Tata Electronics has confirmed in a statement to BleepingComputer that it was the target of a cyberattack that impacted parts of its IT infrastructure. [...]
Cybersecurity News and Vulnerability Aggregator
Cybersecurity news aggregator
Updated: 9:00 am
J/K Navigate / Search S Save V Open Link
— or
treemd <(curl -sL https://allsec.sh/md) (as Markdown) Top Cybersecurity Stories Today
Threat actors have begun to exploit a recently disclosed critical security flaw impacting Cisco Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME). The vulnerability, tracked as CVE-2026-20230 (CVSS score: 8.6), is a case of improper input validation for specific HTTP requests that could allow an unauthenticated, remote
The private events group, cofounded by Peter Thiel, says a “criminal” hacker is behind a breach that exposed members’ personal details. WIRED found no evidence a break-in was needed to access the files.
A Russian-speaking initial access broker (IAB) driven by financial gain is assessed to be behind a large-scale credential-harvesting operation known as FortiBleed that has targeted over 430,000 FortiGate firewalls globally. The campaign, active since February 2026, involves collecting credential lists, searching for exposed services, brute-forcing accessible systems, and deploying bespoke
Two men pleaded guilty in the United Kingdom this week to criminal charges stemming from an August 2024 cyberattack that crippled Transport for London , the entity responsible for the public transport network in the Greater London area. The duo were key members of a prolific cybercrime group known as Scattered Spider , and their guilty pleas came on the first day of what was expected to be a six-week trial. Owen Flowers (left) 18, and Thalha Jubair, 20. Image: UK National Crime Agency (NCA). Thalha Jubair , 20, of East London and 18-year-old Owen Flowers of Walsall admitted conspiring to commit unauthorized acts against Transport for London computer systems and causing risk of serious damage to human welfare. According to a report from the BBC, Flowers alone admitted to being part of a conspiracy to hack into U.S. based healthcare providers SSM Health Care Corporation and Sutter Health in September 2024. Jubair is also wanted by U.S. law enforcement agencies. In September 2025, prosecutors in New Jersey unsealed
Latest
Wednesday, June 24
Incident Analysis · June 2026 An Indonesian gambling-spam campaign called LEMON212 planted doorway pages across multiple unrelated customer sites on our server — not by breaching them individually, but by taking over a single reseller account and walking its customer list. By Tremhost Infrastructure Security · Earlier this month we discovered a coordinated parasite-SEO attack on one of our managed cPanel/WHM servers. Dozens of customer websites — a hospital here, a school there, completely unrelated businesses — had been silently filled with Indonesian online-gambling content. The attacker wasn’t targeting any of those businesses individually. They had taken over the account of a reseller who managed all of those sites, and used that single login to walk straight into every site the reseller owned. We’re publishing what we found because the propagation mechanism is underappreciated, the detection lessons are non-obvious, and the mitigations are straightforward once you understand the attack surface. We have published the full report [here](https://tremhost.com/how-one-compromised-reseller-account-let-an-attacker-hit-dozens-of-websites-at-once/). Or full link: [https://tremhost.com/how-one-compromised-reseller-account-let-an-attacker-hit-dozens-of-websites-at-once/](https://tremhost.com/how-one-compromised-reseller-account-let-an-attacker-hit-dozens-of-websites-at-once/)
Threat actors have begun to exploit a recently disclosed critical security flaw impacting Cisco Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME). The vulnerability, tracked as CVE-2026-20230 (CVSS score: 8.6), is a case of improper input validation for specific HTTP requests that could allow an unauthenticated, remote
Hi everyone, I'm open-sourcing a project I've been building called **darkVault**. darkVault is an Android application that uses a zero-knowledge architecture and client-side encryption to transform Google Drive into an encrypted vault where users retain control of their encryption keys. Project Website: [https://scap3sh4rk.github.io/darkVault/](https://scap3sh4rk.github.io/darkVault/) GitHub: [https://github.com/scap3sh4rk/darkVault](https://github.com/scap3sh4rk/darkVault) Current features include: * AES-256-GCM encryption * Encrypted file and folder management * Secure media previews * Android Keystore integration * Biometric authentication * Zero-knowledge design I am specifically looking for feedback from: * Application Security Researchers * Android Security Researchers * Mobile Pentesters * Cryptographers * Open Source Contributors The project includes a public [SECURITY.md](http://SECURITY.md) and responsible disclosure process. If you discover a legitimate security vulnerability and follow the disclosure process, reports may be eligible for GitHub Security Advisories and, where appropriate, CVE assignment processes subject to CNA requirements. My primary goal is to have the design, implementation, and threat model reviewed by people with stronger security expertise than myself. Security Policy: [https://github.com/scap3sh4rk/darkVault/blob/main/SECURITY.md](https://github.com/scap3sh4rk/darkVault/blob/main/SECURITY.md) Discussions: [https://github.com/scap3sh4rk/darkVault/discussions](https://github.com/scap3sh4rk/darkVault/discussions) I would appreciate any feedback on architecture, cryptography choices, Android security posture, threat modeling, or implementation flaws.
