
A critical unauthenticated remote-code-execution flaw in Langflow is under active exploitation, with threat actors deploying XMRig cryptocurrency miners on any instance left exposed to the public internet.

QiAnXin's XLab team has identified a Rust-written, two-stage botnet called RustDuck quietly enlisting home routers, IP cameras, Android TV boxes, and exposed Linux servers into a DDoS-for-hire operation. The headline isn't the size of the swarm. It's how fast the code is changing.

A CVSS 9.8 flaw in Oracle's Payments module lets remote attackers seize full control of EBS instances — no credentials required — and exploitation is already underway.

Microsoft's threat research team caught a malicious Chrome extension impersonating Perplexity AI — one that silently intercepted omnibox input, character by character, before users ever saw a search result.

The National Association of Insurance Commissioners confirms attackers exploited an unpatched vulnerability in an internet-facing PeopleSoft server, while disputing the extortion crew's characterization of what was actually stolen.

JFrog researchers found attackers who compromised two legitimate npm maintainer accounts and built a Go module cluster to deliver a Python stealer — hiding execution inside VS Code workspace task definitions rather than the lifecycle hooks most tools actually scan.

A high-severity vulnerability in Amazon's AI coding assistant allowed a hostile repository to hijack ambient AWS credentials the moment a developer clicked 'trust workspace.' Amazon has shipped a patch.

Four security developments from one week paint a coherent picture: surveillance tools reach beyond their intended users, AI threats are operational not theoretical, Mac endpoints carry real risk, and social-engineering crews face real prison time.

Australia's domestic intelligence chief confirmed a foreign state actor had harvested valid login credentials from privileged IT accounts inside a critical infrastructure operator — and was positioned for sabotage, not passive surveillance.

Palo Alto Networks Unit 42 has identified a previously unknown implant — TinyRCT — deployed by an intrusion cluster called CL-STA-1062 against state-owned energy enterprises and government ministries across Southeast Asia.

GRU and FSB-linked operators impersonated tech-support staff and trusted contacts to hijack Signal, Telegram, and WhatsApp accounts belonging to soldiers, politicians, and activists in Ukraine, Europe, and the United States.

Kaspersky researchers tracking a campaign called StrikeShark have identified a previously undocumented loader family dropping Cobalt Strike Beacon on a diplomatic organization in Indonesia and government targets in Taiwan — a targeting profile that points squarely to state-sponsored espionage.

A CVSS 9.3 vulnerability in PTC Windchill and FlexPLM — software trusted by defense contractors, aerospace primes, and automotive manufacturers — is under active exploitation, with attackers establishing persistent backdoors inside some of the most sensitive engineering environments on earth.

The FBI and CISA have updated their advisory on Russian intelligence operators targeting Signal users, warning that attackers have shifted tactics from linked-device hijacking to stealing the Backup Recovery Key — a credential that grants permanent, silent access to a user's full message history.

The former Coinbase security chief takes over at Uber — a company whose breach record, regulatory scrutiny, and expanding data footprint make the hire one of the more consequential CISO appointments in recent memory.

A widely installed ad-blocking extension holds code that can fetch and run arbitrary JavaScript on any page a user visits. No malicious payload has been observed yet. That 'yet' is the problem.

The Industrial Control Systems Cybersecurity Conference returns October 6–8, 2026, at the W Nashville for its 25th anniversary — a milestone that invites hard questions about how much the field has actually changed.

CVE-2026-20245 gave attackers root on enterprise WAN gear while defenders had no patch to apply — and possibly no idea the intrusion was happening.

A threat group called Woodgnat has deployed a custom in-memory backdoor since at least April 2025, quietly auctioning enterprise access to some of the most active ransomware gangs operating today.

CVE-2025-67038 scores a 9.8 CVSS and is already being exploited in the wild. Federal agencies have until June 26, 2026 to patch — a deadline that tells you nothing about how fast attackers are moving right now.

The U.S. government mandates a nationwide shift to quantum-resistant cryptography by 2030, impacting federal agencies and contractors.

A heap out-of-bounds write in FFmpeg's MagicYUV decoder — CVE-2026-8461 — can crash applications or hand attackers remote code execution via a 50 KB video file.

