[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"tag:identity-access":3},{"tag":4,"articles":8,"awareness":455,"events":456,"tips":457,"focus_items":458,"total_count":459},{"slug":5,"name":6,"description":7},"identity-access","Identity & Access","IAM, MFA bypass, credential theft, authentication",[9,18,27,36,45,54,63,72,81,90,99,108,117,126,135,144,153,162,171,180,189,197,206,215,224,233,242,251,260,269,278,287,296,305,313,322,331,340,349,358,367,376,385,394,403,412,421,430,439,446],{"id":10,"title":11,"slug":12,"brief":13,"ai_summary":14,"url":15,"image_url":16,"published_at":17},"cd92bee5-6752-4fad-8cf8-bc25ee36a6fb","Deleted Google API Keys Remain Active up to 23 Minutes, Study Finds","deleted-google-api-keys-remain-active-up-to-23-minutes-study-finds-3f9c32","Deleted Google API keys remain active for up to 23 minutes due to eventual consistency delays.","Aikido Security's research reveals that deleted Google API keys continue to authenticate successfully for an average of 16 minutes, with delays reaching up to 23 minutes. The delay stems from eventual consistency in Google's distributed authentication infrastructure, allowing attackers with leaked keys to access GCP, Gemini, BigQuery, and Maps APIs during the propagation window. 
Google closed the security report as \"won't fix,\" treating the delay as a known system property rather than a vulnerability.","https:\u002F\u002Fhackread.com\u002Fdeleted-google-api-keys-active-23-minutes\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fdeleted-google-api-keys-active-23-minutes.png","2026-05-21T16:03:12+00:00",{"id":19,"title":20,"slug":21,"brief":22,"ai_summary":23,"url":24,"image_url":25,"published_at":26},"cc033463-8c43-4b80-a8ae-b966a54a41fa","Hackers bypass SonicWall VPN MFA due to incomplete patching","hackers-bypass-sonicwall-vpn-mfa-due-to-incomplete-patching-d03048","SonicWall Gen6 SSL-VPN devices remain vulnerable to MFA bypass despite patching without manual LDAP reconfiguration.","Threat actors exploited CVE-2024-12802 on SonicWall Gen6 SSL-VPN appliances to bypass multi-factor authentication and gain initial network access for ransomware deployment. ReliaQuest documented multiple intrusions between February and March 2026 where attackers successfully authenticated despite MFA being enabled, because organizations patched the firmware but failed to complete required manual LDAP remediation steps. 
The vulnerability does not affect Gen7\u002FGen8 devices, which are fully mitigated by firmware updates alone.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fhackers-bypass-sonicwall-vpn-mfa-due-to-incomplete-patching\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F20\u002FSonicWall.jpg","2026-05-20T21:19:17+00:00",{"id":28,"title":29,"slug":30,"brief":31,"ai_summary":32,"url":33,"image_url":34,"published_at":35},"16491d03-8e5c-41d1-b2f7-73ae28eb7ee5","Uruguay DNIC allegedly leaked: 5.8M citizen database records exposed","uruguay-dnic-allegedly-leaked-5-8m-citizen-database-records-exposed-33ced1","Uruguay DNIC citizen database with 5.8M records allegedly leaked on underground forum","A threat actor known as LaPampaLeaks claims to have released a database containing 5.8 million Uruguayan citizen records, including national ID numbers (DNIC\u002FCédula de identidad), names, and related identity information. The actor alleges the dataset was previously circulated in closed Telegram groups before being released publicly on an underground forum. 
The exposed data could facilitate identity theft, phishing, impersonation, and targeted social engineering attacks against Uruguayan residents.","https:\u002F\u002Fdarkwebinformer.com\u002Furuguay-dnic-allegedly-leaked-5-8m-citizen-database-records-exposed\u002F","https:\u002F\u002Fstorage.ghost.io\u002Fc\u002F6b\u002F16\u002F6b16ac9c-cd67-432f-b0f3-bbec941084ff\u002Fcontent\u002Fimages\u002F2026\u002F05\u002F1237985298375698273569872353.png","2026-05-20T15:55:52+00:00",{"id":37,"title":38,"slug":39,"brief":40,"ai_summary":41,"url":42,"image_url":43,"published_at":44},"8fc13a07-6fdf-4c6c-ba8c-d69e802cbce0","Lul...\n\nCISA Admin Leaked AWS GovCloud Keys on GitHub\n\nhttps:\u002F\u002Ft.co\u002FV8j07muRXS","lul-cisa-admin-leaked-aws-govcloud-keys-on-github-https-t-co-v8j07murxs-b16168","CISA administrator accidentally exposed AWS GovCloud credentials on GitHub.","A CISA administrator inadvertently leaked AWS GovCloud access keys to a public GitHub repository. The incident highlights credential management failures and the risk of hardcoded secrets in version control systems. AWS GovCloud provides secure cloud infrastructure for U.S. government agencies, making this exposure a significant security and compliance concern.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2056479796209631536",null,"2026-05-18T20:59:25+00:00",{"id":46,"title":47,"slug":48,"brief":49,"ai_summary":50,"url":51,"image_url":52,"published_at":53},"d9f90630-d752-4cd4-8e95-b9bb280959c6","Grafana says stolen GitHub token let hackers steal codebase","grafana-says-stolen-github-token-let-hackers-steal-codebase-0e1551","Grafana Labs' GitHub environment breached via stolen token; source code stolen by CoinbaseCartel extortion gang.","Grafana Labs disclosed a breach of its GitHub environment resulting from a stolen access token that allowed attackers to download the company's source code. 
CoinbaseCartel, an extortion gang, claimed responsibility and listed Grafana on its data leak site, but Grafana declined to pay the ransom following FBI guidance. The company found no evidence of customer data exposure or impact to customer systems.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fgrafana-says-stolen-github-token-let-hackers-steal-codebase\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F18\u002FGrafana.jpg","2026-05-18T13:46:26+00:00",{"id":55,"title":56,"slug":57,"brief":58,"ai_summary":59,"url":60,"image_url":61,"published_at":62},"7c6d9952-6d10-4b71-95cf-90914a10affd","Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing","tycoon2fa-hijacks-microsoft-365-accounts-via-device-code-phishing-446b21","Tycoon2FA phishing kit adds device-code attacks to hijack Microsoft 365 accounts via Trustifi URLs.","The Tycoon2FA phishing-as-a-service platform, recently disrupted by law enforcement in March 2026, has rebuilt operations and now supports device-code phishing attacks against Microsoft 365 accounts. The kit abuses legitimate Trustifi click-tracking URLs to redirect victims through multiple obfuscation layers, ultimately tricking them into authorizing attacker-controlled devices via OAuth 2.0 device authorization flows. 
Device-code phishing attacks have surged 37x this year across at least ten PhaaS platforms, with Tycoon2FA adding advanced anti-analysis protections including 230+ vendor blocklists and debugger timing traps.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Ftycoon2fa-hijacks-microsoft-365-accounts-via-device-code-phishing\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F15\u002FMS365.jpg","2026-05-17T14:43:10+00:00",{"id":64,"title":65,"slug":66,"brief":67,"ai_summary":68,"url":69,"image_url":70,"published_at":71},"54e41224-3d2a-4217-8920-4f716d8070f9","Scammers Send Physical Phishing Letters to Steal Ledger Wallet Seed Phrases","scammers-send-physical-phishing-letters-to-steal-ledger-wallet-seed-phrases-3eefce","Scammers mail fake Ledger phishing letters with QR codes to steal crypto wallet seed phrases from Italian users.","Scammers are conducting a targeted physical phishing campaign against Ledger hardware wallet users in Italy, sending official-looking letters that impersonate Ledger and include QR codes directing victims to phishing sites where they're tricked into revealing their 24-word recovery seed phrases. The campaign leverages localized Italian language letters and references to fake \"Quantum Resistance\" security updates to create urgency. 