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite I know enough about home cinema audiovisual to know there's a lot I don't know. It's conscious incompetence, if you like, which is different to the unconscious incompetence most people have on the topic. That's not to sound derogatory (it's spelled out that way in the competence model ), rather it recognises that this is a super specialised area and as soon as you start scratching the surface, things get very complex and very expensive really fast. But it's also exciting, and what we've got in the pipeline for our house expansion will blow you away. More to come soon
[https://github.com/primordialomegazero/BeyondYourComprehensionFHE](https://github.com/primordialomegazero/BeyondYourComprehensionFHE)
Tuesday, June 23
Tata Electronics has confirmed in a statement to BleepingComputer that it was the target of a cyberattack that impacted parts of its IT infrastructure. [...]
Microsoft has released the KB5095093 preview cumulative update for Windows 11 24H2 and 25H2, which fixes numerous bugs and begins rolling out new features, including the new Point-in-Time restore feature. [...]
The private events group, cofounded by Peter Thiel, says a “criminal” hacker is behind a breach that exposed members’ personal details. WIRED found no evidence a break-in was needed to access the files.
A new macOS ClickFix campaign is using Terminal commands to silently download, mount, and launch info-stealing malware from malicious disk image (DMG) files. [...]
A Russian-speaking initial access broker (IAB) driven by financial gain is assessed to be behind a large-scale credential-harvesting operation known as FortiBleed that has targeted over 430,000 FortiGate firewalls globally. The campaign, active since February 2026, involves collecting credential lists, searching for exposed services, brute-forcing accessible systems, and deploying bespoke
Two men pleaded guilty in the United Kingdom this week to criminal charges stemming from an August 2024 cyberattack that crippled Transport for London , the entity responsible for the public transport network in the Greater London area. The duo were key members of a prolific cybercrime group known as Scattered Spider , and their guilty pleas came on the first day of what was expected to be a six-week trial. Owen Flowers (left) 18, and Thalha Jubair, 20. Image: UK National Crime Agency (NCA). Thalha Jubair , 20, of East London and 18-year-old Owen Flowers of Walsall admitted conspiring to commit unauthorized acts against Transport for London computer systems and causing risk of serious damage to human welfare. According to a report from the BBC, Flowers alone admitted to being part of a conspiracy to hack into U.S. based healthcare providers SSM Health Care Corporation and Sutter Health in September 2024. Jubair is also wanted by U.S. law enforcement agencies. In September 2025, prosecutors in New Jersey unsealed
Security firm AIR built a fake AI agent skill, pushed it through a popular skill marketplace and an Instagram ad, and says it reached roughly 26,000 agents, including some on corporate accounts. Every skill security scanner the firm tested it against marked it safe. The payload was harmless by design: it collected the user's email address and did nothing else. The point was to show
President Trump signed an executive order on June 22 setting hard deadlines for federal agencies to move high-value assets and high-impact systems to post-quantum cryptography. Key establishment must move by December 31, 2030; digital signatures by December 31, 2031. EO 14409 leaves national security systems on a separate track. The deadlines matter because of a threat that does not
GitHub is moving to strengthen software supply chain security by updating "actions/checkout" to block pwn request attacks that exploit the risky use of the "pull_request_target workflow" trigger to run malicious code with the workflow's full privileges. Effective June 18, 2026, the latest version of "actions/checkout," the official GitHub action for checking out a repository into the
Attackers can now weaponize newly disclosed vulnerabilities far faster than most organizations can patch them. Picus Security explains how security teams can validate exploitability before a public exploit even exists. [...]
