The Lyceum: Cyber Intelligence Daily — May 30, 2026
Saturday, May 30, 2026
The Big Picture
The infrastructure you trust most — your VPN gateway, your self-hosted Git server, your developer's npm install — is exactly what's being broken into this weekend. Three live exploitation stories landed within hours of each other: an actively exploited Palo Alto GlobalProtect authentication bypass with a federal deadline that expires Monday, an unpatched Gogs RCE with a working Metasploit module already public, and a 17-million-device botnet that the Dutch police took offline overnight without naming a single suspect. The through-line: defenders are now patching the things that were supposed to be doing the defending.
What Just Dropped
- CVE-2026-0257 — Palo Alto Networks PAN-OS GlobalProtect: actively exploited, no NVD score yet (CISA KEV confirmed); authentication bypass via forged override cookies on firewalls with GlobalProtect enabled and specific certificate setup. Federal remediation deadline is Monday, June 1.
- Gogs argument injection RCE — Gogs 0.14.2 and 0.15.0+dev: no patch, Rapid7 scores it CVSS 9.4, working Metasploit module already public. Any authenticated user can inject --exec into git rebase via a malicious branch name.
- CVE-2026-48172 — LiteSpeed cPanel Plugin: CISA KEV, privilege escalation to root on shared hosting. Federal deadline was Friday, May 29 — already passed for agencies that missed it.
- CVE-2026-8398 — Daemon Tools Lite: CISA KEV, unspecified high-impact vulnerability. Federal deadline is today, May 30.
- Microsoft npm typosquatting campaign — 14 malicious packages impersonating OpenSearch, ElasticSearch, and DevOps libraries; harvested AWS credentials, HashiCorp Vault tokens, GitHub Actions secrets, and npm publish tokens during npm install. Packages taken down, but rotation work remains.
- 33-package dependency confusion campaign — Separate Microsoft disclosure: malicious npm packages profiling developer environments to map CI/CD and desktop systems for follow-on attacks.
Today's Stories
Your VPN Gateway Is Being Actively Exploited — Patch PAN-OS by Monday
Someone may already be inside your network without ever stealing a password.
CISA added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog on May 29, requiring U.S. federal civilian agencies to remediate it by Monday, June 1. Palo Alto's advisory describes the flaw as a CVSS 7.8 authentication bypass affecting firewalls with GlobalProtect portal or gateway enabled, specifically when authentication override cookies are turned on and a particular certificate setup exists. In plain terms: if your firewall reuses the same certificate for two jobs, an attacker can grab the public key from your HTTPS service and forge a fake "I'm already logged in" cookie — no username, no password, no MFA required.
Rapid7 MDR identified successful exploitation across numerous customers, with the earliest observed exploitation dating to May 17. A second wave hit on May 21 from the hosting provider Dromatics Systems, and Rapid7 believes both waves are likely from the same threat actor based on a consistent MAC address. In that second wave, some victims received full VPN IP assignments after the cookie authentication, giving attackers direct access to internal networks. The Hacker News confirms active exploitation and the Monday remediation deadline.
The patch window is still open through the weekend. Disabling the Authentication Override options for cookie generation and acceptance in the GlobalProtect configuration is a one-config mitigation that doesn't require a maintenance window. What failure looks like: the same hosting infrastructure pivoting to a third wave on Monday morning, against organizations that assumed the federal deadline didn't apply to them. Watch whether Rapid7 or Palo Alto names the threat actor in the next 48 hours — the consistent MAC and Dromatics Systems hosting are specific enough that attribution is coming.
Fixed versions include PAN-OS 12.1.4-h6, 11.2.12, 11.1.15, and 10.2.18-h6. Panorama and Cloud NGFW are not affected.
Gogs Has a Critical Zero-Day, No Patch, and a Working Exploit Module
If your team runs Gogs as an internal GitHub alternative, this one needs attention before Monday standup.
Rapid7 disclosed an authenticated remote code execution flaw in Gogs's "Rebase before merging" workflow, scoring it CVSS 9.4 against versions 0.14.2 and 0.15.0+dev. The Hacker News explains the mechanism: any authenticated user can achieve RCE by creating a pull request with a malicious branch name that injects the --exec flag into git rebase during the merge. SecurityWeek points out that Gogs ships with open registration enabled by default and no limit on repository creation — "authenticated attacker" is a bar that takes about 30 seconds to clear on a default install. A security researcher reported the issue to project maintainers in mid-March. The project still has no patch. The Register confirms a public Metasploit module is now out.
Act on this today and you can set DISABLE_REGISTRATION = true and MAX_CREATION_LIMIT = 0 in app.ini to block the trivial unauthenticated path, then audit repositories for branch names beginning with -- to catch existing attempts. Don't act, and a Metasploit module sits in the wild all weekend against a product where successful exploitation grants read access to every repository on the instance — password hashes, API tokens, SSH keys, 2FA secrets, source code. The observable signal is GreyNoise or Shodan scanning telemetry against port 3000 in the next 24 hours.
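One way to run the branch-name audit described above, as an added Python example that is neither Gogs code nor Rapid7's tooling: it flags branch names a git subcommand would parse as an option (anything beginning with a dash, such as --exec=...) together with names that break git's ref-name rules, and shows how to hand refs to a rebase so they can never be read as options. The assumed command shape (git rebase <base> <head>), the helper names and the sample ref list are constructed for illustration.

```python
import re
import subprocess
from typing import Iterable, List

# Anything starting with "-" is parsed as an option by git subcommands
# (git rebase would read "--exec=<cmd>" as an instruction to run <cmd>).
OPTION_LIKE = re.compile(r"^-")
# Conservative subset of the rules `git check-ref-format` enforces.
FORBIDDEN = re.compile(r"(\.\.|@\{|[\x00-\x20~^:?*\[\\]|//|\.lock$|/\.|^\.|/$|^/|\.$)")

def is_suspicious_ref(name: str) -> bool:
    """True when a branch name could smuggle an option or breaks ref syntax."""
    return not name or bool(OPTION_LIKE.match(name) or FORBIDDEN.search(name))

def audit_refs(short_names: Iterable[str]) -> List[str]:
    """Subset of branch names that merit investigation, sorted for reporting."""
    return sorted({n for n in short_names if is_suspicious_ref(n)})

def list_branches(repo_path: str) -> List[str]:
    """Short branch names of a (bare) repository, one per line from git."""
    proc = subprocess.run(
        ["git", "-C", repo_path, "for-each-ref",
         "--format=%(refname:short)", "refs/heads/"],
        check=True, capture_output=True, text=True)
    return proc.stdout.splitlines()

def rebase_argv(base: str, head: str) -> List[str]:
    """argv for a rebase step (assumed shape: git rebase <base> <head>).
    Refs are validated, then fully qualified so neither can start with "-"."""
    for ref in (base, head):
        if is_suspicious_ref(ref):
            raise ValueError(f"refusing unsafe ref name: {ref!r}")
    return ["git", "rebase", f"refs/heads/{base}", f"refs/heads/{head}"]

# Constructed sample of what list_branches() might return for one repository
# after an injection attempt (illustrative names, not real data).
SAMPLE_REFS = ["main", "feature/login-form", "--exec=id", "release/1.2", "-x"]

if __name__ == "__main__":
    for name in audit_refs(SAMPLE_REFS):
        print("suspicious branch name:", name)
```

On a live instance, loop list_branches() over every bare repository under the Gogs data directory and feed the results to audit_refs().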
This is the second Gogs zero-day in six months. The project's patch cadence is now a structural problem, not a one-off.
Dutch Police Tear Down a 17-Million-Device Botnet — And Nobody's Named the Operators
Two hundred servers. Seventeen million infected devices. All the infrastructure physically located in the Netherlands — and not a single suspect named.
The Dutch National Police and the country's National Cyber Security Center seized those 200 servers controlling a botnet spanning computers, mobile phones, IoT devices, and routers, per Help Net Security. The investigation began when a security researcher tipped off the NCSC, which traced the infrastructure to a local hosting provider. Cybercrime specialists at The Hague Police Unit seized the servers, and the provider shut down the botnet after realizing it was being used for criminal purposes, according to The Register.
Dutch news outlet NL Times reports that the botnet is part of the infrastructure underpinning Asocks, a commercial residential and mobile proxy network. That framing matters: residential proxy networks rent out infected devices as anonymous internet exit points, letting criminals route attacks through what looks like a home broadband connection in Amsterdam or Austin. Neither the police nor NCSC-NL revealed the botnet's name — an oddity for takedowns of this kind — and did not detail exactly what devices were enrolled.
If Dutch prosecutors name suspects this week, it would be the first major residential-proxy-network criminal prosecution in Europe, and a signal that law enforcement is treating proxy-network operators as criminal infrastructure rather than just the people who rent them. The real risk is 17 million still-infected endpoints whose malware hasn't been removed, waiting for new C2 infrastructure to come online. Just before announcing the takedown, NCSC-NL published a blog calling the rise of residential proxy networks a "worrying trend" — Risky Business notes the same.
The observable signal: whether the malware on those 17 million devices reconnects to a new controller before defenders clean them up.
Microsoft Caught a Live npm Campaign Stealing AWS, Vault, and CI/CD Secrets
The attack is old-school in spirit and modern in execution.
Microsoft Threat Intelligence disclosed on May 28 that a single actor published 14 malicious npm packages under a newly created maintainer alias, designed to impersonate familiar OpenSearch, ElasticSearch, DevOps, and environment-config libraries. Once installed, the packages harvested AWS credentials, HashiCorp Vault tokens, GitHub Actions secrets, and npm publish tokens. The malicious code ran automatically during npm install, and later variants used the legitimate Bun runtime as a loader to stay quieter. Stolen npm publish tokens and cloud secrets let an attacker pivot downstream into build systems, production environments, and other packages. Microsoft says the packages and accounts were taken down after notification.
A separate Microsoft Security Blog post the next day described 33 malicious npm packages abusing dependency confusion to profile developer environments — a different campaign with the same shape. Identifying systems that installed the affected versions on or after May 28, rotating exposed cloud and pipeline tokens, and disabling install scripts where practical closes the window before stolen tokens get used. The slow-burn failure mode: an AWS credential exfiltrated Thursday becomes a production breach in July, attributed to "unknown initial access vector." Watch for a named victim disclosure in the next two weeks — that's how long it typically takes for stolen CI/CD tokens to convert into a visible incident.
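A defender-side audit of an installed node_modules tree in the spirit of the mitigations above, as an added Python example that is not Microsoft's tooling or code from either report: it reports packages that declare install-time lifecycle scripts (the hook the campaign ran under) and package names within edit distance 2 of a watchlist of well-known names. The watchlist, the function names and the sample package.json contents are constructed for illustration, not the packages from the disclosures.

```python
import json
from typing import Dict, List, Tuple

# npm runs these hooks automatically during `npm install`; the campaign's theft ran here.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Constructed watchlist of legitimate names typosquats imitate (not names from the report).
WATCHLIST = ["opensearch", "elasticsearch", "dotenv"]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character name tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def closest_watchlist_match(name: str) -> Tuple[str, int]:
    return min(((w, edit_distance(name, w)) for w in WATCHLIST), key=lambda t: t[1])

def audit_package(pkg_json: str) -> List[str]:
    """Findings for one package.json text: install hooks and near-miss names."""
    pkg = json.loads(pkg_json)
    name = pkg.get("name", "")
    findings = []
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook in INSTALL_HOOKS:
            findings.append(f"{name}: runs '{cmd}' on {hook}")
    match, dist = closest_watchlist_match(name)
    if 0 < dist <= 2:  # an exact match is the real package, not a squat
        findings.append(f"{name}: looks like a typosquat of {match} (edit distance {dist})")
    return findings

def audit_tree(packages: Dict[str, str]) -> Dict[str, List[str]]:
    """Map node_modules path -> package.json text to its non-empty finding list."""
    results = {path: audit_package(text) for path, text in packages.items()}
    return {path: f for path, f in results.items() if f}

# Constructed sample tree (not real packages).
SAMPLE_TREE = {
    "node_modules/elasticsearc/package.json": json.dumps(
        {"name": "elasticsearc", "scripts": {"postinstall": "node setup.js"}}),
    "node_modules/dotenv/package.json": json.dumps(
        {"name": "dotenv", "scripts": {"test": "tap"}}),
    "node_modules/express/package.json": json.dumps({"name": "express"}),
}
```

For a real tree, feed audit_tree() the text of every node_modules/**/package.json; setting ignore-scripts=true in .npmrc is the project-level switch that stops these hooks running at all.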
The software supply chain is now close enough to touch your cloud keys.
⚡ What Most People Missed
- ChatGPT share links are being weaponized as a malware delivery channel: Threat actors are abusing ChatGPT's content-sharing feature to display fake OpenAI outage pages that redirect users to download malware disguised as the ChatGPT desktop application, per BleepingComputer. This is distinct from the AI cryptojacking story earlier this week — this exploits the trust users place in a ChatGPT-branded URL, not the AI itself.
- An LLM agent ran the post-exploitation phase of a real intrusion: Attackers exploited CVE-2026-39987 (a pre-auth RCE in Marimo notebooks ≤0.20.4) and then deployed an LLM agent that stole cloud credentials, retrieved an SSH key from AWS Secrets Manager, and exfiltrated a PostgreSQL database across eight SSH sessions in under two minutes. This is the third named threat actor in two weeks using LLM-driven tooling — the trigger condition we flagged on May 29 has fired.
- A malicious npm package targeted Claude's own working directory: OX Security found a package called mouse5212-super-formatter masquerading as a GitHub sync utility while harvesting data from /mnt/user-data — the directory Claude uses to store uploaded files and outputs. It had 676 downloads at disclosure and accidentally exposed the attacker's own GitHub token in the code. AI-assistant workspace theft is now its own attack surface. [Source: Xakep — Russian]
- Cisco Talos mapped ten distinct activity clusters exploiting Cisco SD-WAN vulnerabilities to deliver cryptocurrency miners, credential stealers, backdoors, and webshells alongside the sixth SD-WAN zero-day of 2026 (CVE-2026-20182). When ten distinct groups are working the same product line, exploitation has crossed from targeted to opportunistic.
- Huntress confirmed in-the-wild use of Nightmare-Eclipse tooling — specifically BlueHammer, RedSun, and UnDefend — in a live FortiGate VPN intrusion, per its own incident response telemetry. The gap between "researcher publishes exploit to make a point" and "that exploit appears in a real intrusion" has collapsed to days.
From the Foreign Press
CERT-UA: UAC-0057 has refreshed its toolkit with OYSTERFRESH, OYSTERSHUCK, and OYSTERBLUES
Ukraine's CERT-UA published an updated advisory cataloging three new malware families deployed by the cluster it tracks as UAC-0057 — a group long associated with Belarus-aligned operations against Ukrainian and EU institutions. The advisory documents OYSTERFRESH, OYSTERSHUCK, and OYSTERBLUES as the current toolkit, replacing earlier variants. CERT-UA bulletins on this cluster have historically appeared days to weeks before Western threat-intel firms publish parallel coverage, giving defenders working in Ukrainian or EU public-sector supply chains a meaningful timing advantage. Source: CERT-UA Advisory #6315762 — Ukrainian. No English-language coverage confirmed at time of publication.
Xakep: Fluffy Wolf hit Russian companies with previously undocumented malware
Russian-language outlet Xakep reports that the threat cluster Fluffy Wolf attacked Russian organizations using a malware family that hasn't surfaced in Western reporting yet. The framing matters because Russian-on-Russian cybercrime reporting often signals either an internal criminal market shift or a counterintelligence operation surfacing publicly — both of which tend to precede broader campaigns against non-Russian targets within weeks. Source: Xakep — Russian. No English-language coverage confirmed at time of publication.
Check Point: AI Threat Landscape Digest, March–April 2026
Check Point Research published a digest covering AI-related threat activity from March and April, which has not yet been picked up by major English-language security outlets despite being in English itself. The digest tracks AI-assisted malware development, prompt injection campaigns, and the use of LLMs in reconnaissance — the same operational categories that surfaced in this week's GREYVIBE and Kimsuky disclosures. Source: Check Point Research — English. No secondary English-language coverage confirmed at time of publication.
📅 What to Watch
- If the Palo Alto threat actor pivots to a third exploitation wave on Monday after the federal deadline expires, the same hosting infrastructure pattern (consistent MAC, Dromatics Systems) becomes the first publicly trackable indicator of a campaign that's operating faster than CISA can issue directives.
- If a third independent research team confirms LLM-driven post-exploitation against a different platform before mid-June, the security operations center workflow becomes structurally outdated — because the assumption that lateral movement leaves human-paced artifacts no longer holds.
- If the Dutch botnet's 17 million endpoints reconnect to new C2 infrastructure within 30 days, the residential-proxy takedown model is tactical theater, and law enforcement will need to start prosecuting the proxy-network customers rather than just the operators.
- If GreyNoise scanning telemetry against Gogs instances spikes before Monday, mass exploitation of the unpatched RCE has begun and shared-hosting providers running Gogs as a managed service will be in the same position they were during the GitLab zero-day waves of 2021.
- If Microsoft's two npm campaigns from this week produce a named victim disclosure at a SaaS provider within two weeks, the "rotate your CI/CD tokens" advice graduates from best practice to regulatory expectation — and the downstream Stripe, Twilio, and AWS API key compromises will look indistinguishable from legitimate account activity.
- If the SymJack technique gets independently reproduced against a different AI coding agent before mid-June, every enterprise AI policy needs a new section on repository trust — because the attack surface for AI-native development is currently undefended across six of the seven major agents tested.
The Closer
A forged cookie waltzes past a VPN, a --exec flag rides a pull request to root, and a Dutch hosting provider quietly pulls the plug on 17 million infected devices whose owners will never know. Somewhere on a developer's laptop right now, an AI agent is reading from /mnt/user-data and posting the contents to a GitHub repo whose owner forgot to revoke his own token — which is, honestly, the most 2026 sentence anyone could write. Stay patched.
Forward this to the friend who still hasn't applied the Palo Alto patch — they have until Monday.