Microsoft has fixed a Windows Autopatch bug that caused driver updates restricted by administrative policies to be deployed on some Autopatch-managed Windows devices in the European Union. [...]
Cybersecurity News and Vulnerability Aggregator
Cybersecurity news aggregator
Updated: 9:20 pm
J/K Navigate / Search S Save V Open Link
— or
treemd <(curl -sL https://allsec.sh/md) (as Markdown) Top Cybersecurity Stories Today
A cybersecurity researcher has published proof-of-concept (PoC) exploits for two unpatched Microsoft Windows vulnerabilities named YellowKey and GreenPlasma, which are a BitLocker bypass and a privilege-escalation flaw. [...]
VU#471747: dnsmasq contains several vulnerabilities, including attacker DNS redirect, privilege escalation, and heap manipulation
Overview dnsmasq is affected by multiple memory safety and input validation vulnerabilities, including heap buffer overflows, heap corruption, and code execution flaws. Collectively, these vulnerabilities enable attackers to poison cached DNS records, bypass security controls, crash the dnsmasq process, or under certain conditions, achieve local privilege escalation. dnsmasq has released version 2.92rel2 to fix the vulnerabilities. Description dnsmasq is an open-source networking tool that provides DNS forwarding, DHCP, and network boot services for small-to-medium sized networks and home routing devices. It can also function as a DNS resolver, which is the primary exploitation use case for several of the vulnerabilities described below, tracked collectively as CVE-2026-2291, CVE-2026-4890, CVE-2026-4891, CVE-2026-4892, CVE-2026-4893, and CVE-2026-5172. CVE-2026-2291 dnsmasq's extract_name() function can be abused to cause a heap buffer overflow, enabling an attacker to inject false DNS cache entries. This could cause DNS queries to be redirected to attacker-controlled IP addresses or result in a Denial of Service (DoS). CVE-2026-4890 An infinite-loop flaw in the DNSSEC validation of dnsmasq allows remote attackers to cause Denial of Service (DoS) conditions via a crafted DNS packet. CVE-2026-4891 A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to leak memory information via a crafted DNS packet. CVE-2026-4892 A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root pr
A critical vulnerability affecting certain configurations of the Exim open-source mail transfer agent could be exploited by an unauthenticated remote attacker to execute arbitrary code. [...]
Foxconn, the world's largest electronics manufacturer, says some of its North American factories are now working to resume normal operations after a cyberattack. [...]
Latest
Wednesday, May 13
Re: their 5/13/26 incident update: [https://www.instructure.com/incident\_update](https://www.instructure.com/incident_update) * *We also identified a vulnerability regarding support tickets in our Free for Teacher environment that was exploited. We temporarily disabled Free for Teacher while we complete a full security review. We know that's disruptive, and we didn't make that call lightly. But keeping the entire Canvas platform secure has to come first.* Does anyone have any more information on this? Trying to prevent it from happening other places
On vendor disclosure timelines, bounty programme incentive misalignment, and the psychological contract
Published two Apple disclosures today (links below). Both confirmed by Apple, both scheduled for "Fall 2026" — six months from filing. I also wrote up the reasoning behind publishing ahead of that window, because I think the reasoning should be on the record. The essay covers: \- The implicit contract between researchers and vendors, and what "honouring it in letter but not in spirit" looks like in practice \- What "Fall 2026" actually means for a one-line bounds check fix \- The 90-day norm, why it exists, and what Project Zero's own data shows about fix times under deadline vs. indefinite windows \- The structural incentive misalignment when a bounty is "pending review" for months — that's not a bounty programme, that's a hush arrangement with a variable payout \- The specific calculus behind each disclosure: both bugs confirmed, both locally/conditionally exploitable only, mitigations available now, fix complexity low It's not a rant. It's a record. [https://stuart-thomas.com/vendor-ethics/](https://stuart-thomas.com/vendor-ethics/) \--- The two disclosures: \- PING-01 (BSS write): [https://stuart-thomas.com/research/ping-sweepmax-bss/](https://stuart-thomas.com/research/ping-sweepmax-bss/) \- SMB-01A (64 GiB amplification): [https://stuart-thomas.com/research/smbd-copychunk-dos/](https://stuart-thomas.com/research/smbd-copychunk-dos/)
A critical vulnerability affecting certain configurations of the Exim open-source mail transfer agent could be exploited by an unauthenticated remote attacker to execute arbitrary code. [...]
