Microsoft has fixed a Windows Autopatch bug that caused driver updates restricted by administrative policies to be deployed on some Autopatch-managed Windows devices in the European Union. [...]
Cybersecurity News and Vulnerability Aggregator
Cybersecurity news aggregator
Updated: 3:20 pm
J/K Navigate / Search S Save V Open Link
— or
treemd <(curl -sL https://allsec.sh/md) (as Markdown) Top Cybersecurity Stories Today
Foxconn, the world's largest electronics manufacturer, says some of its North American factories are now working to resume normal operations after a cyberattack. [...]
The U.S. House Committee on Homeland Security is calling on Instructure executives to testify about two cyberattacks by the ShinyHunters extortion group that targeted the company's Canvas platform, allowing threat actors to steal student data and disrupt schools during final exams. [...]
The Information Commissioner's Office has fined South Staffordshire Water Plc and parent company South Staffordshire Plc £963,900 ($1.3 million) over a cyberattack that exposed the personal data of 663,887 customers and employees. [...]
RubyGems, the standard package manager for the Ruby programming language, has temporarily paused account sign ups following what has been described as a "major malicious attack." "We're dealing with a major malicious attack on RubyGems right now," Maciej Mensfeld, senior product manager for software supply chain security at Mend.io, said in a post on X. "Signups are paused for the time being.
Latest
Wednesday, May 13
**TL;DR: Bitdefender Labs tracked a multi-wave intrusion targeting an Azerbaijani oil and gas company from late December 2025 through late February 2026. This research documents expansion of Chinese APT activity against South Caucasus energy infrastructure, attributed with moderate-to-high confidence to FamousSparrow (overlapping with the Earth Estries threat ecosystem).** The new DLL sideloading variant is the interesting bit. Standard sideloading fires the payload from `DllMain` or a single export — sandboxes catch it. This one splits logic across two exports: * `Init` patches `StartServiceCtrlDispatcherW` in memory and exits * Host binary runs its normal startup, eventually calls `ComMain, which is`routed through the patched API into the loader and decrypts+executes the Deed RAT No anti-VM, no debugger checks, just an implicit requirement that the host be exercised normally. Run the DLL alone or hit one export in a sandbox and the malware looks inert. Chinese APTs are known to share new and successful techniques across the ecosystem. We saw it play out very clearly with "traditional" DLL sideloading - once it proved effective, it spread across basically every Chinese APT toolkit and then well beyond. Our expectation is the same here: this stealthier multi-export variant is not limited to the LogMeIn Hamachi binary used in this intrusion (there are plenty of other candidate executables with similar call patterns to abuse), and we expect to see it picked up by other Chinese APT groups over the next 12 months. In other words, this is a technique development story, not just a regional targeting story. Full writeup + IOCs: [https://www.bitdefender.com/en-us/blog/businessinsights/famoussparrow-apt-targets-azerbaijani-oil-gas-industry](https://www.bitdefender.com/en-us/blog/businessinsights/famoussparrow-apt-targets-azerbaijani-oil-gas-industry) If you want a primer on how DLL sideloading works in general before diving in, I wrote an explainer here (planning to update it with this new variant soon): [https://techzone.bitdefender.com/en/tech-explainers/what-is-dll-sideloading.html](https://techzone.bitdefender.com/en/tech-explainers/what-is-dll-sideloading.html)
Microsoft has fixed a Windows Autopatch bug that caused driver updates restricted by administrative policies to be deployed on some Autopatch-managed Windows devices in the European Union. [...]
A deep dive into detecting two recent Linux local privilege escalation vulnerabilities — CopyFail (CVE-2026-31431) and DirtyFrag (CVE-2026-43284, CVE-2026-43500) — both of which abuse the kernel page cache through splice() and specific socket subsystems (AF\_ALG, UDP\_ENCAP\_ESPINUDP, RxRPC). The post explains why the common detection approaches (blocking entire socket families or watching for specific file paths) are too broad or too easily bypassed, then walks through a behavior-based detection strategy using eBPF LSM hooks on security\_socket\_setsockopt, tracking per-task call frequency and option values to identify the abnormal patterns that exploits produce but legitimate workloads never do. Includes annotated eBPF code for both detections and a discussion of evasion mitigations.
The company says its new Incognito Chat allows you to use its AI chatbot without anyone else—including Meta—being able to access your conversations.
A threat actor with affiliations to China has been linked to a "multi-wave intrusion" targeting an unnamed Azerbaijani oil and gas company between late December 2025 and late February 2026, marking an expansion of its targeting. The activity has been attributed by Bitdefender with moderate-to-high confidence to a hacking group known as FamousSparrow (aka UAT-9244), which shares some level of
We’ve enabled higher usage limits, faster performance, and better reliability for Browser Run by rebuilding on top of Cloudflare’s Containers . You can now spin up 60 browsers per minute via the Workers binding and run up to 120 concurrently — 4x the previous limit. Also, Quick Action response times dropped more than 50%. You don't need to change anything: these improvements are live today. On top of that, we’re shipping fixes and new features faster than before. Read on to learn how we did it and see the data. Remind me: what is Browser Run? Browser Run enables developers to programmatically control and interact with headless browser instances running on Cloudflare’s global network. That’s useful for end-to-end testing of web applications, securely investigating suspicious URLs, and leveraging how browsers can easily render PDF documents, amongst other quick actions like capturing screenshots and extracting content. More recently, it’s become a critical enabler of AI agents to interact with the web. We’re building Browser Run to be the go-to platform to responsibly utilize automated browsers securely at massive scale. Outgrowing our bunk bed Before adopting Cloudflare Containers, we shared infrastructure with Browser Isolation (BISO). While technically similar, BISO’s larger container images slowed startup and development. Crucially, BISO browsers lacked optimal global distribution, compromising resiliency and latency. Addi
Foxconn, the world's largest electronics manufacturer, says some of its North American factories are now working to resume normal operations after a cyberattack. [...]
Attackers can compromise systems in minutes while patching and response still take hours or days. Picus Security breaks down why autonomous validation is becoming critical for modern defense strategies. [...]
Spent 2024–2025 filing Apple Security Bounty reports. All 16 are now closed. I've written up every one — including the ones Apple were right to reject, the ones where my own PoC was lying to me, and the few where I couldn't bridge the gap between binary evidence and a working exploit. No hype, no CVE-farming.
FOSS tool — not commercial. IOCX is a deterministic IOC extraction engine built for malware analysts and DFIR workflows. It’s static‑only (no execution), PE‑aware, and plugin‑extensible. The goal is to extract indicators and structural anomalies reliably, even from malformed or adversarial binaries. **Key behaviours:** * deterministic output (no sandbox variance) * handles malformed PE headers and weird section layouts * extracts IOCs + structural anomalies in one pass * plugin‑extensible enrichment system Repo: [https://github.com/iocx-dev/iocx](https://github.com/iocx-dev/iocx) Site: [https://iocx.dev](https://iocx.dev) Happy to answer technical questions or discuss edge cases.
