🛡️ CISO Intel — Wednesday, 27-05-2026
By Marcus Reed | 26-05-2026 08:00 IST → 27-05-2026 08:00 IST | Sources cross-referenced
Executive Summary
Today’s intelligence paints a stark picture: the AI arms race is no longer a theoretical future, it’s the present, and it’s accelerating the threat landscape at an alarming rate. We’re seeing AI models like Anthropic’s Mythos unearthing thousands of critical vulnerabilities, while simultaneously, attackers are weaponizing AI to automate exploitation, enhance social engineering, and even subvert AI coding assistants in sophisticated supply chain attacks. The window between vulnerability disclosure and active exploitation is collapsing, demanding an immediate shift to continuous, AI-augmented defense.
🔴 Critical Threats — Act Now
Drupal Core SQL Injection (CVE-2026-9082) 🚨
What happened: A highly critical SQL injection vulnerability, CVE-2026-9082, has been discovered in Drupal Core’s database abstraction API. This flaw allows specially crafted requests to bypass query sanitization logic, enabling arbitrary SQL execution against Drupal sites using PostgreSQL databases. The vulnerability, rated 9.8 CVSS, was initially disclosed by Drupal on May 20, 2026, with patches released across supported versions. CISA has since added it to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch by midnight tonight, May 27, 2026.
Source verification: This incident is confirmed and extensively reported. Original advisories from Drupal (SA-CORE-2026-004) and CVE.org (CVE-2026-9082) confirm the details. Multiple security firms like SOC Prime, Tenable, Akamai, Imperva, and CyberInsider have published detailed analyses and observed active exploitation attempts in the wild. CISA’s KEV listing further corroborates active exploitation.
Technical breakdown: CVE-2026-9082 is a blind SQL injection vulnerability residing in the PostgreSQL EntityQuery condition handler within Drupal’s database abstraction API. The core issue is that user-controlled PHP array keys were not properly sanitized before being used in SQL placeholder construction. Attackers can submit HTTP requests with specially crafted array structures, allowing malicious SQL syntax to be injected directly into the PostgreSQL backend. This bypasses the intended security controls designed to prevent SQLi. The attack chain can lead to information disclosure (e.g., user password hashes, sensitive data), data modification or deletion, and in certain configurations, privilege escalation or remote code execution. The vulnerability can be exploited by unauthenticated attackers, making public-facing PostgreSQL-backed Drupal sites extremely vulnerable.
Blast radius: While the CVSS score is a maximum 9.8, it’s crucial to note that this vulnerability only affects Drupal sites using PostgreSQL as their database backend. Sites running MySQL, MariaDB, or SQLite are not impacted. Drupal estimates that less than 5% of its deployments are affected. However, given Drupal’s widespread use across government, education, media, and enterprise platforms, this still represents a significant number of high-value targets. Imperva reported observing over 15,000 exploitation attempts targeting nearly 6,000 websites across 65 countries, with almost half targeting gaming and financial services organizations.
Marcus’s verdict:
This isn’t just another SQLi; it’s a textbook example of how a fundamental flaw in an abstraction layer can unravel an entire security model. The fact that it’s unauthenticated and actively exploited means the clock is ticking for anyone running vulnerable Drupal instances on PostgreSQL. CISA’s 24-hour mandate for federal agencies isn’t hyperbole; it’s a reflection of the immediate, severe risk. If you’re running Drupal with PostgreSQL, you should have patched this yesterday. If not, consider your systems compromised and start hunting. The narrow scope to PostgreSQL is a small mercy, but it doesn’t diminish the criticality for those affected.
What to do:
- Immediate Patching: Prioritize applying the official Drupal core updates for SA-CORE-2026-004 (CVE-2026-9082) immediately. This includes Drupal versions 8.9.0 before 10.4.10, 10.5.0 before 10.5.10, 10.6.0 before 10.6.9, 11.0.0 before 11.1.10, 11.2.0 before 11.2.12, and 11.3.0 before 11.3.10.
- Verify Database Backend: Confirm if your Drupal deployments are using PostgreSQL. If so, these are your highest priority.
- Log Analysis: Scrutinize PostgreSQL and web application firewall (WAF) logs for any suspicious, specially crafted SQL queries or anonymous user activity leading up to the patch. Look for reconnaissance and validation attempts.
- WAF Rules: Ensure your WAF has up-to-date rules to detect and block SQL injection attempts, particularly those targeting PHP array keys in query strings. Akamai reports their App & API Protector customers are already protected.
- Incident Response: Assume compromise for any unpatched, internet-facing PostgreSQL-backed Drupal instance. Initiate incident response procedures, including forensic analysis for RCE, privilege escalation, or data exfiltration.
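For the log-analysis and WAF items above, a heuristic that flags query-string array keys that are not plain identifiers. This is an added example, not Drupal or vendor code; the log format, paths, parameter names and the allowed-character set are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qsl

# Array keys in ordinary requests look like identifiers; anything else is worth a look.
SAFE_KEY = re.compile(r"[A-Za-z0-9_.:-]*")
SEGMENT = re.compile(r"\[([^\[\]]*)\]")               # one [key] segment
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[0-9.]+"')  # request line in a combined-format log

# Constructed sample log (documentation IP ranges, hypothetical paths and parameters).
SAMPLE_LOG = [
    '203.0.113.7 - - [26/May/2026:10:01:02 +0000] "GET /listing?filter[status][value]=1&page[limit]=10 HTTP/1.1" 200 512',
    '198.51.100.9 - - [26/May/2026:10:01:05 +0000] "GET /listing?filter[title%20OR%201%3D1][value]=x HTTP/1.1" 500 0',
    '203.0.113.7 - - [26/May/2026:10:01:09 +0000] "GET /search?keys=drupal+postgres HTTP/1.1" 200 2048',
]


def suspicious_array_keys(url):
    """Return decoded array keys from the query string that are not plain identifiers."""
    flagged = []
    query = url.partition("?")[2]
    # parse_qsl percent-decodes names, so encoded spaces, quotes and '=' become visible.
    for name, _value in parse_qsl(query, keep_blank_values=True):
        bracket = name.find("[")
        if bracket == -1:
            continue  # scalar parameter, no array keys to inspect
        rest = name[bracket:]
        for key in SEGMENT.findall(rest):
            if not SAFE_KEY.fullmatch(key):
                flagged.append(key)
        leftover = SEGMENT.sub("", rest)
        if leftover:
            flagged.append(leftover)  # unbalanced brackets or trailing junk
    return flagged


def scan(lines):
    """Return (line number, client address, flagged keys) for each suspicious request."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        keys = suspicious_array_keys(match.group(1))
        if keys:
            hits.append((lineno, line.split()[0], keys))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Access logs only carry the query string, so array keys sent in request bodies need the same check applied at the WAF or in application logging.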
KnowledgeDeliver LMS Zero-Day (CVE-2026-5426) 💀
What happened: A zero-day deserialization vulnerability, CVE-2026-5426 (CVSS 7.5), in Digital Knowledge’s KnowledgeDeliver Learning Management System (LMS) has been actively exploited in the wild. Attackers are leveraging this flaw to achieve unauthenticated remote code execution (RCE), deploy Godzilla web shells, and subsequently drop Cobalt Strike beacons. The root cause is a classic vendor misstep: the use of identical, hardcoded ASP.NET machine keys across multiple customer deployments.
Source verification: This zero-day exploitation is confirmed by Google-owned Mandiant and Google Threat Intelligence Group (GTIG), with detailed reports published by Bleeping Computer and SecurityWeek.
Technical breakdown: The vulnerability, CVE-2026-5426, stems from KnowledgeDeliver installations relying on a standardized web.config file provided by the vendor. This file contained hardcoded machineKey values used by the ASP.NET framework for encrypting and signing data, including ViewState payloads. When these machine keys are known, an attacker can craft a malicious ViewState payload. By sending this payload in an HTTP request (via the __VIEWSTATE parameter), the server is tricked into deserializing it, leading to unauthenticated RCE. The observed attack chain involves injecting malicious scripts into the LMS platform, deploying the Godzilla (aka BLUEBEAM) web shell for persistent access, and then using this foothold to install Cobalt Strike beacons. In some cases, attackers modified JavaScript files to display fake security alerts, tricking users into downloading malicious installers. The fact that the payload was encrypted with a key specific to the compromised organization suggests targeted preparation.
Blast radius: All KnowledgeDeliver deployments prior to February 24, 2026, are impacted and potentially at risk. KnowledgeDeliver is primarily popular in Japan for enterprise and educational e-learning. The use of shared secrets means that if an attacker obtains the keys from one deployment, they can potentially compromise any other internet-facing KnowledgeDeliver instance globally. This highlights a systemic risk in vendor security practices.
Marcus’s verdict:
This is a vendor security failure of epic proportions. Hardcoded machine keys in a widely deployed product are an open invitation for mass compromise. It’s not a matter of if you’ll be hit, but when, if you haven’t patched. The deployment of Godzilla web shells and Cobalt Strike beacons indicates a sophisticated adversary looking for deep, persistent access. This isn’t just about patching; it’s about re-evaluating your vendor’s security posture and the fundamental design choices they make. Assume breach and hunt aggressively.
What to do:
- Patch Immediately: Update KnowledgeDeliver LMS to a version released after February 24, 2026. This is the absolute minimum.
- Rotate Machine Keys: Even after patching, manually rotate the ASP.NET machine keys for your KnowledgeDeliver instances. Ensure they are unique and securely generated for each deployment.
- Threat Hunting: Assume compromise. Actively hunt for Godzilla web shells (aka BLUEBEAM) and Cobalt Strike beacons on your KnowledgeDeliver servers. Look for unusual file modifications, new processes, and suspicious network connections.
- Restrict Access: Implement strict network segmentation and access controls for your LMS, limiting exposure to the internet where possible.
- Vendor Review: Engage with Digital Knowledge regarding their security practices and the implications of such a fundamental design flaw.
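To support the key-rotation item above, an audit that fingerprints explicit machineKey values in web.config files and reports any fingerprint shared across deployments. This is an added example, not vendor or Mandiant tooling; the tenant names and key material are constructed placeholders.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

KEY_ATTRS = ("validationKey", "decryptionKey")


def _config(validation, decryption):
    # Minimal web.config carrying only the element under audit.
    return (f'<configuration><system.web><machineKey validationKey="{validation}" '
            f'decryptionKey="{decryption}" validation="HMACSHA256" decryption="AES" />'
            f'</system.web></configuration>')


VENDOR_V, VENDOR_D = "A1" * 32, "B2" * 32  # constructed placeholder key material
SAMPLE_CONFIGS = {
    "tenant-a": _config(VENDOR_V, VENDOR_D),
    "tenant-b": _config(VENDOR_V.lower(), VENDOR_D),  # same keys, different hex case
    "tenant-c": _config("AutoGenerate,IsolateApps", "AutoGenerate,IsolateApps"),
    "tenant-d": _config("C3" * 32, "D4" * 32),        # static but unique
}


def static_keys(web_config_xml):
    """Return {attribute: fingerprint} for machineKey values that are not auto-generated."""
    root = ET.fromstring(web_config_xml)
    found = {}
    for node in root.iter("machineKey"):
        for attr in KEY_ATTRS:
            # A missing attribute means ASP.NET falls back to auto-generated keys.
            value = node.get(attr, "AutoGenerate").strip()
            if value.lower().startswith("autogenerate"):
                continue
            # Keep only a truncated hash so the report never contains the key itself.
            found[attr] = hashlib.sha256(value.upper().encode()).hexdigest()[:16]
    return found


def audit(configs):
    """Report deployments with static keys and key fingerprints used by more than one."""
    static, owners = {}, defaultdict(set)
    for deployment, xml_text in configs.items():
        keys = static_keys(xml_text)
        if keys:
            static[deployment] = sorted(keys)
        for attr, fingerprint in keys.items():
            owners[(attr, fingerprint)].add(deployment)
    shared = {key: sorted(names) for key, names in owners.items() if len(names) > 1}
    return {"static": static, "shared": shared}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIGS)
    print("static keys:", report["static"])
    print("shared keys:", report["shared"])
```

Static keys can be legitimate in a load-balanced farm; the finding that matters is any fingerprint appearing in more than one customer deployment.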
Ghost CMS Website Hijacking (CVE-2026-26980) 👻
What happened: A SQL injection vulnerability, CVE-2026-26980 (CVSS 9.4 Critical), in Ghost CMS’s Content API has been actively exploited to hijack over 700 legitimate websites. This includes prominent institutions like Harvard University, Oxford University, and DuckDuckGo. Attackers are exploiting this flaw to inject malicious JavaScript, which then displays fake Cloudflare CAPTCHA prompts, tricking visitors into running malware via social engineering (the “ClickFix” attack).
Source verification: This mass compromise is confirmed by multiple security firms, including CybelAngel, SentinelOne, and Chinese cybersecurity company Qianxin (XLab threat intelligence researchers). The vulnerability was patched in February 2026, but widespread failure to update led to the current wave of attacks.
Technical breakdown: CVE-2026-26980 is an unauthenticated blind SQL injection vulnerability in Ghost CMS’s Content API, specifically within the slug filter ordering functionality. The flaw exists because the original code concatenated user-supplied slug values directly into SQL CASE statements using string interpolation, rather than parameterized queries. This allowed attackers to inject arbitrary SQL syntax to extract sensitive data, including the Admin API Key, without any authentication. Once the Admin API Key is obtained, attackers use the Ghost Admin API to modify article content in bulk, injecting malicious JavaScript loaders at the bottom of pages.
The injected JavaScript then orchestrates the “ClickFix” social engineering attack. This involves forging Cloudflare human verification pages that instruct users to copy-paste malicious commands into Windows Run or PowerShell. This low-tech, high-impact method bypasses many traditional security controls by leveraging user trust in legitimate domains and the perceived legitimacy of a CAPTCHA.
Blast radius: The vulnerability affects Ghost CMS versions from 3.24.0 through 6.19.0, with the patch available since February 19, 2026 (version 6.19.1). Over 700 websites, including major universities, fintech firms, AI and SaaS companies, media outlets, security sites, and personal blogs, have been compromised. Ghost is used by over 100,000 websites, indicating a significant potential exposure for unpatched instances.
Marcus’s verdict:
This is a brutal combination of a critical, easily exploitable SQLi and a clever social engineering payload. The fact that major universities and even DuckDuckGo were compromised speaks volumes about the patching lag in our industry. Attackers aren’t always looking for zero-days; they’re looking for unpatched N-days on high-value targets. The “ClickFix” attack is particularly nasty because it weaponizes user trust and bypasses endpoint security by making the user execute the malicious payload themselves. This is a stark reminder that even well-known, widely-used platforms need continuous vigilance.
What to do:
- Patch Immediately: Update Ghost CMS to version 6.19.1 or later. The patch has been available since February 19, 2026.
- Audit for Compromise: Review your Ghost CMS instances for any unauthorized modifications to articles or templates, specifically looking for injected JavaScript. Check web server logs for suspicious API calls to the Ghost Content API.
- Educate Users: Reinforce security awareness training, specifically warning users about unexpected CAPTCHA prompts, especially those asking them to copy-paste commands into their system.
- Monitor for Malicious Activity: Implement endpoint detection and response (EDR) solutions to detect suspicious command-line activity (e.g., PowerShell, cmd.exe running unusual commands) that might result from the “ClickFix” attack.
- API Key Rotation: If compromised, rotate all Ghost Admin API Keys and other sensitive credentials stored in the database.
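The flaw class named in the technical breakdown above, interpolating slug values into a SQL CASE ordering expression, shown beside its parameterized form. This is an added Python and SQLite illustration, not Ghost's code; the posts table and function names are hypothetical.

```python
import sqlite3


def demo_db():
    """In-memory database with three constructed posts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (slug TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO posts VALUES (?)", [("alpha",), ("beta",), ("gamma",)])
    return conn


def order_by_slugs_unsafe(conn, slugs):
    # BEFORE: every slug becomes part of the SQL text, so the database parses it as syntax.
    cases = " ".join(f"WHEN slug = '{s}' THEN {i}" for i, s in enumerate(slugs))
    sql = f"SELECT slug FROM posts ORDER BY CASE {cases} ELSE {len(slugs)} END, slug"
    return [row[0] for row in conn.execute(sql)]


def order_by_slugs_safe(conn, slugs):
    # AFTER: the SQL text contains only placeholders and integers generated here;
    # slug values travel separately as bound parameters and are never parsed.
    slugs = list(slugs)
    if not slugs:
        # CASE needs at least one WHEN branch, so fall back to plain ordering.
        return [row[0] for row in conn.execute("SELECT slug FROM posts ORDER BY slug")]
    cases = " ".join(f"WHEN slug = ? THEN {i}" for i in range(len(slugs)))
    sql = f"SELECT slug FROM posts ORDER BY CASE {cases} ELSE {len(slugs)} END, slug"
    return [row[0] for row in conn.execute(sql, slugs)]


def value_reaches_parser(conn, slugs):
    """True when the interpolated query fails to parse, i.e. input was treated as SQL."""
    try:
        order_by_slugs_unsafe(conn, slugs)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = demo_db()
    print(order_by_slugs_safe(db, ["gamma", "alpha"]))
    # A slug containing a single quote is ordinary data to the safe version...
    print(order_by_slugs_safe(db, ["it's", "beta"]))
    # ...but changes the statement's structure in the interpolated one.
    print(value_reaches_parser(db, ["it's"]))
```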
TrapDoor Supply Chain Attack ⛓️
What happened: A sophisticated, multi-ecosystem supply chain attack campaign, codenamed “TrapDoor,” is actively distributing credential-stealing malware across popular open-source package managers: npm, PyPI, and Crates.io. This campaign specifically targets developers in high-value sectors such as crypto, DeFi, Solana, and AI. A particularly insidious aspect is its abuse of AI coding assistants for covert data exfiltration.
Source verification: This campaign is confirmed and extensively reported by multiple security firms, including Socket Security (who codenamed it TrapDoor), Phoenix Security, The Hacker News, and CoreWin. Initial activity was observed as early as May 19, 2026, with widespread reporting on May 24-26, 2026.
Technical breakdown: The TrapDoor campaign involves over 34 malicious packages and more than 384 versions, masquerading as legitimate development utilities (e.g., crypto auditors, Sui/Move helpers, DeFi scanners, AI tools). Attackers use various ecosystem-specific execution paths:
- npm: Postinstall hooks deploy a shared JavaScript payload, trap-core.js, which scans for credentials, validates AWS and GitHub tokens, attempts SSH-based lateral movement, and establishes persistence via .cursorrules, CLAUDE.md, Git hooks, shell hooks, systemd, and cron.
- PyPI: Malware executes on import.
- Crates.io (Rust): Malicious build.rs scripts are used.
The malware is designed to steal a broad array of sensitive developer secrets: SSH keys, crypto wallet data (Sui, Solana, Aptos, Coinbase, Binance, MetaMask), AWS credentials, GitHub tokens, browser profile data, browser login databases, environment variables, and API keys.
The most novel aspect is the “AI assistant poisoning.” The malware modifies or creates files like .cursorrules and CLAUDE.md in developer environments, embedding hidden instructions using zero-width Unicode characters. These files are then parsed by AI coding assistants (like Claude Code and Cursor) to provide project-specific context. The embedded instructions trick the AI into performing a “security scan” that covertly exfiltrates local secrets. This represents a new attack surface directly targeting the AI tools developers rely on.
Blast radius: This campaign is widespread across npm, PyPI, and Crates.io, impacting any organization whose developers pull dependencies from these registries, especially those in the crypto, DeFi, Solana, and AI sectors. Traditional scanners relying on CVEs will miss this, as it’s a code-level threat, not a known vulnerability in a specific product version.
Marcus’s verdict:
This is a game-changer. TrapDoor isn’t just a supply chain attack; it’s a supply chain attack that weaponizes AI against developers. The AI assistant poisoning is a brilliant, terrifying evolution. It’s stealthy, abuses trust, and targets the very tools meant to enhance developer productivity and security. This campaign highlights the urgent need for behavioral analysis in our software supply chain security. If your developers are using AI coding assistants, those assistants are now a direct attack vector. This is sophisticated, and it’s going after the crown jewels of modern development: credentials, crypto assets, and the very intelligence layers we’re building.
What to do:
- Supply Chain Monitoring: Implement continuous monitoring of your software supply chain for suspicious package activity, especially from npm, PyPI, and Crates.io. Focus on behavioral analysis rather than just CVE scanning.
- Developer Environment Hardening:
  - Least Privilege: Enforce strict least-privilege access for developer workstations and build environments.
  - Credential Management: Implement robust secrets management solutions, discouraging local storage of sensitive credentials (SSH keys, API keys, cloud credentials).
  - AI Assistant Configuration Review: Audit and secure configurations for AI coding assistants. Look for unauthorized modifications to files like .cursorrules and CLAUDE.md. Consider sandboxing AI assistant environments.
- Threat Hunting: Actively hunt for indicators of compromise (IOCs) related to TrapDoor, including specific package names (e.g., eth-security-auditor), the trap-core.js payload, and unexpected modifications to developer configuration files or Git hooks.
- Network Monitoring: Monitor for suspicious outbound connections from developer workstations, especially to unusual or newly registered domains, which could indicate exfiltration.
- Developer Education: Educate developers on the risks of malicious packages and the subtle ways AI assistants can be subverted.
🛡️ CVEs — Full Analysis
CVE-2026-45659 — Microsoft SharePoint
Summary: This is an authenticated remote code execution (RCE) vulnerability in Microsoft SharePoint due to deserializing untrusted data. An attacker with a minimum of Site Member permissions can execute code remotely on the SharePoint Server.
CVSS/Details: CVSS 8.8 (High). Microsoft rates it as “Important” severity. Patches are available for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. No public PoC or active exploitation in the wild has been reported yet, but Microsoft’s out-of-band patch release suggests urgency.
Marcus take: While Microsoft deems it “less likely to be exploited” and there’s no public PoC, this is SharePoint. SharePoint is a high-value target, often internet-facing, and holds a treasure trove of sensitive data. The history of SharePoint vulnerabilities being quickly weaponized means you should treat this as a critical update. “Authenticated” doesn’t mean “safe” when phishing is so prevalent. Patch this now, before a PoC drops and the script kiddies get to work.
CVE-2026-7452 — Autodesk 3ds Max
Summary: A memory corruption vulnerability in Autodesk 3ds Max, exploitable via a crafted WRL file, leading to arbitrary code execution. This typically affects users who open malicious files.
CVSS/Details: CVSS 7.8 (High). Patches are available. No public PoC.
Marcus take: This is a standard client-side vulnerability. If your organization uses 3ds Max, ensure users are trained to be wary of unsolicited .wrl files. Patching is essential, but user education and robust endpoint protection are your primary defenses against this type of attack. It’s not internet-facing, so the blast radius is contained to user interaction.
CVE-2025-9074 — Docker Desktop
Summary: This vulnerability allows local Linux containers to access the Docker Engine API, enabling privileged command execution. This is a local privilege escalation issue.
CVSS/Details: CVSS 7.8 (High). CISA KEV listed, implying active exploitation or high likelihood of it. Patch available since January 2026.
Marcus take: The Discord briefing had a typo in the ID: CVE-2025-9074 is correct, not 2026. The fact that CISA has added this to its KEV catalog means it’s being actively exploited or has a very high risk of it. For developer environments, this is a critical local privilege escalation. If your developers use Docker Desktop on Linux, and they haven’t updated since January, assume they’re vulnerable. This can lead to container escape and host compromise. Patch immediately and verify the update status of all developer workstations.
N/A — LiteSpeed User-End cPanel Plugin v<2.4.5
Summary: A high-severity privilege escalation vulnerability, potentially to root, exists in LiteSpeed User-End cPanel Plugin versions prior to 2.4.5. The flaw is due to mishandling of the Redis enable/disable feature. It is actively exploited in the wild.
CVSS/Details: High severity, exact CVSS not assigned (N/A). Actively exploited. Patch available by updating to version 2.4.5 or later.
Marcus take: This is a critical issue for anyone running cPanel with vulnerable LiteSpeed plugins. Privilege escalation to root on a web server is a full compromise. The “actively exploited” status means you’re already a target if you’re unpatched. This isn’t theoretical; it’s a direct threat to your web infrastructure. Update this plugin immediately and audit your cPanel servers for signs of compromise, especially for new root-level accounts or suspicious processes.
⚡ TTPs & Attack Research — Deep Dives
AI Chatbot Poisoning for Cryptojacking 🤖
What happened: Microsoft Defender Experts are tracking a novel cryptojacking campaign that weaponizes AI chatbot interactions. Instead of traditional SEO poisoning, attackers are manipulating AI conversational interfaces to surface malicious download sites, ultimately pushing GPU-mining malware.
Technical breakdown: This TTP represents an evolution of social engineering. Instead of relying on users clicking malicious links in emails or search results, attackers are exploiting the trust and conversational nature of AI chatbots. They likely achieve this through:
- Prompt Injection/Data Poisoning: Feeding the AI chatbot system with malicious data or prompts during its training or fine-tuning phase, or through clever real-time prompt engineering, to influence its responses.
- Context Manipulation: Crafting queries or interactions that lead the chatbot to recommend or link to attacker-controlled websites hosting cryptojacking malware. This could involve asking for “best free GPU miners” or “fastest crypto tools.”
- Conversational Lures: The chatbot, acting as a seemingly authoritative source, then guides the user to download and execute the malware, often disguised as legitimate software or utilities.
MITRE ATT&CK Mapping:
- T1566.002 (Phishing: Spearphishing Link): The AI chatbot acts as the delivery mechanism for the malicious link.
- T1496 (Resource Hijacking): The ultimate goal is cryptojacking, which involves unauthorized use of system resources for cryptocurrency mining.
Detection opportunities:
- Network Anomalies: Monitor for unusual outbound connections to known cryptomining pools or unexpected spikes in GPU/CPU utilization on user workstations.
- Endpoint Telemetry: Look for new, unauthorized processes running known cryptomining executables or attempts to modify system power settings.
- AI Chatbot Logs: If your organization uses internal AI chatbots, monitor interaction logs for suspicious queries that might indicate poisoning attempts or attempts to elicit malicious recommendations.
Mitigations:
- User Education: Train users about the new threat vector. Emphasize caution even when information comes from AI assistants.
- Endpoint Protection: Deploy robust EDR solutions with behavioral analysis capabilities to detect and block cryptojacking activities.
- Network Segmentation: Isolate developer and high-compute environments to limit the blast radius of cryptojacking.
- AI Governance: If deploying internal AI chatbots, implement strict content filtering, input validation, and continuous monitoring for prompt injection or poisoning attempts.
TrapDoor AI Assistant Abuse 🤖
What happened: As part of the ongoing TrapDoor supply chain campaign, attackers are directly targeting AI coding assistants. They modify developer environment files like .cursorrules and CLAUDE.md with hidden instructions (using zero-width Unicode characters) to trick these AI assistants into performing “security scans” that actually exfiltrate sensitive secrets.
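A scanner for the hidden-instruction technique described here and in the TrapDoor technical breakdown earlier: it walks a directory tree and reports runs of invisible Unicode format characters in .cursorrules and CLAUDE.md. This is an added example, not Socket's or any vendor's tooling; the sample content is constructed and carries no instructions, only the invisible characters.

```python
import os
import unicodedata

WATCHED_NAMES = {".cursorrules", "CLAUDE.md"}  # the two files named in the report

# Constructed sample: visible text followed by four invisible characters.
SAMPLE_POISONED = "# Project notes\nRun the linter before commit.\u200b\u200c\u200d\u2060\n"


def invisible_runs(text):
    """Return (line, column, run length, character names) for each invisible run.

    Unicode category Cf (format) covers zero-width space/joiners, word joiner,
    bidirectional controls and tag characters, none of which render visibly.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        col = 0
        while col < len(line):
            start = col
            while col < len(line) and unicodedata.category(line[col]) == "Cf":
                col += 1
            if col == start:
                col += 1
                continue
            run = line[start:col]
            # A lone U+FEFF at the very start of a file is a byte-order mark.
            if lineno == 1 and start == 0 and run == "\ufeff":
                continue
            names = sorted({unicodedata.name(c, f"U+{ord(c):04X}") for c in run})
            findings.append((lineno, start + 1, len(run), names))
    return findings


def scan_tree(root):
    """Return {relative path: findings} for watched files containing invisible runs."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in WATCHED_NAMES:
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as handle:
                runs = invisible_runs(handle.read())
            if runs:
                report[os.path.relpath(full, root)] = runs
    return report


if __name__ == "__main__":
    for finding in invisible_runs(SAMPLE_POISONED):
        print(finding)
```

A run of length 1 can be a legitimate emoji joiner; longer runs in an assistant rules file have no benign reason to exist and should be diffed against version control.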
Technical breakdown: This TTP is a sophisticated form of AI agent hijacking or **