DAILY WORKFLOW ARCHIVE

2026-05-20 AI创业新闻

候选线索仅供信息发现,请在引用或实践前回到原始来源核验。

2026-05-20 AI创业新闻

Grafana GitHub Breach Exposes Source Code via TanStack npm Attack

Grafana Labs, on May 19, 2026, said an investigation into its recent breach found no evidence of customer production systems or operations being compromised. It said the scope of the incident is limited to the Grafana Labs GitHub environment, which includes public and private source code along with internal GitHub repositories. “After the initial assessment, we found that in addition to source code, the downloaded content included GitHub repositories that some Grafana Labs teams use to collaborate on and store internal operational information and other details about our business,” it said . “This includes business contact names and email addresses that would be exchanged in a professional relationship context, not information pulled from or processed through the use of production systems or the Grafana Cloud platform.” The open-source visualization software maker also noted that the breach originated from the TanStack npm supply chain attack orchestrated by TeamPCP, which also hit OpenAI and Mistral AI, and that it detected the activity on May 11, 2026.

“We performed analysis and quickly rotated a significant number of GitHub workflow tokens, but a missed token led to the attackers gaining access to our GitHub repositories,” it said. “A subsequent review confirmed that a specific GitHub workflow we originally deemed not impacted had, in fact, been compromised.” The company said it subsequently received an extortion demand from an unnamed threat actor on May 16, but opted against paying the ransom as there is no guarantee that the stolen data would actually be deleted, and could act as a catalyst for future campaigns. Since then, Grafana has taken steps to rotate automation tokens, implement enhanced monitoring, audit all commits for signs of malicious activity, and bolster its overall GitHub security posture. It’s worth mentioning here that a data extortion crew named CoinbaseCartel listed Grafana Labs on its dark web site on May 15, 2026.

The Hacker News has contacted Grafana for comment, and we will update the story if we hear back. The development comes as GitHub said it’s investigating unauthorized access to its internal repositories after the notorious threat actor known as TeamPCP listed the platform’s source code and internal organizations for sale on a cybercrime forum. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

GitHub Investigating TeamPCP Claimed Breach of ~4,000 Internal Repositories

GitHub on Tuesday said it’s investigating unauthorized access to its internal repositories after the notorious threat actor known as TeamPCP listed the platform’s source code and internal organizations for sale on a cybercrime forum. “While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity,” the Microsoft-owned subsidiary said . The company also noted that it will notify customers via established incident response and notification channels if any impact is discovered. The development comes after TeamPCP, a threat actor behind a string of software supply chain attacks targeting open-source packages, listed GitHub’s source code for sale for an asking price of no less than $50,000.

The alleged data dump is said to include about 4,000 repositories. “As always, this is not a ransom,” the group said in a post, according to screenshots shared by Dark Web Informer. “We do not care about extorting GitHub, 1 buyer and we shred the data on our end, it looks like our retirement is soon so if no buyer is found, we leak it for free.” In a follow-up update shared on X, GitHub said it detected and contained a compromise of an employee device involving a poisoned Microsoft Visual Studio Code extension. As a risk mitigation measure, the company has rotated critical secrets, while prioritizing highest-impact credentials.

“Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only,” GitHub
said
. “The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far.”
Following the incident, an X account linked to TeamPCP,
xploitrsturtle2
,
stated
“GitHub knew for hours, they delayed telling you and they won’t be honest in the future. What an amazing run, it’s been an honor to play around with the cats over the past few months.” TeamPCP Compromises durabletask PyPI Package News of the sale comes as TeamPCP’s self-replicating malware campaign, known as Mini Shai-Hulud , continues to expand in reach with the compromise of durabletask, an official Microsoft Python client for the Durable Task workflow execution framework. Three malicious package versions have been identified: 1.4.1, 1.4.2, and 1.4.3.

“The attacker compromised a GitHub account via a previous attack, dumped GitHub secrets from a repository to which the user had access, and from there had access to the PyPi token to publish directly,” Google-owned Wiz said . The payload embedded into the package is a dropper, which is configured to fetch and run a second-stage payload (“rope.pyz”) from an external server (“check.git-service[.]com”). The malware is assessed to be an evolution of the payload deployed in connection with the compromise of the guardrails-ai package last week. Specifically, it’s designed to activate a full-featured infostealer that’s capable of harvesting credentials associated with major cloud providers, password managers, and developer tools, and exfiltrating the data to the attacker-controlled domain.

It’s worth noting that the stealer is configured to execute only on Linux systems. According to SafeDep , the 28KB Python stealer also attempts to read HashiCorp Vault KV secrets, unlock and dump 1Password and Bitwarden password vaults, and access SSH keys, Docker credentials, VPN configurations, and shell history. “If the machine is running inside AWS, it propagates itself to other EC2 instances using SSM. If it’s inside Kubernetes, it propagates through kubectl exec,” Aikido Security said .

“And if it detects Israeli or Iranian system settings, there’s a 1-in-6 chance it plays audio and then runs rm -rf /*.” “After enumerating SSM-managed instances, it uses SendCommand with the AWS-RunShellScript document to execute the rope.pyz payload on up to 5 other EC2 instances per profile,” per StepSecurity . “The propagation script downloads the payload from the primary C2, falling back to the secondary domain t.m-kosche[.]com, and runs it in the background.” Also notable is the use of the FIRESCALE mechanism to identify a backup command-and-control (C2) address in the event the primary domain is unreachable. It does this by searching GitHub’s public commit messages for the pattern “FIRESCALE ." and extracting the C2 information from it. Details of this technique were previously highlighted by Hunt.io.

Because the worm propagates using tokens stolen from infected environments, the number of affected packages is expected to grow. Any machine or pipeline that installed an affected version of the package should be treated as fully compromised. “The package is downloaded roughly 417,000 times a month, and the malicious code runs automatically the moment the package is imported, with no error messages and no visible signs of compromise,” Endor Labs researcher Peyton Kennedy said . Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps

Cybersecurity researchers have disclosed details of a new ad fraud and malvertising operation dubbed Trapdoor targeting Android device users. The activity, per HUMAN’s Satori Threat Intelligence and Research Team, encompassed 455 malicious Android apps and 183 threat actor-owned command-and-control (C2) domains, turning the infrastructure into a pipeline for multi-stage fraud. “Users unwittingly download a threat actor-owned app, often a utility-style app like a PDF viewer or device cleanup tool,” researchers Louisa Abel, Ryan Joye, João Marques, João Santos, and Adam Sell detailed in a report shared with The Hacker News. “These apps trigger malvertising campaigns that coerce users into downloading additional threat actor-owned apps.

The secondary apps launch hidden WebViews, load threat actor-owned HTML5 domains, and request ads.” The campaign, the cybersecurity company added, is self-sustaining in that an organic app install turns into an illicit revenue generation cycle that can be used to fund follow-on malvertising campaigns. One notable aspect of the activity is the use of HTML5-based cashout sites, a pattern observed in prior threat clusters tracked as SlopAds , Low5 , and BADBOX 2.0 . At the peak of the operation, Trapdoor accounted for 659 million bid requests a day, with Android apps linked to the scheme downloaded more than 24 million times. Traffic associated with the campaign primarily originated from the U.S., which took up more than three-fourths of the traffic volume.

“The threat actors behind Trapdoor also abuse install attribution tools  (technology designed to help legitimate marketers track how users discover apps) to enable malicious behavior only in users acquired through threat actor-run ad campaigns, while suppressing it for organic downloads of the associated apps,” HUMAN said. Trapdoor combines two disparate approaches, malvertising distribution and hidden ad-fraud monetization, where unsuspecting users end up downloading bogus apps masquerading as seemingly harmless utilities that act as a conduit for serving malicious ads for other Trapdoor apps, which are designed to perform automated touch fraud, as well as launch hidden WebViews, load threat actor-controlled washout domains, and request ads. It’s worth noting that only the second-stage app is used to trigger fraud. Once the organically downloaded app is launched, it serves fake pop-up alerts that mimic app update messages to trick users into installing the next-stage app.

