[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"tag:threat-intelligence":3},{"tag":4,"articles":8,"awareness":450,"events":451,"tips":571,"focus_items":572,"total_count":573},{"slug":5,"name":6,"description":7},"threat-intelligence","Threat Intelligence",null,[9,18,26,35,43,52,61,70,79,88,97,105,114,123,130,139,148,157,166,175,183,192,201,210,219,228,237,246,255,264,273,282,291,300,309,318,326,335,344,353,360,369,378,387,396,405,414,423,432,441],{"id":10,"title":11,"slug":12,"brief":13,"ai_summary":14,"url":15,"image_url":16,"published_at":17},"fc2aa533-2f4a-4943-a4ef-a78265a5f8a9","🚨WhatsApp zero-day exploit allegedly advertised for sale\n\nA threat actor on an underground forum...","whatsapp-zero-day-exploit-allegedly-advertised-for-sale-a-threat-actor-on-an-und-a46602","Threat actor claims to sell WhatsApp zero-day exploit for malware installation.","A threat actor is advertising a WhatsApp zero-day exploit for sale on an underground forum, claiming it can install malware or backdoors via private messages. The exploit allegedly works on both phones and desktop platforms. Details remain limited pending further investigation.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2058257939362627626","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHJBmowuXAAAMDOf.jpg","2026-05-23T18:45:07+00:00",{"id":19,"title":20,"slug":21,"brief":22,"ai_summary":23,"url":24,"image_url":7,"published_at":25},"88b3789e-22c1-4c88-bd0b-8ffc2e74d02d","🚨🇨🇱 Chilean Fire Department System Allegedly Breached: VIPER Platform Records and Internal Doc...","chilean-fire-department-system-allegedly-breached-viper-platform-records-and-int-d9f9bd","Chilean Fire Department's VIPER platform allegedly breached; internal records and documents exposed.","The Chilean Fire Department's VIPER platform has been reportedly breached, with threat actors claiming to have accessed internal records and documents. 
The breach exposes sensitive operational data from a critical emergency response organization. The incident highlights vulnerabilities in government infrastructure security.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2058217725382561879","2026-05-23T16:05:20+00:00",{"id":27,"title":28,"slug":29,"brief":30,"ai_summary":31,"url":32,"image_url":33,"published_at":34},"9d590759-1ff7-481e-b07f-777171f7ca18","🚨🇿🇦 Alleged data breach of South African Revenue Service (SARS) by Nullsec https:\u002F\u002Ft.co\u002FciUMwl...","alleged-data-breach-of-south-african-revenue-service-sars-by-nullsec-https-t-co--3af464","Nullsec claims breach of South African Revenue Service (SARS) with alleged data exfiltration.","A threat actor or group operating under the moniker Nullsec has alleged a data breach of South Africa's Revenue Service (SARS). The claim includes purported exfiltration of sensitive data. Details remain limited pending verification of the breach's authenticity and scope.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2058214877831762189","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHJA_ge6XQAAiH2Y.jpg","2026-05-23T15:54:01+00:00",{"id":36,"title":37,"slug":38,"brief":39,"ai_summary":40,"url":41,"image_url":7,"published_at":42},"b8cc999d-a068-43c6-8b3c-2691560886cb","🚨🇺🇸 WisERP Allegedly Targeted: 1.5M U.S. ERP Customer Records Advertised in Auction\n\nhttps:\u002F\u002Ft...","wiserp-allegedly-targeted-1-5m-u-s-erp-customer-records-advertised-in-auction-ht-b9df2f","WisERP breach exposes 1.5M U.S. ERP customer records in dark web auction.","WisERP, a U.S. enterprise resource planning (ERP) software provider, has allegedly been breached with approximately 1.5 million customer records now being advertised for sale on the dark web. The breach appears to affect a significant number of U.S. organizations that rely on the platform for critical business operations. 
This represents a supply-chain risk to all downstream customers and users of affected WisERP deployments.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2058212320468193384","2026-05-23T15:43:51+00:00",{"id":44,"title":45,"slug":46,"brief":47,"ai_summary":48,"url":49,"image_url":50,"published_at":51},"76343cc5-0302-48ea-8ee1-aec0f1f9a5fc","RondoDox Botnet Exploits Critical 2018 Vulnerability to Hijack ASUS Routers","rondodox-botnet-exploits-critical-2018-vulnerability-to-hijack-asus-routers-88d656","RondoDox botnet exploits 2018 ASUS router vulnerability to hijack over 1 million devices.","VulnCheck discovered that the RondoDox botnet is actively exploiting CVE-2018-5999, a critical 2018 vulnerability in ASUS routers, to bypass authentication and hijack over 1 million devices. The vulnerability (CVSS 9.8\u002F10) allows unauthenticated attackers to modify router settings by manipulating the ateCommand_flag parameter. Though exploit code has been public since 2018, real-world exploitation only began in May 2026, with RondoDox using the compromised routers to launch DDoS attacks.","https:\u002F\u002Fhackread.com\u002Frondodox-botnet-2018-vulnerability-hijack-asus-routers\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Frondodox-botnet-2018-vulnerability-hijack-asus-routers-2.jpg","2026-05-23T11:16:40+00:00",{"id":53,"title":54,"slug":55,"brief":56,"ai_summary":57,"url":58,"image_url":59,"published_at":60},"f1b72fff-ed9c-408d-b98e-4f021d170880","Malicious Postinstall Hook Found Across 700+ GitHub Repositories, Including Packagist and Node.js Projects","malicious-postinstall-hook-found-across-700-github-repositories-including-packag-4fdf9d","Malicious postinstall hooks discovered across 700+ GitHub repos targeting PHP and Node.js packages via Packagist.","Socket researchers identified a coordinated supply chain campaign affecting eight Composer packages on Packagist, where upstream repositories were modified to 
include malicious postinstall scripts in package.json files. The scripts attempted to download a Linux binary named gvfsd-network from an attacker-controlled GitHub Releases URL, save it to \u002Ftmp\u002F.sshd, and execute it in the background with disabled TLS verification. A broader GitHub search revealed hundreds of additional references to the same attacker infrastructure across Node.js repositories, suggesting the campaign extends far beyond the confirmed Packagist findings.","https:\u002F\u002Fsocket.dev\u002Fblog\u002Fmalicious-postinstall-hook-found-across-700-github-repos?utm_medium=feed","https:\u002F\u002Fcdn.sanity.io\u002Fimages\u002Fcgdhsj6q\u002Fproduction\u002Fd66a69ec89dc89742b33b6b178982263b5f44386-1672x941.png?w=1000&q=95&fit=max&auto=format","2026-05-22T21:03:29.112+00:00",{"id":62,"title":63,"slug":64,"brief":65,"ai_summary":66,"url":67,"image_url":68,"published_at":69},"971838a3-7c15-45ba-85b7-e1d3fcaac759","AI Has Taken Over Open Source","ai-has-taken-over-open-source-079c96","AI-generated packages surge exponentially on npm, reshaping open source production and consumption.","Socket's analysis reveals AI coding tools have fundamentally transformed npm's ecosystem, driving a 10x increase in package creation since January 2026, identifiable by linguistic markers like em dashes. 
Simultaneously, AI-generated pull requests are overwhelming maintainers, while AI-driven dependency selection has made the software supply chain largely automated and opaque, creating significant supply-chain security risks that require automated scanning rather than manual review.","https:\u002F\u002Fsocket.dev\u002Fblog\u002Fai-has-taken-over-open-source?utm_medium=feed","https:\u002F\u002Fcdn.sanity.io\u002Fimages\u002Fcgdhsj6q\u002Fproduction\u002F28afd79494a5eae74cf7afee8124384497cef27a-1672x941.png?w=1000&q=95&fit=max&auto=format","2026-05-22T14:22:05.743+00:00",{"id":71,"title":72,"slug":73,"brief":74,"ai_summary":75,"url":76,"image_url":77,"published_at":78},"19a1e6ec-ed96-4ada-a1eb-a6c306e33d45","5,561 GitHub Repositories Hit by Megalodon Supply Chain Attack in Six Hours","5-561-github-repositories-hit-by-megalodon-supply-chain-attack-in-six-hours-ae8ebc","Megalodon attack compromises 5,561 GitHub repos via malicious CI workflows in six hours.","SafeDep discovered Megalodon, a large-scale automated supply chain attack targeting 5,561 GitHub repositories that pushed 5,718 malicious code updates within six hours on May 18, 2026. The attackers used fake GitHub accounts and injected malicious CI\u002FCD workflows to steal cloud credentials and GitHub Actions tokens, enabling credential theft from AWS, Google Cloud, and Azure. 
