
ALL POSTS

Malicious VS Code AI Extensions Threaten Developer Security

Key Findings: Two malicious Microsoft Visual Studio Code (VS Code) extensions, disguised as AI-powered coding assistants, have over 1.5 million combined installs and are stealing developer source code. The extensions, "ChatGPT - 中文版" and "ChatGPT - ChatMoss(CodeMoss)", capture every file being opened and every source code modification, and send the data to servers located in China without user knowledge or consent. The extensions also incorporate real-time monitoring and devic

Targeted Indian Users in Tax Phishing Campaign Delivering Blackmoon Malware

Key Findings: Ongoing campaign targeting Indian users with a multi-stage backdoor as part of a suspected cyber espionage operation Phishing emails impersonating the Income Tax Department of India to trick victims into downloading a malicious archive Malware known as Blackmoon (aka KRBanker) and a legitimate enterprise tool called SyncFuture TSM used as the final payload Sophisticated attack involving anti-analysis, privilege escalation, DLL sideloading, commercial-tool repurp

Abandoned Python PLY Library Harbors Critical RCE Vulnerability (CVSS 9.8)

Key Findings A critical vulnerability (CVE-2025-56005) with a CVSS score of 9.8 has been discovered in the PLY (Python Lex-Yacc) library, a popular parsing library used in the Python community. The vulnerability allows Remote Code Execution (RCE) and stems from an undocumented "picklefile" parameter in the `yacc()` function. The issue is caused by the unsafe deserialization of untrusted data using Python's `pickle.load()` method. The project's maintainer, David Beazley, has a

Konni Hackers Target Blockchain Developers with AI-Generated PowerShell Backdoor

Key Findings: The North Korean threat actor Konni has been observed using PowerShell malware generated using artificial intelligence (AI) tools to target developers and engineering teams in the blockchain sector. The phishing campaign has targeted Japan, Australia, and India, highlighting the adversary's expansion of the targeting scope beyond South Korea, Russia, Ukraine, and European nations. Konni, also tracked as Earth Imp, Opal Sleet, Osmium, TA406, and Vedalia, has been

Linux Kernel Patch: Addressing a 5-Year-Old x86 Memory Handling Vulnerability

Key Findings: A critical vulnerability has been discovered in the Linux kernel's x86 page fault handling mechanism, existing since 2020. The flaw was caused by inconsistent disabling of hardware interrupts, leading to potential catastrophic scenarios. The vulnerability was not limited to user-space address errors, but involved a more complex interplay between address ranges and execution context. The remediation required a fundamental shift in approach, moving away from selec

Microsoft's BitLocker Encryption Keys Shared with the FBI

Key Findings: The FBI obtained BitLocker encryption keys from Microsoft to access encrypted data on laptops seized during a fraud investigation in Guam. Microsoft provides these recovery keys to law enforcement when presented with a valid legal order, as the keys are often backed up to users' Microsoft accounts by default. This practice raises privacy concerns, as it allows authorities to bypass the encryption meant to protect users' data, even if the device owner has not know

Osiris Ransomware Evolves, Leveraging BYOVD to Disarm Security Tools

Key Findings: Symantec and VMware Carbon Black researchers have uncovered a new ransomware strain called Osiris, used in a November 2025 attack against a major Southeast Asian food service franchise operator. Osiris leverages the POORTRY driver in a bring-your-own-vulnerable-driver (BYOVD) attack to disable security software on targeted systems. The new ransomware has full-featured capabilities, including the ability to stop services and processes, select files and folders to

New DynoWiper Malware Targets Polish Power Sector in Sandworm Attack

Key Findings: The Russian nation-state hacking group known as Sandworm attempted a significant cyber attack targeting Poland's power sector in late December 2025. The attack involved the deployment of a previously undocumented wiper malware called DynoWiper. The attack was ultimately unsuccessful, with no evidence of successful disruption to Poland's energy infrastructure. This activity occurred on the 10th anniversary of Sandworm's 2015 attack against the Ukrainian power grid

CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog

CISA Updates KEV Catalog with Four Actively Exploited Software Vulnerabilities. Key Findings: CISA added four security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerabilities affect Synacor Zimbra Collaboration Suite, Versa Concerto SD-WAN orchestration platform, Vite Vitejs, and eslint-config-prettier npm package. CISA has ordered Federal Civilian Executive Branch (FCEB) agencies to apply th

Fortinet Warns of Active FortiCloud SSO Bypass Impacting Patched Devices

Key Findings: Fortinet confirmed attacks are bypassing FortiCloud SSO authentication, affecting even fully patched devices, similar to recent SSO flaws. Threat actors automate firewall changes, add users, enable VPNs, and steal configs, in campaigns resembling December 2025 exploits of critical FortiCloud SSO flaws. Arctic Wolf researchers reported a new automated attack cluster observed since January 15, 2026, targeting FortiGate devices. Attackers created generic accounts fo