[Claude Code] Android Reverse engineering Skill being updated with tracker/AD neutralization features
Security teams have never had better visibility into their environments and never been worse at confirming what they fix stays fixed. Mandiant's M-Trends 2026 report puts the mean time to exploit at an estimated negative seven days. The Verizon 2025 DBIR puts median time to remediate edge device vulnerabilities at 32 days. These numbers have understandably driven the industry toward a clear
Microsoft on Tuesday released patches for 138 security vulnerabilities spanning its product portfolio, although none of them have been listed as publicly known or under active attack. Of the 138 flaws, 30 are rated Critical, 104 are rated Important, three are rated Moderate, and one is rated Low in severity. As many as 61 vulnerabilities are classified as privilege escalation bugs, followed by
Cybersecurity researchers are calling attention to a new campaign dubbed GemStuffer that has targeted the RubyGems repository with more than 150 gems that use the registry as a data exfiltration channel rather than for malware distribution. "The packages do not appear designed for mass developer compromise," Socket said. "Many have little or no download activity, and the payloads are repetitive,
Google on Tuesday unveiled a new opt-in Android feature called Intrusion Logging for storing forensic logs to better analyze sophisticated spyware attacks. Intrusion Logging, available as part of Advanced Protection Mode, enables "persistent and privacy-preserving forensics logging to allow for investigation of devices in the event of a suspected compromise," the company said. The feature, it
Microsoft France's legal affairs director told the French Senate, under oath, that he can't guarantee European "sovereign cloud" data stays out of US reach
June 18, 2025. Anton Carniaux, Microsoft France's director of public and legal affairs. French Senate inquiry into public procurement and digital sovereignty. Senators asked him point-blank whether he could guarantee that data stored in Microsoft's sovereign cloud offering would never reach US authorities. He said no. Under oath. The reason is the US CLOUD Act from 2018. American companies have to comply with valid US legal requests for data regardless of where the servers physically sit. Microsoft, Amazon and Google all lobbied for that law back then. Same three now running the "European sovereign cloud" campaigns — Microsoft's "European Digital Sovereignty Commitments" launched early 2025, AWS and Google with their own variants right after. Doesn't matter what the product is called. The legal pipe runs back to Washington. Simon Uzenat, who chaired the Senate committee, called Microsoft's transparency reports on US data requests "purely declarative." No external verification, no oversight. Marketing kept running anyway. Carniaux is the cleanest public admission but not the only one. The Commission just awarded a €180M sovereign cloud tender in April 2026 — one of the four winners is S3NS, a Thales/Google Cloud joint venture. Commission's stated position now: non-European tech can meet sovereignty requirements with the right contract. They've redefined the word to fit the vendors. Then there's the Solvinity/Kyndryl deal in the Netherlands. American IT services company buying the Dutch provider that runs DigiD, the national digital ID every resident uses for tax filings, pensions, healthcare. Solvinity's own chief privacy officer told parliament the proposed risk mitigations couldn't actually shield against the CLOUD Act. He was fired. Government extended the DigiD contract through 2028 anyway, before the national security review concluded. Counter-example exists. Schleswig-Holstein moved 80% of 30,000 state employees off Microsoft Office to LibreOffice by December 2025. €15M annual licence savings against €9M one-time investment. Payback under 12 months. The French Gendarmerie has been running 100,000+ workstations on its own Linux distribution for over a decade. Not theoretical. Wrote the full piece up here, with the Gaia-X collapse and the Digital Omnibus lobbying paper trail: [https://thevisibleinvisible.substack.com/p/the-stolen-word](https://thevisibleinvisible.substack.com/p/the-stolen-word) Honest question — at what point does a US hyperscaler selling "sovereign cloud" to an EU government, after admitting under oath it can't deliver sovereignty, stop being marketing and start being something a prosecutor cares about? Or never?
Tuesday, May 12
The U.S. House Committee on Homeland Security is calling on Instructure executives to testify about two cyberattacks by the ShinyHunters extortion group that targeted the company's Canvas platform, allowing threat actors to steal student data and disrupt schools during final exams. [...]
Artificial intelligence platforms may be just as susceptible to social engineering as human beings, but they are proving remarkably good at finding security vulnerabilities in human-made computer code. That reality is on full display this month with some of the more widely-used software makers — including Apple , Google , Microsoft , Mozilla and Oracle — fixing near record volumes of security bugs, and/or quickening the tempo of their patch releases. As it does on the second Tuesday of every month, Microsoft today released software updates to address at least 118 security vulnerabilities in its various Windows operating systems and other products. Remarkably, this is the first Patch Tuesday in nearly two years that Microsoft is not shipping any fixes to deal with emergency zero-day flaws that are already being exploited. Nor have any of the flaws fixed today been previously disclosed (potentially giving attackers a heads up in how to exploit the weakness). Sixteen of the vulnerabilities earned Microsoft’s most-dire “critical” label, meaning malware or miscreants could abuse these bugs to seize remote control over a vulnerable Windows device with little or no help from the user. Rapid7 has done much of the heavy lifting in identifying some of the more concerning critical weaknesses this month, including: CVE-2026-41089 : A critical stack-based buffer overflow in Windows Netlogon that offers an attacker SYSTEM privileges on the domain controller. No privileges or user interaction are required, and attack complexity is low. Patches are available for all versions of Windows Server from 2012 onwards.
Silverfort published research two weeks ago showing the Agent ID Administrator role could take over any service principal in a tenant. Microsoft patched the specific flaw. But the underlying primitive is unchanged: if you own a service principal, you own its permissions. The attack is simple. Gain ownership of a service principal that holds a directory role. Add a client secret. Authenticate as that service principal. Inherit every permission it holds. If the target has a Global Administrator, that's a full tenant takeover. 99% of tenants have at least one privileged service principal. Most organizations don't audit who owns them. Here's what most environments look like: *→ Service principals created by developers who left 12+ months ago* *→ Ownership assigned at creation time, never reviewed* *→ Credentials that haven't been rotated since the application was registered* *→ Application-level permissions that bypass every user-scoped control* *→ No alert when someone changes ownership or adds credentials* We wrote a post covering: *1. The attack chain — how ownership becomes takeover in four steps* *2. Where to check in the Entra admin center — the portal paths most admins never open* *3. Three PowerShell audit queries you can run in 30 minutes* *4. Two KQL detection rules for Sentinel — ownership changes and credential additions* *5. The consolidated audit script you can hand to your security lead* The organizations that get compromised through service principal abuse aren't the ones that failed to patch a specific vulnerability. They're the ones that never governed the primitive. Full post with all queries and detection rules: [https://training.ridgelinecyber.com/blog/service-principal-ownership-attack-path/](https://training.ridgelinecyber.com/blog/service-principal-ownership-attack-path/)
The Information Commissioner's Office has fined South Staffordshire Water Plc and parent company South Staffordshire Plc £963,900 ($1.3 million) over a cyberattack that exposed the personal data of 663,887 customers and employees. [...]
