Microsoft has disclosed details of a large-scale credential theft campaign that has leveraged a combination of code of conduct-themed lures and legitimate email services to direct users to attacker-controlled domains and steal authentication tokens. The multi-stage campaign, observed between April 14 and 16, 2026, targeted more than 35,000 users across over 13,000 organizations in 26 countries,
Cybersecurity News and Vulnerability Aggregator
Cybersecurity news aggregator
Updated: 5:41 pm
J/K Navigate / Search S Save V Open Link
— or
treemd <(curl -sL https://allsec.sh/md) (as Markdown) Top Cybersecurity Stories Today
While the software industry has made genuine strides over the past few decades to deliver products securely, the furious pace of AI adoption is putting that progress at risk. Businesses are moving fast to self-host LLM infrastructure, drawn by the promise of AI as a force multiplier and the pressure to deliver more value faster. But speed is coming at the expense of security. In the wake of the
Progress Software has released updates to address two security flaws in MOVEit Automation, including a critical bug that could result in an authentication bypass. MOVEit Automation (formerly Central) is a secure, server-based managed file transfer (MFT) solution used to schedule and automate file movement workflows in enterprise environments without requiring any custom scripts. The
A newly identified supply chain attack targeting DAEMON Tools software has compromised its installers to serve a malicious payload, according to findings from Kaspersky. "These installers are distributed from the legitimate website of DAEMON Tools and are signed with digital certificates belonging to DAEMON Tools developers," Kaspersky researchers Igor Kuznetsov, Georgy Kucherin, Leonid
Researchers dropped a reliable root exploit and it didn’t sit idle for long CISA is warning that a newly-disclosed Linux kernel bug dubbed "CopyFail" is already being exploited, just days after researchers dropped a working root-level exploit.…
Latest
Tuesday, May 5
A 23-year-old university student in Taiwan was arrested for interfering with the TETRA communication system used by the country's high-speed railway network (THSR). [...]
If you are tracking Iranian-nexus activity in the Middle East, this one is worth your time. [Hunt.io](https://hunt.io)'s AttackCapture flagged an open directory on a UAE-hosted VPS that turned out to be a full active C2 environment tied to an intrusion against Oman's government. Toolkit, session logs, and exfiltrated data all exposed. * 12 ministries targeted, 26,000+ citizen records pulled from the Ministry of Justice along with judicial case data and SAM/SYSTEM registry hives * Custom ASPX webshells, six-version Python C2, GodPotato privilege escalation, Chisel tunneling, 50+ exploitation scripts covering ProxyShell, DNN SSRF, and national ID IDOR vulnerabilities * TTPs overlap with known MOIS-linked clusters, full analysis in the post Full post and IOCs: [https://hunt.io/blog/iranian-nexus-oman-government-intrusion](https://hunt.io/blog/iranian-nexus-oman-government-intrusion)
We wrote a guide on securing Claude across the enterprise — here's the core framework (with download)
Hey all - Mike from Airia here. Wanted to share something we put together that I think will resonate with this community, especially those managing AI tool sprawl right now. The core problem we kept hearing from enterprise IT and security teams: Claude is already being used across their orgs, through personal subscriptions, browser extensions, Claude Code, third-party integrations, often entirely outside of sanctioned IT channels. Classic shadow AI, but with a twist: the risk isn't just the app, it's the sensitive data employees are feeding into it. The instinct is to block it. But blocking Claude just moves usage underground and eliminates the visibility you actually need to manage risk. We put together a guide specifically for IT leaders that walks through: * How to discover where Claude is being accessed (web, native apps, CLI, integrations) * Why each surface needs a different control approach * How to balance real-time controls (browser extensions) vs. retrospective monitoring (Compliance API) * Building a governance framework that's actually sustainable as Claude keeps evolving It's a free download -- our marketing team put a gate on it, but if you don't want to fill out the form, DM us and i'll send it to you personally. Looking for any feedback you may have. Thanks.
