Microsoft shipped its largest Patch Tuesday on record today, and two of the fixes close holes that attackers are already exploiting. The release covers 622 of Microsoft's own CVEs by its Security Update Guide count, more than triple June's previous high of around 200. Those two live bugs are the ones to grab first. Microsoft credits incident responders for both. Both are
Cybersecurity News and Vulnerability Aggregator
Cybersecurity news aggregator
treemd <(curl -sL https://allsec.sh/md) (as Markdown) Top Cybersecurity Stories Today
SAP has rolled out updates to address multiple vulnerabilities as part of its July 2026 security updates, including a critical flaw in SAP NetWeaver Application Server ABAP. The vulnerability in question is CVE-2026-44747 (CVSS score: 9.9), an out-of-bounds write flaw that allows an authenticated attacker to leverage logical errors in memory management to cause a memory corruption that could
Latest
I’ve been building **CyberBharat**, a cybersecurity awareness and storytelling platform focused on making cyber, privacy, AI risks, scams, and digital safety understandable for everyday people rather than just security professionals. After nearly two years of creating content, I’ve realized that creators often become too close to their own work and miss obvious opportunities for improvement. I’d appreciate honest feedback from this community on: What do you think is missing from cybersecurity content today? Which topics would make you stop scrolling and actually watch? Are there formats or storytelling styles that work particularly well? If you came across a page like CyberBharat, what would make you follow it? What should I stop doing, do more of, or change completely? Examples of topics I currently cover: AI risks and hidden dangers Data breaches and privacy failures Scams and social engineering Technology regulation and digital rights Cyber stories that impact ordinary people I’m not looking for compliments. I’m looking for brutally practical feedback that can help make the content more valuable and more engaging. If you have examples of creators doing this exceptionally well, I’d love to study them too. Thanks in advance for your time and feedback.
Microsoft shipped its largest Patch Tuesday on record today, and two of the fixes close holes that attackers are already exploiting. The release covers 622 of Microsoft's own CVEs by its Security Update Guide count, more than triple June's previous high of around 200. Those two live bugs are the ones to grab first. Microsoft credits incident responders for both. Both are
Hi guys, I send out a weekly newsletter with the latest cybersecurity vendor reports and research, and thought you might find it useful, so sharing it here. All the reports and research below were published between July 6th - July 12th. You can get the below into your inbox every week if you want: [https://www.cybersecstats.com/cybersecstatsnewsletter/](https://www.cybersecstats.com/cybersecstatsnewsletter/) # Ransomware **GRIT Q2 2026 Ransomware & Cyber Threat Insights Report (GuidePoint Security)** We’ve read and written about the ups and downs of ransomware, but according to GuidePoint, ransomware is not as bad as ever. It's actually much worse than ever. **Key stats:** * 91 active ransomware groups operated across 108 countries in Q2 2026, a record high. * Q2 2026 recorded 2,279 reported ransomware victims, a 7% increase from Q1 2026 and a 43% increase from Q2 2025. * Weekly victim postings never fell below 150 during the quarter. *Read the full report* [*here*](https://www.cybersecstats.com/r/ff7d966a?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* # AI Security **2026 State of AI Security Report (Orca Security)** How AI security is actually going in the cloud, based on real telemetry from more than 1,200 production organizations. **Key stats:** * 99.9% of AI vulnerabilities with an available fix remain unpatched. * 81% of organizations using AI packages have at least one known vulnerability, up from 62% in 2024. * 50% of AI package vulnerabilities have a publicly available exploit, a 250-fold increase over 2024. *Read the full report* [*here*](https://www.cybersecstats.com/r/31ecac85?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* # Phishing & Social Engineering **Phishing by Industry Benchmarking Report 2026 Edition (KnowBe4)** You should probably invest in security awareness training. **Key stats:** * The global average Phish-prone Percentage (PPP) is 33.2% before training. After one year of consistent training, it falls to 4.2%. * Organizations reduce phishing susceptibility by 40% within the first 90 days and by 79% after one year. * The three industries with the highest baseline PPP are Healthcare & Pharmaceuticals at 42.7%, Insurance at 38.1%, and Retail & Wholesale at 36%. *Read the full report* [*here*](https://www.cybersecstats.com/r/a7a80aef?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* # Fraud and Impersonation **2026 State of Executive Impersonation (Outtake)** Good data on how attackers are using AI to impersonate company executives online. **Key stats:** * 53% of organizations had an executive or employee impersonated. * 53.83% of executive impersonation alerts originated from social platforms, and 35.05% from video and visual platforms. * Only 3.57% originated from executive lookalike domains. *Read the full report* [*here*](https://www.cybersecstats.com/r/4658fc42?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* **Fraud & Security Trends Report 2026 (Infobip)** The numbers here are just AI vs AI. Fraudsters use it to send more attacks, and businesses use it to catch them. **Key stats:** * Detected threats increased by 77% as fraudsters use AI to scale and personalize harmful messaging. * Adoption of AI-powered fraud detection grew by 71% year-on-year, and pattern-based detection increased by 105%. * Phishing accounted for 49% of blocked harmful content, and phishing volume grew 94% year-on-year. *Read the full report* [*here*](https://www.cybersecstats.com/r/d84c34ec?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* # Industry-Specific **Cyber Risk, Supersized: 2026 Quick Service & Fast Casual Restaurant Report (VikingCloud)** Rare data on restaurant cybersecurity. **Key stats:** * 94% of leaders describe themselves as confident or very confident in their ability to prevent or detect a cyberattack, yet 80% experienced at least one cyber incident in the past 12 months. * 76% had sensitive data leaked in the past 12 months, including payment card data (40%) and customer personal information (32%). * 10% of restaurant chains have temporarily or permanently closed a location following a cyberattack. *Read the full report* [*here*](https://www.cybersecstats.com/r/e0975882?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* **The state of financial services cybersecurity in 2026 (SonicWall)** A briefing on how financial services got attacked in the first half of 2026, based on data from their global network of security sensors. **Key stats:** * Financial services saw 132,378 IPS hits per device in the first half of 2026, the highest attack intensity of any tracked industry and more than double the cross-sector average. * Malware activity averaged 39,341 hits per firewall, the second-highest per-device malware intensity of any industry, behind only healthcare. * Ten ransomware families were active against the sector, including REvil (Sodinokibi) and Prometheus. *Read the full report* [*here*](https://www.cybersecstats.com/r/857db71a?