Proof-of-concept exploit code has been published for a critical remote code execution flaw in protobuf.js, a widely used JavaScript implementation of Google's Protocol Buffers. [...]
Cybersecurity News and Vulnerability Aggregator
Cybersecurity news aggregator
Updated: 4:40 am
J/K Navigate / Search S Save V Open Link
— or
treemd <(curl -sL https://allsec.sh/md) (as Markdown) Top Cybersecurity Stories Today
Bug hiding in plain sight for over a decade lands on KEV list CISA is sounding the alarm on a newly-exploited Apache ActiveMQ bug, ordering federal agencies to patch within two weeks as attackers circle a flaw that's been quietly lurking for more than a decade.…
OpenAI says its safeguards “sufficiently reduce cyber risk” for now, while GPT-5.4-Cyber is a new cybersecurity-focused model.
Grinex, a Kyrgyzstan-incorporated cryptocurrency exchange sanctioned by the U.K. and the U.S. last year, said it's suspending operations after it blamed Western intelligence agencies for a $13.74 million hack. The exchange said it fell victim to what it described as a large-scale cyber attack that bore hallmarks of foreign intelligence agency involvement. This attack led to the theft of over 1
In cybercrime markets, trust isn't assumed, it's verified. Flare reveals how underground guides teach actors to evaluate carding shops based on data quality, reputation, and survivability. [...]
Latest
Sunday, April 19
To the Scientific Community, I am seeking a peer review of the theoretical logic behind a propulsionless mobility system I am architecting, tentatively titled the Aero-Grav Mark I. The goal is to induce a localized repulsive gravitomagnetic field to counter Earth’s g (9.8 \text{ m/s}^2) through Non-Linear Gravito-Electromagnetic (GEM) Coupling. The Theoretical Logic: My architecture treats the gravitational field as a vector field described by the linearized Einstein Field Equations. The core mechanism involves a high-velocity Plasma Vortex acting as the active medium. Frame-Dragging (Lense-Thirring Effect): By spinning the ionized medium at ultra-high RPM within a vacuum-sealed resonant cavity, we aim to generate a gravitomagnetic field (B_g). Equation: B_g = \frac{4G}{c^2} \frac{\mathbf{J} \times \mathbf{r}}{r^3} Parametric RF-Agitation: To address the G/c^2 suppression constant (\approx 10^{-28}), the system utilizes Gigahertz-frequency pulses (2.45 GHz) to "agitate" the plasma. We hypothesize that at these frequencies, the energy-momentum tensor (T_{\mu\nu}) exhibits non-linear coupling, allowing for resonant amplification of the induced metric perturbation (h_{\mu\nu}). Vacuum Resonance (The Q-Factor): By utilizing a high-Q resonant cavity (scavenged microwave waveguides), we aim to multiply the effective energy density (T_{00}) by a factor of 10^4, creating a "Spacetime Cushion" through constructive interference of the RF pulses. Neural-Tensor Interface: Control is achieved via an sEMG (Surface Electromyography) link that maps human motor intent to the phase-modulation of the RF emitters, allowing for real-time vectoring of the T_{0i} (momentum flux) components. The Engineering Challenge: I am currently building a proof-of-concept prototype using scavenged high-frequency emitters, vacuum-isolated plasma chambers, and an ESP32-S3 neural-link controller. The Question: Given the current understanding of High-Frequency Gravitational Waves (HFGW) and the Gertsenshtein Effect, is there a theoretical threshold where GHz-frequency EM agitation can produce a measurable weight anomaly in a high-velocity plasma medium? I have the Python simulation logic and the initial hardware architecture ready for verification. I am looking for a dialogue on the energy density requirements and the validity of the Resonant Gain loophole in linearized GR. Respectfully, [Your Name] Lead Developer, Aero-Grav Project
Saturday, April 18
**Hey everyone,** I just pushed Crow-Eye version 0.9.1. I completely rewrote the LNK/JumpList parsers from scratch, enhanced the Prefetch parser, and standardized global UTC time handling across all artifacts. It’s faster, more resilient, and the expanded timeline visualization now supports even more artifacts. But while pushing these updates, I wanted to talk about a growing problem in our field: **The "Black Box" of Forensics.** Right now, most people depend heavily on parsers without really knowing the behavior underneath them. With AI becoming more prevalent, this problem is only going to get worse. People will start trusting outputs without understanding the binary structure or the forensic anatomy of what they are actually looking at. I have a different vision. I believe AI should make it easier for researchers to develop parsers and understand data, not just blindly output answers. That’s why I decided we need a backbone , something to help the next generation deeply understand the forensic anatomy we are studying. # 👁️ Introducing "Eye-Describe": Visualizing the Binary Truth To fix this, I am building a new educational suite called Eye-Describe. It aims to visually explain the internal binary structures of forensic artifacts directly to the user. It will