TL;DR
Microsoft GitHub repositories compromised by Miasma supply-chain worm affecting 73 repos. SolarWinds Serv-U flaw actively exploited for DoS attacks. Chrome 149 patches record 429 vulnerabilities; AI agent finds 21 zero-days in FFmpeg.
Executive Summary
- Microsoft's GitHub infrastructure targeted by self-replicating Miasma worm across 73 repositories in four organizational units, representing a significant supply-chain risk.
- SolarWinds Serv-U multi-protocol file server under active denial-of-service exploitation following CISA KEV catalog addition.
- Chrome 149 released with 429 vulnerability patches, including critical and high-severity flaws; concurrent AI-driven discovery of 21 FFmpeg zero-days signals accelerating vulnerability landscape.
- Instagram account takeover technique exploiting Meta's AI support bot disclosed, affecting high-profile accounts including Obama White House and U.S. Space Force accounts.
- Chinese APT group UNC5221 deploying new backdoors and previously undocumented malware (Plenet, AgentPSD, Brickstorm) to maintain Microsoft 365 access.
Top Threats Today
1. Miasma Self-Replicating Worm Hits Microsoft GitHub Supply Chain
Severity: HIGH Affected: technology
The Miasma self-replicating worm has compromised 73 Microsoft repositories across four GitHub organizations—Azure, Azure-Samples, Microsoft, and MicrosoftDocs [1]. The incident demonstrates a direct threat to the software supply chain, as Microsoft's own development infrastructure became an attack vector. The scope of repository access and replication behavior indicate potential for downstream impact on dependent projects and consumers of Microsoft code artifacts.
Sources: [1] The Hacker News
Recommended Action
- Immediately audit GitHub organization access logs and commit histories for the affected repositories (Azure, Azure-Samples, Microsoft, MicrosoftDocs) for injected malicious code.
- Rotate all GitHub personal access tokens and deploy application keys with minimal required permissions across affected orgs.
- Enable GitHub's branch protection rules requiring signed commits and enforce code review for all pull requests in high-risk repositories.
- Scan all clones and builds of these repositories in your environments for indicators of compromise.
2. SolarWinds Serv-U Denial-of-Service Actively Exploited
Severity: HIGH Affected: government, technology
CISA has added a high-severity SolarWinds Serv-U multi-protocol file server vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active in-the-wild exploitation [1]. Threat actors are now leveraging this flaw to conduct denial-of-service attacks against impacted servers [2]. The active exploitation status and broad deployment of Serv-U in enterprise file transfer environments create immediate operational risk.
Sources: [1] The Hacker News; [2] BleepingComputer
Recommended Action
- Prioritize patching of all SolarWinds Serv-U instances; check SolarWinds advisories for available security updates.
- Implement network-level rate limiting and DoS protections in front of Serv-U instances.
- Monitor Serv-U logs for unusual connection patterns, failed authentication attempts, or service crashes.
- If patching is delayed, isolate Serv-U systems to trusted networks only and restrict direct internet exposure.
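The log-monitoring step above is easiest to operationalize as a small detector that runs over exported Serv-U logs. The following is an added example, not code from SolarWinds or from the cited reports; it assumes a simplified, constructed line layout (`timestamp source_ip EVENT`) rather than the real Serv-U log format, so the regex and event names must be adapted to your server's output. It flags sources that open an unusual number of connections inside a sliding window (a DoS indicator) and sources with repeated authentication failures.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed/constructed line layout: "<ISO timestamp> <source ip> <EVENT> [details]".
# Real Serv-U logs differ; adjust this regex and the event names to your format.
LINE_RE = re.compile(r"^(\S+) (\S+) (CONNECT|AUTH_FAIL|AUTH_OK|DISCONNECT)\b")


def parse_events(text):
    """Turn log text into (timestamp, source_ip, event) tuples, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def connection_bursts(events, window=timedelta(seconds=60), threshold=20):
    """Return {ip: peak connections seen within any `window`} for IPs at or above `threshold`."""
    per_ip = defaultdict(list)
    for ts, ip, ev in events:
        if ev == "CONNECT":
            per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):
            # Slide the window start forward until it covers only the last `window` of time.
            while ts - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def auth_failures(events, threshold=5):
    """Return {ip: failure count} for sources with at least `threshold` failed logins."""
    counts = defaultdict(int)
    for _, ip, ev in events:
        if ev == "AUTH_FAIL":
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def _build_sample():
    """Constructed sample log: one connection burst, one normal client, one password-guessing source."""
    base = datetime(2026, 5, 1, 10, 0, 0)
    lines = []
    for i in range(30):  # 30 connections in 30 seconds from a single source
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 203.0.113.10 CONNECT")
    for i in range(3):  # a normal client: one connection per minute
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} 198.51.100.7 CONNECT")
    for i in range(6):  # repeated failed logins
        lines.append(f"{(base + timedelta(seconds=10 * i)).isoformat()} 192.0.2.5 AUTH_FAIL user=admin")
    lines.append("malformed line that the parser must ignore")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample()

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("connection bursts:", connection_bursts(evs))
    print("auth failures:", auth_failures(evs))
```

Tune `window` and `threshold` to the baseline of your own Serv-U instance; a managed file-transfer server serving automated batch jobs will legitimately exceed a threshold that is suspicious for an interactive-only deployment.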
3. Chrome 149 Patches Record 429 Vulnerabilities; FFmpeg Zero-Days Uncovered
Severity: HIGH Affected: technology
Google shipped Chrome 149 with patches for 429 vulnerabilities, with over 100 rated as critical or high-severity, predominantly use-after-free and insufficient validation flaws [2]. Concurrently, an autonomous AI agent discovered 21 previously unknown zero-day vulnerabilities in FFmpeg, the widely deployed media library used in nearly all video-processing applications [1]. The convergence of massive patch volume and AI-driven zero-day discovery highlights an accelerating vulnerability ecosystem.
Sources: [1] The Hacker News; [2] SecurityWeek
Recommended Action
- Deploy Chrome 149 to all endpoints immediately; enable automatic Chrome updates if not already active.
- Audit applications and services in your environment that embed FFmpeg for version and update status.
- Monitor FFmpeg project advisories and security updates; prepare to patch FFmpeg-dependent applications once official patches are released.
- Consider temporarily restricting the processing of untrusted video inputs if FFmpeg updates are delayed.
4. Meta AI Support Bot Weaponized for Instagram Account Takeover
Severity: HIGH Affected: technology
Hackers circulated instructions on Telegram demonstrating how to exploit Meta's “AI support assistant” bot to bypass account recovery controls and reset Instagram account credentials [1]. The technique was used to briefly seize and deface high-profile accounts including the Obama White House Instagram and the Chief Master Sergeant of the U.S. Space Force account with pro-Iranian content [1]. The compromise of official U.S. government social media channels represents both a reputational and operational security incident.
Sources: [1] Krebs on Security
Recommended Action
- If you manage Instagram accounts, immediately enable the strongest available authentication controls (two-factor authentication, authenticator apps).
- Add a recovery email and phone number verified outside of potentially compromised accounts.
- Monitor account activity logs for unauthorized access or recovery requests.
- Document and report any suspected unauthorized account recovery attempts to Meta directly.
5. Chinese APT UNC5221 Deploys New Backdoors to Maintain Microsoft 365 Access
Severity: HIGH Affected: government, technology, finance
A Chinese espionage group tracked as UNC5221 has been observed accessing Microsoft 365 environments using the Brickstorm backdoor and previously undocumented malware named Plenet and AgentPSD [1]. The deployment of new, undocumented malware indicates active development and operational focus on maintaining persistent access to cloud collaboration environments. Organizations with Microsoft 365 deployments are at risk of intrusion by this capability.
Sources: [1] BleepingComputer
Recommended Action
- Enable advanced threat detection in Microsoft Defender for Cloud and Microsoft 365 Defender; review alerts for anomalous authentication or mailbox access patterns.
- Audit Microsoft 365 sign-in logs for impossible-travel events, unfamiliar IPs, and atypical user behavior.
- Enforce conditional access policies requiring multi-factor authentication for all privileged users and from unknown networks.
- Consider engagement with threat intelligence providers for IOC feeds related to Brickstorm, Plenet, and AgentPSD if available.
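The sign-in audit recommended above calls for an impossible-travel check: two sign-ins by the same user whose locations are too far apart for the time between them. The following is an added example, not Microsoft's code or a detection from the cited report; it assumes sign-in records that have already been geolocated to latitude/longitude (real Microsoft 365 sign-in logs give you a source IP, so a geolocation lookup is a separate step), and the records themselves are constructed.

```python
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


# Constructed sign-in records: (user, ISO timestamp, source ip, latitude, longitude).
# In practice these come from your sign-in log export plus an IP geolocation lookup.
SIGN_INS = [
    ("alice", "2026-05-01T08:00:00", "203.0.113.10", 40.7128, -74.0060),   # New York
    ("alice", "2026-05-01T09:30:00", "198.51.100.23", 52.5200, 13.4050),   # Berlin, 90 minutes later
    ("bob", "2026-05-01T08:00:00", "192.0.2.5", 47.6062, -122.3321),       # Seattle
    ("bob", "2026-05-01T20:00:00", "192.0.2.77", 34.0522, -118.2437),      # Los Angeles, 12 hours later
]


def impossible_travel(records, max_speed_kmh=900.0, min_distance_km=50.0):
    """Flag consecutive sign-ins per user that would require travelling faster than max_speed_kmh.

    Sign-ins closer together than min_distance_km are ignored so that ordinary
    geolocation jitter inside one city does not produce alerts.
    """
    by_user = defaultdict(list)
    for user, ts, ip, lat, lon in records:
        by_user[user].append((datetime.fromisoformat(ts), ip, lat, lon))

    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e[0])
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(events, events[1:]):
            distance = haversine_km(la1, lo1, la2, lo2)
            if distance < min_distance_km:
                continue
            hours = (t2 - t1).total_seconds() / 3600.0
            # Simultaneous sign-ins from distant places are flagged with an infinite speed.
            speed = math.inf if hours == 0 else distance / hours
            if speed > max_speed_kmh:
                findings.append({
                    "user": user,
                    "from_ip": ip1,
                    "to_ip": ip2,
                    "distance_km": round(distance, 1),
                    "hours": round(hours, 2),
                    "speed_kmh": round(speed, 1),
                })
    return findings


if __name__ == "__main__":
    for f in impossible_travel(SIGN_INS):
        print(f)
```

The 900 km/h ceiling is roughly commercial-flight speed; lower it only with care, because VPN egress points and mobile carrier NAT routinely place a legitimate user hundreds of kilometres from their desk. A flagged pair is a lead to triage against conditional access and mailbox-access events, not a verdict on its own.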
Ongoing Threats
- WordPress Everest Forms Pro Critical Vulnerability (CVE-2026-3300): BleepingComputer reports active exploitation allowing complete site takeover.
- Polyfill Malicious Login Prompts: Toshiba and Muji websites reported suspicious credential-harvesting sign-in screens injected via compromised polyfill library.
- DentaQuest Data Breach: ShinyHunters extortion group leaked approximately 234 GB of data allegedly stolen from dental benefits administrator, impacting 2.6 million individuals [29].
Today’s Action Checklist
- ☐ URGENT: Audit Microsoft GitHub repositories (Azure, Azure-Samples, Microsoft, MicrosoftDocs) for Miasma worm activity; rotate credentials immediately.
- ☐ URGENT: Patch SolarWinds Serv-U installations or apply network mitigations; monitor for DoS attack indicators.
- ☐ HIGH: Update Chrome to version 149 and audit FFmpeg deployments in your environment for version status.
- ☐ HIGH: Enable multi-factor authentication on all Instagram accounts and government social media accounts; review account activity logs.
- ☐ HIGH: Review Microsoft 365 sign-in anomalies and enable conditional access policies for privileged users in response to UNC5221 activity.
- ☐ Review polyfill library usage in web properties; audit for credential-theft indicators in frontend logs.