Palo Alto Networks is warning that hackers are now exploiting a PAN-OS GlobalProtect authentication bypass flaw, tracked as CVE-2026-0257, in attacks attempting to breach corporate networks. [...]
Cybersecurity News and Vulnerability Aggregator
Cybersecurity news aggregator
Updated: 8:40 pm
J/K Navigate / Search S Save V Open Link
— or
treemd <(curl -sL https://allsec.sh/md) (as Markdown) Top Cybersecurity Stories Today
Key Takeaways We just got back from Tenable Exposure 2026 in Boston and three big questions dominated every conversation we had on the floor: The good news is, Synack is exactly positioned to answer these questions. Tenable Finds It. Sara AI Pentesting Proves What’s Exploitable. The Synack and Tenable integration addresses a gap that’s gotten […] The post Tenable Exposure 2026: How AI Pentesting Helps Partners Turn Scanner Findings into Actionable Risk appeared first on Synack .
A new Mini Shai-Hulud supply chain attack campaign, codenamed Miasma, has compromised @redhat-cloud-services packages to steal credentials and secrets from developer machines and deliver a self-propagating worm. "This is effectively a Mini Shai-Hulud campaign: it uses the same core tactics of install-time execution, credential harvesting, CI/CD targeting, encrypted exfiltration, and potential
Overview The PCTCore64.sys Windows kernel driver from PC Tools Internet Security exposes its \\.\PCTCoreDriver device interface with no access control, allowing any user-mode process to interact with the driver and invoke privileged IOCTL (I/O Control) commands. In a Bring Your Own Vulnerable Driver (BYOVD) scenario, a local attacker with the ability to load a Windows driver can exploit the exposed interface to perform sensitive low-level operations on the target device. Description PCTCore64.sys is a Windows kernel driver that implements system monitoring and protection functionality on local Windows systems. The driver creates a Windows Driver Model (WDM) device object \\.\PCTCoreDriver via IoCreateDevice and provides user-mode access through a DOS device symbolic link via IoCreateSymbolicLink . The driver exposes privileged functionality intended for administrative or security operations; however, the device object is created without a restrictive security descriptor. Specifically, the driver does not apply security best practices using either Security Descriptor Definition Language (SDDL) or the IoCreateDeviceSecure API, allowing unprivileged user-mode processes to open handles to the device and issue privileged IOCTL requests. As a result, an attacker may invoke IOCTL handlers capable of performing sensitive low-level operations, including: System-wide handle enumeration Cross-process handle manipulation Credential extraction from lsass.exe Forced termination of a
Microsoft says an ongoing incident is preventing users of its Teams collaboration platform and Office for the web cloud-based productivity suite from opening files. [...]
Latest
Monday, June 1
Key Takeaways We just got back from Tenable Exposure 2026 in Boston and three big questions dominated every conversation we had on the floor: The good news is, Synack is exactly positioned to answer these questions. Tenable Finds It. Sara AI Pentesting Proves What’s Exploitable. The Synack and Tenable integration addresses a gap that’s gotten […] The post Tenable Exposure 2026: How AI Pentesting Helps Partners Turn Scanner Findings into Actionable Risk appeared first on Synack .
Multiple Dashlane users have been locked out of their accounts following brute-force attacks that attempted logins from distant locations and unknown devices. [...]
A new Mini Shai-Hulud supply chain attack campaign, codenamed Miasma, has compromised @redhat-cloud-services packages to steal credentials and secrets from developer machines and deliver a self-propagating worm. "This is effectively a Mini Shai-Hulud campaign: it uses the same core tactics of install-time execution, credential harvesting, CI/CD targeting, encrypted exfiltration, and potential
The Instagram accounts for the Obama White House and the Chief Master Sergeant of the U.S. Space Force were briefly defaced with pro-Iranian images and messages over the weekend, after instructions began circulating on Telegram showing how to trick Meta’s “AI support assistant” bot into resetting account passwords. A screenshot from a video released on Telegram claiming to show how Meta’s AI customer support bot could be tricked into resetting a target’s password. On May 31, word began to spread on several Telegram instant message channels that Meta’s AI bot would happily add an email address to an existing account as part of the bot’s standard password reset flow. A video released on Telegram by pro-Iran hackers claimed to document a remarkably simple exploit that appears to have involved using a VPN connection with an IP address that is in or near the target’s usual hometown, requesting a password reset for the account, and then choosing to chat with Meta’s AI support assistant. From there, the video shows the attacker told the bot to link the account in question to a new email address, after which the bot dutifully sent that address a one-time code that allowed a password reset. The Telegram account that posted the video also linked to screenshots of pro-Iran images, videos and messages that defaced the hacked Instagram accounts, saying hackers had used the exploit to hijack a number of valuable (read: short) Instagram account names that allegedly have a resale value of more than a half million dollars. Meta has not res
A major npm supply-chain incident reportedly hit the @redhat-cloud-services scope, with malicious versions published through an OIDC trusted publishing gap. The concerning part is that the packages could still appear with valid provenance, while the Miasma payload ran during npm install, stole developer/CI credentials, and attempted to spread through npm tokens, Git repos, and dev tooling configs. Apparently, the Miasma worm is an evolved form of the Mini Shai-Hulud worm
Nearly 2,000 WordPress websites were infected with malware that relies on Steam Community profile comments to hide command-and-control (C2) data. [...]
