Intelligence · Updated daily
AI-analysed threats, vulnerabilities and campaigns. Not just what happened — what it means, who's affected, and what to do about it.
Torg Grabber is a new infostealer malware targeting 850 browser extensions, predominantly cryptocurrency wallets, to exfiltrate private keys and sensitive account credentials. This represents a significant threat to the crypto ecosystem given the direct targeting of wallet software.
Threat actors are abusing Bubble, a legitimate no-code app builder, to host credential-stealing phishing pages targeting Microsoft accounts whilst evading detection systems. The abuse of trusted platforms reduces security signal effectiveness and complicates credential compromise mitigation.
Threat actors are actively exploiting the PolyShell vulnerability in Magento 2 and Adobe Commerce, with attacks targeting 56% of all vulnerable instances. This represents a widespread, in-the-wild exploitation campaign affecting a substantial portion of the e-commerce attack surface.
GitHub is integrating machine learning-based bug detection into Code Security alongside CodeQL, extending vulnerability coverage to languages and frameworks not fully addressed by pattern-matching SAST. This represents a shift in how platforms approach detection breadth at scale.
CISA has added CVE-2026-33017, a code injection vulnerability in Langflow, to its Known Exploited Vulnerabilities Catalog based on confirmed active exploitation. Code injection vulnerabilities represent a direct path to remote code execution and are frequently weaponised by threat actors.
Threat actors used compromised credentials to inject malware into Trivy releases and related GitHub Actions repositories, affecting users of v0.69.4-0.69.6 and action workflows. This demonstrates a critical supply chain attack vector targeting security tooling infrastructure.
Scriban's TemplateContext caches type accessors by Type alone, ignoring MemberFilter changes. Reusing a context with a tightened filter after a permissive render allows attackers to access members that should be hidden, bypassing sandbox restrictions.
PTC has disclosed a critical remote code execution vulnerability in Windchill and FlexPLM product lifecycle management platforms. Exploitation could grant attackers complete control over enterprise systems managing design, manufacturing, and supply chain data.
A memory leak vulnerability in Grassroots DICOM (GDCM) 3.2.2 allows remote attackers to trigger denial-of-service conditions by submitting specially crafted DICOM files. This affects healthcare systems that rely on GDCM for medical image processing.
Schneider Electric patched a critical untrusted deserialization vulnerability in EcoStruxure Foxboro DCS workstations and servers that enables remote code execution. The vulnerability affects control software on engineering stations but spares runtime components, yet poses significant risk to DCS environments managing critical infrastructure.
Schneider Electric Plant iT/Brewmaxx versions 9.60 and above contain four critical vulnerabilities (CVSS 9.9) enabling privilege escalation to remote code execution. Organizations using this brewing and plant management software face immediate risk of full system compromise.
Pharos Controls Mosaic Show Controller firmware 2.15.3 contains an unauthenticated remote code execution vulnerability allowing attackers to execute arbitrary commands with root privileges. This impacts live event production infrastructure with no authentication barrier.
Threat actors are actively exploiting CVE-2025-32975, a critical remote code execution flaw in Quest KACE Systems Management Appliance (SMA), against unpatched internet-exposed instances since March 2026. SMA is enterprise-grade IT infrastructure management software, making compromises particularly damaging.
VoidStealer malware has developed a novel technique to bypass Chrome's Application-Bound Encryption (ABE) by leveraging debugger access to extract the browser's master encryption key. This enables attackers to decrypt sensitive stored data including passwords and payment information without user interaction.
Threat actors compromised the Trivy security scanner and weaponized the breach to deploy CanisterWorm, a self-spreadingmalware leveraging ICP canisters, across 47 npm packages. This represents a particularly dangerous supply chain attack where defensive tooling becomes the attack vector.
Russian state-affiliated threat actors are conducting targeted phishing campaigns against Signal and WhatsApp users to compromise accounts of high-intelligence-value individuals. This represents a shift in targeting strategy prioritizing messaging platform access over traditional malware deployment.
Attackers are weaponizing Microsoft Azure Monitor's alert notification system to send convincing phishing emails impersonating Microsoft Security Team warnings about unauthorized charges. This exploits the trust users place in legitimate Azure infrastructure.
Google is introducing 'Advanced Flow,' a controlled mechanism for Android power users to sideload APKs from unverified developers with enhanced security guardrails. This represents a strategic shift toward flexible but security-conscious OS design.
Trivy, a widely-used vulnerability scanner, was breached by TeamPCP and weaponized to distribute infostealer malware through official releases and GitHub Actions integrations. This represents a direct attack on the CI/CD pipelines of thousands of organizations relying on Trivy for security.
AVideo's `plugin/Live/test.php` accepts unauthenticated user input to trigger outbound HTTP requests without validation, enabling attackers to probe internal networks, access cloud metadata endpoints, and potentially pivot to internal services.
GitHub Actions workflows that directly interpolate untrusted issue fields (title, body, labels) into shell `run` blocks using template expressions are vulnerable to command injection. This PoC demonstrates that unauthenticated attackers can trigger arbitrary code execution and exfiltrate secrets by crafting malicious issue titles.
CISA has issued an emergency patching order for CVE-2026-20131, a maximum-severity vulnerability in Cisco Secure Firewall Management Center, requiring federal agencies to remediate by March 22, 2026. This indicates either active exploitation or imminent threat intelligence suggesting weaponization.
International law enforcement shut down 373,000 dark web sites distributing fake child sexual abuse material (CSAM) packages, disrupting a fraud scheme that victimizes both potential offenders seeking illegal content and defrauds them. This represents a significant takedown of deceptive criminal commerce infrastructure.
Oracle released an emergency out-of-band patch for an unauthenticated remote code execution vulnerability in Identity Manager and Web Services Manager (CVE-2026-21992). This is a critical identity infrastructure flaw that likely enables complete system compromise without credentials.
Russian state-linked threat actors are executing targeted phishing campaigns against Signal and WhatsApp users, with thousands of accounts already compromised. This represents a sophisticated effort to penetrate secure communications infrastructure used by journalists, activists, and government officials.