Cybersecurity News and Vulnerability Aggregator

Cybersecurity news aggregator

Top Cybersecurity Stories Today

The Hacker News 12h ago

ACR Stealer, an infostealer in circulation since 2024, is walking out of enterprise networks with saved browser passwords, live session tokens, PDFs, Microsoft 365 documents, and files from synced OneDrive and SharePoint folders. It gets in because someone pasted a command into a Run box and pressed Enter. Microsoft laid out two of the delivery chains on Thursday. Its Defender Experts team, the

Latest

Friday, July 17
Cloudflare Just now
CVE

Cloudflare has deployed new Web Application Firewall (WAF) protections for two critical vulnerabilities affecting WordPress. The protections address an Unauthenticated Remote Code Execution (RCE) vulnerability in WordPress's REST API and a related SQL Injection vulnerability. The WordPress security team disclosed the vulnerabilities to Cloudflare before public release so that we could prepare protections for customers. Cloudflare has deployed the new rules to protect all customers, including those on free and paid plans, as long as their application traffic is proxied through the Cloudflare WAF. The rules were deployed at 17:03 UTC on July 17 2026. WAF protections reduce exposure while customers update, but they are not a substitute for patching. WordPress has released fixes in version 7.0.2, with backports to affected earlier branches: 6.9.5, 6.8.6, and 7.1 Beta 2 ( see release details ). Versions earlier than 6.8 are not affected. WordPress is treating this as its highest-severity, highest-priority class of issue and is forcing automatic updates to affected sites, so most sites will be updated automatically. We still recommend confirming that you are on a patched release or the backports for your branch and follow the guidance in the official WordPress security release announcement . What you need to know The vulnerabilities affect different parts of the request path: CVE-2026-60137: SQL injection. A vulnerability in WordPress version 6.8 and later allows crafted input to alter a database query. Rating High. CVE-2026-63030: Unauthenticated remote code execution. A vulnerability in WordPress version 6.9 and later allows an unau

The Hacker News 1h ago

Eleven bytes will make an unpatched OpenSSL server set aside up to 131 KB of memory for a message that never arrives. On the glibc systems Okta tested, that memory is gone until the process restarts. OpenSSL shipped the HollowByte fix in June with no CVE, no advisory, and no changelog entry pointing at it. Okta's Red Team, which reported the denial-of-service bug and named it, published the

The Hacker News 2h ago

Cybersecurity researchers have discovered a cluster of seven malicious npm packages targeting the Vite frontend tooling ecosystem as part of a software supply chain attack. The malicious package campaign, codenamed ViteVenom by Checkmarx, marks an expansion of ChainVeil, which was observed using an "unprecedented" four-tier blockchain-based command-and-control (C2) infrastructure spanning Tron,

r/Malware 3h ago

A man from Florida got arrested, allegedly behind the PirateFI and Blockblasters Crypto stealer attacks. The second Game stole 150k from a cancer Patient. https://www.tomshardware.com/tech-industry/cyber-security/fbi-arrests-florida-man-in-steam-malware-investigaton-after-tracing-stolen-bitcoin-to-uber-eats-gift-cards

r/blueteamsec 4h ago

**What it is:** sigwood is a local, MIT-licensed CLI threat-hunting workbench for logs at rest: Zeek conn/dns, Pi-hole/dnsmasq, syslog, and AWS CloudTrail. It sits in the gap between grep and a SIEM and is built for the cold start case where you've got a directory of logs and you don't have a detection pipeline at the ready. There's no database, daemon, agent, account, or telemetry. Just `pipx install sigwood`, point it at a file or directory, and read the output. **How it detects:** Beacon detection runs in the frequency domain (FFT over connection timing) rather than time-domain interval statistics (complements RITA, not a replacement, same problem, different math). DNS anomalies (DGA/tunneling-like patterns) use HDBSCAN clustering; rare syslog events use drain3 template mining; scans and long-duration connections use plainly labeled thresholds and z-scores. Heuristics are called heuristics, not ML. Every finding names its method, and `-v` prints the evidence behind it. No opaque model, no LLM at runtime. The FFT/HDBSCAN approach follows the signal-analysis methodology from SANS SEC595. **Triage flow:** `digest` gives a factual first pass with time span, top talkers, and traffic mix orientation so you can decide where to hunt before running detectors. `hunt` runs the six detectors (beacon / dns / scan / syslog / duration / aws). `graph` replays conn/dns or Pi-hole traffic as an animated Sankey in a single self-contained HTML file (no server) with time, metric, and filter controls plus a copyable command to pivot back to a hunt. **Kicking the tires:** the repo includes a synthetic demo corpus so you can run every detector before pointing it at real logs. Python 3.11+, Linux/macOS, x86-64 and ARM including Raspberry Pi. `hunt`, `digest`, and `graph` are purely local. Only the optional Splunk/S3 convenience exporters touch the network. **Provenance:** much of the implementation is Claude Code working from specifications and Python prototypes I wrote. I've worked in security operations for 20 years; the architecture, detection logic, severity model, and test strategy are mine, I review every diff, and I maintain the code. No LLM anywhere in the tool itself. Repo: [https://github.com/helixmap/sigwood](https://github.com/helixmap/sigwood) I'd particularly value feedback from people who hunt for a living. Where do the detectors over- or under-call on real logs, and what's missing for triage.

