The Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends and indicators, curated by our CISO, Nick Harris. Here’s our pick of the top stories and why you should care.
Threat actors gain access to Trellix source code
Security vendor Trellix has revealed that threat actors accessed a “portion” of its source code. It’s unclear when the breach occurred, and the firm said it won’t disclose further details until a forensic investigation is complete. A short statement claimed: “Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited.”
Why it matters
Despite Trellix’s assurances, an attack like this could, in theory, enable threat actors to poison updates and design malware/attacks that bypass detection. Trellix has tens of thousands of global enterprise customers.
Assured’s recommended action
Confirm with the vendor whether source code related to your products was accessed. Check that recent Trellix updates were correctly signed. Monitor the vendor’s products for unusual traffic and activity.
Palo Alto Networks zero-day exploited for several weeks
Palo Alto Networks has warned customers that state-sponsored actors have been exploiting a critical zero-day vulnerability in its PAN-OS firewall since early April. CVE-2026-0300 is a buffer overflow vulnerability in the User-ID Authentication Portal (also known as the Captive Portal) service of the product. It has a CVSS score of 9.3.
Why it matters
Exploitation could enable an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. By remotely hijacking the firewall, they could gain a foothold in your network, enabling lateral movement and data theft/extortion.
Assured’s recommended action
Follow the vendor’s advice. Until a patch is available, disable the User-ID Authentication Portal if not required. If it is, restrict access to trusted zones only.
NCSC warns network defenders of incoming “patch wave”
The National Cyber Security Centre (NCSC) has warned security teams to expect a deluge of security advisories as vendors use powerful new AI models to find and fix vulnerabilities in their software. Tools such as Anthropic’s Mythos Preview and OpenAI’s GPT-5.4 have so far been withheld from public release to give vendors time to do this.
Why it matters
A sudden “rush of software updates”, as described by the NCSC, could overwhelm security teams if they’re not properly prepared. That might provide an opening for threat actors, especially if they use AI and automation to find and exploit exposed systems at scale.
Assured’s recommended action
Enable automatic “hot patching” as long as fixes don’t cause service disruption, and switch on automatic updates. Otherwise, take a risk-based approach to prioritise updates, following the NCSC’s vulnerability management guidance.
One in eight workers has sold their credentials in the past year
Some 13% of UK workers have admitted selling their corporate logins over the past 12 months, or knowing someone who has, according to Cifas. The non-profit fraud prevention service claimed the figure rose even higher for senior managers (32%), directors (36%), C-suite executives (43%) and business owners (81%).
Why it matters
Credentials sold for profit could end up on the cybercrime underground, enabling threat actors to bypass security defences and log in as legitimate employees. Because the activity looks like normal use, such intrusions are particularly hard to detect, increasing the chances of a costly breach.
Assured’s recommended action
Deploy phishing-resistant multi-factor authentication (MFA) to enhance security at login. Consider using user and entity behaviour analytics (UEBA), network detection and response (NDR), or other monitoring tools to detect suspicious behaviour continuously. Follow zero-trust approaches (least privilege and just-in-time access) to limit potential damage, and use data loss prevention to spot breaches in real time. Update training and awareness to remind employees what’s at stake.
Iranian APT group uses Teams for social engineering
Security researchers have revealed how Iranian state hackers, masquerading as cyber criminals from the Chaos ransomware group, used Teams for initial access in a recent breach. Reportedly posing as IT support staff, they used interactive Teams sessions and screen sharing to trick victims into approving authentication requests. They then deployed remote access tools to maintain persistence and steal data.
Why it matters
The campaign highlights the growing abuse of collaboration platforms as initial access vectors, and shows how state-sponsored actors use false flag techniques to make attribution and incident response harder.
Assured’s recommended action
Extend monitoring beyond email telemetry to include anomalous Teams activity, external tenant communications, MFA fatigue indicators, suspicious remote management tool deployment, and unusual authentication patterns following Teams interactions. Set up allow/block lists for trusted domains and conditional access policies to block legacy authentication. Disable anonymous meeting joins where possible.
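As an added example (not part of the briefing), the two rules below run over constructed sign-in events to flag the MFA fatigue pattern described in the Teams story and an approval from a country outside a user's baseline, the kind of anomalous login the credential-sales story recommends monitoring for; the event fields, thresholds and baseline are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sign-in events (not real telemetry), oldest first.
# Each record is one MFA prompt and its outcome.
SAMPLE_EVENTS = [
    # alice: a normal single-prompt sign-in from her usual country
    {"ts": "2026-04-20T08:55:00", "user": "alice", "country": "GB", "result": "approved"},
    # bob: five prompts in four minutes, the last one approved (MFA fatigue pattern)
    {"ts": "2026-04-20T09:00:10", "user": "bob", "country": "GB", "result": "denied"},
    {"ts": "2026-04-20T09:01:05", "user": "bob", "country": "GB", "result": "denied"},
    {"ts": "2026-04-20T09:02:00", "user": "bob", "country": "GB", "result": "timeout"},
    {"ts": "2026-04-20T09:03:20", "user": "bob", "country": "GB", "result": "denied"},
    {"ts": "2026-04-20T09:04:00", "user": "bob", "country": "GB", "result": "approved"},
    # carol: one prompt, approved, but from a country not in her baseline
    {"ts": "2026-04-20T09:10:00", "user": "carol", "country": "US", "result": "approved"},
]

# Constructed per-user baseline: countries each user signed in from previously.
BASELINE = {"alice": {"GB"}, "bob": {"GB"}, "carol": {"GB", "DE"}}

FATIGUE_WINDOW = timedelta(minutes=10)  # assumed look-back window
FATIGUE_PROMPTS = 3                     # assumed prompt count that counts as fatigue


def detect(events, baseline):
    """Return (rule, user, timestamp) alerts for the two rules, in event order."""
    alerts = []
    recent = {}  # user -> prompt timestamps still inside the fatigue window
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        window = [t for t in recent.get(user, []) if ts - t <= FATIGUE_WINDOW]
        window.append(ts)
        recent[user] = window
        if ev["result"] != "approved":
            continue
        # Rule 1: an approval preceded by repeated prompts in a short window.
        if len(window) >= FATIGUE_PROMPTS:
            alerts.append(("mfa_fatigue", user, ev["ts"]))
            recent[user] = []  # reset so one burst yields one alert
        # Rule 2: an approval from a country the user has never signed in from.
        if ev["country"] not in baseline.get(user, set()):
            alerts.append(("new_country", user, ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, BASELINE):
        print(alert)
```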