CyberHappenings logo

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

News Summary

Hide ▲
Last updated: 18:45 15/05/2026 UTC
  • MuddyWater Expands Global Campaigns with New Backdoors Targeting US and Israeli Entities The Iran-linked MuddyWater APT (a.k.a. Seedworm, Static Kitten) has expanded its global espionage operations to include a major South Korean electronics manufacturer, government agencies, and an international airport in the Middle East, marking a geographic shift beyond its traditional MENA and Israeli targets. In February 2026, the group spent a week inside the network of the South Korean firm, conducting industrial espionage and intellectual property theft while leveraging DLL sideloading via legitimate Fortemedia and SentinelOne binaries to deploy ChromElevator for browser data exfiltration. MuddyWater’s evolving tradecraft includes the continued use of PowerShell—now orchestrated via Node.js loaders—for reconnaissance, credential theft, and persistence, alongside anti-detection techniques like fake Windows prompts, registry hive theft, and public file-sharing services (sendit.sh) for exfiltration. This follows earlier 2026 campaigns where the group masqueraded as Chaos ransomware to deploy the Darkcomp RAT, targeted US companies with Dindoor/Fakeset backdoors, and expanded its toolset with Rust-based implants like RustyWater. The group’s persistent focus on espionage, use of legitimate tools for evasion, and geographic diversification underscore its adaptability as a state-aligned threat actor linked to Iran’s MOIS. Read
  • Turla’s Kazuar framework upgraded into modular P2P botnet for persistent intrusions Turla (Secret Blizzard, ATG26, Blue Python, Uroburos) has upgraded its Kazuar .NET backdoor into a modular peer-to-peer (P2P) botnet designed for long-term persistence and covert operations against government, diplomatic, and defense targets in Europe and Central Asia. The overhaul introduces a three-tier module architecture—Kernel, Bridge, and Worker—coordinated via droppers such as Pelmeni and ShadowLoader. Kernel modules act as the botnet’s control plane, electing a leader to mediate C2 communication while Workers exfiltrate data, log keystrokes, and profile systems. Communication uses multiple channels including Windows Messaging, Mailslot, named pipes, HTTP, Exchange Web Services, and WebSockets to evade detection. The design emphasizes resilience through internal P2P coordination, multi-path C2 redundancy, and persistent on-disk staging of operational data. Read
  • REMUS infostealer MaaS operation evolves toward session theft and password-manager targeting A malware-as-a-service (MaaS) operation distributing the REMUS infostealer has rapidly evolved since February 2026, transitioning from basic credential theft to a structured platform emphasizing session persistence, password-manager targeting, and operational scalability. The operation demonstrates commercialization practices typical of legitimate software businesses, including versioned updates, customer support, operational dashboards, and delivery reliability claims (~90% callback rate). The infostealer now integrates SOCKS5 proxy support, token restoration workflows, anti-VM evasion, and targeted collection from Discord, Steam, Riot Games, Telegram, and browser-based password managers (Bitwarden, 1Password, LastPass) via IndexedDB and extension storage. This shift reflects a broader underground trend prioritizing authenticated sessions and browser-side authentication artifacts to bypass MFA and maintain long-term access. Read
  • Microsoft deploys automated Windows driver rollback via Windows Update infrastructure Microsoft is implementing Cloud-Initiated Driver Recovery, an automated mechanism to remotely roll back problematic Windows drivers distributed through Windows Update. The feature mitigates prolonged exposure to faulty drivers by enabling Microsoft to trigger a rollback to a previously stable version or the next viable driver without requiring manual intervention from hardware partners or end users. The recovery leverages existing Windows Update infrastructure and is activated only for drivers rejected during the Driver Shiproom evaluation due to quality issues. The capability will begin rollbacks for drivers rejected during Flighting or Gradual Rollout starting September 2026, following a testing phase from May to August 2026. Read
  • Microsoft Edge sandbox escape and Windows 11 privilege escalation zero-days demonstrated at Pwn2Own Berlin 2026 Security researchers at Pwn2Own Berlin 2026, held from May 14 to May 16, 2026, demonstrated 39 unique zero-day exploits across enterprise technologies and AI systems, earning $908,750 in total rewards. Orange Tsai (DEVCORE Research Team) achieved SYSTEM-level remote code execution on Microsoft Exchange by chaining three bugs, earning $200,000 on the second day. Earlier, Tsai had also chained four logic bugs to escape the Microsoft Edge sandbox, earning $175,000 on the first day. Windows 11 privilege escalation zero-days were demonstrated by six teams across both days, including Angelboy and TwinkleStar03, Kentaro Kawane, Marcin Wiążowski, Siyeon Wi, and others, with individual awards ranging from $7,500 to $30,000. Additional exploits targeted Red Hat Enterprise Linux, NVIDIA Container Toolkit, Microsoft Exchange, AI coding agents (OpenAI Codex, Cursor), and other products, with awards totaling $20,000 to $50,000 per entry. All targeted exploits required arbitrary code execution on fully patched systems under Pwn2Own rules. Vendors have 90 days to address disclosed zero-days after the competition. Read
  • Gremlin infostealer evolves into modular stealer with anti-analysis and session hijacking capabilities A previously identified infostealer, Gremlin, has evolved into a modular threat actor toolkit with advanced evasion and session hijacking features. The malware now exfiltrates sensitive data including browser cookies, session tokens, clipboard contents, cryptocurrency wallet data, FTP and VPN credentials to a newly deployed server at 194.87.92.109. Key enhancements include anti-static analysis obfuscation via .NET Resource embedding and XOR encoding, Discord token extraction for social engineering, clipboard manipulation for cryptocurrency redirection, and WebSocket-based active session hijacking to bypass cookie protections. Read
  • Fragnesia Linux Kernel LPE via XFRM ESP-in-TCP Page Cache Corruption Fragnesia (CVE-2026-46300, CVSS 7.8) is a Linux kernel local privilege escalation vulnerability in the XFRM ESP-in-TCP subsystem that enables unprivileged local attackers to corrupt kernel page cache and gain root access. The flaw was discovered by William Bowling of Zellic and the V12 team, with a proof-of-concept exploit published on May 13, 2026. It operates by feeding file contents into a TCP socket, enabling ESP-in-TCP encryption to overwrite page cache memory (including /usr/bin/su) with AES-GCM keystreams, leaving no forensic trace on disk. The vulnerability emerged as an unintended side effect of a patch addressing the Dirty Frag vulnerabilities and affects all Linux kernels prior to disclosure. A candidate upstream fix was submitted to the netdev mailing list on May 13 but remains unmerged, while multiple distributions have issued backported patches. Mitigation strategies include disabling esp4, esp6, and rxrpc modules (which also cover Dirty Frag), restricting unprivileged user namespaces, and monitoring for suspicious XFRM or namespace activity. No in-the-wild exploitation has been observed, but the public PoC and historical context heighten urgency for patching. Read
Last updated: 16:02 15/05/2026 UTC
  • Unmanaged AI Agents Pose Security Risks in Enterprise Environments The proliferation of unmanaged AI agents in enterprise environments continues to escalate security risks, with most companies having 100 AI agents per human employee and 99% of these identities remaining unmanaged. A new study reveals that 93% of global organizations now use or plan to use AI agents for sensitive security tasks such as password resets and VPN access, despite the potential for serious breaches. Only 32% of organizations feel confident in regaining control after an AI-driven credential exposure, highlighting widespread unpreparedness. Traditional security tools prove ineffective at managing AI agents, which are often over-permissioned and abandoned as "zombie" identities. The industry is shifting toward agentic AI systems that operate autonomously, necessitating AI-driven SOC defense platforms and faster public-private partnerships to enhance national resilience. An upcoming webinar will provide a framework for securing AI agents, including strategies for governance, security-by-design, and aligning security with business goals. Read
