#0714
CISA28 days ago4 min▣LLM reporthigh CISA has added three actively exploited vulnerabilities (CVE-2026-7473, CVE-2026-11645, CVE-2026-20245) affecting Arista EOS, Google Chromium V8, and Cisco Catalyst SD-WAN Manager to its Known Exploited Vulnerabilities (KEV) Catalog. Organizations are strongly urged to prioritize patching these systems to reduce their exposure to ongoing cyberattacks.
#0713
Varonis28 days ago5 min▣LLM reporthigh Varonis Threat Labs demonstrated that enterprise AI agents, specifically an OpenClaw deployment, are vulnerable to traditional phishing and social engineering techniques. In simulated attacks, the agent successfully identified technical phishing indicators like malicious OAuth flows but failed to recognize social context, resulting in the exfiltration of AWS credentials and sensitive CRM data to an external attacker.
#0712RReversinglabs28 days ago5 min▣LLM reporthigh Threat actors are leveraging short-form video platforms like TikTok and Instagram Reels to conduct social engineering campaigns. By posting fake tutorials for premium software and manipulating engagement algorithms, attackers trick users into executing malicious PowerShell commands that deploy Vidarstealer or direct them to fraudulent survey websites.
#0711
Infoblox28 days ago5 min▣LLM reportmedium Infoblox Threat Intel observed a massive surge in residential proxy usage within enterprise environments, with over 65% of customers querying proxy-related domains. These proxies, often installed non-consensually via free apps and IoT devices, allow threat actors to launder traffic, bypass IP reputation controls, and potentially probe internal networks.
#0710
Arctic Wolf28 days ago6 min▣LLM reporthigh Threat actors are proactively targeting the 2026 FIFA World Cup ecosystem, employing mobile-first malware, QR-code phishing against event organizers, and real-time AiTM phishing kits to bypass MFA. The campaigns leverage AI-generated infrastructure and urgency-based lures to distribute Android cryptominers, Windows infostealers, and compromise corporate Google Workspace accounts.
#0709
Akamai28 days ago4 min▣LLM reportmedium The transition to Post-Quantum Cryptography (PQC) introduces significantly larger cryptographic signatures, such as ML-DSA, which will force DNS responses to exceed standard UDP packet limits. This architectural shift will cause frequent fallbacks to TCP, introducing latency spikes and silent timeouts that pose a severe operational risk to automated, high-volume systems like agentic AI workflows. Furthermore, adversaries are already conducting 'Harvest now, decrypt later' attacks, underscoring the immediate need for organizations to map and secure their DNS and DNSSEC configurations across distributed cloud environments.
#0708
Socket28 days ago7 min▣LLM reporthigh A fast-moving supply chain campaign dubbed Mini Shai-Hulud/Miasma is targeting Python developers via malicious PyPI wheels. The threat actors are utilizing novel execution techniques, including trojanized native extensions and split-loader .pth hooks that search sys.path for payloads, to deploy the Hades stealer and harvest credentials from CI/CD pipelines and developer workstations.
#0707
Canadian Centre for Cyber Security28 days ago4 min▣LLM reportcritical The Canadian Centre for Cyber Security issued advisories for actively exploited vulnerabilities in Check Point VPN/Firewall products (CVE-2026-50751, an authentication bypass) and Google Chrome (CVE-2026-11645). Both vulnerabilities have known exploits in the wild, with the Check Point flaw added to the CISA KEV database, necessitating immediate patching.
#0706
CISA28 days ago3 min▣LLM reporthigh CISA has added CVE-2026-42271 (BerriAI LiteLLM Command Injection) and CVE-2026-50751 (Check Point Security Gateway Improper Authentication) to the Known Exploited Vulnerabilities (KEV) catalog due to active exploitation. Organizations are strongly urged to prioritize remediation of these vulnerabilities to reduce exposure to cyberattacks.
#0705
Trend Micro29 days ago7 min▣LLM reportcritical Multiple Russia-aligned threat actors, including SHADOW-EARTH-066 and Earth Dahu, are actively exploiting a patched WinRAR path traversal vulnerability (CVE-2025-8088) to target Ukrainian organizations. The attackers use crafted RAR archives with NTFS Alternate Data Streams to silently drop malicious payloads, such as the evolved GIFTEDCROOK infostealer or HTA-based espionage tools, into the Windows Startup folder and ProgramData directories.
