Miasma Worm Spreads Through npm; CISA Warns on Fuel Systems; HTTP/2 Bomb Threatens Web Servers

US Agencies Warn of Ongoing Attacks Targeting Automatic Tank Gauge (ATG) Systems

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have released a joint advisory concerning active cyberattacks targeting internet-exposed Automatic Tank Gauge (ATG) systems. These systems, vital for monitoring fuel levels in critical infrastructure sectors like energy and transportation, are being compromised by unattributed actors. The attackers are remotely executing commands to disable system alerts, posing significant physical and operational risks. The advisory strongly urges operators to immediately disconnect these systems from the internet, change default passwords, and apply security patches to mitigate the threat.

ATGICS SecurityOT SecurityCritical InfrastructureCISA +1 more

"Miasma" Worm Spreads Through npm via "Phantom Gyp" Technique, Stealing Dev Secrets

CRITICAL

Self-Spreading "Miasma" Worm Hits npm Registry Using Novel "Phantom Gyp" Attack

A sophisticated, self-replicating worm named "Miasma" is actively compromising the npm registry in a widespread software supply chain attack. The malware utilizes a novel technique dubbed "Phantom Gyp," which abuses `binding.gyp` files to execute malicious code during the `npm install` process, bypassing standard security checks. The campaign has already compromised dozens of packages, including some in the `@redhat-cloud-services` namespace, and is designed to steal a vast array of developer credentials, including cloud service keys, GitHub tokens, and SSH keys.

npmMiasmaPhantom GypSupply Chain AttackRed Hat +2 more

"Miasma" Worm Spreads Through npm via "Phantom Gyp" Technique, Stealing Dev Secrets

Phishing Campaign Impersonates SendGrid Support, Leverages Compromised Account for High Authenticity

MEDIUM

SendGrid Support Phishing Campaign Uses Compromised Account to Bypass Defenses

A convincing phishing campaign is targeting organizations by impersonating support notifications from the email delivery service SendGrid. The emails, which create urgency by claiming account permissions are insufficient, are being sent from a compromised SendGrid account. This tactic allows the malicious messages to appear highly authentic and bypass many standard security filters. The goal is to lure users to a fake login page, `personalsglogin[.]com`, to harvest their credentials.

PhishingSendGridCredential HarvestingEmail Security

Sandhills Medical Foundation Discloses Ransomware Breach Affecting 169,000 Patients

Sandhills Medical Foundation Data Breach Exposes SSNs and Health Info of 169,017 Individuals

Sandhills Medical Foundation, Inc. has announced it was the victim of a ransomware attack in May 2025 that has compromised the sensitive data of 169,017 individuals. The breach involved an unauthorized third party gaining access to a server and potentially exfiltrating a wide range of personal and health information, including Social Security numbers, driver's licenses, and medical records. The foundation has begun notifying affected individuals, who are now at significant risk of identity theft and fraud.

Data BreachRansomwareHealthcarePHIPII +1 more

Sandhills Medical Foundation Discloses Ransomware Breach Affecting 169,000 Patients

"Disruption Week" Crackdown Takes Down 1.4M+ Accounts Tied to Southeast Asia Scam Networks

INFORMATIONAL

Global "Disruption Week" Dismantles Over 1.4 Million Accounts in Cybercrime Crackdown

A major international law enforcement operation, dubbed "Disruption Week," has successfully dismantled significant infrastructure belonging to cybercriminal scam networks in Southeast Asia. The coordinated effort, involving the US, Thailand, and major tech companies, resulted in the disruption of over 1.4 million malicious accounts on platforms like Facebook and Instagram, 63 arrests, and the seizure of over $3.8 million in cryptocurrency. The targeted networks were responsible for large-scale fraud operations, often using trafficked and forced labor.

