Microsoft has disclosed details of a large-scale credential theft campaign that has leveraged a combination of code of conduct-themed lures and legitimate email services to direct users to attacker-controlled domains and steal authentication tokens. The multi-stage campaign, observed between April 14 and 16, 2026, targeted more than 35,000 users across over 13,000 organizations in 26 countries,
Cybersecurity News and Vulnerability Aggregator
Cybersecurity news aggregator
Updated: 8:41 pm
J/K Navigate / Search S Save V Open Link
— or
treemd <(curl -sL https://allsec.sh/md) (as Markdown) Top Cybersecurity Stories Today
While the software industry has made genuine strides over the past few decades to deliver products securely, the furious pace of AI adoption is putting that progress at risk. Businesses are moving fast to self-host LLM infrastructure, drawn by the promise of AI as a force multiplier and the pressure to deliver more value faster. But speed is coming at the expense of security. In the wake of the
Progress Software has released updates to address two security flaws in MOVEit Automation, including a critical bug that could result in an authentication bypass. MOVEit Automation (formerly Central) is a secure, server-based managed file transfer (MFT) solution used to schedule and automate file movement workflows in enterprise environments without requiring any custom scripts. The
Hackers trojanized installers for the DAEMON Tools software and since April 8, delivered a backdoor to thousands of systems that downloaded the product from the official website. [...]
Researchers dropped a reliable root exploit and it didn’t sit idle for long CISA is warning that a newly-disclosed Linux kernel bug dubbed "CopyFail" is already being exploited, just days after researchers dropped a working root-level exploit.…
Latest
Tuesday, May 5
Hi, I have this project which has many tools: a QR code recorder with analytics, a link shortener, and more. But I’m focusing here on the Security Scanner. All the tools in the project are free to use, with no ads at all. Of course, these tools can’t be improved without everyone trying them and sharing feedback, suggestions, or complaints so I can improve them more and more. One of its features is generating a PDF report, and it also has three layers of security scanning. The deep scan is powerful—it takes time, but I believe it is effective. Again, I would love for you to visit and use my tools. Welcome!
In this blog post I introduced several novel techniques: 1.How to get all routes - no need to authenticate. 2. How to get methods to fuzz from pages and not just the bootstrap JS files - the vast majority of methods are in those pages and not the JS files that existing tools and guides point to. 3. How to parse "LWC" components and not just legacy components.
Hackers trojanized installers for the DAEMON Tools software and since April 8, delivered a backdoor to thousands of systems that downloaded the product from the official website. [...]
This is a bit of a long shot, but I figured if anyone would remember, it’d be Reddit. Back in the early 2000s (I’m thinking \~2001–2004), I used to spend time on a site called **areyoufearless.com**. It was one of those raw, early hacker / defacement-era forums — tutorials, tools, crews, all that chaotic energy before everything got locked down or went private. There was also a thing around that time about someone called **Gobo** getting arrested — I distinctly remember people talking about it and even **“Free Gobo” t-shirts** being made and shared around the scene. I’ve tried digging recently and there’s basically nothing left: * Wayback has barely anything useful * No clear records of the forum * No mention of Gobo or what actually happened It feels like that whole layer of the internet just… evaporated. So: * Does anyone else remember **areyoufearless**? * [https://web.archive.org/web/20040607071642/http://www.areyoufearless.com/](https://web.archive.org/web/20040607071642/http://www.areyoufearless.com/) * Any memories of **Nuclear Winter Crew** or similar groups from that site? * And does anyone know what actually happened to **Gobo**? * Found the handles of some of the owners; * [Ghirai](https://web.archive.org/web/20040607071642/http://ghirai.areyoufearless.com/) [triforce](https://web.archive.org/web/20040607071642/http://triforce.areyoufearless.com/) [Read101](https://web.archive.org/web/20040607071642/http://read101.areyoufearless.com/) [tataye](https://web.archive.org/web/20040607071642/http://tataye.areyoufearless.com/) Not looking for anything dodgy — just curious nostalgia from my teens and wondering if anyone else was there / remembers it. Cheers!
Hi guys, I send out a weekly newsletter with the latest cybersecurity vendor reports and research, and thought you might find it useful, so sharing it here. All the reports and research below were published between April 27th - May 3rd. You can get the below into your inbox every week if you want: [https://www.cybersecstats.com/cybersecstatsnewsletter/](https://www.cybersecstats.com/cybersecstatsnewsletter/) # Big Picture Reports **2026 Global Threat Landscape Report (Fortinet)** The 2025 threat trends that Fortinet thinks you need to know about. **Key stats:** * Time-to-exploit is 24 to 48 hours for critical outbreaks, compared to 4.76 days previously. * There were 7,831 confirmed ransomware victims globally, a 389% year-over-year increase from approximately 1,600 victims previously. * Global exploitation attempts increased 25.49% year-over-year. *Read the full report* [*here*](https://www.cybersecstats.com/r/c94c196d?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* **Phishing Trends Threat Report (KnowBe4)** Another source of data that confirms what we have heard before: that attackers are using AI in their phishing campaigns. Interestingly, they’re also getting more creative with calendar invites and Teams-based lures. **Key stats:** * In the last six months, 86% of phishing attacks were AI-driven. * Calendar invite phishing increased by 49%. * Internal team impersonation was present in 30% of phishing attacks by threat actors in Q1 2026. *Read the full report* [*here*](https://www.cybersecstats.com/r/5eea4ac3?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* **The State of Assumed Security (Horizon3.ai)** Two almost comical data points that could be summed up as “CISOs are wildly confident in tools they barely ever test.” **Key stats:** * 97% of CISOs say they are confident their endpoint protection would detect attacker behavior. * 12% of CISOs report testing their endpoint protection detection capability within the last three months. * 30% of organizations patch and then test to confirm that risk has been remediated. *Read the full report* [*here*](https://www.cybersecstats.com/r/ade1f886?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* **2026 Bad Bot Report: Bad Bots in the Agentic Age (Thales)** Bots now make up more of the internet than humans do, and they're going straight after APIs to bypass user-facing defenses. **Key stats:** * In 2025, AI-driven bot attacks surged 12.5x compared to the previous year. * In 2025, bots made up more than 53% of all web traffic, up from 51% the previous year, while human activity fell to 47%. * 27% of bot attacks targeted APIs, allowing bots to bypass user interfaces and interact directly with backend systems at machine speed. *Read the full report* [*here*](https://www.cybersecstats.com/r/9573474f?