In today’s cybersecurity news…
Grafana GitHub token breach leads to extortion attempt
Grafana Labs disclosed that an attacker gained unauthorized access to part of the company’s GitHub environment after obtaining a compromised GitHub token. According to the company, the intruder downloaded portions of Grafana’s source code and later attempted to extort the company. Grafana emphasized that the breach did not impact customer systems, hosted services, or personal data, and that the stolen code did not contain production secrets. The company quickly revoked the exposed token, rotated credentials, and launched an internal investigation. The incident highlights the ongoing risk posed by leaked developer credentials and the growing focus cybercriminals are placing on software supply-chain environments and source code repositories.
Microsoft rejects Azure vulnerability report, researcher disputes decision
A security researcher is accusing Microsoft of quietly fixing a serious Azure Backup for Kubernetes vulnerability after initially rejecting the report and declining to issue a CVE identifier. The researcher claimed the flaw could have allowed users with low-level backup permissions to gain broader access within Azure Kubernetes Service environments. Microsoft reportedly maintained that the behavior was “expected” and not a security vulnerability, despite evidence that changes were later made to the platform. The situation has sparked criticism from parts of the security community, who argue that inconsistent disclosure and classification practices can make it harder for organizations to properly assess risk and prioritize defensive measures in cloud environments.
Funnel Builder flaw actively exploited to steal payment data
Researchers are warning that a critical vulnerability in the WordPress Funnel Builder plugin is being actively exploited to inject malicious payment-skimming code into WooCommerce checkout pages. The flaw affects more than 40,000 websites using the plugin and allows attackers to insert fake Google Tag Manager scripts that steal customer credit card information during checkout. Security experts say attackers are moving quickly to exploit unpatched systems, making immediate updates essential. Developers have released version 3.15.0.3 to address the issue, and administrators are being urged to inspect checkout pages for unauthorized scripts.
(The Hacker News)
CISA orders federal agencies to patch Cisco SD-WAN bug immediately
The Cybersecurity and Infrastructure Security Agency has ordered all U.S. federal civilian agencies to immediately patch a critical Cisco Catalyst SD-WAN vulnerability, tracked as CVE-2026-20182, that is already being actively exploited. The flaw allows unauthenticated remote attackers to gain elevated access to affected systems and has been added to CISA’s Known Exploited Vulnerabilities catalog. Cisco released patches and warned that the vulnerability represents a serious risk to organizations relying on SD-WAN infrastructure. Federal agencies were given a tight remediation deadline under an emergency directive, reflecting concern that attackers could use the flaw to gain persistent access into government networks. Security researchers say edge networking devices remain among the most aggressively targeted enterprise technologies.
(The Record)
Huge thanks to our sponsor, ThreatLocker

Microsoft warns of Exchange Server zero-day under active attack
Microsoft is warning organizations to immediately apply mitigations for a newly disclosed Exchange Server zero-day vulnerability that is already being exploited in the wild. The flaw, CVE-2026-42897, affects Exchange Server Subscription Edition along with Exchange 2016 and 2019. Researchers say the spoofing and cross-site scripting issue could allow attackers to compromise enterprise email environments. The vulnerability surfaced only days after Microsoft’s May Patch Tuesday updates, which notably contained no reported zero-days at release time.
(Security Week)
Pwn2Own Berlin hackers exploit Windows 11 and Edge
At the opening day of the Pwn2Own Berlin 2026 competition, security researchers earned more than $523,000 after successfully demonstrating 24 unique zero-day exploits against widely used technologies including Windows 11 and Microsoft Edge. The event showcased how rapidly attackers and researchers alike are discovering vulnerabilities in modern operating systems and browsers. Several exploits targeted privilege escalation and sandbox escapes, while others demonstrated remote code execution capabilities.
(BleepingComputer)
Researchers discover 18-year-old NGINX vulnerability
Security researchers uncovered an 18-year-old vulnerability in the popular open-source web server NGINX that can lead to denial-of-service attacks and, under certain conditions, possible remote code execution. The flaw was reportedly identified using an autonomous AI-driven scanning system capable of analyzing legacy code for hidden weaknesses. Researchers say the discovery demonstrates how older, widely trusted infrastructure software may still contain exploitable bugs that escaped earlier scrutiny. NGINX remains one of the world’s most commonly deployed web servers, meaning any serious vulnerability has potentially massive downstream impact across cloud services, websites, and enterprise applications.
(BleepingComputer)
CISA Urges Critical Infrastructure to Prepare for Long-Term Isolation
The Cybersecurity and Infrastructure Security Agency is advising critical infrastructure operators to prepare for the possibility of operating independently from IT systems and third-party vendors for weeks or even months during a major cyber conflict. The guidance is driven largely by concern over persistent threats from Chinese state-linked groups such as Salt Typhoon and Volt Typhoon. CISA plans to conduct targeted resilience assessments focused on ensuring utilities and infrastructure operators can continue delivering essential services even if disconnected from external networks. The agency says organizations should strengthen operational technology resilience and rehearse manual recovery procedures, reflecting growing fears that future cyber conflicts may deliberately target interconnected infrastructure dependencies.
(Cyberscoop)