# Today's Top Stories

June 02, 2026 ● Today's picks coming soon — showing stories from 2 days ago

  1. BleepingComputer general Jun 01
    Critical Windows Netlogon RCE flaw now exploited in attacks

    The Centre for Cybersecurity Belgium (CCB) issued a warning that threat actors are actively exploiting CVE-2026-41089, a critical Windows Netlogon RCE vulnerability. Organizations are urged to patch immediately given confirmed in-the-wild exploitation. The Netlogon protocol's role in domain authentication makes this particularly dangerous for enterprise Active Directory environments.

  2. SecurityWeek general Jun 01
    Recent Palo Alto Networks Vulnerability Exploited for Weeks

    CVE-2026-0257, an authentication bypass in Palo Alto Networks PAN-OS GlobalProtect VPN, began being exploited just four days after public disclosure, and exploitation has now been active for weeks across two distinct attack waves starting in mid-May. The rapid weaponization of this flaw underscores the shrinking window between patch release and active exploitation for network perimeter devices. Organizations running vulnerable PAN-OS versions should treat this as an emergency patch priority.

  3. The Hacker News general Jun 01
    Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm

    A supply chain attack dubbed 'Miasma' compromised over 30 npm packages under Red Hat's official '@redhat-cloud-services' namespace, deploying a credential-stealing worm that harvests secrets from developer machines and targets CI/CD pipelines. The malware uses install-time execution, encrypted exfiltration, and self-propagation — tactics borrowed from the previously documented 'Mini Shai-Hulud' campaign. Developers who downloaded affected packages should audit their environments and rotate any exposed credentials immediately.

  4. Krebs on Security threat-intel Jun 01
    Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts

    Attackers circulated instructions on Telegram demonstrating how to manipulate Meta's 'AI support assistant' chatbot into resetting Instagram account passwords without proper authentication, leading to the compromise of high-profile accounts including the Obama White House and the Chief Master Sergeant of the U.S. Space Force. The hijacked accounts were briefly defaced with pro-Iranian imagery before Meta patched the exploit. This incident exposes a new attack surface: social engineering AI support systems to bypass account security controls.

  5. The Hacker News general May 31
    Dutch Authorities Dismantle Botnet Linked to 17 Million Infected Devices

    Dutch police, working with the National Cyber Security Center (NCSC), dismantled a botnet comprising at least 17 million infected devices — including computers, tablets, smartphones, and IoT devices — by seizing more than 200 command-and-control servers located in the Netherlands. The infrastructure was allegedly used to power a residential proxy network and facilitate broader cybercrime operations. The scale of this takedown makes it one of the largest botnet disruptions in recent years.

  6. SecurityWeek general Jun 01
    19-Year-Old Linux Kernel Vulnerability Exposes Systems to Root Access

    Public proof-of-concept exploit code has been released for 'CIFSwitch,' a 19-year-old privilege escalation vulnerability in the Linux kernel's CIFS (Common Internet File System) implementation that allows low-privileged local users to escalate to root on vulnerable systems. The long patch window and PoC availability significantly increase exploitation risk for unpatched Linux servers and workstations. Administrators should audit kernel versions and apply available patches promptly.

  7. The Hacker News general Jun 01
    OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack

    Researchers uncovered 'codexui-android,' a malicious npm package masquerading as a remote web UI for OpenAI Codex that had accumulated over 29,000 weekly downloads, stealing OpenAI Codex authentication tokens from developer machines. The package remains available for download on npm and GitHub at time of reporting. This attack specifically targets AI/ML developers who use Codex, putting their API credentials and potentially sensitive code repositories at risk.

  8. The Record threat-intel Jun 01
    Inspector general finds NIST mistakes have made vulnerability database ineffective

    An inspector general report found that NIST's National Vulnerability Database (NVD) backlog grew from 13,000 unprocessed vulnerabilities in February 2024 to over 27,000 by the end of 2025, critically undermining the database's utility as a cornerstone of patch management and risk prioritization workflows. The report directly attributes the degradation to NIST management failures. Security teams relying on NVD for CVE enrichment and CVSS scores are operating with increasingly stale and incomplete data.

  9. The Hacker News general Jun 01
    Critical WP Maps Pro Flaw Actively Exploited to Create Admin Accounts

    CVE-2026-8732, a critical unauthenticated privilege escalation flaw in the WP Maps Pro WordPress plugin (with over 15,000 Envato Market sales), is being actively exploited to create rogue administrator accounts on vulnerable sites. The plugin allows embedding Google Maps and OpenStreetMap features, making it a widely deployed target. WordPress site owners using WP Maps Pro should update immediately and audit admin user lists for unauthorized accounts.

  10. The Record threat-intel Jun 01
    Microsoft says it will not pursue security researchers after zero-day backlash

    Microsoft publicly walked back implied threats of criminal prosecution against security researchers after backlash from the security community, stating explicitly: 'we have no intention to pursue action against individuals conducting or publishing their security research.' The controversy was triggered when Microsoft appeared to signal legal action against a researcher who published several zero-day exploits in recent weeks. The reversal is significant for the vulnerability disclosure ecosystem, though the initial threat has already chilled researcher relations with the company.