Intelligence · Updated daily
AI-analysed threats, vulnerabilities and campaigns. Not just what happened — what it means, who's affected, and what to do about it.
Attackers are exploiting Apple's account change notification system to deliver phishing emails from Apple's own servers, dramatically increasing message authenticity and bypassing traditional spam filters. This technique transforms a security feature into a distribution channel for fraud.
Vercel, a major cloud deployment platform used by thousands of companies, has confirmed a security incident with threat actors claiming to possess stolen data and attempting to sell it. This represents a significant supply-chain risk given Vercel's position in the modern development workflow and the potential scope of compromised customer environments.
Grinex, a UK and US-sanctioned Kyrgyzstan-based cryptocurrency exchange, suspended operations following a $13.74M theft and attributed the attack to Western intelligence agencies. The claim raises questions about attribution credibility, state cyber capabilities against financial infrastructure, and the resilience of sanctioned platforms.
Unmanaged service accounts, API keys, and orphaned credentials represent the largest attack surface in cloud environments, with compromised non-human identities responsible for nearly 7 in 10 cloud breaches in 2024. Organisations typically lack visibility into 40-50 automated credentials per employee that persist after project termination or staff departure.
NAKIVO released v11.2 with enhanced ransomware detection capabilities, faster replication, and support for vSphere 9 and Proxmox VE 9.0. This reflects the broader industry trend of backup vendors integrating proactive threat detection as ransomware operators increasingly target backup infrastructure.
A recent Microsoft Edge update introduced a bug that disables right-click paste functionality in Microsoft Teams desktop client chats, degrading user productivity across organisations relying on both products.
A critical remote code execution flaw in protobuf.js has been exploited with published proof-of-concept code, enabling arbitrary JavaScript execution in applications using this widely-deployed serialisation library. This poses immediate risk to any Node.js or browser-based system consuming untrusted Protocol Buffer messages.
The SCP middleware in charm.land/wish fails to validate resolved paths remain within configured root directories, allowing unauthenticated clients to read/write arbitrary files. This PoC demonstrates a fundamental flaw in path sanitization logic affecting all current versions.
Zebra failed to enforce consensus rules for V5 transaction sighash hash-type validation post-NU5 upgrade, and incorrectly processed V4 transaction hashes. This could allow malicious actors to create blocks accepted by Zebra but rejected by zcashd, causing network partition and double-spend risks.
CISA confirmed that a high-severity remote code execution vulnerability in Apache ActiveMQ, which remained unpatched for 13 years, is now being actively exploited by threat actors following its public disclosure. This represents a typical post-patch exploitation window where defenders face maximum risk.
Phishing remains the primary attack vector for most cybercriminals, and managed service providers are struggling to implement integrated security and recovery strategies proportionate to current threat velocity. MSPs must evolve beyond reactive patching to include workable incident response and business continuity frameworks.
Cybercrime forums now circulate structured guides teaching threat actors how to evaluate carding shops through data quality metrics, seller reputation scoring, and shop longevity assessment. This professionalisation of underground marketplaces reduces friction in stolen payment data transactions and increases the operational security of organised crime networks.
Kyrgyzstan-based cryptocurrency exchange Grinex suffered a $13.7 million breach and suspended operations, publicly blaming Western intelligence agencies without providing technical evidence. The unsubstantiated attribution raises questions about either poor incident response practices or deliberate misdirection.
Payouts King ransomware operators are deploying QEMU virtual machines as covert execution containers, using reverse SSH tunnels to maintain hidden command channels that bypass endpoint detection and response tools. This represents a maturation of VM-based evasion tactics in ransomware operations.
Paperclip's `/api/agents/:id/keys` endpoints fail to validate tenant ownership, allowing any authenticated user to mint valid API tokens for agents in other companies. This bypasses the core multi-tenant security boundary.
Paperclip control-plane API fails to validate company ownership on agent key management endpoints, allowing authenticated board-users from Company A to enumerate, create, and revoke API keys for agents belonging to Company B, resulting in full cross-tenant compromise.
Saltcorn's mobile sync routes embed unauthenticated user-supplied numeric values directly into SQL template literals without parameterization. Any authenticated user with table read access can execute arbitrary SQL, including data exfiltration and (on PostgreSQL) DDEs.
Google is expanding its use of Gemini AI models to detect and block malicious ads across its advertising platforms as threat actors refine evasion techniques. This represents an incremental defensive improvement in an ongoing arms race rather than a structural shift in ad ecosystem security.
Attackers exploited a flaw in Marimo (a reactive Python notebook framework) to execute arbitrary code and deploy NKAbuse malware variants through Hugging Face Spaces, a platform trusted by ML researchers and developers. This represents a supply-chain attack exploiting both a software vulnerability and the trust model of a widely-used ML hosting platform.
A researcher calling themselves 'Chaotic Eclipse' has published a proof-of-concept exploit for 'RedSun', a second Microsoft Defender zero-day discovered in recent weeks. The public disclosure appears motivated by protest over Microsoft's vulnerability coordination practices.
ZionSiphon is a newly discovered malware family purpose-built for operational technology environments, specifically engineered to disrupt water treatment and desalination plants. This represents a shift toward adversary-developed sabotage tools for critical infrastructure rather than repurposed IT malware.
Law enforcement and private sector security research identified and disrupted 75,000 DDoS botnet operators and took down 53 infrastructure domains in a coordinated operation spanning 21 countries. This represents significant progress against organised DDoS-as-a-service providers but signals the need for sustained pressure on the ecosystem.
A stored cross-site scripting (XSS) vulnerability in Decidim's user name field enables arbitrary code execution in victim browsers via passive comment page visits. This represents a critical stored XSS variant with cross-security-boundary impact.
OpenAI discovered that malicious Axios npm packages executed within a GitHub Actions workflow and compromised macOS code-signing certificates used for application distribution. The incident highlights how CI/CD environments remain attractive targets for attackers seeking to inject malware into signed, trusted applications.
US and Indonesian authorities shut down the W3LL phishing service and arrested its developer in the first joint enforcement action targeting a phishing kit provider. This represents a shift toward coordinated international takedowns of infrastructure that enables mass credential theft campaigns.