The Hacker News 4h ago

A Go botnet called NadMesh turned up in early July hunting exposed AI services, and the operator's own dashboard claims 3,811 unique AWS keys. A Shodan harvester keeps the scan queue stocked with ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio: the image generators, local model runners, and workflow builders that teams stand up fast and firewall late. The intel feed behind that counter

The Hacker News 5h ago
APT

Cybersecurity researchers have attributed the April 2026 DigiCert security incident to a threat activity cluster dubbed CylindricalCanine. Expel, which shared technical details of the event, described the threat actor as a sub-group of GoldenEyeDog (aka APT-Q-27, Dragon Breath, and Miuuti Group), a Chinese cybercrime group known for its targeting of the gambling and gaming sectors using

r/cybersecurity 5h ago

Disclosure up front: I work on a patch-management product (TridentStack Control), and this is a free, standalone spin-off of the remediation data we already maintain. No account, nothing gated on the tool or the API. Putting it here rather than at the bottom because it should come before the pitch, not after. [tridentstack.com/cve](http://tridentstack.com/cve) Two things send me to NVD constantly, and both have gotten painful. First, the REST API has been flaky for weeks (there was a whole [r/cybersecurity](https://www.reddit.com/r/cybersecurity/) thread on it), which is rough if you script against it. Second, NVD tells you a CVE exists but not how to actually fix it. So the tool focuses on those two. For each CVE it shows the sourced remediation when one exists: the KB for Windows and Office, the fixed version for a package (npm, PyPI, Go, apt, and so on), or the Apple update train, each with a link back to the vendor advisory. When there is no published fix, it says so instead of guessing. It never fabricates a version or KB, which given how many "AI CVE" tools hallucinate fixes felt like the whole point. There is also a public API, no key and no signup (60 requests/min, no key required): * GET /api/v1/cve/CVE-2021-44228 (single CVE with remediation) * GET /api/v1/cve?kev=true&fix=true&severity=critical (filtered list) * bulk.jsonl for the whole catalog, an OSV export per CVE, and an OpenAPI 3.1 spec Quick try: curl [https://tridentstack.com/api/v1/cve/CVE-2021-44228](https://tridentstack.com/api/v1/cve/CVE-2021-44228) It is a cached read layer over NVD plus CISA KEV plus EPSS plus curated remediation sources, so it stays queryable on the days NVD's own API is having issues. That caching is also the point: freshness is bounded by our sync cadence, so it is not real-time, and I am not claiming it is fresher or more complete than NVD. The underlying data is derived from NVD. For context on why I leaned on a cached layer: since NIST's April notice about record CVE growth, roughly 80% of new CVEs now land without full CVSS/CWE/CPE enrichment, and separately about 29,000 older backlogged CVEs were reclassified as won't-be-enriched. Leaning on a single live source felt fragile. Sources are public-domain or CC and attributed on the /cve/about page. Sharing it because the "CVE exists, ok but what is the fix" gap and the NVD API flakiness are things I figure a lot of you hit too. Feedback and missing-fix reports welcome.

The Hacker News 7h ago

North Korean threat actors linked to the Contagious Interview campaign have been observed employing steganography in SVG image files to conceal malicious payloads as part of a campaign using fake job postings and coding challenges. "Any user who ran the project ended up with a four-stage payload aligned with OTTERCOOKIE: a browser credential and crypto wallet stealer, a file stealer, a