Cloudflare's core is the centralized data centers that run our control plane, billing, and analytics -- distinct from the globally distributed edge that handles user traffic. Core servers are bare metal, and when issues happen during reboot, the consequences can cascade fast. Their boot sequence is orchestrated by UEFI , the modern firmware standard that initializes hardware and hands off control to the operating system. Small quirks in that handoff can have outsized consequences. After a routine firmware update, some of our core servers were taking four hours to come back online, rather than just minutes as they did before. What should have been a one-day fleet-wide rollout was stretching into multi-day slogs. New nodes faced the full timeout gauntlet on their very first boot. Maintenance windows ballooned. Engineering teams had to babysit upgrades that should have run unattended. This issue affected the entire Gen12 fleet -- nearly 2,000 units. Every unexpected failure mid-upgrade meant restarting the entire cycle, and new capacity sat idle waiting for the timeout gauntlet to clear. This is the story of how we tracked the cause to a firmware quirk and an over-eager linear search through every available network boot interface, and how we cut total boot and upgrade time from hours back down to minutes. Along the way, we'll share what we learned about UEFI internals, vendor-specific quirks, and the automation strategies that ultimately solved the problem. The network boot interface A network boot interface allows a server to boot its operating system over the network instead of from local storage. This is critical for centralized, automated, and scalable control over how machines start up, especially a
Overview The PCTCore64.sys Windows kernel driver from PC Tools Internet Security exposes its \\.\PCTCoreDriver device interface with no access control, allowing any user-mode process to interact with the driver and invoke privileged IOCTL (I/O Control) commands. In a Bring Your Own Vulnerable Driver (BYOVD) scenario, a local attacker with the ability to load a Windows driver can exploit the exposed interface to perform sensitive low-level operations on the target device. Description PCTCore64.sys is a Windows kernel driver that implements system monitoring and protection functionality on local Windows systems. The driver creates a Windows Driver Model (WDM) device object \\.\PCTCoreDriver via IoCreateDevice and provides user-mode access through a DOS device symbolic link via IoCreateSymbolicLink . The driver exposes privileged functionality intended for administrative or security operations; however, the device object is created without a restrictive security descriptor. Specifically, the driver does not apply security best practices using either Security Descriptor Definition Language (SDDL) or the IoCreateDeviceSecure API, allowing unprivileged user-mode processes to open handles to the device and issue privileged IOCTL requests. As a result, an attacker may invoke IOCTL handlers capable of performing sensitive low-level operations, including: System-wide handle enumeration Cross-process handle manipulation Credential extraction from lsass.exe Forced termination of a
@redhat-cloud-services npm scope backdoored with valid signed SLSA provenance; recovered the GitHub commit-search dead-drop C2 markers
On 1 Jun 2026, 31 packages across the redhat-cloud-services npm scope were republished with an install-time malware payload, and it kept re-arming: at least 4 bursts in one afternoon as the registry purged each batch, version numbers climbing each time. What makes it notable for defenders: ## Valid, signed provenance Every malicious version carries valid SLSA provenance and passes `npm audit signatures`. npm trusted publishing authorizes on (repository + workflow file path), so the attacker pushed a throwaway branch carrying a workflow named `release.yml` set to run on any push with `id-token: write`. GitHub Actions ran it in the repo's context, npm minted a real publish token AND a real attestation, then the branch was deleted. `main` was never touched. The scope publishes from more than one RedHatInsights repo (clients from javascript-clients, the MCP servers from platform-frontend-ai-toolkit), so more than one CI pipeline