Attackers are hiding a data-stealing trojan inside fake exploit code aimed at the people who hunt bugs for a living. The malware, called ChocoPoC, travels in Python proof-of-concept (PoC) repositories on GitHub that claim to exploit hot new CVEs. Run one, and it quietly lifts your saved passwords, browser cookies, and files, then hands the attacker a shell on your machine. YesWeHack and
Cybersecurity News and Vulnerability Aggregator
Cybersecurity news aggregator
treemd <(curl -sL https://allsec.sh/md) (as Markdown) Top Cybersecurity Stories Today
Cybersecurity researchers have flagged a new multi-stage malware delivery attack chain that uses social engineering and Blogger pages to deliver an information stealer called PureLogs. The activity has been codenamed VEIL#DROP by Securonix. It's suspected that the initial payloads are distributed either via spear-phishing or a drive-by compromise, which occurs when an unsuspecting user lands on
A recently disclosed critical security flaw impacting Progress Kemp LoadMaster is seeing active exploitation attempts, according to an advisory from eSentire's Threat Response Unit (TRU). The Canadian cybersecurity company said it identified exploitation attempts targeting CVE-2026-8037 (CVSS score: 9.6), an operating system (OS) command injection flaw that could be exploited to achieve
Microsoft on Tuesday said it's accelerating its quantum safe security roadmap, stating technology advances in quantum computing are making it essential to replace existing encryption standards sooner than previously expected. "Advances in quantum research and development have shifted the risk horizon," Mark Russinovich, chief technology officer of Microsoft Azure, said. "We believe
Citrix on Tuesday released security updates to address multiple flaws in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that could be exploited by an attacker to facilitate arbitrary file reads or trigger a denial-of-service (DoS) condition. The vulnerabilities are listed below - CVE-2026-8451 (CVSS score: 8.8) - An insufficient input validation
Latest
We’re running Patch the Planet , an ongoing collaboration with OpenAI that pairs Trail of Bits engineers directly with more than 30 open-source projects. Its goal is to front-run a serious problem facing open-source maintainers: highly capable models like GPT-5.5-Cyber will soon create a firehose of bug reports, and OSS maintainers are already spread thin. Our plan is to point OpenAI’s latest models at real codebases, find the security bugs first, work with maintainers to patch them, and find ways to decrease the burden on maintainers in the long run. This post compiles field reports from Patch the Planet. We’ll update it as the initiative progresses with insights on model capabilities, bespoke tooling for maintainers, and industry guidance. Follow this blog for updates. Field report 1: GPT-5.5-Cyber built a custom fuzzing harness for zlib Authored by Benjamin Samuels The expertise barrier that kept bespoke fuzzing campaigns out of reach for most attackers is gone. We watched GPT-5.5-Cyber build in a single day what would have taken weeks for a skilled security researcher : harnesses across a dozen entrypoints, sanitizer and variant builds, seeds, and multiple findings currently undergoing coordinated disclosure. This particular instance focused on zlib , a widely used data format and lossless data compression software library. We pointed GPT-5.5-Cyber at the library and drove it through Codex with the /goal command, asking it to find a specific class of bugs that are critically dangerous in compression libraries. We’l
Security firm Sysdig says it has found what it believes is the first ransomware attack run from start to finish by an AI agent. Its Threat Research Team calls the operator JADEPUFFER and says a large language model handled the whole job: breaking in, stealing credentials, moving deeper into the network, then encrypting and wiping a company's production database. Ransomware has always
The recently discovered financially-motivated FortiBleed campaign has been attributed to INC and Lynx ransomware operations, indicating that the verified, stolen credentials were intended for follow-on intrusions. "An operator tied to FortiBleed's infrastructure was found actively working negotiation panels for both groups, tying mass FortiGate credential theft directly to ransomware deployment
Attackers are hiding a data-stealing trojan inside fake exploit code aimed at the people who hunt bugs for a living. The malware, called ChocoPoC, travels in Python proof-of-concept (PoC) repositories on GitHub that claim to exploit hot new CVEs. Run one, and it quietly lifts your saved passwords, browser cookies, and files, then hands the attacker a shell on your machine. YesWeHack and
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a high-severity flaw impacting Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2026-45659 (CVSS score: 8.8), is a case of remote code execution arising from the deserialization of untrusted data. The issue
