Intelligence · Updated daily

Security Intelligence

AI-analysed threats, vulnerabilities and campaigns. Not just what happened — what it means, who's affected, and what to do about it.

RSS feedCVE index493 entries

Vulnerabilities Malware Campaigns Supply Chain Policy Tools

Priority

criticalVulnerabilityEmerging

MiniPlasma 0-Day Exposes Systemic Patching Failure in Windows Cloud Files Driver

Researcher Chaotic Eclipse has released a working exploit for MiniPlasma, a Windows privilege escalation zero-day in the Cloud Files Mini Filter Driver (cldflt.sys) that grants SYSTEM access on fully patched systems. This represents a complete bypass of Windows security controls and poses immediate risk to all affected Windows installations.

18 May 2026Microsoft Windows, Windows Cloud Files Mini Filter Driver (cldflt.sys)

highVulnerabilityActive

DirtyDecrypt PoC Released: Linux Kernel rxgk LPE Now Weaponised Post-Patch

A proof-of-concept exploit has been released for DirtyDecrypt, a recently patched local privilege escalation vulnerability in the Linux kernel's rxgk module. Attackers with local access can now more easily achieve root-level code execution on affected systems.

18 May 2026Linux kernel (systems running vulnerable rxgk module)

highCampaignActive

Grafana Breach Attributed to Coinbase Cartel: High-Profile Threat Actor Cluster Targeting Observability Infrastructure

Grafana Labs confirmed a data breach attributed to Coinbase Cartel, a cybercriminal group with documented links to ShinyHunters, Scattered Spider, and Lapsus$. The incident targets a critical observability platform used across thousands of organisations for infrastructure monitoring.

18 May 2026Grafana Labs, Grafana Enterprise, Grafana Cloud

highMalwareResolved

Fast16: Archaeological Evidence of State-Sponsored Nuclear Sabotage Predating Stuxnet

Symantec and Carbon Black have analysed the Lua-based Fast16 malware, a pre-Stuxnet cyber sabotage tool designed to corrupt uranium-compression simulations used in nuclear weapons design. The discovery provides historical evidence of advanced persistent threat capabilities targeting critical infrastructure simulation environments.

18 May 2026Nuclear weapons programme simulation systems

highPolicyActive

Windows 11 May 2026 Security Update Deployment Failure: Systemic Installation Issues Across User Base

Microsoft's May 2026 Windows 11 security update (KB5089549) fails to install on multiple systems, returning 0x800f0922 errors. This prevents security patch deployment on affected machines, leaving them exposed to unpatched vulnerabilities.

18 May 2026Windows 11, Microsoft

highVulnerabilityActive

Pwn2Own Berlin 2026 rewards $1.3M in zero-days across Windows, Linux, VMware, and AI products

Security researchers demonstrated previously unknown exploits at Pwn2Own Berlin 2026, earning $1.3 million in total bounties across multiple platforms including Windows, Linux, VMware, Nvidia, and AI systems. The event highlights an active market for zero-day vulnerabilities and signals emerging attack surface in AI products.

18 May 2026Windows, Linux, VMware +2

All intelligence

Showing 19 of 493

mediumPolicyEmerging

South Korea's Deepfake Regulation Test: Can Legal Frameworks Outpace Synthetic Media Technology

South Korea will use its upcoming local elections as a live test of deepfake regulations to assess whether legislative controls can effectively prevent malicious synthetic media in political contexts. The outcome will inform global policy approaches to synthetic content threats.

18 May 2026South Korean electoral system, Voters in South Korean local elections

highVulnerabilityEmerging

Pwn2Own Berlin 2026 reveals 47 zero-days: vulnerability disclosure at scale raises questions about coordinated remediation

Security researchers earned $1.3m by demonstrating 47 zero-day exploits at Pwn2Own Berlin 2026. The volume of disclosed vulnerabilities highlights the ongoing gap between vulnerability discovery and vendor patching capacity.

18 May 2026Multiple vendors (specific products not identified in source)

highCampaignActive

Tycoon2FA expands device-code phishing capability, abusing legitimate email infrastructure to compromise Microsoft 365

The Tycoon2FA phishing kit has added device-code authentication flow attacks to its arsenal and now abuses Trustifi click-tracking URLs to mask malicious redirects, enabling credential theft against Microsoft 365 users at scale.

17 May 2026Microsoft 365, Trustifi

criticalVulnerabilityActive

NGINX CVE-2026-42945 heap overflow under active exploitation with RCE potential

A heap buffer overflow in NGINX's rewrite module (CVE-2026-42945, CVSS 9.2) is being exploited in the wild days after disclosure, affecting versions 0.6.27 through 1.30.0 and potentially enabling remote code execution or worker process crashes.

CVE-2026-42945

17 May 2026NGINX Plus, NGINX Open Source

criticalVulnerabilityEmerging

MiniPlasma: Public PoC for Windows Privilege Escalation Zero-Day Raises Immediate Exploitation Risk

A Windows privilege escalation zero-day called MiniPlasma has had a proof-of-concept exploit publicly released, allowing attackers to achieve SYSTEM-level access on fully patched systems. Public PoC availability significantly increases exploitation risk across all affected Windows environments.

17 May 2026Windows (fully patched systems)

highVulnerabilityActive

Microsoft's Silent Azure Backup Fix Raises Questions on Vulnerability Disclosure Transparency

A security researcher claims Microsoft quietly patched an Azure Backup for AKS vulnerability without issuing a CVE or acknowledging the original report, whilst Microsoft contests the characterisation and denies making product changes. The dispute highlights tensions in coordinated disclosure practices and raises concerns about undisclosed fixes in cloud infrastructure.

