#0199
Check Pointabout 2 months ago4 min▣LLM reporthigh Check Point Research discovered a vulnerability in ChatGPT's code execution runtime that allowed silent data exfiltration and remote shell access via DNS tunneling. By using malicious prompts or custom GPTs, attackers could bypass outbound network restrictions to steal sensitive user data without triggering security warnings.
#0198
Morphisecabout 2 months ago3 min▣LLM reportinfo The disruption of a major cybercrime forum has led to a fragmented ransomware market, prompting groups like Nova RaaS to artificially inflate their perceived status. Despite aggressive recruitment and branding efforts, structural indicators reveal Nova's operational scale remains far below established market leaders.
#0197
CISAabout 2 months ago3 min▣LLM reporthigh CISA has added CVE-2026-3055, an actively exploited out-of-bounds read vulnerability affecting Citrix NetScaler, to its Known Exploited Vulnerabilities (KEV) Catalog. The agency mandates federal remediation under BOD 22-01 and strongly urges all organizations to prioritize patching to reduce exposure to cyberattacks.
#0196WWatchtowrabout 2 months ago5 min▣LLM reportcritical A second memory overread vulnerability has been identified in Citrix NetScaler appliances under CVE-2026-3055, affecting the '/wsfed/passive?wctx' endpoint. By sending a specially crafted GET request with an empty 'wctx' parameter, attackers can force the appliance to leak sensitive memory, including administrative session IDs, via the 'NSC_TASS' cookie. Active in-the-wild exploitation has been observed since late March.
#0195
Socketabout 2 months ago4 min▣LLM reportcritical Threat actor TeamPCP has formed an alliance with the Vect Ransomware-as-a-Service (RaaS) group to weaponize recent open-source supply chain compromises. By leveraging approximately 300 GB of stolen credentials and tokens harvested from CI/CD pipelines and security tools like Trivy and LiteLLM, the groups intend to facilitate large-scale ransomware deployments across affected enterprise environments.
#0194
Elastic Security Labsabout 2 months ago5 min▣LLM reporthigh Elastic Security Labs identified a cyberattack targeting a South Asian financial institution using two custom malware strains: BRUSHWORM and BRUSHLOGGER. BRUSHWORM functions as a backdoor and USB worm capable of extensive file theft and air-gap bridging, while BRUSHLOGGER captures system-wide keystrokes via DLL side-loading.
#0193
Canadian Centre for Cyber Securityabout 2 months ago3 min▣LLM reporthigh The Canadian Centre for Cyber Security released a daily digest highlighting recent security advisories from WatchGuard, Siemens, FreeBSD, and Ericsson. The advisories cover critical vulnerabilities including remote code execution, denial of service, and insecure deserialization across various operating systems, network appliances, and control system products.
#0192
Palo Alto Networksabout 2 months ago7 min▣LLM reportcritical Unit 42 identified a coordinated cyberespionage campaign targeting a Southeast Asian government entity, involving three distinct China-aligned threat clusters. The attackers utilized a variety of tools including USB worms, custom loaders, and multiple remote access Trojans (PUBLOAD, Masol, Gorem, FluffyGh0st) to establish persistent access, evade detection via DLL sideloading, and exfiltrate sensitive data.
#0191
CISAabout 2 months ago3 min▣LLM reportcritical CISA has added CVE-2025-53521, a Remote Code Execution vulnerability affecting F5 BIG-IP, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. All organizations are strongly urged to prioritize timely remediation to reduce exposure to cyberattacks.
#0190
Trend Microabout 2 months ago8 min▣LLM reportcritical A sophisticated supply chain attack by the threat actor TeamPCP compromised the popular AI proxy package LiteLLM via a previously hijacked Trivy GitHub Action. The malicious package deployed a multi-stage payload utilizing a Python .pth file to harvest extensive cloud, Kubernetes, and AI credentials, encrypt them, and exfiltrate them to attacker-controlled infrastructure while establishing a persistent remote code execution backdoor.
