Threat actors are exploiting a recently patched security flaw impacting Gravity SMTP, a WordPress plugin that's installed on about 100,000 sites. The vulnerability, tracked as CVE-2026-4020 (CVSS score: 5.3), is a medium-severity information disclosure flaw that can allow unauthenticated attackers to extract sensitive data, such as configuration data, API keys, secrets, and OAuth tokens
Cybersecurity News and Vulnerability Aggregator
Cybersecurity news aggregator
Updated: 10:20 am
J/K Navigate / Search S Save V Open Link
— or
treemd <(curl -sL https://allsec.sh/md) (as Markdown) Top Cybersecurity Stories Today
Plus: Gay bars in San Francisco using face scanners, France quits Palantir, Apple plans to change its private email, and more.
Security researchers at Paradigm Shift have published a working exploit, dubbed usbliter8, that achieves arbitrary code execution inside the SecureROM of Apple's A12 and A13 chips. That code is burned into the silicon at manufacture. No software update can reach it. Affected devices will carry this flaw for as long as they stay in use. This is not a remote attack. It requires
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday urged Fortinet customers with FortiGate appliances to take steps to secure against ongoing malicious activity aimed at thousands of internet-accessible devices. The sweeping campaign, believed to be the work of Russian-speaking threat actors, has been codenamed FortiBleed. The number of compromised devices stands at
Everyone's writing code with AI agents today. But the moment an agent needs to deploy something — and needs to sign up and create an account — it slams face-first into a wall built for humans: a browser-based OAuth flow, a dashboard to click through, an API token to copy-paste, a multi-factor authentication prompt to satisfy. For an interactive copilot sitting next to a developer, that's annoying. For a background agent, it's a hard stop. Today we're rolling out Temporary Cloudflare Accounts for Agents. Agents can now deploy websites , APIs , and agents right away, without first needing to sign up for an account. Any agent can now run wrangler deploy --temporary and deploy a Worker to Cloudflare. This temporary deployment stays live for 60 minutes, during which time you can claim the temporary account, making it permanently your own. If you don't, it expires on its own. Our goal? Let your agent code and ship. Why frictionless deployments matter for AI agents Frictionless temporary accounts matter more than it might first seem: Background AI sessions have no human in the loop, and are becoming the norm . Any auth step that needs a browser, a copy-paste, or "click here in 60 seconds" means an agent gets stuck and may choose to d
Latest
Sunday, June 21
Hi community, ​ We are developing an open source remote mobile forensics tool called MESH. We're actively in development and looking for alpha testers. If you need to get logical forensics data off a android device for investigation, this can speed up your acquisition and investigation timeline. ​ Thanks! ​ https://github.com/BARGHEST-ngo/MESH
Choosing the right Linux security tools for ethical hackers is the difference between a clean assessment and a production incident. Modern security work demands a structured approach that combines reconnaissance, vulnerability identification, validation, network analysis, credential testing, and post-assessment reporting.
The cryptographic keys that secure your computer's boot sequence will start to expire on June 24. Here's what that means for you.
Saturday, June 20
[https://thecontractor.io/ms-surface-eop-system/](https://thecontractor.io/ms-surface-eop-system/)
An AI pair of eyes sitting over your shoulder, catching what you miss while you're deep in an investigation. Repo: [**https://github.com/hasamba/DFIR-Companion**](https://github.com/hasamba/DFIR-Companion) Landing page: [**https://hasamba.github.io/DFIR-Companion/**](https://hasamba.github.io/DFIR-Companion/) Demo Case: [**https://dfir-companion-production.up.railway.app/dashboard?caseId=demo**](https://dfir-companion-production.up.railway.app/dashboard?caseId=demo) Hands-on lab: [**https://killercoda.com/dfir-companion/scenario/killercoda**](https://killercoda.com/dfir-companion/scenario/killercoda) Honestly, it started out of frustration. I'm sitting on an investigation, open Velociraptor, spot an interesting lead, start digging into it, find another lead, and so on, and then suddenly I realize I completely forgot to go back to the other findings from the first artifact. The sheer amount of information you need to process during an investigation is simply more than one pair of eyes can handle, no matter how much coffee you've had. So I started building something to help myself and it ended up going somewhere I didn't expect. The original idea was a browser extension that takes screenshots every few seconds, so I could scroll back and see what I missed. Pretty dumb idea in hindsight, actually. But then the question came up: if I already have all those screenshots, why not let AI go through them while I work? And from there it exploded. Today it's a real-time dashboard that updates live as I investigate. It identifies findings, automatically builds an event timeline, extracts IOCs and enriches them from multiple sources, creating playbook that suggests what to check next, suggest hunt queries for velociraptor, run them and collect