Find notable cyber news and cases, enriched with sources, timelines, and signals.

Recent notable Happenings and Cases

Last updated: 16:22 29/05/2026 UTC
  • Case · Case score 59 · Unpatched Gogs Rebase Injection Remote Code Execution Risk: Rapid7’s disclosure of an unpatched Gogs Rebase-before-merging argument-injection zero-day advances the case from report to realistic compromise risk, because authenticated users can trigger remote code execution on exposed self-hosted instances.
  • Case · Case score 56 · FortiClient EMS CVE-2026-35616 exploitation and stealer delivery: Observed CVE-2026-35616 exploitation in FortiClient EMS now includes delivery of the EKZ credential stealer, moving the case toward confirmed endpoint/session theft impact rather than just a vulnerability disclosure.
  • Malware Activity · H score 49 · EKZ Infostealer delivered through FortiClient EMS abuse: New EKZ Infostealer activity tied to FortiClient EMS abuse shows the attack chain is operational and targeting browser credential stores plus HTTP exfiltration, strengthening the case’s remediation urgency.
  • Incident · H score 40 · Marimo notebook and downstream SSH bastion hit by data theft breach: Sysdig’s account of LLM-assisted exploitation of a publicly reachable Marimo notebook to steal an SSH key and exfiltrate a PostgreSQL database shows fast post-compromise escalation, raising the real-world threat severity of similar exposures.
  • Law Enforcement · H score 40 · Dutch police and NCSC seize botnet infrastructure: Dutch police and the NCSC seized infrastructure for a 17-million-device botnet, materially advancing disruption of cyberattack services by taking offline the operators’ hosting and control capacity.
Last updated: 20:47 28/05/2026 UTC

Latest updates


Marimo notebook and downstream SSH bastion hit by data theft breach

Incident

Updated: 29.05.2026 17:39 · First: 29.05.2026 17:39 · 📰 1 src / 1 articles · H score: 40

A Marimo notebook compromise led to credential theft, SSH access, and exfiltration of an internal PostgreSQL database, expanding a single initial intrusion into deeper post-compromise access. The intrusion used CVE-2026-39987 to reach a downstream SSH bastion server through harvested cloud credentials and AWS Secrets Manager. The attack chain was recorded on May 10, 2026 and included eight SSH sessions plus database theft completed in under two minutes at the bastion stage.

Marimo WebSocket RCE abused after CVE-2026-39987 disclosure

Case

Updated: 29.05.2026 17:39 · First: 10.04.2026 10:37 · 📰 0 src / 2 articles

CVE-2026-39987 in Marimo is being exploited through the /terminal/ws endpoint to give unauthenticated attackers a shell on exposed notebook servers. The first observed abuse arrived about 9 hours and 41 minutes after disclosure and moved into manual reconnaissance and secret-harvesting against internet-facing instances. Marimo released 0.23.0 to fix the flaw, and CISA added CVE-2026-39987 to the KEV catalog with a 2026-05-07 remediation deadline. Available evidence does not quantify how many deployments were reached, but the observed behavior shows rapid weaponization against exposed systems.

MokN raises $15 million Series A

Industry Action

Updated: 29.05.2026 17:34 · First: 29.05.2026 17:34 · 📰 1 src / 1 articles · H score: 10

French cybersecurity startup MokN raised $15 million in a Series A round led by Google Ventures, giving the company new capital to scale its identity-protection business. The financing will help expand the phish-back platform into the US and support new offices in the US and UK. MokN also plans to hire across sales, marketing, customer success, engineering, and R&D to widen its cybersecurity reach.

Underground DDoS sellers commoditize attack services with panels, API access, and reseller plans

Threat Actor Meta

Updated: 29.05.2026 17:32 · First: 29.05.2026 17:32 · 📰 1 src / 1 articles · H score: 18

Underground DDoS sellers are shifting from scattered tools to packaged, resellable services, lowering the barrier for disruptive attacks and widening the buyer pool. Listings seen across 2023 to 2026 increasingly advertise panels, API access, monthly plans, customer support, and botnet-backed capacity instead of scripts or leaked tools. The market is now priced and marketed like a mature service business, with low-cost tests, premium tiers, and reseller options that make attacks easier to launch and redistribute.