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* # AI **Why AI & Automation in SecOps Aren't Delivering What Leaders Think (Swimlane)** The C-suite thinks AI is awesome for security operations. The managers actually working with it disagree (by a lot). **Key stats:** * 87% of enterprises have deployed AI and automation in security operations simultaneously. * 67% of C-suite leaders report being very confident in AI's outputs. * 21% of managers report being very confident in AI's outputs. *Read the full report* [*here*](https://www.cybersecstats.com/r/dd32d316?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* **The Cyber Defense Benchmark: Why Every Frontier LLM Failed (Simbian)** The frontier models did not do well here. The best one still missed over half the attack evidence, and the cost difference between them was pretty wild. **Key stats:** * Anthropic Claude Opus 4.6 detected an average of 46% of attack evidence per MITRE tactic. * Anthropic Opus 4.6 found three times more attack flags than Google Gemini 3 Flash in the benchmark. * Anthropic Opus 4.6 incurred roughly 100 times the detection cost of Google Gemini 3 Flash in the benchmark. *Read the full report* [*here*](https://www.cybersecstats.com/r/e447b9bf?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* **Leading Your Workforce to Triumph With AI (Lenovo)** Pretty much everyone's using AI at work every week, most people aren't telling IT about it, and IT leaders are kind of freaking out about what that means for risk. **Key stats:** * More than 70% of employees worldwide use AI on a weekly basis. * Up to one-third of employees operate beyond IT oversight when using AI. * Only 31% of IT leaders feel confident in their ability to manage cybersecurity risks linked to AI. *Read the full report* [*here*](https://www.cybersecstats.com/r/deea2a93?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* # Consumer AI **Global Study: 73% of Shoppers Using AI in Shopping Journey (Riskified)** Consumers are happy to use AI to shop, but they're not handing over the credit card just yet, and a lot of them are worried about what AI means for fraud risk. **Key stats:** * In Q4 2025, 73% of consumers reported using AI at some point in their shopping journey. * 55.0% of consumers are not comfortable with AI agents making purchases on their behalf. * 53.9% believe AI could increase the risk of online fraud. *Read the full report* [*here*](https://www.cybersecstats.com/r/af10c197?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* # Identity Security **2026 Trends in Identity Attack Path Management (SpecterOps)** Identity attack path management has moved out of the experimentation phase. Adoption is up sharply year over year, and so is spending. **Key stats:** * 35% of organizations have fully implemented an identity-based Attack Path Management solution, up from 21% in 2025. * 75% of organizations report increased identity security spending. * 46% say improving attack path visibility and privilege relationships is a top cybersecurity priority over the next 12 months. *Read the full report* [*here*](https://www.cybersecstats.com/r/1f1d4d2e?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* # IT Security Workforce **Cyberthreat Defense Report (CyberEdge Group)** Security teams expect AI to replace a lot of their jobs. **Key stats:** * 80% of IT security professionals believe AI will significantly reduce the number of people required to perform their current roles. * Among those who expect AI to reduce required headcount, 46% expect this shift to occur within the next two years. * 97% of IT security hiring managers are actively seeking candidates with at least one AI-related skill. *Read the full report* [*here*](https://www.cybersecstats.com/r/327961eb?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* # Fraud **The State of Mule Account Handovers in 2026 (Incognia)** Mule account fraud is growing fast, with financial institutions saying it's tougher to detect than other fraud. **Key stats:** * 81% of fraud prevention, risk, and compliance professionals report an increase in mule-related activity over the past year. * More than 80% report that mule activity is detected reactively rather than prevented before suspicious transactions occur. * 78% of financial institutions make improving mule account detection a high or top priority over the next 12 months. *Read the full report* [*here*](https://www.cybersecstats.com/r/86edcf28?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* **2026 Fraud Insights U.S. Payments Edition (NICE Actimize)** Fraudsters are more strategic about which payment types they go after, and the usual ways of catching them aren't really working. **Key stats:** * Attempted ACH fraud value increased 52% in 2025. * Total ACH payment value increased 11%, creating a nearly 5-to-1 divergence. * A single low-cost device model drove 3% of all mobile account takeover attempts. *Read the full report* [*here*](https://www.cybersecstats.com/r/91352558?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* **Reported losses to scams on social media eight times higher than in 2020 (FTC)** A good reminder to be careful on social media. **Key stats:** * Reported losses for social media scams reached $2.1 billion in 2025, about eight times the 2020 figure. * In 2025, nearly 30% of people who reported losing money to a scam said it started on social media. * $1.1 billion, more than half the money reported lost to scams initiated on social media, was to investment scammers. *Read the full report* [*here*](https://www.cybersecstats.com/r/23e8da28?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* # SMB Security **2026 State of MSP Threat Report (Guardz)** Almost every SMB has compromised users at any given time, and BEC losses are way up. **Key stats:** * 89% of monitored SMBs have at least one user with confirmed credential compromise at any given time. * 31% of users in monitored SMB environments are exposed to compromised passwords each month. * Remote monitoring and management tool abuse accounted for 26% of all detections in monitored SMB environments. *Read the full report* [*here*](https://www.cybersecstats.com/r/5d747c13?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* # Enterprise Perspective **Bridging the Readiness Gap to the Agentic Enterprise (Hyland)** Organizations agree they need connected data for AI, but almost nobody actually has it yet. **Key stats:** * 94% of organizations say well-connected data, processes, and applications are highly important to successful AI adoption. * 27% of organizations say data, processes, and applications are well connected in their organization today. * 65% say their structured data is somewhat or fully prepared for AI use. *Read the full report* [*here*](https://www.cybersecstats.com/r/4ac2d497?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* **2026 State of Security in Business-Built Applications and AI Agents Survey (Nokod)** Citizen developers now massively outnumber professional ones, and security teams basically can't see most of what they're building. **Key stats:** * On average, there are 4 business builders for every professional software developer in enterprises. * Over 80% of security teams at enterprises lack full visibility into the applications and AI agents created by business users. * Enterprises can track only 44% of the AI tools handling sensitive company and user data. *Read the full report* [*here*](https://www.cybersecstats.com/r/a81ef494?