Analysis and advisories for water, energy, and industrial operators from RedEye Security.
A Featured Chrome extension, Adblock for YouTube, ships dormant infrastructure to inject arbitrary JavaScript on any site a victim visits. No malicious payload has been pushed yet, but a single server-side flag could weaponize it across 10 million browsers with no update and no store review. Its all-sites access and a trivially bypassed youtube.com check make every banking, work, and admin session reachable.
North Korea's Backdoor.Turn tunneled command-and-control through Microsoft Teams and stayed hidden for months. The real risk, as Patrick Duggan argues, is convoC2: the open-source clone that hands the same Teams-relay evasion to any criminal with a GitHub account. It is already in fraud crews' hands, and the only place to catch it is the endpoint.
A Russian-speaking initial access broker has run a credential-harvesting operation against 430,000-plus FortiGate firewalls since February 2026, deploying passive sniffers to scrape cleartext and hashed credentials from device traffic. The multi-vendor campaign has identified over 110 million credentials and now feeds Active Directory intrusions, lateral movement, and a thriving access-for-sale market.
A security firm planted a malicious AI agent skill that passed Cisco's, NVIDIA's, and skills.sh's scanners, borrowed 36,000 GitHub stars, and reportedly reached 26,000 agents. The trick: keep the shipped package clean and host the payload behind an external link rewritten after the scan clears. Here is why the entire trust model around agent skills is broken.
A 29-year-old heap over-read in the Squid web proxy, dubbed Squidbleed (CVE-2026-47729), lets any permitted proxy user leak another user's cleartext HTTP requests, including Authorization headers and session tokens. The flaw lives in Squid's default FTP parser and was caught by an AI model. Proof-of-concept code is public.
CISA is urging every Fortinet customer to rotate credentials and harden devices after the FortiBleed leak exposed authentication data harvested from FortiGate appliances. Attackers can replay leaked credentials and session artifacts to walk straight past perimeter defenses. If you run Fortinet at the edge, treat every device as compromised until proven otherwise.
Paradigm Shift researchers published a working exploit, usbliter8, that achieves arbitrary code execution inside the SecureROM of Apple A12 and A13 chips. Burned into silicon at manufacture, the flaw cannot be patched by any software update. It requires physical access and DFU mode, completes in under two seconds, and affects iPhone XS through iPhone 11, several iPads, and Apple Watch Series 4 and 5.
Microsoft has attributed a supply chain compromise of the Mastra AI agent framework's npm ecosystem to North Korean state-sponsored hackers. Poisoned packages pushed credential-stealing and backdoor payloads to developers building AI agents. The campaign extends Pyongyang's long-running assault on open-source registries and developer machines.
A Russian-speaking threat actor has compromised 86,644 internet-facing FortiGate appliances using leaked credentials and legacy hashing weaknesses. CISA issued an emergency advisory urging password resets, PBKDF2 migration, and MFA. The attack self-propagates by harvesting credentials from traffic passing through breached devices.
Microsoft researchers detailed AutoJack, an exploit chain that lets a single attacker-controlled web page reach a privileged local service through an AI browsing agent and run arbitrary commands on the host. The flaw lives in AutoGen Studio's MCP WebSocket route, which never shipped in the stable PyPI build but did ship unpatched in two pre-releases. No credentials, no extra clicks, no exploitation in the wild yet.
A flaw in Google Cloud's Vertex AI SDK for Python let an attacker with zero access to a victim's project hijack ML model uploads and run code inside Google's serving infrastructure. The only prerequisites were the attacker's own GCP project and the victim's project ID, which is often public. Patch to google-cloud-aiplatform 1.148.0 and set an explicit staging_bucket.
China-linked UNC6508 backdoored REDCap research servers at US and Canadian medical and defense institutions, then abused Google Workspace content compliance rules to silently BCC matching emails to attacker-controlled inboxes for over a year.
Three chained vulnerabilities in LiteLLM let low-privilege users escalate to admin and execute code on AI gateway servers. Critical-severity chain exposes all provider keys, credentials, and prompts flowing through the proxy.
A Chinese state-sponsored threat actor compromised an isolated network for a decade by hijacking authentication flows through a connected system. The campaign demonstrates sophisticated persistence techniques against air-gapped infrastructure.