The attack resulted in seven poisoned versions of the Tiledesk npm package being published publicly, demonstrating the downstream impact of compromised repositories.","https:\u002F\u002Fhackread.com\u002Fgithub-repositories-megalodon-supply-chain-attack\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fgithub-repositories-megalodon-supply-chain-attack.png","2026-05-22T13:51:21+00:00",{"id":80,"title":81,"slug":82,"brief":83,"ai_summary":84,"url":85,"image_url":86,"published_at":87},"cd92bee5-6752-4fad-8cf8-bc25ee36a6fb","Deleted Google API Keys Remain Active up to 23 Minutes, Study Finds","deleted-google-api-keys-remain-active-up-to-23-minutes-study-finds-3f9c32","Deleted Google API keys remain active for up to 23 minutes due to eventual consistency delays.","Aikido Security's research reveals that deleted Google API keys continue to authenticate successfully for an average of 16 minutes, with delays reaching up to 23 minutes. The delay stems from eventual consistency in Google's distributed authentication infrastructure, allowing attackers with leaked keys to access GCP, Gemini, BigQuery, and Maps APIs during the propagation window. 
Google closed the security report as \"won't fix,\" treating the delay as a known system property rather than a vulnerability.","https:\u002F\u002Fhackread.com\u002Fdeleted-google-api-keys-active-23-minutes\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fdeleted-google-api-keys-active-23-minutes.png","2026-05-21T16:03:12+00:00",{"id":89,"title":90,"slug":91,"brief":92,"ai_summary":93,"url":94,"image_url":95,"published_at":96},"82ba1008-c993-4751-bc59-0fab8dbd4d3b","GitHub links repo breach to TanStack npm supply-chain attack","github-links-repo-breach-to-tanstack-npm-supply-chain-attack-8023fe","GitHub breach of 3,800 repos linked to malicious Nx Console extension in TanStack npm supply-chain attack","GitHub disclosed a breach of 3,800 internal repositories stemming from an employee installing a malicious version of the Nx Console VS Code extension, which was compromised as part of the TanStack npm supply-chain attack attributed to TeamPCP. The poisoned extension (v18.95.0) was designed to steal credentials for npm, AWS, Kubernetes, GitHub, and GCP\u002FDocker; it was live for ~18 minutes on VS Code Marketplace and 36 minutes on OpenVSX before removal. 
TeamPCP has claimed access to ~4,000 private GitHub repos and is demanding at least $50,000 for the data.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fgithub-links-repo-breach-to-tanstack-npm-supply-chain-attack\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F21\u002FGitHub_headpic.jpg","2026-05-21T06:54:01+00:00",{"id":98,"title":99,"slug":100,"brief":101,"ai_summary":102,"url":103,"image_url":7,"published_at":104},"d9182c5d-8514-48ef-8186-b4cc21222857","🚨🇮🇩 Perumda Tirta Musi Palembang Alleged Customer Database Sale: 437K+ Utility Records Adverti...","perumda-tirta-musi-palembang-alleged-customer-database-sale-437k-utility-records-f7e546","Perumda Tirta Musi Palembang utility database with 437K+ customer records allegedly for sale.","An Indonesian water utility company, Perumda Tirta Musi Palembang, reportedly had its customer database containing over 437,000 records exposed and advertised for sale. The breach includes personal and utility account information of customers in Palembang. This represents a significant privacy breach affecting a critical infrastructure provider in Indonesia.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2057196744161525900","2026-05-20T20:28:19+00:00",{"id":106,"title":107,"slug":108,"brief":109,"ai_summary":110,"url":111,"image_url":112,"published_at":113},"f3cd334c-43e6-40c5-b655-a2f278042b82","First VPN Service — Website Seized by Law Enforcement","first-vpn-service-website-seized-by-law-enforcement-08965a","1VPNS VPN service website seized by joint international law enforcement action.","Law enforcement agencies from France, Netherlands, Switzerland, Romania, Ukraine, United Kingdom, and Luxembourg, coordinated through Europol and Eurojust, have seized the website of 1VPNS VPN service. 
The seizure notice lists 64 IP addresses associated with the service's infrastructure across multiple VPN protocols (PPTP, L2TP, OpenVPN).","http:\u002F\u002Foperation-saffron.eu","https:\u002F\u002Fpbs.twimg.com\u002Famplify_video_thumb\u002F2057142674721755138\u002Fimg\u002FLsM1wM69HOiDFj2K.jpg","2026-05-20T16:54:12+00:00",{"id":115,"title":116,"slug":117,"brief":118,"ai_summary":119,"url":120,"image_url":121,"published_at":122},"16491d03-8e5c-41d1-b2f7-73ae28eb7ee5","Uruguay DNIC allegedly leaked: 5.8M citizen database records exposed","uruguay-dnic-allegedly-leaked-5-8m-citizen-database-records-exposed-33ced1","Uruguay DNIC citizen database with 5.8M records allegedly leaked on underground forum","A threat actor known as LaPampaLeaks claims to have released a database containing 5.8 million Uruguayan citizen records, including national ID numbers (DNIC\u002FCédula de identidad), names, and related identity information. The actor alleges the dataset was previously circulated in closed Telegram groups before being released publicly on an underground forum. 
The exposed data could facilitate identity theft, phishing, impersonation, and targeted social engineering attacks against Uruguayan residents.","https:\u002F\u002Fdarkwebinformer.com\u002Furuguay-dnic-allegedly-leaked-5-8m-citizen-database-records-exposed\u002F","https:\u002F\u002Fstorage.ghost.io\u002Fc\u002F6b\u002F16\u002F6b16ac9c-cd67-432f-b0f3-bbec941084ff\u002Fcontent\u002Fimages\u002F2026\u002F05\u002F1237985298375698273569872353.png","2026-05-20T15:55:52+00:00",{"id":124,"title":125,"slug":126,"brief":127,"ai_summary":128,"url":129,"image_url":7,"published_at":122},"b2d03fdb-a589-44a9-a83d-f3d35d14c435","🚨🇺🇾 Uruguay DNIC allegedly leaked: 5.8M citizen database records exposed\n\nhttps:\u002F\u002Ft.co\u002Fn2zsCshQ1r","uruguay-dnic-allegedly-leaked-5-8m-citizen-database-records-exposed-https-t-co-n-544c62","Uruguay's DNIC citizen database with 5.8M records allegedly leaked online.","A database containing 5.8 million records from Uruguay's DNIC (Documento Nacional de Identidad) national identity system has allegedly been exposed and leaked. The breach affects a significant portion of Uruguay's population and raises serious concerns about government data security and citizen privacy. 
