[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f4ieoWTztrbHm8MMiKaejej0Jn2WNjPZqJUOOcjzdD7g":3},{"roundup":4},{"id":5,"week_label":6,"slug":7,"date_from":8,"date_to":9,"tldr":10,"full_brief":11,"top_iocs":12,"social_linkedin":64,"social_x":65,"article_count":66,"awareness_links":67,"status":127,"published_at":128,"created_at":129,"updated_at":129,"mastodon_posted_at":130,"executive_summary":131,"tagline":132,"cover_image_url":133},"701513ac-3679-4a9d-a34f-5ff115e500ff","2026-W22","2026-w22","2026-05-25","2026-05-31","🔒 Critical authentication bypass vulnerabilities dominated headlines with Fortinet FortiClient EMS and Palo Alto PAN-OS under active exploitation\n🏦 Major breaches hit financial services and healthcare, with Charter Communications (42M records) and iFood Brazil (43.8M records) leading massive data exposures\n🤖 AI-powered attacks evolved significantly with GreyVibe using ChatGPT and Gemini to accelerate phishing campaigns and malware development\n🔗 Supply chain compromises escalated through malicious npm packages, poisoned VS Code extensions, and GitHub Action workflow injections\n🌍 Nation-state tensions intensified as Russian intelligence agencies ramped up technology theft operations under sanctions pressure\n⚖️ Regulatory enforcement strengthened with California suing 23andMe and French CNIL imposing €5M healthcare data protection fines","## Vulnerabilities & Exploits\n\n**[Critical FortiClient EMS Authentication Bypass Exploited in Wild](https:\u002F\u002Fdarkwebinformer.com\u002Fone-forged-header-unauthenticated-authentication-bypass-in-fortinet-forticlient-ems-cve-2026-35616\u002F)**. CVE-2026-35616 (CVSS 9.1) allows attackers to forge HTTP headers and gain full administrator access to FortiClient EMS without authentication. 
Active exploitation is deploying EKZ credential stealer malware disguised as legitimate Fortinet updates.\n\n**[Palo Alto Networks PAN-OS Authentication Bypass Added to KEV](https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Falerts\u002F2026\u002F05\u002F29\u002Fcisa-adds-one-known-exploited-vulnerability-catalog)**. CISA added CVE-2026-0257 to the Known Exploited Vulnerabilities catalog after confirming active exploitation of the authentication bypass flaw.\n\n**[Unpatched Gogs Zero-Day Enables RCE via Branch Names](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fnew-gogs-zero-day-flaw-lets-hackers-get-remote-code-execution\u002F)**. A CVSS 9.4 vulnerability allows authenticated users to execute arbitrary code by injecting malicious branch names into pull requests, exploiting git rebase operations. The flaw remains unpatched despite March disclosure.\n\n**[Pre-Auth RCE in Marimo Notebook Framework](https:\u002F\u002Fdarkwebinformer.com\u002Froot-in-one-request-pre-auth-rce-in-marimo-cve-2026-39987\u002F)**. CVE-2026-39987 (CVSS 9.3) enables unauthenticated attackers to achieve root code execution via a single WebSocket handshake in Marimo Python notebook environments.\n\n### Key Takeaway\nPrioritize patching authentication bypass vulnerabilities in FortiClient EMS and PAN-OS immediately, as both are under active exploitation.\n\n## Ransomware & Breaches\n\n**[Charter Communications Confirms 42M Record Breach by ShinyHunters](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fcharter-communications-data-breach-affects-49-million-accounts\u002F)**. 
The extortion group used voice phishing to compromise an employee's Microsoft Entra account in April, accessing Salesforce and stealing data on 4.9 million unique customers.\n\n**[Brazilian Food Giant iFood Targeted in 43.8M Record Extortion](https:\u002F\u002Fdarkwebinformer.com\u002Fbrazilian-food-delivery-giant-ifood-targeted-in-alleged-43-8m-record-customer-data-extortion\u002F)**. Threat actors claim to possess customer records including CPF national IDs, payment data, and personal information in an ongoing extortion campaign.\n\n**[Carnival Corporation Admits 6M Customer Records Stolen](https:\u002F\u002Fwww.securityweek.com\u002Fcarnival-data-breach-exposed-6-million-people\u002F)**. A social engineering attack on April 14 led to ShinyHunters stealing customer names, addresses, dates of birth, and government ID numbers from the cruise operator.\n\n**[Silent Ransom Group Escalates to Physical Data Theft](https:\u002F\u002Fwww.wired.com\u002Fstory\u002Fsecurity-news-this-week-cybercrime-crew-claims-it-hacked-mike-lindells-mypillow\u002F)**. The FBI warned that threat actors are now sending operatives in person to company offices to steal data directly, marking a dangerous escalation in ransomware tactics.\n\n### Key Takeaway\nImplement stronger social engineering defenses and employee training, as voice phishing continues driving major breaches.\n\n## Supply Chain\n\n**[Malicious VS Code Extension Compromises GitHub Employee](https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Falerts\u002F2026\u002F05\u002F28\u002Fsupply-chain-compromises-impact-nx-console-and-github-repositories)**. 
