Latest Arabian cybersecurity news covering global cyber threats, ransomware attacks, data breaches, digital espionage, and technology security developments affecting governments, companies and individuals.
Microsoft has disrupted infrastructure used by Fox Tempest, a cybercrime-enabling group accused of selling fraudulent code-signing services that helped ransomware operators disguise malware as trusted software. The action, led by Microsoft’s Digital Crimes Unit, targeted a malware-signing-as-a-service operation that allegedly abused legitimate software verification systems, including Microsoft’s Artifact Signing platform. A legal case unsealed in the US District Court for the Southern District of New York said the service had enabled attackers since May 2025 to make malicious files appear authentic,
Hackers stole parts of Grafana Labs’ codebase after gaining access to its GitHub environment through a compromised token, prompting fresh concern over software supply-chain security at a company whose observability tools are embedded across enterprise technology operations. The New York-based open source software developer said an unauthorised party accessed its GitHub environment and downloaded code after obtaining a token with repository access. The attackers then tried to pressure the company into paying a ransom in exchange for deleting the stolen material.
Multiple high-severity vulnerabilities in SEPPmail Secure E-Mail Gateway have exposed organisations using the encrypted messaging appliance to risks ranging from remote code execution to interception of confidential email traffic, with the highest concern centred on publicly reachable systems in Germany, Austria and Switzerland. The flaws affect a product widely used to secure email exchange between companies and external recipients, particularly where encrypted messages, large file transfers and web-based access to protected mail are required. The disclosures cover several components, including the
A fast-moving supply-chain attack has hit a broad set of npm packages linked to the @antv ecosystem, exposing developers and organisations to credential theft through malicious package versions tied to the maintainer account “atool”. The campaign, identified on May 19, 2026, appears to form part of the Mini Shai-Hulud malware wave, a self-spreading operation that has already affected other developer ecosystems through compromised open-source packages. The latest activity centres on data visualisation, charting, graphing, mapping and React component libraries used across
Ukrainian state bodies are facing a sustained phishing campaign by the Russia-linked Gamaredon group, with attackers using weaponised WinRAR archives to deploy GammaDrop and GammaLoad malware in a multi-stage espionage operation aimed at government networks. The campaign, active since September 2025 and still evolving, has targeted Ukrainian state institutions through spoofed messages and compromised government email accounts. The emails are written in Ukrainian and designed to resemble official correspondence, including court-related notices and administrative documents. Their attachments contain malicious RAR archives
Authorities across the Middle East and North Africa have arrested 201 people in a coordinated cybercrime sweep that targeted phishing, malware and online financial fraud networks operating across 13 jurisdictions. Operation Ramz, coordinated by Interpol from October 2025 to 28 February 2026, also identified 382 further suspects and 3,867 victims, marking the first cyber operation of this scale led by the international police body across the MENA region. Investigators seized 53 servers and shared nearly 8,000 pieces of operational intelligence among
Paper Werewolf has expanded its campaign against Russian industrial, financial and transport organisations, using phishing emails, fake Adobe software updates and the EchoGather remote access trojan to deepen access inside targeted networks. The Russian-language threat cluster, also tracked as GOFFEE, was active in the March-April 2026 window with a toolset that shows a clear shift from conventional phishing toward layered intrusion chains. The latest campaign begins with emails carrying PDF attachments that appear to contain official requests or routine business documents.
