Wednesday War Room – 05/27/2026

Over the last 48 hours, the pattern is loud: developer ecosystems are still getting poisoned, web platforms are being exploited fast, identity workflows are getting socially engineered, and attackers are now willing to show up in person like this is some kind of terrible cyberpunk customer service desk.Let’s dive in.

Author

J.W. Croley
May 27, 2026

In partnership with

Are you running your business on incomplete numbers?

Most small business owners have financials, but few have financial clarity. There's a real difference between books that are technically up to date and books that actually tell you what's going on in your business right now. When accounting is reactive — updated when there's time, reviewed at tax season — you lose visibility exactly when you need it most. You can't tell which clients are truly profitable. You can't spot a cash flow gap before it becomes a crisis. BELAY's outsourced accounting team changes that.

The convergence of threat actors, posioned dev ecosystems, and identity signals a new phase of threat actor maturity that demands immediate executive attention and strategic response.

Gitea Flaw Exposes Private Container Images Without Authentication

Risk Level: Critical

Business Impact: Complete domain compromise, privilege escalation, authentication bypass

Business Impact: Private container image exposure can leak application code, embedded secrets, internal architecture, and build artifacts that attackers can reuse for supply chain compromise.

What You Need to Know

A Gitea vulnerability, CVE-2026-27771, allows unauthenticated attackers to pull private container images from affected deployments without credentials. Researchers estimate it may impact more than 30,000 deployments, with exposure across healthcare, aerospace, retail infrastructure, and internet service providers, according to The Hacker News report on Gitea private image exposure.

Why This Matters

  • “Private” container images often contain secrets, configs, internal paths, and deploy logic.

  • Container registries sit directly in the software supply chain.

  • Attackers can use exposed images to reverse-engineer environments before they ever touch production.

Executive Actions

📦 Upgrade Gitea to the fixed version immediately and validate all self-hosted instances.

🔐 Rotate secrets that may have been embedded in container images.

🧱 Restrict registry access and require authentication for image pulls across all environments.

🕵️ Review logs for anonymous pulls, unusual image downloads, and access from unexpected IP ranges.

GlassWorm Botnet Disrupted After Resilient C2 Takedown

Risk Level: High

Business Impact: Developer workstation compromise can lead to stolen GitHub, npm, OpenVSX, and crypto credentials, enabling downstream supply chain attacks.

What You Need to Know

Security firms disrupted the GlassWorm botnet by simultaneously taking down four command-and-control channels, including Solana blockchain dead drops, BitTorrent DHT, Google Calendar, and traditional VPS infrastructure. The campaign targeted developers through malicious VS Code/OpenVSX extensions and package ecosystem abuse, as covered by SecurityWeek’s GlassWorm disruption report and BleepingComputer’s breakdown of the takedown.

Why This Matters

  • Developer machines are now supply chain infrastructure, whether leadership likes that sentence or not.

  • Stolen developer tokens can become poisoned packages, repo compromise, and build pipeline abuse.

  • Resilient C2 shows these actors are building operations meant to survive normal takedowns.

Executive Actions

🧩 Audit VS Code/OpenVSX extensions and remove anything unapproved or suspicious.

🔑 Rotate GitHub, npm, OpenVSX, and CI/CD tokens for exposed developer endpoints.

🕵️ Hunt for GlassWorm indicators, including unusual extension behavior and outbound connections tied to known infrastructure.

🧱 Enforce developer workstation controls: extension allowlisting, least privilege, and restricted secret access.

LiteSpeed cPanel Plugin Flaw Actively Exploited for Root-Level Script Execution

Risk Level: Critical

Business Impact: Successful exploitation can give attackers root-level script execution on hosting servers, enabling website compromise, persistence, data theft, and broader server takeover.

What You Need to Know

CISA gave federal agencies four days to patch CVE-2026-48172, an actively exploited LiteSpeed cPanel user-end plugin flaw tied to mishandled Redis enable/disable behavior. The vulnerability allows remote attackers with no privileges to execute arbitrary scripts with root privileges.

Why This Matters

  • Hosting control panels are high-density targets: one server can host many customer sites.

  • Root-level execution turns “plugin bug” into full server compromise.

  • Exploited cPanel flaws often lead to webshells, spam, redirects, and ransomware staging.

Executive Actions

🩹 Patch LiteSpeed cPanel user-end plugins immediately and verify installed versions.

🔎 Search logs for cpanel_jsonapi_func=redisAble activity and validate source IPs.

🔒 Restrict cPanel access by IP, MFA, and hardened admin workflows.

🧯 Treat suspicious activity as possible root compromise and review persistence, cron jobs, and unknown scripts.Leadership Insight:

This week’s signal is simple: 

Attackers are targeting trust in the systems around the system. Private registries, developer extensions, cPanel plugins, LMS platforms, IT support workflows, and AI installers all exist because organizations need speed and convenience. Attackers are turning that convenience into access.

The executive lesson is not “ban everything.”

