CyberHappenings logo

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

News Summary

Hide ▲
Last updated: 09:00 15/05/2026 UTC
  • MuddyWater Expands Global Campaigns with New Backdoors Targeting US and Israeli Entities The Iran-linked MuddyWater APT (a.k.a. Seedworm, Static Kitten) has expanded its global espionage operations to include a major South Korean electronics manufacturer, government agencies, and an international airport in the Middle East, marking a geographic shift beyond its traditional MENA and Israeli targets. In February 2026, the group spent a week inside the network of the South Korean firm, conducting industrial espionage and intellectual property theft while leveraging DLL sideloading via legitimate Fortemedia and SentinelOne binaries to deploy ChromElevator for browser data exfiltration. MuddyWater’s evolving tradecraft includes the continued use of PowerShell—now orchestrated via Node.js loaders—for reconnaissance, credential theft, and persistence, alongside anti-detection techniques like fake Windows prompts, registry hive theft, and public file-sharing services (sendit.sh) for exfiltration. This follows earlier 2026 campaigns where the group masqueraded as Chaos ransomware to deploy the Darkcomp RAT, targeted US companies with Dindoor/Fakeset backdoors, and expanded its toolset with Rust-based implants like RustyWater. The group’s persistent focus on espionage, use of legitimate tools for evasion, and geographic diversification underscore its adaptability as a state-aligned threat actor linked to Iran’s MOIS. Read
  • Shift to DPU-based security architecture gains traction after VMware hypervisor escape flaws underscore host agent limitations Industry discussions highlight a fundamental rethinking of data center security architectures following recurring VMware ESXi zero-day vulnerabilities and ESXiArgs ransomware campaign, which demonstrated that host-based security agents fail to detect or mitigate hypervisor-level compromises. Security teams increasingly explore Data Processing Unit (DPU)-based security models to offload security workloads from host CPUs, eliminating performance trade-offs while providing tamper-proof, line-rate inspection and policy enforcement. The architecture isolates security functions on dedicated silicon, enabling comprehensive east-west and north-south traffic visibility without host OS dependency, a critical gap exposed by lateral movement attacks and transient workloads in modern AI and containerized environments. Read
  • Microsoft Edge sandbox escape and Windows 11 privilege escalation zero-days demonstrated at Pwn2Own Berlin 2026 Security researchers demonstrated 24 unique zero-day exploits at Pwn2Own Berlin 2026 on May 14, 2026, earning $523,000 in total rewards. Orange Tsai successfully chained four logic bugs to achieve a sandbox escape in Microsoft Edge, receiving $175,000. Windows 11 privilege escalation zero-days were demonstrated by three separate teams—Angelboy and TwinkleStar03 (DEVCORE Internship Program), Marcin Wiązowski, and Kentaro Kawane (GMO Cybersecurity)—each earning $30,000. The exploits targeted fully patched systems under competition rules requiring arbitrary code execution. Read
  • Fragnesia Linux Kernel LPE via XFRM ESP-in-TCP Page Cache Corruption Fragnesia (CVE-2026-46300, CVSS 7.8) is a Linux kernel local privilege escalation vulnerability in the XFRM ESP-in-TCP subsystem that enables unprivileged local attackers to corrupt kernel page cache and gain root access. The flaw was discovered by William Bowling of Zellic and the V12 team, with a proof-of-concept exploit published on May 13, 2026. It operates by feeding file contents into a TCP socket, enabling ESP-in-TCP encryption to overwrite page cache memory (including /usr/bin/su) with AES-GCM keystreams, leaving no forensic trace on disk. The vulnerability emerged as an unintended side effect of a patch addressing the Dirty Frag vulnerabilities and affects all Linux kernels prior to disclosure. A candidate upstream fix was submitted to the netdev mailing list on May 13 but remains unmerged, while multiple distributions have issued backported patches. Mitigation strategies include disabling esp4, esp6, and rxrpc modules (which also cover Dirty Frag), restricting unprivileged user namespaces, and monitoring for suspicious XFRM or namespace activity. No in-the-wild exploitation has been observed, but the public PoC and historical context heighten urgency for patching. Read
  • Foxconn North American operations disrupted by Nitrogen ransomware attack Foxconn confirmed a cyberattack impacting North American factories, disrupting operations and prompting recovery efforts. The Nitrogen ransomware gang has claimed responsibility, alleging theft of 8 TB of data and over 11 million documents, including confidential customer projects and intellectual property. Affected facilities are resuming normal production as incident response continues. The attack underscores the escalating targeting of manufacturing supply chains, where threat actors exploit operational sensitivity and high-value data. Foxconn, a key supplier to major technology firms, faces potential downstream impact as stolen data may include sensitive documentation tied to clients like Apple, Intel, Google, Nvidia, and others. Industry data shows manufacturing as the most heavily targeted sector for ransomware in 2026, with nearly 70% more victims than any other industry, reflecting attackers' focus on organizations where downtime directly halts revenue and production. Read
  • Emergence of TencShell malware leveraging open-source Rshell framework in targeted campaign against global manufacturer China-linked threat actors deployed a previously undocumented malware implant named TencShell against a global manufacturer’s Indian branch in April 2026. The attack chain involved a first-stage dropper, Donut shellcode, a masqueraded .woff web-font resource, memory injection, and web-like C2 communication to deliver a customized Go-based implant derived from the open-source Rshell C2 framework. TencShell mimics Tencent-like web service paths to blend into normal enterprise traffic. If successful, the implant would have provided comprehensive access, including remote command execution, in-memory payload execution, proxying, pivoting, system profiling, and a path to deploy additional tooling. Read
  • Compromised node-ipc npm Package Versions Deploy Stealer Payload via Obfuscated Backdoor Three legitimate versions of the widely used node-ipc npm package were republished with malicious code by an unauthorized maintainer account. The affected versions—9.1.6, 9.2.3, and 12.0.1—contain obfuscated stealer/backdoor functionality that triggers upon package require('node-ipc'), exfiltrating extensive developer and cloud secrets to a rogue command-and-control (C2) server. The attack uses novel anti-detection techniques including host fingerprinting, DNS-based exfiltration via Google Public DNS, and conditional payload execution tied to a SHA-256 hash of the entry module path, indicating targeted operations. This incident follows a prior 2022 protest incident where the original maintainer added destructive capabilities to versions 10.1.1 and 10.1.2 targeting systems in Russia or Belarus. The campaign highlights the risks of dormant package compromise and the use of legitimate npm accounts to deliver supply-chain malware with advanced evasion tactics aimed at bypassing traditional security monitoring. Read
Last updated: 09:45 15/05/2026 UTC
  • Unmanaged AI Agents Pose Security Risks in Enterprise Environments The proliferation of unmanaged AI agents in enterprise environments continues to escalate security risks, with most companies having 100 AI agents per human employee and 99% of these identities remaining unmanaged. A new study reveals that 93% of global organizations now use or plan to use AI agents for sensitive security tasks such as password resets and VPN access, despite the potential for serious breaches. Only 32% of organizations feel confident in regaining control after an AI-driven credential exposure, highlighting widespread unpreparedness. Traditional security tools prove ineffective at managing AI agents, which are often over-permissioned and abandoned as "zombie" identities. The industry is shifting toward agentic AI systems that operate autonomously, necessitating AI-driven SOC defense platforms and faster public-private partnerships to enhance national resilience. An upcoming webinar will provide a framework for securing AI agents, including strategies for governance, security-by-design, and aligning security with business goals. Read