The Apache Software Foundation (ASF) has released security updates to address several security vulnerabilities in the HTTP Server, including a severe vulnerability that could potentially lead to remote code execution (RCE). The vulnerability, tracked as CVE-2026-23918 (CVSS score: 8.8), has been described as a case of "double free and possible RCE" in the HTTP/2 protocol handling. This issue
A newly identified supply chain attack targeting DAEMON Tools software has compromised its installers to serve a malicious payload, according to findings from Kaspersky. "These installers are distributed from the legitimate website of DAEMON Tools and are signed with digital certificates belonging to DAEMON Tools developers," Kaspersky researchers Igor Kuznetsov, Georgy Kucherin, Leonid
Open-source scanner for MCP servers and skill files : attack chain detection and server-card scanning
If you are running MCP servers or loading skill files into your agents, you might want to run this before connecting. Bawbel Scanner v1.1.0 scans MCP server manifests, SKILL.md files, and system prompts for known attack patterns mapped to 45 published vulnerability records. The two things most relevant to local LLM setups: bawbel ssc fetches .well-known/mcp.json from any MCP server and scans the tool descriptions for injection patterns before you connect. A lot of public MCP servers have behavioral instructions embedded in tool descriptions that your agent will follow automatically. The scanner flags these before you add the server to your config. bawbel conform scores the server manifest against the MCP spec. Most servers in the wild are missing required fields, using deprecated transports, or have tool names that do not conform to the spec. The scorer gives you a grade (A+ to F) and lists exactly what to fix. Install: pip install "bawbel-scanner[all]" bawbel ssc https://your-mcp-server.com bawbel conform https://your-mcp-server.com Free threat intel API at api.piranha.bawbel.io if you want to query the full AVE records programmatically. GitHub: github.com/bawbel/bawbel-scanner
The majority of widely used AI clients like: * Claude Code * Claude Desktop * Cursor * LibreChat * Amazon Q CLI have not implemented the critical refresh-token flow of the OAuth standard. This is forcing developers to issue long lived tokens creating a serious security regression in an already solved problem. This write up includes a matrix table of 14 major clients with notes linking to feature requests, pull requests, and multiple forum discussions. It is not all gloom and doom though! There is a work-around solution that security conscious users are using as a stop-gap also discussed, along with a best practices guide for developers implementing their own MCP OAuth Solution. The plan is to update this reference on a monthly basis to track if there is any movement on this open requests.
EMBA v2.0.1 with interactive firmware dependency map available - Check it out and let us know what you are missing
Researchers dropped a reliable root exploit and it didn’t sit idle for long CISA is warning that a newly-disclosed Linux kernel bug dubbed "CopyFail" is already being exploited, just days after researchers dropped a working root-level exploit.…
The FTC will ban data broker Kochava and its subsidiary, Collective Data Solutions (CDS), from selling location data without consumers' explicit consent to settle charges alleging that it sold precise geolocation data collected from hundreds of millions of mobile devices. [...]
A sophisticated China-nexus advanced persistent threat (APT) group has been attributed to attacks targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025. The activity is being tracked by Cisco Talos under the moniker UAT-8302, with post-exploitation involving the deployment of custom-made malware families that have been put
Critical vulnerabilities can exist in open source software your scanners don't check. HeroDevs reveals how EOL software creates blind spots in CVE feeds and SCA tools, and how you can receive a free end-of-life scan for your projects. [...]
EU AI Act high-risk obligations land August 2026. I built [aiactdirectory.com](http://aiactdirectory.com) as an independent (no pay-to-rank) directory of governance, risk, monitoring, audit, and bias-testing vendors. 187 vendors curated across 10 categories. Mapped against EU AI Act, NIST AI RMF, ISO 42001, plus GDPR-AI overlap. What I'm trying to figure out as a CISO/security buyer: \- Which categories are most useful for procurement \- Which vendors are obvious gaps (the data was scraped + LLM-categorized + manually cleaned, so I'm sure I'm missing names) \- Whether you'd actually use it before going to G2 or Gartner Built solo, no funding, no spam. Just trying to make the landscape easier to navigate. Direct: [aiactdirectory.com](http://aiactdirectory.com)
Cushman & Wakefield activated incident response protocols after serial extortionists issued separate threats Real estate giant Cushman & Wakefield has confirmed a data breach after two cybercrime groups, ShinyHunters and Qilin, separately claimed responsibility for attacks on the company.…
The ShinyHunters extortion gang stole personal information belonging to over 119,000 people after hacking the Vimeo online video platform in April, according to data breach notification service Have I Been Pwned. [...]
Topic of this article: Burp AI.
