The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given U.S. federal agencies four days to secure their servers against a critical vulnerability in the LiteSpeed cPanel user-end plugin, which is actively being exploited in attacks. [...]
Cybersecurity News and Vulnerability Aggregator
Cybersecurity news aggregator
Updated: 12:20 pm
J/K Navigate / Search S Save V Open Link
— or
treemd <(curl -sL https://allsec.sh/md) (as Markdown) Top Cybersecurity Stories Today
Carnival Corporation, the world's largest cruise line operator, has confirmed a data breach affecting nearly 6 million people claimed by the ShinyHunters extortion gang in April 2026. [...]
A new campaign orchestrated by a previously undocumented threat actor has targeted cryptocurrency organizations with an aim to facilitate digital asset theft using recruitment-themed social engineering and bespoke macOS malware. "These campaigns leveraged sophisticated social engineering techniques, custom macOS malware, and deep targeting of CI/CD infrastructure," Wiz researchers Shira Ayal,
Threat actors are targeting systems with high-performance computers in an ongoing cryptojacking campaign spread through a coordinated SEO poisoning operation that also manipulated AI chatbot recommendations. [...]
Anna Turley gives Reform leader 24 hours to report Russian hacking claim in ‘public and national interest’ The Labour chair has given Nigel Farage 24 hours to report to security services the claim that his phone was hacked by Russia-linked actors or the party will do it for him. In a letter to the Reform UK leader, Anna Turley said it was “in the public and national interest” to ensure that a suspected overseas hack of a senior politician’s phone by a hostile state was properly investigated. Continue reading...
Latest
Thursday, May 28
[https://www.securityweek.com/raising-the-cybersecurity-stakes-ante-up-for-the-agentic-era/](https://www.securityweek.com/raising-the-cybersecurity-stakes-ante-up-for-the-agentic-era/)
New AI Usage Report: Enterprise AI Risk Is Heavily Concentrated Among a Small Group of AI "Power users"
State of AI Usage Report 2026 (full report here) by LayerX Security reveals the extent of the enterprise AI visibility gap and why most organizations still don't understand where their AI exposure is actually coming from. The research shows that enterprise AI risk is not distributed evenly across users or platforms. Instead, it is heavily concentrated among a small group of AI power users and a
Dataforge Honeypot uses a split architecture — a lightweight Docker-based detector you deploy on any network segment (LAN, DMZ, VLAN, branch office, etc.), paired with a cloud-hosted director that aggregates events, manages detector configuration, and delivers alerts via email or Telegram. The detector runs decoy service handlers on common ports (SMTP, SSH, TCP, UDP) and has no legitimate users or workload — any inbound connection or probe is inherently suspicious. Events are buffered locally on the detector and uploaded to the director, so a temporary cloud outage won't silently drop tripwire hits. Since the detector is a Docker container, deployment is a single `docker run` command generated by the portal — no manual config files. You can place detectors across multiple segments to catch internal reconnaissance, lateral movement, and port scanning the moment it happens, with alerts reaching you while the attacker is still in the discovery phase.
Carnival Corporation, the world's largest cruise line operator, has confirmed a data breach affecting nearly 6 million people claimed by the ShinyHunters extortion gang in April 2026. [...]
**Google Cloud this week announced an always-on autonomous platform designed to protect enterprises from the rising wave of AI-powered cyberattacks.** [https://www.securityweek.com/google-unveils-ai-threat-defense-platform-to-fight-ai-powered-cyberattacks/](https://www.securityweek.com/google-unveils-ai-threat-defense-platform-to-fight-ai-powered-cyberattacks/)
[https://www.helpnetsecurity.com/2026/05/28/hottest-cybersecurity-open-source-tools-of-the-month-may-2026/](https://www.helpnetsecurity.com/2026/05/28/hottest-cybersecurity-open-source-tools-of-the-month-may-2026/)
Customer data from more than 350 hotels around the world may have been accessed as part of realistic reservation-hijacking scams.
A Canadian man was sentenced to 33 years in prison after pleading guilty to targeting more than 145 children across the United States, some as young as 6 years old, in an eight-year-long sextortion scheme. [...]
