Cybersecurity News and Vulnerability Aggregator

Cybersecurity news aggregator

Top Cybersecurity Stories Today

watchTowr 2h ago

We’re back, melting - we’ve tried shouting, screaming, and throwing things at the Sun, and it is just not working. Before we begin our analysis, we want to be clear - given the number of vulnerabilities fixed (and some not mentioned..), we’ve struggled to have confidence in our attribution of “vulnerability specific CVE ID”. We’ve performed some informed, uninformed, random guesses - but as usual, please resist the urge to send us emails explaining how awful/wrong we are. We know some of you can’t resist, so please rest assured that we do read them, print them, and frame our favorites each month. Like the individual who emailed us 5 times to tell us that they were older than Telnet. Given that Telnet is newer than SSH (which we replied to tell you (your follow-up emails were caught by our spam filter, sorry)), we knew you were lying to us. As always, watchTowr clients gain industry-first access to our research days before publication to validate their exposure, accompanied by Active Defense capabilities to autonomously mitigate exposure. This research is a glimpse into the capabilities that power our Preemptive Exposure Management solution and get organizations ahead of inevitable in-the-wild exploitation: the

The Hacker News 11h ago

Attackers are hiding a data-stealing trojan inside fake exploit code aimed at the people who hunt bugs for a living. The malware, called ChocoPoC, travels in Python proof-of-concept (PoC) repositories on GitHub that claim to exploit hot new CVEs. Run one, and it quietly lifts your saved passwords, browser cookies, and files, then hands the attacker a shell on your machine. YesWeHack and

The Hacker News Jul 1

Cybersecurity researchers have flagged a new multi-stage malware delivery attack chain that uses social engineering and Blogger pages to deliver an information stealer called PureLogs. The activity has been codenamed VEIL#DROP by Securonix. It's suspected that the initial payloads are distributed either via spear-phishing or a drive-by compromise, which occurs when an unsuspecting user lands on

The Hacker News Jul 1
CVE

A recently disclosed critical security flaw impacting Progress Kemp LoadMaster is seeing active exploitation attempts, according to an advisory from eSentire's Threat Response Unit (TRU). The Canadian cybersecurity company said it identified exploitation attempts targeting CVE-2026-8037 (CVSS score: 9.6), an operating system (OS) command injection flaw that could be exploited to achieve

The Hacker News Jul 1

Microsoft on Tuesday said it's accelerating its quantum safe security roadmap, stating technology advances in quantum computing are making it essential to replace existing encryption standards sooner than previously expected. "Advances in quantum research and development have shifted the risk horizon," Mark Russinovich, chief technology officer of Microsoft Azure, said. "We believe

Latest

Thursday, July 2
r/cybersecurity 1h ago

Would you guys agree there isn't much to change in our roadmap as long as the fundamentals and zero trust approach are properly addressed? I wonder how well this post will age considering the crazy censorship happening with SOTA models on cybersecurity tasks. [https://cephalosec.com/blog/cybersecurity-in-the-post-mythos-era-keep-calm-and-carry-on/](https://cephalosec.com/blog/cybersecurity-in-the-post-mythos-era-keep-calm-and-carry-on/)

Praetorian 1h ago

How we built a procedural engine that learns your real cloud environment, generates decoy environments indistinguishable from production, and converts every attacker interaction into signal. In the myth, Daedalus built the Labyrinth of Knossos so well that he nearly couldn’t escape it himself. The corridors looked real. The paths felt purposeful. And the deeper you went, the harder it became to tell which direction led out. That’s the design constraint we gave ourselves when building Knossos for Praetorian Guard: generate cloud infrastructure so realistic that an attacker who lands inside it doesn’t realize they’ve already lost. Every API call they make, every role they assume, every secret they pull from Parameter Store, all of it is being recorded, scored, and fed back into the system that built the trap. The idea isn’t new. Honeypots have existed for decades. But the gap between a traditional honeypot and what a competent attacker expects to find in a real AWS account is enormous. Drop a single canary token in an otherwise empty VPC and you’ve told the attacker two things: you’re running deception, and there’s nothing interesting here. They pivot, and you’ve burned your one shot. Knossos takes a fundamentally different approach. Rather than scattering individual lures and hoping someone trips

r/cybersecurity 3h ago

Hey all! I’m kicking around a product idea and trying to figure out if the problem is actually worth solving. The general idea is around IT/helpdesk/security impersonation. Basically, if someone reaches out to an employee claiming to be from IT or security and asks them to do something, how does that employee actually know the person is legit? I’m not selling or advertising anything, just trying to get honest feedback from people who deal with this stuff in the real world. If you work in security, IAM, IT, helpdesk, GRC, etc., I’d really appreciate it if you took a few minutes to fill this out: [https://docs.google.com/forms/d/e/1FAIpQLSdOnYbBwCmqwpCcdDPDJcKB9IkJ7Vv-MHqwYZuCG6lsE_Pyjg/viewform?usp=header](https://docs.google.com/forms/d/e/1FAIpQLSdOnYbBwCmqwpCcdDPDJcKB9IkJ7Vv-MHqwYZuCG6lsE_Pyjg/viewform?usp=header)

