[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f6eWKV7Z0NWGL6wBuwzlL7eS6sA6Zf5k7KIJrhqAvT_Q":3},{"roundup":4},{"id":5,"week_label":6,"slug":7,"date_from":8,"date_to":9,"tldr":10,"full_brief":11,"top_iocs":12,"social_linkedin":62,"social_x":63,"article_count":64,"awareness_links":65,"status":126,"published_at":127,"created_at":128,"updated_at":128,"mastodon_posted_at":129,"executive_summary":130,"tagline":131,"cover_image_url":132},"89c3506c-d488-407f-aa53-e0bd9701338e","2026-W23","2026-w23","2026-06-01","2026-06-07","🚨 Supply chain attacks dominated with IronWorm and Miasma worms hitting npm\u002FGitHub, while compromising 100+ packages\n🎯 Critical infrastructure under siege with 900+ exposed US gas stations and multiple SD-WAN zero-days\n🏛️ Government breaches escalated across Ecuador, Spain, Mexico, and France exposing millions of citizen records\n💰 Ransomware groups pivoted to direct cloud exfiltration, bypassing traditional network defenses\n🤖 AI-powered threats emerged with ChatGPT lockdown mode and proof-of-concept autonomous worms\n🔐 Authentication bypasses plagued enterprise VPNs from Cisco to Palo Alto Networks","## Supply Chain & Software Integrity\n\n**[Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack](https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fmiasma-worm-hits-73-microsoft-github.html)**. Self-replicating Miasma malware compromised 73 Microsoft repositories including Azure and MicrosoftDocs, with GitHub disabling access to affected repos.\n\n**[Miasma Malware Hits 32 Red Hat Packages via Compromised GitHub Account](https:\u002F\u002Fhackread.com\u002Fmiasma-malware-red-hat-packages-github-account\u002F)**. 
Attackers compromised a Red Hat employee's GitHub account to inject Miasma malware into 32 npm packages under @redhat-cloud-services, affecting 96 versions with 80K-117K weekly downloads.\n\n**[IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks](https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fironworm-and-new-miasma-worm-variant.html)**. Multiple campaigns deployed IronWorm Rust-based stealer and Miasma worm variants across 50+ legitimate npm packages, targeting secrets from OpenAI, AWS, Docker, and crypto wallets.\n\n**[Hola Browser for Windows compromised to deliver cryptominer](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fhola-browser-for-windows-compromised-to-deliver-cryptominer\u002F)**. Israeli VPN browser Hola was compromised to deliver undeclared Monero miners to 0.1% of users via supply chain attack.\n\n### Key Takeaway\nImplement software composition analysis, monitor GitHub\u002Fnpm repositories for anomalies, and verify package integrity using SLSA provenance attestations.\n\n## Critical Infrastructure & Industrial Systems\n\n**[Over 900 US gas station tank gauge systems exposed to attacks](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fover-900-us-gas-station-tank-gauge-systems-exposed-to-attacks\u002F)**. CISA, FBI, NSA warn of 900+ exposed automatic tank gauge systems across US critical infrastructure actively targeted by threat actors exploiting hardcoded credentials and SQL injection.\n\n**[Cisco Catalyst SD-WAN Manager CVE-2026-20245 Flaw Actively Exploited – No Patch Available](https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fcisco-catalyst-sd-wan-manager-cve-2026.html)**. Cisco disclosed CVE-2026-20245, the 7th exploited SD-WAN zero-day in 2026, allowing authenticated attackers to execute root commands via file uploads with no current patch.\n\n**[Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257](https:\u002F\u002Fbit.ly\u002F4fu1rEo)**. 
Unit 42 reports in-the-wild exploitation of PAN-OS GlobalProtect authentication bypass vulnerability allowing unauthorized VPN connections.\n\n### Key Takeaway\nInventory and segment industrial control systems, apply emergency patches for SD-WAN and VPN appliances, and implement network monitoring for anomalous OT traffic.\n\n## Nation-State & APT Activity\n\n**[Chinese APT deploys new malware to keep access to hacked networks](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fchinese-apt-deploys-new-malware-to-keep-access-to-hacked-networks\u002F)**. UNC5221 (VerdantBamboo) used Brickstorm backdoor with new malware Plenet and AgentPSD for 18+ month persistence in Microsoft 365 environments, reinfecting networks post-remediation.\n\n**[Five Eyes: Chinese Spies Target Government, Military Staff With Fake Job Opportunities](https:\u002F\u002Fwww.securityweek.com\u002Ffive-eyes-chinese-spies-target-government-military-staff-with-fake-job-opportunities\u002F)**. Chinese military intelligence conducts recruitment campaigns via LinkedIn, Indeed, Upwork targeting cleared personnel with fake defense analyst positions for intelligence collection.\n\n**[New Threat Cluster OP-512 Targets Microsoft IIS Servers with Custom Web Shell Framework](https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fnew-threat-cluster-op-512-targets.html)**. China-aligned OP-512 deploys bespoke three-component web shell framework on IIS servers with timestomping and cryptographic access controls.\n\n### Key Takeaway\nTrain cleared personnel on social engineering tactics, monitor M365 for persistence indicators, and deploy advanced IIS web shell detection capabilities.\n\n## Ransomware & Data Breaches\n\n**[New Pink Extortion Group Targets Microsoft 365 Cloud Data Via Vishing Scams](https:\u002F\u002Fhackread.com\u002Fpink-extortion-microsoft-365-cloud-data-vishing-scams\u002F)**. 
