☕ Good Morning Security Gang,
If there was one theme that dominated today’s show, it was this:
The pace of cyber operations is accelerating faster than our institutions, infrastructure, and security programs were designed to handle.
Today’s episode delivered one of the most diverse threat landscapes we’ve covered all year. We examined a newly disclosed HTTP/2 denial-of-service exploit capable of taking down major web servers in seconds, a publicly disclosed VS Code zero-day that steals GitHub OAuth tokens with a single click, a five-month espionage campaign that silently drained the mailbox of a senior stock exchange executive, and a Five Eyes intelligence warning revealing how China is actively recruiting government insiders through platforms many professionals use every day.
At the same time, AI continues reshaping cybersecurity at unprecedented speed. This week alone, AI systems discovered critical vulnerabilities in both Redis and web infrastructure while organizations continue struggling to patch vulnerabilities discovered years ago. The message is becoming increasingly clear: attackers are accelerating, AI is accelerating, and defenders must adapt or risk falling behind.
Double espresso in hand, coffee cup cheers, gang. Let’s dive in.
🧭 Executive Summary
Today’s threat landscape revealed four converging realities that every security leader should be paying attention to.
First, AI-assisted vulnerability discovery is dramatically compressing the timeline between identifying weaknesses and operational exploitation. Second, developer environments and software supply chains continue emerging as some of the most valuable attack surfaces available to threat actors. Third, nation-state intelligence services are increasingly blending traditional espionage techniques with cyber operations, targeting both technical systems and human assets simultaneously. Finally, critical infrastructure and internet-facing services remain dangerously exposed due to patching delays, misconfigurations, and operational complexity.
Every story today reinforced the same conclusion: speed is now the defining factor in cybersecurity.
📰 Top Stories & Deep Dive Analysis
“The pace of cyber operations is accelerating faster than our institutions were designed to handle.” James Azar
💣 HTTP/2 Bomb Can Crash Major Web Servers in Under a Minute
The most urgent technical story today involved the disclosure of CVE-2026-49975, a remote denial-of-service vulnerability researchers are calling the “HTTP/2 Bomb.” The flaw impacts several of the world’s most widely deployed web server technologies, including Apache HTTP Server, Microsoft’s IIS, Envoy Proxy, and Cloudflare’s Pingora infrastructure.
The attack combines two previously understood concepts into a highly effective denial-of-service technique. First, attackers abuse HPACK compression mechanisms to force servers into allocating enormous amounts of memory while decompressing relatively small amounts of malicious traffic. Then, by combining the attack with slow connection techniques similar to Slowloris, the server is prevented from releasing that memory once allocated.
The results are staggering. Researchers demonstrated that a single client connected through a standard residential internet connection could consume and hold approximately 32 gigabytes of memory on vulnerable Apache and Envoy servers in roughly twenty seconds.
What makes this especially concerning is the scale. Researchers estimate more than 880,000 public websites are potentially affected by default configurations. Nginx quietly patched the issue earlier this year, while Apache released fixes in late May. However, Microsoft IIS, Envoy, and Cloudflare’s Pingora remained unpatched as of publication.
The broader significance of this story is equally important. The vulnerability was discovered using OpenAI’s Codex platform, marking the second major AI-assisted vulnerability discovery disclosed this week. That trend is no longer theoretical; it is operational.
Organizations should immediately patch Apache and Nginx deployments, implement strict connection limits, enforce HPACK restrictions, and review mitigation options at load balancer and web application firewall layers.
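As an added illustration, not code from the researchers or from any of the affected servers, the toy decoder below shows the two HPACK-side limits that bound decompression memory: a capped dynamic table with eviction and a cap on the decoded header list that aborts the block as soon as it is crossed. The instruction format, sample stream and limit values are constructed assumptions, not real HPACK wire encoding.

```python
"""Bounded HPACK-style decoder showing the two limits that keep decompression memory in check.
Constructed toy, not the RFC 7541 wire format (no integer prefix coding, no Huffman); it keeps
the protections relevant to the amplification described above: a dynamic table capped at
SETTINGS_HEADER_TABLE_SIZE (with eviction) and a decoded list capped at SETTINGS_MAX_HEADER_LIST_SIZE."""
from collections import deque

ENTRY_OVERHEAD = 32  # RFC 7541 section 4.1: entry size = len(name) + len(value) + 32

class HeaderListTooLarge(Exception):
    pass

class BoundedDecoder:
    def __init__(self, table_size=4096, max_header_list=8192):
        self.table_size, self.max_header_list = table_size, max_header_list
        self.table = deque()  # index 0 is the newest entry, as in HPACK
        self.table_bytes = 0

    def _add(self, name, value):
        size = len(name) + len(value) + ENTRY_OVERHEAD
        while self.table and self.table_bytes + size > self.table_size:  # evict oldest
            n, v = self.table.pop()
            self.table_bytes -= len(n) + len(v) + ENTRY_OVERHEAD
        if size <= self.table_size:
            self.table.appendleft((name, value))
            self.table_bytes += size

    def decode(self, instructions):
        """('lit', name, value) emits a header and indexes it; ('idx', i) re-emits table
        entry i. Raises once the decoded list exceeds max_header_list, bounding memory."""
        out, total = [], 0
        for ins in instructions:
            if ins[0] == "lit":
                name, value = ins[1], ins[2]
                self._add(name, value)
            else:
                name, value = self.table[ins[1]]
            total += len(name) + len(value) + ENTRY_OVERHEAD
            if total > self.max_header_list:
                raise HeaderListTooLarge(f"decoded {total} bytes > {self.max_header_list}")
            out.append((name, value))
        return out

def decode_bounded(instructions, max_header_list=16384):
    """Return (approximate wire bytes, 'accepted' or 'aborted') for one bounded decode."""
    wire = sum(len(i[1]) + len(i[2]) if i[0] == "lit" else 1 for i in instructions)
    try:
        BoundedDecoder(max_header_list=max_header_list).decode(instructions)
        return wire, "accepted"
    except HeaderListTooLarge:
        return wire, "aborted"
```

A constructed stream of one 1 KB literal followed by two thousand one-byte index references costs about 3 KB on the wire but would expand past 2 MB; the bounded decoder stops at the list-size cap instead of allocating all of it.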
💻 VS Code Zero-Day Steals GitHub Tokens With a Single Click
The developer community was rocked this week after security researcher Amar Askar publicly disclosed a VS Code zero-day vulnerability capable of stealing GitHub OAuth tokens through a remarkably simple attack chain.
The vulnerability exploits several behaviors within VS Code’s notebook and extension ecosystem. By delivering a malicious Jupyter notebook file, attackers can execute JavaScript inside a WebView iframe. The script then silently installs a malicious extension by triggering synthetic keyboard shortcuts and exploiting GitHub’s automatic authentication behavior between GitHub.com and GitHub.dev.
Once the extension is installed, it intercepts OAuth tokens before they reach GitHub’s web environment and exfiltrates them to the attacker.
The most alarming aspect is the blast radius. These tokens do not simply grant access to a single repository. They provide access to every private repository the victim can access through GitHub.
No patch is currently available.
This story continues reinforcing what we’ve seen throughout 2026: developer environments have become one of the highest-value targets in cybersecurity. Developers often hold privileged access to source code, cloud infrastructure, secrets, CI/CD systems, and deployment pipelines, making them prime targets for sophisticated attackers.
Organizations should immediately review installed VS Code extensions, restrict use of untrusted Jupyter notebooks, and consider disabling notebook functionality on systems where it is not required.
📈 Five-Month Espionage Campaign Targets Global Stock Exchange Executive
One of the most fascinating espionage reports of the year came from Symantec’s threat hunting team, which documented a highly disciplined operation targeting a senior executive at a major global stock exchange.
“The gap between attacker tempo and institutional response time is becoming the defining characteristic of this threat environment.” James Azar
Unlike many modern attacks focused on disruption or ransomware, this campaign was remarkably restrained. Over a period of five months, attackers quietly extracted the executive’s Outlook mailbox in carefully staged increments.
The attackers used malware disguised as Adobe and OneDrive services while leveraging legitimate tools and cloud services to avoid detection. Exfiltration occurred through Dropbox and personal OneDrive accounts. Particularly noteworthy was their use of hardcoded Microsoft-owned IP addresses rather than normal OneDrive hostnames, effectively bypassing DNS-based monitoring controls.
The attackers avoided large data transfers, instead stealing information in smaller date-based batches. The result was complete visibility into the executive’s communications, calendar data, strategic discussions, and market-related correspondence.
For intelligence services, this type of access can be far more valuable than a disruptive attack. Market-moving information, regulatory discussions, merger activity, and strategic planning all carry significant intelligence value.
The report serves as a reminder that some of the most dangerous adversaries aren’t trying to make noise; they’re trying to remain invisible.
🇨🇳 Five Eyes Warn China Is Recruiting Government Insiders Through LinkedIn
One of the most significant geopolitical stories today came through a joint advisory issued by intelligence agencies from the United States, Canada, the United Kingdom, Australia, and New Zealand. The warning outlines how Chinese intelligence services are systematically recruiting government employees, military personnel, contractors, and critical infrastructure workers through professional networking platforms.
The process follows a surprisingly structured methodology. Targets are initially approached through platforms like LinkedIn, Indeed, and Upwork. Once contact is established, recruiters evaluate the individual’s access, responsibilities, and potential value. Victims are often asked to produce seemingly harmless research reports before gradually being tasked with increasingly sensitive topics.
Compensation is typically provided through:
PayPal
Payoneer
Wise
Skrill
Cryptocurrency
Traditional wire services
The advisory stresses that classified access is not required to become a target. Information such as facility layouts, contract details, budget planning, vendor relationships, and internal policies may appear harmless individually but can become extraordinarily valuable when aggregated.
Perhaps most concerning is the migration path. Once trust is established, communications move from public platforms to encrypted services such as Signal and Telegram, effectively moving activity outside organizational visibility.
This campaign strongly resembles North Korea’s long-running use of fake recruiters and employment opportunities to collect intelligence. China appears to be adapting that model at scale.
Security leaders should use this advisory as a catalyst for reviewing insider threat awareness programs and LinkedIn exposure policies.
⚡ Need to Know
"This is something I'm hammering home with my team all day long. Forget all the shiny tools that are coming out right now. Forget about all of them. If we can't do the fundamentals well, none of those tools are going to help. That's the reality." James Azar
🤖 AI Discovers Redis Zero-Day Missed for Two Years
An autonomous security tool identified CVE-2026-23479, a use-after-free vulnerability in Redis that had existed unnoticed since 2023. Public exploit code is now available. Redis Cloud has been patched, but self-hosted deployments require immediate upgrades.
⛽ Federal Agencies Warn of Fuel Monitoring System Attacks
CISA, FBI, NSA, DOE, TSA, EPA, and several other agencies jointly warned about active attacks targeting Automatic Tank Gauge (ATG) systems used at fuel stations, transportation hubs, and chemical facilities. Attackers are exploiting internet-exposed systems protected only by default passwords.
🤖 Five AI Agent Zero-Days Patched
Researchers disclosed five vulnerabilities affecting OpenClaw, an AI agent framework integrating with Slack, Teams, Discord, and other collaboration platforms. The flaws allowed attackers to impersonate authorized users through display-name manipulation. All issues have been patched.
📡 ASUS Router Vulnerabilities Await Fixes
Two critical vulnerabilities affecting ASUS Wave 7 mesh routers expose credentials and allow persistent backdoor installation. No patches are expected until the end of June, leaving organizations reliant on compensating controls in the interim.
🇨🇳 Chinese Threat Actors Using LLM-Assisted Malware
Proofpoint reported that TA-4922, a Chinese cybercrime group targeting Europe, appears to be using LLM-assisted development techniques to accelerate malware creation and campaign generation.
🪖 Proposal Calls for Independent U.S. Cyber Force
A new policy report recommends creation of a dedicated U.S. Cyber Force consisting of approximately 30,000 personnel and costing an estimated $11 billion. Supporters argue cyber operations have grown large enough to justify their own military branch.
🏛️ CISA Staffing Shortages Remain a Challenge
Homeland Security leadership confirmed that CISA remains significantly understaffed, operating with approximately 2,200 employees despite authorization for substantially more. Efforts to rebuild the agency continue.
🎯 Key Takeaway
Today’s episode highlighted a cybersecurity environment where AI is accelerating vulnerability discovery, nation-state actors are blending human intelligence and cyber operations, and critical infrastructure remains exposed through basic operational weaknesses.
The challenge isn’t simply identifying threats anymore.
The challenge is keeping pace with them.
🛠️ Action Items
Patch Apache and Nginx deployments vulnerable to HTTP/2 Bomb attacks
Implement connection limits and HPACK protections on internet-facing web servers
Audit VS Code extensions and restrict untrusted Jupyter notebook execution
Review GitHub OAuth exposure and developer workstation security
Hunt for suspicious Dropbox and OneDrive exfiltration activity
Brief employees on LinkedIn-based intelligence recruitment risks
Patch Redis environments immediately if self-hosted
Remove ATG systems from direct internet exposure
Restrict ASUS router management interfaces to trusted IP ranges
Review AI agent authorization controls and identity validation processes
🧠 James Azar’s CISOs Take
What stood out to me today is that every major story reflected the same underlying problem: speed. AI discovered vulnerabilities that sat unnoticed for years. Attackers leveraged trusted developer environments to steal credentials in under a minute. Nation-state operators quietly extracted executive communications for months without detection. The common thread isn’t sophistication—it’s velocity. Threat actors are moving faster than many organizations are structured to respond.
The second takeaway is that cybersecurity can no longer be viewed purely as a technical discipline. Today’s Five Eyes advisory demonstrates that nation-state intelligence operations increasingly blend cyber activity with human recruitment, social engineering, and insider targeting. Meanwhile, AI is becoming a force multiplier for both attackers and defenders. Organizations that continue separating technology risk from human risk will increasingly find themselves defending only half the battlefield.
🔥 Stay Cyber Safe.