Google on Monday released patches for 124 security vulnerabilities impacting its Android operating system for the month of June 2026, including one high-severity flaw in the Framework component that has come under active exploitation. Tracked as CVE-2025-48595 (CVSS score: 8.4), the security flaw has been described as a case of privilege escalation without requiring any user interaction. The
Cybersecurity News and Vulnerability Aggregator
Cybersecurity news aggregator
Updated: 8:20 pm
J/K Navigate / Search S Save V Open Link
— or
treemd <(curl -sL https://allsec.sh/md) (as Markdown) Top Cybersecurity Stories Today
Multiple Instagram users had their accounts hijacked after attackers convinced Meta's AI-powered support tools that they were the legitimate owners. [...]
Overview A stored cross-site scripting (XSS) vulnerability has been discovered in Appsmith, specifically in the CodeMirror based SQL query editor’s autocomplete renderer. CVE-2026-7299 has been assigned to track the vulnerability. An attacker with developer level access to a shared PostgreSQL datasource can inject arbitrary JavaScript by creating malicious database objects whose names contain XSS payloads. Successful exploitation leads to arbitrary JavaScript execution in the browser of any workspace member who triggers SQL autocomplete, enabling session hijacking, privilege escalation, or credential theft. Version 2.1 of Appsmith fixes CVE-2026-7299. Description Appsmith is an open source, low code platform intended to allow developers to build internal tools, dashboards, and applications using a UI builder, database and API integrations, and JavaScript customization. Appsmith can also be deployable either self-hosted or via the cloud. A vulnerability, tracked as CVE-2026-7299, has been discovered, allowing for XSS within the SQL query editors autocomplete function. The vulnerability description is below. CVE-2026-7299 Appsmith’s SQL query editor’s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS by a malicious table or column names triggering arbitrary code execution in the sessions of other workspace members when they interact with the same datasource. This vulnerability requires an account with developer access. A developer Appsmith account is an account designed to create, edit, and delete apps within a workspace they are assigned to. When an administrator opens the SQL editor and triggers autocomplete (e.g., by typing SELECT * FROM), the malicious ta
Overview The Collibra Platform Agent contains vulnerabilities that can be chained by a remote, unauthenticated attacker to achieve remote code execution. An attacker can exploit these issues by uploading a crafted ZIP archive that writes attacker-controlled files to arbitrary locations on the server once extracted, resulting in code execution. Description Collibra Platform (CP) and Collibra Platform Self-Hosted (CPSH), an enterprise grade, cloud-based platform designed to help organizations locate, understand, trust, and manage their data assets. The Collibra Agent of CP and CPSH that is installed on the host system is an independent service that listens on different port than the web interface and have the following vulnerabilities. CVE-2026-10622 Privileged REST endpoints exposed under /rest/* do not properly enforce authentication or authorization. This allows a remote, unauthenticated attacker to interact with sensitive application functionality and gather information useful for further exploitation, including identifying suitable filesystem locations or application paths. Additionally, the web services hosting the vulnerable REST endpoint was observed to bind to all available network interfaces regardless of the setting passed to the installer script. This behavior may increase exposure in deployments where administrators believe access is restricted to specific interfaces or trusted networks. CVE-2026-10621 A Zip Slip vulnerability during extraction is exposed through POST /rest/restore and enables path traversal. When a ZIP archive is processed, file paths contained within the archive are not properly validated or canonicalized before extraction.
More than 30 npm packages under Red Hat's '@redhat-cloud-services' namespace were compromised in a supply-chain attack that distributed a new variant of the Shai-Hulud credential-stealing malware, dubbed "Miasma." [...]
Latest
Tuesday, June 2
A threat actor is using an AI-built ransomware attack toolkit that automates Active Directory discovery and helps evade endpoint detection and response (EDR) solutions. [...]