Pink Extortion Group uses voice phishing to bypass MFA and exfiltrate M365 files for extortion with tight payment deadlines via internal communications.\n\n**[DentaQuest data breach exposed info of 2.6 million accounts](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fdentaquest-data-breach-exposed-info-of-26-million-accounts\u002F)**. ShinyHunters breached dental benefits administrator DentaQuest affecting 2.6M accounts, leaking 234GB including health insurance data after failed extortion.\n\n**[PCPJack Hijacks 230 AWS, Google Cloud, and Azure Servers for Covert SMTP Relay Network](https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fpcpjack-hijacks-230-aws-google-cloud.html)**. PCPJack compromised 230 cloud servers across major CSPs to operate covert SMTP relay network with exposed C2 directories containing Sliver configurations.\n\n### Key Takeaway\nImplement M365 Conditional Access policies, monitor cloud workloads for unauthorized services, and establish incident response procedures for extortion attempts.\n\n## Vulnerabilities & Active Exploitation\n\n**[Critical Everest Forms Pro flaw exploited to take over WordPress sites](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fcritical-everest-forms-pro-flaw-exploited-to-take-over-wordpress-sites\u002F)**. CVE-2026-3300 in Everest Forms Pro WordPress plugin actively exploited for arbitrary PHP code execution, enabling complete site takeover and rogue admin creation.\n\n**[CISA: Hackers now exploit SolarWinds Serv-U flaw to crash servers](https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fcisa-hackers-now-exploit-solarwinds-serv-u-flaw-to-crash-servers\u002F)**. 
CISA added CVE-2026-28318 to KEV catalog as hackers actively exploit SolarWinds Serv-U denial-of-service vulnerability via crafted POST requests.\n\n**[AI Agent Uncovers 21 Zero-Days in FFmpeg; Chrome Patches Record 429 Bugs](https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fai-agent-uncovers-21-zero-days-in.html)**. AI discovered 21 zero-days in FFmpeg (some 23 years old); Google patched record 429 vulnerabilities in Chrome 149 including critical sandbox escape flaws.\n\n### Key Takeaway\nPrioritize patching WordPress plugins, SolarWinds Serv-U, and Chrome; implement automated vulnerability scanning enhanced by AI-powered discovery tools.\n\n## AI & Emerging Threats\n\n**[New ChatGPT Lockdown Mode Limits Tools That Could Enable Data Exfiltration](https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fnew-chatgpt-lockdown-mode-limits-tools.html)**. OpenAI introduced Lockdown Mode to mitigate prompt injection data exfiltration by limiting web browsing, file downloads, and image support in ChatGPT.\n\n**[Adaptive, Agentic AI Worms Loom as Next Enterprise Threat](https:\u002F\u002Fwww.darkreading.com\u002Fcyber-risk\u002Fadaptive-agentic-ai-worms-enterprise-cyber-threat)**. 
