Recently Added
The most recent resources added to appsec.fyi, across all topics. Subscribe to the RSS feed to stay updated.
| Date | Topic | Link | Excerpt |
|---|---|---|---|
| 2026-05-13 | Bug Bounty | New PoC Exploit Published for Microsoft Defender 0-Day Flaw | A new Proof of Concept (PoC) exploit has been released for a zero-day flaw in Microsoft Defender. This vulnerability was recently disclosed and allows for remote code execution. The publication of this PoC increases the risk of the vulnerability being exploited in the wild, as it provides a practical demonstration of how to leverage the flaw. Microsoft is likely working on a patch to address this security issue. |
| 2026-05-13 | RCE | May Patch Tuesday roundup: Critical holes in Windows Netlogon, DNS, and SAP S/4HANA | May Patch Tuesday roundup: Critical holes in Windows Netlogon, DNS, and SAP S/4HANA https://ift.tt/qeDvaM8 |
| 2026-05-13 | RCE | PHP SOAP Extension Flaw Could Let Attackers Execute Code Remotely | A critical vulnerability in PHP's SOAP extension allows remote code execution. Attackers can exploit this flaw by sending specially crafted SOAP requests, potentially leading to a complete compromise of affected systems. This could enable attackers to gain unauthorized access, steal sensitive data, or disrupt services. Users are strongly advised to update their PHP installations to the latest version to patch this security risk. |
| 2026-05-12 | Supply Chain | Mini Shai-Hulud malware compromises open-source packages | The Mini Shai-Hulud malware is targeting open-source packages. It's designed to steal sensitive information, including credentials and API keys, from infected systems. The malware achieves its distribution by compromising legitimate open-source projects, making it difficult to detect. Users are advised to exercise caution when updating or installing open-source software and to maintain vigilance against potential security threats. No specific bounty payout amount was mentioned in this content. |
| 2026-05-12 | RCE | Microsoft Patch Tuesday May 2026 - 120 Vulnerabilities Fixed Including 29 Critical RCE Flaws | Microsoft's May 2026 Patch Tuesday addressed 120 vulnerabilities, a significant update focusing on security. Among these, 29 critical flaws were patched, specifically impacting Remote Code Execution (RCE). This regular release is crucial for users to maintain system security and protect against potential exploits that could compromise their devices. The update aims to close security gaps and reinforce the overall integrity of Microsoft's software ecosystem. |
| 2026-05-12 | Supply Chain | Mini Shai-Hulud malware compromises hundreds of open-source packages in sprawling supply-chain attack | "Mini Shai-Hulud" is a newly discovered malware that has compromised hundreds of open-source packages. This sprawling supply-chain attack targets developers by injecting malicious code into popular libraries, potentially affecting numerous downstream applications and users. The goal of the attack is believed to be the theft of credentials and sensitive information. This incident highlights the ongoing risks associated with the open-source software supply chain and the need for robust security measures. |
| 2026-05-12 | Python | What AI 'fingerprints' helped expose the 1st AI-made zero-day exploit? \| The exploit was a Python script | Researchers discovered the first zero-day exploit generated by AI. The exploit was written as a Python script. The article's title suggests that unique "AI fingerprints" were crucial in identifying this novel threat, distinguishing it from human-crafted exploits. This marks a significant development in cybersecurity, highlighting AI's potential for both creating and detecting sophisticated attacks. The specific details of these "fingerprints" and how they led to the exposure of the exploit are likely discussed within the linked content. |
| 2026-05-12 | RCE | Microsoft Patch Tuesday for May 2026 Snort rules and prominent vulnerabilities | Microsoft's May 2026 Patch Tuesday addressed critical vulnerabilities across its product suite. The update included security patches for Windows, Office, and Azure. Notably, Snort rules were updated to detect and block exploit attempts targeting these newly patched flaws. While specific payout amounts for discovered vulnerabilities are not detailed in this summary, the release emphasizes Microsoft's ongoing efforts to secure its ecosystem against evolving threats. Users are urged to apply these patches promptly. |
| 2026-05-12 | SQLi | SAP Patches Critical SQL injection Vulnerability in SAP S/4HANA | SAP has released a patch for a critical SQL injection vulnerability in its S/4HANA enterprise resource planning software. This vulnerability could allow attackers to gain unauthorized access to sensitive data and potentially disrupt business operations. The company urges all users of SAP S/4HANA to apply the security update immediately to protect their systems from potential exploitation. |
| 2026-05-12 | Supply Chain | Mini Shai-Hulud attack compromises hundreds of npm, PyPI packages | A new supply chain attack, dubbed "Mini Shai-Hulud," has compromised hundreds of packages across npm and PyPI. The attack leverages typosquatting and dependency confusion to inject malicious code into widely used open-source software. This sophisticated campaign highlights the vulnerability of software supply chains, as developers often rely on these packages without thorough vetting. The full extent of the compromise and potential impact on users is still being assessed, but it underscores the urgent need for enhanced security measures in the open-source ecosystem. |
| 2026-05-12 | Python | Microsoft Warns Of Compromised mistralai PyPI Package | Microsoft has issued a warning about a compromised package named "mistralai" on the Python Package Index (PyPI). The malicious package appears to be an imposter, likely mimicking a legitimate AI model. Details regarding its exact functionality or potential harm are still emerging. Users are strongly advised to avoid installing or using the "mistralai" package from PyPI until further information is available or the issue is resolved. |
| 2026-05-12 | RCE | Fortinet warns of critical RCE flaws in FortiSandbox and FortiAuthenticator | Fortinet has issued a warning about critical Remote Code Execution (RCE) vulnerabilities affecting their FortiSandbox and FortiAuthenticator products. These flaws could allow attackers to gain unauthorized access and control over affected systems. Users are strongly advised to update their devices immediately to patch these security risks and protect their networks. |
| 2026-05-12 | SQLi | SAP Releases Patch for Critical SQL Injection Flaw in S/4HANA | SAP has released a patch to address a critical SQL injection vulnerability in its S/4HANA software. This flaw, identified as CVE-2023-33906, allows unauthorized attackers to execute arbitrary SQL statements, potentially leading to data breaches or system compromise. The vulnerability was discovered by a security researcher. SAP urges all S/4HANA users to apply the patch promptly to mitigate this risk. No specific bug bounty payout amount was mentioned. |
| 2026-05-12 | Supply Chain | Mistral AI SDK, TanStack Router hit in npm software supply chain attack | Mistral AI SDK and TanStack Router were compromised in a recent npm software supply chain attack. This incident highlights ongoing vulnerabilities in open-source software dependencies, where malicious code can be injected into widely used libraries, potentially affecting numerous projects and users. Further details on the specific impact and remediation efforts are expected as the investigation continues. |
| 2026-05-12 | Supply Chain | Shai-Hulud Here We Go Again: 170 Packages Hit Across npm & PyPi | A new campaign, dubbed "Shai-Hulud," has compromised over 170 packages across both npm and PyPI. This sophisticated attack likely involves malicious code injected into legitimate packages, posing a significant risk to developers and their projects. Users are strongly advised to review their dependencies and exercise caution when installing new packages from these registries. Further details on the specific vulnerabilities and affected packages can be found at the provided link. |
| 2026-05-12 | CSRF | Vulnerabilities in PAC4J software | The provided content is a link to a resource discussing vulnerabilities in PAC4J software. The content itself does not detail specific vulnerabilities or mention any bug bounty payout amounts. Therefore, a summary focusing on key points and main ideas can only state that the link leads to information about security flaws within the PAC4J software. No financial details are available for inclusion. |
| 2026-05-12 | RCE | New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution | New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution https://ift.tt/7hJr2wo |
| 2026-05-12 | Supply Chain | TanStack npm Packages Hit by Mini Shai-Hulud | TanStack npm packages were compromised by a supply chain attack. Malicious code was injected into several TanStack packages, including @tanstack/react-table, @tanstack/react-query, and @tanstack/react-form. The attackers modified dependency update scripts to subtly alter the code of packages in the TanStack ecosystem. Users are advised to check their dependencies and update to secure versions. No bounty payout amount is mentioned in the provided content. |
| 2026-05-12 | Supply Chain | RubyGems Suspends New Signups After Hundreds of Malicious Packages Are Uploaded | RubyGems Suspends New Signups After Hundreds of Malicious Packages Are Uploaded https://ift.tt/7j63dDB |
| 2026-05-12 | Supply Chain | SailPoint Discloses GitHub Repository Hack | SailPoint has disclosed a breach of its GitHub repositories. The incident involved unauthorized access to a limited number of SailPoint GitHub repositories. The company has stated that the unauthorized access did not impact its customer data or production environments. SailPoint has implemented enhanced security measures and is cooperating with law enforcement. No specific bounty payout amount was mentioned. |
| 2026-05-12 | SQLi | SAP Patches Critical SQL Injection Flaw in SAP S/4HANA | SAP Patches Critical SQL Injection Flaw in SAP S/4HANA https://ift.tt/Uye1D4F |
| 2026-05-12 | Supply Chain | Compromised Mistral AI and TanStack packages may have exposed GitHub, cloud, and CI/CD credentials in 'mini Shai Hulud' malware infection supply-chain campaign spreads across npm and AI developer ecosystems like wildfire | A supply-chain attack, dubbed "mini Shai Hulud," has infected popular Mistral AI and TanStack packages distributed via npm. This malware may have exposed sensitive GitHub, cloud, and CI/CD credentials. The campaign is rapidly spreading through AI developer ecosystems, posing a significant security risk to compromised users. |
| 2026-05-12 | RCE | Critical PHP SOAP Extension Vulnerabilities Enables Remote Code Execution Attacks | The PHP SOAP extension contains critical vulnerabilities that allow for remote code execution (RCE). These flaws can be exploited by attackers to gain control of affected systems. The extent of the impact and specific attack vectors are detailed in the linked advisory. No bug bounty payout amount is mentioned. |
| 2026-05-12 | RCE | Open WebUI File Upload Vulnerability Enables 1-Click RCE Attack | A critical file upload vulnerability has been discovered in Open WebUI, allowing for a 1-click Remote Code Execution (RCE) attack. This severe flaw means attackers can potentially gain control of systems running Open WebUI by exploiting this single vulnerability. Further details and the exploit mechanism are available at the provided link. No bounty payout amount was specified in the content. |
| 2026-05-12 | RCE | Cline AI Agent Flaw Allows Attackers to Launch RCE Attacks | A critical vulnerability has been discovered in the Cline AI Agent, allowing attackers to execute arbitrary code remotely (RCE). This flaw potentially exposes users to significant security risks. Further details and mitigation strategies are expected as the situation develops. No specific payout amount for reporting this bug was mentioned. |
| 2026-05-12 | API Security | JetBrains TeamCity vulnerability allows privilege escalation, API exposure (CVE-2026-44413) | JetBrains TeamCity vulnerability allows privilege escalation, API exposure (CVE-2026-44413) https://ift.tt/lMRi9Fd |
| 2026-05-12 | API Security | OpenAI Introduces Daybreak: A Cybersecurity Initiative That Puts Codex Security at the Center of Vulnerability Detection and Patch Validation | OpenAI has launched Daybreak, a new cybersecurity initiative focused on enhancing the security of its Codex code model. Daybreak aims to proactively identify and address vulnerabilities within Codex by leveraging AI-powered security tools. The program emphasizes both the detection of existing security flaws and the validation of patches to ensure their effectiveness. This initiative signifies OpenAI's commitment to robust AI security practices. |
