#0625
Canadian Centre for Cyber Securityabout 1 month ago3 min▣LLM reporthigh The Canadian Centre for Cyber Security released a daily advisory digest summarizing security updates from IBM, Roundcube, Dell, Ubuntu, CISA (ICS), Red Hat, and cPanel. Organizations are strongly encouraged to review the respective vendor advisories and apply available patches to mitigate potential vulnerabilities across enterprise, cloud, and industrial control systems.
#0624
Check Pointabout 1 month ago5 min▣LLM reporthigh This threat intelligence report highlights multiple high-profile breaches, including 7-Eleven and GitHub, alongside the active exploitation of vulnerabilities in Windows Defender, Trend Micro, and Drupal. It also details emerging threats such as the Kali365 phishing kit, AI-driven prompt injection attacks, the Nimbus Manticore IRGC-linked campaign deploying the MiniFast backdoor, and a supply chain attack on Laravel Lang packages.
#0623
Mandiantabout 1 month ago6 min▣LLM reportcritical A critical ViewState deserialization vulnerability (CVE-2026-5426) in the KnowledgeDeliver LMS allows unauthenticated remote code execution due to shared ASP.NET machine keys across deployments. Threat actors are actively exploiting this flaw to deploy the BLUEBEAM in-memory web shell and modify application JavaScript, ultimately distributing targeted Cobalt Strike BEACON payloads to end-users visiting the compromised sites.
#0622
Mandiantabout 1 month ago5 min▣LLM reporthigh Chinese-language Phishing-as-a-Service (PhaaS) platforms are evolving to utilize real-time interception and AI-driven automation to bypass MFA and tokenize stolen payment data into digital wallets. Threat actors leverage encrypted messaging protocols like RCS and iMessage for delivery, while platforms like YY Lai Yu provide highly localized, dynamic phishing infrastructure to target global consumers.
#0621VVolexityabout 1 month ago3 min▣LLM reportlow Volexity has released updates to its Golang reverse engineering tooling to address the growing trend of Go-based malware and obfuscation techniques like Garble. The release introduces GoStringExtractor, a plugin for IDA Pro and Ghidra that organizes unterminated Go string tables, and updates GoResolver to recover runtime type information (RTTI), significantly enhancing static analysis capabilities.
#0620VVolexityabout 1 month ago7 min▣LLM reporthigh The China-aligned threat actor UTA0388 is leveraging Large Language Models (LLMs) to conduct highly tailored, rapport-building spear-phishing campaigns targeting organizations in North America, Asia, and Europe. These campaigns deliver GOVERSHELL, a custom backdoor deployed via DLL search order hijacking, which has undergone rapid, non-iterative development across five variants to evade detection and establish persistent C2.
#0619VVolexityabout 1 month ago6 min▣LLM reporthigh Russian threat actor UTA0355 is conducting targeted phishing campaigns against foreign policy and government professionals by spoofing European security conferences. The attackers use rapport-building techniques and out-of-band messaging to trick victims into authorizing malicious Microsoft 365 OAuth applications and Device Code workflows, granting unauthorized access to their accounts.
#0618RReversinglabsabout 1 month ago6 min▣LLM reportcritical CVE-2026-31431, dubbed Copy Fail, is a critical local privilege escalation vulnerability in the Linux kernel affecting distributions released since 2017. By abusing the AF_ALG socket interface and the authencesn cryptographic template, an attacker can perform a controlled write into the in-memory page cache of setuid binaries, gaining root access without altering on-disk files.
#0617RReversinglabsabout 1 month ago5 min▣LLM reportcritical CVE-2026-31431, also known as Dirty Frag or Copy Fail, is a Linux kernel local privilege escalation vulnerability that allows attackers to write to read-only memory regions via page-cache abuse. Active exploitation was observed prior to the public embargo break, with threat actors deploying ELF binaries, Python scripts, and malicious PyPI packages to achieve root access, notably including adoption by the Multiverze trojan family.
#0616RReversinglabsabout 1 month ago5 min▣LLM reporthigh Threat actors are executing account takeover campaigns by distributing malware disguised as video games via compromised Discord accounts. Upon gaining initial access to a victim's Google account, attackers abuse the Family Link parental control feature by changing the victim's age to under 13 and assigning a malicious parent account. This allows the attackers to reset the password, bypass 2-Step Verification, lock the legitimate user out completely, and demand a ransom for account recovery.