back the results, checks for data leaks, and answers the standard questions every investigation report needs: access vector, lateral movement, privilege escalation, etc. If a client confirms a finding-"that's legit, it's our weekly scan", one click and the entire analysis updates accordingly. The coolest part, to me, is that this started as a Velociraptor-specific solution but in practice became an AI layer on top of every tool I have open in the browser: SIEM, Security Onion, Splunk4DFIR, VolWeb, you name it. Even tools with no built-in AI suddenly get smarter, and all the data consolidates in one place instead of me jumping between ten tabs. Important to understand: this is NOT another detection layer. Your Sigma, YARA, and Suricata rules are already doing their job. This tool is the layer after detection-it takes all the verdicts from your tools, correlates them, and builds the "so what." The tool didn't stop at screenshots either. You can feed it almost any DFIR output and it will automatically detect the format and import it deterministically (no burning tokens on AI for that). Additional features: • Data correlation • Threat intel enrichment — with OPSEC in mind • AI input anonymization • Asset ↔ IoC graph • Targeted query generation • Export to multiple platforms • Free-form case Q&A against an LLM and much more... 📎 If you work in DFIR, Blue Team, or SOC — I'd love for you to try it out, open issues, suggest features, submit PRs, or just tell me what you think.
A new ransomware operation named 'Prinz Eugen' prioritizes recently modified files for encryption and leaves no ransom note on the system. [...]
Microsoft has attributed a recent Mastra AI supply chain attack that compromised more than 140 npm packages to the North Korean hacking group Sapphire Sleet, also known as BlueNoroff. [...]
Threat actors are exploiting a recently patched security flaw impacting Gravity SMTP, a WordPress plugin that's installed on about 100,000 sites. The vulnerability, tracked as CVE-2026-4020 (CVSS score: 5.3), is a medium-severity information disclosure flaw that can allow unauthenticated attackers to extract sensitive data, such as configuration data, API keys, secrets, and OAuth tokens
Plus: Gay bars in San Francisco using face scanners, France quits Palantir, Apple plans to change its private email, and more.
https://x.com/i/status/2066449234816065588
According to multiple sources, meal kit provider CookUnity has suffered a data breach on June 1st where customer names, emails, and addresses were accessed and being shared on a hacking forum. The situation has been reported to support by multiple people and according to at least one user they have acknowledged a "cybersecurity incident involving malicious activity" as of a few days ago with no notice to the actual users who had their information stolen. The leaked information has been available for well over 2 weeks now so I think its fair to say they have no interest even vaguely disclosing the situation to their customers. You can read more about the data breach here: [https://x.com/DarkWebInformer/status/2061580773816520924](https://x.com/DarkWebInformer/status/2061580773816520924)
Friday, June 19
Market intelligence platform Klue has publicly confirmed a recent security incident that allowed threat actors to steal OAuth tokens used to connect to customers' Salesforce environments, as the new "Icarus" extortion group publicly claims the attack. [...]
Security researchers at Paradigm Shift have published a working exploit, dubbed usbliter8, that achieves arbitrary code execution inside the SecureROM of Apple's A12 and A13 chips. That code is burned into the silicon at manufacture. No software update can reach it. Affected devices will carry this flaw for as long as they stay in use. This is not a remote attack. It requires
The Gentlemen ransomware-as-a-service (RaaS) operation is actively developing and maintaining a suite of endpoint detection and response (EDR) killers that it hands out to affiliates for impairing system defenses before deploying the encryptor. This mature portfolio of EDR-terminating tools is centered around a framework that's known as GentleKiller. "They also incorporate third-party or
The Texas Parks and Wildlife Department (TPWD) disclosed a data breach at its license system vendor that exposed personal information for more than three million individuals. [...]
Dutch law enforcement authorities, along with counterparts from Canada , Germany, and the U.S., have disrupted malicious infrastructure associated with SocGholish and cleaned up nearly 15,000 infected WordPress websites. "With these actions we deprive cybercriminals of access to infected computer systems," Maikel Rollman of the Netherlands National High Tech Crime Unit said. "This prevents
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday urged Fortinet customers with FortiGate appliances to take steps to secure against ongoing malicious activity aimed at thousands of internet-accessible devices. The sweeping campaign, believed to be the work of Russian-speaking threat actors, has been codenamed FortiBleed. The number of compromised devices stands at
A crafted MPLS packet can trigger an out-of-bounds read in mpls\_do\_error, leaking 4 bytes of adjacent kernel stack memory back in an ICMP/MPLS error response. It requires MPLS enabled, but the leak is remote and repeatable. Fixed in OpenBSD-current on 2026-06-18.