Every weapon begins as an extension of the hand that holds it. The spear lengthened the reach of the arm. The bow sent the point flying without the throw. The rifle placed a man's death a quarter mile beyond his sight, and the aircraft carried that death across oceans. At each turn, the distance between the warrior and the wound grew wider, and yet one thing never moved: a human chose the target
Kind of crazy to look at the graph in this blog. CVE drops on 04/29, they develop a patch on 4/30, and deploy it across all of their servers on 05/01. Obviously they have the engineers to write BPF-LSM patches, but I think it points to a future where they can (almost) keep up with vulnerability disclosures.
A vulnerability in Cisco Unified Communications Manager allows unauthenticated attackers to arbitrarily write files in the server which could be used to run arbitrary commands or code on the server.
Cybersecurity researchers have discovered a set of malicious npm packages that are designed to deliver a Windows-based remote access trojan (RAT). The list of identified packages, is below - aes-decode-runner-pro (145 downloads) postcss-minify-selector (256 downloads) postcss-minify-selector-parser (615 downloads) All the packages were published over the past month by an npm user named
Would appreciate any feedback. From the project page: “Recursive-IR is a single-binary orchestration that transforms an OpenSearch stack into a fully capable and customisable DFIR log analytics platform. Incident responders and digital forensics investigators can examine events arranged in a "super timeline" enabling correlation between different source artefacts to better understand the threat actor's full chain of attack. It enables collaborative case-centric investigations with persistent enrichments such as tags, comments, and analyst context, while fully leveraging the strengths of OpenSearch and native OpenSearch Dashboards — scalable observability, visualisation, and Security Analytics for alerting and correlation across ingested forensics artefacts. The platform offers full control over data being analysed with facilities to resolve data type mapping conflicts, mutating fields (e.g., renaming, copying, or stringifying), normalizing log sources with different timezones, and even selecting fields to be used as @timestamp. Artefacts can be reloaded or re-parsed and reloaded easily enabling users to perform modifications such as adding enrichments or mutating fields if needed, a feature which isn't commonly available in traditional SIEMs.” https://github.com/improvisec/recursive-ir
Direct messages sent via WhatsApp are being used to distribute malicious Visual Basic Script (VBScript) files that lead to the installation of legitimate Remote Monitoring and Management (RMM) software. Per findings from Kaspersky, the active campaign is targeting users of WhatsApp Desktop and WhatsApp Web across Malaysia, Brazil, India, Mexico, Singapore, the U.K., Spain, Taiwan, Australia,
OpenAI on Monday said it's releasing an improved version of its GPT‑5.5‑Cyber model to trusted defenders as part of the Daybreak initiative the artificial intelligence (AI) company announced last month. Calling GPT‑5.5‑Cyber its "strongest model yet for finding and helping patch software vulnerabilities," OpenAI said the model can "sustain deeper analysis across large codebases" to
Monday, June 22
An ongoing malware campaign is targeting WhatsApp users in multiple countries with deceptive messages that push VBScript files, leading to remote system access. [...]
I wrote down how I think about onboarding order. Basically I ranked sources by how much they actually help an investigation, not by what's easiest to ingest. For each one I went through what you need to collect, how painful the parsing is, what retention makes sense, and what you can realistically detect once it's in.
The JaredFromSubway Ethereum MEV (Maximal Extractable Value) bot suffered a $15 million loss after an attacker manipulated the opportunity-detection logic by creating fake cryptocurrency trading opportunities. [...]