The leaked records likely contain sensitive personal identification information.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2057128182663290947",{"id":131,"title":132,"slug":133,"brief":134,"ai_summary":135,"url":136,"image_url":137,"published_at":138},"065a47ed-16ed-43b3-84a0-2714a4d86d05","GitHub Breach: TeamPCP Steals 3,800 Repositories via VS Code Extension","github-breach-teampcp-steals-3-800-repositories-via-vs-code-extension-d10e13","TeamPCP steals 3,800 GitHub repositories via poisoned VS Code extension, demands $95K","GitHub discovered a breach on May 19, 2026, where the financially motivated TeamPCP group (tracked as UNC6780) compromised a developer's corporate device through a malicious VS Code extension, exfiltrating approximately 3,800 internal repositories. The threat actors are now selling the stolen code on a cybercrime forum for $95,000, warning they will leak it publicly if no buyer emerges. This marks the fifth high-profile target hit by TeamPCP this year, reflecting a growing trend of supply chain attacks against developer tooling using the Mini Shai-Hulud infostealer worm.","https:\u002F\u002Fhackread.com\u002Fgithub-breach-teampcp-repositories-vs-code-extension\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fgithub-data-breach-team-pcp-1.png","2026-05-20T13:55:51+00:00",{"id":140,"title":141,"slug":142,"brief":143,"ai_summary":144,"url":145,"image_url":146,"published_at":147},"26a7eaa6-5b42-4532-8b8f-a309bbe132c3","Verizon DBIR: AI Helped Hackers Exploit Vulnerabilities in 31% of Recent Breaches","verizon-dbir-ai-helped-hackers-exploit-vulnerabilities-in-31-of-recent-breaches-451b50","Verizon DBIR 2026: AI exploited software vulnerabilities in 31% of breaches, compressing exploit timelines from months","Verizon's 2026 Data Breach Investigations Report analyzed 31,000 incidents and 22,000 breaches across 145 countries, revealing that software vulnerabilities have overtaken stolen 
credentials as the primary attack vector for the first time in 19 years. Generative AI is enabling attackers to weaponize vulnerabilities within hours instead of months, significantly reducing the defensive window. Additional findings include a 60% surge in supply chain breaches, a North Korean identity fraud campaign using 15,000 stolen identities, and tripled employee use of unapproved shadow AI tools increasing data exfiltration risks.","https:\u002F\u002Fhackread.com\u002Fverizon-dbir-ai-hackers-exploit-vulnerabilities-breaches\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fverizon-dbir-ai-hackers-exploit-vulnerabilities-breaches-2.png","2026-05-20T12:32:37+00:00",{"id":149,"title":150,"slug":151,"brief":152,"ai_summary":153,"url":154,"image_url":155,"published_at":156},"9abd38af-d31f-4280-88b4-d0c43085eedd","Banana RAT Malware in Fake Invoices Hits Customers at 16 Brazilian Banks","banana-rat-malware-in-fake-invoices-hits-customers-at-16-brazilian-banks-9adceb","Banana RAT malware targets 16 Brazilian banks via fake invoices, stealing data with QR code fraud.","Banana RAT, a remote access trojan linked to threat group SHADOW-WATER-063, is actively targeting customers at 16 Brazilian banks including Itaú, Bradesco, and Santander. The malware is distributed through fake invoice files and security update screens via WhatsApp and phishing, using fileless execution and a custom FastAPI crypter to evade detection. 
It enables real-time financial fraud by intercepting banking sessions, replacing Pix QR codes, and freezing user input while attackers steal funds.","https:\u002F\u002Fhackread.com\u002Fbanana-rat-malware-fake-invoices-16-brazilian-banks\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fbanana-rat-malware-fake-invoices-16-brazilian-banks.jpg","2026-05-20T09:14:35+00:00",{"id":158,"title":159,"slug":160,"brief":161,"ai_summary":162,"url":163,"image_url":164,"published_at":165},"f2230bb7-16ed-4af1-9f0b-dae2da6380c8","GitHub confirms they were compromised after an employee device involving a poisoned VS Code exten...","github-confirms-they-were-compromised-after-an-employee-device-involving-a-poiso-559bcf","GitHub confirms employee device compromise via malicious VS Code extension.","GitHub disclosed that one of its employee devices was compromised through a poisoned VS Code extension, leading to unauthorized access. The incident represents a supply-chain attack vector targeting development tools. GitHub has investigated the incident and implemented additional security measures.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2057018844309340668","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHIv_a4UWMAAkIO4.png","2026-05-20T08:41:24+00:00",{"id":167,"title":168,"slug":169,"brief":170,"ai_summary":171,"url":172,"image_url":173,"published_at":174},"a14464ac-0392-4b7f-8321-8acd6cd351fb","GitHub investigates internal repositories breach claimed by TeamPCP","github-investigates-internal-repositories-breach-claimed-by-teampcp-9d422b","GitHub investigates breach of ~4,000 internal repositories claimed by TeamPCP hacker group","GitHub is investigating unauthorized access to its internal repositories after the TeamPCP threat actor claimed to have accessed approximately 4,000 private code repositories. 
The group is seeking $50,000 for the stolen source code and internal organization data on a hacking forum, claiming they will leak it for free if no buyer is found. GitHub states it has no evidence that customer data outside its internal repositories has been compromised, though it is monitoring infrastructure for follow-on activity.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fgithub-investigates-internal-repositories-breach-claimed-by-teampcp\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F04\u002F29\u002FGitHub.jpg","2026-05-20T05:08:42+00:00",{"id":176,"title":177,"slug":178,"brief":179,"ai_summary":180,"url":181,"image_url":7,"published_at":182},"ed123a5e-14c3-44f0-9d36-66cf78e721c1","ShinyHunters Goes After Cybersecurity Firm Warning Victims Not to Pay Ransoms\n\nhttps:\u002F\u002Ft.co\u002FFUrgx...","shinyhunters-goes-after-cybersecurity-firm-warning-victims-not-to-pay-ransoms-ht-4ddba3","ShinyHunters targets cybersecurity firm that advises ransomware victims against paying.","ShinyHunters, a known threat actor group, has launched an attack against a cybersecurity firm that publicly advises ransomware victims not to pay extortion demands. 
The attack appears to be retaliation for the firm's anti-ransom advocacy, representing an escalation in tactics where threat actors target organizations that undermine their business model.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2056926203425051080","2026-05-20T02:33:17+00:00",{"id":184,"title":185,"slug":186,"brief":187,"ai_summary":188,"url":189,"image_url":190,"published_at":191},"b0cdc22d-65a4-4a05-9716-c78cb04f2def","New Shai-Hulud malware wave compromises 600 npm packages","new-shai-hulud-malware-wave-compromises-600-npm-packages-629679","Shai-Hulud campaign injects malware into 600+ npm packages to steal developer credentials.","Threat actors published 639 malicious versions across 323 unique packages to npm on May 19, 2026, primarily targeting the @antv ecosystem (charting and visualization libraries). The malware steals GitHub, npm, cloud, Kubernetes, and CI\u002FCD credentials, exfiltrating them via Session P2P network and GitHub repositories to evade detection. 
This is part of an ongoing Shai-Hulud campaign that began in September 2025 and now includes capabilities to forge valid Sigstore provenance attestations and establish persistence via VS Code and Claude Code configuration.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fnew-shai-hulud-malware-wave-compromises-600-npm-packages\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F19\u002Fbox.jpg","2026-05-19T14:30:22+00:00",{"id":193,"title":194,"slug":195,"brief":196,"ai_summary":197,"url":198,"image_url":199,"published_at":200},"5eda7515-c525-4c85-a916-0114bd22ad13","7-Eleven confirms data breach claimed by the ShinyHunters gang","7-eleven-confirms-data-breach-claimed-by-the-shinyhunters-gang-09f3cb","7-Eleven confirms cyberattack by ShinyHunters gang that stole 600K+ records from Salesforce systems.","7-Eleven confirmed a data breach discovered on April 8, 2026, where attackers gained unauthorized access to systems storing franchisee documents and personal information. The ShinyHunters extortion group claimed responsibility and allegedly stole over 600,000 records from the company's Salesforce environment, eventually leaking a 9.4GB archive after ransom demands were refused. 
