Cybersecurity News and Vulnerability Aggregator

Cybersecurity news aggregator

Top Cybersecurity Stories Today

The Hacker News May 5

Microsoft has disclosed details of a large-scale credential theft campaign that has leveraged a combination of code of conduct-themed lures and legitimate email services to direct users to attacker-controlled domains and steal authentication tokens. The multi-stage campaign, observed between April 14 and 16, 2026, targeted more than 35,000 users across over 13,000 organizations in 26 countries,

The Hacker News 21h ago

While the software industry has made genuine strides over the past few decades to deliver products securely, the furious pace of AI adoption is putting that progress at risk. Businesses are moving fast to self-host LLM infrastructure, drawn by the promise of AI as a force multiplier and the pressure to deliver more value faster. But speed is coming at the expense of security. In the wake of the

Latest

Wednesday, May 6
r/cybersecurity 2h ago

**Ransomware.live** launches a public dashboard that quantifies exactly how many victims of specific ransomware groups had prior Infostealer infections (Lumma, Redline, etc.) on their networks before the breach. Just recently Coinbase Cartel, one of the most active ransomware groups, was discovered to be using Infostealers as their initial access vector to hack 100+ companies

The Register 5h ago

Securities regulator urges market players to develop new strategies and nail cyber-basics before AI models fuel mass attacks

India’s Securities and Exchange Board has advised participants in the nation’s equities industry to immediately revisit their information security systems and practices, in case Anthropic’s Mythos bug-finding AI sparks a cyberattack spree.…

r/blueteamsec 5h ago

Ran four attacks through a three-VM home lab (Kali, Windows 11, Ubuntu/Splunk), each mapped to a MITRE ATT&CK technique and named after a Cowboy Bebop episode. Full walkthrough with screenshots and Splunk queries in the article: [https://medium.com/@jwilliams.cyber/see-you-space-cowboy-bounty-hunting-threats-with-splunk-911ffbed051a](https://medium.com/@jwilliams.cyber/see-you-space-cowboy-bounty-hunting-threats-with-splunk-911ffbed051a) (No paywall, free to read.)

Troy Hunt 7h ago

It's a fascinating display of leverage: the ShinyHunters folks, with very limited resources and experience (their demographic will be teenagers to their early 20s), consistently gaining access to the data of massive brands. Not through technical ingenuity alone (although I'm sure there's a portion of that), but primarily through good ol' social engineering. That's coming through in the disclosure notices from the impacted companies, and Mandiant has a good write-up of it too:

> These operations primarily leverage sophisticated voice phishing (vishing) and victim-branded credential harvesting sites to gain initial access to corporate environments by obtaining single sign-on (SSO) credentials and multi-factor authentication (MFA) codes

Question now is how long their run will go for. There's a very predictable ending if things keep going in this direction but right now, they show little sign of abating.

Tuesday, May 5
r/computerforensics 8h ago

Hi all — finally pushed this public after several months of work. Sharing here because this subreddit is where I'd want feedback from before anywhere else.

**WAInsight** — https://github.com/akhil-dara/WAInsight (MIT)

**Scope.** It doesn't extract data from a phone — that's a separate step with whatever acquisition workflow you already use. WAInsight starts after acquisition. Point it at a folder containing `msgstore.db` + `wa.db` + `Media/` + `Avatars/` and it ingests everything through a 29-stage pipeline into a normalised `analysis.db` (47 indexed tables), then opens a 30-page Qt desktop UI to actually work the case.

**Why.** I wanted analysis to be the primary deliverable, not the report. So the UI is built around browsing every chat exactly like opening WhatsApp itself — home-style conversation list, bubbles with edits / revokes / replies / reactions / receipts / forwarded badges / mention chips / pinned-message strip — with forensic provenance one click away on every bubble. Reports are a snapshot of what was found, not the destination.

**Capabilities, grouped by what you're actually trying to do:**

*Reading the timeline*

- Forensic ℹ button on every bubble: msgstore source IDs, every SQL row that fed the bubble, origination flags decoded, per-recipient receipt timeline (delivered / read / played, ms-precise).
- Ghost-message recovery from `message_quoted_text` (deleted-for-everyone messages reconstructed inline next to the revoked bubble).
- Edit history per message — every revision side-by-side.
- Reply chains as click-through badges with cross-conversation "Go to original" jumps.
- 60+ system events decoded (group / security / admin / privacy / business / ephemeral) instead of opaque type codes.
- Calendar with per-day message counts shown flight-fare style; click+drag to range-filter.
- Windowed-flat virtual scroller for chats with 5K+ messages — jumping to message #47K in a 47K-message chat is O(1).

*Media analysis*

- Folder-shaped Media Dashboard that scales to 200K+ rows at `file://` (sharded AVIF thumbs + chunked metadata + vendored UI engine, sub-millisecond bitset crossfilter). Cascading filters: conversation × sender × MIME × extension × status × date.
- Perceptual visual search across the whole case — drop a screenshot, get Exact / Near-Exact / Near-Duplicate / Template-Match tiers (pHash + dHash + edge-map).
- Camera-original → WhatsApp tracking: feed an original from `DCIM/`, find every chat that photo was sent in even after WhatsApp's recompression changed the SHA-256.
- View-once images and voice notes downloadable from the bubble even after on-device expiry (CDN URL + media_key, AES-CBC + HMAC).
- Hash-link auto-rescue: missing media that shares a SHA-256 with another message's on-disk media gets auto-resolved (tagged `recovery_method='hash_linked'`, never confused with a real local copy).
- `wa.db` thumbnail blob rendered as fallback when even the bytes are gone.
- HD/SD twin pairs surfaced inline with cross-jumps.
- Cross-chat propagation: right-click any media → every chat that shared the same SHA-256, chronologically. Says where the bytes were *first seen*, not just where they were last forwarded.
- 12-state media recovery taxonomy preserved in every report and dashboard (`original` / `downloaded` / `hash_linked` / `orphan_recovered` / etc.).
- Orphaned-media browser: files in `Media/` with no surviving message row + auto-rescue against surviving message hashes.

*Identity & devices*

- Per-message platform attribution from `key_id` — every bubble carries an inline tag (Android / iPhone / Web/Desktop / Companion #N), confidence-scored. The classifier was its own separate research piece — collected `key_id` samples across real devices on Android, iPhone, Web, and linked companions until the rules held up. Powers the Group Report's *Device Platform Usage* breakdown and the contact's *Device Sessions* tab.
- Unified contact registry merged from 5 sources (`jid_map` ∪ `wa_contacts` ∪ `lid_display_name` ∪ group labels ∪ mention names) so every JID resolves to one canonical identity.
- Owner-aware everywhere — `sender_id IS NULL` for owner messages gets joined to `case_metadata` so owner activity never surfaces as "Unknown" anywhere in the UI or reports.

