[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"tag:malware":3},{"tag":4,"articles":8,"awareness":457,"events":458,"tips":459,"focus_items":460,"total_count":461},{"slug":5,"name":6,"description":7},"malware","Malware",null,[9,18,27,36,45,54,63,72,81,90,99,108,117,126,135,144,153,162,171,180,189,198,207,216,225,234,243,252,261,270,279,288,297,306,315,324,333,342,351,360,369,378,387,396,404,413,421,430,439,448],{"id":10,"title":11,"slug":12,"brief":13,"ai_summary":14,"url":15,"image_url":16,"published_at":17},"fc2aa533-2f4a-4943-a4ef-a78265a5f8a9","🚨WhatsApp zero-day exploit allegedly advertised for sale\n\nA threat actor on an underground forum...","whatsapp-zero-day-exploit-allegedly-advertised-for-sale-a-threat-actor-on-an-und-a46602","Threat actor claims to sell WhatsApp zero-day exploit for malware installation.","A threat actor is advertising a WhatsApp zero-day exploit for sale on an underground forum, claiming it can install malware or backdoors via private messages. The exploit allegedly works on both phones and desktop platforms. Details remain limited pending further investigation.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2058257939362627626","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHJBmowuXAAAMDOf.jpg","2026-05-23T18:45:07+00:00",{"id":19,"title":20,"slug":21,"brief":22,"ai_summary":23,"url":24,"image_url":25,"published_at":26},"f1b72fff-ed9c-408d-b98e-4f021d170880","Malicious Postinstall Hook Found Across 700+ GitHub Repositories, Including Packagist and Node.js Projects","malicious-postinstall-hook-found-across-700-github-repositories-including-packag-4fdf9d","Malicious postinstall hooks discovered across 700+ GitHub repos targeting PHP and Node.js packages via Packagist.","Socket researchers identified a coordinated supply chain campaign affecting eight Composer packages on Packagist, where upstream repositories were modified to include malicious postinstall scripts in package.json files. The scripts attempted to download a Linux binary named gvfsd-network from an attacker-controlled GitHub Releases URL, save it to \u002Ftmp\u002F.sshd, and execute it in the background with disabled TLS verification. A broader GitHub search revealed hundreds of additional references to the same attacker infrastructure across Node.js repositories, suggesting the campaign extends far beyond the confirmed Packagist findings.","https:\u002F\u002Fsocket.dev\u002Fblog\u002Fmalicious-postinstall-hook-found-across-700-github-repos?utm_medium=feed","https:\u002F\u002Fcdn.sanity.io\u002Fimages\u002Fcgdhsj6q\u002Fproduction\u002Fd66a69ec89dc89742b33b6b178982263b5f44386-1672x941.png?w=1000&q=95&fit=max&auto=format","2026-05-22T21:03:29.112+00:00",{"id":28,"title":29,"slug":30,"brief":31,"ai_summary":32,"url":33,"image_url":34,"published_at":35},"19a1e6ec-ed96-4ada-a1eb-a6c306e33d45","5,561 GitHub Repositories Hit by Megalodon Supply Chain Attack in Six Hours","5-561-github-repositories-hit-by-megalodon-supply-chain-attack-in-six-hours-ae8ebc","Megalodon attack compromises 5,561 GitHub repos via malicious CI workflows in six hours.","SafeDep discovered Megalodon, a large-scale automated supply chain attack targeting 5,561 GitHub repositories that pushed 5,718 malicious code updates within six hours on May 18, 2026. The attackers used fake GitHub accounts and injected malicious CI\u002FCD workflows to steal cloud credentials and GitHub Actions tokens, enabling credential theft from AWS, Google Cloud, and Azure. The attack resulted in seven poisoned versions of the Tiledesk npm package being published publicly, demonstrating the downstream impact of compromised repositories.","https:\u002F\u002Fhackread.com\u002Fgithub-repositories-megalodon-supply-chain-attack\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fgithub-repositories-megalodon-supply-chain-attack.png","2026-05-22T13:51:21+00:00",{"id":37,"title":38,"slug":39,"brief":40,"ai_summary":41,"url":42,"image_url":43,"published_at":44},"19308891-aad0-4dd8-b813-d04ede57526f","Microsoft Patches Exploited UnDefend and RedSun Defender Zero-Days","microsoft-patches-exploited-undefend-and-redsun-defender-zero-days-abf255","Microsoft patches two exploited Defender zero-days allowing privilege escalation and DoS attacks.","Microsoft released security patches for two zero-day vulnerabilities in Microsoft Defender that have been actively exploited in the wild. CVE-2026-41091 (CVSS 7.8) allows privilege escalation to System via link-following, while CVE-2026-45498 (CVSS 4.0) causes denial-of-service; both are variants of the BlueHammer exploit publicly disclosed last month. CISA added these flaws to its Known Exploited Vulnerabilities list and mandated federal agencies patch by June 3, 2026.","https:\u002F\u002Fwww.securityweek.com\u002Fmicrosoft-patches-exploited-undefend-and-redsun-defender-zero-days\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002FMicrosoft-Defender.jpg","2026-05-21T09:52:05+00:00",{"id":46,"title":47,"slug":48,"brief":49,"ai_summary":50,"url":51,"image_url":52,"published_at":53},"82ba1008-c993-4751-bc59-0fab8dbd4d3b","GitHub links repo breach to TanStack npm supply-chain attack","github-links-repo-breach-to-tanstack-npm-supply-chain-attack-8023fe","GitHub breach of 3,800 repos linked to malicious Nx Console extension in TanStack npm supply-chain attack","GitHub disclosed a breach of 3,800 internal repositories stemming from an employee installing a malicious version of the Nx Console VS Code extension, which was compromised as part of the TanStack npm supply-chain attack attributed to TeamPCP. The poisoned extension (v18.95.0) was designed to steal credentials for npm, AWS, Kubernetes, GitHub, and GCP\u002FDocker; it was live for ~18 minutes on VS Code Marketplace and 36 minutes on OpenVSX before removal. TeamPCP has claimed access to ~4,000 private GitHub repos and is demanding at least $50,000 for the data.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fgithub-links-repo-breach-to-tanstack-npm-supply-chain-attack\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F21\u002FGitHub_headpic.jpg","2026-05-21T06:54:01+00:00",{"id":55,"title":56,"slug":57,"brief":58,"ai_summary":59,"url":60,"image_url":61,"published_at":62},"065a47ed-16ed-43b3-84a0-2714a4d86d05","GitHub Breach: TeamPCP Steals 3,800 Repositories via VS Code Extension","github-breach-teampcp-steals-3-800-repositories-via-vs-code-extension-d10e13","TeamPCP steals 3,800 GitHub repositories via poisoned VS Code extension, demands $95K","GitHub discovered a breach on May 19, 2026, where the financially motivated TeamPCP group (tracked as UNC6780) compromised a developer's corporate device through a malicious VS Code extension, exfiltrating approximately 3,800 internal repositories. The threat actors are now selling the stolen code on a cybercrime forum for $95,000, warning they will leak it publicly if no buyer emerges. This marks the fifth high-profile target hit by TeamPCP this year, reflecting a growing trend of supply chain attacks against developer tooling using the Mini Shai-Hulud infostealer