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* # Industry-Specific **The State of Cybersecurity In Manufacturing (Resilience)** Manufacturing was the favorite ransomware target of 2025, and it's not even close. **Key stats:** * The manufacturing sector experienced a 61% year-over-year surge in ransomware attacks in 2025, the sharpest growth of any industry. * Manufacturing accounted for more than one in four of all global cyberattacks in 2025. * Ransomware accounted for about 90% of total incurred losses in Resilience's manufacturing insurance portfolio over the past five years. *Read the full report* [*here*](https://www.cybersecstats.com/r/75dbdb1e?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* **Microsegmentation Has Matured: Has Your Architecture Kept Up? (Elisity & Omdia)** Healthcare and manufacturing organizations agree on the need for microsegmentation, they just haven't actually finished doing it. **Key stats:** * 99% of healthcare and manufacturing organizations are implementing or planning microsegmentation. * Over 90% of healthcare and manufacturing organizations have protected fewer than 80% of their critical systems. * 57% rank microsegmentation as their top initiative to stop lateral movement. *Read the full report* [*here*](https://www.cybersecstats.com/r/99bb962c?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* **2026 Medical Device Cybersecurity Index (RunSafe)** Healthcare is still running medical devices with known unpatched vulnerabilities, and when those devices get attacked, it usually disrupts patient care. **Key stats:** * 24% of healthcare organizations report cyberattacks or exploited vulnerabilities involving medical devices. * 80% of cyber incidents involving medical devices cause moderate or significant disruption to patient care. * 44% of healthcare organizations use medical devices with known, unpatched vulnerabilities. *Read the full report* [*here*](https://www.cybersecstats.com/r/1fd46869?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* **2026 NASCIO-Deloitte Cybersecurity Study (Deloitte)** State CISOs are feeling much less confident than they were a few years ago, and budgets are getting cut for the first time in a while. **Key stats:** * Only 26% of state CISOs are extremely or very confident that their state's information assets are protected from cyber threats, down from 48% in 2022. * 63% describe themselves as not very confident in the ability of local government and public higher education to secure public data, up from 35% in 2022. * 16% of state CISOs report their budgets have been cut, up from none in 2024. *Read the full report* [*here*](https://www.cybersecstats.com/r/8c36e6d0?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.* # Regional Spotlight **Cyber security breaches survey 2025/2026 (Department for Science, Innovation & Technology)** The UK cybersecurity and breach landscape. **Key stats:** * 43% of businesses and 28% of charities reported having experienced any kind of cyber security breach or attack in the last 12 months. * Phishing attacks remained the most prevalent type of breach or attack by far, experienced by 38% of businesses and 25% of charities. * Among those who experienced a breach or attack, the proportion experiencing phishing attacks only increased among both businesses (from 45% last year to 51% this year) and charities (from 46% last year to 57% this year). *Read the full report* [*here*](https://www.cybersecstats.com/r/321ccad2?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*
A 23-year-old university student in Taiwan was arrested for interfering with the TETRA communication system used by the country's high-speed railway network (THSR). [...]
If you are tracking Iranian-nexus activity in the Middle East, this one is worth your time. [Hunt.io](https://hunt.io)'s AttackCapture flagged an open directory on a UAE-hosted VPS that turned out to be a full active C2 environment tied to an intrusion against Oman's government. Toolkit, session logs, and exfiltrated data all exposed. * 12 ministries targeted, 26,000+ citizen records pulled from the Ministry of Justice along with judicial case data and SAM/SYSTEM registry hives * Custom ASPX webshells, six-version Python C2, GodPotato privilege escalation, Chisel tunneling, 50+ exploitation scripts covering ProxyShell, DNN SSRF, and national ID IDOR vulnerabilities * TTPs overlap with known MOIS-linked clusters, full analysis in the post Full post and IOCs: [https://hunt.io/blog/iranian-nexus-oman-government-intrusion](https://hunt.io/blog/iranian-nexus-oman-government-intrusion)
The Apache Software Foundation (ASF) has released security updates to address several security vulnerabilities in the HTTP Server, including a severe vulnerability that could potentially lead to remote code execution (RCE). The vulnerability, tracked as CVE-2026-23918 (CVSS score: 8.8), has been described as a case of "double free and possible RCE" in the HTTP/2 protocol handling. This issue
Open-source scanner for MCP servers and skill files : attack chain detection and server-card scanning
If you are running MCP servers or loading skill files into your agents, you might want to run this before connecting. Bawbel Scanner v1.1.0 scans MCP server manifests, SKILL.md files, and system prompts for known attack patterns mapped to 45 published vulnerability records. The two things most relevant to local LLM setups: bawbel ssc fetches .well-known/mcp.json from any MCP server and scans the tool descriptions for injection patterns before you connect. A lot of public MCP servers have behavioral instructions embedded in tool descriptions that your agent will follow automatically. The scanner flags these before you add the server to your config. bawbel conform scores the server manifest against the MCP spec. Most servers in the wild are missing required fields, using deprecated transports, or have tool names that do not conform to the spec. The scorer gives you a grade (A+ to F) and lists exactly what to fix. Install: pip install "bawbel-scanner[all]" bawbel ssc https://your-mcp-server.com bawbel conform https://your-mcp-server.com Free threat intel API at api.piranha.bawbel.io if you want to query the full AVE records programmatically. GitHub: github.com/bawbel/bawbel-scanner
The majority of widely used AI clients like: * Claude Code * Claude Desktop * Cursor * LibreChat * Amazon Q CLI have not implemented the critical refresh-token flow of the OAuth standard. This is forcing developers to issue long lived tokens creating a serious security regression in an already solved problem. This write up includes a matrix table of 14 major clients with notes linking to feature requests, pull requests, and multiple forum discussions. It is not all gloom and doom though! There is a work-around solution that security conscious users are using as a stop-gap also discussed, along with a best practices guide for developers implementing their own MCP OAuth Solution. The plan is to update this reference on a monthly basis to track if there is any movement on this open requests.
