Front Page

Supply Chain Attack

Grafana GitHub Token Breach: Forked-PR Workflow Abuse Exfiltrates Codebase, Canary Token Triggers Detection

Grafana disclosed on May 16 that CoinbaseCartel — an offshoot of the ShinyHunters, Scattered Spider, and Lapsus$ ecosystem — obtained a privileged GitHub token by abusing a misconfigured pull_request_target workflow. The attacker forked a public Grafana repository, injected a curl command, and dumped environment variables when the trusted CI runner executed the fork.

The intrusion was detected only because one of thousands of seeded canary tokens fired the moment it was touched. Grafana refused the extortion demand citing FBI guidance, and confirmed no customer data was exposed. Forensic priority: reconstruct GitHub Actions run logs, workflow YAML diffs, and token usage timelines across every repo the leaked token could access.
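The misconfiguration behind this item is the well-known "pwn request" shape: a workflow triggered by `pull_request_target` runs in the base repository's context (its secrets and token) and then checks out and executes code from the untrusted fork. The following linter is an added example written for this digest, not Grafana's tooling or workflow; both workflow files are constructed samples, and the detection is a line-based heuristic rather than a full YAML parse.

```python
"""Heuristic linter for the pull_request_target 'pwn request' pattern: a
workflow that runs with the base repository's secrets and GITHUB_TOKEN while
checking out and executing the pull-request head. Stdlib only; no YAML parser."""
import re

# Constructed sample workflows (not from any real repository). The first has
# the risky shape; the second is the same job with the risk removed.
RISKY_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: make test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

SAFE_WORKFLOW = """\
name: ci
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
"""

HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
SECRET_USE = re.compile(r"\$\{\{\s*secrets\.")
RUN_STEP = re.compile(r"^\s*-?\s*run:", re.M)


def lint_workflow(text: str) -> list:
    """Return a list of findings for one workflow file; an empty list means
    nothing was flagged."""
    findings = []
    uses_prt = "pull_request_target" in text
    checks_out_head = HEAD_REF.search(text) is not None
    if uses_prt and checks_out_head:
        findings.append("pull_request_target checks out the PR head: untrusted "
                        "fork code runs with the base repository's secrets and token")
        if RUN_STEP.search(text):
            findings.append("a run: step executes after the head checkout")
        if SECRET_USE.search(text):
            findings.append("secrets are passed into the job")
    if uses_prt and "permissions:" not in text:
        findings.append("no permissions: block; the job inherits the repository's "
                        "default GITHUB_TOKEN permissions")
    return findings


if __name__ == "__main__":
    for name, wf in (("risky", RISKY_WORKFLOW), ("safe", SAFE_WORKFLOW)):
        print(name, lint_workflow(wf) or "clean")
```

Running the script flags four findings on the risky file and none on the safe one. The fix in the safe variant is the usual one: trigger on `pull_request` (which runs fork code with a read-only token and no secrets), drop the explicit head checkout, and pin a minimal `permissions:` block.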

Web Server Security

"NGINX Rift" (CVE-2026-42945): 18-Year-Old Rewrite Module Heap Overflow Hits Active Exploitation With Public PoC

CVE-2026-42945, dubbed "NGINX Rift," is a heap buffer overflow in ngx_http_rewrite_module affecting versions 0.6.27 through 1.30.0 — code paths present since 2008. A state mismatch between the rewrite engine's length-calculation and copy passes lets an unauthenticated attacker overflow worker memory with a single crafted HTTP request.

The bug yields reliable DoS via worker crashes, and full RCE on hosts where ASLR is disabled; a working PoC is on GitHub and active exploitation is confirmed. Forensic priority: preserve worker core dumps, error_log entries showing repeated SIGSEGV events, and access logs containing the trigger URI pattern before they roll. Patches: NGINX 1.30.1 / 1.31.0, NGINX Plus R32 P6 / R36 P4.
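Two triage tasks follow from this item: deciding whether a given build sits in the affected range the bulletin states (0.6.27 through 1.30.0, fixed in 1.30.1 and 1.31.0), and spotting the repeated worker SIGSEGV exits in `error_log` before they roll. The script below is an added example, not code from the NGINX project or the advisory; the log lines are constructed in the format nginx's master process uses when a worker dies on a signal, and the NGINX Plus R-series versions are not handled.

```python
"""Defender-side triage for an nginx heap-overflow advisory: (1) check a build
against the affected open-source version range, and (2) find bursts of worker
processes exiting on signal 11 (SIGSEGV) in error_log. Stdlib only."""
import re
from collections import deque
from datetime import datetime, timedelta

# Affected range and fixed versions as stated in the bulletin (open-source only).
AFFECTED_LOW, AFFECTED_HIGH = (0, 6, 27), (1, 30, 0)
FIXED = {(1, 30, 1), (1, 31, 0)}


def parse_version(s: str) -> tuple:
    """'nginx/1.30.0' or '1.30.0' -> (1, 30, 0)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError(f"no version number in {s!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when the version falls inside the advisory's affected range.
    A version string alone does not prove a backported fix is absent."""
    return AFFECTED_LOW <= parse_version(version) <= AFFECTED_HIGH


# nginx master-process message for a crashed worker, e.g.
# 2026/05/16 10:02:17 [alert] 1010#1010: worker process 2044 exited on signal 11 (core dumped)
CRASH = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \d+#\d+: "
    r"worker process (?P<pid>\d+) exited on signal 11")


def sigsegv_bursts(lines, window_s=60, threshold=3):
    """Return (timestamp, count) for every crash line that completes a burst of
    at least `threshold` SIGSEGV worker exits within a sliding window."""
    recent = deque()
    bursts = []
    for line in lines:
        m = CRASH.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        recent.append(ts)
        while recent and ts - recent[0] > timedelta(seconds=window_s):
            recent.popleft()
        if len(recent) >= threshold:
            bursts.append((ts, len(recent)))
    return bursts


# Constructed sample error_log excerpt (not a real capture).
SAMPLE_ERROR_LOG = [
    "2026/05/16 10:02:17 [alert] 1010#1010: worker process 2044 exited on signal 11 (core dumped)",
    "2026/05/16 10:02:18 [notice] 1010#1010: start worker process 2051",
    "2026/05/16 10:02:20 [alert] 1010#1010: worker process 2051 exited on signal 11 (core dumped)",
    "2026/05/16 10:02:23 [alert] 1010#1010: worker process 2058 exited on signal 11 (core dumped)",
    "2026/05/16 11:40:00 [alert] 1010#1010: worker process 2070 exited on signal 11 (core dumped)",
]

if __name__ == "__main__":
    for v in ("nginx/1.30.0", "nginx/1.30.1", "nginx/0.6.26"):
        print(v, "affected" if is_affected(v) else "not in affected range")
    for ts, n in sigsegv_bursts(SAMPLE_ERROR_LOG):
        print(f"{ts}: {n} worker SIGSEGV exits within 60s")
```

On the sample log the three crashes between 10:02:17 and 10:02:23 form one burst; the isolated exit at 11:40 does not. A burst is the cue to copy the core dumps and the surrounding `access_log` window out of log rotation.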

Threat Bulletin

CRITICAL
CVE-2026-20182

Cisco Catalyst SD-WAN Controller — peering authentication bypass over DTLS (UDP 12346) lets unauthenticated attackers gain administrative access and pivot to NETCONF; CVSS 10.0. Limited exploitation by UAT-8616 confirmed; added to CISA KEV. Forensic Note: Preserve vdaemon logs, DTLS session captures on UDP 12346, and NETCONF configuration-change records — controller compromise propagates to every fabric edge device.

ACTIVE EXPLOIT
CVE-2026-44338

PraisonAI Flask API server — AUTH_ENABLED hardcoded to False exposes /agents and /chat endpoints without a token; CVSS 7.3. Probed within 3h 44m of disclosure (May 11) by scanner CVE-Detector/1.0; fix in 4.6.34. Forensic Note: Hunt access logs for unauthenticated GET /agents returning 200 OK, and review agents.yaml workflow history for unauthorized invocation chains.
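The defect class here is a security switch hardcoded off in source, so every deployment ships with the protected endpoints open. The snippet below is an added example written for this digest, not PraisonAI's code: it uses plain WSGI (so it runs without Flask) to show the weak wiring beside a hardened one where authentication is on unless an operator explicitly opts out and a missing token refuses to start. The paths `/agents` and `/chat` come from the bulletin; the environment variable `API_TOKEN` and the helper names are assumptions.

```python
"""Weak vs hardened bearer-token gating in front of an API, written as WSGI
middleware so it runs with the standard library alone. Not PraisonAI's code."""
import hmac
import os

PROTECTED = ("/agents", "/chat")   # endpoints named in the bulletin


def app(environ, start_response):
    """Stand-in for the API itself: answers every request with 200."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"agents": []}']


def make_gate(application, token, auth_enabled):
    """Wrap `application`; protected paths require `Authorization: Bearer <token>`."""
    def wrapped(environ, start_response):
        if auth_enabled and environ.get("PATH_INFO", "").startswith(PROTECTED):
            header = environ.get("HTTP_AUTHORIZATION", "")
            presented = header[7:] if header.startswith("Bearer ") else ""
            # constant-time comparison so the check does not leak the token length
            if not hmac.compare_digest(presented.encode(), token.encode()):
                start_response("401 Unauthorized", [("Content-Type", "text/plain")])
                return [b"token required"]
        return application(environ, start_response)
    return wrapped


# Weak wiring: the switch lives in source, set to False, so the gate is dead code.
AUTH_ENABLED = False
weak_app = make_gate(app, token="", auth_enabled=AUTH_ENABLED)


# Hardened wiring: secure default, explicit opt-out, fail closed on a missing token.
def hardened_app_from_env(env=None):
    env = os.environ if env is None else env
    enabled = env.get("AUTH_ENABLED", "true").strip().lower() not in ("0", "false", "no")
    token = env.get("API_TOKEN", "")          # API_TOKEN is an assumed variable name
    if enabled and not token:
        raise RuntimeError("auth is enabled but API_TOKEN is not set; refusing to start")
    return make_gate(app, token=token, auth_enabled=enabled)


def call(application, path, authorization=None):
    """Minimal in-process WSGI client: returns the status line for one GET."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if authorization:
        environ["HTTP_AUTHORIZATION"] = authorization
    status = {}

    def start_response(line, headers):
        status["line"] = line
    list(application(environ, start_response))
    return status["line"]


if __name__ == "__main__":
    print("weak   GET /agents ->", call(weak_app, "/agents"))
    hardened = hardened_app_from_env({"API_TOKEN": "example-token-not-real"})
    print("hard   GET /agents ->", call(hardened, "/agents"))
    print("hard   GET /agents (token) ->",
          call(hardened, "/agents", "Bearer example-token-not-real"))
```

The unauthenticated `GET /agents` that returns `200 OK` against the weak wiring is exactly the access-log signature the bulletin says to hunt for; against the hardened wiring the same request returns 401.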

Malware Spotlight

Tycoon2FA — OAuth Device-Code Phishing

The Tycoon2FA phishing-as-a-service kit returned in May 2026 with OAuth 2.0 device-authorization-grant abuse, hijacking Microsoft 365 accounts after victims enter the attacker's device code into Microsoft's legitimate microsoft.com/devicelogin page. The completed MFA flow issues access and refresh tokens directly to attacker-controlled devices — bypassing every conditional-access policy keyed to credential phishing. Forensic Note: Audit AzureAD sign-in logs for authenticationProtocol = deviceCode events, and enumerate newly registered devices in the affected tenant.
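A hunt for this pattern has two parts: pull sign-ins whose `authenticationProtocol` is `deviceCode` (a real value in the Microsoft Graph `signIn` resource), then correlate each with the user's usual source addresses and with any device registered shortly afterwards. The script below is an added example, not tooling from Microsoft or from any Tycoon2FA report; the sign-in and device records are constructed in a Graph-like shape, and the scoring thresholds are assumptions to tune per tenant.

```python
"""Hunt for OAuth device-code abuse in Entra/Azure AD sign-in data: flag
deviceCode sign-ins, then score each by (a) source IP outside the user's
baseline and (b) a device registration following within a short window.
Records are constructed samples shaped like Microsoft Graph signIn objects."""
from datetime import datetime, timedelta

SIGN_INS = [
    {"userPrincipalName": "a.lee@example.com", "createdDateTime": "2026-05-12T09:14:02Z",
     "ipAddress": "203.0.113.40", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office"},
    {"userPrincipalName": "a.lee@example.com", "createdDateTime": "2026-05-12T08:50:11Z",
     "ipAddress": "198.51.100.7", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams"},
    {"userPrincipalName": "m.ortiz@example.com", "createdDateTime": "2026-05-12T10:03:45Z",
     "ipAddress": "203.0.113.41", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office"},
    {"userPrincipalName": "m.ortiz@example.com", "createdDateTime": "2026-05-12T10:05:00Z",
     "ipAddress": "203.0.113.41", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office"},
]

# Constructed device-registration records (user, time, display name).
DEVICE_REGISTRATIONS = [
    {"userPrincipalName": "m.ortiz@example.com",
     "registrationDateTime": "2026-05-12T10:21:30Z", "displayName": "DESKTOP-7Q2K"},
    {"userPrincipalName": "a.lee@example.com",
     "registrationDateTime": "2026-05-01T12:00:00Z", "displayName": "LAPTOP-ALEE"},
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def device_code_signins(sign_ins):
    """All sign-ins completed through the device-authorization grant."""
    return [s for s in sign_ins if s.get("authenticationProtocol") == "deviceCode"]


def known_ips(sign_ins, user):
    """Crude baseline: addresses the user authenticated from by any other protocol."""
    return {s["ipAddress"] for s in sign_ins
            if s["userPrincipalName"] == user
            and s.get("authenticationProtocol") != "deviceCode"}


def hunt(sign_ins, registrations, follow_window=timedelta(hours=1)):
    """Score each deviceCode sign-in: +1 when the IP is outside the user's
    baseline, +1 when the user registered a device within follow_window after
    it. Returns {user: highest score}; 2 means both indicators fired."""
    scores = {}
    for s in device_code_signins(sign_ins):
        user, when = s["userPrincipalName"], _ts(s["createdDateTime"])
        score = 0
        if s["ipAddress"] not in known_ips(sign_ins, user):
            score += 1
        for r in registrations:
            if (r["userPrincipalName"] == user
                    and when <= _ts(r["registrationDateTime"]) <= when + follow_window):
                score += 1
                break
        scores[user] = max(score, scores.get(user, 0))
    return scores


if __name__ == "__main__":
    for user, score in sorted(hunt(SIGN_INS, DEVICE_REGISTRATIONS).items()):
        print(f"{user}: score {score}")
```

On the sample data `m.ortiz@example.com` scores 2 (device-code sign-in from an address never seen for that user, followed eighteen minutes later by a new device registration), which is the sequence the bulletin describes; `a.lee@example.com` scores 1 and is worth a look but has no follow-on registration.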