Signal has introduced new in-app confirmations and warning messages as additional safeguards against phishing and social engineering attempts that could lead to various forms of fraud. [...]
In the US, fired and laid-off workers often have their digital credentials deactivated before they learn about the loss of their jobs; indeed, the inability to log in to a corporate system may be the first an employee knows of the situation. Although not a generous or humane approach to staff reduction, it does follow from the simple fact that a fired employee with access to company systems is a security risk. Just ask the Akhter twin brothers, accused of wiping out 96 databases hosting US government information in the minutes after both were fired last year from their shared employer. Read full article Comments ]]>
Iran’s traditional naval fleet has been almost completely destroyed by US-Israeli raids. But Iran’s military has put a fleet of small vessels on the water that is crippling every passageway.
Fortinet has released security patches for two critical vulnerabilities in FortiSandbox and FortiAuthenticator that could enable attackers to run commands or arbitrary code. [...]
Microsoft has released Windows 11 KB5089549 and KB5087420 cumulative updates for versions 25H2/24H2 and 23H2 to fix security vulnerabilities, bugs, and add new features. [...]
GitHub - iss4cf0ng/OpenBootloader: A Proof-of-Concept of simple bootloader, written in Assembly (NASM) and C language.
Android 17, expected to roll out next month, will introduce several security and privacy features focused on device theft, threat detection, and banking scam calls. [...]
Exim has released security updates to address a severe security issue affecting certain configurations that could enable memory corruption and potential code execution. Exim is an open-source Mail Transfer Agent (MTA) designed for Unix-like systems to receive, route, and deliver email. The vulnerability, tracked as CVE-2026-45185, aka Dead.Letter, has been described as a use-after-free
There is a lot of non-data driven discussions around using AI in investigations. Some people think it will be amazing. Some think its a disaster. A lot of other people are undecided. The community needs data to help navigate this and I'm hoping you can help. We launched a challenge a couple of weeks back. 1. Submit anonymized screen shots of where AI was amazing, where it was a disaster, and where it was "meh...." 2. Our panel of judges (skeptics and advocates) will review them 3. The public will vote 4. Winners get bragging rights 5. All anonymous submissions are posted on github. Judges: * Heather Barnhart (SANS) * Alexis Brignoni (LEAPPS) * Eric Capuano (Digital Defense Institute) * Brian Carrier (Sleuth Kit Labs – Organizer) * Filip Stojkovski (BlinkOps) Full details are here: [https://www.cybertriage.com/blog/aidfir-2026-challenge-the-good-vs-the-ugly/](https://www.cybertriage.com/blog/aidfir-2026-challenge-the-good-vs-the-ugly/) Please send in your best submissions!
RubyGems, the standard package manager for the Ruby programming language, has temporarily paused account sign ups following what has been described as a "major malicious attack." "We're dealing with a major malicious attack on RubyGems right now," Maciej Mensfeld, senior product manager for software supply chain security at Mend.io, said in a post on X. "Signups are paused for the time being.
Vibe coding has the cybersecurity industry talking. As thousands of practitioners attended talks about the promise and risk of AI agents at RSAC 2026 in March, and hundreds of vendors — both legacy and startups — presented their latest AI-powered tools in the expo hall, hard questions about the impact of this technology on the field arose in the back of many attendees’ minds. At least one person expressed their thoughts on the industry’s future in the AI era by publishing a satirical website titled “RSA 2026: The Great Cooking.” [The site](https://vibecoded.vc/cooked/), which saw some circulation among social media circles, states 61.9% of RSAC 2026 exhibitors “could be replaced by a weekend of vibe-coding in Cursor.” While created with unclear methodology, and an “unhealthy amount of spite,” as its creator states, the website’s sharp criticism seemingly resonated with several cybersecurity pros seeking to cut through the noise and really understand what AI can and can’t achieve. “The Great Cooking website was great satire on the reality of the current cyber market — lots of hype, lots of wrapper companies faking it until they make it, lots of legacy companies that are going to struggle to differentiate, and a few truly differentiating cyber companies that are solving hard problems,” [Horizon3.ai](http://Horizon3.ai) CEO and Co-founder Snehal Antani, who shared the site on LinkedIn, told SC Media. Amy Chaney, SVP of technology at Citi, also praised the site as a “light-hearted review,” but said it is just that — a “funny read” and “not a buyer’s guide.” “Many of the RSA ‘cooked’ solutions are high viability market winners, many of the exhibits labeled ‘actually hard’ will solve no problems,” Chaney said. The satire taps into a large debate already going on in cybersecurity about how AI-assisted development — or “vibe coding” — is disrupting industry norms around software creation and the state of security itself. Even where claims about AI’s capabilities may be exaggerated, vibe coding’s explosion in popularity is undoubtedly making its mark on security teams and in boardrooms around the world. “I’ve never seen a bigger disconnect between what investors want to hear and what CISOs are trying to solve, and unfortunately, corporate marketing has over rotated to the investor narrative instead of focusing on solving problems that matter to practitioners,” Antani said. Full article: [https://www.scworld.com/feature/vibe-coding-has-cybersecurity-asking-what-ai-can-and-cant-replace](https://www.scworld.com/feature/vibe-coding-has-cybersecurity-asking-what-ai-can-and-cant-replace)
CUBIC, standardized in RFC 9438 , is the default congestion controller in Linux, and as a result governs how most TCP and QUIC connections on the public Internet probe for available bandwidth, back off when they detect loss, and recover afterward. At Cloudflare, our open-source implementation of QUIC, quiche , uses CUBIC as its default congestion controller, meaning this code is in the critical path for a significant share of the traffic we serve. In this post, we’ll tell the story of a bug in which CUBIC's congestion window (cwnd) gets permanently pinned at its minimum and never recovers from a congestion collapse event. The story starts with a Linux kernel change aimed at bringing CUBIC into line with the app-limited exclusion described in RFC 9438 §4.2-12 — a fix to a real problem in TCP that, when ported to our QUIC implementation, surfaced unexpected behaviors in quiche. It has a happy ending: an elegant (near-)one-line fix that broke the cycle. CUBIC's logic in a nutshell Before we dive into the core problem, a quick refresher on CCAs may help to set the stage. The central knob a CCA turns is the congestion window ( cwnd ): the sender-side cap on how many bytes can be in flight (sent but not yet acknowledged) at any moment. A larger cwnd lets the sender push more data per round trip; a smaller cwnd throttles it. Every loss-based CCA, CUBIC included, is ultimately a policy for how to grow cwnd when the network looks healthy and how to shrink it when it doesn't. I
