Bug hiding in plain sight for over a decade lands on KEV list CISA is sounding the alarm on a newly-exploited Apache ActiveMQ bug, ordering federal agencies to patch within two weeks as attackers circle a flaw that's been quietly lurking for more than a decade.…
Cybersecurity News and Vulnerability Aggregator
Cybersecurity news aggregator
Updated: 8:00 am
J/K Navigate / Search S Save V Open Link
— or
treemd <(curl -sL https://allsec.sh/md) (as Markdown) Top Cybersecurity Stories Today
OpenAI says its safeguards “sufficiently reduce cyber risk” for now, while GPT-5.4-Cyber is a new cybersecurity-focused model.
Huntress is warning that threat actors are exploiting three recently disclosed security flaws in Microsoft Defender to gain elevated privileges in compromised systems. The activity involves the exploitation of three vulnerabilities that are codenamed BlueHammer (requires GitHub sign-in), RedSun, and UnDefend, all of which were released as zero-days by a researcher known as Chaotic Eclipse (
Microsoft warns that some Windows domain controllers are entering restart loops after installing the April 2026 security updates. [...]
A researcher known as "Chaotic Eclipse" has published a proof-of-concept exploit for a second Microsoft Defender zero-day, dubbed "RedSun," in the past two weeks, protesting how the company works with cybersecurity researchers. [...]
Latest
Saturday, April 18
AETHER: Prototype adaptive deception environment that generates dynamic decoys based on attacker behaviour
Built a prototype deception system called **AETHER** during a recent cybersecurity hackathon. The goal was to explore moving beyond static honeypots toward **behaviour-driven deception environments**. Core idea: * Capture attacker terminal interaction signals (commands, timing, directory traversal patterns) * Generate a behavioural profile of the attacker * Predict likely next actions * Dynamically generate decoy assets (files, services, directories) * Reinforcement loop adjusts deception strategy to maximize engagement The system essentially tries to create **adaptive deception environments tailored to the attacker’s interaction style**. Curious how practitioners here view behaviour-driven deception systems vs traditional honeypots. GitHub: [*https://github.com/gurarpitzz/AETHER-Smart-Honeypot*](https://github.com/gurarpitzz/AETHER-Smart-Honeypot) [*https://github.com/gurarpitzz/AETHER-Concept2*](https://github.com/gurarpitzz/AETHER-Concept2)
* [https://github.com/cispa/trevex](https://github.com/cispa/trevex) * [https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7053.html](https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7053.html) * [https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7050.html](https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7050.html)
Threat actors are exploiting security flaws in TBK DVR and end‑of‑life (EoL) TP-Link Wi-Fi routers to deploy Mirai-botnet variants on compromised devices, according to findings from Fortinet FortiGuard Labs and Palo Alto Networks Unit 42. The attack targeting TBK DVR devices has been found to exploit CVE-2024-3721 (CVSS score: 6.3), a medium-severity command injection vulnerability affecting
There was a very well made investigative research YouTube video going viral about a cybercrime action in relation to the DIY network 5 Minute Crafts. I just wanted to recommend it and it seems to have been taken down in the last 2 days. Does anyone know why? Legal issues? I can’t find any info from the creator. Here is a re upload of the video: https://www.youtube.com/watch?v=x3lrg2uyKqw
Friday, April 17
The Payouts King ransomware is using the QEMU emulator as a reverse SSH backdoor to run hidden virtual machines on compromised systems and bypass endpoint security. [...]
I’m the CTO & Co-Founder of Chainguard — Ask Me Anything about building and securing the software supply chain in the age of AI!
