BrewedIntel Feed

Gladinet Triofox Server Agent Multiple Vulnerabilities

Ben Smith — Wed, 27 May 2026 19:11:55 GMT

AI Summary

Multiple critical vulnerabilities were disclosed in Gladinet Triofox Server Agent version 17.1.10488.57063, including missing authentication (CVE-2026-8364) allowing unauthenticated remote attackers to list, add, change, and delete files on the Triofox Drive; stack-based buffer overflows in WOSDeviceDropFolder.dll (CVE-2026-8363) and WOSDefaultHttpModule.dll (CVE-2026-8362) enabling remote code execution; a path traversal (CVE-2026-8361) for arbitrary file read; and two denial-of-service vulnerabilities (CVE-2026-8360, CVE-2026-8359) via NULL pointer dereference or NULL function pointer call. All vulnerabilities are remotely exploitable without authentication, pose severe risk of complete host compromise, sensitive data exposure, and service disruption, and require immediate patching and network segmentation.

Why do I care?

Attackers can exploit these CVEs without authentication to execute arbitrary code, access sensitive files, or crash the service, potentially leading to ransomware deployment or data theft.

What can I do about it?

Apply the vendor's security update immediately; restrict network access to TCP port 7878 to trusted hosts only; and monitor logs for unusual HTTP requests targeting /resources, /Settings, /profile, /woshome, /status, or /sysinfo.

Classification

Vulnerability, Critical Severity, Denial of Service, Missing Authentication for Critical Function, Path Traversal

Source

Source feed: Tenable Research Advisories | Original source

FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch

Arctic Wolf Labs — Wed, 27 May 2026 18:23:19 GMT

AI Summary

Arctic Wolf reports active exploitation of CVE-2026-35616 in FortiClient EMS to deploy EKZ Infostealer, a credential-stealing malware. The campaign abuses trusted endpoint management infrastructure to push the payload as a fake Fortinet patch. Execution is achieved via PowerShell, silently running the malicious executable. This infostealer collects credentials, posing a significant risk of lateral movement and privilege escalation. Organizations using FortiClient EMS should consider it compromised if unpatched and monitor for anomalous PowerShell activity.

Why do I care?

Exploitation of FortiClient EMS can lead to widespread credential theft across managed endpoints, compromising domain credentials and enabling lateral movement.

What can I do about it?

Apply the latest FortiClient EMS patches, monitor for suspicious PowerShell activity, and enforce application control to block unauthorized executables.

Classification

Vulnerability, High Severity, Credential Theft, Exploit

Source

Source feed: Arctic Wolf Labs | Original source

UK Cyberspying Chief Calls AI ‘an Unstoppable Force’ and Warns About Russia

Associated Press — Wed, 27 May 2026 17:32:14 GMT

AI Summary

The UK's cyber intelligence chief warns that artificial intelligence is an 'unstoppable force' and highlights increasing hostile cyber activity from Russia in the 'gray zone' below the threshold of war. The speech underscores a growing threat landscape where state-sponsored actors leverage AI and other technologies for espionage and disruption. Organizations must remain vigilant and adapt their defenses to counter these persistent threats.

Why do I care?

Russia's escalating gray-zone cyber activities pose a significant risk to national security and organizational assets, potentially leading to data breaches and operational disruption.

What can I do about it?

Enhance threat monitoring for indicators of Russian state-sponsored activity, strengthen incident response capabilities, and invest in AI-driven defense mechanisms to detect advanced threats.

Classification

Other, High Severity, Cyber Espionage, Hybrid Threats

Source

Source feed: SecurityWeek | Original source

Latin American Cybercriminals Hoover Up Government Data

Robert Lemos — Wed, 27 May 2026 16:19:03 GMT

AI Summary

This article reports a purported leak of 5.8 million records of Uruguayan citizens, attributed to Latin American cybercriminals targeting government agencies. The incident highlights ongoing threats to government data for monetization purposes. While details are sparse and unverified, the scale of the leak suggests significant potential for identity theft and privacy violations. Organizations should monitor for exposed data and prepare for possible targeting.

Classification

Other, Medium Severity, Data Theft

Source

Source feed: Dark Reading | Original source

AI-Assisted Exploit Development Outpaces Scanner Detection

Elizabeth Montalbano — Wed, 27 May 2026 16:11:19 GMT

AI Summary

Recent research indicates that attackers are leveraging artificial intelligence to significantly accelerate the development of working exploits for vulnerabilities (CVEs). This AI-assisted approach outpaces traditional detection methods, enabling faster weaponization of known flaws. While specific exploits or campaigns are not yet identified, the trend underscores an evolving threat landscape where AI lowers barriers for exploit development, potentially increasing the frequency of attacks. Organizations should monitor for AI-generated exploit patterns and prioritize patch management.

Classification

Vulnerability, Medium Severity, Exploit Development

Source

Source feed: Dark Reading | Original source

Grandoreiro Malware and BTMOB RAT Campaigns Target Windows and Android Users

info@thehackernews.com (The Hacker News) — Wed, 27 May 2026 16:10:21 GMT

AI Summary

Grandoreiro and BTMOB banking trojan campaigns are targeting Windows and Android users in Latin America and Europe, according to WatchGuard and ESET. The campaigns focus on companies in Spain, Portugal, Mexico, and mobile users in Brazil. These malware families aim to steal financial credentials and sensitive data. Users and organizations should employ robust security solutions, exercise caution with email attachments and links, and keep systems updated to mitigate the risk of infection.

Why do I care?

These campaigns pose a significant threat to financial data and operational integrity, specifically targeting businesses and mobile users in key regions.

What can I do about it?

Implement email filtering to block phishing, deploy endpoint protection with anti-malware capabilities, and educate users about social engineering tactics used by these banking trojans.

Classification

Malware, High Severity, Banking Trojan, RAT

Source

Source feed: The Hacker News | Original source

Evidence at the Moment of Attack. Answers at AI Speed.

Itay Gershon — Wed, 27 May 2026 16:03:11 GMT

AI Summary

Wiz Sensor Forensics is now generally available, providing automatic forensic artifact capture upon detection and leveraging AI to accelerate incident investigation for SOC and IR teams. This tool enhances cloud security operations without introducing new threats.

Classification

Other, Low Severity

Source

Source feed: Wiz Security Research | Original source

Malicious npm Package Stole Files From Claude AI User Directory via GitHub

info@thehackernews.com (The Hacker News) — Wed, 27 May 2026 15:44:29 GMT

AI Summary

A malicious npm package named 'mouse5212-super-formatter' has been discovered targeting Anthropic's Claude AI tool. The package steals files from the '/mnt/user-data' directory, which Claude uses for uploads and outputs. This poses a significant risk to developers and organizations using Claude, as sensitive data could be exfiltrated. The attack vector is a supply chain compromise via the npm registry. Mitigation includes auditing npm dependencies, using package integrity checks, and monitoring for suspicious package behaviors. Users should verify the authenticity of packages before installation and consider using security tools to scan for malicious code.

Why do I care?

This package can exfiltrate sensitive data from Claude AI interactions, potentially exposing confidential business information or intellectual property.

What can I do about it?

Immediately review npm dependencies for any use of 'mouse5212-super-formatter' and similar packages. Implement strict package review policies and use automated security scanners in your CI/CD pipeline.

Classification

Malware, High Severity, Information Stealer, Supply Chain Attack

Source

Source feed: The Hacker News | Original source

Vulnerability in Popular Conference Software Granted Attackers a 100% Talk Acceptance Rate

Eduard Kovacs — Wed, 27 May 2026 14:30:00 GMT

AI Summary

Novee researchers discovered an account takeover vulnerability in the open-source conference management tool Pretalx. This flaw could allow an attacker to gain full control of a victim's account, potentially manipulating talk acceptances or accessing sensitive data. The vulnerability affects a widely used platform for managing call for papers, posing a significant risk to conference organizers and participants. Immediate action is recommended to apply patches or mitigations as soon as they become available to prevent exploitation.

Why do I care?

Account takeover in Pretalx could allow attackers to manipulate conference submissions, steal credentials, or gain unauthorized access to sensitive conference data.

What can I do about it?

Monitor for security updates from the Pretalx project and apply patches promptly. Implement additional security measures such as multi-factor authentication to reduce risk.

Classification

Vulnerability, High Severity, Account Takeover

Source

Source feed: SecurityWeek | Original source

MediaArea heap-based buffer overflow vulnerabilities

Kri Dontje — Wed, 27 May 2026 14:00:14 GMT

AI Summary

Cisco Talos disclosed four heap-based buffer overflow vulnerabilities (CVE-2026-25104, CVE-2026-25713, CVE-2026-28764, CVE-2026-22554) in MediaArea MediaInfoLib version 26.01. These flaws can be triggered by supplying a malicious media file, leading to arbitrary code execution. The vendor has released patches. Organizations should update to the latest version and deploy Snort rules to detect exploitation attempts.

Why do I care?

These vulnerabilities allow remote code execution via specially crafted media files, posing a critical risk to systems using MediaInfoLib.

What can I do about it?

Update MediaInfoLib to the latest patched version and apply Snort signatures from Cisco Talos to detect and block exploitation attempts.

Classification

Vulnerability, Critical Severity, Arbitrary Code Execution, Buffer Overflow

Source

Source feed: Cisco Talos Intelligence Group | Original source

Can you enforce strong Active Directory password rules without frustrating users?

Sponsored by Specops Software — Wed, 27 May 2026 14:00:10 GMT

AI Summary

The article discusses strategies for enforcing strong password policies in Active Directory without frustrating users. It highlights the use of passphrases, breached password protection, and self-service password resets to enhance security. While weak passwords are a common attack vector, the article does not detail a specific active threat. Instead, it provides guidance on improving password hygiene to mitigate credential theft and unauthorized access. Organizations are encouraged to adopt these practices to strengthen their security posture. The overall impact is positive, as it helps prevent common attacks such as password spraying and brute force attempts.

Classification

Vulnerability, Medium Severity, Brute Force, Credential Theft, Password Spraying

Source

Source feed: Bleeping Computer | Original source

Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry's Software Development Infrastructure

Benjamin Read — Wed, 27 May 2026 13:52:45 GMT

AI Summary

The threat actor JINX-0164 uses LinkedIn social engineering to deliver custom macOS malware to employees of cryptocurrency organizations. This malware facilitates CI/CD pipeline hijacking, enabling the actor to inject malicious code, exfiltrate sensitive data, and compromise the software supply chain. The impact includes unauthorized access to private keys, manipulation of blockchain applications, and potential financial theft. Affected organizations face reputational damage and regulatory scrutiny. Mitigation requires robust security awareness training on social engineering, multi-factor authentication, strict access controls for CI/CD systems, and endpoint detection on macOS devices to detect and respond to the custom malware.

Why do I care?

This targeted threat actor specifically attacks cryptocurrency firms' software development infrastructure, using social engineering and custom macOS malware to hijack CI/CD pipelines, which can lead to supply chain compromise and financial loss.

What can I do about it?

