Canadian Cyber Security Journal

Cybersecurity Daily Brief — Monday, June 1, 2026

Here are today’s top cybersecurity stories for Monday, June 1, 2026.

Windows Netlogon CVE-2026-41089 Now Actively Exploited — Domain Controllers at Immediate Risk
Microsoft confirmed that CVE-2026-41089, a critical zero-click remote code execution flaw in Windows Netlogon, is now under active exploitation in the wild. Carrying a CVSS score of 9.8, the vulnerability allows unauthenticated attackers to send a specially crafted network request to a domain controller and execute arbitrary code without any user interaction. The flaw was patched in the May 12 Patch Tuesday release, but exploitation was confirmed on May 29. Organizations running unpatched Windows Server domain controllers face full Active Directory compromise risk. (Source: BleepingComputer)

Miasma Supply Chain Attack Compromises 32 Red Hat npm Packages — CI/CD Pipelines Weaponized
Wiz Research identified a supply chain compromise affecting at least 32 package releases under the @redhat-cloud-services npm namespace, averaging 80,000 weekly downloads. Dubbed “Miasma,” the campaign is linked to the Mini Shai-Hulud malware family and threat actor group TeamPCP. Malicious packages were published via hijacked GitHub Actions OIDC tokens. Each infected install executes a multi-stage loader that steals credentials from AWS, Azure, GCP, Kubernetes, GitHub Actions, npm, Bitwarden, and 1Password. The malware also hooks AI developer tools including Claude, Codex, Gemini, and Copilot. (Source: The Hacker News)

CISA Flags PAN-OS CVE-2026-0257 GlobalProtect Auth Bypass as Actively Exploited — June 1 Federal Deadline
CISA added CVE-2026-0257, an authentication bypass vulnerability in Palo Alto Networks PAN-OS GlobalProtect, to its Known Exploited Vulnerabilities catalog with a federal agency remediation deadline of June 1, 2026. Rapid7 documented successful exploitation beginning May 17, with two distinct attack waves traced to Vultr and Dromatics Systems infrastructure. The flaw allows unauthenticated attackers to bypass authentication and establish unauthorized VPN connections on affected firewalls. Palo Alto Networks has patches available. (Source: Help Net Security)

CIFSwitch: 19-Year-Old Linux Kernel Flaw Gives Root Access Across Multiple Distributions
A new local privilege escalation vulnerability dubbed CIFSwitch was publicly disclosed following a linux-distros embargo, with a public proof-of-concept exploit available at disclosure. The flaw, introduced in 2007, lets a local attacker abuse the kernel’s CIFS key request mechanism, force a namespace switch, and load a malicious NSS module to achieve root code execution. Enterprise Linux distributions including CentOS Stream 9, Rocky Linux 9, AlmaLinux 9, and SLES 15 SP7 are confirmed vulnerable in default configurations. Patched kernels were available at public disclosure. (Source: BleepingComputer)

ChatGPT Share Links Abused to Host Fake Outage Pages and Deliver Malware
Push Security uncovered a campaign dubbed LLMShare in which threat actors abuse ChatGPT’s content-sharing feature to host fake OpenAI outage pages on the legitimate chatgpt.com domain. Google ads direct users to the shared page, which claims the web version is unavailable and prompts a desktop app download. The link redirects to a cloaked site serving malware installers for both Windows and macOS. The technique exploits user trust in the chatgpt.com domain. (Source: BleepingComputer)

BTMOB Android RAT Offered as Malware-as-a-Service With No-Code Builder
Security researchers disclosed BTMOB, a new Android remote access trojan sold as a malware-as-a-service platform with a no-code payload builder. Available at $700 per month or $5,000 for a lifetime license, BTMOB enables remote screen viewing, credential overlay harvesting, message interception, and full file exfiltration. ESET reports the platform is openly advertised on the clearweb and primarily targets users in Brazil and Latin America, though its MaaS model extends its reach globally. (Source: BleepingComputer)

Dashlane Users Locked Out After Brute-Force Campaign Triggers Account Suspensions
Dashlane confirmed a brute-force attack on May 31 targeting user accounts, triggering automated suspensions. Users received failed login notifications from locations including Korea and Russia before their accounts were suspended. Dashlane resolved the incident and found no platform compromise, but some users reported continuing login issues. Password manager accounts represent a high-value target as compromise exposes all stored credentials. (Source: BleepingComputer)

Microsoft Rejects Critical Azure Backup for AKS Vulnerability Report — No CVE Issued
Researcher Justin O’Leary disclosed that Microsoft rejected his report of a privilege escalation flaw in Azure Backup for AKS that allowed a Backup Contributor role user to obtain cluster-admin access. Microsoft argued the issue required pre-existing admin access, a characterization O’Leary disputes. After Microsoft contacted MITRE recommending against CVE assignment, CERT/CC closed the case under CNA hierarchy rules. A silent patch was later applied. (Source: BleepingComputer)

Cisco Patches ISE CVE-2026-20029 After Public Proof-of-Concept Released
Cisco released updates for Identity Services Engine addressing CVE-2026-20029, an XXE vulnerability in the web management interface licensing feature. Rated CVSS 4.9, the flaw requires admin credentials, but a public proof-of-concept exploit is now available. Exploitation allows arbitrary file reads from the underlying OS. Cisco reports no known malicious exploitation and recommends immediate upgrade as no workaround exists. (Source: BleepingComputer)

Stay tuned for today’s in-depth analysis posts.