/sbin/ping -G sweepmax has no bounds check on macOS: deterministic BSS out-of-bounds write, confirmed by Apple
The -s flag in /sbin/ping has a maxpayload bounds check. -G sweepmax doesn't. An #ifndef \_\_APPLE\_\_ block removed the original uid guard without adding an equivalent check, so the fill loop walks past the end of the 65,535-byte outpackhdr\[\] BSS global and into adjacent globals. The write is byte-precise and deterministic: byte at offset N gets value (N-1) % 256, fully controlled by -G. Empirically confirmed on macOS 26.4.1 arm64e: \- sweepmax=65637: overwrites the static int s socket fd at BSS+128 with 0x63. Every subsequent setsockopt() returns EBADF. Exit 71. \- sweepmax=65636: runs clean. Binary-searchable threshold, invariant across runs. At higher sweepmax values the loop reaches pointer-type globals (\*outpack, \*hostname, \*shostname). On x86\_64 that's a write-what-where bounded by the sequential value constraint. On arm64e, PAC blocks code-pointer hijack; state corruption is still demonstrable. ping isn't setuid on macOS 11+, so no direct priv-esc. Local only. Fix is one line — symmetric maxpayload check matching what -s already does. Apple confirmed 16 April 2026, fix scheduled Fall 2026. Source is open: [github.com/apple-oss-distributions/network\_cmds](http://github.com/apple-oss-distributions/network_cmds) Full write-up with memory dump evidence: [https://stuart-thomas.com/research/ping-sweepmax-bss/](https://stuart-thomas.com/research/ping-sweepmax-bss/)
Apple's /usr/sbin/smbd (not Samba — Apple's own implementation) processes FSCTL\_SRV\_COPYCHUNK without enforcing any of the three limits MS-SMB2 §3.3.5.15.6 requires: \- MaxChunkCount: 256 → accepted 65,535 chunks \- MaxChunkSize: 1 MiB → accepted 1,048,577 bytes \- MaxDataSize: 16 MiB → accepted \~17 MiB All three tests returned STATUS\_SUCCESS. The spec requires STATUS\_INVALID\_PARAMETER. Attack: one authenticated SMB session, one 256-byte IOCTL, smbd runs 65,535 × (read\_file(1MiB) + write\_file(1MiB)) = 64 GiB disk I/O. The allocator retry loop means it doesn't fail cleanly — it just keeps going. Default macOS isn't exposed (File Sharing off by default). If you have SMB sharing enabled, mitigations are in the disclosure. Disassembly shows the chunk\_count extraction landing unmodified in the parsed struct (no bounds check), and the copy loop with a cbz-only guard (bail if zero, no cmp against 256). CVSS 3.1: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). Apple confirmed 25 April 2026, fix scheduled Fall 2026. Full write-up with disassembly, runtime captures, and PoC: [https://stuart-thomas.com/research/smbd-copychunk-dos/](https://stuart-thomas.com/research/smbd-copychunk-dos/)
126 Chrome extensions, all secretly the same product, taking 148K users' WhatsApp data and ad cookies
A Brazilian company (wascript.com.br) runs one platform that **126 different Chrome extensions** all share. They look like separate products, WaSeller, waTidy, FR VENDAS PRO, ENOCRM, Cliente Flow, and dozens more, but it's one codebase, one backend, one set of hidden behaviors. **WaSeller alone has 100K users.** I found this network using my own tool for detecting malicious browser extensions, which flagged the cluster by shared code and infrastructure across all 126 listings. None of the listings tell you that: * When you log into WhatsApp Web, the extension sends your name, email, device ID, and your Facebook/Google/TikTok tracking cookies to a server run by whoever sold you the extension. * Every voice message you send goes through their servers before it reaches the person you're sending it to. * The extension downloads and runs JavaScript from a different Brazilian company's server. Google never checks this code. * The 100K-user version has a live Google Tag Manager tag built in. The operator can push any new code to every user from a dashboard with no Chrome Web Store update. * A bridge inside WhatsApp Web gives the extension full access to your contacts, your messages, and the ability to send messages as you. No privacy policy on any listing. The manifest only asks for `tabs`, `storage`, `alarms`. Full list of all 126 extension IDs (check if you have one), tech details, and IOCs: [MalExt Sentry - Malicious Browser Extension Tracker](https://malext.io/reports/WaSteal)
Autonomous drones and ground vehicles will stream “battlefield intelligence” over 5G along the US-Canada border in a bilateral DHS experiment this fall.
I made a video explaining CPU registers for people learning binary exploitation — x86 vs x64 differences included
TL;DR: Single-page applications ship their entire frontend codebase to every visitor, including unauthenticated ones. Even a login page with no visible functionality delivers JavaScript bundles containing route definitions, API endpoint URLs, authentication logic, data models, and sometimes hardcoded secrets. As part of Guard’s continuous penetration testing, we use AI-assisted tooling to extract this information and fuzz the backend APIs it reveals, finding IDORs, unauthenticated endpoints, and exposed backend services that bypass API Gateway authentication. On the automation side, Guard crawls every external web application across a customer’s attack surface, runs Titus to detect and validate embedded secrets, and we are currently building a system named Cato for automated triage of these findings using artificial intelligence at scale. A few weeks ago I was working through a list of web applications on a client’s attack surface as part of Guard’s continuous penetration testing. One of them loaded a login page. No sign-up link. No documentation. No visible functionality beyond a username field, a password field, and a submit button. A traditional scanner would poke at the login form, try some default credentials, and move on. I didn’t move on. That login page was a single-page application, and the browser had just downloaded the entire frontend codebase to render it. I opened DevTools, pulled the webpack bundle, and pointed Claude Code at it. Within a few minutes it had mapped out route definitions for every page in the application, extracted API endpoint URLs for multiple backend services, identified the authentication logic including token handling and refresh flows, and surfaced data models that described what the application stores and processes. The login page presented itself as a dead end. The JavaScript bundl
https://www.nist.gov/news-events/news/2026/04/nist-updates-nvd-operations-address-record-cve-growth NIST can't keep up with the amount of CVEs coming in any more. They are now only reviewing "important"CVEs. Pretty much only if they affect the government, or if they are already known! This is going to leave close to 90% of their CVEs not reviewed. So what do you all think of this? I think this enforces AI is not taking our jobs any time soon as look how undermanned NIST is.
A cybersecurity researcher has published proof-of-concept (PoC) exploits for two unpatched Microsoft Windows vulnerabilities named YellowKey and GreenPlasma, which are a BitLocker bypass and a privilege-escalation flaw. [...]