This behavior also indicates that the payload is activated only for those who fall victim to the advertising campaign. In other words, anybody who downloads the app directly from the Play Store or sideloads it will not be targeted. Besides this selective activation technique, Trapdoor employs various anti-analysis and obfuscation techniques to sidestep detection. “This operation uses real, everyday software and multiple obfuscation and anti-analysis techniques - such as impersonating legitimate SDKs to blend in - to help fuse malvertising distribution, hidden ad fraud monetization, and multi-stage malware distribution,” Lindsay Kaye, vice president of threat intelligence at HUMAN, said.

Following responsible disclosure, Google has taken steps to remove all identified malicious apps from the Google Play Store, effectively neutralizing the operation. The complete list of Android apps is available here . “Trapdoor shows how determined fraudsters turn everyday app installs into a self-funding pipeline for malvertising and ad fraud,” Gavin Reid, chief information security officer at HUMAN, said. “This is another instance of threat actors co-opting legitimate tools - such as attribution software - to aid in their fraud campaigns and help them evade detection.” “By chaining together utility apps, HTML5 cashout domains, and selective activation techniques that hide from researchers, these actors are constantly evolving, and our Satori team is committed to tracking and disrupting them at scale.” Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability

Proof-of-concept (PoC) exploit code has now been released for a recently patched security flaw in the Linux kernel that could allow for local privilege escalation (LPE). Dubbed DirtyDecrypt (aka DirtyCBC), the vulnerability was discovered and reported by the Zellic and V12 security team on May 9, 2026, only to be informed by the maintainers that it was a duplicate of a vulnerability that had already been patched in the mainline. “It’s a rxgk pagecache write due to missing COW [copy-on-write] guard in rxgk_decrypt_skb,” Zellic co-founder Luna Tong (aka cts and gf_256) said in a description shared on GitHub. Although the CVE identifier was not disclosed, the vulnerability in question is CVE-2026-31635 (CVSS score: 7.5) based on the fact that the NIST National Vulnerability Database (NVD) includes a link to the DirtyDecrypt PoC in its CVE record.

“The specific fault sits in rxgk_decrypt_skb(), the function that decrypts an incoming sk_buff (socket buffer) on the receive side,” Moselwal said . “In this code path the kernel handles memory pages that are partly shared with the page cache of other processes – a normal Linux optimisation protected by copy-on-write: as soon as a write to a shared page happens, a private copy is made beforehand so that the write doesn’t bleed into another process’s data.” The absence of this COW guard in rxgk_decrypt_skb means that data gets written to the memory of privileged processes or, depending on the exploit path, to the page cache of privileged files, such as etc/shadow, /etc/sudoers, or a SUID binary, leading to local privilege escalation. DirtyDecrypt impacts only distributions with CONFIG_RXGK enabled, such as Fedora, Arch Linux, and openSUSE Tumbleweed. In containerized environments, worker nodes running a vulnerable version of Linux could provide a pathway to escape the pod.

The vulnerability, per Zellic, is assessed to be a variant of Copy Fail (CVE-2026-31431), Dirty Frag aka Copy Fail 2 (CVE-2026-43284 and CVE-2026-43500), and Fragnesia (CVE-2026-46300), all of which grant root access on vulnerable systems. Copy Fail , a local privilege escalation flaw in the AF_ALG cryptographic socket interface, was disclosed by researchers at Theori on April 29, 2026. It was followed by Dirty Frag a week later. Dirty Frag expands on Copy Fail with two page-cache write primitives.

However, security researcher Hyunwoo Kim was forced to go ahead with public disclosure after the agreed-upon embargo window ended prematurely when a merged patch for CVE-2026-43284 on May 5 led another researcher, who was unaware of the embargo, to analyze and independently publish details of the defect. “I read the commit, recognized the xfrm ESP-in-UDP  MSG_SPLICE_PAGES no-COW path against shared pipe pages as an LPE  primitive, and built a PoC,” the researcher, who goes by the online aliases 0xdeadbeefnetwork and afflicted.sh, noted . “The work is n-day weaponization from a public upstream commit, which is  standard practice once a security-relevant fix lands in a public tree.” Fragnesia is another variant of Dirty Frag and impacts the XFRM ESP-in-TCP subsystem. But the outcome is the same: it allows unprivileged local attackers to modify read-only file contents in the kernel page cache and obtain root privileges.

The development dovetails with the discovery of an LPE flaw in the Linux PackageKit daemon ( CVE-2026-41651 aka Pack2TheRoot, CVSS score: 8.8) and an improper privilege management flaw in the kernel ( CVE-2026-46333 aka ssh-keysign-pwn , CVSS score: 5.5), which allows an unprivileged local user to read root-owned secrets like SSH private keys. Various Linux distributions have released advisories for CVE-2026-46333 - AlmaLinux Amazon Linux CloudLinux Fedora Gentoo Red Hat SUSE Ubuntu Kernel Killswitch? The flurry of new disclosures within a span of a few weeks has prompted Linux kernel developers to review a proposal for an emergency “killswitch” that would allow administrators to disable vulnerable kernel functions at runtime until a patch for a zero-day vulnerability becomes available. “Killswitch lets a privileged operator make a chosen kernel function return a fixed value without executing its body, as a temporary mitigation for a security bug while a real fix is being prepared,” according to a proposal submitted by Linux kernel developer and maintainer Sasha Levin.

“The function returns the operator-supplied value and nothing else runs in its place. There is no allowlist, no return-type check; if the kprobe layer accepts the symbol, killswitch engages it. Once engaged, the change is in effect on every CPU until disengage is written or the system reboots.” Rocky Linux Debuts Security Repository Rocky Linux, for its part, has introduced an optional security repository that allows the distribution to ship urgent security fixes quickly, particularly in scenarios where severe vulnerabilities become public knowledge before coordinated upstream fixes arrive. “The repository is disabled by default.

That’s intentional,” the maintainers said . “The default Rocky Linux experience stays exactly what it has always been: predictable, stable, and fully upstream-compatible. Administrators who want access to accelerated fixes can opt in when they need it.” The security repository specifically caters to “specific, narrow” cases where a significant vulnerability is public, exploit code exists, and upstream patches are not available yet. Rocky Linux has emphasized that it’s not a replacement for the regular release process.

“If we push a fix and upstream decides not to address it, the next upstream kernel release will supersede our patched version,” the maintainers added. “Users who haven’t version-locked their kernel will, at that point, no longer have our fix. That’s the trade-off we accepted when building this.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

In February 2026, a phishing-as-a-service (PhaaS) platform called EvilTokens went live. Within five weeks, it had compromised more than 340 Microsoft 365 organizations across five countries. The targets of the platform received a message asking them to enter a short code at microsoft.com/devicelogin and complete their normal MFA challenge, then walked away believing they had verified a routine sign-in. They had actually handed the operator a valid refresh token scoped to their mailbox, drive, calendar, and contacts, with the lifespan of a tenant policy rather than a session.

The operator never needed a password, never tripped an MFA prompt, and never produced a sign-in event that looked like an intrusion. The attack succeeded because the OAuth consent screen has become an instinctive click, and the controls built to stop credential phishing do not look at the consent layer. Security researchers call the resulting condition consent phishing or OAuth grant abuse. The phishing click that mattered last decade handed over a password.

