts] * Microsoft Defender Zero-Days (CVE-2026-41091, CVE-2026-45498) [https://thehackernews.com/2026/05/weekly-recap-linux-flaws-defender-0.html] [Critical Alerts] * Trend Micro Apex One Directory Traversal (CVE-2026-34926) [https://research.checkpoint.com/2026/25th-may-threat-intelligence-report/] [Critical Alerts] * Linux Kernel Privilege Escalation (CVE-2026-46333) [https://thehackernews.com/2026/05/weekly-recap-linux-flaws-defender-0.html] [Critical Alerts] * GitHub Breach via Poisoned VS Code Extension [https://isc.sans.edu/diary/rss/33016] [Ransomware & Extortion] * Microsoft Azure Durable Functions SDK Trojanized (durabletask) [https://isc.sans.edu/diary/rss/33016] [Ransomware & Extortion] * Laravel-Lang Supply Chain Attack [https://www.securityweek.com/laravel-lang-packages-poisoned-for-malware-delivery/] [Ransomware & Extortion] * 7-Eleven Data Breach (ShinyHunters) [https://www.bleepingcomputer.com/news/security/7-eleven-data-breach-exposes-personal-information-of-185-000-people/] [Ransomware & Extortion] * Ghost CMS Mass Exploitation (CVE-2026-26980) [https://thehackernews.com/2026/05/ghost-cms-cve-2026-26980-exploited-to.html] [Business & Infrastructure Threats] * Kali365 Phishing-as-a-Service (Microsoft 365 OAuth Abuse) [https://www.bleepingcomputer.com/news/security/fbi-warns-of-kali365-phishing-service-targeting-microsoft-365-accounts/] [Business & Infrastructure Threats] * KnowledgeDeliver LMS Zero-Day (CVE-2026-5426) [https://thehackernews.com/2026/05/knowledgedeliver-lms-flaw-exploited-to.html] [Business & Infrastructure Threats] * Netherlands Seizes 800 Servers, Arrests Bulletproof Hosting Operators [https://krebsonsecurity.com/2026/05/netherlands-seizes-800-servers-arrests-2-for-aiding-cyberattacks/] [Business & Infrastructure Threats] * ACR Stealer via Fake Claude Download Pages [https://isc.sans.edu/diary/rss/33018] [Business & Infrastructure Threats] * Microsoft Fox Tempest Takedown (Rhysida Ransomware Enabler) [https://thehackernews.com/2026/05/weekly-recap-linux-flaws-defender-0.html] [Business & Infrastructure Threats] * Windows Server 2016 Domain Controller Lookup Failures (KB5087537) [https://www.bleepingcomputer.com/news/microsoft/microsoft-domain-controller-lookup-may-fail-on-windows-server-2016/] [Windows / AD Security] * ACR Stealer (Fake Claude Campaign) [https://isc.sans.edu/diary/rss/33018] [IOCs & Detection] * Ghost CMS Campaign (CVE-2026-26980) [https://thehackernews.com/2026/05/ghost-cms-cve-2026-26980-exploited-to.html] [IOCs & Detection] * Lazarus RemotePE [https://thehackernews.com/2026/05/lazarus-deploys-remotepe-memory-only.html] [IOCs & Detection] * Nimbus Manticore (Iranian APT) [https://thehackernews.com/2026/05/iranian-hackers-deploy-minifast-and.html] [IOCs & Detection] * Laravel-Lang Supply Chain Attack [https://www.securityweek.com/laravel-lang-packages-poisoned-for-malware-delivery/] [IOCs & Detection] * CERT-In Mandates 12-Hour Patching for Internet-Facing Flaws [https://thehackernews.com/2026/05/cert-in-mandates-12-hour-patching-for.html] [General Security News] * Anthropic Mythos Detected 23,000 Vulnerabilities Across 1,000 OSS Projects [https://www.securityweek.com/anthropic-mythos-detected-23000-potential-vulnerabilities-across-1000-oss-projects/] [General Security News] * Check Point: AI-Driven Attacks Have Entered Routine Criminal Use [https://research.checkpoint.com/2026/25th-may-threat-intelligence-report/] [General Security