Ledger has publicly warned users that the company never requests seed phrases and suspects the attacker mailing list originated from a January 2026 breach of Global-e, Ledger's e-commerce processing partner.","https:\u002F\u002Fhackread.com\u002Fscammers-physical-phishing-letters-ledger-wallet-seed\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fscammers-physical-phishing-letters-ledger-wallet-seed.jpeg","2026-05-17T11:55:35+00:00",{"id":73,"title":74,"slug":75,"brief":76,"ai_summary":77,"url":78,"image_url":79,"published_at":80},"d8face62-48ba-4006-a374-d7f2bd3ff423","Critical ‘Claw Chain’ Vulnerabilities Put Thousands of OpenClaw AI Servers at Risk","critical-claw-chain-vulnerabilities-put-thousands-of-openclaw-ai-servers-at-risk-078736","Four critical vulnerabilities in OpenClaw AI servers enable data theft, backdoors, and admin-level compromise.","Security researchers at Cyera discovered four chained vulnerabilities in OpenClaw, a popular autonomous AI agent platform, affecting thousands of internet-exposed servers. The Claw Chain vulnerabilities (CVE-2026-44112, CVE-2026-44113, CVE-2026-44115, CVE-2026-44118) allow attackers to evade sandbox protections, establish persistent backdoors, steal credentials and API keys, and escalate to admin access. 
OpenClaw released patches on April 23, 2026, but organizations must update immediately and rotate all credentials, as breaches may have already occurred.","https:\u002F\u002Fhackread.com\u002Fclaw-chain-vulnerabilities-openclaw-ai-servers-risk\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fclaw-chain-vulnerabilities-leave-thousands-of-openclaw-ai-agents-exposed-to-attacks.png","2026-05-16T09:16:10+00:00",{"id":82,"title":83,"slug":84,"brief":85,"ai_summary":86,"url":87,"image_url":88,"published_at":89},"4970c85c-1ffa-42c7-b3d3-e70389ac262e","The Next Cybersecurity Challenge May Be Verifying AI Agents","the-next-cybersecurity-challenge-may-be-verifying-ai-agents-e1b78a","Industry develops verification standards for autonomous AI agents operating in enterprise systems.","As AI agents increasingly execute critical business functions—from reading emails to transferring funds—organizations lack reliable mechanisms to verify agent identity, authorization, and instruction integrity. 
The article discusses why agent verification is structurally different from traditional authentication, explores the emerging gap in trust frameworks, and highlights early industry responses like Anthropic's Cyber Verification Program and the Agent Trust Protocol (ATP), a proposed cryptographic standard for cross-organizational agent verification.","https:\u002F\u002Fhackread.com\u002Fnext-cybersecurity-challenge-verifying-ai-agents\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fnext-cybersecurity-challenge-verifying-ai-agents-1024x576.jpg","2026-05-15T20:55:22+00:00",{"id":91,"title":92,"slug":93,"brief":94,"ai_summary":95,"url":96,"image_url":97,"published_at":98},"f5113217-1426-4350-b4d9-00f000ad71dd","Ícaro Cloud Allegedly Breached: Firewall Configs, VPN Keys, TLS Certificates, and Internal Network Data Exposed Across 20 Spanish Corporate Networks","icaro-cloud-allegedly-breached-firewall-configs-vpn-keys-tls-certificates-and-in-c46ff6","Ícaro Cloud MSP breached; firewall configs, VPN keys, TLS certs exposed across 20 Spanish networks.","A threat actor claims to have breached Ícaro Cloud S.L., a Spanish managed service provider, exposing sensitive data from 20 client networks including firewall backups, VPN keys, TLS certificates, administrator credentials, and internal network topology. The exposed material spans multiple industry sectors (accounting, education, IT, chemicals, hospitality, real estate, transport, healthcare, manufacturing) and allegedly comprises 3,500+ OPNsense configuration backups. 
The actor claims the breach resulted from reused MSP credentials and is offering the data for sale on underground channels.","https:\u002F\u002Fdarkwebinformer.com\u002Ficaro-cloud-allegedly-breached-firewall-configs-vpn-keys-tls-certificates-and-internal-network-data-exposed-across-20-spanish-corporate-networks\u002F","https:\u002F\u002Fstorage.ghost.io\u002Fc\u002F6b\u002F16\u002F6b16ac9c-cd67-432f-b0f3-bbec941084ff\u002Fcontent\u002Fimages\u002F2026\u002F05\u002F237857823659872356879236598723657985.png","2026-05-15T17:19:11+00:00",{"id":100,"title":101,"slug":102,"brief":103,"ai_summary":104,"url":105,"image_url":106,"published_at":107},"47ad4074-ef79-4ed1-b200-9cb96e5552ec","Internet Crime Complaint Center (IC3) | ShinyHunters: Cyber Criminal Group Attacks Learning Management System","internet-crime-complaint-center-ic3-shinyhunters-cyber-criminal-group-attacks-le-4cb45d","FBI warns of ShinyHunters cyber criminal group attacks on learning management systems","The FBI issued a public service announcement warning about ShinyHunters (SH), a cyber criminal group that attacked an online Learning Management System, disrupting service to educational institutions nationwide. ShinyHunters specializes in large-scale data breaches and extortion, targeting tech, finance, and retail sectors, using stolen data for spearphishing and leveraging harassment tactics including threatening calls, texts, and false claims of compromising information. 
