Deep Analysis.
Original research, technical writeups, and deep-dive analysis of the most significant vulnerabilities, exploits, and threat actors in mobile security.
Full research articles are available to premium subscribers. Join the waitlist for early access and founding member pricing.
Two Decades of Cyber Threats: How the Attack Surface Evolved From 2004 to 2024 and What Comes Next
Twenty years of cybersecurity intelligence reveals a threat landscape transformed by nation-states, ransomware, and AI. Here's what the arc of history tells defenders.
YellowKey & GreenPlasma: Unpatched Zero-Days Shatter Windows BitLocker's Trusted Encryption Shield
Two unpatched Windows zero-days — YellowKey and GreenPlasma — expose BitLocker-protected drives and enable privilege escalation, with working PoC exploits now public.
When AI Meets Exposed Secrets: How Modern Cloud Infrastructure Became the Attacker's Playground
Cloud secrets and AI infrastructure are converging into a critical attack surface. Here's what defenders need to know before threat actors exploit the gap.
Zero Clicks to Root: How Researchers Cracked the Pixel 10's Defenses Using a Patched Exploit's Blueprint
A new exploit chain targeting the Pixel 10 achieves root access with zero user interaction, built on the bones of a CVE-2025-54957 Dolby audio vulnerability.
GemStuffer Uses RubyGems as a Silent Data Pipeline — Not a Malware Dropper
Over 150 malicious RubyGems packages are being weaponized as a covert exfiltration channel for scraped U.K. council portal data, flipping the supply chain attack playbook.
138 Vulnerabilities, Two Critical RCE Chains: Inside Microsoft's Most Consequential Patch Tuesday
Microsoft's May patch cycle resolves 138 flaws including critical DNS and Netlogon RCE vulnerabilities. Here's what security teams need to prioritize now.
The Remediation Illusion: Why "Fixed" Doesn't Mean Fixed Anymore
Security teams are closing tickets faster than ever — but rarely confirming the fix held. The gap between remediation and validation is becoming a primary attack surface.
Beyond Alert Fatigue: How Attackers Chain Micro-Flaws Into Lethal Breach Paths
Security tools drown teams in low-severity alerts while attackers quietly chain tiny flaws into devastating breach paths. Here's how to see what your AppSec stack is missing.
FamousSparrow's Multi-Wave Assault: Chinese APT Targets Azerbaijani Energy Infrastructure via Exchange
Chinese-linked APT group FamousSparrow conducted a sustained multi-wave intrusion against an Azerbaijani oil and gas firm, signaling dangerous expansion into Caspian energy infrastructure.
Google's Intrusion Logging Is a Turning Point in the War Against Mobile Spyware
Google's new opt-in Intrusion Logging feature brings persistent forensic capabilities to Android, giving defenders a fighting chance against elite spyware operators.
The Calm Before the Storm: Microsoft's Zero-Day-Free Patch Tuesday Masks a 137-Flaw Reality
For the first time in two years, Microsoft's Patch Tuesday arrived without a single zero-day — but 137 vulnerabilities and nine critical flaws still demand immediate attention.
137 Vulnerabilities, 30 Critical: Inside Microsoft's Largest 2026 Patch Drop
Microsoft's May 2026 Patch Tuesday addresses 137 vulnerabilities including 30 Critical flaws, with unauthenticated RCE risks in core Windows networking components demanding immediate enterprise action.
TrickMo Goes Blockchain: How Android's Deadliest Banking Trojan Built an Unkillable C2 on TON
A new TrickMo variant leverages The Open Network blockchain for C2 communications and SOCKS5 proxying to turn infected Android devices into persistent network pivots.
Critical SAP Vulnerabilities Expose Enterprise Core: Commerce Cloud and S/4HANA Under Threat
SAP's May 2026 patch cycle reveals two critical flaws in Commerce Cloud and S/4HANA, putting enterprise ERP and e-commerce infrastructure at serious risk of compromise.
Shai Hulud's Worm Turns: How a Supply Chain Campaign Weaponized Trusted npm and PyPI Packages Against Developers
The Shai Hulud campaign has compromised hundreds of npm and PyPI packages, delivering signed credential-stealing malware targeting developers worldwide.
AI Platform as Attack Vector: How Threat Actors Are Weaponizing Hugging Face to Deliver Infostealer Malware
HiddenLayer exposes a malicious Hugging Face repository impersonating OpenAI to distribute infostealer malware, signaling a dangerous new frontier in AI supply chain attacks.
Social Engineering Meets Silent Proxying: How Attackers Are Weaponizing ClickFix and PySoxy for Stealthy Long-Term Access
Threat actors are chaining ClickFix social engineering with PySoxy SOCKS5 proxying to establish persistent footholds that evade conventional detection. Here's what defenders need to know.
Cross-Platform RCS Encryption Is Here — But Is the Security Promise Already Being Tested?
Apple's iOS 26 brings end-to-end encrypted RCS messaging to iPhone-Android conversations. We analyze what this means for enterprise security, threat actors, and defenders.
The RCS Encryption Watershed: What iOS 26.5's Cross-Platform E2EE Really Means for Mobile Threat Models
Apple's iOS 26.5 brings default end-to-end encrypted RCS messaging between iPhone and Android, fundamentally reshaping the mobile interception threat landscape.
Dirty Frag: The Linux Kernel Exploit Quietly Targeting Enterprise Infrastructure
A new Linux privilege escalation flaw dubbed 'Dirty Frag' echoes the severity of Dirty Pipe and Copy Fail — and may already be under active exploitation in enterprise environments.
AI-Generated Zero-Day: Threat Actors Deploy First Known Machine-Crafted 2FA Bypass in the Wild
Google confirms threat actors used AI to discover and weaponize a zero-day 2FA bypass — marking a historic and dangerous shift in the offensive threat landscape.
Authentication Bypass in cPanel Weaponized: How Mr_Rot13 Is Quietly Owning Shared Hosting Infrastructure
A critical cPanel auth bypass flaw is being actively exploited by threat actor Mr_Rot13 to deploy the Filemanager backdoor across shared hosting environments.
TrickMo Goes Blockchain: Android Banking Trojan Hides C2 Traffic Inside TON Network
A new TrickMo variant routes command-and-control traffic through The Open Network blockchain, making traditional detection methods largely ineffective against this evolved threat.
The Algorithm Turns Adversarial: How LLMs Are Supercharging Exploit Development and Attack Automation
Threat actors are now leveraging large language models to accelerate exploit development and orchestrate complex attacks at scale, fundamentally shifting the attacker-defender dynamic.
The Purple Team Illusion: Why Your Collaborative Security Model Is Failing in Real Time
Most purple teams are just red and blue working in parallel, not together. Structural friction — not human error — is the real vulnerability draining your defenses.
Poisoned Downloads, Cloud Squatters, and Rootkits That Refuse to Die: This Week's Threat Landscape Is a Masterclass in Defender Fatigue
A Linux rootkit, macOS crypto stealer, and WebSocket-based skimmers dominated this week's threat reports. Here's what security teams need to know now.
The AI Exploit Threshold Has Been Crossed: How Hackers Are Using Generative AI to Forge Zero-Days
Google researchers confirm AI-assisted zero-day development against a web admin tool — a watershed moment signaling a fundamental shift in attacker capability.
The Rubicon Has Been Crossed: Threat Actors Now Wielding AI to Forge Zero-Day Exploits
Google's threat intelligence team has documented the first observed case of cybercriminals using AI to develop a zero-day exploit, marking a dangerous new era in offensive security.
Dirty Frag: How Two Linux Kernel Flaws Chain Into a Critical Privilege Escalation Threat
Two high-severity Linux kernel vulnerabilities, dubbed 'Dirty Frag' when chained, expose most Linux distributions to privilege escalation. Here's what defenders need to know.
TrickMo Goes Blockchain: Android Banking Trojan Weaponizes TON Network to Vanish Into Decentralized Infrastructure
A new TrickMo variant leverages The Open Network blockchain for covert C2 communications, making traditional domain-based detection nearly impossible for defenders.
Poisoned Ads, Hijacked Chats: How Attackers Are Using Claude.ai to Deliver Mac Malware
A sophisticated malvertising campaign weaponizes Google Ads and legitimate Claude.ai shared chats to trick Mac users into installing malware. Here's how it works.
Bleeding Llama: How CVE-2026-7482 Exposes 300,000+ Ollama Servers to Total Memory Compromise
A critical out-of-bounds read flaw in Ollama allows unauthenticated attackers to drain entire process memory. Over 300,000 servers are at risk globally.
Supply Chain Ambush: JDownloader's Official Site Weaponized to Deliver Python RAT to Millions of Users
JDownloader's official website was compromised to serve trojanized installers embedding a Python-based RAT, exposing users who trusted the official download source.
Trojan AI: How a Fake OpenAI Repository Weaponized Developer Trust to Deliver Infostealers
Threat actors exploited Hugging Face's trending algorithm using a fake OpenAI repository to distribute infostealer malware targeting Windows developers and AI researchers.
