ShinyHunters Claims Theft of 3M+ Cisco Records in Latest Breach Threat
Key Findings
* ShinyHunters has issued a final warning to Cisco with an April 3, 2026 deadline before publicly leaking over 3 million alleged stolen records
* The group claims access through three separate breach paths: UNC6040, Salesforce Aura, and compromised AWS accounts
* Stolen data includes personally identifiable information, GitHub repositories, AWS storage buckets, and internal corporate data
* Screenshots provided by the group show access to AWS organizational dashboards an
Apr 2 · 2 min read
WhatsApp Warns 200 Users of Fake iOS App with Government Spyware Linked to Italian Vendor
Key Findings
* WhatsApp alerted approximately 200 users, primarily in Italy, who were tricked into installing a counterfeit iOS app containing spyware
* The fake app was created by Asigint, an Italian subsidiary of spyware company SIO Spa
* All affected users have been logged out and advised to uninstall the malicious app and download the official version
* WhatsApp is pursuing legal action against Asigint to stop further malicious activity
* The attack relied on social engineering tac
Apr 2 · 2 min read
Anthropic Leaks 512,000 Lines of Claude Source Code in Security Blunder
Key Findings
* Anthropic leaked approximately 512,000 lines of Claude Code source code through a misconfigured npm source map file on March 31, 2026
* The leak was discovered within hours by an intern at Solayer Labs and rapidly mirrored across the internet
* Claude Code generates $2.5 billion annually, representing a significant portion of Anthropic's $19 billion total revenue
* The exposed code reveals proprietary solutions including a three-layer memory system designed to prevent
Apr 1 · 3 min read
Critical Supply Chain Attack: Axios npm Account Compromised to Distribute Cross-Platform RAT Malware
Key Findings
* Attackers compromised the npm account of Axios maintainer Jason Saayman and published malicious versions 1.14.1 and 0.30.4 containing a hidden RAT malware dependency
* The malicious versions injected "plain-crypto-js@4.2.1" as a fake dependency that deploys cross-platform remote access trojans targeting Windows, macOS, and Linux
* Both poisoned versions were published within 39 minutes on March 31, 2026, bypassing GitHub Actions CI/CD verification through compromised
Mar 31 · 3 min read
Lockheed Martin's 375TB Data Breach: Massive Trove Listed on Dark Web Market for $600M
Key Findings
* A dark web marketplace called Threat Market is listing 375 terabytes of alleged Lockheed Martin data for $600 million, with an alternative $374 million price tag
* The data was allegedly provided by a group claiming to be "APT IRAN" starting March 26, 2026
* A separate Iran-linked group called Handala Hack Team claimed around the same time to have accessed personal data of Lockheed Martin engineers and employees
* No verification of the breach has been confirmed by Loc
Mar 31 · 2 min read
Citrix NetScaler CVE-2026-3055 Under Active Attack: Sensitive Data Exposure Risk
Key Findings
* CVE-2026-3055 is a critical vulnerability (CVSS 9.3) in Citrix NetScaler ADC and Gateway affecting memory through an insufficient input validation flaw
* Attackers are actively probing the vulnerability via honeypot detection and fingerprinting authentication methods
* Only affects systems configured as a SAML Identity Provider, though this is a common enterprise configuration
* No public exploits exist yet, but in-the-wild exploitation is considered imminent
* Organizat
Mar 29 · 2 min read
Lloyds Group to Compensate 450,000 Customers Following Data App Glitch
Key Findings
* Software defect during routine overnight app update on 12 March exposed financial data for 447,936 customers across Lloyds, Halifax, and Bank of Scotland
* Privacy barriers between accounts failed for several hours, allowing customers to see strangers' transactions or have their own data exposed
* Over 114,000 users clicked on rogue transactions and may have viewed sensitive information including National Insurance numbers, payment references, and account details
* Dat
Mar 29 · 3 min read
European Commission Data Breach: ShinyHunters Claims 350GB Hack of AWS Cloud Infrastructure
Key Findings
* ShinyHunters claims to have breached European Commission systems and stolen over 350GB of data
* Alleged data includes mail server dumps, databases, confidential documents, and contracts
* The European Commission confirmed detecting a cyberattack on March 24 affecting cloud infrastructure hosting Europa.eu websites
* Internal systems were not compromised according to the Commission's investigation
* AWS denies any security incident occurred within its cloud environment
* N
Mar 28 · 3 min read
Iranian Hackers Claim Breach of FBI Director Kash Patel's Personal Email Account
Key Findings
* Iranian government-linked hacking group Handala claimed Friday to have compromised FBI Director Kash Patel's personal email account and released the data publicly
* The FBI confirmed awareness of the targeting but stated no government information was compromised and the exposed data is historical in nature
* Handala framed the breach as retaliation for U.S. seizure of its domains and a $10 million State Department reward for information on group members
* Leaked docume
Mar 27 · 3 min read
Russian Authorities Arrest Alleged LeakBase Admin Behind Stolen Data Marketplace
Key Findings
* Russian authorities arrested the alleged administrator of LeakBase, a major cybercrime marketplace operating since 2021
* The suspect, a resident of Taganrog, is accused of running a platform with over 147,000 users trading stolen data and credentials
* LeakBase was dismantled in early March 2024 through "Operation Leak," a coordinated international effort involving 14 countries
* The forum hosted hundreds of millions of compromised account credentials, financial infor
Mar 26 · 2 min read
Russian Hacker Sentenced to 6.75 Years for $9 Million Ransomware Campaign
Key Findings
* 26-year-old Russian citizen Aleksei Olegovich Volkov sentenced to 81 months in prison for ransomware facilitation
* Volkov operated as initial access broker, providing unauthorized network access to ransomware groups including Yanluowang
* Facilitated dozens of attacks causing over $9 million in confirmed losses and $24 million in intended losses
* Arrested in Italy January 2024, extradited to U.S., pleaded guilty November 2025
* Must pay $9.1 million in restitution to v
Mar 24 · 2 min read
AI-Powered Phishing Campaign Breaches Hundreds of Organizations Worldwide
Key Findings
* Hundreds of organizations compromised through AI-generated phishing campaign leveraging Railway cloud platform
* Attackers achieved massive scale increase starting March 3, with 50+ new compromises daily as of late March
* Campaign exploits Microsoft device authentication flow, granting 90-day OAuth tokens without passwords or MFA
* Affected sectors include construction, law, nonprofits, real estate, manufacturing, finance, healthcare, and government
* Huntress identifie
Mar 24 · 3 min read
Payload Ransomware Claims the Hack of Royal Bahrain Hospital
Key Findings
* Payload Ransomware claims to have breached Royal Bahrain Hospital (RBH)
* 110 GB of data allegedly stolen
* Threat to release data if ransom not paid by March 23, 2026
* Attack targets a healthcare facility serving multiple Middle Eastern countries

