BuzzSec

A critical security vulnerability impacting the Funnel Builder plugin for WordPress has come under active exploitation in the wild to inject malicious JavaScript code into WooCommerce checkout pages with the goal of stealing payment data. Details of the activity were published by Sansec this week. The vulnerability currently does not have an official CVE identifier. It from The Hacker News https://thehackernews.com/2026/05/funnel-builder-flaw-under-active.html

Article about the bigfin squid. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. from Schneier on Security https://www.schneier.com/blog/archives/2026/05/friday-squid-blogging-bigfin-squid.html

The Russian state-sponsored hacking group known as Turla has transformed its custom backdoor Kazuar into a modular peer-to-peer (P2P) botnet that's engineered for stealth and persistent access to compromised hosts. Turla, per the U.S. Cybersecurity and Infrastructure Security Agency (CISA), is assessed to be affiliated with Center 16 of Russia's Federal Security Service (FSB) from The Hacker News https://thehackernews.com/2026/05/turla-turns-kazuar-backdoor-into.html

It's getting harder to distinguish legitimate emails from malicious ones as phishing messages mimic real conversations, use trusted domains and increasingly leverage AI to scale and refine attacks. from KnowBe4 Blog https://blog.knowbe4.com/why-integrate-threat-intelligence-feeds-into-email-security

Cybersecurity researchers have disclosed a set of four security flaws in OpenClaw that could be chained to achieve data theft, privilege escalation, and persistence. The vulnerabilities, collectively dubbed Claw Chain by Cyera, can permit an attacker to establish a foothold, expose sensitive data, and plant backdoors. A brief description of the flaws is below - from The Hacker News https://thehackernews.com/2026/05/four-openclaw-flaws-enable-data-theft.html

Researchers at Bitdefender are tracking 40 separate SMS phishing (smishing) campaigns impersonating transport authorities, toll operators, and parking services around the world. The researchers have observed more than 79,000 scam text messages with over 29,000 unique variants. The attacks are targeting users in multiple languages. from KnowBe4 Blog https://blog.knowbe4.com/traffic-themed-sms-phishing-global-campaigns

Cybersecurity researchers are sounding the alarm about what has been described as "malicious activity" in newly published versions of node-ipc. According to Socket and StepSecurity, three different versions of the npm package have been confirmed as malicious - node-ipc@9.1.6 node-ipc@9.2.3 node-ipc@12.0.1 "Early analysis indicates that node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1 from The Hacker News https://thehackernews.com/2026/05/stealer-backdoor-found-in-3-node-ipc.html

Everything is still on fire. This week feels dumb in the worst way — bad links, weak checks, fake help desks, shady forum posts, and people turning supply chain attacks into some cursed little game for clout and cash. Half of it feels new. Half of it feels like crap we should have fixed years ago. The mess keeps getting louder: users get tricked, boxes get popped, tools meant for normal work from The Hacker News https://thehackernews.com/2026/05/threatsday-bulletin-pan-os-rce-mythos.html

This is a current list of where and when I am scheduled to speak: I’m giving a virtual talk on “The Security of Trust in the Age of AI,” hosted by the Financial Women’s Association of New York , at 6:00 PM ET on May 21, 2026. I’m speaking at the Potsdam Conference on National Cybersecurity  at the Hasso Plattner Institut in Potsdam, Germany. The event runs June 24–25, 2026, and my talk will be the evening of June 24. I’m speaking at the Digital Humanism Conference in Vienna, Austria, on Tuesday, June 26, 2026. I’m speaking at the Nuremberg Digital Festival in Nuremburg, Germany, on Wednesday, July 1, 2026. The list is maintained on this page . from Schneier on Security https://www.schneier.com/blog/archives/2026/05/upcoming-speaking-engagements-56.html

A major phishing operation is targeting soccer/football fans ahead of the 2026 FIFA World Cup, which begins in June, according to researchers at Flare. The attackers have set up at least 79 phishing sites impersonating the official FIFA website. from KnowBe4 Blog https://blog.knowbe4.com/phishing-attacks-begin-targeting-the-2026-fifa-world-cup

The Belarus-aligned threat group known as Ghostwriter has been attributed to a fresh set of attacks targeting governmental organizations in Ukraine. Active since at least 2016, Ghostwriter has been linked to both cyber espionage and influence operations targeting neighboring countries, particularly Ukraine. It's also tracked under the monikers FrostyNeighbor, PUSHCHA, Storm-0257, TA445, UAC‑0057 from The Hacker News https://thehackernews.com/2026/05/ghostwriter-targets-ukrainian.html