While the prompt injection technique "bioshocking" deserves attention, the lack of concern showed by some of the major LLM is more worrying. Has anyone experienced similar stonewalling when reporting vulnerabilities to AI firms? [https://layerxsecurity.com/blog/bioshocking-ai-gaming-the-ai-browser-and-escaping-its-guardrails/](https://layerxsecurity.com/blog/bioshocking-ai-gaming-the-ai-browser-and-escaping-its-guardrails/)
https://www.nextgov.com/cybersecurity/2026/06/hackers-breached-dhs-information-sharing-network-people-familiar-say/414534/
Argo CD, a widely used tool for deploying software to Kubernetes, has an unpatched flaw in its repo-server component that lets an unauthenticated attacker run code, provided they can reach the component's internal network port. Synacktiv, which found the bug, says it can lead to a full cluster takeover. There is no fix and no CVE. The firm says it reported the flaw to Argo CD's maintainers in
A teenager accused of belonging to the hacking group Scattered Spider has been extradited from Finland to face U.S. charges of conspiracy, computer intrusion, and fraud, the U.S. Department of Justice announced on July 1. Peter Stokes, 19, a dual U.S. and Estonian citizen, appeared in a Chicago federal court on June 30, where a judge ordered him held in custody. Finnish police
Unknown threat actors are leveraging the ScreenConnect remote access tool as a way to deploy and execute AsyncRAT. Kaspersky said the activity is part of a "massive, multi-domain, multi-language" campaign that distributes malicious installer archives hosted on spoofed websites. These installers masquerade as popular software like OBS Studio, DNS Jumper, DS4Windows, and Bandicam, among others.
Cybersecurity researchers have flagged a new multi-stage malware delivery attack chain that uses social engineering and Blogger pages to deliver an information stealer called PureLogs. The activity has been codenamed VEIL#DROP by Securonix. It's suspected that the initial payloads are distributed either via spear-phishing or a drive-by compromise, which occurs when an unsuspecting user lands on
Adobe has released patches for multiple maximum-severity security flaws impacting Adobe ColdFusion and Adobe Campaign Classic. The ColdFusion updates "resolves critical and important vulnerabilities that could lead to arbitrary code execution, privilege escalation, arbitrary file system read, and security feature bypass," Adobe said in an alert released Tuesday. The vulnerabilities are listed
Introduction This blog post addresses the practical implications of Post-Quantum Cryptography (PQC). It examines why waiting for vendors is a high-risk strategy and why organizations must assume ownership of their own quantum-readiness efforts . It also introduces a more effective quantum-readiness playbook : a practical, risk-driven approach aimed at reducing exposure early, rather than relying on the commonly adopted inventory-first model. This is Part 2 of a two-part series and focuses on the practical implications of Post-Quantum Cryptography, including why organizations must take ownership of their own quantum-readiness journey and how a risk-driven approach can support
Two flaws in Cursor, an AI code editor, could let a single, ordinary-looking prompt break out of the editor's safety sandbox and run any command on a developer's computer. There is no click to fall for and no approval box to ignore. Cato AI Labs found the pair and named them DuneSlide. They are tracked as CVE-2026-50548 and CVE-2026-50549, both rated 9.8 out of 10 (or 9.3
A recently disclosed critical security flaw impacting Progress Kemp LoadMaster is seeing active exploitation attempts, according to an advisory from eSentire's Threat Response Unit (TRU). The Canadian cybersecurity company said it identified exploitation attempts targeting CVE-2026-8037 (CVSS score: 9.6), an operating system (OS) command injection flaw that could be exploited to achieve
Cybersecurity researchers have flagged a new malware artifact generated using DeepSeek that constructed a novel attack path combining "unrealistic browser-malware concepts with a real browser capability" to turn it into a working ransomware technique that runs entirely inside the browser on both Windows and Android devices. "This is the first documented case where a frontier AI model
Organizations have never had greater awareness of cyber risk. Yet turning that awareness into operational resilience has never been more challenging. The 2026 Bitdefender Cybersecurity Assessment confirms this is the case, as this year's findings reveal a series of surprising contradictions. Here are a few examples, based on the independent survey of 1,200 IT and cybersecurity professionals
Microsoft on Tuesday said it's accelerating its quantum safe security roadmap, stating technology advances in quantum computing are making it essential to replace existing encryption standards sooner than previously expected. "Advances in quantum research and development have shifted the risk horizon," Mark Russinovich, chief technology officer of Microsoft Azure, said. "We believe
A vulnerability in Apple’s “Hide My Email” tool lets almost anyone discover a person’s real email address that is supposed to be hidden by the feature, and Apple has failed to fix it for more than a year, according to a security researcher and 404 Media’s own tests.
