The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a recently disclosed security flaw impacting various Linux distributions to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerability, tracked as CVE-2026-31431 (CVSS score: 7.8), is a case of local privilege escalation (LPE) flaw that could allow an
Cybersecurity News and Vulnerability Aggregator
Cybersecurity news aggregator
Updated: 2:20 pm
J/K Navigate / Search S Save V Open Link
— or
treemd <(curl -sL https://allsec.sh/md) (as Markdown) Top Cybersecurity Stories Today
Mini Shai-Hulud caught spreading credential-stealing malware The wave of supply chain attacks aimed at security and developer tools has washed up more victims, namely SAP and Intercom npm packages, plus the lightning PyPI package.…
Microsoft has confirmed that Windows 11 is getting a new modern Run dialog with dark mode support and faster performance in a new preview build. [...]
The U.S. Department of Justice (DoJ) on Thursday announced the sentencing of two cybersecurity professionals to four years each in prison for their role in facilitating BlackCat ransomware attacks in 2023. Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, were accused of deploying the ransomware against multiple victims located throughout the U.S. between April and December 2023.
Emergency patches out now for those managing the millions of domains assumed to be affected Emergency patches are available for a critical vulnerability in cPanel and WHM that allows attackers to bypass authentication and gain root access to servers managed using it.…
Latest
Sunday, May 3
Cybersecurity researchers have uncovered a large-scale fraud operation that uses Telegram's Mini App feature to run crypto scams, impersonate well-known brands, and distribute Android malware. [...]
DigiCert is not a tiny company, with well over 1000 employees. The company is not in bad shape financially, as by its own account, "DigiCert...announced a record-breaking Q4 for FY2025." ([Link](https://www.digicert.com/news/digicert-achieves-record-growth-in-fy2025)). As a public certificate authority, many of its long-lasting certificates ship on consumer devices by default. Why are companies like DigiCert **still** not using free application allow-listing solutions like AppLocker and App Control for Business (WDAC)? ([Link](https://bugzilla.mozilla.org/show_bug.cgi?id=2033170)) >Threat actor engages user on ENDPOINT1 via support chat, repeatedly sending malicious ZIP file attachments presented as customer screenshots. > >ENDPOINT1 opens malicious file. Initial execution of k3.exe and related binaries from AppData and Public directories. Of course, DigiCert points to a CrowdStrike malfunction: >CrowdStrike support confirms ENDPOINT2 sensor gap. Nonetheless, the fact remains that an application allowlist would have almost certainly prevented this issue. We need to stop pretending AppLocker and/or App Control for Business are some extremely high bars to meet; they are becoming the expected minimum, especially in high-stakes organizations that impact the rest of us.
There is a missing authorization and data-masking gap in Argo CD's ServerSideDiff endpoint that allows an attacker with read-only access to extract plaintext Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. Details: https://github.com/argoproj/argo-cd/security/advisories/GHSA-3v3m-wc6v-x4x3
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a recently disclosed security flaw impacting various Linux distributions to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerability, tracked as CVE-2026-31431 (CVSS score: 7.8), is a case of local privilege escalation (LPE) flaw that could allow an
Saturday, May 2
A new disclosed cPanel flaw tracked as CVE-2026-41940 is being mass-exploited to breach websites and encrypt data in "Sorry" ransomware attacks. [...]
*As one tends to do on Saturday mornings with coffee in hand, I was reviewing two samples that were attributed to the LunaStealer / LunaGrabber family. Originally I was validating that* `tiquery` *was working with the MCP configuration, however what started as a quick TI check turned into a full static analysis session — and it gave me a good opportunity to put the MalChela MCP integration through its paces in a real workflow. This post walks through how that investigation unfolded, what the pivot points were, and what we found at the bottom of the rabbit hole.*
I genuinely think for the majority of appsec mythos is not needed. From my observations and consulting experience maximum software is a different flavour of the same base system - ecommerce, social media etc etc. and all the bug classes are invariants of each other. I experimented shit ton with Chinese models and they genuinely can find things SOTA can albeit at super slow processing rate and require the context curation upstream to be very well designed.[https://www.hacktron.ai/blog/why-mythos-doesnt-matter-for-us](https://www.hacktron.ai/blog/why-mythos-doesnt-matter-for-us)
A new attack type, dubbed ConsentFix v3, has been circulating on hacker forums, building on the previous technique by adding automation and scaling potential. [...]
