Threat Newsletter May 25, 2026

If this edition of the newsletter has a single recurring theme, it's that the systems and institutions we trust to keep us secure are themselves becoming the attack surface. The agency responsible for securing federal infrastructure leaked its own cloud keys. A major open-source ecosystem had its packages quietly poisoned. A government contractor's sloppy GitHub hygiene exposed more sensitive data than most nation-state breaches ever surface. Vendors are silently patching critical flaws without CVEs, leaving defenders with no way to know they were ever at risk. And the tools developers use every day — package managers, CI/CD pipelines, code signing — are being systematically turned against them. The perimeter isn't the problem anymore. The problem is that trust itself has become the exploit.

Microsoft Exchange Server Zero-Day Actively Exploited (CVE-2026-42897)

Microsoft confirmed active in-the-wild exploitation of a cross-site scripting (XSS) flaw in the Outlook Web Access (OWA) component of Exchange Server 2016, 2019, and Subscription Edition. An attacker only needs to send a crafted email — if the recipient opens it in OWA, malicious JavaScript executes silently in the victim's authenticated browser session, enabling session token theft, mailbox impersonation, and email rule manipulation. No permanent patch exists yet; Microsoft has pushed a temporary fix via the Exchange Emergency Mitigation Service (EEMS).

Key Takeaways

CVE-2026-42897 carries a CVSS score of 8.1 and was disclosed just 48 hours after May Patch Tuesday, which covered 138 separate flaws.
Attack vector is deceptively simple — phishing-style email + OWA = potential full mailbox compromise.
Exchange Online users are not affected; this impacts on-premises deployments only.
Microsoft urges admins to enable EEMS immediately and verify mitigation ID M2 has been applied via the Exchange Health Checker script.
No threat actor has been publicly attributed yet.

Cisco SD-WAN Zero-Day Exploited — CISA Orders Federal Agencies to Patch by Deadline

CISA issued an emergency directive ordering all federal agencies to patch a critical vulnerability in Cisco Catalyst SD-WAN Controller (CVE-2026-20182, CVSS 10.0). The flaw allows an unauthenticated remote attacker to bypass authentication entirely and gain administrative privileges. CISA set a strict Sunday deadline for compliance, making clear this is being actively exploited in the wild.

Key Takeaways

CVE-2026-20182 is a maximum-severity authentication bypass — no credentials or user interaction required.
This is the sixth exploited SD-WAN vulnerability in 2026, signaling persistent attacker interest in Cisco's network management plane.
Federal agencies under BOD 22-01 must comply; private sector organizations running SD-WAN are strongly urged to patch immediately.
Threat actor UAT-8616 has been attributed to active exploitation.

Cisco Secure Workload CVSS 10.0 Flaw Grants Unauthenticated Attackers Full Site Admin Access

Less than a week after the SD-WAN disclosure, Cisco patched yet another CVSS 10.0 flaw, this time in its Secure Workload platform. The vulnerability in the product's internal REST API endpoints allows an unauthenticated remote attacker to gain Site Admin privileges simply by sending crafted API requests — no credentials needed. Exploitation allows reading sensitive data and making configuration changes across tenant boundaries.

Key Takeaways

Affects both SaaS and on-premises Secure Workload deployments regardless of device configuration.
No workarounds exist — patching to versions 3.10.8.3 or 4.0.3.17 is the only remediation.
Not yet exploited in the wild at time of disclosure, but the trivial nature of the attack makes rapid exploitation likely.
This is part of a troubling pattern of Cisco issuing multiple max-severity bugs within short windows.

Microsoft Rejects Critical Azure Vulnerability Report

Security researcher Justin O'Leary reported a critical privilege escalation flaw in Azure Backup for AKS — allowing a user in the low-privileged "Backup Contributor" role to obtain cluster-admin access. Microsoft's Security Response Center rejected the report as "by design," arguing no product changes were needed.

Key Takeaways

Organizations that granted the Backup Contributor role between an unknown start date and May 2026 may have been exposed to privilege escalation.
Without a CVE, security teams have no standard mechanism to track the exposure window or remediation timeline.
This incident reignites debate over whether cloud vendors should be allowed to be their own CVE Naming Authorities for their own products.
Defenders should audit AKS Trusted Access role bindings, especially if Backup Contributor was assigned before May 2026.

Claude Code Sandbox Bypass — Network Exfiltration Risk (Silently Patched)

Security researcher Aonan Guan (Wyze Labs) disclosed that Anthropic silently fixed two sandbox bypass vulnerabilities in Claude Code without issuing a CVE or security advisory. The most notable flaw was a SOCKS5 hostname null-byte injection that could trick the sandbox's network allowlist into approving blocked connections — potentially allowing any data inside the sandbox (credentials, source code, private files) to be exfiltrated to an attacker-controlled server. Guan notes this is the second time in five months Anthropic has patched a sandbox bypass without a public advisory.

Key Takeaways

The fix shipped in Claude Code version 2.1.88 on March 31; Anthropic says it found the bug internally before Guan's HackerOne report on April 3.
The vulnerability is especially dangerous when chained with a prompt injection attack.
No public advisory or CVE was issued — raising the same disclosure transparency concerns seen with the Azure case above.
Users should ensure Claude Code is updated to the latest version and review their sandbox network allowlist configurations.

