Intelligence · Updated daily
AI-analysed threats, vulnerabilities and campaigns. Not just what happened — what it means, who's affected, and what to do about it.
Eight git repository management endpoints in Arcane lack admin role enforcement, allowing any authenticated user to read, modify, and exfiltrate stored Git credentials. This breaks the confidentiality and integrity of GitOps configurations and enables lateral movement via credential theft.
The mistralai PyPI package v2.4.6 was compromised with a malicious dropper that executes on module import on Linux systems, bypassing the legitimate release pipeline via PyPI Trusted Publishing. This represents a high-impact supply chain attack affecting all systems that installed this specific version.
Storm-2949 exploited stolen credentials to orchestrate a cloud-wide breach without deploying malware, relying instead on trusted cloud APIs and identity systems to move laterally and exfiltrate data. This represents a significant shift in attack methodology where defenders' own tools become weapons.
A CISA contractor maintained a public GitHub repository containing AWS GovCloud credentials for highly privileged accounts and documentation of CISA's internal software build, test, and deployment processes. The exposure represents a significant compromise of US government infrastructure security practices and threat intelligence operations.
Threat actors compromised the popular GitHub Actions workflow issues-helper by redirecting all repository tags to malicious commits, enabling CI/CD credential theft from potentially thousands of dependent workflows. This represents a sophisticated supply chain attack exploiting the trust model of GitHub Actions.
Interpol-coordinated law enforcement operations arrested over 200 individuals operating cybercriminal scam networks across the Middle East and recovered hundreds of compromised devices used in the scheme. This represents a significant disruption to a regional fraud operation, though the technical sophistication and scale suggest similar networks remain active.
INTERPOL's coordinated law enforcement operation across the Middle East and North Africa resulted in the seizure of 53 malware and phishing servers and over 200 arrests. This represents a significant disruption to cybercriminal infrastructure in a region with historically high threat actor density.
Four chained vulnerabilities in OpenClaw permit attackers to extract credentials, bypass sandbox isolation, and establish persistent backdoor access. This represents a complete compromise pathway from initial execution to system persistence.
Multiple US healthcare organisations have suffered data breaches affecting millions of individuals, with incidents logged across the HHS Office for Civil Rights tracker. This represents a sustained attack pattern against a high-value, regulated sector with significant compliance and operational implications.
Ivanti, Fortinet, SAP, VMware, and n8n have released patches for multiple remote code execution and privilege escalation vulnerabilities, with Ivanti Xtraction's CVE-2026-8043 (CVSS 9.6) enabling arbitrary code execution through external file name control. This coordinated patch release suggests these flaws were likely discovered through vulnerability coordination channels.
YellowKey, a publicly disclosed exploit, reliably bypasses Windows 11 BitLocker default configurations by exploiting TPM-based key storage, but requires physical device access. This substantially weakens encryption guarantees for organisations relying on BitLocker as a mandatory protection.
ShinyHunters ransomware group claims to have stolen over 600,000 Salesforce records from 7-Eleven, including personal and corporate data, with confirmed breach details now public. This represents a significant compromise of a major retail organisation's customer and operational data.
Three separate campaigns hit major package repositories within 48 hours, targeting secrets and credentials stored in developer workstations and CI/CD pipelines. The shift from code injection to credential theft represents a fundamental escalation in supply chain attack sophistication.
A researcher has released a working exploit (MiniPlasma) for an unpatched 2020 Windows CVE, based on original proof-of-concept code. This exposes organisations still running vulnerable systems to immediate privilege escalation attacks.
Researcher Chaotic Eclipse has released a working exploit for MiniPlasma, a Windows privilege escalation zero-day in the Cloud Files Mini Filter Driver (cldflt.sys) that grants SYSTEM access on fully patched systems. This represents a complete bypass of Windows security controls and poses immediate risk to all affected Windows installations.
A proof-of-concept exploit has been released for DirtyDecrypt, a recently patched local privilege escalation vulnerability in the Linux kernel's rxgk module. Attackers with local access can now more easily achieve root-level code execution on affected systems.
Grafana Labs confirmed a data breach attributed to Coinbase Cartel, a cybercriminal group with documented links to ShinyHunters, Scattered Spider, and Lapsus$. The incident targets a critical observability platform used across thousands of organisations for infrastructure monitoring.
Symantec and Carbon Black have analysed the Lua-based Fast16 malware, a pre-Stuxnet cyber sabotage tool designed to corrupt uranium-compression simulations used in nuclear weapons design. The discovery provides historical evidence of advanced persistent threat capabilities targeting critical infrastructure simulation environments.
Microsoft's May 2026 Windows 11 security update (KB5089549) fails to install on multiple systems, returning 0x800f0922 errors. This prevents security patch deployment on affected machines, leaving them exposed to unpatched vulnerabilities.
South Korea will use its upcoming local elections as a live test of deepfake regulations to assess whether legislative controls can effectively prevent malicious synthetic media in political contexts. The outcome will inform global policy approaches to synthetic content threats.
Security researchers demonstrated previously unknown exploits at Pwn2Own Berlin 2026, earning $1.3 million in total bounties across multiple platforms including Windows, Linux, VMware, Nvidia, and AI systems. The event highlights an active market for zero-day vulnerabilities and signals emerging attack surface in AI products.
Security researchers earned $1.3m by demonstrating 47 zero-day exploits at Pwn2Own Berlin 2026. The volume of disclosed vulnerabilities highlights the ongoing gap between vulnerability discovery and vendor patching capacity.
The Tycoon2FA phishing kit has added device-code authentication flow attacks to its arsenal and now abuses Trustifi click-tracking URLs to mask malicious redirects, enabling credential theft against Microsoft 365 users at scale.
A heap buffer overflow in NGINX's rewrite module (CVE-2026-42945, CVSS 9.2) is being exploited in the wild days after disclosure, affecting versions 0.6.27 through 1.30.0 and potentially enabling remote code execution or worker process crashes.
A Windows privilege escalation zero-day called MiniPlasma has had a proof-of-concept exploit publicly released, allowing attackers to achieve SYSTEM-level access on fully patched systems. Public PoC availability significantly increases exploitation risk across all affected Windows environments.