17-million-device botnet cyberattack infrastructure

Malware Activity

Updated: 29.05.2026 17:26 · First: 29.05.2026 17:26 · 📰 1 src / 1 articles · H score: 16

The 17-million-device botnet was disrupted after authorities took its infrastructure offline, cutting off a network used to carry out cyberattacks across computers, tablets, and smartphones. The seizure of more than 200 servers in the Netherlands materially reduced the operation’s reach and availability. The event removes a large-scale malicious platform that could proxy traffic and support other criminal abuse.

Dutch police and NCSC seize botnet infrastructure

Law Enforcement

Updated: 29.05.2026 17:26 · First: 29.05.2026 17:26 · 📰 1 src / 1 articles · H score: 40

Dutch police and the NCSC seized more than 200 servers and took offline a 17-million-device botnet, disrupting infrastructure used for cyberattacks. The action followed a joint investigation and targeted hosting at a local provider in the Netherlands. Authorities said the botnet controlled computers, tablets, and smartphones for criminal abuse.

Silent Ransom Group US law firm IT impersonation campaign

Campaign

Updated: 29.05.2026 16:00 · First: 29.05.2026 16:00 · 📰 1 src / 1 articles · H score: 33

The Silent Ransom Group (SRG) is escalating a campaign against US-based law firms, using IT impersonation, remote access tricks, and in-person access attempts to reach corporate systems. The operation has been active since 2023 and had evolved further by spring 2026, raising the risk of stealthy compromise and data theft across the legal sector.

Google Chrome DBSC rolls out session-cookie theft protection for all users

Security Tool/Service

Updated: 29.05.2026 15:08 · First: 29.05.2026 15:08 · 📰 1 src / 1 articles · H score: 10

Google's Chrome Device Bound Session Credentials (DBSC) is now generally available and rolling out to all users, reducing the risk of account takeovers from stolen session cookies. The feature binds cookies to a specific device so attackers cannot reuse exfiltrated cookies to bypass MFA. The rollout reaches Google Workspace customers, Workspace Individual subscribers, and people using personal Google accounts.

GREYVIBE's Kremlin-aligned role in the Russian cybercrime ecosystem

Threat Actor Meta

Updated: 29.05.2026 14:31 · First: 29.05.2026 14:31 · 📰 1 src / 1 articles · H score: 15

A newly characterized GREYVIBE actor sits in a grey zone between Kremlin-aligned intelligence work and the Russian cybercrime ecosystem, complicating attribution for Ukraine-focused operations. The assessment links the group to Russian-speaking operators and suggests the blend of state tasking and criminal talent is shaping how the actor is organized and deployed. That hybrid profile matters because it weakens traditional clustering based on stable tooling and relationships.

Rising fraud complaints and losses among Americans 60 and older in 2025

Trend

Updated: 29.05.2026 14:07 · First: 29.05.2026 14:07 · 📰 1 src / 1 articles · H score: 31

Americans 60 and older filed over 200,000 fraud complaints in 2025, with complaint volume rising 37% from the prior year. The cohort also recorded nearly $7.8 billion in losses, a 59% year-over-year increase, and the average loss per complainant reached $38,500. The pattern signals sustained elder-fraud pressure across the country and a growing financial burden on older consumers.

Troy Murray sentencing in wire fraud data-selling case

Law Enforcement

Updated: 29.05.2026 14:07 · First: 29.05.2026 14:07 · 📰 1 src / 1 articles · H score: 19

Federal prosecutors sentenced Troy Murray to 121 months in prison in a wire fraud case tied to the sale of elderly Americans' personal information to scammers. The judgment also imposed three years of supervised release and a $5.2 million forfeiture.

Global public exposure of vibe-coded applications across organizations

Trend

Updated: 29.05.2026 13:30 · First: 29.05.2026 13:30 · 📰 1 src / 1 articles · H score: 16

Vibe-coded applications are leaking onto the public internet across organizations, creating a growing exposure trend for corporate, operational, and personal data. A May 2026 investigation found more than 380,000 publicly accessible web assets on leading AI development platforms, including more than 2,000 with sensitive data. The exposed apps were seen across six continents and every industry, with many reachable without basic access controls and some granting admin access by default. The pattern shows a broad governance gap in how employee-built AI apps are deployed and published.