A new campaign orchestrated by a previously undocumented threat actor has targeted cryptocurrency organizations with an aim to facilitate digital asset theft using recruitment-themed social engineering and bespoke macOS malware. "These campaigns leveraged sophisticated social engineering techniques, custom macOS malware, and deep targeting of CI/CD infrastructure," Wiz researchers Shira Ayal,
Wednesday, May 27
Threat actors are targeting systems with high-performance computers in an ongoing cryptojacking campaign spread through a coordinated SEO poisoning operation that also manipulated AI chatbot recommendations. [...]
Anna Turley gives Reform leader 24 hours to report Russian hacking claim in ‘public and national interest’ The Labour chair has given Nigel Farage 24 hours to report to security services the claim that his phone was hacked by Russia-linked actors or the party will do it for him. In a letter to the Reform UK leader, Anna Turley said it was “in the public and national interest” to ensure that a suspected overseas hack of a senior politician’s phone by a hostile state was properly investigated. Continue reading...
There’s an increase in Device Code phishing activity, with Kali365 emerging as one of the most active PhaaS. In the last 24 hours alone, ANYRUN recorded 100+ related analysis sessions. The attack abuses legitimate Microsoft device authentication flows. Victims are shown a user code and instructed to enter it into a real Microsoft device auth page, allowing attackers to capture OAuth access tokens instead of passwords. The risk shifts from credential theft to token abuse, while significantly reducing the number of traditional phishing indicators typically used for detection and triage. Deobfuscated Kali365 JavaScript revealed that after a verification gate, the lure deploys a phishing page, launches a legitimate Microsoft device authentication flow, and then polls /api/status/<session\_id> for session states such as captured, expired, and declined. The code also contains lure-template generators for OneDrive, SharePoint, Teams, Outlook, and Voicemail, and a separate Google device-code authentication flow. Analysis and IOCs: [https://app.any.run/tasks/d078f430-c3cc-44e8-a809-5506205049c3](https://app.any.run/tasks/d078f430-c3cc-44e8-a809-5506205049c3?utm_source=reddit) https://preview.redd.it/qve9gy4y9q3h1.png?width=1080&format=png&auto=webp&s=a5058a4553a38d8e012cc9f51a37b7efa5ae5fc9
On Tuesday, May 26, Iran’s vice president announced that Internet access had started to be restored in the country after being cut off almost three months ago, following the launch of U.S. and Israeli attacks on February 28. Cloudflare Radar data confirms increased activity and indicates a partial restoration of the Internet in Iran. In this blog post, we’ll examine a range of data points that provide a lens into this prolonged shutdown – and the signs that Iran’s citizens are increasingly able to connect once again. As the situation continues to unfold, Radar will have the latest data on Iran’s connectivity . The first shutdown Iranian citizens have experienced two national Internet shutdowns this year. The first began on January 8 around 16:30 UTC (20:00 local time), and we explored the impact seen over the first few days in a blog post . Traffic from Iran remained near zero until January 21, when a small amount of traffic returned, only to disappear a little over 24 hours later. A similar brief restoration also occurred on January 25, before traffic recovered more fully beginning on January 27. The second shutdown In late February, as military strikes on Iran escalated, a second nationwide Internet shutdown began. That sweeping shutdown has persisted for nearly three months. The shutdown began on February 28. On that date, Cloudflare Radar observed a sharp drop in traffic from
I've been hard at work on a NEW phishing technique I'm excited to share. I'm calling it "Vaultjacking" and the impact is honestly a bit sobering. In my blog I demonstrate how a single AiTM landing page can spoof your Google passkey/password manager PIN and use that to access ALL of a victim's third-party credentials (yes, including passkeys). A simple phish on one site can lead to a total compromise of all Chrome-saved credentials.
Cybersecurity researchers have discovered a new malicious package on the npm registry that comes with information stealing capabilities. According to OX Security, the package, named "mouse5212-super-formatter," is designed to upload files from "/mnt/user-data," a dedicated directory used by Anthropic's Claude artificial intelligence (AI) tool to handle uploads and outputs in the background. The
Strong Active Directory passwords don't have to come at the expense of usability. Specops Software explains how passphrases, breached password protection, and self-service resets can improve security without frustrating users. [...]
