Ticker feed
Hackers targeted Red Hat's NPM repository Monday, publishing malicious versions of 32 packages in just 72 seconds — almost certainly automated. The poisoned packages span Red Hat's entire Hybrid Cloud Console JavaScript ecosystem, with nearly 10 million downloads combined.
The malware, linked to a worm called "Mini Shai-Hulud" from hacking group TeamPCP, harvests GitHub secrets, cloud credentials, SSH keys, Kubernetes material, and more — then exfiltrates everything to attacker-controlled servers. At least 210 repositories containing stolen credentials have already been identified.
Red Hat has published clean versions of all 32 packages. Anyone who installed a compromised version should treat their environment as breached and rotate all credentials immediately.
Source: SecurityWeek
A security flaw in Palo Alto Networks' PAN-OS GlobalProtect VPN, tracked as CVE-2026-0257, is being actively exploited — and organizations running unpatched systems are at real risk. Attackers are forging authentication cookies to impersonate legitimate users and gain VPN access without valid credentials.
Palo Alto patched the flaw in May, but Rapid7 confirmed successful exploitation across multiple customer environments as early as May 17. CISA added it to its Known Exploited Vulnerabilities catalog on May 29. Despite a "medium" CVSS score of 7.8, researchers stress it should be treated as critical — an unauthenticated admin VPN session into your internal network is serious. Patch immediately.
Source: Dark Reading
A Russian state-linked worm tied to the FSB's Gamaredon group is targeting Ukrainian government, military, and critical infrastructure — and it's remarkably hard to detect. Security firm Sekoia reconstructed an active infection chain first spotted in January 2026 that starts with a booby-trapped xHTML file, exploits a WinRAR path traversal flaw (CVE-2025-8088), and drops a hidden HTA file that runs on next login.
The worm, dubbed GammaWorm, hides its modules in NTFS Alternate Data Streams — a native Windows feature that leaves no visible trace in directory listings. It spreads via USB drives and network shares, pulls C2 addresses from Telegram and Cloudflare, and loops indefinitely as a backdoor. Sekoia recommends a full system wipe for infected machines and updating WinRAR to version 7.13 or later.
Source: Infosecurity Magazine
A critical Windows Netlogon vulnerability (CVE-2026-41089) is being actively exploited in the wild, putting unpatched domain controllers at serious risk. Attackers need only network access to trigger the flaw — no authentication, no user interaction required — allowing full SYSTEM-level code execution and potential domain takeover.
Microsoft patched it in May 2026's Patch Tuesday update, alongside 15 other critical flaws. Belgium's Center for Cybersecurity has flagged it as a top-priority emergency fix. Security teams should patch domain controllers immediately, tighten network segmentation, and monitor for suspicious Netlogon traffic and unexpected admin account creation.
Source: Cybersecurity News
A cybercriminal group called Silent Ransom Group (SRG) has escalated its attacks on US law firms by impersonating IT staff — both over the phone and in person. Since 2023, the group has targeted law, insurance, finance, and healthcare firms using callback scams to trick employees into granting remote desktop access.
As of spring 2026, the FBI warns that when remote access fails, SRG sends an actor physically to the victim's office, convincing staff to plug in an external drive under the guise of IT maintenance. Data is then quietly exfiltrated using legitimate tools like WinSCP or Rclone — making traditional antivirus detection unlikely.
The FBI recommends verifying all visitor credentials, disabling external drive permissions, enforcing phishing-resistant MFA, and training staff to authenticate IT requests before granting any access.
Source: Infosecurity Magazine
A maximum-severity vulnerability in Samba's printing subsystem — CVE-2026-4480, CVSS 10.0 — lets unauthenticated attackers run arbitrary commands on affected Linux and Unix systems. The flaw lives in the %J substitution parameter used in print commands, which passes client-controlled input directly into a shell without escaping special characters. Since many Samba setups allow guest print job submissions by default, no credentials are needed to exploit it.
Patches are out: Samba versions 4.22.10, 4.23.8, and 4.24.3 fix the issue. Systems using printing = cups or iprint aren't affected. If patching isn't immediate, removing %J from your smb.conf print command is the safest workaround.
Source: Cybersecurity News
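As an added example (not from the article or the Samba project), a small Python audit that applies the exposure rule stated above to an smb.conf: flag printable shares whose print command contains %J unless the effective printing backend is cups or iprint, and note whether guest access makes the share reachable without credentials. The sample configuration, share names and print command strings are constructed.

```python
import configparser

# Constructed sample smb.conf (not from the article): one exposed share, two that are not.
SAMPLE_SMB_CONF = """
[global]
printing = bsd

[printers]
path = /var/spool/samba
printable = yes
guest ok = yes
print command = lpr -r -P'%p' -J '%J' %s

[cupsprinter]
printable = yes
printing = cups
print command = lpr -P'%p' -J '%J' %s

[safeprinter]
printable = yes
print command = lpr -r -P'%p' %s
"""

SAFE_BACKENDS = {"cups", "iprint"}
YES = {"yes", "true", "1"}

def audit_smb_conf(text):
    """Return [(share, reason)] for printable shares exposed to CVE-2026-4480, using the
    rule from the advisory summary: a print command containing %J on a share whose effective
    'printing' backend is neither cups nor iprint. 'guest ok' is reported because it is what
    makes the flaw reachable without credentials."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   inline_comment_prefixes=(";", "#"))
    cp.read_string(text)
    global_backend = cp.get("global", "printing", fallback="").strip().lower()
    findings = []
    for share in cp.sections():
        if share == "global" or cp.get(share, "printable", fallback="no").strip().lower() not in YES:
            continue
        backend = cp.get(share, "printing", fallback=global_backend).strip().lower()
        if backend in SAFE_BACKENDS:
            continue          # per the advisory, these backends are not affected
        if "%J" in cp.get(share, "print command", fallback=""):
            guest = cp.get(share, "guest ok", fallback="no").strip().lower() in YES
            findings.append((share, "%J in print command" + (", guest ok = yes" if guest else "")))
    return findings

if __name__ == "__main__":
    for share, reason in audit_smb_conf(SAMPLE_SMB_CONF):
        print(f"{share}: {reason}")
```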
A critical SQL injection vulnerability in Ghost CMS (CVE-2026-26980) has been exploited by at least two hacker groups to quietly poison over 700 websites with ClickFix malware. First disclosed February 19, 2026, the flaw lets unauthenticated attackers steal Admin API keys and rewrite article content at scale.
Researchers at Qianxin XLab spotted the campaign on May 7. By May 17, compromised sites included Harvard, Oxford, and Auburn University, spanning blockchain, fintech, and media industries. Visitors saw nothing suspicious — malicious JavaScript hid at the bottom of articles, eventually serving a fake Cloudflare verification page that tricked users into running malware themselves.
Ghost CMS admins should patch immediately, rotate all credentials, and audit access logs.
Source: Cyber Security News
Security firm Token Security discovered five chained vulnerabilities in Zapier that, together, could have let an attacker take over millions of user accounts — starting with nothing more than a free account.
The attack path ran from a code-writing feature through discarded credentials, into an internal storage system holding over 1,100 private software images. One image contained a publishing key for code running inside every logged-in user's browser — meaning a bad actor could have quietly hijacked automations across Zapier's 8,000+ integrations.
Researchers reported the flaws in February. Zapier triaged within four days, patched within three weeks, and paid the $3,000 maximum bounty. No exploitation was detected.
Source: CyberScoop
Security researchers at Adversa AI have uncovered a novel attack technique called SymJack that weaponizes AI coding agents to silently inject malicious code into software pipelines. The attack works by disguising a malicious symlink as an innocuous file, tricking developers into approving a simple copy command that secretly registers a rogue MCP server in the agent's configuration. On the next restart, the attacker's code runs unsandboxed — capable of stealing SSH keys, cloud tokens, and browser sessions.
Adversa tested SymJack across five major coding agents — Claude Code, Gemini CLI, Cursor, Grok Build, and GitHub Copilot CLI — and it worked on all of them. While most vendors dismissed the report, Anthropic quietly hardened Claude Code to resolve symlinks before requesting user approval. The attack isn't a software bug; it exploits developer trust in automation itself.
Source: SecurityWeek
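As an added example (not Adversa's code and not any vendor's), the kind of pre-approval check the Claude Code hardening described above implies: resolve symlinks on both ends of a proposed copy and refuse it when either end leaves the workspace or lands in a protected configuration directory. The workspace layout, the ~/.agent/mcp.json config location and the file names are constructed assumptions.

```python
import os
import tempfile
from pathlib import Path

def _under(path, root):
    """True if path is root or lies beneath it (both already resolved)."""
    return os.path.commonpath([str(path), str(root)]) == str(root)

def resolve_copy(src, dst, workspace, protected_dirs):
    """Classify a proposed 'cp src dst' before asking the user to approve it: follow symlinks
    on both ends and deny if the copy would read or write outside the workspace or inside a
    protected config directory. Returns (verdict, real_src, real_dst) so the prompt can show
    the resolved paths rather than the disguised ones."""
    ws = Path(workspace).resolve()
    real_src = Path(src).resolve()
    dst = Path(dst)
    if dst.exists() or dst.is_symlink():
        real_dst = dst.resolve()                    # follows a symlink planted as the destination
    else:
        real_dst = dst.parent.resolve() / dst.name  # new file: still resolve the directory chain
    protected = [Path(p).resolve() for p in protected_dirs]
    for real in (real_src, real_dst):
        if not _under(real, ws) or any(_under(real, p) for p in protected):
            return ("deny", str(real_src), str(real_dst))
    return ("allow", str(real_src), str(real_dst))

def build_scenario():
    """Construct (sample data, not from the article) a workspace where docs/notes.json looks
    like an ordinary file but is a symlink into a hypothetical agent config directory."""
    root = Path(tempfile.mkdtemp())
    cfg_dir = root / "home" / ".agent"   # hypothetical config location, an assumption
    ws = root / "repo"
    cfg_dir.mkdir(parents=True)
    (ws / "docs").mkdir(parents=True)
    (cfg_dir / "mcp.json").write_text("{}")
    (ws / "sample.json").write_text('{"note": "constructed sample content"}')
    os.symlink(cfg_dir / "mcp.json", ws / "docs" / "notes.json")
    return ws, cfg_dir

def check_scenario():
    """Run the disguised copy and an honest copy; returns their two verdicts."""
    ws, cfg_dir = build_scenario()
    bad = resolve_copy(ws / "sample.json", ws / "docs" / "notes.json", ws, [cfg_dir])
    good = resolve_copy(ws / "sample.json", ws / "docs" / "copy.json", ws, [cfg_dir])
    return bad[0], good[0]

if __name__ == "__main__":
    print(check_scenario())   # ('deny', 'allow')
```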
Notepad++ has patched three security vulnerabilities in version v8.9.6.1, released May 26, 2026 — two of them critical. The worst, CVE-2026-48778, lets attackers plant a malicious executable path inside Notepad++'s config.xml file. When a user opens a folder via the command line menu, Windows runs the attacker's program instead. No validation, no warning.
A second critical flaw, CVE-2026-48800, works the same way but targets shortcuts.xml. Attack paths include modifying local config files, poisoning cloud-synced settings, or social engineering via archive extraction.
Anyone running v8.9.6 or earlier should update immediately from the official releases page.
Source: Cybersecurity News