Microsoft has disclosed details of a large-scale credential theft campaign that has leveraged a combination of code of conduct-themed lures and legitimate email services to direct users to attacker-controlled domains and steal authentication tokens. The multi-stage campaign, observed between April 14 and 16, 2026, targeted more than 35,000 users across over 13,000 organizations in 26 countries,
Cybersecurity News and Vulnerability Aggregator
Cybersecurity news aggregator
Updated: 12:20 pm
J/K Navigate / Search S Save V Open Link
— or
treemd <(curl -sL https://allsec.sh/md) (as Markdown) Top Cybersecurity Stories Today
While the software industry has made genuine strides over the past few decades to deliver products securely, the furious pace of AI adoption is putting that progress at risk. Businesses are moving fast to self-host LLM infrastructure, drawn by the promise of AI as a force multiplier and the pressure to deliver more value faster. But speed is coming at the expense of security. In the wake of the
The North Korea-aligned state-sponsored hacking group known as ScarCruft has compromised a video game platform in a supply chain espionage attack, trojanizing its components with a backdoor called BirdCallto likely target ethnic Koreans residing in China. While prior versions of the backdoor have primarily targeted Windows users only, the supply chain attack is assessed to have enabled the
Progress Software has released updates to address two security flaws in MOVEit Automation, including a critical bug that could result in an authentication bypass. MOVEit Automation (formerly Central) is a secure, server-based managed file transfer (MFT) solution used to schedule and automate file movement workflows in enterprise environments without requiring any custom scripts. The
Vimeo points finger at analytics supplier Anodot, says no logins or card data were touched More than 119,000 Vimeo users's email addresses were extracted in a breach traced to a third-party analytics vendor, according to Have I Been Pwned.…
Latest
Tuesday, May 5
Vimeo points finger at analytics supplier Anodot, says no logins or card data were touched More than 119,000 Vimeo users's email addresses were extracted in a breach traced to a third-party analytics vendor, according to Have I Been Pwned.…
IOCX v0.7.1 — robustness update focused on malformed PEs, hostile strings, and static‑analysis hardening
Pushed a new IOCX release (v0.7.1) that’s aimed at making the engine much harder to break during static analysis. The focus was adversarial behaviour: malformed binaries, corrupted PE structures, and intentionally hostile IOC‑like strings. If you work with weird samples, tooling pipelines, or large‑scale triage, this release makes IOCX more robust under hostile conditions. **New PE structural heuristics** Six new checks added to catch structural anomalies without blowing up the parser: * overlapping/misaligned sections * inconsistent optional headers (PE32 & PE32+) * broken entrypoint mappings * corrupted data directories * malformed import tables * general PE layout inconsistencies These aren’t detections — they’re deterministic, reason‑coded structural signals to keep analysis stable. **Expanded adversarial PE corpus** Added a full suite of malformed and corrupted PEs, including: * broken RVAs / invalid addressing * truncated Rich headers * fake UPX names + packed‑lookalikes * PE32/PE32+ hybrids * “franken‑PEs” combining multiple faults All outputs are snapshot‑validated to guarantee deterministic behaviour. **Adversarial coverage across all IOC categories** New hostile string fixtures now stress every extractor: * homoglyph + mixed‑script domains * malformed URLs and schemes * broken IPv4/IPv6 * noisy or near‑miss hashes * invalid Base64 * adversarial crypto strings (incl. Base58Check) * long/invalid Windows paths * malformed emails The goal: keep extraction predictable even when the input is intentionally messy. **Parser & extractor hardening** * stable on malformed PE structures * structured, JSON‑safe error metadata * improved domain/URL/crypto/hash extractors * deterministic output across platforms **Links** GitHub: [https://github.com/iocx-dev/iocx](https://github.com/iocx-dev/iocx) PyPI: [https://pypi.org/project/iocx/](https://pypi.org/project/iocx/) **Example** `pip install iocx` `iocx suspicious.exe -a full` If you’re doing malware triage, static analysis, or building automated pipelines that need predictable IOC extraction, v0.7.1 should be a noticeable stability bump. Happy to discuss edge cases or weird samples people want covered next.
Victims losing £280K a day to fake profiles and sob stories Romance fraudsters scammed Britons out of £102 million ($138 million) last year, according to the latest police figures.…
Google overhauls its Android and Chrome vulnerability rewards programs, offering bounties of up to $1.5 million for the most difficult exploits while scaling back payouts for flaws that artificial intelligence (AI) has made easier to find. [...]