A researcher found that using Anthropic’s Claude Opus 4.7, he could break into the website of Front Gate—used by every festival from Lollapalooza to Bonnaroo—and freely issue any ticket he chose.
Heimdal Launches MSP Onboarding Wizard to Help Partners Onboard Microsoft CSP Customers in 2 Minutes
COPENHAGEN, Denmark, 1 July 2026 – Heimdal today announced the launch of MSP Onboarding Wizard, a new capability that helps managed service providers onboard Microsoft Cloud Solution Provider (CSP) customers inside the Heimdal platform faster and with less manual work. Built for MSPs managing multiple Microsoft tenants, MSP Onboarding Wizard reduces customer onboarding from around […] The post Heimdal Launches MSP Onboarding Wizard to Help Partners Onboard Microsoft CSP Customers in 2 Minutes appeared first on Heimdal Security Blog .
Anthropic is putting Claude Fable 5 back online worldwide. On June 30, the U.S. Commerce Department lifted the export controls it had imposed on Fable and its more tightly controlled sibling Mythos 5 about two and a half weeks earlier. Fable 5 returns to users on Wednesday, July 1, across Claude.ai, the Claude Platform, Claude Code, and Claude Cowork. Export controls restrict who can
Cybersecurity researchers have warned of a "massive, ongoing, automated password spray attack" aimed at Microsoft's Azure command-line interface (CLI), compromising dozens of accounts in the process. The activity, per Huntress, originates from an IPv6 address range (2a0a:d683::/32) controlled by internet infrastructure provider LSHIY LLC (AS32167). "Between June 12 and June 26, the threat
ClickFix, the trick that fools people into running malware by hand, has quietly grown a back office. New research shows the malicious commands behind its fake "prove you're human" pages are now handed out by API-driven servers that give each visitor the same malware in a different disguise. The same research also turned up a new delivery method built to slip past Windows' script scanning.
Citrix on Tuesday released security updates to address multiple flaws in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that could be exploited by an attacker to facilitate arbitrary file reads or trigger a denial-of-service (DoS) condition. The vulnerabilities are listed below - CVE-2026-8451 (CVSS score: 8.8) - An insufficient input validation
Sharing new scenarios and adaptations to play the Datadog expansion pack of Backdoors & Breaches.
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite How's the view?! Back to business, it's now 8 years ago that Scott and I thought it would be a cool idea to build Why no HTTPS? We used the site to shame companies for not implementing their transport later security property, and to make it a bit of fun, we shamed by country as well. This helped people jump on the bandwagon of giving their respective countries a little "encouragement", and we hope they'll do the same now with Why no Passkeys? Following my infamous phishing incident last year , I registered the domain with the intent of building the successor for the TLS version. However, due to a combination of me having no time and Scott getting very good with Claude Code, he's now stood up this project solo and done a wonderful job of it. Go and check it out, and give those big names from your country a little push.
“Continuous” has become the most stretched word in offensive security. This guide breaks down what continuous penetration testing means, why most of the market doesn’t deliver it, and how Synack’s Sara is bringing always-on, human-validated testing to the enterprise. The post Continuous Penetration Testing: What Security Leaders Need to Know appeared first on Synack .
https://mooofin.github.io/portfolio/blog/s4nct1m0ny.html tuts for ISF from kernel DWARF. for vol as well . loginwindow plaintext credential extraction, Chainbreaker 3DES keychain decryption, and full RE of a Swift dropper using machine Hardware UUID as decryption key , ive tried to make it very less jargon and reader friendly
Hundreds of contractors working on a project for Meta pretended to be kids in order to see how other chatbots like Gemini and ChatGPT would respond to high-risk subjects, WIRED found.
Key Takeaways This case was first reported to customers in a threat brief released in July 2025 and in a public flash alert in August 2025 in partnership with Swisscom B2B CSIRT, which observed another intrusion tied to the same campaign. This report contains data from both intrusions. We plan to release a DFIR Labs […] The post From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira appeared first on The DFIR Report .