A financially motivated initial access broker has been running brute-force and credential-stuffing attacks against internet-exposed FortiGate appliances since February 2026 — and the TTPs are textbook, repeatable, and preventable.

An active, multi-continent campaign sends malicious Visual Basic Script files over WhatsApp to sideload commercial remote-monitoring software — and most endpoint controls never fire.

A new default in actions/checkout v7, announced June 18, automatically blocks unreviewed fork code from running inside privileged workflows — closing an exploit path that attackers had used for years to steal secrets and poison packages.

Attackers compromised ShapedPlugin's build and distribution pipeline, silently delivering malicious code to paying customers who did everything right.

A new INTERPOL threat report finds cybercrime accelerating across Asia and the South Pacific, with phishing driving initial access, ransomware hitting under-resourced nations hardest, and generative AI removing the last natural barriers to mass fraud.

Apple quietly patched a Bluetooth vulnerability in Beats firmware, Google Cloud's Config Connector carries an unpatched privilege-escalation bug, and the threat group Velvet Ant spent roughly ten years undetected inside a target network. Here is what defenders need to know — and do — right now.

A Dutch-led coalition spanning four countries has taken down command-and-control servers powering the SocGholish malware loader and force-remediated nearly 15,000 compromised websites — marking the latest phase of the largest coordinated botnet-disruption effort in history.

GentleKiller blends signed-driver abuse with a hardcoded hit list of roughly 400 security processes — and every Gentlemen affiliate gets it as standard kit.

France's president is urging wealthy democracies to treat advanced AI governance as a shared responsibility, not a domestic footnote. The gap between political will and enforceable policy remains dangerously wide.

An unauthenticated information-disclosure flaw in the popular WordPress mailer plugin is already under active attack, putting API keys, OAuth tokens, and SMTP credentials at risk on up to 100,000 websites.

A working tethered exploit from Paradigm Shift reaches code burned into the chip at fabrication — and no software update on earth can fix it.

The Vancouver-based competitive intelligence platform says attackers stole OAuth tokens and used them to reach customer Salesforce tenants — adding another entry to a growing list of SaaS-to-CRM supply-chain breaches.

A May 2024 breach of The Gentlemen ransomware-as-a-service platform exposed the group's 'GentleKiller' framework — a pre-packaged tool that lets low-skill affiliates disable enterprise endpoint detection and response software at the kernel level.

A CVSS 8.8 authorization bug in the Airoha Bluetooth audio SDK let any attacker within radio range pair with Studio Buds without the owner's knowledge — and potentially capture microphone audio.

Researchers from Synthient and Qurium traced four years of Android TV box traffic-relaying back to infrastructure connected to NetNut, the residential proxy service owned by Israel's Alarum Technologies — raising hard questions about where legitimate proxy networks end and silent botnets begin.

A use-after-free in NGINX's HTTP/3 module earns a CVSS v4 score of 9.2 — and any deployment with QUIC enabled should treat the patch as same-day work.

A commodity intrusion at a small French automotive business exposed a gap most incident-response playbooks still miss: killing the command-and-control beacon does not end the incident if the attacker already installed OpenSSH and Tailscale.

A signal Google once condemned as a privacy circumvention becomes official ad infrastructure. The ICO is watching. So should your identity and threat-detection teams.

A privilege-escalation zero-day in the Malware Protection Engine — the scanning core shared by every supported Defender variant — has been confirmed by Microsoft, with no patch yet shipped.

Widget Factory's JCE extension contains an unauthenticated arbitrary file-write vulnerability that attackers are already burning in the wild. Federal agencies have three weeks to patch. Everyone else should move faster.

BabaDeda, Lorem Ipsum, and Potemkin loaders all use the same clipboard-paste attack pattern — and education and finance organizations absorbed the bulk of April 2026 hits.

A bucket-squatting vulnerability in the Google Cloud Vertex AI Python SDK let an unauthenticated attacker intercept ML model uploads and run arbitrary code inside Google's managed serving infrastructure — no project credentials required.

CVE-2026-54420 carries a CVSS score of 8.5 and hands attackers root-level control over shared hosting servers. Federal agencies must patch by June 18, 2026. Everyone else should move faster.