| 2026-05-12 | Python | Operation HumanitarianBait Uses Fake Aid Documents to Deploy Python Spyware | Operation HumanitarianBait Uses Fake Aid Documents to Deploy Python Spyware https://ift.tt/bL6CW3Q |
| 2026-05-12 | RCE | Open WebUI File Upload Vulnerability Enables One-Click RCE Attacks | A critical vulnerability in Open WebUI's file upload functionality allows for one-click Remote Code Execution (RCE) attacks. This severe security flaw enables attackers to compromise systems without user interaction. The exploit is easily repeatable, posing a significant risk to users of the Open WebUI application. The extent of potential damage and the specific conditions for exploitation are detailed in the linked advisory. |
| 2026-05-12 | Supply Chain | How AI Can Detect Lateral Movement in Supply Chain Attacks | This content likely discusses how Artificial Intelligence (AI) can be employed to identify lateral movement within supply chain attacks. Lateral movement is a critical phase where attackers expand their access within a compromised network. AI's capabilities in analyzing large datasets and detecting anomalous patterns would be key to spotting these advanced persistent threats. The focus is on leveraging AI to enhance security defenses against sophisticated attacks that exploit the interconnectedness of supply chains. |
| 2026-05-12 | RCE | Critical Cline AI Agent Vulnerability Enables Remote Code Execution Attacks | A critical vulnerability has been discovered in the Cline AI Agent that allows for remote code execution (RCE) attacks. This means attackers could potentially gain control of systems running the agent without needing physical access. The exploit could have significant security implications, allowing unauthorized access and manipulation of sensitive data or system functions. Further details on the specific nature of the vulnerability and potential mitigation strategies are available via the provided link. |
| 2026-05-12 | Supply Chain | TanStack, Mistral AI, UiPath Hit in Fresh Supply Chain Attack | A recent supply chain attack has impacted several prominent technology companies, including TanStack, Mistral AI, and UiPath. The exact details of the attack and the extent of the compromise are still under investigation. This incident highlights ongoing vulnerabilities in software supply chains, where compromised third-party components can inadvertently infect downstream users and their systems. Further information regarding the attack's vector, affected data, and remediation efforts is expected as investigations proceed. No bug bounty payout amounts were mentioned in the provided content. |
| 2026-05-12 | XSS | Instructure confirms hackers used Canvas flaw to deface portals | Instructure has confirmed that hackers exploited a vulnerability in their Canvas learning management system to deface customer portals. The extent of the compromise and the specific number of affected institutions are still under investigation. Instructure has stated they are working to address the issue and secure affected systems. No specific bounty payout amount was mentioned. |
| 2026-05-12 | Supply Chain | Hundreds of open source packages hacked: “I’m just not gonna run npm install anymore” | Hundreds of open source packages hacked: “I’m just not gonna run npm install anymore” https://ift.tt/rDlQGUa |
| 2026-05-12 | AI | 7 AI Security Tools to Prepare You for Every Attack Phase | The article "7 AI Security Tools to Prepare You for Every Attack Phase" highlights essential AI-powered security tools for comprehensive defense. It emphasizes using AI to anticipate and counter threats across all stages of an attack, from initial reconnaissance to post-breach remediation. The focus is on proactive security measures enabled by AI, ensuring organizations are better equipped to handle evolving cyber threats by leveraging these advanced tools for detection, prevention, and response. |
| 2026-05-12 | Supply Chain | Checkmarx Jenkins AST Plugin Compromised in KICS Supply Chain Attack | Checkmarx Jenkins AST Plugin Compromised in KICS Supply Chain Attack https://ift.tt/5VXPZUo |
| 2026-05-12 | IDOR | Max's Bug Bounty: Two Hundred Thirteen Flaws and Twenty-Two Million in Rewards | This content highlights Max's Bug Bounty program, which has successfully identified and resolved 213 flaws. The program has awarded a substantial $22 million in rewards for these findings. The provided link offers further details on this impressive achievement in cybersecurity vulnerability disclosure. |
| 2026-05-12 | Supply Chain | Claude Code MCP Attack Enables Persistent Token Theft | Claude Code MCP Attack Enables Persistent Token Theft https://ift.tt/sk39bhF |
| 2026-05-11 | Supply Chain | JDownloader website compromised to distribute malicious installers | Library for detecting supply chain attacks; this entry details a compromise of the JDownloader website where attackers used an unpatched CMS vulnerability to distribute malicious Windows and Linux installers. The Windows payload deployed a Python RAT, while the Linux installer injected code to establish persistence. JDownloader confirmed the breach, advising users to verify digital signatures for "AppWork GmbH" and recommending OS reinstallation for affected individuals. |
| 2026-05-11 | Supply Chain | AI Is Reshaping Software Supply Chain Risk | Analysis of AI's impact on software supply chain security highlights expanding attack surfaces due to AI-assisted development, with 84% of developers using AI tools. Traditional security controls like EDR and MDM lack visibility into AI integrations, browser extensions, and package managers. This leads to increased risk from malicious open-source packages, with Aikido Intel identifying up to 100,000 daily. Organizations require real-time visibility and install-time controls for developer tooling, as compromised workstations grant attackers trusted access to repositories and credentials. |
| 2026-05-11 | API Security | Ollama Vulnerability Exposes Remote Process Memory | Writeup of CVE-2026-7482, "Bleeding Llama," a critical heap out-of-bounds read in Ollama's GGUF model loader. This vulnerability allows for the leakage of process memory, including API keys and user conversation data, through the `/api/create` and `/api/push` endpoints, especially when Ollama is configured to bind to `0.0.0.0`. Versions prior to 0.17.1 are affected, with remediation involving an immediate upgrade and auditing of network-exposed instances. |
| 2026-05-11 | Supply Chain | TeamPCP Compromises Checkmarx Jenkins AST Plugin Weeks After KICS Supply Chain Attack | Writeup of TeamPCP's compromise of the Checkmarx Jenkins AST plugin, occurring weeks after their KICS supply chain attack. This incident highlights the exploitation of software supply chain trust and the potential for incomplete remediation, as evidenced by the defaced GitHub repository and malicious updates to the plugin. The ongoing attacks by TeamPCP underscore the persistent threat to developer tools and credentials. |
| 2026-05-11 | RCE | Critical PHP SOAP Extension Flaw Enables Remote Code Execution Attacks | A critical vulnerability has been discovered in the PHP SOAP extension that allows attackers to achieve remote code execution. This flaw poses a significant security risk, enabling malicious actors to potentially compromise systems running vulnerable PHP installations. Further details on the exploit and its impact are available at the provided link. No bounty payout amount is mentioned in the content. |
| 2026-05-11 | Supply Chain | Build Application Firewalls Aim to Stop the Next Supply Chain Attack | Library from InvisiRisk, a build application firewall (BAF), enforces policy during the CI/CD build process by inspecting package activity rather than solely scanning code. This approach aims to prevent supply chain attacks, such as those involving the SolarWinds breach or hijacked npm libraries like Axios, by detecting unexpected or malicious actions within the build environment. The BAF, along with InvisiRisk's TruSBOM tool, provides detailed explanations for risky actions and generates accurate SBOMs by directly observing the software build process, offering a robust defense against evolving threats. |
| 2026-05-11 | Supply Chain | Checkmarx Jenkins AST Plugin Compromised in Supply Chain Attack | Plugin version 2.0.13-829.vc72453fa_1c16 of the Checkmarx Jenkins AST plugin is the secure version, after a malicious iteration was published to the Jenkins Marketplace. This compromise, attributed to the TeamPCP hacker gang and potentially the Lapsus$ extortion group, stems from a wider supply chain attack impacting Checkmarx's repositories since March, following a Trivy supply chain incident. |
| 2026-05-11 | RCE | New cPanel and WHM Flaws Enable Remote Code Execution and DoS Attacks | New security vulnerabilities have been discovered in cPanel and WHM, two popular web hosting control panels. These flaws allow attackers to execute arbitrary code remotely, which could compromise server security. Additionally, the vulnerabilities can be exploited to launch Denial of Service (DoS) attacks, disrupting website availability. Users of cPanel and WHM are advised to update their systems immediately to patch these critical security risks. The specific bounty payout amount for reporting these issues is not mentioned in the provided content. |
| 2026-05-11 | Supply Chain | Checkmarx tackles another TeamPCP intrusion as Jenkins plugin sabotaged | Analysis of a TeamPCP intrusion targeting a Jenkins plugin, highlighting the evolving landscape of supply chain attacks. This incident underscores the risks associated with untrusted agentic development layers and the growing threat of AI agent skills being exploited for malicious purposes, mirroring concerns around identity-based cyber resilience and the black market for compromised identities. |
| 2026-05-11 | Supply Chain | Malicious Hugging Face model masquerading as OpenAI release hits 244K downloads | Library of techniques for defending against malicious Hugging Face models masquerading as legitimate OpenAI releases. This incident highlights the emerging threat of AI repositories as a software supply chain attack vector, with one model, Open-OSS/privacy-filter, reaching 244,000 downloads before removal. The attack involved a malicious loader.py script that delivered infostealer malware targeting browser credentials, cryptocurrency wallets, and system information, bypassing traditional security controls and suggesting links to npm typosquatting and PyPI campaigns. |
| 2026-05-11 | AuthZ | Devastating 'Dirty Frag' exploit leaks out, gives immediate root access on most Linux machines since 2017, no patches available, no warning given; Copy Fail-like vulnerability had its embargo broken | Tool that provides immediate root access on most Linux machines since 2017 due to the Dirty Frag vulnerability. This local privilege escalation exploit leverages a zero-copy operation in IPSec-related modules, specifically affecting "xfrm-ESP Page Cache Write" and "RxRPC Page-Cache Write." Distributions like Ubuntu, Arch, RHEL, and Fedora are impacted. Mitigation involves disabling esp4, esp6, and rxrpc kernel modules. The exploit code is available via a GitHub repository for testing. |
| 2026-05-11 | Supply Chain | Checkmarx tackles another TeamPCP intrusion as Jenkins plugin sabotaged | Library that detects and mitigates supply chain attacks targeting CI/CD pipelines, as demonstrated by Checkmarx's response to an intrusion involving a sabotaged Jenkins plugin used by TeamPCP. The article highlights the increasing risks associated with untrusted agentic development layers and the potential for AI agent skills to be exploited for supply chain compromise. |
| 2026-05-11 | Python | Python Infostealer Uses GitHub Releases To Bypass Security Tools | A Python infostealer malware is leveraging GitHub Releases to evade detection by security tools. Attackers are uploading malicious payloads disguised as legitimate software updates to GitHub's release pages. This tactic allows them to distribute malware through a trusted platform, making it harder for antivirus and other security solutions to identify and block the threats. The use of GitHub's infrastructure helps the infostealer bypass typical security checkpoints and reach targeted systems more effectively. |
