Detailed write-ups
Megalodon, TrapDoor, and Laravel-Lang: the supply-chain wave (May 18–23)
Three distinct campaigns hit nearly every package ecosystem in the same week. Megalodon automated 5,718 malicious commits across 5,561 GitHub repos in six hours on May 18 via forged bot identities (build-bot, auto-ci, ci-bot, pipeline-bot); the injected GitHub Actions workflows run base64-encoded bash that exfiltrates CI secrets, cloud credentials, SSH keys, and OIDC tokens to 216.126.225.129:8443. TrapDoor — distinct from the Android ad-fraud Trapdoor below — published 34 cross-ecosystem packages (384 versions total) on npm, PyPI, and crates.io targeting crypto, DeFi, Solana, and AI developers; payload includes a hidden prompt-injection layer designed to manipulate AI coding assistants when victims push PRs through GitHub. Laravel-Lang attackers obtained push access to the Composer org and rewrote git tags on May 22–23, repointing 233+ versions to malicious commits that load on every composer install via autoload, exfiltrating .env, SSH keys, Docker/Kubernetes configs, and AES-256-encrypted browser passwords from 17 Chromium variants to flipboxstudio[.]info/exfil.
Sources: The Hacker News (Megalodon) · The Hacker News (TrapDoor) · The Hacker News (Laravel-Lang)
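A hunt for the two Megalodon signals described above (forged bot identities touching `.github/workflows/`, and `run:` steps that decode base64 straight into a shell), written here as an added example rather than code from any of the cited reports; the workflow text and commit record are constructed samples, and the decode-to-shell and secret-reference patterns are assumptions about what the injected steps look like, not signatures from the page.

```python
import re
FORGED_BOT_AUTHORS = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}
# base64 -d / --decode (or python b64decode) whose output is piped into sh or bash
B64_TO_SHELL = re.compile(r"(base64\s+(-d|--decode)|b64decode)\b.*\|\s*(ba)?sh\b", re.I)
# GitHub secret or OIDC token material reachable from the same run: step
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.\w+\s*\}\}|ACTIONS_ID_TOKEN_REQUEST_TOKEN")

def flag_commit(author: str, files: list[str]) -> bool:
    """True when a forged bot identity modifies a workflow file (the Megalodon commit pattern)."""
    return author in FORGED_BOT_AUTHORS and any(f.startswith(".github/workflows/") for f in files)

def run_blocks(text: str):
    """Yield the script body of every run: step (line-based, so no YAML library is needed)."""
    lines, i = text.splitlines(), 0
    while i < len(lines):
        m = re.match(r"^(\s*)(-\s+)?run:\s*(.*)$", lines[i])
        i += 1
        if m:
            indent = len(m.group(1)) + len(m.group(2) or "")      # column of the `run` key
            body = [] if m.group(3) in ("", "|", ">") else [m.group(3)]
            while i < len(lines) and (not lines[i].strip()
                                      or len(lines[i]) - len(lines[i].lstrip()) > indent):
                body.append(lines[i].strip())
                i += 1
            yield "\n".join(body)

def scan_workflow(text: str) -> list[str]:
    """One finding per run: step that decodes base64 into a shell; 'high' if secrets are in reach."""
    findings = []
    for body in run_blocks(text):
        hit = B64_TO_SHELL.search(body)
        if hit:
            sev = "high" if SECRET_REF.search(body) else "medium"
            findings.append(f"{sev}: {hit.group(0)[:60]}")
    return findings

# constructed sample: a benign test step followed by an injected decode-and-run step
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Run tests
        run: npm test
      - name: Cache warmup
        run: |
          export NPM_TOKEN=${{ secrets.NPM_TOKEN }}
          echo "ZWNobyBoZWxsbwo=" | base64 -d | bash
"""
```

Run `scan_workflow` over every workflow file in a repo's history, not just HEAD, since the injected commits may already have been reverted.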
Operation Saffron: First VPN dismantled (May 21)
Europol’s coordinated Operation Saffron seized 33 bulletproof servers across 27 countries and arrested a Ukrainian admin of First VPN — the bulletproof anonymization service that 25 ransomware operations (including Avaddon) used for recon, intrusion staging, and C2 obfuscation. The full user database — roughly 5,000 criminal accounts — was preserved for downstream attribution. Cross-referencing this subscriber list against past incident IOCs should be a priority hunt for any IR team that has touched ransomware response in the last 24 months: persistent egress IPs from First VPN ranges will now de-anonymize a long tail of unattributed intrusions.
Sources: The Hacker News · BleepingComputer
Microsoft disrupts Fox Tempest’s malware-signing service (May 19–20)
Under Operation FauxSign, Microsoft seized infrastructure operated by Fox Tempest, a financially motivated MSaaS operator that abused Microsoft Artifact Signing to mint more than 1,000 short-lived (72-hour) code-signing certificates disguising ransomware payloads as legitimate apps — AnyDesk, Microsoft Teams, PuTTY, Webex. BleepingComputer’s reporting adds the business model: $5,000–$9,000 per customer, with Fox Tempest using stolen U.S. and Canadian identities to pass Artifact Signing’s identity verification. Downstream impact: healthcare, education, government, and financial-services intrusions whose initial-access binaries carried a legitimate Microsoft signature. Hunt teams should pivot on Artifact Signing certificate metadata in the May 1–May 20 window.
Sources: Microsoft Security Blog · BleepingComputer
Webworm: EchoCreep, GraphWorm, and chained proxies (May 20)
ESET published a deep look at the China-aligned Webworm cluster (overlapping with Space Pirates and UAT-8302). Two new custom backdoors take center stage: EchoCreep uses Discord channels for C2, and GraphWorm abuses Microsoft Graph and OneDrive for tasking and data staging. Supporting tooling includes WormFrp, ChainWorm, SmuxProxy, and WormSocket. Targets: government and diplomatic organizations in Belgium, Italy, Poland, Serbia, and Spain. ESET decrypted 400+ Discord operator messages plus bash-history fragments documenting recon commands across 50+ unique victims, and published indicators for iox / frp tunneling and the chained-proxy infrastructure. For European government CSIRTs, the Graph-API C2 detection is the highest-leverage hunt: tenant audit logs, OneDrive item names, and outbound Graph traffic baselines.
Sources: The Hacker News · ESET WeLiveSecurity
Nightmare-Eclipse: YellowKey, GreenPlasma, MiniPlasma (May 18–20)
The Windows 0-day cluster published by Chaotic Eclipse / Nightmare-Eclipse grew to six exploits across six weeks. Microsoft this week issued mitigation guidance for YellowKey (CVE-2026-45585) — a BitLocker bypass on Windows 11 and Server 2022/2025 — instructing admins to remove autofstx.exe from the WinRE BootExecute list; the attack uses crafted FsTx files on USB or EFI media to cause WinRE to spawn cmd.exe after a Ctrl-keypress, sidestepping TPM-only BitLocker. On May 13–17 the group released GreenPlasma (a ctfmon.exe LPE-to-SYSTEM chain via a registry trick) and MiniPlasma (a weaponized PoC for the 2020-patched CVE-2020-17103 Cloud Files Mini Filter, still yielding SYSTEM on fully patched Windows 11). Barracuda’s retrospective ties together the six-exploit campaign — BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, MiniPlasma — including in-the-wild weaponization and the emergency Microsoft / CISA KEV response cycle.
Sources: The Hacker News (YellowKey) · Help Net Security (YellowKey) · The Hacker News (GreenPlasma/MiniPlasma) · Barracuda Labs
Microsoft Defender CVEs in the wild (May 19–21)
Two Defender flaws disclosed May 19 are being actively exploited. CVE-2026-41091 is a link-following local privilege escalation in Defender scanning, granting SYSTEM. CVE-2026-45498 is a denial-of-service in the Antimalware Platform. Both landed on the CISA Known Exploited Vulnerabilities catalog with a June 3 federal remediation deadline. The combination is especially nasty: CVE-2026-45498 silences Defender, and CVE-2026-41091 then escalates inside the same host. Validate that Defender platform components are on the May patch level, and watch for unusual MsMpEng child processes and Antimalware Platform service restarts.
Sources: Help Net Security
Cisco SD-WAN UAT-8616: ongoing exploitation (May 14–18)
Cisco and Talos continue to attribute the active exploitation of CVE-2026-20182 (CVSS 10.0 authentication bypass) and the earlier CVE-2026-20127 to UAT-8616, a sophisticated actor active since 2023 with overlap into a known ORB network. Post-compromise behavior: appending SSH keys to /home/vmanage-admin/.ssh/authorized_keys, NETCONF configuration tampering, and root escalation. CISA Emergency Directive 26-03 mandated federal-civilian remediation by May 17; Talos publishes IOCs and YARA, plus authorized_keys persistence detection guidance. Critical-infrastructure operators with vManage exposure should run integrity checks on authorized_keys and recent NETCONF changes regardless of patch status.
Sources: The Hacker News · Cisco Talos
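An integrity check for the `authorized_keys` persistence described above, added here as an example (not Talos or Cisco tooling): it computes OpenSSH-style SHA256 fingerprints for every key in the file, including lines prefixed with options, and reports any fingerprint missing from a baseline recorded at deployment. The key blobs and file contents are constructed test data; the baseline set is an assumed input the operator maintains.

```python
import base64
import hashlib

AUTHORIZED_KEYS_PATH = "/home/vmanage-admin/.ssh/authorized_keys"   # path named in the Talos reporting

def fingerprint(pubkey_b64: str) -> str:
    """OpenSSH SHA256 fingerprint: base64(sha256(raw key blob)) with '=' padding stripped."""
    raw = base64.b64decode(pubkey_b64)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")

def parse_authorized_keys(text: str):
    """Yield (fingerprint, key_type, comment) per key line, skipping blanks and '#' comments.
    Lines may carry leading options (e.g. from=...,command=...), so the key type is located
    as the first token that looks like an SSH algorithm name rather than assumed at column 0."""
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        for idx, tok in enumerate(parts):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")) and idx + 1 < len(parts):
                yield fingerprint(parts[idx + 1]), tok, " ".join(parts[idx + 2:])
                break

def unexpected_keys(text: str, baseline: set[str]) -> list[tuple[str, str, str]]:
    """Keys present in the file whose fingerprint is not in the approved baseline."""
    return [k for k in parse_authorized_keys(text) if k[0] not in baseline]

def constructed_ed25519_blob(fill: int) -> str:
    """Constructed test key: ed25519 public-key wire format with a dummy 32-byte point."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([fill]) * 32
    return base64.b64encode(blob).decode()

APPROVED_KEY = constructed_ed25519_blob(1)
BASELINE = {fingerprint(APPROVED_KEY)}          # fingerprints recorded at deployment time
SAMPLE_FILE = f"""\
# vmanage-admin key issued by ops
ssh-ed25519 {APPROVED_KEY} vmanage-admin@ops
from="10.0.0.0/8" ssh-ed25519 {APPROVED_KEY} ops-restricted
ssh-ed25519 {constructed_ed25519_blob(2)} unknown@host
"""
```

On a live vManage host, read `AUTHORIZED_KEYS_PATH` and pass its contents with the real baseline; any returned entry is a key that was added outside change control.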
Trend Micro Apex One zero-day turns EDR into a delivery channel (May 20)
CVE-2026-34926 in on-prem Trend Micro Apex One is a directory-traversal that lets an admin-authenticated local attacker modify a key database table on the management server. Injected code then propagates to every connected endpoint agent through normal policy push, turning the EDR fleet into a malware-distribution channel. Added to CISA KEV May 20 with a June 4 federal deadline. The supply-chain framing matters: an attacker who reaches Apex One admin no longer needs to drop binaries on each host — they ride the trusted EDR update path.
Sources: BleepingComputer
SonicWall MFA bypass via login-format alternation (May 20)
ReliaQuest documented active exploitation of CVE-2024-12802 on SonicWall Gen6 SSL-VPN. Attackers brute-force credentials, then exploit the fact that MFA enrollment is applied per login format (UPN vs SAM) rather than per user: if the compromised account’s MFA enrollment exists only for the SAM form, an attacker can authenticate with the UPN form and bypass MFA entirely. Crucially, the rogue logins appear in logs as normal MFA flows. The original patch was incomplete; SonicWall released supplemental guidance. Detection: alert on the same identity authenticating across both UPN and SAM forms within short windows, and on first-time UPN authentications from never-seen-before geos.
Sources: BleepingComputer
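The first of the two detections above (the same identity succeeding in both SAM and UPN form within a short window), as an added example that is not ReliaQuest or SonicWall code. The log line layout is constructed, and mapping the UPN suffix's first label to the NetBIOS domain is an assumption that a real deployment should replace with its own directory mapping; the geo-based check is not covered.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# constructed log shape: timestamp, user as presented at login, source IP, result
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<res>\w+)")

def canonical(user: str) -> tuple[str, str]:
    """Map 'DOMAIN\\name' (SAM) and 'name@domain.tld' (UPN) to one 'domain/name' key.
    Assumption: the first label of the UPN suffix equals the NetBIOS domain name."""
    if "\\" in user:
        dom, name = user.split("\\", 1)
        return f"{dom.lower()}/{name.lower()}", "SAM"
    if "@" in user:
        name, dom = user.rsplit("@", 1)
        return f"{dom.split('.')[0].lower()}/{name.lower()}", "UPN"
    return f"/{user.lower()}", "BARE"

def alternation_alerts(lines, window_s: int = 600):
    """Successful logins for one identity in both SAM and UPN form within window_s seconds."""
    window = timedelta(seconds=window_s)
    history = defaultdict(list)           # canonical identity -> [(ts, fmt, src)]
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["res"] != "success":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        key, fmt = canonical(m["user"])
        for prev_ts, prev_fmt, prev_src in history[key]:
            if prev_fmt != fmt and ts - prev_ts <= window:
                alerts.append({"identity": key, "first": (prev_fmt, prev_src),
                               "second": (fmt, m["src"]),
                               "gap_s": int((ts - prev_ts).total_seconds())})
        history[key].append((ts, fmt, m["src"]))
    return alerts

# constructed sample: jdoe logs in as SAM, then three minutes later as UPN from another source
SAMPLE_LOG = r"""
2026-05-20T10:01:02Z user=CORP\jdoe src=198.51.100.7 result=success
2026-05-20T10:04:30Z user=jdoe@corp.example src=203.0.113.5 result=success
2026-05-20T11:30:00Z user=CORP\asmith src=198.51.100.8 result=success
2026-05-20T11:31:00Z user=CORP\asmith src=198.51.100.8 result=success
2026-05-20T14:00:00Z user=jdoe@corp.example src=203.0.113.5 result=failure
""".strip().splitlines()
```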
Exchange OWA CVE-2026-42897 and Ghost CMS ClickFix (May 18–25)
Two browser-layer exploitation stories book-ended the week. CVE-2026-42897 (CVSS 8.1) is an OWA cross-site-scripting / spoofing bug in on-prem Exchange Server (Subscription Edition, 2019, 2016) — crafted emails trigger arbitrary JavaScript in the OWA browser context. No patch initially; Microsoft shipped an Emergency Mitigation Service rule (M2.1.x URL rewrite) while a fix is prepared. Meanwhile, Ghost CMS SQL injection CVE-2026-26980 (Ghost 3.24.0–6.19.0) lets unauthenticated attackers read DB rows including admin API keys; XLab/Qianxin reports 700+ compromised sites — Harvard, Oxford, Auburn, DuckDuckGo among them — where attackers used the keys to inject malicious JS into published articles, loading a cloaking script that fingerprints visitors and serves a fake Cloudflare prompt via iframe (the now-familiar ClickFix lure). Observed payloads: DLL loaders, JS droppers, and Electron-based UtilifySetup.exe.
Sources: The Hacker News (Exchange) · BleepingComputer (Ghost CMS)
Law-enforcement wins: Ukraine infostealer, Kimwolf DDoS, INTERPOL Ramz (May 19–22)
Three substantial criminal-infrastructure outcomes. Ukraine’s cyberpolice (with U.S. partners) identified an 18-year-old Odesa man running infrastructure that processed and resold browser-session and credential data from an infostealer campaign hitting 28,000 customer accounts of a California online retailer; 5,800 accounts were used for $721K in fraudulent purchases. Jacob Butler (“Dort”), 23, of Ottawa, was charged in U.S./Canada for operating Kimwolf — an AISURU-variant IoT botnet that enslaved millions of digital photo frames, IP cameras, and other niche edge devices; tied to ~30 Tbps DDoS and 25,000+ attack commands sold as a service. The Central District of California simultaneously unsealed seizure warrants against 45 DDoS-for-hire platforms. INTERPOL Operation Ramz — the first MENA-focused Interpol cybercrime operation, running Oct 2025–Feb 2026 across 13 countries — delivered 201 arrests, identified 382 additional suspects, recovered 3,867 victims, and seized 53 servers, including a phishing-as-a-service operation seized by Algerian authorities. For threat-intel teams: expect IOCs from these takedowns to start retiring infrastructure that’s been quietly reused across unrelated campaigns.
Sources: BleepingComputer (Ukraine) · The Hacker News (Kimwolf) · The Hacker News (INTERPOL Ramz)
CISA contractor leaks GovCloud admin keys; DBIR documents the inversion (May 19–21)
Brian Krebs broke a story with major operational consequences: a contractor named “Private-CISA” (associated with Nightwing) maintained a public GitHub repo since November 2025 containing AWS GovCloud admin tokens, plaintext credentials for dozens of internal CISA systems, and a total of 844 MB in git history — with secret-scanning disabled. AWS keys remained valid 48 hours after takedown. Treat this as a credential-leak precedent for any partner with privileged federal access. In parallel, the Verizon DBIR 2026 recorded the first time in 19 years that vulnerability exploitation (31%) overtook credential abuse (13%) as the initial-access vector, citing AI’s collapse of time-to-exploit from months to hours and noting orgs patched only 26% of CISA KEV entries (down from 38% in 2024). Read together: high-value credentials still leak out, but the attacker preference has rotated toward the patch-gap.
Sources: KrebsOnSecurity · SecurityWeek (DBIR)
Trapdoor Android ad-fraud, Drupal SQLi, and the rest
HUMAN Security exposed Trapdoor — a different beast from the npm/PyPI TrapDoor above — a 455-app Android ad-fraud operation (24M+ installs) abusing install-attribution to activate hidden WebView ad fraud only for users coming through threat-actor campaigns; peak 659M fake bid requests per day across 183 attacker C2 domains. CISA also added Drupal core SQL injection CVE-2026-9082 (PostgreSQL backends with JSON:API, Views exposed filters, or entity-autocomplete exposed) to KEV; exploitation began within 48 hours of the patch release.
Sources: The Hacker News (Trapdoor Android) · The Hacker News / CISA (Drupal)