We recently added a C/C++ security checklist to the Testing Handbook and challenged readers to spot the bugs in two code samples : a deceptively simple Linux ping program and a Windows driver registry handler. If you found the inet_ntoa global buffer gotcha or the missing RTL_QUERY_REGISTRY_TYPECHECK flag, nice work. If not, here’s a full walkthrough of both challenges, plus a deep dive into how the Windows registry type confusion escalates from a local denial of service to a kernel write primitive. Since we first released the new C/C++ security checklist, we also developed a new Claude skill, c-review . It turns the checklist into bug-finding prompts that an LLM can run against a codebase. It’s also platform and threat-model aware. Run these commands to install the skill: claude skills add-marketplace https://github.com/trailofbits/skills claude skills enable c-review --marketplace trailofbits/skills The Linux ping program challenge The Linux warmup challenge we showed you in the last blog post has an obvious command injection issue. #include <stdio.h> #include <s
While the software industry has made genuine strides over the past few decades to deliver products securely, the furious pace of AI adoption is putting that progress at risk. Businesses are moving fast to self-host LLM infrastructure, drawn by the promise of AI as a force multiplier and the pressure to deliver more value faster. But speed is coming at the expense of security. In the wake of the
A Latvian national extradited to the United States was sentenced to 8.5 years in prison for his "cold case" negotiator role in the Russian Karakurt ransomware group. [...]
A new version of the CloudZ remote access tool (RAT) is deploying a previously unseen malicious plugin called Pheno that hijacks the Microsoft Phone Link connection to steal sensitive codes from mobile devices. [...]
Healthcare giant's maintainers handed May deadline to enact the change The UK's National Health Service (NHS) is ordering all of its technology leaders to temporarily wall off the organization's open source projects over concerns relating to advanced AI and Anthropic's Mythos.…
I built a 100% browser-only EXIF viewer + metadata remover + image-forensics lab — no upload, no account, free
I've been working on this for the last few months and just wanted to share. It's a free browser-based tool for inspecting and removing metadata from photos, videos, audio, PDFs and Office documents — and it has a small image-forensics lab built in. Live: [https://midgardmud.de/tools/exif/](https://midgardmud.de/tools/exif/) Why I built it: every other "EXIF remover" online asks you to upload your private files to a server. That's the opposite of privacy. So I wrote one that runs 100% in the browser via the File API — your file never leaves your device. F12 → Network tab → drop a 50 MB photo → you'll see zero outbound requests. What it does: • Strips metadata from JPG/PNG/WebP/GIF/HEIC/TIFF, MP4/MOV/MKV/WebM/AVI, MP3/FLAC/OGG/WAV, PDF, DOCX/XLSX/PPTX • Privacy Risk Score 0–100 with per-file breakdown so you see what's actually leaking • 4 one-click privacy profiles (Anonymous / Social-safe / Keep camera / GPS-only) • Forensics: ELA, JPEG-Ghost re-save heatmap, DQT compression fingerprint, Noise + CFA/Bayer pattern (defensible alternative to AI-image detectors), Copy-Move clone detection, embedded-thumbnail audit, RGB histogram, hex viewer, structure inspector • SHA-256 + perceptual hash (pHash) per file • ExifTool-compatible JSON export • Per-tag EXIF editor + GPS spoofing for JPEG • C2PA self-signed Content Credentials • Works fully offline as a PWA after first visit • 19 languages Stack: vanilla JS, no framework, no build step, \~12k lines. libheif WASM lazy-loaded for HEIC. Web Worker for big videos so the UI stays responsive. Happy to answer anything about how the parsers work, why I avoided React, or how the JPEG-Ghost / Copy-Move detection is implemented. Feedback very welcome.
The North Korea-aligned state-sponsored hacking group known as ScarCruft has compromised a video game platform in a supply chain espionage attack, trojanizing its components with a backdoor called BirdCallto likely target ethnic Koreans residing in China. While prior versions of the backdoor have primarily targeted Windows users only, the supply chain attack is assessed to have enabled the
I've updated my CISO Security Mind Map 2026. I've been updating this since 2023. I can't actually include the image here (no options to upload an image). So use the link. **Top Challenges & Focus Areas 2026** **Protect from ransomware:** Protect, prepare and respond to the pervasive ransomware threat within the organization and at critical (third-party) partners. **Build resilience:** Assume that attacks will occur and that mistakes will be made, how can the overall organization respond & recover and remain resilient. **Business alignment, cost optimization & adhering to (cyber security) regulations:** How can CISO security align with current business pressures to cut costs while retaining protection & resilience levels and protect the business from regulatory issues (fines). **Help to enable AI securely:** How can CISO Security help the organization to safely & securely apply AI to meet evolving business goals (in the AI era). **Protect from AI threats:** How should CISO Security protect from malicious AI usage and new AI threats.