  • Unauthorized access to Trellix source code repository confirmed Trellix confirmed unauthorized access to a portion of its source code repository on May 4, 2026, engaging forensic experts and law enforcement while stating no evidence of exploitation or impact on source code release processes. Security experts warn that access to the source code could give threat actors a tactical roadmap to Trellix’s detection mechanisms, build paths, and potential weaknesses, enabling further supply chain attacks. The incident follows a pattern of recent attacks targeting security vendors and software supply chains, including compromises of vendors like Aqua Security and Checkmarx via the Trivy supply chain attack, which exposed enterprise secrets and involved collaborations between groups like TeamPCP and Lapsus$ for monetization and ransomware deployment. RansomHouse has now claimed responsibility for the breach, alleging the intrusion occurred on April 17, 2026, and resulted in data encryption. The group leaked screenshots purporting to show access to Trellix’s appliance management system as proof of compromise. Trellix acknowledged awareness of the claims and stated it was investigating the reported attack. Read
  • TeamPCP escalates CanisterWorm campaign with geopolitical targeting and multi-vector attacks TeamPCP has escalated its multi-vector CanisterWorm campaign into a geopolitically targeted operation, now confirmed to have leveraged the Trivy supply-chain attack as an access vector for the Checkmarx compromise. The group compromised PyPI packages (LiteLLM versions 1.82.7–1.82.8 and Telnyx versions 4.87.1–4.87.2) and Checkmarx KICS tooling to deliver credential-stealing malware, harvesting SSH keys, cloud credentials, Kubernetes secrets, database credentials, cryptocurrency wallets, TLS/SSL private keys, and bash history files. Checkmarx has publicly confirmed that the LAPSUS$ threat group leaked data stolen from its private GitHub repository, with access facilitated by the Trivy compromise attributed to TeamPCP. The leaked data, published on both dark web and clearnet portals, did not contain customer information, and Checkmarx has blocked access to the affected repository pending forensic investigation. The campaign’s scope expanded from initial npm package compromises to include GitHub repository hijacking (e.g., Aqua Security), Docker Hub compromise, and CI/CD pipeline targeting, while destructive payloads in Iranian Kubernetes environments highlight TeamPCP’s geopolitical alignment. On May 9, 2026, TeamPCP published a malicious version of the Checkmarx Jenkins AST plugin (2.0.13-829.vc72453fa_1c16) to the Jenkins Marketplace, defacing the plugin’s GitHub repository with pro-TeamPCP messaging. The compromise was facilitated using credentials stolen in the March 2026 Trivy supply-chain attack and occurred outside the plugin’s official release pipeline, lacking a git tag or GitHub release. Checkmarx isolated its GitHub repositories from customer environments and stated no customer data was stored in them. Users are advised to use version 2.0.13-829.vc72453fa_1c16 published on December 17, 2025, or older. Read
  • SAP December 2025 Security Updates Address Three Critical Vulnerabilities SAP’s December 2025 security bulletin addressed 14 vulnerabilities, including three critical flaws, while the May 2026 updates introduced 15 new vulnerabilities with two critical issues in Commerce Cloud and S/4HANA. One critical flaw, CVE-2026-34263, is a missing authentication check in SAP Commerce Cloud allowing unauthenticated attackers to execute arbitrary code. The second critical flaw, CVE-2026-34260, enables low-complexity SQL injection in SAP S/4HANA, risking unauthorized data access and application disruption. SAP’s May 2026 advisory also resolved one high-severity and 11 medium-severity issues, including command injection, missing authorization checks, and XSS. While SAP has not observed active exploitation of these new flaws, historical precedent shows SAP vulnerabilities are frequently targeted, with 14 SAP flaws added to CISA’s Known Exploited Vulnerabilities catalog in recent years, including two used in ransomware attacks. SAP remains a critical enterprise software vendor, serving 99 of the 100 largest global companies and reporting over €36 billion in fiscal year 2025 revenue. Read
  • Russian Actors Target Water Systems in Norway, Poland, Denmark, and Romania Russian and allied state-sponsored actors continue to target water systems across Europe as part of a broader hybrid campaign. In Poland, the Internal Security Agency (ABW) has documented cyberattacks against industrial control systems (ICS) at five water treatment plants in 2025, including Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo. Attackers gained access to operational systems, modifying parameters with the potential to disrupt public water supplies. The campaign leverages weak password policies and internet-exposed systems, with attribution pointing to Russian APT groups APT28 and APT29, Belarusian-linked UNC1151, and other hacktivist personas acting as state proxies. Earlier incidents in Norway, Poland, and Denmark involved destructive or disruptive actions against water utilities, while Romania experienced a ransomware attack on its national water authority. These attacks form part of a sustained influence operation aimed at undermining Western support for Ukraine and demonstrating asymmetric cyber capabilities against critical infrastructure. Read
  • Quasar Linux (QLNX) multi-stage implant targeting developer environments with rootkit, backdoor, and credential-harvesting capabilities A previously undocumented Linux implant named Quasar Linux (QLNX) has been identified targeting software developers' systems in development and DevOps environments across npm, PyPI, GitHub, AWS, Docker, and Kubernetes. QLNX combines rootkit, backdoor, and credential-harvesting capabilities to establish stealthy, fileless persistence and enable potential supply-chain attacks. The malware dynamically compiles rootkit shared objects and PAM backdoors on target hosts using gcc, employs seven persistence mechanisms, and uses dual-layer stealth techniques including userland LD_PRELOAD rootkits and kernel-level eBPF components. QLNX features a 58-command RAT core, credential harvesting targeting 10+ configuration files (.npmrc, .pypirc, .aws/credentials, .kube/config, .env, etc.), surveillance, networking and lateral movement, process injection, and filesystem monitoring modules. Targeting developer workstations allows bypass of enterprise security controls and access to credentials underpinning software delivery pipelines, enabling attackers to push poisoned packages to public registries or pivot through CI/CD pipelines. Read
  • Phishing-to-outage lifecycle focus of upcoming MSP cyber resilience webinar featuring Kaseya On May 14, 2026 at 2:00 PM ET, BleepingComputer and Kaseya will host a live technical webinar titled "From phishing to fallout: Why MSPs must rethink both security and recovery." Led by Austin O'Saben and Adam Marget, the session will present advanced strategies for MSPs to integrate detection, response, and recovery to mitigate phishing-driven cyber incidents. Modern threat actors increasingly combine AI-generated phishing, business email compromise, ransomware, and SaaS abuse to bypass traditional defenses and disrupt operations. The webinar emphasizes that reliance on prevention alone is insufficient; instead, organizations must strengthen both security posture and recovery readiness, including SaaS backups and business continuity planning. Kaseya experts will detail how integrating backup and disaster recovery (BCDR) into security strategies is critical to reduce downtime and limit incident impact during such attacks. Building on prior coverage, a May 13, 2026 BleepingComputer article highlights that brand impersonation in AI-driven phishing is outpacing traditional email security, and that recovery delays after compromise can prolong operational disruption and increase recovery costs even after containment. Organizations are urged to prepare not only to defend against attacks but also to recover from them quickly. A separate May 7, 2026 article by The Hacker News promotes another webinar, "One Click, Total Shutdown: The 'Patient Zero' Webinar on Killing Stealth Breaches," which focuses on immediate breach containment strategies for AI-driven phishing attacks, including the "Patient Zero" concept and the 5-minute critical window for containment. Read