Researchers at Bitdefender warn that Netflix-themed phishing attacks can have far-reaching consequences if users follow poor security practices. While Netflix is generally associated with a user’s personal life, phishing attacks targeting personal accounts can put users’ employers at risk. from KnowBe4 Blog https://blog.knowbe4.com/warning-netflix-phishing-scams-can-lead-to-serious-consequences

Details have emerged about a new variant of the recent Dirty Frag Linux local privilege escalation (LPE) vulnerability that allows local attackers to gain root access, making it the third such bug to be identified in the kernel within a span of two weeks. Codenamed Fragnesia, the security vulnerability is tracked as CVE-2026-46300 (CVSS score: 7.8) and is rooted in the Linux kernel's XFRM from The Hacker News https://thehackernews.com/2026/05/new-fragnesia-linux-kernel-lpe-grants.html

Cybersecurity researchers have disclosed multiple security vulnerabilities impacting NGINX Plus and NGINX Open, including a critical flaw that remained undetected for 18 years. The vulnerability, discovered by depthfirst, is a heap buffer overflow issue impacting ngx_http_rewrite_module (CVE-2026-42945, CVSS v4 score: 9.2) that could allow an attacker to achieve remote code execution or cause a from The Hacker News https://thehackernews.com/2026/05/18-year-old-nginx-rewrite-module-flaw.html

Introduction The Asia-Pacific and Japan (APJ) region, with its dynamic economic growth and technological advancements, presents unique challenges and opportunities in the realm of human risk management and agentic risk management, particularly within the financial services sector. As financial institutions strive to protect themselves from increasing cyber threats, they must align their security practices with the regulations set forth by central banks across the countries. from KnowBe4 Blog https://blog.knowbe4.com/navigating-the-cybersecurity-landscape-in-india-empowering-human-and-ai-agents

In the ever-evolving world of cybersecurity, staying ahead of the curve is not just a goal—it’s a necessity. As new vulnerabilities emerge, the race to identify and mitigate them begins. But how do we, the guardians of the digital realm, rapidly pinpoint these threats as they become public? Let’s dive into the fascinating world of vulnerability identification and see how the magic happens. The post How to Identify and Exploit New Vulnerabilities appeared first on Black Hills Information Security, Inc. . from Black Hills Information Security, Inc. https://www.blackhillsinfosec.com/how-to-identify-and-exploit-new-vulnerabilities/

A threat actor with affiliations to China has been linked to a "multi-wave intrusion" targeting an unnamed Azerbaijani oil and gas company between late December 2025 and late February 2026, marking an expansion of its targeting. The activity has been attributed by Bitdefender with moderate-to-high confidence to a hacking group known as FamousSparrow (aka UAT-9244), which shares some level of from The Hacker News https://thehackernews.com/2026/05/azerbaijani-energy-firm-hit-by-repeated.html

Introduction The Philippines, like many other nations, is witnessing a dramatic increase in cyber threats, fueled by the rapid adoption of digital technologies and the proliferation of sophisticated cybercriminals. This article examines the evolution of cyber threats in the Philippines, with a focus on phishing, email security and the risks posed by agentic AI. It also highlights the inadequacy of legacy security systems in addressing these challenges and explores the role of KnowBe4's innovative tools, namely Agent Risk Manager (ARM), Collaboration Security and Security Awareness Training , in enhancing cybersecurity preparedness. from KnowBe4 Blog https://blog.knowbe4.com/philippines-cyber-threats-ai-email-security-report

Introduction The Asia-Pacific and Japan (APJ) region, with its dynamic economic growth and technological advancements, presents unique challenges and opportunities in the realm of human risk management and agentic risk management, particularly within the financial services sector. As financial institutions strive to protect themselves from increasing cyber threats, they must align their security practices with the regulations set forth by central banks across the countries. from KnowBe4 Blog https://blog.knowbe4.com/navigating-human-agentic-risks-apj-financial-institutions

Exim has released security updates to address a severe security issue affecting certain configurations that could enable memory corruption and potential code execution. Exim is an open-source Mail Transfer Agent (MTA) designed for Unix-like systems to receive, route, and deliver email. The vulnerability, tracked as CVE-2026-45185, aka Dead.Letter, has been described as a use-after-free from The Hacker News https://thehackernews.com/2026/05/new-exim-bdat-vulnerability-exposes.html

RubyGems, the standard package manager for the Ruby programming language, has temporarily paused account sign ups following what has been described as a "major malicious attack." "We're dealing with a major malicious attack on Ruby Gems right now," Maciej Mensfeld, senior product manager for software supply chain security at Mend.io, said in a post on X. "Signups are paused for the time being. from The Hacker News https://thehackernews.com/2026/05/rubygems-suspends-new-signups-after.html

