The C0XMO botnet is spreading through DD-WRT router firmware and other internet-facing devices, increasing the pool of systems available for DDoS attacks. It exploits CVE-2021-27137 for unauthenticated code execution, then brute-forces SSH and Telnet credentials to expand. The malware can persist with cron jobs and shell startup changes, detect CPU architecture, deploy a matching binary, and remove rival botnet clients. Its support for 19 DDoS methods makes each infected device useful for both propagation and attack traffic.

DD-WRT router firmware is affected by CVE-2021-27137, a buffer overflow now being used by C0XMO to deliver malware and enable unauthenticated remote code execution. The flaw expands risk for internet-facing routers because exploitation does not require credentials. Successful abuse can turn exposed devices into botnet nodes and give attackers arbitrary code execution on the device.

Since 2022, Silent Ransom Group has operated as a standalone data-theft extortion actor after the Conti syndicate shut down, changing how it monetizes access and pressure. The shift away from traditional ransomware encryption gives the group a more focused extortion model built around stolen data and leak threats. That operating-model change shapes its current extortion business across high-value victim sectors.

Emphere raised $2.1 million in pre-seed funding from AI2 Incubator and Outsiders Fund, giving the Seattle startup capital to expand its AI-driven vulnerability remediation platform. The company plans to use the money to accelerate platform development and grow its customer base. The funding supports a product aimed at helping software teams identify what is exploitable, apply fixes automatically, and ship safer releases at scale.

Everest Forms Pro has an actively exploited critical remote code execution flaw, CVE-2026-3300, that lets unauthenticated attackers run PHP and take over WordPress sites. The bug affects versions through 1.9.12, and WPEverest fixed it in 1.9.13 on March 18, 2026. Wordfence says abuse began on April 13, 2026, and its firewall has blocked more than 29,300 exploit attempts so far.

The Everest Forms developer released a patch for CVE-2026-3300 in Everest Forms Pro on March 18, closing an unauthenticated arbitrary code execution flaw affecting versions 1.9.12 and earlier. The update matters because the vulnerable plugin could let attackers gain complete control of WordPress sites before administrators apply the fix.

Active exploitation of CVE-2026-3300 in Everest Forms Pro is driving complete site compromise risk for WordPress sites. Attackers have been using the flaw for arbitrary code execution since April 13, 2026. More than 29,300 exploit attempts have already been blocked, showing sustained exploitation at scale.

OpenAI ChatGPT is rolling out Lockdown Mode for eligible personal accounts, reducing the risk of prompt-injection-driven data exfiltration. The update adds stricter limits on web- and network-connected features while also introducing active session review and logout controls for suspicious account activity.

Researchers reverse-engineered Bright Data's iOS SDK and found it can turn consumer devices into exit nodes for web-scraping traffic. The teardown showed the job channel has no real authentication and that iOS traffic bypasses a configured VPN, increasing exposure on home and managed devices. The SDK's behavior also reduces visibility for normal app-monitoring tools.

SolarWinds Serv-U mitigation guidance now covers CVE-2026-28318, reducing unauthenticated DoS risk from specially crafted POST requests. SolarWinds says the flaw is addressed in version 15.5.4 HF1 and recommends limiting access to known addresses. Operators should also block requests containing "content-encoding" because the service does not require that functionality.

CISA added CVE-2026-28318 affecting SolarWinds Serv-U to the Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation. The high-severity flaw is a denial-of-service (DoS) issue in SolarWinds Serv-U multi-protocol file server software that can be triggered by specially crafted POST requests using `Content-Encoding: deflate` to crash the service without authentication. SolarWinds says the bug is fixed in Serv-U 15.5.4 HF1, and administrators are advised to limit access to known addresses and block requests containing "content-encoding" until patching is complete. FCEB agencies must remediate by June 19, 2026 under BOD 22-01.

FFmpeg now has 21 confirmed zero-days, creating risk for any product that bundles the media library and processes untrusted video input. The findings include heap and stack overflows in parsers and demuxers, and each bug has a reproducible proof-of-concept. Several flaws were latent for 15 to 20 years, including one stack overflow dating to 2003. Some issues already map to CVE-2026-39210 through CVE-2026-39218, while the rest are fixed but not yet numbered.

Google shipped Chrome 149 with patches for 429 security bugs, including CVE-2026-10881 in ANGLE, creating a broad browser update for users on Linux, Windows, and macOS. The release is the largest Chrome security bundle on record and includes a CVSS 9.6 flaw that can let a crafted page escape the sandbox and run code on the host. Users need to update to 149.0.7827.53 on Linux or 149.0.7827.53/54 on Windows and macOS, or confirm auto-update has run.

The Miasma self-replicating supply-chain campaign has hit 73 Microsoft repositories across four GitHub organizations, forcing GitHub to disable access and raising the risk of further secret theft and repository compromise. The latest wave also re-compromised the durabletask package and spread through additional repositories, showing that the operation is still actively mutating. Its use of direct commits and a 4.3 MB payload runner means developers can trigger infection simply by cloning affected code and opening it in supported tooling.

CVE-2026-20245 in Cisco Catalyst SD-WAN Manager is an actively exploited high-severity vulnerability that can let an authenticated local attacker with netadmin privileges upload a crafted file and execute arbitrary commands as root. Cisco says the issue affects On-Prem Deployment, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP), and that exploitation has already caused configuration changes pushed to edge devices in limited cases. Cisco also said no patches or mitigations are currently available and advised checking /var/log/scripts.log for IoCs.

CVE-2026-45247 is a critical deserialization of untrusted data flaw in Mirasvit Cache Warmer that enables unauthenticated remote code execution on affected Magento servers. The vulnerability affects versions prior to 1.11.12 and is being actively exploited in the wild. Fixes were released on May 25, 2026.

