top of page

ALL POSTS

Bitwarden CLI Compromised in Supply Chain Attack Through Checkmarx

Key Findings Bitwarden CLI version 2026.4.0 was compromised through a malicious GitHub Action in the project's CI/CD pipeline, affecting the npm distribution mechanism The attack was part of the ongoing Checkmarx supply chain campaign, likely orchestrated by threat actor TeamPCP Malicious code in bw1.js executed a preinstall hook that stole GitHub tokens, npm credentials, SSH keys, cloud secrets, and shell history Stolen data was exfiltrated to a fake Checkmarx domain (audit.

UNC6692 Impersonates IT Helpdesk via Microsoft Teams to Distribute SNOW Malware

Key Findings UNC6692 is a previously undocumented threat group using Microsoft Teams to impersonate IT helpdesk staff and deploy custom SNOW malware Attack chain begins with email bombing campaigns followed by Teams-based social engineering to build false urgency Victims are tricked into clicking phishing links that download AutoHotkey scripts deploying SNOWBELT browser extension SNOW malware ecosystem is modular, including SNOWBELT backdoor, SNOWGLAZE tunneler, and SNOWBASIN

Harvester Deploys Linux GoGra Backdoor Across South Asia via Microsoft Graph API

Key Findings Harvester APT group deployed a new Linux variant of GoGra backdoor targeting South Asia, with samples linked to India and Afghanistan Malware abuses Microsoft Graph API and Outlook mailboxes as covert command-and-control infrastructure, bypassing traditional network defenses Linux and Windows versions share nearly identical code and identical developer mistakes, indicating same development team Attack chain uses social engineering to distribute ELF binaries disgu

Supply Chain Worm Spreads Through npm Packages to Steal Developer Authentication Tokens

Key Findings Self-propagating worm dubbed CanisterSprawl detected in six npm packages, spreading via stolen developer credentials Malware executes during package installation to harvest npm tokens, SSH keys, cloud credentials, and browser data Stolen tokens enable attackers to push poisoned package versions, creating a self-replicating supply chain attack Exfiltration occurs through HTTPS webhook and ICP canister infrastructure designed to resist takedowns Campaign includes c

Mustang Panda Deploys Enhanced LOTUSLITE Backdoor Against India and South Korea

Key Findings Mustang Panda, a China-linked hacking group, launched coordinated campaigns in March 2026 targeting India's financial sector and South Korean policy circles The group deployed an updated LOTUSLITE v1.1 backdoor with improved obfuscation techniques and modified command structures Indian banking workers were targeted via fake HDFC Bank support files, while South Korean diplomats received spear-phishing emails impersonating a former US National Security Council offi

Microsoft Issues Emergency Patch for Critical ASP.NET Core Privilege Escalation Vulnerability CVE-2026-40372

Key Findings Microsoft released out-of-band patches for CVE-2026-40372, a critical ASP.NET Core privilege escalation vulnerability with a CVSS score of 9.1 Successful exploitation allows attackers to gain SYSTEM-level privileges and access sensitive files The flaw stems from improper cryptographic signature verification in the DataProtection library versions 10.0.0-10.0.6 Exploitation requires three specific conditions: vulnerable NuGet package in use, runtime loading of the

Lotus Wiper Malware Campaign Targets Venezuelan Energy Infrastructure in Coordinated Destructive Attack

Key Findings Previously undocumented data wiper dubbed Lotus Wiper deployed against Venezuelan energy and utilities sector in late 2025 and early 2026 Multi-stage attack uses two batch scripts to disable system defenses before executing the wiper payload, which overwrites drives and deletes all recoverable data No ransom demands present, indicating destructive intent rather than financial motivation Malware compiled September 2025, uploaded December 2025, suggesting attackers

The Ungoverned Workforce: 92% of Organizations Lack AI Identity Visibility, Cybersecurity Report Reveals

Key Findings 92% of organizations lack full visibility into AI identities operating within their systems 71% of CISOs confirm AI tools have access to critical systems like Salesforce and SAP, but only 16% report this access is governed effectively 95% of security leaders doubt their ability to detect or contain AI misuse 75% of organizations have already discovered unsanctioned AI tools running in their environments 86% do not enforce formal access policies for AI identities

SystemBC C2 Infrastructure Exposes Over 1,570 Victims Connected to The Gentlemen Ransomware Campaign

Key Findings A compromised SystemBC C2 server linked to The Gentlemen ransomware operation revealed over 1,570 infected corporate networks globally The Gentlemen has claimed more than 320 victims since emerging in July 2025, establishing itself as one of the most prolific ransomware groups The group targets Windows, Linux, NAS, and BSD systems using Go-based encryption and demonstrates sophisticated defense evasion tactics SystemBC establishes SOCKS5 tunnels using custom RC4-

Ransomware Negotiator Guilty of Secretly Supporting BlackCat Extortion Operations

Key Findings Angelo Martino, 41-year-old ransomware negotiator from Florida, pleaded guilty to assisting the BlackCat ransomware group while employed at a U.S. incident response firm Martino leaked confidential client information including insurance limits and negotiation strategies to BlackCat operators, enabling higher ransom demands across five victim cases starting April 2023 He conspired with two other cybersecurity professionals, Ryan Goldberg and Kevin Martin, to deplo

