ZeroFox Daily Intelligence Brief - May 26, 2026
|by Alpha Team
ZeroFox Daily Intelligence Brief - May 26, 2026
ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- New Supply Chain Attack “TrapDoor” Targeting Crypto and AI Developers
- Lazarus Targets Financial Firms with RemotePE Malware Strain
- Geopolitical Focus: U.S. Strikes Southern Iran, Chinese Pressure on Taiwan, Ebola Updates
New Supply Chain Attack “TrapDoor” Targeting Crypto and AI Developers
Source: https://thehackernews.com/2026/05/trapdoor-supply-chain-attack-spreads.html
What we know: New cross-ecosystem supply chain attack “TrapDoor” has reportedly planted 34 malicious packages across npm, PyPI, and Crates[.]io to steal credentials, crypto wallets, SSH keys, and cloud secrets from developers in the crypto, DeFi, and AI communities.
Context: The campaign, active since May 22, 2026, deploys a shared payload “trap-core[.]js” that scans for credentials, attempts lateral movement, and establishes persistence. It also attempts to poison AI coding assistants by embedding .cursorrules and CLAUDE[.]md hidden instructions to trick tools into running "security scans" that exfiltrate secrets.
Analyst note: Threat actors are very likely to increasingly target AI coding tools as a silent middle layer of attack, since these tools have become embedded in software workflows. It is likely that this campaign results in crypto theft and downstream impact on entities, including those not being directly connected to blockchain development communities.
Lazarus Targets Financial Firms with RemotePE Malware Strain
Source: https://thehackernews.com/2026/05/lazarus-deploys-remotepe-memory-only.html
What we know: North Korea-linked Lazarus threat group has reportedly deployed the RemotePE malware strain targeting financial and cryptocurrency companies. Lazarus started the campaign by compromising an employee’s device via social engineering tactics.
Context: RemotePE reportedly operates in three stages with a malicious dynamic link library (DLL) called Iassvc[.]dll that loads an encrypted payload. Another loader called RemotePELoader fetches the malware in memory, and a final RemotePE RAT communicates with a command and control (C2) server for remote control.
Analyst Note: Given Lazarus Group’s history of targeting financial institutions and cryptocurrency wallets to actively steal funds, the absence of immediate theft activity in this campaign likely indicates a different operational priority. The group is likely interested in maintaining persistence to conduct high-value financial theft once sufficient access and reconnaissance are achieved.
Geopolitical Focus: U.S. Strikes Southern Iran, Chinese Pressure on Taiwan, Ebola Updates
- U.S. Central Command conducted renewed self defense strikes in southern Iran on May 25, 2026, targeting missile launch sites and Iranian mining boats that threatened the U.S. Navy warships. Additionally, Israel is set to intensify its military campaign against Hezbollah in Lebanon.
- Iranian President Masoud Pezeshkian ordered the reopening of international internet access in the country, following a near-90-day blackout.
- More than 1.51 million foreign pilgrims have arrived in Mecca to perform the annual Hajj pilgrimage despite months of regional instability. In response to potential threats, Saudi has deployed air defense batteries around Mecca, emphasizing that their forces are prepared to protect the region against all aerial threats.
- Taiwan's defense ministry detected 21 Chinese aircraft and multiple warships operating around the island. This activity follows a standoff in the South China Sea, where Taiwan's coast guard faced off with a Chinese coast guard vessel.
- The World Health Organization (WHO) has warned that the Ebola outbreak in the Democratic Republic of Congo (DRC) is actively outpacing response efforts. It urged neighboring countries to take immediate action as suspected deaths have reached 220.
DEEP AND DARK WEB INTELLIGENCE
Spear user NormalLeVrai: Threat actor “NormalLeVrai” has advertised the sale of an alleged WhatsApp zero-day exploit for USD 3,000 on dark web forum Spear. The actor claimed the exploit affected both desktop and mobile devices and required victims to open or view the malicious message to enable compromise. Separately, the actor also leaked an alleged dataset of around 3 billion WhatsApp users containing personal and account-related information for free. The actor has since been permanently banned for allegedly selling real IDs/documents and suspected distribution of “public data.”
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2026-26980: This is an SQL injection vulnerability in Ghost CMS, an open-source content management system used by over 100,000 websites. The flaw exists in Ghost's Content API, enabling an unauthenticated attacker to extract the site's Admin API key from the database without authorization and subsequently modify published articles. Threat actors have actively exploited this vulnerability to inject malicious JavaScript loaders into compromised sites, triggering ClickFix attacks.
Affected products: Ghost CMS versions prior to 6.19.1
Tags: DIB, tlp:green