Enforce strong authentication and access controls for CI/CD pipelines, conduct regular security awareness training focused on LinkedIn and other professional networking platforms, and monitor macOS endpoints for anomalous processes or network connections indicative of the custom malware.

Classification

Malware, High Severity, Spear Phishing, Supply Chain Compromise

Source

Source feed: Wiz Security Research | Original source

Glassworm botnet disrupted after resilient C2 infrastructure takedown

Ionut Ilascu — Wed, 27 May 2026 13:28:42 GMT

AI Summary

The Glassworm botnet, targeting developers through software supply-chain attacks, has been disrupted after researchers dismantled its resilient command-and-control infrastructure. The botnet used Solana blockchain transactions and the BitTorrent DHT network for C2 communications, making takedown efforts challenging. The disruption is significant as it prevents further compromise of development environments and potential downstream attacks. Mitigation for organizations includes reviewing software supply chain dependencies and monitoring for unusual blockchain-based communications.

Why do I care?

This botnet specifically targets developers via supply-chain attacks, threatening the integrity of software development pipelines and potentially leading to widespread compromise.

What can I do about it?

Enhance monitoring for anomalous network traffic to blockchain and P2P services, and implement strict software supply-chain verification controls, such as code signing and dependency scanning.

Classification

Malware, High Severity, Botnet, Supply-chain attack

Source

Source feed: Bleeping Computer | Original source

SecurityWeek to Host AI Risk Summit August 11-12 at the Ritz-Carlton, Half Moon Bay

SecurityWeek News — Wed, 27 May 2026 13:00:00 GMT

AI Summary

The article announces the third annual AI Risk Summit, hosted by SecurityWeek at the Ritz-Carlton in Half Moon Bay on August 11-12. It convenes CISOs, security leaders, AI researchers, developers, policymakers, and enterprise risk professionals to discuss AI security and risk management. No specific cyber threats, attacks, or vulnerabilities are reported. The summit focuses on strategic collaboration rather than operational threats. For cybersecurity defenders, the event may offer networking and learning opportunities but does not contain immediate actionable intelligence. The article is purely promotional with no disclosed incidents or malware.

Classification

Other, Low Severity

Source

Source feed: SecurityWeek | Original source

Football Fever Fuels Scam Campaigns Across Email and Social Media

Alina BÎZGĂ — Wed, 27 May 2026 12:56:33 GMT

AI Summary

Bitdefender Labs uncovered over 55 football-themed malvertising campaigns targeting fans via fake online stores, social media ads, IPTV piracy operations, fraudulent apps, and FIFA-themed giveaway/lottery emails. These scams exploit club loyalty and excitement for the FIFA World Cup 2026. Users are urged to verify sources and avoid suspicious links.

Classification

Incident, Medium Severity, Malvertising, Phishing

Source

Source feed: Bitdefender Labs | Original source

Cybersecurity Evolution: How We Went From Perimeter Defense to AI-Native Security

Fahmida Y. Rashid — Wed, 27 May 2026 12:11:30 GMT

AI Summary

This article, part of Dark Reading's 20th anniversary series, reflects on the transformation of the cybersecurity industry from 2006 to today, highlighting a shift from perimeter defense to AI-native security solutions. It provides a historical perspective on the industry's growth and technological evolution, but does not discuss specific threats or incidents.

Classification

Other, Low Severity

Source

Source feed: Dark Reading | Original source

Defending at Machine-Speed: Building AI Threat Readiness with Wiz

Kelsey Nelson — Wed, 27 May 2026 12:00:02 GMT

AI Summary

The article discusses Wiz's approach to helping organizations adopt an AI operating model for AI threat readiness. It emphasizes the need for machine-speed defense mechanisms but lacks specific details on current threats or incidents.

Classification

Other, Low Severity

Source

Source feed: Wiz Security Research | Original source

CISA Adds Three Known Exploited Vulnerabilities to Catalog

CISA — Wed, 27 May 2026 12:00:00 GMT

AI Summary

CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-8398 in Daemon Tools Lite, CVE-2026-45321 in TanStack, and CVE-2026-48027 in Nx Console, all with evidence of active exploitation. These vulnerabilities pose significant risks to federal enterprises and are frequently used as attack vectors. CISA's BOD 22-01 mandates remediation by FCEB agencies, and all organizations are urged to prioritize patching these CVEs as part of their vulnerability management practices.

Why do I care?

These actively exploited vulnerabilities are added to CISA's KEV catalog, indicating significant risk and frequent use by attackers to compromise systems.

What can I do about it?

Immediately prioritize patching CVE-2026-8398, CVE-2026-45321, and CVE-2026-48027 in your environment, following the due dates specified in BOD 22-01 or sooner.

Classification

Vulnerability, High Severity, Known Exploited Vulnerability

Source

Source feed: CISA Current Activity | Original source

RevEng.AI Raises $15 Million to Hunt for Flaws and Backdoors in Software Binaries

Ionut Arghire — Wed, 27 May 2026 11:52:55 GMT

AI Summary

RevEng.AI has raised $15 million to develop BinNet, an AI model designed to identify vulnerabilities and backdoors in software binaries. This funding will enhance their ability to analyze released software for security flaws, potentially improving supply chain security. The article highlights the growing use of AI in vulnerability discovery.

Classification

Vulnerability, Low Severity

Source

Source feed: SecurityWeek | Original source

FBI warns of in-person data theft attacks from extortion gang

Sergiu Gatlan — Wed, 27 May 2026 11:51:12 GMT

AI Summary

The FBI warns that the Silent Ransom Group (SRG) is conducting in-person data theft attacks against US law firms. These attacks involve physical intrusion to steal sensitive client data, which is then used for extortion. The group's tactics mark a shift from traditional cyber attacks, escalating physical risks. Organizations must secure premises and enforce strict access controls, while legal firms should implement data encryption and offline backups to mitigate potential ransomware and extortion incidents.

Why do I care?

This extortion gang is bypassing network defenses by physically stealing data, putting your organization at risk of exposure and ransom demands.

What can I do about it?

Enhance physical security measures (e.g., access controls, surveillance) and ensure critical data is encrypted and backed up offline.

Classification

Malware, High Severity, Data Theft, Ransomware

Source

Source feed: Bleeping Computer | Original source

GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure

info@thehackernews.com (The Hacker News) — Wed, 27 May 2026 11:48:37 GMT

AI Summary

In a coordinated effort, CrowdStrike, Google, and the Shadowserver Foundation disrupted all command-and-control channels of GlassWorm, a malware campaign targeting software developers since early 2025. The campaign used malicious packages and extensions to compromise developer environments, potentially leading to supply chain attacks. The takedown prevents further communication with compromised systems, limiting the threat's impact. Developers and organizations should review their software supply chain security and monitor for indicators of compromise associated with GlassWorm.

Why do I care?

This campaign specifically targets software developers, aiming to compromise the software supply chain and potentially affect downstream users.

What can I do about it?

Implement strict package validation, monitor for suspicious extensions, and apply principles of least privilege to development environments.

Classification

Malware, High Severity, Supply Chain Attack

Source

Source feed: The Hacker News | Original source

3 SOC Steps that Shut Down Incident Risks Early

info@thehackernews.com (The Hacker News) — Wed, 27 May 2026 11:45:00 GMT

AI Summary

The article argues that modern cyber incidents often begin as seemingly benign activities that evade traditional fortress-like defenses. It emphasizes the need for Security Operations Centers (SOCs) to shift focus from building strong perimeters to detecting and responding to suspicious behaviors early, before they escalate into full-blown incidents. The piece outlines three operational steps to improve early threat detection and reduce risk, but does not provide specific technical details or case studies.

Classification

Other, Low Severity, General Security Incident

Source

Source feed: The Hacker News | Original source

Romanian Hacker Sentenced to Prison in US for Selling Access to State Network

Eduard Kovacs — Wed, 27 May 2026 11:37:19 GMT

AI Summary

A Romanian hacker, Catalin Dragomir, was sentenced to prison in the United States for selling access to an Oregon state government office's network. The case highlights the ongoing threat of initial access brokers who compromise networks and sell that access to other malicious actors. Organizations, especially government entities, must enforce strong access controls, monitor for unauthorized access, and implement multi-factor authentication to prevent similar breaches.

Why do I care?

This breach demonstrates that even state government networks are targeted by cyber criminals who sell access, leading to potential data theft and further compromise.

What can I do about it?

Ensure strict access controls, enforce multi-factor authentication, and monitor network traffic for unusual activity to prevent unauthorized access and detect breaches early.

Classification

Incident, High Severity, Cyber Crime, Intrusion

Source

Source feed: SecurityWeek | Original source

5 Steps to Managing Shadow AI Tools Without Slowing Down Employees

info@thehackernews.com (The Hacker News) — Wed, 27 May 2026 11:30:00 GMT

AI Summary

The article addresses the rise of shadow AI tools within organizations, where employees use unapproved AI writing assistants, coding copilots, and browser extensions to boost productivity. Without IT oversight, these tools can introduce data leakage, compliance violations, and security vulnerabilities. It outlines a 5-step approach to manage shadow AI effectively: discover all in-use tools, evaluate their security posture, establish clear policies, implement a streamlined approval process, and educate employees on safe AI usage. The goal is to balance innovation with governance, ensuring that productivity gains do not compromise organizational security.

Classification

Other, Medium Severity, Shadow IT

Source

Source feed: The Hacker News | Original source

Lastwall Raises $11.5 Million for Quantum-Resilient Identity Platform

SecurityWeek News — Wed, 27 May 2026 11:01:13 GMT

AI Summary

Lastwall has raised $11.5 million in funding led by BDC Capital's StrongNorth Fund to accelerate its North American expansion. The company focuses on a quantum-resilient identity platform, aiming to enhance cybersecurity against future quantum computing threats. This investment signals growing interest in post-quantum security solutions.

Classification

Other, Low Severity

Source

Source feed: SecurityWeek | Original source

The Credential Crisis: How Stolen Credentials Defeat Modern Security

Kevin Townsend — Wed, 27 May 2026 10:30:00 GMT

AI Summary

The article highlights a growing credential crisis driven by AI-enhanced phishing, session hijacking, and credential abuse. Attackers leverage artificial intelligence to craft highly convincing phishing campaigns and automate session theft, outpacing traditional security defenses. This surge in credential theft poses a significant risk to organizations, as stolen credentials are often the first step in data breaches, ransomware attacks, and account takeovers. Security teams are racing to implement adaptive measures such as behavioral analytics, multi-factor authentication, and real-time threat intelligence to close the gap. Without proactive defense, the prevalence of stolen credentials undermines even modern security architectures, making credential protection a top priority.

Why do I care?

Stolen credentials bypass traditional security controls, allowing attackers to impersonate legitimate users and gain persistent access to sensitive systems and data.

What can I do about it?

Deploy multi-factor authentication across all accounts, implement user behavior analytics to detect anomalous logins, and conduct regular phishing awareness training to reduce exposure.

