DAILY INTEL FEED — Friday, 29 May 2026
Attackers are going after Defender itself, and CISA gave you a 14-day clock
Two Microsoft Defender flaws are under active exploitation: CVE-2026-41091, a link-following (CWE-59) local privilege-escalation bug, and CVE-2026-45498, a denial-of-service condition in Defender. CISA added both to the KEV catalog on 20 May with an FCEB remediation deadline of 3 June under BOD 22-01 — a window tighter than CISA's usual 21-plus days, which reads as a severity signal rather than routine cadence. Huntress reports observing exploitation of both, alongside BlueHammer (CVE-2026-33825), and the descriptions overlap with "RedSun" and "UnDefend," disclosed by the researcher Chaotic Eclipse (aka Nightmare Eclipse).
The operational concern is the pairing: one flaw can elevate privileges, the other can impair endpoint protection. Public reporting does not yet show confirmed chaining, but the combination matches a familiar ransomware pre-execution pattern. One caution before you publish severity numbers: reported CVSS is inconsistent across outlets — The Hacker News lists the DoS at 4.0, another current report lists it at 7.5, and the LPE has been cited at 7.8. Confirm against Microsoft's advisory and NVD before quoting any score.
Watch for: Whether Microsoft or Huntress ties these to a named actor or publishes IOCs before 3 June — and whether anyone confirms chaining rather than co-occurrence.
Sources: The Hacker News (26 May 2026); BleepingComputer (21 May 2026); CISA KEV Catalog (20 May 2026); Huntress.
GitHub's own repos fell to the same campaign that hit OpenAI, Mistral, and Grafana
GitHub confirmed exfiltration of roughly 3,800 internal repositories after an employee installed a poisoned VS Code extension — the actor is TeamPCP, which Google Threat Intelligence Group tracks as UNC6780. GitHub has characterized the 3,800 figure as directionally consistent with its own investigation rather than independently confirmed. The vector was a malicious build of Nx Console (nrwl.angular-console), seeded after an Nx developer's system was compromised in the TanStack supply-chain attack — the same campaign that hit OpenAI, Mistral AI, and Grafana Labs. TeamPCP has a track record against open-source security and AI-middleware tooling (Trivy, Checkmarx KICS, LiteLLM, the Telnyx SDK, TanStack, and Bitwarden's CLI), largely automated via "Mini Shai-Hulud," an adapted self-replicating worm.
Grafana's postmortem supplies the sharpest operational lesson: they rotated a large number of GitHub workflow tokens but missed one, and the attackers used it to reach the repos. TeamPCP later listed the GitHub data on a forum from around $95,000, framed as a straight data sale rather than classic extortion. A defensible read for defenders: EDR generally does not inspect the extension-activation layer, which plausibly explains why this vector keeps succeeding — that's analysis, not a vendor finding.
Watch for: GitHub's promised full report — specifically whether any customer support-interaction data held inside those internal repos is confirmed exposed.
Sources: VentureBeat, Help Net Security, BleepingComputer (20–21 May 2026); GitHub CISO Alexis Wales statement (19–21 May 2026); Grafana Labs / Joe McManus (21 May 2026); Google Threat Intelligence Group (UNC6780).
The mechanism under all of it: a Pwn Request, cache poisoning, and an OIDC token pulled from runner memory
If you only track the victims, you miss how it works. Per TanStack's own postmortem, an attacker published 84 malicious versions across 42 @tanstack/* packages in a six-minute window on 11 May by combining the pull_request_target "Pwn Request" pattern, GitHub Actions cache poisoning across the fork-to-base trust boundary, and runtime memory extraction of an OIDC token from the Actions runner. No npm tokens were stolen and the publish workflow itself was not compromised — the trust boundary was. StepSecurity's researcher (ashishkurmi) flagged the malicious versions publicly within 20–26 minutes, which is fast, and still slower than auto-update fan-out.
The pattern worth internalizing: integrity of the build failed, not secrecy of the code. That maps cleanly onto the broader trust-layer thesis — adversaries are targeting the infrastructure that establishes software integrity, not just the secrets inside it.
Watch for: Reuse of the cache-poisoning plus OIDC-extraction combination against other high-fan-out npm/PyPI namespaces over the next 48–72 hours; audit any repo using pull_request_target with fork access to caches.
Sources: TanStack postmortem (updated 15 May 2026); StepSecurity.
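As an added illustration of the audit suggested above (my own triage script, not code from TanStack, StepSecurity or GitHub), the following Python flags workflow files that combine a pull_request_target trigger with checkout of the fork's head commit, cache use, and an id-token: write permission; both sample workflows are constructed, and the matching is line-based rather than a YAML parse.

```python
"""Heuristic audit of GitHub Actions workflow text for the ingredients the TanStack
postmortem names: pull_request_target, fork-head checkout, cache access, OIDC permission."""
import re

# Line-based patterns so no YAML library is needed: a triage heuristic, not a parser.
TRIGGER = re.compile(r"^\s*(-\s*)?pull_request_target\b|^\s*on:.*\bpull_request_target\b")
FORK_HEAD = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
CACHE = re.compile(r"uses:\s*actions/cache@|^\s*cache:\s*(?!false\b)\S")
OIDC = re.compile(r"^\s*id-token:\s*write\b")


def audit_workflow(text: str) -> dict:
    """Return which indicators appear and whether they combine into a Pwn Request."""
    lines = text.splitlines()
    found = {
        "pull_request_target": any(TRIGGER.search(l) for l in lines),
        "checks_out_fork_head": any(FORK_HEAD.search(l) for l in lines),
        "uses_cache": any(CACHE.search(l) for l in lines),
        "oidc_token": any(OIDC.search(l) for l in lines),
    }
    # The boundary is crossed only when a privileged trigger runs code taken from
    # the fork; cache writes and id-token: write widen what that code can reach.
    found["pwn_request_risk"] = found["pull_request_target"] and found["checks_out_fork_head"]
    return found


# Constructed sample: the risky shape (hypothetical, not TanStack's workflow).
RISKY_WORKFLOW = """\
name: pr-build
on:
  pull_request_target:
permissions:
  id-token: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@v4
        with:
          cache: npm
      - run: npm ci && npm test
"""

# Constructed sample: same job on plain pull_request, keeping the default merge-ref checkout.
SAFE_WORKFLOW = RISKY_WORKFLOW.replace("pull_request_target:", "pull_request:").replace(
    "        with:\n          ref: ${{ github.event.pull_request.head.sha }}\n", "")
```

Run audit_workflow over every file under .github/workflows and triage anything where pwn_request_risk is true first; uses_cache and oidc_token on their own are normal and only matter in that combination.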
Feds didn't chase a ransomware brand this time — they took down a shared anonymity service
An international law-enforcement coalition dismantled First VPN and arrested its administrator. Per the FBI, at least 25 ransomware gangs used the service to mask activity; Europol noted it marketed anonymous connections, anonymous payments, and hidden infrastructure to criminal users, ran servers across 27 countries, and had been under investigation since December 2021.
The strategic read is analysis, not the agencies' framing: brand takedowns tend to produce rebrands, whereas hitting shared services — VPNs, bulletproof hosting, crypto rails — degrades the affiliate substrate that multiple groups depend on at once. If that thesis holds, the value here is less the single service and more the seized logs.
Watch for: Whether a named firm documents which substitute anonymity services absorb the displaced traffic — and any follow-on arrests stemming from the seized infrastructure.
Sources: TechCrunch (21 May 2026); FBI alert; Europol.
"Ghost" operators are tracking phones through SS7, no handset compromise required
Citizen Lab documented two multi-year surveillance campaigns that abused long-known weaknesses in global telecom signaling to track targets' physical locations across multiple countries. The vendors operated as ghost companies impersonating legitimate carriers, piggybacking on real operator networks to query location data and automatically failing over to a second method when the first was blocked; the primary abuse targeted SS7, the 1970s-era signaling protocol with no authentication or encryption. Citizen Lab did not name the vendors.
The defender takeaway is well-calibrated by the research itself: this is surveillance-for-hire at the network layer, fully outside endpoint or app-level controls, so no amount of device hardening sees it. It also lands alongside regulatory movement — the FCC tightening telecom KYC rules to close foreign-service loopholes — which suggests the signaling layer is finally drawing policy attention.
Watch for: Whether any carrier or regulator names the ghost operators, and whether signaling-firewall guidance gets refreshed in response.
Sources: Citizen Lab (23 Apr 2026); TechCrunch, CyberScoop (23–24 Apr 2026).
On-prem Exchange took a zero-day two days after a quiet Patch Tuesday
Microsoft warned of CVE-2026-42897, a spoofing/XSS flaw affecting on-premises Exchange Server (Subscription Edition, 2016, 2019), disclosed 14 May and exploited in the wild; mitigations were issued ahead of a permanent patch. SecurityWeek reported that the May Patch Tuesday closed 137 vulnerabilities without addressing any zero-days — unusual enough to draw notice — and that this flaw surfaced roughly 48 hours later.
On-prem (hosted on premises rather than cloud) Exchange remains a standing liability for organizations that can't or won't migrate. Treat any internet-facing instance as a hunt surface, not a patch-cycle line item.
Watch for: A permanent patch and any attribution; XSS-in-Exchange historically gets folded into broader intrusion chains quickly.
Sources: SecurityWeek (14 May 2026); The Hacker News (26 May 2026); Microsoft MSRC.
[DEVELOPING SIGNAL] China-nexus edge-router implant campaign reported in Southeast Asia
One outlet reports a campaign compromising Linux-based edge routers with a custom ELF implant, paired with a cracked Cobalt Strike Beacon on Windows for unified C2, enabling traffic visibility and manipulation downstream of the router while sidestepping endpoint defenses. The China-nexus read rests on reported indicators — Mandarin-language strings in the implant, Chinese-language C2 headers, cracked Cobalt Strike licenses, and infrastructure patterns said to align with known PRC clusters. That attribution is an analytical inference from reported indicators, not a confirmed finding, and it is currently single-sourced and uncorroborated, with no named top-tier threat-intelligence firm publicly attributing it.
Holding it here precisely for that reason: the TTPs (edge-device persistence, downstream traffic control) are consistent with documented PRC pre-positioning, but consistency is not confirmation, and the available reporting is derivative rather than primary.
Watch for: Corroboration from a named firm (Mandiant/GTIG, Recorded Future, Talos) with IOCs or an implant hash — that is what would move this from signal to confirmed.
Sources: Single secondary outlet (reported ~26 May 2026). Uncorroborated; do not elevate.
"Ransomware as terrorism" is back before Congress — this time with homicide charges attached
At a joint House Homeland Security subcommittee hearing, former FBI cyber deputy Cynthia Kaiser — now at Halcyon's ransomware research center — proposed terrorism designations for groups attacking hospitals, plus homicide charges under the federal felony-murder rule where attacks lead to patient deaths. She cited FBI figures showing healthcare ransomware incidents roughly doubling from 238 in 2024 to 460 in 2025, making it the most-targeted sector.
Worth tracking not because designation is imminent — Congress has floated this before — but because the felony-murder framing is a genuinely new prosecutorial lever, and designations would unlock State/Treasury/Justice sanctions and travel restrictions. The arguably underweighted angle: terrorism designations demand a higher evidentiary bar than indictments, which would reshape what "attribution" has to prove.
Watch for: Any committee markup or DOJ signal on the felony-murder theory — that's the part with near-term teeth.
Sources: CyberScoop, Nextgov/FCW (21–22 Apr 2026).
A destructive wiper hit Venezuela's energy sector, and Kaspersky is calling it targeted
Kaspersky reported a previously unseen data wiper — which it tracks as Lotus Wiper — active in Venezuela in late 2025 and early 2026, with what it describes as clear signs of targeting victims in the energy and utilities sector. Its activity falls within the same broad period as reported geopolitical and military activity involving Venezuela; during that period Venezuela's grid went down and its largest oil producer reported a ransomware attack. US Cyber Command has previously told Congress it contributed cyber expertise to regional operations without specifying involvement.
Any link between the wiper and a US or other state operation is not established in public reporting — the temporal overlap is correlation, not attribution, and should not be presented as more. The value is the pattern: destructive malware co-located with kinetic action against critical infrastructure is the cyber-kinetic convergence worth tracking regardless of attribution.
Watch for: A fuller Kaspersky or third-party technical writeup with attribution analysis; sourcing on state-aligned wipers tends to firm up weeks after first disclosure.
Sources: Kaspersky (Lotus Wiper); Risky Business Bulletin (~22 Apr 2026).
Jonathan Brown is a cybersecurity researcher and investigative journalist at bordercybergroup.com.