Cybersecurity News | Daily Recap [23 May 2026]

Daily Recap: Exploited vulnerabilities and zero-days dominated the news: LiteSpeed cPanel Plugin CVE-2026-48172 is abused for root access, Drupal core SQL injection issues are being actively exploited and added to CISA KEV, and Trend Micro warned that an Apex One zero-day is in use in the wild. Phishing activity also accelerated, with the FBI flagging the Kali365 phishing-as-a-service kit targeting Microsoft 365 tokens, while Ghostwriter used Prometheus to target Ukrainian government entities and authorities dismantled a global VPN service linked to 25 ransomware groups. #CVE-2026-48172 #LiteSpeed #cPanel #root #Drupal #CISAKEV #DrupalSQLi #ApexOne #Kali365 #Microsoft365 #FBI #Ghostwriter #Prometheus #Ukraine #VPN #Netherlands #Webworm #Discord #MicrosoftGraph

Cybersecurity News | Daily Recap [23 May 2026]

Daily Recap: A wave of urgent patches hit Drupal, Ubiquiti (UniFi OS), Cisco, Microsoft Defender, TrendAI, and Apex One, including in-the-wild exploitation of a Drupal SQLi and an Apex One zero-day. In addition, Google accidentally exposed details of an unfixed Chromium issue, while botnet and malware reporting covered the alleged Kimwolf operation, Showboat Linux activity against Middle East telecoms, and BYOVD-driven exploit chains. #Drupal #UniFiOS #ApexOne #Kimwolf #Showboat #Chromium #CISA #KEV

Cybersecurity News | Daily Recap [23 May 2026]

Daily Recap: Cisco patched a critical Secure Workload flaw that could grant site admin privileges, while Microsoft addressed exploited Defender zero-days and mitigated the YellowKey BitLocker bypass; Drupal disclosed a highly critical core issue impacting PostgreSQL (RCE), and SonicWall cautioned that incomplete VPN MFA patching could enable bypasses. On the threat and supply-chain fronts, GitHub linked a repo breach to the TanStack npm supply-chain attack that later led to a Grafana incident after missed token rotation, webworm activity used EchoCreep and GraphWorm via Discord and the MS Graph API, and law enforcement action included seizure of the First VPN service used in ransomware and data-theft attacks. Broader AI, identity, and platform enforcement themes were highlighted by Microsoft’s RAMPART and Clarity efforts and an FTC Take It Down Act warning. #Cisco #SecureWorkload #Microsoft #Defender #YellowKey #Drupal #PostgreSQL #SonicWall #TanStack #npm #Grafana #EchoCreep #GraphWorm #Discord #MSGraph #FirstVPN #TakeItDownAct

Cybersecurity News | Daily Recap [23 May 2026]

Daily Recap: GitHub confirmed multiple internal repository compromises tied to a malicious VS Code extension, with claims of roughly 3,800–4,000 affected repositories and source code exposure impacting Grafana via a TanStack npm attack. The roundup also covered the Shai-Hulud npm supply-chain campaign targeting 600 packages (with Mini Shai-Hulud expanding further), plus Microsoft’s disruption of a malware-signing service linked to Fox Tempest, alongside fixes and advisories across Windows, Azure, Drupal, ChromaDB, and Linux, and major fraud cases. #VSCode #Grafana #TanStack #TanStacknpm #ShaiHulud #MiniShaiHulud #FoxTempest #YellowKey #Drupal #ChromaDB #PinTheft #Trapdoor #ShinyHunters #7Eleven #Luxembourg #Huawei #CISA #Discord #DBIR2026

Cybersecurity News | Daily Recap [23 May 2026]

Daily Recap: Security experts say AI Bills of Materials (AI BOMs) could become practical by 2026 as organizations push for transparency and governance, while teams are warned that connecting AI to financial accounts and managing shadow AI can shift privacy and cyber-risk tradeoffs. On the threat side, developer tooling and ecosystems are under pressure from supply-chain and credential-stealing activity (Nx Console, Mini Shai-Hulud, Shai-Hulud, GitHub Actions), and attackers continue to use stealthy infection techniques involving MSHTA and new SHub macOS infostealer variants. #AI_Bills_of_Materials #Nx_Console #Mini_Shai-Hulud #Shai-Hulud #GitHub_Actions #MSHTA #SHub #ChromaDB #INTERPOL_Operation_Ramz #Grafana

Cybersecurity News | Daily Recap [23 May 2026]

