#0694VVolexityabout 1 month ago6 min▣LLM reporthigh VerdantBamboo, a Chinese threat actor, compromised edge appliances including Egnyte Storage Sync, pfSense firewalls, and Synology NAS devices to deploy custom malware (BRICKSTORM, PLENET, AGENTPSD). The attackers exploited a compromised MSP and local privilege escalation misconfigurations to maintain long-term persistence, using the compromised devices to proxy traffic and bypass Microsoft 365 Conditional Access policies.
#0693RReversinglabsabout 1 month ago7 min▣LLM reportcritical A highly coordinated supply chain attack compromised 56 npm packages across 286 versions by abusing the binding.gyp native build configuration to silently execute malicious code during installation. The multi-stage, heavily encrypted payload targets CI/CD environments to harvest cloud credentials, propagates via stolen OIDC tokens, and establishes persistence with a destructive dead man's switch.
#0692
Canadian Centre for Cyber Securityabout 1 month ago3 min▣LLM reportmedium The Canadian Centre for Cyber Security issued advisories regarding Denial of Service vulnerabilities in SolarWinds Serv-U and Web Help Desk, as well as an unspecified vulnerability in Docker Desktop. Organizations are advised to apply the latest vendor patches to mitigate potential risks.
#0691
Morphisecabout 1 month ago4 min▣LLM reporthigh Analysis of VECT 2.0 ransomware reveals critical Windows-specific implementation flaws, including buffer-size mismatches, race conditions from shared global state, and incomplete nonce retention. These defects result in files being partially encrypted, inconsistently modified, or structurally damaged, rendering the attacker's own decryptor incapable of reliable data recovery.
#0690
Recorded Futureabout 1 month ago6 min▣LLM reporthigh The 2026 FIFA World Cup faces a multifaceted threat landscape encompassing cybercriminal fraud, state-sponsored espionage, and physical security risks. Financially motivated actors are actively deploying purchase scams and fake domains to harvest payment card data, while state-aligned groups from Iran, Russia, and China are expected to target telecommunications, logistics, and VIP attendees for intelligence collection and potential disruption.
#0689
CISAabout 1 month ago4 min▣LLM reportmedium NAVTOR NavBox versions 4.16.1.20 and prior contain a hard-coded credentials vulnerability (CVE-2026-21404) within the Windows Communication Foundation (SOAP) implementation. A local attacker can extract these credentials to authenticate against the SOAP interface, gaining access to privileged WCF methods to write or overwrite files within application-defined paths, potentially causing operational disruption.
#0688
CISAabout 1 month ago4 min▣LLM reportmedium Hitachi Energy MACH HiDraw versions 9.22 and prior contain a heap-based buffer overflow vulnerability (CVE-2026-7310, CVSS 5.5) in their XML parser functionality. An authenticated local attacker can exploit this by tricking a user into opening a crafted XML file, potentially leading to denial of service or arbitrary code execution.
#0687
CISAabout 1 month ago4 min▣LLM reporthigh Hitachi Energy ITT600 Explorer contains two high-severity vulnerabilities (CVE-2024-8176, CVE-2025-59375) within its libexpat library implementation. These flaws, triggered via crafted IEC61850 messages or documents during server simulation, can lead to uncontrolled recursion and resource exhaustion, resulting in Denial of Service (DoS) or memory corruption.
#0686
Sophosabout 1 month ago5 min▣LLM reporthigh During a routine certification test, Sophos X-Ops discovered an undeclared XMRig-based crypto-miner bundled with Hola Browser version 1.251.91.0. The incident was attributed to a supply chain compromise affecting the browser's distribution pipeline, which has since been remediated by the vendor.
#0685
Socketabout 1 month ago7 min▣LLM reportcritical A supply chain attack dubbed 'Mini Shai-Hulud' compromised numerous npm packages, notably within the @redhat-cloud-services namespace. The malicious packages use preinstall hooks to execute an obfuscated loader that decrypts and runs a credential-harvesting payload via the Bun runtime, targeting CI/CD secrets, cloud credentials, and developer tokens for encrypted exfiltration.
