#0469KKasperskyabout 2 months ago5 min▣LLM reporthigh Attackers are weaponizing Amazon Simple Email Service (SES) using compromised AWS IAM keys to launch highly convincing phishing and Business Email Compromise (BEC) campaigns. Because the emails originate from legitimate Amazon infrastructure, they successfully pass standard authentication protocols like SPF, DKIM, and DMARC, making detection difficult without disrupting legitimate business workflows.
#0468
Canadian Centre for Cyber Securityabout 2 months ago3 min▣LLM reportcritical The Canadian Centre for Cyber Security released a daily digest of five security advisories covering critical vulnerabilities across IBM, Dell, FreeBSD, Ubuntu, and various ICS products. Notable flaws include a Remote Code Execution vulnerability in FreeBSD via malicious DHCP options (CVE-2026-42511) and a Local Privilege Escalation via execve() (CVE-2026-7270).
#0467
Microsoftabout 2 months ago5 min▣LLM reporthigh A large-scale Adversary-in-the-Middle (AiTM) phishing campaign targeted over 35,000 users using sophisticated 'code of conduct' lures. The attack chain leveraged legitimate email services, PDF attachments, and multiple CAPTCHA gates to evade detection, ultimately proxying Microsoft 365 authentication sessions to steal tokens and bypass standard MFA.
#0466
CrowdStrikeabout 2 months ago4 min▣LLM reportinfo The article discusses the impending 'vuln-pocalypse' driven by AI-accelerated vulnerability discovery and fuzzing. Threat actors, including FANCY BEAR and FAMOUS CHOLLIMA, are increasingly leveraging AI to enhance phishing campaigns and exploit zero-days faster, necessitating a shift toward threat-informed patch prioritization and robust post-exploitation behavioral detection.
#0465
Socketabout 2 months ago7 min▣LLM reportcritical A software supply chain campaign attributed to the GitHub account 'BufferZoneCorp' published malicious Ruby gems and Go modules designed to steal developer secrets and compromise CI/CD environments. The packages impersonate legitimate developer tools to execute install-time and runtime payloads that harvest credentials, tamper with GitHub Actions workflows, manipulate Go dependency resolution, and establish SSH persistence.
#0464
Varonisabout 2 months ago5 min▣LLM reportmedium A nuance in the Entra ID Resource Owner Password Credentials (ROPC) protocol allows attackers with compromised credentials to authenticate against a permissive external tenant, generating a 'Sign-in: Success' log in the victim's home tenant. While this cross-tenant authentication does not grant access to the victim's data, it effectively poisons UEBA models and floods the SOC with false positive alerts, creating significant operational disruption and compromising log integrity.
#0463
Cofenseabout 2 months ago12 min▣LLM reporthigh A credential phishing campaign identified by the Cofense Phishing Defense Center targets Meta (Facebook/Instagram) account holders, particularly page administrators, by impersonating Meta's verification badge program. The multi-stage attack chain routes victims through a spoofed Gmail sender to a Google Form, then to a Vercel-hosted phishing page that collects PII, passwords, and 2FA tokens in real time — enabling near-instant account takeover before TOTP codes expire. The abuse of legitimate hosting infrastructure (Google Forms, Vercel) allows the campaign to bypass conventional URL-reputation and email security controls.
#0462
Palo Alto Networksabout 2 months ago7 min▣LLM reporthigh Unit 42 identified 18 high-risk browser extensions masquerading as GenAI productivity tools that function as remote access Trojans, infostealers, and spyware. These extensions exploit browser permissions to intercept API keys, exfiltrate DOM content, establish persistent WebSocket C2 channels, and dynamically route traffic via malicious proxy configurations.
#0461
Huntressabout 2 months ago5 min▣LLM reporthigh The article highlights the evolution of social engineering tactics, emphasizing how attackers abuse trusted workflows, AI platforms, and legitimate infrastructure like OAuth to bypass traditional security controls. Key threats include device code phishing campaigns like EvilTokens that bypass MFA for persistent access, and AI chatbot lures tricking macOS users into executing AMOS infostealer payloads via malicious terminal commands.
#0460
Sophosabout 2 months ago3 min▣LLM reporthigh CVE-2026-31431, dubbed 'Copy Fail', is a high-severity (CVSS 7.8) local privilege escalation vulnerability in the Linux kernel affecting distributions released since 2017. A reliable public PoC is available, allowing unprivileged local users to achieve root access by corrupting the kernel's in-memory page cache of privileged binaries. Immediate patching is recommended, particularly for multi-tenant and containerized environments.
