#0719
CISA28 days ago4 min▣LLM reporthigh Schneider Electric EcoStruxure Panel Servers contain an insecure default initialization vulnerability (CVE-2026-6866, CVSS 7.5) that can lead to unauthorized authentication. Under rare circumstances, credentials may revert to initial settings, allowing attackers to access sensitive information using known default credentials.
#0718
CISA28 days ago4 min▣LLM reporthigh Siemens KACO Blueplanet Inverters contain two vulnerabilities, including a hard-coded cryptographic key issue (CVE-2025-40946) that allows attackers to derive device credentials from serial numbers, and an SQL injection (CVE-2026-41125) in the KACO Meteor server enabling privilege escalation. Siemens has released firmware updates for select models and recommends network isolation for affected devices.
#0717
CISA28 days ago4 min▣LLM reporthigh CISA has added three actively exploited vulnerabilities (CVE-2026-7473, CVE-2026-11645, CVE-2026-20245) affecting Arista EOS, Google Chromium V8, and Cisco Catalyst SD-WAN Manager to its Known Exploited Vulnerabilities (KEV) Catalog. Organizations are strongly urged to prioritize patching these systems to reduce their exposure to ongoing cyberattacks.
#0716
Varonis28 days ago5 min▣LLM reporthigh Varonis Threat Labs demonstrated that enterprise AI agents, specifically an OpenClaw deployment, are vulnerable to traditional phishing and social engineering techniques. In simulated attacks, the agent successfully identified technical phishing indicators like malicious OAuth flows but failed to recognize social context, resulting in the exfiltration of AWS credentials and sensitive CRM data to an external attacker.
#0715RReversinglabs28 days ago5 min▣LLM reporthigh Threat actors are leveraging short-form video platforms like TikTok and Instagram Reels to conduct social engineering campaigns. By posting fake tutorials for premium software and manipulating engagement algorithms, attackers trick users into executing malicious PowerShell commands that deploy Vidarstealer or direct them to fraudulent survey websites.
#0714
Infoblox28 days ago5 min▣LLM reportmedium Infoblox Threat Intel observed a massive surge in residential proxy usage within enterprise environments, with over 65% of customers querying proxy-related domains. These proxies, often installed non-consensually via free apps and IoT devices, allow threat actors to launder traffic, bypass IP reputation controls, and potentially probe internal networks.
#0713
Arctic Wolf28 days ago6 min▣LLM reporthigh Threat actors are proactively targeting the 2026 FIFA World Cup ecosystem, employing mobile-first malware, QR-code phishing against event organizers, and real-time AiTM phishing kits to bypass MFA. The campaigns leverage AI-generated infrastructure and urgency-based lures to distribute Android cryptominers, Windows infostealers, and compromise corporate Google Workspace accounts.
#0712
Akamai28 days ago4 min▣LLM reportmedium The transition to Post-Quantum Cryptography (PQC) introduces significantly larger cryptographic signatures, such as ML-DSA, which will force DNS responses to exceed standard UDP packet limits. This architectural shift will cause frequent fallbacks to TCP, introducing latency spikes and silent timeouts that pose a severe operational risk to automated, high-volume systems like agentic AI workflows. Furthermore, adversaries are already conducting 'Harvest now, decrypt later' attacks, underscoring the immediate need for organizations to map and secure their DNS and DNSSEC configurations across distributed cloud environments.
#0711
Socket28 days ago7 min▣LLM reporthigh A fast-moving supply chain campaign dubbed Mini Shai-Hulud/Miasma is targeting Python developers via malicious PyPI wheels. The threat actors are utilizing novel execution techniques, including trojanized native extensions and split-loader .pth hooks that search sys.path for payloads, to deploy the Hades stealer and harvest credentials from CI/CD pipelines and developer workstations.
#0710
Canadian Centre for Cyber Security28 days ago4 min▣LLM reportcritical The Canadian Centre for Cyber Security issued advisories for actively exploited vulnerabilities in Check Point VPN/Firewall products (CVE-2026-50751, an authentication bypass) and Google Chrome (CVE-2026-11645). Both vulnerabilities have known exploits in the wild, with the Check Point flaw added to the CISA KEV database, necessitating immediate patching.
#0709
CISA28 days ago3 min▣LLM reporthigh CISA has added CVE-2026-42271 (BerriAI LiteLLM Command Injection) and CVE-2026-50751 (Check Point Security Gateway Improper Authentication) to the Known Exploited Vulnerabilities (KEV) catalog due to active exploitation. Organizations are strongly urged to prioritize remediation of these vulnerabilities to reduce exposure to cyberattacks.
