// Articles
389 articles — page 10 of 17
Progress MOVEit Automation — Critical Authentication Bypass Vulnerability Disclosed, Patch Immediately
Progress Software has disclosed a critical authentication bypass vulnerability in MOVEit Automation, the workflow automation component of the MOVEit managed file transfer platform. Given MOVEit's history as the most mass-exploited enterprise application of 2023 (Cl0p ransomware, 2,700+ organisations), any new critical vulnerability requires emergency patching. Organisations should apply the patch and review automation workflow configurations before exploitation begins.
Wireshark CVE-2026-5656 — Remote Code Execution via Malicious PCAP File, Update to 4.4.6
A code execution vulnerability in Wireshark's PCAP/PCAPNG file parser allows a malicious capture file to trigger arbitrary code execution when opened by an analyst. CVE-2026-5656 affects all Wireshark versions prior to 4.4.6 across Windows, macOS, and Linux. The attack vector is especially concerning for security teams that open externally-sourced capture files during incident response or threat hunting — update Wireshark to 4.4.6 immediately.
AccountDumpling Abuses Google AppSheet as Legitimate Phishing Relay to Compromise 30,000 Facebook Accounts
The AccountDumpling campaign has compromised approximately 30,000 Facebook accounts by routing phishing emails through Google AppSheet — a legitimate no-code application platform — to bypass spam filters and email security gateways. The technique exploits trusted sender reputation of Google infrastructure and demonstrates the growing difficulty of filtering phishing delivered through legitimate SaaS platforms.
Two Former Cybersecurity Professionals Sentenced to Four Years for BlackCat/ALPHV Ransomware Operations
A US federal court has sentenced two individuals with professional cybersecurity backgrounds to four-year prison terms for their roles in the BlackCat/ALPHV ransomware-as-a-service operation, marking a notable law enforcement outcome that demonstrates insider security knowledge is not a prosecution shield. The sentences follow guilty pleas and cooperation with investigators.
Cordial Spider and Snarky Spider Drive Multi-Sector SaaS Account Takeover via Vishing and SSO AiTM Attacks
Two newly-designated threat actor clusters — Cordial Spider (UNC6671) and Snarky Spider (UNC6661) — are conducting coordinated vishing and adversary-in-the-middle SSO phishing campaigns against enterprise organisations across finance, technology, and logistics sectors, bypassing MFA to harvest persistent OAuth tokens. Organisations should review SSO conditional access policies and verify help desk vishing verification procedures.
EtherRAT Uses Ethereum Blockchain Transactions as Immutable C2 Channel — Campaign Targeting Government and Finance
Researchers have disclosed EtherRAT, a remote access trojan that encodes command-and-control instructions directly into Ethereum blockchain transactions, creating a C2 channel that cannot be taken down, domain-blocked, or sinkholed. Active campaigns have targeted government and financial organisations in Eastern Europe and the Middle East.
Three Critical Buffer Overflow Vulnerabilities Disclosed in Hashcat — Penetration Testing Toolchain at Risk
Security researchers have disclosed three buffer overflow vulnerabilities (CVE-2026-42482, CVE-2026-42483, CVE-2026-42484) in Hashcat, the widely-used open-source password recovery and penetration testing tool. The flaws can be triggered via maliciously crafted hash files or wordlists and may allow code execution in environments where Hashcat processes untrusted input — including shared red team infrastructure and automated password auditing pipelines.
Instructure (Canvas LMS) Discloses Cybersecurity Incident — Scope of Student and Faculty Data Exposure Under Investigation
Instructure, the company behind Canvas Learning Management System used by thousands of universities and K-12 school districts globally, has disclosed a cybersecurity incident affecting an internal infrastructure component. The scope of student, faculty, and institutional data potentially exposed is under forensic investigation. Institutions running Canvas should activate their incident response contact with Instructure and review data sharing scope.
China-Linked SHADOW-EARTH-053 Targets Asian Governments and NATO Member With ShadowPad Implants
Security researchers have attributed a sustained intrusion campaign against at least seven government ministries across Southeast and Central Asia — and one NATO member state's foreign affairs ministry — to the China-nexus cluster SHADOW-EARTH-053, operating the ShadowPad remote access trojan. The campaign exploits legacy Microsoft Exchange vulnerabilities for initial access and uses living-off-the-land techniques to evade detection.
ConsentFix v3 Automates Azure OAuth Abuse at Scale — MFA-Bypassing Phishing Platform Circulating on Forums
The third iteration of the ConsentFix Azure OAuth phishing toolkit has been observed circulating on cybercriminal forums, adding Pipedream-powered automation to the consent flow abuse technique that allows attackers to gain persistent access to Microsoft 365 tenants without requiring MFA. Enterprise security teams should review conditional access policies governing OAuth app registrations and user consent.
'Sorry' Ransomware Deploys en Masse via cPanel CVE-2026-41940 — 44,000 Hosts Compromised Within 48 Hours of Patch
A ransomware group tracking as 'Sorry' has leveraged the recently-patched cPanel/WHM authentication bypass (CVE-2026-41940) to compromise at least 44,000 web hosting servers globally, deploying a Go-compiled Linux encryptor within 48 hours of the vulnerability's public patch release. The speed of mass exploitation underscores the extreme urgency of applying the cPanel/WHM hotfix.
DEEP#DOOR: Python Backdoor Abuses Cloudflare Tunnels to Bypass Network Detection and Exfiltrate Credentials
Securonix researchers have disclosed DEEP#DOOR, a Python-based backdoor framework that routes command-and-control traffic through legitimate Cloudflare Tunnel infrastructure to evade network security controls. The malware establishes persistence via multiple mechanisms, disables Windows security features at installation, and specifically targets browser-stored passwords, session tokens, and cloud provider credentials.