It is govern the things that can scale compromise: developer endpoints, package systems, remote support, hosting controls, and anything employees install because it looks useful.

Half your market is one app away.

Your business is already on Instagram, SMS, and web chat. But 52 million immigrants in the US rely on WhatsApp to connect with businesses they trust — not email, not phone calls.

Wati helps you show up on WhatsApp and every channel they use. Are you still not there?

KnowledgeDeliver Zero-Day Used to Drop Godzilla Web Shells

Risk Level: Critical

Business Impact: Learning management system compromise can expose user data, internal training content, credentials, and provide persistent access into connected environments.

What You Need to Know

Attackers exploited a critical zero-day in the KnowledgeDeliver LMS to deploy the Godzilla web shell on a vulnerable server. The exploitation was observed before a patch was available, making it a true zero-day incident with direct command-execution and persistence risk, according to BleepingComputer’s KnowledgeDeliver zero-day report.

Why This Matters

  • LMS platforms often contain user records, internal documents, and authentication integrations.

  • Web shells give attackers durable access even after the initial bug is patched.

  • “Training systems” are still production systems when they authenticate employees and store sensitive data.

Executive Actions

🧯 Isolate vulnerable KnowledgeDeliver servers until patched and validated.

🔎 Hunt for Godzilla web shell indicators, suspicious uploaded files, and abnormal command execution.

🔐 Rotate credentials tied to the LMS, especially service accounts and SSO integrations.

🧱 Review segmentation so LMS compromise cannot become broader internal access.

Silent Ransom Group Uses In-Person IT Impersonation for Data Theft

Risk Level: High 

Business Impact: Social engineering that combines phone calls, remote access, and physical intrusion can bypass technical controls and lead directly to data theft and extortion.

What You Need to Know

The FBI warned that Silent Ransom Group is targeting U.S. law firms with social engineering that starts as fake IT support calls or emails and can escalate to an in-person actor attempting to plug a USB device into a victim computer. The campaign is designed to steal data for extortion, as summarized in BleepingComputer’s FBI warning coverage.

Why This Matters

  • This bypasses a lot of tooling because the “malware” may be a person with a USB drive.

  • Legal and financial environments hold sensitive data that creates strong extortion leverage.

  • Helpdesk impersonation works because employees are trained to cooperate with IT.

Executive Actions

🧠 Brief employees: IT will not ask for unscheduled remote access or physical USB access without verification.

🔎 Require visible badge verification and front-desk escalation for anyone claiming to be support staff.

🔐 Restrict USB storage usage and alert on new external drive connections.

📞 Create a callback verification process for any urgent “IT support” request.

Fake ChatGPT and Claude Installers Drop Deno RAT Malware

Risk Level: High 

Business Impact: Fake AI/tooling installers can provide attackers with remote access, browser/session theft, crypto wallet theft, and stealthy screen monitoring.

What You Need to Know

Attackers are using counterfeit ChatGPT, Claude, and creative software installers hosted on GitHub and SourceForge to deliver the DinDoor backdoor and Deno-based RAT malware. The campaign uses compromised YouTube channels to drive victims to fake repositories, then abuses legitimate tools like Scoop, WinGet, and Deno to run payloads, according to Help Net Security’s Deno RAT report.

Why This Matters

  • Fake AI installers target the exact users experimenting with new productivity tooling.

  • Legitimate platforms and tools help the malware blend into normal developer/power-user behavior.

  • RAT access can quickly become credential theft, screen monitoring, SOCKS proxy abuse, and follow-on compromise.

Executive Actions

🧩 Restrict software installation to approved sources and managed app catalogs.

🔎 Hunt for unexpected Deno runtime usage, suspicious Scoop/WinGet installs, and GitHub-hosted installer activity.

🔐 Treat confirmed infections as identity incidents: kill sessions, rotate passwords, and review tokens.

🧠 Warn users not to install AI tools or plugins from YouTube links, random GitHub repos, or unofficial mirrors.

⚙️ Immediate Leadership Checklist ⚙️

📦 Audit Gitea/container registry exposure and rotate secrets embedded in images

🧩 Enforce IDE/extension allowlisting and rotate developer ecosystem tokens

🩹 Patch LiteSpeed cPanel plugins and review logs for exploitation attempts

🧯 Hunt for web shells on LMS/CMS-style platforms, especially KnowledgeDeliver exposure

🔐 Reinforce physical security and callback verification for IT support requests

🤖 Lock down unofficial AI installers and route approved AI tooling through managed deployment

💡 If attackers are showing up through your plugins, packages, portals, and even the front door, maybe it’s time we stop calling these “edge cases” and start calling them Tuesday. 💡

J.W.

(P.S. Check out our partners! It goes a long way to support this newsletter!)

Are you running your business on incomplete numbers?

Most business owners have financials. Few have financial clarity. BELAY's outsourced accounting team manages your books, tracks key metrics, and delivers timely reporting so you always know where your business stands — and what to do next.