was abused. Provenance proves where a build came from, not what it does. ## IOCs (from a sandbox detonation) C2 is a GitHub commit-search dead-drop, no hardcoded host. The implant queries `api.github.com/search/commits` for marker strings to locate its drop point: - `thebeautifulmarchoftime` - `IfYouInvalidateThisTokenItWillNukeTheComputerOfTheOwner` - User-Agent: `python-requests/2.31.0` Searchable in GitHub commit search / audit logs, and the drop-point commits can be purged. (Not in the public writeups yet; contributed to the issue below.) Behavior: - Env-gated: only fires when `CI` / `GITHUB_ACTIONS` are set (dormant in a bare sandbox), which is why a lot of dynamic analysis misses it. - Credential reads within ms of install: `~/.aws/credentials`, `~/.ssh/id_rsa`, `~/.git-credentials`, `~/.docker/config.json`. - All egress DNS-resolved, no hardcoded-IP C2, no cloud metadata probe in our run. ## Detection - Pin to integrity (lockfile) and expect re-arming: `latest` was malicious far more often than not across the afternoon. - A kernel agent that returns `-EPERM` on credential-file reads kills the job before the C2 fires. - Behavioral checks at publish time catch this regardless of how clean the provenance looks. ## Sources - StepSecurity, original report + writeup: https://github.com/RedHatInsights/platform-frontend-ai-toolkit/issues/57 and https://www.stepsecurity.io/blog/multiple-redhat-cloud-services-npm-packages-compromised - SafeDep, the OIDC/SLSA provenance-abuse technique (AntV wave): https://safedep.io/mini-shai-hulud-strikes-again-314-npm-packages-compromised/ - Recovered C2 markers contributed to the RedHatInsights issue: https://github.com/RedHatInsights/platform-frontend-ai-toolkit/issues/57#issuecomment-4594221102 - Full first-hand method (detonation, provenance anatomy, checksums): https://leitwacht.eu/blog/valid-provenance-malicious-package Disclosure: I founded Leitwacht; the agent referenced is our open-source CE binary.
Microsoft says an ongoing incident is preventing users of its Teams collaboration platform and Office for the web cloud-based productivity suite from opening files. [...]
Attackers are exploiting vulnerabilities faster than many organizations can identify and patch them. SecAlerts explains why faster vulnerability alerts can help reduce exposure and improve response times. [...]
Monday hit like a cron job with anger issues. A busted auth path here, a repo-side faceplant there, some "patched-ish" thing already getting chewed on in the wild, and then the usual bonus round: poisoned dev tools, sketchy forum chatter, phishing kits pretending to be productivity, and AI lowering the bar for people who already thought 'curl | sh' had a personality. The vibe is simple: old
CISA's latest patch deadlines are a reminder that attackers tend to focus on the same things defenders depend on most: edge devices, security tools, and internet-facing applications. When PAN-OS, Defender, and Langflow all show up on the radar at once, patching becomes a risk management exercise, not just maintenance.
A new cyber espionage campaign codenamed Operation Dragon Weave has been observed targeting officials and citizens in the Czech Republic and Taiwan to deliver an AdaptixC2 agent. According to Seqrite Labs, targets of the campaign include government, research, academic, technology, and financial services sectors. The activity entails distributing spear-phishing emails containing ZIP attachments
Microsoft is working to address an ongoing incident preventing customers from setting up multi-factor authentication (MFA) or accessing the My Sign-Ins platform. [...]
Three years ago, the practical question for an MSP building a cybersecurity practice was which "vCISO platform" to buy. The term was good shorthand for the work at the time: assessments, advisory, reporting, maybe a compliance module bolted on the side. The work has since outgrown the descriptor. A Security Growth Platform is the more precise name for what MSPs and MSSPs need from the software
In this excerpt from WIRED Book Club pick The Yahoo Boys, journalist Carlos Barragán traces one scammer’s journey from flop to fortune.
Thanks to the newly detailed FROST technique, telltale SSD activity can be measured in the browser using simple JavaScript.