Grafana GitHub Token Breach — Codebase Stolen, Extortion Attempted

Grafana disclosed that an unauthorized party accessed its GitHub environment and downloaded its entire codebase using a compromised token. The attacker subsequently attempted extortion. In a related follow-up report, the breach was linked to the broader TanStack supply-chain attack — Grafana had a GitHub token associated with TanStack packages that was never rotated after the initial TanStack compromise, giving attackers a persistent foothold. Grafana refused to pay the ransom.

Key Takeaways

This is a direct downstream consequence of the Shai-Hulud / TeamPCP supply chain campaign.
Token rotation after any upstream compromise is critical — Grafana's failure to rotate after TanStack was the root cause.
The incident joins a growing list of organizations impacted through the same supply chain attack cluster.
Grafana's decision not to pay the ransom aligns with FBI guidance on the ShinyHunters group.

7-Eleven Data Breach Confirmed After ShinyHunters Ransom Demand

7-Eleven confirmed that on April 8, 2026, an unauthorized third party accessed systems used to store franchisee documents and Salesforce data. The ShinyHunters group listed the company on its dark web leak site, claiming more than 600,000 Salesforce records containing personal and corporate information were stolen. The group demanded a ransom by April 21, and after no agreement was reached, leaked 9.4 GB of alleged data. ShinyHunters has been targeting Salesforce environments at major organizations since mid-2025 through phishing, third-party misconfigurations, and integration abuse.

Key Takeaways

Intrusion vector was not a Salesforce product vulnerability — it was phishing, third-party abuse, or misconfiguration.
ShinyHunters' recent campaign has hit Instructure, Vimeo, Wynn Resorts, Vercel, Medtronic, and now 7-Eleven.
The FBI advises victims not to pay — paying doesn't guarantee data won't be sold or further extortion attempted.
Organizations using cloud SaaS platforms should audit third-party integration permissions and CRM data access controls.

CISA Contractor Leaks AWS GovCloud Keys on GitHub

A Nightwing contractor working for CISA maintained a public GitHub repository from November 2025 until mid-May 2026 that exposed credentials to multiple highly privileged AWS GovCloud accounts and dozens of internal CISA systems. One exposed file was literally titled "importantAWStokens." Another contained plaintext usernames and passwords for internal CISA infrastructure. GitGuardian researcher Guillaume Valadon, who discovered the leak, called it "the worst leak that I've witnessed in my career." The repository also revealed details about how CISA builds, tests, and deploys software internally. Alarmingly, the exposed AWS keys reportedly remained valid for 48 hours after CISA was notified.

Key Takeaways

The contractor had explicitly disabled GitHub's default secret-scanning protection — making this a deliberate configuration failure, not an accident.
CISA is currently operating with reduced budget and staffing, which may have contributed to delayed detection.
AWS GovCloud is the environment for sensitive government workloads — the exposure is especially serious.
All organizations should enforce branch protection rules, automated secret scanning (e.g., GitHub Advanced Security), and mandatory key rotation policies.

Shai-Hulud Supply Chain Campaign Strikes Again — 600+ npm Packages Compromised

The TeamPCP threat group, behind the ongoing Shai-Hulud supply chain campaign, launched another wave on May 19, 2026, publishing 639 malicious versions across 323 unique npm packages in just one hour (01:56–02:56 UTC). The bulk of the attack targeted the @antv data visualization ecosystem, which collectively accounts for approximately 16 million weekly downloads. The malware harvests secrets from developer machines and CI/CD environments, self-propagates using stolen npm tokens, and uses GitHub repositories under victims' accounts as a fallback exfiltration mechanism. Over 2,700 attacker-created repositories with Dune-themed names were identified holding encrypted stolen credentials.

Key Takeaways

This follows earlier Shai-Hulud waves that compromised TanStack, Mistral AI, Bitwarden CLI, SAP, Guardrails AI, and UiPath packages — the campaign has been active since September 2025.
The malware targets 130+ file patterns and explicitly supports 18+ CI/CD platforms including GitHub Actions, GitLab CI, CircleCI, Jenkins, and Azure DevOps.
Developers should roll back to safe versions published before May 18, rotate all secrets, and audit CI/CD environment variables immediately.
A leaked copy of Shai-Hulud source code has also enabled copycat campaigns by other threat actors.

Microsoft Exposes Fox Tempest — Malware-Signing-as-a-Service Operation

Microsoft Threat Intelligence published a detailed exposé of Fox Tempest, a financially motivated threat actor operating a Malware-Signing-as-a-Service (MSaaS) platform. Fox Tempest abused Microsoft's artifact signing infrastructure to issue legitimate-looking code signatures for malicious payloads, which were then distributed by other cyber criminals including ransomware groups Vanilla Tempest and various Storm clusters. The service allowed threat actors to bypass endpoint defenses that rely on code-signing validation.

