This Week in Cybersecurity
Issue 20 opens with an active crisis: Microsoft Exchange Server's Outlook Web Access is under attack through an unpatched cross-site scripting zero-day — CVE-2026-42897 — and Microsoft has no patch available. The flaw lets attackers hijack authenticated mailbox sessions without needing valid credentials. With no fix on the timeline and OWA deployed across enterprises, government agencies, and critical infrastructure worldwide, the exploitation window is wide open. The targeting pattern is consistent with nation-state espionage groups and ransomware initial access brokers who have long treated Exchange mailbox access as a prize asset. If you have OWA publicly exposed, pulling it behind a VPN is the right call today.
The week's most strategically significant release is Verizon's 2026 Data Breach Investigations Report, which marks an inflection point: for the first time, vulnerability exploitation has overtaken credential theft as the leading initial access vector in confirmed breaches. AI tooling compressing exploit development timelines — combined with chronic patching delays — is the underlying driver. The DBIR's message is unambiguous: if your vulnerability management program measures remediation in weeks rather than hours for critical CVEs, you are now operating outside the defensive window.
The software supply chain continued to take hits. Threat actors compromised actions-cool/issues-helper, a popular GitHub Actions workflow used across thousands of repositories, silently redirecting every existing version tag to a malicious commit designed to harvest CI/CD secrets. The technique is a sharp reminder that pinning to a tag provides zero protection — tags are mutable. Only SHA pinning defends against this class of attack. Any repository that ran this action should treat all exposed secrets as compromised.
On the breach front: Grafana Labs confirmed that attackers stole its source code via a stolen GitHub access token, then attempted extortion. Separately, 7-Eleven confirmed a breach claimed by ShinyHunters, adding the world's largest convenience store chain and its 70 million loyalty program members to the gang's growing list of victims. The Grafana incident is particularly significant given how widely the platform is deployed as the monitoring backbone for enterprise and critical infrastructure environments — a stolen codebase means attackers have months to audit offline for previously unknown vulnerabilities.
Rounding out a dense week: the Shai-Hulud worm spawned fresh antv npm package compromises via a hijacked maintainer account; the Pwn2Own Berlin 2026 competition closed out with 47 zero-days claimed; millions of US healthcare patients were impacted across several simultaneous data breaches; and Ivanti, Fortinet, SAP, and VMware each issued patches for serious RCE and privilege escalation flaws.
Top Stories
Microsoft Exchange Zero-Day Under Active Exploitation — No Patch Available
A zero-day XSS vulnerability in Microsoft Exchange Server's Outlook Web Access is being actively exploited with no patch currently available. CVE-2026-42897 allows attackers who can deliver a malicious link or email to the victim to execute JavaScript in the context of an authenticated OWA session — granting full read and send access to the compromised mailbox, along with the ability to steal session tokens for persistent access.
The attack requires no authentication of the attacker's own. The victims are simply Exchange users with OWA access. Threat actors consistent with nation-state espionage tradecraft and ransomware IAB operations are confirmed to be exploiting the flaw in the wild. Exchange's history is a reliable predictor: ProxyLogon in 2021 and ProxyNotShell in 2022 both saw mass compromise within days of public disclosure, and this zero-day is already past that threshold.
Compensating controls while no patch exists: restrict OWA to VPN-only access, enforce MFA on all OWA logins, deploy a WAF to block XSS payloads, and monitor logs for inbox rule creation and geographic anomalies. Monitor the Microsoft Security Response Center for an out-of-band patch.
Verizon DBIR 2026: Vulnerability Exploitation Now the #1 Breach Vector
Verizon's annual Data Breach Investigations Report — the most widely referenced benchmark in the industry — documents a landmark shift in the 2026 edition: vulnerability exploitation has displaced credential theft as the top initial access vector in confirmed data breaches. The reversal is driven by AI-assisted exploit development compressing the window between CVE publication and mass exploitation from months to days, and by persistent patching fatigue across security teams overwhelmed by CVE volume.
Ransomware gangs have adapted accordingly — they are now more likely to exploit an unpatched vulnerability as their front door than to rely on phishing. Supply chain breaches continue their upward trajectory, consistent with the wave of npm, PyPI, and GitHub Actions compromises documented throughout 2025–2026. Healthcare, manufacturing, and public sector organizations saw the sharpest increases in exploitation-led breaches.
The DBIR's operational implication is direct: time-to-patch for critical CVEs must be measured in hours, not weeks. Attack surface reduction, MFA on everything, and third-party risk programs that treat vendor software the same as internal code are the other key recommendations. The organizations that fare best in the 2027 DBIR will be those that treated this year's report as a remediation SLA, not a read-and-file document.
GitHub Actions Supply Chain Attack Hijacks All Tags to Steal CI/CD Secrets
Threat actors compromised actions-cool/issues-helper — a GitHub Actions workflow used in thousands of repositories for automated issue management — and redirected every existing version tag to a malicious imposter commit. The attack is retroactive: any workflow that referenced any version tag of the action would, on its next pipeline run, silently deliver CI/CD secrets to the attacker's exfiltration server.
Exposed secrets include the GITHUB_TOKEN provisioned per run, plus any custom secrets configured in the repository: AWS and cloud provider credentials, container registry tokens, npm publishing keys, signing certificates, and database connection strings. With stolen CI/CD credentials, attackers can deploy to production, publish compromised packages, and escalate across cloud infrastructure — all without triggering authentication anomalies.
The attack explodes the "pin to a version tag" guidance that circulates widely in CI/CD security recommendations. Tags are mutable Git references. They can be silently moved. Only pinning to a full 40-character commit SHA provides real protection against this class of supply chain compromise. Immediate response: audit all workflows for the action, disable affected pipelines, and rotate every secret accessible during recent runs.
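A quick way to find the mutable references this story warns about, as an added example that is not code from the compromised project or from GitHub: it scans a workflow file for `uses:` lines whose ref is not a 40-hex commit SHA, and separately flags any reference to the affected action so those workflows can be disabled and their secrets rotated. The workflow text, the v3.6.0 tag and the SHA value are constructed for the demonstration.

```python
import re
from typing import List, Tuple

# A full commit SHA is 40 hex characters; anything else (tag, branch) is a
# mutable reference that the action's owner, or whoever holds their
# credentials, can repoint at a different commit.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# "uses: owner/repo[/path]@ref"; local "./path" actions carry no ref and
# are skipped, as are "docker://" references.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)")

# Constructed sample workflow (not taken from any real repository; the
# tag and SHA values are placeholders).
SAMPLE_WORKFLOW = """\
name: issues
on: [issues]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions-cool/issues-helper@v3.6.0
      - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7
      - uses: ./.github/actions/local
"""


def _uses_refs(workflow_text: str) -> List[Tuple[str, str]]:
    """All (action, ref) pairs referenced by `uses:` lines in a workflow."""
    refs = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m:
            refs.append((m.group(1), m.group(2)))
    return refs


def find_unpinned(workflow_text: str) -> List[Tuple[str, str]]:
    """(action, ref) pairs pinned to a tag or branch instead of a commit SHA."""
    return [(a, r) for a, r in _uses_refs(workflow_text) if not SHA_RE.match(r)]


def uses_action(workflow_text: str, action_name: str) -> bool:
    """True if any step references the named action at any ref: every such
    workflow needs to be disabled and its reachable secrets rotated."""
    return any(a == action_name for a, _ in _uses_refs(workflow_text))


if __name__ == "__main__":
    for action, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"unpinned: {action}@{ref}")
```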
Grafana Labs Confirms Source Code Stolen After GitHub Token Breach
Grafana Labs confirmed that attackers downloaded its source code repositories after breaching its GitHub environment using a stolen access token. The attackers subsequently attempted extortion, threatening to release the stolen codebase publicly. Grafana confirmed the incident following BleepingComputer's reporting, with the breach attributed to the Coinbase Cartel — a cybercrime cluster with documented ties to ShinyHunters and Scattered Spider.
The attack follows a consistent 2026 playbook: steal a GitHub PAT with broad repository access, quietly exfiltrate code, demand ransom. GitHub tokens are high-value targets because they bypass MFA, may grant access to dozens of repositories from a single credential, and often persist indefinitely without expiry. The Grafana breach follows similar incidents against Trivy, Axios, and multiple enterprise targets throughout 2026.
The downstream risk is significant: Grafana is the monitoring and observability backbone for enterprise IT, financial services, healthcare, and critical infrastructure globally. Attackers with offline access to the full Grafana codebase can audit it for zero-day vulnerabilities at leisure. Organizations running Grafana should rotate all API keys and service account tokens immediately, audit plugin installations, review admin access logs, and prepare to apply emergency patches when vulnerabilities are discovered from the stolen source.
7-Eleven Confirms Data Breach — ShinyHunters Claims Responsibility
7-Eleven confirmed a data breach after the ShinyHunters extortion group publicly claimed the attack on cybercrime forums, providing purported proof of access. The breach occurred approximately one month before the public claim. With over 85,000 locations across 20 countries and a US loyalty program — 7Rewards — with over 70 million active members, the potential scope of the exposed dataset is substantial.
ShinyHunters is one of the most prolific data theft and extortion operations active today, with a documented history that includes Ticketmaster (560 million records), Santander Bank (30 million records), and ADT (5.5 million records). The group's connection to the Coinbase Cartel ties it to the same cluster responsible for this week's Grafana breach. 7-Eleven's investigation into the full scope — which systems were accessed, what customer and employee data was exfiltrated — is ongoing.
If you are a 7Rewards member: change your password immediately, use a unique password across accounts, watch for phishing using 7-Eleven branding, and monitor for unusual charges on any stored payment methods. Retailers of this scale remain prime targets precisely because loyalty databases contain the combination of contact info, purchase history, and stored payment data that enables layered fraud.
Security Corner
10 CVEs are newly published to the Security Advisories section this week. Key advisories to prioritize:
CVE-2026-8838 — Amazon Redshift Python Driver RCE via Unsafe Code Execution (CVSS 9.8)
The vector_in() function in the Amazon Redshift Python driver (versions below 2.1.14) executes arbitrary code received from the server using Python's dynamic code execution capability with no sanitization. A rogue endpoint or man-in-the-middle attacker can deliver a crafted server response that runs arbitrary commands on the client machine — including application servers, ETL pipelines, and data engineering environments. The CVSS 9.8 score reflects no authentication required and no user interaction needed. Upgrade to amazon-redshift-python-driver>=2.1.14 immediately, enforce sslmode=verify-full on all connections, and rotate credentials for any environment where the vulnerable driver ran without full TLS certificate validation.
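The hardening the advisory implies, as an added example that is neither the driver's code nor Amazon's fix: a `vector_in` that hands server text to the interpreter beside one that accepts only a bracketed list of numeric literals. The server responses are constructed, and the wire format (a bracketed, comma-separated list of floats) is an assumption made for the demonstration.

```python
import re
from typing import List

# Constructed server responses; the real driver's wire format is assumed
# here to be a bracketed, comma-separated list of floats.
BENIGN_RESPONSE = "[0.25, -1.5, 3.0]"
CRAFTED_RESPONSE = "__import__('os').getcwd()"  # any expression a rogue server sends


def vector_in_unsafe(data: str) -> object:
    """The pattern the advisory describes: server-supplied text is evaluated
    as Python, so whoever controls the connection controls the client."""
    return eval(data)  # vulnerable by construction; do not use


_NUM = r"[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?"
# Whole-input grammar: '[' numbers separated by commas ']' and nothing else.
VECTOR_RE = re.compile(rf"^\s*\[\s*(?:{_NUM}\s*(?:,\s*{_NUM}\s*)*)?\]\s*$")


def vector_in_safe(data: str) -> List[float]:
    """Parse a vector literal without ever invoking the interpreter: the
    input must match the numeric-list grammar or it is rejected outright."""
    if not VECTOR_RE.match(data):
        raise ValueError("malformed vector literal from server")
    body = data.strip()[1:-1].strip()
    return [float(tok) for tok in body.split(",")] if body else []


if __name__ == "__main__":
    print(vector_in_safe(BENIGN_RESPONSE))
    try:
        vector_in_safe(CRAFTED_RESPONSE)
    except ValueError as exc:
        print("rejected:", exc)
```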
CVE-2026-8785, CVE-2026-27130, CVE-2026-25244 — Additional Critical Advisories
Three further critical-severity advisories were published this week covering privilege escalation and remote code execution vectors in widely deployed enterprise software. Review the full advisory list and prioritize based on your environment's exposure surface.
Also published this week:
- CVE-2025-15609
- CVE-2026-39079
- CVE-2026-7302
- CVE-2026-7301
- CVE-2026-8507
- CVE-2018-25320
Quick Takes
- Shai-Hulud Worm Spreads Fresh Antv npm Compromises: The Shai-Hulud worm author — or a copycat operating after source code publication — pushed malicious packages via a compromised antv npm maintainer account, extending the supply chain attack campaign that has targeted major JavaScript ecosystem projects throughout May 2026. Any organization running antv packages should verify installed versions and rotate secrets exposed during the compromise window.
- Pwn2Own Berlin 2026 Closes with 47 Zero-Days: Pwn2Own Berlin wrapped with researchers claiming 47 zero-day vulnerabilities across browsers, operating systems, virtualization platforms, and enterprise software — totalling significant prize payouts. The competition provides a controlled look at the depth of exploitable vulnerabilities that exist in production software; the 47 figure will translate into a rapid patch cycle across affected vendors over the coming weeks.
- Ivanti, Fortinet, SAP, VMware — Patch RCE, SQLi, and Privilege Escalation Flaws: Multiple enterprise security vendors shipped patches this week for serious vulnerabilities. Ivanti, Fortinet, SAP, and VMware each addressed flaws with exploitation or high-severity CVSS ratings. Given the DBIR's top finding this week — vulnerability exploitation as the #1 breach vector — the argument for deferring these patches is weaker than ever.
- Millions Impacted Across Several US Healthcare Data Breaches: Multiple simultaneous data breach disclosures in the US healthcare sector impacted millions of patients this week. Healthcare remains one of the most targeted sectors in the 2026 DBIR data, with ransomware and insider threats combining with increasingly large third-party vendor breach exposures. Affected patients should monitor explanation-of-benefits statements and credit reports for signs of medical identity fraud.
- SepPMail Secure Email Gateway RCE and Mail Traffic Access Vulnerabilities: Vulnerabilities in the SepPMail Secure Email Gateway enable remote code execution and unauthorized access to mail traffic — particularly ironic given the product's purpose as a security control. Organizations running SepPMail should apply vendor patches immediately and audit gateway logs for signs of exploitation.
- Cybercrime Service Disrupted for Signing Malware via Microsoft Platform: A cybercrime service that abused Microsoft's own infrastructure to sign malware — lending it a veneer of trusted code signing — was disrupted this week. The technique of abusing legitimate platform signing pipelines to sign malicious code represents one of the more sophisticated detection evasion strategies seen in 2025–2026.
- FBI: Americans Lost $388M+ to Crypto ATM Scams in 2025: The FBI reported that crypto ATM-facilitated fraud losses exceeded $388 million in 2025, with the scam typically targeting older adults through impersonation of government agencies or utility companies. Cryptocurrency ATMs remove the friction points — reversibility, bank fraud departments, transfer delays — that catch traditional wire fraud in the act.
Upcoming
- Exchange CVE-2026-42897 Emergency Patch: Microsoft is expected to release an out-of-band fix or include remediation in the next Patch Tuesday. Monitor the Microsoft Security Response Center daily. Organizations with OWA publicly exposed should restrict access immediately and not wait for the patch announcement — active exploitation is confirmed now.
- Shai-Hulud Attribution and Arrests: With the worm's source code publicly circulating and fresh copycat campaigns emerging via antv npm packages, law enforcement tracking of the original TeamPCP authors and downstream operators is likely active. Watch for indictments or infrastructure takedowns — they tend to follow when multiple high-profile campaigns cluster in a short window.
- Post-Pwn2Own Patch Wave: 47 zero-days from Pwn2Own Berlin will translate into a concentrated vendor patch cycle over the next two to four weeks. Affected vendors (Microsoft, Mozilla, VMware, and others) are obligated to ship fixes within 90 days, but many will move faster given public disclosure. Maintain patch readiness for browsers, OS, and virtualization platforms.
- Grafana Vulnerability Disclosure Risk: With Grafana's full source code now in attacker hands, CVE disclosures from offline code audits should be expected in the coming months. Security teams running Grafana should subscribe to Grafana's security advisories, prepare to apply emergency patches on short notice, and harden Grafana access controls preemptively.
- ShinyHunters 7-Eleven Disclosure Timeline: The full scope of the 7-Eleven breach — what data was taken, how many customers and employees are affected, and which jurisdictions trigger mandatory notification — is still under investigation. CCPA, GDPR, and state-level notification requirements will govern disclosure timelines. Affected customers should act now on password rotation rather than waiting for formal notification.
By the Numbers
| Metric | Value |
|---|---|
| Exchange CVE-2026-42897 — patch available | None |
| DBIR 2026 — top initial access vector (new) | Vulnerability exploitation |
| Verizon DBIR 2026 — prior #1 vector (displaced) | Credential theft |
| 7-Eleven — global store locations | 85,000+ |
| 7-Eleven 7Rewards — US loyalty program members | 70 million+ |
| CVE-2026-8838 — Amazon Redshift Python driver CVSS | 9.8 Critical |
| Pwn2Own Berlin 2026 — zero-days claimed | 47 |
| FBI 2025 — crypto ATM fraud losses | $388 million+ |
| New CVEs published this week | 10 |
CosmicBytez Labs — IT & Cybersecurity Intelligence Hub