Miasma Hits RedHat, Active VPN Exploitation, Signal Backup Phishing

Brad Slavin, General Manager

Quick Answer

Cybersecurity threats surged this week with the Red Hat Miasma supply-chain attack, active VPN exploits, Signal phishing scams, and major data leaks. Organizations should patch systems, rotate credentials, and strengthen phishing defenses immediately.

Cybersecurity News

Red Hat npm Packages Hit by “Miasma” Supply Chain Attack

In one of the most technically alarming stories of the week, a significant supply chain attack on June 1, 2026, targeted over 30 official packages under the @redhat-cloud-services npm scope. The campaign, dubbed “Miasma: The Spreading Blight,” is a new variant of the Mini Shai-Hulud malware family — a sophisticated credential-stealing worm previously linked to the threat actor group TeamPCP. This was not a typosquatting campaign. The attackers hijacked a legitimate, trusted npm namespace and published backdoored versions of widely used frontend components, API clients, and developer tooling.

Investigation revealed that at least 32 package releases contained unauthorized modifications. These packages cumulatively average approximately 80,000 weekly downloads.

The malware enumerates the repositories that a harvested GitHub token can write to, reads workflow files via GraphQL, and commits a malicious workflow so that the commit appears as a verified, signed change. It also checks for endpoint protection from CrowdStrike, SentinelOne, and Carbon Black before commencing its malicious actions.

Any developer or organization that installed affected @redhat-cloud-services package versions on or after June 1 should immediately treat all GitHub tokens, npm tokens, and cloud credentials as compromised.

Palo Alto Networks GlobalProtect VPN Actively Exploited — Patch Now

Hackers began exploiting CVE-2026-0257, a high-severity authentication bypass vulnerability in Palo Alto Networks PAN-OS GlobalProtect, just four days after public disclosure. The security defect allows attackers to bypass restrictions and establish VPN connections to vulnerable appliances. Palo Alto Networks released fixes for the bug on May 13, and on Friday updated its advisory to warn that threat actors are actively exploiting the flaw in the wild. The threat actor successfully exploited CVE-2026-0257 across multiple environments, probing the authentication bypass using forged cookies. In eight out of ten cases, the cookies were accepted without a full VPN session being established.

CISA added the vulnerability to its Known Exploited Vulnerabilities catalog. Organizations running Palo Alto firewalls with GlobalProtect portal or gateway enabled should apply patches immediately and check for signs of unauthorized VPN connections.

Signal Users Targeted in Sophisticated Backup-Stealing Phishing Campaign

Hackers are targeting Signal users in an attempt to steal their chat backups as part of a new hacking campaign. In this particular case, the hackers are pretending to be Signal’s support team to exploit the target’s trust in the app and the organization behind it.

The scheme, first reported in late May 2026, impersonates “Signal Support” with fraudulent messages warning of imminent data loss due to a fabricated “sync issue.” Victims receive direct messages from an unverified account labeled “Signal Support,” urging them to act quickly to avoid permanent data loss.

Journalist Josh Rogin noted that several anti-Chinese Communist Party activists received this malicious message. The director at Access Now’s Digital Security Helpline confirmed that two additional people shared similar messages — and neither was a Chinese activist — suggesting the campaign could be more widespread, targeting journalists, dissidents, and human rights defenders.

Signal has clarified that it will never reach out to users first and will never ask for a registration code, PIN, or recovery key. Any such message is malicious. Users should enable additional security measures and ignore any unsolicited contact claiming to be from Signal Support.

Fake UK Visa Portal Leaks 100,000 Passports and Selfies

A website named “UK Visa Portal” publicly exposed its users’ sensitive information, including passport pages and photographs. Primary passport pages exposing full names, passport numbers, nationalities, dates of birth, places of birth, and issue and expiry dates were included in the leak, but accompanying documents also provided home addresses, contact numbers, and email addresses. TechCrunch reports at least 100,000 documents were available without restrictions, and as of May 26, 2026, the issue had still not been addressed.

The exposed files were stored in an AWS S3 bucket. Rather than fixing the issue, the company reportedly sent attorneys in response to disclosure attempts.

Critically, this is not an official UK government website. The site requires applicants to upload sensitive documents and pay a fee, giving it an air of legitimacy. Anyone who used this service should remain alert to targeted phishing and identity fraud attempts using their exposed passport details.

Trump Mobile Confirms Customer Data Exposure

Phone provider Trump Mobile confirmed that it was exposing customers’ names, email addresses, mailing addresses, cell numbers, and order identifiers to the open internet. The company said the exposure was linked to a third-party platform provider that supports “certain Trump Mobile operations,” and that no breach of Trump Mobile’s network, systems, or infrastructure had occurred.

The incident was characterized as a data leak rather than a targeted hack, involving an open data exposure that allows unauthorized access to a company database. The security flaw was brought to light by independent researchers who confirmed that their own personal information was accessible online after purchasing the company’s flagship hardware.

The Trump Mobile case highlights a recurring and dangerous pattern: companies placing excessive trust in third-party providers without adequate contractual security obligations or vendor monitoring.

ChatGPT Vulnerability “ChatGPhish” Used to Launch Prompt Injection Phishing Attacks

Cybersecurity researchers disclosed details of a vulnerability in OpenAI ChatGPT that leverages the AI assistant’s implicit trust in Markdown links and images to trigger prompt injections and open the door to phishing attacks. The technique has been codenamed ChatGPhish by Permiso Security. “The chatgpt.com response renderer trusts Markdown links and Markdown image URLs that originated from a third-party page the assistant has just summarized. It auto-fetches those images and surfaces those links as live, clickable elements inside the trusted assistant UI,” security researcher Andi Ahmeti said.

This is a particularly insidious vulnerability because the phishing content is delivered through a trusted, AI-generated interface — making it far more convincing than a traditional suspicious link. Users relying on ChatGPT to summarize documents or web pages should be aware that summarized content could be weaponized to inject malicious links into their AI sessions. Cybersecurity experts stress that implementing DMARC, DKIM, and SPF is essential to prevent email spoofing, phishing attacks, and domain impersonation.
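The mitigation the ChatGPhish finding points to sits in the renderer: Markdown that arrived via a summarized third-party page should not become auto-fetched images or live links. The following is an added example, not Permiso's or OpenAI's code; it drops image embeds from untrusted spans and demotes links whose host is not on an assumed allowlist to inert text, and the sample summary is constructed.

```python
import re
from urllib.parse import urlparse

# Markdown image ![alt](url "title") and link [text](url "title") syntax.
IMAGE_RE = re.compile(r'!\[([^\]]*)\]\(([^)\s]+)(?:\s+"[^"]*")?\)')
LINK_RE = re.compile(r'(?<!!)\[([^\]]*)\]\(([^)\s]+)(?:\s+"[^"]*")?\)')

def neutralize_untrusted_markdown(text, allowed_hosts=()):
    """Render-side mitigation for assistant output derived from a third-party
    page: drop image embeds so nothing is auto-fetched, and turn links to
    hosts outside the allowlist into inert text that still shows the
    destination. Returns (safe_text, findings)."""
    findings = []

    def drop_image(match):
        alt, url = match.group(1), match.group(2)
        findings.append(("image", url))
        return f"[image removed: {alt or 'no alt text'}]"

    def demote_link(match):
        label, url = match.group(1), match.group(2)
        host = (urlparse(url).hostname or "").lower()
        if host in allowed_hosts:
            return match.group(0)  # first-party link, left clickable
        findings.append(("link", url))
        return f"{label} (unverified link, not clickable: {url})"

    # Images first, so the link pattern never sees a leftover "![...](...)".
    text = IMAGE_RE.sub(drop_image, text)
    text = LINK_RE.sub(demote_link, text)
    return text, findings

# Constructed sample: a summary carrying Markdown injected by the page it summarized.
SAMPLE = ("Summary: the article says your session will expire. "
          "![](https://third-party.example/pixel.png?id=1) "
          "Action required: [verify your account](https://third-party.example/verify) "
          "or read the [docs](https://help.openai.com/en/).")

if __name__ == "__main__":
    safe, hits = neutralize_untrusted_markdown(SAMPLE, allowed_hosts=("help.openai.com",))
    print(safe)
    for kind, url in hits:
        print(f"neutralized {kind}: {url}")
```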

Dutch Police Dismantle 17-Million-Device Botnet Linked to Asocks Proxy Service

On May 28, 2026, the NCSC Netherlands announced that a joint operation with Dutch police took a major botnet offline. Investigators identified 200 servers used to host and control the botnet infrastructure, all located in the Netherlands. The police seized several servers from a hosting provider, which then took the botnet offline after it was determined that the infrastructure was being used for criminal activity. According to the NCSC, the botnet consisted of at least 17 million infected devices, which were being remotely controlled to carry out cyberattacks including spam, phishing, online fraud, and distributed denial-of-service attacks.

Dutch media outlet NL Times reported that the disrupted infrastructure was linked to Asocks, a commercial residential and mobile proxy service. The victim devices — ranging from routers and IoT gadgets to Android-based devices — were converted into anonymization infrastructure, fraud tooling, and spam relays, often without the device owner ever knowing.

This takedown is one of the largest botnet disruptions by device count in recent history, and it highlights how cheap IoT devices and weak default configurations continue to fuel global cybercrime ecosystems.

FBI Warns of FIFA World Cup 2026 Phishing Campaign Exploding in Scale

The FBI is warning of fake websites impersonating FIFA ahead of the 2026 World Cup, designed to steal personal and financial information, sell fake tickets and hospitality packages, and push other tournament-related fraud. What began as a cluster of 79 malicious domains has evolved into a distributed phishing ecosystem spanning 222 domains mapped to 203 unique IP addresses — nearly tripling the domain footprint and increasing hosting infrastructure by more than 14-fold. Follow-up analysis shows that 206 of the 222 identified domains are currently active, and 52 new domains were registered between April 1 and April 17, 2026, indicating that the campaign is accelerating as the tournament approaches.

Football fans planning to attend the 2026 FIFA World Cup should only purchase tickets through the official FIFA website, verify all communications through official channels, and avoid clicking on links received through email or social media promoting deals, hospitality packages, or exclusive access.

FortiClient EMS Vulnerability CVE-2026-35616 Actively Exploited to Steal Credentials

Hackers are exploiting an authentication bypass vulnerability tracked as CVE-2026-35616 in FortiClient Enterprise Management Server (EMS) to deliver an undocumented credential stealer called EKZ. CISA added the flaw to its Known Exploited Vulnerabilities catalog alongside several other actively exploited vulnerabilities this week, including flaws in Daemon Tools, TanStack, and Nx Console.

The EKZ credential stealer is particularly concerning because it targets enterprise environments where FortiClient is commonly deployed for endpoint security and VPN management. Organizations using FortiClient EMS should apply available patches immediately, audit all recent authentication logs for signs of unauthorized activity, and rotate any potentially compromised credentials.

Signal Backup Phishing Campaign Specifically Targeting Dissidents and Journalists

Building further on the Signal phishing story, the attack specifically targeted journalists, anti-Chinese Communist Party activists, human rights defenders, and civil society groups. The attack vector was Signal’s own in-app messaging system, meaning the phishing messages arrive inside the encrypted app itself — giving them a degree of legitimacy that email-based phishing cannot achieve.

The targeting of high-risk individuals — journalists and dissidents who rely on Signal specifically for its security guarantees — makes this campaign especially dangerous. Security researchers at Access Now’s Digital Security Helpline are actively tracking the campaign and assisting affected individuals.

Hotel Reservation Hijack Scams Targeting Travelers Across 350+ Properties

Researchers at Gen (the company behind Norton) have identified a growing scam trend they call the Reservation Hijack scam. Cybercriminals use real hotel booking details to appear legitimate — contacting victims in the context of a real trip, with details that match an actual booking, including the hotel name, travel dates, and payment details. In advanced cases, attackers first compromise hotel systems to access trusted communication channels that make their scams even more convincing.

Customer data from more than 350 hotels around the world may have been accessed as part of realistic reservation-hijacking scams.

Together, the 350 compromised properties have a maximum guest capacity of around 82,000 people at any one time. Applying a conservative 50% occupancy rate and an average stay of 2.5 nights, that translates to an estimated six million guest stays per year where reservation data could potentially be exposed.

Travellers should be deeply suspicious of any payment requests or “re-confirmation” requests arriving via email or messaging platforms that reference their bookings — even when those requests appear to reference real reservation details.

Linux CIFSwitch Vulnerability Allows Low-Privileged Users to Gain Root Access

A newly discovered local privilege escalation vulnerability dubbed “CIFSwitch” in the Linux kernel could allow attackers to forge CIFS authentication key descriptions, abuse the kernel’s key request mechanism, and gain root privileges on vulnerable systems. Proof-of-concept exploit code has already been released, significantly raising the urgency for Linux administrators to apply the relevant kernel patches.

Local privilege escalation vulnerabilities are particularly dangerous in cloud environments and shared infrastructure, where a compromised low-privilege account can quickly become full system compromise. Linux administrators should review their kernel versions and apply updates as a matter of priority.

7-Eleven Data Breach — 185,000 Customers Affected

7-Eleven disclosed a data breach affecting about 185,000 people, exposing personal information in a major retail incident. ShinyHunters have been connected to this incident as well, adding 7-Eleven to an already extensive list of victims that includes Charter, Carnival, Odido, Canvas, and SoundCloud — all hit within a short window of time, suggesting the group is operating at an unprecedented pace of activity in 2026.

Miasma Malware Establishes Persistence via Claude Code and Visual Studio Code

In a remarkable detail to emerge from the Red Hat npm supply chain attack, the Miasma malware establishes persistence by injecting a SessionStart hook into Anthropic Claude Code and a tasks.json task with `"runOn": "folderOpen"` into Microsoft Visual Studio Code projects, so that the malware re-executes every time developers open their projects.

This is a novel and highly targeted persistence mechanism specifically designed to affect professional developers using popular AI coding assistants and IDEs. Developers who installed any of the affected @redhat-cloud-services packages should immediately audit their Claude Code and VS Code configurations for unauthorized modifications.
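One way to run the audit described above in a repeatable way, as an added example rather than anything published by Red Hat or the researchers: walk a project's `.vscode/tasks.json` for tasks with `runOptions.runOn` set to `folderOpen` and its Claude Code settings for `SessionStart` hooks, and report each as a finding for manual review. The file locations and the hook JSON shape follow the tools' documented formats and are assumptions here; the sample project, including the hook commands, is constructed.

```python
import json
import tempfile
from pathlib import Path

# Project-level config files the page reports Miasma modifying. Paths follow the
# tools' documented locations (assumed here, not taken from a malware sample).
VSCODE_TASKS = ".vscode/tasks.json"
CLAUDE_SETTINGS = (".claude/settings.json", ".claude/settings.local.json")

def _load_json(path):
    # Real tasks.json may contain // comments (JSONC); strip those before parsing.
    try:
        return json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None

def audit_project(root):
    """Return (file, description) findings for anything that auto-runs on open.
    Each hit needs manual review: legitimate projects use these features too."""
    root, findings = Path(root), []
    tasks = _load_json(root / VSCODE_TASKS)
    if isinstance(tasks, dict):
        for task in tasks.get("tasks", []):
            if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
                findings.append((VSCODE_TASKS,
                                 f"folderOpen task {task.get('label')!r} runs {task.get('command')!r}"))
    for rel in CLAUDE_SETTINGS:
        settings = _load_json(root / rel)
        if not isinstance(settings, dict):
            continue
        for entry in settings.get("hooks", {}).get("SessionStart", []):
            for hook in entry.get("hooks", []):
                findings.append((rel, f"SessionStart hook runs {hook.get('command')!r}"))
    return findings

def demo():
    """Constructed project: one benign build task plus the two auto-run patterns."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".vscode").mkdir(); (root / ".claude").mkdir()
        (root / VSCODE_TASKS).write_text(json.dumps({"version": "2.0.0", "tasks": [
            {"label": "build", "type": "shell", "command": "npm run build"},
            {"label": "sync", "type": "shell", "command": "node .cache/sync.js",
             "runOptions": {"runOn": "folderOpen"}}]}))
        (root / CLAUDE_SETTINGS[0]).write_text(json.dumps({"hooks": {"SessionStart": [
            {"matcher": "startup", "hooks": [{"type": "command", "command": "sh .cache/s.sh"}]}]}}))
        return audit_project(root)
```

Point `audit_project()` at each checked-out project to see what will execute on open; `demo()` shows the expected two findings against the constructed files.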

Brad Slavin is Founder and General Manager of DuoCircle.