*Groups & communities*

- Past-participant reconstruction from 3 sources: `group_past_participant` ∪ `group_member.is_current=0` ∪ message-presence inference (catches members the roster purged after a long enough gap).
- Owner can-post / can-edit banner on every Group Info page, sourced from `chat.participation_status` + admin flags.
- Community LID resolution + comment-author resolution even when WhatsApp only stored the LID.
- Group Edit History with profile-picture diff.

*Calls*

- Synthetic call reconstruction: calls that have no `message` row in their conversation get virtual rows so they render in every participant's chat timeline at the right position. Group voice chats appear inside the group's chat even when WhatsApp didn't write a message row for them.

*Cross-case pivots*

- Cross-Contact Analysis: pick 2+ contacts, instantly see shared groups, calls between them, file SHA-256 hashes any of them shared in common, cross @-mentions, every conversation any of them appears in. Owner is a first-class pickable contact.
- FTS5 global search with sender / conversation / date / ghost filters; results panel as a sidebar inside the chat with click-to-jump highlights.

*Reports & handoff*

- Per-group landscape-A4 PDF/HTML report: case+evidence provenance banner with source-DB SHA-256 hashes, group identity, owner role, top contributors / forwarders, device platform split, mentions network, activity heatmap, calls, locations (with live-share start/final coords), message-type taxonomy (Type 64/82/90/92/112/116 etc. mapped to readable labels), bot activity, former members.
- Per-contact report with section picker.
- Offline HTML viewer bundle — single ZIP, opens from `file://` with no Python or server. WhatsApp-Web-style chat list, full message rendering, FTS5-equivalent search. The case officer / opposing counsel can open it in any browser.
- Tagged-messages export with three modes (full / tagged-only / tagged ± N day buffer).

**Forensic integrity.** Source `msgstore.db` opened with three independent guards (`?mode=ro&immutable=1` URI + `SQLITE_OPEN_READONLY` flag + `PRAGMA query_only=ON`). Source files SHA-256 hashed at ingest. Every action journaled to a hash-chained `chain_of_custody.jsonl` — each entry's hash includes the previous one, so the audit trail is tamper-evident, not just append-only. Original IDs preserved (`message.source_msg_id`, `media.source_media_row_id`, etc.) so every analysis row links back to its msgstore.db / wa.db origin. Timestamps shown local + UTC in brackets so case timezone is unambiguous.

**Honest caveats.** Android-only. No automated tests yet. Schema research was done sample-by-sample so there are likely edge cases on WA versions / Business app / regional builds I haven't seen — Business app support is on the roadmap. Validated primarily against my own personal-device datasets.

Built solo. PySide6 + SQLite + ~85K lines of Python. There's a deepwiki for it too (https://deepwiki.com/akhil-dara/WAInsight) if you want a deeper architectural read before cloning.

Would genuinely value feedback from anyone who works WhatsApp cases regularly — especially edge cases or schema variants that break it. Issues / DMs / comments all welcome.

r/cybersecurity 8h ago

# Built with vibes, secured by nothing, and somehow surprised when the data walked out the door

Over the weekend, [**we reported**](https://blog.hagerstownrapidresponse.com/p/breaking-news-apparent-data-breach-hits-miles-taylors-anti-ice-organizing-site-gtfoice-org) that something was wrong with [GTFOICE.org](http://GTFOICE.org), a high-profile anti-ICE organizing site associated with [**Miles Taylor**](https://www.facebook.com/Newsweek/posts/miles-taylor-a-former-dhs-official-has-launched-gtfo-ice-to-help-americans-find-/1320626276604480/), who previously served as Chief of Staff at the Department of Homeland Security, the same agency that oversees ICE. The project is described as a collaboration between [**DEFIANCE.org**](https://www.defiance.org/six-months#:~:text=GTFO%20ICE%20(%E2%80%9CGET,a%20police%20state.), [**Project Salt Box**](https://projectsaltbox.com/), and [**Save America Movement**](https://saveamericamovement.substack.com/p/how-to-cancel-a-concentration-camp).

At first glance, the situation looked like a potential data breach. However, as we began to dig deeper, the picture that emerged was not one of a sophisticated hack, but of a system that may never have had meaningful protections in place to begin with.

Nearly 18,000 people entered their [**personal information**](https://archive.is/hHEWv) into the platform, including names, email addresses, phone numbers, and zip codes with the expectation that they would receive a playbook or be connected to local organizing efforts. Instead, that data appears to have been accessible through a publicly exposed API that lacked basic safeguards, such as authentication and rate limiting, meaning that anyone who knew where to look could potentially view and collect large amounts of sensitive information tied to anti-ICE organizing activity.

The situation escalated further when members of our team, who had signed up across multiple locations using different phone numbers, received the following message days later:

“Hi \*\*\*\*\*, Your email, phone number, location, and other information that you provided to GTFOIce have been forwarded to the authorities, including FBI, HSI, and ICE. Miles Taylor and Xander Schultz are grifters and terrible coders, and should never have been hired for security anything”

We cannot independently verify the claim made in that message, but its impact was immediate, amplifying fears about how exposed this data may have been and who could have accessed it.

**In practical terms, this means the data people submitted was effectively sitting out in the open online, without real barriers preventing access and without controls to limit how much could be retrieved. The issue was not that someone broke through layers of security, but that the system itself appears to have made that data available in the first place.**

r/netsec 11h ago
CVE

In this blog post I introduced several novel techniques:

1. How to get all routes - no need to authenticate.
2. How to get methods to fuzz from pages and not just the bootstrap JS files - the vast majority of methods are in those pages and not the JS files that existing tools and guides point to.
3. How to parse "LWC" components and not just legacy components.

r/cybersecurity 12h ago
CVE

This is a bit of a long shot, but I figured if anyone would remember, it’d be Reddit.

Back in the early 2000s (I’m thinking \~2001–2004), I used to spend time on a site called **areyoufearless.com**. It was one of those raw, early hacker / defacement-era forums — tutorials, tools, crews, all that chaotic energy before everything got locked down or went private.

There was also a thing around that time about someone called **Gobo** getting arrested — I distinctly remember people talking about it and even **“Free Gobo” t-shirts** being made and shared around the scene.

I’ve tried digging recently and there’s basically nothing left:

* Wayback has barely anything useful
* No clear records of the forum
* No mention of Gobo or what actually happened

It feels like that whole layer of the internet just… evaporated.