The poisoned Nx Console extension (v18.95.0) was distributed via automatic VS Code updates, compromising a GitHub employee's device and exposing internal repositories.\n\n**[33 Malicious npm Packages Target Developer Environments](https:\u002F\u002Fwww.microsoft.com\u002Fen-us\u002Fsecurity\u002Fblog\u002F2026\u002F05\u002F29\u002F33-malicious-npm-packages-abuse-dependency-confusion-profile-developer-environments\u002F)**. Microsoft discovered packages exploiting dependency confusion to profile environments and steal cloud credentials via organizational namespace impersonation.\n\n**[Megalodon Campaign Injects Malicious GitHub Actions](https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Falerts\u002F2026\u002F05\u002F28\u002Fsupply-chain-compromises-impact-nx-console-and-github-repositories)**. Attackers are compromising CI\u002FCD pipelines by injecting malicious workflow files to harvest secrets and cloud credentials from GitHub repositories.\n\n**[Fake Sicoob SDK Exfiltrates Banking Certificates](https:\u002F\u002Fsocket.dev\u002Fblog\u002Fmalicious-nuget-package-impersonates-sicoob-sdk?utm_medium=feed)**. Malicious NuGet package targeted Brazilian banking infrastructure, stealing PFX certificates and authentication material through spoofed publisher identity.\n\n### Key Takeaway\nImplement package pinning, dependency scanning, and credential rotation policies to defend against the surge in supply chain attacks.\n\n## APT & Nation-State\n\n**[Russian Intelligence Escalates Western Technology Theft](https:\u002F\u002Fwww.securityweek.com\u002Frussian-spies-are-aggressively-seeking-western-technology-as-sanctions-bite-officials-say\u002F)**. 
Intelligence agencies are using fake companies and cyber operations to target advanced manufacturing, space technology, and quantum research as sanctions strain Moscow's economy.\n\n**[GreyVibe Uses AI to Supercharge Ukrainian Cyberattacks](https:\u002F\u002Fwww.securityweek.com\u002Frussia-linked-greyvibe-attackers-use-ai-to-supercharge-cyberattacks\u002F)**. The Russia-linked group leverages ChatGPT and Gemini across all attack phases, from phishing lure creation to custom malware development (PhantomRelay, LegionRelay, Fallspy).\n\n**[Pentagon Confirms Adversaries Tracking Troops via Commercial Data](https:\u002F\u002Fwww.wired.com\u002Fstory\u002Fthe-pentagon-knew-enemies-could-track-troops-phones-for-years-now-they-are\u002F)**. Foreign intelligence services are purchasing US military personnel location data and health records for as little as 12 cents per record to target troops in the Middle East.\n\n### Key Takeaway\nRestrict commercial data broker relationships and implement stronger OPSEC training as adversaries exploit civilian data ecosystems.\n\n## Regulatory & Compliance\n\n**[California Sues 23andMe Over 2023 Breach Response](https:\u002F\u002Fwww.securityweek.com\u002Fcalifornia-sues-23andme-alleging-it-failed-to-protect-user-data-in-2023-breach\u002F)**. Attorney General Rob Bonta filed suit over inadequate security measures that allowed credential-stuffing attacks to expose 7 million customers' genetic data.\n\n**[French CNIL Fines IQVIA €5M for Health Data Violations](https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=CNIL_(France)_-_SAN-2026-008&diff=51768&oldid=0)**. Penalty imposed for inadequate patient notification and pseudonymisation failures in repositories containing 20 million patient records.\n\n**[Federal Audit Exposes NIST NVD Mismanagement](https:\u002F\u002Fcyberscoop.com\u002Fnist-nvd-audit-mismanagement-duplication\u002F)**. 
