#0547
Recorded Futureabout 2 months ago3 min▣LLM reportinfo NIST has significantly reduced its enrichment of CVEs in the National Vulnerability Database (NVD), limiting full analysis to a small subset of critical vulnerabilities. This policy change exposes organizations relying solely on NVD CVSS scores to significant blind spots, necessitating a shift toward threat intelligence-driven prioritization based on real-world weaponization and active exploitation.
#0546
Huntressabout 2 months ago3 min▣LLM reportlow The Department of Defense has finalized the Cybersecurity Maturity Model Certification (CMMC) rule, effective November 10, 2025, shifting from self-attestation to mandatory third-party verification for contractors handling sensitive data. Organizations must proactively prepare their technology, processes, and documentation to meet NIST SP 800-171 requirements and avoid anticipated assessment bottlenecks.
#0545
Huntressabout 2 months ago3 min▣LLM reportlow This article provides an overview of 13 major cybersecurity frameworks, including NIST CSF, CIS Controls, and ISO 27001, detailing their core functions and target audiences. It offers guidance on selecting and implementing the appropriate framework based on regulatory requirements, business goals, and organizational maturity.
#0544
CISAabout 2 months ago4 min▣LLM reportcritical CISA has added CVE-2026-20182, an authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controllers, to its Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation. Federal agencies and private organizations are strongly urged to apply mitigations outlined in Emergency Directive 26-03 or discontinue use of the product if mitigations are unavailable.
#0543
Cisco Talosabout 2 months ago5 min▣LLM reportmedium The Talos Threat Source newsletter highlights an impending surge in software patching driven by AI vulnerability discovery tools. It also contrasts state-sponsored espionage tactics—which leverage valid credentials and native tools to bypass traditional defenses—with commodity ransomware, while summarizing recent supply chain compromises across developer platforms like Hugging Face and Jenkins.
#0542
Socketabout 2 months ago4 min▣LLM reporthigh TeamPCP has partnered with BreachForums to launch a supply chain attack contest, incentivizing threat actors to compromise open-source packages using the open-sourced Shai-Hulud worm. The campaign targets CI/CD pipelines and developer environments to harvest credentials, posing a significant risk of downstream enterprise compromises.
#0541
Cisco Talosabout 2 months ago7 min▣LLM reportcritical Cisco Talos is tracking active exploitation of multiple vulnerabilities in Cisco Catalyst SD-WAN Controller and Manager. Threat actor UAT-8616 is exploiting CVE-2026-20182 for authentication bypass, while other clusters are chaining CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 to deploy JSP webshells and post-exploitation frameworks like Sliver and AdaptixC2.
#0540
Microsoftabout 2 months ago6 min▣LLM reportcritical Kazuar is a sophisticated, modular P2P botnet attributed to the Russian state-sponsored actor Secret Blizzard. It utilizes a tripartite architecture (Kernel, Bridge, Worker) and a leader election mechanism to minimize external C2 traffic, relying on Mailslots, Window Messaging, and Named Pipes for internal communication and HTTP, WSS, or EWS for external C2.
#0539
Canadian Centre for Cyber Securityabout 2 months ago3 min▣LLM reporthigh The Canadian Centre for Cyber Security issued a daily digest highlighting critical security updates for GitLab, MongoDB, and VMware Fusion. Notably, MongoDB addressed an undefined behavior vulnerability (CVE-2026-8053) in timeseries collections, and Broadcom patched a privilege escalation flaw (CVE-2026-41702) in VMware Fusion.
#0538
SentinelOneabout 2 months ago7 min▣LLM reporthigh SentinelLABS discovered PCPJack, a cloud-focused worm designed to harvest credentials at scale while actively evicting artifacts of a rival threat actor, TeamPCP. The framework targets exposed cloud services like Docker, Kubernetes, and Redis for propagation and lateral movement, notably omitting cryptomining payloads in favor of credential theft and Sliver C2 deployment.
#0537
Sophosabout 2 months ago7 min▣LLM reporthigh Sophos MDR investigated a macOS infostealer infection attributed to an AMOS (Atomic macOS) variant. The attack leverages ClickFix social engineering to trick users into running a malicious Terminal command, which initiates a multi-stage infection chain. The malware captures the user's system password via a spoofed prompt, evades analysis by checking for virtualized environments, and exfiltrates sensitive data like Keychain and browser credentials before establishing persistence via a LaunchDaemon.
