MAGNET S2 WEEKLY SNAPSHOT – 260531-2015z

Download a PDF version of this report

MAGNET S2 WEEKLY SNAPSHOT — 260531-2015Z

MAGNET S2

Weekly OSINT Intelligence Snapshot

DTG: 260531-2015Z | Reporting Period: 24–31 May 2026 | United States Focus

www.magnethf.com

MAGCON STATUS

MAGCON

LEVEL 3

ELEVATED

MAGCON holds at Level 3 – ELEVATED. The dominant development this week is the Iran-US MOU reaching final-stage negotiations but remaining unsigned as of DTG. Negotiators reached tentative agreement on a 60-day ceasefire extension and Hormuz reopening by approximately 28 May — Iran to clear mines, US to lift port blockade, Iran commits to no nuclear weapons and enrichment negotiations — but Trump has not yet signed. VP Vance (29 May): ‘very close, not there yet.’ Continued US self-defense strikes near Hormuz (25 & 28 May) and Iranian fire on a US Kuwait base underscore ceasefire fragility. Brent crude fell to ~$91/bbl — down ~17% in May, its steepest monthly decline since 2020 — on deal optimism. AAA national gas average dropped to $4.356/gal (30 May) from $4.55 a week prior. A new supply-chain cyberattack campaign — DAEMON Tools Lite, TanStack npm, and Nx Console — was added to CISA KEV on 27 May with CVSS scores up to 9.5. GKN Aerospace MMA chemical incident in Garden Grove, CA closed its acute life-safety phase; criminal investigation and environmental remediation now active. Converse Reservoir IED investigation continues with no arrest or motive. Civil Unrest upgraded to ELEVATED: anti-ICE protests at Delaney Hall detention center in Newark, NJ entered their 9th day (31 May) — producing violent clashes with police, tear gas, pepper spray, tire fires, projectile throwing, dueling pro/anti-ICE counter-demonstrations, weapons arrests, mandatory curfew (9PM–6AM within half-mile of facility), and a congressional oversight visit by House Minority Leader Jeffries.

TREND VS LAST WEEK: WORSENING — CIVIL UNREST NOW ELEVATED / DIPLOMATIC NEARING INFLECTION / ENERGY IMPROVING / CYBER NEW VECTOR

PRIMARY RISK DRIVERS

US-Iran MOU negotiations reached tentative agreement by ~28 May: 60-day ceasefire extension, Hormuz reopening (no tolls), Iran clears mines within 30 days, US lifts port blockade, Iran commits to no nuclear weapons and enrichment negotiations — but Trump had NOT signed as of DTG; VP Vance (29 May): ‘very close, not there yet.’ Iran has not formally confirmed.
US military conducted ‘self-defense strikes’ near Hormuz on 25 May and 28 May — shooting down 4 Iranian drones targeting a commercial vessel, hitting an Iranian launch unit; Iran fired on a US base in Kuwait; US disabled a merchant vessel attempting to breach the Iranian port blockade; ceasefire ‘technically intact’ per US officials but increasingly stressed.
US Treasury sanctioned Iran’s Persian Gulf Strait Authority (27 May) for an alleged IRGC-linked Hormuz toll scheme — the same concept Trump rejected in direct talks — signaling a parallel pressure campaign alongside diplomacy.
Brent crude fell to ~$91.12/bbl (29 May) — down ~17% in May, the steepest monthly decline since 2020 — on deal optimism; AAA national gas average $4.356/gal (30 May), down from $4.55 on 21 May; gasoline stocks fell for 15th consecutive week; IEA undersupply warning unchanged.
NEW — Supply chain cyberattack KEV triple (27 May): CVE-2026-8398 DAEMON Tools Lite (CVSS 9.3) — compromised official installers Apr–May 2026 via valid code-signing certificates; CVE-2026-45321 TanStack npm (CVSS 9.5) — 84 malicious package versions via hijacked GitHub Actions; CVE-2026-48027 Nx Console VS extension (CVSS 9.3) — malicious version on VS Marketplace and OpenVSX; federal deadlines Jun 10–17.
GKN Aerospace MMA chemical incident (Garden Grove, CA) acute phase CLOSED 26 May — all ~50,000 displaced residents returned; no injuries throughout. OC DA criminal investigation active; hold letters served on GKN. Groundwater contamination testing ongoing. Multiple civil suits filed. MAGNET reports 260526-1200Z and 260527-1306Z published on magnethf.com.
NEW — Delaney Hall ICE detention center (Newark, NJ) protests entered 9th day (31 May): violent clashes with police (tear gas, pepper spray used), tire fires, projectiles thrown, weapons arrests, dueling pro/anti-ICE counter-demonstrations (30 May). Newark Mayor Baraka imposed mandatory curfew within half-mile of facility (9PM–6AM until further notice). NJ State Police assumed perimeter security from ICE on 29 May. House Minority Leader Jeffries and NJ House members conducted oversight visit 31 May. DHS granted limited family visitation resumption.
Converse Reservoir IED (Mobile, AL) — FBI investigation ongoing with no arrest and no confirmed motive; underwater physical security gap remains open nationally for water utility operators.
Previously reported KEV items remain active — Linux CVE-2026-31431 exploitation surge (deadline passed 15 May), Cisco SD-WAN CVE-2026-20182 CVSS 10.0 (deadline passed 17 May), MS Defender CVE-2026-41091/45498, Trend Micro Apex One, Langflow — all require immediate patching if not completed.
Canvas LMS breach phishing window continues — 275M records, 90+ day exposure window active.