AI agents can access data, trigger workflows, deploy code, and interact with critical business systems, often with little oversight. Token Security breaks down why AI agents are becoming a new identity and governance challenge. [...]
Everyone's writing code with AI agents today. But the moment an agent needs to deploy something — and needs to sign up and create an account — it slams face-first into a wall built for humans: a browser-based OAuth flow, a dashboard to click through, an API token to copy-paste, a multi-factor authentication prompt to satisfy. For an interactive copilot sitting next to a developer, that's annoying. For a background agent, it's a hard stop. Today we're rolling out Temporary Cloudflare Accounts for Agents. Agents can now deploy websites , APIs , and agents right away, without first needing to sign up for an account. Any agent can now run wrangler deploy --temporary and deploy a Worker to Cloudflare. This temporary deployment stays live for 60 minutes, during which time you can claim the temporary account, making it permanently your own. If you don't, it expires on its own. Our goal? Let your agent code and ship. Why frictionless deployments matter for AI agents Frictionless temporary accounts matter more than it might first seem: Background AI sessions have no human in the loop, and are becoming the norm . Any auth step that needs a browser, a copy-paste, or "click here in 60 seconds" means an agent gets stuck and may choose to d
Introduction The average enterprise security team has 40 or more security tools, giving a lot of visibility into internal telemetry and asset data. But often, these tools are working in siloes, generating (overlapping) alerts and data. And yet, breach dwell times remain stubbornly long (~43 days), response windows keep closing before teams can act, and analysts burn out triaging noise instead
Microsoft has confirmed a confusing Windows bug that causes different filenames to appear in the confirmation dialog when deleting a file from the Recycle Bin. [...]
CISA has urged U.S. federal agencies to secure their systems by Sunday against a critical Splunk Enterprise vulnerability that is being exploited in attacks. [...]
The first wave of enterprise AI concern was straightforward. It was simply employees pasting sensitive data into public AI tools. Security teams responded with usage policies, domain blocks, and data loss prevention rules. That response made sense at the time. It doesn't fit the problem anymore. Shadow AI has shifted from a data leakage concern to an access control problem. The threat isn't
Salesforce has revealed that it disabled the Klue Battlecards app integration within its platform in response to a security incident impacting the competitive intelligence company on June 11, 2026. To that end, organizations will be unable to connect to Salesforce via the app until further notice, the American cloud-based software company noted in an alert published this week. "Salesforce took
A New York man faces cyberstalking charges after allegedly sharing AI-generated nude images and fabricated racist messages using fake social media profiles to harass a Georgia college student. [...]
Apple has updated its Beats Studio Buds wireless earbuds to patch a high-severity vulnerability that could be exploited by nearby hackers to eavesdrop on users. The vulnerability, tracked as CVE-2025-20701 (CVSS score: 8.8), refers to a case of incorrect authorization impacting the Airoha Bluetooth audio SDK that makes it possible to pair a Bluetooth audio device without user consent.
In the previous post we walked through WasmForge, our Go-to-WebAssembly loader that takes existing signatured Go tools and ships them as opsec-safe binaries. This approach doesn’t just apply to Go, however, as there are many languages that can compile to WebAssembly. Another language of interest to us, especially regarding legacy tools which have been over-signatured, is C#. In short, we got several GhostPack tools working through WasmForge. Rubeus and Seatbelt both run as PE binaries that pass through the same outer host which we use for Sliver, with most of their commands functioning at full parity to the original C# code. The mechanism is .NET’s NativeAOT-WASI toolchain plus a non-trivial amount of bridge code that we wrote with heavy LLM assistance. The release of this post also heralds our open-sourcing of the entire toolchain. This is also the last post in this series, so we’ll talk about the open source release at the end. If you’d like to skip ahead and try out the tool, you can grab it from github.com/praetorian-inc/wasmforge . The Most Signatured Tools on the Internet If Go tools are signatured into oblivion, C# tools are signatured and salted . Every major red team C# tool released in the last decade has a YARA rule with the project name in its title, several rules covering specific function names, and a handful of b
Thursday, June 18
The Gentlemen ransomware-as-a-service (RaaS) is actively developing and maintaining a suite of endpoint detection and response (EDR) killers to help affiliates evade detection in attacks. [...]
