The maintainers of the popular Axios HTTP client have published a detailed post-mortem describing how one of its developers was targeted by a social engineering campaign believed to have been conducted by North Korean threat actors. [...]
Cybersecurity News and Vulnerability Aggregator
Top Cybersecurity Stories Today
A China-aligned threat actor has set its sights on European government and diplomatic organizations since mid-2025, following a two-year period of minimal targeting in the region. The campaign has been attributed to TA416, a cluster of activity that overlaps with DarkPeony, RedDelta, Red Lich, SmugX, UNC6384, and Vertigo Panda. "This TA416 activity included multiple
Latest
We've all been there: you run a Nmap scan, get 200 lines of output, then spend 20 minutes cross-referencing CVEs, writing up findings, and figuring out your next move. Multiply that across Nessus exports, Volatility dumps, BloodHound data, PCAP captures, and NetExec results, and you're spending more time on analysis than actual testing. Syd takes all of that off your plate. Paste in your output from any tool (Tenable/Nessus scan results, Nmap output, memory dumps, whatever) and Syd extracts the facts, identifies the critical findings, maps attack paths, and gives you actionable next steps. What used to take 30-40 minutes of manual analysis takes seconds.

What's in the box:

- Syd V3 Pro: 6 tools (Nmap, Volatility, BloodHound, YARA, NetExec, PCAP)
- Syd Enterprise: Pro + full Metasploit integration (module browser, exploit launcher with live msfconsole, AI analysis of session output)
- Works with output from external tools (Tenable, Nessus, Qualys, etc.): just paste it in
- Anti-hallucination pipeline: deterministic fact extraction before LLM ever touches the data
- RAG-powered knowledge base for each tool
- Runs 100% airgapped: designed for secure environments

Where Syd really shines is the workflow integration. Run your Tenable scan, export the results, paste them into Syd's Nmap page, and within seconds you've got a prioritised breakdown of every host, service, and vulnerability with recommended next steps and exploit suggestions. Same with BloodHound: paste your enumeration data and Syd maps out the AD attack paths for you. It doesn't replace your tools, it makes the time between running them and writing your report almost zero. More tools coming for Enterprise: Sliver, Responder, Impacket, Burp Suite, Hashcat and so on. Happy to answer any questions or do a walkthrough if anyone's interested. 📧 [info@sydsec.co.uk](mailto:info@sydsec.co.uk) 🌐 [https://sydsec.co.uk](https://sydsec.co.uk)
Hackers are running a large-scale campaign to steal credentials in an automated way after exploiting React2Shell (CVE-2025-55182) in vulnerable Next.js apps. [...]
True-crime tales of criminals making fools of themselves interview Cybercrime crews have become almost mystical entities, with security vendors assigning them names like Wizard Spider and Velvet Tempest.…
Installing modified APK with Frida Gadget on Android? Testing on my own Android device, I embed Frida Gadget into an APK (Instagram). After modification, install fails or app crashes. What methods allow installing modified APKs? Which Android protections block this? Any tips for test setups?
Manual EVTX analysis in Event Viewer is a nightmare during a live incident. I built Sentinel Thread Pro to automate the noise-to-signal process using the Hayabusa engine and a Streamlit UI. It generates a clean, MITRE-mapped forensic timeline in seconds. It’s completely open source, and I’m looking for feedback from the community to improve the data normalization and detection logic. GitHub Repo: [https://github.com/Adham504/SentinelThread-Forensics](https://github.com/Adham504/SentinelThread-Forensics)
For those who don't know it, GOAD (Game of Active Directory) is an open-source project by **Orange Cyberdefense** that provisions a fully functional but intentionally vulnerable AD environment: multiple domains, trust relationships, misconfigured delegations, weak ACLs, and more. It's essentially a legal, controlled playground for practicing AD attack chains (Kerberoasting, Pass-the-Hash, DCSync, lateral movement...) and building detection coverage against them. GOAD-Light is the lightweight version: 3 VMs (DC01, DC02, SRV02) across two domains with a bidirectional trust, running on Windows Server 2016. Manageable on a decent laptop. I deployed it on VirtualBox + Ubuntu 24.04 and figured I'd document the process properly since the official docs, while solid, can be a bit overwhelming when you're hitting errors at 1am. The guide covers the full deployment with Ansible, but more importantly it documents the actual errors I ran into:

- `NS_ERROR_FAILURE` on Vagrant launch (vboxusers group not reloaded after install)
- `couldn't resolve module ansible.windows` (Ansible Galaxy dependency and how to bypass it entirely)
- `unreachable=1` on DC01 mid-provisioning (DC rebooting after domain promotion, not a real error, just needs patience)
- VM conflicts from previous installs and how to clean them up cleanly

Repo: [https://github.com/Kjean13/goad-light-deployment](https://github.com/Kjean13/goad-light-deployment)
When Syrian government accounts were hijacked in March, the breach looked chaotic. But it revealed something more troubling: a state struggling with the most basic layer of cybersecurity.
https://open.substack.com/pub/aperceptualdrifter/p/the-visible-key?r=7x5h5j
Cybersecurity researchers have discovered 36 malicious packages in the npm registry that are disguised as Strapi CMS plugins but come with different payloads to facilitate Redis and PostgreSQL exploitation, deploy reverse shells, harvest credentials, and drop a persistent implant. "Every package contains three files (package.json, index.js, postinstall.js), has no description, repository,
Fortinet has released out-of-band patches for a critical security flaw impacting FortiClient EMS that it said has been exploited in the wild. The vulnerability, tracked as CVE-2026-35616 (CVSS score: 9.1), has been described as a pre-authentication API access bypass leading to privilege escalation. "An improper access control vulnerability [CWE-284] in FortiClient EMS may allow an
Leveraging Wazuh detection and alerting with Clickdetect | Anomaly Detection | Multiple Source Correlation | by Vinicius Morais
Hello Blueteamsec community! I created this post to explain how to improve Wazuh detection using SQL-based detection in Clickhouse (or another compatible data source like loki, victoria logs). I cover things like Anomaly Detection, Multiple Sources, disconnected agents or agents not sending logs, etc. I hope you enjoy the post
Cisco patched a 9.8/10 CVE yesterday — authentication bypass on IMC that gives full admin access with one HTTP request, no credentials needed
CVE-2026-20093 dropped this week and it’s bad.