Hi Reddit, I'm [Matt Moore](https://github.com/mattmoor), CTO & Co-Founder at Chainguard. I've spent the better part of a decade obsessed with one idea: the default values you choose for how software gets built become pervasive, and most of them are wrong. After building and shipping open source infrastructure at Google, Microsoft, and VMware — including Knative, Tekton, GCR, ko, and distroless — I now focus on solving software supply chain security at scale. At Chainguard, we’re helping engineers build safely with AI. We’re the trust layer for your open source artifacts, protecting you from supply chain attacks. We know engineers are shipping code to production faster than ever, and the tooling they use to do so was never designed with supply chain integrity in mind. We didn't start Chainguard because this problem is easy…we started it because we ***thought*** it would be easy. (It is not. As we often say, “this sh\*t is hard.”) But that's what makes it worth doing. I’m here to answer your questions: about supply chain security, how we think about the problem, what we're building, agentic software factories, or anything else. AMA! **Who I Am** As CTO at Chainguard, I focus on: * Designing automated, policy-driven systems that continuously build and verify secure software * Eliminating production drift between what was built, what was tested, and what’s running * Rethinking software maintenance using AI and autonomous agents * Scaling secure open source consumption across thousands of artifacts At Chainguard, we’re building the next evolution of secure software delivery: an Agentic Factory (Factory 2.0) combined with Driftless infrastructure (DriftlessAF), all inside an AI-native organization. Looking forward to all of your questions -- comment below and I'll address them live on Tuesday, April 21 @ 12pm ET! **Links & Resources:** [Learn more about Chainguard’s Factory 2.0 (DriftlessAF)](https://www.chainguard.dev/unchained/driftlessaf-introducing-chainguard-factory-2-0)
I need help i need someone expert in reverse engineering that can help me in play game again that servers shoutdown
Bug hiding in plain sight for over a decade lands on KEV list CISA is sounding the alarm on a newly-exploited Apache ActiveMQ bug, ordering federal agencies to patch within two weeks as attackers circle a flaw that's been quietly lurking for more than a decade.…
* 7-11 (the gas station) * Pitney Bowes * Medronic PLC * The Canada Life Assurance Company * Zara * Carnival Corporation & PLC (yes the cruise people) * Aman Resorts screenshot from their DLS: [https://i.imgur.com/DBuLMoJ.png](https://i.imgur.com/DBuLMoJ.png)
Or, how public information and a €5 tracker exposed an avoidable opsec lapse Militaries around the world spend countless hours training, developing policies, and implementing best operational security practices, so imagine the size of the egg on the face of the Dutch navy when journalists managed to track one of its warships for less than the cost of some hagelslag and a coffee.…
CVE-2026-33825 deep-dive: The researcher commented out the full credential dump. Here's what that means.
Most writeups of BlueHammer describe what it does. I read the actual PoC (FunnyApp.cpp, \~100KB of C++) and the most important line isn't in the oplock setup, the NT object namespace redirect, or the Cloud Files freeze. It's a comment. The filestoleak array ships with one target active and two commented out: const wchar\_t\* filestoleak\[\] = { {L"\\\\Windows\\\\System32\\\\Config\\\\SAM"} /\*,{L"\\\\Windows\\\\System32\\\\Config\\\\SYSTEM"},{L"\\\\Windows\\\\System32\\\\Config\\\\SECURITY"}\*/ }; SAM alone is a partial dump. The hashes are encrypted with the boot key — which lives in SYSTEM. Without SYSTEM you have ciphertext. With SAM + SYSTEM you have NTLM hashes you can pass-the-hash or crack offline. SECURITY adds LSA secrets: service account credentials, cached domain logon hashes, DPAPI master keys. The complete credential package is two uncommented lines away from the published PoC. The author wrote both lines and chose what to ship.
Kyrgyzstan-based cryptocurrency exchange Grinex has suspended its operations after suffering a $13.7 million hack attributed to Western intelligence agencies. [...]
A post-midnight revolt in the House sank the White House's efforts to extend Section 702—a spy program the FBI has used to look into members of Congress, protesters, and political donors.
In cybercrime markets, trust isn't assumed, it's verified. Flare reveals how underground guides teach actors to evaluate carding shops based on data quality, reputation, and survivability. [...]