DELTA SUMMARY – CHANGES FROM LAST REPORT (260524-1200Z)

TOPIC	DELTA FROM 260524-1200Z
Delaney Hall ICE Protests — Newark, NJ (22–31 May)	NEW — CIVIL UNREST ELEVATED. Anti-ICE protests at Delaney Hall began ~22 May after detainees alleged inhumane conditions (worm-infested food, lack of medical care, hunger/labor strike from 22 May). Escalated through the week: ICE used chemical irritants and pepper spray (26–28 May); NJ State Police assumed perimeter control from ICE on 29 May; Saturday 30 May saw most violent confrontations — tire fires, projectiles, police on horseback, barricades torn down, ICE vehicle smashed. Newark Mayor Baraka imposed mandatory curfew within half-mile radius (9PM–6AM, until further notice). Multiple arrests including individuals with weapons. House Minority Leader Jeffries conducted oversight visit 31 May. DHS granted limited family visitation resumption. Dueling pro/anti-ICE demonstrations active as of DTG.
Iran-US MOU Status	WORSENING THEN IMPROVING — CRITICAL INFLECTION. Negotiators reached tentative 60-day MOU agreement by ~28 May: Hormuz reopens (no tolls); Iran clears mines within 30 days; US lifts port blockade; Iran commits to no nuclear weapons and enrichment negotiations. Trump not signed — told mediators ‘a couple of days to think about it.’ VP Vance (29 May): ‘very close, not there yet.’ Iran not formally confirmed. Contradictions persist over US force withdrawal and port blockades. Assessment: MOU signing probability highest since conflict began, but not a done deal.
US Self-Defense Strikes Near Hormuz (25–28 May)	NEW — WORSENING/FRAGILE CEASEFIRE. US CENTCOM conducted self-defense strikes on Iranian missile launch sites and boats on 25 May. Second strike wave 28 May: US shot down 4 Iranian drones targeting a commercial ship, hit a launch unit near Hormuz. Iran fired on a US base in Kuwait. US disabled a merchant vessel in the Gulf of Oman attempting to breach the Iranian port blockade. Ceasefire ‘technically intact’ per US officials — each incident raises escalatory risk.
US Treasury Sanctions — IRGC Toll Scheme (27 May)	NEW — 27 May. US Treasury sanctioned Iran’s Persian Gulf Strait Authority, linked to an alleged IRGC-backed toll collection scheme — the same concept Trump rejected in prior direct negotiations. Signals a continued US pressure track alongside diplomacy.
Oil / Energy	IMPROVING — SIGNIFICANTLY. Brent crude fell to ~$91.12/bbl (29 May), down ~17% for May — steepest monthly decline since 2020. AAA national gas average $4.356/gal as of 30 May, down from $4.55 (21 May). Gasoline stocks fell 15th consecutive week; SPR remains active. Deal signing could push Brent toward $80–85; collapse reverses all gains rapidly. IEA undersupply warning unchanged.