Cybersecurity researchers have flagged a new version of the TrickMo Android banking trojan that uses The Open Network (TON) for command-and-control (C2). The new variant, observed by ThreatFabric between January and February 2026, has been observed actively targeting banking and cryptocurrency wallet users in France, Italy, and Austria. "TrickMo relies on a runtime-loaded APK (dex.module),
TeamPCP, the threat actor behind the recentsupply chain attack spree, has been linked to the compromise of the npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI as part of a fresh Mini Shai-Hulud campaign. The affected npm packages have been modified to include an obfuscated JavaScript file ("router_init.js") that's designed to profile the execution
Go’s native fuzzing is useful, but it stands far behind state-of-the-art tooling that the Rust, C, and C++ ecosystems offer with LibAFL and AFL++. Path constraints are hard to solve. Structured inputs usually need handmade parsing. It doesn’t even detect several common bug classes, such as integer overflows, goroutine leaks, data races, and execution timeouts. So to make it better, we built gosentry , a fuzzing-oriented fork of the Go toolchain that keeps the standard testing.F workflow while using a stronger fuzzing stack underneath to tackle those issues. With gosentry, go test -fuzz uses LibAFL by default. It can fuzz structs natively, run grammar-based fuzzing with Nautilus, detect bug classes that it couldn’t detect before, and create a fuzzing campaign coverage report in one command. If you already have Go fuzz harnesses, you don’t need to rewrite them. Point them at gosentry’s binary and you get all of the above through the same go test -fuzz interface, with a few new flags: ./bin/go test -fuzz = FuzzHarness --focus-on-new-code = false --catch-races = true --catch-leaks = true Figure 1: Basic gosentry usage gosentry keeps the harness API and changes the engine and the surrounding tooling — you
Agentic AI is already running in production environments across many organizations today. It is executing tasks, consuming data, and taking actions — most likely without meaningful involvement from the security team. The industry conversation has largely framed this as a question of policy: allow it, restrict it, or monitor it? However, that framing misses the point. The more urgent
AI Will Absorb 99.98% of SOC Triage Within a Year, as 79% of IT teams brace for AI-driven workload shift
COPENHAGEN, DENMARK, 12 May 2026 — Heimdal’s managed SOC processes three million alerts a month. In the year ahead, fewer than 500 of those, less than 0.02%, are expected to need a human analyst. That’s the forecast from Heimdal founder Morten Kjaersgaard, based on the trajectory of AI Wingman SOC as it absorbs the bulk […] The post AI Will Absorb 99.98% of SOC Triage Within a Year, as 79% of IT teams brace for AI-driven workload shift appeared first on Heimdal Security Blog .
A pre-auth remote code execution vulnerability was found in the CWMP implementation of ipTIME routers, allowing unauthenticated attackers to execute arbitrary code remotely.
OpenAI has launched Daybreak, a new cybersecurity initiative that brings together frontier artificial intelligence (AI) model capabilities and Codex Security to help organizations identify and patch vulnerabilities before attackers find a way in using the same issues. "Daybreak combines the intelligence of OpenAI models, the extensibility of Codex as an agentic harness, and our partners across
Apple on Monday officially released iOS 26.5 with support for end-to-end encryption (E2EE) to Rich Communication Services (RCS) in beta as part of a "cross-industry effort" to replace traditional SMS with a more secure alternative. To that end, E2EE RCS messaging is rolling out to iPhone users running iOS 26.5 with supported carriers and Android users on the latest version of Google Messages.
Most detection rules focus on obvious indicators, such as hashes or C2 domains. Advanced actors like APT29 do not play that game. **NOTE: Keep your feedback focused strictly on the detection rule and the telemetry. I am sharing this research to contribute to the community, not to compete with anyone. If you are just going to derail the thread with off topic arguments, I do not need your feedback.** **WHAT I FOUND:** Adversaries are running unsigned executables from C:\\Windows\\Temp\\ and loading Python compiled modules ((dot)pyd files) from AppData\\Local\\Temp. In isolation this looks like normal software installation. In context it is adversary staging. **THE DETECTION LOGIC:** I built my alerts based on the exact path and signature correlations from my lab notes. The alert triggers on these specific combinations: * Temp: An image executing from Temp or Image loading module or DLL from Temp. * ProgramData: A process in ProgramData loading image or image loading from ProgramData. * Legit + Unsigned: A signed legitimate process loading an unsigned .exe or .pyd module. * Temp + Legit: Execution from Temp loading legitimate signed System32 DLLs. **WHY EVENTID 7 MATTERS:** Process Creation (EventID 1) tells you WHAT ran. Image Load (EventID 7) tells you WHAT IT IS LOADING. Example from the telemetry: Image: C:\\Windows\\Temp\\python(dot)exe ImageLoaded: C:\\Users\\pbeesly\\AppData\\Local\\Temp\_MEI29522\_ctypes(dot)pyd Signed: false APT29 staged python.exe and loaded modules BEFORE executing the final payload. Most rules miss this because they only watch process creation. **TOOLS WORTH MONITORING (even if legitimate):** * PsExec64(dot)exe for remote execution * sdelete64(dot)exe for anti forensics * PSEXESVC(dot)exe for lateral movement **FALSE POSITIVES:** Software installers, portable apps, and Python development environments will trigger this. That is standard tuning for your specific environment. **SIGMA RULE:-** title: Suspicious Executable Activity from Temp Directories id: 42461076-ab43-408d-bc8d-97016a04e2cf description: Detects unsigned executables in Temp loading modules or DLLs, common in APT29 and malware staging status: experimental date: 2026/05/11 author: Manish Rawat references: - https://attack.mitre.org/techniques/T1574 - https://github.com/OTRF/Security-Datasets logsource: product: windows category: Image loaded detection: selection: EventID: - 7 Image|contains: - \\ProgramData\\ - \\Temp\\ - \\temp\\ selection_ImageLoaded_location: ImageLoaded|contains: - \\Temp\\ - \\temp\\ - \\ProgramData\\ selection_ImageLoaded_exe: ImageLoaded|endswith: - .exe - .pyd selection_signaturestatus: SignatureStatus: - 'Unsigned' - 'Unavailable' - 'Invalid' selection_Signed: Signed: - 'false' - '-' condition: (selection or selection_ImageLoaded_location) or (selection_ImageLoaded_exe and (selection_ImageLoaded_location or selection )) or (selection_signaturestatus and (selection or selection_ImageLoaded_exe or selection_ImageLoaded_location)) or (selection_Signed and (selection or selection_ImageLoaded_exe or selection_ImageLoaded_location)) falsepositives: - Software installers using temporary directories - Legitimate portable applications - Python development environments severity: medium tags: - attack.t1059.006 - attack.t1574 **This is the raw lab logic. I am still tuning it for production.