Researchers warn adaptive AI worms with learning capabilities and autonomous vulnerability discovery could materialize within one year.\n\n### Key Takeaway\nEvaluate AI tool risks, implement data loss prevention for AI interactions, and prepare for autonomous threat actors in enterprise security planning.\n\n## References\n\n- https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fmiasma-worm-hits-73-microsoft-github.html\n- https:\u002F\u002Fhackread.com\u002Fmiasma-malware-red-hat-packages-github-account\u002F\n- https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fover-900-us-gas-station-tank-gauge-systems-exposed-to-attacks\u002F\n- https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fcisco-catalyst-sd-wan-manager-cve-2026.html\n- https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fchinese-apt-deploys-new-malware-to-keep-access-to-hacked-networks\u002F\n- https:\u002F\u002Fhackread.com\u002Fpink-extortion-microsoft-365-cloud-data-vishing-scams\u002F\n- https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fcritical-everest-forms-pro-flaw-exploited-to-take-over-wordpress-sites\u002F\n- https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fnew-chatgpt-lockdown-mode-limits-tools.html",[13,17,20,23,26,30,34,37,40,43,46,50,53,56,59],{"type":14,"value":15,"context":16},"cve","CVE-2026-28318","Uncontrolled resource consumption in SolarWinds Serv-U, actively exploited",{"type":14,"value":18,"context":19},"CVE-2026-20245","Cisco Catalyst SD-WAN Manager command-line interface vulnerability allowing arbitrary command execution as root",{"type":14,"value":21,"context":22},"CVE-2026-20182","SD-WAN authentication bypass zero-day exploited by UAT-8616 threat actor, fixed May 2026",{"type":14,"value":24,"context":25},"CVE-2026-20127","SD-WAN vulnerability exploited by UAT-8616 for unauthorized access",{"type":27,"value":28,"context":29},"ip","209.146.60.26","IP address originating exploitation 
attempts",{"type":31,"value":32,"context":33},"malware","IronWorm","Rust-written malware targeting NPM developers for credential theft",{"type":27,"value":35,"context":36},"202.56.2.126","Source IP for exploit attempts targeting Everest Forms Pro vulnerability",{"type":31,"value":38,"context":39},"Miasma","Self-propagating credential-stealing worm variant based on Mini Shai-Hulud; deployed via compromised Red Hat npm packages.",{"type":31,"value":41,"context":42},"Mini Shai-Hulud","Open-source malware framework published by TeamPCP on BreachForums; basis for Miasma variant.",{"type":31,"value":44,"context":45},"nearlevrai","Threat actor selling stolen datasets from French organizations",{"type":47,"value":48,"context":49},"domain","vladars.net","Official government portal of Republika Srpska allegedly targeted in data scraping incident",{"type":47,"value":51,"context":52},"googletagmanager.com","Legitimate Google domain abused to host malicious GTM container and skimmer payload",{"type":47,"value":54,"context":55},"api.stripe.com","Legitimate Stripe API domain abused to exfiltrate stolen payment card data",{"type":47,"value":57,"context":58},"cryptdrainer.com","C2\u002Fmalware distribution domain for crypto-draining service operated by Darkode1",{"type":27,"value":60,"context":61},"213.136.80.73","Command-and-control (C2) server with exposed open directories containing malware configs and tooling","🚨 This week: Supply chain attacks hit 100+ legitimate packages while critical infrastructure exposure reached crisis levels.\n\nKey developments:\n• Miasma worm compromised 73 Microsoft GitHub repos including Azure\n• 900+ US gas station control systems exposed to active attacks\n• Cisco's 7th exploited SD-WAN zero-day of 2026 has no patch\n• Chinese APT maintained 18-month M365 persistence with new malware\n• Government breaches across 4 countries exposed 13M+ citizen records\n\nFull roundup: https:\u002F\u002Fthreatnoir.com\u002Fweekly\u002F2026-w23\n\n#CyberSecurity 
#SupplyChain #CriticalInfrastructure #ThreatIntelligence #InfoSec","🚨 Supply chain attacks hit 100+ packages, 900+ US gas stations exposed, Cisco's 7th SD-WAN zero-day has no patch. China APT persisted 18 months in M365. AI discovered 21 FFmpeg zero-days. The pace is accelerating. https:\u002F\u002Fthreatnoir.com\u002Fweekly\u002F2026-w23",80,[66,69,72,75,78,81,84,87,90,93,96,99,102,105,108,111,114,117,120,123],{"slug":67,"title":68},"fifa-world-cup-2026-fraud-campaign-exploits-fan-excitement-through-sophisticated-phishing","FIFA World Cup 2026 Fraud Campaign Exploits Fan Excitement Through Sophisticated Phishing",{"slug":70,"title":71},"massive-health-and-logistics-data-breach-exposes-43-million-records","Massive Health and Logistics Data Breach Exposes 43 Million Records",{"slug":73,"title":74},"kenyan-citizen-database-breach-exposes-10-million-records","Kenyan Citizen Database Breach Exposes 10 Million Records",{"slug":76,"title":77},"mexican-health-ministry-data-breach-exposes-1500-sensitive-medical-records","Mexican Health Ministry Data Breach Exposes 1,500+ Sensitive Medical Records",{"slug":79,"title":80},"dentaquest-breach-exposes-26m-records-after-failed-extortion","DentaQuest Breach Exposes 2.6M Records After Failed Extortion",{"slug":82,"title":83},"ai-powered-worms-present-new-autonomous-threat-landscape","AI-Powered Worms Present New Autonomous Threat Landscape",{"slug":85,"title":86},"webshell-attack-compromises-11k-customer-records-through-unpatched-web-vulnerability","Webshell Attack Compromises 11K Customer Records Through Unpatched Web Vulnerability",{"slug":88,"title":89},"government-portal-data-scraping-exposes-51k-citizen-records","Government Portal Data Scraping Exposes 51K+ Citizen Records",{"slug":91,"title":92},"supply-chain-data-breach-exposes-critical-infrastructure-vulnerabilities","Supply Chain Data Breach Exposes Critical Infrastructure 
