ARTICLES 2026 MAY
| DATE | NAME | Info | CATEG. | WEB |
| 31.5.26 | Palo Alto GlobalProtect VPN auth bypass flaw now exploited in attacks | Palo Alto Networks is warning that hackers are now exploiting a PAN-OS GlobalProtect authentication bypass flaw, tracked as CVE-2026-0257, in attacks attempting to breach corporate networks. | Vulnerability | BleepingComputer |
| 31.5.26 | New CIFSwitch Linux flaw gives root on multiple distributions | A newly discovered local privilege escalation vulnerability dubbed 'CIFSwitch' in the Linux kernel could allow attackers to forge CIFS authentication key descriptions, abuse the kernel's key request mechanism, and gain root privileges. | Vulnerability | BleepingComputer |
| 31.5.26 | ChatGPT share links abused to host fake outage pages to deliver malware | Threat actors are abusing ChatGPT's content-sharing feature to display fake OpenAI outage pages that direct users to download malware disguised as the ChatGPT desktop application. | AI | BleepingComputer |
| 31.5.26 | California AG sues 23andMe over 2023 breach exposing health data | California Attorney General Rob Bonta filed a lawsuit against 23andMe, now Chrome Holding Co., over the company's failure to protect sensitive customer genetic and personal information. | Incident | BleepingComputer |
| 31.5.26 | From $5 Attacks to Botnet-Powered Platforms: Inside the DDoS-as-a-Service Market | DDoS attacks are increasingly being sold like subscription services, complete with pricing tiers, support, and reseller programs. Flare explores how the DDoS-as-a-Service market has evolved from scattered tools into polished attack platforms. | CyberCrime | BleepingComputer |
| 31.5.26 | Dutch govt disrupts malware botnet with 17 million infected devices | Dutch authorities have taken offline a massive botnet of 17 million devices and seized more than 200 servers at a local provider that supported the operation. | BotNet | BleepingComputer |
| 31.5.26 | Google Chrome adds session cookie theft protection for all users | Google says the Chrome Device Bound Session Credentials (DBSC) security feature is now generally available and is rolling out to all users to prevent account takeovers. | Safety | BleepingComputer |
| 31.5.26 | Man sent to prison for selling data of 7 million elderly Americans | A North Carolina man was sentenced to more than 10 years in prison for selling the personal information of over 7 million elderly Americans to Jamaican scammers. | Incident | BleepingComputer |
| 31.5.26 | US charges Google security engineer with Polymarket insider trading | A Google security engineer was charged with insider trading after winning $1.2 million using confidential company data to place bets on the cryptocurrency-based Polymarket decentralized prediction market. | Cryptocurrency | BleepingComputer |
| 31.5.26 | Anthropic confirms Claude Mythos-class models will roll out to the public | Anthropic has confirmed that it plans to bring Mythos-class models to the general public after delaying the rollout due to security risks to public and private software. | AI | BleepingComputer |
| 31.5.26 | GreyVibe hackers use ChatGPT, Gemini to power cyberattacks | A likely Russian threat cluster tracked as GreyVibe has been targeting Ukrainian entities with AI-generated lures and a rich set of custom malware tools. | AI | BleepingComputer |
| 31.5.26 | BTMOB Android malware service generates custom phishing payloads | An Android remote access trojan named BTMOB is offered to cybercriminals with a builder interface for generating malware payloads tailored to phishing lures. | Virus | BleepingComputer |
| 31.5.26 | FBI warns of fake FIFA websites running World Cup fraud schemes | The FBI is warning of fake websites impersonating FIFA ahead of the 2026 World Cup, to steal personal and financial information, sell fake tickets and hospitality packages, and push other fraud related to the event. | CyberCrime | BleepingComputer |
| 31.5.26 | Hackers exploit FortiClient EMS flaw to push infostealer malware | Hackers are exploiting an authentication bypass vulnerability (CVE-2026-35616) in FortiClient Enterprise Management Server (EMS) to deliver an undocumented credential stealer called EKZ. | Exploit | BleepingComputer |
| 31.5.26 | New Gogs zero-day flaw lets hackers get remote code execution | An unpatched zero-day vulnerability in the Gogs self-hosted Git service can allow attackers to gain remote code execution (RCE) on Internet-facing instances. | Vulnerability | BleepingComputer |
| 31.5.26 | How SIEM helps MSPs reduce noise and stop threats faster | MSPs don't lack security data. They struggle to separate real threats from alert noise. Kaseya explains how SIEM helps MSPs improve visibility, reduce fatigue, and respond faster. | Security | BleepingComputer |
| 31.5.26 | Romanian gets 5 years in prison for hacking Oregon govt network | A Romanian national was sentenced this week to 56 months in federal prison for breaking into an Oregon state government computer network and for cyberattacks targeting dozens of other U.S. victims. | CyberCrime | BleepingComputer |
| 31.5.26 | Carnival Cruise confirms data breach affecting nearly 6 million people | Carnival Corporation, the world's largest cruise line operator, has confirmed a data breach affecting nearly 6 million people claimed by the ShinyHunters extortion gang in April 2026. | Incident | BleepingComputer |
| 30.5.26 | PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation | Palo Alto Networks has warned that a recently disclosed medium-severity security flaw impacting PAN-OS and Prisma Access has come under | Vulnerability | The Hacker News |
| 30.5.26 | ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface | Cybersecurity researchers have disclosed details of a vulnerability in OpenAI ChatGPT that leverages the artificial intelligence (AI) assistant's | Vulnerability | The Hacker News |
| 30.5.26 | Sextortionist sentenced to 33 years for targeting 145 children | A Canadian man was sentenced to 33 years in prison after pleading guilty to targeting more than 145 children across the United States, some as young as 6 years old, in an eight-year-long sextortion scheme. | CyberCrime | BleepingComputer |
| 30.5.26 | GPU mining malware spreads via SEO poisoning, AI chatbots | Threat actors are targeting systems with high-performance computers in an ongoing cryptojacking campaign spread through a coordinated SEO poisoning operation that also manipulated AI chatbot recommendations. | Virus | BleepingComputer |
| 30.5.26 | Glassworm botnet disrupted after resilient C2 infrastructure takedown | The Glassworm botnet targeting developers in software supply-chain attacks has been disrupted after researchers took down its resilient command-and-control infrastructure relying on Solana blockchain transactions and the BitTorrent DHT network. | Virus | BleepingComputer |
| 30.5.26 | FBI warns of in-person data theft attacks from extortion gang | The FBI warned on Tuesday that the Silent Ransom Group (SRG) extortion gang is now targeting U.S.-based law firms in in-person data theft attacks. | CyberCrime | BleepingComputer |
| 30.5.26 | CISA gives feds 4 days to patch actively exploited cPanel plugin flaw | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given U.S. federal agencies four days to secure their servers against a critical vulnerability in the LiteSpeed cPanel user-end plugin, which is actively being exploited in attacks. | Exploit | BleepingComputer |
| 30.5.26 | Dutch police arrest suspect linked to Ajax football club hack | The Dutch National Police arrested a 35-year-old man suspected of hacking the professional football club Ajax Amsterdam (AFC Ajax) earlier this year. | CyberCrime | BleepingComputer |
| 30.5.26 | KnowledgeDeliver flaw exploited as a zero-day to install web shells | Hackers exploited a critical zero-day vulnerability in a server running the KnowledgeDeliver learning management system (LMS) to deploy the Godzilla web shell. | Vulnerability | BleepingComputer |
| 30.5.26 | Charter confirms data breach after ShinyHunters extortion threat | U.S. telecommunications giant Charter Communications has confirmed it suffered a data breach after the ShinyHunters extortion group threatened to leak stolen data unless a ransom is paid. | Incident | BleepingComputer |
| 30.5.26 | How Varonis Atlas integrates Claude Compliance API for AI governance | AI governance requires visibility into how AI tools interact with enterprise data. Varonis explains how its Atlas platform uses Claude Compliance API data to help monitor usage, investigate risk, and support compliance. | AI | BleepingComputer |
| 30.5.26 | Microsoft Defender can now automatically isolate hacked endpoints | Microsoft is testing a new Defender for Endpoint capability that will automatically isolate compromised endpoints to thwart attackers' attempts to move laterally across the network. | Hack | BleepingComputer |
| 30.5.26 | CISA orders feds to patch actively exploited Drupal vulnerability | CISA has given U.S. government agencies until Wednesday evening to secure their servers against an SQL injection vulnerability in the Drupal content management system (CMS) that it flagged as actively exploited. | Exploit | BleepingComputer |
| 30.5.26 | Microsoft: Domain Controller lookup may fail on Windows Server 2016 | Microsoft has confirmed a new known issue affecting Windows Server 2016 systems that causes domain controller lookups to fail after installing the KB5087537 May 2026 security update. | OS | BleepingComputer |
| 30.5.26 | 7-Eleven data breach exposes personal information of 185,000 people | The ShinyHunters extortion gang stole the personal information of over 183,000 people after hacking the systems of convenience store chain giant 7-Eleven in April, according to data breach notification service Have I Been Pwned. | Incident | BleepingComputer |
| 30.5.26 | Anthropic’s restricted Claude Mythos model may be coming to Claude Code | Anthropic appears to be preparing for the public rollout of the Mythos model, which was announced in April as a restricted model that poses major security risks to private and public software. | AI | BleepingComputer |
| 30.5.26 | FBI warns of Kali365 phishing service targeting Microsoft 365 accounts | The FBI is warning about the Kali365 phishing-as-a-service platform (PhaaS) that is used to hijack Microsoft 365 accounts by abusing OAuth device code authentication to steal session tokens and bypass multi-factor authentication (MFA). | Phishing | BleepingComputer |
| 30.5.26 | Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign | A large-scale campaign is exploiting a critical SQL injection vulnerability (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript code that triggers ClickFix attack flows. | Vulnerability | BleepingComputer |
| 30.5.26 | Laravel Lang packages hijacked to deploy credential-stealing malware | A supply chain attack targeting the Laravel Lang localization packages has exposed developers to a sophisticated credential-stealing malware campaign after attackers abused GitHub version tags to distribute malicious code through Composer packages. | Hack | BleepingComputer |
| 30.5.26 | | While Russian-speaking threat actors have historically dominated the phishing-as-a-service (PhaaS) landscape, a rival ecosystem is rapidly growing within the Chinese-language underground. Google Threat Intelligence Group (GTIG) analyzed a dozen current PhaaS offerings in the Chinese underground, all of them mature services and many likely tied intricately to the broader criminal ecosystem in that region. | Exploit blog | GTI |
| 30.5.26 | Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability | In late 2025, Mandiant responded to a security incident involving a compromised web server running KnowledgeDeliver. KnowledgeDeliver is a Learning Management System (LMS) developed by Digital Knowledge commonly used in Japan. Mandiant identified a critical vulnerability that allowed unauthenticated Remote Code Execution (RCE). | Phishing blog | GTI |
| 30.5.26 | Operation Dragon Weave: Uncovering a China-Linked Campaign Targeting Czech Republic and Taiwan Using Azure Cloud C2 | Contents: Introduction; Key Targets; Industries Affected; Geographical Focus; Infection Chain; Initial Findings; Looking into the Decoy Document; Technical Analysis: Stage 1 – Initial Delivery (Path A: LNK-Based Execution; Path B: Executable-Based Delivery); Stage 2 – Script-Based Dropper Chain; Stage... | Hacking blog | Seqrite |
| 30.5.26 | Operation XENOFISCAL: SideCopy deploying persistent XenoRAT targeting the MoF, Afghanistan | Authors: Dixit Panchal & Vaibhav Krushna Billade. Contents: Introduction; Key Targets; Infection Chain; Initial Findings about Campaign; Analysis of Decoy; Technical Analysis: Stage 1: Analysis of LNK File; Stage 2: Analysis of HTA/JavaScript Payload; Stage 3: Analysis... | Hacking blog | Seqrite |
| 30.5.26 | OverlayPhantom: The Android Banking Trojan Hiding in Plain Sight | Cyble analyzes OverlayPhantom, an Android banking trojan targeting 180+ apps across 10 countries, stealing credentials via fake overlays and real-time screen streaming. | Malware blog | Cyble |
| 30.5.26 | The Gentlemen ransomware: Dissecting a self-propagating Go encryptor | Microsoft Threat Intelligence presents a comprehensive analysis of The Gentlemen, a Go-based ransomware deployed by affiliates of Storm-2697 that combines per-file ephemeral key encryption with an aggressive self-propagation module to deploy itself across an entire network using a series of simultaneous lateral movement techniques per target. | Ransom blog | Microsoft blog |
| 30.5.26 | Smart Contracts for C&C: How ClearFake Hid in Plain Sight on BSC Testnet | TrendAI™ Research analyzed an intrusion where threat actors used the EtherHiding technique to route ClearFake payload delivery through smart contracts on the BNB Smart Chain testnet. | Hacking blog | Trend Micro |
| 30.5.26 | H2O-3 Unauthenticated RCE via PostgreSQL JDBC socketFactory | SonicWall Capture Labs threat research team became aware of the threat CVE-2026-3960, assessed its impact, and developed mitigation measures for this vulnerability. The flaw, also known as the H2O-3 ImportSQLTable PostgreSQL JDBC SocketFactory RCE, is a critical remote code execution vulnerability affecting the open-source H2O-3 machine learning platform (h2oai/h2o-3) in all releases up to and including 3.46.0.9. | Vulnerability blog | SonicWall |
| 30.5.26 | Introducing EvidenceForge: Synthetic security logs that don’t look (as) fake | EvidenceForge generates high-quality, realistic, and consistent datasets across multiple log formats, enabling teams to effectively train personnel and validate detection models without the need for complex manual simulations. | Cyber blog | CISCO TALOS |
| 30.5.26 | Less panic patching, more precision | In this newsletter, Thor breaks down why you should stop relying solely on CVSS and start using EPSS and GCVE to focus your patching efforts on the threats that actually matter. | Cyber blog | CISCO TALOS |
| 30.5.26 | DICOM, Pydicom, GDCM, and Orthanc: A technical tour of what really happens in the heap | This white paper presents a concrete case study demonstrating the creation of a heap overflow vulnerability through the exploitation of the DICOM file format. | Cyber blog | CISCO TALOS |
| 30.5.26 | MediaArea heap-based buffer overflow vulnerabilities | Talos researchers find four heap-based buffer overflow vulnerabilities in MediaArea's MediaInfoLib. | Vulnerability blog | CISCO TALOS |
| 30.5.26 | This month in security with Tony Anscombe – May 2026 edition | In this roundup, Tony looks at attacks against Polish water treatment facilities, how AI-directed attacks failed in Mexico, and what Google believes is the first AI-generated zero-day exploit | Cyber blog | Eset |
| 30.5.26 | ESET APT Activity Report Q4 2025–Q1 2026 | An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q4 2025 and Q1 2026 | APT blog | Eset |
| 30.5.26 | What to consider before asking an AI chatbot for health advice | Using chatbots for medical advice could elicit hallucinations and even expose you to security and privacy risks. Here’s what’s at stake and how to stay safe. | AI blog | Eset |
| 30.5.26 | BTMOB: A stealthy RAT burrowing deep into Android devices | The malware pairs remote access capabilities with ready-made campaign tools, lowering the barrier for full device compromise | Malware blog | Eset |
| 29.5.26 | Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit | An unknown threat actor has been observed using a large language model (LLM) agent to conduct post-compromise actions after obtaining | AI | The Hacker News |
| 29.5.26 | New Russian-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks | A previously undocumented threat actor dubbed GREYVIBE has been attributed to ongoing and persistent attacks targeting Ukraine and | AI | The Hacker News |
| 29.5.26 | Malicious Sicoob NuGet Steals Banking Credentials as npm Packages Target Cloud Secrets | Cybersecurity researchers have discovered a malicious NuGet package that masquerades as a C# software development kit for Sicoob, one of Brazil's largest cooperative financial systems, to siphon client IDs and PFX certificates. | Virus | The Hacker News |
| 29.5.26 | Analysis of a Year of Files Uploaded to DShield Sensors | Using the data collected over the past year and two ES|QL queries run in Kibana to summarize it, this post lists the most uploaded threats seen by two DShield sensors (local and cloud) over that period. | Security | SANS |
| 29.5.26 | Reconstructing an Akira Ransomware Kill Chain from Perimeter and Endpoint Logs | Most Akira write-ups focus on the ransom note or the encryption routine. By the time those show up the interesting forensic work is over. The questions that matter to defenders sit earlier. | Ransom | SANS |
