Sentinel Logo
Crime crew impersonates help desk, abuses Microsoft Teams to steal your data

Coming in cold with custom Snow malware

A previously unknown threat group using tried-and-tested social engineering tactics - Microsoft Teams chat invitations and helpdesk staff impersonation - is also using custom malware in its data-stealing attacks, according to Google's Threat Intelligence Group.…

 [Link]
ShinyHunters claim they have cruise giant Carnival's booty as 7.5M emails surface

Leak-site bragging meets breach hunters as Have I Been Pwned flags millions of records

Carnival Corporation, the world's largest cruise company, is dealing with choppy waters after Have I Been Pwned flagged what it claimed were 7.5 million unique email addresses all allegedly tied to one of its subsidiaries. …

 [Link]
Governments on high alert after CISA snuffs out Firestarter backdoor on fed network

Latest in long-running pwning of Cisco kit found in mystery Fed agency

A US federal agency was successfully targeted by a previously unknown backdoor malware called Firestarter, according to CISA cybersnoops and their UK counterparts – neither of which disclosed the agency's name.…

 [Link]
Medical data of 500k Biobank volunteers listed for sale on Alibaba, UK minister reveals

World's largest biomedical dataset lifted and shifted on Chinese mega marketplace

Updated  Details of volunteers of UK-based Biobank, which describes itself as the custodian of the world's most comprehensive biomedical dataset, are for sale on Chinese ecommerce site Alibaba.…

 [Link]
Pass the key, passwords have passed their sell-by date

NCSC passes judgment: passkeys pass muster, passwords fail

The UK's National Cyber Security Centre (NCSC) has officially endorsed passkeys as the default authentication standard, marking the first time the agency has told consumers to move away from passwords entirely.…

 [Link]
Another npm supply chain worm is tearing through dev environments

Plus, the payload references 'TeamPCP/LiteLLM method'

Yet another npm supply-chain attack is worming its way through compromised packages, stealing secrets and sensitive data as it moves through developers' environments, and it shares significant overlap with the open source infections attributed to TeamPCP last month.…

 [Link]
France's 'Secure' ID agency probes breach as crooks claim 19M records

Gov admits 'incident' as forum sellers boast of fresh haul covering up to a third of the population

France's National Agency for "Secure" Documents is explaining a potential data spill just as crooks online claim they've nicked a third of the country's ID information.…

 [Link]
macOS ClickFix attacks deliver AppleScript stealers to snarf credentials, wallets

Data from browsers, cryptocurrency wallets, 200+ extensions hoovered up

A ClickFix campaign targeting macOS users delivers an AppleScript-based infostealer that collects credentials and live session cookies from 14 browsers, 16 cryptocurrency wallets, and more than 200 extensions.…

 [Link]
Yet another ex-ransomware negotiator admits turning rogue after payoff from crimelords

Plus: Court papers reveal nonprofit paid a ransom worth nearly $26.8 million

The third of three former ransomware negotiators accused of assisting the ALPHV/BlackCat ransomware gang in extorting US businesses has pleaded guilty, months after his two co-workers did the same.…

 [Link]
AI-assisted intruders pwned Vercel via OAuth abuse and a pilfered employee account

CEO suspects silicon sidekick behind 'surprising velocity' breach - cyber crims shop stolen data for $2M

Vercel's CEO reckons the crooks behind its recent breach likely had a helping hand from AI, saying the attackers moved with "surprising velocity" and a deep understanding of the company's infrastructure.…

 [Link]
Crook claims to leak 'video surveillance footage' of companies

Mexican IT services firm admits it was hacked, but says client operations weren't affected

A Mexican IT infrastructure and digital transformation biz is on clean-up duty after a criminal posted screenshots of what they claimed was company video surveillance footage to a cybercrime forum.…

 [Link]
Adaptavist Group breach spawns imposter emails as ransomware crew claims mega-haul

Fake emails already doing the rounds as ransomware crew boasts about what it allegedly stole

UK enterprise software consultancy The Adaptavist Group is investigating a security breach after an intruder logged in with stolen credentials, while a ransomware crew claims it grabbed far more than the company is currently admitting.…

 [Link]
Scot becomes second Scattered Spider-linked crook to plead guilty in US

Tyler Buchanan admits role in scheme that stole at least $8 million in virtual currency

A Scottish man linked to the Scattered Spider cybercrime crew has pleaded guilty in the US to a phishing and SIM-swap scheme that stole at least $8 million in cryptocurrency.…

 [Link]
North Korea targets macOS users in latest heist

Social engineering: 'low-cost, hard to patch, and scales well'

North Korean criminals set on stealing Apple users' credentials and cryptocurrency are using a combination of social engineering and a fake Zoom software update to trick people into manually running malware on their own computers, according to Microsoft.…

 [Link]
Textbook titan McGraw Hill on ransomware crew's reading list after 13.5M records exposed

Publisher claims misconfigured Salesforce-hosted page leaked data

Textbook giant McGraw Hill has landed on a ransomware crew's leak site after an alleged Salesforce-linked misconfiguration spilled 13.5 million records into the wild.…

 [Link]
Automotive data biz Autovista blames ransomware for service disruption

Some customer orgs tell staff to block inbound email from the provider

Autovista confirms that it called in outside support to help clean up a ransomware infection currently affecting systems in Europe and Australia.…