Huntress is warning that threat actors are exploiting three recently disclosed security flaws in Microsoft Defender to gain elevated privileges in compromised systems. The activity involves the exploitation of three vulnerabilities that are codenamed BlueHammer (requires GitHub sign-in), RedSun, and UnDefend, all of which were released as zero-days by a researcher known as Chaotic Eclipse (
Two weeks ago, Google’s Quantum AI group published a zero-knowledge proof of a quantum circuit so optimized, they concluded that first-generation quantum computers will break elliptic curve cryptography keys in as little as 9 minutes. Today, Trail of Bits is publishing our own zero-knowledge proof that significantly improves Google’s on all metrics. Our result is not due to some quantum breakthrough, but rather the exploitation of multiple subtle memory safety and logic vulnerabilities in Google’s Rust prover code. Google has patched their proof, and their scientific claims are unaffected, but this story reflects the unique attack surface that systems introduce when they use zero-knowledge proofs. Google’s proof uses a zero-knowledge virtual machine (zkVM) to calculate the cost of a quantum circuit on three key metrics. The total number of operations and Toffoli gate count represent the running time of the circuit, and the number of qubits represents the memory requirements. Google, along with their coauthors from UC Berkeley, the Ethereum Foundation, and Stanford, published proofs for two circuits; one minimizes the number of gates, and the other minimizes qubits. Our proof improves on both. Resource Type Google’s Low-Gate
Google this week announced a new set of Play policy updates to strengthen user privacy and protect businesses against fraud, even as it revealed it blocked or removed over 8.3 billion ads globally and suspended 24.9 million accounts in 2025. The new policy updates relate to contact and location permissions in Android, allowing third-party apps to access the contact lists and a user's location in
University student says he plans to move to Android, but concedes iOS engineers acting fast Apple is finally working on a fix for a bug that has locked some users out of their iPhones for months, The Register understands.…
Famously vengeful Knicks owner Jim Dolan has long spied on people at his iconic arenas. WIRED goes deep inside the operation that allegedly tracked a trans woman, lawyers, protesters, and more.
Microsoft warns that some Windows domain controllers are entering restart loops after installing the April 2026 security updates. [...]
The National Institute of Standards and Technology (NIST) has announced changes to the way it handles cybersecurity vulnerabilities and exposures (CVEs) listed in its National Vulnerability Database (NVD), stating it will only enrich those that fulfil certain conditions owing to an explosion in CVE submissions. "CVEs that do not meet those criteria will still be listed in the NVD but will not
23-year-old Kamerin Stokes of Memphis, Tennessee, was sentenced to 30 months in prison for selling access to tens of thousands of hacked DraftKings accounts. [...]
Pause your Mythos panic because mainstream models anyone can use already pick holes in popular software Anthropic withheld its Mythos bug-finding model from public release due to concerns that it would enable attackers to find and exploit vulnerabilities before anyone could react.…
An international law enforcement operation has taken down 53 domains and arrested four people in connection with commercial distributed denial-of-service (DDoS) operations that were used by more than 75,000 cybercriminals. The ongoing effort, dubbed Operation PowerOFF, disrupted access to the DDoS-for-hire services, took down the technical infrastructure supporting them, and obtained access to
Thursday, April 16
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite I love cutting-edge tech, but I hate hyperbole, so I find AI to be a real paradox. Somewhere in that whole mess of overnight influencers, disinformation and ludicrous claims is some real "gold" - AI stuff that's genuinely useful and makes a meaningful difference. This blog post cuts straight to the good stuff, specifically how you can use AI with Have I Been Pwned to do some pretty cool things. I'll be showing examples based on OpenClaw running on the Mac Mini in the hero shot, but they're applicable to other agents that turn HIBP's data into more insightful analysis. So, let me talk about what you can do right now, what we're working on and what you'll be able to do in the future. Model Context Protocol (MCP) A quick MCP primer first: Anthropic came up with the idea of building a protocol that could connect systems to AI apps, and thus the Model Context Protocol was born: Using MCP, AI applications like Claude or ChatGPT can connect to data sources (e.g. local files, databases), tools (e.g. search engines, calculators) and workflows (e.g. specialized prompts)—enabling them to access key information and perform tasks. If I'm honest, I'm a bit on the fence as to how useful this really is ( and I'm not alone ), but creating it was a
Bug or feature? A design flaw – or expected behavior based on a bad design choice, depending on who is telling the story – baked into Anthropic's official Model Context Protocol (MCP) puts as many as 200,000 servers at risk of complete takeover, according to security researchers.…
The latest wave of "Operation PowerOFF," on April 13, 2026, targeted the distributed denial-of-service (DDoS) ecosystem and its users across 21 countries. [...]
A new malware called ZionSiphon, specifically designed for operational technology, is targeting water treatment and desalination environments to sabotage their operations. [...]
Two day intrusion. RDP brute force with a company specific wordlist, Cobalt Strike, and a custom Rust exfiltration platform (RustyRocket) that connected to over 6,900 unique Cloudflare IPs over 443 to pull data from every reachable host over SMB. Recovered the operator README documenting three operating modes and a companion pivoting proxy for segmented networks. Personalized extortion notes addressed by name to each employee with separate templates for leadership and staff. Writeup includes screen recordings of the intrusion, full negotiation chat from their Tor portal, timeline, and IOCs.