The phishing click that matters now hands over a refresh token, and it sits structurally below the identity controls most organizations still treat as the perimeter. Why MFA Cannot See an OAuth Grant A credential phish hands over a username and password that has to be replayed somewhere, and most identity stacks now demand a second factor at the replay. Even adversary-in-the-middle (AiTM) kits produce a session cookie tied to a sign-in event that the SIEM correlates against geography, device, and travel patterns. Figure 1: Credential phishing leaves a sign-in trail the SIEM can correlate.

An OAuth grant produces no replayed credentials. The user authenticates on the legitimate identity provider, finishes the MFA challenge on the legitimate domain, and clicks Accept. The token the attacker walks away with is the system working as designed. It is signed by the identity provider, scoped to whatever the user agreed to, and refreshable.

MFA cannot block it because MFA has already happened. Figure 2: An OAuth grant leaves no replay, just a refreshable token. The other problem is that refresh tokens then extend the window. The tokens EvilTokens issued survived password resets and remained valid for weeks or months, depending on the tenant configuration.

Rotating the password did not invalidate the grant. Only explicit revocation, or a conditional access policy that demanded re-consent, closed it. How Consent Got Normalized This attack vector has existed since OAuth became standard. What changed is the environment it operates in.

Users have been trained to click through consent screens at the rate they once clicked through cookie banners. Every AI agent installs Surface One. Every productivity integration surfaces one. Every browser extension that touches a SaaS account surfaces one.

The volume of legitimate consent that a knowledge worker sees in a month exceeds anything that existed when the original OAuth threat models were written. The scopes themselves use language that does not map cleanly to risk. A scope called “Read your mail” sounds limited, but in practice it covers every message, attachment, and shared thread the user can access. A scope called “Access files when you’re not present” means a long-lived token issued without the user being in front of a screen to revoke it.

The gap between consent language and operational reach is exactly where attackers operate. Toxic Combinations Form Below the Application Owner A single OAuth consent gives an attacker a scoped foothold inside one application. The deeper risk forms when those footholds bridge. A finance user grants an AI meeting summarizer access to their calendar and mailbox.

The same user later grants a productivity assistant access to the company’s shared drive. A third grant connects a CRM enrichment tool to the customer database. Each was approved one at a time. No application owner sanctioned the combination.

The risk surface is now three scopes intersecting through one human identity, where the meeting summarizer’s compromise can reach contract drafts and customer records through the same person. This is called a toxic combination . It consists of a permission breakdown across applications, bridged by an OAuth grant, an integration, or an AI agent, that no single application owner ever authorized as its own risk surface. It cannot be seen by any one application’s audit log because the bridge exists outside of all of them.

Figure 3: A toxic combination between two SaaS apps no owner sanctioned together. The MCP install, the OAuth consent click, and the browser-extension grant: each is a bridge issued at the speed of a single click. Model Context Protocol (MCP) servers are emerging as the next OAuth-style attack surface, letting agents acquire scoped reach through the same trust-once mechanism consent screens already use. The 2025 Salesloft-Drift incident showed what this looks like at scale.

A compromised downstream connector spread across more than 700 Salesforce tenants through OAuth tokens that the customers had legitimately approved. Each customer authorized the integration. None authorized the cascade. What to Check Closing this gap calls for treating OAuth consent the same way the security program already treats authentication.

A small set of questions exposes where the real gap lives. Area to review What it looks like in practice OAuth application inventory Every third-party app holding refresh tokens in the tenant, refreshed continuously rather than at audit time. Grant age and re-consent Tokens issued more than 30 days ago without re-consent, surfaced as a queue. Cross-application identities Identities holding grants across three or more SaaS applications, flagged for review.

Agent and integration bridges AI agents and integrations bridging two systems no application owner sanctioned together. Conditional access on consent Policies that re-trigger on consent events, not only on sign-in events. Token-level revocation A playbook that revokes a single OAuth token rather than suspending the user. Procedural discipline only scales so far.

The bridges live in a graph no individual application owns, and they are created at the speed of an MCP install or an OAuth consent click. Seeing that graph continuously requires a platform built to watch the runtime layer where the bridges actually form. Where AI Security Platforms Fit In A new class of platforms handles a lot of this automatically. They map every OAuth grant, AI agent, and third-party integration into the identity graph the moment it is issued, rather than waiting for the next audit, then surface the bridges, unused tokens, and policy deviations as a continuous operational queue.

One leading example is Reco. It brings AI agent security, identity governance, and threat detection into one control plane. Its Identity Knowledge Graph connects human and non-human identities to the applications, OAuth grants, and integrations they can access across the SaaS estate. Figure 4: Reco’s view of an AI agent’s OAuth grants and connected accounts.

The platform continuously discovers AI agents and OAuth grants as they appear, maps each scope back to the identity that approved it, monitors behaviour for policy deviations, and revokes access at the token level rather than at the user account. That gives security teams visibility into the runtime layer where these trust relationships actually form. Consent phishing will probably not stay at the margins for much longer. Phishing-resistant authentication has received years of investment and scrutiny, while the consent layer still operates largely on trust.

Closing that gap means treating OAuth grants and AI-agent connections with the same visibility, monitoring, and revocation discipline already applied to authentication itself. Learn more about Reco’s AI security platform . Found this article interesting? This article is a contributed piece from one of our valued partners.

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Drupal to Release Urgent Core Security Updates on May 20, Sites Told to Prepare

Drupal has issued an alert stating that it intends to release a “core security release” for all supported branches on May 20, 2026, from 5-9 p.m. UTC. “The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days,” the maintainers of the PHP-based content management system (CMS) said . “Not all configurations are affected.

Reserve time on May 20 during the release window to determine whether your sites are affected and in need of an immediate update. Mitigation information will be included in the advisory.” It’s being advised to update to the latest supported patch for the site’s version of Drupal before the deadline so that any outstanding upgrade issues can be addressed. Patches are expected to be available for the following supported branches of Drupal core - 11.3.x 11.2.x 10.6.x 10.5.x “Sites on one of these supported versions should update to the latest patch release for the given branch now in preparation for the security window,” Drupal said. The exact nature of the security issue being addressed is unknown at this stage, but it’s expected to be severe given that Drupal is providing 11.1.x and 10.4.x releases for sites running end-of-life minor core versions.

Ahead of the planned update window - Sites on Drupal 11.1 or 11.0 should update to at least Drupal 11.1.9. Sites on Drupal 10.4, 10.3, 10.2, 10.1, or 10.0 should update to at least Drupal 10.4.9. The idea is that these sites should apply the security update as soon as it is released on May 20, and then upgrade to Drupal 11.3 or 10.6 in the near future. For sites still on end-of-life major core versions, such as Drupal 8 and 9, patch files for Drupal 8.9 and 9.5 will need to be applied manually.

However, Drupal has warned that there is no guarantee the fixes will work correctly, adding that they may introduce other issues or regressions. “However, they may help mitigate the vulnerability for sites still on these old major versions until they upgrade to a supported release,” Drupal said. “We strongly recommend Drupal 8 or 9 sites update to at least Drupal 10.6 soon. Drupal 8 and 9 include numerous other, previously disclosed, security vulnerabilities that will not be addressed by either Drupal Steward or the best-effort patch files.” Drupal also noted that Drupal 7 is not affected by the issue.