worm.","https:\u002F\u002Fhackread.com\u002Fgithub-breach-teampcp-repositories-vs-code-extension\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fgithub-data-breach-team-pcp-1.png","2026-05-20T13:55:51+00:00",{"id":64,"title":65,"slug":66,"brief":67,"ai_summary":68,"url":69,"image_url":70,"published_at":71},"9abd38af-d31f-4280-88b4-d0c43085eedd","Banana RAT Malware in Fake Invoices Hits Customers at 16 Brazilian Banks","banana-rat-malware-in-fake-invoices-hits-customers-at-16-brazilian-banks-9adceb","Banana RAT malware targets 16 Brazilian banks via fake invoices, stealing data with QR code fraud.","Banana RAT, a remote access trojan linked to threat group SHADOW-WATER-063, is actively targeting customers at 16 Brazilian banks including Itaú, Bradesco, and Santander. The malware is distributed through fake invoice files and security update screens via WhatsApp and phishing, using fileless execution and a custom FastAPI crypter to evade detection. It enables real-time financial fraud by intercepting banking sessions, replacing Pix QR codes, and freezing user input while attackers steal funds.","https:\u002F\u002Fhackread.com\u002Fbanana-rat-malware-fake-invoices-16-brazilian-banks\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fbanana-rat-malware-fake-invoices-16-brazilian-banks.jpg","2026-05-20T09:14:35+00:00",{"id":73,"title":74,"slug":75,"brief":76,"ai_summary":77,"url":78,"image_url":79,"published_at":80},"f2230bb7-16ed-4af1-9f0b-dae2da6380c8","GitHub confirms they were compromised after an employee device involving a poisoned VS Code exten...","github-confirms-they-were-compromised-after-an-employee-device-involving-a-poiso-559bcf","GitHub confirms employee device compromise via malicious VS Code extension.","GitHub disclosed that one of its employee devices was compromised through a poisoned VS Code extension, leading to unauthorized access. The incident represents a supply-chain attack vector targeting development tools. GitHub has investigated the incident and implemented additional security measures.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2057018844309340668","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHIv_a4UWMAAkIO4.png","2026-05-20T08:41:24+00:00",{"id":82,"title":83,"slug":84,"brief":85,"ai_summary":86,"url":87,"image_url":88,"published_at":89},"85b135f4-2343-4a0c-8d98-48bcc2e07203","Microsoft shares mitigation for YellowKey Windows zero-day","microsoft-shares-mitigation-for-yellowkey-windows-zero-day-de9688","Microsoft releases mitigation for YellowKey BitLocker zero-day disclosed by Nightmare Eclipse.","Microsoft has published mitigations for YellowKey (CVE-2026-45585), a Windows BitLocker zero-day vulnerability that allows attackers to access protected drives by placing specially crafted FsTx files on USB or EFI partitions and rebooting into WinRE. The flaw was disclosed by anonymous researcher Nightmare Eclipse, who also leaked multiple other zero-day vulnerabilities (BlueHammer, RedSun, GreenPlasma, and UnDefend) in protest of Microsoft's vulnerability disclosure handling. Microsoft recommends removing autofstx.exe from Session Manager boot execution and configuring BitLocker to TPM+PIN mode as interim protections.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fmicrosoft\u002Fmicrosoft-shares-mitigation-for-yellowkey-windows-zero-day\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2025\u002F05\u002F28\u002FWindows-headpic.jpg","2026-05-20T07:31:15+00:00",{"id":91,"title":92,"slug":93,"brief":94,"ai_summary":95,"url":96,"image_url":97,"published_at":98},"b0cdc22d-65a4-4a05-9716-c78cb04f2def","New Shai-Hulud malware wave compromises 600 npm packages","new-shai-hulud-malware-wave-compromises-600-npm-packages-629679","Shai-Hulud campaign injects malware into 600+ npm packages to steal developer credentials.","Threat actors published 639 malicious versions across 323 unique packages to npm on May 19, 2026, primarily targeting the @antv ecosystem (charting and visualization libraries). The malware steals GitHub, npm, cloud, Kubernetes, and CI\u002FCD credentials, exfiltrating them via Session P2P network and GitHub repositories to evade detection. This is part of an ongoing Shai-Hulud campaign that began in September 2025 and now includes capabilities to forge valid Sigstore provenance attestations and establish persistence via VS Code and Claude Code configuration.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fnew-shai-hulud-malware-wave-compromises-600-npm-packages\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F19\u002Fbox.jpg","2026-05-19T14:30:22+00:00",{"id":100,"title":101,"slug":102,"brief":103,"ai_summary":104,"url":105,"image_url":106,"published_at":107},"206773cf-0b98-4f79-8c11-e16551f189fc","INTERPOL ‘Operation Ramz’ seizes 53 malware, phishing servers","interpol-operation-ramz-seizes-53-malware-phishing-servers-355beb","INTERPOL Operation Ramz arrests 200+ individuals, seizes 53 malware and phishing servers across MENA region.","INTERPOL's Operation Ramz resulted in the arrest of over 200 cybercriminals and identification of 382 additional suspects across 13 Middle Eastern and North African countries. Law enforcement seized 53 servers used for phishing, malware distribution, and online fraud that victimized at least 3,867 confirmed victims. The operation, conducted with support from cybersecurity firms including Kaspersky, Group-IB, and TrendMicro, dismantled multiple criminal schemes including investment scams, phishing-as-a-service platforms, and malware distribution networks.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Finterpol-operation-ramz-seizes-53-malware-phishing-servers\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F18\u002FINTERPOL.jpg","2026-05-18T22:15:30+00:00",{"id":109,"title":110,"slug":111,"brief":112,"ai_summary":113,"url":114,"image_url":115,"published_at":116},"0505f0c8-c193-44fc-a050-04ac356a7c6d","SHub macOS infostealer variant spoofs Apple security updates","shub-macos-infostealer-variant-spoofs-apple-security-updates-3e6a28","SHub macOS infostealer variant 'Reaper' spoofs Apple security updates via AppleScript to steal data and install","A new variant of the SHub macOS infostealer, dubbed 'Reaper,' uses AppleScript and fake Apple security update prompts to trick users into executing malicious code. Unlike earlier ClickFix campaigns that relied on Terminal commands, Reaper leverages the applescript:\u002F\u002F URL scheme to bypass Apple's March 2026 mitigations. The malware steals browser data, cryptocurrency wallets, passwords, documents, and establishes persistence via LaunchAgent for remote access.