  • UNC6384 Targets Diplomats with PlugX via Captive Portal Hijacks UNC6384, a China-nexus threat actor assessed to share tactical overlaps with Mustang Panda, continues targeted espionage campaigns leveraging advanced social engineering and indirect execution techniques. Recent reporting confirms Mustang Panda’s use of the FDMTP backdoor (version 3.2.5.1) in a months-long campaign against networks in the Asia-Pacific and Japan, involving CDN impersonation, DLL sideloading, and in-memory .NET execution. The group employs modular plugins for persistence, scheduled tasks, and remote file retrieval, with communication over a custom TCP protocol using DMTP. The campaign targeting U.S. government and policy entities via Venezuela-themed spear phishing to deliver the LOTUSLITE backdoor remains under investigation, with moderate-confidence attribution to Mustang Panda. Earlier phases described UNC6384’s captive portal hijacks to deploy PlugX variants (SOGU.SEC) and linked tooling overlaps with Mustang Panda’s Bookworm malware, highlighting the sophistication of PRC-nexus operators in evading detection. Read
  • TeamPCP escalates CanisterWorm campaign with geopolitical targeting and multi-vector attacks TeamPCP has escalated its multi-vector CanisterWorm campaign into a geopolitically targeted operation, now confirmed to have leveraged the Trivy supply-chain attack as an access vector for the Checkmarx compromise. The group compromised PyPI packages (LiteLLM versions 1.82.7–1.82.8 and Telnyx versions 4.87.1–4.87.2) and Checkmarx KICS tooling to deliver credential-stealing malware, harvesting SSH keys, cloud credentials, Kubernetes secrets, database credentials, cryptocurrency wallets, TLS/SSL private keys, and bash history files. Checkmarx has publicly confirmed that the LAPSUS$ threat group leaked data stolen from its private GitHub repository, with access facilitated by the Trivy compromise attributed to TeamPCP. The leaked data, published on both dark web and clearnet portals, did not contain customer information, and Checkmarx has blocked access to the affected repository pending forensic investigation. The campaign’s scope expanded from initial npm package compromises to include GitHub repository hijacking (e.g., Aqua Security), Docker Hub compromise, and CI/CD pipeline targeting, while destructive payloads in Iranian Kubernetes environments highlight TeamPCP’s geopolitical alignment. On May 9, 2026, TeamPCP published a malicious version of the Checkmarx Jenkins AST plugin (2.0.13-829.vc72453fa_1c16) to the Jenkins Marketplace, defacing the plugin’s GitHub repository with pro-TeamPCP messaging. The compromise was facilitated using credentials stolen in the March 2026 Trivy supply-chain attack and occurred outside the plugin’s official release pipeline, lacking a git tag or GitHub release. Checkmarx isolated its GitHub repositories from customer environments and stated no customer data was stored in them. Users are advised to use version 2.0.13-829.vc72453fa_1c16 published on December 17, 2025, or older. Read
  • SAP December 2025 Security Updates Address Three Critical Vulnerabilities SAP’s December 2025 security bulletin addressed 14 vulnerabilities, including three critical flaws, while the May 2026 updates introduced 15 new vulnerabilities with two critical issues in Commerce Cloud and S/4HANA. One critical flaw, CVE-2026-34263, is a missing authentication check in SAP Commerce Cloud allowing unauthenticated attackers to execute arbitrary code. The second critical flaw, CVE-2026-34260, enables low-complexity SQL injection in SAP S/4HANA, risking unauthorized data access and application disruption. SAP’s May 2026 advisory also resolved one high-severity and 11 medium-severity issues, including command injection, missing authorization checks, and XSS. While SAP has not observed active exploitation of these new flaws, historical precedent shows SAP vulnerabilities are frequently targeted, with 14 SAP flaws added to CISA’s Known Exploited Vulnerabilities catalog in recent years, including two used in ransomware attacks. SAP remains a critical enterprise software vendor, serving 99 of the 100 largest global companies and reporting over €36 billion in fiscal year 2025 revenue. Read
  • Phishing-to-outage lifecycle focus of upcoming MSP cyber resilience webinar featuring Kaseya On May 14, 2026 at 2:00 PM ET, BleepingComputer and Kaseya will host a live technical webinar titled "From phishing to fallout: Why MSPs must rethink both security and recovery." Led by Austin O'Saben and Adam Marget, the session will present advanced strategies for MSPs to integrate detection, response, and recovery to mitigate phishing-driven cyber incidents. Modern threat actors increasingly combine AI-generated phishing, business email compromise, ransomware, and SaaS abuse to bypass traditional defenses and disrupt operations. The webinar emphasizes that reliance on prevention alone is insufficient; instead, organizations must strengthen both security posture and recovery readiness, including SaaS backups and business continuity planning. Kaseya experts will detail how integrating backup and disaster recovery (BCDR) into security strategies is critical to reduce downtime and limit incident impact during such attacks. Building on prior coverage, a May 13, 2026 BleepingComputer article highlights that brand impersonation in AI-driven phishing is outpacing traditional email security, and that recovery delays after compromise can prolong operational disruption and increase recovery costs even after containment. Organizations are urged to prepare not only to defend against attacks but also to recover from them quickly. A separate May 7, 2026 article by The Hacker News promotes another webinar, "One Click, Total Shutdown: The 'Patient Zero' Webinar on Killing Stealth Breaches," which focuses on immediate breach containment strategies for AI-driven phishing attacks, including the "Patient Zero" concept and the 5-minute critical window for containment. Read
  • OpenAI, TanStack, and Mistral AI Impacted in Escalating Mini Shai-Hulud Supply Chain Campaign OpenAI has confirmed that two employee devices in its corporate environment were infected via the Mini Shai-Hulud supply chain attack on TanStack, resulting in limited credential theft from internal repositories but no impact on customer data, production systems, or deployed software. OpenAI responded by isolating systems, revoking user sessions, rotating all credentials, temporarily restricting deployment workflows, and auditing user and credential behavior. As a precaution, OpenAI revoked and reissued code-signing certificates for iOS, macOS, Windows, and Android products due to exposure in the incident, with macOS desktop users (ChatGPT Desktop, Codex App, Codex CLI, Atlas) required to update applications before June 12, 2026. The incident reflects a broader escalation of the Mini Shai-Hulud campaign, which initially targeted TanStack and Mistral AI before spreading to UiPath, Guardrails AI, and OpenSearch via stolen CI/CD credentials and legitimate GitHub Actions workflows. TeamPCP continues to refine tactics, including the public distribution of the Shai-Hulud worm through a supply chain attack contest, while targeting developer and cloud credentials across ecosystems. The malware employs advanced persistence, credential harvesting, and destructive sabotage components, with technical innovations such as a multi-tier C2 exfiltration system and a 1-in-6 probability kamikaze wiper on systems in Israel or Iran. Mistral AI separately confirmed impact via trojanized SDKs, with a single developer device affected and no infrastructure breach. Read
  • MuddyWater Expands Global Campaigns with New Backdoors Targeting US and Israeli Entities The Iran-linked MuddyWater APT (a.k.a. Seedworm, Static Kitten) has expanded its global espionage operations to include a major South Korean electronics manufacturer, government agencies, and an international airport in the Middle East, marking a geographic shift beyond its traditional MENA and Israeli targets. In February 2026, the group spent a week inside the network of the South Korean firm, conducting industrial espionage and intellectual property theft while leveraging DLL sideloading via legitimate Fortemedia and SentinelOne binaries to deploy ChromElevator for browser data exfiltration. MuddyWater’s evolving tradecraft includes the continued use of PowerShell—now orchestrated via Node.js loaders—for reconnaissance, credential theft, and persistence, alongside anti-detection techniques like fake Windows prompts, registry hive theft, and public file-sharing services (sendit.sh) for exfiltration. This follows earlier 2026 campaigns where the group masqueraded as Chaos ransomware to deploy the Darkcomp RAT, targeted US companies with Dindoor/Fakeset backdoors, and expanded its toolset with Rust-based implants like RustyWater. The group’s persistent focus on espionage, use of legitimate tools for evasion, and geographic diversification underscore its adaptability as a state-aligned threat actor linked to Iran’s MOIS. Read

