#0528
Socketabout 2 months ago6 min▣LLM reportmedium The GemStuffer campaign leverages the RubyGems package registry as an unconventional data exfiltration channel. Threat actors deploy Ruby scripts that scrape UK local government portals, package the harvested data into valid .gem archives, and push them to RubyGems using hardcoded API keys. The malware demonstrates defense evasion by overriding the HOME environment variable to a /tmp directory to isolate its credential environment, or by bypassing the gem CLI entirely to perform direct API POST requests.
#0527
Canadian Centre for Cyber Securityabout 2 months ago3 min▣LLM reportmedium The Canadian Centre for Cyber Security issued an advisory (AV26-457) highlighting multiple vulnerabilities in HPE Aruba Networking Operating Systems AOS-8 and AOS-10. Organizations utilizing affected ArubaOS versions are advised to review HPE's security bulletins (HPESBNW05048 and HPESBNW05049) and apply the recommended updates.
#0526
Trend Microabout 2 months ago8 min▣LLM reportcritical TeamPCP (SHADOW-WATER-058) executed a sophisticated supply chain campaign compromising developer toolchains across multiple ecosystems, including Docker Hub, PyPI, and GitHub Actions. The attacks leveraged CI/CD trust, such as unsanitized PR comments and stolen publisher tokens, to distribute credential-harvesting payloads via Python .pth files and the Bun runtime, targeting over 80 credential types and abusing live AWS APIs.
#0525
Socketabout 2 months ago3 min▣LLM reportlow A maintainer access dispute in the widely used fsnotify Go library sparked supply chain security concerns, though no malicious code was introduced. The incident underscores the risks of ambiguous open-source governance and the heightened downstream sensitivity to sudden maintainer changes following recent supply chain attacks like the xz-utils backdoor.
#0524
Microsoftabout 2 months ago6 min▣LLM reportcritical A sophisticated threat actor compromised a third-party IT services provider to abuse legitimate HPE Operations Agent infrastructure, enabling stealthy execution and discovery. The attackers established persistence and harvested credentials using malicious network provider and password filter DLLs on domain controllers, while utilizing web shells and ngrok tunnels to maintain long-term, undetected access.
#0523
Check Pointabout 2 months ago5 min▣LLM reporthigh In Q1 2026, the ransomware ecosystem experienced significant consolidation, with top groups like Qilin, Akira, The Gentlemen, and LockBit 5.0 dominating the landscape. Notably, The Gentlemen leveraged a massive stockpile of pre-exploited FortiGate devices (CVE-2024-55591) to rapidly scale operations, while LockBit 5.0 returned with multi-platform capabilities and a strategic shift away from US targets to evade law enforcement.
#0522
Socketabout 2 months ago7 min▣LLM reportcritical A sophisticated supply-chain worm dubbed 'Mini Shai-Hulud' has compromised numerous high-profile npm and PyPI packages, including TanStack and Mistral AI. The heavily obfuscated payload targets CI/CD environments to systematically harvest credentials from GitHub, AWS, Vault, and Kubernetes. It autonomously propagates by minting npm publish tokens and committing malicious code to repositories, while exfiltrating stolen secrets via the Session P2P network.
#0521KKasperskyabout 2 months ago5 min▣LLM reporthigh The 2026 ransomware landscape is characterized by the adoption of post-quantum cryptography to thwart decryption efforts and a significant shift toward encryptionless, data-centric extortion. Threat actors are increasingly professionalizing their operations, standardizing EDR evasion via BYOVD (Bring Your Own Vulnerable Driver), and relying on Initial Access Brokers targeting edge infrastructure like RDWeb and VPNs.
#0520
Akamaiabout 2 months ago5 min▣LLM reporthigh Security researchers discovered critical vulnerabilities in three widely used Model Context Protocol (MCP) servers—Apache Doris, Apache Pinot, and Alibaba RDS—stemming from insufficient back-end security validation. These flaws include SQL injection (CVE-2025-66335), missing authentication, and unauthenticated data exposure, allowing attackers to execute arbitrary commands or exfiltrate sensitive database metadata.
#0519
Cisco Talosabout 2 months ago4 min▣LLM reportcritical Microsoft's May 2026 Patch Tuesday addresses 137 vulnerabilities, including 31 critical flaws, 16 of which are Remote Code Execution (RCE) vulnerabilities. While no active exploitation has been observed, critical flaws affect core services like Windows Netlogon, DNS Client, and Azure Managed Instances, prompting the release of Snort detection rules by Cisco Talos.
