Palo Alto Exploited, Chrome Zero-Day Patched, and Three Critical CVEs
TL;DR - Large-scale web compromise, npm supply-chain abuse, and social-engineering-driven account takeovers led the day. - Defenders should review WordPress, CI/CD, npm, and identity recovery controls now. - Prioritize exposed repos, vulnerable plugins, and systems tied to active exploitation reports.
Top Stories
1) Hackers hijack thousands of sites for ClickFix and FakeUpdate attacks
BleepingComputer reports that a threat actor tracked as DriveSurge is running broad malware delivery campaigns through compromised websites using ClickFix and FakeUpdate lures, impacting thousands of sites (source).
Why this matters
This is not just another malvertising story. If your organization runs public websites, especially CMS-driven properties, those sites can become delivery infrastructure for downstream malware infections. If you operate endpoint security, expect user-driven execution chains where the victim believes they are fixing a browser issue, CAPTCHA prompt, or update workflow.
What to do now
- Review web server integrity on public-facing sites.
- Check for unexpected JavaScript injections in templates, headers, footers, and tag manager content.
- Hunt for redirected update prompts and fake browser remediation flows.
- Block known fake update delivery domains and review secure web gateway telemetry.
- Alert help desk teams that users may report unusual browser prompts or “verification” requests.
Quick checks
# Search common web roots for suspicious inline script tags
grep -RniE "clickfix|fakeupdate|atob\(|fromCharCode|document\.write|eval\(" /var/www /usr/share/nginx/html 2>/dev/null
# Look for recently modified web files
find /var/www -type f -mtime -7 | sort
Technical Notes
Common signs of website injection include:
<script src="https://example-cdn-invalid[.]tld/update.js"></script>
<script>
// obfuscated redirect or clipboard lure
setTimeout(function(){ window.location='...'; }, 1500);
</script>
Watch for web logs showing short-lived spikes from a small set of pages, followed by outbound requests to unusual domains.
2) Red Hat npm packages compromised to steal developer credentials
More than 30 packages under the @redhat-cloud-services npm namespace were reportedly compromised in a supply-chain incident that delivered a new Shai-Hulud credential-stealing variant called “Miasma,” according to BleepingComputer (source).
Why this matters
This is the kind of incident that turns developer workstations and CI pipelines into initial access points. If your builds consumed affected packages, the risk is not limited to package integrity. You should also assume possible credential exposure involving developer tokens, registry auth, cloud keys, and CI secrets.
What to do now
- Identify whether your environment installed affected
@redhat-cloud-servicespackages. - Revoke and rotate npm tokens, GitHub tokens, CI variables, and cloud credentials used by impacted developers or runners.
- Review recent package-lock changes and build history.
- Rebuild critical artifacts from known-good states.
- Validate provenance and integrity controls for internal package consumption.
Immediate triage steps
# Search package manifests and lock files for the affected namespace
grep -Rni "@redhat-cloud-services" ./
# Review npm install history in CI logs if retained
grep -Rni "npm install\|pnpm install\|yarn install" /var/log /opt/ci/logs 2>/dev/null
# List globally configured npm registries and auth usage
npm config list
Technical Notes
Supply-chain review should include:
package.jsonpackage-lock.json,pnpm-lock.yaml, oryarn.lock- CI job logs
- Secret manager access logs
- GitHub Actions or GitLab CI token use
Example lockfile grep:
grep -Rni "@redhat-cloud-services" package-lock.json pnpm-lock.yaml yarn.lock 2>/dev/null
If there is any evidence of installation, rotate secrets first and investigate second.
3) Hackers used Meta’s AI support bot to seize Instagram accounts
KrebsOnSecurity reports attackers circulated instructions on Telegram for abusing Meta’s AI support assistant to trigger password resets and seize Instagram accounts, including high-profile accounts that were briefly defaced (source).
Why this matters
This is an identity assurance failure story. It highlights the risk of automated support workflows that can be socially engineered at scale. For organizations with executive, brand, or public-sector social accounts, standard MFA is not enough if account recovery paths are weak.
What to do now
- Audit account recovery options for official social media accounts.
- Restrict who can initiate recovery or support interactions.
- Move high-value accounts into managed enterprise social workflows where available.
- Ensure backup emails, phone numbers, and admin roles are current and tightly controlled.