Latest updates

Browse →

Active exploitation of unauthenticated JavaScript injection flaw in Funnel Builder WordPress plugin leading to payment skimming

Updated: · First: 15.05.2026 22:30 · 📰 1 src / 1 articles

A critical unauthenticated vulnerability in the Funnel Builder WordPress plugin (all versions before 3.15.0.3) is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages. The flaw allows attackers to modify plugin settings via an exposed checkout endpoint, enabling arbitrary JavaScript execution on checkout pages. This results in the deployment of a payment card skimmer that collects credit card numbers, CVVs, billing addresses, and other customer data.

Microsoft Edge sandbox escape and Windows 11 privilege escalation zero-days demonstrated at Pwn2Own Berlin 2026

Updated: 15.05.2026 20:47 · First: 14.05.2026 21:53 · 📰 2 src / 2 articles

Security researchers at Pwn2Own Berlin 2026, held from May 14 to May 16, 2026, demonstrated 39 unique zero-day exploits across enterprise technologies and AI systems, earning $908,750 in total rewards. Orange Tsai (DEVCORE Research Team) achieved SYSTEM-level remote code execution on Microsoft Exchange by chaining three bugs, earning $200,000 on the second day. Earlier, Tsai had also chained four logic bugs to escape the Microsoft Edge sandbox, earning $175,000 on the first day. Windows 11 privilege escalation zero-days were demonstrated by six teams across both days, including Angelboy and TwinkleStar03, Kentaro Kawane, Marcin Wiążowski, Siyeon Wi, and others, with individual awards ranging from $7,500 to $30,000. Additional exploits targeted Red Hat Enterprise Linux, NVIDIA Container Toolkit, Microsoft Exchange, AI coding agents (OpenAI Codex, Cursor), and other products, with awards totaling $20,000 to $50,000 per entry. All targeted exploits required arbitrary code execution on fully patched systems under Pwn2Own rules. Vendors have 90 days to address disclosed zero-days after the competition.