A critical security vulnerability in Weaver (Fanwei) E-cology, an enterprise office automation (OA) and collaboration platform, has come under active exploitation in the wild. The vulnerability (CVE-2026-22679, CVSS score: 9.8) relates to a case of unauthenticated remote code execution affecting Weaver E-cology 10.0 versions prior to 20260312. The issue resides in the "/papi/esearch/data/devops/
Microsoft has disclosed details of a large-scale credential theft campaign that has leveraged a combination of code of conduct-themed lures and legitimate email services to direct users to attacker-controlled domains and steal authentication tokens. The multi-stage campaign, observed between April 14 and 16, 2026, targeted more than 35,000 users across over 13,000 organizations in 26 countries,
Quick note from a scanning project I've been running. We hit 6,000 web apps with a payment-bypass probe last week, sending a minimal fake \`checkout.session.completed\` event to common webhook paths (\`/api/webhook/stripe\`, \`/api/payments/webhook\`, etc.) without a \`Stripe-Signature\` header. 1,542 returned 200. That means anyone with curl can fire a forged Stripe event at those endpoints and the server processes it as legitimate. Depending on what the handler does with it, the consequences range from "logs a fake event" to "marks attacker's account as paid" to "creates a confirmed order with no payment". The split was roughly: * Custom domains (real production SaaS): \~720 * Render: 198 * Vercel: 142 * Replit: 121 * Railway, Fly, Heroku, others: \~360 Why so many? The Stripe library makes signature verification a one-liner. Every framework has the canonical example. But the dev journey usually goes: build the route locally with a stub handler that just \`console.log\`s the event body, get the upgrade-the-user logic working, leave signature verification on the TODO, ship. Six months later nobody remembers it was ever a TODO. The fix in Express: `\`\`\`js` `app.post('/api/webhook/stripe',` `express.raw({type: 'application/json'}),` `(req, res) => {` `const sig = req.headers['stripe-signature'];` `let event;` `try {` `event = stripe.webhooks.constructEvent(` `req.body, sig, process.env.STRIPE_WEBHOOK_SECRET);` `} catch (err) {` `return res.status(400).send(\`Webhook Error: ${err.message}\`); }` `// proceed with event` `res.json({received: true});` `});` `\`\`\`` The trap: \`express.json()\` globally parses the body before your handler sees it, leaving Stripe's library to compute the signature against parsed-then-stringified JSON, which never matches. Use \`express.raw()\` specifically on the webhook route, before any global JSON parser. FastAPI / Python: read \`await request.body()\` directly, not \`request.json()\`. Same idea. Caveats: a 200 response doesn't prove the app actually grants the attacker something. Some endpoints log every webhook for analytics and return 200 regardless. The 1,542 number is "endpoints accepting unsigned events", not "definitely exploitable". But the misconfiguration is real on its own. Full writeup with the methodology and platform-by-platform breakdown: [https://securityscanner.dev/blog/stripe-webhook-signature-bypass-1500-apps](https://securityscanner.dev/blog/stripe-webhook-signature-bypass-1500-apps) Curious if anyone here has shipped a Stripe webhook recently and can double-check theirs.
Vendors all use different formats. This tech translates them all so you can smooth your SOC Academics from Singapore and China have found a way to make AI useful for cyber-defenders, by creating a technique that translates rules from diverse Security Information and Event Managements (SIEMs) so they’re easier to consume across multiple systems.…
I got tired of trying to find specific BSides talks scattered across hundreds of independent YouTube channels, so I built [allbsides.com](https://allbsides.com) — every BSides talk on YouTube, transcribed, tagged, and searchable. **What's in there:** * 8,643 talks from 5,927 speakers across 227 chapters in 68 countries * 280 days of combined runtime, 60M words of transcripts * Coverage from 2011 to current **What you can do:** * Search by tool, technique, speaker, chapter, or topic * Filter by red/blue/purple team, difficulty level, or talk style (Talk/Demo/Workshop/Keynote/Panel) * Browse all 4,000+ tools, frameworks, and protocols mentioned across the talks * Find upcoming CFPs * Get full transcripts on every talk page **Useful for:** self-directed learning, CFP prep, team learning paths, finding that one talk you remember seeing years ago. **The build:** Solo project. Go, vanilla JS, SQLite, BunnyCDN. Tagging done with a Haiku -> Sonnet -> Opus pipeline with manual verification. **Cost:** Free, no ads, no sign-up, no tracking beyond basic counters. **Honest disclaimers:** * \~50% of talks have technology tags so far; rest is queued * Coverage depends on what chapters upload to YouTube Genuinely open to feedback. If you've spoken at a BSides, search your name — you're probably in there.
Monday, May 4
The Model We’ve Relied on Is Starting to Break Over the past 20 years, I’ve seen the threat landscape evolve from opportunistic attackers, to organized cybercrime, to nation-state campaigns. Each shift forced security teams to adapt. What’s happening right now is different. AI models coming out of Anthropic, OpenAI, Google, and X are rewriting the […] The post Sara AI Pentesting Is Now Generally Available: The Model Is Changing appeared first on Synack .
46% say age checks are easy to bypass, and nearly a third admit getting around them It’s been months since the UK government began requiring stronger age checks under the Online Safety Act, and recent research suggests those measures are falling short of keeping kids away from harmful content. In some cases, even drawing on a mustache has been reported as enough to fool age detection software.…
The Amazon Simple Email Service (SES) is being increasingly abused to send convincing phishing emails that can bypass standard security filters and render reputation-based blocks ineffective. [...]