Sites on any version of Drupal 9 are advised to update to 9.5.11, and those on any version of Drupal 8 should update to Drupal 8.9.20. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

SEPPMail Secure E-Mail Gateway Vulnerabilities Enable RCE and Mail Traffic Access

Critical security vulnerabilities have been disclosed in SEPPMail Secure E-Mail Gateway , an enterprise-grade email security solution, that could be exploited to achieve remote code execution and enable an attacker to read arbitrary mails from the virtual appliance. “These vulnerabilities could have been exploited to read all mail traffic or as an entry vector into the internal network,” InfoGuard Labs researchers Dario Weiss, Manuel Feifel, and Olivier Becker said in a Monday report. The list of identified flaws is as follows - CVE-2026-2743 (CVSS score: 10.0) - A path traversal vulnerability in the SeppMail User Web Interface’s large file transfer (LFT) feature that could enable arbitrary file write, resulting in remote code execution. CVE-2026-7864 (CVSS score: 6.9) - An exposure of sensitive system information vulnerability that leaks server environment variables through an unauthenticated endpoint in the new GINA UI.

CVE-2026-44125 (CVSS score: 9.3) - A missing authorization check vulnerability for multiple endpoints in the new GINA UI that allows unauthenticated remote attackers to access functionality that would otherwise require a valid session. CVE-2026-44126 (CVSS score: 9.2) - A deserialization of untrusted data vulnerability that allows unauthenticated remote attackers to execute code via a crafted serialized object. CVE-2026-44127 (CVSS score: 8.8) - An unauthenticated path traversal vulnerability in “/api.app/attachment/preview” that allows remote attackers to read arbitrary local files and trigger deletion of files in the targeted directory with the privileges of the “api.app” process. CVE-2026-44128 (CVSS score: 9.3) - An eval injection vulnerability that allows unauthenticated remote code execution by taking advantage of the fact that the /api.app/template feature directly passes user-supplied upldd parameter into a Perl eval() statement without any sanitization.

CVE-2026-44129 (CVSS score: 8.3) - An improper neutralization of special elements used in a template engine vulnerability that allows remote attackers to execute arbitrary template expressions and potentially achieve remote code execution depending on the enabled template plugins. In a hypothetical attack scenario, a threat actor could exploit CVE-2026-2743 to overwrite the system’s syslog configuration (“/etc/syslog.conf”) by making use of the “nobody” user’s write access to the file and ultimately obtain a Perl-based reverse shell. The end result is a complete takeover of the SEPPmail appliance, permitting the attacker to read all mail traffic and persist indefinitely on the gateway. One significant hurdle that an attacker must overcome to achieve remote code execution is that syslogd re-reads the configuration only upon receiving the SIGHUP (aka “signal hang up”) signal.

Syslogd is a Linux system daemon responsible for writing system messages to log files or a user’s terminal. “The appliance uses newsyslog for log rotation (e.g., leading to logfile.0), which runs every 15 minutes via cron,” the researchers explained. “newsyslog rotates files that exceed a size limit and then automatically sends a SIGHUP to syslogd. By bloating log files like SEPPMaillog, which has a 10,000 KB limit in this case, we can force a rotation and a subsequent config reload.

These can be filled by just sending web requests.” While CVE-2026-44128 is said to have been fixed by version 15.0.2.1, CVE-2026-44126 was addressed with the release of version 15.0.3. The remaining vulnerabilities have been patched in version 15.0.4. The disclosure comes weeks after SEPPmail shipped updates to resolve another critical flaw ( CVE-2026-27441 , CVSS score: 9.5) that could allow arbitrary operating system command execution. Found this article interesting?

Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Compromised Nx Console 18.95.0 Targeted VS Code Developers with Credential Stealer

Cybersecurity researchers have flagged a compromised version of the Nx Console extension that was published to the Microsoft Visual Studio Code (VS Code) Marketplace. The extension in question is rwl.angular-console (version 18.95.0), a popular user interface and plugin for code editors like VS Code, Cursor, and JetBrains. The VS Code extension has more than 2.2 million installations. The Open VSX version has not been affected by the incident.

“Within seconds of a developer opening any workspace, the compromised extension silently fetched and executed a 498 KB obfuscated payload from a dangling orphan commit hidden inside the official nrwl/nx GitHub repository,” StepSecurity researcher Ashish Kurmi said . The payload is a “multi-stage credential stealer and supply chain poisoning tool” that harvests developer secrets and exfiltrates them via HTTPS, the GitHub API, and DNS tunneling. It also installs a Python backdoor on macOS systems that abuses the GitHub Search API as a dead drop resolver for receiving further commands. In an advisory issued Monday, the maintainers of the extension said the root cause has been traced to one of its developers, whose machine was compromised in a recent security incident that leaked their GitHub credentials.

Although the nature of the prior “incident” was not disclosed, the developer’s credentials have since been temporarily revoked. The access afforded by the credentials is said to have been abused to push an orphaned, unsigned commit to nrwl/nx, which introduces the stealer malware. The malicious action is triggered as soon as a developer opens any workspace in VS Code, leading to the installation of the Bun JavaScript runtime to run an obfuscated “index.js” payload. The malware runs checks to avoid infecting machines likely located in the Russian/CIS time zones and launches itself as a detached background process to kick off the credential harvesting workflow, allowing it to retrieve secrets from 1Password vaults and Anthropic Claude Code configurations, and secrets associated with npm, GitHub, and Amazon Web Services (AWS).

“One capability that stands out: the payload contains full Sigstore integration, including Fulcio certificate issuance and SLSA provenance generation,” StepSecurity said. “Combined with stolen npm OIDC tokens, this means the attacker could publish downstream npm packages with valid, cryptographically signed provenance attestations, making the malicious packages appear as legitimate, verified builds.” The Nx team also acknowledged a “few users were compromised” as a result of this breach. Besides urging users to update to 18.100.0 or later, the maintainers have published the following indicators of compromise - Nx Console version 18.95.0 was installed during the exposure window between May 18, 2026, at 2:36 p.m. CEST and 2:47 p.m.

CEST. Presence of files like ~/.local/share/kitty/cat.py, ~/Library/LaunchAgents/com.user.kitty-monitor.plist, /var/tmp/.gh_update_state, or /tmp/kitty-*. Presence of any of the following running processes: a python process running cat.py and a process with __DAEMONIZED=1 in its environment. Affected users are recommended to terminate the aforementioned processes, delete artifacts on disk, and rotate all credentials reachable from the affected machine, including tokens, secrets, and SSH keys.

The development marks the second time the Nx ecosystem has been targeted within a year. In August 2025, several npm packages were
infected
by a credential stealer as part of a supply chain attack campaign named
s1ngularity
. Unlike the previous iteration, the latest attack targets the VS Code extension. Malicious npm Packages Galore
The findings coincide with the discovery of various malicious packages in the open-source repositories -
iceberg-javascript, supabase-javascript, auth-javascript, microsoft-applicationinsights-common, and ms-graph-types
Five npm packages containing a hidden ELF binary that backdoors Claude Code sessions to steal developer credentials.
noon-contracts
an npm package that impersonates a Noon Protocol smart contract SDK to exfiltrate SSH keys, crypto wallet private keys, AWS credentials, Kubernetes secrets, all .env files, shell history, Docker/Git/npm tokens, and browser wallet storage paths. martinez-polygon-clipping-tony
a trojanized fork of martinez-polygon-clipping that uses a postinstall hook to download a 17MB PyInstaller-packed Windows remote access trojan (RAT) that uses Telegram for command-and-control (C2) for remote shell execution, screenshot capture, file upload/download, and arbitrary Python execution. common-tg-service
an npm package that contains functionality to take over a victim’s Telegram account while masquerading as “Common Telegram service for NestJS applications.” exiouss
an npm package that bundles a ChatGPT and OpenAI session cookie stealer targeting web browsers like Google Chrome, Microsoft Edge, and Brave. k8s-pod-checker, dev-env-setup, and node-perf-utils
three npm packages part of the kube-health-tools cluster that install a large language model (LLM) proxy service on the victim’s machine, allowing the attacker to route LLM traffic through the compromised server A coordinated credential harvesting campaign orchestrated by an Indonesian-speaking threat actor using a set of 38 npm packages that leverages dependency confusion as a way to trick CI/CD pipelines to resolve malicious public packages ahead of legitimate private ones associated with Apple, Google, and Alibaba, among others.