Daily Recap: Multiple breaches and supply-chain weaknesses dominated headlines, including 7-Eleven confirming a breach tied to a ShinyHunters ransom demand and Grafana warning that a stolen GitHub token enabled attackers to steal part of its codebase. On the exploit and identity fronts, the DirtyDecrypt Linux privilege escalation, in-the-wild exploitation of NGINX CVE-2026-42945, the Windows MiniPlasma zero-day (SYSTEM access), and Tycoon2FA device-code phishing targeting Microsoft 365 accounts were highlighted. #ShinyHunters #7-Eleven #Grafana #GitHub #DirtyDecrypt #NGINX #CVE-2026-42945 #MiniPlasma #OpenClaw #ClawChain #Tycoon2FA #Microsoft365 #BlackFile #UNC6671 #Qilin #TheGentlemen #Kimsuky #Gamaredon #Pwn2OwnBerlin2026 #KB5089549

Threat Research | Weekly Recap [17 May 2026]

Cybersecurity Threat Research ‘Weekly’ Recap. The roundup highlights multiple supply-chain and identity attacks, including TeamPCP’s workflow poisoning, malicious npm republishing via node-ipc, and AI-assisted device-code phishing operations tied to BlackFile / UNC6671 and Tycoon 2FA. It also covers credential stealer delivery and evolving ransomware/extortion dynamics (e.g., Qilin and The Gentlemen), alongside state-sponsored espionage/influence campaigns like Kimsuky, Gamaredon, FrostyNeighbor, Fast16, and Doppelgänger.

Cybersecurity News | Daily Recap [23 May 2026]

Daily Recap: Active exploitation focused on WordPress and e-commerce attacks, including Funnel Builder flaws linked to WooCommerce checkout skimming and Avada Builder flaws that can steal site credentials, alongside a critical NGINX vulnerability with publicly available PoC code. On the defensive and risk side, CISA directed U.S. federal agencies to patch an actively exploited Cisco SD-WAN bug, while supply-chain threats continued with OpenAI warning macOS users to update after a TanStack npm incident and node-ipc being compromised to steal credentials, as researchers also advanced findings around Turla’s Kazuar and the OpenClaw vulnerability cluster. #FunnelBuilder #WooCommerce #AvadaBuilder #NGINX #CiscoSD-WAN #CISA #TanStack #node-ipc #Turla #Kazuar #OpenClaw #THORChain #MicrosoftExchange #Windows11 #TakeItDownAct #FTC #TinaPeters #JaredPolis

Cybersecurity News | Daily Recap [23 May 2026]

Daily Recap: Microsoft warned that an Exchange Server zero-day is actively exploited, while Cisco faced an exploited SD-WAN auth bypass and an 18-year-old NGINX flaw enabled DoS and potential RCE. OpenAI confirmed a TanStack-related supply-chain breach, and Ghostwriter used geofenced PDF phishing with Cobalt Strike against the Ukrainian government.
#ExchangeServer #Microsoft #Cisco #SD-WAN #NGINX #WordPress #BurstStatistics #OpenAI #TanStack #NodeIPC #Ghostwriter #UkrainianGovernment #CobaltStrike #ShaiHulud #TeamPCP #MistralAI #AmericanLendingCenter

Cybersecurity News | Daily Recap [23 May 2026]

Daily Recap: Microsoft pushed May Patch Tuesday fixes for 137 vulnerabilities (including 13 critical flaws) and addressed a zero-click Outlook issue, while Fortinet flagged critical RCE risks in FortiSandbox and FortiAuthenticator and Exim disclosed a BDAT flaw impacting GnuTLS-built systems. Across supply chain and incidents, RubyGems suspended new signups after hundreds of malicious packages were tied to the Mini Shai-Hulud campaign, while Foxconn confirmed disruption tied to the Nitrogen ransomware gang and OpenLoop Health disclosed an exposure affecting 716,000 people.
#MayPatchTuesday #Outlook #FortiSandbox #FortiAuthenticator #Exim #GnuTLS #RubyGems #MiniShaiHulud #TrickMo #TONC2 #Foxconn #Nitrogen #OpenLoopHealth #Canvas #Instructure #Daybreak #Exaforce #WhiteCircle #Android17 #Signal

Cybersecurity News | Daily Recap [23 May 2026]