Leaked files show the invite-only network grades members by their money and fame, shaping who’s in, who’s out, and who pays.
The tech sector was the only industry in Synack's 2026 State of Vulnerabilities Report to get slower at remediating critical vulnerabilities—growing from 74 to 98 days while manufacturing, government, and financial services all improved. This post breaks down the technical and cultural forces driving that gap, and what it takes to close it. The post The Tech Sector’s Critical Vulnerability Paradox appeared first on Synack .
Overview Multiple vendor-signed UEFI applications are vulnerable to Secure Boot bypass via a "Bring Your Own Vulnerable Driver" (BYOVD)-style attack. If a target system trusts the affected vendor’s certificate, an attacker can exploit these applications to execute arbitrary code during the early pre-boot phase before the operating system initializes. To mitigate this risk, system administrators should apply updates to the UEFI Forbidden Signature Database (DBX) that revoke trust in the affected vendor-signed binaries, preventing these vulnerable applications from executing during the boot process. Description The Unified Extensible Firmware Interface ( UEFI ) standard defines the modern firmware architecture used to initialize hardware and transfer control to the operating system during system startup. On systems with Secure Boot enabled, UEFI applications and drivers must be cryptographically signed and verified before execution. Trust for these signatures is established through several firmware-managed databases, including the authorized signature database (DB), which commonly contains certificates from original equipment manufacturer (OEM) vendors, operating system authorities, and other supply-chain partners in the UEFI ecosystem. The UEFI shell is a command-line application that allows advanced users to interact directly with the UEFI environment to run diagnostics or special tasks prior to the operating system boot. Other UEFI applications, such as bootloaders, manage the operating system startup sequence or load specific drivers before the main OS initializes. Some of these applications possess functionalities that can manipulate system memory, modify sensitive NVRAM variables, or load raw drivers. If a vendor-signed application inadvertently exposes the
A few weeks ago, we published our initial findings from Project Glasswing , looking at what happens when you point frontier security models at an enterprise codebase. We also explored how our defensive structures adapt to protect our infrastructure and customers from threats posed by frontier AI . Since then, the AI ecosystem has continued to shift rapidly — developers who've built tightly around a single model have already experienced what happens when that model is no longer available or gets superseded by a more capable one. These market shifts only reinforce our core thesis: no matter which underlying model is leading the pack on any given day, the future of agentic workflows will not be found in standalone models, prompts, or single-agent sessions. Moving from a localized security "skill" to a continuous, fleet-wide scanning pipeline requires an architecture where models are treated as interchangeable components. Relying on a single model inherently limits defensive coverage, as the same system will tend to look at code paths through the exact same lens. To counter this, models should be frequently interchanged and cross-tested. By varying the models across the pipeline — such as using one model for initial discovery and an entirely different one for validation — we can ensure that vulnerabilities are cross-checked by distinct sets of logic. Furthermore, a true enterprise-scale harness must look beyond isolated repositories to trace vulnerabilities across cross-repo dependencies, ultimately filtering thousands of raw candidates down to a trusted, triaged queue of actionable fixes. This post serves as a practical look at how to build that model-agnostic layer, focusing on how we manage state controls, eliminate false positives, and coordinate end-to-end triage at scale. Two
For the past four years, a sprawling Android-based botnet called Popa has forced millions of consumer TV boxes to relay Internet traffic linked to advertising fraud, account takeovers, and mass data-scraping efforts. This week, researchers from multiple security firms concluded that the Popa botnet is linked to NetNut , a “residential proxy” provider operated by the publicly-traded Israeli firm Alarum Technologies Ltd [NASDAQ: ALAR]. Malicious streaming devices sold online that enroll the user’s home Internet address in a residential proxy service. Image: HUMAN Security. Popa is a massive botnet, but by all accounts it is unlike traditional botnets that enlist compromised systems in destructive activities, such as coordinating huge distributed denial-of-service attacks. Rather, Popa appears designed with a singular purpose: Implementing a persistent communications layer capable of registering a device, maintaining long-lived encrypted connections, and opening communication tunnels on demand. Experts say Popa is a plugin
F5 has released security updates to address two critical security flaws in NGINX Open Source that could be exploited to achieve code execution on affected systems. The vulnerabilities are listed below - CVE-2026-42530 (CVSS v4 score: 9.2) - A use-after-free vulnerability in the ngx_http_v3_module that could be triggered by a remote unauthenticated attacker when NGINX Open Source is
Threat actors targeting cryptocurrency wallets have been distributing clipboard-stealing malware with self-spreading capabilities and using the Tor network to conceal communication. [...]