Latest updates

Browse →

Active exploitation of Microsoft Exchange Server spoofing vulnerability via crafted email

Updated: 15.05.2026 12:40 · First: 15.05.2026 09:19 · 📰 2 src / 2 articles

A high-severity spoofing vulnerability in on-premises Microsoft Exchange Server (CVE-2026-42897, CVSS 8.1) is being actively exploited in the wild. The flaw arises from improper neutralization of input during web page generation, enabling cross-site scripting (XSS) that permits unauthorized spoofing over a network. Attackers can exploit this by sending a specially crafted email to a user; when opened in Outlook Web Access under specific interaction conditions, arbitrary JavaScript can execute in the browser context, facilitating further unauthorized actions. Microsoft has confirmed active exploitation and reports that patches are not yet available, with mitigation provided via the Exchange Emergency Mitigation Service (EEMS) for Exchange Server 2016, 2019, and Subscription Edition (SE) on-premises servers. Patch availability for some versions is restricted to customers enrolled in the Period 2 Exchange Server ESU program.

Emergence of TencShell malware leveraging open-source Rshell framework in targeted campaign against global manufacturer

Updated: · First: 15.05.2026 11:00 · 📰 1 src / 1 articles

China-linked threat actors deployed a previously undocumented malware implant named TencShell against a global manufacturer’s Indian branch in April 2026. The attack chain involved a first-stage dropper, Donut shellcode, a masqueraded .woff web-font resource, memory injection, and web-like C2 communication to deliver a customized Go-based implant derived from the open-source Rshell C2 framework. TencShell mimics Tencent-like web service paths to blend into normal enterprise traffic. If successful, the implant would have provided comprehensive access, including remote command execution, in-memory payload execution, proxying, pivoting, system profiling, and a path to deploy additional tooling.