The FBI recommends victims verify requests through known channels, avoid paying extortion demands, and report suspected intrusions to IC3.","https:\u002F\u002Fwww.ic3.gov\u002FPSA\u002F2026\u002FPSA260515","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHIYDWZwWwAEkW30.png","2026-05-15T17:08:18+00:00",{"id":109,"title":110,"slug":111,"brief":112,"ai_summary":113,"url":114,"image_url":115,"published_at":116},"ceace358-5d57-4fbe-bb03-865f6251a6c2","Microsoft backpedals: Edge to stop loading passwords into memory","microsoft-backpedals-edge-to-stop-loading-passwords-into-memory-35abd5","Microsoft Edge will stop loading saved passwords into clear-text memory at startup after security disclosure.","Security researcher Tom Jøran Sønstebyseter Rønning disclosed on May 4 that Microsoft Edge loads all saved passwords into process memory in clear text at startup, a behavior Microsoft initially claimed was \"by design.\" Microsoft has now backpedaled and announced that future Edge versions will no longer load passwords into memory, with the fix prioritized across all supported channels (Stable, Beta, Dev, Canary, Extended Stable) starting with build 148.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fmicrosoft\u002Fmicrosoft-edge-to-stop-loading-cleartext-passwords-in-memory-on-startup\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F15\u002FMicrosoft-Edge.jpg","2026-05-15T14:49:39+00:00",{"id":118,"title":119,"slug":120,"brief":121,"ai_summary":122,"url":123,"image_url":124,"published_at":125},"a9b22630-c61d-48c1-9851-4f34b7324698","Inside the REMUS Infostealer: Session Theft, MaaS, and Rapid Evolution","inside-the-remus-infostealer-session-theft-maas-and-rapid-evolution-84eb27","REMUS infostealer malware evolves into MaaS platform targeting session tokens and password managers.","REMUS, a new infostealer malware, has rapidly evolved from a basic credential-stealing tool into a sophisticated malware-as-a-service 
(MaaS) platform between February and May 2026. Analysis of 128 underground posts reveals the operator's focus shifted from simple password theft to session-token harvesting, password-manager targeting (1Password, LastPass, Bitwarden), and operational scalability with features like worker tracking, statistics pages, and SOCKS5 proxy support. The operation demonstrates how modern MaaS platforms increasingly resemble legitimate software businesses with continuous development cycles and customer-oriented features.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Finside-the-remus-infostealer-session-theft-maas-and-rapid-evolution\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fposts\u002F2026\u002F05\u002Finfostealer-header.jpg","2026-05-15T14:02:12+00:00",{"id":127,"title":128,"slug":129,"brief":130,"ai_summary":131,"url":132,"image_url":133,"published_at":134},"fb0e4e90-3b21-47e6-a6df-92a94bdb6898","Microsoft warns of Exchange zero-day flaw exploited in attacks","microsoft-warns-of-exchange-zero-day-flaw-exploited-in-attacks-3e8a4c","Microsoft warns of actively exploited Exchange Server zero-day XSS flaw affecting OWA users.","Microsoft disclosed a high-severity zero-day vulnerability (CVE-2026-42897) in Exchange Server 2016, 2019, and Subscription Edition that allows attackers to execute arbitrary JavaScript in Outlook on the Web via specially crafted emails. 
While patches are not yet available, Microsoft is providing automatic mitigation through the Exchange Emergency Mitigation Service (EEMS) and the Exchange on-premises Mitigation Tool (EOMT), though applying mitigations causes some functionality issues including broken calendar printing and image display in OWA.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fmicrosoft\u002Fmicrosoft-warns-of-exchange-zero-day-flaw-exploited-in-attacks\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F15\u002FMicrosoft-Exchange.jpg","2026-05-15T09:40:42+00:00",{"id":136,"title":137,"slug":138,"brief":139,"ai_summary":140,"url":141,"image_url":142,"published_at":143},"23428b97-1461-4c00-b597-073fed468953","1\u002F2‼️🇧🇷 Nuvidio allegedly breached: 40K files including KYC records, biometrics, private keys,...","1-2-nuvidio-allegedly-breached-40k-files-including-kyc-records-biometrics-privat-158846","Brazilian identity verification provider Nuvidio allegedly breached; 40K files with KYC, biometrics, private keys","A threat actor claims to have breached Nuvidio, a Brazilian identity verification and biometric onboarding provider. The alleged breach exposed approximately 40,000 files containing sensitive data including KYC (Know Your Customer) records, biometric data, private keys, customer video calls, and cloud infrastructure information. 
The breach affects customers of the platform, raising significant concerns about identity theft and unauthorized access to financial systems.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2055016260933652983","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHITiJeRWUAA2YYN.jpg","2026-05-14T20:03:51+00:00",{"id":145,"title":146,"slug":147,"brief":148,"ai_summary":149,"url":150,"image_url":151,"published_at":152},"00b7dc1a-5944-4d63-927f-a9e0dc673384","1\u002F2‼️🇬🇹 Guatemalan Ministry of Finance allegedly breached: 130,000 RGAE registrations and 235,0...","1-2-guatemalan-ministry-of-finance-allegedly-breached-130-000-rgae-registrations-76a1cc","Guatemalan Ministry of Finance allegedly breached; 130K RGAE registrations and 235K PDFs exposed via IDOR.","A threat actor claims to have compromised Guatemala's Registro General de Adquisiciones del Estado (RGAE) system operated by the Ministry of Finance, exposing approximately 130,000 RGAE registrations and 235,000 sensitive PDFs totaling 324.5GB. The breach was reportedly facilitated through Insecure Direct Object Reference (IDOR) vulnerabilities and unauthenticated API access. 
This represents a significant exposure of government procurement and financial registration data.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2054983250775253320","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHITEBO_XkAAubR6.jpg","2026-05-14T17:52:41+00:00",{"id":154,"title":155,"slug":156,"brief":157,"ai_summary":158,"url":159,"image_url":160,"published_at":161},"4f51b55c-8f9f-4cc9-8208-58751c74fcb6","Cyber-Enabled Cargo Crime: How Cybercrime Tradecraft is Used to Steal Freight","cyber-enabled-cargo-crime-how-cybercrime-tradecraft-is-used-to-steal-freight-8063ea","Cyber-enabled cargo crime uses phishing and stolen credentials to redirect freight shipments to criminal warehouses.","The National Motor Freight Traffic Association (NMFTA) reports that cargo theft has evolved from traditional hijackings to sophisticated cyber-enabled attacks mirroring ransomware kill chains. Threat actors use phishing emails, credential theft, and email compromise to intercept shipment notifications and alter delivery routes, redirecting legitimate freight worth $725M annually to black markets. 
These attacks represent a significant paradigm shift in transportation security, combining cybercrime tradecraft with supply chain logistics exploitation.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fcyber-enabled-cargo-crime-how-cybercrime-tradecraft-is-used-to-steal-freight\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fposts\u002F2026\u002F05\u002F14\u002Ftrucking-logistics-header-image.jpg","2026-05-14T15:21:32+00:00",{"id":163,"title":164,"slug":165,"brief":166,"ai_summary":167,"url":168,"image_url":169,"published_at":170},"be37fef0-37bc-408f-a140-87b19dc7603c","mutreasury Allegedly Breached: Admin Credentials and API Keys Exposed From the Egyptian University Payment Gateway Covering 28+ Universities, Sold With a Zero-Day Vulnerability","mutreasury-allegedly-breached-admin-credentials-and-api-keys-exposed-from-the-eg-413d86","mutreasury payment gateway breach exposes admin credentials, API keys, and student data from 28+ Egyptian universities;","A threat actor claiming the handle INT3X has breached mutreasury, Egypt's centralized university payment gateway serving 28+ institutions, and is selling the stolen database along with an unauthenticated-access zero-day vulnerability. The dump includes administrative credentials, ERP integration API tokens, transaction records linking student PII to payments, and credentials for national payment processors (e-Finance, Khales, Fawry). 
The actor is using a public preview of 4 major universities as proof-of-concept and claims the zero-day enables full persistence and real-time data extraction from the remaining 24+ connected institutions.","https:\u002F\u002Fdarkwebinformer.com\u002Fmutreasury-allegedly-breached-admin-credentials-and-api-keys-exposed-from-the-egyptian-university-payment-gateway-covering-28-universities-sold-with-a-zero-day-vulnerability\u002F","https:\u002F\u002Fstorage.ghost.io\u002Fc\u002F6b\u002F16\u002F6b16ac9c-cd67-432f-b0f3-bbec941084ff\u002Fcontent\u002Fimages\u002F2026\u002F05\u002F823768598273648972365897263598723589764.png","2026-05-14T15:03:20+00:00",{"id":172,"title":173,"slug":174,"brief":175,"ai_summary":176,"url":177,"image_url":178,"published_at":179},"3434193e-be2e-4d87-ac38-10ec47e6508d","Ghostwriter Targets Ukrainian Government With Geofenced PDF Phishing, Cobalt Strike","ghostwriter-targets-ukrainian-government-with-geofenced-pdf-phishing-cobalt-stri-47a09d","Ghostwriter targets Ukrainian government with geofenced PDF phishing delivering Cobalt Strike.","Belarus-aligned threat group Ghostwriter has launched fresh attacks against Ukrainian governmental organizations using geofenced PDF phishing emails impersonating Ukrtelecom. The attack chain delivers PicassoLoader malware, which then deploys Cobalt Strike Beacon for post-exploitation. 
