Malware | Jun 1, 2026

⚡ Weekly Recap: New Linux Flaw, PAN-OS Exploit, AI-Powered Attacks, OAuth Phishing and More

Weekly security recap: PAN-OS auth bypass exploited, Gogs zero-day RCE, GlassWorm C2 taken down, AI phishing.

Summary

A comprehensive weekly security roundup covering multiple critical threats including active exploitation of CVE-2026-0257 (PAN-OS authentication bypass), a critical unpatched zero-day in Gogs enabling remote code execution via malicious branch names, and the takedown of the GlassWorm C2 infrastructure by CrowdStrike and Google. The recap also highlights emerging threats including poisoned development tools, OAuth phishing kits, and AI-powered attack tooling lowering the barrier to entry for attackers.

Full text

Ravie Lakshmanan | Jun 01, 2026 | Cybersecurity / Hacking

Monday hit like a cron job with anger issues. A busted auth path here, a repo-side faceplant there, some "patched-ish" thing already getting chewed on in the wild, and then the usual bonus round: poisoned dev tools, sketchy forum chatter, phishing kits pretending to be productivity, and AI lowering the bar for people who already thought 'curl | sh' had a personality. The vibe is simple: old bugs, new wrappers, faster abuse. Patch the obvious crap first. Then read the rest.

⚡ Threat of the Week

PAN-OS GlobalProtect Authentication Bypass Under Exploitation - Palo Alto Networks warned that a recently disclosed security flaw impacting PAN-OS and Prisma Access, rated medium severity, has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-0257 (CVSS score: 7.8), is an authentication bypass that attackers could use to establish VPN connections. The issue specifically affects firewalls with a GlobalProtect portal or gateway configured, when authentication override cookies are enabled and a specific certificate configuration exists, the network security company said. If you run GlobalProtect, confirm whether authentication override cookies are enabled before deciding how urgent the patch is for you.

🔔 Top News

Critical Unpatched Flaw in Gogs - The popular open-source self-hosted Git service Gogs is affected by a critical-severity zero-day vulnerability that exposes servers to remote code execution (RCE), per Rapid7. The injection flaw can be exploited by authenticated attackers via pull requests with malicious branch names.
"Since Gogs ships with open registration enabled by default and no limit on repository creation, an unauthenticated attacker can simply create an account and repository on any default-configured instance," the cybersecurity firm says. Any repository owner can enable rebase merging with a single toggle in settings, and the entire exploit chain can be operated without interaction from any other user. Attackers with write access to repositories that have rebase merging enabled can exploit the flaw directly.

"The result is arbitrary command execution as the Gogs server process user, giving the attacker the ability to compromise the server, read every repository on the instance (including other users' private repos), dump credentials (password hashes, API tokens, SSH keys, 2FA secrets), pivot to other network-accessible systems, and modify any hosted repository's code," Rapid7 said. Gogs servers across Windows, Linux, and macOS that are running default configurations are affected. No patch has been released as of the time of publishing. Until one lands, disabling open registration and rebase merging removes the default-configuration path described above.

GlassWorm C2 Taken Down - CrowdStrike, Google, and the Shadowserver Foundation dismantled the GlassWorm malware operation by taking down all four of GlassWorm's command-and-control (C2) channels simultaneously on May 26, 2026, at 2 p.m. UTC. GlassWorm, since its emergence last year, has conducted a "multi-pronged campaign" using trojanized VS Code extensions published on both the Microsoft VS Code Marketplace and Open VSX. The campaign is also known to have introduced malicious code through compromised npm and Python packages. By taking down all four channels at the same time, the action severed the operators' access to the infected hosts and their ability to deliver new commands. Evidence suggests that GlassWorm's operators are of Russian origin: the malware checks the system's locale and avoids infecting machines in CIS countries, and its code contains Russian-language comments.
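For the Gogs item above: the recap describes an injection flaw triggered by a malicious branch name and, further down, calls it an argument injection. The bug class is general: a git ref name that a server passes as a positional argument to a git subcommand is parsed as an option if it starts with a dash, even when no shell is involved. The example below is added here and is not Gogs' code, nor the reported exploit; it shows the unsafe argv shape beside a hardened one that validates the ref (a Python re-implementation of the main `git check-ref-format` rules, an assumption, since git's full rule set is longer) and terminates option parsing with `--end-of-options`. The branch names and the `run_rebase` helper are constructed for the example.

```python
"""Argument injection via git ref names: the bug class behind the Gogs item.

Added example (not Gogs' code, not the published exploit). A user-controlled
branch name handed to `git rebase` as a positional argument is parsed as an
option when it starts with '-'. git rebase's --exec option runs a shell
command after each replayed commit, which is why a leading dash must never
reach argv unguarded.
"""
import re
import subprocess

# Constructed sample names for the demo.
GOOD = "feature/login-fix"
BAD_OPTION_LIKE = "--exec=true"      # looks like a branch name, parses as an option
BAD_TRAVERSAL = "../../etc/passwd"
BAD_CONTROL = "main\x00"


def is_safe_ref(name: str) -> bool:
    """Conservative subset of `git check-ref-format` rules (assumption: git's
    own list is longer; anything rejected here git would also reject)."""
    if not name or len(name) > 255 or name == "@":
        return False
    if name.startswith("-"):                       # option injection
        return False
    if name.startswith("/") or name.endswith("/") or name.endswith("."):
        return False
    for seq in ("..", "@{", "//", "\\"):           # ref traversal / reflog syntax
        if seq in name:
            return False
    for comp in name.split("/"):                   # per-component rules
        if not comp or comp.startswith(".") or comp.endswith(".lock"):
            return False
    # control chars, space, DEL and the shell/ref-syntax characters git forbids
    if re.search(r"[\x00-\x20\x7f~^:?*\[]", name):
        return False
    return True


def vulnerable_rebase_argv(branch: str) -> list:
    """Unsafe: the input lands in argv while git is still parsing options."""
    return ["git", "rebase", branch]


def hardened_rebase_argv(branch: str) -> list:
    """Safe: reject bad names, then stop option parsing before the positional."""
    if not is_safe_ref(branch):
        raise ValueError(f"refusing unsafe ref name: {branch!r}")
    # --end-of-options (git >= 2.24) makes everything after it positional, so
    # even a name that slipped past validation cannot become an option.
    return ["git", "rebase", "--end-of-options", branch]


def run_rebase(branch: str, repo_dir: str) -> subprocess.CompletedProcess:
    """Hypothetical helper: execute the hardened form in a real checkout."""
    return subprocess.run(hardened_rebase_argv(branch), cwd=repo_dir,
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    for name in (GOOD, BAD_OPTION_LIKE, BAD_TRAVERSAL, BAD_CONTROL):
        print(f"{name!r:24} vulnerable argv: {vulnerable_rebase_argv(name)}")
        try:
            print(f"{'':24} hardened argv:   {hardened_rebase_argv(name)}")
        except ValueError as err:
            print(f"{'':24} hardened:        {err}")
```

Validation and the terminator are both needed: the terminator stops the dash case, while the validator stops path-style names that are harmless to the option parser but become ref-path traversal once the name is spliced into `refs/heads/`.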
In addition to taking down the GlassWorm infrastructure, CrowdStrike has instructed the infected endpoints to beacon to the benign IP address 164.92.88[.]210. Organizations are advised to check for connections to this IP address to identify potential infections.

Despite these efforts, the broader economics of repository abuse remain an ongoing issue. Open-source ecosystems continue to offer attackers low-cost distribution channels with massive reach compared to traditional software. This also means operators behind such campaigns can resurface under new accounts, domains, or package names. In other words, it's only a temporary disruption, not eradication.

CERT-In Urges Organizations to Patch Exploited Flaws Within 12 Hours - Organizations in India have been urged to patch actively exploited vulnerabilities impacting internet-facing or "crown jewel" systems within 12 hours, where feasible, so as to better respond to the speed artificial intelligence (AI) now brings to cyber attacks. CERT-In stopped short of framing the timelines as binding, describing them as indicative expectations to be applied according to operational criticality and threat exposure. The agency also warned that AI-assisted attacks are dramatically compressing the time between vulnerability disclosure and exploitation. The framework also recommends one-day remediation for critical externally exposed vulnerabilities, three days for critical internal vulnerabilities affecting high-value systems, and five days for high-severity flaws, based on risk prioritization.

GREYVIBE Leans on AI for Ukraine Attacks - A previously undocumented Russian group codenamed GREYVIBE has been found to make extensive use of large language models (LLMs) in its attacks against private, government, and military organizations in Ukraine. The end goal is to gather intelligence for the ongoing war.
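For the GlassWorm check above: the recap gives the post-takedown beacon destination as the defanged 164.92.88[.]210 and tells defenders to look for connections to it. The script below is an added example, not CrowdStrike or Google tooling. It refangs the indicator and scans two common log shapes, Zeek conn.log records and iptables-style firewall lines, reporting the internal source hosts that initiated a connection to the address. The log lines are constructed for the example; the field names follow Zeek's standard conn.log header, and the free-form parsing assumes `SRC=`/`DST=` tokens.

```python
"""Hunt for hosts beaconing to the GlassWorm post-takedown address.

Added example (not the takedown operators' tooling). Sample logs below are
constructed; the IOC comes from the recap, where it is printed defanged.
"""
import re
from collections import defaultdict


def refang(ioc: str) -> str:
    """Turn '164.92.88[.]210' / 'hxxp://' style defanging back into a real value."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


SINKHOLE = refang("164.92.88[.]210")   # from the recap, defanged there

# Constructed sample: a Zeek conn.log header plus records, then two firewall lines.
SAMPLE_LOGS = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state
1780408800.123\tC1a2b3\t10.0.4.17\t51324\t164.92.88.210\t443\ttcp\tssl\tSF
1780408812.440\tC4d5e6\t10.0.4.18\t49155\t142.250.72.14\t443\ttcp\tssl\tSF
1780408825.901\tC7f8g9\t10.0.9.3\t60211\t164.92.88.210\t443\ttcp\tssl\tSF
1780408899.002\tCabcde\t10.0.4.17\t51330\t164.92.88.210\t443\ttcp\tssl\tSF
May 26 14:02:10 fw01 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.7.22 DST=164.92.88.210 PROTO=TCP DPT=443
May 26 14:02:11 fw01 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.7.23 DST=164.92.88.21 PROTO=TCP DPT=443
"""

# Whole-token IPv4 match, so 164.92.88.21 never matches a search for 164.92.88.210.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def parse_zeek_fields(header_line: str) -> list:
    """'#fields\\tts\\tuid...' -> ['ts', 'uid', ...]"""
    return header_line.rstrip("\n").split("\t")[1:]


def scan(lines, ioc: str = SINKHOLE) -> dict:
    """Return {source_host: [raw matching lines]} for every connection to ioc.

    Zeek records match on the responder column only, so a hit means the host
    initiated the connection (a beacon), not that the address merely appeared.
    Free-form lines are matched on DST= when present, else on any whole token.
    """
    hits = defaultdict(list)
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#fields"):
            fields = parse_zeek_fields(line)
            continue
        if line.startswith("#"):              # other Zeek metadata lines
            continue
        if fields and "\t" in line:
            rec = dict(zip(fields, line.split("\t")))
            if rec.get("id.resp_h") == ioc:
                hits[rec["id.orig_h"]].append(line)
            continue
        dst_m = re.search(r"\bDST=(\S+)", line)   # iptables-style fallback
        dst = dst_m.group(1) if dst_m else None
        if dst == ioc or (dst is None and ioc in IPV4.findall(line)):
            src_m = re.search(r"\bSRC=(\S+)", line)
            hits[src_m.group(1) if src_m else "unknown"].append(line)
    return dict(hits)


def infected_hosts(lines, ioc: str = SINKHOLE) -> list:
    """Sorted list of internal hosts that reached the IOC at least once."""
    return sorted(scan(lines, ioc))


if __name__ == "__main__":
    for host, matched in scan(SAMPLE_LOGS.splitlines()).items():
        print(f"{host}: {len(matched)} connection(s) to {SINKHOLE}")
```

Point it at real exports by replacing `SAMPLE_LOGS.splitlines()` with an open file handle; the responder-only match matters because the sinkhole address will also appear in your own threat-intel lookups and in outbound blocks, neither of which is an infected host.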
"While the activities align with Russian state interests, several observed indicators suggest the group has ties to the broader cybercrime ecosystem, with the group potentially involving current or former cybercriminal actors," WithSecure said. The threat actor is believed to have been active since August 2025. What's notable is the extent to which AI appears to be enmeshed throughout the operation. The group's use of AI is believed to be "operationally integrated rather than isolated or experimental."

AI Chatbot Recommendations Redirect Users to Cryptojacking Malware - A new campaign abuses searches for popular tools in AI chatbots: users are steered to sketchy sites that trick them into downloading booby-trapped executables, which drop a cryptocurrency miner on compromised hosts. The goals of the campaign are not merely financial. The threat actors have also been found to establish persistent remote access to compromised hosts through ScreenConnect deployments, which could then be leveraged for follow-on activity such as data theft, lateral movement, or ransomware.

🔥 Trending CVEs

Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast. These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild.
Check the list, patch what you have, and hit the ones marked urgent first:

  • CVE-2026-8732 (WP Maps Pro plugin)
  • CVE-2026-0257 (Palo Alto Networks PAN-OS and Prisma Access)
  • CVE-2026-27771 (Gitea)
  • CVE-2026-45659 (Microsoft SharePoint)
  • CVE-2026-9090 through CVE-2026-9098 (Casdoor)
  • CVE-2026-48800, CVE-2026-48778, CVE-2026-48770 (Notepad++)
  • CVE-2026-40933 (Flowise)
  • CVE-2026-9872 through CVE-2026-9893 (Google Chrome)
  • CVE-2026-32996, CVE-2026-32997 (Veeam Backup & Replication)
  • CVE-2026-44962 (Plesk)
  • CVE-2026-4868, CVE-2026-1402, CVE-2026-6713 (GitLab)
  • CVE-2026-46840, CVE-2026-46775, CVE-2026-46839, CVE-2026-2332 (Oracle)
  • CVE-2026-4480 (Samba)
  • CVE-2025-59199 aka Click Or Trick (Microsoft Windows 11)
  • CVE-2026-9560 (OpenVPN Connect for macOS)
  • CVE-2026-9312 (GitHub Enterprise Server)
  • CVE-2026-3593, CVE-2026-5946, CVE-2026-5947 (BIND 9)
  • CVE-2026-47783 (Memcached)
  • CVE-2026-44930 (Apache CXF)
  • CVE-2026-9089 (ConnectWise Automate)
  • CVE-2026-4115 (PuTTY)
  • CVE-2026-48095 (7-Zip)
  • an argument injection vulnerability in Gogs, a

Indicators of Compromise

  • cve — CVE-2026-0257
  • ip — 164.92.88.210
  • malware — GlassWorm

Entities

  • Palo Alto Networks (vendor)
  • PAN-OS (product)
  • Prisma Access (product)
  • Gogs (product)
  • CrowdStrike (vendor)
  • Google (vendor)