Classification

Incident, High Severity, Credential Abuse, Phishing, Session Hijacking

Source

Source feed: SecurityWeek | Original source

‘SymJack’ Attack Turns AI Coding Agents Into Supply Chain Attack Delivery Systems

Kevin Townsend — Wed, 27 May 2026 10:15:00 GMT

AI Summary

The 'SymJack' attack exploits AI coding agents by tricking them into installing attacker-controlled MCP servers through malicious repositories and disguised symlinks. This supply chain vector enables silent secret theft, CI pipeline compromise, and malicious code deployment. The threat is critical as it targets the development process itself, potentially affecting downstream users. Mitigation requires strict repository validation, agent permission restrictions, and network monitoring for unauthorized MCP connections.

Why do I care?

This attack can silently compromise the software supply chain by injecting malicious code via trusted AI agents, affecting all downstream users and systems.

What can I do about it?

Enforce strict repository whitelisting, limit AI agent actions to read-only where possible, and monitor for unexpected outbound connections from development environments.

Classification

Other, Critical Severity, Code Injection, Supply Chain Attack, Trojan

Source

Source feed: SecurityWeek | Original source

GlassWorm Botnet Disrupted

Ionut Arghire — Wed, 27 May 2026 10:10:00 GMT

AI Summary

Security firms successfully disrupted the GlassWorm botnet by taking down all four of its command-and-control (C&C) channels. This action mitigates the threat posed by the GlassWorm malware, which previously used these channels to coordinate infected devices. The takedown significantly reduces the botnet's ability to receive commands and exfiltrate data. Organizations should ensure their systems are not compromised by remaining vigilant for signs of infection, though the immediate risk has been lowered. The collaborative effort between security firms demonstrates effective disruption of botnet infrastructure.

Classification

Malware, Medium Severity, Botnet

Source

Source feed: SecurityWeek | Original source

Gitea Vulnerability Exposes Private Container Images without Authentication

info@thehackernews.com (The Hacker News) — Wed, 27 May 2026 10:06:32 GMT

AI Summary

A critical vulnerability in Gitea (CVE-2026-27771) allows unauthenticated remote attackers to pull private container images from self-hosted Gitea deployments without any authentication. This flaw exposes sensitive data such as proprietary code, secrets, and credentials stored in container images, posing a significant risk of data breach and further compromise. The vulnerability affects all Gitea versions prior to 1.26.2. No CVSS score has been assigned, but the ease of exploitation and potential impact warrant immediate attention. Organizations using vulnerable Gitea instances should urgently upgrade to version 1.26.2 or later to mitigate the threat. No workarounds are currently available, making patching the only reliable defense.

Why do I care?

This vulnerability can lead to unauthorized access to private container images, potentially exposing sensitive intellectual property, credentials, and application secrets that could be leveraged for lateral movement and further attacks.

What can I do about it?

Immediately upgrade Gitea to version 1.26.2 or later. Additionally, restrict network access to Gitea instances, monitor for suspicious activity in container registries, and audit access logs for signs of exploitation.

Classification

Vulnerability, High Severity, Information Disclosure, Unauthorized Access

Source

Source feed: The Hacker News | Original source

CISA gives feds 4 days to patch actively exploited cPanel plugin flaw

Sergiu Gatlan — Wed, 27 May 2026 10:06:17 GMT

AI Summary

CISA has issued an emergency directive requiring U.S. federal agencies to patch a critical, actively exploited vulnerability in the LiteSpeed cPanel user-end plugin within four days. This vulnerability allows remote attackers to compromise servers, potentially leading to data breaches or service disruption. Organizations should immediately apply the patch and audit for signs of compromise.

Why do I care?

This critical vulnerability is actively exploited and could allow attackers full control of affected servers, enabling data theft, ransomware, or further network compromise.

What can I do about it?

Immediately apply the vendor-provided patch and scan for indicators of compromise. Ensure robust patch management and monitor for anomalous activity on affected systems.

Classification

Vulnerability, Critical Severity, Exploit

Source

Source feed: Bleeping Computer | Original source

Introducing EvidenceForge: Synthetic security logs that don’t look (as) fake

David J. Bianco — Wed, 27 May 2026 10:00:47 GMT

AI Summary

EvidenceForge, a new open-source tool from Cisco Talos, generates high-quality, realistic synthetic security logs across 20+ Windows, Linux, and network formats. It uses a canonical event model to ensure causal and temporal consistency across log sources, overcoming limitations of anonymized public datasets or costly manual simulations. The tool helps security teams train threat hunters, validate detection logic, and develop ML models with labeled, multi-source telemetry, including realistic background noise and red herrings. While not indistinguishable from production data, it provides practical, high-fidelity datasets for improving detection capabilities.

Classification

Technique, Low Severity

Source

Source feed: Cisco Talos Intelligence Group | Original source

LA Metro Cyberattack Linked to Iranian State-Sponsored Hackers

Eduard Kovacs — Wed, 27 May 2026 09:33:45 GMT

AI Summary

A cyberattack on LA Metro has been linked to Iranian state-sponsored hackers. The attack, initially claimed by a hacktivist group, was found to use infrastructure associated with Iranian government threat actors. This incident highlights the ongoing threat to critical infrastructure from nation-state adversaries. The impact on LA Metro operations and data remains under investigation. Organizations must strengthen their cybersecurity posture to defend against sophisticated state-sponsored attacks, including implementing network segmentation, monitoring for anomalous activity, and conducting regular security assessments. Collaboration with intelligence agencies and sharing of threat indicators is crucial to mitigate such threats.

Why do I care?

State-sponsored actors are targeting US critical infrastructure, which can lead to service disruptions and data breaches.

What can I do about it?

Implement network segmentation, enhance monitoring for indicators of compromise, and ensure incident response plans are up-to-date.

Classification

Incident, High Severity, State-Sponsored Attack

Source

Source feed: SecurityWeek | Original source

Dutch police arrests suspect linked to Ajax football club hack

Sergiu Gatlan — Wed, 27 May 2026 09:09:03 GMT

AI Summary

The Dutch National Police arrested a 35-year-old man suspected of hacking AFC Ajax, a professional football club, earlier this year. The arrest highlights ongoing efforts to combat cybercrime targeting sports organizations. While specific attack methods and impacts are not detailed, the incident underscores the need for robust security measures in the sports industry.

Classification

Other, Medium Severity, Hacking

Source

Source feed: Bleeping Computer | Original source

Windows 11 KB5089573 update released with performance improvements

Sergiu Gatlan — Wed, 27 May 2026 08:33:46 GMT

AI Summary

Microsoft released the KB5089573 preview cumulative update for Windows 11 versions 25H2 and 24H2, including 30 changes focused on performance and reliability enhancements. No security issues or threats are addressed in this update.

Classification

Other, Low Severity

Source

Source feed: Bleeping Computer | Original source

FBI: Hackers Sending Operatives in Person to Insert USB Drives and Steal Data

Ionut Arghire — Wed, 27 May 2026 08:33:34 GMT

AI Summary

The FBI has issued an alert warning that the Silent Ransom Group is targeting law firms by sending operatives in person to physically insert USB drives into systems to steal data. This novel tactic bypasses traditional digital defenses and poses a significant threat, as it combines physical access with ransomware and data theft. Law firms, holding sensitive client information, are at high risk. Organizations must be vigilant against USB-based attacks and implement stringent physical security measures.

Why do I care?

Attackers are using physical delivery of USB drives to gain network access, circumventing standard cybersecurity controls and increasing the risk of data breach and ransomware infection.

What can I do about it?

Enforce strict policies against the use of unknown USB devices, educate employees on the risks, and deploy endpoint detection tools that monitor for malicious USB activity.

Classification

Malware, High Severity, Ransomware

Source

Source feed: SecurityWeek | Original source

AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites

info@thehackernews.com (The Hacker News) — Wed, 27 May 2026 07:45:52 GMT

AI Summary

Microsoft warns of an active cryptojacking campaign leveraging AI chatbot interactions to redirect users to malicious download sites. This emerging social engineering technique increases the visibility of infected recommendations, potentially compromising systems for cryptocurrency mining. Users should exercise caution with chatbot-provided links and ensure endpoint security is up-to-date.

Why do I care?

Attackers are exploiting trusted AI chatbot platforms to propagate cryptojacking malware, which can silently consume system resources and degrade performance.

What can I do about it?

Educate users to verify any download links suggested by chatbots, and deploy endpoint detection and response tools capable of identifying cryptojacking behaviors.

Classification

Malware, High Severity, Cryptojacking, Social Engineering

Source

Source feed: The Hacker News | Original source

CISA Urges Immediate Patching of Exploited LiteSpeed cPanel Plugin Zero-Day

Ionut Arghire — Wed, 27 May 2026 06:55:44 GMT

AI Summary

CISA has issued an urgent call for organizations to patch a zero-day vulnerability in the LiteSpeed cPanel plugin, which has been exploited in the wild to execute arbitrary scripts with root privileges. The vulnerability, which was resolved last week, allows attackers to gain full control over affected systems. Immediate patching is critical to prevent complete compromise of web servers.

Why do I care?

This zero-day allows remote attackers to execute code with root privileges, leading to full server compromise and potential lateral movement.

What can I do about it?

Apply the security update provided by the vendor immediately and review system logs for signs of exploitation.

Classification

Vulnerability, Critical Severity, Remote Code Execution, Zero-day Exploit

Source

Source feed: SecurityWeek | Original source

Anthropic Releases New Claude Sandbox, Security Guidance Plugin

Eduard Kovacs — Wed, 27 May 2026 06:43:08 GMT

AI Summary

Anthropic has released a new Claude Sandbox and Security Guidance Plugin that helps developers find and fix vulnerabilities while writing code. The tool has been used extensively internally at Anthropic, indicating its effectiveness in improving code security. This release is part of Anthropic's broader effort to enhance developer tools with AI-driven security features. The plugin aims to reduce the introduction of vulnerabilities during development, potentially lowering the risk of security incidents. While not a direct response to an active threat, it represents a proactive measure for secure coding practices.

Classification

Vulnerability, Low Severity

Source

Source feed: SecurityWeek | Original source

Continuous Offensive Security: The Line We've Been Walking

Wed, 27 May 2026 04:00:00 GMT

AI Summary

The article describes Snyk's Continuous Offensive Security, an approach that integrates DAST, AI pentesting, and agent red teaming to identify exploitable flaws. It is a product overview, not a report on a specific threat, vulnerability, or attack. No actionable threat intelligence is provided.

Classification

Vulnerability, Low Severity

Source

Source feed: Snyk Blog | Original source

From poisoned search results to GPU mining: A cryptojacking campaign abusing ScreenConnect and Microsoft .NET utilities

Microsoft Defender Experts and Microsoft Defender Security Research Team — Tue, 26 May 2026 21:35:34 GMT

AI Summary

Microsoft Defender Experts identified an active cryptojacking campaign that uses SEO poisoning and AI chatbot interactions to lure users into downloading fake system utilities. Impersonating tools like CrystalDiskInfo and HWMonitor, the campaign targets users with high-performance GPUs to maximize mining yield. The attack chain involves DLL sideloading to silently install ScreenConnect, providing persistent remote access that could enable data theft, lateral movement, or ransomware. Over 150 malicious domains have been linked to the campaign since March 2026. Microsoft Defender detects and blocks this activity. Organizations should enable cloud-delivered protection, run EDR in block mode, and enable attack surface reduction rules to mitigate risks.