show investigators exactly how the parsers work under the hood. When you are looking at extracted data (like Prefetch or Amcache), you won't just see the result. Eye-Describe will visually highlight the binary structure of the artifact, showing you exactly where in the hex data that specific evidence was extracted from, and why it matters. **A Live Example: The Windows Boot Disk Explorer** To give you a taste of this philosophy, I’ve published the first piece of this initiative online: The Interactive Tool: Windows Boot Disk Explorer (https://crow-eye.com/Eye-Describe/windows\_boot\_disk\_explorer) The Deep-Dive Article: The Anatomy of the Windows Boot Process (https://crow-eye.com/booting-process) Instead of just listing partitions, this interactive tool visually breaks down the actual physical disk architecture (UEFI+GPT vs. BIOS+MBR). When you click a segment (like the ESP or MSR), it reveals its specific forensic role, the file structure inside it, and a node-based visualization showing exactly how the files interact during the system startup sequence. https://preview.redd.it/b5m273lvu0wg1.png?width=1447&format=png&auto=webp&s=d209ec6a07b5280c796aa21b8a741f8473bfb4de \--- Coming in Crow-Eye 0.10.0: "The Eye" AI Agent While we are building out this Eye-Describe educational backbone, we are simultaneously working on our AI integration. In our next major release (0.10.0), we are introducing **The Eye** a feature that allows users to connect their own API keys or CLI agents directly into Crow-Eye. This isn't just a basic chatbot. The Eye will have direct access to the parser results generated by Crow-Eye, making it deeply aware of both your specific forensic data and general artifact behavior. It will assist investigators by: Spotting the Unseen: By analyzing the parsed results across all artifacts, The Eye can proactively spot anomalies, correlations, or hidden tracks that you might have missed during manual review. Building & Testing Hypotheses: You can propose an attack scenario, and the agent will use the actual parsed evidence to help you verify if the artifacts support or refute that hypothesis, helping you build a clear picture of the attack. Evaluating Trust: It will understand the nuances of different artifacts advising you on what data is highly reliable (like the MFT) versus what might be easily manipulated or fragile. Querying the Database: Helping you search through massive datasets using natural language. \--- 🤝 Open Call to Researchers & Reverse Engineers I’d love for you to check out the Boot Disk Explorer concept and read the article. Let me know what you think what artifacts do you think are the hardest for students to grasp and would benefit most from this kind of visual binary breakdown? If you have deep knowledge about the binary structure of specific Windows artifacts and want to help visualize them, please reach out! I believe collaborating on this will massively help the DFIR community and the next generation of investigators. You can contact me directly at: [Ghassanelsman@gmail.com](mailto:Ghassanelsman@gmail.com) GitHub Repo: [https://github.com/Ghassan-elsman/Crow-Eye](https://github.com/Ghassan-elsman/Crow-Eye) Eye-Describe : [https://crow-eye.com/Eye-Describe/windows\_boot\_disk\_explorer](https://crow-eye.com/Eye-Describe/windows_boot_disk_explorer) Boot Process Article: [https://crow-eye.com/booting-process](https://crow-eye.com/booting-process) Happy hunting!
Built Ghost - scans processes for signs of malware injection. Catches shellcode, API hooks, process hollowing, thread hijacking, that stuff. Works on Windows, Linux, macOS. Pretty fast, scans 200 processes in about 5 seconds. Has both command line and terminal UI. Fair warning - you'll get false positives from browsers and game anti-cheat because they do weird memory stuff. So don't freak out if it flags Chrome. Open source, MIT license. Drop a star if you find it useful.
I have built a comprehensive security guide for LLM apps and MCP covering OWASP LLM Top 10, OWASP Agentic ASI 2026, real CVEs, and working mitigation code. 492 MCP servers are publicly exposed with zero auth right now. Kindly check out and if you want to contribute, please do : [https://github.com/pathakabhi24/LLM-MCP-Security-Field-Guide](https://github.com/pathakabhi24/LLM-MCP-Security-Field-Guide)
Grinex, a US-sanctioned cryptocurrency exchange registered in Kyrgyzstan, said it’s halting operations after experiencing a 13 million heist carried out by “western special services” hackers.
Proof-of-concept exploit code has been published for a critical remote code execution flaw in protobuf.js, a widely used JavaScript implementation of Google's Protocol Buffers. [...]
Microsoft is warning that a recent Microsoft Edge browser update introduced a bug that breaks right-click paste in chats in the Microsoft Teams desktop client. [...]
NAKIVO Inc. announced the general availability of NAKIVO Backup & Replication v11.2, focused on fast, reliable, and proactive data protection. [...]
Plus: Major data breaches at a gym chain and hotel giant, a disruptive DDoS attack against Bluesky, dubious ICE hires, and more.