Federal agents pulled two of the internet's busiest deepfake nude sites offline, marking the first publicly announced domain seizure under a law signed just weeks ago.

The DPRK-linked threat cluster known as Contagious Interview has added a deceptively simple new lure to its arsenal: a polite request to review some code.

Attackers rewrote PKGBUILD scripts across more than 400 Arch User Repository packages, turning the normal build process into a credential-harvesting operation — with a kernel-level rootkit waiting for any build that ran as root.

A China-nexus threat actor planted rogue authentication modules on victim networks and stayed undetected for close to ten years — by targeting the one layer most incident-response playbooks quietly trust.

The FBI, Google, and Lumen's Black Lotus Labs jointly knocked a Chinese phishing-as-a-service operation offline after it registered nearly one million malicious domains. The AI angle is real — but narrower than headlines suggest.

Faced with an export-control-style directive it disputes, Anthropic suspended two frontier AI models worldwide rather than build nationality-gated access infrastructure. The standoff raises hard questions about who controls frontier AI and how.

Splunk addresses a severe flaw in its Enterprise software that could allow unauthenticated users to execute arbitrary code.

No malware, no nation-state tradecraft — just valid credentials that nobody revoked. A disgruntled ex-employee deleted accounts and disrupted classrooms for months before federal charges ended it.

The Trump administration's push to treat frontier AI as dual-use technology forced Anthropic to pull two models entirely — a compliance signal that reshapes how AI labs think about regulatory risk.

A pseudonymous researcher dropped an alleged Windows Recovery Environment exploit days after Patch Tuesday. A respected vulnerability analyst couldn't replicate it. The researcher is already hunting a workaround.

Attackers hijacked more than 400 community-maintained Arch User Repository packages this week, silently modifying build scripts to drop a Rust-based credential harvester — and, when the build ran as root, an eBPF rootkit capable of hiding itself from every standard Linux detection tool.

A hobbyist find targeting XML configuration files in the Windows Recovery Environment exposes a fundamental gap in full-disk encryption's trust model — and no Microsoft patch exists yet.

A write-anywhere bug in the popular open-source AI workflow builder carries a CVSS 8.8 score and is already seeing opportunistic mass exploitation — patch immediately or assume compromise.

The extortion crew tracked as UNC6240 spent May 27 through June 9 inside university PeopleSoft environments — stealing student records, HR files, and financial data — while Oracle's advisory sat unpublished.

GitHub's decision to disable lifecycle hooks in npm 12 removes the single most-abused primitive in JavaScript supply chain attacks. Here is what defenders, DevOps teams, and security engineers need to know before the cutover.

GitHub's decision to disable automatic lifecycle script execution in npm v12 closes a well-worn supply chain attack path — but security engineers warn the threat is far from finished.

A new binding directive replaces severity-score timelines with a four-factor risk model. Federal agencies must remediate the highest-risk vulnerabilities within 72 hours. The rest of the industry should be paying close attention.

An exploit named RoguePlanet has surfaced, targeting Microsoft Defender with a local privilege escalation vulnerability, raising security concerns.

Microsoft addresses a record number of vulnerabilities amid AI-assisted bug discoveries and a high-profile researcher threatening further zero-day releases.

The June 2026 cumulative update for Windows 10 22H2 Extended Security Updates enrollees bundles this month's vulnerability fixes and adds diagnostic hooks for a looming Secure Boot certificate transition that could leave unpatched systems open to bootkit attacks.

A federal jury awarded Meta roughly $168 million in May after NSO's Pegasus spyware abused a WhatsApp voice-call flaw in 2019. Now Meta says NSO's operators are back — this time with social-engineering lures — and is asking a judge to hold the vendor in contempt.

CVE-2026-20245 lets an authenticated attacker escalate to root through the CLI. Mandiant reported the bug after spotting real intrusions, and Cisco has confirmed unauthorized configuration changes in the wild.

A weaponized proof-of-concept for a use-after-free in nf_tables dropped on June 8, 2026 — four months after the upstream fix — and it works reliably against hardened kernels with KASLR and SMAP enabled.

A self-replicating campaign is chaining stolen developer tokens into an ever-widening blast radius — and Microsoft's own GitHub organizations were not immune.