News] * TeamPCP Supply Chain Campaign (CVE-2026-45321) [https://isc.sans.edu/diary/rss/33016] [Vulnerability Disclosures] * CVE-2026-26980 (Ghost CMS SQL Injection) [https://thehackernews.com/2026/05/ghost-cms-cve-2026-26980-exploited-to.html] [Vulnerability Disclosures] * CVE-2026-5426 (KnowledgeDeliver LMS Hard-Coded Machine Keys) [https://thehackernews.com/2026/05/knowledgedeliver-lms-flaw-exploited-to.html] [Vulnerability Disclosures] * Healthcare Data Breaches [https://www.securityweek.com/oncology-institute-discloses-third-party-data-breach/] [Vulnerability Disclosures] CVES REFERENCED CVE-2026-26980, CVE-2026-34926, CVE-2026-41091, CVE-2026-45321, CVE-2026-45498, CVE-2026-46333, CVE-2026-5426, CVE-2026-9082 INDICATORS OF COMPROMISE Domains: flipboxstudio[.]info, clo4shara[.]xyz, google[.]com, fairpoint29[.]com, enhanceblabber[.]cc, primemetricsa[.]com, creativecommunityinfo[.]art, ibb[.]co, enhanceblabber[.]cc., aes-secure[.]net, getsqldeveloper[.]com Hashes: 70b5ecc110e074dbca92932c0e840ea3492ea0a43c3f215b71392c12b02213b2, a14c3ecf5eb3d2543358482e43dc765dbf9ee7a4bec7571f5ecb8829ca719692, 47fa746422f1bf6b7712dc6803378e6a995488007193a7441d790f70d204728f Read the full brief [https://carolinacleartech.com/brief/2026-05-26/]

2026-05-25: Supply chain attacks hit developer ecosystems with 34 malicious packages stealing credentials

SHOW NOTES - 2026-05-25 STORIES COVERED * Today: * Ghost CMS SQL Injection (CVE-2026-26980) [https://www.bleepingcomputer.com/news/security/ghost-cms-sql-injection-flaw-exploited-in-large-scale-clickfix-campaign/] [Critical Alerts] * KnowledgeDeliver LMS ViewState Deserialization (CVE-2026-5426) [https://cloud.google.com/blog/topics/threat-intelligence/knowledgedeliver-viewstate-deserialization-vulnerability/] [Critical Alerts] * TrapDoor Supply Chain Attack (npm, PyPI, Crates.io) [https://thehackernews.com/2026/05/trapdoor-supply-chain-attack-spreads.html] [Business & Infrastructure Threats] * Megalodon GitHub Actions Attack (5,500+ Repositories) [https://www.securityweek.com/over-5500-github-repositories-infected-in-megalodon-supply-chain-attack/] [Business & Infrastructure Threats] * DocketWise Data Breach (143,000 Affected) [https://www.securityweek.com/docketwise-data-breach-impacts-143000/] [Business & Infrastructure Threats] * Chinese-Language Phishing-as-a-Service Ecosystem [https://cloud.google.com/blog/topics/threat-intelligence/chinese-language-phishing-services/] [General Security News] * Anthropic Mythos Finds 23,000 Vulnerabilities [https://news.risky.biz/risky-bulletin-mythos-found-thousands-of-critical-bugs/] [General Security News] * Linus Torvalds Cracks Down on AI-Generated Pull Requests [https://www.theregister.com/oses/2026/05/25/linus-torvalds-to-start-being-more-hardnosed-about-pointless-pull-requests-some-of-which-come-from-ais/5245549] [General Security News] * Wireshark 4.6.6 [https://isc.sans.edu/diary/rss/33010] [Vulnerability Disclosures] * CVE-2026-43029 (mptcp soft lockup) [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43029] [Vulnerability Disclosures] * CVE-2026-43414 (qla2xxx fcport double free) [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-43414] [Vulnerability Disclosures] CVES REFERENCED CVE-2026-26980, CVE-2026-43029, CVE-2026-43414, CVE-2026-5426 Read the full brief [https://carolinacleartech.com/brief/2026-05-25/]

2026-05-24: Multiple PHP package supply chain attacks hit Laravel and Composer ecosystems with cross-platform