If an autonomous AI agent interacts with your company's core intellectual property today, can your security team instantly name the person who authorized it? For most enterprises, the answer is a simple no. The rush to adopt internal AI tools has left a massive trail of administrative debt: orphaned agents (AI tools left running after their creator leaves the company) and standing privileges (
ThreatsDay Bulletin: Claude Chat Abuse, NastyC2 npm Packages, Device-Code Phishing + 25 More Stories
The internet did not break this week. It got used exactly as designed, which is worse. Searches were siphoned through shady browser add-ons. AI chat links turned into malware delivery paths. macOS attacks ran in memory and left almost nothing behind. Cloud agents looked like helpers until attackers treated them like open shells. Add exposed edge gear, poisoned packages, cash courier scams,
Introduction Merely a few years ago, when asking about the state of quantum computing or the need for Post-Quantum Cryptography (PQC), the response would usually revolve around the ongoing PQC competition that NIST had brought to life in an attempt to identify algorithms for standardization. In 2022, Cloudflare started experimenting 1 with hybrid key agreement on its production edge, though most of the world outside a handful of research labs had barely registered that any of this mattered. The core argument of that work was that organizations n
Microsoft has disclosed details of a Windows-based cryptocurrency clipper campaign codenamed CryptoBandits that has targeted users since February 2026 with clipboard-intercepting malware with self-spreading capabilities and using the Tor anonymity network to hide communication. "The clipper in this campaign relies on Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy and
Cybersecurity researchers have charted the evolution of INC from an nascent ransomware-as-a-service (RaaS) operation to one of the most prolific cybercrime groups in 2026, claiming no less than 830 victims since August 2023. "The disruption of LockBit and the shutdown of BlackCat created opportunities for INC to expand as affiliates migrated to alternative ransomware operations," Acronis
An independent PCI assessor tested Reflectiz against the new PCI DSS rules. Here is the verdict: See the full QSA assessment here → When a customer types their card number into your checkout, their browser is running far more than your code. Analytics tags, a tag manager, a support widget, a payment iframe: a modern checkout loads dozens of third-party scripts, and any one of them can be turned
Threat actors associated with the DragonForce ransomware have been observed using a custom Go-based remote access trojan (RAT) called Backdoor.Turn to conceal command-and-control (C2) traffic inside Microsoft Teams relay infrastructure. According to findings from Broadcom-owned Symantec and Carbon Black, the backdoor was deployed against a major U.S. services firm. The name of the company was
Twelve years ago this month, Cloudflare launched an ambitious project built on a simple idea: people shouldn’t be knocked offline just because someone more powerful disagrees with them. Today, Project Galileo provides free access to cybersecurity services to more than 3,400 websites belonging to journalists, human rights defenders, and other nonprofit organizations in 120 countries. We continue to believe that a better Internet is one where anyone with an idea can reach a global audience. Each year on the anniversary of Project Galileo, we announce new products, programs, and strategic partnerships. To celebrate our 12th anniversary this year, we’re publishing our first comprehensive report on cyberattacks targeting civil society, releasing case studies that explore the security needs of 16 Project Galileo participants, and announcing new project partners. Introducing a new annual report on cyberattacks against global civil society Because Project Galileo now includes 3,400 domains belonging to organizations in over 120 countries, Cloudflare has access to unique data regarding the cyber threats, attacks, and trends targeting civil society — a critical pillar of global democracy. In addition, because the Cloudflare network spans more than 335 cities in 125 countries and more than 20% of the web
Artist Morry Kolman will be livestreaming feeds of the NBA champions’ ticker-tape parade from NYC’s traffic cameras—and this time, the city’s Department of Transportation isn’t demanding he stop.
Internal Home Office tests of age-verification technology show the risks of life-altering errors. It’s moving forward anyway.
