Cybersecurity News and Vulnerability Aggregator

Top Cybersecurity Stories Today

The Register Just now

And that unauthorized access? 'A nothing burger,' hacking startup CEO tells El Reg

Anthropic's Mythos model is purportedly so good at finding vulnerabilities that the Claude-maker is afraid to make it available to the general public for fear that criminals will take advantage. But early analysis shows that Mythos may not be as dangerous as some would have you believe.…

The Hacker News 4h ago

Cybersecurity researchers have warned of malicious images pushed to the official "checkmarx/kics" Docker Hub repository. In an alert published today, software supply chain security company Socket revealed that unknown threat actors managed to have overwritten existing tags, including v2.1.20 and alpine, while also introducing a new v2.1.21 tag that does not correspond to an official release. The

The Hacker News 6h ago

The threat actor known as Harvester has been attributed to a new Linux version of its GoGra backdoor deployed as part of attacks likely targeting entities in South Asia. "The malware uses the legitimate Microsoft Graph API and Outlook mailboxes as a covert command-and-control (C2) channel, allowing it to bypass traditional perimeter network defenses," the Symantec and Carbon Black Threat Hunter

The Hacker News 14h ago
CVE

A critical security vulnerability has been disclosed in a Python-based sandbox called Terrarium that could result in arbitrary code execution. The vulnerability, tracked as CVE-2026-5752, is rated 9.3 on the CVSS scoring system. "Sandbox escape vulnerability in Terrarium allows arbitrary code execution with root privileges on a host process via JavaScript prototype chain traversal," according to

Krebs on Security Apr 21

A 24-year-old British national and senior member of the cybercrime group “Scattered Spider” has pleaded guilty to wire fraud conspiracy and aggravated identity theft. Tyler Robert Buchanan admitted his role in a series of text-message phishing attacks in the summer of 2022 that allowed the group to hack into at least a dozen major technology companies and steal tens of millions of dollars worth of cryptocurrency from investors. Buchanan’s hacker handle “Tylerb” once graced a leaderboard in the English-language criminal hacking scene that tracked the most accomplished cyber thieves. Now in U.S. custody and awaiting sentencing, the Dundee, Scotland native is facing the possibility of more than 20 years in prison.

Two photos published in a Daily Mail story dated May 3, 2025 show Buchanan as a child (left) and as an adult being detained by airport authorities in Spain. “M&S” in this screenshot refers to Marks & Spencer, a major U.K. retail chain that suffered a ransomware attack last year at the hands of Scattered Spider.

Scattered Spider is the name given to a prolific English-speaking cybercrime group known for using social engineering tactics to break into companies and steal data for ransom, often impersonating employees or contractors to deceive IT help desks into granting access. As part of his guilty plea, Buchanan admitted conspiring with other Scattered Spider members to launch tens of thousan

Latest

Wednesday, April 22
r/blueteamsec 1h ago

>**Hi everyone,**
>
>**Full technical article with diagrams:** [**https://medium.com/@osamamamoussa/architecting-a-multi-layered-security-ecosystem-from-perimeter-defense-to-micro-segmentation-4d7f5086fbb3**](https://medium.com/@osamamamoussa/architecting-a-multi-layered-security-ecosystem-from-perimeter-defense-to-micro-segmentation-4d7f5086fbb3)
>
>**I’ve recently designed a security architecture for a medium-scale enterprise network and wanted to share the technical logic behind it. As an aspiring SOC Analyst, I wanted to build something that reflects a real-world Defense-in-Depth approach.**
>
>**The design focuses on:**
>
>* **DMZ Segmentation: Using WAF and ESA to protect public-facing assets.**
>* **Internal Security: Micro-segmentation for Database servers and 802.1X via AAA for all endpoints.**
>* **Threat Detection: Positioning IPS/IDS and Sandboxing to handle zero-day threats.**
>* **Visibility: Full logging via SIEM for SOC monitoring.**
>
>**I wrote a detailed deep dive explaining the traffic flow and the reasoning behind each appliance. I would really appreciate your feedback on the segmentation logic or if you see any potential blind spots.**

r/cybersecurity 1h ago

Vercel breach is pretty interesting, mainly because of how it actually happened. I expected something like a deep infra exploit or zero-day. Instead, it started with an AI tool. From what I understood, a third-party tool Context AI used by an employee got compromised. That exposed access to a Google Workspace account, and from there the attacker just moved through existing OAuth connections into Vercel’s internal systems. That’s what got me. Nothing was hacked in the usual way. They just used access that was already there. Vercel said sensitive env vars were safe, but anything not marked sensitive could be accessed. So basically API keys, tokens, that kind of stuff. There are also reports about GitHub/npm/Linear access, but not everything is confirmed yet. I always thought of these tools as harmless add-ons, but now I’m thinking they’re actually one of the weakest points. They sit there with a lot of permissions and I rarely check them unless something breaks. Feels like the real risk isn’t just your codebase anymore. It’s everything you’ve connected to it. If you’re curious, I wrote a detailed [breakdown](https://entelligence.ai/blogs/how-an-ai-tool-triggered-the-vercel-security-breach) of the whole incident and how it unfolded.

The DFIR Report 7h ago

Key Takeaways

We identified an exposed server that provided unusual visibility into a large-scale, multi-victim exploitation and collection operation. Artifacts on the host showed that Claude Code and OpenClaw were embedded in the operator’s day-to-day workflow, supporting troubleshooting, orchestration, and refinement of the collection pipeline. This AI-assisted workflow resulted in the modular platform Bissa scanner […]

The post Bissa Scanner Exposed: AI-Assisted Mass Exploitation and Credential Harvesting appeared first on The DFIR Report.

CERT/CC 8h ago

Overview

Ollama’s model quantization engine contains a vulnerability that allows an attacker with access to the model upload interface to read and potentially exfiltrate heap memory from the server. This issue may lead to unintended behavior, including unauthorized access to sensitive data and, in some cases, broader system compromise.

