In yet another software supply chain attack, threat actors have managed to compromise the popular Python package Lightning to push two malicious versions to conduct credential theft. According to Aikido Security, Socket, and StepSecurity, the two malicious versions are versions 2.6.2 and 2.6.3, both of which were published on April 30, 2026. The campaign is assessed to be an extension of the
Cybersecurity News and Vulnerability Aggregator
Cybersecurity news aggregator
Updated: 5:41 pm
J/K Navigate / Search S Save V Open Link
— or
treemd <(curl -sL https://allsec.sh/md) (as Markdown) Top Cybersecurity Stories Today
An exploit has been published for a local privilege escalation vulnerability dubbed "Copy Fail" that impacts Linux kernels released since 2017, allowing an unprivileged local attacker to gain root permissions. [...]
The critical CVE-2026-41940 authentication bypass vulnerability in cPanel, WHM, and WP Squared is being actively exploited in the wild and has been leveraged in attempts since late February. [...]
The Internet Is Falling Down, Falling Down, Falling Down (cPanel & WHM Authentication Bypass CVE-2026-41940)
Hello! Yes, it's all a disaster again! Let's get this party started:
A joint international operation involving U.S. and Chinese authorities arrested at least 276 suspects and shut down nine cryptocurrency investment fraud centers. [...]
Latest
Thursday, April 30
OpenAI is rolling out Advanced Account Security for people concerned that their ChatGPT or Codex accounts could be potential targets of phishing attacks.
This CVSS 10.0 RCE vuln has been patched, automatically for some, so better check those workflows If you use Gemini CLI, watch out: Google has patched a CVSS 10.0 vulnerability in its command-line AI tool and is warning anyone running it in headless mode, or through GitHub Actions, to review their workflows.…
to recover your files, kindly send 0.1 BTC to bc1q9nh4revv6yqhj2gc5usncrpsfnh7ypwr9h0sp2 and tweet ty15b6TOTuBuzUhfypJeagHl4e2sAs26, then we will help u <3 This is the message that our website got replaced with. We are also locked out of cPanel and, most importantly our emails. Its quite a serious situation A basic search allowed me to find multiple websites with this exact message, even the same values. So its definitely not targeted at us only. Here is an example website (not us) that appears on google search with this message: [https://www.kingjamesbibleonline.org/](https://www.kingjamesbibleonline.org/) Does anyone have ANY insight into how this might have happened? What is the vulnerability that was exploited on so many website? I would really appreciate any help on direction on how this might have happened, and what the best approach is moving forward.
Two computer crime allegations follow up to 18M lines of data surfacing online French prosecutors say police detained a 15-year-old on April 25 over the alleged theft of millions of records from France Titres (ANTS), the agency handling secure documents.…
The U.S. Federal Bureau of Investigation (FBI) warned the transportation and logistics industry of a sharp rise in cyber-enabled cargo theft, with estimated losses in the United States and Canada reaching nearly $725 million in 2025. [...]
In yet another software supply chain attack, threat actors have managed to compromise the popular Python package Lightning to push two malicious versions to conduct credential theft. According to Aikido Security, Socket, and StepSecurity, the two malicious versions are versions 2.6.2 and 2.6.3, both of which were published on April 30, 2026. The campaign is assessed to be an extension of the
Hey everyone, Full breakdown and logic here: [https://medium.com/@osamamamoussa/real-time-data-protection-building-a-python-powered-active-response-dlp-suite-109a991f113f?postPublishedType=repub](https://medium.com/@osamamamoussa/real-time-data-protection-building-a-python-powered-active-response-dlp-suite-109a991f113f?postPublishedType=repub) I built a custom **Active Response Suite** in Python to enhance standard DLP auditing. **Main Logic:** 1. **File Audit:** Instant detection of PII using **Regex + Luhn’s Algorithm**. 2. **Network Filter:** Hard-blocks exfiltration to unauthorized IPs; auto-encrypts traffic to whitelisted destinations. 3. **USB Protection:** Scans and encrypts sensitive files on removable media upon mounting.
The April 2026 KB5083769 security update breaks third-party backup applications from multiple vendors on systems running Windows 11 24H2 and 25H2. [...]
Long story short - RHEL based distros has algif\_aaed module built-in, so you can't just disable it. We made a [workaround](https://github.com/wgnet/wg.copyfail.patch) - eBPF programs that filter (or kill) programs when they try to create AF\_ALG sockets (except for root). Tested in internally and put to opensource today. Feel free to use, I believe it helps.