This is ModsHub (formerly FiveMods) - a GTA V/FiveM software claiming to have over 1,2 million active users. It falls under the family TamperedChef. It shares similarities with previous TC-classified software - e.g. it collects a lot of system user data, provides extensive logging, various backup domains, obfuscated C2 communication and scheduled task set to autorun every day at 18:00 with a custom argument. We have also discovered a more capable variant (**which does not fall under the same business/network**) called Network Graphics that includes for example WebSocket connection that shares undeniable similarities with ModsHub - the code, technical functionality, behaviour and **code signer Danylo Babenko** are all almost identical. Full report: [https://rifteyy.org/report/tamperedchef-within-gta-v-modding-community](https://rifteyy.org/report/tamperedchef-within-gta-v-modding-community)
Grinex, a Kyrgyzstan-incorporated cryptocurrency exchange sanctioned by the U.K. and the U.S. last year, said it's suspending operations after it blamed Western intelligence agencies for a $13.74 million hack. The exchange said it fell victim to what it described as a large-scale cyber attack that bore hallmarks of foreign intelligence agency involvement. This attack led to the theft of over 1
AETHER: Prototype adaptive deception environment that generates dynamic decoys based on attacker behaviour
Built a prototype deception system called **AETHER** during a recent cybersecurity hackathon. The goal was to explore moving beyond static honeypots toward **behaviour-driven deception environments**. Core idea: * Capture attacker terminal interaction signals (commands, timing, directory traversal patterns) * Generate a behavioural profile of the attacker * Predict likely next actions * Dynamically generate decoy assets (files, services, directories) * Reinforcement loop adjusts deception strategy to maximize engagement The system essentially tries to create **adaptive deception environments tailored to the attacker’s interaction style**. Curious how practitioners here view behaviour-driven deception systems vs traditional honeypots. GitHub: [*https://github.com/gurarpitzz/AETHER-Smart-Honeypot*](https://github.com/gurarpitzz/AETHER-Smart-Honeypot) [*https://github.com/gurarpitzz/AETHER-Concept2*](https://github.com/gurarpitzz/AETHER-Concept2)
* [https://github.com/cispa/trevex](https://github.com/cispa/trevex) * [https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7053.html](https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7053.html) * [https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7050.html](https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7050.html)
Threat actors are exploiting security flaws in TBK DVR and end‑of‑life (EoL) TP-Link Wi-Fi routers to deploy Mirai-botnet variants on compromised devices, according to findings from Fortinet FortiGuard Labs and Palo Alto Networks Unit 42. The attack targeting TBK DVR devices has been found to exploit CVE-2024-3721 (CVSS score: 6.3), a medium-severity command injection vulnerability affecting
Friday, April 17
The Payouts King ransomware is using the QEMU emulator as a reverse SSH backdoor to run hidden virtual machines on compromised systems and bypass endpoint security. [...]
Bug hiding in plain sight for over a decade lands on KEV list CISA is sounding the alarm on a newly-exploited Apache ActiveMQ bug, ordering federal agencies to patch within two weeks as attackers circle a flaw that's been quietly lurking for more than a decade.…
Or, how public information and a €5 tracker exposed an avoidable opsec lapse Militaries around the world spend countless hours training, developing policies, and implementing best operational security practices, so imagine the size of the egg on the face of the Dutch navy when journalists managed to track one of its warships for less than the cost of some hagelslag and a coffee.…
A post-midnight revolt in the House sank the White House's efforts to extend Section 702—a spy program the FBI has used to look into members of Congress, protesters, and political donors.
In cybercrime markets, trust isn't assumed, it's verified. Flare reveals how underground guides teach actors to evaluate carding shops based on data quality, reputation, and survivability. [...]
Huntress is warning that threat actors are exploiting three recently disclosed security flaws in Microsoft Defender to gain elevated privileges in compromised systems. The activity involves the exploitation of three vulnerabilities that are codenamed BlueHammer (requires GitHub sign-in), RedSun, and UnDefend, all of which were released as zero-days by a researcher known as Chaotic Eclipse (
Two weeks ago, Google’s Quantum AI group published a zero-knowledge proof of a quantum circuit so optimized, they concluded that first-generation quantum computers will break elliptic curve cryptography keys in as little as 9 minutes. Today, Trail of Bits is publishing our own zero-knowledge proof that significantly improves Google’s on all metrics. Our result is not due to some quantum breakthrough, but rather the exploitation of multiple subtle memory safety and logic vulnerabilities in Google’s Rust prover code. Google has patched their proof, and their scientific claims are unaffected, but this story reflects the unique attack surface that systems introduce when they use zero-knowledge proofs. Google’s proof uses a zero-knowledge virtual machine (zkVM) to calculate the cost of a quantum circuit on three key metrics. The total number of operations and Toffoli gate count represent the running time of the circuit, and the number of qubits represents the memory requirements. Google, along with their coauthors from UC Berkeley, the Ethereum Foundation, and Stanford, published proofs for two circuits; one minimizes the number of gates, and the other minimizes qubits. Our proof improves on both. Resource Type Google’s Low-Gate
Google this week announced a new set of Play policy updates to strengthen user privacy and protect businesses against fraud, even as it revealed it blocked or removed over 8.3 billion ads globally and suspended 24.9 million accounts in 2025. The new policy updates relate to contact and location permissions in Android, allowing third-party apps to access the contact lists and a user's location in
University student says he plans to move to Android, but concedes iOS engineers acting fast Apple is finally working on a fix for a bug that has locked some users out of their iPhones for months, The Register understands.…
Famously vengeful Knicks owner Jim Dolan has long spied on people at his iconic arenas. WIRED goes deep inside the operation that allegedly tracked a trans woman, lawyers, protesters, and more.
