#0265
NCSCabout 2 months ago7 min▣LLM reporthigh Russian state-sponsored threat actor APT28 is exploiting vulnerable SOHO routers to modify DHCP and DNS settings, redirecting user traffic to malicious infrastructure. This DNS hijacking facilitates Adversary-in-the-Middle (AitM) attacks designed to harvest credentials and OAuth tokens for web and email services.
#0264
Cofenseabout 2 months ago4 min▣LLM reporthigh A recent phishing campaign exploits public anxiety regarding the Middle East conflict by distributing fake government emergency alerts. The emails use embedded QR codes to direct victims through a deceptive human verification check, ultimately landing them on a fraudulent Microsoft sign-in page designed to harvest their credentials.
#0263
Microsoftabout 2 months ago7 min▣LLM reportcritical Storm-1175 is a financially motivated threat actor that rapidly exploits N-day and zero-day vulnerabilities in web-facing assets to deploy Medusa ransomware. The group utilizes a high-tempo attack chain, leveraging LOLBins, RMM tools, and credential theft to move laterally and exfiltrate data before executing ransomware, often completing the entire attack lifecycle within days.
#0262
CISAabout 2 months ago3 min▣LLM reporthigh CISA has added CVE-2026-35616, an improper access control vulnerability in Fortinet FortiClient EMS, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. All organizations are strongly urged to prioritize the timely remediation of this vulnerability to reduce their exposure to cyberattacks.
#0261
Palo Alto Networksabout 2 months ago5 min▣LLM reportmedium Unit 42 researchers demonstrated a red-teaming methodology against Amazon Bedrock's multi-agent applications, highlighting the risks of prompt injection in orchestrated AI systems. By systematically bypassing agent guardrails, attackers can extract sensitive instructions, map tool schemas, and invoke integrated tools with malicious inputs, though built-in Bedrock Guardrails effectively mitigate these threats.
#0260
Trend Microabout 2 months ago7 min▣LLM reporthigh Following an accidental source code leak of Anthropic's Claude Code via npm, threat actors rapidly deployed fake GitHub repositories to distribute a Rust-compiled dropper. This dropper, part of a broader rotating-lure campaign, deploys Vidar stealer and GhostSocks proxy while utilizing extensive anti-analysis checks and PowerShell to disable Windows Defender.
#0259
Elastic Security Labsabout 2 months ago3 min▣LLM reportlow Elastic has released nine new third-party integrations for Q1 2026, enhancing visibility across macOS, cloud environments, email security, and SIEM platforms. These integrations provide out-of-the-box data normalization, prebuilt dashboards, and AI-driven analysis capabilities to streamline security operations and threat detection.
#0258
Varonisabout 2 months ago4 min▣LLM reporthigh The source code for Anthropic's Claude Code CLI was accidentally exposed through .map files in a public npm release. This leak reveals the internal architecture, permission models, and safety guardrails of the AI agent, potentially allowing attackers to craft targeted prompt injections or distribute tampered dependencies through unofficial repositories.
#0257
Trend Microabout 2 months ago5 min▣LLM reporthigh Following an accidental leak of Anthropic's Claude Code source material, threat actors rapidly deployed a social engineering campaign using fake GitHub repositories. The campaign distributes trojanized archives containing a Rust-compiled dropper that deploys Vidar stealer and GhostSocks proxy malware, specifically targeting developers seeking AI tools.
#0256
Zscaler ThreatLabzabout 2 months ago5 min▣LLM reportcritical In March 2026, severe software supply chain attacks targeted popular open-source packages. A North Korean threat actor compromised the Axios NPM package to distribute a cross-platform RAT, while the TeamPCP group poisoned the LiteLLM PyPI package to harvest cloud and infrastructure secrets.
#0255
Trail of Bitsabout 2 months ago3 min▣LLM reportlow Trail of Bits has open-sourced CoBRA, a highly effective tool designed to deobfuscate Mixed Boolean-Arithmetic (MBA) expressions commonly used by malware authors and software protectors. Available as a CLI tool, C++ library, and LLVM pass, CoBRA successfully simplifies nearly 100% of complex MBA expressions, significantly aiding reverse engineering and malware analysis efforts.
#0254
Cisco Talosabout 2 months ago5 min▣LLM reportcritical A critical supply chain attack compromised the official Axios npm package, deploying malicious versions v1.14.1 and v0.30.4. The packages contained a fake runtime dependency that automatically executed post-install, downloading platform-specific Remote Access Trojans (RATs) to Windows, MacOS, and Linux systems to facilitate credential exfiltration and remote access.
#0253
Recorded Futureabout 2 months ago1 min▣LLM reportlow This article is an employee spotlight featuring Kyle Kohler, a Senior Product Manager at Recorded Future, discussing his daily responsibilities and the company's broad approach to threat intelligence.
#0252
Akamaiabout 2 months ago4 min▣LLM reportmedium The U.S. Department of Health and Human Services (HHS) Notice of Proposed Rulemaking (NPRM) emphasizes that healthcare organizations must move beyond basic HIPAA compliance to achieve true cybersecurity resilience. To combat the rising threat of ransomware, organizations are urged to implement continuous asset monitoring and microsegmentation to contain lateral movement, reduce the blast radius of attacks, and protect electronic protected health information (ePHI).
#0251
Socketabout 2 months ago4 min▣LLM reportcritical The lead maintainer of the widely used Axios npm package fell victim to a sophisticated social engineering attack. Attackers tricked the maintainer into installing a Remote Access Trojan (RAT) during a fake MS Teams meeting, enabling session hijacking that bypassed 2FA and allowed the unauthorized publication of malicious Axios versions to the npm registry.
#0250
Mandiantabout 2 months ago7 min▣LLM reportcritical Threat actors are increasingly targeting VMware vSphere environments, specifically the vCenter Server Appliance (VCSA) and ESXi hypervisors, to establish deep persistence and bypass traditional EDR solutions. This defender's guide outlines a comprehensive strategy to secure the virtualization control plane against advanced malware like BRICKSTORM, emphasizing infrastructure hardening, Zero Trust network segmentation, and enhanced OS-level forensic visibility using auditd and AIDE.
#0249WWatchtowrabout 2 months ago6 min▣LLM reportcritical Security researchers discovered a pre-authenticated Remote Code Execution (RCE) chain in Progress ShareFile Storage Zone Controller. By chaining an Execution After Redirect (EAR) authentication bypass (CVE-2026-2699) with an arbitrary file upload vulnerability (CVE-2026-2701), attackers can reconfigure the storage repository to the webroot and extract an ASPX webshell, achieving full system compromise.
#0248
Trend Microabout 2 months ago2 min▣LLM reportlow The White House Office of the National Cyber Director (ONCD) has released a new National Cyber Strategy detailing six pillars of focus. The strategy emphasizes modernizing federal networks, securing critical infrastructure, maintaining superiority in emerging technologies like AI, and building cyber talent capacity.
#0247
Socketabout 2 months ago4 min▣LLM reporthigh A supply chain attack compromised Axios version 1.14.1 on npm by injecting a malicious dependency, plain-crypto-js. The attack's impact was significantly amplified by default semver range resolutions and dynamic execution tools like npx, which bypassed standard lockfile protections during the exposure window.
#0246
Cofenseabout 2 months ago3 min▣LLM reportinfo Organizations face a dual challenge of combating rapidly evolving polymorphic phishing attacks using AI-driven automation while ensuring these opaque security tools comply with strict data governance regulations like GDPR and DORA. Security teams must prioritize transparent, auditable AI solutions to bridge this compliance gap.