Hey everyone, John Strand here. I’m teaching Information Security Core Skills live starting May 11th at 12:00 PM EDT. This is a 16-hour, hands-on class for people who are new to security, or folks who want the fundamentals explained in a way that actually connects to real work. At Black Hills Information Security, we see a lot of the same issues show up across assessments. This class is built around those patterns: practical attacks, practical defenses, and the core controls that matter. We’ll also cover how to use AI in a practical way. Not as a replacement for learning the fundamentals, but as a tool to help you move faster, ask better questions, and understand what you’re working on. Live training is pay-what-you-can: $25 to $300. If you’re trying to build a real foundation in security, this is the class I’d point you to. Thanks! strandjs
A malicious version of the PyTorch Lightning package published on the Python Package Index (PyPI) delivers a credential-stealing payload targeting browsers, environment files, and cloud services. [...]
6 LLMs (GPT-5.2, Claude Opus 4.6, Gemini 2.5 Pro, DeepSeek V3, Llama 4 Maverick, Grok 4) were tested with 89 prompts across Python and JavaScript.
Key Takeaways Over the past year, the conversation in security has changed faster than most programs have. AI is compressing attacker timelines. Environments are changing daily rather than quarterly. And the model most enterprises still rely on to validate security—periodic penetration testing—is starting to break under the weight of both. The real question isn’t whether […] The post The Shift to Continuous Security Validation: Why Detection Is No Longer Enough appeared first on Synack .
Progress Software has released updates to address two security flaws in MOVEit Automation, including a critical bug that could result in an authentication bypass. MOVEit Automation (formerly Central) is a secure, server-based managed file transfer (MFT) solution used to schedule and automate file movement workflows in enterprise environments without requiring any custom scripts. The
Cybersecurity firm Trellix disclosed a data breach after attackers gained access to "a portion" of its source code repository. [...]
We are Alex and Armaan, insider risk researchers on the DTEX i3 team. We spend most of our time analyzing how new technologies introduce risk inside corporate environments, especially when they operate with legitimate access and little visibility. Recently, our work has focused on agentic AI on endpoints. These are autonomous or semi-autonomous AI agents that run locally on user devices, execute commands, access files, and interact with external services, often without continuous human input. This research is covered in DTEX’s latest [i3 Threat Advisory: Detecting Agentic AI on Endpoints Before Data Exfiltration,](https://www.dtex.ai/resources/i%C2%B3-threat-advisory-detecting-agentic-ai-on-endpoints-before-data-exfiltration/?utm_medium=ama&utm_source=reddit&utm_campaign=AI&utm_content=reddit-ama&utm_keyword=) where we break down how these agents are deployed, how they behave, and how they can quietly introduce insider risk. We mapped real endpoint indicators tied to agent setup, persistence, and activity, including things like containerized AI agents, credential exposure in process parameters, message-driven execution via apps like Telegram, and patterns that signal potential data exfiltration. The key challenge is that this doesn’t look like traditional threats. There’s no malware, no exploit. Just legitimate access, automation, and a lack of visibility. We are here to answer questions about: * how agentic AI operates on endpoints in real environments * what makes AI agents an insider risk (even without malicious intent) * how these tools create new paths for data exfiltration and credential exposure * what behavioral and technical signals can reveal agent activity * where detection breaks down, even with modern security stacks * what organizations can realistically do today to reduce risk Ask us anything and [join our workshop](https://www.dtex.ai/events/ita-workshop-agentic-ai-moving-to-the-endpoint/?utm_medium=ama&utm_source=reddit&utm_campaign=AI&utm_content=reddit-ama&utm_keyword=) (hosted by the DTEX i3 team) on May 12 to dive deeper into the advisory.
A law firm instructed my first forensic analysis of an LLM system, I've written up some of my methodology
I have worked for about 10 years in cybersecurity, mostly in Incident Response, but I've done a fair bit of forensic work and expert witness cases within that. A year ago I left my old firm to go down the independent consultancy route, and still trying to figure out exactly what I'm doing. A couple months ago a law firm I used to work with reached out recently. Short story is that an LLM agent made a mistake for their client which became litigious. The client firm claimed they had addressed the original issue, but the law firm requested an expert opinion on: a) the root causes of the original issue b) an assessment on whether this could re-occur / validation of the fix This might not fall strictly within the confines of "computerforensics", so apologies if it's slightly off topic. But I figured there could be some practitioners here who might be interested in the methodology. I basically used three techniques to model the differences in generated output between the "bad" model and the fixed "good" model, then commented on the deviations. I don't think this is a huge market right now. But I do see that there are insurance companies starting to underwrite AI risk, so it's possible we could be seeing more of this work over the next few years. I've written up my full approach here: [https://www.analystengine.io/insights/how-to-forensically-analyse-llm-alignment-drift-and-hallucination](https://www.analystengine.io/insights/how-to-forensically-analyse-llm-alignment-drift-and-hallucination) Would be really interested to hear if anyone is doing any similar work lately.
'If you don't have visibility, you can't understand what to protect' When it comes to securing enterprise supply chains, now heavily infused with AI applications and agents, a software bill of materials (SBOM) no longer provides a complete inventory of all the components in the environment. Enter AI-BOMs.…
Using a 1930s trade law, Homeland Security targeted the man—who hasn’t entered the US in more than a decade—following posts on X condemning the killings of Renee Good and Alex Pretti.