Microsoft warns that some Windows domain controllers are entering restart loops after installing the April 2026 security updates. [...]
The National Institute of Standards and Technology (NIST) has announced changes to the way it handles cybersecurity vulnerabilities and exposures (CVEs) listed in its National Vulnerability Database (NVD), stating it will only enrich those that fulfil certain conditions owing to an explosion in CVE submissions. "CVEs that do not meet those criteria will still be listed in the NVD but will not
23-year-old Kamerin Stokes of Memphis, Tennessee, was sentenced to 30 months in prison for selling access to tens of thousands of hacked DraftKings accounts. [...]
Pause your Mythos panic because mainstream models anyone can use already pick holes in popular software Anthropic withheld its Mythos bug-finding model from public release due to concerns that it would enable attackers to find and exploit vulnerabilities before anyone could react.…
An international law enforcement operation has taken down 53 domains and arrested four people in connection with commercial distributed denial-of-service (DDoS) operations that were used by more than 75,000 cybercriminals. The ongoing effort, dubbed Operation PowerOFF, disrupted access to the DDoS-for-hire services, took down the technical infrastructure supporting them, and obtained access to
Thursday, April 16
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite I love cutting-edge tech, but I hate hyperbole, so I find AI to be a real paradox. Somewhere in that whole mess of overnight influencers, disinformation and ludicrous claims is some real "gold" - AI stuff that's genuinely useful and makes a meaningful difference. This blog post cuts straight to the good stuff, specifically how you can use AI with Have I Been Pwned to do some pretty cool things. I'll be showing examples based on OpenClaw running on the Mac Mini in the hero shot, but they're applicable to other agents that turn HIBP's data into more insightful analysis. So, let me talk about what you can do right now, what we're working on and what you'll be able to do in the future. Model Context Protocol (MCP) A quick MCP primer first: Anthropic came up with the idea of building a protocol that could connect systems to AI apps, and thus the Model Context Protocol was born: Using MCP, AI applications like Claude or ChatGPT can connect to data sources (e.g. local files, databases), tools (e.g. search engines, calculators) and workflows (e.g. specialized prompts)—enabling them to access key information and perform tasks. If I'm honest, I'm a bit on the fence as to how useful this really is ( and I'm not alone ), but creating it was a
Bug or feature? A design flaw – or expected behavior based on a bad design choice, depending on who is telling the story – baked into Anthropic's official Model Context Protocol (MCP) puts as many as 200,000 servers at risk of complete takeover, according to security researchers.…
A new malware called ZionSiphon, specifically designed for operational technology, is targeting water treatment and desalination environments to sabotage their operations. [...]
Two day intrusion. RDP brute force with a company specific wordlist, Cobalt Strike, and a custom Rust exfiltration platform (RustyRocket) that connected to over 6,900 unique Cloudflare IPs over 443 to pull data from every reachable host over SMB. Recovered the operator README documenting three operating modes and a companion pivoting proxy for segmented networks. Personalized extortion notes addressed by name to each employee with separate templates for leadership and staff. Writeup includes screen recordings of the intrusion, full negotiation chat from their Tor portal, timeline, and IOCs.
A researcher known as "Chaotic Eclipse" has published a proof-of-concept exploit for a second Microsoft Defender zero-day, dubbed "RedSun," in the past two weeks, protesting how the company works with cybersecurity researchers. [...]