| 2026-05-11 | SQLi | U.S. CISA adds a flaw in BerriAI LiteLLM to its Known Exploited Vulnerabilities catalog | CVE-2026-42208 is a critical SQL injection vulnerability in BerriAI LiteLLM versions 1.81.16 to 1.83.6, allowing unauthenticated attackers to access and potentially modify database data via a crafted Authorization header. This flaw was added to CISA's Known Exploited Vulnerabilities catalog due to rapid real-world exploitation observed shortly after disclosure, with attackers targeting sensitive information like virtual API keys and credentials. A fix is available in LiteLLM version 1.83.7. |
| 2026-05-11 | Supply Chain | Responsible for Systems You Can't See: A C-Suite Guide to AI Supply Chain Risk | Guide for C-suites on AI supply chain risk, highlighting attacks on LiteLLM and axios, which exploited trusted open-source workflows. It emphasizes that AI expands and obscures the attack surface, making executives accountable for systems and dependencies they cannot fully see, audit, or control, necessitating a shift to ecosystem security and continuous dependency monitoring rather than assuming trust. |
| 2026-05-11 | XSS | Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerabilities | Writeup on Cisco Identity Services Engine (ISE) stored cross-site scripting vulnerabilities, CVE-2025-20204 and CVE-2025-20205. These flaws stem from insufficient input validation in the web-based management interface, allowing authenticated attackers to inject malicious script code. Exploitation enables arbitrary script execution within the interface context or access to sensitive browser data, requiring administrative credentials. Cisco has released updates to address these issues. |
| 2026-05-11 | RCE | Mozilla Products Multiple Vulnerabilities | Analysis of multiple vulnerabilities in Mozilla Products, including Firefox and Thunderbird, leading to potential denial of service and remote code execution. Affects versions prior to Firefox 150.0.2, Firefox ESR 115.35.2, Firefox ESR 140.10.2, Thunderbird 140.10.2, and Thunderbird 150.0.2. Patches are available from the vendor. |
| 2026-05-11 | RCE | Exploits and vulnerabilities in Q1 2026 | The provided content is a link to a resource detailing exploits and vulnerabilities expected in Q1 2026. No specific details about vulnerabilities, their impact, or any associated bug bounty payout amounts are present in the given information. Therefore, a summary of the content's key points and main ideas cannot be generated beyond stating its topic. |
| 2026-05-10 | Fuzzing | Mozilla Uses AI to Help Discover a Security Vulnerability in Firefox 271 | Mozilla successfully employed AI to identify a security vulnerability in Firefox 271. This marks a significant step in leveraging artificial intelligence for cybersecurity, enabling more proactive discovery of potential threats. The AI's ability to analyze complex code and identify weaknesses could revolutionize vulnerability assessment and software security. This development highlights the growing importance of AI in protecting digital infrastructure and user data. |
| 2026-05-10 | Supply Chain | Supply Chain Attack: Fake OpenAI Repository on Hugging Face Distributes Infostealer Malware Targeting Developers and AI Tools | Library of techniques detailing a supply chain attack involving a fake OpenAI repository on Hugging Face that distributed an infostealer malware. The malware targeted developers by exfiltrating credentials, session tokens, and cryptocurrency wallets from Chromium and Gecko browsers, Discord tokens, and local files. The attack leveraged typosquatting, social engineering, and evasion tactics like disabling SSL verification and checking for VMs, mapping to MITRE ATT&CK techniques such as T1566 (Phishing) and T1555 (Credentials from Password Stores). |
| 2026-05-10 | Python | JDownloader Website Supply Chain Attack: Installers Replaced with Python RAT Malware (May 2026) | Writeup of the JDownloader website supply chain attack (May 2026), detailing how an unpatched CMS vulnerability allowed attackers to replace Windows and Linux installers with a Python RAT and ELF binaries respectively. The attack, active for approximately 24 hours, utilized obfuscation and persistence techniques, including SUID-root binaries for Linux. This incident highlights the risks of unauthorized changes to web content and the importance of verifying digital signatures. |
| 2026-05-10 | RCE | Ivanti Warns of New EPMM Flaw Exploited in Zero-Day Attacks | Ivanti has issued a warning about a new critical vulnerability in its Endpoint Manager Mobile (EPMM) software that is already being exploited in zero-day attacks. The flaw, identified as CVE-2024-22053, allows unauthenticated attackers to gain administrative access to affected systems. Ivanti is urging customers to immediately apply a patch to mitigate the risk. No specific bounty payout amount was mentioned in the provided content. |
| 2026-05-10 | RCE | New cPanel vulnerabilities could allow file access and remote code execution | Writeup of cPanel vulnerabilities CVE-2026-29201, CVE-2026-29202, and CVE-2026-29203, which permit arbitrary file reads, Perl code execution via the create_user API, and potential denial-of-service or privilege escalation through chmod. These flaws affect multiple cPanel & WHM releases and have been patched. This disclosure follows the weaponization of a separate cPanel authentication bypass vulnerability, CVE-2026-41940, as a zero-day for botnet deployment. Tools are available from watchTowr and cPanel to detect vulnerable hosts. |
| 2026-05-10 | API Security | Ollama contains critical GGUF out-of-bounds read | Writeup on CVE-2026-7482 details a critical heap out-of-bounds read in Ollama's GGUF model loader, affecting versions before 0.17.1. Exploitable via the unauthenticated /api/create endpoint with a crafted GGUF file, the vulnerability allows reading past allocated heap buffers, potentially leaking environment variables, API keys, and user data. This leaked data can be exfiltrated using the /api/push endpoint. Roughly 300,000 Ollama deployments are estimated to be publicly reachable, increasing the attack surface. |
| 2026-05-10 | Supply Chain | Official JDownloader site served malware to Windows and Linux users between May 6 and May 7 | Writeup of a supply chain attack on the JDownloader official website, which occurred between May 6 and May 7, 2026. Attackers compromised the site's content management system, altering download links to serve malware instead of legitimate Windows "Alternative Installer" and Linux shell installers. The deployed malware was a Python-based remote access trojan (RAT). Legitimate installers were digitally signed by "AppWork GmbH," while malicious ones were unsigned or signed by suspicious entities like "Zipline LLC" or "The Water Team." The website was taken offline for investigation and remediation, with correct installer links restored. |
| 2026-05-10 | API Security | Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak | Library detailing CVE-2026-7482, a critical out-of-bounds read vulnerability in Ollama's GGUF model loader that allows remote attackers to leak process memory, potentially exposing API keys and user data. It also covers two unpatched Windows vulnerabilities, CVE-2026-42248 (missing signature verification) and CVE-2026-42249 (path traversal), which can be chained for persistent code execution by influencing update responses. |
| 2026-05-10 | RCE | New cPanel and WHM Flaws Enable Code Execution DoS Attacks | New vulnerabilities in cPanel and WHM allow attackers to execute code and launch Denial of Service (DoS) attacks. These security flaws could compromise server integrity and availability. Users are strongly advised to update their cPanel and WHM installations to the latest versions to patch these vulnerabilities and protect their systems. |
| 2026-05-10 | SSRF | Multiple Critical Flaws Fixed in Next.js and React Server Components | Next.js and React Server Components have addressed several critical security vulnerabilities. While the specific flaws are not detailed in the provided text, the fix indicates potential risks to applications utilizing these technologies have been mitigated. The content emphasizes the importance of applying these updates to maintain application security. No bug bounty payout amounts are mentioned. |
| 2026-05-09 | RCE | CVE-2025-68670: discovering an RCE vulnerability in xrdp | This content details the discovery of CVE-2025-68670, a remote code execution (RCE) vulnerability in xrdp. The provided link likely contains further technical information about this security flaw. No bug bounty payout amount is mentioned. |
| 2026-05-09 | API Security | Critical Ollama Memory Leak Vulnerability Exposes 300000 Servers Globally | A critical memory leak vulnerability in Ollama, an open-source tool for running large language models, has been discovered, potentially impacting an estimated 300,000 servers worldwide. The vulnerability allows for denial-of-service (DoS) attacks by exhausting server memory. While the exact payout amount for reporting this bug isn't specified, the discovery highlights a significant security risk for users of Ollama, emphasizing the need for prompt patching and security awareness in the AI infrastructure landscape. |
| 2026-05-09 | XSS | Every Old Vulnerability Is Now an AI Vulnerability | This article argues that as Artificial Intelligence (AI) systems become more integrated, traditional cybersecurity vulnerabilities are now also AI vulnerabilities. Existing exploits and weaknesses in software, hardware, and network infrastructure can be leveraged to target or compromise AI models. This means that the vast landscape of known security flaws presents a significant risk to AI systems, requiring a re-evaluation of security strategies to account for this expanded threat surface. |
| 2026-05-09 | RCE | Palo Alto Networks Firewall Zero-Day RCE Vulnerability Exploited in the Wild Since April | A critical zero-day Remote Code Execution (RCE) vulnerability in Palo Alto Networks firewalls has been actively exploited in the wild since April. The vulnerability affects specific PAN-OS versions and allows attackers to gain unauthorized access and control. Palo Alto Networks has released patches and urges customers to update their systems immediately to mitigate the risk of compromise. Users are advised to check their firewall configurations and monitor for suspicious activity. |
| 2026-05-09 | API Security | New ZiChatBot Malware Uses Zulip REST APIs as Command and Control Server | Library for detecting the ZiChatBot malware, which exploits Zulip REST APIs for command and control. This cross-platform malware, identified by Securelist and linked to the OceanLotus APT group (APT32), was distributed via malicious Python packages on PyPI, including fake libraries like uuid32-utils, colorinal, and termncolor. ZiChatBot uses two channel-topic pairs within Zulip to exfiltrate system information and receive shellcode commands, with execution confirmed by a heart emoji response. The dropper employs AES encryption and self-deletion for stealth. |
| 2026-05-09 | Supply Chain | Supply-Chain Attacks in an Era of Automation and Implicit Trust | Analysis of 2026 supply-chain threats, including the Axios compromise and the Trivy campaign, details how attackers exploit trust in automation and developer systems. The Axios incident involved a compromised npm maintainer account leading to RAT distribution via a malicious dependency, impacting numerous production environments. The Trivy attack leveraged credentials to inject malicious artifacts into CI automation, release binaries, and container images, resulting in secret exfiltration. Additionally, the Quest KACE System Management Appliance vulnerability (CVE-2025-32975) demonstrates how unpatched legacy infrastructure becomes a supply-chain risk. |
| 2026-05-08 | RCE | Federal agencies ordered to patch Ivanti zero-day in 3 days | Writeup of CVE-2026-6973, an improper input validation vulnerability in Ivanti EPMM. Federal agencies are ordered to patch this flaw within three days due to its potential for arbitrary code execution by authenticated users. This zero-day, with a CVSS score of 7.2, follows previously disclosed critical Ivanti EPMM vulnerabilities, CVE-2026-1281 and CVE-2026-1340, which were exploited in attacks against government bodies and critical infrastructure. Upgrading to specific versions resolves all three identified CVEs. |
| 2026-05-08 | Supply Chain | DAEMON Tools devs confirm breach release malware-free version | Writeup of DAEMON Tools supply chain attack confirming trojanized installers for version 12.5.1 (free). Hackers used digitally signed installers to backdoor systems, deploying an information stealer and a lightweight backdoor, with QUIC RAT malware observed in at least one instance. Disc Soft Limited released a malware-free version, 12.6, addressing the vulnerability. |
