
AWS Governance Upgrades, CISA Supply Chain Alert, Critical Gogs RCE
Coverage: 28 May 2026 (UTC)
Cloud providers shipped governance and filtering upgrades as governments tightened response expectations and defenders confronted fresh supply chain compromises and critical vulnerabilities. AWS introduced new resilience, traffic control, and visibility capabilities, while India’s CERT-In set aggressive containment clocks for exposed assets. CISA detailed developer ecosystem intrusions, researchers warned of an unpatched Gogs RCE, and ransomware operators and OT/IoT flaws kept pressure on enterprise and public-sector teams.
Cloud Governance and Control on AWS
AWS made the next generation of AWS Resilience Hub generally available, adding a three-level application model (systems, user journeys, services), automated dependency discovery, and generative AI–assisted failure mode analysis aligned to Well-Architected guidance and organization policies. In parallel, AWS Organizations began emitting CloudTrail events for account membership changes, enabling centralized, auditable monitoring of joins and departures to strengthen cross-account governance and incident response workflows.
For network egress control, AWS introduced URL and domain category filtering in Network Firewall, so policies can reference AWS-managed categories (for example AI/ML, social networking, gambling) instead of hand-maintained lists; domain filtering matches the TLS SNI without decryption, while URL filtering requires TLS inspection because the path is only visible inside the encrypted request. In regulated environments, Amazon DynamoDB Streams gained PrivateLink support for FIPS endpoints in GovCloud and select regions, giving VPCs private connectivity without public internet exposure for compliant change data capture (CDC) and real-time architectures.
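To make the SNI-versus-URL distinction concrete, here is an added example (not AWS code) of what an SNI-based filter actually reads: the host_name from an unencrypted ClientHello. The blocked set stands in for a managed category, the hostnames and the ClientHello bytes are constructed for the demonstration, and the no-SNI branch (bare IP, legacy client, Encrypted Client Hello) is the case an operator has to choose a default action for, since there is nothing to match.

```python
"""Extract the Server Name Indication from a raw TLS ClientHello.

Added illustration, not AWS Network Firewall code: an SNI filter sees the
hostname in cleartext; the URL path only exists inside the encrypted HTTP
request, so URL filtering needs TLS inspection.
"""
import struct
from typing import Optional


def _u16(b: bytes, off: int) -> int:
    return struct.unpack_from("!H", b, off)[0]


def extract_sni(record: bytes) -> Optional[str]:
    """Return host_name from a TLS ClientHello record, or None if absent/malformed."""
    # TLS record header: type(1) version(2) length(2); 0x16 = handshake
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + _u16(record, 3)]
    # Handshake header: msg_type(1) length(3); 1 = ClientHello
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    off = 2 + 32                                   # client_version + random
    if off >= len(body):
        return None
    sid_len = body[off]; off += 1 + sid_len        # session_id
    cs_len = _u16(body, off); off += 2 + cs_len    # cipher_suites
    cm_len = body[off]; off += 1 + cm_len          # compression_methods
    if off + 2 > len(body):
        return None                                # no extensions block at all
    ext_total = _u16(body, off); off += 2
    end = min(off + ext_total, len(body))
    while off + 4 <= end:
        ext_type, ext_len = _u16(body, off), _u16(body, off + 2)
        off += 4
        if ext_type == 0x0000:                     # server_name extension
            p = off + 2                            # skip ServerNameList length
            while p + 3 <= off + ext_len:
                name_type, name_len = body[p], _u16(body, p + 1)
                p += 3
                if name_type == 0:                 # host_name
                    return body[p:p + name_len].decode("ascii", "replace")
                p += name_len
        off += ext_len
    return None


def build_client_hello(host: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello (test input, not a real capture)."""
    exts = b""
    if host is not None:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sn_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sn_list)) + sn_list
    body = (b"\x03\x03" + bytes(32)                # version + random
            + b"\x00"                              # empty session id
            + b"\x00\x02\xc0\x2f"                  # one cipher suite
            + b"\x01\x00"                          # null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Placeholder for an AWS-managed category (constructed hostnames, not a real list)
BLOCKED_CATEGORY = {"gambling-site.example", "socialnet.example"}


def sni_filter_decision(record: bytes) -> str:
    """Decide allow/block on SNI alone; 'no-sni' is the case needing a default action."""
    host = extract_sni(record)
    if host is None:
        return "no-sni"
    return "block" if host.lower() in BLOCKED_CATEGORY else "allow"
```

Note that the decision function never sees a URL path: a request for `https://socialnet.example/` and one for `https://socialnet.example/some/other/path` produce identical ClientHellos, which is why per-URL policy needs the TLS inspection path described above.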
AWS also announced the next generation of OpenSearch Serverless, emphasizing rapid autoscaling (up to 20x faster than before), a decoupled compute and shared storage layer, scale-to-zero, and pay-per-usage pricing. New networking via collection-level and regional endpoints aims to simplify multi-VPC and on-premises connectivity for search and vector use cases powering agents and AI applications.
Software Supply Chain and Developer Ecosystems Under Fire
CISA warned of software supply chain compromises spanning CI/CD pipelines, code extensions, and repository workflows, highlighting a malicious Nx Console VS Code extension update and GitHub workflow tampering dubbed “Megalodon.” The advisory adds the malicious extension (CVE-2026-48027) to the KEV Catalog and provides guidance on detection, secret rotation, and hardening of update and workflow processes. Details and recommendations are in the CISA alert.
Rapid7 disclosed a critical, unpatched RCE in the open-source Git service Gogs that allows any authenticated user to execute arbitrary code via argument injection during a rebase merge, risking full server compromise and cross-tenant repository exposure. Mitigations include disabling registration, restricting repo creation, and auditing or disabling rebase merging while awaiting a fix. See coverage at Hacker News.
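The Rapid7 finding above is an instance of argument injection into a git command line. As an added illustration of the bug class, not Gogs' code and not the specific Gogs vector, the following Python shows the general pattern: a ref name taken from a request is appended to a git argv, and a value beginning with `-` is parsed by git as an option (`git rebase --exec <cmd>` runs `<cmd>` in a shell). Beside it is a hardened version that validates the name against git's ref-name rules and places it after `--end-of-options` (Git 2.24+) so it can never be read as a flag. The helper names are mine.

```python
"""Argument injection into a git subprocess: vulnerable pattern beside a hardened one.

Added example of the bug class; it does not reproduce Gogs' code. Nothing is
executed here: the functions only build argv so the injection is visible.
"""
import re
from typing import List

# Approximation of git-check-ref-format: no control chars or space, none of
# ~ ^ : ? * [ \ , no '..', no '@{'. Leading '-' and '/' and trailing '/' '.'
# '.lock' are rejected separately below.
_FORBIDDEN = re.compile(r"[\x00-\x20\x7f~^:?*\[\\]|\.\.|@\{")


def is_valid_refname(name: str) -> bool:
    if not name or name.startswith(("-", "/")) or name.endswith(("/", ".", ".lock")):
        return False
    return _FORBIDDEN.search(name) is None


def rebase_args_vulnerable(base_branch: str) -> List[str]:
    """User value placed directly after the verb: a leading '-' becomes an option."""
    return ["git", "rebase", base_branch]


def rebase_args_hardened(base_branch: str) -> List[str]:
    """Validate first, then terminate option parsing before the user value."""
    if not is_valid_refname(base_branch):
        raise ValueError(f"rejected ref name: {base_branch!r}")
    return ["git", "rebase", "--end-of-options", base_branch]


def injected_options(argv: List[str]) -> List[str]:
    """Elements after the verb that git's option parser would treat as flags."""
    opts = []
    for arg in argv[2:]:
        if arg == "--end-of-options":
            break
        if arg.startswith("-"):
            opts.append(arg)
    return opts


def hardened_rejects(name: str) -> bool:
    """True if the hardened builder refuses the name (used by the demonstration)."""
    try:
        rebase_args_hardened(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    attacker_value = "--exec=id"          # constructed input, a benign command
    print(injected_options(rebase_args_vulnerable(attacker_value)))   # ['--exec=id']
    print(hardened_rejects(attacker_value))                            # True
    print(rebase_args_hardened("feature/login"))
```

Validation is the primary control; `--end-of-options` is defence in depth for the case where a name slips through, and the two together cover the interim mitigation the page describes (limit who can trigger the code path) with a code-level fix once one is available.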
Wiz reported a financially motivated cluster, Jinx-0164, targeting macOS crypto developers through LinkedIn lures and staged calls that deliver the Python-based Audiofix stealer and later a MINIRAT backdoor via supply chain paths. The group abuses harvested GitHub tokens to access CI/CD systems and inject malicious commits to propagate through trusted builds. Findings are summarized by InfoSecurity.
ESET documented BTMOB, an Android RAT offered as a malware-as-a-service with an APK builder that generates customized phishing payloads and abuses Accessibility Services for control, data theft, and transaction interception. Campaigns have used lookalike sites targeting Latin America and offer evasion options like icon hiding and disabling Google Play. Details are provided by BleepingComputer.
Active Exploitation, Ransomware, and Critical Fixes
Microsoft analyzed The Gentlemen ransomware, a Go-based RaaS used by Storm-2697 affiliates, detailing obfuscation, per-file ephemeral keys with XChaCha20, lateral movement support, and a pre-encryption routine that disables protections, deletes shadow copies, and terminates targeted processes. The post provides detections, hunting queries, and IOCs to help defenders. See the Microsoft blog.
Arctic Wolf observed active exploitation of a pre-auth API bypass in FortiClient EMS (CVE-2026-35616) to push a malicious Windows stealer across managed endpoints, exfiltrating browser-stored credentials and cookies. Fortinet addressed the issue in EMS 7.4.7 and later; organizations should patch, audit EMS changes, and monitor for unusual POST activity. Technical details are in Hacker News.
CISA issued an ICS advisory for KMW CCTV cameras describing a critical unauthenticated password reset flaw that allows remote takeover of camera feeds and settings. Vendor firmware updates are available; CISA urges immediate patching, segmentation, restricted internet access, and use of VPNs where remote access is required. See the KMW advisory.
Cisco Talos examined how malformed DICOM files can trigger heap overflows through common libraries (pydicom, GDCM) and impact Orthanc servers during imaging ingestion, underscoring risks in PACS workflows exposed to untrusted inputs. The report outlines root causes and defensive hardening. Read the Talos blog.
Policy Shifts, Major Breaches, and Event Risk
India’s CERT-In issued a blueprint urging faster vulnerability containment tied to asset exposure and criticality, including a 12-hour containment target for certain internet-facing, high-value systems where feasible, and one-, three-, and five-day windows for other classes. The framework emphasizes continuous exposure management and compensating controls when patching is impractical. Coverage is available at CSO Online.
Microsoft reiterated support for Coordinated Vulnerability Disclosure after a researcher publicly released multiple Windows zero-days with PoC code, noting some flaws are being actively exploited. The company said its teams are analyzing impact, deploying mitigations, and preparing updates. More in Hacker News.
Carnival Corporation disclosed a data breach affecting nearly 6 million people after social engineering led to account compromise and data exfiltration in April 2026. The company engaged third-party experts and began notifications; analysts highlighted the continued effectiveness of social engineering and the need for stronger identity protections. Details via BleepingComputer.
With the 2026 FIFA World Cup approaching, Unit 42 outlined likely threats from Iran-affiliated disruptors, pro-Russian hacktivists, and financially motivated crime targeting fans and hospitality supply chains. The report calls for coordinated protections across IT and OT supporting municipal services. Read the Unit 42 assessment.
The FBI described the Silent Ransom Group’s expanded use of tech support impersonation to obtain remote or in-person access to employee workstations, then exfiltrate data for extortion. Indicators include unauthorized remote tools, hidden Rclone usage, and unusual transfers to external services. Recommendations and context are summarized by CSO Online.
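Two items in this brief name host-level behaviours a defender can hunt for: the pre-encryption routine in the Microsoft analysis of The Gentlemen (shadow copy deletion and protection tampering) and the FBI's Silent Ransom Group indicators (unauthorized remote tools, renamed Rclone, bulk transfers to external storage). The following is an added example, not the detections Microsoft or the FBI published, run over a constructed set of Sysmon-style process-creation records so it executes offline. The remote-tool deny list is a placeholder for an organization's own list of unapproved remote-access software.

```python
"""Hunt pre-encryption and data-staging indicators in process-creation telemetry.

Added example; the events below are constructed and not from any real incident.
"""
import re
from typing import Dict, List

# Constructed Sysmon Event ID 1-style records
EVENTS: List[Dict[str, str]] = [
    {"host": "ws-0412", "user": "CORP\\jsmith", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet", "parent": "C:\\Users\\Public\\svc.exe"},
    {"host": "ws-0412", "user": "CORP\\jsmith", "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no", "parent": "C:\\Users\\Public\\svc.exe"},
    {"host": "ws-0418", "user": "CORP\\abrown", "image": "C:\\Users\\abrown\\AppData\\Local\\Temp\\svchost.exe",
     "cmdline": "svchost.exe copy \"C:\\Finance\" remote:backup --transfers 32 -q", "parent": "explorer.exe"},
    {"host": "ws-0418", "user": "CORP\\abrown", "image": "C:\\Users\\abrown\\Downloads\\remote-support-client.exe",
     "cmdline": "remote-support-client.exe", "parent": "msedge.exe"},
    {"host": "srv-fs01", "user": "CORP\\backupsvc", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows", "parent": "C:\\Program Files\\Backup\\agent.exe"},
    {"host": "ws-0420", "user": "CORP\\cwhite", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe notes.txt", "parent": "explorer.exe"},
]

# Shadow copy deletion via vssadmin, wmic, or WMI from PowerShell
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|Win32_ShadowCopy.*\.Delete\(\)", re.I)
# Recovery tampering that commonly precedes encryption
RECOVERY_TAMPER = re.compile(
    r"bcdedit(\.exe)?\s+/set\s+\{(default|current)\}\s+"
    r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"
    r"|wbadmin(\.exe)?\s+delete\s+catalog", re.I)
# Rclone by command-line shape, so a renamed binary still matches:
# a transfer verb plus a "remote:path" target (drive letters and URLs excluded),
# or rclone-specific flags.
RCLONE_VERB = re.compile(r"\b(copy|sync|move|copyto|moveto)\b", re.I)
RCLONE_REMOTE = re.compile(r"(?:^|\s)(?![A-Za-z]:[\\/])[A-Za-z0-9_-]{2,}:(?!//)\S*")
RCLONE_FLAGS = re.compile(
    r"\s--(transfers|config|bwlimit|ignore-existing|max-age|no-check-certificate)\b", re.I)
# Placeholder: the organization's list of unapproved remote-access tool binaries
REMOTE_TOOL_NAMES = {"remote-support-client.exe"}


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the rule names a single process-creation event triggers."""
    cmd = event["cmdline"]
    image = event["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    hits = []
    if SHADOW_DELETE.search(cmd):
        hits.append("shadow_copy_deletion")
    if RECOVERY_TAMPER.search(cmd):
        hits.append("recovery_tampering")
    rclone_shape = bool(RCLONE_VERB.search(cmd) and RCLONE_REMOTE.search(cmd)) or bool(RCLONE_FLAGS.search(cmd))
    if image == "rclone.exe":
        hits.append("rclone_transfer")
    elif rclone_shape:
        hits.append("rclone_like_transfer_renamed")
    if image in REMOTE_TOOL_NAMES:
        hits.append("unapproved_remote_tool")
    return hits


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Evaluate every event, then add a per-host correlation for the pre-encryption sequence."""
    findings, per_host = [], {}
    for e in events:
        for rule in evaluate(e):
            findings.append({"host": e["host"], "user": e["user"], "rule": rule, "cmdline": e["cmdline"]})
            per_host.setdefault(e["host"], set()).add(rule)
    for host, rules in per_host.items():
        if {"shadow_copy_deletion", "recovery_tampering"} <= rules:
            findings.append({"host": host, "user": "-", "rule": "pre_encryption_sequence", "cmdline": "-"})
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"{f['host']:9} {f['rule']:28} {f['cmdline']}")
```

The per-host correlation matters more than any single rule: `vssadmin list shadows` from a backup agent is normal, a lone `bcdedit` change may be an administrator, but shadow deletion plus recovery tampering on one workstation in a short window is the sequence the Microsoft analysis describes and should page someone. The Rclone rule keys on command-line shape rather than the file name precisely because the FBI notes the binary is hidden or renamed.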
The Play ransomware group listed MyPillow on its leak site; the company’s CEO denied any breach and said no ransom demand was received. The report notes that outsourcing data to third parties does not eliminate risk and that supplier security remains critical. Coverage from Bitdefender.