Phishing attacks are increasingly abusing trusted services to evade security filters, according to VIPRE’s Email Threat Trends Report for Q1 2026. The two primary methods of delivery were compromised accounts at 33% and free email services 32%. Additionally, just under 90% of attacks abused open redirects to mask phishing links. from KnowBe4 Blog https://blog.knowbe4.com/phishing-attacks-abuse-trusted-services-vipre-q1-2026

Cybersecurity researchers have flagged a new version of the TrickMo Android banking trojan that uses The Open Network (TON) for command-and-control (C2). The new variant, observed by ThreatFabric between January and February 2026, has been observed actively targeting banking and cryptocurrency wallet users in France, Italy, and Austria. "TrickMo relies on a runtime-loaded APK  (dex.module), from The Hacker News https://thehackernews.com/2026/05/new-trickmo-variant-uses-ton-c2-and.html

from KnowBe4 Blog https://blog.knowbe4.com/cyberheistnews-vol-16-19-crafty-criminals-continue-to-pose-as-help-desks-in-social-engineering-attacks

OpenAI has launched Daybreak, a new cybersecurity initiative that brings together frontier artificial intelligence (AI) model capabilities and Codex Security to help organizations identify and patch vulnerabilities before attackers find a way in using the same issues. "Daybreak combines the intelligence of OpenAI models, the extensibility of Codex as an agentic harness, and our partners across from The Hacker News https://thehackernews.com/2026/05/openai-launches-daybreak-for-ai-powered.html

Apple on Monday officially released iOS 26.5 with support for end-to-end encryption (E2EE) to Rich Communication Services (RCS) in beta as part of a "cross-industry effort" to replace traditional SMS with a more secure alternative. To that end, E2EE RCS messaging is rolling out to iPhone users running iOS 26.5 with supported carriers and Android users on the latest version of Google Messages. from The Hacker News https://thehackernews.com/2026/05/ios-265-brings-default-end-to-end.html

Checkmarx has confirmed that a modified version of the Jenkins AST plugin was published to the Jenkins Marketplace. "If you are using Checkmarx Jenkins AST plugin, you need to ensure that you are using the version 2.0.13-829.vc72453fa_1c16 that was published on December 17, 2025 or previously," the cybersecurity company said in a statement over the weekend. As of writing, Checkmarx has released from The Hacker News https://thehackernews.com/2026/05/teampcp-compromises-checkmarx-jenkins.html

A threat actor named Mr_Rot13 has been attributed to the exploitation of a recently disclosed critical cPanel flaw to deploy a backdoor codenamed Filemanager on compromised environments. The attack exploits CVE-2026-41940, a vulnerability impacting cPanel and WebHost Manager (WHM) that could result in an authentication bypass and allow remote attackers to gain elevated control of the control from The Hacker News https://thehackernews.com/2026/05/cpanel-cve-2026-41940-under-active.html

Google on Monday disclosed that it identified an unknown threat actor using a zero-day exploit that it said was likely developed with an artificial intelligence (AI) system, marking the first time the technology has been put to use in the wild in a malicious context for vulnerability discovery and exploit generation. The activity is said to be the work of cybercrime threat actors who appear to from The Hacker News https://thehackernews.com/2026/05/hackers-used-ai-to-develop-first-known.html

Rough Monday. Somebody poisoned a trusted download again, somebody else turned cloud servers into public housing, and a few crews are still getting into boxes with bugs that should’ve died years ago — the same old holes, same lazy access paths, same “how the hell is this still open” feeling. One report this week basically reads like a guy tripped over root access by accident and decided to stay from The Hacker News https://thehackernews.com/2026/05/weekly-recap-linux-rootkit-macos-crypto.html

Defending a network at 2 am looks a lot like this: an analyst copy-pasting a hash from a PDF into a SIEM query. A red team script is being rewritten by hand so the blue team can use it. A patch waiting on a change-approval window that's longer than the exploitation window itself. Nobody in that chain is incompetent. Every human is doing their job correctly. The problem is the system, its from The Hacker News https://thehackernews.com/2026/05/your-purple-team-isnt-purple-its-just.html

Turns out that LLMs are really good at hiding text messages in other text messages. from Schneier on Security https://www.schneier.com/blog/archives/2026/05/llms-and-text-in-text-steganography.html

A malicious Hugging Face repository managed to take a spot in the platform's trending list by impersonating OpenAI's Privacy Filter open-weight model to deliver a Rust-based information stealer to Windows users. The project, named Open-OSS/privacy-filter, masqueraded as its legitimate counterpart, released by OpenAI late last month (openai/privacy-filter), including copying the entire from The Hacker News https://thehackernews.com/2026/05/fake-openai-privacy-filter-repo-hits-1.html

