Cybersecurity news aggregator
treemd <(curl -sL https://allsec.sh/md) (as Markdown) Time to start dropping SBOMs FEATURE Two supply chain attacks in March infected open source tools with malware and used this access to steal secrets from tens of thousands – if not more – organizations. We won't know the full blast radius for months.…
The new AI model is being heralded—and feared—as a hacker’s superweapon. Experts say its arrival is a wake-up call for developers who have long made security an afterthought.
Hackers gained access to an API for the CPUID project and changed the download links on the official website to serve malicious executables for the popular CPU-Z and HWMonitor tools. [...]
Google has made Device Bound Session Credentials (DBSC) generally available to all Windows users of its Chrome web browser, months after it began testing the security feature in open beta. The public availability is currently limited to Windows users on Chrome 146, with macOS expansion planned in an upcoming Chrome release. "This project represents a significant
Unknown threat actors have hijacked the update system for the Smart Slider 3 Pro plugin for WordPress and Joomla to push a poisoned version containing a backdoor. The incident impacts Smart Slider 3 Pro version 3.5.1.35 for WordPress, per WordPress security company Patchstack. Smart Slider 3 is a popular WordPress slider plugin with more than 800,000 active installations across its free and Pro
An international law enforcement action led by the U.K.'s National Crime Agency (NCA) has identified over 20,000 victims of cryptocurrency fraud across Canada, the United Kingdom, and the United States. [...]
In March 2025, 3 AppSec orgs were compromised in supply-chain attacks using Github Actions: * 3rd March -> **Xygeni** * 19th March -> **Aqua/Trivy** * 23rd March -> **Checkmarkx** Ctrl-Alt-Intel found TP-Link / ASUS / IOT exploitation for residential SOCKS proxy networks in March... The threat actor responsible for this also compromised Xygeni OPSEC failure -> using the same C2 authentication secret in their IOT botnet & in the Xygeni compromise [Full incident analysis](https://ctrlaltintel.com/research/ProxyPCP/)
Time to start dropping SBOMs FEATURE Two supply chain attacks in March infected open source tools with malware and used this access to steal secrets from tens of thousands – if not more – organizations. We won't know the full blast radius for months.…
Plus: Iran’s internet blackout hits the 1,000-hour mark, cryptocurrency scams result in a record amount of money stolen from Americans, and more.
From AI-generated images to restricted satellite data, the systems used to verify what’s real online are struggling to keep up.
Nearly 800 state logins surfaced in breach data, including defense and NATO-linked accounts Hungary's government has discovered the hard way that the biggest threat to national security might just be its own password choices.…
Hungarian domestic intelligence, the national police in El Salvador, and several U.S. law enforcement and police departments have been attributed to the use of an advertising-based global geolocation surveillance system called Webloc. The tool was developed by Israeli company Cobwebs Technologies and is now sold by its successor Penlink after the two firms merged in July 2023
ShinyHunters is claiming a breach of Rockstar Games, allegedly involving access to a Snowflake environment via a third-party SaaS integration. Reports suggest the attack may have leveraged stolen authentication tokens rather than a direct exploit, allowing access through trusted connections. A potential data leak has been threatened, with a deadline reportedly set for mid-April.
Check out our new spin on an old phishing technique we blogged about.
OpenAI has rolled out a new Pro subscription that costs $100 and is in line with Claude's pricing, which also has a $100 subscription, in addition to the $200 Max monthly plan. [...]
Hey guys, I built a webapp that clusters malware samples by TLSH fuzzy hash similarity and visualizes the relationships as an interactive graph. You can drop a SHA256 or TLSH hash to instantly find similar samples, see which malware family they belong to, and spot shared infrastructure (via URLhaus). Dashed edges mean two samples were distributed from the same domain. Stack: FastAPI + SQLite (updated daily via GitHub Actions from MalwareBazaar) + Cytoscape.js for the graph The database is updated daily—let me know what you'd like to see in a project like this!
The Kill Chain models how an attack succeeds. The Attack Helix models how the offensive baseline improves. The Tipping Point One person. Two AI subscriptions. Ten government agencies. 150 gigabytes of sovereign data. In December of 2025, a single unidentified operator used Anthropic’s Clau
The Blind Spot As organizations race to deploy LLM-powered chat agents, many have adopted a layered defense model: a primary chat agent handles user interactions while a secondary supervisor agent monitors contextual input (i.e., chat messages) for prompt injection attacks and policy violations. This architecture mirrors traditional security patterns like web application firewalls sitting in front of application servers. But what happens when the supervisor only watches the front door? Indirect prompt injection is a class of attack where adversarial instructions are embedded not in the user’s direct input, but in external data sources that an LLM consumes as context: profile fields, retrieved documents, tool outputs, or database records. Unlike direct prompt injection, where a user explicitly sends malicious instructions through the chat interface, indirect injection hides the payload in data that the application fetches on the user’s behalf—often from sources the system implicitly trusts. During a recent engagement targeting a multi-model AI-integrated customer service solution, our team identified a weakness in the architecture that made it susceptible to indirect prompt injection attacks. The customer service solution consisted of an AI-enabled chat agent that processed user requests and a separate supervisor agent that monitored the chat communications for adversarial instructions and manipulation, including prompts injected into data provided to the agent via the chat window. The supervisor agent was effective in consistently detecting and blocking attempts to attack or manipulate the chat agent. However, by injecting adversarial instructions into user profile fields—such as a user’s name—that the chat agent would retrieve upon request, we were able to bypass supervisor protections and trick the chat agent into misinterpreting our user’s profile data as a prompt and executing our hidden instructions. The root cause is a fundamen
The new AI model is being heralded—and feared—as a hacker’s superweapon. Experts say its arrival is a wake-up call for developers who have long made security an afterthought.