**TL;DR: Bitdefender Labs tracked a multi-wave intrusion targeting an Azerbaijani oil and gas company from late December 2025 through late February 2026. This research documents expansion of Chinese APT activity against South Caucasus energy infrastructure, attributed with moderate-to-high confidence to FamousSparrow (overlapping with the Earth Estries threat ecosystem).** The new DLL sideloading variant is the interesting bit. Standard sideloading fires the payload from `DllMain` or a single export — sandboxes catch it. This one splits logic across two exports: * `Init` patches `StartServiceCtrlDispatcherW` in memory and exits * Host binary runs its normal startup, eventually calls `ComMain, which is`routed through the patched API into the loader and decrypts+executes the Deed RAT No anti-VM, no debugger checks, just an implicit requirement that the host be exercised normally. Run the DLL alone or hit one export in a sandbox and the malware looks inert. Chinese APTs are known to share new and successful techniques across the ecosystem. We saw it play out very clearly with "traditional" DLL sideloading - once it proved effective, it spread across basically every Chinese APT toolkit and then well beyond. Our expectation is the same here: this stealthier multi-export variant is not limited to the LogMeIn Hamachi binary used in this intrusion (there are plenty of other candidate executables with similar call patterns to abuse), and we expect to see it picked up by other Chinese APT groups over the next 12 months. In other words, this is a technique development story, not just a regional targeting story. Full writeup + IOCs: [https://www.bitdefender.com/en-us/blog/businessinsights/famoussparrow-apt-targets-azerbaijani-oil-gas-industry](https://www.bitdefender.com/en-us/blog/businessinsights/famoussparrow-apt-targets-azerbaijani-oil-gas-industry) If you want a primer on how DLL sideloading works in general before diving in, I wrote an explainer here (planning to update it with this new variant soon): [https://techzone.bitdefender.com/en/tech-explainers/what-is-dll-sideloading.html](https://techzone.bitdefender.com/en/tech-explainers/what-is-dll-sideloading.html)
Microsoft has fixed a Windows Autopatch bug that caused driver updates restricted by administrative policies to be deployed on some Autopatch-managed Windows devices in the European Union. [...]
A deep dive into detecting two recent Linux local privilege escalation vulnerabilities — CopyFail (CVE-2026-31431) and DirtyFrag (CVE-2026-43284, CVE-2026-43500) — both of which abuse the kernel page cache through splice() and specific socket subsystems (AF\_ALG, UDP\_ENCAP\_ESPINUDP, RxRPC). The post explains why the common detection approaches (blocking entire socket families or watching for specific file paths) are too broad or too easily bypassed, then walks through a behavior-based detection strategy using eBPF LSM hooks on security\_socket\_setsockopt, tracking per-task call frequency and option values to identify the abnormal patterns that exploits produce but legitimate workloads never do. Includes annotated eBPF code for both detections and a discussion of evasion mitigations.
The company says its new Incognito Chat allows you to use its AI chatbot without anyone else—including Meta—being able to access your conversations.
A threat actor with affiliations to China has been linked to a "multi-wave intrusion" targeting an unnamed Azerbaijani oil and gas company between late December 2025 and late February 2026, marking an expansion of its targeting. The activity has been attributed by Bitdefender with moderate-to-high confidence to a hacking group known as FamousSparrow (aka UAT-9244), which shares some level of
We’ve enabled higher usage limits, faster performance, and better reliability for Browser Run by rebuilding on top of Cloudflare’s Containers . You can now spin up 60 browsers per minute via the Workers binding and run up to 120 concurrently — 4x the previous limit. Also, Quick Action response times dropped more than 50%. You don't need to change anything: these improvements are live today. On top of that, we’re shipping fixes and new features faster than before. Read on to learn how we did it and see the data. Remind me: what is Browser Run? Browser Run enables developers to programmatically control and interact with headless browser instances running on Cloudflare’s global network. That’s useful for end-to-end testing of web applications, securely investigating suspicious URLs, and leveraging how browsers can easily render PDF documents, amongst other quick actions like capturing screenshots and extracting content. More recently, it’s become a critical enabler of AI agents to interact with the web. We’re building Browser Run to be the go-to platform to responsibly utilize automated browsers securely at massive scale. Outgrowing our bunk bed Before adopting Cloudflare Containers, we shared infrastructure with Browser Isolation (BISO). While technically similar, BISO’s larger container images slowed startup and development. Crucially, BISO browsers lacked optimal global distribution, compromising resiliency and latency. Addi
Foxconn, the world's largest electronics manufacturer, says some of its North American factories are now working to resume normal operations after a cyberattack. [...]
Attackers can compromise systems in minutes while patching and response still take hours or days. Picus Security breaks down why autonomous validation is becoming critical for modern defense strategies. [...]
FOSS tool — not commercial. IOCX is a deterministic IOC extraction engine built for malware analysts and DFIR workflows. It’s static‑only (no execution), PE‑aware, and plugin‑extensible. The goal is to extract indicators and structural anomalies reliably, even from malformed or adversarial binaries. **Key behaviours:** * deterministic output (no sandbox variance) * handles malformed PE headers and weird section layouts * extracts IOCs + structural anomalies in one pass * plugin‑extensible enrichment system Repo: [https://github.com/iocx-dev/iocx](https://github.com/iocx-dev/iocx) Site: [https://iocx.dev](https://iocx.dev) Happy to answer technical questions or discuss edge cases.
[Claude Code] Android Reverse engineering Skill being updated with tracker/AD neutralization features
Security teams have never had better visibility into their environments and never been worse at confirming what they fix stays fixed. Mandiant's M-Trends 2026 report puts the mean time to exploit at an estimated negative seven days. The Verizon 2025 DBIR puts median time to remediate edge device vulnerabilities at 32 days. These numbers have understandably driven the industry toward a clear
Microsoft on Tuesday released patches for 138 security vulnerabilities spanning its product portfolio, although none of them have been listed as publicly known or under active attack. Of the 138 flaws, 30 are rated Critical, 104 are rated Important, three are rated Moderate, and one is rated Low in severity. As many as 61 vulnerabilities are classified as privilege escalation bugs, followed by
Cybersecurity researchers are calling attention to a new campaign dubbed GemStuffer that has targeted the RubyGems repository with more than 150 gems that use the registry as a data exfiltration channel rather than for malware distribution. "The packages do not appear designed for mass developer compromise," Socket said. "Many have little or no download activity, and the payloads are repetitive,
We recently published an exploit chain for the Google Pixel 9 that demonstrated it was possible to go from a zero-click context to root on Android in just two exploits. The Dolby 0-click vulnerability existed across all of Android, until it was patched in January 2026. While we had an exploit chain for the Pixel 9, we wanted to see if it was possible to write a similar exploit chain for Pixel 10. Updating the Dolby Exploit Altering our exploit for CVE-2025-54957 was fairly straightforward. The majority of needed changes involved updating offsets calculated for the specific version of the library we targeted on the Pixel 9 to similar offsets in the library for Pixel 10. The only challenge (outside of wishing we’d better documented which syncframes contained offsets) was that the Pixel 10 uses RET PAC in the place of -fstack-protector, which meant that __stack_chk_fail wasn’t available to be overwritten by code. After a bit of trial and error, we used dap_cpdp_init, initialization code that can be overwritten without causing functional problems, as it is called once when the decoder is initialized and never again.