**Quick breakdown:**

- Affects Cisco Integrated Management Controller (IMC)—the baseboard management system that runs underneath the OS
- CVSS 9.8/10: no auth required, remote exploitable, low complexity
- Attacker sends one crafted HTTP POST to the management interface → resets any user’s password including Admin, leading to full hardware-level control
- No workarounds exist, firmware update is the only fix
- No active exploitation confirmed yet but no PoC needed, the attack is trivial

The dangerous part is the attack surface. IMC runs independently of the OS—meaning EDR, SIEM, endpoint hardening are all irrelevant once exploited. Ransomware gangs love BMC-level access because it survives a full OS reinstall.

**Affected:** UCS C-Series M5/M6, E-Series M3/M6, Catalyst 8300, APIC servers, Secure Firewall appliances, Catalyst Center—basically anything built on Cisco UCS.

Audit your IMC user accounts now before patching and if someone already hit you there’ll be a rogue admin account sitting there. Full breakdown on https://medium.com/@decodingdaily20/cisco-just-patched-a-9-8-10-severity-flaw-that-let-hackers-take-over-servers-without-a-password-7603b0d49271
Device code phishing attacks that abuse the OAuth 2.0 Device Authorization Grant flow to hijack accounts have surged more than 37 times this year. [...]
x64dbg Reversing a Jump Tutorial | Breakpoints, Zero Flag, Binary Patching & Cracking Basics - YouTube
Plus: The FBI says a recent hack of its wiretap tools poses a national security risk, attackers stole Cisco source code as part of an ongoing supply chain hacking spree, and more.
Ex-CISA official tells The Reg: 'this would weaken the system for managing cyber risk'
The US Cybersecurity and Infrastructure Security Agency's budget will see yet another deep cut if Congress approves President Trump's proposal to slash CISA's spending by $707 million in fiscal year 2027.…
Major AI labs are investigating a security incident that impacted Mercor, a leading data vendor. The incident could have exposed key data about how they train AI models.
A new report dubbed "BrowserGate" warns that Microsoft's LinkedIn is using hidden JavaScript scripts on its website to scan visitors' browsers for installed extensions and collect device data. [...]
Telehealth giant Hims & Hers Health is warning that it suffered a data breach after support tickets were stolen from a third-party customer service platform. [...]
The Qilin ransomware group has claimed responsibility for an attack against Die Linke ('The Left'), forcing an IT systems outage at the political party, and threatening sensitive data leak. [...]
Praetorian is excited to announce the release of Vespasian, a probabilistic API endpoint discovery, enumeration, and analysis tool. Vespasian watches real HTTP traffic from a headless browser or your existing proxy captures and turns it into API specifications (OpenAPI, GraphQL SDL, WSDL). We built it because pentesters spend the first days of every API engagement manually reconstructing documentation that should already exist. You know the scenario. You are three days into an API penetration test. Documentation was promised during scoping, and it existed at some point, but the Confluence page was last updated eighteen months ago and describes endpoints that have since been replaced. The Swagger UI returns a 404. The mobile app calls endpoints that don’t appear in any documentation at all. Nobody dropped the ball; the API just evolved faster than the docs. So you do what every pentester does: you open Burp Suite, click through the application for an hour, and start reading raw HTTP traffic. You spot JSON responses on /api/v2/ paths. GraphQL queries appear on a different subdomain. There’s a SOAP service that the frontend calls exactly once during login. Endpoint URLs are copied into a spreadsheet. You guess at parameter names. You manually reconstruct the API over the course of a couple days. This part of the project is informative, but it’s also a bottleneck. Vespasian reduces that bottleneck. It observes real HTTP traffic, either by crawling the target with a headless browser or by importing captures you’ve already made in Burp Suite, HAR, or mitmproxy, and generates API specifications automatically. REST endpoints become OpenAPI 3.0. GraphQL endpoints become SDL schemas. SOAP services become WSDL documents. You can try it yourself at
A practical look at securing identities, devices and applications wherever work happens Webinar Promo The shift to hybrid work has reshaped the enterprise perimeter. Users are logging in from home networks, shared spaces and unmanaged devices, while applications span on-prem systems and multiple clouds. Traditional security models were not designed for this level of fragmentation, leaving many organizations struggling to maintain visibility and control without adding friction.…
Threat actors are increasingly using HTTP cookies as a control channel for PHP-based web shells on Linux servers and to achieve remote code execution, according to findings from the Microsoft Defender Security Research Team. "Instead of exposing command execution through URL parameters or request bodies, these web shells rely on threat actor-supplied cookie values to gate execution,
Multi-extortion ransomware relies on stolen data to pressure victims with public leaks. Penta Security explains how its D.AMO platform keeps exfiltrated files encrypted and useless to attackers. [...]
Microsoft is investigating and working to resolve Exchange Online mailbox access issues that have intermittently affected Outlook mobile and macOS users for weeks. [...]
The next major breach hitting your clients probably won't come from inside their walls. It'll come through a vendor they trust, a SaaS tool their finance team signed up for, or a subcontractor nobody in IT knows about. That's the new attack surface, and most organizations are underprepared for it. Cynomi's new guide, Securing the Modern Perimeter: The Rise of Third-Party
Mixed Boolean-Arithmetic (MBA) obfuscation disguises simple operations like x + y behind tangles of arithmetic and bitwise operators. Malware authors and software protectors rely on it because no standard simplification technique covers both domains simultaneously; algebraic simplifiers don’t understand bitwise logic, and Boolean minimizers can’t handle arithmetic. We’re releasing CoBRA, an open-source tool that simplifies the full range of MBA expressions used in the wild. Point it at an obfuscated expression and it recovers a simplified equivalent:

```
$ cobra-cli --mba "(x&y)+(x|y)"
x + y
$ cobra-cli --mba "((a^b)|(a^c)) + 65469 * ~((a&(b&c))) + 65470 * (a&(b&c))" --bitwidth 16
67 + (a | b | c)
```

CoBRA simplifies 99.86% of the 73,000+ expressions drawn from seven independent datasets. It ships as a CLI tool, a C++ library, and an LLVM pass plugin. If you’ve hit MBA obfuscation during malware analysis, reversing software protection schemes, or tearing apart VM-based obfuscators, CoBRA gives you readable expressions back.