Threat actors are attempting to actively exploit a critical security flaw impacting WP Maps Pro, a WordPress plugin that has had over 15,000 sales on the Envato Market, to create malicious administrator accounts on susceptible sites. WP Maps Pro allows site owners to embed customizable Google Maps and OpenStreetMap with markers, listings, and advanced location features on WordPress sites. It is
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite Today, I loaded the 1,000th data breach into Have I Been Pwned . Reflecting on that milestone number, I pondered how to mark the occasion in writing, and what immediately came to mind was a very simple question: why is it still needed? Especially considering the emergence of privacy regulations such as GDPR and CCPA in the 12 and a half years since I started HIBP, what possible purpose does it still serve? The title kinda gives the answer away, and the big number we hit today coincided with another pattern that makes everything worse: increasingly long lag times for disclosure. This is all going to be anecdotal, and as far as I know, there are no hard numbers for me to cite, but the evidence is everywhere. Here's what I mean: New breach: Cruise operator Carnival was targeted in a ShinyHunters “pay or leak” attack last week. 8.7M records with 7.5M email addresses and loyalty program data were published yesterday. 85% were already in @haveibeenpwned . Read more: https://t.co/QhqNt0WucV — Have I Been Pwned (@haveibeenpwned) April 24, 2026
To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite I'm finding it quite fascinating to watch the current spate of ShinyHunters breaches and dumps. There's the obvious criminality of it all, but then there's also the response from organisations (or lack thereof, as it relates to disclosure to victims), the appearance and disappearance of victims on their dark web site, the speculation around payments and so on and so forth. And it's seemingly endless - I mentioned DentaQuest during the video, and sure enough, the next day, a 233GB corpus allegedly from them was dropped. By the next update, it might be BCD Travel as well and who knows which other services will appear on the "pay or leak" list. Strange times, I can't remember it ever being this crazy before TBH.
Sunday, May 31
[https://youtu.be/1W8gCFU8B0U](https://youtu.be/1W8gCFU8B0U) Thought it would be fun to share some learnings I made when building a similar lab at work but for me. Not exactly what I built at work (I think mines a bit better TBH) but this first video could be a jumping off point for different ways to do this 😄 Open to suggestions and feedback ❤️ Edit: I've fixed the audio so it should be better now!
Hackers are targeting WordPress websites running a vulnerable version of the WP Maps Pro plugin, which allows creating rogue administrator accounts without authentication. [...]
Dutch authorities have announced the takedown of a botnet that enslaved millions of infected devices, including computers, tablets, smartphones, and IoT devices, to carry out malicious attacks. The bot network, per the Dutch Politie and the National Cyber Security Center (NCSC), consisted of at least 17 million infected devices. More than 200 servers located in the Netherlands acted as the
Source: [https://x.com/nextronresearch/status/2060014483242651694?s=20](https://x.com/nextronresearch/status/2060014483242651694?s=20) Copy: [https://bazaar.abuse.ch/sample/bb1b4e46f1e4a7f17b1b04ee08c33400b2b6fd2327612a4d84da81e2656ba48b/](https://bazaar.abuse.ch/sample/bb1b4e46f1e4a7f17b1b04ee08c33400b2b6fd2327612a4d84da81e2656ba48b/)
Saturday, May 30
I reverse engineered how Plex gates its Pass features, then wrote a tiny patch that flips them all on (Linux)
Palo Alto Networks is warning that hackers are now exploiting a PAN-OS GlobalProtect authentication bypass flaw, tracked as CVE-2026-0257, in attacks attempting to breach corporate networks. [...]
Plus: A ransomware group is now stealing data in person, BusPatrol wants to hand its license plate surveillance data to the cops, and more.
Friday, May 29
The website, which compares human beings to extraterrestrials, touts arrest numbers from the Trump administration’s sweeping immigration crackdown. But some of its details are really out there.
Threat actors are abusing ChatGPT's content-sharing feature to display fake OpenAI outage pages that direct users to download malware disguised as the ChatGPT desktop application. [...]
Cybersecurity researchers have disclosed details of a vulnerability in OpenAI ChatGPT that leverages the artificial intelligence (AI) assistant's implicit trust in Markdown links and images to trigger prompt injections and open the door to phishing attacks. The technique has been codenamed ChatGPhish by Permiso Security. "The chatgpt.com response renderer trusts Markdown links and Markdown
An unknown threat actor has been observed using a large language model (LLM) agent to conduct post-compromise actions after obtaining initial access following the exploitation of a publicly-accessible Marimo network using a recently disclosed vulnerability. "The attacker compromised an internet-reachable Marimo notebook via CVE-2026-39987, extracted two cloud credentials from the compromised
DDoS attacks are increasingly being sold like subscription services, complete with pricing tiers, support, and reseller programs. Flare explores how the DDoS-as-a-Service market has evolved from scattered tools into polished attack platforms. [...]