| 29.5.26 | Authenticated RCE via Argument Injection in Gogs (NOT FIXED) | Rapid7 Labs discovered a critical argument injection (CWE-88) vulnerability in Gogs, a popular open-source self-hosted Git service. Rapid7 Labs scores this vulnerability as CVSSv4 9.4 (Critical). | Vulnerability | RAPID7 |
| 29.5.26 | Kimsuky Deploys HTTPSpy, Expands Arsenal with HelloDoor and VS Code Tunnels | The North Korean state-sponsored threat actor known as Kimsuky (aka Velvet Chollima) has been attributed to a fresh set of cyber attacks | Vulnerability | The Hacker News |
| 29.5.26 | Critical Gogs RCE Vulnerability Lets Any Authenticated User Execute Arbitrary Code | A critical security vulnerability has been disclosed in Gogs, a popular open-source self-hosted Git service, that allows an authenticated user to | Vulnerability | The Hacker News |
| 28.5.26 | FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch | Arctic Wolf observed a threat cluster exploiting CVE-2026-35616, deploying an infostealer disguised as a Fortinet patch to FortiClient EMS-managed endpoints. | Exploit | ARCTIC WOLF |
| 28.5.26 | Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer | Threat actors are continuing to exploit a critical, now-patched security flaw impacting FortiClient Endpoint Management Server (EMS) | Vulnerability | The Hacker News |
| 28.5.26 | Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal | Microsoft has come out strongly in favor of Coordinated Vulnerability Disclosure (CVD), urging the research community to share their findings | Vulnerability | The Hacker News |
| 28.5.26 | JINX-0164 Targets Cryptocurrency Firms with Fake Recruiter Lures and macOS Malware | A new campaign orchestrated by a previously undocumented threat actor has targeted cryptocurrency organizations with an aim to facilitate digital | Cryptocurrency | The Hacker News |
| 27.5.26 | Grandoreiro Malware and BTMOB RAT Campaigns Target Windows and Android Users | Latin America and Europe become the target of two banking trojan campaigns that are designed to infect Windows and Android devices with | Virus | The Hacker News |
| 27.5.26 | Possible ACR Stealer From Page Impersonating Claude | In recent weeks, I've searched for pages impersonating Claude that distribute malware. In recent weeks, I've reliably found these sites through malicious ads in Google searches that lead to these pages, often concealed in URLs fo | Virus | SANS |
| 27.5.26 | GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure | CrowdStrike, in partnership with Google and the Shadowserver Foundation, has announced the simultaneous disruption of all command- | Virus | The Hacker News |
| 27.5.26 | From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities | Microsoft Defender Experts identified an active cryptojacking campaign in which malicious download sites are surfaced not only through traditional search engine poisoning, but also through AI chatbot interactions. This emerging delivery technique extends social engineering beyond conventional search results and increases the visibility of malicious software recommendations. | Cryptocurrency | Microsoft blog |
| 27.5.26 | Gitea Vulnerability Exposes Private Container Images without Authentication | Cybersecurity researchers have disclosed a security flaw in Gitea, an open-source, self-hosted platform for version control, that allows | Vulnerability | The Hacker News |
| 27.5.26 | AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites | Microsoft has warned of an active cryptojacking campaign that makes use of artificial intelligence (AI) chatbot interactions as a mechanism for surfacing malicious download sites. | AI | The Hacker News |
| 26.5.26 | MuddyWater Uses DLL Side-Loading in Espionage Campaign Targeting 9 Countries | The Iranian hacking group known as MuddyWater has been linked to a new campaign affecting at least nine organizations across nine countries | APT | The Hacker News |
| 26.5.26 | Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload | Cloud Atlas attacks the public sector and diplomatic structures of Russia and Belarus, using ReverseSocks, SSH, and Tor for persistence in infected systems and its new tool, PowerCloud. | APT | SECURELIST |
| 26.5.26 | Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions | Microsoft has rolled out updates to fix a remote code execution vulnerability impacting SharePoint that could be exploited by bad actors | Vulnerability | The Hacker News |
| 26.5.26 | CERT-In Mandates 12-Hour Patching for Internet-Facing Flaws Amid AI-Assisted Attacks | The Indian Computer Emergency Response Team (CERT-In) has issued new guidelines requiring organizations to patch critical security | AI | The Hacker News |
| 26.5.26 | Iranian Hackers Deploy MiniFast and MiniJunk V2 via Phishing and SEO Poisoning | The Iranian state-sponsored threat actor known as Nimbus Manticore (aka Screening Serpens and UNC1549 ) has been attributed to a fresh | Phishing | The Hacker News |
| 26.5.26 | Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability | In late 2025, Mandiant responded to a security incident involving a compromised web server running KnowledgeDeliver. KnowledgeDeliver is a Learning Management System (LMS) developed by Digital Knowledge commonly used in Japan. | Exploit | GTI |
| 25.5.26 | KnowledgeDeliver LMS Flaw Exploited to Deploy Godzilla and Cobalt Strike | A now-patched high-severity security flaw affecting Digital Knowledge KnowledgeDeliver , a Learning Management System (LMS) popular in | Exploit | The Hacker News |
| 25.5.26 | TeamPCP Supply Chain Campaign: Activity Through 2026-05-24 | TeamPCP now operates across three package ecosystems in parallel; it reached GitHub's own internal codebase, trojanized an officially Microsoft-published Python SDK, and appears to have open-sourced its own framework on GitHub. | Hack | SANS |
| 25.5.26 | Wireshark 4.6.6 Released | Wireshark release 4.6.6 fixes 1 vulnerability and 11 bugs. | Security | SANS |
| 25.5.26 | Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks | Threat actors are exploiting a recently disclosed critical security flaw in Ghost CMS to inject malicious JavaScript code with an aim to fuel | Exploit | The Hacker News |
| 25.5.26 | Lazarus Deploys RemotePE Memory-Only RAT Against Financial and Crypto Firms | Cybersecurity researchers have shed light on a cross-platform malware called RemotePE that has been put to use by the North Korea-linked | APT | The Hacker News |
| 25.5.26 | TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO | A new coordinated cross-ecosystem software supply chain attack campaign has targeted npm, PyPI, and Crates.io to distribute credential- | Virus | The Hacker News |
| 24.5.26 | An Example of Stack String in High Level Language | This week, I’m attending the SEC670[1] training (“Red Teaming Tools - Developing Windows Implants, Shellcode, Command and Control”). | Security | SANS |
| 24.5.26 | npm Adds 2FA-Gated Publishing and Package Install Controls Against Supply Chain Attacks | GitHub has rolled out new controls for npm to improve the security of the software supply chain, giving maintainers the ability to explicitly approve | Phishing | The Hacker News |
| 24.5.26 | Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware | A new "coordinated" supply chain attack campaign has impacted eight packages on Packagist including malicious code designed to run a Linux | Virus | The Hacker News |
| 24.5.26 | Netherlands seizes 800 servers of hosting firm enabling cyberattacks | Netherlands seizes 800 servers of hosting firm enabling cyberattacks | CyberCrime | BleepingComputer |
| 24.5.26 | Former US execs plead guilty to aiding tech support scammers | Two former executives of a call-tracking and analytics company pleaded guilty to concealing a years-long tech support fraud scheme that victimized individuals worldwide. | Spam | BleepingComputer |
| 24.5.26 | Trend Micro warns of Apex One zero-day exploited in the wild | Japanese cybersecurity software company Trend Micro has addressed an Apex One zero-day vulnerability exploited in attacks targeting Windows systems. | Exploit | BleepingComputer |
| 24.5.26 | Drupal: Critical SQL injection flaw now targeted in attacks | Drupal is warning that hackers are attempting to exploit a "highly critical" SQL injection vulnerability announced earlier this week. | Vulnerability | BleepingComputer |
| 24.5.26 | Ubiquiti patches three max severity UniFi OS vulnerabilities | Ubiquiti has released security updates to patch three maximum severity vulnerabilities in UniFi OS that can be exploited by remote attackers without privileges. | Vulnerability | BleepingComputer |
| 24.5.26 | US and Canada arrest and charge suspected Kimwolf botnet admin | U.S. and Canadian authorities arrested and charged a Canadian man with operating the KimWolf distributed denial-of-service (DDoS) botnet, which infected nearly two million devices worldwide. | BotNet | BleepingComputer |
| 24.5.26 | Google accidentally exposed details of unfixed Chromium flaw | Google has accidentally leaked details about an unfixed issue in Chromium that keeps JavaScript running in the background even when the browser is closed, allowing remote code execution on the device. | Vulnerability | BleepingComputer |
| 24.5.26 | Apple blocked over $11 billion in App Store fraud in 6 years | Apple revealed that it blocked over $11 billion in fraudulent App Store transactions over the last six years, more than $2.2 billion in potentially fraudulent App Store transactions in 2025 alone. | CyberCrime | BleepingComputer |
| 24.5.26 | Inside a Crypto Drainer: How to Spot it Before it Empties Your Wallet | Modern crypto drainers don't hack wallets. They trick users into approving malicious transactions. Flare explores how the Lucifer DaaS platform scales wallet theft through phishing and automation | Cryptocurrency | BleepingComputer |
| 24.5.26 | Chinese hackers target telcos with new Linux, Windows malware | A Chinese cyber-espionage campaign has been targeting telecommunications providers with newly discovered Linux and Windows malware dubbed Showboat and JFMBackdoor, respectively. | APT | BleepingComputer |
| 24.5.26 | Max severity Cisco Secure Workload flaw gives Site Admin privileges | Cisco has released security updates to address a maximum-severity vulnerability in Secure Workload that allows attackers to gain Site Admin privileges. | Vulnerability | BleepingComputer |
| 24.5.26 | Police seize “First VPN” service used in ransomware, data theft attacks | A virtual private network service called 'First VPN,' used in ransomware and data theft attacks, has been taken offline in a joint international law enforcement operation. | Ransom | BleepingComputer |
| 24.5.26 | Flipper One project needs community help to build open Linux platform | Flipper Devices, the maker of the Flipper Zero pentesting tool, is asking the community to help build Flipper One, an open Linux platform for connected devices. | Hack | BleepingComputer |
| 24.5.26 | Microsoft warns of new Defender zero-days exploited in attacks | On Wednesday, Microsoft started rolling out security patches for two Defender vulnerabilities that have been exploited in zero-day attacks. | Exploit | BleepingComputer |
| 24.5.26 | GitHub links repo breach to TanStack npm supply-chain attack | GitHub says the hackers who breached 3,800 internal repositories gained access via a malicious version of the Nx Console VS Code extension, compromised in last week's TanStack npm supply-chain attack. | Hack | BleepingComputer |
| 24.5.26 | Ukraine identifies infostealer operator tied to 28,000 stolen accounts | The Ukrainian cyberpolice, working in conjunction with U.S. law enforcement, has identified an 18-year-old man from Odesa suspected of running an infostealer malware operation targeting users of an online store in California. | CyberCrime | BleepingComputer |
| 24.5.26 | Hackers bypass SonicWall VPN MFA due to incomplete patching | Threat actors brute-forced VPN credentials and bypassed multi-factor authentication (MFA) on SonicWall Gen6 SSL-VPN appliances to deploy tools used in ransomware attacks. | Vulnerability | BleepingComputer |
| 23.5.26 | Grafana breach caused by missed token rotation after TanStack attack | The Grafana data breach was caused by a single GitHub workflow token that slipped through the rotation process following the TanStack npm supply-chain attack last week. | Incident | BleepingComputer |
| 23.5.26 | Drupal critical update to fix bug with high exploitation risk | Drupal has announced a "core security release" scheduled for later today, warning that threat actors might develop exploits within hours of the update disclosure. | Vulnerability | BleepingComputer |
| 23.5.26 | Exploit released for new PinTheft Arch Linux root escalation flaw | PinTheft, a recently patched Linux privilege escalation vulnerability, now has a publicly available proof-of-concept (PoC) exploit that allows local attackers to gain root privileges on Arch Linux systems. | Exploit | BleepingComputer |
| 23.5.26 | GitHub confirms breach of 3,800 repos via malicious VSCode extension | GitHub has confirmed that roughly 3,800 internal repositories were breached after one of its employees installed a malicious VS Code extension. | Hack | BleepingComputer |
| 23.5.26 | Microsoft shares mitigation for YellowKey Windows zero-day | Microsoft has shared mitigations for YellowKey, a recently disclosed Windows BitLocker zero-day vulnerability that grants access to protected drives. | Exploit | BleepingComputer |
| 23.5.26 | Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software | Anthropic on Friday disclosed that Project Glasswing has helped uncover more than 10,000 high- or critical-severity vulnerabilities across some of | AI | The Hacker News |
| 23.5.26 | Laravel-Lang PHP Packages Compromised to Deliver Cross-Platform Credential Stealer | Cybersecurity researchers have flagged a fresh software supply chain attack campaign that has targeted multiple PHP packages belonging to | Virus | The Hacker News |
| 23.5.26 | LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root | A maximum-severity security vulnerability impacting LiteSpeed User-End cPanel Plugin has come under active exploitation in the wild. The flaw, | Exploit | The Hacker News |
| 23.5.26 | Drupal Core SQL Injection Bug Actively Exploited, Added to CISA KEV | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched critical security flaw impacting Drupal Core to | Exploit | The Hacker News |
| 23.5.26 | GitHub investigates internal repositories breach claimed by TeamPCP | GitHub is investigating a breach of its internal repositories after the TeamPCP hacker group claimed to have accessed approximately 4,000 repositories containing private code. | Incindent | BleepingComputer |
| 23.5.26 | Max-severity flaw in ChromaDB for AI apps allows server hijacking | A max-severity vulnerability in the latest Python FastAPI version of the ChromaDB project allows unauthenticated attackers to run arbitrary code on exposed servers. | AI | BleepingComputer |
| 23.5.26 | Cybercrime service disrupted for abusing Microsoft platform to sign malware | Microsoft says it has disrupted a malware-signing-as-a-service (MSaaS) operation that abused the company's Artifact Signing service to generate fraudulent code-signing certificates used by ransomware gangs and other cybercriminals. | CyberCrime | BleepingComputer |
| 23.5.26 | Discord rolls out end-to-end encryption on voice, video calls | Discord announced that all voice and video calls through the communication platform are now protected by default with end-to-end encryption (E2EE). | Safety | BleepingComputer |
| 23.5.26 | FBI: Americans lost over $388 million to scams using crypto ATMs in 2025 | The FBI says Americans lost over $388 million last year to scams using cryptocurrency kiosks, also known as crypto ATMs or Bitcoin ATMs. | Cryptocurrency | BleepingComputer |
| 23.5.26 | Microsoft Self-Service Password Reset abused in Azure data theft attacks | A threat actor targeting Microsoft 365 and Azure production environments is stealing data in attacks that abuse legitimate applications and administration features. | OS | BleepingComputer |
| 23.5.26 | Microsoft plans to improve Windows 11 driver quality in 2026 | Microsoft plans to raise the quality bar of Windows 11 drivers, as drivers "sit at the heart of every Windows experience" and connect the OS to the "silicon, components, and peripherals." | OS | BleepingComputer |
| 23.5.26 | Microsoft blames macOS update for undismissible Teams location prompts | Microsoft has confirmed user reports that the Teams team collaboration app is displaying non-dismissible location prompts on some macOS systems. | OS | BleepingComputer |
| 23.5.26 | New Shai-Hulud malware wave compromises 600 npm packages | Threat actors earlier today published more than 600 malicious packages to the Node Package Manager (npm) index as part of a new Shai-Hulud supply-chain campaign. | Virus | BleepingComputer |
| 23.5.26 | 7-Eleven confirms data breach claimed by the ShinyHunters gang | Convenience store chain giant 7-Eleven confirmed that its systems were breached in a cyberattack claimed by the ShinyHunters extortion group last month. | Incindent | BleepingComputer |
| 23.5.26 | Critical Microsoft Vulnerabilities Doubled: From Exposure to Escalation | Microsoft's total vulnerability count stayed steady in 2025, but critical flaws surged year over year. BeyondTrust breaks down why attackers are increasingly focused on privilege escalation and identity abuse. | OS | BleepingComputer |
| 23.5.26 | Microsoft confirms patching issues in restricted Windows networks | Microsoft says customers in restricted network environments may encounter Windows Update failures after installing the January 2026 optional non-security preview updates. | OS | BleepingComputer |
