Home  /  Episodes  /  May 26, 2026

Episode show notes

May 26's Top Cyber News NOW! - Ep 1139

Aired May 26, 2026 Daily Cyber Threat Brief Hosted by Dr. Gerald Auger

At a glance

Five major supply chain and infrastructure attacks dominated the news: a massive GitHub supply chain attack poisoned 5,500+ repositories with credential-stealing malware, Dutch authorities seized 800 servers tied to Russian-linked DDoS infrastructure, and AI-powered vulnerability discovery tools are about to flood the market with zero-day findings. Healthcare data breaches and memory-only malware targeting financial firms add to the threat landscape.

Stories covered

How are malicious commits infecting GitHub repositories at scale?

What happened: Researchers identified Megalodon, a supply chain attack that injected malicious GitHub Actions workflows into 5,500+ repositories via 5,718 commits in a 6-hour window on May 18th. The workflows exfiltrated CI/CD environment variables including AWS, Azure, GCP credentials, SSH keys, API tokens, and database strings, while planting dormant backdoors triggerable via GitHub API.

Why it matters: Compromised repositories mean threat actors gain direct access to cloud infrastructure, databases, and services—bypassing the software entirely. Downstream users of affected packages face cascading compromise risk. Most organizations cannot easily inventory which GitHub repos they depend on through their supply chain.

What to do: Audit your software bill of materials (SBOM) to identify dependencies and their origins. Invalidate and rotate any exposed credentials immediately. Enable MFA on all API tokens and GitHub accounts. Monitor for unexpected GitHub Actions or workflow modifications in your repos.

Why did the Netherlands seize 800 servers linked to Russian cyber operations?

What happened: Dutch authorities arrested two men and seized 800+ servers from hosting providers MIR Hosting and Work Titans BV, which allegedly hosted Stark Industries Solutions—a bulletproof hosting network linked to Russian state-backed DDoS attacks and disinformation campaigns since 2022.

Why it matters: Bulletproof hosting infrastructure enables threat actors to operate with impunity. Taking down 800 servers is a significant operational disruption, though threat actors will migrate to alternative providers or establish new infrastructure.

What to do: Monitor for indicators of compromise tied to Stark Industries. Patch any systems targeted by DDoS attacks from this infrastructure. This is a temporary speed bump in the broader threat landscape—maintain defensive depth.

How are attackers exploiting Ghost CMS to deliver ClickFix malware?

What happened: A critical SQL injection vulnerability in Ghost CMS (patched in February) allowed attackers to steal admin API keys and inject malicious JavaScript into 700+ websites. Visitors are redirected to fake CAPTCHA pages that trick them into running malicious commands via command shells, installing persistent malware.

Why it matters: End users on compromised websites become attack vectors—even if the site owner deployed all security controls. ClickFix attacks succeed only if users execute the injected commands, making user education critical.

What to do: Educate end users never to copy-paste commands into terminal windows or run boxes when prompted by browser alerts. Demo this behavior visibly. If your organization uses Ghost CMS, verify the patch is applied. Monitor for unexpected JavaScript injections in web assets.

Why is the UK cyber chief dismissing Russian hacking claims without evidence?

What happened: Former UK cyber chief Kieran Martin rejected Reform UK leader Nigel Farage's claim that Russia hacked him and leaked information, stating the allegation lacks technical merit and evidence. Farage claimed a Russian hack exposed an undeclared 5 million pound donation from a cryptocurrency billionaire.

Why it matters: Unsubstantiated attribution claims damage credibility and distract from real cyber threats. Extraordinary claims require forensic evidence—not speculation.

What to do: Monitor for now. This story has minimal cybersecurity operational impact.

Which Formula 1 fans are being targeted by fake streaming apps and malware?

What happened: Bitdefender researchers found a broad scam ecosystem targeting F1 fans: fake streaming apps, counterfeit merchandise, bogus ticket offers, and social media scams designed to steal credentials, spread malware, or enroll devices into botnets.