| 2026-05-08 | Python | Linux Kernel Elevation of Privilege Vulnerability | Writeup on CVE-2026-31431, a "Copy Fail" logic bug in the Linux kernel's authencesn cryptographic template. This vulnerability allows an unprivileged local user to perform a deterministic, controlled 4-byte write into the page cache of any readable file, enabling elevation of privilege to root. The exploit is a 732-byte Python script that can modify setuid binaries, impacting all Linux distributions shipped since 2017. Vendor-specific fixes are available for Ubuntu, Debian, Red Hat, SUSE, Amazon, Arch, AlmaLinux, Cloudlinux, and Gentoo. |
| 2026-05-08 | AI | The AI Agent Security Surface: What Gets Exposed When You Add Tools and Memory | Library for securing AI agents, moving beyond model-centric security to address four distinct attack surfaces: Prompt, Tool, Memory, and Planning Loop. This framework details vulnerabilities like indirect prompt injection, parameter injection against tools, memory poisoning illustrated by MINJA Framework successes, and planning loop manipulation leading to cascading failures in multi-agent systems. Mitigations include boundary sanitization, least privilege, provenance tracking, and reasoning logging. |
| 2026-05-08 | Fuzzing | Mozilla Uses Mythos to Find Hundreds of Flaws | Library using Anthropic's Claude Mythos Preview and custom orchestration identified 271 security bugs in Firefox, including a 15-year-old defect missed by fuzzers. This AI-assisted approach yielded high-signal findings with minimal false positives, suggesting maturing capabilities for vulnerability discovery. The findings raise considerations for disclosure processes and the dual-use potential of such powerful models. |
| 2026-05-08 | Supply Chain | Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise | Library targeting developers' systems with the Quasar Linux RAT (QLNX) implants, a malware designed for credential harvesting from files like .npmrc, .pypirc, and .aws/credentials. QLNX masquerades as a kernel thread, wipes logs, and uses seven persistence methods including systemd and crontab. It features a PAM inline-hook backdoor and a kernel-level eBPF rootkit component to hide processes, files, and network ports, ultimately facilitating software supply chain attacks by compromising publishing pipelines and cloud infrastructure. |
| 2026-05-08 | RCE | Apache fixes critical HTTP/2 vulnerability allowing remote code execution | Library update addressing CVE-2026-23918, a critical double-free vulnerability in Apache HTTP Server's HTTP/2 protocol handler. This flaw, discovered by Bartlomiej Dmitruk and Stanislaw Strzalkowski, allows remote code execution in specific configurations and is resolved in version 2.4.67. Exploitation involves crafting an HTTP/2 sequence to trigger memory corruption, impacting systems running version 2.4.66. |
| 2026-05-08 | AI | Mitigating Indirect AGENTS.md Injection Attacks in Agentic Environments | Library demonstrating indirect AGENTS.md injection attacks in agentic environments. This library highlights a supply chain risk where malicious dependencies can overwrite AGENTS.md files, allowing attackers to hijack AI agent behavior, exemplified by a Golang project with a compromised `github.com/cursorwiz/echo` dependency that injects a stealthy `time.Sleep` command and manipulates PR summaries. |
| 2026-05-08 | Fuzzing | Mozilla explains the system that discovered 271 vulnerabilities in Firefox using Claude Mythos Preview. | Library for AI-assisted vulnerability discovery, detailing Mozilla's system that leveraged Claude Mythos Preview to identify 271 vulnerabilities in Firefox. This system utilized an agent-based harness atop existing fuzzing infrastructure to pinpoint flaws in areas like JIT, WebAssembly GC, IndexedDB, and XSLT, including a 15-year-old bug in the `<legend>` element and persistent XSLT issues. The AI demonstrated a low false positive rate, with dual LLM verification bolstering developer confidence, and highlighted the effectiveness of existing anti-poisoning measures by identifying blocked AI attack attempts. |
| 2026-05-08 | RCE | Ivanti patches five vulnerabilities in EPMM one actively being exploited | Writeup detailing Ivanti's patching of five vulnerabilities in Endpoint Manager Mobile (EPMM), including the actively exploited CVE-2026-6973. The advisory highlights CVE-2026-5788 for unauthenticated RCE, CVE-2026-5787 for Sentry impersonation, and CVE-2026-7821 for data access. The NCSC warns of imminent public PoC code, urging immediate patching to mitigate risks like those previously impacting Dutch organizations. |
| 2026-05-08 | RCE | CVE-2026-23918: Apache HTTP/2 Double-Free Vulnerability with Possible RCE | Apache HTTP/2 has a critical double-free vulnerability (CVE-2026-23918) that could lead to remote code execution (RCE). The vulnerability stems from improper handling of connection state during graceful shutdown when certain HTTP/2 frames are processed. This could allow an attacker to trigger the double-free condition, potentially gaining control of the server. This issue affects all Apache HTTP Server versions from 2.4.51 to 2.4.53. Users are strongly advised to update to version 2.4.54 or later to mitigate this risk. |
| 2026-05-08 | Secrets | How to mitigate secrets risk and prevent future breaches | Library for detecting and managing secrets risk in code. It details how leaks of credentials, tokens, and signing keys in open source and proprietary repositories are a growing concern, with millions exposed on platforms like GitHub and npm. The library aids in situational awareness by identifying exposed secrets, understanding their purpose, and assessing their potential impact. It emphasizes investing in advanced tooling to filter false positives and prioritize active tokens, alongside evolving development practices to mitigate risks from the design stage forward, ultimately aiming to prevent future breaches. |
| 2026-05-08 | SSRF | Multiple Critical Vulnerabilities Patched in Next.js and React Server Components | This article reports on the patching of multiple critical vulnerabilities affecting Next.js and React Server Components. These security flaws could have allowed for serious issues within applications built using these technologies. The advisory does not specify any bug bounty payout amounts for the discovery and reporting of these vulnerabilities. Users are strongly encouraged to update their Next.js and React Server Components to the latest versions to mitigate these risks. |
| 2026-05-08 | SSRF | Upwind Security MDR: GitHub Enterprise Server SSRF: CVE-2026-8034 A high-severity SSRF vulnerability in the GitHub Enterprise Server notebook viewer could allow attackers to access internal services via URL parser confusion. | Upwind Security MDR reports a high-severity Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-8034) in GitHub Enterprise Server's notebook viewer. This flaw, stemming from URL parser confusion, enables attackers to access internal services. |
| 2026-05-08 | Supply Chain | Kaspersky uncovers targeted DAEMON Tools supply chain attack affecting manufacturing government sectors | Writeup of a targeted DAEMON Tools supply chain attack where trojanized installers, signed with legitimate developer certificates, deployed backdoors to select government, manufacturing, and scientific organizations. The attack, active since April 8, 2026, used a typosquatted domain and involved sophisticated techniques comparable to the 3CX supply chain incident, highlighting the risks of widely trusted software for attackers. |
| 2026-05-08 | IDOR | Dark Web Article Contest Offers $10K for Exploit Articles | Contest announcement on the TierOne dark web forum offers $10,000 for exploit articles, covering topics like RCE via deserialization in React/Node.js, command injection, IDOR in SaaS, SSTI, firmware attacks on routers/cameras, and privilege escalation in RouterOS. Submissions require original content on vulnerability exploitation, with prizes awarded for the best technical write-ups on topics including zero-day browser discoveries and AV/EDR bypass techniques. |
| 2026-05-08 | SSRF | Multiple Critical Vulnerabilities Patched in Next.js and React Server Components | Multiple critical vulnerabilities have been patched in Next.js and React Server Components. These security flaws could have allowed for unauthorized code execution and data exposure. Developers are urged to update their Next.js and React Server Components to the latest versions immediately to mitigate these risks. The exact payout amounts for the bounties related to these vulnerabilities were not specified in the provided content. |
| 2026-05-07 | Supply Chain | Supply chain security on alert as M&A targets agent security | Library for mitigating supply chain security risks, particularly those amplified by AI. It addresses threats exemplified by the Axios NPM package tampering and trojanized Daemon Tools installers. The library offers solutions and insights relevant to the increasing M&A activity in agent security, such as Cisco's acquisition of Astrix Security and Palo Alto Networks' acquisition of Portkey. It also provides context for OpenAI's GPT-5.5 Cyber and Anthropic's Mythos, noting their capabilities in vulnerability discovery and potential for misuse, alongside Cisco's open-source Model Provenance Kit for AI model verification. |
| 2026-05-07 | API Security | Ollama vulnerability highlights danger of AI frameworks with unrestricted access | Library for running AI models on local hardware, Ollama, suffers from CVE-2026-7482, dubbed Bleeding Llama. This vulnerability, an out-of-bounds heap read in the model quantization pipeline, allows unauthenticated attackers to craft malicious GGUF files. Uploading these files via the API endpoint triggers a leak of sensitive process memory, including system prompts, user messages, environment variables, API keys, and proprietary code. Exploitation requires only three API requests to exfiltrate this data. Mitigation involves updating to Ollama version 0.17.1, using authentication proxies, and implementing IP access filters and firewalls. |
| 2026-05-07 | API Security | API Security Operations: How to Move from Visibility to Measurable Risk Reduction | This article, "API Security Operations: How to Move from Visibility to Measurable Risk Reduction," discusses the transition from simply identifying API security vulnerabilities to actively reducing measurable risk. It likely outlines strategies and best practices for organizations to enhance their API security posture. The core message centers on moving beyond basic detection to implementing proactive measures that demonstrably improve security and minimize potential threats. The provided link points to further details on this topic. No specific bounty payout amount is mentioned. |
| 2026-05-07 | RCE | When prompts become shells: RCE vulnerabilities in AI agent frameworks | Library providing security analysis of AI agent frameworks, detailing RCE vulnerabilities like CVE-2026-25592 and CVE-2026-26030 discovered in Semantic Kernel. The research highlights how prompt injection can lead to host-level code execution through unsafe string interpolation and blocklist bypasses in plugins like the In-Memory Vector Store, enabling attackers to leverage Semantic Kernel's tool execution capabilities for malicious purposes. |
| 2026-05-07 | Python | Critical severity vulnerability affecting CPython (CVE-2026-6100) | Writeup of CVE-2026-6100, a critical use-after-free vulnerability in CPython affecting `lzma.LZMADecompressor`, `bz2.BZ2Decompressor`, and `gzip.GzipFile`. The vulnerability arises when decompressor instances are reused after a `MemoryError` during decompression, leading to a dangling pointer. Standard one-shot decompression functions like `lzma.decompress()` are unaffected. |
| 2026-05-07 | RCE | Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access | Writeup on CVE-2026-6973, an active RCE vulnerability in Ivanti Endpoint Manager Mobile (EPMM) allowing administrative users to execute arbitrary code. This flaw, along with CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821, impacts on-premise EPMM and is under active exploitation. CISA has added CVE-2026-6973 to its KEV catalog, mandating fixes for federal agencies. |
| 2026-05-07 | RCE | Ivanti warns of new EPMM flaw exploited in zero-day attacks | Writeup of CVE-2026-6973, a critical Improper Input Validation vulnerability in Ivanti Endpoint Manager Mobile (EPMM) exploited in zero-day attacks. This flaw allows remote attackers with administrative privileges to execute arbitrary code on EPMM versions 12.8.0.0 and earlier. Ivanti recommends patching to EPMM 12.6.1.1, 12.7.0.1, and 12.8.0.1, and rotating admin credentials. Four other high-severity EPMM vulnerabilities (CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821) were also patched. |