r/cybersecurity 8h ago

Hi r/cybersecurity, I'm Quincy Castro, Chief Information Security Officer at Chainguard. On July 17, I'll be here to answer your questions about software vulnerability discovery and remediation using frontier AI models like Mythos, GPT-5.4, and more. A bit about me: before Chainguard, I spent four years as CISO at Redis. Earlier in my career, I worked in various roles for the U.S. government, and later led security programs as CISO of GE Transportation and Wabtec. At Chainguard, I lead our Security and Technology organization, which puts me in the middle of a shift that's changed a lot about how our industry finds and fixes vulnerabilities. Frontier AI models can now find novel vulnerabilities in open source software at a pace that traditional review and fuzzing never matched, and creatively chain together vulnerabilities into effective attack paths. Bugs that survived years of expert scrutiny are turning up in hours. That's good news for defenders in theory, since we could be finding flaws before attackers do. In practice, it’s upending traditional approaches to vulnerability handling and inverting assumptions underpinning things like coordinated disclosure (weeks to fix, a handful of likely finders). At Chainguard, we’ve been working with organizations of all sizes to solve this problem by building [Athena](https://www.chainguard.dev/athena), an industry coalition for the coordinated defense of open source software. Athena pools vulnerability findings from frontier AI programs and other sources, builds hardened fixes under embargo, and layers in network and platform protections while fixes work their way upstream to maintainers. More than two dozen organizations are participating, and the coalition has processed tens of thousands of findings so far. Some of what I'm happy to dig into: * How security organizations can manage the deluge of vulnerabilities coming from the work of frontier models * What it takes to remediate at the speed these models discover, and where the bottlenecks really are * How the CISO role is changing in this modern security environment * What being a CISO for a company like Chainguard is actually like * Where I think this space is headed over the next year I'll be online starting at 1:00 p.m. ET to answer questions. Ask me anything! Proof: [https://imgur.com/a/81WI9lo](https://imgur.com/a/81WI9lo)

The Hacker News 9h ago

The European Commission on Thursday ordered Google to give rival AI assistants the same reach into Android that Gemini already has: the camera, the microphone, whatever is on screen, a wake word that fires with the display off, and the ability to drive other apps in the background by imitating taps and typing. Google has to ship it in the next major release, Android 18, and by 1 August 2027 at

The Hacker News 10h ago
CVE

Military forces are under increasing pressure to field autonomous capabilities faster than ever before. Across the U.S., UK, and NATO, new investment, evolving defense strategies, and accelerated acquisition pathways are transforming how capability is delivered, rewarding programs that can move from concept to operational deployment at commercial speed. Now the focus shifts to the trusted

r/cybersecurity 10h ago

Coca-Cola’s fairlife dairy business suspended U.S. production after a ransomware incident involving production-related systems, prompting the company to activate its incident response plans, notify law enforcement and begin restoring affected operations. The company said product quality and safety were not affected, and Canadian production continued uninterrupted, but it did not identify which U.S. facilities or systems were directly compromised. Coca-Cola has not disclosed whether data was stolen, files were encrypted or a ransom demand was received, and no ransomware group had publicly claimed responsibility or been attributed to the attack at the time of publication.

The Hacker News 10h ago

Armenia has held a Russian tourist named Aleksandr Ermakov in a detention center since June 28, on a U.S. extradition request for a REvil ransomware suspect named Aleksandr Ermakov. His wife, Maria Yurova, told REN TV that border officers pulled him out of the departure hall at Yerevan's Zvartnots airport, held up a phone with a photo of him off his VKontakte page, and walked him into a side

The Hacker News 12h ago

ACR Stealer, an infostealer in circulation since 2024, is walking out of enterprise networks with saved browser passwords, live session tokens, PDFs, Microsoft 365 documents, and files from synced OneDrive and SharePoint folders. It gets in because someone pasted a command into a Run box and pressed Enter. Microsoft laid out two of the delivery chains on Thursday. Its Defender Experts team, the

The Hacker News 12h ago

Cybersecurity researchers have discovered a previously undocumented malware called GoSerpent that has been put to use in cyber attacks targeting entities in Southeast Asia since late 2025 with a focus on long-term access and intelligence gathering. Russian cybersecurity company Kaspersky, which uncovered the activity in February 2026, said it was aimed at government and diplomatic entities in

Heimdal Security 13h ago

If Microsoft Defender quarantines BrowserModifier:Win32/MediaArena on one of your endpoints, the alert reads like a win. Our SOC data says treat it as a live persistence incident instead. In the case we timed, the payload finished writing its persistence 21 seconds into execution. Quarantine didn’t complete until 29 seconds. By the time the alert fired, […] The post MediaArena malvertising: why a quarantine isn’t the end of the incident appeared first on Heimdal Security Blog .