Description

Ollama is an open-source tool designed to run large language models (LLMs) locally on personal systems, including macOS, Windows, and Linux. Ollama supports model quantization, an optimization technique that reduces the numerical precision used in models to improve performance and efficiency.

An out-of-bounds heap read/write vulnerability has been identified in Ollama’s model processing engine. By uploading a specially crafted GPT-Generated Unified Format (GGUF) file and triggering the quantization process, an attacker can cause the server to read beyond intended memory boundaries and write the leaked data into a new model layer.

CVE-2026-5757: Unauthenticated remote information disclosure vulnerability in Ollama's model quantization engine allows an attacker to read and exfiltrate the server's heap memory, potentially leading to sensitive data exposure, further compromise, and stealthy persistence.

The vulnerability is caused by three combined factors:

* No Bounds Checking: The quantization engine trusts tensor metadata (like element count) from the user-supplied GGUF file header without verifying it against the actual size of the provided data.
* Unsafe Memory Access: Go's unsafe.Slice is used to create a memory slice based on the attacker-controlled element count, which can extend far beyond the legitimate data buffer and into the application's heap.

Cloudflare 9h ago

Rust Workers run on the Cloudflare Workers platform by compiling Rust to WebAssembly, but as we’ve found, WebAssembly has some sharp edges. When things go wrong with a panic or an unexpected abort, the runtime can be left in an undefined state. For users of Rust Workers, panics were historically fatal, poisoning the instance and possibly even bricking the Worker for a period of time.

While we were able to detect and mitigate these issues, there remained a small chance that a Rust Worker would unexpectedly fail and cause other requests to fail along with it. An unhandled Rust abort in a Worker affecting one request might escalate into a broader failure affecting sibling requests or even continue to affect new incoming requests. The root cause of this was in wasm-bindgen, the core project that generates the Rust-to-JavaScript bindings Rust Workers depend on, and its lack of built-in recovery semantics.

In this post, we’ll share how the latest version of Rust Workers handles comprehensive Wasm error recovery that solves this abort-induced sandbox poisoning. This work has been contributed back into wasm-bindgen as part of our collaboration within the wasm-bindgen organization formed last year. First with panic=unwind support, which ensures that a single failed request never poisons other requests, and then with abort recovery mechanisms that guarantee Rust code on Wasm can never re-execute after an abort.

Initial recovery mitigations

Our initial attempts to address reliability in this area focused on understanding and containing failures caused by Rust panics and aborts in producti

r/cybersecurity 9h ago

A bill currently in Congress — H.R. 8250, the Parents Decide Act — proposes requiring age verification built into operating systems as a way to protect minors online. The intent is understandable, but the implementation raises some serious questions worth bringing to your representative's attention.

A few concerns worth considering:

* If OS-level verification requires government-issued ID, that data becomes a centralized target. Prior large-scale breaches show no system is immune — and the stakes here are higher than a typical account compromise.
* Users without reliable internet access, or those setting up devices offline, may face real barriers just to use their own hardware.
* Operating systems are foundational infrastructure. Embedding identity verification at that layer could have effects far beyond the scope of protecting minors online.

I recently wrote to my own representative about this. If you're in the US and have concerns, I'd encourage you to do the same — it takes about 5 minutes via your representative's contact form. I've put together a template below that anyone can adapt.

Find your representative here: [https://www.house.gov/representatives/find-your-representative](https://www.house.gov/representatives/find-your-representative)

TEMPLATE LETTER

>Dear Representative \[Last Name\],
>
>I am writing as a constituent from \[Your State/District\] to share my concerns regarding H.R. 8250, the Parents Decide Act.
>
>I support the intent of protecting minors online; however, I am concerned that requiring age verification at the operating system level may create unintended consequences for privacy, security, and equitable access to technology.
>
>I see three practical issues with this approach. First, if users must submit government-issued identification for OS-level verification, that data becomes a high-value target for theft. Prior large-scale breaches show no system is immune, and mandating identity documents at the device level could expose millions of users to serious risk. Second, users without reliable internet access or those setting up offline systems may face barriers during device initialization. Third, operating systems are foundational infrastructure, and embedding identity verification at that layer may have effects well beyond the scope of individual apps or services.
>
>I encourage you to consider alternatives that protect minors without these tradeoffs — such as stronger parental controls, improved app-level safety standards, or privacy-preserving age assurance methods that avoid device-wide identity verification.
>
>I would also appreciate clarification on how this bill handles users who set up devices offline or prefer not to provide identity-linked data to OS providers.
>
>Thank you for your time and service.
>
>Sincerely,
>\[Your Name\]
>\[Your State/District\]

r/Malware 10h ago

I documented a broader GitHub malware campaign that appears to include the fraudulent **UNICORN-Binance-WebSocket-API** repo I wrote about earlier. At this point I have **19 confirmed repositories** that decode to the same C2, share the same staged Windows payload flow, and reuse the same or highly similar `utils/` dropper architecture. The visible patterns also include repeated commit choreography, manipulated-looking stars/forks, and overlapping fork accounts across campaign repos. Write-up: [https://blog.technopathy.club/nailproxy-space-github-malware-campaign](https://blog.technopathy.club/nailproxy-space-github-malware-campaign) I am not asking anyone to touch the infrastructure or execute anything. If others want to independently validate additional public samples via static source review and metadata correlation, more confirmation would be useful.