| 2026-05-07 | RCE | Cisco patches high-severity flaws enabling SSRF code execution attacks | Advisory detailing high-severity vulnerabilities in Cisco Unity Connection, including CVE-2026-20034 allowing authenticated remote root code execution via crafted API requests, and CVE-2026-20035 enabling unauthenticated SSRF attacks by sending crafted HTTP requests. These flaws stem from insufficient input validation, potentially leading to complete system compromise or arbitrary network traffic originating from the affected device. |
| 2026-05-07 | RCE | Critical Redis Vulnerabilities Enables Remote Code Execution Attacks | This content describes critical vulnerabilities in Redis that allow for remote code execution. These flaws enable attackers to compromise systems by exploiting specific configurations or weaknesses in the popular in-memory data structure store. The exploitation of these vulnerabilities can lead to severe security breaches, granting attackers unauthorized control over affected servers. Further details are available via the provided link. |
| 2026-05-07 | Supply Chain | Vendor Says Daemon Tools Supply Chain Attack Contained | Analysis of the Daemon Tools supply chain attack details how threat actors injected trojanized versions of Daemon Tools Lite (specifically version 12.5.1) released between April 8 and May 5 with code to collect information and deploy backdoors. Disc Soft has since contained the incident, removed compromised files, and released a clean version (12.6.0.2445), advising users to uninstall the affected software and scan their systems. |
| 2026-05-07 | RCE | Critical vm2 Vulnerabilities Enable Arbitrary Code Execution Attacks | The vm2 JavaScript sandbox library has critical vulnerabilities allowing arbitrary code execution. These flaws enable attackers to bypass sandbox restrictions and gain control of the host system. The specific nature of the vulnerabilities and their exploitability underscores the significant risk to systems relying on vm2 for sandboxing untrusted code. Users are strongly advised to update to the latest version to mitigate these severe security risks. |
| 2026-05-07 | RCE | PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage | Writeup of CVE-2026-0300, a critical buffer overflow in PAN-OS enabling root access, exploited by threat actors potentially as early as April 9, 2026. The vulnerability allows unauthenticated RCE via crafted packets, with successful exploitation observed by Unit 42, attributed to state-sponsored cluster CL-STA-1132. Post-exploitation involved AD enumeration and deployment of tools like EarthWorm and ReverseSocks5. Mitigation includes restricting portal access, disabling Response Pages, and enabling Threat ID 510019. |
| 2026-05-07 | RCE | 'TrustFall' Exposes Claude Code Execution Risk | 'TrustFall' Exposes Claude Code Execution Risk https://ift.tt/uApnWBD |
| 2026-05-07 | RCE | Hackers run code on PAN-OS firewalls as root without authentication: critical zero-day unveiled | A critical zero-day vulnerability has been discovered in Palo Alto Networks' PAN-OS firewalls. This flaw allows attackers to execute code as root without any authentication. The vulnerability, identified as CVE-2024-3400, impacts PAN-OS versions 10.1, 11.0, 11.1, and 11.2. While the content mentions a critical zero-day, it does not specify any bug bounty payout amount. |
| 2026-05-07 | Supply Chain | Gemini CLI Vulnerability Could Have Led to Code Execution Supply Chain Attack | Vulnerability analysis of Gemini CLI identified a critical flaw (CVSS 10/10) that could enable supply chain attacks. Exploiting indirect prompts in GitHub issues, attackers could bypass tool allowlists in `--yolo` mode, leading to arbitrary command execution. This allows for the extraction of secrets, gaining write access to repositories, and pushing malicious code to downstream users. The issue, affecting multiple Google repositories and also impacting headless mode via lax trust, was patched in Gemini CLI version 0.39.1. |
| 2026-05-07 | Supply Chain | Disc Soft confirms DAEMON Tools Lite supply chain attack exposed thousands of systems worldwide | Disc Soft has confirmed a supply chain attack targeting DAEMON Tools Lite, a popular disk imaging software. This attack, which exploited a vulnerability in the software's update mechanism, exposed thousands of systems globally. Attackers were able to distribute malware disguised as legitimate software updates. The exact number of affected users and the potential for further exploitation remain under investigation. No bug bounty payout amount was mentioned. |
| 2026-05-07 | RCE | Critical Redis Vulnerabilities Enable Remote Code Execution Attacks | This content discusses critical vulnerabilities in Redis that allow for remote code execution attacks. These flaws could be exploited to gain unauthorized control over systems running Redis. The article highlights the severity of these security weaknesses, emphasizing the potential for attackers to compromise sensitive data and infrastructure. Further details on the specific vulnerabilities and their impact can be found at the provided link. |
| 2026-05-07 | Fuzzing | AI-based fuzzing targets open-source LLM vulnerabilities | Library that utilizes AI-enhanced fuzzing to discover vulnerabilities in open-source projects. This technique has already identified 26 new vulnerabilities, including a critical flaw in OpenSSL, by generating sophisticated and varied test inputs that explore new execution paths and uncover edge cases missed by traditional methods. The library aims to improve code coverage, increase efficiency, and automate vulnerability discovery, though users must be aware of potential drawbacks like false positives and the need for careful validation of AI-generated code. |
| 2026-05-07 | RCE | Critical vm2 Node.js Library Vulnerabilities Enables Arbitrary Code Execution Attacks | Critical vulnerabilities in the vm2 Node.js library have been disclosed, allowing attackers to execute arbitrary code. These flaws enable sandbox escapes, meaning malicious actors can bypass security restrictions and gain control of systems running vulnerable versions of vm2. Users are strongly advised to update to the latest version to mitigate these risks. The article provides a link for further details on the specific vulnerabilities and their implications. |
| 2026-05-07 | RCE | Redis Security Flaws Expose Servers to Remote Code Execution Risks | Redis security flaws have been discovered that allow for remote code execution (RCE). These vulnerabilities enable attackers to bypass authentication and execute arbitrary commands on affected Redis servers. This could lead to significant data breaches and system compromises. Users are strongly advised to update their Redis installations to the latest patched versions to mitigate these risks. The severity of these flaws necessitates prompt action to protect sensitive data and infrastructure. |
| 2026-05-07 | RCE | Critical vm2 Node.js Library Flaws Enable Arbitrary Code Execution Attacks | Critical vulnerabilities have been discovered in the vm2 Node.js library, enabling attackers to execute arbitrary code. This means that malicious actors could potentially run their own code on systems using the vulnerable library. Further details and the implications of these security flaws can be found in the linked article. |
| 2026-05-07 | RCE | vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution | Writeup detailing critical vulnerabilities within the vm2 Node.js library, enabling sandbox escape and arbitrary code execution. These flaws, including CVE-2026-43997 and CVE-2026-44005, exploit mechanisms like `__lookupGetter__`, the `species` property of promises, the `inspect` function, `SuppressedError`, Symbol-to-string coercion, prototype pollution, and bypasses of the allowlist. The report highlights the ongoing challenge of secure code isolation in JavaScript environments and strongly advises updating to version 3.11.2. |
| 2026-05-07 | RCE | Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution | Writeup detailing CVE-2026-0300, a buffer overflow vulnerability in Palo Alto Networks PAN-OS's Captive Portal service, enabling unauthenticated remote code execution. Exploitation by state-sponsored actors involved injecting shellcode, deploying tools like EarthWorm and ReverseSocks5 for tunneling, and enumerating Active Directory using compromised credentials. The analysis highlights the attackers' operational restraint and reliance on open-source tools for stealthy compromise of edge network devices. |
| 2026-05-07 | API Security | Critical Argo CD Vulnerability Enables Kubernetes Secret Extraction | A critical vulnerability has been discovered in Argo CD, a popular continuous delivery tool for Kubernetes. This security flaw allows attackers to potentially extract sensitive Kubernetes secrets. The vulnerability, detailed in a recent security advisory, highlights a significant risk for organizations using Argo CD. The exact payout for reporting this bug has not been publicly disclosed. |
| 2026-05-06 | RCE | Palo Alto Networks warns of critical PAN-OS vulnerability exploited in the wild | Writeup on CVE-2026-0300, a critical PAN-OS buffer overflow vulnerability allowing unauthenticated remote code execution with root privileges. Exploited against exposed User-ID Authentication Portals on PA-Series and VM-Series firewalls, this flaw affects PAN-OS versions 12.1, 11.2, 11.1, and 10.2. Mitigation involves restricting access to the User-ID Authentication Portal or disabling it until patches are released. |
| 2026-05-06 | Supply Chain | DAEMON Tools installers compromised in new supply chain attack | Library for analyzing supply chain attacks, this entry details a compromise of DAEMON Tools installers. Attackers trojanized DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe, distributing malicious payloads signed with valid certificates. The implant communicates with env-check.daemontools[.]cc to download and execute further payloads like envchk.exe and cdg.exe, enabling a minimalist backdoor for remote command execution. The attack, active since April 8, 2026, targeted organizations in Russia, Belarus, and Thailand, with QUIC RAT observed against a Russian educational institution. |
| 2026-05-06 | Supply Chain | Remember DAEMON Tools? It Was Hacked to Serve Windows Malware | Writeup on the DAEMON Tools supply chain attack, detailing how a hacker compromised versions 12.5.0.2421 through 12.5.0.2434 distributed from daemon-tools.cc. The attack involved injecting backdoors into installers, impacting thousands of users globally across various sectors, including retail, scientific, and government organizations, with evidence pointing to a Chinese-speaking threat actor. |
| 2026-05-06 | RCE | Google patches critical Android remote code execution flaw | Patch addresses CVE-2026-0073, a critical Android remote code execution vulnerability affecting the Android Debug Bridge daemon (adbd). Exploiting this flaw allows attackers to execute code as the shell user without requiring permissions or user interaction, potentially leading to device compromise. This update follows the patching of CVE-2026-21385, a Qualcomm component vulnerability in the Graphics component that was actively exploited for sensitive memory data exposure, emphasizing the ongoing need for Android security updates. |
| 2026-05-06 | OSINT | Best OSINT Tools for Investigations and Threat Intelligence in 2026 | Library for OSINT investigations, offering tools like Maltego for relationship mapping, ShadowDragon for social media analysis, VenariX for cyber threat monitoring and ransomware tracking, Arrests.org for public records, Telegago for Telegram monitoring, Shodan for internet-connected device discovery, OSINT Framework for tool discovery, and SpiderFoot for automated data collection. |
| 2026-05-06 | RCE | Critical Palo Alto PAN-OS Vulnerability Actively Exploited For Remote Code Execution (RCE) | A critical vulnerability in Palo Alto Networks' PAN-OS is being actively exploited, allowing for remote code execution (RCE). This means attackers can potentially take control of affected devices. Details of the vulnerability and potential mitigation strategies are available via the provided link. No specific bounty payout amount is mentioned in the content. |
| 2026-05-06 | API Security | Major AI platform Ollama critically leaking: 300000 servers exposed to hackers | Ollama, a popular AI platform, is critically vulnerable, exposing approximately 300,000 servers to potential hacking. This significant security lapse could allow unauthorized access to sensitive data and systems running on these servers. The extent of the breach and the specific nature of the leak are still under investigation, but the large number of affected servers highlights a major security concern within the AI infrastructure. Further details on remediation and the exact impact are expected as the situation develops. |