So:

* Does anyone else remember **areyoufearless**?
* [https://web.archive.org/web/20040607071642/http://www.areyoufearless.com/](https://web.archive.org/web/20040607071642/http://www.areyoufearless.com/)
* Any memories of **Nuclear Winter Crew** or similar groups from that site?
* And does anyone know what actually happened to **Gobo**?
* Found the handles of some of the owners;
* [Ghirai](https://web.archive.org/web/20040607071642/http://ghirai.areyoufearless.com/) [triforce](https://web.archive.org/web/20040607071642/http://triforce.areyoufearless.com/) [Read101](https://web.archive.org/web/20040607071642/http://read101.areyoufearless.com/) [tataye](https://web.archive.org/web/20040607071642/http://tataye.areyoufearless.com/)

Not looking for anything dodgy — just curious nostalgia from my teens and wondering if anyone else was there / remembers it.

Cheers!

r/cybersecurity 13h ago

Hi guys, I send out a weekly newsletter with the latest cybersecurity vendor reports and research, and thought you might find it useful, so sharing it here. All the reports and research below were published between April 27th - May 3rd.

You can get the below into your inbox every week if you want: [https://www.cybersecstats.com/cybersecstatsnewsletter/](https://www.cybersecstats.com/cybersecstatsnewsletter/)

# Big Picture Reports

**2026 Global Threat Landscape Report (Fortinet)**

The 2025 threat trends that Fortinet thinks you need to know about.

**Key stats:**

* Time-to-exploit is 24 to 48 hours for critical outbreaks, compared to 4.76 days previously.
* There were 7,831 confirmed ransomware victims globally, a 389% year-over-year increase from approximately 1,600 victims previously.
* Global exploitation attempts increased 25.49% year-over-year.

*Read the full report* [*here*](https://www.cybersecstats.com/r/c94c196d?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

**Phishing Trends Threat Report (KnowBe4)**

Another source of data that confirms what we have heard before: that attackers are using AI in their phishing campaigns. Interestingly, they’re also getting more creative with calendar invites and Teams-based lures.

**Key stats:**

* In the last six months, 86% of phishing attacks were AI-driven.
* Calendar invite phishing increased by 49%.
* Internal team impersonation was present in 30% of phishing attacks by threat actors in Q1 2026.

*Read the full report* [*here*](https://www.cybersecstats.com/r/5eea4ac3?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

**The State of Assumed Security (Horizon3.ai)**

Two almost comical data points that could be summed up as “CISOs are wildly confident in tools they barely ever test.”

**Key stats:**

* 97% of CISOs say they are confident their endpoint protection would detect attacker behavior.
* 12% of CISOs report testing their endpoint protection detection capability within the last three months.
* 30% of organizations patch and then test to confirm that risk has been remediated.

*Read the full report* [*here*](https://www.cybersecstats.com/r/ade1f886?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

**2026 Bad Bot Report: Bad Bots in the Agentic Age (Thales)**

Bots now make up more of the internet than humans do, and they're going straight after APIs to bypass user-facing defenses.

**Key stats:**

* In 2025, AI-driven bot attacks surged 12.5x compared to the previous year.
* In 2025, bots made up more than 53% of all web traffic, up from 51% the previous year, while human activity fell to 47%.
* 27% of bot attacks targeted APIs, allowing bots to bypass user interfaces and interact directly with backend systems at machine speed.

*Read the full report* [*here*](https://www.cybersecstats.com/r/9573474f?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

# AI

**Why AI & Automation in SecOps Aren't Delivering What Leaders Think (Swimlane)**

The C-suite thinks AI is awesome for security operations. The managers actually working with it disagree (by a lot).

**Key stats:**

* 87% of enterprises have deployed AI and automation in security operations simultaneously.
* 67% of C-suite leaders report being very confident in AI's outputs.
* 21% of managers report being very confident in AI's outputs.

*Read the full report* [*here*](https://www.cybersecstats.com/r/dd32d316?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

**The Cyber Defense Benchmark: Why Every Frontier LLM Failed (Simbian)**

The frontier models did not do well here. The best one still missed over half the attack evidence, and the cost difference between them was pretty wild.

**Key stats:**

* Anthropic Claude Opus 4.6 detected an average of 46% of attack evidence per MITRE tactic.
* Anthropic Opus 4.6 found three times more attack flags than Google Gemini 3 Flash in the benchmark.
* Anthropic Opus 4.6 incurred roughly 100 times the detection cost of Google Gemini 3 Flash in the benchmark.

*Read the full report* [*here*](https://www.cybersecstats.com/r/e447b9bf?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

**Leading Your Workforce to Triumph With AI (Lenovo)**

Pretty much everyone's using AI at work every week, most people aren't telling IT about it, and IT leaders are kind of freaking out about what that means for risk.

**Key stats:**

* More than 70% of employees worldwide use AI on a weekly basis.
* Up to one-third of employees operate beyond IT oversight when using AI.
* Only 31% of IT leaders feel confident in their ability to manage cybersecurity risks linked to AI.

*Read the full report* [*here*](https://www.cybersecstats.com/r/deea2a93?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

# Consumer AI

**Global Study: 73% of Shoppers Using AI in Shopping Journey (Riskified)**

Consumers are happy to use AI to shop, but they're not handing over the credit card just yet, and a lot of them are worried about what AI means for fraud risk.

**Key stats:**

* In Q4 2025, 73% of consumers reported using AI at some point in their shopping journey.
* 55.0% of consumers are not comfortable with AI agents making purchases on their behalf.
* 53.9% believe AI could increase the risk of online fraud.

*Read the full report* [*here*](https://www.cybersecstats.com/r/af10c197?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

# Identity Security

**2026 Trends in Identity Attack Path Management (SpecterOps)**

Identity attack path management has moved out of the experimentation phase. Adoption is up sharply year over year, and so is spending.

**Key stats:**

* 35% of organizations have fully implemented an identity-based Attack Path Management solution, up from 21% in 2025.
* 75% of organizations report increased identity security spending.
* 46% say improving attack path visibility and privilege relationships is a top cybersecurity priority over the next 12 months.

*Read the full report* [*here*](https://www.cybersecstats.com/r/1f1d4d2e?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

# IT Security Workforce

**Cyberthreat Defense Report (CyberEdge Group)**

Security teams expect AI to replace a lot of their jobs.

**Key stats:**

* 80% of IT security professionals believe AI will significantly reduce the number of people required to perform their current roles.
* Among those who expect AI to reduce required headcount, 46% expect this shift to occur within the next two years.
* 97% of IT security hiring managers are actively seeking candidates with at least one AI-related skill.