Why existing approaches fall short

The core difficulty is that verifying MBA identities requires reasoning about how bits and arithmetic interact under modular wrapping, where values silently overflow and wrap around at fixed bit-widths. An identity like (x ^ y) + 2 * (x & y) == x + y is true precisely because of this interaction, but algebraic simplifiers only see the arithmetic and Boolean minimizers only see the logic; neither can verify it alone. Obfuscator
Cybersecurity researchers have discovered a new version of the SparkCat malware on the Apple App Store and Google Play Store, more than a year after the trojan was discovered targeting both the mobile operating systems. The malware has been found to conceal itself within seemingly benign apps, such as enterprise messengers and food delivery services, while
A former core infrastructure engineer has pleaded guilty to locking Windows admins out of 254 servers as part of a failed extortion plot targeting his employer, an industrial company headquartered in Somerset County, New Jersey. [...]
The Quizlet flashcards, which WIRED found through basic Google searches, seem to include sensitive information about gate security at Customs and Border Protection locations.
Solana-based decentralized exchange Drift has confirmed that attackers drained about $285 million from the platform during a security incident that took place on April 1, 2026. "Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers," the
Starting this week, Microsoft has begun force-upgrading unmanaged devices running Windows 11 24H2 Home and Pro editions to Windows 11 25H2. [...]
The European Union's Cybersecurity Service (CERT-EU) has attributed the European Commission cloud hack to the TeamPCP threat group, saying the resulting breach exposed the data of at least 29 other Union entities. [...]
A new MaaS has been promoted on Telegram as combining spyware, stealer, and remote access capabilities, Kaspersky reports. April 2026
‘Uncanny Valley’: Iran’s Threats on US Tech, Trump’s Plans for Midterms, and Polymarket’s Pop-up Flop
In this episode, we discuss Iran’s threats to target US tech firms, gear up for the midterm elections, and get a scene report from the Polymarket pop-up bar in DC.
Built a small experiment: turn a file into a “sonic fingerprint” in the browser

I wanted to share a side project we put together: [https://listen.maliscope.com/](https://listen.maliscope.com/) It takes a file and turns it into a deterministic audio representation of file characteristics. A few important caveats:

* it runs locally in the browser
* it does not claim to detect malware through music
* it is not a verdict engine
* it is just an experimental visualization

The idea was not “can analysts detect malware by ear?” but more: what happens if you represent file structure and characteristics as sound instead of another chart? I thought some people here might find it interesting, even if only as a weird security-adjacent experiment.
The Drift Protocol lost at least $280 million after a threat actor took control of its Security Council administrative powers in a planned, sophisticated operation. [...]
As strikes continue on Iran’s nuclear facilities, the real danger isn’t the explosion, but what happens if critical safety systems fail—and how that risk could spread across the Gulf.
A few days ago I wrote about how the Trivy ecosystem got turned into a credential stealer. One of my takeaways was “pin by SHA.” Every supply chain security guide says it, I’ve said it, every subreddit says it, and the GitHub Actions hardening docs say it. The Trivy attack proved it wrong, and I think we need to talk about why.
Overview

Artifex's MuPDF contains an integer overflow vulnerability, CVE-2026-3308, in versions up to and including 1.27.0. Using a specially crafted PDF, an attacker can trigger an integer overflow resulting in out-of-bounds heap writes. This heap corruption typically causes the application to crash, but in some cases could be exploited to enable arbitrary code execution.

Description

Artifex MuPDF is a lightweight framework for viewing and converting PDF, XPS, and e-book files. A vulnerability exists in pdf_load_image_imp, which is responsible for preparing image data for decoding. The function processes image parameters including w (width), h (height), and bpc (bits per component), which are used to determine the amount of memory allocated during image decoding. The current implementation validates these parameters against SIZE_MAX rather than INT_MAX, but because stride calculations use integer-sized values, this check does not sufficiently protect against integer overflow when exceedingly large values are supplied. When the overflow occurs, the resulting corrupted values are passed into the fz_unpack_stream function, which expands packed image samples into a destination buffer during image decoding. Because this too-small overflow value is used to calculate the size of the destination buffer, not enough memory is allocated for the actual size of the image. This causes fz_unpack_stream to write beyond the bounds of the allocated heap buffer, resulting in a heap out-of-bounds write.

Impact

Successful exploitation results in a heap out-of-bounds write during PDF image decoding.
Posted by Adam Gavish, Google GenAI Security Team