| 2026-05-06 | XXE | CISA flags data-theft bug in NSA-built OT networking tool | Tool: CISA alert highlights a data-theft vulnerability in an NSA-developed operational technology networking tool. The advisory flags a critical flaw impacting the secure management of industrial control systems. |
| 2026-05-06 | RCE | CVE-2026-0300 Buffer Overflow Vulnerability in PAN-OS | Writeup of CVE-2026-0300, a critical buffer overflow vulnerability affecting PAN-OS's User-ID Authentication Portal. This CWE-787 Out-of-bounds Write allows unauthenticated attackers to achieve arbitrary code execution with root privileges over the network via specially crafted packets. Exploitation is feasible with low complexity, requiring no user interaction, and has been observed in the wild, posing a significant risk to PA-Series and VM-Series firewalls with the User-ID portal enabled. |
| 2026-05-06 | RCE | New MajorDoMo RCE Vulnerability Exposes Servers to Code Execution Attacks | A critical Remote Code Execution (RCE) vulnerability has been discovered in MajorDoMo, a popular home automation system. This flaw allows attackers to execute arbitrary code on vulnerable servers, potentially leading to complete system compromise. The vulnerability's exploitability and the wide adoption of MajorDoMo present a significant risk to users. While the specific impact and technical details are still emerging, the discovery highlights the need for immediate attention and patching by MajorDoMo users to protect their systems from malicious actors. |
| 2026-05-06 | API Security | Argo CD's ServerSideDiff Vulnerability Enables Kubernetes Secret Extraction | Argo CD's ServerSideDiff vulnerability allows attackers to extract sensitive Kubernetes secrets. This flaw enables the unauthorized disclosure of confidential information stored within the cluster. The vulnerability arises from how Argo CD handles diffing operations on the server side, creating an exploitable condition. This discovery highlights a significant security risk for users of Argo CD and emphasizes the need for prompt patching and security audits. |
| 2026-05-06 | RCE | WARNING: Critical Flaw In Apache HTTP Server Enables DoS & Remote Code Execution (RCE) Attacks | A critical vulnerability has been discovered in the Apache HTTP Server, potentially allowing attackers to launch Denial of Service (DoS) and Remote Code Execution (RCE) attacks. This flaw poses a significant security risk, enabling unauthorized control and disruption of services hosted on affected servers. Users are strongly advised to update their Apache HTTP Server installations to the latest patched version to mitigate these risks. No specific payout amount for reporting this bug was mentioned. |
| 2026-05-06 | Supply Chain | Invisible Supply Chain Attack Risks and Trusted Access | Invisible supply chain attacks pose significant risks, often exploiting trusted relationships between software components. These attacks can be difficult to detect as they don't necessarily involve direct system compromises but rather subtle manipulations within the development or distribution pipeline. Establishing and maintaining trusted access controls is crucial to mitigate these threats. This involves rigorous verification of software sources, secure coding practices, and robust monitoring throughout the supply chain. The article likely details strategies for identifying and defending against these insidious threats by focusing on the integrity and trustworthiness of every link in the software supply chain. |
| 2026-05-06 | Supply Chain | Malware Brief: Air gaps breached CPUs hijacked and supplychain chaos | Analysis of APT37's Ruby Jumper, FAUX#ELEVATE cryptominer, and CanisterWorm supply-chain malware reveals attackers targeting air-gapped systems via removable media and cloud services, distributing illicit Monero miners through weaponized résumés, and automating propagation across open-source packages and CI/CD pipelines. These threats exploit assumed trust in isolation models, business workflows, and software supply chains, reducing defender reaction time and increasing blast radius. |
| 2026-05-06 | Supply Chain | Critical DAEMON Tools Supply Chain Attack: Malware-Compromised Windows Installers Threaten Organizations and Home Users (Versions 12.5.0.2421-12.5.0.2434) | Writeup detailing a critical supply chain attack on DAEMON Tools Windows installers (versions 12.5.0.2421-12.5.0.2434), which distributed malware via trojanized executables signed with a legitimate AVB Disc Soft certificate. The malware, including an info-gatherer, backdoor, and QUIC RAT, exfiltrates system data and deploys advanced implants to targeted organizations and home users, leveraging MITRE ATT&CK techniques like T1195.002 (Supply Chain Compromise) and T1553.002 (Code Signing). |
| 2026-05-06 | RCE | Critical Buffer Overflow Vulnerability in PAN-OS Exploited in-the-Wild | Writeup of CVE-2026-0300, a critical buffer overflow in Palo Alto Networks PAN-OS, allowing unauthenticated attackers remote code execution with root privileges. The vulnerability targets the User-ID Authentication Portal service, particularly when exposed to untrusted networks or the public internet. Exploitation risk is high for instances accessible externally via ports 6081 or 6082. Immediate patching, access restriction, or disabling the portal are recommended mitigation steps. |
| 2026-05-06 | Supply Chain | Video game supply chain attack Bleeding Llama US gets early LLM access | |
| 2026-05-06 | RCE | WhatsApp Multiple Vulnerabilities | Bulletin detailing multiple vulnerabilities in WhatsApp clients (iOS, Android, Windows) allowing remote attackers to bypass security restrictions and perform spoofing. Affected versions include specific ranges prior to recent updates on each platform. Users are advised to update to the latest available versions for iOS v2.26.15.72+, Android v2.26.7.10+, and Windows v2.3000.1032164386.258709 or later. |
| 2026-05-06 | Supply Chain | Attackers compromised Daemon Tools software to deliver backdoors | Analysis of a supply chain attack where attackers compromised Daemon Tools, a popular Windows utility, to deliver backdoors. Signed, trojanized installers served from the official website (versions 12.5.0.2421-12.5.0.2434) downloaded a .NET information collector. This collector gathered system details for targeted deployment of payloads like a minimalistic backdoor and QUIC RAT, capable of injecting into legitimate processes. The attack leveraged legitimate digital certificates, making malicious binaries appear trustworthy. |
| 2026-05-06 | Supply Chain | Hackers compromise Daemon Tools in global supply-chain attack researchers say | Library installers for Daemon Tools were compromised in a global supply-chain attack, impacting users in over 100 countries. Attackers embedded backdoors, including Quic RAT, into versions 12.5.0.2421 through 12.5.0.2434 of the free Daemon Tools Lite, observed since early April. The campaign appears targeted, with initial data collectors deployed broadly and more advanced payloads reserved for specific organizations. Disc Soft has addressed the issue, recommending users update to the latest version. |
| 2026-05-06 | Supply Chain | Daemon Tools Hit by Suspected Chinese Supply Chain Attack Kaspersky Says | Kaspersky reports that Daemon Tools, a popular file management software, has been targeted in a suspected Chinese supply chain attack. The attackers reportedly injected malicious code into the software's update mechanism, allowing them to gain access to user systems. Further details on the scope of the compromise and any specific payout amounts were not provided in this content. |
| 2026-05-06 | AuthZ | Zero-Auth Flaw Exposes DoD Contractor to Cross-Tenant Data Access | A critical zero-authentication flaw in a contractor's system has exposed the Department of Defense (DoD) to cross-tenant data access risks. This vulnerability allowed unauthorized access to sensitive information without any credentials. The specific details and the contractor involved were not disclosed. This breach highlights significant security concerns for government contractors and the sensitive data they handle. |
| 2026-05-06 | Supply Chain | Sophisticated Quasar Linux RAT Campaign Targets Software Developers in Supply Chain Attacks | Analysis of the Quasar Linux RAT (QLNX) campaign targeting software developers via supply chain attacks. This sophisticated Linux-based malware aims to steal credentials, maintain remote access, and facilitate large-scale supply chain compromises. The campaign is linked to trojanized software installers, including compromised Daemon Tools, distributing backdoors globally. Attackers use staged deployment, selectively targeting high-value organizations after initial broad infection, with potential cyberespionage motives. Compromising developer environments grants access to source code, signing keys, and CI/CD pipelines, enabling downstream attacks. |
| 2026-05-06 | Supply Chain | QLNX Threat Actors Steal Developer Credentials For Supply Chain Attacks | QLNX threat actors are targeting software developers to steal their credentials. The objective is to gain access to code repositories and potentially inject malicious code into the software supply chain. This allows them to compromise downstream users and organizations that integrate the affected software. The attackers aim to conduct sophisticated supply chain attacks by leveraging compromised developer accounts. |
| 2026-05-06 | RCE | Apache fixes critical HTTP/2 double-free flaw CVE-2026-23918 enabling RCE | Library fixing CVE-2026-23918, a critical HTTP/2 double-free vulnerability in Apache HTTP Server 2.4.66. This flaw, discovered by Bartlomiej Dmitruk and Stanislaw Strzalkowski, can cause memory corruption leading to denial of service and, under specific configurations like mmap usage, potential remote code execution. The issue resides within mod_http2 and is resolved in version 2.4.67. |
| 2026-05-06 | Supply Chain | Sophisticated Quasar Linux RAT Targets Software Developers | Analysis of Quasar Linux (QLNX), a sophisticated backdoor targeting software developers. QLNX employs a modular architecture with rootkit capabilities, detection evasion, and multiple persistence methods including crontab, desktop entries, init scripts, service files, and shell lines. It focuses on stealing developer credentials for AWS, Kubernetes, Docker Hub, Git, NPM, and PyPI, enabling attackers to compromise publishing pipelines and pivot to cloud environments. The RAT uses a PAM backdoor and an eBPF rootkit to conceal its presence at both userspace and kernel levels, while supporting 58 commands for comprehensive system control and information harvesting. |
| 2026-05-06 | RCE | Palo Alto Networks warns of firewall RCE zero-day exploited in attacks | Writeup of CVE-2026-0300, a critical PAN-OS zero-day exploited in attacks. This buffer overflow vulnerability affects the User-ID Authentication Portal on Internet-exposed PA-Series and VM-Series firewalls, allowing unauthenticated attackers to achieve root-level remote code execution. Palo Alto Networks recommends restricting access to trusted zones or disabling the portal until a patch is released, with initial fixes expected May 13, 2026. |
| 2026-05-06 | Secrets | Secrets security: The why the how and what to do about it | Report detailing the epidemic of secrets exposed in software repositories, explaining how attackers exploit exposed environment variables, tokens, and keys on platforms like PyPI, npm, and GitHub, and offering guidance on mitigation strategies. It highlights the speed at which attackers find these secrets, often within seconds, and the long discovery times for security teams, referencing examples of exposed AWS credentials and discussions of defense-in-depth approaches to software supply chain security. |
| 2026-05-06 | Supply Chain | DAEMON TOOLS supply chain attack ongoing since April thousands affected | Library containing information on the DAEMON Tools supply chain attack, which began in April 2026. Attackers compromised legitimate installers and signed binaries with valid certificates, embedding backdoors into components like DTHelper.exe and DiscSoftBusServiceLite.exe. The campaign delivered information-stealing payloads, and in some cases, advanced implants like QUIC RAT, targeting government, manufacturing, scientific research, and retail sectors across over 100 countries. Kaspersky detects malicious activity including suspicious PowerShell downloads and code injection. |
| 2026-05-06 | Supply Chain | Android Apps Get Public Verification System to Stop Supply Chain Attacks | Android is launching a new public verification system to combat supply chain attacks targeting apps. This system will allow developers to publicly attest to the integrity of their app's source code, build environment, and signing keys. By making this information publicly verifiable, Android aims to increase transparency and trust in the app development process, making it harder for malicious actors to inject compromised code into legitimate applications. This initiative seeks to bolster the security of the Android app ecosystem. |