Vpmdhaj npm preinstall credential-harvest campaign

Campaign

Updated: 29.05.2026 12:11 · First: 29.05.2026 12:11 · 📰 1 src / 1 articles · H score: 40

A new vpmdhaj supply-chain campaign has surfaced in 14 malicious npm packages that use a preinstall credential harvester to steal AWS credentials, HashiCorp Vault tokens, npm tokens, and CI/CD secrets from developer hosts. The packages were published on May 28, 2026 and were built to look like legitimate developer tooling. That turns ordinary installs into a high-risk entry point for downstream compromise and secret theft.

FamousSparrow Middle East maritime and energy targeting campaign

Campaign

Updated: 29.05.2026 12:00 · First: 29.05.2026 12:00 · 📰 1 src / 1 articles · H score: 33

China-aligned FamousSparrow escalated a maritime and energy espionage campaign across the Middle East, putting regional shipping and infrastructure intelligence at greater risk. The operation also reached a Venezuelan governmental entity tied to maritime affairs, showing the targeting extended beyond one country. The multi-month pattern during October 2025 to March 2026 points to a sustained effort to track oil shipments and regional political developments.

Charter Communications Salesforce data leak exposes 4.9 million accounts

Data Leak

Updated: 29.05.2026 11:29 · First: 29.05.2026 11:29 · 📰 1 src / 1 articles · H score: 27

The public leak of Charter Communications data exposed 4.9 million accounts, putting names, email addresses, phone numbers, and physical addresses into circulation. The stolen records came from a Salesforce instance and were later posted on a dark web leak site after ransom demands were rejected. A smaller employee-directory subset also added job titles to the exposed set.

Charter Communications hit by network compromise linked to ShinyHunters

Incident

Updated: 26.05.2026 22:46 · First: 26.05.2026 22:46 · 📰 1 src / 2 articles · H score: 25

Charter Communications confirmed a data breach tied to ShinyHunters extortion, with the company saying it is alerting authorities and that no sensitive personal information or CPNI was exfiltrated in recent activity. ShinyHunters claims the compromise began on April 1 through vishing that hit an employee's Microsoft Entra account and led to exports from Salesforce. Have I Been Pwned later analyzed leaked data and said the incident affected 4.9 million accounts, with exposed records including names, email addresses, phone numbers, and physical addresses.

Mouse5212-super-formatter postinstall GitHub exfiltration package

Malware Activity

Updated: 27.05.2026 18:44 · First: 27.05.2026 18:44 · 📰 2 src / 2 articles · H score: 22

The mouse5212-super-formatter npm package is a malicious infostealer that can siphon files from /mnt/user-data, putting Anthropic Claude user data at risk of unauthorized exfiltration. It runs in the postinstall stage, uses a GitHub token or fallback credential, and uploads local files to a threat actor-controlled GitHub account. The package also disguises theft with fake diagnostics and was still downloadable from npm at the time of discovery.

Malware-Slop malicious npm file-theft campaign

Campaign

Updated: 27.05.2026 18:44 · First: 27.05.2026 18:44 · 📰 2 src / 2 articles · H score: 39

Malware-Slop is distributing mouse5212-super-formatter, a malicious npm package that steals local files from Anthropic's Claude workspace directory /mnt/user-data. The package runs in the postinstall stage, authenticates to GitHub, and uploads files to a threat actor-controlled GitHub account while writing a fake diagnostic log to mask the theft. OX Security reported that the package was still live on npm at the time of analysis and had about 676 downloads before removal. The linked GitHub account was created on 2026-05-26, shortly before the first malicious upload, and the package exposed a hardcoded fallback token that let researchers observe the exfiltration flow.

