Executive Signal
- Miasma worm supply chain campaign has now reached Microsoft’s own GitHub organizations — 73 repositories across Azure, Azure-Samples, Microsoft, and MicrosoftDocs are confirmed compromised. Any organization consuming code from these repos should treat downstream artifacts as suspect until cleared.
- CISA has added CVE-2026-3844 (SolarWinds Serv-U) to the KEV catalog: active exploitation is confirmed, and the impact is denial of service through a server crash. Federal civilian agencies face a mandatory remediation deadline under BOD 22-01. All Serv-U operators should treat this as an emergency patch.
- CVE-2026-3300 in Everest Forms Pro is under active exploitation — attackers are achieving full WordPress site takeover. Any organization running this plugin on public-facing sites is exposed now.
- Internet-exposed fuel tank gauges are being actively targeted in the US — attackers are gaining unauthorized access to ICS at gas stations, with potential for physical disruption to fuel distribution.
- Polyfill-linked credential harvesting prompts have appeared on Toshiba and Muji websites — third-party script injection is producing unauthorized login overlays on major brand sites. Organizations using polyfill.io or similar CDN-delivered scripts should audit their web properties.
Immediate Action Required
| Priority | Item | Action |
|---|---|---|
| 🔴 Critical | Miasma Worm — Microsoft GitHub Repos | Audit all CI/CD pipelines, build systems, and developer workflows pulling from the Azure, Azure-Samples, Microsoft, or MicrosoftDocs GitHub organizations. Pin each reference to a reviewed commit SHA rather than a branch or tag, and treat artifacts built from unpinned references as potentially tainted until verified. |
| 🔴 Critical | CVE-2026-3844 — SolarWinds Serv-U | Patch immediately. CISA KEV listing confirms active exploitation. Validate all Serv-U instances are patched; isolate any unpatched instances from the internet. |
| 🔴 Critical | CVE-2026-3300 — Everest Forms Pro (WordPress) | Update the plugin immediately across all WordPress deployments. Check affected sites for unauthorized admin accounts and webshells. |
High-Impact Developments
Miasma Worm Compromises 73 Microsoft GitHub Repositories
- What happened: The self-replicating Miasma worm has spread to 73 repositories across four Microsoft GitHub organizations — Azure, Azure-Samples, Microsoft, and MicrosoftDocs — as part of an ongoing supply chain attack campaign.
- Why it matters: Compromised repositories can inject malicious code into downstream builds, developer toolchains, and customer-facing software. The breadth of Microsoft’s repository footprint means blast radius is potentially very large. Trust in official Microsoft sample code and documentation repos is now in question.
- Who should care: Software engineering leads, cloud operations teams, DevSecOps, and anyone with automated pipelines consuming Microsoft GitHub content. Supply chain risk owners should escalate immediately.
- Recommended action: Inventory every dependency, submodule, workflow action, and pipeline reference that points at the affected GitHub organizations. Review recent commits in those repositories and compare the hashes of artifacts you have already pulled against known-good values. Do not pull new code from affected repos until Microsoft confirms remediation. Software composition analysis will tell you which builds include content from the affected repos, but it will not detect code injected into an otherwise legitimate dependency; that requires commit-level review or a comparison against a known-good copy.
- Confidence: High
- Search metadata: Miasma worm, supply chain attack, GitHub, Azure, Microsoft, malware
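The pipeline audit above can be done mechanically. The following is an added example written for this brief, not tooling from Microsoft or from the cited reports: it scans workflow and dependency text for references to the four affected organizations and reports whether each one is pinned to a full commit SHA, since a branch or tag reference will silently pick up whatever gets pushed next. The org list mirrors the brief; the regexes, function names and the sample workflow (including its made-up SHA) are assumptions and constructed input.

```python
"""Audit workflow and dependency text for references to the GitHub organizations
named in the brief and report whether each reference is pinned to a full commit SHA.

Added example for this brief, not tooling from the cited sources. The org list mirrors
the brief; the regexes, helper names and SAMPLE_WORKFLOW are assumptions and
constructed input for illustration.
"""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

# Organizations the brief reports as affected. GitHub org names are case-insensitive.
AFFECTED_ORGS = {"azure", "azure-samples", "microsoft", "microsoftdocs"}

# `uses: owner/repo[/path]@ref` as written in GitHub Actions workflow files.
USES_RE = re.compile(r"uses:\s*([\w.-]+)/([\w.-]+)(?:/[^@\s]+)?@([^\s#]+)")
# `github.com/owner/repo[.git][@ref]` in clone URLs, pip/go requirements, submodules.
URL_RE = re.compile(
    r"github\.com[/:]([\w.-]+)/([\w.-]+?)(?:\.git)?(?:@([^\s'\"#]+))?(?=[/\s'\",)]|$)"
)
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int
    org: str
    repo: str
    ref: Optional[str]  # None when the reference carries no ref at all
    pinned: bool        # True only for a full 40-hex commit SHA; tags and branches are mutable


def _record(findings: List[Finding], line: int, org: str, repo: str, ref: Optional[str]) -> None:
    if org.lower() in AFFECTED_ORGS:
        findings.append(Finding(line, org, repo, ref, bool(ref and SHA40_RE.match(ref))))


def audit_text(text: str) -> List[Finding]:
    """Return one Finding per reference to an affected org, in line order."""
    findings: List[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.search(line)
        if m:
            _record(findings, n, m.group(1), m.group(2), m.group(3))
            continue
        for m in URL_RE.finditer(line):
            _record(findings, n, m.group(1), m.group(2), m.group(3))
    return findings


def unpinned(findings: List[Finding]) -> List[Finding]:
    """The subset that can silently change on the next run: branches, tags, or no ref."""
    return [f for f in findings if not f.pinned]


def audit_tree(root: str) -> Dict[str, List[Finding]]:
    """Walk a checkout and audit the file types that usually carry such references."""
    patterns = ("*.yml", "*.yaml", "*.txt", "go.mod", ".gitmodules", "package.json", "Dockerfile")
    results: Dict[str, List[Finding]] = {}
    for pattern in patterns:
        for path in Path(root).rglob(pattern):
            if path.is_file():
                found = audit_text(path.read_text(errors="replace"))
                if found:
                    results[str(path)] = found
    return results


# Constructed sample; the repo names and the 40-hex SHA on the webapps-deploy line are made up.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Azure/login@v2
      - uses: azure/webapps-deploy@5c1a4f45d4d4f4c1f3f8d3b7c2a1e0f9b8d7c6a5
      - run: pip install git+https://github.com/microsoft/example-lib@main
      - run: git clone https://github.com/MicrosoftDocs/example-docs.git
"""

if __name__ == "__main__":
    for f in audit_text(SAMPLE_WORKFLOW):
        state = "pinned to SHA" if f.pinned else f"UNPINNED ({f.ref or 'no ref'})"
        print(f"line {f.line}: {f.org}/{f.repo} {state}")
```

Run audit_tree() over each checkout and treat every unpinned finding as a reference to re-verify against a known-good commit. Pinning to a SHA does not by itself prove the commit is clean; it only makes the reference stable enough to review once and trust until it is deliberately changed.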
SolarWinds Serv-U CVE-2026-3844 — CISA KEV, Active Server Crashes
- What happened: CISA has added CVE-2026-3844 to the Known Exploited Vulnerabilities catalog. Attackers are actively exploiting this flaw in SolarWinds Serv-U to crash servers and disrupt file transfer services. A patch exists.
- Why it matters: KEV listing means CISA has evidence of exploitation in the wild and imposes a remediation deadline on federal civilian agencies under BOD 22-01. Serv-U is widely deployed for managed file transfer, so disruption directly affects operational continuity and potentially regulated data workflows.
- Who should care: IT operations, infrastructure teams, and security operations at any organization running SolarWinds Serv-U. Vulnerability management leads should validate patch status immediately.
- Recommended action: Apply the available SolarWinds patch without delay. Confirm no Serv-U instances are internet-exposed without compensating controls. Review logs for anomalous crash events or unexpected service restarts as indicators of prior exploitation.
- Confidence: High
- Search metadata: CVE-2026-3844, SolarWinds Serv-U, CISA KEV, denial of service
CVE-2026-3300 — Everest Forms Pro WordPress Plugin Under Active Exploitation
- What happened: Attackers are actively exploiting a critical vulnerability in the Everest Forms Pro WordPress plugin, achieving complete takeover of affected sites.
- Why it matters: Full site compromise enables defacement, data theft, malware hosting, and SEO poisoning. Organizations running WordPress at scale — including marketing sites, customer portals, and e-commerce — are directly at risk.
- Who should care: Web application owners, IT operations, and security operations teams responsible for WordPress environments.
- Recommended action: Update Everest Forms Pro immediately on every site that runs it. Audit those sites for unauthorized administrator accounts, files modified since the last known-good deployment, PHP files under wp-content/uploads, and injected scripts in themes or the database. If patching cannot be completed immediately, deactivate the plugin or apply WAF rules as a stopgap, and treat the WAF as a delay rather than a fix.
- Confidence: High
- Search metadata: CVE-2026-3300, Everest Forms Pro, WordPress, vulnerability exploitation
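A first-pass filesystem triage for the audit described above, as an added example for this brief rather than tooling from the cited reports or the plugin vendor. It applies three checks to a WordPress document root: PHP files under wp-content/uploads, PHP files containing common webshell constructs, and files modified after a chosen time. The heuristics and the constructed sample tree (with two planted shells) are assumptions for illustration; the real plugin's internals are not modelled.

```python
"""Post-exploitation triage of a WordPress document root: PHP files dropped under
wp-content/uploads, PHP files carrying common webshell constructs, and files modified
after a chosen point in time.

Added example for this brief, not tooling from the cited sources or the plugin vendor.
The patterns are generic heuristics, and build_sample_site() constructs a throwaway tree
with planted shells so the checks can be exercised offline.
"""
import os
import re
import tempfile
import time
from pathlib import Path
from typing import Dict, List

# Constructs that legitimate plugin and theme code rarely needs but webshells use constantly.
WEBSHELL_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    r"\b(eval|assert)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b",
    r"\b(system|shell_exec|passthru|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b",
    r"\bpreg_replace\s*\(\s*['\"]/[^'\"]*/[a-z]*e[a-z]*['\"]",  # /e modifier executes the replacement
)]
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar"}


def _rel(root: Path, p: Path) -> str:
    return p.relative_to(root).as_posix()


def php_under_uploads(root: Path) -> List[str]:
    """wp-content/uploads should hold media only; any PHP there is a finding on its own."""
    uploads = root / "wp-content" / "uploads"
    if not uploads.is_dir():
        return []
    return sorted(_rel(root, p) for p in uploads.rglob("*")
                  if p.is_file() and p.suffix.lower() in PHP_SUFFIXES)


def webshell_hits(root: Path) -> Dict[str, List[str]]:
    """Map relative path -> matched patterns for every PHP file that trips a heuristic."""
    hits: Dict[str, List[str]] = {}
    for p in root.rglob("*"):
        if not (p.is_file() and p.suffix.lower() in PHP_SUFFIXES):
            continue
        text = p.read_text(errors="replace")
        matched = [rx.pattern for rx in WEBSHELL_PATTERNS if rx.search(text)]
        if matched:
            hits[_rel(root, p)] = matched
    return hits


def modified_since(root: Path, since_epoch: float) -> List[str]:
    """Files touched at or after since_epoch. mtimes can be forged; absence here is weak evidence."""
    return sorted(_rel(root, p) for p in root.rglob("*")
                  if p.is_file() and p.stat().st_mtime >= since_epoch)


def triage(root: Path, since_epoch: float) -> Dict[str, object]:
    return {
        "php_under_uploads": php_under_uploads(root),
        "webshell_hits": webshell_hits(root),
        "modified_since": modified_since(root, since_epoch),
    }


def build_sample_site() -> Path:
    """Constructed WordPress-like tree: two clean files backdated 30 days, two planted shells."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    files = {
        "wp-config.php": "<?php define('DB_NAME', 'wp');\n",
        "wp-content/plugins/some-plugin/some-plugin.php":
            "<?php /* Plugin Name: Some Plugin */ add_action('init', 'sp_init');\n",
        "wp-content/uploads/2026/06/image.jpg.php":
            "<?php eval(base64_decode($_POST['c'])); ?>\n",
        "wp-content/themes/some-theme/footer.php":
            "<?php if (isset($_GET['cmd'])) { system($_GET['cmd']); } ?>\n",
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    old = time.time() - 30 * 86400
    for rel in ("wp-config.php", "wp-content/plugins/some-plugin/some-plugin.php"):
        os.utime(root / rel, (old, old))
    return root


def triage_sample(window_days: int = 7) -> Dict[str, object]:
    """Run the three checks over the constructed tree with a recency window of window_days."""
    return triage(build_sample_site(), time.time() - window_days * 86400)


if __name__ == "__main__":
    for check, result in triage_sample().items():
        print(f"{check}: {result}")
```

Run triage() against the live document root with since_epoch set to the last known-good deployment. Pair it with `wp core verify-checksums` and `wp plugin verify-checksums --all` for file integrity and `wp user list --role=administrator` for the account review; a regex sweep catches the common shells, not a carefully obfuscated one, so a clean result does not close the incident.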
Internet-Exposed Fuel Tank Gauges Targeted in the US
- What happened: Threat actors are actively exploiting internet-exposed fuel tank gauges at US gas stations, gaining unauthorized access to industrial control systems and creating conditions for operational disruption.
- Why it matters: This is active ICS/OT exploitation against physical infrastructure. Beyond gas stations, it signals continued adversary interest in internet-exposed industrial devices — relevant to any organization with OT/IoT assets reachable from the internet.
- Who should care: Critical infrastructure operators, OT/ICS security teams, and security architects responsible for industrial or operational technology environments.
- Recommended action: Audit internet exposure of all ICS and IoT devices. Remove direct internet connectivity from OT assets where not operationally required. Enforce network segmentation and access controls on any devices that must remain connected.
- Confidence: Medium
- Search metadata: fuel tank gauges, industrial control systems, IoT, unauthorized access, disruption
Monitor Only
- Polyfill-linked credential harvesting on Toshiba and Muji websites: Unauthorized login prompts tied to third-party script injection are appearing on major brand sites. Inventory the third-party scripts your own web properties load, paying particular attention to polyfill.io or similar CDN-delivered scripts, and confirm no unauthorized login overlays are present. A dynamically served polyfill cannot be protected with Subresource Integrity because its content varies by client, so the durable fix is to self-host or drop it. Customer-facing credential theft risk is real but currently scoped to the named sites.
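The web-property audit above can start from the HTML itself. The following added example (written for this brief, not code from the cited report or the affected sites) parses a page, lists every external script with its serving host, flags the polyfill.io family, and checks whether third-party scripts carry a well-formed Subresource Integrity digest and the crossorigin attribute that cross-origin SRI requires. The sample page, the made-up CDN hosts and the placeholder digests are constructed input.

```python
"""Inventory the <script src> tags on a page, identify third-party hosts, flag the
polyfill.io family, and check Subresource Integrity coverage.

Added example for this brief, not tooling from the cited sources. The watch-list and
SAMPLE_HTML are constructed; the integrity values in the sample are placeholders,
not real digests.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse

# Hosts the brief calls out. Extend with anything your CSP does not already restrict.
WATCHLIST_HOSTS = {"polyfill.io"}
SRI_RE = re.compile(r"^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}$")


class ScriptCollector(HTMLParser):
    """Collect the attribute dict of every <script> that loads an external file."""
    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = {k.lower(): (v or "") for k, v in attrs}
            if a.get("src"):
                self.scripts.append(a)


def script_host(src: str, page_host: str) -> str:
    """Host that serves src; relative URLs resolve to the page's own origin."""
    netloc = urlparse(src.strip()).netloc
    return (netloc or page_host).lower()


def on_watchlist(host: str) -> bool:
    return any(host == w or host.endswith("." + w) for w in WATCHLIST_HOSTS)


def audit_html(html: str, page_host: str) -> List[Dict[str, object]]:
    """One record per external script with a verdict a reviewer can act on."""
    collector = ScriptCollector()
    collector.feed(html)
    page_host = page_host.lower()
    out: List[Dict[str, object]] = []
    for a in collector.scripts:
        host = script_host(a["src"], page_host)
        third_party = host != page_host
        integrity = a.get("integrity", "")
        has_valid_sri = bool(SRI_RE.match(integrity.strip()))
        if on_watchlist(host):
            # A dynamically assembled polyfill cannot be SRI-pinned: its bytes vary per client.
            verdict = "remove or self-host"
        elif third_party and not integrity:
            verdict = "add integrity + crossorigin"
        elif third_party and not has_valid_sri:
            verdict = "integrity attribute malformed"
        elif third_party and "crossorigin" not in a:
            # Cross-origin SRI needs a CORS response; without crossorigin the browser blocks the script.
            verdict = "add crossorigin=anonymous"
        else:
            verdict = "ok"
        out.append({"src": a["src"], "host": host, "third_party": third_party,
                    "watchlist": on_watchlist(host), "sri": has_valid_sri, "verdict": verdict})
    return out


def needs_action(findings: List[Dict[str, object]]) -> List[Dict[str, object]]:
    return [f for f in findings if f["verdict"] != "ok"]


PLACEHOLDER_SRI = "sha384-" + "A" * 64  # shape of a real digest, not a real one

# Constructed page for www.example.com; every host other than polyfill.io is made up.
SAMPLE_HTML = f"""<!doctype html>
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="https://static.example-cdn.net/vendor.min.js" integrity="{PLACEHOLDER_SRI}" crossorigin="anonymous"></script>
<script src="//tag.example-analytics.net/tag.js" async></script>
<script src="https://static.example-cdn.net/ui.min.js" integrity="{PLACEHOLDER_SRI}"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML, "www.example.com"):
        print(f"{f['host']:<28} {f['verdict']:<32} {f['src']}")
```

Feed the tool rendered HTML if your pages inject scripts client-side; a static parse only sees what the server returned. The verdict for the polyfill host is removal or self-hosting rather than adding a digest, because a script whose bytes depend on the requesting client cannot be pinned with SRI at all.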
Analyst Observation
Today's brief centers on two themes: supply chain integrity and patch velocity. The Miasma worm reaching Microsoft's own GitHub organizations is an active contamination event inside one of the most trusted code distribution channels in enterprise software. Security teams without artifact integrity verification in their pipelines have no reliable way to know what they have already pulled. The SolarWinds Serv-U situation requires no interpretation: CISA confirmed active exploitation, a patch exists, and servers are crashing in the wild. Patch or isolate. The Everest Forms Pro exploitation and the polyfill credential harvesting reinforce a persistent pattern: the web application attack surface remains underinvested relative to its exposure. The fuel gauge story warrants continued attention. Active exploitation of internet-exposed OT devices in the US energy sector is not a new pattern, but confirmed incidents should prompt any organization with internet-connected OT assets to verify its exposure posture now.
Source Links
- Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack — https://thehackernews.com/2026/06/miasma-worm-hits-73-microsoft-github.html
- CISA Adds Actively Exploited SolarWinds Serv-U DoS Flaw to KEV Catalog — https://thehackernews.com/2026/06/cisa-adds-actively-exploited-solarwinds.html
- CISA: Hackers now exploit SolarWinds Serv-U flaw to crash servers — https://www.bleepingcomputer.com/news/security/cisa-hackers-now-exploit-solarwinds-serv-u-flaw-to-crash-servers/
- Critical Everest Forms Pro flaw exploited to take over WordPress sites — https://www.bleepingcomputer.com/news/security/critical-everest-forms-pro-flaw-exploited-to-take-over-wordpress-sites/
- Exposed Fuel Tank Gauges Under Attack in the US — https://www.darkreading.com/cyberattacks-data-breaches/exposed-fuel-tank-gauges-attack-us
- Suspicious Polyfill login prompts pop up on Toshiba, Muji websites — https://www.bleepingcomputer.com/news/security/suspicious-polyfill-login-prompts-pop-up-on-toshiba-muji-websites/
Generated by DevSecOpsDadAttack cyber threat intelligence.