- Preserve evidence if an account was reset unexpectedly.
Defender takeaway
Treat support-channel abuse as a legitimate attack path. Security reviews should include: - automated help bots - customer support escalation flows - identity verification exceptions - recovery email and SIM ownership
4) WordPress malware campaign hides payloads in Steam profiles
BleepingComputer reports a campaign affecting nearly 2,000 WordPress sites in which malware hid command-and-control data in Steam Community profile comments (source).
Why this matters
This is a useful reminder that C2 and payload staging can be hidden in legitimate third-party services, making simple domain-based blocking less effective. If you defend WordPress at scale, you need file integrity monitoring, plugin hygiene, and behavioral detection, not just blocklists.
What to do now
- Scan WordPress themes and plugins for unauthorized PHP and JavaScript.
- Look for outbound traffic patterns to Steam pages from web servers where such access is unnecessary.
- Review admin account creation and plugin install events.
- Enforce least privilege on WordPress admin roles and hosting panels.
WordPress triage commands
# Find recently changed PHP files
find /var/www -type f -name "*.php" -mtime -14
# Search for suspicious remote fetch functions
grep -RniE "curl_exec|file_get_contents\(|base64_decode\(|gzinflate\(|str_rot13\(" /var/www 2>/dev/null
Technical Notes
WordPress webshells and loaders often use combinations of:
- base64_decode
- gzinflate
- create_function
- remote content fetches
- cron-based persistence
Example pattern hunt:
grep -RniE "wp_ajax_|add_action\('init'|base64_decode|preg_replace.*/e" wp-content/ 2>/dev/null
5) Windows Netlogon RCE now reportedly exploited
BleepingComputer reports that the Centre for Cybersecurity Belgium warned that a recently patched critical Windows Netlogon remote code execution flaw is now being exploited in attacks (source).
Why this matters
Anything involving Netlogon should be treated as high priority in Windows environments, especially on domain controllers and systems with trust relationships. If exploitation is active, delayed patching increases risk of rapid domain impact.
What to do now
- Identify domain controllers and vulnerable Windows systems.
- Validate patch deployment status.
- Review authentication, Netlogon, and lateral movement telemetry.
- Increase scrutiny on unusual machine-account behavior and privilege changes.
Windows checks
# Review installed updates
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 20
# Check recent privileged group membership changes
Get-WinEvent -LogName Security -MaxEvents 200 | Where-Object {$_.Id -in 4728,4729,4732,4733,4756,4757}
6) CISA adds Oracle WebLogic vulnerability to KEV
CISA added CVE-2024-21182 affecting Oracle WebLogic Server to the Known Exploited Vulnerabilities catalog, citing evidence of active exploitation (source).
Why this matters
KEV inclusion is a prioritization signal. If you run WebLogic, this should move into the “verify exposure and remediate” queue immediately, especially for internet-facing systems or middleware tied to sensitive applications.
What to do now
- Inventory WebLogic instances.
- Determine internet exposure and admin interface reachability.
- Apply vendor-recommended fixes and temporary mitigations where patching is delayed.
- Review logs for unusual admin actions, deployment changes, and webshell indicators.
7) Dashlane users reportedly locked out after brute-force attempts
BleepingComputer reports multiple Dashlane users were locked out after brute-force attempts from unknown devices and distant locations (source).
Why this matters
Even if the underlying vaults remain protected, account lockout waves create operational risk, user panic, and support overhead. Password managers remain high-value targets because they aggregate identity access.
What to do now
- Remind users to enable phishing-resistant MFA where supported.
- Review alerts for impossible travel and repeated login failures.
- Have a documented recovery process for enterprise-managed password manager accounts.
- Check whether credential stuffing from prior breaches may be in play.
Critical Vulnerabilities
CVE-2026-45131 — CloudPirates Open Source Helm Charts
- CVSS: 10.0
- Issue: A GitHub Actions workflow reportedly executed attacker-controlled code from fork pull requests in a privileged context, exposing repository secrets.
- Reference: GitHub advisory, patch commit
Why it matters
This is a CI/CD trust-boundary failure. If you maintain open source projects or accept fork-based contributions, unsafe workflow design can hand secrets directly to attackers.
What to do
- Review use of pull_request_target, secret exposure, and writable tokens.
