Intelligence · Updated daily

Security Intelligence

AI-analysed threats, vulnerabilities and campaigns. Not just what happened — what it means, who's affected, and what to do about it.

RSS feedCVE index401 entries

Vulnerabilities Malware Campaigns Supply Chain Policy Tools

Priority

highCampaignActive

GopherWhisper's Go-Based Backdoor Infrastructure Signals Shift Toward Living-Off-The-Land Tactics in Chinese State Espionage

A China-linked APT group identified as GopherWhisper is conducting targeted campaigns against government entities using multiple Go-based backdoors combined with legitimate service abuse to evade detection. The group's reliance on custom loaders and injectors suggests a maturing operational capability focused on persistence and evasion.

26 April 2026Government agencies (specific sectors not disclosed)

highMalwareResolved

Pre-Stuxnet Lua Malware 'fast16' Reveals Extended Timeline of Sophisticated State-Sponsored Sabotage Operations

Researchers discovered a Lua-based malware framework dating to 2005 that targeted engineering software for cyber sabotage, predating Stuxnet by several years and suggesting a deeper operational history of state-sponsored infrastructure attacks.

26 April 2026High-precision calculation software, Engineering software

highMalwareActive

UNC6692 deploys Snow malware via Microsoft Teams social engineering, signalling expansion of platform-based attack delivery

Threat actor UNC6692 is using Microsoft Teams to socially engineer targets into executing a custom malware suite called Snow, which comprises a browser extension, tunneler, and backdoor. This represents a shift toward trusted communication platforms as malware delivery vectors, complicating detection and increasing organisational risk.

26 April 2026Microsoft Teams, Microsoft 365 users

highVulnerabilityActive

go-zserio Unbounded Memory Allocation via Untrusted Deserialization

go-zserio trusts size fields during deserialization without validation, allowing attackers to trigger excessive memory allocation (DoS). This PoC demonstrates a fundamental input validation flaw affecting all platforms.

GHSA-xhj4-g6w8-2xjw

25 April 2026woven-by-toyota/go-zserio

highVulnerabilityActive

Gemini CLI Workspace Trust Bypass: RCE via Malicious Environment Configuration in CI/CD

Gemini CLI automatically trusted workspace folders in headless/CI mode without validation, allowing malicious `.gemini/` configuration files to execute arbitrary code via environment variable injection. The `--yolo` flag further bypassed tool allowlisting controls.

UNASSIGNED

25 April 2026@google/gemini-cli, run-gemini-cli GitHub Action

criticalVulnerabilityActive

Command Injection in electerm via Unsafe Shell Execution in Package Installation

electerm's install.js contains a command injection flaw where attacker-controlled version strings are directly concatenated into shell commands without sanitization. Defenders must identify vulnerable installations and verify patching, as remote version metadata compromise could lead to arbitrary code execution during package installation.

CVE-2026-41501

25 April 2026electerm/electerm

All intelligence

Showing 19 of 401

informationalPolicyActive

Windows Insider Program Revamp Signals Systemic Reliability Issues in Windows 11

Microsoft is restructuring the Windows Insider Program to better address performance and reliability problems in Windows 11. This indicates widespread quality concerns that Microsoft believes require organisational and process changes to resolve.

26 April 2026Windows 11, Windows Insider Program participants

informationalPolicyEmerging

Microsoft Entra Passkeys on Windows: A Positive Shift Toward Phishing-Resistant Authentication

Microsoft is rolling out native passkey support for Entra-protected resources on Windows devices in late April, enabling phishing-resistant passwordless authentication. This represents a significant step in reducing reliance on password-based authentication across enterprise environments.

25 April 2026Microsoft Entra, Windows devices

highCampaignActive

BlackFile extortion gang weaponises vishing at scale against retail and hospitality

BlackFile, a financially motivated threat actor, has orchestrated a coordinated campaign of data theft and extortion attacks against retail and hospitality organisations since February 2026, combining social engineering with data exfiltration. The group's use of vishing as a primary attack vector suggests a shift toward human-centric compromise rather than technical vulnerability exploitation.

25 April 2026Retail sector organisations, Hospitality sector organisations

informationalPolicyActive

Windows Update UI enhancements reduce disruption but mask underlying forced-restart architecture

Microsoft is expanding user controls in Windows Update to allow deferral and scheduling of restarts, reducing operational disruption. While operationally beneficial, this formalises rather than fundamentally changes the forced-restart model that remains a security and stability concern.

25 April 2026Windows (all supported versions)

criticalMalwareActive

Firestarter persistence on Cisco firewalls reveals post-compromise resilience gap in security appliance architecture

Custom malware called Firestarter persists on Cisco Firepower and ASA devices even after security patches and firmware updates, indicating attackers have achieved privileged compromise that survives standard remediation procedures.

25 April 2026Cisco Firepower Threat Defense (FTD), Cisco Adaptive Security Appliance (ASA), Cisco Secure Firewall

highCampaignActive

ADT breach exposes the extortion playbook: when market leaders become ransomware targets

ADT confirmed a data breach following ShinyHunters' public extortion threat to sell stolen customer data. The incident illustrates how established security vendors remain attractive targets for financially motivated threat actors despite their market position.