Critical Authentication Bypass in Cisco Catalyst SD-WAN Exploited Since 2023

Updated: 15.05.2026 08:28 · First: 25.02.2026 20:01 · 📰 9 src / 13 articles

A critical authentication bypass vulnerability (CVE-2026-20182) in Cisco Catalyst SD-WAN Controller and Manager is being actively exploited in the wild, enabling unauthenticated remote attackers to bypass authentication and obtain administrative privileges. The flaw stems from a malfunction in the peering authentication mechanism within the 'vdaemon' service and impacts all deployment models. CVE-2026-20182 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on May 15, 2026, mandating federal patching by May 17, 2026. Cisco has attributed exploitation with high confidence to UAT-8616, the same cluster responsible for weaponizing CVE-2026-20127 since at least 2023. The threat actor leverages the flaw for post-compromise actions, including adding SSH keys, modifying NETCONF configurations, and attempting to escalate to root privileges. Infrastructure overlaps with Operational Relay Box (ORB) networks, commonly linked to Chinese state-sponsored actors. Threat actors have chained CVE-2026-20182 with CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 to enable unauthorized access, deploying web shells, malware frameworks, and tools such as Godzilla, Behinder, XenShell, and credential stealers. Cisco recommends immediate updates, restricting access to management interfaces, and monitoring for indicators of compromise.

Authentication bypass in Burst Statistics WordPress plugin enables admin takeover (CVE-2026-8181)

Updated: · First: 15.05.2026 00:07 · 📰 1 src / 1 articles

Unpatched installations of the WordPress analytics plugin Burst Statistics (versions 3.4.0 and 3.4.1) are being actively exploited due to a critical authentication bypass flaw, CVE-2026-8181. The vulnerability allows unauthenticated remote attackers to impersonate any privileged WordPress user—including administrators—during REST API requests by supplying an arbitrary password. Successful exploitation can grant full administrative control, enabling site takeover, database access, backdoor deployment, visitor redirection to malicious destinations, malware distribution, and creation of rogue administrator accounts. Admin usernames may be exposed through public content or API endpoints, or guessed via brute-force methods. The issue stems from incorrect handling of authentication results in the ‘wp_authenticate_application_password()’ function, where WP_Error and null values are erroneously treated as authenticated states.

Cross-Platform Supply Chain Attack Expands with Mini Shai-Hulud Malware via PyPI and npm Ecosystems

Updated: 14.05.2026 22:07 · First: 29.04.2026 19:26 · 📰 5 src / 8 articles

The Mini Shai-Hulud supply chain attack has escalated into a multi-ecosystem campaign, now confirmed to have breached OpenAI’s internal systems via compromised TanStack packages. Two OpenAI employees’ devices were infected, resulting in limited credential theft from internal repositories but no impact on customer data, production systems, or deployed software. OpenAI responded by isolating systems, rotating credentials, and updating code-signing certificates for macOS applications, requiring user updates by June 12, 2026. The attack initially targeted TanStack and Mistral AI, spreading to UiPath, Guardrails AI, and OpenSearch through stolen CI/CD credentials and legitimate GitHub Actions workflows. Researchers identified hundreds of compromised npm and PyPI packages (373 npm package-version entries across 169 names, with at least double that number across organizations) designed to steal developer credentials, self-propagate via compromised maintainer accounts, and abuse trusted publishing workflows. The malware employs heavily obfuscated JavaScript payloads with Bun-based execution, targets IDE integrations for persistence, and includes destructive sabotage components on Linux systems. Threat actors, assessed as TeamPCP, continue refining tactics to maximize reach and evade detection, underscoring the urgency for credential rotation and provenance verification across ecosystems.

Microsoft Edge sandbox escape and Windows 11 privilege escalation zero-days demonstrated at Pwn2Own Berlin 2026

Updated: · First: 14.05.2026 21:53 · 📰 1 src / 1 articles

Security researchers demonstrated 24 unique zero-day exploits at Pwn2Own Berlin 2026 on May 14, 2026, earning $523,000 in total rewards. Orange Tsai successfully chained four logic bugs to achieve a sandbox escape in Microsoft Edge, receiving $175,000. Windows 11 privilege escalation zero-days were demonstrated by three separate teams—Angelboy and TwinkleStar03 (DEVCORE Internship Program), Marcin Wiązowski, and Kentaro Kawane (GMO Cybersecurity)—each earning $30,000. The exploits targeted fully patched systems under competition rules requiring arbitrary code execution.

Compromised node-ipc npm Package Versions Deploy Stealer Payload via Obfuscated Backdoor

Updated: · First: 14.05.2026 20:22 · 📰 1 src / 1 articles

Three legitimate versions of the widely used node-ipc npm package were republished with malicious code by an unauthorized maintainer account. The affected versions—9.1.6, 9.2.3, and 12.0.1—contain obfuscated stealer/backdoor functionality that triggers upon package require('node-ipc'), exfiltrating extensive developer and cloud secrets to a rogue command-and-control (C2) server. The attack uses novel anti-detection techniques including host fingerprinting, DNS-based exfiltration via Google Public DNS, and conditional payload execution tied to a SHA-256 hash of the entry module path, indicating targeted operations. This incident follows a prior 2022 protest incident where the original maintainer added destructive capabilities to versions 10.1.1 and 10.1.2 targeting systems in Russia or Belarus. The campaign highlights the risks of dormant package compromise and the use of legitimate npm accounts to deliver supply-chain malware with advanced evasion tactics aimed at bypassing traditional security monitoring.