Wednesday, June 17
Worth a MalExt Report? A 2 Million-User Chrome Extension Added Give Freely/Wildlink in a 5-Day Update
I've been reversing the 2M+ user Volume Booster Chrome extension and found something interesting. Between v1.0.3 (2025-06-27) and v1.0.4 (2025-07-02), the extension added: "content_scripts": [{ "matches": ["<all_urls>"], "js": [ "vendor/GiveFreely-content.umd.js", "content-script.js" ] }] The previous version was essentially a small audio booster. The newer version introduces a Give Freely / Wildlink component that appears to support merchant detection, affiliate attribution, and donation campaigns. No new permissions were added, meaning existing users would have received the update automatically without a new Chrome permission approval prompt. I've also found the same Give Freely / Wildlink infrastructure in multiple unrelated extensions, which makes me think it's being distributed as a white-label monetization/fundraising SDK. I'm still investigating and considering whether this is worth adding to MalExt. At this point I don't have evidence of malware, credential theft, or anything overtly malicious just a significant expansion of functionality in a 2M-user extension. Curious what others think. Is this a transparency/privacy concern, or just a normal extension monetization model? Any opinions or prior research on Give Freely / Wildlink would be appreciated so i can added to [malext.io](http://malext.io)
Overview Earlier this year, a team at Praetorian was building Constantine , our automated 0-day discovery engine. I wanted to find techniques worth folding into it, so on the side I started poking at the FreeBSD kernel with Claude Code, running on Opus 4.6, which was the latest Opus model at the time. A few days of work turned up real bugs and a weekend after that produced two working exploits capable of escaping from a FreeBSD jail. This article is part of a two-part series. In part one, I will be focusing on the methodology used to uncover the identified vulnerabilities and part two will focus on the methodology we leveraged to develop and exploit the vulnerabilities. It’s been several months since I disclosed roughly eight separate vulnerabilities to the FreeBSD security team. The reality is that this is a volunteer team and they are likely overwhelmed by the sheer number of vulnerabilities being identified within FreeBSD by various security researchers leveraging large language models. Because of this, we can really only publicly discuss a single vulnerability we reported CVE-2026-3038 , a fairly straight-
Microsoft has formally disclosed that it's working to release a patch to address a Defender zero-day codenamed RoguePlanet. The vulnerability has now been assigned the CVE identifier CVE-2026-50656 (CVSS score: 7.8), with the tech giant describing it as a privilege escalation flaw. "Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender
A French-speaking attacker broke into a small French automotive business, planted a keylogger, and stole banking and email credentials. Ordinary stuff, until one move near the end. Before his command-and-control server went dark, he installed OpenSSH and Tailscale on a victim's machine, building a way back in that did not run through the C2 at all. When the Havoc server went offline the next
Adopting or migrating to a Zero Trust network architecture can be a daunting task. Before a single policy changes, teams have to recall how their network is actually built: which applications exist, their authentication and authorization constructs, how traffic flows between them, and any assumptions the current architecture makes. This hands-on process requires practitioners to decode the intent behind every security and routing policy in place. Today, we’re releasing the Cloudflare One stack, a set of skills you give to your agent to configure, deploy, and manage your Zero Trust environment for you. This toolkit is designed to help automate the process of learning an entirely new security suite and mapping your existing one into Cloudflare. Cloudflare has worked with thousands of customers through exactly this process. That repetition built expertise on where migrations stall, what questions come up every time, and what it takes to move forward. The Cloudflare One stack packages that expertise and makes it more accessible than ever. The agent gap in network security Teams are already using agents to write code, triage alerts, and automate workflows. Organizations are increasingly asking for Cloudflare-provided tooling to help agents execute on security workflows. On their own, agents are not trained on the nuances of an organization's specific network topology or vendor configurations. By providing prescriptive and authoritative guidance, organizations can layer this context into their existing toolkit to make better use of the security products they are already deploying. Cloudflare has long been the easiest-to-deploy SASE vendor in the market. The stack extends that philosophy to agents: it gives them the context, tools, and structured reasoning they need to o
Storage cost has always been a hot topic when log management discussion are on the table. In today’s enterprise ecosystems, organizations commonly ingest very high volumes of logs into their SIEM platforms from a wide range of sources, including servers, network devices, cloud environments, security tools, identity systems, and, in some cases, endpoint telemetry. To fit each enterprise’s needs,
The attacker didn't touch any Mastra source code but just added one dependency to every package: `easy-day-js` which is a clean-looking dayjs clone. The trick was in semver that is they pinned `^1.11.21` but the `latest` tag pointed to `1.11.22` which had a `postinstall` hook. You audit `1.11.21`but npm installs `1.11.22`. full details - [https://safedep.io/mastra-npm-scope-takeover-supply-chain-attack/](https://safedep.io/mastra-npm-scope-takeover-supply-chain-attack/)
Your playbooks move fast, but GreyNoise helps them move smarter. Here are five ways GreyNoise drives better decisions in SOAR.