Google on Tuesday unveiled a new opt-in Android feature called Intrusion Logging for storing forensic logs to better analyze sophisticated spyware attacks. Intrusion Logging, available as part of Advanced Protection Mode, enables "persistent and privacy-preserving forensics logging to allow for investigation of devices in the event of a suspected compromise," the company said. The feature, it
A static analysis of the open-sourced Shai-Hulud offensive framework attributed to TeamPCP, covering its credential harvesting, supply chain poisoning, and exfiltration capabilities.
Tuesday, May 12
The U.S. House Committee on Homeland Security is calling on Instructure executives to testify about two cyberattacks by the ShinyHunters extortion group that targeted the company's Canvas platform, allowing threat actors to steal student data and disrupt schools during final exams. [...]
Artificial intelligence platforms may be just as susceptible to social engineering as human beings, but they are proving remarkably good at finding security vulnerabilities in human-made computer code. That reality is on full display this month with some of the more widely-used software makers — including Apple , Google , Microsoft , Mozilla and Oracle — fixing near record volumes of security bugs, and/or quickening the tempo of their patch releases. As it does on the second Tuesday of every month, Microsoft today released software updates to address at least 118 security vulnerabilities in its various Windows operating systems and other products. Remarkably, this is the first Patch Tuesday in nearly two years that Microsoft is not shipping any fixes to deal with emergency zero-day flaws that are already being exploited. Nor have any of the flaws fixed today been previously disclosed (potentially giving attackers a heads up in how to exploit the weakness). Sixteen of the vulnerabilities earned Microsoft’s most-dire “critical” label, meaning malware or miscreants could abuse these bugs to seize remote control over a vulnerable Windows device with little or no help from the user. Rapid7 has done much of the heavy lifting in identifying some of the more concerning critical weaknesses this month, including: CVE-2026-41089 : A critical stack-based buffer overflow in Windows Netlogon that offers an attacker SYSTEM privileges on the domain controller. No privileges or user interaction are required, and attack complexity is low. Patches are available for all versions of Windows Server from 2012 onwards.
Silverfort published research two weeks ago showing the Agent ID Administrator role could take over any service principal in a tenant. Microsoft patched the specific flaw. But the underlying primitive is unchanged: if you own a service principal, you own its permissions. The attack is simple. Gain ownership of a service principal that holds a directory role. Add a client secret. Authenticate as that service principal. Inherit every permission it holds. If the target has a Global Administrator, that's a full tenant takeover. 99% of tenants have at least one privileged service principal. Most organizations don't audit who owns them. Here's what most environments look like: *→ Service principals created by developers who left 12+ months ago* *→ Ownership assigned at creation time, never reviewed* *→ Credentials that haven't been rotated since the application was registered* *→ Application-level permissions that bypass every user-scoped control* *→ No alert when someone changes ownership or adds credentials* We wrote a post covering: *1. The attack chain — how ownership becomes takeover in four steps* *2. Where to check in the Entra admin center — the portal paths most admins never open* *3. Three PowerShell audit queries you can run in 30 minutes* *4. Two KQL detection rules for Sentinel — ownership changes and credential additions* *5. The consolidated audit script you can hand to your security lead* The organizations that get compromised through service principal abuse aren't the ones that failed to patch a specific vulnerability. They're the ones that never governed the primitive. Full post with all queries and detection rules: [https://training.ridgelinecyber.com/blog/service-principal-ownership-attack-path/](https://training.ridgelinecyber.com/blog/service-principal-ownership-attack-path/)
The Information Commissioner's Office has fined South Staffordshire Water Plc and parent company South Staffordshire Plc £963,900 ($1.3 million) over a cyberattack that exposed the personal data of 663,887 customers and employees. [...]
Signal has introduced new in-app confirmations and warning messages as additional safeguards against phishing and social engineering attempts that could lead to various forms of fraud. [...]
In the US, fired and laid-off workers often have their digital credentials deactivated before they learn about the loss of their jobs; indeed, the inability to log in to a corporate system may be the first an employee knows of the situation. Although not a generous or humane approach to staff reduction, it does follow from the simple fact that a fired employee with access to company systems is a security risk. Just ask the Akhter twin brothers, accused of wiping out 96 databases hosting US government information in the minutes after both were fired last year from their shared employer. Read full article Comments ]]>
Iran’s traditional naval fleet has been almost completely destroyed by US-Israeli raids. But Iran’s military has put a fleet of small vessels on the water that is crippling every passageway.
Fortinet has released security patches for two critical vulnerabilities in FortiSandbox and FortiAuthenticator that could enable attackers to run commands or arbitrary code. [...]
GitHub - iss4cf0ng/OpenBootloader: A Proof-of-Concept of simple bootloader, written in Assembly (NASM) and C language.
There is a lot of non-data driven discussions around using AI in investigations. Some people think it will be amazing. Some think its a disaster. A lot of other people are undecided. The community needs data to help navigate this and I'm hoping you can help. We launched a challenge a couple of weeks back. 1. Submit anonymized screen shots of where AI was amazing, where it was a disaster, and where it was "meh...." 2. Our panel of judges (skeptics and advocates) will review them 3. The public will vote 4. Winners get bragging rights 5. All anonymous submissions are posted on github. Judges: * Heather Barnhart (SANS) * Alexis Brignoni (LEAPPS) * Eric Capuano (Digital Defense Institute) * Brian Carrier (Sleuth Kit Labs – Organizer) * Filip Stojkovski (BlinkOps) Full details are here: [https://www.cybertriage.com/blog/aidfir-2026-challenge-the-good-vs-the-ugly/](https://www.cybertriage.com/blog/aidfir-2026-challenge-the-good-vs-the-ugly/) Please send in your best submissions!