The Hacker News 15h ago

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a newly patched security flaw impacting Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by July 19, 2026. The vulnerability in question is CVE-2026-58644 (CVSS score: 9.8), a critical deserialization

r/cybersecurity 15h ago

Our research paper, co-authored with my colleagues from Astana IT University, on software supply chain attacks and preventive security measures, has been officially published in IEEE with DOI link https://doi.org/10.1109/SIST61674.2026.11596367. Its open version is available on GitHub, as it might be interesting and useful for someone to use principles of this theoretical framework, but some of materials are still rough and need polishing [https://github.com/NoyanTM/aitu-sist-2026\_research-paper/blob/main/paper/sist-2026\_paper\_word.pdf](https://github.com/NoyanTM/aitu-sist-2026_research-paper/blob/main/paper/sist-2026_paper_word.pdf). In my blog post, I already explained practical cases and national perspectives about protection against such threats, along with a new "mentality" of software usage as something tangible with associated risks [https://github.com/NoyanTM/blog/blob/main/posts/2026-05-29\_teampcp-russians-and-supply-chain-security.md](https://github.com/NoyanTM/blog/blob/main/posts/2026-05-29_teampcp-russians-and-supply-chain-security.md).

Thursday, July 16
Synack Jul 16

The EU AI Act's security requirements go beyond governance documentation and AI literacy training. High-risk AI systems need adversarial testing to prove they can withstand real attacks. Policies describe intent. Testing produces evidence. The post The EU AI Act Is Not Just a Compliance Deadline; It’s a Security Validation Challenge appeared first on Synack .

CERT/CC Jul 16
CVE

Overview A denial-of-service (DoS) vulnerability exists in some HTTP/2 server implementations that fail to adequately limit resource consumption when buffering response data under stalled flow-control conditions. A remote, unauthenticated attacker can trigger memory exhaustion and service interruption by using standard flow-control parameters such as SETTINGS_INITIAL_WINDOW_SIZE = 0 to stall outbound data for multiple simultaneous request streams. Description HTTP/2 is a widely used application-layer protocol that supports multiplexing, header compression, and flow-control mechanisms to regulate the transmission of data between web browsers and servers. Flow control is designed to prevent senders from overwhelming receivers and relies on client-advertised window sizes to determine the maximum volume of unacknowledged data that can be in transit at any given time. A client can intentionally stall outbound flow control by withholding WINDOW_UPDATE frames or by advertising SETTINGS_INITIAL_WINDOW_SIZE = 0 . In some HTTP/2 implementations, the server continues processing requests and generating complete response bodies even though it is unable to transmit them. The resulting response data remains buffered in memory, and each stalled stream retains its allocated buffer until the connection closes or a timeout occurs. An attacker can exploit this behavior by opening many simultaneous streams and requesting large resources, causing the server to accumulate large amounts of buffered response data. In environments with permissive resource limits, this can lead to excessive memory consumption, swap exhaustion, service instability, and, in severe cases, system crashes. Even under more conservative limits, the attack can exhaust worker or connection resources and de

The Hacker News Jul 16
CVE

Owen Flowers, 18, and Thalha Jubair, 20, were each sentenced to five and a half years at Woolwich Crown Court on Thursday, 16 July 2026, for the 2024 hack of Transport for London. The attack left 148 TfL systems inoperable and forced all 27,000 of the transport authority's employees into an office to get their passwords reset in person. Both the NCA and the CPS put TfL's losses and recovery

Synack Jul 16

Most security teams underestimate what it costs to build an AI pentesting solution in house. People, AI token costs, infrastructure, and compliance gaps add up faster than the initial business case accounts for, and the hidden bill usually arrives in year two. I’ve been hearing the same question from security leaders lately. They’re all asking […] The post The Hidden Costs of Building an AI Pentesting Solution appeared first on Synack .

The Hacker News Jul 16

A lot of this week’s trouble starts with something that looks close enough. A familiar repo. A useful installer. A harmless sync setting. Then the handoff goes bad, the box starts talking to someone else, and the damage moves faster than the explanation. Old bugs are back, weak defaults are earning their keep, and some attack paths are so plain they barely feel like research. Here’s the mess.

CERT/CC Jul 16

Overview A Pickle deserialization vulnerability has been discovered within the SGLang project , enabling an attacker to perform remote code execution (RCE) on the target vulnerable server. In order for an attacker to exploit this vulnerability, the expert-parallel backup subsystem must be enabled, and an attacker must have network access to the SGLang service. No patch is available at this time, and no response was obtained from the project maintainers during coordination. Description SGLang is an open-source framework for serving large language models (LLMs) and multimodal AI models, supporting models such as Qwen, DeepSeek, Mistral, and Skywork, and is compatible with OpenAI APIs. A vulnerability has been discovered within the tool and is tracked as follows: CVE-2026-14890 SGLang uses an expert-parallel backup subsystem designed to handle the large amount of compute and memory constraints associated with different model types. This system, when running, exposes a ZeroMQ PULL socket on a routable network interface that does not contain authentication or deserialization safeguards, allowing an attacker to provide a malicious pickle file that results in unauthenticated remote code execution when the feature is enabled and the service is reachable over the network. The vulnerability is caused by the ZeroMQ PULL socket in expert_backup_manager.py binding to an external IP address with no authentication, meaning that any process that can reach the endpoint can send a payload that eventually gets deserialized with Pickle. This vulner