Active exploitation of PAN-OS RCE zero-day CVE-2026-0300 via User-ID Authentication Portal

Updated: 14.05.2026 19:07 · First: 07.05.2026 13:57 · 📰 3 src / 3 articles

State-sponsored threat actors tracked as CL-STA-1132 exploited the critical PAN-OS firewall zero-day CVE-2026-0300 since at least April 9, 2026, achieving initial unauthenticated remote code execution by April 16–17, 2026. The vulnerability, a buffer overflow in the User-ID Authentication Portal service, enabled root-level arbitrary code execution on exposed PA-Series and VM-Series firewalls. Attackers injected shellcode into nginx worker processes and immediately began erasing forensic artifacts, including crash kernel messages and nginx records, to evade detection. Post-compromise activity included Active Directory enumeration and deployment of EarthWorm and ReverseSocks5 tunneling tools on April 29, 2026, targeting additional network devices. The adversary’s use of open-source tools and disciplined, intermittent operational sessions over weeks minimized signature-based detection while maintaining stealth. Over 5,400 PAN-OS VM-Series firewalls remain exposed on the internet, predominantly in Asia and North America. CISA added CVE-2026-0300 to its Known Exploited Vulnerabilities Catalog on May 7, 2026, mandating federal remediation by May 9, 2026. Palo Alto Networks released initial patches for CVE-2026-0300 on May 14, 2026.

UNC6384 Targets Diplomats with PlugX via Captive Portal Hijacks

Updated: 14.05.2026 18:00 · First: 25.08.2025 21:11 · 📰 5 src / 8 articles

UNC6384, a China-nexus threat actor assessed to share tactical overlaps with Mustang Panda, continues targeted espionage campaigns leveraging advanced social engineering and indirect execution techniques. Recent reporting confirms Mustang Panda’s use of the FDMTP backdoor (version 3.2.5.1) in a months-long campaign against networks in the Asia-Pacific and Japan, involving CDN impersonation, DLL sideloading, and in-memory .NET execution. The group employs modular plugins for persistence, scheduled tasks, and remote file retrieval, with communication over a custom TCP protocol using DMTP. The campaign targeting U.S. government and policy entities via Venezuela-themed spear phishing to deliver the LOTUSLITE backdoor remains under investigation, with moderate-confidence attribution to Mustang Panda. Earlier phases described UNC6384’s captive portal hijacks to deploy PlugX variants (SOGU.SEC) and linked tooling overlaps with Mustang Panda’s Bookworm malware, highlighting the sophistication of PRC-nexus operators in evading detection.

Shift to DPU-based security architecture gains traction after VMware hypervisor escape flaws underscore host agent limitations

Updated: · First: 14.05.2026 17:00 · 📰 1 src / 1 articles

Industry discussions highlight a fundamental rethinking of data center security architectures following recurring VMware ESXi zero-day vulnerabilities and ESXiArgs ransomware campaign, which demonstrated that host-based security agents fail to detect or mitigate hypervisor-level compromises. Security teams increasingly explore Data Processing Unit (DPU)-based security models to offload security workloads from host CPUs, eliminating performance trade-offs while providing tamper-proof, line-rate inspection and policy enforcement. The architecture isolates security functions on dedicated silicon, enabling comprehensive east-west and north-south traffic visibility without host OS dependency, a critical gap exposed by lateral movement attacks and transient workloads in modern AI and containerized environments.

Android Intrusion Logging feature introduced to enhance forensic analysis of advanced spyware attacks

Updated: 14.05.2026 16:30 · First: 13.05.2026 09:55 · 📰 2 src / 2 articles

Google launched Android Intrusion Logging on May 12, 2026 as part of Advanced Protection Mode to provide persistent, encrypted forensic logging for investigating advanced spyware compromises on Android devices. Developed with civil society organizations including Amnesty International and Reporters Without Borders, the feature captures daily device and network activities such as app processes, security events, spyware installations, and DNS connections, storing encrypted logs for 12 months on Google servers. Users must explicitly share logs for forensic analysis, and the feature is opt-in for Pixel devices running Android 16 and newer with Advanced Protection Mode enabled. The feature was developed to address gaps in spyware forensic analysis where previous methods relied on incidental, partial, and short-lived logs. Additional updates to Advanced Protection Mode include USB protection, restricted accessibility services, disabled device-to-device unlocking, Chrome WebGPU removal, chat scam detection, and enterprise device support, enhancing protections for high-risk users against scams, fraud, and targeted attacks.

Fragnesia Linux Kernel LPE via XFRM ESP-in-TCP Page Cache Corruption

Updated: 14.05.2026 16:00 · First: 14.05.2026 10:06 · 📰 2 src / 2 articles

Fragnesia (CVE-2026-46300, CVSS 7.8) is a Linux kernel local privilege escalation vulnerability in the XFRM ESP-in-TCP subsystem that enables unprivileged local attackers to corrupt kernel page cache and gain root access. The flaw was discovered by William Bowling of Zellic and the V12 team, with a proof-of-concept exploit published on May 13, 2026. It operates by feeding file contents into a TCP socket, enabling ESP-in-TCP encryption to overwrite page cache memory (including /usr/bin/su) with AES-GCM keystreams, leaving no forensic trace on disk. The vulnerability emerged as an unintended side effect of a patch addressing the Dirty Frag vulnerabilities and affects all Linux kernels prior to disclosure. A candidate upstream fix was submitted to the netdev mailing list on May 13 but remains unmerged, while multiple distributions have issued backported patches. Mitigation strategies include disabling esp4, esp6, and rxrpc modules (which also cover Dirty Frag), restricting unprivileged user namespaces, and monitoring for suspicious XFRM or namespace activity. No in-the-wild exploitation has been observed, but the public PoC and historical context heighten urgency for patching.

