Threat Overview: Supply Chain, Vulnerabilities and Ransomware Briefing
Executive Summary
The past week saw an active cyber environment, marked by supply chain compromises, widespread vulnerability exploitation, and ongoing ransomware activity.
- Supply Chain Compromise Targeting Developer Environments: The Miasma campaign compromised Red Hat npm packages, injecting a credential-stealing worm. Any organization that pulls the affected dependencies is exposed: the worm targets developer accounts, cloud credentials, and CI/CD pipeline secrets.
- Active Exploitation of Network Edge Vulnerabilities: Exploitation of Palo Alto Networks PAN-OS CVE-2026-0257 continued. The flaw grants unauthorized access to organizations running vulnerable GlobalProtect configurations and can lead to network intrusion.
- New Denial-of-Service Vulnerability: CVE-2026-49975, an HTTP/2 bomb attack, gained attention because it can rapidly incapacitate web servers. This vulnerability affects any organization hosting web services accessible via HTTP/2, posing a direct threat to service availability.
- Industrial Control Systems Targeted: Exposed fuel tank gauges in the US were attacked. This affects industrial entities with internet-exposed operational technology, which creates risks of operational disruption.
Business Impact:
These activities impact various business functions. Supply chain compromises and network edge breaches create opportunities for data theft and service interruptions across IT and development. Ransomware operations, notably by groups such as Akira, Medusa Locker, and Qilin, continued to disrupt organizations within defense, aerospace, education, manufacturing, and general services. Mass data breaches, including national identity documents and government registries across Latin America, MENA, and APAC, increase chances for identity fraud. Unconfirmed reports also surfaced regarding the potential compromise of highly sensitive defense industrial information related to submarine technology.
Trends and Changes vs. Last Week:
Software supply chain attacks, critical vulnerability exploitation, diverse ransomware activity, and geopolitically motivated hacktivism remained consistent. An increase occurred in the advertisement and sale of privileged network access credentials for government and critical infrastructure entities on underground forums. Mass data breaches, particularly those involving national identity and sensitive government data, became more prevalent, along with reports of high-value defense industrial information being referenced in illicit markets.
Outlook:
Continued activity is expected concerning supply chain compromise campaigns targeting developer tools and cloud environments. Sustained exploitation of recently disclosed critical vulnerabilities in network infrastructure is also anticipated. Ransomware operations are likely to remain active and diverse, with an ongoing trade in network access credentials. Geopolitically motivated hacktivist operations are projected to persist, especially within current conflict zones. The underground trade of stolen data and access credentials is expected to remain active.
Key Threat Intelligence Highlights
Key developments this week:
A Miasma supply chain attack has compromised Red Hat npm packages, injecting a credential-stealing worm. This incident exposed users to data theft via trusted software components, showing the persistent danger to software development.
CVE-2026-0257, a critical and actively exploited authentication bypass in Palo Alto Networks PAN-OS GlobalProtect portals and gateways, lets unauthenticated attackers impersonate local administrator accounts using crafted session cookies and obtain VPN access behind the perimeter. Affected organizations must apply the vendor fix or mitigations immediately and review GlobalProtect logs for administrator sessions from unexpected sources.
A new vulnerability, CVE-2026-49975, enables an HTTP/2 bomb attack that can overwhelm a web server within seconds, interrupting service and denying users access to online resources. Because it affects any service that speaks HTTP/2, operators should treat denial-of-service defenses for HTTP/2 endpoints as an immediate priority.
Internet-exposed fuel tank gauges in the US are under active attack, with malicious actors exploiting poor security configurations. This compromise enables the manipulation of fuel levels and operational controls, posing risks of environmental damage and supply chain interruptions for essential services. The exposure of these devices shows an urgent need for better cybersecurity practices to protect critical infrastructure.
Additional Threat Intelligence Context
CVE-2026-20245 | CVSS: 7.8 (PROBLEMATIC) - Cisco Catalyst SD-WAN Manager Command Execution: Actively exploited; allows remote command execution as root on the SD-WAN Manager, often chained with authentication flaws, giving control over SD-WAN management and routing. No patch was available at the time of writing.
Available Exploits:
- CVE-2026-20245 Exploit
Analysis: # CVE Analysis Report: CVE-2026-20245
GitHub Link:
- Title: CVE-2026-20245 PoC (template)
- CVE: CVE-2026-20245 (CVSS: 7.8, PROBLEMATIC)
- CVSS Score: 7.8
- CVSS Severity: PROBLEMATIC
Based on the analysis:
- Complexity Score: NA
- Remote/Local: Remote
- Authenticated/Unauthenticated: Unauthenticated
- Privilege Required: None
Risk Score: 75/100
Based on ease of use, potential impact, how widely it could spread, etc.
Multi-Ecosystem Software Supply-Chain Campaigns: Coordinated campaigns such as the Miasma worm, other Node.js/npm worms, and typosquats (for example, an axios look-alike delivering Epsilon Stealer) spread credential stealers and remote access tools, compromising developer workstations and CI/CD pipelines.
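A first triage step for the npm campaigns above is to check whether a project's lockfile contains any of the affected packages, a typosquat of a popular package, or a package that runs install scripts (the hook a credential-stealing worm uses to execute during `npm install`). The following is an added example written for this briefing, not code from the Miasma reporting or from npm; the watchlist entry `example-compromised-pkg`, the popular-package list and the sample lockfile are constructed placeholders to be replaced with the indicators from the relevant advisory.

```python
"""Audit an npm package-lock.json (lockfileVersion 2 or 3) for supply-chain red flags.

Added example, not part of the original briefing. The watchlist is a placeholder:
replace it with the package names from the vendor advisory you are responding to.
"""
import json
from typing import Iterable

# Hypothetical indicator for illustration only; NOT a real campaign IOC.
WATCHLIST = {"example-compromised-pkg"}

# Widely used packages that typosquats imitate (illustrative subset).
POPULAR = {"axios", "lodash", "express", "react", "chalk", "commander"}

DEFAULT_REGISTRY = "https://registry.npmjs.org/"


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: substitutions, insertions, deletions and
    adjacent transpositions each cost 1, so "axois" is one edit from "axios"."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def package_name(lock_key: str) -> str:
    """Lockfile keys look like "node_modules/axios" or
    "node_modules/foo/node_modules/@scope/bar"; the name follows the last node_modules/."""
    return lock_key.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock: dict, watchlist: Iterable[str] = WATCHLIST,
                   popular: Iterable[str] = POPULAR) -> list[dict]:
    """Return one finding per (package, reason). Findings are signals to review,
    not proof of compromise: many legitimate packages run install scripts."""
    watchlist, popular = set(watchlist), set(popular)
    findings: list[dict] = []
    for key, meta in lock.get("packages", {}).items():
        if key == "":  # the root project entry, not a dependency
            continue
        name = package_name(key)
        version = meta.get("version", "?")
        reasons = []
        if name in watchlist:
            reasons.append("on watchlist")
        # npm sets hasInstallScript when a package declares preinstall/install/postinstall;
        # that is the hook a credential-stealing worm runs from during `npm install`.
        if meta.get("hasInstallScript"):
            reasons.append("runs install script")
        # Typosquat heuristic: a name one edit away from a popular package that is
        # not itself that package. Short names produce too many false positives.
        if name not in popular and len(name) >= 4:
            for p in sorted(popular):
                if edit_distance(name, p) <= 1:
                    reasons.append(f"possible typosquat of {p}")
                    break
        resolved = meta.get("resolved", "")
        if resolved and not resolved.startswith(DEFAULT_REGISTRY):
            reasons.append("resolved outside the public registry (verify the mirror)")
        findings.extend({"name": name, "version": version, "reason": r} for r in reasons)
    return findings


def audit_file(path: str) -> list[dict]:
    with open(path, encoding="utf-8") as fh:
        return audit_lockfile(json.load(fh))


# Constructed sample lockfile (not a real project) exercising each check.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/axios": {"version": "1.6.0",
                               "resolved": DEFAULT_REGISTRY + "axios/-/axios-1.6.0.tgz"},
        "node_modules/axois": {"version": "0.1.0",  # one transposition away from axios
                               "resolved": DEFAULT_REGISTRY + "axois/-/axois-0.1.0.tgz",
                               "hasInstallScript": True},
        "node_modules/example-compromised-pkg": {
            "version": "2.3.1",
            "resolved": DEFAULT_REGISTRY + "example-compromised-pkg/-/example-compromised-pkg-2.3.1.tgz"},
        "node_modules/lodash": {"version": "4.17.21",
                                "resolved": DEFAULT_REGISTRY + "lodash/-/lodash-4.17.21.tgz"},
    },
}

if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCK):
        print(f"{f['name']}@{f['version']}: {f['reason']}")
```

Run `audit_file("package-lock.json")` from the project root. Pair it with `npm ci --ignore-scripts` in CI so that install hooks cannot execute until any flagged package has been reviewed; the lockfile check finds the package, the flag stops its code from running.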
CVE-2026-3300 | CVSS: 9.8 (CRITICAL) - Everest Forms Pro Remote Code Execution: This critical WordPress plugin vulnerability has been actively exploited since April 2026 to create rogue administrator accounts, with public proof-of-concept code widely available.
Available Exploits:
- CVE-2026-3300 Exploit
- CVE-2026-3300 Exploit
Analysis: # CVE Analysis Report: CVE-2026-3300
GitHub Link:
- Title: Everest Forms Pro RCE PoC
- CVE: CVE-2026-3300 (CVSS: 9.8, CRITICAL)
- CVSS Score: 9.8
- CVSS Severity: CRITICAL
Based on the analysis:
- Complexity Score: Easy
- Remote/Local: Remote
- Authenticated/Unauthenticated: Unauthenticated
- Privilege Required: None
Risk Score: 100/100
Based on ease of use, potential impact, how widely it could spread, etc.
CVE-2026-49261 - MariaDB Remote Code Execution (CVSS 10.0): Actively exploited, threatening many internet-exposed database servers.
CVE-2026-0257 | CVSS: None (CRITICAL) - PAN-OS GlobalProtect Authentication Bypass: Actively exploited, it permits adversaries to impersonate local administrators via crafted cookies, gaining covert VPN access and bypassing perimeter controls.
Available Exploits:
- CVE-2026-0257 Exploit
- CVE-2026-0257 Exploit
- CVE-2026-0257 Exploit
- CVE-2026-0257 Exploit
- CVE-2026-0257 Exploit
Analysis: # CVE Analysis Report: CVE-2026-0257
GitHub Link:
- Title: PAN-OS GlobalProtect Auth Bypass Detection PoC
- CVE: CVE-2026-0257 (CVSS: None, CRITICAL)
- CVSS Score: None
- CVSS Severity: CRITICAL
Based on the analysis:
- Complexity Score: Easy
- Remote/Local: Remote
- Authenticated/Unauthenticated: Unauthenticated
- Privilege Required: None
Risk Score: 91/100
Based on ease of use, potential impact, etc.
CVE-2026-45247 | CVSS: 9.8 (CRITICAL) - Magento Mirasvit Cache Warmer RCE: A critical unauthenticated RCE actively exploited by initial access brokers to implant malware. This RCE appears on the CISA KEV catalog.
Available Exploits:
- CVE-2026-45247 Exploit
Analysis: # CVE Analysis Report: CVE-2026-45247
GitHub Link:
- Title: CVE-2026-45247 PoC skeleton
- CVE: CVE-2026-45247 (CVSS: 9.8, CRITICAL)
- CVSS Score: 9.8
- CVSS Severity: CRITICAL
Based on the analysis:
- Complexity Score: NA
- Remote/Local: Remote
- Authenticated/Unauthenticated: Unauthenticated
- Privilege Required: None
Risk Score: 75/100
Based on ease of use, potential impact, how widely it could spread, etc.
CVE-2026-28318 | CVSS: 7.5 (PROBLEMATIC) - Verizon VoLTE IMS Core Vulnerability: Active exploitation allows unprotected SIP signaling to be abused for call manipulation, spoofing, and denial-of-service against subscribers. Note that this identifier is the same one listed below for the SolarWinds Serv-U denial-of-service flaw, and the only public exploit referenced under it targets Serv-U; confirm the correct identifier for the Verizon issue before acting on it.
CVE-2026-28318 | CVSS: 7.5 (PROBLEMATIC) - SolarWinds Serv-U Denial of Service: Actively exploited for remote unauthenticated availability disruption via crafted requests, which disrupts managed file transfer services.
Available Exploits:
- CVE-2026-28318 Exploit
Analysis: # CVE Analysis Report: CVE-2026-28318
GitHub Link:
- Title: SolarWinds Serv-U POST Deflate Crash PoC (CVE-2026-28318)
- CVE: CVE-2026-28318 (CVSS: 7.5, PROBLEMATIC)
- CVSS Score: 7.5
- CVSS Severity: PROBLEMATIC
Based on the analysis:
- Complexity Score: Easy
- Remote/Local: Remote
- Authenticated/Unauthenticated: Unauthenticated
- Privilege Required: None
Risk Score: 100/100
Based on ease of use, etc.
CVE-2026-34908 | CVSS: 10.0 (CRITICAL) - UniFi OS Server Vulnerability Chain (with CVE-2026-34909 and CVE-2026-34910): A critical chain allowing unauthenticated attackers to achieve root-level command execution and expose sensitive data on UniFi OS Server deployments.
Available Exploits:
- CVE-2026-34908 Exploit
Analysis: # CVE Analysis Report: CVE-2026-34908
GitHub Link:
- Title: UniFi OS Server unauth RCE detector (CVE-2026-34908/34909/34910)
- CVE: CVE-2026-34908 (CVSS: 10.0, CRITICAL)
- CVSS Score: 10.0
- CVSS Severity: CRITICAL
Based on the analysis:
- Complexity Score: Easy
- Remote/Local: Remote
- Authenticated/Unauthenticated: Unauthenticated
- Privilege Required: None
Risk Score: 100/100
Based on ease of use, etc.
CVE-2026-7312 - Progress Sitefinity OData Insight Flaws (CVSS 10.0): Actively exploited, exposing plaintext credentials and allowing CMS pivots.
CVE-2026-40965 - Cloud Foundry UAA JWT Signing Key Disclosure (CVSS 10.0): Allows unauthenticated JWT forgery in affected deployments.
CVE-2026-10622 - Collibra Platform Agent Issues (with CVE-2026-10621): Allow unauthenticated remote code execution via exposed REST endpoints and Zip Slip conditions.
CVE-2026-0826 - Poly VVX Office VoIP Phones RCE: Critical stack-based buffer overflow with publicly available exploit code, allowing root RCE through crafted SIP INVITE messages.
CVE-2026-9311 - IBM WebSphere Vulnerabilities (CVE-2026-9330, CVE-2026-9319, CVE-2026-8644): Include RCE and authentication bypass flaws, allowing unauthenticated or low-privilege users to run arbitrary code or forge identities.
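The Collibra entry above cites a Zip Slip condition: the archive-extraction bug in which an entry named `../something` is written outside the extraction directory because the extractor trusts entry names. The block below is an added example in Python, not code from Collibra or any other product named in this briefing, and its archives are constructed in memory. `naive_extract` shows the vulnerable pattern and `safe_extract` the hardened one, including the two-pass validate-then-write structure and the symlink refusal a practitioner would want.

```python
"""Zip Slip: an archive entry named "../x" escapes the extraction directory
whenever the extractor trusts entry names. Added example; the archives are
constructed in memory, and nothing here is code from a product in the briefing."""
import io
import os
import stat
import tempfile
import zipfile
from pathlib import Path


class ZipSlipError(ValueError):
    """Raised when an archive entry would land outside the destination."""


def build_zip(entries: dict[str, str]) -> bytes:
    """In-memory zip from {entry_name: content}; names are written verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def naive_extract(archive: bytes, dest: str) -> None:
    """VULNERABLE: joins the untrusted entry name onto dest with no validation."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # "../escaped.txt" climbs out
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())


def safe_extract(archive: bytes, dest: str) -> list[str]:
    """Hardened extractor: validate every entry before writing any of them, so a
    bad entry in the middle of an archive cannot leave a half-extracted tree."""
    dest_root = Path(dest).resolve()
    planned: list[tuple[zipfile.ZipInfo, Path]] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Zip names are '/'-separated; absolute paths, backslashes and drive
            # letters have no legitimate use in a portable archive.
            if name.startswith("/") or "\\" in name or ":" in name.split("/")[0]:
                raise ZipSlipError(f"rejecting entry name {name!r}")
            # Symlink entries are the other classic escape: a link pointing
            # outside dest followed by a file written through it.
            if stat.S_ISLNK((info.external_attr >> 16) & 0xFFFF):
                raise ZipSlipError(f"rejecting symlink entry {name!r}")
            target = (dest_root / name).resolve()
            # The check that closes Zip Slip: once '..' segments are resolved the
            # target must still be dest_root itself or one of its descendants.
            if target != dest_root and dest_root not in target.parents:
                raise ZipSlipError(f"entry {name!r} resolves outside {dest_root}")
            planned.append((info, target))
        written: list[str] = []
        for info, target in planned:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target.relative_to(dest_root).as_posix())
    return written


def demo() -> dict:
    """Run both extractors against constructed archives inside temp dirs."""
    malicious = build_zip({"report/readme.txt": "benign", "../escaped.txt": "owned"})
    absolute = build_zip({"/etc/cron.d/job": "owned"})
    benign = build_zip({"report/readme.txt": "benign"})
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "naive")
        os.makedirs(dest)
        naive_extract(malicious, dest)
        # The file landed beside naive/, not inside it.
        result["naive_escaped"] = os.path.isfile(os.path.join(tmp, "escaped.txt"))
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "safe")
        rejected = []
        for archive in (malicious, absolute):
            try:
                safe_extract(archive, dest)
                rejected.append(False)
            except ZipSlipError:
                rejected.append(True)
        result["safe_rejected"] = rejected
        # Validation runs before any write, so even report/readme.txt is absent.
        result["safe_nothing_written"] = (not os.path.exists(dest)
                                          and not os.path.exists(os.path.join(tmp, "escaped.txt")))
        result["safe_benign_written"] = safe_extract(benign, dest)
    return result


if __name__ == "__main__":
    print(demo())
```

The containment check is deliberately done on the resolved path rather than by string-matching for `..`, since encodings and mixed separators can smuggle a traversal past a substring test; the same pattern applies to tar extraction, where symlink and hard-link members need the same refusal.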
Ransomware Activity Overview
Ransomware groups such as Akira targeted defense and aerospace entities including RUAG, exfiltrating military documentation. Medusa Locker continued widespread campaigns against mid-sized organizations globally across education, NGOs, manufacturing, and services, typically naming victims publicly. Other active groups include LockBit, NightSpire, Play, and Qilin.
The underground market also advertised privileged network access, including Fortinet SSL VPN access to the Argentine Army (offered by L4TAMFUCK3R$) and full access to Canada's Iteris Radius+ traffic network (offered by Z-Pentest Alliance), the latter granting visibility over road-monitoring cameras. Direct VPN credentials for government entities were also on sale.
Large-scale data breaches continued: 11.4 million Spanish national identity documents, a 160 million-record Vietnamese "CIC 2025" dataset, 31 million Peruvian citizen records, Indonesian government and election data, and sensitive UN World Food Programme Gaza beneficiary information were all offered for sale. These exposures create opportunities for identity fraud and follow-on network intrusion. An advertisement on Spear.cx referenced the potential leak of "USA advanced nuclear submarines Critical-Quiet Technology - FROM VACCO," suggesting a highly sensitive defense-industrial compromise.
Geopolitically aligned hacktivist groups, including Iran-linked clusters, continued DDoS operations against Dutch and Israeli entities, at times blending cyber messaging with kinetic missile threat narratives. RipperSec also conducted DDoS attacks on Israeli targets, and OpThailand-themed actors claimed compromises of Thai government and education platforms.
During the reporting period, 150 total victims were identified across 34 active ransomware groups. The top 5 most active groups accounted for 66 victims.
Top 5 Ransomware Groups
The_Gentlemen - 24 victim(s)
- Notable victims: 3e accounting, Anandji haridas, Arabian procession holding, Bouri group, Brian jessel bmw (and 19 more)
Qilin - 15 victim(s)
- Notable victims: Avcon jet, Central florida cosmetic & family dentistry, Clinica maitenes, Eat salad, Interspa betriebsverwaltungsgesellschaft (and 10 more)
INC_Ransom - 10 victim(s)
- Notable victims: Bradley law firm, CUSTOMSIGN, Champaign-Urbana Public Health District, Colina Financial Advisors, Oztugotomotiv (and 5 more)
Medusa Locker - 9 victim(s)
- Notable victims: Académie de montpellier / csjm, Actionaid / tacosa, Baiapai, Baratai, Colegio maría inmaculada (cmi) (and 4 more)
Akira - 8 victim(s)
- Notable victims: Cherokee distributing co, Factors western, Hal otey financial, Kennon worldwide, National standard parts associates (and 3 more)
Deep Web
Deep Web Activity Overview
Deep web observations this week reveal varied data breaches and access offerings, spanning highly sensitive government and defense information, mass personal identification data, and industrial control system details. Activities included the sale of national security documents, critical military technology, compromised electoral systems, and large-scale citizen data registries. The observed incidents show malicious actors continue to seek data and access for financial gain, identity-related fraud, or geopolitical disruption.
What major data leaks appeared on deep web forums this week?
Several high-impact data leaks and access sales surfaced on deep web forums this week, involving government entities, critical infrastructure, and extensive citizen data from various nations.
- Sensitive Defense and Security Data:
- A post titled "USA advanced nuclear submarines Critical-Quiet Technology - FROM VACCO" appeared on June 7, 2026, offering data purportedly related to advanced US nuclear submarine technology. The content directly referenced several US Navy submarine classes (SSN-637, SSBN/SSN-640, SSN-688, SSBN-726, SSN-21, SSN-774, SSBN(X)). The origins of this data and its authenticity remain under assessment, but the claims alone represent a serious concern for national security.
- On June 5, 2026, a listing titled "[NATO] COSMIC TOP SECRET NATO REPORTS FOR SALE" was observed. The actor "mosad" offered highly classified NATO reports, inviting potential buyers to contact them for samples or a full document list. The nature of these reports suggests a breach of top-tier government or military networks, carrying extensive geopolitical implications.
- Compromised Government and Electoral Systems:
- A concerning incident emerged on June 5, 2026, with "GordonFreeman" claiming "Full SSH Acces to CNE.GOB.EC Electoral Registry DB 2026" in Ecuador. The actor asserted complete control over the country's electoral registry database, exfiltrating over 13.5 million valid voter records. They claimed the ability to modify voter data, enable "massive electoral fraud," and deploy backdoors. A ransom of 4 BTC was demanded, with a stated intent to "poison" backups, wipe the registry, or inflate the database with "ghost voters" if demands were not met. This incident directly attacks democratic integrity.
- On June 7, 2026, "TheNegratas" offered "Spain ID Breach - 11.4M ID Documents for Sale," claiming to have breached the State Digital Administration Agency. The compromised data includes DNI numbers, full names, photographs, signatures, dates of birth, addresses, and various document-specific details, effectively providing complete digital identities for a large portion of the Spanish population.
- Critical Infrastructure and Law Enforcement Access:
- A posting on June 2, 2026, titled "Canada! Central East Correctional Centre (Jail) databases SQL" by "Moneyistime" advertised over 70GB of SQL backups from a Canadian correctional facility. The data includes sensitive databases such as "AccessManager" (electronic locks, gates, biometric security), "DIRECTORY" (staff personal files, credentials), "SecurityPatrolSystemSPSCheckPoint" (guard schedules, patrol routes, physical blind spots), "UnitAssistant" (cell assignments, gang conflict maps, informant registries), and "HealthMonitor" (server status, broken security equipment). This information could compromise physical security and operational integrity.
- On June 4, 2026, "henny" posted an offer to sell "[Government + Law Enforcement Emails And Panels]" from multiple regions (EU, South America, Asia, Africa). This actor claimed access to email accounts and administrative panels for government and law enforcement systems, including "kodex," "meta," and "microsoft." This type of access can lead to further intrusions, intelligence gathering, or operational disruption.
- Large-Scale Corporate and Financial Data Leaks:
- "max987" advertised "Vietnam 160M (CIC) 2025" on June 7, 2026, offering a national credit registry containing over 160 million records for individuals and companies. The data, priced at 8000 USDT, includes full names, dates of birth, national IDs, passports, loan data, balances, debt, tax IDs, company information, audit logs, and addresses. This is a vast collection of financial and personal information.
- A substantial breach of a Turkish food company, GOKNUR GIDA A.Ş., was advertised by "DreamFyre" on June 4, 2026, offering 10.7 TB of data for $200,000. The exposed information is extensive, encompassing Active Directory architecture, SCADA, PLC, and RTU configurations, network device configurations, ESXi infrastructure, customer and financial data, employee PII (including Turkish ID numbers, passports, salaries), production recipes, R&D data, patents, supply chain information, ERP/CRM systems, and cybersecurity protocols. Industrial control system data was particularly notable.
- Access for Ransomware Operations:
- A post from "Simpson2" on June 4, 2026, titled "[want to sell company access for ransomware]" offered packages of access to companies with reported revenues between $10 million and $10 billion. The starting price was $10,000 for 10 targets, suggesting a dedicated access broker for ransomware attacks.
What patterns or trends are emerging from these incidents?
Patterns in this week's deep web breach data indicate evolving tactics and motivations among malicious actors.
- Targeting of Government and Critical Infrastructure: A recurring theme is the compromise of governmental bodies, electoral commissions, defense contractors, and correctional facilities. This shows a direct interest in data and access that can destabilize nations, compromise national security, or facilitate high-impact physical and cyber operations.
- Widespread Personal Identifiable Information (PII) Exfiltration: Large-scale PII breaches affect millions of citizens. Examples include 11.4 million Spanish national IDs and 160 million Vietnamese credit registry records. Such extensive datasets allow widespread identity theft, financial fraud, and sophisticated social engineering campaigns.
- Industrial Espionage and Operational Technology (OT) Compromise: The GOKNUR GIDA A.Ş. breach explicitly included SCADA, PLC, RTU configurations, and production recipes. This points to a drive for industrial espionage and potential disruption or sabotage of critical industrial processes.
- The Role of Access Brokers: Multiple postings advertise direct access to compromised networks or systems (e.g., government/law enforcement panels, company access for ransomware). These brokers serve as an initial entry point for other malicious actors, lowering the barrier for subsequent attacks such as data exfiltration, ransomware deployment, or network manipulation.
- Geographic Diversity of Targets: The affected entities span North America (USA, Canada), Europe (NATO, Spain), South America (Ecuador), Asia (Vietnam), and the Middle East (Turkey). This widespread distribution shows a global reach by various threat actor groups.
- Motivation for Financial Gain and Geopolitical Influence: While many breaches are for direct sale and financial profit, incidents like the Ecuadorian electoral system compromise suggest motivations extending to political disruption and manipulation. The sale of sensitive defense and NATO documents could serve both financial and state-sponsored intelligence objectives.
What are the potential impacts of this week's deep web activity?
The information observed on deep web forums this week carries several severe potential impacts across national security, economic stability, and individual privacy.
- National Security and Geopolitical Instability: The purported leaks of US nuclear submarine technology and NATO "COSMIC TOP SECRET" reports could give adversaries unprecedented intelligence advantages, compromising military capabilities, operational secrecy, and strategic planning. The alleged manipulation of Ecuador's electoral system directly attacks sovereign democratic processes, capable of undermining public trust and potentially inciting political unrest.
- Economic Disruption and Corporate Espionage: The 10.7 TB data breach from GOKNUR GIDA A.Ş., including production recipes, R&D data, and SCADA configurations, could cause substantial competitive disadvantage, intellectual property theft, and potential operational disruption for the affected company. The broad offerings of company access for ransomware operations consistently threaten organizations with service outages, data destruction, and considerable financial extortion.
- Widespread Identity Theft and Fraud: The availability of 11.4 million Spanish ID documents and 160 million Vietnamese credit records provides malicious actors with extensive data for identity theft, account takeovers, and various forms of financial fraud against individuals and institutions. The combination of personal details, financial history, and national identifiers creates a solid foundation for sophisticated phishing and social engineering campaigns.
- Compromise of Public Safety and Law Enforcement Operations: The exposure of Canadian correctional facility databases, including guard schedules, patrol routes, and informant registries, could directly compromise the physical security of personnel and inmates, facilitate escapes, or aid in internal criminal activities. The sale of government and law enforcement email access allows malicious actors to potentially infiltrate investigations, acquire sensitive operational details, and evade justice.
- Erosion of Public Trust: Incidents involving the compromise of national ID systems, electoral registries, and critical government infrastructure directly diminish public confidence in government's ability to protect citizen data and maintain essential services.
Sources
- Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm
- Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257
- CVE-2026-49975: HTTP/2 Bomb Attack Can Knock Web Servers Offline in Seconds
- Exposed Fuel Tank Gauges Under Attack in the US