Google on Monday released patches for 124 security vulnerabilities impacting its Android operating system for the month of June 2026, including one high-severity flaw in the Framework component that has come under active exploitation. Tracked as CVE-2025-48595 (CVSS score: 8.4), the security flaw has been described as a case of privilege escalation without requiring any user interaction. The
The Russian hacking group known as Gamaredon has been attributed to the continued exploitation of a WinRAR vulnerability to deliver multiple malware families aimed at data theft and propagation. Per Sekoia, the activity involves the weaponization of CVE-2025-8088, a path traversal flaw in WinRAR, to launch an HTML Application payload dubbed GammaPhish, which is then used to retrieve an
Been hacking on UltraViolet for a while - basically network discovery and search you run yourself. Shodan vibes, except the data sits in your Postgres behind a normal Docker Compose stack. Not SaaS, not multi-tenant. One install, your hardware. You give it CIDRs you're actually allowed to hit (please only stuff you own or have written permission for). It finds open TCP/UDP ports, then probes a bunch of protocols - HTTP/HTTPS with bodies, titles, tech guesses, favicon hash, robots.txt, security.txt; TLS with certs, JARM, JA3S/JA4S; mail, LDAP, common DBs and queues; some ICS/SCADA and IoT stuff too. Roughly \~100 probe types last I counted. Discovery can be the built-in scanner or masscan/zmap if you want it faster. Results go into Postgres. Search is full-text over banners, HTTP bodies, TLS bits, DNS, CVEs - handy when you're trying to answer "where is this nginx version still hanging around" without living in spreadsheets. Why I wanted this: * perimeter / inventory that doesn't rot in a shared cloud account * rescan diffs (new, gone, changed) plus websocket updates while scans run * CVE side is local NVD mirror + fingerprint matching, with KEV and EPSS layered on * offline tarball exists if you need air-gap (images, optional CVE seed, GeoIP db) * saved searches can alert to logs or webhooks, with cooldowns so one chatty host doesn't wreck your day What it is not: an exploit scanner. No L2 mapping, no agents everywhere, no "scan the whole internet" product angle. Single tenant on purpose. Stack is boring on purpose - Go API + worker, React UI, Postgres 16. RBAC (viewer / operator / admin), JWT + refresh, audit log, rate limits, schedules, Prometheus metrics, optional Grafana profile. Dev is clone, secrets in `service-env`, `make dev`, UI on :3000. Production mode kills the default `admin/admin` thing. Repo: [https://github.com/yakushstanislav/UltraViolet](https://github.com/yakushstanislav/UltraViolet)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a high-severity security flaw impacting Oracle WebLogic Server to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. The vulnerability, CVE-2024-21182 (CVSS score: 7.5), allows an unauthenticated attacker with network access to take control of susceptible servers. It was
Available for Android 12 and later, the anti-scam feature is baked into Google Dialer, which sends a silent “confirmation signal” to ensure whoever’s calling you is who they appear to be.
Microsoft is working to address a widespread service issue affecting the mail flow pipeline for Exchange Online customers across North America and Germany. [...]
Multiple Instagram users had their accounts hijacked after attackers convinced Meta's AI-powered support tools that they were the legitimate owners. [...]
Oracle released its first ever monthly Critical Security Patch Update this week, a format change the company announced in early May to supplement its quarterly CPU cycle with faster fixes for high priority issues. The May 2026 CSPU covers 77 vulnerabilities across five products. Database Server, REST Data Services, Communications, E-Business Suite, and Hospitality Applications. Around a dozen are rated critical, and the majority of the rest are high severity. Several of the critical flaws are exploitable by unauthenticated attackers over the network, which means no credentials needed to attempt exploitation. The detail in Oracle's own advisory that caught my attention was this: Oracle explicitly noted that some past customer breaches occurred not because the vulnerability was a zero-day, but because customers had simply not applied patches that were already available. Oracle patched it. The customer didn't update. Breach happened. That is the gap the monthly cadence is trying to close. For anyone running Oracle in their environment, the May CSPU is live now at oracle.com/security-alerts/cspumay2026.html. A second monthly update is coming mid-June, and the quarterly CPU drops in July. The schedule after that is CSPUs on August 18 and September 15. The products most worth prioritizing based on attack surface are Database Server, which has three RCE bugs all remotely exploitable without authentication, and REST Data Services, where seven of the eleven patches address unauthenticated network-accessible vulnerabilities. The Verizon 2026 DBIR reported this year that the median time to patch a critical vulnerability actually increased year over year, from 32 days to 43 days, while exploitation windows have shrunk to hours in some cases. Oracle moving to monthly updates is a reasonable response to that pressure, but it only helps if organizations actually apply them. This assumes some familiarity with your environment and patch management tooling. If any of this is unclear or you want to talk through prioritization, drop a comment and the community or myself can help. More read: [https://www.oracle.com/security-alerts/cspumay2026.html](https://www.oracle.com/security-alerts/cspumay2026.html)
AI-powered attacks and shadow AI adoption are creating new security risks inside the browser. Push Security explains why browser visibility is becoming critical for both threat detection and AI governance. [...]