#0615about 1 month ago7 min▤RecapMay 18 – May 25
Software Supply Chain and AI Exploitation Dominate Threat Landscape
The software supply chain has become the primary battlefield for attackers because compromising a single developer tool can cascade into thousands of enterprise networks. Campaigns like Mini Shai-Hulud and TrapDoor are stealing credentials and injecting backdoors across major code registries, while the Laravel Lang Compromise and the Coruna Exploit Kit show how malicious code can automatically execute to steal secrets or exploit end users. As a result, organizations must treat developer environments as high-value targets, because a single compromised package or malicious VS Code extension can lead to catastrophic breaches like the GitHub internal repository theft by TeamPCP.
In parallel, artificial intelligence is simultaneously accelerating attacks and creating dangerous new attack surfaces. Threat actors are using AI to automate influence campaigns like Patriot Bait and crack passwords, while also impersonating AI tools like Gemini CLI and Claude Code to deliver infostealers. Furthermore, attackers are directly targeting exposed AI infrastructure, such as Ollama AI endpoints, and manipulating AI coding assistants via hidden prompt injections in campaigns like TrapDoor, which means AI systems are both the weapon and the target.
These trends together suggest that traditional perimeter defenses are failing against supply chain and AI-driven threats. Managers should immediately enforce strict vetting of open-source packages, restrict developer access to unverified extensions, and ensure AI infrastructure is not exposed to the public internet.
#0614
Socketabout 1 month ago7 min▣LLM reportcritical The TrapDoor campaign is a sophisticated supply chain attack targeting crypto, DeFi, and AI developers across npm, PyPI, and Crates.io. The threat actor deployed over 34 malicious packages that utilize ecosystem-specific execution methods to steal credentials, wallets, and SSH keys, while uniquely leveraging AI configuration files like .cursorrules to trick AI assistants into executing exfiltration workflows.
#0613
CISAabout 1 month ago4 min▣LLM reportmedium ABB Terra AC Wallbox (JP) versions 1.8.33 and prior are affected by multiple buffer overflow vulnerabilities (CVE-2025-10504, CVE-2025-12142, CVE-2025-12143) with a CVSS score of 6.1. Successful exploitation requires a threat actor to hijack the Bluetooth connection, potentially allowing them to pollute memory, alter firmware behavior, and take remote control of the device.
#0612
CISAabout 1 month ago4 min▣LLM reportcritical ABB has disclosed multiple vulnerabilities in B&R Automation Studio versions prior to 6.5, stemming from an outdated third-party SQLite component. These flaws, which include heap-based buffer overflows and integer overflows, could potentially be exploited to achieve remote code execution, data exposure, or denial of service, though no active exploitation has been observed.
#0611
Check Pointabout 1 month ago5 min▣LLM reportcritical This threat intelligence report highlights a surge in ransomware activity, critical zero-day vulnerabilities in Windows, and the active exploitation of Cisco Catalyst SD-WAN controllers. Additionally, it details emerging AI-driven threats, including malicious Hugging Face repositories and the abuse of AI website generators for phishing, alongside an APT intrusion by FamousSparrow targeting the energy sector.
#0610
ANY.RUNabout 1 month ago7 min▣LLM reporthigh Modern social engineering attacks have evolved to closely mimic legitimate business workflows, utilizing techniques like ClickFix, OAuth device code abuse, and in-browser blob phishing. These tactics bypass traditional security controls and create "gray-zone" alerts that require deep behavioral analysis to determine the true scope of compromise, such as credential theft, token abuse, or RMM deployment.
#0609
Socketabout 1 month ago6 min▣LLM reportcritical A massive supply chain attack compromised over 700 historical versions of Laravel Lang packages, injecting an RCE backdoor via Composer's autoloader. The backdoor delivers a sophisticated, cross-platform PHP information stealer designed to harvest cloud credentials, CI/CD secrets, browser data, and local configuration files.
#0608
Zscaler ThreatLabzabout 2 months ago3 min▣LLM reportinfo The article discusses the rapid enterprise adoption of agentic AI and emphasizes the need for deliberate innovation and governance. It highlights ACSC guidelines advocating for the integration of AI services into a Modern Defensible Architecture using principles like least privilege, segmentation, comprehensive logging, and human-in-the-loop oversight to mitigate the risks of autonomous compromise.
#0607
Socketabout 2 months ago4 min▣LLM reportmedium The integration of AI coding tools has fundamentally altered the open-source ecosystem, driving an exponential increase in npm package creation and automating dependency selection. This shift transforms the software supply chain into an automated black box, bypassing traditional human review processes and elevating the risk of supply chain malware infections, thereby requiring automated behavioral analysis for mitigation.
#0606
Socketabout 2 months ago5 min▣LLM reporthigh A widespread supply chain attack compromised hundreds of GitHub repositories by injecting malicious postinstall scripts into package.json files and GitHub Actions workflows. The payload uses curl to download a remote Linux binary disguised as an SSH daemon, primarily targeting PHP projects that bundle JavaScript build tools to bypass standard Composer dependency reviews.