Cybersecurity Weekly Briefing, 5 May

June 5, 2026

Active exploitation of an authentication bypass vulnerability in PAN-OS GlobalProtect

Rapid7 has warned of the active and widespread exploitation of CVE-2026-0257 (CVSSv3 9.1), an authentication bypass vulnerability in Palo Alto PAN-OS and Prisma Access that affects the GlobalProtect authentication override feature.

The flaw arises because authentication override cookies are encrypted using RSA without any post-decryption signature verification: if the certificate used for this purpose is reused in the portal or gateway’s HTTPS service, any unauthenticated remote attacker can extract the public key from the TLS handshake and forge an arbitrary cookie, gaining full VPN access to the internal network.

Rapid7 MDR identified the first wave of exploitation on 17 May from infrastructure hosted on Vultr, and a second on 21 May from Dromatics Systems, with the same spoofed MAC address in both cases, pointing to a single actor. The vulnerability was added to the CISA KEV catalogue on 29 May.

■ Security teams must urgently apply the patch published by Palo Alto or, as a temporary mitigation, disable the authentication override feature or generate a dedicated certificate for it.
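The flaw described above, a cookie that is trusted simply because it decrypts, can be shown with an added stand-alone example (not Palo Alto's code or format): a toy RSA over constructed small primes, a weak verifier that accepts whatever decrypts, and a hardened verifier that also checks an HMAC keyed with a secret only the gateway holds. Anyone who recovers the public key can produce a cleanly decrypting ciphertext; only the keyed tag distinguishes a gateway-issued cookie from a forged one.

```python
import hashlib
import hmac
import secrets

# Toy RSA with fixed small primes (constructed for illustration only; real keys are 2048+ bits).
P, Q = 1000003, 999983
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
PUBLIC_KEY = (E, N)      # recoverable by anyone who observes the TLS handshake
PRIVATE_KEY = (D, N)     # stays on the gateway
SERVER_SECRET = b"constructed-server-only-hmac-key"  # never leaves the gateway


def rsa_encrypt(pub, plaintext):
    e, n = pub
    m = int.from_bytes(plaintext, "big")
    assert m < n, "payload too large for the toy modulus"
    return pow(m, e, n)


def rsa_decrypt(priv, ciphertext):
    d, n = priv
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def issue_cookie(username):
    """Gateway side: encrypt the payload and bind it to the server-only secret."""
    tag = hmac.new(SERVER_SECRET, username, hashlib.sha256).digest()
    return rsa_encrypt(PUBLIC_KEY, username), tag


def verify_weak(cookie):
    """Flawed check: successful decryption is treated as proof of authenticity."""
    ciphertext, _tag = cookie
    return rsa_decrypt(PRIVATE_KEY, ciphertext)


def verify_hardened(cookie):
    """Fixed check: decrypt, then verify the keyed tag before trusting the payload."""
    ciphertext, tag = cookie
    username = rsa_decrypt(PRIVATE_KEY, ciphertext)
    expected = hmac.new(SERVER_SECRET, username, hashlib.sha256).digest()
    return username if hmac.compare_digest(tag, expected) else None


def forge_with_public_key(username):
    """Holder of only the public key: the ciphertext decrypts cleanly, but the tag
    can only be guessed because the server secret is unknown."""
    return rsa_encrypt(PUBLIC_KEY, username), secrets.token_bytes(32)
```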


New variant of Shai-Hulud found in compromised Red Hat npm packages

More than 30 npm packages published under the Red Hat name were compromised in a supply chain attack that distributed a new variant of the Shai-Hulud malware, dubbed Miasma, discovered by the firms Aikido and OX Security.

The attackers compromised a Red Hat employee’s GitHub account and used it to inject a malicious workflow into GitHub Actions, which published backdoored versions of the packages by abusing npm’s trusted publishing mechanism via short-lived OIDC tokens. The 4.2 MB obfuscated payload, executed automatically via a pre-install script, steals GitHub Actions secrets, AWS, Google Cloud and Azure credentials, HashiCorp Vault tokens, Kubernetes ServiceAccount tokens, SSH keys, Docker credentials, GPG keys and .env files.

OX Security notes that Miasma adds additional layers of obfuscation and multi-stage delivery mechanisms compared to the original Mini Shai-Hulud, whose source code was published by the TeamPCP group in May. The affected packages were accumulating approximately 117,000 weekly downloads, and at the time of publication, 309 GitHub repositories had been compromised by the campaign.

■ Organisations that have installed affected versions should immediately rotate all credentials, secrets and tokens present on the compromised systems.


Public PoC allows GitHub OAuth tokens to be stolen via github.dev and VSCode

Researcher Ammar Askar published a proof-of-concept capable of stealing GitHub OAuth tokens by opening a malicious repository on github.dev, without a phishing page or any further interaction beyond the initial click. The chain exploits VSCode’s handling of webviews, where synthetic keyboard events generated from untrusted content can be treated as legitimate input by the editor’s main window.

The attack installs local extensions in the environment, retrieves the GitHub session token and can access private repositories, modify code, trigger workflows and operate across the entire scope associated with the user.

■ Until an official fix is available, the practical mitigation recommended by the researcher is to clear local github.dev data in the browser and avoid opening links to untrusted notebooks or repositories from authenticated sessions.


HTTP/2 Bomb brings down NGINX, Apache, IIS and Envoy in under a minute from a single machine

Researchers at the offensive security firm Calif have documented HTTP/2 Bomb, a denial-of-service technique that combines HPACK compression amplification with a vulnerability (CVE-2026-49975, CVSSv3 9.8 according to Tenable) in HTTP/2 flow-control window blocking (a Slowloris-style stall), achieving memory amplification ratios of 5,700:1 in Envoy and 4,000:1 in Apache httpd. A single client with a 100 Mbps connection can exhaust 32 GB of server RAM in 10–45 seconds depending on the implementation; on IIS with Windows Server 2025, 64 GB is exhausted in approximately 45 seconds.

The attack bypasses existing defences based on total header size because the individual values are minimal, and the amplification stems from the internal header count. NGINX was patched in version 1.29.8 and Apache httpd mod_http2 in 2.0.41; IIS, Envoy and Cloudflare Pingora remain unpatched.

■ A public PoC already exists. Organisations unable to patch immediately should disable HTTP/2 or place a proxy/WAF with a strict limit on the number of headers in front of the vulnerable servers.


CISA warns of attacks on fuel monitoring systems in critical infrastructure

CISA, the FBI, the NSA, the Department of Energy and other US government partners have issued a warning about malicious activity targeting internet-facing Automatic Tank Gauge (ATG) control systems, which are used to monitor fuel and liquid tanks in the energy, chemical, food, agriculture and transport sectors.

Attackers are reportedly gaining access via authentication bypass vulnerabilities, embedded credentials, command execution, SQL injection and privilege escalation flaws, to modify network parameters, product identifiers, tank volumes, pump controls and alerts. Although the activity has not been formally attributed, it is consistent with previous incidents targeting petrol stations investigated in May.

■ The operational recommendation is to disconnect ATGs from the internet, restrict remote access using firewalls, VPNs or ACLs, change default credentials, implement MFA and monitor for unauthorised changes.
