Threat Advisories

CISA added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on May 27, 2026, confirming that they are actively exploited in real‑world attacks.

While these vulnerabilities affect different technologies, they share a common theme: compromise of trusted software distribution and development pipelines. Unlike traditional vulnerabilities targeting exposed services, these issues enable attackers to distribute malicious code through legitimate channels such as software installers, npm packages, and development tools.

GitHub has confirmed the unauthorized access and exfiltration of approximately 3,800 of its internal development repositories. The breach was orchestrated by the financially motivated cybercrime group TeamPCP, who exploited a trojanized Microsoft Visual Studio Code (VS Code) extension installed on a privileged employee's device.

A critical vulnerability, tracked as CVE-2026-42945 and codenamed "NGINX Rift," has been identified in the ngx_http_rewrite_module of the NGINX web server. Discovered by researchers at DepthFirst AI, this flaw has existed within the NGINX codebase for approximately 18 years. The vulnerability is a heap buffer overflow that occurs due to inconsistent state handling within NGINX's internal script engine during the processing of rewrite directives.

Microsoft’s May 2026 Patch Tuesday update for Windows 10, KB5087544, reflects the current reality of the platform. Now firmly in its Extended Security Updates phase, Windows 10 is no longer evolving through features, but it is still being actively secured and maintained. This update combines a large set of vulnerability fixes with targeted changes to Remote Desktop and Secure Boot that reveal how Microsoft is tightening control over endpoint trust and stability.

Fortinet has disclosed two critical vulnerabilities affecting FortiSandbox and FortiAuthenticator that could enable unauthenticated remote code execution (RCE) on exposed systems.

Trellix has announced that internal source code for portions of its product portfolio was accessed without authorisation. The affected material relates to product development code only and does not include customer environments or customer data. There is no indication of malicious modification to released software artifacts.

CVE 2026 31431, commonly known as “Copy Fail”, is a high severity local privilege escalation vulnerability affecting the Linux kernel. The issue impacts kernels shipped by all major Linux distributions since 2017 and allows a local, unprivileged user to gain root level execution on the host system.

In late March 2026, a threat actor operating under the alias “The_Auditors” claimed to have breached BlackLine Systems, a US‑based financial automation and accounting software provider. The attacker alleges the exfiltration of approximately 354 GB of sensitive financial and operational documents, reportedly totaling over 1.5 million records belonging not only to BlackLine, but to its enterprise customers. At the time of writing, BlackLine has not publicly confirmed a breach, and the claims remain unverified. However, multiple cybersecurity intelligence firms have assessed the allegations as credible based on multiple indicators.

A new and active npm supply‑chain attack has been observed abusing compromised maintainer credentials to self‑propagate malicious code across packages in the Node.js ecosystem. The malware steals authentication material (npm tokens, cloud credentials, CI/CD secrets, SSH keys, and wallet data) and uses any discovered publishing tokens to inject itself into additional packages owned by the same maintainer, creating worm‑like lateral spread.

Microsoft has disclosed a critical remote code execution (RCE) vulnerability in the Windows Internet Key Exchange (IKE) Service Extensions, tracked as CVE‑2026‑33824. The vulnerability is caused by a double‑free memory handling flaw that can be triggered remotely by an unauthenticated attacker sending specially crafted network traffic to a vulnerable system. Successful exploitation could allow arbitrary code execution with system‑level privileges.