Daily Drop (1306)
05-26-26
Monday, May 26, 2026 // Buy Bob a Coffee // Ghostwire
China-Linked Hackers Compromise Southeast Asian Edge Routers With Custom Linux Implant
Bottom Line Up Front (BLUF): A suspected China-aligned espionage group is targeting Southeast Asian organizations by compromising Linux-based edge routers with a custom ELF malware implant, giving operators visibility and control over all downstream network traffic. The campaign pairs router-level persistence with cracked Cobalt Strike Beacons on Windows systems, creating a unified cross-platform command-and-control architecture designed for long-term intelligence collection and stealthy lateral operations.
Analyst Comments: Most organizations monitor laptops and servers aggressively; far fewer have mature visibility into routers, DNS manipulation, or edge-device persistence. That gap is exactly what these operators are exploiting. The operational design here is notable. Instead of relying solely on endpoint compromise, the actors implant the gateway layer first, then selectively stage Windows payloads behind it. That gives them options: DNS hijacking, credential interception, software update redirection, and stealthy traffic inspection across entire environments. If the router stays owned, rebuilding endpoints may not matter.
READ THE STORY: GBhackers
Researchers Link Los Angeles Transit System Breach to Iran-Backed MOIS Hackers
Bottom Line Up Front (BLUF): Security researchers have attributed the March cyberattack against the Los Angeles County Metropolitan Transportation Authority (LACMTA) to Iranian government-linked hackers operating under the persona “Ababil of Minab.” According to Gambit Security, the group is tied to Iran’s Ministry of Intelligence and State Security (MOIS) and forms part of a broader pattern of state-backed “hacktivist” operations targeting transportation, healthcare, and critical infrastructure sectors.
Analyst Comments: Tehran-linked groups increasingly operate behind politically themed personas that provide plausible deniability while still allowing psychological and geopolitical messaging. “Ababil of Minab” fits that pattern almost perfectly. The targeting also matters. Transit systems are attractive because they blend public visibility, operational disruption potential, and relatively uneven cybersecurity maturity. Even when attackers don’t cause catastrophic outages, prolonged recovery periods generate public pressure and media amplification that align well with influence operations.
READ THE STORY: TC
Hackers Exploit KnowledgeDeliver Zero-Day to Deploy Godzilla Web Shells and Cobalt Strike
Bottom Line Up Front (BLUF): Threat actors exploited a zero-day vulnerability in the KnowledgeDeliver learning management system (LMS) to deploy Godzilla web shells and Cobalt Strike backdoors against enterprise and educational environments, primarily in Japan. The flaw, tracked as CVE-2026-5426, stems from hardcoded ASP.NET machineKey values shared across deployments, enabling attackers to execute ViewState deserialization attacks for remote code execution.
Analyst Comments: Once attackers obtain shared machineKey values from one deployment, every unpatched instance effectively becomes targetable at scale. The attack chain itself is classic but effective: ViewState deserialization → web shell deployment → persistence → Cobalt Strike. What stands out is the operational discipline. Mandiant noted the final payload encryption key included the victim organization’s name, suggesting the intrusion wasn’t random scanning but likely a targeted operation with pre-staged tooling.
READ THE STORY: Security week
Angular VS Code Extension Flaws Enable Silent Remote Code Execution Through Malicious Projects
Bottom Line Up Front (BLUF): Multiple high-severity vulnerabilities in the Angular Language Service VS Code extension (Angular.ng-template) allow attackers to achieve remote code execution on developer workstations through malicious repositories, dependencies, and workspace settings. The flaws affect all versions prior to 21.2.4 and can bypass VS Code’s Workspace Trust protections, turning routine developer actions like cloning repositories or opening projects into viable compromise paths.
Analyst Comments: Attackers no longer need to burn browser zero-days when they can target the software supply chain and development environments directly. VS Code extensions sit in a dangerous middle ground: highly trusted, deeply integrated, and often granted broad execution privileges with minimal scrutiny. The tsdk abuse here is particularly nasty because it executes silently during workspace initialization. No phishing click, no macro enable prompt—just opening the project can be enough. That effectively turns a GitHub repository into a delivery mechanism for arbitrary code execution.