r/netsec Jul 16

RFC 8628's device authorization grant lets a TV or CLI "poll" for login on a second screen. On Google's implementation, the entire session was transferable across browsers, the authorization server never checked that the client\_id and scope in the consent URL matched the ones the device\_code was issued for, and prompt=none turned the whole thing into a one-click, invisible account takeover.

The Hacker News Jul 16

n8n, the workflow automation platform, handed out the wrong accounts at login. On Enterprise instances configured to trust more than one external token issuer, it matched an incoming JWT to a local user on the sub claim alone and ignored iss. A valid token from issuer A carrying a sub that belongs to someone under issuer B logged you in as them. Their password never

The Hacker News Jul 16

ClickLock Stealer, a new macOS infostealer, answers a victim's refusal by killing their apps on a loop until they hand over the login password. It arrives as a command pasted into Terminal, asks for the password behind a fake system dialog, and when the victim cancels, installs two LaunchAgents and quietly exits. At the next login, Finder, the Dock, Spotlight, Terminal, Activity Monitor, and

The Guardian Jul 16
CVE

Thalha Jubair, 20, and Owen Flowers, 19, sentenced to five and a half years each for cyber-attack that cost Transport for London £39m The data of millions of commuters was stolen, Londoners were left out of pocket and 27,000 Transport for London staff were forced to reset their passwords. Over four days in 2024 a pair of teenage hackers had London’s transport network at their mercy. Thalha Jubair and Owen Flowers had burrowed into the heart of Transport for London’s IT systems and held the “keys to the kingdom”. Continue reading...

The Hacker News Jul 16

More than 20 Brazilian government websites were hijacked and turned into malware delivery channels in an active PhantomEnigma campaign uncovered by ANY.RUN, a leading provider of interactive malware analysis and threat intelligence solutions. The investigation revealed previously undocumented backdoor behavior, hidden infrastructure relationships, and multiple attack arms behind a campaign

The Hacker News Jul 16

Ask an AI agent to summarize the reviews on a product page, and a single planted review can make it click "Buy Now" instead. Ask a coding assistant to apply a maintainer's fix from a GitHub thread, and a fake comment can make it run a stranger's command on your computer. Neither trick hijacks the agent's task. Each one just corrupts the facts it trusts and lets it carry on with the job you

The Hacker News Jul 16

An advanced malware previously attributed to a China-linked threat actor has resurfaced after more than four years within a Taiwan manufacturing firm, along with a previously unreported backdoor dubbed Stupig. Daxin ("srt64.sys"), as the kernel-mode rootkit is referred to, was first documented by Broadcom-owned Symantec in March 2022, with evidence indicating its use in targeted attacks aimed

The Hacker News Jul 16

Artificial intelligence (AI) is changing offensive security, but it has not changed the standard that matters most: a finding has to be proven before it becomes useful. AI-assisted tools can read code quickly, generate payloads, summarize attack surfaces, explain unfamiliar APIs, and run repetitive testing workflows at impressive speed. That is a real advantage for security teams. It also

The Guardian Jul 16

‘Malicious actor’ obtains sensitive data including Medicare numbers, treatment details and pathology results in cyber-attack on Partnered Health Follow our Australia news live blog for latest updates Get our breaking news email , free app or daily news podcast Australians’ medical records and patient information could be sold on the hidden market, an expert has warned, after a cyber-attack at one of the nation’s biggest healthcare providers. Partnered Health revealed 21 clinics across several cities including Sydney, Melbourne and Canberra were affected when a “malicious actor” accessed its data on 23 June. Continue reading...

Wednesday, July 15
r/Malware Jul 15

Hi r/Malware, If you ever need to quickly scan a suspicious file, URL, or installed application on an Android device using VirusTotal, I have built an open-source client called Veto. It lets you run queries using your own API key directly from your mobile device. GitHub: [https://github.com/ProfessorQuantumUniverse/Veto](https://github.com/ProfessorQuantumUniverse/Veto) I am currently trying to release the app on Google Play and need to fulfill Google's closed testing period. If you would like to test this tool, please consider opting in. Steps to join: 1. Join a Google Group: [veto\_android@googlegroups.com](https://groups.google.com/g/veto_android) 2. Opt-in link: [https://play.google.com/apps/testing/com.quantum\_prof.vtscansuite](https://play.google.com/apps/testing/com.quantum_prof.vtscansuite) 3. Play Store link: [https://play.google.com/store/apps/details?id=com.quantum\_prof.vtscansuite](https://play.google.com/store/apps/details?id=com.quantum_prof.vtscansuite) Feedback from malware analysts is highly valued!