Cloudflare’s global network and backbone in 2026. Cloudflare's network recently passed a major milestone: we crossed 500 terabits per second (Tbps) of external capacity. When we say 500 Tbps, we mean total provisioned external interconnection capacity: the sum of every port facing a transit provider, private peering partner, Internet exchange, or Cloudflare Network Interconnect (CNI) port across all 330+ cities. This is not peak traffic. On any given day, our peak utilization is a fraction of that number. (The rest is our DDoS budget.) It’s a long way from where we started. In 2010, we launched from a small office above a nail salon in Palo Alto, with a single transit provider and a reverse proxy you could set up by changing two nameservers . The early days of transit and peering Our first transit provider was nLayer Communications, a network most people now know as GTT. nLayer gave us our first capacity and our first hands-on company experience in peering relationships and the careful balance between cost and performance. From there, we grew city by city : Chicago, Ashburn, San Jose, Amsterdam, Tokyo. Each new data center meant negotiating colocation contracts, pulling fiber, racking servers, and establishing peering through Internet exchanges . The Internet isn't actually a cloud, of course. It is a collection of specific rooms full
The attack surface targeted by Iranian-linked hackers in cyberattacks against U.S. critical infrastructure networks includes thousands of Internet-exposed programmable logic controllers (PLCs) manufactured by Rockwell Automation. [...]
Posted by Jiacheng Lu, Software Engineer, Google Pixel Team Google is continuously advancing the security of Pixel devices. We have been focusing on hardening the cellular baseband modem against exploitation. Recognizing the risks associated within the complex modem firmware, Pixel 9 shipped with mitigations against a range of memory-safety vulnerabilities. For Pixel 10, Google is advancing its proactive security measures further. Following our previous discussion on "Deploying Rust in Existing Firmware Codebases" , this post shares a concrete application: integrating a memory-safe Rust DNS(Domain Name System) parser into the modem firmware. The new Rust-based DNS parser significantly reduces our security risk by mitigating an entire class of vulnerabilities in a risky area, while also laying the foundation for broader adoption of memory-safe code in other areas. Here we share our experience of working on it, and hope it can inspire the use of more memory safe languages in low-level environments. Why Modem Memory Safety Can’t Wait In recent years, we have seen increasing interest in the cellular modem from attackers and security researchers. For example, Google's Project Zero gained remote code execution on Pixel modems over the Internet. Pixel modem has tens of Megabytes of executable code. Given the complexity and remote attack surface of the modem, other critical memory safety vulnerabilities may remain in t
Analysis of 1 billion CISA KEV remediation records reveal a breaking point for human-scale security. Qualys shows most critical flaws are exploited before defenders can patch them. [...]
Cybersecurity researchers have flagged yet another evolution of the ongoing GlassWorm campaign, which employs a new Zig dropper that's designed to stealthily infect all integrated development environments (IDEs) on a developer's machine. The technique has been discovered in an Open VSX extension named "specstudio.code-wakatime-activity-tracker," which masquerades as WakaTime, a
Hackers gained access to an API for the CPUID project and changed the download links on the official website to serve malicious executables for the popular CPU-Z and HWMonitor tools. [...]
I wanted to share a bit of my story in cybersecurity, because it’s probably not a typical one. Today I work with cybersecurity, vulnerabilities, and digital security research. But the detail that surprises most people is that I’m completely blind. I wasn’t always fully blind. I was born extremely premature, at only six months of gestation. There were serious complications during the birth and my survival was considered almost a miracle. Two days after I was born I needed heart surgery, and doctors discovered that my left eye was already blind because the optic pathway between the eye and the brain had not developed correctly. For a while I could still see partially with my right eye, around 80–90%. But I later developed cataracts and by the time I was nine years old I had completely lost my vision. Technology entered my life very early. I learned to read when I was three. In school I was introduced to a resource room where I discovered DOSVOX, a system created in Brazil to help blind people use computers. Even before that I loved technology. I used to play video games entirely by sound and actually won some competitions that way. When I was around ten years old I started using computers more seriously. I began building small websites and experimenting with programming. By fourteen I was studying programming more deeply. By seventeen I discovered cybersecurity and became fascinated with understanding how systems break, how vulnerabilities appear, and how attackers think. One of the biggest tools that made this possible for me is something called a screen reader. For those who don’t know, a screen reader is software that reads everything on the computer out loud. On Windows I mainly use NVDA (NonVisual Desktop Access), which is open source. Over time I even contributed to the community by developing two add-ons that improve accessibility for programs like Word, Excel, and Microsoft Teams. The path into cybersecurity wasn’t easy. Many security tools were not designed with accessibility in mind. Documentation is often very visual. Security labs and platforms sometimes assume you can see everything on the screen. So a lot of my learning process involved adapting tools, creating alternative workflows, and sometimes figuring things out in ways that weren’t originally intended. Eventually I graduated in Cyber Defense and later completed multiple postgraduate specializations in cybersecurity. Today I hold dozens of certifications and work with vulnerability research, digital security, and accessible technology. One milestone that meant a lot to me was discovering and reporting a vulnerability that became officially registered in the NVD (National Vulnerability Database) maintained by the U.S. government. As far as I know, I was the first completely blind cybersecurity professional to do that. I also wrote a book called “Digital Scams: How to Protect Yourself in the Internet Era”, published in Portuguese and English, to help people understand online fraud and protect themselves. Beyond the technical side, one of my biggest missions is promoting inclusion in cybersecurity. I truly believe people with disabilities can bring unique perspectives to the field. Security is about thinking differently about systems, risks, and failures — and diverse experiences can strengthen that. More recently I’ve been quoted in international articles discussing AI and cybersecurity risks, which was another meaningful moment for me. Not just personally, but because it shows that accessibility barriers in technology can be challenged. If my journey helps inspire even one more person with a disability to enter technology or cybersecurity, then it’s worth sharing. I’m always open to connecting with people in the security community. I’m also available to collaborate on reports, interviews, articles, podcasts, or research related to cybersecurity, accessibility in technology, AI security, and digital threats. LinkedIn: [https://www.linkedin.com/in/juan-mathews-rebello-santos-/](https://www.linkedin.com/in/juan-mathews-rebello-santos-/)
A financially motivated threat actor tracked as Storm-2755 is stealing Canadian employees' salary payments after hijacking their accounts in payroll pirate attacks. [...]