25 April 2026ADT

criticalVulnerabilityActive

OpenC3 COSMOS Script Runner: Privilege Escalation via Docker Network Access and Credential Exposure

Authenticated users with script execution permissions can bypass API access controls by directly connecting to internal services (Redis, S3) via shared Docker network, escalating privileges to administrative level. This PoC demonstrates the exploitation chain requires minimal effort once script execution is granted.

GHSA-2wvh-87g2-89hr

24 April 2026openc3inc/openc3-cosmos-script-runner-api

mediumPolicyEmerging

Rituals Membership Breach Exposes Customer PII: Another Retail Target for Credential Harvesting

Dutch cosmetics retailer Rituals suffered a data breach affecting its 'My Rituals' membership database, with attackers extracting customer names and addresses. The incident highlights ongoing targeting of loyalty programme databases by threat actors seeking PII for fraud and resale.

24 April 2026Rituals (Dutch cosmetics retailer), My Rituals membership programme

criticalSupply ChainActive

Checkmarx KICS Supply-Chain Compromise: Multi-Vector Attack on Developer Infrastructure

Attackers compromised Docker images, VSCode extensions, and Open VSX packages for the Checkmarx KICS static analysis tool to steal credentials and sensitive data from developer environments. The compromise affects any developer using these distribution channels.

24 April 2026Checkmarx KICS, Docker Hub, VSCode Extension Marketplace +1

highMalwareActive

Trigona Ransomware Operators Deploy Bespoke Data Exfiltration Tool to Accelerate Theft Operations

Trigona ransomware operators have developed a custom command-line exfiltration utility to speed up data theft from compromised networks. This represents a shift toward operationalised tooling that reduces dwell time and increases the volume of data stolen per attack.

24 April 2026Enterprise networks (unspecified sectors)

criticalSupply ChainContained

NPM supply-chain compromise: Bitwarden CLI trojanised to harvest developer credentials at scale

Attackers uploaded a malicious @bitwarden/cli package to npm that stole developer credentials and could propagate to downstream projects. The compromise was discovered and remediated rapidly, but represents a successful attack on a trusted security tool distribution channel.

24 April 2026Bitwarden CLI, npm ecosystem, developers using @bitwarden/cli

criticalVulnerabilityActive

Unauthenticated file upload in Breeze Cache exposes millions of WordPress sites to direct compromise

A file upload vulnerability in the widely-installed Breeze Cache WordPress plugin allows attackers to upload arbitrary files without authentication, enabling remote code execution on affected servers. Active exploitation is underway.

24 April 2026Breeze Cache WordPress plugin

highCampaignActive

Teams as attack surface: threat actors weaponise Microsoft's collaboration platform for helpdesk impersonation and lateral movement

Microsoft has observed threat actors increasingly abusing external Teams channels to impersonate helpdesk staff, deceive users into credential disclosure, and establish footholds for lateral movement within enterprise networks. The attack exploits Teams' legitimacy and ubiquity to bypass social engineering defences.

21 April 2026Microsoft Teams, Enterprise organisations using Microsoft 365

highCampaignActive

Seiko USA website defacement signals shift toward Shopify platform targeting in extortion campaigns

Attackers defaced the Seiko USA website and claim to have exfiltrated customer data from its Shopify database, demanding ransom under threat of public disclosure. This represents a continued trend of threat actors targeting e-commerce platforms as high-value sources of customer personally identifiable information.

21 April 2026Seiko USA, Shopify platform

highCampaignActive

Gentlemen ransomware gang escalates infrastructure through SystemBC botnet integration

Gentlemen ransomware operators have integrated SystemBC proxy malware into their attack chain, leveraging a botnet of over 1,570 corporate hosts to obfuscate command-and-control communications and expand operational resilience. This represents a maturation of the gang's infrastructure and signals they are adopting commodity malware to increase attack surface.

21 April 2026Corporate networks (estimated 1,570+ victims)

highMalwareActive

App Store Supply Chain Compromise: 26 Wallet Impersonators Exploit Apple's Curation Gap in High-Value Crypto Market

26 fraudulent cryptocurrency wallet apps mimicking Metamask, Coinbase, Trust Wallet, and OneKey were distributed through Apple's App Store in China, designed to harvest seed phrases and drain user funds. This represents a significant supply chain compromise of a trusted platform targeting high-value assets.

21 April 2026Apple App Store, Metamask, Coinbase +2

criticalCampaignActive

North Korean State Actors Exploit DeFi Security Gaps in $290M KelpDAO Theft

Lazarus Group actors conducted a $290 million theft from KelpDAO, a DeFi protocol, likely exploiting smart contract or operational security vulnerabilities. This represents a significant escalation in state-sponsored targeting of decentralised finance infrastructure.

21 April 2026KelpDAO

highSupply ChainContained

Third-party AI tool compromise enables supply-chain attack against Vercel infrastructure

Vercel suffered a breach originating from a compromised Context.ai account used by an employee, allowing attackers to pivot into internal systems via Google Workspace takeover. The incident exposes how AI tooling adoption introduces new attack surfaces in security-sensitive environments.

20 April 2026Vercel, Context.ai

highPolicyActive

NIST Triage Collapse: Vulnerability Rating Backlog Forces Abandonment of Low-Priority CVE Scoring

NIST will cease assigning severity scores to lower-priority vulnerabilities, unable to keep pace with the volume of submissions. This degrades the utility of the Common Vulnerability Scoring System and creates ambiguity for defenders prioritising patch cycles.

20 April 2026NIST CVE Programme, All organisations relying on CVSS scoring