*Read the full report* [*here*](https://www.cybersecstats.com/r/327961eb?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

# Fraud

**The State of Mule Account Handovers in 2026 (Incognia)**

Mule account fraud is growing fast, with financial institutions saying it's tougher to detect than other fraud.

**Key stats:**

* 81% of fraud prevention, risk, and compliance professionals report an increase in mule-related activity over the past year.
* More than 80% report that mule activity is detected reactively rather than prevented before suspicious transactions occur.
* 78% of financial institutions make improving mule account detection a high or top priority over the next 12 months.

*Read the full report* [*here*](https://www.cybersecstats.com/r/86edcf28?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

**2026 Fraud Insights U.S. Payments Edition (NICE Actimize)**

Fraudsters are more strategic about which payment types they go after, and the usual ways of catching them aren't really working.

**Key stats:**

* Attempted ACH fraud value increased 52% in 2025.
* Total ACH payment value increased 11%, creating a nearly 5-to-1 divergence.
* A single low-cost device model drove 3% of all mobile account takeover attempts.

*Read the full report* [*here*](https://www.cybersecstats.com/r/91352558?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

**Reported losses to scams on social media eight times higher than in 2020 (FTC)**

A good reminder to be careful on social media.

**Key stats:**

* Reported losses for social media scams reached $2.1 billion in 2025, about eight times the 2020 figure.
* In 2025, nearly 30% of people who reported losing money to a scam said it started on social media.
* $1.1 billion, more than half the money reported lost to scams initiated on social media, was to investment scammers.

*Read the full report* [*here*](https://www.cybersecstats.com/r/23e8da28?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

# SMB Security

**2026 State of MSP Threat Report (Guardz)**

Almost every SMB has compromised users at any given time, and BEC losses are way up.

**Key stats:**

* 89% of monitored SMBs have at least one user with confirmed credential compromise at any given time.
* 31% of users in monitored SMB environments are exposed to compromised passwords each month.
* Remote monitoring and management tool abuse accounted for 26% of all detections in monitored SMB environments.

*Read the full report* [*here*](https://www.cybersecstats.com/r/5d747c13?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

# Enterprise Perspective

**Bridging the Readiness Gap to the Agentic Enterprise (Hyland)**

Organizations agree they need connected data for AI, but almost nobody actually has it yet.

**Key stats:**

* 94% of organizations say well-connected data, processes, and applications are highly important to successful AI adoption.
* 27% of organizations say data, processes, and applications are well connected in their organization today.
* 65% say their structured data is somewhat or fully prepared for AI use.

*Read the full report* [*here*](https://www.cybersecstats.com/r/4ac2d497?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

**2026 State of Security in Business-Built Applications and AI Agents Survey (Nokod)**

Citizen developers now massively outnumber professional ones, and security teams basically can't see most of what they're building.

**Key stats:**

* On average, there are 4 business builders for every professional software developer in enterprises.
* Over 80% of security teams at enterprises lack full visibility into the applications and AI agents created by business users.
* Enterprises can track only 44% of the AI tools handling sensitive company and user data.

*Read the full report* [*here*](https://www.cybersecstats.com/r/a81ef494?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

# Industry-Specific

**The State of Cybersecurity In Manufacturing (Resilience)**

Manufacturing was the favorite ransomware target of 2025, and it's not even close.

**Key stats:**

* The manufacturing sector experienced a 61% year-over-year surge in ransomware attacks in 2025, the sharpest growth of any industry.
* Manufacturing accounted for more than one in four of all global cyberattacks in 2025.
* Ransomware accounted for about 90% of total incurred losses in Resilience's manufacturing insurance portfolio over the past five years.

*Read the full report* [*here*](https://www.cybersecstats.com/r/75dbdb1e?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

**Microsegmentation Has Matured: Has Your Architecture Kept Up? (Elisity & Omdia)**

Healthcare and manufacturing organizations agree on the need for microsegmentation, they just haven't actually finished doing it.

**Key stats:**

* 99% of healthcare and manufacturing organizations are implementing or planning microsegmentation.
* Over 90% of healthcare and manufacturing organizations have protected fewer than 80% of their critical systems.
* 57% rank microsegmentation as their top initiative to stop lateral movement.

*Read the full report* [*here*](https://www.cybersecstats.com/r/99bb962c?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

**2026 Medical Device Cybersecurity Index (RunSafe)**

Healthcare is still running medical devices with known unpatched vulnerabilities, and when those devices get attacked, it usually disrupts patient care.

**Key stats:**

* 24% of healthcare organizations report cyberattacks or exploited vulnerabilities involving medical devices.
* 80% of cyber incidents involving medical devices cause moderate or significant disruption to patient care.
* 44% of healthcare organizations use medical devices with known, unpatched vulnerabilities.

*Read the full report* [*here*](https://www.cybersecstats.com/r/1fd46869?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

**2026 NASCIO-Deloitte Cybersecurity Study (Deloitte)**

State CISOs are feeling much less confident than they were a few years ago, and budgets are getting cut for the first time in a while.

**Key stats:**

* Only 26% of state CISOs are extremely or very confident that their state's information assets are protected from cyber threats, down from 48% in 2022.
* 63% describe themselves as not very confident in the ability of local government and public higher education to secure public data, up from 35% in 2022.
* 16% of state CISOs report their budgets have been cut, up from none in 2024.

*Read the full report* [*here*](https://www.cybersecstats.com/r/8c36e6d0?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

# Regional Spotlight

**Cyber security breaches survey 2025/2026 (Department for Science, Innovation & Technology)**

The UK cybersecurity and breach landscape.

**Key stats:**

* 43% of businesses and 28% of charities reported having experienced any kind of cyber security breach or attack in the last 12 months.
* Phishing attacks remained the most prevalent type of breach or attack by far, experienced by 38% of businesses and 25% of charities.
* Among those who experienced a breach or attack, the proportion experiencing phishing attacks only increased among both businesses (from 45% last year to 51% this year) and charities (from 46% last year to 57% this year).

*Read the full report* [*here*](https://www.cybersecstats.com/r/321ccad2?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

r/blueteamsec 14h ago

If you are tracking Iranian-nexus activity in the Middle East, this one is worth your time.

[Hunt.io](https://hunt.io)'s AttackCapture flagged an open directory on a UAE-hosted VPS that turned out to be a full active C2 environment tied to an intrusion against Oman's government. Toolkit, session logs, and exfiltrated data all exposed.