 [Link]
Ancient Excel bug comes out of retirement for active attacks

Vuln old enough to drive lands on CISA's exploited list

While Microsoft was rolling out its bumper Patch Tuesday updates this week, US cybersecurity agency CISA was readying an alert about a 17-year-old critical Excel flaw now under exploit.…

 [Link]
No honor among thieves as 0APT threatens rival ransomware gang Krybit

Honey, the skids are fighting again

Two rival ransomware gangs have locked horns after 0APT threatened to expose people affiliated with Krybit.…

 [Link]
Fake Linux leader using Slack to con devs into giving up their secrets

Google Sites lure leads to bogus root certificate

Imagine getting asked to do something by a person in authority. An unknown malware slinger targeting open source software developers via Slack impersonated a real Linux Foundation official and used pages hosted on Google.com to steal developers' credentials and take over their systems.…

 [Link]
Booking.com warns reservation data may have checked out with intruders

Travel giant says names, contact details, dates, and hotel messages potentially exposed

Booking.com is warning customers that their reservation details may have been exposed to unknown attackers, in the latest reminder that the travel giant still can't quite keep a lid on the data flowing through its platform.…

 [Link]
Gym giant Basic-Fit confirms data on a million members stolen in cyberattack

Names, addresses, dates of birth, and bank details accessed, though not passwords

Basic-Fit, Europe's largest gym chain, has confirmed data including the bank details of around a million customers was stolen from its systems.…

 [Link]
Rockstar Games gets a taste of grand theft data

ShinyHunters claims it accessed Snowflake metrics via third-party tool

ShinyHunters is back, this time pinning Rockstar Games to its leak site and claiming it didn't so much hack its way in as walk through a door someone else left wide open.…

 [Link]
Crypto? Huh. Good gawd y'all, what is it good for? $45M in this case

Cops bust latest scam, return $12m to bilked victims

US, UK, and Canadian law enforcement Thursday said that they disrupted a $45 million global cryptocurrency scam, freezing $12 million in stolen funds and identifying more than 20,000 cryptocurrency wallet addresses linked to fraud victims across 30 countries.…

 [Link]
'Several dozen' high-value corporations hit by new extortion crew in helpdesk phishing spree

Possible link to Mr. Raccoon's claimed Adobe break-in

A new extortion crew has targeted “several dozen high-value” corporations through phishing and helpdesk social-engineering, according to Google.…

 [Link]
Months-old Adobe Reader zero-day uses PDFs to size up targets

Malicious PDFs abuse legit features to harvest system data and decide which victims get a 2nd-stage payload

Hackers have been quietly exploiting what appears to be a zero-day in Adobe Acrobat Reader for months, using booby-trapped PDFs to profile targets and decide who's worth fully compromising.…

 [Link]
Zephyr Energy loses £700K in cyber hit that rerouted contractor payment

Attackers slipped into the process and redirected funds, leaving the company scrambling to recover the cash

UK-listed oil and gas outfit Zephyr Energy plc has admitted a cyber incident siphoned off roughly £700,000 after a single payment to a contractor was quietly redirected to an attacker-controlled account.…

 [Link]
Dutch healthcare software vendor goes dark after ransomware attack

ChipSoft's website remains down but emails are functioning

A Dutch healthcare software vendor has been knocked offline following a ransomware attack, officials say.…

 [Link]
Hundreds of orgs compromised daily in Microsoft device code phishing attacks

Who needs MFA when you've got EvilTokens?

Hundreds of organizations have been compromised daily by a Microsoft device-code phishing campaign that uses AI and automation at nearly every stage of the attack chain to ultimately snoop through corporate email inboxes and steal financial data.…

 [Link]
US cybercrime losses pass $20B for first time as AI boosts online fraud

Bots are now firmly in the toolbox, helping crooks scale old scams

Crims are taking advantage of AI to sharpen old scams. The FBI reported Monday that cybercrime losses hit a record $20.87 billion in 2025, with help from bots.…

 [Link]
Russia's Fancy Bear still attacking routers to boost fake sites, NCSC warns

200 orgs and 5,000 devices compromised so far in Vlad's latest intelligence grab, Microsoft reckons

The UK's National Cyber Security Centre (NCSC) has issued a fresh warning about Russia's ongoing targeting of routers to steal passwords and other secrets.…

 [Link]
AI recruiting biz Mercor says it was 'one of thousands' hit in LiteLLM supply-chain attack

First public downstream victim, but won't be the last

AI hiring startup Mercor confirmed it was "one of thousands of companies" affected by the LiteLLM supply-chain attack as the fallout from the Trivy compromise continues to spread.…

 [Link]
Don't open that WhatsApp message, Microsoft warns

How to avoid social engineering attacks? Employee training tops the list

Be careful what you click on. Miscreants are abusing WhatsApp messages in a multi-stage attack that delivers malicious Microsoft Installer (MSI) packages, allowing criminals to control victims' machines and access all of their data.…

 [Link]
Iran targets M365 accounts with password-spraying attacks

Researchers say some targets correlate with cities hit by Iranian missile strikes

Suspected Iran-linked threat actors are conducting password-spraying attacks against hundreds of organizations, primarily Middle Eastern municipalities, in campaigns that security researchers believe may have been aimed at supporting bomb-damage assessment following missile strikes.…

 [Link]
Telnyx joins LiteLLM in latest PyPI package poisoning tied to Trivy breach

Also, EU probes Snapchat, RedLine suspect extradited, AstraZeneca leak claim surfaces, and more

infosec in brief  The cybercrime crew linked to the Trivy supply-chain attack has struck again, this time pushing malicious Telnyx package versions to PyPI in an effort to plant credential-stealing malware on developers’ systems.…