Mozilla remains committed to maintaining a secure, trustworthy, and transparent Web PKI. Today we are announcing the publication of Mozilla Root Store Policy (MRSP) version 3.1, effective July 1, 2026. While previous policy updates focused heavily on certificate revocation, automation, and operational resilience, MRSP v3.1 focuses on a different challenge: ensuring that Certification Authority (CA) operations are sufficiently transparent, understandable, and auditable. Trust in the Web PKI depends not only on technical requirements, but also on the ability of Mozilla, auditors, and the broader community to understand how CA systems are designed, operated, and assessed. MRSP v3.1 introduces new requirements intended to improve the quality of CA documentation and strengthen independent assurance of the design and effectiveness of controls that protect CA systems. Improving CP/CPS Documentation Certification Practice Statements (CPSes) and combined Certificate Policy / Certification Practice Statement documents (CP/CPSes) are among the most important public documents published by a CA. They describe how a CA conducts its operations and meets industry requirements. Over the years, we have seen significant variation in the quality, structure, and level of detail provided in CP/CPS documentation. Some documents provide extensive implementation detail, while others rely heavily on incorporation by reference or provide only high-level descriptions of CA practices. The revised policy will continue to require conformance with RFC 3647, as modified by applicable CA/Browser Forum requirements. Improvements to section 3.3 in the MRSP will establish clearer expectations regarding the content and quality of CP/CPS documentation. The new requirements emphasize that documentation must be explicit, bounded, auditable, and sufficientl
Europe’s pro-competition proposals could see Google Search and Android systems opened up. The company claims there are serious privacy flaws.
To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.
Reverse-engineering VMware's encrypted + compressed VM memory checkpoint format (vTPM "partial" encryption)
>On June 18, an international police operation seized the servers behind the fake "update your browser" pop-up, the one that has been tricking people into installing malware since 2017. They took down 106 servers and domains and scrubbed the malware off 14,971 hacked websites. >Dutch police, who led the operation, say the login details for 1.4 million websites were exposed in the process. The breach-notification service [Have I Been Pwned](https://haveibeenpwned.com/?ref=freshfromcache.com) was handed 154,000 email addresses and more than half a million passwords from the haul. Canada's federal police disinfected 2,488 computers and notified every Canadian victim they could identify. >The Netherlands, the FBI, Germany, and Canada ran it together with Europol behind them, as part of an ongoing campaign called Operation Endgame that has spent two years knocking out malware services hundreds of servers at a time. >SocGholish is tied to Evil Corp (yes, that's really their name), a Russian group that law enforcement knows well. The US, UK, and Australia have all sanctioned Evil Corp. Its alleged leader, Maksim Yakubets, carries a $5 million FBI bounty and is believed to have worked with Russian intelligence.
Plus: Former national security advisor John Bolton pleads guilty in classified-materials case, Microsoft helps take down major infostealer infrastructure, and more.
Recently I ran into a problem: I needed to analyze a VMware snapshot of a Windows 11 25H2 VM, but the VM had a vTPM, which makes VMware silently encrypt the .vmem/.vmsn/.vmss/.nvram. Volatility just couldn't find the kernel, and I couldn't find any existing tool to decrypt these files for offline analysis. So I reverse-engineered the format with the help of Claude and wrote one. It's called vmem-decrypt (pure Python): \- Recovers the data-file key from the VM password (PBKDF2 → AES-256-CBC key chain VMware labels everything "XTS-AES-256" but it's actually CBC, which trips up most people). \- Decrypts .vmem/.vmsn/.vmss/.nvram. \- Flattens the decrypted .vmem into a flat, Volatility-ready image. (VMware compresses then encrypts, so it's still in a proprietary checkpoint LZ77 layout) Workflow: pull the password hash from the .vmx (VM-Password-Extractor) → crack with hashcat (mode 27400) → feed the password to the tool → run Volatility. Full steps + format notes in the README. Tested on VMware Workstation Pro 26H1 / Win11 25H2 (build 26100), Volatility 3. Feedback welcome, especially snapshots from other VMware versions to test the format against. Repo: [https://github.com/heeeyaaaa/vmem-decrypt](https://github.com/heeeyaaaa/vmem-decrypt) (Yes, I used AI to help build this. It's tested and it works, that's what matters. Happy to walk through any part of how it works.)
