Skip to main content
Emerging ThreatsMalware & Ransomware

Cyberattacks Accelerate as AI Lowers Bar for Threat Actors

Rows of computer equipment racks and industrial controllers in a dimly lit network operations center with a sense of…

"Since Gogs ships with open registration enabled by default and no limit on repository creation, an unauthenticated attacker can simply create an account and repository on any default-configured instance," Rapid7 warned — a blunt line that captures this week's theme: defaults and automation handing attackers cheap, fast entry points.

PAN-OS GlobalProtect authentication bypass (CVE-2026-0257) is being exploited

Palo Alto Networks warned that CVE-2026-0257 — scored 7.8 CVSS — is under active exploitation in the wild. The flaw is an authentication bypass in PAN-OS and Prisma Access that can be leveraged to establish VPN connections. According to the vendor, the issue specifically impacts firewalls with GlobalProtect portal or gateway configured when authentication override cookies are enabled and a particular certificate configuration exists. The advisory places this vulnerability on the list of urgent fixes for network teams running affected configurations.

Critical Gogs zero-day exposes default-configured instances to RCE

Rapid7 published details of a critical remote code execution vulnerability in Gogs, the open-source self-hosted Git service. The chain hinges on pull requests with malicious branch names and is particularly potent because Gogs sets open registration and unrestricted repository creation by default. Rapid7 said an unauthenticated attacker can create an account, enable rebase merging where applicable, and execute arbitrary commands as the Gogs server process user. A successful exploit can read every repository hosted on the instance, dump credentials and secrets, pivot to other systems, and modify hosted code. Rapid7 reported that servers on Windows, Linux, and macOS running default configurations are affected and that no patch had been released at the time of publishing.

GlassWorm C2 takedown severs operators but not the economics of repo abuse

CrowdStrike, Google, and the Shadowserver Foundation simultaneously disabled all four GlassWorm command-and-control channels on May 26, 2026 at 2 p.m. UTC, cutting the operators' live control over infected hosts. GlassWorm had spread via trojanized VS Code extensions on the Microsoft VS Code Marketplace and Open VSX and through compromised npm and Python packages. CrowdStrike instructed infected endpoints to beacon to the benign IP address 164.92.88[.]210 so organizations can check for potential infections. Researchers note the takedown is a temporary disruption: open-source ecosystems continue to provide low-cost distribution and allow operators to resurface under new accounts, domains, or package names.

AI assistance, OAuth device-phishing, and new kits reshape attack speed and scale

AI is threaded through several campaigns this week. WithSecure reported GREYVIBE — a previously undocumented actor active since August 2025 — making operational use of large language models in attacks against Ukrainian targets. Separately, threat actors are using AI chatbots to redirect searches to booby-trapped downloads that install cryptocurrency miners and deploy persistent access via ScreenConnect.

Phishing-as-a-service developments are notable: Netcraft documented EvilTokens automating device-code OAuth phishing at scale, abusing the OAuth 2.0 device authorization flow and using AI to spin up realistic infrastructure. Fortra described RatPressto, a new phishing toolkit hosted on legitimate-but-compromised WordPress sites, which serves ScreenConnect to establish persistent remote access. eSentire detailed an intrusion that used Microsoft Teams voice phishing to obtain Quick Assist access and then deployed a Java RAT named Nimbus that uses Google Drive and Google Sheets for C2 — an attack that took less than 20 minutes from initial contact to RAT execution.

What this means for security teams, CERTs, and end users

  • Security teams and technologists: prioritize fixes for CVE-2026-0257 and the Gogs RCE, audit default configurations (open registration, rebase settings, cookie-based overrides), and check for GlassWorm indicators such as beacons to 164.92.88[.]210. The trending CVE list in this bulletin also highlights multiple high-priority fixes (for example, CVE-2026-8732, CVE-2026-27771, CVE-2026-41089) that should be triaged based on exposure.
  • Regulators and CERTs: CERT-In's guidance urging 12-hour patching where feasible — and prescribing one-day remediation for critical externally exposed flaws, three days for critical internal high-value systems, and five days for high-severity issues — reflects a policy response to AI-compressed exploitation timelines described in the bulletin.
  • End users and administrators: be wary of smishing campaigns spanning 19 countries, fraudulent AI-chatbot redirects delivering miners, and OAuth device-code phishing kits. Where possible, tighten MFA, limit default account creation on self-hosted services, and treat “default” as a suspect configuration.

The throughline of this week’s reporting is familiar and troubling: defaults, automation, and AI are shrinking the window between discovery and damage. As the bulletin puts it plainly, patch the loud stuff, audit the weird stuff, and don't ignore the boring stuff — because attackers keep finding the cheap paths first.

Original story — The Hacker News