#0562
Akamaiabout 2 months ago4 min▣LLM reportcritical CVE-2026-42945, dubbed 'NGINX Rift', is a critical heap buffer overflow vulnerability in the NGINX HTTP rewrite module (ngxhttprewrite_module). It allows unauthenticated attackers to cause a Denial of Service (DoS) or potentially achieve Remote Code Execution (RCE) by sending crafted HTTP requests to servers configured with specific rewrite directives containing unnamed PCRE captures and a question mark.
#0561
Huntressabout 2 months ago4 min▣LLM reportmedium This article highlights the severe security risks associated with using common, easily guessable passwords. It details how threat actors leverage weak credentials through brute force, password spraying, and credential stuffing attacks to gain unauthorized access to systems, emphasizing the need for robust identity protection and password management.
#0560
Huntressabout 2 months ago5 min▣LLM reportmedium The article outlines 19 critical cloud security challenges facing organizations, emphasizing that misconfigurations, weak identity and access management (IAM), and human error are the primary drivers of cloud compromise. It highlights emerging threats such as AI-powered deepfake social engineering, MFA fatigue, and cloud-targeted extortion, underscoring the need for unified visibility and robust configuration management.
#0559
Huntressabout 2 months ago5 min▣LLM reporthigh Threat actors are increasingly employing defense evasion techniques to actively disable or blind endpoint security controls like AV and EDR. Common methods include manipulating Windows Firewall rules to block telemetry, uninstalling agents via rogue RMMs, and leveraging Bring Your Own Vulnerable Driver (BYOVD) attacks to terminate protected security processes from the kernel.
#0558
Cofenseabout 2 months ago6 min▣LLM reporthigh A recent phishing campaign impersonates Zoom meeting invitations to trick users into downloading a malicious VBS script disguised as a software update. This script silently installs ConnectWise ScreenConnect, a legitimate RMM tool, granting attackers persistent remote access to the compromised system for potential follow-on attacks such as credential theft, lateral movement, or ransomware deployment.
#0557
Trend Microabout 2 months ago5 min▣LLM reportmedium Autonomous AI agents introduce significant security risks by operating within trust boundaries using delegated credentials, effectively bypassing traditional perimeter defenses. Effective security requires "agentic governance," focusing on strict identity management, granular action-level permissions, approval gates for high-risk operations, and comprehensive logging to mitigate threats like prompt injection and scope creep.
#0556KKasperskyabout 2 months ago5 min▣LLM reporthigh Kaspersky's Q1 2026 threat report highlights significant law enforcement actions against major ransomware operators, alongside the emergence of new ransomware groups like The Gentlemen. The quarter also saw active zero-day exploitation of Cisco Secure FMC (CVE-2026-20131) by the Interlock group, a rise in macOS-targeted crypto stealers and supply chain attacks via the Axios npm package, and persistent IoT botnet activity dominated by Mirai variants.
#0555KKasperskyabout 2 months ago5 min▣LLM reporthigh In Q1 2026, mobile banking Trojans saw a significant surge, with Mamont variants driving a 50% increase in malicious installation packages. Additionally, a sophisticated new variant of the SparkCat crypto stealer was identified in official app stores, employing custom virtual machines and OCR techniques to compromise both Android and iOS users.
#0554about 2 months ago6 min▤RecapMay 11 – May 18
Developer Supply Chains Under Siege as Edge Device Exploits Surge
The dominant narrative this week is the coordinated weaponization of the software supply chain, as threat actors like TeamPCP and Mini Shai-Hulud aggressively target developer tools to steal cloud credentials. Because these attackers compromise trusted build systems like GitHub Actions, a single malicious package—such as the compromised TanStack libraries—can cascade into massive downstream breaches, allowing criminals to hold development environments hostage and even deploy destructive dead-man switches if their access is cut off.
In parallel, attackers are bypassing traditional network defenses by exploiting internet-facing edge devices and logging in with stolen credentials. Threat clusters are actively exploiting critical flaws in Cisco Catalyst SD-WAN and Microsoft Exchange, while ransomware groups like The Gentlemen and state-sponsored actors like Secret Blizzard use these footholds to live off the land, hijacking legitimate IT tools to stay hidden for months.
These trends together suggest that perimeter-focused defenses and basic patching are no longer sufficient. Organizations must immediately isolate their CI/CD pipelines from cloud credentials, enforce phishing-resistant multi-factor authentication on all internet-facing systems, and assume that trusted vendor tools may already be compromised.