An unusual campaign wherein seven npm packages under the @hd-team organization have been found to act as a stager for configurations used by a Chinese sports gambling and pirated streaming platform named Douqiu to determine the backend servers to connect to. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

In yet another software supply chain attack, threat actors have compromised the popular GitHub Actions workflow, actions-cool/issues-helper , to run malicious code that harvests sensitive credentials and exfiltrates them to an attacker-controlled server. “Every existing tag in the repository has been moved to point to an imposter commit that does not appear in the action’s normal commit history,” StepSecurity researcher Varun Sharma said . “That commit contains malicious code that exfiltrates credentials from CI/CD pipelines that run the action.” An imposter commit refers to a deceptive software supply chain attack strategy in which malicious code is injected into a project by referencing a commit or tag that exists only in an adversary-controlled fork, rather than the original trusted repository. As a result, attackers can bypass standard Pull Request (PR) reviews and achieve arbitrary code execution.

The imposter commit, per the cybersecurity company, contains code that, upon being executed within a GitHub Actions runner, performs a series of actions - Downloads the Bun JavaScript runtime to the runner. Reads memory from the Runner.Worker process to extract credentials. Makes an outbound HTTPS call to an attacker-controlled domain (“t.m-kosche[.]com”) to transmit the stolen data. StepSecurity said 15 tags associated with a second GitHub action, “actions-cool/maintain-one-comment” have also been compromised with the same functionality.

GitHub has since disabled access to the repository due to a “violation of GitHub’s terms of service.” It’s currently not known what led the Microsoft-owned subsidiary to this decision. Interestingly, the exfiltration domain “t.m-kosche[.]com” has been observed in the latest wave of the Mini Shai-Hulud campaign targeting npm packages from the @antv ecosystem, indicating the two clusters of activity could be related. In a statement shared with The Hacker News, Philipp Burckhardt, head of threat intelligence at Socket, said the @antv npm compromise is likely linked to the actions-cool hack, citing overlaps in the exfiltration domain. “That points to the same Mini Shai-Hulud activity cluster, not a separate npm-only incident,” Burckhardt added.

“We’re still being careful about the exact initial access path, but the overlap is strong enough that we’re treating them as related.” “Because every tag now resolves to malicious commits, any workflow that references the action by version pulls the malicious code on its next run,” StepSecurity said. “Only workflows pinned to a known-good full commit SHA are unaffected.” (The story was updated after publication to include a response from Socket.) Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account

Cybersecurity researchers have discovered a fresh software supply chain attack campaign that has compromised various npm packages associated with the @antv ecosystem as part of the ongoing Mini Shai-Hulud attack wave. “The attack affects packages tied to the npm maintainer account atool, including echarts-for-react, a widely used React wrapper for Apache ECharts with roughly 1.1 million weekly downloads,” Socket said . The list of affected packages include @antv packages such as @antv/g2, @antv/g6, @antv/x6, @antv/l7, @antv/s2, @antv/f2, @antv/g, @antv/g2plot, @antv/graphin, and @antv/data-set, as well as related packages outside the @antv namespace, including echarts-for-react, timeago.js, size-sensor, canvas-nest.js, and others. The application security company said the tradecraft matches Mini Shai-Hulud, where a compromised maintainer account is leveraged to push out trojanized versions in quick succession.

The development comes as the supply chain attack campaign continues to slither its way through the software supply chain, worming through different open-source registries rapidly and infecting hundreds of software packages by embedding credential-stealing code into popular development tools. “The potential blast radius is significant because the affected publishing account is connected to widely used packages across data visualization, graphing, mapping, charting, and React component ecosystems,” Socket said. “Even if only a subset of those packages received malicious updates, the popularity of the package ecosystem creates meaningful downstream exposure for organizations that automatically pull new dependency versions.” The attacker is said to have published 639 malicious versions across 323 unique packages, including 558 versions across 279 unique @antv packages. The stealer payload harvests more than 20 credential types, Amazon Web Services, Google Cloud, Microsoft Azure, GitHub, npm, SSH, Kubernetes, Vault, Stripe, database connection strings, and attempts Docker container escape via the host socket.

The stealer is identical to the Mini Shai-Hulud payload used in the SAP compromise . The collected data is eventually serialized, compressed, encrypted, and exfiltrated to a threat actor-controlled domain (“t.m-kosche[.]com:443”) and to “filev2.getsession[.]org/file/” via the Session P2P network. As a fallback mechanism, the malware leverages the stolen GitHub token to create a public repository under the victim’s account and commit the data in a JSON file. The repositories feature the description “niagA oG eW ereH :duluH-iahS,” which reverses to “Shai-Hulud: Here We Go Again.” As of writing, there are more than 2,500 repositories in GitHub containing this marker.

Shai-Hulud Framework “These repositories are created using GitHub tokens stolen from compromised CI/CD environments,” StepSecurity said . “The sheer volume, over two thousand repositories, provides a lower bound on the number of unique environments whose credentials were successfully exfiltrated. If your GitHub token was among those stolen, the attacker has used it to create at least one of these repositories under an account they control.” Furthermore, the malware incorporates an npm propagation logic that abuses the stolen npm tokens to first validate them through the npm registry API, enumerates packages maintained by the token owner, downloads package tarballs, injects the malicious payload, adds a preinstall hook, increases the package versions, and republishes them using the compromised maintainer’s identity. “The attack uses two execution paths,” SafeDep said .

“Each compromised version adds a preinstall hook (bun run index.js). 630 of the 637 malicious versions also inject an optionalDependencies entry [pointing to imposter commits ] that delivers a second copy of the payload via the legitimate antvis/G2 GitHub repository.” “The 22-minute publish burst across 317 packages (637 versions), with an identical obfuscated payload, rules out a gradual or targeted operation. This was automated, rapid exfiltration using a stolen token.” Another noteworthy feature introduced in the latest version of the payload is a Sigstore attestation pipeline , allowing the attacker to sign artifacts with legitimate Sigstore certificates when running in CI environments using a newly minted OIDC token. The Supply-chain Levels for Software Artifacts (SLSA) provenance forgery renders a legitimate release indistinguishable from a malicious version.

“The certificate subject reflects the identity of the CI runner whose OIDC token the worm minted, a legitimate identity that did not authorize the publish,” Endor Labs said . “The attestation proves where the package was built. It does not prove the build was authorized.” Additional analyses into the incident have been published by various security vendors - Aikido Security JFrog Snyk Upwind Wiz The self-replicating Mini Shai-Hulud campaign is assessed to be the work of a financially motivated threat actor named TeamPCP. However, as of last week, the activity has entered an aggressive, new phase after TeamPCP released the entire source code for other threat actors to use as part of a supply chain attack contest announced in partnership with BreachForums.

“The open-sourcing of a production offensive framework is not unprecedented, but it’s unusual for an active campaign,” Datadog said . “It lowers the barrier for other actors to adopt TeamPCP’s playbook including the more sophisticated techniques like OIDC token abuse, provenance forgery, and AI tool persistence hooks.” Since then, an unknown threat actor has uploaded four malicious npm packages , one of which contains a near-verbatim copy of the Shai-Hulud worm with its own command-and-control infrastructure, an indication that cloned versions of the worm may infest open-source ecosystems. This copycat wave , in turn, complicates attribution efforts, while the attacks continue to facilitate credential theft and open the door for follow-on exploitation. The incident once again demonstrates how compromising tools that are already trusted inside enterprise networks can be abused as delivery vehicles for malware.