Vimeo points finger at analytics supplier Anodot, says no logins or card data were touched More than 119,000 Vimeo users's email addresses were extracted in a breach traced to a third-party analytics vendor, according to Have I Been Pwned.…
IOCX v0.7.1 — robustness update focused on malformed PEs, hostile strings, and static‑analysis hardening
Pushed a new IOCX release (v0.7.1) that’s aimed at making the engine much harder to break during static analysis. The focus was adversarial behaviour: malformed binaries, corrupted PE structures, and intentionally hostile IOC‑like strings. If you work with weird samples, tooling pipelines, or large‑scale triage, this release makes IOCX more robust under hostile conditions. **New PE structural heuristics** Six new checks added to catch structural anomalies without blowing up the parser: * overlapping/misaligned sections * inconsistent optional headers (PE32 & PE32+) * broken entrypoint mappings * corrupted data directories * malformed import tables * general PE layout inconsistencies These aren’t detections — they’re deterministic, reason‑coded structural signals to keep analysis stable. **Expanded adversarial PE corpus** Added a full suite of malformed and corrupted PEs, including: * broken RVAs / invalid addressing * truncated Rich headers * fake UPX names + packed‑lookalikes * PE32/PE32+ hybrids * “franken‑PEs” combining multiple faults All outputs are snapshot‑validated to guarantee deterministic behaviour. **Adversarial coverage across all IOC categories** New hostile string fixtures now stress every extractor: * homoglyph + mixed‑script domains * malformed URLs and schemes * broken IPv4/IPv6 * noisy or near‑miss hashes * invalid Base64 * adversarial crypto strings (incl. Base58Check) * long/invalid Windows paths * malformed emails The goal: keep extraction predictable even when the input is intentionally messy. **Parser & extractor hardening** * stable on malformed PE structures * structured, JSON‑safe error metadata * improved domain/URL/crypto/hash extractors * deterministic output across platforms **Links** GitHub: [https://github.com/iocx-dev/iocx](https://github.com/iocx-dev/iocx) PyPI: [https://pypi.org/project/iocx/](https://pypi.org/project/iocx/) **Example** `pip install iocx` `iocx suspicious.exe -a full` If you’re doing malware triage, static analysis, or building automated pipelines that need predictable IOC extraction, v0.7.1 should be a noticeable stability bump. Happy to discuss edge cases or weird samples people want covered next.
Every AI tool, workflow automation, and productivity app your employees connected to Google or Microsoft this year left something behind: a persistent OAuth token with no expiration date, no automatic cleanup, and in most organizations, no one watching it. Your perimeter controls don't see it. Your MFA doesn't stop it. And when an attacker gets hold of one, they don't need a password. OAuth
Threat actors are actively exploiting a critical security flaw impacting an open-source content management system (CMS) known as MetInfo, according to new findings from VulnCheck. The vulnerability in question is CVE-2026-29014 (CVSS score: 9.8), a code injection flaw that could result in arbitrary code execution. "MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code
Victims losing £280K a day to fake profiles and sob stories Romance fraudsters scammed Britons out of £102 million ($138 million) last year, according to the latest police figures.…
Google overhauls its Android and Chrome vulnerability rewards programs, offering bounties of up to $1.5 million for the most difficult exploits while scaling back payouts for flaws that artificial intelligence (AI) has made easier to find. [...]
We recently added a C/C++ security checklist to the Testing Handbook and challenged readers to spot the bugs in two code samples : a deceptively simple Linux ping program and a Windows driver registry handler. If you found the inet_ntoa global buffer gotcha or the missing RTL_QUERY_REGISTRY_TYPECHECK flag, nice work. If not, here’s a full walkthrough of both challenges, plus a deep dive into how the Windows registry type confusion escalates from a local denial of service to a kernel write primitive. Since we first released the new C/C++ security checklist, we also developed a new Claude skill, c-review . It turns the checklist into bug-finding prompts that an LLM can run against a codebase. It’s also platform and threat-model aware. Run these commands to install the skill: claude skills add-marketplace https://github.com/trailofbits/skills claude skills enable c-review --marketplace trailofbits/skills The Linux ping program challenge The Linux warmup challenge we showed you in the last blog post has an obvious command injection issue. #include <stdio.h> #include <s
While the software industry has made genuine strides over the past few decades to deliver products securely, the furious pace of AI adoption is putting that progress at risk. Businesses are moving fast to self-host LLM infrastructure, drawn by the promise of AI as a force multiplier and the pressure to deliver more value faster. But speed is coming at the expense of security. In the wake of the
A Latvian national extradited to the United States was sentenced to 8.5 years in prison for his "cold case" negotiator role in the Russian Karakurt ransomware group. [...]