Tuesday, June 16
The US government crackdown on Anthropic’s Claude Fable 5 and Mythos 5 hides a glaring truth: AI models with advanced hacking capabilities will soon be the norm.
TL;DR: Sulla is an open source SMB secret scanner for discovering credentials exposed in SMB shares across enterprise networks. It leverages our recently released Titus Go library, resulting in an easy-to-use, adaptable, and highly performant standalone binary. Every network penetration tester knows the struggle: reviewing network shares for sensitive material is a painful must-do. With anything more than a handful of shares, manual review quickly becomes tedious if not outright infeasible. But automated secret scanning solutions produce nearly unworkable quantities of output, with actual secrets few and far between, not to mention requiring a Windows attack box. Sulla solves this issue by combining Praetorian’s years of secrets detection innovation with a clean, user-friendly interface purpose-built for internal networks. The result is a focused SMB secret scanner that pentesters can run from any Linux box and trust to surface high-signal findings. Sulla is also integrated end-to-end in the Guard, Praetorian’s all-in-one Continuous Threat Exposure Management platform, ensuring SMB secrets are identified as they appear in your environment. How Sulla Scans SMB Shares for Secrets Sulla automatically discovers readable SMB shares, traverses their file trees, and scans their contents for secr
When we first launched DMARC Management , it was driven by a simple belief: every domain on the Internet deserves strong email authentication, and cost should never be the reason it doesn't happen. As part of our mission to help build a better Internet, we made DMARC Management available for free to every Cloudflare customer. We wanted to give everyone the tools to understand and improve their DMARC posture without needing to hire an email security consultant or parse XML report files by hand. Today, we are taking that commitment further. Cloudflare DMARC Management is now generally available, with a redesigned experience built to help you reach full DMARC enforcement as easily as possible. The DMARC Management dashboard offers a unified view of your email authentication posture. What email authentication actually does for you Every time someone receives an email "from" your domain, their email provider asks a simple question: did the real owner of this domain actually send this? Without a way to answer that question, anyone can send an email pretending to be you and your recipients will have no way to tell the difference. Email authentication is the set of DNS records that answers that question. There are four protocols that protect your domain: SPF (Sender Policy Framework) tells receiving mail servers which IP addresses and services are allowed to send email on behalf of your domain. DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to every email you send, so receiving servers can
Key findings US executives are more than four times as confident as their own practitioners that AI risk is under control, 29% to 7%. The UK gap runs the same direction, 18% to 11%. The board’s view and the team’s view aren’t the same view. ChatGPT sits in 7 in 10 IT estates and Microsoft […] The post The State of AI Risk Management in 2026 appeared first on Heimdal Security Blog .
i built an ai that caught a hacker hopping across 6 computers in the same second. then i made it prove every word.
i work in digital forensics. when a company gets hacked my job is to figure out what the attacker actually did and prove it. i built an ai to help. on a 22 computer case it caught 6 machines a hacker was hopping between in the exact same second, the kind of lateral movement youd never spot one machine at a time. it surfaced it for me to confirm, it doesnt decide anything on its own. but the part i actually care about: it cant report a finding unless it shows the exact tool output it came from. no proof, no claim. if it cant back it up, a check throws it out. you dont trust the ai, you check its work yourself. its open source and free, and it runs read only so it never touches the evidence. where it still misses things i published exactly what instead of hiding it. heres a folder of real forensic images, go try to make it spit out a wrong answer: https://sansorg.egnyte.com/fl/HhH7crTYT4JK#folder-link/HACKATHON-2026 5 min of it running, including a real screwup it catches and fixes itself: https://www.youtube.com/watch?v=jw6etogNzhY&t=70s code: https://github.com/TimothyVang/verdict-dfir tell me where it breaks, or send a fix.
In this post, we walk through different threats to Salesforce and how to detect them.