Cybersecurity researchers have disclosed a critical security vulnerability in Ollama that, if successfully exploited, could allow a remote, unauthenticated attacker to leak its entire process memory. The out-of-bounds read flaw, which likely impacts over 300,000 servers globally, is tracked as CVE-2026-7482 (CVSS score: 9.1). It has been codenamed Bleeding Llama by Cyera. Ollama is a from The Hacker News https://thehackernews.com/2026/05/ollama-out-of-bounds-read-vulnerability.html

cPanel has released updates to address three vulnerabilities in cPanel and Web Host Manager (WHM) that could be exploited to achieve privilege escalation, code execution, and denial-of-service. The list of vulnerabilities is as follows - CVE-2026-29201 (CVSS score: 4.3) - An insufficient input validation of the feature file name in the "feature::LOADFEATUREFILE" adminbin call that could result from The Hacker News https://thehackernews.com/2026/05/cpanel-whm-patch-3-new-vulnerabilities.html

Insider trading is rife on Polymarket: Analysis by the Anti-Corruption Data Collective, a non-profit research and advocacy group, found that long-shot bets—­defined as wagers of $2,500 or more at odds of 35 percent or less—­on the platform had an average win rate of around 52 percent in markets on military and defense actions. That compares with a win rate of 25 percent across all politics-focused markets and just 14 percent for all markets on the platform as a whole. It is absolutely insane that this is legal. We already know how insider betting warps sports. Insider betting warping politics—and military actions—is orders of magnitude worse. from Schneier on Security https://www.schneier.com/blog/archives/2026/05/insider-betting-on-polymarket.html

Cybersecurity researchers have discovered fraudulent apps on the official Google Play Store for Android that falsely claimed to offer access to call histories for any phone number, only to trick users into joining a subscription that provided fake data and incurred financial loss. The 28 apps have collectively racked up more than 7.3 million downloads, with one of them alone accounting for over from The Hacker News https://thehackernews.com/2026/05/fake-call-history-apps-stole-payments.html

We’ve long defined cybersecurity as the technical discipline of protecting networks, data and systems. But when viewed through a geopolitical lens, then this definition is no longer sufficient. What we are dealing with today goes beyond protecting organisational data, to protecting economies, sovereignty, and increasingly, human perception. from KnowBe4 Blog https://blog.knowbe4.com/from-cyberwar-to-cognitive-warfare-the-geopolitical-impact-on-cybersecurity-in-africa

A previously undocumented Linux implant codenamed Quasar Linux RAT (QLNX) is targeting developers' systems to establish a silent foothold as well as facilitate a broad range of post-compromise functionality, such as credential harvesting, keylogging, file manipulation, clipboard monitoring, and network tunneling. "QLNX targets developers and DevOps credentials across the software supply chain," from The Hacker News https://thehackernews.com/2026/05/quasar-linux-rat-steals-developer.html

Cybersecurity researchers have disclosed details of a new Linux backdoor named PamDOORa that's being advertised on the Rehub Russian cybercrime forum for $1,600 by a threat actor called "darkworm." The backdoor is designed as a Pluggable Authentication Module (PAM)-based post-exploitation toolkit that enables persistent SSH access by means of a magic password and specific TCP port combination. from The Hacker News https://thehackernews.com/2026/05/new-linux-pamdoora-backdoor-uses-pam.html

In the second timeline of April 2026 I collected 108 events, corresponding to an average of 7.2 events per day, a number that confirms a growing trend, driven by the increasing number of supply chain attacks, compared to the previous timeline, where I collected 94 events (6.27 events/day). from HACKMAGEDDON https://www.hackmageddon.com/2026/05/08/16-30-april-2026-cyber-attacks-timeline/

Ivanti is warning that a new security flaw impacting Endpoint Manager Mobile (EPMM) has been explored in limited attacks in the wild. The high-severity vulnerability, CVE-2026-6973 (CVSS score: 7.2), is a case of improper input validation affecting EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. It allows "a remotely authenticated user with administrative access to achieve remote code from The Hacker News https://thehackernews.com/2026/05/ivanti-epmm-cve-2026-6973-rce-under.html

Cybersecurity researchers have disclosed details of a new credential theft framework dubbed PCPJack that targets exposed cloud infrastructure and ousts any artifacts linked to TeamPCP from the environments. "The toolset harvests credentials from cloud, container, developer, productivity, and financial services, then exfiltrates the data through attacker-controlled infrastructure while attempting from The Hacker News https://thehackernews.com/2026/05/pcpjack-credential-stealer-exploits-5.html