READ THE STORY: GBhackers
TrapDoor Malware Campaign Targets Developer Workstations Across npm, PyPI, and Crates.io
Bottom Line Up Front (BLUF): Researchers uncovered a large-scale supply chain malware campaign dubbed TrapDoor that weaponized malicious packages across npm, PyPI, and Crates.io to compromise developer environments and steal credentials, SSH keys, cloud secrets, browser data, and AI coding assistant context files. The campaign specifically targeted the broader developer workflow rather than isolated package installations, highlighting how developer workstations are increasingly becoming high-value initial access targets for enterprise compromise.
Analyst Comments: Modern developer systems now hold source code, cloud access, CI/CD credentials, browser sessions, Git trust relationships, and increasingly AI-assisted workflow context. That combination makes them one of the most privileged—and least segmented—assets in most organizations. The AI tooling angle is especially important. TrapDoor reportedly attempted to manipulate files like .cursorrules and CLAUDE.md using hidden Unicode instructions designed to influence AI coding assistants into exposing secrets or executing unintended workflows. That moves beyond conventional malware behavior into adversarial prompt engineering against developer tooling.
READ THE STORY: CSO Online
Laravel-Lang Composer Packages Backdoored Through Mass Git Tag Poisoning Attack
Bottom Line Up Front (BLUF): Attackers compromised multiple Laravel-Lang Composer packages by maliciously rewriting more than 700 Git tags across several repositories, distributing a cross-platform PHP information stealer to Laravel applications during package installation and autoload execution. The campaign targeted cloud credentials, CI/CD secrets, Kubernetes configurations, browser data, cryptocurrency wallets, and developer tooling, turning a trusted localization ecosystem into a large-scale software supply chain compromise.
Analyst Comments: Instead, they abused GitHub’s tagging behavior to point legitimate version tags at commits hosted in a malicious fork. That’s a supply chain nightmare because many security controls trust signed tags, release histories, or repository integrity checks without validating where tagged commits actually originate. The operational maturity here also stands out. The malware included host-based execution controls to avoid redundant infections, disabled TLS verification to improve payload delivery reliability, and deployed a second-stage cross-platform infostealer capable of harvesting secrets from virtually every layer of modern developer infrastructure. This wasn’t smash-and-grab cryptomining. This was infrastructure access collection.
READ THE STORY: Security Affairs
‘Megalodon’ Malware Campaign Infects Over 5,500 GitHub Repositories in Automated Supply Chain Attack
Bottom Line Up Front (BLUF): A large-scale software supply chain attack dubbed Megalodon infected more than 5,500 GitHub repositories in a six-hour automated campaign designed to steal CI/CD secrets, cloud credentials, SSH keys, OpenID Connect tokens, and source code secrets. Attackers weaponized malicious GitHub Actions workflows and stealth backdoors, highlighting how compromised developer credentials and poisoned automation pipelines continue to undermine trust in modern software delivery ecosystems.
Analyst Comments: Once attackers gain repository write access, CI/CD systems effectively become remote execution infrastructure. The stealth component here is what makes Megalodon more dangerous than a noisy repo defacement campaign. The secondary payload reportedly replaced workflows with dormant workflow_dispatch triggers that generate no visible CI runs until manually activated through the GitHub API. That means many organizations may still have live backdoors sitting quietly inside repositories weeks later without obvious indicators in Actions history.
READ THE STORY: DR
GitHub Breach Exposes Thousands of Internal Repositories After Malicious VS Code Extension Compromise
Bottom Line Up Front (BLUF): GitHub confirmed that attackers stole at least 3,800 internal repositories after compromising a developer through a malicious VS Code extension tied to the Nx Console ecosystem. The breach has been claimed by the supply chain-focused threat group TeamPCP, which is now attempting to sell the stolen data through underground marketplaces. Researchers warn the incident highlights how developer tooling, IDE extensions, and software supply chain infrastructure have become primary attack surfaces for modern threat actors.
