This report sharply illustrates how the speed of modern development has outpaced our ability to secure the software supply chain. It serves as a necessary warning that our blind trust in automated ecosystems is now our greatest systemic vulnerability.
Megalodon infects GitHub repositories, Netherlands seizes 800 servers, Ghost CMS exploited for Cl...
From the CISO Series, it's Cybersecurity Headlines.
These are the cybersecurity headlines for Tuesday, May 26th, 2026. I'm Sarah Lane.
Megalodon infects GitHub repositories.
Researchers at Safe Dev say a supply chain attack dubbed Megalodon infected more than 5,500 GitHub repositories after attackers pushed 5,718 malicious automated commits in a 6-hour window on May 18th. The commits inserted GitHub Actions workflows that stole CI secrets, including cloud credentials, SSH keys, API tokens, and database connection strings, while planting dormant backdoors that could be triggered later through GitHub's API. The campaign surfaced after compromised versions of Tile Desk were published from a poisoned GitHub repository, adding to a growing wave of software supply chain attacks targeting developers.
Netherlands seizes 800 servers over cyberattacks. Dutch authorities have arrested two men and seized more than 800 servers tied to hosting providers MIR Hosting and Work Titans BV, accusing both of helping provide infrastructure used by Russian-linked groups for cyberattacks, influence operations, and disinformation across the EU. The investigation centers on Stark Industries Solutions, a network previously linked to DDoS attacks and proxy services used in Russian cyber operations, whose infrastructure was allegedly transferred to the Dutch companies after earlier EU sanctions.
Ghost CMS exploited for ClickFix attacks. Researchers at Qihoo 360 X Lab say attackers are actively exploiting a critical Ghost CMS flaw to hijack more than 700 websites and inject malicious JavaScript tied to ClickFix attacks.
The bug, discovered by Anthropic using Claude and patched back in February, lets attackers steal a site's admin API key and then bulk-modify published articles with malware loaders. Victims visiting compromised sites are funneled to fake captcha pages that trick them into running malicious commands, ultimately installing persistent malware.
Nigel Farage's hack claimed to be without any merit. Former UK cyber chief Ciaran Martin says Nigel Farage, leader of Reform UK, has provided no evidence for his recent claim that Russia hacked him and leaked information behind a Guardian report on an undeclared 5 million pound donation from crypto billionaire Christopher Harborne. Martin called the allegation a serious national security claim without any merit unless backed by technical proof and said Farage should report any evidence to the UK's National Cyber Security Centre immediately.
Huge thanks to our sponsor GuardSquare.
Your back end is only as secure as your front end. Research shows that client-side compromise is now a primary driver of API risk, with 63% of leaders detecting mobile app tampering or cloning last year.
Don't leave your mobile app security to chance. Get multi-layered protection for your entire mobile app ecosystem from the outside in. Learn more at guardsquare.com.
Fake streams, counterfeit merch, and scams, oh my. According to the Bitdefender Cybersecurity Grand Prix Fan Threat Index, cybercriminals have built a broad scam ecosystem around Formula 1 targeting fans with fake streaming apps, counterfeit merchandise, bogus ticket offers, and social media scams. This is all to steal personal and payment data, spread malware, or monetize victims through ads and redirects with some fake streaming tools even enrolling devices into botnets. Researchers say the pace and popularity of F1 make fans especially vulnerable.
Mythos-class models headed to the public. Anthropic says it plans to eventually release public versions of its Mythos bug-finding models once it can build stronger safeguards against misuse. For now, access remains limited under Project Glasswing, though it is expanding to governments and some other partners. Anthropic says Mythos has scanned more than 1,000 open-source projects and found more than 6,200 high- or critical-severity vulnerabilities, including a major flaw in WolfSSL. But the volume of AI-generated findings is also adding strain to security teams.
Lazarus deploys Remote PE memory-only RAT. Researchers at Fox-IT say the North Korea-linked Lazarus Group is using a stealthy memory-only remote access Trojan called Remote PE in attacks on financial and cryptocurrency firms. It's delivered through social engineering on Telegram and fake scheduling sites and loads entirely in memory, evades endpoint detection, and leaves almost no forensic traces while giving attackers persistent access for surveillance, data theft, or financial heists.
Oncology Institute discloses breach. The Oncology Institute, or TOI, which delivers specialized cancer care through a network of clinics across five US states, says a previously disclosed cybersecurity incident at a third-party software vendor exposed patient data across its systems. While the vendor was not named, the timeline points to TriZetto Provider Solutions, which earlier reported a breach affecting multiple healthcare customers and about 3.4 million people. The full scope of the impact, and who was behind the attack, is still unclear.
Cloud misconfigurations aren't a technical problem. They just show what your organization really cares about.
CISOs are always told that time to value is paramount, but why does the business forget that when there's a security incident? That's what we'll be discussing on this week's CISO Series podcast. Look for the episode, "If you like cloud misconfigurations so much, why don't you marry them," wherever you get your podcasts. If you have some thoughts on the news from today or about our show in general, be sure to reach out to us at [email protected].
We would love to hear from you. I am Sarah Lane reporting for the CISO Series. You stay safe out there, everyone.
Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.