ALL POSTS

Hacker Leveraged Claude and GPT-4.1 AI to Steal Hundreds of Millions of Mexican Records

Key Findings
  • A single hacker compromised nine Mexican government agencies between December 2025 and February 2026 using Claude Code and GPT-4.1
  • The attacker generated 5,317 AI-executed commands across 34 sessions, with Claude Code running approximately 75% of remote commands to government systems
  • Over 305 million citizen records were exfiltrated, including 195 million taxpayer records, 220 million civil records, and sensitive health and domestic violence victim data
  • The hacke

Adobe Releases Critical Security Patch for Actively Exploited Acrobat Reader Vulnerability CVE-2026-34621

Key Findings
  • Adobe released emergency patches for CVE-2026-34621, a critical vulnerability in Acrobat Reader actively exploited in the wild
  • The flaw has a CVSS score of 8.6 and allows arbitrary code execution through prototype pollution in JavaScript
  • Evidence suggests exploitation has been occurring since at least December 2025
  • Security researcher Haifei Li discovered the vulnerability being used to deliver malicious JavaScript via crafted PDFs
  • Affected versions include Acrob

Chrome's Latest Update: A Major Blow to Infostealer Cookie Theft Operations

Key Findings
  • Google has rolled out Device Bound Session Credentials (DBSC) in Chrome 146 for Windows to prevent hackers from using stolen session cookies to access user accounts
  • The system binds login sessions to a device's hardware security chip, making exfiltrated cookies unusable on other machines
  • Early testing shows a measurable drop in successful infostealer attacks through Origin Trials with partners like Okta
  • Over 30 million computers were infected with infostealer mal

CPUID Website Breach Deploys STX RAT Through Compromised CPU-Z and HWMonitor Downloads

Key Findings
  • CPUID's website was compromised for approximately 24 hours (April 9-10, 2026) to distribute trojanized CPU-Z and HWMonitor installers containing STX RAT malware
  • Threat actors manipulated a secondary API to redirect download links to malicious websites hosting infected executables
  • The malware used DLL sideloading with a file named CRYPTBASE.dll to execute payloads while evading detection
  • Over 150 victims identified across individuals and organizations in retail, m

Iranian APT Attacks Target Thousands of Exposed US Industrial Devices

Key Findings
  • Censys identified 5,219 internet-exposed Rockwell Automation PLCs globally, with 74.6% located in the United States
  • Iranian-linked APT groups have been actively targeting these devices since March 2026, causing operational disruptions and financial losses
  • Approximately 3,891 exposed U.S. devices are concentrated on cellular networks, indicating field-deployed infrastructure at utilities and substations
  • Most vulnerable devices run outdated firmware from the MicroL

Law Enforcement's Mass Surveillance Through Ad Data: The Webloc Tracking of 500 Million Devices

Key Findings
  • Webloc, an ad-based geolocation surveillance system, tracks up to 500 million mobile devices globally without warrant requirements
  • Law enforcement agencies in the U.S., Hungary, and El Salvador have deployed the tool, including ICE, DHS, and local police departments across multiple cities
  • The system accesses device identifiers, location coordinates, and personal data harvested from mobile apps and digital advertising networks
  • Israeli company Cobwebs Technologies

FBI's iPhone Notification Loophole: How Deleted Signal Messages Aren't Really Deleted

Key Findings
  • FBI successfully recovered deleted Signal messages from an iPhone using Apple's notification database
  • Messages were extracted even after the Signal app was completely uninstalled from the device
  • Only incoming messages could be recovered, not outgoing ones, confirming data came from notification storage
  • The vulnerability affects any messaging app that displays preview notifications, including WhatsApp and Telegram
  • Users can disable message previews in iPhone and a

Lazarus Hackers Use Real US LLCs to Distribute Malware in GraphAlgo Scam

Key Findings
  • North Korea-linked Lazarus Group registered legitimate US LLC to distribute malware targeting blockchain developers
  • Hackers created fake company "Blocmerce" in Florida with fabricated CEO and official state filings using real residential addresses
  • GraphAlgo campaign evolved from npm package distribution to hiding malware in GitHub release artifacts
  • Remote Access Trojan (RAT) deployed after developers run test tasks, giving attackers full machine control
  • Campaign

GlassWorm Campaign: Zig Dropper Targeting Developer IDEs

Key Findings
  • GlassWorm campaign discovered using Zig-compiled dropper to infect multiple IDEs on developer machines
  • Malicious VS Code extension "specstudio.code-wakatime-activity-tracker" masquerades as legitimate WakaTime tool
  • Native binary executes outside JavaScript sandbox with full OS-level access to find and compromise all IDE installations
  • Second-stage extension deploys information-stealing malware, avoids execution on Russian systems, and uses Solana blockchain for C2

Marimo RCE Vulnerability CVE-2026-39987 Under Active Exploitation Since Disclosure

Key Findings
  • Critical RCE vulnerability CVE-2026-39987 in Marimo (CVSS 9.3) exploited within 9 hours 41 minutes of disclosure
  • Unauthenticated attackers can obtain full interactive shell access on exposed instances through /terminal/ws WebSocket endpoint
  • Affects all Marimo versions up to 0.20.4; patched in version 0.23.0
  • Unknown threat actor built working exploit from advisory alone, with no public PoC available
  • Attacker conducted credential theft operation and reconnaissance,

UAT-10362 LucidRook Campaigns Target Taiwan-Based Institutions and NGOs Through Spear-Phishing

