#0515
Trail of Bits17 days ago▣LLM reportinfo Trail of Bits has released gosentry, an enhanced fork of the Go toolchain designed to significantly improve native Go fuzzing capabilities by integrating LibAFL and Nautilus. The tool allows security researchers and developers to perform struct-aware and grammar-based fuzzing, successfully identifying complex vulnerabilities such as integer overflows, data races, and goroutine leaks that standard Go fuzzing often misses.
The Canadian Centre for Cyber Security published a daily advisory digest on May 12, 2026, highlighting critical security updates from SAP, Siemens, Schneider Electric, Ivanti, and Mozilla. The advisories cover a wide range of enterprise software, industrial control systems, and web browsers, requiring immediate patching to mitigate potential exploitation.
#0513
Trend Micro17 days ago▣LLM reporthigh Trend Micro identified two distinct threat campaigns, SHADOW-AETHER-040 and SHADOW-AETHER-064, leveraging agentic AI to orchestrate attacks against Latin American government and financial institutions. The attackers utilized AI models like Anthropic's Claude to dynamically generate scripts, analyze configurations, and establish SOCKS5 tunnels for lateral movement, demonstrating a shift towards AI-assisted, signature-evasive intrusion operations.
#0512
Socket17 days ago▣LLM reportcritical A critical sandbox escape vulnerability (CVE-2026-26956) in the vm2 Node.js library allows attackers to execute arbitrary OS commands by leveraging WebAssembly.JSTag via VM.run(). The flaw affects versions 0.2.2 through 3.10.4 on Node.js runtimes exposing this tag, prompting the release of vm2 3.10.5 and a free Certified Patch from Socket to remove the tag from the sandbox environment.
#0511
Mandiant17 days ago▣LLM reporthigh Google Threat Intelligence Group (GTIG) reports an escalation in adversaries leveraging generative AI for vulnerability discovery, autonomous malware orchestration, and defense evasion. Notable developments include the AI-assisted discovery of a zero-day 2FA bypass, the PROMPTSPY Android backdoor utilizing the Gemini API for autonomous UI navigation, and supply chain attacks by TeamPCP targeting AI dependencies like LiteLLM to extract cloud secrets.
#0510
Varonis17 days ago▣LLM reportcritical Varonis Threat Labs identified a Remote Code Execution (RCE) vulnerability in Azure Cosmos for PostgreSQL caused by improper input validation of the loglineprefix parameter within the Azure management API. By utilizing form feed and newline characters, attackers could bypass single-quote restrictions to inject arbitrary PostgreSQL configurations, such as archive_command, ultimately leading to arbitrary OS command execution on the underlying managed database node.
#0509
Canadian Centre for Cyber Security17 days ago▣LLM reportcritical The Canadian Centre for Cyber Security released a daily digest highlighting critical vulnerabilities across Cisco, IBM, Dell, Ubuntu, and various ICS platforms. Notably, Cisco ASA and FTD devices are affected by a newly identified persistence mechanism known as the FIRESTARTER backdoor, which survives previous patches for CVE-2025-20333, CVE-2025-20362, and CVE-2025-20363.
#0508Trend Micro17 days ago▣LLM reporthigh In May 2026, threat actor SHADOW-AETHER-015 compromised Instructure's Canvas LMS backend, exposing sensitive data from 8,809 global educational institutions. The breach, likely facilitated via API exploitation or third-party integration compromise, exposed PII and private communications, creating significant risk for highly targeted follow-on spear-phishing and credential abuse campaigns.
#0507
Elastic Security Labs17 days ago▣LLM reportcritical Copy Fail and DirtyFrag are critical Linux kernel privilege escalation vulnerabilities that exploit page cache corruption via legitimate kernel interfaces like AF_ALG and splice(). These flaws allow local attackers to corrupt the in-memory view of setuid binaries or critical files like /etc/passwd to gain root access. Copy Fail has been exploited in the wild, prompting CISA to add it to the Known Exploited Vulnerabilities catalog.