VoidStealer Tears Through Chrome's App-Bound Encryption — And It Won't Be the Last
VoidStealer malware has found yet another path around Google's App-Bound Encryption, exposing stored credentials and cookies to infostealer attacks.
7.3 Million Downloads Later: How Fake Call History Apps Weaponized the Play Store Against Users
28 fraudulent Android apps amassed 7.3M+ downloads by promising impossible call history access, then silently enrolled victims in paid subscriptions delivering fake data.
TCLBANKER Exposed: How a Evolved Brazilian Banking Trojan Is Weaponizing WhatsApp and Outlook to Siege 59 Financial Platforms
TCLBANKER, a newly documented Brazilian banking trojan, targets 59 financial platforms by spreading via WhatsApp and Outlook worms. Here's what defenders need to know.
GeForce NOW Breach Exposes NVIDIA's Regional Data Handling Blind Spots
NVIDIA confirms a GeForce NOW data breach impacting Armenian users, raising urgent questions about regional data segmentation, third-party vendor risk, and cloud gaming infrastructure security.
The Knowledge Gap That Kills: How Attackers Weaponize Digital Illiteracy Against Everyday Users
Threat actors don't just exploit software — they exploit ignorance. Understanding core digital security concepts is now a frontline defense against modern cyber threats.
PamDOORa: The $1,600 Linux Backdoor That Turns Your Own Authentication System Against You
A new PAM-based Linux backdoor sold on Russian cybercrime forums weaponizes SSH authentication itself, granting silent persistent access via magic passwords and stealth port combinations.
Dirty Frag: The Linux Zero-Day That Hands Attackers the Keys to Every Major Distro
A new Linux privilege escalation zero-day dubbed Dirty Frag grants local attackers full root access across all major distributions with a single command. Here's what defenders need to know.
Zero-Day in Ivanti's Mobile Manager Forces Emergency Federal Patch Deadline
A high-severity zero-day in Ivanti EPMM is actively exploited, prompting CISA to issue a rare four-day patch mandate to all U.S. federal agencies.
RansomHouse Claims Trellix Source Code Breach: When the Defender's Vault Falls Open
RansomHouse hackers claim to have breached Trellix's source code repository, leaking proof images. Here's what it means when a cybersecurity vendor's crown jewels are exposed.
ClickFix Social Engineering Campaign Weaponizes Clipboard to Deploy Vidar Infostealer at Scale
Australia's ACSC warns of ClickFix attacks delivering Vidar infostealer malware. CypherByte breaks down the technique, impact, and what defenders must do now.
CallPhantom Exposed: How Fake Call Log Apps Silently Drained Millions of Android Users
Fraudulent Android apps promising call history lookup for any number quietly subscribed over 7 million users to premium services. Here's how CallPhantom worked.
Cloud Raiders, Worm Wars, and a Zero-Day No One Patched: This Week's Most Dangerous Threats Decoded
A new worm hijacks cloud environments while evicting competitors, a PAN-OS zero-day sits unpatched, and two major threat actors face justice. Here's what defenders must know.
Zero-Click Before Login: How CVE-2025-68670 Handed Attackers the Keys to xrdp Servers
A pre-authentication RCE in xrdp means attackers never need credentials to own a remote desktop server. Here's what that means and what to do now.
Dirty Frag: The Linux Kernel Privilege Escalation That Makes Copy Fail Look Tame
A new unpatched LPE vulnerability dubbed Dirty Frag threatens root access across major Linux distributions, succeeding the already-exploited Copy Fail flaw.
PCPJack's Parquet Gambit: How a Stealth Cloud Credential Thief Evades Detection With Big Data Tricks
PCPJack malware weaponizes Apache Parquet files for pre-validated target discovery across cloud environments, stealing secrets with surgical precision.
TCLBanker: The Self-Replicating Banking Trojan Hiding Inside a Logitech Installer
TCLBanker targets 59 financial platforms by masquerading as a legitimate Logitech tool, then self-spreads via WhatsApp and Outlook to maximize its reach.
ShinyHunters Strikes Again: How a Mass Portal Defacement Campaign Exposed Higher Education's Crumbling Security Perimeter
ShinyHunters breached Instructure's Canvas LMS a second time, defacing login portals across hundreds of universities in a calculated extortion campaign targeting higher education.
PCPJack: The Worm-Like Credential Vacuum Quietly Draining Cloud Environments
PCPJack is a multi-vector credential theft framework exploiting five CVEs to spread worm-like across cloud infrastructure, harvesting secrets from dozens of service categories.
Ivanti EPMM RCE Flaw Under Active Fire: Admin-Level Takeover Now a Reality
CVE-2026-6973 exposes Ivanti EPMM to remote code execution via improper input validation. Active exploitation confirmed — mobile device fleets at critical risk.
Zero-Day in the Palm of Your Hand: Ivanti EPMM RCE Flaw Exploited Before Patch Existed
A high-severity RCE zero-day in Ivanti's EPMM is being actively exploited, putting enterprise mobile fleets at critical risk before defenders could react.
ClickFix Exploits Human Trust: How Vidar Stealer Is Bypassing Australia's Defenses
Australian authorities warn of a surge in ClickFix social engineering attacks delivering Vidar Stealer malware, targeting credentials and sensitive data across enterprise environments.
PCPJack Worm Wages Turf War in the Cloud: Credential Theft Meets Competitor Eviction
PCPJack is a newly identified worm framework targeting exposed cloud infrastructure, stealing credentials while systematically purging rival TeamPCP malware from compromised hosts.
ZiChatBot Uncovered: How Three PyPI Packages Weaponized Zulip APIs to Silently Compromise Windows and Linux Systems
Three trojanized PyPI packages delivered the novel ZiChatBot malware using Zulip APIs as covert C2 channels, targeting both Windows and Linux systems simultaneously.
Critical PAN-OS Buffer Overflow Grants Root Access: Espionage Campaigns Already Underway
A critical buffer overflow in PAN-OS User-ID Authentication Portal is being actively exploited, enabling unauthenticated RCE and root-level access across enterprise network perimeters.
Beagle Backdoor: How Threat Actors Are Weaponizing AI Hype to Compromise Windows Systems
A convincing fake Claude AI site is distributing a previously undocumented Windows backdoor named Beagle, exploiting user trust in legitimate AI tools.
Silent for 30 Days: State-Sponsored Actors Weaponized a Critical PAN-OS Zero-Day Before Anyone Was Watching
A critical PAN-OS firewall zero-day was silently exploited by suspected state-sponsored threat actors for nearly a month before detection, exposing enterprise network perimeters worldwide.
Inside the Laptop Farm Network: How North Korea Quietly Infiltrated Dozens of American Companies
Two Americans were sentenced for running laptop farms that helped North Korean IT workers fraudulently infiltrate nearly 70 U.S. companies, exposing a sophisticated state-sponsored employment fraud operation.
The Exploit Economy Accelerates: Inside Q1 2026's Most Dangerous Vulnerability Trends and APT Command Infrastructure
Q1 2026 saw a sharp rise in published exploits and APT C2 framework abuse. Here's what the data reveals about the shifting threat landscape.
vm2 Sandbox in Flames: Twelve Critical Flaws Let Attackers Escape Node.js Isolation and Execute Arbitrary Code
A dozen critical vulnerabilities in the vm2 Node.js library allow complete sandbox escape and arbitrary code execution, threatening platforms built on untrusted code execution.
Threat Actors Weaponize Vercel's Trusted Infrastructure to Bypass Enterprise Email Defenses
Cofense researchers report a significant surge in phishing campaigns exploiting Vercel's legitimate developer platform to evade security filters and harvest credentials at scale.
xlabs_v1: The Mirai Descendant Weaponizing Android Debug Bridge to Build a Silent DDoS Army
A newly identified Mirai-derived botnet dubbed xlabs_v1 is hijacking IoT devices through exposed ADB interfaces, assembling a distributed attack platform with serious infrastructure implications.
Trojanized by Design: Inside the DAEMON Tools Supply Chain Compromise
Disc Soft's DAEMON Tools Lite was weaponized in a confirmed supply chain attack. Here's what happened, who's at risk, and what defenders must do now.
CloudZ RAT Weaponizes Microsoft Phone Link to Silently Drain Your SMS One-Time Passwords
Cisco Talos exposes CloudZ RAT and its Pheno plugin abusing Microsoft Phone Link to intercept SMS OTPs — bypassing 2FA without touching the victim's phone.
The Forgotten Targets: How Under-Resourced Organizations Became Cybercrime's Easiest Prey — And What's Changing
Schools, local governments, and nonprofits face surging cyberattacks with minimal defenses. UC Berkeley's CLTC is working to close the gap with free tools and research.
OceanLotus Poisons the Well: State-Backed APT Weaponizes PyPI to Deploy ZiChatBot Malware
Kaspersky researchers expose OceanLotus embedding ZiChatBot malware in PyPI wheel packages, targeting Windows and Linux developers in a sophisticated supply chain attack.