| 23.5.26 | INTERPOL ‘Operation Ramz’ seizes 53 malware, phishing servers | More than 200 individuals were arrested for cybercrime activities during INTERPOL's Operation Ramz, which focused on the Middle East and North Africa. | CyberCrime | BleepingComputer |
| 23.5.26 | SHub macOS infostealer variant spoofs Apple security updates | A new variant of the 'SHub' macOS infostealer uses AppleScript to show a fake security update message and installs a backdoor. | Virus | BleepingComputer |
| 23.5.26 | 5 Steps to Managing Shadow AI Tools Without Slowing Down Employees | Many employees already use shadow AI tools at work without security review. Adaptive Security breaks down how teams can build practical AI governance without adding friction for employees. | AI | BleepingComputer |
| 23.5.26 | First VPN Dismantled in Global Takedown Over Use by 25 Ransomware Groups | Authorities in Europe and North America have announced the dismantling of a criminal virtual private network (VPN) service used by criminal actors to obscure the origins of ransomware attacks, data theft, scanning, and denial-of-service attacks. | Ransom | The Hacker News |
| 23.5.26 | Ghostwriter Targets Ukraine Government Entities with Prometheus Phishing Malware | The Belarus-aligned threat actor known as Ghostwriter (aka UAC-0057 and UNC1151Ukraine's National Security and Defense Council) has been observed using lures related to Prometheus, a Ukrainian online learning platform, to target government organizations in the country. | BigBrothers | The Hacker News |
| 23.5.26 | Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows | Cybersecurity researchers have disclosed details of a new automated campaign called Megalodon that has pushed 5,718 malicious commits to | Hack | The Hacker News |
| 23.5.26 | WantToCry ransomware remotely encrypts files | Brute-force attempts against SMB services can be early signs of an attack | Ransom blog | SOPHOS |
| 23.5.26 | | Google Threat Intelligence Group (GTIG) has continued to track an expansive extortion campaign by UNC6671, a threat actor operating under the "BlackFile" brand, that targets organizations via sophisticated voice phishing (vishing) and single sign-on (SSO) compromise. | Phishing blog | GTI |
| 23.5.26 | DBIR 2026: Network Asset Breaches Up 3x as Vulnerability Exploitation Accelerates | The Verizon Data Breach Investigations Report remains one of the most useful annual sources for understanding how real-world breaches are changing. The 2026 report analyzes more than 31,000 security incidents, including more than 22,000 confirmed data breaches, and shows a clear shift in attacker focus: exploitation of vulnerabilities is now the leading known initial access vector. | Security blog | Eclypsium |
| 23.5.26 | YellowKey: The Unpatched BitLocker Bypass Hidden in Windows Recovery | A stolen Windows 11 laptop and a USB stick are enough to read a BitLocker-encrypted drive using nothing but Microsoft’s own recovery tools, and the researcher is holding back a follow-on attack that also defeats the startup PIN defenders are scrambling to enable in response. | Hacking blog | Eclypsium |
| 23.5.26 | Operation Dragon Whistle: UNG0002 Targets Chinese Academia via Weaponized Institutional Lure | Table of Contents: Introduction: Key Targets: Infection Chain: Initial Findings about Campaign: Analysis of Decoys & Spear phishing Email: Technical Analysis: Stage1: Analysis of LNK File. Stage2: Analysis of VBS. Stage3: DLL Side Loading. Infrastructural Artefacts & Threat actor... | Cyber blog | Seqrite |
| 23.5.26 | JOMANGY: INJ3CTOR3’s Self-Healing FreePBX Toll Fraud Campaign | CRIL uncovers JOMANGY, a stealth PHP webshell by INJ3CTOR3 with 6 persistence layers and self-healing cron jobs built to survive host cleanup. | Malware blog | Cyble |
| 23.5.26 | Cyble Named a Challenger in the Inaugural 2026 Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies | One of the only two vendors recognized as a Challenger out of 17 evaluated vendors in the first-ever Gartner® evaluation of cyberthreat intelligence market. | Cyber blog | Cyble |
| 23.5.26 | GCC Cyber 2026: How Digital Banking Expansion Is Creating a New Attack Surface Attackers Are Already Exploiting | The GCC digital banking attack surface is expanding rapidly, driven by AI threats, ransomware, open banking risks, and rising cyberattacks in 2026. | Attack blog | Cyble |
| 23.5.26 | Why Australian Dark Web Data Is Now Being Sold in Bundles — and What It Means for Organizational Exposure in 2026 | Australian dark web data is fueling bundled breach sales, with ransomware groups expanding cyber risks across industries in 2025. | Ransom blog | Cyble |
| 23.5.26 | Inside the JDownloader Supply-Chain Attack: An r77 Rootkit Bot That Kills Your Antivirus | Malware that hid itself on infected systems and disabled antivirus protection. | Security blog | GENDIGITAL |
| 23.5.26 | Fast16: Pre-Stuxnet Sabotage Tool Was Built to Subvert Nuclear Weapons Simulations | New analysis confirms the targeted applications and reveals fast16 was tailored to corrupt uranium-compression simulations central to nuclear weapon design. | APT blog | SECURITY.COM |
| 23.5.26 | Exposing Fox Tempest: A malware-signing service operation | Fox Tempest is a financially motivated threat actor operating a malware‑signing‑as‑a‑service (MSaaS) used by other cybercriminals, including Vanilla Tempest and Storm groups, to more effectively distribute malicious code, including ransomware. | APT blog | Microsoft blog |
| 23.5.26 | One Man, One AI, One Fake Persona: Inside the 5-Year Influence and Fraud ‘Patriot Bait’ Campaign | A solo Russian-speaking threat actor ran a 5-year Telegram channel and, starting September 2025, used AI to automate its content, credential theft, and a cryptocurrency fraud scheme targeting American audiences. | AI blog | Trend Micro |
| 23.5.26 | Analyzing Void Dokkaebi’s Cython-Compiled InvisibleFerret Malware | Void Dokkaebi, a North Korea-aligned intrusion set, has updated its information-stealing malware, InvisibleFerret, shifting its delivery format to evade script-based detections. | Malware blog | Trend Micro |
| 23.5.26 | Inside SHADOW-WATER-063’s Banana RAT: From Build Server to Banking Fraud | In this blog entry, researchers from the TrendAI™ MDR team discuss how they mapped the full end-to-end operation of SHADOW-WATER-063’s Banana RAT banking malware by analyzing server-side artifacts and victim-side data. | Malware blog | Trend Micro |
| 23.5.26 | Next.js WebSocket Upgrade Handler SSRF | The SonicWall Capture Labs threat research team became aware of a Server-Side Request Forgery vulnerability in Next.js, assessed its impact and developed mitigation measures. Next.js enables organizations to create full-stack web applications by extending the latest React features and integrating powerful Rust-based JavaScript tooling for the fastest builds. | Malware blog | SonicWall |
| 23.5.26 | Paved With Intent: ROADtools and Nation-State Tactics in the Cloud | ROADtools is a publicly available toolkit for offensive and defensive security purposes that attackers have integrated into cloud attacks. The tool is designed to: | Security blog | Palo Alto |
| 23.5.26 | Tracking TamperedChef Clusters via Certificate and Code Reuse | This article documents novel activity clusters that have significant overlap with the publicly described threat known as TamperedChef (aka EvilAI). TamperedChef-style malware is trojanized productivity software, such as PDF editors or calendars, that deliver malicious payloads. | Malware blog | Palo Alto |
| 23.5.26 | The npm Threat Landscape: Attack Surface and Mitigations (Updated May 21) | The security of the npm ecosystem reached a critical inflection point in September 2025. The Shai-Hulud worm, a self-replicating malware that automated the compromise and redistribution of malicious packages, marked the end of the “nuisance” era of npm attacks and the beginning of a high-consequence threat landscape. | Malware blog | Palo Alto |
| 23.5.26 | The art of being ungovernable | In this edition of the Threat Source newsletter, William explores the value of being "ungovernable" in a professional setting, sharing how challenging the status quo and seeking out the smartest people in the room can lead to a more fulfilling and successful career. | Security blog | CISCO TALOS |
| 23.5.26 | From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat | Cisco Talos has uncovered a BadIIS variant — identifiable by its embedded "demo.pdb" strings — that functions as commodity malware, likely sold or shared among multiple Chinese-speaking cyber crime groups operating under a malware-as-a-service (MaaS) model for continuous monetization. | APT blog | CISCO TALOS |
| 23.5.26 | Foul play: Fake FIFA websites target soccer fans looking for World Cup tickets, merchandise | | Cyber blog | Eset |
| 23.5.26 | Webworm: New burrowing techniques | ESET researchers describe new tools and techniques that the Webworm APT group recently added to its arsenal | Malware blog | Eset |
| 23.5.26 | The quest for greater tech independence | A complete decoupling from US technology is neither realistic nor necessary, but the changing environment does require nations and companies to reassess their relationships and dependencies | Cyber blog | Eset |
| 22.5.26 | Cross-Platform NPM Stealer | I found a Node.js stealer that looked pretty well obfuscated. The file was not running out-of-the-box because it was uploaded on VT as “extracted-decoded.js” (and reformatted). | Virus | SANS |
| 22.5.26 | Selective HTTP Proxying in Linux | Recently, Rob wrote about a tool, Proxifier, that can intercept requests from specific processes. Proxifier is available for Windows, macOS, and Android. But I have not seen a generic Linux option yet. | Security | SANS |
| 22.5.26 | Kimwolf DDoS Botnet Operator Arrested in Canada Over DDoS-for-Hire Attacks | The U.S. Department of Justice (DoJ) on Thursday announced the arrest of a Canadian man in connection with allegedly operating a distributed | BotNet | The Hacker News |
| 22.5.26 | CISA Adds Exploited Langflow and Trend Micro Apex One Vulnerabilities to KEV | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two security flaws impacting Langflow and Trend Micro | Vulnerebility | The Hacker News |
| 22.5.26 | Cisco Patches CVSS 10.0 Secure Workload REST API Flaw Enabling Data Access | Cisco has rolled out updates for a maximum-severity security flaw impacting Secure Workload that could allow an unauthenticated, remote | Vulnerebility | The Hacker News |
| 22.5.26 | Leaked Shai-Hulud malware fuels new npm infostealer campaign | The Shai-Hulud malware leaked last week is now used in new attacks on the Node Package Manager (npm) index, as infected packages emerged over the weekend. | Virus | BleepingComputer |
| 22.5.26 | Grafana says stolen GitHub token let hackers steal codebase | Grafana Labs disclosed that hackers have downloaded its source code after breaching its GitHub environment using a stolen access token. | Incindent | BleepingComputer |
| 22.5.26 | Microsoft testing adjustable taskbar, Start menu in Windows 11 | Microsoft has finally brought back the resizable taskbar and Start menu to Windows 11 in the latest preview version rolling out to Insiders in the Experimental channel. | OS | BleepingComputer |
| 22.5.26 | Microsoft confirms Windows 11 security update install issues | Microsoft has confirmed that the May 2026 Windows 11 security update (KB5089549) fails to install on some systems and triggers 0x800f0922 errors. | OS | BleepingComputer |
| 22.5.26 | Exploit available for new DirtyDecrypt Linux root escalation flaw | A recently patched local privilege escalation vulnerability in the Linux kernel's rxgk module now has a proof-of-concept exploit that allows attackers to gain root access on some Linux systems. | Vulnerebility | BleepingComputer |
| 22.5.26 | Hackers earn $1,298,250 for 47 zero-days at Pwn2Own Berlin 2026 | The Pwn2Own Berlin 2026 hacking contest has concluded, with security researchers collecting $1,298,250 in rewards after exploiting 47 zero-day flaws. | Congress | BleepingComputer |
| 22.5.26 | New Windows 'MiniPlasma' zero-day exploit gives SYSTEM access, PoC released | A cybersecurity researcher has released a proof-of-concept exploit for a Windows privilege escalation zero-day dubbed "MiniPlasma" that lets attackers gain SYSTEM privileges on fully patched Windows systems. | Vulnerebility | BleepingComputer |
| 22.5.26 | Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing | The Tycoon2FA phishing kit now supports device-code phishing attacks and abuses Trustifi click-tracking URLs to hijack Microsoft 365 accounts. | Phishing | BleepingComputer |
| 22.5.26 | Microsoft rejects critical Azure vulnerability report, no CVE issued | A security researcher claims Microsoft quietly fixed an Azure Backup for AKS vulnerability after rejecting his report, and without issuing a CVE. Microsoft disputes the claim, telling BleepingComputer the behavior was expected and that "no product changes were made," despite the researcher documenting a silent fix. | Vulnerebility | BleepingComputer |
| 22.5.26 | Russian hackers turn Kazuar backdoor into modular P2P botnet | The Russian hacker group Secret Blizzard has developed its long-running Kazuar backdoor into a modular peer-to-peer (P2P) botnet designed for long-term persistence, stealth, and data collection. | BotNet | BleepingComputer |
| 21.5.26 | Showboat Linux Malware Hits Middle East Telecom with SOCKS5 Proxy Backdoor | Cybersecurity researchers have disclosed details of a new Linux malware dubbed Showboat that has been put to use in a campaign targeting a | Virus | The Hacker News |
| 21.5.26 | Microsoft Warns of Two Actively Exploited Defender Vulnerabilities | Microsoft has disclosed that a privilege escalation flaw and a denial-of-service flaw in Defender have come under active exploitation in the wild. | Exploit | The Hacker News |
| 21.5.26 | 9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros | Cybersecurity researchers have disclosed details of a vulnerability in the Linux kernel that remained undetected for nine years. The vulnerability, | Vulnerebility | The Hacker News |
| 21.5.26 | GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension | GitHub on Wednesday officially confirmed that the breach of its internal repositories was the result of a compromise of an employee device | Virus | The Hacker News |
| 21.5.26 | Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks | Drupal has released security updates for a "highly critical" security vulnerability in Drupal Core that could be exploited by attackers to | Vulnerebility | The Hacker News |
| 21.5.26 | Microsoft Open-Sources RAMPART and Clarity to Secure AI Agents During Development | Microsoft has unveiled two new open-source tools called RAMPART and Clarity to assist developers in better testing the security of artificial intelligence (AI) agents. | AI | The Hacker News |
| 20.5.26 | Microsoft Takes Down Malware-Signing Service Behind Ransomware Attacks | Microsoft on Tuesday said it disrupted a malware-signing-as-a-service (MSaaS) operation that weaponized the company's Artifact Signing | Ransom | The Hacker News |
| 20.5.26 | Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API | Cybersecurity researchers have flagged fresh activity from a China-aligned threat actor known as Webworm in 2025, deploying custom | Virus | The Hacker News |
| 20.5.26 | GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos | GitHub on Tuesday said it's investigating unauthorized access to its internal repositories after the notorious threat actor known as TeamPCP | Incindent | The Hacker News |
| 20.5.26 | Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit | Microsoft on Tuesday released a mitigation for a BitLocker bypass vulnerability named YellowKey following its public disclosure last week. | Exploit | The Hacker News |
| 20.5.26 | Grafana GitHub Breach Exposes Source Code via TanStack npm Attack | Grafana Labs, on May 19, 2026, said an investigation into its recent breach found no evidence of customer production systems or operations being compromised. | Hack | The Hacker News |
| 20.5.26 | GitHub Investigating TeamPCP Claimed Breach of ~4,000 Internal Repositories | GitHub on Tuesday said it's investigating unauthorized access to its internal repositories after the notorious threat actor known as TeamPCP | Hack | The Hacker News |
| 20.5.26 | Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps | Cybersecurity researchers have disclosed details of a new ad fraud and malvertising operation dubbed Trapdoor targeting Android device users. | Hack | The Hacker News |
| 19.5.26 | DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability | Proof-of-concept (PoC) exploit code has now been released for a recently patched security flaw in the Linux kernel that could allow for local | Vulnerebility | The Hacker News |
| 19.5.26 | Drupal to Release Urgent Core Security Updates on May 20, Sites Told to Prepare | Drupal has issued an alert stating that it intends to release a "core security release" for all supported branches on May 20, 2026, from 5-9 | Security | The Hacker News |
| 19.5.26 | SEPPMail Secure E-Mail Gateway Vulnerabilities Enable RCE and Mail Traffic Access | Critical security vulnerabilities have been disclosed in SEPPMail Secure E-Mail Gateway, an enterprise-grade email security solution, that could | Vulnerebility | The Hacker News |
| 19.5.26 | Compromised Nx Console 18.95.0 Targeted VS Code Developers with Credential Stealer | Cybersecurity researchers have flagged a compromised version of the Nx Console extension that was published to the Microsoft Visual Studio | Hack | The Hacker News |
| 19.5.26 | Popular GitHub Action Tags Redirected to Imposter Commit to Steal CI/CD Credentials | In yet another software supply chain attack, threat actors have compromised the popular GitHub Actions workflow, actions-cool/issues- | Hack | The Hacker News |
