#0196
CISAabout 2 months ago3 min▣LLM reporthigh CISA has added CVE-2026-3055, an actively exploited out-of-bounds read vulnerability affecting Citrix NetScaler, to its Known Exploited Vulnerabilities (KEV) Catalog. The agency mandates federal remediation under BOD 22-01 and strongly urges all organizations to prioritize patching to reduce exposure to cyberattacks.
#0195WWatchtowrabout 2 months ago5 min▣LLM reportcritical A second memory overread vulnerability has been identified in Citrix NetScaler appliances under CVE-2026-3055, affecting the '/wsfed/passive?wctx' endpoint. By sending a specially crafted GET request with an empty 'wctx' parameter, attackers can force the appliance to leak sensitive memory, including administrative session IDs, via the 'NSC_TASS' cookie. Active in-the-wild exploitation has been observed since late March.
#0194
Socketabout 2 months ago4 min▣LLM reportcritical Threat actor TeamPCP has formed an alliance with the Vect Ransomware-as-a-Service (RaaS) group to weaponize recent open-source supply chain compromises. By leveraging approximately 300 GB of stolen credentials and tokens harvested from CI/CD pipelines and security tools like Trivy and LiteLLM, the groups intend to facilitate large-scale ransomware deployments across affected enterprise environments.
#0193
Elastic Security Labsabout 2 months ago5 min▣LLM reporthigh Elastic Security Labs identified a cyberattack targeting a South Asian financial institution using two custom malware strains: BRUSHWORM and BRUSHLOGGER. BRUSHWORM functions as a backdoor and USB worm capable of extensive file theft and air-gap bridging, while BRUSHLOGGER captures system-wide keystrokes via DLL side-loading.
#0192
Canadian Centre for Cyber Securityabout 2 months ago3 min▣LLM reporthigh The Canadian Centre for Cyber Security released a daily digest highlighting recent security advisories from WatchGuard, Siemens, FreeBSD, and Ericsson. The advisories cover critical vulnerabilities including remote code execution, denial of service, and insecure deserialization across various operating systems, network appliances, and control system products.
#0191
Palo Alto Networksabout 2 months ago7 min▣LLM reportcritical Unit 42 identified a coordinated cyberespionage campaign targeting a Southeast Asian government entity, involving three distinct China-aligned threat clusters. The attackers utilized a variety of tools including USB worms, custom loaders, and multiple remote access Trojans (PUBLOAD, Masol, Gorem, FluffyGh0st) to establish persistent access, evade detection via DLL sideloading, and exfiltrate sensitive data.
#0190
CISAabout 2 months ago3 min▣LLM reportcritical CISA has added CVE-2025-53521, a Remote Code Execution vulnerability affecting F5 BIG-IP, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. All organizations are strongly urged to prioritize timely remediation to reduce exposure to cyberattacks.
#0189
Trend Microabout 2 months ago8 min▣LLM reportcritical A sophisticated supply chain attack by the threat actor TeamPCP compromised the popular AI proxy package LiteLLM via a previously hijacked Trivy GitHub Action. The malicious package deployed a multi-stage payload utilizing a Python .pth file to harvest extensive cloud, Kubernetes, and AI credentials, encrypt them, and exfiltrate them to attacker-controlled infrastructure while establishing a persistent remote code execution backdoor.
#0188
Cofenseabout 2 months ago4 min▣LLM reportmedium A recent phishing campaign targets Xiaomi users by impersonating corporate HR communications regarding a new certification. The emails contain masked hyperlinks that redirect victims to a convincing replica of the Xiaomi login portal designed to harvest account credentials.
#0187
Socketabout 2 months ago4 min▣LLM reporthigh A widespread phishing campaign is exploiting GitHub Discussions to distribute fake Visual Studio Code security alerts to developers. The campaign uses fabricated CVEs and mass-tagging to trick Windows users into clicking malicious share.google links, which redirect to a JavaScript fingerprinting and Traffic Distribution System (TDS) hosted on an attacker-controlled domain.
