# Archive

Browse past daily curated stories


Tuesday, May 26, 2026

  1. Krebs on Security (threat-intel)
    Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks

    Dutch authorities arrested two co-owners of hosting companies linked to Stark Industries Solutions — an ISP previously sanctioned by the EU — seizing 800 servers used to support Russian cyberattacks, influence operations, and disinformation campaigns within the EU. The infrastructure had been the subject of a 2025 KrebsOnSecurity investigation. This is a significant law enforcement action against bulletproof hosting enabling state-sponsored threat actors.

  2. The Hacker News (general)
    Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks

    CVE-2026-26980, a CVSS 9.4 SQL injection vulnerability in Ghost CMS's Content API, is being actively exploited by threat actors to inject malicious JavaScript into 700+ compromised websites — including those of Harvard, Oxford, and DuckDuckGo — to deliver ClickFix social engineering attacks. The exploitation was documented by QiAnXin XLab and requires no authentication, making mass exploitation straightforward. Security teams running Ghost CMS should patch immediately and audit for unauthorized JavaScript injections.

  3. SecurityWeek (general)
    Over 5,500 GitHub Repositories Infected in ‘Megalodon’ Supply Chain Attack

    A supply chain attack dubbed 'Megalodon' has infected over 5,500 GitHub repositories by injecting fake automated commits that introduce malicious GitHub Actions workflows designed to steal credentials, CI secrets, API keys, and tokens. The scale of this campaign makes it one of the largest GitHub-targeted supply chain attacks observed, posing serious risk to any organization whose repos were compromised. Developers should audit recent Actions workflow changes in their repositories.

  4. The Hacker News (general)
    TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO

    The 'TrapDoor' campaign, first observed May 22, 2026, deployed over 34 malicious packages across 384+ versions on npm, PyPI, and Crates.io to distribute credential-stealing malware in a coordinated cross-ecosystem supply chain attack. Packages were published in waves from a cluster of accounts, a technique used to evade early detection. Security teams should review dependencies added after May 22 and check for TrapDoor indicators across all three ecosystems.

  5. The Hacker News (general)
    Lazarus Deploys RemotePE Memory-Only RAT Against Financial and Crypto Firms

    Fox-IT (NCC Group) has detailed RemotePE, a memory-only, cross-platform RAT deployed by North Korea's Lazarus Group against financial and cryptocurrency firms via a multi-stage chain using loaders DPAPILoader and RemotePELoader. The fileless execution approach makes RemotePE difficult to detect with traditional endpoint tools. Financial sector defenders should update detection rules to cover DPAPI-based decryption chains and in-memory PE loading patterns associated with Lazarus TTPs.

  6. BleepingComputer (general)
    FBI warns of Kali365 phishing service targeting Microsoft 365 accounts

    The FBI has issued a warning about Kali365, a phishing-as-a-service platform that targets Microsoft 365 accounts by abusing OAuth device code authentication flows to steal session tokens and bypass MFA. This PhaaS lowers the barrier for attackers to compromise M365 environments at scale. Organizations should consider disabling device code flow where not required and monitoring for anomalous OAuth token issuance.

  7. SecurityWeek (general)
    Laravel-Lang Packages Poisoned for Malware Delivery

    Malicious tags were injected into Laravel-Lang packages within a 15-minute window, introducing backdoors designed to exfiltrate CI/CD secrets from build environments. The speed and precision of the compromise suggest a targeted supply chain attack against the PHP/Laravel ecosystem. Teams using Laravel-Lang should audit pinned versions and rotate any CI secrets that may have been exposed during the affected window.

  8. SecurityWeek (general)
    Anthropic: Mythos Detected 23,000 Potential Vulnerabilities Across 1,000 OSS Projects

    Anthropic's Mythos AI model identified 23,000 potential vulnerabilities across 1,000 open-source software projects, with many confirmed as critical or high severity, and the count is still growing. This demonstrates the potential of restricted, security-focused AI models for large-scale vulnerability discovery at a pace humans cannot match. OSS maintainers and downstream consumers should monitor Anthropic's disclosure process for CVEs affecting their dependencies.

  9. SecurityWeek (general)
    DocketWise Data Breach Impacts 143,000

    DocketWise, an immigration law software platform, disclosed a data breach affecting 143,000 individuals, with attackers accessing names, addresses, Social Security numbers, financial data, and medical information from third-party partner repositories. The breach is notable for the sensitivity of the data involved — immigration records combined with SSNs and financial details create significant identity theft and fraud risk for affected individuals.

  10. SecurityWeek (general)
    266,000 Affected by Data Breach at Radiology Associates of Richmond

    Radiology Associates of Richmond disclosed a data breach in which threat actors exfiltrated files containing names and protected health information (PHI) belonging to approximately 266,000 individuals. Healthcare organizations remain high-value targets due to the sensitivity and regulatory value of PHI under HIPAA. Affected individuals face risks of medical identity fraud and should monitor their health records and insurance claims.