#0459
Socketabout 2 months ago6 min▣LLM reportcritical The Mini Shai-Hulud supply chain attack campaign has expanded into the PHP ecosystem by compromising the widely used intercom/intercom-php package on Packagist. The malicious artifact abuses Composer plugin execution to download the Bun runtime and execute an obfuscated JavaScript payload designed to harvest and exfiltrate sensitive credentials from developer environments and CI/CD pipelines.
#0458
Huntressabout 2 months ago6 min▣LLM reporthigh A threat actor utilized compromised VPN credentials to access a partner network, pivoting via a customized Impacket smbexec.py to enable RDP and establish an interactive session. The attacker then installed the open-source monitoring tool Komari directly from GitHub, leveraging its native WebSocket capabilities as a persistent, SYSTEM-level command-and-control (C2) backdoor disguised as the Windows Update Service.
#0457
Socketabout 2 months ago6 min▣LLM reportcritical The official intercom-client npm package (version 7.0.4) was compromised in a supply chain attack attributed to the Mini Shai-Hulud campaign and linked to the TeamPCP threat actor. The malicious package executes during installation via a preinstall hook to harvest cloud, Kubernetes, and Vault credentials from developer and CI/CD environments, exfiltrating them via the GitHub API.
#0456
CrowdStrikeabout 2 months ago4 min▣LLM reporthigh CORDIAL SPIDER and SNARKY SPIDER are executing rapid, SaaS-centric data theft and extortion campaigns by leveraging vishing and AiTM phishing pages. By capturing session tokens and authentication data, these actors bypass traditional endpoint defenses and pivot directly into SSO-integrated SaaS environments via the organization's Identity Provider (IdP).
#0455
Elastic Security Labsabout 2 months ago4 min▣LLM reportinfo The article details how modern Digital Forensics and Incident Response (DFIR) leverages Osquery within Elastic Security to perform distributed, real-time endpoint investigations. By querying artifacts like Prefetch, Shimcache, and Shellbags, analysts can rapidly reconstruct attack timelines, such as tracing a phishing email to the execution of Mimikatz, without requiring full disk images.
#0454
Canadian Centre for Cyber Securityabout 2 months ago3 min▣LLM reportmedium The Canadian Centre for Cyber Security issued an advisory (AV26-411) regarding unspecified vulnerabilities in Microsoft Edge Stable Channel versions prior to 147.0.3912.98. Administrators are advised to review the Microsoft release notes and apply the necessary updates to mitigate potential exploitation.
#0453
Huntressabout 2 months ago7 min▣LLM reporthigh A ClickFix social engineering campaign tricks users into executing a malicious command via a fake CAPTCHA on fraudulent background removal websites. This command uses the legacy finger.exe utility to download CastleLoader, an advanced Python-based loader that employs reflective PE loading and API evasion (such as ReplaceTextW hooking) to deploy NetSupport RAT and a custom .NET stealer (CastleStealer) for credential and data exfiltration.
#0452
CISAabout 2 months ago3 min▣LLM reporthigh CISA has added CVE-2026-31431, an 'Incorrect Resource Transfer Between Spheres' vulnerability affecting the Linux Kernel, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Organizations are strongly urged to prioritize the timely remediation of this vulnerability to reduce their exposure to cyberattacks.
#0451
Socketabout 2 months ago6 min▣LLM reportcritical The popular PyPI package 'lightning' was compromised in a supply chain attack affecting versions 2.6.2 and 2.6.3. The malicious package executes an obfuscated JavaScript payload via the Bun runtime to harvest cloud and developer credentials, poison GitHub repositories by impersonating Anthropic's Claude Code, and infect local npm packages.
#0450
Socketabout 2 months ago7 min▣LLM reportcritical A suspected TeamPCP-linked supply chain attack compromised multiple SAP CAP and Cloud MTA npm packages by injecting malicious preinstall scripts. The attack leverages a downloaded Bun runtime to execute an obfuscated payload that harvests extensive credentials from developer machines and CI/CD pipelines, exfiltrating data via attacker-controlled GitHub repositories and establishing persistence through VSCode and Claude AI configurations.