World Password Day is no longer just a nudge to pick stronger passwords, it’s a moment to rethink identity. Attackers rarely “hack” systems today; they log in as you. Combine expert guidance on phishing, MFA, password managers, behavioral defenses, and new threats from AI and quantum computing to better secure your accounts now and for the future. from KnowBe4 Blog https://blog.knowbe4.com/world-password-day-2026-treat-identity-as-the-perimeter-and-act-like-it

The hardest part of cybersecurity isn't the technology, it’s the people. Every major breach you’ve read about lately usually starts the same way: one employee, one clever email, and one "Patient Zero" infection. In 2026, hackers are using AI to make these "first clicks" nearly impossible to spot. If a single laptop gets compromised on your watch, do you have a plan to stop it from taking down from The Hacker News https://thehackernews.com/2026/05/one-click-total-shutdown-patient-zero.html

Palo Alto Networks has disclosed that threat actors may have attempted to unsuccessfully exploit a recently disclosed critical security flaw as early as April 9, 2026. The vulnerability in question is CVE-2026-0300 (CVSS score: 9.3/8.7), a buffer overflow vulnerability in the User-ID Authentication Portal service of Palo Alto Networks PAN-OS software that could allow an unauthenticated attacker from The Hacker News https://thehackernews.com/2026/05/pan-os-rce-exploit-under-active-use.html

Having an incident response retainer, or even a pre-approved external incident response firm, is not the same as being ready for an incident. A retainer means someone will answer the phone. Operational readiness determines whether that team can do meaningful work the moment they do.  That distinction matters far more than many organizations realize. In the first hours of a security incident from The Hacker News https://thehackernews.com/2026/05/day-zero-readiness-operational-gaps.html

ICE is developing its own version of smart glasses, with facial recognition tied to various databases. from Schneier on Security https://www.schneier.com/blog/archives/2026/05/smart-glasses-for-the-authorities.html

Cybersecurity researchers have exposed a new Mirai-derived botnet that self-identifies as xlabs_v1 and targets internet-exposed devices running Android Debug Bridge (ADB) to enlist them in a network capable of carrying out distributed denial-of-service (DDoS) attacks. Hunt.io, which detailed the malware, said it made the discovery after identifying an exposed directory on a Netherlands-hosted from The Hacker News https://thehackernews.com/2026/05/mirai-based-xlabsv1-botnet-exploits-adb.html

The Iranian state-sponsored hacking group known as MuddyWater (aka Mango Sandstorm, Seedworm, and Static Kitten) has been attributed to a ransomware attack in what has been described as a "false flag" operation. The attack, observed by Rapid7 in early 2026, has been found to leverage social engineering techniques via Microsoft Teams to initiate the infection sequence. Although the incident from The Hacker News https://thehackernews.com/2026/05/muddywater-uses-microsoft-teams-to.html

To get a valid session token to use with Burp Suite tools, I ended up writing a small Python extension (110 lines of code, but who’s counting?) that obtained a new session token for each request, allowing items like Intruder to work as intended. Cool, I was able to use it during the test, but I would like this to be repeatable. So, this blog is releasing Swapper, a regex pattern-based match/replace Burp Suite extension. The post Swapper – A Pure Regex Match/Replace Burp Extension appeared first on Black Hills Information Security, Inc. . from Black Hills Information Security, Inc. https://www.blackhillsinfosec.com/swapper/

Researchers at Google’s Threat Intelligence Group (GTIG) are tracking a new threat actor that’s impersonating help desks to trick users into installing malware. The threat actor, which GTIG tracks as “UNC6692,” begins by sending a large volume of spam emails to the victim, then initiates contact via Microsoft Teams to ostensibly help the user block the spam. from KnowBe4 Blog https://blog.knowbe4.com/attackers-continue-to-pose-as-help-desks-in-social-engineering-attacks

Analysts recently confirmed what identity security teams have quietly feared: AI agents are being deployed faster than enterprises can govern them. In their inaugural Market Guide for Guardian Agents, Gartner states that “enterprise adoption of AI agents is accelerating, outpacing maturity of governance policy controls.” Enterprise leaders can request access to the Gartner Market Guide for from The Hacker News https://thehackernews.com/2026/05/your-ai-agents-are-already-inside.html

A new rowhammer attack gives complete control of NVIDIA CPUs. On Thursday, two research teams, working independently of each other, demonstrated attacks against two cards from Nvidia’s Ampere generation that take GPU rowhammering into new—­and potentially much more consequential—­territory: GDDR bitflips that give adversaries full control of CPU memory, resulting in full system compromise of the host machine. For the attack to work, IOMMU memory management must be disabled, as is the default in BIOS settings. “Our work shows that Rowhammer, which is well-studied on CPUs, is a serious threat on GPUs as well,” said Andrew Kwong, co-author of one of the papers. “ GDDRHammer: Greatly Disturbing DRAM Rows­Cross-Component Rowhammer Attacks from Modern GPUs .” “With our work, we… show how an attacker can induce bit flips on the GPU to gain arbitrary read/write access to all of the CPU’s memory, resulting in complete compromise of the machine.” Update F...