RubyGems, the standard package manager for the Ruby programming language, has temporarily paused account sign ups following what has been described as a "major malicious attack." "We're dealing with a major malicious attack on RubyGems right now," Maciej Mensfeld, senior product manager for software supply chain security at Mend.io, said in a post on X. "Signups are paused for the time being.
CUBIC, standardized in RFC 9438 , is the default congestion controller in Linux, and as a result governs how most TCP and QUIC connections on the public Internet probe for available bandwidth, back off when they detect loss, and recover afterward. At Cloudflare, our open-source implementation of QUIC, quiche , uses CUBIC as its default congestion controller, meaning this code is in the critical path for a significant share of the traffic we serve. In this post, we’ll tell the story of a bug in which CUBIC's congestion window (cwnd) gets permanently pinned at its minimum and never recovers from a congestion collapse event. The story starts with a Linux kernel change aimed at bringing CUBIC into line with the app-limited exclusion described in RFC 9438 §4.2-12 — a fix to a real problem in TCP that, when ported to our QUIC implementation, surfaced unexpected behaviors in quiche. It has a happy ending: an elegant (near-)one-line fix that broke the cycle. CUBIC's logic in a nutshell Before we dive into the core problem, a quick refresher on Congestion Control Algorithms (CCAs) may help to set the stage. The central knob a CCA turns is the congestion window ( cwnd ): the sender-side cap on how many bytes can be in flight (sent but not yet acknowledged) at any moment. A larger cwnd lets the sender push more data per round trip; a smaller cwnd throttles it. Every loss-based CCA, CUBIC included, is ultimately a policy for how to grow cwnd when the network looks healthy and how to sh
Cybersecurity researchers have flagged a new version of the TrickMo Android banking trojan that uses The Open Network (TON) for command-and-control (C2). The new variant, observed by ThreatFabric between January and February 2026, has been observed actively targeting banking and cryptocurrency wallet users in France, Italy, and Austria. "TrickMo relies on a runtime-loaded APK (dex.module),
TeamPCP, the threat actor behind the recentsupply chain attack spree, has been linked to the compromise of the npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI as part of a fresh Mini Shai-Hulud campaign. The affected npm packages have been modified to include an obfuscated JavaScript file ("router_init.js") that's designed to profile the execution
Go’s native fuzzing is useful, but it stands far behind state-of-the-art tooling that the Rust, C, and C++ ecosystems offer with LibAFL and AFL++. Path constraints are hard to solve. Structured inputs usually need handmade parsing. It doesn’t even detect several common bug classes, such as integer overflows, goroutine leaks, data races, and execution timeouts. So to make it better, we built gosentry , a fuzzing-oriented fork of the Go toolchain that keeps the standard testing.F workflow while using a stronger fuzzing stack underneath to tackle those issues. With gosentry, go test -fuzz uses LibAFL by default. It can fuzz structs natively, run grammar-based fuzzing with Nautilus, detect bug classes that it couldn’t detect before, and create a fuzzing campaign coverage report in one command. If you already have Go fuzz harnesses, you don’t need to rewrite them. Point them at gosentry’s binary and you get all of the above through the same go test -fuzz interface, with a few new flags: ./bin/go test -fuzz = FuzzHarness --focus-on-new-code = false --catch-races = true --catch-leaks = true Figure 1: Basic gosentry usage gosentry keeps the harness API and changes the engine and the surrounding tooling — you
Agentic AI is already running in production environments across many organizations today. It is executing tasks, consuming data, and taking actions — most likely without meaningful involvement from the security team. The industry conversation has largely framed this as a question of policy: allow it, restrict it, or monitor it? However, that framing misses the point. The more urgent
AI Will Absorb 99.98% of SOC Triage Within a Year, as 79% of IT teams brace for AI-driven workload shift
COPENHAGEN, DENMARK, 12 May 2026 — Heimdal’s managed SOC processes three million alerts a month. In the year ahead, fewer than 500 of those, less than 0.02%, are expected to need a human analyst. That’s the forecast from Heimdal founder Morten Kjaersgaard, based on the trajectory of AI Wingman SOC as it absorbs the bulk […] The post AI Will Absorb 99.98% of SOC Triage Within a Year, as 79% of IT teams brace for AI-driven workload shift appeared first on Heimdal Security Blog .
A pre-auth remote code execution vulnerability was found in the CWMP implementation of ipTIME routers, allowing unauthenticated attackers to execute arbitrary code remotely.
OpenAI has launched Daybreak, a new cybersecurity initiative that brings together frontier artificial intelligence (AI) model capabilities and Codex Security to help organizations identify and patch vulnerabilities before attackers find a way in using the same issues. "Daybreak combines the intelligence of OpenAI models, the extensibility of Codex as an agentic harness, and our partners across
Apple on Monday officially released iOS 26.5 with support for end-to-end encryption (E2EE) to Rich Communication Services (RCS) in beta as part of a "cross-industry effort" to replace traditional SMS with a more secure alternative. To that end, E2EE RCS messaging is rolling out to iPhone users running iOS 26.5 with supported carriers and Android users on the latest version of Google Messages.
Lockbit Black Loader and Shellcode Analysis - Full Thought process, Technical Writeup and Blue Team perspective
Monday, May 11
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite Today, we welcome the 43rd government onboarded to Have I Been Pwned's free gov service, Bangladesh. The BGD e-GOV CIRT department now has full access to query all their government domains via API, and monitor them against future breaches. Bangladesh joins a growing list of national governments using HIBP to help protect their public sector digital assets, and we look forward to supporting their efforts to identify exposure of government email addresses in data breaches and respond quickly when new incidents appear.
