Back to Weekly Roundups
2026-W22 Classification: PUBLIC

WEEKLY INTELLIGENCE BRIEFING

2026-05-25 to 2026-05-31 80 articles

Articles scanned
80
Top IOCs
15
Authentication bypasses meet AI-powered supply chains

Tagline

Authentication bypasses meet AI-powered supply chains

Executive Summary

The week in one line

Critical authentication bypasses and AI-powered supply chain attacks dominated while regulatory enforcement intensified.

What happened

The week saw a convergence of critical infrastructure vulnerabilities and sophisticated attack campaigns. AI tools are now accelerating threat actor operations.

  • Fortinet FortiClient EMS authentication bypass (CVE-2026-35616) exploited in wild to deploy credential stealers
  • Charter Communications breached via voice phishing, exposing 42M records to ShinyHunters
  • Malicious VS Code extension compromised GitHub employee, exposing internal repositories
  • GreyVibe threat actors using ChatGPT and Gemini to accelerate cyberattacks against Ukrainian targets
  • California sued 23andMe for inadequate genetic data protection after 2023 breach

Why it matters for defenders and leaders

Authentication bypass vulnerabilities are providing broad network access while AI is democratizing advanced attack techniques. Supply chain risks are expanding beyond traditional software dependencies.

  • Critical infrastructure products lack basic authentication controls, enabling widespread compromise
  • Social engineering tactics are evolving faster than employee training programs can adapt
  • AI tools are lowering the skill barrier for sophisticated phishing and malware development
  • Regulatory enforcement is accelerating with significant financial penalties for data protection failures

What to do this week

  • Patch FortiClient EMS and Palo Alto PAN-OS authentication bypass vulnerabilities immediately
  • Audit VS Code extensions and implement package pinning for CI/CD pipelines
  • Review and strengthen social engineering training and incident response procedures
  • Rotate credentials for any GitHub repositories and cloud services accessed via compromised tooling
  • Assess third-party data sharing agreements and commercial data broker relationships
TLDR
  • 🔒 Critical authentication bypass vulnerabilities dominated headlines with Fortinet FortiClient EMS and Palo Alto PAN-OS under active exploitation
  • 🏦 Major breaches hit financial services and healthcare, with Charter Communications (42M records) and iFood Brazil (43.8M records) leading massive data exposures
  • 🤖 AI-powered attacks evolved significantly with GreyVibe using ChatGPT and Gemini to accelerate phishing campaigns and malware development
  • 🔗 Supply chain compromises escalated through malicious npm packages, poisoned VS Code extensions, and GitHub Action workflow injections
  • 🌍 Nation-state tensions intensified as Russian intelligence agencies ramped up technology theft operations under sanctions pressure
  • ⚖️ Regulatory enforcement strengthened with California suing 23andMe and French CNIL imposing €5M healthcare data protection fines

Intelligence Breakdown

5 modules
Vulnerabilities & Exploits
VULNERABILITIES-AND-EXPLOITS
2026-W22

Critical FortiClient EMS Authentication Bypass Exploited in Wild. CVE-2026-35616 (CVSS 9.1) allows attackers to forge HTTP headers and gain full administrator access to FortiClient EMS without authentication. Active exploitation is deploying EKZ credential stealer malware disguised as legitimate Fortinet updates.

Palo Alto Networks PAN-OS Authentication Bypass Added to KEV. CISA added CVE-2026-0257 to the Known Exploited Vulnerabilities catalog after confirming active exploitation of the authentication bypass flaw.

Unpatched Gogs Zero-Day Enables RCE via Branch Names. A CVSS 9.4 vulnerability allows authenticated users to execute arbitrary code by injecting malicious branch names into pull requests, exploiting git rebase operations. The flaw remains unpatched despite March disclosure.

Pre-Auth RCE in Marimo Notebook Framework. CVE-2026-39987 (CVSS 9.3) enables unauthenticated attackers to achieve root code execution via a single WebSocket handshake in Marimo Python notebook environments.

Key Takeaway

Prioritize patching authentication bypass vulnerabilities in FortiClient EMS and PAN-OS immediately, as both are under active exploitation.

Ransomware & Breaches
RANSOMWARE-AND-BREACHES
2026-W22

Charter Communications Confirms 42M Record Breach by ShinyHunters. The extortion group used voice phishing to compromise an employee's Microsoft Entra account in April, accessing Salesforce and stealing data on 4.9 million unique customers.

Brazilian Food Giant iFood Targeted in 43.8M Record Extortion. Threat actors claim to possess customer records including CPF national IDs, payment data, and personal information in ongoing extortion campaign.

Carnival Corporation Admits 6M Customer Records Stolen. Social engineering attack on April 14 led to ShinyHunters stealing customer names, addresses, dates of birth, and government ID numbers from the cruise operator.

Silent Ransom Group Escalates to Physical Data Theft. The FBI warned that threat actors are now sending operatives in person to company offices to steal data directly, marking a dangerous escalation in ransomware tactics.

Key Takeaway

Implement stronger social engineering defenses and employee training, as voice phishing continues driving major breaches.

Supply Chain
SUPPLY-CHAIN
2026-W22

Malicious VS Code Extension Compromises GitHub Employee. The poisoned Nx Console extension (v18.95.0) was distributed via automatic VS Code updates, compromising a GitHub employee's device and exposing internal repositories.

33 Malicious npm Packages Target Developer Environments. Microsoft discovered packages exploiting dependency confusion to profile environments and steal cloud credentials via organizational namespace impersonation.

Megalodon Campaign Injects Malicious GitHub Actions. Attackers are compromising CI/CD pipelines by injecting malicious workflow files to harvest secrets and cloud credentials from GitHub repositories.

Fake Sicoob SDK Exfiltrates Banking Certificates. Malicious NuGet package targeted Brazilian banking infrastructure, stealing PFX certificates and authentication material through spoofed publisher identity.

Key Takeaway

Implement package pinning, dependency scanning, and credential rotation policies to defend against the surge in supply chain attacks.

APT & Nation-State
APT-AND-NATION-STATE
2026-W22

Russian Intelligence Escalates Western Technology Theft. Intelligence agencies are using fake companies and cyber operations to target advanced manufacturing, space technology, and quantum research as sanctions strain Moscow's economy.

GreyVibe Uses AI to Supercharge Ukrainian Cyberattacks. The Russia-linked group leverages ChatGPT and Gemini across all attack phases, from phishing lure creation to custom malware development (PhantomRelay, LegionRelay, Fallspy).

Pentagon Confirms Adversaries Tracking Troops via Commercial Data. Foreign intelligence services are purchasing US military personnel location data and health records for as little as 12 cents per record to target troops in the Middle East.

Key Takeaway

Restrict commercial data broker relationships and implement stronger OPSEC training as adversaries exploit civilian data ecosystems.

References
REFERENCES
2026-W22

Regulatory Updates

Regulatory & Compliance
Action items and policy signal

California Sues 23andMe Over 2023 Breach Response. Attorney General Rob Bonta filed suit over inadequate security measures that allowed credential-stuffing attacks to expose 7 million customers' genetic data.

French CNIL Fines IQVIA €5M for Health Data Violations. Penalty imposed for inadequate patient notification and pseudonymisation failures in repositories containing 20 million patient records.

Federal Audit Exposes NIST NVD Mismanagement. Commerce IG found 27,000 vulnerability backlog and $200,000 waste from duplicated work with CISA's competing program.

Key Takeaway

Strengthen breach response procedures and data protection controls as regulators increase enforcement actions and penalties.