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* **2026 State of Identity Security in Financial Organizations (Secret Double Octopus)** How identity and access management is actually working (or not working) at financial institutions in the US and Canada. **Key stats:** * 94% of IAM leaders and stakeholders at financial services firms report that phishing attacks increased over the past year. * Only 28% of the MFA used for workforce authentication is phishing-resistant. * 54% of financial organizations report that at least half of their applications and infrastructure are legacy, and those legacy systems are protected by MFA at a rate of just 50%. *Read the full report* [*here*](https://www.cybersecstats.com/r/d150e7fe?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* # Regional Spotlight **78% of CISOs say C-level do not fully understand employee-driven cyber risk (MetaCompliance)** CISOs in Europe see employees as their biggest risk, but are finding it difficult to convince their bosses. **Key stats:** * 68% of CISOs identify employees as their organization's biggest security risk as AI amplifies human-targeted attacks. * More than three-quarters of CISOs across Europe say C-level senior decision-makers do not fully understand the cyber risk posed by employees. * 40% of CISOs fear that employees are sharing sensitive information with generative AI platforms. *Read the full report* [*here*](https://www.cybersecstats.com/r/c2a615c6?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* **The State of Secure Collaboration Report 2026 (Wire)** How teams across European enterprises use collaboration tools to share sensitive data (hint: it’s not great from a security perspective). **Key stats:** * 84% rate their collaboration environment as secure, yet 48% share sensitive information through collaboration tools not built for it. * 75% rely on email as their primary external collaboration, 45% on file-sharing links, and 42% on messaging apps like WhatsApp and Signal. * 61% say access to shared files stays active longer than intended. *Read the full report* [*here*](https://www.cybersecstats.com/r/d74abe3e?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*
Also 1Password. Be careful out there.
SAP has rolled out updates to address multiple vulnerabilities as part of its July 2026 security updates, including a critical flaw in SAP NetWeaver Application Server ABAP. The vulnerability in question is CVE-2026-44747 (CVSS score: 9.9), an out-of-bounds write flaw that allows an authenticated attacker to leverage logical errors in memory management to cause a memory corruption that could
🇨🇳 Suspected Chinese Operators Use Claude Code and DeepSeek to Breach Government Systems Across Four Countries
Our research team pivoted off known TencShell C2 infrastructure and found an open directory exposing an active intrusion, tooling, victim data, operator logs, and cloned login pages, all with notes in Simplified Chinese. The part worth sitting with is how the LLMs were used: Claude Code handled execution and session persistence while DeepSeek-v4-pro drove the reasoning, a split we could trace across the recovered logs. Government systems in Afghanistan, Thailand, and Taiwan were hit directly, with recon and staged phishing against U.S. portals and a parallel campaign against financial services firms. It lines up with Anthropic's November 2025 disclosure of a China-linked operation that used Claude Code to automate intrusions. Full IOCs and the HuntSQL queries in the post.
Any other browser extension that can run a script on claude.ai can still trigger Claude for Chrome tasks aimed at your Gmail, your latest Google Doc and its comments, and your Calendar. Both this and ClaudeBleed need a rogue extension that can already run a script on claude.ai; the difference is scope. Anthropic restricted the arbitrary-prompt path in May as part of its response to the
Cybersecurity researchers have flagged a previously undocumented Rust-based remote access trojan (RAT) codenamed LabubaRAT that masquerades as NVIDIA software to blend into target environments. "LabubaRAT creates a reusable foothold for hands-on activity," Blackpoint Cyber researchers Sam Decker and Nevan Beal said in an analysis published today. "Once deployed, it can profile the host,
Hi everyone, As security defenders, we all know that default alerts in a SIEM can only get us so far. Attackers are constantly finding stealthy ways to execute code, escalate privileges, and establish persistence, making a deep understanding of Windows Event Logs absolutely critical. I’ve put together a comprehensive deep-dive guide on Medium exploring Windows Event Log analysis, forensic investigation, and detection engineering with Sysmon. In this guide, I cover: 1 **The Anatomy of Windows Logs:** How the OS structures and stores .evtx binary XML data. 2 **Demystifying Logon Types (Event ID 4624):** A technical breakdown of different logon types (Type 2, 3, 5, 9, 10) and their forensic value. 3 **Supercharging Visibility with Sysmon:** How to hunt for LOLBins and malicious executions using **Sysmon Event ID 1 (Process Creation)** and **Event ID 3 (Network Connection)**. 4 **Detecting Defense Evasion:** Spotting log clearing attempts (**Event ID 1102 & 104**) and event log service tampering. 5 **A Practical Attack Scenario:** Reconstructing a **PsExec Lateral Movement** attack step-by-step by correlating multiple event logs. I also created a custom infographic (attached/linked below) that visualizes the entire flow to help junior analysts and defenders map these concepts quickly. **Read the full article here:** https://medium.com/@osamamamoussa/beyond-the-basics-deep-dive-windows-event-log-analysis-for-enterprise-soc-defenders-04d13219adef
'The bots are alive!' Jailbroken Gemini spun up new C2 server for Russian fraudster in just 6 minutes
Really good look at how AI-enabled attackers can move fast and accomplish way more with way less technical skill than even six months ago. [https://www.theregister.com/research/2026/07/14/the-bots-are-alive-jailbroken-gemini-spun-up-new-c2-server-for-russian-fraudster-in-just-6-minutes/5270131](https://www.theregister.com/research/2026/07/14/the-bots-are-alive-jailbroken-gemini-spun-up-new-c2-server-for-russian-fraudster-in-just-6-minutes/5270131)
[RustyWater ShellCode Dropper](https://github.com/S3N4T0R-0X0/RustyWater-ShellCode-Dropper) has emerged as a key component in recent Static Kitten (MuddyWater) operations targeting organizations in the Gulf and broader Middle East. Written in Rust and disguised as a legitimate-looking reddit.exe, this implant serves as the main payload and backbone of their attacks. It uses a multi-stage dropper (CertificationKit.ini) that decrypts and deploys the payload at runtime, establishes registry persistence, and injects shellcode into explorer.exe for stealth. What makes it particularly effective is its robust 8-layer anti-analysis system checking for virtual machines, debuggers, sandboxes, low resources, and analysis tools before execution. This ensures it only activates on real victim systems. A clear example of how Iranian APT groups continue to evolve their tooling with Rust for better evasion and persistence in the region.