Key Takeaways Sara Pentest and Sara Pentest+ Are Now Generally Available Since releasing Sara Pentest as general availability earlier this month, we’ve also shipped a set of platform updates that make it easier to scope, launch, and act on Sara findings at scale. This post walks through what’s new with the Synack PTaaS platform, and […] The post What’s New with Sara Pentest: Closing the Coverage Gap, One Test at a Time appeared first on Synack .
Checkmarx has confirmed that a modified version of the Jenkins AST plugin was published to the Jenkins Marketplace. "If you are using Checkmarx Jenkins AST plugin, you need to ensure that you are using the version 2.0.13-829.vc72453fa_1c16 that was published on December 17, 2025 or previously," the cybersecurity company said in a statement over the weekend. As of writing, Checkmarx has released
A threat actor named Mr_Rot13 has been attributed to the exploitation of a recently disclosed critical cPanel flaw to deploy a backdoor codenamed Filemanager on compromised environments. The attack exploits CVE-2026-41940, a vulnerability impacting cPanel and WebHost Manager (WHM) that could result in an authentication bypass and allow remote attackers to gain elevated control of the control
VU#471747: dnsmasq contains several vulnerabilities, including attacker DNS redirect, privilege escalation, and heap manipulation
Overview dnsmasq is affected by multiple memory safety and input validation vulnerabilities, including heap buffer overflows, heap corruption, and code execution flaws. Collectively, these vulnerabilities enable attackers to poison cached DNS records, bypass security controls, crash the dnsmasq process, or under certain conditions, achieve local privilege escalation. dnsmasq has released version 2.92rel2 to fix the vulnerabilities. Description dnsmasq is an open-source networking tool that provides DNS forwarding, DHCP, and network boot services for small-to-medium sized networks and home routing devices. It can also function as a DNS resolver, which is the primary exploitation use case for several of the vulnerabilities described below, tracked collectively as CVE-2026-2291, CVE-2026-4890, CVE-2026-4891, CVE-2026-4892, CVE-2026-4893, and CVE-2026-5172. CVE-2026-2291 dnsmasq's extract_name() function can be abused to cause a heap buffer overflow, enabling an attacker to inject false DNS cache entries. This could cause DNS queries to be redirected to attacker-controlled IP addresses or result in a Denial of Service (DoS). CVE-2026-4890 An infinite-loop flaw in the DNSSEC validation of dnsmasq allows remote attackers to cause Denial of Service (DoS) conditions via a crafted DNS packet. CVE-2026-4891 A heap-based out-of-bounds read vulnerability in the DNSSEC validation of dnsmasq allows remote attackers to leak memory information via a crafted DNS packet. CVE-2026-4892 A heap-based out-of-bounds write vulnerability in the DHCPv6 implementation of dnsmasq allows local attackers to execute arbitrary code with root pr
Google on Monday disclosed that it identified an unknown threat actor using a zero-day exploit that it said was likely developed with an artificial intelligence (AI) system, marking the first time the technology has been put to use in the wild in a malicious context for vulnerability discovery and exploit generation. The activity is said to be the work of cybercrime threat actors who appear to
Overview Casdoor contains an arbitrary file write vulnerability in the implementation of its "Local File System" storage provider. Due to insufficient sanitization of user-supplied paths, an authenticated user with file upload permissions can escape the intended storage directory and write files elsewhere on the target filesystem. The vulnerability allows attackers to bypass Casdoor’s storage sandbox and perform unauthorized actions with the privileges of the Casdoor runtime user. Description Casdoor is an open-source identity and access management (IAM) platform and Model Context Protocol (MCP) gateway that provides authentication, single sign-on, and multi-protocol identity services for applications. Internally, it uses its Local File System storage provider to save files to a dedicated $CASDOOR/files/ directory. During a file upload via the /api/upload-resource endpoint, the Casdoor application determines the target storage filepath by concatenating the user-supplied parameters pathPrefix and fullFilePath . However, values provided for pathPrefix are not properly sanitized, so directory traversal sequences such as ../../ are accepted without any integrity or permission checks beyond those of the OS user running the Casdoor process. The application does not verify that the destination filepath remains inside the dedicated storage directory, and it will create or overwrite any file that the Casdoor process has permission to modify. CVE-2026-6815 An arbitrary file write vulnerability exists in Casdoor's Local File System storage provider. Due to insufficient path sanitization, an authenticated attacker with file upload privileges can perform a path tra
The EtherRAT malware family was first reported by Sysdig back in December 2025. At that time, the initial access vector was exploitation of CVE-2025-55182 (React2Shell) targeting Linux servers. In March 2026, a Windows variant campaign was reported by Atos, with their investigation showing evidence of activity going back to the previous December. In April, we […] The post Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware appeared first on The DFIR Report .
Rough Monday. Somebody poisoned a trusted download again, somebody else turned cloud servers into public housing, and a few crews are still getting into boxes with bugs that should’ve died years ago — the same old holes, same lazy access paths, same “how the hell is this still open” feeling. One report this week basically reads like a guy tripped over root access by accident and decided to stay
Health service has given US tech firm ‘unlimited access’ to certain data to build integrated platform, according to reports UK politics live – latest updates MPs have warned that an NHS decision to grant Palantir access to identifiable patient information in its plan to use AI to improve the health service is “dangerous” and will fuel public fears that data privacy is not being prioritised. NHS England has allowed staff from the US tech firm and other contractors to access patient data before it has been pseudonymised, despite internal fears of a “risk of loss of public confidence”, the Financial Times reported. Continue reading...
I recently published a security research post on the myAudi connected vehicle platform. I found that anyone with a VIN can access a sensitive informations about car and ownership I think the topic is useful beyond Audi itself, because many vendors now rely on these “connected vehicle” platforms and mobile apps, often with very similar architectures and assumptions
To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.
I’m happy to announce that we are releasing the beta version of RAPTR, a fully open source, API driven collaboration platform built specifically for red and purple team engagements. Check out the code on GitHub , read the docs , or try out the latest build at our sandbox . Why I built it Up until recently, our team relied on PurpleOps for our Purple Team engagements . It’s a solid tool and served as a good starting point for us. Eventually, we needed more out of it, so we maintained our own custom f
Learn how malicious Claude Code skills can abuse dynamic context commands to execute before model-level prompt injection defenses can intervene.