Critical PAN-OS Buffer Overflow Weaponized in the Wild: Unauthenticated RCE Puts Enterprise Networks at Immediate Risk
A critical buffer overflow in Palo Alto PAN-OS (CVE-2026-0300, CVSS 9.3) is being actively exploited, enabling unauthenticated remote code execution on exposed firewalls.
CloudZ RAT Weaponizes Windows Phone Link to Intercept OTPs and Drain Credentials
A newly analyzed intrusion campaign deploys the CloudZ RAT alongside an undocumented Pheno plugin to silently harvest credentials and intercept one-time passwords via Windows Phone Link.
Google's Public Ledger Defense: How Binary Transparency Rewires Android's Supply Chain Trust Model
Google's expanded Binary Transparency initiative creates a cryptographic public ledger for Android apps, fundamentally shifting how supply chain integrity is verified at scale.
Zero-Day in PAN-OS Authentication Portal Grants Attackers Full Firewall Control
A critical unpatched RCE vulnerability in Palo Alto Networks PAN-OS is being actively exploited, putting enterprise firewalls at risk of full compromise.
Beyond the Inbox: How Source-Agnostic Investigation Is Redefining Enterprise Threat Detection
Proofpoint's new investigation framework breaks down telemetry silos, enabling security teams to trace modern threats across every data source — not just email.
ScarCruft's Poisoned Playground: How a North Korean APT Weaponized Gaming Software in a Dual-Platform Supply-Chain Attack
North Korea's ScarCruft APT group has embedded backdoors into Windows and Android gaming software, targeting ethnic Korean communities in the Yanbian region via supply-chain compromise.
Edge in the Shadows: How Microsoft's Browser Leaks Enterprise Credentials Through Process Memory
Microsoft Edge stores plaintext passwords in process memory, enabling credential theft by admin-level attackers. Enterprise security teams face serious lateral movement risks.
When the Defender's Blueprint Is Stolen: Inside the Trellix Source Code Breach and What It Means for Supply Chain Security
A breach of Trellix source code may have handed attackers a roadmap to bypass enterprise defenses. Here's what security teams need to know now.
ScarCruft's BirdCall Evolves: How a Trojanized Gaming Platform Became a Cross-Platform Espionage Weapon
North Korea's ScarCruft compromised a video game platform to deploy BirdCall malware across Android and Windows, targeting ethnic Koreans in China in a sophisticated supply chain attack.
The AI Security Debt Is Already Due: One Million Exposed Services and Counting
A mass scan of exposed AI infrastructure reveals catastrophic misconfigurations at scale. Self-hosted LLMs are becoming the easiest entry points in enterprise networks.
Critical MetInfo CMS Flaw Enables Unauthenticated RCE — Active Exploitation Confirmed
A CVSS 9.8 PHP code injection flaw in MetInfo CMS versions 7.9–8.1 is being actively exploited, enabling full server compromise without any authentication.
Dragon's Reach: How UAT-8302 Is Weaponizing Shared APT Malware to Quietly Compromise Governments Across Two Continents
China-linked UAT-8302 is hitting government targets in South America and southeastern Europe with custom shared malware — a cross-regional espionage campaign that demands attention.
Trojanized Trust: How DAEMON Tools' Own Website Became a Malware Distribution Platform
Kaspersky researchers uncovered a sophisticated supply chain attack embedding malware in legitimate, digitally signed DAEMON Tools installers served from the official website.
Inside QLNX: The Stealthy Linux Implant Built to Compromise Developers From the Inside Out
A newly discovered Linux implant called Quasar Linux combines rootkit, backdoor, and credential-stealing capabilities to silently devastate developer environments.
Double Free, Double Trouble: Inside Apache's Critical HTTP/2 Flaw That Could Hand Attackers the Keys
CVE-2026-23918 exposes a double-free memory corruption bug in Apache's HTTP/2 stack, scoring 8.8 CVSS and opening the door to DoS and potential remote code execution.
APT37's BirdCall: North Korea Weaponizes a Game Platform to Deploy Android Backdoors
North Korean threat group APT37 is distributing BirdCall Android malware through a compromised video game platform in a sophisticated supply-chain attack targeting mobile devices.
Silent Bridge: How CloudZ's New Pheno Plugin Turns Microsoft Phone Link Into an OTP Harvesting Machine
A new CloudZ RAT plugin called Pheno hijacks Microsoft Phone Link to silently intercept SMS messages and OTPs from paired mobile devices, bypassing traditional 2FA entirely.
Google's $1.5M Android Bounty Overhaul Signals a New Era in Mobile Exploit Economics
Google restructures its Android and Chrome bug bounty programs, offering up to $1.5M for elite exploits while cutting payouts for AI-discoverable flaws. Here's what it means.
Dead Code Walking: How EOL Software Creates Invisible Vulnerability Corridors in Your Stack
Your SCA scanner gives you a clean bill of health — but if your stack includes end-of-life packages, you may be wide open. Here's what the tools miss.
Silent Cartographers: How Kochava Mapped 300 Million Lives Without Their Knowledge
The FTC's landmark ban on Kochava's location data sales exposes the hidden infrastructure of mobile surveillance capitalism — and what it means for enterprise security teams.
When the Defenders Fall: Inside the Trellix Source Code Breach and What It Means for Enterprise Security
Security vendor Trellix confirmed unauthorized access to its source code repositories, raising urgent questions about supply chain integrity and trust in security tooling.
Supply Chain Ambush: North Korean APT ScarCruft Weaponizes Gaming Platform to Spy on Yanbian Community
North Korean APT ScarCruft compromised a Yanbian gaming site, deploying trojanized Windows and Android apps to surveil ethnic Korean users across the border.
Silent Entry: How a Debug API Backdoor Became a Critical RCE Gateway in Weaver E-cology
CVE-2026-22679 (CVSS 9.8) allows unauthenticated RCE in Weaver E-cology OA platforms via an exposed debug API endpoint — and active exploitation is already underway.
cPanel Zero-Day Frenzy: Auth-Bypass Flaw Puts Millions of Hosted Sites in the Crosshairs
A critical cPanel authentication-bypass vulnerability sparked an exploit frenzy within hours of disclosure, with evidence suggesting zero-day exploitation predates the public advisory by weeks.
Silent Foothold: Threat Actors Weaponize Critical Weaver E-cology Flaw in Ongoing Enterprise Espionage Campaign
A critical vulnerability in Weaver E-cology OA has been actively exploited since March, enabling attackers to execute discovery commands on enterprise networks.
ABCDoor Uncovered: Silver Fox APT Weaponizes Tax Season Against Indian and Russian Organizations
China-backed Silver Fox APT deploys the undocumented ABCDoor backdoor and ValleyRAT across 1,600+ socially engineered messages targeting India and Russia.
Breach Is the Old Game — Attackers Are Now Occupying Your Infrastructure
From AI-crafted phishing to silent Android spyware and kernel-level Linux exploits, this week's threat landscape signals a fundamental shift in attacker doctrine.
Silent Gateway: Critical Authentication Bypass in MOVEit Automation Exposes Enterprise File Transfer Infrastructure
Progress Software patches a critical authentication bypass in MOVEit Automation, threatening enterprise MFT pipelines. Security teams must act immediately.
When the Defenders Fall: Inside the Trellix Source Code Repository Breach
Attackers breached Trellix's source code repository, exposing proprietary security tooling. Here's what this means for the broader threat landscape and your defenses.
Silent Root Access: Unknown Threat Actor Weaponizes Critical cPanel Flaw Against Governments and MSPs
A previously unknown threat actor is exploiting a critical cPanel vulnerability to target government, military, and MSP networks across Southeast Asia and beyond.
Silver Fox's ABCDoor: How a Chinese Threat Actor Is Weaponizing Tax Season Across Two Continents
China-linked Silver Fox targets India and Russia with ABCDoor malware via tax-themed phishing, revealing a calculated cross-border espionage escalation.
Zero-Day to Root: How 'Copy Fail' Became Linux's Most Dangerous Weekend Surprise
CISA confirmed active exploitation of the 'Copy Fail' Linux flaw within 24 hours of PoC release, giving attackers a direct path to full root access on vulnerable systems.
They Don't Need to Hack In: How Fraudsters Are Weaponizing Identity Against Credit Unions
Fraudsters are bypassing credit union security entirely by exploiting legitimate business processes. Stolen identities and structured loan fraud are the new breach vector.
Inside the Telegram Mini App Fraud Machine: Crypto Scams, Brand Impersonation, and Android Malware at Scale
Threat actors are weaponizing Telegram's Mini App ecosystem to run large-scale crypto fraud, impersonate trusted brands, and silently deliver Android malware to unsuspecting users.
Root Access in the Wild: CVE-2026-31431 Signals a New Wave of Linux Privilege Escalation Attacks
CISA's KEV addition of CVE-2026-31431 confirms active exploitation of a critical Linux LPE flaw. Here's what security teams need to know now.
Mass Exploitation Underway: "Sorry" Ransomware Weaponizes Critical cPanel Zero-Day to Devastate Web Hosts
A critical cPanel vulnerability tracked as CVE-2026-41940 is being mass-exploited by the "Sorry" ransomware group, threatening millions of hosted websites globally.