* 12 ministries targeted, 26,000+ citizen records pulled from the Ministry of Justice along with judicial case data and SAM/SYSTEM registry hives
* Custom ASPX webshells, six-version Python C2, GodPotato privilege escalation, Chisel tunneling, 50+ exploitation scripts covering ProxyShell, DNN SSRF, and national ID IDOR vulnerabilities
* TTPs overlap with known MOIS-linked clusters, full analysis in the post

Full post and IOCs: [https://hunt.io/blog/iranian-nexus-oman-government-intrusion](https://hunt.io/blog/iranian-nexus-oman-government-intrusion)

The Hacker News 15h ago
CVE

The Apache Software Foundation (ASF) has released security updates to address several security vulnerabilities in the HTTP Server, including a severe vulnerability that could potentially lead to remote code execution (RCE). The vulnerability, tracked as CVE-2026-23918 (CVSS score: 8.8), has been described as a case of "double free and possible RCE" in the HTTP/2 protocol handling. This issue

r/netsec 15h ago

The majority of widely used AI clients like:

* Claude Code
* Claude Desktop
* Cursor
* LibreChat
* Amazon Q CLI

have not implemented the critical refresh-token flow of the OAuth standard.

This is forcing developers to issue long-lived tokens, creating a serious security regression in an already solved problem.

This write-up includes a matrix table of 14 major clients with notes linking to feature requests, pull requests, and multiple forum discussions.

It is not all gloom and doom though! There is a work-around solution that security-conscious users are using as a stop-gap also discussed, along with a best practices guide for developers implementing their own MCP OAuth Solution.

The plan is to update this reference on a monthly basis to track if there is any movement on these open requests.

Bleeping Computer 17h ago
CVE

Critical vulnerabilities can exist in open source software your scanners don't check. HeroDevs reveals how EOL software creates blind spots in CVE feeds and SCA tools, and how you can receive a free end-of-life scan for your projects. [...]

r/Malware 19h ago

Pushed a new IOCX release (v0.7.1) that’s aimed at making the engine much harder to break during static analysis. The focus was adversarial behaviour: malformed binaries, corrupted PE structures, and intentionally hostile IOC‑like strings.

If you work with weird samples, tooling pipelines, or large‑scale triage, this release makes IOCX more robust under hostile conditions.

**New PE structural heuristics**

Six new checks added to catch structural anomalies without blowing up the parser:

* overlapping/misaligned sections
* inconsistent optional headers (PE32 & PE32+)
* broken entrypoint mappings
* corrupted data directories
* malformed import tables
* general PE layout inconsistencies

These aren’t detections — they’re deterministic, reason‑coded structural signals to keep analysis stable.

**Expanded adversarial PE corpus**

Added a full suite of malformed and corrupted PEs, including:

* broken RVAs / invalid addressing
* truncated Rich headers
* fake UPX names + packed‑lookalikes
* PE32/PE32+ hybrids
* “franken‑PEs” combining multiple faults

All outputs are snapshot‑validated to guarantee deterministic behaviour.

**Adversarial coverage across all IOC categories**

New hostile string fixtures now stress every extractor:

* homoglyph + mixed‑script domains
* malformed URLs and schemes
* broken IPv4/IPv6
* noisy or near‑miss hashes
* invalid Base64
* adversarial crypto strings (incl. Base58Check)
* long/invalid Windows paths
* malformed emails

The goal: keep extraction predictable even when the input is intentionally messy.

**Parser & extractor hardening**

* stable on malformed PE structures
* structured, JSON‑safe error metadata
* improved domain/URL/crypto/hash extractors
* deterministic output across platforms

**Links**

GitHub: [https://github.com/iocx-dev/iocx](https://github.com/iocx-dev/iocx)

PyPI: [https://pypi.org/project/iocx/](https://pypi.org/project/iocx/)

**Example**

`pip install iocx`

`iocx suspicious.exe -a full`

If you’re doing malware triage, static analysis, or building automated pipelines that need predictable IOC extraction, v0.7.1 should be a noticeable stability bump.

Happy to discuss edge cases or weird samples people want covered next.

The Hacker News 19h ago

Every AI tool, workflow automation, and productivity app your employees connected to Google or Microsoft this year left something behind: a persistent OAuth token with no expiration date, no automatic cleanup, and in most organizations, no one watching it. Your perimeter controls don't see it. Your MFA doesn't stop it. And when an attacker gets hold of one, they don't need a password. OAuth

The Hacker News 19h ago

Threat actors are actively exploiting a critical security flaw impacting an open-source content management system (CMS) known as MetInfo, according to new findings from VulnCheck. The vulnerability in question is CVE-2026-29014 (CVSS score: 9.8), a code injection flaw that could result in arbitrary code execution. "MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code

Bleeping Computer 20h ago

Google overhauls its Android and Chrome vulnerability rewards programs, offering bounties of up to $1.5 million for the most difficult exploits while scaling back payouts for flaws that artificial intelligence (AI) has made easier to find. [...]

Trail of Bits 20h ago
AI

We recently added a C/C++ security checklist to the Testing Handbook and challenged readers to spot the bugs in two code samples: a deceptively simple Linux ping program and a Windows driver registry handler. If you found the inet_ntoa global buffer gotcha or the missing RTL_QUERY_REGISTRY_TYPECHECK flag, nice work. If not, here’s a full walkthrough of both challenges, plus a deep dive into how the Windows registry type confusion escalates from a local denial of service to a kernel write primitive.

Since we first released the new C/C++ security checklist, we also developed a new Claude skill, c-review. It turns the checklist into bug-finding prompts that an LLM can run against a codebase. It’s also platform and threat-model aware. Run these commands to install the skill:

```
claude skills add-marketplace https://github.com/trailofbits/skills
claude skills enable c-review --marketplace trailofbits/skills
```

The Linux ping program challenge

The Linux warmup challenge we showed you in the last blog post has an obvious command injection issue.

#include <stdio.h> #include <s

The Hacker News 21h ago

While the software industry has made genuine strides over the past few decades to deliver products securely, the furious pace of AI adoption is putting that progress at risk. Businesses are moving fast to self-host LLM infrastructure, drawn by the promise of AI as a force multiplier and the pressure to deliver more value faster. But speed is coming at the expense of security. In the wake of the

The Register 22h ago
CVE

Healthcare giant's maintainers handed May deadline to enact the change
The UK's National Health Service (NHS) is ordering all of its technology leaders to temporarily wall off the organization's open source projects over concerns relating to advanced AI and Anthropic's Mythos.…

r/computerforensics 22h ago
CVE

I've been working on this for the last few months and just wanted to share. It's a free browser-based tool for inspecting and removing metadata from photos, videos, audio, PDFs and Office documents — and it has a small image-forensics lab built in.