CISA KEV — Supply Chain Attacks (27 May)	NEW — CRITICAL. Three supply-chain CVEs added to KEV 27 May: CVE-2026-8398 (DAEMON Tools Lite, CVSS 9.3) — compromised official installers Apr–May 2026 with valid code-signing certs; CVE-2026-45321 (TanStack npm, CVSS 9.5) — 84 malicious package versions published via hijacked GitHub Actions; CVE-2026-48027 (Nx Console VS extension, CVSS 9.3) — malicious version on VS Marketplace and OpenVSX. All exploit trusted distribution channels. Federal deadlines June 10–17. Audit, update, and rotate credentials immediately.
GKN Aerospace MMA Incident — Garden Grove, CA	ACUTE PHASE CLOSED — LONG-TAIL ACTIVE. All evacuation orders lifted 26 May (~1930L). ~50,000 residents displaced over ~6 days returned; no civilian or first responder injuries. OC DA criminal investigation active — document hold letters (‘don’t get the shredder started’) served on GKN. Environmental remediation and groundwater contamination testing ongoing; results expected in coming days to weeks. Civil class-action suits filed. GKN regulatory history: $909K AQMD settlement (2025), prior OSHA penalties. MAGNET S2 reports 260526-1200Z (original) and 260527-1306Z (delta) published on magnethf.com.
Linux / Cisco / MS Defender KEV Items	ONGOING — NO CHANGE. Linux CVE-2026-31431 exploitation surge active; federal deadline PASSED 15 May. Cisco SD-WAN CVE-2026-20182 CVSS 10.0; deadline PASSED 17 May; UAT-8616 clusters remain active. MS Defender CVE-2026-41091 and CVE-2026-45498 on KEV from 20 May. All require immediate patching. If Cisco not patched, assume compromise.
Converse Reservoir IED	ONGOING — NO ARREST. FBI investigation continues. No suspect identified, no confirmed motive. Water utility underwater physical security gap remains a national-level open issue.
Canvas LMS Breach	STABLE/ELEVATED — NO CHANGE. No new developments. Phishing risk from 275M records continues through 90+ day window. Canvas-themed spear-phishing campaigns remain expected through mid-August.

NO CHANGE:

MAGCON level holds at 3 – ELEVATED
Iranian APT cyber targeting of U.S. ICS/OT remains active
Bab el-Mandeb / Red Sea threat stable at ELEVATED (Houthi posture unchanged)
CIRCIA mandatory cyber incident reporting rule finalization still pending
CISA CI Fortify initiative ongoing; Converse Reservoir IED directly validates CI Fortify threat model
Microsoft Exchange CVE-2026-42897 (XSS/OWA) — patch still required