AI-driven cybersecurity investment surge widens startup capital gap, fueling consolidation wave

Updated: · First: 14.05.2026 16:00 · 📰 1 src / 1 articles

Cybersecurity investment activity in 2026 has surged due to AI adoption, with $3.8 billion in venture financing outpacing $2.6 billion in merger and acquisition (M&A) deal value during Q1 2026. The influx of capital is disproportionately directed toward AI-native security startups, creating a widening ‘valley of death’ for non-AI companies struggling to secure follow-on funding. AI-driven security offerings are expanding enterprise attack surfaces while simultaneously disrupting traditional sectors such as vulnerability management. Analysts anticipate a consolidation wave in 2026-2027, with predictions of multibillion-dollar acquisitions by hyperscalers and AI frontier model providers targeting strategic cybersecurity capabilities.

Foxconn North American operations disrupted by Nitrogen ransomware attack

Updated: 14.05.2026 15:00 · First: 13.05.2026 15:49 · 📰 2 src / 2 articles

Foxconn confirmed a cyberattack impacting North American factories, disrupting operations and prompting recovery efforts. The Nitrogen ransomware gang has claimed responsibility, alleging theft of 8 TB of data and over 11 million documents, including confidential customer projects and intellectual property. Affected facilities are resuming normal production as incident response continues. The attack underscores the escalating targeting of manufacturing supply chains, where threat actors exploit operational sensitivity and high-value data. Foxconn, a key supplier to major technology firms, faces potential downstream impact as stolen data may include sensitive documentation tied to clients like Apple, Intel, Google, Nvidia, and others. Industry data shows manufacturing as the most heavily targeted sector for ransomware in 2026, with nearly 70% more victims than any other industry, reflecting attackers' focus on organizations where downtime directly halts revenue and production.

Authentication Bypass in PraisonAI Legacy API Server Exploited Within Hours

Updated: · First: 14.05.2026 14:40 · 📰 1 src / 1 articles

Within four hours of public disclosure, threat actors exploited CVE-2026-44338, an authentication bypass vulnerability in PraisonAI’s legacy Flask API server, to access sensitive endpoints without credentials. The flaw, affecting versions 2.5.6 through 4.6.33, stems from hard-coded authentication disablement (AUTH_ENABLED = False) and allows unauthenticated enumeration of configured agents and execution of agents.yaml workflows via /agents and /chat endpoints. Impact varies depending on the workflow’s permissions but includes quota exhaustion and exposure of PraisonAI.run() results. A patched version (4.6.34) is available. Exploitation activity was observed originating from IP 146.190.133[.]49 and using the User-Agent CVE-Detector/1.0.

AI hallucination risks driving incorrect security decisions in critical infrastructure

Updated: · First: 14.05.2026 14:30 · 📰 1 src / 1 articles

AI hallucinations—confidently presented yet factually incorrect outputs—are introducing significant security risks in critical infrastructure and cybersecurity operations by exploiting human trust in authoritative-sounding responses. A 2025 evaluation of 40 AI models using the AA-Omniscience benchmark revealed that 36 models were more likely to provide confidently incorrect answers than correct ones on difficult questions, emphasizing the systemic nature of this issue. These hallucinations manifest in cybersecurity through missed threats, fabricated threats, and incorrect remediation actions, all of which can lead to operational disruptions, financial loss, or cascading security incidents. The primary vulnerability stems from a lack of inherent verification mechanisms in base language models, which prioritize coherence over factual accuracy, particularly when integrated into automated or high-stakes decision-making workflows.

Dell SupportAssist Remediation service update triggers critical Windows BSOD crashes

Updated: · First: 14.05.2026 13:03 · 📰 1 src / 1 articles

Dell confirmed that a recent update to its SupportAssist Remediation service (version 5.5.16.0) is causing Windows blue-screen-of-death (BSOD) crashes across Dell and Alienware systems. The crashes stem from a critical process error (0xEF_DellSupportAss_BUGCHECK_CRITICAL_PROCESS) introduced in the update, prompting users to uninstall or disable the service as a temporary workaround. The issue has affected systems since late May 2026, with Dell engineering actively investigating a permanent fix.

BitLocker bypass via WinRE and privilege escalation flaws disclosed in Windows

Updated: 14.05.2026 12:25 · First: 13.05.2026 19:37 · 📰 2 src / 2 articles

A security researcher publicly disclosed two unpatched Windows vulnerabilities, YellowKey and GreenPlasma, including proof-of-concept (PoC) exploits, enabling BitLocker bypass and local privilege escalation (LPE) respectively. The researcher, known as Chaotic Eclipse or Nightmare Eclipse, criticized Microsoft's handling of prior disclosures, leading to these new disclosures ahead of the next Patch Tuesday. YellowKey exploits the Windows Recovery Environment (WinRE) to bypass BitLocker encryption on Windows 11, Windows Server 2022, and Windows Server 2025 systems, allowing unrestricted access to encrypted volumes without requiring user credentials. The attack leverages specially crafted 'FsTx' files placed on a USB drive or the EFI partition, triggering a shell upon recovery mode entry. The researcher emphasized that even TPM+PIN configurations do not mitigate YellowKey. GreenPlasma is an LPE flaw enabling SYSTEM-level access through arbitrary section creation in writable SYSTEM directories, with a partial PoC released. Microsoft has not yet patched either vulnerability and has not assigned a CVE identifier to GreenPlasma.