I’ve been looking at phishing resistance around UK government domains, especially in the context of HMRC impersonation, and found something I thought this sub might find interesting. When querying TXT records for undelegated / non-existent gov.uk domains, the namespace appears to return email authentication records anyway. For example: dig TXT randomstring.gov.uk returns: randomstring.gov.uk. 1800 IN TXT "v=DMARC1;p=reject;rua=mailto:govuk-rua@dmarc.service.gov.uk" randomstring.gov.uk. 1800 IN TXT "v=spf1 ?all" If this is intentional, it’s a pretty powerful defensive pattern. The usual anti-spoofing controls protect domains you own and operate. But attackers often abuse names that do not exist yet, for example: hmrc-tax-refund.gov.uk secure-hmrc-payment.gov.uk randomstring.gov.uk If those domains are undelegated and return no DNS, there’s normally no SPF or DMARC policy for receivers to evaluate. In this case, gov.uk seems to be closing that gap by making undelegated direct subdomains signal “don’t trust mail from here”. I haven’t found public documentation from GDS, NCSC, or others describing this as a namespace-level anti-phishing control, so I’m curious whether anyone has seen it documented or knows more about the implementation. A few observations: * This seems to apply to direct \*.gov.uk names. * I didn’t see the same behaviour for nhs.uk or gov.scot The broader point is that most organisations protect the domains they use. This looks like an attempt to protect the surrounding namespace too, which is a much more ambitious phishing defence. I wrote up the full notes here, including background on HMRC phishing and why this matters: [https://cybaa.io/blog/2026-04-27/gov-uk-namespace-spoofing-protection](https://cybaa.io/blog/2026-04-27/gov-uk-namespace-spoofing-protection) I would be interested to hear whether others have seen similar namespace-level SPF/DMARC handling elsewhere or any public information about gov.uk implementing this. After publishing this post in r/DMARC , a commenter pointed out an important flaw in the observed implementation. DMARC receivers do not look for policy at the domain itself. For mail using randomstring.gov.uk in the RFC5322.From header, the receiver queries the TXT records at \_dmarc.randomstring.gov.uk In this case, that lookup appears to return both an SPF record and a DMARC record: `_dmarc.randomstring.gov.uk. 1800 IN TXT "v=spf1 ?all"` `_dmarc.randomstring.gov.uk. 1800 IN TXT "v=DMARC1;p=reject;rua=mailto:govuk-rua@dmarc.service.gov.uk"` That SPF record should not be present at the \_dmarc node. SPF belongs at the domain being used for mail, while DMARC policy belongs under \_dmarc. Under RFC 7489, DMARC policy discovery queries TXT records at \_dmarc.<domain>, discards records that do not start with the current DMARC version tag, and then expects exactly one remaining DMARC policy record. If the remaining DMARC policy set contains multiple records or no records, policy discovery terminates and DMARC processing is not applied. So the underlying idea still appears to be a strong one: protect undelegated gov.uk names by giving receivers a clear anti-spoofing policy. But the wildcard-style implementation seems to be leaking the SPF response into the \_dmarc namespace as well. At best, that is operationally untidy and likely to trigger DMARC validation warnings. At worst, depending on receiver implementation, it could prevent the intended DMARC policy from being applied reliably. There is another possible explanation: this may have been a conscious trade-off rather than a simple mistake. A fully split implementation, where the base undelegated domain and its \_dmarc child return different wildcard TXT responses, is likely more complex to design, test and operate. If the team implementing this expected receiving mail providers to follow RFC 7489 strictly, then the stray SPF record under \_dmarc would be discarded before DMARC policy evaluation. In that world, the lower-cost implementation may have been judged acceptable because the risk only appears when a receiver, validator or security product is itself not handling DMARC discovery as the specification describes. It is also worth noting the SPF policy being returned here is \`v=spf1 ?all\`, not a hard fail policy. Under RFC 7208, a neutral SPF result must be treated exactly like an SPF "none" result. In practice, that means this SPF record does not provide meaningful blocking by itself. The enforcement signal is the DMARC \`p=reject\` policy, and the \`rua\` address means aggregate reports can be sent back to \`govuk-rua@dmarc.service.gov.uk\`. If this implementation is deliberate, one plausible objective is not just blocking spoofed mail, but gathering intelligence on which undelegated \`gov.uk\` names are being abused in the wild. The cleaner implementation would be to ensure that: \- randomstring.gov.uk returns only the SPF-related TXT response needed for SPF evaluation \- \_dmarc.randomstring.gov.uk returns exactly one valid DMARC policy record \- unrelated TXT records are not emitted below \_dmarc This does not undermine the broader defensive concept, but it does mean the current behaviour should not be treated as a perfect reference implementation.
Plus: The NSA tests Anthropic’s Mythos Preview to find vulnerabilities, a Finnish teen is charged over the Scattered Spider hacking spree, and more.
Britain's cyber agency says the bill for years of technical shortcuts is coming due, and it's arriving all at once Britain's cyber agency is warning that AI-fuelled bug hunting is about to flush out years of buried flaws, leaving defenders scrambling to keep up.…
Cybersecurity company Trellix has announced that it suffered a breach that enabled unauthorized access to a "portion" of its source code. It said it "recently identified" the compromise of its source code repository and that it began working with "leading forensic experts" to resolve the matter immediately. It also said it has notified law enforcement of the matter. Trellix did not disclose the
Microsoft has confirmed that Windows 11 is getting a new modern Run dialog with dark mode support and faster performance in a new preview build. [...]