SECTOR THREAT LEVELS

SECTOR	LEVEL	NOTES
Terrorism / Extremism	ELEVATED	White House checkpoint shooting (23 May) follow-up ongoing; no new incident this week but 30-day cluster of lone-actor/mentally ill threats to presidential security perimeter remains analytically significant.
Cyber Activity	ELEVATED	NEW: Supply-chain KEV triple (27 May) adds developer toolchain attack vector. Linux CVE-2026-31431 exploitation surge ongoing. Cisco SD-WAN and MS Defender deadlines passed with exploitation continuing.
Critical Infrastructure	ELEVATED	Converse Reservoir IED (Mobile, AL) investigation ongoing — no arrest. GKN Garden Grove MMA acute phase closed; environmental and criminal tracks active. SD-WAN overdue patches expose CI networks.
Energy / Fuel Sector	HIGH	IMPROVING conditionally. Brent ~$91/bbl (29 May); AAA gas $4.356/gal (30 May). Unsigned MOU and ongoing Hormuz military incidents maintain volatility. IEA undersupply warning unchanged; SPR active.
Education Sector	ELEVATED	Canvas ransom resolved; phishing risk from 275M records continues through 90+ day window.
Civil Unrest	ELEVATED	UPGRADED from ROUTINE. Delaney Hall ICE detention center protests (Newark, NJ) — 9th day (31 May); violent clashes, curfew imposed, dueling pro/anti-ICE demonstrations. Congressional oversight visit by House Minority Leader Jeffries. Ongoing potential for escalation; watch for spread to other ICE facilities.
Transportation Systems	ELEVATED	Hormuz MOU tentatively agreed but NOT signed; strait effectively closed pending mine clearance. Do not route commercial traffic through Hormuz until confirmed open.
Supply Chain / Logistics	ELEVATED	Deal optimism driving anticipatory supply chain normalization planning; restoration will be gradual — mine clearance, infrastructure repair, tanker redeployment — regardless of MOU signing timeline.
Food / Fertilizer Security	ELEVATED	Gulf shipping disruption continues to impact fertilizer and agricultural trade lanes. No new developments.

GLOBAL CHOKEPOINT WATCH

CHOKEPOINT	STATUS	ASSESSMENT
Strait of Hormuz	CRITICAL → IMPROVING	60-day MOU tentatively agreed (~28 May) but NOT SIGNED. Ongoing US self-defense strikes (25 & 28 May) and Iranian fire on Kuwait base confirm ceasefire fragility. Mine clearance and infrastructure repair needed before commercial traffic can resume even after signing. TREAT AS CLOSED until MOU signed AND mines cleared.
Bab el-Mandeb / Red Sea	ELEVATED	Stable. Houthi threat posture unchanged. No significant new incidents.
Panama Canal	ROUTINE	Stable. Normal operations.
Strait of Malacca	ELEVATED	SE Asia energy stress from Hormuz closure persists; anticipatory easing on deal news. Stable.

KEY INCIDENTS

CIVIL UNREST — Delaney Hall ICE Facility Protests, Newark, NJ [ELEVATED — 9th Day, 31 May]

Anti-ICE protests at the Delaney Hall immigration detention center in Newark, New Jersey have continued for nine consecutive days as of 31 May, generating the most significant sustained civil unrest event in the reporting period. The protests began approximately 22 May after detainees alleged inhumane conditions inside the facility — reports included worm-infested food, inadequate medical care, extended detention of individuals who had offered to voluntarily self-deport, and unsanitary bathrooms. Detainees launched a hunger and labor strike on 22 May. Letters with hundreds of signatures were smuggled out of the facility and circulated publicly.

The protest environment escalated significantly through the week. ICE agents used chemical irritants and pepper spray on protesters on May 26 and 28. On 29 May, NJ Governor Mikie Sherrill announced NJ State Police would assume perimeter security from ICE — ICE agreed to withdraw from the immediate area — and a ‘peaceful, protected protest zone’ was established. The most violent night occurred on 30 May: demonstrators tore down barricades, set tires on fire in the street, threw projectiles at officers, and smashed the windscreen of an ICE vehicle. Police on horseback were deployed to disperse crowds. Multiple individuals were arrested, some found in possession of weapons. Dueling pro-ICE and anti-ICE counter-demonstrations also occurred on 30 May.

Newark Mayor Ras Baraka declared a mandatory curfew in the early hours of 31 May — 9PM to 6AM within a half-mile radius of Delaney Hall, until further notice. On 31 May, House Minority Leader Hakeem Jeffries and NJ House members conducted an oversight visit, publicly calling for Delaney Hall’s closure and describing ‘unsanitary living conditions, lack of adequate medical care and unhealthy food.’ DHS separately announced limited family visitation would resume Sunday. Assessment: watch for protest spread to other ICE facilities in NJ and adjacent states.