#0518
Cisco Talosabout 2 months ago6 min▣LLM reporthigh State-sponsored threat actors operate with a fundamentally different methodology than financially motivated criminals, prioritizing long-term stealth over immediate disruption. By leveraging valid credentials and living-off-the-land (LOTL) techniques such as PowerShell and WMI, these adversaries bypass traditional signature-based detections. Defending against and responding to these threats requires organizations to shift toward continuous behavioral baselines, enhanced telemetry (e.g., Event IDs 4688, 4104, Sysmon), and strategic incident response plans that account for complex containment decisions and supply chain risks.
#0517
Sophosabout 2 months ago5 min▣LLM reportmedium AI agents deployed in enterprise environments are highly susceptible to indirect prompt injection attacks, enabling data theft and unauthorized actions. Security teams must adopt an 'assume breach' architecture for LLMs, focusing on blast radius reduction through agent sandboxing, credential isolation, egress restrictions, and human-in-the-loop governance.
#0516
Palo Alto Networksabout 2 months ago6 min▣LLM reportcritical Active Directory Certificate Services (AD CS) is increasingly targeted by threat actors to achieve privilege escalation and persistence through misconfigured certificate templates and shadow credential abuse. By leveraging tools like Certipy and Whisker, attackers can bypass traditional credential defenses, necessitating behavioral detection strategies focused on LDAP enumeration, anomalous certificate issuance, and directory modifications.
#0515
Trail of Bitsabout 2 months ago3 min▣LLM reportinfo Trail of Bits has released gosentry, an enhanced fork of the Go toolchain designed to significantly improve native Go fuzzing capabilities by integrating LibAFL and Nautilus. The tool allows security researchers and developers to perform struct-aware and grammar-based fuzzing, successfully identifying complex vulnerabilities such as integer overflows, data races, and goroutine leaks that standard Go fuzzing often misses.
#0514
Canadian Centre for Cyber Securityabout 2 months ago4 min▣LLM reporthigh The Canadian Centre for Cyber Security published a daily advisory digest on May 12, 2026, highlighting critical security updates from SAP, Siemens, Schneider Electric, Ivanti, and Mozilla. The advisories cover a wide range of enterprise software, industrial control systems, and web browsers, requiring immediate patching to mitigate potential exploitation.
#0513
Trend Microabout 2 months ago7 min▣LLM reporthigh Trend Micro identified two distinct threat campaigns, SHADOW-AETHER-040 and SHADOW-AETHER-064, leveraging agentic AI to orchestrate attacks against Latin American government and financial institutions. The attackers utilized AI models like Anthropic's Claude to dynamically generate scripts, analyze configurations, and establish SOCKS5 tunnels for lateral movement, demonstrating a shift towards AI-assisted, signature-evasive intrusion operations.
#0512
Socketabout 2 months ago4 min▣LLM reportcritical A critical sandbox escape vulnerability (CVE-2026-26956) in the vm2 Node.js library allows attackers to execute arbitrary OS commands by leveraging WebAssembly.JSTag via VM.run(). The flaw affects versions 0.2.2 through 3.10.4 on Node.js runtimes exposing this tag, prompting the release of vm2 3.10.5 and a free Certified Patch from Socket to remove the tag from the sandbox environment.
#0511
Mandiantabout 2 months ago6 min▣LLM reporthigh Google Threat Intelligence Group (GTIG) reports an escalation in adversaries leveraging generative AI for vulnerability discovery, autonomous malware orchestration, and defense evasion. Notable developments include the AI-assisted discovery of a zero-day 2FA bypass, the PROMPTSPY Android backdoor utilizing the Gemini API for autonomous UI navigation, and supply chain attacks by TeamPCP targeting AI dependencies like LiteLLM to extract cloud secrets.
#0510
Varonisabout 2 months ago4 min▣LLM reportcritical Varonis Threat Labs identified a Remote Code Execution (RCE) vulnerability in Azure Cosmos for PostgreSQL caused by improper input validation of the loglineprefix parameter within the Azure management API. By utilizing form feed and newline characters, attackers could bypass single-quote restrictions to inject arbitrary PostgreSQL configurations, such as archive_command, ultimately leading to arbitrary OS command execution on the underlying managed database node.
#0509
Canadian Centre for Cyber Securityabout 2 months ago4 min▣LLM reportcritical The Canadian Centre for Cyber Security released a daily digest highlighting critical vulnerabilities across Cisco, IBM, Dell, Ubuntu, and various ICS platforms. Notably, Cisco ASA and FTD devices are affected by a newly identified persistence mechanism known as the FIRESTARTER backdoor, which survives previous patches for CVE-2025-20333, CVE-2025-20362, and CVE-2025-20363.