#0660
Check Pointabout 1 month ago5 min▣LLM reporthigh This threat intelligence bulletin highlights a surge in data breaches driven by social engineering, alongside the increasing weaponization of AI tools for phishing, malware development, and supply chain attacks. Active exploitation of vulnerabilities in PAN-OS GlobalProtect and Ghost CMS has been observed, while a critical unpatched RCE in Gogs remains a significant risk. Additionally, targeted campaigns like Grandoreiro and JINX-0164 continue to threaten the financial and cryptocurrency sectors using platform-specific malware and DLL side-loading.
#0659
Sekoia.ioabout 1 month ago7 min▣LLM reporthigh Gamaredon (FSB) is conducting an ongoing cyberespionage campaign against Ukrainian targets using a modular, fileless infection chain. The attack leverages HTML smuggling and archive path traversal (CVE-2025-8088) for initial access, followed by the deployment of GammaWorm, which utilizes NTFS Alternate Data Streams (ADS) and Dead Drop Resolvers (DDRs) on legitimate platforms for persistence, propagation, and C2 communication.
#0658KKasperskyabout 1 month ago5 min▣LLM reporthigh This report details primary attack vectors against containerized environments, focusing on container escapes, orchestration API abuse, and supply chain compromises. Threat actors exploit misconfigurations such as excessive Linux capabilities and exposed Docker sockets to break out of containers, while also targeting CI/CD pipelines and public image repositories to establish initial footholds.
#0657about 1 month ago8 min▤RecapMay 25 – Jun 1
Session Hijacking and Developer Tool Poisoning Collapse Authentication Trust
This week, attackers proved that multi-factor authentication is no longer a reliable gatekeeper. Campaigns like Tycoon 2FA and Chinese-language PhaaS platforms intercept one-time passwords in real time and steal session tokens to maintain persistent access, while infostealers like EKZ Infostealer harvest browser cookies to bypass authentication entirely. Even when victims reset passwords and revoke sessions, attackers retain access through hidden device registrations — meaning standard incident response playbooks are now incomplete.
Developers remain the preferred entry point for supply chain compromise. The Glassworm botnet was disrupted after hiding malware in VSCode extensions and npm packages, while the Megalodon campaign poisoned GitHub Actions workflows across 5,500 repositories. A malicious Sicoob.Sdk NuGet package stole banking certificates from Brazilian developers, and North Korea's Lazarus group compromised the widely used axios npm library — a single attack touching millions of downstream applications.
Organizations must move beyond password-and-MFA reliance: adopt hardware security keys, shorten session lifetimes, delete attacker-registered devices before resetting credentials, and audit developer toolchains and CI/CD pipelines for tampering.
#0656about 1 month ago14 min▤RecapMay 2026
Developer Supply Chains Under Siege as Session Hijacking Bypasses MFA
Attackers realized that instead of stealing one user's password, they can steal a developer's credentials and compromise the software everyone uses. This month, the TeamPCP group weaponized the open-source ecosystem by releasing the Mini Shai-Hulud worm, which automatically spreads across npm, PyPI, and Packagist to harvest CI/CD secrets. This culminated in a breach of GitHub's internal repositories via a malicious VS Code extension, proving that developer workstations are now the most valuable targets in the enterprise.
While developers were being targeted at the source, traditional corporate users faced a collapse in authentication trust. Phishing campaigns like Tycoon 2FA and BlackFile shifted from simply stealing passwords to stealing active session tokens and registering persistent rogue devices. Because these techniques bypass multi-factor authentication entirely, a successful phish grants immediate and lasting access, rendering traditional MFA insufficient without additional session monitoring.
Organizations must treat developer environments as high-value assets—restricting extension installations and securing CI/CD pipelines—and transition to phishing-resistant authentication (like FIDO2 keys) while implementing continuous session validation to detect hijacked accounts.
#0655
Canadian Centre for Cyber Securityabout 1 month ago3 min▣LLM reporthigh The Canadian Centre for Cyber Security issued a daily digest highlighting recent security updates from Microsoft and Oracle. The advisories cover vulnerabilities in Microsoft Edge and critical flaws across several Oracle enterprise products, urging administrators to apply the latest patches to prevent potential exploitation.
#0654
ESETabout 1 month ago5 min▣LLM reporthigh ESET's Q4 2025–Q1 2026 APT Activity Report highlights global espionage and destructive campaigns by state-aligned actors. Notable incidents include a major supply chain compromise of the 'axios' npm library by Lazarus, destructive wiper attacks on Polish critical infrastructure by Sandworm, and the deployment of new edge-device implants like PhiliKit against Ivanti VPNs by China-aligned groups.
#0653
Socketabout 1 month ago6 min▣LLM reportcritical A malicious NuGet package named Sicoob.Sdk impersonated the official C# SDK for the Brazilian financial cooperative Sicoob. The package was designed to silently exfiltrate sensitive banking authentication material, including PFX certificates and passwords, as well as raw transaction data, to a third-party Sentry telemetry endpoint, posing a severe risk of API impersonation and financial data exposure.