| 19.5.26 | Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account | Cybersecurity researchers have discovered a fresh software supply chain attack campaign that has compromised various npm packages | Virus | The Hacker News |
| 19.5.26 | TeamPCP Supply Chain Campaign: Activity Through 2026-05-17 | Since the last update, the TeamPCP supply chain campaign produced its loudest stretch since the March Trivy disclosure: an officially confirmed Checkmarx Jenkins plugin compromise and a new self-spreading Mini Shai-Hulud worm across npm and PyPI. | Hack | SANS |
| 19.5.26 | INTERPOL Operation Ramz Disrupts MENA Cybercrime Networks with 201 Arrests | INTERPOL has coordinated a first-of-its-kind cybercrime crackdown across the Middle East and North Africa (MENA) that led to 201 arrests | CyberCrime | The Hacker News |
| 18.5.26 | Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws | Ivanti, Fortinet, n8n, SAP, and VMware have released security fixes for various vulnerabilities that could be exploited by bad actors to bypass | Vulnerebility | The Hacker News |
| 18.5.26 | MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems | Chaotic Eclipse, the security researcher behind the recently disclosed Windows flaws, YellowKey and GreenPlasma, has released a proof-of- | Vulnerebility | The Hacker News |
| 18.5.26 | Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware | Cybersecurity researchers have discovered four new npm packages containing information-stealing malware, one of which is a clone of the | Virus | The Hacker News |
| 18.5.26 | Pre-Stuxnet Fast16 Malware Tampered with Nuclear Weapons Simulations | A new analysis of the Lua-based fast16 malware has confirmed that it was a cyber sabotage tool designed to tamper with nuclear weapons | Virus | The Hacker News |
| 18.5.26 | NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE | A newly disclosed security flaw impacting NGINX Plus and NGINX Open has come under active exploitation in the wild, days after its public | Vulnerebility | The Hacker News |
| 18.5.26 | Grafana GitHub Token Breach Led to Codebase Download and Extortion Attempt | Grafana has disclosed that an "unauthorized party" obtained a token that granted them the ability to access the company's GitHub environment | Incindent | The Hacker News |
| 17.5.26 | Funnel Builder Flaw Under Active Exploitation Enables WooCommerce Checkout Skimming | A critical security vulnerability impacting the Funnel Builder plugin for WordPress has come under active exploitation in the wild to inject | Exploit | The Hacker News |
| 17.5.26 | Funnel Builder WordPress plugin bug exploited to steal credit cards | A critical vulnerability in the Funnel Builder plugin for WordPress is being actively exploited to inject malicious JavaScript snippets into WooCommerce checkout pages. | Exploit | BleepingComputer |
| 17.5.26 | Microsoft Exchange, Windows 11 hacked on second day of Pwn2Own | During the second day of Pwn2Own Berlin 2026, competitors collected $385,750 in cash awards after exploiting 15 unique zero-day vulnerabilities in multiple products, including Windows 11, Microsoft Exchange, and Red Hat Enterprise Linux for Workstations. | OS | BleepingComputer |
| 17.5.26 | Popular node-ipc npm package compromised to steal credentials | Hackers have injected credential-stealing malware into newly published versions of node-ipc, a popular inter-process communication package, in a new supply chain attack targeting npm. | Incindent | BleepingComputer |
| 17.5.26 | Avada Builder WordPress plugin flaws allow site credential theft | Two vulnerabilities in the Avada Builder plugin for WordPress, with an estimated one million active installations, allow hackers to read arbitrary files and extract sensitive information from the database. | CyberCrime | BleepingComputer |
| 17.5.26 | Microsoft backpedals: Edge to stop loading passwords into memory | Microsoft is updating the Edge web browser to ensure it no longer loads saved passwords into process memory in clear text at startup after previously stating it was "by design." | OS | BleepingComputer |
| 17.5.26 | Inside the REMUS Infostealer: Session Theft, MaaS, and Rapid Evolution | Stolen browser sessions and authentication tokens are becoming more valuable than stolen passwords. Flare explains how the REMUS infostealer evolved around session theft and operational scalability. | Virus | BleepingComputer |
| 17.5.26 | Microsoft to automatically roll back faulty Windows drivers | Microsoft is introducing a new capability that will allow it to remotely roll back problematic Windows drivers delivered through Windows Update. | OS | BleepingComputer |
| 17.5.26 | Microsoft warns of Exchange zero-day flaw exploited in attacks | On Thursday, Microsoft shared mitigations for a high-severity Exchange Server vulnerability exploited in attacks that allow threat actors to execute arbitrary code via cross-site scripting (XSS) while targeting Outlook on the web users. | Exploit | BleepingComputer |
| 17.5.26 | TeamPCP hackers advertise Mistral AI code repos for sale | The TeamPCP hacker group is threatening to leak source code from the Mistral AI project unless a buyer is found for the data. | AI | BleepingComputer |
| 17.5.26 | Hackers exploit auth bypass flaw in Burst Statistics WordPress plugin | Hackers are leveraging a critical authentication bypass vulnerability in the WordPress plugin Burst Statistics to obtain admin-level access to websites. | Exploit | BleepingComputer |
| 17.5.26 | Cisco warns of new critical SD-WAN flaw exploited in zero-day attacks | Cisco is warning that a critical Catalyst SD-WAN Controller authentication bypass flaw, tracked as CVE-2026-20182, was actively exploited in zero-day attacks that allowed attackers to gain administrative privileges on compromised devices. | Vulnerebility | BleepingComputer |
| 17.5.26 | OpenAI confirms security breach in TanStack supply chain attack | OpenAI says two employees' devices were breached in the recent TanStack supply chain attack that impacted hundreds of npm and PyPI packages, causing the company to rotate code-signing certificates for its applications as a precaution. | AI | BleepingComputer |
| 17.5.26 | Windows 11 and Microsoft Edge hacked at Pwn2Own Berlin 2026 | On the first day of Pwn2Own Berlin 2026, security researchers collected $523,000 in cash awards after exploiting 24 unique zero-days. | OS | BleepingComputer |
| 17.5.26 | 18-year-old NGINX vulnerability allows DoS, potential RCE | An 18-year-old flaw in the NGINX open-source web server, discovered using an autonomous scanning system, can be exploited for denial of service and, under certain conditions, remote code execution. | Vulnerebility | BleepingComputer |
| 17.5.26 | Cyber-Enabled Cargo Crime: How Cybercrime Tradecraft is Used to Steal Freight | Cargo theft now starts with phishing emails and stolen credentials, not hijackings, to reroute and steal freight from supply chains. NMFTA outlines how cyber-enabled cargo crime is changing transportation security. | Phishing | BleepingComputer |
| 17.5.26 | KongTuke hackers now use Microsoft Teams for corporate breaches | Initial access broker KongTuke has moved to Microsoft Teams for social engineering attacks, taking as little as five minutes to gain persistent access to corporate networks. | Incindent | BleepingComputer |
| 17.5.26 | Dell confirms its SupportAssist software causes Windows BSOD crashes | Dell confirmed that its SupportAssist software is causing blue-screen crashes on some Windows systems following a wave of user reports about random reboots affecting Dell devices since Friday. | OS | BleepingComputer |
| 17.5.26 | US charges suspected Dream Market admin arrested in Germany | The alleged main administrator of Dream Market Incognito Market, one of the largest dark web marketplaces before its shutdown, has been indicted in the United States on money laundering charges. | CyberCrime | BleepingComputer |
| 17.5.26 | New Fragnesia Linux flaw lets attackers gain root privileges | Linux distros are rolling out patches for a new high-severity kernel privilege escalation vulnerability (known as Fragnasia and tracked as CVE-2026-46300) that allows attackers to run malicious code as root. | Vulnerebility | BleepingComputer |
| 17.5.26 | West Pharmaceutical says hackers stole data, encrypted systems | West Pharmaceutical Services disclosed that it was the target of a cyberattack that resulted in data exfiltration and system encryption. | Incindent | BleepingComputer |
| 17.5.26 | Iranian hackers targeted major South Korean electronics maker | The Iran-linked hacking group MuddyWater (a.k.a. Seedworm, Static Kitten) launched a broad cyber-espionage campaign targeting at least nine high-profile organizations across multiple sectors and countries. | APT | BleepingComputer |
| 17.5.26 | New critical Exim mailer flaw allows remote code execution | A critical vulnerability affecting certain configurations of the Exim open-source mail transfer agent could be exploited by an unauthenticated remote attacker to execute arbitrary code. | Vulnerebility | BleepingComputer |
| 17.5.26 | Windows BitLocker zero-day gives access to protected drives, PoC released | A cybersecurity researcher has published proof-of-concept (PoC) exploits for two unpatched Microsoft Windows vulnerabilities named YellowKey and GreenPlasma, which are a BitLocker bypass and a privilege-escalation flaw. | Vulnerebility | BleepingComputer |
| 16.5.26 | Turla Turns Kazuar Backdoor Into Modular P2P Botnet for Persistent Access | The Russian state-sponsored hacking group known as Turla has transformed its custom backdoor Kazuar into a modular peer-to-peer | APT | The Hacker News |
| 16.5.26 | Microsoft fixes BitLocker recovery issue only for Windows 11 users | Microsoft has addressed a known issue causing some Windows 11 systems to boot into BitLocker recovery after installing the April 2026 Windows security updates. | OS | BleepingComputer |
| 16.5.26 | Microsoft fixes Windows Autopatch bug installing restricted drivers | Microsoft has fixed a Windows Autopatch bug that caused driver updates restricted by administrative policies to be deployed on some Autopatch-managed Windows devices in the European Union. | OS | BleepingComputer |
| 16.5.26 | Foxconn confirms cyberattack claimed by Nitrogen ransomware gang | Foxconn, the world's largest electronics manufacturer, says some of its North American factories are now working to resume normal operations after a cyberattack. | Ransom | BleepingComputer |
| 16.5.26 | 73 Seconds to Breach, 24 Hours to Patch: The Case for Autonomous Validation | Attackers can compromise systems in minutes while patching and response still take hours or days. Picus Security breaks down why autonomous validation is becoming critical for modern defense strategies. | Security | BleepingComputer |
| 16.5.26 | Microsoft says some users can't install Office on Windows 365 devices | Microsoft says some customers are experiencing issues downloading and installing Office on their Windows 365 devices. | OS | BleepingComputer |
| 16.5.26 | US govt seeks Instructure testimony on massive Canvas cyberattack | The U.S. House Committee on Homeland Security is calling on Instructure executives to testify about two cyberattacks by the ShinyHunters extortion group that targeted the company's Canvas platform, allowing threat actors to steal student data and disrupt schools during final exams. | Incindent | BleepingComputer |
| 16.5.26 | UK fines water supplier $1.3M for exposing data of 664k customers | The Information Commissioner's Office has fined South Staffordshire Water Plc and parent company South Staffordshire Plc £963,900 ($1.3 million) over a cyberattack that exposed the personal data of 663,887 customers and employees. | Incindent | BleepingComputer |
| 16.5.26 | Webinar: Fixing the gaps in network incident response | IT teams often struggle to quickly coordinate responses across disparate systems during network incidents. This upcoming webinar explores how automation and AI-assisted workflows can reduce response times and help prevent outages. | Security | BleepingComputer |
| 16.5.26 | Signal adds security warnings for social engineering, phishing attacks | Signal has introduced new in-app confirmations and warning messages as additional safeguards against phishing and social engineering attempts that could lead to various forms of fraud. | Social | BleepingComputer |
| 16.5.26 | Microsoft releases Windows 10 KB5087544 extended security update | Microsoft has released the Windows 10 KB5087544 extended security update to fix the May 2026 Patch Tuesday vulnerabilities and resolve an issue with the new Remote Desktop warnings. | OS | BleepingComputer |
| 16.5.26 | Fortinet warns of critical RCE flaws in FortiSandbox and FortiAuthenticator | Fortinet has released security patches for two critical vulnerabilities in FortiSandbox and FortiAuthenticator that could enable attackers to run commands or arbitrary code. | Vulnerebility | BleepingComputer |
| 16.5.26 | Windows 11 KB5089549 & KB5087420 cumulative updates released | Microsoft has released Windows 11 KB5089549 and KB5087420 cumulative updates for versions 25H2/24H2 and 23H2 to fix security vulnerabilities, bugs, and add new features. | OS | BleepingComputer |
| 16.5.26 | Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero-days | Today is Microsoft's May 2026 Patch Tuesday, with security updates for 120 flaws and no zero-days disclosed this month. | OS | BleepingComputer |
| 16.5.26 | Škoda warns of customer data breach after online shop hack | Škoda Auto, a wholly owned subsidiary of the Volkswagen Group, has disclosed a data breach after attackers hacked its online shop and stole the personal information of an undisclosed number of customers. | Incindent | BleepingComputer |
| 16.5.26 | Android 17 to expand banking scam call and privacy protections | Android 17, expected to roll out next month, will introduce several security and privacy features focused on device theft, threat detection, and banking scam calls. | Spam | BleepingComputer |
| 16.5.26 | Shai Hulud attack ships signed malicious TanStack, Mistral npm packages | Hundreds of packages across npm and PyPI have been compromised in a new Shai-Hulud supply-chain campaign delivering credential-stealing malware targeting developers. | Virus | BleepingComputer |
| 16.5.26 | Operating inside the lethal trifecta: Blast radius reduction in AI agent deployments | Seven things security teams can start doing today to reduce risk | AI blog | SOPHOS |
| 16.5.26 | May’s Patch Tuesday hauls out 132 CVEs | With advisories, this month’s count approaches 300 – though many are already in place | OS Blog | SOPHOS |
| 16.5.26 | Why AMOS matters: The macOS malware stealing data at scale | Sophos X-Ops looks at the Atomic macOS Stealer and its capabilities | Malware blog | SOPHOS |
| 16.5.26 | When Malware Authors Study Algebra: The Group Theory Inside Bedep's DGA | A closer look at how Bedep used foreign exchange data and advanced math to generate hard-to-predict domains, making its command-and-control infrastructure more difficult for defenders to block and disrupt | Malware blog | GENDIGITAL |
| 16.5.26 | Building a last-resort unpacker with AI | Exploring how AI can assist in unpacking protected binaries, recovering payloads from unsupported packers, while reducing repetitive analysis | AI blog | GENDIGITAL |
| 16.5.26 | Chasing an Angry Spark | A VM-obfuscated backdoor observed on a single machine in the UK, operated for one year, and vanished without a trace. | Malware blog | GENDIGITAL |
| 16.5.26 | Seedworm: Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign | Iran-linked threat actor abused signed Fortemedia and SentinelOne binaries for DLL sideloading and exfiltrated data through a public file-transfer service. | APT blog | SECURITY.COM |
| 16.5.26 | Undermining the trust boundary: Investigating a stealthy intrusion through third-party compromise | Microsoft Incident Response investigated an attack operated through legitimate and trusted administrative mechanisms to blend seamlessly into routine operations and remain undetected, demonstrating that intrusions have increasingly avoided using noisy exploits, obvious malware, or custom tooling, instead leveraging systems that organizations already trust within their environments. | Security blog | Microsoft blog |
| 16.5.26 | Kazuar: Anatomy of a nation-state botnet | Kazuar, a sophisticated malware family attributed to the Russian state actor Secret Blizzard, has been under constant development for years and continues to evolve in support of espionage-focused operations. | BotNet blog | Microsoft blog |
| 16.5.26 | Analyzing TeamPCP’s Supply Chain Attacks: Checkmarx KICS and elementary-data in CI/CD Credential Theft | Our research examines the April 22 Checkmarx KICS and April 24 elementary-data incidents as part of a broader TeamPCP supply chain campaign. Across both cases, the actor abused trusted CI/CD and release workflows to steal credentials at scale. | Hacking blog | Trend Micro |
| 16.5.26 | Vibe Hacking: Two AI-Augmented Campaigns Target Government and Financial Sectors in Latin America | TrendAI™ Research has identified two emerging threat campaigns—SHADOW-AETHER-040 and SHADOW-AETHER-064—that use agentic AI to drive intrusion operations against government and financial organizations in Latin America, marking these among the first cases we have observed of AI agents executing attacks from initial access to data exfiltration. | AI blog | Trend Micro |
| 16.5.26 | What Is the Instructure Canvas Breach? Impact, Risks, and What Institutions Should Do | The Instructure Canvas breach affects universities, K–12 school districts, and teaching hospitals globally. This blog entry intends to provide context and practical guidance. | Security blog | Trend Micro |