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fshub-macos-infostealer-variant-spoofs-apple-security-updates\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F18\u002FApple.jpg","2026-05-18T21:42:20+00:00",{"id":118,"title":119,"slug":120,"brief":121,"ai_summary":122,"url":123,"image_url":124,"published_at":125},"852d46cc-23b8-49a5-906d-c458ef5c379f","New Reaper Malware Uses Fake Microsoft Domain to Steal macOS Passwords","new-reaper-malware-uses-fake-microsoft-domain-to-steal-macos-passwords-b36ac3","Reaper malware bypasses macOS Tahoe security to steal passwords and install backdoor via fake Microsoft domain.","SentinelOne discovered Reaper, a new macOS infostealer variant of SHub that bypasses Apple's macOS Tahoe 26.4 security updates. The malware uses typo-squatted domains and fake software download pages to trick users into running hidden commands via Script Editor, then harvests credentials from browsers, password managers, and crypto wallets while installing a persistent backdoor. The backdoor communicates every 60 seconds to attacker infrastructure, enabling remote code execution and installation of additional malware.","https:\u002F\u002Fhackread.com\u002Freaper-malware-fake-microsoft-domain-macos-passwords\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Freaper-malware-fake-microsoft-domain-macos-passwords.jpg","2026-05-18T17:37:08+00:00",{"id":127,"title":128,"slug":129,"brief":130,"ai_summary":131,"url":132,"image_url":133,"published_at":134},"d0ecb73f-26c2-4d60-a6c6-3c833eb87c33","Leaked Shai-Hulud malware fuels new npm infostealer campaign","leaked-shai-hulud-malware-fuels-new-npm-infostealer-campaign-70e54c","Leaked Shai-Hulud malware deployed in four malicious npm packages by threat actor.","A threat actor using the account deadcode09284814 published four malicious npm packages embedding the recently leaked Shai-Hulud malware, targeting developer credentials, secrets, and cryptocurrency wallet data. The packages used typosquatting tactics (e.g., chalk-tempalte, axois-utils) and included DDoS botnet functionality in addition to information-stealing capabilities. OXsecurity researchers attributed the malware to a different actor than TeamPCP, noting the unobfuscated source code deployment, and reported the packages were downloaded 2,678 times combined before removal.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fleaked-shai-hulud-malware-fuels-new-npm-infostealer-campaign\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F18\u002FNPM-worms.jpg","2026-05-18T17:28:02+00:00",{"id":136,"title":137,"slug":138,"brief":139,"ai_summary":140,"url":141,"image_url":142,"published_at":143},"a4399ddb-8240-45e7-ae06-2671b8e2243f","First Shai-Hulud Worm Clones Emerge","first-shai-hulud-worm-clones-emerge-07c859","Shai-Hulud worm clones emerge days after source code release on GitHub.","Days after TeamPCP released the Shai-Hulud worm's source code on GitHub, threat actors have begun deploying clones and variants in fresh supply chain attacks targeting NPM developers. A threat actor published four malicious NPM packages, including a direct Shai-Hulud clone called 'chalk-tempalte' and three typo-squatting packages targeting Axios users, with combined weekly downloads exceeding 2,600. Security researchers warn this marks the first phase of an upcoming wave of supply chain attacks leveraging the now-public malware code.","https:\u002F\u002Fwww.securityweek.com\u002Ffirst-shai-hulud-worm-clones-emerge\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2025\u002F11\u002Fmalware.jpeg","2026-05-18T09:45:15+00:00",{"id":145,"title":146,"slug":147,"brief":148,"ai_summary":149,"url":150,"image_url":151,"published_at":152},"7c1eb1bd-dea2-4d5d-86f9-c559e543a802","RDP Stealer with Windows Defender Bypass https:\u002F\u002Ft.co\u002F4jNuZxUJMZ","rdp-stealer-with-windows-defender-bypass-https-t-co-4jnuzxujmz-b2608a","RDP stealer malware discovered with Windows Defender evasion capability.","Security researchers have identified a malware variant designed to steal Remote Desktop Protocol (RDP) credentials while evading Windows Defender detection. The malware employs anti-analysis and defense-bypass techniques to establish persistence on compromised systems. This threat is part of a broader trend of credential-theft malware targeting remote access protocols.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2055785513496273121","https:\u002F\u002Fpbs.twimg.com\u002Famplify_video_thumb\u002F2055785366729191424\u002Fimg\u002FnXiKMrvVNo80gRaj.jpg","2026-05-16T23:00:35+00:00",{"id":154,"title":155,"slug":156,"brief":157,"ai_summary":158,"url":159,"image_url":160,"published_at":161},"21b98711-d067-4aa1-a794-18b565803f46","PoC Code Published for Critical NGINX Vulnerability","poc-code-published-for-critical-nginx-vulnerability-27a500","PoC code published for critical NGINX heap buffer overflow vulnerability (CVE-2026-42945).","A critical-severity heap buffer overflow vulnerability (CVE-2026-42945, CVSS 9.2) in NGINX's rewrite module was patched this week by F5, 16 years after its introduction. Proof-of-concept exploit code is now publicly available, demonstrating how attackers can trigger denial-of-service or remote code execution by exploiting a two-pass script engine flaw that leads to undersized buffer allocation. The vulnerability affects NGINX servers using rewrite and set directives, and exploitation can be achieved through crafted URIs and heap spray techniques.","https:\u002F\u002Fwww.securityweek.com\u002Fpoc-code-published-for-critical-nginx-vulnerability\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002FNginx.jpeg","2026-05-16T10:02:00+00:00",{"id":163,"title":164,"slug":165,"brief":166,"ai_summary":167,"url":168,"image_url":169,"published_at":170},"588fb153-269d-4446-896e-827e0d71454e","Funnel Builder WordPress plugin bug exploited to steal credit cards","funnel-builder-wordpress-plugin-bug-exploited-to-steal-credit-cards-bf2184","Funnel Builder WordPress plugin vulnerability exploited to inject payment card skimmers.","A critical unauthenticated vulnerability in the Funnel Builder WordPress plugin (affecting versions before 3.15.0.3) is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages. Attackers inject payment card skimmers that steal credit card numbers, CVVs, and billing addresses from over 40,000 affected websites. The vendor released a patch and recommends immediate updates and review of External Scripts settings.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Ffunnel-builder-wordpress-plugin-bug-exploited-to-steal-credit-cards\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F15\u002FWoo.jpg","2026-05-15T19:30:33+00:00",{"id":172,"title":173,"slug":174,"brief":175,"ai_summary":176,"url":177,"image_url":178,"published_at":179},"30481466-b893-4cfb-b79f-82c4e440d27e","Popular node-ipc npm package compromised to steal credentials","popular-node-ipc-npm-package-compromised-to-steal-credentials-4a26b3","node-ipc npm package compromised with credential-stealing malware in three versions.","Hackers compromised the popular node-ipc npm package by injecting credential-stealing malware into versions 9.1.6, 9.2.3, and 12.0.1. The malware, hidden in the CommonJS entrypoint, fingerprints systems and exfiltrates sensitive data including cloud credentials, SSH keys, API tokens, and shell histories via DNS TXT queries. Developers using affected versions are urged to immediately remove them and rotate all exposed credentials.