SolarWinds released Serv-U 15.5.4 Hotfix 1 for CVE-2026-28318, an actively exploited denial-of-service flaw that can crash exposed Serv-U servers. The update fixes an uncontrolled resource consumption weakness and covers the Windows and Linux file transfer product used for MFT and FTP services. Administrators that cannot patch immediately were told to restrict access and block POST requests containing content-encoding.

The Brickstorm malware set enabled UNC5221 / VerdantBamboo to keep long-term access inside victim infrastructure, including Microsoft 365, raising the risk of stealthy follow-on intrusion. The operation blended stolen credentials with SSL VPN access and proxying to avoid controls that would normally block entry. The malware also extended into internal appliances and supporting infrastructure, including a Synology NAS device and an affected managed services provider (MSP). Persistent access lasting at least 18 months made the compromise harder to detect and easier to re-use.

UNC5221's BRICKSTORM espionage campaign targets U.S. legal services, SaaS providers, BPOs, and technology companies by planting a stealth backdoor on edge appliances and then moving into virtualization and identity layers. The activity has been observed since March 2025, with an average dwell time of 393 days, theft of source code and other intellectual property, and prior exploitation of Ivanti Connect Secure flaws CVE-2023-46805 and CVE-2024-21887. Google released a BRICKSTORM shell script scanner, but the full victim count and the complete downstream impact remain unknown.

A Miasma supply-chain campaign has expanded across GitHub and npm, now linked to 57 npm packages and more than 286 malicious versions. The latest wave uses a 157-byte binding.gyp file to trigger code execution during npm install, then stages payloads that steal developer secrets, target AI-assisted IDE workflows, and inject persistent backdoor files into project repositories. Earlier activity in the same campaign affected @redhat-cloud-services packages and spread through compromised GitHub access and poisoned releases. The campaign remains focused on developer projects, CI/CD environments, and downstream package propagation.

U.S. District Judge John F. Kness sentenced Darren Hughes in a Nemesis Market drug-trafficking case, extending federal punishment for sales conducted through a dark web marketplace. The sentence adds major legal exposure to the defendant after his November 2025 conviction and follows sales involving methamphetamine and fentanyl pills.

The Asin Android spyware activity is being distributed through fake utility, PDF, and war-map apps, putting Arabic-speaking users at risk of covert surveillance on Android devices. ESET found the malware spreading across multiple waves starting in early 2025, with some lures marketed through Facebook and Telegram accounts. Artifacts seen through mid-January 2026 suggest the distribution remains active and may be aimed at Arabic-speaking journalists and OSINT practitioners.

Over 900 internet-exposed ATG systems across the United States are being targeted in ongoing attacks, creating risk of alert tampering, fuel or chemical leaks, and equipment failure. The affected devices support monitoring across critical infrastructure sectors, including gas stations and industrial storage sites. Attackers are abusing hardcoded credentials, authentication bypasses, SQL injection, OS command execution, and privilege escalation flaws to modify system settings. Defenders are being told to restrict Internet access, replace default passwords, apply updates, and enforce VPNs or ACLs where possible.

On 2026-06-05, CISA, the FBI, the NSA, the Department of Energy, and other U.S. partners issued a joint advisory telling critical infrastructure organizations to secure internet-exposed ATG systems because ongoing attacks could lead to tampered alerts, leaks, and equipment failure.

Security teams are being pushed to treat browser sessions as the primary detection surface for phishing, credential theft, and ClickFix. Browser-native attacks can move past network, DNS, and endpoint controls without being stopped. Visibility inside the browser is presented as the only reliable way to catch malicious rendering and user interaction before the attack continues onto the host. The operational takeaway is to close the browser-layer blind spot rather than rely on downstream telemetry alone.

Enterprise users are showing a sharp rise in shadow AI, credential abuse, and browser-native attack exposure, increasing risk at the browser layer. The trend matters because employees are moving sensitive work into personal AI accounts while attackers continue to target browser sessions and evade traditional controls. Browser telemetry and breach data together point to a widening visibility gap across 2025-2026.

OP-512 is an active espionage campaign targeting Microsoft IIS servers with a bespoke web shell framework, increasing the risk of stealthy remote access on exposed legacy systems. The activity was assessed as China-linked and appears tuned to organizations whose sector and geography fit those intelligence priorities. The campaign stands out for using custom tooling, timestomping, and DNS/HTTP self-reporting to reduce detection and preserve access.

AI adoption in SOCs is rising fast, but the 2026 benchmark shows most teams are still getting limited value from deployments. The SOC-CMM 2026 Maturity Report drew on survey data from roughly 200 SOCs collected between late January and mid-March 2026, and only about 10% said AI delivered excellent value while 71% said it delivered some value or none. The gap suggests the current wave of SOC AI is expanding faster than operational maturity and workflow integration.

OWASP rolled out the Enterprise Adoption Maturity Model, a new agentic AI security framework that helps organizations align governance with deployed agents. Introduced through the GenAI Security Project and presented at Infosecurity Europe 2026, the framework gives teams a practical way to judge whether their controls match the autonomy of shadow AI, custom agents, and multi-agent systems. It matters because mismatches can leave organizations deploying agentic systems without the monitoring, containment, and identity controls they need. The model pushes teams toward either adding agent-specific controls or reducing permissions and autonomy until existing governance can keep pace.

The GorgonAgora campaign is using 5,714 fake .shop storefronts to steal payment data, widening card-theft risk across brand-impersonation checkout pages. The operation has been active since August 2025 and routes stolen card data to a single skimmer server in Moldova. It impersonates major brands including Starbucks, Ford, Sony, Mattel, Hasbro, Lego, Disney, and Toyota.