This marks another major victim in ShinyHunters' ongoing campaign targeting Salesforce customers, joining a long list that includes the European Commission, Vimeo, McGraw-Hill, Medtronic, and others.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002F7-eleven-confirms-data-breach-claimed-by-the-shinyhunters-gang\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F19\u002F7-Eleven-headpic.jpg","2026-05-19T14:16:41+00:00",{"id":202,"title":203,"slug":204,"brief":205,"ai_summary":206,"url":207,"image_url":208,"published_at":209},"206773cf-0b98-4f79-8c11-e16551f189fc","INTERPOL ‘Operation Ramz’ seizes 53 malware, phishing servers","interpol-operation-ramz-seizes-53-malware-phishing-servers-355beb","INTERPOL Operation Ramz arrests 200+ individuals, seizes 53 malware and phishing servers across MENA region.","INTERPOL's Operation Ramz resulted in the arrest of over 200 cybercriminals and identification of 382 additional suspects across 13 Middle Eastern and North African countries. Law enforcement seized 53 servers used for phishing, malware distribution, and online fraud that victimized at least 3,867 confirmed victims. 
The operation, conducted with support from cybersecurity firms including Kaspersky, Group-IB, and TrendMicro, dismantled multiple criminal schemes including investment scams, phishing-as-a-service platforms, and malware distribution networks.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Finterpol-operation-ramz-seizes-53-malware-phishing-servers\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F18\u002FINTERPOL.jpg","2026-05-18T22:15:30+00:00",{"id":211,"title":212,"slug":213,"brief":214,"ai_summary":215,"url":216,"image_url":217,"published_at":218},"0505f0c8-c193-44fc-a050-04ac356a7c6d","SHub macOS infostealer variant spoofs Apple security updates","shub-macos-infostealer-variant-spoofs-apple-security-updates-3e6a28","SHub macOS infostealer variant 'Reaper' spoofs Apple security updates via AppleScript to steal data and install","A new variant of the SHub macOS infostealer, dubbed 'Reaper,' uses AppleScript and fake Apple security update prompts to trick users into executing malicious code. Unlike earlier ClickFix campaigns that relied on Terminal commands, Reaper leverages the applescript:\u002F\u002F URL scheme to bypass Apple's March 2026 mitigations. 
The malware steals browser data, cryptocurrency wallets, passwords, documents, and establishes persistence via LaunchAgent for remote access.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fshub-macos-infostealer-variant-spoofs-apple-security-updates\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F18\u002FApple.jpg","2026-05-18T21:42:20+00:00",{"id":220,"title":221,"slug":222,"brief":223,"ai_summary":224,"url":225,"image_url":226,"published_at":227},"d0ecb73f-26c2-4d60-a6c6-3c833eb87c33","Leaked Shai-Hulud malware fuels new npm infostealer campaign","leaked-shai-hulud-malware-fuels-new-npm-infostealer-campaign-70e54c","Leaked Shai-Hulud malware deployed in four malicious npm packages by threat actor.","A threat actor using the account deadcode09284814 published four malicious npm packages embedding the recently leaked Shai-Hulud malware, targeting developer credentials, secrets, and cryptocurrency wallet data. The packages used typosquatting tactics (e.g., chalk-tempalte, axois-utils) and included DDoS botnet functionality in addition to information-stealing capabilities. 
OXsecurity researchers attributed the malware to a different actor than TeamPCP, noting the unobfuscated source code deployment, and reported the packages were downloaded 2,678 times combined before removal.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fleaked-shai-hulud-malware-fuels-new-npm-infostealer-campaign\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F18\u002FNPM-worms.jpg","2026-05-18T17:28:02+00:00",{"id":229,"title":230,"slug":231,"brief":232,"ai_summary":233,"url":234,"image_url":235,"published_at":236},"d9f90630-d752-4cd4-8e95-b9bb280959c6","Grafana says stolen GitHub token let hackers steal codebase","grafana-says-stolen-github-token-let-hackers-steal-codebase-0e1551","Grafana Labs' GitHub environment breached via stolen token; source code stolen by CoinbaseCartel extortion gang.","Grafana Labs disclosed a breach of its GitHub environment resulting from a stolen access token that allowed attackers to download the company's source code. CoinbaseCartel, an extortion gang, claimed responsibility and listed Grafana on its data leak site, but Grafana declined to pay the ransom following FBI guidance. 
The company found no evidence of customer data exposure or impact to customer systems.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fgrafana-says-stolen-github-token-let-hackers-steal-codebase\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F18\u002FGrafana.jpg","2026-05-18T13:46:26+00:00",{"id":238,"title":239,"slug":240,"brief":241,"ai_summary":242,"url":243,"image_url":244,"published_at":245},"a4399ddb-8240-45e7-ae06-2671b8e2243f","First Shai-Hulud Worm Clones Emerge","first-shai-hulud-worm-clones-emerge-07c859","Shai-Hulud worm clones emerge days after source code release on GitHub.","Days after TeamPCP released the Shai-Hulud worm's source code on GitHub, threat actors have begun deploying clones and variants in fresh supply chain attacks targeting NPM developers. A threat actor published four malicious NPM packages, including a direct Shai-Hulud clone called 'chalk-tempalte' and three typo-squatting packages targeting Axios users, with combined weekly downloads exceeding 2,600. Security researchers warn this marks the first phase of an upcoming wave of supply chain attacks leveraging the now-public malware code.","https:\u002F\u002Fwww.securityweek.com\u002Ffirst-shai-hulud-worm-clones-emerge\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2025\u002F11\u002Fmalware.jpeg","2026-05-18T09:45:15+00:00",{"id":247,"title":248,"slug":249,"brief":250,"ai_summary":251,"url":252,"image_url":253,"published_at":254},"2415a12f-2fb1-4f14-86ed-78d05b296bc0","Grafana Confirms Breach After Hackers Claim They Stole Data","grafana-confirms-breach-after-hackers-claim-they-stole-data-46313f","Grafana confirms data breach via compromised GitHub token; source code stolen by Coinbase Cartel.","Grafana Labs suffered a data breach after attackers compromised a token granting access to its GitHub environment, allowing them to download the company's codebase. 
The cybercrime group Coinbase Cartel, linked to ShinyHunters, Scattered Spider, and Lapsus$, claimed the intrusion and demanded ransom; Grafana declined to pay. The company confirmed no customer or personal data was compromised and operations remain unaffected.","https:\u002F\u002Fwww.securityweek.com\u002Fgrafana-confirms-breach-after-hackers-claim-they-stole-data\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002FGrafana.jpeg","2026-05-18T08:34:59+00:00",{"id":256,"title":257,"slug":258,"brief":259,"ai_summary":260,"url":261,"image_url":262,"published_at":263},"71ee27ea-8201-4de7-b6f2-5fc0274467f5","Exploitation of Critical NGINX Vulnerability Begins","exploitation-of-critical-nginx-vulnerability-begins-e3504e","Active in-the-wild exploitation of critical NGINX heap buffer overflow CVE-2026-42945 begins days after patch release.","A critical heap buffer overflow vulnerability (CVE-2026-42945, CVSS 9.2) in NGINX's ngx_http_rewrite_module, lurking for 16 years, is now being actively exploited in the wild just days after F5 released patches. The flaw causes denial-of-service on default configurations and remote code execution if ASLR is disabled. 
VulnCheck reports active exploitation via crafted HTTP requests on vulnerable deployments, with roughly 5.7M internet-exposed NGINX servers potentially at risk.","https:\u002F\u002Fwww.securityweek.com\u002Fexploitation-of-critical-nginx-vulnerability-begins\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002FNginx.jpeg","2026-05-18T07:27:42+00:00",{"id":265,"title":266,"slug":267,"brief":268,"ai_summary":269,"url":270,"image_url":271,"published_at":272},"b0f9510b-1846-472d-a1e1-948ec25b3ef6","Hackers earn $1,298,250 for 47 zero-days at Pwn2Own Berlin 2026","hackers-earn-1-298-250-for-47-zero-days-at-pwn2own-berlin-2026-89f8f0","Pwn2Own Berlin 2026 awards $1.3M for 47 zero-day exploits across enterprise and AI products.","Security researchers at Pwn2Own Berlin 2026 (May 14–16) collected $1,298,250 in rewards for discovering and exploiting 47 zero-day vulnerabilities in enterprise software, web browsers, and AI systems. DEVCORE won the competition with $505,000 after chaining multiple bugs in Microsoft SharePoint, Exchange, Edge, and Windows 11. 