CERT/CC Jul 15
CVE

Overview A privilege escalation vulnerability exists in the tdeio64.sys driver due to an unprotected input/output control (IOCTL) dispatch routine that fails to validate the origin and permissions of user-supplied requests. An unprivileged local attacker can abuse exposed IOCTL dispatch routines [RM1.1][MB1.2]to perform arbitrary kernel memory read and write operations, ultimately obtaining NT AUTHORITY\SYSTEM privileges and compromising the security of the affected system. Description The tdeio64.sys driver distributed by Pegatron Corporation, a Taiwanese electronics manufacturer that produces motherboards and OEM components, is a Windows Driver Model (WDM) driver that provides low-level access to system I/O ports and hardware components. The driver exposes the \\.\TdeIo device interface and processes privileged IOTL requests without enforcing adequate access control or validating user-supplied memory addresses. CVE-2026-14961 By sending a crafted DeviceIoControl request, an unprivileged attacker can abuse the driver's IOCTL dispatcher to perform arbitrary kernel memory reads and writes. This capability can be used to overwrite the current process token with the SYSTEM process token, resulting in privilege escalation to NT AUTHORITY\SYSTEM . CVE-2026-14960 In addition to arbitrary kernel memory access, the driver exposes IOCTLs capable of interacting directly with hardware I/O ports. An attacker who successfully exploits these interfaces may be able to manipulate hardware resources in ways that extend beyond normal operating system protections. Impact &l

CERT/CC Jul 15

Overview Two distinct cryptographic signature verification vulnerabilities exist in Digital Bazaar node-forge, a widely used JavaScript library implementing cryptographic primitives for Node.js and browser environments. These vulnerabilities allow attackers to forge RSA (PKCS#1 v1.5) and Ed25519 signatures under specific, exploitable conditions. Description Both vulnerabilities stem from insufficient enforcement of canonical cryptographic structures during verification: in the RSA case, non-standard ASN.1 encodings and undersized padding are accepted; in the Ed25519 case, non-canonical signature scalars are not rejected. As a result, node-forge accepts signatures that appear valid internally but are rejected by industry-standard libraries such as OpenSSL and Node.js’s native crypto module. The vulnerabilities affect node-forge versions 0.1.2 through 1.3.3 for RSA-PKCS#1 v1.5, and 0.7.4 through 1.3.3 for Ed25519. Both issues were resolved in v1.4.0, released on 2026-04-05. CVE-2026-33894 arises in lib/rsa.js , where RSASSA-PKCS1-v1_5 verification accepts forged signatures due to two related flaws. First, the ASN.1 parser for DigestInfo permits non-canonical encodings—specifically, structures with more than the two required fields (algorithm OID and octet string), including attacker-controlled additional data. Second, the PKCS#1 v1.5 decoding logic fails to enforce the RFC 2313 requirement that the padding string ( PS ) must be at least 8 bytes . These combined weaknesses enable attackers to construct specially crafted signatures, particularly with low public exponents (e.g., e = 3 ), that node-forge validates successfully while standard implementations correctly reject them.

r/Malware Jul 15

# Romanian Government Cadastre (ANCPI) cyber attack A very serious ransomware attack is underway on the networks of ANCPI, Romania’s national cadastre agency. Our close monitoring of the threat actor Bytetobreach — who carried out a similar attack last month on Latvia State Forests — detected simultaneous uploads on dark web forums regarding this incident. These claims were later confirmed on ANCPI’s official website. What was described as a “small technical incident” in yesterday’s press release has suddenly been recharacterized by ANCPI itself as “the most serious technical incident in the institution’s history.” Sources : [https://www.ancpi.ro/](https://www.ancpi.ro/) (official press releases ) [https://pwnforums.st/Thread-DATABASE-RO-Thy-arss-shall-be-spanked-Romania-ANCPI](https://pwnforums.st/Thread-DATABASE-RO-Thy-arss-shall-be-spanked-Romania-ANCPI)[https://spear.cx/Thread-Selling-RO-Thy-arss-shall-be-spanked-Romania-ANCPI](https://spear.cx/Thread-Selling-RO-Thy-arss-shall-be-spanked-Romania-ANCPI)