Indirect prompt injection (IPI) is an evolving threat vector targeting users of complex AI applications with multiple data sources, such as Workspace with Gemini. This technique enables the attacker to influence the behavior of an LLM by injecting malicious instructions into the data or tools used by the LLM as it completes the user’s query. This may even be possible without any input directly from the user. IPI is not the kind of technical problem you “solve” and move on. Sophisticated LLMs with increasing use of agentic automation combined with a wide range of content create an ultra-dynamic and evolving playground for adversarial attacks. That’s why Google takes a sophisticated and comprehensive approach to these attacks. We’re continuously improving LLM resistance to IPI attacks and launching AI application capabilities with ever-improving defenses.
Researchers warn that residential proxies used to route malicious traffic are a big problem for IP reputation systems, as there is no clear distinction between attackers and legitimate users. [...]
Cisco has released updates to address a critical security flaw in the Integrated Management Controller (IMC) that, if successfully exploited, could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system with elevated privileges. The vulnerability, tracked as CVE-2026-20093, carries a CVSS score of 9.8 out of a maximum of 10.0. "This
Threat actors are exploiting vacant homes as "drop addresses" to intercept mail and enable fraud. Flare shows how postal services and fake identities are abused to turn mail into a fraud vector. [...]
Cloudflare data shows that 32% of traffic across our network originates from automated traffic. This includes search engine crawlers, uptime checkers, ad networks — and more recently, AI assistants looking to the web to add relevant data to their knowledge bases as they generate responses with retrieval-augmented generation (RAG). Unlike typical human behavior, AI agents, crawlers, and scrapers’ automated behavior may appear aggressive to the server responding to the requests. For instance, AI bots frequently issue high-volume requests, often in parallel. Rather than focusing on popular pages, they may access rarely visited or loosely related content across a site, often in sequential, complete scans of the websites. For example, an AI assistant generating a response may fetch images, documentation, and knowledge articles across dozens of unrelated sources. Although Cloudflare already makes it easy to control and limit automated access to your content, many sites may want to serve AI traffic. For instance, an application developer may want to guarantee that their developer documentation is up-to-date in foundational AI models, an e-commerce site may want to ensure that product descriptions are part of LLM search results, or publishers may want to get paid for their content through mechanisms such as pay per crawl. Website operators therefore face a dichotomy: tune for AI crawlers, or for human traffic. Given both exhibit widely different traffic patterns, current cache architectures force operators to choose one approach to save resources. In this
The latest ThreatsDay Bulletin is basically a cheat sheet for everything breaking on the internet right now. No corporate fluff or boring lectures here, just a quick and honest look at the messy reality of keeping systems safe this week. Things are moving fast. The list includes researchers chaining small bugs together to create massive backdoors, old software flaws
A financially motivated operation codenamed REF1695 has been observed leveraging fake installers to deploy remote access trojans (RATs) and cryptocurrency miners since November 2023. "Beyond cryptomining, the threat actor monetizes infections through CPA (Cost Per Action) fraud, directing victims to content locker pages under the guise of software registration," Elastic
In December 2025, we shared the first-ever The State of Trusted Open Source report, featuring insights from our product data and customer base on open source consumption across our catalog of container image projects, versions, images, language libraries, and builds. These insights shed light on what teams pull, deploy, and maintain day to day, alongside the vulnerabilities and
A WIRED analysis of DHS records identified dozens of specialized federal agents who used force against US civilians during the largest known deployment of its kind in US history.
Meta-owned messaging platform WhatsApp said it alerted about 200 users who were tricked into installing a bogus version of its iOS app that was infected with spyware. According to reports from Italian newspaper La Repubblica and news agency ANSA, the vast majority of the targets are located in Italy. It's assessed that the threat actors behind the activity used social engineering
Connected devices can leave an otherwise secure network vulnerable Pwned Welcome to Pwned, The Register's new column, where we highlight the worst infosec own goals so you can, hopefully, protect against them. Caffeine is an essential tool for most IT defenders, so, on balance, we're sure it has protected against a lot more exploits than it has caused. But in this case, the desire for everyone's favorite stimulant led to a massive breach.…
Apple on Wednesday expanded the availability of iOS 18.7.7 and iPadOS 18.7.7 to a broader range of devices to protect users from the risk posed by a recently disclosed exploit kit known as DarkSword. "We enabled the availability of iOS 18.7.7 for more devices on April 1, 2026, so users with Automatic Updates turned on can automatically receive important security
Cisco source code stolen by ShinyHunters via Trivy supply-chain attack. AWS keys breached, 300+ repos cloned and more
Cisco reportedly suffered a breach of its internal development environment after attackers leveraged credentials stolen during the recent Trivy supply-chain compromise. More details linked with sample data
First public downstream victim, but won't be the last
AI hiring startup Mercor confirmed it was "one of thousands of companies" affected by the LiteLLM supply-chain attack as the fallout from the Trivy compromise continues to spread.…
Attackers route malicious traffic through ordinary home internet connections — and to a reputation feed, the source IP is indistinguishable from a legitimate user's connection. GreyNoise analyzed 4 billion sessions over 90 days and found that 39% of unique IPs targeting the edge come from residential address space. 78% vanish after just 1–2 sessions, before any reputation system can flag them. The report documents why detection must shift from where the traffic comes from to what it is doing.
Introduction

The Zodiac Killer, one of America’s most notorious unsolved serial killer cases, sent numerous encrypted messages to newspapers during his reign of terror in the late 1960s and early 1970s. While his 408-character cipher was eventually cracked, the shorter “Z32” cipher that accompanied a map of the San Francisco Bay Area has remained unsolved for over five decades. The Z32 cipher consists of just 32 characters combining both letters and symbols. Alongside this cipher, the Zodiac included a chilling note: “The Map coupled with this code will tell you where the bomb is set. You have until next Fall to dig it up.”
Plus: how to train your human AI interview Amazon has seen a 40 percent efficiency gain by using AI tools to pentest its products before and after launch, according to security chief CJ Moses.…
Finding Value in the AI Noise

Over the past year, the cybersecurity conversation has shifted hard toward AI. Walk through any conference and you’ll see it everywhere: agentic systems, autonomous testing, and machines operating at a scale that humans simply can’t match. A lot of that progress is real. At Synack, we’re investing heavily in […] The post Why AI Alone Won’t Fix the Security Problem appeared first on Synack.
The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed details of a new phishing campaign in which the cybersecurity agency itself was impersonated to distribute a remote administration tool known as AGEWHEEZE. As part of the attacks, the threat actors, tracked as UAC-0255, sent emails on March 26 and 27, 2026, posing as CERT-UA to distribute a password-protected ZIP archive
1. macOS ClickFix Campaign Targets Claude Code Users with **AMOS Stealer** and Backdoor Access
2. **RUTSSTAGER**: Registry-Stored DLL Leads to OrcusRAT Deployment
3. **Kamasers**: A Multi-Vector DDoS Botnet Targeting Organizations Worldwide
4. **MicroStealer**: A Fast-Spreading Infostealer with Limited Detection
   * This one is super interesting in my opinion; the chain and way it is created makes the detection complicated - obfuscated Java modules are a pain to deal with - ends up most of the time without any static engine flags