** Note: Detecting only double \\\\Temp\\\\ logic is making this detection weak (only 24 events triggered), but with individual \\\\Temp\\\\ detection, it is getting much more results (300+ events triggered). I know individual \\\\Temp\\\\ detection can lead to false positives, but we can narrow it down based on a 90 days or 30 days baseline. SPL: (EventID=7 Image IN ("\*\\\\ProgramData\\\\\*", "\*\\\\Temp\\\\\*", "\*\\\\temp\\\\\*")) OR ImageLoaded IN ("\*\\\\Temp\\\\\*", "\*\\\\temp\\\\\*", "\*\\\\ProgramData\\\\\*") OR (ImageLoaded IN ("\*.exe", "\*.pyd") ImageLoaded IN ("\*\\\\Temp\\\\\*", "\*\\\\temp\\\\\*", "\*\\\\ProgramData\\\\\*") OR (EventID=7 Image IN ("\*\\\\ProgramData\\\\\*", "\*\\\\Temp\\\\\*", "\*\\\\temp\\\\\*"))) OR (SignatureStatus IN ("Unsigned", "Unavailable", "Invalid") (EventID=7 Image IN ("\*\\\\ProgramData\\\\\*", "\*\\\\Temp\\\\\*", "\*\\\\temp\\\\\*")) OR ImageLoaded IN ("\*.exe", "\*.pyd") OR ImageLoaded IN ("\*\\\\Temp\\\\\*", "\*\\\\temp\\\\\*", "\*\\\\ProgramData\\\\\*")) OR (Signed IN ("false", "-") (EventID=7 Image IN ("\*\\\\ProgramData\\\\\*", "\*\\\\Temp\\\\\*", "\*\\\\temp\\\\\*")) OR ImageLoaded IN ("\*.exe", "\*.pyd") OR ImageLoaded IN ("\*\\\\Temp\\\\\*", "\*\\\\temp\\\\\*", "\*\\\\ProgramData\\\\\*")) If you've some suggestion or feedback, please feel free to DM. Detection insights are valuable to me. If you hate this post, then do what you want to do.
Lockbit Black Loader and Shellcode Analysis - Full Thought process, Technical Writeup and Blue Team perspective
Monday, May 11
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite Today, we welcome the 43rd government onboarded to Have I Been Pwned's free gov service, Bangladesh. The BGD e-GOV CIRT department now has full access to query all their government domains via API, and monitor them against future breaches. Bangladesh joins a growing list of national governments using HIBP to help protect their public sector digital assets, and we look forward to supporting their efforts to identify exposure of government email addresses in data breaches and respond quickly when new incidents appear.
Key Takeaways Sara Pentest and Sara Pentest+ Are Now Generally Available Since releasing Sara Pentest as general availability earlier this month, we’ve also shipped a set of platform updates that make it easier to scope, launch, and act on Sara findings at scale. This post walks through what’s new with the Synack PTaaS platform, and […] The post What’s New with Sara Pentest: Closing the Coverage Gap, One Test at a Time appeared first on Synack .
Checkmarx has confirmed that a modified version of the Jenkins AST plugin was published to the Jenkins Marketplace. "If you are using Checkmarx Jenkins AST plugin, you need to ensure that you are using the version 2.0.13-829.vc72453fa_1c16 that was published on December 17, 2025 or previously," the cybersecurity company said in a statement over the weekend. As of writing, Checkmarx has released
A threat actor named Mr_Rot13 has been attributed to the exploitation of a recently disclosed critical cPanel flaw to deploy a backdoor codenamed Filemanager on compromised environments. The attack exploits CVE-2026-41940, a vulnerability impacting cPanel and WebHost Manager (WHM) that could result in an authentication bypass and allow remote attackers to gain elevated control of the control
VU#471747: dnsmasq contains several vulnerabilities, including attacker DNS redirect, privilege escalation, and heap manipulation
Overview dnsmasq is affected by multiple memory safety and input validation vulnerabilities, including heap buffer overflows, heap corruption, and code execution flaws. Collectively, these vulnerabilities enable attackers to poison cached DNS records, bypass security controls, crash the dnsmasq process, or under certain conditions, achieve local privilege escalation. dnsmasq has released version 2.92rel2 to fix the vulnerabilities. Description dnsmasq is an open-source networking tool that provides DNS forwarding, DHCP, and network boot services for small-to-medium sized networks and home routing devices. It can also function as a DNS resolver, which is the primary exploitation use case for several of the vulnerabilities described below, tracked collectively as CVE-2026-2291, CVE-2026-4890, CVE-2026-4891, CVE-2026-4892, CVE-2026-4893, and CVE-2026-5172. CVE-2026-2291 dnsmasq's extract_name() function can be abused to cause a heap buffer overflow, enabling an attacker to inject false DNS cache entries. This could cause DNS queries to be redirected to attacker-controlled IP addresses or result in a Denial of Service (DoS). CVE-2026-4890 An infinite-loop flaw in the DNSSEC validation of dnsmasq allows remote attackers to cause Denial of Service (DoS) conditions via a crafted DNS packet. CVE-2026-4891 A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to leak memory information via a crafted DNS packet. CVE-2026-4892 A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root pr
Google on Monday disclosed that it identified an unknown threat actor using a zero-day exploit that it said was likely developed with an artificial intelligence (AI) system, marking the first time the technology has been put to use in the wild in a malicious context for vulnerability discovery and exploit generation. The activity is said to be the work of cybercrime threat actors who appear to
Overview Casdoor contains an arbitrary file write vulnerability in the implementation of its "Local File System" storage provider. Due to insufficient sanitization of user-supplied paths, an authenticated user with file upload permissions can escape the intended storage directory and write files elsewhere on the target filesystem. The vulnerability allows attackers to bypass Casdoor’s storage sandbox and perform unauthorized actions with the privileges of the Casdoor runtime user. Description Casdoor is an open-source identity and access management (IAM) platform and Model Context Protocol (MCP) gateway that provides authentication, single sign-on, and multi-protocol identity services for applications. Internally, it uses its Local File System storage provider to save files to a dedicated $CASDOOR/files/ directory. During a file upload via the /api/upload-resource endpoint, the Casdoor application determines the target storage filepath by concatenating the user-supplied parameters pathPrefix and fullFilePath . However, values provided for pathPrefix are not properly sanitized, so directory traversal sequences such as ../../ are accepted without any integrity or permission checks beyond those of the OS user running the Casdoor process. The application does not verify that the destination filepath remains inside the dedicated storage directory, and it will create or overwrite any file that the Casdoor process has permission to modify. CVE-2026-6815 An arbitrary file write vulnerability exists in Casdoor's Local File System storage provider. Due to insufficient path sanitization, an authenticated attacker with file upload privileges can perform a path tra
The EtherRAT malware family was first reported by Sysdig back in December 2025. At that time, the initial access vector was exploitation of CVE-2025-55182 (React2Shell) targeting Linux servers. In March 2026, a Windows variant campaign was reported by Atos, with their investigation showing evidence of activity going back to the previous December. In April, we […] The post Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware appeared first on The DFIR Report .