Compromised node-ipc npm Package Versions Deploy Stealer Payload via Obfuscated Backdoor

Updated: 15.05.2026 20:10 · First: 14.05.2026 20:22 · 📰 2 src / 2 articles

Three legitimate versions of the widely used node-ipc npm package (9.1.6, 9.2.3, and 12.0.1) were republished with malicious stealer/backdoor code by an unauthorized maintainer account named 'atiertant', triggering on require('node-ipc') and exfiltrating developer and cloud secrets to a rogue C2 server. The attack features novel evasion tactics including DNS-based exfiltration via a fake Azure-themed domain (sh.azurestaticprovider[.]net), conditional payload execution in version 12.0.1, and targeted collection of 90 categories of credentials. This incident follows a prior 2022 protest-related compromise where the original maintainer added destructive capabilities to versions 10.1.1 and 10.1.2 targeting systems in Russia or Belarus, yet node-ipc retains over 690,000 weekly downloads. Security vendors (Socket, Ox Security, Upwind) confirmed the malicious nature of the affected versions, which skip large files and avoid scanning .git and node_modules directories to reduce operational noise.

Turla’s Kazuar framework upgraded into modular P2P botnet for persistent intrusions

Updated: · First: 15.05.2026 20:10 · 📰 1 src / 1 articles

Turla (Secret Blizzard, ATG26, Blue Python, Uroburos) has upgraded its Kazuar .NET backdoor into a modular peer-to-peer (P2P) botnet designed for long-term persistence and covert operations against government, diplomatic, and defense targets in Europe and Central Asia. The overhaul introduces a three-tier module architecture—Kernel, Bridge, and Worker—coordinated via droppers such as Pelmeni and ShadowLoader. Kernel modules act as the botnet’s control plane, electing a leader to mediate C2 communication while Workers exfiltrate data, log keystrokes, and profile systems. Communication uses multiple channels including Windows Messaging, Mailslot, named pipes, HTTP, Exchange Web Services, and WebSockets to evade detection. The design emphasizes resilience through internal P2P coordination, multi-path C2 redundancy, and persistent on-disk staging of operational data.

Unauthenticated SQL Injection and Arbitrary File Read Vulnerabilities in Avada Builder WordPress Plugin Affect One Million Sites

Updated: 15.05.2026 18:56 · First: 13.05.2026 17:00 · 📰 2 src / 2 articles

Two vulnerabilities in the Avada Builder WordPress plugin—CVE-2026-4782 (arbitrary file read) and CVE-2026-4798 (unauthenticated SQL injection)—have exposed approximately one million WordPress sites to credential theft and full site compromise. The arbitrary file read flaw allows authenticated subscribers to access sensitive server files, including wp-config.php, via the plugin’s shortcode-rendering functionality and custom_svg parameter. Access to wp-config.php can lead to full site takeover by enabling compromise of an administrator account. The unauthenticated SQL injection flaw, rated CVSS 7.5, impacts sites where WooCommerce was enabled and then deactivated, enabling attackers to extract database contents such as password hashes. The vulnerabilities were discovered by security researcher Rafie Muhammad under the Wordfence Bug Bounty Program and reported to the vendor on March 24, 2026, following submission to Wordfence on March 21. The vendor released patches in versions 3.15.2 (April 13) and 3.15.3 (May 12), with site administrators urged to update immediately.

Microsoft Edge plaintext credential exposure via process memory vulnerability

Updated: 15.05.2026 17:49 · First: 07.05.2026 14:33 · 📰 2 src / 2 articles

Microsoft Edge will stop loading saved passwords into process memory in cleartext at startup to reduce exposure, addressing a behavior previously defended as an intentional performance optimization. The change is already in the Canary channel and will roll out to all supported Edge releases (build 148 and newer) as part of the company’s Secure Future Initiative. Credential extraction via memory dumping remains possible only if an attacker already has local administrative privileges, a scenario Microsoft does not classify as a security flaw. Earlier disclosures revealed that Edge decrypts and retains all stored passwords in cleartext memory at startup, a behavior unique among Chromium-based browsers. Exploitation requires local administrative access to dump the browser’s process memory via tools like Task Manager, enabling extraction of plaintext credentials even when not actively in use. Microsoft initially stated the design choice was intentional to speed up sign-in processes.

Gremlin infostealer evolves into modular stealer with anti-analysis and session hijacking capabilities

Updated: · First: 15.05.2026 17:19 · 📰 1 src / 1 articles

A previously identified infostealer, Gremlin, has evolved into a modular threat actor toolkit with advanced evasion and session hijacking features. The malware now exfiltrates sensitive data including browser cookies, session tokens, clipboard contents, cryptocurrency wallet data, FTP and VPN credentials to a newly deployed server at 194.87.92.109. Key enhancements include anti-static analysis obfuscation via .NET Resource embedding and XOR encoding, Discord token extraction for social engineering, clipboard manipulation for cryptocurrency redirection, and WebSocket-based active session hijacking to bypass cookie protections.