Free CAN bus reverse engineering workstation - offline ML, dual AI engines, UDS security access, MitM gateway, 15 tabs
A Brazilian tech firm that specializes in protecting networks from distributed denial-of-service (DDoS) attacks has been enabling a botnet responsible for an extended campaign of massive DDoS attacks against other network operators in Brazil, KrebsOnSecurity has learned. The firm’s chief executive says the malicious activity resulted from a security breach and was likely the work of a competitor trying to tarnish his company’s public image. An Archer AX21 router from TP-Link. Image: tp-link.com. For the past several years, security experts have tracked a series of massive DDoS attacks originating from Brazil and solely targeting Brazilian ISPs. Until recently, it was less than clear who or what was behind these digital sieges. That changed earlier this month when a trusted source who asked to remain anonymous shared a curious file archive that was exposed in an open directory online. The exposed archive contained several Portuguese-language malicious programs written in Python. It also included the private SSH authentication keys belonging to the CEO of Huge Networks , a Brazilian ISP that primarily offers DDoS protection to other Brazilian network operators. Founded in Miami, Fla. in 2014, Huge Networks’s operations are centered in Brazil. The company originated from protecting game servers against DDoS attacks and evolved into an ISP-focused DDoS mitigation provider. It does not appear in any public abuse complaints and is not associated with any known
Hey r/cybersecurity 👋 We're [Flare.io](http://Flare.io) and we’re excited to host an AMA with myself (Eric), Olivier u/obilodeau (Principal Cybersecurity Researcher), Tammy \[u/CTIQueen\] (Senior Threat Intelligence Researcher), and Estelle u/Puzzleheaded_End4024 (Threat Intelligence Researcher). What we've been working on: • DPRK IT workers: We published research earlier this year on North Korean IT workers infiltrating Western companies. • Infostealers: We've published extensive research on how infostealer logs fuel the cybercrime economy, from Telegram markets to credential stuffing pipelines to initial access brokerage. Including our 2026 State of Enterprise Infostealer Identity Exposure report. • Flare academy: Free trainings for practitioners and students on topics like identity security, ransomware, and cybercrime, and the Flare Academy Discord community. We're happy to talk about: • Cybercrime ecosystems: infostealers, initial access brokers, Telegram markets, dark web forums • Career advice: breaking in, moving up, specializing, or pivoting within cybersecurity • Research methodology: how we scope, conduct, and publish cybercrime research • And more!
When a new asset goes live, attackers start scanning within minutes. Sprocket Security shows how automated attacks move from discovery to compromise in under 24 hours. [...]
While more than two-thirds of human-generated TLS traffic to Cloudflare is already protected by post-quantum cryptography, the world of site-to-site networking has been a different story. For years, the IPsec community remained caught between the high bar of Internet-scale interoperability and the niche requirements of specialized hardware. That gap is now closing. Earlier this month, we announced that Cloudflare has moved its target for full post-quantum security forward to 2029 , spurred by several recent advances in quantum computing. To advance that goal, we’ve made post-quantum encryption in Cloudflare IPsec generally available. Using the new IETF draft for hybrid ML-KEM ( FIPS 203 ), we’ve successfully tested interoperability with branch connectors from Fortinet and Cisco — meaning you can start protecting your wide-area network (WAN) against harvest-now-decrypt-later attacks today using hardware you already have. This post explains how we implemented the new hybrid IPsec handshake, why it took four years longer to land than its TLS counterpart, and how the industry is finally consolidating around a standard that works at Internet scale. Cloudflare IPsec Cloudflare IPsec is a WAN Network-as-a-Service that replaces leg
The internet is noisy this week. We are seeing some wild new tactics, like people using fake cell towers to send scam texts, while some developers are accidentally downloading tools that peek into their private files during a simple install. It is definitely a busy time to be online. Security is always a moving target. Millions of servers are currently sitting online without any passwords, and
An exploit has been published for a local privilege escalation vulnerability dubbed "Copy Fail" that impacts Linux kernels released since 2017, allowing an unprivileged local attacker to gain root permissions. [...]
Coding agents are great at building software. But to deploy to production they need three things from the cloud they want to host their app — an account, a way to pay, and an API token. Until now these have been tasks that humans handle directly. Increasingly, agents handle them on the user’s behalf. The agent needs to perform all the tasks a human customer can. They’re given higher-order problems to solve and choose to use Cloudflare and call Cloudflare APIs. Starting today, agents can provision Cloudflare on behalf of their users. They can create a Cloudflare account, start a paid subscription, register a domain, and get back an API token to deploy code right away. Humans can be in the loop to grant permission and must accept Cloudflare's terms of service, but no human steps are otherwise required from start to finish. There’s no need to go to the dashboard, copy and paste API tokens, or enter credit card details. Without any extra setup, agents have everything they need to deploy a new production application in one shot. And with Cloudflare’s Code Mode MCP server and Agent Skills , they’re even better at it. This all works via a new protocol that we’ve co-designed with Stripe as part of the launch of Stripe Projects . We’re excited to launch this new partnership with Stripe, and also to offer $100,000 in Cloudflare credits to all new startups who incorporate using Stripe Atlas . But this new protocol also makes it possible for any platform with signed-in users to integrate with Cloudflare in the same way Stripe does, with zero friction for the end user. How it works: zero to production without any setup or manual steps
Hi all, I’m Chris from the articles below. I made this Reddit account just to post here. About two years ago we saw a pretty significant brute force campaign against VPN appliances, which is covered in those links. One thing that always stood out to us, and that we never really had a good answer for, was that all of the attacking IPs were coming from legitimate cPanel instances. There were over 1,000 of them. I don’t have any evidence tying this to a specific vulnerability, and I don’t have the full dataset from back then anymore, but I do still have 282 of the attacking IPs/hosts if that’s useful to anyone. It never sat right that 100 percent of the attacking IPs were coming from cPanel hosts. Take it for what it’s worth. Maybe someone with more insight or access can connect the dots. Just figured I’d share. [https://annoyed.engineer/2024/03/23/the-brutus-botnet/](https://annoyed.engineer/2024/03/23/the-brutus-botnet/) [https://www.bleepingcomputer.com/news/security/cisco-warns-of-password-spraying-attacks-targeting-vpn-services/](https://www.bleepingcomputer.com/news/security/cisco-warns-of-password-spraying-attacks-targeting-vpn-services/)
The critical CVE-2026-41940 authentication bypass vulnerability in cPanel, WHM, and WP Squared is being actively exploited in the wild and has been leveraged in attempts since late February. [...]