Overview VoLTE deployments on Verizon’s IMS network have operated without negotiated SIP integrity protection. In observed test conditions, SIP signaling—including registration, call setup, and messaging—traveled without IPsec ESP encapsulation and without SIP Security Agreement headers, exposing it to interception and modification by on-path attackers. Recent carrier configuration updates, including Apple’s iOS 26.5 carrier bundle released on May 11, 2026, include IMS IPsec–related settings. However, such configuration entries do not confirm active deployment, successful negotiation, or functional protection in production. Description CVE-2026-10629 Verizon IMS deployments were observed transmitting SIP signaling without integrity protection. REGISTER exchanges lacked Security-Client, Security-Server, and Security-Verify headers, and no ESP-encapsulated SIP traffic was detected during subsequent signaling such as INVITE, MESSAGE, BYE, and UPDATE. This pattern persisted across devices, operating systems, and network conditions, indicating a deliberate network configuration rather than a transient issue. Per 3GPP TS 33.203 and GSMA IR.92, SIP signaling between the UE and P-CSCF must be protected using IPsec ESP following IMS AKA authentication, with negotiation occurring during registration. The absence of this protection allows attackers to manipulate SIP signaling undetected, enabling call hijacking, spoofing, denial-of-service, and misrouting of emergency calls. Verizon initially acknowledged the issue and stated that integrity support would be available upon request and extended broadly later in the year. However, the company has since ceased participation in coordination, including follow-up discussions and draft review, and has not provided verifiable evidence of mi
Overview A stored cross-site scripting (XSS) vulnerability has been discovered in Appsmith, specifically in the CodeMirror based SQL query editor’s autocomplete renderer. CVE-2026-7299 has been assigned to track the vulnerability. An attacker with developer level access to a shared PostgreSQL datasource can inject arbitrary JavaScript by creating malicious database objects whose names contain XSS payloads. Successful exploitation leads to arbitrary JavaScript execution in the browser of any workspace member who triggers SQL autocomplete, enabling session hijacking, privilege escalation, or credential theft. Version 2.1 of Appsmith fixes CVE-2026-7299. Description Appsmith is an open source, low code platform intended to allow developers to build internal tools, dashboards, and applications using a UI builder, database and API integrations, and JavaScript customization. Appsmith can also be deployable either self-hosted or via the cloud. A vulnerability, tracked as CVE-2026-7299, has been discovered, allowing for XSS within the SQL query editors autocomplete function. The vulnerability description is below. CVE-2026-7299 Appsmith’s SQL query editor’s autocomplete functionality fails to sanitize database object names before rendering them in innerHTML, allowing an authenticated Developer to inject persistent XSS by a malicious table or column names triggering arbitrary code execution in the sessions of other workspace members when they interact with the same datasource. This vulnerability requires an account with developer access. A developer Appsmith account is an account designed to create, edit, and delete apps within a workspace they are assigned to. When an administrator opens the SQL editor and triggers autocomplete (e.g., by typing SELECT * FROM), the malicious ta
Netlogon vulnerabilities always deserve attention because they sit so close to the heart of Active Directory. When a flaw can impact domain controllers, the conversation quickly shifts from a single vulnerable system to trust across the entire environment.
Overview The Collibra Platform Agent contains vulnerabilities that can be chained by a remote, unauthenticated attacker to achieve remote code execution. An attacker can exploit these issues by uploading a crafted ZIP archive that writes attacker-controlled files to arbitrary locations on the server once extracted, resulting in code execution. Description Collibra Platform (CP) and Collibra Platform Self-Hosted (CPSH), an enterprise grade, cloud-based platform designed to help organizations locate, understand, trust, and manage their data assets. The Collibra Agent of CP and CPSH that is installed on the host system is an independent service that listens on different port than the web interface and have the following vulnerabilities. CVE-2026-10622 Privileged REST endpoints exposed under /rest/* do not properly enforce authentication or authorization. This allows a remote, unauthenticated attacker to interact with sensitive application functionality and gather information useful for further exploitation, including identifying suitable filesystem locations or application paths. Additionally, the web services hosting the vulnerable REST endpoint was observed to bind to all available network interfaces regardless of the setting passed to the installer script. This behavior may increase exposure in deployments where administrators believe access is restricted to specific interfaces or trusted networks. CVE-2026-10621 A Zip Slip vulnerability during extraction is exposed through POST /rest/restore and enables path traversal. When a ZIP archive is processed, file paths contained within the archive are not properly validated or canonicalized before extraction.
AI-driven exploitation timelines are rapidly shrinking, and they are not going to stop shrinking. Vulnerabilities are being discovered, reproduced, and weaponized faster than ever in the history of enterprise security. As a result, the window between a vulnerability being disclosed and indiscriminate exploitation observed across the internet is now measured in hours, not days. The industry's
Most organizations now recognize that endpoint protection alone is no longer sufficient. That's why adoption of endpoint detection and response (EDR) has accelerated rapidly in recent years. Organizations understand that modern attacks move faster, evade traditional prevention controls, and require continuous visibility into suspicious activity across the environment. But owning EDR
The right-wing think tank is actively pushing “civil terrorism”—increasing penalties for minor crimes committed while people engage in constitutionally protected free speech.
Cybersecurity researchers have disclosed details of a spear-phishing campaign likely undertaken by the Pakistan-aligned SideCopy group targeting Afghanistan's Ministry of Finance with an open-source remote access trojan called Xeno RAT. "The campaign opens with a spear phishing delivery - a ZIP archive containing a malicious LNK file bearing a carefully crafted Pashto-language filename,"
Attackers are abusing the shared content features of AI chatbot platforms — ChatGPT and Claude — to deliver malware through pages hosted on legitimate, trusted domains, distributing the malicious links via sponsored malvertising ads on search engines.