REMUS infostealer MaaS operation evolves toward session theft and password-manager targeting

Updated: · First: 15.05.2026 17:02 · 📰 1 src / 1 articles

A malware-as-a-service (MaaS) operation distributing the REMUS infostealer has rapidly evolved since February 2026, transitioning from basic credential theft to a structured platform emphasizing session persistence, password-manager targeting, and operational scalability. The operation demonstrates commercialization practices typical of legitimate software businesses, including versioned updates, customer support, operational dashboards, and delivery reliability claims (~90% callback rate). The infostealer now integrates SOCKS5 proxy support, token restoration workflows, anti-VM evasion, and targeted collection from Discord, Steam, Riot Games, Telegram, and browser-based password managers (Bitwarden, 1Password, LastPass) via IndexedDB and extension storage. This shift reflects a broader underground trend prioritizing authenticated sessions and browser-side authentication artifacts to bypass MFA and maintain long-term access.

Chained OpenClaw vulnerabilities enable agent-based data theft and persistence in MCP runtimes

Updated: · First: 15.05.2026 16:35 · 📰 1 src / 1 articles

A chain of four vulnerabilities (CVE-2026-44112, CVE-2026-44113, CVE-2026-44115, CVE-2026-44118) in OpenClaw’s OpenShell sandbox and MCP loopback runtime allows attackers to bypass sandbox restrictions, read sensitive files, escalate to owner-level privileges, and establish persistence. Exploitation begins with code execution inside the sandbox via a malicious plugin, prompt injection, or compromised input, then progresses through credential exposure, privilege escalation, and backdoor deployment. Impact includes unauthorized data theft, full runtime control, and persistent compromise of affected hosts. The vulnerabilities are leveraged in a four-step chain: initial code execution, file and credential exposure via TOCTOU and heredoc bypass, privilege escalation via spoofable ownership flags, and final persistence through configuration tampering and backdoor planting.

Microsoft deploys automated Windows driver rollback via Windows Update infrastructure

Updated: · First: 15.05.2026 15:29 · 📰 1 src / 1 articles

Microsoft is implementing Cloud-Initiated Driver Recovery, an automated mechanism to remotely roll back problematic Windows drivers distributed through Windows Update. The feature mitigates prolonged exposure to faulty drivers by enabling Microsoft to trigger a rollback to a previously stable version or the next viable driver without requiring manual intervention from hardware partners or end users. The recovery leverages existing Windows Update infrastructure and is activated only for drivers rejected during the Driver Shiproom evaluation due to quality issues. The capability will begin rollbacks for drivers rejected during Flighting or Gradual Rollout starting September 2026, following a testing phase from May to August 2026.

Dark Reading columnists revisit pivotal security writings in 20th anniversary retrospective

Updated: · First: 15.05.2026 15:00 · 📰 1 src / 1 articles

Dark Reading commemorated its 20th anniversary by inviting prominent cybersecurity industry leaders to revisit their past columns and assess their relevance through a historical lens. The initiative involved selecting influential past writings from the Dark Reading archives, many of which had been archived via the Wayback Machine due to platform migrations over two decades. Contributing columnists including Robert Hansen (RSnake), Katie Moussouris, Rich Mogull, Richard Stiennon, and Bruce Schneier contributed reflections on how their topics have evolved and the enduring or fading accuracy of their original insights.

Ransomware Compromise at American Lending Center Exposes PII of 123,000 Individuals

Updated: · First: 15.05.2026 14:06 · 📰 1 src / 1 articles

A ransomware attack against American Lending Center (ALC), a California-based non-bank lender managing a $3 billion portfolio of government-guaranteed small business loans, led to the compromise of internal networks and potential theft of personally identifiable information (PII) for 123,000 individuals. The incident was detected in July 2025, and a forensic investigation completed on April 8, 2026, confirmed unauthorized access and execution of ransomware. Compromised data includes names, dates of birth, and Social Security numbers, though ALC reports no evidence of subsequent misuse as of the disclosure.

Bitdefender launches Internal Attack Surface Assessment to map and reduce trusted-tool abuse risks in enterprise Windows environments

Updated: · First: 15.05.2026 14:00 · 📰 1 src / 1 articles

Bitdefender publicly announces a 45-day Internal Attack Surface Assessment program designed to identify and reduce exposure from trusted utilities abused in attacks. The assessment targets Windows endpoints and maps living-off-the-land binaries (LOLBins), remote administration tools, tampering utilities, cryptominers, and piracy tools to specific users and devices with minimal operational impact. It leverages GravityZone PHASR—a Proactive Hardening and Attack Surface Reduction technology—to produce prioritized remediation roadmaps. Early adopters reported up to 70% attack surface reduction within 30 days without end-user disruption or malware investigation overhead.

OpenAI, TanStack, and Mistral AI Impacted in Escalating Mini Shai-Hulud Supply Chain Campaign

Updated: 15.05.2026 13:54 · First: 29.04.2026 19:26 · 📰 6 src / 10 articles

OpenAI has confirmed that two employee devices in its corporate environment were infected via the Mini Shai-Hulud supply chain attack on TanStack, resulting in limited credential theft from internal repositories but no impact on customer data, production systems, or deployed software. OpenAI responded by isolating systems, revoking user sessions, rotating all credentials, temporarily restricting deployment workflows, and auditing user and credential behavior. As a precaution, OpenAI revoked and reissued code-signing certificates for iOS, macOS, Windows, and Android products due to exposure in the incident, with macOS desktop users (ChatGPT Desktop, Codex App, Codex CLI, Atlas) required to update applications before June 12, 2026. The incident reflects a broader escalation of the Mini Shai-Hulud campaign, which initially targeted TanStack and Mistral AI before spreading to UiPath, Guardrails AI, and OpenSearch via stolen CI/CD credentials and legitimate GitHub Actions workflows. TeamPCP continues to refine tactics, including the public distribution of the Shai-Hulud worm through a supply chain attack contest, while targeting developer and cloud credentials across ecosystems. The malware employs advanced persistence, credential harvesting, and destructive sabotage components, with technical innovations such as a multi-tier C2 exfiltration system and a 1-in-6 probability kamikaze wiper on systems in Israel or Iran. Mistral AI separately confirmed impact via trojanized SDKs, with a single developer device affected and no infrastructure breach.