Chinese APT group Velvet Ant compromised the Linux login layer itself—backdooring PAM modules and OpenSSH binaries on air-gapped networks since 2016. Sygnia researchers found nine variants recording credentials where ordinary defenses cannot reach.
A critical 9.8 CVSS vulnerability in Splunk Enterprise allows unauthenticated attackers to achieve remote code execution through exposed PostgreSQL sidecar endpoints. WatchTowr Labs published a detailed exploit chain that relies on missing authentication controls.
On June 12, 2026, Anthropic received a US government directive and suspended Fable 5 and Mythos 5 for every customer worldwide, including its own foreign-national employees. The operational lesson for defenders: frontier-AI availability is now a supply-chain dependency policy can sever in minutes. What to do this quarter.
Attackers compromised more than 400 packages in Arch Linux's AUR by adopting orphaned repositories and injecting credential-stealing malware with eBPF rootkit capabilities into build scripts. The Rust-based stealer harvests developer secrets and establishes persistence through systemd services.
Researchers demonstrate a new attack class that weaponizes AI coding agents by injecting malicious instructions through Sentry error reports. 2,388 organizations exposed with an 85% exploitation success rate against popular AI assistants.
The ShinyHunters extortion crew exploited CVE-2026-35273, a 9.8-severity zero-day in Oracle PeopleSoft, to breach over 100 organizations—68% of them universities. Oracle patched after attackers had already exfiltrated student and staff data from multiple institutions.
Two research teams demonstrated separate attacks forcing OpenClaw AI agent to execute malicious code and exfiltrate credentials. Imperva exploited message-object prompt injection via contact names; Varonis succeeded with simple phishing emails that bypassed verification rules.
A critical path traversal flaw in Langflow enables unauthenticated remote code execution and is being actively exploited in the wild. With 7,000 exposed instances and no patch available, organizations running AI development infrastructure face immediate risk.
ServiceNow patched a critical authentication bypass flaw on June 5, 2026, after threat actors exploited it to query customer instance tables. The vulnerability was known internally since April 7 but classified as non-urgent for two months.
Threat actors deployed 37 malicious wheel artifacts across 19 PyPI packages using *-setup.pth files to achieve automatic execution during Python startup. The Hades campaign steals credentials from GitHub, AWS, Azure, npm, and CI/CD platforms while incorporating AI defense evasion and wiper capabilities.
University of Toronto researchers built a proof-of-concept AI worm that uses local open-weight LLMs to autonomously reason through networks, generate runtime exploits, and self-replicate—compromising 62% of test hosts without touching commercial AI services or human input.
Anthropic shipped Claude Fable 5 for general use alongside Claude Mythos 5, the identical model with cyber safeguards removed for Project Glasswing partners. Frontier offensive-cyber capability now sits behind a classifier-and-fallback boundary, not absence, and a sanctioned variant ships with that boundary lifted. What it means for defenders.
CVE-2026-23111, a one-character typo in nf_tables, lets unprivileged users escalate to root and escape containers. Patched February 5, exploits published in April and June—update and reboot now.
CVE-2026-50751, a critical logic flaw in Check Point VPN certificate validation, allows unauthenticated attackers to bypass passwords in IKEv1 configurations. Exploitation tied to Qilin ransomware began May 7, targeting dozens of organizations globally.
A self-replicating worm has infected 73 Microsoft GitHub repositories across Azure, Microsoft, and MicrosoftDocs organizations. The Miasma variant exploits legitimate authentication channels to spread exponentially, compromising developer credentials and propagating through AI coding tools.
OpenAI rolls out Lockdown Mode for ChatGPT to mitigate data exfiltration risks from prompt injection attacks. The optional security feature disables web browsing, image support, and file downloads across Free, Plus, Pro, and Business tiers.
Bright Data's SDK embedded in free consumer apps converts always-on smart TVs and mobile devices into residential proxy exit nodes for AI web scraping. Security researchers found unauthenticated peer channels, VPN bypass on iOS, and traffic limits up to 200 GB monthly.
A security startup's autonomous AI agent discovered 21 zero-days in FFmpeg's 1.5 million lines of code for around $1,000, some bugs dormant for 23 years. The same week, Chrome 149 patched a record 429 vulnerabilities as Google overhauls its bounty program to handle the AI-driven submission flood.
