The phishing kit known as Tycoon 2FA has seen its prominence decline, with threat actors now reusing its tools in other phishing kits. This shift is occurring amidst a broader surge in phishing attacks.
Grinex, a sanctioned cryptocurrency exchange, has suspended operations following a $13.74 million hack. The exchange attributes the attack to foreign intelligence agencies, citing its hallmarks as evidence of state-sponsored involvement.
Attackers are leveraging a Mirai botnet variant called Nexcorium to compromise TBK DVRs and end-of-life TP-Link Wi-Fi routers. The campaign specifically exploits CVE-2024-3721, a command injection vulnerability in TBK DVRs, to enlist these devices into a distributed denial-of-service (DDoS) botnet.
Maintainers of the Thymeleaf Java template engine have released a critical fix for a Server-Side Template Injection (SSTI) vulnerability, tracked as CVE-2026-40478. This flaw allows unauthenticated attackers to bypass sandbox protections and execute malicious code on servers by injecting crafted input into the template engine. The vulnerability impacts all Thymeleaf versions prior to 3.1.4.RELEASE, and due to the widespread use of Thymeleaf in the Java Spring ecosystem, a significant number of enterprise applications could be affected.
A US-sanctioned currency exchange, Grinex, has reported a $15 million heist, attributing the attack to "unfriendly states." The exchange claims the hackers utilized resources only available to such state actors, suggesting a sophisticated, nation-state-backed operation.
A flawed Cisco software update has introduced a critical vulnerability in over 200 Cisco IOS XE wireless access point models. This flaw causes a log file to grow rapidly, consuming flash memory and preventing further software updates, potentially rendering the devices insecure or bricked.
NIST is reducing its enrichment of CVE data, leading industry groups and ad hoc coalitions to step in and fill the void. This shift means that organizations will rely more on these external groups for detailed information about vulnerabilities. The move may create a more fragmented approach to vulnerability management if not handled carefully.
The Payouts King ransomware group is employing a novel technique by using QEMU virtual machines as a reverse SSH backdoor. This allows them to operate hidden VMs on compromised systems, effectively evading detection by endpoint security solutions.
Cybercriminals are shifting their tactics from traditional 2FA phishing to a more sophisticated method known as device code phishing. This technique abuses a service's legitimate new-device login flow to trick victims into inadvertently handing the attacker access to their accounts.
CISA has issued a directive to federal agencies, mandating a two-week deadline for patching a long-standing vulnerability in Apache ActiveMQ. This critical bug, which has been present for over 13 years, is now actively being exploited by attackers.
Journalists were able to track the location of a Dutch navy frigate by mailing a Bluetooth tracker to the vessel. This incident highlights an operational security (opsec) lapse, despite significant military investment in security training and policies. The tracker was reportedly purchased for a nominal sum.
Kyrgyzstan-based cryptocurrency exchange Grinex has suspended operations following a $13.7 million hack. The exchange has attributed the attack to Western intelligence agencies. This incident highlights ongoing risks in the cryptocurrency space, particularly concerning the potential for state-sponsored attacks.
Artificial intelligence is not creating novel software vulnerabilities but is instead making existing ones more exploitable and dangerous. AI tools can be used by attackers to quickly discover and weaponize known flaws in legacy systems and software.
Underground guides are being used by threat actors to vet stolen credit card shops before engaging with them. These guides focus on evaluating shops based on data quality, seller reputation, and the shop's ability to remain operational.
Threat actors are actively exploiting three zero-day vulnerabilities in Microsoft Defender, identified as BlueHammer, RedSun, and UnDefend. These flaws allow attackers to gain elevated privileges within compromised systems, with two of the vulnerabilities remaining unpatched.
The White House is preparing to grant federal agencies access to a modified version of Anthropic's Claude Mythos AI model. This move aims to leverage the AI's capabilities for identifying cybersecurity vulnerabilities, despite ongoing supply-chain risk designations against Anthropic by the Department of Defense.