The Hacker News 3h ago

This week’s security news is mostly about weak spots. Browsers, bots, sandboxes, AI systems, and email flows all show the same problem in different ways. Everything looks normal until someone tests a small gap and finds a way through. This is not one big break. It is small permissions, weak checks, open systems, and normal tools doing things they were allowed to do. That same pattern runs

CERT/CC 4h ago

Overview
The GamersFirst Anti-Cheat (GFAC) driver GFAC.sys contains multiple local privilege escalation and denial-of-service vulnerabilities stemming from insecure handling of user-controlled input through a minifilter communication port. A local attacker can abuse these flaws to perform arbitrary kernel memory writes, obtain privilege escalation to SYSTEM, or trigger a system crash.
Description
GFAC is a proprietary anti-cheat software developed by video game publisher Little Orbit. GFAC includes a kernel-mode driver, GFAC_Sys_x64.sys, that exposes privileged functionality to user-mode applications through a minifilter communication port. Although these low-level interfaces are necessary for the software's operation, vulnerabilities can arise if user-mode access is not properly restricted and validated.
CVE-2026-12166: GFAC_Sys_x64.sys contains a NULL pointer dereference condition in its initialization and request handling logic. A local attacker can trigger the vulnerable code path, causing the driver to read or write to a memory address assigned as NULL. Successful exploitation results in a system crash (“blue screen of death”).
CVE-2026-12167: The minifilter communication port that GFAC_Sys_x64.sys exposes does not enforce sufficiently restrictive security descriptors. As a result, low-privileged users can establish connections to the driver and access functions intended only for trusted processes. User access to privileged functions could help an attacker take advantage of other weaknesses in the driver.
CVE-2026-12168: GFAC_Sys_x64.sys processes messages received through a minifilter communication

The Hacker News 6h ago

The threat actor known as ToddyCat has been attributed to a new malware called Umbrij that's designed to gain surreptitious access to a victim's email correspondence via the Google API. "In this campaign, the attackers focused their attention on corporate email communications hosted on Gmail, targeting access compromise via APIs," Kaspersky said in a detailed report published this week. "

r/cybersecurity 7h ago

I am a doctoral candidate at Marymount University conducting research on how artificial intelligence (AI) and augmented intelligence are perceived and utilized in cybersecurity hiring, and I would be honored to have your insights. **I am seeking the opinions of employers, hiring managers, recruiters, etc.** I know that there may be strong feelings on both sides of this topic, but that's why as an academic I want to understand it.
*About the Study* This study explores hiring managers' perspectives on integrating AI or augmented intelligence into cybersecurity recruitment processes. The goal is to understand how these tools are used to support decision-making or if they are seen as unnecessary or potentially disruptive. Your responses will provide valuable insights into current practices, opportunities, and challenges in cyber hiring.
*Eligibility Criteria* You are eligible to participate if:
* You hold a role with responsibility for cybersecurity candidate selection, such as a recruiter, hiring manager, screener, or hiring panelist.
* You are at least 21 years of age.
* You are employed by either:
  * The U.S. federal government or uniformed services, or
  * A civilian corporation, non-profit, local/county/state government, or other civilian entity in the United States.
*Survey Details* The survey is anonymous, takes approximately 20-25 minutes, and can be completed at your convenience. Your participation will provide crucial insights into the perceptions and practices of hiring managers in cybersecurity. Survey Link: [https://marymountedu.az1.qualtrics.com/jfe/form/SV_d5MzkPBECgOdYuW](https://marymountedu.az1.qualtrics.com/jfe/form/SV_d5MzkPBECgOdYuW)
*Privacy and IRB Approval* This research is approved by the Marymount University Institutional Review Board (IRB). All information you provide will remain confidential and used solely for academic purposes.
*How to Participate* Simply click on the survey link above. You’ll be asked to review an informed consent form before starting the survey. Your responses will contribute to advancing our understanding of cybersecurity workforce management.