Inside Kamakiri: How a MediaTek Boot ROM Flaw Unlocks Millions of Android Devices
The kamakiri exploit leverages a fundamental flaw in MediaTek's Boot ROM, enabling full device compromise before the OS even loads. Here's what security teams need to know.
Inside the Trellix Source Code Breach: When a Cybersecurity Vendor Becomes the Target
Trellix confirms unauthorized access to its source code repository — a breach that carries cascading implications for enterprise security customers worldwide.
Sleeper Packages, Stolen Secrets: How BufferZoneCorp Weaponized Ruby and Go to Hijack CI Pipelines
A stealthy supply chain campaign used poisoned Ruby gems and Go modules to steal credentials, tamper with GitHub Actions, and plant SSH backdoors in CI environments.
AI-Assisted Research Surfaces a Nine-Year-Old Zero-Day Buried Deep in the Linux Kernel
A researcher at offensive security firm Theori used AI tooling to uncover a dormant zero-day vulnerability hiding in the Linux kernel since 2017. Here's what that means for defenders.
Dormant for Nine Years: How AI Exposed a Critical Linux Flaw Hiding in Plain Sight
An AI-assisted code scan uncovered a nearly decade-old vulnerability in the Linux kernel. A 10-line proof-of-concept exploit confirms the risk is real — and was always there.
Copy Fail: Seven Years of Linux Kernels Exposed to Silent Root Takeover
A newly published exploit dubbed "Copy Fail" allows unprivileged local attackers to gain root on major Linux distros running kernels since 2017. Here's what defenders need to know.
Operation Roblox Breach: How Three Suspects Hijacked 610,000 Gaming Accounts via Malware Networks
Three suspects arrested for distributing malware that compromised over 610,000 Roblox accounts, with stolen credentials sold on Russian dark web marketplaces.
Force Over Diplomacy: How America's Security Pivot Reshapes Cyber Threat Landscapes Across the Western Hemisphere
The US shift to force-driven security strategy against cartels and rival state actors creates new cyber escalation risks. Here's what security teams need to watch.
Copy Fail: How Four Bytes Can Hand an Attacker the Keys to Your Linux Server
CVE-2026-31431 lets any unprivileged local user write four controlled bytes into Linux's page cache — enough to escalate to root on major distributions.
Zero-Day Auth Bypass in cPanel Puts Millions of Hosted Sites at Immediate Risk
CVE-2026-41940 is being actively exploited in the wild, allowing attackers to bypass authentication in cPanel, WHM, and WP Squared since late February. Patch immediately.
Maximum Severity: How Gemini CLI's CVSS 10 Flaw Turned AI Tooling Into a Remote Code Execution Gateway
A CVSS 10.0 flaw in Google's Gemini CLI allowed unauthenticated attackers to hijack AI configuration and execute arbitrary commands on host systems.
AI-Powered Audit Exposes 38 Critical Flaws in Healthcare EHR Platform Used by 100,000 Providers
An AI-assisted security audit of OpenEMR uncovered 38 vulnerabilities enabling RCE, database compromise, and mass patient data theft across 100,000+ healthcare providers.
Silent Miners in the Scheduler: How Attackers Are Hijacking Qinglong to Steal Developer Compute
Two authentication bypass flaws in the Qinglong task scheduler are being actively exploited to deploy cryptominers on developer servers. Here's what you need to know.
North Korea Used an AI to Hide Malware in an npm Package — and Almost Got Away With It
DPRK threat actors planted a RAT inside a legitimate-looking npm SDK, using Claude Opus to craft the malicious code. Here's what defenders need to know.
Operation Mini Shai-Hulud: How Threat Actors Buried Credential Stealers Inside SAP's npm Ecosystem
A sophisticated supply chain campaign dubbed "mini Shai-Hulud" has compromised SAP-related npm packages, injecting credential-stealing malware targeting enterprise JavaScript developers.
Silent Entry: Critical cPanel Auth Bypass Lets Attackers Seize Hosting Infrastructure Without Credentials
A critical authentication bypass in cPanel and WHM threatens millions of hosted websites. Emergency patches are live — unpatched servers remain at severe risk.
Lotus Wiper: How Destructive LotL Malware Is Systematically Dismantling Venezuela's Energy Infrastructure
A sophisticated wiper campaign is targeting Venezuelan energy utilities using living-off-the-land techniques to evade detection while destroying critical operational data at scale.
Path Traversal Under Fire: ConnectWise ScreenConnect Vulnerability Joins CISA's Most Wanted List
CISA adds CVE-2024-1708, a high-severity path traversal flaw in ConnectWise ScreenConnect, to its KEV catalog amid confirmed active exploitation in the wild.
Zero-Day in the Wild: CISA Forces Federal Hand on Critical Windows Exploit
CISA has mandated federal agencies patch an actively exploited Windows zero-day. Here's what the attack chain looks like and why enterprise defenders must act now.
Silent Breach: How a Single GitHub RCE Flaw Put Millions of Private Repositories at Risk
A critical RCE vulnerability in GitHub could have exposed millions of private repositories to attackers. Here's what happened, how it worked, and what defenders must do now.
One OAuth Token, Unlimited Blast Radius: What the Vercel Breach Reveals About Shadow AI and Identity Sprawl
The Vercel breach exposes how a single compromised OAuth integration can cascade into enterprise-wide exposure. Shadow AI adoption is quietly multiplying your attack surface.
36-Hour Window: How Threat Actors Weaponized LiteLLM's Critical SQL Injection Before Defenders Could React
CVE-2026-42208 in BerriAI's LiteLLM was actively exploited within 36 hours of disclosure, exposing AI infrastructure to database manipulation at scale.
North Korea's BlueNoroff Is Weaponizing Your Own Face Against You
BlueNoroff is using AI-generated avatars and stolen victim footage from fake Zoom calls to turn cryptocurrency executives into unwitting malware lures.
AI Gateway Under Fire: Critical Pre-Auth SQL Injection in LiteLLM Puts LLM Infrastructure at Risk
A critical pre-authentication SQL injection flaw in LiteLLM is being actively exploited, exposing AI gateway credentials and sensitive LLM routing data to attackers.
GlassWorm's Self-Replicating VS Code Extensions Are Quietly Poisoning the Developer Supply Chain
Attackers are seeding Open VSX with self-propagating malware disguised as legitimate VS Code extensions. Here's what security teams need to know now.
Vidar Fills the Vacuum: How One Infostealer Seized the Underground After Law Enforcement Dismantled Its Rivals
With Lumma and Rhadamanthys disrupted by law enforcement, Vidar has surged to dominate the infostealer market — and defenders need to take notice now.
The Exploit Window Is Closing: How AI-Powered Vulnerability Discovery Is Rewriting Defensive Playbooks
AI models like Claude Mythos can now find and weaponize vulnerabilities faster than patch cycles allow. NDR and behavioral detection are no longer optional.
When Robots Go Rogue: CVE-2026-25874 Opens Hugging Face's LeRobot to Unauthenticated Remote Code Execution
A critical deserialization flaw in Hugging Face's LeRobot platform scores 9.3 CVSS, exposing 24,000+ starred robotics projects to unauthenticated RCE attacks.
LofyGang Returns: Brazilian Threat Actors Weaponize Minecraft Culture to Deploy LofyStealer
After three years of silence, LofyGang is back with a new stealer malware disguised as a Minecraft cheat tool, targeting gamers through social engineering and voluntary execution.
One Push to Own Them All: Inside the Critical GitHub RCE Flaw That Turns Git Into a Weapon
A single git push command is all it takes to achieve remote code execution on GitHub. Here's what CVE-2026-3854 means for every engineering team on the planet.
Silent Session Wipe: What Microsoft's Outlook Outage Really Means for Mobile Credential Security
A global Outlook outage forced mass iPhone credential resets, exposing the fragile trust chain between cloud auth systems and mobile mail clients.
Windows Shell Spoofing Flaw CVE-2026-32202 Moves From Patched to Actively Exploited — What Security Teams Must Do Now
Microsoft has confirmed active in-the-wild exploitation of CVE-2026-32202, a Windows Shell spoofing vulnerability. Patch immediately and audit exposed systems.
AI Agent Role in Microsoft Entra ID Opens Door to Silent Service Principal Takeover
A privileged built-in role designed for AI agent identity management in Microsoft Entra ID could be weaponized for privilege escalation and full service principal takeover.
Inside UNC6692: How Attackers Are Weaponizing Microsoft Teams, AWS, and Custom Malware in a Single Campaign
UNC6692 blends Teams-based social engineering, AWS S3 abuse, and custom "Snow" malware into a dangerous multi-vector campaign targeting enterprise environments.
GlassWorm's Sleeper Cell Strategy: How 73 Dormant Extensions Hijacked the OpenVSX Ecosystem
The GlassWorm campaign has returned, planting 73 malicious "sleeper" extensions in OpenVSX that activate after a benign install — redefining developer supply chain risk.
Trojan Inbox: How Attackers Hijacked Robinhood's Own Email Infrastructure to Phish Its Users
Threat actors exploited a flaw in Robinhood's account creation flow to inject phishing content into legitimate platform emails, bypassing spam filters entirely.
