OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack
A malicious supply chain campaign has been stealing OpenAI Codex authentication tokens through a popular npm package called codexui-android, which draws over 29,000 weekly downloads by advertising itself as a legitimate remote web UI for Codex. Unlike typical typosquatting attacks, the exfiltration code was quietly embedded into a functional, actively maintained package roughly a month after its initial release — building trust before turning malicious. Every invocation has been sending users’ ~/.codex/auth.json contents, including long-lived refresh tokens that don’t expire, to an attacker-controlled server disguised as Sentry. The same credential theft chain has been found embedded in two Android apps with a combined 60,000+ downloads on the Google Play Store.
Hackers are Exploiting Palo Alto GlobalProtect VPN Authentication Bypass (CVE-2026-0257)
Active exploitation of a PAN-OS GlobalProtect authentication bypass flaw has been confirmed across multiple enterprise customers, with attackers using forged authentication override cookies to establish unauthorized VPN sessions against unpatched Palo Alto Networks devices. The vulnerability stems from firewalls decrypting and trusting cookie content without any signature verification — a flaw made possible when the certificate used for cookie encryption is the same one serving the HTTPS portal. Rapid7 observed two distinct exploitation waves in May, both attributed to the same threat actor based on consistent spoofed MAC addresses. CISA added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog and ordered federal agencies to remediate by June 1.
Lithuania Investigates Theft of 600,000 State Registry Records by Foreign Actor
Lithuanian prosecutors are investigating a major breach of the country’s Centre of Registers in which attackers misused institutional login credentials — believed to have been tied to the Migration Department — to quietly exfiltrate over 600,000 records containing names, national ID numbers, dates of birth, and property data. The breach was detected in early April but withheld from public disclosure due to an ongoing criminal investigation, and the agency’s director resigned after scrutiny over the delayed response. Opposition politicians have alleged the hallmarks of a Russian intelligence operation, pointing to the potential exposure of residential addresses belonging to military personnel, intelligence officers, and diplomats. Lithuania has not confirmed foreign attribution, and no group has claimed responsibility.
Station Casinos Reveals Data Breach Took Place in March 2026
Station Casinos LLC, the operator of Red Rock Casino Resort, Green Valley Ranch, and several other Las Vegas properties, has disclosed that an unauthorized third party accessed a single employee account and associated files on March 5, 2026 — more than two months before the company began notifying affected customers in late May. While the company has confirmed customer names were exposed, it also flagged the possibility that Social Security numbers, financial account numbers, payment card data, driver’s license numbers, and dates of birth may have been accessed in some cases. The total number of individuals affected has not been disclosed. The incident continues a troubling pattern of cyberattacks against the Las Vegas hospitality and gaming sector.
The 2026 Verizon Data Breach Investigations Report marks a historic shift: software vulnerability exploitation has overtaken stolen credentials as the leading initial breach vector for the first time in the report’s 19-year history, now accounting for 31% of incidents while credential abuse fell to 13%. The window for defenders has collapsed dramatically — AI-assisted attackers are compressing exploitation timelines from months to hours, yet organizations patched only 26% of CISA’s Known Exploited Vulnerabilities last year, down from 38% the year prior, with median remediation time climbing to 43 days. Ransomware appeared in 48% of all breaches, third-party-related breaches surged 60% year-over-year, and mobile-based phishing achieved click-through rates 40% higher than traditional email campaigns.