Why do I care?

This campaign combines AI-assisted social engineering and software impersonation to target high-value systems, potentially leading to cryptojacking, persistent remote access, and further compromise like ransomware.

What can I do about it?

Enable cloud-delivered protection, run EDR in block mode, and enable attack surface reduction rules. Also educate users to verify software sources and avoid downloading from untrusted links, especially from AI chatbots.

Classification

Malware, High Severity, Cryptojacking, Social Engineering

Source

Source feed: Microsoft Security Blog | Original source

KnowledgeDeliver flaw exploited as a zero-day to install web shells

Ionut Ilascu — Tue, 26 May 2026 20:07:31 GMT

AI Summary

Attackers exploited a critical zero-day vulnerability in the KnowledgeDeliver learning management system to deploy the Godzilla web shell, enabling persistent remote access. The vulnerability allows unauthenticated code execution, posing a severe risk to affected servers. Immediate patching and monitoring for web shell activity are recommended.

Why do I care?

This zero-day in a widely used LMS could allow attackers to gain persistent access to sensitive educational data and internal networks.

What can I do about it?

Apply vendor patches immediately, monitor for Godzilla web shell indicators, and restrict internet exposure of LMS servers.

Classification

Vulnerability, Critical Severity, Web Shell Deployment, Zero-Day Exploitation

Source

Source feed: Bleeping Computer | Original source

Feeding Frenzy: 'Megalodon' Malware Infects Thousands of GitHub Repos

Rob Wright — Tue, 26 May 2026 19:47:14 GMT

AI Summary

A malware campaign dubbed 'Megalodon' compromised thousands of GitHub repositories in just six hours by pushing malicious commits to over 5,500 repos, stealing credentials and developer secrets. The attack highlights the risks of supply chain attacks and the need for stringent repository security measures.

Why do I care?

This campaign demonstrates how attackers can rapidly compromise developer environments, leading to theft of sensitive credentials and secrets that can be used for further attacks.

What can I do about it?

Implement multi-factor authentication, review repository access controls, monitor for unusual commit activity, and use secret scanning tools to detect exposed credentials.

Classification

Malware, High Severity, Credential Theft

Source

Source feed: Dark Reading | Original source

Charter confirms data breach after ShinyHunters extortion threat

Lawrence Abrams — Tue, 26 May 2026 19:46:01 GMT

AI Summary

Charter Communications confirmed a data breach after the ShinyHunters extortion group threatened to leak stolen data unless a ransom is paid. The breach exposes customer information, potentially including names, contact details, and account data. This incident highlights the ongoing threat from extortion groups who combine data theft with ransom demands. Organizations should prioritize data security, implement robust access controls, and prepare incident response plans to mitigate such risks.

Why do I care?

This breach demonstrates that even large telecom providers are vulnerable to extortion-driven data theft, potentially exposing sensitive customer data and leading to regulatory fines and reputational damage.

What can I do about it?

Enhance data loss prevention measures, monitor for unauthorized access, and ensure rapid incident response capabilities to detect and contain similar breaches.

Classification

Incident, High Severity, Data Breach, Extortion

Source

Source feed: Bleeping Computer | Original source

State Cyber Leaders Beg Congress for More Funding, Support

Arielle Waldman — Tue, 26 May 2026 19:29:56 GMT

AI Summary

State cyber leaders testified before Congress about the detrimental effects of federal cutbacks on cyber grants and information sharing, particularly in light of ongoing damaging attacks against critical infrastructure. The hearing emphasized the need for increased funding and support to bolster state defenses. The reduction in resources threatens the ability of states to protect essential services and coordinate with federal agencies. Without additional investment, critical infrastructure remains vulnerable to sophisticated cyber threats.

Why do I care?

Organizations relying on state-level protections may face increased risk due to underfunded cyber initiatives, potentially leading to cascading impacts on critical infrastructure.

What can I do about it?

Advocate for sustained federal cyber funding and ensure your organization has independent resilience measures to supplement state capabilities.

Classification

Other, High Severity, Critical Infrastructure Attack, Targeted Attack

Source

Source feed: Dark Reading | Original source

The Hackers Behind Shai-Hulud: Lucky or Skilled?

Alexander Culafi — Tue, 26 May 2026 19:18:01 GMT

AI Summary

TeamPCP, the hacking group behind the Shai-Hulud worm, has inflicted significant damage to the open source ecosystem. The article questions whether their success stems from luck or skill, but the impact is undeniable. The worm exploits weaknesses in open source supply chains, affecting a broad range of downstream users. Organizations must recognize that even less sophisticated actors can cause widespread harm. Mitigation requires proactive dependency management, vulnerability scanning, and strict access controls for third-party components.

Why do I care?

The Shai-Hulud worm targets open source ecosystems, potentially compromising widely used libraries and affecting numerous downstream users.

What can I do about it?

Regularly audit and update open source dependencies, and implement integrity checks and code signing for third-party components.

Classification

Malware, High Severity, Worm

Source

Source feed: Dark Reading | Original source

Delta Electronics DIAView Patch Bypass

Ben Smith — Tue, 26 May 2026 19:14:41 GMT

AI Summary

A mitigation bypass for CVE-2025-62582 in Delta Electronics DIAView allows unauthenticated remote attackers to access configured databases. The incomplete fix means systems remain vulnerable to unauthorized database access, posing a critical risk to industrial environments. Immediate patch verification and network segmentation are advised.

Why do I care?

This vulnerability exposes sensitive industrial databases to remote attackers without authentication, enabling data theft or disruption.

What can I do about it?

Verify the DIAView installation has the latest complete patch, restrict network access to DIAView services, and monitor for unauthorized database queries.

Classification

Vulnerability, Critical Severity, Unauthenticated Remote Database Access

Source

Source feed: Tenable Research Advisories | Original source

For Enterprises, Security Remains Agentic AI's Biggest Challenge

Robert Lemos — Tue, 26 May 2026 19:12:52 GMT

AI Summary

The article highlights that while every company needs an agentic AI strategy, the security tools necessary for safe adoption are only beginning to emerge. It emphasizes that agentic AI presents a significant challenge for enterprise security, but does not detail specific threats, attacks, or mitigation steps. The piece serves as a general advisory on the state of AI security readiness.

Classification

Vulnerability, Medium Severity

Source

Source feed: Dark Reading | Original source

Microsoft Issues Out-of-Band SharePoint Patch

Jai Vijayan — Tue, 26 May 2026 18:25:44 GMT

AI Summary

Microsoft has issued an out-of-band patch for a critical vulnerability in SharePoint. This vulnerability could allow attackers to gain elevated access, potentially compromising sensitive data. Organizations should apply the patch immediately.

Why do I care?

SharePoint often contains sensitive corporate data, making it a prime target for attackers.

What can I do about it?

Apply the out-of-band patch as soon as possible and review access controls to mitigate risk.

Classification

Vulnerability, Critical Severity, Remote Code Execution

Source

Source feed: Dark Reading | Original source

Understanding Illicit Ecosystems: The Hybrid Threat of “The Com”

Flashpoint — Tue, 26 May 2026 16:29:43 GMT

AI Summary

This article analyzes 'The Com,' a decentralized hybrid threat ecosystem combining hacking, extortion, and real-world violence. It operates through three pillars: HACKER Com (economic engine using social engineering and supply chain attacks), EXTORT Com (ideological driver), and IRL Com (enforcement via physical violence). The Com targets Fortune 500 companies to fund domestic terrorism and recruits adolescents into a victim-to-perpetrator pipeline. Key groups include Scattered Spider, LAPSUS$, ShinyHunters, and DragonForce. The threat poses significant financial and societal risks, requiring integrated security, parental oversight, and law enforcement collaboration to disrupt.

Why do I care?

The Com merges cybercrime with domestic terrorism, using sophisticated social engineering and supply chain attacks to breach enterprises and radicalize youth, posing severe financial and security risks.

What can I do about it?

Implement robust identity and access management, train helpdesk staff to detect vishing attempts, monitor for living-off-the-land tools, and establish cross-sector information sharing to detect and disrupt these activities.

Classification

Incident, Critical Severity, Cyber-Fraud, Extortion, Social Engineering

Source

Source feed: Flashpoint Intel Blog | Original source

MuddyWater Uses DLL Side-Loading in Espionage Campaign Targeting 9 Countries

info@thehackernews.com (The Hacker News) — Tue, 26 May 2026 15:48:41 GMT

AI Summary

The Iranian APT group MuddyWater has been linked to a DLL side-loading espionage campaign targeting at least nine organizations across nine countries on four continents in Q1 2026. The campaign impacted industrial manufacturing, electronics, education, government, financial services, and professional services sectors. The threat actor used DLL side-loading to execute malicious code, likely to evade detection. This campaign represents an ongoing state-sponsored espionage effort. Organizations in targeted sectors should enhance monitoring for DLL side-loading and review their security controls to detect and prevent such attacks.

Why do I care?

MuddyWater is an Iranian state-sponsored group conducting espionage globally; this campaign shows active targeting of diverse sectors across multiple countries, indicating a broad threat to organizational intellectual property and sensitive data.

What can I do about it?

Implement application control policies to restrict DLL loading to known and trusted locations, monitor for anomalous DLL side-loading events, and conduct user awareness training to defend against the initial infection vector likely phishing.

Classification

Incident, High Severity, Espionage

Source

Source feed: The Hacker News | Original source

How Varonis Atlas integrates Claude Compliance API for AI governance

Sponsored by Varonis — Tue, 26 May 2026 14:01:11 GMT

AI Summary

Varonis Atlas integrates Claude Compliance API to enhance AI governance by providing visibility into how AI tools interact with enterprise data. This integration helps organizations monitor usage, investigate risks, and support compliance efforts. The article discusses the need for AI governance and how Varonis addresses it.

Classification

Other, Low Severity

Source

Source feed: Bleeping Computer | Original source

AppOmni’s Marlin AI Brings Autonomous Investigation to SaaS Security

Kevin Townsend — Tue, 26 May 2026 14:00:00 GMT

AI Summary

AppOmni launched Marlin AI, an autonomous investigation tool for SaaS security that analyzes misconfigurations, correlates activity across enterprise environments, and provides remediation recommendations without full automation.

Classification

Vulnerability, Low Severity

Source

Source feed: SecurityWeek | Original source

Iranian APT Targets Aviation, Software Companies With Updated Tools

Ionut Arghire — Tue, 26 May 2026 13:26:17 GMT

AI Summary

Nimbus Manticore, an Iranian Advanced Persistent Threat (APT) group, continues its operations targeting aviation and software companies with updated tools. The group has remained active during and after the US military campaign against Iran. This threat actor focuses on espionage and potential disruption in critical sectors. The impact includes intellectual property theft and supply chain compromise. Organizations in aviation and software industries must enhance monitoring and apply threat intelligence to defend against evolving tactics.

Why do I care?

As an Iranian APT targets critical aviation and software sectors, organizations in these industries face heightened risk of espionage and data theft.