Background
Royal Bahrain Hospital, established in 2011, is a 70-bed healthcare facility providing comprehensive medical services including surgery, maternity care, and diagnostics. Located in Bahrain, the hospital serves pat
Mar 15 · 1 min read
Divine Skins - Breached Accounts Exposed
Key Findings
* Divine Skins data breach exposed 105,814 user accounts
* Unauthorized third party accessed systems and deleted all skins from database
* Exposed data included email addresses, usernames, and purchase history
* Breach disclosed via Discord server in March 2026

Background
Divine Skins is a custom League of Legends skin service that allows players to modify their in-game character appearances. The platform has been operating for several years, providing unique cos
Mar 15 · 1 min read
Telus Data Breach: ShinyHunters Claims 1 Petabyte Theft Confirmed
Key Findings
* ShinyHunters claims to have stolen approximately 1 petabyte of data from Telus Digital
* Breach discovered through stolen Google Cloud Platform credentials from a previous Salesforce-related hack
* Telus confirms unauthorized access to internal systems
* No disruption to customer services reported
* Investigations and forensic analysis are ongoing

Background
Telus Digital, a subsidiary of Canadian telecommunications giant Telus, provides business process outsou
Mar 14 · 2 min read
Bell Ambulance Data Breach Impacts Nearly 238,000 Individuals
Key Findings
* Bell Ambulance experienced a data breach affecting 237,830 individuals
* Unauthorized network access occurred in February 2025
* Medusa ransomware group claimed responsibility for the attack
* Exposed data includes personal, financial, and medical information
* Company offered 12 months of free credit monitoring to affected individuals

Background
Bell Ambulance is an emergency medical services provider based in Milwaukee, Wisconsin. The organization offers ambu
Mar 12 · 2 min read
Salesforce Experience Cloud Targeted by Threat Actors Leveraging Modified AuraInspector Tool
Key Findings
* Threat actors are mass-scanning publicly accessible Salesforce Experience Cloud sites using a modified version of the open-source AuraInspector tool.
* The modified tool is capable of extracting data by exploiting overly permissive guest user settings, allowing access to sensitive CRM data.
* The activity does not involve a vulnerability in the Salesforce platform but targets customer configuration issues.
* The campaign is attributed to a known threat actor group, pos
Mar 10 · 2 min read
Operation Leak: Dismantling the LeakBase Cybercrime Forum
Key Findings
* The Federal Bureau of Investigation (FBI) seized the LeakBase cybercrime forum (leakbase[.]la) as part of "Operation Leak", an international crackdown led by Europol.
* LeakBase was a key hub in the cybercrime ecosystem, specializing in trading leaked databases and "stealer logs" containing compromised credentials.
* The forum had over 142,000 registered users, approximately 32,000 posts, and more than 215,000 private messages as of December 2025.
* Law enforcement age
Mar 5 · 2 min read
Cybercriminals Leverage AI 'Claude' to Breach Mexican Government Agencies
Key Findings
* Hackers abused Anthropic's Claude AI model to develop exploits, create custom tools, and automate the exfiltration of over 150GB of data in a cyberattack targeting Mexican government systems.
* The attackers compromised 10 Mexican government agencies and a financial institution, starting with the tax authority in December 2025.
* Hackers sent over 1,000 prompts to Claude and used OpenAI's GPT-4.1 to analyze stolen data.
* By bypassing AI guardrails and framing actions
Mar 1 · 2 min read
Canada Goose - 581,877 Accounts Breached
Key Findings
* In February 2026, a data breach allegedly containing data relating to Canada Goose customers was published publicly.
* The data contained 920k records with 582k unique email addresses and included names, phone numbers, IP addresses, physical addresses, and partial credit card data.
* Canada Goose stated that the data "appears to relate to past customer transactions" and originated from a breach at a third party in August 2025.
* The most recent transaction date in the
Feb 17 · 1 min read