A previously undocumented threat actor dubbed GREYVIBE has been attributed to ongoing and persistent attacks targeting Ukraine and Ukraine-related entities since at least August 2025. GREYVIBE, per WithSecure, is assessed to be a Russian-speaking group operating broadly in the Russian time zone, with the activities aligning with Kremlin state interests, specifically when it comes to
Shadow AI used to mean employees pasting things they shouldn't into ChatGPT. It now means something bigger: employees building full applications with AI, wiring them into production systems, and publishing them on the open internet. Without Security or IT in the loop. The artifact moved from a prompt to a product. The risk surface moved with it. In The Shadow Builders report (get it here), a
Cybersecurity researchers have discovered a malicious NuGet package that masquerades as a C# software development kit for Sicoob, one of Brazil's largest cooperative financial systems, to siphon client IDs and PFX certificates. According to Socket, versions 2.0.0 through 2.0.4 of "Sicoob.Sdk" contain functionality to exfiltrate sensitive information, including PFX certificates that are used to
We found a cluster of 1,001 IPs across 306 networks and 64 countries, tied to eight shared staging servers and a single TLS and HTTP fingerprint that appears nowhere else, plus smaller botnets that fall into clean separate islands.
I built an independent benchmark with 20 real CVEs across 15 CWE categories, 5 models (3 OpenAI, 2 Poolside Laguna), three prompt conditions: full advisory, behavioral description only, and location only (file and function, no description of the flaw). I have three findings worth sharing: * **No model reliably fixes real vulnerabilities.** The best solve rate (gpt-5.5) is 50% overall and 60% under the most favorable condition. The failure modes (e.g, wrong-search drift, budget exhaustion mid-implementation, plausible-but-incomplete patches that pass every visible test) are structured and repeatable across models and tasks. * **Token cost varies 4x for equivalent outcomes.** The Laguna models consume 3–4x more tokens than OpenAI models of the same capability tier, with no improvement in solve rate. * **The locate condition is the benchmark's sharpest instrument.** Give a model only a file and function (no description of the flaw). Every model drops. The differences between models are within noise at this scale, but it's the condition that most closely resembles what a security researcher actually does: reading code cold and recognizing independently that something is wrong. Benchmark code and evaluation traces are open sourced.
The North Korean state-sponsored threat actor known as Kimsuky (aka Velvet Chollima) has been attributed to a fresh set of cyber attacks targeting South Korean military and corporate entities through March and April 2026. "Kimsuky employed a range of tailored social engineering tactics, such as spoofing security software installation pages and crafting a fake Webex meeting page that leveraged
Thursday, May 28
Discovery During a recent network security assessment, we were working on an environment that was well-hardened – Patching was current, password policies were strong, and network segmentation was in place. So, as part of our enumeration of all network assets, we started looking for default credentials and this led us to multiple Canon enterprise printers configured with default administrator credentials. Enterprise printers are an interesting attack surface because it is common practice to have them configured with domain credentials. So, with administrative access, we tried to execute auth-back attacks by modifying the printer’s configuration to point to our server for credential capture or relay. However, network segmentation controls blocked this attack, as outbound controls prevented traffic from reaching our attacker-controlled subnet. We needed a different approach. We turned our attention to how the printer handled stored credentials. Specifically, we were curious to look at what happened to them during export. While exploring the printer’s administrative interface, we found a configuration export feature that allows administrators to back up device settings. This immediately raised a question: how were stored credentials being protected during export? Canon’s documentation states that exporting sensitive data requires encryption and the web interface presents encryption options (Security Level 1 and 2) that appear mandatory. However, we quickly discovered that these controls are implemented client-side without server-side validation. Vulnerability Canon imageRUNNER ADVANCE DX printers provide a configuration export feature that is accessible through the web management interface. The web UI appears to enforce encryption by requiring a user-supplied pass
Key Takeaways AI generates findings at scale, but scale without trust creates risk. The real security challenge isn’t discovery—it’s knowing which findings are real, exploitable, and worth acting on before automated systems take action. False positives become operationally dangerous in AI-driven environments. Model hallucination, single-tool reliance, and misinterpreted context can cause AI to fabricate vulnerabilities […] The post AI Can’t Fix What It Can’t Trust: Why Continuous Security Validation Matters appeared first on Synack .