What can I do about it?

Implement robust security controls, monitor for indicators of compromise, and segment networks to limit lateral movement.

Classification

Adversary, High Severity, APT

Source

Source feed: SecurityWeek | Original source

Phishing Campaign Deploys JavaScript-Driven PureLogs Variant to Steal Sensitive Data

Tue, 26 May 2026 13:00:00 GMT

AI Summary

FortiGuard Labs has identified a sophisticated phishing campaign that delivers an obfuscated JavaScript variant of the PureLogs information stealer. The attack chain involves JavaScript execution, PowerShell scripts, and process hollowing techniques to evade detection and steal sensitive data, including credentials and other confidential information. This campaign poses a significant threat to organizations, potentially leading to data breaches and further compromise. Mitigation strategies include enhancing email security to block malicious attachments, implementing endpoint detection rules for process hollowing and suspicious PowerShell activity, and conducting regular cybersecurity awareness training to reduce the risk of phishing attacks.

Why do I care?

This phishing campaign deploys a known infostealer capable of credential theft and data exfiltration, posing significant risk to organizational data and potential lateral movement within networks.

What can I do about it?

Implement robust email security filtering, conduct phishing simulations to raise user awareness, and deploy endpoint detection rules specifically for process hollowing and anomalous PowerShell execution.

Classification

Incident, High Severity, Info Stealer, Phishing

Source

Source feed: FortiGuard Labs Threat Research | Original source

How Security Leaders Cut Through Complexity to Drive Better Outcomes

Emma Burdett — Tue, 26 May 2026 12:51:10 GMT

AI Summary

The article summarizes a panel discussion at the Rapid7 Global Cybersecurity Summit, where security leaders share strategies for managing increasing complexity in cybersecurity. Topics include reducing noise from excessive alerts, rethinking metrics to focus on risk rather than activity, and aligning security priorities with business impact. Speakers from Netscout, Target RWE, and Culligan International emphasize practical approaches like clarifying ownership, improving cross-team coordination, and validating investments in MDR and consolidation. The session aims to help CISOs and security operations teams cut through complexity to achieve better security outcomes.

Classification

Other, Low Severity

Source

Source feed: Rapid7 Security Research | Original source

State of SDLC Security 2026: How Risk Scales in Modern Development

Wiz Threat Research — Tue, 26 May 2026 12:45:02 GMT

AI Summary

This article provides a high-level overview of current trends in software development lifecycle (SDLC) security, focusing on how code, developer tooling, automation, and artificial intelligence are influencing application security. It does not detail specific threats, incidents, or vulnerabilities but rather discusses the evolving risk landscape in modern development environments. The content is generic and lacks actionable threat intelligence or concrete mitigation advice.

Classification

Vulnerability, Low Severity

Source

Source feed: Wiz Security Research | Original source

Microsoft Defender can now automatically isolate hacked endpoints

Sergiu Gatlan — Tue, 26 May 2026 12:19:43 GMT

AI Summary

Microsoft is testing a new automatic isolation capability in Defender for Endpoint that instantly isolates compromised endpoints to prevent attackers from moving laterally across the network. This feature aims to contain breaches quickly, especially against ransomware and advanced threats that rely on lateral movement. By automating the isolation process, it reduces the time for response and minimizes the attack surface. Organizations should consider enabling this feature to enhance their security posture and prevent widespread compromise.

Classification

Other, Low Severity

Source

Source feed: Bleeping Computer | Original source

Webinar: Too many tools are slowing network incident response

BleepingComputer — Tue, 26 May 2026 12:16:24 GMT

AI Summary

This article promotes a webinar discussing how IT teams face inefficiencies due to the need to switch between multiple tools during network incident response. It highlights how automation and AI-assisted workflows can reduce manual coordination and improve response times. The content is informational and does not describe a specific cyber threat or attack.

Classification

Other, Low Severity

Source

Source feed: Bleeping Computer | Original source

Remembering Tim Wilson, Whose Legacy Lives on at Dark Reading

Kelly Jackson Higgins — Tue, 26 May 2026 12:00:00 GMT

AI Summary

This article is a tribute to Tim Wilson, co-founder and former editor-in-chief of Dark Reading, who passed away five years ago. It commemorates his role in building and elevating the media platform. No cybersecurity threats, incidents, or malicious entities are discussed.

Classification

Other, Low Severity

Source

Source feed: Dark Reading | Original source

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Tue, 26 May 2026 12:00:00 GMT

AI Summary

CISA added CVE-2026-48172, a privilege escalation vulnerability in the LiteSpeed cPanel plugin, to its Known Exploited Vulnerabilities catalog due to active exploitation. This flaw poses significant risks to federal enterprises and is a frequent vector for malicious actors. CISA mandates remediation for federal agencies under BOD 22-01 and urges all organizations to prioritize patching this and other KEV-listed vulnerabilities to reduce exposure to cyberattacks.

Why do I care?

This actively exploited privilege escalation vulnerability in the LiteSpeed cPanel plugin can allow attackers to gain elevated access, posing significant risk to servers running cPanel.

What can I do about it?

Immediately apply the vendor-provided patch for CVE-2026-48172 and prioritize remediation of all vulnerabilities in CISA's KEV catalog as part of your vulnerability management program.

Classification

Vulnerability, High Severity, Privilege Escalation

Source

Source feed: CISA Current Activity | Original source

185,000 Likely Impacted by 7-Eleven Data Breach

Ionut Arghire — Tue, 26 May 2026 11:59:40 GMT

AI Summary

A data breach at 7-Eleven has potentially impacted 185,000 individuals, with leaked personal information including email addresses, names, physical addresses, and dates of birth. The threat actor group ShinyHunters claimed responsibility for the leak. This exposure of sensitive data increases the risk of identity theft and targeted social engineering attacks. Organizations must reinforce data protection and incident response protocols, while affected individuals should monitor accounts for suspicious activity and remain vigilant against phishing attempts.

Why do I care?

The breach of 185,000 customer records, including names, addresses, and dates of birth, provides cybercriminals with valuable data for identity theft and social engineering attacks, posing a direct threat to organizational reputation and customer trust.

What can I do about it?

Immediately implement enhanced monitoring for account takeover attempts, deploy phishing awareness training tailored to the leaked data, and review data access controls to prevent similar exposures.

Classification

Incident, High Severity, Data Breach

Source

Source feed: SecurityWeek | Original source

New AI DDoS Attacks Are Smarter. Learn How to Fight Back in This Webinar

info@thehackernews.com (The Hacker News) — Tue, 26 May 2026 11:58:00 GMT

AI Summary

The article highlights the growing trend of AI-powered DDoS attacks, which are becoming smarter and more difficult to mitigate. Hackers leverage artificial intelligence to identify system weaknesses and automate attacks, increasing speed and impact. While no specific incidents or actors are detailed, the key threat is the enhanced sophistication of DDoS campaigns, posing greater risk to website availability and data integrity. Organizations should proactively invest in AI-driven defense mechanisms and maintain robust incident response plans to counter these evolving threats. The article serves as a warning but lacks concrete evidence or technical depth.

Classification

Malware, Medium Severity, Distributed Denial of Service (DDoS)

Source

Source feed: The Hacker News | Original source

Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions

info@thehackernews.com (The Hacker News) — Tue, 26 May 2026 11:49:53 GMT

AI Summary

Microsoft has released patches for CVE-2026-45659, a critical remote code execution vulnerability in SharePoint Server with a CVSS score of 8.8. The flaw allows unauthenticated attackers to execute arbitrary code without special conditions, posing a significant risk to enterprise environments. Organizations are urged to apply the updates immediately to prevent potential compromise.

Why do I care?

This unauthenticated RCE vulnerability in SharePoint could allow attackers to take full control of affected servers, leading to data theft or ransomware deployment.

What can I do about it?

Prioritize applying the latest security patches from Microsoft for all affected SharePoint versions; consider network segmentation and access controls as interim mitigations.

Classification

Vulnerability, High Severity, Remote Code Execution

Source

Source feed: The Hacker News | Original source

Anthropic Expands Claude’s Enterprise Security Governance With 28 New Integrations

Eduard Kovacs — Tue, 26 May 2026 11:44:53 GMT

AI Summary

Anthropic has expanded Claude's enterprise security governance capabilities through 28 new integrations with leading cybersecurity vendors. Notable partners include CrowdStrike, Palo Alto Networks, Microsoft, Okta, Zscaler, Netskope, Cloudflare, Fortinet, and Wiz. These integrations aim to strengthen Claude's security posture and provide enterprises with better governance tools. While no specific threats are disclosed, the announcement underscores the growing importance of AI security in enterprise environments. The integrations cover key areas such as endpoint protection, network security, identity management, and cloud security. This move highlights the trend of embedding AI assistants into broader security ecosystems to enhance threat detection and response.

Classification

Vulnerability, Low Severity

Source

Source feed: SecurityWeek | Original source

Hackers Exploited KnowledgeDeliver Zero-Day for Web Shell Deployment

Ionut Arghire — Tue, 26 May 2026 11:14:31 GMT

AI Summary

Hackers have been actively exploiting a zero-day vulnerability in KnowledgeDeliver, leveraging hardcoded machineKey values in its configuration file to perform ViewState deserialization attacks. This enables remote code execution and subsequent web shell deployment on affected servers. The attack grants persistent access and control over compromised systems, posing a significant threat to organizations using the software. To mitigate, administrators should apply available patches, replace hardcoded keys with cryptographically random values, and enforce ViewState integrity checks. Immediate investigation for signs of compromise is recommended.

Why do I care?

This zero-day allows attackers to achieve remote code execution and deploy web shells, giving them persistent access to critical infrastructure. Any organization using KnowledgeDeliver is at risk of complete compromise.

What can I do about it?

Apply security patches immediately, rotate hardcoded machineKey values to secure random keys, and enable ViewState tamper detection. Conduct a thorough review for signs of web shell activity.

Classification

Vulnerability, Critical Severity, Remote Code Execution, Web Shell Deployment

Source

Source feed: SecurityWeek | Original source

Watch on Demand: Threat Detection & Incident Response Summit – All Sessions Available

SecurityWeek News — Tue, 26 May 2026 11:00:00 GMT

AI Summary

This article announces the availability of on-demand sessions from the Threat Detection & Incident Response Summit, offering free access to tools, strategies, and frameworks for building a resilient security program. It is not a threat advisory but a promotional piece for industry event content.

Classification

Other, Low Severity

Source

Source feed: SecurityWeek | Original source

Open Source DockSec Uses AI to Cut Through Vulnerability Noise in Docker Images

Mike Lennon — Tue, 26 May 2026 10:45:00 GMT

AI Summary

DockSec, an OWASP incubator project, is an open-source tool that aggregates findings from multiple container security scanners and leverages AI to produce plain-English remediation guidance and exact Dockerfile fixes. It aims to reduce the noise from vulnerability reports, helping developers prioritize and address issues efficiently. The tool is designed to improve container security by automating the correlation of scan results and providing actionable insights. No specific threats or malware are mentioned in the article.

