Critical GitHub RCE Vulnerability CVE-2026-3854 Allows Arbitrary Commands

Executive Summary On 20 April 2026 Wiz Research uncovered a critical vulnerability (CVE-2026-3854) in GitHub’s internal git infrastructure affecting both GitHub.com and GitHub Enterprise Server. By exploiting an injection flaw in GitHub’s internal protocol, any authenticated user could execute arbitrary commands on GitHub’s backend servers with a single git push command, using nothing but a standard git client. Affected…

Linux “Copy Fail” Vulnerability Enables Privilege Escalation Across Distributions

Executive Summary According to a report from Xint published on 29 April 2026, a Linux kernel vulnerability named “Copy Fail” has affected multiple major Linux distributions released since 2017. The flaw, designated CVE-2026-31431, allows a local, unprivileged user to escalate privileges to root by exploiting improper handling of data copying within the kernel. The vulnerability enables potential threat actors…

Bitwarden CLI Compromised in Broader Checkmarx Supply Chain Campaign

Executive Summary Security researchers from Socket have discovered that version 2026.4.0 of Bitwarden CLI has been compromised through a poisoned GitHub Actions workflow. This incident is part of the broader Checkmarx supply chain campaign and specifically impacts the npm distribution used by developers and automated build environments. The malicious payload executes credential-harvesting routines targeting cloud service providers, SSH…

Extortion in the Enterprise: Defending Against BlackFile Attacks

Executive Summary Unit 42 has responded to numerous incidents since February 2026 involving data theft and extortion across various industries. We attribute a portion of this financially motivated activity, with moderate confidence, to the activity cluster CL-CRI-1116, which overlaps with public reporting on BlackFile, UNC6671 and Cordial Spider. This blog is designed to provide RH-ISAC…

New NGate Variant in Trojanized NFC Payment App

Executive Summary ESET Researchers discovered a new variant of the NGate malware family that abuses a legitimate Android application called HandyPay, instead of the previously leveraged NFCGate tool. The malicious code allows attackers to transfer NFC data from the victim’s payment card to their own device and use it for contactless ATM cash-outs and unauthorized payments, while also capturing the victim’s payment…

Vercel Discloses Unauthorized Access to Internal Systems; ShinyHunters Claims Responsibility

Executive Summary Infrastructure provider Vercel disclosed a significant security incident stemming from a compromise of the third-party AI tool Context[.]ai. A highly sophisticated threat actor leveraged a hijacked OAuth token belonging to a Vercel employee to gain unauthorized access to internal environments and non-sensitive environment variables. ShinyHunters has claimed responsibility for the breach, allegedly offering the exfiltrated data for sale…

BlueHammer Windows Local Privilege Escalation Zero-Day Publicly Released

Executive Summary On 3 April 2026, a disgruntled security researcher publicly released a working proof-of-concept for an unpatched Windows local privilege escalation (LPE) vulnerability named BlueHammer. The flaw combines a time-of-check to time-of-use (TOCTOU) race condition and path-confusion issue in Windows Defender’s signature-update mechanism. It allows a low-privileged local user to access the SAM database,…

Active Data Theft Campaign Targeting Snowflake Customers via Anodot Third-Party SaaS Integration Breach

Executive Summary On 7 April 2026, open-source reporting indicated that multiple companies had suffered data theft attacks after a SaaS integration provider was breached and its authentication tokens were stolen. While numerous cloud storage and SaaS vendors were targeted using the stolen tokens, the majority of the data theft attacks targeted the cloud-based data warehouse platform Snowflake…

Axios npm Package Compromised to Deliver Remote Access Trojan

Executive Summary According to a report from StepSecurity, on 30 March 2026 an unnamed threat actor compromised an npm account associated with the Axios library and published malicious package versions, impacting developers and organizations relying on the dependency. The threat actor published backdoored versions 1.14.1 and 0.30.4 that included a hidden malicious component designed…

Chinese Threat Actors Implant BPFdoor in Telecom Networks

Executive Summary According to a report from Rapid7 Labs, the Chinese threat actor Red Menshen is targeting telecommunication networks in undisclosed regions with the goal of carrying out espionage against corporate and government agencies. This campaign, reported on 26 March 2026, has been a long-term operation that gained access to critical telecom environments for an extended period…
