Welcome to your weekly threat intelligence briefing. The cybersecurity landscape shifted dramatically between May 25 and May 31, 2026: security teams recorded a massive surge in software supply chain attacks, and our sensors logged 2,213 new vulnerabilities. At that volume, you need an active vulnerability report to prioritize your defenses effectively.
Supply Chain Attacks Dominate CISA KEV
The Cybersecurity and Infrastructure Security Agency (CISA) added five critical flaws to its Known Exploited Vulnerabilities (KEV) catalog. Threat actors heavily targeted software supply chains this week. For example, attackers published 84 malicious versions of popular @tanstack npm packages (CVE-2026-45321).
An official DAEMON Tools Lite installer also suffered a severe compromise (CVE-2026-8398), and attackers distributed a malicious version of the Nx Console UI (CVE-2026-48027). Developers must therefore verify package integrity before deploying code. Separately, Palo Alto Networks faced a massive authentication bypass in GlobalProtect (CVE-2026-0257). Hackers routinely use this flaw to breach enterprise VPNs without credentials.
Discoveries in the Wild
Our weekly threat intelligence radar detected several severe threats under active exploitation. First, Windows Netlogon harbors a critical stack-based buffer overflow (CVE-2026-41089-admin) that lets unauthenticated attackers execute code remotely over the network.
Second, the WP Maps Pro plugin for WordPress contains a dangerous privilege escalation flaw (CVE-2026-8732-admin). Consequently, anyone can create administrator accounts and seize total control of affected websites. Finally, attackers continue to exploit the LiteSpeed User-End cPanel Plugin (CVE-2026-48172) to gain root privileges.
The Sandbox Security Crisis
JavaScript sandboxes had a devastating week. Security researchers published multiple CVSS 10.0 sandbox escape vulnerabilities, with NodeVM and SandboxJS both suffering catastrophic breakouts.
The notorious VM2 library also experienced yet another critical bypass (CVE-2026-47208). Attackers can break out of these virtual environments to execute host-level code, so relying on software-based isolation currently exposes critical applications to extreme risk. Developers must pivot immediately to hardware-backed containment strategies.
Essential Actions for Defenders
Your team must take immediate action based on this active vulnerability report. First, update your Windows domain controllers to patch the Netlogon vulnerability. Next, developers must audit their npm dependencies for compromised packages.
Network administrators must rotate all compromised credentials immediately, and security engineers should completely phase out vulnerable JavaScript sandboxes. Aggressive patching remains your strongest defense against these evolving threats, so stay vigilant and monitor your system logs closely.
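One way to run the npm dependency audit described above, as an added example that is not part of the original briefing: it walks the "packages" map of a parsed package-lock.json (lockfileVersion 2 or 3) and flags denylisted versions, missing integrity hashes, and tarballs resolved from outside the public registry. The denylist entry, package names, and sample lockfile are constructed placeholders; populate the denylist from the advisory for CVE-2026-45321.

```javascript
// Constructed placeholder denylist: replace with versions from the official advisory.
const KNOWN_BAD = {
  "@tanstack/example-pkg": ["0.0.0-placeholder"], // not a real indicator
};
const REGISTRY = "https://registry.npmjs.org/";

// Map a lockfile key such as "node_modules/a/node_modules/@scope/b" to "@scope/b".
function packageName(lockKey, entry) {
  if (entry.name) return entry.name;
  const marker = "node_modules/";
  const i = lockKey.lastIndexOf(marker);
  return i === -1 ? lockKey : lockKey.slice(i + marker.length);
}

// Return one finding per problem found in the lockfile's "packages" map.
function auditLockfile(lock, knownBad = KNOWN_BAD, registry = REGISTRY) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    // Skip the root project, workspace symlinks, and bundled dependencies,
    // which legitimately carry no "resolved" or "integrity" fields.
    if (key === "" || entry.link || entry.inBundle) continue;
    const name = packageName(key, entry);
    const add = (issue) => findings.push({ name, version: entry.version, issue });
    if ((knownBad[name] || []).includes(entry.version)) add("known-bad-version");
    if (!entry.integrity) add("missing-integrity");
    if (entry.resolved && !entry.resolved.startsWith(registry)) add("unexpected-source");
  }
  return findings;
}

// Constructed sample lockfile, for illustration only.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@tanstack/example-pkg": {
      version: "0.0.0-placeholder",
      resolved: "https://registry.npmjs.org/@tanstack/example-pkg/-/example-pkg-0.0.0-placeholder.tgz",
      integrity: "sha512-CONSTRUCTED",
    },
    "node_modules/left-lib": { version: "2.1.0", resolved: "https://mirror.invalid/left-lib-2.1.0.tgz" },
    "node_modules/ok-lib": {
      version: "1.2.3",
      resolved: "https://registry.npmjs.org/ok-lib/-/ok-lib-1.2.3.tgz",
      integrity: "sha512-CONSTRUCTED",
    },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

A denylist hit means the host that installed the package should be treated as exposed, which ties into the credential rotation step above; the integrity and source findings are hygiene signals that warrant review rather than proof of compromise.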