The Hacker News 7h ago

Identity lifecycle management was architected around a person with an employment record, a manager, and a departure date. AI agents have none of those. As autonomous principals proliferate across enterprise environments, the governance model built for humans develops structural blind spots that traditional IGA tools weren't designed to detect. This guide covers where that model breaks, what it

Trail of Bits 8h ago
CVE

We’re running Patch the Planet, an ongoing collaboration with OpenAI that pairs Trail of Bits engineers directly with more than 30 open-source projects. Its goal is to front-run a serious problem facing open-source maintainers: highly capable models like GPT-5.5-Cyber will soon create a firehose of bug reports, and OSS maintainers are already spread thin. Our plan is to point OpenAI’s latest models at real codebases, find the security bugs first, work with maintainers to patch them, and find ways to decrease the burden on maintainers in the long run. We’ll publish field reports like this one as the initiative progresses; follow along via the Patch the Planet tag. The expertise barrier that kept bespoke fuzzing campaigns out of reach for most attackers is gone. We watched GPT-5.5-Cyber build in a single day what would have taken weeks for a skilled security researcher: harnesses across a dozen entrypoints, sanitizer and variant builds, seeds, and multiple findings currently undergoing coordinated disclosure. This particular instance focused on zlib, a widely used data format and lossless data compression software library. We pointed GPT-5.5-Cyber at the library and drove it through Codex with the /goal command, asking it to find a specific class of bugs that are critically dangerous in compression libraries. We’ll publish the full harness and findings for inspection once the vulnerabilities are patched and a new release is cut.
The lab GPT-5.5-Cyber built in a day
We didn’t tell the model how to find these bugs. The obvious first move is to read the source code, but zlib

The Hacker News 10h ago

Security firm Sysdig says it has found what it believes is the first ransomware attack run from start to finish by an AI agent. Its Threat Research Team calls the operator JADEPUFFER and says a large language model handled the whole job: breaking in, stealing credentials, moving deeper into the network, then encrypting and wiping a company's production database. Ransomware has always

The Hacker News 11h ago

The recently discovered financially-motivated FortiBleed campaign has been attributed to INC and Lynx ransomware operations, indicating that the verified, stolen credentials were intended for follow-on intrusions. "An operator tied to FortiBleed's infrastructure was found actively working negotiation panels for both groups, tying mass FortiGate credential theft directly to ransomware deployment

The Hacker News 13h ago
CVE

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a high-severity flaw impacting Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2026-45659 (CVSS score: 8.8), is a case of remote code execution arising from the deserialization of untrusted data. The issue

r/cybersecurity 13h ago
AI

While the prompt injection technique "bioshocking" deserves attention, the lack of concern shown by some of the major LLMs is more worrying. Has anyone experienced similar stonewalling when reporting vulnerabilities to AI firms? [https://layerxsecurity.com/blog/bioshocking-ai-gaming-the-ai-browser-and-escaping-its-guardrails/](https://layerxsecurity.com/blog/bioshocking-ai-gaming-the-ai-browser-and-escaping-its-guardrails/)

r/cybersecurity 19h ago

https://www.nextgov.com/cybersecurity/2026/06/hackers-breached-dhs-information-sharing-network-people-familiar-say/414534/

Wednesday, July 1
The Hacker News 23h ago

Argo CD, a widely used tool for deploying software to Kubernetes, has an unpatched flaw in its repo-server component that lets an unauthenticated attacker run code, provided they can reach the component's internal network port. Synacktiv, which found the bug, says it can lead to a full cluster takeover. There is no fix and no CVE. The firm says it reported the flaw to Argo CD's maintainers in

The Hacker News 23h ago

A teenager accused of belonging to the hacking group Scattered Spider has been extradited from Finland to face U.S. charges of conspiracy, computer intrusion, and fraud, the U.S. Department of Justice announced on July 1. Peter Stokes, 19, a dual U.S. and Estonian citizen, appeared in a Chicago federal court on June 30, where a judge ordered him held in custody. Finnish police

The Hacker News Jul 1
APT

Unknown threat actors are leveraging the ScreenConnect remote access tool as a way to deploy and execute AsyncRAT. Kaspersky said the activity is part of a "massive, multi-domain, multi-language" campaign that distributes malicious installer archives hosted on spoofed websites. These installers masquerade as popular software like OBS Studio, DNS Jumper, DS4Windows, and Bandicam, among others.

