ARTICLES COVERED:

1. Chinese Grid Operators Maintain Offensive Cyber Programs - Jamestown (The Jamestown Foundation)
2. GlassWASM: WebAssembly Malware Found in Trojanized Open VSX Extensions (Socket)
3. FishMonger’s arsenal upgraded: SprySOCKS for Windows (ESET)

ARTICLES COVERED:

1. Ababil of Minab Exposed: LA Metro SCADA Backups and Israeli Victim Data Left Open on an Iranian Staging Server (Hunt Intelligence, Inc.)
2. Ransomware Tool Matrix Project Updates: Three Groups To Track (BushidoUK)
3. SBOM Adoption State of Play - 2026 | ENISA (European Union Agency for Cybersecurity)
4. HallWatch: Usermode detector that catches indirect syscalls. Traps Hell's Hall, Tartarus' Gate, RecycledGate, and VEH syscalls & Many more. (Adam Zypherion)

ARTICLES COVERED:

1. Hunting North Korea's job adverts on Google Docs (Kieran Miyamoto)
2. Analysis of APT37 NarwhalRAT Leveraging MS-Themed Phishing and Dead-drop C2 (Genians)
3. Actively Understanding the Dynamics and Risks of the Threat Intelligence Ecosystem - NDSS Symposium (Internet Society)
4. NIST Special Publication (SP) 800-126 Rev. 4, Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.4 (National Institute of Standards and Technology (NIST))
5. Detecting and removing dangerous secrets on dev workstations before Shai-Hulud does (Guillaume Ross)
6. Well-architected best practices for software supply chain security | Amazon Web Services (Amazon Web Services (AWS))
7. 反入侵 Pipeline 2.0 (Agentic) -Anti-intrusion Pipeline 2.0 (Agentic) (Chinese) (奇安信攻防社区)
8. ADR: An Agentic Detection System for Enterprise Agentic AI Security (Uber Technologies, Inc.)
9. Scales — carving an embedded eBPF rootkit (jolmos)
10. OptinMonster supply chain attack hits 1.2 million sites (Sansec)
11. CVE-2026-45454 — Microsoft SharePoint Server Upload Page Folder Path Traversal to Remote Code Execution (Aretiq AI)
12. Unpacking .zip: A First Look at Domain and File Name Confusion (Oregon State University, Georgia Institute of Technology)
13. After applying AI to perform a deep audit of ActiveMQ patches, two new high-risk vulnerabilities were discovered (Chinese) (腾讯安全应急响应中心)
14. Velvet Ant’s Operation Highland: How a China-Nexus Actor Infiltrated an Internal Network Undetected (Sygnia)

ARTICLES COVERED:

1. tracebit_x33fcon_2026: a POC sensor aiming to fingerprint implants in memory using only lowlevel runtime telemetry. (ThreatHunting.io)
2. ModuleStomped: Proof of concept to detect module stomping detection by looking for modified .pdata sections. (0xjbb)
3. Trusting trust - building Nix from a manually verified seed (Helsing)
4. EDRUnChoker: EDRUnChoker - fileless WMI defense that removes EDRChoker QoS throttling policies (sbousseaden)
5. Hardening Intune: The Implementation Guide (TrustedSec, LLC)
6. ADWS-BOF: Beacon Object File for LDAP Queries Through ADWS (Ethan)
7. tunnel-vision-toolkit: Offensive security toolkit for Microsoft Global Secure Access (GSA), Microsoft's Zero Trust Network Access (ZTNA) solution. (Arshia Reisi)
8. Phishing for Lobsters: How We Tricked OpenClaw into Spilling Secrets (Varonis)
9. Roughly 400 AUR (Arch User Repository) packages compromised (Arch Linux)
10. ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit | Google Cloud Blog (Google Cloud)
11. rax: rax is a CPU emulator that does not trust itself. (Hex-Rays SA)
12. Noradrenaline: Offensive macOS and Linux shared library modules for Poseidon and other agent frameworks. Designed to be small and quick for automation. (atomiczsec)
13. Preliminary analysis of AUR malware (Codex)
14. Covert Kernel/User Communication Channels on Windows: Rootkits, Game Cheats, and Detection (kernullist)

ARTICLES COVERED:

1. Interlock and Rhysida within the Ransomware Ecosystem | IBM (IBM)
2. Detecting Misuse with the Claude Compliance API: The Threat Is in the Content (PaperMtn)
3. Factoring "short-sleeve" RSA keys with polynomials (Trail of Bits)

ARTICLES COVERED:

1. BOD 26-04: Prioritizing Security Updates Based on Risk (Cybersecurity and Infrastructure Security Agency)
2. Behind Khmer Shadow: Targeted espionage against Cambodian government entities (Acronis)
3. Expanded JDY IoT and SOHO botnet enables rapid vulnerability exploitation (Lumen Technologies)
4. BLUERABBIT: A Golang-Based Backdoor with Ransomware and Destructive… (Binary Defense)
5. APT28, an evolution of tradecraft (Sekoia.io)
6. OceanLotus: From external espionage to domestic targeting (ESET)
7. ホテル業界を標的とした不審メールの分析（パート1: キャンペーン概要編）- Analysis of suspicious emails targeting the hotel industry (Part 1: Campaign Overview) (ITOCHU Cyber & Intelligence Inc.)
8. ホテル業界を標的とした不審メールの分析（パート2: 技術詳細編） - Analysis of Suspicious Emails Targeting the Hotel Industry (Part 2: Technical Details) (ITOCHU Cyber & Intelligence Inc.)
9. APT-C-08（蔓灵花）近期钓鱼网站攻击活动分析 - Analysis of Recent Phishing Website Attacks by APT-C-08 (Manlinghua) (WgpSec)
10. Now Available: Practical Guidelines for Preventing and Mitigating Ransomware (www.nccoe.nist.gov)
11. Hardening Intune: The Implementation Guide (TrustedSec)
12. BUMSRAKETE™ — The Most Beautiful, Most Tremendous FreeBSD Vulnerability In The History Of Computing. BELIEVE ME. (Bumsrakete)
13. GreatXML a bitlocker that seems to only work if you ever had Defender Offline Scan (NightmareEclipse)
14. User-to-User Authentication: Down the Rabbit Hole - Part 1 (SpecterOps)
15. DCOMIllusionist: DCOM in memory and fileless lateral movement techniques through .Net deserilization (Synacktiv)
16. Oops, I Weaponized the Database: Abusing AI Features in SQL Server 2025 (SpecterOps)
17. NimSyscallPacker: This Packer can be used to pack any C# Assembly, PE-File or Shellcode into a Nim binary. It will encrypt the target payload, build the corresponding Nim source code accordingly (Fabian Mosch)
18. A Long-running BOF Component Contract (Raphael Mudge)

ARTICLES COVERED:

1. [Op Report] From SSA Phish to AdaptixC2: A Multi-RAT Intrusion (MalBeacon)
2. On affected platforms running Arista EOS where a tunnel decapsulation configuration—such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface) (Arista Networks)

ARTICLES COVERED:

1. Synthetic APTs: the Collapse of TTP-Based Attribution (Alias Robotics)
2. Microsoft Defender now monitors RPC activity (Microsoft)
3. Whoops! I did it again. I patched Windows Kernel at Milan0day 2026 (Ethical Hacker)
4. RoguePlanet: RoguePlanet Windows Defender Vulnerability (MSNightmare)
5. Benchmarking n-day exploit generation [via AI] (Josh Merrill)
6. Understanding modern Chinese cyber operations means shifting from ‘APT’ to composite responsibility (Virtual Routes Community)

ARTICLES COVERED:

1. Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257 (Palo Alto Networks)
2. Security Advisory – Action Required – Active Exploitation of Check Point VPN Authentication Bypass (CVE-2026-50751) - Check Point Blog (Check Point Software Technologies Ltd.)
3. Old WinRAR Flaw Fuels Attacks on Ukraine: Two separate Russia-aligned campaigns are still exploiting the WinRAR flaw CVE-2025-8088 against Ukrainian organizations nearly a year after it was patched, (Trend Micro)
4. Don't Fear the Repo: UNK_DeadDrop Phishing Campaign Targets Developers to Steal Cryptocurrency (Proofpoint)
5. Incident de sécurité sur Tchap : la DINUM sécurise la plateforme et informe les usagers après une intrusion maîtrisée - Security incident on Tchap: DINUM secures the platform and informs users (Direction interministérielle du numérique (DINUM))
6. UK Cybercrime Journal: British Universities Struck by ShinyHunters Before Exam Season (BushidoToken)
7. QuasarNix: Reverse Shell Detection with Machine Learning (Dmitrijs Trizna)
8. Security Notice: Former Helm APT Mirror Domain `baltocdn.com` Statement | Helm (Cloud Native Computing Foundation)
9. Visual Studio Code 1.123: Delayed extension auto-updates (Microsoft)
10. Fighting Spyware: An Update From WhatsApp: Today, we’re asking the court to hold NSO in contempt for violating a permanent injunction that barred them from ever targeting WhatsApp and its users. (Meta)

ARTICLES COVERED:

1. Chinese-Cybercrime-Research: Resources to learn more about Chinese-language cybercrime actors. (aurora)
2. Query-Hub: CQL Hub is an open repository of detection and hunting queries for CrowdStrike NextGen SIEM and Falcon LogScale (ByteRay-Labs)
3. Building a safe, effective sandbox to enable Codex on Windows (OpenAI)
4. Z-Jail: A lightweight, multi-layer Linux sandbox combining namespaces, pivot_root, seccomp-bpf, capability dropping, and an evidence-based verdict engine) for secure, auditable code execution. (Division-36)
5. ot-sentinel-rules: Open-source ICS/OT detection rules (Wazuh + Sigma) for Modbus, DNP3, IEC 104, MQTT, and OPC-UA — tested against a real OpenPLC + GNS3 digital twin lab. (Subhash Bharadwaj)
6. On May 31, 2026, Meta discovered that there was a vulnerability in an AI-assisted account recovery system for Instagram ("High Touch Support" or "HTS") that was exploited by unauthorized third parties (Maine Office of the Attorney General)
7. Pwnd Blaster: Hacking your PC using your speaker without ever touching it | nns.ee (Rasmus Moorats)
8. About PCIe DMA Cheats: Protocol, IOMMU, Hardware, and Detection (kernullist)
9. BusyWork: Replacing Sleep with Real Work to Break Behavioral Detection (m4n0w4r)
10. UPnPHostFileRead: Arbitrary file read exploit for the Windows UPnP Device Host service. (SpacePlant)
11. EDRChoker: A tool uses the QoS Policy (Pacer.sys) to throttle Endpoint Detection and Response (EDR) agents from connecting to the server. (Two Seven One Three)
12. cygor: An modular asset discovery framework written in python to automate the repeating manual work (tjnull)

ARTICLES COVERED:

1. CISA and Partners Urge Hardening Automatic Tank Gauge Systems (Cybersecurity and Infrastructure Security Agency)
2. Ongoing Targeted Campaign Against US Law Firms (Google)
3. New China-Linked Cluster OP-512 (ReliaQuest)
4. MUSTANG PANDA x PLUGX - Analysis of the January 2026 sample: a multi-layer execution chain (BlueCyber)
5. PoisonXドライバを用いた日本組織への攻撃キャンペーン - Attack campaign against Japanese organizations using PoisonX driver (株式会社ラック)
6. Investigation into APT 5 and their inner workings of PLA Troop 61786 (The author of the content on the Threat Review Journal blog is not explicitly named.)
7. From Token Bingo to MAX Takeover: Kali365 Operator Expands Operation Across Microsoft Outlook, Okta, Xerox DocuShare, and Other Services (Arctic Wolf)
8. Six Stages Deep and an Endless Loop: Shai-Hulud Is Getting Sophisticated - OX Security (OX Security)
9. Miasma npm Supply Chain Attack: Self-Spreading Worm via Phantom Gyp - StepSecurity (StepSecurity)
10. Inside an Active STX RAT Supply Chain Campaign - A threat actor spent one month building a trojanized software supply chain aimed at a specific type of victim (Cyderes)
11. Game Over: WeedHack – The Rise of Minecraft Malware-as-a-Service Campaigns (McAfee)
12. Unmasking Quellostanco: How a Git Commit Exposed a Threat Actor Targeting Egyptian Infrastructure (co-authored) (M4lcode)
13. The Smart TV in Your LivingRoom Is a Node in the AIScraping Economy (Include Security)
14. Security advisory: Brute force attack on Dashlane user accounts (Dashlane)
15. Popping Root on UniFi OS Server: Unauthenticated RCE Chain Detection & Analysis (Bishop Fox)
16. 21 Zero-Days in FFmpeg (Depthfirst)
17. Seven Years on a Public Clipboard: Pasted Secrets, Türkiye's Exposure, and a Stored XSS (beyondmemory.io)
18. The Privileged Roles Nobody Talks About (TrustedSec)
19. The Detection & Response Chronicles: Covert Operations Through QEMU (NVISO)
20. The Interesting Case of WSL for Payload Staging (Daniel Koifman)
21. Enter the WasmForge: Compiling Sliver into WebAssembly (Praetorian)
22. staged-DLL-Injection-SMB-: Staged DLL injection proof-of-concept built in C using Win32 APIs — developed in an isolated lab environment for red team certification study (CRTO). (kasturixbm5)
23. Trend Micro Deep Security Agent Research: Forcing bmhook/tmhook Reloads to Open a Protection Bypass Window (Matheuz Security)
24. BOF Cocktails in Cobalt Strike (Rasta Mouse)
25. Magecart skimmer turns Stripe into a malware command server (Sansec)
26. Auditing GitLab: The CI/CD Kill Chain - GoGatoZ — a purpose-built Go tool for GitLab CI/CD security auditing that can perform and automate the entire CI/CD kill chain... (Black Hills Information Security, Inc.)
27. About ETW Internals: Architecture, Hooking, Tampering, and Detection (kernullist)
28. Async PICOs and Custom Beacon Wakeups in Cobalt Strike (NCC Group)
29. Address Translation (reisen_1943)
30. The Click that shouldn’t have worked: RCE via clickjacking in Internet Explorer (Positive Technologies)