 [Link]
European Commission admits attackers broke into public web systems, but says little else

Brussels notifying 'Union entities' whose data may've been snatched in websites breach

The European Commission has admitted that attackers broke into its public-facing web infrastructure and siphoned off data in a bare-bones disclosure that answers the what but ducks most of the how.…

 [Link]
AFC Ajax drops ball as flaws let hackers play admin with tickets and bans

Vulns in Dutch football club's systems didn't just expose data – they let outsiders play with accounts, and even lift stadium bans

Dutch football giant AFC Ajax has admitted to a data breach after an attacker gained access to its internal systems, in an incident that looks less like a stray pass and more like the gates left wide open.…

 [Link]
Scammers have virtual smartphones on speed dial for fraud

They cleverly mimic most traits of a real phone

Smartphones have fast become the basis of our digital identities, securing payment systems and bank accounts. Now virtual devices that pretend to be real handsets have become a key tool for financial scammers, according to one company. …

 [Link]
HackerOne slams supplier for delayed breach notice after staff data exposed

Nearly 300 employees caught up in intrusion at benefits provider Navia

Almost 300 HackerOne employees are caught up in a data breach, with the bug bounty biz slamming a third-party benefits provider for a weeks-long delay in notification.…

 [Link]
Russian initial access broker who fed ransomware crews gets 81 months in US prison

Aleksei Volkov sentenced after enabling attacks that cost victims millions

A Russian national who sold the keys to corporate networks faces nearly seven years in a US prison after prosecutors tied his handiwork to a string of ransomware attacks costing victims millions of dollars.…

 [Link]
Claude attacks were 'Rorschach test' for infosec community, scaring former NSA boss

'It freakin' worked' says Rob Joyce - and shows how relentless AI agents can find holes humans miss

RSAC 2026  The now-infamous Anthropic report about Chinese cyberspies abusing Claude AI to automate cyberattacks was a Rorschach test for the infosec community, according to former NSA cyber boss Rob Joyce.…

 [Link]
Smooth criminals talking their way into cloud environments, Google says

Voice phishing is second most common initial access method across all IR probes, and top in cloud break-ins

RSAC 2026  Voice phishing surged last year to become the second most common method used by cybercriminals to gain initial access to their victims' IT estate – and the No. 1 tactic used when breaking into cloud environments.…

 [Link]
US chip testing firm shrugged off ransomware hit as minor – then came the data leak

Trio-Tech International initially said hack wasn't 'material,' but then stolen data was published

Trio-Tech International initially shrugged off a ransomware attack at a Singapore subsidiary as immaterial, only to reverse course days later after discovering stolen data had been disclosed.…

 [Link]
Russians are posing as Signal support to launch phishing attacks

PLUS: US takes down Iranian propaganda sites; Marketing company asks 'Why Do We Have Your Information?' And more!

Infosec In Brief  Russian intelligence-affiliated parties are posing as customer support services on commercial messaging applications such as Signal to compromise accounts and conduct phishing attacks, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) warned last Friday.…

 [Link]
Feds disrupt monster IoT botnets behind record-breaking DDoS attacks

Millions of hijacked devices powered traffic floods targeting defense systems and beyond

The US government has moved to disrupt a cluster of IoT botnets behind some of the largest DDoS attacks ever recorded, including traffic bursts topping 30 terabits per second.…

 [Link]
Jaguar Land Rover's cyber bailout sets worrying precedent, watchdog warns

Lack of clear criteria risks encouraging firms to lean on state support instead of worrying about insurance

The UK's cyber watchdog has warned that the government's £1.5 billion bailout of Jaguar Land Rover (JLR) risks setting a troubling precedent for how Britain handles major cyber crises.…

 [Link]
Unknown attackers exploit yet another critical SharePoint bug

Last time: Beijing-backed snoops and ransomware crims. Who's next?

Unknown baddies are abusing yet another critical Microsoft SharePoint bug to compromise victims' SharePoint servers, the US government warned.…

 [Link]
Lock down Microsoft Intune, feds warn after Stryker attack

Iran-linked attackers wiped employees' devices using Intune

The US government has urged companies to better secure Microsoft Intune, an endpoint management tool that was abused in last week's cyberattack against med-tech firm Stryker.…

 [Link]
Ransomware crims abused Cisco 0-day weeks before disclosure, says Amazon security boss

Interlock's post-exploit toolkit exposed

Ransomware criminals exploited CVE-2026-20131, a maximum-severity bug in Cisco Secure Firewall Management Center software, as a zero-day vulnerability more than a month before Cisco patched the hole, according to Amazon security boss CJ Moses.…

 [Link]
North Korea's 100,000-strong fake IT worker army rake in $500M a year for Kim Jong Un

Researchers map full org chart of the scam from dodgy recruiters to helpful Western collaborators

Researchers at IBM X‑Force and Flare Research have uncovered data that sheds light on how North Korea's fake IT worker schemes operate and infiltrate companies in order to funnel money back to the regime and steal sensitive information.…

 [Link]
Robotics surgical biz Intuitive discloses phishing attack

Operations and hospital networks not affected, we're told

Robotics-assisted surgical tech firm Intuitive said that unauthorized intruders gained access to some of its internal IT business applications after stealing an employee's credentials during a phishing attack.…

