Megalodon Supply Chain Attack Compromised More Than 5,000 GitHub Repositories
Megalodon was one of the most significant developer ecosystem incidents in this batch, with attackers pushing thousands of commits across more than 5,000 public GitHub repositories in only a few hours. The campaign targeted GitHub Actions workflows and aimed to steal every secret available to runners, including cloud keys, SSH material, and OIDC tokens.
Source: InfoStealers
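The summary above does not say how the Megalodon commits reached the workflows they abused, so what follows is an added example and not anything from InfoStealers' report: a dependency-free, regex-based scanner for the workflow patterns that most often let untrusted pull-request code run with access to runner secrets (a `pull_request_target` job that checks out the PR head, actions pinned to a mutable tag instead of a commit SHA, `permissions: write-all`, and attacker-controlled event fields interpolated straight into a `run:` script). Both sample workflows are constructed for the demonstration; the 40-hex values in the hardened one are placeholder SHAs, not real commits.

```python
import re

# Heuristic patterns. A real YAML parser would be more precise, but this runs with no dependencies.
USES_REF = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@([^\s#]+)")
SHA40 = re.compile(r"^[0-9a-f]{40}$")
PR_TARGET = re.compile(r"\bpull_request_target\b")
# Checking out the PR head inside a pull_request_target job runs attacker code with secrets.
HEAD_CHECKOUT = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}")
WRITE_ALL = re.compile(r"^\s*permissions:\s*write-all\s*$")
# Attacker-controlled event fields that must not be interpolated into a run: script.
INJECTABLE = re.compile(r"\$\{\{\s*github\.(head_ref|event\.[\w.]*\.(title|body|head\.ref))\s*\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s*)?)run:\s*(.*)$")


def scan_workflow(text: str):
    """Return (line_no, rule, stripped_line) findings for one workflow file's text."""
    findings = []
    uses_pr_target = bool(PR_TARGET.search(text))
    run_col = None  # column of a 'run:' key whose block-scalar script we are inside
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        indent = len(line) - len(line.lstrip(" "))
        if run_col is not None and stripped and indent <= run_col:
            run_col = None  # dedented back out of the script block
        m = RUN_KEY.match(line)
        in_script = run_col is not None
        if m:
            in_script = True  # inline script on the same line as the key
            if m.group(2).strip() in ("|", "|-", ">", ">-"):
                run_col = len(m.group(1))
        u = USES_REF.search(line)
        if u and not SHA40.match(u.group(2)):
            findings.append((n, "unpinned-action", stripped))
        if WRITE_ALL.match(line):
            findings.append((n, "write-all-permissions", stripped))
        if uses_pr_target and HEAD_CHECKOUT.search(line):
            findings.append((n, "pr-target-checks-out-untrusted-head", stripped))
        if in_script and INJECTABLE.search(line):
            findings.append((n, "expression-injection-in-run", stripped))
    return findings


# Constructed sample: every pattern the scanner looks for, in one workflow.
RISKY_WORKFLOW = """\
name: pr-tests
on:
  pull_request_target:
    types: [opened, synchronize]
permissions: write-all
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@main
      - run: |
          echo "Testing ${{ github.event.pull_request.title }}"
          npm ci && npm test
        env:
          CLOUD_KEY: ${{ secrets.CLOUD_KEY }}
"""

# Constructed hardened form: pull_request trigger, read-only token, SHA-pinned actions,
# and the untrusted title passed through an environment variable instead of the script body.
HARDENED_WORKFLOW = """\
name: pr-tests
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      # Placeholder 40-hex SHAs for illustration; pin to the commit of the tag you audited.
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-node@89abcdef0123456789abcdef0123456789abcdef
      - run: |
          echo "Testing $PR_TITLE"
          npm ci && npm test
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
"""

if __name__ == "__main__":
    for name, wf in (("risky", RISKY_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        hits = scan_workflow(wf)
        print(f"== {name}: {len(hits)} finding(s)")
        for n, rule, line in hits:
            print(f"  line {n}: {rule}: {line}")
```

Run it over `.github/workflows/*.yml` across an organization and the unpinned-action rule alone usually produces the longest list; the `pull_request_target` plus head-checkout combination is the one to fix first, because it hands a fork's code the same secrets the base repository's workflow has.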
CISA Warns That Nx Console and GitHub Supply Chain Intrusions Are Hitting CI/CD Pipelines
CISA said recent developer ecosystem intrusions, including the Nx Console compromise and the Megalodon campaign, show that threat actors are actively abusing CI/CD tooling, code extensions, and workflows. The alert matters because it frames these incidents as a broader pattern rather than as isolated package compromises.
Source: CISA
GitHub Rotates Enterprise Server Signing Key After Internal Repository Attack
GitHub said it recently detected a cyberattack and began rotating keys, including the GitHub Enterprise Server signing key, out of caution. This is a high-impact follow-up because the signing key is what validates GitHub Enterprise Server binaries during manual update workflows.
Source: GitHub
Unfixed Gogs Vulnerability Allows Authenticated Remote Code Execution
Rapid7 disclosed a critical argument injection flaw in Gogs that allows any authenticated user to execute code on the server during a pull request rebase workflow. The vendor had not released a fix at publication time, which makes exposed self-hosted Git environments especially risky.
Source: Rapid7
FortiClient EMS Is Being Exploited to Deliver EKZ Infostealer
Arctic Wolf observed attackers exploiting CVE-2026-35616 in FortiClient EMS and pushing a fake Fortinet patch that actually installed the EKZ infostealer. The malware focuses on browser credential theft, which turns an enterprise management weakness into a direct path for credential harvesting at scale.
Source: Arctic Wolf
Ghost CMS Flaw Was Used to Hijack More Than 700 Sites for ClickFix Attacks
Attackers exploited CVE-2026-26980 in Ghost CMS to inject malicious JavaScript into more than 700 sites and feed ClickFix attack chains. The campaign shows how compromising legitimate sites can give attackers trusted delivery infrastructure for broad social engineering operations.
Source:
Cisco SD-WAN Zero Day Is Being Exploited to Gain Root Access
Cisco warned that attackers are actively exploiting CVE-2026-20245 in Catalyst SD-WAN Manager. The unpatched flaw allows low-privileged attackers to escalate to root, which makes it especially dangerous for organizations that rely on SD-WAN management planes for broad network control.
Source: BleepingComputer
Palo Alto GlobalProtect VPN Auth Bypass Is Now Exploited in Attacks
Palo Alto Networks says CVE-2026-0257 is now being used in attacks to establish unauthorized VPN connections through GlobalProtect. Because the issue affects a remote access path directly tied to corporate network entry, it creates immediate exposure for internet-facing deployments that are not yet updated.
Source: Palo Alto Networks
Critical Windows Netlogon RCE Is Being Exploited Against Domain Controllers
Belgium’s national cyber authority warned that attackers are exploiting CVE-2026-41089, a critical Windows Netlogon remote code execution flaw patched in May. Since Netlogon sits at the center of domain-based authentication, successful exploitation directly threatens core Windows identity infrastructure.
Source: BleepingComputer
Oracle WebLogic Vulnerability Is Now Exploited in the Wild
CISA warned that CVE-2024-21182 in Oracle WebLogic is being exploited in real attacks nearly two years after Oracle patched it. The case shows how older enterprise flaws with public proof of concept code continue to remain operationally relevant long after a vendor release.
Source: SecurityWeek
Red Hat npm Packages Were Compromised to Steal Developer Credentials
More than 30 packages in Red Hat’s @redhat-cloud-services namespace were backdoored with a new Shai-Hulud variant dubbed Miasma. The malware was designed to steal cloud secrets, SSH keys, CI tokens, and developer credentials, turning a trusted enterprise package namespace into a supply chain attack path.
Source: BleepingComputer
VS Code Zero Day Can Steal GitHub Tokens with a Single Click
Researchers released exploit code for a VS Code zero-day that can install malicious extensions and steal GitHub OAuth tokens when users are lured into clicking a crafted link. The issue is especially serious because it targets a widely used developer tool and can expose private repositories through trusted workflows.
Source: BleepingComputer
WP Maps Pro Flaw Lets Attackers Create WordPress Admin Accounts
Attackers are actively exploiting CVE-2026-8732 in WP Maps Pro to create full administrator accounts on affected WordPress sites without authentication. The issue is severe because it turns a support feature into a direct path for complete site takeover.
Source: Security Affairs
Critical Flowise Flaw Can Give Attackers Full Server Control
A critical vulnerability in Flowise allows a malicious workflow import to take over a self-hosted server when opened by a logged-in user. Researchers also warned that the official fix can be bypassed, which keeps the exposure window open for organizations running the platform internally.
Source: Infosecurity Magazine
Dashlane Says Attackers Copied Encrypted Password Vaults from Some Accounts
Dashlane disclosed that a credential brute-force campaign did more than trigger account lockouts: it let a threat actor access some user accounts and copy their encrypted vaults. Although Dashlane said its internal systems were not compromised, the incident raises the stakes because password managers concentrate highly sensitive data in one place, and a copied vault is only as strong as the master password protecting it, since the attacker can now guess against it offline.
Source: Help Net Security
UN World Food Programme Breach Exposed Data from 600,000 Gaza Households
The UN World Food Programme said its Palestine self-registration application was breached, exposing beneficiary information from across Gaza. The affected data included names, identification numbers, phone numbers, and location details, making this a major humanitarian sector privacy and safety incident.
Source: BleepingComputer
PCPJack Hijacked 230 Cloud Servers into a Hidden SMTP Relay Network
Hunt.io found exposed operator infrastructure tied to PCPJack and linked the campaign to 230 compromised AWS, GCP, and Azure systems. The operation used Sliver, Chisel, and other tooling to build a covert SMTP relay network that could support large scale spam and follow on abuse.
Source: Hunt.io
Gamaredon Is Hiding Worm Components in NTFS Data Streams
Sekoia observed Gamaredon using NTFS alternate data streams on Windows to hide worm components while maintaining long-term access inside Ukrainian networks. The technique reduces visible artifacts on disk and fits the group’s long-running espionage focus on government, military, and critical infrastructure targets.
Source: Infosecurity Magazine
GoDaddy Found Malware on Nearly 2,000 WordPress Sites Using Steam as C2
GoDaddy researchers found malware on roughly 1,980 WordPress sites that pulled hidden instructions from Steam Community profile comments using invisible Unicode. The campaign stands out because it abuses a legitimate gaming platform as unconventional command and control infrastructure.
Source: Security Affairs
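The summary above says the instructions were hidden in invisible Unicode but not how they were encoded, so the decoder half of this added example uses an assumed toy scheme (one bit per zero-width character, terminated by a zero-width joiner); it is not GoDaddy's code or the malware's, and the sample comments are constructed. The part that carries over to real triage is the first half: enumerating code points that render as nothing and have no reason to appear in a profile comment.

```python
import unicodedata

# Assumed toy encoding for the demo (not the campaign's real scheme).
BIT0 = "\u200b"  # ZERO WIDTH SPACE      -> bit 0
BIT1 = "\u200c"  # ZERO WIDTH NON-JOINER -> bit 1
END = "\u200d"   # ZERO WIDTH JOINER     -> end of payload

# Code points that render as nothing. Variation selectors are included because
# they are another common carrier for hidden bytes in text steganography.
INVISIBLE_SINGLES = {
    "\u00ad", "\u180e", "\u200b", "\u200c", "\u200d", "\u2060",
    "\u2061", "\u2062", "\u2063", "\u2064", "\ufeff",
}
INVISIBLE_RANGES = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF))


def is_invisible(ch: str) -> bool:
    cp = ord(ch)
    return ch in INVISIBLE_SINGLES or any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES)


def find_invisible(text: str):
    """(offset, Unicode name) for every invisible character in text."""
    return [(i, unicodedata.name(ch, f"U+{ord(ch):04X}"))
            for i, ch in enumerate(text) if is_invisible(ch)]


def encode_zw(payload: str) -> str:
    """Hide payload as a run of zero-width characters (toy scheme, used to build the sample)."""
    bits = "".join(f"{b:08b}" for b in payload.encode("utf-8"))
    return "".join(BIT1 if b == "1" else BIT0 for b in bits) + END


def decode_zw(text: str):
    """Recover a toy-scheme payload from text, or None if there is none."""
    bits = []
    for ch in text:
        if ch == BIT0:
            bits.append("0")
        elif ch == BIT1:
            bits.append("1")
        elif ch == END:
            break
    usable = len(bits) - len(bits) % 8
    if usable == 0:
        return None
    raw = bytes(int("".join(bits[i:i + 8]), 2) for i in range(0, usable, 8))
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def scan_comment(comment: str) -> dict:
    """Triage one comment: invisible-character count and positions plus any toy-scheme payload."""
    hits = find_invisible(comment)
    return {"invisible_count": len(hits), "hits": hits, "decoded": decode_zw(comment)}


# Constructed sample comments (not real Steam data).
CLEAN_COMMENT = "great game, 10/10 would play again"
SUSPICIOUS_COMMENT = "great game, " + encode_zw("cmd:update") + "10/10 would play again"

if __name__ == "__main__":
    for c in (CLEAN_COMMENT, SUSPICIOUS_COMMENT):
        r = scan_comment(c)
        print(f"length={len(c)} invisible={r['invisible_count']} decoded={r['decoded']!r}")
```

Two caveats when running this over real comment data: U+200D and U+FE0F occur legitimately inside emoji sequences, so a handful of hits next to an emoji is normal while dozens in a row between plain letters are not; and Unicode normalization (NFC/NFKC) does not remove these characters, so sanitizing input with normalization alone will not strip a hidden payload.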
Operation FlutterBridge Is Spreading a New macOS Backdoor Through Malvertising
Unit 42 described an active macOS malvertising campaign called Operation FlutterBridge that delivers a backdoor named FlutterShell. Beyond adware behavior, the malware supports shell execution and file system manipulation, and some variants abuse AI summarization features during data theft flows.
Source: Unit 42
Magecart Attackers Are Using Stripe and Google Tag Manager as Trusted Cover
Sansec found a payment theft campaign that abuses Google Tag Manager and Stripe infrastructure to host both malicious checkout code and stolen card data. By hiding inside domains many stores already trust, the attackers make detection and blocking significantly harder for defenders and merchants alike.
Source: BleepingComputer
AresISEC d.o.o. · Zagreb, Croatia · OIB: 49411602130 · info@aresisec.hr
© 2026 AresISEC