A week after Dutch FIOD seized 800+ servers, the hosting network's ASN (AS209847) is still scanning at its normal daily rate
After FIOD seized 800+ servers and arrested two operators on May 18, the ELLIO research team reports that scanning from the network's ASN ranges has continued largely uninterrupted - and that while roughly a third of the recently-active ranges (including the legacy Stark blocks 94.131.105.0/24 and 92.118.232.0/24) have since been withdrawn from global routing, the surviving ranges under AS209847 (WorkTitans / THE.Hosting) are still announced and still scanning, at the network's normal daily rate. The sibling ASNs (AS213999 and the Moscow-based AS33993) remain routed and idle. The recent activity skews toward database and ICS/SCADA discovery = MongoDB, Redis, PostgreSQL, Oracle, LDAP, plus DNP3 and EtherNet/IP - alongside known-exploit probes like CVE-2017-17215 and WinRM.
When an employee installs an AI writing assistant, connects a coding copilot to their IDE, or starts summarizing meetings with a new browser tool, they are doing exactly what a productive employee should do: finding faster ways to work. Across most organizations today, employees are running three to five AI tools on any given day. Most were never reviewed by IT. A significant portion connects
The Glassworm botnet targeting developers in software supply-chain attacks has been disrupted after researchers took down its resilient command-and-control infrastructure relying on Solana blockchain transactions and the BitTorrent DHT network. [...]
The FBI warned on Tuesday that the Silent Ransom Group (SRG) extortion gang is now targeting U.S.-based law firms in in-person data theft attacks. [...]
CrowdStrike, in partnership with Google and the Shadowserver Foundation, has announced the simultaneous disruption of all command-and-control (C2) channels associated with GlassWorm, a persistent software chain campaign targeting software developers through malicious packages and extensions. "Since at least early 2025, GlassWorm operators have systematically targeted software developers, a
Threat Intel: Lithuania Investigates B2B Credential Misuse Exposing 600,000 National Registry Records
The Lithuanian Prosecutor General’s Office and the Criminal Police Bureau have initiated a joint investigation into a large-scale data exfiltration incident targeting the **State Enterprise Centre of Registers**. The incident involved the unauthorized copying of over 600,000 records from the country's national Real Estate and Legal Entities Registers. Rather than exploiting an unpatched software vulnerability, the attack mechanics rely on a classic trust-boundary compromise. **The Entry Vector: Cross-Agency Credential Misuse (MITRE T1078)** Forensic tracking indicates that the threat actors executed a series of unauthorized connections originating from foreign infrastructure. The entry vector relied on valid, high-privilege B2B institutional login credentials assigned to external state departments authorized to query the central registry database. Independent statements from legislative and defense officials suggest the specific access pathway was carved out by compromising authenticated accounts belonging to the **Department of Migration under the Ministry of the Interior**. By hijacking these valid inter-agency connection points, the threat actors bypassed perimeter barriers, allowing them to issue massive queries to the backend database without triggering immediate anomaly blocks. **Exfiltration Scope & Impact Profile** The breach was initially identified by internal monitoring in early April 2026, but public disclosure was delayed due to the ongoing criminal inquiry. The exfiltrated data schemas consist of: * Full legal names, dates of birth, and unique national identification numbers. * Registered physical addresses, corporate entity structures, and detailed cadastral/property registry extracts. The Centre of Registers has confirmed that primary consumer-facing vectors - such as telephone contact details, email addresses, bank account numbers, or raw cadastral measurement files - were not part of the exfiltrated datasets. The primary operational risk is tactical intelligence gathering. Security analysts have pointed out that bulk access to unlisted residential addresses linked to legal entities can be leveraged by foreign intelligence services for target profiling, spear-phishing orchestration, or coercion of state personnel, diplomats, and military figures. **Incident Response & Remediation** Following the identification of the unauthorized bulk queries, the Centre of Registers implemented the following controls: 1. Immediate revocation and blocking of all compromised inter-agency institutional accounts. 2. Mandatory credential rotation and strict query-volume throttling across all API and web self-service gateways linked to external state dependencies. 3. The director of the Centre of Registers, Adrijus Jusas, formally stepped down on May 25 following administrative scrutiny regarding legacy IT infrastructure and monitoring gaps. While independent defense officials note the incident matches the operational signatures of state-aligned hybrid surveillance operations, official attribution from the Prosecutor General's Office remains open.