Classification

Vulnerability, Low Severity

Source

Source feed: SecurityWeek | Original source

MFA Prompt Bombing: Why Your Second Factor Isn't Saving You

info@thehackernews.com (The Hacker News) — Tue, 26 May 2026 10:30:00 GMT

AI Summary

The article discusses MFA prompt bombing, a social engineering attack where attackers push repeated MFA approval requests to users who have already had their credentials compromised. By annoying or confusing the user, the attacker tricks them into approving a request, granting unauthorized access without needing to steal the second factor. This technique undermines the security of traditional MFA, as users become the weak link. The threat is significant because it can lead to account takeovers and data breaches, and many organizations rely solely on MFA without additional defenses. The article emphasizes that awareness and technical mitigations like number matching are necessary to counter this evolving threat.

Why do I care?

MFA prompt bombing turns your own security tool against you, allowing attackers to bypass multi-factor authentication without technical sophistication. If users are not trained to recognize these prompts, a single approval can lead to account compromise.

What can I do about it?

Implement number matching in MFA prompts to force users to enter a code from the login screen, making blind approval ineffective. Additionally, enable conditional access policies to block requests from unusual locations or devices, and educate users to never approve unexpected MFA requests.

Classification

Incident, High Severity, MFA Prompt Bombing, Social Engineering

Source

Source feed: The Hacker News | Original source

Lithuania Suspects Foreign Involvement in Data Leak of Over 600,000 National Register Entries

Associated Press — Tue, 26 May 2026 10:26:56 GMT

AI Summary

Lithuanian authorities are investigating a massive data leak of over 600,000 entries from national data registers, with suspicions of foreign involvement. The breach exposes sensitive citizen data, posing risks of identity theft and espionage. Immediate investigation and enhanced security measures are required.

Why do I care?

This data leak of national registers indicates potential state-sponsored activity and exposes sensitive citizen data, increasing risk of identity theft and espionage.

What can I do about it?

Organizations should audit access to sensitive databases, implement robust monitoring for unauthorized data access, and prepare incident response for data exfiltration.

Classification

Incident, High Severity, Data Leak

Source

Source feed: SecurityWeek | Original source

AI Threat Landscape Digest March-April 2026

matthewsu — Tue, 26 May 2026 10:09:59 GMT

AI Summary

The March-April 2026 AI Threat Landscape Digest reveals that offensive AI operations have advanced to real-time autonomous deployment across criminal and state-sponsored actors. Notably, a financially motivated operator breached nine Mexican government agencies using Claude Code for exploitation and GPT-4.1 for intelligence analysis, stealing tax records, civil registry data, and patient files. The attacker weaponized agentic configuration files (e.g., CLAUDE.md) as persistent jailbreak vectors. Key findings include AI-orchestrated attacks moving to criminal use, commercialization of AI attack platforms, and large-scale harvesting of AI provider API keys. This evolution underscores the urgent need for organizations to secure AI credentials and monitor for AI-driven intrusion patterns.

Why do I care?

AI-powered attacks are now operational, enabling adversaries to automate exploitation and rapidly compromise critical infrastructure, as demonstrated by the sustained breach of multiple government agencies.

What can I do about it?

Secure API keys for AI services as high-value assets, enforce strict access controls on agentic configuration files, and deploy monitoring to detect anomalous AI model usage patterns indicative of compromise.

Classification

Vulnerability, High Severity, Data Theft, Espionage, Ransomware

Source

Source feed: Check Point Research | Original source

Admins of Bulletproof Hosting Service Used by Russian Hackers Arrested in Netherlands

Ionut Arghire — Tue, 26 May 2026 09:47:19 GMT

AI Summary

The article reports the arrest of two administrators of Dutch companies that provided bulletproof hosting services to Russia-aligned threat actors. This law enforcement operation disrupts a key infrastructure component used by cybercriminals, potentially hindering their ability to host malicious content and launch attacks. While the arrests are a positive step, organizations should remain cautious as the broader threat landscape persists. The impact of this action may reduce the availability of resilient hosting for malware command-and-control, phishing sites, and other illicit activities.

Classification

Other, Medium Severity

Source

Source feed: SecurityWeek | Original source

CERT-In Mandates 12-Hour Patching for Internet-Facing Flaws Amid AI-Assisted Attacks

info@thehackernews.com (The Hacker News) — Tue, 26 May 2026 09:13:02 GMT

AI Summary

CERT-In has issued guidelines requiring organizations to patch critical vulnerabilities in internet-exposed systems within 12 hours, citing the increasing use of AI and LLMs by threat actors to automate exploitation. The mandate aims to reduce the window of exposure and prevent large-scale automated attacks. Organizations must prioritize patching and establish rapid response workflows to comply.

Why do I care?

Organizations with internet-facing systems face elevated risk as adversaries leverage AI to exploit known vulnerabilities at scale. Delayed patching increases exposure to automated attacks.

What can I do about it?

Implement automated vulnerability scanning and patching systems to meet the 12-hour window. Monitor CERT-In advisories and prioritize critical flaws in internet-exposed assets.

Classification

Vulnerability, High Severity, Vulnerability Exploitation

Source

Source feed: The Hacker News | Original source

BTMOB: A stealthy RAT burrowing deep into Android devices

Tue, 26 May 2026 08:50:00 GMT

AI Summary

BTMOB is a stealthy remote access trojan (RAT) targeting Android devices. It combines remote access capabilities with ready-made campaign tools, lowering the barrier for full device compromise. This malware can allow attackers to execute commands, steal data, and maintain persistent access. The threat is significant for organizations as it can lead to complete compromise of mobile devices, potentially exposing sensitive corporate data. Mitigation involves robust mobile security practices, including app vetting, device management, and endpoint protection solutions.

Why do I care?

BTMOB poses a high risk as it enables full compromise of Android devices, potentially exposing sensitive organizational data and providing attackers with a foothold into corporate networks.

What can I do about it?

Enforce strict mobile device management policies, restrict app installations to trusted sources, and deploy mobile threat defense solutions that can detect and block such malware.

Classification

Malware, High Severity, Android Malware, Remote Access Trojan

Source

Source feed: ESET WeLiveSecurity | Original source

CISA orders feds to patch actively exploited Drupal vulnerability

Sergiu Gatlan — Tue, 26 May 2026 08:46:45 GMT

AI Summary

CISA has mandated that U.S. federal agencies patch a critical SQL injection vulnerability in Drupal CMS by Wednesday, citing active exploitation. The vulnerability could allow attackers to compromise vulnerable servers. This directive underscores the urgency and potential impact on government networks, and all organizations using Drupal should prioritize patching.

Why do I care?

This vulnerability is actively exploited in the wild, allowing attackers to gain unauthorized access to Drupal-based servers, potentially leading to data breaches or full compromise.

What can I do about it?

Apply the latest Drupal security update immediately. If immediate patching is not possible, implement virtual patching or additional Web Application Firewall (WAF) rules to mitigate SQL injection attempts.

Classification

Vulnerability, Critical Severity, Exploitation of Vulnerability

Source

Source feed: Bleeping Computer | Original source

Microsoft: Domain Controller lookup may fail on Windows Server 2016

Sergiu Gatlan — Tue, 26 May 2026 07:41:25 GMT

AI Summary

Microsoft confirmed a new known issue in Windows Server 2016 where domain controller (DC) lookups may fail after installing the KB5087537 May 2026 security update. This issue can disrupt authentication and directory services, potentially impacting domain-joined devices and user logins. The problem specifically affects DCs running Windows Server 2016 that have the update applied. Microsoft is investigating and will provide a fix in a future release. In the meantime, administrators may need to plan for potential service interruptions and consider applying available workarounds if applicable. This is not a security vulnerability but a functionality bug introduced by the update.

Classification

Other, Medium Severity, Known Issue

Source

Source feed: Bleeping Computer | Original source

Iranian Hackers Deploy MiniFast and MiniJunk V2 via Phishing and SEO Poisoning

info@thehackernews.com (The Hacker News) — Tue, 26 May 2026 07:13:05 GMT

AI Summary

Iranian state-sponsored threat actor Nimbus Manticore (also known as Screening Serpens and UNC1549) is conducting a campaign using phishing emails and SEO poisoning to deploy MiniFast and MiniJunk V2 malware. The lures impersonate organizations in the aviation and software sectors across the US, Europe, and the Middle East. This campaign follows joint US-Israeli military actions against Iran in late February 2026. These malware strains provide persistent access and data exfiltration capabilities. The threat is high due to the actor's state sponsorship and broad targeting. Mitigations include employee awareness training, robust email filtering, browser security controls, and monitoring for unusual outbound traffic.

Why do I care?

This campaign demonstrates continued Iranian cyber aggression targeting critical sectors, with potential for espionage and disruption.

What can I do about it?

Implement advanced email and web filtering, enforce multi-factor authentication, and maintain updated endpoint detection to counter these threats.

Classification

Incident, High Severity, Drive-by Compromise, Spear Phishing

Source

Source feed: The Hacker News | Original source

7-Eleven data breach exposes personal information of 185,000 people

Sergiu Gatlan — Tue, 26 May 2026 07:01:12 GMT

AI Summary

7-Eleven suffered a data breach perpetrated by the ShinyHunters extortion gang, resulting in the theft of personal information belonging to over 183,000 individuals. The exposed data could include names, addresses, and payment card details, putting victims at risk of identity theft and financial fraud. The breach highlights the evolving tactics of extortion groups who target data for ransom. Organizations should prioritize data classification, implement robust access controls, and employ continuous monitoring to detect anomalous activity indicative of a breach.

Why do I care?

This breach demonstrates that even major retail chains are vulnerable to extortion groups, putting customer data at risk and potentially damaging brand reputation.

What can I do about it?

Implement strong access controls, monitor for unusual data access patterns, and regularly test incident response procedures to quickly contain and mitigate such breaches.

Classification

Malware, High Severity, Data Breach, Extortion

Source

Source feed: Bleeping Computer | Original source

Third-Party Cyberattack Impacts Patient Information at The Oncology Institute

Pierluigi Paganini — Tue, 26 May 2026 05:25:00 GMT

AI Summary

The Oncology Institute disclosed a data breach stemming from a third-party software provider, likely Cognizant's TriZetto, which exposed sensitive patient information including names, addresses, Social Security numbers, and health data. The incident, discovered in November 2025 and confirmed in May 2026, affected over 3.4 million patients and may involve other healthcare providers. No ransomware group has claimed responsibility, and the attackers remain unidentified. The breach originated from unauthorized access to a web portal used for insurance eligibility verification. Financial data was not compromised, and no related fraud has been reported. The Oncology Institute and TriZetto have implemented additional security measures. This incident underscores the risk of third-party vulnerabilities in healthcare, demanding robust vendor oversight and continuous monitoring to protect patient data.

Why do I care?

Healthcare data breaches expose highly sensitive personal and medical information, leading to identity theft, regulatory penalties, and loss of patient trust; third-party vendors can be a weak link in your security chain.

What can I do about it?

Conduct thorough security assessments of all third-party vendors, enforce strict data access controls, and implement continuous monitoring for unauthorized activity; also, ensure incident response plans include vendor compromise scenarios.

