Wednesday, 03 June 2026
Read of the day: the May GitHub breach didn't stay on GitHub. A leaked personal access token now sits at the root of a PHP supply-chain attack; a malware-signing service was reselling trust derived from Microsoft's signing infrastructure to a who's-who of ransomware crews; and in one cloud intrusion an LLM agent appears to have driven most of the post-exploitation with little human direction. The trust layer is still the battlefield — and AI is now operating on both sides of it.
Sysdig says an LLM agent — with little human direction — drove the post-exploitation chain after a Marimo RCE
Sysdig documented a 10 May intrusion in which an attacker exploited CVE-2026-39987 (CVSS v4.0 9.3), a pre-auth RCE in the Marimo notebook platform (an unauthenticated WebSocket endpoint gives a full shell without any credential check), then let an LLM agent run much of what followed. Sysdig assesses the post-exploitation showed several indicators of autonomous agent behavior — suggesting an LLM executed much of the workflow without continuous human direction — as the operation extracted two cloud credentials from the host, replayed them through a fanned-out egress pool to pull an SSH private key from AWS Secrets Manager, opened eight parallel SSH sessions against a downstream bastion, and exfiltrated an internal PostgreSQL database in under two minutes, with the whole chain wrapping in just over an hour. The standout tell, per Sysdig: the actor improvised a database dump with no apparent prior knowledge of the schema. This is the line the AI-threat conversation has been circling for a year — not AI helping a human write a script, but AI executing the intrusion workflow itself, adapting live to an environment it had never seen — and Sysdig's case is a strong data point for it, not yet proof of fully autonomous tradecraft. On the fixed version, the record is clear once you go to the source: Marimo's official GitHub security advisory lists all versions below 0.23.0 as affected and 0.23.0 as the fix; the "0.20.4" figure in some early secondary reporting is superseded.
Watch for: A second IR shop publishing an independent agentic-attack teardown — one Sysdig case is a data point; a second turns it into a trend. Many internet-reachable Marimo deployments co-locate cloud credentials, API keys, or database secrets, which makes any exposed instance an attractive post-exploitation target.
Sources: Sysdig Threat Research (technical writeup, late May 2026); Marimo GitHub Security Advisory (8 April 2026); The Hacker News (29 May 2026); NVD; incident dated 10 May 2026.
A leaked GitHub token rewrote every tag on four Laravel-Lang packages — and it may trace back to the GitHub breach
On 22–23 May an attacker with push access to the Laravel-Lang GitHub org rewrote every existing git tag across four widely used Composer packages (laravel-lang/lang, http-statuses, attributes, actions), repointing them at malicious commits inside a roughly 15-minute opening burst. Because the attacker rewrote history rather than publishing a new version, any project that pulled updates through normal Composer dependency resolution resolved to a poisoned tag — only projects locked to a specific pre-22-May commit hash were safe. The payload auto-executes on dependency install and runs a cross-platform credential stealer that exfiltrates CI secrets to a typosquatted domain. Socket, StepSecurity, Aikido and Snyk all analyzed it; the version counts conflict and should be flagged — Aikido puts it at 233 poisoned versions, Socket at ~700, with 502 tags in laravel-lang/lang alone. The connective detail: Snyk assesses the access came from a leaked GitHub Personal Access Token "presumed to have resulted from a recent GitHub data breach" — i.e., a possible downstream blast from the TeamPCP intrusion. That linkage is Snyk's assessment, not a confirmed forensic chain; treat it as a thread to pull, not a finding.
Watch for: Confirmation (or denial) that the PAT originated in the GitHub estate compromise — if it holds, it would be one of the first observed downstream supply-chain attacks linked to that incident, and a sign the breach is reaching into other ecosystems. Also watch for the same tag-rewrite technique hitting another Composer or npm org.
Sources: StepSecurity, Socket, Aikido, Snyk (advisories, 22–27 May 2026); SecurityWeek, BleepingComputer, The Hacker News (late May 2026).
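An added example, not taken from any of the cited advisories: a rewritten tag keeps its version string but points at a different commit, so comparing the `source.reference` recorded in a known-good composer.lock against a freshly resolved one exposes the swap. The lock contents, versions and commit hashes below are constructed placeholders.

```python
import json

WATCHED_PREFIX = "laravel-lang/"  # the org named in the advisories


def pinned_refs(lock_text):
    """Map (name, version) -> commit hash recorded in a composer.lock."""
    lock = json.loads(lock_text)
    refs = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            src = pkg.get("source") or {}
            refs[(pkg["name"], pkg["version"])] = src.get("reference")
    return refs


def tag_drift(baseline_text, current_text, prefix=WATCHED_PREFIX):
    """Return packages whose version is unchanged but whose commit moved."""
    old, new = pinned_refs(baseline_text), pinned_refs(current_text)
    drift = []
    for key, ref in sorted(new.items()):
        if key[0].startswith(prefix) and key in old and old[key] != ref:
            drift.append({"name": key[0], "version": key[1],
                          "was": old[key], "now": ref})
    return drift


def _lock(packages):
    """Build a minimal composer.lock document for the constructed samples."""
    return json.dumps({"packages": [
        {"name": n, "version": v, "source": {"type": "git", "reference": r}}
        for n, v, r in packages]})


# Constructed sample data: versions and hashes are placeholders, not real commits.
BASELINE = _lock([("laravel-lang/lang", "15.0.0", "a" * 40),
                  ("laravel-lang/actions", "1.8.0", "b" * 40),
                  ("monolog/monolog", "3.5.0", "c" * 40)])
CURRENT = _lock([("laravel-lang/lang", "15.0.0", "d" * 40),     # same tag, new commit
                 ("laravel-lang/actions", "1.9.0", "e" * 40),  # ordinary version bump
                 ("monolog/monolog", "3.5.0", "c" * 40)])

if __name__ == "__main__":
    for d in tag_drift(BASELINE, CURRENT):
        print(f"{d['name']} {d['version']}: {d['was'][:8]} -> {d['now'][:8]}")
```

The baseline should be a lock file committed before 22 May; an ordinary version bump is not reported, only a version whose commit changed underneath it.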
Microsoft and Resecurity dismantled a malware-signing service that resold trust derived from Microsoft's own signing infrastructure
Microsoft's Digital Crimes Unit, with Resecurity, disrupted Fox Tempest — a malware-signing-as-a-service operation that abused Microsoft Artifact Signing (formerly Azure Trusted Signing) to mint short-lived code-signing certificates, valid for up to ~72 hours, that made malware look like trusted software. Microsoft unsealed an SDNY case on 19 May, seized the operation's site (signspace[.]cloud), took hundreds of VMs offline, and revoked more than 1,000 fraudulent certificates; the actor is assessed to have used stolen or synthetic US/Canadian identities to clear Microsoft's identity checks. The customer list is the part that matters — Microsoft ties Fox Tempest-signed payloads to Rhysida (via Vanilla Tempest), Oyster, Lumma Stealer, Vidar, and affiliates of INC, Qilin and Akira. This is the trust layer attacked from the supply side: rather than stealing a victim's signing key, the crew obtained legitimacy derived from the platform's signing infrastructure and resold it as a service.
Watch for: Whether a successor MSaaS fills the vacuum (the 72-hour-cert model is cheap to rebuild), and whether the revocation actually breaks in-field payloads or just future signing. Hunt for recently revoked Artifact Signing certs across your EDR telemetry.
Sources: Microsoft Security Blog / Digital Crimes Unit ("Exposing Fox Tempest," 19 May 2026); Resecurity (press release, ~27 May 2026); Security Affairs, The Defense Post (late May 2026).
Russia's GREYVIBE built its malware with ChatGPT and Gemini — and WithSecure says the AI assistance left a hole in their own backend
WithSecure detailed GREYVIBE, a previously undocumented Russia-nexus group that has used OpenAI's ChatGPT, Google's Gemini and Ideogram AI across nearly every stage of a campaign against Ukrainian military, government, civilian and business targets running since at least August 2025. The lures are texture-rich — spear-phishing, fake CAPTCHA pages, even fraudulent Ukrainian "adult club" sites — and WithSecure assesses with moderate-to-high confidence that several custom tools were LLM-developed. The instructive twist: WithSecure says that same AI-assisted development introduced a design flaw into the LegionRelay malware that exposed its backend functionality, and reads it as a sign GREYVIBE isn't a top-tier state actor, given a sophisticated shop wouldn't make that mistake. The defender takeaway is the inverse of the doom narrative: AI lowered this group's barrier to entry, but appears to have lowered their operational discipline too. The broader framing — that AI uplift cuts both ways, and the artifacts it leaves behind are themselves intelligence — is an analytical reading on top of WithSecure's findings, not their explicit conclusion.
Watch for: Whether the next AI-assisted Russia-nexus group shows the same self-inflicted backend exposure — if AI-introduced bugs become a recurring attribution gift, that's a durable defensive advantage. WithSecure published full IOCs and YARA rules.
Sources: WithSecure Labs (GREYVIBE report, Mohammad Kazem Hassan Nejad, ~27 May 2026); The Hacker News, The Register, Security Affairs (29 May 2026).
The LA Metro "hacktivist" attack looks like an MOIS-linked operation behind a costume — and the playbook went straight for the recovery layer
Gambit Security assesses that "Ababil of Minab," the pro-Iran persona that claimed the March breach of the LA County Metropolitan Transportation Authority, is a facade for Black Shadow — an Iran-linked group the Israel National Cyber Directorate attributes to Iran's Ministry of Intelligence and Security. Read that as a strong, single-firm forensic assessment rather than settled attribution: the evidence chain (infrastructure overlap, tooling, the prior INCD attribution of Black Shadow) is solid, but it is Gambit's call and hasn't yet been independently corroborated by a second named firm. LA Metro confirmed the intrusion on 2 April; rail and bus service stayed up, but operators deleted VMs through the agency's own vCenter, hunted down backups and storage volumes to deny restoration, and exfiltrated data Gambit found exposed online (~700GB confirmed, against the group's far larger and unverified 500TB-wiped claim). The same campaign hit the South Florida Regional Transportation Authority, a firm called UNIMAC (where they renamed partitions "Minab" as a calling card), and GPS-tracker Vyncs — and in one case, per Gambit, the attacker used an AI chatbot to refine a destruction script. Two things make this more than another false-flag: Gambit's observation that modern operators now move from initial access straight into the recovery layer to maximize destruction, and the timing — Los Angeles is a FIFA World Cup 2026 host city, with the tournament opening 11 June.
Watch for: Further Black Shadow activity against US transit, utilities, or World Cup-adjacent infrastructure in the run-up to 11 June; and whether other "hacktivist" personas claiming US infrastructure hits resolve to the same MOIS cluster.
Sources: Gambit Security (report, ~26 May 2026); SecurityWeek, Route Fifty, NBC News, The Jerusalem Post (late May 2026).
FortiClient EMS — the box that manages your endpoints — is now shipping a fake Fortinet "patch" that's actually an infostealer
Arctic Wolf observed threat actors exploiting CVE-2026-35616 (CVSS 9.1, a pre-auth API access-control bypass in FortiClient EMS that watchTowr caught in-the-wild on 31 March, before Fortinet's 4 April advisory) to push a credential stealer dubbed EKZ — disguised as a Fortinet endpoint update and executed silently via PowerShell through the EMS's own VPN scripting workflows. EKZ pulls credentials from Chrome and Firefox, including techniques to defeat Chrome's encrypted password store, logs them locally, and exfiltrates over HTTP. The point isn't the CVE, which is two months old and KEV-listed since 6 April; it's the delivery mechanism. EMS is the management plane for an entire endpoint fleet — turning it into a malware distributor means the fake update inherits the trust every managed endpoint extends to its own management server. A bogus "security patch" as the payload is the kind of detail that earns a second look.
Watch for: EMS processes spawning shells or PowerShell — abnormal by design and a high-fidelity exploitation signal. If you run EMS 7.4.5/7.4.6, confirm the hotfix is applied and rotate EMS admin creds and integration API keys.
Sources: Arctic Wolf (blog, ~27 May 2026); BleepingComputer (late May 2026); Fortinet advisory (4 April 2026); watchTowr; CISA KEV (6 April 2026).
Google's June Android zero-day is the "limited, targeted" kind — read: spyware or a state actor on someone specific
Google's 1 June Android Security Bulletin patched CVE-2025-48595 (CVSS 8.4), an integer-overflow elevation-of-privilege flaw in the Android Framework affecting Android 14, 15, 16 and 16 QPR2, with "indications" it is under limited, targeted exploitation. It needs no user interaction and no special privileges — a local-vector bug, which most likely means delivery via a malicious app the target was induced to install. CISA added it to KEV on 2 June (federal deadline 5 June). The phrase to decode is Google's own: "limited, targeted" is the language reserved for narrow operations against high-value individuals — journalists, activists, officials — and is the fingerprint of commercial spyware or nation-state tooling, not mass cybercrime. This is the fourth Android zero-day since December 2025, a cadence that points to a healthy market for Android privilege-escalation primitives. Google has not named the discoverer, the actor, or the delivery vector — so the spyware read, while well-founded, is inference from the disclosure pattern, not a confirmed attribution.
Watch for: Citizen Lab, Amnesty's Security Lab, or Google TAG attaching this CVE to a named spyware vendor or campaign — that's what would convert the pattern into a finding.
Sources: Google Android Security Bulletin (1 June 2026); CISA KEV (2 June 2026); The Hacker News, Help Net Security, BleepingComputer (1–2 June 2026).
A four-year-old container-escape bug just hit KEV — which tells you something about where it's being used
CISA added CVE-2022-0492 (CVSS 7.0) to the KEV catalog on 2 June, four years after it was patched. The flaw is a logic bug in the Linux kernel's control-group handling — Unit 42's Yuval Avrahami once called it one of the simplest Linux privilege escalations on record, since the kernel exposed a privileged operation without checking privileges — that allows container escape and host takeover. The catch, and the reason this is interesting rather than alarming: in any container hardened with seccomp plus AppArmor or SELinux (the Docker defaults), exploitation is blocked. CISA didn't say how it's being exploited in the wild. Assessment, flagged as such: a KEV listing for a long-patched, well-mitigated flaw is a tell that attackers are finding real estate where those defaults are off — lax, self-rolled, or legacy container configs running untrusted workloads. This is the second old-and-patched flaw CISA has KEV'd this week, following the 2024 WebLogic entry; the through-line is that the exploitable population isn't unpatched software so much as misconfigured deployment.
Watch for: Any named-firm telemetry attaching this CVE to a specific actor or container-breakout campaign, which would tell you which deployment pattern is actually being hit. Audit for cgroups v1 hosts running containers without AppArmor/SELinux/seccomp.
Sources: CISA KEV (2 June 2026); Palo Alto Unit 42 (original analysis); Sysdig, Aqua Security (technical writeups); NVD.
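An added example, not from CISA or the cited writeups: one way to run the audit above is to read three `/proc` files per container process and flag any that sits on a cgroup v1 hierarchy without seccomp or an enforcing AppArmor/SELinux label. The sample file contents are constructed, and treating the SELinux types `unconfined_t` and `spc_t` as unconfined is an assumption of this sketch.

```python
from pathlib import Path

UNCONFINED_SELINUX_TYPES = {"unconfined_t", "spc_t"}  # assumption: treat as unconfined

def cgroup_v1_hierarchies(proc_cgroup):
    """v1 hierarchies in /proc/<pid>/cgroup; the v2 entry is always '0::/path'."""
    found = []
    for line in proc_cgroup.splitlines():
        parts = line.split(":", 2)
        if len(parts) == 3 and parts[0] != "0" and parts[1]:
            found.extend(parts[1].split(","))
    return found

def seccomp_mode(proc_status):
    """Seccomp field of /proc/<pid>/status: 0 disabled, 1 strict, 2 filter."""
    for line in proc_status.splitlines():
        if line.startswith("Seccomp:"):
            return int(line.split(":", 1)[1].strip())
    return None  # field absent: kernel built without seccomp support

def lsm_confined(attr_current):
    """True if /proc/<pid>/attr/current shows an enforcing AppArmor/SELinux label."""
    label = attr_current.strip("\x00 \n")
    if not label or label == "unconfined" or label.endswith("(complain)"):
        return False
    fields = label.split(":")  # an SELinux context is user:role:type:level
    return not (len(fields) >= 3 and fields[2] in UNCONFINED_SELINUX_TYPES)

def audit(pid, proc_cgroup, proc_status, attr_current):
    """Report missing hardening layers; 'review' means cgroup v1 plus a gap."""
    missing = []
    if seccomp_mode(proc_status) in (None, 0):
        missing.append("seccomp")
    if not lsm_confined(attr_current):
        missing.append("apparmor/selinux")
    v1 = cgroup_v1_hierarchies(proc_cgroup)
    return {"pid": pid, "cgroup_v1": v1, "missing": missing,
            "review": bool(v1 and missing)}

def audit_pid(pid):
    """Audit a live process; an unreadable label counts as unconfined."""
    base = Path("/proc") / str(pid)
    try:
        label = (base / "attr" / "current").read_text()
    except OSError:
        label = ""
    return audit(pid, (base / "cgroup").read_text(),
                 (base / "status").read_text(), label)

# Constructed samples of the three /proc files for three container processes.
V1 = "12:memory:/docker/abc\n1:name=systemd:/docker/abc\n"
HARDENED = (V1, "Name:\tnginx\nSeccomp:\t2\n", "docker-default (enforce)\n")
LAX = (V1, "Name:\tworker\nSeccomp:\t0\n", "unconfined\n")
UNIFIED = ("0::/system.slice/docker-abc.scope\n", "Seccomp:\t0\n", "unconfined\n")

if __name__ == "__main__":
    for pid, sample in enumerate((HARDENED, LAX, UNIFIED), start=1):
        print(audit(pid, *sample))
```

On a real host, call `audit_pid` as root with each container's init PID as reported by the container runtime.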
A Drupal SQLi that NVD scored a 6.5 is being mass-exploited — and that gap is the whole story
Drupal disclosed CVE-2026-9082 on 20 May, a novel unauthenticated SQL injection in Drupal core's database abstraction layer — Akamai's analysis describes a technique that exploits the framework's own query-building logic rather than the usual parameter-value injection — affecting PostgreSQL-backed sites running the JSON:API, Views, or Entity autocomplete modules. It was found by Google Mandiant's Michael Maturi, and Drupal's pre-disclosure PSA warned exploitation could land "within hours or days." It did: Imperva tracked over 15,000 attempts against nearly 6,000 sites across 65 countries in the first 48 hours, with roughly half aimed at gaming and financial-services sites. The flag per house rules: the scores conflict, and the conflict matters. Drupal rates it 23 of 25 ("Highly Critical") and several trackers cite 9.8, while NVD assigned a CVSSv3 of 6.5, scoring confidentiality and integrity impact as merely "Low." A team triaging strictly off the NVD number would deprioritize an unauthenticated, mass-exploited, RCE-capable flaw. CISA added it to KEV within 48 hours of the patch.
Watch for: Whether NVD revises upward, and whether exploitation broadens past gaming/finance into government estates (government is a heavy Drupal user). Inventory every Drupal site, map the database backend, and prioritize any PostgreSQL deployment exposing those modules.
Sources: Drupal SA-CORE-2026-004 (20 May 2026); Imperva, Akamai, Tenable (analyses, late May 2026); CISA KEV (~26 May 2026); NVD.
The Kimwolf takedown reached its human phase — and a Krebs OSINT thread got there first
US authorities charged Jacob Butler ("Dort"), 23, of Ottawa, with aiding and abetting computer intrusion over the Kimwolf botnet, arresting him in Canada (~20–21 May) on a US extradition warrant from a sealed District of Alaska complaint filed 10 April; he faces up to 10 years. Kimwolf — an Android variant of the Aisuru botnet, spreading across TV boxes, DVRs and cameras to more than a million devices — powered DDoS-for-hire attacks that prosecutors describe as among the largest recorded, peaking around 30 Tbps, and hit Department of Defense network IPs among others. The arrest is the accountability phase of a takedown that began 19 March, when DoJ, Germany's BKA/ZAC NRW and Canadian police dismantled the C2 for Aisuru, Kimwolf, JackSkid and Mossad; seizure warrants also hit services behind 45 DDoS-for-hire platforms. The texture worth flagging: Brian Krebs publicly traced "Dort" to Kimwolf back in February via email addresses, forum registrations and Telegram/Discord posts — Butler denied it at the time. This fits the infrastructure-first-then-individuals enforcement doctrine, and underscores how often open-source attribution now precedes the indictment.
Watch for: Extradition progress and whether the unsealed evidence corroborates Krebs's February OSINT trace; downstream charges tied to the 45 seized DDoS-for-hire platforms.
Sources: US DoJ (District of Alaska, ~21 May 2026); Help Net Security, The Hacker News, CyberScoop (May 2026); Brian Krebs (KrebsOnSecurity, Feb 2026 attribution).
Jonathan Brown is a cybersecurity researcher and investigative journalist at bordercybergroup.com.