#0708
Trend Micro29 days ago7 min▣LLM reportcritical Multiple Russia-aligned threat actors, including SHADOW-EARTH-066 and Earth Dahu, are actively exploiting a patched WinRAR path traversal vulnerability (CVE-2025-8088) to target Ukrainian organizations. The attackers use crafted RAR archives with NTFS Alternate Data Streams to silently drop malicious payloads, such as the evolved GIFTEDCROOK infostealer or HTA-based espionage tools, into the Windows Startup folder and ProgramData directories.
#0707
Microsoft29 days ago7 min▣LLM reporthigh Threat actors are increasingly leveraging the hype around AI platforms like ChatGPT, Claude, and DeepSeek to conduct social engineering attacks. These campaigns utilize phishing, malvertising, and SEO poisoning to distribute infostealers such as Vidar or facilitate credential theft via adversary-in-the-middle (AiTM) infrastructure.
#0706
Morphisec29 days ago5 min▣LLM reportcritical The third wave of the Shai-Hulud supply chain worm, dubbed Miasma, targets the npm ecosystem by utilizing weaponized binding.gyp files to bypass lifecycle script monitoring. It establishes deep persistence within AI assistant and IDE configuration directories, evades detection through dormancy and EDR checks, and abuses valid Sigstore attestations to masquerade as legitimate packages.
#0705
Canadian Centre for Cyber Security29 days ago4 min▣LLM reportcritical The Canadian Centre for Cyber Security released a daily digest covering seven security advisories from major vendors. Notably, Check Point has observed active exploitation of a critical authentication bypass vulnerability (CVE-2026-50751) affecting its VPN and Firewall products, requiring immediate mitigation.
#0704
Cofense29 days ago6 min▣LLM reporthigh A recent phishing campaign impersonates Amazon security alerts to deliver a custom remote access trojan (RAT) dubbed HarborWatch Agent. The attack leverages the ClickFix technique, using a fake CAPTCHA page to socially engineer victims into manually executing a malicious PowerShell command via the Windows Run dialog. Once executed, the script downloads the RAT, which collects system information and communicates with a C2 infrastructure managed via a panel called Harbor Sentinel.
#0703
Check Point29 days ago5 min▣LLM reportcritical This threat intelligence report highlights active exploitation of critical vulnerabilities, including a Windows Netlogon RCE (CVE-2026-41089) and an Android Framework flaw. It also details significant data breaches affecting DentaQuest and the UN WFP, emerging AI-driven threats such as EDR evasion labs, a supply chain compromise of the Hola browser, and Iranian state-sponsored espionage operations utilizing Dutch hosting infrastructure.
#070229 days ago7 min▤RecapJun 1 – Jun 8
Trojanized Build Pipelines and Blind-Spot Appliances Redefine the Perimeter
Attackers are bypassing traditional network defenses by compromising the tools developers use to build software and the AI assistants they rely on to write code. Campaigns like Mini Shai-Hulud and Miasma - The Spreading Blight flooded package registries with malicious code that steals cloud credentials and CI/CD tokens, while researchers proved that public AI agent skill marketplaces are completely ineffective at catching malicious add-ons.
Nation-state actors and cybercriminals are simultaneously shifting their focus to blind spots in corporate networks and trusted platforms. The VerdantBamboo group exploited firewalls to bypass conditional access, while UNC3753 used IT impersonation to trick law firm employees into installing remote access tools, and Kali365 expanded its phishing infrastructure to steal multi-factor authentication tokens.
Defenders must shift their focus from perimeter email filtering to securing the software build pipeline and monitoring edge appliances for anomalous traffic. Hunt for unexpected connections to cloud storage APIs and review developer environments for compromised packages or AI skills.
#0701
Socket30 days ago7 min▣LLM reportcritical A coordinated supply chain attack compromised 19 PyPI packages, utilizing malicious .pth files to achieve execution at Python startup. The loader downloads the Bun runtime to execute an obfuscated JavaScript stealer targeting developer secrets, cloud credentials, and CI/CD tokens, exfiltrating data via GitHub repositories and Actions.
#0700
CISAabout 1 month ago3 min▣LLM reporthigh CISA has added CVE-2026-28318, an uncontrolled resource consumption vulnerability in SolarWinds Serv-U, to its Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Organizations are strongly urged to prioritize timely remediation to reduce exposure to cyberattacks.