This briefing covers critical cybersecurity threats identified during May 27-28, 2026. The period saw significant supply chain compromises affecting widely used development tools, with malicious packages published to the npm registry under trusted identities (TanStack, Nx Console) and designed to harvest credentials. CISA added three high-impact KEV entries involving embedded malicious code in popular software. Critical vulnerabilities dominate the landscape, with four CVSS 9.8+ flaws requiring immediate attention, including remote code execution issues in Gladinet Triofox, Pi.Alert configuration management, and the Goobi viewer platform.
The Mozi botnet continues widespread propagation with 17 active distribution URLs targeting IoT devices across multiple architectures. A new Mirai variant campaign emerged from infrastructure at 103.77.246.174 and 31.56.209.8, distributing payloads across 10+ architectures. ClearFake malware distribution infrastructure remains active with five distinct Hungarian-hosted domains. Notable command injection vulnerabilities were identified in the Microsoft UFO framework and the systeminformation library, along with multiple authentication bypass flaws in pam_usb and Himmelblau.
Organizations should prioritize patching the three KEV vulnerabilities immediately, review npm package integrity in development pipelines, and monitor for Mozi/Mirai botnet indicators. The concentration of supply chain attacks and command injection vulnerabilities suggests adversaries are actively targeting developer tools and automation frameworks to establish persistent access.
Four critical-severity vulnerabilities (CVSS 9.8+) enable remote code execution without authentication, affecting web applications and monitoring platforms.
Goobi viewer REST endpoint accepts arbitrary Solr streaming expressions from unauthenticated clients, enabling complete backend system compromise. Affects versions 4.8.0 to before 26.04.1.
Triofox Cloud Server Agent Access Service processes remote HTTP requests on TCP/7878 without authentication across multiple URL paths (/resources, /status, /sysinfo, /woshome, /Settings, /schedule, /DavCache).
Stack-based buffer overflow in WOSDeviceDropFolder.dll when processing long URL paths starting with /resources, enabling remote code execution.
Stack-based buffer overflow in WOSDefaultHttpModule.dll processing long /woshome URL paths allows remote exploitation.
The Pi.Alert SaveConfigFile() endpoint writes unvalidated numeric config values directly into pialert.conf, which is executed via Python exec() every 3-5 minutes, enabling unauthenticated RCE.
The web-based configuration editor allows arbitrary Python code injection into pialert.conf, which the background scan daemon executes with elevated privileges.
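As an added illustration of the Pi.Alert flaw above (example code, not the project's own), the following Python contrasts writing raw form values into a file destined for exec() with a writer that type-checks every value against a schema and a reader that accepts only plain literals via ast.literal_eval. The option names are constructed for the example and are not Pi.Alert's real configuration keys.

```python
import ast
import re

# Constructed schema for this example: option name -> expected type.
# These are illustrative names, not Pi.Alert's real configuration keys.
SCHEMA = {"SCAN_INTERVAL": int, "ENABLE_ARPSCAN": bool, "REPORT_MAIL": str}
_KEY_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")

def unsafe_serialize(values):
    """The flawed pattern: raw form input goes straight into a file that a
    background daemon later hands to exec()."""
    return "".join(f"{k}={v}\n" for k, v in values.items())

def validate(values):
    """Reject unknown keys and coerce each value to its declared type."""
    clean = {}
    for key, val in values.items():
        if not _KEY_RE.match(str(key)) or key not in SCHEMA:
            raise ValueError(f"unknown option {key!r}")
        typ = SCHEMA[key]
        if typ is bool:
            if val not in ("true", "false", True, False):
                raise ValueError(f"{key} must be true or false")
            clean[key] = val in ("true", True)
        elif typ is int:
            clean[key] = int(str(val).strip())  # ValueError on "300; import os"
        else:
            clean[key] = str(val)
    return clean

def safe_serialize(values):
    """Write validated values as Python literals; repr() quotes strings."""
    return "".join(f"{k}={v!r}\n" for k, v in validate(values).items())

def safe_parse(text):
    """Read KEY=literal lines with ast.literal_eval, never exec(); anything
    that is not a plain literal of the declared type is rejected."""
    out = {}
    for line in text.splitlines():
        key, sep, literal = line.partition("=")
        if not sep or key not in SCHEMA:
            raise ValueError(f"rejected line {line!r}")
        try:
            value = ast.literal_eval(literal)
        except (ValueError, SyntaxError):
            raise ValueError(f"rejected line {line!r}") from None
        if not isinstance(value, SCHEMA[key]):
            raise ValueError(f"{key} has wrong type")
        out[key] = value
    return out
```

The same split applies to any "config file that is also code" design: validate at write time and parse, rather than execute, at read time.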
GitHub Actions workflow validate_modified_targets.yml vulnerable to command injection via pull_request_target trigger, allowing arbitrary command execution on CI runners and credential exfiltration.
OneUptime uses Node.js vm module for isolation, which can be escaped via error objects and infinite recursion. Fixed in version 10.0.98.
CISA added three vulnerabilities to the KEV catalog, all involving embedded malicious code in popular software packages that harvest credentials.
Daemon Tools contains embedded malicious code with high impact on confidentiality, integrity, and availability. Specific exploitation details undisclosed.
Malicious versions of TanStack published to npm registry under trusted identity to distribute credential-stealing malware, targeting JavaScript development pipelines.
Compromised Nx Console extension published with obfuscated payload harvesting credentials from disk and memory across multiple sources in developer environments.
Multiple high-severity command injection vulnerabilities were found in automation frameworks, along with authentication bypass flaws in security software.
Microsoft UFO automation framework (v3.0.1-4-ge2626659) trusts client-supplied identity and role fields in WebSocket task messages, allowing privilege escalation from normal device to administrative roles.
UFO uses user-controlled task_name value directly when constructing session log paths, enabling authenticated clients to write files outside intended directories via path traversal.
Microsoft UFO releases up to v3.0.0 contain OS command injection in ShellReceiver.run_shell() function, passing command strings without sanitization.
Universal installer uniget (before 0.27.1) executes check field from JSON metadata using /bin/bash -c without validation, enabling command injection from untrusted sources.
Node.js systeminformation library (4.17.0-5.31.5) vulnerable to command injection in networkInterfaces() when NetworkManager connection profile names contain shell metacharacters.
pamusb-pinentry (before 0.8.7) executes PINENTRY_FALLBACK_APP environment variable without validation, allowing local privilege escalation.
Crafted filesystem UUID like $(id>/tmp/rce) in USB device causes root RCE when pamusb-conf --reset-pads executes, affecting versions before 0.8.7.
Himmelblau (2.0.0 to before 3.1.5 and 2.3.11) allows users within same Entra ID domain to obtain local Unix PAM authentication via DAG flow bypass, enabling lateral movement.
When deny_remote=false is configured, pam_usb (before 0.9.1) fails to properly validate PAM_RHOST, allowing remote authentication when intended for local sessions only.
pusb_pad_compare() (before 0.9.0) only verifies user-side pad readability but not system-side pad integrity, enabling authentication bypass via pad manipulation.
Path traversal, null pointer dereference, privilege escalation, and cross-site scripting vulnerabilities were reported across multiple platforms.
Tanium addressed unauthorized code execution vulnerability in Connect component. Specific technical details not disclosed.
The pam_usb deny_remote feature (before 0.9.0) only tests the first element of ut_addr_v6, so remote IPv6 sessions whose addresses begin with a zero word, such as the IPv4-mapped ::ffff:203.0.113.50, go undetected.
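To make the gap concrete, here is an added Python example (not pam_usb's code) that decodes a utmp-style ut_addr_v6 field and compares the first-word-only test with a check that examines the whole address. The function names and sample peer addresses are constructed for illustration; the IPv4-in-words[0] layout is an assumption matching glibc's utmp convention.

```python
import ipaddress
import struct

def utmp_words_to_address(words):
    """Decode a utmp ut_addr_v6 field (four 32-bit words, network byte
    order). glibc records an IPv4 peer in words[0] with the rest zero and
    an IPv6 peer across all four words, so a trailing run of zeros is
    taken to mean IPv4 here (assumption, matching that layout)."""
    if words[1] == words[2] == words[3] == 0:
        return ipaddress.IPv4Address(struct.pack("!I", words[0]))
    return ipaddress.IPv6Address(b"".join(struct.pack("!I", w) for w in words))

def weak_is_remote(words):
    """The flawed test described above: only the first word is inspected.
    An IPv4-mapped IPv6 peer (::ffff:a.b.c.d) has a zero first word and
    is therefore reported as local."""
    return words[0] != 0

def fixed_is_remote(words):
    """Look at the whole address: unwrap IPv4-mapped forms, then treat only
    the unspecified and loopback addresses as local."""
    addr = utmp_words_to_address(words)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_unspecified or addr.is_loopback)

def words_from_text(text):
    """Constructed helper: build the four words the way a login program
    would record the given peer address."""
    addr = ipaddress.ip_address(text)
    packed = addr.packed if addr.version == 6 else addr.packed + bytes(12)
    return list(struct.unpack("!4I", packed))

def classify(text):
    """Return (weak_verdict, fixed_verdict) for a peer address string."""
    words = words_from_text(text)
    return weak_is_remote(words), fixed_is_remote(words)
```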
Path traversal in WOSDefaultHttpModule.dll allows unauthorized file access via specially crafted /woshome URL paths.
WOSCommonUtil.dll function calls return NULL when no user logged into Management Console, causing denial of service when dereferenced without validation.
Requests to /status or /sysinfo endpoints cause crash when WOSHttpStatusModule.dll is not present in the installation directory.
Solana Anchor framework (1.0.0 to before 1.0.2) logic error accepts any program ID when requiring system program ID, enabling arbitrary CPI attacks.
src/tmux.c (before 0.8.7) reads $TMUX environment variable and interpolates socket-path into popen() shell command without sanitization.
Symlink attacks on pad directory and files (before 0.8.7) enable authentication bypass and root file corruption.
msSLDParseUserStyle (6.4.0 to before 8.6.3) assumes msSLDParseRule added class for ElseFilter rules, causing DoS when rule has no symbolizer.
LangSmith SDK (before Python 0.8.0, JS/TS 0.6.0) pull_prompt methods deserialize manifests from untrusted sources without validation, enabling arbitrary code execution.
RELATE (before commit 555f0efb1c) has stored XSS allowing enrolled students to execute JavaScript in administrator sessions, leading to full admin account compromise.
GitLab EE (18.8-18.10.6, 18.11-18.11.3, 19.0) allows authenticated users to cause Duo AI workflows to execute under another user's identity due to improper user context handling.
Mozi botnet continues widespread distribution targeting IoT devices with 17 active distribution URLs across multiple Chinese ISP networks.
17 active Mozi malware distribution URLs detected across IP ranges 110.36.x.x, 182.x.x.x, 222.140.x.x, 39.79.x.x, 115.60.x.x, 119.183.x.x, 61.156.x.x, and 42.233.x.x targeting MIPS and ARM architectures on ports 36488-59662. Payloads delivered as bin.sh and /i executables.
Two distinct Mirai distribution campaigns identified with comprehensive multi-architecture targeting and new variant naming convention.
Active Mirai distribution from 103.77.246.174 serving 8 architecture variants (sh4, mpsl, spc, x86_64, ppc, i686, x86, mips, m68k) via wget user-agent. Comprehensive IoT device targeting across multiple CPU architectures.
New Mirai variant 'wife' distributed from 31.56.209.8 with loader.sh deployment script targeting 13 architectures including emerging platforms (loong64, riscv64, mips64le, ppc64le, arm64, s390x). Sophisticated targeting of modern IoT and embedded systems.
Continued ClearFake social engineering campaigns and Amadey dropper activity detected across Hungarian infrastructure and Russian IP space.
Five ClearFake malware distribution URLs are active across the Hungarian-hosted domains schleer.hu, brssolar.hu, brandbuilder.hu, and boutiqbar.com, using UUID-based URL patterns for victim tracking.
Four malware payloads dropped by Amadey loader from 91.92.242.236/files-129312398/files/ with hexadecimal-named executables. C2 monitoring infrastructure detected for ongoing campaign tracking.
Malware distributed via malqen.life/js/IMG_20260527_082143_803.png disguised as image file, likely social engineering attack vector.