EMBA v2.0.1 with interactive firmware dependency map available - Check it out and let us know what you are missing
Researchers dropped a reliable root exploit and it didn’t sit idle for long CISA is warning that a newly-disclosed Linux kernel bug dubbed "CopyFail" is already being exploited, just days after researchers dropped a working root-level exploit.…
The FTC will ban data broker Kochava and its subsidiary, Collective Data Solutions (CDS), from selling location data without consumers' explicit consent to settle charges alleging that it sold precise geolocation data collected from hundreds of millions of mobile devices. [...]
A sophisticated China-nexus advanced persistent threat (APT) group has been attributed to attacks targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025. The activity is being tracked by Cisco Talos under the moniker UAT-8302, with post-exploitation involving the deployment of custom-made malware families that have been put
Critical vulnerabilities can exist in open source software your scanners don't check. HeroDevs reveals how EOL software creates blind spots in CVE feeds and SCA tools, and how you can receive a free end-of-life scan for your projects. [...]
Cushman & Wakefield activated incident response protocols after serial extortionists issued separate threats Real estate giant Cushman & Wakefield has confirmed a data breach after two cybercrime groups, ShinyHunters and Qilin, separately claimed responsibility for attacks on the company.…
The ShinyHunters extortion gang stole personal information belonging to over 119,000 people after hacking the Vimeo online video platform in April, according to data breach notification service Have I Been Pwned. [...]
Topic of this article: Burp AI.
IOCX v0.7.1 — robustness update focused on malformed PEs, hostile strings, and static‑analysis hardening
Pushed a new IOCX release (v0.7.1) that’s aimed at making the engine much harder to break during static analysis. The focus was adversarial behaviour: malformed binaries, corrupted PE structures, and intentionally hostile IOC‑like strings. If you work with weird samples, tooling pipelines, or large‑scale triage, this release makes IOCX more robust under hostile conditions. **New PE structural heuristics** Six new checks added to catch structural anomalies without blowing up the parser: * overlapping/misaligned sections * inconsistent optional headers (PE32 & PE32+) * broken entrypoint mappings * corrupted data directories * malformed import tables * general PE layout inconsistencies These aren’t detections — they’re deterministic, reason‑coded structural signals to keep analysis stable. **Expanded adversarial PE corpus** Added a full suite of malformed and corrupted PEs, including: * broken RVAs / invalid addressing * truncated Rich headers * fake UPX names + packed‑lookalikes * PE32/PE32+ hybrids * “franken‑PEs” combining multiple faults All outputs are snapshot‑validated to guarantee deterministic behaviour. **Adversarial coverage across all IOC categories** New hostile string fixtures now stress every extractor: * homoglyph + mixed‑script domains * malformed URLs and schemes * broken IPv4/IPv6 * noisy or near‑miss hashes * invalid Base64 * adversarial crypto strings (incl. Base58Check) * long/invalid Windows paths * malformed emails The goal: keep extraction predictable even when the input is intentionally messy. **Parser & extractor hardening** * stable on malformed PE structures * structured, JSON‑safe error metadata * improved domain/URL/crypto/hash extractors * deterministic output across platforms **Links** GitHub: [https://github.com/iocx-dev/iocx](https://github.com/iocx-dev/iocx) PyPI: [https://pypi.org/project/iocx/](https://pypi.org/project/iocx/) **Example** `pip install iocx` `iocx suspicious.exe -a full` If you’re doing malware triage, static analysis, or building automated pipelines that need predictable IOC extraction, v0.7.1 should be a noticeable stability bump. Happy to discuss edge cases or weird samples people want covered next.
Every AI tool, workflow automation, and productivity app your employees connected to Google or Microsoft this year left something behind: a persistent OAuth token with no expiration date, no automatic cleanup, and in most organizations, no one watching it. Your perimeter controls don't see it. Your MFA doesn't stop it. And when an attacker gets hold of one, they don't need a password. OAuth
Threat actors are actively exploiting a critical security flaw impacting an open-source content management system (CMS) known as MetInfo, according to new findings from VulnCheck. The vulnerability in question is CVE-2026-29014 (CVSS score: 9.8), a code injection flaw that could result in arbitrary code execution. "MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code
Victims losing £280K a day to fake profiles and sob stories Romance fraudsters scammed Britons out of £102 million ($138 million) last year, according to the latest police figures.…
Google overhauls its Android and Chrome vulnerability rewards programs, offering bounties of up to $1.5 million for the most difficult exploits while scaling back payouts for flaws that artificial intelligence (AI) has made easier to find. [...]
We recently added a C/C++ security checklist to the Testing Handbook and challenged readers to spot the bugs in two code samples : a deceptively simple Linux ping program and a Windows driver registry handler. If you found the inet_ntoa global buffer gotcha or the missing RTL_QUERY_REGISTRY_TYPECHECK flag, nice work. If not, here’s a full walkthrough of both challenges, plus a deep dive into how the Windows registry type confusion escalates from a local denial of service to a kernel write primitive. Since we first released the new C/C++ security checklist, we also developed a new Claude skill, c-review . It turns the checklist into bug-finding prompts that an LLM can run against a codebase. It’s also platform and threat-model aware. Run these commands to install the skill: claude skills add-marketplace https://github.com/trailofbits/skills claude skills enable c-review --marketplace trailofbits/skills The Linux ping program challenge The Linux warmup challenge we showed you in the last blog post has an obvious command injection issue. #include <stdio.h> #include <s
While the software industry has made genuine strides over the past few decades to deliver products securely, the furious pace of AI adoption is putting that progress at risk. Businesses are moving fast to self-host LLM infrastructure, drawn by the promise of AI as a force multiplier and the pressure to deliver more value faster. But speed is coming at the expense of security. In the wake of the
A Latvian national extradited to the United States was sentenced to 8.5 years in prison for his "cold case" negotiator role in the Russian Karakurt ransomware group. [...]