A webinar is being offered to Managed Service Providers (MSPs) and corporations on how to address evolving cyberattacks, particularly those initiated by phishing. The session will focus on integrating security and recovery strategies to mitigate risk and ensure business continuity.
This article highlights several distinct cybersecurity-related news items. These include the passage of the Satellite Cybersecurity Act, a $90,000 reward offered for a Chrome browser vulnerability, and the arrest of a teenage hacker. Other mentions cover ShinyHunters targeting Rockstar Games, an exploited ShowDoc vulnerability, and the EPA increasing its cybersecurity budget.
A new proof-of-concept exploit named 'RedSun' has been disclosed, which abuses Microsoft Defender's handling of cloud-tagged files to escalate privileges. The exploit leverages a flaw where Defender attempts to restore rather than delete certain flagged files, allowing attackers to overwrite system files and gain SYSTEM-level privileges.
Anthropic has developed Claude Mythos Preview, an AI model capable of identifying and exploiting software vulnerabilities. Due to its power, Anthropic has restricted access to a limited number of organizations under Project Glasswing, rather than releasing it publicly.
Kamerin Stokes, involved in the DraftKings data breach, has been sentenced to prison. He continued to sell stolen credentials on an online marketplace even after pleading guilty to his role in the attack.
US lawmakers held a private discussion focused on the rapid advancements in Artificial Intelligence. The meeting was characterized by widespread anxiety and concerns about the potential destructive capabilities of AI, reflecting the broader societal unease surrounding the technology's implications.
Apple is reportedly developing a fix for a bug that has prevented some iPhone users from accessing their devices for months. The issue, described as a flaw related to passcode characters, has led to significant frustration, with some users contemplating a switch to Android. Apple engineers are said to be working quickly to resolve the problem.
A remote code execution vulnerability in Apache ActiveMQ, identified as CVE-2026-34197, has been actively exploited in the wild. The vulnerability became publicly known in early April, and the article highlights that exploitation of this specific flaw is ongoing.
CISA has issued a warning about a critical vulnerability in Apache ActiveMQ that is actively being exploited by attackers. This flaw remained undetected for 13 years before being patched earlier this month.
The article discusses how certain electoral systems and voter registration processes can lead to voter disenfranchisement, which is framed as a privacy issue. It highlights concerns about data accuracy, access to information, and potential manipulation within these systems.
Two individuals have been sentenced in the US for their roles in a scheme that facilitated North Korean IT workers obtaining employment at numerous US companies. The facilitators misused the identities of dozens of US citizens to help these North Korean workers secure these positions.
A new malware strain named ZionSiphon has been identified, specifically targeting Industrial Control Systems (ICS) within Israeli water treatment and desalination facilities. The malware is configured to run on systems that are critical to keeping these essential services operating.
Microsoft has issued a warning that some Windows domain controllers are experiencing unexpected reboot loops following the installation of the April 2026 security updates. The issue appears to be affecting specific configurations, and Microsoft is actively investigating a resolution. Users are advised to hold off on applying these updates until further guidance is provided.
A vulnerability in Cursor AI could allow attackers to gain shell access to developer machines. This was achieved by chaining an indirect prompt injection with a sandbox bypass and Cursor's remote tunnel feature.
NIST is limiting the enrichment of CVEs in its National Vulnerability Database (NVD) due to a 263% surge in submissions. Only CVEs meeting specific criteria will receive detailed analysis, while others will be listed without enrichment. This change aims to manage the overwhelming volume of vulnerability data.
Kamerin Stokes, 23, of Memphis, Tennessee, has been sentenced to 30 months in prison for his role in selling access to tens of thousands of hacked DraftKings accounts. He was involved in a scheme to steal and sell these credentials on the dark web.
The article reports that Anthropic's advanced AI model, Claude Opus, was used to generate a Chrome exploit, which was then sold on a dark web forum for $2,283. This incident highlights concerns about AI models being used by malicious actors to discover and weaponize zero-day vulnerabilities.
