ZeroFox Daily Intelligence Brief - May 25, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- Netherlands Busts Front Company Sheltering Russian Cyber Infrastructure
- Fake CI/CD Bot Campaign “Megalodon” Hits Thousands of GitHub Repositories
- Geopolitical Focus: Chemical Leak in California, Russia Strikes Kyiv, Ebola Crisis Surges
Netherlands Busts Front Company Sheltering Russian Cyber Infrastructure
What we know: Dutch authorities have arrested two individuals and seized 800 servers linked to EU-sanctioned web hosting firm Stark Industries. The entity, under EU sanctions for enabling cyberattacks and disinformation campaigns, had transferred its infrastructure to a Dutch front company.
Context: The Dutch front company, identified as WorkTitans B.V., provided hosting services reportedly used by pro-Russian hacktivist group NoName057(16). The suspects are accused of indirectly providing economic resources to sanctioned Russian and Belarusian entities, with the firm having been founded just days before Russia's invasion of Ukraine.
Analyst note: The investigation illustrates a tactic of state and state-aligned threat actors: embedding offensive cyber infrastructure inside the target region, behind locally registered companies, rather than launching attacks from their own soil. It is likely that more EU-based entities of this kind are providing services to Russia-linked threat actors.
Fake CI/CD Bot Campaign “Megalodon” Hits Thousands of GitHub Repositories
Source: https://hackread.com/github-repositories-megalodon-supply-chain-attack/
What we know: A large-scale supply-chain campaign dubbed “Megalodon” has reportedly targeted more than 5,000 GitHub repositories by pushing malicious workflow files through fake bot accounts impersonating legitimate CI/CD services. Workflow changes authored by “build-system@noreply[.]dev” or “ci-bot@automated[.]dev” are indicators of potential compromise.
Context: The malicious workflows executed credential-stealing scripts designed to harvest GitHub tokens, cloud credentials, API keys, and other data. The campaign also reportedly impacted a live chatbot service, leading to the publication of several infected npm package versions before the malicious workflows were discovered.
Analyst note: Attackers are likely to continue abusing trusted CI/CD workflows to distribute malicious code at scale. In the near term, they are likely to use stolen credentials to maintain persistent access, exploit harvested secrets for further intrusions, and/or monetize them on dark web marketplaces.
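The indicators above are author e-mail addresses on workflow-file commits, so the natural hunt is over git history rather than over package contents. The script below is an added example, not code from ZeroFox or from the Hackread report: it parses `git log --format='%H%x00%an%x00%ae%x00%aI' --name-only` output, flags any commit that touches `.github/workflows/` and was authored by one of the two indicator addresses (un-defanged here), and, going one step beyond the brief, also flags other bot-looking authors that are not on a local allow-list. The allow-list entries and the sample log are constructed for this example.

```python
"""Flag workflow-file commits authored by impersonated CI/CD bot accounts.

Added example, not code from the ZeroFox brief or the Hackread report.
Input format (one header line per commit, then the touched paths):

    git log --format='%H%x00%an%x00%ae%x00%aI' --name-only
"""
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Indicators from the brief, un-defanged. Assumed to be exact author e-mails.
KNOWN_BAD_AUTHORS = {"build-system@noreply.dev", "ci-bot@automated.dev"}

# Constructed allow-list: bot identities that legitimately change workflows
# in this hypothetical repository. Tailor to what your org actually uses.
TRUSTED_BOT_AUTHORS = {
    "49699333+dependabot[bot]@users.noreply.github.com",
    "41898282+github-actions[bot]@users.noreply.github.com",
}

# Author names / e-mail local parts that claim to be automation.
BOT_WORD_RE = re.compile(r"(?:^|[-_ .\[])(?:bot|ci|build|automation)(?:$|[-_ .\]])", re.I)
WORKFLOW_RE = re.compile(r"^\.github/workflows/[^/]+\.ya?ml$")


@dataclass
class Commit:
    sha: str
    author_name: str
    author_email: str
    date: str
    files: List[str] = field(default_factory=list)


def parse_git_log(text: str) -> List[Commit]:
    """Split NUL-delimited header lines from the path lines that follow them."""
    commits: List[Commit] = []
    current: Optional[Commit] = None
    for line in text.splitlines():
        if "\x00" in line:
            sha, name, email, date = line.split("\x00")
            current = Commit(sha, name, email, date)
            commits.append(current)
        elif line.strip() and current is not None:
            current.files.append(line.strip())
    return commits


def classify(commit: Commit) -> Optional[str]:
    """Return a verdict for workflow-touching commits, None if nothing to flag."""
    if not any(WORKFLOW_RE.match(f) for f in commit.files):
        return None                      # only workflow changes matter here
    email = commit.author_email.lower()
    if email in KNOWN_BAD_AUTHORS:
        return "known-ioc"               # address named in the brief
    if email in TRUSTED_BOT_AUTHORS:
        return None                      # allow-listed automation
    local_part = email.split("@")[0]
    if BOT_WORD_RE.search(commit.author_name) or BOT_WORD_RE.search(local_part):
        return "unverified-bot"          # claims to be a bot, not on allow-list
    return None


def find_suspicious(log_text: str) -> List[Tuple[str, str, str]]:
    hits = []
    for c in parse_git_log(log_text):
        verdict = classify(c)
        if verdict:
            hits.append((c.sha, verdict, c.author_email))
    return hits


# Constructed sample: one benign human commit, one IOC hit, one allow-listed
# bot, and one unknown "bot" that touches a publish workflow.
SAMPLE_LOG = (
    "a1b2c3\x00Jane Dev\x00jane@example.com\x002026-05-20T10:00:00+00:00\n"
    "\nsrc/app.py\n\n"
    "d4e5f6\x00CI Build System\x00build-system@noreply.dev\x002026-05-23T03:14:00+00:00\n"
    "\n.github/workflows/ci.yml\n\n"
    "0f9e8d\x00dependabot[bot]\x0049699333+dependabot[bot]@users.noreply.github.com"
    "\x002026-05-22T08:00:00+00:00\n"
    "\n.github/workflows/codeql.yml\n\n"
    "7a8b9c\x00release-bot\x00release-bot@example.net\x002026-05-24T12:00:00+00:00\n"
    "\n.github/workflows/publish.yml\npackage.json\n"
)

if __name__ == "__main__":
    log = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for sha, verdict, email in find_suspicious(log):
        print(f"{sha} {verdict} {email}")
```

Run it as `git log --format='%H%x00%an%x00%ae%x00%aI' --name-only | python3 flag_bot_workflows.py` from inside each repository; with no stdin it runs over the constructed sample and reports the `d4e5f6` commit as a known IOC and `7a8b9c` as an unverified bot. Matching only on author e-mail is deliberately narrow: the attacker chooses that string, so treat an "unverified-bot" hit as a prompt to diff the workflow for new `secrets.*` references or outbound `curl` steps, and rotate any token the workflow could have read if the change was not yours.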
Geopolitical Focus: Chemical Leak in California, Russia Strikes Kyiv, Ebola Crisis Surges
- California declared a state of emergency on May 24, 2026 following a toxic chemical leak at a GKN Aerospace facility in Garden Grove, Orange County. A tank containing roughly 7,000 gallons of methyl methacrylate was found to have a structural crack. Residents remain under evacuation orders, local schools are closed, and major road exits remain shut as a precaution.
- The Ebola outbreak in the Democratic Republic of Congo (DRC) has become the third-largest in recorded history, with suspected cases surpassing 900 and at least 119 deaths reported as of May 24, 2026.
- At least 20 people were killed and 70 others injured in a suicide bombing in Quetta, Pakistan. The attack targeted a train transporting military personnel and their families. The separatist Balochistan Liberation Army (BLA) claimed responsibility for the attack.
- Oil prices fell to two-week lows as optimism grew around a potential U.S.–Iran peace deal, with Brent crude and West Texas Intermediate both dropping over 4 percent. However, the Strait of Hormuz remains blocked.
- Russia launched a massive air assault on Kyiv and surrounding areas on May 24, 2026, deploying its Oreshnik hypersonic ballistic missile alongside roughly 600 drones and 90 missiles. The strikes killed at least four people, injured approximately 100, and caused widespread infrastructure damage.
DEEP AND DARK WEB INTELLIGENCE
Alleged OnlyFans Dataset Advertised: Threat actor "Euphoric_Reply_5727" has reportedly advertised an alleged OnlyFans database containing 340 million user records on a dark web forum. The actor claims that the leak includes user credentials, contact information (email addresses and phone numbers), platform usage metrics, and linked social profiles. However, the actor reportedly indicated that the data is a recycled dataset compiled from past leaks. Even as a recompilation, the data is likely to be used to link online identities to real-world individuals; in the context of OnlyFans, that linkage poses a blackmail risk for exposed individuals.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2026-9082: This is an SQL injection vulnerability affecting Drupal’s database abstraction API due to Improper Neutralization of Special Elements. CISA has flagged the flaw as being actively exploited. The vulnerability can be exploited without authentication. Successful exploitation is likely to result in remote code execution (RCE), privilege escalation, and information disclosure.
Affected products: The affected products are listed in this advisory.
Tags: DIB, tlp:green