The Lyceum: Cyber Intelligence Daily — May 22, 2026
Friday, May 22, 2026
The Big Picture
Three things define today. CISA fast-tracked two actively-exploited bugs onto its KEV catalog with a June 4 deadline — one in Langflow, the AI workflow tool your developers may already be running, and one in Trend Micro Apex One. Cisco simultaneously shipped a patch for a perfect-10 flaw in Secure Workload that hands out site-admin privileges to anyone who can reach the REST API. And ESET published a forensic teardown of a China-aligned crew called Webworm that's hiding its command traffic inside Discord and OneDrive — services your firewall waves through by default. The connective tissue: the things you trust to enforce trust are the things getting weaponized.
What Just Dropped
- CVE-2025-34291 — Langflow versions prior to 1.9.3: actively exploited (CISA KEV), CVSS 8.8 per backbone. Account takeover plus RCE via a CORS-and-CSRF chain; Trend Micro observed the Flodric botnet pivoting through compromised instances.
- CVE-2026-34926 — Trend Micro Apex One (on-premise): actively exploited (CISA KEV), no NVD score yet. Directory traversal lets a pre-authenticated local attacker modify a server-side table and push malicious code down to every managed endpoint.
- CVE-2026-20223 — Cisco Secure Workload 3.9 (migrate), 3.10 (fix in 3.10.8.3), 4.0 (fix in 4.0.3.17): patched, no in-wild reports yet, CVSS 10.0. Unauthenticated REST API access yields Site Admin privileges across tenant boundaries; SaaS is auto-patched, on-prem is on you.
- CVE-2026-41091 & CVE-2026-45498 — Microsoft Defender: actively exploited (CISA KEV), KEV deadline June 3. Local privilege escalation to SYSTEM and a denial-of-service against Defender itself — your AV is the attack surface.
- CVE-2026-39831 — Go x/crypto/ssh: patched. FIDO/U2F signatures accepted without the user-presence flag, meaning hardware keys could be used unattended — quietly erasing one of the main reasons you bought them.
- CVE-2026-46333 — Linux kernel (default Debian, Ubuntu, Fedora): public PoC available, CVSS 7.1. Nine-year-old ptrace race lets any unprivileged user read /etc/shadow and SSH host keys, then run as root.
- Cockpit unauthenticated RCE — Cockpit 327–359 admin console: public exploit, no vendor advisory in hand confirming in-wild use. SSH argument injection over the web console — turnkey code for an internet-exposed admin surface.
Today's Stories
CISA's KEV Clock Is Ticking on Your AI Workflow Tool and Your Endpoint Manager
The debate about whether these flaws are being exploited is over. You have until June 4.
CISA added CVE-2025-34291 in Langflow and CVE-2026-34926 in Trend Micro Apex One on-premise to its Known Exploited Vulnerabilities catalog on Thursday. The KEV catalog is CISA's "these are the fires actually burning right now" list — the signal that moves a vulnerability from "important" to "drop what you're doing."
Langflow is an open-source visual tool that lets developers drag-and-drop components to build AI agent workflows without writing much code. CVE-2025-34291 chains three weaknesses — overly permissive CORS configuration, a token refresh endpoint missing CSRF defenses, and a code execution endpoint that allows code execution by design — to achieve full account takeover and remote code execution when a logged-in user visits a malicious page, per Obsidian Security's writeup. Trend Micro researchers observed attackers deploying the Flodric botnet through compromised Langflow instances. The fix is version 1.9.3 or later.
The Trend Micro side is different but equally uncomfortable. CVE-2026-34926 is a directory traversal in Apex One on-premise that allows a pre-authenticated local attacker to modify a key server-side table, injecting malicious code that's then pushed to every managed agent. Your endpoint security management console — the thing supposed to deliver protection to every machine in your fleet — becomes the delivery vehicle.
What changes if you don't patch: Langflow servers exposed to the internet without authentication are now active targets; if you stood one up for AI experimentation and forgot about it, assume it's been scanned. The signal to watch: if Apex One exploitation expands from "active" to mass-deployment via managed service providers, expect emergency vendor advisories within days — that's the canary for whether attackers are using this for opportunistic ransomware or targeted espionage.
Cisco's Perfect-10 Flaw: No Password, No Problem, Full Admin Access
Cisco Secure Workload is the platform many enterprises use to enforce zero-trust security across their data centers — the thing that watches everything and stops lateral movement. The irony of today's disclosure writes itself.
CVE-2026-20223 is a CVSS 10.0 flaw stemming from insufficient validation and authentication in REST API endpoints, Security Affairs reports. The bug affects both SaaS and on-premises deployments. Attackers need no credentials, no user interaction, and no meaningful effort to exploit it, The Register notes. What they get is Site Admin privileges with access to site resources — and in a multi-tenant environment, cross-tenant access breaks the core promise of that architecture: that someone else's compromise isn't supposed to become your problem.
Cisco has already patched SaaS deployments; no customer action needed there. On-prem customers need version 3.10.8.3 or 4.0.3.17; anyone still on 3.9 or earlier needs to migrate. There are no workarounds. As of Cisco's advisory, there's no evidence of in-the-wild exploitation — but with a CVSS 10 and trivial attack complexity, that window won't stay open long.
What changes if exploitation begins: A single compromised Secure Workload instance hands an attacker the policy engine governing thousands of workloads across cloud and data center. The signal to watch: if this CVE shows up in CISA KEV within 48–72 hours, on-prem customers who haven't patched are in serious trouble — Cisco's last few perfect-10s followed exactly that trajectory.
China's Webworm Is Hiding Spy Traffic Inside Discord and Your OneDrive
Blocking malicious traffic at the firewall only works if the malicious traffic looks different from the legitimate kind. A China-aligned espionage crew called Webworm has rendered that assumption obsolete.
ESET researchers analyzed Webworm's 2025 activity and found the group has shifted focus from Asia to Europe, targeting government organizations in Belgium, Italy, Poland, Serbia, and Spain. The new tradecraft routes command-and-control traffic through services enterprises already trust and can't easily block. The EchoCreep backdoor uses Discord to upload files, send runtime reports, and receive commands. GraphWorm uses Microsoft Graph API exclusively against OneDrive endpoints to receive jobs and exfiltrate victim information, per ESET via StreetInsider.
ESET got an unusually clear view. Researchers decrypted over 400 Discord messages and discovered an attacker-operated server used for reconnaissance against more than 50 unique targets. WormFrp, one of Webworm's new proxies, retrieves its configuration from a compromised Amazon Web Services storage bucket belonging to an Indian jewelry store website. Hidden among thousands of jewelry images: encrypted text files configuring the malware, plus snapshots of an Italian government entity's virtual machine and a configuration file for a remote connection manager used by a Spanish government organization, Bank Info Security reports. The stolen Spanish file included credentials and passwords for a wide range of servers and firewalls — meaning Webworm likely still has persistent access.
What changes: Detection logic that depends on "where is this traffic going?" stops working when it's all going to discord.com and graph.microsoft.com. The defenders' job shifts to "which process on which host is initiating this?" — a much harder telemetry problem. The signal to watch: follow-on disclosures from the five named EU governments. National CERTs have surely been notified; how they respond — quiet remediation, public attribution, or coordinated diplomatic statement — tells you how seriously this is being taken at the policy level.
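A sketch of the "which process on which host is initiating this?" check described above, added here as an example and not taken from ESET or any vendor. The event tuples, the per-service process baseline, and the install-path markers are all assumptions to be replaced with your own telemetry and fleet baseline.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Assumed baseline (illustrative): binaries expected to reach each service.
BASELINE = {
    "discord.com": {"discord.exe", "chrome.exe", "msedge.exe"},
    "graph.microsoft.com": {"onedrive.exe", "outlook.exe", "msedge.exe"},
}
# Assumed install locations; an expected name outside them is flagged.
TRUSTED_DIR_MARKERS = (
    "\\program files\\", "\\program files (x86)\\",
    "\\appdata\\local\\discord\\", "\\appdata\\local\\microsoft\\onedrive\\")
# Constructed sample events: (host, initiating image, destination hostname).
SAMPLE_EVENTS = [
    ("ws-014", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "discord.com"),
    ("ws-014", r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "graph.microsoft.com"),
    ("srv-db02", r"C:\ProgramData\svc\updater.exe", "discord.com"),
    ("srv-db02", r"C:\ProgramData\svc\updater.exe", "discord.com"),
    ("ws-031", r"C:\Users\Public\OneDrive.exe", "graph.microsoft.com"),
    ("ws-031", r"C:\Windows\System32\svchost.exe", "login.example.org"),
]

def service_for(dest_host):
    """Map a destination hostname to a watched service, or None."""
    dest = dest_host.lower().rstrip(".")
    for service in BASELINE:
        if dest == service or dest.endswith("." + service):
            return service
    return None

def classify(image, dest_host):
    """Return a reason string when the initiating process is off-baseline."""
    service = service_for(dest_host)
    if service is None:
        return None  # destination is not one of the watched services
    path = image.lower()
    if PureWindowsPath(path).name not in BASELINE[service]:
        return "unexpected-process"
    if not any(marker in path for marker in TRUSTED_DIR_MARKERS):
        return "expected-name-unusual-path"
    return None

def triage(events):
    """Count off-baseline (host, image, service, reason) tuples."""
    return Counter(
        (host, image, service_for(dest), classify(image, dest))
        for host, image, dest in events if classify(image, dest))
```

On the constructed events, the browser and the real OneDrive client pass, while the server-side updater talking to Discord and the OneDrive.exe copy under C:\Users\Public are both surfaced even though every destination is one a firewall would allow.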
GitHub Says Its 3,800-Repo Breach Traces Back to the TanStack Supply-Chain Mess
Nobody had to break GitHub directly. They hitched a ride inside a trusted developer tool.
GitHub says the compromise of roughly 3,800 internal repositories came via a malicious version of the Nx Console VS Code extension, itself caught up in the broader TanStack npm supply-chain attack, BleepingComputer reports. The extension was briefly poisoned to harvest credentials and secrets for npm, AWS, Kubernetes, GitHub, and GCP/Docker. GitHub says it secured the employee device, rotated critical secrets, and has not found evidence customer data outside the affected repos was stolen.
The compromised Nx Console 18.95.0 was available only briefly — but a short poisoning window was enough. This is the software equivalent of a fake badge at a secure facility.
What changes: Developer tools are now part of the attack surface, not just the toolbox. The marketplace plugin you installed last quarter is a privileged process running on a machine with access to source code and cloud credentials. The signal to watch: copycats. Once one poisoned extension proves it can open doors at a company like GitHub, every organization with engineers using marketplace plugins should assume this tactic is about to get more crowded — and check whether their EDR vendor has finally figured out how to baseline VS Code extension behavior.
⚡ What Most People Missed
- Six new CVEs in Go's SSH library: Beyond the FIDO/U2F user-presence bypass, CVE-2026-39827 lets a client cause unbounded memory growth on the server by repeatedly opening rejected channels, and CVE-2026-39829 lets a crafted RSA modulus eat minutes of CPU per signature check. If you maintain Go-based SSH services, rebuilding isn't optional.
- Cockpit admin consoles got public unauthenticated RCE code: CVE-2026-4631 against Cockpit 327–359 dropped on Exploit-DB Thursday, with two trigger paths and nuclei templates already shipping detection. Internal-network admin tools are about to get scanned at scale.
- FUXA SCADA/HMI got the same treatment: CVE-2026-25895 is an unauthenticated path-traversal → arbitrary-file-write → RCE chain against FUXA up to 1.2.9; vendor's already shipped 1.2.10. Open-source industrial dashboards keep sliding from niche tooling into mainstream offensive playbooks.
- A patched Windows Snipping Tool bug got fresh offensive packaging: CVE-2026-33829 was patched in April, but Thursday's Exploit-DB drop expands the original PoC with HTTP NTLM capture and WPAD/LLMNR/mDNS poisoning, turning "click this weird link" into a credential-harvesting kit. Patched bugs don't stop being operationally relevant when somebody lowers the skill floor.
- APT28 weaponized a freshly-patched Office flaw in under 72 hours: SecurityWeek reports Russian military intelligence is already firing exploits at CVE-2026-33147, a CVSS 9.6 RCE in Microsoft Office's formula parser that Microsoft patched two days prior. The weaponization cycle keeps compressing — either APT28 had advance notice of patch details, or they have automation that reverse-engineers updates the moment they drop.
From the Foreign Press
CERT-UA Documents UAC-0057's Updated Toolkit: OYSTERFRESH, OYSTERSHUCK, and OYSTERBLUES
Ukraine's national CERT published a fresh advisory cataloging three new malware families deployed by the cluster it tracks as UAC-0057 — OYSTERFRESH, OYSTERSHUCK, and OYSTERBLUES. The OYSTER family has been a workhorse for this group's intrusions across Ukrainian and allied targets; three new variants appearing simultaneously points to a deliberate toolkit refresh, likely in response to improving detection coverage. When a cluster cycles its malware this systematically, defenders elsewhere should expect the new variants to surface in non-Ukrainian targeting within weeks — these techniques rarely stay geographically polite. Source: CERT-UA Article #6315762 — Ukrainian. No English-language coverage confirmed at time of publication.
Steam Pulls "Beyond The Dark" After Game Found to Contain Malware
The Russian security outlet Xakep reports that Steam has removed the game "Beyond The Dark" from its storefront after the title was found to contain malware. The specific payload and attribution aren't yet detailed in the Russian-language coverage, but the pattern is familiar — game distribution platforms have become a viable malware delivery channel because the install permissions users grant to games are exactly what attackers need. Combined with this week's news about poisoned VS Code extensions and npm packages, the broader trend is hard to miss: the trusted-software pipelines you depend on are all viable initial access vectors now. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
Malware "fast16" Reportedly Targeted Nuclear Weapons Development Sabotage
Xakep also reports on a malware family called "fast16" allegedly purpose-built for sabotaging nuclear weapons development. Specific targets and successful operations aren't elaborated, and attribution remains thin. But the framing alone is a notable signal. Destructive malware aimed at strategic weapons programs sits in a different category from espionage tooling — it implies an actor willing to cross thresholds that most state-sponsored crews avoid. Treat this as an early signal worth tracking rather than confirmed reporting, but the alleged intent is exactly the kind of capability that intelligence services worry about most. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If Cisco Secure Workload CVE-2026-20223 appears in CISA's KEV within 48–72 hours, it means opportunistic scanners have figured out the unauthenticated API path — and your on-prem patch window just collapsed.
- If any of the five EU governments named in ESET's Webworm report issues a public attribution statement, watch whether they coordinate with EU institutions or go solo — that distinction reveals whether Brussels has converged on a unified posture toward Beijing's cyber activity.
- If a second major developer-tool marketplace (JetBrains, Chrome Web Store) issues a poisoned-extension advisory in the next week, it stops being a GitHub problem and starts being a developer-supply-chain crisis with regulatory implications.
- If Microsoft issues an out-of-band patch for the Defender KEV entries, it signals exploitation has moved from targeted to opportunistic — the June 3 KEV deadline is the floor, not the ceiling.
- If the fast16 nuclear-sabotage malware reporting gets picked up by Western threat intel firms with corroborating telemetry, expect rapid escalation of disclosure pressure on whoever's deploying it.
The Closer
A botnet routed through a jewelry-store cloud bucket in India to steal Spanish firewall passwords; a Windows screenshot tool repurposed as a credential vacuum; a Cisco platform sold to enforce zero-trust shipping a flaw that hands out site-admin to anyone who knocks. The thing protecting the door, the thing taking the screenshot, the thing storing the wedding rings — all working as intended for someone, just not you. Stay paranoid.
Forward this to whoever in your org still thinks the marketplace plugin is part of the toolbox.