A new version of the CloudZ remote access tool (RAT) is deploying a previously unseen malicious plugin called Pheno that hijacks the Microsoft Phone Link connection to steal sensitive codes from mobile devices. [...]
Healthcare giant's maintainers handed May deadline to enact the change The UK's National Health Service (NHS) is ordering all of its technology leaders to temporarily wall off the organization's open source projects over concerns relating to advanced AI and Anthropic's Mythos.…
I built a 100% browser-only EXIF viewer + metadata remover + image-forensics lab — no upload, no account, free
I've been working on this for the last few months and just wanted to share. It's a free browser-based tool for inspecting and removing metadata from photos, videos, audio, PDFs and Office documents — and it has a small image-forensics lab built in. Live: [https://midgardmud.de/tools/exif/](https://midgardmud.de/tools/exif/) Why I built it: every other "EXIF remover" online asks you to upload your private files to a server. That's the opposite of privacy. So I wrote one that runs 100% in the browser via the File API — your file never leaves your device. F12 → Network tab → drop a 50 MB photo → you'll see zero outbound requests. What it does: • Strips metadata from JPG/PNG/WebP/GIF/HEIC/TIFF, MP4/MOV/MKV/WebM/AVI, MP3/FLAC/OGG/WAV, PDF, DOCX/XLSX/PPTX • Privacy Risk Score 0–100 with per-file breakdown so you see what's actually leaking • 4 one-click privacy profiles (Anonymous / Social-safe / Keep camera / GPS-only) • Forensics: ELA, JPEG-Ghost re-save heatmap, DQT compression fingerprint, Noise + CFA/Bayer pattern (defensible alternative to AI-image detectors), Copy-Move clone detection, embedded-thumbnail audit, RGB histogram, hex viewer, structure inspector • SHA-256 + perceptual hash (pHash) per file • ExifTool-compatible JSON export • Per-tag EXIF editor + GPS spoofing for JPEG • C2PA self-signed Content Credentials • Works fully offline as a PWA after first visit • 19 languages Stack: vanilla JS, no framework, no build step, \~12k lines. libheif WASM lazy-loaded for HEIC. Web Worker for big videos so the UI stays responsive. Happy to answer anything about how the parsers work, why I avoided React, or how the JPEG-Ghost / Copy-Move detection is implemented. Feedback very welcome.
The North Korea-aligned state-sponsored hacking group known as ScarCruft has compromised a video game platform in a supply chain espionage attack, trojanizing its components with a backdoor called BirdCallto likely target ethnic Koreans residing in China. While prior versions of the backdoor have primarily targeted Windows users only, the supply chain attack is assessed to have enabled the
A critical security vulnerability in Weaver (Fanwei) E-cology, an enterprise office automation (OA) and collaboration platform, has come under active exploitation in the wild. The vulnerability (CVE-2026-22679, CVSS score: 9.8) relates to a case of unauthenticated remote code execution affecting Weaver E-cology 10.0 versions prior to 20260312. The issue resides in the "/papi/esearch/data/devops/
Microsoft has disclosed details of a large-scale credential theft campaign that has leveraged a combination of code of conduct-themed lures and legitimate email services to direct users to attacker-controlled domains and steal authentication tokens. The multi-stage campaign, observed between April 14 and 16, 2026, targeted more than 35,000 users across over 13,000 organizations in 26 countries,
Vendors all use different formats. This tech translates them all so you can smooth your SOC Academics from Singapore and China have found a way to make AI useful for cyber-defenders, by creating a technique that translates rules from diverse Security Information and Event Managements (SIEMs) so they’re easier to consume across multiple systems.…
Monday, May 4
The Model We’ve Relied on Is Starting to Break Over the past 20 years, I’ve seen the threat landscape evolve from opportunistic attackers, to organized cybercrime, to nation-state campaigns. Each shift forced security teams to adapt. What’s happening right now is different. AI models coming out of Anthropic, OpenAI, Google, and X are rewriting the […] The post Sara AI Pentesting Is Now Generally Available: The Model Is Changing appeared first on Synack .
46% say age checks are easy to bypass, and nearly a third admit getting around them It’s been months since the UK government began requiring stronger age checks under the Online Safety Act, and recent research suggests those measures are falling short of keeping kids away from harmful content. In some cases, even drawing on a mustache has been reported as enough to fool age detection software.…
The Amazon Simple Email Service (SES) is being increasingly abused, a cybersecurity company's telemetry data shows, to send convincing phishing emails that can bypass standard security filters and render reputation-based blocks ineffective. [...]