On July 3, 2026, the Albanian communications authority (AKEP), the operator of the .AL country-code top-level domain (TLD) of Albania, attempted a DNSSEC key rollover. Something went wrong, resulting in DNSSEC validation failures. Any validating DNS resolver receiving these signatures was required by the DNSSEC specification to reject them and return errors to clients. That includes 1.1.1.1 , the public DNS resolver operated by Cloudflare. The .AL TLD is the online home of Albanian government services, banks, and media; it ranks #191 on Cloudflare Radar's TLD ranking . Anyone trying to visit those sites, using a validating resolver, found them unreachable during the incident. The failure had the potential to affect every .AL domain, regardless of where it was hosted or which authoritative nameservers served it. Just two months earlier, a similar incident struck .DE , the TLD of Germany. As we described in our blog post on the incident , our response was to install a Negative Trust Anchor (NTA) for .DE , temporarily suspending DNSSEC validation in 1.1.1.1 to keep domains reachable while the registry resolved the issue. We did the same for .AL . NTAs restore resolution, but silently. A client receiving a response served under an NTA has no way to tell, from the response alone, that DNSSEC validation was bypassed, leaving it unable to distinguish a legitimate answer from a spoofed one. For the .AL incident, 1.1.1.1 addressed that gap for the first time, returning a new Extended DNS Error (EDE) code alongside every affected response to signal that the answer was not DNSSEC-validated due to the presence of an NTA. The graph below shows the SERV
Cybersecurity researchers have discovered 11 old, Microsoft-signed, Unified Extensible Firmware Interface (UEFI) applications that could be abused to bypass Secure Boot on most systems using the modern firmware standard. "An attacker exploiting one of these vulnerable applications can execute untrusted code during system boot, enabling deployment of malicious UEFI bootkits or other malware,"
Researchers at KU Leuven tested 85 of the most popular crypto wallets that run as browser extensions and found that the wallets themselves leak enough to link and track the people using them. The way these wallets talk to websites and blockchain servers can tie a person's separate addresses together and let outsiders follow them from site to site. And on a site that already holds a name or
AI security agents are starting to influence real security decisions. They summarize findings, prioritize remediation, recommend next steps, and help teams move faster. But most still rely on fragmented risk signals: scanner output, severity scores, threat intelligence, configuration findings, and exposure data. That fragmentation matters because attackers do not move through environments one
At least two distinct threat actors are weaponizing a novel evasion technique called OAuth client ID spoofing in cloud campaigns, while slipping past telemetry. The activity allows users to enumerate user accounts and validate stolen credentials in Microsoft Entra ID environments, without ever generating a successful sign-in event that would otherwise alert defenders. And bad actors have begun
Tracing a ClickFix campaign found on `new-blog.artlist[.]io` on July 13. The injected JavaScript queried a Polygon smart contract for its delivery host, loaded a fake reCAPTCHA prompt, and pushed visitors into a PowerShell chain. That chain delivered a signed updater bundle containing several nested loaders. The final payload is a native RAT with browser-store collection, file transfer, process and shell control, remote desktop, keylogging, SOCKS bridging, and Tor-based endpoint fallback. The teardown follows the bytes through `Stream.Toolkit.dat`, the custom `Face.dat` container, `act.exe`, an encrypted ZIP, and the manually mapped final DLL.
Four `asyncapi` packages published with a RAT via compromised GitHub Actions. Stealing browser credentials, SSH keys, npm tokens, AWS secrets, and crypto wallets.
xAI's Grok Build coding CLI was uploading entire Git repositories, full commit history and all, to a Google Cloud Storage bucket run by xAI, not just the files a coding task needed. A researcher publishing as cereblab, testing version 0.2.93, captured one of those uploads, cloned the git bundle out of the intercepted request, and pulled back a file the agent had been told in plain terms not
New repo just went up: [git.projectnightcrawler.dev/NightmareEclipse/LegacyHive](http://git.projectnightcrawler.dev/NightmareEclipse/LegacyHive), created about 2 hours ago. Right now it's empty — just an MIT license and a README that says "N/A," 2 commits total. He'd spoken about his big drop happening today, July 14th, saying he'd make sure Microsoft's "bones are shattered" that day. At one point though he'd also indirectly said he wasn't going to post it, something about still having "chains" on him preventing a release. This repo showing up on the exact date he originally called out suggests that might not hold anymore and it could actually be happening. Nothing in it yet, just watching to see what gets pushed. Worth noting: given how erratic and bipolar his posting history has been, there's really no way to predict what (if anything) actually gets posted. **Update:** Thanks for the 600+ upvotes, really appreciate it. After hours of waiting and anticipation NightmareEclipse finally uploaded their PoC. But I personally have a hard time seeing it as the big bombshell that they described it as.
