
Weekly Threat Roundup: Nx Console Supply Chain Attack (May 25-31)

Cybersecurity roundup for 2026-05-25 to 2026-05-31. 2 CVE advisories, 5 breach reports, 4 threat news stories.

This Week at a Glance

A malicious version of Nx Console (CVE-2026-48027) was published, marking a critical supply chain attack. Simultaneously, the Charter data breach exposed 4.9M accounts, while threat actors exploited FortiClient EMS and PAN-OS flaws. Notably, attackers used an LLM agent for post-exploitation after exploiting a Marimo CVE.

Top Vulnerabilities

  • CVE-2026-48027 (CVSS 9.8, Critical, Actively Exploited): A malicious version of Nx Console (18.95.0) was published on May 19, 2026, in a supply chain attack.
  • CVE-2026-44590 (CVSS 9.3, Critical): Sherlock, a social media username search tool, prior to 0.16.1, leaks CI tokens via command injection.

Data Breaches

  • Charter: 4.9M accounts exposed by ShinyHunters.
  • Ameriprise: 503K accounts exposed.
  • Kemper: 269K accounts exposed in ransomware attack.
  • Edmunds: 178K accounts (emails, passwords) exposed.
  • Mytheresa: 84K accounts (credit cards) exposed.

Threat Intelligence

  • Active Exploitation: Threat actors exploit critical FortiClient EMS flaw to deploy credential stealer.
  • PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257): Under active exploitation.
  • LLM Agent in Post-Exploitation: Attackers used an LLM agent after exploiting Marimo CVE-2026-39987.
  • Dark Web Claims: Ransomware groups (CoinbaseCartel, Genesis) claimed attacks on Siveco, Green Resource, and Cedar Street Capital.

Key Takeaway

The use of an LLM agent for post-exploitation after the Marimo CVE-2026-39987 exploit signals a shift toward AI-assisted attack automation. Security teams should monitor for anomalous LLM API calls and review logs for automated reconnaissance patterns, as this tactic may become more common.