Kimsuky March-April 2026 campaign against South Korean military and corporate entities

Campaign

Updated: 29.05.2026 08:57 · First: 29.05.2026 08:57 · 📰 1 src / 1 articles · H score: 38

The Kimsuky campaign ran through March and April 2026, using spoofed security-installation pages and a fake Webex lure against South Korean military and corporate entities, raising the risk of remote compromise and staged payload delivery.

GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations

Campaign

Updated: 29.05.2026 01:24 · First: 29.05.2026 01:24 · 📰 2 src / 2 articles · H score: 39

GreyVibe is running an AI-assisted cyberespionage campaign against Ukrainian and Ukraine-related organizations, expanding the threat to military, government, civilian, and business targets. The operation has been active since at least August 2025 and uses multiple lure-and-delivery chains to push phishing, malware, and credential-theft workflows. Researchers linked the activity to a likely Russian-aligned operator set, though the group’s exact state affiliation remains unconfirmed.

GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy

Malware Activity

Updated: 29.05.2026 01:24 · First: 29.05.2026 01:24 · 📰 2 src / 2 articles · H score: 41

GREYVIBE is a Russian-speaking cluster whose malware activity has targeted Ukraine and Ukraine-related entities since at least August 2025. The group uses spear-phishing e-mails, fake CAPTCHA/ClickFix pages, and fraudulent websites to deliver custom tooling including PhantomMail, PhantomRelay, PhantomRelayV1, LegionRelay, FallSpy, and WireGuard. The activity spans Windows remote access, browser and file theft, and Android spyware, broadening the operation from delivery into sustained compromise and surveillance.

Grandoreiro and BTMOB banking trojan activity targeting Windows and Android

Malware Activity

Updated: 27.05.2026 19:10 · First: 27.05.2026 19:10 · 📰 2 src / 2 articles · H score: 36

BTMOB is an Android remote access trojan sold as malware-as-a-service on the clearweb and in private Telegram channels, with a builder that generates customized phishing payloads. The activity is concentrated in Brazil and Latin America, including campaigns that use localized lures and fake Google Play delivery. The malware can steal data, intercept financial transactions, capture screenshots, and abuse Android Accessibility Services for elevated access. ESET also ties the offering to $700 monthly pricing or a $5,000 lifetime license.

BTMOB Android RAT no-code builder malware activity

Malware Activity

Updated: 26.05.2026 17:00 · First: 26.05.2026 17:00 · 📰 2 src / 2 articles · H score: 28

BTMOB is an Android RAT sold as malware-as-a-service on the clearweb and in private Telegram channels, with a no-code APK builder that generates customized phishing payloads. The activity targets users mainly in Brazil and Latin America, uses phishing sites that mimic streaming services, cryptocurrency mining platforms, and Google Play, and has included lures themed as an Argentinian government agency. Once installed, the malware can exfiltrate data, capture screenshots, and abuse Android Accessibility Services for deeper access. ESET says the builder lets operators tailor permissions and behavior without coding, increasing the pace of payload generation and making defense harder.

BTMOB phishing campaign targeting Brazil and Latin America

Campaign

Updated: 29.05.2026 00:10 · First: 29.05.2026 00:10 · 📰 1 src / 1 articles · H score: 39

BTMOB phishing activity is using localized fake-app lures to target users in Brazil and Latin America, increasing the risk of malicious installs and account compromise. The operation has been seen impersonating an Argentinian government agency and other trusted themes to make the download path look legitimate. The recurring lure pattern shows an active regional campaign rather than a one-off phishing attempt.

BTMOB Android MaaS platform expands low-code phishing payload production

Threat Actor Meta

Updated: 29.05.2026 00:10 · First: 29.05.2026 00:10 · 📰 1 src / 1 articles · H score: 21

BTMOB has been exposed as a malware-as-a-service Android trojan with a builder interface, making it easier for cybercriminals to mass-produce tailored phishing payloads and expand mobile fraud operations. Its clearweb advertising and Telegram sales channels lower the barrier to entry for buyers seeking ready-made Android attack infrastructure. The service's customization features and regional focus increase the scale and flexibility of credential-theft and transaction-fraud activity.