| 2026-05-06 | Supply Chain | Government Scientific Entities Hit via Daemon Tools Supply Chain Attack | Library containing injected code in Daemon Tools versions 12.5.0.2421 through 12.5.0.2434 has been identified as part of a supply chain attack affecting government, scientific, and other organizations. The compromised binaries, including DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe, activate a backdoor that fetches and executes payloads, with targeted deployments of information collectors and the QUIC RAT observed. |
| 2026-05-06 | RCE | Palo Alto Networks PAN-OS flaw exploited for remote code execution | Writeup of CVE-2026-0300, a critical PAN-OS buffer overflow allowing unauthenticated remote code execution with root privileges. This vulnerability affects PA-Series and VM-Series firewalls using the User-ID Authentication Portal when exposed to the internet. Palo Alto Networks advises restricting access to trusted internal IP addresses to mitigate risk, noting limited exploitation observed primarily on internet-facing portals. Fixes are expected by May 13, 2026. |
| 2026-05-06 | RCE | Critical Android vulnerability CVE-2026-0073 fixed by Google | Analysis of CVE-2026-0073, a critical remote code execution vulnerability in Android's System component affecting the adbd daemon. Exploitation, which requires no user interaction or special permissions, could lead to shell user code execution and full device compromise. Google has released a patch, and no public exploits or active attacks exploiting this specific flaw are currently known. This follows a previously exploited Qualcomm component vulnerability (CVE-2026-21385) involving a buffer over-read in the Graphics component. |
| 2026-05-06 | RCE | SUSE Linux Kernel Multiple Vulnerabilities | Vulnerabilities impacting SUSE Linux Kernel allow remote attackers to achieve denial of service, remote code execution, security bypass, privilege escalation, data manipulation, and information disclosure. Affected systems include SUSE Linux Enterprise High Performance Computing 12 SP5, SUSE Linux Enterprise Live Patching 12-SP5, and various SUSE Linux Enterprise Server 12 SP5 variants. Specific CVEs include CVE-2024-26584, CVE-2025-38234, CVE-2025-39759, CVE-2025-71268, CVE-2025-71269, CVE-2026-22990, CVE-2026-23103, CVE-2026-23120, CVE-2026-23243, CVE-2026-23262, CVE-2026-23272, CVE-2026-23277, CVE-2026-23318, CVE-2026-23362, CVE-2026-23382, CVE-2026-23386, and CVE-2026-23398. |
| 2026-05-06 | SSRF | Nitin Gavhane: SSRF and Business Logic flaws create high severity attack chains. Map workflows deeply and test actions that should never be possible. Parallel requests often reveal hidden race conditions. #BugBounty #SSRF #BusinessLogic #WebSecurity | Nitin Gavhane highlights how Server-Side Request Forgery (SSRF) and business logic vulnerabilities can be chained together to create high-severity attack chains. He advises bug bounty hunters to deeply map application workflows and specifically test actions that should be impossible. Gavhane also notes that using parallel requests can uncover hidden race conditions, a crucial technique for web security testing. |
| 2026-05-06 | Supply Chain | Kaspersky Links Suspected Chinese Hackers to Backdoor Planted in Daemon Tools Supply Chain Attack | Analysis of a Daemon Tools supply chain attack, attributed to a Chinese-speaking threat actor, where malicious backdoors were implanted in official installers via compromised digital certificates. This sophisticated operation, affecting versions 12.5.0.2421 onward since April 8, 2026, leveraged Daemon Tools' elevated permissions to establish deep system persistence and deploy remote-control malware, resulting in thousands of global infection attempts targeting various sectors including government and industrial operations. |
| 2026-05-06 | Supply Chain | Extremely targeted supply chain attack hits DAEMON Tools | Library for detecting and analyzing supply chain attacks, exemplified by the compromise of DAEMON Tools installers, which included a backdoor and a second-stage QUIC RAT payload. This incident, similar to past attacks on Notepad++ and CCleaner, highlights the targeting of high-value systems by Chinese-speaking threat actors for espionage. The library helps in identifying system data collection, remote server uploads, and targeted second-stage payload deployment. |
| 2026-05-06 | RCE | Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution | Analysis of CVE-2026-0300, a critical buffer overflow vulnerability in Palo Alto Networks' PAN-OS software that allows unauthenticated remote code execution with root privileges. This flaw impacts PA-Series and VM-Series firewalls, particularly those with the User-ID Authentication Portal accessible from untrusted networks. While patches are forthcoming, interim mitigations include restricting portal access or disabling it entirely. |
| 2026-05-06 | RCE | n8n: From Parsing Bug to Remote Code Execution aka CVE-2026-42231 | Library analyzing n8n's CVE-2026-42231, detailing how a prototype pollution vulnerability within the xml2js XML parsing library, exacerbated by CoffeeScript semantic quirks, can be chained to achieve unauthenticated Remote Code Execution. The exploit path leverages a specific gadget in `@n8n/node-cli` that mimics older, exploitable `spawn` behavior, allowing controlled properties to propagate into the execution context for RCE. |
| 2026-05-06 | Supply Chain | North Korean hackers trojanize gaming platform to spy on ethnic Koreans in China | Analysis of ScarCruft's supply chain attack targeting ethnic Koreans in China. North Korean threat actors trojanized the sqgame gaming platform, distributing backdoored Windows and Android software. The Windows variant utilized a patched mono.dll to deliver the RokRAT backdoor and BirdCall implant, while Android versions repackaged games with malicious code to exfiltrate data, targeting HWP files specifically. C2 communication leveraged Zoho WorkDrive accounts. |
| 2026-05-06 | RCE | Critical Remote Code Execution Vulnerability Patched in Android | Library for analyzing Android security, detailing CVE-2026-0073, a critical remote code execution vulnerability in the System component affecting the Android Debug Bridge daemon. This flaw allows code execution as the shell user without interaction. Google confirmed no exploitation has been observed. |
| 2026-05-06 | Supply Chain | Supply-Chain Attacks in an Era of Automation and Implicit Trust | Library detailing software supply-chain attacks in 2026, focusing on how attackers abuse trusted automation and identity. It examines incidents like the Axios compromise and Trivy campaign, where compromised package maintainers and CI/CD automation led to widespread malicious dependencies and credential exfiltration. The resource also highlights the exploitation of legacy management systems, such as Quest KACE using CVE-2025-32975, emphasizing how attackers leverage inherent trust in these tools to gain entry. |
| 2026-05-05 | Python | Bootstrap script exposes PyPI to domain takeover attacks | Library detailing a domain takeover vulnerability in legacy Python package bootstrap scripts. The vulnerability, discovered by ReversingLabs, affects numerous packages including tornado and slapos.core, by exploiting the now-available python-distribute[.]org domain. This could allow attackers to execute arbitrary code when developers run affected bootstrap scripts, potentially impacting software supply chain security. |
| 2026-05-05 | Supply Chain | Progress Software warns of critical MOVEit Automation vulnerability | Advisory regarding CVE-2026-4670, a critical authentication bypass vulnerability in Progress Software's MOVEit Automation, enabling unauthenticated remote access. The alert also addresses CVE-2026-5174, a high-severity privilege escalation flaw. Over 1,400 instances are exposed online, with potential impact on government agencies. While no exploitation is reported yet, previous MOVEit vulnerabilities have been widely exploited by groups like Clop. |
| 2026-05-05 | RCE | Hackers exploit critical Weaver E-cology vulnerability | Writeup of CVE-2026-22679 in Weaver E-cology, a critical unauthenticated remote code execution vulnerability. Hackers have been exploiting this flaw since mid-March, five days after a patch was released, by leveraging an exposed debug API endpoint. This allowed attackers to reach backend RPC functionality, enabling system command execution through obfuscated PowerShell scripts for reconnaissance, though persistent sessions were not established. Weaver E-cology 10.0 users must apply vendor security updates. |
| 2026-05-05 | AI | Supply-chain attacks take aim at your AI coding agents | Library for identifying and mitigating AI coding agent supply-chain risks, including techniques like "slopsquatting" and LLM Optimization abuse used in the PromptMink campaign by North Korean APT group Famous Chollima. It details malicious packages targeting AI agents on registries like NPM and PyPI, featuring persuasive descriptions, legitimate functionality lures, and the use of compiled payloads and obfuscation for evasion. The library addresses how AI agents can be manipulated into installing malicious dependencies, as observed with hallucinated package names and overly convincing documentation designed to influence LLM recommendations. |
| 2026-05-05 | Supply Chain | DAEMON Tools Breach Used to Spread Malware in Supply Chain Attack | A supply chain attack exploited a breach in DAEMON Tools, a popular disk imaging software. Threat actors injected malware into legitimate DAEMON Tools updates, distributing it to its user base. This allowed them to gain a foothold on compromised systems, potentially for further malicious activities such as stealing sensitive data or launching additional attacks. The exact payout amount is not specified in the provided content. |
| 2026-05-05 | Secrets | Secrets leaks increase and expand beyond the codebase | Library for detecting secrets leaks, focusing on increased risks beyond codebases in collaboration and project management tools like Slack, Jira, and Confluence. It highlights that secrets found in these platforms are often more critical and harder to detect than those in source code, as these tools typically lack integrated scanning capabilities. The library aims to address this gap by providing solutions for monitoring these unstructured data streams, acknowledging that traditional scanning methods optimized for code repositories are insufficient. |
| 2026-05-05 | Supply Chain | Widely used Daemon Tools disk app backdoored in monthlong supply-chain attack | Writeup on the Daemon Tools supply-chain attack, detailing a monthlong compromise where malicious updates signed with official certificates infected versions 12.5.0.2421 through 12.5.0.2434. The malware, discovered by Kaspersky, exfiltrates system information and delivers follow-on payloads to select targets. This incident mirrors previous supply-chain attacks like CCleaner (2017), SolarWinds (2020), and 3CX (2023), highlighting the difficulty in defending against sophisticated, officially distributed compromises. |
| 2026-05-05 | Supply Chain | Kaspersky suspects Chinese hackers planted a backdoor into Daemon Tools in 'widespread' attack | Writeup on a widespread supply chain attack where Chinese-linked hackers planted a backdoor in Daemon Tools, targeting thousands of Windows computers. This backdoor allowed the attackers to deploy additional malware on systems in the retail, scientific, manufacturing, and government sectors in Russia, Belarus, and Thailand. The attack, detected April 8th, remains active and highlights the growing trend of compromising popular software to distribute malicious code. |
| 2026-05-05 | RCE | Critical 9.8 Weaver E-cology vulnerability actively exploited | Library for securing business process management applications, focusing on the critical 9.8 Weaver E-cology vulnerability (CVE-2026-22679). This bug, actively exploited in the wild, allows for unauthenticated remote code execution (RCE) by invoking an exposed debug functionality within the Dubbo-based debug API. The exploitation highlights a shift from perimeter attacks to targeting the "soft center" of enterprise systems, such as OA and BPM platforms, which serve as the "nervous system" of an organization. A patch for Weaver E-cology 10.0 was released in March. |