A researcher known as "Chaotic Eclipse" has published a proof-of-concept exploit for a second Microsoft Defender zero-day, dubbed "RedSun," in the past two weeks, protesting how the company works with cybersecurity researchers. [...]
HAProxy HTTP/3 -> HTTP/1 Desync: Cross-Protocol Smuggling via a Standalone QUIC FIN (CVE-2026-33555)
u/albinowax ’s work on request smuggling has always inspired me. I’ve followed his research, watched his talks at DEFCON and BlackHat, and spent time experimenting with his labs and tooling. Coming from a web security background, I’ve explored vulnerabilities both from a black-box and white-box perspective — understanding not just how to exploit them, but also the exact lines of code responsible for issues like SQLi, XSS, and broken access control. Request smuggling, however, always felt different. It remained something I could detect and exploit… but never fully trace down to its root cause in real-world server implementations. A few months ago, I decided to go deeper into networking and protocol internals, and now, months later, I can say that I “might” have figured out how the internet works😂 This research on HAProxy (HTTP/3, standalone mode) is the result of that journey — finally connecting the dots between protocol behavior and the actual code paths leading to the bug. (Yes, I used AI 😉 )
Available for free to any company that wants to use it, the “completely anonymous” app puts the pressure on porn sites and social media platforms to start blocking access by minors.
Social engineering: 'low-cost, hard to patch, and scales well' North Korean criminals set on stealing Apple users' credentials and cryptocurrency are using a combination of social engineering and a fake Zoom software update to trick people into manually running malware on their own computers, according to Microsoft.…
Cybersecurity researchers have warned of an active malicious campaign that's targeting the workforce in the Czech Republic with a previously undocumented botnet dubbed PowMix since at least December 2025. "PowMix employs randomized command-and-control (C2) beaconing intervals, rather than persistent connection to the C2 server, to evade the network signature detections," Cisco Talos
Hackers are exploiting a critical vulnerability in Marimo reactive Python notebook to deploy a new variant of NKAbuse malware hosted on Hugging Face Spaces. [...]
Google says it is increasingly using its Gemini AI models to detect and block harmful ads on its advertising platforms, as scammers and threat actors continue to evolve their tactics to evade detection. [...]
Fortune 500 companies and one US defense contractor got taken for $5m in four-year scam Two Americans have been jailed for a combined 200 months for helping North Korea generate $5 million through fraudulent IT worker schemes.…
A new cybercrime platform called ATHR can harvest credentials via fully automated voice phishing attacks that use both human operators and AI agents for the social engineering phase. [...]
AI-powered SOC tools promise automation, but most only speed up triage instead of reducing real workload. Tines shows how real gains come from end-to-end workflows that execute actions across systems, not just summarize alerts. [...]
ThreatsDay Bulletin: Defender 0-Day, SonicWall Brute-Force, 17-Year-Old Excel RCE and 15 More Stories
You know that feeling when you open your feed on a Thursday morning and it's just... a lot? Yeah. This week delivered. We've got hackers getting creative in ways that are almost impressive if you ignore the whole "crime" part, ancient vulnerabilities somehow still ruining people's days, and enough supply chain drama to fill a season of television nobody asked for. Not
Forged metadata made AI reviewer treat hostile changes as though they came from known maintainer Security boffins say Anthropic's Claude can be tricked into approving malicious code with just two Git commands by spoofing a trusted developer's identity.…
I submitted an earlier version of this dataset and was declined on the basis of missing methodology and unverifiable provenance. The feedback was fair. The documentation has since been rewritten to address it directly, and I would very much appreciate a second look. ## What the dataset contains 101,032 samples in total, balanced 1:1 attack to benign. **Attack samples (50,516)** across 27 categories sourced from over 55 published papers and disclosed vulnerabilities. Coverage spans: - Classical injection - direct override, indirect via documents, tool-call injection, system prompt extraction - Adversarial suffixes - GCG, AutoDAN, Beast - Cross-modal delivery - text with image, document, audio, and combined payloads across three and four modalities - Multi-turn escalation - Crescendo, PAIR, TAP, Skeleton Key, Many-shot - Emerging agentic attacks - MCP tool descriptor poisoning, memory-write exploits, inter-agent contagion, RAG chunk-boundary injection, reasoning-token hijacking on thinking-trace models - Evasion techniques - homoglyph substitution, zero-width space insertion, Unicode tag-plane smuggling, cipher jailbreaks, detector perturbation - Media-surface attacks - audio ASR divergence, chart and diagram injection, PDF active content, instruction-hierarchy spoofing **Benign samples (50,516)** are drawn from Stanford Alpaca, WildChat, MS-COCO 2017, Wikipedia (English), and LibriSpeech. The benign set is matched to the surface characteristics of the attack set so that classifiers must learn genuine injection structure rather than stylistic artefacts. ## Methodology The previous README lacked this section entirely. The current version documents the following: 1. **Scope definition.