~/greenteam/nerd

Tuesday, May 26, 2026

Today's digest

The FBI's active warning about Kali365 targeting Microsoft 365 accounts via OAuth device code phishing is the most immediately actionable item for any M365 GCC High environment — review conditional access and device code flow policies today.

cybersec BleepingComputer

FBI warns of Kali365 phishing service targeting Microsoft 365 accounts

The FBI has issued a warning about Kali365, a phishing-as-a-service platform that hijacks Microsoft 365 accounts by abusing the OAuth 2.0 device code flow. The attacker starts a device code sign-in, then lures the victim into entering that code and completing authentication (MFA included) on Microsoft's own device login page; the resulting access and refresh tokens are issued to the attacker's session. No password is stolen and no look-alike login page is needed, which is what makes the technique particularly dangerous for M365 GCC High environments. Administrators should audit Conditional Access policies, block the device code flow (Conditional Access has an authentication-flow condition for exactly this) for every user and group that does not need it, and review sign-in logs for device code grants coming from IPs the user has never signed in from.
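Two of the checks above, as an added example that is not code from the FBI advisory or BleepingComputer: a triage pass over exported Entra ID sign-in records that flags successful device code grants (worse when the IP never appears in the user's ordinary sign-ins, since in a phish the token-endpoint polling comes from the attacker's box, not the victim's), and the Conditional Access policy body that blocks the flow. The log records are constructed, and the field names assume the Microsoft Graph signIn schema (authenticationProtocol == "deviceCode"); the group ID in the usage call is a placeholder.

```python
"""Triage device code sign-ins and build a blocking Conditional Access policy.

Added example, not code from the FBI advisory or BleepingComputer. Assumes
the Microsoft Graph signIn schema (authenticationProtocol == "deviceCode"
marks a device code grant); the records below are constructed sample data.
"""
import json
from collections import defaultdict

# Constructed sample export (shape follows the Graph signIn resource).
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "alice@example.gov", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.10", "appDisplayName": "Microsoft Office",
     "createdDateTime": "2026-05-25T13:02:11Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.gov", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.7", "appDisplayName": "Microsoft Office",
     "createdDateTime": "2026-05-26T08:41:53Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.gov", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.22", "appDisplayName": "Microsoft Teams",
     "createdDateTime": "2026-05-25T09:10:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.gov", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.22", "appDisplayName": "Azure CLI",
     "createdDateTime": "2026-05-26T10:05:12Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@example.gov", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.9", "appDisplayName": "Microsoft Office",
     "createdDateTime": "2026-05-26T11:30:00Z", "status": {"errorCode": 50126}},
])


def load_signins(raw_json):
    """Parse an exported sign-in log (list of Graph signIn objects)."""
    return json.loads(raw_json)


def device_code_alerts(signins):
    """Return one alert per successful device code sign-in.

    Severity is "high" when the source IP never appears in that user's
    successful non-device-code sign-ins (the attacker polls the token
    endpoint from their own infrastructure, so the IP is theirs, not the
    victim's), otherwise "medium" (still confirm with the user).
    """
    baseline = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" and s["status"]["errorCode"] == 0:
            baseline[s["userPrincipalName"]].add(s["ipAddress"])

    alerts = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" or s["status"]["errorCode"] != 0:
            continue
        user, ip = s["userPrincipalName"], s["ipAddress"]
        severity = "high" if ip not in baseline[user] else "medium"
        alerts.append({"user": user, "ip": ip, "app": s["appDisplayName"],
                       "time": s["createdDateTime"], "severity": severity})
    return alerts


def block_device_code_policy(exclude_group_ids=()):
    """Body for POST /identity/conditionalAccess/policies that blocks the
    device code flow for everyone except the listed (e.g. break-glass or
    admin) groups. Created in report-only state so impact can be reviewed
    in the sign-in logs before enforcing."""
    return {
        "displayName": "Block device code flow",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeGroups": list(exclude_group_ids)},
            "applications": {"includeApplications": ["All"]},
            "authenticationFlows": {"transferMethods": "deviceCodeFlow"},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for a in device_code_alerts(load_signins(SAMPLE_SIGNINS)):
        print(f'{a["severity"]:6} {a["user"]} from {a["ip"]} via {a["app"]} at {a["time"]}')
    # "<admin-group-object-id>" is a placeholder for a real group object ID.
    print(json.dumps(block_device_code_policy(["<admin-group-object-id>"]), indent=2))
```

On the sample data alice's device code grant comes from an IP she has never used and is rated high, bob's comes from his usual IP and is rated medium, and carol's failed attempt is ignored. Flip the policy state to "enabled" only after the report-only results show no legitimate device code users (headless boxes, CLI tooling, some Teams Rooms devices) outside the excluded groups.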

cmmc Federal News Network

OMB revamps cyber event logging requirements

A new OMB memo rescinds previous federal cyber event logging mandates and establishes revised requirements designed to reduce compliance overhead while maintaining security visibility. The changes will affect how federal agencies and potentially their contractors document and retain log data, which has direct implications for CMMC AU (Audit and Accountability) controls. Organizations operating under NIST 800-171 should review the new expectations to determine whether internal logging practices need to be updated.

cybersec The Hacker News

TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO

A coordinated supply chain attack campaign dubbed TrapDoor has seeded more than 34 malicious packages across npm, PyPI, and Crates.io, spanning over 384 package versions since May 22, 2026. The packages deliver credential-stealing malware, posing a direct risk to any CI/CD pipeline or developer environment that pulls from these registries, including Ansible roles and Python-based automation common in GovCloud deployments. Administrators should check dependency manifests and lockfiles against the published package list, pin exact versions (a caret or tilde range still floats, and a bare Cargo version is a caret range), commit and verify lockfiles with integrity hashes, and review build logs for installs that happened after May 22.
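A manifest audit across the three ecosystems named above, as an added example that is not code from The Hacker News or any TrapDoor IOC list. It reports every dependency whose version specifier can float (pip without "==", npm with "^", "~", "*" or a tag, Cargo without a leading "=") and any dependency whose name appears on a blocklist. The manifests and the blocklist entries are constructed; replace the placeholder names with the package names from the advisory.

```python
"""Audit requirements.txt, package.json and Cargo.toml for floating versions
and blocklisted names.

Added example, not from The Hacker News or any TrapDoor IOC list. The
manifests and BLOCKLIST below are constructed; BLOCKLIST is a placeholder
to be filled from the advisory's package list.
"""
import json
import re

REQUIREMENTS_TXT = """\
# constructed sample
requests==2.32.3 --hash=sha256:abcd
pyyaml>=6.0
ansible
-r base.txt
"""

PACKAGE_JSON = json.dumps({
    "dependencies": {"express": "4.19.2", "lodash": "^4.17.21", "left-pad-hypothetical": "*"},
    "devDependencies": {"jest": "~29.7.0"},
})

CARGO_TOML = """\
[package]
name = "demo"
version = "0.1.0"

[dependencies]
serde = "1.0"
tokio = { version = "=1.37.0", features = ["rt"] }

[dev-dependencies]
proptest = "1.4"
"""

# Constructed placeholder names, not real indicators.
BLOCKLIST = {"pypi": {"hypothetical-bad-pkg"}, "npm": {"left-pad-hypothetical"}, "crates": set()}


def audit_requirements(text):
    """pip: only '==' pins; '--hash=' additionally pins the artifact contents."""
    result = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):      # comments, -r/-c/--index-url lines
            continue
        name = re.split(r"[<>=!~\[ ;]", line, maxsplit=1)[0]
        if "==" not in line:
            result.append((name, "unpinned"))
        elif "--hash=" not in line:
            result.append((name, "pinned"))
        else:
            result.append((name, "pinned+hash"))
    return result


EXACT_SEMVER = re.compile(r"^\d+\.\d+\.\d+$")


def audit_package_json(text):
    """npm: only a bare x.y.z is exact; ^, ~, *, ranges and dist-tags float."""
    data = json.loads(text)
    result = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in data.get(section, {}).items():
            result.append((name, "pinned" if EXACT_SEMVER.match(spec) else f"unpinned ({spec})"))
    return result


def audit_cargo_toml(text):
    """Cargo: a bare "1.0" means ^1.0, so only a leading '=' is an exact pin."""
    result, section = [], None
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section not in ("dependencies", "dev-dependencies") or "=" not in line:
            continue
        name = line.split("=", 1)[0].strip()
        m = re.search(r'version\s*=\s*"([^"]*)"', line) or re.match(r'^[^=]+=\s*"([^"]*)"', line)
        spec = m.group(1) if m else ""
        result.append((name, "pinned" if spec.startswith("=") else f"unpinned ({spec})"))
    return result


def audit_all(requirements, package_json, cargo_toml, blocklist):
    """Combine the three audits into floating-version and blocklist findings."""
    per_eco = {"pypi": audit_requirements(requirements),
               "npm": audit_package_json(package_json),
               "crates": audit_cargo_toml(cargo_toml)}
    unpinned = [(eco, name, status) for eco, items in per_eco.items()
                for name, status in items if status.startswith("unpinned")]
    blocklisted = [(eco, name) for eco, items in per_eco.items()
                   for name, _ in items if name in blocklist.get(eco, set())]
    return {"unpinned": unpinned, "blocklisted": blocklisted}


if __name__ == "__main__":
    report = audit_all(REQUIREMENTS_TXT, PACKAGE_JSON, CARGO_TOML, BLOCKLIST)
    for eco, name, status in report["unpinned"]:
        print(f"{eco:7} {name:24} {status}")
    for eco, name in report["blocklisted"]:
        print(f"BLOCKLISTED {eco}:{name}")
```

The npm and Cargo parsers here only read the manifests; in a real pipeline run the same check against package-lock.json and Cargo.lock, since a lockfile that resolves to a version published during the campaign window is the thing that actually gets installed.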

cybersec The Hacker News

Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos

This week's threat landscape included actively exploited Linux kernel vulnerabilities, zero-days affecting Microsoft Defender, and router-based botnet activity — a combination that touches nearly every layer of a typical GovCloud or on-prem infrastructure stack. The recap also highlights a resurgence of old unpatched vulnerabilities being re-exploited alongside increasingly targeted phishing campaigns. It's a useful single-source triage document if you're catching up on the week's patching priorities.

cybersec The Hacker News

Lazarus Deploys RemotePE Memory-Only RAT Against Financial and Crypto Firms

North Korea's Lazarus Group has been observed deploying RemotePE, a memory-resident remote access trojan that never writes to disk, making it difficult to detect with traditional endpoint tools. The multi-stage attack chain uses two loaders, DPAPILoader and RemotePELoader, with DPAPILoader using Windows DPAPI to decrypt the next stage. Because DPAPI keys are bound to the user or machine profile that did the encrypting, a DPAPI-wrapped payload only decrypts on the victim host: a copy lifted from the box or detonated in a sandbox yields nothing without the originating user context or the DPAPI master keys, which is the evasion value of using legitimate OS functionality here. While current targeting is financial and crypto sectors, Lazarus TTPs frequently migrate to government contractor environments.

cybersec The Hacker News

KnowledgeDeliver LMS Flaw Exploited to Deploy Godzilla and Cobalt Strike

CVE-2026-5426 (CVSS 7.5), a now-patched vulnerability in the KnowledgeDeliver LMS, was exploited as a zero-day via hard-coded ASP.NET machine keys to deploy the Godzilla web shell and subsequently load Cobalt Strike Beacon. Hard-coded machine keys are a known ASP.NET anti-pattern: anyone who knows the validationKey and decryptionKey can produce a correctly signed (and, where required, encrypted) ViewState carrying a serialized .NET gadget chain, and the server deserializes it, giving remote code execution without any credentials. Patch immediately if running this LMS; also audit every internally hosted ASP.NET application for a static <machineKey> in web.config (including <location> overrides and machine-level config), for keys copied from vendor docs or forum posts, for enableViewStateMac="false", and for the same key reused across applications, since one compromised app then lets an attacker forge ViewState for all of them.
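The audit described above, as an added example that is not code from The Hacker News or the KnowledgeDeliver vendor. It walks a set of web.config files, flags any static validationKey or decryptionKey (critical if the value is on a list of publicly known keys), weak validation algorithms, enableViewStateMac="false", and keys shared by more than one application. The four config files and the "published key" set are constructed; populate the set from a real list of leaked or default keys.

```python
"""Audit ASP.NET web.config files for machineKey weaknesses.

Added example, not from The Hacker News or the KnowledgeDeliver vendor. The
configs below are constructed and PUBLISHED_KEYS is a placeholder for keys
known to circulate in public repos, vendor docs and exploit tooling.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_CONFIGS = {
    "lms/web.config": """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
              decryptionKey="FEDCBA9876543210FEDCBA9876543210" validation="SHA1" decryption="AES"/>
</system.web></configuration>""",
    "portal/web.config": """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
              decryptionKey="FEDCBA9876543210FEDCBA9876543210" validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>""",
    "intranet/web.config": """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"
              validation="HMACSHA256" decryption="AES"/>
  <pages enableViewStateMac="false"/>
</system.web></configuration>""",
    "legacy/web.config": """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"
              validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>""",
}

# Constructed placeholder; fill from a real list of leaked/default keys (uppercase hex).
PUBLISHED_KEYS = {"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"}


def static_keys(xml_text):
    """Yield (attr, value) for every non-AutoGenerate key in every <machineKey>,
    including ones nested under <location> overrides."""
    for mk in ET.fromstring(xml_text).iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            val = mk.get(attr, "AutoGenerate,IsolateApps")
            if not val.startswith("AutoGenerate"):
                yield attr, val.upper()


def audit_config(path, xml_text):
    """Findings for one file as (path, severity, description) tuples."""
    findings = []
    for attr, val in static_keys(xml_text):
        sev = "critical" if val in PUBLISHED_KEYS else "high"
        findings.append((path, sev, f"hard-coded {attr}"))
    root = ET.fromstring(xml_text)
    for mk in root.iter("machineKey"):
        algo = mk.get("validation", "HMACSHA256")
        if algo.upper() in ("MD5", "SHA1"):
            findings.append((path, "medium", f"weak validation={algo}"))
    for pages in root.iter("pages"):
        # With MAC disabled the server accepts any ViewState, key or no key.
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append((path, "critical", "enableViewStateMac=false"))
    return findings


def audit_all(configs):
    """Audit every file, then flag keys reused across applications."""
    findings, seen = [], defaultdict(list)
    for path, text in configs.items():
        findings.extend(audit_config(path, text))
        for attr, val in static_keys(text):
            seen[(attr, val)].append(path)
    for (attr, _), paths in seen.items():
        if len(paths) > 1:
            findings.append(("|".join(sorted(paths)), "high", f"{attr} shared across apps"))
    return findings


if __name__ == "__main__":
    for path, sev, desc in audit_all(SAMPLE_CONFIGS):
        print(f"{sev:8} {path}: {desc}")
```

The lms and portal configs share a static key pair (and lms still validates with SHA1), intranet has MAC validation switched off outright, and legacy comes out clean. A file with no <machineKey> at all inherits from machine.config or the hosting platform, so run the same check against those as well.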

cybersec The Hacker News

Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks

Attackers are actively exploiting CVE-2026-26980 (CVSS 9.4), a critical unauthenticated SQL injection flaw in Ghost CMS's Content API, to inject malicious JavaScript that redirects visitors into ClickFix social engineering attacks. Over 700 sites have already been compromised in this campaign. Any internet-facing Ghost CMS instance should be patched immediately; also review web content filtering policies to block ClickFix-style redirect domains at the proxy or DNS layer.

cybersec Krebs on Security

Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks

Dutch authorities arrested two co-owners of hosting companies found to be operating infrastructure used by Russian intelligence agencies for cyberattacks, influence operations, and disinformation campaigns within the EU — specifically the network previously tied to sanctioned ISP Stark Industries Solutions. The takedown removed a significant piece of Russian cyber-operational infrastructure and may temporarily disrupt associated threat actor activity. Defenders tracking Russian APT infrastructure should note potential re-registration of associated IP ranges to new hosting providers.

other The Register

Anthropic to release Mythos-class models to the public

Anthropic is expanding access to its Mythos-class AI models — originally restricted due to their capability to identify software vulnerabilities at scale — to a broader audience including government users, while keeping the most capable variant under controlled access as guardrails are finalized. This is notable for CMMC and federal environments because AI-assisted vulnerability discovery tools in adversary hands significantly raise the bar for patch cadence and attack surface management. Organizations should treat this as a signal to accelerate patching programs and reduce mean time to remediate known CVEs.

cmmc Federal News Network

AI reprices public-sector knowledge work

A Federal News Network commentary argues that AI is fundamentally changing the cost structure of government knowledge work, and that agencies treating AI governance as operational infrastructure — rather than policy compliance — will realize the most efficiency gains. For IT administrators supporting CMMC environments, this framing is relevant because AI tool adoption introduces new CUI handling risks and data governance obligations under NIST 800-171 controls. Organizations should establish clear acceptable-use policies for AI tools before adoption outpaces governance.