Turns out the real problem is not AI but staff still clicking on dodgy emails from 'IT support' Nearly half of UK businesses are still getting breached, and in many cases, the attacker's big breakthrough is an employee clicking "sure, why not" on a fake login page.…
Intro A sophisticated, high-resilience malicious campaign was identified by Atos Threat Research Center (TRC) in March 2026. This operation specifically targets the high-privilege professional accounts of enterprise administrators, DevOps engineers, and security analysts by impersonating administrative utilities they rely on for daily operations. By integrating Search Engine Order (SEO)
A joint international operation involving U.S. and Chinese authorities arrested at least 276 suspects and shut down nine cryptocurrency investment fraud centers. [...]
What type of 'C2 on a sleep cycle' do they leave behind? Novel Chinese spy group found in critical networks in Poland, Asia
Just in time for the Trump-Xi summit Exclusive A novel China-linked threat group infiltrated more than a dozen critical networks in Poland, Asian countries, and possibly beyond, beginning in December 2024 and with activity uncovered as recently as this month.…
Spyware appears to have captured everything from intimate photos to private messages from the smartphone of European celebrity. They were publicly accessible until a researcher flagged the exposure.
Investigation finds no single cause for soldiers falling ill, just bad bolts, cold air, and apparently the soldiers themselves Britain's notorious Ajax armored vehicles are being accepted back from the manufacturer after investigations found no single cause for the symptoms plaguing crews, meaning soldiers will need to grin and bear it.…
Great idea, guys. Let's keep all of the data in an Excel file with weak password protection PWNED Welcome, once again, to PWNED, the weekly column where we recount the adventures of IT explorers who found their own pile of quicksand and then jumped right into it. This week's story involves keeping sensitive information in a very vulnerable place and then not protecting it adequately.…
Google has addressed a maximum severity security flaw in Gemini CLI -- the "@google/gemini-cli" npm package and the "google-github-actions/run-gemini-cli" GitHub Actions workflow -- that could have allowed attackers to execute arbitrary commands on host systems. "The vulnerability allowed an unprivileged external attacker to force their own malicious content to load as Gemini configuration,"
Wednesday, April 29
The Quick Page/Post Redirect plugin, installed on more than 70,000 WordPress sites, had a backdoor added five years ago that allows injecting arbitrary code into users' sites. [...]
What Mythos Means for Penetration Testing as a Service When Anthropic announced the Claude Mythos Preview, the reaction from the security community was immediate. We’re not talking about the next best model. This model is such a leap forward and so capable at finding and exploiting vulnerabilities that Anthropic deemed it too dangerous to release […] The post What GigaOm and Synack Got Right About AI Pentesting appeared first on Synack .
ORNL says portable detector kit can separate real GPS signals from fake ones even at equal strength GPS spoofing, which sends fake satellite-like signals, and GPS jamming, which drowns receivers in noise, are increasingly serious problems. Researchers at Oak Ridge National Laboratory in Tennessee have created what they say is the most effective system yet for detecting GPS interference, which could help blunt such attacks.…
Microsoft's patch for a 0-day exploited by Russian spies fell short. Another Windows flaw is under attack
Second try's a charm? Microsoft and the US Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are exploiting a zero-click Windows flaw that can expose sensitive information on vulnerable systems.…
Microsoft readies the axe once again for yesterday's security Microsoft has warned users still clinging to legacy TLS versions that the end is nigh for TLS 1.0 and 1.1 on POP3 and IMAP4 connections to Exchange Online.…
The Ukrainian police have arrested three individuals who hacked more than 610,000 Roblox gaming accounts and sold them for a profit of $225,000. [...]