Friday, May 1
Instructure, the company behind the widely used Canvas learning platform, has disclosed that it recently suffered a cybersecurity incident and is now investigating its impact. [...]
For vulnerability research, smaller models run repeatedly can outperform larger frontier models on cost-to-recall.
TL;DR: If a large model finds a 0-day with 90% probability, and a small model with 50% probability, but the small model costs 10x less, it is better to use the small model. We compared the cost and recall of various models in finding real, recent zero-days and found that for most applications, smaller models run repeatedly can significantly outperform larger frontier models on cost-to-recall. Disclaimer: I'm involved with Hacktron, the company that produced this research. This is a factual presentation of our benchmarks, which we hope the community can use to make informed decisions about models like Mythos.
Over the past two and a bit quarters, we've undertaken an intensive engineering effort, internally code-named " Code Orange: Fail Small ", focused on making Cloudflare's infrastructure more resilient, secure, and reliable for every customer. Earlier this month, the Cloudflare team finished this work. While improving resiliency will never be a “job done” and will always be a top priority across our development lifecycle, we have now completed the work that would have avoided the November 18, 2025 and December 5, 2025 global outages. This work focused on several key areas: safer configuration changes, reducing the impact of failure, and revising our “break glass” procedures and incident management. We also introduced measures to prevent drift and regressions over time, and strengthened the way we communicate to our customers during an outage. Here we explain in depth what we shipped, and what it means for you. Safer configuration changes What it means for you : In most cases, Cloudflare internal configuration changes no longer reach our network instantly and are instead rolled out progressively with real-time health monitoring. This allows our observability tools to catch problems and revert issues before they affect your traffic. In order to catch potentially dangerous deployments before they reach production, we've identified high-risk configuration pipelines, and built new tools to manage configuration changes better. For products that run on our network processing customer traffic and receive configuration changes, we no longer deploy these changes instantly across the
A newly discovered Vietnamese-linked operation has been observed using a Google AppSheet as a "phishing relay" to distribute phishing emails with an aim to compromise Facebook accounts. The activity has been codenamed AccountDumpling by Guardio, with the scheme selling the stolen accounts back through an illicit storefront run by the threat actors. In all, roughly 30,000 Facebook accounts are
French authorities have detained a 15-year-old suspected of selling data stolen in a cyberattack on France Titres (ANTS), the country's agency for issuing and managing administrative documents. [...]
MalChela v4.0 is out. The desktop GUI is gone — replaced by a PWA you can reach from any browser on the network. Battery-powered Pi on the table, iPad in hand, no keyboard required. The field kit finally makes sense.
BleepingComputer initially published a story about a new data breach at Instructure. Shortly after publication, we determined that the information was incorrect and primarily based on outdated details from a prior incident. The article has been retracted, and we regret the error. [...]
Cybersecurity researchers are warning of two cybercrime groups that are carrying out "rapid, high-impact attacks" operating almost within the confines of SaaS environments, while leaving minimal traces of their actions. The clusters, Cordial Spider (aka BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and Snarky Spider (aka O-UNC-025 and UNC6661), have been attributed to high-speed data theft and
While doing some analysis of Weedhack a remote access trojan/info stealer that uses the Ethereum block chain for C2 infrastructure. I was able to statically decode the eth\_call results to break back the C2 domain it pulls. So I vibe coded a git repository to query the smart contract, decode the results and display the current C2 domain. I'm currently a student so any sort of feedback would be greatly appreciated. The purpose behind this project is to provide an indicator of compromise for weedhack. https://github.com/MrFluent1/Weedhack-C2-Tracking
Raw threat intel isn't enough without real-world context. Criminal IP has partnered with Securonix to integrate exposure-based intelligence into ThreatQ, automating analysis and speeding up investigations. [...]