PhantomRPC: Five Exploit Paths Hidden Inside Windows' Own RPC Architecture
An unpatched architectural flaw in Windows RPC lets attackers escalate privileges via five distinct exploit paths. No CVE assigned — but the risk is real and immediate.
Old Tricks, New Damage: Fast16 Malware and the Week the Threat Landscape Broke Again
Fast16 malware, fake help desks, and abused remote tools dominated this week's threat landscape — proving attackers don't need new tricks to cause serious damage.
Before Stuxnet, There Was fast16: The Malware That Rewrote Cyber Warfare History
A newly uncovered malware framework called fast16 predates Stuxnet by five years, fundamentally rewriting our understanding of state-sponsored cyber sabotage.
The CAPTCHA Trap: How Fake Verification Pages Are Quietly Emptying Mobile Bills and Crypto Wallets at Scale
Threat actors are weaponizing fake CAPTCHA pages to trigger IRSF charges and funnel victims into crypto scams across 120 documented Keitaro campaigns.
GlassWorm v2 Hides in Plain Sight: 73 Fake VS Code Extensions Weaponize Developer Trust
73 cloned VS Code extensions on Open VSX deliver GlassWorm v2 infostealer malware, targeting developers through a sophisticated supply chain campaign.
PhantomCore's Triple-Threat Exploit Chain: How a Pro-Ukrainian Hacktivist Group Is Systematically Dismantling Russian Enterprise Video Infrastructure
PhantomCore leverages a chained three-vulnerability exploit against TrueConf servers to achieve RCE on Russian networks. Here's what defenders need to know.
Before Stuxnet: The Fast16 Malware That May Have Quietly Rewritten Cyberwar History
Newly identified "fast16" malware suggests nation-state sabotage of Iran's nuclear program predates Stuxnet, reshaping our understanding of ICS cyberwarfare origins.
OAuth Token Hijacking and the Supply Chain Blindspot: How Vercel Got Burned by a Trusted Partner
Stolen OAuth tokens from a third-party AI platform gave attackers unauthorized access to Vercel's internal systems, exposing the fragility of connected-app trust chains.
The Human Exploit: Why Romance Scam Victims Fall Through the Cracks of Every System Designed to Help Them
Romance scams are sophisticated social engineering operations, yet victims face a fragmented response from law enforcement, banks, and government. Here's why that must change.
UNC6692's "Snow" Malware Suite Exploits Microsoft Teams Trust to Deliver Multi-Stage Backdoor
Threat group UNC6692 weaponizes Microsoft Teams social engineering to deploy Snow, a custom malware suite featuring a browser extension, tunneler, and backdoor.
Before Stuxnet There Was fast16: The Ghost Framework That Rewrote ICS Sabotage History
A newly uncovered Lua-based cyberweapon predating Stuxnet by years targeted precision engineering software — rewriting what we know about early ICS sabotage doctrine.
Four Vulnerabilities Under Active Exploitation: CISA's KEV Update Exposes Critical Gaps in Remote Access, Digital Signage, and Consumer Routing Infrastructure
CISA has added four actively exploited flaws across SimpleHelp, Samsung MagicINFO 9, and D-Link routers to its KEV catalog, with federal remediation deadlines set for May 2026.
The Double-Edged Sword: How Windows Update's New Restart Controls Could Reshape Enterprise Patch Compliance
Microsoft's new Windows Update restart controls promise less disruption — but security teams must weigh user convenience against dangerous patch delay risks.
Firestarter: The Ghost in Cisco's Firewall That Refuses to Die
A custom implant called Firestarter is surviving firmware updates and security patches on Cisco firewall hardware, raising serious questions about perimeter security trust.
FIRESTARTER Backdoor Haunts Federal Cisco Firepower Device — And Survives Every Patch Attempt
A sophisticated backdoor called FIRESTARTER compromised a federal Cisco Firepower device in September 2025, persisting through security patches and alarming government cybersecurity agencies.
10,000 Zimbra Servers Under Active Fire: How a Silent XSS Flaw Became a Mass Exploitation Campaign
Over 10,000 Zimbra Collaboration Suite servers remain unpatched against an actively exploited XSS vulnerability. Here's what defenders need to know now.
Pack2TheRoot: How PackageKit's Daemon Became a Root Access Highway for Local Attackers
A critical flaw in the PackageKit daemon lets local Linux users escalate to root by abusing package install and removal workflows. Here's what defenders need to know.
Microsoft's Entra Passkey Rollout: The End of Password-Based Phishing or a New Attack Surface?
Microsoft is deploying FIDO2 passkey authentication across Entra-protected Windows environments. We break down what this means for enterprise security teams.
500,000 UK Health Records Surface on Chinese Ecommerce: Inside the Biobank Breach
Health records from 500,000 UK Biobank volunteers appeared for sale on Chinese ecommerce platforms. We break down what happened, who's at risk, and what defenders must do now.
13 Hours to Zero: How CVE-2026-33626 Turned LMDeploy Into an Open Door for Attackers
A critical SSRF flaw in LMDeploy was weaponized in under 13 hours post-disclosure, exposing AI infrastructure worldwide to data theft and internal network attacks.
Tropic Trooper's Silent Takeover: Trojanized PDF Reader Deploys C2 Beacons Through VS Code Tunnels
Tropic Trooper weaponizes SumatraPDF to deploy AdaptixC2 beacons, abusing VS Code tunnels for stealthy remote access against Chinese-speaking targets.
Worm-Propagating npm Packages Are Silently Harvesting Developer Credentials at Scale
Malicious npm packages with worm-like self-propagation are actively targeting developer environments to steal credentials. Here's what security teams need to know.
GopherWhisper: Inside the China-Aligned APT Quietly Burrowing Through Mongolia's Government Networks
ESET Research has exposed GopherWhisper, a sophisticated China-aligned threat actor systematically targeting Mongolian governmental institutions with a multi-stage malware arsenal.
PhantomRPC: How Attackers Are Weaponizing Windows' Own RPC Architecture Against Itself
A newly discovered technique lets attackers spawn a fake RPC server to hijack Windows privilege escalation. Here's what security teams need to know.
Zero-Auth File Upload: How the Breeze Cache Plugin Became an Open Door for Attackers
A critical unauthenticated file upload flaw in the Breeze Cache WordPress plugin is being actively exploited, giving attackers full server access without credentials.
The Déjà Vu Attack Surface: Why $290M DeFi Heists and macOS LotL Abuse Keep Succeeding With the Same Old Tricks
From a $290M DeFi hack to macOS living-off-the-land abuse and rogue SIM farms, threat actors keep winning with recycled techniques defenders already know.
The IT Helpdesk That Wasn't: How UNC6692 Weaponized Microsoft Teams Trust to Deploy SNOW Malware
A newly identified threat cluster is exploiting enterprise trust in IT helpdesk communications via Microsoft Teams to silently deploy a custom malware suite dubbed SNOW.
Digging for Data: How State-Sponsored Hackers Are Targeting the Critical Minerals Supply Chain
Critical minerals have become the new battleground for nation-state cyber operations. Here's what security teams protecting energy and mining infrastructure need to know.
Ghost Notifications: How a Silent iOS Logging Flaw Let Deleted Signal Messages Come Back From the Dead
A subtle iOS notification retention bug quietly preserved "deleted" Signal messages on-device, enabling forensic recovery by law enforcement — and potentially any attacker with physical access.
Vercel's Expanding Breach: How One Compromised Vendor Became a Supply Chain Crisis
Vercel's investigation into the Context.ai-linked breach reveals more compromised customer accounts, exposing how modern deployment platforms become high-value lateral movement targets.
Zero-Delay Warfare: How AI Has Collapsed the Exploit Window to Near Zero
AI-powered attackers now find and exploit vulnerabilities faster than humans can patch them. The era of the Collapsing Exploit Window demands a fundamentally different defense posture.
BlueHammer Zero-Day: When Your Defender Becomes the Attack Surface
A critical privilege escalation flaw in Microsoft Defender is being exploited in active zero-day attacks, prompting CISA to mandate federal patching. Here's what you need to know.
AI Agents Under Siege: Ten Live Prompt Injection Payloads Expose the Fragile Trust Layer of Autonomous Systems
Forcepoint researchers discovered 10 active prompt injection payloads targeting AI agents in the wild, revealing how attackers are systematically weaponizing autonomous AI pipelines.
Ghost in the Notification Tray: How iOS Silently Retained Deleted Message Data
A patched iOS flaw kept deleted message notifications accessible long after users believed their data was gone. Here's what actually happened under the hood.
Dead Routers Walking: Mirai Botnet Weaponizes Unpatched D-Link DIR-823X Flaw at Scale
A new Mirai campaign is actively exploiting CVE-2025-29635 in end-of-life D-Link DIR-823X routers. Affected devices will never receive patches, making botnet enlistment inevitable.
Ghost Notifications: How a Silent iOS Flaw Kept Your Deleted Alerts Alive
A quietly patched iOS flaw allowed deleted notifications to persist in device storage, raising serious concerns about data residency and forensic exposure on Apple devices.
