In partnership with

👋 Welcome to The CyberSignal Weekly Briefing.

This was the week the CVSS 10.0 stopped being rare. LiteSpeed's cPanel plugin, three separate flaws in Ubiquiti's UniFi OS, and Cisco Secure Workload — the tool built to contain attackers — all landed at maximum severity, several under active exploitation. If your patch calendar treats a 10.0 as a once-a-quarter event, this week broke that assumption.

The other story is the merge. An automated campaign called Megalodon backdoored 5,561 GitHub repositories in six hours by poisoning their CI/CD workflows. Laravel-Lang was compromised through 700+ malicious Git tags pointing at a fork the attacker controlled — the official repo was never touched. GitHub confirmed TeamPCP exfiltrated 3,800 internal repositories through one poisoned VS Code extension. The developer pipeline is now the front line, and the most routine action in software development — merging code — is the weapon.

Law enforcement had its best infrastructure week of the year. Dutch investigators seized 800 servers from Stark Industries, the bulletproof hoster beneath Russian state-aligned operations. Europol dismantled First VPN and walked away with a list of thousands of its cybercrime users. A 23-year-old alleged KimWolf botmaster was arrested in Ottawa. The takedowns are hitting the shared infrastructure layer, not just individual actors.

Let's get into it.

🔎 Overview: What Shifted in Cyber Since Last Week

  • Five CVSS 10.0 flaws across three vendors in four days — LiteSpeed cPanel plugin, three Ubiquiti UniFi OS flaws, and Cisco Secure Workload, several actively exploited

  • Megalodon backdoored 5,561 GitHub repos in six hours — 5,718 malicious commits hidden inside CI/CD workflow files, weaponizing the merge

  • Laravel-Lang poisoned through Git tags — 700+ malicious version tags pointed at an attacker-controlled fork while the official repo stayed clean

  • GitHub confirms TeamPCP exfiltrated 3,800 internal repos — via one poisoned VS Code extension; same actor behind Mini Shai-Hulud, listed for $50K+ on BreachForums

  • Dutch police seized 800 Stark Industries servers — the bulletproof hoster beneath Russian state-aligned cyber and influence operations

  • Europol dismantled First VPN — the cybercrime underground's most-used anonymity service, yielding a list of thousands of users

  • Microsoft patched two Defender zero-days — UnDefend and RedSun, exploited since April, built to escalate through and disable the security tool itself

  • Trend Micro Apex One zero-day on CISA KEV — CVE-2026-34926 can turn the endpoint-security console into a malware distribution channel; June 4 deadline

  • Showboat espionage backdoor inside Mideast/Central Asia telcos since 2022 — a China-affiliated SOCKS5 foothold sitting in carrier networks for ~4 years

  • FBI warns of Kali365 — a Telegram-sold kit that steals Microsoft 365 OAuth tokens after the victim genuinely passes MFA

Our Partner

$20.8B in Redemption Requests. Percent Was Issuing Deals and Paying on Schedule.

Those requests came from non-traded BDC investors in Q1 2026, and most got back roughly half of what they asked for. Moody's U.S. BDC sector outlook: Negative.

On Percent's marketplace that same quarter: new issuances, scheduled payments, 0.44% lifetime net loss rate on asset-based deals since inception.† The difference is structural: concentrated corporate loans with redemption windows that close at manager discretion vs. asset-based finance with 6–24 month deal terms. 14.6% net ABS returns LTM after losses (3/31/26).† Starting at $500.

Alternative investments are speculative. No assurance can be given that investors will receive a return of their capital. †Past performance is not indicative of future results. Terms apply.

🔥 Top Stories

01 — The Week the CVSS 10.0 Stopped Being Rare

Vulnerabilities

Five maximum-severity flaws from three vendors landed in four days. CVE-2026-48172 in the LiteSpeed User-End cPanel plugin lets anyone with a valid cPanel account run code as root. It is actively exploited, and on shared hosting one cheap tenant account becomes a path to every other account on the server. Ubiquiti patched three CVSS 10.0 flaws in UniFi OS, all remotely exploitable with no login, across its gateways, Dream Machines, and network video recorders. And Cisco patched CVE-2026-20223, a CVSS 10.0 flaw in Cisco Secure Workload: insufficient authentication on internal REST API endpoints lets an unauthenticated attacker seize Site Admin of the microsegmentation platform that exists to contain attackers.

Why it matters: A 10.0 used to be a drop-everything event because it was rare. Five in a week breaks that cadence. Triage by exposure rather than by score alone: the UniFi flaws first, because they are internet-facing and need no login; then the LiteSpeed plugin, which does need a cPanel account but is already being exploited and, on shared hosting, every tenant holds one; then audit Secure Workload, because a compromised containment tool is worse than no containment tool.

02 — Megalodon Backdoored 5,561 GitHub Repositories in Six Hours by Weaponizing the Merge

Supply Chain Attack

An automated campaign called Megalodon pushed 5,718 malicious commits to 5,561 GitHub repositories in six hours, hiding secret-stealing payloads inside CI/CD workflow files. The attack targets the most routine action in software development: the merge. A pull request that looks like a minor workflow tweak runs attacker code as soon as CI executes the modified workflow, with whatever secrets and tokens the build environment exposes to that run.

Why it matters: CI/CD runners hold the keys to everything downstream: cloud credentials, signing keys, deployment tokens. If your pipeline auto-runs workflows from forks or unreviewed PRs, you are one merge away from this. Route every change under .github/workflows/ (or your CI system's equivalent) through a protected review path such as a CODEOWNERS rule, require approval before fork PRs run workflows, avoid pull_request_target jobs that check out PR code, and scope CI secrets and the workflow token to the minimum.

03 — Laravel-Lang Was Poisoned Through Git Tags Pointing at a Malicious Fork

Supply Chain Attack

The 2026 supply-chain wave reached PHP this week. Researchers found 700+ malicious version tags on the Laravel-Lang project — yet the official repositories were never touched. The attacker pointed Git tags at a fork they controlled, defeating the most intuitive defender check: inspecting the real repo. Anyone pulling a tagged version got the attacker's credential stealer.

Why it matters: "The official repo looks clean" is no longer a sufficient check. Pin dependencies to commit hashes, not tags, and verify that the commit a tag resolves to is an ancestor of the upstream default branch, not merely that it fetches: on GitHub a commit pushed only to a fork can still be fetched by SHA through the parent repository, so a tag can point outside upstream's history without any upstream branch changing. That ancestry check closes the tag-redirection trick; it does not help if upstream's own branches are compromised, so it complements review rather than replacing it.

04 — Microsoft Patches Two Defender Zero-Days Built to Disable the Security Tool Itself

Vulnerabilities

Microsoft patched UnDefend (CVE-2026-41091) and RedSun (CVE-2026-45498), two Defender zero-days exploited in the wild since April. Their entire purpose is the security tool: one escalates privileges through Defender, the other disables it. Barracuda ties the wave to the researcher behind MiniPlasma. Read alongside the Trend Micro Apex One zero-day (CVE-2026-34926) — now on CISA's KEV with a June 4 deadline, capable of turning the endpoint-security console into a malware distribution channel — and a pattern emerges.

Why it matters: Endpoint security tools are becoming the target, not just the defense. When the tool meant to detect malware is the delivery mechanism, EDR-only monitoring has a blind spot. Layer in independent telemetry — network and identity signals that don't depend on the endpoint agent being trustworthy.

05 — Dutch Police Seize 800 Stark Industries Servers — the Infrastructure Beneath Russian Operations

Policy & Government

Dutch financial-crime investigators seized 800 servers and arrested two men tied to Stark Industries, a hosting firm researchers have long described as a bulletproof hoster. The action targets the shared infrastructure layer beneath Russian state-aligned cyber and influence operations — not the operators who rent it, but the platform that makes them resilient. It capped a week that also saw Europol dismantle First VPN, the cybercrime underground's most-used anonymity service, seizing 33 servers and identifying thousands of users.

Why it matters: Infrastructure-layer takedowns degrade many actors at once and produce intelligence that fuels the next round of arrests. The First VPN user list, in particular, is a gift that will keep generating cases for months. Expect downstream disruptions to campaigns that relied on both services.

06 — FBI Warns of Kali365: Stealing Your Microsoft 365 Session After You Pass MFA

Phishing

The FBI's IC3 warned organizations about Kali365, a Telegram-sold phishing-as-a-service kit that runs device-code phishing against Microsoft 365. The attacker starts an OAuth device-code flow, lures the victim into entering the short code on Microsoft's genuine device-login page and completing MFA there, and then collects the access and refresh tokens Microsoft issues to the attacker's waiting client. There is no fake login page to spot: the victim authenticates legitimately, and the attacker ends up holding the session.

Why it matters: Device-code phishing defeats the "just turn on MFA" advice because it captures the post-MFA tokens, not the password. Defend with Conditional Access: require compliant or managed devices for the apps that matter, block the device-code flow with the authentication-flows condition wherever nobody has a headless-CLI need for it, and alert on device-code sign-ins and on token use from anomalous locations.

📈 Data & Research Corner

  • CVSS 10.0 flaws disclosed this week: 5 (LiteSpeed, Ubiquiti ×3, Cisco)

  • GitHub repos backdoored by Megalodon in 6 hours: 5,561

  • Malicious Git tags on Laravel-Lang: 700+

  • Internal repos TeamPCP exfiltrated via one VS Code extension: ~3,800

  • Stark Industries servers seized by Dutch police: 800

  • Domains affected by the Underminr domain-fronting flaw: ~88 million

  • Devices in the KimWolf DDoS botnet at peak: ~2 million

  • Years Showboat has sat inside Mideast/Central Asia telcos: ~4 (since 2022)

🔧 Tool Spotlight

Where to Invest $100,000 Right Now, According to Experts

Investors face a dilemma. When the S&P 500 finished its worst quarter since 2022 last month, diversifiers like bonds and bitcoin fell too.

Even with the turnaround in mid-April, analysts at Goldman Sachs and Vanguard have projected low-single-digit annualized returns from 2024-2034.

Bloomberg asked where experts would personally invest $100,000 for their March monthly edition.

One answer that surfaced for a second time? Art.

It's what billionaires like Bezos and the Rockefellers have privately used to diversify for decades.

Why?

  1. Appreciation. The ArtPrice100 Index outpaced the S&P 500 overall from 2000 to 2025

  2. Low-correlation. The postwar contemporary segment has moved independently of traditional investments like stocks since ‘95.*

  3. Resilience. A scarce, physical, and global asset class with decades of demonstrated demand.

Thanks to the world's premier art investing platform, now anyone can invest in works featuring legends like Banksy, Basquiat, and Picasso, without needing millions.

Shares in new offerings can sell quickly but...

*According to Masterworks data. Investing involves risk. Past performance is not indicative of future returns. See important Reg A disclosures at masterworks.com/cd.

🔍 Also On Our Radar

🛡️ Actionable Playbook for CISOs & IT Leaders

  • Triage this week's CVSS 10.0s by exposure, not just score. Ubiquiti UniFi OS first: internet-facing and no login required. LiteSpeed cPanel next: it needs a cPanel account, but it is under active exploitation and on shared hosting any tenant account is attacker-controlled. Then Cisco Secure Workload, then Trend Micro Apex One (June 4 KEV deadline). A containment tool with a 10.0 is a priority even if it's internal.

  • Lock down CI/CD workflow execution. Megalodon weaponized auto-running workflows. Require workflow-file changes to pass protected review (a CODEOWNERS rule on .github/workflows/ is the simplest form), require approval before fork PRs run workflows, avoid pull_request_target jobs that check out PR code, and scope CI secrets and the workflow token to least privilege so a poisoned runner can't reach production.

  • Pin dependencies to commit hashes, not tags. The Laravel-Lang attack pointed tags at a malicious fork. Verify that the commit a tag resolves to is an ancestor of the upstream default branch, not just that it fetches (on GitHub, fork commits fetch fine through the parent repo). This closes the tag-redirection class; it does not cover a compromised upstream branch, so keep reviewing what you pull.

  • Govern IDE extensions like software supply chain. TeamPCP used one poisoned VS Code extension to take 3,800 repos. Maintain an allowlist of approved extensions, block sideloading, and monitor for extensions requesting unexpected scopes.

  • Harden against post-MFA token theft. Kali365 captures the tokens issued after MFA succeeds. Require compliant or managed devices via Conditional Access, block the device-code flow with the authentication-flows condition where nobody needs it, and alert on device-code sign-ins and on token reuse from new locations or impossible-travel patterns.
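For the CI/CD item above and the Megalodon story in 02, the following is an added example written for this briefing, not code from GitHub or from any Megalodon analysis. It scans GitHub Actions workflow text for the combination a merge-based campaign needs: a privileged trigger, execution of pull-request code, and secrets in reach. It uses regular expressions rather than a YAML parser so it runs on the standard library alone, which also means it is a lead generator for review, not a verdict. The two workflow files and the rule names are constructed for the example.

```python
"""Heuristic audit of GitHub Actions workflows for the pattern that lets a
pull request run with the base repository's secrets.

Rules (names are this example's own, not a GitHub or CodeQL taxonomy):
  prt-checkout-head  pull_request_target + checkout of the PR head: the PR's
                     code runs with the base repo's GITHUB_TOKEN and secrets
  prt-secrets        pull_request_target workflow that references secrets.*
  write-all          permissions: write-all hands every scope to the token
  no-permissions     no workflow-level permissions block; token scope is
                     whatever the repository default happens to be
"""
import re
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str


_PRT = re.compile(r"\bpull_request_target\b")
_HEAD_REF = re.compile(
    r"ref\s*:\s*\$\{\{\s*github\.event\.pull_request\.head\.(?:sha|ref)\s*\}\}"
)
_SECRET = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
_WRITE_ALL = re.compile(r"^\s*permissions\s*:\s*write-all\b", re.M)
_TOP_PERMS = re.compile(r"^permissions\s*:", re.M)  # column 0 = workflow level


def scan_workflow(text: str) -> list[Finding]:
    """Return findings for one workflow file's text, most severe first."""
    findings: list[Finding] = []
    privileged = bool(_PRT.search(text))
    secrets = sorted(set(_SECRET.findall(text)))

    if privileged and _HEAD_REF.search(text):
        findings.append(Finding(
            "prt-checkout-head", "high",
            "pull_request_target workflow checks out the PR head; anything the "
            "PR changes (scripts, package.json hooks, Makefile) runs with secrets",
        ))
    if privileged and secrets:
        findings.append(Finding(
            "prt-secrets", "high",
            "secrets reachable from a pull_request_target run: " + ", ".join(secrets),
        ))
    if _WRITE_ALL.search(text):
        findings.append(Finding("write-all", "medium",
                                "permissions: write-all grants every scope to GITHUB_TOKEN"))
    elif not _TOP_PERMS.search(text):
        findings.append(Finding("no-permissions", "low",
                                "no workflow-level permissions block; set contents: read"))
    return findings


def scan_repo(root: str) -> dict[str, list[Finding]]:
    """Scan every workflow under <root>/.github/workflows; keys are file paths."""
    results: dict[str, list[Finding]] = {}
    for path in sorted(Path(root, ".github", "workflows").glob("*.y*ml")):
        found = scan_workflow(path.read_text(encoding="utf-8"))
        if found:
            results[str(path)] = found
    return results


# Constructed sample: the shape a poisoned-workflow PR exploits. pull_request_target
# runs in the base repo's context (write token, secrets) and here checks out the
# PR's own code, so `npm ci` executes whatever the PR put in package.json.
VULN_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
permissions: write-all
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Hardened equivalent: plain pull_request trigger (fork PRs get no secrets and a
# read-only token), explicit read-only permissions, default checkout of the merge ref.
SAFE_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULN_WORKFLOW), ("hardened", SAFE_WORKFLOW)):
        print(label, [f.rule for f in scan_workflow(wf)])
```

Run `scan_repo(".")` from a checkout to list offending files. Pair it with a CODEOWNERS entry for `.github/workflows/` and the repository setting that requires approval before fork PRs run workflows; the scanner tells you which files matter, the review gate is what stops the merge.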
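For the dependency-pinning item above and the Laravel-Lang story in 03, here is an added example of the ancestry check, written for this briefing rather than taken from the Laravel-Lang maintainers or from Composer. The two pure functions take tag-to-commit maps and sets of upstream commit SHAs; the `git` helpers that produce those inputs need `git` on PATH and are the only parts that touch a repository. The sample tags, history and composer.lock are constructed, with short SHAs for readability.

```python
"""Verify that dependency tags and lock-file references resolve to commits
that are in the upstream repository's own history.

On GitHub a commit that exists only in a fork is still fetchable by SHA
through the parent repository, so "the tag fetches fine" proves nothing.
"The commit is an ancestor of upstream's default branch" is the check.
"""
import json
import subprocess


def _git(*args: str) -> str:
    return subprocess.run(["git", *args], check=True,
                          capture_output=True, text=True).stdout


def remote_tag_targets(remote_url: str) -> dict[str, str]:
    """tag name -> commit SHA from `git ls-remote --tags`. Annotated tags are
    listed twice; the `^{}` entry is the peeled commit and takes precedence."""
    targets: dict[str, str] = {}
    for line in _git("ls-remote", "--tags", remote_url).splitlines():
        sha, ref = line.split("\t", 1)
        name = ref.removeprefix("refs/tags/")
        if name.endswith("^{}"):
            targets[name[:-3]] = sha
        else:
            targets.setdefault(name, sha)
    return targets


def reachable_commits(clone_dir: str, ref: str = "origin/main") -> set[str]:
    """Every commit reachable from `ref` in a local clone of upstream."""
    return set(_git("-C", clone_dir, "rev-list", ref).split())


def classify_tags(tag_targets: dict[str, str], reachable: set[str]):
    """Split tags into (clean, suspicious) by whether their commit is in history."""
    clean = sorted(t for t, sha in tag_targets.items() if sha in reachable)
    suspicious = sorted(t for t, sha in tag_targets.items() if sha not in reachable)
    return clean, suspicious


def audit_lock(lock_text: str, history_by_url: dict[str, set[str]]):
    """Check composer.lock `source.reference` SHAs against known upstream history.
    Returns (flagged, unchecked): flagged = packages whose pinned commit is not
    in the upstream history we hold; unchecked = packages whose source URL we
    have no history for (extend history_by_url to cover them)."""
    flagged, unchecked = [], []
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        src = pkg.get("source") or {}
        history = history_by_url.get(src.get("url"))
        if history is None:
            unchecked.append(pkg["name"])
        elif src.get("reference") not in history:
            flagged.append(pkg["name"])
    return sorted(flagged), sorted(unchecked)


# Constructed data standing in for ls-remote / rev-list output.
SAMPLE_TAGS = {"v1.0.0": "aaa111", "v1.0.1": "bbb222", "v99.9.9": "fff999"}
SAMPLE_HISTORY = {"000000", "aaa111", "bbb222"}
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "example/lang", "version": "v99.9.9",
         "source": {"type": "git", "url": "https://github.com/example/lang.git",
                    "reference": "fff999"}},
        {"name": "example/other", "version": "v2.1.0",
         "source": {"type": "git", "url": "https://github.com/example/other.git",
                    "reference": "ccc333"}},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(classify_tags(SAMPLE_TAGS, SAMPLE_HISTORY))
    print(audit_lock(SAMPLE_LOCK, {"https://github.com/example/lang.git": SAMPLE_HISTORY}))
```

Live use is `remote_tag_targets(url)` plus `reachable_commits(clone)` fed into `classify_tags`, and `audit_lock` over your real composer.lock on every dependency update. Once a tag passes, Composer lets you pin the dev branch to that commit with a `#<sha>` suffix on the constraint, so the next `composer update` cannot silently follow a moved tag.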
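For the post-MFA token item above and the Kali365 story in 06, the following is an added detection example written for this briefing, not code from the FBI advisory or from Microsoft. It flags successful device-code sign-ins and rates them against the user's own recent interactive sign-ins. The field names follow the Microsoft Graph signIn resource as this example understands it (userPrincipalName, authenticationProtocol, ipAddress, location.countryOrRegion, status.errorCode, appDisplayName, createdDateTime); confirm them against your export before relying on it. The sign-in events are constructed.

```python
"""Flag Microsoft Entra sign-ins that used the device-code flow, rated
against the user's recent baseline of interactive sign-ins.

Severity: high  = device-code sign-in from a country absent from the user's
                  successful non-device-code sign-ins in the preceding window
          medium = device-code flow used at all (rare outside headless CLI
                  logins, so worth a look even when the location matches)
Failed device-code attempts are skipped here; they are a separate, noisier hunt.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BASELINE_WINDOW = timedelta(days=30)


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["createdDateTime"])


def _succeeded(event: dict) -> bool:
    return event.get("status", {}).get("errorCode", 0) == 0


def device_code_alerts(events: list[dict], window: timedelta = BASELINE_WINDOW):
    """Return [(upn, severity, reason)] for successful device-code sign-ins."""
    by_user: dict[str, list[dict]] = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_user[e["userPrincipalName"]].append(e)

    alerts = []
    for upn, history in by_user.items():
        for e in history:
            if e.get("authenticationProtocol") != "deviceCode" or not _succeeded(e):
                continue
            start = _ts(e) - window
            baseline = {
                h["location"]["countryOrRegion"]
                for h in history
                if h is not e and _succeeded(h)
                and h.get("authenticationProtocol") != "deviceCode"
                and start <= _ts(h) < _ts(e)
            }
            country = e["location"]["countryOrRegion"]
            app = e.get("appDisplayName", "?")
            if country not in baseline:
                alerts.append((upn, "high",
                               f"device-code sign-in from {country} ({e['ipAddress']}) via {app}; "
                               f"baseline countries {sorted(baseline) or 'none'}"))
            else:
                alerts.append((upn, "medium", f"device-code sign-in via {app} from {country}"))
    return alerts


# Constructed sample events (not real tenant data).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-01T08:00:00+00:00",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0},
     "appDisplayName": "Office 365 SharePoint Online"},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-10T09:30:00+00:00",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0},
     "appDisplayName": "Microsoft Teams"},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2026-05-20T14:05:00+00:00",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0},
     "appDisplayName": "Microsoft Azure CLI"},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-05-05T11:00:00+00:00",
     "authenticationProtocol": "oAuth2", "ipAddress": "203.0.113.22",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0},
     "appDisplayName": "Outlook"},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2026-05-19T16:40:00+00:00",
     "authenticationProtocol": "deviceCode", "ipAddress": "203.0.113.22",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0},
     "appDisplayName": "Microsoft Azure CLI"},
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2026-05-19T17:00:00+00:00",
     "authenticationProtocol": "deviceCode", "ipAddress": "198.51.100.9",
     "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 50126},
     "appDisplayName": "Microsoft Azure CLI"},
]

if __name__ == "__main__":
    for upn, sev, why in device_code_alerts(SAMPLE_SIGNINS):
        print(sev.upper(), upn, why)
```

Feed it the JSON export of your sign-in logs and alert on "high" immediately; "medium" is a triage queue unless the user is on a list of known CLI users. Detection is the backstop: where no one needs the flow, the Conditional Access authentication-flows condition can block device code outright, which removes the attack rather than spotting it.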

⚡ The Signal

There is a number worth sitting with from this week: six.

That is how many hours Megalodon needed to backdoor 5,561 GitHub repositories — by poisoning the one action every software team performs dozens of times a day. Not an exploit against a server, not a stolen credential, not a phishing email. A pull request. The merge. The single most routine, most trusted, most automated step in modern software development, turned into a delivery mechanism at machine scale.

Hold that next to the rest of the week. Laravel-Lang was poisoned through Git tags pointing at a fork, defeating the defender instinct to check the real repository. TeamPCP took 3,800 internal repositories through a single VS Code extension. Three different attacks, three different layers of the developer's daily workflow — the merge, the dependency tag, the editor — each one weaponizing trust that was never explicitly granted but always assumed.

This is the same trajectory we flagged last week with the developer credential economy, now one level deeper. Last week the workstation was the beachhead. This week the pipeline is the beachhead — the automated machinery that runs after the human stops paying attention. CI/CD runners execute without supervision, resolve tags without verification, and run extensions with broad scopes because friction in the developer workflow is treated as the enemy. Attackers have noticed that the cost of looking at what runs in the pipeline still exceeds, for most organizations, the value of finding what's wrong.

Meanwhile the security tools meant to catch all this had their own bad week. Microsoft patched two Defender zero-days built to disable Defender. Trend Micro's Apex One console can be turned into a malware distribution channel. Cisco Secure Workload — the platform whose entire job is to contain lateral movement — shipped a 10.0 that hands an unauthenticated attacker Site Admin. When the containment layer and the detection layer are both part of the attack surface, "we have EDR" is not the answer it used to be.

There is genuine good news underneath. The infrastructure takedowns this week — 800 Stark Industries servers, the First VPN user list, the KimWolf arrest — hit the shared layer that makes adversaries resilient, and the intelligence they produced will generate cases for months. Defense at the infrastructure level scales the same way offense does.

The question worth asking before next week's briefing: in your environment, what runs automatically — in CI, in the IDE, in the build — that no human reviews before it executes, and what would it cost an attacker to put their code in that path?

🔭 What to Watch Next Week

  • June 4 — Trend Micro Apex One KEV deadline. Federal agencies must patch CVE-2026-34926. Watch for broader exploitation disclosures as the deadline focuses attention on the endpoint-console-as-distribution-channel risk.

  • First VPN fallout. Europol now holds a list of thousands of cybercrime-linked users. Expect arrests and secondary takedowns over the coming weeks as that intelligence is worked.

  • More CI/CD supply chain campaigns. Megalodon's automation proved the model. Expect copycats targeting GitLab CI, Jenkins, and other pipeline systems with the same workflow-poisoning approach.

  • Underminr exploitation. A domain-fronting flaw across ~88 million domains, invisible to legacy defenses, is the kind of disclosure that draws fast attacker interest. Watch for CDN-vendor mitigations and any sign of in-the-wild abuse.

Until next time,

Stay sharp. Stay ahead.

The CyberSignal Team

📩 Share this briefing with a colleague who needs to stay ahead.

📰 Full coverage at thecybersignal.com

☀️ Daily briefing at daily.thecybersignal.com


The CyberSignal delivers clear, actionable cybersecurity news for professionals who need to cut through the noise. Each week we recap the biggest breaches, vulnerabilities, and industry shifts, with practical takeaways you can put to work right away.

Our mission is simple: keep security leaders and practitioners informed, prepared, and ahead of threats.
