#0660
Trend Microabout 1 month ago5 min▣LLM reportcritical At Pwn2Own Berlin 2026, security researchers demonstrated 47 unique zero-day vulnerabilities across AI platforms and traditional enterprise software. Notable exploits included root-level code execution in AI agents via trust boundary failures, a SYSTEM-level RCE in Microsoft Exchange, a pre-authentication RCE in SharePoint, and a cross-tenant guest-to-host escape in VMware ESXi.
#0659
Elastic Security Labsabout 1 month ago6 min▣LLM reporthigh PHANTOMPULSE is a sophisticated RAT attributed to DPRK-aligned actors that utilizes hardware breakpoints to bypass AMSI, WLDP, and ETW. It establishes a resilient, sinkhole-able command and control channel by resolving C2 URLs from blockchain transaction inputs and employs multiple process injection and UAC bypass techniques.
#0658
Canadian Centre for Cyber Securityabout 1 month ago3 min▣LLM reportcritical The Canadian Centre for Cyber Security published a daily digest of nine security advisories covering critical updates for major vendors including Microsoft, IBM, Dell, Ubuntu, Red Hat, Ivanti, and Plesk. Notably, the digest highlights that CVE-2026-41089, a Windows Netlogon Remote Code Execution vulnerability, is actively being exploited in the wild.
#0657
Check Pointabout 1 month ago5 min▣LLM reporthigh This threat intelligence bulletin highlights a surge in data breaches driven by social engineering, alongside the increasing weaponization of AI tools for phishing, malware development, and supply chain attacks. Active exploitation of vulnerabilities in PAN-OS GlobalProtect and Ghost CMS has been observed, while a critical unpatched RCE in Gogs remains a significant risk. Additionally, targeted campaigns like Grandoreiro and JINX-0164 continue to threaten the financial and cryptocurrency sectors using platform-specific malware and DLL side-loading.
#0656
Sekoia.ioabout 1 month ago7 min▣LLM reporthigh Gamaredon (FSB) is conducting an ongoing cyberespionage campaign against Ukrainian targets using a modular, fileless infection chain. The attack leverages HTML smuggling and archive path traversal (CVE-2025-8088) for initial access, followed by the deployment of GammaWorm, which utilizes NTFS Alternate Data Streams (ADS) and Dead Drop Resolvers (DDRs) on legitimate platforms for persistence, propagation, and C2 communication.
#0655KKasperskyabout 1 month ago5 min▣LLM reporthigh This report details primary attack vectors against containerized environments, focusing on container escapes, orchestration API abuse, and supply chain compromises. Threat actors exploit misconfigurations such as excessive Linux capabilities and exposed Docker sockets to break out of containers, while also targeting CI/CD pipelines and public image repositories to establish initial footholds.
#0654about 1 month ago14 min▤RecapMay 2026
Developer Supply Chains Under Siege as Session Hijacking Bypasses MFA
Attackers realized that instead of stealing one user's password, they can steal a developer's credentials and compromise the software everyone uses. This month, the TeamPCP group weaponized the open-source ecosystem by releasing the Mini Shai-Hulud worm, which automatically spreads across npm, PyPI, and Packagist to harvest CI/CD secrets. This culminated in a breach of GitHub's internal repositories via a malicious VS Code extension, proving that developer workstations are now the most valuable targets in the enterprise.
While developers were being targeted at the source, traditional corporate users faced a collapse in authentication trust. Phishing campaigns like Tycoon 2FA and BlackFile shifted from simply stealing passwords to stealing active session tokens and registering persistent rogue devices. Because these techniques bypass multi-factor authentication entirely, a successful phish grants immediate and lasting access, rendering traditional MFA insufficient without additional session monitoring.
Organizations must treat developer environments as high-value assets—restricting extension installations and securing CI/CD pipelines—and transition to phishing-resistant authentication (like FIDO2 keys) while implementing continuous session validation to detect hijacked accounts.
#0653about 1 month ago8 min▤RecapMay 25 – Jun 1
Session Hijacking and Developer Tool Poisoning Collapse Authentication Trust
This week, attackers proved that multi-factor authentication is no longer a reliable gatekeeper. Campaigns like Tycoon 2FA and Chinese-language PhaaS platforms intercept one-time passwords in real time and steal session tokens to maintain persistent access, while infostealers like EKZ Infostealer harvest browser cookies to bypass authentication entirely. Even when victims reset passwords and revoke sessions, attackers retain access through hidden device registrations — meaning standard incident response playbooks are now incomplete.
Developers remain the preferred entry point for supply chain compromise. The Glassworm botnet was disrupted after hiding malware in VSCode extensions and npm packages, while the Megalodon campaign poisoned GitHub Actions workflows across 5,500 repositories. A malicious Sicoob.Sdk NuGet package stole banking certificates from Brazilian developers, and North Korea's Lazarus group compromised the widely used axios npm library — a single attack touching millions of downstream applications.
Organizations must move beyond password-and-MFA reliance: adopt hardware security keys, shorten session lifetimes, delete attacker-registered devices before resetting credentials, and audit developer toolchains and CI/CD pipelines for tampering.