Monday, June 15
Remus Stealer is a rapidly evolving Malware-as-a-Service infostealer that emerged in 2026. Remus also shifted from Lumma's 32-bit architecture and traditional resolvers to 64-bit with EtherHiding and enhanced anti-analysis (e.g., sandbox DLL checks, PST honeypot detection). * It utilizes EtherHiding, storing C2 addresses in Ethereum smart contracts to avoid takedowns. * The malware steals credentials, browser cookies, authentication tokens, and cryptocurrency wallet data. * Session theft is one of Remus's most dangerous capabilities because it can bypass MFA by stealing active session cookies directly from browser memory. * The malware shows strong technical similarities to Lumma Stealer and may represent its evolutionary successor. * Financial services, healthcare, government, technology firms, and MSPs are particularly attractive targets. * Common infection vectors include phishing, fake software downloads, malvertising, and fake CAPTCHA campaigns, as well as SEO poisoning and fake GitHub projects to trick tech-savvy users. See whole [ANY.RUN](http://ANY.RUN) execution chain at [https://app.any.run/tasks/ae43628b-9d56-4c43-abac-fae7266c749f/](https://app.any.run/tasks/ae43628b-9d56-4c43-abac-fae7266c749f/) Check out whole malware analysis report at [https://any.run/malware-trends/remus/](https://any.run/malware-trends/remus/)
While fuzzing the Kubernetes AWS KMS provider, researchers at Syntetisk found a denial-of-service issue in aws-encryption-provider where an empty ciphertext field could trigger an unrecovered Go panic and crash the plugin process. The writeup includes root-cause analysis, crash path details, reproducer examples, impact discussion, and disclosure timeline
Today, we’re excited to share that key members of the team at Ensemble AI are joining Cloudflare to help accelerate our work in AI infrastructure and make it easier for developers to run powerful AI models efficiently at scale. Ensemble AI, founded in 2023 in San Francisco, has spent the last few years focused on one of the most important challenges in AI: making large models faster, smaller, and more cost-effective to serve, without sacrificing quality. The team has developed new approaches to model compression and efficient inference that are designed to reduce the memory, compute, and deployment overhead of large language models and multimodal architectures. As AI becomes a core part of how developers build applications, the economics of inference matter more than ever. Models are getting larger; workloads are becoming more dynamic. And customers increasingly expect AI to be available everywhere: globally distributed, fast, reliable, and affordable. Bringing the Ensemble AI team into Cloudflare strengthens our ability to make that possible. Incorporating Ensemble’s expertise The team at Ensemble AI has focused on preserving the structure inside modern AI models while reducing the cost of running them. Instead of treating model efficiency as only a quantization or hardware problem, Ensemble has explored new model building blocks that can make neural networks more compact and efficient at the architectural level. A core part of this work is NdLinear , a drop-in replacement for standard linear layers in transformer models that operates directly on multidimensional activations rather than flattening structure away. This enables models to preserve meaningful axes, such as heads, channels
London, UK, 16 June 2026 – Heimdal today published The State of AI Risk Management in 2026, a survey of 1,000 IT professionals across the United Kingdom and the United States. The report’s headline finding is a divide inside the same organizations: the closer a person sits to the day-to-day running of AI, the less […] The post Heimdal Survey: Executives Four Times More Confident About AI Risk Than the Teams Managing It appeared first on Heimdal Security Blog .
🎉 A new 13Cubed episode is up! Have you ever wondered how you can look at the USN Journal on a live and running system? In this episode, we'll dive in to see how it actually works and whether it matches what we’ve been taught. [https://www.youtube.com/watch?v=eSLHyqZlglk](https://www.youtube.com/watch?v=eSLHyqZlglk)
Rank One, whose board includes a former CIA deputy director and a former FBI science chief, supplied face recognition to Meta for internal development of its smart glasses app.
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite Light switches. How on earth is it so hard to find decent light switches?! It sounds ridiculous until you actually spend enough time looking for ones that meet two simple criteria: Aren't stateful (switch is up or down, has to be push-button) Looks good Now, I'm conscious that this is also very likely an Australian problem, more so than a European or North American one. We're pretty limited by what we get down here, and because it involves electricity, the switches here have to pass all sorts of local Aussie tests and standards. I can't just jump onto eBay or Amazon and ship a box of good ones over from the US. So we're stuck with these rubbish ones... unless you can find me something decent? Please?!
This post explores four vectors for threat actors to abuse Azure Storage to maliciously encrypt victim blobs, including step-by-step explanations and event codes for detection.
Sunday, June 14
Readers reply: Experts say we should use passkeys, but can a smartphone pin really be safer than a password?
The long-running series in which readers answer other readers’ questions on subjects ranging from trivial flights of fancy to profound scientific and philosophical concepts This week’s question: Is ‘ripen at home’ fruit the supermarkets’ idea of a joke? I’ve been struggling to get my head around the idea that a passkey, which can be a pin on your phone, or facial recognition, can be safer than using a complicated password and two-factor authentication. I get that having something unique to your device, not stored on a company’s server, is unphishable and less hackable by cybercrims, but what if your phone is nicked and someone guesses the password? And what if you lose your phone? Continue reading...