A new version of the CloudZ remote access tool (RAT) is deploying a previously unseen malicious plugin called Pheno that hijacks the Microsoft Phone Link connection to steal sensitive codes from mobile devices. [...]
Healthcare giant's maintainers handed May deadline to enact the change The UK's National Health Service (NHS) is ordering all of its technology leaders to temporarily wall off the organization's open source projects over concerns relating to advanced AI and Anthropic's Mythos.…
I built a 100% browser-only EXIF viewer + metadata remover + image-forensics lab — no upload, no account, free
I've been working on this for the last few months and just wanted to share. It's a free browser-based tool for inspecting and removing metadata from photos, videos, audio, PDFs and Office documents — and it has a small image-forensics lab built in. Live: [https://midgardmud.de/tools/exif/](https://midgardmud.de/tools/exif/) Why I built it: every other "EXIF remover" online asks you to upload your private files to a server. That's the opposite of privacy. So I wrote one that runs 100% in the browser via the File API — your file never leaves your device. F12 → Network tab → drop a 50 MB photo → you'll see zero outbound requests. What it does: • Strips metadata from JPG/PNG/WebP/GIF/HEIC/TIFF, MP4/MOV/MKV/WebM/AVI, MP3/FLAC/OGG/WAV, PDF, DOCX/XLSX/PPTX • Privacy Risk Score 0–100 with per-file breakdown so you see what's actually leaking • 4 one-click privacy profiles (Anonymous / Social-safe / Keep camera / GPS-only) • Forensics: ELA, JPEG-Ghost re-save heatmap, DQT compression fingerprint, Noise + CFA/Bayer pattern (defensible alternative to AI-image detectors), Copy-Move clone detection, embedded-thumbnail audit, RGB histogram, hex viewer, structure inspector • SHA-256 + perceptual hash (pHash) per file • ExifTool-compatible JSON export • Per-tag EXIF editor + GPS spoofing for JPEG • C2PA self-signed Content Credentials • Works fully offline as a PWA after first visit • 19 languages Stack: vanilla JS, no framework, no build step, \~12k lines. libheif WASM lazy-loaded for HEIC. Web Worker for big videos so the UI stays responsive. Happy to answer anything about how the parsers work, why I avoided React, or how the JPEG-Ghost / Copy-Move detection is implemented. Feedback very welcome.
The North Korea-aligned state-sponsored hacking group known as ScarCruft has compromised a video game platform in a supply chain espionage attack, trojanizing its components with a backdoor called BirdCallto likely target ethnic Koreans residing in China. While prior versions of the backdoor have primarily targeted Windows users only, the supply chain attack is assessed to have enabled the
A critical security vulnerability in Weaver (Fanwei) E-cology, an enterprise office automation (OA) and collaboration platform, has come under active exploitation in the wild. The vulnerability (CVE-2026-22679, CVSS score: 9.8) relates to a case of unauthenticated remote code execution affecting Weaver E-cology 10.0 versions prior to 20260312. The issue resides in the "/papi/esearch/data/devops/
Microsoft has disclosed details of a large-scale credential theft campaign that has leveraged a combination of code of conduct-themed lures and legitimate email services to direct users to attacker-controlled domains and steal authentication tokens. The multi-stage campaign, observed between April 14 and 16, 2026, targeted more than 35,000 users across over 13,000 organizations in 26 countries,
Quick note from a scanning project I've been running. We hit 6,000 web apps with a payment-bypass probe last week, sending a minimal fake \`checkout.session.completed\` event to common webhook paths (\`/api/webhook/stripe\`, \`/api/payments/webhook\`, etc.) without a \`Stripe-Signature\` header. 1,542 returned 200. That means anyone with curl can fire a forged Stripe event at those endpoints and the server processes it as legitimate. Depending on what the handler does with it, the consequences range from "logs a fake event" to "marks attacker's account as paid" to "creates a confirmed order with no payment". The split was roughly: * Custom domains (real production SaaS): \~720 * Render: 198 * Vercel: 142 * Replit: 121 * Railway, Fly, Heroku, others: \~360 Why so many? The Stripe library makes signature verification a one-liner. Every framework has the canonical example. But the dev journey usually goes: build the route locally with a stub handler that just \`console.log\`s the event body, get the upgrade-the-user logic working, leave signature verification on the TODO, ship. Six months later nobody remembers it was ever a TODO. The fix in Express: `\`\`\`js` `app.post('/api/webhook/stripe',` `express.raw({type: 'application/json'}),` `(req, res) => {` `const sig = req.headers['stripe-signature'];` `let event;` `try {` `event = stripe.webhooks.constructEvent(` `req.body, sig, process.env.STRIPE_WEBHOOK_SECRET);` `} catch (err) {` `return res.status(400).send(\`Webhook Error: ${err.message}\`); }` `// proceed with event` `res.json({received: true});` `});` `\`\`\`` The trap: \`express.json()\` globally parses the body before your handler sees it, leaving Stripe's library to compute the signature against parsed-then-stringified JSON, which never matches. Use \`express.raw()\` specifically on the webhook route, before any global JSON parser. FastAPI / Python: read \`await request.body()\` directly, not \`request.json()\`. Same idea. Caveats: a 200 response doesn't prove the app actually grants the attacker something. Some endpoints log every webhook for analytics and return 200 regardless. The 1,542 number is "endpoints accepting unsigned events", not "definitely exploitable". But the misconfiguration is real on its own. Full writeup with the methodology and platform-by-platform breakdown: [https://securityscanner.dev/blog/stripe-webhook-signature-bypass-1500-apps](https://securityscanner.dev/blog/stripe-webhook-signature-bypass-1500-apps) Curious if anyone here has shipped a Stripe webhook recently and can double-check theirs.