Two sophisticated supply chain attacks have compromised over 100 npm packages, deploying a Rust-based information stealer with eBPF rootkit capabilities and a self-propagating worm that exploits AI coding assistants. The campaigns target developer credentials across cloud platforms, cryptocurrency wallets, and CI/CD pipelines.
A single malicious notification from WhatsApp, Slack, or SMS could hijack Google Gemini's voice assistant on Android, enabling attackers to control smart homes, poison AI memory, and fake messages from trusted contacts—no malicious app required.
Unknown attackers maintained persistent access to a senior stock exchange executive's Outlook mailbox for five months, exfiltrating data through consumer cloud services to evade detection. The operation used legitimate tools and infrastructure to blend with normal traffic.
A CVSS 7.8 vulnerability in Anthropic's Claude Code GitHub Action allowed attackers to hijack repositories through prompt injection and authentication bypass. The flaw could have poisoned the official action itself, cascading malicious code to all downstream projects.
A single line of debug code left in production builds of six Microsoft 365 Android apps disabled authentication checks, allowing any app on the device to steal user account tokens without password prompts or user interaction. Microsoft patched the flaw affecting billions of app downloads after Enclave Security disclosed it.
A critical vulnerability in GitHub.dev allows attackers to steal full-access GitHub OAuth tokens through a single malicious link. The exploit leverages VS Code's webview mechanism and extension system to bypass security controls and access all private repositories.
A four-person team's single-month Anthropic bill hit $113,421, more than the annual cost of one of those four people. AI crossed from expense to headcount-class spend, and that unmonitored six-figure channel is now both an attack surface and a gift to invoice-fraud crews.
Exploitation timelines have shrunk from days to hours while median patching times increased to 43 days. AI tools like Claude Mythos identified 10,000+ critical vulnerabilities in one month—and attackers have the same capabilities.
The June 2, 2026 White House executive order pairs aggressive 30-to-60-day federal cyber-defense mandates with a no-licensing stance on frontier AI models, and formally recognizes that frontier models now carry benchmark-worthy offensive cyber capability. What the deadlines mean for critical-infrastructure operators, and how Etairos and Caver already deliver what the order spends 60 days reaching toward.
Russian FSB-linked threat group Gamaredon weaponizes CVE-2025-8088 WinRAR vulnerability to deliver modular malware framework targeting Ukrainian organizations. Attack chain deploys GammaPhish HTML applications, GammaWorm propagation tools, and GammaSteel data theft modules.
The codexui-android npm package, downloaded 29,000 times weekly, has been quietly exfiltrating OpenAI Codex authentication tokens to attacker infrastructure for over a month. The campaign extends to Android apps with 60,000+ combined downloads, targeting AI developer workflows with persistent credential theft.
A sophisticated supply chain attack has compromised multiple Red Hat npm packages, deploying a self-propagating worm that steals credentials, cloud identities, and secrets from developer machines. The attack leverages open-sourced tools from the Shai-Hulud campaigns and uses unique encryption per infection to evade detection.
Red Access investigation reveals over 2,000 corporate applications built with AI development platforms are exposing sensitive data on the open internet. Traditional security tools—EDR, DLP, CASB—weren't designed to detect this new category of Shadow AI risk.
Palo Alto Networks CVE-2026-0257 authentication bypass vulnerability is being actively exploited in the wild, allowing attackers to establish unauthorized VPN connections. Rapid7 confirms successful exploitation across numerous customers dating back to May 17, with threat actors gaining internal network access.
New Russian-speaking threat actor GREYVIBE has deployed AI-assisted malware against Ukrainian military, government, and civilian targets since August 2025. WithSecure researchers identify the group as a hybrid operation blending nation-state objectives with cybercriminal tactics and tooling.
A sophisticated supply chain attack campaign compromised 500 downloads of a fake Sicoob banking SDK on NuGet while 14 malicious npm packages targeted AWS credentials and cloud secrets. The attacks demonstrate attackers moving beyond simple typosquatting to manufactured legitimacy tactics.
Security researchers disclosed ChatGPhish, a vulnerability allowing attackers to embed malicious Markdown links and images in web pages that ChatGPT automatically renders when summarizing content. The attack leverages implicit trust in the AI interface to bypass traditional security controls and deliver phishing content directly through chatgpt.com's response renderer.
Threat actors deployed an LLM agent for post-exploitation after breaching a Marimo notebook via CVE-2026-39987, exfiltrating a complete PostgreSQL database in under two minutes. The attack demonstrates how AI agents enable adaptive, real-time exploitation without pre-staged playbooks.