Source: [https://any.run/cybersecurity-blog/major-cyber-attacks-march-2026/](https://any.run/cybersecurity-blog/major-cyber-attacks-march-2026/)
We could tell you no for free
The UK government will spend about £630,000 running a discussion panel on its digital identity card plans, which minister James Frith said will "consider different perspectives and debate trade-offs" alongside a formal consultation.…
Exactly 8 years ago today, we launched the 1.1.1.1 public DNS resolver, with the intention to build the world’s fastest resolver — and the most private one. We knew that trust is everything for a service that handles the "phonebook of the Internet." That’s why, at launch, we made a unique commitment to publicly confirm that we are doing what we said we would do with personal data. In 2020, we hired an independent firm to check our work, instead of just asking you to take our word for it. We shared our intention to update such examinations in the future. We also called on other providers to do the same, but, as far as we are aware, no other major public resolver has had their DNS privacy practices independently examined. At the time of the 2020 review, the 1.1.1.1 resolver was less than two years old, and the purpose of the examination was to prove our systems made good on all the commitments we made about how our 1.1.1.1 resolver functioned, even commitments that did not impact personal data or user privacy. Since then, Cloudflare’s technology stack has grown significantly in both scale and complexity. For example, we built an entirely new platform that powers our 1.1.1.1 resolver and other DNS systems. So we felt it was vital to review our systems, and our 1.1.1.1 resolver privacy commitments in particular, once again with a rigorous and independent review. Today, we are sharing the results of our most recent privacy examination by the same Big 4 accounting firm. Its independent examination is available on our compliance page. Foll
The cost of building software has drastically decreased. We recently rebuilt Next.js in one week using AI coding agents. But for the past two months our agents have been working on an even more ambitious project: rebuilding the WordPress open source project from the ground up. WordPress powers over 40% of the Internet. It is a massive success that has enabled anyone to be a publisher, and created a global community of WordPress developers. But the WordPress open source project will be 24 years old this year. Hosting a website has changed dramatically during that time. When WordPress was born, AWS EC2 didn’t exist. In the intervening years, that task has gone from renting virtual private servers, to uploading a JavaScript bundle to a globally distributed network at virtually no cost. It’s time to upgrade the most popular CMS on the Internet to take advantage of this change. Our name for this new CMS is EmDash. We think of it as the spiritual successor to WordPress. It’s written entirely in TypeScript. It is serverless, but you can run it on your own hardware or any platform you choose. Plugins are securely sandboxed and can run in their own isolate, via Dynamic Workers, solving the fundamental security problem with the WordPress plugin architecture. And under the hood, EmDash is powered by Astro, the fastest web framework for content-driven websites. EmDash is fully open source, MIT licensed, and available on GitHub. While EmDash aims to be compatible with WordPress functionality, no WordPress code was used to create EmDas
There is a character that keeps appearing in enterprise security departments, and most CISOs know exactly who that is. It doesn’t build. It doesn’t enable. Its entire function is to say "No." No to ChatGPT. No to DeepSeek. No to the file-sharing tool the product team swears by. For years, this looked like security. But in 2026, "Doctor No" is no longer just a management headache &
Google on Thursday released security updates for its Chrome web browser to address 21 vulnerabilities, including a zero-day flaw that it said has been exploited in the wild. The high-severity vulnerability, CVE-2026-5281 (CVSS score: N/A), concerns a use-after-free bug in Dawn, an open-source and cross-platform implementation of the WebGPU standard. "Use-after-free in Dawn in Google Chrome prior
Code coverage is one of the most dangerous quality metrics in software testing. Many developers fail to realize that code coverage lies by omission: it measures execution, not verification. Test suites with high coverage can obfuscate the fact that critical functionality is untested as software develops over time. We saw this when mutation testing uncovered a high-severity Arkis protocol vulnerability, overlooked by coverage metrics, that would have allowed attackers to drain funds. Today, we’re announcing MuTON and mewt, two new mutation testing tools optimized for agentic use, along with a configuration optimization skill to help agents set up campaigns efficiently. MuTON provides first-class support for TON blockchain languages (FunC, Tolk, and Tact), while mewt is the language-agnostic core that also supports Solidity, Rust, Go, and more. The goal of mutation testing is to systematically introduce bugs (mutants) and check if your tests catch them, flagging hot spots where code is insufficiently tested. However, mutation testing tools have historically been slow and language-specific. MuTON and mewt are built to change that. To understand how, it helps to first understand what they’re replacing. The regex era Mutation testing dates to the 1970s, but for a long time, the technique rarely saw much adoption in the blockchain space as a software quality measurement. Testing frameworks are coupled tightly to target languages, making support for new languages expensive.
ESET says factory outages, lost revenue, and supply chain disruption are becoming routine Nearly 80 percent of British manufacturers say they've been hit by a cyber incident in the past year, as new research suggests disruption on the factory floor is no longer an exception but business as usual.…
I wrote a custom decompiler for the bytecode used by Naughty Dog in The Last of Us & Uncharted games
How to avoid social engineering attacks? Employee training tops the list Be careful what you click on. Miscreants are abusing WhatsApp messages in a multi-stage attack that delivers malicious Microsoft Installer (MSI) packages, allowing criminals to control victims' machines and access all of their data.…
Writeup: [https://github.com/califio/publications/blob/main/MADBugs/CVE-2026-4747/write-up.md](https://github.com/califio/publications/blob/main/MADBugs/CVE-2026-4747/write-up.md)
