IFIN Threat Intel


Last Updated: 2026-05-21T20:32:38Z (UTC)

What's Happening

A widespread GitHub Actions attack codenamed "Megalodon" has compromised over 5,600 GitHub repositories. The payload is an infostealer which, of course, also has worming capabilities.

SafeDep has the details.

https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows/

Actions

Review your repositories for the commit messages, committing users, and file contents described in the SafeDep write-up. Also note the exfiltration server at 216.126.225[.]129:8443; connections to it will most likely originate from a GitHub-hosted Actions VM rather than your own network, unless you use self-hosted runners. If you do, watch those runners for suspicious activity.



Discuss this on our forum.

Last Updated: 2026-05-15T18:08:25Z (UTC)

What's Happening

CVE-2026-20182, an authentication bypass in the Cisco Catalyst SD-WAN controller, has been found exploited in the wild. It has a severity rating of 10.

Rapid7, who initially disclosed the vulnerability, has published its own in-depth analysis and timeline.

https://www.rapid7.com/blog/post/ve-cve-2026-20182-critical-authentication-bypass-cisco-catalyst-sd-wan-controller-fixed/

Rapid7 has also released a Metasploit Module that exploits this vulnerability.

https://github.com/rapid7/metasploit-framework/pull/21463

Cisco has released an update and disclosed a number of IoCs related to the ongoing exploitation.

https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/

The NIST NVD entry:

https://nvd.nist.gov/vuln/detail/CVE-2026-20182

Actions

Update Cisco SD-WAN. This table from Rapid7 shows the first fixed release for each affected release train:

| Cisco Catalyst SD-WAN Release | First Fixed Release |
|----|----|
| Earlier than 20.9* | Migrate to a fixed release |
| 20.9 | 20.9.9.1 |
| 20.10 | 20.12.7.1 |
| 20.11* | 20.12.7.1 |
| 20.12 | 20.12.5.4, 20.12.6.2, 20.12.7.1 |
| 20.13* | 20.15.5.2 |
| 20.14* | 20.15.5.2 |
| 20.15 | 20.15.4.4, 20.15.5.2 |
| 20.16* | 20.18.2.2 |
| 20.18 | 20.18.2.2 |
| 26.1.1 | 26.1.1.1 |

Indicators of Compromise

Note that the Cisco Talos IoCs listed in their linked GitHub repo appear to be for a different campaign.

| Value | Type | Description |
|--- | --- | ---|
| 38.181.52[.]89 | IPv4 | Cluster 1 |
| 89.125.244[.]33 | IPv4 | Cluster 1 |
| 89.125.244[.]51 | IPv4 | Cluster 1 |
| 71.80.85[.]135 | IPv4 | Cluster 2 |
| 212.83.162[.]37 | IPv4 | Cluster 3 |
| 38.60.214[.]92 | IPv4 | Cluster 4 |
| 65.20.67[.]134 | IPv4 | Cluster 4 |
| 104.233.156[.]1 | IPv4 | Cluster 4 |
| 194.233.100[.]40 | IPv4 | Cluster 4 |
| f6f8e0d790645395188fc521039385b7c4f42fa8b426fd035f489f6cda9b5da1 | sha256 | Cluster 5 -- AdaptixC2 sample |
| 194.163.175[.]135:4445 | IPv4:port | Cluster 5 -- AdaptixC2 C2 server |
| 194.163.175[.]135 | IPv4 | Cluster 5 -- AdaptixC2 C2 IP |
| 02654acfb21f83485393ba8b14bd8862b919b9ec966fc6768f6aac1338a45ee8 | sha256 | Cluster 6 -- Sliver sample |
| mtls://23.27.143[.]170:443 | url | Cluster 6 -- Sliver C2 over mTLS |
| 23.27.143[.]170 | IPv4 | Cluster 6 -- Sliver C2 IP |
| 0ed72d52347bfe4a78afff8a6982a64050c8fc86d8957a20eeb3e0f3f5342ed0 | sha256 | Cluster 7 -- XMRig downloader script |
| 96fc528ca5e7d1c2b3add5e31b8797cb126f704976c8fbeaecdbf0aa4309ad46 | sha256 | Cluster 7 -- XMRig sample |
| 7aa88a64a527ade7d93c20faf23b54f2ee33ad9b1246cdc2f8ded2ab639affb1 | sha256 | Cluster 7 -- XMRig configuration |
| 83.229.126[.]195 | IPv4 | Cluster 7 -- XMRig remote location IP |
| hxxp://83.229.126[.]195:8081/xmrig | url | Cluster 7 -- XMRig remote URL |
| hxxp://83.229.126[.]195:8081/config.json | url | Cluster 7 -- XMRig configuration file remote location |
| 0c87871642f84e09e8d3fb23ec36bf55601323e31151a7017a85dbec929cf15d | sha256 | Cluster 8 -- Nim-based backdoor |
| hxxps://1a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p.worf.replit[.]dev/download | url | Cluster 8 -- Download URL for the Nim-based backdoor |
| 1a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p.worf.replit.dev | hostname | Cluster 8 -- Attacker controlled sub-domain hosting the Nim-based backdoor |
| 79.135.105[.]208 | IPv4 | Cluster 8 -- Attacker IP that downloaded the Nim-based backdoor |
| hxxp://13[.]62[.]52[.]206:5004 | url | Cluster 8 -- C2 for Nim-based backdoor |
| 13.62.52[.]206 | IPv4 | Cluster 8 -- C2 IP for Nim-based backdoor |
| 18d77c9c5bbb5b9d5bdfd366fdfcf26bad9e64c63ca865fad711bcce8e3d5a80 | sha256 | Cluster 8 -- KScan scanning tool |
| 176.65.139[.]31 | IPv4 | Cluster 8 -- IP related to Nim-based backdoor and KScan |
| d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa | sha256 | Cluster 9 -- gsocket sample |
| 5bc5998161056b7c8f70c9724d8a63abc7ff8c3843b91c30cffab0899e39b7f8 | sha256 | Cluster 9 -- gsocket secret file |
| 47.104.248[.]7 | IPv4 | Cluster 9 -- IP related to Miner activity |
| b0f51b098842cd630097b462aab0ec357e2c7824af37cca6d08165265da2c2d3 | sha256 | Cluster 10 -- VManage credential extractor script |
| 72f570ce97de3eaaffef33d90b0c337a153fc9690cc34ee207b557d868360060 | sha256 | Cluster 10 -- Check for root escalation |
| 17302d903baf182f94dc3be40ab1e0874dd0eb2ec5255bf9131fd53591efe925 | sha256 | Cluster 10 -- Check for root escalation |


Socket.dev reports yet another npm package compromise, in this case the node-ipc packages.

https://socket.dev/blog/node-ipc-package-compromised

Affected versions:

Initial access appears to have been the takeover of a dormant maintainer's email domain.

"Assuming the npm account recovery email for atiertant was indeed hosted on atlantis-software[.]net, the new domain owner was then able to trigger a standard npm password reset, receive the reset email at a mailbox under their control, and gain publish rights without ever compromising any of the maintainer's own infrastructure."

Indicators of Compromise

| Value | Type | Description |
|--- | --- | ---|
| 96097e0612d9575cb133021017fb1a5c68a03b60f9f3d24ebdc0e628d9034144 | SHA256 | node-ipc.cjs |
| 449e4265979b5fdb2d3446c021af437e815debd66de7da2fe54f1ad93cbcc75e | SHA256 | node-ipc-9.1.6.tgz |
| c2f4dc64aec4631540a568e88932b61daebbfb7e8281b812fa01b7215f9be9ea | SHA256 | node-ipc-9.2.3.tgz |
| 78a82d93b4f580835f5823b85a3d9ee1f03a15ee6f0e01b4eac86252a7002981 | SHA256 | node-ipc-12.0.1.tar.gz |
| sh[.]azurestaticprovider[.]net | Domain | Bootstrap resolver |
| bt[.]node[.]js | Domain | Exfiltration domain |
| 37.16[.]75.69 | IPv4 | Bootstrap IP |

In addition to these indicators, a common exfil pattern was observed in longer domains under the exfiltration domain:

  • xh......bt[.]node[.]js
  • xd......bt[.]node[.]js
  • xf....0..bt[.]node[.]js
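The exfil shapes above, as an added detection example written for this page (not Socket's code or IFIN's own tooling): a small Python matcher that pulls query names out of BIND-style query-log lines, flags exact matches on the node-ipc hosts and any name under bt.node.js, and separately tags names whose first label matches the xh/xd/xf prefix pattern. Two assumptions: the dots on the page stand for encoded payload characters, and the log format is the constructed sample embedded in the script, so adapt QUERY_RE to your resolver's actual format.

```python
import re

# node-ipc network indicators from the table above (refanged from the
# defanged form the post uses).
EXFIL_DOMAIN = "bt.node.js"
IOC_HOSTS = {"sh.azurestaticprovider.net", EXFIL_DOMAIN}

# The post lists exfil names shaped xh......bt.node.js, xd......bt.node.js and
# xf....0..bt.node.js. Assumption: the dots stand for encoded payload
# characters, so we match a first label of xh/xd/xf followed by alphanumerics.
ENCODED_LABEL = re.compile(r"^x[hdf][0-9a-z]+$")

# Constructed BIND-style query-log lines (sample data, not a real capture).
SAMPLE_LOG = """\
12-May-2026 10:01:02.117 queries: info: client 10.0.0.5#51234: query: registry.npmjs.org IN A +
12-May-2026 10:01:03.001 queries: info: client 10.0.0.5#51235: query: sh.azurestaticprovider.net IN A +
12-May-2026 10:01:05.412 queries: info: client 10.0.0.5#51240: query: xh7f3a9c.bt.node.js IN A +
12-May-2026 10:01:05.899 queries: info: client 10.0.0.5#51241: query: xf1b2c0de.bt.node.js IN TXT +
12-May-2026 10:01:07.300 queries: info: client 10.0.0.7#40011: query: mail.example.com IN MX +
"""

# Tolerates the optional "@0x..." handle and "(name)" that BIND 9 inserts after "client".
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<client>[\d.]+)#\d+(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def classify_qname(qname):
    """Return an indicator tag for one query name, or None if it is clean."""
    name = qname.rstrip(".").lower()
    if name in IOC_HOSTS:
        return "ioc-host"
    if name.endswith("." + EXFIL_DOMAIN):
        # Anything under the exfil domain is suspect; the encoded prefix is the
        # specific shape the post describes.
        first_label = name[: -len(EXFIL_DOMAIN) - 1].split(".")[0]
        return "exfil-pattern" if ENCODED_LABEL.match(first_label) else "exfil-subdomain"
    return None


def scan_dns_log(text):
    """Parse query-log text and return one dict per matching query."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        tag = classify_qname(m.group("qname"))
        if tag:
            hits.append(
                {
                    "client": m.group("client"),
                    "qname": m.group("qname"),
                    "qtype": m.group("qtype"),
                    "tag": tag,
                }
            )
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit['tag']:16} {hit['client']:12} {hit['qtype']:4} {hit['qname']}")
```

Matching on the suffix rather than on the exact IoC string is what catches the encoded subdomains; an exact-match blocklist built from the table alone would miss every one of them.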


Last Updated: 2026-05-12T17:22:17Z (UTC)

What's Happening

Around 170 npm packages have been compromised by the same group behind the other "Mini Shai-Hulud" attacks. The attack appears to have begun with TanStack, a popular frontend web UI framework, whose npm packages were compromised; initial discovery was by StepSecurity. The attack has since moved over to PyPI as well.

https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem

TanStack has published their post-mortem here:

https://tanstack.com/blog/npm-supply-chain-compromise-postmortem

OpenSourceMalware has a breakdown of the current spread, now at 170 packages. These include the Mistral AI clients.

https://opensourcemalware.com/blog/teampcp-mistralai-opensearch-compromised

Actions

Review Socket's very long list of compromised packages and search for them in your environment. All affected packages appear to share a new router_init.js file.

If these indicators are found, rotate all relevant secrets, session tokens, etc.

Indicators of Compromise

| Value | Type | Description |
|---|---|---|
| ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c | SHA256 | Hash of router_init.js |
| router_init.js | String | Filename of common indicator file |
| filev2.getsession.org | Domain | Session C2 Domain |
| api.masscan.cloud | Domain | C2 Domain |
| git-tanstack.com | Domain | C2 Domain |
| bun run tanstack_runner.js | Process Command Line | Launches router_init.js |
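As an added example (not from Socket, StepSecurity, SafeDep or TanStack, and not IFIN's own tooling), the following Python script turns the file and content indicators from this post and from the Megalodon post above into a local checkout scan: it walks a repository, hashes any file named router_init.js against the SHA256 in the table, and searches workflow, script and manifest files for the Megalodon exfiltration address and the Mini Shai-Hulud launcher command line and C2 domains. The sample tree it builds is constructed for demonstration, and the TEXT_SUFFIXES list and the .git skip are my choices.

```python
import hashlib
import os
import tempfile

# File indicators: filename -> set of known-bad SHA256 digests (from the table above).
FILE_IOCS = {
    "router_init.js": {
        "ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c",
    },
}

# Content indicators: literal string -> label, refanged from the posts above.
TEXT_IOCS = {
    "216.126.225.129:8443": "Megalodon exfiltration server",
    "bun run tanstack_runner.js": "Mini Shai-Hulud launcher command line",
    "filev2.getsession.org": "Mini Shai-Hulud Session C2 domain",
    "api.masscan.cloud": "Mini Shai-Hulud C2 domain",
    "git-tanstack.com": "Mini Shai-Hulud C2 domain",
}

# My choice of which files are read as text; everything else is only name/hash checked.
TEXT_SUFFIXES = (".yml", ".yaml", ".js", ".cjs", ".mjs", ".json", ".sh")
MAX_TEXT_BYTES = 2_000_000


def sha256_file(path):
    """Stream a file through SHA256 so large artifacts are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, file_iocs=FILE_IOCS, text_iocs=TEXT_IOCS):
    """Walk root and return findings as dicts with path, kind and detail."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip git internals
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name in file_iocs:
                digest = sha256_file(path)
                # A hash match is conclusive; a name-only match still needs a look,
                # since a re-obfuscated payload changes the hash but not the name.
                kind = "hash-match" if digest in file_iocs[name] else "name-match"
                findings.append({"path": path, "kind": kind, "detail": digest})
            if name.endswith(TEXT_SUFFIXES) and os.path.getsize(path) <= MAX_TEXT_BYTES:
                with open(path, "rb") as f:
                    text = f.read().decode("utf-8", errors="replace")
                for needle, label in text_iocs.items():
                    if needle in text:
                        findings.append({"path": path, "kind": "content-match", "detail": label})
    return findings


def build_sample_tree():
    """Create a throwaway checkout with planted, harmless, constructed indicators."""
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    wf_dir = os.path.join(root, ".github", "workflows")
    pkg_dir = os.path.join(root, "node_modules", "some-pkg")
    os.makedirs(wf_dir)
    os.makedirs(pkg_dir)
    with open(os.path.join(wf_dir, "ci.yml"), "w") as f:
        f.write("# constructed sample workflow\nsteps:\n  - run: echo 216.126.225.129:8443\n")
    with open(os.path.join(pkg_dir, "package.json"), "w") as f:
        f.write('{"scripts": {"postinstall": "bun run tanstack_runner.js"}}\n')
    with open(os.path.join(pkg_dir, "router_init.js"), "w") as f:
        f.write("// constructed placeholder; not the malicious file\n")
    return root


def demo():
    """Scan the constructed tree with the indicators from the posts."""
    return scan_tree(build_sample_tree())


def demo_hash_match():
    """Exercise the hash path by adding the planted file's own digest to the indicator set."""
    root = build_sample_tree()
    planted = os.path.join(root, "node_modules", "some-pkg", "router_init.js")
    iocs = {"router_init.js": FILE_IOCS["router_init.js"] | {sha256_file(planted)}}
    return [f["kind"] for f in scan_tree(root, file_iocs=iocs, text_iocs={})]


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['kind']:14} {finding['path']}  ({finding['detail']})")
```

Run it against a real checkout with scan_tree("/path/to/repo"); the content search is a plain substring match, so it also fires on a defanged or commented occurrence, which is the right bias for triage but means each hit still needs a human look.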

Notes

The relevant issue on their router package appears to be a good source of updates. They are working on an incident report now.

https://github.com/TanStack/router/issues/7383

Socket has another writeup.

https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack

Looks like quite a few examples of the attack code have been published to GitHub:

https://github.com/search?q=Shai-Hulud%3A+Here+We+Go+Again+&type=repositories


A Mexican water utility was hit by an attack built with a Claude-generated tool.

https://www.dragos.com/blog/ai-assisted-ics-attack-water-utility

There are no IoCs listed in the PDF, but the full report is worth a read to see how attackers are using these tools to orchestrate and execute attack chains.

dragos-2026-ai-mexico-water-attack-intel-brief (1).pdf (3.1 MB)


Last Updated: 2026-05-21T18:49:50Z (UTC)

This one went entirely under the radar for me yesterday. But it looks spicy. No-priv, un-auth.

https://security.paloaltonetworks.com/CVE-2026-0300

From Palo Alto:

Description

A buffer overflow vulnerability in the User-ID(tm) Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.

The risk of this issue is greatly reduced if you secure access to the User-ID(tm) Authentication Portal per the best practice guidelines by restricting access to only trusted internal IP addresses.

Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.

Product Status

| Versions | Affected | Unaffected |
|:---:|:---:|:---:|
| Cloud NGFW | None | All |
| PAN-OS 12.1 | < 12.1.4-h5, < 12.1.7 | >= 12.1.4-h5 (ETA: 05/13), >= 12.1.7 (ETA: 05/28) |
| PAN-OS 11.2 | < 11.2.4-h17, < 11.2.7-h13, < 11.2.10-h6, < 11.2.12 | >= 11.2.4-h17 (ETA: 05/28), >= 11.2.7-h13 (ETA: 05/13), >= 11.2.10-h6 (ETA: 05/13), >= 11.2.12 (ETA: 05/28) |
| PAN-OS 11.1 | < 11.1.4-h33, < 11.1.6-h32, < 11.1.7-h6, < 11.1.10-h25, < 11.1.13-h5, < 11.1.15 | >= 11.1.4-h33 (ETA: 05/13), >= 11.1.6-h32 (ETA: 05/13), >= 11.1.7-h6 (ETA: 05/28), >= 11.1.10-h25 (ETA: 05/13), >= 11.1.13-h5 (ETA: 05/13), >= 11.1.15 (ETA: 05/28) |
| PAN-OS 10.2 | < 10.2.7-h34, < 10.2.10-h36, < 10.2.13-h21, < 10.2.16-h7, < 10.2.18-h6 | >= 10.2.7-h34 (ETA: 05/28), >= 10.2.10-h36 (ETA: 05/13), >= 10.2.13-h21 (ETA: 05/28), >= 10.2.16-h7 (ETA: 05/28), >= 10.2.18-h6 (ETA: 05/13) |
| Prisma Access | None | All |

Required Configuration for Exposure

This issue is applicable only to PA-Series and VM-Series firewalls that are configured to use User-ID(tm) Authentication Portal.

You can verify whether you have User-ID(tm) Authentication Portal configured in the User-ID(tm) Authentication Portal Settings page (Device > User Identification > Authentication Portal Settings -> Enable Authentication Portal).

Severity: CRITICAL, Suggested Urgency: HIGHEST

The risk is highest when you configure the User-ID(tm) Authentication Portal to enable access from the Internet or any untrusted network.

CRITICAL - CVSS-BT: 9.3 / CVSS-B: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A/AU:Y/R:U/V:C/RE:M/U:Red)

You can greatly reduce the risk of exploitation by restricting User-ID(tm) Authentication Portal access to only trusted internal IP addresses and preventing its exposure to the internet.

HIGH - CVSS-BT: 8.7 / CVSS-B: 8.7 (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A/AU:Y/R:U/V:C/RE:M/U:Red)

Exploitation Status

Limited exploitation has been observed targeting Palo Alto Networks User-ID(tm) Authentication Portals that are exposed to untrusted IP addresses and/or the public internet. Customers following standard security best practices, such as restricting sensitive portals to trusted internal networks, are at a greatly reduced risk.

Exploitation Details/IOCs

Unit 42 has more details in their report.

https://unit42.paloaltonetworks.com/captive-portal-zero-day/

Starting April 9, 2026, there were unsuccessful exploitation attempts against a PAN-OS device. A week later, the attackers successfully achieved RCE against the device and injected shellcode. Following the compromise, the attackers immediately conducted log cleanup to mitigate detection by clearing crash kernel messages, deleting nginx crash entries and nginx crash records, as well as removing crash core dump files.

The attackers deployed a number of tools with root privileges four days later, before conducting Active Directory (AD) enumeration using the firewall’s service account credentials to target domain root and DomainDnsZones. Following enumeration, the attackers deleted ptrace injection evidence from the audit log and deleted the SetUserID (SUID) privilege escalation binary.

The attackers are known to download and use the EarthWorm and ReverseSocks5 tunneling tools. Related indicators:

  • 67.206.213[.]86
  • 136.0.8[.]48
  • 146.70.100[.]69 (C2 Staging)
  • 149.104.66[.]84
  • hxxp[:]//146.70.100[.]69:8000/php_sess (EarthWorm Download)
  • hxxps[:]//github[.]com/Acebond/ReverseSocks5/releases/download/v2.2.0/ReverseSocks5-v2.2.0-linux-amd64.tar[.]gz (ReverseSocks5 Download)
  • e11f69b49b6f2e829454371c31ebf86893f82a042dae3f2faf63dcd84f97a584 (EarthWorm)
  • Safari/532.31 Mozilla/5.5 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36 Edg/138.0.0.0 (Attacker User Agent String)
  • /var/tmp/linuxap, /var/tmp/linuxda, /var/tmp/linuxupdate (Tunneling Tools)
  • /tmp/.c (Unidentified Python Script)
  • /tmp/R5, /var/R5 (ReverseSocks5)

IFIN Recommendations

  • Follow Palo Alto's mitigation guidance above: restrict the Authentication Portal to trusted internal IP addresses
  • Apply the published patches
  • Monitor Palo Alto service accounts for activity, particularly AD enumeration
  • Wherever possible, monitor for the use of the tools listed above
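To apply the product-status table above programmatically across a fleet, here is an added Python helper (not Palo Alto's or IFIN's code) that parses a PAN-OS version string such as 11.1.7-h3 and answers whether it is at or above a fixed release for CVE-2026-0300. The reading of the table is my assumption, consistent with how its rows are laid out: each listed hotfix fixes only its own maintenance release, so a release between two listed fixes (11.1.5, say) counts as affected, and anything at or beyond a train's last listed fix counts as fixed. Trains not in the table return None rather than a guess.

```python
import re

# Fixed releases from the product-status table above, keyed by major.minor train.
# Each entry is (maintenance, hotfix); hotfix 0 means the base maintenance release.
FIXED = {
    (12, 1): [(4, 5), (7, 0)],
    (11, 2): [(4, 17), (7, 13), (10, 6), (12, 0)],
    (11, 1): [(4, 33), (6, 32), (7, 6), (10, 25), (13, 5), (15, 0)],
    (10, 2): [(7, 34), (10, 36), (13, 21), (16, 7), (18, 6)],
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos(version):
    """Split '11.1.7-h3' into (major, minor, maintenance, hotfix)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_fixed(version, fixed=FIXED):
    """True if the version is at or above a listed fix, False if affected,
    None if the major.minor train is not in the table."""
    major, minor, maint, hotfix = parse_panos(version)
    train = fixed.get((major, minor))
    if train is None:
        return None
    last_maint, last_hotfix = train[-1]
    # At or beyond the train's final listed fix: unaffected (e.g. 10.2.19).
    if (maint, hotfix) >= (last_maint, last_hotfix):
        return True
    # Otherwise only the maintenance release's own hotfix counts (assumed reading).
    for fmaint, fhotfix in train:
        if maint == fmaint:
            return hotfix >= fhotfix
    return False


def triage(inventory):
    """Map device name -> 'fixed' / 'AFFECTED' / 'unknown-train' for an inventory dict."""
    verdicts = {}
    for device, version in inventory.items():
        state = is_fixed(version)
        verdicts[device] = "unknown-train" if state is None else ("fixed" if state else "AFFECTED")
    return verdicts


if __name__ == "__main__":
    # Constructed inventory, not real devices.
    sample = {"fw-edge-1": "11.1.4-h33", "fw-edge-2": "11.1.5", "fw-dc-1": "10.2.18-h2", "fw-lab": "11.0.3"}
    for device, verdict in triage(sample).items():
        print(f"{device:10} {sample[device]:12} {verdict}")
```

Note that several fixed releases in the table carried ETAs later than this post's date, so is_fixed() says whether a version would carry the fix, not whether that build has actually shipped; and platforms the table lists as unaffected outright (Cloud NGFW, Prisma Access) are not version-gated here at all.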


"The PyPI package 'lightning', a widely-used deep learning framework, was compromised in a supply chain attack affecting versions 2.6.2 and 2.6.3 published on April 30, 2026. Teams building image classifiers, fine-tuning LLMs, running diffusion models, or developing time-series forecasters frequently have lightning somewhere in their dependency tree.

Running pip install lightning is all that is needed to activate. The malicious versions contain a hidden _runtime directory with obfuscated JavaScript payload that executes automatically upon module import. The attack steals credentials, authentication tokens, environment variables, and cloud secrets, while also attempting to poison GitHub repositories. It has Shai-Hulud themes including creating public repositories called EveryBoiWeBuildIsaWormBoi."

https://semgrep.dev/blog/2026/malicious-dependency-in-pytorch-lightning-used-for-ai-training/


Four SAP-related npm packages have been found carrying malicious preinstall hooks that bootstrap the Bun JavaScript runtime and execute an obfuscated credential-stealer payload (execution.js). This runs during dependency installation and is used to harvest developer and CI/CD secrets for GitHub, npm, and the major cloud providers. The payload exfiltrates the data via attacker-controlled GitHub repositories.

So far, four SAP npm packages have been compromised:

The repositories created by this malware carry a distinctive description hardcoded in the payload: "A Mini Shai-Hulud has Appeared". At the time of writing, a public GitHub search for this string returns victim repositories being created in real time, each one representing a developer whose credentials were stolen:

https://github.com/search?q=%22A+Mini+Shai-Hulud+has+Appeared%22&type=repositories&p=6

https://www.stepsecurity.io/blog/a-mini-shai-hulud-has-appeared