A newly disclosed FFmpeg flaw dubbed 'PixelSmash' could be exploited for remote code execution on Jellyfin servers under certain conditions, and can also trigger a denial-of-service condition in applications like Kodi, Emby, Nextcloud, PhotoPrism, and OBS Studio. [...]
Security firm SOCRadar says the large-scale FortiBleed campaign targeting Fortinet FortiGate devices used custom sniffers to harvest authentication secrets from compromised firewalls and steal credentials. [...]
Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack after unknown threat actors managed to tamper with the official release channels and push backdoor code. "Attackers compromised the vendor's build and distribution pipeline, injecting backdoor code into Pro plugin releases distributed through official licensed update channels," Wordfence said in an analysis
Microsoft has confirmed that Windows 11 version 26H2 will be the next feature update and that devices running Windows 11 24H2 and 25H2 will be able to upgrade using a small enablement package. [...]
A vulnerability chain dubbed AutoJack in Microsoft's AutoGen Studio interface for prototyping AI agents could let attackers manipulate an agent into executing arbitrary commands on its host system simply by visiting a malicious webpage. [...]
Amid concerns about AI models’ cybersecurity capabilities, OpenAI revealed an improved version of GPT-5.5-Cyber and its “Patch the Planet” initiative to fix open-source software bugs.
What happens when you clear dozens of Trail of Bits engineers’ schedules, pair them with every open-source maintainer they can contact, and unleash the latest frontier models like GPT-5.5-Cyber on critical open-source targets? Thanks to our partnership with OpenAI and its Daybreak initiative, we can report that the impact is hundreds of discovered bugs, 64 pull requests, and 51 issues filed across 19 projects (with many more still undergoing coordinated disclosure). That was just the first week of Patch the Planet . Frontier models like GPT-5.5-Cyber are producing a firehose of security findings, and already-stretched maintainers must sift through all of it to separate real vulnerabilities from plausible-sounding false positives. Patch the Planet is different: with our experts orchestrating and triaging findings, we handle the work of fixing and hardening the code alongside the people who maintain it. The first week of Patch the Planet covered 19 projects across cryptography, networking, language infrastructure, and software supply chain. Among these 19 projects were cURL, NATS, pyca, Sigstore, aiohttp, the Go project, freenginx, Python and python.org, urllib3, PyPI, SimpleX, Valkey, and RustCrypto. Over 30 projects have joined the initiative so far, and we’re rapidly expanding it to include more; if you maintain an open-source project, apply to join !
A heap over-read in the Squid web proxy can leak another user's cleartext HTTP request, including any credentials or session tokens it carries, to anyone already allowed to send traffic through the same proxy. The bug traces to a 1997 FTP-parsing change and is still live in Squid's default configuration. Researchers at Calif.io disclosed it in June and named it Squidbleed (
Cybersecurity researchers have disclosed details of four vulnerabilities in Dify, an open-source agentic workflow platform with more than 146,000 GitHub stars, that could allow attackers to stealthily read artificial intelligence (AI) conversions from other customers' applications without requiring authentication. The vulnerabilities have been collectively codenamed DifyTap by Zafran Security.
In May 2026 an attacker compromised a UK medical practice endpoint without delivering a single malicious file. They used PowerShell and the .NET compiler built into Windows to build a Remcos remote access trojan on the machine itself, so signature antivirus had no known sample to match. The thing that caught it was DNS filtering, […] The post How attackers built a RAT on a Windows machine using its own .NET compiler appeared first on Heimdal Security Blog .
AI models capable of devastating attacks on governments and business months away, rare Five Eyes statement warns
Signal agencies in Australia, the US, the UK, New Zealand and Canada sound alarm after Trump blocks foreign nationals from Anthropic’s Fable AI model Powerful AI models capable of devastating new cyber attacks on governments and businesses are mere months away, intelligence agencies for the Five Eyes have warned in a rare joint statement, urging leaders to “act now”. The surprising public intervention by signals agencies for Australia, the US, the UK, New Zealand and Canada comes after the Trump administration earlier this month decided to block “foreign nationals” from using a much-hyped AI model built by tech company Anthropic, called Fable. Continue reading...