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fpopular-node-ipc-npm-package-compromised-to-steal-credentials\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F15\u002Fnpm.jpg","2026-05-15T17:10:42+00:00",{"id":181,"title":182,"slug":183,"brief":184,"ai_summary":185,"url":186,"image_url":187,"published_at":188},"8f7b0107-15c0-4999-a192-58e735999224","Turla Turns Kazuar Backdoor Into Modular P2P Botnet for Persistent Access","turla-turns-kazuar-backdoor-into-modular-p2p-botnet-for-persistent-access-309cba","Russian state-sponsored Turla transforms Kazuar backdoor into modular P2P botnet for persistent access.","Turla, a Russian FSB-affiliated state-sponsored group, has evolved its Kazuar backdoor into a sophisticated modular peer-to-peer botnet designed for stealth and long-term system access. The new architecture features three component types—Kernel (coordinator), Bridge (proxy), and Worker (data collection)—with multiple communication channels and anti-analysis capabilities. This upgrade reflects Turla's focus on resilience and operational persistence in targeting government, diplomatic, and defense sectors across Europe and Central Asia.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fturla-turns-kazuar-backdoor-into.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEg8BT1AOScncZQM_A-0WBdCzTDAHGHSey48_Mywhij-TJupCdzP3s3o-MIImRtMZcoV2OqX3RjRV4COpVqkB1mrH3d_zjwvSTwCEXOq_2m80HgDo-xwAZ1KpR1h8eN9dAHGcKN_PpcE0cBsnv67FcthDycHLBJMYs8NkPszWNiQqdbhyL0YIlwVJn4NtgaR\u002Fs1600\u002Fcode.jpg","2026-05-15T17:10:25+00:00",{"id":190,"title":191,"slug":192,"brief":193,"ai_summary":194,"url":195,"image_url":196,"published_at":197},"47ad4074-ef79-4ed1-b200-9cb96e5552ec","Internet Crime Complaint Center (IC3) | ShinyHunters: Cyber Criminal Group Attacks Learning Management System","internet-crime-complaint-center-ic3-shinyhunters-cyber-criminal-group-attacks-le-4cb45d","FBI warns of ShinyHunters cyber criminal group attacks on learning management systems","The FBI issued a public service announcement warning about ShinyHunters (SH), a cyber criminal group that attacked an online Learning Management System, disrupting service to educational institutions nationwide. ShinyHunters specializes in large-scale data breaches and extortion, targeting tech, finance, and retail sectors, using stolen data for spearphishing and leveraging harassment tactics including threatening calls, texts, and false claims of compromising information. The FBI recommends victims verify requests through known channels, avoid paying extortion demands, and report suspected intrusions to IC3.","https:\u002F\u002Fwww.ic3.gov\u002FPSA\u002F2026\u002FPSA260515","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHIYDWZwWwAEkW30.png","2026-05-15T17:08:18+00:00",{"id":199,"title":200,"slug":201,"brief":202,"ai_summary":203,"url":204,"image_url":205,"published_at":206},"fcd89353-23f6-4186-bd23-5c6773b4e6be","Hackers Use PyInstaller and AMSI Patching to Deliver XWorm RAT v7.4","hackers-use-pyinstaller-and-amsi-patching-to-deliver-xworm-rat-v7-4-7b3e57","Hackers deploy XWorm RAT v7.4 via PyInstaller with AMSI patching to bypass Windows security.","Security researchers at Point Wild discovered a new campaign distributing XWorm RAT v7.4 malware packaged in PyInstaller files to bypass Windows Defender. The attack uses AMSI Memory Patching to disable AmsiScanBuffer, Base64\u002FSHA-512 encryption, and fake obfuscation routines to evade detection. Once activated, the malware connects to C2 infrastructure to steal credentials, spy via webcam, launch DDoS attacks, and achieve full remote control.","https:\u002F\u002Fhackread.com\u002Fhackers-pyinstaller-amsi-patching-xworm-rat-v7-4\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fhackers-pyinstaller-amsi-patching-xworm-rat-v7-4.jpg","2026-05-15T16:42:58+00:00",{"id":208,"title":209,"slug":210,"brief":211,"ai_summary":212,"url":213,"image_url":214,"published_at":215},"340aaed9-b730-417d-966f-01496eca3df9","In Other News: Big Tech vs Canada Encryption Bill, Cisco’s Free AI Security Spec, Audi App Flaws","in-other-news-big-tech-vs-canada-encryption-bill-cisco-s-free-ai-security-spec-a-406051","SecurityWeek roundup covers Nvidia cloud gaming breach, Android 17 security upgrades, and fake Claude Code malware","This weekly cybersecurity roundup highlights multiple threats and developments: a GeForce NOW data breach via Armenian regional partner exposed user PII, the FBI warns of ShinyHunters' Canvas hacks, and a sophisticated infostealer campaign uses fake Claude Code installers to steal browser credentials. Additionally, Google's Android 17 introduces AI-driven security defenses and post-quantum cryptography, while Iran-linked Seedworm targets electronics manufacturers globally using DLL sideloading.","https:\u002F\u002Fwww.securityweek.com\u002Fin-other-news-big-tech-vs-canada-encryption-bill-ciscos-free-ai-security-spec-audi-app-flaws\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2023\u002F10\u002Fcybersecurity-news.jpg","2026-05-15T14:52:16+00:00",{"id":217,"title":218,"slug":219,"brief":220,"ai_summary":221,"url":222,"image_url":223,"published_at":224},"d3fe269f-d683-4dc9-99ce-b0b3a34697a9","TanStack Supply Chain Attack Hits Two OpenAI Employee Devices, Forces macOS Updates","tanstack-supply-chain-attack-hits-two-openai-employee-devices-forces-macos-updat-ef5e7b","TanStack supply chain attack via Mini Shai-Hulud worm compromises two OpenAI employee devices.","OpenAI disclosed that two employee devices were compromised through the Mini Shai-Hulud supply chain attack targeting TanStack, resulting in unauthorized access to limited internal source code repositories and credential exfiltration. No production systems, user data, or intellectual property were compromised. OpenAI revoked and reissued code-signing certificates for macOS apps (ChatGPT Desktop, Codex App, Codex CLI, Atlas) and implemented containment measures including credential rotation and session revocation.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Ftanstack-supply-chain-attack-hits-two.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEj1l4Vq20M4553fkDfGbO9VqLV9Au-6EefivLp8HT2W5QxJvgWf1mr6pg5xsbC5j3FCJzOOCJv_CImY1LjjFYIN_25ajki1iS_EVPvTyeVY7bC3ogcQFzHmE1Xyaz3cRXneilC0rWcb8dLbUapLI_jZ-uBaUkku48absoxM6TG16jS3xxtw9lhhtCvJmemK\u002Fs1600\u002Fchatgpt.jpg","2026-05-15T10:54:44+00:00",{"id":226,"title":227,"slug":228,"brief":229,"ai_summary":230,"url":231,"image_url":232,"published_at":233},"22cbf3d1-3461-4035-ae0d-1d1b0fa73f39","OpenAI Hit by TanStack Supply Chain Attack","openai-hit-by-tanstack-supply-chain-attack-6d47f6","OpenAI hit by TanStack supply chain attack; credentials stolen from code repositories.","OpenAI disclosed impact from the TanStack supply chain attack on May 11, where threat actor TeamPCP compromised 84 malicious artifacts across 42 packages, infecting two OpenAI employee devices with the Shai-Hulud worm. Attackers exfiltrated limited credential material and code-signing certificates for iOS, macOS, Windows, and Android from internal repositories. OpenAI rotated credentials, revoked certificates, and requires macOS users to update apps by June 12, 2026, with no customer data or IP compromised.","https:\u002F\u002Fwww.securityweek.com\u002Fopenai-hit-by-tanstack-supply-chain-attack\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2025\u002F11\u002FOpenAI.jpeg","2026-05-15T10:37:00+00:00",{"id":235,"title":236,"slug":237,"brief":238,"ai_summary":239,"url":240,"image_url":241,"published_at":242},"0762b931-bc65-4874-bd53-971acd74b670","CalPhishing