Key Findings
  • UAT-10362, a sophisticated threat actor, conducted targeted spear-phishing campaigns against Taiwanese NGOs and universities starting in October 2025
  • LucidRook, a Lua-based malware stager, was delivered through password-protected RAR and 7-Zip archives with decryption passwords included in phishing emails
  • Two distinct infection chains were identified: one using Windows Shortcut files and another using .NET executables masquerading as antivirus software
  • Both chain

EngageLab SDK Vulnerability Compromises Private Data Across 50M Android Devices and Crypto Wallets

Key Findings
  • Critical flaw in EngageLab SDK affected up to 50 million Android devices, including over 30 million crypto wallet installations
  • Intent redirection vulnerability allowed malicious apps to bypass Android sandbox protections and access private data
  • EngageLab released patch in version 5.2.1 on November 3, 2025, after Microsoft's coordinated disclosure in April 2025
  • No active exploitation confirmed in the wild
  • Vulnerable apps were removed from Google Play Store follow

Adobe Reader Zero-Day Under Active Exploitation: Malicious PDFs Weaponized in the Wild

Key Findings
  • Threat actors have been actively exploiting a previously unknown zero-day vulnerability in Adobe Reader since at least November 2025
  • Malicious PDF documents named with invoice-themed filenames use Russian language lures related to oil and gas industry issues to trick victims into opening them
  • The exploit automatically executes obfuscated JavaScript upon opening to harvest sensitive data and receive additional malicious payloads
  • The vulnerability allows execution

Hack-for-Hire Spyware Campaign Targets Journalists Across MENA Region

Key Findings
  • A coordinated hack-for-hire campaign targeting journalists and activists across the Middle East and North Africa has been active since at least 2022, with operations continuing into 2025
  • The campaign is attributed to Bitter, a threat actor with suspected ties to the Indian government, operating as a likely contracted espionage service
  • Two Egyptian journalists and critics of their government, Mostafa Al-A'sar and Ahmed Eltantawy, were targeted with sophisticated s

North Korean-Linked Hackers Distribute 1,700 Malicious Packages Across Multiple Package Repositories

  • North Korean-linked threat actor "Contagious Interview" has distributed over 1,700 malicious packages across npm, PyPI, Go, Rust, and Packagist ecosystems since January 2025
  • Malicious code is hidden within legitimate-looking functions and only executes at runtime, not during installation, making detection harder
  • Packages function as malware loaders delivering second-stage payloads with infostealer, RAT, and post-compromise capabilities including keylogging and remote access
  • C

Iran-Linked Cyber Actors Escalate Attacks on US Critical Infrastructure Through PLC Exploitation

Key Findings
  • Iran-affiliated cyber actors are actively targeting internet-exposed programmable logic controllers (PLCs) across U.S. critical infrastructure sectors including government, water systems, and energy
  • Attacks have caused diminished PLC functionality, manipulated display data, operational disruption, and financial losses
  • Threat actors are exploiting Rockwell Automation and Allen-Bradley PLCs, specifically CompactLogix and Micro850 devices
  • Initial access is gained th

Feds dismantle Russia-backed espionage network operating across 18,000 devices

Key Findings
  • Russian GRU-attributed threat group Forest Blizzard compromised over 18,000 routers across 120+ countries for large-scale espionage before being neutralized
  • Attackers exploited known vulnerabilities in TP-Link and MikroTik routers to hijack DNS settings and steal credentials via man-in-the-middle attacks
  • Campaign impacted more than 200 organizations and at least 5,000 consumer devices globally, including government agencies and critical infrastructure sectors
  • FBI

Flowise AI Agent Builder Faces Critical CVSS 10.0 RCE Vulnerability With 12,000+ Exposed Instances Under Active Exploitation

Key Findings
  • CVE-2025-59528, a maximum-severity code injection vulnerability (CVSS 10.0), is being actively exploited against Flowise, an open-source AI platform
  • The flaw allows remote code execution with only an API token required for exploitation
  • Over 12,000 Flowise instances are exposed and vulnerable to attack
  • Exploitation activity has been confirmed originating from a single Starlink IP address
  • The vulnerability was patched in version 3.0.6 but remains unpatched on thous

Fast-moving Storm-1175 exploits new vulnerabilities to breach networks and deploy Medusa

Key Findings
  • China-based Storm-1175 executes rapid ransomware attacks, sometimes completing full intrusions within 24 hours
  • The group exploits newly disclosed vulnerabilities before organizations can patch them, leveraging over 16 different flaws since 2023
  • Primary targets include healthcare, education, finance, and services sectors across the US, UK, and Australia
  • Storm-1175 has weaponized zero-day exploits before public disclosure, demonstrating advanced capabilities
  • The gr

GPUBreach: New GPU Rowhammer Attack Achieves Full System Compromise Through GDDR6 Bit-Flips

Key Findings
  • New RowHammer attack called GPUBreach exploits GDDR6 memory bit-flips in NVIDIA GPUs to achieve full CPU privilege escalation and system compromise
  • Attack corrupts GPU page tables to grant arbitrary GPU memory read/write access to unprivileged processes
  • Uniquely bypasses IOMMU protections without requiring them to be disabled, unlike competing attacks
  • Researchers demonstrated the exploit on NVIDIA RTX A6000 GPU, spawning a root shell on the host system
  • Current mi

© 2025 by Explain IT Again