Cybersecurity researchers have disclosed a security flaw in Gitea, an open-source, self-hosted platform for version control, that allows unauthenticated remote attackers to pull private container images from Gitea deployments without requiring an account, password, or other credentials. The vulnerability, tracked as CVE-2026-27771 (CVSS score: 8.2), affects all versions of Gitea prior to 1.26.2
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given U.S. federal agencies four days to secure their servers against a critical vulnerability in the LiteSpeed cPanel user-end plugin, which is actively being exploited in attacks. [...]
Microsoft has released the KB5089573 preview cumulative update for Windows 11 versions 25H2 and 24H2, which comes with 30 changes, including performance and reliability improvements. [...]
TL;DR: Visit https://sshlabs.compass-security.training to learn more about SSH security. Introduction SSH is a widely used protocol that provides secure access to remote systems. It enables encrypted communication, file transfers, command execution and shell access for system administration. However, when misconfigured, poorly secured or used in an unsafe way, SSH can become an attack vector for attackers. When we perform Linux hardening or infrastructure reviews , we often see that SSH is not used securel
Tuesday, May 26
The Iranian hacking group known as MuddyWater has been linked to a new campaign affecting at least nine organizations across nine countries on four continents in the first quarter of 2026. The activity targeted industrial and electronics manufacturing, education and public-sector bodies, financial services, and professional services, per the Threat Hunter Team from Symantec and Carbon Black.
Encrypted DNS in 2026: DoH, DoT, DoQ and DoH3 protocol comparison — including DNS hijacking attack vectors and what each protocol actually prevents
The security angle on encrypted DNS is often oversimplified. DoH prevents ISP-level snooping and basic DNS hijacking, but doesn't protect against a compromised resolver. DoT is easier to detect and block, which has real implications for threat actors trying to exfiltrate via DNS. DoQ is interesting from a security perspective because QUIC's connection ID migration makes traffic correlation harder. Article includes benchmark data and practical server config — but mostly written for the "which threat model does each protocol address" question.
I published a technical write-up on an old OLX account takeover issue. The core bug was an OTP correctness leak inside the rate-limit state. After repeated invalid OTP attempts, the application showed a lockout message. However, blocked submissions did not become response-equivalent. Invalid codes during lockout still produced the invalid-code signal. The valid code during lockout removed that signal while keeping the lockout message. That made the lockout state act as an oracle for whether the OTP was correct. The broader impact came from reuse of the verification flow across account paths, including recovery/reset-style flows, plus weak session revocation behavior after password change. The write-up focuses on the response-difference behavior, why the validity window mattered, how the issue escalated to account takeover, and why lockout states must stop leaking success/failure information.
There is no excerpt because this is a protected post. The post Protected: The State of AI Risk Management in 2026 appeared first on Heimdal Security Blog .
AI governance requires visibility into how AI tools interact with enterprise data. Varonis explains how its Atlas platform uses Claude Compliance API data to help monitor usage, investigate risk, and support compliance. [...]
SonicWall MFA bypasses are the kind of vulnerabilities that make defenders uncomfortable because they undermine one of the controls organizations trust most. When remote access infrastructure starts failing at the authentication layer, exposure scales very quickly.
Microsoft is testing a new Defender for Endpoint capability that will automatically isolate compromised endpoints to thwart attackers' attempts to move laterally across the network. [...]
Microsoft has rolled out updates to fix a remote code execution vulnerability impacting SharePoint that could be exploited by bad actors in attacks without requiring any specialized conditions to be met. The vulnerability, tracked as CVE-2026-45659, carries a CVSS score of 8.8. It has been assigned an important severity. "Deserialization of untrusted data in Microsoft Office SharePoint allows
Multi-factor authentication (MFA) was supposed to close a critical gap in identity security. It meant that, even if an attacker possessed the account credentials, they couldn't log in without the second factor. While that logic was sound, attackers have now figured out that they don't need to steal the second factor: they just need the user to hand it over. If your workforce authenticates with
As Americans stew over the looming risk of job-stealing AI and data centers in their back yards, the feds are raising the alarm about a new category of threat, documents obtained by WIRED show.