HAProxy HTTP/3 -> HTTP/1 Desync: Cross-Protocol Smuggling via a Standalone QUIC FIN (CVE-2026-33555)
u/albinowax ’s work on request smuggling has always inspired me. I’ve followed his research, watched his talks at DEFCON and BlackHat, and spent time experimenting with his labs and tooling. Coming from a web security background, I’ve explored vulnerabilities both from a black-box and white-box perspective — understanding not just how to exploit them, but also the exact lines of code responsible for issues like SQLi, XSS, and broken access control. Request smuggling, however, always felt different. It remained something I could detect and exploit… but never fully trace down to its root cause in real-world server implementations. A few months ago, I decided to go deeper into networking and protocol internals, and now, months later, I can say that I “might” have figured out how the internet works😂 This research on HAProxy (HTTP/3, standalone mode) is the result of that journey — finally connecting the dots between protocol behavior and the actual code paths leading to the bug. (Yes, I used AI 😉 )
Available for free to any company that wants to use it, the “completely anonymous” app puts the pressure on porn sites and social media platforms to start blocking access by minors.
Social engineering: 'low-cost, hard to patch, and scales well' North Korean criminals set on stealing Apple users' credentials and cryptocurrency are using a combination of social engineering and a fake Zoom software update to trick people into manually running malware on their own computers, according to Microsoft.…
Cybersecurity researchers have warned of an active malicious campaign that's targeting the workforce in the Czech Republic with a previously undocumented botnet dubbed PowMix since at least December 2025. "PowMix employs randomized command-and-control (C2) beaconing intervals, rather than persistent connection to the C2 server, to evade the network signature detections," Cisco Talos
Hackers are exploiting a critical vulnerability in Marimo reactive Python notebook to deploy a new variant of NKAbuse malware hosted on Hugging Face Spaces. [...]
Fortune 500 companies and one US defense contractor got taken for $5m in four-year scam Two Americans have been jailed for a combined 200 months for helping North Korea generate $5 million through fraudulent IT worker schemes.…
ThreatsDay Bulletin: Defender 0-Day, SonicWall Brute-Force, 17-Year-Old Excel RCE and 15 More Stories
You know that feeling when you open your feed on a Thursday morning and it's just... a lot? Yeah. This week delivered. We've got hackers getting creative in ways that are almost impressive if you ignore the whole "crime" part, ancient vulnerabilities somehow still ruining people's days, and enough supply chain drama to fill a season of television nobody asked for. Not
I submitted an earlier version of this dataset and was declined on the basis of missing methodology and unverifiable provenance. The feedback was fair. The documentation has since been rewritten to address it directly, and I would very much appreciate a second look. ## What the dataset contains 101,032 samples in total, balanced 1:1 attack to benign. **Attack samples (50,516)** across 27 categories sourced from over 55 published papers and disclosed vulnerabilities. Coverage spans: - Classical injection - direct override, indirect via documents, tool-call injection, system prompt extraction - Adversarial suffixes - GCG, AutoDAN, Beast - Cross-modal delivery - text with image, document, audio, and combined payloads across three and four modalities - Multi-turn escalation - Crescendo, PAIR, TAP, Skeleton Key, Many-shot - Emerging agentic attacks - MCP tool descriptor poisoning, memory-write exploits, inter-agent contagion, RAG chunk-boundary injection, reasoning-token hijacking on thinking-trace models - Evasion techniques - homoglyph substitution, zero-width space insertion, Unicode tag-plane smuggling, cipher jailbreaks, detector perturbation - Media-surface attacks - audio ASR divergence, chart and diagram injection, PDF active content, instruction-hierarchy spoofing **Benign samples (50,516)** are drawn from Stanford Alpaca, WildChat, MS-COCO 2017, Wikipedia (English), and LibriSpeech. The benign set is matched to the surface characteristics of the attack set so that classifiers must learn genuine injection structure rather than stylistic artefacts. ## Methodology The previous README lacked this section entirely. The current version documents the following: 1. **Scope definition.** Prompt injection is defined per Greshake et al. and OWASP LLM01 as runtime text that overrides or redirects model behaviour. Pure harmful-content requests without override framing are explicitly excluded. 2. **Four-layer construction.** Hand-crafted seeds, PyRIT template expansion, cross-modal delivery matrix, and matched benign collection. Each layer documents the tool used, the paper referenced, and the design decision behind it. 3. **Label assignment.** Labels are assigned by construction at the category level rather than through per-sample human review. This is stated plainly rather than overclaimed. 4. **Benign edge-case design.** The ten vocabulary clusters used to reduce false positives on security-adjacent language are documented individually. 5. **Quality control.** Deduplication audit results are included: zero duplicate texts in the benign pool, zero benign texts appearing in attacks, one documented legacy duplicate cluster with cause noted. 6. **Known limitations.** Six limitations are stated explicitly: text-based multimodal representation, hand-crafted seed counts, English-skewed benign pool, no inter-rater reliability score, ASR figures sourced from original papers rather than re-measured, and small v4 seed counts for emerging categories. ## Reproducibility Generators are deterministic (`random.seed(42)`). Running them reproduces the published dataset exactly. Every sample carries `attack_source` and `attack_reference` fields with arXiv or CVE links. A reviewer can select any sample, follow the citation, and verify that the attack class is documented in the literature. ## Comparison to existing datasets The README includes a comparison table against deepset (500 samples), jackhhao (2,600), Tensor Trust (126k from an adversarial game), HackAPrompt (600k from competition data), and InjectAgent (1,054). The gap this dataset aims to fill is multimodal cross-delivery combinations and emerging agentic attack categories, neither of which exists at scale in current public datasets. ## What this is not To be direct: this is not a peer-reviewed paper. The README is documentation at the level expected of a serious open dataset submission - methodology, sourcing, limitations, and reproducibility - but it does not replace academic publication. If that bar is a requirement for r/netsec specifically, that is reasonable and I will accept the feedback. ## Links - GitHub: https://github.com/Josh-blythe/bordair-multimodal - Hugging Face: https://huggingface.co/datasets/Bordair/bordair-multimodal I am happy to answer questions about any construction decision, provide verification scripts for specific categories, or discuss where the methodology falls short.