 [Link]
Apple patches bug used to read deleted messages
FBI used exploit to extract user data.
 [Link]
Rental platform 2Apply pinged for 'excessive' data collection
Personal info unfairly taken, privacy commissioner says.
 [Link]
Are you being judged by your age rather than your skills?
New studies find older workers routinely disregarded by peers.
 [Link]
Claude Mythos AI spurs cyber warnings for Australian firms
Anthropic's unreleased model raises eyebrows with authorities.
 [Link]
Workers paid more to return to the office
Visibility 'quietly becoming a form of currency'.
 [Link]
NSW Treasury worker arrested over data breach
Thousands of government documents allegedly stolen.
 [Link]
What's next for Apple under new CEO John Ternus?
With Tim Cook stepping down, a new era begins.
 [Link]
Apple CEO Tim Cook stepping down
Hardware chief John Ternus to take over.
 [Link]
NZ-founded shoe brand Allbirds sells its sole to AI
Shares spike on surprise pivot to GPU neocloud.
 [Link]
AI firm allegedly fabricated 'virtually all' customers, revenue
Execs of company once worth $2b charged with fraud.
 [Link]
One CISO For 10,000 companies: Cybersecurity On Too Few Shoulders

This week in cybersecurity from the editors at Cybercrime Magazine Sausalito, Calif. – Apr. 24, 2026 – Read the full story in it-daily.net According to the 2026 CISO Report, published by Cybersecurity Ventures in collaboration with Sophos, a massive gap exists in strategic security leadership. Worldwide,

The post One CISO For 10,000 companies: Cybersecurity On Too Few Shoulders appeared first on Cybercrime Magazine.

 [Link]
Anthropic’s Mythos Preview Just Changed The Threat Landscape In Ways The Security Industry Isn’t Fully Prepared For

The attacker’s blind spot just disappeared –Mayuresh Ektare, Senior Vice President, Product Management San Jose, Calif. – Apr. 23, 2026 Today’s attackers largely treat software as a black box. Some study open-source software (OSS) to tailor their techniques, but doing this at scale has always

The post Anthropic’s Mythos Preview Just Changed The Threat Landscape In Ways The Security Industry Isn’t Fully Prepared For appeared first on Cybercrime Magazine.

 [Link]
Keeper Security: The Identity Security Platform For Humans, Machines, And AI Agents

This week in cybersecurity from the editors at Cybercrime Magazine Sausalito, Calif. – Apr. 23, 2026 – Watch the YouTube video Keeper Security is transforming cybersecurity for people and organizations around the world. The company’s next-generation privileged access management solution deploys in minutes and seamlessly integrates

The post Keeper Security: The Identity Security Platform For Humans, Machines, And AI Agents appeared first on Cybercrime Magazine.

 [Link]
Saudi Arabia’s Cybersecurity Startups Guard the Region’s Digital Shift

This week in cybersecurity from the editors at Cybercrime Magazine Sausalito, Calif. – Apr. 22, 2026 – Read the full story in Cairo SCENE Digital transformation across the Middle East has accelerated rapidly in recent years, and cybersecurity has followed close behind. Saudi Arabia is one

The post Saudi Arabia’s Cybersecurity Startups Guard the Region’s Digital Shift appeared first on Cybercrime Magazine.

 [Link]
Best Cybercrime and Cybersecurity Podcasts for CISOs In 2026

This week in cybersecurity from the editors at Cybercrime Magazine Sausalito, Calif. – Apr. 20, 2026 – Listen to the podcast The Cybercrime Magazine Podcast tops Million Podcast’s curated list of the best 60 cybercrime podcasts to listen to in 2026. These podcasts are ranked based on their Apple

The post Best Cybercrime and Cybersecurity Podcasts for CISOs In 2026 appeared first on Cybercrime Magazine.

 [Link]
He Pled Guilty To Blackmailing Apple. What Really Happened.

This week in cybersecurity from the editors at Cybercrime Magazine Sausalito, Calif. – Apr. 17, 2026 – Listen to the podcast episode Kerem Albayrak from north London threatened to wipe 319 million accounts unless Apple gave him iTunes gift cards worth $100,000 (£76,000), BBC reported in a

The post He Pled Guilty To Blackmailing Apple. What Really Happened. appeared first on Cybercrime Magazine.

 [Link]
Stellar Cyber Unveils New Agentic AI Capabilities for the Human-Augmented Autonomous SOC

New automation and AI-driven triage capabilities dramatically reduce alert noise and accelerate investigations for modern security teams San Jose, Calif. – Apr. 16, 2026 As security operations teams struggle to keep pace with escalating alert volumes and increasingly automated attacks, Stellar Cyber just introduced new

The post Stellar Cyber Unveils New Agentic AI Capabilities for the Human-Augmented Autonomous SOC appeared first on Cybercrime Magazine.

 [Link]
CISO Salaries In 2026: $150K to $1M; Stock Grants, Bonuses, Other Compensation

This week in cybersecurity from the editors at Cybercrime Magazine Sausalito, Calif. – Apr. 15, 2026 – Read the full story from RSAC The top line on chief information security officer pay packages in 2026 is that CISOs are earning more than ever, writes Steve Morgan, founder

The post CISO Salaries In 2026: $150K to $1M; Stock Grants, Bonuses, Other Compensation appeared first on Cybercrime Magazine.