Threat actors are actively exploiting three recently disclosed Windows zero-day vulnerabilities in live attacks. These exploits are being used to gain SYSTEM or elevated administrator privileges on compromised systems. The vulnerabilities allow for privilege escalation, a critical step in many attack chains.
NIST has announced it will no longer enrich most CVE (Common Vulnerabilities and Exposures) data, significantly reducing the descriptive information available for many security flaws. This decision aims to reduce processing costs and expedite the release of CVE data. The change could impact automated security tools and analysts who rely on this enriched data for threat prioritization.
A high-severity vulnerability in Apache ActiveMQ Classic, CVE-2026-34197, has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog due to active exploitation. The listing requires federal agencies to patch the flaw, highlighting its immediate and significant threat.
The SANS Internet Storm Center is reporting a new infection chain involving Lumma Stealer and the Sectop RAT, also known as ArechClient2. This sophisticated attack leverages Lumma Stealer to compromise systems and then deploys the Sectop RAT to maintain persistence and potentially steal further information.
A design flaw in Anthropic's Model Context Protocol (MCP) could expose up to 200,000 servers to complete takeover, according to security researchers. Anthropic, however, argues that the behavior is an intended feature stemming from a poor design choice. This disagreement highlights potential security risks in widely adopted AI protocols.
Cisco has issued advisories for critical vulnerabilities in its Webex services, specifically affecting the SSO integration with Control Hub. Admins must install a new identity provider certificate to mitigate a flaw that could allow unauthenticated attackers to impersonate users.
An architectural choice in Anthropic's reference implementation of the Model Context Protocol (MCP) may expose AI agent systems to remote code execution. Unsafe defaults in how MCP configurations are handled over the STDIO interface have allowed researchers to execute commands on real company services and thousands of open-source projects.
A new malware named ZionSiphon has been identified, specifically designed to target operational technology within water treatment and desalination facilities. Its primary objective is to disrupt and sabotage the critical operations of these systems.
NIST is changing how it handles CVEs due to an overwhelming volume of submissions, leading to a significant backlog. The agency will now prioritize enriching CVEs in CISA's Known Exploited Vulnerabilities catalog and those related to federal government software and critical software.
New York's proposed budget includes provisions mandating censorware on all 3D printers sold in the state, which would surveil prints for forbidden designs and create felony charges for possessing or sharing certain design files. Experts argue this algorithmic print blocking is unfeasible and will stifle innovation, free expression, and privacy.
A researcher has released a proof-of-concept exploit for a new Microsoft Defender zero-day vulnerability named "RedSun." This exploit, published in protest of Microsoft's handling of security researchers, allows an attacker to gain SYSTEM privileges.
North Korean threat actors, tracked as Sapphire Sleet, are targeting macOS users with malware called ClickFix. The attack relies on deceptive tactics, such as fake job offers and phony Zoom updates, to trick users into downloading the malware. ClickFix is designed to steal credentials and sensitive data from compromised Mac devices.
A previously benign adware campaign, Dragon Boss, has evolved to become a significant threat by incorporating capabilities to evade Windows Defender. The update, released in March 2025, establishes persistence through scheduled tasks and manipulates system settings to exclude future malicious payloads from antivirus detection.
North Korean threat actors are targeting macOS users with a new campaign that employs social engineering and a fake Zoom software update. The malware is designed to steal user credentials and cryptocurrency, leveraging a technique that requires manual execution by the victim.
A newly discovered botnet named PowMix has been actively targeting workers in the Czech Republic since December 2025. The botnet utilizes randomized command-and-control (C2) beaconing intervals to evade network signature detection systems.
Hackers are exploiting a critical vulnerability in the Marimo reactive Python notebook to deploy a new variant of NKAbuse malware. This malware is being hosted on Hugging Face Spaces, a platform for sharing AI models and applications.
Push notifications on smartphones can reveal sensitive information, and both Apple and Google share this data with law enforcement when presented with judicial orders. Forensic tools can even recover deleted notification content, including from secure messaging apps. The article outlines how notifications pose a privacy risk both in transit (via the vendors' cloud servers) and at rest on the device itself.