Newsletter · Issue #21
May 26 Digest: SharePoint RCE, Megalodon CI/CD Blitz, 7-Eleven Breach

Microsoft patches a CVSS 8.8 SharePoint RCE; the Megalodon campaign poisons 5,561 GitHub repos in six hours; 7-Eleven's ShinyHunters breach hits 185,000; and a KnowledgeDeliver zero-day drops Godzilla web shells across Japanese LMS servers.

Dylan H.

CosmicBytez Labs

May 26, 2026
14 min read

This Week in Cybersecurity

Issue 21 brings a dense slate of critical patches, active exploitation, and supply chain turbulence across five days.

The week's most immediately actionable story is Microsoft's out-of-band patch for CVE-2026-45659 — a CVSS 8.8 remote code execution flaw in SharePoint Server. Unlike many high-severity CVEs that require chained conditions, this one demands only network access and basic authentication. No in-the-wild exploitation has been confirmed yet, but SharePoint's history — ProxyLogon, ProxyShell, CVE-2023-29357 — suggests that gap will close quickly. Every on-premises SharePoint administrator should have this patch applied before the end of the week.

The supply chain threat materialized at machine speed on May 24 with the disclosure of Megalodon: an automated campaign that pushed 5,718 malicious commits across 5,561 GitHub repositories within a six-hour window. The attack used throwaway bot accounts — build-bot, auto-ci, pipeline-bot — to inject GitHub Actions workflow files designed to exfiltrate CI/CD secrets from targeted repos. The pace of compromise dramatically exceeds what human defenders can respond to in real time. The lesson from Megalodon is structural: if you are pinning Actions by tag rather than SHA, you are not protected.

The week's biggest breach disclosure belongs to 7-Eleven, which confirmed that the ShinyHunters extortion gang stole the personal information of approximately 185,000 customers — names, email addresses, phone numbers, dates of birth, physical addresses, and loyalty program details — in an April 2026 attack. Have I Been Pwned independently verified the dataset. ShinyHunters follows a predictable playbook: steal data, demand ransom privately, publish when the victim goes quiet. The group has now notched Ticketmaster, Santander, AT&T, ADT, and 7-Eleven in the past 18 months.

In Japan, a zero-day in KnowledgeDeliver — a widely deployed learning management system — was actively exploited to install the Godzilla web shell and Cobalt Strike Beacon implants before a patch was available. The tooling is consistent with Chinese APT tradecraft. LMS platforms are attractive targets precisely because they are treated as peripheral to core IT security programs, yet they hold employee and student PII and often share authentication with internal systems.

Rounding out a demanding week: an Iranian APT refined its toolset against aviation software targets; the BYOVD technique gets a new no-hardware angle; 185,000 individuals impacted in a Docketwise breach; GhostWriter pivots to Prometheus-based phishing against Ukrainian government entities; police execute the first seizure of a VPN ransomware operation; and LiteSpeed's cPanel plugin CVE-2026-48172 enables root-level script execution via a cPanel integration flaw.


Top Stories

Microsoft Patches SharePoint RCE CVE-2026-45659 — CVSS 8.8

Microsoft shipped a security update for CVE-2026-45659, a remote code execution vulnerability in SharePoint Server carrying a CVSS score of 8.8. The flaw is straightforward: a network-accessible attacker with basic authentication can execute arbitrary code in the context of the SharePoint application pool service account. No specialized exploitation prerequisites beyond authenticated network access are required — no CSRF chains, no secondary vulnerabilities needed.

The update covers all currently supported on-premises SharePoint Server branches. SharePoint Online (Microsoft 365) is not affected; Microsoft manages cloud patching directly. Organizations running on-premises SharePoint should immediately identify installed versions, apply the update via Windows Server Update Services or the Microsoft Update Catalog, and verify using Get-SPProduct in SharePoint Management Shell.

The CVSS 8.8 rating reflects high impact across confidentiality, integrity, and availability. CISA's Known Exploited Vulnerabilities catalog has historically added SharePoint RCE flaws quickly after patches release — often when exploitation begins. The absence of confirmed in-the-wild exploitation today should not create false comfort. SharePoint is a perennial ransomware and espionage target because of the sensitive documents, project data, and connected business workflow integrations it hosts.

Recommended immediate actions: patch all SharePoint instances (including staging and dev), review application pool service account permissions against least privilege, and enable monitoring of SharePoint ULS logs for exploitation-pattern anomalies.

Megalodon: 5,561 GitHub Repos Hit with Malicious CI/CD Workflows in Six Hours

Cybersecurity researchers disclosed Megalodon, an automated supply chain attack campaign that injected malicious GitHub Actions workflow files into 5,561 repositories via 5,718 commits — all within a single six-hour window on May 24. The attack used throwaway GitHub accounts with CI-bot-mimicking names (build-bot, auto-ci, ci-bot, pipeline-bot) to blend into legitimate pipeline activity.

The rogue workflow files were designed to: exfiltrate repository secrets (API keys, deploy tokens, cloud credentials), establish persistence through workflow triggers that fire on every subsequent commit, and pivot into downstream dependencies to extend the supply chain infection. The GITHUB_TOKEN provisioned per pipeline run, plus any custom secrets configured in the repository, are exposed during malicious workflow execution. From stolen CI/CD credentials, attackers can publish compromised packages, deploy to production, and escalate across cloud infrastructure without triggering authentication anomalies.

Megalodon's six-hour timeline sets a new benchmark for automated supply chain attack velocity, exceeding the tj-actions/changed-files incident of 2024 and the Shai-Hulud worm's spread in May 2026. The scale-over-stealth strategy is deliberate: by targeting thousands of repos simultaneously, attackers maximize the probability that high-value secrets exist in at least a fraction of targets.

Immediate response: audit all repositories' .github/workflows/ directories for unexpected files or modifications from unfamiliar accounts, rotate any secrets exposed during the attack window, and enforce branch protection rules requiring PR review before workflow file merges. The durable fix is SHA pinning — no tag-based Action pin survives a compromised maintainer or tag redirect attack.
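One way to turn the audit and SHA-pinning advice above into a repeatable check. This is an added example written for this digest, not tooling from GitHub or from the Megalodon researchers; the sample workflow text and the 40-hex value in it are constructed placeholders, and the allowlist of expected workflow file names is something each repository owner has to supply.

```python
import re
from pathlib import Path

# A `uses:` value is owner/repo[/subdir]@ref, a local ./path, or docker://image.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text: str) -> list[str]:
    """Return each `uses:` reference that is not pinned to a full 40-hex commit
    SHA. Local (./) and docker:// references are skipped: a SHA pin does not
    apply to them. A missing @ref floats with the action's default branch, and a
    tag or branch ref can be re-pointed by whoever controls the upstream repo."""
    unpinned = []
    for ref in USES_RE.findall(workflow_text):
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            unpinned.append(ref)
            continue
        _, version = ref.rsplit("@", 1)
        if not FULL_SHA_RE.match(version):
            unpinned.append(ref)
    return unpinned


def audit_workflows_dir(workflows_dir: Path, expected_files: set[str]) -> dict:
    """Walk a .github/workflows/ directory: flag files outside an allowlist of
    known workflow names (the kind of rogue file a campaign like Megalodon
    adds) and list unpinned actions per file."""
    report: dict = {"unexpected_files": [], "unpinned": {}}
    for path in sorted(workflows_dir.glob("*.y*ml")):
        if path.name not in expected_files:
            report["unexpected_files"].append(path.name)
        bad = find_unpinned_actions(path.read_text(encoding="utf-8"))
        if bad:
            report["unpinned"][path.name] = bad
    return report


# Constructed sample workflow (not from any real repository). The 40-hex value
# below is a placeholder, not a real commit of actions/setup-node.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/some-action@main
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print("not SHA-pinned:", ref)
```

Run `audit_workflows_dir(Path(".github/workflows"), {"ci.yml", "release.yml"})` from a checkout to get both the unexpected-file list and the per-file unpinned actions in one pass.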

7-Eleven Data Breach: ShinyHunters Expose 185,000 Customers via April Intrusion

ShinyHunters has published data stolen from 7-Eleven in an April 2026 breach, with Have I Been Pwned independently verifying and ingesting the dataset at approximately 185,000 unique records. The compromised fields include full names, email addresses, phone numbers, dates of birth, physical addresses, and loyalty program account details — a combination that enables layered downstream fraud: phishing, credential stuffing, identity fraud, and physical address targeting.

ShinyHunters' extortion model — steal, demand privately, publish when ignored — played out here on the standard timeline. The group demanded ransom in early May 2026; when 7-Eleven did not publicly acknowledge or pay, the dataset was published on underground forums with sample data provided to authenticate the claim. 7-Eleven has confirmed the breach and launched an investigation with third-party forensic specialists.

The threat actor is prolific and well-resourced. ShinyHunters' recent victim list includes Ticketmaster (560M records), Santander Bank (30M), AT&T, and ADT — with documented ties to the Coinbase Cartel cluster. Retail loyalty databases are consistently underprotected relative to payment card systems, despite containing comparable value for fraud operations.

If you hold a 7-Eleven loyalty account: change your password immediately, check your email at haveibeenpwned.com, enable 2FA where available, monitor for phishing impersonating 7-Eleven, and consider a credit freeze if your date of birth and address combination may be leveraged for identity fraud.

KnowledgeDeliver Zero-Day Exploited to Deploy Godzilla Web Shell and Cobalt Strike

A zero-day vulnerability in KnowledgeDeliver — a commercial learning management system developed by Digital Knowledge and widely deployed across Japanese educational institutions, corporations, and government-affiliated learning programs — was actively exploited before a patch was available. Attackers achieved unauthenticated remote code execution, then installed the Godzilla web shell and deployed Cobalt Strike Beacon implants on compromised servers.

Godzilla is a feature-rich, Java-based web shell with encrypted communications, file management, command execution, and database access capabilities — standard post-exploitation tooling for Chinese-nexus threat actors. Cobalt Strike Beacon enables lateral movement, credential harvesting, and persistent C2 channel establishment. The combination of these two tools in a targeted LMS intrusion is consistent with TTPs documented for PRC-linked APT clusters, though no definitive public attribution has been made.

The targeting of LMS infrastructure reflects a deliberate APT strategy: learning management systems hold employee and student PII, are frequently integrated with internal HR and identity systems, and receive lower security attention than front-line corporate infrastructure. A compromised LMS server becomes a credentialed pivot point into internal networks.

A patch is now available from Digital Knowledge. Organizations running KnowledgeDeliver should apply it immediately, audit web-accessible directories for unauthorized .jsp / .jspx files, rotate all credentials stored in or accessible through the LMS, and deploy endpoint detection on the LMS host to catch Cobalt Strike beacon patterns.

UK Online Safety Act: AI Chatbots Now Subject to Child Safety Obligations

The UK's Online Safety Act expanded its scope to formally include AI chatbots among the regulated services subject to child safety obligations. Platforms operating AI-based conversational services must now implement age-appropriate design measures, conduct child safety risk assessments, and prevent minors from encountering harmful content through AI interactions — with Ofcom as the enforcement authority.

The regulatory shift comes as AI companions, tutoring bots, and generalist chatbots have been widely deployed across consumer and educational platforms without consistent child safety guardrails. The OSA's approach sets a structural precedent: AI interfaces are now subject to the same duty-of-care framework as social media platforms under UK law, not treated as a distinct unregulated category.

For security and compliance professionals: organizations serving UK users with AI-integrated products need to audit chatbot interactions for content policy compliance, implement verified age-gating where required, and document risk assessments per Ofcom's codes of practice. The OSA's enforcement track record — including significant fines against major platforms — signals this is not a compliance formality.

Security Corner

10 CVEs are newly published to the Security Advisories section this week. Key advisories to prioritize:

CVE-2026-8719 — WordPress AI Engine Plugin Privilege Escalation (CVSS 8.8)

The AI Engine plugin's MCP OAuth bearer-token path fails to enforce WordPress capability checks. Any authenticated user — including subscriber-level — can present a valid OAuth token and obtain full MCP access that should be restricted to administrators. MCP access exposes chatbot configurations, system prompts, conversation history, and potentially broader WordPress admin functions. Multi-user WordPress installations with subscriber-level accounts should treat this as a priority patch.

CVE-2026-9525 — SQL Injection in itsourcecode Electronic Judging System 1.0 (CVSS 7.3)

The admin panel's /admin/edit_judge.php endpoint constructs SQL queries via direct string interpolation of the judge_id parameter — a textbook unsanitized input flaw. Remote attackers can extract data, bypass authentication, modify records, and — if database permissions allow — escalate to OS-level command execution via LOAD_FILE or stored procedures. A public proof-of-concept exploit is available.
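To make the judge_id flaw class concrete, here is the interpolated query beside its parameterized replacement. This is an added example written in Python with sqlite3 for this digest; it is not the itsourcecode PHP code, and the judges table, its rows and the `compare` helper are constructed for illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the judging system's judges data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE judges (judge_id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO judges VALUES (?, ?, ?)",
        [(1, "Judge One", "one@example.test"), (2, "Judge Two", "two@example.test")],
    )
    return conn


def edit_judge_vulnerable(conn: sqlite3.Connection, judge_id: str) -> list:
    """Direct string interpolation: whatever arrives in judge_id becomes SQL text,
    so the request parameter can change the query's structure, not just its value."""
    sql = f"SELECT judge_id, name, email FROM judges WHERE judge_id = {judge_id}"
    return conn.execute(sql).fetchall()


def edit_judge_hardened(conn: sqlite3.Connection, judge_id: str) -> list:
    """Type-validate the identifier, then bind it as a parameter. The database
    receives the query shape and the value separately, so input can only ever
    select by id. (Enforcing that the caller is an admin is a separate check.)"""
    try:
        jid = int(judge_id)
    except ValueError:
        return []  # reject anything that is not an integer id
    return conn.execute(
        "SELECT judge_id, name, email FROM judges WHERE judge_id = ?", (jid,)
    ).fetchall()


def compare(judge_id: str) -> tuple[int, int]:
    """Run one input through both handlers; returns (rows_vulnerable, rows_hardened)."""
    conn = make_db()
    return (
        len(edit_judge_vulnerable(conn, judge_id)),
        len(edit_judge_hardened(conn, judge_id)),
    )


if __name__ == "__main__":
    print("normal id      :", compare("1"))
    print("tautology input:", compare("1 OR 1=1"))
```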

Also published this week:

  • CVE-2026-8398
  • CVE-2026-8053
  • CVE-2026-8153
  • CVE-2026-7637
  • CVE-2026-8043
  • CVE-2026-7458
  • CVE-2026-7546
  • CVE-2026-7567

Quick Takes

  • Iranian APT Targets Aviation Software Companies with Updated Tools: A tracked Iranian state-sponsored threat actor refined its malware toolset and directed fresh campaigns against aviation software companies — a sector that underpins flight operations, maintenance scheduling, and supply chain management. The updated tooling suggests active development investment, not a static campaign. Aviation sector security teams should review threat intel feeds for TTP updates and confirm perimeter exposure for internet-facing systems.

  • Docketwise Data Breach Impacts 143,000: Immigration law firm software provider Docketwise disclosed a breach affecting approximately 143,000 individuals. Docketwise handles sensitive immigration case data — visa applications, personal documentation, legal communications — making the exposure particularly sensitive for affected clients. Impacted law firms should notify affected clients per breach notification obligations and monitor for phishing targeting immigration applicants.

  • GhostWriter Targets Ukraine Government with Prometheus Phishing Malware: The GhostWriter threat actor — attributed to Belarusian intelligence and active in information operations against Ukraine — has pivoted to deploying the Prometheus phishing kit against Ukrainian government entities. The campaign combines credential harvesting with influence operations tradecraft, consistent with GhostWriter's documented history of targeting Ukrainian civil society, military, and government personnel ahead of and during the conflict.

  • BYOVD Without Hardware — New Perspective on a Classic Technique: Researchers published analysis demonstrating a new angle on Bring Your Own Vulnerable Driver (BYOVD) attacks: achieving exploitation without requiring physical hardware associated with the targeted driver. The technique broadens the potential attack surface for BYOVD-based kernel exploitation and EDR bypass. Security teams relying on hardware-presence checks as a BYOVD defense should review this research.

  • Police Seize Infrastructure Behind First VPN Ransomware Operation: Law enforcement executed the first documented seizure of infrastructure tied to a ransomware group that operated its own VPN service as a delivery and obfuscation layer. The operation marks an escalation in tactical law enforcement response — from seizing ransom payment infrastructure to taking down the anonymization layer itself. Details on the specific group and the jurisdictions involved are emerging.

  • LiteSpeed cPanel Plugin CVE-2026-48172 Exploited for Root Script Execution: A vulnerability in the LiteSpeed cPanel plugin has been exploited to execute scripts as root — a critical privilege escalation for hosting environments where cPanel is the administrative interface for thousands of tenant sites. Shared hosting providers and managed WordPress hosts running LiteSpeed with cPanel integration should apply the patch immediately and audit for post-exploitation indicators.

  • Packagist Supply Chain Attack Infects 8 Packages via GitHub-Hosted Malware: Eight Packagist PHP packages were compromised in a supply chain attack that used GitHub-hosted malware as the delivery mechanism. The campaign follows the broader 2026 trend of attackers targeting package registries across ecosystems — npm, PyPI, Packagist — with GitHub infrastructure as a staging ground. PHP developers should audit dependencies for the affected packages and rotate any secrets accessible from affected environments.


Upcoming

  • SharePoint CVE-2026-45659 Exploitation Watch: With the CVSS 8.8 patch now public, the exploitation clock is running. CISA's KEV catalog is the indicator to watch — inclusion typically signals confirmed in-the-wild activity. Organizations that have not patched should treat an unpatched SharePoint Server as an active incident risk, not a scheduled maintenance item.

  • Megalodon Attribution and GitHub Response: GitHub is working to remove malicious commits and suspend the bot accounts used in the Megalodon campaign. Watch for GitHub's post-incident report on the campaign's scope and any detection tooling improvements. The broader question — whether automated commit-rate limits or enhanced workflow review gates will follow — is worth tracking for DevSecOps planning.

  • KnowledgeDeliver CVE Assignment: The CVE identifier for the KnowledgeDeliver zero-day has not been publicly disclosed at time of this issue. Expect a CVE publication from Digital Knowledge or JPCERT/CC in the coming days. Japanese organizations running the LMS should apply the patch now, without waiting for the CVE to be formalized.

  • 7-Eleven Breach Notification Timeline: The ShinyHunters exposure of 185,000 records triggers data breach notification obligations under applicable privacy law. CCPA, Canadian PIPEDA, and applicable state/provincial laws govern disclosure timelines for affected jurisdictions. Formal notification to affected customers should be expected within 30–72 hours depending on regulatory requirements. Affected customers should not wait — act on password rotation and credit monitoring now.

  • UK Online Safety Act Enforcement Ramp-Up: With AI chatbots now explicitly in scope, Ofcom is expected to begin issuing updated compliance guidance for AI services targeting the UK market. Organizations with consumer AI products should begin gap assessments against the forthcoming codes of practice now, ahead of enforcement action timelines.


By the Numbers

Metric                                            Value
CVE-2026-45659 SharePoint RCE — CVSS score        8.8 (High)
Megalodon — repositories targeted                 5,561
Megalodon — malicious commits pushed              5,718
Megalodon — attack window                         6 hours
7-Eleven breach — individuals affected            185,000
CVE-2026-8719 WordPress AI Engine — CVSS score    8.8 (High)
CVE-2026-9525 SQL Injection — CVSS score          7.3 (High)
Docketwise breach — individuals affected          143,000
New CVEs published this week                      10