** Prompt injection is defined per Greshake et al. and OWASP LLM01 as runtime text that overrides or redirects model behaviour. Pure harmful-content requests without override framing are explicitly excluded. 2. **Four-layer construction.** Hand-crafted seeds, PyRIT template expansion, cross-modal delivery matrix, and matched benign collection. Each layer documents the tool used, the paper referenced, and the design decision behind it. 3. **Label assignment.** Labels are assigned by construction at the category level rather than through per-sample human review. This is stated plainly rather than overclaimed. 4. **Benign edge-case design.** The ten vocabulary clusters used to reduce false positives on security-adjacent language are documented individually. 5. **Quality control.** Deduplication audit results are included: zero duplicate texts in the benign pool, zero benign texts appearing in attacks, one documented legacy duplicate cluster with cause noted. 6. **Known limitations.** Six limitations are stated explicitly: text-based multimodal representation, hand-crafted seed counts, English-skewed benign pool, no inter-rater reliability score, ASR figures sourced from original papers rather than re-measured, and small v4 seed counts for emerging categories. ## Reproducibility Generators are deterministic (`random.seed(42)`). Running them reproduces the published dataset exactly. Every sample carries `attack_source` and `attack_reference` fields with arXiv or CVE links. A reviewer can select any sample, follow the citation, and verify that the attack class is documented in the literature. ## Comparison to existing datasets The README includes a comparison table against deepset (500 samples), jackhhao (2,600), Tensor Trust (126k from an adversarial game), HackAPrompt (600k from competition data), and InjectAgent (1,054). The gap this dataset aims to fill is multimodal cross-delivery combinations and emerging agentic attack categories, neither of which exists at scale in current public datasets. ## What this is not To be direct: this is not a peer-reviewed paper. The README is documentation at the level expected of a serious open dataset submission - methodology, sourcing, limitations, and reproducibility - but it does not replace academic publication. If that bar is a requirement for r/netsec specifically, that is reasonable and I will accept the feedback. ## Links - GitHub: https://github.com/Josh-blythe/bordair-multimodal - Hugging Face: https://huggingface.co/datasets/Bordair/bordair-multimodal I am happy to answer questions about any construction decision, provide verification scripts for specific categories, or discuss where the methodology falls short.
Publisher claims misconfigured Salesforce-hosted page leaked data Textbook giant McGraw Hill has landed on a ransomware crew's leak site after an alleged Salesforce-linked misconfiguration spilled 13.5 million records into the wild.…
Cisco has announced patches to address four critical security flaws impacting Identity Services and Webex Services that could result in arbitrary code execution and allow an attacker to impersonate any user within the service. The details of the vulnerabilities are below - CVE-2026-20184 (CVSS score: 9.8) - An improper certificate validation in the integration of single sign-on (SSO)
A "novel" social engineering campaign has been observed abusing Obsidian, a cross-platform note-taking application, as an initial access vector to distribute a previously undocumented Windows remote access trojan called PHANTOMPULSE in attacks targeting individuals in the financial and cryptocurrency sectors. Dubbed REF6598 by Elastic Security Labs, the activity has been found to leverage
Just migrate already, would you? But if you can't, Redmond will take your cash Microsoft will keep delivering security updates for old versions of Exchange Server and Skype for Business Server, after admitting that some customers aren't ready to make the move to newer products.…
Your cybersecurity is only as good as the physical security of the servers PWNED Welcome back to Pwned, the column where we immortalize the worst vulns that organizations opened up for themselves. If you’re the kind of person who leaves your car doors unlocked with a pile of cash in the center console, this week’s story is for you.…
The Computer Emergencies Response Team of Ukraine (CERT-UA) has disclosed details of a new campaign that has targeted governments and municipal healthcare institutions, mainly clinics and emergency hospitals, to deliver malware capable of stealing sensitive data from Chromium-based web browsers and WhatsApp. The activity, which was observed between March and April
Browser fingerprinting is everywhere Google markets its Chrome browser by citing its superior safety features, but according to privacy consultant Alexander Hanff, Chrome does not protect against browser fingerprinting – a method of tracking people online by capturing technical details about their browser.…
Understanding npm and the importance of dependency cooldowns.