Why it matters: High-interest sporting events (F1, FIFA, boxing) are proven attack vectors because fans are motivated to find free or discounted access. Malware-laden apps can establish persistent device compromise.

What to do: Educate end users and family members to use only official streaming services and retailers. Warn against downloading apps from untrusted sources or third-party sites. This applies to all major sporting and entertainment events.

When will Anthropic release its AI-powered vulnerability-finding model to the public?

What happened: Anthropic says it will eventually release public versions of Claude-based Mythos vulnerability-finding models once stronger safeguards exist. For now, access is limited under Project Glass Wing to governments and select partners. Mythos has already scanned 1,000+ open-source projects and identified 6,200+ high/critical vulnerabilities, including flaws in WolfSSL.

Why it matters: AI-powered vulnerability discovery will dramatically accelerate zero-day identification across legacy codebases. Once widely available—whether via US release or foreign equivalents—security teams will face overwhelming patching demands and threat actors will weaponize the same models.

What to do: Strengthen your vulnerability management program now to track, prioritize, and patch at scale. Establish robust incident response capabilities (internal or third-party). Expect a 2-3 year surge in exploitable vulnerabilities as AI tools saturate the market.

How is North Korea's Lazarus Group deploying memory-only malware to financial firms?

What happened: Lazarus Group is distributing Remote PE, a cross-platform remote access trojan that loads entirely in memory without touching disk. It's delivered via social engineering on Telegram and fake Calendly scheduling links. The malware provides persistent C2 access for surveillance and financial theft.

Why it matters: Memory-only malware evades disk-based EDR detection and leaves minimal forensic traces. Initial infection relies on social engineering, making employees the vulnerability. Lazarus targets high-value financial and cryptocurrency firms.

What to do: Enforce strict Telegram/messaging security policies for employee communications. Verify identity before clicking scheduling links from "colleagues." Monitor process injection and unusual service installations. Increase security awareness training focused on social engineering and credential validation.

Why is a cancer care provider disclosing a third-party data breach affecting 3.4 million patients?

What happened: The Oncology Institute disclosed that a breach at third-party vendor Tisetto Provider Solutions exposed patient data across multiple healthcare customers. Approximately 3.4 million individuals were affected; full attack scope and attribution remain unclear.

Why it matters: Third-party SaaS compromises create cascading liability across entire customer bases. Healthcare organizations bear the cost of breach notification and remediation despite the vendor's failure. Multiple healthcare providers will be forced to disclose similar incidents.

What to do: Audit your SaaS vendors' security controls and breach notification obligations. Maintain updated contact information for affected customers. Budget for identity protection services and regulatory compliance costs.

Key takeaways

  • Supply chain attacks are now multi-vector: GitHub repos, SaaS platforms, and infrastructure hosting. You may be compromised without direct breach of your systems.
  • AI vulnerability discovery (Mythos and equivalents) will create a 2-3 year surge in exploitable zero-days. Vulnerability management and incident response must scale now.
  • Memory-only malware and social engineering remain highly effective against financial services. EDR visibility into process memory and messaging-based employee verification are critical.
  • Third-party breaches amplify impact across entire customer ecosystems. Vendor SLA enforcement and supply chain monitoring are GRC wins.
  • User education on ClickFix, fake streaming apps, and credential verification is the highest-ROI defensive control against consumer-facing attacks.

Topics covered

GitHub supply chain attackmalicious GitHub Actionscredential exfiltrationbulletproof hostingDDoS infrastructureSQL injectionGhost CMSClickFix attacksFormula 1 scamsfake streaming malwareMythos vulnerability discoveryzero-day surgeLazarus GroupRemote PE malwarememory-only malwareTelegram social engineeringthird-party SaaS breachhealthcare data breachvulnerability managementincident response

Show notes generated from the live transcript using AI on Tue, 26 May 2026 17:43:59 GMT. Errors? Open the YouTube replay for the source of truth.

Want the live experience? The Daily Cyber Threat Brief airs live every weekday at 5am PT / 8am ET on YouTube. 400+ practitioners join the chat in real time.