Password manager Dashlane has disclosed that "fewer than" 20 users on the personal subscription plan had their encrypted vaults downloaded following a brute-force attack launched by an unknown party. On May 31, 2026, the company said an "external" threat actor launched a brute-force attack against certain Dashlane user accounts with the aim of breaking two-factor authentication (2FA)
A vulnerability that lurked in the Linux kernel for 19 years allows low-privileged users to obtain root-level privileges on numerous distributions. Dubbed CIFSwitch, the issue impacts the Linux kernel’s CIFS subsystem and the cifs-utils userspace helper it uses for handling authentication. June 1, 2026 https://heyitsas.im/posts/cifswitch
Monday, June 1
A threat actor tracked as DriveSurge has been operating large-scale malware distribution campaigns using ClickFix and FakeUpdates techniques on compromised sites. [...]
More than 30 npm packages under Red Hat's '@redhat-cloud-services' namespace were compromised in a supply-chain attack that distributed a new variant of the Shai-Hulud credential-stealing malware, dubbed "Miasma." [...]
The Spanish National Police has arrested an individual for leaking sensitive information related to members of various key state organizations, including the National Cybersecurity Institute (INCIBE). [...]
running custom firmware / patching the stock firmware of the soundcore headphones and running DOOM on it!
Came across an article, product like phpBB still has some potential flaws.
Key Takeaways We just got back from Tenable Exposure 2026 in Boston and three big questions dominated every conversation we had on the floor: The good news is, Synack is exactly positioned to answer these questions. Tenable Finds It. Sara AI Pentesting Proves What’s Exploitable. The Synack and Tenable integration addresses a gap that’s gotten […] The post Tenable Exposure 2026: AI Pentesting Helps Partners Scale appeared first on Synack .
A new Mini Shai-Hulud supply chain attack campaign, codenamed Miasma, has compromised @redhat-cloud-services packages to steal credentials and secrets from developer machines and deliver a self-propagating worm. "This is effectively a Mini Shai-Hulud campaign: it uses the same core tactics of install-time execution, credential harvesting, CI/CD targeting, encrypted exfiltration, and potential
A major npm supply-chain incident reportedly hit the @redhat-cloud-services scope, with malicious versions published through an OIDC trusted publishing gap. The concerning part is that the packages could still appear with valid provenance, while the Miasma payload ran during npm install, stole developer/CI credentials, and attempted to spread through npm tokens, Git repos, and dev tooling configs. Apparently, the Miasma worm is an evolved form of the Mini Shai-Hulud worm
Nearly 2,000 WordPress websites were infected with malware that relies on Steam Community profile comments to hide command-and-control (C2) data. [...]
Cloudflare's core is the centralized data centers that run our control plane, billing, and analytics — distinct from the globally distributed edge that handles user traffic. Core servers are bare metal, and when issues happen during reboot, the consequences can cascade fast. Their boot sequence is orchestrated by UEFI , the modern firmware standard that initializes hardware and hands off control to the operating system. Small quirks in that handoff can have outsized consequences. After a routine firmware update, some of our core servers were taking four hours to come back online, rather than just minutes as they did before. What should have been a one-day fleet-wide rollout was stretching into multi-day slogs. New nodes faced the full timeout gauntlet on their very first boot. Maintenance windows ballooned. Engineering teams had to babysit upgrades that should have run unattended. The behavior we saw was brought to light when we were bringing nodes online that had been powered off for an extended period. These nodes’ firmware was out of date and required multiple updates to resolve. Combine this with recent updates to the boot protocols used by servers in some of our locations, and boot times on the affected nodes became unacceptable. This is the story of how we tracked the cause to a firmware quirk and an over-eager linear search through every available network boot interface, and how we cut total boot and upgrade time from hours back down to minutes. Along the way, we'll share what we learned about UEFI internals, vendor-specific quirks, and the automation strategies that ultimately solved the problem. The network boot interface A network boot interface allows a server to boot its operating system over the network instead of from local storage. This is critical f
@redhat-cloud-services npm scope backdoored with valid signed SLSA provenance; recovered the GitHub commit-search dead-drop C2 markers
On 1 Jun 2026, 31 packages across the redhat-cloud-services npm scope were republished with an install-time malware payload, and it kept re-arming: at least 4 bursts in one afternoon as the registry purged each batch, version numbers climbing each time. What makes it notable for defenders: ## Valid, signed provenance Every malicious version carries valid SLSA provenance and passes `npm audit signatures`. npm trusted publishing authorizes on (repository + workflow file path), so the attacker pushed a throwaway branch carrying a workflow named `release.yml` set to run on any push with `id-token: write`. GitHub Actions ran it in the repo's context, npm minted a real publish token AND a real attestation, then the branch was deleted. `main` was never touched. The scope publishes from more than one RedHatInsights repo (clients from javascript-clients, the MCP servers from platform-frontend-ai-toolkit), so more than one CI pipeline was abused. Provenance proves where a build came