Researchers say some targets correlate with cities hit by Iranian missile strikes Suspected Iran-linked threat actors are conducting password-spraying attacks against hundreds of organizations, primarily Middle Eastern municipalities, in campaigns that security researchers believe may have been aimed at supporting bomb-damage assessment following missile strikes.…
PSA: That 'Disable NTLMv1' GPO you set years ago? It’s lying to you. LmCompatibilityLevel set to 5 is not enough.
If you set LmCompatibilityLevel to 5 a couple years back and called it done, there's a good chance NTLMv1 is still running in your environment. Not because the setting doesn't work. Because it doesn't work the way you think it does. This isn't just aimed at people who never fully switched to Kerberos. It's also for the ones who are pretty sure they did. For people not deep into auth protocols: NTLMv1 and NTLMv2 are both considered unsafe today. NTLMv1 especially. It uses DES encryption, which with a weak password can be cracked in seconds. And because NTLM never sends your actual password (challenge-response, the hash gets passed not the plaintext), it's also wide open to pass-the-hash. An attacker intercepts the hash and reuses it to authenticate as you. Responder is the tool that makes this trivial and it's been around forever. Silverfort's research puts 64% of authentications in AD environments still on NTLM. Here's the actual problem with the registry fix. LmCompatibilityLevel is supposed to tell your DCs to reject NTLMv1 traffic and require NTLMv2 or Kerberos instead. Sounds reasonable. But enforcement runs through the Netlogon Remote Protocol (MS-NRPC), the mechanism application servers use to forward auth requests to your domain controllers. There's a structure in that protocol called NETLOGON_LOGON_IDENTITY_INFO with a field called ParameterControl. That field contains a flag that can explicitly request NTLMv1, and your DC will honor it regardless of what Group Policy says. The policy controls what Windows clients send. It has no authority over what applications request on the server side. Any third party or homegrown app that hasn't been audited can still be sending NTLMv1 traffic and you'd have no idea. Silverfort built a POC to confirm this. They set the ParameterControl flag in a simulated misconfigured service and forced NTLMv1 authentications through a DC that was configured to block them. Worked.
They reported it to Microsoft, Microsoft confirmed it but didn't classify it as a vulnerability. Their response was to announce full removal of NTLMv1 starting with Windows Server 2025 and Windows 11 24H2. So that's something, at least. If you're not on those versions, you're still exposed and there's no patch coming. What you can do right now: turn on NTLM audit logging across your domain. Registry keys exist to capture all NTLM traffic so you can actually see what's authenticating how. From there, map every app using NTLM, whether primary or as a fallback, and look specifically for anything requesting NTLMv1 messages. That's your exposure.
The GPS Next-Generation Operational Control System was due for completion in 2016. Ten years later, the software for controlling the military’s GPS satellites still doesn’t work.
The University of North Georgia is one of the lesser known of the nation's senior military colleges (SMCs). But last week it beat out all the other five SMCs—and two of the elite service academies—in a capture-the-flag hacker contest staged at the Pentagon's Cyber Workforce Summit. The contest was designed by specialists from the Air Force Research Laboratory to be operationally realistic. In the first round, teams had to geo-locate a targeted individual through his devices and apps, prevent him from getting warning messages, and then call in an air strike to kill him. More details and quotes from UNG students—plus the team from The Citadel they bested in the final—in my latest story.
dexfinder: A Lightning-fast, Pure-Go Alternative to Android's veridex with N-level Call Tracing & ProGuard Deobfuscation
Posted by Dirk Göhmann, Tony Mendez, and the Vulnerability Rewards Program Team. 2025 marked a special year in the history of vulnerability rewards and bug bounty programs at Google: our 15th anniversary! Originally started in 2010, our vulnera
I reverse-engineered the WHOOP 4.0 Bluetooth protocol and built a PoC Flutter app. Read /research first!
Vessels are increasingly being abandoned during the war on Iran, revealing a hidden failure in the global systems that keep goods—and people—moving.
We're proud to introduce Programmable Flow Protection: a system designed to let Magic Transit customers implement their own custom DDoS mitigation logic and deploy it across Cloudflare’s global network. This enables precise, stateful mitigation for custom and proprietary protocols built on UDP. It is engineered to provide the highest possible level of customization and flexibility to mitigate DDoS attacks of any scale. Programmable Flow Protection is currently in beta and available to all Magic Transit Enterprise customers for an additional cost. Contact your account team to join the beta or sign up at this page. Programmable Flow Protection is customizable Our existing DDoS mitigation systems have been designed to understand and protect popular, well-known protocols from DDoS attacks. For example, our Advanced TCP Protection system uses specific known characteristics about the TCP protocol to issue challenges and establish a client’s legitimacy. Similarly, our Advanced DNS Protection builds a per-customer profile of DNS queries to mitigate DNS attacks. Our generic DDoS mitigation platform also understands common patterns across a variety of other well known protocols, including NTP, RDP, SIP, and many others. However, custom or proprietary UDP protocols have always bee
This post is adapted from a talk I gave at [un]prompted, the AI security practitioner conference. Thanks to Gadi Evron for inviting me to speak. You can watch the recorded presentation below or download the slides. Most companies hand out ChatGPT licenses and wait for the productivity numbers to move. We built a system instead. A year ago, about 5% of Trail of Bits was on board with our AI initiative. The other 95% ranged from passively skeptical to actively resistant. Today we have 94 plugins, 201 skills, 84 specialized agents, and on the right engagements, AI-augmented auditors finding 200 bugs a week. This post is the playbook for how we got there. We open sourced most of it, so you can steal it today. A recent Fortune article reported that a National Bureau of Economic Research study of
