Latest Arabian cybersecurity news covering global cyber threats, ransomware attacks, data breaches, digital espionage, and technology security developments affecting governments, companies and individuals.
A newly disclosed flaw in Starlette has put Python-based AI services under pressure to patch systems that may expose protected endpoints through manipulated HTTP Host headers. The vulnerability, tracked as CVE-2026-48710 and dubbed BadHost, affects Starlette versions up to 1.0.0 and has drawn attention because of Starlette’s role in modern application stacks built around FastAPI, API gateways, model-serving tools and agent frameworks. Starlette 1.0.1 contains the fix, making rapid dependency checks a priority for engineering and security teams running internet-facing services. BadHost
Cisco researchers have warned that leading open-weight large language models can be manipulated through sustained conversations that gradually push them past safety controls, exposing a weakness in systems now being adopted across business, public services and consumer applications. The assessment tested eight widely used open-weight models from Alibaba, DeepSeek, Google, Meta, Microsoft, Mistral, OpenAI and Zhipu AI. The models were examined through automated adversarial testing designed to measure whether they could resist prompt-injection and jailbreak attempts across both single-turn and multi-turn
Thousands of fraudulent FIFA-themed domains are being positioned to exploit supporters before the 2026 World Cup, with cyber-security researchers tracking more than 4,300 suspicious registrations since August 2025. The domains mimic FIFA’s official web presence and are designed to lure fans seeking tickets, merchandise, travel packages, streaming access, betting platforms and hospitality deals. Some use names close to FIFA, the World Cup, host cities or national teams, while others copy the appearance of official pages to capture payments and personal information. The
Hackers are exploiting shared content delivery network infrastructure to hide malicious traffic behind trusted domains, exposing a weakness in DNS-based security controls used by enterprises to block command-and-control activity, data theft and unauthorised tunnelling. The technique, named Underminr by ADAMnetworks, takes advantage of the way large CDNs host many unrelated websites on the same edge IP addresses. A compromised device can make a legitimate DNS lookup for an allowed domain, receive a CDN edge IP address, and then establish an encrypted
A phishing campaign using sponsored Google search advertisements has drained more than $400,000 from cryptocurrency users after directing them to cloned Uniswap websites designed to empty connected wallets. The attack centred on fraudulent ads that appeared above or near legitimate search results for Uniswap, one of the largest decentralised exchanges on Ethereum. Users who clicked the promoted links were taken to interfaces that closely resembled the authentic platform. Once wallets were connected and approvals were signed, funds were transferred to attacker-controlled
Microsoft has issued fixes for a high-severity SharePoint Server vulnerability that could allow authenticated attackers to run code remotely on affected on-premises systems, sharpening security concerns for organisations that continue to rely on self-managed collaboration platforms. Tracked as CVE-2026-45659, the flaw affects SharePoint Server Subscription Edition, SharePoint Server 2019 and SharePoint Enterprise Server 2016. The vulnerability has been assigned a CVSS score of 8.8, placing it in the high-severity range, and stems from deserialisation of untrusted data in Microsoft Office SharePoint.