Vendors have 90 days to patch before Trend Micro's Zero Day Initiative publicly discloses the flaws.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fhackers-earn-1-298-250-for-47-zero-days-at-pwn2own-berlin-2026\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2025\u002F05\u002F19\u002FPwn2Own_Berlin.jpg","2026-05-18T05:33:20+00:00",{"id":274,"title":275,"slug":276,"brief":277,"ai_summary":278,"url":279,"image_url":280,"published_at":281},"7a6c3f2f-8746-4464-be55-d924d7692ac2","Hackers Earn $1.3 Million at Pwn2Own Berlin 2026","hackers-earn-1-3-million-at-pwn2own-berlin-2026-7f023c","Pwn2Own Berlin 2026 awards $1.3M for 47 zero-day exploits across Windows, Linux, VMware, Nvidia, and AI products.","White hat hackers earned $1,298,250 at Pwn2Own Berlin 2026 by demonstrating 47 unique vulnerabilities in Microsoft Exchange, Edge, SharePoint, VMware ESX, and AI products including LiteLLM, OpenAI Codex, and LM Studio. Top teams Devcore and StarLabs SG captured nearly $750,000, with Devcore earning $200,000 for a Microsoft Exchange remote code execution exploit and StarLabs SG winning $200,000 for VMware ESX cross-tenant code execution. 
Eight exploit attempts failed, and some registered white hat hackers reportedly disclosed findings directly to vendors when all event slots filled.","https:\u002F\u002Fwww.securityweek.com\u002Fhackers-earn-1-3-million-at-pwn2own-berlin-2026\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2025\u002F08\u002FPwn2Own-hackers-hacking-competition.jpeg","2026-05-18T04:05:21+00:00",{"id":283,"title":284,"slug":285,"brief":286,"ai_summary":287,"url":288,"image_url":289,"published_at":290},"7c6d9952-6d10-4b71-95cf-90914a10affd","Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing","tycoon2fa-hijacks-microsoft-365-accounts-via-device-code-phishing-446b21","Tycoon2FA phishing kit adds device-code attacks to hijack Microsoft 365 accounts via Trustifi URLs.","The Tycoon2FA phishing-as-a-service platform, recently disrupted by law enforcement in March 2026, has rebuilt operations and now supports device-code phishing attacks against Microsoft 365 accounts. The kit abuses legitimate Trustifi click-tracking URLs to redirect victims through multiple obfuscation layers, ultimately tricking them into authorizing attacker-controlled devices via OAuth 2.0 device authorization flows. 
Device-code phishing attacks have surged 37x this year across at least ten PhaaS platforms, with Tycoon2FA adding advanced anti-analysis protections including 230+ vendor blocklists and debugger timing traps.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Ftycoon2fa-hijacks-microsoft-365-accounts-via-device-code-phishing\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F15\u002FMS365.jpg","2026-05-17T14:43:10+00:00",{"id":292,"title":293,"slug":294,"brief":295,"ai_summary":296,"url":297,"image_url":298,"published_at":299},"54e41224-3d2a-4217-8920-4f716d8070f9","Scammers Send Physical Phishing Letters to Steal Ledger Wallet Seed Phrases","scammers-send-physical-phishing-letters-to-steal-ledger-wallet-seed-phrases-3eefce","Scammers mail fake Ledger phishing letters with QR codes to steal crypto wallet seed phrases from Italian users.","Scammers are conducting a targeted physical phishing campaign against Ledger hardware wallet users in Italy, sending official-looking letters that impersonate Ledger and include QR codes directing victims to phishing sites where they're tricked into revealing their 24-word recovery seed phrases. The campaign leverages localized Italian language letters and references to fake \"Quantum Resistance\" security updates to create urgency. 
Ledger has publicly warned users that the company never requests seed phrases and suspects the attacker mailing list originated from a January 2026 breach of Global-e, Ledger's e-commerce processing partner.","https:\u002F\u002Fhackread.com\u002Fscammers-physical-phishing-letters-ledger-wallet-seed\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fscammers-physical-phishing-letters-ledger-wallet-seed.jpeg","2026-05-17T11:55:35+00:00",{"id":301,"title":302,"slug":303,"brief":304,"ai_summary":305,"url":306,"image_url":307,"published_at":308},"c37eadb5-f0ce-4735-a8ae-ef3ce524e866","Grafana Says It Rejected Ransom Demand After Source Code Theft","grafana-says-it-rejected-ransom-demand-after-source-code-theft-9a110e","Grafana confirms source code theft via compromised GitHub token; rejects ransom demand.","Grafana Labs disclosed that attackers obtained a compromised GitHub token to access and download part of its source code repository. The company confirmed no customer data or systems were affected and rejected a subsequent ransom demand from the threat actor, citing FBI guidance against paying extortion. 
Grafana has revoked the compromised credentials and implemented additional safeguards while conducting a post-incident review.","https:\u002F\u002Fhackread.com\u002Fgrafana-source-code-theft-rejected-ransom-demand\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fgrafana-source-code-theft-rejected-ransom-demand-2.png","2026-05-17T10:17:46+00:00",{"id":310,"title":311,"slug":312,"brief":313,"ai_summary":314,"url":315,"image_url":316,"published_at":317},"7c1eb1bd-dea2-4d5d-86f9-c559e543a802","RDP Stealer with Windows Defender Bypass https:\u002F\u002Ft.co\u002F4jNuZxUJMZ","rdp-stealer-with-windows-defender-bypass-https-t-co-4jnuzxujmz-b2608a","RDP stealer malware discovered with Windows Defender evasion capability.","Security researchers have identified a malware variant designed to steal Remote Desktop Protocol (RDP) credentials while evading Windows Defender detection. The malware employs anti-analysis and defense-bypass techniques to establish persistence on compromised systems. This threat is part of a broader trend of credential-theft malware targeting remote access protocols.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2055785513496273121","https:\u002F\u002Fpbs.twimg.com\u002Famplify_video_thumb\u002F2055785366729191424\u002Fimg\u002FnXiKMrvVNo80gRaj.jpg","2026-05-16T23:00:35+00:00",{"id":319,"title":320,"slug":321,"brief":322,"ai_summary":323,"url":324,"image_url":7,"published_at":325},"50c04eb4-1141-41ce-901f-55a3b5269c08","Another Windows zero day released by Nightmare Eclipse (sort of)\n\nIt turns out Microsoft just str...","another-windows-zero-day-released-by-nightmare-eclipse-sort-of-it-turns-out-micr-6327af","Microsoft failed to properly patch 2020 Windows CVE, allowing Nightmare Eclipse exploitation.","A Windows zero-day vulnerability has been exploited by the Nightmare Eclipse threat actor, stemming from Microsoft's incomplete patching of a CVE originally disclosed in 2020. 
The flaw remained unresolved despite prior remediation attempts, allowing attackers to leverage the unpatched weakness for active exploitation.","https:\u002F\u002Fx.com\u002Fvxunderground\u002Fstatus\u002F2055556704998138251","2026-05-16T07:51:23+00:00",{"id":327,"title":328,"slug":329,"brief":330,"ai_summary":331,"url":332,"image_url":333,"published_at":334},"7c8582f5-6a9e-485c-9795-2cbe4c4970f5","Stych Allegedly Breached: 1.34M Customer Database Entries Exposed from French Mobility Service Records","stych-allegedly-breached-1-34m-customer-database-entries-exposed-from-french-mob-d4f79a","Threat actor claims breach of Stych French driving school platform exposing 1.34M customer records.","A threat actor using the moniker ActorLagui allegedly breached Stych, a French mobility training and driving school platform, and is offering a database dump containing 1.34M customer records for sale. The exposed dataset includes personally identifiable information such as names, email addresses, phone numbers, postal codes, birthdates, nationalities, and driver training\u002Flicense attributes. 
