Edition: 28 May 2026 — Morning Brief
Glassworm Takedown Is a Win, Not a Conclusion — Operators Are Still Free
On May 26, 2026, at 14:00 UTC, CrowdStrike's Counter Adversary Operations team, working with Google and the Shadowserver Foundation, simultaneously struck all four command-and-control channels of the Glassworm botnet — a global developer-targeting operation active since at least early 2025. The C2 architecture tells you why the timing had to be simultaneous: channels included Solana blockchain memo fields encoding C2 addresses, BitTorrent DHT configuration data, Google Calendar event titles used as Base64-encoded dead-drops, and traditional VPS infrastructure. Knocking one channel would have left three standing. The RAT itself — GlasswormRAT, a full-featured Node.js payload — stole npm, GitHub, and Git credentials; drained cryptocurrency wallet extensions; deployed SOCKS proxies and hidden VNC servers; and hid its code using Unicode variation selectors, rendering malicious characters invisible in standard code editors. More than 300 GitHub repositories were poisoned during the campaign; malicious code was also introduced via compromised npm and Python packages and trojanized VS Code extensions published to the Open VSX marketplace. Attribution points toward Russia; no arrests have been made. This disruption holds only as long as operators stay dormant — and they have the infrastructure muscle memory to reconstitute.
Watch for: [Analytic indicator, not a confirmed signal] New blockchain dead-drop registrations on Solana or fresh Open VSX extension submissions from new accounts are the lowest-effort rebuild paths and the logical place to watch — but no public reporting has yet documented activity along either vector.
Sources: CrowdStrike Counter Adversary Operations blog, May 26, 2026; Cybersecurity Dive, May 27, 2026; The Register, May 27, 2026; Security Affairs, May 27, 2026.
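A defender-side check for the code-hiding technique mentioned above, as an added example that is not CrowdStrike's or the campaign's code: it scans source files for Unicode variation selectors and other zero-width code points and reports where they sit. The sample input is constructed, and the file-suffix filter is an assumption.

```python
"""Scan source text for Unicode variation selectors and other zero-width
characters that can hide code from a human reviewer. Added example, not
CrowdStrike's or Glassworm's code; the sample input below is constructed."""
import re
import sys
from pathlib import Path

# Variation selectors VS1-VS16 (U+FE00-FE0F) and VS17-VS256 (U+E0100-E01EF),
# plus zero-width, BOM and bidi-control code points that also render blank.
INVISIBLE = re.compile(
    "[\ufe00-\ufe0f\U000e0100-\U000e01ef"
    "\u200b-\u200f\u2060-\u2064\ufeff\u202a-\u202e\u2066-\u2069]+"
)

def find_hidden_runs(text):
    """Return [(line_no, col, length, [codepoints])] for every run of
    invisible code points in text (1-based line, 0-based column)."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in INVISIBLE.finditer(line):
            hits.append((line_no, m.start(), len(m.group()),
                         [f"U+{ord(c):04X}" for c in m.group()]))
    return hits

def scan_paths(paths, suffixes=(".js", ".ts", ".py", ".json")):
    """Walk files under paths; return {path: hits} for files with hidden runs.
    The suffix filter is an assumption; widen it for your repositories."""
    report = {}
    for root in paths:
        files = [root] if root.is_file() else root.rglob("*")
        for p in files:
            if p.suffix in suffixes and p.is_file():
                hits = find_hidden_runs(p.read_text(encoding="utf-8", errors="replace"))
                if hits:
                    report[str(p)] = hits
    return report

# Constructed sample: four variation selectors hidden inside a string literal
# and a zero-width space splitting an identifier. Both render as plain text.
SAMPLE = (
    "const ok = true;\n"
    "const x = 'a\ufe00\ufe01\U000e0100\U000e01efb';\n"
    "const t\u200bo = 1;\n"
)

if __name__ == "__main__":
    targets = [Path(a) for a in sys.argv[1:]]
    result = scan_paths(targets) if targets else {"<sample>": find_hidden_runs(SAMPLE)}
    for path, hits in result.items():
        for line_no, col, n, cps in hits:
            print(f"{path}:{line_no}:{col}: {n} hidden code point(s) {cps}")
```

Run it with no arguments to see the constructed sample flagged, or pass repository paths to scan real files.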
Silent Ransom Group Is Now Walking Through Your Front Door — Literally
The FBI's Cyber Division has confirmed that Silent Ransom Group (SRG) — also tracked as Luna Moth, Chatty Spider, and UNC3753 — is targeting law firms by combining IT-themed social engineering calls with physical in-person visits, during which an operative posing as IT support inserts a storage device into a workstation to exfiltrate data. The group deploys no ransomware and no encryption — desktops don't lock, no splash screens appear, IT systems continue to function normally — making the attack entirely invisible until a ransom email arrives threatening to post stolen data on SRG's publicly accessible clearnet leak site. Data from more than 38 firms has already been published on that site; researchers put the total attack count above 100, with activity surging sharply in early 2026. Jones Day and Wood Smith Henning & Berman both faced exposures in Q1. The operational question nobody has answered publicly: how are operatives sourced for physical access runs? This is an open analytical gap — no named intelligence firm has publicly attributed SRG's physical recruitment pipeline, and any hypothesis about sourcing should be treated as speculation until confirmed. The physical tradecraft changes the defensive calculus for every firm operating open-plan reception areas, regardless of who is doing the recruiting.
Watch for: SRG leak site additions in the next 48 hours; the group's post-visit ransom demand timeline runs roughly 10–21 days, meaning current access operations are already in progress.
Sources: FBI Cyber Division FLASH alert, May 26, 2026; CyberScoop, May 27, 2026; BleepingComputer, May 27, 2026; DataBreaches.net, April 13, 2026.
MuddyWater Is Weaponizing Your EDR Against You
MuddyWater, linked to Iran's Ministry of Intelligence and Security, has been tied to a Q1 2026 campaign hitting at least nine organizations across nine countries on four continents. Targets span industrial and electronics manufacturing, education, public-sector bodies, financial services, and professional services — per Symantec and Carbon Black's Threat Hunter team. The standout TTP: attackers repeatedly deployed legitimately signed Fortemedia (fmapp.exe) and SentinelOne (sentinelmemoryscanner.exe) binaries to sideload malicious DLLs while masquerading as benign software. Using a signed SentinelOne binary as the sideloading vehicle while targeting organizations likely running SentinelOne is a notable technique choice — whether that reflects operational calculation or opportunistic tool selection is an interpretive question the public record doesn't yet resolve. The campaign's common thread, per Symantec, is that every targeted organization holds material of intelligence value to Tehran: IP on high-tech manufacturing, government research, or downstream access to customers of services companies. Initial access vector remains unconfirmed in the public disclosure.
Watch for: Fortemedia fmapp.exe and sentinelmemoryscanner.exe executing from non-standard directories or spawning unexpected child processes — these are the in-the-wild detection signatures this campaign has handed defenders.
Sources: Symantec/Carbon Black Threat Hunter Team, May 26, 2026; The Hacker News, May 26, 2026; Industrial Cyber, May 2026.
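Detection logic for the watch item above, as an added example rather than Symantec's or Carbon Black's content: it runs over Sysmon-style process-creation events and flags the two named binaries when they execute outside an expected directory or spawn a scripting host. The expected-directory allowlist and the sample events are assumptions to replace with a known-good baseline from your own estate.

```python
"""Flag the signed-binary sideloading pattern described above in process
creation telemetry. Added example, not Symantec's detection content; the
expected-directory allowlist and the sample events are assumptions."""
from pathlib import PureWindowsPath

WATCHED = {"fmapp.exe", "sentinelmemoryscanner.exe"}
# ASSUMPTION: where these binaries legitimately live. Replace with the
# directories observed on a known-good baseline host in your environment.
EXPECTED_DIRS = {
    "fmapp.exe": {r"c:\program files\fortemedia"},
    "sentinelmemoryscanner.exe": {r"c:\program files\sentinelone"},
}
# Children a memory scanner or audio helper has no business launching.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe",
                       "mshta.exe", "wscript.exe", "cscript.exe"}

def _name(path):
    return PureWindowsPath(path).name.lower()

def _dir(path):
    return str(PureWindowsPath(path).parent).lower()

def check_event(ev):
    """Return the reasons an event is suspicious (empty list = benign)."""
    reasons = []
    image, parent = ev.get("image", ""), ev.get("parent_image", "")
    name, pname = _name(image), _name(parent)
    if name in WATCHED:
        # Compare lowercased directory prefixes so case tricks don't evade it.
        if not any(_dir(image).startswith(d) for d in EXPECTED_DIRS[name]):
            reasons.append(f"{name} launched from unexpected dir {_dir(image)}")
    if pname in WATCHED and name in SUSPICIOUS_CHILDREN:
        reasons.append(f"{pname} spawned {name}")
    return reasons

def triage(events):
    """Run check_event over an event stream; return (pid, reason) pairs."""
    return [(ev["pid"], r) for ev in events for r in check_event(ev)]

# Constructed sample telemetry (Sysmon-style fields, values invented):
# pid 100 is the benign baseline, the other three match the campaign pattern.
SAMPLE_EVENTS = [
    {"pid": 100, "image": r"C:\Program Files\SentinelOne\SentinelMemoryScanner.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"pid": 101, "image": r"C:\Users\Public\Libraries\sentinelmemoryscanner.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 102, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\Public\Libraries\sentinelmemoryscanner.exe"},
    {"pid": 103, "image": r"C:\Temp\fmapp.exe", "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```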
Two Microsoft Defender Zero-Days Were In Active Exploitation For Six Weeks Before a Patch Existed
Microsoft pushed out-of-band patches on May 21, 2026, for two Windows Defender zero-days. RedSun (CVE-2026-41091) and UnDefend (CVE-2026-45498) had no fixes for six weeks while active exploitation was already underway. Huntress incident responders documented the first real-world use of the chain in mid-April 2026. CVE-2026-41091 carries a CVSS score of 7.8 and targets the Microsoft Malware Protection Engine; the flaw lets a low-privileged attacker manipulate a symbolic link or directory junction during a Defender scan and escalate to full SYSTEM-level control. CVE-2026-45498 is a denial-of-service vulnerability in the Defender Antimalware Platform — reported CVSS 7.5 — that causes the scanning engine to crash or hang, effectively taking antivirus offline. Chained together, the pair provides local privilege escalation and then incapacitates the primary endpoint defense: a clean post-exploitation package requiring no elevated starting position. In a confirmed Huntress customer intrusion, an attacker entered via a compromised FortiGate VPN account, ran standard reconnaissance, and then deployed the exploits in sequence. A fifth zero-day from the same researcher, MiniPlasma — granting SYSTEM access on fully patched Windows 11 via the Cloud Filter driver — remains unpatched. MiniPlasma's patch timeline is publicly unknown; assigning a specific arrival window would be speculation.
Watch for: [Analytic indicator] MiniPlasma CVE assignment is the leading observable; until a CVE appears, assume it remains a live unpatched privilege escalation vector on current Windows 11 builds.
Sources: BleepingComputer, May 25, 2026; TechTimes, May 21, 2026; Notebookcheck, May 21, 2026; CISA KEV catalog, May 20, 2026; GBHackers, May 2026.
Ghost CMS SQL Injection Turned Harvard and Oxford Into Malware Delivery Nodes
Attackers exploited CVE-2026-26980, a critical unauthenticated SQL injection flaw in Ghost CMS versions 3.24.0 through 6.19.0, to compromise over 700 domains — including Harvard University, Oxford University, Auburn University, and DuckDuckGo — turning them into ClickFix malware distribution points. The SQL injection bug allows attackers to steal administrative API keys without authentication, then silently inject malicious JavaScript into posts and pages across affected sites. Visitors are served a fake Cloudflare CAPTCHA that instructs them to copy-paste a command into Windows Run or PowerShell — installing malware by their own hand. First detected May 7, 2026, the campaign spans universities, blockchain, AI, SaaS, security research, media, and fintech sectors. At least two distinct threat clusters are assessed to be behind the campaign, with some sites compromised within a single day of initial access. A patch is available in Ghost 6.19.1. The patch had been available for roughly three months before mass exploitation arrived — consistent with the standard enterprise patching lag that turns known vulnerabilities into mass-casualty events.
Watch for: Expansion of the same ClickFix payload delivery chain to other CMS platforms; the fake Cloudflare verification lure has been infrastructure-agnostic in prior campaigns and doesn't require Ghost-specific access.
Sources: Malwarebytes, May 26, 2026; The Hacker News / XLab, May 2026; TechRadar, May 26, 2026; CVE-2026-26980 per named researcher reporting and vendor advisory.
Someone Used AI to Build a Claude-Targeting npm Stealer and Then Left Their GitHub Token In the Code
OX Security disclosed a malicious npm package named "mouse5212-super-formatter" designed to exfiltrate files from /mnt/user-data — the directory Anthropic's Claude AI tool uses for uploads and outputs in the background. The activity has been codenamed Malware-Slop. The package authenticates to GitHub during the postinstall stage using either a GitHub token found in the victim's environment or a hard-coded fallback token, then recursively uploads every file to a threat actor-controlled repository. The package reached 676 downloads before removal, and the attacker leaked their own GitHub private token in the code — allowing OX Security researchers to trace the stolen files and analyze the campaign before issuing a warning. The OPSEC failure is almost beside the point. The attack pattern explicitly maps AI coding tool file paths as a targeting surface — developer environments running Claude for code generation tasks routinely have sensitive project files sitting in /mnt/user-data. More competent iterations of the same concept are plausible and should be expected; the template is now public and demonstrated-working.
Watch for: Follow-on packages with the same postinstall exfiltration pattern but without the token leak — cleaner execution of an identical approach is the obvious next iteration.
Sources: OX Security researchers Moshe Siman Tov Bustan and Nir Zadok, via The Hacker News, May 27, 2026; The Register, May 27, 2026.
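A pre-install audit for the postinstall exfiltration pattern described above, added here as an example and not OX Security's tooling: it flags install-time lifecycle hooks in package.json and scans package sources for hard-coded GitHub tokens, the /mnt/user-data path and a read-files-then-call-GitHub combination. The sample manifest and script are constructed (the upload logic is deliberately omitted), and the token prefixes are GitHub's publicly documented formats.

```python
"""Pre-install audit of an unpacked npm package: flag install-time lifecycle
hooks and scan sources for hard-coded GitHub tokens, AI-tool data paths and a
read-then-upload shape. Added example; the sample package is constructed."""
import json
import re
import tempfile
from pathlib import Path

INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
# GitHub's documented token prefixes: ghp_, gho_, ghu_, ghs_, ghr_, github_pat_
TOKEN_RE = re.compile(r"\b(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})\b")
# /mnt/user-data is the Claude path from the report; the rest are credential stores.
SENSITIVE_PATHS = ("/mnt/user-data", ".npmrc", ".git-credentials", ".ssh/")

def audit_manifest(manifest):
    """Return the install-time hook names present in package.json 'scripts'."""
    return sorted(h for h in INSTALL_HOOKS if h in manifest.get("scripts", {}))

def audit_source(text):
    """Return (finding_kind, detail) pairs for one source file's text."""
    findings = [("hardcoded_token", m.group()[:8] + "...")  # never echo the secret
                for m in TOKEN_RE.finditer(text)]
    findings += [("sensitive_path", p) for p in SENSITIVE_PATHS if p in text]
    if re.search(r"api\.github\.com|uploads\.github\.com", text) and \
            re.search(r"readdir|readFile", text):
        findings.append(("exfil_pattern", "enumerates files and calls the GitHub API"))
    return findings

def audit_package(pkg_dir):
    pkg_dir = Path(pkg_dir)  # an unpacked tarball, before running npm install
    manifest = json.loads((pkg_dir / "package.json").read_text())
    report = {"install_hooks": audit_manifest(manifest), "files": {}}
    for f in pkg_dir.rglob("*.js"):
        if hits := audit_source(f.read_text(errors="replace")):
            report["files"][f.name] = hits
    return report

# Constructed sample mimicking the postinstall shape described above (no upload code).
SAMPLE_MANIFEST = {"name": "example-formatter", "version": "1.0.0",
                   "scripts": {"postinstall": "node setup.js"}}
SAMPLE_POSTINSTALL = """const fs = require('fs');
const token = process.env.GITHUB_TOKEN || 'ghp_EXAMPLEexampleEXAMPLEexampleEXAMPLE00';
const files = fs.readdirSync('/mnt/user-data');
// ... each file would be PUT to api.github.com here (omitted) ...
"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "package.json").write_text(json.dumps(SAMPLE_MANIFEST))
        (Path(d) / "setup.js").write_text(SAMPLE_POSTINSTALL)
        print(json.dumps(audit_package(d), indent=2))
```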
The "340 Million OnlyFans Breach" Is Most Likely Synthetic — But the Exposure Is Real Regardless
[DEVELOPING SIGNAL — leak listing confirmed by named security researchers; breach unconfirmed] A listing appeared on a popular data leak forum claiming to sell approximately 340 million OnlyFans creator and subscriber records including emails, usernames, account activity metrics, and linked social media accounts. OnlyFans has publicly denied any hack. The seller, using the handle Euphoric_Reply_5727, listed the dataset for approximately 0.313 BTC (~$76,000) and reportedly admitted the database was compiled from previous leaks and publicly available information rather than a direct platform compromise. Researchers analyzing screenshots identified technical inconsistencies: field names such as streams_count and likes_count resemble frontend API attributes rather than backend database columns, casting further doubt on a genuine internal server breach. The listing was documented and reported by Cybernews and Hackread on May 24–25, 2026; independent dataset validation by named security researchers is still in progress. What confirms the residual risk: for anyone who has connected an Instagram or X account to an OnlyFans profile, that linkage is already discoverable and may now be packaged for sale — the real exposure is identity correlation, not credential compromise.
Watch for: Independent researcher validation of the dataset sample; if the synthetic-aggregation hypothesis holds, expect the listing to seed targeted blackmail campaigns regardless — the platform name alone is sufficient leverage, and the seller has already demonstrated willingness to monetize doubt.
Sources: Cybernews, May 24–25, 2026 (listing first documented); Hackread, May 25, 2026; Martin Cid Magazine, May 26, 2026; CISONODE, May 25, 2026.
Mini Shai-Hulud Is Still Running — The npm Worm Era Has Normalized
Unit 42 has tracked an aggressive acceleration in npm supply chain compromise frequency and technical depth since September 2025, when the original Shai-Hulud worm marked the end of the nuisance era. Two separate campaigns ran in April 2026 — "Shai-Hulud: The Third Coming" starting April 22, and Mini Shai-Hulud starting April 29 — with the Mini Shai-Hulud campaign continuing into May 2026. The original Shai-Hulud used stolen GitHub publish tokens to compromise Aqua Security's open-source Trivy vulnerability scanner in March 2026, leading to multiple downstream attacks. The malware checked for GitHub tokens, uploaded found secrets to GitHub unencrypted, and then made all compromised repositories public. The thread connecting Glassworm, the Shai-Hulud waves, the TanStack compromise, the Bitwarden CLI impersonation, the Axios RAT, and this week's Malware-Slop package is one campaign-level signal: the npm ecosystem is an active, ongoing battlefield, not a series of isolated incidents. Whether each wave's credential harvest is operationally funding the next is an analytically reasonable inference from the shared tooling patterns — but direct causal linkage has not been publicly proven by named researchers, and should be treated as a working hypothesis.
Watch for: New npm package publishing spikes from accounts created within the last 30 days, particularly those mimicking security tools, formatters, or developer utility packages — the Mini Shai-Hulud template favors utility-style camouflage.
Sources: Unit 42 / Palo Alto Networks npm threat landscape tracker, updated May 21, 2026; Huntress Tradecraft Tuesday recap, April 21, 2026; SafeDep/Endor Labs on Mini Shai-Hulud SAP-package wave, April 2026.
Jonathan Brown is a cybersecurity researcher and investigative journalist at bordercybergroup.com.