Security researchers uncovered 47 previously unknown vulnerabilities at Pwn2Own Berlin, underscoring persistent weaknesses in enterprise software, artificial intelligence tools, operating systems and virtualisation platforms even when products are fully patched. The three-day competition, held from May 14 to May 16 alongside OffensiveCon in Berlin, awarded $1,298,250 in cash prizes. The event placed some of the world’s most widely used corporate technologies under controlled attack, with researchers targeting Microsoft, Red Hat, VMware, NVIDIA, OpenAI, Anthropic and other platforms used across modern business
Critical security flaws in n8n have exposed how quickly workflow automation platforms can become high-value targets when they connect business systems, credentials, data stores and artificial intelligence tools inside one operating layer. The vulnerabilities affect n8n versions before 1.123.43, 2.20.7 and 2.22.1, with security advisories warning that attackers with workflow creation or modification rights could combine weaknesses to achieve remote code execution on affected servers. The most serious issues carry critical severity ratings and could allow compromise of the host running
Users of JDownloader have been warned to check systems and delete suspicious installer files after attackers compromised the project’s official website and redirected selected Windows and Linux downloads to malware-laced files during a narrow but serious exposure window on May 6 and May 7, 2026. The breach affected users who downloaded the Windows “Download Alternative Installer” or the Linux shell installer from jdownloader.org during that period. The main software packages were not altered. Instead, attackers changed website links so that
Gunra ransomware has expanded from a relatively narrow Windows-focused threat into a structured cybercrime franchise, raising concern among security teams as its operators shift from a Conti-derived locker to their own Ransomware-as-a-Service model. The group, first observed in April 2025, initially drew attention after attacks on five companies in South Korea. Its early malware showed similarities to Conti, the once-dominant ransomware operation whose leaked source code reshaped the criminal market by allowing newer gangs to recycle and adapt proven encryption techniques.
Security teams are assessing two publicly released proof-of-concept exploits that target Windows BitLocker protections and privilege controls, widening concern over exposure on enterprise systems after Microsoft’s May security update cycle. The exploits, identified as YellowKey and GreenPlasma, were published by a security researcher using the online name Nightmare-Eclipse, also known as Chaotic Eclipse. Both flaws remain unpatched, with one focused on bypassing BitLocker drive protections and the other aimed at gaining SYSTEM-level privileges through Windows internals. YellowKey has drawn the sharper attention
Microsoft Edge, Windows 11 and AI infrastructure tools were breached on the opening day of Pwn2Own Berlin 2026, underscoring how quickly security researchers are finding weaknesses across browsers, operating systems and enterprise artificial intelligence platforms. The contest, staged alongside OffensiveCon in Berlin on 14 May, produced 24 unique zero-day vulnerabilities and $523,000 in rewards on its first day. The results placed DEVCORE at the top of the early Master of Pwn rankings after a standout exploit against Microsoft Edge, while successful
Security teams are racing to contain a high-severity PraisonAI flaw after exploitation attempts were detected within hours of public disclosure, underscoring how quickly attackers are probing exposed artificial intelligence infrastructure. The vulnerability, tracked as CVE-2026-44338, affects PraisonAI versions from 2.5.6 to before 4.6.34. It stems from a legacy Flask API server shipped with authentication disabled by default. Where that server is reachable over a network, any unauthorised caller can access the /agents endpoint and trigger the configured agents.yaml workflow through
A suspected China-linked hacking group attempted to breach the India operations of a global manufacturer using TencShell, a previously undocumented malware implant built from an open-source command-and-control framework and adapted for stealthy enterprise intrusion. The attempted compromise, detected in April 2026, centred on a third-party user connected to the manufacturer’s environment, underscoring the growing security risks created by supplier, contractor and partner access. The attack was blocked before the operator could establish persistent remote control, but the tools and tradecraft observed
A critical flaw in the Burst Statistics WordPress plugin has put more than 200,000 websites at risk of unauthorised administrator access, intensifying concern over the security of third-party tools used across the world’s most popular content management system. The vulnerability, tracked as CVE-2026-8181, affects Burst Statistics versions 3.4.0 through 3.4.1.1 and carries a CVSS severity score of 9.8, placing it in the critical category. A patched version, 3.4.2, has been released, and website administrators using the plugin have been urged to
