Issue #200 - May 25, 2026
- May 28
KnowledgeDeliver flaw exploited as a zero-day to install web shells
Source: BleepingComputer
Attackers exploited CVE-2026-5426, a deserialization flaw in the KnowledgeDeliver LMS, to gain unauthenticated remote code execution and deploy the Godzilla web shell. Mandiant said the issue stemmed from shared hardcoded ASP.NET machine keys, enabling malicious ViewState payloads and follow-on delivery of a Cobalt Strike backdoor.
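As an added defender-side check (not code from the BleepingComputer report, Mandiant, or the KnowledgeDeliver project), the Python script below scans ASP.NET web.config files for hardcoded machineKey values and for the same key reused across deployments, the condition that made forged ViewState payloads possible here; the sample configs and key values are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample web.config contents (not real keys): two apps share one
# hardcoded machineKey, the third lets ASP.NET auto-generate per-app keys.
SAMPLE_CONFIGS = {
    "lms-a/web.config": (
        '<configuration><system.web>'
        '<machineKey validationKey="AA11BB22CC33" decryptionKey="DD44EE55FF66" '
        'validation="HMACSHA256" decryption="AES"/>'
        '</system.web></configuration>'
    ),
    "lms-b/web.config": (
        '<configuration><system.web>'
        '<machineKey validationKey="AA11BB22CC33" decryptionKey="DD44EE55FF66" '
        'validation="HMACSHA256" decryption="AES"/>'
        '</system.web></configuration>'
    ),
    "portal/web.config": (
        '<configuration><system.web>'
        '<machineKey validationKey="AutoGenerate,IsolateApps" '
        'decryptionKey="AutoGenerate,IsolateApps"/>'
        '</system.web></configuration>'
    ),
}


def _fingerprint(value):
    # Report a short hash so a finding never echoes the secret itself.
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def machine_key_findings(configs):
    """Map each config path to a list of findings about its <machineKey>."""
    findings = defaultdict(list)
    seen = defaultdict(list)  # key fingerprint -> config paths using it
    for path, xml_text in configs.items():
        root = ET.fromstring(xml_text)
        for mk in root.iter("machineKey"):
            for attr in ("validationKey", "decryptionKey"):
                value = mk.get(attr, "AutoGenerate")
                if value.startswith("AutoGenerate"):
                    continue  # per-app generated keys: nothing to share or leak
                findings[path].append(f"hardcoded {attr} ({_fingerprint(value)})")
                seen[_fingerprint(value)].append(path)
    # A static key is far worse when several deployments share it: one leak or
    # one published default lets forged ViewState validate on all of them.
    for fp, paths in seen.items():
        others = len(set(paths)) - 1
        if others > 0:
            for path in set(paths):
                findings[path].append(f"key {fp} shared with {others} other config(s)")
    return dict(findings)
```

Run it over the real web.config files of every ASP.NET app on a host (and across hosts) to find keys that should be rotated and isolated per application.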
Feeding Frenzy: 'Megalodon' Malware Infects Thousands of GitHub Repos
Source: Dark Reading
SafeDep researchers said the Megalodon campaign pushed more than 5,700 malicious commits into over 5,500 GitHub repositories in roughly six hours. The malware targeted CI/CD workflows to steal secrets, cloud credentials, SSH keys, and source code, highlighting how quickly software supply chain attacks can spread through developer ecosystems.
MuddyWater Uses DLL Side-Loading in Espionage Campaign Targeting 9 Countries
Source: The Hacker News
Broadcom-linked research tied MuddyWater to a broad espionage campaign hitting organizations in nine countries across manufacturing, finance, education, and the public sector. The operation relied on DLL side-loading, Node.js-driven PowerShell reconnaissance, password theft, and reverse-proxy tunneling to maintain covert access and support quiet lateral movement.
CISA Urges Immediate Patching of Exploited LiteSpeed cPanel Plugin Zero-Day
Source: SecurityWeek
CISA added CVE-2026-48172 to its Known Exploited Vulnerabilities catalog after attackers abused the LiteSpeed user-end plugin for cPanel as a zero-day. The bug can give intruders root-level script execution, and agencies were told to patch or remove affected versions immediately, underscoring the speed of exploitation after disclosure.
Vulnerability in Popular Conference Software Granted Attackers a 100% Talk Acceptance Rate
Source: SecurityWeek
Researchers disclosed CVE-2026-41241 in Pretalx, an open source call-for-papers platform used by many technical conferences. A stored XSS flaw let a speaker plant JavaScript that executed when organizers searched submissions, enabling account takeover and even automatic acceptance of attacker-submitted talks across multiple deployments sharing the same codebase.