n8n Webhooks Exploited Since October 2025 in Malware Distribution Campaign
Key Findings: Threat actors have weaponized n8n webhooks since October 2025 to deliver malware and fingerprint devices through phishing campaigns. Malicious emails containing n8n webhook URLs appear legitimate because they originate from trusted n8n domains. Email volume containing these URLs increased 686% from January 2025 to March 2026. Two primary attack methods observed: malware delivery via fake document links and device fingerprinting using invisible tracking pixels. Attack
1 day ago · 2 min read
ShinyHunters Claims Responsibility for Rockstar Games Breach, Begins Data Leaks
Key Findings: ShinyHunters claims to have breached Rockstar Games through third-party cloud provider Anodot, accessing 8.1GB of data. Leaked files include anti-cheat source code, player analytics, game assets, support tickets, and financial information. Group set April 14, 2026 deadline for ransom payment, threatening data release and "digital disruption". Rockstar minimized impact, stating only non-material corporate information was accessed with no effect on operations or playe
2 days ago · 3 min read
Booking.com Data Breach: Hackers Accessed Customer Information, Systems Now Secured
Key Findings: Booking.com confirmed a targeted data breach affecting reservation records. Exposed data includes names, email addresses, phone numbers, postal addresses, and booking details. Payment information was not accessed. Company has not disclosed the number of affected users or attack methodology. Reservation PIN codes have been reset as a precaution. Over 100 million users accessed the mobile app in 2024, amplifying breach severity. Attackers can now leverage booking data to
3 days ago · 2 min read
Attackers Exploiting Unpatched ShowDoc Servers Via CVE-2025-0520
Key Findings: Critical remote code execution vulnerability CVE-2025-0520 in ShowDoc is under active exploitation in the wild with a CVSS score of 9.4. Unrestricted file upload flaw allows unauthenticated attackers to deploy web shells and execute arbitrary code on vulnerable servers. Vulnerability affects all ShowDoc versions prior to 2.8.7, which was released in October 2020. Over 2,000 exposed ShowDoc instances remain online, with the majority located in China. Threat actors hav
3 days ago · 2 min read
CPUID Website Breach Deploys STX RAT Through Compromised CPU-Z and HWMonitor Downloads
Key Findings: CPUID's website was compromised for approximately 24 hours (April 9-10, 2026) to distribute trojanized CPU-Z and HWMonitor installers containing STX RAT malware. Threat actors manipulated a secondary API to redirect download links to malicious websites hosting infected executables. The malware used DLL sideloading with a file named CRYPTBASE.dll to execute payloads while evading detection. Over 150 victims identified across individuals and organizations in retail, m
5 days ago · 3 min read
Iranian APT Attacks Target Thousands of Exposed US Industrial Devices
Key Findings: Censys identified 5,219 internet-exposed Rockwell Automation PLCs globally, with 74.6% located in the United States. Iranian-linked APT groups have been actively targeting these devices since March 2026, causing operational disruptions and financial losses. Approximately 3,891 exposed U.S. devices are concentrated on cellular networks, indicating field-deployed infrastructure at utilities and substations. Most vulnerable devices run outdated firmware from the MicroL
5 days ago · 2 min read
Lazarus Hackers Use Real US LLCs to Distribute Malware in GraphAlgo Scam
Key Findings: North Korea-linked Lazarus Group registered legitimate US LLC to distribute malware targeting blockchain developers. Hackers created fake company "Blocmerce" in Florida with fabricated CEO and official state filings using real residential addresses. GraphAlgo campaign evolved from npm package distribution to hiding malware in GitHub release artifacts. Remote Access Trojan (RAT) deployed after developers run test tasks, giving attackers full machine control. Campaign
6 days ago · 2 min read
Adobe Reader Zero-Day Under Active Exploitation: Malicious PDFs Weaponized in the Wild
Key Findings: Threat actors have been actively exploiting a previously unknown zero-day vulnerability in Adobe Reader since at least November 2025. Malicious PDF documents named with invoice-themed filenames use Russian language lures related to oil and gas industry issues to trick victims into opening them. The exploit automatically executes obfuscated JavaScript upon opening to harvest sensitive data and receive additional malicious payloads. The vulnerability allows execution
Apr 9 · 2 min read
Thousands of F5 BIG-IP APM Instances Remain Vulnerable to Active RCE Exploits
Key Findings: Over 14,000 F5 BIG-IP APM instances remain exposed online with active exploitation of CVE-2025-53521. Vulnerability reclassified from denial-of-service to critical remote code execution with CVSS score of 9.8. Originally disclosed in October 2025, but severity assessment updated in March 2026 after new findings. Shadowserver tracks over 17,100 total BIG-IP APM fingerprints exposed globally, concentrated in US, Europe, and Asia. CISA added flaw to Known Exploited Vuln
Apr 6 · 2 min read
Crunchyroll Data Breach Impacts Nearly 1.2 Million Accounts
Key Findings: Crunchyroll experienced a data breach in March 2026 affecting approximately 6.8 million users. Attackers gained unauthorized access to the company's Zendesk support system. Exposed data included names, login credentials, email addresses, IP addresses, geographic location data, and support ticket contents. A subset of 1.2 million email addresses from a larger 2 million record dataset was later provided to Have I Been Pwned. 1,195,684 breached accounts were confirmed i
Apr 4 · 2 min read