 [Link]
Scamdemic: Over $1 Trillion Annually Lost To Online Fraud; AI Lends A Helping Hand

This week in cybersecurity from the editors at Cybercrime Magazine Sausalito, Calif. – Apr. 14, 2026 – Read the full story in Time For the past few years, it’s escaped no one that levels of Internet and telephone fraud have skyrocketed. TIME reports that one in four

The post Scamdemic: Over $1 Trillion Annually Lost To Online Fraud; AI Lends A Helping Hand appeared first on Cybercrime Magazine.

 [Link]
Anthropic’s New Mythos Agent Has Created A Stir In The Cybersecurity Market

This week in cybersecurity from the editors at Cybercrime Magazine Sausalito, Calif. – Apr. 13, 2026 – Read the full story in Barron’s Cybersecurity stocks could be set for a massive boost from risks tied to Anthropic’s latest advances in artificial intelligence, stemming from the limited

The post Anthropic’s New Mythos Agent Has Created A Stir In The Cybersecurity Market appeared first on Cybercrime Magazine.

 [Link]
Researchers Uncover Pre-Stuxnet ‘fast16’ Malware Targeting Engineering Software
Cybersecurity researchers have discovered a new Lua-based malware created years before the notorious Stuxnet worm that aimed to sabotage Iran's nuclear program by destroying uranium enrichment centrifuges. According to a new report published by SentinelOne, the previously undocumented cyber sabotage framework dates back to 2005, primarily targeting high-precision calculation software to tamper
 [Link]
CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal Deadline
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added four vulnerabilities impacting SimpleHelp, Samsung MagicINFO 9 Server, and D-Link DIR-823X series routers to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The list of vulnerabilities is below - CVE-2024-57726 (CVSS score: 9.9) - A missing authorization vulnerability in
 [Link]
FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has revealed that an unnamed federal civilian agency's Cisco Firepower device running Adaptive Security Appliance (ASA) software was compromised in September 2025 with a new malware called FIRESTARTER. FIRESTARTER, per CISA and the U.K.'s National Cyber Security Centre (NCSC), is assessed to be a backdoor designed for remote access
 [Link]
NASA Employees Duped in Chinese Phishing Scheme Targeting U.S. Defense Software
The Office of Inspector General (OIG) of the U.S. National Aeronautics and Space Administration (NASA) has revealed how a Chinese national posed as a U.S. researcher as part of a spear-phishing campaign to obtain sensitive information from the space agency, as well as from government entities, universities, and private companies, in violation of export control laws. "For years, NASA employees
 [Link]
Bridging the AI Agent Authority Gap: Continuous Observability as the Decision Engine
The AI Agent Authority Gap - From Ungoverned to Delegation As discussed in our previous article, AI agents are exposing a structural gap in enterprise security, but the problem is often framed too narrowly. The issue is not simply that agents are new actors. It is that agents are delegated actors. They do not emerge with independent authority. They are triggered, invoked, provisioned, or
 [Link]
26 FakeWallet Apps Found on Apple App Store Targeting Crypto Seed Phrases
Cybersecurity researchers have discovered a set of malicious apps on the Apple App Store that impersonate popular cryptocurrency wallets in an attempt to steal recovery phrases and private keys since at least fall 2025. "Once launched, these apps redirect users to browser pages designed to look similar to the App Store and distribute trojanized versions of legitimate wallets," Kaspersky
 [Link]
Tropic Trooper Uses Trojanized SumatraPDF and GitHub to Deploy AdaptixC2
Chinese-speaking individuals are the target of a new campaign that uses a trojanized version of SumatraPDF reader to deploy the AdaptixC2 Beacon post-exploitation agent and ultimately facilitate the abuse of Microsoft Visual Studio Code (VS Code) tunnels for remote access. Zscaler ThreatLabz, which discovered the campaign last month, has attributed it with high confidence to Tropic Trooper (aka
 [Link]
LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure
A high-severity security flaw in LMDeploy, an open-source toolkit for compressing, deploying, and serving LLMs, has come under active exploitation in the wild less than 13 hours after its public disclosure. The vulnerability, tracked as CVE-2026-33626 (CVSS score: 7.5), relates to a Server-Side Request Forgery (SSRF) vulnerability that could be exploited to access sensitive data. "A server-side
 [Link]
UNC6692 Impersonates IT Help Desk via Microsoft Teams to Deploy SNOW Malware
A previously undocumented threat activity cluster known as UNC6692 has been observed leveraging social engineering tactics via Microsoft Teams to deploy a custom malware suite on compromised hosts. "As with many other intrusions in recent years, UNC6692 relied heavily on impersonating IT help desk employees, convincing their victim to accept a Microsoft Teams chat invitation from an account
 [Link]
Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign
Bitwarden CLI, the command-line interface for the password manager Bitwarden, has reportedly been compromised as part of a newly discovered and ongoing Checkmarx supply chain campaign, according to findings from JFrog and Socket. "The affected package version appears to be @bitwarden/cli@2026.4.0, and the malicious code was published in 'bw1.js,' a file included in the package contents," the
 [Link]
ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, ProxySmart SIM Farms +25 New Stories
You scroll past one incident and see another that feels familiar, like it should have been fixed years ago, but it still works with small changes. Same bugs. Same mistakes. The supply chain is messy. Packages you did not check are stealing data, adding backdoors, and spreading. Attacking the systems behind apps is easier than breaking the apps themselves. The exploits are simple but still work
 [Link]
[Webinar] Mythos Reality Check: Beating Automated Exploitation at AI Speed