Vendors all use different formats. This tech translates them all so you can smooth your SOC Academics from Singapore and China have found a way to make AI useful for cyber-defenders, by creating a technique that translates rules from diverse Security Information and Event Managements (SIEMs) so they’re easier to consume across multiple systems.…
Monday, May 4
The Model We’ve Relied on Is Starting to Break Over the past 20 years, I’ve seen the threat landscape evolve from opportunistic attackers, to organized cybercrime, to nation-state campaigns. Each shift forced security teams to adapt. What’s happening right now is different. AI models coming out of Anthropic, OpenAI, Google, and X are rewriting the […] The post Sara AI Pentesting Is Now Generally Available: The Model Is Changing appeared first on Synack .
46% say age checks are easy to bypass, and nearly a third admit getting around them It’s been months since the UK government began requiring stronger age checks under the Online Safety Act, and recent research suggests those measures are falling short of keeping kids away from harmful content. In some cases, even drawing on a mustache has been reported as enough to fool age detection software.…
The Amazon Simple Email Service (SES) is being increasingly abused, a cybersecurity company's telemetry data shows, to send convincing phishing emails that can bypass standard security filters and render reputation-based blocks ineffective. [...]
A malicious version of the PyTorch Lightning package published on the Python Package Index (PyPI) delivers a credential-stealing payload targeting browsers, environment files, and cloud services. [...]
Key Takeaways Over the past year, the conversation in security has changed faster than most programs have. AI is compressing attacker timelines. Environments are changing daily rather than quarterly. And the model most enterprises still rely on to validate security—periodic penetration testing—is starting to break under the weight of both. The real question isn’t whether […] The post The Shift to Continuous Security Validation: Why Detection Is No Longer Enough appeared first on Synack .
Progress Software has released updates to address two security flaws in MOVEit Automation, including a critical bug that could result in an authentication bypass. MOVEit Automation (formerly Central) is a secure, server-based managed file transfer (MFT) solution used to schedule and automate file movement workflows in enterprise environments without requiring any custom scripts. The
Cybersecurity firm Trellix disclosed a data breach after attackers gained access to "a portion" of its source code repository. [...]
A law firm instructed my first forensic analysis of an LLM system, I've written up some of my methodology
I have worked for about 10 years in cybersecurity, mostly in Incident Response, but I've done a fair bit of forensic work and expert witness cases within that. A year ago I left my old firm to go down the independent consultancy route, and still trying to figure out exactly what I'm doing. A couple months ago a law firm I used to work with reached out recently. Short story is that an LLM agent made a mistake for their client which became litigious. The client firm claimed they had addressed the original issue, but the law firm requested an expert opinion on: a) the root causes of the original issue b) an assessment on whether this could re-occur / validation of the fix This might not fall strictly within the confines of "computerforensics", so apologies if it's slightly off topic. But I figured there could be some practitioners here who might be interested in the methodology. I basically used three techniques to model the differences in generated output between the "bad" model and the fixed "good" model, then commented on the deviations. I don't think this is a huge market right now. But I do see that there are insurance companies starting to underwrite AI risk, so it's possible we could be seeing more of this work over the next few years. I've written up my full approach here: [https://www.analystengine.io/insights/how-to-forensically-analyse-llm-alignment-drift-and-hallucination](https://www.analystengine.io/insights/how-to-forensically-analyse-llm-alignment-drift-and-hallucination) Would be really interested to hear if anyone is doing any similar work lately.
'If you don't have visibility, you can't understand what to protect' When it comes to securing enterprise supply chains, now heavily infused with AI applications and agents, a software bill of materials (SBOM) no longer provides a complete inventory of all the components in the environment. Enter AI-BOMs.…
This week, the shadows moved faster than the patches. While most teams were still triaging last month’s alerts, attackers had already turned control panels into kill switches, kernels into open doors, and open-source pipelines into silent delivery systems. The game has shifted from breach to occupation. They’re living inside SaaS sessions, pushing code with trusted commits, and scaling
Fraudsters aren't hacking credit unions, they are exploiting normal business processes. Flare reveals how structured loan fraud methods use stolen identities to pass verification and secure funds. [...]
On December 4, 2025, a 17-year-old was arrested in Osaka under Japan’s Unauthorized Access Prohibition Act. The young man had run malicious code to extract the personal data of over 7 million users of Kaikatsu Club, Japan's largest internet cafe chain. When asked, the young man shared his motivation for the hack: he wanted to buy Pokémon cards. In a sense, this is a fairly conventional story.
The China-based cybercrime group known as Silver Fox (aka Monarch, SwimSnake, The Great Thief of Valley, UTG-Q-1000, and Void Arachne) has been linked to a new campaign targeting organizations in Russia and India with a new malware called ABCDoor. The activity involved using phishing emails that mimic correspondence from the Income Tax Department of India in December 2025, followed by a similar
VanGuard — open-source single-binary DFIR toolkit (Velociraptor, Hayabusa, Chainsaw, Loki, YARA) with TUI, air-gap support, and 28 pre-built use cases
We just open-sourced **VanGuard** — a self-contained IR toolkit that bundles Velociraptor, Hayabusa, Chainsaw, Loki, and YARA into a single binary with a terminal UI. Built it because we were tired of the 45-minute tooling setup at the start of every engagement. Download KAPE, remember the flags, set up Velociraptor, manually hash evidence, and track the chain of custody in a spreadsheet. What it does: * Quick triage (20+ Windows, 15+ Linux artifact categories using native commands) * Velociraptor server lifecycle + agent deployment from the TUI * Threat hunting with Hayabusa, Chainsaw, Loki, YARA + live anomaly detection * Memory capture + Volatility 3 analysis * 28 pre-built use cases (ransomware, BEC, credential theft, lateral movement, rootkits) with MITRE ATT&CK mapping * Evidence dual-hashed (MD5 + SHA256), HMAC chain of custody * Runs from USB, works fully offline Cross-platform (Windows + Linux), Apache 2.0, no dependencies. GitHub: [https://github.com/ridgelinecyberdefence/vanguard](https://github.com/ridgelinecyberdefence/vanguard) It's provided as-is — every environment is different, especially with remote ops (WinRM/SSH auth varies by config). Test in a lab first. Issues and suggestions welcome on GitHub.