ARTICLES COVERED:

1. The Blight Reaches Microsoft: 73 Repos Disabled in 105 Seconds (OpenSourceMalware)
2. 1-Click GitHub Token Stealing via a VSCode Bug (Ammar Askar)
3. Enhance your Supply Chain Security with our Package Proxy Tool (Thinkst)

ARTICLES COVERED:

1. VerdantBamboo: Just Another BRICKSTORM in the Firewall (Volexity)
2. Software supply chain attacks: check your dependencies (National Cyber Security Centre)
3. IronWorm Supply Chain Malware Hits npm - OX Security (OX Security)
4. You do surprise me.exe: An unexpected executable in Hola Browser (Sophos X-Ops)
5. The Deny ACE That Never Fires: Non-Canonical ACL Order in Active Directory (Robin Granberg)
6. AzureRedOps: Azure RedOps is a offensive security toolkit for assessing the security posture of Microsoft Entra ID (Mr.Un1k0d3r (TrueCyber Inc.))
7. zannotate: Utility for annotating Internet datasets with contextual metadata (e.g., origin AS, MaxMind GeoIP2, reverse DNS, and WHOIS) (ZMap)
8. MXC Internals: How Microsoft's eXecution Containers Actually Isolate Agent Code | Origin (Origin)
9. FSB’s matryoshka #3/3 - Gamaredon’s gifts that keeps unpacking - GammaSteel (Sekoia.io)
10. FSB’s matryoshka #2/3 - Gamaredon’s gifts that keeps unpacking - GammaLoad (Sekoia.io)

ARTICLES COVERED:

1. CVE-2026-45247 (CISA KEV)
2. Impersonation, Click Hijacking, and TDS: Inside a Malware Distribution Ecosystem (Check Point Software Technologies)
3. Inside DesckVB Rat Analysis: From Malspam to In-Memory RAT | Huntress (Huntress)
4. Bring Your Own RWX Region DLL (BYORWXDLL) (S12 - 0x12Dark Development)
5. NuGet Code Execution As A Service (Tier Zero Security)
6. aether: Aether is a Windows memory-forensics and threat hunting tool that scans live process memory for malicious pattern, detect injection techniques, implant signatures, reflectively loaded .NET (0xsp)
7. The Server Seizure That Affects Also Iran's Cyber Operations (Check Point Research)
8. How China's Cyber Operations – and the Contractors Behind Them – Target Critics Abroad (Natto Team)
9. Espionage Campaign Targeted Stock Exchange Executive for Five Months (Broadcom)
10. TA4922: The Suspected Chinese Crime Group is Going Global | Proofpoint US (Proofpoint)
11. HazyBeacon and AWS Lambda Function URL Abuse (Qualys)
12. Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor (Palo Alto Networks)
13. Analysis of APT-C-26 (Lazarus) group's attack activities using CVE-2025-55182 and the Copperhedge component (上海市浦东新区人民法院)

ARTICLES COVERED:

1. Tracking APT28 PixyNetLoader: Evolutions from 2024 to 2026 (Exatrack)
2. Tracking North Korea Nation-State APT Infrastructure: Kimsuky (Idan Malihi)
3. From Token Bingo to MAX Takeover: Kali365 Operator Expands Operation Across Microsoft Outlook, Okta, Xerox DocuShare, and Other Services (Arctic Wolf)
4. Malicious Registrations in the Domain Name Market: An Analysis of gTLD Registrations and Cybercriminal Demand (Interisle Consulting Group, LLC)
5. Dependency Cooldowns - Dependency Cooldowns (People Can Fly)
6. Codex Discovered a Hidden HTTP/2 Bomb (Calif.io)
7. Click Or Trick (CVE-2025-59199): Escaping the Sandbox with Windows URIs (SafeBreach)
8. Unpatched NTLM Coercion in Windows search: URI Handler, Same Bug, No CVE, No Fix | Huntress (Huntress)
9. 새벽에 온 암호화 손님 Endpoint(Midnight) 랜섬웨어 분석 - Analysis of Endpoint (Midnight) Ransomware: The Encrypted Guest That Arrived at Dawn (AhnLab)

ARTICLES COVERED:

