This Week in Cybersecurity: Red Hat Supply Chain Worm, PAN-OS Auth Bypass Exploited, and AI Turned Against Itself


Attackers are targeting the most trusted surfaces in your environment — developer pipelines, VPN gateways, and AI assistants — and this week they found plenty of openings.

The freshest headline broke Monday evening: a supply chain worm dubbed "Miasma: The Spreading Blight" compromised 32 official Red Hat Cloud Services npm packages, injecting a credential-stealing payload that runs automatically on every npm install before a developer sees a single line of output. A few days earlier, Palo Alto Networks confirmed active exploitation of a GlobalProtect authentication bypass — CVE-2026-0257 — as a federal remediation deadline passed on June 1. And researchers disclosed that ChatGPT's web summary feature can be silently turned into a phishing surface, with OpenAI yet to ship a fix.

The common thread this week is trust. The Miasma worm reached developers because the compromised packages came from Red Hat's own verified GitHub organization, complete with valid SLSA provenance attestations. The PAN-OS flaw subverted authentication cookies that firewalls issue specifically to streamline the login experience. ChatGPhish exploits the implicit assumption that content summarized inside a trusted AI interface is itself trustworthy. Meanwhile, a newly documented Russian threat actor, GREYVIBE, demonstrated that nation-state groups are incorporating AI-powered attack tooling into campaigns targeting Ukraine — and Dutch authorities wrapped the week by dismantling the Asocks botnet, a 17-million-device residential proxy infrastructure used to launder malicious traffic through legitimate IP addresses. Here's what you need to know.



Red Hat Cloud Services npm packages backdoored in "Miasma" supply chain worm attack

On June 1, 2026, attackers compromised a Red Hat employee's GitHub account and injected malicious code into three RedHatInsights repositories — frontend-components, javascript-clients, and platform-frontend-ai-toolkit. From there, they used GitHub Actions OIDC tokens to publish backdoored versions of 32 official packages under the @redhat-cloud-services scope, collectively downloaded roughly 117,000 times per week. Because the packages were published through the compromised CI/CD pipeline rather than via a stolen npm token, each poisoned version carried valid SLSA provenance attestations, making them appear fully legitimate to automated supply chain verification tools.

The malware, concealed in a 4.2 MB obfuscated JavaScript payload, runs via a preinstall lifecycle hook — meaning it executes before any application code, and before the developer has any indication that something is wrong. Its credential harvesting is broad: GitHub Actions tokens, AWS, GCP, and Azure credentials, HashiCorp Vault tokens, Kubernetes service account configs, npm and PyPI publish tokens, SSH private keys, Docker credentials, GPG keys, and every .env file on the machine. The exposure window opened on June 1 and covers 96 compromised versions of the 32 affected packages. If your environment pulled any @redhat-cloud-services package on June 1, treat every CI secret, cloud credential, and SSH key as compromised and rotate immediately. The payload is a variant of the Shai-Hulud worm — the tooling associated with the TeamPCP (UNC6780) supply chain campaign — though TeamPCP has publicly open-sourced those tools, making definitive attribution to TeamPCP impossible. Any actor with access to the open-sourced code could have carried out this attack; investigators have not confirmed who is responsible.

Why it matters: This attack should reset assumptions about SLSA provenance as a sufficient trust signal. When an attacker compromises the CI/CD pipeline upstream of the signing step, the attestation itself becomes evidence of a legitimate build process — which is exactly what happened here. Security teams need controls at the consumption layer (dependency pinning, runtime behavior monitoring, and network egress from build environments) alongside those at the generation layer.
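As a consumption-layer check for the scenario above, this added example (not code from Red Hat, Orca Security, or the original post) lists every package from one npm scope in a parsed package-lock.json and marks those that run install-time lifecycle scripts. The function names and the sample lockfile, including its package names and versions, are constructed for illustration.

```javascript
// Added example: list packages from one npm scope in a parsed package-lock.json
// (lockfileVersion 2 or 3) and mark those that run code at install time.

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; root and workspace entries -> null
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

function auditLockfile(lock, scope) {
  if (!lock || !lock.packages) {
    throw new Error("no 'packages' map (lockfileVersion 1 is not handled here)");
  }
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages)) {
    const name = packageNameFromPath(lockPath);
    if (!name || !name.startsWith(scope + "/")) continue;
    findings.push({
      name,
      version: meta.version,
      path: lockPath,
      // npm records this flag when a package declares preinstall, install or postinstall
      runsInstallScript: meta.hasInstallScript === true,
    });
  }
  // Entries that execute code during `npm install` sort first.
  return findings.sort((a, b) => Number(b.runsInstallScript) - Number(a.runsInstallScript));
}

// Constructed sample: package names and versions below are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-app", version: "1.0.0" },
    "node_modules/@redhat-cloud-services/placeholder-ui": { version: "0.0.1" },
    "node_modules/unrelated-pkg": { version: "0.0.2", hasInstallScript: true },
    "node_modules/dep/node_modules/@redhat-cloud-services/placeholder-client": {
      version: "0.0.3",
      hasInstallScript: true,
    },
  },
};

console.log(auditLockfile(sampleLock, "@redhat-cloud-services"));
```

Any hit still has to be compared against the affected-version list in the vendor advisory, which this page does not reproduce. Installing with `npm ci --ignore-scripts` in build environments keeps preinstall hooks from running at all.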

Read more at Orca Security

GREYVIBE: Newly documented Russia-linked threat actor targets Ukraine using ChatGPT, Gemini, and Ideogram AI

WithSecure published its full investigation of GREYVIBE on May 28, 2026, naming a previously undocumented threat actor behind a persistent series of attacks against Ukraine and Ukraine-related entities dating back to at least August 2025. The group is assessed as Russian-speaking and operating broadly within the Moscow time zone, with intelligence-gathering objectives aligned with Kremlin interests. Confirmed victims span military, government, civilian, and business-related organizations. WithSecure's report title puts the defining characteristic plainly: "A Russia-nexus group leveraging AI across state-aligned operations."

The use of AI is systematic, not incidental. WithSecure identified strong evidence of the use of ChatGPT, Google Gemini, and Ideogram AI across multiple operational phases: generating realistic images for phishing lures, developing the group's custom obfuscators (LOOKVALJS, DAYLIGHT, TEASOUP), building its custom malware families, PhantomRelay and LegionRelay, configuring backend infrastructure, and producing post-compromise commands. WithSecure assesses with moderate confidence that several of the group's tools were developed with LLM assistance, noting that design flaws in LegionRelay, a PowerShell-based remote access tool, are consistent with AI-assisted development. The group ran five distinct campaigns concurrently: PhantomMail (spear-phishing targeting Ukrainian officials), PhantomClick (fake CAPTCHA ClickFix pages), PrincessClub (fake Ukrainian adult-club sites targeting combatants in Kharkiv), DroneLink (fake UAV charity sites), and Nebo (Russian-language military terminal lures). Despite the campaign breadth, WithSecure assesses GREYVIBE as "low-to-moderately sophisticated," noting repeated operational security failures — the AI tooling appears to compensate for capability gaps rather than augmenting elite tradecraft.

Why it matters: GREYVIBE demonstrates that AI-powered attack development is no longer the exclusive province of top-tier nation-state actors. A group that WithSecure rates as below mature nation-state tradecraft still sustained five parallel, regionally tailored campaigns against Ukrainian targets — by outsourcing malware development, lure creation, and operational scripting to commercial AI platforms. The implication for defenders: signature-based detection of novel malware becomes structurally harder when threat actors can regenerate and refactor their tooling on demand with AI assistance.

Read more at WithSecure Labs

Palo Alto PAN-OS GlobalProtect CVE-2026-0257: authentication bypass under active exploitation as CISA deadline passed

Palo Alto Networks confirmed active exploitation of CVE-2026-0257 on May 29, 2026 — a vulnerability in PAN-OS GlobalProtect's authentication override cookie mechanism that allows an unauthenticated attacker to bypass security restrictions and establish unauthorized VPN connections. CISA had added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog and set a federal remediation deadline of June 1, 2026, which passed this week.

The vulnerability carries a CVSS score of 7.8 — rated HIGH severity — with Palo Alto's own advisory marking urgency as HIGHEST given active exploitation. It affects firewalls with the GlobalProtect portal or gateway configured when authentication override cookies are enabled and a specific certificate configuration is in place. Rapid7 identified the earliest exploitation on May 17, a second wave on May 21, and assessed both waves as likely involving the same threat actor — though attribution had not been confirmed at the time of reporting. The flaw does not affect Panorama or Cloud NGFW deployments. Patches are available across all supported PAN-OS releases; Palo Alto's advisory also provides mitigation guidance for organizations that cannot patch immediately. If your organization has GlobalProtect deployed with authentication override cookies enabled, assume you were in the exploitation window.

Why it matters: VPN gateways are high-value targets precisely because they represent the perimeter's front door, and successful exploitation here gives attackers a foothold inside the network before any endpoint detection fires. The pattern of exploitation beginning days after public disclosure — and accelerating over two discrete waves — underscores how quickly threat actors move on disclosed VPN flaws. Check your GlobalProtect configuration now; if you had the vulnerability's specific configuration present and hadn't patched before June 1, treat the device logs as a forensic priority.

Read more at Help Net Security

ChatGPhish: ChatGPT's web summary feature turned into a phishing surface, OpenAI has not patched

Permiso Security researcher Andi Ahmeti disclosed "ChatGPhish" on May 29, 2026: a technique that weaponizes ChatGPT's web summarization feature by embedding malicious Markdown payloads in any web page a user prompts ChatGPT to summarize. The chatgpt.com response renderer implicitly trusts Markdown links and image URLs sourced from the third-party pages the assistant has just processed, then auto-fetches those images and surfaces those links as live, clickable elements inside the trusted assistant interface.

In practice, this means an attacker can append a small payload to any publicly accessible web page. When a victim later asks ChatGPT to summarize that page, the response can leak the victim's IP address, User-Agent, and Referer headers — via automatic image-fetch requests to attacker-controlled servers — and render phishing links, spoofed account alerts, and QR codes inside what the user perceives as a trusted AI interface. Permiso first reported the vulnerability to OpenAI via Bugcrowd on April 29, 2026; as of the May 29 public disclosure, OpenAI had not implemented a fix despite two submissions and a follow-up request for clarification. The vulnerability does not require the victim to click anything on the raw page; the attack is triggered when ChatGPT summarizes it.

Why it matters: AI tools have become part of daily workflows for many security and IT professionals — summarizing threat reports, vendor documents, and security advisories is exactly the kind of task ChatGPT gets pointed at. A malicious actor who knows that pattern can seed a document that harvests credentials or delivers a phishing link inside a context the target has no reason to distrust. Until a patch ships, treat any link generated by ChatGPT as originating from the underlying source rather than OpenAI — and consider whether sensitive research workflows should avoid web summarization for now.
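For teams that display model-generated summaries in their own tools, this added example (not code from OpenAI, Permiso, or the original post) shows one mitigation for the behaviour described above: removing remote images and turning links into plain text with the destination host visible, unless the host is on an allowlist. It covers inline Markdown only (not reference-style links or raw HTML), and the function names, host names, and sample text are constructed.

```javascript
// Added example: neutralize inline Markdown images and links in model output
// before rendering. Reference-style links and raw HTML are out of scope here.
const INLINE = /(!?)\[([^\]]*)\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)/g;

function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch {
    return null; // relative or malformed URLs are treated as untrusted
  }
}

function hardenMarkdown(markdown, trustedHosts = []) {
  const trusted = new Set(trustedHosts.map((h) => h.toLowerCase()));
  const report = { blockedImages: [], defangedLinks: [] };
  const text = markdown.replace(INLINE, (match, bang, label, url) => {
    const host = hostOf(url);
    if (host && trusted.has(host)) return match; // allowlisted: leave untouched
    // Drop brackets from the label so the output cannot form a new link.
    const safeLabel = label.replace(/[\[\]]/g, "");
    if (bang) {
      // Images are fetched automatically on render, so remove them outright.
      report.blockedImages.push(url);
      return `(image removed: ${safeLabel || "no alt text"})`;
    }
    // Links become plain text that shows where they really point.
    report.defangedLinks.push(url);
    return `${safeLabel} (link to ${host || "unparseable URL"}, not followed)`;
  });
  return { text, ...report };
}

// Constructed sample of summary text; all hosts are placeholders.
const sampleSummary = [
  "Summary of the page.",
  "![status](https://collector.example/p.png?u=1)",
  "[Verify your account](https://login.example/reset)",
  "[Docs](https://docs.trusted.example/guide)",
].join("\n");

console.log(hardenMarkdown(sampleSummary, ["docs.trusted.example"]).text);
```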

Read more at The Hacker News

Dutch authorities dismantle Asocks botnet linked to 17 million infected devices

Dutch police (Politie) and the National Cyber Security Center (NCSC) announced on May 31, 2026, the takedown of the Asocks botnet — a residential proxy service backed by at least 17 million infected devices, including computers, tablets, smartphones, and IoT hardware. More than 200 servers located in the Netherlands provided the backend infrastructure; authorities seized a subset of those servers from a hosting provider, which subsequently took the remaining infrastructure offline.

Asocks marketed itself as a legitimate residential proxy service, but its underlying infrastructure was built on devices that had been compromised without their owners' knowledge. Residential proxy services built on botnet infrastructure are routinely used by threat actors to launder malicious traffic through legitimate IP addresses and geographies, circumventing IP reputation blocks and making attribution significantly harder. The takedown follows a pattern identified by HUMAN's Satori Threat Intelligence in 2024, when researchers first linked Asocks infrastructure to a broader campaign dubbed PROXYLIB. While law enforcement did not publicly attribute Asocks to a specific criminal organization, the scale — 17 million enrolled devices — places it among the largest residential proxy botnets ever dismantled.

Why it matters: Botnet-backed proxy infrastructure is the plumbing for a wide range of attacks: credential stuffing, fraud, automated scanning, and the kind of multi-hop access that supply chain attackers use to complicate forensics. Dismantling Asocks removes a major layer of obfuscation from the criminal toolkit. For defenders, the story is also a reminder to audit internet-facing IoT and endpoint devices for unexpected outbound proxy behavior — your device may have been a node in this network without your organization's knowledge.

Read more at The Hacker News

Final thoughts

This week's stories are a study in how attackers weaponize trust. Whether it's the SLSA provenance attestation that makes a backdoored npm package look clean, the authentication cookie that a VPN gateway issues to make life easier for users, the AI interface that users assume filters harmful content before surfacing it, or the residential proxy service marketed as legitimate tooling — each of these attacks succeeded by turning a trusted mechanism against the people depending on it. That pattern is increasingly deliberate, not coincidental: as perimeter controls and signature-based detection improve, sophisticated actors invest in compromising the trust signals on which detection relies.

The Dutch botnet takedown offers a counterpoint worth sitting with. Seventeen million devices. Two hundred servers. One hosting provider that made the call to pull the plug. Large-scale cooperation between law enforcement, national cybersecurity agencies, and infrastructure providers is producing real results — and those results compound, because each dismantled proxy network makes the next wave of attacks slightly harder to launder.

Check back next Tuesday for the latest.
