Cybersecurity News: Drupal KEV addition, Underminr revives domain fronting, Canadian KimWolf arrest

In today’s cybersecurity news…

CISA adds Drupal Core flaw to KEV

The flaw, tracked as CVE-2026-9082 and affecting Drupal Core, carries a CVSS score of 9.8. As we reported on May 20, Drupal issued a critical security patch for the SQL injection vulnerability, which allows unauthenticated attackers to compromise sites running PostgreSQL databases; exploitation attempts began almost immediately after disclosure, with thousands of attacks in the wild being tracked. According to Imperva, attacks are primarily targeting gaming and financial services sites. The KEV addition means federal agencies must fix the vulnerability by May 27.

(Security Affairs)

Underminr hides malicious connections behind trusted domains

This weakness exists in shared content delivery network (CDN) infrastructure. Spelled Underminr, it is a variant of a technique called domain fronting, a now largely mitigated type of attack in which a threat actor placed a legitimate, allowed domain in the TLS Server Name Indication (SNI) field of an HTTPS connection, so that the CDN's certificate validated for that front domain, while embedding a different target domain in the encrypted HTTP Host header inside the TLS tunnel. The CDN delivered the HTTP request to the hidden destination, while on the wire the traffic appeared to be going to a reputable front domain. According to Zero Trust company ADAMnetworks, Underminr has been abused in attacks mostly over TCP connections on port 443, where the SNI field is what exposes the intended TLS hostname to anyone inspecting the connection.
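To make the SNI-versus-Host split concrete, here is an added example (not code from ADAMnetworks, and not Underminr's exact mechanics, which the article does not detail) that builds a classic fronted request and then runs a mismatch check over a few constructed decrypting-proxy log lines. The log format, the hostnames and the crude eTLD+1 helper are assumptions for the example.

```python
# Added illustration of classic domain fronting plus a detection check for it.
# Not Underminr's exact mechanics and not ADAMnetworks' code; the proxy log
# format, hostnames and the eTLD+1 helper below are assumptions for the example.
import re


def build_fronted_request(front: str, target: str, path: str = "/") -> tuple[str, bytes]:
    """Return the two hostnames a fronted connection carries.

    The first value goes into the TLS ClientHello SNI (cleartext, and the name
    the CDN's certificate must validate for).  The second is the HTTP request
    that travels inside the tunnel; its Host header names the real destination
    and is invisible to anyone who cannot decrypt the TLS session.
    """
    request = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {target}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")
    return front, request


def registrable_domain(hostname: str) -> str:
    """Crude eTLD+1 (last two labels).  Assumption for the example; a real
    check should consult the Public Suffix List."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


# Constructed decrypting-proxy log lines (assumed format): one line per request
# for which the proxy saw both the TLS SNI and, after decryption, the Host header.
SAMPLE_LOG = """\
ts=2026-05-22T10:01:02Z src=10.0.0.5 sni=assets.example-cdn.net host=assets.example-cdn.net
ts=2026-05-22T10:01:05Z src=10.0.0.5 sni=www.example-cdn.net host=static.example-cdn.net
ts=2026-05-22T10:02:17Z src=10.0.0.9 sni=trusted-front.example-cdn.net host=c2.attacker-controlled.test
ts=2026-05-22T10:02:40Z src=10.0.0.9 sni=trusted-front.example-cdn.net host=-
"""

LOG_RE = re.compile(r"src=(?P<src>\S+)\s+sni=(?P<sni>\S+)\s+host=(?P<host>\S+)")


def find_fronting(log_text: str) -> list[dict]:
    """Flag requests whose decrypted Host header is not in the same registrable
    domain as the cleartext SNI.  Same-organisation mismatches (www vs static)
    are tolerated; a Host value of '-' means the proxy could not decrypt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        sni, host = m["sni"], m["host"]
        if host == "-":
            continue  # opaque session: nothing to compare, escalate separately
        if registrable_domain(sni) != registrable_domain(host):
            hits.append({"src": m["src"], "sni": sni, "host": host})
    return hits


if __name__ == "__main__":
    sni, req = build_fronted_request("trusted-front.example-cdn.net",
                                     "c2.attacker-controlled.test")
    print("on the wire (SNI):", sni)
    print("inside the tunnel:", req.decode().splitlines()[1])
    for hit in find_fronting(SAMPLE_LOG):
        print("possible fronting:", hit)
```

The check only works where something can see both sides, which in practice means a TLS-terminating proxy or the CDN itself; for HTTP/2 the `:authority` pseudo-header plays the role of Host. Without decryption, the SNI alone shows only the front domain, which is exactly why the technique is attractive to attackers.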

(Security Week)

Canadian man charged with running KimWolf DDoS botnet

Following up on a story we covered in December and January, Jacob Butler was arrested in Ottawa on Wednesday “after the U.S. Justice Department filed an extradition warrant tied to his operation of the KimWolf botnet, one of the largest and most damaging distributed denial-of-service (DDoS) platforms in the world.” The 23-year-old was “initially identified by Brian Krebs in February,” but denied being the online persona known as “Dort” that ran KimWolf. Butler was charged with one count of aiding and abetting computer intrusion. He is facing up to 10 years in prison if convicted.

(The Record)

Hackers attack German hospitals through third-party provider

German university hospitals are dealing with a large-scale patient data breach “after unknown hackers reportedly targeted an external billing service provider used by medical centers across the country,” according to statements from several affected medical institutions. The third-party vendor, Unimed, “handles billing services for privately insured and self-paying patients on behalf of numerous German hospitals.” Hospitals based in at least six German cities said the breach did not compromise their own clinical infrastructure or disrupt patient treatment, but that it did affect many thousands of patients at each of the hospitals.

(The Record)

Huge thanks to our sponsor, Guardsquare

Mobile app security isn’t just a tech issue; it’s a revenue issue. A recent global study found that seventy-two percent of organizations experienced a mobile app security incident last year. Even worse? Sixty-five percent saw customer churn or uninstalls as a result. Protect your brand and your bottom line with layered mobile app protection. Learn more at Guardsquare.com.

Creative hijacking of Laravel Lang packages deploys credential-stealing malware

According to security firms StepSecurity, Aikido Security, and Socket, “a supply chain attack targeting the Laravel Lang localization packages has exposed developers to a sophisticated credential-stealing malware campaign after attackers abused GitHub version tags to distribute malicious code through Composer packages.” The Laravel Lang packages are third-party localization packages and are not part of the official Laravel project. What made the attack notable is that the project's own source code was never modified to include malicious code; instead, the attackers abused a GitHub feature that lets a tag point to a commit residing in a fork of the same repository, so that anyone resolving the tag received the attackers' code.
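One check a practitioner can run against a dependency's repository after the pattern described above: confirm that every tag points at a commit reachable from one of the repository's own branches, since a commit that lives only in a fork's history fails that test. This is an added example, not code from StepSecurity, Aikido Security, Socket or the Laravel Lang project; the two text inputs are constructed to look like `git rev-list --parents --all` and `git show-ref --heads --tags` output, and the commit ids are made up.

```python
# Added check, not code from the firms or project named above: verify that
# every tag's commit is reachable from some branch of the repository itself.
# Inputs are constructed samples of two git commands' output (assumption).
from collections import deque

# Assumed to be produced by:  git rev-list --parents --all
# Each line: <commit> [<parent> ...].  --all includes tags, so a commit that a
# tag introduced from a fork still appears, but it hangs off no branch.
SAMPLE_REV_LIST = """\
f00d0006 f00d0005
f00d0005 f00d0004
bad00002 bad00001
bad00001 f00d0003
f00d0004 f00d0003
f00d0003 f00d0002
f00d0002 f00d0001
f00d0001
"""

# Assumed to be produced by:  git show-ref --heads --tags
SAMPLE_REFS = """\
f00d0006 refs/heads/main
f00d0005 refs/heads/release-1.x
f00d0005 refs/tags/v1.5.0
bad00002 refs/tags/v1.5.1
"""


def parse_rev_list(text: str) -> dict[str, list[str]]:
    """Map each commit id to the list of its parent ids."""
    graph: dict[str, list[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if parts:
            graph[parts[0]] = parts[1:]
    return graph


def parse_refs(text: str) -> tuple[dict[str, str], dict[str, str]]:
    """Split show-ref output into {branch: commit} and {tag: commit}."""
    heads: dict[str, str] = {}
    tags: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        commit, ref = line.split()
        if ref.startswith("refs/heads/"):
            heads[ref.removeprefix("refs/heads/")] = commit
        elif ref.startswith("refs/tags/"):
            tags[ref.removeprefix("refs/tags/")] = commit
    return heads, tags


def reachable_from(graph: dict[str, list[str]], tips) -> set[str]:
    """All commits reachable by following parent links from the given tips."""
    seen: set[str] = set()
    todo = deque(tips)
    while todo:
        commit = todo.popleft()
        if commit in seen:
            continue
        seen.add(commit)
        todo.extend(graph.get(commit, []))
    return seen


def audit_tags(rev_list_text: str, refs_text: str) -> dict[str, bool]:
    """Return {tag: True if its commit is in some branch's history, else False}."""
    graph = parse_rev_list(rev_list_text)
    heads, tags = parse_refs(refs_text)
    on_branch = reachable_from(graph, heads.values())
    return {tag: commit in on_branch for tag, commit in tags.items()}


if __name__ == "__main__":
    for tag, ok in audit_tags(SAMPLE_REV_LIST, SAMPLE_REFS).items():
        print(f"{tag}: {'on a branch' if ok else 'NOT reachable from any branch'}")
```

For annotated tags, `show-ref` prints the tag object rather than the commit; run it with `--dereference` and use the `^{}` lines instead. The same question can be asked of a single tag directly with `git merge-base --is-ancestor <tag>^{commit} origin/main`, but the graph walk above covers every tag and every branch in one pass, which is what you want when auditing a dependency you did not write.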

(BleepingComputer)

Italy disrupts CINEMAGOAL piracy app

Italian authorities have dismantled a piracy ecosystem that provided access to various streaming platforms, including Netflix, Disney+, and Spotify. The app, named CINEMAGOAL, was installed by customers on their devices and allowed its operators to make millions from audiovisual piracy, unauthorized computer access, and computer fraud. “The system used virtual machines in Italy to capture valid authentication/decryption codes from legitimate subscriptions every 3 minutes and redistribute them to customers.”

(BleepingComputer)

FBI warns about fast-growing AI phishing kit targeting Microsoft 365 users

The warning focuses on Kali365, “a growing phishing-as-a-service platform that retrieves Microsoft 365 access tokens.” In a public service announcement Thursday, the FBI describes this as a toolkit that “bypasses multi-factor authentication and abuses OAuth device code authorizations via phishing lures impersonating common enterprise services…granting cybercriminal-controlled applications access to Microsoft 365 accounts.” According to researchers at Proofpoint, Kali365 is one of many “rapidly emerging AI generated, AI driven device-code phishing tools, which are gaining popularity as a more effective means for cybercriminals to circumvent security controls while abusing legitimate Microsoft device authorization pages.”
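The reason device-code phishing survives MFA is visible once the three legs of the OAuth 2.0 device authorization grant (RFC 8628) are laid side by side: the attacker starts the flow and polls for the token, the victim only ever authenticates on the genuine identity provider page, and the identity provider has no way to tell that the party who requested the code is not the party typing it in. The toy identity provider below is an added example, not Microsoft's endpoints and not the Kali365 kit; the endpoint names, code formats and the `block_device_code_flow` policy switch are assumptions for the example.

```python
# Added simulation of the device authorization grant (RFC 8628) to show why a
# victim who completes MFA on the real identity provider still hands the
# attacker a token.  Toy in-memory IdP, not Microsoft's endpoints and not the
# Kali365 kit; names, code formats and the policy switch are assumptions.
import secrets
import time


class ToyIdentityProvider:
    """Minimal device-code flow: device authorization, user approval, token polling."""

    def __init__(self, block_device_code_flow: bool = False):
        # Models a tenant policy that denies the grant type outright.
        self.block_device_code_flow = block_device_code_flow
        self.pending: dict[str, dict] = {}  # device_code -> flow state

    def device_authorization(self, client_id: str, scope: str) -> dict:
        """Step 1 (attacker): request a device_code / user_code pair."""
        if self.block_device_code_flow:
            return {"error": "unauthorized_client"}
        device_code = secrets.token_hex(16)
        user_code = "-".join(secrets.token_hex(2).upper() for _ in range(2))
        self.pending[device_code] = {
            "client_id": client_id, "scope": scope, "user_code": user_code,
            "user": None, "expires": time.time() + 900,
        }
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/device",
                "expires_in": 900, "interval": 5}

    def user_approves(self, user_code: str, user: str, mfa_passed: bool) -> bool:
        """Step 2 (victim): types the code from the lure on the genuine
        verification page and completes MFA.  MFA proves the user is real;
        it says nothing about who is holding the matching device_code."""
        for state in self.pending.values():
            if state["user_code"] == user_code and mfa_passed:
                state["user"] = user
                return True
        return False

    def token(self, device_code: str) -> dict:
        """Step 3 (attacker, polling): exchange the device_code for tokens."""
        state = self.pending.get(device_code)
        if state is None:
            return {"error": "invalid_grant"}
        if time.time() > state["expires"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if state["user"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]
        return {"access_token": f"tok-{secrets.token_hex(8)}",
                "token_type": "Bearer", "scope": state["scope"],
                "sub": state["user"]}


def run_phish(idp: ToyIdentityProvider, victim: str,
              victim_completes_mfa: bool = True) -> dict:
    """The whole exchange from the attacker's side."""
    dc = idp.device_authorization(client_id="attacker-app",
                                  scope="Mail.Read offline_access")
    if "error" in dc:
        return dc  # policy blocked the grant before any lure could be sent
    # Lure goes out: "enter code <user_code> at <verification_uri>".
    first_poll = idp.token(dc["device_code"])
    assert first_poll == {"error": "authorization_pending"}
    idp.user_approves(dc["user_code"], victim, mfa_passed=victim_completes_mfa)
    return idp.token(dc["device_code"])


if __name__ == "__main__":
    print("open tenant:", run_phish(ToyIdentityProvider(), "alice@example.test"))
    print("blocked flow:", run_phish(ToyIdentityProvider(block_device_code_flow=True),
                                     "alice@example.test"))
```

The only control in the simulation that stops the attack is refusing the grant type, which is why blocking device code flow for users who do not need it (Microsoft Entra Conditional Access exposes an authentication-flows condition for this) is the usual recommendation; the flow itself is legitimate and is designed for input-constrained devices, so user education alone does not close it. Sign-ins that used device code flow are also worth alerting on, since most end users never have a reason to perform one.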

(Cyberscoop)

Claude Mythos AI finds 10,000 high-severity flaws in widely used software

In what will likely be an ongoing developing story, Anthropic on Friday disclosed that “Project Glasswing has helped uncover more than 10,000 high- or critical-severity vulnerabilities across some of the most “systemically” important software across the world since the cybersecurity initiative went live last month.” One of the identified weaknesses is a critical flaw in WolfSSL, tracked as CVE-2026-5194 with a CVSS score of 9.1, that could allow an attacker to forge certificates and masquerade as a legitimate service. Anthropic echoed a now-common sentiment, stating, “the relative ease of finding vulnerabilities compared with the difficulty of fixing them amounts to a major challenge for cybersecurity.”

(The Hacker News)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.