Wednesday, April 15
Like the majority of the companies participating, it remains a mystery Last week, Anthropic surprised the world by declaring that its latest model, Mythos, is so good at finding vulns that it would create chaos if released. Now, under the title of Project Glasswing, over 50 selected companies and orgs are allowed to test the hyped up LLM to find security holes in their own products. But just how many problems have they really discovered?…
What Are Shadow Admins in AD? A common problem we encounter within many customer Active Directory environments are accounts that, at first glance, may appear innocuous, but that actually have hidden administrative privileges or unrolled privileges equivalent to those of a domain administrator account. We call these accounts shadow domain admins. These accounts don’t show up when you run the net group domain admins command. They won’t appear in your PAM solution’s audit reports. But an attacker who finds one has effectively won the domain. Over the past several years, the problem has gotten significantly worse as organizations undergo digital transformation. Workloads are migrating to AWS and Azure, identity is being federated to the cloud via ADFS, and domain controllers are running as virtual machines on ESXi. The blast radius of a single compromised account now extends well beyond the traditional Active Directory boundary. A shadow admin path in 2016 might have been a service account with an overly permissive ACL. In 2026, it’s an ADFS server running on a hypervisor managed by a VMware admin who doesn’t even know they’re one hop from domain admin, and two hops from your entire AWS environment. In this post, we’ll walk through several real-world examples we routinely discover during engagements and show how Praetorian Guard’s continuous attack path mapping surfaces them before an adversary does. ADFS Servers and the Federation Layer If your organization federates identity to cloud providers using Active Directory Federation Services (ADFS), you’ve almost certainly heard of the Golden SAML technique that was exploited in the SolarWinds (Solorigate) attack. The ADFS server h
No reports of active exploitation (yet) Watch out for more Fortinet vulns! Two critical bugs in Fortinet's sandbox could allow unauthenticated attackers to bypass authentication or execute unauthorized code on vulnerable systems.…
Threat actors have been observed weaponizing n8n, a popular artificial intelligence (AI) workflow automation platform, to facilitate sophisticated phishing campaigns and deliver malicious payloads or fingerprint devices by sending automated emails. "By leveraging trusted infrastructure, these attackers bypass traditional security filters, turning productivity tools into delivery
Some customer orgs tell staff to block inbound email from the provider Autovista confirms that it called in outside support to help clean up a ransomware infection currently affecting systems in Europe and Australia.…
Latest in a string of cases that have earned France an unfortunate title A mother and her ten-year-old son are now free after being kidnapped for around 20 hours while the father was being extorted for hundreds of thousands of euros.…
A recently disclosed critical security flaw impacting nginx-ui, an open-source, web-based Nginx management tool, has come under active exploitation in the wild. The vulnerability in question is CVE-2026-33032 (CVSS score: 9.8), an authentication bypass vulnerability that enables threat actors to seize control of the Nginx service. It has been codenamed MCPwn by Pluto Security. "
Vuln old enough to drive lands on CISA's exploited list While Microsoft was rolling out its bumper Patch Tuesday updates this week, US cybersecurity agency CISA was readying an alert about a 17-year-old critical Excel flaw now under exploit.…
Command prefix will require password by default The latest version of Raspberry Pi OS now requires a password for sudo by default.…
Few technologies have moved from experimentation to boardroom mandate as quickly as AI. Across industries, leadership teams have embraced its broader potential, and boards, investors, and executives are already pushing organizations to adopt it across operational and security functions. Pentera’s AI Security and Exposure Report 2026 reflects that momentum: every CISO surveyed
Open Rights Group says years of reliance on US giants have left Britain exposed Britain has spent years wiring its public sector into US Big Tech, and a new report says that dependence could quickly become a national security headache.…
An analysis by WIRED and Indicator found nearly 90 schools and 600 students around the world impacted by AI-generated deepfake nude images—and the problem shows no signs of going away.