A malicious version of the PyTorch Lightning package published on the Python Package Index (PyPI) delivers a credential-stealing payload targeting browsers, environment files, and cloud services. [...]
Key Takeaways Over the past year, the conversation in security has changed faster than most programs have. AI is compressing attacker timelines. Environments are changing daily rather than quarterly. And the model most enterprises still rely on to validate security—periodic penetration testing—is starting to break under the weight of both. The real question isn’t whether […] The post The Shift to Continuous Security Validation: Why Detection Is No Longer Enough appeared first on Synack .
Progress Software has released updates to address two security flaws in MOVEit Automation, including a critical bug that could result in an authentication bypass. MOVEit Automation (formerly Central) is a secure, server-based managed file transfer (MFT) solution used to schedule and automate file movement workflows in enterprise environments without requiring any custom scripts. The
A law firm instructed my first forensic analysis of an LLM system, I've written up some of my methodology
I have worked for about 10 years in cybersecurity, mostly in Incident Response, but I've done a fair bit of forensic work and expert witness cases within that. A year ago I left my old firm to go down the independent consultancy route, and still trying to figure out exactly what I'm doing. A couple months ago a law firm I used to work with reached out recently. Short story is that an LLM agent made a mistake for their client which became litigious. The client firm claimed they had addressed the original issue, but the law firm requested an expert opinion on: a) the root causes of the original issue b) an assessment on whether this could re-occur / validation of the fix This might not fall strictly within the confines of "computerforensics", so apologies if it's slightly off topic. But I figured there could be some practitioners here who might be interested in the methodology. I basically used three techniques to model the differences in generated output between the "bad" model and the fixed "good" model, then commented on the deviations. I don't think this is a huge market right now. But I do see that there are insurance companies starting to underwrite AI risk, so it's possible we could be seeing more of this work over the next few years. I've written up my full approach here: [https://www.analystengine.io/insights/how-to-forensically-analyse-llm-alignment-drift-and-hallucination](https://www.analystengine.io/insights/how-to-forensically-analyse-llm-alignment-drift-and-hallucination) Would be really interested to hear if anyone is doing any similar work lately.
'If you don't have visibility, you can't understand what to protect' When it comes to securing enterprise supply chains, now heavily infused with AI applications and agents, a software bill of materials (SBOM) no longer provides a complete inventory of all the components in the environment. Enter AI-BOMs.…
Using a 1930s trade law, Homeland Security targeted the man—who hasn’t entered the US in more than a decade—following posts on X condemning the killings of Renee Good and Alex Pretti.
This week, the shadows moved faster than the patches. While most teams were still triaging last month’s alerts, attackers had already turned control panels into kill switches, kernels into open doors, and open-source pipelines into silent delivery systems. The game has shifted from breach to occupation. They’re living inside SaaS sessions, pushing code with trusted commits, and scaling
Fraudsters aren't hacking credit unions, they are exploiting normal business processes. Flare reveals how structured loan fraud methods use stolen identities to pass verification and secure funds. [...]
On December 4, 2025, a 17-year-old was arrested in Osaka under Japan’s Unauthorized Access Prohibition Act. The young man had run malicious code to extract the personal data of over 7 million users of Kaikatsu Club, Japan's largest internet cafe chain. When asked, the young man shared his motivation for the hack: he wanted to buy Pokémon cards. In a sense, this is a fairly conventional story.
The China-based cybercrime group known as Silver Fox (aka Monarch, SwimSnake, The Great Thief of Valley, UTG-Q-1000, and Void Arachne) has been linked to a new campaign targeting organizations in Russia and India with a new malware called ABCDoor. The activity involved using phishing emails that mimic correspondence from the Income Tax Department of India in December 2025, followed by a similar
VanGuard — open-source single-binary DFIR toolkit (Velociraptor, Hayabusa, Chainsaw, Loki, YARA) with TUI, air-gap support, and 28 pre-built use cases
We just open-sourced **VanGuard** — a self-contained IR toolkit that bundles Velociraptor, Hayabusa, Chainsaw, Loki, and YARA into a single binary with a terminal UI. Built it because we were tired of the 45-minute tooling setup at the start of every engagement. Download KAPE, remember the flags, set up Velociraptor, manually hash evidence, and track the chain of custody in a spreadsheet. What it does: * Quick triage (20+ Windows, 15+ Linux artifact categories using native commands) * Velociraptor server lifecycle + agent deployment from the TUI * Threat hunting with Hayabusa, Chainsaw, Loki, YARA + live anomaly detection * Memory capture + Volatility 3 analysis * 28 pre-built use cases (ransomware, BEC, credential theft, lateral movement, rootkits) with MITRE ATT&CK mapping * Evidence dual-hashed (MD5 + SHA256), HMAC chain of custody * Runs from USB, works fully offline Cross-platform (Windows + Linux), Apache 2.0, no dependencies. GitHub: [https://github.com/ridgelinecyberdefence/vanguard](https://github.com/ridgelinecyberdefence/vanguard) It's provided as-is — every environment is different, especially with remote ops (WinRM/SSH auth varies by config). Test in a lab first. Issues and suggestions welcome on GitHub.