from, not what it does. ## IOCs (from a sandbox detonation) C2 is a GitHub commit-search dead-drop, no hardcoded host. The implant queries `api.github.com/search/commits` for marker strings to locate its drop point: - `thebeautifulmarchoftime` - `IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner` - User-Agent: `python-requests/2.31.0` Searchable in GitHub commit search / audit logs, and the drop-point commits can be purged. (Not in the public writeups yet; contributed to the issue below.) Behavior: - Env-gated: only fires when `CI` / `GITHUB_ACTIONS` are set (dormant in a bare sandbox). - Credential reads within ms of install: `~/.aws/credentials`, `~/.ssh/id_rsa`, `~/.git-credentials`, `~/.docker/config.json`. - All egress DNS-resolved, no hardcoded-IP C2, no cloud metadata probe in our run. ## Detection - Pin to integrity (lockfile) and expect re-arming: `latest` was malicious far more often than not across the afternoon. - A kernel agent that returns `-EPERM` on credential-file reads kills the job before the C2 fires. - Behavioral checks at publish time catch this regardless of how clean the provenance looks. ## Sources - StepSecurity, original report + writeup: https://github.com/RedHatInsights/platform-frontend-ai-toolkit/issues/57 and https://www.stepsecurity.io/blog/multiple-redhat-cloud-services-npm-packages-compromised - SafeDep, the OIDC/SLSA provenance-abuse technique (AntV wave): https://safedep.io/mini-shai-hulud-strikes-again-314-npm-packages-compromised/ - Recovered C2 markers contributed to the RedHatInsights issue: https://github.com/RedHatInsights/platform-frontend-ai-toolkit/issues/57#issuecomment-4594221102 - Full first-hand method (detonation, provenance anatomy, checksums): https://leitwacht.eu/blog/valid-provenance-malicious-package Disclosure: I founded Leitwacht; the agent referenced is our open-source CE binary.
Microsoft says an ongoing incident is preventing users of its Teams collaboration platform and Office for the web cloud-based productivity suite from opening files. [...]
Attackers are exploiting vulnerabilities faster than many organizations can identify and patch them. SecAlerts explains why faster vulnerability alerts can help reduce exposure and improve response times. [...]
Monday hit like a cron job with anger issues. A busted auth path here, a repo-side faceplant there, some "patched-ish" thing already getting chewed on in the wild, and then the usual bonus round: poisoned dev tools, sketchy forum chatter, phishing kits pretending to be productivity, and AI lowering the bar for people who already thought 'curl | sh' had a personality. The vibe is simple: old
CISA's latest patch deadlines are a reminder that attackers tend to focus on the same things defenders depend on most: edge devices, security tools, and internet-facing applications. When PAN-OS, Defender, and Langflow all show up on the radar at once, patching becomes a risk management exercise, not just maintenance.
A new cyber espionage campaign codenamed Operation Dragon Weave has been observed targeting officials and citizens in the Czech Republic and Taiwan to deliver an AdaptixC2 agent. According to Seqrite Labs, targets of the campaign include government, research, academic, technology, and financial services sectors. The activity entails distributing spear-phishing emails containing ZIP attachments
Three years ago, the practical question for an MSP building a cybersecurity practice was which "vCISO platform" to buy. The term was good shorthand for the work at the time: assessments, advisory, reporting, maybe a compliance module bolted on the side. The work has since outgrown the descriptor. A Security Growth Platform is the more precise name for what MSPs and MSSPs need from the software
In this excerpt from WIRED Book Club pick The Yahoo Boys, journalist Carlos Barragán traces one scammer’s journey from flop to fortune.
Thanks to the newly detailed FROST technique, telltale SSD activity can be measured in the browser using simple JavaScript.
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite Today, I loaded the 1,000th data breach into Have I Been Pwned . Reflecting on that milestone number, I pondered how to mark the occasion in writing, and what immediately came to mind was a very simple question: why is it still needed? Especially considering the emergence of privacy regulations such as GDPR and CCPA in the 12 and a half years since I started HIBP, what possible purpose does it still serve? The title kinda gives the answer away, and the big number we hit today coincided with another pattern that makes everything worse: increasingly long lag times for disclosure. This is all going to be anecdotal, and as far as I know, there are no hard numbers for me to cite, but the evidence is everywhere. Here's what I mean: New breach: Cruise operator Carnival was targeted in a ShinyHunters “pay or leak” attack last week. 8.7M records with 7.5M email addresses and loyalty program data were published yesterday. 85% were already in @haveibeenpwned . Read more: https://t.co/QhqNt0WucV — Have I Been Pwned (@haveibeenpwned) April 24, 2026
To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite I'm finding it quite fascinating to watch the current spate of ShinyHunters breaches and dumps. There's the obvious criminality of it all, but then there's also the response from organisations (or lack thereof, as it relates to disclosure to victims), the appearance and disappearance of victims on their dark web site, the speculation around payments and so on and so forth. And it's seemingly endless - I mentioned DentaQuest during the video, and sure enough, the next day, a 233GB corpus allegedly from them was dropped. By the next update, it might be BCD Travel as well and who knows which other services will appear on the "pay or leak" list. Strange times, I can't remember it ever being this crazy before TBH.