#0652
Cisco Talosabout 1 month ago4 min▣LLM reportinfo This week's Threat Source newsletter highlights the importance of combining EPSS and CVSS for risk-based vulnerability prioritization. It also introduces EvidenceForge, a new open-source tool by Cisco Talos for generating synthetic security logs, and summarizes recent security news including the 'Megalodon' GitHub supply chain attack and 'Underminr' domain-fronting techniques.
#0651
CISAabout 1 month ago4 min▣LLM reportcritical A critical vulnerability (CVE-2026-7786, CVSS 9.8) affects the Jinan USR IOT Technology Limited (PUSR) USR-W610 RS232/485 to Wi-Fi/Ethernet Converter. The device firmware version 7.03T.07 contains hard-coded plaintext administrative credentials, allowing unauthenticated remote attackers to extract the credentials and gain full administrator access to the device. The vendor has not responded to coordination attempts, necessitating immediate network isolation of affected devices.
#0650
CISAabout 1 month ago4 min▣LLM reportmedium Schneider Electric EcoStruxure Machine Expert HVAC versions prior to 1.10.0 are affected by a cleartext storage vulnerability (CVE-2026-6332, CVSS 5.5). This flaw allows an authorized local attacker accessing the software to view sensitive information, leading to the potential disclosure of protected source code and a loss of confidentiality. Updating to version 1.10.0 resolves the issue.
#0649
CISAabout 1 month ago4 min▣LLM reporthigh ABB EIBPORT building management systems running firmware prior to version 3.9.2 contain a high-severity Cross-Site Scripting (XSS) vulnerability (CVE-2021-22291). Successful exploitation allows attackers to steal session IDs, leading to unauthenticated device access, sensitive information disclosure, and unauthorized configuration changes.
#0648
WithSecureabout 1 month ago5 min▣LLM reporthigh WithSecure identified GREYVIBE, a Russia-nexus threat group targeting Ukrainian entities using spear-phishing, ClickFix, and fraudulent websites. The group systematically leverages Generative AI to develop custom malware (PhantomRelay, LegionRelay, FallSpy) and obfuscators, blending state-aligned intelligence gathering with cybercrime ecosystem overlaps.
#0647
Microsoftabout 1 month ago6 min▣LLM reportcritical The Gentlemen ransomware, operated by Storm-2697, is a Go-based encryptor that combines robust Curve25519/XChaCha20 encryption with aggressive lateral movement capabilities. It utilizes multiple redundant propagation methods (PsExec, WMI, scheduled tasks, services) to maximize network compromise while employing extensive defense evasion techniques to hinder detection and recovery.
#0646
Canadian Centre for Cyber Securityabout 1 month ago3 min▣LLM reportcritical The Canadian Centre for Cyber Security released a daily digest highlighting critical security updates for Drupal, Veeam, Zimbra, and Notepad++. Notably, a highly critical arbitrary PHP code execution vulnerability (SA-CONTRIB-2026-038) was patched in the Drupal AlternativeCommerce module, requiring immediate attention from administrators.
#0645
Cisco Talosabout 1 month ago4 min▣LLM reporthigh Security research highlights a heap overflow vulnerability within DICOM parsing, specifically targeting Orthanc servers during image uploads. By exploiting the complex DICOM file format, attackers can trigger an out-of-bounds write, posing a significant risk to hospital PACS systems that automatically ingest and decode these files.
#0644
Palo Alto Networksabout 1 month ago5 min▣LLM reporthigh The 2026 FIFA World Cup presents a massive, multi-jurisdictional attack surface threatened by state-nexus disruptive operations and financially motivated cybercrime. Key risks include Iran-aligned actors targeting municipal OT infrastructure, pro-Russian hacktivists launching high-volume DDoS attacks against tournament services, and cybercriminals deploying ransomware against the hospitality supply chain.
#0643KKasperskyabout 1 month ago6 min▣LLM reporthigh A cybercrime campaign is targeting users of pirated media sites with a fake video player update that deploys a modified SilentCryptoMiner and a Remote Access Trojan (RAT). The malware utilizes DLL side-loading, DNS tunneling for initial check-ins, and a DGA for C2 communications, while employing a Watchdog component to ensure persistence via a rogue Google Update service.
#0642
Canadian Centre for Cyber Securityabout 1 month ago3 min▣LLM reporthigh The Canadian Centre for Cyber Security published a daily digest of 8 security advisories on May 27, 2026. The digest highlights critical updates across multiple enterprise platforms, notably including an out-of-band patch from Microsoft for a SharePoint Remote Code Execution vulnerability (CVE-2026-45659) and a mandatory signing key rotation for GitHub Enterprise Server.
#0641
Arctic Wolfabout 1 month ago6 min▣LLM reportcritical Threat actors exploited CVE-2026-35616, an improper access control vulnerability in FortiClient EMS, to deploy a novel credential stealer named EKZ Infostealer to managed endpoints. The attackers abused legitimate VPN scripting workflows to execute malicious PowerShell commands that downloaded the stealer, which subsequently harvested browser credentials and exfiltrated them to a threat-actor-controlled server.