Troy Hunt Jul 15

Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite "Build a smart home", they said. "It'll make life so much better", they said. Well, life wasn't very bloody good at 23:00 the other night after travelling 33 hours from Paris only to find the IoT doorlock batteries dead and the 9V "jump start" procedure completely failing! Eventually, the locksmith arrived and opened an old-school physical lock on another door in an alarmingly short time. So, lessons: Battery-powered locks suck and will eventually lock you out of your house Don't trust a fallback mechanism as rudimentary as "hold a 9V battery on some terminals" Always have an old school manual backup approach, AKA "a key" As I say in the video, we do have other doors that have keys, and if it weren't for the complacency we developed, we would have had one of these accessible. But alas, we didn't. The path forward is to take a deep dive into Ubiquiti's Access ecosystem , which I've flagged in the past, and by pure coincidence, I already had a meeting lined up with them to discuss just this. So, the hardware is on the way, and I'll have something entirely new to play with in the coming weeks. Stay tuned!

Tuesday, July 14
Krebs on Security Jul 14

Microsoft Corp. today released software updates to plug at least 570 security holes in its Windows operating systems and other software, almost triple the number of vulnerabilities the software giant fixed in its record-smashing Patch Tuesday release last month. Microsoft attributed the burgeoning patch counts to vulnerability discoveries aided by artificial intelligence. Nearly 60 of the bugs quashed in July’s Patch Tuesday earned a “critical” severity rating, meaning miscreants or malware could use them to seize remote control over a Windows device with little or no help from the user. Microsoft also addressed three zero-day flaws, including two that are already being exploited in the wild. Two of the zero-day weaknesses allow an attacker to elevate their user rights on a Windows system, as do approximately 250 other elevation of privilege flaws fixed this month; they include CVE-2026-56155 — an Active Directory Federation Services bug — and CVE-2026-56164 , a Microsoft Sharepoint vulnerability.

Cloudflare Jul 14

On July 3, 2026, the Albanian communications authority (AKEP), the operator of the .al country-code top-level domain (TLD) of Albania, attempted a DNSSEC key rollover. Something went wrong, resulting in DNSSEC validation failures. Any validating DNS resolver receiving these signatures was required by the DNSSEC specification to reject them and return errors to clients. That includes 1.1.1.1 , the public DNS resolver operated by Cloudflare. The .al TLD is the online home of Albanian government services, banks, and media; it ranks #191 on Cloudflare Radar's TLD ranking . Anyone trying to visit those sites, using a validating resolver, found them unreachable during the incident. The failure had the potential to affect every .al domain, regardless of where it was hosted or which authoritative nameservers served it. Just two months earlier, a similar incident struck .de , the TLD of Germany. As we described in our blog post on the incident , our response was to install a Negative Trust Anchor (NTA) for .de , temporarily suspending DNSSEC validation in 1.1.1.1 to keep domains reachable while the registry resolved the issue. We did the same for . al . NTAs restore resolution, but silently. A client receiving a response served under an NTA has no way to tell, from the response alone, that DNSSEC validation was bypassed, leaving it unable to distinguish a legitimate answer from a spoofed one. For the .al incident, 1.1.1.1 addressed that gap for the first time, returning a new Extended DNS Error (EDE) code alongside every affected res

Monday, July 13
Synack Jul 13

Most enterprises test less than a third of their attack surface, and attackers have already moved to AI-speed offense. Agentic AI closes the coverage gap, but only when paired with human expertise: an AI-first, human-validated model that secures critical infrastructure without sacrificing operational safety. The post Why the Future of Pentesting Needs Humans and Agentic AI Working Together appeared first on Synack .

Krebs on Security Jul 13

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a postmortem on a recent data leak in which a contractor published dozens of internal CISA credentials — including AWS Govcloud keys — in a public GitHub repository for almost six months before being notified by KrebsOnSecurity. Experts say the gaps identified in the agency’s initial response provide important lessons that all security teams should absorb. On May 15, 2026, the security firm GitGuardian asked for help in notifying CISA about the existence of a public GitHub repository called “Private CISA” that included 844 MB of sensitive CISA-related data. One of the exposed files, titled “importantAWStokens,” included the administrative credentials to three Amazon AWS GovCloud servers. Another file — “AWS-Workspace-Firefox-Passwords.csv” — listed plaintext usernames and passwords for dozens of internal CISA systems. CISA quickly acknowledged our initial alert, but took more than 48 hours to invalidate the AWS keys and many other important secrets leaked in the GitHub repo. In its report on the data leak , CISA said the complexities of the agency’s systems and interconnections with federal and industry partners caused its key rotation to take long