Sunday, May 31
Dutch authorities have announced the takedown of a botnet that enslaved millions of infected devices, including computers, tablets, smartphones, and IoT devices, to carry out malicious attacks. The bot network, per the Dutch Politie and the National Cyber Security Center (NCSC), consisted of at least 17 million infected devices. More than 200 servers located in the Netherlands acted as the
Source: [https://x.com/nextronresearch/status/2060014483242651694?s=20](https://x.com/nextronresearch/status/2060014483242651694?s=20) Copy: [https://bazaar.abuse.ch/sample/bb1b4e46f1e4a7f17b1b04ee08c33400b2b6fd2327612a4d84da81e2656ba48b/](https://bazaar.abuse.ch/sample/bb1b4e46f1e4a7f17b1b04ee08c33400b2b6fd2327612a4d84da81e2656ba48b/)
Saturday, May 30
I reverse engineered how Plex gates its Pass features, then wrote a tiny patch that flips them all on (Linux)
Plus: A ransomware group is now stealing data in person, BusPatrol wants to hand its license plate surveillance data to the cops, and more.
Palo Alto Networks has warned that a recently disclosed medium-severity security flaw impacting PAN-OS and Prisma Access has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-0257 (CVSS score: 7.8), refers to a case of authentication bypass that could be exploited by bad actors to set up VPN connections. "Authentication bypass vulnerabilities in the
Friday, May 29
The website, which compares human beings to extraterrestrials, touts arrest numbers from the Trump administration’s sweeping immigration crackdown. But some of its details are really out there.
Cybersecurity researchers have disclosed details of a vulnerability in OpenAI ChatGPT that leverages the artificial intelligence (AI) assistant's implicit trust in Markdown links and images to trigger prompt injections and open the door to phishing attacks. The technique has been codenamed ChatGPhish by Permiso Security. "The chatgpt.com response renderer trusts Markdown links and Markdown
An unknown threat actor has been observed using a large language model (LLM) agent to conduct post-compromise actions after obtaining initial access following the exploitation of a publicly-accessible Marimo network using a recently disclosed vulnerability. "The attacker compromised an internet-reachable Marimo notebook via CVE-2026-39987, extracted two cloud credentials from the compromised
A previously undocumented threat actor dubbed GREYVIBE has been attributed to ongoing and persistent attacks targeting Ukraine and Ukraine-related entities since at least August 2025. GREYVIBE, per WithSecure, is assessed to be a Russian-speaking group operating broadly in the Russian time zone, with the activities aligning with Kremlin state interests, specifically when it comes to
Shadow AI used to mean employees pasting things they shouldn't into ChatGPT. It now means something bigger: employees building full applications with AI, wiring them into production systems, and publishing them on the open internet. Without Security or IT in the loop. The artifact moved from a prompt to a product. The risk surface moved with it. In The Shadow Builders report (get it here), a
We found a cluster of 1,001 IPs across 306 networks and 64 countries, tied to eight shared staging servers and a single TLS and HTTP fingerprint that appears nowhere else, plus smaller botnets that fall into clean separate islands.
I built an independent benchmark with 20 real CVEs across 15 CWE categories, 5 models (3 OpenAI, 2 Poolside Laguna), three prompt conditions: full advisory, behavioral description only, and location only (file and function, no description of the flaw). I have three findings worth sharing: * **No model reliably fixes real vulnerabilities.** The best solve rate (gpt-5.5) is 50% overall and 60% under the most favorable condition. The failure modes (e.g, wrong-search drift, budget exhaustion mid-implementation, plausible-but-incomplete patches that pass every visible test) are structured and repeatable across models and tasks. * **Token cost varies 4x for equivalent outcomes.** The Laguna models consume 3–4x more tokens than OpenAI models of the same capability tier, with no improvement in solve rate. * **The locate condition is the benchmark's sharpest instrument.** Give a model only a file and function (no description of the flaw). Every model drops. The differences between models are within noise at this scale, but it's the condition that most closely resembles what a security researcher actually does: reading code cold and recognizing independently that something is wrong. Benchmark code and evaluation traces are open sourced.