IRAN–U.S. — MOU at Signing Threshold; Ceasefire Fragile (24–30 May)

The week of 24–30 May marked the closest the US and Iran have come to a signed agreement since hostilities began February 28. By approximately May 28, US and Iranian negotiators had reached tentative agreement on a 60-day MOU: the Strait of Hormuz would reopen with unrestricted shipping, Iran would clear mines within 30 days, the US would lift its port blockade of Iran and issue limited sanctions waivers, and both sides would enter nuclear negotiations during the 60-day window. Iran committed verbally to never seeking nuclear weapons and to enrichment negotiations.

Trump was briefed on the final terms but did not immediately sign off, telling mediators he wants ‘a couple of days to think about it’ (reported 29 May). VP Vance confirmed: ‘very close, not there yet.’ Iran has not formally confirmed acceptance. Contradictions persist — Tehran claimed the draft stipulates US force withdrawal and lifting of all port blockades, which Washington has pushed back on.

Military incidents continued throughout the week. US CENTCOM conducted ‘self-defense strikes’ on Iranian missile launch sites and boats on May 25 and again on May 28, shooting down four Iranian drones targeting a commercial vessel and hitting a launch unit near Hormuz. Iran retaliated by firing on a US base in Kuwait. The US Treasury simultaneously sanctioned Iran’s Persian Gulf Strait Authority for an alleged IRGC toll scheme. Assessment: MOU signing probability is the highest since the conflict began, but remains unsigned and fragile. Even if signed, mine clearance and infrastructure repair will delay supply normalization by weeks.

CYBER — Supply Chain KEV Cluster: DAEMON Tools, TanStack, Nx Console (27 May)

CISA added three supply-chain compromise vulnerabilities to the KEV catalog on May 27, marking a significant escalation in attacker targeting of legitimate software distribution channels. CVE-2026-8398 (CVSS 9.3): Official DAEMON Tools Lite installers distributed from the vendor’s website were compromised between April and May 2026 with embedded malicious code bearing valid code-signing certificates. Update to version 12.6.0.2445 or uninstall. Federal deadline: June 17.

CVE-2026-45321 (CVSS 9.5): Attackers hijacked GitHub Actions to publish 84 malicious TanStack npm package versions containing credential-stealing malware under the trusted TanStack identity. Audit package lock files and rotate credentials. Federal deadline: June 10. CVE-2026-48027 (CVSS 9.3): A malicious version of the Nx Console developer extension was briefly available on both Visual Studio Marketplace and OpenVSX. Update immediately. Federal deadline: June 17.

The supply-chain vector bypasses most perimeter and endpoint defenses by arriving through installation, update, or package management pipelines. Organizations should treat any software installed or updated during April–May 2026 with additional scrutiny and implement software composition analysis (SCA).

CI / INFRASTRUCTURE — GKN Aerospace MMA Garden Grove: Acute Phase Closed; Long-Tail Active

OCFA formally closed the life-safety phase of the GKN Aerospace MMA chemical incident in Garden Grove, CA on the evening of May 26. All evacuation orders were lifted at approximately 1930L; approximately 50,000 displaced residents were cleared to return. Garden Grove USD reopened all schools May 27. No civilian or first responder injuries were reported. MAGNET S2 published original report 260526-1200Z and delta update 260527-1306Z, both available at magnethf.com/reports.

Three parallel long-tail tracks are now active: (1) Criminal investigation — Orange County DA Todd Spitzer served GKN with formal document preservation notices, stating publicly ‘Don’t get the shredder started.’ Anonymous tip hotline 714-347-8714 active. (2) Environmental remediation — millions of gallons of cooling water runoff under testing; groundwater contamination results expected in coming days to weeks. (3) Civil litigation — multiple law firms have filed or are investigating class-action claims. Additional GKN regulatory history confirmed: $909,935 AQMD settlement (2025) for violations from a 2020 inspection; OSHA penalties (2018).