Active exploitation of Microsoft Exchange Server spoofing vulnerability via crafted email

Updated: 15.05.2026 12:40 · First: 15.05.2026 09:19 · 📰 2 src / 2 articles

A high-severity spoofing vulnerability in on-premises Microsoft Exchange Server (CVE-2026-42897, CVSS 8.1) is being actively exploited in the wild. The flaw arises from improper neutralization of input during web page generation, enabling cross-site scripting (XSS) that permits unauthorized spoofing over a network. Attackers can exploit this by sending a specially crafted email to a user; when opened in Outlook Web Access under specific interaction conditions, arbitrary JavaScript can execute in the browser context, facilitating further unauthorized actions. Microsoft has confirmed active exploitation and reports that patches are not yet available, with mitigation provided via the Exchange Emergency Mitigation Service (EEMS) for Exchange Server 2016, 2019, and Subscription Edition (SE) on-premises servers. Patch availability for some versions is restricted to customers enrolled in the Period 2 Exchange Server ESU program.

Emergence of TencShell malware leveraging open-source Rshell framework in targeted campaign against global manufacturer

Updated: · First: 15.05.2026 11:00 · 📰 1 src / 1 articles

China-linked threat actors deployed a previously undocumented malware implant named TencShell against a global manufacturer’s Indian branch in April 2026. The attack chain involved a first-stage dropper, Donut shellcode, a masqueraded .woff web-font resource, memory injection, and web-like C2 communication to deliver a customized Go-based implant derived from the open-source Rshell C2 framework. TencShell mimics Tencent-like web service paths to blend into normal enterprise traffic. If successful, the implant would have provided comprehensive access, including remote command execution, in-memory payload execution, proxying, pivoting, system profiling, and a path to deploy additional tooling.

Critical Authentication Bypass in Cisco Catalyst SD-WAN Exploited Since 2023

Updated: 15.05.2026 08:28 · First: 25.02.2026 20:01 · 📰 9 src / 13 articles

A critical authentication bypass vulnerability (CVE-2026-20182) in Cisco Catalyst SD-WAN Controller and Manager is being actively exploited in the wild, enabling unauthenticated remote attackers to bypass authentication and obtain administrative privileges. The flaw stems from a malfunction in the peering authentication mechanism within the 'vdaemon' service and impacts all deployment models. CVE-2026-20182 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on May 15, 2026, mandating federal patching by May 17, 2026. Cisco has attributed exploitation with high confidence to UAT-8616, the same cluster responsible for weaponizing CVE-2026-20127 since at least 2023. The threat actor leverages the flaw for post-compromise actions, including adding SSH keys, modifying NETCONF configurations, and attempting to escalate to root privileges. Infrastructure overlaps with Operational Relay Box (ORB) networks, commonly linked to Chinese state-sponsored actors. Threat actors have chained CVE-2026-20182 with CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 to enable unauthorized access, deploying web shells, malware frameworks, and tools such as Godzilla, Behinder, XenShell, and credential stealers. Cisco recommends immediate updates, restricting access to management interfaces, and monitoring for indicators of compromise.

Authentication bypass in Burst Statistics WordPress plugin enables admin takeover (CVE-2026-8181)

Updated: · First: 15.05.2026 00:07 · 📰 1 src / 1 articles

Unpatched installations of the WordPress analytics plugin Burst Statistics (versions 3.4.0 and 3.4.1) are being actively exploited due to a critical authentication bypass flaw, CVE-2026-8181. The vulnerability allows unauthenticated remote attackers to impersonate any privileged WordPress user—including administrators—during REST API requests by supplying an arbitrary password. Successful exploitation can grant full administrative control, enabling site takeover, database access, backdoor deployment, visitor redirection to malicious destinations, malware distribution, and creation of rogue administrator accounts. Admin usernames may be exposed through public content or API endpoints, or guessed via brute-force methods. The issue stems from incorrect handling of authentication results in the ‘wp_authenticate_application_password()’ function, where WP_Error and null values are erroneously treated as authenticated states.

Instructure breach claimed by ShinyHunters results in theft of 280 million records from 8,809 schools and universities

Updated: 14.05.2026 23:19 · First: 02.05.2026 02:43 · 📰 6 src / 6 articles

Instructure, the company behind the Canvas Learning Management System, confirmed a cybersecurity incident that began with an intrusion on April 25, 2026, attributed to the ShinyHunters extortion gang. The actor claimed to have stolen approximately 3.65 TB of data, including records from 8,809 educational institutions, and escalated its extortion campaign with a school-by-school ransom approach. ShinyHunters exploited multiple cross-site scripting (XSS) vulnerabilities in Canvas’ Free-For-Teacher environment to gain access to authenticated admin sessions during a second intrusion on May 7, 2026. The threat actor defaced Canvas login portals with extortion messages demanding ransom negotiations by May 12, 2026, and temporarily took Canvas offline to contain the activity. No data was compromised during the defacement, but the 3.65 TB of exfiltrated data from the initial breach remained the primary concern. On May 13, 2026, Instructure reached an agreement with ShinyHunters, reporting that the stolen data had been returned with digital confirmation of destruction and assurances against further extortion. The company disclosed the breach originated from an undisclosed flaw in Free-For-Teacher support tickets, enabling the exfiltration of about 275 million records, including usernames, email addresses, course names, enrollment information, and messages. Course content, submissions, and credentials were not compromised. Instructure implemented further mitigations, including disabling Free-For-Teacher accounts, revoking credentials, rotating keys, and deploying additional controls. Researchers warned the leaked data could facilitate impersonation attacks, urging institutions to issue phishing advisories and direct communications to stakeholders. Congressional scrutiny has now emerged, with the U.S. House Committee on Homeland Security and the Senate Committee on Health, Education, Labor, and Pensions requesting briefings on Instructure’s response, potential ransom payment, and the company’s handling of a prior 2025 Salesforce breach linked to ShinyHunters. The incident has raised broader questions about the company’s incident response capabilities and obligations to the education sector.

