top of page
ALL POSTS
Critical cPanel Vulnerability Actively Exploited Against Government and MSP Infrastructure
Key Findings Unknown threat actor exploiting CVE-2026-41940, a critical authentication bypass vulnerability in cPanel and WHM, targeting government and military entities in Southeast Asia Attack infrastructure originating from IP address 95.111.250[.]175, primarily focusing on Philippines and Laos government and military domains Concurrent targeting of MSPs and hosting providers across Philippines, Laos, Canada, South Africa, and the United States using publicly available pro
May 43 min read
Trellix Confirms Source Code Breach Following Unauthorized Repository Access
Key Findings Trellix discovered unauthorized access to a portion of its source code repository Company engaged forensic experts and notified law enforcement immediately upon discovery No evidence found that source code was altered, exploited, or used in malicious distribution Identity of attackers and duration of access remain unknown Exact nature of accessed data has not been disclosed Investigation ongoing with additional details expected upon completion Background Trellix
May 22 min read
CVE-2026-3854: Critical GitHub Remote Code Execution Vulnerability Discovered
Key Findings Critical vulnerability CVE-2026-3854 allows remote code execution on GitHub through a single git push command Affects GitHub Enterprise Cloud, GitHub Enterprise Server, and related variants Command injection flaw exploitable by any user with repository push access Vulnerability chain enables attackers to bypass sandbox protections and execute arbitrary commands as the git service user Wiz researchers discovered the flaw on March 4, 2026; GitHub patched within two
Apr 282 min read
GitHub CVE-2026-3854: Critical RCE Vulnerability Triggered by Single Git Push
Key Findings Critical command injection vulnerability (CVE-2026-3854, CVSS 8.7) allows authenticated users to achieve remote code execution via a single git push command Affects GitHub.com, GitHub Enterprise Cloud, and GitHub Enterprise Server across multiple versions Flaw stems from unsanitized user-supplied git push options being embedded in internal service headers without proper delimiter handling Exploitation chain allows attackers to bypass sandbox protections, redirect
Apr 283 min read
ADT – 5,488,888 Accounts Breached
Key Findings ShinyHunters conducted two major "pay or leak" extortion campaigns in April 2026 targeting ADT and Udemy ADT breach exposed 5.5 million unique email addresses plus names, phone numbers, and physical addresses Small percentage of ADT records also contained dates of birth and last four digits of Social Security numbers or Tax IDs Udemy breach exposed 1.4 million unique email addresses belonging to customers and instructors Udemy data included names, addresses, phon
Apr 272 min read
SystemBC C2 Infrastructure Exposes Over 1,570 Victims Connected to The Gentlemen Ransomware Campaign
Key Findings A compromised SystemBC C2 server linked to The Gentlemen ransomware operation revealed over 1,570 infected corporate networks globally The Gentlemen has claimed more than 320 victims since emerging in July 2025, establishing itself as one of the most prolific ransomware groups The group targets Windows, Linux, NAS, and BSD systems using Go-based encryption and demonstrates sophisticated defense evasion tactics SystemBC establishes SOCKS5 tunnels using custom RC4-
Apr 212 min read
Vercel Breach Linked to Context AI Hack Exposes Limited Customer Credentials
Key Findings Vercel suffered a breach stemming from the compromise of Context.ai, a third-party AI tool used by an employee Attackers used the compromised account to access internal Vercel systems and non-sensitive environment variables Sensitive environment variables stored in encrypted format show no evidence of unauthorized access A limited subset of customers had credentials compromised and have been notified Threat actor ShinyHunters claimed responsibility and is alleged
Apr 202 min read
ShowDoc Vulnerability From 2020 Patch Now Exploited in Active Server Takeovers
Key Findings Five-year-old ShowDoc vulnerability (CVE-2025-0520) is being actively exploited in global server attacks CVSS score of 9.4 indicates critical severity allowing remote code execution and full server takeover Unrestricted file upload flaw enables attackers to bypass authentication and deploy web shells without credentials Over 2,000 ShowDoc instances remain exposed online, primarily in China, many running unpatched versions US-based security canary confirmed active
Apr 193 min read
n8n Webhooks Exploited Since October 2025 in Malware Distribution Campaign
Key Findings Threat actors have weaponized n8n webhooks since October 2025 to deliver malware and fingerprint devices through phishing campaigns Malicious emails containing n8n webhook URLs appear legitimate because they originate from trusted n8n domains Email volume containing these URLs increased 686% from January 2025 to March 2026 Two primary attack methods observed: malware delivery via fake document links and device fingerprinting using invisible tracking pixels Attack
Apr 162 min read
ShinyHunters Claims Responsibility for Rockstar Games Breach, Begins Data Leaks
Key Findings ShinyHunters claims to have breached Rockstar Games through third-party cloud provider Anodot, accessing 8.1GB of data Leaked files include anti-cheat source code, player analytics, game assets, support tickets, and financial information Group set April 14, 2026 deadline for ransom payment, threatening data release and "digital disruption" Rockstar minimized impact, stating only non-material corporate information was accessed with no effect on operations or playe