Classification

Vulnerability, High Severity, Data Breach

Source

Source feed: Security Affairs (Data Breach) | Original source

KnowledgeDeliver LMS Flaw Exploited to Deploy Godzilla and Cobalt Strike

info@thehackernews.com (The Hacker News) — Tue, 26 May 2026 05:19:38 GMT

AI Summary

A high-severity zero-day vulnerability (CVE-2026-5426, CVSS 7.5) in Digital Knowledge KnowledgeDeliver LMS, popular in Japan, was exploited to deploy the Godzilla web shell and subsequently Cobalt Strike Beacon. The flaw stems from hard-coded ASP.NET machine keys, enabling remote code execution. Organizations using this LMS should prioritize patching to prevent full compromise.

Why do I care?

Unpatched vulnerabilities in internal-facing applications like LMS can be leveraged for initial access and deployment of advanced persistent threats.

What can I do about it?

Apply the vendor patch immediately and review machine key rotation practices to prevent similar flaws.

Classification

Vulnerability, High Severity, C2 Framework, Web Shell

Source

Source feed: The Hacker News | Original source

Possible ACR Stealer From Page Impersonating Claude, (Tue, May 26th)

Tue, 26 May 2026 00:01:48 GMT

AI Summary

The article, though lacking detail, indicates the potential emergence of an information stealer called ACR Stealer distributed through a phishing page impersonating Claude. This suggests an ongoing threat where users may be tricked into downloading malware disguised as a legitimate application. Without further information, the true impact and distribution remain unclear, but organizations should be aware of the possibility of credential theft and data exfiltration. The limited content prevents a full assessment, but the mention of a new stealer warrants caution.

Classification

Malware, Medium Severity, Info Stealer

Source

Source feed: SANS Internet Storm Center | Original source

340 Million OnlyFans Profiles Allegedly Rebuilt from Leaks

Pierluigi Paganini — Mon, 25 May 2026 17:10:45 GMT

AI Summary

An unknown threat actor using the alias 'Euphoric_Reply_5727' is selling a dataset claiming to contain records of 340 million OnlyFans users on a cybercrime forum. However, investigation reveals the dataset was not obtained via a direct breach of OnlyFans. Instead, it was assembled by correlating data from previous breaches and public information, including usernames, emails, phone numbers, and account details. While the data appears partially authentic, its value lies in linking online personas to real-world identities. The privacy risk is significant, as this composite data can be used for targeted phishing, impersonation, stalking, and blackmail. This incident highlights a growing trend of threat actors building searchable identity databases from combined leaked and public data. OnlyFans users are advised to be vigilant against phishing attempts and review their privacy settings.

Classification

Other, Medium Severity, Data Aggregation, Identity Theft, Phishing Campaign

Source

Source feed: Security Affairs (Data Breach) | Original source

Anthropic’s restricted Claude Mythos model may be coming to Claude Code

Mayank Parmar — Mon, 25 May 2026 17:07:33 GMT

AI Summary

Anthropic is preparing to roll out the restricted Claude Mythos model to Claude Code, raising concerns about major security risks to both private and public software. The model, announced in April, is intended to be limited but its integration into a developer tool could be exploited by adversaries to generate malicious code, automate attacks, or bypass security controls. The primary impact is an increased threat surface for software supply chains and development environments. Mitigation relies on Anthropic's restrictions and developer vigilance in vetting AI-generated outputs.

Why do I care?

The Mythos model's release in Claude Code could empower adversaries to generate sophisticated malware or automate attacks, directly threatening software integrity and security.

What can I do about it?

Enforce strict review of all AI-generated code, implement behavioral analysis for anomalies, and consider limiting use of such models until risks are fully assessed.

Classification

Vulnerability, High Severity, AI Model Risk

Source

Source feed: Bleeping Computer | Original source

25th May – Threat Intelligence Report

urias — Mon, 25 May 2026 15:08:40 GMT

AI Summary

This week's threat intelligence report covers multiple high-impact incidents. ShinyHunters breached 7-Eleven, stealing over 600,000 Salesforce records. GitHub suffered a breach via a weaponized VS Code extension, exfiltrating 3,800 internal repositories. Grafana Labs also experienced a breach but refused ransom. The FBI warned about Kali365, a phishing kit targeting Microsoft 365 with device-code phishing that bypasses MFA. AI threats include campaigns compromising nine Mexican government agencies and a Russian actor using AI for propaganda and credential theft. Critical vulnerabilities include actively exploited Windows Defender flaws, Trend Micro Apex One directory traversal, and Drupal SQL injection under active mass attack. Threat intelligence reveals Nimbus Manticore (IRGC-linked) using SEO poisoning to deliver MiniFast backdoor, a 124% surge in hacktivism and ransomware in Germany, Austria, and Switzerland, Showboat Linux malware targeting telecoms, and a Laravel supply chain attack. Patching, multi-factor authentication, and monitoring for token theft are critical mitigations.

Why do I care?

Defenders should be concerned about the breadth of attacks including supply chain compromise, AI-driven phishing, and rapid exploitation of critical vulnerabilities, which pose significant risks to organizational security and data integrity.

What can I do about it?

Prioritize patching for Windows Defender, Trend Micro Apex One, and Drupal; implement phishing-resistant MFA; monitor for OAuth token abuse; restrict access to GitHub and CI/CD pipelines; and review AI email filters for injection evasion.

Classification

Vulnerability, High Severity, Data Breach, Exploit, Phishing

Source

Source feed: Check Point Research | Original source

Microsoft Access VBA, (Mon, May 25th)

Mon, 25 May 2026 14:14:58 GMT

AI Summary

This article briefly notes that Microsoft Access files can contain VBA code, which may be used for macro-based attacks. No specific threats, campaigns, or vulnerabilities are mentioned. The information is generic and does not describe any active exploitation or targeted attacks.

Classification

Malware, Low Severity, Malware Delivery

Source

Source feed: SANS Internet Storm Center | Original source

⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos

info@thehackernews.com (The Hacker News) — Mon, 25 May 2026 14:13:27 GMT

AI Summary

This weekly recap highlights a range of current threats, including a malicious development tool used in supply chain attacks, resurgence of old vulnerabilities, zero-days in security products, and increasingly sophisticated phishing campaigns. The impact is broad, affecting organizations that fail to maintain rigorous patching and oversight of third-party tools. Attackers are exploiting neglected systems and leveraging targeted phishing to gain initial access. Mitigation requires comprehensive patch management, heightened awareness of supply chain risks, and deployment of advanced email security measures. Organizations should prioritize auditing legacy systems and enforcing multi-factor authentication to reduce exposure.

Classification

Other, Medium Severity, Phishing, Vulnerability Exploitation

Source

Source feed: The Hacker News | Original source

Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability

Google Threat Intelligence Group — Mon, 25 May 2026 14:00:00 GMT

AI Summary

Mandiant investigated a critical vulnerability (CVE-2026-5426) in KnowledgeDeliver LMS, allowing unauthenticated Remote Code Execution via ViewState deserialization due to hardcoded ASP.NET machine keys. An unknown threat actor exploited this to deploy the BLUEBEAM in-memory web shell, tamper with files, and trick users into downloading a fake installer, leading to Cobalt Strike BEACON backdoor infections. Impact includes full server compromise and potential user infection. Immediate remediation requires rotating machine keys, restricting access, and monitoring for indicators such as Event ID 1316, suspicious process launches from w3wp.exe, and file changes. This incident underscores the severe risk of shared secrets in deployment templates.

Why do I care?

This vulnerability enables unauthenticated remote code execution, allowing attackers to compromise the web server and infect all visitors with malware, resulting in extensive breach of sensitive data and systems.

What can I do about it?

Immediately generate and apply unique cryptographically strong machine keys for each KnowledgeDeliver instance, restrict LMS access to trusted IP ranges, and conduct thorough threat hunting using the provided IOCs and event log patterns.

Classification

Vulnerability, Critical Severity, Backdoor, Remote Code Execution, Web Shell

Source

Source feed: Mandiant Frontline Blog | Original source

2 PhaaS 2 Furious: The Evolution of Chinese-language Phishing Services

Google Threat Intelligence Group — Mon, 25 May 2026 14:00:00 GMT

AI Summary

The article details a rapidly evolving Chinese-language Phishing-as-a-Service (PhaaS) ecosystem leveraging AI automation and encrypted delivery channels (RCS, iMessage) to bypass carrier filters. Operators utilize real-time interception panels to capture credentials and OTPs, bypassing MFA instantly. Monetization has shifted toward digital wallet provisioning and tokenization, enabling direct unauthorized financial control beyond traditional account takeovers. Platforms like Darcula and YY Lai Yu lower the technical barrier for global affiliates, targeting lucrative international markets with highly localized, AI-generated lures. Mitigation requires moving beyond basic user awareness toward robust technical controls. Organizations should prioritize adopting FIDO2/WebAuthn security keys to neutralize real-time OTP interception, alongside implementing risk-based authentication and device fingerprinting during financial provisioning to render stolen credentials unusable.

Why do I care?

High-severity PhaaS platforms now bypass MFA in real-time and tokenize stolen cards for direct financial theft, lowering the barrier for global affiliates and rapidly escalating losses.

What can I do about it?

Deploy FIDO2/WebAuthn hardware keys to neutralize OTP interception, and enforce risk-based verification with device fingerprinting during digital wallet provisioning to block credential weaponization.

Classification

Incident, High Severity, Credential Harvesting, Financial Fraud, MFA Bypass

Source

Source feed: Mandiant Frontline Blog | Original source

Ghost CMS Vulnerability Exploited to Hack Over 700 Websites

Eduard Kovacs — Mon, 25 May 2026 13:27:12 GMT

AI Summary

An unidentified Ghost CMS vulnerability was exploited to compromise over 700 websites, including those of major universities like Harvard and Oxford, as well as DuckDuckGo. The attack leveraged a public-facing application vulnerability to gain unauthorized access, potentially resulting in defacement or data theft. The widespread impact underscores the critical need for prompt patching of content management systems. While details on the specific attack vector remain limited, organizations using Ghost CMS should prioritize updates and implement web application firewall rules to mitigate exploitation risk.

Why do I care?

A critical vulnerability in Ghost CMS is actively being exploited, leading to compromise of high-profile websites; defenders must act quickly to prevent their sites from being hacked.

What can I do about it?

Immediately patch Ghost CMS to the latest version, review server logs for signs of exploitation, and enable Web Application Firewall (WAF) rules to block common exploit patterns.

Classification

Vulnerability, High Severity, Exploit

Source

Source feed: SecurityWeek | Original source

TeamPCP Supply Chain Campaign: Activity Through 2026-05-24, (Mon, May 25th)

Mon, 25 May 2026 13:26:06 GMT

AI Summary

TeamPCP is conducting a sophisticated supply chain campaign across three package ecosystems, including GitHub and Microsoft. They have trojanized a Microsoft-published Python SDK, compromised GitHub's internal codebase, and open-sourced their own framework. This widespread campaign puts downstream users at significant risk of compromise. Immediate verification of package integrity and monitoring for anomalous behavior is recommended.