1. Miasma: Supply Chain Attack Targeting RedHat npm Packages (Wiz)
2. Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages (Socket)
3. Multiple redhat-cloud-services npm Packages compromised (StepSecurity)
4. RedSun: Exploiting Windows Defender's Remediation Workflow for Local Privilege Escalation (blog.calif.io)
5. Cybersecurity (CYBER); Cyber Resilience Act (CRA); Cybersecurity requirements for routers, modems intended for the connection to the internet and switches (ETSI)
6. Gamaredon’s gifts that keeps unpacking - GammaPhish and GammaWorm (Sekoia.io)

ARTICLES COVERED:

1. Sapphire Sleet Targets macOS in Multi-Stage Intrusion Campaign (LevelBlue)
2. Tracking The Trackers: Commercial Surveillance Occurring on U.S. Army Networks (Army Cyber Institute)
3. KB4853: Vulnerability Resolved in Veeam Service Provider Console 9.2.1 - "A vulnerability in Veeam Service Provider Console allows for remote code execution." - CVSS 9.4 (Veeam Software)
4. Click Or Trick (CVE-2025-59199): Escaping the Sandbox with Windows URIs (SafeBreach Labs)
5. Instagram Meta AI Vulnerability Allegedly Enables Password Reset for Accounts via prompt injection with bot - now patched (Cryptika)
6. Legitimate-Looking Codex Remote UI Secretly Steals Your AI Tokens (Aikido Security)
7. 179 npm Packages Target Cloud and Finance via oob.moika.tech (SafeDep)

ARTICLES COVERED:

1. Observed Exploitation of PAN-OS GlobalProtect Authentication Bypass Vulnerability (CVE-2026-0257) (Rapid7)
2. CVE-2026-0257 PAN-OS: GlobalProtect Authentication Bypass Vulnerabilities - "Palo Alto Networks has become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied." (Palo Alto Networks)
3. Operation XENOFISCAL: SideCopy deploying persistent XenoRAT targeting the MoF, Afghanistan (Quick Heal Technologies Limited)
4. Operation Dragon Weave : Uncovering a China-Linked Campaign Targeting Czech Republic and Taiwan Using Azure Cloud C2 (Seqrite)
5. Meet DriveSurge: A New Threat Actor Using ClickFix and Fake Update Drive-By Attacks in Thousands of Compromised Sites (Silent Push)
6. HunterAgent: Neuro-Symbolic Attack Trace Reconstruction under Anti-Forensics (Guangze Zhao, Yongzheng Zhang, Weilin Gai, Hongri Liu, Yuliang Wei, and Bailing Wang)
7. EDR Incident Response Playbook: Containing Local Account Incidents (Bert-Jan Pals)
8. proxy: A lightweight caching proxy for package registries. (git-pkgs)
9. prempti: Falco-powered policy and visibility layer for AI coding agents (Falco Security)
10. Honeyval: A Comprehensive Evaluation Framework for LLM-powered HTTP Honeypots (Google Research)
11. pydepgate: A zero dependency lightweight static analyzer designed for adversarial-shape code in python to detect supply chain attacks before they reach your interpreter. (Ikari)
12. DriverSentinel: DriverSentinel is a security tool developed in Go that detects malicious and vulnerable drivers on Windows systems by comparing them against the LOLDrivers.io database. (bI8d0)
13. Signal macOS Desktop App Doesn't Actually Delete Messages When it Should (Privacy Guides)
14. How OLTs may have exposed entire ISP networks (Quarkslab)
15. Security of OpenClaw Agents: Fundamentals, Attacks, and Countermeasures (Yuntao Wang, Jianle Ba, Han Liu, Yanghe Pan, Jintao Wei, Zhou Su, Tom H. Luan, and Linkang Du)
16. Visual Studio Extensions Revisited (MDSec)
17. EvilTokens and OAuth Abuse: How Device Code Phishing Bypasses MFA (Netcraft LTD)
18. Adversarial Oracles: LLM-Guided EDR Signature Reduction (Praetorian)
19. Lessons from Penetration Tests on Large-Scale Agent Systems (IBM Research)
20. BYOVD and Looting LSASS in the Modern EDR Era (R.B.C (g3tsyst3m))
21. Inside MicrosoftSystem64: A Supply Chain RAT Exfiltrating to HuggingFace (SafeDep)
22. Typosquatted npm packages used to steal cloud and CI/CD secrets (Microsoft Defender Security Research Team)
23. Malicious npm packages abuse dependency confusion to profile developer environments (Microsoft Defender Security Research Team)
24. A miner with a side of RAT: the unintended gift with your TV show or book - Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years (AO Kaspersky Lab)
25. Supply Chain Compromises Impact Nx Console and GitHub Repositories (Cybersecurity and Infrastructure Security Agency (CISA))
26. Hawk: Golang tool designed to exfiltrate passwords found via the sshd and su services (ProDefense)
27. Dissecting an Undocumented Lua-Wrapped Loader: The BoldTealLayer Campaign (TheOneEyedArgus)
28. SkillSpector: Security scanner for AI agent skills. Detect vulnerabilities, malicious patterns, and security risks. (NVIDIA)
29. One click—and you’re spied on: GFF files criminal complaint alongside journalist Trung Khoa Lê following spyware attack (Society for Civil Rights (GFF))

