Hello, stay ahead with CISO Brief 🚀

🛡️ Researchers uncovered a large-scale campaign exploiting a critical SQL injection (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript that triggers ClickFix attack flows. More than 700 domains — including university portals, media outlets, fintech firms, and personal blogs — were affected. The flaw impacts Ghost 3.24.0 through 6.19.0 and allows unauthenticated actors to exfiltrate admin API keys. Administrators are urged to upgrade to 6.19.1+, rotate keys, and scan sites for injected scripts.

🔒 GitHub has introduced staged publishing on npm, requiring a human maintainer to complete a two-factor authentication (2FA) challenge before a package version becomes publicly installable. The prebuilt tarball is uploaded to a staging queue and only becomes available after explicit approval. Maintainers must have publish access, an existing package, and enabled 2FA. GitHub also added three install-source flags to control non-registry installs.

🔎 Anthropic disclosed that Project Glasswing and access to Claude Mythos Preview helped partners uncover over 10,000 high- or critical-severity vulnerability candidates across widely used, systemically important software since last month. Analysis verified 1,726 true positives, including 1,094 high- or critical-severity flaws, and resulted in 97 upstream patches and 88 advisories. One notable finding was a critical WolfSSL flaw (CVE-2026-5194).

🔐 A critical vulnerability, CVE-2026-48172 (CVSS 10.0), in the LiteSpeed User-End cPanel Plugin allows privilege escalation via the lsws.redisAble function, enabling arbitrary scripts to run as root. The flaw affects plugin versions 2.3 through 2.4.4 and is being actively exploited; LiteSpeed fixed it in v2.4.5 and later bundled releases. Administrators are urged to upgrade to cPanel plugin v2.4.7 (with WHM plugin v5.3.1.0) or uninstall the user-end plugin if immediate patching is not feasible.

🛡️ The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical SQL injection flaw in Drupal Core (CVE-2026-9082, CVSS 6.5) to its Known Exploited Vulnerabilities list after evidence of active exploitation. The vulnerability affects all supported Drupal Core versions and could enable privilege escalation and remote code execution via crafted requests using the database abstraction API. Patches were released across multiple 8.x–11.x branches, with manual patches required for Drupal 9.5 and 8.9.

🛡️ Chromium contains an unpatched vulnerability that lets attackers keep a Service Worker alive across restarts and execute JavaScript persistently. Reported by researcher Lyra Rebane, the bug abuses the Background Fetch API and a race that creates and aborts background fetches to evade UI visibility. Although some UI fixes were applied in 2023, the deeper issue—preventing indefinite Service Worker lifetimes—remains unresolved and can enable tracking, crypto mining, and browser-based bots.

🔒 Amazon SageMaker Unified Studio now supports domain management for both Identity Center and IAM-based domains outside the AWS Console. Administrators and data management teams can create and manage projects, configure workforce identity, administer users and permissions, and set networking properties. VPC configuration and account associations are consistent across domain types and available in all Regions where Unified Studio is offered.

🔍 AWS Transform now includes enhanced migration assessment capabilities that support what-if scenarios, customizable assumptions, flexible file formats, and expanded TCO assessment features. These updates enable rapid building of migration business cases and faster decision-making. The tool accepts inputs from RVTools, CMDBs, AWS discovery exports, and many third-party discovery tools. New analysis options cover EC2, FSx, S3, SQL Server on EC2, virtual desktops, and additional Cloud Value Framework pillars.

🛠️ Amazon SageMaker Unified Studio now adds business context, metadata, and data governance features for IAM-based domains. Customers can annotate AWS Glue Data Catalog tables with business names, descriptions, and README documentation, and use AI-generated metadata to automate cataloging. Teams can build business glossaries, define metadata form templates, and capture structured attributes like classification, retention, and ownership. These capabilities enable search, filtering by glossary or metadata fields, and access requests with automated Lake Formation permission grants, and are available in all regions where SageMaker Unified Studio is supported.