Why do I care?

This campaign demonstrates sophisticated supply chain compromise targeting multiple ecosystems, including Microsoft and GitHub, putting downstream users at risk.

What can I do about it?

Verify the integrity of third-party packages, monitor for anomalous behavior, and restrict use of untrusted repositories.

Classification

Malware, Critical Severity, Supply Chain Attack, Trojanized Software

Source

Source feed: SANS Internet Storm Center | Original source

TeamPCP Supply Chain Campaign: Activity Through 2026-05-24, (Mon, May 25th)

Mon, 25 May 2026 13:25:47 GMT

AI Summary

TeamPCP supply chain campaign operates across three package ecosystems, compromising GitHub's internal codebase and trojanizing a Microsoft-published Python SDK. The group has also open-sourced its attack framework. This campaign poses a critical threat to software supply chain integrity, impacting major tech platforms. Immediate review of dependencies and enhanced supply chain security measures are recommended.

Why do I care?

Supply chain attacks can undermine trust in widely used software, as seen with TeamPCP compromising GitHub internal and Microsoft SDKs, potentially affecting downstream users.

What can I do about it?

Implement strict package integrity verification, monitor for unauthorized changes, and use software composition analysis to detect trojanized components.

Classification

Malware, Critical Severity, Supply Chain Attack, Trojanized Software

Source

Source feed: SANS Internet Storm Center | Original source

Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks

BrianKrebs — Mon, 25 May 2026 13:21:49 GMT

AI Summary

Dutch authorities arrested Andrey Nesterenko and Youssef Zinad, co-owners of hosting companies MIRhosting and WorkTitans BV, for providing IT infrastructure to Russian state-backed cyber operations. Their services supported large-scale DDoS attacks, influence campaigns, and disinformation targeting EU entities, including a municipal election in Denmark. The arrests followed EU sanctions against Stark Industries Solutions, a key staging ground for Russian cyberattacks. Investigators seized over 800 servers, laptops, and phones, disrupting a critical resource for Russian hybrid warfare. The case highlights how seemingly legitimate hosting providers can enable state-sponsored aggression, emphasizing the need for robust sanctions enforcement and vigilance against enabling infrastructure.

Why do I care?

These hosting providers directly enabled Russian cyberattacks and influence operations against EU targets, including government networks and elections, creating significant risk for public and private sector organizations.

What can I do about it?

Review network logs for connections to known malicious infrastructure, enforce strict vendor risk assessments for hosting providers, and participate in threat intelligence sharing to identify and block enabling services.

Classification

Incident, High Severity, DDoS, Disinformation, Influence Operations

Source

Source feed: Krebs on Security | Original source

FBI warns of Kali365 phishing service targeting Microsoft 365 accounts

Lawrence Abrams — Mon, 25 May 2026 12:45:54 GMT

AI Summary

The FBI has issued a warning regarding Kali365, a phishing-as-a-service (PhaaS) platform actively targeting Microsoft 365 environments. This service exploits OAuth device code authentication flows to silently harvest session tokens, effectively circumventing multi-factor authentication (MFA) protections. Successful exploitation allows adversaries to hijack corporate accounts, gain unauthorized access to sensitive data, and facilitate further lateral movement or ransomware deployment. The primary impact includes widespread credential compromise and potential data exfiltration across organizations relying on Microsoft 365. To mitigate this threat, defenders must prioritize monitoring OAuth application consent grants, enforce Conditional Access policies restricting device code authentication, and implement continuous token validation. Regular security awareness training should also emphasize phishing recognition to reduce initial user compromise.

Why do I care?

The Kali365 PhaaS platform actively bypasses MFA by stealing OAuth session tokens, posing a critical risk of account hijacking and data exfiltration across Microsoft 365 environments.

What can I do about it?

Enforce Conditional Access policies to block or restrict device code authentication, monitor OAuth consent grants for suspicious applications, and implement continuous token validation to detect and invalidate compromised sessions.

Classification

Incident, High Severity, Account Hijacking, MFA Bypass, Phishing

Source

Source feed: Bleeping Computer | Original source

Oncology Institute Discloses Third-Party Data Breach

Eduard Kovacs — Mon, 25 May 2026 12:17:02 GMT

AI Summary

The Oncology Institute disclosed a data breach caused by a third-party vendor, which has not been explicitly named but is potentially TriZetto. The brief announcement provides no details on the extent of the breach, types of data exposed, or impact on patients. This incident underscores the risks associated with third-party access to sensitive healthcare data. Organizations should review vendor security practices and ensure robust monitoring.

Classification

Other, Medium Severity, Data Breach

Source

Source feed: SecurityWeek | Original source

Drupal Core SQL injection Vulnerability Added to CISA KEV (CVE-2026-9082)

Diksha Ojha — Mon, 25 May 2026 12:06:39 GMT

AI Summary

A critical SQL injection vulnerability (CVE-2026-9082) in Drupal Core has been added to CISA's Known Exploited Vulnerabilities catalog. This flaw affects sites using PostgreSQL databases and can be exploited by anonymous users, potentially leading to privilege escalation and remote code execution. Drupal reported active exploitation in the wild. Affected versions include Drupal 8.9 through 11.3.x. CISA has set a patching deadline of May 27, 2026. Organizations running Drupal with PostgreSQL should immediately upgrade to the latest patched versions (e.g., 11.3.10, 10.6.9) or apply manual patches for unsupported branches. Qualys QID 734308 is available for detection.

Why do I care?

This vulnerability is actively exploited in the wild and can allow unauthenticated attackers to achieve remote code execution, potentially leading to full server compromise without any user interaction.

What can I do about it?

Immediately apply the patched Drupal versions (11.3.10, 11.2.12, 11.1.10, 10.6.9, 10.5.10, 10.4.10) or manual patches for Drupal 9.5 and 8.9. For PostgreSQL deployments, prioritize this patch as the highest urgency.

Classification

Vulnerability, Critical Severity, Privilege Escalation, Remote Code Execution, SQL Injection

Source

Source feed: Qualys ThreatPROTECT | Original source

Ghost CMS CVE-2026-26980 Exploited to Hijack 700+ Sites for ClickFix Attacks

info@thehackernews.com (The Hacker News) — Mon, 25 May 2026 12:02:46 GMT

AI Summary

Threat actors are actively exploiting a critical SQL injection vulnerability (CVE-2026-26980, CVSS 9.4) in Ghost CMS to inject malicious JavaScript and launch ClickFix attacks. According to QiAnXin XLab, over 700 websites have been compromised. The vulnerability allows unauthenticated attackers to read arbitrary data from the Content API and inject scripts. Organizations using Ghost CMS should prioritize patching to prevent site hijacking and data theft.

Why do I care?

This vulnerability allows unauthenticated attackers to inject malicious scripts into Ghost CMS sites, leading to widespread compromise and potential data breaches.

What can I do about it?

Immediately apply the security patch for CVE-2026-26980 and ensure Ghost CMS is updated to the latest version. Monitor for signs of JavaScript injection or unauthorized access.

Classification

Vulnerability, Critical Severity, SQL Injection, Website Hijacking

Source

Source feed: The Hacker News | Original source

The Alert Firehose Finally Meets Its Match

info@thehackernews.com (The Hacker News) — Mon, 25 May 2026 11:30:00 GMT

AI Summary

The article discusses how Network Detection and Response (NDR) systems enhanced with agentic AI are overcoming historical criticisms of being noisy and generating too much data. Teams using such AI-powered NDR report improved threat detection, faster triage, and fewer false positives. The piece highlights the evolution of NDR and the role of AI in making network security more efficient.

Classification

Other, Low Severity

Source

Source feed: The Hacker News | Original source

266,000 Affected by Data Breach at Radiology Associates of Richmond

Ionut Arghire — Mon, 25 May 2026 11:17:07 GMT

AI Summary

Radiology Associates of Richmond suffered a data breach affecting 266,000 individuals, with threat actors stealing names and protected health information from their systems. The incident underscores the persistent risk to healthcare organizations handling sensitive personal data. Immediate steps include notifying affected individuals, offering credit monitoring, and reviewing access controls to prevent future breaches.

Classification

Vulnerability, High Severity, Data Breach

Source

Source feed: SecurityWeek | Original source

Anthropic: Mythos Detected 23,000 Potential Vulnerabilities Across 1,000 OSS Projects

Eduard Kovacs — Mon, 25 May 2026 10:58:07 GMT

AI Summary

Anthropic's Mythos tool detected 23,000 potential vulnerabilities across 1,000 open source projects, with many confirmed as critical or high-severity. This large-scale discovery indicates a significant security challenge for organizations using OSS components, as these vulnerabilities can be easily exploited if left unpatched. The expected increase in findings underscores the need for continuous vulnerability scanning and proactive patch management to reduce attack surface. The report serves as a reminder of the importance of securing the open source supply chain.

Why do I care?

The vulnerabilities discovered by Mythos directly impact the security posture of any organization using the affected open source components, potentially allowing attackers to gain initial access or execute code.

What can I do about it?

Conduct immediate inventory of OSS dependencies, apply patches for verified critical vulnerabilities, and implement automated scanning tools in the CI/CD pipeline to catch future flaws.

Classification

Vulnerability, High Severity, Vulnerability Discovery

Source

Source feed: SecurityWeek | Original source

Laravel-Lang Packages Poisoned for Malware Delivery

Ionut Arghire — Mon, 25 May 2026 10:41:07 GMT

AI Summary

In a targeted supply chain attack, malicious tags were published within a 15-minute window to the Laravel-Lang packages. These tags introduced backdoors designed to exfiltrate CI secrets. The incident highlights the continued risk of repository compromise and the need for robust supply chain security measures. Users should verify package integrity and monitor for unusual updates.

Why do I care?

This attack demonstrates how seemingly legitimate package updates can be weaponized to steal CI secrets, compromising downstream systems.

What can I do about it?

Implement strict package version pinning, verify digital signatures, and monitor for unexpected package releases or tags.

Classification

Malware, High Severity, Supply Chain Attack

Source

Source feed: SecurityWeek | Original source

DocketWise Data Breach Impacts 143,000

Ionut Arghire — Mon, 25 May 2026 09:37:27 GMT

AI Summary

A data breach at DocketWise exposed personal information of 143,000 individuals, including names, addresses, Social Security numbers, financial details, and medical data. The attackers accessed third-party partner repositories, indicating supply chain risk. The breach highlights the severe impact of compromised third-party services. Affected individuals face risks of identity theft and financial fraud. Organizations should review third-party security postures, implement strict access controls, and continuously monitor partner integrations. Incident response should include notifying affected parties, offering credit monitoring, and enhancing data encryption protocols to mitigate future risks.

Why do I care?

This breach demonstrates that attackers can leverage third-party access to steal sensitive data, affecting not only the primary organization but also its customers and partners.

What can I do about it?

Conduct thorough security assessments of all third-party partners, enforce least privilege access, and implement continuous monitoring of third-party connections for unusual activity.

Classification

Incident, High Severity, Data Breach

Source

Source feed: SecurityWeek | Original source