TL;DR
Microsoft patched a critical SharePoint RCE (CVE-2026-45659); CISA contractor leaked AWS GovCloud keys and internal secrets on GitHub; MuddyWater espionage campaign targeted nine organizations across nine countries using DLL side-loading. Immediate patching and credential rotation required.
Executive Summary
- Microsoft issued an out-of-band patch for SharePoint RCE vulnerability CVE-2026-45659 (CVSS 8.8) affecting multiple server versions [3, 18].
- A CISA contractor exposed AWS GovCloud credentials and internal agency secrets via a public GitHub repository, prompting congressional demands for answers [12, 14].
- MuddyWater conducted a multi-continent espionage campaign targeting nine organizations across industrial manufacturing, education, finance, and public-sector entities using DLL side-loading [1].
- Dark Reading reports that the “Megalodon” malware campaign pushed malicious commits to over 5,500 GitHub repositories in six hours, stealing developer credentials and secrets [16].
- KnowledgeDeliver LMS zero-day actively exploited to install Godzilla web shells in educational environments [6].
Top Threats Today
1. Microsoft SharePoint Remote Code Execution (CVE-2026-45659)
Severity: HIGH | Affected: technology, government
Microsoft has rolled out patches for CVE-2026-45659, a remote code execution vulnerability in SharePoint that requires no specialized conditions for exploitation [1]. The vulnerability carries a CVSS score of 8.8 [1]. SharePoint access is considered critical to organizational security, as it often provides attackers the “keys of the kingdom” within enterprise environments [2].
Sources: [1] The Hacker News; [2] Dark Reading
Recommended Action
- Immediately apply Microsoft’s SharePoint security updates across all affected server versions
- Audit SharePoint access logs for signs of unauthorized access that occurred before patching
- Monitor for exploitation attempts targeting unpatched SharePoint instances
2. CISA Contractor Leaks AWS GovCloud Credentials and Agency Secrets on GitHub
Severity: CRITICAL | Affected: government
A contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to highly privileged AWS GovCloud accounts and internal CISA systems [2]. The exposure remained publicly accessible until the past weekend [2]. Congressional lawmakers in both houses are demanding answers regarding the incident and CISA’s containment efforts [1].
Sources: [1] Krebs on Security; [2] Krebs on Security
Recommended Action
- Immediately rotate all exposed AWS GovCloud credentials and assume compromise of any systems accessed via those keys
- Conduct forensic analysis of AWS GovCloud account activity logs to identify unauthorized access or data exfiltration
- Review all CISA contractor GitHub repositories for similar credential exposure patterns
- Implement automated secrets detection and blocking in all code repositories
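The secrets-detection step above, as an added example that is not part of the original briefing: a small scanner for AWS access key IDs and high-entropy 40-character secret keys, run over a constructed credentials file (the key values are made up and not real).

```python
"""Scan text (e.g. files in a repository) for exposed AWS credentials."""
import math
import re

# Long-lived access key IDs start with AKIA; temporary ones with ASIA.
ACCESS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A secret access key is 40 base64-like characters; it is only reported when
# it has high entropy, which filters out placeholders such as "xxxx...".
SECRET_CANDIDATE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_aws_secrets(text: str, min_entropy: float = 4.0) -> list[tuple[int, str, str]]:
    """Return (line_number, kind, value) for each likely credential in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            hits.append((lineno, "aws_access_key_id", m.group(1)))
        for m in SECRET_CANDIDATE.finditer(line):
            value = m.group(1)
            if shannon_entropy(value) >= min_entropy:
                hits.append((lineno, "aws_secret_access_key", value))
    return hits


# Constructed sample resembling a committed credentials file (hypothetical
# values, not real keys); the placeholder line is low-entropy and is ignored.
SAMPLE = """[govcloud]
aws_access_key_id = AKIAEXAMPLE0000000AA
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = us-gov-west-1
placeholder = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
"""

if __name__ == "__main__":
    for lineno, kind, value in find_aws_secrets(SAMPLE):
        print(f"line {lineno}: {kind} = {value[:4]}...")
```

Wired into a pre-commit or pre-receive hook, a non-empty result is the signal to reject the push and trigger rotation of the key.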
3. MuddyWater Espionage Campaign Targeting Nine Organizations Across Four Continents
Severity: HIGH | Affected: manufacturing, education, finance, government
The Iranian hacking group known as MuddyWater has been linked to a new campaign in the first quarter of 2026 affecting at least nine organizations across nine countries on four continents [1]. Targeted sectors include industrial and electronics manufacturing, education, financial services, and public-sector bodies [1]. The campaign employed DLL side-loading techniques [1].
Sources: [1] The Hacker News
Recommended Action
- Review logs for suspicious DLL loading patterns and sideloaded libraries in critical processes
- Audit Active Directory for unusual privilege escalation events and lateral movement indicators
- Conduct threat-hunting for MuddyWater TTPs in network monitoring systems and endpoint detection tools
4. Megalodon Malware Campaign Compromises Over 5,500 GitHub Repositories
Severity: HIGH | Affected: technology
A malware campaign tracked as “Megalodon” pushed thousands of malicious commits to more than 5,500 GitHub repositories in just six hours [1]. The campaign targeted developer credentials, secrets, and additional sensitive information [1].
Sources: [1] Dark Reading
Recommended Action
- Audit GitHub commit history across all repositories for malicious or unexpected commits in the past 48 hours
- Rotate all developer credentials, API tokens, and secrets that may have been exposed via GitHub
- Enable branch protection rules and require code review for all commits
- Implement GitHub secret scanning and prevent commits containing credentials
5. KnowledgeDeliver LMS Zero-Day Exploited for Web Shell Deployment
Severity: HIGH | Affected: education
Hackers exploited a critical zero-day vulnerability in the KnowledgeDeliver learning management system to deploy the Godzilla web shell [1]. The vulnerability was caused by hardcoded machineKey values in a configuration file that enabled ViewState deserialization attacks leading to remote code execution [2].
Sources: [1] BleepingComputer; [2] SecurityWeek
Recommended Action
- Immediately assess all KnowledgeDeliver installations for active web shells using file integrity monitoring and web shell detection tools
- Review web server access logs for suspicious upload activity and shell execution patterns
- Contact KnowledgeDeliver vendor for security patches and deploy immediately upon availability
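The weakness described above, a static machineKey checked into an ASP.NET configuration file, can be audited with a short config check. This is an added example, not KnowledgeDeliver's code or configuration: both web.config fragments are constructed, and the check also flags the related enableViewStateMac="false" setting, which goes beyond what the briefing mentions.

```python
"""Audit an ASP.NET web.config for a hardcoded machineKey (ViewState risk)."""
import xml.etree.ElementTree as ET

# Constructed weak config (hypothetical, not from KnowledgeDeliver): static
# keys in the file mean anyone who reads it can sign or encrypt ViewState.
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>
"""

# Corrected form: keys are auto-generated per machine and the MAC is enforced.
FIXED_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
"""


def audit_machine_key(config_xml: str) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    web = ET.fromstring(config_xml).find("system.web")
    if web is None:
        return ["no <system.web> element found"]
    mk = web.find("machineKey")
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            # ASP.NET defaults to AutoGenerate when the attribute is absent.
            value = mk.get(attr, "AutoGenerate")
            if not value.startswith("AutoGenerate"):
                findings.append(f"machineKey {attr} is a static value in the config file")
    pages = web.find("pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("pages enableViewStateMac=\"false\": ViewState MAC check disabled")
    return findings


if __name__ == "__main__":
    print("weak:", audit_machine_key(WEAK_WEB_CONFIG))
    print("fixed:", audit_machine_key(FIXED_WEB_CONFIG))
```

Where per-machine generation is not possible (web farms), the keys must still not live in source control; keep them in a protected, rotatable store and rotate them if the file has ever been exposed.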
Today’s Action Checklist
- ☐ URGENT: Patch all Microsoft SharePoint systems with CVE-2026-45659 security updates
- ☐ CRITICAL: Rotate all AWS GovCloud credentials exposed in CISA GitHub leak; audit access logs for compromise
- ☐ URGENT: Audit GitHub repositories for Megalodon malware commits; rotate developer credentials and API tokens
- ☐ HIGH: Scan for KnowledgeDeliver zero-day exploitation and web shell presence in educational networks
- ☐ HIGH: Implement threat-hunting for MuddyWater DLL side-loading indicators in manufacturing, education, and financial sectors