
Multiple Cybersecurity Threats Reported by Internet Storm Center
On May 27, 2026, the Internet Storm Center Stormcast reported multiple cybersecurity threats, including a fake AI download page distributing the ACR stealer malware via Google Ads. Attackers used deceptive domains like fairoint.com to mimic the official Claude AI page, tricking users into downloading the info-stealing malware.

Microsoft released an emergency patch for a SharePoint remote code execution vulnerability (CVE not specified) affecting all supported versions. The vulnerability is classified as low-complexity, but exploiting it requires authenticated user credentials.

Visual Studio Code’s Angular Language Service extension was found vulnerable to remote code execution when processing malicious settings or JSDoc files, due to improper character escaping.

Additionally, BIND DNS server versions 9.20 and 9.21 were patched for a heap use-after-free vulnerability in DNS-over-HTTPS (DoH) support, potentially leading to memory corruption, though remote code execution was deemed unlikely. The root cause was flaws in the HTTP/2 implementation, a recurring issue in web protocols.

The episode emphasized caution when opening untrusted projects in VS Code and highlighted the risks of credential-based attacks in SharePoint.