Imagine a world where hackers don't sleep, don't take breaks, and find weak spots in your systems instantly. Well, that world is already here. Thanks to AI, attackers are now launching automated, large-scale exploits faster than ever before. The time you have to fix a vulnerability before it gets attacked is shrinking to zero. We call this the Collapsing Exploit Window, and it means your
 [Link]
Project Glasswing Proved AI Can Find the Bugs. Who's Going to Fix Them?
Last week, Anthropic announced Project Glasswing, an AI model so effective at discovering software vulnerabilities that they took the extraordinary step of postponing its public release. Instead, the company has given access to Apple, Microsoft, Google, Amazon, and a coalition of others to find and patch bugs before adversaries can. Mythos Preview, the model that led to Project Glasswing, found
 [Link]
China-Linked GopherWhisper Infects 12 Mongolian Government Systems with Go Backdoors
Mongolian governmental institutions have emerged as the target of a previously undocumented China-aligned advanced persistent threat (APT) group tracked as GopherWhisper. "The group wields a wide array of tools mostly written in Go, using injectors and loaders to deploy and execute various backdoors in its arsenal," Slovakian cybersecurity company ESET said in a report shared with The Hacker
 [Link]
Vercel Finds More Compromised Accounts in Context.ai-Linked Breach
Vercel on Wednesday revealed that it has identified an additional set of customer accounts that were compromised as part of a security incident that enabled unauthorized access to its internal systems. The company said it made the discovery after expanding its investigation to include an extra set of compromise indicators, alongside a review of requests to the Vercel network and environment
 [Link]
Apple Fixes iOS Flaw That Let FBI Recover Deleted Signal Messages
Apple has rolled out a software fix for iOS and iPadOS to address a Notification Services flaw that stored notifications marked for deletion on the device. The vulnerability, tracked as CVE-2026-28950 (CVSS score: N/A), has been described as a logging issue that has been addressed with improved data redaction. "Notifications marked for deletion could be unexpectedly retained on the device,"
 [Link]
Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain
Cybersecurity researchers have warned of malicious images pushed to the official "checkmarx/kics" Docker Hub repository. In an alert published today, software supply chain security company Socket revealed that unknown threat actors managed to have overwritten existing tags, including v2.1.20 and alpine, while also introducing a new v2.1.21 tag that does not correspond to an official release. The
 [Link]
Self-Propagating Supply Chain Worm Hijacks npm Packages to Steal Developer Tokens
Cybersecurity researchers have flagged a fresh set of packages that have been compromised by bad actors to deliver a self-propagating worm that spreads through stolen developer npm tokens. The supply chain worm has been detected by both Socket and StepSecurity, with the companies tracking the activity under the name CanisterSprawl owing to the use of an ICP canister to exfiltrate the stolen data
 [Link]
Harvester Deploys Linux GoGra Backdoor in South Asia Using Microsoft Graph API
The threat actor known as Harvester has been attributed to a new Linux version of its GoGra backdoor deployed as part of attacks likely targeting entities in South Asia. "The malware uses the legitimate Microsoft Graph API and Outlook mailboxes as a covert command-and-control (C2) channel, allowing it to bypass traditional perimeter network defenses," the Symantec and Carbon Black Threat Hunter
 [Link]
Lotus Wiper Malware Targets Venezuelan Energy Systems in Destructive Attack
Cybersecurity researchers have discovered a previously undocumented data wiper that has been used in attacks targeting Venezuela at the end of last year and the start of 2026. Dubbed Lotus Wiper, the novel file wiper has been used in a destructive campaign targeting the energy and utilities sector in Venezuela, per findings from Kaspersky. "Two batch scripts are responsible for initiating the
 [Link]
Toxic Combinations: When Cross-App Permissions Stack into Risk
On January 31, 2026, researchers disclosed that Moltbook, a social network built for AI agents, had left its database wide open, exposing 35,000 email addresses and 1.5 million agent API tokens across 770,000 active agents. The more worrying part sat inside the private messages. Some of those conversations held plaintext third-party credentials, including OpenAI API keys shared between agents,
 [Link]
Microsoft Patches Critical ASP.NET Core CVE-2026-40372 Privilege Escalation Bug
Microsoft has released out-of-band updates to address a security vulnerability in ASP.NET Core that could allow an attacker to escalate privileges. The vulnerability, tracked as CVE-2026-40372, carries a CVSS score of 9.1 out of 10.0. It's rated Important in severity. An anonymous researcher has been credited with discovering and reporting the flaw. "Improper verification of cryptographic
 [Link]
Mustang Panda’s New LOTUSLITE Variant Targets India Banks, South Korea Policy Circles
Cybersecurity researchers have discovered a new variant of a known malware called LOTUSLITE that's distributed via a theme related to India's banking sector. "The backdoor communicates with a dynamic DNS-based command-and-control server over HTTPS and supports remote shell access, file operations, and session management, indicating a continued espionage-focused capability set rather than
 [Link]
Cohere AI Terrarium Sandbox Flaw Enables Root Code Execution, Container Escape
A critical security vulnerability has been disclosed in a Python-based sandbox called Terrarium that could result in arbitrary code execution. The vulnerability, tracked as CVE-2026-5752, is rated 9.3 on the CVSS scoring system. "Sandbox escape vulnerability in Terrarium allows arbitrary code execution with root privileges on a host process via JavaScript prototype chain traversal," according to