Scam Uses EvilTokens Kit, Outlook Invites to Steal M365 Sessions","calphishing-scam-uses-eviltokens-kit-outlook-invites-to-steal-m365-sessions-27fe4b","CalPhishing campaign exploits Outlook invites and device code phishing to steal M365 tokens and bypass MFA.","Security researchers from Fortra have identified an active phishing campaign called CalPhishing that abuses Outlook calendar invites (.ics files) to deliver phishing payloads without user interaction. The campaign uses device code phishing (ConsentFix) and the EvilTokens phishing kit to steal M365 session tokens, enabling attackers to bypass MFA and compromise enterprise accounts. The threat persists because meeting entries remain on calendars unless hard-deleted, leaving victims vulnerable long after the initial email is removed.","https:\u002F\u002Fhackread.com\u002Fcalphishing-eviltokens-kit-outlook-invites-m365\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fcalphishing-eviltokens-kit-outlook-invites-m365.jpg","2026-05-15T10:30:22+00:00",{"id":244,"title":245,"slug":246,"brief":247,"ai_summary":248,"url":249,"image_url":250,"published_at":251},"db774f55-cdc0-43e9-8cb7-97202d95a48c","TeamPCP Ups the Game, Releases Shai-Hulud Worm’s Source Code","teampcp-ups-the-game-releases-shai-hulud-worm-s-source-code-1dd603","TeamPCP releases Shai-Hulud worm source code on GitHub, fueling supply chain attacks with monetary rewards.","The hacking group TeamPCP publicly released the source code for its Shai-Hulud worm on GitHub, accompanied by detailed deployment instructions, enabling copycat attacks across the open source ecosystem. TeamPCP and BreachForums simultaneously announced a \"supply chain challenge\" offering monetary rewards to cybercriminals who use the worm in attacks. Security researchers warn this will likely spawn variants and trigger a significant spike in sophisticated supply chain compromise activity.","https:\u002F\u002Fwww.securityweek.com\u002Fteampcp-ups-the-game-releases-shai-hulud-worms-source-code\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2025\u002F11\u002FNPM-code-software-development.jpeg","2026-05-15T09:47:09+00:00",{"id":253,"title":254,"slug":255,"brief":256,"ai_summary":257,"url":258,"image_url":259,"published_at":260},"fb0e4e90-3b21-47e6-a6df-92a94bdb6898","Microsoft warns of Exchange zero-day flaw exploited in attacks","microsoft-warns-of-exchange-zero-day-flaw-exploited-in-attacks-3e8a4c","Microsoft warns of actively exploited Exchange Server zero-day XSS flaw affecting OWA users.","Microsoft disclosed a high-severity zero-day vulnerability (CVE-2026-42897) in Exchange Server 2016, 2019, and Subscription Edition that allows attackers to execute arbitrary JavaScript in Outlook on the Web via specially crafted emails. While patches are not yet available, Microsoft is providing automatic mitigation through the Exchange Emergency Mitigation Service (EEMS) and the Exchange on-premises Mitigation Tool (EOMT), though applying mitigations causes some functionality issues including broken calendar printing and image display in OWA.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fmicrosoft\u002Fmicrosoft-warns-of-exchange-zero-day-flaw-exploited-in-attacks\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F15\u002FMicrosoft-Exchange.jpg","2026-05-15T09:40:42+00:00",{"id":262,"title":263,"slug":264,"brief":265,"ai_summary":266,"url":267,"image_url":268,"published_at":269},"d17eca6a-e1a0-47f2-8d85-0f6be86ea17a","Daily Dose of Dark Web Informer - May 14th, 2026","daily-dose-of-dark-web-informer-may-14th-2026-92ea64","Daily dark web threat intelligence digest reporting multiple breaches, CVEs, and exposed credentials across global","This is a curated daily digest from Dark Web Informer summarizing recent breach claims, CVE disclosures, and threat intelligence findings across multiple sectors and countries. Highlights include alleged breaches at CoreWeave (GPU cloud provider), McKissock\u002FColibri Real Estate (3.3M+ records), Nuvidio (KYC and biometric data), and critical vulnerabilities in Cisco SD-WAN and NGINX. The digest aggregates claims from dark web forums and public sources without independent verification.","https:\u002F\u002Fdarkwebinformer.com\u002Fdaily-dose-of-dark-web-informer-may-14th-2026\u002F","https:\u002F\u002Fstorage.ghost.io\u002Fc\u002F6b\u002F16\u002F6b16ac9c-cd67-432f-b0f3-bbec941084ff\u002Fcontent\u002Fimages\u002Fsize\u002Fw1200\u002F2026\u002F02\u002F23597862398746923879872364987342598723.png","2026-05-14T22:25:52+00:00",{"id":271,"title":272,"slug":273,"brief":274,"ai_summary":275,"url":276,"image_url":277,"published_at":278},"f94e7fe8-0d87-48ba-ab80-37da53d43de5","OpenAI confirms security breach in TanStack supply chain attack","openai-confirms-security-breach-in-tanstack-supply-chain-attack-22f033","OpenAI confirms two employee devices breached in TanStack supply chain attack via Mini Shai-Hulud malware.","OpenAI disclosed that two employee devices were compromised during the \"Mini Shai-Hulud\" supply chain campaign attributed to the TeamPCP extortion gang, which targeted hundreds of npm and PyPI packages. The attack exposed limited credentials from internal source code repositories but did not impact customer data, production systems, or intellectual property; OpenAI rotated code-signing certificates and revoked sessions as a precaution. The broader TanStack supply chain attack exploited CI\u002FCD pipeline vulnerabilities across multiple projects including Mistral AI, UiPath, and OpenSearch, delivering malware designed to steal developer credentials, establish persistence, and sabotage systems.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fopenai-confirms-security-breach-in-tanstack-supply-chain-attack\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2023\u002F04\u002F11\u002FOpenAI_headpic.jpeg","2026-05-14T19:07:24+00:00",{"id":280,"title":281,"slug":282,"brief":283,"ai_summary":284,"url":285,"image_url":286,"published_at":287},"3664679b-3384-4934-af30-3cd1d468edc9","Fake Job Interview Apps Drop JobStealer Malware on Windows and macOS","fake-job-interview-apps-drop-jobstealer-malware-on-windows-and-macos-3280c2","JobStealer malware spreads via fake job interview apps on Windows and macOS targeting crypto wallets.","Hackers are distributing JobStealer malware through fake video conferencing apps disguised as legitimate job interview platforms. The malware targets both Windows and macOS users, stealing cryptocurrency wallets, browser credentials, passwords, and sensitive files. The campaign uses convincing fake websites impersonating services like Cisco Webex and distributes malware via DMG files and Terminal commands on macOS, with Windows variants following similar patterns.","https:\u002F\u002Fhackread.com\u002Ffake-job-interview-jobstealer-malware-windows-macos\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Ffake-job-interview-jobstealer-malware-windows-macos-3.jpg","2026-05-14T17:25:10+00:00",{"id":289,"title":290,"slug":291,"brief":292,"ai_summary":293,"url":294,"image_url":295,"published_at":296},"9118dacb-dc4e-4d55-8fe1-08774d67f4da","Stealer Backdoor Found in 3 Node-IPC Versions Targeting Developer Secrets","stealer-backdoor-found-in-3-node-ipc-versions-targeting-developer-secrets-958ff8","Stealer backdoor discovered in 3 node-ipc npm package versions targeting developer credentials.","Cybersecurity researchers discovered malicious code in three versions of the popular node-ipc npm package (9.1.6, 9.2.3, 12.0.1) published by a compromised account. The stealer\u002Fbackdoor harvests 90 categories of developer and cloud secrets—including AWS, Google Cloud, Azure, SSH keys, GitHub tokens, and Kubernetes credentials—and exfiltrates them via HTTPS and DNS tunneling to a C2 server. The attack uses sophisticated obfuscation and anti-detection techniques, including SHA-256 fingerprinting to target specific projects and DNS-based exfiltration to bypass corporate security controls.