Sample Briefing Preview

This is what you get, every morning.

A real ThreatForge intelligence briefing — sanitized for preview. All threat categories, severity ratings, and analyst commentary intact. IOCs and sensitive details removed.

Briefing dated May 22, 2026
54 threats tracked
Severity distribution
28 Critical
11 High
6 Medium
9 Low

Sample threat entries
LOW Geopolitical

North Korean Ballistic Missile Components Detected in Transit Through Third-Country Intermediaries

Financial intelligence shared via FinCEN advisory channels and corroborated by OSINT vessel tracking identifies a Hong Kong-registered front company, Evergreen Pacific Trading Ltd., as a probable intermediary in a dual-use component transfer chain linking DPRK procurement networks to a Syrian end-user. Manifests filed in Busan and Vladivostok contain discrepancies consistent with known North Korea…

LOW Supply Chain

Malicious npm Package 'azure-identity-utils' Targets CI/CD Pipelines with Credential Harvesting

A typosquatted npm package named 'azure-identity-utils' (legitimate package: '@azure/identity') has been observed exfiltrating environment variables and CI/CD secrets to a command-and-control server at 185.220.101.47. The package accumulated over 4,200 downloads before being flagged, primarily affecting organizations using GitHub Actions and Jenkins pipelines. Affected tokens include Azure service…

LOW Data Breach

Third-Party Marketing Analytics Firm Exposes Data of 900K Retail Loyalty Program Members via Misconfigured S3 Bucket

Security researcher group GrayhatWarfare identified a publicly accessible AWS S3 bucket on May 19, 2026, attributed to DataSpark Analytics, containing behavioral profiles, email addresses, loyalty point balances, and partial payment card BINs for customers of at least two mid-tier U.S. retail chains. The bucket, named 'dataspark-retail-prod-export,' had been publicly accessible since approximately…

LOW Cyber Threat

Scattered Spider Targeting Cloud Identity Providers via SIM-Swap Attacks on IT Help Desks

The financially motivated threat group Scattered Spider (UNC3944) has resumed aggressive operations targeting Okta and Microsoft Entra ID tenants at Fortune 500 financial services firms by social engineering IT help desk personnel into resetting MFA for high-privilege accounts. At least five major US financial institutions have reported unauthorized access to cloud environments between May 18-21,…

LOW Cyber Threat

Exposed Kubernetes API Servers Targeted in Cryptojacking Campaign Leveraging Misconfigured RBAC

A financially motivated threat actor is mass-scanning for publicly exposed Kubernetes API servers with overly permissive RBAC configurations, deploying XMRig Monero miners via privileged DaemonSet deployments across compromised clusters. Over 1,200 clusters have been identified as compromised in the past two weeks, predominantly belonging to small-to-medium enterprises using managed Kubernetes ser…

Analyst commentary
Today's briefing reflects an exceptionally high-threat environment, with 28 of 54 tracked items rated Critical (10.0/10) spanning ransomware, nation-state exploitation, supply chain compromise, and geopolitical instability. The most urgent finding is the active exploitation of multiple zero-day vulnerabilities — including CVE-2026-21847 (Fortinet SSL-VPN), CVE-2026-1847 (Ivanti EPMM), and CVE-2026-3291 (PAN-OS 11.x) — by Chinese and other state-nexus threat actors targeting critical infrastructu
🛡 Sanitized for preview. Specific IPs, email addresses, and internal organization details have been redacted. The full briefing — including all IOCs, links, and executive context — is delivered to subscribers daily via email and the dashboard.