A newly identified supply chain attack targeting DAEMON Tools software has compromised its installers to serve a malicious payload, according to findings from Kaspersky. "These installers are distributed from the legitimate website of DAEMON Tools and are signed with digital certificates belonging to DAEMON Tools developers," Kaspersky researchers  Igor Kuznetsov, Georgy Kucherin, Leonid from The Hacker News https://thehackernews.com/2026/05/daemon-tools-supply-chain-attack.html

A sophisticated China-nexus advanced persistent threat (APT) group has been attributed to attacks targeting government entities in South America since at least late 2024 and government agencies in southeastern Europe in 2025. The activity is being tracked by Cisco Talos under the moniker UAT-8302, with post-exploitation involving the deployment of custom-made malware families that have been put from The Hacker News https://thehackernews.com/2026/05/china-linked-uat-8302-targets.html

Cybercriminals are getting smarter and faster. Social engineering attacks are evolving rapidly, and AI is making them more convincing than ever. According to the 2025 Verizon Data Breach Investigations Report, up to 68% of cyberattacks involve some form of social engineering. Meanwhile, 95% of cybersecurity professionals say AI is making phishing attacks harder to detect, and 65% believe attackers will soon rely on AI as their primary tool. from KnowBe4 Blog https://blog.knowbe4.com/introducing-the-new-ai-native-knowbe4-sat

Threat actors are actively exploiting a critical security flaw impacting an open-source content management system (CMS) known as MetInfo, according to new findings from VulnCheck. The vulnerability in question is CVE-2026-29014 (CVSS score: 9.8), a code injection flaw that could result in arbitrary code execution. "MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code from The Hacker News https://thehackernews.com/2026/05/metinfo-cms-cve-2026-29014-exploited.html

While the software industry has made genuine strides over the past few decades to deliver products securely, the furious pace of AI adoption is putting that progress at risk. Businesses are moving fast to self-host LLM infrastructure, drawn by the promise of AI as a force multiplier and the pressure to deliver more value faster. But speed is coming at the expense of security. In the wake of the from The Hacker News https://thehackernews.com/2026/05/we-scanned-1-million-exposed-ai.html

DarkSword is a sophisticated piece of malware —probably government designed—that targets iOS. Google Threat Intelligence Group (GTIG) has identified a new iOS full-chain exploit that leveraged multiple zero-day vulnerabilities to fully compromise devices. Based on toolmarks in recovered payloads, we believe the exploit chain to be called DarkSword. Since at least November 2025, GTIG has observed multiple commercial surveillance vendors and suspected state-sponsored actors utilizing DarkSword in distinct campaigns. These threat actors have deployed the exploit chain against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine. DarkSword supports iOS versions 18.4 through 18.7 and utilizes six different vulnerabilities to deploy final-stage payloads. GTIG has identified three distinct malware families deployed following a successful DarkSword compromise: GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. The proliferation of this single exploit chain across disparate threat actors mi...

An active phishing campaign has been observed targeting multiple vectors since at least April 2025, with legitimate Remote Monitoring and Management (RMM) software as a way to establish persistent remote access to compromised hosts. The activity, codenamed VENOMOUS#HELPER, has impacted over 80 organizations, most of which are in the U.S., according to Securonix. It shares overlaps with clusters from The Hacker News https://thehackernews.com/2026/05/phishing-campaign-hits-80-orgs-using.html

Progress Software has released updates to address two security flaws in MOVEit Automation, including a critical bug that could result in an authentication bypass. MOVEit Automation (formerly Central) is a secure, server-based managed file transfer (MFT) solution used to schedule and automate file movement workflows in enterprise environments without requiring any custom scripts.  The from The Hacker News https://thehackernews.com/2026/05/progress-patches-critical-moveit.html

This week, the shadows moved faster than the patches. While most teams were still triaging last month’s alerts, attackers had already turned control panels into kill switches, kernels into open doors, and open-source pipelines into silent delivery systems. The game has shifted from breach to occupation. They’re living inside SaaS sessions, pushing code with trusted commits, and scaling from The Hacker News https://thehackernews.com/2026/05/weekly-recap-ai-powered-phishing.html

Deepfake-driven fraud has caused $2.19 billion in losses globally, with $1.65 billion reported in 2025 alone, according to an analysis by Surfshark. More than half of these losses were due to investment scams using deepfakes of high-profile figures. from KnowBe4 Blog https://blog.knowbe4.com/report-deepfake-fraud-causes-billions-in-losses