Unmanaged AI Agents Pose Security Risks in Enterprise Environments

Updated: 14.05.2026 12:20 · First: 23.10.2025 14:55 · 📰 3 src / 3 articles

The proliferation of unmanaged AI agents in enterprise environments continues to escalate security risks, with most companies having 100 AI agents per human employee and 99% of these identities remaining unmanaged. A new study reveals that 93% of global organizations now use or plan to use AI agents for sensitive security tasks such as password resets and VPN access, despite the potential for serious breaches. Only 32% of organizations feel confident in regaining control after an AI-driven credential exposure, highlighting widespread unpreparedness. Traditional security tools prove ineffective at managing AI agents, which are often over-permissioned and abandoned as "zombie" identities. The industry is shifting toward agentic AI systems that operate autonomously, necessitating AI-driven SOC defense platforms and faster public-private partnerships to enhance national resilience. An upcoming webinar will provide a framework for securing AI agents, including strategies for governance, security-by-design, and aligning security with business goals.

UK ICO releases mitigation guidance for AI-powered cyber threats

Updated: · First: 14.05.2026 12:00 · 📰 1 src / 1 articles

The UK Information Commissioner’s Office (ICO) published a five-step plan to counter AI-powered cyber threats, emphasizing foundational cybersecurity controls, layered defenses, and AI-specific governance. The guidance targets AI-enhanced phishing, deepfake social engineering, automated exploitation, adaptive malware, and AI model poisoning. It aligns with the NCSC’s Cyber Assessment Framework and GDPR obligations, requiring organizations to implement Cyber Essentials controls, MFA, least-privilege access, and incident response testing, with explicit oversight of AI-driven security tools.

Indictment of alleged Dream Market administrator Owe Martin Andresen for international money laundering

Updated: · First: 14.05.2026 11:55 · 📰 1 src / 1 articles

The alleged main administrator of the now-defunct dark web marketplace Dream Market, identified as Owe Martin Andresen (aka 'Speedstepper'), has been indicted in the U.S. on 12 counts of international concealment money laundering. Andresen, arrested in Germany, is accused of laundering over $2 million in proceeds from Dream Market operations between August 2023 and April 2025. The charges stem from the alleged movement of dormant marketplace cryptocurrency wallets’ funds into new wallets in late 2022, followed by the purchase of gold bars using those funds in August 2023. German authorities recovered approximately $1.7 million in gold bars, over $23,000 in cash, and evidence of additional proceeds totaling $1.2 million during searches of his residence and two other locations on May 7, 2026.

Fragnasia Linux privilege escalation flaw enables root access via XFRM ESP-in-TCP logic bug

Updated: · First: 14.05.2026 10:34 · 📰 1 src / 1 articles

A high-severity logic bug in the Linux XFRM ESP-in-TCP subsystem, tracked as CVE-2026-46300 and named Fragnasia, allows unprivileged local attackers to gain root privileges by corrupting the kernel page cache of read-only files, including critical binaries like /usr/bin/su. Discovered by William Bowling of Zellic, the vulnerability is the second known member of the Dirty Frag vulnerability class and provides a direct memory-write primitive to overwrite kernel page cache memory without requiring race conditions. All Linux kernels released before May 13, 2026 are affected. A proof-of-concept exploit has been publicly released, enabling attackers to achieve root shells on vulnerable systems.

Heap Overflow in NGINX ngx_http_rewrite_module Enables Unauthenticated RCE (CVE-2026-42945)

Updated: · First: 14.05.2026 09:00 · 📰 1 src / 1 articles

A critical heap-based buffer overflow vulnerability in the ngx_http_rewrite_module of NGINX Plus and NGINX Open Source, tracked as CVE-2026-42945 (CVSS v4: 9.2) and codenamed NGINX Rift, has been disclosed. The flaw allows unauthenticated remote code execution (RCE) or denial-of-service (DoS) when specific crafted HTTP requests are sent to a vulnerable server. The vulnerability persists for 18 years and is exploitable via malformed rewrite directives containing unnamed PCRE capture groups and replacement strings with question marks. Successful exploitation corrupts the heap in the NGINX worker process, enabling code execution if ASLR is disabled or DoS via repeated worker crashes. Impact is severe due to the unauthenticated nature of the attack, absence of prerequisites, and potential to disrupt all services served by the affected NGINX instance.

West Pharmaceutical Services sustains cyber intrusion with data theft and partial system encryption

Updated: · First: 14.05.2026 01:23 · 📰 1 src / 1 articles

A cyber intrusion against West Pharmaceutical Services, a U.S.-based pharmaceutical manufacturer with over 10,800 employees and annual revenues exceeding $3 billion, resulted in data exfiltration and partial system encryption. The compromise was detected on May 4, 2026, with an SEC filing on May 7, 2026 confirming material impact. The attacker accessed and stole data from the corporate network and encrypted select systems, triggering a global response that included containment measures, law enforcement notification, and engagement of external forensic experts. The incident disrupted global business operations, with core enterprise systems supporting shipping and manufacturing restored and partial manufacturing resumption achieved. Full system restoration remains incomplete, and no timeline or financial impact estimate has been provided.

MuddyWater Expands Global Campaigns with New Backdoors Targeting US and Israeli Entities

Updated: 14.05.2026 00:59 · First: 22.10.2025 18:00 · 📰 12 src / 21 articles

The Iran-linked MuddyWater APT (a.k.a. Seedworm, Static Kitten) has expanded its global espionage operations to include a major South Korean electronics manufacturer, government agencies, and an international airport in the Middle East, marking a geographic shift beyond its traditional MENA and Israeli targets. In February 2026, the group spent a week inside the network of the South Korean firm, conducting industrial espionage and intellectual property theft while leveraging DLL sideloading via legitimate Fortemedia and SentinelOne binaries to deploy ChromElevator for browser data exfiltration. MuddyWater’s evolving tradecraft includes the continued use of PowerShell—now orchestrated via Node.js loaders—for reconnaissance, credential theft, and persistence, alongside anti-detection techniques like fake Windows prompts, registry hive theft, and public file-sharing services (*sendit.sh*) for exfiltration. This follows earlier 2026 campaigns where the group masqueraded as Chaos ransomware to deploy the Darkcomp RAT, targeted US companies with Dindoor/Fakeset backdoors, and expanded its toolset with Rust-based implants like RustyWater. The group’s persistent focus on espionage, use of legitimate tools for evasion, and geographic diversification underscore its adaptability as a state-aligned threat actor linked to Iran’s MOIS.