Keyloggers: A Persistent Threat Nowadays, virtually all digital services rely on logins and authentication, from email inboxes to help desks. These involve login credentials to prove identity, typically at least a username and a password. Initially, this information is confidential from a potential attacker. Whi
Four-week call for evidence intended to help shape laws aimed at devices linked to crime The UK government is seeking views on radiofrequency jammers as it prepares legislation to ban the controversial devices.…
While much of the discussion on AI security centers around protecting ‘shadow’ AI and GenAI consumption, there's a wide-open window nobody's guarding: AI browser extensions. A new report from LayerX exposes just how deep this blind spot goes, and why AI extensions may be the most dangerous AI threat surface in your network that isn't on anyone's
Google says Gmail end-to-end encryption (E2EE) is now available on all Android and iOS devices, allowing enterprise users to read and compose emails without additional tools. [...]
Hey everyone, I’ve been working on a project to get better visibility into internal networks (homelabs/SMBs), and I looked into solutions like Wazuh, but got tired of the traditional SIEM approach. Collecting gigabytes of legitimate traffic logs, and constantly tuning out false positives felt like a massive resource drain for small environments. But i still wanted a low maintenance solution for my LAN. So, I built an open-source alternative called HoneyWire. Instead of the "magnifying glass" approach, it uses a tripwire model. If a sensor trips, it’s not a misconfiguration it’s an active threat or lateral movement. Instead of looking at everything that goes through a door, set up a fake one if something goes through it, it's an anomaly and should be looked at, or set up specific tripwire sensors on existing doors that should not be accessed normally. It's basically an alarm system for your LAN. It’s completely free and open-source. I built it to solve my own visibility problems, but I want to share it because it might solve the same problem to someone else. I would love feedback from people who have more experience then me: * **The Concept**: In your day-to-day, is a dedicated deception/tripwire hub actually useful for early-warning, or do you prefer the "collect everything" approach of a standard SIEM? * **The Sensors**: It currently has official Go binaries for Tarpits, Network Scan Detectors, ICMP Canaries, Web Router login page Decoy and File Canaries. What other sensor types are must-haves? * **The Standard**: It has a "Bring Your Own Sensor" universal JSON standard so you can write a decoy in any language and the Hub will parse it. Is this something useful or is it just a security blunder? (every official sensor is written in GO but this allows users to develop their own) * **The Gaps**: What am i missing that would prevent you from deploying this in a lab or SMB environment? Here is the GitHub repo: [https://github.com/andreicscs/HoneyWire](https://github.com/andreicscs/HoneyWire) Roast the architecture, the backend, the UI, or the core concept. I'd rather know where the blind spots are now. Thanks!
Cut through the noise and understand the real risks, responsibilities, and responses shaping enterprise AI today. Webinar Promo 2025 was the year of AI experimentation. In 2026, the bills are coming due. AI adoption has moved from isolated pilots to autonomous, enterprise wide deployment, bringing with it a sophisticated new generation of security challenges.…
Google has made Device Bound Session Credentials (DBSC) generally available to all Windows users of its Chrome web browser, months after it began testing the security feature in open beta. The public availability is currently limited to Windows users on Chrome 146, with macOS expansion planned in an upcoming Chrome release. "This project represents a significant
A critical security vulnerability in Marimo, an open-source Python notebook for data science and analysis, has been exploited within 10 hours of public disclosure, according to findings from Sysdig. The vulnerability in question is CVE-2026-39987 (CVSS score: 9.3), a pre-authenticated remote code execution vulnerability impacting all versions of Marimo prior to and including
Unknown threat actors have hijacked the update system for the Smart Slider 3 Pro plugin for WordPress and Joomla to push a poisoned version containing a backdoor. The incident impacts Smart Slider 3 Pro version 3.5.1.35 for WordPress, per WordPress security company Patchstack. Smart Slider 3 is a popular WordPress slider plugin with more than 800,000 active installations across its free and Pro
GreyNoise uncovers a concentrated RDP scanning campaign, revealing infrastructure patterns, rapid traffic shifts that impact detection, and recommendations for defenders.
A new Lua-based malware, called LucidRook, is being used in spear-phishing campaigns targeting non-governmental organizations and universities in Taiwan. [...]
Threat actors using a previously undocumented phishing-as-a-service (PhaaS) platform called "VENOM" are targeting credentials of C-suite executives across multiple industries. [...]
Dutch healthcare software vendor ChipSoft has been impacted by a ransomware attack that forced the company to take offline its website and digital services for patients and healthcare providers. [...]
Cops bust latest scam, return $12m to bilked victims US, UK, and Canadian law enforcement Thursday said that they disrupted a $45 million global cryptocurrency scam, freezing $12 million in stolen funds and identifying more than 20,000 cryptocurrency wallet addresses linked to fraud victims across 30 countries.…
Anthropic’s Mythos announcement marks a genuine inflection point in the threat landscape. And for those of us who have spent careers watching it evolve, this one feels different. Building a reliable working exploit used to take a skilled attacker the better part of a year. With AI-powered offensive tooling, we’re looking at potentially days. That […] The post Mythos Changes Everything: Why Your Entire Attack Surface Is Now at Risk appeared first on Synack .