Live: [https://midgardmud.de/tools/exif/](https://midgardmud.de/tools/exif/)

Why I built it: every other "EXIF remover" online asks you to upload your private files to a server. That's the opposite of privacy. So I wrote one that runs 100% in the browser via the File API — your file never leaves your device. F12 → Network tab → drop a 50 MB photo → you'll see zero outbound requests.

What it does:

• Strips metadata from JPG/PNG/WebP/GIF/HEIC/TIFF, MP4/MOV/MKV/WebM/AVI, MP3/FLAC/OGG/WAV, PDF, DOCX/XLSX/PPTX
• Privacy Risk Score 0–100 with per-file breakdown so you see what's actually leaking
• 4 one-click privacy profiles (Anonymous / Social-safe / Keep camera / GPS-only)
• Forensics: ELA, JPEG-Ghost re-save heatmap, DQT compression fingerprint, Noise + CFA/Bayer pattern (defensible alternative to AI-image detectors), Copy-Move clone detection, embedded-thumbnail audit, RGB histogram, hex viewer, structure inspector
• SHA-256 + perceptual hash (pHash) per file
• ExifTool-compatible JSON export
• Per-tag EXIF editor + GPS spoofing for JPEG
• C2PA self-signed Content Credentials
• Works fully offline as a PWA after first visit
• 19 languages

Stack: vanilla JS, no framework, no build step, ~12k lines. libheif WASM lazy-loaded for HEIC. Web Worker for big videos so the UI stays responsive.

Happy to answer anything about how the parsers work, why I avoided React, or how the JPEG-Ghost / Copy-Move detection is implemented. Feedback very welcome.

The Hacker News 22h ago

The North Korea-aligned state-sponsored hacking group known as ScarCruft has compromised a video game platform in a supply chain espionage attack, trojanizing its components with a backdoor called BirdCall to likely target ethnic Koreans residing in China. While prior versions of the backdoor have primarily targeted Windows users only, the supply chain attack is assessed to have enabled the

The Hacker News 23h ago

A critical security vulnerability in Weaver (Fanwei) E-cology, an enterprise office automation (OA) and collaboration platform, has come under active exploitation in the wild. The vulnerability (CVE-2026-22679, CVSS score: 9.8) relates to a case of unauthenticated remote code execution affecting Weaver E-cology 10.0 versions prior to 20260312. The issue resides in the "/papi/esearch/data/devops/

The Hacker News May 5

Microsoft has disclosed details of a large-scale credential theft campaign that has leveraged a combination of code of conduct-themed lures and legitimate email services to direct users to attacker-controlled domains and steal authentication tokens. The multi-stage campaign, observed between April 14 and 16, 2026, targeted more than 35,000 users across over 13,000 organizations in 26 countries,

r/netsec May 5
CVE

Quick note from a scanning project I've been running. We hit 6,000 web apps with a payment-bypass probe last week, sending a minimal fake `checkout.session.completed` event to common webhook paths (`/api/webhook/stripe`, `/api/payments/webhook`, etc.) without a `Stripe-Signature` header. 1,542 returned 200.

That means anyone with curl can fire a forged Stripe event at those endpoints and the server processes it as legitimate. Depending on what the handler does with it, the consequences range from "logs a fake event" to "marks attacker's account as paid" to "creates a confirmed order with no payment".

The split was roughly:

* Custom domains (real production SaaS): ~720
* Render: 198
* Vercel: 142
* Replit: 121
* Railway, Fly, Heroku, others: ~360

Why so many? The Stripe library makes signature verification a one-liner. Every framework has the canonical example. But the dev journey usually goes: build the route locally with a stub handler that just `console.log`s the event body, get the upgrade-the-user logic working, leave signature verification on the TODO, ship. Six months later nobody remembers it was ever a TODO.

The fix in Express:

```js
app.post('/api/webhook/stripe',
  express.raw({type: 'application/json'}),
  (req, res) => {
    const sig = req.headers['stripe-signature'];
    let event;
    try {
      event = stripe.webhooks.constructEvent(
        req.body, sig, process.env.STRIPE_WEBHOOK_SECRET);
    } catch (err) {
      return res.status(400).send(`Webhook Error: ${err.message}`);
    }
    // proceed with event
    res.json({received: true});
  });
```

The trap: `express.json()` globally parses the body before your handler sees it, leaving Stripe's library to compute the signature against parsed-then-stringified JSON, which never matches. Use `express.raw()` specifically on the webhook route, before any global JSON parser.

FastAPI / Python: read `await request.body()` directly, not `request.json()`. Same idea.

Caveats: a 200 response doesn't prove the app actually grants the attacker something. Some endpoints log every webhook for analytics and return 200 regardless. The 1,542 number is "endpoints accepting unsigned events", not "definitely exploitable". But the misconfiguration is real on its own.

Full writeup with the methodology and platform-by-platform breakdown: [https://securityscanner.dev/blog/stripe-webhook-signature-bypass-1500-apps](https://securityscanner.dev/blog/stripe-webhook-signature-bypass-1500-apps)

Curious if anyone here has shipped a Stripe webhook recently and can double-check theirs.

The Register May 5

Vendors all use different formats. This tech translates them all so you can smooth your SOC
Academics from Singapore and China have found a way to make AI useful for cyber-defenders, by creating a technique that translates rules from diverse Security Information and Event Managements (SIEMs) so they’re easier to consume across multiple systems.…

Monday, May 4
Synack May 4

The Model We’ve Relied on Is Starting to Break
Over the past 20 years, I’ve seen the threat landscape evolve from opportunistic attackers, to organized cybercrime, to nation-state campaigns. Each shift forced security teams to adapt. What’s happening right now is different. AI models coming out of Anthropic, OpenAI, Google, and X are rewriting the […] The post Sara AI Pentesting Is Now Generally Available: The Model Is Changing appeared first on Synack.

The Register May 4

46% say age checks are easy to bypass, and nearly a third admit getting around them
It’s been months since the UK government began requiring stronger age checks under the Online Safety Act, and recent research suggests those measures are falling short of keeping kids away from harmful content. In some cases, even drawing on a mustache has been reported as enough to fool age detection software.…

Synack May 4

Key Takeaways
Over the past year, the conversation in security has changed faster than most programs have. AI is compressing attacker timelines. Environments are changing daily rather than quarterly. And the model most enterprises still rely on to validate security—periodic penetration testing—is starting to break under the weight of both. The real question isn’t whether […] The post The Shift to Continuous Security Validation: Why Detection Is No Longer Enough appeared first on Synack.

