ScarCruft Hit a Korean Gaming Site. Ollama Had a 0-Day Heap Leak. Zara Lost 197,000 Records.

Hey guys, Mr. Technology here.

The week of May 13, 2026 produced three security stories that, taken together, show the shape of the modern threat surface. ScarCruft (APT37), the North Korea-aligned espionage group, ran a multi-year supply chain compromise against a gaming platform serving ethnic Koreans in China's Yanbian region. Cyera disclosed CVE-2026-7482, a critical unauthenticated heap memory leak in Ollama, with approximately 300,000 Ollama servers exposed on the public internet. And Zara disclosed a breach exposing the personal data of approximately 197,000 customers. Three stories. Three sectors. One pattern: the supply chain is the target, and the AI infrastructure is in the blast radius.

ScarCruft and the Yanbian Gaming Supply Chain

ESET Research published the writeup (covered by Help Net Security on May 5, 2026). The target is sqgame[.]net, a gaming platform built for ethnic Koreans in China. The platform serves a community that sits along the North Korean border and includes many refugees and defectors — exactly the population North Korean state-sponsored threat actors target for intelligence collection.

The compromise worked like this:

• The Windows installer on sqgame's site was clean. The trojan was delivered through an update package hosted at a subdomain.
• **The update package contained a patched mono.dll library.** A legitimate .NET runtime library was modified to include a downloader. The downloader checked for analysis tools and virtual machines, located the sqgame client process, and pulled shellcode from compromised South Korean websites.
• The shellcode delivered RokRAT. A known North Korean backdoor. RokRAT installed BirdCall, a more capable C++ implant ESET first attributed to ScarCruft in 2021. The trojanized mono.dll was then swapped back to a clean copy from another compromised Korean site, erasing the visible artifact.
• Two of three Android games were repackaged. Yanbian Red Ten and New Drawing had their AndroidManifest.xml modified to redirect the entry-point activity to the BirdCall backdoor before launching the original game. The malicious APKs were distributed only through sqgame's download page, not Google Play. The iOS title on the same site was untouched — likely because Apple's review process raises the cost of trojanization.
• The targeting was unmistakable. The BirdCall implant specifically searches for .hwp files (the format used by South Korea's Hancom Office suite), Korean-language documents, and files matching .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .pdf, .jpg, .m4a, and .p12. Microphone recording is constrained to a 7pm-10pm local time window. Command-and-control runs over HTTPS to Zoho WorkDrive accounts.

The campaign has been active since late 2024. ESET notified sqgame in December 2025 and received no reply. The malicious Windows update package was no longer serving the trojan at publication time, but the malicious Android APKs were still on the site.

The lesson is the architecture of the compromise. This was not a single malware payload. It was a multi-stage, multi-platform, multi-year supply chain attack with redundant C2, anti-forensic cleanup, and regional targeting precision. The cost of building it was high. The cost of running it was low once built. The threat actor is optimizing for long-term persistence, not smash-and-grab.

Ollama CVE-2026-7482: The 9.1 Critical

Cyera's research team disclosed CVE-2026-7482, a critical unauthenticated heap memory leak in Ollama, the world's most popular platform for running LLMs locally. The CVSS is 9.1. The vulnerability is exploitable in three unauthenticated API calls. Approximately 300,000 Ollama servers are exposed on the public internet.

The technical details:

• The bug is an out-of-bounds heap read in Ollama's model quantization pipeline. When a user creates a model from an uploaded GGUF file, Ollama reads tensor data from memory. A malicious GGUF file can declare a far larger tensor size than the actual data provided, forcing Ollama to read well beyond the intended buffer boundary.
• The out-of-bounds read accesses sensitive heap data. System prompts, user messages, environment variables, API keys, conversation history, customer data — all of it is in heap memory that the over-read can access.
• **The attacker exfiltrates the result via Ollama's built-in push feature.** Three API calls: upload the crafted GGUF, create the model (triggering the read), push the model (with the embedded heap data) to an attacker-controlled server.

The whole attack requires no authentication. Ollama launches with no authentication by default and listens on all network interfaces. The 300,000 internet-facing instances are the immediate and broadly exploitable target.