Halo Security Achieves SOC 2 Type II Compliance, Demonstrating Sustained Security Excellence Over Time

Key Findings: Halo Security, a leading provider of external attack surface management and penetration testing services, has achieved SOC 2 Type II compliance after a multi-month audit by Insight Assurance. SOC 2 Type II certification validates that Halo Security's security controls not only are properly designed but also operate effectively and consistently over time. The extended audit period assessed Halo Security's operational effectiveness, consistency, continuous monitori

Critical Android Flaw Exploited in Public Proof-of-Concept

Key Findings: A public proof-of-concept (PoC) exploit has been released for a critical vulnerability in the Android operating system. The vulnerability allows malicious applications to escalate their privileges and gain access to sensitive permissions without the user's knowledge or consent. The vulnerability affects both the main Android OS and the WearOS platform, putting a wide range of Android devices at risk. The exploit has been confirmed to work on multiple Andro

Researchers find Jordan government used Cellebrite phone-cracking tech against activists

Background: Citizen Lab, a research organization at the University of Toronto, conducted an investigation into the use of Cellebrite phone-cracking technology by the Jordanian government against domestic activists and human rights defenders. The incidents occurred between late 2023 and mid-2025, during a time of protests in support of Palestinians. The cases involved a political activist, student organizer, activist/researcher, and human rights defender, three of whom had iPho

Voidlink Malware Raises High Alert for Cloud Systems with Custom-Built Attacks

VoidLink Malware Puts Cloud Systems on High Alert With Custom Built Attacks. Summary Key Points: VoidLink is a highly adaptable threat targeting cloud environments; discovered by Check Point Research in January 2026 and reported by Hackread.com; this Chinese-developed framework is designed to infiltrate critical business infrastructure. Background: VoidLink is a malware that has been putting cloud environments on high alert. It was first brought to light by Check Point Research on

Massive Exposure: CVSS 9.8 RCE Vulnerability Impacts Laravel Reverb

Key Findings: A critical Remote Code Execution (RCE) vulnerability with a CVSS score of 9.8 has been discovered in the Laravel Reverb framework. The vulnerability, which allows unauthenticated attackers to execute arbitrary code, affects an estimated 7 million websites and applications that use the Laravel Reverb framework. The vulnerability is caused by insecure deserialization of user-supplied data, which can lead to remote code execution. Successful exploitation of this vul

Automated FortiGate Attacks Exploit FortiCloud SSO to Alter Firewall Configurations

Key Findings: Arctic Wolf observed a new cluster of automated malicious activity targeting Fortinet FortiGate firewalls since January 15, 2026. The attacks involve the creation of generic user accounts for persistence, configuration changes granting VPN access to those accounts, and exfiltration of firewall configurations. This activity shares similarities with a December 2025 campaign that exploited critical Fortinet authentication bypass vulnerabilities (CVE-2025-59718 and C

Critical SmarterMail RCE Exploited in the Wild

Key Findings: Researchers at watchTowr Labs have discovered a critical vulnerability in SmarterMail, tracked as WT-2026-0001, that allows unauthenticated attackers to hijack administrative accounts and achieve full Remote Code Execution (RCE). The vulnerability lies within the force-reset-password API endpoint, which fails to implement proper security checks for system administrators. Attackers can simply send a JSON request with IsSysAdmin set to true, the target username, an

Cisco Fixes Actively Exploited Zero-Day in Unified Communications

Key Findings: Cisco patched a critical zero-day remote code execution (RCE) flaw, tracked as CVE-2026-20045 (CVSS score of 8.2), that is actively being exploited in attacks. The vulnerability allows an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. The bug affects Cisco Unified CM, Unified CM SME, IM & Presence, Unity Connection, and Webex Calling Dedicated Instance. Cisco is aware of attempted exploitat

New Research Reveals Alarming Findings: 64% of Third-Party Apps Access Sensitive Data Without Authorization

Key Findings: 64% of third-party applications access sensitive data without legitimate business justification, up from 51% last year, a 25% year-over-year spike. Malicious web activity across critical public-sector infrastructure surged dramatically, with government websites seeing a rise from 2% to 12.9%, and 1 in 7 Education websites now showing active compromise, quadrupling year-over-year. Widely used third-party tools like Google Tag Manager (8%), Shopify (5%), and Faceb

VoidLink: The AI-Powered Linux Malware Framework

Key Findings: VoidLink is a sophisticated Linux malware framework, built largely by a single developer with assistance from an artificial intelligence (AI) model. The malware reached over 88,000 lines of code in a short timeframe, showcasing the efficiency enabled by AI-driven development. Operational security failures by the developer exposed development artifacts, providing clear evidence that VoidLink was produced predominantly through AI-driven processes. VoidLink includes


© 2025 by Explain IT Again. Powered and secured by Wix