The Indian Computer Emergency Response Team (CERT-In) has issued new guidelines requiring organizations to patch critical security vulnerabilities in internet-exposed systems within 12 hours of being flagged where "feasible" to safeguard against potential threats stemming from threat actors' abuse of artificial intelligence (AI) tools and large language models (LLMs) to automate vulnerability
The Iranian state-sponsored threat actor known as Nimbus Manticore (aka Screening Serpens and UNC1549) has been attributed to a fresh campaign using lures impersonating organizations in the aviation and software sectors across the U.S., Europe, and the Middle East following the joint U.S.-Israeli military campaign against the country in late February 2026. The activity, besides embracing
Monday, May 25
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite Today, we welcome the 45th government onboarded to Have I Been Pwned’s free gov service: Bhutan. The Bhutan Computer Incident Response Team, BtCIRT, now has access to monitor Bhutanese government domains against the data in HIBP. As Bhutan’s national CIRT, BtCIRT is responsible for consuming threat intelligence and sharing relevant insights with its constituents, helping identify and respond to cyber risks affecting government services and the people who depend on them. This is exactly the sort of organisation the HIBP government service was built to support: national cybersecurity teams using breach data to identify leaked credentials and compromised databases associated with their government domains. BtCIRT now joins the growing list of national CIRTs and government cybersecurity teams using HIBP to better understand their exposure, respond quickly when new breaches appear, and reduce the risk posed by compromised credentials before attackers can take advantage.
Ciaran Martin says Reform UK leader’s allegation over Guardian report on £5m gift ‘entirely unsubstantiated’ Nigel Farage’s claim that a Russian hack was behind a Guardian report on the £5m gift he received from a crypto billionaire has been described as “without any merit” by a former head of the National Cyber Security Centre. Ciaran Martin, founding chief executive of the agency, which is part of GCHQ, said Farage’s allegation, if true, would have major implications for UK policy towards Russia but that the Reform UK leader had yet to provide “a shred of evidence”. Continue reading...
Authorities in the Netherlands have arrested the co-owners of two related Internet hosting companies for operating IT infrastructure used by Russia to carry out cyberattacks, influence operations and disinformation campaigns inside the European Union. The two men were the focus of a 2025 KrebsOnSecurity story about how their hosting companies had assumed control over the technical infrastructure of Stark Industries Solutions , an Internet service provider sanctioned last year by the EU as a frequent staging ground for cyber mischief from Russia’s intelligence agencies. An investigator with the Tax Intelligence and Investigation Service (FIOD), the Dutch financial crimes agency, during the raid. Image: FIOD. The Dutch daily news outlet de Volkskrant reports that the Dutch financial crime agency FIOD on May 18 arrested a 57-year-old from Amsterdam and a 39-year-old from The Hague, charging them with violating sanctions law by directly or indirectly making economic resources available to EU-sanctioned ent
Threat actors are exploiting a recently disclosed critical security flaw in Ghost CMS to inject malicious JavaScript code with an aim to fuel ClickFix attacks. According to QiAnXin XLab, the activity involves the exploitation of CVE-2026-26980 (CVSS score: 9.4), an SQL injection vulnerability in Ghost's Content API that could allow an unauthenticated attacker to read arbitrary data from the
Ask a cybersecurity pro about Network Detection and Response (NDR) and you might still hear "Noisy," "Too much data." But ask the teams running NDR that includes agentic AI capabilities and you'll hear they're actually using it to catch threats earlier, triage faster, and chase fewer false positives. The old complaint lingers in part because reputations are sticky, and because NDR has evolved
As attackers ramp up their AI exploit development, the search for software vulnerabilities is changing rapidly.
Cybersecurity researchers have shed light on a cross-platform malware called RemotePE that has been put to use by the North Korea-linked Lazarus Group in attacks targeting financial and cryptocurrency organizations. RemotePE, per NCC Group subsidiary Fox-IT, is part of a multi-stage attack chain that involves two loaders tracked as DPAPILoader and RemotePELoader. "DPAPILoader decrypts and
To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.
