rescana.com

14 curated AppSec resources from rescana.com across 7 topics on appsec.fyi.

Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-05-10.

| Date Added | Resource | Topic | Excerpt |
| --- | --- | --- | --- |
| 2026-05-10 | Supply Chain Attack: Fake OpenAI Repository on Hugging Face Distributes Infostealer Malware Targeting Developers and AI Tools | Supply Chain | Library of techniques detailing a supply chain attack involving a fake OpenAI repository on Hugging Face that distributed an infostealer malware. The malware targeted developers by exfiltrating credentials, session tokens, and cryptocurrency wallets from Chromium and Gecko browsers, Discord tokens, and local files. The attack leveraged typosquatting, social engineering, and evasion tactics like disabling SSL verification and checking for VMs, mapping to MITRE ATT&CK techniques such as T1566 (Phishing) and T1555 (Credentials from Password Stores). |
| 2026-05-10 | JDownloader Website Supply Chain Attack: Installers Replaced with Python RAT Malware (May 2026) | Python | Writeup of the JDownloader website supply chain attack (May 2026), detailing how an unpatched CMS vulnerability allowed attackers to replace Windows and Linux installers with a Python RAT and ELF binaries respectively. The attack, active for approximately 24 hours, utilized obfuscation and persistence techniques, including SUID-root binaries for Linux. This incident highlights the risks of unauthorized changes to web content and the importance of verifying digital signatures. |
| 2026-05-06 | Critical DAEMON Tools Supply Chain Attack: Malware-Compromised Windows Installers Threaten Organizations and Home Users (Versions 12.5.0.2421-12.5.0.2434) | Supply Chain | Writeup detailing a critical supply chain attack on DAEMON Tools Windows installers (versions 12.5.0.2421-12.5.0.2434), which distributed malware via trojanized executables signed with a legitimate AVB Disc Soft certificate. The malware, including an info-gatherer, backdoor, and QUIC RAT, exfiltrates system data and deploys advanced implants to targeted organizations and home users, leveraging MITRE ATT&CK techniques like T1195.002 (Supply Chain Compromise) and T1553.002 (Code Signing). |
| 2026-04-30 | OpenWrt 23.05 Authenticated Remote Code Execution (RCE) Vulnerability: Risk Analysis Impact and Mitigation (CVE-2025-62526) | RCE | Analysis of CVE-2025-62526, an authenticated RCE vulnerability in OpenWrt 23.05, details how attackers can compromise devices by exploiting flaws in inter-process communication and sandboxing mechanisms, particularly on Lantiq, Intel, and MaxLinear SoCs. Mitigation involves upgrading to OpenWrt 24.10.4, securing credentials, restricting management interface access, and monitoring for unauthorized changes, with historical exploitation of similar flaws by groups like APT41 and Lazarus serving as a precedent. |
| 2026-04-30 | Critical Authenticated Remote Code Execution Vulnerability in JuzaWeb CMS 3.4.2 (CVE-2025-5425) Exploit in the Wild and Mitigation Guidance | RCE | Writeup detailing CVE-2025-5425, a critical authenticated RCE vulnerability in JuzaWeb CMS 3.4.2. This flaw, stemming from broken access control (CWE-266), allows low-privilege users to access the Theme Editor, inject PHP code, and achieve full server compromise. Exploits are publicly available, and exploitation in the wild has been observed. Mitigation involves restricting access to the Theme Editor endpoint and auditing user roles. The vulnerability maps to MITRE ATT&CK techniques T1190 and T1059. |
| 2026-04-30 | CVE-2026-42208: Critical Pre-Auth SQL Injection in LiteLLM Actively Exploited Within 36 Hours of Disclosure | SQLi | Writeup of CVE-2026-42208, a critical pre-authentication SQL injection in LiteLLM, which was actively exploited within 36 hours of disclosure. Attackers leveraged improper handling of the HTTP Authorization header to inject SQL into PostgreSQL databases, targeting sensitive data like API keys and provider credentials. Exploitation involved schema enumeration and targeted UNION SELECT payloads, originating from IP addresses associated with 3xK Tech GmbH. Mitigation requires upgrading LiteLLM, rotating credentials, and auditing logs for suspicious activity. |
| 2026-04-29 | CVE-2026-33626: Critical SSRF Vulnerability in LMDeploy Rapidly Exploited in the Wild Technical Analysis and Mitigation Guide | SSRF | Analysis of CVE-2026-33626 details a critical Server-Side Request Forgery (SSRF) vulnerability in LMDeploy, exploited rapidly in the wild. This flaw, affecting versions up to 0.12.0 with vision-language support, allows attackers to fetch arbitrary URLs, leading to the exfiltration of cloud metadata, probing of internal services like Redis and MySQL, and network reconnaissance. Exploitation attempts utilized callback infrastructure such as cw2mhnbd.requestrepo.com, originating from IP 103.116.72.119. Mitigation involves upgrading LMDeploy, enforcing IMDSv2, restricting egress, and implementing runtime detection of suspicious outbound connections. |