Thursday, May 28
Discovery During a recent network security assessment, we were working on an environment that was well-hardened – Patching was current, password policies were strong, and network segmentation was in place. So, as part of our enumeration of all network assets, we started looking for default credentials and this led us to multiple Canon enterprise printers configured with default administrator credentials. Enterprise printers are an interesting attack surface because it is common practice to have them configured with domain credentials. So, with administrative access, we tried to execute auth-back attacks by modifying the printer’s configuration to point to our server for credential capture or relay. However, network segmentation controls blocked this attack, as outbound controls prevented traffic from reaching our attacker-controlled subnet. We needed a different approach. We turned our attention to how the printer handled stored credentials. Specifically, we were curious to look at what happened to them during export. While exploring the printer’s administrative interface, we found a configuration export feature that allows administrators to back up device settings. This immediately raised a question: how were stored credentials being protected during export? Canon’s documentation states that exporting sensitive data requires encryption and the web interface presents encryption options (Security Level 1 and 2) that appear mandatory. However, we quickly discovered that these controls are implemented client-side without server-side validation. Vulnerability Canon imageRUNNER ADVANCE DX printers provide a configuration export feature that is accessible through the web management interface. The web UI appears to enforce encryption by requiring a user-supplied pass
Key Takeaways AI generates findings at scale, but scale without trust creates risk. The real security challenge isn’t discovery—it’s knowing which findings are real, exploitable, and worth acting on before automated systems take action. False positives become operationally dangerous in AI-driven environments. Model hallucination, single-tool reliance, and misinterpreted context can cause AI to fabricate vulnerabilities […] The post AI Can’t Fix What It Can’t Trust: Why Continuous Security Validation Matters appeared first on Synack .
In previous blog posts we’ve talked about getting nerd sniped . Today we’re going to talk about a kind of nerd sniping that any offensive security tool creator is familiar with; when your tool gets signatured. This normally kicks off a frustrating spiral of back and forth changes between the tool author and security vendors until the tool author runs out of resources to keep responding to changes. Like many parts of the security space, LLMs have changed how this story might end. The Classic Offensive Security Tooling Lifecycle There’s a lifecycle to most offensive security tooling. First you encounter a problem that’s common or problematic enough that you want to automate it, so you write a tool. Then you use that tool privately until you decide the time has arrived to open source it. This is a cool moment, you get to share your techniques with the community and if you’re really lucky, maybe the fundamental problem your tool exposes is fixed. Much more likely, once it’s open sourced it eventually gets signatured to the point that you
The US military has long known that cheap fixes could stop location data from exposing its troops. It adopted almost none—and now says adversaries are using the data to target soldiers during a war.
Cloudflare processes more than a billion events every second. Our network spans 330+ cities in 120+ countries. Behind every HTTP request, every Worker invocation, every R2 read operation, there is data, and a lot of it. For years, that data was not very easy to access. It lived in dozens of production databases, ClickHouse clusters, Kafka streams, Google Cloud buckets, BigQuery datasets, and a long tail of pipelines. To answer a simple question like "How many domains that signed up today are in the Top 100 by traffic?", an analyst at Cloudflare had to know which system to ask, what credentials to use, what query language to write, and whether the data they were looking at was sampled, fresh, or seven-days stale. As a result, it was difficult to glean informed insights from the data. To solve this problem, we built two in-house tools: Town Lake, Cloudflare's unified data analytics platform, and Skipper, an AI data agent that runs on top of it. Town Lake is a single SQL interface to everything Cloudflare knows, and Skipper is how anyone at Cloudflare can ask questions in plain English and get correct, auditable answers back in seconds. This is the story of how we built both. The shape of the problem If you have ever worked at a company that went through a hyper-growth period, you know what data sprawl looks like. Ours had a few specific symptoms: Too many disparate systems. A product engineer who wanted to investigate a customer issue might need to query Postgres for account metadata, ClickHouse for analytics events, BigQuery for usage rollups, R2 for raw logs, and Kafka topics for real-time signals. Each system had its own credentials, its own language, and its own retention policy. Sampled data. This is fine for dashboards, but doesn’t work for domains like billing. Our
Customer data from more than 350 hotels around the world may have been accessed as part of realistic reservation-hijacking scams.
From Exploit Code to Production Detection: Building a CVE-2026-31431 (Copy Fail) detection with Agents
CVE-2026-31431 (Copy Fail) lets any unprivileged user corrupt the Linux page cache via AF_ALG sockets to escalate privileges. This post covers the exploit mechanics and how Datadog Security Research used coding agents to ship a detection content pack in a single session.
Wednesday, May 27
Anna Turley gives Reform leader 24 hours to report Russian hacking claim in ‘public and national interest’ The Labour chair has given Nigel Farage 24 hours to report to security services the claim that his phone was hacked by Russia-linked actors or the party will do it for him. In a letter to the Reform UK leader, Anna Turley said it was “in the public and national interest” to ensure that a suspected overseas hack of a senior politician’s phone by a hostile state was properly investigated. Continue reading...