Key Takeaways

Signed malware is significantly more dangerous — it evades many traditional AV and EDR controls that trust signed binaries.
This is a "crime-as-a-service" model enabling less technically sophisticated ransomware groups to deploy more credible malware.
Microsoft has taken action to revoke the associated certificates and disrupt the signing pipeline.
Defenders should not rely solely on code-signing as a trust signal — behavioral detection and application allowlisting remain important.

Chinese Espionage Group Calypso Targets Telcos with New Linux & Windows Malware

Researchers at Lumen's Black Lotus Labs and PwC Threat Intelligence revealed that the Chinese espionage group Calypso (also tracked as Red Lamassu) has been running a long-term campaign against telecommunications providers across Asia Pacific and parts of the Middle East since at least mid-2022.

Key Takeaways

The Linux implant Showboat is built for long-term persistence, encrypted configuration management, and anti-forensics — a hallmark of sophisticated nation-state tooling.
Calypso's tooling appears to be shared across multiple China-aligned threat clusters targeting distinct regional victim sets.
Telcos in Asia Pacific and the Middle East should treat this as an active threat and review their OT/IT boundary controls and Linux server integrity.
Initial infection vector is unknown, making proactive hunting essential.

Legacy Windows Tool MSHTA Fueling Silent Malware Surge

Researchers at Bitdefender documented a sharp rise in attacks abusing MSHTA (Microsoft HTML Application Host), a legitimate Windows utility dating back to 1999. Because MSHTA is a signed Microsoft binary, Windows trusts it by default — making it an attractive Living-off-the-Land Binary (LOLBIN) for attackers seeking to evade detection.

Key Takeaways

Attackers deliver payloads via phishing emails, fake software downloads, and malicious HTA files — MSHTA executes them entirely in memory, bypassing many traditional AV tools.
LummaStealer is the most common final payload, designed to harvest browser credentials, session cookies, and cryptocurrency wallet data.
Since legitimate use of MSHTA is extremely low in modern environments, security teams should consider blocking or monitoring mshta.exe execution via EDR/application control policies.
PurpleFox's use of MSHTA shows the technique is not limited to commodity stealers — it's used in persistent, long-term intrusion campaigns too.

MENA Region Runs First-of-its-Kind Cybercrime Operation — 201 Arrested

A coordinated cybercrime enforcement operation spanning the Middle East and North Africa (MENA) region ran between October 2025 and February 2026, resulting in 201 arrests. This marks the first large-scale, multi-national cybercrime operation of its kind in the region, targeting scam networks and cybercriminal infrastructure across multiple countries.

Key Takeaways

The operation signals growing law enforcement capacity and international cooperation in the MENA region.
Targeting of scam networks reflects the global priority placed on disrupting financially motivated cybercrime.
201 arrests across a multi-month operation demonstrates that attribution and prosecution in the region is maturing.

CISA Wants Critical Infrastructure to Survive "Weeks to Months" in Isolation

CISA released new guidance urging critical infrastructure operators to prepare for scenarios where their Operational Technology (OT) networks are completely isolated from IT systems and third-party vendors — for potentially weeks to months — during a conflict or major cyber incident.

Key Takeaways

This is a significant escalation in posture — previous guidance focused on detection and recovery, while this focuses on sustained autonomous operation.
The guidance acknowledges the growing threat of nation-state attacks targeting critical infrastructure during geopolitical conflicts.
OT/IT network segmentation and manual operational continuity plans are no longer optional — they are being treated as baseline requirements.
Organizations should review their dependency on external vendors and third-party monitoring services for any OT functions.

Google Launches CodeMender to Compete with Anthropic's Claude Mythos

Following Anthropic's restricted release of Claude Mythos Preview — an AI model capable of autonomously discovering and exploiting software vulnerabilities at scale — Google announced expanded external access to CodeMender, its own AI code security agent developed through Google DeepMind. Google I/O saw select security experts invited to test the API.

Key Takeaways

Claude Mythos Preview has set a new benchmark — Anthropic reports it can find "tens of thousands of vulnerabilities" including bugs in every major OS and browser, reproducing exploits on the first attempt in over 83% of cases.
The race to deploy AI-powered vulnerability discovery is reshaping both offensive and defensive security research.
Access restrictions on models like Mythos are important safety measures, but leaked or misappropriated access (as already occurred with Mythos via a Discord group) remains a real threat.
Organizations should prepare for a world where AI-driven exploit development significantly compresses the time between vulnerability disclosure and weaponization.

Google's Surge in Chrome Vulnerability Discoveries Likely AI-Driven

Google has been patching an unprecedented number of Chrome vulnerabilities internally, with a single advisory in early May listing 100 vulnerabilities found by Google itself. Over 200 vulnerabilities in recent Chrome releases are marked as "reported by Google."

Key Takeaways

AI-powered internal vulnerability research is outpacing traditional bug bounty programs, leading Google to adjust its Chrome reward payouts downward while increasing Android rewards.
Faster internal discovery means faster patching — a net positive for end users, but it compresses the window for defenders to deploy patches before exploitation.
The same AI capabilities that help defenders find bugs are increasingly available to threat actors — this is a double-edged sword.
Keeping Chrome and all Chromium-based browsers updated is more important than ever given the volume of patches being released.