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fstealer-backdoor-found-in-3-node-ipc.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEhTj2m9-HHmDEDzKIsalsJ_HJcwcUsIFajvcpTLP9QMyqS9F_JroTH7lXeOGZFuO6j6F-RzbIo1kBIQ0udSFQGzjN2hxO8ZfyFeHM5557BPI1sjiJ7cEMJJE62t11e07Wt1CsmAntpLHSM0XbnQDvVYNBfNdAOsob9kN6G6-mQjKX68fEE1nzy_Bn4TvxyK\u002Fs1600\u002Fnode.jpg","2026-05-14T17:22:43+00:00",{"id":298,"title":299,"slug":300,"brief":301,"ai_summary":302,"url":303,"image_url":304,"published_at":305},"aa9b6454-e13d-4366-9eb6-907d5da71be6","node-ipc npm Package Compromised in Supply Chain Attack","node-ipc-npm-package-compromised-in-supply-chain-attack-4ed0f2","node-ipc npm package compromised again with stealer\u002Fbackdoor malware in versions 9.1.6, 9.2.3, 12.0.1","Socket's threat detection system identified malicious versions of the widely-used node-ipc npm package within minutes of publication. The compromised versions 9.1.6, 9.2.3, and 12.0.1 contain obfuscated stealer\u002Fbackdoor code that fingerprints hosts, exfiltrates files, and attempts data exfiltration through DNS-selected endpoints. This marks the second major compromise of node-ipc, following the notorious 2022 incident and intermediate malicious versions in 2024.","https:\u002F\u002Fsocket.dev\u002Fblog\u002Fnode-ipc-package-compromised?utm_medium=feed","https:\u002F\u002Fcdn.sanity.io\u002Fimages\u002Fcgdhsj6q\u002Fproduction\u002F5bc29841f7aeae15eaf536fdf59b10d710268253-1047x661.png?w=1000&q=95&fit=max&auto=format","2026-05-14T15:48:51.85+00:00",{"id":307,"title":308,"slug":309,"brief":310,"ai_summary":311,"url":312,"image_url":313,"published_at":314},"3434193e-be2e-4d87-ac38-10ec47e6508d","Ghostwriter Targets Ukrainian Government With Geofenced PDF Phishing, Cobalt Strike","ghostwriter-targets-ukrainian-government-with-geofenced-pdf-phishing-cobalt-stri-47a09d","Ghostwriter targets Ukrainian government with geofenced PDF phishing delivering Cobalt Strike.","Belarus-aligned threat group Ghostwriter has launched fresh attacks against Ukrainian governmental organizations using geofenced PDF phishing emails impersonating Ukrtelecom. The attack chain delivers PicassoLoader malware, which then deploys Cobalt Strike Beacon for post-exploitation. The campaign demonstrates operational maturity with anti-analysis techniques, credential harvesting, and selective victim targeting based on system fingerprinting.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fghostwriter-targets-ukrainian.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEhEld5BcqD9rYWVjx7o_XlV5pN_9djvilow0iIYP-LlFEzGReX8fTPZ0gKi9zMGVLTT8qddHu5FyBMaZpQroEzYFpsoPWf96hD7JeTdqsROemmavXW2pDxNwc9kjvpJdhahmXA5Ng88tN1lyO5rqzC3K6JNwPFPWBo7OzSsaiQIN8JJsXvMrGhewMfzpouF\u002Fs1600\u002Fuk.jpg","2026-05-14T14:00:37+00:00",{"id":316,"title":317,"slug":318,"brief":319,"ai_summary":320,"url":321,"image_url":322,"published_at":323},"62666ac4-5061-4999-9b12-a080a85c7566","FamousSparrow Targeted Oil and Gas Industry via MS Exchange Server Exploit","famoussparrow-targeted-oil-and-gas-industry-via-ms-exchange-server-exploit-1429e6","FamousSparrow targeted Azerbaijani oil and gas firm via ProxyNotShell exploit across three attack waves.","Bitdefender Labs uncovered a multi-wave campaign by China-linked threat actor FamousSparrow against an Azerbaijani energy company between December 2025 and February 2026. The group exploited ProxyNotShell vulnerabilities in Microsoft Exchange servers to deploy Deed RAT and Terndoor backdoors, using techniques including DLL sideloading, rootkit installation, and process hiding to maintain persistent access and move laterally across the victim network.","https:\u002F\u002Fhackread.com\u002Ffamoussparrow-oil-gas-ms-exchange-server-exploit\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Ffamoussparrow-oil-gas-ms-exchange-server-exploit.jpg","2026-05-14T12:20:02+00:00",{"id":325,"title":326,"slug":327,"brief":328,"ai_summary":329,"url":330,"image_url":331,"published_at":332},"31f8929b-55a0-40d2-ac68-2f2f8273f283","KongTuke hackers now use Microsoft Teams for corporate breaches","kongtuke-hackers-now-use-microsoft-teams-for-corporate-breaches-1e80b9","KongTuke IAB now exploits Microsoft Teams for social engineering, delivering ModeloRAT in under five minutes.","Initial access broker KongTuke has shifted tactics to use Microsoft Teams for social engineering attacks against corporate networks, impersonating IT staff to trick users into running malicious PowerShell commands. The attacks deliver ModeloRAT, a Python-based remote access trojan that establishes persistent access with enhanced C2 resilience, multiple backdoor channels, and sophisticated persistence mechanisms designed to survive standard cleanup procedures. The campaign has been active since at least April 2026, with the threat actor rotating through multiple Microsoft 365 tenants to evade detection and blocking.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fkongtuke-hackers-now-use-microsoft-teams-for-corporate-breaches\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F02\u002F17\u002FMicrosoft-Teams.jpg","2026-05-14T12:12:40+00:00",{"id":334,"title":335,"slug":336,"brief":337,"ai_summary":338,"url":339,"image_url":340,"published_at":341},"ad6c46f7-73a5-48a6-98fc-85a3c27930b0","Chinese APTs Expand Targets, Update Backdoors in Recent Campaigns","chinese-apts-expand-targets-update-backdoors-in-recent-campaigns-58012a","Salt Typhoon and Twill Typhoon expand targeting with updated backdoors across Azerbaijan, Asia-Pacific regions.","Two China-linked APT groups have intensified operations with expanded targeting and updated malware tools. Salt Typhoon targeted an Azerbaijani energy company using ProxyNotShell exploits and updated Deed RAT via DLL sideloading, while Twill Typhoon has targeted Asia-Pacific entities with a new modular .NET-based RAT framework called FDMTP. Both campaigns demonstrate sustained, adaptive intrusion activity with repeated access attempts and payload updates.","https:\u002F\u002Fwww.securityweek.com\u002Fchinese-apts-expand-targets-update-backdoors-in-recent-campaigns\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2025\u002F04\u002FChinese-Technology-Cyberwar.jpg","2026-05-14T12:11:15+00:00",{"id":343,"title":344,"slug":345,"brief":346,"ai_summary":347,"url":348,"image_url":349,"published_at":350},"5f73262d-7480-44de-ae7f-19f7a9dba653","Foxconn