Cybersecurity News | Daily Recap [28 May 2026]

Daily Recap, Sentencing and breach headlines dominated today: a Romania-linked hacking case ended in a 5-year prison term for targeting Oregon government systems, while Carnival Cruise confirmed a data breach affecting nearly 6 million people; a separate sextortion conviction brought a 33-year sentence for targeting 145 children. On the threat side, Grandoreiro malware and the BTMOB RAT campaign continue cross-platform targeting across Windows and Android, alongside GPU mining malware spreading via SEO poisoning and AI chatbots, plus an npm package that reportedly stole files from a Claude AI user directory on GitHub.
#Oregon #RomaniaHack #CarnivalCruise #Grandoreiro #BTMOB #Sextortion #Edamame #npm #ClaudeAI #GitHub #SEOpoisoning #AIChatbots

Cybersecurity News | Daily Recap [28 May 2026]

Daily Recap, CISA ordered U.S. agencies to patch an actively exploited LiteSpeed cPanel plugin zero-day within 4 days, while Microsoft released a fix for a SharePoint RCE flaw and KnowledgeDeliver was exploited as a zero-day to deploy web shells. The FBI warned that Silent Ransom is using in-person tactics like operatives inserting USB drives to steal data, and Glassworm’s botnet was disrupted after a takedown of its C2 infrastructure. #LiteSpeed #cPanel #SharePoint #KnowledgeDeliver #SilentRansom #FBI #ShinyHunters #Charter #MuddyWater #DLLsideloading #LA_Metro #Iran #GRU #Russian #Glassworm #C2 #USBdrives

Cybersecurity News | Daily Recap [28 May 2026]

Daily Recap, AI security and governance advancements stood out as AppOmni launched Marlin AI for autonomous SaaS security investigations and Varonis Atlas added the Claude Compliance API to strengthen AI governance and compliance controls. In threat and patching coverage, an Iranian APT targeted aviation and software firms with updated tools, CISA ordered federal agencies to patch an actively exploited Drupal flaw, and 7-Eleven disclosed a breach impacting about 185,000 people. #AppOmni #MarlinAI #VaronisAtlas #ClaudeComplianceAPI #IranianAPT #Drupal #CISA #7-Eleven #MicrosoftDefender

Cybersecurity News | Daily Recap [28 May 2026]

Daily Recap, Ghost CMS (CVE-2026-26980) flaws were actively exploited in a large-scale ClickFix campaign to compromise 700+ websites via malicious redirects and payload delivery, while the FBI warned that Kali365 is used to phish Microsoft 365 accounts. The recap also covered healthcare data breaches at the Oncology Institute and Radiology Associates of Richmond (266,000 affected), supply-chain risks involving poisoned Laravel-Lang packages, and broader threat activity including YellowKey and GreenPlasma along with APT activity from Screening Serpens, Nimbus Manticore, and Void Dokkaebi. #GhostCMS #CVE-2026-26980 #ClickFix #Kali365 #Microsoft365 #OncologyInstitute #RadiologyAssociatesofRichmond #Laravel-Lang #AnthropicMythos #Mythos #TrapDoor #MiniShaiHulud #JDownloader #r77 #GeminiCLI #ClaudeCode #YellowKey #GreenPlasma #ScreeningSerpens #NimbusManticore #VoidDokkaebi #CoinbaseCartel #TheGentlemen

Threat Research | Weekly Recap [24 May 2026]

Cybersecurity Threat Research ‘Weekly’ Recap. Attackers continued to exploit the software supply chain and developer ecosystems, including crypto-stealers like #TrapDoor and #MiniShaiHulud-style install payloads, typosquatted modules with DNS backdoors, and trojanized JDownloader deliverables that included the #r77 rootkit bot. The recap also covers AI- and SEO-lure campaigns impersonating #GeminiCLI and #ClaudeCode, newly disclosed Windows zero-days #YellowKey and #GreenPlasma, and regional APT activity from #ScreeningSerpens, #NimbusManticore, #VoidDokkaebi, plus continuing crime waves involving #CoinbaseCartel and #TheGentlemen, alongside infrastructure abuse tracked through #VBCloud and #EchoCreep.
#TrapDoor #MiniShaiHulud #Coruna #JDownloader #r77 #GeminiCLI #ClaudeCode #YellowKey #GreenPlasma #LummaStealer #PurpleFox #ScreenConnect #LogMeInRescue #ScreeningSerpens #NimbusManticore #CloudAtlas #VBCloud #PowerShower #RevSocks #Webworm #EchoCreep #GraphWorm #UNG0002 #CobaltStrike #InvisibleFerret #BeaverTail #CoinbaseCartel #TheGentlemen #ShinyHunters #Andariel #AgentTesla #ValleyRAT #BananaRAT #Kubernetes #CVE-2021-25740