Rough Monday. Somebody poisoned a trusted download again, somebody else turned cloud servers into public housing, and a few crews are still getting into boxes with bugs that should’ve died years ago — the same old holes, same lazy access paths, same “how the hell is this still open” feeling. One report this week basically reads like a guy tripped over root access by accident and decided to stay
Health service has given US tech firm ‘unlimited access’ to certain data to build integrated platform, according to reports UK politics live – latest updates MPs have warned that an NHS decision to grant Palantir access to identifiable patient information in its plan to use AI to improve the health service is “dangerous” and will fuel public fears that data privacy is not being prioritised. NHS England has allowed staff from the US tech firm and other contractors to access patient data before it has been pseudonymised, despite internal fears of a “risk of loss of public confidence”, the Financial Times reported. Continue reading...
I recently published a security research post on the myAudi connected vehicle platform. I found that anyone with a VIN can access a sensitive informations about car and ownership I think the topic is useful beyond Audi itself, because many vendors now rely on these “connected vehicle” platforms and mobile apps, often with very similar architectures and assumptions
To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.
I’m happy to announce that we are releasing the beta version of RAPTR, a fully open source, API driven collaboration platform built specifically for red and purple team engagements. Check out the code on GitHub , read the docs , or try out the latest build at our sandbox . Why I built it Up until recently, our team relied on PurpleOps for our Purple Team engagements . It’s a solid tool and served as a good starting point for us. Eventually, we needed more out of it, so we maintained our own custom f
Learn how malicious Claude Code skills can abuse dynamic context commands to execute before model-level prompt injection defenses can intervene.
Sunday, May 10
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite Well, it's the day before the Instructure "pay or leak" deadline (at least by my Aussie watch), and the company remains removed from the ShinyHunters website. In its place sits a press statement that amounts to "we're not making any statements". So did they pay? And if so, what lofty figure would an incident of this scale command? The lawsuits are already being prepared (search for "instructure class action lawsuit"), so perhaps that will be the catalyst for transparency. What a crazy time.
Across all major ShinyHunters campaigns (AT&T/Snowflake, Salesforce, Canvas/Instructure), only one event has both a publicly stated payment amount and a known approximate settlement date: the May 2024 AT&T payment of \~5.7 BTC (\~$370K), confirmed by *Wired* but never published with a transaction hash. I use that as the analytical anchor for an end-to-end on-chain analysis using only free public data. **Pipeline (5 stages):** 1. BigQuery bulk filter on amount and time window → 500 candidates. 2. Recipient profiling via Blockstream Esplora (lifetime tx count, spend shape). 3. Sender-side cluster analysis using common-input ownership; looking for broker-aggregation patterns. 4. Depth-12 concurrent forward trace, top-K=4 fan-out. 5. Terminal attribution via OKLink, BitInfoCharts, WalletExplorer. **Result:** A single highest-fit candidate: 5.71997804 BTC paid 2024-05-17 22:04 UTC to a fresh recipient, spent in 6 min, laundered through a 6-cycle automated peel chain, terminating at an exchange deposit cluster. Funding side shows broker-aggregation fingerprint (4× 1.147 BTC peels in a 90-min window pre-payout). Upstream hub addresses appear reused across multiple victims of the same laundering service, active through 2025. Paper closes with the legal pathway from chain endpoint to indictment and a scoped compliance-request template. **Limitations (explicit in §5):** Ranking under a scoring scheme, not positive ID. No off-chain ground truth. Documented OKLink vs. Arkham label conflict on the dominant terminal, resolved via behavioural audit. No formal null-distribution analysis yet. Score weights are author judgements. **Asking for:** 1. Technical feedback / methodology critique. 2. arXiv [cs.CR](http://cs.CR) endorsement — endorsement code: **ZQXBSQ** [github.com/tr4m0ryp/shinyhunters-gotta-catch-em-all/blob/main/Gotta\_Catch\_Em\_All\_ShinyHunters.pdf](http://github.com/tr4m0ryp/shinyhunters-gotta-catch-em-all/blob/main/Gotta_Catch_Em_All_ShinyHunters.pdf) Tooling and dataset released for reuse
I am proud to announce the release of **Crow-Eye v0.10.0**. This milestone marks the official launch of **The Eye** a robust intelligence layer designed to integrate your own AI agents directly into **Crow-Eye,** This isn't just a regular update; it’s a massive milestone for us . My goal from day one has been to build an ecosystem that doesn't just chase known signatures, but actually gives investigators the power to hunt zero-days But as we celebrate this release and introduce our new AI layer, we need to talk about the elephant in the room. # The Problem with AI in Forensics There’s a huge rush right now to slap AI onto cybersecurity tools, and honestly, a lot of it is dangerous. We are seeing "black box" solutions where investigators feed raw data into an LLM and just trust the answers it spits out. In DFIR, an AI hallucination can ruin a case. An answer without mathematical, binary proof is worthless. If an AI agent cannot anchor its reasoning to exact offsets, hashes, and unmanipulated timestamps, we cannot trust it. To fix this, I realized we had to architect a system where the AI is bound by the exact same strict evidentiary rules as a human analyst. # The Starting Line: Automated Triage Before the AI even wakes up, Crow-Eye does the heavy lifting. When you launch **The Eye**, the platform immediately runs a high-speed Automated Triage phase. It queries the underlying SQLite databases to map out the ground truth: active users, execution histories, accessed files, USB devices, and Auto Run configs. This builds a comprehensive **Initial Report**. This report isn't the final investigation it’s the baseline. It’s the verified starting line before we let the AI touch the data. # The Brain of "The Eye" I believe you should have total control over your data and your analytical "brain." That’s why The Eye is completely modular. You can plug in whatever intelligence fits your environment: * **Cloud AI Models:** Hook up your public API keys for high-performance reasoning. * **Offline Servers & Local Inference:** For air-gapped labs where privacy is non-negotiable. * *Dev Note:* A lot of my testing and development for The Eye was actually done using **LM Studio** and Google’s open-weights models (like the **Gemma** family). If you're a solo investigator, running Gemma locally on your own machine is incredibly powerful. Just a tip: push your context window as high as possible to handle the dense forensic payloads! * **CLI Agents:** If you are a developer or researcher, you can hook up your own custom-built local agents, or seamlessly pipe in tools like **Claude Code** and the **Gemini CLI**. https://preview.redd.it/zdg32192ic0h1.png?width=2023&format=png&auto=webp&s=a1458500b3765ccb1a7fb4018a9dcd2203bd7a1a # Keeping the AI Honest: The Ghassan Elsman Protocol (GEP) Triage gives us the data, but the **Ghassan Elsman Protocol (GEP)** ensures the AI doesn't mess it up. The GEP is a strict set of rules hardcoded into the workflow to maintain a perfect chain of custody: 1. **Case Awareness:** The Initial Report is injected directly into the prompt to ground the AI in reality. 