Even limited voter rolls can be linked to identify people, research shows Your voter data could be used against you. A foreign intelligence service that wished to identify the family members of deployed military personnel could do so by cross-referencing public voter record data and social media posts.…
To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.
A coordinated international operation involving U.S. and Chinese authorities has arrested at least 276 suspects and shut down nine scam centers used for cryptocurrency investment fraud schemes targeting Americans, resulting in millions of dollars in losses. The crackdown was led by the Dubai Police, under the United Arab Emirates (UAE) Ministry of Interior, in partnership with the U.S. Federal
Prioritize resilience over productivity, say CISA, NCSC and their friends from Oz, NZ, Canada Information security agencies from the nations of the Five Eyes security alliance have co-authored guidance on the use of agentic AI that warns the technology will likely misbehave and amplifies organizations’ existing frailties, and therefore recommend slow and careful adoption of the tech.…
Sunday, May 3
Acoustic Keystroke Recovery - Reconstructing Typed Text from a Laptop Microphone (Full Guide, 85% success rate)
Around 85% success rate of keystroke recovery with our script :)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a recently disclosed security flaw impacting various Linux distributions to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerability, tracked as CVE-2026-31431 (CVSS score: 7.8), is a case of local privilege escalation (LPE) flaw that could allow an
Saturday, May 2
*As one tends to do on Saturday mornings with coffee in hand, I was reviewing two samples that were attributed to the LunaStealer / LunaGrabber family. Originally I was validating that* `tiquery` *was working with the MCP configuration, however what started as a quick TI check turned into a full static analysis session — and it gave me a good opportunity to put the MalChela MCP integration through its paces in a real workflow. This post walks through how that investigation unfolded, what the pivot points were, and what we found at the bottom of the rabbit hole.*
Plus: The NSA tests Anthropic’s Mythos Preview to find vulnerabilities, a Finnish teen is charged over the Scattered Spider hacking spree, and more.
Britain's cyber agency says the bill for years of technical shortcuts is coming due, and it's arriving all at once Britain's cyber agency is warning that AI-fuelled bug hunting is about to flush out years of buried flaws, leaving defenders scrambling to keep up.…
Cybersecurity company Trellix has announced that it suffered a breach that enabled unauthorized access to a "portion" of its source code. It said it "recently identified" the compromise of its source code repository and that it began working with "leading forensic experts" to resolve the matter immediately. It also said it has notified law enforcement of the matter. Trellix did not disclose the
Friday, May 1
For vulnerability research, smaller models run repeatedly can outperform larger frontier models on cost-to-recall.
TL;DR: If a large model finds a 0-day with 90% probability, and a small model with 50% probability, but the small model costs 10x less, it is better to use the small model. We compared the cost and recall of various models in finding real, recent zero-days and found that for most applications, smaller models run repeatedly can significantly outperform larger frontier models on cost-to-recall. Disclaimer: I'm involved with Hacktron, the company that produced this research. This is a factual presentation of our benchmarks, which we hope the community can use to make informed decisions about models like Mythos.