OpenAI on Tuesday unveiled GPT-5.4-Cyber, a variant of its latest flagship model, GPT‑5.4, that's specifically optimized for defensive cybersecurity use cases, days after rival Anthropic unveiled its own frontier model, Mythos. "The progressive use of AI accelerates defenders – those responsible for keeping systems, data, and users safe – enabling them to find and fix problems
Tuesday, April 14
Microsoft today pushed software updates to fix a staggering 167 security vulnerabilities in its Windows operating systems and related software, including a SharePoint Server zero-day and a publicly disclosed weakness in Windows Defender dubbed “ BlueHammer .” Separately, Google Chrome fixed its fourth zero-day of 2026, and an emergency update for Adobe Reader nixes an actively exploited flaw that can lead to remote code execution. Redmond warns that attackers are already targeting CVE-2026-32201 , a vulnerability in Microsoft SharePoint Server that allows attackers to spoof trusted content or interfaces over a network. Mike Walters , president and co-founder of Action1 , said CVE-2026-32201 can be used to deceive employees, partners, or customers by presenting falsified information within trusted SharePoint environments. “This CVE can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further compromise,” Walters said. “The presence of active exploitation significantly increases or
Crow-eye v0.9.0 is out! Now with Direct Forensic Image Parsing, a rebuilt Timeline, and full Linux support.
Hey everyone! we just released version 0.9.0 of Crow-eye, and it brings some major updates we've been working hard on. A big focus for us in this version was removing the friction of dealing with forensic images. We actually added direct support for analyzing images right inside Crow-eye, so you don't need any other mounting software to get started. You can just point it at the image and let it parse. Right now we support parsing directly from: \* E01 / Ex01 \* VHDX / VHD \* VMDK \* ISO \* Raw / DD We also decided it was time to move on from the old timeline prototype. We built a brand new version of the Timeline Visualization from the ground up, making it way easier to correlate everything and actually see the full picture in one place. https://preview.redd.it/t22zt7ty68vg1.png?width=3439&format=png&auto=webp&s=7d5bc5f51cb0e93029ce0641813636a068ba3d58 And finally, something a lot of people asked for: Crow-eye is now completely cross-platform! We updated all the parsers so they no longer depend on Windows APIs for offline artifacts. This means you can now run it natively on Linux to parse offline artifacts and process those forensic images without needing a Windows machine. GitHub : [https://github.com/Ghassan-elsman/Crow-Eye](https://github.com/Ghassan-elsman/Crow-Eye) Let me know how it runs for you, what you think of the new timeline, or if you run into any bugs or issues!
Hello, I downloaded a sample from Malwarebazaar. It was a .bat file around 208.38 KB. I set it up into [AnyRun](https://any.run), and started the analysis. \--- **Threat Type:** XWorm v6.5 (RAT) + Stealer sold as Malware-as-a-Service. Capabilities include credential theft, keylogging, screenshot capture, file exfiltration, and hijacking of crypto wallets and accounts. **Execution Process:** 1. `.bat` file runs -> checks for sandbox using `findstr.exe` 2. Uses `certutil.exe` to Base64-decode an embedded payload 3. `cscript.exe` executes decoded VBScript, dropping `svchost.exe` (fake) to %TEMP% 4. Payload launches, copies itself to `%APPDATA%\main.exe` and the startup folder for persistence 5. Connects to C2 and sends system fingerprint via Telegram Bot API # IOCs **Dropper SHA256:** dea6cfb3234780ceeea718787e027cc6d2de18cfead1f8cc234e0ad268987868 **Dropped Payload SHA256:** 7f2b0ffbc5b149b4f9858589763bacdebf63ea1b3a00532e9278d613f75462ea * **C2:** `23.160(.)168.174:3212` * **AES Key:** `<666666>` * **Mutex:** `XUH24Sz2TPub4OF4` * **USB drop name:** `XWorm V6.5 by c3lestial(.)fun` Full Analysis: [https://app.any.run/tasks/1cd22443-8259-49c0-8e6e-a0ca93b0371c](https://app.any.run/tasks/1cd22443-8259-49c0-8e6e-a0ca93b0371c)
OpenAI says its safeguards “sufficiently reduce cyber risk” for now, while GPT-5.4-Cyber is a new cybersecurity-focused model.
The UK designated Xinbi Guarantee as an enabler of crypto scammers and human trafficking weeks ago. Telegram is still hosting it in plain sight.