CYBER / INFRASTRUCTURE BULLETIN

KEV Bulletin — Patch Immediately

CVE / SYSTEM	SEVERITY	ACTION REQUIRED
CVE-2026-8398 DAEMON Tools Lite	CVSS 9.3	NEW KEV 27 May. Supply chain RCE via compromised official installers (Apr–May 2026). Update to v12.6.0.2445 or uninstall. Federal deadline: Jun 17, 2026.
CVE-2026-45321 TanStack (npm)	CVSS 9.5	NEW KEV 27 May. 84 malicious npm versions via hijacked GitHub Actions; credential theft. Audit package lock files; rotate credentials. Federal deadline: Jun 10, 2026.
CVE-2026-48027 Nx Console (VS ext)	CVSS 9.3	NEW KEV 27 May. Malicious extension on VS Marketplace and OpenVSX. Update immediately. Federal deadline: Jun 17, 2026.
CVE-2026-31431 Linux Kernel ‘Copy Fail’	CVSS 7.8	EXPLOITATION SURGE CONFIRMED ACTIVE. Federal deadline PASSED 15 May. Mass exploitation of unpatched containers/cloud underway. Patch to kernel 6.18.22 / 6.19.12 / 7.0 — treat as active incident response priority.
CVE-2026-20182 Cisco Catalyst SD-WAN	CVSS 10.0	Federal deadline PASSED 17 May. UAT-8616 and 10+ clusters active. Unauthenticated remote auth bypass. Apply ED-26-03 or discontinue immediately. If not patched, assume compromise.
CVE-2026-41091 Microsoft Defender (EoP)	CVSS 7.8	KEV 20 May. Elevation of privilege to SYSTEM via Defender abuse. Patch to Defender 4.18.26040.7 / MMP Engine 1.1.26040.8. Actively exploited; Canada CCCS issued parallel guidance.
CVE-2026-45498 Microsoft Defender (DoS)	CVSS 4.0	KEV 20 May. Denial of service. Same patch target as CVE-2026-41091.
CVE-2026-34926 Trend Micro Apex One	HIGH	KEV 21 May. Directory traversal vulnerability on-premise. Apply Trend Micro patches immediately.
CVE-2025-34291 Langflow	HIGH	KEV 21 May. Origin validation error. Patch or discontinue; review for unauthorized DB access.
CVE-2026-42897 Microsoft Exchange Server	HIGH	ONGOING. XSS in Outlook Web Access. Apply MSRC mitigations. Confirmed active exploitation.

EMERGING INDICATORS

Watch: Delaney Hall curfew enforcement and protest continuation — mandatory curfew (9PM–6AM) now in effect; watch for curfew violations, additional arrests, and whether protests spread to other ICE facilities in NJ, NY, or other states.
Watch: Federal response to congressional oversight at Delaney Hall — Jeffries’ visit and ‘shut it down’ demand may drive legislative or administrative action; DHS response to detainee condition allegations is an indicator.
Watch: Trump MOU signing decision — this is the primary trigger for energy normalization and military resumption risk reduction; any announcement expected within 72 hours; prepare for both signing and collapse contingencies.
Watch: Mine clearance timeline in Hormuz — even after MOU signing, Iran must clear mines within 30 days; verification mechanism and US response to any delays are key operational indicators.
Watch: GKN groundwater / runoff contamination results (Garden Grove) — expected in days to weeks; confirmed contamination elevates environmental liability and sets national industrial compliance precedent.
Watch: Orange County DA criminal charges against GKN — document hold letters served; any charges filed would be a significant national industrial safety enforcement precedent.
Watch: Supply chain attack expansion — DAEMON Tools / TanStack / Nx Console KEV additions signal an active campaign targeting developer tooling; watch for additional compromised packages, extensions, or update mechanisms.
Watch: Iran response to continued US self-defense strikes — IRGC has threatened force against any ceasefire violations; watch for an escalatory response that formally breaks the ceasefire framework.
Watch: US Treasury Hormuz sanctions follow-through — any Iranian attempt to implement a toll scheme post-MOU signing would trigger sanctions enforcement and potential re-escalation.
Watch: Converse Reservoir FBI investigation update — any arrest or motive attribution will change national threat posture for water utility operators and CI security planners.
Watch: Linux CVE-2026-31431 cloud / container exploitation telemetry — organizations should be monitoring for unauthorized privilege escalation in unpatched environments now; federal deadline has passed.
Watch: Additional lone-actor incidents at federal facilities — three White House perimeter incidents in 30 days represents an anomalous cluster; any new incident confirms an emerging pattern requiring upgraded response protocols.