A critical 9.4 CVSS vulnerability in Gogs allows any authenticated user to achieve remote code execution through malicious branch names during rebase operations. Over 1,100 internet-facing instances remain unpatched since disclosure in March 2026.
Threat actors are exploiting CVE-2026-35616, a critical authentication bypass in FortiClient EMS, to deploy credential-stealing malware disguised as legitimate Fortinet updates. The attack abuses trusted endpoint management infrastructure to compromise every managed device without requiring separate intrusion paths.
CrowdStrike, Google, and Shadowserver Foundation have dismantled all four command-and-control channels of GlassWorm malware, ending a 16-month campaign that poisoned over 300 GitHub repositories and targeted developers through trojanized VS Code extensions and malicious packages.
A Nightwing contractor working for CISA exposed AWS GovCloud keys, Entra ID SAML certificates, and plaintext passwords in a public repo for six months while seven scanner alerts went ignored. The exposure is a hygiene failure; the unanswered question is whether the keys were ever abused.
A malicious npm package named mouse5212-super-formatter exfiltrated files from Claude AI's user directory to attacker-controlled GitHub repositories. The campaign, dubbed Malware-Slop, demonstrates how AI-generated malware is lowering entry barriers for threat actors.
North Korean Lazarus Group is using RemotePE, a sophisticated memory-only remote access trojan, to target financial and cryptocurrency organizations. The malware executes entirely in memory with no filesystem artifacts, making detection extremely difficult.
Push-based MFA is failing organizations as attackers weaponize notification fatigue and social engineering to gain legitimate-looking access. The 2022 Cisco breach proves this technique works even against mature security programs.
The FBI has issued a warning about Kali365, a sophisticated phishing-as-a-service platform specifically designed to harvest Microsoft 365 credentials. The service lowers the technical barrier for cybercriminals to launch convincing credential theft campaigns at scale.
Coordinated cross-ecosystem attack targets developers with 34 malicious packages across 384 versions. Campaign specifically targets crypto, DeFi, Solana, and AI developers to steal credentials, SSH keys, and cloud tokens.
Eight Packagist packages compromised with malicious code hidden in package.json files rather than standard Composer manifests. Attack demonstrates sophisticated cross-ecosystem technique that bypasses conventional PHP security scanning focused solely on composer.json.
GitHub introduces mandatory 2FA-gated staged publishing for npm packages and new install source flags, requiring human approval before packages go live. The changes directly address the surge in supply chain attacks like TeamPCP's widespread poisoning campaign.
Multiple Laravel-Lang PHP packages were compromised to distribute a sophisticated credential stealer targeting cloud credentials, cryptocurrency wallets, and authentication tokens. Over 700 malicious versions were published in rapid succession through compromised organization-level access.
Anthropic's Project Glasswing has uncovered over 10,000 high and critical-severity vulnerabilities in globally critical software within one month of operation. The initiative grants 50 partners early access to Claude Mythos Preview, an AI model capable of autonomous vulnerability discovery that's forcing a fundamental shift in patch cycles.
The NSA Artificial Intelligence Security Center released a Cybersecurity Information Sheet on May 20, 2026 warning that Model Context Protocol deployments carry novel and systemic risks established defenses do not adequately address. The agency calls out serialization risks, trust boundaries, agent misuse, dynamic tool invocation, implicit trust, and context sharing.
Belarus-aligned APT Ghostwriter is targeting Ukrainian government entities with multi-stage JavaScript malware disguised as legitimate Prometheus learning platform communications. The campaign leverages compromised accounts and delivers Cobalt Strike payloads through obfuscated registry-based execution.
Automated campaign injected malicious GitHub Actions workflows into 5,561 repositories within six hours, exfiltrating CI secrets, cloud credentials, and tokens to attacker-controlled infrastructure. The attack used forged identities and throwaway accounts to bypass detection.
A single cached AWS access key exposed 98% of a company's cloud environment. Despite billions in security spending, identity-based attacks succeeded in 90% of 2025 breach investigations because tools can't map how credentials chain into exploitable paths.
GitHub confirmed a breach of internal repositories after an employee device was compromised via a malicious Nx Console VS Code extension. Attackers exfiltrated 3,800 repositories in an attack that was live for only 18 minutes on the Visual Studio Marketplace.