 [Link]
SystemBC C2 Server Reveals 1,570+ Victims in The Gentlemen Ransomware Operation
Threat actors associated with The Gentlemen ransomware‑as‑a‑service (RaaS) operation have been observed attempting to deploy a known proxy malware called SystemBC. According to new research published by Check Point, the command-and-control (C2 or C&C) server linked to SystemBC has led to the discovery of a botnet of more than 1,570 victims. "SystemBC establishes SOCKS5 network tunnels within
 [Link]
22 BRIDGE:BREAK Flaws Expose Thousands of Lantronix and Silex Serial-to-IP Converters
Cybersecurity researchers have identified 22 new vulnerabilities in popular models of serial-to-IP converters from Lantronix and Silex that could be exploited to hijack susceptible devices and tamper with data exchanged by them. The vulnerabilities have been collectively codenamed BRIDGE:BREAK by Forescout Research Vedere Labs, which identified nearly 20,000 Serial-to-Ethernet converters exposed
 [Link]
Ransomware Negotiator Pleads Guilty to Aiding BlackCat Attacks in 2023
A third individual who was employed as a ransomware negotiator has pleaded guilty to conducting ransomware attacks against U.S. companies in 2023. Angelo Martino, 41, of Land O'Lakes, Florida, teamed up with the operators of the BlackCat ransomware starting in April 2023 to assist the e-crime gang in extracting higher amounts as ransoms. "Working as a negotiator on behalf of five different
 [Link]
5 Places where Mature SOCs Keep MTTR Fast and Others Waste Time
Security teams often present MTTR as an internal KPI. Leadership sees it differently: every hour a threat dwells inside the environment is an hour of potential data exfiltration, service disruption, regulatory exposure, and brand damage.  The root cause of slow MTTR is almost never "not enough analysts." It is almost always the same structural problem: threat intelligence that exists
 [Link]
NGate Campaign Targets Brazil, Trojanizes HandyPay to Steal NFC Data and PINs
Cybersecurity researchers have discovered a new iteration of an Android malware family called NGate that has been found to abuse a legitimate application called HandyPay instead of NFCGate. "The threat actors took the app, which is used to relay NFC data, and patched it with malicious code that appears to have been AI-generated," ESET security researcher Lukáš Štefanko said in a
 [Link]
No Exploit Needed: How Attackers Walk Through the Front Door via Identity-Based Attacks
The cybersecurity industry has spent the last several years chasing sophisticated threats like zero-days, supply chain compromises, and AI-generated exploits. However, the most reliable entry point for attackers still hasn't changed: stolen credentials. Identity-based attacks remain a dominant initial access vector in breaches today. Attackers obtain valid credentials through credential stuffing
 [Link]
Google Patches Antigravity IDE Flaw Enabling Prompt Injection Code Execution
Cybersecurity researchers have discovered a vulnerability in Google's agentic integrated development environment (IDE), Antigravity, that could be exploited to achieve code execution. The flaw, since patched, combines Antigravity's permitted file-creation capabilities with an insufficient input sanitization in Antigravity's native file-searching tool, find_by_name, to bypass the program's Strict
 [Link]
CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including three flaws impacting Cisco Catalyst SD-WAN Manager, citing evidence of active exploitation. The list of vulnerabilities is as follows - CVE-2023-27351 (CVSS score: 8.2) - An improper authentication vulnerability in PaperCut
 [Link]
SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files
A critical security vulnerability has been disclosed in SGLang that, if successfully exploited, could result in remote code execution on susceptible systems. The vulnerability, tracked as CVE-2026-5760, carries a CVSS score of 9.8 out of 10.0. It has been described as a case of command injection leading to the execution of arbitrary code. SGLang is a high-performance, open-source serving
 [Link]
⚡ Weekly Recap: Vercel Hack, Push Fraud, QEMU Abused, New Android RATs Emerge & More
Monday’s recap shows the same pattern in different places. A third-party tool becomes a way in, then leads to internal access. A trusted download path is briefly swapped to deliver malware. Browser extensions act normally while pulling data and running code. Even update channels are used to push payloads. It’s not breaking systems—it’s bending trust. There’s also a shift in how attacks run.
 [Link]
Why Most AI Deployments Stall After the Demo
The fastest way to fall in love with an AI tool is to watch the demo. Everything moves quickly. Prompts land cleanly. The system produces impressive outputs in seconds. It feels like the beginning of a new era for your team. But most AI initiatives don't fail because of bad technology. They stall because what worked in the demo doesn't survive contact with real operations. The gap between a
 [Link]
Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain
Cybersecurity researchers have discovered a critical "by design" weakness in the Model Context Protocol's (MCP) architecture that could pave the way for remote code execution and have a cascading effect on the artificial intelligence (AI) supply chain. "This flaw enables Arbitrary Command Execution (RCE) on any system running a vulnerable MCP implementation, granting attackers direct access to
 [Link]
Researchers Detect ZionSiphon Malware Targeting Israeli Water, Desalination OT Systems
Cybersecurity researchers have flagged a new malware called ZionSiphon that appears to be specifically designed to target Israeli water treatment and desalination systems. The malware has been codenamed ZionSiphon by Darktrace, highlighting its ability to set up persistence, tamper with local configuration files, and scan for operational technology (OT)-relevant services on the local subnet.
 [Link]
Vercel Breach Tied to Context AI Hack Exposes Limited Customer Credentials