ShinyHunters Claims Theft of 3M+ Cisco Records in Latest Breach Threat
Key Findings: ShinyHunters has issued a final warning to Cisco with an April 3, 2026 deadline before publicly leaking over 3 million alleged stolen records. The group claims access through three separate breach paths: UNC6040, Salesforce Aura, and compromised AWS accounts. Stolen data includes personally identifiable information, GitHub repositories, AWS storage buckets, and internal corporate data. Screenshots provided by the group show access to AWS organizational dashboards an
Apr 2 · 2 min read
Anthropic Leaks 512,000 Lines of Claude Source Code in Security Blunder
Key Findings: Anthropic leaked approximately 512,000 lines of Claude Code source code through a misconfigured npm source map file on March 31, 2026. The leak was discovered within hours by an intern at Solayer Labs and rapidly mirrored across the internet. Claude Code generates $2.5 billion annually, representing a significant portion of Anthropic's $19 billion total revenue. The exposed code reveals proprietary solutions including a three-layer memory system designed to prevent
Apr 1 · 3 min read
Google Attributes Axios npm Supply Chain Attack to North Korean APT UNC1069
Key Findings: Google Threat Intelligence Group attributed the Axios npm supply chain attack to UNC1069, a financially motivated North Korean threat group active since at least 2018. Attackers compromised maintainer Jason Saayman's npm account and published two malicious Axios versions (1.14.1 and 0.30.4) within an hour. The attack injected a malicious dependency called "plain-crypto-js" that deployed a cross-platform remote access trojan targeting Windows, macOS, and Linux. Given
Apr 1 · 3 min read
TrueConf Zero-Day Vulnerability Exploited in Targeted Attacks Against Southeast Asian Government Infrastructure
Key Findings: High-severity zero-day vulnerability CVE-2026-3502 (CVSS 7.8) in TrueConf video conferencing software exploited against Southeast Asian government networks in campaign dubbed TrueChaos. Flaw allows attackers controlling on-premises TrueConf servers to distribute tampered updates and execute arbitrary code on all connected endpoints. Patched in TrueConf Windows client version 8.5.3 released earlier this month. Campaign attributed with moderate confidence to Chinese-n
Mar 31 · 2 min read
Lloyds Group to Compensate 450,000 Customers Following Data App Glitch
Key Findings: Software defect during routine overnight app update on 12 March exposed financial data for 447,936 customers across Lloyds, Halifax, and Bank of Scotland. Privacy barriers between accounts failed for several hours, allowing customers to see strangers' transactions or have their own data exposed. Over 114,000 users clicked on rogue transactions and may have viewed sensitive information including National Insurance numbers, payment references, and account details. Dat
Mar 29 · 3 min read
European Commission Data Breach: ShinyHunters Claims 350GB Hack of AWS Cloud Infrastructure
Key Findings: ShinyHunters claims to have breached European Commission systems and stolen over 350GB of data. Alleged data includes mail server dumps, databases, confidential documents, and contracts. The European Commission confirmed detecting a cyberattack on March 24 affecting cloud infrastructure hosting Europa.eu websites. Internal systems were not compromised according to the Commission's investigation. AWS denies any security incident occurred within its cloud environment. N
Mar 28 · 3 min read
Triangulation Operation: the framework known as Coruna
Key Findings: Coruna iOS exploit kit uses an updated version of the kernel exploit from Operation Triangulation, a sophisticated 2023 iOS APT campaign. The exploit kit includes five full exploit chains and 23 total exploits, targeting iOS 13.0 through 17.2.1. Coruna contains four additional kernel exploits not seen in Triangulation, two developed after the original campaign's discovery. Code analysis reveals Coruna was designed with unified architecture rather than patchworked co
Mar 26 · 4 min read
AI-Powered Phishing Campaign Breaches Hundreds of Organizations Worldwide
Key Findings: Hundreds of organizations compromised through AI-generated phishing campaign leveraging Railway cloud platform. Attackers achieved massive scale increase starting March 3, with 50+ new compromises daily as of late March. Campaign exploits Microsoft device authentication flow, granting 90-day OAuth tokens without passwords or MFA. Affected sectors include construction, law, nonprofits, real estate, manufacturing, finance, healthcare, and government. Huntress identifie
Mar 24 · 3 min read
Russian Intelligence Suspected in WhatsApp and Signal Phishing Campaign Targeting Mass Users
Key Findings: Russian Intelligence Services-linked actors are conducting phishing campaigns targeting Signal and WhatsApp accounts of high-value targets including U.S. government officials, military personnel, politicians, and journalists. Thousands of accounts have already been compromised worldwide through these operations. Attackers bypass encryption by hijacking accounts rather than breaking encryption itself, using phishing to trick users into sharing verification codes or
Mar 22 · 3 min read
Trivy Security Scanner GitHub Actions Breach: 75 Tags Hijacked for CI/CD Secret Theft
Key Findings: * Trivy GitHub Actions repositories compromised for second time in a month * 75 out of 76 version tags force-pushed with malicious payload * Attacker aims to steal CI/CD secrets including cloud credentials, cryptocurrency wallets * Likely perpetrated by TeamPCP threat actor group * Compromise stems from incomplete mitigation of previous security incident. Background: The Trivy vulnerability scanner, maintained by Aqua Security, has experienced a significant securit
Mar 20 · 2 min read