The Hacker News 11h ago

Cybersecurity researchers have discovered a previously undocumented data wiper that has been used in attacks targeting Venezuela at the end of last year and the start of 2026. Dubbed Lotus Wiper, the novel file wiper has been used in a destructive campaign targeting the energy and utilities sector in Venezuela, per findings from Kaspersky. "Two batch scripts are responsible for initiating the

The Hacker News 11h ago

On January 31, 2026, researchers disclosed that Moltbook, a social network built for AI agents, had left its database wide open, exposing 35,000 email addresses and 1.5 million agent API tokens across 770,000 active agents. The more worrying part sat inside the private messages. Some of those conversations held plaintext third-party credentials, including OpenAI API keys shared between agents,

The Hacker News 12h ago
CVE

Microsoft has released out-of-band updates to address a security vulnerability in ASP.NET Core that could allow an attacker to escalate privileges. The vulnerability, tracked as CVE-2026-40372, carries a CVSS score of 9.1 out of 10.0. It's rated Important in severity. An anonymous researcher has been credited with discovering and reporting the flaw. "Improper verification of cryptographic

The Register 13h ago
CVE

Gartner sees accelerating growth in IT spending, powered by cloud and AI infrastructure investment

A day after the International Energy Agency (IEA) said the US/Israel/Iran war was creating the worst energy crisis ever faced by the world, Gartner increased its growth forecasts for global IT spending by nearly three percentage points.…

The Hacker News 14h ago

Cybersecurity researchers have discovered a new variant of a known malware called LOTUSLITE that's distributed via a theme related to India's banking sector. "The backdoor communicates with a dynamic DNS-based command-and-control server over HTTPS and supports remote shell access, file operations, and session management, indicating a continued espionage-focused capability set rather than

r/cybersecurity 14h ago

I recently tracked down the operator behind the "TdataS" Telegram session stealer. How? Because he tested his own malware on his own computer. His stealer performed perfectly. It packaged up his own personal data, snapped a screenshot of his desktop (exposing his source code), and exfiltrated it straight to a public drop zone I was monitoring. Using 100% passive OSINT (no exploits, no bypassed authentication), I traced his Gofile tokens and Telegram sessions to unmask his entire operation. It's the ultimate OpSec fail, and a goldmine for Threat Intel analysts. Dive into the full case study: [**https://maordayanofficial.medium.com/tdatas-stealer-from-c2-discovery-to-operator-attribution-via-operational-security-failures-d11d78cc8e85**](https://maordayanofficial.medium.com/tdatas-stealer-from-c2-discovery-to-operator-attribution-via-operational-security-failures-d11d78cc8e85)

The Guardian 18h ago

2Apply’s over-collection of personal information adds to the power of the real estate industry in the competitive rental market, Carly Kind says

An online rental platform has been urged to stop collecting users’ personal information after the Australian privacy commissioner found the gathering of “excessive” data compounded the vulnerability of tenants amid the housing crisis. RentTech platforms are increasingly used by real estate agents in Australia for people applying for rental properties to submit applications and supporting documentation. The Australian Housing and Urban Research Institute has identified 57 different rent platforms operating in Australia.

Synack 19h ago
AI

How Security Teams Are Really Using Agentic AI

Security leaders aren’t waiting to see how agentic AI plays out. They’re already betting on it, and they’ve developed strong opinions about what separates a real penetration testing solution from a rebranded scanner or other DAST tools. In fact, recent research from Fortune and Lightspeed Ventures shows […]

The post The New Standard: Why 64% of Firms Prefer Human-Validated AI Pentesting appeared first on Synack.

Tuesday, April 21
Troy Hunt 22h ago

Looking back at this milestone video, it's the audience question towards the end I liked most: "are you happy"? Charlotte and I have chosen a path that's non-traditional, intense and at times, pretty stressful. There's no clear delineation of when work starts and ends, no holidays where we don't work, nor weekends, birthdays or Christmases. But we do so on our terms. It gives us a life of means and choices, one with excitement and adventure, and, above all, one with purpose, where we feel like we're doing something that makes a meaningful difference. I hope you enjoy this week's video, it's more personal than usual, but yeah, that's kinda what you do at milestones

The Register Apr 21

NCSC boss says China's whole-of-state cyber machine has become Britain's peer competitor in cyberspace

State-sponsored cyberattacks from Chinese intelligence and military agencies display "an eye-watering level of sophistication," UK National Cyber Security Centre CEO Richard Horne is expected to say in a less-than-cheery opening speech to kick off its annual conference.…

r/computerforensics Apr 21
AI

Adding to the DFIR + AI theme, in case you didn't see it on LinkedIn, we released an MCP server for Autopsy last week (and Cyber Triage). This allows you to connect Claude Desktop (or similar) to Autopsy and ask questions about the results. It's a read-only interface, so your original data won't get modified by the AI. We've also been doing an Intro DFIR+AI series if you are just starting to really pay attention to how to integrate these things:

Autopsy Release: [https://www.autopsy.com/autopsy-4-23-0-release-claude-ai-assistant-mcp-cyber-triage-integration/](https://www.autopsy.com/autopsy-4-23-0-release-claude-ai-assistant-mcp-cyber-triage-integration/)

AI Blogs:

* [How to Let AI Access Your DFIR and SOC Investigation Data](https://www.cybertriage.com/ai/how-to-let-ai-access-your-dfir-and-soc-investigation-data/)
* [MCP Servers for DFIR and SOC Investigations using AI](https://www.cybertriage.com/ai/intro-to-mcp-servers-for-dfir-and-soc-investigations-using-ai/)
* [How To Share Your “SKILLS” With the LLM](https://www.cybertriage.com/blog/ai-dfir-how-to-share-your-skills-with-the-llm/)

The Hacker News Apr 21

Threat actors associated with The Gentlemen ransomware‑as‑a‑service (RaaS) operation have been observed attempting to deploy a known proxy malware called SystemBC. According to new research published by Check Point, the command-and-control (C2 or C&C) server linked to SystemBC has led to the discovery of a botnet of more than 1,570 victims. "SystemBC establishes SOCKS5 network tunnels within

r/netsec Apr 21
CVE

CVE-2026-32604 and CVE-2026-32613 are both 10.0 severity vulnerabilities in Spinnaker, which allow attackers to execute arbitrary code and access production cloud environments and source control. They provide an easy path from a compromised workstation to more sensitive areas. Our blog post contains a comprehensive technical breakdown and working POCs.