An autonomous AI fuzzer exposed 21 previously unknown vulnerabilities in the media library embedded in nearly every video-capable product on earth. Days later, Google released Chrome 149 with 429 patches — the largest single browser security update on record. Neither story is routine.

A financially motivated extortion crew is impersonating IT staff over the phone, tricking employees into handing over remote access, and exfiltrating privileged client files before most firms even open a help ticket.

CVE-2026-28318 crashes the Serv-U file transfer service in the wild. Federal agencies have roughly three weeks to patch. Everyone else should treat that deadline as their own.

A reverse-engineering of Bright Data's iOS SDK reveals how consumer apps — including always-on televisions — quietly enlist household devices as exit nodes in a massive residential proxy network increasingly serving AI data demands.

A single crafted link was enough to drain a developer's GitHub OAuth token from the browser-based VS Code editor — granting read/write access to private repositories with no second click required.

A high-severity authorization vulnerability in Cisco's SD-WAN control plane is under active attack across on-premises, cloud, and FedRAMP deployments. Cisco has confirmed exploitation and has not yet released a fix.

A new --cooldown flag for Bundler delays installation of freshly published gems, buying defenders the time attackers have long exploited.

JFrog researchers caught two parallel attacks inside the npm registry — one hiding inside the Linux kernel, the other replicating across 50-plus packages by hijacking maintainer credentials.

A threat actor quietly converted compromised business workloads on three major cloud platforms into a verified mail-relay network, refreshing its inventory every five minutes and burning victims' IP reputations in the process.

A Commerce Department watchdog formally faulted NIST for strategic failures, duplicated enrichment work, and CVSS scores so inconsistent that independent evaluators agreed with them barely one time in eight.

A China-linked threat crew is cycling through commodity and custom malware at an unusually fast clip — and it has started targeting organizations far outside its traditional Asia-Pacific base.

A May 18 coordinated takedown froze $3.8 million in crypto and pulled millions of social-media and email accounts linked to Southeast Asian fraud compounds. The dollar figure is almost beside the point.

A malicious Jupyter notebook, a bypassed publisher trust check, and a single browser tab were all an attacker needed to steal an OAuth token granting access to every repository tied to a GitHub account.

A use-after-free flaw in Redis's blocking-client code went undetected from version 7.2.0 until patches landed on May 5, 2025 — and it took an autonomous AI auditing tool, not a human researcher, to surface it.

A malware-as-a-service operation active since January 2026 is using YouTube tutorials and fake Minecraft clients to silently hand attackers full remote control of victims' machines — and the infection count keeps climbing.

CVE-2024-21182 earned a CVSS 7.3 score and a July 2024 Oracle patch. Neither was enough to stop threat actors from finding the organizations that never bothered.

A critical unauthenticated privilege-escalation flaw in the WP Maps Pro plugin lets anyone register a full administrator account — no login, no phishing, no waiting. Active exploitation is already underway.

A sophisticated campaign named Miasma has weaponized npm packages tied to the Red Hat ecosystem, silently harvesting developer credentials and burrowing into CI/CD pipelines the moment a compromised package lands on disk.

An unknown actor targeted the 2FA layer on personal-plan accounts on May 31, 2026. The vaults left the server encrypted. Whether they stay that way depends entirely on how strong each user's master password is.
Phishing remains the number one attack vector for cyber criminals. Learn the telltale signs of a phishing email and how to protect yourself and your organisation from these increasingly sophisticated attacks.

Compromised credentials are implicated in the majority of hacking-related breaches. Discover best practices for creating and managing strong passwords, implementing MFA, and using password managers across your organisation.

Attackers don't just hack computers — they hack people. Understand the psychology behind social engineering attacks and how to train your team to recognise manipulation tactics.

Ensure your organisation meets GDPR requirements with our comprehensive training checklist. From data handling procedures to breach notification protocols, cover all the essentials.

When a security incident occurs, every minute counts. This guide walks through the critical first 24 hours of incident response, from detection to containment and communication.

With hybrid work becoming the norm, securing remote environments is essential. Learn about VPN best practices, secure home networks, and protecting sensitive data outside the office.
