Threat Intelligence - RH-ISAC Blog

Account fraud isn’t a one-off event, it’s an industry. Operators run shops, set prices, manage stock and respond to customers. They specialize, collaborate, and follow the money into whichever industries are paying out. For a retailer, it is a customer’s account quietly emptied of points, gift card credit and stored payment value. For a quick…

Executive Summary According to a report from the Microsoft Defender security research team published on 6 May 2026,an active “ClickFix” campaign is targeting macOS users through fake utility and troubleshooting lures. The campaign uses deceptive prompts masquerading as system fixes or macOS utilities to trick users into manually executing malicious terminal commands. In the past two…

Executive Summary On 5 May 2026, ESET researchers reported that a North Korea-aligned threat group known as ScarCruft executed a supply chain attack against a video gaming platform serving ethnic Koreans in China’s Yanbian region, planting backdoors in both Windows and Android versions of the platform’s games to turn a trusted service into a covert espionage tool. Key Takeaways…

Executive Summary  On 20 April 2026 Wiz Research uncovered a critical vulnerability (CVE-2026-3854) in GitHub’s internal git infrastructure affecting both GitHub.com and GitHub Enterprise Server. By exploiting an injection flaw in GitHub’s internal protocol, any authenticated user could execute arbitrary commands on GitHub’s backend servers with a single git push command – using nothing but a standard git client.   Affected…

Executive Summary According to a report from Xint published on 29 April 2026, a Linux kernel vulnerability named “Copy Fail” has affected multiple major Linux distributions released since 2017. The flaw, designated CVE-2026-31431, allows a local, unprivileged user to escalate privileges to root by exploiting improper handling of data copying within the kernel. The vulnerability enables potential threat actors…

Executive Summary Security researchers from Socket have discovered that version 2026.4.0 of Bitwarden CLI has been compromised through a poisoned GitHub Actions workflow. This incident is part of the broader Checkmarx supply chain campaign and specifically impacts the npm distribution used by developers and automated build environments. The malicious payload executes credential-harvesting routines targeting cloud service providers, SSH…

Executive Summary Unit 42 has responded to numerous incidents since February 2026 involving data theft and extortion across various industries. We attribute a specific portion of this financially-motivated activity with moderate confidence to the activity cluster CL-CRI-1116, which overlaps with public reporting on BlackFile, UNC6671 and Cordial Spider.  This blog is designed to provide RH-ISAC…

Executive Summary ESET Researchers discovered a new variant of the NGate malware family that abuses a legitimate Android application called HandyPay, instead of the previously leveraged NFCGate tool. The malicious code allows attackers to transfer NFC data from the victim’s payment card to their own device and use it for contactless ATM cash-outs and unauthorized payments, while also capturing the victim’s payment…

Executive Summary Infrastructure provider Vercel disclosed a significant security incident, stemming from a compromise of the third-party AI tool Context[.]ai. A highly sophisticated threat actor leveraged a hijacked OAuth token from a Vercel employee to gain unauthorized access to internal environments and non-sensitive environment variables. ShinyHunters has claimed responsibility for the breach, allegedly offering the exfiltrated data for sale…

Executive Summary On 3 April 2026, a disgruntled security researcher publicly released a working proof-of-concept for an unpatched Windows local privilege escalation (LPE) vulnerability named BlueHammer. The flaw combines a time-of-check to time-of-use (TOCTOU) race condition and path-confusion issue in Windows Defender’s signature-update mechanism. It allows a low-privileged local user to access the SAM database,…