SECURITYINTEL DAILY BRIEF
■ ThreatIntel Brief | Tuesday, June 02, 2026
INTEL CONFIDENCE 100% | THREAT LEVEL CRITICAL
THREAT OF THE DAY: Critical Flaws Actively Exploited; Supply Chain Attacks Surge | CRITICAL
5 C2 IPs | 60 OTX IOCs | 30 ARTICLES

■ ANALYST TLDR
Critical vulnerabilities in Windows Netlogon, WP Maps Pro, and Palo Alto Networks PAN-OS are under active exploitation, demanding immediate patching. A significant supply chain attack dubbed "Miasma" is compromising Red Hat and OpenAI npm packages to steal developer credentials and tokens, alongside widespread malware campaigns leveraging compromised websites and fake applications.

■ CRITICAL STORIES
Critical Windows Netlogon RCE flaw now exploited in attacks
Threat actors are actively exploiting CVE-2026-41089, a critical Remote Code Execution vulnerability in Windows Netlogon, requiring immediate attention.

WP Maps Pro Vulnerability Exploited to Take Over WordPress Sites
The critical CVE-2026-8732 in WP Maps Pro is being actively exploited to create administrative accounts and compromise WordPress sites.

Red Hat npm packages compromised to steal developer credentials / Miasma Supply Chain Attack
A sophisticated supply chain attack, "Miasma," is compromising Red Hat and OpenAI npm packages to steal developer credentials and tokens, indicating a significant threat to development environments.

Recent Palo Alto Networks Vulnerability Exploited for Weeks
CVE-2026-0257, a critical authentication bypass in Palo Alto Networks PAN-OS, has been actively exploited for weeks, posing a severe risk to affected organizations.

■ CVEs IDENTIFIED
CVE-2026-8732 — WP Maps Pro (WordPress Plugin) — Unauthenticated admin account creation, site takeover
CVE-2026-41089 — Windows Netlogon — Remote Code Execution (RCE), active exploitation
CVE-2026-0257 — Palo Alto Networks PAN-OS — Authentication bypass, active exploitation
[CVE-TBD] — Red Hat npm packages — Supply chain compromise, credential theft, worm distribution (Miasma)

■ THREAT ACTORS
Large-scale malware distribution (ClickFix, FakeUpdates)
Individual (Doxer) | Cybercrime | Leaking sensitive government employee data
Pro-Iranian groups/individuals | State-aligned/Hacktivist | Instagram account defacement via Meta AI bot

■ ATT&CK TTPs
TECHNIQUE ID | TECHNIQUE | OBSERVED IN
T1195.002 | Compromise Software Supply Chain | Red Hat npm packages, OpenAI Codex npm, poisoned dev tools
T1190 | Exploit Public-Facing Application | WP Maps Pro (CVE-2026-8732), Windows Netlogon (CVE-2026-41089), PAN-OS (CVE-2026-0257)
T1068 | Exploitation for Privilege Escalation | WP Maps Pro (CVE-2026-8732), Windows Netlogon (CVE-2026-41089), Linux Kernel (CIFSwitch flaw)
T1552 | Unsecured Credentials | Miasma malware, Fake BlueWallet, OpenAI Codex token theft
T1110 | Brute Force | Dashlane password manager attacks
T1566 | Phishing | FakeUpdate attacks, Fake BlueWallet downloads, OAuth Phishing, Meta AI bot for Instagram takeover

■ PATCH PRIORITY
Windows Netlogon — Active RCE exploitation (CVE-2026-41089) — BC, SW
WP Maps Pro (WordPress Plugin) — Active unauthenticated admin account creation (CVE-2026-8732) — SW, THN
Palo Alto Networks PAN-OS — Active authentication bypass exploitation (CVE-2026-0257) — SW, THN
Red Hat npm packages — Supply chain compromise, credential theft (Miasma) — BC, THN

■ RECOMMENDED ACTIONS TODAY
1. [P1] Immediately patch all Windows systems for CVE-2026-41089 (Netlogon RCE), as it is actively exploited.
2. [P1] Patch or disable the WP Maps Pro plugin (WordPress) if in use, due to active exploitation of CVE-2026-8732 allowing admin account creation.
3. [P1] Apply patches for Palo Alto Networks PAN-OS (CVE-2026-0257) to mitigate active authentication bypass exploitation.
4. [P2] Developers using Red Hat npm packages or OpenAI Codex npm (codexui-android) should review dependencies for compromise and rotate credentials/tokens.
5. [P2] Linux administrators should prioritize patching the 19-year-old CIFSwitch kernel vulnerability to prevent privilege escalation, especially where a PoC exists.

■ C2 IP BLOCKLIST · AbuseCH Feodo · Showing 5 of 5
IP ADDRESS | PORT | STATUS | MALWARE | COUNTRY
162.243.103.246 | 8080 | OFFLINE | Emotet | US
50.16.16.211 | 443 | ONLINE | QakBot | US
34.204.119.63 | 443 | OFFLINE | QakBot | US
178.62.3.223 | 443 | OFFLINE | QakBot | GB
27.133.154.218 | 443 | OFFLINE | QakBot | JP

■ FULL IOC EXPORT — GOOGLE SHEET
All live IOCs with full SHA256 hashes (OTX), IPs, and domains. 2 tabs: C2 IPs · OTX IOCs. Updated daily. Export as CSV to import directly into your tools.

IOC SOURCES: AbuseCH Feodo · AlienVault OTX
NEWS: THN · KRB · SANS · REC · BC · SW · AWS · GCP · MSFT · U42 · SCH · MWB