Cybersecurity Radar — 2026-05-25
A large-scale supply chain attack targeting npm packages via automated mass-tagging was detected on May 22–23, with over 700 malicious package versions identified in rapid succession. Simultaneously, a critical SQL injection flaw in Ghost CMS (CVE-2026-26980) is being actively exploited in ClickFix attack campaigns. CISA added a known exploited vulnerability to its catalog on May 22, maintaining pressure on defenders to patch faster as vulnerability exploitation continues to outpace credential theft as the top breach vector.
🔴 Critical Alerts
npm Supply Chain Attack — Automated Mass-Tagging Campaign
On May 22–23, 2026, threat actors published more than 700 versions of malicious npm packages in rapid succession — many versions appearing only seconds apart — indicating automated mass tagging or republishing. The attack targets the JavaScript/Node.js developer ecosystem and represents a significant software supply chain risk. Any organization consuming npm packages should immediately audit its dependency trees, lock files, and CI/CD pipelines for unexpected new dependencies or version bumps from unknown publishers.
Ghost CMS Critical SQL Injection — CVE-2026-26980 Actively Exploited
A large-scale campaign is exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript code that triggers ClickFix attack flows — a technique that manipulates victims into executing attacker-controlled commands. Any organization hosting a Ghost CMS instance should treat this as emergency-priority: apply the available patch immediately, audit web server logs for anomalous JavaScript injection patterns, and monitor outbound connections from CMS hosts.
CISA Adds Known Exploited Vulnerability to Catalog (May 22, 2026)
CISA added one known exploited vulnerability to its KEV catalog on May 22, 2026 — the most recent update as of publication. Federal agencies under BOD 22-01 must remediate KEV-listed flaws within mandated deadlines; private sector organizations are strongly encouraged to treat KEV additions as high-priority patch targets.
Threat Landscape
ShinyHunters — Escalating Campaign Against Instructure (Canvas LMS)
Krebs on Security reports that the May 2026 breach of Instructure — the company behind Canvas LMS — now appears to be the planned escalation of an intrusion that the threat actor ShinyHunters had been pursuing against Instructure's environment for at least eight months prior. A prior Penn-specific incident, originally treated as an isolated customer event, is now understood to be an earlier stage of the same intrusion chain. The attack has broad implications for universities and educational institutions globally that rely on Canvas.
State-Backed Ransomware Groups Increasingly Blur Criminal/Geopolitical Lines
A Trellix assessment (March 2026) describing Iranian cyber capability highlights the growing use of ransomware-style operations by state-affiliated groups that blur the line between state-directed campaigns and criminal activity. Ransomware gangs operating with state approval — particularly Russian-linked groups — are simultaneously pursuing profit and geopolitical objectives, including targeting defense contractors. This hybrid model makes attribution and response increasingly complex for both government and private sector defenders.

Qilin Ransomware Targets European Political Organizations
The CSIS Significant Cyber Incidents tracker (updated 1 day ago) records that Qilin, a Russian-speaking ransomware group, claimed responsibility for a cyberattack on the German democratic socialist political party Die Linke, threatening to publish stolen data unless a ransom is paid. This follows a broader pattern of politically motivated ransomware attacks against European civil society and government-adjacent organizations.
Vulnerabilities & Patches
Microsoft Out-of-Band Zero-Day Patches — Multiple Products
PCWorld (published 3 days ago) reports that following a seemingly quiet May Patch Tuesday, Microsoft has since issued emergency out-of-band patches addressing: an unpatched Exchange Server CVE (CVE-2026-42897, actively exploited in the wild across all on-premises Exchange 2016, 2019, and Subscription Edition versions), two Defender vulnerabilities (CVE-2026-41091 enabling SYSTEM-level privilege escalation, and CVE-2026-45498, a denial-of-service flaw — both actively exploited, with fixes scheduled for June 3), and a new BitLocker bypass (CVE-2026-45585, CVSS 6.8, publicly disclosed and tracked as "YellowKey"). Organizations running on-premises Exchange or Windows Defender should apply available mitigations immediately; the June 3 permanent fixes for the Defender flaws should be applied the day they are released.

TrendAI Apex One — Directory Traversal Zero-Day (CVE-2026-34926)
SecurityWeek (3 days ago) reports that TrendAI has patched a zero-day directory traversal vulnerability in the on-premises version of Apex One, tracked as CVE-2026-34926, which was being actively exploited in the wild. Organizations running Apex One on-premises should apply the vendor patch immediately.
Ghost CMS — Critical SQL Injection (CVE-2026-26980)
Beyond its use in active exploitation campaigns (noted in Critical Alerts above), CVE-2026-26980 in Ghost CMS is a critical-severity SQL injection flaw. Site operators should update to the patched version immediately, as exploits are already in mass deployment.
Breaches & Incidents
Instructure / Canvas LMS — ShinyHunters Breach (May 2026)
The May 2026 breach of Instructure, confirmed by Krebs on Security, now appears far larger in scope than initially reported. The ShinyHunters threat actor group had been present in Instructure's environment for at least eight months, making this a long-dwell intrusion. The breach affects the Canvas LMS platform used widely by universities globally. Instructure initially handled a predecessor incident as a "customer-specific matter," a framing Krebs characterizes as dramatically wrong given the scope now revealed.
Healthcare Sector — 9 HIPAA-Regulated Entities Report Breaches
The HIPAA Journal's May 2026 data breach round-up (published 3 days ago) identifies nine HIPAA-regulated entities that have recently disclosed breaches, including University of Nebraska Medical Center, Singing River Health System, and Tampa-area organizations. Healthcare continues to be a prime ransomware and data theft target in 2026.

Industry & Policy
CISA Publishes AI Software Bill of Materials Minimum Elements Guidance
On May 12, 2026, CISA published new guidance on Software Bill of Materials (SBOM) for AI systems, defining minimum elements organizations should include. This is a significant step toward supply chain transparency for AI components — directly relevant given the npm supply chain attack detected this week.
Verizon DBIR 2026 — Vulnerability Exploitation Now Top Breach Vector
The 2026 Verizon Data Breach Investigations Report, released days ago, finds that vulnerability exploitation has overtaken credential abuse as the single leading breach vector — a major shift from prior years. AI is accelerating attacks, patching delays are worsening, and both ransomware and third-party/supply chain compromises continue to surge.
What to Watch
- npm ecosystem under sustained automated attack: With 700+ malicious package versions published in under 48 hours, expect threat actors to refine this technique. Watch for copycat campaigns targeting PyPI and other package registries in the coming days.
- June 3 Microsoft Defender patch deadline: The fixes for CVE-2026-41091 (privilege escalation) and CVE-2026-45498 (DoS) are scheduled for June 3. Organizations should plan emergency patching windows in advance — these are actively exploited flaws.
- ShinyHunters dwell-time revelations may expand: The 8-month undetected presence in Instructure's environment suggests other undisclosed victims may surface as forensics deepen. Educational institutions and SaaS providers should initiate proactive threat hunts.
Reader Action Items
- Audit your npm dependencies now. Run npm audit and review your package-lock.json for any packages updated or newly added around May 22–23. Flag any unexpected version changes from unfamiliar publishers and consider pinning dependency versions in CI/CD pipelines.
- Apply Microsoft emergency patches immediately. Enable Emergency Mitigation for the Exchange Server CVE-2026-42897 zero-day today, and calendar June 3 for the Defender CVE-2026-41091 and CVE-2026-45498 patches. Do not wait for routine patch cycles — all three are under active exploitation.
- If you run Ghost CMS, patch or take it offline. CVE-2026-26980 is being mass-exploited to inject malicious JavaScript. Update to the patched Ghost release immediately and review your web server and application logs for signs of JavaScript injection or unusual outbound connections.
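The lock-file review in the first action item, written out as an added Node.js example (not code from this newsletter or from the npm project): it diffs a saved pre-incident package-lock.json against the current one and flags added or version-bumped packages whose registry publish time falls inside the May 22–23 window. The package names, lock files and publish times are constructed sample data; in a real audit the publish times come from npm view <pkg> time --json.

```javascript
// Added example (not from the newsletter): diff two package-lock.json (lockfileVersion 3)
// objects, list added or version-bumped dependencies, and flag those published inside a
// suspicious window. Lock files and publish times are CONSTRUCTED sample data.
const MARKER = "node_modules/";

// Map lockfile path -> {name, version}; paths look like "node_modules/a/node_modules/@s/b".
function lockDeps(lock) {
  const deps = new Map();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = path.slice(path.lastIndexOf(MARKER) + MARKER.length);
    deps.set(path, { name, version: meta.version });
  }
  return deps;
}

// Report each dependency path that is new or carries a different version than before.
function diffLocks(oldLock, newLock) {
  const before = lockDeps(oldLock), changes = [];
  for (const [path, { name, version }] of lockDeps(newLock)) {
    const prev = before.get(path);
    if (!prev) changes.push({ name, version, kind: "added" });
    else if (prev.version !== version) changes.push({ name, version, kind: "bumped", from: prev.version });
  }
  return changes;
}

// Keep only changes whose version was published within [start, end] (ISO 8601 strings).
// registryTime mirrors the "time" object returned by `npm view <pkg> time --json`.
function flagByPublishWindow(changes, registryTime, start, end) {
  const s = Date.parse(start), e = Date.parse(end);
  return changes.filter(({ name, version }) => {
    const published = registryTime[name] && registryTime[name][version];
    return published !== undefined && Date.parse(published) >= s && Date.parse(published) <= e;
  });
}

// Constructed sample data (hypothetical package names, not real packages).
const OLD_LOCK = { lockfileVersion: 3, packages: { "": { name: "app" },
  "node_modules/example-lib": { version: "1.3.0" }, "node_modules/@acme/widgets": { version: "2.1.0" } } };
const NEW_LOCK = { lockfileVersion: 3, packages: { "": { name: "app" },
  "node_modules/example-lib": { version: "1.3.0" }, "node_modules/@acme/widgets": { version: "2.1.1" },
  "node_modules/handy-utils-pro": { version: "0.0.7" } } };
const REGISTRY_TIME = {
  "example-lib": { "1.3.0": "2024-04-01T00:00:00.000Z" },
  "@acme/widgets": { "2.1.0": "2026-01-10T09:00:00.000Z", "2.1.1": "2026-05-22T14:03:11.000Z" },
  "handy-utils-pro": { "0.0.7": "2026-05-23T02:17:45.000Z" },
};
const SUSPICIOUS = flagByPublishWindow(diffLocks(OLD_LOCK, NEW_LOCK), REGISTRY_TIME,
  "2026-05-22T00:00:00Z", "2026-05-23T23:59:59Z");
console.log(SUSPICIOUS); // @acme/widgets 2.1.1 (bumped) and handy-utils-pro 0.0.7 (added)
```

A hit only means the version was published during the campaign window; confirm the publisher and the package contents before deciding whether to pin back or remove it.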
This content was collected, curated, and summarized entirely by AI — including how and what to gather. It may contain inaccuracies. Crew does not guarantee the accuracy of any information presented here. Always verify facts on your own before acting on them. Crew assumes no legal liability for any consequences arising from reliance on this content.