What makes the campaign truly dangerous is that one compromise feeds into the next, resulting in an ever-expanding blast radius as more packages are hacked. “This campaign is built for credential theft at scale,” Trend Micro said in a report last week. “Organizations using GitHub Actions, PyPI, Docker Hub, GHCR [GitHub Container Registry], VS Code extensions, and cloud-connected CI runners are directly exposed to this risk.” Users who have installed the poisoned versions are recommended to rotate their credentials, enable two-factor authentication (2FA), audit GitHub for the Shai-Hulud-related strings, and switch to a safe version. “If it wasn’t clear already, TeamPCP is here to stay, and npm malware isn’t going anywhere without a proper re-review of their registry’s security,” OX Security said .

“Following their competition for the largest supply chain on BreachForums and the spreading of their own source code, it seems that the group is going to continue exploiting the package dependencies and CI/CD actions to ultimately infect millions of machines and steal information and crypto currency.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

INTERPOL Operation Ramz Disrupts MENA Cybercrime Networks with 201 Arrests

INTERPOL has coordinated a first-of-its-kind cybercrime crackdown across the Middle East and North Africa (MENA) that led to 201 arrests and the identification of an additional 382 suspects. The initiative involved the efforts of 13 countries from the region between October 2025 and February 2026, aiming to investigate and neutralize malicious infrastructure, arrest perpetrators behind these activities, and prevent future losses. “The operation focused on neutralizing phishing and malware threats, as well as tackling cyber scams that inflict severe cost to the region,” INTERPOL said in a statement. “In addition to the arrests made, 3,867 victims were identified, and 53 servers were seized.” The operation, codenamed Ramz , led to the disruption of a phishing-as-a-service (PhaaS) by Algerian authorities after its server was confiscated, along with a computer, a mobile phone, and hard drives containing phishing software and scripts.

One suspect was arrested in connection with the scheme. Elsewhere, Moroccan officials seized computers, smartphones, and external hard drives that contained banking data and software used for phishing operations. Authorities also identified a legitimate server located in a private residence in Oman that contained sensitive information. The server suffered from multiple critical security vulnerabilities and was infected by malware.

INTERPOL said actions were taken to disable the server. In a similar case, compromised devices were discovered in Qatar, with the owners themselves unaware that their systems were being used to spread “malicious threats.” Although the exact nature of these threats was not disclosed, the impacted machines are said to have been secured, and the device owners were alerted to take appropriate security measures. Lastly, Jordanian police identified a computer that was used to run financial fraud scams, where unsuspecting users were tricked into investing their assets in a seemingly legitimate trading platform, only for it to shut down once the funds were deposited. “A raid uncovered 15 individuals carrying out the scams, but investigators determined that they were victims of human trafficking who had been recruited under the false promise of employment from their home countries in Asia,” INTERPOL said.

“Upon arrival in Jordan, their passports were confiscated, and they were forced or coerced into participating in the scheme. Two individuals suspected of orchestrating the operation were arrested.” Group-IB, which was one of the private sector companies that participated in the effort, said it provided “actionable intelligence” on over 5,000 compromised accounts, including those that were associated with government infrastructure, and shared details about active phishing infrastructure across the region. “Cybercrime is borderless, and the only effective response is one that is equally borderless,” Joe Sander, CEO of Team Cymru, said . “Operation Ramz is exactly that kind of response, law enforcement and trusted private-sector partners pooling intelligence, moving in concert, and dismantling the infrastructure that criminals depend on.” Countries that took part in Operation Ramz included Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and the U.A.E.

Series of Law Enforcement Actions The arrests come against the backdrop of a string of law enforcement actions announced by Germany and the U.S. Department of Justice (DoJ) in recent weeks - The sentencing of Thomasz Szabo (aka Plank, Jonah, and Cypher), 27, of Romania, to 48 months in prison for his role as the mastermind of an online swatting ring that targeted more than 75 public officials, four religious institutions, and multiple journalists. The indictment of Owe Martin Andresen (aka Speedstepper), the suspected main administrator of the illicit darknet marketplace, Dream Market, on money laundering charges, following his arrest in Germany last week. The shutdown of a relaunched version of the Crimenetwork marketplace (it was originally dismantled in December 2024) and the arrest of a suspected administrator, a 35-year-old German citizen, on the Spanish island of Mallorca.

The conviction of Sohaib Akhter , 34, of Alexandria, Virginia, by a federal jury for deleting 96 databases storing U.S. government information and stealing the plaintext password of an individual who had submitted a complaint to the Equal Employment Opportunity Commission’s Public Portal. The sentencing of Alan Bill , 33, of Bratislava, the Slovakian Administrator of Kingdom Market , to 200 months (more than 16 years) in prison after he pleaded guilty to a conspiracy to distribute controlled substances, illegal drugs, stolen financial data, counterfeit documents, and malware earlier this January. The sentencing of David Jose Gomez Cegarra , 25, of Venezuela to time served and pay restitution totaling $294,820 in connection with a string of ATM jackpotting incidents between October 5 and November 11, 2024, in the U.S.

states of New York, Massachusetts, and Illinois. The arrest of a 21-year-old from Dordrecht for their involvement in a tool called JokerOTP that’s used by cybercriminals to intercept one-time passwords (OTPs) and two-factor authentication (2FA) codes for hijacking online accounts by impersonating trusted organizations such as banks, cryptocurrency exchanges, and other major service providers. The sentencing of Marlon Ferro (aka GothFerrari), 20, of Santa Ana, California, to 78 months in prison in connection with a social engineering conspiracy that stole more than $250 million in cryptocurrency from victims across the U.S. between late 2023 and early 2025.

“This [social engineering] scheme blended sophisticated online fraud with old-fashioned burglary to drain victims of millions of dollars in digital assets,” U.S. Attorney Jeanine Ferris Pirro stated. “The conspiracy’s operatives typically targeted individuals believed to hold significant cryptocurrency holdings. Its members manipulated victims into surrendering access to their digital wallets through elaborate fraud schemes.

When victims stored their cryptocurrency in hardware wallets, physical devices that cannot be accessed remotely, the enterprise turned to Ferro.” Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.

⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More

Monday opens with a trust problem. A mail server flaw is under active use. A network control system was targeted. Trusted packages were poisoned.

A fake model page pushed a stealer. Then came the familiar ransom claim: the data was returned and deleted. The pattern is clear. One weak dependency can leak keys.

One leaked key can open cloud access. One cloud foothold can become a production incident. AI is speeding up vulnerability discovery, attackers are moving quickly, and old exposure still keeps paying off. Patch the quiet risks first.

Let’s get into it. ⚡ Threat of the Week On-Prem Microsoft Exchange Server Exploited in the Wild —Microsoft disclosed a security vulnerability impacting on-premise versions of Exchange Server, which has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-42897 (CVSS score: 8.1), has been described as a spoofing bug stemming from a cross-site scripting flaw. An anonymous researcher has been credited with discovering and reporting the issue.

Microsoft is providing a temporary mitigation through its Exchange Emergency Mitigation Service, while it’s readying a permanent fix for the security defect. There are currently no details on how the vulnerability is being exploited, the identity of the threat actor behind the activity, or the scale of such efforts. It’s also unclear who the targets are and if any of those attacks were successful. The Case for Autonomous Validation in Four On-Demand Sessions Enterprise CISOs, an industry analyst, and security leaders covered why point-in-time testing no longer matches the speed of modern threats, and how teams are using validation evidence to prioritize remediation, prove control effectiveness, and report risk to leadership.