On Tuesday, May 26, Iran’s vice president announced that Internet access had started to be restored in the country after being cut off almost three months ago, following the launch of U.S. and Israeli attacks on February 28. Cloudflare Radar data confirms increased activity and indicates a partial restoration of the Internet in Iran. In this blog post, we’ll examine a range of data points that provide a lens into this prolonged shutdown – and the signs that Iran’s citizens are increasingly able to connect once again. As the situation continues to unfold, Radar will have the latest data on Iran’s connectivity . The first shutdown Iranian citizens have experienced two national Internet shutdowns this year. The first began on January 8 around 16:30 UTC (20:00 local time), and we explored the impact seen over the first few days in a blog post . Traffic from Iran remained near zero until January 21, when a small amount of traffic returned, only to disappear a little over 24 hours later. A similar brief restoration also occurred on January 25, before traffic recovered more fully beginning on January 27. The second shutdown In late February, as military strikes on Iran escalated, a second nationwide Internet shutdown began. That sweeping shutdown has persisted for nearly three months. The shutdown began on February 28. On that date, Cloudflare Radar observed a sharp drop in traffic from
I've been hard at work on a NEW phishing technique I'm excited to share. I'm calling it "Vaultjacking" and the impact is honestly a bit sobering. In my blog I demonstrate how a single AiTM landing page can spoof your Google passkey/password manager PIN and use that to access ALL of a victim's third-party credentials (yes, including passkeys). A simple phish on one site can lead to a total compromise of all Chrome-saved credentials.
A week after Dutch FIOD seized 800+ servers, the hosting network's ASN (AS209847) is still scanning at its normal daily rate
After FIOD seized 800+ servers and arrested two operators on May 18, the ELLIO research team reports that scanning from the network's ASN ranges has continued largely uninterrupted - and that while roughly a third of the recently-active ranges (including the legacy Stark blocks 94.131.105.0/24 and 92.118.232.0/24) have since been withdrawn from global routing, the surviving ranges under AS209847 (WorkTitans / THE.Hosting) are still announced and still scanning, at the network's normal daily rate. The sibling ASNs (AS213999 and the Moscow-based AS33993) remain routed and idle. The recent activity skews toward database and ICS/SCADA discovery = MongoDB, Redis, PostgreSQL, Oracle, LDAP, plus DNP3 and EtherNet/IP - alongside known-exploit probes like CVE-2017-17215 and WinRM.
Threat Intel: Lithuania Investigates B2B Credential Misuse Exposing 600,000 National Registry Records
The Lithuanian Prosecutor General’s Office and the Criminal Police Bureau have initiated a joint investigation into a large-scale data exfiltration incident targeting the **State Enterprise Centre of Registers**. The incident involved the unauthorized copying of over 600,000 records from the country's national Real Estate and Legal Entities Registers. Rather than exploiting an unpatched software vulnerability, the attack mechanics rely on a classic trust-boundary compromise. **The Entry Vector: Cross-Agency Credential Misuse (MITRE T1078)** Forensic tracking indicates that the threat actors executed a series of unauthorized connections originating from foreign infrastructure. The entry vector relied on valid, high-privilege B2B institutional login credentials assigned to external state departments authorized to query the central registry database. Independent statements from legislative and defense officials suggest the specific access pathway was carved out by compromising authenticated accounts belonging to the **Department of Migration under the Ministry of the Interior**. By hijacking these valid inter-agency connection points, the threat actors bypassed perimeter barriers, allowing them to issue massive queries to the backend database without triggering immediate anomaly blocks. **Exfiltration Scope & Impact Profile** The breach was initially identified by internal monitoring in early April 2026, but public disclosure was delayed due to the ongoing criminal inquiry. The exfiltrated data schemas consist of: * Full legal names, dates of birth, and unique national identification numbers. * Registered physical addresses, corporate entity structures, and detailed cadastral/property registry extracts. The Centre of Registers has confirmed that primary consumer-facing vectors - such as telephone contact details, email addresses, bank account numbers, or raw cadastral measurement files - were not part of the exfiltrated datasets. The primary operational risk is tactical intelligence gathering. Security analysts have pointed out that bulk access to unlisted residential addresses linked to legal entities can be leveraged by foreign intelligence services for target profiling, spear-phishing orchestration, or coercion of state personnel, diplomats, and military figures. **Incident Response & Remediation** Following the identification of the unauthorized bulk queries, the Centre of Registers implemented the following controls: 1. Immediate revocation and blocking of all compromised inter-agency institutional accounts. 2. Mandatory credential rotation and strict query-volume throttling across all API and web self-service gateways linked to external state dependencies. 3. The director of the Centre of Registers, Adrijus Jusas, formally stepped down on May 25 following administrative scrutiny regarding legacy IT infrastructure and monitoring gaps. While independent defense officials note the incident matches the operational signatures of state-aligned hybrid surveillance operations, official attribution from the Prosecutor General's Office remains open.
TL;DR: Visit https://sshlabs.compass-security.training to learn more about SSH security. Introduction SSH is a widely used protocol that provides secure access to remote systems. It enables encrypted communication, file transfers, command execution and shell access for system administration. However, when misconfigured, poorly secured or used in an unsafe way, SSH can become an attack vector for attackers. When we perform Linux hardening or infrastructure reviews , we often see that SSH is not used securel