Details have emerged about a now-patched security vulnerability in a widely used third-party Android software development kit (SDK) called EngageLab SDK that could have put millions of cryptocurrency wallet users at risk. "This flaw allows apps on the same device to bypass Android security sandbox and gain unauthorized access to private data," the Microsoft Defender
Possible link to Mr. Raccoon's claimed Adobe break-in A new extortion crew has targeted “several dozen high-value” corporations through phishing and helpdesk social-engineering, according to Google.…
Posted by Ben Ackerman, Chrome team, Daniel Rubery, Chrome team and Guillaume Ehinger, Google Account Security team Following our April 2024 announcement , Device Bound Session Credentials (DBSC) is now entering public availability for Windows users on Chrome 146, and expanding to macOS in an upcoming Chrome release. This project represents a significant step forward in our ongoing efforts to combat session theft, which remains a prevalent threat in the modern security landscape. Session theft typically occurs when a user inadvertently downloads malware onto their device. Once active, the malware can silently extract existing session cookies from the browser or wait for the user to log in to new accounts, before exfiltrating these tokens to an attacker-controlled server. Infostealer malware families, such as LummaC2, have become increasingly sophisticated at harvesting these credentials. Because cookies often have extended lifetimes, attackers can use them to gain unauthorized access to a user’s accounts without ever needing their passwords; this access is then often bundled, traded, or sold among threat actors. Crucially, once sophisticated malware has gained access to a machine, it can read the local files and memory where browsers store authentication cookies. As a result, there is no reliable way to prevent cookie exfiltration using software alone on any operating system. Historically, mitigating session theft relied on detecting the stolen credentials after the fact using a complex set of abuse heuristics – a reactive approach that persistent attackers could often circumvent. DBSC fundamentally changes the web's capability to defend against this threat by shifting the paradigm from reactive detection to proactive prevention, ensuring that successfully exfiltrated c
A previously undocumented threat cluster dubbed UAT-10362 has been attributed to spear-phishing campaigns targeting Taiwanese non-governmental organizations (NGOs) and suspected universities to deploy a new Lua-based malware called LucidRook. "LucidRook is a sophisticated stager that embeds a Lua interpreter and Rust-compiled libraries within a dynamic-link library (DLL) to download and
Hi everyone, I’m a Cybersecurity student at HFU in Germany and recently submitted a vulnerability to the Google VRP regarding the Google Password Manager on Android (tested on Pixel 8, Android 16). **The Issue:** When you view a cleartext password in the app and minimize it, the app fails to apply `FLAG_SECURE` or blur the background. When opening the "Recent Apps" (Task Switcher), the cleartext password is fully visible in the preview, *even though* the app actively overlays a "Enter your screen lock" biometric prompt in the foreground. It basically renders its own secondary biometric lock completely useless. **Google's Response:** Google closed the report as *Won't Fix (Intended Behavior)*. Their threat model assumes that if an attacker has physical access to an unlocked device, it's game over. **The BSI Discrepancy:** What makes this interesting is that the German Federal Office for Information Security (BSI) recently published a study on Password Managers. In their Threat Model A02 ("Attacker has temporary access to the unlocked device"), they explicitly mandate that sensitive content MUST be protected from background snapshots/screenshots. So while Google says this is intended, national security guidelines classify this as a vulnerability. (For comparison: The iOS built-in password manager instantly blurs the screen when losing focus). Here is my PoC screenshot: [https://drive.google.com/file/d/1PTGKRpyFj\_jY9S76Jlo62mSCDJ3c6uLO/view?usp=sharing](https://drive.google.com/file/d/1PTGKRpyFj_jY9S76Jlo62mSCDJ3c6uLO/view?usp=sharing) [https://drive.google.com/file/d/1nIJMQbM4R17EMt9f1Ffb4UmCPYY7-GXb/view?usp=sharing](https://drive.google.com/file/d/1nIJMQbM4R17EMt9f1Ffb4UmCPYY7-GXb/view?usp=sharing) What are your thoughts on this? Should password managers protect against shoulder surfing via the Task Switcher, or is Google right to rely solely on the OS lockscreen?
UK and US customers stuck waiting after fleet management SaaS vendor took affected environments offline A cybersecurity incident has knocked FleetWave into a "major outage" across the UK and US after Chevin Fleet Solutions pulled parts of its SaaS platform offline and left customers scrambling for answers.…
Overview Multiple vulnerabilities have been identified in Orthanc DICOM Server version, 1.12.10 and earlier, that affect image decoding and HTTP request handling components. These vulnerabilities include heap buffer overflows, out-of-bounds reads, and resource exhaustion vulnerabilities that may allow attackers to crash the server, leak memory contents, or potentially execute arbitrary code. Description Orthanc is an open-source lightweight Digital Imaging and Communications in Medicine (DICOM) server used to store, process, and retrieve medical imaging data in healthcare environments. The following nine vulnerabilities identified in Orthanc primarily stem from unsafe arithmetic operations, missing bounds checks, and insufficient validation of attacker-controlled metadata in DICOM files and HTTP requests. CVE-2026-5437 An out-of-bounds read vulnerability exists in DicomStreamReader during DICOM meta-header parsing. When processing malformed metadata structures, the parser may read beyond the bounds of the allocated metadata buffer. Although this issue does not typically crash the server or expose data directly to the attacker, it reflects insufficient input validation in the parsing logic. CVE-2026-5438 A gzip decompression bomb vulnerability exists when Orthanc processes an HTTP request with Content-Encoding: gzip . The server does not enforce limits on decompressed size and allocates memory based on attacker-controlled compression metadata. A specially crafted gzip payload can trigger excessive memory allocation and exhaust system memory. CVE-2026-5439 A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded t