The breach was reported on May 14, 2026, and the threat actor claims the data is fresh and unprocessed.","https:\u002F\u002Fdarkwebinformer.com\u002Fstych-allegedly-breached-1-34m-customer-database-entries-exposed-from-french-mobility-service-records\u002F","https:\u002F\u002Fstorage.ghost.io\u002Fc\u002F6b\u002F16\u002F6b16ac9c-cd67-432f-b0f3-bbec941084ff\u002Fcontent\u002Fimages\u002F2026\u002F05\u002F92378956298376598237569827356986723467894.png","2026-05-15T17:52:31+00:00",{"id":336,"title":337,"slug":338,"brief":339,"ai_summary":340,"url":341,"image_url":342,"published_at":343},"ee3e3265-b56d-4e46-b054-6bdbcb13f0c0","Auchan Allegedly Breached: 1.29M Customer Database Entries Exposed from French Retail Records","auchan-allegedly-breached-1-29m-customer-database-entries-exposed-from-french-re-353158","Auchan retail breach exposes 1.29M customer records with personal and loyalty data.","A threat actor known as Lagui claims to be selling a database dump allegedly breached from Auchan, the French multinational retail group. The exposed dataset contains over 1.29 million customer entries including names, email addresses, phone numbers, addresses, customer IDs, and loyalty card identifiers. 
The actor describes the data as fresh and unprocessed, being offered through direct contact channels.","https:\u002F\u002Fdarkwebinformer.com\u002Fauchan-allegedly-breached-1-29m-customer-database-entries-exposed-from-french-retail-records\u002F","https:\u002F\u002Fstorage.ghost.io\u002Fc\u002F6b\u002F16\u002F6b16ac9c-cd67-432f-b0f3-bbec941084ff\u002Fcontent\u002Fimages\u002F2026\u002F05\u002F723578962398476928357629837468927356928738.png","2026-05-15T17:35:01+00:00",{"id":345,"title":346,"slug":347,"brief":348,"ai_summary":349,"url":350,"image_url":351,"published_at":352},"f5113217-1426-4350-b4d9-00f000ad71dd","Ícaro Cloud Allegedly Breached: Firewall Configs, VPN Keys, TLS Certificates, and Internal Network Data Exposed Across 20 Spanish Corporate Networks","icaro-cloud-allegedly-breached-firewall-configs-vpn-keys-tls-certificates-and-in-c46ff6","Ícaro Cloud MSP breached; firewall configs, VPN keys, TLS certs exposed across 20 Spanish networks.","A threat actor claims to have breached Ícaro Cloud S.L., a Spanish managed service provider, exposing sensitive data from 20 client networks including firewall backups, VPN keys, TLS certificates, administrator credentials, and internal network topology. The exposed material spans multiple industry sectors (accounting, education, IT, chemicals, hospitality, real estate, transport, healthcare, manufacturing) and allegedly comprises 3,500+ OPNsense configuration backups. 
The actor claims the breach resulted from reused MSP credentials and is offering the data for sale on underground channels.","https:\u002F\u002Fdarkwebinformer.com\u002Ficaro-cloud-allegedly-breached-firewall-configs-vpn-keys-tls-certificates-and-internal-network-data-exposed-across-20-spanish-corporate-networks\u002F","https:\u002F\u002Fstorage.ghost.io\u002Fc\u002F6b\u002F16\u002F6b16ac9c-cd67-432f-b0f3-bbec941084ff\u002Fcontent\u002Fimages\u002F2026\u002F05\u002F237857823659872356879236598723657985.png","2026-05-15T17:19:11+00:00",{"id":354,"title":355,"slug":356,"brief":357,"ai_summary":358,"url":359,"image_url":7,"published_at":352},"65a2ab9c-e2dc-400b-aed5-f91874117b09","‼️🇪🇸 Ícaro Cloud Allegedly Breached: Firewall Configs, VPN Keys, TLS Certificates, and Internal...","icaro-cloud-allegedly-breached-firewall-configs-vpn-keys-tls-certificates-and-in-7e448a","Ícaro Cloud breach exposes firewall configs, VPN keys, and TLS certs for 20 Spanish firms.","Spanish cloud provider Ícaro Cloud allegedly suffered a breach exposing sensitive infrastructure data from approximately 20 corporate networks, including firewall configurations, VPN keys, TLS certificates, and internal network information. 
The incident affects multiple Spanish organizations and represents a significant security compromise of foundational network and cryptographic materials.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2055337207603380526",{"id":361,"title":362,"slug":363,"brief":364,"ai_summary":365,"url":366,"image_url":367,"published_at":368},"8f7b0107-15c0-4999-a192-58e735999224","Turla Turns Kazuar Backdoor Into Modular P2P Botnet for Persistent Access","turla-turns-kazuar-backdoor-into-modular-p2p-botnet-for-persistent-access-309cba","Russian state-sponsored Turla transforms Kazuar backdoor into modular P2P botnet for persistent access.","Turla, a Russian FSB-affiliated state-sponsored group, has evolved its Kazuar backdoor into a sophisticated modular peer-to-peer botnet designed for stealth and long-term system access. The new architecture features three component types—Kernel (coordinator), Bridge (proxy), and Worker (data collection)—with multiple communication channels and anti-analysis capabilities. 
This upgrade reflects Turla's focus on resilience and operational persistence in targeting government, diplomatic, and defense sectors across Europe and Central Asia.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fturla-turns-kazuar-backdoor-into.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEg8BT1AOScncZQM_A-0WBdCzTDAHGHSey48_Mywhij-TJupCdzP3s3o-MIImRtMZcoV2OqX3RjRV4COpVqkB1mrH3d_zjwvSTwCEXOq_2m80HgDo-xwAZ1KpR1h8eN9dAHGcKN_PpcE0cBsnv67FcthDycHLBJMYs8NkPszWNiQqdbhyL0YIlwVJn4NtgaR\u002Fs1600\u002Fcode.jpg","2026-05-15T17:10:25+00:00",{"id":370,"title":371,"slug":372,"brief":373,"ai_summary":374,"url":375,"image_url":376,"published_at":377},"fcd89353-23f6-4186-bd23-5c6773b4e6be","Hackers Use PyInstaller and AMSI Patching to Deliver XWorm RAT v7.4","hackers-use-pyinstaller-and-amsi-patching-to-deliver-xworm-rat-v7-4-7b3e57","Hackers deploy XWorm RAT v7.4 via PyInstaller with AMSI patching to bypass Windows security.","Security researchers at Point Wild discovered a new campaign distributing XWorm RAT v7.4 malware packaged in PyInstaller files to bypass Windows Defender. The attack uses AMSI Memory Patching to disable AmsiScanBuffer, Base64\u002FSHA-512 encryption, and fake obfuscation routines to evade detection. 
Once activated, the malware connects to C2 infrastructure to steal credentials, spy via webcam, launch DDoS attacks, and achieve full remote control.","https:\u002F\u002Fhackread.com\u002Fhackers-pyinstaller-amsi-patching-xworm-rat-v7-4\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fhackers-pyinstaller-amsi-patching-xworm-rat-v7-4.jpg","2026-05-15T16:42:58+00:00",{"id":379,"title":380,"slug":381,"brief":382,"ai_summary":383,"url":384,"image_url":385,"published_at":386},"6ae543ca-30c1-4051-8134-94cb69d506d3","1\u002F2‼️🇦🇷 Banco Central de la República Argentina, IOMA, and GDEBA allegedly breached: credit sco...","1-2-banco-central-de-la-republica-argentina-ioma-and-gdeba-allegedly-breached-cr-4f07d0","Argentine Central Bank, IOMA, and GDEBA suffer alleged data breach exposing credit scores and government documents.","A threat actor claims to have breached Banco Central de la República Argentina (BCRA), IOMA (medical insurance), and GDEBA (Buenos Aires government agency), leaking credit scoring data, affiliate records, and government PDF documents. The incident affects critical Argentine financial and government institutions. 