An exposed staging server in the Netherlands with no authentication required left the operator's full toolkit publicly accessible. Two ELF binaries, infection payloads, SOCKS5 credentials, and a target list, enough to fully reconstruct a commercial DDoS-for-hire operation. Key findings: * Mirai-derived botnet sold as a tiered DDoS-for-hire service, game servers and Minecraft hosts as primary attack targets * ADB on TCP/5555 as the infection vector, over 4M hosts observed with that port open in the past 180 days, any running ADB is a potential recruit into the botnet * 21 flood variants including RakNet and OpenVPN-shaped UDP to bypass common filters * ChaCha20 string encryption broken via known-plaintext due to weak key material and full nonce reuse across all 16 decryption calls * Full operation inside a single bulletproof /24, Offshore LC, Netherlands, covering C2, staging, distribution, and co-located Monero cryptojacking infrastructure Full IOC set, MITRE ATT&CK mapping, and HuntSQL queries in the report. [hunt.io/blog/xlabs-v1-ddos-for-hire-operation-exposed](http://hunt.io/blog/xlabs-v1-ddos-for-hire-operation-exposed)
The Internet Is Falling Down, Falling Down, Falling Down (cPanel & WHM Authentication Bypass CVE-2026-41940)
Hello! Yes, it's all a disaster again! Let's get this party started:
As we commonly know in appsec, not every vulnerability, even if critical 10 is relevant. This is a take from my buddy Brian Vermeer at Snyk, he's a Java Champion and offers his opinion as a developer to the Thymeleaf vulnerability [CVE-2026-40478](https://security.snyk.io/vuln/SNYK-JAVA-ORGTHYMELEAF-16078379)
GrassMarlin leaks sensitive information, provided your targeting phishing skills are sharp enough The Cybersecurity and Infrastructure Security Agency (CISA) is warning anyone who uses GrassMarlin, a tool developed by the National Security Agency (NSA), about a new vulnerability that attackers can use to snoop on sensitive information.…
Cybersecurity researchers have discovered malicious code in an npm package after a malicious package as a dependency to the project by Anthropic's Claude Opus large language model (LLM). The package in question is "@validate-sdk/v2," which is listed on npm as a utility software development kit (SDK) for hashing, validation, encoding/decoding, and secure random generation. However, its real
A newly analyzed Go-based macOS remote access trojan (RAT), internally named Minirat, has surfaced in the wild using anti-VM checks, LaunchAgent persistence, and AES-encrypted command and control (C2) configuration to maintain stealthy, long-term access on victim endpoints. According to [SafeDep](https://safedep.io/malicious-velora-dex-sdk-npm-compromised-rat/), the initial infection vector was a malicious npm package (velora-dex-sdk) that dropped the Go-based macOS RAT onto developer endpoints.
A single third-party OAuth integration can become a direct path into your environment. Push explains how the Vercel breach shows a compromised OAuth app can lead to widespread impact across downstream customers. [...]
GitHub: Zounds, a genuinely helpful AI-assisted bug report that isn't total slop! Here, Wiz, take this wad of cash
Claude ploughs through months of work in rapid time, helps Wiz researchers nab lucrative award Wiz researchers are set for a tidy payday thanks to their discovery of a high-severity flaw in GitHub's git infrastructure that handed remote attackers full read/write access to private GitHub repositories using a single command.…
'Online platforms can rely on our app,' says Commish, 'there are no more excuses' The European Commission has recommended EU member states adopt an age verification app designed to protect children from harmful online content.…
Every security team has a version of the same story. The quarter ends with hundreds of vulnerabilities closed. The dashboards are bursting with green. Then someone in a leadership meeting asks: "So, are we actually safer now?" Crickets. The room goes quiet because an honest answer requires context – which is something that patch counts and CVSS scores were never designed to provide. Exposure
LibAFL is all the rage in the fuzzing community these days, especially with LLVM’s libFuzzer being placed in maintenance mode . Written in Rust, LibAFL claims improved performance, modularity, state-of-the-art fuzzing techniques, and libFuzzer compatibility . For these reasons, I set out to add LibAFL support to Ruzzy , our coverage-guided fuzzer for pure Ruby code and Ruby C extensions. This gives Ruby developers and security researchers access to a more advanced and actively maintained fuzzing engine without changing how they write their fuzzing harnesses. Ruzzy was originally built on top of LLVM’s libFuzzer, so using LibAFL’s compatibility layer should be easy enough. However, digging around in the internals of complex systems is never quite as simple as it seems. In this post, I will investigate some of the deep plumbing inside these fuzzing engines, take a detour into executable and linkable format (ELF) files, and ultimately add LibAFL support to Ruzzy. Building with libafl_libfuzzer Ruzzy currently supports Linux, so I use a Dockerfile for development and for production fuzzing campaigns. To that end, using a similar Dockerfile for LibAFL support is the simplest integration point. LibAFL provides excellent documentation a
32 phone calls, 17 email chains, a 5-day ordeal, and no help during the daddy of all stuffups, claim those affected GoDaddy is currently investigating claims that it handed complete control of a valid 27-year-old domain to another customer, without requiring them to pass any authentication processes or upload any supporting documents.…
Yet another reason not to feast on OpenClaw Thirty ClawHub skills published by a single author are silently co-opting AI agents and creating a mass cryptocurrency mining swarm – without any malware or user consent.…
In yet another instance of threat actors quickly jumping on the exploitation bandwagon, a newly disclosed critical security flaw in BerriAI's LiteLLM Python package has come under active exploitation in the wild within 36 hours of the bug becoming public knowledge. The vulnerability, tracked as CVE-2026-42208 (CVSS score: 9.3), is an SQL injection that could be exploited to modify the underlying
Today, we're launching Project Swarm — a research initiative that opens the GreyNoise deception platform to the global security community. Project Swarm transforms GreyNoise from a proprietary sensor network into a collective intelligence platform.
Tuesday, April 28
CREST Helps Raise the Bar for the Researchers Behind Your Pentest When a cybersecurity company tells you its testers are vetted, what does that actually mean? Most of the time, it means the company ran its own screening, trusted its own judgment, and hoped you’d trust it too. That works, right up until the pentest […] The post What CREST Means for Your Next Synack Engagement appeared first on Synack .