Malicious PDFs abuse legit features to harvest system data and decide which victims get a 2nd-stage payload Hackers have been quietly exploiting what appears to be a zero-day in Adobe Acrobat Reader for months, using booby-trapped PDFs to profile targets and decide who's worth fully compromising.…
No emails, no warnings, no humans – just bots, catch-22s, and a 60-day appeals queue Microsoft says that it will work on how it communicates with developers after two leading open source figures were suddenly locked out of their accounts, leaving them unable to sign updates.…
Wash your mouth out with digital soap Apple Intelligence, the personal AI system integrated into newer Macs, iPhones, and other iThings, can be hijacked using prompt injection, forcing the model into producing an attacker-controlled result and putting millions of users at risk, researchers have shown.…
Thursday. Another week, another batch of things that probably should've been caught sooner but weren't. This one's got some range — old vulnerabilities getting new life, a few "why was that even possible" moments, attackers leaning on platforms and tools you'd normally trust without thinking twice. Quiet escalations more than loud zero-days, but the kind that matter more in
Attackers slipped into the process and redirected funds, leaving the company scrambling to recover the cash UK-listed oil and gas outfit Zephyr Energy plc has admitted a cyber incident siphoned off roughly £700,000 after a single payment to a contractor was quietly redirected to an attacker-controlled account.…
As AI tools become more accessible, employees are adopting them without formal approval from IT and security teams. While these tools may boost productivity, automate tasks, or fill gaps in existing workflows, they also operate outside the visibility of security teams, bypassing controls and creating new blind spots in what is known as shadow AI. While similar to the phenomenon of
We added a new chapter to our Testing Handbook: a comprehensive security checklist for C and C++ code . We’ve identified a broad range of common bug classes, known footguns, and API gotchas across C and C++ codebases and organized them into sections covering Linux, Windows, and seccomp. Whereas other handbook chapters focus on static and dynamic analysis, this chapter offers a strong basis for manual code review. LLM enthusiasts rejoice: we’re also developing a Claude skill based on this new chapter. It will turn the checklist into bug-finding prompts that an LLM can run against a codebase, and it’ll be platform and threat-model aware. Be sure to give it a try when we release it. And after reading the chapter, you can test your C/C++ review skills against two challenges at the end of this post. Be in the first 10 to submit correct answers to win Trail of Bits swag! What’s in the chapter The chapter covers five areas: general bug classes, Linux usermode and kernel, Windows usermode and kernel, and seccomp/BPF sandboxes. It starts with language-level issues in the bug classes section—memory safety, integer errors, type confusion, compiler-introduced bugs—and gets progressively more environment-specific. The Linux usermode section focuses on libc gotchas. This section is also applicable to most POSIX systems. It ranges from well-known problems with string methods, to somewhat less known caveats around privilege dropping and environment variable handling. The Linux kernel is a complicated beast, and no checklist could cover even a part of its intricacies. However, our new Testing Handbook chapter can give you a starting point to bootstrap manual reviews of drivers and modules.
An apparent hack-for-hire campaign likely orchestrated by a threat actor with suspected ties to the Indian government targeted journalists, activists, and government officials across the Middle East and North Africa (MENA), according to findings from Access Now, Lookout, and SMEX. Two of the targets included prominent Egyptian journalists and government critics, Mostafa
Eurail B.V., a European travel operator that provides digital passes covering 33 national railways, says attackers stole the personal information of over 300,000 individuals in a December 2025 data breach. [...]
Political candidates are purchasing more home alarms, bulletproof vests, and other protections amid rising fears of political violence.
Even fitness equipment is vulnerable to mischief makers these days PWNED Welcome back to Pwned, the column where we share war stories from IT soldiers who shot themselves – or watched someone else shoot themselves – in the foot. Today's tale shows that even when you're setting up something as simple as fitness gear, there's no excuse for leaving security credentials lying around.…
The time is maybe Quantum computing exists in a sort of superposition with regard to cryptography – it's both a pending threat and a technology of no immediate consequence for decryption.…
A look at how Kubernetes CVE-2020-8562 allows attackers to bypass API server proxy protections using DNS rebinding
Public blockchains solved settlement. They didn't solve privacy. Institutions need to protect positions, counterparty relationships, and transaction amounts without abandoning transparency entirely - and every architecture that tried to solve this hit the same wall. Protocol-level privacy locks everything. Permissioned chains recreate centralization. Separate privacy layers fragment liquidity. Stellar's answer is different. Cryptographic primitives baked into the base layer, two production-ready privacy models on top, and the institution decides what to reveal and to whom. Transparent when you want it. Private when you need it.