Apr 153 min read
Booking.com Data Breach: Hackers Accessed Customer Information, Systems Now Secured
Key Findings Booking.com confirmed a targeted data breach affecting reservation records Exposed data includes names, email addresses, phone numbers, postal addresses, and booking details Payment information was not accessed Company has not disclosed the number of affected users or attack methodology Reservation PIN codes have been reset as a precaution Over 100 million users accessed the mobile app in 2024, amplifying breach severity Attackers can now leverage booking data to
Apr 142 min read
Attackers Exploiting Unpatched ShowDoc Servers Via CVE-2025-0520
Key Findings Critical remote code execution vulnerability CVE-2025-0520 in ShowDoc is under active exploitation in the wild with a CVSS score of 9.4 Unrestricted file upload flaw allows unauthenticated attackers to deploy web shells and execute arbitrary code on vulnerable servers Vulnerability affects all ShowDoc versions prior to 2.8.7, which was released in October 2020 Over 2,000 exposed ShowDoc instances remain online, with the majority located in China Threat actors hav
Apr 142 min read
CPUID Website Breach Deploys STX RAT Through Compromised CPU-Z and HWMonitor Downloads
Key Findings CPUID's website was compromised for approximately 24 hours (April 9-10, 2026) to distribute trojanized CPU-Z and HWMonitor installers containing STX RAT malware Threat actors manipulated a secondary API to redirect download links to malicious websites hosting infected executables The malware used DLL sideloading with a file named CRYPTBASE.dll to execute payloads while evading detection Over 150 victims identified across individuals and organizations in retail, m
Apr 123 min read
Iranian APT Attacks Target Thousands of Exposed US Industrial Devices
Key Findings Censys identified 5,219 internet-exposed Rockwell Automation PLCs globally, with 74.6% located in the United States Iranian-linked APT groups have been actively targeting these devices since March 2026, causing operational disruptions and financial losses Approximately 3,891 exposed U.S. devices are concentrated on cellular networks, indicating field-deployed infrastructure at utilities and substations Most vulnerable devices run outdated firmware from the MicroL
Apr 112 min read
Lazarus Hackers Use Real US LLCs to Distribute Malware in GraphAlgo Scam
Key Findings North Korea-linked Lazarus Group registered legitimate US LLC to distribute malware targeting blockchain developers Hackers created fake company "Blocmerce" in Florida with fabricated CEO and official state filings using real residential addresses GraphAlgo campaign evolved from npm package distribution to hiding malware in GitHub release artifacts Remote Access Trojan (RAT) deployed after developers run test tasks, giving attackers full machine control Campaign
Apr 112 min read
Adobe Reader Zero-Day Under Active Exploitation: Malicious PDFs Weaponized in the Wild
Key Findings Threat actors have been actively exploiting a previously unknown zero-day vulnerability in Adobe Reader since at least November 2025 Malicious PDF documents named with invoice-themed filenames use Russian language lures related to oil and gas industry issues to trick victims into opening them The exploit automatically executes obfuscated JavaScript upon opening to harvest sensitive data and receive additional malicious payloads The vulnerability allows execution
Apr 92 min read
Thousands of F5 BIG-IP APM Instances Remain Vulnerable to Active RCE Exploits
Key Findings Over 14,000 F5 BIG-IP APM instances remain exposed online with active exploitation of CVE-2025-53521 Vulnerability reclassified from denial-of-service to critical remote code execution with CVSS score of 9.8 Originally disclosed in October 2025, but severity assessment updated in March 2026 after new findings Shadowserver tracks over 17,100 total BIG-IP APM fingerprints exposed globally, concentrated in US, Europe, and Asia CISA added flaw to Known Exploited Vuln
Apr 62 min read
Crunchyroll Data Breach Impacts Nearly 1.2 Million Accounts
Key Findings Crunchyroll experienced a data breach in March 2026 affecting approximately 6.8 million users Attackers gained unauthorized access to the company's Zendesk support system Exposed data included names, login credentials, email addresses, IP addresses, geographic location data, and support ticket contents A subset of 1.2 million email addresses from a larger 2 million record dataset was later provided to Have I Been Pwned 1,195,684 breached accounts were confirmed i
Apr 42 min read
ShinyHunters Claims Theft of 3M+ Cisco Records in Latest Breach Threat
Key Findings ShinyHunters has issued a final warning to Cisco with an April 3, 2026 deadline before publicly leaking over 3 million alleged stolen records The group claims access through three separate breach paths: UNC6040, Salesforce Aura, and compromised AWS accounts Stolen data includes personally identifiable information, GitHub repositories, AWS storage buckets, and internal corporate data Screenshots provided by the group show access to AWS organizational dashboards an
Apr 22 min read
Anthropic Leaks 512,000 Lines of Claude Source Code in Security Blunder
Key Findings Anthropic leaked approximately 512,000 lines of Claude Code source code through a misconfigured npm source map file on March 31, 2026 The leak was discovered within hours by an intern at Solayer Labs and rapidly mirrored across the internet Claude Code generates $2.5 billion annually, representing a significant portion of Anthropic's $19 billion total revenue The exposed code reveals proprietary solutions including a three-layer memory system designed to prevent
Apr 13 min read
bottom of page