| 2026-04-19 | Critical Apache Tika CVE-2025-66516: XXE Vulnerability | XXE | Library that helps secure applications against the critical Apache Tika CVE-2025-66516 XXE vulnerability. This flaw allows attackers to submit crafted PDF files with malicious XFA content to achieve sensitive file disclosure, SSRF, and potential RCE. It affects specific versions of `tika-core`, `tika-parser-pdf-module`, and `tika-parsers`, and has seen active exploitation in the wild with over 500 vulnerable instances discovered. |
| 2026-04-17 | Critical Supply Chain Attack on EssentialPlugin WordPress Suite Exposes Over 400,000 Websites to Malware | Supply Chain | Writeup of a critical supply chain attack on the EssentialPlugin WordPress suite, impacting over 400,000 websites. The attack involved a dormant backdoor, introduced after the plugin's acquisition, which activated to enable arbitrary file writes and malware injection. The technique utilized unauthenticated REST API endpoints and PHP object injection to create a backdoor file (wp-comments-posts.php) and modify wp-config.php, leading to spam pages and redirects. Mitigation involves immediate removal of affected plugins and manual inspection for malicious files. |
| 2026-04-17 | April 2026 Patch Tuesday: Critical Vulnerabilities in SAP Adobe Microsoft SharePoint Fortinet and ColdFusion Threaten Enterprise Security | SQLi | Advisory detailing critical vulnerabilities patched in April 2026 across SAP Business Planning and Consolidation (CVE-2026-27681, SQL injection), Adobe Acrobat Reader (CVE-2026-34621, RCE, actively exploited), Adobe ColdFusion (CVE-2026-34619, CVE-2026-27304, CVE-2026-27305, CVE-2026-27282, CVE-2026-27306, path traversal, ACE), Fortinet FortiSandbox (CVE-2026-39813, CVE-2026-39808, path traversal, command injection), and Microsoft SharePoint Server (CVE-2026-32201, spoofing, data exposure, actively exploited), posing risks of data exfiltration and system compromise. |
| 2026-04-14 | CPUID Supply Chain Attack: STX RAT Malware Distributed via Trojanized CPU-Z and HWMonitor Downloads | Supply Chain | Writeup of the CPUID supply chain attack, detailing how attackers compromised the official website for HWMonitor and CPU-Z, distributing trojanized installers via Cloudflare R2. This attack leveraged DLL sideloading with a malicious cryptbase.dll to execute a five-stage in-memory attack chain, ultimately deploying STX RAT, a remote access trojan capable of stealing credentials, session cookies, and crypto wallet keys. The incident highlights the risks of compromised download channels, affecting global users across various sectors. |
| 2026-04-12 | Google Chrome 147 Security Update: Patches 60 Vulnerabilities Including Critical WebML Remote Code Execution F | RCE | Analysis of Google Chrome 147, which patched 60 vulnerabilities including critical heap buffer overflow (CVE-2026-5858) and integer overflow (CVE-2026-5859) flaws in the WebML component. These vulnerabilities, awarded $86,000 in bug bounties, enable remote code execution via crafted web pages. The advisory details technical aspects, exploitation potential, affected versions, and mitigation strategies such as immediate patching. While no in-the-wild exploitation is reported, the significant risk necessitates vigilance, especially concerning APT groups. |
| 2026-04-12 | Critical Marimo Python Notebook RCE Vulnerability (CVE-2026-39987) Exploited Within 10 Hours of Disclosure | RCE | Analysis of CVE-2026-39987 details a critical RCE vulnerability in Marimo, an open-source Python notebook platform, allowing unauthenticated attackers shell access via a misconfigured WebSocket endpoint. Exploitation occurred within 10 hours of disclosure, focusing on credential harvesting and reconnaissance using T1190, T1552, and T1083 MITRE ATT&CK techniques. Mitigation involves upgrading to Marimo 0.23.0+, auditing logs, and rotating compromised credentials. |
| 2026-01-19 | Critical XSS Vulnerability in StealC Malware Admin Panel Allows Researchers to Infiltrate and Monitor Threat Actor Operations | XSS | Writeup of a persistent XSS vulnerability in the StealC malware admin panel, version 2.0, which allowed researchers to infiltrate and monitor threat actor operations. Exploitation led to the exfiltration of session cookies and system fingerprints from operators like YouTubeTA, revealing their location and hardware. The flaw enabled the observation of live sessions, stolen data, and malware management, demonstrating that even criminal infrastructure is susceptible to common web application vulnerabilities. |