Cyber Threats
Weekly Threat Watch
May 25, 2026
CI/CD Supply Chain Worms, Kernel Zero-Days, and Ubiquiti CVSS 10.0 Flaws


This week’s threat landscape exposes a severe escalation in the automation and scale of software supply chain attacks, alongside critical vulnerabilities striking at the heart of enterprise security and AI infrastructure. From the massive "Megalodon" campaign rewriting thousands of GitHub workflows to unpatched zero-days in the Windows Kernel and catastrophic authentication bypasses in Cisco and Ubiquiti platforms, adversaries are aggressively targeting foundational trust boundaries.

SISA Weekly Threat Watch is our weekly feature offering a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest critical threats.

The CI/CD and Software Supply Chain Siege

Threat actors are deploying highly automated worms and leveraging compromised developer endpoints to execute massive, cross-ecosystem supply chain attacks, bypassing traditional perimeter defenses.

  • "Megalodon" GitHub Actions Campaign — In a highly automated six-hour window, attackers pushed 5,718 malicious commits to 5,561 GitHub repositories using stolen Personal Access Tokens (PATs). By forging commit authors (e.g., build-bot), they injected malicious workflows (SysDiag, Optimize-Build) designed to harvest cloud credentials, OIDC tokens, and SSH keys directly from CI/CD runners.
  • "Mini Shai-Hulud" @antv npm Worm — A self-propagating worm compromised Alibaba’s @antv ecosystem and 323 unique npm packages. Using hijacked publisher accounts, the malware deployed "phantom commit droppers" and embedded preinstall hooks to scrape memory for AWS/GCP keys and publish tokens, automatically republishing itself to scale the infection.
  • GitHub Internal Codebase Exfiltration — A poisoned VS Code extension compromised a GitHub employee's workstation, allowing the TeamPCP threat group to harvest local credentials and exfiltrate 3,800 internal, private GitHub repositories. The stolen data includes critical infrastructure logic for GitHub Actions, Copilot, and CodeQL, presenting a massive blueprint for future supply chain attacks.
  • Packagist & GitHub Cross-Ecosystem Attack — Attackers compromised eight Composer packages and over 700 GitHub repos by hiding malicious lifecycle hooks inside package.json and .github/workflows/ files. This cross-ecosystem tactic drops a Linux binary (gvfsd-network) into /tmp/.sshd to achieve silent Remote Code Execution (RCE) on CI runners.
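
Both the @antv worm and the Packagist campaign above rely on install-time lifecycle hooks in package.json. The following added example (not code from the original advisory) inventories every such hook under a directory tree so it can be reviewed before anything is installed with scripts enabled; the package names and manifests in `build_sample_tree` are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Scripts npm runs automatically when a package is installed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_install_hooks(root):
    """Return sorted (manifest path, hook, command) tuples found under root."""
    root = Path(root)
    findings = []
    for manifest in root.rglob("package.json"):
        rel = manifest.relative_to(root).as_posix()
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            # A manifest that cannot be parsed deserves a manual look.
            findings.append((rel, "unparseable", ""))
            continue
        scripts = data.get("scripts") if isinstance(data, dict) else None
        if not isinstance(scripts, dict):
            continue
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append((rel, hook, str(scripts[hook])))
    return sorted(findings)


def build_sample_tree(root):
    """Write two constructed manifests: one clean, one with a preinstall hook."""
    samples = {
        "node_modules/clean-pkg/package.json": {
            "name": "clean-pkg", "scripts": {"test": "node test.js"}},
        "node_modules/hooked-pkg/package.json": {
            "name": "hooked-pkg", "scripts": {"preinstall": "node setup.js"}},
    }
    for rel, body in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(body), encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, hook, command in find_install_hooks(tmp):
            print(f"{rel}: {hook} -> {command}")
```

A hook that appears in a lockfile-pinned dependency after an update, where the previous version had none, is the change worth diffing first.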

Critical Infrastructure, AI, and Security Framework Flaws

The platforms designed to protect networks and orchestrate AI data models are themselves suffering from maximum-severity vulnerabilities.

  • Cisco Secure Workload Auth Bypass (CVE-2026-20223) — A critical CVSS 10.0 vulnerability in the internal REST API allows unauthenticated remote attackers to gain full "Site Admin" privileges. This grants adversaries cross-tenant access to intercept application traffic and alter microsegmentation policies.
  • ChromaDB Pre-Auth RCE (CVE-2026-45829) — A critical CVSS 10.0 flaw in the Python implementation of the ChromaDB vector database allows unauthenticated attackers to execute arbitrary code. By passing malicious model configurations (e.g., rogue HuggingFace repos) before authentication checks occur, attackers achieve full host takeover.
  • Microsoft Defender RCE (CVE-2026-45584) — A high-severity heap buffer overflow in the Microsoft Malware Protection Engine allows attackers to achieve remote code execution by delivering a specially malformed file. Because the engine runs with high system privileges, this parsing failure poses a severe systemic risk.
  • SISA Advisory (Ubiquiti, LiteLLM, NGINX) — Multiple critical infrastructure flaws were highlighted, including three CVSS 10.0 vulnerabilities in Ubiquiti UniFi OS allowing unauthenticated RCE and network takeover. Additionally, critical broken access control flaws in the LiteLLM AI proxy framework (CVE-2026-47101/2) permit low-level users to inject administrative paths into API keys.

OS Kernel Exploits and Advanced Cyber Espionage

Adversaries are leveraging deeply embedded local privilege escalations and stealthy proxies to maintain persistent, invisible access.

  • MiniPlasma Windows Kernel Zero-Day (CVE-2026-40899) — A critical Use-After-Free (UAF) race condition in the Windows Cloud Files Mini Filter Driver (cldflt.sys) remains unpatched. Exploitable on fully updated Windows 11 systems, it allows local attackers to overwrite process tokens and achieve SYSTEM privileges.
  • DirtyDecrypt Linux Kernel LPE (CVE-2026-31635) — A missing Copy-on-Write (COW) guard in the Linux kernel’s rxgk module allows local, unprivileged users to overwrite the page cache during decryption operations, granting full root access. Functional proof-of-concept exploits are already public.
  • Showboat & JFMBackdoor Espionage — State-sponsored Chinese actors (Calypso/Bronze Medley) are targeting telecommunications firms using a dual-platform framework. "Showboat" acts as a modular Linux proxy that masquerades as kernel threads and tunnels SOCKS5 traffic via PNG images, while "JFMBackdoor" utilizes DLL side-loading on Windows for deep administrative persistence.

Identity and Trust Evasion

  • Microsoft Internal Account Infrastructure Phishing — Scammers are exploiting unvalidated input fields during Microsoft tenant enrollment to trigger fully authenticated, automated emails directly from msonlineservicesteam@microsoftonline.com. Because the emails originate from core Microsoft infrastructure, they easily bypass SPF/DKIM/DMARC and Secure Email Gateways (SEGs).

Proactive steps for the week

  • Harden CI/CD Workflows: Immediately audit GitHub Actions for unauthorized changes (e.g., SysDiag, Optimize-Build). Enforce branch protections, mandate signed commits, and restrict GITHUB_TOKEN permissions to read-only where possible to halt the Megalodon campaign.
  • Purge Malicious Dependencies: Identify and remove affected versions of the @antv ecosystem and compromised Packagist/GitHub packages. Run strict dependency diffs against lockfiles and utilize npm install --ignore-scripts to block automated malware execution.
  • Isolate AI and Security Infrastructure: Ensure ChromaDB instances are not internet-facing and terminate authentication at a reverse proxy layer. Transition to the native Rust server architecture if possible. Ensure Microsoft Defender definitions and platform engines are automatically updated to v1.1.26050.x or higher.
  • Patch Edge and Network Controllers: Apply urgent updates for Cisco Secure Workload (v3.10.8.3 or v4.0.3.17) and Ubiquiti UniFi OS (v5.1.12+) to remediate CVSS 10.0 flaws.
  • Address Kernel Flaws: Deploy Linux distribution patches for DirtyDecrypt immediately. For Windows, strictly enforce Driver Signature Enforcement and utilize Windows Defender Credential Guard to mitigate the MiniPlasma zero-day until a patch is released.
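
One way to start the workflow audit from the first step above, as an added example that is not part of the original advisory: a heuristic text scan (not a full YAML parser) that flags workflow files whose top-level name matches the names listed in this advisory, that declare no `permissions` key, or that grant a write scope. The finding labels and sample workflows are constructed for illustration.

```python
import re
from pathlib import Path

# Workflow names reported for the Megalodon campaign in this advisory.
WATCHLIST = {"sysdiag", "optimize-build"}
NAME_RE = re.compile(r"^name:[ \t]*['\"]?(.+?)['\"]?[ \t]*$", re.M)
PERMS_RE = re.compile(r"^[ \t]*permissions:[ \t]*(\S.*)?$", re.M)
WRITE_RE = re.compile(r"^[ \t]*[\w-]+:[ \t]*write[ \t]*(?:#.*)?$", re.M)

def audit_workflow(text):
    """Heuristic text scan of one workflow file; returns a list of finding labels."""
    findings = []
    name = NAME_RE.search(text)
    if name and name.group(1).strip().lower() in WATCHLIST:
        findings.append("watchlisted-name")
    perms = PERMS_RE.findall(text)
    if not perms:
        # Without a permissions key, GITHUB_TOKEN gets the repo/org default scope.
        findings.append("no-permissions-block")
    if any(p.strip() == "write-all" for p in perms) or WRITE_RE.search(text):
        findings.append("write-permission")
    return findings

def audit_repo(root):
    """Audit every workflow under .github/workflows; returns {file name: findings}."""
    wf_dir = Path(root) / ".github" / "workflows"
    report = {}
    for path in sorted(wf_dir.glob("*.y*ml")):
        findings = audit_workflow(path.read_text(encoding="utf-8"))
        if findings:
            report[path.name] = findings
    return report

# Constructed sample workflows (not taken from any real repository).
SAMPLES = {
    "diag.yml": "name: SysDiag\non: push\njobs:\n  d:\n    runs-on: ubuntu-latest\n"
                "    permissions:\n      id-token: write\n    steps:\n      - run: 'true'\n",
    "ci.yml": "name: CI\non: push\npermissions:\n  contents: read\njobs:\n  t:\n"
              "    runs-on: ubuntu-latest\n    steps:\n      - run: 'true'\n",
    "lint.yaml": "name: Lint\non: push\njobs:\n  l:\n    runs-on: ubuntu-latest\n"
                 "    steps:\n      - run: 'true'\n",
}

if __name__ == "__main__":
    for fname, text in SAMPLES.items():
        print(fname, audit_workflow(text))
```

A write scope is sometimes legitimate (for example `id-token: write` for OIDC federation), so treat these findings as a review queue and compare each against the workflow's commit history.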