Web infrastructure provider Vercel has disclosed a security breach that allows bad actors to gain unauthorized access to "certain" internal Vercel systems. The incident stemmed from the compromise of Context.ai, a third-party artificial intelligence (AI) tool, that was used by an employee at the company. "The attacker used that access to take over the employee's Vercel Google Workspace account,
 [Link]
[Webinar] Eliminate Ghost Identities Before They Expose Your Enterprise Data
In 2024, compromised service accounts and forgotten API keys were behind 68% of cloud breaches. Not phishing. Not weak passwords. Unmanaged non-human identities that nobody was watching. For every employee in your org, there are 40 to 50 automated credentials: service accounts, API tokens, AI agent connections, and OAuth grants. When projects end or employees leave, most
 [Link]
$13.74M Hack Shuts Down Sanctioned Grinex Exchange After Intelligence Claims
Grinex, a Kyrgyzstan-incorporated cryptocurrency exchange sanctioned by the U.K. and the U.S. last year, said it's suspending operations after it blamed Western intelligence agencies for a $13.74 million hack. The exchange said it fell victim to what it described as a large-scale cyber attack that bore hallmarks of foreign intelligence agency involvement. This attack led to the theft of over 1
 [Link]
Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet
Threat actors are exploiting security flaws in TBK DVR and end‑of‑life (EoL) TP-Link Wi-Fi routers to deploy Mirai-botnet variants on compromised devices, according to findings from Fortinet FortiGuard Labs and Palo Alto Networks Unit 42. The attack targeting TBK DVR devices has been found to exploit CVE-2024-3721 (CVSS score: 6.3), a medium-severity command injection vulnerability affecting
 [Link]
Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched
Huntress is warning that threat actors are exploiting three recently disclosed security flaws in Microsoft Defender to gain elevated privileges in compromised systems. The activity involves the exploitation of three vulnerabilities that are codenamed BlueHammer (requires GitHub sign-in), RedSun, and UnDefend, all of which were released as zero-days by a researcher known as Chaotic Eclipse (
 [Link]
Google Blocks 8.3B Policy-Violating Ads in 2025, Launches Android 17 Privacy Overhaul
Google this week announced a new set of Play policy updates to strengthen user privacy and protect businesses against fraud, even as it revealed it blocked or removed over 8.3 billion ads globally and suspended 24.9 million accounts in 2025. The new policy updates relate to contact and location permissions in Android, allowing third-party apps to access the contact lists and a user's location in
 [Link]
NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions
The National Institute of Standards and Technology (NIST) has announced changes to the way it handles cybersecurity vulnerabilities and exposures (CVEs) listed in its National Vulnerability Database (NVD), stating it will only enrich those that fulfil certain conditions owing to an explosion in CVE submissions. "CVEs that do not meet those criteria will still be listed in the NVD but will not
 [Link]
Operation PowerOFF Seizes 53 DDoS Domains, Exposes 3 Million Criminal Accounts
An international law enforcement operation has taken down 53 domains and arrested four people in connection with commercial distributed denial-of-service (DDoS) operations that were used by more than 75,000 cybercriminals. The ongoing effort, dubbed Operation PowerOFF, disrupted access to the DDoS-for-hire services, took down the technical infrastructure supporting them, and obtained access to
 [Link]
Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation
A recently disclosed high-severity security flaw in Apache ActiveMQ Classic has come under active exploitation in the wild, per the U.S. Cybersecurity and Infrastructure Security Agency (CISA). To that end, the agency has added the vulnerability, tracked as CVE-2026-34197 (CVSS score: 8.8), to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian
 [Link]
Newly Discovered PowMix Botnet Hits Czech Workers Using Randomized C2 Traffic
Cybersecurity researchers have warned of an active malicious campaign that's targeting the workforce in the Czech Republic with a previously undocumented botnet dubbed PowMix since at least December 2025. "PowMix employs randomized command-and-control (C2) beaconing intervals, rather than persistent connection to the C2 server, to evade the network signature detections," Cisco Talos
 [Link]
ThreatsDay Bulletin: Defender 0-Day, SonicWall Brute-Force, 17-Year-Old Excel RCE and 15 More Stories
You know that feeling when you open your feed on a Thursday morning and it's just... a lot? Yeah. This week delivered. We've got hackers getting creative in ways that are almost impressive if you ignore the whole "crime" part, ancient vulnerabilities somehow still ruining people's days, and enough supply chain drama to fill a season of television nobody asked for. Not 
 [Link]
Cisco Patches Four Critical Identity Services, Webex Flaws Enabling Code Execution
Cisco has announced patches to address four critical security flaws impacting Identity Services and Webex Services that could result in arbitrary code execution and allow an attacker to impersonate any user within the service. The details of the vulnerabilities are below - CVE-2026-20184 (CVSS score: 9.8) - An improper certificate validation in the integration of single sign-on (SSO)
 [Link]
Obsidian Plugin Abuse Delivers PHANTOMPULSE RAT in Targeted Finance, Crypto Attacks
A "novel" social engineering campaign has been observed abusing Obsidian, a cross-platform note-taking application, as an initial access vector to distribute a previously undocumented Windows remote access trojan called PHANTOMPULSE in attacks targeting individuals in the financial and cryptocurrency sectors. Dubbed REF6598 by Elastic Security Labs, the activity has been found to leverage
 [Link]
More sources will be added in due sources from other feeds.
Sentinel Footer
© 2022 QFINITY (Pty) Ltd. All rights reserved. Reg# 2020/503529/07. VAT#: 9066 648 263