This week, the shadows moved faster than the patches. While most teams were still triaging last month’s alerts, attackers had already turned control panels into kill switches, kernels into open doors, and open-source pipelines into silent delivery systems. The game has shifted from breach to occupation. They’re living inside SaaS sessions, pushing code with trusted commits, and scaling
Fraudsters aren't hacking credit unions, they are exploiting normal business processes. Flare reveals how structured loan fraud methods use stolen identities to pass verification and secure funds. [...]
On December 4, 2025, a 17-year-old was arrested in Osaka under Japan’s Unauthorized Access Prohibition Act. The young man had run malicious code to extract the personal data of over 7 million users of Kaikatsu Club, Japan's largest internet cafe chain. When asked, the young man shared his motivation for the hack: he wanted to buy Pokémon cards. In a sense, this is a fairly conventional story.
The China-based cybercrime group known as Silver Fox has been linked to a new campaign targeting organizations in Russia and India with a new malware called ABCDoor. The activity involved using phishing emails that mimic correspondence from the Income Tax Department of India in December 2025, followed by a similar campaign aimed at Russian entities in January 2026. "Both waves followed a nearly
CISA has warned that threat actors have started exploiting the "Copy Fail" Linux security vulnerability in the wild, one day after Theori researchers disclosed it and shared a proof-of-concept (PoC) exploit. [...]
Microsoft has confirmed that the April 2026 security updates are causing failures in third-party backup applications using the psmounterex.sys driver. [...]
VanGuard — open-source single-binary DFIR toolkit (Velociraptor, Hayabusa, Chainsaw, Loki, YARA) with TUI, air-gap support, and 28 pre-built use cases
We just open-sourced **VanGuard** — a self-contained IR toolkit that bundles Velociraptor, Hayabusa, Chainsaw, Loki, and YARA into a single binary with a terminal UI. Built it because we were tired of the 45-minute tooling setup at the start of every engagement. Download KAPE, remember the flags, set up Velociraptor, manually hash evidence, and track the chain of custody in a spreadsheet. What it does: * Quick triage (20+ Windows, 15+ Linux artifact categories using native commands) * Velociraptor server lifecycle + agent deployment from the TUI * Threat hunting with Hayabusa, Chainsaw, Loki, YARA + live anomaly detection * Memory capture + Volatility 3 analysis * 28 pre-built use cases (ransomware, BEC, credential theft, lateral movement, rootkits) with MITRE ATT&CK mapping * Evidence dual-hashed (MD5 + SHA256), HMAC chain of custody * Runs from USB, works fully offline Cross-platform (Windows + Linux), Apache 2.0, no dependencies. GitHub: [https://github.com/ridgelinecyberdefence/vanguard](https://github.com/ridgelinecyberdefence/vanguard) It's provided as-is — every environment is different, especially with remote ops (WinRM/SSH auth varies by config). Test in a lab first. Issues and suggestions welcome on GitHub.
A previously unknown threat actor has been observed targeting government and military entities in Southeast Asia, alongside a smaller cluster of managed service providers (MSPs) and hosting providers in the Philippines, Laos, Canada, South Africa, and the U.S., by exploiting the recently disclosed vulnerability in cPanel. The activity, detected by Ctrl-Alt-Intel on May 2, 2026, involves the
Even limited voter rolls can be linked to identify people, research shows Your voter data could be used against you. A foreign intelligence service that wished to identify the family members of deployed military personnel could do so by cross-referencing public voter record data and social media posts.…
To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.
Prioritize resilience over productivity, say CISA, NCSC and their friends from Oz, NZ, Canada Information security agencies from the nations of the Five Eyes security alliance have co-authored guidance on the use of agentic AI that warns the technology will likely misbehave and amplifies organizations’ existing frailties, and therefore recommend slow and careful adoption of the tech.…
Sunday, May 3
Microsoft Defender is detecting legitimate DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, resulting in widespread false-positive alerts, and in some cases, removing certificates from Windows. [...]
Acoustic Keystroke Recovery - Reconstructing Typed Text from a Laptop Microphone (Full Guide, 85% success rate)
Around 85% success rate of keystroke recovery with our script :)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a recently disclosed security flaw impacting various Linux distributions to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerability, tracked as CVE-2026-31431 (CVSS score: 7.8), is a case of local privilege escalation (LPE) flaw that could allow an
Saturday, May 2
*As one tends to do on Saturday mornings with coffee in hand, I was reviewing two samples that were attributed to the LunaStealer / LunaGrabber family. Originally I was validating that* `tiquery` *was working with the MCP configuration, however what started as a quick TI check turned into a full static analysis session — and it gave me a good opportunity to put the MalChela MCP integration through its paces in a real workflow. This post walks through how that investigation unfolded, what the pivot points were, and what we found at the bottom of the rabbit hole.*
Plus: The NSA tests Anthropic’s Mythos Preview to find vulnerabilities, a Finnish teen is charged over the Scattered Spider hacking spree, and more.