The China-based cybercrime group known as Silver Fox has been linked to a new campaign targeting organizations in Russia and India with a new malware called ABCDoor. The activity involved using phishing emails that mimic correspondence from the Income Tax Department of India in December 2025, followed by a similar campaign aimed at Russian entities. "Both waves followed a nearly identical from The Hacker News https://thehackernews.com/2026/05/silver-fox-deploys-abcdoor-malware-via.html

A previously unknown threat actor has been observed targeting government and military entities in Southeast Asia, alongside a smaller cluster of managed service providers (MSPs) and hosting providers in the Philippines, Laos, Canada, South Africa, and the U.S., by exploiting the recently disclosed vulnerability in cPanel. The activity, detected by Ctrl-Alt-Intel on May 2, 2026, involves the from The Hacker News https://thehackernews.com/2026/05/critical-cpanel-vulnerability.html

Polymarket is a platform where people can bet on real-world events, political and otherwise. Leaving the ethical considerations of this aside (for one, it facilitates assassination ), one of the issues with making this work is the verification of these real-world events. Polymarket gamblers have threatened a journalist because his story was being used to verify an event. And now, gamblers are taking hair dryers to weather sensors to rig weather bets. There’s also insider trading : a lot of it . from Schneier on Security https://www.schneier.com/blog/archives/2026/05/hacking-polymarket.html

A coordinated international operation involving U.S. and Chinese authorities has arrested at least 276 suspects and shut down nine scam centers used for cryptocurrency investment fraud schemes targeting Americans, resulting in millions of dollars in losses. The crackdown was led by the Dubai Police, under the United Arab Emirates (UAE) Ministry of Interior, in partnership with the U.S. Federal from The Hacker News https://thehackernews.com/2026/05/global-crackdown-arrests-276-shuts-9.html

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a recently disclosed security flaw impacting various Linux distributions to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerability, tracked as CVE-2026-31431 (CVSS score: 7.8), is a case of local privilege escalation (LPE) flaw that could allow an from The Hacker News https://thehackernews.com/2026/05/cisa-adds-actively-exploited-linux-root.html

A newly discovered Vietnamese-linked operation has been observed using a Google AppSheet as a "phishing relay" to distribute phishing emails with an aim to compromise Facebook accounts. The activity has been codenamed AccountDumpling by Guardio, with the scheme selling the stolen accounts back through an illicit storefront run by the threat actors. In all, roughly 30,000 Facebook accounts are from The Hacker News https://thehackernews.com/2026/05/30000-facebook-accounts-hacked-via.html

John N Just, Ed.D. - Chief Learning Officer What's New: Celebrating World Password Day and Beyond Happy May! This month, we are putting a major spotlight on World Password Day (May 7) . While the "traditional" password might be evolving into passkeys and biometrics, the human element of authentication remains the #1 target for social engineers. To help you celebrate, we’ve released a dedicated suite of content designed to move your users beyond "Password123!" and into a mindset of strategic defense. From deep dives into the psychology of a credential harvest to practical guides on mastering password managers, our updates are built to help you strengthen your organization's defenses. Just in time for World Password Day!  World Password Day and You Video Module Celebrate the first Thursday in May by reinforcing strong, unique password practices. This video highlights the fundamental habits needed...

Microsoft warns that a new criminal threat actor dubbed “Storm-2755” is launching payroll-pirate attacks against Canadian users. These attacks use social engineering to compromise employee accounts and divert salary payments to attacker-controlled bank accounts. from KnowBe4 Blog https://blog.knowbe4.com/alert-payroll-hijacking-attacks-are-targeting-canadian-employees

Cybersecurity researchers have disclosed details of a new China-aligned espionage campaign targeting government and defense sectors across South, East, and Southeast Asia, along with one European government belonging to NATO. Trend Micro has attributed the activity to a threat activity cluster it tracks under the temporary designation SHADOW-EARTH-053. The adversarial collective is assessed to from The Hacker News https://thehackernews.com/2026/05/china-linked-hackers-target-asian.html

Someone pleaded guilty to secretly working for a ransomware gang as he negotiated ransomware payments for clients. from Schneier on Security https://www.schneier.com/blog/archives/2026/05/a-ransomware-negotiator-was-working-for-a-ransomware-gang.html

The U.S. Department of Justice (DoJ) on Thursday announced the sentencing of two cybersecurity professionals to four years each in prison for their role in facilitating BlackCat ransomware attacks in 2023. Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, were accused of deploying the ransomware against multiple victims located throughout the U.S. between April and December 2023. from The Hacker News https://thehackernews.com/2026/05/two-cybersecurity-professionals-get-4.html