Publisher claims misconfigured Salesforce-hosted page leaked data Textbook giant McGraw Hill has landed on a ransomware crew's leak site after an alleged Salesforce-linked misconfiguration spilled 13.5 million records into the wild.…
A "novel" social engineering campaign has been observed abusing Obsidian, a cross-platform note-taking application, as an initial access vector to distribute a previously undocumented Windows remote access trojan called PHANTOMPULSE in attacks targeting individuals in the financial and cryptocurrency sectors. Dubbed REF6598 by Elastic Security Labs, the activity has been found to leverage
Just migrate already, would you? But if you can't, Redmond will take your cash Microsoft will keep delivering security updates for old versions of Exchange Server and Skype for Business Server, after admitting that some customers aren't ready to make the move to newer products.…
Your cybersecurity is only as good as the physical security of the servers PWNED Welcome back to Pwned, the column where we immortalize the worst vulns that organizations opened up for themselves. If you’re the kind of person who leaves your car doors unlocked with a pile of cash in the center console, this week’s story is for you.…
The Computer Emergencies Response Team of Ukraine (CERT-UA) has disclosed details of a new campaign that has targeted governments and municipal healthcare institutions, mainly clinics and emergency hospitals, to deliver malware capable of stealing sensitive data from Chromium-based web browsers and WhatsApp. The activity, which was observed between March and April
Browser fingerprinting is everywhere Google markets its Chrome browser by citing its superior safety features, but according to privacy consultant Alexander Hanff, Chrome does not protect against browser fingerprinting – a method of tracking people online by capturing technical details about their browser.…
Understanding npm and the importance of dependency cooldowns.
Wednesday, April 15
Like the majority of the companies participating, it remains a mystery Last week, Anthropic surprised the world by declaring that its latest model, Mythos, is so good at finding vulns that it would create chaos if released. Now, under the title of Project Glasswing, over 50 selected companies and orgs are allowed to test the hyped up LLM to find security holes in their own products. But just how many problems have they really discovered?…
What Are Shadow Admins in AD? A common problem we encounter within many customer Active Directory environments are accounts that, at first glance, may appear innocuous, but that actually have hidden administrative privileges or unrolled privileges equivalent to those of a domain administrator account. We call these accounts shadow domain admins. These accounts don’t show up when you run the net group domain admins command. They won’t appear in your PAM solution’s audit reports. But an attacker who finds one has effectively won the domain. Over the past several years, the problem has gotten significantly worse as organizations undergo digital transformation. Workloads are migrating to AWS and Azure, identity is being federated to the cloud via ADFS, and domain controllers are running as virtual machines on ESXi. The blast radius of a single compromised account now extends well beyond the traditional Active Directory boundary. A shadow admin path in 2016 might have been a service account with an overly permissive ACL. In 2026, it’s an ADFS server running on a hypervisor managed by a VMware admin who doesn’t even know they’re one hop from domain admin, and two hops from your entire AWS environment. In this post, we’ll walk through several real-world examples we routinely discover during engagements and show how Praetorian Guard’s continuous attack path mapping surfaces them before an adversary does. ADFS Servers and the Federation Layer If your organization federates identity to cloud providers using Active Directory Federation Services (ADFS), you’ve almost certainly heard of the Golden SAML technique that was exploited in the SolarWinds (Solorigate) attack. The ADFS server h
No reports of active exploitation (yet) Watch out for more Fortinet vulns! Two critical bugs in Fortinet's sandbox could allow unauthenticated attackers to bypass authentication or execute unauthorized code on vulnerable systems.…
Threat actors have been observed weaponizing n8n, a popular artificial intelligence (AI) workflow automation platform, to facilitate sophisticated phishing campaigns and deliver malicious payloads or fingerprint devices by sending automated emails. "By leveraging trusted infrastructure, these attackers bypass traditional security filters, turning productivity tools into delivery
Some customer orgs tell staff to block inbound email from the provider Autovista confirms that it called in outside support to help clean up a ransomware infection currently affecting systems in Europe and Australia.…
Latest in a string of cases that have earned France an unfortunate title A mother and her ten-year-old son are now free after being kidnapped for around 20 hours while the father was being extorted for hundreds of thousands of euros.…
Vuln old enough to drive lands on CISA's exploited list While Microsoft was rolling out its bumper Patch Tuesday updates this week, US cybersecurity agency CISA was readying an alert about a 17-year-old critical Excel flaw now under exploit.…
Command prefix will require password by default The latest version of Raspberry Pi OS now requires a password for sudo by default.…
Few technologies have moved from experimentation to boardroom mandate as quickly as AI. Across industries, leadership teams have embraced its broader potential, and boards, investors, and executives are already pushing organizations to adopt it across operational and security functions. Pentera’s AI Security and Exposure Report 2026 reflects that momentum: every CISO surveyed
Open Rights Group says years of reliance on US giants have left Britain exposed Britain has spent years wiring its public sector into US Big Tech, and a new report says that dependence could quickly become a national security headache.…
An analysis by WIRED and Indicator found nearly 90 schools and 600 students around the world impacted by AI-generated deepfake nude images—and the problem shows no signs of going away.