Cybersecurity researchers have disclosed details of a new China-aligned espionage campaign targeting government and defense sectors across South, East, and Southeast Asia, along with one European government belonging to NATO. Trend Micro has attributed the activity to a threat activity cluster it tracks under the temporary designation SHADOW-EARTH-053. The adversarial collective is assessed to
Exploitation was underway before patches landed, at least one victim reports ransomware demand CISA has added a critical cPanel bug to its known-exploited list, confirming that attackers are already poking holes in one of the internet's most widely used hosting stacks.…
When we first launched Workers eight years ago, it was a direct-to-developers platform. Over the years, we have expanded and scaled the ecosystem so that platforms could not only build on Workers directly, but they could also enable their customers to ship code to us through many multi-tenant applications. We now see on Workers: Applications where users describe what they want, and the AI writes the implementation. Multi-tenant SaaS where every customer's business logic is, at runtime, some TypeScript the platform has never seen before. Agents that write and run their own tools. CI/CD products where every repo defines its own pipeline. Last month, when we shipped the Dynamic Workers open beta , we gave those platforms a clean primitive for the compute side: hand the Workers runtime some code at runtime, get back an isolated, sandboxed Worker, on the same machine, in single-digit milliseconds. Durable Object Facets extended the same idea to storage — each dynamically-loaded app can have its own SQLite database, spun up on demand, with the platform sitting in front, as a supervisor. Artifacts did the same for source control : a Git-native, versioned filesystem you can create by the tens of millions, one per agent, one per session, one per tenant. So, we have dynamic deployment for storage and source control. What’s next? Today, we are bridging durable execution and dynamic deployment with Dynamic Workflows . The gap between durable and dynamic execution
Microsoft has fixed a known issue causing newly introduced Windows security warnings to display incorrectly when opening Remote Desktop (.rdp) files. [...]
Altman's crew now doing the same gatekeeping it recently mocked OpenAI is lining up a limited release of its new GPT-5.5-Cyber model to a handpicked circle of "cyber defenders," just weeks after taking a swipe at Anthropic for doing almost exactly the same thing.…
Microsoft has updated a Windows 11 in-box app removal policy introduced in October to include a dynamic list that lets IT admins choose which preinstalled Store apps to uninstall. [...]
313 Team tells Canonical: pay up or the packets keep coming Canonical says its web infrastructure is under attack after a pro-Iran hacktivist group instructed its members to target the open source giant.…
The managed security services market is projected to grow from $38.31 billion in 2025 to $69.16 billion by 2030[1], with cybersecurity being the fastest-growing sector[2]. Despite this opportunity, many MSPs leave revenue on the table because their go-to-market strategy fails to connect technical expertise with business needs. This execution gap is where most deals stall. MSPs often focus on
Microsoft has released the KB5083631 optional cumulative update for Windows 11, which includes 34 changes, such as a new Xbox mode for Windows PCs, enhanced security and performance for batch files, and performance improvements for launching startup apps. [...]
The U.S. Department of Justice (DoJ) on Thursday announced the sentencing of two cybersecurity professionals to four years each in prison for their role in facilitating BlackCat ransomware attacks in 2023. Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, were accused of deploying the ransomware against multiple victims located throughout the U.S. between April and December 2023.
A new software supply chain attack campaign has been observed using sleeper packages as a conduit to subsequently push malicious payloads that enabled credential theft, GitHub Actions tampering, and SSH persistence. The activity has been attributed to the GitHub account "BufferZoneCorp," which has published a set of repositories that are associated with malicious Ruby gems and Go modules. As of
Start date pushed back a year, annual cost up a third, and UK's now handing out eight million passports a year The Home Office has increased the annual value and overall duration of its new passport production contract, increasing it to a total of £576 million as it starts a third round of engagement with suppliers.…
Thursday, April 30
Mini Shai-Hulud caught spreading credential-stealing malware The wave of supply chain attacks aimed at security and developer tools has washed up more victims, namely SAP and Intercom npm packages, plus the lightning PyPI package.…
KnowBe4 says 86% of phishing it tracked used AI, and inboxes are only the start Give a man a phishing kit and he might get lucky a couple of times; teach an AI to phish and it'll change the landscape, if KnowBe4's latest phishing trends report is accurate.…
One alleged cyber contractor was extradited to the US over the weekend China's "hacker-for-hire ecosystem has gotten out of control," according to Brett Leatherman, assistant director of the FBI's cyber division.…
A new phishing kit named Bluekit offers more than 40 templates targeting popular services and includes basic AI features for generating campaign drafts. [...]
A Romanian national who led an online swatting ring that targeted more than 75 public officials, multiple journalists, and four religious institutions was sentenced to 4 years in federal prison. [...]
OpenAI is rolling out Advanced Account Security for people concerned that their ChatGPT or Codex accounts could be potential targets of phishing attacks.
This CVSS 10.0 RCE vuln has been patched, automatically for some, so better check those workflows If you use Gemini CLI, watch out: Google has patched a CVSS 10.0 vulnerability in its command-line AI tool and is warning anyone running it in headless mode, or through GitHub Actions, to review their workflows.…
Two computer crime allegations follow up to 18M lines of data surfacing online French prosecutors say police detained a 15-year-old on April 25 over the alleged theft of millions of records from France Titres (ANTS), the agency handling secure documents.…
The U.S. Federal Bureau of Investigation (FBI) warned the transportation and logistics industry of a sharp rise in cyber-enabled cargo theft, with estimated losses in the United States and Canada reaching nearly $725 million in 2025. [...]