#0704
Microsoft29 days ago7 min▣LLM reporthigh Threat actors are increasingly leveraging the hype around AI platforms like ChatGPT, Claude, and DeepSeek to conduct social engineering attacks. These campaigns utilize phishing, malvertising, and SEO poisoning to distribute infostealers such as Vidar or facilitate credential theft via adversary-in-the-middle (AiTM) infrastructure.
#0703
Morphisec29 days ago5 min▣LLM reportcritical The third wave of the Shai-Hulud supply chain worm, dubbed Miasma, targets the npm ecosystem by utilizing weaponized binding.gyp files to bypass lifecycle script monitoring. It establishes deep persistence within AI assistant and IDE configuration directories, evades detection through dormancy and EDR checks, and abuses valid Sigstore attestations to masquerade as legitimate packages.
#0702
Canadian Centre for Cyber Security29 days ago4 min▣LLM reportcritical The Canadian Centre for Cyber Security released a daily digest covering seven security advisories from major vendors. Notably, Check Point has observed active exploitation of a critical authentication bypass vulnerability (CVE-2026-50751) affecting its VPN and Firewall products, requiring immediate mitigation.
#0701
Cofense29 days ago6 min▣LLM reporthigh A recent phishing campaign impersonates Amazon security alerts to deliver a custom remote access trojan (RAT) dubbed HarborWatch Agent. The attack leverages the ClickFix technique, using a fake CAPTCHA page to socially engineer victims into manually executing a malicious PowerShell command via the Windows Run dialog. Once executed, the script downloads the RAT, which collects system information and communicates with a C2 infrastructure managed via a panel called Harbor Sentinel.
#0700
Check Point29 days ago5 min▣LLM reportcritical This threat intelligence report highlights active exploitation of critical vulnerabilities, including a Windows Netlogon RCE (CVE-2026-41089) and an Android Framework flaw. It also details significant data breaches affecting DentaQuest and the UN WFP, emerging AI-driven threats such as EDR evasion labs, a supply chain compromise of the Hola browser, and Iranian state-sponsored espionage operations utilizing Dutch hosting infrastructure.
#069929 days ago7 min▤RecapJun 1 – Jun 8
Trojanized Build Pipelines and Blind-Spot Appliances Redefine the Perimeter
Attackers are bypassing traditional network defenses by compromising the tools developers use to build software and the AI assistants they rely on to write code. Campaigns like Mini Shai-Hulud and Miasma - The Spreading Blight flooded package registries with malicious code that steals cloud credentials and CI/CD tokens, while researchers proved that public AI agent skill marketplaces are completely ineffective at catching malicious add-ons.
Nation-state actors and cybercriminals are simultaneously shifting their focus to blind spots in corporate networks and trusted platforms. The VerdantBamboo group exploited firewalls to bypass conditional access, while UNC3753 used IT impersonation to trick law firm employees into installing remote access tools, and Kali365 expanded its phishing infrastructure to steal multi-factor authentication tokens.
Defenders must shift their focus from perimeter email filtering to securing the software build pipeline and monitoring edge appliances for anomalous traffic. Hunt for unexpected connections to cloud storage APIs and review developer environments for compromised packages or AI skills.
#0698
Socket30 days ago7 min▣LLM reportcritical A coordinated supply chain attack compromised 19 PyPI packages, utilizing malicious .pth files to achieve execution at Python startup. The loader downloads the Bun runtime to execute an obfuscated JavaScript stealer targeting developer secrets, cloud credentials, and CI/CD tokens, exfiltrating data via GitHub repositories and Actions.
#0697
CISAabout 1 month ago3 min▣LLM reporthigh CISA has added CVE-2026-28318, an uncontrolled resource consumption vulnerability in SolarWinds Serv-U, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Organizations are strongly urged to prioritize timely remediation to reduce exposure to cyberattacks.
#0696
Mandiantabout 1 month ago7 min▣LLM reporthigh The financially motivated threat cluster UNC3753 is conducting a fast-paced data theft and extortion campaign against US legal and professional services. The group leverages vishing and IT helpdesk impersonation to trick targets into installing legitimate RMM and screen-sharing tools, enabling rapid data exfiltration from corporate repositories and VDI environments. Notably, the campaign also involves suspected physical intrusions where actors use USB media to steal data directly from endpoints.
#0695
Canadian Centre for Cyber Securityabout 1 month ago3 min▣LLM reporthigh The Canadian Centre for Cyber Security released an advisory highlighting an authenticated privilege escalation vulnerability (CVE-2026-20245) affecting Cisco Catalyst SD-WAN Manager. Administrators are advised to review Cisco's security advisories and apply the necessary updates to prevent unauthorized privilege elevation within the management infrastructure.