Cybersecurity News and Vulnerability Aggregator

Cybersecurity news aggregator

Top Cybersecurity Stories Today

The Hacker News 1h ago

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday warned of active exploitation of a critical security flaw impacting Lantronix EDS5000 Series devices, urging Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by June 26, 2026. The vulnerability in question is CVE-2025-67038 (CVSS score: 9.8), a code injection flaw that could result in the execution

The Hacker News 2h ago

A coordinated law enforcement operation, in partnership with private sector companies, including Bitdefender, Bitsight, ESET, and Microsoft, has resulted in the takedown of criminal infrastructure powering Amadey and StealC. "The main common goal was to disrupt the 'assembly lines' cybercriminals use to launch ransomware, financial fraud, and attacks on critical infrastructure," Europol said in

The Hacker News 5h ago

Cybersecurity researchers have flagged a new class of CI/CD workflow weakness that allows attackers to hijack workflows and compromise open-source supply chains. The "critical exploitable pattern" has been codenamed Cordyceps by Novee Security. The issue can allow full attacker control of repositories at dozens of the largest organizations worldwide, including Microsoft, Google, Apache, and

Latest

Wednesday, June 24
r/cybersecurity Just now

Using Bitwarden Infrastructure to get stuff in and get stuff out (fixed)

r/cybersecurity 1h ago

At [Hunt.io](http://Hunt.io) we mapped malicious infrastructure across 10 Eastern European countries (Belarus through Ukraine) over a three-month window and found more than 3,900 active C2 servers across 302 providers. The part that stuck with us: one Bulgarian host, Friendhosting, accounted for about 53.5% of everything we detected in the region. You don't catch that chasing individual IPs or domains, it only shows up at the provider layer. Happy to answer questions on how we pulled the data. Read the full story: [https://hunt.io/blog/eastern-europe-malicious-infrastructure-report](https://hunt.io/blog/eastern-europe-malicious-infrastructure-report)

Synack 2h ago

Open bug bounty programs are buckling under AI-generated noise, triage overload, and coverage blind spots. Synack's PTaaS platform and security researchers on the Synack Red Team preserve what works about incentivized research while fixing what doesn't. The Bug Bounty Model Is Failing. It’s Time to Say It Out Loud.

r/cybersecurity 2h ago

Hi guys, I send out a weekly newsletter with the latest cybersecurity vendor reports and research, and thought you might find it useful, so sharing it here. All the reports and research below were published between June 15th - June 21st. You can get the below into your inbox every week if you want: [https://www.cybersecstats.com/cybersecstatsnewsletter/](https://www.cybersecstats.com/cybersecstatsnewsletter/)

# Big Picture Reports

**State of Log Management in 2026 (Dynatrace)**

AI workloads are straining traditional log management on cost, scale, and complexity.

**Key stats:**
* AI workloads drive a 93% increase in log volume over the last twelve months.
* Organizations exclude an average of 86% of log data to manage costs and system limitations.
* Technology teams spend an average of nearly $2.5 million annually on logging solutions.

*Read the full report* [*here*](https://www.cybersecstats.com/r/2230cfe2?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

**The CISO Outlook 2026: Authentic intelligence in the age of AI (CSC)**

Security leaders think AI is an opportunity. But also a big threat.

**Key stats:**
* 73% of security leaders view AI as an opportunity rather than a risk.
* 86% cite AI-powered domain generation algorithms as a cybersecurity threat.
* 79% are concerned that suppliers' and partners' AI tool use poses a cybersecurity risk.

*Read the full report* [*here*](https://www.cybersecstats.com/r/497aad41?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

**Life and Times of The Cybersecurity Professional VIII (ISSA & Omdia)**

Interesting read for anyone in a security role. Now in its eighth year, The Life and Times of Cybersecurity Professionals, Volume VIII looks at how your peers are feeling about their roles, and what the orgs they’re in are doing (yes, including how many of them are adopting AI).

**Key stats:**
* 68% of cybersecurity professionals say the job has become harder over the past two years.
* 25% increased AI spending without a defined strategy.
* 57% of cybersecurity professionals who considered leaving their role in the past eighteen months have considered leaving cybersecurity entirely.

*Read the full report* [*here*](https://www.cybersecstats.com/r/f384f171?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

# AI Security and Governance

**The State of AI Governance in 2026 (Retool)**

If you’re worried about vibe coding and the lack of governance around it, this report will at least make you feel less alone.

**Key stats:**
* 93% of CTOs, CISOs, and CIOs are concerned about vibe-coded tools running in production.
* 8% describe their organization's AI governance as strong.
* 22% indicate their organizations have had at least one AI-caused production incident.

*Read the full report* [*here*](https://www.cybersecstats.com/r/0b32bcb7?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

**Shadow AI Has Become a Behavioral Data-Movement Risk (Teramind)**

Employees are using AI tools on corporate devices and either not telling you about it or outright hiding it.

**Key stats:**
* 67% of enterprise AI usage occurs through unmanaged personal accounts on corporate devices.
* 69% of C-suite leaders prioritize speed over security when using AI tools.
* 62% of Gen Z employees are actively hiding their AI use at work.

*Read the full report* [*here*](https://www.cybersecstats.com/r/5436958f?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

**What 687 IT and Security Leaders Revealed About Governing AI (Jamf)**

Apple-first orgs won't want to hear this: more organizations are experiencing AI incidents as they deploy AI deeper.

**Key stats:**
* Organizations with deeply integrated AI are 40% more likely to report an AI-related incident than those still exploring.
* 22% of organizations have already experienced an AI-related incident involving unexpected costs or a security issue.
* 36.7% identify establishing AI governance as a top AI priority for the next twelve months.

*Read the full report* [*here*](https://www.cybersecstats.com/r/a5c05c5f?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

**The Data & AI Trust Gap (Veeam)**

What’s the difference between AI ambition and results? This report will tell you.

**Key stats:**
* 99% agree data sovereignty is critical.
* 72.5% are actively deprioritizing data sovereignty to accelerate AI.
* 88% of enterprises are running AI agents, but only 7% are fully prepared to manage them.

*Read the full report* [*here*](https://www.cybersecstats.com/r/248fd270?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

**AI-Powered Attacks Become Top Concern for Security Professionals (Filigran)**

AI-powered attacks at scale are apparently the biggest security concern now.

**Key stats:**
* 41% of cybersecurity professionals identify AI-powered attacks at scale as their biggest security concern.
* 32% say AI-driven threats are the top issues boards most often ask about.
* 52% say threat intelligence helps inform decisions but still requires significant human judgment.

*Read the full report* [*here*](https://www.cybersecstats.com/r/e656bff0?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

# Mid-Market Outlook

**The Mid-Market AI Readiness Report (Netrio)**

An AI readiness report, but focused on mid-market orgs.

**Key stats:**
* 82% of mid-market IT leaders say AI is already in production somewhere or in widespread use.
* 26% say AI is scaled and governed enterprise-wide.
* 73% have either confirmed an AI-related security incident or experienced a near-miss in the past twelve months.

*Read the full report* [*here*](https://www.cybersecstats.com/r/4d45064c?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

# Enterprise Perspective

**The State of Physical and Digital Identity in the Enterprise (FIDO Alliance & HID)**

How fast do you think you can remove an ex-employee’s access? According to this report, probably very fast. Also according to this report, you cannot actually move that fast…

**Key stats:**
* 94% claim they can revoke all access within twenty-four hours of an employee leaving.
* 35% actually experience delays or failures revoking access within that timeframe.
* 70% of organizations experience at least one identity-related security incident.

*Read the full report* [*here*](https://www.cybersecstats.com/r/37f5fa92?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

**The 2026 Vulnerability Forecast Update: Navigating the AI Epoch (FIRST)**

Vulnerability disclosures are completely out of control.

**Key stats:**
* Annual vulnerability disclosures are on pace to approach 70,000 for the first time in history.
* The 2026 projected total of CVE disclosures is approximately 66,000, up from a February median projection of 59,427.
* Actual CVE disclosures are running 46.3% above projections published four months earlier.

*Read the full report* [*here*](https://www.cybersecstats.com/r/c696d849?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

# Regional Spotlight

**60% of UK Orgs Report Cyberattacks Beyond Email (KnowBe4)**

Threats are no longer confined to your employees’ email inboxes.

**Key stats:**
* 60% of UK cybersecurity professionals say threats are already moving beyond email.
* 50% of UK organizations lack strong confidence in detecting threats across messaging and social platforms.
* Only 41% of organizations regularly train employees on threats beyond email.

*Read the full report* [*here*](https://www.cybersecstats.com/r/404997b2?m=50f43416-1146-4a3d-a1e1-5afc95e09a39)*.*

r/Malware 2h ago

I was doing some research around dirt bikes when I came across this website: [https://atvbikeindia.com/](https://atvbikeindia.com/) It asks you to verify that you are not a robot and then gives you three instructions, which include opening the Run command (pressing Windows+R), then pasting (Ctrl+V), and pressing Enter. I think it copies the command line when we click on the "I am not a robot" button. It is then trying to install code using a hidden PowerShell window. I can't figure out what it will do after installing the script because I won't be installing it. Can anyone tell me what the hacker is planning to do here, and will it be stopped by a normal antimalware program?

r/cybersecurity 2h ago

I'm curious about the details of this. I'm sure we will all find out eventually. TLDR; former Huntress employee is disclosing Huntress had an insider threat that leaked information to a known cyber criminal "Devman". That employee is still employed with Huntress and was caught by the FBI. The former employee doing the disclosure is stating he is receiving threats, etc. EDIT: Kyle @ Huntress posted his response to this in the comments. Give credit to a CEO who isn't afraid to jump on Reddit to put out any fires.

r/cybersecurity 3h ago

Hi everyone, I'm currently in a security testing profile (5+ YoE) and I'm working towards my DevSecOps roadmap. I wanted to have feedback on the current roadmap I have picked to learn the skills. Additionally, if there's anything else that I should incorporate within the roadmap, please let me know. Currently I am incorporating the following roadmap - [https://github.com/milanm/DevOps-Roadmap/](https://github.com/milanm/DevOps-Roadmap/). I've also decided to create a NotebookLM of almost every other resource I could find and later use the conversation for upskilling.

**Background**

I have fundamental knowledge of the following items:
* Core AWS services such as EKS, EC2, RDS, IAM, etc. What they do and why they are used.
* Linux and bash scripting - I can create scripts that can perform certain tasks across the system with the help of tools such as cut, awk, etc. for parsing through logs & analysing text files.
* Networking - I have a fundamental understanding of networking concepts. How HTTP works, OSI layers, CIDR notation. How DNS, HTTP and SSH work. It's been part of my job.
* Git, Azure DevOps - What PRs, pipelines, MRs are. Not very extensive knowledge, but I understand how to use git from the CLI and why Git is the core of the DevOps process.

I've also thought of making a copy of one of the prominent websites (e.g. Netflix) as a major capstone project which can be deployed on AWS. The codebase would be generated by AI with intended vulnerabilities such as XSS or hardcoded secrets or hardcoded SQL statements. I intend to deploy it on AWS primarily. Something that employs either EKS, or create a spot instance on EC2 and deploy the website by installing the required resources.

I have thought of the following resources for learning Containers & Container orchestration:
* Docker & Kubernetes - Going through videos from Techworld by Nana (1hr crash course and 3hr complete course).
* I also have access to Pluralsight through my organization, so any recommendations on which course I should refer to would be extremely helpful. Otherwise I shall pick one of the top rated courses.
* I've thought of creating a golden image of java, dotnet or any development framework which will be used in my capstone and later create and manage containers using docker and/or k8s.

IaC
* I've thought of learning both Istio and Terraform since both of them are widely used in multiple different organizations.

CI/CD
* Creating pipelines within GitLab and introducing SAST (Semgrep), DAST (ZAP), SCA, SBOM creation, secrets scanning, checkov, dockle/trivy. Basically using available open source tools and incorporating them within the pipeline.
* Configuring build pass/fail toll gates for each tool.
* Employ configuration drift detection.

For certifications, I cleared AWS CCP a couple of years ago and I know the basics of cloud security. I am currently planning to work on AWS SAA and Security Specialty, along with CCSP, to strengthen my AWS cloud knowledge and cloud security skills. Any feedback on the above roadmap would be extremely helpful.

Synack 4h ago

Most organizations have more internet-facing assets than they know about, and those unknown assets are where attackers look first. This guide breaks down how attack surface management works, how it complements penetration testing, and what separates programs that actually reduce risk from programs that just generate reports. Attack Surface Discovery & Management: What Security Teams Need to Know.

Heimdal Security 7h ago

MSPs spend too much time talking to other MSPs and not enough time talking to the people they’re supposed to serve. That’s Paul Croker’s view of some of the channel’s biggest growth problems. While most industry events bring technology professionals together, they rarely put them in the same room as the business leaders making […] Breaking the MSP Echo Chamber: The Power of Community.

The Hacker News 7h ago

We are standing at the end of an era we never thought to mourn: the era of human-speed threats. For years, cybersecurity moved to a rhythm organizations could follow. A researcher found a bug, a CVE was cataloged, a vendor navigated a patch cycle, and weeks or even months later, a fix was deployed. In this era, dwell time was measured in days, sometimes weeks. We are now approaching an

r/computerforensics 9h ago

I worked in forensics for many years, and one of the most annoying things in MFT/Journal analysis is that initial work of prepping the files until they are readable by humans (size, format, timeframe). I used to export to csv, open in emeditor, then carve out the time periods I did not care about, but that took time and was not reliable. Now, with the emergence of AI, I was finally able to create the app that does it. It basically allows you to select a timeframe, extensions you do or do not care about, folders you wish to exclude, and go on your merry way of exporting the valid but carved-out MFT for use in other tools, or a CSV for use in your favorite tools, too. As this could be a collaborative project... and I will NEVER sell it, it will remain free (and maybe even open source) - what else would you like to see in such an app? Mods, am I allowed to add a link to a free tool here? I am almost certain there is no free or paid software out there that allows this kind of laser-focused carving of MFT files for speed of analysis. If the mods allow it, I'll post a link to the download. It's Freeware.

The Hacker News 9h ago

The U.S. Department of Justice (DoJ) on Tuesday announced the seizure of a cloud computing account put to use by subsidiaries of Cambodia-based corporate conglomerate HuiOne Group, as the Treasury unveiled fresh sanctions against nine individuals and 26 entities linked to Prince Group. "These subsidiaries are alleged to have assisted individuals and organizations in transferring proceeds of

r/cybersecurity 10h ago

A recently patched vulnerability affecting Cisco’s Unified Communications Manager (Unified CM) product is being exploited in attacks, according to exploit intelligence firm Defused. [https://www.securityweek.com/hackers-exploiting-cisco-unified-cm-vulnerability/](https://www.securityweek.com/hackers-exploiting-cisco-unified-cm-vulnerability/)

Cloudflare 12h ago

Cloudflare provides services that help run 20% of the web, but we don’t do it alone. Developers on our platform use a myriad of tools and services from other companies too. Cloudflare provides a rich API for our platform that enables developers to create automations, CI/CD, and integrations that glue together the various parts of their infrastructure. Earlier this month, we announced self-managed OAuth, making it easier for customers to create and manage their own OAuth clients for delegated access to the Cloudflare API. Cloudflare isn’t new to OAuth. If you’ve used Wrangler, or used integrations from partners like PlanetScale, then you’ve already used it. However, until now, third-party OAuth was only available through a small number of manually onboarded integrations, and was not available to developers more broadly. That meant developers building their own integrations had to rely on API tokens, which are harder to manage and a poor fit for many delegated application flows. Over the last year, we onboarded a growing number of early partners while improving the consent, revocation, and security model behind Cloudflare OAuth. But as our Developer Platform grew and agentic tools drove demand for delegated access, it became clear that opening up OAuth to all customers was critical to the success of our platform. With self-managed OAuth, developers can now offer a standard OAuth flow where customers grant scoped access directly, making it easier to build SaaS integrations, internal developer platforms, and agentic tools while giving users clearer consent, easier revocation, and more control over what an application can do.

Scaling the ecosystem securely

While our earlier OAuth solution was sufficient for a small number of careful

Troy Hunt 13h ago

I know enough about home cinema audiovisual to know there's a lot I don't know. It's conscious incompetence, if you like, which is different to the unconscious incompetence most people have on the topic. That's not to sound derogatory (it's spelled out that way in the competence model), rather it recognises that this is a super specialised area and as soon as you start scratching the surface, things get very complex and very expensive really fast. But it's also exciting, and what we've got in the pipeline for our house expansion will blow you away. More to come soon

Tuesday, June 23
Cloudflare Jun 23

On June 22, 2026, President Trump signed Executive Order 14409, "Securing the Nation Against Advanced Cryptographic Attacks." The order sets a December 31, 2030, deadline for federal agencies to transition their most sensitive systems to post-quantum encryption, and a December 31, 2031, deadline for post-quantum authentication. The EO also directs federal contractors to comply with post-quantum Federal Information Processing Standards (FIPS) by the end of 2030. We welcome this executive order. The U.S. government has a long track record of using federal leadership and procurement to drive adoption of new technologies across the broader industry. We've seen this work with IPv6, with routing security and the Resource Public Key Infrastructure (RPKI), and with DNSSEC, and we’re glad to see this tradition continue with post-quantum cryptography. The EO is especially important at this moment because the timeline for Q-Day, the day that quantum computers can break the public-key cryptography used across the Internet, has been accelerated. In April 2026, Cloudflare moved our own target for full post-quantum security to 2029, following research breakthroughs from Google and

The Hacker News Jun 23

A Russian-speaking initial access broker (IAB) driven by financial gain is assessed to be behind a large-scale credential-harvesting operation known as FortiBleed that has targeted over 430,000 FortiGate firewalls globally. The campaign, active since February 2026, involves collecting credential lists, searching for exposed services, brute-forcing accessible systems, and deploying bespoke

Krebs on Security Jun 23

Two men pleaded guilty in the United Kingdom this week to criminal charges stemming from an August 2024 cyberattack that crippled Transport for London, the entity responsible for the public transport network in the Greater London area. The duo were key members of a prolific cybercrime group known as Scattered Spider, and their guilty pleas came on the first day of what was expected to be a six-week trial.

Owen Flowers (left), 18, and Thalha Jubair, 20. Image: UK National Crime Agency (NCA).

Thalha Jubair, 20, of East London and 18-year-old Owen Flowers of Walsall admitted conspiring to commit unauthorized acts against Transport for London computer systems and causing risk of serious damage to human welfare. According to a report from the BBC, Flowers alone admitted to being part of a conspiracy to hack into U.S.-based healthcare providers SSM Health Care Corporation and Sutter Health in September 2024. Jubair is also wanted by U.S. law enforcement agencies. In September 2025, prosecutors in New Jersey unsealed

The Hacker News Jun 23

Security firm AIR built a fake AI agent skill, pushed it through a popular skill marketplace and an Instagram ad, and says it reached roughly 26,000 agents, including some on corporate accounts. Every skill security scanner the firm tested it against marked it safe. The payload was harmless by design: it collected the user's email address and did nothing else. The point was to show

The Hacker News Jun 23

President Trump signed an executive order on June 22 setting hard deadlines for federal agencies to move high-value assets and high-impact systems to post-quantum cryptography. Key establishment must move by December 31, 2030; digital signatures by December 31, 2031. EO 14409 leaves national security systems on a separate track. The deadlines matter because of a threat that does not

The Hacker News Jun 23

GitHub is moving to strengthen software supply chain security by updating "actions/checkout" to block pwn request attacks that exploit the risky use of the "pull_request_target workflow" trigger to run malicious code with the workflow's full privileges. Effective June 18, 2026, the latest version of "actions/checkout," the official GitHub action for checking out a repository into the

The Hacker News Jun 23

Every weapon begins as an extension of the hand that holds it. The spear lengthened the reach of the arm. The bow sent the point flying without the throw. The rifle placed a man's death a quarter mile beyond his sight, and the aircraft carried that death across oceans. At each turn, the distance between the warrior and the wound grew wider, and yet one thing never moved: a human chose the target

r/netsec Jun 23

A vulnerability in Cisco Unified Communications Manager allows unauthenticated attackers to arbitrarily write files in the server which could be used to run arbitrary commands or code on the server.

The Hacker News Jun 23

Cybersecurity researchers have discovered a set of malicious npm packages that are designed to deliver a Windows-based remote access trojan (RAT). The list of identified packages is below:
* aes-decode-runner-pro (145 downloads)
* postcss-minify-selector (256 downloads)
* postcss-minify-selector-parser (615 downloads)

All the packages were published over the past month by an npm user named

r/computerforensics Jun 23

Would appreciate any feedback. From the project page: “Recursive-IR is a single-binary orchestration that transforms an OpenSearch stack into a fully capable and customisable DFIR log analytics platform. Incident responders and digital forensics investigators can examine events arranged in a "super timeline" enabling correlation between different source artefacts to better understand the threat actor's full chain of attack. It enables collaborative case-centric investigations with persistent enrichments such as tags, comments, and analyst context, while fully leveraging the strengths of OpenSearch and native OpenSearch Dashboards — scalable observability, visualisation, and Security Analytics for alerting and correlation across ingested forensics artefacts. The platform offers full control over data being analysed with facilities to resolve data type mapping conflicts, mutating fields (e.g., renaming, copying, or stringifying), normalizing log sources with different timezones, and even selecting fields to be used as @timestamp. Artefacts can be reloaded or re-parsed and reloaded easily enabling users to perform modifications such as adding enrichments or mutating fields if needed, a feature which isn't commonly available in traditional SIEMs.” https://github.com/improvisec/recursive-ir

The Hacker News Jun 23

OpenAI on Monday said it's releasing an improved version of its GPT-5.5-Cyber model to trusted defenders as part of the Daybreak initiative the artificial intelligence (AI) company announced last month. Calling GPT-5.5-Cyber its "strongest model yet for finding and helping patch software vulnerabilities," OpenAI said the model can "sustain deeper analysis across large codebases" to

Monday, June 22
Bleeping Computer Jun 22

The JaredFromSubway Ethereum MEV (Maximal Extractable Value) bot suffered a $15 million loss after an attacker manipulated the opportunity-detection logic by creating fake cryptocurrency trading opportunities. [...]

CERT/CC Jun 22

Overview

Two vulnerabilities have been identified in FastStone Image Viewer 8.3 that may allow remote code execution or control-flow corruption when processing specially crafted image files. The affected components include the JPEG 2000 (JP2) parser and the PSD file parser. An attacker can exploit these vulnerabilities by causing the application to automatically or interactively process malicious image files.

Description

FastStone Image Viewer is a software tool for browsing, editing, and managing images, offering features like full-screen viewing, batch processing, red-eye removal, and a wide range of editing effects. It supports virtually all major image and RAW formats and includes conveniences like slideshows, comparison tools, scanner support, and screen capture.

CVE-2026-30040

A critical heap-based buffer overflow vulnerability exists in FastStone Image Viewer, versions 8.3 and earlier. The issue is triggered during the parsing of JPEG 2000 (JP2) files due to a malformed QCD (quantization default, 0xFF5C) marker in the FSViewer.exe process. By exploiting this flaw, a remote attacker can overwrite the EIP (instruction pointer) and execute arbitrary code in the context of the current process via a crafted JP2 file. Notably, this issue does not require the victim to directly open the crafted JP2 file. When the application enumerates directories during automatic thumbnail generation, files within two directory levels are parsed by the JP2 decoder. If the malicious JP2 file is present within this enumeration range (for example in the user’s Downloads folder), the vulnerability is triggered automatically.

CVE-2026-30041

An integer overflow vulnerability exists in the PSD parser of FastStone Image Viewe

Cloudflare Jun 22

The Images service, built in Rust on Workers, runs on every machine in Cloudflare’s edge network. To handle client connections, we use hyper, an open-source HTTP library for Rust. Last year, we introduced the Images binding to enable custom, programmatic workflows for processing remote images in Workers. At the end of 2025, we rearchitected the binding to provide a more direct, local connection between the Workers runtime and the Images service. Shortly after rollout, we received reports that transformation requests from the binding were failing — but only intermittently and only for larger images. Even stranger, the responses for these requests returned a 200 status without any errors logged. The image data was simply cut short: A response that should have been two megabytes might arrive with a few hundred kilobytes instead. We spent six weeks chasing a nearly invisible bug — a race condition that occurred only under specific conditions — in the hyper library that impacted how the Images binding returned processed image data back to the client. In the end, it took four lines of code to fix it.

Hops, handoffs, and hyper

When developers build on Cloudflare, they compose full-stack applications from a set of platform services that are accessible to Workers through bindings. Bindings provide direct APIs to resources on the Developer Platform like compute,

Trail of Bits Jun 22

What happens when you clear dozens of Trail of Bits engineers’ schedules, pair them with every open-source maintainer they can contact, and unleash the latest frontier models like GPT-5.5-Cyber on critical open-source targets? Thanks to our partnership with OpenAI and its Daybreak initiative, we can report that the impact is hundreds of discovered bugs, 64 pull requests, and 51 issues filed across 19 projects (with many more still undergoing coordinated disclosure). That was just the first week of Patch the Planet. Frontier models like GPT-5.5-Cyber are producing a firehose of security findings, and already-stretched maintainers must sift through all of it to separate real vulnerabilities from plausible-sounding false positives. Patch the Planet is different: with our experts orchestrating and triaging findings, we handle the work of fixing and hardening the code alongside the people who maintain it. The first week of Patch the Planet covered 19 projects across cryptography, networking, language infrastructure, and software supply chain. Among these 19 projects were cURL, NATS, pyca, Sigstore, aiohttp, the Go project, freenginx, Python and python.org, urllib3, PyPI, SimpleX, Valkey, and RustCrypto. Over 30 projects have joined the initiative so far, and we’re rapidly expanding it to include more; if you maintain an open-source project, apply to join!

The Hacker News Jun 22

A heap over-read in the Squid web proxy can leak another user's cleartext HTTP request, including any credentials or session tokens it carries, to anyone already allowed to send traffic through the same proxy. The bug traces to a 1997 FTP-parsing change and is still live in Squid's default configuration. Researchers at Calif.io disclosed it in June and named it Squidbleed (

CERT/CC Jun 22
CVE

Overview

Microsoft Windows Recovery Environment (WinRE) provides a mechanism for recovering and repairing Windows systems using an alternate boot environment. Under certain platform implementations, access to WinRE may allow an attacker to bypass firmware security controls, including administrator-configured UEFI/BIOS passwords. An attacker with physical or administrative access to a device may be able to leverage WinRE-related boot mechanisms to circumvent firmware protections and gain unauthorized access to system resources.

Description

Microsoft Windows versions 10 and 11 include the WinRE capability, a recovery platform that supports features such as the F11 recovery menu and the Reset this PC functionalities. WinRE is commonly used for system recovery, troubleshooting, and remote support scenarios. When WinRE is invoked, the system reboots into a recovery environment that may use an alternate boot path from the standard operating system startup sequence. Depending on the platform and firmware implementation, the alternate boot path may not consistently enforce the same UEFI/BIOS security controls that are applied during a normal boot process. A security concern has been identified in certain WinRE implementations where administrative UEFI/BIOS passwords may not be enforced during specific recovery operations. This inconsistency in the boot execution path may allow an attacker with physical access to a device to bypass firmware-level protections. Such scenarios are commonly associated with "Evil Maid" attacks, in which an attacker gains temporary physical access to an unattended system and modifies its boot configuration or security settings. In UEFI-based systems, the UEFI boot manager sup

Heimdal Security Jun 22

In May 2026 an attacker compromised a UK medical practice endpoint without delivering a single malicious file. They used PowerShell and the .NET compiler built into Windows to build a Remcos remote access trojan on the machine itself, so signature antivirus had no known sample to match. The thing that caught it was DNS filtering, […] The post How attackers built a RAT on a Windows machine using its own .NET compiler appeared first on Heimdal Security Blog .

The Hacker News Jun 22

Cybersecurity researchers have disclosed details of a new campaign that delivers CastleStealer by means of a previously unreported malware loader dubbed OXLOADER. According to Elastic Security Labs, the campaign leverages malicious Google Ads as a starting point to distribute the malware. Evidence indicates that the threat actor is likely Russian-speaking and financially motivated, owing to the

The Guardian Jun 22

Signals agencies in Australia, the US, the UK, New Zealand and Canada sound alarm after Trump blocks foreign nationals from Anthropic’s Fable AI model. Powerful AI models capable of devastating new cyber attacks on governments and businesses are mere months away, intelligence agencies for the Five Eyes have warned in a rare joint statement, urging leaders to “act now”. The surprising public intervention by signals agencies for Australia, the US, the UK, New Zealand and Canada comes after the Trump administration earlier this month decided to block “foreign nationals” from using a much-hyped AI model built by tech company Anthropic, called Fable. Continue reading...

The Hacker News Jun 22

Google has set September 30, 2026, as the day it begins enforcing Android developer verification in the first four countries, and the major device-maker app stores are in from the start. On that date, certified Android phones in Brazil, Indonesia, Singapore, and Thailand will block normal installs of apps whose developers have not registered an identity with Google, whether the app

The Hacker News Jun 22
AI

Earlier this month, I spoke at the Gartner Security & Risk Management Summit about a blind spot most security programs are still not accounting for - how attackers are circumventing AI security programs by using legacy infrastructure to hijack AI agents. AI adoption is moving faster than security programs can account for. Roughly 71% of organizations are piloting AI agents across their

Heimdal Security Jun 22

At 06:34am on 2 June 2026, an attacker logged on to a customer’s network. In a single automated burst, they switched on remote desktop and created a rogue administrator account. And deleted the evidence behind them. The intrusion reached 34 endpoints and was over in under ten seconds. Heimdal Extended Threat Protection (XTP) and Ransomware […] The post Attacker enables RDP, creates admin, erases evidence in ten seconds appeared first on Heimdal Security Blog .
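The two Heimdal items above (the RAT compiled on the box with the .NET compiler, and the ten-second RDP-enable, account-create, evidence-wipe burst) describe behaviour that is visible in ordinary endpoint telemetry. The following is an added example written for this page, not Heimdal's product code: a small Python correlator run over constructed process, registry and Security-log events. Event IDs 4720 (account created), 4732 (member added to a local group) and 1102 (audit log cleared), and the fDenyTSConnections registry value, are the real Windows identifiers; hosts, user names, paths and timestamps are invented.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    kind: str          # "process", "registry" or "security"
    data: dict


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed telemetry: hosts, user names, paths and timestamps are invented.
SAMPLE_EVENTS: List[Event] = [
    # A normal build: the compiler is started by msbuild, not by a script host.
    Event(_t("2026-06-02T06:30:00"), "dev01", "process",
          {"parent": "msbuild.exe", "image": "csc.exe",
           "cmdline": "csc.exe /out:app.exe app.cs"}),
    # First story: PowerShell driving csc.exe to build code on the machine itself.
    Event(_t("2026-06-02T06:31:12"), "ws-reception", "process",
          {"parent": "powershell.exe", "image": "csc.exe",
           "cmdline": r"csc.exe /noconfig /fullpaths @C:\Users\Public\tmp1.cmdline"}),
    # Second story: a seven-second burst on one host.
    Event(_t("2026-06-02T06:34:01"), "ws-finance", "registry",
          {"path": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
           "value": 0}),
    Event(_t("2026-06-02T06:34:03"), "ws-finance", "security",
          {"event_id": 4720, "target": "svc_backup2"}),
    Event(_t("2026-06-02T06:34:04"), "ws-finance", "security",
          {"event_id": 4732, "target": "svc_backup2", "group": "Administrators"}),
    Event(_t("2026-06-02T06:34:08"), "ws-finance", "security", {"event_id": 1102}),
    # A helpdesk account creation with nothing else around it: must not fire.
    Event(_t("2026-06-02T09:10:00"), "ws-hr", "security",
          {"event_id": 4720, "target": "j.doe"}),
]

COMPILERS = {"csc.exe", "vbc.exe", "jsc.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def find_script_host_compiles(events: List[Event]) -> List[Tuple[str, str, str]]:
    """A .NET compiler spawned directly by a script host. Real builds come from
    msbuild/devenv/dotnet; PowerShell's Add-Type is the usual benign source of this
    pattern, so tune on the parent command line in production instead of alerting blindly."""
    hits = []
    for e in events:
        if e.kind != "process":
            continue
        if (e.data["image"].lower() in COMPILERS
                and e.data["parent"].lower() in SCRIPT_HOSTS):
            hits.append((e.host, e.data["parent"], e.data["cmdline"]))
    return hits


def _label(e: Event) -> Optional[str]:
    """Map a raw event to one of the four burst stages, or None."""
    if (e.kind == "registry" and e.data["path"].endswith("fDenyTSConnections")
            and e.data["value"] == 0):
        return "rdp_enabled"
    if e.kind == "security":
        eid = e.data["event_id"]
        if eid == 4720:
            return "account_created"
        if eid == 4732 and e.data.get("group") == "Administrators":
            return "added_to_admins"
        if eid == 1102:
            return "log_cleared"
    return None


REQUIRED_STAGES = {"rdp_enabled", "account_created", "added_to_admins", "log_cleared"}


def find_rdp_admin_bursts(events: List[Event],
                          window: timedelta = timedelta(seconds=10)
                          ) -> List[Tuple[str, datetime, datetime]]:
    """All four stages on the same host inside `window`: returns (host, first_ts, last_ts)."""
    by_host: Dict[str, List[Event]] = {}
    for e in events:
        by_host.setdefault(e.host, []).append(e)
    bursts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda ev: ev.ts)
        for i, start in enumerate(evs):
            seen, last = set(), start.ts
            for e in evs[i:]:
                if e.ts - start.ts > window:
                    break
                stage = _label(e)
                if stage:
                    seen.add(stage)
                    last = e.ts
            if REQUIRED_STAGES <= seen:
                bursts.append((host, start.ts, last))
                break   # one alert per host is enough here
    return bursts


if __name__ == "__main__":
    print(find_script_host_compiles(SAMPLE_EVENTS))
    print(find_rdp_admin_bursts(SAMPLE_EVENTS))
```

The window is the tunable that matters: the burst in the story fits in ten seconds, and the sample shows that a five-second window misses it, while a window of minutes starts to catch legitimate onboarding that creates an admin and enables RDP for support.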

r/ReverseEngineering Jun 22

To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.

Sunday, June 21
r/Malware Jun 21

[**clearmic.net**](http://clearmic.net) **is malware, do not download it** Someone sent me this site asking if it was legitimate. I ran the installer in a sandbox and it's a RAT. It looks like a mic clarity app but bundles a hidden second executable that runs in the background. Here's what it actually does: logs your keystrokes, captures your screen, hijacks your clipboard, records microphone audio, and sends everything out to a remote server encrypted. It also deletes Windows Shadow Copies which is standard ransomware behaviour to stop you recovering your files. It actively checks if it's running in a sandbox too, which is why I'm glad I tested it before running it on a real machine. Full sandbox analysis if you want to dig into it yourself: [https://tria.ge/260621-vsjxnaet4k/behavioral2](https://tria.ge/260621-vsjxnaet4k/behavioral2) If you already ran this, disconnect from the internet and run Malwarebytes immediately. Change your passwords from a different device, especially Discord, email, and anything with saved credentials in your browser. Spread this around so people don't get caught out.

Saturday, June 20
r/computerforensics Jun 20

An AI pair of eyes sitting over your shoulder, catching what you miss while you're deep in an investigation. Repo: [**https://github.com/hasamba/DFIR-Companion**](https://github.com/hasamba/DFIR-Companion) Landing page: [**https://hasamba.github.io/DFIR-Companion/**](https://hasamba.github.io/DFIR-Companion/) EDIT: Hands-on lab: [**https://killercoda.com/dfir-companion/scenario/killercoda**](https://killercoda.com/dfir-companion/scenario/killercoda)

Honestly, it started out of frustration. I'm sitting on an investigation, open Velociraptor, spot an interesting lead, start digging into it, find another lead, and so on, and then suddenly I realize I completely forgot to go back to the other findings from the first artifact. The sheer amount of information you need to process during an investigation is simply more than one pair of eyes can handle, no matter how much coffee you've had. So I started building something to help myself and it ended up going somewhere I didn't expect. The original idea was a browser extension that takes screenshots every few seconds, so I could scroll back and see what I missed. Pretty dumb idea in hindsight, actually. But then the question came up: if I already have all those screenshots, why not let AI go through them while I work? And from there it exploded.

Today it's a real-time dashboard that updates live as I investigate. It identifies findings, automatically builds an event timeline, extracts IOCs and enriches them from multiple sources, creates a playbook that suggests what to check next, suggests hunt queries for Velociraptor, runs them and collects back the results, checks for data leaks, and answers the standard questions every investigation report needs: access vector, lateral movement, privilege escalation, etc. If a client confirms a finding ("that's legit, it's our weekly scan"), one click and the entire analysis updates accordingly.

The coolest part, to me, is that this started as a Velociraptor-specific solution but in practice became an AI layer on top of every tool I have open in the browser: SIEM, Security Onion, Splunk4DFIR, VolWeb, you name it. Even tools with no built-in AI suddenly get smarter, and all the data consolidates in one place instead of me jumping between ten tabs. Important to understand: this is NOT another detection layer. Your Sigma, YARA, and Suricata rules are already doing their job. This tool is the layer after detection: it takes all the verdicts from your tools, correlates them, and builds the "so what." The tool didn't stop at screenshots either. You can feed it almost any DFIR output and it will automatically detect the format and import it deterministically (no burning tokens on AI for that).

Additional features:
• Data correlation
• Threat intel enrichment, with OPSEC in mind
• AI input anonymization
• Asset ↔ IoC graph
• Targeted query generation
• Export to multiple platforms
• Free-form case Q&A against an LLM
and much more...

If you work in DFIR, Blue Team, or SOC, I'd love for you to try it out, open issues, suggest features, submit PRs, or just tell me what you think.

Friday, June 19
r/netsec Jun 19
CVE

A crafted MPLS packet can trigger an out-of-bounds read in mpls_do_error, leaking 4 bytes of adjacent kernel stack memory back in an ICMP/MPLS error response. It requires MPLS enabled, but the leak is remote and repeatable. Fixed in OpenBSD-current on 2026-06-18.

Cloudflare Jun 19

Everyone's writing code with AI agents today. But the moment an agent needs to deploy something, and needs to sign up and create an account, it slams face-first into a wall built for humans: a browser-based OAuth flow, a dashboard to click through, an API token to copy-paste, a multi-factor authentication prompt to satisfy. For an interactive copilot sitting next to a developer, that's annoying. For a background agent, it's a hard stop. Today we're rolling out Temporary Cloudflare Accounts for Agents. Agents can now deploy websites, APIs, and agents right away, without first needing to sign up for an account. Any agent can now run wrangler deploy --temporary and deploy a Worker to Cloudflare. This temporary deployment stays live for 60 minutes, during which time you can claim the temporary account, making it permanently your own. If you don't, it expires on its own. Our goal? Let your agent code and ship.

Why frictionless deployments matter for AI agents

Frictionless temporary accounts matter more than it might first seem: Background AI sessions have no human in the loop, and are becoming the norm. Any auth step that needs a browser, a copy-paste, or "click here in 60 seconds" means an agent gets stuck and may choose to d

Praetorian Jun 19

In the previous post we walked through WasmForge, our Go-to-WebAssembly loader that takes existing signatured Go tools and ships them as opsec-safe binaries. This approach doesn’t just apply to Go, however, as there are many languages that can compile to WebAssembly. Another language of interest to us, especially regarding legacy tools which have been over-signatured, is C#. In short, we got several GhostPack tools working through WasmForge. Rubeus and Seatbelt both run as PE binaries that pass through the same outer host which we use for Sliver, with most of their commands functioning at full parity to the original C# code. The mechanism is .NET’s NativeAOT-WASI toolchain plus a non-trivial amount of bridge code that we wrote with heavy LLM assistance. The release of this post also heralds our open-sourcing of the entire toolchain. This is also the last post in this series, so we’ll talk about the open source release at the end. If you’d like to skip ahead and try out the tool, you can grab it from github.com/praetorian-inc/wasmforge.

The Most Signatured Tools on the Internet

If Go tools are signatured into oblivion, C# tools are signatured and salted. Every major red team C# tool released in the last decade has a YARA rule with the project name in its title, several rules covering specific function names, and a handful of b

Thursday, June 18
Synack Jun 18

The tech sector was the only industry in Synack's 2026 State of Vulnerabilities Report to get slower at remediating critical vulnerabilities—growing from 74 to 98 days while manufacturing, government, and financial services all improved. This post breaks down the technical and cultural forces driving that gap, and what it takes to close it. The post The Tech Sector’s Critical Vulnerability Paradox appeared first on Synack .

CERT/CC Jun 18

Overview

Multiple vendor-signed UEFI applications are vulnerable to Secure Boot bypass via a "Bring Your Own Vulnerable Driver" (BYOVD)-style attack. If a target system trusts the affected vendor’s certificate, an attacker can exploit these applications to execute arbitrary code during the early pre-boot phase before the operating system initializes. To mitigate this risk, system administrators should apply updates to the UEFI Forbidden Signature Database (DBX) that revoke trust in the affected vendor-signed binaries, preventing these vulnerable applications from executing during the boot process.

Description

The Unified Extensible Firmware Interface (UEFI) standard defines the modern firmware architecture used to initialize hardware and transfer control to the operating system during system startup. On systems with Secure Boot enabled, UEFI applications and drivers must be cryptographically signed and verified before execution. Trust for these signatures is established through several firmware-managed databases, including the authorized signature database (DB), which commonly contains certificates from original equipment manufacturer (OEM) vendors, operating system authorities, and other supply-chain partners in the UEFI ecosystem. The UEFI shell is a command-line application that allows advanced users to interact directly with the UEFI environment to run diagnostics or special tasks prior to the operating system boot. Other UEFI applications, such as bootloaders, manage the operating system startup sequence or load specific drivers before the main OS initializes. Some of these applications possess functionalities that can manipulate system memory, modify sensitive NVRAM variables, or load raw drivers. If a vendor-signed application inadvertently exposes the

Cloudflare Jun 18

A few weeks ago, we published our initial findings from Project Glasswing, looking at what happens when you point frontier security models at an enterprise codebase. We also explored how our defensive structures adapt to protect our infrastructure and customers from threats posed by frontier AI. Since then, the AI ecosystem has continued to shift rapidly: developers who've built tightly around a single model have already experienced what happens when that model is no longer available or gets superseded by a more capable one. These market shifts only reinforce our core thesis: no matter which underlying model is leading the pack on any given day, the future of agentic workflows will not be found in standalone models, prompts, or single-agent sessions. Moving from a localized security "skill" to a continuous, fleet-wide scanning pipeline requires an architecture where models are treated as interchangeable components. Relying on a single model inherently limits defensive coverage, as the same system will tend to look at code paths through the exact same lens. To counter this, models should be frequently interchanged and cross-tested. By varying the models across the pipeline, such as using one model for initial discovery and an entirely different one for validation, we can ensure that vulnerabilities are cross-checked by distinct sets of logic. Furthermore, a true enterprise-scale harness must look beyond isolated repositories to trace vulnerabilities across cross-repo dependencies, ultimately filtering thousands of raw candidates down to a trusted, triaged queue of actionable fixes. This post serves as a practical look at how to build that model-agnostic layer, focusing on how we manage state controls, eliminate false positives, and coordinate end-to-end triage at scale. Two

Krebs on Security Jun 18

For the past four years, a sprawling Android-based botnet called Popa has forced millions of consumer TV boxes to relay Internet traffic linked to advertising fraud, account takeovers, and mass data-scraping efforts. This week, researchers from multiple security firms concluded that the Popa botnet is linked to NetNut, a “residential proxy” provider operated by the publicly-traded Israeli firm Alarum Technologies Ltd [NASDAQ: ALAR].

[Image caption: Malicious streaming devices sold online that enroll the user’s home Internet address in a residential proxy service. Image: HUMAN Security.]

Popa is a massive botnet, but by all accounts it is unlike traditional botnets that enlist compromised systems in destructive activities, such as coordinating huge distributed denial-of-service attacks. Rather, Popa appears designed with a singular purpose: implementing a persistent communications layer capable of registering a device, maintaining long-lived encrypted connections, and opening communication tunnels on demand. Experts say P

NVISO Labs Jun 18

Introduction

Merely a few years ago, when asking about the state of quantum computing or the need for Post-Quantum Cryptography (PQC), the response would usually revolve around the ongoing PQC competition that NIST had brought to life in an attempt to identify algorithms for standardization. In 2022, Cloudflare started experimenting [1] with hybrid key agreement on its production edge, though most of the world outside a handful of research labs had barely registered that any of this mattered. The core argument of that work was that organizations n

Cloudflare Jun 18

Twelve years ago this month, Cloudflare launched an ambitious project built on a simple idea: people shouldn’t be knocked offline just because someone more powerful disagrees with them. Today, Project Galileo provides free access to cybersecurity services to more than 3,400 websites belonging to journalists, human rights defenders, and other nonprofit organizations in 120 countries. We continue to believe that a better Internet is one where anyone with an idea can reach a global audience. Each year on the anniversary of Project Galileo, we announce new products, programs, and strategic partnerships. To celebrate our 12th anniversary this year, we’re publishing our first comprehensive report on cyberattacks targeting civil society, releasing case studies that explore the security needs of 16 Project Galileo participants, and announcing new project partners. Introducing a new annual report on cyberattacks against global civil society Because Project Galileo now includes 3,400 domains belonging to organizations in over 120 countries, Cloudflare has access to unique data regarding the cyber threats, attacks, and trends targeting civil society — a critical pillar of global democracy. In addition, because the Cloudflare network spans more than 335 cities in 125 countries and more than 20% of the web

Datadog Security Labs Jun 18

Continuing our Agent ID series, this post demonstrates how a privileged agent could be compromised through its third-party blueprint. This leads to a cross-tenant incident similar to Midnight Blizzard, since an attacker with control over an agent blueprint can authenticate as any agent associated with that blueprint.

Wednesday, June 17
CERT/CC Jun 17
CVE

Overview

The SignalRGB kernel driver, SignalIo.sys, contains two vulnerabilities involving improper access control and unsafe memory handling. The device object is created with an overly permissive Discretionary Access Control List (DACL) that allows user-mode processes to access privileged hardware operations through input/output control (IOCTL) commands. Additionally, several IOCTL handlers are susceptible to NULL pointer dereference conditions, which further enables low-privilege users to trigger kernel crashes and cause Denial of Service (DoS). Version 1.3.7.0 of the SignalRGB driver remediates these vulnerabilities.

Description

SignalRGB is a Windows application used for RGB lighting control and hardware monitoring. Its kernel component, SignalIo.sys, provides the low-level interfaces required to access and interact with hardware resources. The SignalIo.sys driver exposes privileged functionality intended for administrative or security operations, but the device object is created without a restrictive security descriptor. Specifically, the driver does not apply security best practices by using either Security Descriptor Definition Language (SDDL) or the IoCreateDeviceSecure API, thereby allowing unprivileged user-mode processes to open handles to the device and issue privileged IOCTL requests.

CVE-2026-8049

The \\.\SignalIo device object is created without an explicit SDDL security descriptor and without FILE_DEVICE_SECURE_OPEN. This results in overly permissive default access control, allowing any authenticated local user to obtain a handle to the
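Both halves of the access-control problem CERT/CC describes are checkable from the driver's own settings: the SDDL string handed to IoCreateDeviceSecure (or its absence) and whether FILE_DEVICE_SECURE_OPEN is among the device characteristics. The following is an added example, not SignalRGB's or Microsoft's code: a Python audit of an SDDL DACL that flags Allow ACEs granting access to non-administrative principals, plus the characteristics check. SDDL_DEVOBJ_SYS_ALL_ADM_ALL and FILE_DEVICE_SECURE_OPEN carry the values the WDK headers give them; the parser and the test descriptors are constructed for this example.

```python
import re
from typing import List, Optional

# SID abbreviations and raw SIDs that any logged-on user (not just admins) falls under.
LOW_PRIV_PRINCIPALS = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "BU": "Users", "S-1-5-32-545": "Users",
    "IU": "Interactive", "S-1-5-4": "Interactive",
    "BG": "Guests", "AN": "Anonymous",
}

# The descriptor wdmsec.h names SDDL_DEVOBJ_SYS_ALL_ADM_ALL: SYSTEM and Administrators only.
SDDL_DEVOBJ_SYS_ALL_ADM_ALL = "D:P(A;;GA;;;SY)(A;;GA;;;BA)"
FILE_DEVICE_SECURE_OPEN = 0x00000100   # DeviceCharacteristics bit, value from the WDK headers


def expand_rights(rights: str) -> List[str]:
    """'GRGW' -> ['GR', 'GW']; a hex access mask is returned unchanged."""
    if rights.lower().startswith("0x"):
        return [rights]
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def audit_device_sddl(sddl: Optional[str]) -> List[str]:
    """One finding per way a non-administrator could open the device.
    An empty list means only SYSTEM/Administrators (or nobody at all) is granted access."""
    if not sddl:
        return ["no explicit descriptor: the IoCreateDevice default DACL applies, "
                "which is what lets ordinary users open the device"]
    m = re.search(r"D:(P?)((?:\([^)]*\))*)", sddl)
    if not m:
        return ["descriptor has no DACL (D:) component"]
    findings = []
    # ACE syntax: (type;flags;rights;object_guid;inherit_object_guid;sid)
    for ace in re.findall(r"\(([^)]*)\)", m.group(2)):
        fields = ace.split(";")
        if len(fields) < 6:
            findings.append(f"malformed ACE ({ace})")
            continue
        ace_type, _flags, rights, _obj, _inherit_obj, sid = fields[:6]
        if ace_type != "A":          # only Allow ACEs grant anything; Deny ACEs are fine
            continue
        who = LOW_PRIV_PRINCIPALS.get(sid)
        if who:
            findings.append(f"{who} ({sid}) granted {expand_rights(rights)}: "
                            "any local user can open a handle and send IOCTLs")
    return findings


def audit_device_characteristics(characteristics: int) -> List[str]:
    r"""A correct DACL is only enforced on opens of \\.\Name itself; opens of
    \\.\Name\anything bypass it unless FILE_DEVICE_SECURE_OPEN is set."""
    if characteristics & FILE_DEVICE_SECURE_OPEN:
        return []
    return ["FILE_DEVICE_SECURE_OPEN not set: the DACL is bypassed by opening a "
            "path below the device name"]


if __name__ == "__main__":
    # Constructed descriptors: the fixed form, and one that also grants Everyone read/write.
    for desc in (SDDL_DEVOBJ_SYS_ALL_ADM_ALL, "D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW;;;WD)", None):
        print(desc, "->", audit_device_sddl(desc))
    print(audit_device_characteristics(0))
```

The same check applies to any third-party driver on a fleet: the SDDL is visible in the driver's IoCreateDeviceSecure call (or in the INF's security directive for PnP devices), and a device that passes the DACL check but lacks FILE_DEVICE_SECURE_OPEN still needs the driver to validate the open on its own.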

r/netsec Jun 17

I've been reversing the 2M+ user Volume Booster Chrome extension and found something interesting. Between v1.0.3 (2025-06-27) and v1.0.4 (2025-07-02), the extension added:

"content_scripts": [{
  "matches": ["<all_urls>"],
  "js": [
    "vendor/GiveFreely-content.umd.js",
    "content-script.js"
  ]
}]

The previous version was essentially a small audio booster. The newer version introduces a Give Freely / Wildlink component that appears to support merchant detection, affiliate attribution, and donation campaigns. No new permissions were added, meaning existing users would have received the update automatically without a new Chrome permission approval prompt. I've also found the same Give Freely / Wildlink infrastructure in multiple unrelated extensions, which makes me think it's being distributed as a white-label monetization/fundraising SDK. I'm still investigating and considering whether this is worth adding to MalExt. At this point I don't have evidence of malware, credential theft, or anything overtly malicious, just a significant expansion of functionality in a 2M-user extension. Curious what others think. Is this a transparency/privacy concern, or just a normal extension monetization model? Any opinions or prior research on Give Freely / Wildlink would be appreciated so I can add it to [malext.io](http://malext.io)
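One way to catch the kind of change the post describes at update time is to diff the two versions' manifest.json and treat content_scripts match patterns as host scope, since a content script reaches every page its pattern matches whatever the permissions array says. The following is an added example, not the poster's tooling or MalExt code: the content_scripts entry is the one quoted in the post, everything else in both manifests is constructed.

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed manifests. The content_scripts block mirrors the one quoted in the post;
# names, versions and the permissions arrays are invented for this example.
OLD_MANIFEST = json.loads("""
{"manifest_version": 3, "name": "Volume Booster (example)", "version": "1.0.3",
 "permissions": ["activeTab", "storage"], "host_permissions": []}
""")
NEW_MANIFEST = json.loads("""
{"manifest_version": 3, "name": "Volume Booster (example)", "version": "1.0.4",
 "permissions": ["activeTab", "storage"], "host_permissions": [],
 "content_scripts": [{"matches": ["<all_urls>"],
                      "js": ["vendor/GiveFreely-content.umd.js", "content-script.js"]}]}
""")

# Match patterns that reach every origin the browser will load.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def content_script_scope(manifest: Dict) -> Tuple[Set[str], Set[str]]:
    """All match patterns and all JS files declared across content_scripts entries."""
    matches: Set[str] = set()
    files: Set[str] = set()
    for cs in manifest.get("content_scripts", []):
        matches.update(cs.get("matches", []))
        files.update(cs.get("js", []))
    return matches, files


def diff_manifests(old: Dict, new: Dict) -> Dict:
    """What the update adds, with content-script matches counted as host scope."""
    old_m, old_f = content_script_scope(old)
    new_m, new_f = content_script_scope(new)
    added_hosts: List[str] = sorted(
        set(new.get("host_permissions", [])) - set(old.get("host_permissions", [])))
    report = {
        "new_permissions": sorted(
            set(new.get("permissions", [])) - set(old.get("permissions", []))),
        "new_host_permissions": added_hosts,
        "new_content_script_matches": sorted(new_m - old_m),
        "new_content_script_files": sorted(new_f - old_f),
    }
    report["broad_host_scope"] = any(
        p in BROAD_PATTERNS
        for p in report["new_content_script_matches"] + added_hosts)
    # The case worth a human look: page access on every site grew while the
    # permissions array, the thing most reviewers glance at, stayed the same.
    report["scope_grew_without_permission_change"] = (
        report["broad_host_scope"] and not report["new_permissions"])
    return report


if __name__ == "__main__":
    print(json.dumps(diff_manifests(OLD_MANIFEST, NEW_MANIFEST), indent=2))
```

Run against the unpacked CRX of each version (the manifest is the top-level manifest.json), the new_content_script_files list is also the shortest path to the bundle worth reading first, here the vendor file.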

Praetorian Jun 17

Overview

Earlier this year, a team at Praetorian was building Constantine, our automated 0-day discovery engine. I wanted to find techniques worth folding into it, so on the side I started poking at the FreeBSD kernel with Claude Code, running on Opus 4.6, which was the latest Opus model at the time. A few days of work turned up real bugs and a weekend after that produced two working exploits capable of escaping from a FreeBSD jail. This article is part of a two-part series. In part one, I will be focusing on the methodology used to uncover the identified vulnerabilities and part two will focus on the methodology we leveraged to develop and exploit the vulnerabilities. It’s been several months since I disclosed roughly eight separate vulnerabilities to the FreeBSD security team. The reality is that this is a volunteer team and they are likely overwhelmed by the sheer number of vulnerabilities being identified within FreeBSD by various security researchers leveraging large language models. Because of this, we can really only publicly discuss a single vulnerability we reported, CVE-2026-3038, a fairly straight-

Story Overview