Shift from checkbox compliance to continuous third-party risk assessment in GRC frameworks

Updated: · First: 14.05.2026 00:17 · 📰 1 src / 1 articles

Cybersecurity stakeholders are transitioning from static, annual compliance assessments toward continuous third-party and enterprise risk monitoring due to limitations of traditional checkbox-based governance, risk, and compliance (GRC) models. Threat actors exploit vulnerabilities and supply-chain attack vectors faster than annual audits can detect, rendering periodic questionnaires and paper-based compliance ineffective. Leading security professionals and organizations are adopting continuous monitoring platforms that integrate AI-driven evidence collection, attack surface visibility, and real-time control validation to assess and communicate risk more accurately.

Compromise of Ruby gems and Go modules via poisoned packages leads to credential theft and CI pipeline manipulation

Updated: 14.05.2026 00:09 · First: 01.05.2026 12:43 · 📰 3 src / 4 articles

A dual-pronged software supply chain attack continues to unfold, with initial compromise via poisoned Ruby gems and Go modules tied to the GitHub account “BufferZoneCorp” for credential theft and CI pipeline manipulation. Concurrently, the GemStuffer campaign abuses the RubyGems registry as a data transport channel, embedding scraped content from U.K. local government council portals (Lambeth, Wandsworth, Southwark) into over 150+ valid .gem archives and republishing them using hardcoded API keys. New vendor research highlights automated scraper-worm mechanics, noisy but intentional execution indicative of testing or registry abuse, and direct API uploads bypassing the gem CLI. Security teams are advised to audit /tmp folders, block unauthorized gem pushes in CI pipelines, and lock down systems allowed to publish to public registries.

The Gentlemen RaaS group breached, internal data leaked exposing operations and TTPs

Updated: · First: 13.05.2026 23:47 · 📰 1 src / 1 articles

The Russian ransomware-as-a-service (RaaS) operation known as The Gentlemen suffered a data breach of its internal infrastructure, resulting in the theft and public sale of 16 GB of sensitive data including communications, tooling, and operational documentation. The anonymous threat actors leaked a 44 MB sample proving authenticity, which Check Point Research analyzed to reveal detailed operational structure, tactics, techniques, and procedures (TTPs), payment models, and leadership dynamics of The Gentlemen. The group, led by a figure identified as "zeta88," has executed over 332 confirmed attacks in 2026 alone, making it the second most active ransomware group globally. The breach represents a significant reputational and operational risk, though immediate disruption to ongoing activities is not expected.

Exim BDAT Memory Corruption Flaw in GnuTLS Builds Enables Code Execution

Updated: 13.05.2026 23:23 · First: 12.05.2026 19:44 · 📰 2 src / 2 articles

A severe use-after-free vulnerability in Exim's BDAT message body parsing under GnuTLS configurations (CVE-2026-45185) allows unauthenticated attackers to trigger memory corruption and achieve code execution, impacting Exim versions 4.97 through 4.99.2. The flaw enables heap corruption via a single-byte write into freed allocator metadata during TLS shutdown, granting further exploitation primitives. Exploitation requires establishing a TLS connection and using the CHUNKING (BDAT) SMTP extension; no mitigations exist beyond upgrading to Exim 4.99.3. Exploitation could result in arbitrary code execution, access to Exim data and emails, and potential lateral movement depending on server permissions. The vulnerability was disclosed by Federico Kirschbaum of XBOW and patched in Exim version 4.99.3. A proof-of-concept exploit was developed by XBOW using AI-driven tools, achieving success on non-PIE binaries with and without ASLR.

Phishing-to-outage lifecycle focus of upcoming MSP cyber resilience webinar featuring Kaseya

Updated: 13.05.2026 18:45 · First: 17.04.2026 15:20 · 📰 6 src / 6 articles

On May 14, 2026 at 2:00 PM ET, BleepingComputer and Kaseya will host a live technical webinar titled "From phishing to fallout: Why MSPs must rethink both security and recovery." Led by Austin O'Saben and Adam Marget, the session will present advanced strategies for MSPs to integrate detection, response, and recovery to mitigate phishing-driven cyber incidents. Modern threat actors increasingly combine AI-generated phishing, business email compromise, ransomware, and SaaS abuse to bypass traditional defenses and disrupt operations. The webinar emphasizes that reliance on prevention alone is insufficient; instead, organizations must strengthen both security posture and recovery readiness, including SaaS backups and business continuity planning. Kaseya experts will detail how integrating backup and disaster recovery (BCDR) into security strategies is critical to reduce downtime and limit incident impact during such attacks. Building on prior coverage, a May 13, 2026 BleepingComputer article highlights that brand impersonation in AI-driven phishing is outpacing traditional email security, and that recovery delays after compromise can prolong operational disruption and increase recovery costs even after containment. Organizations are urged to prepare not only to defend against attacks but also to recover from them quickly. A separate May 7, 2026 article by The Hacker News promotes another webinar, "One Click, Total Shutdown: The 'Patient Zero' Webinar on Killing Stealth Breaches," which focuses on immediate breach containment strategies for AI-driven phishing attacks, including the "Patient Zero" concept and the 5-minute critical window for containment.