NVISO Labs Jul 1

Introduction
This blog post addresses the practical implications of Post-Quantum Cryptography (PQC). It examines why waiting for vendors is a high-risk strategy and why organizations must assume ownership of their own quantum-readiness efforts. It also introduces a more effective quantum-readiness playbook: a practical, risk-driven approach aimed at reducing exposure early, rather than relying on the commonly adopted inventory-first model. This is Part 2 of a two-part series and focuses on the practical implications of Post-Quantum Cryptography, including why organizations must take ownership of their own quantum-readiness journey and how a risk-driven approach can support

The Hacker News Jul 1

Two flaws in Cursor, an AI code editor, could let a single, ordinary-looking prompt break out of the editor's safety sandbox and run any command on a developer's computer. There is no click to fall for and no approval box to ignore. Cato AI Labs found the pair and named them DuneSlide. They are tracked as CVE-2026-50548 and CVE-2026-50549, both rated 9.8 out of 10 (or 9.3

The Hacker News Jul 1

Cybersecurity researchers have flagged a new malware artifact generated using DeepSeek that constructed a novel attack path combining "unrealistic browser-malware concepts with a real browser capability" to turn it into a working ransomware technique that runs entirely inside the browser on both Windows and Android devices. "This is the first documented case where a frontier AI model

The Hacker News Jul 1

Organizations have never had greater awareness of cyber risk. Yet turning that awareness into operational resilience has never been more challenging. The 2026 Bitdefender Cybersecurity Assessment confirms this is the case, as this year's findings reveal a series of surprising contradictions. Here are a few examples, based on the independent survey of 1,200 IT and cybersecurity professionals

Heimdal Security Jul 1

COPENHAGEN, Denmark, 1 July 2026 – Heimdal today announced the launch of MSP Onboarding Wizard, a new capability that helps managed service providers onboard Microsoft Cloud Solution Provider (CSP) customers inside the Heimdal platform faster and with less manual work. Built for MSPs managing multiple Microsoft tenants, MSP Onboarding Wizard reduces customer onboarding from around […] The post Heimdal Launches MSP Onboarding Wizard to Help Partners Onboard Microsoft CSP Customers in 2 Minutes appeared first on Heimdal Security Blog.

The Hacker News Jul 1

Anthropic is putting Claude Fable 5 back online worldwide. On June 30, the U.S. Commerce Department lifted the export controls it had imposed on Fable and its more tightly controlled sibling Mythos 5 about two and a half weeks earlier. Fable 5 returns to users on Wednesday, July 1, across Claude.ai, the Claude Platform, Claude Code, and Claude Cowork. Export controls restrict who can

Tuesday, June 30
watchTowr Jun 30

Well, well, well - once again, the cat has dragged us in and spat us out. Today, we find ourselves questioning the reality we sit within. Must it be so predictable, and why us? “But watchTowr, what do you mean?” Well, if you’re here, you likely fit into one of the following categories:
- A dear reader
- A group therapy accomplice
- A Groundhog Day fan club member
Why? Because we once again find ourselves talking about Citrix NetScalers. Yes, that’s right, we’ve found another excuse to create memes and mock promise rings. For those that don’t start violently retching when the phrase “Citrix NetScaler” is uttered, we have another word to whisper: “CitrixBleed”. As many know, the term CitrixBleed now refers to not a single vulnerability, but an entire class of Memory Disclosure-esque vulnerabilities in Citrix NetScaler devices, many of which have played roles in breaches and incidents in recent memory. For those new to this trauma, the following prior reading may be of interest:
- How Much More Must We Bleed? - Citrix NetScaler Memory Disclosure (CitrixBleed 2 CVE-2025-5777)
- Is It CitrixBleed4? Well, No. Is It Good? Also, No. (Citrix NetScaler Memory Leak & RXSS CVE-2025-12101)

Troy Hunt Jun 30

Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite How's the view?! Back to business, it's now 8 years ago that Scott and I thought it would be a cool idea to build Why no HTTPS? We used the site to shame companies for not implementing their transport layer security properly, and to make it a bit of fun, we shamed by country as well. This helped people jump on the bandwagon of giving their respective countries a little "encouragement", and we hope they'll do the same now with Why no Passkeys? Following my infamous phishing incident last year, I registered the domain with the intent of building the successor for the TLS version. However, due to a combination of me having no time and Scott getting very good with Claude Code, he's now stood up this project solo and done a wonderful job of it. Go and check it out, and give those big names from your country a little push.