Google has set September 30, 2026, as the day it begins enforcing Android developer verification in the first four countries, and the major device-maker app stores are in from the start. On that date, certified Android phones in Brazil, Indonesia, Singapore, and Thailand will block normal installs of apps whose developers have not registered an identity with Google, whether the app
Earlier this month, I spoke at the Gartner Security & Risk Management Summit about a blind spot most security programs are still not accounting for - how attackers are circumventing AI security programs by using legacy infrastructure to hijack AI agents. AI adoption is moving faster than security programs can account for. Roughly 71% of organizations are piloting AI agents across their
It’s Monday again. This week’s threat list looks painfully familiar: abused integrations, fake tools, poisoned websites, ransomware crews trying to shut down security tools, and mobile malware asking for way too much control. The annoying part is how little of this feels new. Weak credentials, sketchy downloads, browser extensions with too much access, and WordPress sites are used to push more
From fake tickets to cloned websites, AI is magnifying World Cup scams. Can fans distinguish between what’s real and what’s not?
Canada's spy service got a judge's permission to reach into infected servers, home routers, and IoT gear sitting on Canadian soil and neutralize two foreign-run botnets. The Federal Court released a public version of the ruling on June 15. It is the first time the Canadian Security Intelligence Service has used its threat reduction warrant powers this way. The warrant let CSIS alter,
At 06:34am on 2 June 2026, an attacker logged on to a customer’s network. In a single automated burst, they switched on remote desktop and created a rogue administrator account. And deleted the evidence behind them. The intrusion reached 34 endpoints and was over in under ten seconds. Heimdal Extended Threat Protection (XTP) and Ransomware […] The post Attacker enables RDP, creates admin, erases evidence in ten seconds appeared first on Heimdal Security Blog .
To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.
A new malware family is turning forgotten home routers into a distributed reconnaissance and proxy network, not the DDoS botnet these devices usually end up in. QiAnXin's XLab calls it AryStinger and counts at least 4,300 infected routers, a total it says is still rising. The distinction matters. AryStinger exists for the stage of an attack that comes before the break-in. Infected
A new report from INTERPOL has revealed a "dramatic increase" in cybercrime in Asia and the South Pacific, fueled by rapid digitalization, internet penetration, new technologies, organized criminal networks, and a disparity in cybersecurity maturity. According to INTERPOL's 2025/2026 Asia and South Pacific Cyberthreat Assessment Report, phishing has emerged as the most widespread and
Sunday, June 21
[**clearmic.net**](http://clearmic.net) **is malware, do not download it** Someone sent me this site asking if it was legitimate. I ran the installer in a sandbox and it's a RAT. It looks like a mic clarity app but bundles a hidden second executable that runs in the background. Here's what it actually does: logs your keystrokes, captures your screen, hijacks your clipboard, records microphone audio, and sends everything out to a remote server encrypted. It also deletes Windows Shadow Copies which is standard ransomware behaviour to stop you recovering your files. It actively checks if it's running in a sandbox too, which is why I'm glad I tested it before running it on a real machine. Full sandbox analysis if you want to dig into it yourself: [https://tria.ge/260621-vsjxnaet4k/behavioral2](https://tria.ge/260621-vsjxnaet4k/behavioral2) If you already ran this, disconnect from the internet and run Malwarebytes immediately. Change your passwords from a different device, especially Discord, email, and anything with saved credentials in your browser. Spread this around so people don't get caught out.
I reverse engineered Windows Copilot into a free OpenAI compatible API (GPT-4o, no API key, no billing)
The cryptographic keys that secure your computer’s boot sequence will start to expire on June 24. Here’s what that means for you.