The campaign demonstrates operational maturity with anti-analysis techniques, credential harvesting, and selective victim targeting based on system fingerprinting.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fghostwriter-targets-ukrainian.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEhEld5BcqD9rYWVjx7o_XlV5pN_9djvilow0iIYP-LlFEzGReX8fTPZ0gKi9zMGVLTT8qddHu5FyBMaZpQroEzYFpsoPWf96hD7JeTdqsROemmavXW2pDxNwc9kjvpJdhahmXA5Ng88tN1lyO5rqzC3K6JNwPFPWBo7OzSsaiQIN8JJsXvMrGhewMfzpouF\u002Fs1600\u002Fuk.jpg","2026-05-14T14:00:37+00:00",{"id":181,"title":182,"slug":183,"brief":184,"ai_summary":185,"url":186,"image_url":187,"published_at":188},"31f8929b-55a0-40d2-ac68-2f2f8273f283","KongTuke hackers now use Microsoft Teams for corporate breaches","kongtuke-hackers-now-use-microsoft-teams-for-corporate-breaches-1e80b9","KongTuke IAB now exploits Microsoft Teams for social engineering, delivering ModeloRAT in under five minutes.","Initial access broker KongTuke has shifted tactics to use Microsoft Teams for social engineering attacks against corporate networks, impersonating IT staff to trick users into running malicious PowerShell commands. The attacks deliver ModeloRAT, a Python-based remote access trojan that establishes persistent access with enhanced C2 resilience, multiple backdoor channels, and sophisticated persistence mechanisms designed to survive standard cleanup procedures. 
The campaign has been active since at least April 2026, with the threat actor rotating through multiple Microsoft 365 tenants to evade detection and blocking.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fkongtuke-hackers-now-use-microsoft-teams-for-corporate-breaches\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F02\u002F17\u002FMicrosoft-Teams.jpg","2026-05-14T12:12:40+00:00",{"id":190,"title":191,"slug":192,"brief":193,"ai_summary":194,"url":195,"image_url":43,"published_at":196},"299b5559-f84f-4a81-a449-d123c065c4df","Siemens Opcenter RDnL","siemens-opcenter-rdnl-5fb307","Siemens Opcenter RDnL affected by missing authentication in ActiveMQ Artemis (CVE-2026-27446)","Siemens Opcenter RDnL is vulnerable to a missing authentication flaw in Apache ActiveMQ Artemis that allows unauthenticated attackers on adjacent networks to force broker federation connections to rogue brokers. The vulnerability (CVE-2026-27446, CVSS 7.1) enables message injection\u002Fexfiltration and availability impacts across all affected versions. Siemens recommends immediate patching to Apache Artemis 2.52.0 or later, with mitigations including Core protocol filtering, acceptor reconfiguration, and two-way SSL enforcement.","https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Fics-advisories\u002Ficsa-26-134-09","2026-05-14T12:00:00+00:00",{"id":198,"title":199,"slug":200,"brief":201,"ai_summary":202,"url":203,"image_url":204,"published_at":205},"cbdedcc2-65cc-4e36-b2ff-c969229c96b8","How AI Hallucinations Are Creating Real Security Risks","how-ai-hallucinations-are-creating-real-security-risks-81c127","AI hallucinations pose critical security risks in infrastructure decision-making through confident but inaccurate","AI hallucinations—confidently presented but factually incorrect outputs—are creating serious security vulnerabilities in critical infrastructure and cybersecurity operations. 
When AI models lack certainty, they generate plausible-sounding but false information without recognizing their limitations, potentially triggering automated systems and human decision-making errors. Organizations must treat all AI-generated security responses as unverified until human validation, particularly given that most tested AI models are more likely to provide confident incorrect answers than correct ones on difficult questions.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fhow-ai-hallucinations-are-creating-real.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEi45HPlwBwWVoL1fRSEGy7bjtz4Z05lAO8NWxLqPrzQ93c3j5aaj_CaK5gCrJC6aYP0ePV36n27rw33vJv5mUXf3mtdOEItJjHrSkzckVGAdTU2UMp8s-HAVjNUE7jVDeTH0UikGxNZWeB6J3qVNguP2iO5V5-qUgW3g_IqxZ9cMEZy0tS0iEsl8MnSjB0\u002Fs1600\u002Fkeeper.jpg","2026-05-14T11:30:00+00:00",{"id":207,"title":208,"slug":209,"brief":210,"ai_summary":211,"url":212,"image_url":213,"published_at":214},"e4ccef1b-9702-4a75-9091-9b670d042d7d","Your iPhone Gets Stolen. Then the Hacking Begins","your-iphone-gets-stolen-then-the-hacking-begins-1d03ce","Underground ecosystem sells iPhone unlocking tools and phishing kits to criminals targeting stolen devices.","Researchers at Infoblox have uncovered a thriving underground market across Telegram and the web where criminals purchase affordable unlocking tools and phishing kits designed to compromise stolen iPhones. The ecosystem includes phishing pages mimicking Apple's Find My service, jailbreak tools, and voice-calling scripts, with traffic to phishing domains increasing 350% year-over-year. 
Stolen phones worth $50–$200 when locked can fetch $500–$1,000 when unlocked, incentivizing thieves to gain access to bank accounts and crypto wallets.","https:\u002F\u002Fwww.wired.com\u002Fstory\u002Fyour-iphone-gets-stolen-then-the-hacking-begins\u002F","https:\u002F\u002Fmedia.wired.com\u002Fphotos\u002F6a04f441c21c453beb0a3dc7\u002Fmaster\u002Fpass\u002FGettyImages-2234913437.jpg","2026-05-14T10:00:00+00:00",{"id":216,"title":217,"slug":218,"brief":219,"ai_summary":220,"url":221,"image_url":222,"published_at":223},"12fcfa1e-7378-4515-a3b1-e25d6a2b882a","Iranian hackers targeted major South Korean electronics maker","iranian-hackers-targeted-major-south-korean-electronics-maker-b0773e","Iran-linked MuddyWater targets South Korean electronics maker and 8+ orgs in espionage campaign.","The Iran-linked threat group MuddyWater (Seedworm\u002FStatic Kitten) conducted a broad cyber-espionage campaign targeting at least nine organizations including a major South Korean electronics manufacturer, government agencies, and industrial firms across multiple countries. 