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has designated two individuals and a VPN service provider for enabling ransomware actors' and other cybercriminals' malicious activities, including ransomware attacks against Americans. The VPN, named First VPN Service (1VPNS), has been accused of offering its tools to ransomware groups, along with its 45-year-old Ukrainian
A campaign of 148 npm packages disguised as student web proxies turned visitors' browsers into a distributed denial-of-service botnet for roughly two weeks in May, according to new research from JFrog. The packages did not go after the developers who might install them. The operators used the registry as free hosting for a booby-trapped proxy site and let the students who came to dodge
Attackers whose methods line up with the data-extortion group ShinyHunters have spent the past year walking into corporate Salesforce environments without exploiting a single flaw in the platform. The way in has been the trust the organization had already extended, usually through the OAuth connections that tie Salesforce to the apps and third-party vendors around it. In
On July 14, 2026, four npm packages in the @asyncapi namespace, totaling over 3 million weekly downloads, were compromised to deliver credential-stealing malware. We investigate how the attack unfolded and how to know if you're affected.
Most enterprises test less than a third of their attack surface, and attackers have already moved to AI-speed offense. Agentic AI closes the coverage gap, but only when paired with human expertise: an AI-first, human-validated model that secures critical infrastructure without sacrificing operational safety. The post Why the Future of Pentesting Needs Humans and Agentic AI Working Together appeared first on Synack .
I wrote this after spending an unreasonable amount of time making CET-compliant callstack spoofing work end-to-end on hardware with Intel CET enabled. The technique combines three primitives: thread pool execution for a clean stack base, enum callback trampolining for a real signed mid-stack frame, and indirect syscalls. The actual contribution is the CET compliance mechanism: a `jmp`\-based context switch combined with direct shadow stack pointer reconciliation via `RDSSPQ`/`INCSSPQ`, without touching unwind metadata. Different approach from BYOUD. Implemented in Rust with inline assembly.
Cybersecurity researchers have flagged a new macOS information stealer called CrashStealer that's capable of harvesting sensitive data from compromised systems. Unlike other information stealers that are built on AppleScript droppers or Objective-C-based wrappers, CrashStealer is implemented in native C++, according to Jamf Threat Labs. "It validates the victim's login password locally before
Google and Microsoft have pulled ModHeader, a popular header-editing extension with roughly 1.6 million installs across Chrome and Edge, after researchers found a hidden browsing-history collector built into its official store version. The collector was dormant. An empty allow-list kept it switched off, and no proof has emerged that it ever gathered or sent a single browsing domain. The
Somewhere right now, a security tool is quietly finding bugs faster than any human can fix them. That's supposed to be the good news. The catch is that the attackers have the same tools, pointed the other way, and they don't file tickets. That's the shape of this week. Trusted code turns on the people who installed it. Old bugs from last year are still landing because the fix sat in a queue too
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a postmortem on a recent data leak in which a contractor published dozens of internal CISA credentials — including AWS Govcloud keys — in a public GitHub repository for almost six months before being notified by KrebsOnSecurity. Experts say the gaps identified in the agency’s initial response provide important lessons that all security teams should absorb. On May 15, 2026, the security firm GitGuardian asked for help in notifying CISA about the existence of a public GitHub repository called “Private CISA” that included 844 MB of sensitive CISA-related data. One of the exposed files, titled “importantAWStokens,” included the administrative credentials to three Amazon AWS GovCloud servers. Another file — “AWS-Workspace-Firefox-Passwords.csv” — listed plaintext usernames and passwords for dozens of internal CISA systems. CISA quickly acknowledged our initial alert, but took more than 48 hours to invalidate the AWS keys and many other important secrets leaked in the GitHub repo. In its report on the data leak , CISA said the complexities of the agency’s systems and interconnections with federal and industry partners caused its key rotation to take long
Give an AI assistant a memory and access to your inbox, and you hand an attacker a way to rewrite what it thinks it knows about you. A single email can trick that agent into saving a false "fact" about the user, hide the change, and quietly steer its answers in later sessions. When it works, the person reads an ordinary-looking reply and never learns their assistant was tampered with. The
A new phishing-as-a-service (PhaaS) operation called Forg365 is using a combination of device code phishing, adversary-in-the-middle (AitM) tactics, antibot evasion, artificial intelligence (AI)-assisted lure creation, and post-compromise mailbox operations targeting Microsoft 365 accounts. Distributed via Telegram and costing $400 a month (or $3,800 per year), attack chains leverage phishing
Bot mitigation is an adversarial game: attackers adapt, defenders respond, and the cycle continues. At Cloudflare, we stay ahead by combining visibility across our global network with signals from the client-side environment. At the network level, we analyze over 1 trillion requests per day to understand reputation, patterns, and anomalies across more than 20% of the web. On the client side, we’ve pushed detection deeper with Cloudflare Turnstile , which has evolved from a CAPTCHA replacement to a risk-based managed challenge that adapts the amount of friction needed to verify the user is authentic. Today, Turnstile runs nearly 3 billion times per day on some of the most sensitive endpoints on the Internet, helping verify users at key moments like login, signup, and checkout. This improves protection on the most important areas of customer applications, but still leaves limited visibility into the rest of the application — how humans and bots actually interact across the full user journey. This is the visibility gap we’re closing today with our launch of Precursor . Introducing Precursor Precursor is a client-side, session-based verification system, built with privacy in mind, that uses dynamically injected JavaScript to continuously collect behavioral signals as visitors interact with your application. These signals are processed and incorporated into Cloudflare’s bot protection in real time, allowing us to continuously distinguish human traffic from automated or agentic traffic. This extends the client-side detections offered by a
Meta has filed a patent application for an AI that listens to your voice throughout the day, works out how it thinks you are feeling from the way you sound, and keeps a timestamped log of every read. Each read gets pinned to the moment it happened: the time, your location, what you were doing, even how you were using your phone. Some versions in the filing would listen all day; others would
A few days ago, I was sitting with the CISO of a Fortune 50 company, walking through how his security team was thinking about AI agents in the SOC. Smart team. Serious program. They had already connected Claude to a few detection tools and were seeing real value in specific investigations. But as we mapped out the broader architecture, something kept nagging at me. The design they were building
We’ve added a new chapter to our Testing Handbook : a comprehensive guide to security testing Rust programs. This chapter covers the tools and techniques we use at Trail of Bits to validate the security of Rust programs and systems. fn main () {( | f: & dyn Fn ( u128 )-> Box < dyn Iterator < Item =
The SFPD’s exposure of hours of videos from drone platform Skydio reveals how broadly it’s watching the city from above—and how the results can spill online.