VERIFIED STATUS

✓ CONFIRMED Delaney Hall ICE protests 9th day 31 May; curfew (9PM–6AM within half-mile) imposed by Newark Mayor Baraka; tire fires, projectiles thrown, weapons arrests on 30 May. NJ State Police assumed perimeter from ICE on 29 May. (Philadelphia Inquirer, CNN, Fox News, NBC News, NJ Globe — 29–31 May 2026)
✓ CONFIRMED House Minority Leader Jeffries and NJ House members conducted oversight visit at Delaney Hall 31 May; called for facility closure. DHS granted limited family visitation resumption Sunday. (ABC News — 31 May 2026)
✓ CONFIRMED US/Iran negotiators reached tentative 60-day MOU agreement by ~28 May; Trump not signed; Iran not formally confirmed. (Axios, CBS News, CNN — 28–31 May 2026)
✓ CONFIRMED US self-defense strikes near Hormuz 25 May and 28 May; Iran fired on Kuwait base; ceasefire technically intact. (Bloomberg, CNN/CENTCOM — 25–28 May 2026)
✓ CONFIRMED Brent crude ~$91.12/bbl (29 May), down ~17% for May. AAA national gas average $4.356/gal as of 30 May. (Trading Economics, AAA gasprices.aaa.com — 29–30 May 2026)
✓ CONFIRMED CISA added CVE-2026-8398, CVE-2026-45321, CVE-2026-48027 to KEV on 27 May; supply chain attacks confirmed active exploitation. (CISA.gov, SC Media, Security Affairs — 27–29 May 2026)
✓ CONFIRMED GKN Aerospace MMA incident all evacuations lifted 26 May; ~50,000 displaced; schools reopened 27 May; OC DA hold letters served on GKN. (OCFA, ABC7, CBS LA, OC DA — 26–27 May 2026)
✓ CONFIRMED US Treasury sanctioned Iran’s Persian Gulf Strait Authority (27 May) for alleged IRGC-linked Hormuz toll scheme. (Britannica, AP — 27 May 2026)
✗ NOT CONFIRMED Iran-US MOU formally signed. Both sides indicate ‘very close’ but no signing confirmed as of DTG.
✗ NOT CONFIRMED GKN Garden Grove groundwater contamination confirmed. Testing ongoing; no results publicly available as of DTG.
✗ NOT CONFIRMED Converse Reservoir IED — suspect identified or motive confirmed. FBI investigation ongoing with no public arrest.

OPERATOR GUIDANCE

NJ / NORTHEAST OPERATORS — Delaney Hall protests at active civil unrest level; mandatory curfew (9PM–6AM) within half-mile of facility at Doremus Ave, Newark; avoid the area during curfew hours; monitor for spread of protest activity to other ICE facilities or federal buildings in NJ, NY, and adjacent states.
PATCH DAEMON TOOLS LITE NOW — CVE-2026-8398 (supply chain RCE); update to v12.6.0.2445 or uninstall; audit any installations from Apr–May 2026 for indicators of compromise; federal deadline Jun 17.
AUDIT NODE.JS / TANSTACK DEPENDENCIES — CVE-2026-45321 supply chain attack; run software composition analysis (SCA) against package lock files; rotate all credentials accessible from affected environments; federal deadline Jun 10.
UPDATE NX CONSOLE — CVE-2026-48027; verify your VS extension version immediately; scan developer workstations for indicators of compromise; federal deadline Jun 17.
PATCH LINUX KERNEL — CVE-2026-31431 exploitation surge confirmed active; federal deadline PASSED 15 May; patch to kernel 6.18.22 / 6.19.12 / 7.0 immediately; audit all cloud and container environments for unauthorized privilege escalation.
CISCO SD-WAN — CVE-2026-20182 CVSS 10.0; federal deadline PASSED 17 May; if not patched, assume compromise and begin incident response procedures; apply ED-26-03 or discontinue immediately.
DO NOT USE UNOFFICIAL HORMUZ TRANSIT GUIDANCE — strait effectively closed until MOU signing is formally confirmed AND mine clearance is complete; verify through TRANSCOM for any operational requirements.
CANVAS INSTITUTIONS — maintain elevated phishing awareness through mid-August; verify any Canvas-branded communication through official channels; expect personalized spear-phishing using course names and private message context.
WATER / DAM OPERATORS — Converse Reservoir IED investigation ongoing with no arrest; maintain enhanced underwater physical security protocols; report anomalies to FBI and DHS; reference MAGNET report 260514-2115Z.
MR09 / CALIFORNIA OPERATORS — Monitor GKN groundwater contamination results; check AQMD and EPA ECHO enforcement databases for similar industrial-chemical facilities near residential zones in your operating area.
MONITOR IRAN DEAL STATUS — formal MOU signing is the primary trigger for energy price normalization; any announcement expected within 72 hours; prepare for both signing and collapse contingencies.
Report cyber incidents to cisa.gov or IC3.gov; CI Fortify guidance at cisa.gov.