The attackers employed DLL sideloading of legitimate tools (Fortemedia, SentinelOne binaries) to deploy ChromElevator and PowerShell-based payloads for reconnaissance, credential theft, and persistent access, demonstrating increased operational maturity and geographic expansion.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Firanian-hackers-targeted-major-south-korean-electronics-maker\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F04\u002F07\u002FIranian-hackers.jpg","2026-05-13T21:59:33+00:00",{"id":225,"title":226,"slug":227,"brief":228,"ai_summary":229,"url":230,"image_url":231,"published_at":232},"596c87f2-f1e1-4038-aa8b-6fece2b2130e","Packagist Urges Immediate Composer Update After GitHub Actions Token Leak","packagist-urges-immediate-composer-update-after-github-actions-token-leak-e1f413","Composer vulnerability exposed GitHub Actions tokens in CI logs due to token format validation regex mismatch.","Packagist urgently warned PHP projects to update Composer after a GitHub token format change caused authentication tokens to be exposed in GitHub Actions CI logs. Composer versions 2.9.8, 2.2.28 LTS, and 1.10.28 fix a vulnerability where the tool would print full GITHUB_TOKEN or GitHub App installation token values to stderr when validation failed against an outdated regex pattern. 
Although GitHub has since rolled back the token format change, the fix is critical for projects that may have already exposed credentials during the brief exposure window.","https:\u002F\u002Fsocket.dev\u002Fblog\u002Fpackagist-urges-immediate-composer-update?utm_medium=feed","https:\u002F\u002Fcdn.sanity.io\u002Fimages\u002Fcgdhsj6q\u002Fproduction\u002F53eba9063cf50df4d6f251fc17f0eb10144405c4-2048x2048.jpg?w=1000&q=95&fit=max&auto=format","2026-05-13T14:08:18.701+00:00",{"id":234,"title":235,"slug":236,"brief":237,"ai_summary":238,"url":239,"image_url":240,"published_at":241},"fcf2c449-2921-4383-8b71-cb4e4de479b4","Microsoft Patches Critical Zero-Click Outlook Vulnerability Threatening Enterprises","microsoft-patches-critical-zero-click-outlook-vulnerability-threatening-enterpri-41bfbc","Microsoft patches critical zero-click Outlook RCE vulnerability CVE-2026-40361 affecting enterprises.","Microsoft released a patch for CVE-2026-40361, a critical zero-click remote code execution vulnerability in Outlook's email rendering engine that can be exploited when victims read or preview emails. Researcher Haifei Li, who discovered the flaw, compared it to BadWinmail (CVE-2015-6172), an \"enterprise killer\" vulnerability from over a decade ago with identical attack vectors. 
The vulnerability lies in a DLL shared by Word and Outlook, and although Microsoft rated it only \"exploitation more likely,\" Li cautioned against underestimating threat actors even though he has released only a proof-of-concept.","https:\u002F\u002Fwww.securityweek.com\u002Fmicrosoft-patches-critical-zero-click-outlook-vulnerability-threatening-enterprises\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2023\u002F03\u002FMicrosoft-Outlook-CVE-2023-23397.jpg","2026-05-13T10:33:46+00:00",{"id":243,"title":244,"slug":245,"brief":246,"ai_summary":247,"url":248,"image_url":249,"published_at":250},"4ae44407-278c-4c2a-8754-02e9744a8864","Fortinet warns of critical RCE flaws in FortiSandbox and FortiAuthenticator","fortinet-warns-of-critical-rce-flaws-in-fortisandbox-and-fortiauthenticator-b3d857","Fortinet patches critical RCE flaws in FortiSandbox and FortiAuthenticator.","Fortinet released security patches for two critical remote code execution vulnerabilities affecting FortiAuthenticator (CVE-2026-44277) and FortiSandbox (CVE-2026-26083). Both flaws stem from improper access control and missing authorization checks that allow unauthenticated attackers to execute arbitrary commands. 
While not currently known to be exploited in the wild, Fortinet vulnerabilities have a history of frequent exploitation in ransomware and cyber-espionage campaigns, with CISA tracking 24 Fortinet CVEs in its actively exploited vulnerabilities catalog.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Ffortinet-warns-of-critical-rce-flaws-in-fortisandbox-and-fortiauthenticator\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2025\u002F12\u002F29\u002FFortinet.jpg","2026-05-12T18:23:09+00:00",{"id":252,"title":253,"slug":254,"brief":255,"ai_summary":256,"url":257,"image_url":258,"published_at":259},"35ad453e-f3d2-4de1-8b5e-06fd08b8d435","FutureShop Egypt Allegedly Breached Exposing Thousands of Customer, Order, and Delivery Records From the Egyptian Grocery Delivery Platform","futureshop-egypt-allegedly-breached-exposing-thousands-of-customer-order-and-del-921e79","FutureShop Egypt breached via unauthenticated API exposure, leaking 3,893 customer profiles and 5,181 orders.","A threat actor claims to have breached FutureShop Egypt, an Egyptian grocery delivery platform, by exploiting an exposed API requiring no authentication. The breach exposed 3,893 customer records with full names, verified phone numbers, and email addresses; 5,181 order records with prices and delivery details; 2,438 delivery addresses with GPS coordinates; and 643 admin panel store orders. 
The compromised data spans from October 2025 to May 2026 and was shared for free via a Telegram channel.","https:\u002F\u002Fdarkwebinformer.com\u002Ffutureshop-egypt-allegedly-breached-exposing-thousands-of-customer-order-and-delivery-records-from-the-egyptian-grocery-delivery-platform\u002F","https:\u002F\u002Fstorage.ghost.io\u002Fc\u002F6b\u002F16\u002F6b16ac9c-cd67-432f-b0f3-bbec941084ff\u002Fcontent\u002Fimages\u002F2026\u002F05\u002F427938459876235987623598726598723658792.png","2026-05-12T17:49:19+00:00",{"id":261,"title":262,"slug":263,"brief":264,"ai_summary":265,"url":266,"image_url":267,"published_at":268},"d44e47e2-e468-4e49-bc87-a4a16b1af992","Fake Claude Code Installer Targets Developers With Browser Credential Stealer","fake-claude-code-installer-targets-developers-with-browser-credential-stealer-88ef43","Fake Claude Code installer malware targets developers to steal browser credentials and encryption keys.","Researchers at Ontinue discovered a malware campaign using fake Claude Code installation pages to distribute obfuscated PowerShell scripts that steal browser passwords, cookies, and encryption keys from Chromium-based browsers. 
The malware bypasses Google's Application-Bound Encryption by injecting a payload into browser processes and exploiting the IElevator2 COM interface, then exfiltrates stolen data to mt7263.com and establishes persistence via scheduled tasks.","https:\u002F\u002Fhackread.com\u002Ffake-claude-code-installer-devs-browser-credential-stealer\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Ffake-claude-code-installer-devs-browser-credential-stealer.jpg","2026-05-12T17:47:36+00:00",{"id":270,"title":271,"slug":272,"brief":273,"ai_summary":274,"url":275,"image_url":276,"published_at":277},"c5d967da-0f21-492f-b0e4-d823a4c46e89","Android 17 to expand banking scam call and privacy protections","android-17-to-expand-banking-scam-call-and-privacy-protections-12dc40","Android 17 introduces banking scam call detection, device theft protection, and expanded threat detection features.","Android 17, rolling out next month, adds multiple security and privacy features including automatic detection and termination of spoofed banking scam calls via app-level verification with partner banks (Revolut, Itaú, Nubank), expanded Live Threat Detection for stalkerware and malicious apps, and enhanced device theft protection via biometric-locked 'Mark as lost' feature. 