2. **Pre-Flight Ping:** Validates backend connectivity to stop silent failures. 3. **Evidence Anchoring:** Automatically tags and preserves raw hashes, IPs, and timestamps in the chat history. 4. **Chain of Custody:** Every truncation or data preservation event is meticulously logged. 5. **Non-Repudiation:** Messages are assigned deterministic, hash-linked IDs so records can't be altered. 6. **Context Pinning:** Critical evidence is locked and excluded from automated AI summarization. 7. **Tool Traceability:** Every tool the AI uses (like querying LOLBAS) is logged with exact execution counts. 8. **Machine-Readable Synthesis:** You get a clean JSON audit trail at the end to prove compliance. # What's Next: Bridging Analysis and Anatomy While The Eye handles the high-speed analysis, our educational hub, **Eye Describe**, In upcoming updates, we are going to start building a bridge between these two tools. The goal is to gradually integrate visual references alongside the AI's findings. We want to reach a point where the AI doesn't just give you an answer, but helps point you toward the structural anatomy of the artifact it analyzed. It’s an iterative, ongoing project, but we believe it is an important step toward total forensic transparency. This is the very first release of The Eye. You might hit a few bumps connecting to certain local backends or managing specific CLI tools, but we are actively squashing bugs and refining the experience over the next few weeks. Please submit any issues you find! The latest source code and release are available right now on our GitHub. For those waiting for the compiled `.exe` version, it will be dropping very soon on our official website. **GitHub :** [https://github.com/Ghassan-elsman/Crow-Eye](https://github.com/Ghassan-elsman/Crow-Eye) **good hunting**
The compression of the exploit timeline: Why n-day gaps and 90-day embargoes are failing in practice.
The traditional vulnerability disclosure timeline relies on a fundamental assumption: exploit development and vulnerability discovery take time. Over the last 12 months the integration of LLMs into offensive tooling has demonstrably broken this assumption. I recently published a technical write-up arguing that the 90-day disclosure window is effectively dead backed by three specific observations from recent incidents: 1. **Automated Diff Analysis (30-minute n-days) :** The safety net between a patch release and an in-the-wild exploit is gone. Taking a recent React security patch (CVE-2026-23870), I used an LLM to analyze the diff, identify the vulnerable path, and write a working DoS PoC in roughly 30 minutes. The human reverse-engineering bottleneck has been bypassed. 2. **Vulnerability Convergence :** I recently reported a critical P0 to a vendor and was told I was the 11th reporter in 6 weeks. LLM assisted scanners are causing independent researchers to converge on the same bugs simultaneously. An embargo no longer contains the vulnerability; it simply provides a head start to whichever threat actor also found it. 3. **The Linux Kernel (Copy Fail & Dirty Frag) :** The recent kernel exploits highlight this perfectly. Copy Fail (CVE-2026-31431) went from an automated AI scan to a public PoC to nation state weaponization in days. Shortly after the embargo for Dirty Frag (CVE-2026-43284 / CVE-2026-43500) was broken in hours because an unrelated third party independently discovered the same bug class using similar tooling. The defense cannot operate on monthly cycles when the offense is operating in hours. The focus needs to shift to real-time, PR-level AI scanning to match the pace. can read the full technical breakdown and case studies on my blog:[https://blog.himanshuanand.com/2026/05/the-90-day-disclosure-policy-is-dead/](https://blog.himanshuanand.com/2026/05/the-90-day-disclosure-policy-is-dead/) I am curious if the researchers here are experiencing similar convergence rates or if you view this as a temporary anomaly while legacy codebases are scanned with new tools.
Saturday, May 9
I built a realistic enterprise security architecture guide covering SPOFs, insider threats, and budget implementation
Plus: Meta officially kills encrypted Instagram DMs, the Trump administration targets “violent left wing extremists,” leaked documents reveal Russia's school for elite hackers, and more.
Friday, May 8
Overview A privilege escalation vulnerability has been discovered in Linux kernel versions version 4.17 (released 2017) and later. Many popular distributions and Linux-based containers are affected. This vulnerability was publicly disclosed on April 29, 2026, has been assigned CVE ID CVE-2026-31431 , and is commonly referred to as "Copy Fail." Description The Linux kernel, since version 4.17, includes the algif_aead module, which provides user space access to authenticated encryption with associated data (AEAD) operations via the AF_ALG interface. This module may be available as a loadable kernel module or compiled directly into the kernel, depending on the Linux distribution or the custom built Linux install. According to the https://copy.fail disclosure statement: An unprivileged local user can write 4 controlled bytes into the page cache of any readable file on a Linux system, and use that to gain root. The vulnerability is caused by a logic flaw in the Linux kernel’s algif_aead ( AF_ALG) implementation. An unprivileged local user can reliably perform a controlled 4-byte write into the page cache of any readable file without race conditions or timing dependencies. Critically, the corrupted page is not marked dirty, so the modified contents are never written back to disk. The underlying file remains unchanged, allowing the in-memory corruption to bypass checksum and file integrity verification mechanisms. Because subsequent reads are served from the page cache, an attacker can target a setuid binary and modify it
JDownloader is compromised! * The replaced malicious executable contains the official and benign JDownloader in resources along with an XOR encrypted blob also available in resources * The encrypted blob after 8 minutes of waiting to prevent sandbox noise is decrypted and executed, the next stage contains also several XOR encrypted resources and the official Python installer * After decrypting resources, they contain PyArmor encrypted file and PyArmor runtime * Delivers sophisticated Python remote access malware See AnyRun execution chain along with the 8 minute wait before the payload starts: [https://app.any.run/tasks/e0cecc2d-5571-49fe-a549-cc7d1b8b5908](https://app.any.run/tasks/e0cecc2d-5571-49fe-a549-cc7d1b8b5908) IOC's: * Initial delivered installer -> 5a6636ce490789d7f26aaa86e50bd65c7330f8e6a7c32418740c1d009fb12ef3 * Stage 2 payload -> 77a60b5c443f011dc67ace877f5b2ad7773501f3d82481db7f4a5238cf895f80 * PyArmor encrypted blob: 5fdbee7aa7ba6a5026855a35a9fe075967341017d3cb932e736a12dd00ed590a * hxxps://parkspringshotel\[.\]com/m/Lu6aeloo.php (most likely another compromised URL) * hxxpx://auraguest\[.\]lk/m/douV2quu.php (most likely another compromised URL)
With the launch of the first 16 satellites, Russia begins construction of a network for satellite internet that aims to cover the entire country by 2030. But getting there won’t be easy.