Cybercrime operators linked to TeamPCP and BreachForums have turned software supply-chain compromise into a public contest, offering a $1,000 prize for the largest open-source package breach and raising fears that attacks on developer ecosystems are being normalised as competitive sport. Announced on underground channels and amplified by threat-intelligence trackers, the campaign asks participants to use Shai-Hulud-linked tooling to compromise package ecosystems. The prize is modest, but the format is significant: it reframes operational intrusion as a community challenge, encouraging copycat
A newly documented malware framework has exposed how attackers are turning open-source offensive tools into stealthy intrusion platforms capable of screen control, browser data access and Windows privilege escalation. The framework, tracked as TencShell, was detected during an attempted attack on a global manufacturing organisation through a third-party connection at its India site. The operation was blocked before attackers could establish lasting control, but the technical evidence points to a carefully staged campaign designed to hide inside ordinary enterprise traffic while
Iran-linked cyber-espionage operators have used trusted, digitally signed software components to breach organisations across four continents, widening concerns over state-backed campaigns that hide inside legitimate enterprise tools. Seedworm, also tracked as MuddyWater, Temp Zagros, Static Kitten and Mango Sandstorm, has been linked to intrusions affecting at least nine organisations in early 2026. The victims included a major South Korean electronics manufacturer, public-sector bodies, an international airport in the Middle East, industrial manufacturers in Southeast Asia, a financial services provider in Latin
Microsoft’s BitLocker encryption faces renewed scrutiny after a public proof-of-concept exploit showed how protected Windows drives could be accessed through the recovery environment without the recovery key under specific physical-access conditions. The vulnerability, named YellowKey by the researcher using the aliases Nightmare-Eclipse and Chaotic Eclipse, targets the interaction between Windows Recovery Environment and BitLocker-protected volumes. The public demonstration indicates that an attacker with physical access to a device may be able to use a prepared USB drive and boot into recovery
Foxconn has confirmed a cyberattack on some of its North American factories after the Nitrogen ransomware group claimed it stole 8 terabytes of data and more than 11 million files from the world’s largest electronics contract manufacturer. The company said its cybersecurity team activated response measures to protect production and deliveries, with affected factories returning to normal operations. The statement did not identify the number of sites hit, the point of intrusion, whether customer data was compromised, or whether any
Security researchers have released a proof-of-concept attack that can unlock BitLocker-protected Windows 11 drives within minutes on systems that remain exposed to a legacy Secure Boot trust path, sharpening concern over the limits of software patching when certificate revocation has not been completed. The technique, called BitUnlocker, targets CVE-2025-48804, a BitLocker security-feature bypass tied to Windows Recovery Environment handling and physical access to a machine. The attack does not require stolen account credentials or malware already running inside Windows. Its
Checkmarx customers using Jenkins pipelines have been urged to review their environments after a modified version of the company’s Jenkins AST plugin was pushed to the official Jenkins Marketplace, extending a wider software supply chain campaign tied to compromised developer tooling. The affected release has been identified as version 2026.5.09 of the Checkmarx AST Scanner plugin, distributed as tampered HPI, JAR and POM artifacts. The exposed window ran from 01:25 UTC on May 9 to 08:47 UTC on May 10, creating
Android users across parts of Europe face a sharper mobile-fraud threat after a redesigned TrickMo variant began targeting banking, fintech, cryptocurrency wallet and authenticator applications with stronger stealth, persistence and network-control features. The malware, tracked as TrickMo C, does not appear to be a wholly new family. It is an overhaul of a known Android banking trojan that has been under active development for years, with its operators now shifting emphasis from visible new victim-facing functions to deeper architectural changes that
Mac users searching for Claude downloads are being targeted through sponsored Google results that lead to legitimate-looking Claude shared chats carrying malicious installation instructions, exposing a weakness in how trusted platforms can be misused to deliver malware. The campaign centres on users looking for Claude or Claude Code for macOS. Instead of relying only on fake websites, the attackers are placing paid search ads that display the claude.ai domain and then direct users to publicly shared Claude conversations. Those pages