| 16.5.26 | The Ransomware Chimera That Does Everything | Malware typically falls into well-defined categories. Ransomware encrypts files and demands payment. Banking trojans steal credentials. Botnets await remote commands. However, some samples defy these conventional classifications by incorporating multiple threat vectors into a single executable. | Ransom blog | SonicWall |
| 16.5.26 | Adversary in the Middle Attacks - Abusing Trust via Weaponized PDFs | The SonicWall Capture Labs threat research team has identified an active Adversary-in-the-Middle (AiTM) phishing campaign that leverages PDF documents as the initial delivery vector. This is a technique that bypasses multi-factor authentication entirely by stealing authenticated session cookies, not just credentials. | Hacking blog | SonicWall |
| 16.5.26 | Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files | This article examines new obfuscation techniques the Gremlin stealer malware uses to conceal malicious payloads within embedded resources. We analyze a variant protected by a sophisticated commercial packing utility that employs instruction virtualization, transforming the original code into a custom, non-standard bytecode executed by a private virtual machine. | Malware blog | Palo Alto |
| 16.5.26 | Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools | Active Directory Certificate Services (AD CS) is a foundational component of Windows enterprise infrastructure, responsible for managing public key infrastructure (PKI) and issuing certificates that enable authentication and encryption across networks. | Hacking blog | Palo Alto |
| 16.5.26 | The State of Ransomware – Q1 2026 | Consolidation after peak fragmentation: The top 10 ransomware groups accounted for 71% of all Q1 2026 victims, a sharp reversal from the fragmentation seen in Q3 2025. The ransomware ecosystem is once again consolidating around fewer, more dominant operators. | Ransom blog | CHECKPOINT |
| 16.5.26 | Thus Spoke…The Gentlemen | On May 4th, 2026, The Gentlemen RaaS administrator acknowledged on underground forums that an internal backend database (Rocket) had been leaked. This leak exposed 9 accounts, including zeta88 (aka hastalamuerte), who runs the infrastructure, builds the locker and RaaS panel, manages payouts, and effectively acts as the administrator of the program. | Ransom blog | CHECKPOINT |
| 16.5.26 | Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities | Cisco Talos is tracking the active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage. | Exploit blog | CISCO TALOS |
| 16.5.26 | The time of much patching is coming | In this week’s newsletter, Martin reflects on what the next iteration of AI tools means for vulnerability discovery and our ability to manage large-scale patch releases. | Security blog | CISCO TALOS |
| 16.5.26 | Breaking things to keep them safe with Philippe Laulheret | Philippe shares his unique journey from French engineering school to the front lines of cybersecurity, explaining how his lifelong love for solving puzzles helps him uncover critical security flaws before they can be exploited. | Cyber blog | CISCO TALOS |
| 16.5.26 | State-sponsored actors, better known as the friends you don’t want | Responding to a state-sponsored threat is nothing like responding to ransomware, and the differences can make or break the outcome. Learn why your IR plan might need revisiting, and the factors you should consider. | Ransom blog | CISCO TALOS |
| 16.5.26 | Microsoft Patch Tuesday for May 2026 — Snort rules and prominent vulnerabilities | Microsoft has released its monthly security update for May 2026, which includes 137 vulnerabilities affecting a range of products, including 16 that Microsoft marked as “critical”. | Vulnerebility blog | CISCO TALOS |
| 16.5.26 | Unplug your way to better code | Cybersecurity concepts — logs, packets, DNS exfiltration, and more — are usually intangible, and its practitioners are prone to mental fatigue. Amy takes a second to yell at you to go touch grass. | Cyber blog | CISCO TALOS |
| 16.5.26 | Why geopolitical turmoil is a gift for scammers, and how to stay safe | Conflict is a boon for opportunistic fraudsters. Look out for their ploys. | Cyber blog | Eset |
| 16.5.26 | FrostyNeighbor: Fresh mischief and digital shenanigans | ESET researchers uncovered new activities attributed to FrostyNeighbor, updating its compromise chain to support the group’s continual cyberespionage operations | APT blog | Eset |
| 16.5.26 | Eyes wide open: How to mitigate the security and privacy risks of smart glasses | Smart glasses allow anyone to track and record the world around them. That could put your data and the privacy of those nearby at risk. | Security blog | Eset |
| 16.5.26 | On the Effectiveness of Mutational Grammar Fuzzing | Mutational grammar fuzzing is a fuzzing technique in which the fuzzer uses a predefined grammar that describes the structure of the samples. When a sample gets mutated, the mutations happen in such a way that any resulting samples still adhere to the grammar rules, thus the structure of the samples gets maintained by the mutation process. | Vulnerebility blog | Project Zero |
| 15.5.26 | Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence | Cybersecurity researchers have disclosed a set of four security flaws in OpenClaw that could be chained to achieve data theft, privilege escalation, and persistence. The vulnerabilities, collectively dubbed Claw Chain by Cyera, can permit an attacker to establish a foothold, expose sensitive data, and plant backdoors. | AI | The Hacker News |
| 15.5.26 | TanStack Supply Chain Attack Hits Two OpenAI Employee Devices, Forces macOS Updates | OpenAI has disclosed that two of its employee devices in its corporate environment were impacted via the Mini Shai-Hulud supply chain attack on TanStack, but noted that no user data, production systems, or intellectual property were compromised or modified in an unauthorized manner. | AI | The Hacker News |
| 15.5.26 | On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email | Microsoft has disclosed a new security vulnerability impacting on-premise versions of Exchange Server that it said has come under active | Vulnerebility | The Hacker News |
| 15.5.26 | CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV After Admin Access Exploits | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a newly disclosed vulnerability impacting Cisco Catalyst | Vulnerebility | The Hacker News |
| 15.5.26 | Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access | Cisco has released updates to address a maximum-severity authentication bypass flaw in Catalyst SD-WAN Controller that it said has | Vulnerebility | The Hacker News |
| 15.5.26 | Stealer Backdoor Found in 3 Node-IPC Versions Targeting Developer Secrets | Cybersecurity researchers are sounding the alarm about what has been described as "malicious activity" in newly published versions of node-ipc. | Virus | The Hacker News |
| 14.5.26 | Ghostwriter Targets Ukrainian Government With Geofenced PDF Phishing, Cobalt Strike | The Belarus-aligned threat group known as Ghostwriter has been attributed to a fresh set of attacks targeting governmental organizations in Ukraine. Active since at least 2016, Ghostwriter has been linked to both cyber espionage and influence operations targeting neighboring countries, particularly Ukraine. | APT | The Hacker News |
| 14.5.26 | PraisonAI CVE-2026-44338 Auth Bypass Targeted Within Hours of Disclosure | Threat actors have been observed attempting to exploit a recently disclosed security vulnerability in PraisonAI, an open-source multi-agent | AI | The Hacker News |
| 14.5.26 | Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation | An anonymous cybersecurity researcher who disclosed three Microsoft Defender vulnerabilities has returned with two more zero-days involving a | Vulnerebility | The Hacker News |
| 14.5.26 | New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption | Details have emerged about a new variant of the recent Dirty Frag Linux local privilege escalation (LPE) vulnerability that allows local attackers to | Vulnerebility | The Hacker News |
| 14.5.26 | 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE | Cybersecurity researchers have disclosed multiple security vulnerabilities impacting NGINX Plus and NGINX Open, including a critical flaw that | Vulnerebility | The Hacker News |
| 14.5.26 | SAP fixes critical vulnerabilities in Commerce Cloud and S/4HANA | SAP has released the May 2026 security updates addressing 15 vulnerabilities across multiple products, including two critical flaws in the Commerce Cloud enterprise-grade e-commerce platform and the S/4HANA ERP suite. | Vulnerebility | BleepingComputer |
| 14.5.26 | Instructure reaches 'agreement' with ShinyHunters to stop data leak | Instructure, the edtech giant behind the widely popular Canvas learning management system (LMS), has reached an "agreement" with the ShinyHunters extortion group to prevent the data stolen in a recent breach from being leaked online. | APT | BleepingComputer |
| 14.5.26 | GM agrees to $12.75M California settlement over sale of drivers’ data | California Attorney General Rob Bonta announced a proposed $12.75 million settlement agreement with General Motors (GM) over allegations that the company violated the California Consumer Privacy Act (CCPA). | Incindent | BleepingComputer |
| 14.5.26 | Official CheckMarx Jenkins package compromised with infostealer | Checkmarx warned over the weekend that a rogue version of its Jenkins Application Security Testing (AST) plugin had been published on the Jenkins Marketplace. | Virus | BleepingComputer |
| 14.5.26 | New GhostLock tool abuses Windows API to block file access | A security researcher has released a proof-of-concept tool named GhostLock that demonstrates how a legitimate Windows file API can be abused in attacks to block access to files stored locally or on SMB network shares. | Virus | BleepingComputer |
| 14.5.26 | Instructure confirms hackers used Canvas flaw to deface portals | Education technology giant Instructure has confirmed that a security vulnerability allowed hackers to modify Canvas login portals and leave an extortion message. | Vulnerebility | BleepingComputer |
| 14.5.26 | Google: Hackers used AI to develop zero-day exploit for web admin tool | Researchers at Google Threat Intelligence Group (GTIG) say that a zero-day exploit targeting a popular open-source web administration tool was likely generated using AI. | AI | BleepingComputer |
| 14.5.26 | TrickMo Android banker adopts TON blockchain for covert comms | A new variant of the TrickMo Android banking malware, delivered in campaigns targeting users across Europe, introduces new commands and uses The Open Network (TON) for stealthy command-and-control communications. | Virus | BleepingComputer |
| 14.5.26 | Hackers abuse Google ads, Claude.ai chats to push Mac malware | Attackers are abusing Google Ads and legitimate Claude.ai shared chats in an active malvertising campaign. Users searching for "Claude mac download" may come across sponsored search results that list claude.ai as the target website, but lead to instructions that install malware on their Mac. | Virus | BleepingComputer |
| 14.5.26 | Police shut down reboot of Crimenetwork marketplace, arrest admin | German authorities have shut down a relaunch version of the criminal marketplace 'Crimenetwork' that generated more than 3.6 million euros, and arrested its operator. | CyberCrime | BleepingComputer |
| 14.5.26 | [GUEST DIARY] Tearing apart website fraud to see how it works. | One day at work, a friend messaged me, “How do you check a website to see if it’s legit?” | Security | SANS |
| 13.5.26 | Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday | Microsoft has unveiled a new multi-model artificial intelligence (AI)-driven system called MDASH to facilitate vulnerability discovery and remediation at scale, adding that it's being tested by some customers as part of a limited private preview. | AI | The Hacker News |
| 13.5.26 | Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation | A threat actor with affiliations to China has been linked to a "multi-wave intrusion" targeting an unnamed Azerbaijani oil and gas company | Exploit | The Hacker News |
| 13.5.26 | Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws | Microsoft on Tuesday released patches for 138 security vulnerabilities spanning its product portfolio, although none of them have been listed as | OS | The Hacker News |
| 13.5.26 | GemStuffer Abuses 150+ RubyGems to Exfiltrate Scraped U.K. Council Portal Data | Cybersecurity researchers are calling attention to a new campaign dubbed GemStuffer that has targeted the RubyGems repository with more than 150 gems that use the registry as a data exfiltration channel rather than for malware distribution. "The packages do not appear designed for mass developer compromise," Socket said. | Hack | The Hacker News |
| 13.5.26 | Android Adds Intrusion Logging for Sophisticated Spyware Forensics | Google on Tuesday unveiled a new opt-in Android feature called Intrusion Logging for storing forensic logs to better analyze sophisticated spyware attacks. Intrusion Logging, available as part of Advanced Protection Mode, enables "persistent and privacy-preserving forensics logging to allow for investigation of devices in the event of a suspected compromise," the company said. | Safety | The Hacker News |
| 13.5.26 | Proxying the Unproxyable? Sending EXE traffic to a Proxy | I had a recent engagement where I had to look at the network traffic generated by a Windows executable. Unfortunately, it was all TLS, and all TLS1.3 to boot. | Security | SANS |
| 13.5.26 | Microsoft May 2026 Patch Tuesday | Today's Microsoft Patch Tuesday fixes 137 different vulnerabilities. In addition, the update addresses 137 Chromium-related issues affecting Microsoft Edge. | OS | SANS |
| 13.5.26 | New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution | Exim has released security updates to address a severe security issue affecting certain configurations that could enable memory corruption and | Vulnerebility | The Hacker News |
| 13.5.26 | RubyGems Suspends New Signups After Hundreds of Malicious Packages Are Uploaded | RubyGems, the standard package manager for the Ruby programming language, has temporarily paused account sign-ups following what has been described as a "major malicious attack." | Virus | The Hacker News |
| 12.5.26 | Apple Patches Everything | Apple today released its typical feature update across its operating systems (iOS, iPadOS, macOS, tvOS, watchOS, visionOS). | OS | SANS |
| 12.5.26 | Why we use CAPTCHAs | A few months ago, I implemented Cloudflare's Turnstile CAPTCHA on some pages. The reason for implementing these CAPTCHAs is obvious: Bots make up a large percentage of traffic and affect site performance. | BotNet | SANS |
| 12.5.26 | YARA-X 1.16.0 Release | YARA-X's 1.16.0 release brings 4 improvements and 4 bugfixes. | Security | SANS |
| 12.5.26 | GTIG AI Threat Tracker: Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access | Since our February 2026 report on AI-related threat activity, Google Threat Intelligence Group (GTIG) has continued to track a maturing transition from nascent AI-enabled operations to the industrial-scale application of generative models within adversarial workflows. | AI | GTI |
| 12.5.26 | New TrickMo Variant Uses TON C2 and SOCKS5 to Create Android Network Pivots | Cybersecurity researchers have flagged a new version of the TrickMo Android banking trojan that uses The Open Network (TON) for command- | Hack | The Hacker News |
| 12.5.26 | Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages | TeamPCP, the threat actor behind the recent supply chain attack spree, has been linked to the compromise of the npm and PyPI packages from | Hack | The Hacker News |
| 12.5.26 | Instructure Reaches Ransom Agreement with ShinyHunters to Stop 3.65TB Canvas Leak | American educational technology company Instructure, the parent company of Canvas, said it reached an "agreement" with a decentralized | Ransom | The Hacker News |
| 12.5.26 | OpenAI Launches Daybreak for AI-Powered Vulnerability Detection and Patch Validation | OpenAI has launched Daybreak, a new cybersecurity initiative that brings together frontier artificial intelligence (AI) model capabilities and Codex | AI | The Hacker News |
| 12.5.26 | iOS 26.5 Brings Default End-to-End Encrypted RCS Messaging Between iPhone and Android | Apple on Monday officially released iOS 26.5 with support for end-to-end encryption (E2EE) to Rich Communication Services (RCS) in beta as part of a "cross-industry effort" to replace traditional SMS with a more secure alternative. | OS | The Hacker News |
| 12.5.26 | TeamPCP Compromises Checkmarx Jenkins AST Plugin Weeks After KICS Supply Chain Attack | Checkmarx has confirmed that a modified version of the Jenkins AST plugin was published to the Jenkins Marketplace. "If you are using | Hack | The Hacker News |
| 12.5.26 | cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor | A threat actor named Mr_Rot13 has been attributed to the exploitation of a recently disclosed critical cPanel flaw to deploy a backdoor codenamed | Vulnerebility | The Hacker News |
| 12.5.26 | Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation | Google on Monday disclosed that it identified an unknown threat actor using a zero-day exploit that it said was likely developed with an artificial | AI | The Hacker News |
| 11.5.26 | Fake OpenAI Privacy Filter Repo Hits #1 on Hugging Face, Draws 244K Downloads | A malicious Hugging Face repository managed to take a spot in the platform's trending list by impersonating OpenAI's Privacy Filter open-weight model to deliver a Rust-based information stealer to Windows users. | AI | The Hacker News |
