This week’s threat landscape exposes a severe fragility across the foundational layers of enterprise technology. Attackers are unearthing decades-old vulnerabilities in core web servers (NGINX), exploiting physical encryption barriers (BitLocker), and orchestrating highly complex, multi-stage supply chain attacks against developer environments. Whether it is an 18-year-old remote code execution flaw or the hijacking of expired developer email domains, the overarching theme is the weaponization of assumed trust—be it in the network perimeter, the operating system, or the open-source pipeline.
SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide this week. These recurring, actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest critical threats.
Core Infrastructure and Perimeter Devices Under Fire
Critical unauthenticated flaws in web servers, SD-WAN controllers, and identity management platforms are exposing enterprise backbones to immediate takeover.
- NGINX "Rift" Vulnerability (CVE-2026-42945) — An 18-year-old critical flaw in the ngx_http_rewrite_module allows unauthenticated attackers to achieve Remote Code Execution (RCE). A single crafted HTTP request using unnamed PCRE capture groups and a question mark can trigger a heap buffer overflow, corrupting memory without requiring prior access or a valid session.
- Cisco Catalyst SD-WAN Manager Auth Bypass (CVE-2026-20182) — A critical authentication bypass allows unauthenticated remote attackers to gain full administrative control over the vManage REST API. By forging requests, attackers can orchestrate the entire SD-WAN fabric, modify VPNs, and intercept traffic.
- Fortinet FortiAuthenticator RCE (CVE-2026-44277) — A critical improper access control flaw (CVSS 9.8) allows unauthenticated remote attackers to execute arbitrary code or commands on the IAM appliance, potentially compromising an organization's MFA and identity databases.
- Exchange Server XSS Zero-Day (CVE-2026-42897) — Microsoft warned of an actively exploited cross-site scripting flaw in on-premise Exchange Servers. Attackers can execute malicious JavaScript within an authenticated Outlook Web Access (OWA) session via crafted emails. Microsoft is deploying emergency mitigations via EEMS.
- Microsoft May 2026 Patch Tuesday — While lacking active zero-days, this massive 138-vulnerability release includes critical unauthenticated RCEs targeting core network identities: Windows DNS Client (CVE-2026-41096) and Netlogon on Domain Controllers (CVE-2026-41089).
The OS and Hardware Layer Under Siege
Adversaries and researchers are breaking through local operating system protections, compromising full-disk encryption, and achieving root escalation.
- BitLocker Bypasses (YellowKey & GreenPlasma) — Two zero-day exploit chains can bypass Windows BitLocker encryption with local/physical access. "YellowKey" forces a Secure Boot downgrade to extract the Volume Master Key (VMK), while "GreenPlasma" uses logical TPM sniffing during silent patching states. The public "BitUnlocker" tool has automated these attacks.
- Fragnesia Linux Kernel LPE (CVE-2026-46300) — A critical local privilege escalation flaw in the Linux networking stack (ESP-in-TCP) allows an unprivileged user to achieve root access by triggering a heap buffer overflow via malformed packet fragments.
- SHADOW-EARTH-053 APT Campaign — This China-aligned group continues to target Asian governments by exploiting legacy Microsoft Exchange ProxyLogon vulnerabilities. Once inside, they deploy Godzilla web shells, sideload ShadowPad malware, and embed deeply into the network for sustained espionage.
Advanced Supply Chain and CI/CD Compromise
Threat actors are explicitly targeting developer ecosystems, weaponizing orphaned accounts and misconfigured GitHub Actions to push malware with valid provenance.
- "Mini Shai-Hulud" Targets @tanstack (TeamPCP) — Attackers hijacked TanStack's legitimate GitHub Actions release pipeline by abusing pull_request_target misconfigurations. They extracted OIDC tokens from runner memory to publish 84 malicious npm packages with valid SLSA provenance attestations. The malware harvests CI/CD secrets and features a destructive dead-man's switch.
- node-ipc Supply Chain Follow-up — Final analysis reveals attackers hijacked a dormant co-maintainer's expired email domain to push trojanized versions (e.g., v12.0.1). The payload features zero-interaction execution and exfiltrates cloud secrets using highly covert DNS TXT record tunneling to bypass corporate web proxies.
- TeamPCP Checkmarx Compromise — The same threat actor backdoored the Checkmarx Jenkins AST plugin (v2026.5.09) and distributed it via the official Jenkins Marketplace. The payloads are designed to aggressively harvest Kubernetes configs, GitHub tokens, and CI/CD secrets.
Social Engineering and Application Flaws
The human element remains a highly effective vector, with attackers using convincing lures and vulnerable administrative interfaces to bypass initial defenses.
- pgAdmin 4 Administration Flaws — Four vulnerabilities (CVE-2026-7813 to -7819) in the popular PostgreSQL administration tool allow authenticated users to execute OS commands, run arbitrary SQL, and traverse paths via symlinks.
- MacSync Stealer via Homebrew Ads — A malvertising campaign uses Google Ads to impersonate the popular macOS package manager "Homebrew." Victims are tricked into copying a fake installation command into their Terminal, which silently downloads the MacSync infostealer.
- Help Desk Impersonation (ModeloRAT) — Attackers are spoofing corporate IT Help Desks, urging users to download "security updates" from legitimate Dropbox links. These LNK and VBScript files execute Python reconnaissance scripts to validate the target before deploying an evolved version of the ModeloRAT backdoor.
Proactive steps for the week
- Secure BitLocker Configurations: Transition enterprise Windows endpoints from "TPM-only" to TPM + PIN (or Startup Key) to mitigate the YellowKey/GreenPlasma physical bypass attacks.
- Patch Core Network Assets: Prioritize updates for NGINX (v1.30.1/1.31.0), FortiAuthenticator (v8.0.3/6.6.9+), and Cisco SD-WAN (v20.12.3+). For Windows, immediately deploy the Netlogon and DNS Client patches to Domain Controllers.
- Audit CI/CD Workflows: Review all GitHub Actions for the unsafe use of pull_request_target combined with code checkouts. Enforce strict id-token scoping to prevent the OIDC extraction seen in the TanStack attack.
- Purge Malicious Dependencies: Enforce a lockfile downgrade to known clean baselines for node-ipc (v12.0.0 or 9.2.1) and immediately remove any @tanstack versions associated with the May 11, 2026, compromise window.
- Block Malicious Delivery Vectors: Educate macOS developers on the dangers of pasting Terminal commands from search engine ads (Homebrew lure). Restrict unauthorized execution of wscript.exe and block downloads of executable archives from unapproved Dropbox paths.
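The CI/CD audit step above, and the pull_request_target misconfiguration described in the TanStack item, can be checked mechanically. The following Python script is an added example (it is not part of this advisory or of any tool from SISA, GitHub or TanStack): it scans a GitHub Actions workflow for a pull_request_target trigger combined with a checkout of the pull request head, and for a writable id-token permission on such a workflow. The two embedded workflows are constructed samples, and the check is a heuristic line-based scan rather than a full YAML parse.

```python
"""Heuristic audit of a GitHub Actions workflow for the pull_request_target +
checkout-of-PR-head pattern. Added example; line-based, not a full YAML parser."""
import re
from typing import Dict, List

ON_LINE_RE = re.compile(r'^["\']?on["\']?:\s*(.*)$')          # top-level trigger key
PR_HEAD_RE = re.compile(r'github\.event\.pull_request\.head\.(?:sha|ref)')
CHECKOUT_RE = re.compile(r'^\s*-?\s*uses:\s*actions/checkout')
ID_TOKEN_WRITE_RE = re.compile(r'^\s*id-token:\s*write\b')


def _trigger_block(lines: List[str]) -> str:
    """Collect the text of the top-level 'on:' block, which defines the triggers."""
    block, inside = [], False
    for line in lines:
        m = ON_LINE_RE.match(line)
        if m:
            inside = True
            block.append(m.group(1))   # inline form, e.g. on: [push, pull_request_target]
            continue
        if inside:
            # The next unindented, non-comment line starts another top-level key.
            if line.strip() and not line.startswith((" ", "\t", "#")):
                break
            block.append(line)
    return "\n".join(block)


def audit_workflow(text: str) -> Dict[str, object]:
    """Return the indicators found and an overall severity for one workflow file."""
    lines = text.splitlines()
    uses_prt = re.search(r"\bpull_request_target\b", _trigger_block(lines)) is not None
    has_checkout = any(CHECKOUT_RE.match(l) for l in lines)
    checks_out_pr_head = any(PR_HEAD_RE.search(l) for l in lines)
    id_token_write = any(ID_TOKEN_WRITE_RE.match(l) for l in lines)

    findings: List[str] = []
    if uses_prt and checks_out_pr_head:
        findings.append("pull_request_target checks out the PR head: untrusted code runs "
                        "with the base repository's secrets")
    elif uses_prt and has_checkout:
        findings.append("pull_request_target with a checkout step: confirm it never "
                        "checks out or executes code from the PR head")
    if uses_prt and id_token_write:
        findings.append("id-token: write on a pull_request_target workflow: an OIDC token "
                        "is obtainable from the PR-controlled job")

    if uses_prt and checks_out_pr_head and id_token_write:
        severity = "critical"
    elif uses_prt and checks_out_pr_head:
        severity = "high"
    elif findings:
        severity = "medium"
    else:
        severity = "ok"
    return {"pull_request_target": uses_prt, "checks_out_pr_head": checks_out_pr_head,
            "id_token_write": id_token_write, "severity": severity, "findings": findings}


# Constructed samples (not real project workflows).
UNSAFE_WORKFLOW = """\
name: PR build
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: read
  id-token: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""

HARDENED_WORKFLOW = """\
name: PR build
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    for label, wf in (("unsafe", UNSAFE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        result = audit_workflow(wf)
        print(f"{label}: severity={result['severity']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it over every file under .github/workflows/ and treat "high" or "critical" as release blockers. The hardened sample switches to the plain pull_request trigger, which runs with read-only permissions and no id-token, and drops the explicit ref override so only the base repository's checked-in workflow decides what is executed.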
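For the dependency-purge step above (and the trojanized node-ipc versions described in the follow-up item), this added Python example, which is not a SISA or project tool, walks an npm package-lock.json and reports any node-ipc version outside the clean baselines named in this advisory. Because the affected @tanstack releases are not listed here, it surfaces every @tanstack/* package for manual review rather than hard-coding versions; that scope is an assumption of the example. The embedded lockfile is constructed, and handling of both the lockfileVersion 2/3 "packages" map and the lockfileVersion 1 "dependencies" tree goes beyond the single case the text mentions.

```python
"""Audit an npm package-lock.json against the clean baselines named in the advisory.
Added example; not a SISA or project tool."""
import json
from typing import Iterator, List, Tuple

# Clean node-ipc baselines as given in the advisory; any other version is flagged.
CLEAN_NODE_IPC = {"12.0.0", "9.2.1"}
# Assumption: the exact compromised @tanstack releases are not listed here, so every
# @tanstack/* package is surfaced for manual review against the compromise window.
REVIEW_PREFIX = "@tanstack/"


def iter_packages(lock: dict) -> Iterator[Tuple[str, str]]:
    """Yield (package name, version) for every installed package.

    lockfileVersion 2/3 lists packages under 'packages' keyed by install path;
    lockfileVersion 1 uses a nested 'dependencies' tree. Both are handled.
    """
    packages = lock.get("packages")
    if packages:
        for path, meta in packages.items():
            if not path:          # "" is the root project itself
                continue
            # Name is whatever follows the last 'node_modules/', scope included.
            yield path.rsplit("node_modules/", 1)[-1], meta.get("version", "")
        return

    def walk(deps: dict) -> Iterator[Tuple[str, str]]:
        for name, meta in deps.items():
            yield name, meta.get("version", "")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def audit_lockfile(lock_text: str) -> List[Tuple[str, str, str]]:
    """Return (name, version, reason) for packages that need action."""
    findings = []
    for name, version in iter_packages(json.loads(lock_text)):
        if name == "node-ipc" and version not in CLEAN_NODE_IPC:
            findings.append((name, version, "outside clean baselines 12.0.0 / 9.2.1"))
        elif name.startswith(REVIEW_PREFIX):
            findings.append((name, version, "verify against the May 11, 2026 compromise window"))
    return findings


# Constructed lockfile (lockfileVersion 3); every version except node-ipc's is made up.
SAMPLE_LOCKFILE = """{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/node-ipc": {"version": "12.0.1"},
    "node_modules/@tanstack/react-query": {"version": "5.0.0"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/some-lib": {"version": "2.0.0"},
    "node_modules/some-lib/node_modules/node-ipc": {"version": "9.2.1"}
  }
}"""

if __name__ == "__main__":
    for name, version, reason in audit_lockfile(SAMPLE_LOCKFILE):
        print(f"{name}@{version}: {reason}")
```

Nested copies are checked too, which matters here: the sample's top-level node-ipc 12.0.1 is flagged while the nested 9.2.1 copy under some-lib passes, so a clean top-level pin alone does not prove the tree is clean.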
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories. For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