In previous blog posts we’ve talked about getting nerd sniped . Today we’re going to talk about a kind of nerd sniping that any offensive security tool creator is familiar with; when your tool gets signatured. This normally kicks off a frustrating spiral of back and forth changes between the tool author and security vendors until the tool author runs out of resources to keep responding to changes. Like many parts of the security space, LLMs have changed how this story might end. The Classic Offensive Security Tooling Lifecycle There’s a lifecycle to most offensive security tooling. First you encounter a problem that’s common or problematic enough that you want to automate it, so you write a tool. Then you use that tool privately until you decide the time has arrived to open source it. This is a cool moment, you get to share your techniques with the community and if you’re really lucky, maybe the fundamental problem your tool exposes is fixed. Much more likely, once it’s open sourced it eventually gets signatured to the point that you
A critical security vulnerability has been disclosed in Gogs, a popular open-source self-hosted Git service, that allows an authenticated user to execute arbitrary code under certain conditions. The security flaw, per Rapid7, is rated 9.4 on the CVSS scoring system. It does not have a CVE identifier. "The vulnerability allows any authenticated user to achieve remote code execution (RCE) on
The US military has long known that cheap fixes could stop location data from exposing its troops. It adopted almost none—and now says adversaries are using the data to target soldiers during a war.
Threat actors are continuing to exploit a critical, now-patched security flaw impacting FortiClient Endpoint Management Server (EMS) deployments to deliver a credential-stealing malware family dubbed EKZ Infostealer. "The campaign abused trusted endpoint management infrastructure to deliver malware across managed endpoints," Arctic Wolf said. "Threat actors disguised the credential stealer
Microsoft has come out strongly in favor of Coordinated Vulnerability Disclosure (CVD), urging the research community to share their findings and give affected vendors an opportunity to better understand the impact and address them before they are publicly disclosed. The development comes after a researcher named Chaotic Eclipse (aka Nightmare-Eclipse) disclosed details of multiple zero-day
ThreatsDay Bulletin: Claude Security Plugin, Azure Priv-Esc, Kali365 MFA Bypass, FIFA Scams +15 More
Every time you think the industry has finally stopped doing some reckless, low-effort crap, somebody spins up a fresh box full of sketchy loaders, fake installers, recycled social-engineering bait, and enough exposed infrastructure to make you wonder if prod is just a public beta now - meanwhile some researcher casually drops a technique that turns a "minor" foothold into total account
Cloudflare processes more than a billion events every second. Our network spans 330+ cities in 120+ countries. Behind every HTTP request, every Worker invocation, every R2 read operation, there is data, and a lot of it. For years, that data was not very easy to access. It lived in dozens of production databases, ClickHouse clusters, Kafka streams, Google Cloud buckets, BigQuery datasets, and a long tail of pipelines. To answer a simple question like "How many domains that signed up today are in the Top 100 by traffic?", an analyst at Cloudflare had to know which system to ask, what credentials to use, what query language to write, and whether the data they were looking at was sampled, fresh, or seven-days stale. As a result, it was difficult to glean informed insights from the data. To solve this problem, we built two in-house tools: Town Lake, Cloudflare's unified data analytics platform, and Skipper, an AI data agent that runs on top of it. Town Lake is a single SQL interface to everything Cloudflare knows, and Skipper is how anyone at Cloudflare can ask questions in plain English and get correct, auditable answers back in seconds. This is the story of how we built both. The shape of the problem If you have ever worked at a company that went through a hyper-growth period, you know what data sprawl looks like. Ours had a few specific symptoms: Too many disparate systems. A product engineer who wanted to investigate a customer issue might need to query Postgres for account metadata, ClickHouse for analytics events, BigQuery for usage rollups, R2 for raw logs, and Kafka topics for real-time signals. Each system had its own credentials, its own language, and its own retention policy. Sampled data. This is fine for dashboards, but doesn’t work for domains like billing. Our
New AI Usage Report: Enterprise AI Risk Is Heavily Concentrated Among a Small Group of AI "Power users"
State of AI Usage Report 2026 (full report here) by LayerX Security reveals the extent of the enterprise AI visibility gap and why most organizations still don't understand where their AI exposure is actually coming from. The research shows that enterprise AI risk is not distributed evenly across users or platforms. Instead, it is heavily concentrated among a small group of AI power users and a
Customer data from more than 350 hotels around the world may have been accessed as part of realistic reservation-hijacking scams.