| 10.5.26 | JDownloader site hacked to replace installers with Python RAT malware | The website for the popular JDownloader download manager was compromised earlier this week to distribute malicious Windows and Linux installers, with the Windows payload found deploying a Python-based remote access trojan. | Virus | BleepingComputer |
| 10.5.26 | Fake OpenAI repository on Hugging Face pushes infostealer malware | A malicious Hugging Face repository that reached the platform's trending list impersonated OpenAI's "Privacy Filter" project to deliver information-stealing malware to Windows users. | AI | BleepingComputer |
| 10.5.26 | NVIDIA confirms GeForce NOW data breach affecting Armenian users | NVIDIA has confirmed in a statement for BleepingComputer that GeForce NOW user information has been exposed in a data breach. | Incindent | BleepingComputer |
| 10.5.26 | Why More Analysts Won’t Solve Your SOC’s Alert Problem | Attackers move faster than overwhelmed SOC teams can realistically investigate alerts. Prophet Security breaks down how AI can help analysts investigate alerts faster and focus on real threats. | Security | BleepingComputer |
| 10.5.26 | Trellix source code breach claimed by RansomHouse hackers | The attack on the Trellix source code repository disclosed last week has been claimed by the RansomHouse threat group, which leaked a small set of images as proof of the intrusion. | Ransom | BleepingComputer |
| 10.5.26 | CISA gives feds four days to patch Ivanti flaw exploited as zero-day | CISA has given U.S. federal agencies four days to secure their networks against a high-severity vulnerability in Ivanti Endpoint Manager Mobile (EPMM) exploited in zero-day attacks. | Exploit | BleepingComputer |
| 10.5.26 | Zara data breach exposed personal information of 197,000 people | Hackers who gained access to the databases of Spanish fast-fashion retailer Zara stole data belonging to more than 197,000 customers, according to data breach notification service Have I Been Pwned. | Incindent | BleepingComputer |
| 10.5.26 | Former govt contractor convicted for wiping dozens of federal databases | A 34-year-old Virginia man was found guilty of conspiring to destroy dozens of government databases after getting fired from his job as a federal contractor. | Incindent | BleepingComputer |
| 10.5.26 | Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak | Cybersecurity researchers have disclosed a critical security vulnerability in Ollama that, if successfully exploited, could allow a remote, | Vulnerebility | The Hacker News |
| 10.5.26 | New Linux 'Dirty Frag' zero-day gives root on all major distros | A new Linux zero-day exploit, named Dirty Frag, allows local attackers to gain root privileges on most major Linux distributions with a single command. | Vulnerebility | BleepingComputer |
| 10.5.26 | Canvas login portals hacked in mass ShinyHunters extortion campaign | The ShinyHunters extortion gang has breached education technology giant Instructure again, this time exploiting another vulnerability to deface Canvas login portals for hundreds of colleges and universities. | Incindent | BleepingComputer |
| 10.5.26 | New TCLBanker malware self-spreads over WhatsApp and Outlook | A new trojan named TCLBanker, which targets 59 banking, fintech, and cryptocurrency platforms, uses a trojanized MSI installer for Logitech AI Prompt Builder to infect systems. | Virus | BleepingComputer |
| 10.5.26 | New PCPJack worm steals credentials, cleans TeamPCP infections | A new malware framework called PCPJack is stealing credentials from exposed cloud infrastructure while actively removing TeamPCP's access to the systems. | Virus | BleepingComputer |
| 10.5.26 | Australia warns of ClickFix attacks pushing Vidar Stealer malware | The Australian Cyber Security Center (ACSC) is warning organizations of an ongoing malware campaign using the ClickFix social engineering technique to distribute the Vidar Stealer info-stealing malware. | Virus | BleepingComputer |
| 10.5.26 | Ivanti warns of new EPMM flaw exploited in zero-day attacks | Ivanti warned customers today to patch a high-severity remote code execution vulnerability in Endpoint Manager Mobile (EPMM) exploited in zero-day attacks. | Exploit | BleepingComputer |
| 10.5.26 | The Browser Is Breaking Your DLP: How Data Slips Past Modern Controls | Your security controls aren't failing, they're missing where most of today's work actually happens. Keep Aware shows how browser activity like copy/paste and AI prompts bypass traditional protections. | Security | BleepingComputer |
| 10.5.26 | Americans sentenced for running 'laptop farms' for North Korea | Two U.S. nationals were sentenced to 18 months in prison each for operating so-called laptop farms that helped North Korean IT workers fraudulently obtain remote employment at nearly 70 American companies. | APT | BleepingComputer |
| 10.5.26 | Crypto gang member gets 6.5 years for role in $230 million heist | A 20-year-old California man was sentenced to 78 months in prison for serving as a home invader and money launderer in a criminal ring that stole over $250 million in cryptocurrency. | Cryptocurrency | BleepingComputer |
| 10.5.26 | Palo Alto Networks firewall zero-day exploited for nearly a month | Palo Alto Networks warned customers that suspected state-sponsored hackers have been exploiting a critical-severity PAN-OS firewall zero-day vulnerability for nearly a month. | Exploit | BleepingComputer |
| 10.5.26 | Fake Claude AI website delivers new 'Beagle' Windows malware | A fake version of the Claude AI website offers a malicious Claude-Pro Relay download that pushes a previously undocumented backdoor for Windows named Beagle. | AI | BleepingComputer |
| 10.5.26 | Hackers abuse Google ads for GoDaddy ManageWP login phishing | A phishing campaign delivered through Google sponsored search results is targeting credentials for ManageWP, GoDaddy's platform for managing fleets of WordPress websites. | Phishing | BleepingComputer |
| 10.5.26 | Critical vm2 sandbox bug lets attackers execute code on hosts | A critical vulnerability in the popular Node.js sandboxing library vm2 allows escaping the sandbox and executing arbitrary code on the host system. | Vulnerebility | BleepingComputer |
| 10.5.26 | New Cisco DoS flaw requires manual reboot to revive devices | Cisco patched a Crosswork Network Controller and Network Services Orchestrator denial-of-service vulnerability that requires manually rebooting targeted systems for recovery. | Vulnerebility | BleepingComputer |
| 10.5.26 | DAEMON Tools devs confirm breach, release malware-free version | Disc Soft Limited, the maker of DAEMON Tools Lite, confirmed that the software had been trojanized in a supply chain attack and released a new, malware-free version. | Incindent | BleepingComputer |
| 10.5.26 | Why ransomware attacks succeed even when backups exist | Backups don't fail because they're missing; they fail because attackers destroy them first. Acronis explains how ransomware targets backup systems before encryption, leaving no path to recovery. | Ransom | BleepingComputer |
| 10.5.26 | MuddyWater hackers use Chaos ransomware as a decoy in attacks | The MuddyWater Iranian hackers disguised their operations as a Chaos ransomware attack, relying on Microsoft Teams social engineering to gain access and establish persistence. | APT | BleepingComputer |
| 10.5.26 | Palo Alto Networks warns of firewall RCE zero-day exploited in attacks | Palo Alto Networks warned customers today that a critical-severity unpatched vulnerability in the PAN-OS User-ID Authentication Portal is being exploited in attacks. | Exploit | BleepingComputer |
| 10.5.26 | New stealthy Quasar Linux malware targets software developers | A previously undocumented Linux implant named Quasar Linux (QLNX) is targeting developers' systems with a mix of rootkit, backdoor, and credential-stealing capabilities. | Virus | BleepingComputer |
| 10.5.26 | Instructure hacker claims data theft from 8,800 schools, universities | The hacker behind a breach at education technology giant Instructure claims to have stolen 280 million data records for students and staff from 8,809 colleges, school districts, and online education platforms. | Incindent | BleepingComputer |
| 10.5.26 | DAEMON Tools trojanized in supply-chain attack to deploy backdoor | Hackers trojanized installers for the DAEMON Tools software and, since April 8, have delivered a backdoor to thousands of systems that downloaded the product from the official website. | Virus | BleepingComputer |
| 9.5.26 | Another Universal Linux Local Privilege Escalation (LPE) Vulnerability: Dirty Frag | Less than two weeks after the public disclosure of the Copy Fail vulnerability (CVE-2026-31431), another local privilege escalation (LPE) vulnerability in the Linux kernel has been revealed. | Vulnerebility | SANS |
| 9.5.26 | An Adaptive Cyber Analytics UI for Web Honeypot Logs [Guest Diary] | Through the expansion of Large Language Models (LLMs), cybersecurity has exploded with a variety of tools for both offensive and defensive purposes. | AI | SANS |
| 9.5.26 | cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now | cPanel has released updates to address three vulnerabilities in cPanel and Web Host Manager (WHM) that could be exploited to achieve | Vulnerebility | The Hacker News |
| 9.5.26 | TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms | Threat hunters have flagged a previously undocumented Brazilian banking trojan dubbed TCLBANKER that's capable of targeting 59 | Virus | The Hacker News |
| 9.5.26 | Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads | Cybersecurity researchers have discovered fraudulent apps on the official Google Play Store for Android that falsely claimed to offer access to call | Hack | The Hacker News |
| 9.5.26 | Student hacked Taiwan high-speed rail to trigger emergency brakes | A 23-year-old university student in Taiwan was arrested for interfering with the TETRA communication system used by the country's high-speed railway network (THSR). | Incindent | BleepingComputer |
| 9.5.26 | FTC to ban data broker Kochava from selling Americans’ location data | The FTC will ban data broker Kochava and its subsidiary, Collective Data Solutions (CDS), from selling location data without consumers' explicit consent to settle charges alleging that it sold precise geolocation data collected from hundreds of millions of mobile devices. | BigBrothers | BleepingComputer |
| 9.5.26 | The EOL Blind Spot in Your CVE Feed: What SCA Tools Miss | Critical vulnerabilities can exist in open source software your scanners don't check. HeroDevs reveals how EOL software creates blind spots in CVE feeds and SCA tools, and how you can receive a free end-of-life scan for your projects. | Security | BleepingComputer |
| 9.5.26 | Vimeo data breach exposes personal information of 119,000 people | The ShinyHunters extortion gang stole personal information belonging to over 119,000 people after hacking the Vimeo online video platform in April, according to data breach notification service Have I Been Pwned. | Incindent | BleepingComputer |
| 9.5.26 | Google now offers up to $1.5 million for some Android exploits | Google overhauls its Android and Chrome vulnerability rewards programs, offering bounties of up to $1.5 million for the most difficult exploits while scaling back payouts for flaws that artificial intelligence (AI) has made easier to find. | OS | BleepingComputer |
| 9.5.26 | Karakurt extortion gang ‘cold case’ negotiator gets 8.5 years in prison | A Latvian national extradited to the United States was sentenced to 8.5 years in prison for his "cold case" negotiator role in the Russian Karakurt ransomware group. | CyberCrime | BleepingComputer |
| 9.5.26 | CloudZ malware abuses Microsoft Phone Link to steal SMS and OTPs | A new version of the CloudZ remote access tool (RAT) is deploying a previously unseen malicious plugin called Pheno that hijacks the Microsoft Phone Link connection to steal sensitive codes from mobile devices. | Virus | BleepingComputer |
| 9.5.26 | ScarCruft hackers push BirdCall Android malware via game platform | The North Korean hacker group APT37 has been delivering an Android version of a backdoor called BirdCall in a supply-chain attack through a video game platform. | APT | BleepingComputer |
| 9.5.26 | Weaver E-cology critical bug exploited in attacks since March | Hackers have been exploiting a critical vulnerability (CVE-2026-22679) in the Weaver E-cology office automation since mid-March to run discovery commands. | Vulnerebility | BleepingComputer |
| 9.5.26 | Researchers report Amazon SES abused in phishing to evade detection | Cybersecurity firm Kaspersky reports that the Amazon Simple Email Service (SES) is being increasingly abused to send convincing phishing emails that can bypass standard security filters and render reputation-based blocks ineffective. | Phishing | BleepingComputer |
| 9.5.26 | Backdoored PyTorch Lightning package drops credential stealer | A malicious version of the PyTorch Lightning package published on the Python Package Index (PyPI) delivers a credential-stealing payload targeting browsers, environment files, and cloud services. | Virus | BleepingComputer |
| 9.5.26 | Trellix discloses data breach after source code repository hack | Cybersecurity firm Trellix disclosed a data breach after attackers gained access to "a portion" of its source code repository. | Cyber | BleepingComputer |
| 9.5.26 | They don’t hack, they borrow: How fraudsters target credit unions | Fraudsters aren't hacking credit unions, they are exploiting normal business processes. Flare reveals how structured loan fraud methods use stolen identities to pass verification and secure funds. | Exploit | BleepingComputer |
| 9.5.26 | Progress warns of critical MOVEit Automation auth bypass flaw | Progress Software warned customers to patch a critical authentication bypass vulnerability in its MOVEit Automation enterprise-grade managed file transfer (MFT) application. | Vulnerebility | BleepingComputer |
| 9.5.26 | CISA says ‘Copy Fail’ flaw now exploited to root Linux systems | CISA has warned that threat actors have started exploiting the "Copy Fail" Linux security vulnerability in the wild, one day after Theori researchers disclosed it and shared a proof-of-concept (PoC) exploit. | Exploit | BleepingComputer |
| 9.5.26 | Microsoft confirms April Windows updates cause backup failures | Microsoft has confirmed that the April 2026 security updates are causing failures in third-party backup applications using the psmounterex.sys driver. | OS | BleepingComputer |
| 9.5.26 | Instructure confirms data breach, ShinyHunters claims attack | Educational tech giant Instructure has confirmed that data was stolen in a cyberattack, with the ShinyHunters extortion gang claiming responsibility. | Incindent | BleepingComputer |
| 9.5.26 | Microsoft Defender wrongly flags DigiCert certs as Trojan:Win32/Cerdigent.A!dha | Microsoft Defender is detecting legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, resulting in widespread false-positive alerts and, in some cases, removing certificates from Windows. | Virus | BleepingComputer |
| 9.5.26 | Telegram Mini Apps abused for crypto scams, Android malware delivery | Cybersecurity researchers have uncovered a large-scale fraud operation that uses Telegram's Mini App feature to run crypto scams, impersonate well-known brands, and distribute Android malware. | Cryptocurrency | BleepingComputer |
| 9.5.26 | Pull the Plug: FIRESTARTER Survives Patches, Reboots, and Your Incident Response Plan | You patched your Cisco ASA. You rebooted it. Your vulnerability scanner shows green. You closed the ticket. However, the backdoor is still there! | Vulnerebility blog | Eclypsium |
| 9.5.26 | Zero Trust Target Level Compliance Device Pillar Challenges: Do The Hard Parts Now | The Department of War’s Zero Trust Target Level deadline may be September 30, 2027, but for agencies responsible for device security, the practical deadline comes much sooner. | Cyber blog | Eclypsium |
| 9.5.26 | Operation GriefLure: Dissecting an APT Campaign Targeting Vietnam’s Military Telecom & Philippine Healthcare | Table of Contents: Introduction: Key Targets: Infection Chain: Initial Findings about Campaign: Analysis of Decoys: Technical Analysis: Campaign-1: Stage-1: Ho so.rar Campaign: 2 Stage-1: download.zip Stage-2: The LNK & Batch file (Common in 1 & 2 both) Stage-3: Analysis | Hacking blog | Seqrite |
| 9.5.26 | Operation Silent Rotor: Targeted Campaign Compromises Unmanned Aviation Sector Ahead of Moscow Summit | Table of Contents: Introduction, Key Targets, Industries Affected, Geographical focus, Infection Chain, Initial Findings, Looking into the Decoy Documents, Technical Analysis, Stage 1 – Analysis of... | Hacking blog | Seqrite |
| 9.5.26 | Cyble Recognized in the 2026 Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies — and What Cyble Feels It Means for the Next Era of Threat Intel | A note from our CEO on the recognition, what we believe it signals about the category, and where we go from here. | Cyber blog | Cyble |
| 9.5.26 | Operation HumanitarianBait: An Infostealer Campaign in Disguise | Cyble analyzes Operation HumanitarianBait, a stealthy espionage campaign using aid-themed lures to deploy a fileless Python infostealer. | Hacking blog | Cyble |
| 9.5.26 | Third-Party Breaches Without Breaches: How Attackers Use Trusted Access to Bypass US Enterprise Defenses | A new supply chain attack exploits trusted access and browsers. Learn how attackers bypass defenses and how to prevent supply chain attack risks. | Hacking blog | Cyble |
| 9.5.26 | Cyble Named a Challenger in the 2026 Gartner® Magic Quadrant™ for Cyber Threat Intelligence | Recognized for Completeness of Vision and Ability to Execute | Security blog | Cyble |