To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.
\\#ransomware #kratos #minifilter #Windows
GreyNoise's Threat Brief Library is now live in the Visualizer — browse, search, filter, and download weekly At The Edge briefs, Executive Situation Reports, and more, all built on primary-source sensor data.
Hand-crafted 974-byte Android 14 APK (API 34) — Bypassing build-tool bloat by exploiting PackageInstaller structure.
A read-only, deterministic file-observer that emits a hashed, reproducible manifest — where would this fall short for real casework?
Up front: I'm an enthusiast, not a forensics professional, and this is not a validated forensics tool — it's not write-blocking, it hasn't been through any formal tool-validation, and I'm not going to pretend otherwise. I built it for reproducible file observation and I keep thinking it might be useful for first-pass triage, but the people who'd actually know are here, not where I usually hang out. So I'd rather you tell me where it falls short than nod along. ## What it does file-observer walks a directory and emits a single deterministic JSON manifest describing every file. It's read-only — it never writes to a file, never executes file content, and never modifies source. (Like any triage tool, you'd point it at a working copy or a mounted image, not originals.) The properties that made me think of this sub: - **Reproducible output.** Same bytes in → byte-identical manifest out, every run, regardless of worker count (there's a test that fails CI if a parallel scan differs from a serial one). It's determinism, not tool-validation — but the output is stable enough to diff and defend. - **SHA-256 per file**, plus identical-hash duplicate clustering across the tree. - **Content-vs-extension MIME mismatch + polyglot detection** — flags a file whose actual signature doesn't match its extension, and files that satisfy more than one format's structure. Useful for spotting renamed or disguised files. - **Metadata extraction, stdlib, bounded and never-crashing on hostile input:** image EXIF (make/model, timestamps, and GPS-presence — presence, deliberately not coordinates), video container/QuickTime capture fields (device make/model, creation dates, GPS-presence), PDF producer/creator/creation-date/encryption + a born-digital-vs-scanned/OCR provenance read, email envelopes (.eml/.msg: from/to/subject/date/message-id/attachments), and Office/OLE2 document fields. - **Structural safety flags** — has_macros (VBA), has_javascript (PDF), has_ole_objects, has_external_references. Observations, not verdicts. - **Integrity envelope** — optional HMAC-SHA256 manifest signature and a previous_manifest_checksum chain, if you want a tamper-evident record of the observation itself. - **Delta between two scans** — what was added/modified/removed since a prior manifest. Everything runs bounded and read-only, and it degrades to a per-file error record rather than crashing on a malformed or hostile file. ## Where I know it's weak (and where I don't) Honest limits: it's triage/observation, not analysis — no carving, no timeline, no registry/artifact parsing. Metadata is bounded observation, so a null means "not seen within the read window," not "not present." GPS is presence-only by design. And reproducible ≠ validated — I've oracle-checked the parsers against tools like exiftool, but that's not the same as CFTT-style validation. What I don't know is whether any of this is actually useful in a real workflow, or whether it's a toy next to the tooling you already trust. That's the question. Where would this break, mislead, or fail to matter for real casework? ## Try it pip install "file-observer[all]" Repo: https://github.com/russalo/file-observer I'd genuinely rather hear "here's why this is useless for X" than a pat on the head — I'm isolated from people who do this for a living, and that's exactly the gap I'm trying to close.
Plus: The Pentagon is training amateurs to become part of its hacker army, a Flock license plate reader error led to cops surrounding a car reviewer, and more.
