
ZeroFox Daily Intelligence Brief - May 18, 2026

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Grafana Discloses GitHub Environment Compromise, Source Code Stolen
  • Threat Actors Use QR-Code Mail Phishing to Target Ledger Users
  • Geopolitical Focus: Ebola Outbreak, Drone Strike Near Abu Dhabi Nuclear Power Plant

Grafana Discloses GitHub Environment Compromise, Source Code Stolen

Source: https://thehackernews.com/2026/05/grafana-github-token-breach-led-to.html

What we know: Grafana Labs, developer of the open-source analytics and visualization platform Grafana, has disclosed that a threat actor gained unauthorized access to its GitHub environment and downloaded its source code. Extortion group CoinbaseCartel has reportedly claimed responsibility for the attack.

Context: Grafana says it has invalidated the compromised credentials and has refused to pay the ransom demanded by the attackers, who are threatening to publish the stolen database. The company clarified that no personal or customer information was affected and that its operations remain uninterrupted.

Analyst note: Source code compromise is likely to enable threat actors to identify any vulnerabilities, login logic, or infrastructure details in the codebase that could be exploited in future attacks.

Threat Actors Use QR-Code Mail Phishing to Target Ledger Users

Source: https://hackread.com/scammers-physical-phishing-letters-ledger-wallet-seed/

What we know: Users of Ledger hardware cryptocurrency wallets are reportedly being targeted via physical phishing letters that urge the recipients to complete a fake “Quantum Resistance” security update.

Context: The mailed letters, which include Ledger branding, QR codes, and localized language variants, direct victims to phishing websites that request their 24-word recovery seed phrase, enabling attackers to steal funds from compromised wallets. The campaign could reportedly be leveraging customer data exposed in the January 2026 breach involving Global-e, Ledger’s e-commerce partner.

Analyst note: The localized nature of the operation likely indicates access to structured customer datasets containing geographic and language information, increasing the likelihood of tailored follow-on targeting or resale of victim profiles within cybercriminal ecosystems.

Geopolitical Focus: Ebola Outbreak, Drone Strike Near Abu Dhabi Nuclear Power Plant

  • The World Health Organization has declared a global health emergency in the wake of the Ebola virus outbreak in the Democratic Republic of Congo and Uganda. At least 80 deaths and about 250 suspected cases have been reported in a province in Congo.
  • The United Arab Emirates (UAE) reported a drone strike that triggered a fire near the Barakah Nuclear Power Plant in Abu Dhabi, calling it a "dangerous escalation." No injuries or radiological impact were reported. No group has claimed responsibility, though the UAE has previously accused Iran of attacks on its energy infrastructure.
  • A freight train collided with a public bus near Makkasan train station in central Bangkok. At least eight people were killed, and several others were injured. The collision triggered a fire that engulfed the bus and damaged several nearby vehicles.
  • The Minnesota National Guard has been activated to support firefighting operations against fast-moving wildfires in the northern part of the state. The Stewart Trail fire has destroyed 34 structures. Authorities warned that changing wind patterns may complicate containment efforts, and a temporary flight restriction is in place.
  • A magnitude 5.2 earthquake struck the city of Liuzhou in China's Guangxi region early on May 18, 2026, killing at least two. More than 7,000 residents were forced to evacuate, while thirteen buildings collapsed.

DEEP AND DARK WEB INTELLIGENCE

Exploit user Grandiose: Untested threat actor "Grandiose" has advertised alleged access to the Gmail and Google Drive accounts of an unnamed artificial intelligence (AI) company on dark web forum Exploit. The offer includes login credentials, two-factor authentication (2FA) codes, and backup codes with an asking price of USD 10,000.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-42897: This is an actively exploited spoofing vulnerability affecting Microsoft Exchange Server software. The flaw enables threat actors to execute arbitrary script in a victim's Outlook on the web session via cross-site scripting (XSS). While a security patch is not yet available to permanently fix the bug, the Exchange Emergency Mitigation Service (EEMS) is providing automatic mitigations. Successful exploitation of the flaw is likely to enable threat actors to steal email contents and attempt account takeover.

Affected products: Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE) software

Tags: DIB, TLP:GREEN