Attackers compromised two popular GitHub Actions repositories, redirecting all existing tags to malicious commits that exfiltrate CI/CD credentials. The attack used imposter commits to bypass pull request reviews and affected any workflow not pinned to specific commit SHAs.
Microsoft has taken down Fox Tempest's malware-signing-as-a-service operation that exploited the company's Artifact Signing system to distribute ransomware and malware to thousands of victims. The service charged criminals $5,000-$9,000 to sign malicious code with fraudulent certificates.
A maximum severity vulnerability (CVSS 10.0) in ChromaDB, a widely-used vector database for AI applications, allows unauthenticated attackers to execute arbitrary code and hijack servers. Organizations running ChromaDB versions before 0.5.15 face immediate risk of complete system compromise.
EvilTokens phishing-as-a-service platform compromised over 340 Microsoft 365 organizations by exploiting OAuth consent flows that sit structurally below MFA controls. Attackers walk away with long-lived refresh tokens that survive password resets and produce no suspicious sign-in events.
Critical heap buffer overflow in NGINX versions 0.6.27 through 1.30.0 is being actively exploited in the wild. The vulnerability, introduced in 2008, allows unauthenticated attackers to crash worker processes or achieve remote code execution on systems without ASLR protection.
Three coordinated attacks on npm, PyPI, and Docker Hub within 48 hours targeted developer credentials rather than code. Attackers are shifting from tampering with software to stealing the access that makes trusted software possible.
A newly disclosed Windows zero-day vulnerability dubbed MiniPlasma allows unprivileged users to escalate to SYSTEM-level access through a flaw in the Print Spooler service. Proof-of-concept code is now publicly available with no patch currently deployed.
The Tycoon2FA phishing-as-a-service platform is hijacking Microsoft 365 accounts by exploiting OAuth device code authentication flows, bypassing multi-factor authentication protections. Security researchers have identified this threat targeting organizations through adversary-in-the-middle attacks since August 2023.
CVE-2026-44338, a critical authentication bypass in PraisonAI's multi-agent orchestration framework, was actively probed within 3 hours and 44 minutes of public disclosure. The flaw affects 32 versions of the Python package and exposes sensitive API endpoints to unauthenticated attackers.
AI models are generating confident but incorrect outputs that drive security decisions, with 36 of 40 tested models more likely to provide wrong answers than correct ones. Organizations deploying AI in cybersecurity operations face risks from missed threats, fabricated alerts, and dangerous remediation recommendations.
Remus infostealer has emerged as a sophisticated Malware-as-a-Service platform targeting browser sessions and credentials. With rapid development cycles and advanced evasion techniques, this threat demands immediate attention from security teams.
Russian FSB-affiliated APT group Turla has re-engineered its Kazuar backdoor from a monolithic framework into a three-tier modular botnet architecture. The transformation enables persistent access through peer-to-peer coordination while reducing detection footprint across compromised government and defense networks.
Anonymous researcher Chaotic Eclipse disclosed two critical Windows zero-days: YellowKey enables BitLocker bypass through Windows Recovery Environment in minutes, while GreenPlasma allows SYSTEM-level privilege escalation via CTFMON. Both vulnerabilities remain unpatched as tensions escalate with Microsoft.
Three malicious versions of the popular Node-IPC npm package contain obfuscated stealer malware designed to exfiltrate developer secrets including AWS, Azure, GCP credentials, and SSH keys. The compromised versions were published after 21 months of package dormancy by a maintainer with no prior publish history.
A grenade-style IED was found underwater at the J.B. Converse Reservoir dam in Mobile, AL on May 13, 2026, the drinking water source for roughly 350,000 residents. Different vector, same target class as the active cyber campaigns against U.S. water systems.
Agentic AI is already running in production environments across organizations, executing tasks and consuming data without security team oversight. The gap between AI deployment speed and security understanding is compounding weekly, creating a supply chain problem that mirrors past technology adoption failures.
TeamPCP threat actors compromised 42 TanStack packages and infiltrated npm/PyPI repositories from Mistral AI, UiPath, OpenSearch, and Guardrails AI using GitHub Actions OIDC token hijacking. The worm produces validly attested malicious packages and includes a destructive wiper component targeting developers who revoke compromised tokens.
