Daily Digest

CISA Contractor Leaks GovCloud Keys on GitHub; Microsoft Dismantles 'Fox Tempest' Malware-Signing Service

CISA Contractor Leaks GovCloud Keys on GitHub; Microsoft Dismantles 'Fox Tempest' Malware-Signing Service

May 30, 2026
11 articles (9 new, 2 updated)
33 min read

Summary

This intelligence briefing for May 30, 2026, covers a critical data exposure by a CISA contractor who left sensitive AWS GovCloud credentials on a public GitHub repository for six months. Other major incidents include Microsoft's takedown of the 'Fox Tempest' malware-signing service used by ransomware gangs, a massive supply chain attack named 'Megalodon' compromising over 5,500 GitHub repositories, and active exploitation of a new Palo Alto Networks PAN-OS vulnerability. State-sponsored activities also feature prominently, with Iranian APT 'Screening Serpens' deploying new RATs and Russia escalating cyber espionage efforts.

Filter by Category

New Articles (9)

Massive 'Megalodon' Supply Chain Attack Compromises 5,500+ GitHub Repos to Steal Cloud Credentials

CRITICAL

'Megalodon' Supply Chain Attack by TeamPCP Infects Over 5,500 GitHub Repositories with Malicious GitHub Actions

A large-scale supply chain attack named 'Megalodon' has compromised over 5,500 GitHub repositories by injecting malicious GitHub Action workflows. The attack, attributed to the threat actor TeamPCP, occurred within a six-hour window and aimed to exfiltrate a wide range of cloud credentials (AWS, GCP, Azure), API tokens, and other secrets from the CI/CD environments of the infected projects. The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning, urging organizations to audit their software development pipelines.

May 30, 2026
6 min read
supply chainGitHub ActionsCI/CDcredential theftopen source +2 more
Massive 'Megalodon' Supply Chain Attack Compromises 5,500+ GitHub Repos to Steal Cloud Credentials

SANS Survey: Government Cybersecurity Crippled by Funding Gaps and Staff Shortages

MEDIUM

Government Cybersecurity Programs Plagued by Funding Gaps and Staff Shortages, SANS Institute Reports

A new survey from the SANS Institute reveals a critical state for government cybersecurity programs, which are significantly underfunded and understaffed. Only one-third of these initiatives are fully funded, with 63% of respondents citing budget limitations as their main obstacle. This resource crisis is compounded by a severe talent shortage, with over half of organizations struggling to hire and retain staff, leading to a major gap between strategic planning and operational execution.

May 30, 2026
4 min read
governmentcybersecurity fundingskills gapSANS Institutepublic sector +1 more
SANS Survey: Government Cybersecurity Crippled by Funding Gaps and Staff Shortages

FBI Warns 'Silent Ransom Group' (Luna Moth) is Sending Operatives In-Person to Steal Data

HIGH

FBI Issues Alert on 'Silent Ransom Group' (Luna Moth) Using In-Person Impersonation Tactics for Data Theft

The FBI has issued an alert about the 'Silent Ransom Group,' also known as Luna Moth, a data extortion group that is escalating its tactics to include physical, in-person intrusion. The group initially uses social engineering, impersonating IT support to gain remote access. If that fails, they dispatch an operative to the victim's office to physically access a computer and exfiltrate data using a USB drive. The group, which targets law firms, healthcare, and finance, focuses on data theft for extortion rather than encryption.

May 30, 2026
6 min read
social engineeringphysical securitydata extortionFBILuna Moth +1 more
FBI Warns 'Silent Ransom Group' (Luna Moth) is Sending Operatives In-Person to Steal Data

Actively Exploited PAN-OS Flaw (CVE-2026-0257) Allows VPN Hijack, CISA Adds to KEV

CRITICAL

Palo Alto Networks PAN-OS Vulnerability (CVE-2026-0257) Under Active Exploitation

A medium-severity authentication bypass vulnerability, CVE-2026-0257, in Palo Alto Networks' PAN-OS software is being actively exploited in the wild. The flaw, which has a CVSS score of 7.8, affects the GlobalProtect portal and allows an unauthenticated attacker to bypass security and establish an unauthorized VPN connection. Due to observed exploitation by security firm Rapid7, CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating urgent patching for federal agencies.

May 30, 2026
5 min read
CVEvulnerabilityPalo Alto NetworksPAN-OSGlobalProtect +3 more
Actively Exploited PAN-OS Flaw (CVE-2026-0257) Allows VPN Hijack, CISA Adds to KEV

Microsoft Faces Community Backlash After Threatening Researcher Over Zero-Day Disclosures

MEDIUM

Microsoft Faces Backlash for Threatening Researcher 'Nightmare Eclipse' After Unpatched Zero-Day Disclosures

Microsoft is facing widespread criticism from the cybersecurity community after its Digital Crimes Unit publicly threatened legal action against a security researcher known as 'Nightmare Eclipse.' The researcher had published proof-of-concept code for six unpatched zero-day vulnerabilities in Windows Defender and BitLocker, claiming Microsoft had unfairly revoked their access to the MSRC for reporting bugs. The incident has sparked a major debate on responsible disclosure and the relationship between vendors and researchers.