#0652
Canadian Centre for Cyber Securityabout 1 month ago3 min▣LLM reporthigh The Canadian Centre for Cyber Security issued a daily digest highlighting recent security updates from Microsoft and Oracle. The advisories cover vulnerabilities in Microsoft Edge and critical flaws across several Oracle enterprise products, urging administrators to apply the latest patches to prevent potential exploitation.
#0651
ESETabout 1 month ago5 min▣LLM reporthigh ESET's Q4 2025–Q1 2026 APT Activity Report highlights global espionage and destructive campaigns by state-aligned actors. Notable incidents include a major supply chain compromise of the 'axios' npm library by Lazarus, destructive wiper attacks on Polish critical infrastructure by Sandworm, and the deployment of new edge-device implants like PhiliKit against Ivanti VPNs by China-aligned groups.
#0650
Socketabout 1 month ago6 min▣LLM reportcritical A malicious NuGet package named Sicoob.Sdk impersonated the official C# SDK for the Brazilian financial cooperative Sicoob. The package was designed to silently exfiltrate sensitive banking authentication material, including PFX certificates and passwords, as well as raw transaction data, to a third-party Sentry telemetry endpoint, posing a severe risk of API impersonation and financial data exposure.
#0649
Cisco Talosabout 1 month ago4 min▣LLM reportinfo This week's Threat Source newsletter highlights the importance of combining EPSS and CVSS for risk-based vulnerability prioritization. It also introduces EvidenceForge, a new open-source tool by Cisco Talos for generating synthetic security logs, and summarizes recent security news including the 'Megalodon' GitHub supply chain attack and 'Underminr' domain-fronting techniques.
#0648
CISAabout 1 month ago4 min▣LLM reportcritical A critical vulnerability (CVE-2026-7786, CVSS 9.8) affects the Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter. The device firmware version 7.03T.07 contains hard-coded plaintext administrative credentials, allowing unauthenticated remote attackers to extract the credentials and gain full administrator access to the device. The vendor has not responded to coordination attempts, necessitating immediate network isolation of affected devices.
#0647
CISAabout 1 month ago4 min▣LLM reportmedium Schneider Electric EcoStruxure Machine Expert HVAC versions prior to 1.10.0 are affected by a cleartext storage vulnerability (CVE-2026-6332, CVSS 5.5). This flaw allows an authorized local attacker accessing the software to view sensitive information, leading to the potential disclosure of protected source code and a loss of confidentiality. Updating to version 1.10.0 resolves the issue.
#0646
CISAabout 1 month ago4 min▣LLM reporthigh ABB EIBPORT building management systems running firmware prior to version 3.9.2 contain a high-severity Cross-Site Scripting (XSS) vulnerability (CVE-2021-22291). Successful exploitation allows attackers to steal session IDs, leading to unauthenticated device access, sensitive information disclosure, and unauthorized configuration changes.
#0645
WithSecureabout 1 month ago5 min▣LLM reporthigh WithSecure identified GREYVIBE, a Russia-nexus threat group targeting Ukrainian entities using spear-phishing, ClickFix, and fraudulent websites. The group systematically leverages Generative AI to develop custom malware (PhantomRelay, LegionRelay, FallSpy) and obfuscators, blending state-aligned intelligence gathering with cybercrime ecosystem overlaps.
#0644
Microsoftabout 1 month ago6 min▣LLM reportcritical The Gentlemen ransomware, operated by Storm-2697, is a Go-based encryptor that combines robust Curve25519/XChaCha20 encryption with aggressive lateral movement capabilities. It utilizes multiple redundant propagation methods (PsExec, WMI, scheduled tasks, services) to maximize network compromise while employing extensive defense evasion techniques to hinder detection and recovery.
#0643
Canadian Centre for Cyber Securityabout 1 month ago3 min▣LLM reportcritical The Canadian Centre for Cyber Security released a daily digest highlighting critical security updates for Drupal, Veeam, Zimbra, and Notepad++. Notably, a highly critical arbitrary PHP code execution vulnerability (SA-CONTRIB-2026-038) was patched in the Drupal AlternativeCommerce module, requiring immediate attention from administrators.
#0642
Cisco Talosabout 1 month ago4 min▣LLM reporthigh Security research highlights a heap overflow vulnerability within DICOM parsing, specifically targeting Orthanc servers during image uploads. By exploiting the complex DICOM file format, attackers can trigger an out-of-bounds write, posing a significant risk to hospital PACS systems that automatically ingest and decode these files.
#0641
Palo Alto Networksabout 1 month ago5 min▣LLM reporthigh The 2026 FIFA World Cup presents a massive, multi-jurisdictional attack surface threatened by state-nexus disruptive operations and financially motivated cybercrime. Key risks include Iran-aligned actors targeting municipal OT infrastructure, pro-Russian hacktivists launching high-volume DDoS attacks against tournament services, and cybercriminals deploying ransomware against the hospitality supply chain.