May 26, 2026 Emerging Threats Weekly

This week’s briefing covers:

00:00 – Intro

00:45 [VULNERABILITY] Nginx Rift Moved From Disclosure To Exploitation Within Three Days
A critical NGINX vulnerability tracked as CVE-2026-42945 is now under active exploitation, with activity observed within three days of public disclosure. Patch updates were available at the time of disclosure, leaving a limited window for remediation before exploitation began.

03:04 [THREAT ACTOR] FrostyNeighbor Updated Its Espionage Playbook Against Ukrainian Government Targets
ESET-linked reporting this week showed renewed FrostyNeighbor activity against Ukrainian government organizations since March 2026. The Belarus-aligned actor continues to target government, military and other critical sectors while regularly changing its delivery mechanisms and malware chain to stay ahead of defensive detection.

05:28 [THREAT ACTOR] Storm-2949 Abused Password Reset Workflows To Steal Microsoft 365 And Azure Data
Microsoft detailed a multi-stage campaign by Storm-2949, starting with identity compromise and resulting in broad theft from Microsoft 365 and Azure environments. The actor appears to have focused on exfiltrating as much data as possible from high-value cloud assets.

07:38 [SUPPLY CHAIN] Mini Shai-Hulud Spread Across the AntV npm Ecosystem
The latest Mini Shai-Hulud campaign is affecting the AntV npm ecosystem, with over 300 packages compromised and millions of downloads at risk. Researchers linked it to TeamPCP and described it as a self-propagating supply chain attack that spreads by abusing trusted developer accounts.

09:04 [SUPPLY CHAIN] GitHub Action Tag Hijack Turned CI/CD Runs Into Secret Theft
A separate supply chain incident compromised the actions-cool/issues-helper GitHub Action by repointing version tags to a malicious commit. Workflows that referenced the action by tag instead of a fixed commit SHA could unknowingly pull altered code.
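
A check for the tag-pinning risk in the GitHub Action item above, added here as an example and not taken from the briefing: it scans workflow text for `uses:` references that are not pinned to a full commit SHA. The sample workflow and every action name in it are constructed placeholders.

```python
import re

# Captures the value of a `uses:` key, e.g. owner/repo/path@ref
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
# Only a full 40-hex commit SHA is immutable; tags and branches can be repointed
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")

# Constructed sample workflow; all action names below are placeholders
SAMPLE_WORKFLOW = """\
name: triage
on: issues
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: example-org/checkout-like@v4
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567  # v1.2.3
      - name: helper
        uses: example-org/issue-helper@v3
      - uses: ./.github/actions/local
      - uses: example-org/example-action@main
"""

def classify_ref(ref):
    """Return 'pinned', 'mutable' or 'skip' for one `uses:` value."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return "skip"      # local action or container image, no git tag involved
    if "@" not in ref:
        return "mutable"   # no ref given at all
    version = ref.rpartition("@")[2]
    return "pinned" if FULL_SHA_RE.match(version) else "mutable"

def find_mutable_refs(workflow_text):
    """Return (line number, reference) for every tag- or branch-based `uses:`."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if match and classify_ref(match.group(1)) == "mutable":
            findings.append((lineno, match.group(1)))
    return findings

if __name__ == "__main__":
    for lineno, ref in find_mutable_refs(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a full commit SHA")
```
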

Dive deeper:

Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/cti-spotlight-trends-report

Kroll’s Q4 2024 Cyber Threat Landscape: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports/q4-2024-threat-landscape-report-phishing

Kroll’s 2025 Cyber Threat Landscape Report: Cybercrime in the Crypto Era: https://www.kroll.com/Reports/Cyber/Threat-Intelligence-Reports/Threat-Landscape-Report-Lens-on-Crypto

Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: https://www.youtube.com/playlist

Kroll Cyber Blog: https://www.kroll.com/en/insights/cyber

Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber/threat-intelligence-services

Kroll Threat Intelligence Reports: https://www.kroll.com/en/reports/cyber/threat-intelligence-reports

Kroll Responder MDR: https://www.kroll.com/en/services/cyber/kroll-responder