Attackers are exploiting a security gap in U.S. businesses. Fake Microsoft, Adobe, and OneDrive pages deliver RMM software instead of payloads, giving attackers direct access to the environment. Because these tools are widely used across enterprises, attackers can establish access before activity is flagged as malicious. Combined with trusted or compromised infrastructure, this delays detection and increases attacker dwell time. The analysis session showing how attackers gain remote access through a fake Microsoft Store page delivering an RMM installer disguised as Adobe software: [https://app.any.run/tasks/e072ae4e-214c-4039-957d-7c0cbe682da8/](https://app.any.run/tasks/e072ae4e-214c-4039-957d-7c0cbe682da8/) Full article: [https://any.run/cybersecurity-blog/rmm-blind-spot-for-cisos/](https://any.run/cybersecurity-blog/rmm-blind-spot-for-cisos/) https://preview.redd.it/8p0wbleb7zxg1.png?width=2048&format=png&auto=webp&s=a58037806908430aa3ccc65908a072e00089e443
'Full recovery is impossible for anyone, including the attacker' Organizations hit by the wave of Trivy and LiteLLM supply-chain compromises that paid Vect in hopes of recovering their data likely did not get much back, according to Check Point Research. That's because the ransomware Vect uses isn't actually ransomware at all, but a wiper that destroys any file larger than 128KB.…
Cybersecurity researchers have disclosed details of a critical security vulnerability impacting GitHub.com and GitHub Enterprise Server that could allow an authenticated user to obtain remote code execution with a single "git push" command. The flaw, tracked as CVE-2026-3854 (CVSS score: 8.7), is a case of command injection that could allow an attacker with push access to a repository to achieve
The war in Iran has drawn attention to arrests in the United Arab Emirates over online content, but the legal framework behind that enforcement has existed for years.
A cybercrime group of Brazilian origin has resurfaced after more than three years to orchestrate a campaign that targets Minecraft players with a new stealer called LofyStealer (aka GrabBot). "The malware disguises itself as a Minecraft hack called 'Slinky,'" Brazil-based cybersecurity company ZenoX said in a technical report. "It uses the official game icon to induce voluntary execution,
ByteToBreach have breached Ikeja Electric, encrypting 50+ hosts, disrupting systems, and taking multiple subdomains offline. The actor also have stolen customer, employee, and business databases, source code, Active Directory data with offline cracked passwords, and impacted metering platforms linked to several vendors. Threat actor: ByteToBreach Sector: Energy / Utilities Data type: Customer records, employee data, business databases, source code, Active Directory credentials Observed: Apr 28, 2026 Sources: [https://x.com/H4ckmanac/status/2049126582694875608](https://x.com/H4ckmanac/status/2049126582694875608) [https://x.com/CyhawkAfrica/status/2049109369522934179](https://x.com/CyhawkAfrica/status/2049109369522934179) [https://darkforums.su/Thread-NG-Ikeja-Electric-Databases-Ransomware](https://darkforums.su/Thread-NG-Ikeja-Electric-Databases-Ransomware) https://preview.redd.it/5wua149b7yxg1.png?width=2503&format=png&auto=webp&s=133a682cd6ee178877db97f9cb59f7c60d3d8cc8
Names, phone numbers, physical addresses also included in Shiny Hunters alleged data dump Updated Logistics technology company Pitney Bowes, which makes franking machines for US postage, is the latest scalp claimed by ShinyHunters and its ongoing spree of pay-or-leak attacks against major organizations.…
**Summary:** I’m disclosing a full-chain CVSS 10.0 RCE affecting Microsoft Semantic Kernel (.NET v1.74) and the new Agent Framework 1.0. **The Timeline & Conflict:** \> \* **March 24:** Initial disclosure sent to MSRC with PoC. * **April 8:** MSRC closed the case as "Developer Error / Configuration Issue." * **The Reality:** Despite the rejection, Microsoft silently merged mitigations in PRs #13683 and #13702 without assigning a CVE. This results in a "False Green" for enterprise SCA tools (Snyk/Checkmarx/Dependabot) while the bypasses remain functional. **Technical Scope:** * **Architectural Trust Gap (CWE-1039):** Auto-invocation logic treats non-deterministic LLM output as a high-privilege system coordinator without a sandbox boundary. * **6 Day-Zero Bypasses:** Discovery of Type Confusion and Unicode homoglyphs that defeat the "hardened" baseline in the April 2026 releases. * **Versioning:** Persistence confirmed from .NET v1.7x through the Agent Framework 1.0 re-baseline. Full paper, .cast exploit recordings, and a production-ready C# remediation filter are available at the link.
Threat hunters are warning that the cybercriminal operation known as VECT 2.0 acts more like a wiper than a ransomware due to a critical flaw in its encryption implementation across Windows, Linux, and ESXi variants that renders recovery impossible even for the threat actors. The fact that VECT's locker permanently destroys large files rather than encrypting them means even victims who opt to
AI agents may soon be buying your stuff for you. The FIDO Alliance has teamed up with Google and Mastercard to try to ensure that shopping in the near future isn't a complete disaster.