The Register Apr 21

CISA gives federal agencies 4 days to patch

America's lead cyber-defense agency has warned that three Cisco Catalyst SD-WAN Manager bugs are under attack, and given federal agencies just four days to patch the security holes.…

Praetorian Apr 21
CVE

When 500,000 Findings Hide 14 Real Threats

Modern enterprises ingest vulnerability data from dozens of sources: endpoint detection and response platforms, vulnerability scanners, cloud security posture tools, container image scanners. A large organization can easily accumulate hundreds of thousands of individual findings. The standard response is to sort by CVSS score, filter for criticals, and start patching. But vulnerability management needs to shift from CVSS-based severity ranking to contextual exploit chain analysis — evaluating how individual vulnerabilities combine into realistic attack paths.

The problem is that CVSS scores evaluate vulnerabilities in isolation. A renderer vulnerability in a web browser is serious, but the browser sandbox contains it. A sandbox escape is dangerous, but it requires an initial foothold to exploit. Neither finding alone tells you the full story. But if the same endpoint is vulnerable to both, an attacker can chain them together into a zero click, full host compromise with no user interaction beyond visiting a webpage. That combined risk is qualitatively different from anything either CVE represents on its own.

Recently, we used Praetorian Guard to analyze a customer environment containing roughly 500,000 vulnerability findings ingested from the customer’s CrowdStrike deployment. Guard integrates with over

The Hacker News Apr 21

Cybersecurity researchers have identified 22 new vulnerabilities in popular models of serial-to-IP converters from Lantronix and Silex that could be exploited to hijack susceptible devices and tamper with data exchanged by them. The vulnerabilities have been collectively codenamed BRIDGE:BREAK by Forescout Research Vedere Labs, which identified nearly 20,000 Serial-to-Ethernet converters exposed

CERT/CC Apr 21
CVE

Overview

Radware Alteon has a reflected Cross-Site Scripting (XSS) vulnerability in the parameter ReturnTo of the route /protected/login. This vulnerability allows an attacker to execute JavaScript in the host browser.

Description

CVE-2026-5754: Reflected Cross-Site Scripting (XSS) vulnerability in Radware Alteon 34.5.4.0 vADC load-balancer allows an attacker to inject malicious scripts into the website, potentially leading to unauthorized actions, data theft, or other malicious activities.

A reflected Cross-Site Scripting (XSS) vulnerability exists in the ReturnTo parameter of the /protected/login route in Radware Alteon version 34.5.4.0. The vulnerability arises from the lack of user input sanitization, allowing an attacker to inject malicious scripts. Specifically, when a user requests a resource that redirects to a Microsoft SAML login page, the load-balancer redirects the user to the login page with a ReturnTo parameter that fails to sanitize user input. An attacker can exploit this by injecting a malicious payload in the ReturnTo parameter, which will be executed in the victim's browser.

An example attack flow is below:

* Attacker creates link with XSS payload in ReturnTo parameter.
* Victim clicks malicious link, redirecting to login page.
* Load-balancer reflects malicious ReturnTo parameter, executing XSS payload.
* Attacker performs JavaScript code execution in the victim's browser.

Impact

The impact of this vulnerability is significant, as it allows an attacker to execute arbitrary JavaScript

CERT/CC Apr 21
CVE

Overview

Terrarium is a sandbox-based code execution platform that enables users to run and execute code in a controlled environment, providing a secure way to test and validate code. However, a vulnerability has been discovered in Terrarium that allows arbitrary code execution with root privileges on the host Node.js process. This vulnerability is caused by a JavaScript prototype chain traversal in the Pyodide WebAssembly environment.

Description

The root cause of the vulnerability lies in the configuration of jsglobals objects in service.ts. Specifically, the mock document object is created using a standard JavaScript object literal, which inherits properties from Object.prototype. This inheritance chain allows sandbox code to traverse up to the function constructor, create a function that returns globalThis, and from there access Node.js internals, including require(). As a result, an attacker can escape the sandbox and execute arbitrary system commands as root within the container.

CVE-2026-5752: Sandbox Escape Vulnerability in Terrarium allows arbitrary code execution with root privileges on a host process via JavaScript prototype chain traversal.

Impact

Applications that use Terrarium for sandboxed code execution may be compromised, allowing an attacker to:

* Execute arbitrary commands as root inside the container
* Access and modify sensitive files, including /etc/passwd and environment variables
* Reach other services on the container's network, including databases and internal APIs

The Hacker News Apr 21

Security teams often present MTTR as an internal KPI. Leadership sees it differently: every hour a threat dwells inside the environment is an hour of potential data exfiltration, service disruption, regulatory exposure, and brand damage. The root cause of slow MTTR is almost never "not enough analysts." It is almost always the same structural problem: threat intelligence that exists

Cloudflare Apr 21

For us humans to interact with the online world, we need a gateway: keyboard, screen, browser, device. What is called "human detection" online are patterns that humans use when interacting with such devices. These patterns have changed in recent years: a startup CEO now uses their browser to summarize the news, a tech enthusiast automates the process to book their concert tickets when sales open at night, someone who's visually impaired enables accessibility on their screen reader, and companies route their employee traffic through zero trust proxies.

At the same time, website owners are still looking to protect their data, manage their resources, control content distribution, and prevent abuse. These problems aren’t solved by knowing whether the client is a human or a bot: There are wanted bots and there are unwanted humans. These problems require knowing intent and behavior. The ability to detect automation remains critical. However, as the distinctions between actors become blurry, the systems we build now should accommodate a future where "bots vs. humans" is not the important data point.

What actually matters is not humanity in the abstract, but questions such as: is this attack traffic, is that crawler load proportional to the traffic it returns, do I expect this user to connect from this new country, are my ads being gamed?