Microsoft on Tuesday released updates to address a record 169 security flaws across its product portfolio, including one vulnerability that has been actively exploited in the wild. Of these 169 vulnerabilities, 157 are rated Important, eight are rated Critical, three are rated Moderate, and one is rated Low in severity. Ninety-three of the flaws are
OpenAI on Tuesday unveiled GPT-5.4-Cyber, a variant of its latest flagship model, GPT‑5.4, that's specifically optimized for defensive cybersecurity use cases, days after rival Anthropic unveiled its own frontier model, Mythos. "The progressive use of AI accelerates defenders – those responsible for keeping systems, data, and users safe – enabling them to find and fix problems
Tuesday, April 14
Microsoft today pushed software updates to fix a staggering 167 security vulnerabilities in its Windows operating systems and related software, including a SharePoint Server zero-day and a publicly disclosed weakness in Windows Defender dubbed “ BlueHammer .” Separately, Google Chrome fixed its fourth zero-day of 2026, and an emergency update for Adobe Reader nixes an actively exploited flaw that can lead to remote code execution. Redmond warns that attackers are already targeting CVE-2026-32201 , a vulnerability in Microsoft SharePoint Server that allows attackers to spoof trusted content or interfaces over a network. Mike Walters , president and co-founder of Action1 , said CVE-2026-32201 can be used to deceive employees, partners, or customers by presenting falsified information within trusted SharePoint environments. “This CVE can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further compromise,” Walters said. “The presence of active exploitation significantly increases or
Crow-eye v0.9.0 is out! Now with Direct Forensic Image Parsing, a rebuilt Timeline, and full Linux support.
Hey everyone! we just released version 0.9.0 of Crow-eye, and it brings some major updates we've been working hard on. A big focus for us in this version was removing the friction of dealing with forensic images. We actually added direct support for analyzing images right inside Crow-eye, so you don't need any other mounting software to get started. You can just point it at the image and let it parse. Right now we support parsing directly from: \* E01 / Ex01 \* VHDX / VHD \* VMDK \* ISO \* Raw / DD We also decided it was time to move on from the old timeline prototype. We built a brand new version of the Timeline Visualization from the ground up, making it way easier to correlate everything and actually see the full picture in one place. https://preview.redd.it/t22zt7ty68vg1.png?width=3439&format=png&auto=webp&s=7d5bc5f51cb0e93029ce0641813636a068ba3d58 And finally, something a lot of people asked for: Crow-eye is now completely cross-platform! We updated all the parsers so they no longer depend on Windows APIs for offline artifacts. This means you can now run it natively on Linux to parse offline artifacts and process those forensic images without needing a Windows machine. GitHub : [https://github.com/Ghassan-elsman/Crow-Eye](https://github.com/Ghassan-elsman/Crow-Eye) Let me know how it runs for you, what you think of the new timeline, or if you run into any bugs or issues!