Daily Recap: Major patch and supply-chain updates hit SAP Commerce Cloud, SAP S/4HANA, and Apple’s macOS/iOS, while cPanel CVE-2026-41940 is actively exploited to drop a Filemanager backdoor. In parallel, the Shai-Hulud worm campaign weaponized signed TanStack, Mistral AI, and Guardrails AI npm packages, and extortion pressure drove an Instructure agreement with ShinyHunters over a 3.65TB Canvas leak.
#SAP #CommerceCloud #S4HANA #Apple #macOS #iOS #cPanel #CVE-2026-41940 #Filemanager #ShaiHulud #TanStack #MistralAI #GuardrailsAI #Instructure #ShinyHunters #Canvas #GhostLock #WestPharmaceuticalServices #FCC #Texas #Netflix #GM

Cybersecurity News | Daily Recap [23 May 2026]

Daily Recap: Google warned that attackers are using AI to craft a zero-day exploit for a web admin tool and reported the first AI-generated exploit detected before public use. Elsewhere, attackers leveraged Google ads and Claude.ai to push Mac malware, compromised Checkmarx’s Jenkins AST Plugin in a supply-chain attack, and targeted multiple organizations through phishing and enterprise breaches.
#AI #Google #Claude.ai #Jenkins #Checkmarx #SailPoint #GitHub #Instructure #Canvas #ActiveDirectory #TrickMo #TON #Crimenetwork

Threat Research | Weekly Recap [17 May 2026]

Cybersecurity Threat Research ‘Weekly’ Recap. The week covered a wide range of campaigns and breaches, including infostealer/RAT distribution (Operation HumanitarianBait, OpenClaw/Hologram, Remcos RAT, GhostLoader, Vidar, Quasar Linux/QLNX, PCPJack) and phishing that abused trusted cloud/OAuth infrastructure (Code-of-conduct phishing, Trusted Infrastructure Phishing). It also highlighted Linux/kernel exploitation (Copy Fail/DirtyFrag, CVE-2026-43284, CVE-2026-43500), enterprise/cloud incidents (Canvas/Instructure with ShinyHunters, CallPhantom, malicious NuGet packages), and network/edge attacks (Nexcorium targeting CVE-2024-3721, PAN-OS zero-day RCE).
#OperationHumanitarianBait #OpenClaw #Hologram #Remcos #GhostLoader #Vidar #QuasarLinux #QLNX #PCPJack #CodeofconductPhishing #TrustedInfrastructurePhishing #InstallFix #ClaudeCode #OperationSilentRotor #OperationGriefLure #ScarCruft #APT37 #BirdCall #CVE-2026-43284 #CVE-2026-43500 #Canvas #Instructure #ShinyHunters #CallPhantom #Nexcorium #CVE-2024-3721 #PANOS

Cybersecurity News | Daily Recap [23 May 2026]

Daily Recap: Fake OpenAI repositories on Hugging Face pushed an infostealer, while the TCLBANKER banking trojan spread through WhatsApp and Outlook alongside fake call-history apps that reportedly amassed 7.3 million Play Store downloads before stealing payments; PamDOORa also emerged as a new Linux backdoor. In other headlines, cPanel and WHM released fixes for three vulnerabilities, Braintrust urged API key rotation after a breach, NVIDIA confirmed a GeForce NOW breach affecting Armenian users, and ShinyHunters claimed a second attack against Instructure. #HuggingFace #OpenAI #Infostealer #TCLBANKER #WhatsApp #Outlook #PlayStore #PamDOORa #Linux #cPanel #WHM #Braintrust #NVIDIA #GeForceNOW #Armenian #ShinyHunters #Instructure #APIKey

Cybersecurity News | Daily Recap [23 May 2026]

Daily Recap: Ivanti pushed urgent fixes for an actively exploited EPMM zero-day after CISA ordered federal agencies to patch the targeted flaw within 4 days, while the Linux “Dirty Frag” bug and a Palo Alto edge-device zero-day demonstrated continued exploitation of high-risk vulnerabilities. In other updates, RansomHouse claimed Trellix source-code theft, ShinyHunters’ Canvas extortion campaign reportedly affected nearly 9,000 schools, and new threats included TCLBanker spreading via WhatsApp and Outlook alongside PCPJack’s credential-stealing worm behavior. #Ivanti #EPMM #CISA #DirtyFrag #PaloAlto #RansomHouse #Trellix #ShinyHunters #Canvas #Zara #TCLBanker #WhatsApp #Outlook #PCPJack #TeamPCP #Vidar #ClickFix #Claude #Chrome #NorthKorea #SOC