Details on the scope and verification of the breach remain limited pending further disclosure.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2055324130321530972","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHIX6OB5W0AAqYZi.jpg","2026-05-15T16:27:13+00:00",{"id":388,"title":389,"slug":390,"brief":391,"ai_summary":392,"url":393,"image_url":394,"published_at":395},"bb88fd2f-48ac-45ea-ab10-dd60da6c35fe","‼️🇺🇸 Nike allegedly breached: 61.7M database lines exposed from payments and offers datasets\n\nA...","nike-allegedly-breached-61-7m-database-lines-exposed-from-payments-and-offers-da-58ee7c","Nike allegedly breached; 61.7M database records exposed from payments and offers datasets","A threat actor claims to have breached Nike and is selling a database containing 61.7 million records from payments and offers datasets. The alleged breach includes sensitive customer information stored in JSON file format. The threat actor is actively marketing the stolen data for sale.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2055320195149726138","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHIX20vOXsAAbEee.jpg","2026-05-15T16:11:35+00:00",{"id":397,"title":398,"slug":399,"brief":400,"ai_summary":401,"url":402,"image_url":403,"published_at":404},"9345e020-ee55-4396-ad10-4a9f69f76784","‼️🇨🇦 Aviso Wealth allegedly breached: 261K customer records exposed from Canadian wealth manage...","aviso-wealth-allegedly-breached-261k-customer-records-exposed-from-canadian-weal-e0a89f","Aviso Wealth breach exposes 261K customer records from Canadian wealth manager","A threat actor claims to have breached Aviso Wealth, a Canadian wealth management and financial services company, exposing approximately 261,000 customer records. The attacker allegedly is offering the stolen data for sale. 
The breach affects customers of the wealth management platform and potentially includes sensitive financial and personal information.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2055315051775426874","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHIXyCp-WcAA0Gjo.jpg","2026-05-15T15:51:08+00:00",{"id":406,"title":407,"slug":408,"brief":409,"ai_summary":410,"url":411,"image_url":412,"published_at":413},"0f823573-53f9-41ad-87e0-2be3520e3a5a","‼️🇪🇸 CA Indosuez Wealth Management allegedly breached: 200K lines of account holder PII exposed...","ca-indosuez-wealth-management-allegedly-breached-200k-lines-of-account-holder-pi-852997","CA Indosuez Wealth Management suffers alleged breach exposing 200K lines of account holder PII.","A threat actor claims to have breached CA Indosuez Wealth Management, the global wealth management division of Crédit Agricole, and leaked approximately 200,000 lines of personally identifiable information from Spanish financial records. The leaked data includes account holder details and sensitive financial information, raising concerns about data protection compliance and customer privacy.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2055307032924762419","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHIXq2R5WwAAi4DS.jpg","2026-05-15T15:19:17+00:00",{"id":415,"title":416,"slug":417,"brief":418,"ai_summary":419,"url":420,"image_url":421,"published_at":422},"89549a1e-2e91-43d2-b57f-141dda2754dc","‼️🇺🇸 Eli Lilly allegedly breached: 1.2K internal repositories and 40GB of Veeva Vault documents...","eli-lilly-allegedly-breached-1-2k-internal-repositories-and-40gb-of-veeva-vault--fb335c","Eli Lilly allegedly breached; 1.2K repos and 40GB Veeva Vault documents exposed for $70K","A threat actor claims to have compromised Eli Lilly's internal repositories and Veeva Vault documents containing sensitive drug development and clinical trial data. 
The alleged breach includes 1,200 internal codebases and 40GB of confidential materials, with the attacker reportedly offering the data for sale at $70,000. The incident affects a major pharmaceutical company's critical development infrastructure and could expose proprietary drug formulations and clinical trial information.","https:\u002F\u002Fx.com\u002FDarkWebInformer\u002Fstatus\u002F2055301601019969821","https:\u002F\u002Fpbs.twimg.com\u002Fmedia\u002FHIXl2PDXsAAZjdT.jpg","2026-05-15T14:57:41+00:00",{"id":424,"title":425,"slug":426,"brief":427,"ai_summary":428,"url":429,"image_url":430,"published_at":431},"a9b22630-c61d-48c1-9851-4f34b7324698","Inside the REMUS Infostealer: Session Theft, MaaS, and Rapid Evolution","inside-the-remus-infostealer-session-theft-maas-and-rapid-evolution-84eb27","REMUS infostealer malware evolves into MaaS platform targeting session tokens and password managers.","REMUS, a new infostealer malware, has rapidly evolved from a basic credential-stealing tool into a sophisticated malware-as-a-service (MaaS) platform between February and May 2026. Analysis of 128 underground posts reveals the operator's focus shifted from simple password theft to session-token harvesting, password-manager targeting (1Password, LastPass, Bitwarden), and operational scalability with features like worker tracking, statistics pages, and SOCKS5 proxy support. 
The operation demonstrates how modern MaaS platforms increasingly resemble legitimate software businesses with continuous development cycles and customer-oriented features.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Finside-the-remus-infostealer-session-theft-maas-and-rapid-evolution\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fposts\u002F2026\u002F05\u002Finfostealer-header.jpg","2026-05-15T14:02:12+00:00",{"id":433,"title":434,"slug":435,"brief":436,"ai_summary":437,"url":438,"image_url":439,"published_at":440},"c9fc924c-2d60-4142-b750-3b96533b9ea6","Microsoft Warns of Exchange Server Zero-Day Exploited in the Wild","microsoft-warns-of-exchange-server-zero-day-exploited-in-the-wild-5e3df7","Microsoft warns of CVE-2026-42897 Exchange Server zero-day exploited in active attacks.","Microsoft disclosed CVE-2026-42897, a spoofing and cross-site scripting (XSS) vulnerability affecting Exchange Server Subscription Edition, 2016, and 2019. The zero-day, which exploits Exchange Outlook Web Access (OWA) via specially crafted emails, is actively being exploited in the wild. 
Microsoft has released mitigation guidance while developing a permanent patch.","https:\u002F\u002Fwww.securityweek.com\u002Fmicrosoft-warns-of-exchange-server-zero-day-exploited-in-the-wild\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002FExchange.jpg","2026-05-15T12:06:53+00:00",{"id":442,"title":443,"slug":444,"brief":445,"ai_summary":446,"url":447,"image_url":448,"published_at":449},"9acc7029-8b0b-4116-8928-26f700daaa85","What 45 Days of Watching Your Own Tools Will Tell You About Your Real Attack Surface","what-45-days-of-watching-your-own-tools-will-tell-you-about-your-real-attack-sur-42e8c6","Bitdefender analysis finds legitimate-tool abuse in 84% of high-severity incidents, launches attack surface assessment","Bitdefender reports that 84% of 700,000 analyzed high-severity incidents involved abuse of legitimate Windows administration tools (PowerShell, WMIC, netsh, Certutil, MSBuild) rather than malware. The company introduces a complimentary 45-day Internal Attack Surface Assessment service that profiles user-endpoint behavior and identifies over-entitled access to living-off-the-land binaries, helping organizations reduce attack surface by 30-70% without disrupting business operations. 