Sunday, May 24
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite Well, that didn't last long! Recording this on Saturday morning my time, I observed ShinyHunters having gone quiet since the massive haul that would have been the Instructure ransom. It was two weeks almost to the hour since I'd first heard rumour of payment being made, and I posited that groups like this often go quiet after they feel the heat, only to emerge shortly after, the drug that is hacking being too strong to ignore. Anyway, here we now are: ShinyHunters Claims 3 New Victims https://t.co/v8Wf457Gbp : U.S.-based dental benefits administrator and oral health company. Charter Communications, Inc.: U.S. telecommunications and cable company best known for Spectrum internet, TV, mobile, and phone services. … pic.twitter.com/epWcVVGRHa — Dark Web Informer (@DarkWebInformer) May 22, 2026 DentaQuest has since been removed, but their website is currently returning "Access Denied", which isn't a great look. Obviously, the broken website doesn&apos
Saturday, May 23
Plus: Google publishes a live exploit for an unpatched flaw, the feds arrest two men accused of creating thousands of nonconsensual deepfake nudes, and more.
Friday, May 22
Just added an interactive security map to my project NoEyes showing exactly what the server sees (and doesn't)
repo : [https://github.com/Ymsniper/NoEyes](https://github.com/Ymsniper/NoEyes)
Lawmakers in both houses of Congress are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) after KrebsOnSecurity reported this week that a CISA contractor intentionally published AWS GovCloud keys and a vast trove of other agency secrets on a public GitHub account. The inquiry comes as CISA is still struggling to contain the breach and invalidate the leaked credentials. On May 18, KrebsOnSecurity reported that a CISA contractor with administrative access to the agency’s code development platform had created a public GitHub profile called “ Private-CISA ” that included plaintext credentials to dozens of internal CISA systems. Experts who reviewed the exposed secrets said the commit logs for the code repository showed the CISA contractor disabled GitHub’s built-in protection against publishing sensitive credentials in public repos. CISA acknowledged the leak but has not responded to questions about the duration of the data exposure. However, experts who reviewed the now-defunct Private-CISA archive said it was originally created in November 2025, and that it exhibits a pattern consistent with an individual operator using the repository as a working scratchpad o
Harvard and \~140 other compromised legitimate sites are now spreading ClickFix malware. hxxps://hir.harvard.edu/israel-and-international-football-a-breaking-point/ hxxps://hir.harvard.edu/a-better-way-forward-an-interview-with-paul-ryan/ Both contain a remote load script in it's HTML that reverses it's C2 `sj.ssc/ipa/orp.eralfduolccitats` to original form and then displays the ClickFix box from it. C2: hxxps://staticcloudflare.pro AnyRun identifies the loading pattern well: * [https://app.any.run/tasks/2ac73567-8bdf-41b0-999e-08057deb3dd3](https://app.any.run/tasks/2ac73567-8bdf-41b0-999e-08057deb3dd3) * [https://app.any.run/tasks/8362c5f5-11ab-4b34-b7a5-8e2fb2d6355c](https://app.any.run/tasks/8362c5f5-11ab-4b34-b7a5-8e2fb2d6355c) Sandbox detonation of one of the ClickFix payloads: [https://app.any.run/tasks/bf4b5c8d-f76d-4398-b465-9a1d8ec899bb](https://app.any.run/tasks/bf4b5c8d-f76d-4398-b465-9a1d8ec899bb) Original post and more discovered compromised URL's: [https://x.com/rifteyy/status/2057842147630411877](https://x.com/rifteyy/status/2057842147630411877)
"When performing security assessments on HTTP-based applications, whether web, mobile, APIs, or thick clients, the standard workflow is straightforward: put Burp Suite in the middle, and you’re good to go. Most of the time, that’s all you need. Every now and then, though, you run into a small but significant class of applications where that workflow breaks down. Custom protocols, payload encryption, request signatures, replay protection, non-standard encoding, these are the scenarios where you can no longer work manually the way you’re used to, and where Burp’s automated tools (Intruder, Scanner) stop being useful because they’re operating on data they can’t meaningfully read or modify. In this talk I took one of these complexities as example, additional payload encryption**,** and used it as a vehicle to explore advanced approaches based on **custom Burp extensions** to restore full testability: working manually in Proxy and Repeater, running automated tools like Intruder and Scanner, and even driving external tools like SQLMap through Burp, all as if the complexity simply weren’t there."