SOURCE LIST

[1] Philadelphia Inquirer — Newark declares curfew around Delaney Hall, 31 May 2026 — inquirer.com
[2] CNN — Curfew established around Newark ICE facility after days of protests, 30 May 2026 — cnn.com
[3] ABC News — Family visitations to resume at NJ ICE facility following violent protests, 31 May 2026 — abcnews.com
[4] Fox News — Anti-ICE Delaney Hall protests enter 9th day, 31 May 2026 — foxnews.com
[5] NBC News — Protests over conditions at NJ ICE facility draw curfew, 30–31 May 2026 — nbcnews.com
[6] NJ Globe — Newark declares curfew around Delaney Hall, 31 May 2026 — newjerseyglobe.com
[7] Rolling Stone — Inside the protests at Delaney Hall detention center, 31 May 2026 — rollingstone.com
[8] CBS News — Iran War Live Updates (Trump decision pending), 31 May 2026 — cbsnews.com
[9] Axios — US and Iran reach deal but need Trump final approval, 28 May 2026 — axios.com
[10] Axios — What’s inside the Iran deal Trump is close to signing, 24 May 2026 — axios.com
[11] Bloomberg — US Strikes Iranian Military Near Hormuz, 28 May 2026 — bloomberg.com
[12] CNN — US-Iran Strikes / Peace Deal Live Updates, 25 May 2026 — cnn.com
[13] Trading Economics — Brent Crude Oil Price, 29 May 2026 — tradingeconomics.com
[14] AAA Gas Prices — State Gas Price Averages, 30 May 2026 — gasprices.aaa.com
[15] CISA — Adds Three Known Exploited Vulnerabilities, 27 May 2026 — cisa.gov
[16] SC Media — CISA Adds Daemon Tools, TanStack, Nx Console to KEV, 27 May 2026 — scworld.com
[17] Security Affairs — Supply Chain CVEs KEV, 28 May 2026 — securityaffairs.com
[18] MAGNET S2 Report 260527-1306Z — GKN MMA Delta Update — magnethf.com
[19] MAGNET S2 Report 260526-1200Z — GKN MMA Original Report — magnethf.com
[20] OCFA / ABC7 / CBS LA — GKN Evacuation Lifted, 26 May 2026
[21] Britannica — 2026 Iran War overview, updated 27 May 2026 — britannica.com
[22] Fox News / CNN / MAWSS — Converse Reservoir IED, 14–15 May 2026 — foxnews.com
[23] Malwarebytes / CISA — Linux CVE-2026-31431 Exploitation Surge, 21 May 2026
[24] Malwarebytes / CISA — Microsoft Defender KEV, 20–21 May 2026
[25] Trading Economics / AAA — Gasoline futures / retail gas prices, 29–30 May 2026 — tradingeconomics.com
[26] Al Jazeera — US Says Iran Deal Agreed, 24 May 2026 — aljazeera.com

Submit reports through established MAGNET situational awareness channels.
To Learn More About MAGNET, Visit www.MAGNETHF.COM