SHOW NOTES - 2026-05-24 STORIES COVERED * Today: * Laravel Lang Package Compromise [https://www.bleepingcomputer.com/news/security/laravel-lang-packages-hijacked-to-deploy-credential-stealing-malware/] [Critical Alerts] * Packagist Supply Chain Attack (Second Wave) [https://thehackernews.com/2026/05/packagist-supply-chain-attack-infects-8.html] [Critical Alerts] * Underminr CDN Vulnerability [https://www.securityweek.com/underminr-vulnerability-lets-attackers-hide-malicious-connections-behind-trusted-domains/] [Business & Infrastructure Threats] * WolfSSL Certificate Forgery (CVE-2026-5194) [https://thehackernews.com/2026/05/claude-mythos-ai-finds-10000-high.html] [Vulnerability Disclosures] * npm Adds Staged Publishing + 2FA Requirement [https://thehackernews.com/2026/05/npm-adds-2fa-gated-publishing-and.html] [General Security News] * Italian Authorities Disrupt CINEMAGOAL Piracy Network [https://www.bleepingcomputer.com/news/legal/italy-disrupts-cinemagoal-piracy-app-that-stole-streaming-auth-codes/] [General Security News] * UK Water Utility Data Breach Victims Report Impact [https://databreaches.net/2026/05/23/uk-victims-feel-violated-after-water-firms-data-breach/] [General Security News] * UK Secures £355,880 Confiscation Order in Motor Insurance Data Theft [https://databreaches.net/2026/05/23/uk-355880-10-confiscation-order-secured-following-proceeds-of-crime-hearing/] [General Security News] * Rhode Island Workers' Compensation Vendor Breach Affects 131,000 [https://databreaches.net/2026/05/23/rhode-islands-workers-compensation-notifies-those-affected-by-january-data-breach/] [General Security News] CVES REFERENCED CVE-2026-5194 INDICATORS OF COMPROMISE Domains: flipboxstudio[.]info., flipboxstudio[.]info, github[.]com Read the full brief [https://carolinacleartech.com/brief/2026-05-24/]

2026-05-23: Drupal Core SQL injection (CVE-2026-9082) and Trend Micro Apex One directory traversal

SHOW NOTES - 2026-05-23 STORIES COVERED * Today: * Drupal Core SQL Injection Bug Actively Exploited, Added to CISA KEV (CVE-2026-9082) [https://thehackernews.com/2026/05/drupal-core-sql-injection-bug-actively.html] [Critical Alerts] * Trend Micro Apex One Zero-Day Exploited in the Wild (CVE-2026-34926) [https://www.bleepingcomputer.com/news/security/trend-micro-warns-of-apex-one-zero-day-exploited-in-attacks/] [Critical Alerts] * LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root [https://thehackernews.com/2026/05/litespeed-cpanel-plugin-cve-2026-48172.html] [Critical Alerts] * FBI Warns About Fast-Growing Phishing Kit Targeting Microsoft 365 Users (Kali365) [https://cyberscoop.com/fbi-phishing-kali365-microsoft365-access-tokens/] [Business & Infrastructure Threats] * First VPN Dismantled in Global Takedown Over Use by 25 Ransomware Groups [https://thehackernews.com/2026/05/first-vpn-dismantled-in-global-takedown.html] [Business & Infrastructure Threats] * Four-Faith Industrial Router Vulnerability Exploited by Botnets (CVE-2024-9643) [https://www.securityweek.com/in-other-news-industrial-router-exploitation-cisa-kev-nomination-form-gas-station-hacking/] [Business & Infrastructure Threats] * Multi-Stage Linux Intrusion via F5 and Confluence Edge Appliance Compromise [https://www.microsoft.com/en-us/security/blog/2026/05/22/from-edge-appliance-to-enterprise-compromise-multi-stage-linux-intrusion-via-f5-and-confluence/] [Business & Infrastructure Threats] * Iranian Hackers