
A
From the CISO Series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Tuesday, May 26, 2026. I'm Sarah Lane.
Megalodon infects GitHub repositories. Researchers at SafeDep say a supply chain attack dubbed Megalodon infected more than 5,500 GitHub repositories after attackers pushed 5,718 malicious automated commits in a six-hour window on May 18. The commits inserted GitHub Actions workflows that stole CI secrets, including cloud credentials, SSH keys, API tokens and database strings, while planting dormant backdoors that could be triggered later through GitHub's API. The campaign surfaced after compromised versions of Tiledesk were published from a poisoned GitHub repository, adding to a growing wave of software supply chain attacks targeting developers.
Netherlands seizes 800 servers over cyber attacks. Dutch authorities have arrested two men and seized more than 800 servers tied to hosting providers MIRhosting and WorkTitans B.V., accusing both of helping provide infrastructure used by Russian-linked groups for cyber attacks, influence operations and disinformation across the EU. The investigation centers on Stark Industries Solutions, a network previously linked to DDoS attacks and proxy services used in Russian cyber operations, whose infrastructure was allegedly transferred to the Dutch companies after earlier EU sanctions.
Ghost CMS exploited for ClickFix attacks. Researchers at Qianxin XLab say attackers are actively exploiting a critical Ghost CMS HUA to hijack more than 700 websites and inject malicious JavaScript tied to ClickFix attacks. The bug was discovered by Anthropic using Claude and patched back in February, letting attackers steal a site's admin API key and then bulk modify published articles with malware loaders. Victims visiting compromised sites are funneled to fake CAPTCHA pages that trick them into running malicious commands, ultimately installing persistent malware.
Nigel Farage's hack claimed to be without any merit. Former UK cyber chief Ciaran Martin says Nigel Farage, leader of Reform UK, has provided no evidence for his recent claim that Russia hacked him and leaked information behind a Guardian report on an undeclared 5 million pound donation from crypto billionaire Christopher Harborne. Martin called the allegation a serious national security claim without any merit unless backed by technical proof, and said Farage should report any evidence to the UK's National Cyber Security Centre immediately.
Huge thanks to our sponsor, Guardsquare. Your back end is only as secure as your front end. Research shows that client-side compromise is now a primary driver of API risk, with 63% of leaders detecting mobile app tampering or cloning last year. Don't leave your mobile app security to chance. Get multi-layered protection for your entire mobile app ecosystem from the outside in. Learn more at guardsquare.com.
Fake streams, counterfeit merch and scams, oh my. According to the Bitdefender Cybersecurity Grand Prix Fan Threat Index, cybercriminals have built a broad scam ecosystem around Formula One, targeting fans with fake streaming apps, counterfeit merchandise, bogus ticket offers and social media scams. This is all to steal personal and payment data, spread malware or monetize victims through ads and redirects, with some fake streaming tools even enrolling devices into botnets. Researchers say the pace and popularity of F1 make fans especially vulnerable.
Mythos-class models headed to the public. Anthropic says it plans to eventually release public versions of its Mythos bug finding once it can build stronger safeguards against misuse. For now, access remains limited under Project Glasswing, though it is expanding to governments and some other partners. Anthropic says Mythos has scanned more than 1,000 open source projects and found more than 6,200 high or critical severity vulnerabilities, including a major flaw in wolfSSL. But the volume of AI-generated findings is also adding strain to security teams.
Lazarus deploys RemotePE memory-only RAT. Researchers at Fox-IT say the North Korea-linked Lazarus group is using a stealthy memory-only remote access trojan called RemotePE in attacks on financial and cryptocurrency firms. It's delivered through social engineering on Telegram and fake scheduling sites and loads entirely in memory, evades endpoint detection and leaves almost no forensic traces while giving attackers persistent access for surveillance, data theft or potential financial heists.
Oncology Institute discloses breach. The Oncology Institute, or TOI, which delivers specialized cancer care through a network of clinics across five US states, says a previously disclosed cybersecurity incident at a third-party software vendor exposed patient data across its systems. While the vendor was not named, the timeline points to TriZetto Provider Solutions, which earlier reported a breach affecting multiple healthcare customers and about 3.4 million people. The full scope of the impact and who was behind the attack? Still unclear.
Cloud misconfigurations aren't a technical problem, they just show what your organization really cares about. CISOs are always told that time to value is paramount, but why does the business forget that when there's a security incident? That's what we'll be discussing on this week's CISO Series podcast. Look for the episode "If you like cloud misconfiguration so much, why don't you marry them" wherever you get your podcasts. If you have some thoughts on the news from today or about our show in general, be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I am Sarah Lane, reporting for the CISO Series. You stay safe out there, everyone.
A
Cybersecurity Headlines are available every weekday. Head to CISOseries.com for the full stories behind the headlines.
Host: Sarah Lane
Main Theme:
A rapid-fire update on the latest cybersecurity incidents and intelligence, with a focus on supply chain attacks, international law enforcement actions, CMS vulnerabilities, threat group operations, and industry-wide risks.
For more details or to dive deeper into each story, visit CISOseries.com.