From Exploit Code to Production Detection: Building a CVE-2026-31431 (Copy Fail) detection with Agents
CVE-2026-31431 (Copy Fail) lets any unprivileged user corrupt the Linux page cache via AF_ALG sockets to escalate privileges. This post covers the exploit mechanics and how Datadog Security Research used coding agents to ship a detection content pack in a single session.
Wednesday, May 27
Anna Turley gives Reform leader 24 hours to report Russian hacking claim in ‘public and national interest’ The Labour chair has given Nigel Farage 24 hours to report to security services the claim that his phone was hacked by Russia-linked actors or the party will do it for him. In a letter to the Reform UK leader, Anna Turley said it was “in the public and national interest” to ensure that a suspected overseas hack of a senior politician’s phone by a hostile state was properly investigated. Continue reading...
There’s an increase in Device Code phishing activity, with Kali365 emerging as one of the most active PhaaS. In the last 24 hours alone, ANYRUN recorded 100+ related analysis sessions. The attack abuses legitimate Microsoft device authentication flows. Victims are shown a user code and instructed to enter it into a real Microsoft device auth page, allowing attackers to capture OAuth access tokens instead of passwords. The risk shifts from credential theft to token abuse, while significantly reducing the number of traditional phishing indicators typically used for detection and triage. Deobfuscated Kali365 JavaScript revealed that after a verification gate, the lure deploys a phishing page, launches a legitimate Microsoft device authentication flow, and then polls /api/status/<session\_id> for session states such as captured, expired, and declined. The code also contains lure-template generators for OneDrive, SharePoint, Teams, Outlook, and Voicemail, and a separate Google device-code authentication flow. Analysis and IOCs: [https://app.any.run/tasks/d078f430-c3cc-44e8-a809-5506205049c3](https://app.any.run/tasks/d078f430-c3cc-44e8-a809-5506205049c3?utm_source=reddit) https://preview.redd.it/qve9gy4y9q3h1.png?width=1080&format=png&auto=webp&s=a5058a4553a38d8e012cc9f51a37b7efa5ae5fc9
On Tuesday, May 26, Iran’s vice president announced that Internet access had started to be restored in the country after being cut off almost three months ago, following the launch of U.S. and Israeli attacks on February 28. Cloudflare Radar data confirms increased activity and indicates a partial restoration of the Internet in Iran. In this blog post, we’ll examine a range of data points that provide a lens into this prolonged shutdown – and the signs that Iran’s citizens are increasingly able to connect once again. As the situation continues to unfold, Radar will have the latest data on Iran’s connectivity . The first shutdown Iranian citizens have experienced two national Internet shutdowns this year. The first began on January 8 around 16:30 UTC (20:00 local time), and we explored the impact seen over the first few days in a blog post . Traffic from Iran remained near zero until January 21, when a small amount of traffic returned, only to disappear a little over 24 hours later. A similar brief restoration also occurred on January 25, before traffic recovered more fully beginning on January 27. The second shutdown In late February, as military strikes on Iran escalated, a second nationwide Internet shutdown began. That sweeping shutdown has persisted for nearly three months. The shutdown began on February 28. On that date, Cloudflare Radar observed a sharp drop in traffic from
A week after Dutch FIOD seized 800+ servers, the hosting network's ASN (AS209847) is still scanning at its normal daily rate
After FIOD seized 800+ servers and arrested two operators on May 18, the ELLIO research team reports that scanning from the network's ASN ranges has continued largely uninterrupted - and that while roughly a third of the recently-active ranges (including the legacy Stark blocks 94.131.105.0/24 and 92.118.232.0/24) have since been withdrawn from global routing, the surviving ranges under AS209847 (WorkTitans / THE.Hosting) are still announced and still scanning, at the network's normal daily rate. The sibling ASNs (AS213999 and the Moscow-based AS33993) remain routed and idle. The recent activity skews toward database and ICS/SCADA discovery = MongoDB, Redis, PostgreSQL, Oracle, LDAP, plus DNP3 and EtherNet/IP - alongside known-exploit probes like CVE-2017-17215 and WinRM.