Additional protections include APK malware scanning, OTP hiding, post-quantum cryptography, temporary location sharing, and improved accessibility service restrictions.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fandroid-17-to-expand-banking-scam-call-and-privacy-protections\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F12\u002F0_Android-Shield.jpg","2026-05-12T17:00:00+00:00",{"id":279,"title":280,"slug":281,"brief":282,"ai_summary":283,"url":284,"image_url":285,"published_at":286},"70ec6bb4-9b07-457e-b624-622d90f644ba","Undermining the trust boundary: Investigating a stealthy intrusion through third-party compromise","undermining-the-trust-boundary-investigating-a-stealthy-intrusion-through-third--c175cd","Microsoft incident response reveals stealthy third-party compromise exploiting trusted HPE operations agent.","Microsoft Incident Response investigated a sophisticated intrusion where threat actors compromised a third-party IT services provider and abused HPE Operations Agent (OA) to establish persistent access without using exploits or malware. The attackers leveraged legitimate administrative mechanisms and trusted operational relationships to conduct credential theft and lateral movement while remaining undetected. 
The investigation demonstrates how modern intrusions exploit implicit trust boundaries in third-party management relationships rather than relying on noisy exploit-driven techniques.","https:\u002F\u002Fwww.microsoft.com\u002Fen-us\u002Fsecurity\u002Fblog\u002F2026\u002F05\u002F12\u002Fundermining-the-trust-boundary-investigating-a-stealthy-intrusion-through-third-party-compromise\u002F","https:\u002F\u002Fwww.microsoft.com\u002Fen-us\u002Fsecurity\u002Fblog\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002FFeatured-image-3P-IT.png","2026-05-12T15:00:00+00:00",{"id":288,"title":289,"slug":290,"brief":291,"ai_summary":292,"url":293,"image_url":294,"published_at":295},"5e1d3ccc-e7bd-40aa-b9d0-d75181ac4ef1","When Responder forces a NetBIOS election and wins https:\u002F\u002Ft.co\u002Fwihk8U3OKM","when-responder-forces-a-netbios-election-and-wins-https-t-co-wihk8u3okm-8654c6","Responder tool exploits NetBIOS election mechanism to intercept network traffic.","The article discusses how the Responder tool leverages NetBIOS election protocols to force a win in network elections, allowing attackers to intercept and potentially redirect network traffic. 
The technique relies on the NetBIOS browser election being an unauthenticated broadcast exchange in which any host can announce winning election criteria, which Responder exploits for credential harvesting and man-in-the-middle attacks.","https:\u002F\u002Fx.com\u002FSwiftOnSecurity\u002Fstatus\u002F2054211355914244170","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHIIGV08WcAAiyUF.jpg","2026-05-12T14:45:27+00:00",{"id":297,"title":298,"slug":299,"brief":300,"ai_summary":301,"url":302,"image_url":303,"published_at":304},"6952a7d8-dfb6-4000-81ce-df9f1801aa6c","OLG Stuttgart - 4 U 353\u002F24","olg-stuttgart-4-u-353-24-1da7a8","German appeals court partially upholds GDPR data subject rights against social media company tracking via third-party","In OLG Stuttgart case 4 U 353\u002F24, a German appellate court partially upheld a data subject's GDPR claims against a social media platform operator whose 'Business Tools' tracked users across third-party websites without sufficient legal basis. The court found the data processing unlawful, upheld the right to restrict processing and access personal data, but dismissed claims for injunctive relief and erasure. 
The decision establishes that joint controllers bear the burden of proving consent and cannot rely on inadequate 'self-help tools' to satisfy transparency obligations.","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=OLG_Stuttgart_-_4_U_353\u002F24&diff=51625&oldid=51624","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F4\u002F4c\u002FCourts_logo1.png","2026-05-12T14:31:42+00:00",{"id":306,"title":307,"slug":308,"brief":309,"ai_summary":310,"url":311,"image_url":43,"published_at":312},"c1a8c39b-908d-4257-91cb-d9da37bb2b92","ABB WebPro SNMP Card PowerValue Multiple Vulnerabilities","abb-webpro-snmp-card-powervalue-multiple-vulnerabilities-ea26b4","ABB WebPro SNMP Card PowerValue contains three critical vulnerabilities enabling authentication bypass and DoS attacks.","ABB disclosed three internally discovered vulnerabilities affecting WebPro SNMP Card PowerValue versions ≤1.1.8.k: improper Modbus protocol implementation causing service unavailability (CVE-2025-4675), authentication bypass via single-character validation allowing brute force (CVE-2025-4676), and missing session timeout on ports 23\u002F502 enabling resource exhaustion DoS (CVE-2025-4677). 
All vulnerabilities are fixed in version 1.1.8.p, which ABB strongly recommends customers deploy immediately.","https:\u002F\u002Fwww.cisa.gov\u002Fnews-events\u002Fics-advisories\u002Ficsa-26-132-06","2026-05-12T12:00:00+00:00",{"id":314,"title":315,"slug":316,"brief":317,"ai_summary":318,"url":319,"image_url":320,"published_at":321},"9006e7eb-07b2-4c4a-be63-d3bfe7e6825c","Customer data exposure at CB Financial Services (CBFV) prompts material cybersecurity filing","customer-data-exposure-at-cb-financial-services-cbfv-prompts-material-cybersecur-421e4f","CB Financial Services discloses material breach exposing customer names, SSNs, birthdates via unauthorized AI app.","CB Financial Services reported a material cybersecurity incident on May 5, 2026 involving improper handling of non-public customer data (names, social security numbers, birth dates) through an unauthorized AI-based software application at its Community Bank subsidiary. The company stated that banking operations and core systems were not disrupted, and no material financial impact is expected, but is investigating the scope and root cause with external advisors while notifying affected customers and coordinating with regulators.","https:\u002F\u002Fwww.stocktitan.net\u002Fsec-filings\u002FCBFV\u002F8-k-cb-financial-services-inc-reports-material-event-9d71c207862a.html","https:\u002F\u002Fstatic.stocktitan.net\u002Ffiling-covers\u002Fcbfv_8-K.webp","2026-05-11T20:33:48+00:00",{"id":323,"title":324,"slug":325,"brief":326,"ai_summary":327,"url":328,"image_url":329,"published_at":330},"79ab07f4-e691-4588-af19-12c24ffc3d79","1\u002F2‼️🇮🇳 BLS International allegedly breached exposing 29 million records, source code, and SSH...","1-2-bls-international-allegedly-breached-exposing-29-million-records-source-code-3cad8f","BLS International breach exposes 29M records, source code, SSH keys from Indian visa services provider","BLS International, a major Indian visa services provider, has allegedly suffered a 
significant data breach exposing approximately 29 million records, backend source code, Amazon S3 bucket dumps, MySQL root access credentials, and SSH private keys. The threat actor claims to be selling these stolen assets on the dark web. This breach affects a critical infrastructure provider handling sensitive visa application data for multiple countries.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2053886693619404997","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHIDew6LWkAAuKpl.jpg","2026-05-11T17:15:21+00:00",{"id":332,"title":333,"slug":334,"brief":335,"ai_summary":336,"url":337,"image_url":338,"published_at":339},"39bc6529-96c4-459c-85e1-db94e50d225a","Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation","hackers-used-ai-to-develop-first-known-zero-day-2fa-bypass-for-mass-exploitation-5a38a1","Google discloses first known zero-day 2FA bypass likely developed using AI by unknown threat actors.","Google's Threat Intelligence Group identified an unknown threat actor exploiting a zero-day vulnerability in a web-based system administration tool, with analysis suggesting AI was weaponized to discover and develop the exploit. The vulnerability enables 2FA bypass on valid credentials and was disclosed responsibly to the affected vendor. 
