ZeroFox Daily Intelligence Brief - June 9, 2026
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.
Brief Highlights
- ZeroFox Intelligence Flash Report - Qilin's Latest Spree of Alleged Victims
- 73 Microsoft Repositories Disabled Following Miasma Worm Infection
- ZeroFox Intelligence Brief - The Malicious Insider Threat
ZeroFox Intelligence Flash Report - Qilin's Latest Spree of Alleged Victims
Source: https://www.zerofox.com/advisories/40355/
What we know: ZeroFox has observed that the ransomware and digital extortion (R&DE) threat collective Qilin claimed 15 new victims across nine countries within a 72-hour period. The campaign spanned healthcare, hospitality, manufacturing, consumer services, and critical infrastructure sectors.
Context: The ransomware-as-a-service (RaaS) collective recently posted data samples from Austrian aviation company Avcon Jet to its dark web leak site, exposing employee passports, aircraft maintenance records, and the organization's internal cyber incident response plan. Separately, Qilin has been reportedly linked to the active exploitation of a critical authentication bypass vulnerability in Check Point Remote Access VPN, tracked as CVE-2026-50751.
Analyst note: ZeroFox assesses that Qilin will very likely conclude Q2 2026 as the most active ransomware collective globally. The group is very likely to continue or exceed its current operational tempo, outpacing other groups by a substantial margin, while remaining consistent with its established tactics, techniques, and procedures (TTPs).
73 Microsoft Repositories Disabled Following Miasma Worm Infection
What we know: GitHub has reportedly disabled 73 Microsoft repositories after detecting the Miasma worm, which allegedly stole passwords and sensitive credentials from users of compromised tools. Affected repos include Azure, Azure-Samples, Microsoft, and MicrosoftDocs.
Context: The attack reportedly began when a compromised contributor account pushed a malicious commit to the Azure Durable Task project, enabling remote code execution (RCE) and deployment of credential-stealing malware. Miasma is a self-propagating supply-chain worm believed to be connected to the Mini Shai Hulud worm, which was open-sourced by cybercrime group TeamPCP. GitHub reportedly disabled the compromised repositories within two minutes of triggering alerts.
Analyst Note: GitHub's rapid containment likely reduced the number of downstream victims. However, any secrets or access tokens obtained during the compromise are likely to be used in future attacks. Given that Mini Shai Hulud was open-sourced, the actors behind Miasma likely adapted existing malware rather than developing a more resilient custom worm.
ZeroFox Intelligence Brief - The Malicious Insider Threat
Source: https://www.zerofox.com/advisories/40323/
What we know: ZeroFox assesses that malicious insider threats pose a critical risk to organizations, with likely disgruntled employees exploiting privileged access and proprietary knowledge to conduct sophisticated attacks.
Context: Threat actors almost certainly monitor social media and dark web forums for disgruntled employees, whom they target to exploit as a means of gaining entry into specific corporate environments. The collusive insiders then execute structured operations mirroring external tactics, using internal privileges to bypass security.
Analyst Note: Insider threats are likely to remain a significant risk throughout 2026, with fallout almost certainly extending beyond targeted organizations. Social media and dark web recruitment is increasingly making it easier for insiders to "switch sides," enabling cascading impacts across supply chains.
DEEP AND DARK WEB INTELLIGENCE
Oxford University discloses data breach: UK’s Oxford University has disclosed a data breach affecting its CareerConnect platform. Third-party careers and recruitment tech provider Group GTI informed the university that attackers breached the platform on May 28, 2026, stealing credentials including usernames, email addresses, and encrypted passwords belonging to non-Single Sign On (SSO) users. Investigators found no evidence that the attack compromised internal university systems, student passwords, or financial data.
VULNERABILITY AND EXPLOIT INTELLIGENCE
CVE-2026-28318: This is an already-patched denial-of-service (DoS) vulnerability in SolarWinds Serv-U. Attackers can exploit this flaw to crash the service without authentication.
Affected products: Serv-U versions 15.4.2, 15.5, and 15.5.1, which have reached End-of-Life (EoL)
Tags: DIB, tlp:green