Even limited voter rolls can be linked to identify people, research shows Your voter data could be used against you. A foreign intelligence service that wished to identify the family members of deployed military personnel could do so by cross-referencing public voter record data and social media posts.…
To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.
A coordinated international operation involving U.S. and Chinese authorities has arrested at least 276 suspects and shut down nine scam centers used for cryptocurrency investment fraud schemes targeting Americans, resulting in millions of dollars in losses. The crackdown was led by the Dubai Police, under the United Arab Emirates (UAE) Ministry of Interior, in partnership with the U.S. Federal
Prioritize resilience over productivity, say CISA, NCSC and their friends from Oz, NZ, Canada Information security agencies from the nations of the Five Eyes security alliance have co-authored guidance on the use of agentic AI that warns the technology will likely misbehave and amplifies organizations’ existing frailties, and therefore recommend slow and careful adoption of the tech.…
Sunday, May 3
Acoustic Keystroke Recovery - Reconstructing Typed Text from a Laptop Microphone (Full Guide, 85% success rate)
Around 85% success rate of keystroke recovery with our script :)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a recently disclosed security flaw impacting various Linux distributions to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerability, tracked as CVE-2026-31431 (CVSS score: 7.8), is a case of local privilege escalation (LPE) flaw that could allow an
Saturday, May 2
*As one tends to do on Saturday mornings with coffee in hand, I was reviewing two samples that were attributed to the LunaStealer / LunaGrabber family. Originally I was validating that* `tiquery` *was working with the MCP configuration, however what started as a quick TI check turned into a full static analysis session — and it gave me a good opportunity to put the MalChela MCP integration through its paces in a real workflow. This post walks through how that investigation unfolded, what the pivot points were, and what we found at the bottom of the rabbit hole.*
Plus: The NSA tests Anthropic’s Mythos Preview to find vulnerabilities, a Finnish teen is charged over the Scattered Spider hacking spree, and more.
Britain's cyber agency says the bill for years of technical shortcuts is coming due, and it's arriving all at once Britain's cyber agency is warning that AI-fuelled bug hunting is about to flush out years of buried flaws, leaving defenders scrambling to keep up.…
Friday, May 1
For vulnerability research, smaller models run repeatedly can outperform larger frontier models on cost-to-recall.
TL;DR: If a large model finds a 0-day with 90% probability, and a small model with 50% probability, but the small model costs 10x less, it is better to use the small model. We compared the cost and recall of various models in finding real, recent zero-days and found that for most applications, smaller models run repeatedly can significantly outperform larger frontier models on cost-to-recall. Disclaimer: I'm involved with Hacktron, the company that produced this research. This is a factual presentation of our benchmarks, which we hope the community can use to make informed decisions about models like Mythos.
Over the past two and a bit quarters, we've undertaken an intensive engineering effort, internally code-named " Code Orange: Fail Small ", focused on making Cloudflare's infrastructure more resilient, secure, and reliable for every customer. Earlier this month, the Cloudflare team finished this work. While improving resiliency will never be a “job done” and will always be a top priority across our development lifecycle, we have now completed the work that would have avoided the November 18, 2025 and December 5, 2025 global outages. This work focused on several key areas: safer configuration changes, reducing the impact of failure, and revising our “break glass” procedures and incident management. We also introduced measures to prevent drift and regressions over time, and strengthened the way we communicate to our customers during an outage. Here we explain in depth what we shipped, and what it means for you. Safer configuration changes What it means for you : In most cases, Cloudflare internal configuration changes no longer reach our network instantly and are instead rolled out progressively with real-time health monitoring. This allows our observability tools to catch problems and revert issues before they affect your traffic. In order to catch potentially dangerous deployments before they reach production, we've identified high-risk configuration pipelines, and built new tools to manage configuration changes better. For products that run on our network processing customer traffic and receive configuration changes, we no longer deploy these changes instantly across the
MalChela v4.0 is out. The desktop GUI is gone — replaced by a PWA you can reach from any browser on the network. Battery-powered Pi on the table, iPad in hand, no keyboard required. The field kit finally makes sense.
Cybersecurity researchers are warning of two cybercrime groups that are carrying out "rapid, high-impact attacks" operating almost within the confines of SaaS environments, while leaving minimal traces of their actions. The clusters, Cordial Spider (aka BlackFile, CL-CRI-1116, O-UNC-045, and UNC6671) and Snarky Spider (aka O-UNC-025 and UNC6661), have been attributed to high-speed data theft and
When we first launched Workers eight years ago, it was a direct-to-developers platform. Over the years, we have expanded and scaled the ecosystem so that platforms could not only build on Workers directly, but they could also enable their customers to ship code to us through many multi-tenant applications. We now see on Workers: Applications where users describe what they want, and the AI writes the implementation. Multi-tenant SaaS where every customer's business logic is, at runtime, some TypeScript the platform has never seen before. Agents that write and run their own tools. CI/CD products where every repo defines its own pipeline. Last month, when we shipped the Dynamic Workers open beta , we gave those platforms a clean primitive for the compute side: hand the Workers runtime some code at runtime, get back an isolated, sandboxed Worker, on the same machine, in single-digit milliseconds. Durable Object Facets extended the same idea to storage — each dynamically-loaded app can have its own SQLite database, spun up on demand, with the platform sitting in front, as a supervisor. Artifacts did the same for source control : a Git-native, versioned filesystem you can create by the tens of millions, one per agent, one per session, one per tenant. So, we have dynamic deployment for storage and source control. What’s next? Today, we are bridging durable execution and dynamic deployment with Dynamic Workflows . The gap between durable and dynamic execution
Altman's crew now doing the same gatekeeping it recently mocked OpenAI is lining up a limited release of its new GPT-5.5-Cyber model to a handpicked circle of "cyber defenders," just weeks after taking a swipe at Anthropic for doing almost exactly the same thing.…
313 Team tells Canonical: pay up or the packets keep coming Canonical says its web infrastructure is under attack after a pro-Iran hacktivist group instructed its members to target the open source giant.…
Start date pushed back a year, annual cost up a third, and UK's now handing out eight million passports a year The Home Office has increased the annual value and overall duration of its new passport production contract, increasing it to a total of £576 million as it starts a third round of engagement with suppliers.…
Thursday, April 30
Mini Shai-Hulud caught spreading credential-stealing malware The wave of supply chain attacks aimed at security and developer tools has washed up more victims, namely SAP and Intercom npm packages, plus the lightning PyPI package.…
One alleged cyber contractor was extradited to the US over the weekend China's "hacker-for-hire ecosystem has gotten out of control," according to Brett Leatherman, assistant director of the FBI's cyber division.…
OpenAI is rolling out Advanced Account Security for people concerned that their ChatGPT or Codex accounts could be potential targets of phishing attacks.
