Cloud Hardening, Rapid Patch Timelines, and Active Exploits
Coverage: 26 May 2026 (UTC)
< view all daily briefs >Cloud platforms shipped notable resilience and containment features, while policymakers pressed for faster remediation and new advisories targeted critical industrial and medical systems. Investigators detailed large-scale repository tampering and SaaS-focused breaches, and researchers tracked phishing services that intercept credentials in real time. Together, the updates underscore the need to shorten response windows, harden defaults, and scrutinize developer and backup workflows.
Cloud Resilience and Containment Upgrades
AWS RDS enabled ENA Express for Multi-AZ replication traffic, using the Scalable Reliable Datagram transport to distribute writes across multiple network paths, apply advanced congestion control, and provide multi-pathing. The change targets the synchronous replication layer to the standby, improving write throughput and lowering write latency variability—especially for high-availability, write-intensive workloads. Support spans Amazon RDS for MariaDB, MySQL, PostgreSQL, Db2, and Oracle at no additional charge across broad AWS Regions; existing instances can opt in via start–stop or compute scaling, subject to supported instance types. In parallel, GuardDuty Malware Protection for AWS Backup now scans Amazon S3 continuous backups to identify clean point‑in‑time recovery targets. Customers can select full or incremental scans, initiate on‑demand scans at any restorable time, and query status with the new GetPITRMalwareScanResults API to verify backup integrity before restore.
EC2 M8i and M8i‑flex instances arrived in AWS GovCloud (US‑East), bringing custom Intel Xeon 6 processor–based general‑purpose compute to regulated workloads. AWS cites up to 15% better price‑performance and 2.5x memory bandwidth over prior Intel‑based generations, with workload gains including up to 30% faster PostgreSQL, 60% faster NGINX, and 40% higher AI recommendation performance. M8i‑flex targets common sizes and underutilized compute, while M8i offers 13 sizes, SAP certification, two bare‑metal options, and a new 96xlarge for large applications.
Microsoft Defender for Endpoint introduced a preview capability to automatically isolate suspected compromised endpoints. The feature cuts general network connectivity to limit lateral movement, ransomware spread, and exfiltration, while maintaining the device’s connection to the Defender service for monitoring and remediation. Isolation applies to onboarded end‑user workstations and can be released by security operators after investigation, extending Defender’s containment toolkit to shorten response times.
Networks Built for AI Workloads
Google blog detailed a re‑architected fabric for AI‑scale computing, treating multiple campuses as pooled resources and anchoring an AI Hypercomputer with decoupled domains: a scale‑up campus network, an east‑west accelerator fabric, and the Jupiter frontend. The Virgo Network, a scale‑out fabric using high‑radix switches, a flat two‑layer topology, and multi‑planar control, delivers high bisection bandwidth, low latency, hardware‑level fault isolation, and cross‑data‑center expansion. Demonstrated with TPU 8t, Google reports per‑accelerator bandwidth gains, reduced unloaded fabric latency, and near‑linear scaling toward million‑chip logical clusters. Reliability features include autonomous hang detection, fast fault localization, and sub‑millisecond telemetry to catch microbursts and reduce recovery time. Across the WAN, a multi‑shard global network with regional isolation and Protective Reroute aims for beyond‑nines reliability and fair QoS for cross‑site training. AI‑native Cloud Interconnect supports 400 Gbps links scaling in 3.2 Tbps increments to cut data‑transfer idle time, backed by a footprint of 10+ million km of fiber, 43 cloud regions, and 200+ edge locations for latency‑sensitive inference.
Policy, Patch Deadlines, and ICS Risks
CERT‑In guidance urges accelerated vulnerability response aligned to AI‑driven attack speed, setting indicative expectations to contain or remediate known‑exploited vulnerabilities on internet‑facing and crown‑jewel systems within 12 hours. Timelines include one day for critical externally exposed flaws, three days for critical internal issues on high‑value systems, and five days for other high‑severity problems. The blueprint recommends prioritization via KEV and EPSS, interim mitigations where patches are unavailable, and broader posture measures—governance, zero‑trust, AI‑aware SOC operations, and software/AI BOMs—implemented in phases. The existing six‑hour incident reporting requirement is reiterated, with the timelines positioned as operational priorities rather than binding deadlines.