Caeruleus – Latin, deep blue The Bluetooth Low Energy (BLE) tooling space is fragmented and decaying. Picture a typical BLE testing session: you spin up bettercap to run ble.recon and ble.enum , your trusty (but deprecated) gatttool to read and write handles, and, when it’s time to fuzz that one writable characteristic, dig up that custom Bleak script you copy-paste between directories and projects. That’s the BLE testing tax, and we got tired of paying it. So we built Caeruleus : a single Go binary that covers the whole BLE lifecycle, built on top of the BlueZ stack for Linux. Caeruleus lets you scan, enumerate, read/write/notify characteristics, fuzz, and run structured security assessment workflows against your Bluetooth Low Energy devices. The BLE tes
Overview GNU Wget, versions 1.25.0 and earlier, contains a server-side request forgery (SSRF) vulnerability in its implementation of FTP passive mode. Because Wget does not properly validate IP addresses obtained from PASV responses, an attacker-controlled FTP endpoint can redirect the client’s connection to arbitrary IPs, potentially exposing internal network host and service responses. This vulnerability has been remediated in a recent update by GNU; see the Solutions section below for resolution guidance. Description GNU Wget is a widely used command-line utility for retrieving content over HTTP, HTTPS, and FTP. When operating over FTP in passive mode, Wget relies on the server’s PASV response to determine which IP address and port to use for the data connection. CVE-2026-15146 GNU Wget does not validate the IP address provided by an FTP PASV response while operating in FTP passive mode. A malicious FTP server, or an HTTP server that redirects to an FTP URL, can exploit this behavior to redirect Wget’s data connection to an arbitrary IP address and port. This allows an attacker to forge server-side requests (SSRF) from the machine running Wget, potentially accessing localhost services or internal network resources. This issue belongs to a known class of FTP PASV vulnerabilities such as CVE-2021-40491 , which was previously remediated in GNU Inetutils. Impact A remote attacker controlling or influencing an FTP endpoint can induce Wget to establish connections to otherwise inaccessible internal network addresses. This may allow the attacker to retrieve service banners, access internal HTTP endpoints, or exfiltrate data from internal systems reach
In 2021, we shipped Smart Tiered Cache . The idea: for each origin behind your site, Cloudflare picks the single best upper-tier data center to route through, based on real-time latency. Flip one switch, and we find the fastest path from our network to your origin. That works as long as an origin IP lives in one fixed place. Public cloud origins usually don't. They sit behind anycast or regional unicast front ends, so one origin IP can look equally close to a dozen Cloudflare data centers at once — and the latency probes have nothing to lock onto. Smart Tiered Cache handles this the safe way: when there's no clear winner, it falls back to several upper tiers. Nothing breaks. You just lose the thing that made a single closest tier worth it, which is cache efficiency. Smart Tiered Cache for Public Cloud Regions fixes this by letting you provide a cloud region hint. With that hint, Cloudflare can map public cloud origins to the right region and select better primary and fallback upper tiers, even when the origin IP itself looks anycast or ambiguous. We made our most popular tiered cache topology smarter Since it was launched, Smart Tiered Cache has become the most popular tiered cache topology among Cloudflare customers. It’s available to all plans, for free. Much of our work aims to continually improve it. Over time, we’ve extended Smart Tiered Cache to handle more origin architectures, including: November 2024 : Smart Tiered Cache for R2 : We taught Smart Tiered Cache to automatically select the closest upper tier to where the R2 bucket actually lives, reducing latency with zero configuration.
There are several major managed detection and response (MDR) companies to choose from. We’ve compared the main offerings of the best MDR providers to help you decide which is right for your organisation. Maybe it was a near miss, or a security team stretched too thin and drowning in alerts from dozens of tools. Whatever […] The post Top 6 Managed Detection and Response Providers appeared first on Heimdal Security Blog .
I reverse-engineered the DJI Spark smart battery I2C/SMBus protocol and documented the captures, firmware, and hardware
Security testing identifies vulnerabilities, weaknesses, and misconfigurations before attackers can exploit them. This guide covers every major method, when to use each, and how to build a program that finds what actually matters. The post What Is Security Testing? A Practitioner’s Guide to Methods, Tools, and When to Use Each appeared first on Synack .
Overview PayRange is a mobile payment app that allows users to pay for vending machines, laundromats, and other unattended machines using a smartphone with Bluetooth. Two vulnerabilities were discovered in version 7.0.7 of the PayRange app that is available in the Google Play store. Description A vulnerability (CVE-2026-13462) exists in the PayRange Android app that causes invalid SSL certificates to be accepted in application WebViews. A second vulnerability (CVE-2026-13461) exists that allows the injection of JavaScript, which can be used to escape the WebView sandbox and perform a number of dangerous actions on the user's device. These vulnerabilities were discovered in version 7.0.7 of the PayRange app. The PayRange app bypasses Android's SSL trust chain and accepts certificates that match any of the following rules (including self-signed certificates): Common Name ends with "payrange.com" Common Name contains "stripe.com" Common Name contains "fetlifestatus.com" AND any of these conditions are true: Issuer Common Name is "R10" Issuer Common Name is "R3" Issuer Common Name contains "Network Solutions" The attack vector is an on-path interception. If an attacker can direct traffic intended for a legitimate server to a device they control, they can negotiate a TLS connection with the user's device using any trusted certificate that matches the rule set. They are then able to inject content into the WebView and harvest credentials, issue malicious requests and read data entered by the user, including exchanges with the PayRange and Stripe servers. Impact An attacker may be able to intercept any information they can convince the
Hi everyone, I've recently released **Auditor 1.0.0**, a command-line utility for file hashing and integrity verification, and I'd like to share some of the new features that may be useful for digital forensics workflows. # New: Verified file copy Two new commands have been added to perform file copies while ensuring end-to-end integrity. **clone** * Reads each source file and computes its hash. * Copies the file to the destination. * Reads the copied file, recomputes its hash, and verifies it against the source. * Can also generate audit/hash files if they don't already exist. **chkcopy** Similar to `clone`, but additionally validates the source against previously generated audit files before copying: * Verifies that the audit files exist. * Recomputes the source hash and compares it with the recorded value. * Copies the file. * Verifies the copied file by hashing it again and comparing it with the source. Both commands support configurable retry logic (number of attempts and delay between retries), which is particularly useful when copying over network shares where transient I/O or connection failures may occur. # Compatibility with existing checksum tools Auditor can now verify checksum files generated by other utilities, including: * `fsum` * `sha256sum` * `b3sum` * and others This makes it easier to integrate Auditor into existing workflows without requiring proprietary hash lists. # Multiple hash encodings Besides the traditional hexadecimal (Base16) representation, Auditor now supports: * Base32 * Base64 * Base85 This is handy when working with systems that exchange hashes in different encodings (for example, some forensic monitoring systems that use Base32). # Windows, Linux and macOS Precompiled binaries are available for Windows, Linux and macOS. The Linux build has also been updated to run cleanly under **WSL (Windows Subsystem for Linux)**, which may be useful for investigators who automate their workflow with Linux shell scripts while working on Windows. Documentation and downloads: [https://thash.org/auditor](https://thash.org/auditor) # Breaking change in v1.0.0 The default behavior has changed. Previous versions enabled the **thash** method by default. Starting with **v1.0.0**, Auditor computes standard hashes by default, producing exactly the same values as tools such as `sha256sum`, `b3sum`, and `fsum`. The **thash** algorithm is still available, but it must now be explicitly enabled with: `-t` or `--thash` This change was made to improve interoperability while keeping thash available for situations where faster integrity verification of very large datasets is desirable. Feedback, bug reports and feature suggestions are always welcome.