RubyGems has temporarily disabled new account registration following a major supply chain attack involving hundreds of malicious packages. The attack targeted the package manager's infrastructure and distributed exploits, prompting Mend.io to suspend signups while the incident is contained.
TeamPCP successfully compromised Checkmarx's Jenkins AST plugin just weeks after breaching the company's KICS Docker image, indicating persistent access or incomplete remediation. The attack targeted the Jenkins Marketplace with a malicious plugin version, escalating concerns about supply chain security in DevSecOps tooling.
Google has identified the first known case of threat actors using AI to develop a zero-day exploit—a 2FA bypass in an open-source administration tool. The discovery marks a watershed moment in offensive security capabilities and signals compressed attack timelines.
Compromised FortiGate VPN credentials led to deployment of three Nightmare-Eclipse PE tools and a previously undocumented Go tunneling agent (BeigeBurrow) just eight days after public toolkit release. All privilege escalation attempts failed.
Attackers compromised JDownloader's official website to replace legitimate installers with Python-based remote access trojan malware. The supply chain attack targeted users of the popular download manager with 1.5 billion downloads worldwide.
A critical out-of-bounds read vulnerability (CVE-2026-7482, CVSS 9.1) in Ollama enables unauthenticated attackers to exfiltrate entire process memory from over 300,000 servers. Two additional unpatched Windows vulnerabilities allow persistent code execution through the update mechanism.
Twelve critical vulnerabilities in the widely-used vm2 Node.js sandbox library allow attackers to escape isolation and execute arbitrary code on host systems. Three vulnerabilities scored perfect 10.0 CVSS ratings, affecting all versions through 3.11.1.
A confused deputy flaw in Claude's 7M-user Chrome extension lets any other extension hijack your AI agent and exfiltrate Google Drive, Gmail, and GitHub — no permissions required. Anthropic's patch was bypassed in 3 hours.
Three malicious PyPI packages delivered ZiChatBot malware to Windows and Linux systems, accumulating 2,480 downloads before removal. The attack leveraged Zulip chat APIs for command-and-control, with code similarities linking it to Vietnam-aligned APT32.
A 9-year-old Linux kernel bug in the AEAD crypto interface lets any local user overwrite any file’s page cache and get root. The exploit is 732 bytes of Python. Researchers published it on April 29 — it works on every major distribution.
A new Linux backdoor called PamDOORa is being sold on Russian cybercrime forums for $1,600, targeting PAM authentication modules to steal SSH credentials and maintain persistent access. The malware represents an evolution beyond open-source PAM backdoors with integrated anti-forensic capabilities.
A sophisticated Linux implant is harvesting developer credentials from npm, PyPI, AWS, Docker, and CI/CD systems to poison software packages. The fileless malware uses dual-layer rootkit architecture and seven persistence mechanisms to maintain long-term access.
NVIDIA's VP of applied deep learning told Axios that compute costs are "far beyond" employee costs for his team. A 2024 MIT study found AI is economically viable in only 23% of roles. Uber's 2026 AI budget is already gone. The economics are still being figured out.
Attackers compromised official DAEMON Tools installers with digitally signed malware starting April 8, 2026, infecting thousands across 100+ countries. Only a dozen organizations received second-stage payloads, indicating sophisticated targeting of government, manufacturing, and research entities.
New credential theft framework PCPJack exploits five CVEs to spread worm-like across cloud environments while deliberately removing TeamPCP artifacts. The campaign targets Docker, Kubernetes, and multiple cloud services to harvest credentials from cloud, container, and financial platforms.
Iranian state-sponsored group MuddyWater deployed fake ransomware attacks via Microsoft Teams social engineering to mask credential theft and persistence operations. The campaign abused legitimate remote access tools and bypassed traditional encryption workflows in favor of data exfiltration.
Gartner confirms AI agent deployment is outpacing governance capabilities. Roughly 50% of enterprise identity activity now occurs outside centralized IAM visibility, creating an invisible layer of unmanaged access that traditional security tools cannot see.
Large-scale scan of 2 million hosts reveals self-hosted AI infrastructure is more vulnerable than any software category previously analyzed. Over 1,600 Ollama APIs responded to unauthenticated requests, exposing everything from personal chatbots to cloud management systems.
Attackers compromised Context.ai via Lumma Stealer, harvested OAuth tokens, and pivoted into Vercel's infrastructure to reach 700+ enterprise customers including Cloudflare, Palo Alto, and Zscaler.