Cybersecurity News | Daily Recap [28 May 2026]

Daily Recap, Exploited vulnerabilities and zero-days dominated the news: LiteSpeed cPanel Plugin CVE-2026-48172 is being abused for root access, Drupal core SQL injection issues are being actively exploited and were added to CISA KEV, and Trend Micro warned that an Apex One zero-day is in use in the wild. Phishing activity also accelerated, with the FBI flagging the Kali365 phishing-as-a-service kit targeting Microsoft 365 tokens, while Ghostwriter used Prometheus to target Ukrainian government entities, and authorities pursued infrastructure actions including the dismantling of a global VPN service linked to 25 ransomware groups. #CVE-2026-48172 #LiteSpeed #cPanel #root #Drupal #CISAKEV #DrupalSQLi #ApexOne #Kali365 #Microsoft365 #FBI #Ghostwriter #Prometheus #Ukraine #VPN #Netherlands #Webworm #Discord #MicrosoftGraph

Cybersecurity News | Daily Recap [28 May 2026]

Daily Recap, A wave of urgent patches hit Drupal, Ubiquiti (UniFi OS), Cisco, Microsoft Defender, TrendAI, and Apex One, including in-the-wild exploitation of a Drupal SQLi and an Apex One zero-day. In addition, Google accidentally exposed details of an unfixed Chromium issue, while botnet and malware reporting covered the alleged Kimwolf operation, Showboat Linux activity against Middle East telecoms, and BYOVD-driven exploit chains. #Drupal #UniFiOS #ApexOne #Kimwolf #Showboat #Chromium #CISA #KEV

Cybersecurity News | Daily Recap [28 May 2026]

Daily Recap, Cisco patched a critical Secure Workload flaw that could grant site admin privileges, while Microsoft addressed exploited Defender zero-days and mitigated the YellowKey BitLocker bypass; Drupal disclosed a highly critical core issue impacting PostgreSQL (RCE), and SonicWall cautioned that incomplete VPN MFA patching could enable bypasses. On the threat and supply-chain fronts, GitHub linked a repo breach to the TanStack npm supply-chain attack, which later led to a Grafana incident after missed token rotation; Webworm activity used EchoCreep and GraphWorm via Discord and the MS Graph API; and law enforcement action included seizure of the First VPN service used in ransomware and data-theft attacks. Broader AI, identity, and platform enforcement themes were highlighted by Microsoft’s RAMPART and Clarity efforts and an FTC Take It Down Act warning. #Cisco #SecureWorkload #Microsoft #Defender #YellowKey #Drupal #PostgreSQL #SonicWall #TanStack #npm #Grafana #EchoCreep #GraphWorm #Discord #MSGraph #FirstVPN #TakeItDownAct

Cybersecurity News | Daily Recap [28 May 2026]

Daily Recap, GitHub confirmed multiple internal repository compromises tied to a malicious VS Code extension, with claims of roughly 3,800–4,000 affected repositories and source code exposure impacting Grafana via a TanStack npm attack. The roundup also covered the Shai-Hulud npm supply-chain campaign targeting 600 packages (with Mini Shai-Hulud expanding further), plus Microsoft disruption of a malware-signing service linked to Fox Tempest, alongside fixes and advisories across Windows, Azure, Drupal, ChromaDB, Linux, and major fraud cases. #VSCode #Grafana #TanStack #TanStacknpm #ShaiHulud #MiniShaiHulud #FoxTempest #YellowKey #Drupal #ChromaDB #PinTheft #Trapdoor #ShinyHunters #7Eleven #Luxembourg #Huawei #CISA #Discord #DBIR2026

Cybersecurity News | Daily Recap [28 May 2026]

Daily Recap, Security experts say AI Bills of Materials (AI BOMs) could become practical by 2026 as organizations push for transparency and governance, while teams are warned that connecting AI to financial accounts and managing shadow AI can shift privacy and cyber-risk tradeoffs. On the threat side, developer tooling and ecosystems are under pressure from supply chain and credential-stealing activity (Nx Console, Mini Shai-Hulud, Shai-Hulud, GitHub Actions), and attackers continue stealthy infection techniques using MSHTA and new SHub macOS infostealer variants. #AI_Bills_of_Materials #Nx_Console #Mini_Shai-Hulud #Shai-Hulud #GitHub_Actions #MSHTA #SHub #ChromaDB #INTERPOL_Operation_Ramz #Grafana

