Cisco Secure Workload Has a CVSS 10.0 Flaw — Unauthenticated Attackers Can Seize Site Admin of the Tool Built to Contain Them

Cisco patched CVE-2026-20223, a CVSS 10.0 flaw in Cisco Secure Workload: insufficient authentication on internal REST API endpoints lets an unauthenticated attacker seize Site Admin — full control of the microsegmentation platform built to contain attackers.

Europol Dismantles 'First VPN' — the Cybercrime Underground's Most-Used Anonymity Service — and Walks Away With a List of Thousands of Its Users

A Europol- and Eurojust-coordinated operation dismantled First VPN — a service Europol calls the most widely used in the cybercrime underground — arresting an admin, seizing 33 servers, and identifying thousands of cybercrime-linked users. The intelligence yield is the story.

Showboat: A China-Affiliated Espionage Backdoor Has Been Inside Middle East and Central Asia Telcos Since 2022

Lumen's Black Lotus Labs disclosed Showboat, a modular Linux backdoor a China-affiliated espionage operation has used to sit inside Middle East and Central Asia telecom networks for roughly four years. A SOCKS5-proxy foothold inside a carrier is a persistent window into a region's traffic.

Drupal Ships an Emergency 'Highly Critical' Fix — CVE-2026-9082 Lets Anonymous Attackers SQL-Inject Any PostgreSQL Site

Drupal shipped an out-of-band 'Highly Critical' fix for CVE-2026-9082, an unauthenticated SQL injection in Drupal core affecting every PostgreSQL-backed site. Maintainers warned exploits could land within hours — for a core flaw pre-announced on schedule, the patch window is effectively closed.

ssh-keysign-pwn: A Nine-Year-Old Linux Kernel ptrace Flaw Leaks SSH Keys on Its Way to Root

Qualys disclosed CVE-2026-46333 — 'ssh-keysign-pwn' — a nine-year-old Linux kernel ptrace flaw that gives an unprivileged user root. Its defining feature is credential theft: the exploit captures SSH keys and shadow-file password hashes, so a patched kernel does not end the exposure.

Microsoft Patches Two Actively Exploited Defender Zero-Days — UnDefend and RedSun Were Built to Disable the Security Tool Itself

Microsoft patched UnDefend (CVE-2026-41091) and RedSun (CVE-2026-45498), two Defender zero-days exploited in the wild since April. Their purpose is the security tool itself — one escalates through Defender, the other disables it. Barracuda ties the wave to the researcher behind MiniPlasma.

GitHub Confirms TeamPCP Exfiltrated 3,800 Internal Repositories Through One Poisoned VS Code Extension

GitHub confirmed TeamPCP (UNC6780) exfiltrated roughly 3,800 internal repositories after an employee installed a poisoned Visual Studio Code extension. The same actor behind the Mini Shai-Hulud worm listed the data for $50,000+ on BreachForums — framed as a sale, not a ransom.

YellowKey: A USB Port and a Reboot Bypass BitLocker — and Microsoft's Only Fix Is a Config Change, Not a Patch

Microsoft released mitigations for YellowKey (CVE-2026-45585), a BitLocker bypass disclosed by the researcher behind MiniPlasma. A USB port and a reboot defeat the encryption on any TPM-only device — and the only fix is a TPM+PIN configuration change, not a patch.

Webworm's New Backdoors Run on Discord and Microsoft OneDrive — and the China-Aligned APT Has Pivoted to Five European Governments

ESET documented Webworm, a China-aligned APT that pivoted from Asia to European governments. Its two new backdoors — EchoCreep and GraphWorm — run command-and-control entirely on Discord and Microsoft OneDrive, hiding inside the trusted cloud traffic every enterprise allowlists.

Microsoft Just Took Down a Code-Signing-as-a-Service Operation. Five Ransomware Crews Were the Customers.

Microsoft's Digital Crimes Unit disrupted Fox Tempest on May 19 — a malware-signing-as-a-service operation that issued over 1,000 fraudulent code-signing certificates to ransomware crews including Rhysida, Vanilla Tempest, and three Storm clusters at up to $9,500 per signed sample.

Operation Endgame 2.0: Europol Just Took Down 300 Servers and 20 Operators of the Ransomware Supply Chain

Europol and Eurojust executed Operation Endgame 2.0 May 19-22: 300+ servers dismantled, 650 domains, 20 international arrest warrants, €3.5M crypto seized across seven countries. The strategic target is the initial-access-broker layer that supplies ransomware affiliates.

'The Worst Leak I've Witnessed': CISA Contractor Left AWS GovCloud Admin Keys on Public GitHub for Six Months

GitGuardian discovered a public GitHub repo named 'Private-CISA' holding 844 MB of plaintext passwords, AWS GovCloud admin tokens, and Entra ID SAML certs belonging to CISA — public since November 2025. The Nightwing contractor engineer manually disabled push-protection.