A Brazilian tech firm that specializes in protecting networks from distributed denial-of-service (DDoS) attacks has been enabling a botnet responsible for an extended campaign of massive DDoS attacks against other network operators in Brazil, KrebsOnSecurity has learned. The firm’s chief executive says the malicious activity resulted from a security breach and was likely the work of a competitor trying to tarnish his company’s public image. An Archer AX21 router from TP-Link. Image: tp-link.com. For the past several years, security experts have tracked a series of massive DDoS attacks originating from Brazil and solely targeting Brazilian ISPs. Until recently, it was less than clear who or what was behind these digital sieges. That changed earlier this month when a trusted source who asked to remain anonymous shared a curious file archive that was exposed in an open directory online. The exposed archive contained several Portuguese-language malicious programs written in Python. It...

The internet is noisy this week. We are seeing some wild new tactics, like people using fake cell towers to send scam texts, while some developers are accidentally downloading tools that peek into their private files during a simple install. It is definitely a busy time to be online. Security is always a moving target. Millions of servers are currently sitting online without any passwords, and from The Hacker News https://thehackernews.com/2026/04/threatsday-bulletin-sms-blaster-busts.html

The biggest challenge in email security today isn’t just detecting a threat; it’s the speed of response across a global landscape. As we head into the second half of 2026, the stakes with speed have gotten higher. According to SQ Magazine, AI-generated phishing attempts are 68% harder to detect than they were just a year ago, and the average cost of an AI-powered breach has climbed to $5.72 million. from KnowBe4 Blog https://blog.knowbe4.com/global-human-network-closes-email-detection-gap

Intro A sophisticated, high-resilience malicious campaign was identified by Atos Threat Research Center (TRC) in March 2026. This operation specifically targets the high-privilege professional accounts of enterprise administrators, DevOps engineers, and security analysts by impersonating administrative utilities they rely on for daily operations. By integrating Search Engine Order (SEO) from The Hacker News https://thehackernews.com/2026/04/etherrat-distribution-spoofing.html

Researchers have reverse-engineered a piece of malware named Fast16. It’s almost certainly state-sponsored, probably US in origin, and was deployed against Iran years before Stuxnet: “…the Fast16 malware was designed to carry out the most subtle form of sabotage ever seen in an in-the-wild malware tool: By automatically spreading across networks and then silently manipulating computation processes in certain software applications that perform high-precision mathematical calculations and simulate physical phenomena, Fast16 can alter the results of those programs to cause failures that range from faulty research results to catastrophic damage to real-world equipment.” Another news article . Lots of interesting details at the links. from Schneier on Security https://www.schneier.com/blog/archives/2026/04/fast16-malware.html

Cybersecurity researchers have disclosed details of a Linux local privilege escalation (LPE) flaw that could allow an unprivileged local user to obtain root. The high-severity vulnerability tracked as CVE-2026-31431 (CVSS score: 7.8) has been codenamed Copy Fail by Xint.io and Theori. "An unprivileged local user can write four controlled bytes into the page cache of any readable file on a Linux from The Hacker News https://thehackernews.com/2026/04/new-linux-copy-fail-vulnerability.html

Cybersecurity researchers have discovered malicious code in an npm package after a malicious package as a dependency to the project by Anthropic's Claude Opus large language model (LLM). The package in question is "@validate-sdk/v2," which is listed on npm as a utility software development kit (SDK) for hashing, validation, encoding/decoding, and secure random generation. However, its real from The Hacker News https://thehackernews.com/2026/04/new-wave-of-dprk-attacks-uses-ai.html

This blog will not dive too deeply into BloodHound itself; instead, we will focus on various methods to collect AD data to provide BloodHound as input. The post A Practical Guide to BloodHound Data Collection appeared first on Black Hills Information Security, Inc. . from Black Hills Information Security, Inc. https://www.blackhillsinfosec.com/bloodhound-data-collection/

In February 2026, researchers uncovered a shift that completely changed the game: threat actors are now using custom AI setups to automate attacks directly into the kill chain. We aren't just talking about AI writing better phishing emails anymore. We’re talking about autonomous agents mapping Active Directory and seizing Domain Admin credentials in minutes. The problem? Most defensive workflows from The Hacker News https://thehackernews.com/2026/04/webinar-how-to-automate-exposure.html

A phishing campaign is targeting senior executives with social engineering attacks conducted over Microsoft Teams, according to researchers at ReliaQuest. The researchers believe former associates of the Black Basta criminal gang are running this operation. from KnowBe4 Blog https://blog.knowbe4.com/phishing-attacks-target-executives-via-microsoft-teams