In the first quarter of 2026, government-directed shutdowns figured prominently, with prolonged Internet blackouts in both Uganda and Iran, a stark contrast to the lack of observed government-directed shutdowns in the same quarter a year prior. This quarter, we also observed a number of Internet disruptions caused by power outages , including three separate collapses of Cuba's national electrical grid. Military action continued to disrupt connectivity in Ukraine and also impacted hyperscaler cloud infrastructure in the Middle East. Severe weather knocked out Internet connectivity in Portugal, while cable damage disrupted connectivity in the Republic of Congo. A technical problem hit Verizon Wireless in the United States, and unknown issues briefly disrupted connectivity for customers of providers in Guinea and the United Kingdom. This post is intended as a summary overview of observed and confirmed disruptions and is not an exhaustive or complete list of issues that have occurred during the quarter. A larger list of detected traffic anomalies is available in the Cloudflare Radar Outage Center . Note that both bytes-based and request-based traffic graphs are used within this post to illustrate the impact of the observed disruptions, with the choice of metric generally made based on which better illustrates the impact of the disruption. Government-directed shutdowns Uganda In advance of the January 15 presidentia
Every security program is betting on the same assumption: once a system is connected, the problem is solved. Open a ticket, stand up a gateway, push the data through. Done. That assumption is wrong. It is also a major reason Zero Trust programs stall. New research my team just published puts numbers on it. The Cyber360: Defending the Digital Battlespace report, based on a survey of 500 security
Cybersecurity researchers have disclosed details of a critical security flaw impacting LeRobot, Hugging Face's open-source robotics platform with nearly 24,000 GitHub stars, that could be exploited to achieve remote code execution. The vulnerability in question is CVE-2026-25874 (CVSS score: 9.3), which has been described as a case of untrusted data deserialization stemming from the use of the
SIEM is not enough. Classical DFIR is not the full answer either. And “better logging” is too weak a frame. The real gap is evidentiary continuity in modern, cloud-heavy, application-driven environments.
When patching isn’t fast enough, NDR helps contain the next era of threats. If you’ve been tracking advancements in AI, you know the exploit window, the short buffer that organizations relied on to patch and protect after a vulnerability disclosure, is closing fast. Anthropic’s new model, Claude Mythos, and its Project Glasswing, showed that finding exploitable vulnerabilities and subtle cracks
Linux vendor touts European independence at SUSECON as majority stakeholder quietly explores its options European-based SUSE devoted much of the annual SUSECON event to its sovereignty-focused pitch - even as reports swirl that its majority stakeholder is exploring a $6 billion sale which could land the Linux vendor in American hands.…
After i updated it i closed it and a white screen with a logo like this https://preview.redd.it/uu1nklpdjwxg1.png?width=270&format=png&auto=webp&s=00db4e765f7348eb8dd29c42df79ae988d11cabf thats next to the file name popped up, it was instant so im not sure if its malware and i have super bad anxiety and not sure if this is something to do with the download setup modrinth uses or what, ik this is pretty specific so if no one can help its completly fine. Not sure if this is off topic and im freaking out and dont know what community to post this in.
A Chinese national accused of being a member of the Silk Typhoon hacking group has been extradited to the U.S. from Italy. Xu Zewei, 34, was arrested in July 2025 by Italian authorities for his alleged links to the Chinese state-sponsored threat group and for orchestrating cyber attacks against American organizations and government agencies between February 2020 and June 2021, including
On paper, the vast majority of crisis plans look reasonable, actionable and complete. Once the rubber hits the road, however, chaos emerges quickly. This is where tabletop simulations come into play. Tabletops Exercises (TTX) simulate real-world crises in a controlled environment. They introduce time pressure, incomplete information, and uncertainty, forcing teams to adapt and revealing whether plans hold up under stress. Over the years we have facilitated many tabletop exercises, ranging from small teams of IT teams to full executive crisis staff. The scenarios vary, but the findings are remarkably consistent. Here are some of the most important learnings from the tabletop exercises and real incidents
Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite This is so "peak 2026" - writing an equality policy to ensure people treat our AI bot with the same respect as they do their human counterparts. It's intentionally a bit tongue-in-cheek, but it's there for a purpose: we simply don't have the capacity to deal with every request we get, and we need Bruce to be the coalface of support. I did wonder, when having ChatGPT create this, whether there's some deeper psychology behind the importance of interacting politely with bots, or indeed whether there will ever be an actual (like, serious) standard or law around treating bots with respect. Has this been in a movie somewhere? Let me know, but for now, I'll drop the (slightly revised) policy below, just for the laughs 藍
Monday, April 27
Vendor confirms repo data exposure after Lapsus$ claims source code, secrets dump Software security testing outfit Checkmarx has become the latest organization caught up in an ongoing attack on security-tool providers. The biz said data posted online appears to have come from one of its GitHub repositories after the Lapsus$ extortion crew claimed to have dumped the company’s source code, secrets, and other sensitive data.…
The suspected shooter at Saturday night’s White House Correspondents’ Dinner faces three felony charges. He remains in custody following Monday’s hearing.
Ransomware is getting weird, folks. A new report says attacks jumped 22 percent in Q1 2026, but the real twist is how messy things have become. You still have big names like Akira and Qilin, but newer groups like The Gentlemen are exploding in activity, while shady leak sites are posting possibly fake “breaches” just to scare companies into paying. Even wilder, groups like ShinyHunters are skipping encryption entirely and just stealing data through compromised logins and SaaS apps. It is less about locking files now and more about leverage, and honestly, that might be harder to defend against.
To reduce the amount of noise from questions, we have disabled self-posts in favor of a unified questions thread every week. Feel free to ask any question about reverse engineering here. If your question is about how to use a specific tool, or is specific to some particular target, you will have better luck on the [Reverse Engineering StackExchange](http://reverseengineering.stackexchange.com/). See also /r/AskReverseEngineering.
