Megalodon Supply Chain Attack Compromised More Than 5,000 GitHub Repositories
Megalodon was one of the most significant developer ecosystem incidents in this batch, with attackers pushing thousands of commits across more than 5,000 public GitHub repositories in only a few hours. The campaign targeted GitHub Actions workflows and aimed to steal every secret available to runners, including cloud keys, SSH material, and OIDC tokens.
Source: InfoStealers
CISA Warns That Nx Console and GitHub Supply Chain Intrusions Are Hitting CI/CD Pipelines
CISA said recent developer ecosystem intrusions, including the Nx Console compromise and the Megalodon campaign, show that threat actors are actively abusing CI/CD tooling, code extensions, and workflows. The alert matters because it frames these incidents as a broader pattern rather than as isolated package compromises.
Source: CISA
GitHub Rotates Enterprise Server Signing Key After Internal Repository Attack
GitHub said it recently detected a cyberattack and began rotating keys, including the GitHub Enterprise Server signing key, out of caution. This is a high-impact follow-up because the signing key is used to validate GitHub Enterprise Server binaries during manual update workflows.
Source: GitHub
Unfixed Gogs Vulnerability Allows Authenticated Remote Code Execution
Rapid7 disclosed a critical argument injection flaw in Gogs that allows any authenticated user to execute code on the server during a pull request rebase workflow. The vendor had not released a fix at publication time, which makes exposed self-hosted Git environments especially risky.
Source: Rapid7
FortiClient EMS Is Being Exploited to Deliver EKZ Infostealer
Arctic Wolf observed attackers exploiting CVE-2026-35616 in FortiClient EMS and pushing a fake Fortinet patch that actually installed the EKZ infostealer. The malware focuses on browser credential theft, which turns an enterprise management weakness into a direct path for credential harvesting at scale.
Source: Arctic Wolf
Ghost CMS Flaw Was Used to Hijack More Than 700 Sites for ClickFix Attacks
Attackers exploited CVE-2026-26980 in Ghost CMS to inject malicious JavaScript into more than 700 sites and feed ClickFix attack chains. The campaign shows how compromising legitimate sites can give attackers trusted delivery infrastructure for broad social engineering operations.
Source: The Hacker News
Carnival Confirms Data Breach Affecting Nearly 6 Million People
Carnival confirmed a large-scale data breach affecting nearly 6 million individuals after claims tied to ShinyHunters surfaced earlier in the year. The size of the exposure and the sensitivity of customer information make this one of the most significant breach confirmations in this set.
Source: BleepingComputer
Silent Ransom Group Is Social Engineering Law Firms by Posing as IT Support
The FBI and CISA warned that the Silent Ransom Group, also known as Luna Moth, is targeting law firms with calls and phishing emails while impersonating IT support. The group then uses legitimate remote access tools, or even in-person access attempts, to exfiltrate data and pressure victims into paying.
Source: IC3
JOMANGY Campaign Turns FreePBX Systems Into Toll Fraud Infrastructure
Cyble linked an active FreePBX exploitation campaign to the actor INJ3CTOR3 and said the operation deploys self-healing webshells that include live toll fraud logic. The scale is notable, with evidence pointing to thousands of scanned IPs and ongoing abuse of victim SIP trunks for direct financial gain.
Source: Cyble
GlassWorm Botnet Was Disrupted After Months of Open Source Ecosystem Abuse
CrowdStrike, Google, and the Shadowserver Foundation disrupted the GlassWorm botnet by simultaneously taking down its command and control channels. The botnet had used blockchain, Google Calendar, BitTorrent, and VPS-based infrastructure, showing how resilient its delivery model had become before the takedown.
Source: SecurityWeek
JINX-0164 Targeted Crypto Firms Through Developers and CI/CD Infrastructure
Wiz described a financially motivated actor it tracks as JINX-0164 that used recruitment-themed social engineering, custom macOS malware, and CI/CD targeting against cryptocurrency organizations. The campaign matters because it combined employee laptop compromise with attempts to move into code distribution and development systems.
Source: Wiz
Smishing Operation Across 19 Countries Targeted Government, Postal, and Telecom Brands
Hunt.io traced what began as Romanian impersonation activity into a broader smishing operation spanning 19 countries. The infrastructure targeted government payment portals, postal services, and telecom brands, showing a coordinated cross-border fraud ecosystem rather than a local campaign.
Source: Hunt.io
Fake ChatGPT Download Site Is Infecting Windows and Mac Users With Stealers
Malwarebytes warned that a fake site mimicking the ChatGPT desktop app experience is distributing malware to both Windows and macOS users. Windows visitors receive a credential-stealing loader, while Mac users are served Odyssey Stealer, showing how attackers continue to weaponize trusted AI brand recognition.
Source: Malwarebytes
GREYVIBE Shows How Russia-Nexus Operations Are Integrating AI Into Campaigns
WithSecure linked GREYVIBE to persistent operations targeting Ukraine and Ukraine-related entities and said the group leveraged AI during both development and operational phases. That makes it one of the more concrete current examples of state-aligned activity using AI beyond generic experimentation.
Source: WithSecure
Phishers Are Abusing Google AppSheet Notifications to Deliver Account Theft Emails
Kaspersky warned that attackers are using Google AppSheet to send phishing messages from legitimate-looking, Google-linked addresses. This makes the emails more convincing and harder for users to recognize as suspicious, especially because they appear to come from a real platform rather than from an obviously fake sender.
Source: Kaspersky
AresISEC d.o.o. · Zagreb, Croatia · OIB: 49411602130 · info@aresisec.hr
© 2026 AresISEC