Thousands of schools around the US were paralyzed on Thursday after education tech firm Instructure shut down access to its Canvas platform following a breach by hackers going by the name ShinyHunters.
SASS King Part 2: reverse-engineering ptxas heuristic decisions and what the compiled binary actually reveals
An ongoing data extortion attack targeting the widely-used education technology platform Canvas disrupted classes and coursework at school districts and universities across the United States today, after a cybercrime group defaced the service’s login page with a ransom demand that threatened to leak data from 275 million students and faculty across nearly 9,000 educational institutions. A screenshot shared by a reader showing the extortion message that was shown on the Canvas login page today. Canvas parent firm Instructure responded to today’s defacement attacks by disabling the platform, which is used by thousands of schools, universities and businesses to manage coursework and assignments, and to communicate with students. Instructure acknowledged a data breach earlier this week, after the cybercrime group ShinyHunters claimed responsibility and said they would leak data on tens of millions of students and faculty unless paid a ransom. The stated deadline for payment was initially set at May 6, but it was later pushed back to May 12. In a statement on May 6, Instructure said the investigation so far shows the stolen information includes “certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as as messages among users.” The company said it found no evidence the breached data included more sensitive information, such as passwo
A look at how to secure Kubernetes secrets
Thursday, May 7
Chrome users were caught off guard by a 4-GB Google AI model baked into Chrome, sparking privacy concerns. The good news: You can easily uninstall it. The bad? You might not want to.
This afternoon, we sent the following email to our global team. One of our core values at Cloudflare is transparency, and we believe it's important that you hear this directly from us because it’s a major moment at Cloudflare. Team: We are writing to let you know directly that we’ve made the decision to reduce Cloudflare’s workforce by more than 1,100 employees globally. The way we work at Cloudflare has fundamentally changed. We don’t just build and sell AI tools and platforms. We are our own most demanding customer. Cloudflare’s usage of AI has increased by more than 600% in the last three months alone. Employees across the company from engineering to HR to finance to marketing run thousands of AI agent sessions each day to get their work done. That means we have to be intentional in how we architect our company for the agentic AI era in order to supercharge the value we deliver to our customers and to honor our mission to help build a better Internet for everyone, everywhere. Today is a hard day. This decision unfortunately means saying goodbye to teammates who have contributed meaningfully to our mission and to building Cloudflare into one of the world’s most successful companies. We want to be clear that this decision is not a reflection of the individual work or talent of those leaving us. Instead, we are reimagining every internal process, team, and role across the company. Today’s actions are not a cost-cutting exercise or an assessment of individuals’ performance; they are about Cloudflare defining how a world-class, high-growth company operates and creates value in the agentic AI era. This is a moment we need to own as founders and leaders of the company. Matthew has personally sent out every offer letter we've extended. It is a practice he has always looked forward to because it represented our growth and the incredible talent joining our mission. It didn’t feel rig
On April 29, 2026, a Linux kernel local privilege escalation vulnerability was publicly disclosed under the name "Copy Fail" ( CVE-2026-31431 ). Cloudflare’s Security and Engineering teams began assessing the vulnerability as soon as it was disclosed. We reviewed the exploit technique, evaluated exposure across our infrastructure, and validated that our existing behavioral detections could identify the exploit pattern within minutes. There was no impact to the Cloudflare environment, no customer data was at risk, and no services were disrupted at any point. Read on to learn how our preparedness paid off. Background Our Linux kernel release process Cloudflare operates a global Linux server infrastructure at an immense scale, with datacenters located across 330 cities . We maintain a custom Linux kernel build based on the community's Long-Term Support (LTS) versions to manage updates effectively at this volume. At any given time, we may utilize multiple LTS versions from various series, such as 6.12 or 6.18, which benefit from extended update periods. The community regularly merges and releases security and stability updates which trigger an automated job to generate a new internal kernel build approximately every week. These builds undergo testing in our staging data centers to ensure stability before a global rollout. Following a successful release, the Edge Reboot Release (ERR) pipeline manages a systematic update and reboot of the edge infrastructure on a four-week cycle. Our control plane infrastructure typically adopts the most recent kernel, with reboots scheduled according to specific workload requir
Companies like Lovable, Base44, Replit, and Netlify use AI to let anyone build a web app in seconds—and in thousands of cases, spill highly sensitive data onto the public internet.
Wednesday, May 6
To stop children from bypassing its age checks, Meta is revamping its age-verification tools with an AI system that analyzes images and videos for “visual cues,” such as height and bone structure.
On May 5, 2026, at roughly 19:30 UTC, DENIC, the registry operator for the .de country-code top-level domain (TLD), started publishing incorrect DNSSEC signatures for the .de zone. Any validating DNS resolver receiving these signatures was required by the DNSSEC specification to reject them and return SERVFAIL to clients, including 1.1.1.1 , the public DNS resolver operated by Cloudflare. The country-code top-level domain for Germany, .de , is one of the largest on the Internet. On Cloudflare Radar , it consistently ranks among the most broadly queried TLDs globally. An outage at this level of the DNS hierarchy has the potential to make millions of domains unreachable. In this post, we’ll walk through what we saw, the impact of these events, and how we applied temporary mitigations while DENIC resolved the issue. How DNSSEC works DNSSEC (Domain Name System Security Extensions) adds cryptographic authentication to DNS. When a zone is signed with DNSSEC, each set of records is accompanied by a digital signature known as an RRSIG record that lets a resolver verify the records haven’t been tampered with. Unlike encrypted DNS protocols, such as DNS over TLS (DoT) and DNS over HTTPs (DoH), DNSSEC is about integrity, not privacy. The records are visible, but their authenticity can be proven. What makes DNSSEC unique is that the signatures travel together with the records they protect. This means int
The start of support for macOS malware analysis in MalChela...
It's not just you. Scammers, hackers, and other cybercriminals are complaining about “AI shit” flooding platforms where they discuss cyberattacks and other illegal activity.