Over the past two and a bit quarters, we've undertaken an intensive engineering effort, internally code-named " Code Orange: Fail Small ", focused on making Cloudflare's infrastructure more resilient, secure, and reliable for every customer. Earlier this month, the Cloudflare team finished this work. While improving resiliency will never be a “job done” and will always be a top priority across our development lifecycle, we have now completed the work that would have avoided the November 18, 2025 and December 5, 2025 global outages. This work focused on several key areas: safer configuration changes, reducing the impact of failure, and revising our “break glass” procedures and incident management. We also introduced measures to prevent drift and regressions over time, and strengthened the way we communicate to our customers during an outage. Here we explain in depth what we shipped, and what it means for you. Safer configuration changes What it means for you : In most cases, Cloudflare internal configuration changes no longer reach our network instantly and are instead rolled out progressively with real-time health monitoring. This allows our observability tools to catch problems and revert issues before they affect your traffic. In order to catch potentially dangerous deployments before they reach production, we've identified high-risk configuration pipelines, and built new tools to manage configuration changes better. For products that run on our network processing customer traffic and receive configuration changes, we no longer deploy these changes instantly across the
MalChela v4.0 is out. The desktop GUI is gone — replaced by a PWA you can reach from any browser on the network. Battery-powered Pi on the table, iPad in hand, no keyboard required. The field kit finally makes sense.
Cybersecurity researchers are warning of two cybercrime groups that are carrying out "rapid, high-impact attacks" operating almost within the confines of SaaS environments, while leaving minimal traces of their actions. The clusters, Cordial Spider (aka BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and Snarky Spider (aka O-UNC-025 and UNC6661), have been attributed to high-speed data theft and
When we first launched Workers eight years ago, it was a direct-to-developers platform. Over the years, we have expanded and scaled the ecosystem so that platforms could not only build on Workers directly, but they could also enable their customers to ship code to us through many multi-tenant applications. We now see on Workers: Applications where users describe what they want, and the AI writes the implementation. Multi-tenant SaaS where every customer's business logic is, at runtime, some TypeScript the platform has never seen before. Agents that write and run their own tools. CI/CD products where every repo defines its own pipeline. Last month, when we shipped the Dynamic Workers open beta , we gave those platforms a clean primitive for the compute side: hand the Workers runtime some code at runtime, get back an isolated, sandboxed Worker, on the same machine, in single-digit milliseconds. Durable Object Facets extended the same idea to storage — each dynamically-loaded app can have its own SQLite database, spun up on demand, with the platform sitting in front, as a supervisor. Artifacts did the same for source control : a Git-native, versioned filesystem you can create by the tens of millions, one per agent, one per session, one per tenant. So, we have dynamic deployment for storage and source control. What’s next? Today, we are bridging durable execution and dynamic deployment with Dynamic Workflows . The gap between durable and dynamic execution
Altman's crew now doing the same gatekeeping it recently mocked OpenAI is lining up a limited release of its new GPT-5.5-Cyber model to a handpicked circle of "cyber defenders," just weeks after taking a swipe at Anthropic for doing almost exactly the same thing.…
313 Team tells Canonical: pay up or the packets keep coming Canonical says its web infrastructure is under attack after a pro-Iran hacktivist group instructed its members to target the open source giant.…
Start date pushed back a year, annual cost up a third, and UK's now handing out eight million passports a year The Home Office has increased the annual value and overall duration of its new passport production contract, increasing it to a total of £576 million as it starts a third round of engagement with suppliers.…
Thursday, April 30
One alleged cyber contractor was extradited to the US over the weekend China's "hacker-for-hire ecosystem has gotten out of control," according to Brett Leatherman, assistant director of the FBI's cyber division.…
OpenAI is rolling out Advanced Account Security for people concerned that their ChatGPT or Codex accounts could be potential targets of phishing attacks.
