Intelligence · Updated daily
AI-analysed threats, vulnerabilities and campaigns. Not just what happened — what it means, who's affected, and what to do about it.
A CISA contractor intentionally published AWS GovCloud credentials and classified agency materials to a public GitHub repository, forcing CISA into active remediation whilst Congress demands accountability for what appears to be a deliberate insider breach.
Drupal has confirmed active exploitation of CVE-2026-9082 with security firms detecting attacks against thousands of websites shortly after public disclosure. The rapid weaponisation indicates this is a severe vulnerability with immediate real-world impact.
European and North American authorities have shut down First VPN, a criminal VPN service that facilitated ransomware attacks, data theft, and DDoS operations for approximately 25 ransomware groups. The coordinated takedown represents a significant disruption to organised cybercrime infrastructure, though similar services remain operational.
The FBI has warned of Kali365, a Telegram-based phishing-as-a-service platform that captures legitimate OAuth tokens to gain unauthorised access to Microsoft 365 environments. The service has been actively used in campaigns since at least April 2024.
Dutch financial crime authorities arrested two operators and seized 800 servers from a web hosting company that provided infrastructure for coordinated cyberattacks, interference campaigns, and disinformation operations. This represents a significant disruption to a criminal supply chain enabling multiple threat actors.
A missing single-quote escape in Twig's Compiler::string() method allows attackers to break out of PHP string literals via malicious {% use %} template names, achieving unauthenticated remote code execution even in sandboxed environments.
BoxLite's read-only mount implementation relies on MS_RDONLY flag applied post-boot rather than kernel-level enforcement, allowing container processes with unrestricted capabilities to remount directories as read-write. This breaks sandbox isolation in scenarios where untrusted code accesses host credentials, configuration, and source code.
Canadian authorities arrested a 23-year-old suspected operator of Kimwolf, an IoT botnet that compromised millions of devices for large-scale DDoS attacks. The arrest and cross-border charges signal coordinated enforcement against botnet operators who target journalists and security researchers.
Insufficient validation in Cisco Secure Workload's REST APIs allows unauthenticated remote attackers to obtain Site Admin privileges. This represents a complete authentication bypass affecting a platform commonly used for workload security and compliance monitoring.
Cisco patched a CVSS 10.0 flaw in Secure Workload REST API that permits unauthenticated remote attackers to access sensitive data through insufficient validation and authentication controls. Organisations running Secure Workload must patch immediately as the vulnerability requires no credentials or user interaction.
CISA has introduced a nomination form allowing researchers, vendors, and industry partners to submit vulnerabilities for inclusion in its Known Exploited Vulnerabilities (KEV) catalog. This democratises the vulnerability reporting process and potentially accelerates the identification of actively exploited bugs.
Google publicly exposed technical details of an unpatched Chromium vulnerability that permits JavaScript execution after browser closure, enabling remote code execution. Early disclosure before a fix is available significantly increases attacker adoption risk.
Compromised versions of @cap-js database packages (sqlite, postgres, db-service) published April 29, 2026 harvested credentials and attempted self-propagation. Any system with these versions installed must assume all local credentials (npm tokens, cloud keys, SSH keys, GitHub PATs) are compromised.
Unit 42 documents a shift in npm ecosystem attacks toward wormable malware, CI/CD persistence, and multi-stage payload delivery following the Shai Hulud incident. This represents an escalation in sophistication and suggests adversaries are moving beyond simple package hijacking to establish durable infrastructure.
Quantum Bridge secured $8 million in Series A funding for quantum-safe key distribution technology, bringing total capitalisation to $16 million. This reflects accelerating investment in post-quantum cryptography solutions ahead of anticipated quantum computing threats.
GitHub confirmed that a breach of its internal repositories resulted from a compromised employee device running a malicious version of the Nx Console VS Code extension, after the extension's developer account was itself compromised.
The FTC has issued warning letters to 12 major technology firms for allegedly failing to comply with the Take It Down Act, which requires platforms to provide accessible removal mechanisms for nonconsensual intimate imagery and process deletion requests within 48 hours. This represents the first significant enforcement action under the statute and signals regulatory intent to hold platforms accountable for abuse prevention infrastructure.
Ukrainian cyberpolice and U.S. law enforcement identified and disrupted an infostealer malware operation run by an 18-year-old from Odesa who had compromised approximately 28,000 user accounts from a California-based online retailer. The case demonstrates effective international law enforcement coordination against financially-motivated cybercriminals operating from Eastern Europe.
An unauthenticated attacker can bypass JWT session validation and rewrite upstream authority headers by exploiting a shared header check with a predictable or hardcoded router key, allowing unauthorized access to backend services including external APIs.
Coder's Azure identity validation fails to verify PKCS#7 signatures, allowing attackers to forge identity claims and steal workspace agent tokens without authentication. This enables downstream credential theft including SSH keys, OAuth tokens, and workspace secrets.
Cisco Talos disclosed 11 vulnerabilities across four vendors, with eight in TP-Link networking equipment alongside single flaws in Adobe Photoshop, OpenVPN, and Norton VPN. All have been patched by vendors following Cisco's coordinated disclosure policy.
Verizon's 2026 Data Breach Investigations Report reveals vulnerability exploitation has become the leading breach vector, surpassing credential theft, driven by accelerated attack timelines, delayed patch deployment, and increasing ransomware sophistication.
Grafana Labs suffered a GitHub environment breach on May 19, 2026, exposing source code and internal repositories but not production systems. The incident appears connected to a TanStack npm attack vector, raising concerns about compromised package distribution.
A zero-day vulnerability in Huawei equipment was exploited to take down Luxembourg's entire telecoms network in 2023. The flaw remains unpatched and unacknowledged by Huawei, creating ongoing risk for other operators using affected equipment.
TeamPCP claims to have breached GitHub's internal repositories and accessed approximately 4,000 private code repositories. This represents a potential supply-chain risk if the breach is verified, as GitHub's internal systems are trusted infrastructure for the software development ecosystem.