Kazu Actor Strikes Healthcare, Government; NGINX Zero-Day Exploited

Events tracked: 140
Critical exposure: 47

Summary

Today's threat landscape is defined by a concentrated, multi-sector data breach campaign from the actor Kazu, who claims to have compromised healthcare and government entities across four continents. This activity, combined with the active exploitation of a critical NGINX vulnerability (CVE-2026-42945) and a significant GitHub token breach at Grafana, signals a period of elevated risk for organizations with exposed web infrastructure and cloud development pipelines. Defenders should prioritize patching NGINX instances and auditing GitHub token permissions.

Today's developments

A single threat actor, Kazu, dominates today's critical data exposure events with six alleged breaches, targeting a diverse set of high-value victims. Claims include the South Africa Official National Data and Insights Portal, the Gauteng Provincial Government (allegedly 3.8 TB), and the Peruvian clinical laboratory Natclar (allegedly 1.8 TB). In the healthcare sector, Kazu also claims to have breached Health Time Spain (allegedly 2.2 million records) and HealthDaq in Ireland (allegedly 431 GB), alongside MyVete in Argentina (allegedly 5.5 million users). This pattern suggests a coordinated effort to exfiltrate large datasets from government and health infrastructure, likely for extortion or sale.

Beyond Kazu, other notable incidents include an alleged breach of PT Perikanan Indonesia (fishery sector) by CatNatXploit, and a claim by actor sexybroker of compromising Okinawa Tourist Service in Japan (allegedly 600,000+ customer records). Actor KYCMyASS has allegedly leaked identity documents from Spain, the UAE, and Malaysia, indicating a focus on credential and identity data. In the financial sector, an actor claims to have breached Coinbase, though no customer impact has been confirmed.

Industry reporting highlights two critical infrastructure threats. Security researchers at VulnCheck and depthfirst report that CVE-2026-42945, a heap buffer overflow in NGINX's ngx_http_rewrite_module (CVSS 9.2), is being actively exploited in the wild. This vulnerability affects NGINX versions 0.6.27 through 1.30.0 and can lead to worker crashes and potential remote code execution. Separately, Grafana disclosed that an unauthorized party obtained a GitHub token, allowing them to download the company's codebase. Grafana stated that no customer data or systems were impacted, but the incident underscores the risk of compromised CI/CD pipeline credentials.
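To turn the patch guidance above into a repeatable check, here is an added example (not code from the brief, VulnCheck, depthfirst, Grafana or the nginx project) that compares an nginx version string against the affected range the brief reports for CVE-2026-42945 (0.6.27 through 1.30.0) and flags configuration files that use ngx_http_rewrite_module directives. The version bounds are taken from the brief; the directive list is nginx's documented rewrite-module directive set; the sample configuration is constructed, and whether a given configuration reaches the vulnerable code path is not stated by the brief, so the directive scan is only a prioritisation hint.

```python
"""Added triage helper for the nginx advisory in this brief.
Version bounds come from the brief; everything else is assumed."""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

AFFECTED_MIN = (0, 6, 27)   # first affected version per the brief
AFFECTED_MAX = (1, 30, 0)   # last affected version per the brief

# Directives implemented by ngx_http_rewrite_module (public nginx documentation).
REWRITE_DIRECTIVES = ("rewrite", "return", "if", "set", "break", "rewrite_log")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from 'nginx version: nginx/1.24.0' or '1.24.0'."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", text) or \
        re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(version_text: str) -> bool:
    """True if the version lies inside the affected range (inclusive at both ends)."""
    v = parse_version(version_text)
    if v is None:
        raise ValueError(f"could not parse nginx version from {version_text!r}")
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def rewrite_directives_in(config_text: str) -> List[str]:
    """Return rewrite-module directives found in an nginx config, in order.
    Comments are stripped before matching so commented-out lines do not count."""
    found = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^([a-z_]+)\b", line)
        if m and m.group(1) in REWRITE_DIRECTIVES:
            found.append(m.group(1))
    return found


def installed_version_text() -> Optional[str]:
    """Run 'nginx -v' on this host; nginx prints its version on stderr.
    Returns None when nginx is not installed (assumed CLI behaviour)."""
    try:
        proc = subprocess.run(["nginx", "-v"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return (proc.stderr or proc.stdout).strip()


def triage(version_text: str, config_text: str) -> Dict[str, object]:
    """Summarise exposure for one host: affected version and rewrite usage."""
    directives = rewrite_directives_in(config_text)
    return {
        "version": parse_version(version_text),
        "affected_version": is_affected(version_text),
        "rewrite_directives": directives,
        "priority": "patch now" if is_affected(version_text) and directives
                    else "patch" if is_affected(version_text) else "not in range",
    }


# Constructed sample configuration (not from any real deployment).
SAMPLE_CONFIG = """
# constructed sample for the example
server {
    listen 80;
    set $maint 0;
    if ($request_method = POST) {   # rewrite-module directive
        return 405;
    }
    location /old/ {
        rewrite ^/old/(.*)$ /new/$1 permanent;
    }
}
"""

if __name__ == "__main__":
    # Constructed version banner; swap in installed_version_text() on a real host.
    banner = installed_version_text() or "nginx version: nginx/1.24.0"
    print(triage(banner, SAMPLE_CONFIG))
```

The range comparison uses Python tuple ordering, so 1.9.0 is correctly placed before 1.30.0 (a plain string comparison would get this wrong). Run it against `nginx -v` output and the host's active `nginx.conf` (including files pulled in by `include` directives, which this helper does not follow) to rank hosts for patching.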

Threat landscape signals

The data reveals a pronounced shift toward government and healthcare targeting, with 10 of today's 47 critical exposures involving public sector or medical entities. The actor Kazu alone accounts for six of these, suggesting a well-resourced operation focused on bulk data exfiltration. DDoS activity remains high (33 events), led by the pro-Russian group NoName057(16) with 18 events, primarily targeting Austrian entities (21 events total for Austria). This indicates a sustained hacktivist campaign against European infrastructure.

The appearance of a new Ransomware-as-a-Service (RaaS) actor, KRYBIT, on the dark web is a notable development, signaling potential new entry points for ransomware operations. Additionally, the active exploitation of the NGINX CVE and the Grafana token breach highlight that supply chain and web infrastructure vulnerabilities remain the most probable initial access vectors. Defenders should prioritize patching NGINX, reviewing GitHub token permissions, and monitoring for unusual data egress from web-facing applications.

All incidents are reported as alleged claims by threat actors and have not been independently verified by GrayscaleInsight.

Threat intelligence is reported for security awareness purposes only and does not constitute endorsement of any actor, group, or activity.
