Threat alerts
Stay informed about the latest threats and vulnerabilities
Threat alert
May 14, 2026
Nightmare-Eclipse: GreenPlasma and YellowKey
In May 2026, a security researcher operating under the pseudonym "Nightmare-Eclipse" disclosed two new zero-day vulnerabilities in the Microsoft Windows ecosystem: GreenPlasma and YellowKey. This follows the researcher's previous zero-days (BlueHammer and RedSun), which were actively weaponised shortly after release.
May 14, 2026
Threat alert
May 6, 2026
CVE-2026-0300: Unauthenticated Remote Code Execution in the PAN-OS User-ID Authentication Portal
CVE-2026-0300 is a critical zero-day vulnerability affecting Palo Alto Networks PAN-OS firewalls. The flaw exists within the User-ID™ Authentication Portal and allows an unauthenticated, remote attacker to execute arbitrary code with root privileges via specially crafted network packets.
May 7, 2026
Threat alert
April 29, 2026
Windows Architecture Vulnerabilities: CVE-2026-32202 & PhantomRPC
As traditional security defences improve, advanced threat actors are increasingly targeting foundational architectural components within the Microsoft Windows operating system. Two recent vulnerabilities—CVE-2026-32202 and an unpatched flaw known as "PhantomRPC"—highlight this shift. Attackers are using logical flaws and protocol abuses to achieve stealthy initial access and rapid privilege escalation.
April 29, 2026
Threat alert
April 23, 2026
npm Supply-Chain Worm Attack
A sophisticated, self-propagating supply-chain worm has been identified within the Node Package Manager (npm) ecosystem. Initially spotted on 21 April 2026, the attack targets high-value endpoints, including AI agent tooling and database operations. Threat actors compromised multiple packages linked to Namastex Labs, most notably the embedded PostgreSQL server utility, pgserve. The malware behaves as a highly aggressive infostealer, harvesting developer credentials, browser data, cloud service keys, and cryptocurrency wallets. Crucially, the attack leverages a worm-like mechanism to recursively spread across both the npm and PyPI ecosystems using stolen publish tokens. To ensure persistence and evade law enforcement takedowns, the attackers exfiltrate stolen data to a decentralised Internet Computer Protocol blockchain canister.
April 23, 2026
Threat alert
April 17, 2026
Microsoft Defender Vulnerability Suite (CVE-2026-33825, RedSun, UnDefend)
The April 2026 security landscape was effectively upended by a researcher known as "Nightmare-Eclipse". Driven by a public grievance with Microsoft's Security Response Center (MSRC) over its vulnerability disclosure process, the researcher released a triad of weaponised zero-day exploits on GitHub. These tools (BlueHammer, RedSun and UnDefend) turned the operating system's primary defence mechanism into its greatest vulnerability. While Microsoft addressed BlueHammer in its April 2026 Patch Tuesday update, RedSun and UnDefend remain unpatched and are actively being exploited in the wild.
April 17, 2026
Threat alert
April 15, 2026
CVE-2026-34621: Adobe Acrobat Reader Prototype Pollution
Adobe released a security update (APSB26-43) to address CVE-2026-34621, a critical zero-day vulnerability in Adobe Acrobat and Reader. The flaw is an Improperly Controlled Modification of Object Prototype Attributes (prototype pollution) within the embedded JavaScript engine, and it has been exploited in the wild since at least November.
April 16, 2026
Threat alert
April 8, 2026
Qilin Ransomware Group
The Qilin ransomware group has recently emerged as one of the most active ransomware operations, executing highly sophisticated campaigns that leverage the "Bring Your Own Vulnerable Driver" (BYOVD) technique. This method is used to systematically disable or bypass endpoint detection and response (EDR) solutions. By side-loading a malicious dynamic-link library (DLL) named msimg32.dll, Qilin initiates a complex, multi-stage infection chain capable of blinding and terminating over 300 different EDR drivers from nearly every security vendor on the market. The group typically gains initial access via stolen credentials and operates methodically, deploying the ransomware payload an average of six days after the initial compromise to maximise impact.
April 8, 2026
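The alert above names the side-loaded DLL (msimg32.dll) but not how to hunt for it. The following is an added example, not Socura's code, that runs a simple detection over constructed Sysmon-style image-load events (Event ID 7): the real msimg32.dll lives only in System32 or SysWOW64, so a copy resolved from anywhere else, typically beside the host executable, is the side-load shape the alert describes. The event field names, the sample paths and the host executables are assumptions for the example.

```python
"""Added example (not Socura's code): flag msimg32.dll being loaded from
outside the Windows system directories, the DLL side-loading pattern the
alert attributes to Qilin. Events are constructed Sysmon-style Event ID 7
(ImageLoad) records; field names and paths are assumptions."""
from pathlib import PureWindowsPath

# Legitimate locations for the genuine msimg32.dll on 64-bit Windows.
SYSTEM_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)

# Constructed sample events, not real telemetry. Only the second and
# third loads resolve msimg32.dll from a non-system directory.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\msimg32.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\update\setup.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\update\msimg32.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Tool\tool.exe",
     "ImageLoaded": r"C:\Program Files\Tool\msimg32.dll", "Signed": "false"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
]


def sideload_reason(event, dll_name="msimg32.dll"):
    """Return a short reason string when an ImageLoad event shows dll_name
    resolved from a directory other than System32/SysWOW64, else None.
    The reason notes whether the DLL sits beside the host executable,
    which is the classic search-order side-load layout."""
    if event.get("EventID") != 7:
        return None
    loaded = PureWindowsPath(event.get("ImageLoaded", ""))
    if loaded.name.lower() != dll_name.lower():
        return None
    dll_dir = str(loaded.parent).lower()
    if dll_dir in SYSTEM_DIRS:
        return None
    host_dir = str(PureWindowsPath(event.get("Image", "")).parent).lower()
    if dll_dir == host_dir:
        return f"{dll_name} loaded from host directory {dll_dir}"
    return f"{dll_name} loaded from non-system directory {dll_dir}"


def find_sideloads(events, dll_name="msimg32.dll"):
    """Return (host image, reason) for every suspicious load in events."""
    hits = []
    for event in events:
        reason = sideload_reason(event, dll_name)
        if reason:
            hits.append((event["Image"], reason))
    return hits


if __name__ == "__main__":
    for image, reason in find_sideloads(SAMPLE_EVENTS):
        print(f"ALERT {image}: {reason}")
```

A hit on this rule is the first stage only; the BYOVD step that follows should be hunted separately with driver-load telemetry (Sysmon Event ID 6) checked against Microsoft's vulnerable driver blocklist, and the alert's six-day median dwell time means a single sideload event is worth investigating as an active intrusion rather than a one-off.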
Threat alert
March 31, 2026
Axios Supply Chain Attack
A highly critical supply chain attack was identified targeting the axios npm package, a widely used HTTP client library. The attack involved the hijack of a lead maintainer's npm account, which was then used to publish malicious versions of the library. These poisoned releases bypassed the project's established GitHub Actions CI/CD pipeline and injected a hidden dependency designed to drop a cross-platform Remote Access Trojan (RAT).
April 7, 2026
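Both the axios alert above and the npm worm alert earlier on this page describe the same defender-side problem: a release pushed from a hijacked account or a stolen publish token arrives as an ordinary version bump, and the malicious part is a dependency nobody asked for. The following is an added example, not Socura's or the axios project's code, that diffs two npm package-lock.json files (lockfileVersion 3) and reports dependencies a package newly declares, packages that newly appear, entries with no integrity hash, and entries flagged by npm as carrying install scripts. Both lockfiles are constructed; the package names other than axios and follow-redirects are placeholders, and the lockfile field names used (`packages`, `version`, `resolved`, `integrity`, `dependencies`, `hasInstallScript`) are those npm writes in a v3 lockfile.

```python
"""Added example (not Socura's or the axios project's code): diff two npm
package-lock.json (lockfileVersion 3) documents and surface the changes a
hijacked-maintainer release would introduce. Lockfiles are constructed;
package names other than axios / follow-redirects are placeholders."""
import json

BEFORE_LOCK = json.dumps({
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.0.0"}},
        "node_modules/axios": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/axios/-/axios-1.0.0.tgz",
            "integrity": "sha512-constructedA",
            "dependencies": {"follow-redirects": "^1.15.0"}},
        "node_modules/follow-redirects": {
            "version": "1.15.0",
            "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.0.tgz",
            "integrity": "sha512-constructedB"},
    }})

# Constructed "after" state: axios bumped one patch version and now pulls in a
# placeholder package that has an install script and no integrity hash.
AFTER_LOCK = json.dumps({
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "^1.0.0"}},
        "node_modules/axios": {
            "version": "1.0.1",
            "resolved": "https://registry.npmjs.org/axios/-/axios-1.0.1.tgz",
            "integrity": "sha512-constructedC",
            "dependencies": {"follow-redirects": "^1.15.0",
                             "placeholder-helper": "^0.0.1"}},
        "node_modules/follow-redirects": {
            "version": "1.15.0",
            "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.0.tgz",
            "integrity": "sha512-constructedB"},
        "node_modules/placeholder-helper": {
            "version": "0.0.1",
            "resolved": "https://registry.npmjs.org/placeholder-helper/-/placeholder-helper-0.0.1.tgz",
            "hasInstallScript": True},
    }})


def _packages(lock_text):
    return json.loads(lock_text).get("packages", {})


def _pkg_name(path):
    # "node_modules/@scope/name" or nested "node_modules/a/node_modules/b"
    # -> the last package name on the path.
    return path.split("node_modules/")[-1]


def diff_lockfiles(before_text, after_text):
    """Return (kind, package, detail) findings for the before -> after change.

    kinds: new_package, version_change, new_dependency (a package that
    changed version now declares a dependency it did not before),
    missing_integrity, install_script."""
    before, after = _packages(before_text), _packages(after_text)
    findings = []
    for path, pkg in after.items():
        if path == "":            # the root project entry, not a package
            continue
        name = _pkg_name(path)
        old = before.get(path)
        if old is None:
            findings.append(("new_package", name, pkg.get("version")))
        elif old.get("version") != pkg.get("version"):
            findings.append(("version_change", name,
                             f"{old.get('version')} -> {pkg.get('version')}"))
            added = set(pkg.get("dependencies", {})) - set(old.get("dependencies", {}))
            for dep in sorted(added):
                findings.append(("new_dependency", name, dep))
        if "integrity" not in pkg:
            findings.append(("missing_integrity", name, pkg.get("resolved")))
        if pkg.get("hasInstallScript"):
            findings.append(("install_script", name, pkg.get("version")))
    return findings


if __name__ == "__main__":
    for kind, name, detail in diff_lockfiles(BEFORE_LOCK, AFTER_LOCK):
        print(f"{kind:18} {name:20} {detail}")
```

Run this as a CI gate on pull requests that touch the lockfile, and install in CI with `npm ci` rather than `npm install` so the reviewed lockfile, not the registry's latest metadata, decides what lands on the build host. Because the npm worm alert describes propagation through stolen publish tokens, the same review should treat any newly appearing package as suspect even when the version bump itself looks routine: the token holder can publish whatever they like under a trusted name.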
Threat alert
March 26, 2026
Citrix NetScaler Vulnerabilities CVE-2026-3055 & CVE-2026-4368
A critical out-of-bounds (OOB) read vulnerability, identified as CVE-2026-3055, has been discovered in Citrix NetScaler ADC and NetScaler Gateway. The vulnerability allows unauthenticated attackers to remotely siphon sensitive data directly from the appliance's memory. A sibling vulnerability (CVE-2026-4368) was also identified, which can cause "session mixup," allowing low-privilege users to hijack high-privilege sessions.
April 7, 2026