Hijacked maintainer account let attackers slip cross-platform trojan into 100M-downloads-a-week Axios Updated One of npm's most widely used HTTP client libraries briefly became a malware delivery vehicle after attackers hijacked a maintainer's account and slipped a remote-access trojan (RAT) into two seemingly legitimate axios releases, in what's being described as "one of the most impactful npm supply chain attacks on record."…
This post is part of a small blog series covering common Entra ID security findings observed during real-world assessments. Each article explores selected findings in more detail to provide a clearer understanding of the underlying risks and practical implications. Part 1: Privileged Foreign Enterprise Applications Introduction: What Are Unprotected Groups? Groups in Entra ID have various properties, such as: Group type: Security, Microsoft 365 (Unified), or Dynamic Security enabled: Yes / No Visibility: Public / Private Synced from on-premises: Yes / No Role-assignable: Yes / No These properties influence various aspects, such as whether Microsoft 365 resources are linked to the group, how membership is assigned, and how the group can be used for permission assignments. This blog post primarily focuses on security groups. Who Can Edit Security Groups? Some of these properties also determine who can edit the membership of a group. By default, numerous administrative roles can edit the membership of security groups, such as: User Administrator Groups Administrator Knowledge Administrator Knowledge Manager Windows 365 Administrator
Day by day, I find we're eking more goodness out of OpenClaw and finding the sweet spot between what the humans do well and the agent can run off and do on its own. Significantly, we're shifting more and more of the workload to the latter as all 3 of us at HIBP HQ get better at assigning workloads to machines. In addition to my use of my "PwnedClaw" bot to help catalogue and process data breaches, Stefan and I are both using GitHub Copilot in Visual Studio extensively, and Charlotte is using her own Telegram bot, "Pwny," plugged into OpenClaw to crawl all our content and look for inconsistencies while designing revised user interfaces. Over the last couple of weeks, I've spent US$854 on Claude tokens, which feels like a lot until you look at it like an employee doing work for you. But we've barely scratched the surface, and I can't wait to see the things we do with this in the weeks and months to come
An attacker hijacked an axios maintainer's npm account to publish malicious releases that deliver a cross-platform RAT.
Check Point says outbound controls blocked web traffic but overlooked DNS OpenAI talks up data security for its AI services, yet Check Point says that ChatGPT allowed data to leak through a DNS side channel before the flaw was fixed.…
HIBP Mega Update: Passkeys, k-Anonymity Searches, Massive Speed Enhancements and a Bulk Domain Verification API
For a hobby project built in my spare time to provide a simple community service, Have I Been Pwned sure has, well, "escalated". Today, we support hundreds of thousands of website visitors each day, tens of millions of API queries, and hundreds of millions of password searches. We're processing billions of compromised records each year provided by breached companies, white hat researchers, hackers and law enforcement agencies. And it's used by every conceivable demographic: infosec pros, "mums and dads", customer support services, and, according to the data, more than half the Fortune 500 who are actively monitoring the exposure of their domains. So yeah, "escalated" seems fair! Amidst all the time spent processing data, we've been trying to figure out where to invest energy in building new stuff. In essence, data breaches are pretty simple: you've got a bunch of exposed email addresses attributed to a source, sitting next to a whole bunch of fields we describe with metadata. Our goal has always been to help people use this data to do good after bad things happen, and today we're launching a bunch of new features to do just that. So, here goes: New Features, New Plans In the beginning (ok, in "recent years"), there was one plan we referred to as "Pwned", and within that, there were various levels. For example, the entry-level plan has been "Pwned 1," and to this day, more than half our subscriptions are on it. That&apo
Overview Kyverno, versions 1.16.0 to present, contains an SSRF vulnerability in its CEL-based HTTP functions, which lack URL validation or namespace scoping and allow namespaced policies to trigger arbitrary internal HTTP requests. An attacker with only namespace-level permissions can exploit this to access sensitive internal services via the highly privileged Kyverno admission controller. Description Kyverno is an open-source, Kubernetes-native policy engine that functions as a dynamic admission controller for the Kubernetes API. It is designed to manage the lifecycle of cluster resources by validating, mutating, and generating configurations based on YAML-defined policies. Within a security context, the engine is frequently utilized to enforce Pod Security Standards, verify image signatures via Cosign, and audit resource configurations for compliance. Because Kyverno operates with high-level permissions to intercept and modify API requests, it represents a critical component of the cluster's security posture and trust boundary. A server-side request forgery vulnerability exists in Kyverno’s CEL-based HTTP functions (Get and Post) used by namespaced policy types in the policies.kyverno.io API group. Unlike Kyverno’s resource library, which enforces namespace boundaries, the HTTP library at pkg/cel/libs/http/http.go performs no URL validation or scoping; i.e., there are no blocklists, namespace restrictions, or destination checks. As a result, these policies can issue arbitrary HTTP requests from the Kyverno admission controller pod. Impact An authenticated attacker with only namespace-scoped permissions can create a malicious namespaced policy that sends an internal http.Get() request, captures the response in a CEL var
so, i built SPiCa: a high performance eBPF rootkit detection engine. the name comes from the Hatsune Miku song SPiCa, and the actual star Spica. Spica is a spectroscopic binary two stars orbiting so closely they look like one, i thought that was a sick concept for a security tool, so i built the architecture around it. SPiCa uses two completely independent observation channels to watch the kernel, if a rootkit tries to silence one, the other catches the discrepancy.