Attack Highlights Manufacturing's Cyber Crisis","foxconn-attack-highlights-manufacturing-s-cyber-crisis-45a791","Nitrogen ransomware hits Foxconn North American facilities amid 600 attacks on manufacturers this year.","Foxconn experienced a Nitrogen ransomware attack on its North American operations, highlighting a broader manufacturing sector crisis with 600 reported attacks this year. Threat actors are increasingly targeting manufacturers due to their high operational sensitivity and low tolerance for downtime, making them lucrative extortion targets.","https:\u002F\u002Fwww.darkreading.com\u002Fcyberattacks-data-breaches\u002Ffoxconn-attack-manufacturing-cyber-crisis","https:\u002F\u002Feu-images.contentstack.com\u002Fv3\u002Fassets\u002Fblt6d90778a997de1cd\u002Fblt2bde2506b3de4da9\u002F6a04dd5c239afae6399403b6\u002Ffoxconn_ada_Images_shutterstock.jpg?width=1280&auto=webp&quality=80&disable=upscale","2026-05-14T12:00:00+00:00",{"id":352,"title":353,"slug":354,"brief":355,"ai_summary":356,"url":357,"image_url":358,"published_at":359},"6cae8af4-e049-44aa-ba1c-4351be664471","Kimsuky targets organizations with PebbleDash-based tools","kimsuky-targets-organizations-with-pebbledash-based-tools-109f90","Kimsuky deploys PebbleDash-based tools linked to AppleSeed malware cluster","Kaspersky researchers have identified a suite of new tools based on PebbleDash being used by the North Korean-linked Kimsuky threat actor in recent campaigns. The analysis reveals these tools are connected to the AppleSeed malware cluster, expanding the known toolkit of this persistent state-sponsored group.","https:\u002F\u002Fsecurelist.com\u002Fkimsuky-appleseed-pebbledash-campaigns\u002F119785\u002F","https:\u002F\u002Fmedia.kasperskycontenthub.com\u002Fwp-content\u002Fuploads\u002Fsites\u002F43\u002F2026\u002F05\u002F14081540\u002FSL-Kimsuki-featured-scaled.jpg","2026-05-14T11:00:58+00:00",{"id":361,"title":362,"slug":363,"brief":364,"ai_summary":365,"url":366,"image_url":367,"published_at":368},"8a2e1bdf-9ffa-4e64-b492-25c615f4e6ef","China-Linked Twill Typhoon Uses Fake Apple and Yahoo Sites for Espionage","china-linked-twill-typhoon-uses-fake-apple-and-yahoo-sites-for-espionage-4c9593","China-linked Twill Typhoon uses fake Apple and Yahoo CDN sites with FDMTP malware to spy on Asia-Pacific organizations.","Darktrace discovered a sustained cyberattack campaign by Chinese threat group Twill Typhoon targeting organizations across Japan and Asia-Pacific since September 2025. The attackers use DLL sideloading with legitimate tools (Sogou Pinyin, Windows utilities) and fake CDN domains (yahoo-cdn.it.com, icloud-cdn.net) to maintain persistent access via the FDMTP malware framework. The modular approach allows attackers to deploy plugins and evade detection by mimicking normal system behavior.","https:\u002F\u002Fhackread.com\u002Fchinatwill-typhoon-fake-apple-yahoo-sites-espionage\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fchinatwill-typhoon-fake-apple-yahoo-sites-espionage.jpg","2026-05-14T10:32:00+00:00",{"id":370,"title":371,"slug":372,"brief":373,"ai_summary":374,"url":375,"image_url":376,"published_at":377},"2defd61d-04e9-42f8-bbf5-2aa4f0dce3c6","FrostyNeighbor: Fresh mischief and digital shenanigans","frostyneighbor-fresh-mischief-and-digital-shenanigans-de5136","ESET reports FrostyNeighbor cyberespionage group updates toolset targeting Ukrainian government.","ESET researchers documented new cyberespionage activities attributed to FrostyNeighbor (also known as Ghostwriter, UNC1151, and Storm-0257), a Belarus-aligned threat actor targeting governmental and military organizations in Ukraine and Eastern Europe. Since March 2026, the group has deployed updated compromise chains using JavaScript variants of PicassoLoader to deliver Cobalt Strike beacons, employing spearphishing with weaponized PDFs impersonating Ukrainian telecommunications companies and geographic-based server-side validation to evade detection. The group continues evolving its tactics across multiple document formats and exploits (including CVE-2023-38831 and CVE-2024-42009), while abusing legitimate services like Slack and Canarytokens.","https:\u002F\u002Fwww.welivesecurity.com\u002Fen\u002Feset-research\u002Ffrostyneighbor-fresh-mischief-digital-shenanigans\u002F","https:\u002F\u002Fweb-assets.esetstatic.com\u002Fwls\u002F2026\u002F05-26\u002Ffrostyneighbor\u002Ffrosty-neighbor-belarus-ukraine-apt-cyberespionage.jpg","2026-05-14T09:35:50+00:00",{"id":379,"title":380,"slug":381,"brief":382,"ai_summary":383,"url":384,"image_url":385,"published_at":386},"49be262e-42e8-4a01-86c9-b1df7e1fd541","TeamPCP and BreachForums Launch $1,000 Contest for Supply Chain Attacks","teampcp-and-breachforums-launch-1-000-contest-for-supply-chain-attacks-0f2fdb","TeamPCP and BreachForums launch $1,000 contest rewarding supply chain attacks on open source packages.","TeamPCP, in collaboration with BreachForums, announced a competition offering $1,000 USD in Monero to attackers who successfully compromise open source packages using their Shai-Hulud attack tool. Winners are determined by download counts of compromised packages, incentivizing both high-impact single targets and broad ecosystem compromise. The contest functions as a recruitment mechanism for lower-tier threat actors, with the prize amount negligible compared to the value of credentials stolen from CI\u002FCD pipelines and enterprise environments.","https:\u002F\u002Fsocket.dev\u002Fblog\u002Fteampcp-supply-chain-attack-contest?utm_medium=feed","https:\u002F\u002Fcdn.sanity.io\u002Fimages\u002Fcgdhsj6q\u002Fproduction\u002Fd62d781ca0fc098a88c5bc51fdd08215d3bcb83f-1254x1254.png?w=1000&q=95&fit=max&auto=format","2026-05-14T02:49:33.417+00:00",{"id":388,"title":389,"slug":390,"brief":391,"ai_summary":392,"url":393,"image_url":394,"published_at":395},"2b1f8903-1d8f-47b8-9c1f-de08f4c53cdd","TeamPCP Claims Sale of Mistral AI Repositories Amid Mini Shai-Hulud Attack","teampcp-claims-sale-of-mistral-ai-repositories-amid-mini-shai-hulud-attack-f2ae58","TeamPCP claims to sell 5GB of Mistral AI repositories after Mini Shai-Hulud supply chain attack.","Following the Mini Shai-Hulud supply chain attack that poisoned npm and PyPI packages, a TeamPCP-linked threat actor claims to be selling approximately 5GB of alleged internal Mistral AI repositories for $25,000 on a hacking forum. The listing references roughly 450 repositories covering AI training, inference, fine-tuning, and enterprise projects, though the authenticity remains unverified. The claims suggest attackers are expanding beyond poisoned packages to target internal development systems and intellectual property.","https:\u002F\u002Fhackread.com\u002Fteampcp-mistral-ai-repositories-mini-shai-hulud-attack\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fteampcp-mistral-ai-repositories-mini-shai-hulud-attack-2.png","2026-05-14T00:37:05+00:00",{"id":397,"title":398,"slug":399,"brief":400,"ai_summary":401,"url":402,"image_url":268,"published_at":403},"8ac27af4-850b-4732-82ba-eae17c80509b","Daily Dose of Dark Web Informer - May 13th, 