What we discuss with the term “bots” is really two stories. The first is whether website owners should let known crawlers through when they are not getting traffic back. We have touched on this with bot authentication with http message signatures for crawlers that want to identify without being impersonated. The second is the emergence of new clients that do not embed the same behaviors as web browsers historically did, which matters for systems such as private rate limit. In thi

The Hacker News Apr 21

Cybersecurity researchers have discovered a new iteration of an Android malware family called NGate that has been found to abuse a legitimate application called HandyPay instead of NFCGate. "The threat actors took the app, which is used to relay NFC data, and patched it with malicious code that appears to have been AI-generated," ESET security researcher Lukáš Štefanko said in a

r/Malware Apr 21

IOCX v0.7.0 is out. It’s a static IOC extraction and PE-analysis engine built for DFIR and malware-analysis workflows focused on deterministic behaviour. This release adds a deterministic heuristic engine, new adversarial PE samples, and a contract-testing framework to keep output stable across runs.

**Key changes in v0.7.0:**

**Deterministic heuristic engine (new)**

Snapshot-tested heuristics for:

* anti-debug API usage
* TLS callback anomalies
* packer-like section layouts + entropy
* RWX sections
* import-table anomalies
* signature anomalies

Runs under `analysis_level = full` and is designed to avoid false-positive reconstruction.

**Adversarial PE samples (new)**

Three intentionally hostile binaries covering:

* rich/atypical imports
* high-entropy + malformed Rich Headers
* split/reversed/null-interspersed strings

Useful to validate deterministic heuristics and literal-only IOC extraction.

**Rich Header crash fix**

Malformed Rich Headers with non-UTF8 bytes could break JSON serialization. v0.7.0 adds a deep sanitiser that hex-encodes nested byte structures for deterministic, JSON-safe output.

**Snapshot-driven contract testing**

Each sample has a byte-for-byte JSON snapshot. Output must match exactly — same file, same output, every time.

**Performance**

Remains \~28 MB/s on typical PE samples.

**Links**

GitHub: [https://github.com/iocx-dev/iocx](https://github.com/iocx-dev/iocx)

PyPI: [https://pypi.org/project/iocx/](https://pypi.org/project/iocx/)

**Example**

`pip install iocx`

`iocx suspicious.exe -a full`

Happy to hear feedback from anyone working with obfuscated or adversarial PE samples.

r/computerforensics Apr 21

A new 13Cubed episode is now available. I’ve got some thoughts about AI. Let’s talk about how it’s changing digital forensics, how I actually use it in practice, and what you need to know if you’re in or entering the field. [https://www.youtube.com/watch?v=wKn-9sKBqX8](https://www.youtube.com/watch?v=wKn-9sKBqX8)

The Register Apr 21

Mexican IT services firm admits it was hacked, but says client operations weren't affected

A Mexican IT infrastructure and digital transformation biz is on clean-up duty after a criminal posted screenshots of what they claimed was company video surveillance footage to a cybercrime forum.…

The Hacker News Apr 21

The cybersecurity industry has spent the last several years chasing sophisticated threats like zero-days, supply chain compromises, and AI-generated exploits. However, the most reliable entry point for attackers still hasn't changed: stolen credentials. Identity-based attacks remain a dominant initial access vector in breaches today. Attackers obtain valid credentials through credential stuffing

Heimdal Security Apr 21

COPENHAGEN, Denmark, 21 April 2026 — Heimdal today unveiled the next phase of its AI strategy, expanding AI Wingman with three new layers – Assist, Triage and SOC – alongside the introduction of Third-Party AI Containment. Together, these capabilities build on Heimdal’s existing AI-powered protection and give organisations a clearer way to manage AI safely, speed […] The post Heimdal Expands AI Strategy with AI Wingman and Third-Party AI Containment appeared first on Heimdal Security Blog.

The Hacker News Apr 21

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including three flaws impacting Cisco Catalyst SD-WAN Manager, citing evidence of active exploitation. The list of vulnerabilities is as follows - CVE-2023-27351 (CVSS score: 8.2) - An improper authentication vulnerability in PaperCut

Synack Apr 21

What Happens When Sara Pentest Gets Six Hours With a Live Application

In a single six-hour session, with no human intervention, Sara found and fully exploited multiple high-severity vulnerabilities across a live application including a SQL injection (SQLi), an admin account takeover, and stored cross-site scripting. In fact, 70% of Sara’s findings on this target […] The post How Sara Pentest is Changing the Game for AI Pentesting appeared first on Synack.

Monday, April 20
The Register Apr 20

Installation and pre-approval without consent looks dubious under EU law

One app should not modify another app without asking for and receiving your explicit consent. Yet Anthropic's Claude Desktop for macOS installs files that affect other vendors' applications without disclosure, even before those applications have been installed, and authorizes browser extensions without consent.…

The Hacker News Apr 20
CVE

A critical security vulnerability has been disclosed in SGLang that, if successfully exploited, could result in remote code execution on susceptible systems. The vulnerability, tracked as CVE-2026-5760, carries a CVSS score of 9.8 out of 10.0. It has been described as a case of command injection leading to the execution of arbitrary code. SGLang is a high-performance, open-source serving

The Hacker News Apr 20

Monday’s recap shows the same pattern in different places. A third-party tool becomes a way in, then leads to internal access. A trusted download path is briefly swapped to deliver malware. Browser extensions act normally while pulling data and running code. Even update channels are used to push payloads. It’s not breaking systems—it’s bending trust. There’s also a shift in how attacks run.