This CVSS 10.0 RCE vuln has been patched, automatically for some, so better check those workflows If you use Gemini CLI, watch out: Google has patched a CVSS 10.0 vulnerability in its command-line AI tool and is warning anyone running it in headless mode, or through GitHub Actions, to review their workflows.…
A Brazilian tech firm that specializes in protecting networks from distributed denial-of-service (DDoS) attacks has been enabling a botnet responsible for an extended campaign of massive DDoS attacks against other network operators in Brazil, KrebsOnSecurity has learned. The firm’s chief executive says the malicious activity resulted from a security breach and was likely the work of a competitor trying to tarnish his company’s public image. An Archer AX21 router from TP-Link. Image: tp-link.com. For the past several years, security experts have tracked a series of massive DDoS attacks originating from Brazil and solely targeting Brazilian ISPs. Until recently, it was less than clear who or what was behind these digital sieges. That changed earlier this month when a trusted source who asked to remain anonymous shared a curious file archive that was exposed in an open directory online. The exposed archive contained several Portuguese-language malicious programs written in Python. It also included the private SSH authentication keys belonging to the CEO of Huge Networks , a Brazilian ISP that primarily offers DDoS protection to other Brazilian network operators. Founded in Miami, Fla. in 2014, Huge Networks’s operations are centered in Brazil. The company originated from protecting game servers against DDoS attacks and evolved into an ISP-focused DDoS mitigation provider. It does not appear in any public abuse complaints and is not associated with any known
Coding agents are great at building software. But to deploy to production they need three things from the cloud they want to host their app — an account, a way to pay, and an API token. Until now these have been tasks that humans handle directly. Increasingly, agents handle them on the user’s behalf. The agent needs to perform all the tasks a human customer can. They’re given higher-order problems to solve and choose to use Cloudflare and call Cloudflare APIs. Starting today, agents can provision Cloudflare on behalf of their users. They can create a Cloudflare account, start a paid subscription, register a domain, and get back an API token to deploy code right away. Humans can be in the loop to grant permission and must accept Cloudflare's terms of service, but no human steps are otherwise required from start to finish. There’s no need to go to the dashboard, copy and paste API tokens, or enter credit card details. Without any extra setup, agents have everything they need to deploy a new production application in one shot. And with Cloudflare’s Code Mode MCP server and Agent Skills , they’re even better at it. This all works via a new protocol that we’ve co-designed with Stripe as part of the launch of Stripe Projects . We’re excited to launch this new partnership with Stripe, and also to offer $100,000 in Cloudflare credits to all new startups who incorporate using Stripe Atlas . But this new protocol also makes it possible for any platform with signed-in users to integrate with Cloudflare in the same way Stripe does, with zero friction for the end user. How it works: zero to production without any setup or manual steps
Spyware appears to have captured everything from intimate photos to private messages from the smartphone of European celebrity. They were publicly accessible until a researcher flagged the exposure.
Wednesday, April 29
What Mythos Means for Penetration Testing as a Service When Anthropic announced the Claude Mythos Preview, the reaction from the security community was immediate. We’re not talking about the next best model. This model is such a leap forward and so capable at finding and exploiting vulnerabilities that Anthropic deemed it too dangerous to release […] The post What GigaOm and Synack Got Right About AI Pentesting appeared first on Synack .
A newly analyzed Go-based macOS remote access trojan (RAT), internally named Minirat, has surfaced in the wild using anti-VM checks, LaunchAgent persistence, and AES-encrypted command and control (C2) configuration to maintain stealthy, long-term access on victim endpoints. According to [SafeDep](https://safedep.io/malicious-velora-dex-sdk-npm-compromised-rat/), the initial infection vector was a malicious npm package (velora-dex-sdk) that dropped the Go-based macOS RAT onto developer endpoints.
LibAFL is all the rage in the fuzzing community these days, especially with LLVM’s libFuzzer being placed in maintenance mode . Written in Rust, LibAFL claims improved performance, modularity, state-of-the-art fuzzing techniques, and libFuzzer compatibility . For these reasons, I set out to add LibAFL support to Ruzzy , our coverage-guided fuzzer for pure Ruby code and Ruby C extensions. This gives Ruby developers and security researchers access to a more advanced and actively maintained fuzzing engine without changing how they write their fuzzing harnesses. Ruzzy was originally built on top of LLVM’s libFuzzer, so using LibAFL’s compatibility layer should be easy enough. However, digging around in the internals of complex systems is never quite as simple as it seems. In this post, I will investigate some of the deep plumbing inside these fuzzing engines, take a detour into executable and linkable format (ELF) files, and ultimately add LibAFL support to Ruzzy. Building with libafl_libfuzzer Ruzzy currently supports Linux, so I use a Dockerfile for development and for production fuzzing campaigns. To that end, using a similar Dockerfile for LibAFL support is the simplest integration point. LibAFL provides excellent documentation a
Today, we're launching Project Swarm — a research initiative that opens the GreyNoise deception platform to the global security community. Project Swarm transforms GreyNoise from a proprietary sensor network into a collective intelligence platform.
Tuesday, April 28
CREST Helps Raise the Bar for the Researchers Behind Your Pentest When a cybersecurity company tells you its testers are vetted, what does that actually mean? Most of the time, it means the company ran its own screening, trusted its own judgment, and hoped you’d trust it too. That works, right up until the pentest […] The post What CREST Means for Your Next Synack Engagement appeared first on Synack .