RSA and ECC, cryptographic algorithms that we’ve all relied on for decades, are vulnerable to the attack of sufficiently advanced quantum computers. Such quantum computers do not exist yet, but they seem to be coming sooner than expected. Luckily, the solution is already available: migrate to ML-KEM encryption and ML-DSA signatures, which are designed to be resistant to quantum attack. They were standardized in 2024 by the U.S. National Institute of Standards and Technology (NIST) after an eight-year open international competition. The migration to post-quantum cryptography is in full swing now. At the time of writing, the majority of traffic handled by Cloudflare is already using ML-KEM encryption, and is thus secured against the threat to data posed by harvest-now-decrypt-later attacks. But encryption is only one part of the equation: to be fully secure against quantum computers capable of breaking classical cryptography, we aim to deploy post-quantum signatures to protect authentication systems from unauthorized access. We are targeting 2029 for Cloudflare to be fully post-quantum secure. ML-DSA, the best all-around post-quantum signature scheme standardized today, has its downsides: it’s much larger on the wire, and many tricks we were able to perform with RSA and ECC simply cannot be done with ML-DSA. There are better post-quantum signature schemes on the horizon: last month, NIST announced that it is advancing nine
A Majority of European Lawmakers Voted Against Letting Big Tech Read Our Messages. They’re Going to Anyway
Companies will once again be allowed to scan citizens’ personal texts, emails, and social media messages via the “Chat Control” bill to find child abuse material online.
Overview Two vulnerabilities have been discovered in Xerte Online Toolkits, an open-source e-learning authoring toolsuite intended for the creation of learning materials within a web browser. CVE-2026-14261 tracks the persistence of the /setup/ directory after installation, which allows an unauthenticated attacker to reconfigure the application to point to a remote database they control in order to gain administrative access. CVE-2026-12116 tracks an editable antivirus binary path that can be redirected to a PHP interpreter, causing uploaded files to be executed as PHP code and resulting in remote code execution (RCE). Version v3.15.5 or v3.14.6 of Xerte Online Toolkits fixes these vulnerabilities. Description Xerte Online Toolkits is a suite of a free, open-source e-learning authoring tools that allows users to make educational materials directly in-browser. The toolset is installed from multiple packages, and creates a setup folder that persists after installation. CVE-2026-14261 A vulnerability in Xerte Online Toolkits allows for authentication bypass and remote code execution via reinstallation through the /setup/ folder, enabling attackers to reinstall the service to a remote database they control. CVE-2026-12116 A vulnerability in Xerte Online Toolkits allows for RCE through the antivirus binary path in the tools server settings. The antivirus binary runs on all uploaded files, but the path to the binary can be modified using the configuration menu. An attacker can achieve remote code execution by redirecting the path to a PHP interpreter, causing any uploaded PHP scripts to be executed. During installation, Xerte creates a /setup/
An MSG database tracked and categorized hundreds of celebs, famous Knicks superfans, and even some of Taylor Swift’s wedding guests. Labels included “LGBTQIA,” “DO NOT HOST,” and low to high “risk.”
A malicious commit disguised as SDK telemetry briefly compromised @injectivelabs/sdk-ts, exfiltrating wallet mnemonics and private keys.
Our 2026 State of Vulnerabilities Report surfaces what Synack finds in tested customer environments. At a recent webinar, two of our most decorated researchers from the Synack Red Team describe the threat landscape they’re seeing beyond the report findings. Here's what the data shows, what practitioners have experienced, and what your security program should do about the gap. The post The 2026 State of Vulnerabilities: What the Data Misses, According to Our Red Team appeared first on Synack .