🔒 The FBI warns of phishing campaigns using Kali365 to harvest Microsoft 365 OAuth access tokens and bypass multi-factor authentication. Attackers trick users into entering a code on a legitimate Microsoft page, which instead authorizes the attacker’s device to access the victim’s account. The FBI advises IT teams to deploy conditional access policies and block authentication transfer to reduce exposure.

🔎 Authorities across Europe and North America announced a coordinated operation that dismantled First VPN, a criminal virtual private network service used to obscure ransomware, data theft, scanning, and DDoS activity. Led by France and the Netherlands with support from many countries and agencies since December 2021, investigators executed concurrent actions in May 2026, seizing servers, domains, and infrastructure while interviewing the service administrator. Europol and the FBI say First VPN marketed anonymity to cybercriminals on Russian-language forums, offered multiple protocols and payment methods, and provided exit nodes across 27 countries used by at least 25 ransomware groups.

🔎 Financial crime investigators in the Netherlands (FIOD) arrested two men and seized 800 servers linked to a web hosting company accused of enabling cyberattacks, interference operations, and disinformation campaigns. Authorities say the suspects provided resources indirectly to Russian and Belarusian entities sanctioned by the EU, and that infrastructure was moved to a front company after sanctions. Raids recovered servers, laptops, phones, and records across multiple Dutch data centers.

🔐 AWS Security Agent now generates verification scripts for penetration test findings to help teams reproduce and validate discovered vulnerabilities. The tool creates ready-to-run scripts for each confirmed finding that include setup instructions, documented environment variables, and redacted sensitive values. Teams download the script, configure variables, and execute it against targets to streamline triage and speed remediation. Verification scripts are available in all Regions where AWS Security Agent is supported.

🔒 Kaspersky researchers disclosed CVE-2026-25262, a BootROM-level flaw in Qualcomm’s Sahara/EDL implementation that enables arbitrary write operations during device recovery. The bug, a CWE-123 Write-What-Where condition in the ARM Primary Boot Loader, permits attackers with brief physical access via USB to upload and execute malicious code before the OS boots. Qualcomm confirmed the issue, issued a security bulletin, and pledged fixes for future silicon while advising mitigation steps for affected devices.

🛡️ European investigators dismantled First VPN in a joint operation led by France and the Netherlands, assisted by Europol and Eurojust. The service, widely promoted in Russia, was used by criminals for ransomware, fraud, and data theft to conceal identities and infrastructure. While the takedown is seen as warranted, experts warn that broad restrictions on VPNs risk harming legitimate privacy and business uses and could face legal challenges.

🚀 Microsoft announces the public preview of cross-cluster networking for Azure Kubernetes Fleet Manager, bringing transparent east‑west multi-cluster connectivity powered by Advanced Container Networking Services. Built on Cilium and Kubefleet, this managed capability extends the Kubernetes networking model across clusters to enable direct pod-to-pod communication, policy enforcement, and observability while preserving cluster isolation. The managed approach reduces operational overhead for multi-cluster fleets and supports resilient, global, and shared‑services architectures.

🔒 Microsoft announced it was recognized as a Leader in The Forrester Wave™: Workforce Identity Security Platforms, Q2 2026, receiving top scores for current offering and strategy. The post emphasizes the need to unify identity signals, access policies, and response workflows to reduce fragmentation and improve security. It highlights Microsoft Entra capabilities in ITDR, phishing-resistant authentication, access control, and identity verification. The article also stresses the growing importance of managing AI and non-human identities through continuous, context-aware enforcement.

🔄 Amazon WorkSpaces now supports WorkSpace Migration for all Linux operating systems offered by the service, enabling seamless migration between Linux OS versions and distributions. The feature automatically transfers user data from a Linux WorkSpace’s home directory to the new WorkSpace, removing the need for manual data copying. Supported in AWS commercial and AWS GovCloud (US) Regions where WorkSpaces Personal is available, the capability helps streamline OS upgrades and migrations without disrupting end users.