Four sessions, all on demand. Watch Now ➝ 🔔 Top News Cisco Catalyst SD-WAN Controller Flaw Under Attack —A sophisticated threat actor tracked as UAT-8616 has been attributed to the exploitation of CVE-2026-20182, a critical authentication bypass in Cisco Catalyst SD-WAN Controller. “8616 performed similar post-compromise actions after successfully exploiting CVE-2026-20182, as was observed in the exploitation of CVE-2026-20127 by the same threat actor,” Cisco Talos said. “UAT-8616 attempted to add SSH keys, modify NETCONF configurations, and escalate to root privileges.” UAT-8616 is the same threat actor that was behind the weaponization of CVE-2026-20127 earlier this year to gain unauthorized access to SD-WAN systems.

Cisco isn’t the only security vendor facing a barrage of attacks on its customers, but it is among the most heavily targeted, along with Fortinet and Ivanti. “For nation-state operators, a bug like this (as seen with the actively exploited CVE-2026-20127) is ideal for pre-positioning,” Rapid7 said . “They are usually not looking for a smash and grab. They want persistence.

They want access that blends in. They want to sit in the right place long enough to observe, influence, and pivot when the time is right. An SD-WAN controller is a great place to do that, because it lives in the middle of trust relationships most organizations rarely question.” Blast Radius of TeamPCP Attacks Expands —A new wave of the Mini Shai-Hulud campaign compromised dozens of TanStack npm packages as part of a broader supply chain attack worming through developer ecosystems , including packages tied to UiPath, Mistral AI, OpenSearch and PyPI. The activity has been attributed to TeamPCP, which has orchestrated a series of high-profile supply chain attacks targeting popular open-source projects in recent months.

The goal is the same across all attack campaigns — use poisoned, open-source software to deploy stealer malware and harvest user credentials, API keys, SSH keys, and other secrets. TeamPCP is said to be weaponizing credentials and secrets obtained in the supply chain attacks to access organizations’ cloud infrastructure, not to mention turn into an initial access broker for follow-on attacks like ransomware by teaming up with other cybercrime groups. In some waves, the attackers used the Trufflehog scanner to validate those credentials. The escalating attacks show that TeamPCP prioritizes speed rather than subtlety and stealth.

Supply chain attacks have become an increasingly serious concern because of the sheer scale at which trusted dependencies are reused. A single poisoned package can rapidly propagate into thousands of downstream applications, enterprise environments, and production systems. The development coincided with the compromise of the node-ipc package to distribute a stealer malware. It’s currently not known who is behind the attack.

Since the library is a dependency for hundreds of other packages, which in turn could be dependencies for even more packages, the attack could have cascading consequences. Apple and Google Roll Out Cross-Platform E2EE for RCS Messages —End-to-end encrypted (E2EE) Rich Communication Services (RCS) messaging is being rolled out in beta between iPhone and Android devices, closing one of the biggest interoperability gaps in mainstream mobile messaging. The feature is available to iPhone users on iOS 26.5 with supported carriers and to Android users on the latest version of Google Messages. Encrypted conversations are marked with a padlock icon in the chat interface.

The wider rollout to iPadOS, macOS, and watchOS will follow in future software updates, Apple said. Instructure Reaches Ransom Agreement with ShinyHunters —Instructure, the developer of school information portal Canvas, said it struck a deal with the ShinyHunters group, which breached its systems, stole a massive amount of data, and disrupted thousands of schools that rely on the company’s software. The company did not say what it had given the threat actors in exchange for the destruction of the data, but it’s fair to say it likely made the controversial decision to make a ransom payment. The company said it also received “digital confirmation” that the hackers destroyed any remaining copies in the form of “shred logs.” In addition, the agreement included the return of the stolen data, assurances that affected customers would not be extorted, and a commitment that individual institutions would not need to engage with the threat actor.

While it remains to be seen if the threat actors will keep their side of the bargain, it’s worth highlighting a key problem with paying a ransom: once attackers have a victim’s data, there is no guarantee it was not copied or shared with others. As of May 12, the listing for Instructure has been removed from the ShinyHunters’ data leak site. The group said: “The data is deleted, gone. The company and it’s [sic] customers will not further be targeted or contacted for payment by us.” Fake Hugging Face Repository Delivers Stealer Malware —A malicious Hugging Face repository managed to take a spot in the platform’s trending list by impersonating OpenAI’s Privacy Filter open-weight model to deliver a Rust-based information stealer to Windows users.

The project, named Open-OSS/privacy-filter, masqueraded as its legitimate counterpart, released by OpenAI late last month (openai/privacy-filter), including copying the entire description verbatim to trick unsuspecting users into downloading it. The description accompanying the fake model diverged from the legitimate project in one aspect: instructing users to run start.bat on Windows or execute python loader.py on Linux and macOS to deploy the stealer. Access to the malicious model has since been disabled by Hugging Face. The incident highlights how public AI model registries are emerging as a new software supply chain risk for enterprises, emphasizing why AI model supply chain security needs the same level of rigor as software supply chain security.

It’s essential to verify publisher identity, check model card provenance, and scan for unexpected binary downloads. OpenAI Announces Daybreak —OpenAI announced Daybreak, a new initiative based on its frontier large language models (LLMs) and its artificial intelligence (AI)-powered coding assistant, Codex, to help developers secure their software from the ground up. Like Anthropic’s Mythos and Project Glasswing, the initiative makes it possible to scan a codebase to identify flaws and fix them, triage vulnerability backlog and prioritize fixes by severity, impact, or exploitability, and automate vulnerability detection, validation and response. In a related development, Microsoft detailed its own AI-assisted vulnerability discovery system called MDASH , which orchestrates more than 100 specialized AI agents across multiple frontiers and distilled AI models to find vulnerabilities in the tech giant’s own codebases.

MDASH is designed to run a structured pipeline that goes through distinct stages: preparation, scanning, validation, deduplication, and proof construction. The emergence of Daybreak and MDASH comes amid a spike in vulnerability discovery, mainly fueled by the use of AI tools. Five months into 2026, Microsoft has already patched more than 500 vulnerabilities in its software, a rate that could see the company break its own annual record for the most number of security fixes in a year. The U.K.

National Cyber Security Centre (NCSC) has also warned organizations that they should prepare for a surge of software updates driven by AI-assisted vulnerability discovery. At this stage, access to these advanced tools is tightly controlled. OpenAI has framed the access controls as a response to the dual-use nature of the underlying technology. The same AI capabilities that allow defenders to identify vulnerabilities and accelerate remediation could be misused by bad actors.

Per Google, hacking groups are already using AI models to boost the speed, scale, and sophistication of their attacks, as well as perform reconnaissance and build better malware. 🔥 Trending CVEs Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast. These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild. Check the list, patch what you have, and hit the ones marked urgent first — CVE-2026-42945 (NGINX Plus and NGINX Open), CVE-2026-44112 (OpenClaw), CVE-2026-42897 (Microsoft Exchange Server), CVE-2026-41096 (Microsoft Windows DNS), CVE-2026-42826 (Microsoft Azure DevOps), CVE-2026-20182 (Cisco Catalyst SD-WAN Controller), CVE-2026-44338 (PraisonAI), CVE-2026-46300 , CVE-2026-46333 (Linux Kernel), CVE-2026-45185 (Exim), CVE-2026-8043 (Ivanti Xtraction), CVE-2026-44277 (Fortinet FortiAuthenticator), CVE-2026-26083 (Fortinet FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS), CVE-2026-34260, CVE-2026-34263 (SAP), CVE-2026-42231, CVE-2026-42232, CVE-2026-44791, CVE-2026-44789, CVE-2026-44790 , CVE-2026-42236 , CVE-2026-42230 ( n8n ), CVE-2026-6815 (Casdoor), CVE-2026-2291, CVE-2026-4890, CVE-2026-4891, CVE-2026-4892, CVE-2026-4893, CVE-2026-5172 (dnsmasq), CVE-2026-6787, CVE-2026-6788 (WatchGuard Agent on Windows), CVE-2026-23479, CVE‑2026‑25243, CVE-2026-25588, CVE‑2026‑25589 (Redis), CVE-2026-41002 , CVE-2026-40982 , CVE-2026-40981 , CVE-2026-41713 , CVE-2026-41712 , CVE-2026-41705 (Spring), CVE-2026-6722 (PHP ext-soap), CVE-2026-43824 (Argo CD), CVE-2026-27174 (MajorDoMo), CVE-2026-25254, CVE-2026-25293 (Qualcomm), CVE-2026-28819, CVE-2026-43668, CVE-2026-28972 (Apple macOS), CVE-2026-44413 (JetBrains TeamCity), CVE-2026-42010, CVE-2026-33845, CVE-2026-42009, CVE-2026-33846, CVE-2026-1584 (GnuTLS), CVE-2026-30905 , CVE-2026-30906 (Zoom), CVE-2026-4782, CVE-2026-4798 (Avada Builder plugin), CVE-2026-43898 (SandboxJS), CVE-2026-8509, CVE-2026-8510 (Google Chrome), CVE-2026-44578 (Next.js), CVE-2025-14177 (PHP), CVE-2026-33439 (OpenAM), CVE-2025-66335 (Apache Doris MCP), an authentication validation bypass in Apache Pinot MCP, and an information disclosure flaw in Alibaba RDS MCP.