Active exploitation of PAN-OS RCE zero-day CVE-2026-0300 via User-ID Authentication Portal

Updated: 14.05.2026 19:07 · First: 07.05.2026 13:57 · 📰 3 src / 3 articles

State-sponsored threat actors tracked as CL-STA-1132 exploited the critical PAN-OS firewall zero-day CVE-2026-0300 since at least April 9, 2026, achieving initial unauthenticated remote code execution by April 16–17, 2026. The vulnerability, a buffer overflow in the User-ID Authentication Portal service, enabled root-level arbitrary code execution on exposed PA-Series and VM-Series firewalls. Attackers injected shellcode into nginx worker processes and immediately began erasing forensic artifacts, including crash kernel messages and nginx records, to evade detection. Post-compromise activity included Active Directory enumeration and deployment of EarthWorm and ReverseSocks5 tunneling tools on April 29, 2026, targeting additional network devices. The adversary’s use of open-source tools and disciplined, intermittent operational sessions over weeks minimized signature-based detection while maintaining stealth. Over 5,400 PAN-OS VM-Series firewalls remain exposed on the internet, predominantly in Asia and North America. CISA added CVE-2026-0300 to its Known Exploited Vulnerabilities Catalog on May 7, 2026, mandating federal remediation by May 9, 2026. Palo Alto Networks released initial patches for CVE-2026-0300 on May 14, 2026.

UNC6384 Targets Diplomats with PlugX via Captive Portal Hijacks

Updated: 14.05.2026 18:00 · First: 25.08.2025 21:11 · 📰 5 src / 8 articles

UNC6384, a China-nexus threat actor assessed to share tactical overlaps with Mustang Panda, continues targeted espionage campaigns leveraging advanced social engineering and indirect execution techniques. Recent reporting confirms Mustang Panda’s use of the FDMTP backdoor (version 3.2.5.1) in a months-long campaign against networks in the Asia-Pacific and Japan, involving CDN impersonation, DLL sideloading, and in-memory .NET execution. The group employs modular plugins for persistence, scheduled tasks, and remote file retrieval, with communication over a custom TCP protocol using DMTP. The campaign targeting U.S. government and policy entities via Venezuela-themed spear phishing to deliver the LOTUSLITE backdoor remains under investigation, with moderate-confidence attribution to Mustang Panda. Earlier phases described UNC6384’s captive portal hijacks to deploy PlugX variants (SOGU.SEC) and linked tooling overlaps with Mustang Panda’s Bookworm malware, highlighting the sophistication of PRC-nexus operators in evading detection.

Shift to DPU-based security architecture gains traction after VMware hypervisor escape flaws underscore host agent limitations

Updated: · First: 14.05.2026 17:00 · 📰 1 src / 1 articles

Industry discussions highlight a fundamental rethinking of data center security architectures following recurring VMware ESXi zero-day vulnerabilities and ESXiArgs ransomware campaign, which demonstrated that host-based security agents fail to detect or mitigate hypervisor-level compromises. Security teams increasingly explore Data Processing Unit (DPU)-based security models to offload security workloads from host CPUs, eliminating performance trade-offs while providing tamper-proof, line-rate inspection and policy enforcement. The architecture isolates security functions on dedicated silicon, enabling comprehensive east-west and north-south traffic visibility without host OS dependency, a critical gap exposed by lateral movement attacks and transient workloads in modern AI and containerized environments.

Android Intrusion Logging feature introduced to enhance forensic analysis of advanced spyware attacks

Updated: 14.05.2026 16:30 · First: 13.05.2026 09:55 · 📰 2 src / 2 articles

Google launched Android Intrusion Logging on May 12, 2026 as part of Advanced Protection Mode to provide persistent, encrypted forensic logging for investigating advanced spyware compromises on Android devices. Developed with civil society organizations including Amnesty International and Reporters Without Borders, the feature captures daily device and network activities such as app processes, security events, spyware installations, and DNS connections, storing encrypted logs for 12 months on Google servers. Users must explicitly share logs for forensic analysis, and the feature is opt-in for Pixel devices running Android 16 and newer with Advanced Protection Mode enabled. The feature was developed to address gaps in spyware forensic analysis where previous methods relied on incidental, partial, and short-lived logs. Additional updates to Advanced Protection Mode include USB protection, restricted accessibility services, disabled device-to-device unlocking, Chrome WebGPU removal, chat scam detection, and enterprise device support, enhancing protections for high-risk users against scams, fraud, and targeted attacks.

Fragnesia Linux Kernel LPE via XFRM ESP-in-TCP Page Cache Corruption

Updated: 14.05.2026 16:00 · First: 14.05.2026 10:06 · 📰 2 src / 2 articles

Fragnesia (CVE-2026-46300, CVSS 7.8) is a Linux kernel local privilege escalation vulnerability in the XFRM ESP-in-TCP subsystem that enables unprivileged local attackers to corrupt kernel page cache and gain root access. The flaw was discovered by William Bowling of Zellic and the V12 team, with a proof-of-concept exploit published on May 13, 2026. It operates by feeding file contents into a TCP socket, enabling ESP-in-TCP encryption to overwrite page cache memory (including /usr/bin/su) with AES-GCM keystreams, leaving no forensic trace on disk. The vulnerability emerged as an unintended side effect of a patch addressing the Dirty Frag vulnerabilities and affects all Linux kernels prior to disclosure. A candidate upstream fix was submitted to the netdev mailing list on May 13 but remains unmerged, while multiple distributions have issued backported patches. Mitigation strategies include disabling esp4, esp6, and rxrpc modules (which also cover Dirty Frag), restricting unprivileged user namespaces, and monitoring for suspicious XFRM or namespace activity. No in-the-wild exploitation has been observed, but the public PoC and historical context heighten urgency for patching.