The Commerce IG found a backlog of 27,000 vulnerabilities and $200,000 in waste from work duplicated with CISA's competing program.\n\n### Key Takeaway\nStrengthen breach response procedures and data protection controls as regulators increase enforcement actions and penalties.\n\n## References\n\n- https:\u002F\u002Fdarkwebinformer.com\u002Fone-forged-header-unauthenticated-authentication-bypass-in-fortinet-forticlient-ems-cve-2026-35616\u002F\n- https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fcharter-communications-data-breach-affects-49-million-accounts\u002F\n- https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Falerts\u002F2026\u002F05\u002F28\u002Fsupply-chain-compromises-impact-nx-console-and-github-repositories\n- https:\u002F\u002Fwww.microsoft.com\u002Fen-us\u002Fsecurity\u002Fblog\u002F2026\u002F05\u002F29\u002F33-malicious-npm-packages-abuse-dependency-confusion-profile-developer-environments\u002F\n- https:\u002F\u002Fwww.securityweek.com\u002Frussia-linked-greyvibe-attackers-use-ai-to-supercharge-cyberattacks\u002F\n- https:\u002F\u002Fwww.securityweek.com\u002Fcalifornia-sues-23andme-alleging-it-failed-to-protect-user-data-in-2023-breach\u002F\n- https:\u002F\u002Fwww.wired.com\u002Fstory\u002Fthe-pentagon-knew-enemies-could-track-troops-phones-for-years-now-they-are\u002F\n- https:\u002F\u002Fcyberscoop.com\u002Fnist-nvd-audit-mismanagement-duplication\u002F",[13,17,21,24,27,30,33,36,39,43,47,50,53,57,60],{"type":14,"value":15,"context":16},"cve","CVE-2026-35616","Critical remote code execution vulnerability in FortiClient EMS, CVSS 9.1, exploited in the wild",{"type":18,"value":19,"context":20},"malware","BTMOB","Android RAT enabling device takeover, distributed via phishing",{"type":18,"value":22,"context":23},"SpySolr","Earlier malware that BTMOB is believed to be based on",{"type":18,"value":25,"context":26},"EKZ Infostealer","Information-stealing malware deployed via FortiClient EMS exploitation, targets browser credentials and 
cookies",{"type":18,"value":28,"context":29},"Megalodon","CI\u002FCD malware campaign injecting malicious GitHub Action workflows to harvest secrets",{"type":14,"value":31,"context":32},"CVE-2025-8110","Previous Gogs RCE vulnerability actively exploited in zero-day attacks in early December",{"type":14,"value":34,"context":35},"CVE-2026-39987","Pre-authentication RCE in Marimo notebook tool",{"type":14,"value":37,"context":38},"CVE-2026-0257","Palo Alto Networks PAN-OS authentication bypass vulnerability actively exploited in the wild",{"type":40,"value":41,"context":42},"domain","t.co","URL shortener used to distribute alleged malicious link in threat actor post",{"type":44,"value":45,"context":46},"hash_sha256","bb1b4e46f1e4a7f17b1b04ee08c33400b2b6fd2327612a4d84da81e2656ba48b","WHQL-signed kernel driver keylogger with Xryus Technologies signature",{"type":40,"value":48,"context":49},"resana.numerique.gouv.fr","French government platform allegedly compromised in data breach",{"type":40,"value":51,"context":52},"numerique.gouv.fr","French government digital infrastructure domain hosting Resana platform",{"type":54,"value":55,"context":56},"mitre_attack","T1078.001","Valid accounts abuse via authentication bypass to perform unauthorized administrative actions",{"type":54,"value":58,"context":59},"T1555","Credential dumping from web browsers (Chromium and Firefox)",{"type":61,"value":62,"context":63},"ip","83.138.53.110","Attacker-controlled C2 infrastructure receiving exfiltrated credential data via HTTP POST","🚨 This week brought critical authentication bypasses under active exploitation, AI-powered cyberattacks, and major supply chain compromises:\n\n• Fortinet FortiClient EMS zero-day enables full admin access via forged headers\n• Charter Communications exposed 42M records via voice phishing attack\n• Malicious VS Code extension compromised GitHub employee systems\n• Russian GreyVibe group uses ChatGPT to accelerate Ukrainian cyberattacks\n• California sues 
23andMe for inadequate genetic data protection\n\nFull roundup: https:\u002F\u002Fthreatnoir.com\u002Fweekly\u002F2026-w22\n\n#cybersecurity #threatintelligence #infosec #supplychain #authentication","🔥 Week 22 highlights: Fortinet auth bypass exploited in wild, Charter 42M record breach via vishing, malicious VS Code extension hits GitHub, AI-powered cyberattacks accelerate. Patch now, audit extensions, strengthen social engineering defenses. Full roundup: https:\u002F\u002Fthreatnoir.com\u002Fweekly\u002F2026-w22",80,[68,71,74,77,80,83,86,89,92,95,98,101,104,107,110,113,115,118,121,124],{"slug":69,"title":70},"charter-communications-faces-shinyhunters-extortion-campaign","Charter Communications Faces ShinyHunters Extortion Campaign",{"slug":72,"title":73},"fraudulent-fifa-world-cup-domains-target-users-with-multiple-attack-vectors","Fraudulent FIFA World Cup Domains Target Users with Multiple Attack Vectors",{"slug":75,"title":76},"zapier-vulnerability-chain-highlights-need-for-comprehensive-security-testing","Zapier