🎥 Cybersecurity Webinars
AppSec Tools Blind to Lethal Chains: Code → Pipeline → Cloud Attacks
Your AppSec tools are drowning in alerts but completely blind to how real attackers breach you. Modern threats don’t exploit single bugs — they chain tiny weaknesses across code, pipelines, and cloud into lethal attack paths. Join the webinar to discover the 3 deadliest cross-lifecycle patterns from Wiz experts (ex-Okta/GitLab) and learn how to map & stop them. AI is making DDoS attacks dangerously intelligent.

Are you ready? AI is turning DDoS attacks into smart, adaptive weapons that scan weaknesses in real-time, mimic legit traffic, and dodge traditional defenses. With a 358% surge in incidents, it’s time to upgrade your strategy. Join the webinar to learn the latest tactics and how to defend effectively.

📰 Around the Cyber World Flaw in Apple’s Memory Integrity Enforcement —Calif said it discovered a new way of circumventing Apple’s Memory Integrity Enforcement (MIE), a new hardware-assisted memory safety system, and achieved privilege escalation. The discovery was made possible while testing an early version of Anthropic’s Mythos Preview in April. “It’s the first public macOS kernel memory corruption exploit on M5 silicon, surviving MIE,” Calif said. “The exploit is a data-only kernel local privilege escalation chain targeting macOS 26.4.1 (25E253).

It starts from an unprivileged local user, uses only normal system calls, and ends with a root shell. The implementation path involves two vulnerabilities and several techniques, targeting bare-metal M5 hardware with kernel MIE enabled.” Additional details are currently withheld to give Apple time to address the issues. Mustang Panda Delivers Updated FDMTP Tool —A new campaign consistent with tradecraft associated with Mustang Panda has been observed targeting the Asia-Pacific and Japan (APJ) region to deliver an updated version of FDMTP using DLL side-loading. The malware is designed to connect to an external server and receive commands from the remote server, profile compromised hosts, and load additional plugins to handle scheduled tasks, manage Windows Registry persistence, or retrieve files or commands.

The activity has been spotted since September 2025. New Flaw in Burst Statistics Plugin Exploited —Threat actors are exploiting a critical flaw in the Burst Statistics WordPress plugin (CVE-2026-8181, CVSS score: 9.8), which “allows unauthenticated attackers who know a valid administrator username to fully impersonate that administrator for the duration of any REST API request, including WordPress core endpoints such as /wp-json/wp/v2/users, by supplying any arbitrary and incorrect password in a Basic Authentication header,” per Wordfence. An attacker could exploit this flaw to create a new administrator-level account with no prior authentication and seize control of the site. The plugin has over 200,000 installations.

Wordfence said it has blocked thousands of attacks targeting this vulnerability. CISA and Others Release Guidance to Strengthen AI Supply Chain —Multiple government cyber agencies issued a joint guidance to help public and private sector stakeholders improve transparency in their AI systems and supply chains. “A software bill of materials (SBOM) acts as an ‘ingredients list’ for software that better positions organizations to understand their supply chains and make risk-informed decisions about how to protect their critical systems,” the agencies said. “Because AI systems are software systems, these recommendations should be considered in addition to the general minimum elements for an SBOM .” Stealer Malware Continues to Evolve —Cybersecurity researchers disclosed details of various new and emerging information stealers like Salat , Gremlin , and Reaper , the last of which is a new SHub macOS stealer variant that spoofs Apple, Google, and Microsoft across a multi-stage attack chain to steal credentials, exfiltrate business files, and establish persistent backdoor access.

“Reaper uses fake WeChat and Miro installers as lures,” SentinelOne researcher Phil Stokes said. “The payload may be hosted on a typo-squatted Microsoft domain, executed under the guise of an Apple security update, and persist from a fake Google Software Update directory.” Unlike other macOS stealers that trick users into opening and pasting malicious commands into the Terminal app, Reaper relies on the applescript:// URL scheme to trigger the execution of a malicious AppleScript, thereby bypassing Terminal-based mitigations Apple introduced in late March 2026. According to a report published by Flare.io last week, one in four infostealer victims has active access to corporate infrastructure: VPN credentials, SaaS sessions, cloud platforms. “One in six gaming-related infections involves a user with corporate infrastructure access,” it said .

“16% of victims infected through gaming lures also held active credentials for VPNs, SaaS platforms, or cloud environments, creating a direct pipeline from personal device use to enterprise compromise.” Flaws in myAudi Platform —Multiple security flaws have been discovered in the myAudi connected car platform, allowing anyone with knowledge of a vehicle’s VIN to add it to their account as a guest and access sensitive data. The leaked information included the embedded SIM’s IMEI and ICCID identifiers, the GPS location of the primary owner when they triggered a “honk & flash” command, and vehicle lock status. One of the identified issues has been fixed by Audi and CARIAD. 🔧 Cybersecurity Tools Rustinel → It is an open-source endpoint detection tool for Windows and Linux.

It collects system activity using ETW on Windows and eBPF on Linux, checks events against Sigma rules, YARA rules, and IOCs, and writes alerts in ECS NDJSON format for use in SIEM or log pipelines. It is built for blue teams, detection engineers, researchers, and testing environments, not as a full replacement for commercial EDR. Giskard → It is an open-source Python tool for testing and evaluating LLM agents and AI systems. It helps developers check whether an AI app behaves correctly, stays grounded in context, follows safety rules, and handles multi-turn conversations reliably.

Its current version focuses on lightweight evaluation workflows, while related scanning and RAG evaluation features are still being developed or are available in older versions. VanGuard → It is a cross-platform incident response toolkit for Windows and Linux that lets security teams collect evidence, run triage, perform threat hunting, capture memory, gather disk artifacts, manage Velociraptor workflows, and generate reports from a single portable binary without installation. It includes 28 pre-built investigation workflows, supports offline use, and tracks evidence with hashing, chain of custody, and audit logging. Disclaimer: This is strictly for research and learning.

It hasn’t been through a formal security audit, so don’t just blindly drop it into production. Read the code, break it in a sandbox first, and make sure whatever you’re doing stays on the right side of the law. Conclusion The message is simple: trust less, check more. Bad packages, fake pages, weak plugins, leaked keys, and old bugs all lead to the same place.

Patch first. Rotate keys. Review what you run in prod. That’s the work.

That’s the recap. Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.