Developers using Angular’s official Visual Studio Code extension have been urged to update their systems after multiple high-severity flaws were found to expose workstations to remote code execution through malicious project files and dependencies. The vulnerabilities affect Angular Language Service, published as Angular.ng-template on the Visual Studio Marketplace, in all versions before 21.2.4. The patched release closes weaknesses that could allow an attacker to execute commands on a developer’s machine by abusing how the extension processes workspace configuration, documentation comments
China-linked cyber operators have targeted edge routers across Southeast Asia with a custom Linux implant, widening concern that network infrastructure has become a prime entry point for long-term espionage rather than a peripheral security risk. The campaign centres on Linux-based border and edge routers used by organisations to manage traffic entering and leaving enterprise networks. By compromising these devices, the attackers place themselves at a strategic point inside the communications chain, giving them visibility over connected systems and the ability to
NightSpire has moved from an emerging ransomware operation to a fast-scaling cyber-extortion threat, using exposed Remote Desktop Protocol access, legitimate administration tools and a Tor-based leak site to pressure victims across multiple sectors. First observed in early 2025, the group has built its campaign around double extortion, stealing sensitive files before encrypting systems and then threatening public exposure if victims refuse to pay. Its operations show a blend of familiar ransomware tradecraft and adaptive tactics that complicate detection, particularly when attackers
Hackers are exploiting a critical vulnerability in Ghost CMS to compromise more than 700 websites and turn trusted publishing pages into delivery points for ClickFix malware, escalating concerns over unpatched content management systems used by media, universities, fintech firms, software companies and research organisations. The flaw, tracked as CVE-2026-26980, is a SQL injection vulnerability in Ghost’s Content API. It affects Ghost versions from 3.24.0 through 6.19.0 and was fixed in version 6.19.1, released in February 2026. The vulnerability carries a critical
Iran-linked hackers have expanded cyber-espionage operations against aviation and software organisations in the United States, Europe and the Middle East, using fake recruitment pitches and search-engine manipulation to deliver malware capable of long-term surveillance and data theft. The campaign has been tied to Nimbus Manticore, also tracked as UNC1549, Screening Serpens, Smoke Sandstorm and Iranian Dream Job. The group is assessed to be aligned with Iran’s Islamic Revolutionary Guard Corps and has built a reputation for targeting defence, aviation, telecommunications, energy
A targeted cyber-espionage campaign has struck China’s higher education sector, using deceptive PDF-style shortcut files to install Cobalt Strike beacons on victim machines and open a path for remote control. The operation, labelled Dragon Whistle, has focused on Changzhou University and related academic users by exploiting a familiar administrative pressure point: compulsory student fitness testing tied to the 2026 National Student Physical Fitness and Health Standards. The lure was designed to resemble a formal university notice, packaged in a ZIP archive
PuTTY users have been urged to move to version 0.84 after the maintainers fixed three low-severity security flaws affecting SSH key exchange, NIST ECDSA signature verification, and Telnet or Rlogin session prompt handling. The update, released on 22 May 2026, addresses defects that could allow a malicious server or a man-in-the-middle attacker to crash a PuTTY session or mislead a user during older, insecure remote-login workflows. The maintainers have not identified any route for code execution, but the flaws touch sensitive
Organisations using Apache CXF have been urged to patch a newly disclosed LDAP injection flaw that could allow attackers to retrieve arbitrary certificates from vulnerable XKMS repositories, sharpening concerns over certificate-management weaknesses in enterprise Java service environments. The flaw, tracked as CVE-2026-44930, affects the LDAP certificate repository used by the XKMS server component in Apache CXF. It has been classified as an important security issue by the project, while vulnerability scoring records show a sharper risk profile under one assessment because
North Korea-linked hackers have upgraded the InvisibleFerret malware to bypass script-based security tools, converting its Python code into compiled modules that are harder for defenders to inspect and block. The campaign is attributed to Void Dokkaebi, also tracked as Famous Chollima, a threat group associated with operations against software developers, cryptocurrency firms and technology workers. The latest version uses Cython-compiled files, appearing as .pyd modules on Windows and .so files on macOS, marking a technical shift from the readable Python scripts
