Cyber Threat Brief — June 4 2026
1. Mirasvit Cache Warmer Magento RCE — CVE-2026-45247
TL;DR: CISA added CVE-2026-45247 (CVSS 9.8) to KEV on June 3 — unauthenticated PHP object injection via the CacheWarmer cookie in a Magento extension with 150K+ installs. Actively exploited against e-commerce sites.
What’s New:
- Attacker sends a serialized PHP object in the `CacheWarmer` cookie → `unserialize()` without class restriction → Magento gadget chain → RCE
- No authentication, no special config required — default installs exploitable
- Imperva observed base64-encoded serialized payloads targeting gaming and business sites; US, UK, France, Australia most hit
- Post-exploitation: webshell drops, `core_config_data` tampering (encryption keys, PayPal settings)
- Patched in Mirasvit Full Page Cache Warmer v1.11.12 (May 25 2026)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| `CacheWarmer` cookie with serialized PHP (`O:`, `a:` markers) | Payload | T1190 | WAF / web access logs | Block/alert on serialized PHP in cookie values |
| New `.php` files in `pub/media/` or `var/` dirs | IOC | T1505.003 | File integrity monitoring | Alert on unexpected PHP file creation |
| POST to `/mirasvitwarm` paths | TTP | T1190 | Web access logs | Hunt for anomalous POST requests |
| `core_config_data` modifications (encryption keys, PayPal) | TTP | T1565.001 | Magento DB audit / application logs | Monitor for unauthorized config changes |
| Web server spawning bash, wget, curl | TTP | T1059.004 | EDR / process logs | Alert on shell children of php-fpm/httpd |
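Added example (not from the brief or from any cited vendor): a hunt script that covers the first row of the table above, scanning web access log lines for serialized PHP in cookie values. It checks each cookie as sent, URL-decoded, and base64-decoded (the wrapping Imperva reported), and rates the `CacheWarmer` cookie higher than any other cookie. The log layout (Apache combined format with `%{Cookie}i` appended as a final quoted field), the three log lines, and the harmless `stdClass` object standing in for a real payload are all constructed for this example; the `/mirasvitwarm` path comes from the table.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

# Serialized-PHP markers named in the brief: object  O:<len>:"<class>":<n>:{  and array  a:<n>:{
PHP_OBJ_RE = re.compile(r'O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')
PHP_ARR_RE = re.compile(r'a:\d+:\{')

# Assumed log layout (an assumption for this example): Apache "combined" format with
# "%{Cookie}i" appended as one more quoted field, so the Cookie header is the last "...".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookies>[^"]*)"$'
)


def decode_candidates(raw):
    """Return the cookie value in the forms a payload may be wrapped in:
    as sent, URL-decoded, and base64-decoded (the encoding Imperva observed)."""
    forms = []
    for v in (raw, unquote(raw)):
        if v not in forms:
            forms.append(v)
    for v in list(forms):
        try:
            decoded = base64.b64decode(v, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue  # not base64: keep the undecoded forms only
        if decoded not in forms:
            forms.append(decoded)
    return forms


def looks_like_serialized_php(value):
    return any(PHP_OBJ_RE.search(v) or PHP_ARR_RE.search(v) for v in decode_candidates(value))


def scan_access_log(lines):
    """Flag every request carrying serialized PHP in a cookie. CacheWarmer is rated
    'high' because that is the cookie the vulnerable extension unserializes; any
    other cookie is 'medium' (some legitimate apps do serialize cookie state)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # a line in another layout is skipped rather than mis-parsed
        for cookie in m.group("cookies").split(";"):
            name, sep, value = cookie.strip().partition("=")
            if not sep or not looks_like_serialized_php(value):
                continue
            findings.append({
                "ip": m.group("ip"),
                "path": m.group("path"),
                "cookie": name,
                "severity": "high" if name == "CacheWarmer" else "medium",
            })
    return findings


# Constructed sample data: a harmless stdClass object stands in for a real gadget payload.
SAMPLE_OBJECT = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}'
SAMPLE_LOG = [
    '198.51.100.23 - - [03/Jun/2026:10:15:22 +0000] "GET /catalog/ HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0" "PHPSESSID=abc123; CacheWarmer=1"',
    '203.0.113.7 - - [03/Jun/2026:10:16:01 +0000] "POST /mirasvitwarm/ HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0" "CacheWarmer=' + base64.b64encode(SAMPLE_OBJECT.encode()).decode() + '"',
    '203.0.113.7 - - [03/Jun/2026:10:16:05 +0000] "GET /index.php HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0" "tracker=' + quote(SAMPLE_OBJECT) + '"',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

The marker regexes are deliberately narrow (`O:` must be followed by a length, a quoted class name and a property count) so that ordinary cookie values containing the letters "O:" or "a:" do not fire; a WAF rule built from the same expressions should inspect the decoded forms, since the raw base64 string never matches.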
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Web Shell Indicator (generic) | Need Magento-specific rule on CacheWarmer cookie deserialization |
| Elastic | Webshell Detection via File Creation (generic) | No Mirasvit-specific cookie inspection rule |
| Sigma | webshell_detection_file_creation.yml (generic) | Need WAF/proxy rule for serialized PHP in cookie headers |
Sources: CISA KEV June 3 · Imperva · Sansec · THN
2. Miasma Supply Chain Attack — @redhat-cloud-services npm Packages
TL;DR: 32 Red Hat npm packages (80K weekly downloads) backdoored with a Mini Shai-Hulud variant that sweeps cloud credentials, CI/CD secrets, SSH keys, and kubeconfigs. Compromised employee GitHub account used to bypass code review.
What’s New:
- Wiz Research disclosed June 1; compromised Red Hat employee account pushed malicious orphan commits to RedHatInsights repos
- OIDC token workflow published trojanized versions with valid SLSA provenance attestations — signature verification alone won’t catch this
- New variant adds GCP and Azure identity collectors alongside existing AWS/GitHub/Vault/K8s credential theft
- Per-infection unique encryption makes hash-based IOCs unreliable across different package versions
- Exfil to attacker-created GitHub repos with description “Miasma: The Spreading Blight”
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Compromised package versions (see Wiz advisory for full list) | IOC | T1195.002 | SBOM / dependency scanners | Audit @redhat-cloud-services/* for affected versions |
| `preinstall` script invoking `_index.js` with `eval()` + ROT decode | TTP | T1059.007 | npm audit logs / CI logs | Flag packages with obfuscated preinstall scripts |
| GitHub repos with description “Miasma: The Spreading Blight” | IOC | T1567.001 | GitHub audit logs | Search org repos for unauthorized “Miasma” repos |
| UA: `google-api-nodejs-client/7.0.0 gl-node/20.11.0 gccl/7.0.0` | IOC | T1071.001 | Proxy / cloud API logs | Alert on this UA from non-GCP workloads |
| `.env`, SSH keys, kubeconfig, cloud cred file reads from npm context | TTP | T1552.001 | EDR / auditd | Alert on credential file access by node/npm processes |
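Added example (not from the brief, Wiz, or Red Hat): a `node_modules` audit that covers the first two actions in the table above. It walks every installed `package.json`, reports any package in the `@redhat-cloud-services/` scope for version review, and flags lifecycle hooks (`preinstall`, `install`, `postinstall`, `prepare`) whose command or referenced script calls `eval()`, escalating when the same file also does character rotation (`charCodeAt`/`fromCharCode`), the ROT-decode pattern the brief describes. The fixture tree, the scoped package name `placeholder-pkg` and its version are constructed placeholders, not a real Red Hat package; the affected version list is not on this page and must come from the Wiz advisory.

```python
import json
import re
import tempfile
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
AFFECTED_SCOPE = "@redhat-cloud-services/"
# Indicators from the brief: a lifecycle hook running a file that eval()s a rotated string.
EVAL_RE = re.compile(r"\beval\s*\(|new\s+Function\s*\(")
ROT_RE = re.compile(r"charCodeAt\s*\(|fromCharCode\s*\(")
NODE_FILE_RE = re.compile(r"\bnode\s+(\S+\.[cm]?js)\b")


def audit_package(pkg_dir):
    """Inspect one installed package; return a finding dict, or None if nothing stands out."""
    pkg_dir = Path(pkg_dir)
    meta_path = pkg_dir / "package.json"
    if not meta_path.is_file():
        return None
    meta = json.loads(meta_path.read_text(encoding="utf-8"))
    indicators = []
    for hook in LIFECYCLE_HOOKS:
        cmd = (meta.get("scripts") or {}).get(hook)
        if not cmd:
            continue
        if EVAL_RE.search(cmd):
            indicators.append(f"{hook} command itself contains eval()")
        for script in NODE_FILE_RE.findall(cmd):
            src_path = pkg_dir / script
            src = src_path.read_text(encoding="utf-8") if src_path.is_file() else ""
            if EVAL_RE.search(src) and ROT_RE.search(src):
                indicators.append(f"{hook} runs {script}, which eval()s a character-rotated string")
            elif EVAL_RE.search(src):
                indicators.append(f"{hook} runs {script}, which calls eval()")
    name = meta.get("name", "")
    in_scope = name.startswith(AFFECTED_SCOPE)
    if not indicators and not in_scope:
        return None
    return {"name": name, "version": meta.get("version"),
            "in_affected_scope": in_scope, "indicators": indicators}


def audit_node_modules(root):
    """Walk a node_modules tree (nested packages included) and collect findings."""
    findings = []
    for meta_path in sorted(Path(root).rglob("package.json")):
        finding = audit_package(meta_path.parent)
        if finding:
            findings.append(finding)
    return findings


# Constructed fixture loader mimicking the eval()+ROT pattern; the decoded text is only a
# console.log call, so the fixture is harmless but trips both indicators.
FIXTURE_LOADER = """\
const enc = "pbafbyr.ybt('svkgher')";
const dec = enc.replace(/[a-z]/g, c => String.fromCharCode((c.charCodeAt(0) - 97 + 13) % 26 + 97));
eval(dec);
"""


def build_sample_tree(root):
    """Create a two-package node_modules fixture: one clean, one scoped with the hook."""
    nm = Path(root) / "node_modules"
    clean = nm / "clean-example"
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps({"name": "clean-example", "version": "1.0.0"}))
    scoped = nm / "@redhat-cloud-services" / "placeholder-pkg"  # placeholder, not a real package
    scoped.mkdir(parents=True)
    (scoped / "package.json").write_text(json.dumps({
        "name": "@redhat-cloud-services/placeholder-pkg",
        "version": "0.0.0-placeholder",
        "scripts": {"preinstall": "node _index.js"},
    }))
    (scoped / "_index.js").write_text(FIXTURE_LOADER)
    return nm


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        return audit_node_modules(build_sample_tree(tmp))


if __name__ == "__main__":
    for finding in run_demo():
        print(json.dumps(finding, indent=2))
```

Run it against a real checkout with `audit_node_modules("./node_modules")`; because the brief notes per-infection unique encryption, the check keys on the hook-plus-`eval()` behaviour rather than on file hashes.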
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | Need npm preinstall script execution monitoring; credential file access by node processes |
| Elastic | None | Need rule for bulk credential file enumeration by package manager child processes |
| Sigma | None | Need rule for suspicious eval() in npm lifecycle scripts; GitHub API exfil pattern |
Sources: Wiz Research · THN · JFrog · BleepingComputer
3. VS Code github.dev OAuth Token Theft — No CVE Assigned
TL;DR: Unpatched zero-day chains Jupyter notebook webview escape + workspace extension auto-trust to steal unscoped GitHub OAuth tokens from any github.dev user in one click. Full read/write access to all repos including private.
What’s New:
- Ammar Askar fully disclosed on June 2 after prior negative MSRC experiences; no CVE assigned
- Attack: victim clicks crafted github.dev link → malicious `.ipynb` triggers JS via `onerror` → rogue extension installed from `.vscode/extensions/` without trust prompt → OAuth token exfiltrated
- Token is unscoped — grants read/write to ALL repos (public + private), can push commits, alter settings, trigger workflows
- Microsoft claims “mitigated for our services” but no patch confirmed for VS Code Desktop (requires repo clone + notebook open)
- VS Code Desktop also affected via malicious cloned repos
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Untrusted github.dev links in phishing/chat | TTP | T1566.002 | Email gateway / chat DLP | Block/warn on github.dev links to unknown repos |
| `.vscode/extensions/` with unsigned extensions in cloned repos | IOC | T1195.002 | Git repo scanning | Pre-clone scan for embedded VS Code extensions |
| Unexpected GitHub API calls (repo enumeration, token creation) | TTP | T1528 | GitHub audit logs | Alert on bulk repo access or new PAT creation post-github.dev session |
| `.ipynb` files with `onerror` JS in image tags | IOC | T1204.002 | Repo scanning / EDR | Flag notebooks with embedded JavaScript |
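Added example (not from the brief, the researcher, or Microsoft): a repository scanner covering the two repo-scanning rows above. It lists anything shipped under `.vscode/extensions/` and parses each `.ipynb` as JSON, flagging markdown or output HTML that contains an `<img>` with an inline `on*` handler or a `<script>` element. The fixture repo, the notebook, and the `placeholder-ext` directory are constructed for this example; the `onerror` handler in the fixture only calls `console.log`.

```python
import json
import re
import tempfile
from pathlib import Path

# Markers from the brief: an <img> carrying an inline event handler, plus any <script>
# element, in notebook content a renderer would execute. Heuristic: "on" followed by
# word characters and "=" inside the tag also catches onload, onmouseover, etc.
IMG_HANDLER_RE = re.compile(r"<img\b[^>]*\bon\w+\s*=", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b", re.IGNORECASE)


def _as_text(value):
    """Notebook fields may be a string or a list of lines; normalise to one string."""
    return "".join(value) if isinstance(value, list) else (value or "")


def scan_notebook(nb_json):
    """Return [(cell_index, reason), ...] for a notebook given as its JSON text."""
    nb = json.loads(nb_json)
    findings = []
    for i, cell in enumerate(nb.get("cells", [])):
        chunks = [_as_text(cell.get("source"))]
        for out in cell.get("outputs", []):
            chunks.append(_as_text(out.get("data", {}).get("text/html")))
        text = "\n".join(chunks)
        if IMG_HANDLER_RE.search(text):
            findings.append((i, "img tag with inline on* event handler"))
        if SCRIPT_RE.search(text):
            findings.append((i, "inline <script> element"))
    return findings


def scan_repo(root):
    """Post-clone (or mirror-side pre-clone) check: embedded extensions and risky notebooks."""
    root = Path(root)
    report = {"embedded_extensions": [], "notebooks": {}}
    ext_dir = root / ".vscode" / "extensions"
    if ext_dir.is_dir():
        report["embedded_extensions"] = sorted(p.name for p in ext_dir.iterdir() if p.is_dir())
    for nb_path in sorted(root.rglob("*.ipynb")):
        hits = scan_notebook(nb_path.read_text(encoding="utf-8"))
        if hits:
            report["notebooks"][nb_path.relative_to(root).as_posix()] = hits
    return report


# Constructed fixture notebook: a plain markdown cell, a markdown cell with an inline
# handler, and a code cell whose output is plain text only.
SAMPLE_NOTEBOOK = json.dumps({
    "nbformat": 4, "nbformat_minor": 5, "metadata": {},
    "cells": [
        {"cell_type": "markdown", "metadata": {}, "source": ["# Analysis\n", "Plain text only."]},
        {"cell_type": "markdown", "metadata": {},
         "source": ['<img src="missing.png" onerror="console.log(\'fixture\')">']},
        {"cell_type": "code", "metadata": {}, "execution_count": 1, "source": ["print(1)"],
         "outputs": [{"output_type": "display_data", "metadata": {},
                      "data": {"text/plain": ["1"]}}]},
    ],
})


def build_sample_repo(root):
    """Create a fixture checkout with an embedded extension directory and the notebook."""
    root = Path(root)
    ext = root / ".vscode" / "extensions" / "placeholder-ext"  # placeholder name, constructed
    ext.mkdir(parents=True)
    (ext / "package.json").write_text('{"name": "placeholder-ext"}')
    (root / "notebooks").mkdir()
    (root / "notebooks" / "demo.ipynb").write_text(SAMPLE_NOTEBOOK, encoding="utf-8")
    return root


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        return scan_repo(build_sample_repo(tmp))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

A non-empty `embedded_extensions` list is the higher-confidence signal: the brief's chain depends on that directory being present in the repo, whereas an `on*` handler in a notebook can also occur in benign HTML and should be reviewed rather than auto-blocked.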
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | Need GitHub audit log rule for mass repo enumeration following github.dev session |
| Elastic | None | No VS Code extension sideloading detection |
| Sigma | None | Need rule for .vscode/extensions/ in cloned repo triggering API calls |
Sources: BleepingComputer · THN · Aikido
Status Updates
- CVE-2026-41089 (Windows Netlogon DC RCE): ITW exploitation ongoing. No new artifacts since June 3. Original brief.
- CVE-2026-0257 (PAN-OS GlobalProtect Auth Bypass): CISA KEV deadline passed June 1. Palo Alto elevated severity to High. Exploitation ongoing. Original brief.
- CVE-2025-48595 (Android Framework EoP): Federal deadline TOMORROW June 5 (3-day fuse). Enforce June 2026 SPL on managed devices. Original brief.