Seeking feedback: Searchable index of EXIF/IPTC/XMP metadata from 720M+ public images — potentially useful for digital forensics investigations
I've been building a tool called Image-Meta and would love feedback from people who actually do forensics work, since that's one of the primary use cases I'm trying to serve well. \*\*What it does:\*\* Crawls and indexes the embedded metadata from publicly accessible images using ExifTool. Currently \~720 million images indexed with full EXIF/IPTC/XMP extraction. \*\*Forensics-relevant capabilities:\*\* \*\*Device attribution\*\* \- Search by camera serial number — link multiple images across different domains or accounts back to the same physical device \- Make/model filtering to narrow device type before drilling into serial \*\*Identity traces\*\* \- Author, copyright, rights, and description fields often contain real names, emails, and organizational affiliations that subjects didn't know were there \- Software fields can expose Photoshop/Lightroom license strings, machine names, or internal workflow metadata \*\*Timeline reconstruction\*\* \- foundDT = date we first indexed the image (earliest known appearance online) \- createDT / modifyDT = timestamps embedded in the file itself \- Useful for establishing when an image was created vs. when it first appeared publicly \*\*GPS / geospatial\*\* (Not available to public without subscription) \- Coordinate + radius search for images taken near a location \- Reverse-geocoded address search \- Many images still carry precise GPS even when uploaded to platforms that claim to strip metadata \*\*What I'm looking for feedback on:\*\* \- Are there metadata fields or query types that would make this more useful in an actual investigation workflow? \- Is the API structure (REST, Bearer token, field-level boolean search) something that integrates well with existing tooling? \- What's missing that you'd expect from a tool like this? Not trying to sell anything here — genuinely want to understand what the forensics community needs before I build more features. [https://image-meta.com](https://image-meta.com) API docs: [https://image-meta.com/api-docs](https://image-meta.com/api-docs)
Boards and CIOs are pushing security teams to build internal AI pentesting tools, but is it worth it? This piece walks through the five questions security teams should ask when deciding between build vs buy for AI pentesting. The post Considering Build vs. Buy for AI Pentesting? Top 5 Questions to Ask appeared first on Synack .
Exposed records from the private group included the personal information of a senior White House intelligence official and an active-duty special operations officer.
AI has handed hackers a resource advantage. Winning it back means spending your own resources far more precisely, and that’s the strategy we call Dynamic Defense. The principle is simple. Contain the threat just enough, for just long enough, until the risk is removed. This piece shows how that works as a five-stage loop that […] The post How Dynamic Defense shuts an attacker out without shutting down the business appeared first on Heimdal Security Blog .
The Cyber Resilience Act (CRA) is a regulation introduced by the European Union to strengthen cybersecurity requirements for products with digital elements. In simple terms, the CRA sets mandatory cybersecurity rules for hardware and software sold in the EU. This includes everything from connected devices (IoT) to operating systems and even stand-alone software. Very important, this concerns any company that wants to sell their products into the EU, regardless whether that company is based in the EU or not. The goal is to ensure that digital products placed on the EU market are secure by design and default and remain secure over time. That also means that the CRA does not stop at the launch of a product. It covers the entire lifecycle from design and development all the way through updates and vulnerability management. It also brings everyone in the product pipeline into responsibility. The CRA entered into force on 10 December 2024 , meaning it is already officially law in the EU, although most obligations are not yet applicable. The implementation is phased. From 11 September 2026 , companies will already need to comply with certain reporting obligations, particularly related to the notification of vulnerabilities and security incidents. From 11 December 2027 , the CRA will be fully applicable. Also, products with digital elements that have been placed on the market before 11 December 2027 are not subject to the CRA unless, from that date, they are subject to a substantial modification. Reporting obligations apply to all products with digital elements that have been made available on the Union market, including those already placed on the market before 11 December 2027. Preparing for the CRA is ultimately not just about interpreting legal text, but about translating regulatory expectations into concrete t
Release of GuardDog 3.0, an open-source tool to identify malicious packages, featuring a new YARA-based rules engine, a risk scoring engine, and built-in sandboxing.
We’re sharing two headline numbers as an early look at our State of Continuous Security Validation report before the full analysis lands in July. Turns out 95% of security teams discover high or critical vulnerabilities outside their scheduled testing windows—proof that cadence alone is no longer a reliable measure of coverage. The post The State of Continuous Security Validation: An Early Look at the Data appeared first on Synack .