AI-driven cybersecurity investment surge widens startup capital gap, fueling consolidation wave

Updated: · First: 14.05.2026 16:00 · 📰 1 src / 1 articles

Cybersecurity investment activity in 2026 has surged due to AI adoption, with $3.8 billion in venture financing outpacing $2.6 billion in merger and acquisition (M&A) deal value during Q1 2026. The influx of capital is disproportionately directed toward AI-native security startups, creating a widening ‘valley of death’ for non-AI companies struggling to secure follow-on funding. AI-driven security offerings are expanding enterprise attack surfaces while simultaneously disrupting traditional sectors such as vulnerability management. Analysts anticipate a consolidation wave in 2026-2027, with predictions of multibillion-dollar acquisitions by hyperscalers and AI frontier model providers targeting strategic cybersecurity capabilities.

Foxconn North American operations disrupted by Nitrogen ransomware attack

Updated: 14.05.2026 15:00 · First: 13.05.2026 15:49 · 📰 2 src / 2 articles

Foxconn confirmed a cyberattack impacting North American factories, disrupting operations and prompting recovery efforts. The Nitrogen ransomware gang has claimed responsibility, alleging theft of 8 TB of data and over 11 million documents, including confidential customer projects and intellectual property. Affected facilities are resuming normal production as incident response continues. The attack underscores the escalating targeting of manufacturing supply chains, where threat actors exploit operational sensitivity and high-value data. Foxconn, a key supplier to major technology firms, faces potential downstream impact as stolen data may include sensitive documentation tied to clients like Apple, Intel, Google, Nvidia, and others. Industry data shows manufacturing as the most heavily targeted sector for ransomware in 2026, with nearly 70% more victims than any other industry, reflecting attackers' focus on organizations where downtime directly halts revenue and production.

Authentication Bypass in PraisonAI Legacy API Server Exploited Within Hours

Updated: · First: 14.05.2026 14:40 · 📰 1 src / 1 articles

Within four hours of public disclosure, threat actors exploited CVE-2026-44338, an authentication bypass vulnerability in PraisonAI’s legacy Flask API server, to access sensitive endpoints without credentials. The flaw, affecting versions 2.5.6 through 4.6.33, stems from hard-coded authentication disablement (AUTH_ENABLED = False) and allows unauthenticated enumeration of configured agents and execution of agents.yaml workflows via /agents and /chat endpoints. Impact varies depending on the workflow’s permissions but includes quota exhaustion and exposure of PraisonAI.run() results. A patched version (4.6.34) is available. Exploitation activity was observed originating from IP 146.190.133[.]49 and using the User-Agent CVE-Detector/1.0.

AI hallucination risks driving incorrect security decisions in critical infrastructure

Updated: · First: 14.05.2026 14:30 · 📰 1 src / 1 articles

AI hallucinations—confidently presented yet factually incorrect outputs—are introducing significant security risks in critical infrastructure and cybersecurity operations by exploiting human trust in authoritative-sounding responses. A 2025 evaluation of 40 AI models using the AA-Omniscience benchmark revealed that 36 models were more likely to provide confidently incorrect answers than correct ones on difficult questions, emphasizing the systemic nature of this issue. These hallucinations manifest in cybersecurity through missed threats, fabricated threats, and incorrect remediation actions, all of which can lead to operational disruptions, financial loss, or cascading security incidents. The primary vulnerability stems from a lack of inherent verification mechanisms in base language models, which prioritize coherence over factual accuracy, particularly when integrated into automated or high-stakes decision-making workflows.

Dell SupportAssist Remediation service update triggers critical Windows BSOD crashes

Updated: · First: 14.05.2026 13:03 · 📰 1 src / 1 articles

Dell confirmed that a recent update to its SupportAssist Remediation service (version 5.5.16.0) is causing Windows blue-screen-of-death (BSOD) crashes across Dell and Alienware systems. The crashes stem from a critical process error (0xEF_DellSupportAss_BUGCHECK_CRITICAL_PROCESS) introduced in the update, prompting users to uninstall or disable the service as a temporary workaround. The issue has affected systems since late May 2026, with Dell engineering actively investigating a permanent fix.

BitLocker bypass via WinRE and privilege escalation flaws disclosed in Windows

Updated: 14.05.2026 12:25 · First: 13.05.2026 19:37 · 📰 2 src / 2 articles

A security researcher publicly disclosed two unpatched Windows vulnerabilities, YellowKey and GreenPlasma, including proof-of-concept (PoC) exploits, enabling BitLocker bypass and local privilege escalation (LPE) respectively. The researcher, known as Chaotic Eclipse or Nightmare Eclipse, criticized Microsoft's handling of prior disclosures, leading to these new disclosures ahead of the next Patch Tuesday. YellowKey exploits the Windows Recovery Environment (WinRE) to bypass BitLocker encryption on Windows 11, Windows Server 2022, and Windows Server 2025 systems, allowing unrestricted access to encrypted volumes without requiring user credentials. The attack leverages specially crafted 'FsTx' files placed on a USB drive or the EFI partition, triggering a shell upon recovery mode entry. The researcher emphasized that even TPM+PIN configurations do not mitigate YellowKey. GreenPlasma is an LPE flaw enabling SYSTEM-level access through arbitrary section creation in writable SYSTEM directories, with a partial PoC released. Microsoft has not yet patched either vulnerability and has not assigned a CVE identifier to GreenPlasma.