Hello, I downloaded a sample from Malwarebazaar. It was a .bat file around 208.38 KB. I set it up into [AnyRun](https://any.run), and started the analysis. \--- **Threat Type:** XWorm v6.5 (RAT) + Stealer sold as Malware-as-a-Service. Capabilities include credential theft, keylogging, screenshot capture, file exfiltration, and hijacking of crypto wallets and accounts. **Execution Process:** 1. `.bat` file runs -> checks for sandbox using `findstr.exe` 2. Uses `certutil.exe` to Base64-decode an embedded payload 3. `cscript.exe` executes decoded VBScript, dropping `svchost.exe` (fake) to %TEMP% 4. Payload launches, copies itself to `%APPDATA%\main.exe` and the startup folder for persistence 5. Connects to C2 and sends system fingerprint via Telegram Bot API # IOCs **Dropper SHA256:** dea6cfb3234780ceeea718787e027cc6d2de18cfead1f8cc234e0ad268987868 **Dropped Payload SHA256:** 7f2b0ffbc5b149b4f9858589763bacdebf63ea1b3a00532e9278d613f75462ea * **C2:** `23.160(.)168.174:3212` * **AES Key:** `<666666>` * **Mutex:** `XUH24Sz2TPub4OF4` * **USB drop name:** `XWorm V6.5 by c3lestial(.)fun` Full Analysis: [https://app.any.run/tasks/1cd22443-8259-49c0-8e6e-a0ca93b0371c](https://app.any.run/tasks/1cd22443-8259-49c0-8e6e-a0ca93b0371c)
OpenAI says its safeguards “sufficiently reduce cyber risk” for now, while GPT-5.4-Cyber is a new cybersecurity-focused model.
The UK designated Xinbi Guarantee as an enabler of crypto scammers and human trafficking weeks ago. Telegram is still hosting it in plain sight.
Internal emails obtained by WIRED reveal how a conservative legal group with a direct line into FCC chairman Brendan Carr’s office built the case against Jimmy Kimmel and his employees.
When you hire an elite Red Team, you start with an implicit signal of their talent. You review their resumes, their standing within the research community, certifications with trusted vendors like OffSec and CREST. You assume they can navigate your specific tech stack and pivot through your environment. But in offensive security, assumptions are liabilities. […] The post Validating AI Pentesting with Explicit Signals from Synack Red Team appeared first on Synack .
This post is part of a small blog series covering common Entra ID security findings observed during real-world assessments. Each article explores selected findings in more detail to provide a clearer understanding of the underlying risks and practical implications. Part 1: Privileged Foreign Enterprise Applications Part 2: Privileged Unprotected Groups Part 3: Weak Privileged Identity Management Configuration Conditional Access Policies Conditional Access policies are among the most important security controls in Entra ID. As the name suggests, they define under which conditions access is allowed within a tenant. They are used to enforce protections such as MFA, restrict access based on device state or location, and apply stronger controls to sensitive applications or privileged accounts. At the same time, Conditional Access is a broad and complex topic. The
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite I'm starting to become pretty fond of Bruce. Actually, I've had a bit of an epiphany: an AI assistant like Bruce isn't just about auto-responding to tickets in an entirely autonomous manner; it's also pretty awesome at responding with just a little bit of human assistance. Charlotte and I both replied to some tickets today that were way too specific for Bruce to ever do on his own, but by feeding in just a little bit of additional info (such as the number of domains someone was presently monitoring), Bruce was able to construct a really good reply and "own" the ticket. So maybe that's the sweet spot: auto-reply to the really obvious stuff and then take just a little human input on everything else.
Monday, April 13
The current version of RAGFlow, a widely-deployed Retrieval Augmented Generation solution, contains a post-auth vulnerability that allows for arbitrary code execution. This post includes a POC, walkthrough and patch. The TL;DR is to make sure your RAGFlow instances aren't on the public internet, that you have the minimum number of necessary users, and that those user accounts are protected by complex passwords. (This is especially true if you're using Infinity for storage.)
More than 70 organizations, including the ACLU, EPIC, and Fight for the Future, say the AI smart glasses feature would endanger abuse victims, immigrants, and LGBTQ+ people.
Root cause: the $forbiddenphpstrings blocklist is only enforced in blacklist mode -> the default whitelist mode never touches it. The whitelist regex is also blind to PHP dynamic callable syntax (('exec')('cmd')). Either bug alone limits impact; together they reach OS command execution. Coordinated disclosure - patch available as of 4/4/2026.
Undisclosed number of names and contact and reservation details accessed in latest cybercrime attempt The accommodation reservation website Booking.com has suffered a data breach with “unauthorised parties” gaining access to customers’ details. The platform said it “noticed some suspicious activity involving unauthorised third parties being able to access some of our guests’ booking information”. Continue reading...
To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.
Introducing the Glasswing-Readiness Assessment In my last post, we looked at the emergence of Anthropic’s Mythos and how it has collapsed the exploit timeline from weeks to days. But once you accept that the speed of the adversary has changed, a more difficult question remains for security leaders: What do we actually do now? The […] The post Become Mythos-Ready and Close the AI Coverage Gap with Synack appeared first on Synack .
Sunday, April 12
drakoarmy/akamai-vm-reverse: Decompiled and cleaned Akamai v3 VM powering the latest sensor_data challenge script.