US federal investigators have warned that a new phishing-as-a-service platform called Kali365 is enabling cybercriminals to steal Microsoft 365 access tokens and bypass multi-factor authentication without capturing victims’ passwords. The platform, first observed in April 2026 and distributed mainly through Telegram, marks a sharper turn in identity-based attacks because it abuses legitimate Microsoft authentication flows rather than relying on fake login pages alone. By capturing OAuth access and refresh tokens, operators can gain continued access to email, files, chats and cloud
Cybersecurity teams are reviewing exposed SonicWall firewall interfaces after a sharp burst of internet scanning activity hit SonicOS management endpoints, with almost 597,000 sessions observed on 12 May, the highest single-day total for the tracked activity over a 90-day period. The surge, recorded between 9 May and 18 May, stood out because the 12 May peak was about 46 times higher than the normal daily volume seen during the previous 30 days. Researchers tracking the activity said the pattern resembled earlier
US cyber authorities have added a critical Drupal Core SQL injection flaw to their exploited-vulnerabilities list after attacks began targeting unpatched websites using PostgreSQL databases, escalating pressure on government agencies, universities, media groups and enterprises that rely on the open-source content management platform. The vulnerability, tracked as CVE-2026-9082, affects Drupal Core versions from 8.9.0 through several 10.x and 11.x branches before the fixed releases issued on May 20, 2026. The flaw sits in Drupal’s database abstraction layer and can
Dubai Police have warned that selling or promoting counterfeit products through social media and digital marketplaces is a criminal offence, intensifying scrutiny of online accounts that use advertising, influencer posts and informal e-commerce channels to move fake goods across the UAE. The warning, issued through the Anti-Economic Crimes Department at the General Department of Criminal Investigation, targets commercial account owners, advertisers and young social media users who may be approached by unknown parties offering payment to market products without verifying their
Anthropic’s Claude Mythos Preview has identified more than 10,000 high- or critical-severity software vulnerabilities through Project Glasswing, intensifying debate over whether frontier AI is becoming a defensive breakthrough or a new accelerant for cyber risk. The findings, disclosed after the initiative’s first month of operation, mark a sharp escalation in AI-assisted vulnerability discovery across software used in operating systems, browsers, cloud platforms, open-source projects and financial infrastructure. Anthropic has restricted wider access to Mythos Preview while giving selected technology companies, banks
Hackers have compromised the Laravel-Lang open-source ecosystem, turning trusted PHP localisation packages into a vehicle for credential theft and remote code execution across developer machines and build systems. The attack, detected on May 22, targeted packages used by Laravel applications to manage translations, attributes and HTTP status messages. Security teams tracking the incident identified malicious activity across laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes and laravel-lang/actions, with more than 700 historical package versions or tags affected across the wider organisation. Earlier confirmed findings covered 233
Cybercriminals are exploiting demand for AI coding tools by pushing fake Gemini CLI and Claude Code installation pages into search results, using the sites to deliver a fileless PowerShell infostealer aimed at developer workstations. The campaign, active since early March 2026, marks a sharper turn in financially motivated attacks against software teams as AI assistants become embedded in daily coding workflows. The attackers are not merely imitating well-known brands; they are copying the installation habits developers already trust, then using those
Hosting providers using LiteSpeed’s user-end cPanel plugin are confronting an actively exploited privilege-escalation flaw that can allow any authenticated cPanel account to run scripts as root and take control of affected Linux servers. The vulnerability, tracked as CVE-2026-48172, has been rated at the maximum severity level by security trackers and affects LiteSpeed cPanel user-end plugin versions from 2.3 through 2.4.4. LiteSpeed patched the initial flaw in version 2.4.5 and later urged administrators to move to cPanel plugin version 2.4.7, bundled with
Hackers are exploiting unsupported F5 BIG-IP appliances to gain SSH access to enterprise Linux systems, turning trusted edge infrastructure into entry points for deeper attacks on identity systems and internal applications. A May 22 threat intelligence disclosure detailed a multi-stage intrusion that began with an exposed F5 BIG-IP load balancer and moved through Linux infrastructure, an internal Atlassian Confluence server and eventually Active Directory. The case underlines a widening risk for organisations that continue to operate end-of-life appliances at the network
Google’s publication of exploit code for an unresolved Chromium security flaw has intensified scrutiny of how browser vulnerabilities are handled when technical details surface before a patch is ready. The issue affects the Chromium codebase that underpins Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi and several other browsers used across desktop and mobile environments. Security researchers say the flaw can be abused through the Background Fetch API and Service Workers, allowing a malicious or compromised website to keep browser-side code running