North Korea's 'Contagious Interview' Campaign Turns Developer Repos Into Self-Spreading RAT Factories
DPRK operatives are weaponizing compromised developer repositories to autonomously spread remote access trojans, blurring the line between targeted scam and worm-class threat.
Harvester's Linux GoGra Backdoor Weaponizes Microsoft Graph API as a Ghost Channel
The Harvester APT has deployed a new Linux GoGra backdoor variant targeting South Asia, using Microsoft Graph API and Outlook mailboxes as covert C2 infrastructure to evade perimeter defenses.
Before the Payload Lands: How AI Neutralized Three Zero-Day Supply Chain Attacks at Machine Speed
SentinelOne's AI-driven defense stopped three zero-day supply chain attacks without ever needing to identify the payload. Here's what that means for modern security.
LOTUSLITE Resurfaces: Mustang Panda Pivots to Indian Banking and Korean Policy Targets in Precision Espionage Campaign
A new LOTUSLITE variant attributed to Mustang Panda is actively targeting India's banking sector and South Korean policy circles in a focused cyber-espionage operation.
Critical ASP.NET Core Flaw Enables Full Privilege Escalation via Broken Cryptographic Verification
Microsoft's emergency patch for CVE-2026-40372 addresses a CVSS 9.1 cryptographic verification failure in ASP.NET Core that could hand attackers system-level privileges.
Lotus Wiper: Inside the Destructive Malware Campaign Dismantling Venezuela's Power Grid
A newly discovered data wiper dubbed Lotus Wiper is actively targeting Venezuela's energy sector in a sophisticated destructive campaign with geopolitical implications.
Critical ASP.NET Core Flaw Forces Microsoft Into Emergency Patch Mode — What's Really at Stake
Microsoft issued rare out-of-band patches for a critical ASP.NET Core privilege escalation flaw. Here's the full technical breakdown and what your team must do now.
GoGra's Linux Ghost: How Attackers Are Hiding Malware Inside Microsoft's Own Infrastructure
A Linux variant of the GoGra backdoor weaponizes Microsoft's Graph API and Outlook inboxes to deliver payloads, making malicious traffic nearly invisible to defenders.
Microsoft Teams Efficiency Mode: The Hidden Security Trade-offs Behind Resource Throttling
Microsoft's new Teams Efficiency Mode throttles CPU and memory on constrained hardware — but what security monitoring capabilities get quietly sacrificed in the process?
ProxySmart Exposed: How One Platform Is Powering an Industrial-Scale SIM Farm Underground Economy
Researchers have linked ProxySmart software to 90+ SIM farms enabling fraud at industrial scale. Here's what the infrastructure looks like and how to defend against it.
1,300+ SharePoint Servers Left Bleeding: The Spoofing Vulnerability That Won't Die
Over 1,300 Microsoft SharePoint servers remain exposed to an actively exploited spoofing vulnerability. Here's what defenders need to know right now.
NGate Returns: AI-Assisted Malware Hijacks NFC Payments by Hiding Inside Trojanized Apps
A new NGate variant trojanizes legitimate NFC payment apps to silently relay card data to attackers. ESET researchers suspect AI may have assisted in its development.
Turned Against You: How Attackers Are Weaponizing Windows Defender Itself
Three proof-of-concept exploits are actively turning Microsoft's built-in antivirus into an attack tool. Two remain unpatched, leaving millions of Windows systems exposed.
Inside The Gentlemen's Operation: How a Single SystemBC C2 Server Exposed 1,570+ Ransomware Victims
A compromised SystemBC C2 server linked to The Gentlemen RaaS operation has revealed a botnet of over 1,570 victims, exposing the full proxy-tunnel playbook behind modern ransomware delivery.
Prompt Injection to Sandbox Escape: How Google's AI Filesystem Agent Became an RCE Vector
A sanitization flaw in Google's AI-based Antigravity tool allowed attackers to inject prompts, escape the sandbox, and execute arbitrary code — exposing the fragile security model of agentic AI.
Trusted Access Weaponized: How CVE-2026-1731 Turns Bomgar RMM Into a Ransomware Delivery Rail
A critical RCE flaw in Bomgar's RMM tooling is being actively exploited to deploy ransomware and compromise downstream supply chains at scale.
BRIDGE:BREAK: 22 Flaws Turn Industrial Serial Bridges Into Invisible Attack Vectors
22 vulnerabilities in Lantronix and Silex serial-to-IP converters expose ~20,000 devices to hijacking. Here's what defenders need to know.
Lotus Wiper: The Silent Destroyer Targeting Venezuela's Critical Energy Grid
A newly discovered data-wiping malware named Lotus struck Venezuelan energy and utility firms, signaling a dangerous evolution in destructive cyberattacks against critical infrastructure.
NFC Pickpocketing Goes Digital: NGate Malware Turns Android Into a Card Skimmer
NGate malware weaponizes a trojanized HandyPay app to silently steal NFC card data and PINs from Brazilian victims, enabling real-world ATM fraud.
Prompt Injection Meets File System Access: How Google's Antigravity IDE Became a Code Execution Gateway
A chained vulnerability in Google's Antigravity agentic IDE allowed attackers to bypass Strict mode protections via prompt injection and unsanitized file search inputs, enabling arbitrary code execution.
NGate Returns: Trojanized HandyPay App Weaponizes NFC Relay Attacks Against Brazilian Banking Users
A new NGate variant trojanizes the legitimate HandyPay app to silently relay NFC card data and harvest PINs from Brazilian Android users.
The Front Door Is Wide Open: How Identity-Based Attacks Made Exploits Obsolete
Attackers no longer need zero-days when stolen credentials work just as well. Identity-based intrusions are now the dominant initial access vector in modern breaches.
NGate Returns: Trojanized HandyPay App Weaponizes NFC to Silently Drain Payment Cards
A dangerous new NGate variant hides inside a fake HandyPay app to intercept NFC payment data, enabling real-world card cloning without physical access.
6,400 Apache ActiveMQ Servers Under Active Attack: Code Injection Flaw Opens Door to Full System Compromise
Over 6,400 internet-exposed Apache ActiveMQ servers remain vulnerable to an actively exploited high-severity code injection flaw enabling remote takeover.
Federal Alarm: Cisco Catalyst SD-WAN Manager Flaw Under Active Exploitation — What Network Defenders Must Know Now
CISA has flagged a critical Cisco Catalyst SD-WAN Manager vulnerability as actively exploited, giving federal agencies just four days to patch. Here's what's at stake.
Inside the Vercel Breach: How a Sophisticated Attacker Weaponized Third-Party Tooling Against a Cloud Giant
Vercel confirms a targeted cyber incident after a threat actor exploited a third-party tool in its ecosystem. Here's what happened and what it means for cloud security.
CISA's KEV Catalog Expands: PaperCut Auth Bypass and Cisco SD-WAN Flaws Under Active Exploitation
CISA added 8 vulnerabilities to its KEV catalog, including a critical PaperCut authentication bypass and three Cisco SD-WAN flaws with federal patch deadlines set for April–May 2026.
OAuth Tokens Are the New Skeleton Key: How an AI Tool Cracked Vercel From the Inside
A Vercel employee's AI tool access enabled a data breach via stolen OAuth tokens — exposing how AI integrations are quietly expanding enterprise attack surfaces.
Inside the Machine: How Gentlemen Ransomware Is Weaponizing a 1,570-Host SystemBC Botnet Against Corporate Targets
A Gentlemen ransomware affiliate has been caught leveraging a SystemBC proxy botnet of over 1,570 compromised corporate hosts, signaling a dangerous evolution in ransomware delivery infrastructure.
Bending Trust: How Attackers Are Hijacking the Pipelines You Already Rely On
From Vercel's supply chain to rogue Android RATs, attackers aren't breaking systems anymore — they're quietly bending the trust that holds them together.
Poisoned AI Models as Attack Vectors: CVE-2026-5760 Turns GGUF Files Into RCE Weapons
A CVSS 9.8 flaw in SGLang allows attackers to execute arbitrary code by serving malicious GGUF model files, threatening AI infrastructure pipelines globally.
Formbook's Invisible Hand: How DLL Side-Loading and JavaScript Obfuscation Are Rewriting the Evasion Playbook
WatchGuard researchers expose a sophisticated Formbook campaign layering DLL side-loading with obfuscated JavaScript to slip past modern defenses undetected.
ZionSiphon: Inside the Malware Engineered to Poison Your Water Supply
ZionSiphon targets operational technology in water treatment facilities, combining ICS scanning with active sabotage capabilities — a rare and dangerous convergence.
The Clock is Dead: How Frontier AI Has Eliminated the Exploit Window Defenders Once Relied On
Frontier AI models are compressing exploit development from weeks to hours, fundamentally dismantling the time-based security assumptions defenders have built their strategies around.
ZionSiphon: Nation-State Malware Puts Israel's Water and Desalination Infrastructure in the Crosshairs
A newly identified malware strain named ZionSiphon is actively targeting Israeli water treatment and desalination OT systems, capable of persistent access and critical configuration tampering.
