PTI Wire · by Skein
Free sample report. This is one public issue. The weekly wire is for subscribers.

Issue #1

Week of June 8, 2026 · eight-minute read

Ten forward calls. Eight-minute read. Each one: the move, the priority intelligence requirement (PIR) it touches, our confidence, the indicators to watch, and the open-source reporting it's built on.

This is the first real issue. Every call below is an analytic judgment about the next one to eight weeks, drawn from named, dated, public reporting and given a confidence band. Where a number is someone else's, it's attributed. Where it's our read, we say so.

Confidence key: High = above 70% inside the window · Medium = 40–70% · Low = under 40% but high-impact if it lands.

1 Edge VPN, firewall, and SAML-IdP appliances stay the number-one ransomware on-ramp.

PIR: Ransomware / Initial Access · next 2–4 weeks · Confidence: High

Three unauth-bypass flaws are in active use right now: Check Point's CVE-2026-50751 (a Qilin ransomware affiliate was confirmed in one post-compromise case), Palo Alto PAN-OS GlobalProtect CVE-2026-0257 (exploited across multiple Rapid7 customers from mid-May), and Citrix NetScaler CVE-2026-3055, a CVSS 9.8 unauth RCE on appliances acting as a SAML identity provider, now under large-scale exploitation per Fortinet.

So what: treat any internet-facing VPN, gateway, or NetScaler SAML IdP as patch-or-isolate this cycle, not next maintenance window. The gap between a published appliance CVE and a ransomware affiliate using it is now days.

Watch: scanning spikes on appliance management ports; NetScaler boxes still exposed as SAML IdP; fresh "access for sale" posts naming your sector.

2 FortiClient EMS becomes a direct path to your endpoint fleet.

PIR: Initial Access / Endpoint Management · ongoing · Confidence: High

Fortinet shipped out-of-band fixes for FortiClient EMS CVE-2026-35616, a pre-auth API bypass leading to privilege escalation (CVSS 9.1), and CVE-2026-21643, a SQL-injection flaw exploited since late March.

So what: EMS controls your managed endpoints, so a compromise there is a foothold over everything it manages. Patch the EMS server before you touch anything downstream.

Watch: anomalous EMS API calls; new admin accounts in the console; unexpected policy or deployment changes.

3 The infostealer "log-to-lead" pipeline compresses a breach to under four days.

PIR: Identity / Credential Theft · ongoing · Confidence: High

Flare's analysis of millions of infostealer logs found enterprise SSO or identity-provider credentials in roughly one in six infections by late 2025, with Microsoft Entra ID appearing in about 79% of enterprise identity logs. Reporting in early 2026 documented the full chain: infection to dark-web listing in under 48 hours, ransomware often within another 48. A February campaign replayed infostealer-harvested credentials against ADFS, STS, and OWA portals at named multinationals.

So what: assume one infected employee laptop becomes enterprise access within days. Force session step-up on anomalous logins, and rotate exposed credentials on a clock, not on incident.

Watch: SSO logins from new networks or ASNs; a surge in MFA-fatigue prompts at the help desk; your domains showing up in stealer-log feeds.

4 Stolen session cookies overtake stolen passwords.

PIR: Identity / Session Security · this quarter · Confidence: Medium

Roughly 8.6 billion stolen cookies and session artifacts have surfaced through malware infections, and newer stealers decrypt server-side to dodge endpoint tooling. A valid session token skips the password and the MFA prompt entirely.

So what: shorten session lifetimes on high-value apps, bind tokens to device where you can, and alert on impossible-travel reuse. MFA alone does not stop a replayed session.

Watch: the same session cookie used from two geographies; token reuse after a known device wipe.
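A detection sketch for the first indicator above (one session cookie presented from two geographies in a short window), added here as an example and not tooling from the wire or any vendor it cites. It assumes an SSO log with four tab-separated fields (UTC timestamp, session-id hash, source country, user) and runs over constructed lines:

```python
"""Flag a session identifier presented from two different countries inside a
short window.  Added example, not tooling from the PTI Wire page.  Assumes an
SSO log with tab-separated fields (ISO-8601 UTC timestamp, session-id hash,
source country, user); the lines below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: the first session moves DE -> BR in 28 minutes.
SAMPLE_LOG = """\
2026-06-08T09:00:00Z\tsid-7f3a\tDE\talice
2026-06-08T09:12:00Z\tsid-7f3a\tDE\talice
2026-06-08T09:40:00Z\tsid-7f3a\tBR\talice
2026-06-08T10:05:00Z\tsid-21c9\tUS\tbob
2026-06-08T16:30:00Z\tsid-21c9\tGB\tbob
"""

def parse_log(text):
    """Yield (timestamp, session, country, user); skip malformed lines."""
    for raw in text.splitlines():
        parts = raw.split("\t")
        if len(parts) != 4:
            continue
        yield datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"), parts[1], parts[2], parts[3]

def find_geo_reuse(text, window_minutes=60):
    """Return (session, user, country_before, country_after, minutes_apart)
    for each session whose country changes within the window.  A change
    that happens after a longer gap is the impossible-travel question,
    which needs a travel-time model rather than a fixed window."""
    by_session = defaultdict(list)
    for ts, sid, country, user in parse_log(text):
        by_session[sid].append((ts, country, user))
    alerts = []
    for sid, events in by_session.items():
        events.sort()
        for (t0, c0, user), (t1, c1, _) in zip(events, events[1:]):
            gap = t1 - t0
            if c0 != c1 and gap <= timedelta(minutes=window_minutes):
                alerts.append((sid, user, c0, c1, int(gap.total_seconds() // 60)))
    return alerts

if __name__ == "__main__":
    for a in find_geo_reuse(SAMPLE_LOG):
        print("ALERT session %s (%s): %s -> %s in %d min" % a)
```

Widening the window turns the second session into an alert as well, which is why the window should be tied to plausible travel time for the pair of locations rather than a single fixed value.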

5 Self-propagating npm/PyPI worms keep mutating week to week.

PIR: Supply Chain · next 2–6 weeks · Confidence: High

The "Mini Shai-Hulud" campaign disclosed on 2026-05-12 hit TanStack, Mistral AI, UiPath, and over 160 npm and PyPI packages, self-propagating and carrying a destructive daemon. Days later, three malicious versions of node-ipc (a library with over 10 million weekly downloads) shipped an identical credential-stealing payload.

So what: pin and verify provenance on dependencies, freeze CI secrets behind short-lived tokens, and audit whether your builds pulled node-ipc 9.1.6, 9.2.3, or 12.0.1 or any flagged TanStack release.

Watch: unexpected new releases of pinned dependencies; outbound network calls from build agents; maintainer-account takeover chatter.
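One way to run the node-ipc audit from the "So what" above, added as an example and not tooling from the wire. It assumes an npm package-lock.json in either the v1 nested layout or the v2/v3 flat "packages" layout; the sample lockfile is constructed, and only the three flagged node-ipc versions come from the page:

```python
"""Walk an npm package-lock.json and flag packages whose resolved version is
on a deny-list.  Added example, not tooling from the PTI Wire page.  Handles
lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages" map);
the lockfile below is constructed, and only the node-ipc versions come from
the page."""
import json

# The three node-ipc versions named in the write-up.
FLAGGED = {"node-ipc": {"9.1.6", "9.2.3", "12.0.1"}}

# Constructed v3 lockfile: a clean top-level node-ipc plus a flagged nested copy.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"node-ipc": "^9.1.0"}},
        "node_modules/node-ipc": {"version": "9.1.5"},
        "node_modules/some-tool": {"version": "2.0.0",
                                   "dependencies": {"node-ipc": "9.2.3"}},
        "node_modules/some-tool/node_modules/node-ipc": {"version": "9.2.3"},
    },
})

def _installs_v2(lock):
    """Yield (path, name, version) from a v2/v3 'packages' map."""
    for path, entry in lock.get("packages", {}).items():
        if path:  # "" is the root project itself, not an install
            yield path, path.split("node_modules/")[-1], entry.get("version", "")

def _installs_v1(deps, prefix=""):
    """Yield (path, name, version) by recursing a v1 nested 'dependencies' tree."""
    for name, entry in deps.items():
        path = prefix + "node_modules/" + name
        yield path, name, entry.get("version", "")
        yield from _installs_v1(entry.get("dependencies", {}), path + "/")

def audit_lockfile(text, flagged=FLAGGED):
    """Return [(lockfile path, name, version)] for every flagged install."""
    lock = json.loads(text)
    installs = (_installs_v2(lock) if "packages" in lock
                else _installs_v1(lock.get("dependencies", {})))
    return [(p, n, v) for p, n, v in installs if v in flagged.get(n, ())]

if __name__ == "__main__":
    for path, name, version in audit_lockfile(SAMPLE_LOCK):
        print("FLAGGED %s@%s at %s" % (name, version, path))
```

Nested copies matter: the top-level node-ipc here is clean, and only the copy pulled in under another dependency is on the list.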

6 CI/CD secret theft moves upstream into typosquats and dependency confusion.

PIR: Supply Chain / Cloud · this quarter · Confidence: Medium

Late-May reporting documented bursts of malicious packages typosquatting OpenSearch, ElasticSearch, and DevOps libraries, plus dependency-confusion packages impersonating internal scopes across nine organizations, all built to steal cloud and CI/CD secrets.

So what: scope-lock your internal package names so they can't be shadowed, and make cloud credentials in CI short-lived and least-privilege.

Watch: new maintainer aliases publishing in tight windows; cloud secrets read from runners that never needed them before.

7 Vendor-payment redirection rises into quarter-end.

PIR: Fraud / BEC · next 2–3 weeks · Confidence: High

The 2026 AFP survey reports about 76% of US organizations faced attempted or actual payments fraud last year, with BEC hitting roughly three-quarters of them and invoice fraud the most common single method. Close to half still validate vendor banking changes with email or a single callback, and most report a jump in AI-assisted impersonation.

So what: re-verify any banking-detail change out of band, against a number you already had. Brief finance this week, before the wire goes out, not after.

Watch: lookalike domains of your top vendors; "updated remittance" emails; voice or video that pressures a finance contact to move fast.

8 Nation-state crews keep pre-positioning on edge devices in critical infrastructure.

PIR: Geopolitics / OT · 6–8 weeks · Confidence: Low

Russian GRU-linked activity against network edge devices in energy and other critical-infrastructure sectors continues, and 2026 reporting puts enterprise infrastructure at roughly 48% of exploited zero-days, an all-time high.

So what: if you run OT or ICS, hunt for living-off-the-land persistence on edge gear and jump hosts now. Do not wait for an advisory naming your vendor.

Watch: dormant accounts logging in off-hours; new scheduled tasks on management hosts; edge devices reaching out to each other in ways they shouldn't.

9 Hacktivist DDoS and OT probing track geopolitical flashpoints.

PIR: Geopolitics / DDoS · tied to events · Confidence: Medium

A late-February wave ran 149 DDoS attacks against 110 organizations across 16 countries after the US-Israel-Iran exchange, with two groups driving roughly 70% of it; government, finance, and telecom took the brunt. Pro-Russia hacktivists, separately, keep intensifying OT intrusions per multi-agency advisories.

So what: confirm DDoS protection and incident comms are rehearsed, not assumed. These events are short, loud, and reputational.

Watch: target lists circulating on Telegram; your sector or org named in a manifesto.

10 A patched Android Framework flaw is being exploited on real devices.

PIR: Mobile / Endpoint · 4–6 weeks · Confidence: Medium

CISA added the Android Framework integer-overflow CVE-2025-48595 to its exploited-vulnerabilities catalog on 2026-06-02.

So what: tighten your MDM patch cadence for corporate Android, and prioritize high-risk users (executives, finance, anyone with broad mobile access).

Watch: unknown configuration profiles or enterprise certificates; users reporting apps they didn't install.

The one call to act on this week: Item 1. Edge appliances are the cheapest thing to fix relative to the loss if a Qilin-class affiliate walks in through an unpatched Check Point, PAN-OS, or NetScaler box. Confirm your internet-facing gateways are patched and your NetScaler SAML IdP config isn't exposed, today.

Built against your priority requirements. Reply with the PIRs you care about and Issue #2 leads with yours.
