ZeroFox Daily Intelligence Brief - June 1, 2026

by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • Threat Actors Abusing ChatGPT Share Feature to Deploy Malware
  • Typosquatted Npm Packages Found Harvesting Cloud and CI/CD Credentials
  • Dutch Authorities Dismantle Botnet That Infected 17 Million Devices

Threat Actors Abusing ChatGPT Share Feature to Deploy Malware

Source: https://www.bleepingcomputer.com/news/security/chatgpt-share-links-abused-to-host-fake-outage-pages-to-deliver-malware/

What we know: Threat actors are reportedly leveraging ChatGPT's content-sharing feature to host convincing fake outage pages on legitimate OpenAI domains, luring users into downloading malware disguised as the ChatGPT desktop application.

Context: The phishing page involved a custom HTML page created using ChatGPT's rendering capabilities, published through a shared chatgpt[.]com/s/ link. The download button on the page led victims to a website, openew[.]app, impersonating OpenAI’s download portal. Separately, ChatGPT reportedly blindly executes hidden instructions in a web page while summarizing external content due to a prompt injection flaw.

Analyst note: AI tool poisoning is very likely to become a popular attack vector in the near future as threat actors increasingly weaponize flaws and legitimate features in popular AI assistants, in addition to using AI to craft cyberattacks.

Typosquatted Npm Packages Found Harvesting Cloud and CI/CD Credentials

Source: https://www.theregister.com/security/2026/05/29/14-malicious-npm-packages-impersonated-opensearch-elasticsearch-libraries/5248792

What we know: A threat actor has reportedly published 14 malicious npm packages impersonating legitimate libraries such as OpenSearch and Elasticsearch, targeting DevOps tooling, GitHub Actions, cloud services, and the npm registry itself.

Context: The attacker, under the maintainer alias vpmdhaj (a39155771@gmail[.]com), used typosquatting to trick users into installing the malicious packages instead of the legitimate ones. All of the malicious packages contained the same credential-stealing payload, intended for harvesting cloud and CI/CD credentials.

Analyst note: Systems that downloaded the packages on or after May 28 are very likely at risk of compromise, though all the malicious libraries have since been removed. The threat actor is almost certainly trying to steal developer cloud credentials, enabling lateral movement and further data theft, in order to expand the poisoned packages into a supply chain attack campaign.
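A defensive check a practitioner might run against a project's package.json for the kind of impersonation described above, as an added example (not ZeroFox's or the reporting outlets' code): it flags dependency names within a small edit distance of a known OpenSearch/Elasticsearch client package, including names where only the scope differs. The KNOWN_GOOD allowlist and the sample manifest are constructed assumptions, not the packages from the report.

```python
import json

# Assumed allowlist of legitimate client packages to protect (not from the brief).
KNOWN_GOOD = ("@opensearch-project/opensearch", "@elastic/elasticsearch", "elasticsearch")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute cost 1), classic DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def strip_scope(name: str) -> str:
    """'@scope/pkg' -> 'pkg'; unscoped names are returned unchanged."""
    return name.split("/", 1)[1] if name.startswith("@") and "/" in name else name

def find_typosquats(package_json: str, known_good=KNOWN_GOOD, max_distance: int = 2):
    """Return (dependency, closest_known, distance) for lookalike names.

    Distance 0 means the bare name matches a known package and only the scope
    differs (scope-squatting); 1-2 means a close misspelling.
    """
    manifest = json.loads(package_json)
    deps = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(manifest.get(section, {}))
    findings = []
    for dep in deps:
        if dep in known_good:
            continue  # exact legitimate name
        # Compare full and scope-stripped names against every known package; keep the closest.
        d, closest = min(
            (min(edit_distance(dep, g), edit_distance(strip_scope(dep), strip_scope(g))), g)
            for g in known_good
        )
        if d <= max_distance:
            findings.append((dep, closest, d))
    return findings

# Constructed sample manifest: two lookalikes and one unrelated package.
SAMPLE_PACKAGE_JSON = json.dumps({"dependencies": {
    "@opensearch-project/opensearch": "^3.0.0",
    "opensearhc": "^1.0.0",
    "@elastlc/elasticsearch": "^8.0.0",
    "express": "^4.19.0",
}})
```

Running `find_typosquats(SAMPLE_PACKAGE_JSON)` reports the transposed `opensearhc` at distance 2 and the scope-squatted `@elastlc/elasticsearch` at distance 0, while the exact legitimate name and `express` pass.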

Dutch Authorities Dismantle Botnet That Infected 17 Million Devices

Source: https://thehackernews.com/2026/05/dutch-authorities-dismantle-botnet.html

What we know: Dutch authorities have dismantled a botnet consisting of at least 17 million infected devices, including computers, tablets, smartphones, and IoT devices, used to carry out cyberattacks. Authorities seized a set of servers from the residential proxy provider reportedly known as Asocks.

Context: Following the law enforcement action, Asocks has reportedly taken the botnet offline. Residential proxies are used for legitimate purposes such as privacy and accessing geographically restricted websites. However, certain providers also reportedly sell their services to cybercriminals.

Analyst note: The takedown is likely to temporarily disrupt cybercriminal operations. Threat actors are very likely to pivot quickly to alternative services.

DEEP AND DARK WEB INTELLIGENCE

PwnForums user xMetah: Untested threat actor "xMetah" has advertised an alleged dataset associated with the France-based government platform Resana on the dark web forum PwnForums. The actor claims the dataset contains 989,828 records of personally identifiable information (PII), including names, email addresses, phone numbers, organizational affiliations, and account activity data.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2026-0257: This is an authentication bypass vulnerability in the Palo Alto Networks PAN-OS GlobalProtect portal and gateway. The flaw enables a remote attacker to bypass security restrictions and establish unauthorized VPN connections without valid credentials. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation. Successful exploitation is very likely to result in immediate access to internal networks and credential theft.

Affected products: Palo Alto Networks PAN-OS GlobalProtect portal and gateway with authentication override cookies enabled.

Tags: DIBtlp:green