This reflects a shift toward preemptive attack surface reduction as threat actors increasingly blend in with legitimate administrative activity.","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fwhat-45-days-of-watching-your-own-tools.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEhVcSUDrpIZyFrHqIlIGnXfIShsEamRNviaM6TguPwmQI9KkhrIXOQbQ0WVKiOkcBGkFqKTKZmK16zPChmlcCbZHIkX3K_C0sjnyXYJjpZuJXO3OiIhUe7Ez8jCNiTxh0FGYS2-RR6HKsl9pWJVgc_uXAtHXj0hgU-mLSsOh-QHft6A92KtgWPQhk1OVPA\u002Fs1600\u002FAttack-Surface.jpg","2026-05-15T11:00:00+00:00",[],[452,465,475,484,492,500,508,517,526,536,544,554,561],{"id":453,"title":454,"slug":455,"description":456,"url":457,"start_date":458,"end_date":7,"location":459,"is_virtual":460,"category":461,"tags":462},"5a88a58f-c5bb-4a00-b8f6-ac52faf5dda9","Qubit Conference Prague 2026","qubit-conference-prague-2026","Qubit Conference Prague 2026 stands out as a leading event for cybersecurity professionals, bringing together CISOs, security leaders, and practitioners from a broad spectrum of organizations. The conference explores the latest trends and persistent challenges in the cybersecurity sector, including emerging threats, defensive strategies, and organizational resilience. Attendees benefit from technical presentations, expert panels, and networking opportunities.","https:\u002F\u002Fwww.qubitconference.com\u002F","2026-05-18","Prague, Czech Republic",false,"conference",[5,463,464],"governance","incident-response",{"id":466,"title":467,"slug":468,"description":469,"url":470,"start_date":458,"end_date":7,"location":471,"is_virtual":460,"category":461,"tags":472},"7c6da40b-e67d-4d9d-884a-6e7dabeb15f6","OzCon 2026","ozcon-2026","OzCon is a focused, one-day information security event designed to provide a thorough overview of the current security landscape from the perspective of hackers and attackers. 
The conference delivers practical insights into offensive techniques, threat methodologies, and defensive countermeasures. Security professionals and practitioners attend to understand emerging attack vectors and strengthen organizational defenses.","https:\u002F\u002Fwww.ozcon.org\u002F","Overland Park, United States",[473,5,474],"red-team","penetration-testing",{"id":476,"title":477,"slug":478,"description":479,"url":480,"start_date":458,"end_date":7,"location":481,"is_virtual":460,"category":461,"tags":482},"d0e6aab2-d099-4e34-b8b3-d2bef8e35933","CrowdTour: Nairobi 2026","crowdtour-nairobi-2026","CrowdTour Nairobi is a focused one-day event that unites cybersecurity professionals with the goal of advancing organizational defense strategies. The event is carefully organized to facilitate knowledge sharing, technical presentations, and networking among the local security community. Attendees learn about current threats, best practices, and practical defensive measures.","https:\u002F\u002Fwww.crowdtourevents.com\u002F","Nairobi, Kenya",[483,5,464],"blue-team",{"id":485,"title":486,"slug":487,"description":488,"url":489,"start_date":458,"end_date":7,"location":490,"is_virtual":460,"category":461,"tags":491},"535ce92f-3894-40f7-8d77-89423b868ae8","Red Hot Cyber Conference 2026","red-hot-cyber-conference-2026","A prominent annual event dedicated to advancing digital technologies, encouraging innovation, and raising awareness about cyber risks. 
The conference unites industry professionals to discuss contemporary cybersecurity challenges and emerging threats.","https:\u002F\u002Fwww.redhot-cyber.com\u002F","Rome, Italy",[5,463,464],{"id":493,"title":494,"slug":495,"description":496,"url":497,"start_date":458,"end_date":7,"location":498,"is_virtual":460,"category":461,"tags":499},"896ee2d6-3f60-4aaa-ab6e-4e441ded53ff","CyberX | Egypt 2026","cyberx-egypt-2026","A premier cybersecurity conference designed to unite industry leaders, government representatives, and technology professionals. Part of a regional series addressing the cybersecurity landscape and emerging threats in the region.","https:\u002F\u002Fwww.cyberxegypt.com\u002F","Cairo, Egypt",[5,463,464],{"id":501,"title":502,"slug":503,"description":504,"url":505,"start_date":458,"end_date":7,"location":506,"is_virtual":460,"category":461,"tags":507},"d0ac20e4-ea5e-4484-913a-d176c2cca609","You Sh0t the Sheriff (YSTS) 2026","you-sh0t-the-sheriff-ysts-2026","You Sh0t the Sheriff 2026 is a premier cybersecurity and hacking conference dedicated to advancing knowledge in threat research, penetration testing, and sophisticated defense strategies. The event brings together security researchers, ethical hackers, and defensive professionals to share cutting-edge techniques and insights. Attendees can expect technical deep-dives, live demonstrations, and hands-on learning opportunities.","https:\u002F\u002Fwww.ysts.org\u002F","São Paulo, Brazil",[5,473,474],{"id":509,"title":510,"slug":511,"description":512,"url":7,"start_date":513,"end_date":514,"location":515,"is_virtual":460,"category":461,"tags":516},"dad303ff-5c95-45fb-97f0-4cd3e71e7a08","CyberWiseCon Europe 2026","cyberwisecon-europe-2026","A major European cybersecurity conference covering a broad range of security topics. 
The event attracts CISOs, security leaders, and professionals interested in the latest cybersecurity strategies and emerging threats.","2026-05-19","2026-05-22","Vilnius, Lithuania",[463,5,464],{"id":518,"title":519,"slug":520,"description":521,"url":7,"start_date":522,"end_date":523,"location":524,"is_virtual":460,"category":461,"tags":525},"3a443f86-5768-4206-ba3e-052015caf480","CYSAT Europe","cysat-europe","A cybersecurity conference in Paris focusing on threat intelligence and cyber attacks. The event brings together security professionals and analysts to discuss incident response, threat analysis, and defense strategies.","2026-05-20","2026-05-21","Paris, France",[5,464],{"id":527,"title":528,"slug":529,"description":530,"url":7,"start_date":531,"end_date":532,"location":533,"is_virtual":460,"category":461,"tags":534},"d3c65a35-8e7f-4303-b3b9-310fccbe93cd","CONFidence 2026","confidence-2026","A prominent security conference in Krakow attracting international security professionals and researchers. The event covers a wide range of cybersecurity topics including threats, vulnerabilities, and defense strategies.","2026-05-25","2026-05-26","Krakow, Poland",[5,535],"vulnerability-management",{"id":537,"title":538,"slug":539,"description":540,"url":7,"start_date":541,"end_date":542,"location":533,"is_virtual":460,"category":461,"tags":543},"46cd57b3-c494-4aed-a058-3272178dfe44","Update Conference Krakow 2026","update-conference-krakow-2026","A technology and cybersecurity update conference in Krakow offering both in-person and online participation. 
The event covers current security trends, emerging threats, and best practices for security professionals.","2026-05-27","2026-05-28",[5,463],{"id":545,"title":546,"slug":547,"description":548,"url":549,"start_date":550,"end_date":551,"location":552,"is_virtual":460,"category":461,"tags":553},"7c4c0287-869c-47e1-bc2a-9e3ef70d20dc","Infosecurity Europe","infosecurity-europe","Europe's leading cybersecurity event in London attracting thousands of security professionals, vendors, and decision-makers. The conference features keynotes, technical sessions, and exhibitions covering all aspects of information security.","https:\u002F\u002Fwww.infosecurityeurope.com\u002F","2026-06-02","2026-06-04","London, United Kingdom",[463,5,464],{"id":555,"title":556,"slug":557,"description":558,"url":559,"start_date":550,"end_date":551,"location":552,"is_virtual":460,"category":461,"tags":560},"9d8050bb-e41d-41c4-a395-b6bd7d58bc65","Infosecurity Europe 2026","infosecurity-europe-2026","Europe's most cost-efficient cybersecurity event combining senior leadership content with SANS-led tactical hands-on workshops. With free entry and practitioner-focused training, this conference attracts a broad audience of security professionals from enterprise and mid-market organizations seeking both strategic and operational insights.","https:\u002F\u002Fwww.infosec.co.uk\u002F",[535,483,5],{"id":562,"title":563,"slug":564,"description":565,"url":566,"start_date":567,"end_date":568,"location":569,"is_virtual":460,"category":461,"tags":570},"6861ee81-9428-4ea1-bb05-dd9f57e60fb9","Black Hat USA 2026","black-hat-usa-2026","The premier vendor-neutral conference where leading security researchers present original offensive and defensive research with real-world applicability. 
Attendees gain early exposure to cutting-edge attack techniques and defense strategies that will shape the threat landscape in the coming year.","https:\u002F\u002Fwww.blackhat.com\u002F","2026-08-01","2026-08-06","Las Vegas, United States",[473,5,535],[],[],63]