A Brazilian tech firm that specializes in protecting networks from distributed denial-of-service (DDoS) attacks has been enabling a botnet responsible for an extended campaign of massive DDoS attacks against other network operators in Brazil, KrebsOnSecurity has learned. The firm’s chief executive says the malicious activity resulted from a security breach and was likely the work of a competitor trying to tarnish his company’s public image. An Archer AX21 router from TP-Link. Image: tp-link.com. For the past several years, security experts have tracked a series of massive DDoS attacks originating from Brazil and solely targeting Brazilian ISPs. Until recently, it was less than clear who or what was behind these digital sieges. That changed earlier this month when a trusted source who asked to remain anonymous shared a curious file archive that was exposed in an open directory online. The exposed archive contained several Portuguese-language malicious programs written in Python. It also included the private SSH authentication keys belonging to the CEO of Huge Networks , a Brazilian ISP that primarily offers DDoS protection to other Brazilian network operators. Founded in Miami, Fla. in 2014, Huge Networks’s operations are centered in Brazil. The company originated from protecting game servers against DDoS attacks and evolved into an ISP-focused DDoS mitigation provider. It does not appear in any public abuse complaints and is not associated with any known
While more than two-thirds of human-generated TLS traffic to Cloudflare is already protected by post-quantum cryptography, the world of site-to-site networking has been a different story. For years, the IPsec community remained caught between the high bar of Internet-scale interoperability and the niche requirements of specialized hardware. That gap is now closing. Earlier this month, we announced that Cloudflare has moved its target for full post-quantum security forward to 2029 , spurred by several recent advances in quantum computing. To advance that goal, we’ve made post-quantum encryption in Cloudflare IPsec generally available. Using the new IETF draft for hybrid ML-KEM ( FIPS 203 ), we’ve successfully tested interoperability with branch connectors from Fortinet and Cisco — meaning you can start protecting your wide-area network (WAN) against harvest-now-decrypt-later attacks today using hardware you already have. This post explains how we implemented the new hybrid IPsec handshake, why it took four years longer to land than its TLS counterpart, and how the industry is finally consolidating around a standard that works at Internet scale. Cloudflare IPsec Cloudflare IPsec is a WAN Network-as-a-Service that replaces leg
The internet is noisy this week. We are seeing some wild new tactics, like people using fake cell towers to send scam texts, while some developers are accidentally downloading tools that peek into their private files during a simple install. It is definitely a busy time to be online. Security is always a moving target. Millions of servers are currently sitting online without any passwords, and
Coding agents are great at building software. But to deploy to production they need three things from the cloud they want to host their app — an account, a way to pay, and an API token. Until now these have been tasks that humans handle directly. Increasingly, agents handle them on the user’s behalf. The agent needs to perform all the tasks a human customer can. They’re given higher-order problems to solve and choose to use Cloudflare and call Cloudflare APIs. Starting today, agents can provision Cloudflare on behalf of their users. They can create a Cloudflare account, start a paid subscription, register a domain, and get back an API token to deploy code right away. Humans can be in the loop to grant permission and must accept Cloudflare's terms of service, but no human steps are otherwise required from start to finish. There’s no need to go to the dashboard, copy and paste API tokens, or enter credit card details. Without any extra setup, agents have everything they need to deploy a new production application in one shot. And with Cloudflare’s Code Mode MCP server and Agent Skills , they’re even better at it. This all works via a new protocol that we’ve co-designed with Stripe as part of the launch of Stripe Projects . We’re excited to launch this new partnership with Stripe, and also to offer $100,000 in Cloudflare credits to all new startups who incorporate using Stripe Atlas . But this new protocol also makes it possible for any platform with signed-in users to integrate with Cloudflare in the same way Stripe does, with zero friction for the end user. How it works: zero to production without any setup or manual steps
Cybersecurity researchers have disclosed details of a stealthy Python-based backdoor framework called DEEP#DOOR that comes with capabilities to establish persistent access and harvest a wide range of sensitive information from compromised hosts. "The intrusion chain begins with execution of a batch script ('install_obf.bat') that disables Windows security controls, dynamically extracts an
Turns out the real problem is not AI but staff still clicking on dodgy emails from 'IT support' Nearly half of UK businesses are still getting breached, and in many cases, the attacker's big breakthrough is an employee clicking "sure, why not" on a fake login page.…
Intro A sophisticated, high-resilience malicious campaign was identified by Atos Threat Research Center (TRC) in March 2026. This operation specifically targets the high-privilege professional accounts of enterprise administrators, DevOps engineers, and security analysts by impersonating administrative utilities they rely on for daily operations. By integrating Search Engine Order (SEO)
What type of 'C2 on a sleep cycle' do they leave behind? Novel Chinese spy group found in critical networks in Poland, Asia
Just in time for the Trump-Xi summit Exclusive A novel China-linked threat group infiltrated more than a dozen critical networks in Poland, Asian countries, and possibly beyond, beginning in December 2024 and with activity uncovered as recently as this month.…
Emergency patches out now for those managing the millions of domains assumed to be affected Emergency patches are available for a critical vulnerability in cPanel and WHM that allows attackers to bypass authentication and gain root access to servers managed using it.…
Spyware appears to have captured everything from intimate photos to private messages from the smartphone of European celebrity. They were publicly accessible until a researcher flagged the exposure.
