DJBSEC's CyberNews 2026-05-19
Today’s daily news covers the following categories: Policy & Legislation, Nation-State/APT, Vulnerability, Privacy, Malware, Authentication
Cisco Catalyst SD-WAN Controller Zero-Day Vulnerability Disclosed
Vulnerability
Researchers have disclosed a zero-day vulnerability affecting Cisco Catalyst SD-WAN Controllers, potentially exposing enterprise networking environments to compromise. The flaw could allow attackers to gain unauthorized access or execute malicious actions against SD-WAN infrastructure. Given the widespread use of SD-WAN in enterprise connectivity, exploitation could have broad operational impact. Cisco is expected to release patches and mitigation guidance for affected customers. Organizations are being urged to restrict exposure and monitor for suspicious controller activity.
Read More
Sandworm Expands Operations Beyond Initial IT System Compromises
Nation-State/APT
The Russian-linked Sandworm group is reportedly pivoting from compromised IT systems into broader operational environments following initial intrusions. Researchers say the attackers are using trusted access to move laterally and establish deeper persistence inside victim networks. Sandworm has historically targeted critical infrastructure and government systems in disruptive campaigns. The latest activity demonstrates how advanced threat actors increasingly blend IT and operational targeting strategies. Organizations are encouraged to strengthen segmentation between enterprise and operational environments.
Read More
Attackers Compromise 170 NPM Packages in Supply Chain Attack
Malware
Cybercriminals have compromised approximately 170 NPM packages in a large-scale software supply chain attack. The malicious packages reportedly included code designed to steal credentials, execute payloads, or establish persistence in development environments. Because NPM packages are widely integrated into software projects, downstream exposure may be extensive. Researchers warn that attackers continue to target trusted open-source ecosystems to maximize reach. Developers are advised to audit dependencies and monitor repositories for suspicious updates.
Read More
Anthropic Mythos Identifies macOS Vulnerabilities
Threat Intelligence
Anthropic’s Mythos AI system has reportedly identified multiple previously unknown vulnerabilities affecting macOS environments. Researchers say the AI model was able to analyze complex codebases and uncover weaknesses faster than traditional manual testing methods. The findings demonstrate the growing effectiveness of AI-driven vulnerability research. At the same time, experts warn that similar capabilities could be leveraged offensively by attackers. Organizations should prepare for increasingly rapid vulnerability discovery cycles driven by AI technologies.
Read More
FamousSparrow Targets Oil and Gas Sector Through Exchange Exploits
Nation-State/APT
The FamousSparrow threat group is targeting oil and gas organizations using Microsoft Exchange Server exploits. Researchers say the campaign focuses on gaining persistent access to sensitive industrial and operational data. Energy sector organizations remain high-value targets for espionage and strategic intelligence gathering. Attackers are reportedly leveraging known Exchange vulnerabilities to compromise systems. Organizations should prioritize patching and closely monitor email infrastructure for suspicious activity.
Read More
GitLab Vulnerabilities Enable XSS and Denial-of-Service Attacks
Vulnerability
Multiple vulnerabilities affecting GitLab could allow attackers to conduct cross-site scripting and denial-of-service attacks against affected environments. GitLab is widely used in software development and CI/CD workflows, making these flaws particularly concerning for enterprises. Successful exploitation could disrupt development operations or expose sensitive project information. GitLab has released fixes and is urging administrators to patch affected systems immediately. Security teams should also review logs for signs of attempted exploitation.
Read More
FlowerStorm Phishing Gang Uses Virtual Machine Obfuscation
Phishing
The FlowerStorm phishing operation is adopting virtual machine obfuscation techniques to evade email security defenses and detection systems. Researchers say the group uses layered infrastructure and anti-analysis methods to improve campaign effectiveness. The tactic makes phishing payloads more difficult for automated security tools to analyze. FlowerStorm continues to evolve its operations to bypass modern email protections. Organizations should strengthen user awareness training and advanced email filtering capabilities.
Read More
PraisonAI Authentication Bypass Vulnerability Disclosed
Authentication
A critical authentication bypass vulnerability tracked as CVE-2026-44338 has been identified in PraisonAI systems. Attackers exploiting the flaw could gain unauthorized access without valid credentials. Authentication bypass issues are particularly dangerous because they undermine core access controls. Researchers warn that exposed systems may quickly become targets following public disclosure. Organizations using PraisonAI are urged to apply updates and restrict external access where possible.
Read More
China-Linked Typhoon Group Uses Fake Apple and Yahoo Sites
Nation-State/APT
A China-linked espionage group known as Twill Typhoon is reportedly using fake Apple and Yahoo login pages in credential harvesting campaigns. The operation targets victims through convincing phishing infrastructure designed to mimic trusted services. Researchers believe the campaign supports broader intelligence-gathering objectives tied to state-sponsored operations. Such phishing attacks are increasingly sophisticated and difficult for users to identify. Organizations should encourage phishing-resistant MFA and strengthen user awareness training.
Read More
Packagist Urges Immediate Composer Updates
Vulnerability
Packagist is urging developers to immediately update Composer following security concerns affecting the PHP package ecosystem. Vulnerabilities in package management tools can expose development pipelines to supply chain attacks and dependency compromise. Researchers warn that attackers continue targeting open-source ecosystems due to their widespread trust relationships. Updating Composer helps reduce the risk of malicious package installation or exploitation. Developers are encouraged to review dependencies and implement stronger package verification controls.
Read More
New Fragnesia Linux Kernel Exploit Enables Privilege Escalation
Vulnerability
Researchers have developed a new exploit targeting the Fragnesia Linux kernel vulnerability that enables local privilege escalation. Attackers exploiting the flaw could gain elevated permissions and potentially achieve full system compromise. Linux systems running unpatched kernels are especially vulnerable to exploitation attempts. Public availability of exploit techniques increases the urgency for organizations to patch affected systems. Administrators are advised to monitor for suspicious privilege escalation activity across Linux environments.
Read More
Seedworm APT Abuses Signed Fortemedia Drivers
Nation-State/APT
The Iranian-linked Seedworm APT group is abusing signed Fortemedia drivers to evade detection and maintain persistence on compromised systems. Using legitimate signed drivers allows attackers to bypass certain security protections and appear trustworthy to operating systems. Researchers say the tactic reflects growing sophistication in state-sponsored malware operations. The campaign demonstrates how attackers increasingly abuse trusted components to avoid detection. Organizations should monitor driver activity and validate trusted software components carefully.
Read More
18-Year-Old NGINX Vulnerability Enables Remote Code Execution
Vulnerability
Researchers have uncovered an 18-year-old vulnerability affecting NGINX that could allow remote code execution under specific conditions. The flaw remained undiscovered for years due to the complexity of exploitation and legacy code behavior. Given NGINX’s widespread deployment across enterprise and cloud environments, the discovery raises serious security concerns. Attackers may move quickly to develop exploit tooling now that details are public. Organizations should patch affected systems and review exposure immediately.
Read More
Cisco Announces Layoffs and Retraining Initiative
INTERPOL Operation Ramz Targets Cybercrime Across MENA Region
Policy & Legislation
INTERPOL has announced the results of Operation Ramz, a coordinated cybercrime crackdown across the Middle East and North Africa region. The operation focused on dismantling cybercriminal infrastructure, disrupting fraud operations, and identifying malicious actors. Authorities worked with regional law enforcement and private-sector partners to seize servers and investigate financial cybercrime networks. Officials say the initiative demonstrates growing international cooperation against cyber threats. The operation also highlights how cybercrime activity continues to expand across global regions beyond traditional hotspots.
Read More
West Pharmaceutical Reports Data Theft and Encrypted Systems
Ransomware
West Pharmaceutical has disclosed a cyberattack involving stolen data and encrypted systems, indicating a likely ransomware incident. The company says attackers disrupted portions of its IT infrastructure while exfiltrating sensitive information. Healthcare and pharmaceutical organizations remain frequent ransomware targets due to the critical nature of their operations. The incident may impact operations, regulatory obligations, and customer trust. Organizations in the sector are being urged to strengthen ransomware defenses and incident response readiness.
Read More
AI Cyber Capability Benchmarks Struggle to Measure New Models
Threat Intelligence
Researchers say current AI cybersecurity benchmarks are struggling to accurately measure the capabilities of advanced models such as GPT-5 and Claude Mythos. The rapid evolution of AI systems is outpacing traditional evaluation methods used to assess autonomous cyber capabilities. Experts warn that outdated benchmarks may underestimate the risks or effectiveness of emerging AI-driven offensive and defensive tools. The discussion highlights growing concern over how to govern and evaluate increasingly capable AI systems. Organizations and policymakers are expected to push for more robust AI security evaluation standards.
Read More
Government-Backed Hackers Target Cloudflare Malaysia in Espionage Campaign
Nation-State/APT
Researchers say government-backed threat actors targeted Cloudflare infrastructure in Malaysia as part of an espionage-focused cyber campaign. The attackers reportedly aimed to gain access to sensitive communications and operational data tied to regional interests. Nation-state groups continue targeting cloud and networking providers because of the broad access they can provide into downstream organizations. Investigators are analyzing tactics and infrastructure associated with the operation. The campaign highlights the ongoing strategic importance of cloud platforms in cyber espionage operations.
Read More
Critical n8n Vulnerabilities Enable Remote Code Execution
Vulnerability
Multiple vulnerabilities affecting the n8n workflow automation platform could allow attackers to achieve remote code execution on exposed systems. Researchers warn that the flaws may enable attackers to take control of automation environments and access connected services. Workflow automation platforms are particularly sensitive because they often integrate with cloud services, APIs, and internal business systems. Public disclosure of the vulnerabilities increases the likelihood of active exploitation attempts. Organizations are being urged to patch affected systems immediately and review exposed instances.
Read More
CISA Administrator Accidentally Leaked AWS GovCloud Keys on GitHub
Privacy
A report from KrebsOnSecurity revealed that AWS GovCloud access keys tied to a CISA administrator account were accidentally exposed on GitHub. Although the keys were reportedly removed quickly, the incident raises concerns about credential handling and operational security practices. Exposure of government cloud credentials could potentially create opportunities for unauthorized access if abused. The event underscores how even cybersecurity-focused organizations remain vulnerable to human error. Security experts continue emphasizing the importance of secret scanning, least privilege, and automated credential rotation.
Read More
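The item above ends by pointing at secret scanning, least privilege and credential rotation as the controls that catch this class of mistake. The following is an added example, not code from the article or from KrebsOnSecurity, of the first of those controls: a small pre-commit style scanner that walks a unified diff, tracks new-file line numbers from the `@@` hunk headers, and flags only added lines that contain an AWS access key ID (AWS's documented `AKIA`/`ASIA` prefix followed by 16 upper-case alphanumerics) or a 40-character secret assigned to a secret-looking variable. The sample diff is constructed for this example; the secret value in it is the placeholder AWS uses in its own documentation, not a real credential. Findings are redacted before they are returned so the scanner's own output never becomes a second leak.

```python
import re
from dataclasses import dataclass

# AWS long-term (AKIA) and temporary (ASIA) access key IDs: prefix + 16 upper-case alphanumerics.
AWS_ACCESS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")

# A 40-character base64-like token assigned to a variable whose name suggests an AWS secret.
# The name check keeps the scanner from flagging every 40-character hash in a repository.
AWS_SECRET_KEY = re.compile(
    r"(?i)(aws_?secret_?access_?key|secret_?key)\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})\b"
)

# Unified-diff hunk header; group 1 is the starting line number on the new-file side.
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    line_no: int   # line number in the new version of the file
    kind: str      # which detector fired
    redacted: str  # first/last four characters only, never the full secret


def redact(secret: str) -> str:
    """Keep just enough of the value to correlate with the commit, never the whole token."""
    return f"{secret[:4]}...{secret[-4:]}"


def scan_line(line_no: int, text: str) -> list[Finding]:
    """Run every detector over one line of text and return redacted findings."""
    found = []
    for m in AWS_ACCESS_KEY_ID.finditer(text):
        found.append(Finding(line_no, "aws_access_key_id", redact(m.group(1))))
    for m in AWS_SECRET_KEY.finditer(text):
        found.append(Finding(line_no, "aws_secret_access_key", redact(m.group(2))))
    return found


def scan_text(text: str) -> list[Finding]:
    """Scan a whole file (e.g. a config already in the tree)."""
    return [f for n, line in enumerate(text.splitlines(), 1) for f in scan_line(n, line)]


def scan_diff(diff_text: str) -> list[Finding]:
    """Scan only the lines a unified diff adds, the way a pre-commit hook would.

    Removed lines ('-') are ignored; context lines (' ') advance the new-file
    line counter so reported line numbers match the file after the commit.
    """
    findings = []
    new_line = 0
    for raw in diff_text.splitlines():
        header = HUNK_HEADER.match(raw)
        if header:
            new_line = int(header.group(1))
            continue
        if raw.startswith("+++") or raw.startswith("---"):
            continue  # file-name headers, not content
        if raw.startswith("+"):
            findings.extend(scan_line(new_line, raw[1:]))
            new_line += 1
        elif raw.startswith("-"):
            continue  # removed line: not present in the new file
        else:
            new_line += 1  # context line
    return findings


# Constructed sample diff. The key ID is made up; the secret is AWS's documented
# example placeholder (wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY), not a live credential.
SAMPLE_DIFF = """\
diff --git a/deploy/config.env b/deploy/config.env
--- a/deploy/config.env
+++ b/deploy/config.env
@@ -1,3 +1,5 @@
 REGION=us-gov-west-1
-AWS_PROFILE=deploy
+AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000001
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
 BUCKET=reports
+# note: rotate before release
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"line {f.line_no}: {f.kind} {f.redacted}")
```

Wiring `scan_diff` into a pre-commit hook (`git diff --cached` as input, non-zero exit on any finding) blocks the push that caused the incident above; the redaction matters because hook output commonly ends up in CI logs, which are themselves a frequent source of leaked credentials.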
Shai-Hulud Copycat Malware Infects Another NPM Package
Malware
A copycat version of the Shai-Hulud malware campaign has been discovered embedded in another malicious NPM package. Attackers continue targeting the open-source ecosystem by injecting malware into trusted developer dependencies. Once installed, the package can compromise developer systems, steal credentials, or execute additional payloads. Researchers warn that software supply chain attacks remain one of the fastest-growing threats in development environments. Developers are encouraged to audit dependencies and closely monitor package integrity.
Read More
Reaper Stealer Targets macOS Passwords and Crypto Wallets
Malware
A new malware strain called Reaper Stealer is targeting macOS users by stealing passwords, browser data, and cryptocurrency wallets before deploying backdoors on infected systems. Researchers say the malware is designed to maintain long-term persistence after initial compromise. The campaign demonstrates the increasing sophistication of threats targeting macOS environments. Attackers are specifically focusing on financial data and authentication credentials to maximize impact. Users are advised to avoid untrusted downloads and keep security protections enabled.
Read More
Microsoft Changes Edge Plaintext Password Handling
Authentication
Microsoft is changing how the Edge browser handles plaintext password storage and autofill behavior to improve security protections. The update aims to reduce the risk of credential theft from local browser storage and improve overall password management practices. Browser-based credential storage remains a common target for attackers and infostealer malware. Security researchers say the changes are part of a broader push toward stronger authentication and passwordless technologies. Users are encouraged to adopt passkeys and multi-factor authentication wherever possible.
Read More