#0553
CISAabout 2 months ago3 min▣LLM reporthigh CISA has added CVE-2026-42897, a Cross-Site Scripting (XSS) vulnerability in Microsoft Exchange Server, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Organizations are strongly urged to prioritize remediation of this flaw to reduce exposure to cyberattacks.
#0552
Mandiantabout 2 months ago6 min▣LLM reporthigh UNC6671, operating under the BlackFile brand, conducts sophisticated vishing and Adversary-in-the-Middle (AiTM) attacks to bypass MFA and compromise SSO platforms like Microsoft 365 and Okta. Once inside, the group uses automated Python and PowerShell scripts to rapidly exfiltrate sensitive data via APIs, often masking their activity as routine file access events, before launching aggressive extortion campaigns.
#0551
Recorded Futureabout 2 months ago5 min▣LLM reportcritical In April 2026, 37 high-impact vulnerabilities were actively exploited, heavily impacting enterprise systems and edge infrastructure. Notable exploitation includes the delivery of the Nexcorium botnet via CVE-2024-3721 in TBK DVR devices and complete service takeovers of Nginx UI instances via CVE-2026-33032, a missing authentication flaw.
#0550
Canadian Centre for Cyber Securityabout 2 months ago4 min▣LLM reportcritical The Canadian Centre for Cyber Security issued advisories warning of active exploitation of two critical vulnerabilities. CVE-2026-20182 affects Cisco Catalyst SD-WAN devices, allowing unauthenticated remote attackers to bypass authentication and gain root privileges, while CVE-2026-42897 is a spoofing vulnerability affecting on-premises Microsoft Exchange Servers.
#0549
Akamaiabout 2 months ago6 min▣LLM reportcritical The TeamPCP threat actor deployed the Mini Shai-Hulud worm in a sophisticated supply chain attack targeting the npm ecosystem via a GitHub Actions CI cache-poisoning technique. The malware steals credentials, establishes persistence via developer tools like VS Code and Claude Code, and features a destructive dead man switch that wipes the victim's home directory if access tokens are revoked.
#0548
Palo Alto Networksabout 2 months ago5 min▣LLM reporthigh Gremlin stealer has evolved from a basic credential harvester into a sophisticated, modular infostealer capable of active financial fraud and live session hijacking. Recent variants employ advanced anti-analysis techniques, including Themida packing, .NET resource section payload hiding with XOR encryption, and extensive code obfuscation, significantly complicating static detection efforts.
#0547
CrowdStrikeabout 2 months ago5 min▣LLM reporthigh The CrowdStrike 2026 Financial Services Threat Landscape Report highlights a 43% global increase in hands-on-keyboard intrusions against the financial sector. The threat landscape is dominated by eCrime ransomware operations, DPRK-nexus cryptocurrency theft via supply chain compromises, and China-nexus intelligence collection leveraging Operational Relay Box (ORB) networks and DLL search-order hijacking.
#0546
Recorded Futureabout 2 months ago3 min▣LLM reportinfo NIST has significantly reduced its enrichment of CVEs in the National Vulnerability Database (NVD), limiting full analysis to a small subset of critical vulnerabilities. This policy change exposes organizations relying solely on NVD CVSS scores to significant blind spots, necessitating a shift toward threat intelligence-driven prioritization based on real-world weaponization and active exploitation.
#0545
Huntressabout 2 months ago3 min▣LLM reportlow The Department of Defense has finalized the Cybersecurity Maturity Model Certification (CMMC) rule, effective November 10, 2025, shifting from self-attestation to mandatory third-party verification for contractors handling sensitive data. Organizations must proactively prepare their technology, processes, and documentation to meet NIST SP 800-171 requirements and avoid anticipated assessment bottlenecks.
#0544
Huntressabout 2 months ago3 min▣LLM reportlow This article provides an overview of 13 major cybersecurity frameworks, including NIST CSF, CIS Controls, and ISO 27001, detailing their core functions and target audiences. It offers guidance on selecting and implementing the appropriate framework based on regulatory requirements, business goals, and organizational maturity.
#0543
CISAabout 2 months ago4 min▣LLM reportcritical CISA has added CVE-2026-20182, an authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controllers, to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation. Federal agencies and private organizations are strongly urged to apply mitigations outlined in Emergency Directive 26-03 or discontinue use of the product if mitigations are unavailable.