ARTICLES COVERED:

1. CVE-2026-0257 (CISA KEV)
2. Pathfinding Labs: Deploy, test, and learn from 100+ intentionally vulnerable AWS environments (Datadog Security Labs)
3. Authenticated RCE via Argument Injection in Gogs (NOT FIXED) (Rapid7)

ARTICLES COVERED:

1. GREYVIBE: A Russia-nexus group leveraging AI across state-aligned operations (WithSecure)
2. Malware seller hunted across three continents (Nees Kathimerines Ekdoseis Single-Member S.A.)
3. Zero Trust Implementation Guidelines (National Security Agency)
4. Romanian National Sentenced for Selling Access to Networks of Oregon State Government Office and Other U.S. Victims (U.S. Department of Justice)
5. Law firm Wiley Rein hit with class action over data breach tied to Chinese hackers (Thomson Reuters)
6. Gezamenlijke actie politie en NCSC legt groot botnetwerk plat | Joint police and NCSC NL operation shuts down large bot network (Nationaal Cyber Security Centrum)
7. Casdoor contains multiple authentication bypass and access management vulnerabilities (Carnegie Mellon University)
8. The approval prompt is lying: a critical coding agent security flaw - A symlink-hijack RCE in six AI coding agents (Adversa AI)
9. FROST: Fingerprinting Remotely using OPFS-based SSD Timing (Hannes Weissteiner)
10. Inside a 176-Package npm Campaign Built to Beat Your Internal Dependencies (Sonatype)
11. Why I Built My Own LLM Benchmark for THOR Finding Triage (Florian Roth)

ARTICLES COVERED:

1. Who is Salt Typhoon Really? Unraveling the Attribution Challenge (open.substack.com)
2. The War Between Wars: How an IRGC Cyber Front Runs Destructive OT and IT Attacks Under Cover of a Ceasefire (Segev-Magen Technologies Ltd. and Segev-Magen Technologies Inc.)
3. Designing secure access with ZTNA (National Cyber Security Centre (NCSC))

ARTICLES COVERED:

1. CVE-2026-48172 (CISA KEV)
2. The Evolution of Chinese-language Phishing Services (Google)
3. Silent Ransom Group Impersonating IT Personnel through Social Engineering (Federal Bureau of Investigation (FBI))
4. Ababil of Minab: An Iran-Linked Destruction and Exfiltration Campaign Targeting the U.S. and the Middle East (Gambit Security)
5. Analysis of YoroTrooper's Attacks Against the CIS and Surrounding Regions (腾讯科技)
6. The practice of cyber-threat intelligence in organizations: A socio-technical case study of a mature financial organization (www.sciencedirect.com)
7. White House: Ensuring Effective and Efficient Agency Logging and Network Visibility to Defend Against Evolving Cyber Threats (Office of Management and Budget)
8. CERT-IN: Blueprint for Reducing Exposure and Defending against AI-Assisted Vulnerabilities Exploitation in Digital Infrastructure - patch between 12 hours and 5 days they state (CERT-In (Indian Computer Emergency Response Team))
9. Advisory X41-2026-002: Request Host Header not Validated in Starlette (X41 D-Sec GmbH)
10. The epoll UAF - an epoll uaf race in fs/eventpoll.c (guysrd)
11. Microsoft Copilot Cowork Exfiltrates Files (PromptArmor)
12. GHSL-2026-140: Heap Buffer Write Overflow in 7-Zip (GitHub Security Lab)
13. JOMANGY: INJ3CTOR3's Self-Healing FreePBX Toll Fraud Campaign - Cyble (Cyble)
14. Top ethical hacker Chompie warns AI tools could put her out of business (BBC)
15. Tycoon 2FA AiTM detection for Entra ID and Google (Elastic)
16. sylvia: iOS Syscall Explorer for IDA 9.X (Christian Stolev)
17. 浅谈AI Agent的行为检测思路 -A Brief Discussion on Behavior Detection Approaches for AI Agents (mp.weixin.qq.com)
18. MSIT Launches Early “Incident Investigation Review Committee” for Proactive Security Incident Response (Law Business Research Ltd)

ARTICLES COVERED:

1. RemotePE: The Lazarus RAT that lives in memory (Fox-IT)
2. North Korean cyber hackers and masterminds behind gambling sites... Sentenced to 5 years in prison in the first trial (Yonhap News Agency)
3. Paved With Intent: ROADtools and Nation-State Tactics in the Cloud (Palo Alto Networks)
4. Sharp Eyes: Mass surveillance of foreigners in China - Part 1 (NetAskari)
5. Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability (Google)
6. Apex One and Vision One – Standard Endpoint Protection (SEP) May 2026 Security Bulletin - TrendAI has observed at least one instance of an attempt to actively exploit one of these vulnerabilities (Trend Micro)
7. Supply Chain Attack Targets Laravel-Lang Packages with Credential Stealer (Aikido Security)
8. CVE-2026-20700: A controlled exploration of dyld's page-in linking and chained fixup machinery as a PAC signing oracle, in the context of CVE-2026-20700. (R3n3r0)
9. Fix: CVE-2025-33073 NTLM reflection not exploitable on pre-NT10.0 systems by azoxlpf · Pull Request #1245 · Pennyw0rth/NetExec (Pennyw0rth)
10. relay_bible: Technical Reference to multiple relay techniques (rootsecdev)
11. SYLK 文件格式的武器化滥用 – Weaponization and abuse of the SYLK file format (Ghost Wolf Lab)
12. The Gold Mine Red Teamers Never Touch - "read the Windows source code. Both Windows XP and Server 2003." [to make their tools blend in] (Abdul Mhanni)
13. honeyslop: Code canaries to quickly triage hallucinated ('slop') vulnerability reports (Gadi Evron, John Cartwright, Daniel Cuthbert, and Michal Kamensky)
14. YouTube SMS Blaster Ad Displays Scam Messages That Impersonate Telcos (Eric Priezkalns)
15. Twee mannen aangehouden voor phishing - Two men arrested for phishing (Politie)
16. Putin appoints Rostec cybersecurity specialist linked to GRU hackers from Fancy Bear as aide to Sergei Shoigu in Russia’s Security Council (Roman Dobrokhotov )?kagi_q=who+is+the+founder+or+owner+of+The+Insider+%28theins.press%29)

ARTICLES COVERED:

1. The Future and Past of Residential Proxies (Qurium Media Foundation)
2. Tracking TamperedChef Clusters via Certificate and Code Reuse (Palo Alto Networks)
3. Kazuar Evolves From Backdoor to Resilient Espionage Ecosystem (PolySwarm)
4. FIOD houdt twee verdachten aan wegens overtreding sanctiewetgeving - An investigation by the FIOD reveals that this new company actually functions as a front for the sanctioned entities. (Fiscale Inlichtingen- en Opsporingsdienst (FIOD))
5. Malicious Postinstall Hook Found Across 700+ GitHub Repositories, Including Packagist and Node.js Projects (Socket)
6. How Attackers Force Microsoft to Send Phishing Emails (Abnormal Security)
7. Phantom Killer: Reverse Engineering and Weaponizing a Lenovo Driver to Terminate EDR Processes (Jehad Abudagga)
8. Primitive Process Injection: APC Tandem (S12)
9. mkPIVM: Generate polymorphic, position-independent virtual machines (PIVMs) from arbitrary x86/x64 shellcode. (D7EAD)
10. OpenPetya: A Proof-of-Concept bootkit inspired by Petya ransomware, written in Assembly, C, and C++ (iss4cf0ng)
11. V8 Wasm Type-Confusion Colony - A multi-agent fuzzing system that hunts WebAssembly type-confusion bugs in V8. Instead of running a single fuzzer loop, it runs a colony of LLM-driven agents (Qriousec)
12. angr: A powerful and user-friendly binary analysis platform! (angr)
13. Suricata 8.0.5 and 7.0.16 released! - fixed various critical and high severity vulnerabilities (Open Information Security Foundation (OISF))
14. FatGid - FreeBSD 14.x kernel LPE (Przemyslaw Frasunek .io)
15. Microsoft Authenticator App Details now exposed in Entra SignInLogs (Nicola Suter)
16. Introducing RAMPART and Clarity: Open source tools to bring safety into Agent development workflow (Microsoft)
17. keyhog: The fastest, most accurate secret scanner. 896 detectors, Hyperscan SIMD, GPU acceleration, 96% recall. Built in Rust. (santhsecurity)
18. np-audit: Static security analysis for npm packages. Detects obfuscated code, malicious patterns, and known vulnerabilities before installation. (KoblerS)
19. Manage [VSCode] extensions in enterprise environments (Microsoft)
20. Ledger: An aggressor script that tracks operational changes made during a red team engagement. Gives you a full audit trail of what was changed and what still needs to be cleaned up. (shellkraft)
21. A Systematic Literature Review on Machine Learning for Intrusion Detection Systems (MDPI)
22. Machine Overmatch: What Salt Typhoon Reveals About China’s Data-Centric Intelligence Strategy (Metamorphic Media)
23. Analyzing Void Dokkaebi’s Cython-Compiled InvisibleFerret Malware (Trend Micro)
24. Disrupting Fox Tempest: A cybercrime service that turned “verified” software into a pathway for ransomware (Microsoft)
25. Microsoft’s MSHTA Legacy Tool Still Powers Malware Campaigns on Windows (Bitdefender)
26. Inside SHADOW-WATER-063’s Banana RAT: From Build Server to Banking Fraud (Trend Micro)