Synack Jun 30

“Continuous” has become the most stretched word in offensive security. This guide breaks down what continuous penetration testing means, why most of the market doesn’t deliver it, and how Synack’s Sara is bringing always-on, human-validated testing to the enterprise. The post Continuous Penetration Testing: What Security Leaders Need to Know appeared first on Synack.

r/computerforensics Jun 30

https://mooofin.github.io/portfolio/blog/s4nct1m0ny.html Tutorials for ISF from kernel DWARF, for vol as well: loginwindow plaintext credential extraction, Chainbreaker 3DES keychain decryption, and a full RE of a Swift dropper using the machine Hardware UUID as the decryption key. I've tried to keep it very light on jargon and reader-friendly.

Monday, June 29
The DFIR Report Jun 29

Key Takeaways
This case was first reported to customers in a threat brief released in July 2025 and in a public flash alert in August 2025 in partnership with Swisscom B2B CSIRT, which observed another intrusion tied to the same campaign. This report contains data from both intrusions. We plan to release a DFIR Labs […] The post From Bing Search to Ransomware: Bumblebee and AdaptixC2 Deliver Akira appeared first on The DFIR Report.

Mozilla Security Jun 29

Mozilla remains committed to maintaining a secure, trustworthy, and transparent Web PKI. Today we are announcing the publication of Mozilla Root Store Policy (MRSP) version 3.1, effective July 1, 2026. While previous policy updates focused heavily on certificate revocation, automation, and operational resilience, MRSP v3.1 focuses on a different challenge: ensuring that Certification Authority (CA) operations are sufficiently transparent, understandable, and auditable. Trust in the Web PKI depends not only on technical requirements, but also on the ability of Mozilla, auditors, and the broader community to understand how CA systems are designed, operated, and assessed. MRSP v3.1 introduces new requirements intended to improve the quality of CA documentation and strengthen independent assurance of the design and effectiveness of controls that protect CA systems.
Improving CP/CPS Documentation
Certification Practice Statements (CPSes) and combined Certificate Policy / Certification Practice Statement documents (CP/CPSes) are among the most important public documents published by a CA. They describe how a CA conducts its operations and meets industry requirements. Over the years, we have seen significant variation in the quality, structure, and level of detail provided in CP/CPS documentation. Some documents provide extensive implementation detail, while others rely heavily on incorporation by reference or provide only high-level descriptions of CA practices. The revised policy will continue to require conformance with RFC 3647, as modified by applicable CA/Browser Forum requirements. Improvements to section 3.3 in the MRSP will establish clearer expectations regarding the content and quality of CP/CPS documentation. The new requirements emphasize that documentation must be explicit, bounded, auditable, and sufficientl

r/ReverseEngineering Jun 29

To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.

Sunday, June 28
r/Malware Jun 28

> On June 18, an international police operation seized the servers behind the fake "update your browser" pop-up, the one that has been tricking people into installing malware since 2017. They took down 106 servers and domains and scrubbed the malware off 14,971 hacked websites.
> Dutch police, who led the operation, say the login details for 1.4 million websites were exposed in the process. The breach-notification service [Have I Been Pwned](https://haveibeenpwned.com/?ref=freshfromcache.com) was handed 154,000 email addresses and more than half a million passwords from the haul. Canada's federal police disinfected 2,488 computers and notified every Canadian victim they could identify.
> The Netherlands, the FBI, Germany, and Canada ran it together with Europol behind them, as part of an ongoing campaign called Operation Endgame that has spent two years knocking out malware services hundreds of servers at a time.
> SocGholish is tied to Evil Corp (yes, that's really their name), a Russian group that law enforcement knows well. The US, UK, and Australia have all sanctioned Evil Corp. Its alleged leader, Maksim Yakubets, carries a $5 million FBI bounty and is believed to have worked with Russian intelligence.