The AI Protocol Nobody Audited: How MCP's "By Design" Flaw Opens a Back Door to Your Entire Stack
A critical architectural weakness in Anthropic's Model Context Protocol enables arbitrary remote code execution, threatening the rapidly expanding AI tool supply chain.
Nexcorium Botnet Campaign Weaponizes DVR Command Injection to Expand Mirai's IoT Stranglehold
FortiGuard Labs confirms active exploitation of CVE-2024-3721 in TBK DVR devices, deploying a Mirai-based botnet variant targeting vulnerable network-connected surveillance hardware.
App Store's Walled Garden Has a Crypto Problem: FakeWallet Stealer Bypasses Apple's Defenses
Over 20 phishing apps impersonating crypto wallets slipped past Apple's App Store review in March 2026, actively draining user funds through sophisticated seed phrase harvesting.
Third-Party AI Tool Becomes the Breach Door: How the Context.ai Compromise Walked Into Vercel's Core Infrastructure
A compromised third-party AI tool gave attackers a foothold into Vercel's internal systems via a hijacked Google Workspace account. Here's what the chain looked like.
Threat Actors Weaponize Apple's Own Infrastructure to Deliver Convincing iPhone Purchase Scams
Attackers are exploiting Apple's account change notification system to embed phishing content inside legitimate Apple emails, bypassing spam filters and deceiving users.
Inside the Vercel Breach: How Threat Actors Targeted the Platform Powering Millions of Web Applications
Vercel has confirmed a security breach after threat actors claimed access to internal systems and began selling stolen data. Here's what defenders need to know.
Silent Serializer: How a Critical Protobuf.js Flaw Opens the Door to Remote Code Execution
A critical RCE vulnerability in protobuf.js puts millions of JavaScript applications at risk. PoC exploit code is now public — here's what defenders need to know.
Nexcorium Rising: How a Mirai Variant Is Quietly Hijacking Surveillance Infrastructure for Global DDoS Operations
A new Mirai variant dubbed Nexcorium is actively exploiting CVE-2024-3721 in TBK DVR devices, conscripting surveillance hardware into a growing DDoS botnet.
BlueHammer, RedSun, UnDefend: Three Defender Zero-Days Weaponized in Active Privilege Escalation Campaign
Threat actors are actively exploiting three Microsoft Defender zero-days — two still unpatched — to escalate privileges on compromised systems. Here's what defenders need to know now.
The Exploit Arms Race Has a New Combatant: How Commercial AI Is Rewriting Vulnerability Research
Commercial AI models are rapidly closing the gap between vulnerability discovery and weaponized exploits. Security teams must adapt before the window vanishes.
From Nuisance to Nightmare: How Dragon Boss Adware Quietly Became an AV Killer
A seemingly harmless adware platform weaponized a March 2025 update to disable Windows Defender and stage future payloads — undetected on millions of devices.
Inside Google's 8.3 Billion Ad Purge: What Android 17's Privacy Overhaul Means for the Mobile Threat Landscape
Google blocked 8.3B malicious ads and suspended 24.9M accounts in 2025. Android 17's new permission model reshapes mobile privacy defenses.
Dormant for 13 Years: The Apache ActiveMQ Zero-Day Now Tearing Through Enterprise Infrastructure
A critical Apache ActiveMQ vulnerability, undetected for over a decade, is now being actively exploited in the wild after CISA issued an emergency warning to federal agencies.
Phishing Rings, State-Linked Malware, and Hijacked Servers: A Week of Compounding Threats
Three converging threat campaigns — W3LL takedown, AgingFly malware, and Nginx exploitation — reveal how adversaries are scaling precision attacks across every infrastructure layer.
Trusted by Banks, Weaponized by Design: How a Single Taboola Pixel Silently Routed Live Banking Sessions to Temu
A bank-approved Taboola pixel quietly redirected authenticated user sessions to a Temu tracking endpoint — no consent, no alerts, no violations logged.
Ancient Code, Active Exploits: Defender 0-Day, 17-Year-Old Excel RCE, and the Week Threat Actors Won Thursday
A Defender zero-day, brute-forced SonicWall appliances, and a 17-year-old Excel RCE flaw converge in one of 2025's most operationally dense threat weeks.
PowMix Botnet Dissected: How Randomized C2 Beaconing Is Helping Attackers Blind Czech Enterprise Defenses
The PowMix botnet has been quietly targeting Czech workers since December 2025, using randomized C2 intervals to slip past network signature detection tools.
CISA Sounds the Alarm: Apache ActiveMQ Flaw Under Active Attack Threatens Enterprise Infrastructure
CVE-2026-34197 in Apache ActiveMQ Classic is now actively exploited in the wild, earning a CISA KEV listing and demanding urgent enterprise response.
Operation PowerOFF Dismantles Global DDoS-for-Hire Empire: 53 Domains Seized, 3 Million Criminal Accounts Exposed
International law enforcement seizes 53 DDoS-for-hire domains and exposes 3 million criminal accounts, striking at the heart of the booter-as-a-service economy.
AI vs. Adversarial Advertising: How Google's Gemini Is Reshaping the Malvertising Battlefront
Google is deploying Gemini AI to detect and block malicious ads at scale. Here's what it means for the evolving malvertising threat landscape.
NKAbuse Resurfaces: How a Python Notebook Flaw Turned Hugging Face Into a Malware Delivery Network
Attackers are exploiting a critical Marimo vulnerability to deploy NKAbuse malware directly from Hugging Face Spaces, weaponizing trusted AI infrastructure against enterprise targets.
From Leak to Live Exploit: Three Windows Zero-Days Now Actively Weaponized in the Wild
Three recently leaked Windows vulnerabilities enabling SYSTEM-level privilege escalation are now being actively exploited. Security teams must act immediately.
RedSun Zero-Day: Researcher Drops Second Microsoft Defender Exploit in Two Weeks, Granting Full SYSTEM Access
A researcher named "Chaotic Eclipse" has released a PoC exploit dubbed "RedSun" targeting Microsoft Defender, escalating privileges to SYSTEM level with no patch in sight.
ZionSiphon: Inside the OT Malware Built to Poison Water at Scale
ZionSiphon is a purpose-built OT malware targeting water treatment and desalination systems. Here's how it works and why critical infrastructure defenders must act now.
Engines of Extortion: Ransomware Attacks on the Automotive Sector Have Doubled in a Year
Ransomware now accounts for over 40% of cyberattacks targeting carmakers. CypherByte breaks down what's driving the surge and what defenders must do now.
The NVD Enrichment Gap: How NIST's Triage Decision Is Quietly Reshaping Vulnerability Intelligence
NIST will stop enriching pre-2026 CVEs in the NVD, creating a growing blind spot in vulnerability intelligence that security teams can no longer afford to ignore.
Broken by Design: How Malformed APKs Are Blindsiding Android Security Tools at Scale
Over 3,000 Android malware samples exploit deliberate APK structural corruption to evade static analysis tools, exposing a systemic blind spot in mobile threat detection.
Inside the Laptop Farm Deception: How North Korea Quietly Infiltrated 100+ American Companies
Two US nationals have been jailed for running North Korean laptop farms that placed fraudulent remote workers inside over 100 firms. Here's how the scheme worked.
Machine-Speed or Bust: How Frontier AI Is Rewriting the Rules of Cyber Defense
As OpenAI and Anthropic push AI boundaries, SentinelOne's research reveals why autonomous, AI-native defense is no longer optional — it's existential.
Beyond the Battlefield: Iran's Cyber Arsenal and What It Means for Your Business Right Now
As geopolitical tensions with Iran escalate, security teams must prepare for state-sponsored cyber operations targeting critical infrastructure and enterprise networks globally.
MCPwn: How CVE-2026-33032 Turns Your Nginx Dashboard Into an Open Door
A critical authentication bypass in nginx-ui is being actively exploited in the wild, granting attackers full control of Nginx servers with no credentials required.
Trusted Infrastructure Turned Weapon: How Threat Actors Are Hijacking n8n Automation to Bypass Email Security
Attackers have weaponized the n8n workflow automation platform since October 2025, using its trusted webhooks to deliver malware and fingerprint victims through phishing campaigns.
Windows Task Host Under Active Fire: CISA Confirms SYSTEM-Level Privilege Escalation Being Weaponized
CISA has flagged an actively exploited Windows Task Host vulnerability enabling SYSTEM-level privilege escalation. Federal agencies and enterprise defenders must act now.
Supply Chain Siege: How 30+ Compromised WordPress Plugins Turned Trusted Tools Into Backdoors
The EssentialPlugin suite was weaponized to silently inject malware across thousands of WordPress sites. Here's what defenders need to know now.
AgingFly Malware Targets Ukrainian Hospitals and Government: Credential Theft Campaign Exposes Critical Infrastructure
A new malware family dubbed AgingFly is actively targeting Ukrainian government bodies and hospitals, stealing browser credentials and WhatsApp data in a sophisticated espionage campaign.