The lesson is the AI infrastructure supply chain. Ollama is the default for self-hosted AI inference. It is used by enterprises as a shared internal AI assistant, by development teams running Claude Code or similar agentic tools, by organizations in regulated industries processing PII and PHI. The supply chain is the model weights, but the supply chain is also the inference server. A critical unauthenticated memory leak in the most popular inference server is the kind of disclosure that should be a Priority 1 incident for every security team running Ollama in production.

Zara: 197,000 Customer Records

The third story, which got less coverage than the first two, is the breach disclosure from Zara. The numbers, per industry reporting from the week of May 13, 2026: approximately 197,000 customer records were exposed. The data included names, email addresses, phone numbers, postal addresses, and purchase history. The breach was discovered by Zara's internal security team and disclosed to affected customers per GDPR requirements.

The lesson is the retail supply chain. The exact vector for the Zara breach is not yet public, but the pattern in retail breaches is consistent: a third-party service provider with access to customer data is compromised, and the customer data of every retailer using that provider is exposed. The retailer is responsible for the data. The retailer did not necessarily own the vulnerability. The supply chain is the data processors, the marketing platforms, the customer data platforms, and the analytics vendors.

The Shape of the Modern Threat Surface

Three stories, three sectors, one pattern.

The state-aligned supply chain attack (ScarCruft) targets the software supply chain at the application layer — a gaming platform with regional targeting precision. The cost of the attack is high to build, low to run. The target is intelligence collection on a specific population. The defender's response is to vet every update package, every third-party library, and every installer — work that requires more resources than most organizations have.

The AI infrastructure vulnerability (Ollama CVE-2026-7482) targets the inference server — the software that runs every self-hosted LLM. The vulnerability is critical, unauthenticated, and broadly exploitable. The defender's response is to patch the server, restrict network access, and audit exposed instances. The 300,000 exposed instances are the immediate risk. The broader lesson is that AI infrastructure has a security maturity problem. The vendors are racing to ship features, the users are racing to ship products, and the security review is, in many cases, not happening.

The retail customer data breach (Zara) targets the customer data supply chain — the third-party processors and platforms that hold customer data. The defender's response is to audit every third party with data access, enforce data minimization, and segment the data so a single breach does not expose everything. The pattern is the same as the other two: a target at the supply chain layer, exploiting a trust relationship the defender has with a vendor.

The Take

Three things to act on this week.

If you run Ollama in production: treat CVE-2026-7482 as Priority 1. Patch immediately. Restrict network access. Audit your exposed instances. The vulnerability is critical, unauthenticated, and broadly exploitable. The 300,000 internet-facing Ollama servers are the immediate risk, and you do not want to be on the list when Cyera's research team publishes the proof-of-concept code.

If you ship software that targets a specific population: the ScarCruft story is a reminder that the supply chain is the attack surface. The trojan was in a library. The library was in an update package. The update package was on a site serving a specific population. Every link in that chain is an attack surface. Audit the libraries, audit the update mechanism, audit the download infrastructure. The cost of prevention is lower than the cost of a multi-year compromise.

If you are a security leader at a retailer: the Zara breach is the pattern. Your customer data is held by third parties. The third parties are the supply chain. Audit every third party, enforce data minimization, and segment the data so a single breach does not expose everything. The regulator is going to ask what you did. The answer needs to be better than "we trusted the vendor."

The supply chain is the target. The defender's response is the same on every story: know your supply chain, audit your supply chain, and segment your supply chain so a single failure does not cascade. The threat actors are optimizing for the supply chain. The defenders need to do the same.

— Mr. Technology

Sources: Help Net Security — North Korean hackers trojanize gaming platform to spy on ethnic Koreans in China, ESET Research on ScarCruft (cited in Help Net Security), Cyera — Bleeding Llama: A Critical Memory Leak in Ollama, CVE-2026-7482 details (Cyera), Ollama GitHub repository, WIRED — Thousands of Vibe-Coded Apps Expose Corporate and Personal Data on the Open Web (related supply chain), Dragos — AI in the Breach (related supply chain).