Four npm packages in the SAP CAP ecosystem were hijacked in the Mini Shai-Hulud campaign, exfiltrating CI/CD secrets and npm tokens from 1,800+ developers with 570K+ combined weekly downloads.
Attackers hijacked the Axios npm maintainer account in March 2026 and published two versions containing a cross-platform remote access trojan that erased its own install traces after execution.
A fake @bitwarden/cli package lived 90 minutes on npm, pulled 334 times, and deployed a credential harvester plus the first known malware specifically engineered to extract secrets from AI coding assistant sessions.
ShinyHunters breached Vimeo by compromising Anodot, a third-party analytics vendor with a trusted integration, extracting 119K email addresses before dumping the data after extortion demands were refused.
ShinyHunters dumped 100GB of McGraw-Hill data after a Salesforce misconfiguration exposed 13.5 million records, the third major Salesforce-vector breach claimed by the group in two months.
ShinyHunters social-engineered an ADT employee into handing over their Okta SSO credentials. One phone call gave attackers access to Salesforce and 5.5 million customer records.
A 48-hour phishing campaign used AI-generated code of conduct violation emails to target 35,000 Microsoft 365 users. AiTM relay bypassed MFA entirely, capturing live session tokens.
The EvilTokens PhaaS campaign exploited Microsoft's OAuth device code flow to capture persistent refresh tokens across 340 organizations in five countries. MFA provided no protection.
ShinyHunters listed Medtronic on their breach marketplace April 17, claiming 9 million patient records and terabytes of corporate data from the maker of pacemakers and insulin pumps.
Everest ransomware listed Fiserv on May 3 with 1,064 user credentials and 170 vendor credentials claimed. Fiserv processes payments for 10,000+ financial institutions.
A third-party vendor breach exposed Booking.com customer reservation details including travel dates, home addresses, and special requests. Targeted phishing hit affected users within days.
Japanese police arrested three minors who automated 220,000 fraudulent signups using ChatGPT. No prior coding experience required.
One attacker, nine agencies, 195 million citizen records. Claude Code executed 75% of the remote commands used in the campaign.
Threat actor GTG-2002 used Claude Code to fully automate cyber extortion across 17 targets in one month. Anthropic detected and disclosed the campaign.
Google GTIG found malware that queries the Gemini API on an hourly schedule to regenerate its own VBScript code. Signature-based detection is useless against it.
Google GTIG confirmed APT28 deployed PROMPTSTEAL in Ukraine operations. The tool queries Qwen2.5-Coder via Hugging Face to generate attack commands dynamically.
CISA officials are evaluating a 3-day patching SLA for actively exploited CVEs. The stated justification is AI-compressed exploit timelines. Enterprise IT is not ready.
A use-after-free in Chrome's WebGPU Dawn engine is being exploited in the wild. CISA added it to the KEV catalog with a 14-day federal patch deadline.
An auth bypass in cPanel/WHM was exploited from Feb 23 to Apr 28 with no patch available, compromising 44,000+ servers and putting 1.5 million at risk.
Microsoft patched 163 CVEs including a wormable kernel RCE in the Windows TCP/IP stack and two zero-days already under active exploitation at release.
GRU-linked APT28 exploited unpatched TP-Link routers to perform DNS hijacking, intercepting M365 logins and capturing session tokens from NATO and Ukrainian targets.
Lazarus Group created two US shell companies to run fake developer interviews, delivering a 3-stage malware chain targeting cryptocurrency wallet private keys.
CVE-2026-0625 in four EOL D-Link router models has been exploited by Mirai since November 2025. D-Link confirmed no patch is coming; replacement is the only fix.
OAuth tokens connected to Google and Microsoft environments bypass MFA, never expire, and persist after employee departures. New research shows 80% of security leaders recognize the risk, but 45% do nothing to monitor these persistent access grants at scale.
Mythos generates functional exploit code at 72.4% accuracy. The NHS locked down 850 repos. They're not wrong — here's what that actually means for your security posture.
Microsoft Edge loads every saved password into unencrypted memory at launch and keeps them there. Microsoft calls it working as intended. Your engineering workstation is probably running Edge.
CyberAv3ngers actively compromising Unitronics PLCs in water treatment, energy, and manufacturing. Live exposure data, incidents, and assessment guidance.