| 2026-05-05 | Supply Chain | DAEMON Tools trojanized in supply-chain attack to deploy backdoor | Writeup detailing a supply-chain attack that trojanized DAEMON Tools installers, versions 12.5.0.2421 through 12.5.0.2434, delivering a backdoor to thousands of systems globally since April 8. The attack compromised DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe, leading to initial infections and targeted deployments of a lightweight backdoor and, in one instance, the QUIC RAT, to high-value targets in retail, scientific, government, and manufacturing sectors across Russia, Belarus, and Thailand. |
| 2026-05-05 | Supply Chain | Quasar Linux (QLNX) A Silent Foothold in the Supply Chain: Inside a Full-Featured Linux RAT With Rootkit PAM Backdoor Credential Harvesting Capabilities | Library for analyzing Quasar Linux (QLNX), a sophisticated Linux RAT with low detection rates, featuring a rootkit, PAM backdoor, and credential harvesting capabilities. QLNX targets developers and DevOps credentials in the software supply chain, extracting secrets from files like .npmrc, .pypirc, and .aws/credentials. It uses dynamic compilation of PAM modules and LD_PRELOAD rootkits, and employs P2P mesh networking for resilience, making eradication difficult. |
| 2026-05-05 | Supply Chain | New ScarCruft Supply Chain Attack Hits Gaming Platform With Windows and Android Backdoors | ScarCruft, a sophisticated threat group, has launched a new supply chain attack targeting a gaming platform. This attack delivers backdoors for both Windows and Android devices. The attackers exploit vulnerabilities to compromise the platform and subsequently infect its users. The specific gaming platform and the extent of the compromise are not detailed in the provided title and link. This incident highlights the ongoing threat of supply chain attacks and the need for robust security measures in the gaming industry. |
| 2026-05-05 | Supply Chain | A rigged game: ScarCruft compromises gaming platform in a supply-chain attack | Library by ESET researchers detailing a ScarCruft supply-chain attack targeting a gaming platform used by ethnic Koreans in China. The Windows client was compromised via a trojanized update containing the RokRAT backdoor, which deployed the BirdCall backdoor. Android games on the platform were also trojanized with an Android version of BirdCall, a new tool for ScarCruft, capable of espionage including data exfiltration, screenshots, and audio recording. |
| 2026-05-05 | RCE | Google Update: Android Flaw Could Put Billions of Devices at Risk | Google has addressed a critical vulnerability in Android that could have affected billions of devices. The flaw, detailed in a recent update, potentially exposed users to significant security risks. While the specific nature of the exploit and its full impact remain underspecified in the provided content, Google's swift patching mitigates the threat. The article highlights Google's ongoing efforts to secure the Android ecosystem. No bounty payout amount is mentioned. |
| 2026-05-05 | RCE | Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE | Writeup of CVE-2026-23918, a critical double-free vulnerability in Apache HTTP Server's HTTP/2 protocol handling that enables denial-of-service and potential remote code execution. Discovered by Bartlomiej Dmitruk and Stanislaw Strzalkowski, the flaw in `mod_http2`'s `h2_mplx.c` allows an attacker to trigger an RCE by exploiting memory reuse with the APR mmap allocator and Apache's scoreboard. Exploitation, while requiring an info leak for system() and scoreboard offsets, is practical on Debian-derived systems and the official httpd Docker image. |
| 2026-05-05 | RCE | Critical Weaver E-cology RCE Vulnerability Actively Exploited in Attacks | Critical Weaver E-cology RCE Vulnerability Actively Exploited in Attacks https://ift.tt/HivswZq |
| 2026-05-05 | RCE | Critical Qualcomm Chipset Vulnerabilities Enables Remote Code Execution | Researchers have discovered critical vulnerabilities in Qualcomm chipsets that could allow remote code execution. These flaws, detailed in a linked article, pose a significant security risk, potentially enabling attackers to compromise devices without user interaction. The implications are broad, affecting a wide range of Android devices utilizing these chipsets. The specific impact and exploitability of these vulnerabilities are still being assessed, but the potential for widespread compromise is high. No bug bounty payout amount is mentioned. |
| 2026-05-05 | Supply Chain | Supply chain attacks now make the budget case CISOs never could | Perspective on supply chain attacks illustrating the budget case for application security. The piece highlights TeamPCP's exploitation of tools like Trivy, Checkmarx, and the LiteLLM library, leading to significant breaches impacting over 23,000 repositories and a $1.4 billion hack. It emphasizes the costly consequences of compromised pipelines, where attackers operate with internal permissions, and suggests mitigation strategies such as runtime monitoring, short-lived credential management, and integrity verification. |
| 2026-05-05 | Supply Chain | DAEMON Tools Supply Chain Attack Compromises Official Installers with Malware | DAEMON Tools, a popular disk imaging software, has been targeted in a supply chain attack. Malicious code was injected into official DAEMON Tools installers distributed via the company's website. This malware infected users' systems upon installation, posing a significant security risk. The extent of the compromise and the specific type of malware used are still under investigation. |
| 2026-05-05 | RCE | Android Zero-Click RCE Vulnerability Enables Remote Shell Access | Reference for CVE-2026-0073, a proximal zero-click RCE vulnerability in Android's Debug Bridge daemon (adbd). This flaw, affecting multiple Android versions, allows attackers on the same local network or within physical proximity to gain remote shell access without user interaction, bypassing application sandboxing. Mitigation requires timely patching, disabling USB debugging, network segmentation, and implementing zero-trust policies. |
| 2026-05-05 | Supply Chain | Kaspersky identifies ongoing supply chain attack on official Daemon Tools website distributing backdoor malware | Analysis of a supply chain attack targeting Daemon Tools, which distributed backdoor malware via compromised installers disguised with valid digital certificates. The attack, affecting versions 12.5.0.2421 and later, granted threat actors arbitrary command execution and remote control capabilities by leveraging the software's elevated system privileges. Some targeted organizations also saw manual deployment of additional payloads like shellcode injectors and unknown RATs, with Chinese-language artifacts observed. |
| 2026-05-05 | RCE | Unpatched flaws turn Ollama's auto-updater into a persistent RCE vector, researchers say | Writeup of CVE-2026-42248 and CVE-2026-42249, which allow persistent RCE on Ollama for Windows by chaining a path traversal flaw with a non-functional signature verification. Attackers can plant arbitrary executables in the Windows Startup folder by controlling update responses, leading to silent execution on every login. Exploitation requires controlling update infrastructure, redirecting clients, or network interception. The other prerequisites, the auto-update feature being enabled and Ollama being in the Startup folder, are both defaults. |
| 2026-05-05 | Supply Chain | DAEMON Tools Software Hacked to Deliver Malware in a Supply Chain Attack | This article reports a supply chain attack where DAEMON Tools software was compromised to distribute malware. Attackers injected malicious code into the software's update mechanism, potentially affecting users who downloaded or updated DAEMON Tools. This highlights the vulnerability of software supply chains and the importance of robust security measures to prevent malicious actors from compromising legitimate software distribution channels and distributing malware to unsuspecting users. |
| 2026-05-05 | RCE | Security Audit Finds RCE Risks in 6.2% of MCP Servers | A recent security audit revealed that 6.2% of Managed Cloud Platform (MCP) servers are vulnerable to Remote Code Execution (RCE) risks. The audit, which focused on identifying exploitable weaknesses, discovered these critical flaws present in a significant portion of the analyzed servers. The specific details of the vulnerabilities and the affected MCP server versions were not disclosed in this brief announcement. No bug bounty payout amounts were mentioned in the provided content. |
| 2026-05-05 | RCE | Google Confirms Critical Android 0-Click Vulnerability: Update Now | Google has confirmed a critical 0-click vulnerability affecting Android devices, urging users to update immediately. This exploit allows attackers to compromise devices without any user interaction. While the article highlights the severity and the need for an update, it does not mention any specific bug bounty payout amount. Users should prioritize applying the latest security patches to protect their devices. |
| 2026-05-05 | RCE | Critical Apache Bug Enables Remote Code Execution Risk | Vulnerability writeup detailing CVE-2026-23918, a critical double-free memory corruption flaw in Apache HTTP Server version 2.4.66 that enables Remote Code Execution via HTTP/2 handling issues. The article also covers the moderate-severity vulnerabilities CVE-2026-24072, CVE-2026-28780, CVE-2026-29168, and CVE-2026-29169, patched in version 2.4.67. |
| 2026-05-05 | RCE | Linux vulnerability "Copy Fail" is already being attacked | Writeup of CVE-2026-31431, a Linux vulnerability nicknamed "Copy Fail." This vulnerability allows local users to gain root privileges by performing a controlled 4-byte write to the page cache of any readable file system. Proof-of-concept exploit code is available, and attackers are actively misusing it. The vulnerability was discovered with AI assistance and affects most major Linux distributions since 2017. Updates are available. |
| 2026-05-05 | RCE | Critical Android Zero-Click Vulnerability Grants Attackers Remote Shell Access | A critical Android zero-click vulnerability has been discovered, allowing attackers to gain remote shell access to devices without any user interaction. This means compromised devices can be controlled remotely, potentially leading to data theft, surveillance, or further malware deployment. The severity of this exploit highlights significant security risks for Android users. Further details on the specific vulnerability and its impact are available via the provided link. |
| 2026-05-05 | Supply Chain | Supply chain attack via DAEMON Tools | Writeup detailing a supply chain attack via DAEMON Tools, where attackers injected malicious code into installers for versions 12.5.0.2421 through 12.5.0.2434, specifically compromising DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. This compromise led to the deployment of information gatherers, a backdoor, and the QUIC RAT implant, targeting thousands of users globally since April 8, 2026. |
| 2026-05-05 | Supply Chain | 8.3M Downloads Compromised: Lightning & Intercom-Client Infected in Latest Shai-Hulud Attack | Library update: The Python package `Lightning` (versions 2.6.2, 2.6.3) and the NPM package `intercom-client` (version 7.0.4) have been compromised by a Shai-Hulud supply chain attack, stealing credentials and API keys. Affected users should rotate keys, enable 2FA, and revert `Lightning` to version 2.6.1 or lower. The malware, a Node/Bun tool, collects secrets from the environment and exfiltrates them to an obfuscated host, while also using compromised npm tokens to download, patch, and republish trojanized packages. Over 1,800 repositories with stolen developer credentials were identified on GitHub. |
| 2026-05-05 | RCE | Critical Weaver E-cology RCE Flaw Actively Exploited by Attackers | A critical Remote Code Execution (RCE) vulnerability in Weaver E-cology is being actively exploited by attackers. The flaw allows unauthorized code execution, posing a significant security risk. While the content highlights the active exploitation and critical nature of the vulnerability, it does not mention any specific bug bounty payout amounts. Organizations using Weaver E-cology should prioritize patching this vulnerability to prevent further compromise. |
| 2026-05-05 | RCE | Critical Weaver E-cology RCE Exploit Raises Alarm for Enterprise Systems | A critical Remote Code Execution (RCE) vulnerability has been discovered in Weaver E-cology, a widely used enterprise collaboration platform. This flaw allows attackers to potentially gain unauthorized access and control over sensitive systems. The exploit poses a significant security risk for organizations relying on Weaver E-cology, necessitating urgent patching and security updates to prevent potential breaches and data compromise. Further details on the technical aspects and impact can be found at the provided link. |