Suspected in US Gas Station Tank Monitor Breaches [https://www.securityweek.com/in-other-news-industrial-router-exploitation-cisa-kev-nomination-form-gas-station-hacking/] [Business & Infrastructure Threats] * CISA Contractor Exposes Credentials on Public GitHub Repository [https://www.securityweek.com/in-other-news-industrial-router-exploitation-cisa-kev-nomination-form-gas-station-hacking/] [Business & Infrastructure Threats] * Hugging Face Hiding Second-Stage Malware for npm Supply Chain Attack [https://databreaches.net/2026/05/22/hugging-face-hiding-second-stage-malware-for-npm-supply-chain-attack/?pk_campaign=feed&pk_kwd=hugging-face-hiding-second-stage-malware-for-npm-supply-chain-attack] [Business & Infrastructure Threats] * New macOS Stealer Variant Masquerades as Apple, Google & Microsoft (Reaper) [https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-21-7/] [General Security News] * Interpol Operation Ramz Rounds Up 200+ Cybercrime Suspects Across Middle East and North Africa [https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-21-7/] [General Security News] * Verizon DBIR: Healthcare Fends Off Increased Social Engineering Attacks [https://www.darkreading.com/cyber-risk/verizon-dbir-healthcare-fends-off-increased-social-engineering-attacks] [General Security News] * CVE-2026-41091 (CISA-KEV, EPSS 0.066, 91st percentile) [Vulnerability Disclosures] * CVE-2026-45401 (EPSS 0.000, 12th percentile) [Vulnerability Disclosures] * CVE-2025-14575 (Qt Network OpenSSL TLS backend, EPSS 0.000, 1st percentile) [Vulnerability Disclosures] * CVE-2026-3593 (BIND 9 DNS-over-HTTPS, EPSS 0.000, 5th percentile) [Vulnerability Disclosures] * CVE-2026-42009 (GnuTLS DTLS, EPSS 0.001, 31st percentile) [Vulnerability Disclosures] * CVE-2026-3039 (BIND 9, EPSS 0.001, 16th percentile) [Vulnerability Disclosures] * CVE-2026-3592 (BIND 9, EPSS 0.000, 4th percentile) [Vulnerability Disclosures] * CVE-2026-5946 (BIND 9, EPSS 0.000, 11th percentile) [Vulnerability Disclosures] * CVE-2026-5950 (BIND 9, EPSS 0.001, 21st percentile) [Vulnerability Disclosures] * CVE-2026-41054 (haveged, EPSS 0.000, 0th percentile) [Vulnerability Disclosures] * CVE-2026-8723 (qs.stringify, EPSS 0.000, 14th percentile) [Vulnerability Disclosures] * CVE-2026-5947 (BIND 9, EPSS 0.000, 6th percentile) [Vulnerability Disclosures] * CVE-2026-8711 (NGINX JavaScript, EPSS 0.002, 47th percentile) [Vulnerability Disclosures] * CVE-2025-51480 (ONNX 1.17.0, EPSS 0.004, 59th percentile) [Vulnerability Disclosures] * CVE-2023-6606 (Linux kernel SMB, EPSS 0.000, 1st percentile) [Vulnerability Disclosures] * CVE-2025-39932 (Linux SMB client, EPSS 0.000, 2nd percentile) [Vulnerability Disclosures] * Multiple Linux kernel CVEs [Vulnerability Disclosures] CVES REFERENCED CVE-2022-40139, CVE-2023-41179, CVE-2023-6606, CVE-2024-9643, CVE-2025-14575, CVE-2025-39901, CVE-2025-39905, CVE-2025-39927, CVE-2025-39932, CVE-2025-39940, CVE-2025-39990, CVE-2025-40003, CVE-2025-40064, CVE-2025-40065, CVE-2025-40074, CVE-2025-51480, CVE-2025-54948, CVE-2026-3039, CVE-2026-34926, CVE-2026-3592, CVE-2026-3593, CVE-2026-41054, CVE-2026-41091, CVE-2026-41940, CVE-2026-42009, CVE-2026-45401, CVE-2026-48172, CVE-2026-5946, CVE-2026-5947, CVE-2026-5950, CVE-2026-8711, CVE-2026-8723, CVE-2026-9082 INDICATORS OF COMPROMISE IP Addresses: 5.3.1.0, 2.223.66.103, 5.181.234.59, 92.38.148.58 Read the full brief [https://carolinacleartech.com/brief/2026-05-23/]