Investigation finds no single cause for soldiers falling ill, just bad bolts, cold air, and apparently the soldiers themselves Britain's notorious Ajax armored vehicles are being accepted back from the manufacturer after investigations found no single cause for the symptoms plaguing crews, meaning soldiers will need to grin and bear it.…
Great idea, guys. Let's keep all of the data in an Excel file with weak password protection PWNED Welcome, once again, to PWNED, the weekly column where we recount the adventures of IT explorers who found their own pile of quicksand and then jumped right into it. This week's story involves keeping sensitive information in a very vulnerable place and then not protecting it adequately.…
HexDig 1.0.0 a lightweight binwalk alternative working both on Windows and Linux, written in C++, give it a try!
Google has addressed a maximum severity security flaw in Gemini CLI -- the "@google/gemini-cli" npm package and the "google-github-actions/run-gemini-cli" GitHub Actions workflow -- that could have allowed attackers to execute arbitrary commands on host systems. "The vulnerability allowed an unprivileged external attacker to force their own malicious content to load as Gemini configuration,"
Wednesday, April 29
What Mythos Means for Penetration Testing as a Service When Anthropic announced the Claude Mythos Preview, the reaction from the security community was immediate. We’re not talking about the next best model. This model is such a leap forward and so capable at finding and exploiting vulnerabilities that Anthropic deemed it too dangerous to release […] The post What GigaOm and Synack Got Right About AI Pentesting appeared first on Synack .
ORNL says portable detector kit can separate real GPS signals from fake ones even at equal strength GPS spoofing, which sends fake satellite-like signals, and GPS jamming, which drowns receivers in noise, are increasingly serious problems. Researchers at Oak Ridge National Laboratory in Tennessee have created what they say is the most effective system yet for detecting GPS interference, which could help blunt such attacks.…
Microsoft readies the axe once again for yesterday's security Microsoft has warned users still clinging to legacy TLS versions that the end is nigh for TLS 1.0 and 1.1 on POP3 and IMAP4 connections to Exchange Online.…
The Internet Is Falling Down, Falling Down, Falling Down (cPanel & WHM Authentication Bypass CVE-2026-41940)
Hello! Yes, it's all a disaster again! Let's get this party started:
As we commonly know in appsec, not every vulnerability, even if critical 10 is relevant. This is a take from my buddy Brian Vermeer at Snyk, he's a Java Champion and offers his opinion as a developer to the Thymeleaf vulnerability [CVE-2026-40478](https://security.snyk.io/vuln/SNYK-JAVA-ORGTHYMELEAF-16078379)
GrassMarlin leaks sensitive information, provided your targeting phishing skills are sharp enough The Cybersecurity and Infrastructure Security Agency (CISA) is warning anyone who uses GrassMarlin, a tool developed by the National Security Agency (NSA), about a new vulnerability that attackers can use to snoop on sensitive information.…
Cybersecurity researchers have discovered malicious code in an npm package after a malicious package as a dependency to the project by Anthropic's Claude Opus large language model (LLM). The package in question is "@validate-sdk/v2," which is listed on npm as a utility software development kit (SDK) for hashing, validation, encoding/decoding, and secure random generation. However, its real
A newly analyzed Go-based macOS remote access trojan (RAT), internally named Minirat, has surfaced in the wild using anti-VM checks, LaunchAgent persistence, and AES-encrypted command and control (C2) configuration to maintain stealthy, long-term access on victim endpoints. According to [SafeDep](https://safedep.io/malicious-velora-dex-sdk-npm-compromised-rat/), the initial infection vector was a malicious npm package (velora-dex-sdk) that dropped the Go-based macOS RAT onto developer endpoints.
Every security team has a version of the same story. The quarter ends with hundreds of vulnerabilities closed. The dashboards are bursting with green. Then someone in a leadership meeting asks: "So, are we actually safer now?" Crickets. The room goes quiet because an honest answer requires context – which is something that patch counts and CVSS scores were never designed to provide. Exposure
LibAFL is all the rage in the fuzzing community these days, especially with LLVM’s libFuzzer being placed in maintenance mode . Written in Rust, LibAFL claims improved performance, modularity, state-of-the-art fuzzing techniques, and libFuzzer compatibility . For these reasons, I set out to add LibAFL support to Ruzzy , our coverage-guided fuzzer for pure Ruby code and Ruby C extensions. This gives Ruby developers and security researchers access to a more advanced and actively maintained fuzzing engine without changing how they write their fuzzing harnesses. Ruzzy was originally built on top of LLVM’s libFuzzer, so using LibAFL’s compatibility layer should be easy enough. However, digging around in the internals of complex systems is never quite as simple as it seems. In this post, I will investigate some of the deep plumbing inside these fuzzing engines, take a detour into executable and linkable format (ELF) files, and ultimately add LibAFL support to Ruzzy. Building with libafl_libfuzzer Ruzzy currently supports Linux, so I use a Dockerfile for development and for production fuzzing campaigns. To that end, using a similar Dockerfile for LibAFL support is the simplest integration point. LibAFL provides excellent documentation a
Today, we're launching Project Swarm — a research initiative that opens the GreyNoise deception platform to the global security community. Project Swarm transforms GreyNoise from a proprietary sensor network into a collective intelligence platform.