#0186
Trend Microabout 2 months ago6 min▣LLM reportcritical The Russia-aligned APT group Pawn Storm has launched a sophisticated campaign deploying the PRISMEX malware suite against Ukrainian and NATO defense supply chains. The attack chain leverages two critical vulnerabilities, CVE-2026-21509 and CVE-2026-21513, to achieve zero-click execution, utilizing advanced steganography and COM hijacking to evade detection while communicating via legitimate cloud services.
#0185
Infobloxabout 2 months ago6 min▣LLM reporthigh Cybercriminals are increasingly abusing the Keitaro adtech platform to optimize the distribution of malware, phishing, and scams. By leveraging Keitaro's built-in tracking, cloaking, and traffic distribution capabilities, actors can efficiently target victims, evade detection, and scale operations across multiple threat types including wallet drainers and infostealers.
#0184
Cisco Talosabout 2 months ago4 min▣LLM reporthigh The Talos 2025 Year in Review highlights a significant shift towards attackers targeting identity infrastructure and network components to bypass MFA and gain privileged access. Key threats include widespread exploitation of React2Shell, supply chain attacks targeting CI/CD pipelines, and the dominance of Qilin ransomware.
#0183
Elastic Security Labsabout 2 months ago6 min▣LLM reportcritical VoidLink is a cloud-native Linux malware framework that employs a hybrid Loadable Kernel Module (LKM) and eBPF architecture to achieve deep system concealment. It features advanced evasion techniques such as delayed initialization, an ICMP covert command channel, and eBPF-driven manipulation of Netlink sockets to hide network connections from diagnostic tools. Analysis indicates the framework was developed iteratively using AI-assisted workflows, highlighting a growing trend of LLM-facilitated malware creation.
#0182
Canadian Centre for Cyber Securityabout 2 months ago3 min▣LLM reportcritical The Canadian Centre for Cyber Security issued advisories regarding a critical RCE vulnerability in PTC Windchill and FlexPLM, and an actively exploited critical vulnerability (CVE-2026-33634) that temporarily compromised the Aqua Security Trivy ecosystem supply chain.
#0181
CISAabout 2 months ago2 min▣LLM reporthigh CISA has added CVE-2026-33634, an embedded malicious code vulnerability in Aqua Security Trivy, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Organizations are strongly urged to prioritize timely remediation to reduce their exposure to cyberattacks.
#0180
ANY.RUNabout 2 months ago6 min▣LLM reporthigh A sophisticated, long-running Magecart campaign has been compromising e-commerce websites to steal payment card data, with a notable focus on the Spanish payment ecosystem. The attackers utilize multi-stage JavaScript payloads, mimic legitimate payment gateways like Redsys, and exfiltrate stolen data in real-time via WebSockets to evade traditional detection mechanisms.
#0179
Socketabout 2 months ago5 min▣LLM reportcritical A supply chain attack campaign utilizing five typosquatted npm packages targets Solana and Ethereum developers. The packages silently intercept private keys during routine cryptographic operations and exfiltrate them to a Telegram bot, leveraging transitive dependencies and obfuscation to evade detection.
#0178
NCSCabout 2 months ago4 min▣LLM reporthigh The NCSC has issued an alert regarding two vulnerabilities in customer-managed Citrix NetScaler ADC and Gateway appliances. CVE-2026-3055 allows for a memory overread in SAML IDP configurations, while CVE-2026-4368 causes user session mixups via a race condition in Gateway or AAA virtual server configurations. Immediate patching is strongly recommended.
#0177
Varonisabout 2 months ago4 min▣LLM reporthigh Varonis Threat Labs identified a Local File Inclusion (LFI) vulnerability (CVE-2026-4270) in the AWS Remote MCP Server that allows authenticated users to read arbitrary files. By exploiting the AWS CLI shorthand file-loading syntax via the aws___call_aws tool, attackers can bypass access restrictions and extract sensitive file contents through error messages.