VU#849433: Adalo Database API Enables Cross-App User Data Extraction via Over-Fetching and Missing Authorization Controls
Overview Adalo’s no‑code application platform exposes complete user records through its database API for all applications built on both V1 and V2. Due to a platform-level flaw, authenticated users can retrieve full user data belonging to any Adalo application, regardless of configuration. This issue affects more than one million applications and placing developers and their end users at risk of data exposure that they cannot prevent or remediate. Description Adalo is a Software-as-a-Service (SaaS) provider for building no-code applications. In theory, each application or tenant (customer) is logically isolated with separate databases, users, and configurations. CVE-2026-10706 Unrestricted Disclosure of Full User Records The Adalo database API contains a flaw which allows the backend to return complete user records for every list component request, regardless of which fields the component is configured to display. The database does not enforce ownership‑aware, server‑side authorization checks, allowing authenticated users of any Adalo application to query database and table identifiers belonging to other applications and retrieve full records, including fields not requested. This issue is amplified by the permissive CORS policy, plaintext storage of all text files and evidence suggests that deleted records may remain accessible. CVE-2026-10708 Exposure and Reuse of Long-Lived JWT Tokens The JWT tokens are visible in client‑side requests and remain valid for approximately twenty days. Once copied, they can be reused from any external website or script to query the database API directly. Because the platform allows requests from any origin, attackers can repeatedly query the API and extract large volumes of user data without interacting with the applica
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite How's this for a location?! I mean, last week was nice with Scott in Mallorca, but Marrakech is, well, wow Anyway, about those data breaches... This week I'm talking about the futility of attempting to remove piss from a pool , yet here we are, with various companies wanting to place that message alongside the very data breaches they can do nothing about! As I say in the post, I don't question the good intentions behind setting up a service to try to scrub data from legally operating data brokers, but the marketing machines behind those organisations that regularly reach out to me for product placement don't really seem to grasp that reality. At least now they have a nice explainer courtesy of that post
Many internal services at Cloudflare need to read and modify the same control-plane state from across our 330+ global data centers. They need guarantees that different readers never see inconsistent state, and that the system remains available for writes even when some data centers or links fail. But Cloudflare’s network runs across the entire Internet, and the Internet is an unpredictable place. Servers and data centers go down. Queues fill up. Links and cables get cut. These conditions make it difficult to run a globally available data system that guarantees strong consistency (e.g., that all readers are guaranteed to read all prior writes) because hostile conditions hinder distributed system replicas’ ability to reliably synchronize data with one another. One way to synchronize data safely despite adverse network conditions is via a consensus algorithm, which allows a set of machines to agree on the same sequence of values, such as key-value store put and get operations, as long as a majority remains alive and able to communicate. Unfortunately, commonly deployed consensus algorithms like Raft suffer in wide-area networks like Cloudflare’s because they rely on leaders and timeouts . The leader is the only replica allowed to make writes, and if it fails due to a crash or network degradation, the system becomes unavailable until some other replica times out and a new leader is elected. And these timeout values are hard to configure in networks with unpredictable latencies. We have experienced multiple incidents caused by unavailable leaders in consensus-driven systems. And so, for the past year, Cloudflare’s Research team has been building a new distributed consensus service called Meerkat powered by a consensus algorithm called
A cybersecurity startup dangling millions of dollars to acquire zero-day security vulnerabilities in popular software is run by a pair of far-right conspiracy theorists and convicted felons whose most recent ventures included fake intelligence companies and a now-defunct AI-based lobbying platform they operated under assumed names. The X/Twitter account IRIS C2 (@C2IRIS) has gained more than 4,000 followers since its creation in January 2025, posting frequently about security vulnerabilities, AI and software exploits. IRIS C2 says it is a company in McLean, Va. that sells offensive cybersecurity capabilities. The IRIS C2 website dangles the possibility of million-dollar payouts for exploits to attract talent. “Our business model is this,” reads a pinned post on top of the IRIS C2 account on X. “Attract the very best vulnerability researchers and exploit developers in the world to join our company. This mostly revolves around junior engineers with raw talent/extremely high IQ. We don’t care if they have a college degree/industry experience.” The website linked in that profile — irisc2[.]com — says the company is hiring for a number of open positions, and a recent post on its LinkedIn page enthuses about an overwhelming
In April we released Mewt , our open-source mutation-testing engine that finds the gaps in your test suite. Today we’re expanding it with support for DAML, the language Canton Network applications are written in. Mewt now reads DAML, generates several classes of mutants (including two built for DAML’s authorization primitives), and runs them through your existing test suite to count how many mutants survive. If you want to try it, simply install Mewt from the repository , point a mewt.toml at your project and its test command, and use mewt run . For a team shipping DAML to production, that count is what a passing test run is actually worth: it puts a number on how much your suite checks, whereas a green run on its own does not. Why DAML’s coverage reports lie Test coverage is the most reassuring lie in smart-contract development. Hitting 100% line coverage tells you the test runner walked the code; it does not tell you whether any test would fail if that code stopped doing what it is supposed to. We have been grading test harnesses by how many mutants they kill since at least 2019 , and our primer on finding the bugs your tests don’t catch shows how a green suite can still miss the bug that matters. DAML’s built-in coverage measures execution at the template and choice level: which templates were created and which choices were exercised over the test run. It reports whether each ch
Scammers are hijacking government websites to upload ads for “leaked” OnlyFans content. Thousands of copyright complaints from adult creators are helping people avoid malicious links.
Burst water mains. Evacuated hospitals. In a closed-door simulation, insurers played out their response to a mass disruption by China’s Volt Typhoon hackers—and found a nightmare scenario.
Your client is no longer just buying your security advice. They’re auditing whether you live by it. That was a clear message from my exclusive interview with Heather MacDonald Alford, an MSP finance specialist and owner of Counting Creators. Heather’s exactly the kind of customer MSPs should be paying attention to. She’s informed, commercially minded, and willing to challenge vendors to […] The post Cyber-Aware Customers Are Raising the Bar for MSPs and Other Vendors appeared first on Heimdal Security Blog .
Datadog Security Research has tracked multiple coordinated campaigns enumerating GitHub organizations, repositories, and users through the public GitHub API, abusing leaked access tokens, and cloning private repositories.