ZeroFox Daily Intelligence Brief - May 15, 2026

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Suspected Dream Market Operator Arrested After Years on the Run
  • Node-ipc Supply Chain Attack Exfiltrates Cloud Secrets
  • “Ghostwriter” Targets Government and Military Entities in Ukraine and Poland

Suspected Dream Market Operator Arrested After Years on the Run

Source: https://www.bleepingcomputer.com/news/security/us-charges-suspected-dream-market-admin-arrested-in-germany/

What we know: The suspected administrator of Dream Market, who used the alias “Speedstepper,” has been indicted in the United States on money-laundering charges. The suspect had remained unidentified after Dream Market shut down in 2019.

Context: Authorities allege the suspect laundered more than USD 2 million between August 2023 and April 2025. Investigators recovered roughly USD 1.7 million in gold bars, over USD 23,000 in cash, and found evidence of Dream Market proceeds in bank accounts and cryptocurrency wallets holding about USD 1.2 million.

Analyst note: Arrests of other high-ranking administrators earlier this year suggest authorities tracked suspects’ funds and international travel details while coordinating with cross-border partners. Information recovered from financial records, cryptocurrency wallets, and seized assets is likely to provide leads into former vendors, facilitators, and linked darknet marketplaces.

Node-ipc Supply Chain Attack Exfiltrates Cloud Secrets

Source: https://thehackernews.com/2026/05/stealer-backdoor-found-in-3-node-ipc.html

What we know: Three versions of the node-ipc npm package have reportedly been compromised by threat actors to include an obfuscated backdoor. The backdoor attempts to exfiltrate a broad set of developer and cloud secrets to an external command-and-control (C2) server.

Context: The malicious node-ipc package runs automatically when imported. The malware fingerprints the host, enumerates and collects developer credentials, then exfiltrates the collected data directly to the attacker’s server. A background process continues the transmission after the parent application exits.

Analyst note: Threat actors are likely to increasingly focus on stealing identities and targeting the automation that underpins modern software delivery, obfuscating malicious activity to blend in with normal developer and application behavior.

“Ghostwriter” Targets Government and Military Entities in Ukraine and Poland

Source: https://www.darkreading.com/cyberattacks-data-breaches/frostyneighbor-apt-govt-orgs-poland-ukraine

What we know: The Belarus-linked cyber espionage group dubbed Ghostwriter (also tracked as FrostyNeighbor) has reportedly launched a spear-phishing campaign targeting government and military organizations in Ukraine and Poland.

Context: The campaign used PDF lures impersonating telephone company Ukrtelecom to deliver a JavaScript-based version of PicassoLoader. Researchers noted the operators manually validated victims using geofencing and host profiling, only escalating infections against targets deemed valuable for espionage operations.

Analyst note: The selective deployment process likely indicates that Ghostwriter is targeting high-value entities within Ukrainian and Polish governments to collect specific intelligence on regional military activity and government operations. Given Belarus’ close alignment with Russia, it is likely that the threat actor is funneling tactical information about Ukraine for Russia’s gain.

DEEP AND DARK WEB INTELLIGENCE

breached[.]st user diencracked / TeamPCP: Threat actor "diencracked," claiming collaboration with TeamPCP hackers, has announced a crowdsourced supply chain attack competition on the dark web forum breached[.]st. They claim to offer a USD 1,000 bounty to the forum member who executes the most impactful supply chain compromise using the open-sourced version of the worm "Shai Hulud." Additionally, TeamPCP is threatening to leak Mistral AI’s internal repositories and source code if it does not find a buyer willing to pay USD 25,000 within a week.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-20182: This is an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller and Manager. The flaw stems from a malfunction in the peering authentication mechanism, enabling an unauthenticated remote attacker to bypass authentication and gain high-privileged access by sending crafted requests. Successful exploitation is very likely to result in full administrative control over the SD-WAN infrastructure, enabling network configuration tampering and traffic interception.

Affected products: On-premises deployments of Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP)

Tags: DIB, tlp:green