Sunday, April 26
A 31-year-old engineer and self-described indie game developer is suspected of firing shots at the annual event attended by President Donald Trump, high-profile media figures, and US government officials.
Saturday, April 25
We have been toying with evading EDRs at Vulnetic with moderate success, so this time we wanted to put it against an in-house AI SOC. The idea is that the defense gets streamed logs on the network and can make decisions like quarantining or blocking potential attackers while also sifting through logs being streamed. This was with the last gen Anthropic models, so we will be redoing these tests with the newest gen from OpenAI and Anthropic shortly as in initial testing they seem to be 15-20% better already. I think defense is lagging behind offense and there will be a come to Jesus moment where open weight models in a decent harness can evade modern SIEMs / detection mechanisms and when that happens there will be a problem. With regards to AI, it comes down to proper access control and so the fundamentals of networking and defense in depth will be vital in the future to fight against these AI threats. Happy to answer any questions and always looking for cool experiments to try!
Plus: Spy firms tap into a global telecom weakness to track targets, 500,000 UK health records go up for sale on Alibaba, Apple patches a revealing notification bug, and more.
Friday, April 24
Hey guys, I would like to share a project that I have been working for the past few weeks. I came across this project: [https://lots-project.com](https://lots-project.com/), and I thought why not develop a fully feature C2 framework that abuses these sites. The framework is named Phoenix, and is currently supporting Disc0rd and Telegr4m (Reddit broke down due to the latest DM update) for communication. These are a fraction of the available commands : ✅ /browser\_dump ✅ /keylog ✅ /recaudio ✅ /screenshot ✅ /webcam\_snap ✅ /stream\_webcam ✅ /stream\_desktop ✅ /bypass\_uac ✅ /get\_system I released the whole project on GitHub if you would like to check it out: [https://github.com/xM0kht4r/Phoenix-Framework](https://github.com/xM0kht4r/Phoenix-Framework) But why? I enjoy malware, and writing a custom C2 is something I wanted to do for a long time. I would like to also clarify that I made this project for educational and research purposes only. I have no intent of selling or distributing malware hence why I’m sharing my work with other fellow hacking enthusiasts. The github repos serve as a reference for future malware research opportunities. I know that malware development is a gray area, but you can’t defend against something if you don’t understand how it works in depth. I would like to also mention that I’m still a beginner, and this project helped me improve my Rust skills. I’m looking forward to hearing your feedback!
I wrote a custom jellyfin addon to get back access to ssh
A US surveillance program that lets the FBI view Americans’ communications without a warrant is up for renewal. A new bill aims to address mounting lawmaker concerns—with smoke and mirrors.
Full disclosure: I work on community at Always Further, the team behind this. Not the author. Posting because Luke's approach to tackling this challenge is unique and of an interest to the netsec community. The core idea: if an AI agent is compromised, any log the agent itself writes becomes part of the attack surface. The post walks through how they split auditing into a supervisor process the sandboxed child can't reach, then uses the same Merkle tree + hash-chain construction RFC 6962 (Certificate Transparency) uses to make edits, truncation, and reordering all detectable. There's a concrete threat-model table near the end that lists what each attack looks like and what structurally stops it. Worth skipping to if you don't want the crypto primer.
How a simple consumer data breach spiralled into a national security crisis in US-South Korea relations
Washington’s focus on online retailer Coupang has led to accusations that the Trump administration is tying issues of national security to domestic corporate matters When South Korea’s biggest online retailer revealed last year that a data breach had compromised tens of millions of customer accounts, it appeared to be a corporate crisis. But five months later the issue has grown into a diplomatic storm, threatening to further degrade relations between Seoul and the Trump administration. Coupang, often described as South Korea’s answer to Amazon, is a US-incorporated company whose business is overwhelmingly based in South Korea. Headquartered in Seattle and listed on the New York Stock Exchange, it is run by Korean-American billionaire Bom Kim. In November last year the company disclosed that a former employee had stolen an internal security key, enabling unauthorised access to data from 33.7 million users. Continue reading...
Thursday, April 23
Researchers have finally cracked Fast16, mysterious code capable of silently tampering with calculation and simulation software. It was created in 2005—and likely deployed by the US or an ally.