The discovery is reported as the first known in-the-wild use of AI for malicious vulnerability discovery and exploit generation.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fhackers-used-ai-to-develop-first-known.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEgF329-zAoI4gwIW3h3gRYiDJjcRSyWPM4DLHFQwNNGfLTVaROqIfQZ0QB1FwWGmvMGuyNAF9Q6QBYcwLsqMsCka5Lqu82CzUbrBULnUDQwtY_4z6KiOEKSETes6as77XfUCaJVBUOCovZz8jajp6vBp9AAjHiS7BEviANEH0FxmzZwdrTapD3R-gPQWKJ1\u002Fs1600\u002Fai-hacker.jpg","2026-05-11T15:45:00+00:00",{"id":341,"title":342,"slug":343,"brief":344,"ai_summary":345,"url":346,"image_url":347,"published_at":348},"a5b8e771-0da4-401a-b528-68d221694510","Why Changing Passwords Doesn’t End an Active Directory Breach","why-changing-passwords-doesn-t-end-an-active-directory-breach-ecea65","Password resets alone don't remove attackers from AD; cached credentials and Kerberos tickets enable persistence.","Resetting a compromised password in Active Directory and hybrid Entra ID environments doesn't immediately revoke all authentication paths, allowing attackers to maintain access through cached credentials, active Kerberos tickets, forged Golden\u002FSilver Tickets, or persistent ACL permissions. The article explains three post-reset credential states and attack techniques including pass-the-hash, Kerberoasting, and ticket forgery that bypass simple password changes. 
Effective remediation requires invalidating active sessions, purging tickets, reviewing permissions, and addressing underlying persistence mechanisms beyond credential resets.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fwhy-changing-passwords-doesnt-end-an-active-directory-breach\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fposts\u002F2026\u002F05\u002F04\u002Fwhy-changing-passwords-doesnt-end-an-active-directory-breach.png","2026-05-11T13:53:56+00:00",{"id":350,"title":351,"slug":352,"brief":353,"ai_summary":354,"url":355,"image_url":356,"published_at":357},"dcd970d5-7ab6-4904-8b63-2afa666b11bb","Google Detects First AI-Generated Zero-Day Exploit","google-detects-first-ai-generated-zero-day-exploit-e7aa31","Google identifies first AI-generated zero-day exploit designed to bypass 2FA on web administration tool.","Google has identified a zero-day vulnerability believed to be the first developed using artificial intelligence, created by a prominent cybercrime group to bypass two-factor authentication on an open-source web-based system administration tool. The exploit was implemented as a Python script and distributed for mass exploitation. 
The report also details how Chinese state-sponsored group UNC2814 and North Korean APT45 are actively using AI tools and techniques, including jailbreaks and recursive prompt analysis, to enhance vulnerability discovery and validate exploit capabilities at scale.","https:\u002F\u002Fwww.securityweek.com\u002Fgoogle-detects-first-ai-generated-zero-day-exploit\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2023\u002F10\u002FZero-Day-Exploit.jpg","2026-05-11T13:04:21+00:00",{"id":359,"title":360,"slug":361,"brief":362,"ai_summary":363,"url":364,"image_url":365,"published_at":366},"9c273dab-9c8e-4fcd-ad38-4dec8fedd4e2","Hackers Exploit Vercel GenAI to Mass-Produce Convincing Phishing Sites","hackers-exploit-vercel-genai-to-mass-produce-convincing-phishing-sites-9e0dac","Hackers abuse Vercel GenAI to mass-produce convincing phishing sites mimicking Microsoft, Adidas, Nike.","Cybersecurity researchers at Cofense have discovered hackers exploiting Vercel's v0.dev generative UI platform to create high-quality phishing websites that mimic major brands like Microsoft, Adidas, Nike, and Spotify. By leveraging GenAI, even minimally skilled attackers can now rapidly produce convincing fake login pages and integrate them with Telegram bots for real-time credential theft, making detection significantly harder. 
The low barrier to entry (free\u002Fcheap Vercel accounts) and ease of regenerating sites after takedown represent a new threat vector that traditional security detection methods struggle to identify.","https:\u002F\u002Fhackread.com\u002Fhackers-exploit-vercel-genai-phishing-sites\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fhackers-exploit-vercel-genai-phishing-sites.png","2026-05-11T10:34:38+00:00",{"id":368,"title":369,"slug":370,"brief":371,"ai_summary":372,"url":373,"image_url":374,"published_at":375},"7e1c0be9-86b4-407f-93f9-c0c1b905db21","Over 500 Organizations Hit in Years-Long Phishing Campaign","over-500-organizations-hit-in-years-long-phishing-campaign-6a0646","Operation HookedWing phishing campaign steals 2,000+ credentials from 500+ organizations over four years.","SOCRadar has documented Operation HookedWing, a sophisticated phishing campaign active since 2022 that has compromised over 500 organizations across aviation, critical infrastructure, energy, government, logistics, and technology sectors, stealing more than 2,000 user credentials. The campaign uses GitHub repositories and compromised servers to host personalized phishing pages mimicking Microsoft Outlook, with infrastructure expanding and tactics evolving in 2024–2025 to include French-language lures and obfuscated domains. 
Analysis suggests geopolitical targeting focused on high-privilege credentials and sensitive-access environments, indicating potential nation-state involvement or targeting of strategic interest.","https:\u002F\u002Fwww.securityweek.com\u002Fover-500-organizations-hit-in-years-long-phishing-campaign\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2025\u002F11\u002FAI-phishing.jpeg","2026-05-11T03:49:18+00:00",{"id":377,"title":378,"slug":379,"brief":380,"ai_summary":381,"url":382,"image_url":383,"published_at":384},"9e7655d1-a163-46ed-b398-99d2ca73532c","Hackers Trick DigiCert Into Issuing Certificates Used to Sign Malware","hackers-trick-digicert-into-issuing-certificates-used-to-sign-malware-c87b0b","DigiCert revokes 60 code signing certificates after attackers breach support systems to issue malware signatures.","Hackers tricked DigiCert support staff into executing malware via a disguised ZIP file attachment, compromising two endpoints and gaining access to certificate issuance systems. Using stolen initialization codes as bearer credentials, the attackers procured valid EV Code Signing certificates and used them to sign the Zhong Stealer malware. 
DigiCert revoked all 60 affected certificates within 24 hours of discovery after an independent researcher disclosed the abuse.","https:\u002F\u002Fhackread.com\u002Fhackers-digicert-issue-certificates-sign-malware\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fhackers-digicert-issue-certificates-sign-malware.png","2026-05-10T16:53:52+00:00",{"id":386,"title":387,"slug":388,"brief":389,"ai_summary":390,"url":391,"image_url":392,"published_at":393},"ee3a76fe-f489-4b6b-a8f7-ca638048e4d3","‼️9,500 passport and national ID card scans allegedly being sold mainly from France and Turkey\n\nA...","9-500-passport-and-national-id-card-scans-allegedly-being-sold-mainly-from-franc-4f46fd","Threat actor selling 9,542 passport and ID card scans from France, Turkey, and other nations.","A threat actor is selling a 4.01GB compressed archive containing 9,542 scans of passports and national identity cards, primarily sourced from France and Turkey but spanning multiple countries. The sale represents a significant identity theft risk and suggests widespread document compromise across multiple jurisdictions. 