Saturday, June 20
An AI pair of eyes sitting over your shoulder, catching what you miss while you're deep in an investigation. Repo: [**https://github.com/hasamba/DFIR-Companion**](https://github.com/hasamba/DFIR-Companion) Landing page: [**https://hasamba.github.io/DFIR-Companion/**](https://hasamba.github.io/DFIR-Companion/) EDIT: Hands-on lab: [**https://killercoda.com/dfir-companion/scenario/killercoda**](https://killercoda.com/dfir-companion/scenario/killercoda) Honestly, it started out of frustration. I'm sitting on an investigation, open Velociraptor, spot an interesting lead, start digging into it, find another lead, and so on, and then suddenly I realize I completely forgot to go back to the other findings from the first artifact. The sheer amount of information you need to process during an investigation is simply more than one pair of eyes can handle, no matter how much coffee you've had. So I started building something to help myself and it ended up going somewhere I didn't expect. The original idea was a browser extension that takes screenshots every few seconds, so I could scroll back and see what I missed. Pretty dumb idea in hindsight, actually. But then the question came up: if I already have all those screenshots, why not let AI go through them while I work? And from there it exploded. Today it's a real-time dashboard that updates live as I investigate. It identifies findings, automatically builds an event timeline, extracts IOCs and enriches them from multiple sources, creating playbook that suggests what to check next, suggest hunt queries for velociraptor, run them and collect back the results, checks for data leaks, and answers the standard questions every investigation report needs: access vector, lateral movement, privilege escalation, etc. If a client confirms a finding-"that's legit, it's our weekly scan", one click and the entire analysis updates accordingly. The coolest part, to me, is that this started as a Velociraptor-specific solution but in practice became an AI layer on top of every tool I have open in the browser: SIEM, Security Onion, Splunk4DFIR, VolWeb, you name it. Even tools with no built-in AI suddenly get smarter, and all the data consolidates in one place instead of me jumping between ten tabs. Important to understand: this is NOT another detection layer. Your Sigma, YARA, and Suricata rules are already doing their job. This tool is the layer after detection-it takes all the verdicts from your tools, correlates them, and builds the "so what." The tool didn't stop at screenshots either. You can feed it almost any DFIR output and it will automatically detect the format and import it deterministically (no burning tokens on AI for that). Additional features: • Data correlation • Threat intel enrichment — with OPSEC in mind • AI input anonymization • Asset ↔ IoC graph • Targeted query generation • Export to multiple platforms • Free-form case Q&A against an LLM and much more... If you work in DFIR, Blue Team, or SOC — I'd love for you to try it out, open issues, suggest features, submit PRs, or just tell me what you think.
Threat actors are exploiting a recently patched security flaw impacting Gravity SMTP, a WordPress plugin that's installed on about 100,000 sites. The vulnerability, tracked as CVE-2026-4020 (CVSS score: 5.3), is a medium-severity information disclosure flaw that can allow unauthenticated attackers to extract sensitive data, such as configuration data, API keys, secrets, and OAuth tokens
Friday, June 19
A crafted MPLS packet can trigger an out-of-bounds read in mpls\_do\_error, leaking 4 bytes of adjacent kernel stack memory back in an ICMP/MPLS error response. It requires MPLS enabled, but the leak is remote and repeatable. Fixed in OpenBSD-current on 2026-06-18.
In the previous post we walked through WasmForge, our Go-to-WebAssembly loader that takes existing signatured Go tools and ships them as opsec-safe binaries. This approach doesn’t just apply to Go, however, as there are many languages that can compile to WebAssembly. Another language of interest to us, especially regarding legacy tools which have been over-signatured, is C#. In short, we got several GhostPack tools working through WasmForge. Rubeus and Seatbelt both run as PE binaries that pass through the same outer host which we use for Sliver, with most of their commands functioning at full parity to the original C# code. The mechanism is .NET’s NativeAOT-WASI toolchain plus a non-trivial amount of bridge code that we wrote with heavy LLM assistance. The release of this post also heralds our open-sourcing of the entire toolchain. This is also the last post in this series, so we’ll talk about the open source release at the end. If you’d like to skip ahead and try out the tool, you can grab it from github.com/praetorian-inc/wasmforge . The Most Signatured Tools on the Internet If Go tools are signatured into oblivion, C# tools are signatured and salted . Every major red team C# tool released in the last decade has a YARA rule with the project name in its title, several rules covering specific function names, and a handful of b
Thursday, June 18
The tech sector was the only industry in Synack's 2026 State of Vulnerabilities Report to get slower at remediating critical vulnerabilities—growing from 74 to 98 days while manufacturing, government, and financial services all improved. This post breaks down the technical and cultural forces driving that gap, and what it takes to close it. The post The Tech Sector’s Critical Vulnerability Paradox appeared first on Synack .