Cloudflare Apr 20

Today marks the end of our first Agents Week, an innovation week dedicated entirely to the age of agents. It couldn’t have been more timely: over the past year, agents have swiftly changed how people work. Coding agents are helping developers ship faster than ever. Support agents resolve tickets end-to-end. Research agents validate hypotheses across hundreds of sources in minutes. And people aren't just running one agent: they're running several in parallel and around the clock. As Cloudflare's CTO Dane Knecht and VP of Product Rita Kozlov noted in our welcome to Agents Week post, the potential scale of agents is staggering: If even a fraction of the world's knowledge workers each run a few agents in parallel, you need compute capacity for tens of millions of simultaneous sessions. The one-app-serves-many-users model the cloud was built on doesn't work for that. But that's exactly what developers and businesses want to do: build agents, deploy them to users, and run them at scale. Getting there means solving problems across the entire stack. Agents need compute that scales from full operating systems to lightweight isolates. They need security and identity built into how they run. They need an agent toolbox: the right models, tools, and context to do real work. All the code that agents generate needs a clear path from afternoon prototype to production app. And finally, as agents drive a growing share of Internet traffic, the web itself needs to adapt for the emerging agentic web. Turns out, the containerless, serverless compute platform we launched eight years ago with Workers was ready-made for this moment. Since then, we've grown it into a full platform, and this week we shipped the next wave of primitives purpose-built for agents, organized around exactly those problems. We are here to create Cloud 2.0 — the agentic cloud. Infr

Cloudflare Apr 20
APT

In the last 30 days, 93% of Cloudflare’s R&D organization used AI coding tools powered by infrastructure we built on our own platform. Eleven months ago, we undertook a major project: to truly integrate AI into our engineering stack. We needed to build the internal MCP servers, access layer, and AI tooling necessary for agents to be useful at Cloudflare. We pulled together engineers from across the company to form a tiger team called iMARS (Internal MCP Agent/Server Rollout Squad). The sustained work landed with the Dev Productivity team, who also own much of our internal tooling including CI/CD, build systems, and automation. Here are some numbers that capture our own agentic AI use over the last 30 days:

- 3,683 internal users actively using AI coding tools (60% company-wide, 93% across R&D), out of approximately 6,100 total employees
- 47.95 million AI requests
- 295 teams are currently utilizing agentic AI tools and coding assistants.
- 20.18 million AI Gateway requests per month
- 241.37 billion tokens routed through AI Gateway
- 51.83 billion tokens processed on Workers AI

The impact on developer velocity internally is clear: we’ve never seen a quarter-to-quarter increase in merge requests to this degree. As AI tooling adoption has grown the 4-week rolling average has climbed from ~5,600/week to over 8,700. The week of March 23 hit 10,952, nearly double the Q4 baseline. MCP servers were the starting point, but the team quickly realized we needed to go further: rethink how standards are codified, how code gets reviewed, how engineers onboard, and how changes propagate across thousands of repos. Thi

Cloudflare Apr 20
CVE

Code review is a fantastic mechanism for catching bugs and sharing knowledge, but it is also one of the most reliable ways to bottleneck an engineering team. A merge request sits in a queue, a reviewer eventually context-switches to read the diff, they leave a handful of nitpicks about variable naming, the author responds, and the cycle repeats. Across our internal projects, the median wait time for a first review was often measured in hours. When we first started experimenting with AI code review, we took the path that most other people probably take: we tried out a few different AI code review tools and found that a lot of these tools worked pretty well, and a lot of them even offered a good amount of customisation and configurability! Unfortunately, though, the one recurring theme that kept coming up was that they just didn’t offer enough flexibility and customisation for an organisation the size of Cloudflare. So, we jumped to the next most obvious path, which was to grab a git diff, shove it into a half-baked prompt, and ask a large language model to find bugs. The results were exactly as noisy as you might expect, with a flood of vague suggestions, hallucinated syntax errors, and helpful advice to "consider adding error handling" on functions that already had it. We realised pretty quickly that a naive summarisation approach wasn't going to give us the results we wanted, especially on complex codebases. Instead of building a monolithic code review agent from scratch, we decided to build a CI-native orchestration system around OpenCode, an open-source coding agent. Today, when an engineer at Cloudflare opens a merge request, it gets an initial pass from a coordinated smörgåsbord of AI agents. Rather than relying on one model with a massive, generic prompt, we launch up to seven specialised reviewers covering security, performance

The Hacker News Apr 20

The fastest way to fall in love with an AI tool is to watch the demo. Everything moves quickly. Prompts land cleanly. The system produces impressive outputs in seconds. It feels like the beginning of a new era for your team. But most AI initiatives don't fail because of bad technology. They stall because what worked in the demo doesn't survive contact with real operations. The gap between a

r/ReverseEngineering Apr 20

To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.

GreyNoise Apr 20

Before Cisco disclosed a CVSS 10.0 zero-day, GreyNoise sensors had already observed eight surges of targeting activity compressing from 39 days to 2 days. A new study finds this pattern repeated across 33 CVEs and 16 vendor families — with a median lead time of 11 days. Read the full findings.

Saturday, April 18
r/computerforensics Apr 18

**Hey everyone,**

I just pushed Crow-Eye version 0.9.1. I completely rewrote the LNK/JumpList parsers from scratch, enhanced the Prefetch parser, and standardized global UTC time handling across all artifacts. It’s faster, more resilient, and the expanded timeline visualization now supports even more artifacts.

But while pushing these updates, I wanted to talk about a growing problem in our field: **The "Black Box" of Forensics.**

Right now, most people depend heavily on parsers without really knowing the behavior underneath them. With AI becoming more prevalent, this problem is only going to get worse. People will start trusting outputs without understanding the binary structure or the forensic anatomy of what they are actually looking at.

I have a different vision. I believe AI should make it easier for researchers to develop parsers and understand data, not just blindly output answers. That’s why I decided we need a backbone, something to help the next generation deeply understand the forensic anatomy we are studying.

# 👁️ Introducing "Eye-Describe": Visualizing the Binary Truth

To fix this, I am building a new educational suite called Eye-Describe. It aims to visually explain the internal binary structures of forensic artifacts directly to the user. It will show investigators exactly how the parsers work under the hood.

When you are looking at extracted data (like Prefetch or Amcache), you won't just see the result. Eye-Describe will visually highlight the binary structure of the artifact, showing you exactly where in the hex data that specific evidence was extracted from, and why it matters.