Britain's cyber agency says the bill for years of technical shortcuts is coming due, and it's arriving all at once Britain's cyber agency is warning that AI-fuelled bug hunting is about to flush out years of buried flaws, leaving defenders scrambling to keep up.…
Friday, May 1
For vulnerability research, smaller models run repeatedly can outperform larger frontier models on cost-to-recall.
TL;DR: If a large model finds a 0-day with 90% probability, and a small model with 50% probability, but the small model costs 10x less, it is better to use the small model. We compared the cost and recall of various models in finding real, recent zero-days and found that for most applications, smaller models run repeatedly can significantly outperform larger frontier models on cost-to-recall. Disclaimer: I'm involved with Hacktron, the company that produced this research. This is a factual presentation of our benchmarks, which we hope the community can use to make informed decisions about models like Mythos.
Over the past two and a bit quarters, we've undertaken an intensive engineering effort, internally code-named " Code Orange: Fail Small ", focused on making Cloudflare's infrastructure more resilient, secure, and reliable for every customer. Earlier this month, the Cloudflare team finished this work. While improving resiliency will never be a “job done” and will always be a top priority across our development lifecycle, we have now completed the work that would have avoided the November 18, 2025 and December 5, 2025 global outages. This work focused on several key areas: safer configuration changes, reducing the impact of failure, and revising our “break glass” procedures and incident management. We also introduced measures to prevent drift and regressions over time, and strengthened the way we communicate to our customers during an outage. Here we explain in depth what we shipped, and what it means for you. Safer configuration changes What it means for you : In most cases, Cloudflare internal configuration changes no longer reach our network instantly and are instead rolled out progressively with real-time health monitoring. This allows our observability tools to catch problems and revert issues before they affect your traffic. In order to catch potentially dangerous deployments before they reach production, we've identified high-risk configuration pipelines, and built new tools to manage configuration changes better. For products that run on our network processing customer traffic and receive configuration changes, we no longer deploy these changes instantly across the
MalChela v4.0 is out. The desktop GUI is gone — replaced by a PWA you can reach from any browser on the network. Battery-powered Pi on the table, iPad in hand, no keyboard required. The field kit finally makes sense.
Cybersecurity researchers are warning of two cybercrime groups that are carrying out "rapid, high-impact attacks" operating almost within the confines of SaaS environments, while leaving minimal traces of their actions. The clusters, Cordial Spider (aka BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and Snarky Spider (aka O-UNC-025 and UNC6661), have been attributed to high-speed data theft and
While doing some analysis of Weedhack a remote access trojan/info stealer that uses the Ethereum block chain for C2 infrastructure. I was able to statically decode the eth\_call results to break back the C2 domain it pulls. So I vibe coded a git repository to query the smart contract, decode the results and display the current C2 domain. I'm currently a student so any sort of feedback would be greatly appreciated. The purpose behind this project is to provide an indicator of compromise for weedhack. https://github.com/MrFluent1/Weedhack-C2-Tracking
When we first launched Workers eight years ago, it was a direct-to-developers platform. Over the years, we have expanded and scaled the ecosystem so that platforms could not only build on Workers directly, but they could also enable their customers to ship code to us through many multi-tenant applications. We now see on Workers: Applications where users describe what they want, and the AI writes the implementation. Multi-tenant SaaS where every customer's business logic is, at runtime, some TypeScript the platform has never seen before. Agents that write and run their own tools. CI/CD products where every repo defines its own pipeline. Last month, when we shipped the Dynamic Workers open beta , we gave those platforms a clean primitive for the compute side: hand the Workers runtime some code at runtime, get back an isolated, sandboxed Worker, on the same machine, in single-digit milliseconds. Durable Object Facets extended the same idea to storage — each dynamically-loaded app can have its own SQLite database, spun up on demand, with the platform sitting in front, as a supervisor. Artifacts did the same for source control : a Git-native, versioned filesystem you can create by the tens of millions, one per agent, one per session, one per tenant. So, we have dynamic deployment for storage and source control. What’s next? Today, we are bridging durable execution and dynamic deployment with Dynamic Workflows . The gap between durable and dynamic execution
Altman's crew now doing the same gatekeeping it recently mocked OpenAI is lining up a limited release of its new GPT-5.5-Cyber model to a handpicked circle of "cyber defenders," just weeks after taking a swipe at Anthropic for doing almost exactly the same thing.…
313 Team tells Canonical: pay up or the packets keep coming Canonical says its web infrastructure is under attack after a pro-Iran hacktivist group instructed its members to target the open source giant.…
The managed security services market is projected to grow from $38.31 billion in 2025 to $69.16 billion by 2030[1], with cybersecurity being the fastest-growing sector[2]. Despite this opportunity, many MSPs leave revenue on the table because their go-to-market strategy fails to connect technical expertise with business needs. This execution gap is where most deals stall. MSPs often focus on
The U.S. Department of Justice (DoJ) on Thursday announced the sentencing of two cybersecurity professionals to four years each in prison for their role in facilitating BlackCat ransomware attacks in 2023. Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, were accused of deploying the ransomware against multiple victims located throughout the U.S. between April and December 2023.