Sunday, May 10
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite Well, it's the day before the Instructure "pay or leak" deadline (at least by my Aussie watch), and the company remains removed from the ShinyHunters website. In its place sits a press statement that amounts to "we're not making any statements". So did they pay? And if so, what lofty figure would an incident of this scale command? The lawsuits are already being prepared (search for "instructure class action lawsuit"), so perhaps that will be the catalyst for transparency. What a crazy time.
Across all major ShinyHunters campaigns (AT&T/Snowflake, Salesforce, Canvas/Instructure), only one event has both a publicly stated payment amount and a known approximate settlement date: the May 2024 AT&T payment of \~5.7 BTC (\~$370K), confirmed by *Wired* but never published with a transaction hash. I use that as the analytical anchor for an end-to-end on-chain analysis using only free public data. **Pipeline (5 stages):** 1. BigQuery bulk filter on amount and time window → 500 candidates. 2. Recipient profiling via Blockstream Esplora (lifetime tx count, spend shape). 3. Sender-side cluster analysis using common-input ownership; looking for broker-aggregation patterns. 4. Depth-12 concurrent forward trace, top-K=4 fan-out. 5. Terminal attribution via OKLink, BitInfoCharts, WalletExplorer. **Result:** A single highest-fit candidate: 5.71997804 BTC paid 2024-05-17 22:04 UTC to a fresh recipient, spent in 6 min, laundered through a 6-cycle automated peel chain, terminating at an exchange deposit cluster. Funding side shows broker-aggregation fingerprint (4× 1.147 BTC peels in a 90-min window pre-payout). Upstream hub addresses appear reused across multiple victims of the same laundering service, active through 2025. Paper closes with the legal pathway from chain endpoint to indictment and a scoped compliance-request template. **Limitations (explicit in §5):** Ranking under a scoring scheme, not positive ID. No off-chain ground truth. Documented OKLink vs. Arkham label conflict on the dominant terminal, resolved via behavioural audit. No formal null-distribution analysis yet. Score weights are author judgements. **Asking for:** 1. Technical feedback / methodology critique. 2. arXiv [cs.CR](http://cs.CR) endorsement — endorsement code: **ZQXBSQ** [github.com/tr4m0ryp/shinyhunters-gotta-catch-em-all/blob/main/Gotta\_Catch\_Em\_All\_ShinyHunters.pdf](http://github.com/tr4m0ryp/shinyhunters-gotta-catch-em-all/blob/main/Gotta_Catch_Em_All_ShinyHunters.pdf) Tooling and dataset released for reuse
I am proud to announce the release of **Crow-Eye v0.10.0**. This milestone marks the official launch of **The Eye** a robust intelligence layer designed to integrate your own AI agents directly into **Crow-Eye,** This isn't just a regular update; it’s a massive milestone for us . My goal from day one has been to build an ecosystem that doesn't just chase known signatures, but actually gives investigators the power to hunt zero-days But as we celebrate this release and introduce our new AI layer, we need to talk about the elephant in the room. # The Problem with AI in Forensics There’s a huge rush right now to slap AI onto cybersecurity tools, and honestly, a lot of it is dangerous. We are seeing "black box" solutions where investigators feed raw data into an LLM and just trust the answers it spits out. In DFIR, an AI hallucination can ruin a case. An answer without mathematical, binary proof is worthless. If an AI agent cannot anchor its reasoning to exact offsets, hashes, and unmanipulated timestamps, we cannot trust it. To fix this, I realized we had to architect a system where the AI is bound by the exact same strict evidentiary rules as a human analyst. # The Starting Line: Automated Triage Before the AI even wakes up, Crow-Eye does the heavy lifting. When you launch **The Eye**, the platform immediately runs a high-speed Automated Triage phase. It queries the underlying SQLite databases to map out the ground truth: active users, execution histories, accessed files, USB devices, and Auto Run configs. This builds a comprehensive **Initial Report**. This report isn't the final investigation it’s the baseline. It’s the verified starting line before we let the AI touch the data. # The Brain of "The Eye" I believe you should have total control over your data and your analytical "brain." That’s why The Eye is completely modular. You can plug in whatever intelligence fits your environment: * **Cloud AI Models:** Hook up your public API keys for high-performance reasoning. * **Offline Servers & Local Inference:** For air-gapped labs where privacy is non-negotiable. * *Dev Note:* A lot of my testing and development for The Eye was actually done using **LM Studio** and Google’s open-weights models (like the **Gemma** family). If you're a solo investigator, running Gemma locally on your own machine is incredibly powerful. Just a tip: push your context window as high as possible to handle the dense forensic payloads! * **CLI Agents:** If you are a developer or researcher, you can hook up your own custom-built local agents, or seamlessly pipe in tools like **Claude Code** and the **Gemini CLI**. https://preview.redd.it/zdg32192ic0h1.png?width=2023&format=png&auto=webp&s=a1458500b3765ccb1a7fb4018a9dcd2203bd7a1a # Keeping the AI Honest: The Ghassan Elsman Protocol (GEP) Triage gives us the data, but the **Ghassan Elsman Protocol (GEP)** ensures the AI doesn't mess it up. The GEP is a strict set of rules hardcoded into the workflow to maintain a perfect chain of custody: 1. **Case Awareness:** The Initial Report is injected directly into the prompt to ground the AI in reality. 2. **Pre-Flight Ping:** Validates backend connectivity to stop silent failures. 3. **Evidence Anchoring:** Automatically tags and preserves raw hashes, IPs, and timestamps in the chat history. 4. **Chain of Custody:** Every truncation or data preservation event is meticulously logged. 5. **Non-Repudiation:** Messages are assigned deterministic, hash-linked IDs so records can't be altered. 6. **Context Pinning:** Critical evidence is locked and excluded from automated AI summarization. 7. **Tool Traceability:** Every tool the AI uses (like querying LOLBAS) is logged with exact execution counts. 8. **Machine-Readable Synthesis:** You get a clean JSON audit trail at the end to prove compliance. # What's Next: Bridging Analysis and Anatomy While The Eye handles the high-speed analysis, our educational hub, **Eye Describe**, In upcoming updates, we are going to start building a bridge between these two tools. The goal is to gradually integrate visual references alongside the AI's findings. We want to reach a point where the AI doesn't just give you an answer, but helps point you toward the structural anatomy of the artifact it analyzed. It’s an iterative, ongoing project, but we believe it is an important step toward total forensic transparency. This is the very first release of The Eye. You might hit a few bumps connecting to certain local backends or managing specific CLI tools, but we are actively squashing bugs and refining the experience over the next few weeks. Please submit any issues you find! The latest source code and release are available right now on our GitHub. For those waiting for the compiled `.exe` version, it will be dropping very soon on our official website. **GitHub :** [https://github.com/Ghassan-elsman/Crow-Eye](https://github.com/Ghassan-elsman/Crow-Eye) **good hunting**
Saturday, May 9
Plus: Meta officially kills encrypted Instagram DMs, the Trump administration targets “violent left wing extremists,” leaked documents reveal Russia's school for elite hackers, and more.