**A Live Example: The Windows Boot Disk Explorer**

To give you a taste of this philosophy, I’ve published the first piece of this initiative online:

* The Interactive Tool: Windows Boot Disk Explorer (https://crow-eye.com/Eye-Describe/windows_boot_disk_explorer)
* The Deep-Dive Article: The Anatomy of the Windows Boot Process (https://crow-eye.com/booting-process)

Instead of just listing partitions, this interactive tool visually breaks down the actual physical disk architecture (UEFI+GPT vs. BIOS+MBR). When you click a segment (like the ESP or MSR), it reveals its specific forensic role, the file structure inside it, and a node-based visualization showing exactly how the files interact during the system startup sequence.

---

Coming in Crow-Eye 0.10.0: "The Eye" AI Agent

While we are building out this Eye-Describe educational backbone, we are simultaneously working on our AI integration. In our next major release (0.10.0), we are introducing **The Eye**, a feature that allows users to connect their own API keys or CLI agents directly into Crow-Eye.

This isn't just a basic chatbot. The Eye will have direct access to the parser results generated by Crow-Eye, making it deeply aware of both your specific forensic data and general artifact behavior. It will assist investigators by:

* Spotting the Unseen: By analyzing the parsed results across all artifacts, The Eye can proactively spot anomalies, correlations, or hidden tracks that you might have missed during manual review.
* Building & Testing Hypotheses: You can propose an attack scenario, and the agent will use the actual parsed evidence to help you verify if the artifacts support or refute that hypothesis, helping you build a clear picture of the attack.
* Evaluating Trust: It will understand the nuances of different artifacts, advising you on what data is highly reliable (like the MFT) versus what might be easily manipulated or fragile.
* Querying the Database: Helping you search through massive datasets using natural language.

---

🤝 Open Call to Researchers & Reverse Engineers

I’d love for you to check out the Boot Disk Explorer concept and read the article. Let me know what you think: what artifacts do you think are the hardest for students to grasp and would benefit most from this kind of visual binary breakdown?

If you have deep knowledge about the binary structure of specific Windows artifacts and want to help visualize them, please reach out! I believe collaborating on this will massively help the DFIR community and the next generation of investigators.

You can contact me directly at: [Ghassanelsman@gmail.com](mailto:Ghassanelsman@gmail.com)

GitHub Repo: [https://github.com/Ghassan-elsman/Crow-Eye](https://github.com/Ghassan-elsman/Crow-Eye)
Eye-Describe: [https://crow-eye.com/Eye-Describe/windows_boot_disk_explorer](https://crow-eye.com/Eye-Describe/windows_boot_disk_explorer)
Boot Process Article: [https://crow-eye.com/booting-process](https://crow-eye.com/booting-process)

Happy hunting!

r/Malware Apr 18

This is ModsHub (formerly FiveMods) - a GTA V/FiveM software claiming to have over 1,2 million active users. It falls under the family TamperedChef. It shares similarities with previous TC-classified software - e.g. it collects a lot of system user data, provides extensive logging, various backup domains, obfuscated C2 communication and scheduled task set to autorun every day at 18:00 with a custom argument. We have also discovered a more capable variant (**which does not fall under the same business/network**) called Network Graphics that includes for example WebSocket connection that shares undeniable similarities with ModsHub - the code, technical functionality, behaviour and **code signer Danylo Babenko** are all almost identical. Full report: [https://rifteyy.org/report/tamperedchef-within-gta-v-modding-community](https://rifteyy.org/report/tamperedchef-within-gta-v-modding-community)

Friday, April 17
Cloudflare Apr 17
APT

The web has always had to adapt to new standards. It learned to speak to web browsers, and then it learned to speak to search engines. Now, it needs to speak to AI agents. Today, we are excited to introduce isitagentready.com — a new tool to help site owners understand how they can make their sites optimized for agents, from guiding agents on how to authenticate, to controlling what content agents can see, the format they receive it in, and how they pay for it. We are also introducing a new dataset to Cloudflare Radar that tracks the overall adoption of each agent standard across the Internet. We want to lead by example. That is why we are also sharing how we recently overhauled Cloudflare's Developer Documentation to make it the most agent-friendly documentation site, allowing AI tools to answer questions faster and significantly cheaper. How agent-ready is the web today? The short answer: not very. This is expected, but also shows how much more effective agents can be than they are today, if standards are adopted. To analyze this, Cloudflare Radar took the 200,000 most visited domains on the Internet; filtered out categories where agent readiness isn't important (like redirects, ad-servers, and tunneling services) to focus on businesses, publishers, and platforms that AI agents might realistically need to interact with; and scanned them using our new tool. The result is a new “Adoption

Trail of Bits Apr 17
CVE

Two weeks ago, Google’s Quantum AI group published a zero-knowledge proof of a quantum circuit so optimized, they concluded that first-generation quantum computers will break elliptic curve cryptography keys in as little as 9 minutes. Today, Trail of Bits is publishing our own zero-knowledge proof that significantly improves Google’s on all metrics. Our result is not due to some quantum breakthrough, but rather the exploitation of multiple subtle memory safety and logic vulnerabilities in Google’s Rust prover code. Google has patched their proof, and their scientific claims are unaffected, but this story reflects the unique attack surface that systems introduce when they use zero-knowledge proofs. Google’s proof uses a zero-knowledge virtual machine (zkVM) to calculate the cost of a quantum circuit on three key metrics. The total number of operations and Toffoli gate count represent the running time of the circuit, and the number of qubits represents the memory requirements. Google, along with their coauthors from UC Berkeley, the Ethereum Foundation, and Stanford, published proofs for two circuits; one minimizes the number of gates, and the other minimizes qubits. Our proof improves on both. Resource Type Google’s Low-Gate

