ALL POSTS

Thousands of F5 BIG-IP APM Instances Remain Vulnerable to Active RCE Exploits

Key Findings
• Over 14,000 F5 BIG-IP APM instances remain exposed online with active exploitation of CVE-2025-53521
• Vulnerability reclassified from denial-of-service to critical remote code execution with CVSS score of 9.8
• Originally disclosed in October 2025, but severity assessment updated in March 2026 after new findings
• Shadowserver tracks over 17,100 total BIG-IP APM fingerprints exposed globally, concentrated in US, Europe, and Asia
• CISA added flaw to Known Exploited Vuln

BKA Unmasks REvil Ransomware Leaders Behind 130+ German Cyberattacks

Key Findings
• German Federal Criminal Police (BKA) identified two REvil ransomware operators responsible for over 130 attacks across Germany
• Daniil Maksimovich Shchukin (31), a Russian national operating under the alias UNKN, led the GandCrab/REvil groups from early 2019 through July 2021
• Anatoly Sergeevitsch Kravchuk (43), also Russian, served as the technical developer of REvil during the same period
• The two suspects orchestrated 25 attacks that resulted in €1.9 million in r

$285 Million Drift Hack: Inside the Six-Month North Korean Social Engineering Campaign

Key Findings
• North Korean state-sponsored hacking group UNC4736 orchestrated a six-month social engineering campaign against Drift, culminating in the theft of $285 million on April 1, 2026
• The operation began in fall 2025 with actors posing as a quantitative trading firm, using in-person meetings at cryptocurrency conferences across multiple countries to build trust with Drift contributors
• UNC4736 is also tracked as AppleJeus, Citrine Sleet, Golden Chollima, and Gleaming Pis

CISA Adds TrueConf Client Vulnerability to Known Exploited Vulnerabilities Catalog

Key Findings
• CISA added CVE-2026-3502, a flaw in TrueConf Client, to its Known Exploited Vulnerabilities catalog on April 2, 2026
• The vulnerability has a CVSS score of 7.8 and allows attackers to download and install malicious updates without integrity verification
• Threat actors are actively exploiting this flaw by compromising TrueConf servers and replacing legitimate update files with malicious payloads
• Check Point researchers attributed a wave of attacks called Operation T

Qilin Ransomware Group Claims Hack of German Political Party Die Linke

Key Findings
• Qilin ransomware group claims to have breached Die Linke, Germany's left-wing political party, and posted the claim on its Tor data leak site on April 1, 2026
• Die Linke discovered the attack on March 27 and confirmed the incident but has not verified whether data was actually stolen
• The party's membership database was not compromised and no member data was accessed
• Qilin has provided no proof of the breach despite making the claim
• Qilin is one of the most prolifi

36 Malicious npm Packages Deploy Redis and PostgreSQL Persistent Implants

Key Findings
• 36 malicious npm packages masquerading as Strapi CMS plugins uploaded by four sock puppet accounts over 13 hours
• Eight distinct payload variants reveal real-time attack development against a specific target
• Exploitation chain includes Redis RCE, PostgreSQL database theft, Docker container escape, and persistent C2 implants
• Packages target cryptocurrency platform infrastructure with hardcoded database credentials and wallet-specific data harvesting
• Postinstall scr

UNC1069 Targets Node.js Maintainers Through Fraudulent Social Media Profiles

Key Findings
• North Korean threat group UNC1069 is conducting coordinated social engineering campaigns against open source maintainers, particularly those managing Node.js and npm packages
• Attackers use fake LinkedIn profiles, Slack messages, and spoofed video conferencing platforms to build rapport over weeks before delivering remote access trojans
• Goal is to compromise maintainer credentials and gain write access to popular packages, allowing injection of malicious code into

North Korean Cyber Espionage Campaign Exploits GitHub to Target South Korean Enterprises

Key Findings
• North Korean state-sponsored hackers are running a sophisticated spying campaign against South Korean companies dating back to 2024
• Attackers use seemingly harmless LNK shortcut files that trigger hidden PowerShell scripts to steal system data from Windows machines
• GitHub repositories are being abused as command and control infrastructure to exfiltrate stolen information while bypassing corporate security systems
• The malware evades detection by checking for secur

Crunchyroll Data Breach Impacts Nearly 1.2 Million Accounts

Key Findings
• Crunchyroll experienced a data breach in March 2026 affecting approximately 6.8 million users
• Attackers gained unauthorized access to the company's Zendesk support system
• Exposed data included names, login credentials, email addresses, IP addresses, geographic location data, and support ticket contents
• A subset of 1.2 million email addresses from a larger 2 million record dataset was later provided to Have I Been Pwned
• 1,195,684 breached accounts were confirmed i

North Korean-Linked Hackers Drain $285M From Drift Protocol in Sophisticated Exploit

Key Findings
• Drift Protocol lost $285 million in a sophisticated attack attributed to North Korean-linked hackers on April 1, 2026
• Attackers used durable nonce accounts to pre-sign transactions and compromised multisig approvals to gain admin control
• The operation involved multi-week preparation with staged execution across multiple phases
• Stolen funds were rapidly drained from multiple vaults within seconds and laundered across wallets
• This marks the 18th confirmed North Kor

Drift's $285 Million Durable Nonce Hack: DPRK-Linked Social Engineering Attack Raises Questions About Protocol Security

Key Findings
• Drift Protocol, a Solana-based decentralized exchange, lost approximately $285 million on April 1, 2026 in a sophisticated social engineering attack
• Attackers exploited durable nonce mechanisms to obtain unauthorized multisig approvals and gain control of the Security Council administrative powers
• The attack involved multi-week preparation starting as early as March 23, 2026, with staged execution and pre-signed transactions
• Threat actors created a fictitious ass
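Both Drift write-ups turn on the same Solana mechanism: a transaction whose first instruction is the System Program's AdvanceNonceAccount uses a durable nonce in place of a recent blockhash, so it never expires and can be signed now and broadcast whenever the attacker chooses. The block below is an added example, not Drift's or Solana Labs' code: a signer-side guard that recognises such a transaction in both the `jsonParsed` and raw `json` RPC encodings and holds it for review. The message shapes follow Solana's RPC encodings as I know them, the instruction index 4 for AdvanceNonceAccount is my recollection of the System Program layout, and every pubkey is made up.

```javascript
// Added example, not Drift's or Solana Labs' code: a signer-side guard that
// flags a transaction built on a durable nonce before anyone approves it. In a
// durable-nonce transaction the "recentBlockhash" field holds the nonce value
// instead of a real blockhash, so the transaction never expires and a
// pre-signed copy can be held for weeks. Assumptions: the message shape follows
// Solana RPC "jsonParsed"/"json" encodings as I know them, the System Program
// instruction index for AdvanceNonceAccount is 4, and all pubkeys below are
// made up.
const SYSTEM_PROGRAM = '11111111111111111111111111111111';
const ADVANCE_NONCE_ACCOUNT = 4;

// Solana only treats a transaction as durable-nonce when AdvanceNonceAccount
// is the FIRST instruction, so only instructions[0] is inspected.
function isDurableNonceMessage(message) {
  const ix = Array.isArray(message.instructions) ? message.instructions[0] : undefined;
  if (!ix) return false;
  if (ix.parsed) { // jsonParsed encoding
    return ix.program === 'system' && ix.parsed.type === 'advanceNonce';
  }
  // "json" encoding: programId plus instruction data. The RPC returns data as
  // base58; here it is assumed already decoded to a byte array.
  if (ix.programId !== SYSTEM_PROGRAM || !ix.data) return false;
  const data = Buffer.from(ix.data);
  return data.length >= 4 && data.readUInt32LE(0) === ADVANCE_NONCE_ACCOUNT;
}

// Review policy: hold durable-nonce proposals and surface the nonce authority
// so reviewers can confirm it is an account the organisation controls.
function reviewProposal(message) {
  const durable = isDurableNonceMessage(message);
  const first = message.instructions[0];
  const nonceAuthority = durable && first.parsed ? first.parsed.info.nonceAuthority : null;
  return {
    durable,
    nonceAuthority,
    decision: durable ? 'hold: can be pre-signed and broadcast any time later' : 'normal review',
  };
}

const tokenTransfer = {
  program: 'spl-token', programId: 'TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA',
  parsed: { type: 'transfer', info: { source: 'ConstructedSrc', destination: 'ConstructedDst', amount: '1000' } },
};
const advanceNonce = {
  program: 'system', programId: SYSTEM_PROGRAM,
  parsed: { type: 'advanceNonce', info: { nonceAccount: 'ConstructedNonceAccount',
    nonceAuthority: 'ConstructedAuthorityPubkey',
    recentBlockhashesSysvar: 'SysvarRecentB1ockHashes11111111111111111111' } },
};

// Constructed messages (none are real Drift transactions).
const durableParsed = { recentBlockhash: 'ConstructedNonceValue', instructions: [advanceNonce, tokenTransfer] };
const durableRaw = { recentBlockhash: 'ConstructedNonceValue',
  instructions: [{ programId: SYSTEM_PROGRAM, accounts: [0, 1, 2], data: [4, 0, 0, 0] }, tokenTransfer] };
const ordinary = { recentBlockhash: 'ConstructedRealBlockhash', instructions: [tokenTransfer] };
// Advance in second position: a valid transaction, but NOT durable-nonce semantics.
const nonceNotFirst = { recentBlockhash: 'ConstructedRealBlockhash', instructions: [tokenTransfer, advanceNonce] };

for (const [name, msg] of Object.entries({ durableParsed, durableRaw, ordinary, nonceNotFirst })) {
  console.log(name.padEnd(14), reviewProposal(msg));
}
```

The point of the hold is time: an ordinary transaction dies with its blockhash within minutes, so a signature obtained by social engineering is worthless unless broadcast immediately; a durable-nonce signature stays valid until the nonce is advanced, which is what makes multi-week staging possible.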

Massive CVE-2025-55182 Exploit Campaign Compromises 766 Next.js Servers in Credential Theft Attack

Key Findings
• At least 766 Next.js hosts across multiple geographic regions and cloud providers compromised through CVE-2025-55182 exploitation
• Threat cluster UAT-10608 attributed to the campaign by Cisco Talos
• Critical vulnerability (CVSS 10.0) in React Server Components and Next.js App Router enables remote code execution
• NEXUS Listener framework deployed post-compromise to harvest and exfiltrate credentials via web-based GUI
• Stolen data includes database credentials, SSH ke

ShinyHunters Claims Theft of 3M+ Cisco Records in Latest Breach Threat

Key Findings
• ShinyHunters has issued a final warning to Cisco with an April 3, 2026 deadline before publicly leaking over 3 million alleged stolen records
• The group claims access through three separate breach paths: UNC6040, Salesforce Aura, and compromised AWS accounts
• Stolen data includes personally identifiable information, GitHub repositories, AWS storage buckets, and internal corporate data
• Screenshots provided by the group show access to AWS organizational dashboards an

Apple Expands iOS 18 Updates Across Multiple Devices to Block Critical DarkSword Exploit

Key Findings
• Apple expanded iOS 18.7.7 availability on April 1, 2026 to protect users from the DarkSword exploit kit, which targets iOS versions 18.4 through 18.7
• The update now covers iPhone XR through iPhone 16e and multiple iPad models, allowing users to patch vulnerabilities without upgrading to iOS 26
• DarkSword spreads through watering hole attacks on compromised legitimate websites and can deploy backdoors and data miners for persistent access
• Approximately 20% of users

WhatsApp Warns 200 Users of Fake iOS App with Government Spyware Linked to Italian Vendor

Key Findings
• WhatsApp alerted approximately 200 users, primarily in Italy, who were tricked into installing a counterfeit iOS app containing spyware
• The fake app was created by Asigint, an Italian subsidiary of spyware company SIO Spa
• All affected users have been logged out and advised to uninstall the malicious app and download the official version
• WhatsApp is pursuing legal action against Asigint to stop further malicious activity
• The attack relied on social engineering tac

Microsoft Warns of WhatsApp-Delivered VBS Malware with Windows UAC Bypass Vulnerability

Key Findings
• New malware campaign since late February 2026 distributes malicious VBS files through WhatsApp messages
• Attack chain uses renamed Windows utilities and legitimate cloud services to evade detection
• Malware exploits UAC bypass techniques to gain elevated privileges and install remote access tools like AnyDesk
• Campaign combines social engineering, living-off-the-land tactics, and registry manipulation for persistence

Background
Microsoft's Defender Security Research

Google Patches Fourth Actively Exploited Chrome Zero-Day Vulnerability in 2026

Key Findings
• Google patched CVE-2026-5281, a use-after-free vulnerability in the WebGPU Dawn component that is actively being exploited
• This marks the fourth Chrome zero-day under active exploitation in 2026
• Users are urged to update immediately to Chrome 146.0.7680.177/178 (Windows/macOS) or 146.0.7680.177 (Linux)
• The vulnerability affects graphics processing capabilities and could allow attackers to execute malicious code or crash the browser
• Google withheld technical explo

Anthropic Leaks 512,000 Lines of Claude Source Code in Security Blunder

Key Findings
• Anthropic leaked approximately 512,000 lines of Claude Code source code through a misconfigured npm source map file on March 31, 2026
• The leak was discovered within hours by an intern at Solayer Labs and rapidly mirrored across the internet
• Claude Code generates $2.5 billion annually, representing a significant portion of Anthropic's $19 billion total revenue
• The exposed code reveals proprietary solutions including a three-layer memory system designed to prevent

Google Attributes Axios npm Supply Chain Attack to North Korean APT UNC1069

Key Findings
• Google Threat Intelligence Group attributed the Axios npm supply chain attack to UNC1069, a financially motivated North Korean threat group active since at least 2018
• Attackers compromised maintainer Jason Saayman's npm account and published two malicious Axios versions (1.14.1 and 0.30.4) within an hour
• The attack injected a malicious dependency called "plain-crypto-js" that deployed a cross-platform remote access trojan targeting Windows, macOS, and Linux
• Given
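The Axios compromise above and the 36 Strapi-plugin lookalikes earlier on this page are both visible from a lockfile: the former as two specific versions and an injected dependency name, the latter through the install-time script hook that runs on `npm install`. The block below is an added example, not Google's, Axios's or npm's code: an offline audit of a `package-lock.json` in the lockfile v2/v3 layout (every installed package listed under `packages`, keyed by its `node_modules` path, with `hasInstallScript` set when the package declares preinstall/install/postinstall). Only the identifiers the teasers give are used as known-bad values; the lockfile itself is constructed.

```javascript
// Added example, not Google's, Axios's or npm's code: an offline audit of a
// package-lock.json (lockfile v2/v3 layout) for (a) the two Axios versions the
// teaser names, (b) the injected "plain-crypto-js" dependency and (c) any
// package that declares an install-time script, the hook the Strapi-plugin
// lookalikes relied on. The lockfile below is constructed.
const KNOWN_BAD = { axios: new Set(['1.14.1', '0.30.4']) };
const INJECTED_DEP = 'plain-crypto-js';

// "node_modules/@scope/name" or "node_modules/a/node_modules/b" -> package name
function pkgNameFromKey(key) {
  const marker = 'node_modules/';
  const i = key.lastIndexOf(marker);
  return i === -1 ? key : key.slice(i + marker.length);
}

function auditLockfile(lock) {
  if (!lock.packages) throw new Error('expected lockfileVersion 2 or 3 ("packages" map)');
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages)) {
    if (key === '') continue; // root project entry
    const name = pkgNameFromKey(key);
    if (KNOWN_BAD[name] && KNOWN_BAD[name].has(meta.version)) {
      findings.push({ severity: 'critical', name, version: meta.version, why: 'known-malicious version' });
    }
    if (name === INJECTED_DEP) {
      findings.push({ severity: 'critical', name, version: meta.version, why: 'injected dependency present' });
    }
    if (Object.keys(meta.dependencies || {}).includes(INJECTED_DEP)) {
      findings.push({ severity: 'high', name, version: meta.version, why: `depends on ${INJECTED_DEP}` });
    }
    if (meta.hasInstallScript) {
      findings.push({ severity: 'review', name, version: meta.version, why: 'runs preinstall/install/postinstall' });
    }
  }
  return findings;
}

// Constructed lockfile: a project that pulled the bad axios release, plus one
// legitimate native package (esbuild) that also has an install script, to show
// that (c) is a review queue rather than a verdict.
const sampleLock = {
  name: 'sample-app', lockfileVersion: 3, requires: true,
  packages: {
    '': { name: 'sample-app', version: '1.0.0', dependencies: { axios: '^1.14.0', 'left-pad': '^1.3.0' } },
    'node_modules/axios': { version: '1.14.1',
      dependencies: { 'follow-redirects': '^1.15.6', 'plain-crypto-js': '^1.0.0' } },
    'node_modules/plain-crypto-js': { version: '1.0.0', hasInstallScript: true },
    'node_modules/follow-redirects': { version: '1.15.6' },
    'node_modules/left-pad': { version: '1.3.0' },
    'node_modules/esbuild': { version: '0.21.5', hasInstallScript: true, dev: true },
  },
};

console.log(auditLockfile(sampleLock));
```

To run this against a real tree without executing anything first, install with `npm ci --ignore-scripts`, audit the lockfile, and only then decide which install scripts to allow.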

Claude Source Code Accidentally Leaked Through NPM Package Error

Key Findings
• Anthropic confirmed Claude Code source code was accidentally exposed via npm package version 2.1.88 due to human error in packaging, not a security breach
• Nearly 2,000 TypeScript files and over 512,000 lines of code were leaked through a source map file and quickly spread across public repositories
• The leaked codebase revealed advanced features including KAIROS autonomous daemon mode, self-healing memory architecture, Undercover Mode for stealth contributions, an

© 2025 by Explain IT Again.