This CVSS 10.0 RCE vuln has been patched, automatically for some, so better check those workflows If you use Gemini CLI, watch out: Google has patched a CVSS 10.0 vulnerability in its command-line AI tool and is warning anyone running it in headless mode, or through GitHub Actions, to review their workflows.…
A Brazilian tech firm that specializes in protecting networks from distributed denial-of-service (DDoS) attacks has been enabling a botnet responsible for an extended campaign of massive DDoS attacks against other network operators in Brazil, KrebsOnSecurity has learned. The firm’s chief executive says the malicious activity resulted from a security breach and was likely the work of a competitor trying to tarnish his company’s public image. An Archer AX21 router from TP-Link. Image: tp-link.com. For the past several years, security experts have tracked a series of massive DDoS attacks originating from Brazil and solely targeting Brazilian ISPs. Until recently, it was less than clear who or what was behind these digital sieges. That changed earlier this month when a trusted source who asked to remain anonymous shared a curious file archive that was exposed in an open directory online. The exposed archive contained several Portuguese-language malicious programs written in Python. It also included the private SSH authentication keys belonging to the CEO of Huge Networks , a Brazilian ISP that primarily offers DDoS protection to other Brazilian network operators. Founded in Miami, Fla. in 2014, Huge Networks’s operations are centered in Brazil. The company originated from protecting game servers against DDoS attacks and evolved into an ISP-focused DDoS mitigation provider. It does not appear in any public abuse complaints and is not associated with any known
Coding agents are great at building software. But to deploy to production they need three things from the cloud they want to host their app — an account, a way to pay, and an API token. Until now these have been tasks that humans handle directly. Increasingly, agents handle them on the user’s behalf. The agent needs to perform all the tasks a human customer can. They’re given higher-order problems to solve and choose to use Cloudflare and call Cloudflare APIs. Starting today, agents can provision Cloudflare on behalf of their users. They can create a Cloudflare account, start a paid subscription, register a domain, and get back an API token to deploy code right away. Humans can be in the loop to grant permission and must accept Cloudflare's terms of service, but no human steps are otherwise required from start to finish. There’s no need to go to the dashboard, copy and paste API tokens, or enter credit card details. Without any extra setup, agents have everything they need to deploy a new production application in one shot. And with Cloudflare’s Code Mode MCP server and Agent Skills , they’re even better at it. This all works via a new protocol that we’ve co-designed with Stripe as part of the launch of Stripe Projects . We’re excited to launch this new partnership with Stripe, and also to offer $100,000 in Cloudflare credits to all new startups who incorporate using Stripe Atlas . But this new protocol also makes it possible for any platform with signed-in users to integrate with Cloudflare in the same way Stripe does, with zero friction for the end user. How it works: zero to production without any setup or manual steps
Spyware appears to have captured everything from intimate photos to private messages from the smartphone of European celebrity. They were publicly accessible until a researcher flagged the exposure.
Wednesday, April 29
What Mythos Means for Penetration Testing as a Service When Anthropic announced the Claude Mythos Preview, the reaction from the security community was immediate. We’re not talking about the next best model. This model is such a leap forward and so capable at finding and exploiting vulnerabilities that Anthropic deemed it too dangerous to release […] The post What GigaOm and Synack Got Right About AI Pentesting appeared first on Synack .
A newly analyzed Go-based macOS remote access trojan (RAT), internally named Minirat, has surfaced in the wild using anti-VM checks, LaunchAgent persistence, and AES-encrypted command and control (C2) configuration to maintain stealthy, long-term access on victim endpoints. According to [SafeDep](https://safedep.io/malicious-velora-dex-sdk-npm-compromised-rat/), the initial infection vector was a malicious npm package (velora-dex-sdk) that dropped the Go-based macOS RAT onto developer endpoints.
LibAFL is all the rage in the fuzzing community these days, especially with LLVM’s libFuzzer being placed in maintenance mode . Written in Rust, LibAFL claims improved performance, modularity, state-of-the-art fuzzing techniques, and libFuzzer compatibility . For these reasons, I set out to add LibAFL support to Ruzzy , our coverage-guided fuzzer for pure Ruby code and Ruby C extensions. This gives Ruby developers and security researchers access to a more advanced and actively maintained fuzzing engine without changing how they write their fuzzing harnesses. Ruzzy was originally built on top of LLVM’s libFuzzer, so using LibAFL’s compatibility layer should be easy enough. However, digging around in the internals of complex systems is never quite as simple as it seems. In this post, I will investigate some of the deep plumbing inside these fuzzing engines, take a detour into executable and linkable format (ELF) files, and ultimately add LibAFL support to Ruzzy. Building with libafl_libfuzzer Ruzzy currently supports Linux, so I use a Dockerfile for development and for production fuzzing campaigns. To that end, using a similar Dockerfile for LibAFL support is the simplest integration point. LibAFL provides excellent documentation a
Today, we're launching Project Swarm — a research initiative that opens the GreyNoise deception platform to the global security community. Project Swarm transforms GreyNoise from a proprietary sensor network into a collective intelligence platform.
Tuesday, April 28
CREST Helps Raise the Bar for the Researchers Behind Your Pentest When a cybersecurity company tells you its testers are vetted, what does that actually mean? Most of the time, it means the company ran its own screening, trusted its own judgment, and hoped you’d trust it too. That works, right up until the pentest […] The post What CREST Means for Your Next Synack Engagement appeared first on Synack .
The war in Iran has drawn attention to arrests in the United Arab Emirates over online content, but the legal framework behind that enforcement has existed for years.