If they don't know what they're doing, you might never get your data back interview It's the biggest threat today, but it took her a while to appreciate it. After spending two decades at the FBI and much of that time working to intercept and stop cyber threats from the likes of China and Russia, Halcyon Ransomware Research Center SVP Cynthia Kaiser says she was a "latercomer to really wanting to focus on ransomware."…
Any\[.\]run identified a multi-stage phishing campaign using a Google Drive-themed lure and delivering Remcos RAT. Attackers place the HTML on storage\[.\]googleapis\[.\]com, abusing trusted infrastructure instead of hosting the phishing page on a newly registered domain. The chain leverages RegSvcs.exe, a legitimate signed Microsoft/.NET binary with a clean VirusTotal hash. Combined with trusted hosting, this makes reputation-based detection unreliable and lowers alert priority during triage. File reputation alone is not enough. Detection depends on behavioral analysis and sandboxing. The page mimics a Google Drive login form, collecting email, password, and OTP. After a “successful login,” the victim is prompted to download Bid-Packet-INV-Document.js, triggering a multi-stage delivery chain: S (WSH launcher + time-based evasion) -> VBS Stage 1 (download + hidden execution) -> VBS Stage 2 (%APPDATA%\\WindowsUpdate + Startup persistence) -> DYHVQ.ps1 (loader orchestration) -> ZIFDG.tmp (obfuscated PE / Remcos payload) -> Textbin-hosted obfuscated .NET loader (in-memory via Assembly.Load) -> %TEMP%\\RegSvcs.exe hollowing/injection -> Partially fileless Remcos + C2 Analysis session: [https://app.any.run/tasks/0efd1390-c17a-49ce-baef-44b5bd9c4a97](https://app.any.run/tasks/0efd1390-c17a-49ce-baef-44b5bd9c4a97/?utm_source=reddit) TI Lookup query: [domainName:www.freepnglogos.com and domainName:storage.googleapis.com and threatLevel:malicious](https://intelligence.any.run/analysis/lookup?utm_source=reddit#%7B%22query%22:%22domainName:%5C%22www.freepnglogos.com%5C%22%20and%20domainName:%5C%22storage.googleapis.com%5C%22%20and%20threatLevel:%5C%22malicious%5C%22%22,%22dateRange%22:30%7D) IOCs Phishing URLs: hxxps://storage\[.\]googleapis\[.\]com/pa-bids/GoogleDrive.html hxxps://storage\[.\]googleapis\[.\]com/com-bid/GoogleDrive.html hxxps://storage\[.\]googleapis\[.\]com/contract-bid-0/GoogleDrive.html hxxps://storage\[.\]googleapis\[.\]com/in-bids/GoogleDrive.html hxxp://storage\[.\]googleapis\[.\]com/out-bid/GoogleDrive.html Credential exfiltration domains: usmetalpowders\[.\]co iseeyousmile9\[.\]com Credential exfiltration path: /1a/uh.php Malware staging host: brianburkeauction\[.\]com Source: r/ANYRUN
In Lebanon, nearly 1 in 5 people has been displaced by Israeli attacks, leaving the government to manage a modern crisis without modern digital infrastructure.
Cybersecurity researchers have flagged a new variant ofmalware called Chaosthat'scapable of hitting misconfigured cloud deployments, marking an expansion of the botnet's targeting infrastructure. "Chaos malware is increasingly targeting misconfigured cloud deployments, expanding beyond its traditional focus on routers and edge devices," Darktrace said in a new report.
Cybersecurity researchers have lifted the curtain on a stealthy botnet that's designed for distributed denial-of-service (DDoS) attacks. Called Masjesu, the botnet has been advertised via Telegram as a DDoS-for-hire service since it first surfaced in 2023. It's capable of targeting a wide range of IoT devices, such as routers and gateways, spanning multiple architectures. "Built for
The Russian threat actor known as APT28 (aka Forest Blizzard and Pawn Storm) has been linked to a fresh spear-phishing campaign targeting Ukraine and its allies to deploy a previously undocumented malware suite codenamed PRISMEX. "PRISMEX combines advanced steganography, component object model (COM) hijacking, and legitimate cloud service abuse for command-and-control," Trend Micro
Picked up a low-VT AMOS sample on March 12 worth flagging. Aligns with the recent malext variants but layers a few things we haven't seen combined before: * **Custom multi-stage decryption** (hex → ASCII → base64 via custom hash table) serving obfuscated osascript payloads at runtime — static analysis gets you almost nothing * **Anti-VM** via `system_profiler` checking for QEMU/VMware/KVM processor strings and known sandbox hardware serials, run twice before payload delivery * **Payload written to** `/bin/zsh` **child process iteratively via** `write()` **loop** — no plaintext payload on disk * **300+ crypto extension IDs** targeted + full desktop wallet scraping * **Hardware wallet trojanization** — silently replaces Ledger, Trezor, and Exodus with adhoc-signed phishing lookalikes that harvest passwords and seed phrases to `systellis[.]com` * **Three-layer persistence**: root LaunchDaemon (`com.finder.helper`) → `~/.mainhelper` backdoor pulled from C2 → `~/.agent` polling loop that pivots backdoor execution into the active console user's context every second via `stat -f "%Su" /dev/console`
Linux malware often hides in Berkeley Packet Filter (BPF) socket programs, which are small bits of executable logic that can be embedded in the Linux kernel to customize how it processes network traffic. Some of the most persistent threats on the Internet use these filters to remain dormant until they receive a specific "magic" packet. Because these filters can be hundreds of instructions long and involve complex logical jumps, reverse-engineering them by hand is a slow process that creates a bottleneck for security researchers. To find a better way, we looked at symbolic execution: a method of treating code as a series of constraints, rather than just instructions. By using the Z3 theorem prover, we can work backward from a malicious filter to automatically generate the packet required to trigger it. In this post, we explain how we built a tool to automate this, turning hours of manual assembly analysis into a task that takes just a few seconds. The complexity ceiling Before we look at how to deconstruct malicious filters, we need to understand the engine running them. The Berkeley Packet Filter (BPF) is a highly efficient technology that allows the kernel to pull specific packets from the network stack based on a set of bytecode instructions. While many modern developers are familiar with eBPF (Extended BPF), the powerful evolution used for observability and security, this post focuses on "classic" BPF. Originally designed for tools like tcpdump, classic BPF uses a simple virtual machine with just two registers to evaluate network traffic at high speeds. Because it runs deep within the kernel and can "hide" traffic from user-space tools, it has become a favorite tool for malware authors looking to build stealthy backdoors. Creating a contextual representation of BPF instructions
The Fragmented State of Modern Enterprise Identity Enterprise IAM is approaching a breaking point. As organizations scale, identity becomes increasingly fragmented across thousands of applications, decentralized teams, machine identities, and autonomous systems. The result is Identity Dark Matter: identity activity that sits outside the visibility of centralized IAM and
Two practice web addresses appear to have been compromised Multiple domains belonging to Scottish healthcare providers have been hijacked and are now pushing links to adult content and illegal sports streams, according to a researcher.…
The North Korea-linked persistent campaign known as Contagious Interview has spread its tentacles by publishing malicious packages targeting the Go, Rust, and PHP ecosystems. "The threat actor's packages were designed to impersonate legitimate developer tooling [...], while quietly functioning as malware loaders, extending Contagious Interview’s established playbook into a coordinated
[CVE-2026-34980](https://github.com/OpenPrinting/cups/security/advisories/GHSA-4852-v58g-6cwf) and [CVE-2026-34990](https://github.com/OpenPrinting/cups/security/advisories/GHSA-c54j-2vqw-wpwp)
In Telegram groups, men are sharing thousands of nonconsensual images of women and girls, buying spyware, and engaging in doxing and sexual abuse.