Tuesday, April 28
CREST Helps Raise the Bar for the Researchers Behind Your Pentest When a cybersecurity company tells you its testers are vetted, what does that actually mean? Most of the time, it means the company ran its own screening, trusted its own judgment, and hoped you’d trust it too. That works, right up until the pentest […] The post What CREST Means for Your Next Synack Engagement appeared first on Synack .
Attackers are exploiting a security gap in U.S. businesses. Fake Microsoft, Adobe, and OneDrive pages deliver RMM software instead of payloads, giving attackers direct access to the environment. Because these tools are widely used across enterprises, attackers can establish access before activity is flagged as malicious. Combined with trusted or compromised infrastructure, this delays detection and increases attacker dwell time. The analysis session showing how attackers gain remote access through a fake Microsoft Store page delivering an RMM installer disguised as Adobe software: [https://app.any.run/tasks/e072ae4e-214c-4039-957d-7c0cbe682da8/](https://app.any.run/tasks/e072ae4e-214c-4039-957d-7c0cbe682da8/) Full article: [https://any.run/cybersecurity-blog/rmm-blind-spot-for-cisos/](https://any.run/cybersecurity-blog/rmm-blind-spot-for-cisos/) https://preview.redd.it/8p0wbleb7zxg1.png?width=2048&format=png&auto=webp&s=a58037806908430aa3ccc65908a072e00089e443
The war in Iran has drawn attention to arrests in the United Arab Emirates over online content, but the legal framework behind that enforcement has existed for years.
ByteToBreach have breached Ikeja Electric, encrypting 50+ hosts, disrupting systems, and taking multiple subdomains offline. The actor also have stolen customer, employee, and business databases, source code, Active Directory data with offline cracked passwords, and impacted metering platforms linked to several vendors. Threat actor: ByteToBreach Sector: Energy / Utilities Data type: Customer records, employee data, business databases, source code, Active Directory credentials Observed: Apr 28, 2026 Sources: [https://x.com/H4ckmanac/status/2049126582694875608](https://x.com/H4ckmanac/status/2049126582694875608) [https://x.com/CyhawkAfrica/status/2049109369522934179](https://x.com/CyhawkAfrica/status/2049109369522934179) [https://darkforums.su/Thread-NG-Ikeja-Electric-Databases-Ransomware](https://darkforums.su/Thread-NG-Ikeja-Electric-Databases-Ransomware) https://preview.redd.it/5wua149b7yxg1.png?width=2503&format=png&auto=webp&s=133a682cd6ee178877db97f9cb59f7c60d3d8cc8
**Summary:** I’m disclosing a full-chain CVSS 10.0 RCE affecting Microsoft Semantic Kernel (.NET v1.74) and the new Agent Framework 1.0. **The Timeline & Conflict:** \> \* **March 24:** Initial disclosure sent to MSRC with PoC. * **April 8:** MSRC closed the case as "Developer Error / Configuration Issue." * **The Reality:** Despite the rejection, Microsoft silently merged mitigations in PRs #13683 and #13702 without assigning a CVE. This results in a "False Green" for enterprise SCA tools (Snyk/Checkmarx/Dependabot) while the bypasses remain functional. **Technical Scope:** * **Architectural Trust Gap (CWE-1039):** Auto-invocation logic treats non-deterministic LLM output as a high-privilege system coordinator without a sandbox boundary. * **6 Day-Zero Bypasses:** Discovery of Type Confusion and Unicode homoglyphs that defeat the "hardened" baseline in the April 2026 releases. * **Versioning:** Persistence confirmed from .NET v1.7x through the Agent Framework 1.0 re-baseline. Full paper, .cast exploit recordings, and a production-ready C# remediation filter are available at the link.
AI agents may soon be buying your stuff for you. The FIDO Alliance has teamed up with Google and Mastercard to try to ensure that shopping in the near future isn't a complete disaster.