#0189
Cofenseabout 2 months ago4 min▣LLM reportmedium A recent phishing campaign targets Xiaomi users by impersonating corporate HR communications regarding a new certification. The emails contain masked hyperlinks that redirect victims to a convincing replica of the Xiaomi login portal designed to harvest account credentials.
#0188
Socketabout 2 months ago4 min▣LLM reporthigh A widespread phishing campaign is exploiting GitHub Discussions to distribute fake Visual Studio Code security alerts to developers. The campaign uses fabricated CVEs and mass-tagging to trick Windows users into clicking malicious share.google links, which redirect to a JavaScript fingerprinting and Traffic Distribution System (TDS) hosted on an attacker-controlled domain.
#0187
Trend Microabout 2 months ago6 min▣LLM reportcritical The Russia-aligned APT group Pawn Storm has launched a sophisticated campaign deploying the PRISMEX malware suite against Ukrainian and NATO defense supply chains. The attack chain leverages two critical vulnerabilities, CVE-2026-21509 and CVE-2026-21513, to achieve zero-click execution, utilizing advanced steganography and COM hijacking to evade detection while communicating via legitimate cloud services.
#0186
Infobloxabout 2 months ago6 min▣LLM reporthigh Cybercriminals are increasingly abusing the Keitaro adtech platform to optimize the distribution of malware, phishing, and scams. By leveraging Keitaro's built-in tracking, cloaking, and traffic distribution capabilities, actors can efficiently target victims, evade detection, and scale operations across multiple threat types including wallet drainers and infostealers.
#0185
Cisco Talosabout 2 months ago4 min▣LLM reporthigh The Talos 2025 Year in Review highlights a significant shift towards attackers targeting identity infrastructure and network components to bypass MFA and gain privileged access. Key threats include widespread exploitation of React2Shell, supply chain attacks targeting CI/CD pipelines, and the dominance of Qilin ransomware.
#0184
Elastic Security Labsabout 2 months ago6 min▣LLM reportcritical VoidLink is a cloud-native Linux malware framework that employs a hybrid Loadable Kernel Module (LKM) and eBPF architecture to achieve deep system concealment. It features advanced evasion techniques such as delayed initialization, an ICMP covert command channel, and eBPF-driven manipulation of Netlink sockets to hide network connections from diagnostic tools. Analysis indicates the framework was developed iteratively using AI-assisted workflows, highlighting a growing trend of LLM-facilitated malware creation.
#0183
Canadian Centre for Cyber Securityabout 2 months ago3 min▣LLM reportcritical The Canadian Centre for Cyber Security issued advisories regarding a critical RCE vulnerability in PTC Windchill and FlexPLM, and an actively exploited critical vulnerability (CVE-2026-33634) that temporarily compromised the Aqua Security Trivy ecosystem supply chain.
#0182
CISAabout 2 months ago2 min▣LLM reporthigh CISA has added CVE-2026-33634, an embedded malicious code vulnerability in Aqua Security Trivy, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Organizations are strongly urged to prioritize timely remediation to reduce their exposure to cyberattacks.
#0181
ANY.RUNabout 2 months ago6 min▣LLM reporthigh A sophisticated, long-running Magecart campaign has been compromising e-commerce websites to steal payment card data, with a notable focus on the Spanish payment ecosystem. The attackers utilize multi-stage JavaScript payloads, mimic legitimate payment gateways like Redsys, and exfiltrate stolen data in real-time via WebSockets to evade traditional detection mechanisms.
#0180
Socketabout 2 months ago5 min▣LLM reportcritical A supply chain attack campaign utilizing five typosquatted npm packages targets Solana and Ethereum developers. The packages silently intercept private keys during routine cryptographic operations and exfiltrate them to a Telegram bot, leveraging transitive dependencies and obfuscation to evade detection.