TakedownLaw EnforcementCybercrimeScamSoutheast Asia +1 more

3 min read

"Disruption Week" Crackdown Takes Down 1.4M+ Accounts Tied to Southeast Asia Scam Networks

New 'HTTP/2 Bomb' Exploit Can Crash NGINX, Apache, and Other Major Web Servers in Seconds

'HTTP/2 Bomb' Exploit Threatens Web Servers with Rapid Denial-of-Service

Security researchers have unveiled a new, highly effective denial-of-service (DoS) exploit named the "HTTP/2 Bomb." The attack chains together known vulnerabilities in the HTTP/2 protocol to rapidly overwhelm and crash major web servers, including NGINX, Apache, and Microsoft IIS, that use default configurations. The exploit, which can be launched from a standard computer, reportedly knocks servers offline in seconds, putting an estimated 880,000 websites at risk.

HTTP/2DoSDenial of ServiceVulnerabilityNGINX +2 more

New 'HTTP/2 Bomb' Exploit Can Crash NGINX, Apache, and Other Major Web Servers in Seconds

Fake Claude Code and OpenAI Codex Installers on Google Sites Distribute ACRStealer Malware

Fake AI Coding Assistant Installers on Google Sites Lure Developers with Infostealer

A malware campaign is targeting software developers by hosting fake installer pages for popular AI coding assistants, such as Anthropic's Claude Code and OpenAI's Codex, on Google Sites. The use of the `sites.google.com` domain adds a veneer of legitimacy, helping the pages bypass web filters. The attack tricks developers into copying and pasting a malicious shell command that uses a hidden operator to download and execute ACRStealer, a potent infostealer designed to harvest developer credentials, API keys, and cryptocurrency wallets.

ACRStealerAmateraMalwareInfoStealerGoogle Sites +3 more

Fake Claude Code and OpenAI Codex Installers on Google Sites Distribute ACRStealer Malware

Akira Ransomware Claims Attack on Medenet, Exposing Patient SSNs and Medical Records

Medical Billing Firm Medenet Discloses Data Breach by Akira Ransomware Gang

Medenet Inc., a Florida-based medical billing and records company, has disclosed a data breach originating from a cyberattack on December 26, 2025. The Akira ransomware group has since claimed responsibility, alleging on a dark web forum that they exfiltrated 24 gigabytes of data. The stolen information reportedly includes highly sensitive patient and employee data, such as Social Security numbers, medical records, passports, and corporate contracts. Medenet began notifying affected individuals in late May 2026.

AkiraRansomwareData BreachHealthcareMedenet +2 more

Akira Ransomware Claims Attack on Medenet, Exposing Patient SSNs and Medical Records

Phishing Attack on Bozeman School District Exposes SSNs of Over 2,600 Staff

MEDIUM

Bozeman School District #7 Investigates Phishing Attack, Staff Data Compromised

Bozeman School District #7 in Montana is notifying 2,617 current and former staff members of a data breach that exposed their names and Social Security numbers. The incident stemmed from a social-engineered phishing campaign that gave an unauthorized party access to the district's network for over a month, between February and March 2026. The district has completed its forensic review and is offering identity monitoring services to those affected. Student data was reportedly not compromised in this incident.

Data BreachPhishingEducationSocial Security NumberBozeman

Phishing Attack on Bozeman School District Exposes SSNs of Over 2,600 Staff

Updated Articles (1)

Russia Ramps Up Cyber Espionage to Steal Western Tech Amid Sanctions, EU Officials Warn

Russian Cyber Espionage Escalates Amid Sanctions, European Officials Warn

Update:

Germany's BND has issued a direct warning to German businesses regarding escalated Russian cyber threats. This follows a recent sophisticated phishing campaign by Russian state-sponsored actors that successfully compromised a senior BND official's device. The campaign notably utilized secure messaging apps like Signal and WhatsApp to deliver malicious links, bypassing traditional email security. This incident highlights the pervasive nature of Russian espionage and their ability to target high-value individuals, prompting the BND to urge corporate executives to enhance their vigilance against these advanced social engineering tactics.

May 30, 2026

Updated: June 4, 2026