A new software supply chain attack campaign has been observed using sleeper packages as a conduit to subsequently push malicious payloads that enabled credential theft, GitHub Actions tampering, and SSH persistence. The activity has been attributed to the GitHub account "BufferZoneCorp," which has published a set of repositories that are associated with malicious Ruby gems and Go modules. As of
Start date pushed back a year, annual cost up a third, and UK's now handing out eight million passports a year The Home Office has increased the annual value and overall duration of its new passport production contract, increasing it to a total of £576 million as it starts a third round of engagement with suppliers.…
Thursday, April 30
Mini Shai-Hulud caught spreading credential-stealing malware The wave of supply chain attacks aimed at security and developer tools has washed up more victims, namely SAP and Intercom npm packages, plus the lightning PyPI package.…
One alleged cyber contractor was extradited to the US over the weekend China's "hacker-for-hire ecosystem has gotten out of control," according to Brett Leatherman, assistant director of the FBI's cyber division.…
OpenAI is rolling out Advanced Account Security for people concerned that their ChatGPT or Codex accounts could be potential targets of phishing attacks.
This CVSS 10.0 RCE vuln has been patched, automatically for some, so better check those workflows If you use Gemini CLI, watch out: Google has patched a CVSS 10.0 vulnerability in its command-line AI tool and is warning anyone running it in headless mode, or through GitHub Actions, to review their workflows.…
Two computer crime allegations follow up to 18M lines of data surfacing online French prosecutors say police detained a 15-year-old on April 25 over the alleged theft of millions of records from France Titres (ANTS), the agency handling secure documents.…
A Brazilian tech firm that specializes in protecting networks from distributed denial-of-service (DDoS) attacks has been enabling a botnet responsible for an extended campaign of massive DDoS attacks against other network operators in Brazil, KrebsOnSecurity has learned. The firm’s chief executive says the malicious activity resulted from a security breach and was likely the work of a competitor trying to tarnish his company’s public image. An Archer AX21 router from TP-Link. Image: tp-link.com. For the past several years, security experts have tracked a series of massive DDoS attacks originating from Brazil and solely targeting Brazilian ISPs. Until recently, it was less than clear who or what was behind these digital sieges. That changed earlier this month when a trusted source who asked to remain anonymous shared a curious file archive that was exposed in an open directory online. The exposed archive contained several Portuguese-language malicious programs written in Python. It also included the private SSH authentication keys belonging to the CEO of Huge Networks , a Brazilian ISP that primarily offers DDoS protection to other Brazilian network operators. Founded in Miami, Fla. in 2014, Huge Networks’s operations are centered in Brazil. The company originated from protecting game servers against DDoS attacks and evolved into an ISP-focused DDoS mitigation provider. It does not appear in any public abuse complaints and is not associated with any known
Coding agents are great at building software. But to deploy to production they need three things from the cloud they want to host their app — an account, a way to pay, and an API token. Until now these have been tasks that humans handle directly. Increasingly, agents handle them on the user’s behalf. The agent needs to perform all the tasks a human customer can. They’re given higher-order problems to solve and choose to use Cloudflare and call Cloudflare APIs. Starting today, agents can provision Cloudflare on behalf of their users. They can create a Cloudflare account, start a paid subscription, register a domain, and get back an API token to deploy code right away. Humans can be in the loop to grant permission and must accept Cloudflare's terms of service, but no human steps are otherwise required from start to finish. There’s no need to go to the dashboard, copy and paste API tokens, or enter credit card details. Without any extra setup, agents have everything they need to deploy a new production application in one shot. And with Cloudflare’s Code Mode MCP server and Agent Skills , they’re even better at it. This all works via a new protocol that we’ve co-designed with Stripe as part of the launch of Stripe Projects . We’re excited to launch this new partnership with Stripe, and also to offer $100,000 in Cloudflare credits to all new startups who incorporate using Stripe Atlas . But this new protocol also makes it possible for any platform with signed-in users to integrate with Cloudflare in the same way Stripe does, with zero friction for the end user. How it works: zero to production without any setup or manual steps
Turns out the real problem is not AI but staff still clicking on dodgy emails from 'IT support' Nearly half of UK businesses are still getting breached, and in many cases, the attacker's big breakthrough is an employee clicking "sure, why not" on a fake login page.…
Spyware appears to have captured everything from intimate photos to private messages from the smartphone of European celebrity. They were publicly accessible until a researcher flagged the exposure.
Wednesday, April 29
What Mythos Means for Penetration Testing as a Service When Anthropic announced the Claude Mythos Preview, the reaction from the security community was immediate. We’re not talking about the next best model. This model is such a leap forward and so capable at finding and exploiting vulnerabilities that Anthropic deemed it too dangerous to release […] The post What GigaOm and Synack Got Right About AI Pentesting appeared first on Synack .
