A malicious npm package named codexui-android, disguised as a remote UI for OpenAI Codex, has been found to exfiltrate developer authentication tokens. Attackers allegedly injected malicious code into the published package that was not present in its public GitHub repository, highlighting risks in the AI software supply chain.
Dashlane experienced a brute-force attack where attackers attempted to access user accounts. The company's security systems automatically locked accounts to prevent further unauthorized access and limited the number of encrypted vault downloads that could be initiated.
A new wave of phishing emails is using SVG files as attachments to deliver malicious content. Threat actors are leveraging the SVG format to embed harmful code, bypassing traditional email filters by presenting the content as an image without any URLs in the email body.
Oracle has released its first monthly Critical Security Patch Update (CSPU), addressing a total of 77 vulnerabilities. These updates are part of Oracle's initiative to deliver critical fixes more rapidly.
This article discusses common mistakes organizations make when conducting tabletop exercises for incident response. It highlights the importance of clear objectives, realistic scenarios, and involving diverse stakeholders to ensure these simulations effectively test preparedness for cyber incidents.
Password manager Dashlane has reported a brute-force attack that resulted in the encrypted vaults of fewer than 20 personal plan users being downloaded. The attack, which occurred on May 31, 2026, targeted the company's two-factor authentication (2FA) system.
A new malware strain dubbed Shai-Hulud is targeting versions of the Red Hat build of the Node.js package manager (npm). The malicious code was found embedded in a legitimate-looking package and has been downloaded approximately 80,000 times per week.
A supply-chain attack compromised over 30 npm packages within Red Hat's '@redhat-cloud-services' namespace. The attackers distributed a new variant of the Shai-Hulud malware, named "Miasma," designed to steal developer credentials.
A new supply chain attack campaign, codenamed Miasma, has compromised Red Hat npm packages to steal credentials and secrets. The attack uses install-time execution tactics to harvest credentials, target CI/CD systems, and exfiltrate data with a self-propagating worm.
A sophisticated WordPress malware campaign has been discovered that uses Steam Community profile comments to hide its command-and-control (C2) infrastructure. Attackers are exploiting WordPress sites to inject malicious code, which then communicates with C2 servers disguised within user comments on Steam profiles, making detection more challenging.
The GTA cheat service Atlas Menu has been hacked, with the attacker publishing a database of 64,000 user records to GitHub. The attacker alleges that Atlas Menu was spying on users via screenshots.
Attackers are increasingly exploiting vulnerabilities before organizations can identify and patch them. Faster vulnerability alerts are crucial for reducing exposure and improving security response times.
Dragos has acquired xIoT security firm Phosphorus. This acquisition is expected to enhance asset visibility, device intelligence, and automated remediation workflows for Dragos customers.
Managed Service Providers (MSPs) are evolving beyond basic vCISO (virtual Chief Information Security Officer) tools, which previously focused on assessments, advisory, and reporting. The industry is shifting towards 'Security Growth Platforms' to meet the expanding needs of MSPs and Managed Security Service Providers (MSSPs).
A supply chain attack has been discovered targeting developers using OpenAI Codex. The malicious package, codexui-android, disguised as a legitimate remote web UI for Codex, was downloaded over 29,000 times weekly from npm.
An unidentified Remote Access Trojan (RAT) is distributing the NetSupport RAT malware. This is a concerning development as it indicates a potentially coordinated effort to spread malicious remote access tools.
YARA-X, a popular tool for malware analysis and threat hunting, has released version 1.17.0. This update includes five performance enhancements and one bug fix, aiming to improve the efficiency of its pattern-matching capabilities.
A lone attacker has published 14 malicious npm packages designed to mimic popular OpenSearch and Elasticsearch libraries. These packages were discovered and subsequently removed by Microsoft's security team.
A critical remote code execution (RCE) vulnerability in the open-source Git service Gogs remains unfixed. An exploit module for this vulnerability has been released, and the researcher who discovered it has had no response from the maintainers since reporting it in March.
The Linux Foundation is launching DNS-AID, an open-source project to standardize how AI agents discover and communicate with each other using existing DNS infrastructure. This aims to provide a secure and vendor-neutral directory for AI agents, preventing sprawl and ensuring trust in connectivity.
Swiss researchers have developed a new method for generating truly random numbers using quantum superconducting chips and a long microwave pipe. This advancement aims to overcome biases found in traditional random number generators, which have previously led to security issues in various applications.
MokN has secured $15 million in funding for its "Phish-Back" platform. This platform aims to lure attackers into revealing compromised credentials by deploying realistic decoy access points, allowing organizations to respond proactively before these credentials can be misused.
The DDoS-as-a-Service market has evolved significantly, moving from basic tools to sophisticated platforms that offer tiered pricing, customer support, and reseller programs. This evolution makes DDoS attacks more accessible and potentially more damaging.
A critical-severity zero-day vulnerability in Gogs, a self-hosted Git service, allows authenticated attackers to execute remote code via pull requests with malicious branch names. The flaw has a CVSS score of 9.4 and is described as an argument injection vulnerability.
Google has rolled out its Device Bound Session Credentials (DBSC) security feature to all Chrome users. This new feature aims to prevent account takeovers by protecting against session cookie theft, a common method used by attackers.
A new report highlights the rise of 'shadow AI' applications, where employees build and deploy full applications using AI tools, often without security or IT oversight. These applications are integrated into production systems and published online, significantly expanding the risk surface.
Google has released Chrome 148, which addresses a significant number of security vulnerabilities. The update resolves 151 security defects, including several critical-severity flaws that could have allowed for remote code execution.