Linux CopyFail LPE Added to CISA KEV With Active Exploitation Confirmed — CVE-2026-31431
CISA has added CVE-2026-31431 — the Linux kernel copy-on-write race condition LPE disclosed last week as 'CopyFail' — to the Known Exploited Vulnerabilities catalogue following confirmed active exploitation. All major Linux distributions have patches available. Federal agencies face a May 20 remediation deadline and all enterprise organisations should treat kernel patching as urgent.
PyTorch Lightning PyPI Package Compromised — Credential-Stealing Payload Delivered to AI/ML Development Environments
PyTorch Lightning versions 2.6.2 and 2.6.3 on PyPI were found to contain a credential-stealing postinstall payload, extending the Mini Shai-Hulud supply chain campaign that previously compromised SAP's official npm packages. Organisations running AI/ML workloads should audit Python environments and rotate any credentials stored on affected development or CI/CD systems.
Trellix Confirms Source Code Repository Breach — Forensic Investigation Underway
Cybersecurity vendor Trellix has confirmed unauthorised access to an internal source code repository, with law enforcement notified and a forensic investigation ongoing. The breach raises concerns about potential weaponisation of security product internals against Trellix's enterprise customer base.
DPRK Scales npm Malware Campaign With AI-Generated Code, Fake Tech Firms, and Remote RAT Deployment
North Korean threat actors have launched a new wave of npm supply chain attacks using AI-generated malicious package code that bypasses static analysis tools, fake software development firms as cover identities, and a multi-stage RAT that exfiltrates source code, cryptographic keys, and credentials from developer workstations. The campaign targets blockchain, DeFi, and fintech developers — organisations in these sectors should audit npm dependencies and developer machine security.
FBI Warns of $725M Cyber-Enabled Cargo Theft Wave Targeting Transportation and Logistics
The FBI has issued a warning documenting a sharp surge in cyber-enabled cargo theft targeting the US transportation and logistics industry, with losses exceeding $725 million in 2025. Criminal organisations use phishing, broker impersonation, and freight marketplace account takeovers to divert physical shipments. Supply chain security teams and freight brokers should treat this advisory as a direct threat to physical goods in transit.
GitHub Enterprise Server CVE-2026-3854 — Critical RCE via Single Git Push, No Authentication Required
CVE-2026-3854, a critical-severity remote code execution vulnerability in GitHub Enterprise Server, allows an attacker to execute arbitrary code on the server with a single specially crafted Git push, requiring no authentication. Any internet-exposed or internally-accessible GHES instance is vulnerable. GitHub has released hotfixes across all supported branches; apply immediately.
Linux 'CopyFail' Kernel Privilege Escalation — Root Access on All Major Distributions Since 2017
A newly weaponised local privilege escalation vulnerability in the Linux kernel's copy-on-write mechanism allows unprivileged local users to gain root access on virtually all major Linux distributions running kernels from 2017 onwards. A working public exploit has been released. Kernel patches are available; organisations running Linux servers, containers, and cloud instances should patch immediately.
PhantomRPC — Unpatched Windows Privilege Escalation Technique Abuses COM Server Activation
Security researchers have disclosed PhantomRPC, an unpatched local privilege escalation technique in Windows that abuses the COM server activation mechanism to elevate from standard user to SYSTEM without triggering standard EDR alerts. Microsoft has acknowledged the report but not committed to a patch timeline. Defenders should implement mitigation controls; red teams should incorporate this technique into assessments.
VECT 2.0 Ransomware Irreversibly Corrupts Files Over 131KB on Windows, Linux, and ESXi
VECT 2.0 is a new cross-platform ransomware variant that partially corrupts files larger than 131KB rather than encrypting them — rendering files permanently unrecoverable even after ransom payment, as the overwritten data cannot be reconstructed. Active campaigns have targeted manufacturing, logistics, and healthcare. Standard backup-based recovery strategies may fail against VECT 2.0 if backups were mounted or reachable at the time of attack.
cPanel and WHM CVE-2026-41940 — CVSS 9.8 Authentication Bypass Exploited as Zero-Day Before Patch
CVE-2026-41940, a CVSS 9.8 authentication bypass in cPanel and WHM web hosting control panel software, was exploited in the wild before the vendor issued a patch. All versions from 11.40 onwards are affected. Proof-of-concept code is now public. Web hosting providers, managed service providers, and any organisation running cPanel/WHM for server management should apply the emergency patch immediately.
Jenkins GitHub Plugin CVE-2026-42523 — CVSS 9.0 Stored XSS Enables Pipeline Hijacking and Secret Extraction
CVE-2026-42523, rated CVSS 9.0, is a stored cross-site scripting vulnerability in the Jenkins GitHub Plugin 1.46.0 and earlier. Exploitation allows an attacker with job creation rights to inject malicious JavaScript that executes in the browser of any Jenkins administrator who views the affected job — enabling session hijacking, secret extraction, and full pipeline takeover. Update to GitHub Plugin 1.46.1 or later.
Official SAP npm Packages Compromised to Steal Enterprise Developer Credentials
Threat actors compromised official SAP npm packages to insert credential-harvesting code targeting enterprise developers working on SAP integration projects. The malicious packages exfiltrate environment variables, SSH keys, and cloud credentials from developer workstations. Enterprise teams using SAP npm packages in their CI/CD pipelines should audit package integrity and rotate potentially exposed credentials.