Cybersecurity News | Daily Recap [28 May 2026]

Daily Recap, Multiple breaches and supply-chain weaknesses dominated headlines, including 7-Eleven confirming a breach tied to a ShinyHunters ransom demand and Grafana warning that a stolen GitHub token enabled attackers to steal part of its codebase. On the exploit and identity fronts, DirtyDecrypt Linux privilege escalation, in-the-wild exploitation of NGINX CVE-2026-42945, the Windows MiniPlasma zero-day (SYSTEM access), and Tycoon2FA device-code phishing targeting Microsoft 365 accounts were highlighted. #ShinyHunters #7-Eleven #Grafana #GitHub #DirtyDecrypt #NGINX #CVE-2026-42945 #MiniPlasma #OpenClaw #ClawChain #Tycoon2FA #Microsoft365 #BlackFile #UNC6671 #Qilin #TheGentlemen #Kimsuky #Gamaredon #Pwn2OwnBerlin2026 #KB5089549

Threat Research | Weekly Recap [24 May 2026]

Cybersecurity Threat Research ‘Weekly’ Recap. The roundup highlights multiple supply-chain and identity attacks, including TeamPCP’s workflow poisoning, malicious npm republishing via node-ipc, and AI-assisted device-code phishing operations tied to BlackFile / UNC6671 and Tycoon 2FA. It also covers credential stealer delivery and evolving ransomware/extortion dynamics (e.g., Qilin and The Gentlemen), alongside state-sponsored espionage/influence campaigns like Kimsuky, Gamaredon, FrostyNeighbor, Fast16, and Doppelgänger.

Cybersecurity News | Daily Recap [28 May 2026]

Daily Recap, Active exploitation activity focused on WordPress and e-commerce attacks, including Funnel Builder issues enabling WooCommerce checkout skimming and Avada Builder flaws that can steal site credentials, alongside a critical NGINX vulnerability with publicly available PoC code. On the defensive and risk side, CISA directed U.S. federal agencies to patch an actively exploited Cisco SD-WAN bug, while supply-chain threats continued with OpenAI warning macOS users to update after a TanStack npm incident and node-ipc being compromised to steal credentials; researchers also published new findings on Turla’s Kazuar and the OpenClaw vulnerability cluster. #FunnelBuilder #WooCommerce #AvadaBuilder #NGINX #CiscoSD-WAN #CISA #TanStack #node-ipc #Turla #Kazuar #OpenClaw #THORChain #MicrosoftExchange #Windows11 #TakeItDownAct #FTC #TinaPeters #JaredPolis

Cybersecurity News | Daily Recap [28 May 2026]

Daily Recap, Microsoft warned that an Exchange Server zero-day is actively exploited, while Cisco faced an exploited SD-WAN auth-bypass and an 18-year-old NGINX flaw enabling DoS and potential RCE. OpenAI confirmed a TanStack-related supply-chain breach, and Ghostwriter used geofenced PDF phishing with Cobalt Strike against the Ukrainian government.
#ExchangeServer #Microsoft #Cisco #SD-WAN #NGINX #WordPress #BurstStatistics #OpenAI #TanStack #NodeIPC #Ghostwriter #UkrainianGovernment #CobaltStrike #ShaiHulud #TeamPCP #MistralAI #AmericanLendingCenter

Cybersecurity News | Daily Recap [28 May 2026]

Daily Recap, Microsoft pushed May Patch Tuesday fixes for 137 vulnerabilities (including 13 critical flaws) and addressed a zero-click Outlook issue, while Fortinet flagged critical RCE risks in FortiSandbox and FortiAuthenticator and Exim disclosed a BDAT flaw impacting GnuTLS-built systems. Across supply chain and incidents, RubyGems suspended new signups after hundreds of malicious packages tied to the Mini Shai-Hulud campaign, while Foxconn confirmed disruption tied to the Nitrogen ransomware gang and OpenLoop Health disclosed exposure affecting 716,000 people.
#MayPatchTuesday #Outlook #FortiSandbox #FortiAuthenticator #Exim #GnuTLS #RubyGems #MiniShaiHulud #TrickMo #TONC2 #Foxconn #Nitrogen #OpenLoopHealth #Canvas #Instructure #Daybreak #Exaforce #WhiteCircle #Android17 #Signal