Two high-severity security vulnerabilities have been disclosed in Composer, a package manager for PHP, that, if successfully exploited, could result in arbitrary command execution. The vulnerabilities have been described as command injection flaws affecting the Perforce VCS (version control software) driver. Details of the two flaws are below - CVE-2026-40176 (CVSS
Internal emails obtained by WIRED reveal how a conservative legal group with a direct line into FCC chairman Brendan Carr’s office built the case against Jimmy Kimmel and his employees.
When you hire an elite Red Team, you start with an implicit signal of their talent. You review their resumes, their standing within the research community, certifications with trusted vendors like OffSec and CREST. You assume they can navigate your specific tech stack and pivot through your environment. But in offensive security, assumptions are liabilities. […] The post Validating AI Pentesting with Explicit Signals from Synack Red Team appeared first on Synack .
Google has announced the integration of a Rust-based Domain Name System (DNS) parser into the modem firmware as part of its ongoing efforts to beef up the security of Pixel devices and push memory-safe code at a more foundational level. "The new Rust-based DNS parser significantly reduces our security risk by mitigating an entire class of vulnerabilities in a risky area, while also laying
This post is part of a small blog series covering common Entra ID security findings observed during real-world assessments. Each article explores selected findings in more detail to provide a clearer understanding of the underlying risks and practical implications. Part 1: Privileged Foreign Enterprise Applications Part 2: Privileged Unprotected Groups Part 3: Weak Privileged Identity Management Configuration Conditional Access Policies Conditional Access policies are among the most important security controls in Entra ID. As the name suggests, they define under which conditions access is allowed within a tenant. They are used to enforce protections such as MFA, restrict access based on device state or location, and apply stronger controls to sensitive applications or privileged accounts. At the same time, Conditional Access is a broad and complex topic. The
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite I'm starting to become pretty fond of Bruce. Actually, I've had a bit of an epiphany: an AI assistant like Bruce isn't just about auto-responding to tickets in an entirely autonomous manner; it's also pretty awesome at responding with just a little bit of human assistance. Charlotte and I both replied to some tickets today that were way too specific for Bruce to ever do on his own, but by feeding in just a little bit of additional info (such as the number of domains someone was presently monitoring), Bruce was able to construct a really good reply and "own" the ticket. So maybe that's the sweet spot: auto-reply to the really obvious stuff and then take just a little human input on everything else.
Monday, April 13
The current version of RAGFlow, a widely-deployed Retrieval Augmented Generation solution, contains a post-auth vulnerability that allows for arbitrary code execution. This post includes a POC, walkthrough and patch. The TL;DR is to make sure your RAGFlow instances aren't on the public internet, that you have the minimum number of necessary users, and that those user accounts are protected by complex passwords. (This is especially true if you're using Infinity for storage.)
More than 70 organizations, including the ACLU, EPIC, and Fight for the Future, say the AI smart glasses feature would endanger abuse victims, immigrants, and LGBTQ+ people.
Root cause: the $forbiddenphpstrings blocklist is only enforced in blacklist mode -> the default whitelist mode never touches it. The whitelist regex is also blind to PHP dynamic callable syntax (('exec')('cmd')). Either bug alone limits impact; together they reach OS command execution. Coordinated disclosure - patch available as of 4/4/2026.
Undisclosed number of names and contact and reservation details accessed in latest cybercrime attempt The accommodation reservation website Booking.com has suffered a data breach with “unauthorised parties” gaining access to customers’ details. The platform said it “noticed some suspicious activity involving unauthorised third parties being able to access some of our guests’ booking information”. Continue reading...
To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.
Introducing the Glasswing-Readiness Assessment In my last post, we looked at the emergence of Anthropic’s Mythos and how it has collapsed the exploit timeline from weeks to days. But once you accept that the speed of the adversary has changed, a more difficult question remains for security leaders: What do we actually do now? The […] The post Become Mythos-Ready and Close the AI Coverage Gap with Synack appeared first on Synack .
Sunday, April 12
drakoarmy/akamai-vm-reverse: Decompiled and cleaned Akamai v3 VM powering the latest sensor_data challenge script.
Saturday, April 11
Project RVBBIT: An educational Linux kernel rootkit demonstrating modern stealth (DKOM, eBPF bypass, syscall hooking)
Plus: Iran’s internet blackout hits the 1,000-hour mark, cryptocurrency scams result in a record amount of money stolen from Americans, and more.
From AI-generated images to restricted satellite data, the systems used to verify what’s real online are struggling to keep up.