| 9.5.26 | Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise | Microsoft Defender Research observed a large-scale credential theft campaign that exemplifies this trend, using code of conduct-themed lures, a multi-step attack chain, and legitimate email services to distribute fully authenticated messages from attacker-controlled domains. | Phishing blog | Microsoft blog |
| 9.5.26 | Supporting the National Cyber Strategy: How TrendAI™ Helps | A deeper look at the first three pillars and outlining how our capabilities directly support government agencies working to bring this strategy to life. | AI blog | Trend Micro |
| 9.5.26 | InstallFix and Claude Code: How Fake Install Pages Lead to Real Compromise | Targeting multiple industries worldwide, the InstallFix campaign uses fake Claude AI installer pages to trick users into running malware that collects system information, disables security features, achieves persistence, and connects to attacker-controlled C&C servers for additional payloads. | Malware blog | Trend Micro |
| 9.5.26 | Quasar Linux (QLNX) – A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit, PAM Backdoor, Credential Harvesting Capabilities | TrendAI™ Research breaks down Quasar Linux (QLNX), a previously undocumented sophisticated Linux RAT with low detection rates. In this blog, we examine a full-featured Linux threat incorporating a rootkit, a PAM backdoor, credential harvesting, and more, revealing how this malware enables stealthy access, persistence, and potential supply-chain attacks. | Malware blog | Trend Micro |
| 9.5.26 | Mesop AI Sandbox Unauthenticated Remote Code Execution | SonicWall Capture Labs threat research team became aware of the threat CVE-2026-33057, assessed its impact, and developed mitigation measures for this vulnerability. The flaw, also known as the Mesop AI Sandbox /exec-py Unauthenticated RCE, is a critical remote code execution vulnerability affecting Google-originated Mesop in PyPI versions up to and including 1.2.2. | AI blog | SonicWall |
| 9.5.26 | Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution | On May 6, 2026, Palo Alto Networks released a security advisory for CVE-2026-0300, identifying a buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software. Vulnerable systems allow an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. | Vulnerebility blog | Palo Alto |
| 9.5.26 | Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years | On April 29, 2026, researchers publicly disclosed a highly reliable local privilege escalation (LPE) vulnerability tracked as CVE-2026-31431. This vulnerability is commonly referred to as Copy Fail. Discovered in about an hour through an AI-assisted process, this logic flaw allows an unprivileged local attacker to consistently escalate their access to root across virtually all major Linux distributions released since 2017. | Vulnerebility blog | Palo Alto |
| 9.5.26 | Insights into the clustering and reuse of phone numbers in scam emails | Talos has recently started to collect and gather intelligence around phone numbers within emails as an additional indicator of compromise (IOC). In this blog, we discuss new insights into in-the-wild phone number reuse in scam emails. | Spam blog | CISCO TALOS |
| 9.5.26 | Unplug your way to better code | Cybersecurity concepts — logs, packets, DNS exfiltration, and more — are usually intangible, and their practitioners are prone to mental fatigue. Amy takes a second to yell at you to go touch grass. | Security blog | CISCO TALOS |
| 9.5.26 | UAT-8302 and its box full of malware | Cisco Talos is disclosing UAT-8302, a sophisticated, China-nexus advanced persistent threat (APT) group targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025. | APT blog | CISCO TALOS |
| 9.5.26 | CloudZ RAT potentially steals OTP messages using Pheno plugin | Cisco Talos discovered an intrusion, active since at least January 2026, where an unknown attacker implanted a CloudZ remote access tool (RAT) and a previously undocumented plugin called “Pheno.” | Malware blog | CISCO TALOS |
| 9.5.26 | Fake call logs, real payments: How CallPhantom tricks Android users | ESET researchers uncovered fraudulent apps on Google Play that claim to provide the call history “for any number” and had been downloaded more than seven million times before being taken down. | OS Blog | Eset |
| 9.5.26 | Fixing the password problem is as easy as 123456 | How come it’s still possible to ‘secure’ an online account with a six-digit string? | Security blog | Eset |
| 9.5.26 | A rigged game: ScarCruft compromises gaming platform in a supply-chain attack | ESET researchers have investigated an ongoing attack by the ScarCruft APT group that targets the Yanbian region via backdoor-laced Windows and Android games | APT blog | Eset |
| 8.5.26 | The Duality of the Pluggable Authentication Module (PAM) | The Group-IB DFIR Team has identified a new technique, not yet included in the MITRE ATT&CK framework, in which the pam_exec module is used to obtain a privileged shell on a host and give a threat actor full persistence. | CyberCrime | GROUP-IB |
| 8.5.26 | Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise | A previously undocumented Linux implant codenamed Quasar Linux RAT (QLNX) is targeting developers' systems to establish a silent foothold as well as facilitate a broad range of post-compromise functionality, such as credential harvesting, keylogging, file manipulation, clipboard monitoring, and network tunneling. | Virus | The Hacker News |
| 8.5.26 | New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials | Cybersecurity researchers have disclosed details of a new Linux backdoor named PamDOORa that's being advertised on the Rehub | Virus | The Hacker News |
| 8.5.26 | Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions | Details have emerged about a new, unpatched local privilege escalation (LPE) vulnerability impacting the Linux kernel. Dubbed Dirty Frag, it has been described as a successor to Copy Fail (CVE-2026-31431, CVSS score: 7.8), a recently disclosed LPE flaw impacting the Linux kernel that has since come under active exploitation in the wild. The vulnerability was reported to Linux kernel maintainers on April 30, 2026. | Exploit | The Hacker News |
| 8.5.26 | Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access | Ivanti is warning that a new security flaw impacting Endpoint Manager Mobile (EPMM) has been exploited in limited attacks in the wild. The high- | Exploit | The Hacker News |
| 8.5.26 | PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems | Cybersecurity researchers have disclosed details of a new credential theft framework dubbed PCPJack that targets exposed cloud | Exploit | The Hacker News |
| 8.5.26 | PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage | Palo Alto Networks has disclosed that threat actors may have attempted to unsuccessfully exploit a recently disclosed critical security flaw as | Exploit | The Hacker News |
| 7.5.26 | PyPI Packages Deliver ZiChatBot Malware via Zulip APIs on Windows and Linux | Cybersecurity researchers have discovered three packages on the Python Package Index (PyPI) repository that are designed to stealthily deliver a | Virus | The Hacker News |
| 7.5.26 | vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution | A dozen critical security vulnerabilities have been disclosed in the vm2 Node.js library that could be exploited by bad actors to break out of the | Vulnerebility | The Hacker News |
| 7.5.26 | Mirai-Based xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks | Cybersecurity researchers have exposed a new Mirai -derived botnet that self-identifies as xlabs_v1 and targets internet-exposed devices running | BotNet | The Hacker News |
| 6.5.26 | MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack | The Iranian state-sponsored hacking group known as MuddyWater (aka Mango Sandstorm, Seedworm, and Static Kitten) has been attributed to a ransomware attack in what has been described as a "false flag" operation. | Ransom | The Hacker News |
| 6.5.26 | Google's Android Apps Get Public Verification to Stop Supply Chain Attacks | Google has announced expanded Binary Transparency for Android as a way to safeguard the ecosystem from supply chain attacks. "This new | Hack | The Hacker News |
| 6.5.26 | Windows Phone Link Exploited by CloudZ RAT to Steal Credentials and OTPs | Cybersecurity researchers have disclosed details of an intrusion that involved the use of a CloudZ remote access tool (RAT) and a previously undocumented plugin dubbed Pheno with the aim of facilitating credential theft. | Virus | The Hacker News |
| 6.5.26 | Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution | Palo Alto Networks has released an advisory warning that a critical buffer overflow vulnerability in its PAN-OS software has been exploited in the | Exploit | The Hacker News |
| 6.5.26 | Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE | The Apache Software Foundation (ASF) has released security updates to address several security vulnerabilities in the HTTP Server, including a | Vulnerebility | The Hacker News |
| 6.5.26 | DAEMON Tools Supply Chain Attack Compromises Official Installers with Malware | A newly identified supply chain attack targeting DAEMON Tools software has compromised its installers to serve a malicious payload, according to | Hack | The Hacker News |
| 6.5.26 | China-Linked UAT-8302 Targets Governments Using Shared APT Malware Across Regions | A sophisticated China-nexus advanced persistent threat (APT) group has been attributed to attacks targeting government entities in South America | APT | The Hacker News |
| 5.5.26 | SSL.com rotates their root certificate today | I just got an email from SSL.com last night, they are rotating out their root certificate today (May 5, 2026). This is normal, business as usual stuff for a CA, but certificates get used for all kinds of things, and sometimes they aren't used like they should be, so sometimes hiccups happen. | Security | SANS |
| 5.5.26 | | For me, this started with a post on X at hxxps://x.com/intcyberdigest/status/2051406295828250963?s=61 , which highlighted research by @L1v1ng0ffTh3L4N that found exactly this issue. | Security | SANS |
| 5.5.26 | TeamPCP Weekly Analysis: 2026-W18 (2026-04-27 through 2026-05-03) | The most significant development of the week was the April 29 to 30 Mini Shai-Hulud worm, a self-propagating supply chain campaign that compromised four official SAP npm packages, two PyTorch Lightning PyPI versions, two intercom-client npm versions, and the intercom-php | Incindent | SANS |
| 5.5.26 | | This week, I will release a few updates to our DShield honeypot. The update should happen automatically if you have "automatic updates" enabled on your system. There will be two major changes: Compatibility with Ubuntu 26.04 / new versions of Raspberry Pi OS | Security | SANS |
| 5.5.26 | | Wireshark release 4.6.5 fixes 43 vulnerabilities (38 CVEs) and 35 bugs. | Security | SANS |
| 5.5.26 | MetInfo CMS CVE-2026-29014 Exploited for Remote Code Execution Attacks | Threat actors are actively exploiting a critical security flaw impacting an open-source content management system (CMS) known as MetInfo, | Exploit | The Hacker News |
| 5.5.26 | ScarCruft Hacks Gaming Platform to Deploy BirdCall Malware on Android and Windows | The North Korea-aligned state-sponsored hacking group known as ScarCruft has compromised a video game platform in a supply chain espionage attack, trojanizing its components with a backdoor called BirdCall to likely target ethnic Koreans residing in China. | Virus | The Hacker News |
| 5.5.26 | Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited via Debug API | A critical security vulnerability in Weaver (Fanwei) E-cology, an enterprise office automation (OA) and collaboration platform, has come under | Vulnerebility | The Hacker News |
| 5.5.26 | Microsoft Details Phishing Campaign Targeting 35,000 Users Across 26 Countries | Microsoft has disclosed details of a large-scale credential theft campaign that has leveraged a combination of code of conduct-themed | Phishing | The Hacker News |
| 5.5.26 | Phishing Campaign Hits 80+ Orgs Using SimpleHelp and ScreenConnect RMM Tools | An active phishing campaign has been observed targeting multiple vectors since at least April 2025 with legitimate Remote Monitoring and | Phishing | The Hacker News |
| 5.5.26 | Progress Patches Critical MOVEit Automation Bug Enabling Authentication Bypass | Progress Software has released updates to address two security flaws in MOVEit Automation, including a critical bug that could result in an | Vulnerebility | The Hacker News |
| 4.5.26 | Silver Fox Deploys ABCDoor Malware via Tax-Themed Phishing in India and Russia | The China-based cybercrime group known as Silver Fox has been linked to a new campaign targeting organizations in Russia and India with a new | APT | The Hacker News |
| 4.5.26 | Critical cPanel Vulnerability Weaponized to Target Government and MSP Networks | A previously unknown threat actor has been observed targeting government and military entities in Southeast Asia, alongside a smaller | Vulnerebility | The Hacker News |
| 4.5.26 | Global Crackdown Arrests 276, Shuts 9 Crypto Scam Centers, Seizes $701M | A coordinated international operation involving U.S. and Chinese authorities has arrested at least 276 suspects and shut down nine scam | Cryptocurrency | The Hacker News |
| 3.5.26 | Malicious Ad for Homebrew Leads to MacSync Stealer | As MacBooks and Mac minis become more popular, we're seeing more campaigns targeting these macOS hosts. Malicious ads have popped up in search results that can lead potential victims to pages that present themselves as legitimate | Virus | SANS |
| 3.5.26 | Application Control Bypass for Data Exfiltration | In a cyber incident, most organizations fear data loss (via exfiltration) more than plain data encryption, because they have a good backup policy in place. If exfiltration happened, it means a total loss of control over the stolen data, with all the consequences (PII, CC numbers, …). | Hack | SANS |
| 3.5.26 | CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a recently disclosed security flaw impacting various Linux | Exploit | The Hacker News |
| 3.5.26 | Critical cPanel flaw mass-exploited in "Sorry" ransomware attacks | A newly disclosed cPanel flaw tracked as CVE-2026-41940 is being mass-exploited to breach websites and encrypt data in "Sorry" ransomware attacks. | Ransom | BleepingComputer |
| 3.5.26 | ConsentFix v3 attacks target Azure with automated OAuth abuse | A new attack type, dubbed ConsentFix v3, has been circulating on hacker forums, building on the previous technique by adding automation and scaling potential. | Attack | BleepingComputer |
| 3.5.26 | Microsoft tests modern Windows Run, says it's faster than legacy dialog | Microsoft has confirmed that Windows 11 is getting a new modern Run dialog with dark mode support and faster performance in a new preview build. | OS | BleepingComputer |
| 3.5.26 | Edu tech firm Instructure discloses cyber incident, probes impact | Instructure, the company behind the widely used Canvas learning platform, has disclosed that it recently suffered a cybersecurity incident and is now investigating its impact. | Cyber | BleepingComputer |
| 3.5.26 | 15-year-old detained over French govt agency data breach | French authorities have detained a 15-year-old suspected of selling data stolen in a cyberattack on France Titres (ANTS), the country's agency for issuing and managing administrative documents. | Incindent | BleepingComputer |
| 3.5.26 | Criminal IP and Securonix ThreatQ Collaborate to Enhance Threat Intelligence Operations | Raw threat intel isn't enough without real-world context. Criminal IP has partnered with Securonix to integrate exposure-based intelligence into ThreatQ, automating analysis and speeding up investigations. | Security | BleepingComputer |
| 3.5.26 | Microsoft fixes Remote Desktop warnings displaying incorrectly | Microsoft has fixed a known issue causing newly introduced Windows security warnings to display incorrectly when opening Remote Desktop (.rdp) files. | OS | |
| 3.5.26 | Microsoft now lets admins choose pre-installed Store apps to uninstall | Microsoft has updated a Windows 11 in-box app removal policy introduced in October to include a dynamic list that lets IT admins choose which preinstalled Store apps to uninstall. | OS | |
| 3.5.26 | Windows 11 KB5083631 update released with 34 changes and fixes | Microsoft has released the KB5083631 optional cumulative update for Windows 11, which includes 34 changes, such as a new Xbox mode for Windows PCs, enhanced security and performance for batch files, and performance improvements for launching startup apps. | OS | BleepingComputer |
| 3.5.26 | US ransomware negotiators get 4 years in prison over BlackCat attacks | Two former employees of cybersecurity incident response companies Sygnia and DigitalMint were sentenced to four years in prison each for targeting U.S. companies in BlackCat (ALPHV) ransomware attacks. | Ransom | BleepingComputer |
| 3.5.26 | New Bluekit phishing service includes an AI assistant, 40 templates | A new phishing kit named Bluekit offers more than 40 templates targeting popular services and includes basic AI features for generating campaign drafts. | Phishing | |
| 3.5.26 | Romanian leader of online swatting ring gets 4 years in prison | A Romanian national who led an online swatting ring that targeted more than 75 public officials, multiple journalists, and four religious institutions was sentenced to 4 years in federal prison. | CyberCrime | BleepingComputer |
| 3.5.26 | FBI links cybercriminals to sharp surge in cargo theft attacks | The U.S. Federal Bureau of Investigation (FBI) warned the transportation and logistics industry of a sharp rise in cyber-enabled cargo theft, with estimated losses in the United States and Canada reaching nearly $725 million in 2025. | CyberCrime | BleepingComputer |