CISA order directs federal agencies to remediate an actively exploited Drupal SQL injection (CVE‑2026‑9082) in the database abstraction API affecting PostgreSQL‑backed sites. The unauthenticated flaw can enable data disclosure, privilege escalation, and possibly remote code execution; Drupal released patches and confirmed exploitation. Shadowserver observed nearly 670 unpatched instances online, and the vulnerability was added to CISA’s KEV under Binding Operational Directive 22‑01. Private‑sector organizations are strongly urged to prioritize vendor mitigations or discontinue affected deployments if necessary.
ABB zenon Remote Transport was reported with missing authentication (CWE‑306) in the zensyssrv.exe service, allowing a remote system reboot when network access to the affected system exists. ABB reports no evidence of in‑the‑wild exploitation and recommends restricting exposure, isolating control networks, disabling the service if not needed, and using secure remote access such as up‑to‑date VPNs. Separately, Eppendorf BioFlo 320 devices expose a critical VNC service with a hard‑coded password (CWE‑259) and unencrypted traffic (CVSS 9.8). A Version 5.0 update permanently removes VNC access; users should verify VNC remains disabled and restrict configuration changes to appropriate roles. CISA reiterates minimizing internet exposure, segmenting control systems, and conducting impact analysis before applying mitigations.
Intrusions, Supply Chain, and Phishing Tactics
GitHub campaign tracking by SafeDep found “Megalodon,” which over six hours injected 5,718 malicious commits into 5,561 repositories by abusing compromised credentials to modify Actions workflows without pull requests. Attackers used forged automated author identities and two payload families—SysDiag variants with obfuscated bash, and Optimize‑Build variants relying on workflow_dispatch—to harvest CI‑exposed secrets, including cloud credentials and OIDC tokens, exfiltrating to 216.126.225.129:8443. Indicators of compromise and remediation steps include reviewing workflow runs, flagging unexpected workflow_dispatch executions, and auditing federated cloud token requests.
KnowledgeDeliver deployments investigated by Mandiant were compromised via CVE‑2026‑5426, an unauthenticated ViewState deserialization bug rooted in identical, hard‑coded ASP.NET machineKey values across customers. With the shared key, attackers signed malicious ViewState payloads for remote code execution, injected scripts to lure users into a fake installer that dropped a Cobalt Strike beacon, and deployed the Godzilla (BlueBeam) web shell. Attackers also modified application JavaScript to prompt installing a “security authentication plugin,” fetching additional staged code. Organizations with versions deployed before February 24, 2026 are at particular risk; unique machine keys, hardened defaults, and monitoring for anomalous signed ViewState activity are emphasized.
Charter Communications confirmed a breach after appearing on ShinyHunters’ leak site; the group claims 40 million records exfiltrated via a vishing‑enabled Microsoft Entra compromise and Salesforce data export. Charter said it is notifying authorities and reported that no sensitive PI or CPNI was exfiltrated. In a related case, 7‑Eleven reported unauthorized access to systems storing franchisee documents; ShinyHunters claimed a 9.4GB leak, and Have I Been Pwned associated exposed data with 185,300 people. Both incidents reflect risks from social engineering against SSO and access to connected SaaS platforms.
FBI guidance highlights “Kali365,” a phishing‑as‑a‑service that abuses Microsoft’s device code flow to obtain OAuth tokens for Outlook, Teams, OneDrive, and more—bypassing passwords and many MFA prompts. Recommended mitigations include blocking device code flow via Microsoft Entra conditional access (with appropriate break‑glass exclusions), adopting phishing‑resistant MFA, reviewing device code flow usage, and user training. Complementing this, GTIG research details Chinese PhaaS offerings that move to live credential interception with real‑time OTP capture, use encrypted messaging channels for lures, leverage AI‑generated pages and browser automation, and monetize via card provisioning and bespoke brokerage templates.
TrapDoor, tracked by Socket, spans npm, PyPI, and Crates.io with 34+ malicious packages and hundreds of variants designed to steal developer secrets via postinstall, import‑time, and build scripts. The campaign also manipulates files used by coding assistants to influence assistant behavior toward secret discovery, underscoring the need to treat developer endpoints as production‑adjacent with allowlisting, install‑time scanning, least‑privilege credentials, and zero‑trust controls. Separately, FortiGuard Labs analyzed a phishing wave delivering a fileless PureLogs variant via obfuscated JavaScript, staged PowerShell, and process hollowing into MsBuild.exe. The in‑memory plugin system harvests browser credentials, cookies, autofill data, Discord tokens, and cryptocurrency wallets, encrypting and exfiltrating data over HTTP POST, complicating detection and response.