Cloudflare Jul 13
APT

Bot mitigation is an adversarial game: attackers adapt, defenders respond, and the cycle continues. At Cloudflare, we stay ahead by combining visibility across our global network with signals from the client-side environment. At the network level, we analyze over 1 trillion requests per day to understand reputation, patterns, and anomalies across more than 20% of the web. On the client side, we’ve pushed detection deeper with Cloudflare Turnstile , which has evolved from a CAPTCHA replacement to a risk-based managed challenge that adapts the amount of friction needed to verify the user is authentic. Today, Turnstile runs nearly 3 billion times per day on some of the most sensitive endpoints on the Internet, helping verify users at key moments like login, signup, and checkout. This improves protection on the most important areas of customer applications, but still leaves limited visibility into the rest of the application — how humans and bots actually interact across the full user journey. This is the visibility gap we’re closing today with our launch of Precursor . Introducing Precursor Precursor is a client-side, session-based verification system, built with privacy in mind, that uses dynamically injected JavaScript to continuously collect behavioral signals as visitors interact with your application. These signals are processed and incorporated into Cloudflare’s bot protection in real time, allowing us to continuously distinguish human traffic from automated or agentic traffic. This extends the client-side detections offered by a

Trail of Bits Jul 13
APT

We’ve added a new chapter to our Testing Handbook : a comprehensive guide to security testing Rust programs. This chapter covers the tools and techniques we use at Trail of Bits to validate the security of Rust programs and systems. fn main () {( | f: & dyn Fn ( u128 )-> Box < dyn Iterator < Item =

r/ReverseEngineering Jul 13

To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.

Saturday, July 11
r/computerforensics Jul 11

Up front: I'm an enthusiast, not a forensics professional, and this is not a validated forensics tool — it's not write-blocking, it hasn't been through any formal tool-validation, and I'm not going to pretend otherwise. I built it for reproducible file observation and I keep thinking it might be useful for first-pass triage, but the people who'd actually know are here, not where I usually hang out. So I'd rather you tell me where it falls short than nod along. ## What it does file-observer walks a directory and emits a single deterministic JSON manifest describing every file. It's read-only — it never writes to a file, never executes file content, and never modifies source. (Like any triage tool, you'd point it at a working copy or a mounted image, not originals.) The properties that made me think of this sub: - **Reproducible output.** Same bytes in → byte-identical manifest out, every run, regardless of worker count (there's a test that fails CI if a parallel scan differs from a serial one). It's determinism, not tool-validation — but the output is stable enough to diff and defend. - **SHA-256 per file**, plus identical-hash duplicate clustering across the tree. - **Content-vs-extension MIME mismatch + polyglot detection** — flags a file whose actual signature doesn't match its extension, and files that satisfy more than one format's structure. Useful for spotting renamed or disguised files. - **Metadata extraction, stdlib, bounded and never-crashing on hostile input:** image EXIF (make/model, timestamps, and GPS-presence — presence, deliberately not coordinates), video container/QuickTime capture fields (device make/model, creation dates, GPS-presence), PDF producer/creator/creation-date/encryption + a born-digital-vs-scanned/OCR provenance read, email envelopes (.eml/.msg: from/to/subject/date/message-id/attachments), and Office/OLE2 document fields. - **Structural safety flags** — has_macros (VBA), has_javascript (PDF), has_ole_objects, has_external_references. Observations, not verdicts. - **Integrity envelope** — optional HMAC-SHA256 manifest signature and a previous_manifest_checksum chain, if you want a tamper-evident record of the observation itself. - **Delta between two scans** — what was added/modified/removed since a prior manifest. Everything runs bounded and read-only, and it degrades to a per-file error record rather than crashing on a malformed or hostile file. ## Where I know it's weak (and where I don't) Honest limits: it's triage/observation, not analysis — no carving, no timeline, no registry/artifact parsing. Metadata is bounded observation, so a null means "not seen within the read window," not "not present." GPS is presence-only by design. And reproducible ≠ validated — I've oracle-checked the parsers against tools like exiftool, but that's not the same as CFTT-style validation. What I don't know is whether any of this is actually useful in a real workflow, or whether it's a toy next to the tooling you already trust. That's the question. Where would this break, mislead, or fail to matter for real casework? ## Try it pip install "file-observer[all]" Repo: https://github.com/russalo/file-observer I'd genuinely rather hear "here's why this is useless for X" than a pat on the head — I'm isolated from people who do this for a living, and that's exactly the gap I'm trying to close.

Story Overview