Two high-severity vulnerabilities (CVE-2026-48778 and CVE-2026-48800) in Notepad++ allow local attackers to execute arbitrary code by tampering with the editor's XML configuration files. These flaws affect versions up to 8.9.6 and were patched in version 8.9.6.1.
A malicious NuGet package named 'Sicoob.Sdk' has been found to steal banking credentials, specifically client IDs and PFX certificates, from users in Brazil. This package, disguised as a legitimate software development kit for Sicoob, a major financial cooperative, contains functions to exfiltrate this sensitive information.
The Gentlemen ransomware is evolving with a self-propagating Go-based encryptor that can spread laterally across networks. This sophisticated malware identifies and deploys itself to additional systems using harvested credentials and legitimate administrative tools, leading to broader business disruptions.
IBM and Red Hat are launching Project Lightwell, a new initiative backed by a $5 billion investment and 20,000 engineers, to create an 'enterprise clearinghouse' for open source applications. This AI-powered platform aims to accelerate the discovery and remediation of vulnerabilities in open source software, addressing the challenge of rapid patching in enterprise environments.
A critical argument injection vulnerability has been discovered in the open-source Gogs Git service, allowing authenticated users to execute code remotely. The maintainer of Gogs has not responded to the vulnerability disclosure for over two months, leaving it unpatched and highlighting potential risks associated with self-hosted code platforms from smaller open-source projects.
A new Android remote access trojan (RAT) called BTMOB is being offered to cybercriminals. It features a builder interface that allows attackers to create custom phishing payloads, making it easier to target specific users and organizations. This advanced customization aims to increase the effectiveness of phishing campaigns.
A disgruntled developer allegedly injected malicious code into a popular Java testing library, jqwik. The hidden code was designed to instruct AI coding assistants to delete application output, potentially disrupting development processes.
This article analyzes a year of files uploaded to DShield sensors, revealing trends in the most frequent threats. Activity peaked during the winter months (December 2025 to February 2026) before declining in March 2026.
Dutch law enforcement conducted a raid on THE.Hosting, a bulletproof hosting provider with alleged ties to Russian cybercrime. The operation resulted in the seizure of 800 servers and the arrest of two individuals. However, the core IP address space of the hosting provider was left untouched, suggesting the raid may not significantly disrupt the provider's long-term operations.
A critical RCE vulnerability has been found in Gogs, an open-source self-hosted Git service. This flaw allows any authenticated user to execute arbitrary code on the server under specific circumstances. Rapid7 has rated the vulnerability a 9.4 on the CVSS scale, and it does not currently have a CVE identifier.
The article argues that agentic AI, which involves AI models interacting with software tools, is not inherently risky. Instead, the primary security risks arise from how organizations choose to deploy these agents, particularly concerning the overlap in their functionalities and access.
Managed Service Providers (MSPs) often face an overwhelming volume of security alerts, making it difficult to identify genuine threats. Kaseya highlights how Security Information and Event Management (SIEM) solutions can help MSPs cut through this 'noise' by improving visibility, reducing alert fatigue, and enabling faster threat response.
A new Android malware named BTMOB has been identified that can perform a full device takeover. It is distributed through phishing lures and is capable of financial theft, data exfiltration, and providing remote access to attackers.
IBM and Red Hat are investing $5 billion in "Project Lightwell" to strengthen the security of open-source software supply chains. This initiative aims to address vulnerabilities without disrupting existing production systems.
A major malware operation known as GlassWorm, which targeted developers by poisoning software repositories, has been disrupted by a coordinated effort led by CrowdStrike. Despite this takedown, the broader problem of securing the open-source ecosystem and distinguishing real threats from automated noise remains a significant challenge for defenders.
This article announces a webinar that will discuss why network incidents often take too long to resolve, even when detection is fast. It will explore how automation and AI can help IT teams improve incident response times and reduce delays.
CISA is addressing multiple software supply chain attacks that target developer ecosystems, including CI/CD pipelines. These attacks involve malicious VS Code extensions and poisoned GitHub Action workflows, leading to unauthorized access and exfiltration of sensitive information like credentials and tokens. The incidents highlight the exploitation of developer tools and processes by threat actors.
Edamame, a startup based in France, has launched a new runtime verification platform. This platform is designed to detect when AI coding agents deviate from their intended tasks, steal secrets, or engage in supply-chain attacks by analyzing host telemetry and AI data in real time.
CISOs are grappling with the challenge of "agentic era" cybersecurity, where attacks occur at machine speed. The industry needs to develop scalable remediation strategies to address these advanced threats.
Google has launched a new AI Threat Defense platform designed to combat AI-powered cyberattacks. This platform integrates capabilities from Mandiant, Wiz, and Gemini to provide customers with AI-driven defenses.
The industrialization of exploitation through adversarial AI has fundamentally changed cybersecurity, shifting the landscape from a battle of elite skills to one where threat actors with compute and AI tooling can operate at machine speed. This new paradigm bypasses traditional defenses that relied on predictable attacker patterns and human speed.
A company CEO admitted to filling a file share with inappropriate content and then calling for help after deleting it. The incident came to light alongside a separate story about a missing school iPad that reappeared after being used to upload a video to YouTube.
The FBI has reported that a threat group, known by various names including The Silent Ransom Group (SRG), is successfully gaining physical access to US law firms by impersonating IT support personnel. Once inside, they insert USB devices into victim computers to install malware or steal data, a tactic that has been used for decades but is now being effectively employed in person.