End-of-Day report
Timeframe: Monday 18-05-2026 18:00 - Tuesday 19-05-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
News
Pre-announcement: Critical security vulnerability in Drupal Core - patch available on 20 May 2026
Drupal has published a pre-announcement of a security vulnerability in Drupal Core that is rated critical. A security update for all supported release branches will be made available on 20 May 2026 between 19:00 and 23:00 CEST. At the time of the pre-announcement, no details of the vulnerability and no patch are available.
https://www.cert.at/de/aktuelles/2026/5/drupal-critical-preannounce
GitHub Actions Supply Chain Attack Redirects Tags to Steal CI/CD Credentials
In yet another software supply chain attack, threat actors have compromised the popular GitHub Action actions-cool/issues-helper, redirecting its release tags to malicious code that harvests sensitive CI/CD credentials and exfiltrates them to an attacker-controlled server.
https://thehackernews.com/2026/05/github-actions-supply-chain-attack.html
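Moving a tag only works against workflows that reference the action by tag or branch; a workflow pinned to a full 40-character commit SHA keeps running the code it was reviewed with. The checker below is an added example written for this report, not code from the article or from the actions-cool project. It scans workflow text line by line for `uses:` references and reports every remote action whose ref is not a full commit SHA. The workflow it runs on is constructed for the example, and the SHA on the setup-node line is a placeholder, not a real commit.

```python
import re
from typing import List, Tuple

# "uses: owner/repo[/subpath]@ref", optionally quoted, optionally a list item.
# Local actions ("./path") and container images ("docker://...") carry no
# remote git ref and are skipped on purpose.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([\w.-]+/[\w.-]+(?:/[^@\s'\"]+)?)@([^\s'\"#]+)"
)
# A full 40-hex-character commit SHA is the only immutable reference; tags
# and branch names can be moved by whoever controls the action's repository.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, action, ref) for each remote action whose ref
    is not a full commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1), m.group(2)
        if not FULL_SHA_RE.match(ref):
            findings.append((lineno, action, ref))
    return findings


# Constructed sample workflow (not taken from any real repository). The SHA on
# the setup-node line is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # v4.0.0
      - uses: actions-cool/issues-helper@v3
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - name: run
        run: npm test
"""

if __name__ == "__main__":
    for lineno, action, ref in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}@{ref} is not pinned to a commit SHA")
```

Run it over every file under `.github/workflows/` as a CI gate. Pinning to a SHA does not remove the need to review what that commit does; it only guarantees that a later tag move, as in the incident above, cannot change what your pipeline executes.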
Compromised Nx Console 18.95.0 Targeted VS Code Developers with Credential Stealer
Cybersecurity researchers have flagged a compromised version of the Nx Console extension that was published to the Microsoft Visual Studio Code (VS Code) Marketplace. The extension in question is rwl.angular-console (version 18.95.0), a popular user interface and plugin for code editors like VS Code, Cursor, and JetBrains. The VS Code extension has more than 2.2 million installations.
https://thehackernews.com/2026/05/compromised-nx-console-18950-targeted.html
DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability
Proof-of-concept (PoC) exploit code has now been released for a recently patched security flaw in the Linux kernel that could allow for local privilege escalation (LPE).
https://thehackernews.com/2026/05/dirtydecrypt-poc-released-for-linux.html
Cyberattack on Grafana: extortionists copy source code and threaten to leak it
Grafana Labs has fallen victim to a cyberattack in which attackers had access to Grafana's code base, that is, all source and configuration files belonging to a project, and thus evidently more than the open-source application already discloses publicly on GitHub. [..] The developers state that, according to current knowledge, no customer data or personal data of employees were affected by the incident.
https://www.heise.de/news/Cyberattacke-Angreifer-kopieren-Sourcecode-von-Grafana-11298389.html
CISA Admin Leaked AWS GovCloud Keys on Github
Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history.
https://krebsonsecurity.com/2026/05/cisa-admin-leaked-aws-govcloud-keys-on-github/
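The leak above is the case a pre-commit or repository scan exists to catch. The scanner below is an added example written for this report, not code from the article or from CISA. It flags AWS access key IDs by their fixed format (the "AKIA" prefix for long-term keys, "ASIA" for temporary STS keys, followed by 16 upper-case letters or digits) and flags secret access keys only when they sit next to a variable name that labels them, since a bare 40-character value is indistinguishable from other base64 data. The repository snapshot it scans is constructed for the example and uses the placeholder key values from the AWS documentation; the assumed variable spellings (credentials file, shell export, HCL) are the ones the regex covers.

```python
import re
from typing import List, Tuple

# Long-term AWS access key IDs are 20 characters: "AKIA" plus 16 upper-case
# letters/digits; temporary STS key IDs use the "ASIA" prefix.
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# A 40-character secret is only flagged next to a name that labels it
# (assumption: this covers the credentials-file, env-var and HCL spellings).
SECRET_KEY_RE = re.compile(
    r"aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])",
    re.IGNORECASE,
)


def redact(secret: str) -> str:
    """Keep enough of the value to locate it, never enough to use it."""
    return secret[:4] + "..." + secret[-4:]


def scan_for_aws_keys(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, value) for each hit; secrets are redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append((lineno, "access_key_id", m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((lineno, "secret_access_key", redact(m.group(1))))
    return findings


# Constructed repository snapshot. The key values are the placeholder examples
# from the AWS documentation (the ASIA variant is the same placeholder with
# the temporary-key prefix); none of them is a live credential.
SAMPLE_REPO_SNAPSHOT = """\
# deploy/README.md
Run `make deploy` after exporting AWS_REGION=us-gov-west-1.
# deploy/.aws/credentials (should never have been committed)
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# terraform/main.tf
provider "aws" {
  access_key = "ASIAIOSFODNN7EXAMPLE"
  region     = "us-gov-west-1"
}
# ci/env.sh
export AWS_SECRET_ACCESS_KEY='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
"""

if __name__ == "__main__":
    for lineno, kind, value in scan_for_aws_keys(SAMPLE_REPO_SNAPSHOT):
        print(f"line {lineno}: {kind} {value}")
```

Wire it into a pre-commit hook over the staged diff so the key never reaches a public remote. If a scan of existing history finds a hit, rewriting or deleting the commit is not a remediation: the key must be rotated, because clones, forks and scrapers already hold the old value.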
32-year-old SMS fraudster arrested in Vienna
Investigators of the Vienna State Criminal Police Office (Landeskriminalamt Wien) have struck a blow against suspected cybercriminals who are alleged to have sent millions of fraudulent phishing SMS via so-called "SMS blasters". Since 6 April the phishing SMS are said to have been sent particularly at larger events. On 14 May a suspect was identified and arrested by officers of the Cobra special unit. [..] The devices used are so-called "SMS blasters". Such a device imitates mobile network cells or uses mobile networks in an automated way, allowing thousands of messages to be sent simultaneously to mobile phones in the vicinity.
https://www.derstandard.at/story/3000000321362/32-jaehriger-sms-betrueger-in-wien-festgenommen
Microsoft Details Storm-2949 Cloud Attack on Azure and Microsoft 365
Microsoft Threat Intelligence has disclosed details of a cyberattack carried out by a threat actor tracked as Storm-2949, which escalated from a targeted identity compromise into a large-scale breach of cloud infrastructure and sensitive enterprise systems. The campaign focused heavily on data theft from Microsoft 365 services, Azure-hosted production environments, and cloud storage resources, demonstrating how compromised identities can become gateways to an organization's entire cloud ecosystem.
https://thecyberexpress.com/microsoft-storm-2949-azure-m365-cloud-breach/
When Filenames Become Attack Surfaces: Weaponizing NASA's CFITSIO Extended Filename Syntax
This research was recently presented at BSides Luxembourg 2026. This blogpost documents our findings presented during the talk. [..] We'll focus on perfectly documented features, useful during file processing, but chained together to achieve some unexpected offensive primitives.
https://blog.doyensec.com/2026/05/19/cfitsio-weaponized-filenames.html
Vulnerabilities
SEPPMail Secure E-Mail Gateway Vulnerabilities Enable RCE and Mail Traffic Access
Critical security vulnerabilities have been disclosed in SEPPMail Secure E-Mail Gateway, an enterprise-grade email security solution, that could be exploited to achieve remote code execution and enable an attacker to read arbitrary mails from the virtual appliance. [..] One significant hurdle that an attacker must overcome to achieve remote code execution is that syslogd re-reads the configuration only upon receiving the SIGHUP (aka "signal hang up") signal.
https://thehackernews.com/2026/05/seppmail-secure-e-mail-gateway.html
Linux kernel flaw opens root-only files to unprivileged users
Despite its official designation, a demo exploit on GitHub calls it ssh-keysign-pwn. It is not quite as catchy a name as Copy Fail, or Dirty Frag, or indeed Fragnesia, but we feel it is safe to say it hasn't been a good month. [..] The good news is that it's already been fixed [..] This time, the culprit is CVE-2026-46333, a local kernel vulnerability that lets an unprivileged user read files they should not be able to access, including those normally available only to root. An attacker who already has login access to an affected machine could therefore potentially grab SSH keys, password files, or other confidential credentials.
https://www.theregister.com/security/2026/05/18/linux-kernel-flaw-opens-root-only-files-to-unprivileged-users/5241950
TYPO3 Security Advisories 19.05.2026
TYPO3 has released security advisories for ceselector, tt_address, ke_search, news, crawler and sf_register.
https://typo3.org/security
Mozilla Foundation Security Advisories for Firefox 19.05.2026
https://www.mozilla.org/en-US/security/advisories/
LWN: Security updates for Tuesday
https://lwn.net/Articles/1073542/
DFIR-IRIS advisories
https://github.com/sbaresearch/advisories/commit/3b38de4446b06c28191ae872bb51bae12360b7ae