Vulnerabilities",{"slug":94,"title":95},"cryptocurrency-drainer-services-target-user-assets-through-social-engineering","Cryptocurrency Drainer Services Target User Assets Through Social Engineering",{"slug":97,"title":98},"crypto-draining-service-targets-users-through-social-engineering","Crypto-Draining Service Targets Users Through Social Engineering",{"slug":100,"title":101},"hyundai-steel-mexico-data-breach-exposes-53gb-of-supply-chain-information","Hyundai Steel Mexico Data Breach Exposes 53GB of Supply Chain Information",{"slug":103,"title":104},"supply-chain-attack-embeds-cryptominer-in-popular-browser","Supply Chain Attack Embeds Cryptominer in Popular Browser",{"slug":106,"title":107},"fluttershell-backdoor-exploits-user-trust-through-malvertising","FlutterShell Backdoor Exploits User Trust Through Malvertising",{"slug":109,"title":110},"magecart-campaign-exploits-trusted-third-party-services-for-payment-card-theft","Magecart Campaign Exploits Trusted Third-Party Services for Payment Card Theft",{"slug":112,"title":113},"ai-agent-systems-face-new-attack-vectors-as-technology-matures","AI Agent Systems Face New Attack Vectors as Technology Matures",{"slug":115,"title":116},"mortar-ransomware-infrastructure-reveals-active-raas-threat","MORTAR Ransomware Infrastructure Reveals Active RaaS Threat",{"slug":118,"title":119},"critical-infrastructure-breach-exposes-135m-electoral-records","Critical Infrastructure Breach Exposes 13.5M Electoral Records",{"slug":121,"title":122},"ironworm-malware-targets-npm-developers-through-credential-theft","IronWorm Malware Targets NPM Developers Through Credential Theft",{"slug":124,"title":125},"ecuadorian-government-infrastructure-compromised-via-ssh-access","Ecuadorian Government Infrastructure Compromised via SSH Access","published","2026-06-07T05:00:06.054+00:00","2026-06-07T05:01:51.201981+00:00","2026-06-07T05:15:07.527+00:00","### The week in one line\nSupply chains cracked while AI-powered threats emerged from 
research labs.\n\n### What happened\nCybercriminals weaponized software development infrastructure at unprecedented scale while governments suffered coordinated data breaches. Critical infrastructure operators discovered widespread exposure of industrial control systems to active exploitation campaigns.\n\n- Miasma and IronWorm malware infected 100+ legitimate npm packages and GitHub repositories including Microsoft Azure\n- Chinese APT UNC5221 maintained 18-month persistence in Microsoft 365 environments using three new malware families\n- Over 900 US gas station tank gauge systems found exposed to the internet with active exploitation underway\n- Cisco disclosed the 7th exploited SD-WAN zero-day of 2026 with no available patches\n- Government breaches in Ecuador, Spain, and Mexico affected 13.5M+ citizen records\n- ShinyHunters breached DentaQuest, exposing 2.6M dental patient records after failed extortion\n\n### Why it matters for defenders and leaders\nAttackers demonstrated the ability to compromise trusted software distribution channels while exploiting gaps in cloud security architectures and critical infrastructure monitoring. 
The emergence of AI-assisted discovery tools is accelerating vulnerability identification faster than organizations can patch.\n\n- Supply chain attacks now target GitHub repositories directly, bypassing traditional package registry controls\n- Cloud-native extortion campaigns eliminate the need for traditional ransomware deployment and encryption\n- Critical infrastructure systems lack basic network segmentation and expose legacy protocols to the internet\n- AI agents discovered 21 zero-day vulnerabilities in a single library, indicating a coming tsunami of findings\n\n### What to do this week\n\n- Audit npm and GitHub integrations for anomalous commits and unexpected package modifications\n- Implement Conditional Access policies for Microsoft 365 with device compliance requirements\n- Inventory internet-facing industrial control systems and implement network segmentation\n- Patch SolarWinds Serv-U CVE-2026-28318 and WordPress Everest Forms Pro CVE-2026-3300\n- Review VPN appliance configurations for Cisco SD-WAN and Palo Alto GlobalProtect vulnerabilities","Supply chains cracked, infrastructure exposed","https:\u002F\u002Fcdn.threatnoir.com\u002Fweekly\u002F2026-w23-cover.png"]