Hackers are turning Middle East telecoms and hosting networks into a major command-and-control layer, exposing a regional cyber risk that now extends beyond compromised devices to the infrastructure patterns that sustain attacks. A three-month mapping of malicious activity between 1 February and 1 May identified more than 1,350 active C2 servers across 98 infrastructure providers in 14 countries, including Saudi Arabia, the UAE, Turkey, Israel, Iraq, Iran, Egypt, Kuwait, Lebanon, Jordan, Bahrain, Syria, Cyprus and Palestine. The findings point to a
Companies are pushing vulnerable software into production even as artificial intelligence expands the speed, volume and complexity of application development across global supply chains. New industry findings show 75% of organisations often or sometimes deploy code they already know contains security weaknesses, underscoring a persistent gap between software delivery targets and risk controls. The figure marks only a limited improvement from last year’s 81%, suggesting that boards and engineering leaders have yet to turn security policy into routine development practice. The findings
Cybercriminals are expanding phishing infrastructure built around the 2026 FIFA World Cup, with threat researchers mapping 222 malicious or suspicious domains to 203 unique IP addresses as fraud campaigns target fans, sponsors, travel operators and online shoppers before the tournament opens on 11 June. The findings point to a much broader operation than the first wave of 79 lookalike domains that impersonated FIFA and ticketing-related services. The latest mapping suggests a distributed ecosystem rather than a single phishing cluster, with domains
Russian state-backed cyber groups are broadening their entry points into targeted networks, using remote access services, stolen credentials, compromised suppliers and tailored social engineering to penetrate government, critical infrastructure and commercial systems. The pattern marks a shift from single-vector intrusions towards layered access operations designed to look like ordinary business activity. Remote Desktop Protocol, virtual private network accounts, cloud identities, internet-facing routers, edge devices and third-party service providers have become central to campaigns aimed at intelligence collection, persistence and, in some
Apache OFBiz users have been urged to move to version 24.09.06 after disclosure of an authentication bypass flaw that can be chained to remote code execution, exposing enterprise resource planning systems to takeover through a manipulated password-change workflow. Tracked as CVE-2026-45434, the vulnerability affects Apache OFBiz versions before 24.09.06. It stems from improper authentication handling in the platform’s password-change logic, where a forced password reset condition may be treated in a way that allows access to protected functions instead of blocking
Google has issued a Chrome security update after fixing multiple flaws that could allow attackers to execute code remotely, disrupt browser sessions, steal information, bypass restrictions or spoof content on affected systems. The update moves Chrome’s stable desktop channel to version 148.0.7778.178/179 for Windows and macOS, and 148.0.7778.178 for Linux. It is being rolled out globally through the browser’s automatic update mechanism, though users and administrators may need to relaunch Chrome for the protection to take effect. The latest patch addresses 16
GitHub has confirmed unauthorised access to about 3,800 internal repositories after an employee device was compromised through a poisoned Visual Studio Code extension, raising fresh concerns over the security of developer tools and software supply chains. The Microsoft-owned platform said it detected and contained the compromise on May 19, removed the malicious extension version, isolated the affected endpoint and began incident response measures. Its assessment so far indicates that the activity was limited to GitHub-internal repositories, with no evidence that customer
Millions of browser users have been targeted by CypherLoc, a scareware campaign built to freeze screens, mimic security alerts and push victims towards fraudulent technology support operators. Security researchers tracking the activity said about 2.8 million attacks have been observed since the start of 2026, underscoring the scale of a threat that relies less on advanced malware and more on pressure, confusion and trust in familiar security warnings. The campaign uses browser-lock techniques to make users believe their device has been
Microsoft has disrupted infrastructure used by Fox Tempest, a cybercrime-enabling group accused of selling fraudulent code-signing services that helped ransomware operators disguise malware as trusted software. The action, led by Microsoft’s Digital Crimes Unit, targeted a malware-signing-as-a-service operation that allegedly abused legitimate software verification systems, including Microsoft’s Artifact Signing platform. A legal case unsealed in the US District Court for the Southern District of New York said the service had enabled attackers since May 2025 to make malicious files appear authentic,