Cybersecurity News and Vulnerability Aggregator

Cybersecurity news aggregator

Top Cybersecurity Stories Today

Krebs on Security 1h ago

Artificial intelligence platforms may be just as susceptible to social engineering as human beings, but they are proving remarkably good at finding security vulnerabilities in human-made computer code. That reality is on full display this month with some of the more widely-used software makers — including Apple, Google, Microsoft, Mozilla and Oracle — fixing near record volumes of security bugs, and/or quickening the tempo of their patch releases. As it does on the second Tuesday of every month, Microsoft today released software updates to address at least 118 security vulnerabilities in its various Windows operating systems and other products. Remarkably, this is the first Patch Tuesday in nearly two years that Microsoft is not shipping any fixes to deal with emergency zero-day flaws that are already being exploited. Nor have any of the flaws fixed today been previously disclosed (potentially giving attackers a heads up in how to exploit the weakness). Sixteen of the vulnerabilities earned Microsoft’s most-dire “critical” label, meaning malware or miscreants could abuse these bugs to seize remote control over a vulnerable Windows device with little or no help from the user. Rapid7 has done much of the heavy lifting in identifying some of the more concerning critical weaknesses this month, including: CVE-2026-41089: A critical stack-based buffer overflow in Windows Netlogon that offers an attacker SYSTEM privileges on the domain controller. No privileges or user interaction are required, and attack complexity is low. Patches are available for all versions of Windows Server from 2012 onwards.

The Hacker News 11h ago

TeamPCP, the threat actor behind the recent supply chain attack spree, has been linked to the compromise of the npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI as part of a fresh Mini Shai-Hulud campaign. The affected npm packages have been modified to include an obfuscated JavaScript file ("router_init.js") that's designed to profile the execution

Latest

Tuesday, May 12
r/cybersecurity Just now

Sharing RedThread, an open-source CLI for AI red-team campaigns: https://github.com/matheusht/redthread

The project is for staging/internal LLM apps and agent workflows. It is not a prompt shield and it is not claiming broad production enforcement.

What it does today:

- runs PAIR, TAP, Crescendo, and GS-MCTS attack campaigns
- records multi-step traces
- scores results with JudgeAgent/rubric flows
- generates candidate defenses from confirmed failures
- replays exploit and benign cases before treating a defense as evidence
- adds agentic checks for tool poisoning, confused deputy paths, canary propagation, and budget amplification

The part I care about most is evidence quality. A sealed dry-run replay, a live replay, and a live validation failure are different things. RedThread keeps those separate instead of flattening everything into pass/fail.

I am looking for security people who can poke holes in the model:

- What attack classes should be fixtures?
- What evidence would make a finding useful in a real review?
- Where do LLM red-team tools get noisy or misleading?

r/blueteamsec 2h ago

Silverfort published research two weeks ago showing the Agent ID Administrator role could take over any service principal in a tenant. Microsoft patched the specific flaw. But the underlying primitive is unchanged: if you own a service principal, you own its permissions.

The attack is simple. Gain ownership of a service principal that holds a directory role. Add a client secret. Authenticate as that service principal. Inherit every permission it holds. If the target has a Global Administrator, that's a full tenant takeover.

99% of tenants have at least one privileged service principal. Most organizations don't audit who owns them.

Here's what most environments look like:

*→ Service principals created by developers who left 12+ months ago*
*→ Ownership assigned at creation time, never reviewed*
*→ Credentials that haven't been rotated since the application was registered*
*→ Application-level permissions that bypass every user-scoped control*
*→ No alert when someone changes ownership or adds credentials*

We wrote a post covering:

*1. The attack chain — how ownership becomes takeover in four steps*
*2. Where to check in the Entra admin center — the portal paths most admins never open*
*3. Three PowerShell audit queries you can run in 30 minutes*
*4. Two KQL detection rules for Sentinel — ownership changes and credential additions*
*5. The consolidated audit script you can hand to your security lead*

The organizations that get compromised through service principal abuse aren't the ones that failed to patch a specific vulnerability. They're the ones that never governed the primitive.

Full post with all queries and detection rules: [https://training.ridgelinecyber.com/blog/service-principal-ownership-attack-path/](https://training.ridgelinecyber.com/blog/service-principal-ownership-attack-path/)

r/cybersecurity 3h ago

Hi guys, I send out a weekly newsletter with the latest cybersecurity vendor reports and research, and thought you might find it useful, so sharing it here. All the reports and research below were published between May 4th - May 10th.

You can get the below into your inbox every week if you want: [https://www.cybersecstats.com/cybersecstatsnewsletter/](https://www.cybersecstats.com/cybersecstatsnewsletter/)

# Big Picture Reports

**The State of Agentic Cybersecurity (SimSpace)**

If you needed more confirmation that confidence in security outcomes is often misplaced, here it is.

**Key stats:**

* 78% of security leaders report high confidence in their defenses, even though security teams score as low as 30% in Defensive Security Readiness exercises.
* Only 29% of organizations conduct continuous simulation testing.
* 73% of organizations are using AI agents in their Security Operations Center at a moderate to high level.

*Read the full report* [*here*](https://www.cybersecstats.com/r/01aba9ab?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

**A 2026 Snapshot On The State Of Data Security (Capital One)**

A look into how decision-maker priorities are shifting. Interestingly, only a minority sees GenAI as a priority right now, but a majority sees it as being important in the next two years.

**Key stats:**

* 66% of decision-makers said protecting enterprise data at scale is a security priority over the next 12 months.
* 52% of leaders are slowed by a lack of automation, nonstandard processes, and siloed decision-making.
* 34% of decision-makers said genAI capabilities are paramount to data security today, a figure that increases to 64% as they look two years ahead.

*Read the full report* [*here*](https://www.cybersecstats.com/r/3ce524fa?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

**The State of Workforce Password Security in 2026 (Zoho)**

A look at where password security stands in 2026, with a few obligatory AI-related stats mixed in as well.

**Key stats:**

* 91% of U.S. organizations indicate that AI will strengthen their security posture.
* Only 9% of U.S. organizations report being ready to deploy AI-powered security today.
* There is an 82-percentage-point gap between AI belief (91%) and AI deployment readiness (9%) in the U.S.

*Read the full report* [*here*](https://www.cybersecstats.com/r/bf2c0d1a?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

# Ransomware

**The State of Ransomware Q1 2026 (BlackFog)**

Could also be called “the ransomware iceberg.” Stats about ransomware from the first quarter of 2026.

**Key stats:**

* Only one in nine global ransomware attacks was publicly disclosed in Q1 2026.
* There were 2,160 undisclosed ransomware attacks identified in Q1 2026.
* Data exfiltration occurred in 96% of ransomware attacks in Q1 2026.

*Read the full report* [*here*](https://www.cybersecstats.com/r/afde0ce6?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

# AI Security & Governance

**AI Pulse Survey (Protiviti)**

More data points on the reality of AI visibility (i.e., how much orgs know about AI tool use).

**Key stats:**

* 47% of large organizations do not have full visibility into employee AI tool usage.
* 65% of organizations report challenges with shadow AI.
* Only 40% of organizations have a formal AI governance framework in place.

*Read the full report* [*here*](https://www.cybersecstats.com/r/f68a5d71?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

**The State of AI in 2026 (ISACA)**

Most organizations think employees are using AI, but only 1 in 5 report seeing the ROI they expected.

**Key stats:**

* 90% believe employees are using artificial intelligence in their organization, but only 22% say AI return on investment has met or exceeded their expectations.
* Only 38% of digital trust professionals are confident in their board's understanding of AI risks.
* 45% of digital trust professionals noted that AI risks are an immediate priority.

*Read the full report* [*here*](https://www.cybersecstats.com/r/501049aa?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

**The State of Application Strategy in 2026 (F5)**

The vast majority of organizations are now running their own AI inference operations and coordinating multiple models in production.

**Key stats:**

* 78% of organizations run AI inference themselves.
* Organizations coordinate an average of seven AI models in production.
* 88% of organizations have faced AI-related security challenges.

*Read the full report* [*here*](https://www.cybersecstats.com/r/8b47b732?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

# Identity & Access Management

**Identity at Machine Speed (Keeper Security)**

Data about why managing your identity footprint is getting harder.

**Key stats:**

* 89% of senior IT leaders report that managing the growing identity footprint is challenging.
* 72% of organizations do not detect credential misuse in real time, often taking hours or sometimes days or weeks to identify unauthorized privileged access.
* 51% of U.S. cybersecurity decision-makers identify AI-related Non-Human Identity management and security as a top identity governance gap.

*Read the full report* [*here*](https://www.cybersecstats.com/r/76b8ab05?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

# Workplace Fraud

**Workplace Fraud Trends 2025 (Cifas)**

A broader report on workplace fraud trends. But we had to include one stat in particular that will be interesting to security pros...

**Key stat:**

* 13% of employees say they've sold or know someone who has sold company login details, often under the belief it's harmless.

*Read the full report* [*here*](https://www.cybersecstats.com/r/75bf9d6b?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

# Small Business Security

**Fraud, Scams, and Ransomware: Small Businesses React (Public Private Strategies Institute)**

Interesting report quantifying the real financial losses small American businesses are experiencing as a result of fraud, scams, and ransomware.

**Key stats:**

* 72% of small businesses experienced fraud, scams, or ransomware last year.
* Average losses for small businesses ranged from nearly $60,000 for payment fraud to more than $90,000 for email compromise.
* Among small businesses already targeted, 76% say AI was used in the attack.

*Read the full report* [*here*](https://www.cybersecstats.com/r/2ce8367e?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

# Industry-Specific

**Law firm trust in technology report (Integris)**

How much firms are spending on tech and how quickly they're actually putting it to use.

**Key stats:**

* 63% of law firm decision-makers report a significant email-based security breach in the past 12 months.
* 83% of law firm clients say a firm's technology sophistication affects their confidence.
* 57% of law firms reported a mobile-related breach.

*Read the full report* [*here*](https://www.cybersecstats.com/r/b0c23ab0?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

Ars Technica 4h ago

In the US, fired and laid-off workers often have their digital credentials deactivated before they learn about the loss of their jobs; indeed, the inability to log in to a corporate system may be the first an employee knows of the situation. Although not a generous or humane approach to staff reduction, it does follow from the simple fact that a fired employee with access to company systems is a security risk. Just ask the Akhter twin brothers, accused of wiping out 96 databases hosting US government information in the minutes after both were fired last year from their shared employer.

The Hacker News 6h ago
CVE

Exim has released security updates to address a severe security issue affecting certain configurations that could enable memory corruption and potential code execution. Exim is an open-source Mail Transfer Agent (MTA) designed for Unix-like systems to receive, route, and deliver email. The vulnerability, tracked as CVE-2026-45185, aka Dead.Letter, has been described as a use-after-free

r/computerforensics 7h ago

There are a lot of non-data-driven discussions around using AI in investigations. Some people think it will be amazing. Some think it's a disaster. A lot of other people are undecided. The community needs data to help navigate this and I'm hoping you can help.

We launched a challenge a couple of weeks back.

1. Submit anonymized screenshots of where AI was amazing, where it was a disaster, and where it was "meh...."
2. Our panel of judges (skeptics and advocates) will review them
3. The public will vote
4. Winners get bragging rights
5. All anonymous submissions are posted on GitHub.

Judges:

* Heather Barnhart (SANS)
* Alexis Brignoni (LEAPPS)
* Eric Capuano (Digital Defense Institute)
* Brian Carrier (Sleuth Kit Labs – Organizer)
* Filip Stojkovski (BlinkOps)

Full details are here: [https://www.cybertriage.com/blog/aidfir-2026-challenge-the-good-vs-the-ugly/](https://www.cybertriage.com/blog/aidfir-2026-challenge-the-good-vs-the-ugly/)

Please send in your best submissions!

The Hacker News 8h ago

RubyGems, the standard package manager for the Ruby programming language, has temporarily paused account sign ups following what has been described as a "major malicious attack." "We're dealing with a major malicious attack on Ruby Gems right now," Maciej Mensfeld, senior product manager for software supply chain security at Mend.io, said in a post on X. "Signups are paused for the time being.

r/InfoSecNews 8h ago

Vibe coding has the cybersecurity industry talking. As thousands of practitioners attended talks about the promise and risk of AI agents at RSAC 2026 in March, and hundreds of vendors — both legacy and startups — presented their latest AI-powered tools in the expo hall, hard questions about the impact of this technology on the field arose in the back of many attendees’ minds. At least one person expressed their thoughts on the industry’s future in the AI era by publishing a satirical website titled “RSA 2026: The Great Cooking.” [The site](https://vibecoded.vc/cooked/), which saw some circulation among social media circles, states 61.9% of RSAC 2026 exhibitors “could be replaced by a weekend of vibe-coding in Cursor.” While created with unclear methodology, and an “unhealthy amount of spite,” as its creator states, the website’s sharp criticism seemingly resonated with several cybersecurity pros seeking to cut through the noise and really understand what AI can and can’t achieve. “The Great Cooking website was great satire on the reality of the current cyber market — lots of hype, lots of wrapper companies faking it until they make it, lots of legacy companies that are going to struggle to differentiate, and a few truly differentiating cyber companies that are solving hard problems,” [Horizon3.ai](http://Horizon3.ai) CEO and Co-founder Snehal Antani, who shared the site on LinkedIn, told SC Media. Amy Chaney, SVP of technology at Citi, also praised the site as a “light-hearted review,” but said it is just that — a “funny read” and “not a buyer’s guide.”  “Many of the RSA ‘cooked’ solutions are high viability market winners, many of the exhibits labeled ‘actually hard’ will solve no problems,” Chaney said. The satire taps into a large debate already going on in cybersecurity about how AI-assisted development — or “vibe coding” — is disrupting industry norms around software creation and the state of security itself. 
Even where claims about AI’s capabilities may be exaggerated, vibe coding’s explosion in popularity is undoubtedly making its mark on security teams and in boardrooms around the world. “I’ve never seen a bigger disconnect between what investors want to hear and what CISOs are trying to solve, and unfortunately, corporate marketing has over rotated to the investor narrative instead of focusing on solving problems that matter to practitioners,” Antani said. Full article: [https://www.scworld.com/feature/vibe-coding-has-cybersecurity-asking-what-ai-can-and-cant-replace](https://www.scworld.com/feature/vibe-coding-has-cybersecurity-asking-what-ai-can-and-cant-replace)

r/cybersecurity 10h ago
AI

I'm Chris Cochran (/u/[Financial_Jicama_401](https://www.reddit.com/user/Financial_Jicama_401/)), Field CISO and VP of AI Security at SANS Institute. I'm doing an AMA today about the AI Security Maturity Model we just released.

Before you click away, this isn't a marketing deck disguised as a framework. No buzzword bingo. No "AI will solve everything" nonsense.

Here's what this actually is: a structured way to figure out where your org honestly stands on AI security, and what to do next. It covers three things: protecting your AI systems, using AI in your security operations, and governing AI across the org.

Some context on why I built this:

- I kept seeing orgs claim they were "mature" on AI security with zero documentation to back it up. A 30-person company with a real policy and an inventory spreadsheet is in a better spot than an enterprise waving around a Stage 3 label with nothing behind it.
- Most teams aren't at the same level across protect, utilize, and govern, and that gap is exactly the thing that gets you burned.
- "Don't use AI" policies don't work. They just push usage underground. The model is built around bringing AI into visibility, not pretending you can ban it.

The model has five stages, but the whole point is that not every org needs to reach Stage 5. Your target depends on your actual risk profile, not some aspirational slide deck.

It's aligned with OWASP AI Exchange, NIST AI RMF, MITRE ATLAS, EU AI Act, ISO 42001, and CSA AICM, so if you're already mapping to those, this connects the dots to what your team actually does day to day.

I've worked at Netflix, NSA, Mandiant, the U.S. House of Representatives, and Axonius before SANS. I'm also a Marine Corps vet. I've been on both sides of this, building programs from scratch and trying to secure things that were already on fire.

Ask me anything. If I don't know, I'll say so. If you think something in the model is wrong, I genuinely want to hear it. This thing gets better with practitioner feedback, not less of it.

Link to the full model: [https://go.sans.org/I9L8dM](https://go.sans.org/I9L8dM)

Let's get into it.

Cloudflare 10h ago

CUBIC, standardized in RFC 9438, is the default congestion controller in Linux, and as a result governs how most TCP and QUIC connections on the public Internet probe for available bandwidth, back off when they detect loss, and recover afterward. At Cloudflare, our open-source implementation of QUIC, quiche, uses CUBIC as its default congestion controller, meaning this code is in the critical path for a significant share of the traffic we serve. In this post, we’ll tell the story of a bug in which CUBIC's congestion window (cwnd) gets permanently pinned at its minimum and never recovers from a congestion collapse event. The story starts with a Linux kernel change aimed at bringing CUBIC into line with the app-limited exclusion described in RFC 9438 §4.2-12 — a fix to a real problem in TCP that, when ported to our QUIC implementation, surfaced unexpected behaviors in quiche. It has a happy ending: an elegant (near-)one-line fix that broke the cycle.

CUBIC's logic in a nutshell

Before we dive into the core problem, a quick refresher on CCAs may help to set the stage. The central knob a CCA turns is the congestion window (cwnd): the sender-side cap on how many bytes can be in flight (sent but not yet acknowledged) at any moment. A larger cwnd lets the sender push more data per round trip; a smaller cwnd throttles it. Every loss-based CCA, CUBIC included, is ultimately a policy for how to grow cwnd when the network looks healthy and how to shrink it when it doesn't. I

The Hacker News 10h ago

Cybersecurity researchers have flagged a new version of the TrickMo Android banking trojan that uses The Open Network (TON) for command-and-control (C2). The new variant, observed by ThreatFabric between January and February 2026, has been observed actively targeting banking and cryptocurrency wallet users in France, Italy, and Austria. "TrickMo relies on a runtime-loaded APK (dex.module),

Trail of Bits 12h ago

Go’s native fuzzing is useful, but it stands far behind state-of-the-art tooling that the Rust, C, and C++ ecosystems offer with LibAFL and AFL++. Path constraints are hard to solve. Structured inputs usually need handmade parsing. It doesn’t even detect several common bug classes, such as integer overflows, goroutine leaks, data races, and execution timeouts. So to make it better, we built gosentry, a fuzzing-oriented fork of the Go toolchain that keeps the standard testing.F workflow while using a stronger fuzzing stack underneath to tackle those issues. With gosentry, go test -fuzz uses LibAFL by default. It can fuzz structs natively, run grammar-based fuzzing with Nautilus, detect bug classes that it couldn’t detect before, and create a fuzzing campaign coverage report in one command. If you already have Go fuzz harnesses, you don’t need to rewrite them. Point them at gosentry’s binary and you get all of the above through the same go test -fuzz interface, with a few new flags:

./bin/go test -fuzz=FuzzHarness --focus-on-new-code=false --catch-races=true --catch-leaks=true

Figure 1: Basic gosentry usage

gosentry keeps the harness API and changes the engine and the surrounding tooling — you

The Hacker News 12h ago

Agentic AI is already running in production environments across many organizations today. It is executing tasks, consuming data, and taking actions — most likely without meaningful involvement from the security team. The industry conversation has largely framed this as a question of policy: allow it, restrict it, or monitor it? However, that framing misses the point. The more urgent

Heimdal Security 13h ago

COPENHAGEN, DENMARK, 12 May 2026 — Heimdal’s managed SOC processes three million alerts a month. In the year ahead, fewer than 500 of those, less than 0.02%, are expected to need a human analyst. That’s the forecast from Heimdal founder Morten Kjaersgaard, based on the trajectory of AI Wingman SOC as it absorbs the bulk […] The post AI Will Absorb 99.98% of SOC Triage Within a Year, as 79% of IT teams brace for AI-driven workload shift appeared first on Heimdal Security Blog.

r/netsec 14h ago
CVE

A pre-auth remote code execution vulnerability was found in the CWMP implementation of ipTIME routers, allowing unauthenticated attackers to execute arbitrary code remotely.

The Hacker News 15h ago

American educational technology company Instructure, the parent company of Canvas, said it reached an "agreement" with a decentralized cybercrime extortion group after it breached its network and threatened to leak stolen information from thousands of schools and universities. In an update shared on Monday, the Utah-based firm said it "reached an agreement with the unauthorized actor involved in

The Hacker News 16h ago

OpenAI has launched Daybreak, a new cybersecurity initiative that brings together frontier artificial intelligence (AI) model capabilities and Codex Security to help organizations identify and patch vulnerabilities before attackers find a way in using the same issues. "Daybreak combines the intelligence of OpenAI models, the extensibility of Codex as an agentic harness, and our partners across

The Hacker News 17h ago

Apple on Monday officially released iOS 26.5 with support for end-to-end encryption (E2EE) to Rich Communication Services (RCS) in beta as part of a "cross-industry effort" to replace traditional SMS with a more secure alternative. To that end, E2EE RCS messaging is rolling out to iPhone users running iOS 26.5 with supported carriers and Android users on the latest version of Google Messages.

Monday, May 11
Troy Hunt May 11

Today, we welcome the 43rd government onboarded to Have I Been Pwned's free gov service, Bangladesh. The BGD e-GOV CIRT department now has full access to query all their government domains via API, and monitor them against future breaches. Bangladesh joins a growing list of national governments using HIBP to help protect their public sector digital assets, and we look forward to supporting their efforts to identify exposure of government email addresses in data breaches and respond quickly when new incidents appear.

Bleeping Computer May 11

A security researcher has released a proof-of-concept tool named GhostLock that demonstrates how a legitimate Windows file API can be abused in attacks to block access to files stored locally or on SMB network shares. [...]

Synack May 11

Key Takeaways

Sara Pentest and Sara Pentest+ Are Now Generally Available

Since releasing Sara Pentest as general availability earlier this month, we’ve also shipped a set of platform updates that make it easier to scope, launch, and act on Sara findings at scale. This post walks through what’s new with the Synack PTaaS platform, and […] The post What’s New with Sara Pentest: Closing the Coverage Gap, One Test at a Time appeared first on Synack.

The Hacker News May 11

Checkmarx has confirmed that a modified version of the Jenkins AST plugin was published to the Jenkins Marketplace. "If you are using Checkmarx Jenkins AST plugin, you need to ensure that you are using the version 2.0.13-829.vc72453fa_1c16 that was published on December 17, 2025 or previously," the cybersecurity company said in a statement over the weekend. As of writing, Checkmarx has released

The Hacker News May 11

A threat actor named Mr_Rot13 has been attributed to the exploitation of a recently disclosed critical cPanel flaw to deploy a backdoor codenamed Filemanager on compromised environments. The attack exploits CVE-2026-41940, a vulnerability impacting cPanel and WebHost Manager (WHM) that could result in an authentication bypass and allow remote attackers to gain elevated control of the control

CERT/CC May 11

Overview

dnsmasq is affected by multiple memory safety and input validation vulnerabilities, including heap buffer overflows, heap corruption, and code execution flaws. Collectively, these vulnerabilities enable attackers to poison cached DNS records, bypass security controls, crash the dnsmasq process, or under certain conditions, achieve local privilege escalation. dnsmasq has released version 2.92rel2 to fix the vulnerabilities.

Description

dnsmasq is an open-source networking tool that provides DNS forwarding, DHCP, and network boot services for small-to-medium sized networks and home routing devices. It can also function as a DNS resolver, which is the primary exploitation use case for several of the vulnerabilities described below, tracked collectively as CVE-2026-2291, CVE-2026-4890, CVE-2026-4891, CVE-2026-4892, CVE-2026-4893, and CVE-2026-5172.

CVE-2026-2291

dnsmasq's extract_name() function can be abused to cause a heap buffer overflow, enabling an attacker to inject false DNS cache entries. This could cause DNS queries to be redirected to attacker-controlled IP addresses or result in a Denial of Service (DoS).

CVE-2026-4890

An infinite-loop flaw in the DNSSEC validation of dnsmasq allows remote attackers to cause Denial of Service (DoS) conditions via a crafted DNS packet.

CVE-2026-4891

A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to leak memory information via a crafted DNS packet.

CVE-2026-4892

A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root pr

The Hacker News May 11

Google on Monday disclosed that it identified an unknown threat actor using a zero-day exploit that it said was likely developed with an artificial intelligence (AI) system, marking the first time the technology has been put to use in the wild in a malicious context for vulnerability discovery and exploit generation. The activity is said to be the work of cybercrime threat actors who appear to

CERT/CC May 11
CVE

Overview

Casdoor contains an arbitrary file write vulnerability in the implementation of its "Local File System" storage provider. Due to insufficient sanitization of user-supplied paths, an authenticated user with file upload permissions can escape the intended storage directory and write files elsewhere on the target filesystem. The vulnerability allows attackers to bypass Casdoor’s storage sandbox and perform unauthorized actions with the privileges of the Casdoor runtime user.

Description

Casdoor is an open-source identity and access management (IAM) platform and Model Context Protocol (MCP) gateway that provides authentication, single sign-on, and multi-protocol identity services for applications. Internally, it uses its Local File System storage provider to save files to a dedicated $CASDOOR/files/ directory. During a file upload via the /api/upload-resource endpoint, the Casdoor application determines the target storage filepath by concatenating the user-supplied parameters pathPrefix and fullFilePath. However, values provided for pathPrefix are not properly sanitized, so directory traversal sequences such as ../../ are accepted without any integrity or permission checks beyond those of the OS user running the Casdoor process. The application does not verify that the destination filepath remains inside the dedicated storage directory, and it will create or overwrite any file that the Casdoor process has permission to modify.

CVE-2026-6815

An arbitrary file write vulnerability exists in Casdoor's Local File System storage provider. Due to insufficient path sanitization, an authenticated attacker with file upload privileges can perform a path tra

The DFIR Report May 11

The EtherRAT malware family was first reported by Sysdig back in December 2025. At that time, the initial access vector was exploitation of CVE-2025-55182 (React2Shell) targeting Linux servers. In March 2026, a Windows variant campaign was reported by Atos, with their investigation showing evidence of activity going back to the previous December. In April, we […] The post Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware appeared first on The DFIR Report.

r/Malware May 11

**IOCX v0.7.3 — deterministic PE structural validation for reproducible malware analysis**

A recurring issue in malware research is the lack of determinism in PE parsing. Small deviations in malformed headers, inconsistent RVA→file‑offset resolution, truncated sections, or ambiguous directory boundaries often lead different parsers—and even different versions of the *same* parser—to produce divergent structural interpretations. This undermines reproducibility, complicates longitudinal tracking of families that exploit PE edge cases, and introduces noise into automated pipelines.

IOCX v0.7.3 addresses this by implementing a fully deterministic structural‑validation framework for PE files. The validator stack has been written around explicit, conservative rules governing entrypoint resolution, section‑table integrity, RVA‑graph consistency, TLS callback validation, signature‑directory bounds, and entropy classification. All decisions are derived from strict structural criteria rather than heuristic fallbacks. The result is a parser that produces stable, reproducible outputs across environments, versions, and malformed samples.

**Same input → same structural interpretation → same anomaly set.**

For researchers working with adversarial PEs, loader‑abuse techniques, or large‑scale corpora where methodological consistency matters, this release may be of interest.

IOCX v0.7.3 is available on PyPI: `pip install iocx`

[https://pypi.org/project/iocx/](https://pypi.org/project/iocx/)
[https://github.com/iocx-dev/iocx](https://github.com/iocx-dev/iocx)

**Deterministic by design.**

The Hacker News May 11

Rough Monday. Somebody poisoned a trusted download again, somebody else turned cloud servers into public housing, and a few crews are still getting into boxes with bugs that should’ve died years ago — the same old holes, same lazy access paths, same “how the hell is this still open” feeling. One report this week basically reads like a guy tripped over root access by accident and decided to stay

The Guardian May 11

Health service has given US tech firm ‘unlimited access’ to certain data to build integrated platform, according to reports. MPs have warned that an NHS decision to grant Palantir access to identifiable patient information in its plan to use AI to improve the health service is “dangerous” and will fuel public fears that data privacy is not being prioritised. NHS England has allowed staff from the US tech firm and other contractors to access patient data before it has been pseudonymised, despite internal fears of a “risk of loss of public confidence”, the Financial Times reported.

The Hacker News May 11

Defending a network at 2 am looks a lot like this: an analyst copy-pasting a hash from a PDF into a SIEM query. A red team script is being rewritten by hand so the blue team can use it. A patch waiting on a change-approval window that's longer than the exploitation window itself. Nobody in that chain is incompetent. Every human is doing their job correctly. The problem is the system, its

r/netsec May 11

I recently published a security research post on the myAudi connected vehicle platform. I found that anyone with a VIN can access sensitive information about the car and its ownership. I think the topic is useful beyond Audi itself, because many vendors now rely on these “connected vehicle” platforms and mobile apps, often with very similar architectures and assumptions

The Hacker News May 11

A malicious Hugging Face repository managed to take a spot in the platform's trending list by impersonating OpenAI's Privacy Filter open-weight model to deliver a Rust-based information stealer to Windows users. The project, named Open-OSS/privacy-filter, masqueraded as its legitimate counterpart released by OpenAI late last month (openai/privacy-filter), including copying the entire description

r/ReverseEngineering May 11

To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.

Compass Security May 11

I’m happy to announce that we are releasing the beta version of RAPTR, a fully open source, API driven collaboration platform built specifically for red and purple team engagements. Check out the code on GitHub, read the docs, or try out the latest build at our sandbox.

Why I built it

Up until recently, our team relied on PurpleOps for our Purple Team engagements. It’s a solid tool and served as a good starting point for us. Eventually, we needed more out of it, so we maintained our own custom f

Sunday, May 10
Troy Hunt May 10

Well, it's the day before the Instructure "pay or leak" deadline (at least by my Aussie watch), and the company remains removed from the ShinyHunters website. In its place sits a press statement that amounts to "we're not making any statements". So did they pay? And if so, what lofty figure would an incident of this scale command? The lawsuits are already being prepared (search for "instructure class action lawsuit"), so perhaps that will be the catalyst for transparency. What a crazy time.

r/netsec May 10

Across all major ShinyHunters campaigns (AT&T/Snowflake, Salesforce, Canvas/Instructure), only one event has both a publicly stated payment amount and a known approximate settlement date: the May 2024 AT&T payment of ~5.7 BTC (~$370K), confirmed by *Wired* but never published with a transaction hash. I use that as the analytical anchor for an end-to-end on-chain analysis using only free public data.

**Pipeline (5 stages):**

1. BigQuery bulk filter on amount and time window → 500 candidates.
2. Recipient profiling via Blockstream Esplora (lifetime tx count, spend shape).
3. Sender-side cluster analysis using common-input ownership; looking for broker-aggregation patterns.
4. Depth-12 concurrent forward trace, top-K=4 fan-out.
5. Terminal attribution via OKLink, BitInfoCharts, WalletExplorer.

**Result:** A single highest-fit candidate: 5.71997804 BTC paid 2024-05-17 22:04 UTC to a fresh recipient, spent in 6 min, laundered through a 6-cycle automated peel chain, terminating at an exchange deposit cluster. Funding side shows broker-aggregation fingerprint (4× 1.147 BTC peels in a 90-min window pre-payout). Upstream hub addresses appear reused across multiple victims of the same laundering service, active through 2025. Paper closes with the legal pathway from chain endpoint to indictment and a scoped compliance-request template.

**Limitations (explicit in §5):** Ranking under a scoring scheme, not positive ID. No off-chain ground truth. Documented OKLink vs. Arkham label conflict on the dominant terminal, resolved via behavioural audit. No formal null-distribution analysis yet. Score weights are author judgements.

**Asking for:**

1. Technical feedback / methodology critique.
2. arXiv cs.CR endorsement — endorsement code: **ZQXBSQ**

[github.com/tr4m0ryp/shinyhunters-gotta-catch-em-all/blob/main/Gotta_Catch_Em_All_ShinyHunters.pdf](http://github.com/tr4m0ryp/shinyhunters-gotta-catch-em-all/blob/main/Gotta_Catch_Em_All_ShinyHunters.pdf)

Tooling and dataset released for reuse

r/computerforensics May 10

I am proud to announce the release of **Crow-Eye v0.10.0**. This milestone marks the official launch of **The Eye**, a robust intelligence layer designed to integrate your own AI agents directly into **Crow-Eye**. This isn't just a regular update; it’s a massive milestone for us. My goal from day one has been to build an ecosystem that doesn't just chase known signatures, but actually gives investigators the power to hunt zero-days. But as we celebrate this release and introduce our new AI layer, we need to talk about the elephant in the room.

# The Problem with AI in Forensics

There’s a huge rush right now to slap AI onto cybersecurity tools, and honestly, a lot of it is dangerous. We are seeing "black box" solutions where investigators feed raw data into an LLM and just trust the answers it spits out. In DFIR, an AI hallucination can ruin a case. An answer without mathematical, binary proof is worthless. If an AI agent cannot anchor its reasoning to exact offsets, hashes, and unmanipulated timestamps, we cannot trust it. To fix this, I realized we had to architect a system where the AI is bound by the exact same strict evidentiary rules as a human analyst.

# The Starting Line: Automated Triage

Before the AI even wakes up, Crow-Eye does the heavy lifting. When you launch **The Eye**, the platform immediately runs a high-speed Automated Triage phase. It queries the underlying SQLite databases to map out the ground truth: active users, execution histories, accessed files, USB devices, and Auto Run configs. This builds a comprehensive **Initial Report**. This report isn't the final investigation; it’s the baseline. It’s the verified starting line before we let the AI touch the data.

# The Brain of "The Eye"

I believe you should have total control over your data and your analytical "brain." That’s why The Eye is completely modular. You can plug in whatever intelligence fits your environment:

* **Cloud AI Models:** Hook up your public API keys for high-performance reasoning.
* **Offline Servers & Local Inference:** For air-gapped labs where privacy is non-negotiable.
  * *Dev Note:* A lot of my testing and development for The Eye was actually done using **LM Studio** and Google’s open-weights models (like the **Gemma** family). If you're a solo investigator, running Gemma locally on your own machine is incredibly powerful. Just a tip: push your context window as high as possible to handle the dense forensic payloads!
* **CLI Agents:** If you are a developer or researcher, you can hook up your own custom-built local agents, or seamlessly pipe in tools like **Claude Code** and the **Gemini CLI**.

# Keeping the AI Honest: The Ghassan Elsman Protocol (GEP)

Triage gives us the data, but the **Ghassan Elsman Protocol (GEP)** ensures the AI doesn't mess it up. The GEP is a strict set of rules hardcoded into the workflow to maintain a perfect chain of custody:

1. **Case Awareness:** The Initial Report is injected directly into the prompt to ground the AI in reality.
2. **Pre-Flight Ping:** Validates backend connectivity to stop silent failures.
3. **Evidence Anchoring:** Automatically tags and preserves raw hashes, IPs, and timestamps in the chat history.
4. **Chain of Custody:** Every truncation or data preservation event is meticulously logged.
5. **Non-Repudiation:** Messages are assigned deterministic, hash-linked IDs so records can't be altered.
6. **Context Pinning:** Critical evidence is locked and excluded from automated AI summarization.
7. **Tool Traceability:** Every tool the AI uses (like querying LOLBAS) is logged with exact execution counts.
8. **Machine-Readable Synthesis:** You get a clean JSON audit trail at the end to prove compliance.

# What's Next: Bridging Analysis and Anatomy

While The Eye handles the high-speed analysis, our educational hub, **Eye Describe**, In upcoming updates, we are going to start building a bridge between these two tools. The goal is to gradually integrate visual references alongside the AI's findings. We want to reach a point where the AI doesn't just give you an answer, but helps point you toward the structural anatomy of the artifact it analyzed. It’s an iterative, ongoing project, but we believe it is an important step toward total forensic transparency.

This is the very first release of The Eye. You might hit a few bumps connecting to certain local backends or managing specific CLI tools, but we are actively squashing bugs and refining the experience over the next few weeks. Please submit any issues you find! The latest source code and release are available right now on our GitHub. For those waiting for the compiled `.exe` version, it will be dropping very soon on our official website.

**GitHub:** [https://github.com/Ghassan-elsman/Crow-Eye](https://github.com/Ghassan-elsman/Crow-Eye)

**good hunting**

The Hacker News May 10
CVE

Cybersecurity researchers have disclosed a critical security vulnerability in Ollama that, if successfully exploited, could allow a remote, unauthenticated attacker to leak its entire process memory. The out-of-bounds read flaw, which likely impacts over 300,000 servers globally, is tracked as CVE-2026-7482 (CVSS score: 9.1). It has been codenamed Bleeding Llama by Cyera. Ollama is a

r/netsec May 10

The traditional vulnerability disclosure timeline relies on a fundamental assumption: exploit development and vulnerability discovery take time. Over the last 12 months the integration of LLMs into offensive tooling has demonstrably broken this assumption. I recently published a technical write-up arguing that the 90-day disclosure window is effectively dead, backed by three specific observations from recent incidents:

1. **Automated Diff Analysis (30-minute n-days):** The safety net between a patch release and an in-the-wild exploit is gone. Taking a recent React security patch (CVE-2026-23870), I used an LLM to analyze the diff, identify the vulnerable path, and write a working DoS PoC in roughly 30 minutes. The human reverse-engineering bottleneck has been bypassed.
2. **Vulnerability Convergence:** I recently reported a critical P0 to a vendor and was told I was the 11th reporter in 6 weeks. LLM-assisted scanners are causing independent researchers to converge on the same bugs simultaneously. An embargo no longer contains the vulnerability; it simply provides a head start to whichever threat actor also found it.
3. **The Linux Kernel (Copy Fail & Dirty Frag):** The recent kernel exploits highlight this perfectly. Copy Fail (CVE-2026-31431) went from an automated AI scan to a public PoC to nation state weaponization in days. Shortly after, the embargo for Dirty Frag (CVE-2026-43284 / CVE-2026-43500) was broken in hours because an unrelated third party independently discovered the same bug class using similar tooling.

The defense cannot operate on monthly cycles when the offense is operating in hours. The focus needs to shift to real-time, PR-level AI scanning to match the pace.

You can read the full technical breakdown and case studies on my blog: [https://blog.himanshuanand.com/2026/05/the-90-day-disclosure-policy-is-dead/](https://blog.himanshuanand.com/2026/05/the-90-day-disclosure-policy-is-dead/)

I am curious if the researchers here are experiencing similar convergence rates or if you view this as a temporary anomaly while legacy codebases are scanned with new tools.

Saturday, May 9
WIRED May 9

Plus: Meta officially kills encrypted Instagram DMs, the Trump administration targets “violent left wing extremists,” leaked documents reveal Russia's school for elite hackers, and more.

The Hacker News May 9
CVE

cPanel has released updates to address three vulnerabilities in cPanel and Web Host Manager (WHM) that could be exploited to achieve privilege escalation, code execution, and denial-of-service. The list of vulnerabilities is as follows - CVE-2026-29201 (CVSS score: 4.3) - An insufficient input validation of the feature file name in the "feature::LOADFEATUREFILE" adminbin call that could result

Friday, May 8
r/netsec May 8

Existing benchmarks for LLM-based vulnerability detection compress model performance into a single metric, which fails to reflect the distinct priorities of different stakeholders. For example, a CISO may emphasize high recall of critical vulnerabilities, an engineering leader may prioritize minimizing false positives, and an AI officer may balance capability against cost. To address this limitation, we introduce SecLens-R, a multi-stakeholder evaluation framework structured around 35 shared dimensions grouped into 7 measurement categories. The framework defines five role-specific weighting profiles: CISO, Chief AI Officer, Security Researcher, Head of Engineering, and AI-as-Actor. Each profile selects 12 to 16 dimensions with weights summing to 80, yielding a composite Decision Score between 0 and 100. We apply SecLens-R to evaluate 12 frontier models on a dataset of 406 tasks derived from 93 open-source projects, covering 10 programming languages and 8 OWASP-aligned vulnerability categories. Evaluations are conducted across two settings: Code-in-Prompt (CIP) and Tool-Use (TU). Results show substantial variation across stakeholder perspectives, with Decision Scores differing by as much as 31 points for the same model. For instance, Qwen3-Coder achieves an A (76.3) under the Head of Engineering profile but a D (45.2) under the CISO profile, while GPT-5.4 shows a similar disparity. These findings demonstrate that vulnerability detection is inherently a multi-objective problem and that stakeholder-aware evaluation provides insights that single aggregated metrics obscure.

CERT/CC May 8

Overview

A privilege escalation vulnerability has been discovered in Linux kernel versions 4.17 (released 2017) and later. Many popular distributions and Linux-based containers are affected. This vulnerability was publicly disclosed on April 29, 2026, has been assigned CVE ID CVE-2026-31431, and is commonly referred to as "Copy Fail."

Description

The Linux kernel, since version 4.17, includes the algif_aead module, which provides user space access to authenticated encryption with associated data (AEAD) operations via the AF_ALG interface. This module may be available as a loadable kernel module or compiled directly into the kernel, depending on the Linux distribution or the custom built Linux install. According to the https://copy.fail disclosure statement: "An unprivileged local user can write 4 controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root." The vulnerability is caused by a logic flaw in the Linux kernel’s algif_aead (AF_ALG) implementation. An unprivileged local user can reliably perform a controlled 4-byte write into the page cache of any readable file without race conditions or timing dependencies. Critically, the corrupted page is not marked dirty, so the modified contents are never written back to disk. The underlying file remains unchanged, allowing the in-memory corruption to bypass checksum and file integrity verification mechanisms. Because subsequent reads are served from the page cache, an attacker can target a setuid binary and modify it

The Hacker News May 8

Threat hunters have flagged a previously undocumented Brazilian banking trojan dubbed TCLBANKER that's capable of targeting 59 banking, fintech, and cryptocurrency platforms. The activity is being tracked by Elastic Security Labs under the moniker REF3076. The malware family is assessed to be a major update of the Maverick family, which is known to leverage a worm called SORVEPOTEL to

r/Malware May 8

JDownloader is compromised!

* The replaced malicious executable contains the official and benign JDownloader in resources along with an XOR encrypted blob also available in resources
* The encrypted blob after 8 minutes of waiting to prevent sandbox noise is decrypted and executed, the next stage contains also several XOR encrypted resources and the official Python installer
* After decrypting resources, they contain PyArmor encrypted file and PyArmor runtime
* Delivers sophisticated Python remote access malware

See AnyRun execution chain along with the 8 minute wait before the payload starts: [https://app.any.run/tasks/e0cecc2d-5571-49fe-a549-cc7d1b8b5908](https://app.any.run/tasks/e0cecc2d-5571-49fe-a549-cc7d1b8b5908)

IOCs:

* Initial delivered installer -> 5a6636ce490789d7f26aaa86e50bd65c7330f8e6a7c32418740c1d009fb12ef3
* Stage 2 payload -> 77a60b5c443f011dc67ace877f5b2ad7773501f3d82481db7f4a5238cf895f80
* PyArmor encrypted blob: 5fdbee7aa7ba6a5026855a35a9fe075967341017d3cb932e736a12dd00ed590a
* hxxps://parkspringshotel\[.\]com/m/Lu6aeloo.php (most likely another compromised URL)
* hxxpx://auraguest\[.\]lk/m/douV2quu.php (most likely another compromised URL)

WIRED May 8

With the launch of the first 16 satellites, Russia begins construction of a network for satellite internet that aims to cover the entire country by 2030. But getting there won’t be easy.

Krebs on Security May 8

An ongoing data extortion attack targeting the widely-used education technology platform Canvas disrupted classes and coursework at school districts and universities across the United States today, after a cybercrime group defaced the service’s login page with a ransom demand that threatened to leak data from 275 million students and faculty across nearly 9,000 educational institutions. A screenshot shared by a reader showing the extortion message that was shown on the Canvas login page today. Canvas parent firm Instructure responded to today’s defacement attacks by disabling the platform, which is used by thousands of schools, universities and businesses to manage coursework and assignments, and to communicate with students. Instructure acknowledged a data breach earlier this week, after the cybercrime group ShinyHunters claimed responsibility and said they would leak data on tens of millions of students and faculty unless paid a ransom. The stated deadline for payment was initially set at May 6, but it was later pushed back to May 12. In a statement on May 6, Instructure said the investigation so far shows the stolen information includes “certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users.” The company said it found no evidence the breached data included more sensitive information, such as passwo

Thursday, May 7
WIRED May 7

Chrome users were caught off guard by a 4-GB Google AI model baked into Chrome, sparking privacy concerns. The good news: You can easily uninstall it. The bad? You might not want to.

Cloudflare May 7

This afternoon, we sent the following email to our global team. One of our core values at Cloudflare is transparency, and we believe it's important that you hear this directly from us because it’s a major moment at Cloudflare. Team: We are writing to let you know directly that we’ve made the decision to reduce Cloudflare’s workforce by more than 1,100 employees globally. The way we work at Cloudflare has fundamentally changed. We don’t just build and sell AI tools and platforms. We are our own most demanding customer. Cloudflare’s usage of AI has increased by more than 600% in the last three months alone. Employees across the company from engineering to HR to finance to marketing run thousands of AI agent sessions each day to get their work done. That means we have to be intentional in how we architect our company for the agentic AI era in order to supercharge the value we deliver to our customers and to honor our mission to help build a better Internet for everyone, everywhere. Today is a hard day. This decision unfortunately means saying goodbye to teammates who have contributed meaningfully to our mission and to building Cloudflare into one of the world’s most successful companies. We want to be clear that this decision is not a reflection of the individual work or talent of those leaving us. Instead, we are reimagining every internal process, team, and role across the company. Today’s actions are not a cost-cutting exercise or an assessment of individuals’ performance; they are about Cloudflare defining how a world-class, high-growth company operates and creates value in the agentic AI era. This is a moment we need to own as founders and leaders of the company. Matthew has personally sent out every offer letter we've extended. It is a practice he has always looked forward to because it represented our growth and the incredible talent joining our mission. It didn’t feel rig

Cloudflare May 7
CVE

On April 29, 2026, a Linux kernel local privilege escalation vulnerability was publicly disclosed under the name "Copy Fail" (CVE-2026-31431). Cloudflare’s Security and Engineering teams began assessing the vulnerability as soon as it was disclosed. We reviewed the exploit technique, evaluated exposure across our infrastructure, and validated that our existing behavioral detections could identify the exploit pattern within minutes. There was no impact to the Cloudflare environment, no customer data was at risk, and no services were disrupted at any point. Read on to learn how our preparedness paid off.

Background

Our Linux kernel release process

Cloudflare operates a global Linux server infrastructure at an immense scale, with datacenters located across 330 cities. We maintain a custom Linux kernel build based on the community's Long-Term Support (LTS) versions to manage updates effectively at this volume. At any given time, we may utilize multiple LTS versions from various series, such as 6.12 or 6.18, which benefit from extended update periods. The community regularly merges and releases security and stability updates which trigger an automated job to generate a new internal kernel build approximately every week. These builds undergo testing in our staging data centers to ensure stability before a global rollout. Following a successful release, the Edge Reboot Release (ERR) pipeline manages a systematic update and reboot of the edge infrastructure on a four-week cycle. Our control plane infrastructure typically adopts the most recent kernel, with reboots scheduled according to specific workload requir

Wednesday, May 6
Cloudflare May 6

On May 5, 2026, at roughly 19:30 UTC, DENIC, the registry operator for the .de country-code top-level domain (TLD), started publishing incorrect DNSSEC signatures for the .de zone. Any validating DNS resolver receiving these signatures was required by the DNSSEC specification to reject them and return SERVFAIL to clients, including 1.1.1.1, the public DNS resolver operated by Cloudflare. The country-code top-level domain for Germany, .de, is one of the largest on the Internet. On Cloudflare Radar, it consistently ranks among the most broadly queried TLDs globally. An outage at this level of the DNS hierarchy has the potential to make millions of domains unreachable. In this post, we’ll walk through what we saw, the impact of these events, and how we applied temporary mitigations while DENIC resolved the issue.

How DNSSEC works

DNSSEC (Domain Name System Security Extensions) adds cryptographic authentication to DNS. When a zone is signed with DNSSEC, each set of records is accompanied by a digital signature known as an RRSIG record that lets a resolver verify the records haven’t been tampered with. Unlike encrypted DNS protocols, such as DNS over TLS (DoT) and DNS over HTTPS (DoH), DNSSEC is about integrity, not privacy. The records are visible, but their authenticity can be proven. What makes DNSSEC unique is that the signatures travel together with the records they protect. This means int

WIRED May 6

It's not just you. Scammers, hackers, and other cybercriminals are complaining about “AI shit” flooding platforms where they discuss cyberattacks and other illegal activity.

r/computerforensics May 6
APT

BSides can often be the one place where you can find the most obscure talks about a technical detail. For example, "Edge Device Memory Forensics" by Richard Tuffin or maybe "Forensic analysis of privacy focused mobile browsers" by Lorena Carthy and Ruben Jernslett. Finding them is the hard part. I built a website that tracks all BSides chapters, all 8575 videos, fetches transcripts, indexes them by technology, speakers, events, tools, protocols, standards, and much more. It is free, no login, no ads, no tracking beyond basic visits (no cookies). And I'm planning to keep it so. Check out the forensics talks at [https://allbsides.com/talks.html?q=forensics](https://allbsides.com/talks.html?q=forensics), and let me know if you find the site useful or spot anything missing. Genuinely happy to receive feedback!

r/Malware May 6

Someone hacked the deadmau5 Discord server by virusing an admin. Said admin gave me the malware sample. Used Claude Sonnet 4.6 in combination with nyxstrike MCP framework to decompile and decrypt their obfuscated code, finding a goldmine. Title speaks for itself. The Discord bot token could possibly have led to their CNC. But logging into the Discord bot token to check for communications and see where it leads breaks 2 federal laws alone that I can think of. I did validate the token was live however, and matched it to a bot account. I also have discovered the webhook and token that was in the malware, both of them have been nuked (not by me). So, I checked their domain that they've been using, and they recompiled and reuploaded it. So it's 26 bytes larger. I suspect they replaced the webhook URL and the bot token with fresh ones, and suspect further that Discord nuked the previous ones themselves. Nevertheless, I have personally not seen malware like this on GitHub, so this must have been private and not some skid level stuff. I know it was Turkish (at least the devs were). [Github](https://github.com/destiny-creates/goxlr.net-malware) link attached for the source code including the deobfuscated malware classes, and the analysis/report. Don't flame me, it's still pretty cool 😆. Cracking the zkm encryption would have taken weeks (I'm a Python guy not a JS guy). Nyxstrike + Sonnet 4.6 = 1.5 hours and it's cracked.

Troy Hunt May 6

It's a fascinating display of leverage: the ShinyHunters folks, with very limited resources and experience (their demographic will be teenagers to their early 20s), consistently gaining access to the data of massive brands. Not through technical ingenuity alone (although I'm sure there's a portion of that), but primarily through good ol' social engineering. That's coming through in the disclosure notices from the impacted companies, and Mandiant has a good write-up of it too: “These operations primarily leverage sophisticated voice phishing (vishing) and victim-branded credential harvesting sites to gain initial access to corporate environments by obtaining single sign-on (SSO) credentials and multi-factor authentication (MFA) codes.” Question now is how long their run will go for. There's a very predictable ending if things keep going in this direction but right now, they show little sign of abating.

Tuesday, May 5
r/computerforensics May 5

Hi all — finally pushed this public after several months of work. Sharing here because this subreddit is where I'd want feedback from before anywhere else.

**WAInsight** — https://github.com/akhil-dara/WAInsight (MIT)

**Scope.** It doesn't extract data from a phone — that's a separate step with whatever acquisition workflow you already use. WAInsight starts after acquisition. Point it at a folder containing `msgstore.db` + `wa.db` + `Media/` + `Avatars/` and it ingests everything through a 29-stage pipeline into a normalised `analysis.db` (47 indexed tables), then opens a 30-page Qt desktop UI to actually work the case.

**Why.** I wanted analysis to be the primary deliverable, not the report. So the UI is built around browsing every chat exactly like opening WhatsApp itself — home-style conversation list, bubbles with edits / revokes / replies / reactions / receipts / forwarded badges / mention chips / pinned-message strip — with forensic provenance one click away on every bubble. Reports are a snapshot of what was found, not the destination.

**Capabilities, grouped by what you're actually trying to do:**

*Reading the timeline*

- Forensic ℹ button on every bubble: msgstore source IDs, every SQL row that fed the bubble, origination flags decoded, per-recipient receipt timeline (delivered / read / played, ms-precise).
- Ghost-message recovery from `message_quoted_text` (deleted-for-everyone messages reconstructed inline next to the revoked bubble).
- Edit history per message — every revision side-by-side.
- Reply chains as click-through badges with cross-conversation "Go to original" jumps.
- 60+ system events decoded (group / security / admin / privacy / business / ephemeral) instead of opaque type codes.
- Calendar with per-day message counts shown flight-fare style; click+drag to range-filter.
- Windowed-flat virtual scroller for chats with 5K+ messages — jumping to message #47K in a 47K-message chat is O(1).

*Media analysis*

- Folder-shaped Media Dashboard that scales to 200K+ rows at `file://` (sharded AVIF thumbs + chunked metadata + vendored UI engine, sub-millisecond bitset crossfilter). Cascading filters: conversation × sender × MIME × extension × status × date.
- Perceptual visual search across the whole case — drop a screenshot, get Exact / Near-Exact / Near-Duplicate / Template-Match tiers (pHash + dHash + edge-map).
- Camera-original → WhatsApp tracking: feed an original from `DCIM/`, find every chat that photo was sent in even after WhatsApp's recompression changed the SHA-256.
- View-once images and voice notes downloadable from the bubble even after on-device expiry (CDN URL + media_key, AES-CBC + HMAC).
- Hash-link auto-rescue: missing media that shares a SHA-256 with another message's on-disk media gets auto-resolved (tagged `recovery_method='hash_linked'`, never confused with a real local copy).
- `wa.db` thumbnail blob rendered as fallback when even the bytes are gone.
- HD/SD twin pairs surfaced inline with cross-jumps.
- Cross-chat propagation: right-click any media → every chat that shared the same SHA-256, chronologically. Says where the bytes were *first seen*, not just where they were last forwarded.
- 12-state media recovery taxonomy preserved in every report and dashboard (`original` / `downloaded` / `hash_linked` / `orphan_recovered` / etc.).
- Orphaned-media browser: files in `Media/` with no surviving message row + auto-rescue against surviving message hashes.

*Identity & devices*

- Per-message platform attribution from `key_id` — every bubble carries an inline tag (Android / iPhone / Web/Desktop / Companion #N), confidence-scored. The classifier was its own separate research piece — collected `key_id` samples across real devices on Android, iPhone, Web, and linked companions until the rules held up. Powers the Group Report's *Device Platform Usage* breakdown and the contact's *Device Sessions* tab.
- Unified contact registry merged from 5 sources (`jid_map` ∪ `wa_contacts` ∪ `lid_display_name` ∪ group labels ∪ mention names) so every JID resolves to one canonical identity.
- Owner-aware everywhere — `sender_id IS NULL` for owner messages gets joined to `case_metadata` so owner activity never surfaces as "Unknown" anywhere in the UI or reports.

*Groups & communities*

- Past-participant reconstruction from 3 sources: `group_past_participant` ∪ `group_member.is_current=0` ∪ message-presence inference (catches members the roster purged after a long enough gap).
- Owner can-post / can-edit banner on every Group Info page, sourced from `chat.participation_status` + admin flags.
- Community LID resolution + comment-author resolution even when WhatsApp only stored the LID.
- Group Edit History with profile-picture diff.

*Calls*

- Synthetic call reconstruction: calls that have no `message` row in their conversation get virtual rows so they render in every participant's chat timeline at the right position. Group voice chats appear inside the group's chat even when WhatsApp didn't write a message row for them.

*Cross-case pivots*

- Cross-Contact Analysis: pick 2+ contacts, instantly see shared groups, calls between them, file SHA-256 hashes any of them shared in common, cross @-mentions, every conversation any of them appears in. Owner is a first-class pickable contact.
- FTS5 global search with sender / conversation / date / ghost filters; results panel as a sidebar inside the chat with click-to-jump highlights.

*Reports & handoff*

- Per-group landscape-A4 PDF/HTML report: case+evidence provenance banner with source-DB SHA-256 hashes, group identity, owner role, top contributors / forwarders, device platform split, mentions network, activity heatmap, calls, locations (with live-share start/final coords), message-type taxonomy (Type 64/82/90/92/112/116 etc. mapped to readable labels), bot activity, former members.
- Per-contact report with section picker.
- Offline HTML viewer bundle — single ZIP, opens from `file://` with no Python or server. WhatsApp-Web-style chat list, full message rendering, FTS5-equivalent search. The case officer / opposing counsel can open it in any browser.
- Tagged-messages export with three modes (full / tagged-only / tagged ± N day buffer).

**Forensic integrity.** Source `msgstore.db` opened with three independent guards (`?mode=ro&immutable=1` URI + `SQLITE_OPEN_READONLY` flag + `PRAGMA query_only=ON`). Source files SHA-256 hashed at ingest. Every action journaled to a hash-chained `chain_of_custody.jsonl` — each entry's hash includes the previous one, so the audit trail is tamper-evident, not just append-only. Original IDs preserved (`message.source_msg_id`, `media.source_media_row_id`, etc.) so every analysis row links back to its msgstore.db / wa.db origin. Timestamps shown local + UTC in brackets so case timezone is unambiguous.

**Honest caveats.** Android-only. No automated tests yet. Schema research was done sample-by-sample so there are likely edge cases on WA versions / Business app / regional builds I haven't seen — Business app support is on the roadmap. Validated primarily against my own personal-device datasets.

Built solo. PySide6 + SQLite + ~85K lines of Python. There's a deepwiki for it too (https://deepwiki.com/akhil-dara/WAInsight) if you want a deeper architectural read before cloning.

Would genuinely value feedback from anyone who works WhatsApp cases regularly — especially edge cases or schema variants that break it. Issues / DMs / comments all welcome.
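
The hash-chained journal described in the post's forensic-integrity paragraph, as an added example that is not WAInsight's code and not part of the original post. The field names (`seq`, `ts`, `action`, `detail`, `prev`, `hash`), the all-zero genesis value and the sample actions are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first entry


def _digest(prev_hash, body):
    # Canonical JSON (sorted keys, fixed separators) so the hash is reproducible.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canon).encode("utf-8")).hexdigest()


def append_entry(lines, action, detail, ts):
    """Append one journal line whose hash covers the previous line's hash."""
    prev_hash = json.loads(lines[-1])["hash"] if lines else GENESIS
    body = {"seq": len(lines), "ts": ts, "action": action, "detail": detail}
    entry = dict(body, prev=prev_hash, hash=_digest(prev_hash, body))
    lines.append(json.dumps(entry, sort_keys=True))
    return entry["hash"]


def verify_chain(lines, expected_head=None):
    """Return (ok, index_of_first_bad_line); the index is None when ok."""
    prev_hash = GENESIS
    for i, line in enumerate(lines):
        try:
            entry = json.loads(line)
            body = {k: entry[k] for k in ("seq", "ts", "action", "detail")}
            stored_prev, stored_hash = entry["prev"], entry["hash"]
        except (ValueError, KeyError, TypeError):
            return False, i
        if body["seq"] != i or stored_prev != prev_hash:
            return False, i  # reordered, deleted or re-linked entry
        if _digest(prev_hash, body) != stored_hash:
            return False, i  # entry content edited after it was written
        prev_hash = stored_hash
    # Tail truncation leaves a valid shorter chain; only a head hash
    # recorded outside the journal (e.g. in case notes) can expose it.
    if expected_head is not None and prev_hash != expected_head:
        return False, len(lines)
    return True, None


def build_sample_journal():
    # Constructed sample actions; not taken from a real case.
    lines = []
    append_entry(lines, "ingest_start", {"source": "msgstore.db"}, "2025-01-01T10:00:00Z")
    append_entry(lines, "hash_source", {"sha256": "<constructed>"}, "2025-01-01T10:00:01Z")
    head = append_entry(lines, "export_report", {"format": "pdf"}, "2025-01-01T10:05:00Z")
    return lines, head
```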

Story Overview