#0536
Socketabout 2 months ago4 min▣LLM reporthigh A vulnerability in Composer causes it to inadvertently log GitHub Actions tokens and GitHub App installation tokens to stderr when token validation fails. This was triggered by a recent GitHub token format change, exposing credentials in CI/CD logs and requiring immediate updates to Composer versions 2.9.8, 2.2.28 LTS, or 1.10.28.
#0535
Infobloxabout 2 months ago6 min▣LLM reporthigh Infoblox Threat Intel uncovered a thriving underground economy on Telegram dedicated to unlocking stolen iPhones. Threat actors utilize specialized Windows binaries to extract device information and deploy targeted smishing campaigns via Apple lookalike domains to steal iCloud credentials, allowing them to bypass Activation Lock, wipe the device, and resell the hardware.
#0534
ANY.RUNabout 2 months ago6 min▣LLM reporthigh An 18-month Agent Tesla campaign is targeting LATAM enterprises, particularly in Chile, using procurement-themed phishing lures. The attack chain employs a multi-stage loader protected by .NET Reactor 6.x, utilizing process hollowing into aspnet_compiler.exe to execute the credential-stealing payload entirely in memory. Stolen data is exfiltrated via cleartext FTP to compromised legitimate infrastructure.
#0533KKasperskyabout 2 months ago9 min▣LLM reporthigh Kimsuky (APT43) has updated its arsenal with new PebbleDash and AppleSeed malware variants, including the Rust-based HelloDoor and httpMalice backdoors. The group is increasingly utilizing legitimate services like VSCode Remote Tunnels, Cloudflare Quick Tunnels, and DWAgent for covert C2 and post-exploitation access, primarily targeting South Korean entities and global defense sectors.
#0532
ESETabout 2 months ago8 min▣LLM reporthigh FrostyNeighbor, a Belarus-aligned threat actor, has updated its toolset to target Ukrainian governmental organizations with a multi-stage compromise chain. The attack utilizes spearphishing with malicious PDFs that redirect to a RAR archive containing a JavaScript dropper, which ultimately deploys a Cobalt Strike beacon via the PicassoLoader malware following strict server-side and manual victim validation.
#0531
Check Pointabout 2 months ago7 min▣LLM reportcritical A recent leak of internal communications and backend data from 'The Gentlemen' RaaS operation has revealed the group's highly structured operational model and mature toolset. The threat actors actively exploit edge appliances and NTLM relay vulnerabilities for initial access, followed by extensive use of red-team tools and custom EDR evasion techniques to deploy their cross-platform ransomware.
#0530
Sophosabout 2 months ago5 min▣LLM reportcritical Microsoft's May 2026 Patch Tuesday release addresses 132 CVEs, including 29 Critical vulnerabilities and 14 with a CVSS score of 9.0 or higher. Key threats include a critical authentication bypass in the Microsoft SSO Plugin for Jira & Confluence, unauthorized RCEs in Windows Netlogon and DNS Client, and multiple Office RCEs exploitable via the Preview Pane.
#0529PProjectzeroabout 2 months ago4 min▣LLM reportcritical Project Zero researchers developed a 0-click exploit chain for the Google Pixel 10 by chaining a known Dolby vulnerability (CVE-2025-54957) with a newly discovered, trivial local privilege escalation flaw in the device's VPU driver. The VPU vulnerability allowed unbounded physical memory mapping via the mmap syscall, granting arbitrary read/write access to the kernel image and enabling full device compromise.
#0528
Socketabout 2 months ago6 min▣LLM reportmedium The GemStuffer campaign leverages the RubyGems package registry as an unconventional data exfiltration channel. Threat actors deploy Ruby scripts that scrape UK local government portals, package the harvested data into valid .gem archives, and push them to RubyGems using hardcoded API keys. The malware demonstrates defense evasion by overriding the HOME environment variable to a /tmp directory to isolate its credential environment, or by bypassing the gem CLI entirely to perform direct API POST requests.