June 8, 2026 | By Jonathan Brown bordercybergroup.com

───────────────────────────────────────────────────

Nightmare-Eclipse's Windows zero-day spree: six exploits, three confirmed in the wild, and a July escalation threat still outstanding

A researcher operating as Nightmare-Eclipse (also Chaotic Eclipse) has publicly released six Windows privilege escalation and defense-degradation exploits since April 2026, with working PoC code published to GitHub before Microsoft had patches ready. Of the six — BlueHammer, RedSun, UnDefend, YellowKey, GreenPlasma, and MiniPlasma — at least three (BlueHammer, RedSun, UnDefend) were confirmed exploited in real attacks following public disclosure, per BleepingComputer and Dark Reading (May 2026). MiniPlasma, the most recent, abuses a flaw in the Windows Cloud Filter driver (cldflt.sys) tied to CVE-2020-17103, a vulnerability Google Project Zero reported in 2020 and Microsoft reportedly patched — ThreatLocker confirmed on May 22, 2026 that the original PoC still produces a SYSTEM shell on fully patched Windows 11 and Server 2025 without modification. Microsoft silently addressed RedSun without assigning a CVE, per the researcher's account corroborated by Barracuda Networks (May 19, 2026); BlueHammer received a formal patch (CVE-2026-33825) and a CISA KEV entry; the remaining flaws are unpatched as of this writing. GitHub banned the account May 23, GitLab on May 26–27. The researcher's Blogger posts — the primary source for these specific claims — contain signed statements threatening an RCE disclosure campaign tied to July 14 (the following Patch Tuesday) and describe a dead man's switch that would automatically release additional exploits if certain conditions are met. Whether those disclosures will materialize is speculative; the public disclosure pattern to date is consistent with a researcher who has followed through on prior stated intentions, though that is a small sample on which to base a firm prediction.

Watch for: Whether tomorrow's Patch Tuesday (June 9) addresses MiniPlasma, YellowKey, and GreenPlasma; any out-of-band Microsoft MSRC advisory; and new Blogger posts from Nightmare-Eclipse in the window around the update.

Confidence: High (exploitation of three CVEs confirmed by named researchers and vendors; July escalation threat is possible, not confirmed — based on researcher's own Blogger statements)

Sources: BleepingComputer, May 2026; Dark Reading, May 2026; ThreatLocker Blog, May 22, 2026; Barracuda Networks Blog, May 19, 2026; The Register, May 13, 2026; Ciphers Security, June 2, 2026.

───────────────────────────────────────────────────

Cisco SD-WAN auth bypass cluster: UAT-8616 was first in, ten additional threat clusters followed PoC publication

Rapid7 researchers Stephen Fewer and Jonah Burgess discovered CVE-2026-20182 (CVSS 10.0) while investigating CVE-2026-20127, an earlier Cisco Catalyst SD-WAN Controller authentication bypass that was already being exploited in the wild at disclosure. CVE-2026-20182 is a separate logic failure in the vdaemon service over DTLS (UDP port 12346): when a connecting peer claims to be a vHub device, device-type-specific certificate verification does not occur, yet the code path marks the peer as authenticated — giving an unauthenticated remote attacker NETCONF access and the ability to manipulate routing configuration across the entire SD-WAN fabric, per Rapid7's May 14, 2026 disclosure. Tenable's Research Special Operations team documented that a sophisticated threat actor designated UAT-8616 had exploited Cisco SD-WAN vulnerabilities since at least 2023, and that ten additional threat clusters began exploitation of multiple SD-WAN vulnerabilities once public PoC code became available, per Tenable (May 2026). CISA added CVE-2026-20182 to the KEV catalog and issued Emergency Directive 26-03 mandating federal agency remediation by May 17. Cisco Talos published indicators of compromise; advisory cisco-sa-sdwan-authbp-qwCX8D4v covers the broader cluster including CVE-2026-20122, CVE-2026-20128, CVE-2026-20133, CVE-2026-20209, and CVE-2026-20210. The jump from one long-running sophisticated actor to ten distinct clusters within weeks of PoC publication is consistent with rapid commoditization of this attack surface, though whether those clusters represent independent capability development versus shared tooling has not been established in public reporting.
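The flaw pattern Rapid7 describes (a peer's own claim about its device type causes the type-specific certificate check to be skipped, yet the peer is marked authenticated) is a classic fail-open default. The following is an added, hypothetical Python model of that pattern beside the fail-closed form a code reviewer would expect; it is not Cisco code, not a reconstruction of vdaemon or of CVE-2026-20182, and the device-type labels, trust store and certificate blobs are all constructed:

```python
"""Fail-open peer authentication, modelled as a hypothetical.

Added illustration, not Cisco code and not a reconstruction of CVE-2026-20182:
it models only the pattern the disclosure describes (a claimed device type for
which the type-specific certificate check is skipped, while the peer is still
marked authenticated) next to the fail-closed form a reviewer would expect.
"""
from dataclasses import dataclass
from typing import Optional
import hashlib


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a (constructed) DER certificate blob."""
    return "sha256:" + hashlib.sha256(cert_der).hexdigest()


# Constructed trust store: for each device type the controller knows how to
# verify, the set of certificate fingerprints it accepts. There is deliberately
# no entry for the "vhub" type; that gap is what the two handlers treat differently.
TRUSTED_FINGERPRINTS = {
    "vedge": {fingerprint(b"constructed-vedge-cert")},
    "vsmart": {fingerprint(b"constructed-vsmart-cert")},
}


@dataclass(frozen=True)
class PeerHello:
    claimed_type: str              # device type asserted by the connecting peer
    cert_der: Optional[bytes]      # certificate presented, or None if none was sent


def verify_device_cert(peer: PeerHello) -> bool:
    """Type-specific check: the cert must be in the trust set for the claimed type."""
    if peer.cert_der is None:
        return False
    return fingerprint(peer.cert_der) in TRUSTED_FINGERPRINTS.get(peer.claimed_type, set())


def authenticate_fail_open(peer: PeerHello) -> bool:
    """Vulnerable pattern: 'authenticated' is the default and the check is only
    reached for device types the code knows how to verify. A peer asserting an
    unhandled type never hits the check and falls through as authenticated."""
    authenticated = True
    if peer.claimed_type in TRUSTED_FINGERPRINTS:
        authenticated = verify_device_cert(peer)
    return authenticated


def authenticate_fail_closed(peer: PeerHello) -> bool:
    """Hardened pattern: the default is 'not authenticated', every claimed type
    must have a verifier, and the peer's assertion about its own type is never
    a reason to skip verification."""
    if peer.claimed_type not in TRUSTED_FINGERPRINTS:
        return False
    return verify_device_cert(peer)


def compare(peer: PeerHello) -> dict:
    """Run both handlers on the same hello so the divergence is visible."""
    return {
        "fail_open": authenticate_fail_open(peer),
        "fail_closed": authenticate_fail_closed(peer),
    }
```

The review lesson is the shape of the control flow, not any particular device type: an authentication routine should start from "denied" and only ever move to "allowed" after a verifier for that exact peer class has run, so an unhandled or newly added class fails safe rather than silently bypassing the check.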

Watch for: New Cisco Talos IoC updates; attribution reporting on UAT-8616's sector focus — NETCONF access across the SD-WAN fabric is consistent with network-level pre-positioning rather than pure credential harvesting.

Confidence: High (exploitation confirmed; commoditization inference is based on cluster count, not independently verified tooling analysis)

Sources: Rapid7 Labs, May 14, 2026; Tenable RSO, May 2026; CISA KEV and Emergency Directive 26-03, May 2026; Help Net Security, May 15, 2026; SOCRadar, May 2026; Cisco advisory cisco-sa-sdwan-authbp-qwCX8D4v.

───────────────────────────────────────────────────

Miasma hits Red Hat's npm namespace via CI/CD pipeline compromise — attribution murkier than it looks

On June 1, 2026, 32 packages under the @redhat-cloud-services npm namespace were backdoored with a credential-stealing worm dubbed Miasma, affecting 96 package versions with a combined 116,991 weekly downloads, per Aikido Security (June 1, 2026). The malicious packages were published through GitHub Actions OIDC tokens rather than long-lived npm publishing tokens — which Aikido and JFrog assessed as indicative of CI/CD pipeline compromise rather than individual developer credential theft. Attribution requires care here: the payload shares strong structural resemblance to the Mini Shai-Hulud worm associated with TeamPCP (UNC6780), but TeamPCP open-sourced that worm's code on May 12, 2026, meaning any actor now has access to the same techniques. Definitive attribution of Miasma to TeamPCP specifically is not currently possible, per Socket's analysis. Dark web monitoring firm Whiteintel separately reported detecting Red Hat GitHub credentials and session cookies in infostealer logs on April 13 and May 15, 2026, which may represent the initial access vector — a reported observation, not a confirmed causal link. Wiz Research published a second advisory on June 4, 2026, documenting a new campaign wave abusing binding.gyp for install-time code execution. Red Hat confirmed in RHSB-2026-006 that the compromise was limited to internal development tooling and that Red Hat Enterprise Linux is unaffected.
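Both install-time execution paths mentioned in this item (lifecycle hooks in package.json, and the binding.gyp vector Wiz documented) can be triaged mechanically before a package is allowed into a build. The following Python scanner is an added example, not tooling from Aikido, Wiz, Red Hat or npm; the two sample packages it writes are constructed, and the GYP action in the suspicious one is a neutral placeholder command, not any campaign's payload:

```python
"""Triage scanner for install-time code-execution vectors in an npm package.

Added example, not Aikido's, Wiz's, or Red Hat's tooling. It inspects an
unpacked package directory for the two places code runs at install time:
lifecycle hooks in package.json, and binding.gyp (npm runs 'node-gyp rebuild'
by default when binding.gyp exists and no install/preinstall script is
declared, and GYP 'actions' run arbitrary commands during that build).
The sample packages are constructed.
"""
import ast
import json
import re
import tempfile
from pathlib import Path

# Hooks npm runs while installing a dependency.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def parse_gyp(text: str) -> dict:
    """GYP files are Python-style dict literals with optional '#' comments, so
    after dropping comments ast.literal_eval parses them safely (no exec)."""
    without_comments = re.sub(r"(?m)#.*$", "", text)
    return ast.literal_eval(without_comments)


def scan_package(pkg_dir) -> list:
    """Return human-readable findings for every install-time execution path found."""
    pkg_dir = Path(pkg_dir)
    findings = []
    manifest = json.loads((pkg_dir / "package.json").read_text())
    scripts = manifest.get("scripts", {})
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append(f"lifecycle hook '{hook}' runs: {scripts[hook]}")

    gyp_path = pkg_dir / "binding.gyp"
    if gyp_path.exists():
        if "install" not in scripts and "preinstall" not in scripts:
            findings.append("binding.gyp present with no install script: "
                            "npm runs 'node-gyp rebuild' implicitly")
        for target in parse_gyp(gyp_path.read_text()).get("targets", []):
            for action in target.get("actions", []):
                cmd = " ".join(str(part) for part in action.get("action", []))
                findings.append(
                    f"binding.gyp target '{target.get('target_name')}' action "
                    f"'{action.get('action_name')}' executes: {cmd}"
                )
    return findings


def write_sample_package(root, with_install_vectors: bool) -> Path:
    """Write a constructed package under root; returns its directory."""
    pkg = Path(root) / ("suspicious-pkg" if with_install_vectors else "plain-pkg")
    pkg.mkdir()
    manifest = {"name": "@example/sample", "version": "1.0.0"}
    if with_install_vectors:
        manifest["scripts"] = {"postinstall": "node scripts/setup.js"}
        # Constructed GYP with an action. Legitimate native modules also use
        # actions (e.g. to generate sources), so this is a triage signal, not a verdict.
        (pkg / "binding.gyp").write_text(
            "{\n"
            "  'targets': [{\n"
            "    'target_name': 'addon',  # constructed\n"
            "    'sources': ['src/addon.cc'],\n"
            "    'actions': [{\n"
            "      'action_name': 'prebuild',\n"
            "      'inputs': [], 'outputs': ['gen/stamp'],\n"
            "      'action': ['node', 'scripts/prebuild.js'],\n"
            "    }],\n"
            "  }],\n"
            "}\n"
        )
    (pkg / "package.json").write_text(json.dumps(manifest))
    return pkg


def demo() -> dict:
    """Scan one constructed package of each kind; returns finding counts."""
    with tempfile.TemporaryDirectory() as tmp:
        plain = scan_package(write_sample_package(tmp, False))
        suspicious = scan_package(write_sample_package(tmp, True))
    return {"plain": len(plain), "suspicious": len(suspicious)}
```

Run it against an extracted tarball (`npm pack` output) rather than an installed node_modules tree, so the scan happens before anything has executed; every finding is a place to read the referenced script, not a verdict on its own.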

Watch for: Whether stolen OIDC tokens were used to pivot further into Red Hat's build infrastructure; downstream container images built from affected frontend packages during the exposure window; and propagation of the binding.gyp execution vector into other campaigns.

Confidence: High (compromise confirmed by multiple named firms; attribution to TeamPCP assessed as plausible, not confirmed)

Sources: Aikido Security, June 1, 2026; Wiz Research, June 1 and June 4, 2026; Red Hat RHSB-2026-006; The Hacker News, June 2026; Whiteintel via The Hacker News; JFrog, June 2026; Cybersecurity Dive, June 2026.

───────────────────────────────────────────────────

GTIG confirms first AI-generated zero-day: a criminal group used an LLM to find and weaponize a logic flaw, stopped before mass exploitation

Google's Threat Intelligence Group published findings on May 11, 2026 confirming with high confidence that a criminal threat actor used an AI model to develop a working zero-day exploit — a Python script bypassing two-factor authentication in a popular open-source web-based system administration tool by exploiting a hardcoded trust assumption in the login flow, per the Google Cloud Blog (May 11, 2026). The distinction between AI-generated and AI-assisted matters here and is worth being precise about. GTIG's conclusion that this exploit was generated — not merely assisted — rests on four forensic markers in the code artifact itself: an abundance of educational docstrings atypical of human-authored exploit code, a hallucinated CVSS score, textbook-clean Pythonic structure consistent with LLM training output, and a root-cause logic error of the type that static analysis scanners pass over but semantic reasoning about developer intent surfaces. GTIG disclosed the vulnerability to the vendor and disrupted the campaign before mass exploitation. The same report documents TeamPCP (UNC6780) compromising GitHub repositories tied to Trivy, Checkmarx, LiteLLM, and BerriAI in March 2026, embedding the SANDCLOCK credential stealer to harvest AWS keys and GitHub tokens for subsequent ransomware partnerships; the LiteLLM compromise is specifically flagged because that library routes traffic to multiple AI providers, meaning stolen API secrets potentially enable AI-assisted operations at enterprise scale. GTIG also documented APT45 (DPRK-linked) running systematic CVE analysis workflows through Gemini, and a China-linked group designated UNC2814 using expert-persona jailbreaking to research pre-authentication RCE flaws in TP-Link firmware and Odette File Transfer Protocol implementations. 
The logic-error root cause is the analytically significant detail: this class of semantic vulnerability is where LLM-assisted discovery has a structural advantage over traditional fuzzing — that observation is supported by GTIG's documented case, not by a broad survey of exploit tooling.

Watch for: Vendor disclosure identifying the targeted system administration tool — not yet publicly confirmed — and any independent reports of the patched vulnerability being rediscovered and weaponized since GTIG's intervention.

Confidence: High for GTIG's core finding; Moderate for broader inferences about the pace of AI-assisted exploit development across the threat landscape (this is a documented first case, not yet a documented pattern)

Sources: Google Cloud Blog / Google Threat Intelligence Group, May 11, 2026; Help Net Security, May 11, 2026; The Hacker News, May 2026.

───────────────────────────────────────────────────

Android June bulletin patches actively exploited Framework zero-day CVE-2025-48595, plus three critical Qualcomm flaws at CVSS 9.8

Google's June 2026 Android Security Bulletin (published June 1, 2026) addresses 124 vulnerabilities, including one zero-day — CVE-2025-48595 (CVSS 8.4) — that Google states "may be under limited, targeted exploitation," per BleepingComputer and Cyberinsider (June 2026). The flaw is a local elevation of privilege in the Android Framework component rooted in an integer overflow; successful exploitation requires no user interaction and no additional execution privileges beyond a local foothold, affecting Android 14, 15, 16, and 16-QPR2. Google did not disclose the discovering researcher, exploiting actor, or campaign scope. SC Media notes that Google's "limited, targeted exploitation" language in prior bulletins has historically correlated with commercial spyware or nation-state operations against high-value individuals — this is a pattern-based inference, not a confirmed attribution for CVE-2025-48595. Separately, the bulletin includes three critical Qualcomm closed-source component vulnerabilities — CVE-2025-47392, CVE-2026-25276, and CVE-2026-25277, all CVSS 9.8 — affecting hardware abstraction layers and requiring vendor-specific firmware updates on a separate delivery track from the Android OS patch.

Watch for: Whether CVE-2025-48595 is added to CISA's KEV catalog in the coming days; any researcher publication attributing exploitation to a named commercial spyware vendor or state actor; OEM patch timelines for the Qualcomm firmware fixes.

Confidence: High (active exploitation confirmed by Google); Low (spyware or nation-state attribution is a historical pattern inference, not a confirmed finding for this CVE)

Sources: Google Android Security Bulletin, June 1, 2026; BleepingComputer, June 2026; Cyberinsider, June 2026; SC Media, June 2026.

───────────────────────────────────────────────────

Exchange Server OWA zero-day CVE-2026-42897 exploited in the wild, permanent patch still pending

Microsoft confirmed active exploitation of CVE-2026-42897 (CVSS 8.1) in on-premises Exchange Server on May 15, 2026 — a cross-site scripting flaw in the Outlook Web Access component that allows an unauthenticated attacker to execute arbitrary JavaScript in a victim's browser session by sending a crafted email the target opens in OWA, per Help Net Security and The Hacker News (May 15, 2026). Affected versions are Exchange Server 2016, 2019, and Subscription Edition; Exchange Online is not affected. The impact is browser-session-scoped — credential theft, session hijacking, and internal phishing within OWA — not server-level compromise, per SOCPrime's technical analysis. CISA added CVE-2026-42897 to the KEV catalog on May 15, 2026, with a mandatory federal remediation deadline of May 29. Microsoft provided a temporary mitigation through its Exchange Emergency Mitigation Service while preparing a permanent fix; no threat actor has been publicly named in connection with active exploitation. The delivery mechanism — a crafted email — means every supported on-premises Exchange version is reachable simultaneously without requiring direct network access to Exchange services, making this class of vulnerability well-suited to broad targeting of organizations that have not migrated to Exchange Online.

Watch for: Whether tomorrow's Patch Tuesday (June 9) includes a permanent CVE-2026-42897 fix; anomalous OWA access log entries showing JavaScript execution in user sessions that the EEMS temporary mitigation may not fully suppress.

Confidence: High (exploitation confirmed by Microsoft; CISA KEV entry)

Sources: Help Net Security, May 15, 2026; The Hacker News, May 15, 2026; CISA KEV, May 15, 2026; SOCPrime, May 2026; Field Effect, May 2026.

───────────────────────────────────────────────────

Kyber ransomware deploys post-quantum key encapsulation against a U.S. defense contractor: cryptanalytic key recovery is off the table; backup recovery is not

Rapid7 documented the Kyber ransomware group in March 2026 during incident response at a major U.S.-based defense and aerospace contractor that provides communication, surveillance, and electronic warfare systems, per BleepingComputer and the Cloud Security Alliance (April 2026). As of this writing, the specific company has not been publicly named; however, Industrial Cyber adds that 141GB of data was leaked, including project files, internal builds, databases, and backup archives. The group deployed two variants simultaneously on the same network: a Rust-based Windows build that encrypts AES session keys using Kyber1024 — the CRYSTALS-Kyber post-quantum key encapsulation mechanism standardized by NIST as ML-KEM (FIPS 203) — and a Linux/ESXi build targeting VMware datastores with capabilities for VM termination and management interface defacement. Rapid7 described the dual-platform deployment as capable of causing a complete operational blackout. The post-quantum claim requires precision: organizations cannot recover files encrypted by this family through future cryptanalytic advances against the key material, because Kyber1024 is designed to resist quantum decryption. Backup-based recovery of data remains a viable path — the post-quantum algorithm changes what is possible against the encrypted key material, not what is possible against clean offline backups. Kaspersky's state of ransomware report (May 2026) also documents the PE32 family adopting the same NIST ML-KEM standard. The convergence worth tracking is that the same freely available, publicly standardized post-quantum algorithms defenders are deploying to protect communications are now appearing in ransomware toolchains.

Watch for: Kyber group victim disclosures establishing whether defense and IT services represents a deliberate sector focus; any CISA or NSA guidance specifically addressing post-quantum ransomware in the context of the defense industrial base.

Confidence: High (Rapid7 incident response is primary; post-quantum algorithm identification is technically confirmed; the "complete operational blackout" claim is Rapid7's own assessment of dual-variant deployment)

Sources: Rapid7 incident response, March 2026, via BleepingComputer, April 22, 2026; Cloud Security Alliance Lab Space, April 2026; Kaspersky Securelist state of ransomware report, May 2026.

───────────────────────────────────────────────────

TeamPCP open-sourced its worm and the ecosystem noticed: SLSA Build Level 3 provenance does not attest what most teams assume

Unit 42 (Palo Alto Networks) published a tracking report on June 2, 2026 documenting five distinct Shai-Hulud campaign waves since September 2025. TeamPCP's May 11, 2026 attack on TanStack's GitHub Actions CI pipeline is the clearest documented case: within six minutes of the initial vector triggering, 84 malicious package artifacts were published across 42 @tanstack/* packages, per Unit 42. That campaign produced the first malicious npm packages carrying valid SLSA Build Level 3 provenance attestation — meaning packages that would pass cryptographic supply chain verification while still delivering malicious payloads. The mechanism was OIDC token extraction directly from GitHub Actions runner process memory, per Tenable's Mini Shai-Hulud FAQ (May 2026). TeamPCP open-sourced the worm's code on May 12, 2026 — one day after the TanStack attack — which has already spawned copycat activity complicating future attribution, per Unit 42. The SLSA point deserves precise framing: SLSA Build Level 3 provenance attests that a build was produced by a specified pipeline. It does not attest that the pipeline itself was uncompromised at build time. When attackers compromise a pipeline and produce attestations from that environment, the provenance system is functioning as designed while attesting to a compromised artifact. This is not a failure of SLSA — it is a clarification of its scope that teams relying on provenance as a security control need to internalize.
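The SLSA scope point is easier to internalize in code. Below is an added Python example (not Unit 42's, Tenable's, npm's or the SLSA project's code) that builds a constructed in-toto Statement carrying a SLSA v1 provenance predicate in the shape npm's provenance attestations use (repository, workflow, builder and commit values are made up), runs the policy checks a consumer normally applies, and then shows that an artifact emitted by a compromised run of the same pipeline carries identical, policy-passing provenance. The one check that separates the two is an independent rebuild of the attested source, which provenance does not replace. Sigstore signature verification is out of scope here; the checks operate on the statement's claims:

```python
"""What SLSA Build L3 provenance does and does not establish, in code.

Added example, not Unit 42's, Tenable's, npm's or the SLSA project's code.
Builds a constructed in-toto Statement with a SLSA v1 provenance predicate,
applies consumer-side policy checks, and shows that an artifact from a
compromised run of the same pipeline passes them; only an independent rebuild
of the attested source tells the two apart. Signature verification is omitted.
"""
import hashlib

# Constructed policy: what a consumer of @example/widget expects provenance to say.
POLICY = {
    "repository": "https://github.com/example/widget",
    "workflow_path": ".github/workflows/release.yml",
    "builder_id": "https://github.com/actions/runner/github-hosted",
    "build_type": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
}

SOURCE_COMMIT = "0" * 40  # constructed placeholder commit id


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def reproducible_build(source: bytes) -> bytes:
    """Stand-in for a deterministic build: the artifact is a function of the source only."""
    return b"tarball:" + sha256_hex(source).encode()


def make_statement(artifact: bytes) -> dict:
    """Constructed SLSA v1 provenance for artifact, as the pipeline would emit it."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "pkg:npm/%40example/widget@1.2.3",
                     "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                "buildType": POLICY["build_type"],
                "externalParameters": {"workflow": {
                    "ref": "refs/tags/v1.2.3",
                    "repository": POLICY["repository"],
                    "path": POLICY["workflow_path"]}},
                "resolvedDependencies": [{
                    "uri": "git+" + POLICY["repository"] + "@refs/tags/v1.2.3",
                    "digest": {"gitCommit": SOURCE_COMMIT}}],
            },
            "runDetails": {"builder": {"id": POLICY["builder_id"]}},
        },
    }


def policy_check(statement: dict, artifact: bytes) -> list:
    """Checks a provenance consumer runs; returns violations (empty = pass).
    Every one of them is a claim about WHICH pipeline built the artifact."""
    problems = []
    if statement["predicateType"] != "https://slsa.dev/provenance/v1":
        problems.append("unexpected predicate type")
    subject_digests = {s["digest"]["sha256"] for s in statement["subject"]}
    if sha256_hex(artifact) not in subject_digests:
        problems.append("artifact digest not in subject")
    build = statement["predicate"]["buildDefinition"]
    wf = build["externalParameters"]["workflow"]
    if build["buildType"] != POLICY["build_type"]:
        problems.append("wrong build type")
    if wf["repository"] != POLICY["repository"] or wf["path"] != POLICY["workflow_path"]:
        problems.append("artifact not built from the expected repository/workflow")
    if statement["predicate"]["runDetails"]["builder"]["id"] != POLICY["builder_id"]:
        problems.append("unexpected builder")
    return problems


def rebuild_check(statement: dict, source: bytes) -> bool:
    """Independent check: does rebuilding the attested source reproduce the attested digest?
    This catches an artifact that a compromised pipeline built and honestly attested."""
    expected = sha256_hex(reproducible_build(source))
    return any(s["digest"]["sha256"] == expected for s in statement["subject"])


def scenario() -> dict:
    """Clean release vs. a release from the same pipeline while it was compromised."""
    source = b"constructed source tree @ " + SOURCE_COMMIT.encode()
    clean = reproducible_build(source)
    # The compromised run still ran the real workflow on the real commit; only the
    # output differs (a constructed marker stands in for injected content).
    compromised = clean + b"\n<constructed injected content marker>"
    clean_stmt, bad_stmt = make_statement(clean), make_statement(compromised)
    return {
        "clean_policy_ok": policy_check(clean_stmt, clean) == [],
        "compromised_policy_ok": policy_check(bad_stmt, compromised) == [],
        "clean_rebuild_ok": rebuild_check(clean_stmt, source),
        "compromised_rebuild_ok": rebuild_check(bad_stmt, source),
    }
```

Reading the scenario's result: both statements pass every policy check because every field truthfully describes the same repository, workflow and builder; provenance is doing exactly its job. Only the rebuild comparison flags the compromised artifact, which is the practical reason to pair provenance with reproducible builds (or at least a second, independently produced build) for anything treated as a trust boundary.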

Watch for: Campaign waves exploiting the open-sourced tooling by actors outside TeamPCP; npm, PyPI, or GitHub Actions registry responses around OIDC token scope restrictions; and propagation of the binding.gyp execution vector documented by Wiz on June 4, 2026 into non-Miasma campaigns.

Confidence: High (Unit 42 and Tenable documentation is primary; the SLSA framing is an analytical clarification of documented behavior, not an inference beyond the evidence)

Sources: Unit 42 / Palo Alto Networks, June 2, 2026; Tenable Mini Shai-Hulud FAQ, May 2026; NHS England Digital cyber alert CC-4781, May 2026; Wiz Research, June 4, 2026; Orca Security, May 2026.

───────────────────────────────────────────────────

North Korean operations account for 76% of cryptocurrency value stolen in 2026: fewer attacks, larger yields, tighter laundering infrastructure

TRM Labs data reported by Dark Reading (May 1, 2026) puts North Korean operations at approximately 76% of total cryptocurrency value stolen year-to-date in 2026. That figure reflects value, not incident count — a distinction that matters: a small number of very large DPRK operations can dominate dollar totals without implying DPRK involvement in most discrete theft incidents. Chainalysis's 2026 crypto hacking report (April 2026) documents DPRK achieving approximately $3.4 billion in total ecosystem theft in 2025 with 74% fewer known attacks than prior years, consistent with a deliberate shift toward fewer, higher-yield operations. Chainalysis documents a characteristic 45-day laundering cycle following major thefts, consistent preferences for Chinese-language OTC services, bridge protocols, and mixing services, and a cumulative lower-bound estimate of $6.75 billion stolen since the program began. The U.S. Department of State (January 12, 2026) confirmed DPRK cyber units stole an additional $400 million in the three months following that report's release, bringing 2025 totals above $2 billion, and assessed the DPRK cyber program as having reached sophistication approaching China and Russia. OFAC sanctioned six individuals and two entities on March 12, 2026 for facilitating IT worker fraud schemes generating nearly $800 million in 2024; Chainalysis noted a key facilitator converted approximately $2.5 million into cryptocurrency for DPRK IT workers between mid-2023 and mid-2025 across networks spanning Vietnam, Laos, and Spain.

Watch for: Any Bybit-scale incident at a major exchange or DeFi protocol in the second half of 2026; OFAC designations of additional facilitator networks; U.S. Congressional action on pending inquiries into exchange cybersecurity spending adequacy.

Confidence: High (TRM Labs and Chainalysis figures are from named primary sources; value-vs-count clarification is applied directly to the reported data)

Sources: TRM Labs via Dark Reading, May 1, 2026; Chainalysis crypto hacking report, April 2026; U.S. Department of State, January 12, 2026; OFAC press release, March 12, 2026; Chainalysis OFAC blog, March 12, 2026.

───────────────────────────────────────────────────

The ransomware ecosystem is bifurcating: post-quantum encryption on one end, no encryption at all on the other

Kaspersky's state of ransomware report (May 2026) documents a structural split in the extortion ecosystem: one faction is adopting post-quantum encryption to eliminate cryptanalytic key recovery as a victim option (Kyber using Kyber1024, PE32 using NIST ML-KEM), while another is abandoning encryption entirely in favor of pure data exfiltration and leak-site pressure. Kaspersky documents the shift toward encryptionless extortion as a direct response to the collapse in ransom payment rates — down to 28% of victims in 2025 from above 50% two years prior. ShinyHunters is the reference case: its data leak site is the entire monetization channel, with no encryption deployed. GuidePoint Security's Q1 2026 research (April 16, 2026) describes overall attack volume as having reached an elevated but stable baseline — steady quarter-over-quarter and year-over-year — suggesting the 2025 surge has reset baseline expectations rather than receded. On the law enforcement side: RAMP was seized in January 2026; LeakBase in March 2026; both followed the 2025 seizures of Nulled, Cracked, XSS, and the data leak sites of BlackSuit and 8Base, per Kaspersky. Qilin became the dominant ransomware group from Q2 2025 onward following RansomHub's dormancy. The bifurcation, if it holds, has a practical implication for defenders: the post-quantum encryption variant makes cryptanalytic key recovery irrelevant (though clean offline backups remain a recovery path), while the encryptionless variant makes backup recovery irrelevant to extortion pressure entirely — both strains may present similarly at initial detection while requiring distinct response postures. This is an analytical inference from the documented structural trend, not a confirmed operational observation.

Watch for: Additional ransomware families adopting NIST ML-KEM; Qilin affiliate recruitment activity as the dominant RaaS following RansomHub's exit; whether the encryptionless model expands to mid-market targets after enterprise-scale validation.

Confidence: Moderate-High (bifurcation trend supported by multiple named independent sources; defender response inference is explicitly labeled as analytical)

Sources: Kaspersky Securelist state of ransomware report, May 2026; GuidePoint Research and Intelligence Team Q1 2026 via Industrial Cyber, April 16, 2026; Cybersecurity Insiders, May 2026.


Jonathan Brown | Border Cyber Group bordercybergroup.com | Support independent security reporting

If you find our work helpful, buy us a coffee: https://bordercybergroup.com/#/portal/support