President Brad Smith tells an interviewer that Microsoft is reconsidering datacenter design in light of Iran war Microsoft is reevaluating how it designs and builds datacenters in conflict-prone regions after Iran began targeting Middle Eastern bit barns in retaliation for US military operations.…
Three @`fairwords` scoped npm packages were hit today by what appears to be the TeamPCP/CanisterWorm campaign. The interesting part isn't just the credential theft, it's what it does with your npm token afterward. **What the postinstall payload does:** * Harvests environment variables matching 40+ patterns (AWS, GCP, Azure, GitHub, OpenAI, Stripe, etc.) * Reads SSH keys, `.npmrc`, `.kube/config`, Docker auth, Terraform credentials, `.git-credentials` * Steals crypto wallet data - Solana keypairs, Ethereum keystores, MetaMask LevelDB, Phantom, Exodus, Atomic Wallet * Decrypts Chrome saved passwords on Linux using the well-known hardcoded PBKDF2 key (`"peanuts"` / `"saltysalt"`) * Scans `/proc/[pid]/environ` for tokens in other running processes **Affected versions:** * `fairwords/websocket` 1.0.38 and 1.0.39 * `fairwords/loopback-connector-es` 1.4.3 and 1.4.4 * `fairwords/encryption` 0.0.5 and 0.0.6 If you have any of these installed, rotate npm tokens, cloud keys, SSH keys immediately and check whether any packages you maintain received unexpected version bumps. Full analysis with IOCs and payload walkthrough in the blog.
Iran-affiliated cyber actors are targeting internet-facing operational technology (OT) devices across critical infrastructures in the U.S., including programmable logic controllers (PLCs), cybersecurity and intelligence agencies warned Tuesday. "These attacks have led to diminished PLC functionality, manipulation of display data and, in some cases, operational disruption and financial
Cloudflare is accelerating its post-quantum roadmap. We now target 2029 to be fully post-quantum (PQ) secure including, crucially, post-quantum authentication. At Cloudflare, we believe in making the Internet private and secure by default. We started by offering free universal SSL certificates in 2014, began preparing our post-quantum migration in 2019, and enabled post-quantum encryption for all websites and APIs in 2022, mitigating harvest-now/decrypt-later attacks. While we’re excited by the fact that over 65% of human traffic to Cloudflare is post-quantum encrypted, our work is not done until authentication is also upgraded. Credible new research and rapid industry developments suggest that the deadline to migrate is much sooner than expected. This is a challenge that any organization must treat with urgency, which is why we’re expediting our own internal Q-Day readiness timeline. What happened? Last week, Google announced they had drastically improved upon the quantum algorithm to break elliptic curve cryptography, which is widely used to secure the Internet. They did not reveal the algorithm, but instead provided a zero-knowledge proof that they have one. This is not even the biggest breakthrough. That same day, Oratomic published a resource estimate for breaking RSA-2048 and P-256 on a neutral atom computer. For P-256, it only requires a shockingly low 10,000 qubits. Google’s motivatio
AI coding tools are being shipped fast. In too many cases, basic security is not keeping up. In our latest research, we found the same sandbox trust-boundary failure pattern across tools from Anthropic, Google, and OpenAI. Anthropic fixed and engaged quickly (CVE-2026-25725). Google did not ship a fix by disclosure. OpenAI closed the report as informational and did not address the core architectural issue. That gap in response says a lot about vendor security posture.
The AI lab's Project Glasswing will bring together Apple, Google, and more than 45 other organizations. They'll use the new Claude Mythos Preview model to test advancing AI cybersecurity capabilities.
The Russia-linked threat actor known as APT28 (aka Forest Blizzard) has been linked to a new campaign that has compromised insecure MikroTik and TP-Link routers and modified their settings to turn them into malicious infrastructure under their control as part of a cyber espionage campaign since at least May 2025. The large-scale exploitation campaign has been codenamed
WhatsApp’s new “Private Inference” feature represents one of the most ambitious attempts to combine end-to-end encryption with AI-powered capabilities, such as message summarization. To make this possible, Meta built a system that processes encrypted user messages inside trusted execution environments (TEEs), secure hardware enclaves designed so that not even Meta can access the plaintext. Our now-public audit , conducted before launch, identified several vulnerabilities that compromised WhatsApp’s privacy model, all of which Meta has patched. Our findings show that TEEs aren’t a silver bullet: every unmeasured input and missing validation can become a vulnerability, and to securely deploy TEEs, developers need to measure critical data, validate and never trust any unmeasured data, and test thoroughly to detect when components misbehave. The challenge of using AI with end-to-end encryption WhatsApp’s Private Processing attempts to resolve a fundamental tension: WhatsApp is end-to-end encrypted, so Meta’s servers cannot read, alter, or analyze user messages. However, if users also want to opt in to AI-powered features like message summarization, this typically requires sending plaintext data to servers for computationally expensive processing. To solve this, Meta uses TEEs based on AMD’s SEV-SNP and Nvidia’s confidential GPU platforms to process messages in a secure enclave where even Meta can’t access them or learn meaningful information about the message contents. The stakes in WhatsApp are high, as vulnerabilities could expose millions of users’ private messages. Our review identified 28 issues, including eight high-severity findings that could h
In Brief The Question Every Board Is Asking Cybersecurity environments grow more complex every year. Cloud infrastructure expands daily. New applications appear. APIs multiply. Attackers increasingly use automation and purpose-built AI tools—including offensive tools like GhostGPT—to identify weaknesses faster than security teams can remediate them. At RSA 2026, the recurring theme across the keynote stages […] The post Continuous Security Validation: Why It Matters and Why Synack Is Built for It appeared first on Synack .