In the first quarter of 2026, government-directed shutdowns figured prominently, with prolonged Internet blackouts in both Uganda and Iran, a stark contrast to the lack of observed government-directed shutdowns in the same quarter a year prior. This quarter, we also observed a number of Internet disruptions caused by power outages , including three separate collapses of Cuba's national electrical grid. Military action continued to disrupt connectivity in Ukraine and also impacted hyperscaler cloud infrastructure in the Middle East. Severe weather knocked out Internet connectivity in Portugal, while cable damage disrupted connectivity in the Republic of Congo. A technical problem hit Verizon Wireless in the United States, and unknown issues briefly disrupted connectivity for customers of providers in Guinea and the United Kingdom. This post is intended as a summary overview of observed and confirmed disruptions and is not an exhaustive or complete list of issues that have occurred during the quarter. A larger list of detected traffic anomalies is available in the Cloudflare Radar Outage Center . Note that both bytes-based and request-based traffic graphs are used within this post to illustrate the impact of the observed disruptions, with the choice of metric generally made based on which better illustrates the impact of the disruption. Government-directed shutdowns Uganda In advance of the January 15 presidentia
SIEM is not enough. Classical DFIR is not the full answer either. And “better logging” is too weak a frame. The real gap is evidentiary continuity in modern, cloud-heavy, application-driven environments.
After i updated it i closed it and a white screen with a logo like this https://preview.redd.it/uu1nklpdjwxg1.png?width=270&format=png&auto=webp&s=00db4e765f7348eb8dd29c42df79ae988d11cabf thats next to the file name popped up, it was instant so im not sure if its malware and i have super bad anxiety and not sure if this is something to do with the download setup modrinth uses or what, ik this is pretty specific so if no one can help its completly fine. Not sure if this is off topic and im freaking out and dont know what community to post this in.
On paper, the vast majority of crisis plans look reasonable, actionable and complete. Once the rubber hits the road, however, chaos emerges quickly. This is where tabletop simulations come into play. Tabletops Exercises (TTX) simulate real-world crises in a controlled environment. They introduce time pressure, incomplete information, and uncertainty, forcing teams to adapt and revealing whether plans hold up under stress. Over the years we have facilitated many tabletop exercises, ranging from small teams of IT teams to full executive crisis staff. The scenarios vary, but the findings are remarkably consistent. Here are some of the most important learnings from the tabletop exercises and real incidents
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite This is so "peak 2026" - writing an equality policy to ensure people treat our AI bot with the same respect as they do their human counterparts. It's intentionally a bit tongue-in-cheek, but it's there for a purpose: we simply don't have the capacity to deal with every request we get, and we need Bruce to be the coalface of support. I did wonder, when having ChatGPT create this, whether there's some deeper psychology behind the importance of interacting politely with bots, or indeed whether there will ever be an actual (like, serious) standard or law around treating bots with respect. Has this been in a movie somewhere? Let me know, but for now, I'll drop the (slightly revised) policy below, just for the laughs 藍
Monday, April 27
The suspected shooter at Saturday night’s White House Correspondents’ Dinner faces three felony charges. He remains in custody following Monday’s hearing.
Kaspersky recently disclosed PhantomRPC, a privilege escalation technique affecting all Windows versions (tested on Server 2022/2025)
The core issue: Windows RPC runtime doesn't verify whether the server a high-privileged client connects to is legitimate. If a target RPC server is unavailable, an attacker with SeImpersonatePrivilege can spin up a fake RPC server mimicking the same endpoint, wait for a SYSTEM-level client to connect, then call RpcImpersonateClient to escalate privileges. Five confirmed escalation paths: \- gpupdate /force → SYSTEM (coerces Group Policy service) \- Microsoft Edge launch → Administrator (no coercion needed) \- WDI background service → SYSTEM (fires every 5–15 min automatically) \- ipconfig + disabled DHCP → Administrator \- w32tm.exe → Administrator via non-existent named pipe Microsoft assessed this as moderate severity, issued no CVE, and has no patch planned — justification being that SeImpersonatePrivilege is a prerequisite. Questions for the community: 1. Are you monitoring for RPC\_S\_SERVER\_UNAVAILABLE (Event ID 1 via ETW) in your environment? 2. Any Sigma/Defender rules already written for this? 3. Do you agree with Microsoft's severity assessment given how common SeImpersonatePrivilege is on IIS/SQL servers? Kaspersky's full write-up + PoC: [https://securelist.com/phantomrpc-rpc-vulnerability/119428/](https://securelist.com/phantomrpc-rpc-vulnerability/119428/)
Ransomware is getting weird, folks. A new report says attacks jumped 22 percent in Q1 2026, but the real twist is how messy things have become. You still have big names like Akira and Qilin, but newer groups like The Gentlemen are exploding in activity, while shady leak sites are posting possibly fake “breaches” just to scare companies into paying. Even wilder, groups like ShinyHunters are skipping encryption entirely and just stealing data through compromised logins and SaaS apps. It is less about locking files now and more about leverage, and honestly, that might be harder to defend against.