the "binary star" architecture

most basic rootkits bypass standard tools by hooking standard helper functions like bpf_get_current_pid_tgid(), SPiCa completely ignores those and establishes its own ground truth using two channels:

- the software channel (btf tracepoint): it attaches to sched_switch but uses CO-RE to read the task_struct directly from kernel memory.
- the hardware channel (nmi perf event): this is the fun part, it fires on hardware CPU cycle counters via Non-Maskable Interrupts (NMI) on every single logical core, a rootkit can't just cli/sti its way out of this in software; they'd have to reprogram the actual PMU registers.

messing with the rootkits (build time obfuscation)

a lot of modern rootkits hook the ring buffers and drop events that match hidden PIDs. to defeat this, SPiCa generates a random 64-bit key from /dev/urandom at compile time and bakes it directly into the eBPF bytecode, there are no BPF maps for the rootkit to look up, the engine XORs the PID and TGID before writing to the ring buffer, the rootkit inspects the event, sees a garbage PID that doesn't match its hidden list, and lets it pass right through to my userspace engine, which reverses the XOR.

the userspace differential engine

the userspace side is written in Rust/Tokio, it constantly reads both ring buffers and cross references them with /proc, if the math isn't mathing it throws an alert:

- [DKOM] - the kernel scheduled the process, but it's hidden from /proc
- [TAMPER] - the NMI hardware channel sees it, but the eBPF tracepoint never did (someone hooked the tracepoint)
- [GHOST] - it's sitting in /proc, but the kernel hasn't scheduled it in >5 seconds (spoofed /proc entry)
- [SILENT] - one channel suddenly stops sending events while the other is fine (someone detached a program or zeroed a struct)
- [DUPE] - a rootkit is forging task_struct->tgid to impersonate a legit process, but the start times don't match

try it out

i built this mostly as a passion project to learn eBPF, but it actually works pretty well against standard evasion techniques.

```bash
# install the dependencies (arch/debian/fedora)
make install-deps
make install-tools
# compile everything
make all
# run it (needs root)
sudo ./target/release/spica
```

i know it's not a silver bullet (if someone hooks the NMI dispatch path directly, it's game over, though they'll probably kernel panic their box trying), but it was a ton of fun to build. repo is fully open-source (GPLv2), next up is spica-network, which is going to do the same dual-channel concept to catch hidden C2 traffic by diffing XDP and TC. let me know if you manage to break the logic!
Also, EU probes Snapchat, RedLine suspect extradited, AstraZeneca leak claim surfaces, and more infosec in brief The cybercrime crew linked to the Trivy supply-chain attack has struck again, this time pushing malicious Telnyx package versions to PyPI in an effort to plant credential-stealing malware on developers’ systems.…
I was going through my startup apps and scanned brave and noticed in the parent executable this https://www.virustotal.com/gui/file/b25093f6574ff5b2d7ffd787b487c7182427fe43d52d6a15601ca50ff34910fd
Overview Four vulnerabilities have been identified in CrewAI, including remote code execution (RCE), arbitrary local file read, and server-side request forgery (SSRF). CVE-2026-2275 is directly caused by the Code Interpreter Tool. The other three vulnerabilities result from improper default configuration settings within the main CrewAI agent and associated Docker images. An attacker who can interact with a CrewAI agent that has the Code Interpreter Tool enabled may exploit these issues through prompt injection, ultimately chaining the vulnerabilities together. The vendor has provided a statement addressing some, but not all, of the reported vulnerabilities. Description CrewAI is a tool for building and orchestrating multi-agent AI systems. These agents are intended to work together to complete tasks, and developers define those tasks and workflows. CrewAI supports various tools, including one called the "Code Interpreter Tool", intended for execution of Python code within a secure Docker container. CVE-2026-2275 originates from the Code Interpreter tool itself. The remaining vulnerabilities stem from insecure fallback behaviors and configuration issues in the CrewAI agent and Docker environment. Exploitation of CVE-2026-2275 may enable attackers to trigger the additional vulnerabilities. The vulnerabilities are listed below: CVE-2026-2275 The CrewAI CodeInterpreter tool falls back to SandboxPython when it cannot reach Docker, which can enable code execution through arbitrary C function calls. This vulnerability can be triggered if: allow_code_execution=True is enabled in the agent configuration, or if the Code Interpreter Tool is manually added to the agent by the developer. CVE-2026-2286 CrewAI contains a
Researchers say attackers are already looting vulnerable boxes In-the-wild exploitation of a critical Citrix NetScaler bug has begun less than a week after disclosure, with researchers warning that attackers are already poking and pillaging vulnerable boxes.…
Career-limiting stupidity and rudeness exposed, with terminal consequences Who, Me? The week before Easter may be a short one for many in the Reg-reading world, but that won't stop us from opening it with a fresh installment of Who, Me? It's the reader-contributed column in which you share stories of things you did at work that had interesting consequences.…
Client-side skimming attacks have a boring superpower: they can steal data without breaking anything. The page still loads. Checkout still completes. All it needs is just one malicious script tag. If that sounds abstract, here are two recent examples of such skimming attacks: In January 2026, Sansec reported a browser-side keylogger running on an employee merchandise store for a major U.S. bank, harvesting personal data, login credentials, and credit card information. In September 2025, attackers published malicious releases of widely used npm packages. If those packages were bundled into front-end code, end users could be exposed to crypto-stealing in the browser. To further our goal of building a better Internet, Cloudflare established a core tenet during our Birthday Week 2025: powerful security features should be accessible without requiring a sales engagement. In pursuit of this objective, we are announcing two key changes today: First, Cloudflare Client-Side Security Advanced (formerly Page Shield add-on) is now available to self-serve customers. And second, domain-based threat intelligence is now complimentary for all customers on the free Client-Side Security bundle. In this post, we’ll explain how this product works and highlight a new AI detection system designed to identify malicious JavaScript whil
Public policy professor says it will make America less secure but hits Netgear’s lobbying goals The United States’ ban on foreign-made SOHO routers won’t improve security, and only makes sense as “industrial policy disguised as cybersecurity,” according to Milton Mueller, Professor at the University of Georgia’s School of Public Policy and founder of its Internet Governance Project.…
Please, We Beg, Just One Weekend Free Of Appliances (Citrix NetScaler CVE-2026-3055 Memory Overread Part 2)
Today, we woke up with a nagging feeling: what if Citrix had, in fact, patched multiple Memory Overread vulnerabilities as part of CVE-2026-3055? While we've been using our analysis from Part 1 (please read it first, as this post will be brief) to accurately identify exploitable Citrix NetScaler appliances across the watchTowr client base, we couldn't help but wonder: could there be more hiding in Citrix's patches? These thoughts, and worse, naturally come to us at 6 am on a Sunday morning. Welcome back to the hellscape, and yet another watchTowr Labs blog post. What we can confidently conclude, post-analysis, is that CVE-2026-3055 is not one singular memory overread vulnerability. In fact, this CVE ID has been assigned to at least two memory overread vulnerabilities, affecting the following endpoints: /saml/login /wsfed/pass