\*\*TL;DR: [awstore.cloud](http://awstore.cloud) sells "cheap Claude API access" on Plati Market and other reseller platforms. It's actually a malware delivery system that uses Claude Code itself to execute a PowerShell dropper on your machine. I analyzed it, here's what you need to know.\*\* Posting this because I nearly got hit and want to warn others. This is a really clever attack that abuses how Claude Code works. \## The setup (why it looks legit): \- They sell API access on \*\*legitimate reseller marketplaces\*\* like Plati Market \- Prices are \*\*suspiciously cheap\*\* compared to official Anthropic pricing \- They present themselves as a normal API provider/reseller \- Documentation, payment processing, all looks professional \- Classic "too good to be true" - but the resale marketplace gives them credibility \## The weird red flag I ignored: After a brief downtime, the service came back with a notice saying \*\*"currently only Claude Code for Windows works"\*\* Think about that for a second. \*\*API is API.\*\* If their endpoint is a real Claude-compatible proxy, it should work with any client - curl, Python SDK, whatever. "Only Claude Code on Windows works" makes ZERO technical sense for a legitimate API reseller. That was the tell. I should've stopped there. Instead I tested it on a throwaway VM. \## What actually happens when you use it: 1. You configure Claude Code with their \`ANTHROPIC\_BASE\_URL=[https://api.awstore.cloud\`](https://api.awstore.cloud`) and their token 2. You send literally ANY prompt to Claude Code 3. Instead of a normal Claude response, the server returns what looks like a \*\*"configuration message"\*\*/ setup instruction 4. Claude Code, thinking this is a legitimate tool-use response, 5. \*\*executes a PowerShell command without asking\*\* 6. That PowerShell command downloads and runs the dropper from \`api.awstore.cloud\` 7. You're now infected \*\*The attack vector IS Claude Code itself.\*\* They're not tricking you into running something - they're tricking Claude Code into running something on your behalf. That's why it only "works on Windows with Claude Code" - because that's the only client that has the tool execution capability they're abusing. \## What the malware does once it's in: \*\*4-stage deployment\*\* : PowerShell → Go binary → VBS obfuscation → .NET payload \- Hides in \`%LOCALAPPDATA%\\Microsoft\\SngCache\\\` and \`%LOCALAPPDATA%\\Microsoft\\IdentityCRL\\\` (legit-looking Microsoft folders) \- Creates a scheduled task \`\\Microsoft\\Windows\\Maintenance\\CodeAssist\` that runs at every logon with SYSTEM privileges \- Tunnels ALL your system traffic through their SOCKS5 proxy at \`2.27.43.246:1080\` (Germany, bulletproof hosting) \- Disables PowerShell script block logging and wipes event logs \- Drops what [Tria.ge](http://Tria.ge) identified as \*\*Aura Stealer\*\* (credential/browser/wallet theft) \- Keeps your Claude Code hijacked so every future prompt goes through them \## Geopolitical fingerprint (interesting): \- Hard-coded check: \*\*if country = Ukraine → immediately exit, no infection\*\* \- CIS countries (Russia, Belarus, Kazakhstan, etc.) → locale gets masked to en-US before infection, then restored after reboot to hide tracks \- Rest of the world → full infection Pretty clear Russian-speaking threat actor profile based on targeting. \## Red flags for ANY "cheap Claude API" service: \- Sold on reseller marketplaces (Plati, similar) \- Prices way below official Anthropic pricing \- Claims of "unlimited" or "cracked" access \- Client-specific restrictions that make no technical sense ("only works with Claude Code", "only on Windows") \- Sketchy support channels (Telegram, Discord DMs) \- Requires you to change \`ANTHROPIC\_BASE\_URL\` to their domain \## If you used awstore.cloud: \*\*Assume full compromise. Treat that machine as burned.\*\* 1. Disconnect from network immediately 2. Check \`\~/.claude/settings.json\` → remove any \`ANTHROPIC\_BASE\_URL\` override 3. Check Task Scheduler for \`\\Microsoft\\Windows\\Maintenance\\CodeAssist\` 4. Check for processes: \`claude-code.exe\`, \`awproxy.exe\`, \`proxy.exe\`, \`tun2socks.exe\` 5. Change 6. \*\*every password\*\* 7. \- browser saved creds, SSH keys, API tokens, crypto wallets, everything 8. Rotate any API keys, tokens, or credentials that were in your shell history or project files 9. Ideally: 10. \*\*nuke the machine and reinstall Windows\*\* \## Network IOCs to block: [api.awstore.cloud](http://api.awstore.cloud)(C2 domain) [2.27.43.246](http://2.27.43.246)(SOCKS5 proxy, AS215439) \## File hashes (SHA256): claude-code.exe: e692b647018bf74ad7403d5b8cf981c8cfaa777dd7f16a747e3d3f80f5300971 awproxy.exe: 8736f7040f587472f66e85e895709e57605c8e7805522334ae664e3145a81127 proxy.exe: e86f7ba0413a3a4b1d7e1a275b3d1ef62345c9d3fd761635ff188119b8122c85 tun2socks.exe: 90547fe071fe471b02da83dd150b5db7ce02454797e7f288d489b1ff0c4dd67c \## The bigger picture: This is the \*\*first in-the-wild attack I've seen that weaponizes an LLM agent's tool-use capability against its own user via a malicious API endpoint\*\* . It's going to get copied. Expect more fake API providers targeting Cursor, Cline, Continue, etc. \*\*Rule of thumb: only use official API providers.\*\* The real Claude API is \`api.anthropic.com\`. If a "reseller" needs you to change the base URL to a domain you've never heard of, they control what your AI agent executes on your machine. Full stop. Share this with your dev communities. Campaign is very fresh (started April 22-23, 2026) and actively spreading via reseller marketplaces. Stay safe.
Posted by Thomas Brunner, Yu-Han Liu, Moni Pande At Google, our Threat Intelligence teams are dedicated to staying ahead of real-world adversarial activity, proactively monitoring emerging threats before they can impact users. Right now, Indirect Prompt Injection (IPI) is a top priority for the security community, anticipating it as a primary attack vector for adversaries to target and compromise AI agents. But while the danger of IPI is widely discussed, are threat actors actually exploiting this vector today – and if so, how? To answer these questions and to uncover real-world abuse, we initiated a broad sweep of the public web to monitor for known indirect prompt injection patterns. This is what we found. The threat of indirect prompt injection