VYPR
Trend · Published Jun 1, 2026 · 1 source

Check Point Weekly Roundup: Carnival, Charter, and Station Casinos Breaches Highlight Social Engineering, AI Threats, and Critical CVEs

Check Point's weekly threat intelligence report covers Carnival Corp's 6M-record breach, Charter Communications' ShinyHunters leak, AI-driven attacks by GREYVIBE, exploited PAN-OS and Ghost CMS flaws, and more.

Check Point Research's June 1 threat intelligence bulletin paints a busy picture for defenders, with major breaches at Carnival Corporation, Charter Communications, and Station Casinos alongside active exploitation of critical vulnerabilities and new AI-powered threats. Carnival Corporation confirmed a data breach affecting nearly 6 million people after attackers used social engineering to compromise an employee's account. Exposed data includes names, contact details, dates of birth, and government identification numbers, posing a significant identity theft risk to cruise line customers.

Charter Communications, operating under the Spectrum brand, suffered a breach attributed to the ShinyHunters group, which exposed 4.9 million email addresses along with names, phone numbers, physical addresses, and a subset of employee directory records. Meanwhile, Station Casinos, a Las Vegas operator owned by Red Rock Resorts, disclosed a more contained incident where an unauthorized third party accessed a single employee account and associated files. In Lithuania, the Centre of Registers also reported a breach affecting over 600,000 records through misused institutional credentials.

On the AI front, researchers profiled GREYVIBE, a Russia-aligned group using ChatGPT and Google Gemini to accelerate phishing, malware development, and post-compromise activity against Ukrainian targets. The group employs spear-phishing, fake CAPTCHA pages, and decoy websites to deliver PhantomRelay on Windows and FallSpy on Android. Separately, a malicious npm package named mouse5212-super-formatter was discovered exfiltrating developers' files by scanning local directories and uploading data to a GitHub repository using a hardcoded private token, recording at least seven exfiltration events and 676 downloads.
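As an added example (not part of Check Point's bulletin or the original page), the JavaScript below shows one way to check a project for the package named above: it searches a parsed package-lock.json for mouse5212-super-formatter, including transitive installs, and flags hardcoded GitHub tokens in package source text. The token pattern uses GitHub's documented prefixes with assumed minimum lengths, the function names are hypothetical, and all sample inputs are constructed.

```javascript
// Added example: audit a parsed package-lock.json for a named package and
// scan package source text for hardcoded GitHub tokens.
const FLAGGED = "mouse5212-super-formatter"; // package name from the bulletin

// Return every install of `name` found in a lockfile object.
// Handles the flat "packages" map (lockfileVersion 2/3) and the nested
// "dependencies" tree (lockfileVersion 1), including transitive installs.
function findPackageInLock(lock, name) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/b"; last segment is the package.
    const pkg = path.split("node_modules/").pop();
    if (pkg === name) hits.push({ path, version: meta.version });
  }
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const here = `${trail}node_modules/${dep}`;
      if (dep === name) hits.push({ path: here, version: meta.version });
      walk(meta.dependencies, `${here}/`);
    }
  };
  // Only walk the v1 tree when no v2/v3 map exists, to avoid double counting.
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// GitHub's documented token prefixes; the minimum lengths are an assumption
// chosen to keep false positives low.
const TOKEN_RE = /\b(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,})\b/g;

// Return masked matches so the report itself never stores a usable secret.
function findHardcodedGithubTokens(source) {
  return (source.match(TOKEN_RE) || []).map((t) => `${t.slice(0, 8)}...(${t.length} chars)`);
}

// Constructed sample inputs (not real data).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/some-tool/node_modules/mouse5212-super-formatter": { version: "0.0.0-example" },
  },
};
const sampleSource = `const TOKEN = "ghp_${"A".repeat(36)}"; upload(TOKEN);`;

console.log(findPackageInLock(sampleLock, FLAGGED));
console.log(findHardcodedGithubTokens(sampleSource));
```

To run it against a real project, pass the result of `JSON.parse` on the project's package-lock.json and the text of each file under the suspect package directory.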

Critical vulnerabilities demand immediate attention. Palo Alto Networks' PAN-OS CVE-2026-0257, a GlobalProtect authentication bypass fixed earlier this month, is now being actively exploited against unpatched devices. Attackers use forged authentication override cookies to create unauthorized VPN sessions, and CISA added the flaw to its Known Exploited Vulnerabilities catalog on May 29. The Ghost CMS SQL injection flaw CVE-2026-26980 is also under active exploitation, with two groups targeting over 700 sites to steal Admin API keys and deliver data-stealing malware via fake Cloudflare checks.

A critical remote code execution vulnerability in Gogs, the open-source self-hosted Git service, carries a CVSS score of 9.4 but remains unpatched more than two months after disclosure. An authenticated user can abuse rebase merging to execute commands, risking repository access and cross-tenant data exposure. Check Point also released a Jumbo Security Release addressing vulnerabilities in its own security gateways (CVE-2026-48131 and CVE-2026-48132), which were not exploited in the wild.

Threat intelligence reports in the bulletin attribute a destructive campaign against LA Metro to an Iran-linked operation using the Ababil of Minab persona, linking additional transit and technology attacks to Black Shadow infrastructure. Researchers also observed renewed Grandoreiro banking malware campaigns targeting Portuguese banks and organizations across Spain, Mexico, and Latin America, as well as a FIFA World Cup-themed fraud network called GHOST STADIUM that clones official websites across 300 domains to steal login credentials and payment data.

This roundup underscores that resistance to social engineering, defenses against AI-enabled attacks, and prompt vulnerability patching are essential pillars of modern cyber defense. Organizations are urged to apply patches for PAN-OS and Ghost CMS immediately, monitor for malicious npm packages, and remain vigilant against credential theft and AI-generated phishing.

Synthesized by Vypr AI