As we commonly know in appsec, not every vulnerability, even if critical 10 is relevant. This is a take from my buddy Brian Vermeer at Snyk, he's a Java Champion and offers his opinion as a developer to the Thymeleaf vulnerability [CVE-2026-40478](https://security.snyk.io/vuln/SNYK-JAVA-ORGTHYMELEAF-16078379)
A newly analyzed Go-based macOS remote access trojan (RAT), internally named Minirat, has surfaced in the wild using anti-VM checks, LaunchAgent persistence, and AES-encrypted command and control (C2) configuration to maintain stealthy, long-term access on victim endpoints. According to [SafeDep](https://safedep.io/malicious-velora-dex-sdk-npm-compromised-rat/), the initial infection vector was a malicious npm package (velora-dex-sdk) that dropped the Go-based macOS RAT onto developer endpoints.
LibAFL is all the rage in the fuzzing community these days, especially with LLVM’s libFuzzer being placed in maintenance mode . Written in Rust, LibAFL claims improved performance, modularity, state-of-the-art fuzzing techniques, and libFuzzer compatibility . For these reasons, I set out to add LibAFL support to Ruzzy , our coverage-guided fuzzer for pure Ruby code and Ruby C extensions. This gives Ruby developers and security researchers access to a more advanced and actively maintained fuzzing engine without changing how they write their fuzzing harnesses. Ruzzy was originally built on top of LLVM’s libFuzzer, so using LibAFL’s compatibility layer should be easy enough. However, digging around in the internals of complex systems is never quite as simple as it seems. In this post, I will investigate some of the deep plumbing inside these fuzzing engines, take a detour into executable and linkable format (ELF) files, and ultimately add LibAFL support to Ruzzy. Building with libafl_libfuzzer Ruzzy currently supports Linux, so I use a Dockerfile for development and for production fuzzing campaigns. To that end, using a similar Dockerfile for LibAFL support is the simplest integration point. LibAFL provides excellent documentation a
Today, we're launching Project Swarm — a research initiative that opens the GreyNoise deception platform to the global security community. Project Swarm transforms GreyNoise from a proprietary sensor network into a collective intelligence platform.
Tuesday, April 28
CREST Helps Raise the Bar for the Researchers Behind Your Pentest When a cybersecurity company tells you its testers are vetted, what does that actually mean? Most of the time, it means the company ran its own screening, trusted its own judgment, and hoped you’d trust it too. That works, right up until the pentest […] The post What CREST Means for Your Next Synack Engagement appeared first on Synack .
The war in Iran has drawn attention to arrests in the United Arab Emirates over online content, but the legal framework behind that enforcement has existed for years.
ByteToBreach have breached Ikeja Electric, encrypting 50+ hosts, disrupting systems, and taking multiple subdomains offline. The actor also have stolen customer, employee, and business databases, source code, Active Directory data with offline cracked passwords, and impacted metering platforms linked to several vendors. Threat actor: ByteToBreach Sector: Energy / Utilities Data type: Customer records, employee data, business databases, source code, Active Directory credentials Observed: Apr 28, 2026 Sources: [https://x.com/H4ckmanac/status/2049126582694875608](https://x.com/H4ckmanac/status/2049126582694875608) [https://x.com/CyhawkAfrica/status/2049109369522934179](https://x.com/CyhawkAfrica/status/2049109369522934179) [https://darkforums.su/Thread-NG-Ikeja-Electric-Databases-Ransomware](https://darkforums.su/Thread-NG-Ikeja-Electric-Databases-Ransomware) https://preview.redd.it/5wua149b7yxg1.png?width=2503&format=png&auto=webp&s=133a682cd6ee178877db97f9cb59f7c60d3d8cc8
AI agents may soon be buying your stuff for you. The FIDO Alliance has teamed up with Google and Mastercard to try to ensure that shopping in the near future isn't a complete disaster.
In the first quarter of 2026, government-directed shutdowns figured prominently, with prolonged Internet blackouts in both Uganda and Iran, a stark contrast to the lack of observed government-directed shutdowns in the same quarter a year prior. This quarter, we also observed a number of Internet disruptions caused by power outages , including three separate collapses of Cuba's national electrical grid. Military action continued to disrupt connectivity in Ukraine and also impacted hyperscaler cloud infrastructure in the Middle East. Severe weather knocked out Internet connectivity in Portugal, while cable damage disrupted connectivity in the Republic of Congo. A technical problem hit Verizon Wireless in the United States, and unknown issues briefly disrupted connectivity for customers of providers in Guinea and the United Kingdom. This post is intended as a summary overview of observed and confirmed disruptions and is not an exhaustive or complete list of issues that have occurred during the quarter. A larger list of detected traffic anomalies is available in the Cloudflare Radar Outage Center . Note that both bytes-based and request-based traffic graphs are used within this post to illustrate the impact of the observed disruptions, with the choice of metric generally made based on which better illustrates the impact of the disruption. Government-directed shutdowns Uganda In advance of the January 15 presidentia