A single leaked username and password for a European fourth-party engineer granted access to a central Next Generation Operations Support System (NGOSS) portal that managed operational dashboards for over 200 airports, exposing live infrastructure inventories, device statuses, and network diagnostic tools. SVigil detected the credential circulation and the vendor revoked access and enforced emergency MFA to avert potentially massive DoS and baggage-reconciliation outages. #SVigil #NGOSS
Amaranth-Dragon (a nexus linked to APT-41) ran highly targeted 2025 espionage campaigns across Southeast Asia using weaponized archives that exploited WinRAR CVE-2025-8088, custom Amaranth Loader, Havoc C2, and a new Telegram-based TGAmaranth RAT. The campaigns used geo-restricted Cloudflare-protected C2s, legitimate hosting (Dropbox, Pastebin), DLL sideloading, and payload encryption to maximize stealth and persistence. #Amaranth-Dragon #TGAmaranth
Amaranth Dragon, a threat actor linked to APT41, has been conducting espionage attacks against government and law enforcement organizations across Southeast Asia by exploiting the WinRAR path traversal flaw CVE-2025-8088. The group used legitimate tools alongside a custom Amaranth Loader and Cloudflare-backed C2 infrastructure to deliver encrypted payloads (including the Havoc framework and the TGAmaranth RAT), employ strict geofencing, and maintain stealth and persistence. #AmaranthDragon #CVE2025-8088 #WinRAR #TGAmaranthRAT
ShinyHunters claims it stole data from over 14 million Panera Bread accounts and leaked a 760MB archive after Panera refused to pay extortion demands. The group said it accessed systems using a Microsoft Entra SSO code obtained through a vishing campaign, and HIBP reported roughly 5.1 million unique email addresses and…
Security researchers attribute the Notepad++ update hijacking to the Chinese state-linked APT Lotus Blossom, which abused the project’s update infrastructure to deliver a newly identified backdoor called Chrysalis to targeted victims. The trojanized NSIS installer sideloaded a renamed Bitdefender Submission Wizard (BluetoothService.exe) to load encrypted shellcode and a malicious DLL, using…
SecurityWeek’s Cyber Insights 2026 gathers experts who warn that cyberwarfare – driven by nation-state pre-positioning, AI-enabled operations, and rising geopolitical tensions – will escalate faster than criminal cybercrime in 2026. The report highlights blurred lines between criminal and state actors, the difficulty of attribution, and the need for improved detection, resilience,…
New Cyble research shows ransomware attacks rose about 30% since late 2025 and continued into January 2026, with many incidents targeting software and manufacturing supply chains. Top groups such as Qilin and CL0P led high-volume claims while several major supply-chain-related breaches and new ransomware affiliates increased the overall threat. #Qilin #CL0P…
Rublevka Team is an affiliate-driven cryptoscam operation that uses JavaScript-based Solana wallet drainers embedded in spoofed landing pages to trick victims into connecting wallets and signing malicious transactions, generating approximately $10.9 million in reported profits. Their infrastructure and monetization include a Telegram bot for campaign automation, shared and rotating domains, ready-made landing pages, and support for many wallet types (notably Phantom) to drain SOL and SPL tokens. #RublevkaTeam #Solana
Daily Recap: attackers hijacked an OpenVSX publisher to push the GlassWorm macOS infostealer via malicious extension updates and tampered with Notepad++ updates, while researchers uncovered 341 ClawHub skills, an OpenClaw one-click RCE stemming from a critical token-exfiltration bug (CVE-2026-25253), and MoltBot being used to push password-stealing malware across developer ecosystems. The Microsoft section notes APT28 exploiting CVE-2026-21509 to deploy the Covenant loader, NTLM being phased out in favor of Kerberos, a Windows shutdown bug affecting Windows 11 and 10 with a temporary workaround, ShinyHunters expanding extortion to vishing and MFA-credential harvesting alongside the Panera Bread breach, and destructive attacks on Polish energy sites via Fortinet devices, with Mozilla adding an AI controls panel in Firefox and policy moves toward stronger age verification and platform oversight. #GlassWorm #OpenVSX #Notepad++ #ClawHub #OpenClaw #MoltBot #AtomicStealer #CVE-2026-25253 #CVE-2026-21509 #APT28 #CovenantLoader #NTLM #Kerberos #PaneraBread #ShinyHunters #Sandworm #PolandGrid #Fortinet #Firefox #VirtualSecureMode
Datadog Security Research uncovered an active campaign that injects malicious NGINX configuration blocks to intercept and proxy legitimate web traffic through attacker-controlled backends. The toolkit automates discovery, injection, persistence, and exfiltration, targeting Baota panel and several Asian TLDs. #React2Shell #Baota
A sophisticated Iranian state-sponsored espionage campaign attributed to APT42 has used patient social engineering to compromise senior defense and government officials before deploying a modular PowerShell backdoor called TAMECAT. TAMECAT operates primarily in memory with modules for browser data theft, screen capture, file crawling, hardcoded AES-256 configuration, and Telegram-based C2 over…
Mountain View has paused its Flock Safety ALPR pilot and turned off all cameras after discovering that out-of-state and nationwide searches accessed the city’s license plate data without authorization. The breach exposed vendor transparency and access-control failures, prompting a City Council review and renewed debate over vendor-managed surveillance. #FlockSafety #MountainView…
Universidad Autónoma de Sinaloa (UAS) reportedly suffered a data breach that exposed personal records for 55,566 students and 12,418 professors, which were posted on a popular hacking forum. The leaked database allegedly includes highly sensitive identifiers and contact information such as full names, CURP, account numbers, addresses, phone numbers, emails, and…
A newly disclosed critical vulnerability in the vLLM Python package (CVE-2026-22778) allows remote code execution by submitting a malicious video URL to multimodal API endpoints, putting millions of AI servers at risk. The flaw stems from a PIL memory-address disclosure combined with a JPEG2000 heap overflow in FFmpeg (bundled with OpenCV);…
French lawmakers approved a social media ban for children under 15 and restrictions on mobile phone use in high schools, passing the bill 130-21 in the National Assembly with implementation expected in September pending Senate review. The measure, championed by President Emmanuel Macron and aligned with recent actions in Australia and…