The Hacker News May 4

Progress Software has released updates to address two security flaws in MOVEit Automation, including a critical bug that could result in an authentication bypass. MOVEit Automation (formerly Central) is a secure, server-based managed file transfer (MFT) solution used to schedule and automate file movement workflows in enterprise environments without requiring any custom scripts. The

The Register May 4

'If you don't have visibility, you can't understand what to protect'
When it comes to securing enterprise supply chains, now heavily infused with AI applications and agents, a software bill of materials (SBOM) no longer provides a complete inventory of all the components in the environment. Enter AI-BOMs.…

The Hacker News May 4

This week, the shadows moved faster than the patches. While most teams were still triaging last month’s alerts, attackers had already turned control panels into kill switches, kernels into open doors, and open-source pipelines into silent delivery systems. The game has shifted from breach to occupation. They’re living inside SaaS sessions, pushing code with trusted commits, and scaling

The Hacker News May 4

On December 4, 2025, a 17-year-old was arrested in Osaka under Japan’s Unauthorized Access Prohibition Act. The young man had run malicious code to extract the personal data of over 7 million users of Kaikatsu Club, Japan's largest internet cafe chain. When asked, the young man shared his motivation for the hack: he wanted to buy Pokémon cards. In a sense, this is a fairly conventional story.

The Hacker News May 4

The China-based cybercrime group known as Silver Fox (aka Monarch, SwimSnake, The Great Thief of Valley, UTG-Q-1000, and Void Arachne) has been linked to a new campaign targeting organizations in Russia and India with a new malware called ABCDoor. The activity involved using phishing emails that mimic correspondence from the Income Tax Department of India in December 2025, followed by a similar

r/blueteamsec May 4

We just open-sourced **VanGuard** — a self-contained IR toolkit that bundles Velociraptor, Hayabusa, Chainsaw, Loki, and YARA into a single binary with a terminal UI.

Built it because we were tired of the 45-minute tooling setup at the start of every engagement. Download KAPE, remember the flags, set up Velociraptor, manually hash evidence, and track the chain of custody in a spreadsheet.

What it does:

* Quick triage (20+ Windows, 15+ Linux artifact categories using native commands)
* Velociraptor server lifecycle + agent deployment from the TUI
* Threat hunting with Hayabusa, Chainsaw, Loki, YARA + live anomaly detection
* Memory capture + Volatility 3 analysis
* 28 pre-built use cases (ransomware, BEC, credential theft, lateral movement, rootkits) with MITRE ATT&CK mapping
* Evidence dual-hashed (MD5 + SHA256), HMAC chain of custody
* Runs from USB, works fully offline

Cross-platform (Windows + Linux), Apache 2.0, no dependencies.

GitHub: [https://github.com/ridgelinecyberdefence/vanguard](https://github.com/ridgelinecyberdefence/vanguard)

It's provided as-is — every environment is different, especially with remote ops (WinRM/SSH auth varies by config). Test in a lab first. Issues and suggestions welcome on GitHub.

The Hacker News May 4
APT

A previously unknown threat actor has been observed targeting government and military entities in Southeast Asia, alongside a smaller cluster of managed service providers (MSPs) and hosting providers in the Philippines, Laos, Canada, South Africa, and the U.S., by exploiting the recently disclosed vulnerability in cPanel. The activity, detected by Ctrl-Alt-Intel on May 2, 2026, involves the

The Register May 4

Even limited voter rolls can be linked to identify people, research shows
Your voter data could be used against you. A foreign intelligence service that wished to identify the family members of deployed military personnel could do so by cross-referencing public voter record data and social media posts.…

r/ReverseEngineering May 4

To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.

The Hacker News May 4

A coordinated international operation involving U.S. and Chinese authorities has arrested at least 276 suspects and shut down nine scam centers used for cryptocurrency investment fraud schemes targeting Americans, resulting in millions of dollars in losses. The crackdown was led by the Dubai Police, under the United Arab Emirates (UAE) Ministry of Interior, in partnership with the U.S. Federal

The Register May 4

Prioritize resilience over productivity, say CISA, NCSC and their friends from Oz, NZ, Canada
Information security agencies from the nations of the Five Eyes security alliance have co-authored guidance on the use of agentic AI that warns the technology will likely misbehave and amplifies organizations’ existing frailties, and therefore recommend slow and careful adoption of the tech.…

Sunday, May 3
The Hacker News May 3

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a recently disclosed security flaw impacting various Linux distributions to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerability, tracked as CVE-2026-31431 (CVSS score: 7.8), is a local privilege escalation (LPE) flaw that could allow an

Saturday, May 2
r/computerforensics May 2

*As one tends to do on Saturday mornings with coffee in hand, I was reviewing two samples that were attributed to the LunaStealer / LunaGrabber family. Originally I was validating that* `tiquery` *was working with the MCP configuration, however what started as a quick TI check turned into a full static analysis session — and it gave me a good opportunity to put the MalChela MCP integration through its paces in a real workflow. This post walks through how that investigation unfolded, what the pivot points were, and what we found at the bottom of the rabbit hole.*

Friday, May 1
r/computerforensics May 1
CVE

How about an unscheduled, impromptu Friday night 13Cubed episode? Let’s talk about Copy Fail. [https://www.youtube.com/watch?v=ZVmpK-9rP0Q](https://www.youtube.com/watch?v=ZVmpK-9rP0Q) More here: [https://nullsec.us/cve-2026-31431-copy-fail-forensics/](https://nullsec.us/cve-2026-31431-copy-fail-forensics/)

r/netsec May 1

TL;DR: If a large model finds a 0-day with 90% probability, and a small model with 50% probability, but the small model costs 10x less, it is better to use the small model. We compared the cost and recall of various models in finding real, recent zero-days and found that for most applications, smaller models run repeatedly can significantly outperform larger frontier models on cost-to-recall. Disclaimer: I'm involved with Hacktron, the company that produced this research. This is a factual presentation of our benchmarks, which we hope the community can use to make informed decisions about models like Mythos.

Cloudflare May 1

Over the past two and a bit quarters, we've undertaken an intensive engineering effort, internally code-named "Code Orange: Fail Small", focused on making Cloudflare's infrastructure more resilient, secure, and reliable for every customer. Earlier this month, the Cloudflare team finished this work. While improving resiliency will never be a “job done” and will always be a top priority across our development lifecycle, we have now completed the work that would have avoided the November 18, 2025 and December 5, 2025 global outages.

This work focused on several key areas: safer configuration changes, reducing the impact of failure, and revising our “break glass” procedures and incident management. We also introduced measures to prevent drift and regressions over time, and strengthened the way we communicate to our customers during an outage. Here we explain in depth what we shipped, and what it means for you.

Safer configuration changes

What it means for you: In most cases, Cloudflare internal configuration changes no longer reach our network instantly and are instead rolled out progressively with real-time health monitoring. This allows our observability tools to catch problems and revert issues before they affect your traffic.