Saturday, June 27
r/computerforensics Jun 27

Recently I ran into a problem: I needed to analyze a VMware snapshot of a Windows 11 25H2 VM, but the VM had a vTPM, which makes VMware silently encrypt the .vmem/.vmsn/.vmss/.nvram. Volatility just couldn't find the kernel, and I couldn't find any existing tool to decrypt these files for offline analysis. So I reverse-engineered the format with the help of Claude and wrote one. It's called vmem-decrypt (pure Python):
- Recovers the data-file key from the VM password (PBKDF2 → AES-256-CBC key chain; VMware labels everything "XTS-AES-256" but it's actually CBC, which trips up most people).
- Decrypts .vmem/.vmsn/.vmss/.nvram.
- Flattens the decrypted .vmem into a flat, Volatility-ready image. (VMware compresses then encrypts, so it's still in a proprietary checkpoint LZ77 layout.)
Workflow: pull the password hash from the .vmx (VM-Password-Extractor) → crack with hashcat (mode 27400) → feed the password to the tool → run Volatility. Full steps + format notes in the README. Tested on VMware Workstation Pro 26H1 / Win11 25H2 (build 26100), Volatility 3. Feedback welcome, especially snapshots from other VMware versions to test the format against. Repo: [https://github.com/heeeyaaaa/vmem-decrypt](https://github.com/heeeyaaaa/vmem-decrypt) (Yes, I used AI to help build this. It's tested and it works, that's what matters. Happy to walk through any part of how it works.)

Friday, June 26
r/computerforensics Jun 26

I've been building a tool called Image-Meta and would love feedback from people who actually do forensics work, since that's one of the primary use cases I'm trying to serve well.
**What it does:** Crawls and indexes the embedded metadata from publicly accessible images using ExifTool. Currently ~720 million images indexed with full EXIF/IPTC/XMP extraction.
**Forensics-relevant capabilities:**
**Device attribution**
- Search by camera serial number — link multiple images across different domains or accounts back to the same physical device
- Make/model filtering to narrow device type before drilling into serial
**Identity traces**
- Author, copyright, rights, and description fields often contain real names, emails, and organizational affiliations that subjects didn't know were there
- Software fields can expose Photoshop/Lightroom license strings, machine names, or internal workflow metadata
**Timeline reconstruction**
- foundDT = date we first indexed the image (earliest known appearance online)
- createDT / modifyDT = timestamps embedded in the file itself
- Useful for establishing when an image was created vs. when it first appeared publicly
**GPS / geospatial** (Not available to public without subscription)
- Coordinate + radius search for images taken near a location
- Reverse-geocoded address search
- Many images still carry precise GPS even when uploaded to platforms that claim to strip metadata
**What I'm looking for feedback on:**
- Are there metadata fields or query types that would make this more useful in an actual investigation workflow?
- Is the API structure (REST, Bearer token, field-level boolean search) something that integrates well with existing tooling?
- What's missing that you'd expect from a tool like this?
Not trying to sell anything here — genuinely want to understand what the forensics community needs before I build more features.
[https://image-meta.com](https://image-meta.com) API docs: [https://image-meta.com/api-docs](https://image-meta.com/api-docs)

Synack Jun 26

Boards and CIOs are pushing security teams to build internal AI pentesting tools, but is it worth it? This piece walks through the five questions security teams should ask when deciding between build vs buy for AI pentesting. The post Considering Build vs. Buy for AI Pentesting? Top 5 Questions to Ask appeared first on Synack.

Heimdal Security Jun 26
CVE

AI has handed hackers a resource advantage. Winning it back means spending your own resources far more precisely, and that’s the strategy we call Dynamic Defense. The principle is simple. Contain the threat just enough, for just long enough, until the risk is removed. This piece shows how that works as a five-stage loop that […] The post How Dynamic Defense shuts an attacker out without shutting down the business appeared first on Heimdal Security Blog.

Compass Security Jun 26

The Cyber Resilience Act (CRA) is a regulation introduced by the European Union to strengthen cybersecurity requirements for products with digital elements. In simple terms, the CRA sets mandatory cybersecurity rules for hardware and software sold in the EU. This includes everything from connected devices (IoT) to operating systems and even stand-alone software. Importantly, this concerns any company that wants to sell its products into the EU, regardless of whether that company is based in the EU or not. The goal is to ensure that digital products placed on the EU market are secure by design and by default and remain secure over time. That also means that the CRA does not stop at the launch of a product. It covers the entire lifecycle from design and development all the way through updates and vulnerability management. It also makes everyone in the product pipeline responsible. The CRA entered into force on 10 December 2024, meaning it is already officially law in the EU, although most obligations are not yet applicable. The implementation is phased. From 11 September 2026, companies will already need to comply with certain reporting obligations, particularly related to the notification of vulnerabilities and security incidents. From 11 December 2027, the CRA will be fully applicable. Also, products with digital elements that have been placed on the market before 11 December 2027 are not subject to the CRA unless, from that date, they are subject to a substantial modification. Reporting obligations apply to all products with digital elements that have been made available on the Union market, including those already placed on the market before 11 December 2027. Preparing for the CRA is ultimately not just about interpreting legal text, but about translating regulatory expectations into concrete t