Vulnerability Chain Highlights Need for Comprehensive Security Testing",{"slug":78,"title":79},"zero-day-disclosure-dispute-highlights-critical-vulnerability-management-gaps","Zero-Day Disclosure Dispute Highlights Critical Vulnerability Management Gaps",{"slug":81,"title":82},"btmob-android-malware-exploits-user-trust-and-device-permissions","BTMOB Android Malware Exploits User Trust and Device Permissions",{"slug":84,"title":85},"romanian-hacker-exploits-government-network-access-controls","Romanian Hacker Exploits Government Network Access Controls",{"slug":87,"title":88},"critical-forticlient-ems-zero-day-exploited-in-active-attacks","Critical FortiClient EMS Zero-Day Exploited in Active Attacks",{"slug":90,"title":91},"ibm-and-red-hat-launch-5b-open-source-security-initiative","IBM and Red Hat Launch $5B Open Source Security Initiative",{"slug":93,"title":94},"major-telecommunications-provider-suffers-42-million-record-data-breach","Major 
Telecommunications Provider Suffers 42 Million Record Data Breach",{"slug":96,"title":97},"massive-customer-data-breach-exposes-438m-records-at-brazilian-food-delivery-giant","Massive Customer Data Breach Exposes 43.8M Records at Brazilian Food Delivery Giant",{"slug":99,"title":100},"brazilian-food-delivery-giant-ifood-hit-by-438m-record-data-extortion","Brazilian Food Delivery Giant iFood Hit by 43.8M Record Data Extortion",{"slug":102,"title":103},"850m-indian-identity-records-allegedly-exposed-in-massive-data-breach","850M Indian Identity Records Allegedly Exposed in Massive Data Breach",{"slug":105,"title":106},"whql-signed-keylogger-exploits-legitimate-driver-signing-process","WHQL-Signed Keylogger Exploits Legitimate Driver Signing Process",{"slug":108,"title":109},"social-engineering-attack-compromises-employee-account-exposes-6m-records","Social Engineering Attack Compromises Employee Account, Exposes 6M Records",{"slug":111,"title":112},"french-government-platform-breach-exposes-990k-records","French Government Platform Breach Exposes 990K Records",{"slug":114,"title":112},"french-government-platform-breach-exposes-990k-records-1779988827866",{"slug":116,"title":117},"healthcare-ransomware-attack-exposes-student-mental-health-data","Healthcare Ransomware Attack Exposes Student Mental Health Data",{"slug":119,"title":120},"mental-health-provider-exposed-in-ransomware-attack","Mental Health Provider Exposed in Ransomware Attack",{"slug":122,"title":123},"critical-authentication-bypass-in-fortinet-forticlient-ems-exploited-in-wild","Critical Authentication Bypass in Fortinet FortiClient EMS Exploited in Wild",{"slug":125,"title":126},"critical-authentication-bypass-in-fortinet-forticlient-ems","Critical Authentication Bypass in Fortinet FortiClient EMS","published","2026-05-31T05:45:16.676+00:00","2026-05-31T05:46:54.938259+00:00","2026-05-31T06:00:04.532+00:00","### The week in one line\nCritical authentication bypasses and AI-powered supply chain attacks 
dominated while regulatory enforcement intensified.\n\n### What happened\nThe week saw a convergence of critical infrastructure vulnerabilities and sophisticated attack campaigns. AI tools are now accelerating threat actor operations.\n\n- Fortinet FortiClient EMS authentication bypass (CVE-2026-35616) exploited in wild to deploy credential stealers\n- Charter Communications breached via voice phishing, exposing 42M records to ShinyHunters\n- Malicious VS Code extension compromised GitHub employee, exposing internal repositories\n- GreyVibe threat actors using ChatGPT and Gemini to accelerate cyberattacks against Ukrainian targets\n- California sued 23andMe for inadequate genetic data protection after 2023 breach\n\n### Why it matters for defenders and leaders\nAuthentication bypass vulnerabilities are providing broad network access while AI is democratizing advanced attack techniques. Supply chain risks are expanding beyond traditional software dependencies.\n\n- Critical infrastructure products lack basic authentication controls, enabling widespread compromise\n- Social engineering tactics are evolving faster than employee training programs can adapt\n- AI tools are lowering the skill barrier for sophisticated phishing and malware development\n- Regulatory enforcement is accelerating with significant financial penalties for data protection failures\n\n### What to do this week\n- Patch FortiClient EMS and Palo Alto PAN-OS authentication bypass vulnerabilities immediately\n- Audit VS Code extensions and implement package pinning for CI\u002FCD pipelines\n- Review and strengthen social engineering training and incident response procedures\n- Rotate credentials for any GitHub repositories and cloud services accessed via compromised tooling\n- Assess third-party data sharing agreements and commercial data broker relationships","Authentication bypasses meet AI-powered supply chains","https:\u002F\u002Fcdn.threatnoir.com\u002Fweekly\u002F2026-w22-cover.png"]