Friday, May 8
JDownloader is compromised! * The replaced malicious executable contains the official and benign JDownloader in resources along with an XOR encrypted blob also available in resources * The encrypted blob after 8 minutes of waiting to prevent sandbox noise is decrypted and executed, the next stage contains also several XOR encrypted resources and the official Python installer * After decrypting resources, they contain PyArmor encrypted file and PyArmor runtime * Delivers sophisticated Python remote access malware See AnyRun execution chain along with the 8 minute wait before the payload starts: [https://app.any.run/tasks/e0cecc2d-5571-49fe-a549-cc7d1b8b5908](https://app.any.run/tasks/e0cecc2d-5571-49fe-a549-cc7d1b8b5908) IOC's: * Initial delivered installer -> 5a6636ce490789d7f26aaa86e50bd65c7330f8e6a7c32418740c1d009fb12ef3 * Stage 2 payload -> 77a60b5c443f011dc67ace877f5b2ad7773501f3d82481db7f4a5238cf895f80 * PyArmor encrypted blob: 5fdbee7aa7ba6a5026855a35a9fe075967341017d3cb932e736a12dd00ed590a * hxxps://parkspringshotel\[.\]com/m/Lu6aeloo.php (most likely another compromised URL) * hxxpx://auraguest\[.\]lk/m/douV2quu.php (most likely another compromised URL)
With the launch of the first 16 satellites, Russia begins construction of a network for satellite internet that aims to cover the entire country by 2030. But getting there won’t be easy.
Thousands of schools around the US were paralyzed on Thursday after education tech firm Instructure shut down access to its Canvas platform following a breach by hackers going by the name ShinyHunters.
SASS King Part 2: reverse-engineering ptxas heuristic decisions and what the compiled binary actually reveals
An ongoing data extortion attack targeting the widely-used education technology platform Canvas disrupted classes and coursework at school districts and universities across the United States today, after a cybercrime group defaced the service’s login page with a ransom demand that threatened to leak data from 275 million students and faculty across nearly 9,000 educational institutions. A screenshot shared by a reader showing the extortion message that was shown on the Canvas login page today. Canvas parent firm Instructure responded to today’s defacement attacks by disabling the platform, which is used by thousands of schools, universities and businesses to manage coursework and assignments, and to communicate with students. Instructure acknowledged a data breach earlier this week, after the cybercrime group ShinyHunters claimed responsibility and said they would leak data on tens of millions of students and faculty unless paid a ransom. The stated deadline for payment was initially set at May 6, but it was later pushed back to May 12. In a statement on May 6, Instructure said the investigation so far shows the stolen information includes “certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as as messages among users.” The company said it found no evidence the breached data included more sensitive information, such as passwo
A look at how to secure Kubernetes secrets
Thursday, May 7
Chrome users were caught off guard by a 4-GB Google AI model baked into Chrome, sparking privacy concerns. The good news: You can easily uninstall it. The bad? You might not want to.
This afternoon, we sent the following email to our global team. One of our core values at Cloudflare is transparency, and we believe it's important that you hear this directly from us because it’s a major moment at Cloudflare. Team: We are writing to let you know directly that we’ve made the decision to reduce Cloudflare’s workforce by more than 1,100 employees globally. The way we work at Cloudflare has fundamentally changed. We don’t just build and sell AI tools and platforms. We are our own most demanding customer. Cloudflare’s usage of AI has increased by more than 600% in the last three months alone. Employees across the company from engineering to HR to finance to marketing run thousands of AI agent sessions each day to get their work done. That means we have to be intentional in how we architect our company for the agentic AI era in order to supercharge the value we deliver to our customers and to honor our mission to help build a better Internet for everyone, everywhere. Today is a hard day. This decision unfortunately means saying goodbye to teammates who have contributed meaningfully to our mission and to building Cloudflare into one of the world’s most successful companies. We want to be clear that this decision is not a reflection of the individual work or talent of those leaving us. Instead, we are reimagining every internal process, team, and role across the company. Today’s actions are not a cost-cutting exercise or an assessment of individuals’ performance; they are about Cloudflare defining how a world-class, high-growth company operates and creates value in the agentic AI era. This is a moment we need to own as founders and leaders of the company. Matthew has personally sent out every offer letter we've extended. It is a practice he has always looked forward to because it represented our growth and the incredible talent joining our mission. It didn’t feel rig
Companies like Lovable, Base44, Replit, and Netlify use AI to let anyone build a web app in seconds—and in thousands of cases, spill highly sensitive data onto the public internet.
Wednesday, May 6
To stop children from bypassing its age checks, Meta is revamping its age-verification tools with an AI system that analyzes images and videos for “visual cues,” such as height and bone structure.