Thursday, April 16
Troy Hunt Apr 16
CVE

I love cutting-edge tech, but I hate hyperbole, so I find AI to be a real paradox. Somewhere in that whole mess of overnight influencers, disinformation and ludicrous claims is some real "gold" - AI stuff that's genuinely useful and makes a meaningful difference. This blog post cuts straight to the good stuff, specifically how you can use AI with Have I Been Pwned to do some pretty cool things. I'll be showing examples based on OpenClaw running on the Mac Mini in the hero shot, but they're applicable to other agents that turn HIBP's data into more insightful analysis. So, let me talk about what you can do right now, what we're working on and what you'll be able to do in the future. Model Context Protocol (MCP) A quick MCP primer first: Anthropic came up with the idea of building a protocol that could connect systems to AI apps, and thus the Model Context Protocol was born: Using MCP, AI applications like Claude or ChatGPT can connect to data sources (e.g. local files, databases), tools (e.g. search engines, calculators) and workflows (e.g. specialized prompts)—enabling them to access key information and perform tasks. If I'm honest, I'm a bit on the fence as to how useful this really is (and I'm not alone), but creating it was a

r/netsec Apr 16
CVE

Two day intrusion. RDP brute force with a company specific wordlist, Cobalt Strike, and a custom Rust exfiltration platform (RustyRocket) that connected to over 6,900 unique Cloudflare IPs over 443 to pull data from every reachable host over SMB. Recovered the operator README documenting three operating modes and a companion pivoting proxy for segmented networks. Personalized extortion notes addressed by name to each employee with separate templates for leadership and staff. Writeup includes screen recordings of the intrusion, full negotiation chat from their Tor portal, timeline, and IOCs.

r/netsec Apr 16
CVE

u/albinowax’s work on request smuggling has always inspired me. I’ve followed his research, watched his talks at DEFCON and BlackHat, and spent time experimenting with his labs and tooling. Coming from a web security background, I’ve explored vulnerabilities both from a black-box and white-box perspective — understanding not just how to exploit them, but also the exact lines of code responsible for issues like SQLi, XSS, and broken access control. Request smuggling, however, always felt different. It remained something I could detect and exploit… but never fully trace down to its root cause in real-world server implementations. A few months ago, I decided to go deeper into networking and protocol internals, and now, months later, I can say that I “might” have figured out how the internet works 😂 This research on HAProxy (HTTP/3, standalone mode) is the result of that journey — finally connecting the dots between protocol behavior and the actual code paths leading to the bug. (Yes, I used AI 😉)

WIRED Apr 16

Available for free to any company that wants to use it, the “completely anonymous” app puts the pressure on porn sites and social media platforms to start blocking access by minors.

r/netsec Apr 16

I submitted an earlier version of this dataset and was declined on the basis of missing methodology and unverifiable provenance. The feedback was fair. The documentation has since been rewritten to address it directly, and I would very much appreciate a second look.

## What the dataset contains

101,032 samples in total, balanced 1:1 attack to benign.

**Attack samples (50,516)** across 27 categories sourced from over 55 published papers and disclosed vulnerabilities. Coverage spans:

- Classical injection - direct override, indirect via documents, tool-call injection, system prompt extraction
- Adversarial suffixes - GCG, AutoDAN, Beast
- Cross-modal delivery - text with image, document, audio, and combined payloads across three and four modalities
- Multi-turn escalation - Crescendo, PAIR, TAP, Skeleton Key, Many-shot
- Emerging agentic attacks - MCP tool descriptor poisoning, memory-write exploits, inter-agent contagion, RAG chunk-boundary injection, reasoning-token hijacking on thinking-trace models
- Evasion techniques - homoglyph substitution, zero-width space insertion, Unicode tag-plane smuggling, cipher jailbreaks, detector perturbation
- Media-surface attacks - audio ASR divergence, chart and diagram injection, PDF active content, instruction-hierarchy spoofing

**Benign samples (50,516)** are drawn from Stanford Alpaca, WildChat, MS-COCO 2017, Wikipedia (English), and LibriSpeech. The benign set is matched to the surface characteristics of the attack set so that classifiers must learn genuine injection structure rather than stylistic artefacts.

## Methodology

The previous README lacked this section entirely. The current version documents the following:

1. **Scope definition.** Prompt injection is defined per Greshake et al. and OWASP LLM01 as runtime text that overrides or redirects model behaviour. Pure harmful-content requests without override framing are explicitly excluded.
2. **Four-layer construction.** Hand-crafted seeds, PyRIT template expansion, cross-modal delivery matrix, and matched benign collection. Each layer documents the tool used, the paper referenced, and the design decision behind it.
3. **Label assignment.** Labels are assigned by construction at the category level rather than through per-sample human review. This is stated plainly rather than overclaimed.
4. **Benign edge-case design.** The ten vocabulary clusters used to reduce false positives on security-adjacent language are documented individually.
5. **Quality control.** Deduplication audit results are included: zero duplicate texts in the benign pool, zero benign texts appearing in attacks, one documented legacy duplicate cluster with cause noted.
6. **Known limitations.** Six limitations are stated explicitly: text-based multimodal representation, hand-crafted seed counts, English-skewed benign pool, no inter-rater reliability score, ASR figures sourced from original papers rather than re-measured, and small v4 seed counts for emerging categories.

## Reproducibility

Generators are deterministic (`random.seed(42)`). Running them reproduces the published dataset exactly. Every sample carries `attack_source` and `attack_reference` fields with arXiv or CVE links. A reviewer can select any sample, follow the citation, and verify that the attack class is documented in the literature.

## Comparison to existing datasets

The README includes a comparison table against deepset (500 samples), jackhhao (2,600), Tensor Trust (126k from an adversarial game), HackAPrompt (600k from competition data), and InjectAgent (1,054). The gap this dataset aims to fill is multimodal cross-delivery combinations and emerging agentic attack categories, neither of which exists at scale in current public datasets.

## What this is not

To be direct: this is not a peer-reviewed paper. The README is documentation at the level expected of a serious open dataset submission - methodology, sourcing, limitations, and reproducibility - but it does not replace academic publication. If that bar is a requirement for r/netsec specifically, that is reasonable and I will accept the feedback.

## Links

- GitHub: https://github.com/Josh-blythe/bordair-multimodal
- Hugging Face: https://huggingface.co/datasets/Bordair/bordair-multimodal

I am happy to answer questions about any construction decision, provide verification scripts for specific categories, or discuss where the methodology falls short.

Story Overview