Threat Analysis: OAuth Device Code Phishing, Laravel Supply Chain Compromise, and an Actively Exploited Drupal Flaw

Threats & Attacks

Hello, Mauven here.

This is your Daily Threat Analysis for 26th May 2026.

Three items today, each with a different attack surface and each with direct exposure for UK small businesses. None of them require a sophisticated attacker, a nation-state budget, or an unusual configuration. They require ordinary tools, widely used software, and the assumption that your providers have been paying attention. That assumption is doing a lot of heavy lifting.


1. OAuth Device Code Phishing: MFA Is Not the Mitigation You Think It Is

Arctic Wolf has published analysis of a campaign they are calling Token Bingo, tracking a large-scale device code phishing operation that has been running since at least early April 2026. The platform of choice is Kali365, a phishing-as-a-service kit, and the primary target is Microsoft 365.

Here is what makes this one worth your attention: it does not ask victims for their password. It does not trigger a fake login page. It exploits the OAuth 2.0 Device Authorization Grant, the legitimate Microsoft workflow used when you log into a service on a device that cannot easily accept keyboard input, such as a smart TV or a printer. The attacker generates a device code and sends the victim a convincing lure directing them to Microsoft’s actual login page, microsoft.com/devicelogin, and asks them to enter the code. The victim sees a genuine Microsoft URL, authenticates normally, and unknowingly hands the attacker a valid session token with access to their account.

Multi-factor authentication does not prevent this. The victim completes MFA themselves as part of the flow. The attacker ends up with a token that is valid regardless of whether MFA is configured, because MFA has already been satisfied by the legitimate user doing exactly what the attacker needed them to do.

The advisory notes that post-compromise activity includes the creation of inbox forwarding rules and inbox deletion rules, the usual artefacts of business email compromise. What the advisory does not say explicitly, but what the operational pattern makes clear, is that by the time those rules are visible, the attacker has typically had persistent access for days. The token does not expire quickly. Access persists.

What this means for UK SMBs. If your staff use Microsoft 365, and the majority of UK small businesses do, they are in the target pool. The lure quality does not need to be high because the destination is a genuine Microsoft page. Any staff member who has ever used a device code flow to authenticate a legitimate service has the muscle memory that makes this work.

What to do.

  • Review your Microsoft Entra ID (formerly Azure AD) audit logs for device code authentication events. Look for sign-ins via the device code flow that do not correspond to known device enrolments.
  • Check for OAuth application consents that were not approved by your IT administrator. In Entra ID, this is under Enterprise Applications > User Consent.
  • If you use Conditional Access, consider restricting or blocking the device code authentication flow unless it is genuinely required for your organisation.
  • Brief your staff. The tell is the unsolicited request to visit microsoft.com/devicelogin and enter a code. If nobody asked them to do that, they should not do it.
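The two hunting steps above (device code sign-ins that match no known enrolment, then the forwarding or deletion inbox rules the advisory describes) can be combined into one triage pass over exported logs. The script below is an added example, not part of the Arctic Wolf advisory or any Microsoft tooling. It assumes sign-in records in the shape of the Microsoft Graph signIn resource (the `authenticationProtocol` field carries the value `deviceCode` for this flow) and Exchange unified audit log events for `New-InboxRule`; the records embedded in it are constructed for the example, and the known-device list is a placeholder you would fill from your own enrolment inventory.

```python
"""Triage helper for the device code phishing pattern described above.

Added example: not from Arctic Wolf or Microsoft. Field names follow the Graph
signIn resource and the Exchange unified audit log; all records below are
constructed sample data, not real telemetry.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed Entra ID sign-in records (values invented for the example).
SIGNIN_LOG = [
    {"createdDateTime": "2026-05-20T09:14:02Z", "userPrincipalName": "a.jones@example.co.uk",
     "authenticationProtocol": "deviceCode", "deviceDetail": {"displayName": "meeting-room-tv-01"},
     "ipAddress": "203.0.113.10"},
    {"createdDateTime": "2026-05-21T11:40:55Z", "userPrincipalName": "b.patel@example.co.uk",
     "authenticationProtocol": "deviceCode", "deviceDetail": {"displayName": ""},
     "ipAddress": "198.51.100.77"},
    {"createdDateTime": "2026-05-21T12:02:13Z", "userPrincipalName": "c.lee@example.co.uk",
     "authenticationProtocol": "oAuth2", "deviceDetail": {"displayName": "LAPTOP-CLEE"},
     "ipAddress": "203.0.113.11"},
]

# Constructed Exchange unified audit log events for New-InboxRule.
AUDIT_LOG = [
    {"CreationTime": "2026-05-22T08:05:41Z", "Operation": "New-InboxRule",
     "UserId": "b.patel@example.co.uk",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "external@mailbox.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-05-22T10:00:00Z", "Operation": "New-InboxRule",
     "UserId": "c.lee@example.co.uk",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
]

# Placeholder: device display names you legitimately expect to use the device code flow.
KNOWN_DEVICE_CODE_DEVICES = {"meeting-room-tv-01"}

# New-InboxRule parameters that move mail out of the victim's sight.
SUSPICIOUS_RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"}


def _ts(value):
    """Parse the 'Z'-suffixed UTC timestamps used in both logs."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def unexpected_device_code_signins(signins, known_devices=KNOWN_DEVICE_CODE_DEVICES):
    """Device code sign-ins whose device name is not in the enrolment inventory."""
    hits = []
    for rec in signins:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        name = (rec.get("deviceDetail") or {}).get("displayName") or ""
        if name not in known_devices:
            hits.append(rec)
    return hits


def suspicious_inbox_rules(events):
    """New-InboxRule events that forward, redirect or delete incoming mail."""
    hits = []
    for ev in events:
        if ev.get("Operation") != "New-InboxRule":
            continue
        flagged = {p["Name"] for p in ev.get("Parameters", []) if p["Name"] in SUSPICIOUS_RULE_PARAMS}
        if flagged:
            hits.append({"user": ev["UserId"], "time": ev["CreationTime"], "params": sorted(flagged)})
    return hits


def correlate(signins, events, window=timedelta(days=7)):
    """Users with an unexpected device code sign-in followed, within `window`,
    by a suspicious inbox rule: the post-compromise sequence the advisory describes."""
    findings = []
    rules = suspicious_inbox_rules(events)
    for s in unexpected_device_code_signins(signins):
        for r in rules:
            if r["user"].lower() != s["userPrincipalName"].lower():
                continue
            gap = _ts(r["time"]) - _ts(s["createdDateTime"])
            if timedelta(0) <= gap <= window:
                findings.append({"user": r["user"], "signin": s["createdDateTime"],
                                 "ip": s["ipAddress"], "rule_time": r["time"],
                                 "rule_params": r["params"]})
    return findings


if __name__ == "__main__":
    for finding in correlate(SIGNIN_LOG, AUDIT_LOG):
        print(json.dumps(finding))
```

The unexpected sign-in list is worth reviewing on its own even where no inbox rule has appeared yet, since the advisory's point is that rules are created after access has already persisted for a while; the correlated list is the higher-priority queue.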

2. Laravel Lang Supply Chain Compromise: 700+ Package Versions Backdoored

On 22nd and 23rd May 2026, community-maintained Laravel Lang packages were compromised with remote code execution backdoors. Socket’s analysis identifies at least four affected repositories: laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions. Over 700 versions across these packages were affected.

The attack pattern is consistent with organisation-level credential compromise: the coordinated, rapid tag publishing across multiple repositories in a short window suggests the attacker had access to credentials or tokens at the GitHub organisation level, not just a single maintainer account. A malicious dependency was introduced that, when pulled into a build pipeline, would execute attacker-controlled code.

Laravel is one of the most widely used PHP frameworks for web application development, and it has a substantial presence in the UK SMB web development ecosystem, particularly among agencies and freelancers building bespoke CMS installations, e-commerce sites, and client portals.

The NCSC published guidance on software supply chain attacks in 2021 and updated it in 2023. The fact that packages maintained by well-known, trusted community projects can be compromised at the organisation credential level is not new information. What is worth noting is that many smaller web development shops do not audit their dependency trees between client projects. A package pulled for one client’s build in May 2026 may persist in another client’s codebase for months.

What this means for UK SMBs. If your website, web application, or customer portal was built using Laravel, and if it was built or updated by a developer after mid-May 2026, the build may have incorporated a compromised package. You will not know unless someone checks.

What to do.

  • If you have a web developer or IT provider who uses Laravel, ask them directly whether they are aware of the laravel-lang compromise and whether they have audited recent builds.
  • Ask them to run composer audit against any Laravel projects deployed or updated since 20th May 2026.
  • If your developer cannot answer this question confidently, that tells you something about their dependency management practices that you need to address before the next deployment.
  • For developers reading this: rotate any credentials associated with affected packages, audit your GitHub organisation’s authorised OAuth applications and personal access tokens, and review your CI/CD pipeline for signs of unexpected outbound connections.
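For developers doing the audit above, composer audit reports on the advisory database; it is also worth knowing, per project, whether any of the four named packages is pinned in the lockfile and whether the pinned release was published inside the compromise window. The script below is an added example, not Socket's or Laravel Lang's tooling. It reads a composer.lock, flags entries for the four repositories named in Socket's analysis, and marks those whose release time falls on or after 20th May 2026 (the date this briefing recommends auditing from). The lockfile embedded in it is constructed: the version numbers, timestamps and commit reference are placeholders, not real affected releases.

```python
"""Review a composer.lock for laravel-lang packages pinned from the compromise window.

Added example, not from Socket or the Laravel Lang project. The package names are the
four repositories named in the advisory; everything in SAMPLE_COMPOSER_LOCK is constructed.
"""
import json
from datetime import datetime, timezone

AFFECTED_PACKAGES = {
    "laravel-lang/lang",
    "laravel-lang/http-statuses",
    "laravel-lang/attributes",
    "laravel-lang/actions",
}

# Start of the period the briefing says to audit from.
WINDOW_START = datetime(2026, 5, 20, tzinfo=timezone.utc)

# Constructed lockfile: versions, times and the commit reference are placeholders.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/lang", "version": "0.0.0-example",
         "time": "2026-05-22T18:31:09+00:00",
         "source": {"type": "git", "reference": "PLACEHOLDER_COMMIT_SHA"}},
        {"name": "laravel-lang/attributes", "version": "0.0.0-example",
         "time": "2026-03-02T10:00:00+00:00",
         "source": {"type": "git", "reference": "PLACEHOLDER_COMMIT_SHA"}},
        {"name": "monolog/monolog", "version": "0.0.0-example",
         "time": "2026-04-01T08:00:00+00:00",
         "source": {"type": "git", "reference": "PLACEHOLDER_COMMIT_SHA"}},
    ],
    "packages-dev": [
        {"name": "laravel-lang/actions", "version": "0.0.0-example",
         "time": "2026-05-23T02:15:44+00:00",
         "source": {"type": "git", "reference": "PLACEHOLDER_COMMIT_SHA"}},
    ],
})


def review_lock(lock_text, window_start=WINDOW_START):
    """Return one finding per laravel-lang package in the lockfile.

    `in_window` is True when the pinned release was published on or after
    window_start; those entries are the first to check against the advisory.
    """
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") not in AFFECTED_PACKAGES:
                continue
            # composer.lock 'time' values carry an explicit offset, e.g. +00:00.
            published = datetime.fromisoformat(pkg["time"])
            findings.append({
                "name": pkg["name"],
                "version": pkg.get("version"),
                "published": pkg["time"],
                "commit": (pkg.get("source") or {}).get("reference"),
                "dev": section == "packages-dev",
                "in_window": published >= window_start,
            })
    return findings


def priority_list(findings):
    """Names of affected packages pinned from a release inside the window."""
    return sorted(f["name"] for f in findings if f["in_window"])


if __name__ == "__main__":
    results = review_lock(SAMPLE_COMPOSER_LOCK)
    for f in results:
        print(json.dumps(f))
    print("check first:", priority_list(results))
```

Presence of any of the four packages warrants a look regardless of date, because the advisory counts over 700 affected versions rather than naming a single bad release; the `in_window` flag only orders the work. Run it against each client project's lockfile, since a package pulled for one build can sit in another codebase for months.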

3. Drupal SQL Injection: Actively Exploited, CISA Has Ordered Patching

CISA has added a Drupal SQL injection vulnerability to its Known Exploited Vulnerabilities catalogue and ordered US federal agencies to patch by the end of the week. Shadowserver is tracking exploitation activity in the wild.

The vulnerability affects Drupal installations running on PostgreSQL databases. SQL injection at this level typically allows an attacker to read, modify, or delete database contents, which in a CMS context means extracting user credentials, session tokens, form submissions, and any other data the application stores. Depending on database permissions, it may also allow writing to the filesystem.

Drupal powers a meaningful proportion of UK charity, public sector, and professional services websites. It is not the dominant CMS in the UK SMB space (that remains WordPress by a significant margin), but it is common enough in sectors where bespoke functionality was a requirement and where upgrade cycles tend to be slow.

If your organisation’s website runs Drupal and is hosted by a managed provider, the question is whether your provider has applied the patch. Many managed hosting providers patch automatically; many do not. The fact that CISA is treating this as actively exploited means automated scanning for vulnerable instances is already underway. This is not a hypothetical future risk.

What to do.

  • If you do not know what CMS your website runs, ask your web developer or hosting provider.
  • If the answer is Drupal, ask them to confirm the current version and whether the latest security update has been applied.
  • If the answer is that they will get to it, ask them when. “Soon” is not an acceptable answer when active exploitation is confirmed.
  • If you manage your own Drupal installation, patch it today. Drupal security advisories are published at drupal.org/security.

Wider Context: What Else Is Moving

Two items from today’s threat intelligence that do not meet the threshold for full analysis but are worth flagging for awareness:

Lazarus RemotePE. Fox-IT has published analysis of a memory-resident toolchain used by a North Korean Lazarus subgroup. The toolchain, DPAPILoader, RemotePELoader, and RemotePE, is designed to evade endpoint detection by executing entirely in memory. The primary targeting has been financial and cryptocurrency organisations. This is not a direct SMB threat today, but if you have any exposure to cryptocurrency custody, digital asset management, or fintech supply chains, the TTPs are worth understanding. The use of Windows DPAPI for decryption is notable because it requires operating in the context of a specific user account, meaning initial access and credential theft are prerequisites. This does not appear from nowhere.

F5 BIG-IP to Confluence intrusion chain. Microsoft has published analysis of a multi-stage intrusion that began with an end-of-life F5 BIG-IP load balancer. The attacker moved from the edge appliance to internal servers via SSH with privileged credentials, then conducted Kerberos relay attacks. The operational relevance for UK SMBs is the entry point: an internet-facing appliance running end-of-life software. If you have any network appliance (load balancer, VPN concentrator, firewall) running software that the vendor no longer supports, it is a matter of when, not whether.


Sources

  • Arctic Wolf, “Token Bingo: Don’t Let Your Code be the Winner”
  • Socket, “Laravel Lang Compromised with RCE Backdoor Across 700+ Versions”
  • CISA KEV / BleepingComputer, “CISA Orders Feds to Patch Actively Exploited Drupal Vulnerability”
  • Fox-IT, “RemotePE: The Lazarus RAT that Lives in Memory”
  • Microsoft Security Blog, “From Edge Appliance to Enterprise Compromise: Multi-Stage Linux Intrusion via F5 and Confluence”

Filed under

  • credential-theft
  • supply-chain-risk
  • smb-security
  • uk-business
  • social-engineering
  • vendor-risk
  • incident-response