#0506
Recorded Future17 days ago▣LLM reportlow This article provides a comprehensive overview of 14 common payment fraud tactics, including phishing, account takeover, and wire transfer fraud, highlighting the projected $362 billion in global losses by 2028. It emphasizes the need for organizations, particularly in e-commerce and finance, to implement layered defenses such as PCI compliance, 3D Secure authentication, and machine learning-based anomaly detection to mitigate financial and reputational damage.
#0505Elastic Security Labs17 days ago▣LLM reportmedium The article details a defensive architecture using Elastic Security to detect web server probing and directory fuzzing against Traefik reverse proxies. By analyzing HTTP 403 and 404 error thresholds, security teams can trigger automated workflows that dynamically update Cloudflare WAF rules to block malicious source IPs at the edge.
The Canadian Centre for Cyber Security issued advisories for Microsoft Edge, cPanel/WHM, and critical Linux kernel vulnerabilities (CVE-2026-43284, CVE-2026-43500) dubbed 'Dirty Frag'. The Linux flaws allow local privilege escalation to root, have public PoCs, and currently lack a universal patch, requiring immediate module-disabling mitigations.
#0503Varonis17 days ago▣LLM reportcritical The threat group ShinyHunters compromised Instructure's Canvas learning management system, likely via voice phishing (vishing) targeting their interconnected Salesforce environment. The breach resulted in the theft of 3.65 TB of sensitive data affecting 275 million users, which the actors are now leveraging in an active extortion campaign and which poses a severe downstream phishing risk.
#0502
Akamai17 days ago▣LLM reporthigh Akamai has disclosed CVE-2026-34354, a local privilege escalation vulnerability in the Guardicore Platform Agent and Zero Trust Client for macOS and Linux. The vulnerability leverages an unauthenticated IPC socket and a TOCTOU flaw to make root-owned files world-writable, alongside a secondary command injection vector in a diagnostic tool.
#0501KKaspersky17 days ago▣LLM reportcritical Kaspersky researchers discovered CVE-2025-68670, a pre-authentication Remote Code Execution (RCE) vulnerability in the xrdp server for Linux. The flaw stems from a stack buffer overflow in the xrdpwmparsedomaininformation function when processing specially crafted domain names during the Secure Settings Exchange phase, allowing an attacker to overwrite the return address and execute arbitrary code.
#0500
CISA17 days ago▣LLM reporthigh CISA has added CVE-2026-42208, a SQL Injection vulnerability affecting BerriAI LiteLLM, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Organizations are strongly urged to prioritize timely remediation of this vulnerability to reduce their exposure to cyberattacks.
#0499Socket17 days ago▣LLM reportcritical A supply chain attack utilizing five malicious NuGet packages typosquatting Chinese .NET libraries has been discovered distributing a cross-platform infostealer. The malware leverages .NET Reactor and JIT hooking via module initializers to execute automatically upon assembly load, targeting credentials and cryptocurrency wallets across developer workstations and CI/CD pipelines.
#0498Socket17 days ago▣LLM reportinfo The release of pnpm 11 introduces significant supply chain security enhancements, including a default 24-hour minimum release age for packages, the blocking of exotic subdependencies, and a streamlined allowBuilds model. These features are designed to mitigate rapid supply chain attacks, such as the recent Mini Shai-Hulud campaign, by restricting install-time execution and unexpected dependency sources.
#0497Elastic Security Labs17 days ago▣LLM reporthigh Elastic Security Labs identified TCLBANKER, a new Brazilian banking trojan distributed via DLL sideloading that features robust anti-analysis mechanisms and environment-gated payload decryption. The malware deploys a full-featured banking trojan with a WPF-based social engineering overlay framework, alongside worm modules that self-propagate by hijacking WhatsApp Web sessions and Microsoft Outlook accounts.
#0496Recorded Future17 days ago▣LLM reporthigh The emergence of cryptographically relevant quantum computers (CRQCs) poses a critical threat to modern public-key encryption. Threat actors are already conducting 'Harvest Now, Decrypt Later' (HNDL) operations to intercept and store long-lived sensitive data, necessitating immediate organizational planning for post-quantum cryptography (PQC) migration and cryptographic agility.