In order to catch potentially dangerous deployments before they reach production, we've identified high-risk configuration pipelines, and built new tools to manage configuration changes better. For products that run on our network processing customer traffic and receive configuration changes, we no longer deploy these changes instantly across the

r/computerforensics May 1

MalChela v4.0 is out. The desktop GUI is gone — replaced by a PWA you can reach from any browser on the network. Battery-powered Pi on the table, iPad in hand, no keyboard required. The field kit finally makes sense.

The Hacker News May 1

Cybersecurity researchers are warning of two cybercrime groups that are carrying out "rapid, high-impact attacks" operating almost within the confines of SaaS environments, while leaving minimal traces of their actions. The clusters, Cordial Spider (aka BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and Snarky Spider (aka O-UNC-025 and UNC6661), have been attributed to high-speed data theft and

Cloudflare May 1
CVE

When we first launched Workers eight years ago, it was a direct-to-developers platform. Over the years, we have expanded and scaled the ecosystem so that platforms could not only build on Workers directly, but they could also enable their customers to ship code to us through many multi-tenant applications.

We now see on Workers:

* Applications where users describe what they want, and the AI writes the implementation.
* Multi-tenant SaaS where every customer's business logic is, at runtime, some TypeScript the platform has never seen before.
* Agents that write and run their own tools.
* CI/CD products where every repo defines its own pipeline.

Last month, when we shipped the Dynamic Workers open beta, we gave those platforms a clean primitive for the compute side: hand the Workers runtime some code at runtime, get back an isolated, sandboxed Worker, on the same machine, in single-digit milliseconds. Durable Object Facets extended the same idea to storage — each dynamically-loaded app can have its own SQLite database, spun up on demand, with the platform sitting in front, as a supervisor. Artifacts did the same for source control: a Git-native, versioned filesystem you can create by the tens of millions, one per agent, one per session, one per tenant.

So, we have dynamic deployment for storage and source control. What’s next? Today, we are bridging durable execution and dynamic deployment with Dynamic Workflows.

The gap between durable and dynamic execution

Thursday, April 30
Krebs on Security Apr 30

A Brazilian tech firm that specializes in protecting networks from distributed denial-of-service (DDoS) attacks has been enabling a botnet responsible for an extended campaign of massive DDoS attacks against other network operators in Brazil, KrebsOnSecurity has learned. The firm’s chief executive says the malicious activity resulted from a security breach and was likely the work of a competitor trying to tarnish his company’s public image.

For the past several years, security experts have tracked a series of massive DDoS attacks originating from Brazil and solely targeting Brazilian ISPs. Until recently, it was less than clear who or what was behind these digital sieges. That changed earlier this month when a trusted source who asked to remain anonymous shared a curious file archive that was exposed in an open directory online.

The exposed archive contained several Portuguese-language malicious programs written in Python. It also included the private SSH authentication keys belonging to the CEO of Huge Networks, a Brazilian ISP that primarily offers DDoS protection to other Brazilian network operators.

Founded in Miami, Fla. in 2014, Huge Networks’s operations are centered in Brazil. The company originated from protecting game servers against DDoS attacks and evolved into an ISP-focused DDoS mitigation provider. It does not appear in any public abuse complaints and is not associated with any known

Cloudflare Apr 30

Coding agents are great at building software. But to deploy to production they need three things from the cloud they want to host their app — an account, a way to pay, and an API token. Until now these have been tasks that humans handle directly. Increasingly, agents handle them on the user’s behalf. The agent needs to perform all the tasks a human customer can. They’re given higher-order problems to solve and choose to use Cloudflare and call Cloudflare APIs.

Starting today, agents can provision Cloudflare on behalf of their users. They can create a Cloudflare account, start a paid subscription, register a domain, and get back an API token to deploy code right away. Humans can be in the loop to grant permission and must accept Cloudflare's terms of service, but no human steps are otherwise required from start to finish. There’s no need to go to the dashboard, copy and paste API tokens, or enter credit card details. Without any extra setup, agents have everything they need to deploy a new production application in one shot. And with Cloudflare’s Code Mode MCP server and Agent Skills, they’re even better at it.

This all works via a new protocol that we’ve co-designed with Stripe as part of the launch of Stripe Projects. We’re excited to launch this new partnership with Stripe, and also to offer $100,000 in Cloudflare credits to all new startups who incorporate using Stripe Atlas. But this new protocol also makes it possible for any platform with signed-in users to integrate with Cloudflare in the same way Stripe does, with zero friction for the end user.

How it works: zero to production without any setup or manual steps

Wednesday, April 29
Synack Apr 29

What Mythos Means for Penetration Testing as a Service
When Anthropic announced the Claude Mythos Preview, the reaction from the security community was immediate. We’re not talking about the next best model. This model is such a leap forward and so capable at finding and exploiting vulnerabilities that Anthropic deemed it too dangerous to release […] The post What GigaOm and Synack Got Right About AI Pentesting appeared first on Synack.

r/Malware Apr 29

A newly analyzed Go-based macOS remote access trojan (RAT), internally named Minirat, has surfaced in the wild using anti-VM checks, LaunchAgent persistence, and AES-encrypted command and control (C2) configuration to maintain stealthy, long-term access on victim endpoints. According to [SafeDep](https://safedep.io/malicious-velora-dex-sdk-npm-compromised-rat/), the initial infection vector was a malicious npm package (velora-dex-sdk) that dropped the Go-based macOS RAT onto developer endpoints.

Trail of Bits Apr 29

LibAFL is all the rage in the fuzzing community these days, especially with LLVM’s libFuzzer being placed in maintenance mode. Written in Rust, LibAFL claims improved performance, modularity, state-of-the-art fuzzing techniques, and libFuzzer compatibility. For these reasons, I set out to add LibAFL support to Ruzzy, our coverage-guided fuzzer for pure Ruby code and Ruby C extensions. This gives Ruby developers and security researchers access to a more advanced and actively maintained fuzzing engine without changing how they write their fuzzing harnesses.

Ruzzy was originally built on top of LLVM’s libFuzzer, so using LibAFL’s compatibility layer should be easy enough. However, digging around in the internals of complex systems is never quite as simple as it seems. In this post, I will investigate some of the deep plumbing inside these fuzzing engines, take a detour into executable and linkable format (ELF) files, and ultimately add LibAFL support to Ruzzy.

Building with libafl_libfuzzer

Ruzzy currently supports Linux, so I use a Dockerfile for development and for production fuzzing campaigns. To that end, using a similar Dockerfile for LibAFL support is the simplest integration point. LibAFL provides excellent documentation a