17 May 2026Microsoft Azure Backup for AKS

highVulnerabilityActive

Unauthenticated Directory Enumeration in Remote Sunrise Helper for Windows 2026.14

Remote Sunrise Helper for Windows 2026.14 permits unauthenticated attackers to enumerate files and directories via an improperly secured API or web interface. This PoC demonstrates information disclosure that could facilitate follow-on attacks.

16 May 2026Remote Sunrise Helper for Windows 2026.14

highVulnerabilityActive

Windows Snipping Tool NTLMv2 Hash Interception – Local Credential Relay Risk

The Snipping Tool can be abused to trigger NTLM authentication flows that leak NTLMv2 hashes to attacker-controlled network locations. Defenders must monitor for suspicious UNC path access and enforce network segmentation to prevent hash relay attacks.

16 May 2026Microsoft/Windows Snipping Tool

criticalCampaignActive

UNC6671's BlackFile Campaign: Vishing and AiTM as a Vector to Cloud Extortion at Scale

UNC6671 operates BlackFile, an extortion campaign using sophisticated vishing and adversary-in-the-middle techniques to bypass MFA and compromise Microsoft 365 and Okta environments, exfiltrating corporate data for extortion. The attack chain circumvents traditional perimeter defences by targeting human authentication vectors rather than technical infrastructure.

16 May 2026Microsoft 365, Okta, Cloud environments

mediumCampaignActive

Aggregated Security Digest: Multiple Vectors from Cloud Gaming Breaches to Legislative Pressure

SecurityWeek reports on multiple concurrent security issues including an Nvidia cloud gaming data breach, Canvas LMS compromise by ShinyHunters following FBI warning, Android 17 hardening, and automotive/enterprise vulnerabilities. The clustering suggests defenders face distributed pressure across consumer, educational, and enterprise sectors.

16 May 2026Nvidia, Canvas LMS, Android +2

highMalwareActive

Turla Weaponises Kazuar Backdoor as P2P Botnet: FSB-Linked Group Escalates Persistence Capabilities

Russian state-sponsored group Turla has rebuilt its Kazuar backdoor into a modular peer-to-peer botnet designed for stealth and persistent command-and-control. This represents a significant operational upgrade that complicates detection and attribution for defenders.

16 May 2026Enterprise networks (sector-agnostic), Government and critical infrastructure organisations

highVulnerabilityActive

THORChain vault compromise exposes multi-signature custody weaknesses in DeFi infrastructure

THORChain suffered a $10.7 million theft from one of six vaults, indicating a compromise of their multi-signature custody mechanism. This demonstrates that even established DeFi platforms remain vulnerable to sophisticated attacks targeting key management and vault architecture.

16 May 2026THORChain

criticalVulnerabilityActive

Active exploitation of Funnel Builder plugin vulnerability exposes WooCommerce payment data

Attackers are actively exploiting a critical flaw in the Funnel Builder WordPress plugin to inject malicious JavaScript into WooCommerce checkout pages, enabling payment card theft from customer transactions.

16 May 2026Funnel Builder plugin for WordPress, WooCommerce

criticalVulnerabilityActive

Marten Full-Text Search SQL Injection via Unparameterized regConfig

Marten's full-text search APIs directly interpolate user-supplied regConfig parameters into SQL queries without sanitization, enabling unauthenticated SQL injection against PostgreSQL backends. The PoC confirms multiple attack vectors including time-based exfiltration and arbitrary query execution.

CVE-2026-45288

15 May 2026JasperFx/marten

criticalVulnerabilityActive

VM2 Sandbox Escape via Async Generator Type Confusion

VM2 fails to properly isolate host exceptions thrown during async generator cleanup, allowing attackers to break sandbox confinement and execute arbitrary host code. This PoC reliably demonstrates RCE by constructing a type-confused Error object that escapes sandbox restrictions.

CVE-2026-45411

15 May 2026vm2

informationalPolicyActive

Cyber Incident Signals as Financial Indicators: Exploring the Intersection of Security Breach Data and Market Trading

SentinelOne Labs researchers examined whether publicly disclosed breach signals and market timing models can be used to predict or capitalise on stock price movements following cyber incidents, exploring the emerging intersection of cybersecurity data and financial markets.

15 May 2026

informationalPolicyEmerging

Data Center Security-Performance Tradeoff Revisited for AI Infrastructure

SecurityWeek publishes guidance on implementing security controls in AI data centres without proportional performance degradation. This reflects growing industry recognition that security and throughput constraints can be co-optimised through architectural choices.

15 May 2026

criticalSupply ChainActive

Supply-chain compromise in node-ipc npm package: three malicious versions distribute data-stealing backdoor

Three versions of the widely-used node-ipc npm package (9.1.6, 9.2.3, 12.0.1) were found to contain malicious code designed to exfiltrate developer secrets and credentials. This represents a direct compromise of a critical infrastructure dependency affecting Node.js projects globally.

15 May 2026node-ipc npm package, Node.js projects using affected versions

highSupply ChainActive

Coordinated supply chain compromise targets AI companies through TanStack and ecosystem packages

A supply chain campaign has compromised the TanStack npm library and related packages on npm and PyPI, affecting multiple AI companies including OpenAI. The attack leverages trusted open-source dependencies to distribute malicious code to downstream users.

15 May 2026OpenAI, TanStack, npm ecosystem +2