Cyber Threat Brief — May 28 2026
1. CISA KEV: Three Supply-Chain CVEs — CVE-2026-45321, CVE-2026-48027, CVE-2026-8398
TL;DR: CISA added three supply-chain compromises to KEV on May 27 — TanStack npm (TeamPCP/Mini Shai-Hulud Wave 4), Nx Console VS Code extension, and DAEMON Tools Lite installer. Federal deadline June 17. All involve credential theft with persistence mechanisms targeting developer workstations.
What’s New:
- CVE-2026-45321 (TanStack): 84 malicious versions across 42 @tanstack/* npm packages published May 11 via GitHub Actions OIDC token extraction; provenance attestation intact, making detection harder
- CVE-2026-48027 (Nx Console): Version 18.95.0 live for 11 minutes on May 18; SANDCLOCK payload harvested GitHub/npm/AWS/Vault/K8s/1Password/SSH/GCP/Docker/Claude Code creds; exfil via HTTPS + GitHub API + DNS tunneling
- CVE-2026-8398 (DAEMON Tools): Trojanized installers v12.5.0.2421–2434 since April 8; signed with valid AVB Disc Soft certificate; C2 env-check.daemontools[.]cc
- CISA advisory AA26-147A released with YARA rules and detection methods
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| router_init.js / setup.mjs at npm package root | File indicator | T1195.002 | Filesystem / SBOM | Audit package-lock.json for @tanstack versions published May 11 |
| git-tanstack[.]com, *.getsession.org, 83.142.209[.]194 | C2 domains/IP | T1071.001 | DNS/proxy logs | Block at DNS/proxy |
| com.user.gh-token-monitor.plist (macOS) / gh-token-monitor.service (Linux) | Persistence | T1053.003 | EDR/filesystem | Hunt for daemon on developer workstations |
| ~/.local/share/kitty/cat.py, /var/tmp/.gh_update_state, /tmp/kitty-* | Persistence (Nx) | T1059.006 | EDR/filesystem | Hunt and remove; rotate all creds |
| env-check.daemontools[.]cc | C2 domain | T1071.001 | DNS logs | Block; scan for DAEMON Tools v12.5.0.2421–2434 |
| .vscode/tasks.json injected tasks, ~/.claude/settings.json hooks | Persistence | T1546 | Filesystem | Audit IDE configs on dev machines |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | Need npm supply-chain package integrity rule; need VS Code extension sideload detection |
| Elastic | None | Need file integrity monitoring for npm/VS Code persistence artifacts |
| Sigma | None | Need rules for gh-token-monitor daemon, cat.py persistence, and DNS tunneling exfil patterns |
Sources: CISA Alert · StepSecurity Analysis · HackerNews - Nx Console · Kaspersky - DAEMON Tools
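The table above names the on-disk artifacts to hunt for and the lock-file audit to run, but gives no tooling. The script below is an added example written for this brief, not code from CISA, StepSecurity or the affected projects. It checks the persistence paths the brief lists, flags the router_init.js / setup.mjs dropper files at any installed package root, and lists every @tanstack/* package pinned in a package-lock.json so the versions can be compared against the May 11 publication window (a lock file carries no publish date, so that comparison stays manual). The launchd and systemd unit directories are assumptions based on the standard locations, since the brief gives only the file names, and the demo tree and lock file are constructed.

```python
"""Hunt for the TanStack / Nx Console artifacts the brief lists on developer
workstations. Added example, not from CISA or the cited vendors; file
locations not spelled out in the brief (launchd and systemd unit
directories) are assumptions based on the standard locations."""
import glob
import json
import os
import tempfile


def find_persistence_artifacts(home: str, root: str = "/") -> list[str]:
    """Return the brief's persistence artifacts that exist on disk.

    `home` is the developer's home directory; `root` lets the scan be
    pointed at a mounted image or a test tree instead of the live system.
    """
    candidates = [
        # gh-token-monitor daemon: macOS launchd plist (per-user and system dirs assumed)
        os.path.join(home, "Library/LaunchAgents/com.user.gh-token-monitor.plist"),
        os.path.join(root, "Library/LaunchAgents/com.user.gh-token-monitor.plist"),
        os.path.join(root, "Library/LaunchDaemons/com.user.gh-token-monitor.plist"),
        # gh-token-monitor daemon: Linux systemd unit (user and system dirs assumed)
        os.path.join(home, ".config/systemd/user/gh-token-monitor.service"),
        os.path.join(root, "etc/systemd/system/gh-token-monitor.service"),
        # Nx Console persistence paths named in the brief
        os.path.join(home, ".local/share/kitty/cat.py"),
        os.path.join(root, "var/tmp/.gh_update_state"),
    ]
    found = [p for p in candidates if os.path.exists(p)]
    found += glob.glob(os.path.join(root, "tmp", "kitty-*"))
    return sorted(found)


def find_dropper_files(node_modules: str) -> list[str]:
    """Flag router_init.js / setup.mjs at the root of any installed package."""
    hits = []
    pkg_dirs = glob.glob(os.path.join(node_modules, "*")) + \
        glob.glob(os.path.join(node_modules, "@*", "*"))
    for pkg_dir in pkg_dirs:
        for fname in ("router_init.js", "setup.mjs"):
            p = os.path.join(pkg_dir, fname)
            if os.path.isfile(p):
                hits.append(p)
    return sorted(hits)


def _walk_v1(deps: dict, hits: set) -> None:
    # lockfileVersion 1 nests transitive deps under each entry's "dependencies"
    for name, meta in deps.items():
        if name.startswith("@tanstack/"):
            hits.add((name, meta.get("version", "")))
        _walk_v1(meta.get("dependencies", {}), hits)


def audit_lockfile(lock_json: str) -> list[tuple[str, str]]:
    """List every pinned @tanstack/* package and version.

    A lock file carries no publish date, so each hit is a candidate to
    compare against the May 11 publication window, not a confirmed hit.
    """
    lock = json.loads(lock_json)
    hits: set[tuple[str, str]] = set()
    # lockfileVersion 2/3: "packages" keyed by node_modules path
    for path, meta in lock.get("packages", {}).items():
        name = path.split("node_modules/")[-1] if path else meta.get("name", "")
        if name.startswith("@tanstack/"):
            hits.add((name, meta.get("version", "")))
    # lockfileVersion 1 (and 2, which keeps this map for compatibility)
    _walk_v1(lock.get("dependencies", {}), hits)
    return sorted(hits)


def build_demo_tree(base: str) -> str:
    """Constructed sample tree with three of the artifacts; returns the fake home."""
    home = os.path.join(base, "home", "dev")
    for rel in (".local/share/kitty/cat.py",
                ".config/systemd/user/gh-token-monitor.service"):
        p = os.path.join(home, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        open(p, "w").close()
    os.makedirs(os.path.join(base, "tmp"), exist_ok=True)
    open(os.path.join(base, "tmp", "kitty-abc123"), "w").close()
    return home


DEMO_LOCK = json.dumps({  # constructed package-lock.json, lockfileVersion 3
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/@tanstack/react-query": {"version": "5.0.0"},
        "node_modules/react": {"version": "18.3.1"},
    },
})


def demo() -> dict:
    """Run both hunts against the constructed tree and lock file."""
    with tempfile.TemporaryDirectory() as base:
        home = build_demo_tree(base)
        artifacts = [os.path.relpath(p, base)
                     for p in find_persistence_artifacts(home, base)]
    return {"artifacts": artifacts, "tanstack": audit_lockfile(DEMO_LOCK)}


if __name__ == "__main__":
    print(demo())
    # Live hunt on this workstation:
    print(find_persistence_artifacts(os.path.expanduser("~")))
    print(find_dropper_files("node_modules"))
```

Run it as-is to see the constructed demo, then point `find_persistence_artifacts` at each developer's home directory and `find_dropper_files` at each project's node_modules. Any hit on the persistence paths means the credentials listed in the brief should be treated as exposed and rotated, per the table's action column.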
2. LiteSpeed cPanel Plugin Root Privesc — CVE-2026-48172
TL;DR: CVSS 10.0 privilege escalation in LiteSpeed cPanel plugin lets any authenticated cPanel user execute arbitrary scripts as root via the redisAble function. CISA KEV added May 26 with May 29 federal deadline (tomorrow). Mass automated exploitation in progress.
What’s New:
- Any cPanel user can call cpanel_jsonapi_func=redisAble to run arbitrary scripts as root — no admin required
- Attackers scanning and exploiting at scale per multiple security firms; no single threat actor attributed
- Affects LiteSpeed User-End cPanel Plugin 2.3–2.4.4; fixed in 2.4.5+, recommended upgrade to WHM Plugin 5.3.1.0 (cPanel plugin v2.4.7)
- Federal deadline May 29 (TOMORROW)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| cpanel_jsonapi_func=redisAble in request | Exploit signature | T1068 | WAF / cPanel access logs | Block or alert on this API call |
| grep -rE "cpanel_jsonapi_func=redisAble" /var/cpanel/logs /usr/local/cpanel/logs/ | Hunt query | T1068 | cPanel logs | Run immediately to check for prior exploitation |
| LiteSpeed cPanel Plugin < 2.4.5 | Vulnerable software | T1068 | Asset inventory | Patch to 2.4.7+ |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | Need cPanel API abuse detection for redisAble function calls |
| Elastic | None | No cPanel-specific rules |
| Sigma | None | Need web access log rule matching cpanel_jsonapi_func=redisAble |
Sources: The Hacker News · CyCognito · LiteSpeed Blog
3. Exchange OWA XSS Zero-Day — CVE-2026-42897
TL;DR: Actively exploited Exchange Server zero-day (CVSS 8.1) allows session hijack via crafted email opened in OWA. No permanent patch — only mitigation available. CISA KEV deadline May 29 (tomorrow). Patch expected June 10 Patch Tuesday.
What’s New:
- Crafted email executes JavaScript in authenticated OWA session — enables session token theft, mailbox impersonation, inbox rule manipulation
- Affects Exchange SE, 2016, 2019 (on-prem only; Exchange Online not affected)
- Microsoft mitigation does NOT protect IE or Edge IE-compat mode users — they remain fully exposed
- CISA KEV since May 15; federal deadline May 29 (TOMORROW)
- No public IOCs released by Microsoft; no attribution
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| OWA requests with script, onerror, onload, eval in query/body | Exploit pattern | T1189 | IIS logs | Hunt for XSS payloads in /owa/ requests |
| Unusual inbox rule creation / mail forwarding | Post-exploitation | T1114.003 | Exchange audit logs | Alert on new mail rules created via OWA |
| Long query strings to /owa/auth/ paths | Exploit indicator | T1189 | IIS/WAF logs | Baseline and alert on anomalous OWA request sizes |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | Need OWA XSS payload detection in IIS logs; need Exchange mailbox rule anomaly rule |
| Elastic | None | No Exchange OWA-specific XSS rule |
| Sigma | None | Need IIS log rule for XSS payloads in OWA paths |
Sources: Microsoft Tech Community · BleepingComputer · Dark Reading
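Sections 2 and 3 both reduce to request-level matching over web access logs: the literal cpanel_jsonapi_func=redisAble call from the LiteSpeed hunt query, and the XSS tokens and oversized /owa/auth/ query strings from the Exchange table. The scanner below is an added example for this brief, not code from Microsoft, LiteSpeed or the cited vendors. It assumes an Apache/IIS-style request field (method, target, protocol) and URL-decodes before matching, so percent-encoded payloads are not missed; it matches "<script" rather than the bare word so OWA's own script resource paths do not fire. The 1024-byte query limit, the sample log lines and the cPanel request path are constructed; baseline the limit from your own IIS logs.

```python
"""Scan web access logs for the request-level indicators in sections 2 and 3:
the cPanel redisAble API call, and XSS-style tokens or oversized query
strings on OWA paths. Added example, not from the cited vendors; the
combined-log layout, the sample lines and the size threshold are assumptions."""
import re
from urllib.parse import unquote_plus

# Apache/IIS-style request field: method, path+query, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Tokens the brief names for OWA; "<script" rather than bare "script" so OWA's
# own script resource paths do not fire. Applied after URL decoding.
OWA_TOKENS = re.compile(r"(<script|onerror\s*=|onload\s*=|\beval\s*\()", re.I)
OWA_QUERY_LIMIT = 1024  # assumed; baseline from your own IIS logs and tune


def classify(line: str, body: str = "") -> list[str]:
    """Return the indicator names that fire for one log line.

    `body` is optional: pass the request body when the log source (e.g. a
    WAF) captures it, since the brief lists tokens in query or body.
    """
    m = REQUEST_RE.search(line)
    if not m:
        return []
    path, _, query = m.group("target").partition("?")
    decoded = unquote_plus(query) + " " + unquote_plus(body)
    findings = []
    # Section 2: literal match, same string as the brief's grep hunt query
    if "cpanel_jsonapi_func=redisAble" in decoded:
        findings.append("cpanel-redisAble")
    # Section 3: only OWA paths are in scope for the XSS and size checks
    if path.lower().startswith("/owa/"):
        if OWA_TOKENS.search(decoded):
            findings.append("owa-xss-token")
        if path.lower().startswith("/owa/auth/") and len(query) > OWA_QUERY_LIMIT:
            findings.append("owa-long-query")
    return findings


def scan(lines: list[str]) -> dict[int, list[str]]:
    """Map line index -> findings for every line that matched something."""
    out = {}
    for i, line in enumerate(lines):
        f = classify(line)
        if f:
            out[i] = f
    return out


# Constructed sample log lines (RFC 5737 test addresses); the cPanel path,
# the Exchange build number in the resource path and the sizes are illustrative.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/May/2026:10:01:02 +0000] "GET /json-api/cpanel?cpanel_jsonapi_func=redisAble HTTP/1.1" 200 512',
    '198.51.100.7 - - [28/May/2026:10:02:15 +0000] "GET /owa/auth/logon.aspx?url=%3Cscript%3E HTTP/1.1" 200 2048',
    '198.51.100.9 - - [28/May/2026:10:03:44 +0000] "GET /owa/auth/15.2.1544.4/themes/resources/logo.png HTTP/1.1" 200 1024',
    '192.0.2.44 - - [28/May/2026:10:04:01 +0000] "POST /owa/service.svc HTTP/1.1" 200 300',
    '192.0.2.45 - - [28/May/2026:10:05:09 +0000] "GET /owa/auth/logon.aspx?' + "a" * 1100 + ' HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_LOG).items():
        print(idx, findings, SAMPLE_LOG[idx][:80])
```

Feed it real lines with `scan(open(path).read().splitlines())`. The cPanel match is deliberately a literal substring so it stays equivalent to the grep in the table; the OWA checks are scoped to /owa/ paths because the same tokens show up legitimately elsewhere on a web server.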
4. Drupal Core PostgreSQL SQLi — CVE-2026-9082
TL;DR: Highly critical (Drupal 23/25) unauthenticated SQL injection in Drupal’s entity query API when using PostgreSQL. 15K+ exploitation attempts against 6K sites within 48 hours of May 20 disclosure. CISA KEV since May 22.
What’s New:
- Unsafe handling of PHP array keys in PostgreSQL entity query condition translation — attacker-supplied keys reach SQL placeholder construction unsanitized
- Unauthenticated exploitation on any Drupal+PostgreSQL site
- Imperva tracked 15K+ attacks against ~6K sites in 65 countries within 48 hours; gaming and financial services most targeted
- Affects Drupal 8.9.0 through multiple 10.x and 11.x branches; fix: apply SA-CORE-2026-004
- PostgreSQL backends estimated at <5% of Drupal installs, but high-value targets disproportionately use PostgreSQL
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Malformed entity query array keys in POST parameters | Exploit payload | T1190 | WAF / Drupal access logs | Deploy WAF rule for array key injection patterns in Drupal entity queries |
| Drupal + PostgreSQL backend | Vulnerable config | T1190 | Asset inventory | Prioritize patching; confirm backend DB type |
| SQL error messages with unexpected placeholders | Exploitation indicator | T1190 | Drupal watchdog / DB logs | Hunt for PostgreSQL injection errors |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | Need Drupal-specific SQLi detection; generic web SQLi rules may partially cover |
| Elastic | Web Application SQL Injection (generic) | Gap: Not tuned for Drupal entity query parameter format |
| Sigma | web_sqli_generic.yml (partial) | Gap: No Drupal PostgreSQL-specific rule |
Sources: Drupal SA-CORE-2026-004 · Security Affairs · Tenable
Status Updates
- CVE-2026-41091 / CVE-2026-45498 (Microsoft Defender RedSun / UnDefend): Patched May 19–21 in Defender Engine 1.1.26040.8 and Platform 4.18.26040.7. CISA KEV added with June 3 deadline. Confirmed ITW by Huntress — attackers chain UnDefend (disables Defender updates) then RedSun (CfAPI junction → SYSTEM privesc). Original coverage in BlueHammer brief.
- CVE-2026-42897 (Exchange OWA): Federal CISA KEV deadline TOMORROW May 29. No permanent patch. Apply Microsoft mitigation immediately. IE/Edge compat mode users remain exposed.
- CVE-2026-48172 (LiteSpeed cPanel): Federal CISA KEV deadline TOMORROW May 29. Patch to WHM Plugin 5.3.1.0.
- CVE-2026-4681 (PTC Windchill): Still no patch as of May 28. German police physical outreach continues. Apply servlet path deny mitigations.