FBI public service announcement on fake FIFA websites

Public Sector Action

Updated: 28.05.2026 22:08 · First: 28.05.2026 22:08 · 📰 1 src / 1 articles · H score: 21

The FBI warned on May 28, 2026 that fake FIFA websites are being used to steal data and sell fraudulent tickets and hospitality packages ahead of the 2026 World Cup. The PSA points to typosquatted domains such as fiffa[.]com and fake portals like jobs-fifa[.]com and fifa-hiring[.]com. The warning tells fans and online users to verify URLs and avoid suspicious links as the tournament approaches.

FortiClient EMS improper access control flaw (CVE-2026-35616)

Vulnerability

Updated: 05.04.2026 21:45 · First: 05.04.2026 21:45 · 📰 3 src / 4 articles · H score: 52

CVE-2026-35616 is an actively exploited improper access control flaw in FortiClient Enterprise Management Server (EMS) that lets unauthenticated attackers execute code or commands via specially crafted requests. In May 2026, Arctic Wolf observed attacks abusing EMS management paths to modify configuration and deliver EKZ, an undocumented credential stealer, through FortiClient-managed VPN scripting workflows. The payload was disguised as a Fortinet endpoint update, launched through fortitray.exe and cmd.exe, and used PowerShell to exfiltrate browser data to an attacker-controlled VPS over HTTP. Fortinet released emergency hotfixes for 7.4.5 and 7.4.6 and fixed the flaw in FortiClient EMS 7.4.7 and later releases.

Fortinet FortiClient EMS emergency patch release (CVE-2026-35616, CVE-2026-21643)

Security Patch Release

Updated: 07.04.2026 12:26 · First: 07.04.2026 12:26 · 📰 3 src / 3 articles · H score: 59

This entry tracks a Fortinet FortiClient EMS security-patch release centered on CVE-2026-35616 and CVE-2026-21643. Fortinet issued an out-of-band emergency hotfix after confirming that CVE-2026-35616 was exploited in the wild. The vendor said the flaw is a critical CVSS 9.1 improper access control issue that could let an unauthenticated attacker execute unauthorized code or commands through crafted requests. Fortinet also stated that customers running EMS 7.4.5 and 7.4.6 should install the fix immediately and that 7.4.7 would include the remediation as well. Follow-on reporting in May 2026 shows attackers abusing the same FortiClient Endpoint Management Server (EMS) management path to deliver malware to managed endpoints. Arctic Wolf observed a disguised FortiEndpoint_Patch.exe update, execution through fortitray.exe and cmd.exe, and a Base64-encoded PowerShell chain that downloaded a credential stealer and exfiltrated browser data to 83.138.53[.]110 over HTTP POST.

EKZ Infostealer delivered through FortiClient EMS abuse

Malware Activity

Updated: 28.05.2026 20:25 · First: 28.05.2026 20:25 · 📰 1 src / 1 articles · H score: 49

A new EKZ Infostealer delivery chain is using FortiClient EMS abuse to silently install a credential stealer and siphon browser data from affected endpoints. The malware is being launched through FortiClient-managed VPN scripting workflows after attackers modify EMS configuration and policies. It targets Chromium and Firefox data stores, including saved credentials, cookies, and payment details, which raises account-takeover risk. The payload is also exfiltrating stolen data to an attacker-controlled VPS over HTTP.

FortiClient EMS CVE-2026-35616 exploitation and stealer delivery

Case

Updated: 28.05.2026 20:25 · First: 05.04.2026 21:45 · 📰 0 src / 2 articles

FortiClient EMS exploitation around CVE-2026-35616 has moved from critical flaw disclosure into observed abuse of endpoint-management infrastructure to push a disguised credential stealer across managed devices. Attackers used the pre-authentication access bypass to gain privileged control over EMS settings and launch a PowerShell-based chain through trusted Fortinet processes, with stolen browser data sent to 83.138.53[.]110. Fortinet issued fixes for affected 7.4.5 and 7.4.6 deployments and directs customers to 7.4.7 or later, while the vulnerability is also listed in CISA KEV. Available exposure tracking found more than 2,000 internet-accessible EMS instances online, so patching needs to be paired with compromise review rather than treated as a routine update.