#0684
Sekoia.ioabout 1 month ago7 min▣LLM reportcritical Gamaredon, an FSB-linked threat actor, has deployed a highly evasive, fileless stealer dubbed GammaSteel targeting Ukrainian entities. The malware leverages Windows DPAPI to encrypt and stage payloads within the registry, actively monitoring local, network, and USB drives for sensitive documents to exfiltrate via legitimate cloud services and dynamic C2 infrastructure.
#0683
ANY.RUNabout 1 month ago4 min▣LLM reportmedium ANY.RUN's Q1 2026 Cyber Risk Report highlights a significant acceleration in attacker operational tempo, with the median time-to-persistence dropping to 21 seconds and LOTL execution occurring in 16 seconds. The data also shows a marked increase in loader-based attacks, credential theft, and the weaponization of trusted tools via JavaScript LOLBAS techniques, emphasizing the critical need for rapid, behavior-based detection capabilities.
#0682
CISAabout 1 month ago3 min▣LLM reporthigh CISA has added CVE-2026-45247, a deserialization of untrusted data vulnerability affecting the Mirasvit Full Page Cache Warmer, to its Known Exploited Vulnerabilities (KEV) Catalog. The addition is based on evidence of active exploitation, and CISA strongly urges all organizations to prioritize its remediation to reduce exposure to cyberattacks.
#0681
Cofenseabout 1 month ago5 min▣LLM reportmedium Threat actors are weaponizing legitimate online services, such as Zoom, by embedding malicious links and phone numbers into arbitrary text fields like usernames and meeting descriptions. By triggering automated emails from these services and forwarding them to victims, attackers successfully bypass traditional email security protocols (SPF, DKIM, DMARC) and Secure Email Gateways.
#0680
Canadian Centre for Cyber Securityabout 1 month ago4 min▣LLM reporthigh The Canadian Centre for Cyber Security released a daily digest highlighting vulnerabilities in Google Chrome, ABB T-MAC Plus control systems, and Phoenix Contact CHARX SEC-3xxx charging controllers. Organizations are advised to apply the latest patches and firmware updates to mitigate potential exploitation, particularly concerning an unauthenticated log download vulnerability in Phoenix Contact devices.
#0679
Check Pointabout 1 month ago8 min▣LLM reporthigh Check Point Research uncovered a large-scale malware distribution ecosystem that uses search engine optimization and impersonated open-source project sites to drive traffic to a sophisticated Traffic Distribution System (TDS). The TDS employs click hijacking and strict gating to selectively deliver malware, including the SessionGate loader, RemusStealer, and AnimateClipper, while actively evading automated analysis through one-time key releases and file inflation.
#0678
Trail of Bitsabout 1 month ago6 min▣LLM reporthigh Security researchers successfully bypassed multiple AI agent skill scanners, including ClawHub, Cisco's skill-scanner, and skills.sh integrations, using techniques like file truncation, embedded payloads, Python bytecode poisoning, and prompt injection. The findings highlight that automated scanning of AI agent skills is fundamentally flawed due to the complex mix of natural language, code, and limited scanner context windows, necessitating a shift towards curated, trusted skill repositories.
#0677
Sekoia.ioabout 1 month ago6 min▣LLM reporthigh Gamaredon, a Russia-nexus threat actor, utilizes a multi-stage VBScript loader framework named GammaLoad to establish persistent access and deploy subsequent payloads like GammaSteel. The infection chain leverages Dead Drop Resolvers on legitimate platforms, stores C2 configurations in the Windows Registry, and uses Alternate Data Streams (ADS) combined with Scheduled Tasks for stealthy execution.
#0676KKasperskyabout 1 month ago7 min▣LLM reporthigh A newly discovered malware campaign dubbed Argamal targets users downloading adult games, utilizing DLL sideloading and COM hijacking to deploy a sophisticated Remote Access Trojan (RAT). The malware establishes persistence by hijacking the Windows Color System Calibration Loader and grants attackers full system control, including surveillance, file exfiltration, and arbitrary command execution.
#0675
Socketabout 1 month ago7 min▣LLM reporthigh A targeted supply chain attack attributed to Famous Chollima compromised a development branch of the legitimate PHP package 'roberts/leads' on Packagist. The attackers injected an obfuscated JavaScript loader into a tailwind.js configuration file, which utilizes blockchain RPC infrastructure as a dead drop to retrieve and execute secondary payloads like DEV#POPPER RAT, likely as part of a Contagious Interview developer lure.