Threat Intel: Lithuania Investigates B2B Credential Misuse Exposing 600,000 National Registry Records
The Lithuanian Prosecutor General’s Office and the Criminal Police Bureau have initiated a joint investigation into a large-scale data exfiltration incident targeting the **State Enterprise Centre of Registers**. The incident involved the unauthorized copying of over 600,000 records from the country's national Real Estate and Legal Entities Registers. Rather than exploiting an unpatched software vulnerability, the attack mechanics rely on a classic trust-boundary compromise. **The Entry Vector: Cross-Agency Credential Misuse (MITRE T1078)** Forensic tracking indicates that the threat actors executed a series of unauthorized connections originating from foreign infrastructure. The entry vector relied on valid, high-privilege B2B institutional login credentials assigned to external state departments authorized to query the central registry database. Independent statements from legislative and defense officials suggest the specific access pathway was carved out by compromising authenticated accounts belonging to the **Department of Migration under the Ministry of the Interior**. By hijacking these valid inter-agency connection points, the threat actors bypassed perimeter barriers, allowing them to issue massive queries to the backend database without triggering immediate anomaly blocks. **Exfiltration Scope & Impact Profile** The breach was initially identified by internal monitoring in early April 2026, but public disclosure was delayed due to the ongoing criminal inquiry. The exfiltrated data schemas consist of: * Full legal names, dates of birth, and unique national identification numbers. * Registered physical addresses, corporate entity structures, and detailed cadastral/property registry extracts. The Centre of Registers has confirmed that primary consumer-facing vectors - such as telephone contact details, email addresses, bank account numbers, or raw cadastral measurement files - were not part of the exfiltrated datasets. The primary operational risk is tactical intelligence gathering. Security analysts have pointed out that bulk access to unlisted residential addresses linked to legal entities can be leveraged by foreign intelligence services for target profiling, spear-phishing orchestration, or coercion of state personnel, diplomats, and military figures. **Incident Response & Remediation** Following the identification of the unauthorized bulk queries, the Centre of Registers implemented the following controls: 1. Immediate revocation and blocking of all compromised inter-agency institutional accounts. 2. Mandatory credential rotation and strict query-volume throttling across all API and web self-service gateways linked to external state dependencies. 3. The director of the Centre of Registers, Adrijus Jusas, formally stepped down on May 25 following administrative scrutiny regarding legacy IT infrastructure and monitoring gaps. While independent defense officials note the incident matches the operational signatures of state-aligned hybrid surveillance operations, official attribution from the Prosecutor General's Office remains open.
TL;DR: Visit https://sshlabs.compass-security.training to learn more about SSH security. Introduction SSH is a widely used protocol that provides secure access to remote systems. It enables encrypted communication, file transfers, command execution and shell access for system administration. However, when misconfigured, poorly secured or used in an unsafe way, SSH can become an attack vector for attackers. When we perform Linux hardening or infrastructure reviews , we often see that SSH is not used securel
Tuesday, May 26
Encrypted DNS in 2026: DoH, DoT, DoQ and DoH3 protocol comparison — including DNS hijacking attack vectors and what each protocol actually prevents
The security angle on encrypted DNS is often oversimplified. DoH prevents ISP-level snooping and basic DNS hijacking, but doesn't protect against a compromised resolver. DoT is easier to detect and block, which has real implications for threat actors trying to exfiltrate via DNS. DoQ is interesting from a security perspective because QUIC's connection ID migration makes traffic correlation harder. Article includes benchmark data and practical server config — but mostly written for the "which threat model does each protocol address" question.
As Americans stew over the looming risk of job-stealing AI and data centers in their back yards, the feds are raising the alarm about a new category of threat, documents obtained by WIRED show.
Monday, May 25
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite Today, we welcome the 45th government onboarded to Have I Been Pwned’s free gov service: Bhutan. The Bhutan Computer Incident Response Team, BtCIRT, now has access to monitor Bhutanese government domains against the data in HIBP. As Bhutan’s national CIRT, BtCIRT is responsible for consuming threat intelligence and sharing relevant insights with its constituents, helping identify and respond to cyber risks affecting government services and the people who depend on them. This is exactly the sort of organisation the HIBP government service was built to support: national cybersecurity teams using breach data to identify leaked credentials and compromised databases associated with their government domains. BtCIRT now joins the growing list of national CIRTs and government cybersecurity teams using HIBP to better understand their exposure, respond quickly when new breaches appear, and reduce the risk posed by compromised credentials before attackers can take advantage.