Critical Flaws in Windows & Palo Alto Under Active Attack; Carnival and Charter Suffer Massive Data Breaches

On June 1, 2026, over 30 official Red Hat `@redhat-cloud-services` npm packages were compromised by 'Miasma,' a new credential-stealing worm. Miasma is identified as a variant of the 'Mini Shai-Hulud' worm, which was recently open-sourced. The attack vector involved a compromised CI/CD pipeline, leveraging GitHub Actions OIDC to publish malicious packages. The worm uses a `preinstall` script to harvest CI secrets, cloud credentials, SSH keys, and npm tokens, leading to self-propagation. Users who installed affected packages since June 1 are urged to rotate all credentials immediately, indicating a significant escalation in supply chain attacks.

Security researchers have uncovered 'GHOST STADIUM,' a Chinese-speaking threat actor operating a vast phishing ecosystem targeting 2026 FIFA World Cup fans. This operation now involves over 4,300 fraudulent domains, a significant increase from previous reports. The phishing kit used is highly sophisticated, perfectly mimicking the official FIFA website's PingIdentity SSO flow and enabling immediate account takeover through password resets. Promoted heavily via Facebook ads, the campaign's potential financial impact is estimated to be in the billions of dollars, making it one of the largest event-based phishing campaigns ever. Other parallel schemes include fake streaming sites and infostealers.

The ShinyHunters cybercrime group has publicly leaked the database containing 4.9 million customer records stolen from Charter Communications. This action follows a failed ransom attempt by the group. The leaked data, which includes names, addresses, phone numbers, and account details, confirms the threat actor's earlier claims of a successful breach initiated via a vishing attack on April 1, 2026. This development significantly escalates the impact of the incident, moving from a claimed theft to a confirmed public exposure, increasing the risk of targeted phishing and fraud for affected customers.

The critical Windows Netlogon RCE vulnerability, CVE-2026-41089, which was patched in Microsoft's May 2026 Patch Tuesday, is now confirmed to be under active exploitation in the wild. Security agencies, including the Centre for Cybersecurity Belgium, are urging organizations to apply the updates immediately. This flaw, rated 9.8 CVSS, allows an unauthenticated attacker on the same network to achieve remote code execution with SYSTEM privileges on a domain controller, potentially leading to a complete Active Directory domain compromise. The active exploitation significantly elevates the threat level, making prompt patching an emergency priority to prevent widespread attacks.

The Carnival Corporation data breach has been updated with critical new information. The scope of compromised data now explicitly includes highly sensitive personally identifiable information such as passport numbers and driver's license details, significantly increasing the risk of identity theft for affected individuals. The victim pool has also expanded to include employees, not just customers, with over 800,000 residents of Texas specifically impacted. Carnival is now offering two years of free credit monitoring to U.S. customers. This update highlights a more severe and widespread impact than initially reported.

New intelligence confirms that JINX-0164's supply chain attack specifically involved the compromise of the npm package `@velora-dex/sdk` version 4.9.1, which was trojanized on April 7, 2026, to distribute the MINIRAT backdoor. This represents a significant escalation, shifting the attack from individuals to potentially wider developer communities. Attribution has been clarified, with JINX-0164 now assessed as a distinct, financially motivated criminal entity, moving away from previous speculative links to North Korean APTs. Additional technical details include AUDIOFIX's use of `launchctl` for persistence and new hunting hints for macOS EDR and command line patterns, enhancing detection capabilities.

Carnival Corporation has confirmed that the data breach, initiated by a social engineering attack in April 2026, affected precisely 5,995,277 individuals. The company disclosed that the compromised personal identifiable information (PII) is extensive, including full names, home addresses, email addresses, phone numbers, dates of birth, and critically, government-issued ID numbers such as driver's licenses and passport numbers. Carnival began notifying affected individuals in late May 2026 and is now offering two years of credit monitoring services to mitigate the heightened risk of identity theft and fraud. This update provides crucial specifics on the scope and sensitivity of the data lost.

The critical authentication bypass vulnerability, CVE-2026-0257, in Palo Alto Networks' GlobalProtect VPN has been re-evaluated, with its CVSS score increasing from 7.8 to 9.1, elevating its severity to critical. Additionally, Prisma Access products are now explicitly confirmed to be affected, expanding the scope of vulnerable systems beyond just PAN-OS. The vulnerability remains under active exploitation, and CISA added it to its KEV catalog on May 31, 2026, underscoring the urgent need for patching or mitigation.