Intelligence · Updated daily
AI-analysed threats, vulnerabilities and campaigns. Not just what happened — what it means, who's affected, and what to do about it.
A researcher calling themselves 'Chaotic Eclipse' has published a proof-of-concept exploit for 'RedSun', a second Microsoft Defender zero-day discovered in recent weeks. The public disclosure appears motivated by protest over Microsoft's vulnerability coordination practices.
ZionSiphon is a newly discovered malware family purpose-built for operational technology environments, specifically engineered to disrupt water treatment and desalination plants. This represents a shift toward adversary-developed sabotage tools for critical infrastructure rather than repurposed IT malware.
Law enforcement and private sector security research identified and disrupted 75,000 DDoS botnet operators and took down 53 infrastructure domains in a coordinated operation spanning 21 countries. This represents significant progress against organised DDoS-as-a-service providers but signals the need for sustained pressure on the ecosystem.
A stored cross-site scripting (XSS) vulnerability in Decidim's user name field enables arbitrary code execution in victim browsers via passive comment page visits. This represents a critical stored XSS variant with cross-security-boundary impact.
OpenAI discovered that malicious Axios npm packages executed within a GitHub Actions workflow and compromised macOS code-signing certificates used for application distribution. The incident highlights how CI/CD environments remain attractive targets for attackers seeking to inject malware into signed, trusted applications.
US and Indonesian authorities shut down the W3LL phishing service and arrested its developer in the first joint enforcement action targeting a phishing kit provider. This represents a shift toward coordinated international takedowns of infrastructure that enables mass credential theft campaigns.
wolfSSL's improper validation of hash algorithm identity and length in ECDSA signature verification allows attackers to forge valid certificates, potentially compromising any system relying on wolfSSL for TLS authentication.
ShinyHunters gang leaked analytics data stolen from Rockstar Games following a breach at Anodot, a third-party analytics provider. This illustrates how trusted vendor compromises can expose major game publishers to data exfiltration without direct infrastructure compromise.
Hackers breached Dutch fitness chain Basic-Fit and accessed data for approximately one million members. This represents a significant exposure of personal information in a sector that has historically underinvested in security controls.
Unauthenticated credential disclosure in Juju CloudSpec API allows any authenticated controller user to retrieve cloud bootstrap credentials, bypassing intended role-based access controls. This PoC demonstrates privilege escalation through API permission misconfiguration affecting multiple recent versions.
Paperclip instances with default configuration allow unauthenticated account creation, authentication bypass, and privilege escalation to RCE through a six-step API chain. This affects all publicly accessible deployments running in authenticated mode without explicit hardening.
Daptin's cloudstore.file.upload action fails to validate user-supplied filenames, enabling unauthenticated attackers to write arbitrary files to disk via path traversal and zip slip attacks. This vulnerability bypasses authentication entirely and presents immediate RCE risk.
Storm-2755, a financially motivated threat actor, is compromising Microsoft employee accounts to redirect salary payments. This represents a shift in targeting from external victims to internal credential compromise for direct financial gain.
Attackers compromised CPUID's API and modified download links on the official website to serve malicious versions of CPU-Z and HWMonitor, two ubiquitous hardware monitoring tools. This represents a high-impact supply-chain attack affecting potentially millions of end-users who trust these downloads.
Qualys analysed one billion CISA KEV (Known Exploited Vulnerabilities) remediation records and found that most critical flaws are actively exploited in the wild before organisations can deploy patches. This exposes a fundamental timing mismatch between vulnerability disclosure and attacker speed.
Iranian-linked cyber operators have mapped nearly 4,000 internet-exposed Rockwell Automation programmable logic controllers across U.S. critical infrastructure. This reconnaissance indicates preparation for potential disruptive attacks against operational technology networks.
OpenAI has launched a $100 monthly Pro subscription tier matching Anthropic's Claude pricing, reflecting competitive pressure in the generative AI market. This pricing escalation may influence how organisations evaluate AI tool security postures and dependency risks.
German authorities have publicly identified Daniil Maksimovich Shchukin, a 31-year-old Russian national, as the operator behind the REvil and GandCrab ransomware groups. The disclosure represents a significant attribution success but raises questions about law enforcement coordination and timing given the geopolitical context.
North Korean threat actors conducted a methodical six-month social engineering operation against Drift, a Solana-based decentralised exchange, culminating in a $285 million theft in April 2026. The campaign demonstrates DPRK's shift toward patient, targeted infiltration of high-value cryptocurrency platforms rather than opportunistic attacks.
Threat actors are conducting large-scale automated attacks exploiting CVE-2025-55182 (React2Shell) in vulnerable Next.js applications to harvest credentials at scale. This represents a shift from opportunistic patching cycles to industrialised credential theft targeting the JavaScript framework ecosystem.
Scammers are distributing fake traffic violation notices via SMS with embedded QR codes that direct victims to phishing sites harvesting payment details and personal information. The shift to QR codes likely reflects successful SMS URL filtering deployed by carriers.
An unauthenticated attacker can execute arbitrary code as root by POSTing to a public webhook endpoint that triggers automation workflows containing Bash steps with unsanitized template processing. This requires zero authentication and demonstrates complete server compromise.
pyLoad's fix for CVE-2026-33992 validates only the initial download URL but fails to validate HTTP redirect targets, allowing authenticated attackers to reach internal addresses. The PoC demonstrates that pycurl's automatic redirect following (FOLLOWLOCATION=1, MAXREDIRS=10) completely bypasses IP filtering.
Fortinet released emergency patches for CVE-2026-35616, a pre-authentication API access control flaw in FortiClient EMS that allows unauthenticated attackers to escalate privileges. The vulnerability is being actively exploited in the wild.
Researchers identified 36 malicious npm packages masquerading as Strapi CMS plugins that exploit Redis and PostgreSQL instances, harvest credentials, deploy reverse shells, and install persistent implants. This represents a coordinated supply-chain attack targeting development environments with potential access to production infrastructure.