Zero-Click Server Takeover: Nginx UI's MCP Flaw Is Being Exploited Right Now
A critical authentication bypass in Nginx UI is actively exploited in the wild, enabling full server takeover with zero credentials. Patch immediately.
April's Patch Tuesday Unmasked: Two Active Zero-Days Hidden Inside Microsoft's Largest 2025 Patch Drop
Microsoft's April 2025 Patch Tuesday addressed two actively exploited zero-days among 160+ vulnerabilities. Here's what security teams must act on immediately.
Authentication Bypass in nginx-ui's MCP Interface Reaches CVSS 9.8 — Active Exploitation Confirmed
A critical authentication bypass in nginx-ui's MCP interface (CVE-2026-33032) is actively exploited in the wild, scoring CVSS 9.8 and exposing web infrastructure globally.
88% of Global Brute-Force Traffic Traced to Middle East: What's Driving the Surge and Who's at Risk
Barracuda research reveals 88% of Q1 brute-force attacks originated from the Middle East. CypherByte breaks down the infrastructure, tactics, and defensive posture organizations need now.
Silent Compromise: Russian-Linked Actors Suspected in Sophisticated iPhone Spyware Campaign
Russian threat actors are suspected of deploying advanced iPhone spyware against high-value targets. CypherByte breaks down the tradecraft, technical indicators, and what defenders must do now.
Blind Spots in the Cloud: How Visibility Gaps Are Leaving Workloads Exposed
As cloud infrastructure scales faster than security controls, attackers exploit the gaps. Here's what's at risk and how to close the exposure window.
Poisoned at the Source: Inside the LiteLLM Supply Chain Attack Targeting AI Infrastructure
A sophisticated supply chain attack against the LiteLLM/Axios ecosystem threatened global AI deployments. Here's how autonomous EDR stopped it cold — and what it means for your stack.
The Perimeter Is Already Dead: How Attackers Are Using Your Edge Devices Against You
Edge devices have become the primary breach vector for sophisticated threat actors. Once inside, attackers pivot directly to identity infrastructure — and defenders are losing the race.
Trust Turned Weapon: Inside the 19-Hour CPU-Z Watering Hole Attack That Hijacked a Trusted Download Button
Threat actors compromised cpuid.com at the API level, silently redirecting legitimate CPU-Z downloads to malware for 19 hours. Here's how it worked.
Power Vacuum in Caracas: Mapping the Threat Landscape After Maduro's Capture
Venezuela's post-Maduro transition under Acting President Rodríguez reshapes Latin American risk. Here's what security and intelligence teams need to understand now.
Industrial Control Systems Under Siege: Inside the Q4 2025 ICS Threat Surge
Kaspersky's Q4 2025 ICS threat report reveals escalating attack volumes against industrial automation systems worldwide. Here's what every OT security team needs to know.
Beyond the Missiles: Iran's Cyber Arsenal and the Digital Battlefield Behind the US-Israeli Strikes
As kinetic strikes reshape the Middle East, Iran's cyber capabilities pose escalating risks to critical infrastructure worldwide. Here's what security teams must know now.
Threat Surge: 139% Spike in High-Impact Vulnerabilities and Interlock Ransomware's Cisco Zero-Day Exploitation Signal a Dangerous New Quarter
March 2026 saw 31 critical vulnerabilities demand immediate remediation as the Interlock ransomware group weaponized a Cisco FMC zero-day in active campaigns.
Beyond the Battlefield: How an Iran War Scenario Rewrites the Cyber Threat Playbook for Global Business
Escalating conflict involving Iran carries serious cyber spillover risks for global enterprises. Here's what security teams must prepare for now.
165 Vulnerabilities, One Under Active Exploit: Inside Microsoft's Massive April 2026 Patch Tuesday
Microsoft's April 2026 Patch Tuesday drops 165 fixes including one actively exploited flaw and critical RCE bugs in core Windows infrastructure. Here's what security teams must prioritize.
A Decade-Old Amazon Tablet Still Yields to Modern Exploitation: Bootloader Analysis of the Fire HD6/HD7 2014
Researchers successfully unlocked the bootloader of Amazon's 2014 Fire HD tablets, exposing how aging consumer hardware retains exploitable attack surfaces years after end-of-life.
Inside MediaTek's Achilles Heel: How DA2 Exploitation Unlocks Millions of Android Devices
Researchers expose critical weaknesses in MediaTek's second-stage Download Agent, enabling low-level device compromise across a vast swath of Android hardware.
Inside the Black Box: Reverse Engineering MediaTek Bootloaders Exposes the Hidden Attack Surface of a Billion Devices
Original research into MediaTek's LK bootloader reveals deep reversibility of firmware trusted by hundreds of millions of Android devices worldwide.
Microsoft's Largest 2026 Patch Drop: Two Active Zero-Days Hidden Inside 164-CVE Avalanche
April 2026 Patch Tuesday delivers 164 CVEs including two actively exploited zero-days and eight critical flaws demanding immediate enterprise attention.
167 Vulnerabilities, a SharePoint Zero-Day, and 'BlueHammer': April 2026 Patch Tuesday Is a Five-Alarm Fire
Microsoft's April 2026 Patch Tuesday drops fixes for 167 CVEs including a SharePoint zero-day and the publicly disclosed Windows Defender flaw 'BlueHammer.' Patch now.
North Korean Threat Actor STARDUST CHOLLIMA Poisons the Axios npm Well in Sophisticated Supply Chain Strike
A North Korean state-linked actor likely compromised the widely-used Axios npm package, threatening millions of JavaScript projects worldwide with stealthy supply chain malware.
Coruna Rises: How Operation Triangulation's iPhone Exploit Kit Got a Dangerous Upgrade
Kaspersky GReAT reveals Coruna, an evolved exploit framework targeting iPhones via CVE-2023-32434 and CVE-2023-38606, extending Operation Triangulation's legacy threat.
CrystalX RAT: When Spyware Moonlights as a Prank Tool to Evade Detection
CrystalX blends spyware, credential theft, and prankware into a MaaS RAT — using humor as camouflage for serious surveillance capabilities.
Follow the Money: How Cybercriminals Evolved Their Financial Attack Playbook in 2025
Kaspersky's 2025 financial threat report reveals surging infostealer activity, adaptive phishing campaigns, and shifting regional targeting patterns that every security team needs to understand.
Clipboard Hijacked: How a Fake Proxifier Install Silently Drains Crypto Wallets Through a Multi-Stage Attack Chain
Threat actors are weaponizing trojanized Proxifier software to deliver ClipBanker malware, silently replacing clipboard crypto addresses to steal funds.
JanelaRAT Returns: How a Stealthy Financial Trojan Is Quietly Draining Latin American Bank Accounts
Kaspersky GReAT exposes an evolved JanelaRAT campaign targeting LATAM financial users with updated infection chains and evasion tactics.
The Spyware Industrial Complex: How Mercenary Surveillance Tools Are Outpacing Democratic Oversight
Citizen Lab's landmark submission to Canadian parliament exposes how commercial spyware vendors operate in legal gray zones, threatening civil society globally.
The Accountability Void: How the Mercenary Spyware Industry Operates Beyond the Reach of Law
Citizen Lab's UN submission exposes how commercial surveillance vendors weaponize zero-days against civil society with near-total impunity. Here's what security teams need to know.
The AI Malware Threshold Has Been Crossed: VoidLink Proves Solo Developers Can Now Build Production-Grade Threats
AI-assisted malware development is no longer experimental. VoidLink's discovery signals a fundamental shift in the threat actor capability floor.
TrueConf Zero-Day Weaponized Against Southeast Asian Governments: Inside Operation TrueChaos
A zero-day in TrueConf client software (CVE-2026-3502) was exploited in targeted attacks against Southeast Asian government entities. Here's what defenders need to know.
Silent Attack: How Your Phone's AI Audio Features Opened a Zero-Click Door to Pixel 9
AI-powered audio transcription in Google Messages silently decodes every incoming attachment — handing attackers a zero-click exploit surface via flawed Dolby and Monkey's Audio decoders.
Breaking the Pixel 9 Sandbox: How a Hardware AV1 Decoder Became a Kernel Exploit Gateway
Google's Pixel 9 mediacodec sandbox can be escaped via the /dev/bigwave AV1 acceleration driver, enabling full kernel-level compromise from a 0-click RCE chain.
Silent Compromise: How Audio Transcription Became the Zero-Click Front Door on Pixel 9
Google's own Project Zero exposed how Dolby audio decoding and background transcription services create a pre-interaction exploit chain on Pixel 9 devices.
Silence Becomes Weaponized: How a macOS Audio Daemon Became a Full Exploit Chain
A type confusion flaw in macOS coreaudiod has been weaponized into a working exploit. Here's what security teams need to know.
Beyond the Grammar: Why Mutational Fuzzing Alone Isn't Enough to Secure Modern Attack Surfaces
Google Project Zero's deep dive into mutational grammar fuzzing reveals critical gaps in one of security research's most celebrated bug-hunting techniques.
Get full access to every research article
Subscribe below — waitlist members get first access and founding member pricing.
Free tier always available. Premium pricing announced at launch.