WEEKLY TOP TEN: May 18, 2026, 16:00 GMT
- Trend Micro Apex One Zero-Day Actively Exploited in the Wild
Trend Micro patched a directory traversal zero-day tracked as CVE-2026-34926 in its Apex One on-premises endpoint protection platform. The vulnerability allows a local attacker with admin credentials to inject malicious code into agents across affected installations. The flaw was discovered internally by Trend Micro’s own incident response team, and while no public attribution has been made, the level of access required is consistent with past APT activity targeting the platform. Additional high-severity privilege escalation vulnerabilities were also addressed in the same update cycle. Admins are urged to patch on-premises deployments immediately.

- Drupal Critical SQL Injection Flaw Now Actively Targeted in Attacks
Drupal issued an emergency patch on May 20 for CVE-2026-9082, a highly critical SQL injection vulnerability affecting Drupal Core. Attackers began exploiting it within 48 hours of patch release, with security firms observing attacks against thousands of websites. The flaw can be exploited without authentication for information disclosure, privilege escalation, and remote code execution. CISA subsequently added the vulnerability to its Known Exploited Vulnerabilities catalog. Organizations running affected versions of Drupal are urged to apply the patch immediately, as mass exploitation is already underway across a broad range of sites.

- GitHub Confirms Breach of 3,800 Internal Repositories
GitHub confirmed that approximately 3,800 internal repositories were breached after an employee installed a malicious version of the Nx Console VS Code extension, which had been compromised as part of the TanStack npm supply-chain attack. The trojanized extension exfiltrated credentials from the affected device. GitHub removed the extension from the VS Code marketplace and isolated the compromised endpoint. The TeamPCP threat group behind the campaign also targeted Trivy, Checkmarx, and Bitwarden CLI, suggesting a coordinated effort to compromise developer toolchains across multiple ecosystems.

- CISA Contractor Exposes Credentials, Tokens, and AWS Keys
A contractor working with CISA left a public GitHub repository containing plaintext passwords, private keys, GitHub tokens, AWS secrets, and an explicit guide for disabling GitHub’s secret scanning. The repository included directories with names such as “All Backups” and files named things like “Important AWS Tokens.txt.” CISA confirmed awareness of the exposure and opened an investigation. The incident was flagged by an independent researcher who initially dismissed the repository as too suspicious to be real. The breach exposed serious credential hygiene failures within contractor infrastructure supporting the United States’ top cybersecurity defense agency.

- Cisco Patches Maximum Severity Flaw in Secure Workload Platform
Cisco patched a maximum severity vulnerability (CVE-2026-20223, CVSS 10.0) in its Secure Workload product, caused by insufficient validation and authentication in REST API endpoints. An attacker who sends a crafted API request can gain Site Admin privileges, allowing them to read sensitive data and modify configurations across tenant boundaries. The flaw affects both SaaS and on-premises deployments of Cisco Secure Workload, regardless of device configuration. Cisco says the issue does not affect the web-based management interface, only internal REST APIs. No active exploitation has been confirmed, but the perfect CVSS score demands urgent patching across all affected deployments.

- First VPN Cybercrime Service Seized, Used by 25 Ransomware Groups
An international law enforcement operation dismantled First VPN, a dark web VPN service active since 2014 that the FBI confirmed had been used by at least 25 ransomware groups for network reconnaissance and intrusions. Europol and partners seized 33 servers linked to the service, which advertised itself on Russian-language cybercrime forums. IP addresses associated with First VPN were tied to scanning operations, botnets, denial-of-service attacks, and hacking campaigns. The administrator was arrested and the service’s infrastructure was fully disrupted. The FBI published indicators of compromise and MITRE ATT&CK mappings to assist defenders in identifying any prior exposure to the network.

- Microsoft Warns of New Defender Zero-Days UnDefend and RedSun Exploited in Attacks
Microsoft began rolling out patches for two Microsoft Defender zero-day vulnerabilities — UnDefend and RedSun — that were already being actively exploited in the wild. UnDefend allows attackers with standard user permissions to block Defender definition updates, effectively disabling antivirus protection. RedSun is a local privilege escalation flaw that Microsoft silently patched without initially assigning a CVE identifier. Both vulnerabilities were publicly disclosed by disgruntled researcher Chaotic Eclipse (also known as Nightmare Eclipse) in protest of Microsoft’s vulnerability disclosure process. All three previous disclosures from the same researcher — BlueHammer, YellowKey, and GreenPlasma — were also exploited in attacks.

- TanStack Weighs Invitation-Only Pull Requests After Supply Chain Attack
Following a damaging supply chain breach, TanStack is evaluating a shift to invitation-only pull requests, a significant departure from its open-contribution model. Attackers from the TeamPCP group exploited TanStack’s use of the pull_request_target feature, triggering a malicious workflow that poisoned a GitHub Actions cache, compromising 84 package versions across 42 @tanstack/* packages. Stolen credentials included GitHub tokens, cloud secrets, npm keys, and CI/CD authentication material. The campaign appears linked to earlier Mini Shai-Hulud attacks, and the TanStack team noted that GitHub’s cache scoping in Actions contributed to the vulnerability’s impact.

- Ghostwriter APT Targets Ukrainian Government
The Belarus-linked threat group Ghostwriter, also tracked as UAC-0057 and UNC1151, targeted Ukrainian government agencies with phishing emails delivering malware and Cobalt Strike payloads using the Prometheus post-exploitation framework. The campaign sought to compromise government entities and exfiltrate sensitive information aligned with Russian intelligence interests. CERT-UA issued an alert warning affected organizations of the active campaign. The group has a documented history of influence operations and cyberespionage against Ukraine and EU governments. Security teams in government sectors are advised to review email filtering policies and endpoint detection rules for Cobalt Strike indicators.

- Cisco SD-WAN Zero-Day CVE-2026-20182 Sixth Exploited in 2026
Cisco patched yet another SD-WAN zero-day, CVE-2026-20182, exploited in targeted attacks by sophisticated threat actor UAT-8616. The vulnerability exists because the peering authentication mechanism in affected Catalyst SD-WAN Controller systems does not function properly, allowing attackers to send crafted requests to gain unauthorized peering access. CISA added the flaw to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch by May 17. Cisco urged all organizations to review logs from any internet-exposed SD-WAN Controller systems for signs of unauthorized access. This marks the sixth actively exploited Cisco SD-WAN zero-day in 2026, a troubling pattern for network infrastructure defenders.
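The pull_request_target misuse described in the TanStack item above, as an added illustration that is not TanStack's own workflow: a weak GitHub Actions configuration that checks out and runs pull-request code with the base repository's privileges, beside a hardened version that runs untrusted code only under the unprivileged pull_request event. The workflow names and the Node setup steps are assumptions.

```yaml
# File 1 (weak): pull_request_target runs in the base repository's context,
# with its secrets and a write-capable GITHUB_TOKEN, yet checks out and then
# executes files controlled by the untrusted pull request head.
name: ci-weak
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # PR-controlled tree
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm    # a cache saved by this privileged run is scoped to the
                        # base branch and restored by later trusted runs
      - run: npm ci && npm test   # package.json scripts from the PR execute here
---
# File 2 (hardened): untrusted PR code runs under the plain pull_request
# event, which gives fork PRs no repository secrets and a read-only token.
# If pull_request_target is genuinely needed (e.g. to label PRs), that job
# must never check out or execute PR-controlled files.
name: ci-hardened
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # default ref: the PR merge commit, unprivileged
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm
      - run: npm ci && npm test
```

When migrating, treat any secret that a pull_request_target workflow could have reached as exposed and rotate it, and clear caches written while the weak workflow was active.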
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The 10 stories above were judged the most significant of the week, ranked by risk, using multiple sources where available.