ZeroFox Daily Intelligence Brief - May 29, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- CISA Issues Alert on Recent Supply Chain Attacks Targeting Developer Ecosystems
- Signal Phishing Attacks Now Target Secure Backup Recovery Keys
- ZeroFox SITREP on U.S.-Iran Negotiations, Russian Drone Hits Building in Romania
CISA Issues Alert on Recent Supply Chain Attacks Targeting Developer Ecosystems
What we know: CISA has issued an alert warning developers of multiple software supply chain attacks, following the GitHub source code compromise allegedly by the TeamPCP threat group and the “Megalodon” operation.
Context: CISA advises auditing CI/CD workflow files for suspicious commits, especially those from automated accounts and changes made after May 18, 2026. In case of compromise, all exposed credentials should be rotated. To reduce supply chain risk, entities should delay package pulls, pin trusted versions, and source packages only from verified repositories.
Analyst note: Compromised credentials and secrets harvested from these attacks are very likely to fuel subsequent supply chain intrusions in the near term—a pattern already evident in the current incident, where the TanStack compromise served as the launchpad for the GitHub breach.
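The audit CISA recommends above, as an added example that is not part of the brief or of CISA's guidance: it applies the two checks the advice implies to constructed input (a `git log` listing for the workflow directory and a workflow excerpt), flagging workflow-file commits after May 18, 2026 from automated accounts and CI actions that are not pinned to a full commit SHA. The bot-name pattern, the sample commits and the action names are assumptions.

```python
"""Added example: audit constructed `git log` output and a constructed
workflow file for the two conditions named in the CISA alert."""
import re
from datetime import datetime, timezone

# Constructed sample of:
#   git log --format='%H|%an|%ae|%aI' --name-only -- .github/workflows
GIT_LOG = """\
a1b2c3d4e5f60718293a4b5c6d7e8f9012345678|dependabot[bot]|dependabot[bot]@users.noreply.github.com|2026-05-20T03:14:00+00:00
.github/workflows/ci.yml

0123456789abcdef0123456789abcdef01234567|Jane Dev|jane@example.com|2026-05-22T10:00:00+00:00
.github/workflows/release.yml

ffffffffffffffffffffffffffffffffffffffff|release-automation|ci-bot@example.com|2026-05-10T09:00:00+00:00
.github/workflows/ci.yml
"""

CUTOFF = datetime(2026, 5, 18, tzinfo=timezone.utc)  # date named in the CISA alert
# Assumed heuristic for "automated accounts"; tune to your organisation's bot naming.
BOT_PATTERN = re.compile(r"\[bot\]|noreply|automation|ci-bot", re.IGNORECASE)
SHA40 = re.compile(r"^[0-9a-f]{40}$")

def suspicious_workflow_commits(log_text: str, cutoff: datetime = CUTOFF) -> list[dict]:
    """Return workflow-file commits authored on/after `cutoff` by bot-like accounts.
    These are review candidates, not proof of compromise."""
    flagged = []
    for block in log_text.strip().split("\n\n"):
        header, *files = block.splitlines()
        sha, name, email, when = header.split("|")
        authored = datetime.fromisoformat(when)
        if authored >= cutoff and BOT_PATTERN.search(f"{name} {email}"):
            flagged.append({"sha": sha, "author": name, "files": files})
    return flagged

# Constructed workflow excerpt: one SHA-pinned action and two floating refs.
WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
  - uses: some-org/deploy-action@main
"""

def unpinned_actions(workflow_text: str) -> list[str]:
    """Return `uses:` references whose ref is a tag or branch, not a 40-hex commit SHA."""
    refs = re.findall(r"uses:\s*(\S+@\S+)", workflow_text)
    return [r for r in refs if not SHA40.match(r.rsplit("@", 1)[1])]
```

Run the first function over the real `git log` output for `.github/workflows` and the second over each workflow file; anything returned is what the alert says to review by hand.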
Signal Phishing Attacks Now Target Secure Backup Recovery Keys
What we know: Threat actors are reportedly targeting Signal users in a “new wave” of phishing attacks by impersonating the app’s support team to trick victims into sharing Secure Backup recovery keys. Several anti-Chinese Communist Party (CCP) activists and other individuals have reportedly received malicious phishing messages impersonating Signal support.
Context: Unlike previous Signal hijacking attempts focused on account takeover, this campaign reportedly aims to gain access to victims’ encrypted cloud backups and historical communications by stealing the recovery keys. The chat backups contain a user’s older messages, photos, documents, and more.
Analyst note: The encrypted backup data will likely enable threat actors to map networks, identify associates, and monitor activities in support of future political espionage and surveillance of dissidents. The insights are likely to be used to threaten or quell dissident activity.
Geopolitical Focus: ZeroFox SITREP on U.S.-Iran Negotiations, Russian Drone Hits Building in Romania
- The United States and Iran have reportedly reached an agreement to extend the ceasefire, but U.S. President Trump has yet to approve the deal. ZeroFox assesses that a memorandum of understanding (MOU) on ending the war is likely.
- U.S. authorities indicted an individual for allegedly providing material support to two designated foreign terrorist organizations, Kata’ib Hizballah and Iran’s Islamic Revolutionary Guard Corps (IRGC). The accused was involved in nearly 20 attacks and attempted attacks throughout Europe and the United States.
- A Russian drone reportedly struck a residential building in Romania, a NATO country, during attacks near the border with Ukraine and Moldova, injuring two civilians and triggering a fire. Romanian authorities described the incident as a serious escalation.
- Cuba is reportedly facing a worsening water crisis affecting nearly 3 million people due to fuel shortages, aging infrastructure, and ongoing energy constraints. Authorities stated that the shortages continue to disrupt essential water distribution services.
- The WHO Chief stated, while visiting the Democratic Republic of the Congo (DRC), that the Ebola outbreak there can be stopped with continued international support. Meanwhile, the United States reportedly quarantined citizens exposed to the virus in Kenya as part of containment measures.
DEEP AND DARK WEB INTELLIGENCE
Breachforums[.]rs user Vyntra: On May 28, 2026, threat actor "Vyntra" claimed to have leaked a dataset allegedly associated with multiple entities in the U.S. Oil & Gas industry on the dark web forum BreachForums. The dataset, which allegedly contains over 29,000 records, also includes executive names, titles, and departmental information. If the data is legitimate, it can be leveraged in phishing and social engineering attacks to further compromise systems.
VULNERABILITY AND EXPLOIT INTELLIGENCE
Gogs zero-day vulnerability: An unpatched zero-day vulnerability in the Gogs self-hosted Git service reportedly enables threat actors to achieve remote code execution (RCE) on internet-facing instances. The flaw is an argument injection in the platform’s “Rebase before merging” feature. Low-privileged users are likely able to exploit it on default-configured servers to compromise repositories and steal credentials and API tokens.
Affected products: Gogs 0.14.2 and 0.15.0+dev
Tags: DIB, tlp:green