May 30, 2026
4 min read
vulnerability disclosureresponsible disclosurezero-dayMicrosoftsecurity research +1 more
Microsoft Faces Community Backlash After Threatening Researcher Over Zero-Day Disclosures

Russia Ramps Up Cyber Espionage to Steal Western Tech Amid Sanctions, EU Officials Warn

HIGH

Russian Cyber Espionage Escalates Amid Sanctions, European Officials Warn

Senior intelligence officials from three European nations are warning that Russia has significantly intensified its efforts to steal Western technology and defense secrets through cyber espionage. This escalation is seen as a direct response to the economic pressure of international sanctions on its wartime economy. Russian intelligence agencies are using cyber spies, fake companies, and other tactics to circumvent sanctions and gather intelligence for potential future attacks on critical infrastructure.

May 30, 2026
5 min read
cyber espionageRussiaAPTnation-statecritical infrastructure +1 more
Russia Ramps Up Cyber Espionage to Steal Western Tech Amid Sanctions, EU Officials Warn

PoC Exploit Released for Critical 9.9 CVSS RCE Flaw in Flowise AI Platform

CRITICAL

Exploit Code Published for Critical RCE Vulnerability (CVE-2026-40933) in Flowise AI Platform

Proof-of-concept exploit code has been released for a critical remote code execution (RCE) vulnerability in Flowise, a popular open-source platform for building AI applications. The vulnerability, CVE-2026-40933, has a CVSS score of 9.9 and is a one-click flaw that can be triggered by tricking a user into importing a malicious 'chatflow.' Successful exploitation could allow an attacker to take over self-hosted Flowise servers, often with root privileges, leading to complete system compromise.

May 30, 2026
5 min read
CVERCEFlowiseAILLM +2 more
PoC Exploit Released for Critical 9.9 CVSS RCE Flaw in Flowise AI Platform

New Executive Order 14390 Shifts US Federal Focus to Combating Cybercrime Against Citizens

INFORMATIONAL

Executive Order 14390 Signals Shift in Federal Focus to Combating Cybercrime Against Citizens

The recently signed Executive Order 14390, 'Combating Cybercrime, Fraud, and Predatory Schemes Against American Citizens,' marks a significant shift in U.S. federal cybersecurity policy. The order broadens the government's focus from primarily protecting federal systems and critical infrastructure to directly combating cybercrime that affects individual citizens and businesses. This new emphasis on operational disruption of cybercrime presents both opportunities and new regulatory pressures for enterprises.

May 30, 2026
4 min read
executive ordercyber policyregulationcompliancecybercrime +1 more
New Executive Order 14390 Shifts US Federal Focus to Combating Cybercrime Against Citizens

TCS Launches Sovereign Cloud in EU to Address AI Data Security and Sovereignty Rules

INFORMATIONAL

TCS Launches SovereignSecure Cloud in EU for Enhanced AI Data Security

Tata Consultancy Services (TCS) has launched its SovereignSecure Cloud service in the European Union. This new offering is designed to help organizations in the EU adopt AI and other advanced cloud technologies while adhering to strict data sovereignty regulations like GDPR. The service aims to provide the benefits of cloud infrastructure while ensuring that sensitive data remains within the EU's jurisdictional boundaries and under the control of the client organization.

May 30, 2026
4 min read
sovereign clouddata sovereigntycloud securityTCSEU +2 more
TCS Launches Sovereign Cloud in EU to Address AI Data Security and Sovereignty Rules

Updated Articles (2)

AI Amplifies Supply Chain Threats, Creating New and Complex Cyber Risks

MEDIUM

Artificial Intelligence Exacerbates Cybersecurity Risks in Global Supply Chains

Update:

A new Darktrace report details how AI adoption in manufacturing exposes operational technology (OT) environments to significant cyber risks. The report introduces 'agentic AI systems'—highly autonomous AIs—as a critical new threat vector due to their broad permissions. Survey findings indicate 90% of manufacturing security professionals believe AI will increase social engineering success, and 49% are concerned about adaptive malware. This update emphasizes the IT/OT convergence and the potential for physical harm, production disruption, and IP theft in the manufacturing sector.

May 22, 2026
Updated: May 30, 2026
5 min read
AI SecuritySupply Chain AttackArtificial IntelligenceThird-Party RiskMLOps
AI Amplifies Supply Chain Threats, Creating New and Complex Cyber Risks

CISA Contractor Leaks AWS GovCloud Keys and Internal System Credentials on Public GitHub Repo

HIGH

Major Security Lapse at CISA: Contractor Exposes GovCloud Keys and Internal Credentials on Public GitHub Repository

Update:

Further investigation into the CISA contractor data leak reveals more critical details. The exposed data included administrative credentials for three AWS GovCloud accounts and plaintext passwords for internal CISA systems, specifically found in a file named 'importantAWStokens'. The private RSA key provided access to all CISA code repositories, not just a single GitHub app. The contractor was identified as an employee of defense firm Nightwing. Additionally, the AWS GovCloud keys remained valid for 48 hours after the GitHub repository was taken down on May 18, 2026, extending the window of vulnerability. The credentials reportedly followed a weak, predictable pattern, highlighting significant security failures.

May 24, 2026
Updated: May 30, 2026
6 min read
CISAData LeakGitHubAWS GovCloudCredential Leak +2 more
CISA Contractor Leaks AWS GovCloud Keys and Internal System Credentials on Public GitHub Repo

📢 Share This Publication

Help others stay informed about cybersecurity threats

📅 Daily Edition

Curated and deduplicated every day from dozens of trusted sources — giving you one clean, consolidated view of what matters in cybersecurity.

🔢 Deduplication Applied

Related stories are merged into a single evolving article rather than repeated as separate entries — cutting through noise so you only read what's new.

🔗 Full Articles Linked

Every entry links to its full enriched article — complete with MITRE ATT&CK mappings, extracted IOCs, and actionable detection and mitigation guidance.