| 3.5.26 | April KB5083769 Windows 11 update causes backup software failures | The April 2026 KB5083769 security update breaks third-party backup applications from multiple vendors on systems running Windows 11 24H2 and 25H2. | OS | BleepingComputer |
| 3.5.26 | What Happens in the First 24 Hours After a New Asset Goes Live | When a new asset goes live, attackers start scanning within minutes. Sprocket Security shows how automated attacks move from discovery to compromise in under 24 hours. | Security | |
| 3.5.26 | New Linux ‘Copy Fail’ flaw gives hackers root on major distros | An exploit has been published for a local privilege escalation vulnerability dubbed "Copy Fail" that impacts Linux kernels released since 2017, allowing an unprivileged local attacker to gain root permissions. | Vulnerability | |
| 3.5.26 | Critical cPanel and WHM bug exploited as a zero-day, PoC now available | The critical CVE-2026-41940 authentication bypass vulnerability in cPanel, WHM, and WP Squared is being actively exploited in the wild and has been leveraged in attempts since late February. | Exploit | BleepingComputer |
| 3.5.26 | Police dismantle 9 crypto scam centers, arrest 276 suspects | A joint international operation involving U.S. and Chinese authorities arrested at least 276 suspects and shut down nine cryptocurrency investment fraud centers. | Cryptocurrency | BleepingComputer |
| 3.5.26 | Official SAP npm packages compromised to steal credentials | Multiple official SAP npm packages were compromised in what is believed to be a TeamPCP supply-chain attack to steal credentials and authentication tokens from developers' systems. | Incident | |
| 3.5.26 | Popular WordPress redirect plugin hid dormant backdoor for years | The Quick Page/Post Redirect plugin, installed on more than 70,000 WordPress sites, had a backdoor added five years ago that allows injecting arbitrary code into users' sites. | Hack | BleepingComputer |
| 2.5.26 | Hackers exploit RCE flaws in Qinglong task scheduler for cryptomining | Hackers are exploiting two authentication bypass vulnerabilities in the Qinglong open-source task scheduling tool to deploy cryptominers on developers' servers. | Cryptocurrency | BleepingComputer |
| 2.5.26 | Hackers arrested for hijacking and selling 610,000 Roblox accounts | The Ukrainian police have arrested three individuals who hacked more than 610,000 Roblox gaming accounts and sold them for a profit of $225,000. | Incident | BleepingComputer |
| 2.5.26 | cPanel, WHM emergency update fixes critical auth bypass bug | A critical vulnerability affecting all but the latest versions of cPanel and the WebHost Manager (WHM) dashboard could be exploited to obtain access to the control panel without authentication. | Vulnerability | BleepingComputer |
| 2.5.26 | European police dismantle €50 million crypto investment fraud ring | Austrian and Albanian authorities dismantled a criminal ring accused of running a large-scale cryptocurrency investment fraud operation that caused estimated losses of over €50 million ($58.5 million) to victims worldwide. | Cryptocurrency | |
| 2.5.26 | Learning from the Vercel breach: Shadow AI & OAuth sprawl | A single third-party OAuth integration can become a direct path into your environment. Push explains how the Vercel breach shows a compromised OAuth app can lead to widespread impact across downstream customers. | AI | |
| 2.5.26 | GitHub fixes RCE flaw that gave access to millions of private repos | In early March, GitHub patched a critical remote code execution vulnerability (CVE-2026-3854) that could have allowed attackers to access millions of private repositories. | Vulnerability | BleepingComputer |
| 2.5.26 | CISA orders feds to patch Windows flaw exploited as zero-day | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to secure their Windows systems against a vulnerability exploited in zero-day attacks. | Exploit | BleepingComputer |
| 2.5.26 | Microsoft says backend change broke Teams Free chat and calls | Microsoft is working to resolve a known issue that prevents some Microsoft Teams Free users from chatting and calling others. | OS | |
| 2.5.26 | Broken VECT 2.0 ransomware acts as a data wiper for large files | Researchers are warning that the VECT 2.0 ransomware has a problem in the way it handles encryption nonces that leads to it permanently destroying larger files rather than encrypting them. | Ransom | BleepingComputer |
| 2.5.26 | Hackers are exploiting a critical LiteLLM pre-auth SQLi flaw | Hackers are targeting sensitive information stored in the LiteLLM open-source large-language model (LLM) gateway by exploiting a critical vulnerability tracked as CVE-2026-42208. | AI | BleepingComputer |
| 2.5.26 | US reportedly charges Scattered Spider hacker arrested in Finland | A 19-year-old dual United States and Estonian citizen arrested in Finland earlier this month faces federal charges in the U.S. alleging he was a prolific member of the notorious Scattered Spider hacking collective. | CyberCrime | BleepingComputer |
| 2.5.26 | Microsoft to deprecate legacy TLS in Exchange Online starting July | Microsoft says it will start blocking legacy TLS connections for POP and IMAP email clients in Exchange Online starting in July 2026. | OS | |
| 2.5.26 | Microsoft: New Remote Desktop warnings may display incorrectly | Microsoft has confirmed a new issue causing newly introduced Windows security warnings to display incorrectly when opening Remote Desktop (.rdp) files. | OS | |
| 2.5.26 | Microsoft asks iPhone users to reauthenticate after Outlook outage | After addressing a widespread outage that affected Outlook.com users worldwide on Monday, Microsoft has asked iPhone users to re-enter their credentials to regain access to their Outlook and Hotmail accounts via the default Mail app. | OS | BleepingComputer |
| 2.5.26 | Robinhood account creation flaw abused to send phishing emails | Online trading platform Robinhood's account creation process was exploited by threat actors to inject phishing messages into legitimate emails, tricking users into believing their accounts had suspicious activity. | Phishing | BleepingComputer |
| 2.5.26 | GlassWorm malware attacks return via 73 OpenVSX "sleeper" extensions | A new wave of the Glassworm campaign is targeting the OpenVSX ecosystem with 73 "sleeper" extensions that turn malicious after an update. | Virus | |
| 2.5.26 | Canada arrests three for operating “SMS blaster” device in Toronto | Canadian authorities have arrested three men for operating an "SMS blaster" device that pretends to be a cellular tower to send phishing texts to nearby phones. | Mobile | BleepingComputer |
| 2.5.26 | Trellix Confirms Source Code Breach With Unauthorized Repository Access | Cybersecurity company Trellix has announced that it suffered a breach that enabled unauthorized access to a "portion" of its source code. It said | Hack | The Hacker News |
| 2.5.26 | 30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign | A newly discovered Vietnamese-linked operation has been observed using Google AppSheet as a "phishing relay" to distribute phishing | Phishing | The Hacker News |
| 2.5.26 | Alleged Silk Typhoon hacker extradited to US for cyberespionage | A Chinese national accused of carrying out cyberespionage operations for China's intelligence services has been extradited from Italy to the United States to face criminal charges | CyberCrime | BleepingComputer |
| 2.5.26 | FTC: Americans lost over $2.1 billion to social media scams in 2025 | The U.S. Federal Trade Commission (FTC) warned of a massive increase in losses from social media scams since 2020, exceeding $2.1 billion in 2025. | BigBrothers | BleepingComputer |
| 2.5.26 | PyPI package with 1.1M monthly downloads hacked to push infostealer | An attacker pushed a malicious version of the popular elementary-data package to the Python Package Index (PyPI) to steal sensitive developer data and cryptocurrency wallets. | Virus | BleepingComputer |
| 2.5.26 | Home security giant ADT data breach affects 5.5 million people | The ShinyHunters extortion group stole the personal information of 5.5 million individuals after breaching the systems of home security giant ADT earlier this month, according to data breach notification service Have I Been Pwned. | Incident | |
| 2.5.26 | Medtronic confirms breach after hackers claim 9 million records theft | Medical device giant Medtronic disclosed last week that hackers breached its network and accessed data in "certain corporate IT systems." | Incident | |
| 2.5.26 | Money launderer linked to $230M crypto heist gets 70 months in prison | 22-year-old Evan Tangeman of Newport Beach, California, was sentenced to 70 months in prison for laundering funds stolen in a massive $230 million cryptocurrency heist. | Cryptocurrency | BleepingComputer |
| 2.5.26 | Deepfake Voice Attacks are Outpacing Defenses: What Security Leaders Should Know | Three seconds of audio is all it takes to clone a voice for fraud. Adaptive Security shows how deepfake calls trick employees into sending real money—and why most defenses don't catch them. | Attack | BleepingComputer |
| 2.5.26 | Microsoft says Outlook.com outage is causing sign-in failures | Microsoft is investigating an ongoing Outlook.com outage that is causing intermittent sign-in issues and preventing customers from accessing their mailboxes. | OS | |
| 2.5.26 | American utility firm Itron discloses breach of internal IT network | Itron, Inc. has disclosed, via an 8-K filing with the U.S. Securities and Exchange Commission (SEC), a cybersecurity incident in which an unauthorized third party accessed certain internal systems. | Incident | |
| 2.5.26 | Microsoft rolls out revamped Windows Insider Program | Microsoft says it's rolling out a revamped Windows Insider Program experience as part of the broader plans to address performance and reliability concerns affecting Windows 11. | OS | BleepingComputer |
| 2.5.26 | Threat actor uses Microsoft Teams to deploy new “Snow” malware | A threat group tracked as UNC6692 uses social engineering to deploy a new, custom malware suite named 'Snow' which includes a browser extension, a tunneler, and a backdoor. | Virus | BleepingComputer |
| 2.5.26 | ADT confirms data breach after ShinyHunters leak threat | Home security giant ADT has confirmed a data breach after the ShinyHunters extortion group threatened to leak stolen data unless a ransom is paid. | Incident | |
| 2.5.26 | Firestarter malware survives Cisco firewall updates, security patches | Cybersecurity agencies in the U.S. and U.K. are warning about a custom malware called Firestarter persisting on Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or Firepower Threat Defense (FTD) software. | Virus | BleepingComputer |
| 2.5.26 | Windows Update gets new controls to reduce forced restarts | Microsoft is rolling out Windows Update improvements that give users more control over how updates are installed while reducing disruption from frequent or poorly timed restarts. | OS | BleepingComputer |
| 2.5.26 | CISA’s Advisory On Botnets: Why Banning SOHO Routers Won’t Fix Critical Infrastructure Cyber Risk | CISA recently released a new cybersecurity advisory focused on defending against botnets built from compromised consumer and small-office/home-office (SOHO) routers. The advisory highlights how threat actors are actively exploiting vulnerable, internet-exposed devices to build large-scale proxy networks. | Vulnerability blog | Eclypsium |
| 2.5.26 | The Week in Vulnerabilities: GitHub Enterprise, Argo CD, Oracle Identity Manager, and Mozilla Security Flaws | Cyble weekly vulnerability report shows 1,095 vulnerabilities, PoCs, KEV additions, and active attacks across enterprise, cloud, and open-source. | Cyber blog | Cyble |
| 2.5.26 | How Cyble Blaze AI Turns Billions of Threat Signals into Actionable Intelligence | Cyble Blaze AI transforms fragmented threat data into real-time action using AI security analytics and automated cyber threat intelligence. | AI blog | Cyble |
| 2.5.26 | ANZ Organizations Are in the Ransomware Crosshairs: What the Dark Web Is Telling Us | Ransomware in ANZ is evolving into a scalable cybercrime model, with dark web intelligence revealing targeted attacks, data theft, and rising risks. | Ransom blog | Cyble |
| 2.5.26 | Why U.S. Critical Infrastructure Is the Highest-Value Target in the Global Cyber War | A critical infrastructure cyberattack is driving new risks as ransomware and nation-state threats target essential US systems in 2026. | ICS blog | Cyble |
| 2.5.26 | Email threat landscape: Q1 2026 trends and insights | In early 2026, email threats increased with a rise in credential phishing, QR code phishing, and CAPTCHA-gated campaigns, highlighted by Microsoft’s disruption of the Tycoon2FA phishing platform which led to a 15% volume decrease and shifts in threat actor tactics. | Spam blog | Microsoft blog |
| 2.5.26 | Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia | A China-aligned threat group is exploiting unpatched Microsoft Exchange vulnerabilities to conduct cyberespionage against government and critical infrastructure targets across Asia and beyond. | APT blog | Trend Micro |
| 2.5.26 | Kuse Web App Abused to Host Phishing Document | Bad actors took advantage of the legitimate name and services of Kuse, a popular AI-based app designed for workplaces. The attackers exploited the users’ trust in Kuse to carry out a phishing attack. | AI blog | Trend Micro |
| 2.5.26 | The npm Threat Landscape: Attack Surface and Mitigations | The security of the npm ecosystem reached a critical inflection point in September 2025. The Shai-Hulud worm, a self-replicating malware that automated the compromise and redistribution of malicious packages, marked the end of the “nuisance” era of npm attacks and the beginning of a high-consequence threat landscape. | Hacking blog | Palo Alto |
| 2.5.26 | TGR-STA-1030: New Activity in Central and South America | TGR-STA-1030 remains an active threat. Since February, we have observed widespread activity from this group across multiple countries. Most recently, their efforts appear to be heavily focused on regions within Central and South America. | Hacking blog | Palo Alto |
| 2.5.26 | VECT: Ransomware by design, Wiper by accident | Check Point Research discovers that the VECT 2.0 ransomware permanently destroys “large files” rather than encrypting them. A critical flaw in the encryption implementation, identical across all three platform variants (Windows, Linux, ESXi), discards three of four decryption nonces for every file above 131,072 bytes (128 KB). | Ransom blog | CHECKPOINT |
| 2.5.26 | Five defender priorities from the Talos Year in Review | With attackers moving faster than ever, it’s easy to feel overwhelmed. This blog breaks down five practical priorities from the Cisco Talos 2025 Year in Review to help defenders focus and prioritize, amidst all the noise. | Cyber blog | CISCO TALOS |
| 2.5.26 | Great responsibility, without great power | In this week’s newsletter, Hazel uses International Superhero Day as a springboard to explore why empathy — rather than just technical prowess — is the most essential, underrated superpower for navigating the human side of cybersecurity. | Cyber blog | CISCO TALOS |
| 2.5.26 | AI-powered honeypots: Turning the tables on malicious AI agents | Just as AI brings time-saving advantages to our lives, it brings similar advantages to threat actors. We can take the advantage back. This blog shows how generative AI can be used to rapidly deploy adaptive honeypot systems. | AI blog | CISCO TALOS |
| 2.5.26 | It pays to be a forever student | In this newsletter, Joe discusses why understanding other disciplines can often flow back into the macro and micro of cybersecurity, especially in a world of AI. | AI blog | CISCO TALOS |
| 2.5.26 | UAT-4356's Targeting of Cisco Firepower Devices | Cisco Talos is aware of UAT-4356's continued active targeting of Cisco Firepower devices’ Firepower eXtensible Operating System (FXOS). UAT-4356 exploited n-day vulnerabilities (CVE-2025-20333 and CVE-2025-20362) to gain unauthorized access to vulnerable devices. | Hacking blog | CISCO TALOS |
| 2.5.26 | This month in security with Tony Anscombe – April 2026 edition | Warnings about helpdesk impersonation scams and Iran-linked hackers targeting critical sectors in the US, plus the most damaging scams of 2025 - here's some of what made the headlines this month | Cyber blog | Eset |
| 1.5.26 | Cybercrime Groups Using Vishing and SSO Abuse in Rapid SaaS Extortion Attacks | Cybersecurity researchers are warning of two cybercrime groups that are carrying out "rapid, high-impact attacks" operating almost within the | CyberCrime | The Hacker News |
| 1.5.26 | China-Linked Hackers Target Asian Governments, NATO State, Journalists, and Activists | Cybersecurity researchers have disclosed details of a new China-aligned espionage campaign targeting government and defense sectors across | BigBrothers | The Hacker News |
| 1.5.26 | Two Cybersecurity Professionals Get 4-Year Sentences in BlackCat Ransomware Attacks | The U.S. Department of Justice (DoJ) on Thursday announced the sentencing of two cybersecurity professionals to four years each in prison for their role in | Ransom | The Hacker News |
| 1.5.26 | Poisoned Ruby Gems and Go Modules Exploit CI Pipelines for Credential Theft | A new software supply chain attack campaign has been observed using sleeper packages as a conduit to subsequently push malicious payloads that | Exploit | The Hacker News |
| 1.5.26 | PyTorch Lightning and Intercom-client Hit in Supply Chain Attacks to Steal Credentials | In yet another software supply chain attack, threat actors have managed to compromise the popular Python package Lightning to push two malicious | Hack | The Hacker News |