This post is part of a small blog series covering common Entra ID security findings observed during real-world assessments. Each article explores selected findings in more detail to provide a clearer understanding of the underlying risks and practical implications. Part 1: Privileged Foreign Enterprise Applications Part 2: Privileged Unprotected Groups What Is Privileged Identity Management? Privileged Identity Management (PIM) is a service in Microsoft Entra ID that enables organizations to manage, control, and monitor privileged access. The main features are: Provide just-in-time privileged access Assign time-bound access and end dates Require approval or multifactor authentication to activate privileged roles Require written justification for role activation Generate notifications when privileged roles are activated A common use case is to avoid permanently assigning the Global Administrator role. Instead, users or group members are made eligible to activate the role only when needed and only for a limited period.
Obvious signs: High cpu activity without any "visible" reason. The malware creates a fake dwm.exe process. That process is additional to the original dwm.exe of Windows. It connects to a dutch vps. It hides itself from the most comon end-user used process listing methods (task manager, sysinternals process explorer, perfmon etc.). It is not detected by Windows Defender, by Malwarebytes and ESET NOD32. It can be spotted when renaming SysInternals Process Explorer executable or using a tool like System Informer. Process Explorer is unable to kill this process, while System Informer is. Based on what I see, that dmw.exe doesn't exist as file, only in memory. [The fake process](https://preview.redd.it/qp97mhlicptg1.png?width=1477&format=png&auto=webp&s=46d6df54823a7a5f62d9f35742b80588a9a0a39d) [Protected process ](https://preview.redd.it/m25ruvflcptg1.png?width=531&format=png&auto=webp&s=77de33543669aaa63ae4650f659da07ebbfb8857) [The unauthorized connection](https://preview.redd.it/tsjxbgkscptg1.png?width=544&format=png&auto=webp&s=049cd62975df2f02ba09d08fb27c6deca525f44c)
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite This week, more time than I'd have liked to spend went on talking about the trials of chasing invoices. This is off the back of a customer (who, for now, will remain unnamed), who had invoices stacking back more than 6 months overdue and despite payment terms of 30 days, paid on an average of 80 days . But as I say in this week's video, more than anything, it was the gall of the CEO to take issue with my frustrated tone rather than with their complete lack of respect for basic business etiquette and paying one's suppliers. And so, Copilot and I spent the weekend fixing up a nice little Xero integration to ensure this never happens again. If you arrive at this post sometime in the future after finding your HIBP enterprise service no longer functioning weeks after an unpaid invoice was due, at least you'll know it's not personal... and pay your damn bills!
We're launching C2 Detection — a new GreyNoise intelligence module that gives you two distinct, high-confidence signals that a device in your environment has been compromised.
Cloudflare was designed to be simple to use for even the smallest customers, but it’s also critical that it scales to meet the needs of the largest enterprises. While smaller customers might work solo or in a small team, enterprises often have thousands of users making use of Cloudflare’s developer, security, and networking capabilities. This scale can add complexity, as these users represent multiple teams and job functions. Enterprise customers often use multiple Cloudflare Accounts to segment their teams (allowing more autonomy and separation of roles), but this can cause a new set of problems for the administrators by fragmenting their controls. That’s why today, we’re launching our new Organizations feature in beta — to provide a cohesive place for administrators to manage users, configurations, and view analytics across many Cloudflare Accounts. Principle of least privilege The principle of least privilege is one of the driving factors behind enterprises using multiple accounts. While Cloudflare’s role-based access control (RBAC) system now offers fine-grained permissions for many resources, it can be cumbersome to enumerate all the resources one by one. Instead, we see enterprises use multiple accounts, so each team’s resources are managed by that team alone. This allows organic growth within the account: they can add new resources as needed, without giving Administrative control too widely. While multiple accounts are great at limiting permissions for most of the users within an organization, they complicate things for the administrators, as the administrators need to be added to every account and given the appropriate
Nonprofits run out of US Border Patrol stations are also selling other “operation”-themed coins that include a phrase popularized by the Proud Boys, potentially in violation of government rules.
With Cloudflare now supporting PQC encryption, I thought it'd be a fun experiment to see if I could encapsulate Plex traffic in a tunnel since it's not supported natively. 🤓
To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.
An elusive hacker who went by the handle “ UNKN ” and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face. Authorities in Germany say 31-year-old Russian Daniil Maksimovich Shchukin headed both cybercrime gangs and helped carry out at least 130 acts of computer sabotage and extortion against victims across the country between 2019 and 2021. Shchukin was named as UNKN (a.k.a. UNKNOWN) in an advisory published by the German Federal Criminal Police (the “Bundeskriminalamt” or BKA for short). The BKA said Shchukin and another Russian — 43-year-old Anatoly Sergeevitsch Kravchuk — extorted nearly $2 million euros across two dozen cyberattacks that caused more than 35 million euros in total economic damage. Daniil Maksimovich SHCHUKIN, a.k.a. UNKN, and Anatoly Sergeevitsch Karvchuk, alleged leaders of the GandCrab and REvil ransomware groups. Germany’s BKA said Shchukin acted as the head of one of the largest worldwide operating ransomware groups GandCrab and REvil, which pioneered the practice of double extortion — charging victims once for a key needed to unlock hacked systems, and a separate payment in exchange for a promise not to publish stolen data. Shchukin’s na
When Syrian government accounts were hijacked in March, the breach looked chaotic. But it revealed something more troubling: a state struggling with the most basic layer of cybersecurity.