- Disable privileged workflow execution for untrusted forks.
- Rotate any secrets previously accessible to workflows.
Technical Notes
Review workflow files for patterns like:
on:
pull_request_target:
jobs:
build:
permissions: write-all
steps:
- uses: actions/checkout@v4
- run: ./scripts/from-pr.sh
Safer approach: - avoid privileged triggers for untrusted code - minimize token permissions - require maintainer approval before running workflows from forks
CVE-2026-45132 — CloudPirates Open Source Helm Charts
- CVSS: 10.0
- Issue: Another GitHub Actions workflow reportedly exposed a Personal Access Token and SSH signing key to fork-controlled code due to unsafe checkout and credential handling.
- Reference: GitHub advisory, patch commit
Why it matters
This is the same class of failure with potentially severe downstream impact: source tampering, package compromise, secret theft, and trust erosion for consumers of the project.
What to do - Audit reusable workflow templates across all repos. - Remove embedded or over-scoped credentials from CI. - Enforce short-lived tokens and environment protection rules.
Quick GitHub Actions audit
grep -RniE "pull_request_target|persist-credentials: true|secrets\.|ssh-key|token:" .github/workflows/
CVE-2026-42680 — Contest Gallery Pro WordPress plugin
- CVSS: 9.8
- Issue: Incorrect privilege assignment could allow privilege escalation in Contest Gallery Pro through version 29.0.1.
- Reference: Patchstack advisory
Why it matters
Privilege escalation in WordPress often means a low-privileged account can become admin or otherwise gain dangerous capabilities. For internet-facing sites, that can rapidly lead to plugin installs, code execution, credential theft, and SEO spam.
What to do - Update or disable the plugin immediately. - Review recently created admin users. - Check plugin and theme editor access, uploads, and scheduled tasks.
WordPress admin review
# WP-CLI examples
wp user list --role=administrator
wp plugin list
wp option get active_plugins
CVE-2026-48879 — AIWU WordPress plugin
- CVSS: 9.8
- Issue: Incorrect privilege assignment could allow privilege escalation in AIWU through version 1.4.17.
- Reference: Patchstack advisory
Why it matters
AI-related WordPress plugins are increasingly common in SMB and marketing environments. That broad adoption makes privilege bugs especially useful to attackers targeting lower-maturity sites.
What to do - Update, remove, or isolate affected instances. - Audit for unauthorized admin accounts and suspicious content generation jobs. - Review logs around user role changes and REST API activity.
What Defenders Should Do Today
1) Triage exposed web properties
Prioritize: - WordPress instances - public CMS pages - sites with ad scripts or custom JavaScript - systems showing unexplained file changes
2) Investigate developer and CI/CD exposure
Today’s supply-chain and GitHub Actions issues should trigger: - package inventory checks - secret rotation - workflow permission review - artifact trust verification
3) Harden account recovery and support workflows
Review: - social media admin recovery - help desk identity proofing - automated support bot escalation paths - backup email and phone ownership
4) Patch and verify critical vulnerabilities
Especially: - actively exploited Windows flaws noted by trusted reporting - KEV-listed middleware like WebLogic - vulnerable WordPress plugins - any repo or pipeline with unsafe fork workflow handling
5) Hunt for common indicators
Look for: - suspicious JavaScript in public sites - outbound traffic to unexpected content-hosting or community platforms - unauthorized admin creation - unusual CI token use - login failures and lockouts across identity platforms
Practitioner Checklist
- [ ] Scan public websites for injected JavaScript and recent file changes
- [ ] Search codebases and lockfiles for
@redhat-cloud-services - [ ] Rotate npm, Git, CI, and cloud credentials if affected
- [ ] Audit GitHub Actions workflows for fork-triggered secret exposure
- [ ] Patch or disable vulnerable WordPress plugins
- [ ] Review social account recovery paths and admin assignments
- [ ] Verify Windows patch coverage for critical authentication components
- [ ] Check for KEV exposure, including Oracle WebLogic
Final Take
The common thread across today’s stories is trust abuse: trusted websites distributing malware, trusted packages stealing credentials, trusted support automation enabling account takeover, and trusted CI workflows leaking secrets. For defenders, the fastest wins are to reduce implicit trust, rotate exposed credentials, and verify integrity across web, identity, and build systems.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.