Identity-Based Attacks: How Adversaries Bypass Security by Walking Through the Front Door

Key Findings Stolen credentials remain the most reliable initial access vector for attackers, despite industry focus on zero-days and sophisticated exploits Identity-based attacks are accelerating due to AI automation of credential testing, custom tooling development, and phishing sophistication Traditional linear incident response models fail against real-world breaches that evolve and expand unpredictably The Dynamic Approach to Incident Response (DAIR) uses iterative loops

Anthropic MCP Design Flaw Exposes Critical RCE Risk in AI Supply Chain

Key Findings Critical "by design" vulnerability in Anthropic's Model Context Protocol (MCP) architecture enables remote code execution (RCE) on any system running vulnerable MCP implementations Unsafe defaults in STDIO transport interface configuration allow attackers to execute arbitrary OS commands and access sensitive data, API keys, and chat histories Vulnerability affects over 7,000 publicly accessible servers and software packages totaling more than 150 million download

Scattered Spider Hacker Tyler Buchanan Pleads Guilty to $8M Crypto Theft and Corporate Computer Hacking

Key Findings Tyler Robert Buchanan, 24, from Dundee, Scotland pleaded guilty to hacking dozens of companies and stealing at least $8 million in cryptocurrency Arrested in Spain in May 2024 after entering via Barcelona; extradited to US custody where he has remained since April 2025 Used SMS phishing campaigns targeting corporate employees between 2021 and 2023 to steal login credentials and access systems Employed SIM swap attacks and intercepted two-factor authentication cod

Claude Opus Generated a Chrome Exploit for $2,283

Key Findings Claude Opus 4.6 successfully generated a functional Chrome exploit chain for $2,283 in API costs across 2.33 billion tokens The exploit targeted Discord's bundled Chrome version 138, which lagged nine major versions behind current upstream releases Exploit development required approximately 20 hours of human guidance, with the AI frequently getting stuck and requiring operator intervention Bug bounty programs like Google's v8CTF offer $5,000-$10,000 per valid exp

Vercel Breach Linked to Context AI Hack Exposes Limited Customer Credentials

Key Findings Vercel suffered a breach stemming from the compromise of Context.ai, a third-party AI tool used by an employee Attackers used the compromised account to access internal Vercel systems and non-sensitive environment variables Sensitive environment variables stored in encrypted format show no evidence of unauthorized access A limited subset of customers had credentials compromised and have been notified Threat actor ShinyHunters claimed responsibility and is alleged

Rising Cyber Threats Drive Escalating Cargo Theft Crisis in Global Logistics

Key Findings Coordinated cyber attacks on logistics and trucking companies are directly enabling real-world cargo theft linked to organized crime North American cargo theft losses reached 6.6 billion dollars in 2025, with cyberattacks playing a central role Threat actors use remote management tools to maintain persistent access and coordinate freight theft operations Attackers deployed a novel "signing-as-a-service" technique to evade detection and establish trusted remote ac

ShowDoc Vulnerability From 2020 Patch Now Exploited in Active Server Takeovers

Key Findings Five-year-old ShowDoc vulnerability (CVE-2025-0520) is being actively exploited in global server attacks CVSS score of 9.4 indicates critical severity allowing remote code execution and full server takeover Unrestricted file upload flaw enables attackers to bypass authentication and deploy web shells without credentials Over 2,000 ShowDoc instances remain exposed online, primarily in China, many running unpatched versions US-based security canary confirmed active

Operation PowerOFF: 75,000 DDoS-for-Hire Service Users Identified and Warned

Key Findings Law enforcement from 21 countries completed a major crackdown on DDoS-for-hire services on April 13, 2026, resulting in 4 arrests and seizure of 53 web domains Over 75,000 warning letters and emails were sent to users of illegal DDoS services, targeting young people and hobbyists Authorities identified details on more than 3 million criminal user accounts during the investigation Operation PowerOFF deployed innovative enforcement tactics including Google ads and

Hidden VMs: How Hackers Leverage QEMU to Steal Data and Spread Malware Stealthily

Key Findings Sophos researchers identified a significant uptick in threat actors using QEMU, an open-source emulator, to hide malware in virtual machines and evade detection Two distinct campaigns since late 2025 leverage QEMU for defense evasion: STAC4713 linked to PayoutsKing ransomware and STAC3725 exploiting CitrixBleed2 Attackers use hidden VMs to maintain long-term access, steal credentials and data, deploy ransomware, and leave minimal forensic traces on host systems T

Grinex Exchange Collapses Following $13.7M Cyber Attack, Cites Western Intelligence Involvement

Key Findings Kyrgyzstan-based crypto exchange Grinex shut down operations after suffering a $13.7 million cyber heist on April 15, 2026 The exchange blamed Western intelligence agencies for the attack, claiming it showed "unprecedented level of resources and technology" Stolen funds belonged to Russian users, with over 1 billion rubles taken from customer wallets Hackers quickly converted stolen USDT to TRX or ETH to prevent Tether from freezing the assets Grinex is believed

  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page