2026","daily-dose-of-dark-web-informer-may-13th-2026-14aa17","Dark Web Informer daily digest reports multiple breaches, ransomware hits, and supply chain attacks across global","The Daily Dark Web Informer digest for May 13th, 2026 aggregates multiple threat intelligence reports including breaches at Akitatek, Vietnam's Ministry of Health, SIVVI, and others exposing hundreds of thousands of records. Notable incidents include ransomware attacks on NTN Bearing Corporation and Foxconn, a supply chain attack affecting Mistral AI, and the District Health Information Software (DHIS2) breach impacting 30+ national health systems serving 3.2 billion people. The digest also highlights a supply chain attack competition and ongoing dark web marketplace activity.","https:\u002F\u002Fdarkwebinformer.com\u002Fdaily-dose-of-dark-web-informer-may-13th-2026\u002F","2026-05-13T22:37:29+00:00",{"id":405,"title":406,"slug":407,"brief":408,"ai_summary":409,"url":410,"image_url":411,"published_at":412},"22ce4da3-55e7-45bb-8200-6af143a5a116","Security advisories | Mistral Docs","security-advisories-mistral-docs-ee7f61","TanStack supply chain attack compromises Mistral AI SDK packages on npm and PyPI","Mistral AI's SDKs were impacted by a supply chain attack via compromised TanStack dependency, resulting in malicious npm and PyPI package versions being published. The npm packages were inoffensive (broken references), but the PyPI package (v2.4.6) contained malicious code that harvests credentials on Linux systems. Mistral's infrastructure was not compromised; affected versions have been removed and forensics confirm an affected developer device was involved.","https:\u002F\u002Fdocs.mistral.ai\u002Fresources\u002Fsecurity-advisories","https:\u002F\u002Fdocs.mistral.ai\u002Fapi\u002Fog?eyebraw=%28developers%29+%3E+resources+%3E+security-advisories&title=Security+advisories&type=generic&description=Security+advisories+and+remediation+guidance+for+incidents+affecting+Mistral+packages.","2026-05-13T22:00:59+00:00",{"id":414,"title":415,"slug":416,"brief":417,"ai_summary":418,"url":419,"image_url":420,"published_at":412},"587adb59-1a67-48a5-9de8-a47f5343e1c9","‼️🇫🇷 Mistral AI has confirmed they were impacted by the recent TanStack supply chain attack.\n\nh...","mistral-ai-has-confirmed-they-were-impacted-by-the-recent-tanstack-supply-chain--1ca7b6","Mistral AI confirms impact from TanStack supply chain attack.","Mistral AI has disclosed that it was affected by the recent TanStack supply chain attack, which compromised a popular open-source dependency. The attack leveraged a compromised package to distribute malicious code to downstream users. Mistral AI's confirmation adds to the growing list of organizations impacted by this supply chain incident.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2054683350468596166","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHIOzdFUWMAAqfaX.png",{"id":422,"title":423,"slug":424,"brief":425,"ai_summary":426,"url":427,"image_url":428,"published_at":429},"12fcfa1e-7378-4515-a3b1-e25d6a2b882a","Iranian hackers targeted major South Korean electronics maker","iranian-hackers-targeted-major-south-korean-electronics-maker-b0773e","Iran-linked MuddyWater targets South Korean electronics maker and 8+ orgs in espionage campaign.","The Iran-linked threat group MuddyWater (Seedworm\u002FStatic Kitten) conducted a broad cyber-espionage campaign targeting at least nine organizations including a major South Korean electronics manufacturer, government agencies, and industrial firms across multiple countries. The attackers employed DLL sideloading of legitimate tools (Fortemedia, SentinelOne binaries) to deploy ChromElevator and PowerShell-based payloads for reconnaissance, credential theft, and persistent access, demonstrating increased operational maturity and geographic expansion.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Firanian-hackers-targeted-major-south-korean-electronics-maker\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F04\u002F07\u002FIranian-hackers.jpg","2026-05-13T21:59:33+00:00",{"id":431,"title":432,"slug":433,"brief":434,"ai_summary":435,"url":436,"image_url":437,"published_at":438},"296ff0d7-dcaf-4b95-9797-2f1c205e5bdb","Attackers Weaponize RubyGems for Data Dead Drops","attackers-weaponize-rubygems-for-data-dead-drops-a2878c","Threat actors publish malicious RubyGems packages with scrapers targeting UK government servers.","Attackers have published RubyGems packages containing scraper code that targets public-facing UK government servers. The packages appear designed for data exfiltration or reconnaissance, though the threat actors' ultimate objective remains unclear. This represents a supply chain attack leveraging the Ruby package ecosystem.","https:\u002F\u002Fwww.darkreading.com\u002Fapplication-security\u002Fattackers-weaponize-rubygems-data-dead-drops","https:\u002F\u002Feu-images.contentstack.com\u002Fv3\u002Fassets\u002Fblt6d90778a997de1cd\u002Fblt5c3a7f42da5b1b95\u002F6a04cc6a3840020cbc815a66\u002Fruby_Zerilli_Media_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale","2026-05-13T21:09:20+00:00",{"id":440,"title":441,"slug":442,"brief":443,"ai_summary":444,"url":445,"image_url":446,"published_at":447},"3fd3bc5c-2676-4a16-a6bc-b89d2f444d74","Windows BitLocker zero-day gives access to protected drives, PoC released","windows-bitlocker-zero-day-gives-access-to-protected-drives-poc-released-0e4efb","Researcher releases PoC exploits for YellowKey BitLocker bypass and GreenPlasma privilege escalation zero-days.","A cybersecurity researcher operating as Chaotic Eclipse\u002FNightmare-Eclipse has published proof-of-concept exploits for two unpatched Windows zero-day vulnerabilities: YellowKey, a BitLocker bypass affecting Windows 11 and Server 2022\u002F2025, and GreenPlasma, a privilege escalation flaw in CTFMON. The researcher justified public disclosure citing dissatisfaction with Microsoft's handling of previous bug reports, and has promised further exploit releases.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fwindows-bitlocker-zero-day-gives-access-to-protected-drives-poc-released\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F02\u002F13\u002FWindows-headpic.jpg","2026-05-13T16:37:49+00:00",{"id":449,"title":450,"slug":451,"brief":452,"ai_summary":453,"url":454,"image_url":455,"published_at":456},"8fdcdc88-a9f0-49c6-bd40-574df2c31c07","📢 Breached and TeamPCP announce supply chain attack competition with $1,000 USD prize and open-s...","breached-and-teampcp-announce-supply-chain-attack-competition-with-1-000-usd-pri-e63443","Breached and TeamPCP announce $1K prize competition for largest supply chain attack.","The operator of the Breached forum has partnered with TeamPCP to host a competition offering $1,000 USD in Monero (XMR) to whoever executes the most significant supply chain attack. The competition appears to include the open-sourcing of the Shai Hulud worm, a malware tool designed to compromise software supply chains.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2054590267252940870","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHINe88ZWoAAeIXf.jpg","2026-05-13T15:51:06+00:00",[],[],[],[],50]