For the past four years, a sprawling Android-based botnet called Popa has forced millions of consumer TV boxes to relay Internet traffic linked to advertising fraud, account takeovers, and mass data-scraping efforts. This week, researchers from multiple security firms concluded that the Popa botnet is linked to NetNut , a “residential proxy” provider operated by the publicly-traded Israeli firm Alarum Technologies Ltd [NASDAQ: ALAR]. Malicious streaming devices sold online that enroll the user’s home Internet address in a residential proxy service. Image: HUMAN Security. Popa is a massive botnet, but by all accounts it is unlike traditional botnets that enlist compromised systems in destructive activities, such as coordinating huge distributed denial-of-service attacks. Rather, Popa appears designed with a singular purpose: Implementing a persistent communications layer capable of registering a device, maintaining long-lived encrypted connections, and opening communication tunnels on demand. Experts say P
Introduction Merely a few years ago, when asking about the state of quantum computing or the need for Post-Quantum Cryptography (PQC), the response would usually revolve around the ongoing PQC competition that NIST had brought to life in an attempt to identify algorithms for standardization. In 2022, Cloudflare started experimenting 1 with hybrid key agreement on its production edge, though most of the world outside a handful of research labs had barely registered that any of this mattered. The core argument of that work was that organizations n
Artist Morry Kolman will be livestreaming feeds of the NBA champions’ ticker-tape parade from NYC’s traffic cameras—and this time, the city’s Department of Transportation isn’t demanding he stop.
Internal Home Office tests of age-verification technology show the risks of life-altering errors. It’s moving forward anyway.
Wednesday, June 17
Worth a MalExt Report? A 2 Million-User Chrome Extension Added Give Freely/Wildlink in a 5-Day Update
I've been reversing the 2M+ user Volume Booster Chrome extension and found something interesting. Between v1.0.3 (2025-06-27) and v1.0.4 (2025-07-02), the extension added: "content_scripts": [{ "matches": ["<all_urls>"], "js": [ "vendor/GiveFreely-content.umd.js", "content-script.js" ] }] The previous version was essentially a small audio booster. The newer version introduces a Give Freely / Wildlink component that appears to support merchant detection, affiliate attribution, and donation campaigns. No new permissions were added, meaning existing users would have received the update automatically without a new Chrome permission approval prompt. I've also found the same Give Freely / Wildlink infrastructure in multiple unrelated extensions, which makes me think it's being distributed as a white-label monetization/fundraising SDK. I'm still investigating and considering whether this is worth adding to MalExt. At this point I don't have evidence of malware, credential theft, or anything overtly malicious just a significant expansion of functionality in a 2M-user extension. Curious what others think. Is this a transparency/privacy concern, or just a normal extension monetization model? Any opinions or prior research on Give Freely / Wildlink would be appreciated so i can added to [malext.io](http://malext.io)
Overview Earlier this year, a team at Praetorian was building Constantine , our automated 0-day discovery engine. I wanted to find techniques worth folding into it, so on the side I started poking at the FreeBSD kernel with Claude Code, running on Opus 4.6, which was the latest Opus model at the time. A few days of work turned up real bugs and a weekend after that produced two working exploits capable of escaping from a FreeBSD jail. This article is part of a two-part series. In part one, I will be focusing on the methodology used to uncover the identified vulnerabilities and part two will focus on the methodology we leveraged to develop and exploit the vulnerabilities. It’s been several months since I disclosed roughly eight separate vulnerabilities to the FreeBSD security team. The reality is that this is a volunteer team and they are likely overwhelmed by the sheer number of vulnerabilities being identified within FreeBSD by various security researchers leveraging large language models. Because of this, we can really only publicly discuss a single vulnerability we reported CVE-2026-3038 , a fairly straight-