SECURITYINTEL DAILY BRIEF ■ ThreatIntel Brief
Thursday, June 04, 2026
INTEL CONFIDENCE 100% | THREAT LEVEL CRITICAL

THREAT OF THE DAY: Red Hat npm Supply Chain Attack Compromises CI/CD | CRITICAL

5 C2 IPs | 77 OTX IOCs | 32 ARTICLES

■ ANALYST TLDR
Today's threat landscape is highlighted by a highly sophisticated npm supply chain attack targeting Red Hat packages, active exploitation of critical privilege escalation vulnerabilities in the Linux kernel, and a newly disclosed RCE flaw in Redis (CVE-2026-23479). Additionally, emerging threats like the "HTTP/2 Bomb" denial-of-service vector and zero-day vulnerabilities in Acer Wave 7 routers pose immediate operational risks to enterprise infrastructure.

■ CRITICAL STORIES

Inside the Red Hat npm Miasma credential-stealing campaign
A sophisticated supply chain attack compromised over 90 versions of @redhat-cloud-services npm packages, allowing threat actors to silently infect CI/CD environments and steal credentials from GitHub, cloud platforms, and local developer machines.

Autonomous AI Tool Finds 2-Year-Old RCE Flaw in Redis (CVE-2026-23479)
An authenticated use-after-free vulnerability in Redis's blocking-client code allows remote code execution on hosting servers, highlighting the power of AI-driven bug hunting and the persistence of legacy flaws in critical database infrastructure.

Acer working to patch max severity zero-days in Wave 7 routers
Attackers are actively targeting Acer Wave 7 mesh routers using two unpatched, maximum-severity zero-day vulnerabilities, threatening the integrity of edge networks and remote worker environments.

CISA warns of active attacks exploiting Android, Linux bugs
Threat actors are actively exploiting a Linux kernel improper authentication vulnerability to escape containers and escalate privileges, alongside Android flaws, prompting urgent federal binding operational directives.

■ CVEs IDENTIFIED
CVE-2026-23479 | Redis — Remote Code Execution (RCE) via use-after-free in blocking-client code
CVE-2026-33829 | Microsoft Windows Snipping Tool — Information Disclosure via ms-screensketch URI handler
[CVE-TBD] | Red Hat @redhat-cloud-services npm packages — Supply chain compromise and credential theft
[CVE-TBD] | Linux Kernel — Privilege escalation and container escape via improper authentication

■ THREAT ACTORS
Unnamed Chinese-speaking Cybercrime Group | APT / Cyberespionage
  Deploying Atlas RAT and backdoor in European space sector cyberattacks
Miasma Campaign Actors | Cybercrime / Supply Chain
  Compromising Red Hat npm packages to steal developer and cloud credentials
Unnamed Espionage Threat Actor | APT
  Maintaining 150-day email access to a senior executive at a global stock exchange for data exfiltration

■ ATT&CK TTPs
T1195.002 | Supply Chain Compromise: Compromised Software Dependencies | Malicious code injected into @redhat-cloud-services npm packages
T1068     | Exploitation for Privilege Escalation | Exploiting Linux kernel improper authentication to escape containers
T1566.001 | Phishing: Spearphishing Attachment | Malspam abusing Google DoubleClick to deliver DesckVB RAT
T1566.002 | Phishing: Spearphishing Link | Callback phishing using fake Amazon/PayPal invoices and phone calls
T1212     | Exploitation for Credential Access | Stealing GitHub OAuth tokens via VS Code one-click links and M365 Android debug flags
T1499     | Endpoint Denial of Service | "HTTP/2 Bomb" combining compression bombs and Slowloris-style holds to crash servers

■ PATCH PRIORITY
Redis — Authenticated RCE via use-after-free (CVE-2026-23479) — THN
Linux Kernel — Container escape and privilege escalation (PE) vulnerability — SW
Acer Wave 7 Mesh Routers — Active exploitation of two max-severity zero-days — BC
Microsoft 365 Android Apps — Leftover debug flag allows account token theft — THN

■ RECOMMENDED ACTIONS TODAY
1. [P1] Audit all CI/CD pipelines and developer environments for the installation of compromised @redhat-cloud-services npm packages; rotate all GitHub, cloud, and local credentials immediately if found.
2. [P1] Apply the official Redis patch for CVE-2026-23479 to prevent authenticated remote code execution on database hosts.
3. [P1] Update all Linux kernel deployments to resolve the container escape and privilege escalation vulnerability highlighted by CISA.
4. [P2] Isolate all internet-exposed Automatic Tank Gauge (ATG) systems used for fuel monitoring behind firewalls or VPNs, as warned by CISA.
5. [P2] Implement temporary mitigations or access controls for Acer Wave 7 mesh routers pending official patches for the two max-severity zero-day vulnerabilities.

■ C2 IP BLOCKLIST · AbuseCH Feodo · Showing 5 of 5
IP ADDRESS      | PORT | STATUS  | MALWARE | COUNTRY
162.243.103.246 | 8080 | OFFLINE | Emotet  | US
50.16.16.211    | 443  | ONLINE  | QakBot  | US
34.204.119.63   | 443  | OFFLINE | QakBot  | US
178.62.3.223    | 443  | OFFLINE | QakBot  | GB
27.133.154.218  | 443  | OFFLINE | QakBot  | JP

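The blocklist above is only useful once it is checked against what actually left the network. The following script is an added example, not part of the brief or of any AbuseCH or vendor tool: it parses the five rows, transcribed here as a pipe-separated table with a header row, and matches them against constructed egress log lines in an assumed `<timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>` format. The triage rule (HIGH for a hit on an ONLINE C2's port, MEDIUM for OFFLINE/historical infrastructure, LOW for the same host on a different port, since shared hosting is common) is the author's assumption, not something the feed specifies.

```python
"""Match egress log lines against the C2 IP blocklist from this brief.

Added example, not part of the brief or of any vendor tool. The blocklist
rows below are transcribed from the brief's AbuseCH Feodo table; the log
lines are constructed sample data in an assumed
"<timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>" format.
"""
import ipaddress
import re
from dataclasses import dataclass

# Transcribed from the brief's C2 IP BLOCKLIST (pipe-separated, header first).
BLOCKLIST_TABLE = """\
IP ADDRESS      | PORT | STATUS  | MALWARE | COUNTRY
162.243.103.246 | 8080 | OFFLINE | Emotet  | US
50.16.16.211    | 443  | ONLINE  | QakBot  | US
34.204.119.63   | 443  | OFFLINE | QakBot  | US
178.62.3.223    | 443  | OFFLINE | QakBot  | GB
27.133.154.218  | 443  | OFFLINE | QakBot  | JP
"""


@dataclass(frozen=True)
class C2Entry:
    ip: str
    port: int
    status: str    # ONLINE = feed still sees the C2 alive; OFFLINE = historical
    malware: str
    country: str


def parse_blocklist(table_text):
    """Parse a pipe-separated table with a header row into {ip: C2Entry}."""
    lines = [ln for ln in table_text.splitlines() if ln.strip()]
    header = [h.strip().upper() for h in lines[0].split("|")]
    entries = {}
    for line in lines[1:]:
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != len(header):
            continue  # skip malformed rows rather than guessing at columns
        row = dict(zip(header, cells))
        ip = str(ipaddress.ip_address(row["IP ADDRESS"]))  # raises on junk
        entries[ip] = C2Entry(ip, int(row["PORT"]), row["STATUS"].upper(),
                              row["MALWARE"], row["COUNTRY"])
    return entries


# Constructed sample egress log (assumed format; 203.0.113.10 is a
# documentation-range address standing in for ordinary benign traffic).
SAMPLE_LOG = """\
2026-06-04T08:12:01Z 10.0.4.17 -> 50.16.16.211:443 ALLOW
2026-06-04T08:12:05Z 10.0.4.17 -> 203.0.113.10:443 ALLOW
2026-06-04T08:13:40Z 10.0.9.3 -> 162.243.103.246:8080 ALLOW
2026-06-04T08:14:02Z 10.0.9.3 -> 162.243.103.246:22 DENY
"""
LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+)$")


def severity_for(entry, dst_port):
    """Assumed triage rule: listed IP on its C2 port is HIGH if the feed marks
    the C2 ONLINE, MEDIUM if OFFLINE (historical infrastructure); the same host
    on another port is LOW, because shared hosting makes that ambiguous."""
    if dst_port != entry.port:
        return "LOW"
    return "HIGH" if entry.status == "ONLINE" else "MEDIUM"


def match_log(log_text, blocklist):
    """Return one hit dict per log line whose destination is on the blocklist."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: leave it for a separate parse-error report
        ts, src, dst, port, action = m.groups()
        entry = blocklist.get(dst)
        if entry is None:
            continue
        hits.append({
            "ts": ts, "src": src, "dst": dst, "dst_port": int(port),
            "action": action, "malware": entry.malware,
            "severity": severity_for(entry, int(port)),
        })
    return hits


if __name__ == "__main__":
    bl = parse_blocklist(BLOCKLIST_TABLE)
    for h in match_log(SAMPLE_LOG, bl):
        print(f"[{h['severity']}] {h['ts']} {h['src']} -> {h['dst']}:{h['dst_port']} "
              f"{h['action']} ({h['malware']})")
```

Matching on the destination IP alone, and letting the port decide severity rather than filtering, keeps the DENY line on port 22 in the output: a host that reached a listed C2 address at all is worth a look, and the source IP in each hit is the pivot for the rest of the investigation.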
■ FULL IOC EXPORT (Google Sheet)
All live IOCs with full SHA256 hashes (OTX), IPs, and domains, in two tabs (C2 IPs · OTX IOCs). Updated daily; export as CSV to import directly into your tools.

IOC SOURCES: AbuseCH Feodo · AlienVault OTX
NEWS SOURCES: THN · KRB · SANS · REC · BC · SW · AWS · GCP · MSFT · U42 · SCH · MWB