Analyst Comments: It was a compromise of developer trust. That distinction matters because it reflects where offensive tradecraft is going: compromise the tooling developers rely on every day, steal credentials or session access, then pivot into repositories, CI/CD systems, and downstream software ecosystems. The VS Code angle is especially concerning because IDE extensions effectively operate with high trust and broad local access. Once attackers weaponize an extension with millions of installs—even briefly—they gain scalable access to developer environments that often hold cloud credentials, signing keys, API tokens, and privileged repository access.
READ THE STORY: CPO Magazine
Genetec Security Center SQL Injection Flaw Impacts Access Manager Role
Bottom Line Up Front (BLUF): A medium-severity SQL injection vulnerability tracked as CVE-2026-27768 affects Genetec Security Center and impacts the Access Manager role. The flaw could allow authenticated attackers with elevated privileges to manipulate backend SQL queries, potentially leading to unauthorized access, data exposure, or system disruption. Genetec has released fixes in Security Center 5.12.2.17 and 5.13.3.5.
Analyst Comments: While exploitation requires high privileges and high attack complexity, this type of vulnerability becomes far more serious in environments where attackers already have partial footholds or compromised administrator accounts. Genetec deployments are common in physical security ecosystems—video surveillance, access control, and integrated building security operations. SQL injection inside those environments is not just an “IT issue.” Depending on deployment architecture, compromise could potentially expose credential stores, badge access records, surveillance metadata, or broader integrated infrastructure systems.
READ THE STORY: CVE Feed
HiDraw XML Parser Flaw Enables Local Code Execution Through Malicious XML Files
Bottom Line Up Front (BLUF): CVE-2026-7310 is a medium-severity heap-based buffer overflow in HiDraw’s XML parser that could allow an authenticated local attacker to trigger memory corruption using a specially crafted XML file. Successful exploitation may cause application crashes, denial of service, or potential arbitrary code execution.
Analyst Comments: XML parser bugs are dangerous because they often sit inside trusted workflows—opening project files, importing diagrams, or processing vendor-provided data. The local-access and user-interaction requirements reduce broad exploitation risk, but they do not eliminate targeted risk. An attacker who already has low-level access, compromised credentials, or a foothold on a shared workstation could use this to escalate impact or destabilize affected systems. For Hitachi Energy customers, the priority should be controlling file provenance. Don’t treat XML imports as harmless documents.
READ THE STORY: CVE Feed
Items of interest
AI Is Triggering a Bug Hunting Arms Race Across the Cybersecurity Industry
Bottom Line Up Front (BLUF): The rapid adoption of AI for vulnerability discovery and exploit development is fundamentally reshaping bug hunting, vulnerability disclosure, and patch management. Researchers and threat actors alike are increasingly using agentic AI systems to identify software flaws and generate exploits at machine speed, creating pressure on organizations already struggling to keep up with remediation and coordinated disclosure timelines.
Analyst Comments: For years, finding novel vulnerabilities required deep expertise, time, and patience. AI dramatically compresses that process by scaling code analysis, exploit experimentation, and bug triage in parallel. That changes both the economics and operational tempo of security research. The important detail here is not just that defenders are finding more bugs — attackers are too. Google’s observation that threat actors used AI-assisted methods to develop a zero-day exploit capable of bypassing MFA protections is probably one of the clearest public indicators yet that offensive AI-assisted vulnerability research is already operational. The industry has largely assumed this was happening privately; now there is visible evidence.
READ THE STORY: wired
The AI Cybersecurity Arms Race: Mythos vs. GPT-5.4-Cyber (Video)
FROM THE MEDIA: The speed and autonomy of frontier AI models have created a "cybersecurity Oppenheimer moment". This video explores the rapidly evolving landscape of autonomous network actors, focusing on the architectural and governance frameworks of Anthropic's Claude Mythos and OpenAI's GPT-5.4-Cyber.
Is Mythos Too Dangerous for the Public | The AI That Scares Governments and Experts (Video)
FROM THE MEDIA: Have your secrets leaked? Learn about what you can do to mitigate risk -- and stop secrets from leaking in the first place.
The selected stories cover a broad range of cyber threats and are intended to help readers frame key publicly discussed threats and improve overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, don’t hesitate to get in touch with InfoDom Securities at dominanceinformation@gmail.com.