Attackers used a fake Hugging Face repository posing as an OpenAI privacy tool to spread credential-stealing malware to Windows users, exposing a widening security gap in the fast-growing market for open AI models. The repository, named Open-OSS/privacy-filter, climbed to the top of Hugging Face’s trending list and recorded about 244,000 downloads before access was disabled. Its model card closely mirrored OpenAI’s legitimate Privacy Filter project, a tool designed to detect and redact personally identifiable information in unstructured text. That imitation gave
Cybersecurity teams are tracking a stealthy espionage-style malware operation that uses GitHub Releases to hide a Python-based infostealer behind humanitarian-themed phishing material aimed at Russian-speaking targets. The campaign, tracked as Operation HumanitarianBait, begins with phishing emails carrying a RAR archive that contains a malicious Windows shortcut file. The lure presents itself as a Russian-language humanitarian aid request or application form, exploiting a sensitive social context while keeping the victim’s attention on a decoy document as the infection chain runs silently in
Cybersecurity teams are racing to contain attacks against cPanel and WHM servers after a critical authentication bypass flaw opened a path for unauthorised access to hosting control panels used across large parts of the web. The vulnerability, tracked as CVE-2026-41940, affects cPanel & WHM versions after 11.40, including DNSOnly, as well as WP Squared versions up to 136.1.6. It carries a CVSS score of 9.8, placing it in the critical category because an attacker can exploit it remotely without credentials or
Cybercriminals have used artificial intelligence to identify and weaponise a previously unknown software flaw, marking a significant escalation in the use of AI for offensive cyber operations. The attempted campaign targeted a widely used open-source, web-based system administration tool and centred on a zero-day vulnerability that could bypass two-factor authentication when valid user credentials were already available. The operation was disrupted before it could be used in a wider mass-exploitation attack, limiting immediate damage but raising concern across the security industry
Cybercriminals are using fake Claude Code installation pages to push a PowerShell-based information stealer at developers, marking a sharper turn in attacks that exploit the rush to adopt AI coding tools. The campaign impersonates Anthropic’s Claude Code, a command-line assistant used by software teams to write, review and debug code. Victims are drawn through sponsored search results or cloned documentation pages that resemble legitimate installation guides. Instead of installing the tool, the copied command launches a Windows infection chain built around
Cybercriminals are exploiting interest in OpenClaw with a counterfeit installer that delivers a Rust-based information stealer designed to harvest cryptocurrency wallet data, browser secrets and password-manager credentials. The campaign centres on a fake OpenClaw download site and a typosquatted GitHub organisation that impersonates the legitimate open-source AI assistant project. Victims are lured into downloading what appears to be a Windows installer, but the archive instead contains a large malicious executable engineered to avoid routine security checks and frustrate automated analysis. The malware
German and Spanish police have shut down a revived version of Crimenetwork, the German-speaking dark web marketplace that had re-emerged within days of its 2024 takedown, arresting a 35-year-old German citizen at his home in Mallorca under a European arrest warrant. The suspect, from the Recklinghausen district in North Rhine-Westphalia, is accused of building and administering a new technical infrastructure for Crimenetwork after the original platform was dismantled in December 2024. The relaunched marketplace had gathered more than 22,000 users and
Mac users searching for Claude installation help are being targeted by a malvertising campaign that turns Google-sponsored results and legitimate Claude shared-chat pages into a malware delivery route. The campaign, disclosed on 10 May by security researcher Berk Albayrak, uses search ads that appear to point to Anthropic’s real claude.ai domain. Users looking for terms such as “Claude mac download” are led to a shared Claude chat that presents itself as an official “Claude Code on Mac” installation guide and
Windows users seeking Claude-branded desktop tools have been targeted by a fake Anthropic-themed website distributing Beagle, a previously undocumented backdoor delivered through a DLL sideloading chain that gives attackers remote control over infected machines. The campaign used the domain claude-pro[.]com to imitate Claude’s official interface and lure visitors into downloading a supposed Claude-Pro Relay installer aimed at developers working with Claude Code. The fraudulent site copied the visual cues of the real Claude service, including similar colours and fonts, but its