May 28 / 2026 / Reading Time: 11 minutes

Weekly Situation Report : 5/25/26

EXECUTIVE SUMMARY

This report informs our partners and clients of notable developments in the cybersecurity space: relevant breaches, emerging vulnerabilities, research, threat actor movement, and what your organization needs to do to mitigate the resulting risk.

KEY TAKEAWAYS

  • Nightmare Eclipse has disclosed another Windows local privilege escalation vulnerability dubbed “MiniPlasma.”
  • A public exploit is now available for the newly discovered DirtyDecrypt Linux root escalation vulnerability.
  • Microsoft has warned that a zero-day flaw in Exchange is being actively exploited in ongoing attacks.
  • The FlowerStorm malware campaign is using the KrakVM virtual machine framework to implement advanced anti-forensics techniques.
  • GitHub has reportedly been compromised by TeamPCP, with stolen data allegedly being sold by the LAPSUS$ group.

1. Nightmare Eclipse Discloses another LPE Dubbed ‘MiniPlasma’

SUMMARY

Security researcher Nightmare Eclipse has released another local privilege escalation (LPE) exploit, dubbed ‘MiniPlasma’, targeting Windows. It is the sixth vulnerability the researcher has disclosed since April.

Category

Critical Vulnerabilities

Industry

Technology, Multiple

Sources

https://www.securityweek.com/researcher-drops-miniplasma-windows-exploit-for-unpatched-2020-cve/

https://www.reddit.com/r/cybersecurity/comments/1tgda6s/new_windows_miniplasma_zeroday_exploit_gives/

https://project-zero.issues.chromium.org/issues/42451192

ANALYST COMMENTS

Security researcher Nightmare Eclipse has released an exploit named MiniPlasma for a Windows privilege escalation vulnerability, CVE-2020-17103, that was disclosed in 2020 and may never have been effectively patched. The flaw is in the Windows Cloud Files mini filter driver (cldflt.sys) and allows registry keys to be manipulated through an undocumented API, potentially leading to code execution as SYSTEM. Nightmare Eclipse notes that the original Google Project Zero proof-of-concept still works, suggesting that either the root cause was never resolved or the flaw was reintroduced by a later update. In practice this means MiniPlasma is still exploitable on fully patched Windows 11 systems as of the May 2026 security updates. Microsoft appears to have already changed the affected behavior in recent Insider Preview Canary builds, suggesting a fix is in development or testing.

During testing, we were unable to successfully execute the vulnerability on Windows 10 Pro or Home systems.

According to discussions with other researchers, the vulnerability appears to be CVE-2020-17103 itself rather than a new flaw, since the same technique succeeds on current Windows 11 builds. That suggests the underlying issue was never fully remediated and that a change between Windows versions has made the operating system exploitable again. Compare the constants in the 2020 PoC (from the original Google Project Zero post) with those in the PoC released last week:

# codeblock snippet from original CVE-2020-17103 PoC

    const string ROOT_KEY = @"\Registry\User\.DEFAULT\Software\Policies\Microsoft";
    static string CLOUD_FILES = $@"{ROOT_KEY}\CloudFiles";
    static string BLOCKED_APPS = $@"{CLOUD_FILES}\BlockedApps";
    const string TARGET_KEY = @"\Registry\User\.DEFAULT\DEMODEMO";

# codeblock snippet from MiniPlasma PoC; note the only change is TARGET_KEY, from "DEMODEMO" to "Volatile Environment"

    const string ROOT_KEY = @"\Registry\User\.DEFAULT\Software\Policies\Microsoft";
    static string CLOUD_FILES = $@"{ROOT_KEY}\CloudFiles";
    static string BLOCKED_APPS = $@"{CLOUD_FILES}\BlockedApps";
    const string TARGET_KEY = @"\Registry\User\.DEFAULT\Volatile Environment";

The near-identical code, combined with public researcher discussion, suggests that Microsoft applied uneven mitigations across affected versions, leaving the vulnerability incompletely remediated. We are not currently aware of any in-the-wild exploitation. However, if it follows the pattern of the researcher's earlier releases, it will soon be weaponized for post-exploitation privilege escalation. With the PoC public, exploitation by multiple groups, including state-backed actors and ransomware operators, should be expected.

ACTIONABLE GUIDANCE

A patch is not currently available, so attackers will likely use this window to fold the exploit into their attack chains. The vulnerability's most visible characteristic is its interaction with, and modification of, specific registry locations, so organizations can detect use of the public PoC by monitoring those locations. Until a patch or additional mitigation is available, monitoring and detection of this behavior is the most effective approach.

Note that the PoC constants reference \Registry\User\.DEFAULT, which is the native path for HKEY_USERS\.DEFAULT (the hive that the LocalSystem account sees as HKEY_CURRENT_USER), so monitoring must cover that hive and not only the logged-on user's. Watch key creation, value writes and renames (Sysmon Event IDs 12, 13 and 14) under the following locations. Expect routine writes to Volatile Environment under interactive user hives at logon; the .DEFAULT entries, and writes by unexpected processes, are the ones to alert on.

# Monitor changes to the following:

HKEY_USERS\.DEFAULT\Software\Policies\Microsoft\CloudFiles\BlockedApps\*

HKEY_USERS\.DEFAULT\Volatile Environment\*

Computer\HKEY_CURRENT_USER\Software\Policies\Microsoft\CloudFiles\BlockedApps\*

Computer\HKEY_CURRENT_USER\Volatile Environment
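As an added example (not code from the report, from the PoC, or from Sysmon), the following Python triages Sysmon registry events against the two locations named in the PoC constants. It normalizes the hive spellings that appear in Regedit paths, in Sysmon TargetObject fields and in the PoC's native \Registry\User\... form, ranks hits under the .DEFAULT hive highest because those match the PoC exactly, and suppresses routine Volatile Environment writes by logon processes. The sample events, image paths and the benign-writer allowlist are constructed assumptions; real events would be pulled with Get-WinEvent and their EventData fields mapped into the same dictionaries.

```python
import re
from typing import Iterable, Optional

# Hive-relative key paths taken from the PoC constants (BLOCKED_APPS and TARGET_KEY).
WATCHED = {
    "\\Software\\Policies\\Microsoft\\CloudFiles\\BlockedApps": "cldflt BlockedApps key",
    "\\Volatile Environment": "MiniPlasma TARGET_KEY",
}

# Processes that legitimately populate HKCU\Volatile Environment at logon.
# Assumption for this example: tune this allowlist to your own baseline.
BENIGN_VOLATILE_ENV_WRITERS = {
    "c:\\windows\\system32\\winlogon.exe",
    "c:\\windows\\system32\\userinit.exe",
}

# Prefixes as they appear in Regedit, in Sysmon TargetObject fields and in native NT paths.
_HIVE_ALIASES = (
    ("\\registry\\user\\", "HKU\\"),
    ("\\registry\\machine\\", "HKLM\\"),
    ("hkey_users\\", "HKU\\"),
    ("hkey_current_user\\", "HKCU\\"),
    ("hkey_local_machine\\", "HKLM\\"),
)


def normalize_key(path: str) -> str:
    """Rewrite any hive spelling onto HKU\\, HKCU\\ or HKLM\\ so one rule covers all of them."""
    p = path.strip().strip('"')
    if p.lower().startswith("computer\\"):
        p = p[len("computer\\"):]
    low = p.lower()
    for prefix, hive in _HIVE_ALIASES:
        if low.startswith(prefix):
            return hive + p[len(prefix):]
    return p


def hive_user_rest(key: str):
    """Split 'HKU\\.DEFAULT\\Volatile Environment' into ('HKU', '.DEFAULT', '\\Volatile Environment')."""
    hive, _, tail = key.partition("\\")
    hive = hive.upper()
    if hive == "HKU":
        user, _, rest = tail.partition("\\")
        return hive, user, "\\" + rest
    return hive, None, "\\" + tail


def classify(event: dict) -> Optional[dict]:
    """Return a finding for a Sysmon registry event (ID 12 create/delete, 13 set value, 14 rename) or None."""
    if event.get("EventID") not in (12, 13, 14):
        return None
    target = normalize_key(event.get("TargetObject", ""))
    hive, user, rest = hive_user_rest(target)
    if hive not in ("HKU", "HKCU"):
        return None
    rest_l = rest.lower()
    label = next((lbl for sfx, lbl in WATCHED.items()
                  if rest_l == sfx.lower() or rest_l.startswith(sfx.lower() + "\\")), None)
    if label is None:
        return None
    image = event.get("Image", "").lower()
    if user is not None and user.upper() == ".DEFAULT":
        severity = "high"        # the hive the PoC names: \Registry\User\.DEFAULT (LocalSystem's HKCU)
    elif label == "MiniPlasma TARGET_KEY" and image in BENIGN_VOLATILE_ENV_WRITERS:
        return None              # routine logon population of a real user's Volatile Environment
    else:
        severity = "medium"
    return {"severity": severity, "label": label, "hive_user": user or hive,
            "event_type": event.get("EventType"), "image": event.get("Image"), "target": target}


def triage(events: Iterable[dict]) -> list:
    """Run classify() over a stream of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample events (not real telemetry); field names follow Sysmon's registry event schema.
SAMPLE_EVENTS = [
    {"EventID": 12, "EventType": "CreateKey", "Image": "C:\\Users\\alice\\Downloads\\poc.exe",
     "TargetObject": "HKU\\.DEFAULT\\Software\\Policies\\Microsoft\\CloudFiles\\BlockedApps\\x"},
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Users\\alice\\Downloads\\poc.exe",
     "TargetObject": "\\REGISTRY\\USER\\.DEFAULT\\Volatile Environment\\x"},
    {"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\winlogon.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Volatile Environment\\USERNAME"},
    {"EventID": 12, "EventType": "CreateKey", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\CloudFiles\\BlockedApps"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Only the two .DEFAULT events survive triage; the winlogon write to a real user's Volatile Environment and the HKLM policy key are dropped. The same hive-normalization step is what makes a single rule hold whether the data comes from Sysmon, from an EDR that reports native NT paths, or from a Regedit export.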

 

2. Exploit Available for New DirtyDecrypt Linux Root Escalation Flaw

SUMMARY

A recently discovered and now patched Linux kernel vulnerability named DirtyDecrypt allows local privilege escalation to root, and a proof-of-concept exploit is public. The issue affects only distributions whose kernels are built with the relevant option and is part of a series of similar vulnerabilities; organizations should prioritize updates and mitigation to protect against exploitation.

Category

Critical Vulnerabilities

Industry

Education, Technology, Public Administration and Government

Sources

https://www.bleepingcomputer.com/news/security/exploit-available-for-new-dirtydecrypt-linux-root-escalation-flaw/
https://www.securityweek.com/poc-released-for-dirtydecrypt-linux-kernel-vulnerability/
https://www.sentinelone.com/vulnerability-database/cve-2026-31643/
https://nvd.nist.gov/vuln/detail/CVE-2026-31635

ANALYST COMMENTS

A proof-of-concept exploit is available for DirtyDecrypt (also called DirtyCBC), a recently patched local privilege escalation vulnerability in the Linux kernel's rxgk code (enabled by CONFIG_RXGK), which allows a local attacker to gain root on affected systems. The flaw was independently discovered and reported, but was later determined to be a duplicate of an issue already fixed in the mainline kernel. Exploitation requires a kernel built with CONFIG_RXGK, which limits exposure to distributions that ship such kernels, such as Fedora, Arch Linux, and openSUSE Tumbleweed.

CONFIG_RXGK adds RxGK security support to the kernel's RxRPC transport, which exists primarily to serve the in-kernel Andrew File System (AFS) client. AFS is common in large university and campus environments, in the US and internationally, which may raise the likelihood of exploitation attempts against the education sector. Organizations in those environments should prioritize patching and mitigation for this vulnerability.

Because AFS is uncommon on Linux systems in other sectors, organizations that do not use it can reasonably rank this issue behind more critical threats. The vulnerability may see use in post-exploitation scenarios, but it is unlikely to affect cloud-heavy environments and is more likely to affect desktop installs of the affected distributions on individual user workstations. The following distributions are currently known to be affected:

  • Fedora (including Rawhide and Workstation, prior to patches)
  • Arch Linux (prior to system updates)
  • openSUSE Tumbleweed (prior to zypper dup)
  • Systems using mainline kernel PPAs
  • ELRepo kernel-ml on RHEL/CentOS Stream

ACTIONABLE GUIDANCE

The guidance is the same as for Dirty Frag and Fragnesia, as DirtyDecrypt affects the same modules. Depending on the distribution, a patched kernel and additional guidance may be available from the distribution's official site. If the Dirty Frag or Fragnesia mitigations have already been applied, you are likely protected. Otherwise, prevent the following modules from loading via an /etc/modprobe.d entry. Note that having them merely unloaded is not sufficient: an unprivileged socket() call for an unregistered address family makes the kernel autoload the matching module, so the block must be in modprobe configuration, and an `install <module> /bin/false` line is stronger than `blacklist` because it also refuses explicit loads.

  • esp4
  • esp6
  • rxrpc
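As an added example (not from the report or from any distribution's tooling), the following Python decides whether a host still exposes the DirtyDecrypt code path by reading the running kernel's config, /proc/modules and /etc/modprobe.d, and prints the modprobe.d lines that are still missing for esp4, esp6 and rxrpc. The sample config and module list are constructed. It assumes the RxGK code selected by CONFIG_RXGK is compiled into the rxrpc module, so rxrpc is the module whose loadability matters; confirm that with `modinfo rxrpc` on your own kernel.

```python
import re

# Modules named in the report's guidance for DirtyDecrypt (and earlier Dirty Frag / Fragnesia).
# The RxGK code selected by CONFIG_RXGK is compiled into the rxrpc module (assumption: confirm
# with `modinfo rxrpc` on your kernel), so rxrpc is the one that matters for DirtyDecrypt.
BLOCK_MODULES = ("esp4", "esp6", "rxrpc")


def parse_kconfig(text: str) -> dict:
    """Parse /boot/config-$(uname -r) (or decompressed /proc/config.gz) into {option: 'y'|'m'|'n'|value}."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"(CONFIG_\w+)=(.+)", line)
        if m:
            opts[m.group(1)] = m.group(2)
            continue
        m = re.fullmatch(r"# (CONFIG_\w+) is not set", line)
        if m:
            opts[m.group(1)] = "n"
    return opts


def loaded_modules(proc_modules: str) -> set:
    """Module names are the first column of /proc/modules."""
    return {line.split()[0] for line in proc_modules.splitlines() if line.strip()}


def blocked_modules(modprobe_conf: str) -> set:
    """Modules covered by a 'blacklist' or 'install <mod> /bin/false' line in /etc/modprobe.d/*.conf."""
    return set(re.findall(r"^\s*(?:blacklist|install)\s+([\w-]+)", modprobe_conf, re.M))


def assess(kconfig: str, proc_modules: str, modprobe_conf: str = "") -> dict:
    """Decide whether this host still exposes the DirtyDecrypt code path and which modprobe.d lines are missing."""
    opts = parse_kconfig(kconfig)
    rxgk = opts.get("CONFIG_RXGK", "n")
    rxrpc = opts.get("CONFIG_AF_RXRPC", "n")
    loaded = loaded_modules(proc_modules)
    blocked = blocked_modules(modprobe_conf)
    if rxgk == "n":
        exposed, reason = False, "CONFIG_RXGK not set: the DirtyDecrypt code path is not built"
    elif rxrpc == "y":
        exposed, reason = True, "rxrpc is built in: module blocking cannot help, only a patched kernel"
    elif "rxrpc" in loaded:
        exposed, reason = True, "rxrpc is currently loaded with RxGK support"
    elif "rxrpc" in blocked:
        exposed, reason = False, "rxrpc blocked in modprobe.d: socket()-triggered autoload is prevented"
    else:
        # Not loaded is not the same as not loadable: an unprivileged socket(AF_RXRPC, ...) call makes the
        # kernel request_module() the 'net-pf-33' alias, so the module must be blocked, not merely absent.
        exposed, reason = True, "rxrpc not loaded but still autoloadable: add a modprobe.d block"
    missing = [m for m in BLOCK_MODULES if m not in blocked]
    return {
        "config_rxgk": rxgk, "rxrpc_build": rxrpc,
        "loaded": sorted(loaded & set(BLOCK_MODULES)),
        "exposed": exposed, "reason": reason,
        "recommended_conf": "".join(f"install {m} /bin/false\n" for m in missing),
    }


# Constructed sample inputs (not from a real host): a Fedora-style config fragment and a /proc/modules excerpt.
FEDORA_LIKE_CONFIG = "CONFIG_AF_RXRPC=m\nCONFIG_RXGK=y\nCONFIG_INET_ESP=m\nCONFIG_INET6_ESP=m\n"
PROC_MODULES_SAMPLE = "xt_conntrack 12288 1 - Live 0x0000000000000000\nesp4 28672 0 - Live 0x0000000000000000\n"

if __name__ == "__main__":
    import platform
    from pathlib import Path
    cfg, mods, confdir = Path(f"/boot/config-{platform.release()}"), Path("/proc/modules"), Path("/etc/modprobe.d")
    if cfg.is_file() and mods.is_file():
        conf = "".join(p.read_text() for p in confdir.glob("*.conf")) if confdir.is_dir() else ""
        print(assess(cfg.read_text(), mods.read_text(), conf))
    else:
        print(assess(FEDORA_LIKE_CONFIG, PROC_MODULES_SAMPLE))
```

On the constructed Fedora-style host, rxrpc is not loaded but nothing blocks it, so the verdict is still "exposed" and the recommended configuration contains an `install ... /bin/false` line for each of the three modules; once those lines are present the same inputs assess as mitigated. A built-in rxrpc (CONFIG_AF_RXRPC=y) cannot be mitigated this way at all, which is why the tool says so rather than emitting useless modprobe.d lines.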

3. Microsoft Warns of Exchange Zero-Day Flaw Exploited in Attacks

SUMMARY

Microsoft has detailed a high-severity spoofing vulnerability, CVE-2026-42897, in Exchange Server that allows attacker-controlled script to run in a victim's Outlook on the web session via cross-site scripting (XSS). Until official patches are available we recommend relying on the Exchange Emergency Mitigation Service (EEMS) for interim protection.

Category

Critical Vulnerabilities

Industry

Technology, Financial and Fintech, Public Sector and Government Administration

Sources

https://techcommunity.microsoft.com/blog/exchange/addressing-exchange-server-may-2026-vulnerability-cve-2026-42897/4518498

https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-of-exchange-zero-day-flaw-exploited-in-attacks/


https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42897

https://www.reddit.com/r/exchangeserver/comments/1td5fxa/urgent_microsoft_released_a_mitigation_for/

https://microsoft.github.io/CSS-Exchange/Security/EOMT/

ANALYST COMMENTS

Microsoft disclosed a high-severity Exchange Server vulnerability, CVE-2026-42897, that lets an attacker run script in the victim's Outlook on the web session through cross-site scripting (XSS). The flaw affects Exchange Server 2016, 2019, and Subscription Edition (SE). Patches are not yet available, but the Exchange Emergency Mitigation Service (EEMS) can apply a mitigation automatically to on-premises deployments that have the service enabled.

No public PoC is known. We identified one apparent PoC that is likely fake, and there is no sign that a weaponized exploit has been widely released; nor have we found a PoC, or any relevant discussion of the issue, on the underground and dark web forums we have access to. The exploitation observed so far has not been attributed. Nation-state actors have the resources to weaponize the vulnerability in the short term, making China- and Russia-aligned actors the most likely to abuse it.

Because the issue is an input-validation flaw exploited via XSS in a specially crafted email, embedding malicious JavaScript in the message body is likely trivial for an attacker. Based on the vulnerability description and user comments, the root cause may be a missing or improperly implemented Content Security Policy (CSP) header. That scenario matters because Internet Explorer, and Edge in IE compatibility mode, do not support standard CSP headers at all, so a CSP fix would not protect those clients. If the absence of a CSP header is the primary cause, the threat landscape could expand beyond nation-state actors to a wider range of financially motivated groups.

ACTIONABLE GUIDANCE

Admins can apply the mitigation manually with the Exchange On-premises Mitigation Tool (EOMT). User reports indicate side effects such as broken OWA print-calendar functionality and inline image display, so test the mitigation before rolling it out broadly. The following versions are vulnerable:

  • Microsoft Exchange Server Subscription Edition RTM
  • Microsoft Exchange Server 2019 Cumulative Update 15
  • Microsoft Exchange Server 2019 Cumulative Update 14
  • Microsoft Exchange Server 2016 Cumulative Update 23

 

4. FlowerStorm Uses KrakVM for Anti-Forensics

SUMMARY

FlowerStorm, a phishing-as-a-service (PhaaS) kit, recently integrated KrakVM, an open-source JavaScript virtual machine, to obfuscate its phishing pages. The campaign targets various sectors and includes credential harvesting and MFA interception capabilities.

Category

Phishing

Industry

Public Sector and Government Administration, Logistics and Shipping, Retail

Sources

https://sublime.security/blog/flowerstorm-unleashes-the-krakvm-phaas-operators-turn-to-vm-based-obfuscation/

https://www.darktrace.com/blog/from-rockstar2fa-to-flowerstorm-investigating-a-blooming-phishing-as-a-service-platform

https://www.sophos.com/en-us/blog/phishing-platform-rockstar-2fa-trips-and-flowerstorm-picks-up-the-pieces

ANALYST COMMENTS

FlowerStorm, a phishing-as-a-service (PhaaS) kit active since mid-2024, has been used in large-scale campaigns and is notable for its multi-factor authentication (MFA) interception capability. In April 2026, researchers identified a campaign using KrakVM, a newly released open-source JavaScript virtual machine, to deliver the FlowerStorm payload. The phishing emails impersonated urgent business communications such as voicemails or invoices and carried KrakVM-encoded HTML attachments; opening the attachment started a multi-stage process that harvested credentials. The campaign targeted local government, logistics, retail, communications and real estate, using German domain names with English words to mimic legitimate businesses. KrakVM's Base64-encoded sections and custom ciphers provided a high level of obfuscation, making the malicious content difficult to analyze without executing it. In the overall chain the virtual machine decodes and executes the attack payload, which is the FlowerStorm kit itself, designed to harvest credentials and support adversary-in-the-middle (AiTM) MFA interception.

We examined several FlowerStorm-associated phishing pages and found that many recent samples of the kit no longer use KrakVM in the manner described by the original source. The latest KrakVM-based sample was identified on April 23rd. Comparing its obfuscation with our own test output from the tool showed minimal deviation from KrakVM's default output. We were able to identify and pivot on these samples through references to variables and functions such as “krakvm”, “runVM(bytecode);”, and other strings containing “krak”.

Each sample made extensive use of Cloudflare services, including Cloudflare Turnstile, to gate the loading of the phishing page's elements. Another common characteristic was an anti-analysis check that redirects to about:blank when an automation or headless browser is detected (navigator.webdriver, PhantomJS markers) or when the user agent contains “Burp”, followed by a keydown handler that suppresses the usual view-source and developer-tools shortcuts:

if (navigator.webdriver || window.callPhantom || window._phantom || navigator.userAgent.includes("Burp")) {
    window.location = "about:blank";
}
document.addEventListener("keydown", function (event) {
    function UgNY(event) {
        const TbWb = [
            { keyCode: 123 },                          // F12
            { ctrl: true, keyCode: 85 },               // Ctrl + U (view source)
            { ctrl: true, shift: true, keyCode: 73 },  // Ctrl + Shift + I (DevTools)
            { ctrl: true, shift: true, keyCode: 67 },  // Ctrl + Shift + C (inspect element)
            { ctrl: true, shift: true, keyCode: 74 },  // Ctrl + Shift + J (console)
            { ctrl: true, shift: true, keyCode: 75 },  // Ctrl + Shift + K (Firefox console)
            { ctrl: true, keyCode: 72 },               // Ctrl + H
            { meta: true, alt: true, keyCode: 73 },    // Cmd + Option + I (macOS DevTools)
            { meta: true, alt: true, keyCode: 67 },    // Cmd + Option + C
            { meta: true, keyCode: 85 }                // Cmd + U
        ];

        return TbWb.some(BZfD =>
            (!BZfD.ctrl || event.ctrlKey) &&
            (!BZfD.shift || event.shiftKey) &&
            (!BZfD.meta || event.metaKey) &&
            (!BZfD.alt || event.altKey) &&
            event.keyCode === BZfD.keyCode
        );
    }
...snip...

window.location.replace("https://outlook.office365.com/encryption/Login?itemID=E4E_M_5e217a7d-1049-4a97-9017-6be67ce4532d&recipientemailaddress=<email>...snip

The evidence here may indicate a shift away from KrakVM-based tactics, or may simply reflect the preference of a single affiliate using the service. There was little variation across the recent samples, and no sample identified after April 23rd exhibited the qualities of the original KrakVM variant of the FlowerStorm PhaaS kit.

ACTIONABLE GUIDANCE

Each sample analyzed shared several characteristics. In the attack chain, the kit redirects the user to a *.myqcloud[.]com resource, which usually serves a malicious bootstrap.min.js as the primary payload. Blocking or alerting on that resource, together with monitoring for indicators such as references to “krak” or “krakvm” and heavily obfuscated bytecode blobs, may help identify activity associated with the kit. Note that myqcloud.com is the domain used by Tencent Cloud object storage, so a wildcard block may affect legitimate Tencent-hosted content; where the organization depends on Tencent Cloud services, block the specific observed hosts or alert rather than block.
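As an added example (not code from the report, from Sublime Security, or from the FlowerStorm kit itself), the following Python scores an HTML attachment against the traits described above: the KrakVM strings, the Cloudflare Turnstile loader, the myqcloud[.]com payload host, the automation-browser and “Burp” user-agent check, the F12 key block, and the Office 365 encryption-page redirect. Because KrakVM hides its stages in Base64 sections, the scanner also decodes every long Base64 run and rescans the result, which is what surfaces the “krakvm” and “runVM(bytecode)” strings in the sample. The sample attachment, the Tencent COS host name, the indicator weights and the threshold are constructed assumptions for the example.

```python
import base64
import binascii
import re

# Indicator patterns taken from the samples described in the report. Weights and the
# threshold are this example's own assumptions; tune them against your own corpus.
INDICATORS = [
    ("krakvm_reference", re.compile(r"krak(?:vm)?", re.I), 3),
    ("runvm_bytecode_call", re.compile(r"runVM\s*\(\s*bytecode\s*\)"), 4),
    ("myqcloud_resource", re.compile(r'https?://[\w.-]+\.myqcloud\.com/[^\s"\']*', re.I), 3),
    ("turnstile_widget", re.compile(r"challenges\.cloudflare\.com/turnstile", re.I), 1),
    ("automation_browser_check",
     re.compile(r"navigator\.webdriver|window\.callPhantom|window\._phantom"), 2),
    ("burp_ua_check", re.compile(r"""userAgent\.includes\(\s*["']Burp["']\s*\)"""), 2),
    ("devtools_key_block", re.compile(r"keyCode\s*:\s*123\b"), 2),
    ("o365_encryption_redirect", re.compile(r"outlook\.office365\.com/encryption/Login", re.I), 2),
]
MYQCLOUD_HOST = re.compile(r"https?://([\w.-]+\.myqcloud\.com)/", re.I)
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
LIKELY_THRESHOLD = 8


def decode_base64_runs(text: str) -> list:
    """Decode every long Base64 run so indicators hidden in KrakVM's encoded sections can be matched."""
    decoded = []
    for m in _B64_RUN.finditer(text):
        blob = m.group(0)
        blob += "=" * (-len(blob) % 4)          # restore padding the regex may have split off
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            continue
    return decoded


def scan_attachment(html: str) -> dict:
    """Score an HTML attachment for FlowerStorm/KrakVM traits; each hit records where it was found."""
    hits = {}
    for name, pattern, weight in INDICATORS:
        if pattern.search(html):
            hits[name] = ("raw", weight)
    for i, text in enumerate(decode_base64_runs(html)):
        for name, pattern, weight in INDICATORS:
            if name not in hits and pattern.search(text):
                hits[name] = (f"base64 run {i}", weight)
    score = sum(weight for _, weight in hits.values())
    return {
        "score": score,
        "verdict": "likely FlowerStorm" if score >= LIKELY_THRESHOLD else "inconclusive",
        "hits": hits,
        "myqcloud_hosts": sorted({m.group(1) for m in MYQCLOUD_HOST.finditer(html)}),
    }


# Constructed sample attachment (not a real sample): the anti-analysis check from the report,
# a Turnstile loader, a made-up Tencent COS host, and a Base64 blob hiding the KrakVM strings.
_SECOND_STAGE = b"var krakvm = {}; /* constructed second stage */ runVM(bytecode);"
SAMPLE_ATTACHMENT = (
    '<html><head>\n'
    '<script src="https://challenges.cloudflare.com/turnstile/v0/api.js"></script>\n'
    '<script src="https://example-1250000000.cos.ap-hongkong.myqcloud.com/bootstrap.min.js"></script>\n'
    '</head><body><script>\n'
    'if (navigator.webdriver || window.callPhantom || window._phantom || navigator.userAgent.includes("Burp")) {\n'
    '    window.location = "about:blank";\n'
    '}\n'
    'document.addEventListener("keydown", function (e) { const TbWb = [{ keyCode: 123 }, { ctrl: true, keyCode: 85 }]; });\n'
    'var blob = "' + base64.b64encode(_SECOND_STAGE).decode() + '";\n'
    '</script></body></html>\n'
)

if __name__ == "__main__":
    print(scan_attachment(SAMPLE_ATTACHMENT))
```

On the constructed sample, five indicators match the raw HTML and two more (the KrakVM references) appear only after the Base64 run is decoded; a scanner that skips the decode step would miss exactly the strings the report recommends pivoting on. The extracted myqcloud host list is what you would feed into a block or alert rule.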

 

5. GitHub Compromised by TeamPCP, Data Being Sold by LAPSUS$

SUMMARY

GitHub was impacted by a breach attributed to TeamPCP that leveraged a malicious version of the Nx Console VS Code extension. The campaign enabled theft of private code repositories by harvesting developer credentials and CI/CD pipeline secrets.

Category

Supply Chain Risk

Industry

Technology, Multiple

Sources

https://www.helpnetsecurity.com/2026/05/21/github-grafana-breach-root-cause-nx-console/

https://nx.dev/blog/nx-console-v18-95-0-postmortem

https://www.stepsecurity.io/blog/nx-console-vs-code-extension-compromised

https://github.com/nrwl/nx-console/security/advisories/GHSA-c9j4-9m59-847w

Internal OSec Research

ANALYST COMMENTS

GitHub suffered a breach after an employee installed a malicious version of the Nx Console VS Code extension, leading to the theft of 4,000 private code repositories. The compromised extension harvested credentials including GitHub tokens, AWS credentials and npm registry tokens, and exfiltrated data over multiple channels: HTTPS, the GitHub API and DNS. The compromised release and its exposure window:

  • Nx Console v18.95.0 - exposure window 2026-05-18, 12:30-13:09 UTC

ACTIONABLE GUIDANCE

Developers and organizations that installed the malicious version during the exposure window should audit their systems for the malicious code and the published indicators of compromise, and treat every credential reachable from the affected machine (GitHub tokens, cloud keys, npm tokens, CI/CD secrets) as compromised and rotate it. While the GitHub breach is unlikely to cause immediate impact to most repository owners, the stolen data may feed future attacks against GitHub, individual repositories, or dependent organizations in the coming months.

Maintaining backups of hosted projects outside GitHub is recommended to reduce the risk of data loss or platform-level compromise. Regular SBOM audits are also recommended to help identify malicious or compromised dependencies introduced through supply-chain or direct vectors.
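As an added example (not from the report, from Nx, or from VS Code), the following Python audits a VS Code extensions directory for Nx Console installs, flags the v18.95.0 release, and, where VS Code's extensions.json recorded an install timestamp, checks whether it falls inside the 2026-05-18 12:30-13:09 UTC exposure window. The marketplace identifiers it matches on, the extensions.json field names and the sample directory layout are assumptions; verify them against the extension's own package.json and your VS Code build before trusting the result.

```python
import json
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MALICIOUS_VERSION = "18.95.0"
# Exposure window from the Nx postmortem as cited in the report.
WINDOW_START = datetime(2026, 5, 18, 12, 30, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 18, 13, 9, tzinfo=timezone.utc)
# Marketplace identity of Nx Console. Assumption: the report gives only the product name;
# confirm publisher/name in the extension's package.json.
NX_CONSOLE_IDS = {"nrwl.angular-console", "nrwl.nx-console"}


def is_nx_console(pkg: dict) -> bool:
    """Match on publisher.name or on the display name, so a renamed package is still caught."""
    ident = f"{pkg.get('publisher', '')}.{pkg.get('name', '')}".lower()
    display = str(pkg.get("displayName", "")).strip().lower()
    return ident in NX_CONSOLE_IDS or display == "nx console"


def installed_timestamps(ext_root: Path) -> dict:
    """Map 'publisher.name@version' -> install time (UTC) from extensions.json, when VS Code recorded one.
    Assumption: entries carry identifier.id, version and metadata.installedTimestamp (ms since epoch)."""
    meta = ext_root / "extensions.json"
    stamps = {}
    if not meta.is_file():
        return stamps
    try:
        entries = json.loads(meta.read_text(encoding="utf-8"))
    except ValueError:
        return stamps
    for entry in entries:
        ident = str((entry.get("identifier") or {}).get("id", "")).lower()
        ts = (entry.get("metadata") or {}).get("installedTimestamp")
        if ident and isinstance(ts, (int, float)):
            stamps[f"{ident}@{entry.get('version', '')}"] = datetime.fromtimestamp(ts / 1000, tz=timezone.utc)
    return stamps


def audit_extensions(ext_root) -> list:
    """Return one finding per Nx Console install found under ext_root (e.g. ~/.vscode/extensions)."""
    ext_root = Path(ext_root)
    stamps = installed_timestamps(ext_root)
    findings = []
    for pkg_file in sorted(ext_root.glob("*/package.json")):
        try:
            pkg = json.loads(pkg_file.read_text(encoding="utf-8"))
        except ValueError:
            continue
        if not is_nx_console(pkg):
            continue
        version = str(pkg.get("version", ""))
        key = f"{str(pkg.get('publisher', '')).lower()}.{str(pkg.get('name', '')).lower()}@{version}"
        installed = stamps.get(key)
        findings.append({
            "path": str(pkg_file.parent),
            "version": version,
            "malicious_version": version == MALICIOUS_VERSION,
            "installed_utc": installed.isoformat() if installed else None,
            "installed_in_window": (WINDOW_START <= installed <= WINDOW_END) if installed else None,
        })
    return findings


def make_sample_extensions_dir() -> Path:
    """Constructed layout for demonstration only, mirroring <root>/<publisher.name-version>/package.json."""
    root = Path(tempfile.mkdtemp(prefix="vscode-ext-audit-"))
    samples = (
        ("nrwl.angular-console-18.95.0",
         {"name": "angular-console", "publisher": "nrwl", "displayName": "Nx Console", "version": "18.95.0"}),
        ("ms-python.python-2026.4.0",
         {"name": "python", "publisher": "ms-python", "displayName": "Python", "version": "2026.4.0"}),
    )
    for dirname, pkg in samples:
        (root / dirname).mkdir()
        (root / dirname / "package.json").write_text(json.dumps(pkg), encoding="utf-8")
    inside_window = int(datetime(2026, 5, 18, 12, 45, tzinfo=timezone.utc).timestamp() * 1000)
    (root / "extensions.json").write_text(json.dumps([
        {"identifier": {"id": "nrwl.angular-console"}, "version": "18.95.0",
         "metadata": {"installedTimestamp": inside_window}},
    ]), encoding="utf-8")
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_extensions_dir()
    print(json.dumps(audit_extensions(target), indent=2))
```

Run it against ~/.vscode/extensions (and the equivalent directories for VS Code Insiders or remote/WSL hosts). A clean result is not proof of safety: VS Code removes the previous version's directory on update, so a machine that auto-updated to 18.95.0 inside the window and then to a fixed release will show nothing on disk. Treat the update history in VS Code's logs, and any credential the extension could read at the time, as the real evidence.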

Get the Complete Report

The full Intelligence Desk brief includes exhaustive IOC lists, YARA detection rules, detailed remediation playbooks, and OSec's original threat research. Delivered weekly to our partners and clients.