Authors: Yun Zheng Hu and Mick Koomen Summary Last year, we published research
In March 2026, attackers exploited a pull_request_target misconfiguration in the aquasecurity/trivy-action GitHub Action to exfiltrate organization and repository secrets, then used those credentials to backdoor LiteLLM on PyPI (see Trivy’s post-mortem for the full timeline). zizmor is a static analyzer that GitHub Actions users run to catch exactly these misconfigurations before they ship. When GitHub Actions added support for YAML anchors in September 2025, a small but high-value slice of the ecosystem started writing workflows that zizmor could only analyze on a best-effort basis. Over the past three months, Trail of Bits collaborated with the zizmor maintainers to bring zizmor ’s anchor support up to full coverage. First, we fixed parsing bugs that caused crashes, produced wrong-location findings, and silently mishandled aliased values. Second, we surfaced deserialization edge cases that broke zizmor on otherwise valid workflows. Finally, we helped align zizmor ’s expression evaluator with GitHub’s own Known Answer Tests . We validated all of this against a new corpus of 41,253 workflows from 6,612 high-value open-source repositories. The result: 20 filed issues, 15 merged pull requests. Building the test corpus To u
GreyNoise compared 119,842 malicious IPs against 11 major threat feeds. The average coverage: just 2%, exposing the limits of static blocklists.
Thursday, May 21
Canadian authorities on Wednesday arrested a 23-year-old Ottawa man on suspicion of building and operating Kimwolf , a fast spreading Internet-of-Things botnet that enslaved millions of devices for use in a series of massive distributed denial-of-service (DDoS) attacks over the past six months. KrebsOnSecurity publicly named the suspect in February 2026 after the accused launched a volley of DDoS, doxing and swatting campaigns against this author and a security researcher. He now faces criminal hacking charges in both Canada and the United States. A criminal complaint unsealed today in an Alaska district court charges Jacob Butler , a.k.a. “ Dort ,” of Ottawa, Canada with operating the Kimwolf DDoS botnet. A statement from the Department of Justice says the complaint against Butler was unsealed following the defendant’s arrest in Canada by the Ontario Provincial Police pursuant to a U.S. extradition warrant. Butler is currently in Canadian custody awaiting an initial court hearing scheduled for early next week. The government said Kimwolf targeted infected devices which were traditionally “firewalled” from the rest of the internet, such as digital photo frames and web cameras. The infected systems were then rented to other cybercriminals, or forced to participate in record-smashing DDoS attacks, as well as assaults that affected Internet address ranges for the Department of Defense . Consequently, the DoD’s Defense Criminal Investigative Service is investigating the case, with assistance from the FBI field office in Anchorage. “KimWolf was tied to DDoS attacks which were measured at nearly 30 Terabits per second, a record in recorded DDoS attack volume,R
Three firms will pay nearly $1 million for selling “Active Listening” technology that they claimed tapped people’s phones for advertising. The FTC alleges the “tech” was just pricey email lists.
How TeamPCP's Python Toolkit Survives a C2 Takedown: FIRESCALE, GitHub, and the Victim's Own Account
Researchers tore apart the second-stage Python toolkit used in the Mini Shai-Hulud supply chain campaign. The delivery via trojanized npm/PyPI packages got coverage elsewhere. This goes deeper into what actually runs on the machine after. 13 modules, parallel execution, 90+ credential targets. Here's what stood out: * FIRESCALE is a dead-drop resolver that queries GitHub's commit search API globally looking for a signed backup C2 address. The RSA public key is embedded in the malware. No attacker repo to take down, the redirect can come from any account * When both C2 paths fail, the malware creates a public repo under the victim's own GitHub account and commits the credential harvest there. Operator retrieves it via public API, no auth required * The AWS module covers all 19 regions including both GovCloud partitions, restricted to US government and defense contractors * Kubernetes certs loaded entirely in kernel memory via memfd\_create. Nothing hits disk * Geopolitical wiper targets Israeli/Iranian systems with a 1-in-6 probability gate, specifically designed to evade single-run sandbox analysis