The archive is being marketed on underground forums and poses immediate risk to affected individuals.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2053517308031598975","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHH-O_hzXYAUV0Ah.jpg","2026-05-10T16:47:33+00:00",{"id":395,"title":396,"slug":397,"brief":398,"ai_summary":399,"url":400,"image_url":401,"published_at":402},"1c459a21-8814-48e7-b4e5-9d6fecfd0ac7","We observed a phishing campaign pivot to evade static analysis, shifting from credential theft to...","we-observed-a-phishing-campaign-pivot-to-evade-static-analysis-shifting-from-cre-7e922a","Phishing campaign pivots to OAuth device code attacks using runtime-fetched landing pages.","Researchers observed a phishing campaign evolving its tactics to evade static analysis by shifting from credential theft to OAuth device code phishing. The attackers replaced hardcoded URLs with dynamically fetched landing pages and used blob URLs for generated images to bypass detection mechanisms.","https:\u002F\u002Fx.com\u002FUnit42_Intel\u002Fstatus\u002F2052830994885955870","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHH0e1gHWAAYwedE.jpg","2026-05-08T19:20:23+00:00",{"id":404,"title":405,"slug":406,"brief":407,"ai_summary":408,"url":409,"image_url":410,"published_at":411},"53e43741-6a2f-48bd-bacb-42e452c2c23e","Ransomware negotiator tied to $56M in attacks was sentenced, DPRK-linked fraudulent IT worker sch...","ransomware-negotiator-tied-to-56m-in-attacks-was-sentenced-dprk-linked-fraudulen-ca0709","Ransomware negotiator sentenced for $56M attacks; DPRK IT fraud disrupted; PCPJack targets cloud credentials; Palo Alto","A ransomware negotiator was sentenced for involvement in attacks totaling $56 million. 
Additionally, law enforcement disrupted DPRK-linked fraudulent IT worker schemes, researchers discovered PCPJack malware targeting cloud infrastructure to steal credentials, and a Palo Alto Networks firewall zero-day vulnerability is under active exploitation.","https:\u002F\u002Fx.com\u002FSentinelOne\u002Fstatus\u002F2052813317811347693","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHH0O0TiW4AYe-iP.jpg","2026-05-08T18:10:09+00:00",{"id":413,"title":414,"slug":415,"brief":416,"ai_summary":417,"url":418,"image_url":419,"published_at":420},"9fccd3bf-e89e-48a5-b5c8-b88ba36054f5","‼️🇦🇺 1,169 Australian websites allegedly being sold as full panel access by a single threat act...","1-169-australian-websites-allegedly-being-sold-as-full-panel-access-by-a-single--731b26","Threat actor claims to be selling full admin access to 1,169 Australian websites.","A threat actor is allegedly offering full panel access to 1,169 Australian websites for sale, providing credentials in url:user:pass format. The listings reportedly grant entry to what appears to be a control panel or administrative interface. This represents a significant credential compromise affecting multiple Australian organizations across unknown sectors.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2052797375945879598","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHH0AVMLXUAYdUyn.jpg","2026-05-08T17:06:48+00:00",{"id":422,"title":423,"slug":424,"brief":425,"ai_summary":426,"url":427,"image_url":428,"published_at":429},"2bb15b13-4976-4d9d-8ea2-c3e716c020e5","Security Incident Update & FAQs","security-incident-update-faqs-5fe463","Instructure Canvas LMS suffers unauthorized access via Free-For-Teacher account vulnerability; personal data of","Instructure detected unauthorized activity in Canvas LMS on April 29, 2026, and again on May 7, 2026, both exploiting a vulnerability in Free-For-Teacher accounts. 
The threat actor accessed and modified student and teacher pages, prompting Instructure to take Canvas offline temporarily, revoke credentials, and shut down Free-For-Teacher accounts. Exposed data includes names, email addresses, student ID numbers, and Canvas messages; passwords, dates of birth, government IDs, and financial information were not compromised.","https:\u002F\u002Fwww.instructure.com\u002Fincident_update","https:\u002F\u002Fwww.instructure.com\u002Fsites\u002Fdefault\u002Ffiles\u002Fimage\u002F2025-07\u002F2025-Meta-OG-thumb-ENG_0.jpg","2026-05-08T16:25:43+00:00",{"id":431,"title":432,"slug":433,"brief":434,"ai_summary":435,"url":436,"image_url":437,"published_at":438},"e96f2be5-9a8f-443b-a095-2724cc2a5012","Community Choice Credit Union Allegedly Breached Exposing 1M+ Premium Credit Client Records","community-choice-credit-union-allegedly-breached-exposing-1m-premium-credit-clie-698897","Community Choice Credit Union allegedly breached; 1M+ premium client records with full card numbers exposed.","A threat actor known as MDGhost is advertising a dataset of over 1 million records from Community Choice Credit Union, including full credit card numbers, names, issuing banks, and addresses. Screenshots allegedly show backend admin panel access with member account summaries, loans, and deposits data. 
The compromise affects a US banking institution and represents a critical exposure of sensitive financial and personal information.","https:\u002F\u002Fdarkwebinformer.com\u002Fcommunity-choice-credit-union-allegedly-breached-exposing-1m-premium-credit-client-records\u002F","https:\u002F\u002Fstorage.ghost.io\u002Fc\u002F6b\u002F16\u002F6b16ac9c-cd67-432f-b0f3-bbec941084ff\u002Fcontent\u002Fimages\u002F2026\u002F05\u002F123795862987356982735691823569872356983.png","2026-05-08T15:06:06+00:00",{"id":440,"title":441,"slug":442,"brief":443,"ai_summary":444,"url":445,"image_url":43,"published_at":438},"dfd0c9ef-aeef-4707-824a-b65dd026501c","‼️🇺🇸 Community Choice Credit Union Allegedly Breached Exposing 1M+ Premium Credit Client Record...","community-choice-credit-union-allegedly-breached-exposing-1m-premium-credit-clie-298904","Community Choice Credit Union allegedly breached, exposing 1M+ premium client records.","Community Choice Credit Union reportedly suffered a data breach exposing over 1 million premium credit client records. The incident involves sensitive personal and financial information belonging to credit union members. Details regarding the breach method, timeline, and remediation efforts are still emerging.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2052767000082973081",{"id":447,"title":448,"slug":449,"brief":450,"ai_summary":451,"url":452,"image_url":453,"published_at":454},"305c89f3-b003-4d84-b809-07b2e4929adb","Former govt contractor convicted for wiping dozens of federal databases","former-govt-contractor-convicted-for-wiping-dozens-of-federal-databases-4328b9","Former federal contractor convicted for destroying 96 government databases after termination.","A 34-year-old Virginia man, Sohaib Akhter, was convicted of conspiring to destroy dozens of U.S. government databases after being fired from his contractor role in February 2025. 
Along with his twin brother Muneeb, he accessed systems without authorization, deleted approximately 96 databases containing sensitive investigative documents and FOIA records across multiple federal agencies, and attempted to cover their tracks using AI to clear system logs. Sohaib faces up to 21 years in prison at sentencing on September 9, 2026, while Muneeb faces up to 45 years for additional charges including aggravated identity theft and theft of government records.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fformer-govt-contractor-convicted-for-wiping-dozens-of-federal-databases\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2025\u002F12\u002F04\u002FHackers.jpg","2026-05-08T08:45:04+00:00",[],[],[],[],50]