ARTICLES COVERED:

1. Cybercriminal VPN used by ransomware actors dismantled in global crackdown – VPN service featured in almost every major Europol-supported cybercrime investigation | Europol (Europol)
2. VELVET CHOLLIMA Infostealer Campaign Using Trading App as Lure (CrowdStrike)
3. Introducing Showboat: A new malware family taunts defenses and targets international telecom firms (Lumen Technologies)
4. From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence (Microsoft Defender Security Research Team)
5. CLR-Stomp: .NET CLR-Stomping (Nettitude)
6. VPN Exploitation When Patched Doesn't Mean Protected (ReliaQuest)
7. Open Directory, Open Season: Inside Red Lamassu’s JFMBackdoor (PwC)

ARTICLES COVERED:

1. Threat Intelligence Report: ZionSiphon OT Malware First Attempts? Psyops? Both? (DomainTools)
2. North Korean-Linked Threat Actor Targets Developers with New npm Infostealer RAT (OX Security)
3. Coruna Respawned: Compromised art-template npm Package Leads to iOS Browser Exploit Kit (Socket)
4. Windows BitLocker Security Feature Bypass Vulnerability (Microsoft)
5. CVE-2026-28910: Breaking macOS App Sandbox Data Containers, TCC, and Hijacking Apps Using Archive Utility (Talal Haj Bakry and Tommy Mysk)
6. Google API keys keep working after you delete them long enough to be exploited (Aikido)
7. A Deep Dive into Codex Windows Sandbox (Jonathan Johnson)
8. veilgate: Asymmetric defense against AI red-team agents. VeilGate scores every request, diverts likely agents into a per-IP-coherent fake application, and measures the cost it imposes (C0oki3s)
9. r-tec Blog | The 429 Microsoft Graph Mystery (r-tec Cyber Security)
10. GhostTree: Unveiling Path Manipulation Techniques to Bypass Windows Security (Varonis)
11. Azure Tenant Enumeration is Dead (Sprocket Security)
12. AI-generated reporting: Lessons learned from Cisco Talos Incident Response (Cisco)
13. CrabLoader: A PoC Cobalt Strike UDRL written in Rust (qmadev)
14. Striga: Lifting x86 to LLVM IR with Python (mrexodia)

ARTICLES COVERED:

1. CVE-2026-9082 (CISA KEV)
2. Iran-linked Operators Suspected in ATG Breaches (Censys)
3. From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat (Cisco Talos)
4. Operation Dragon Whistle: UNG0002 Targets Chinese Academia via Weaponized Institutional Lure (Quick Heal Technologies Ltd.)
5. Webworm: New burrowing techniques (ESET)
6. Grafana Labs security update: Latest on TanStack npm supply chain ransomware incident | Grafana Labs (Grafana Labs)
7. Compromised Nx Console version 18.95.0 (Nrwl)
8. From Y2K to Patch Tuesday 2025: 25 Years of Bugs in the Windows 2000 Source Tree (Matt Suiche)
9. How a single image takes control of a Mac understanding an ExifTool vulnerability (CVE-2026-3102) (AO Kaspersky Lab)
10. CVE-2026-46333: Local Root Privilege Escalation and Credential Disclosure in the Linux Kernel ptrace Path (Qualys)
11. New Age of Collisions: Reading Arbitrary Files Pre-Auth as root in cPanel (CVE-2026-29205) (Searchlight Cyber)

ARTICLES COVERED:

1. Why China Is Now a Peer Competitor to the United States in Cyberspace (Center for Strategic and International Studies (CSIS))
2. FalkorDB: A super fast Graph Database uses GraphBLAS under the hood for its sparse adjacency matrix graph representation. (FalkorDB)
3. Remote Process Read Primitive via NtCreateThreadEx Exit Code (S12 - 0x12Dark Development)
4. nginx-rift-private-lab: Private Nginx Rift ASLR lab, exploit chain, and demo recordings (Hamid Kashfi)
5. laimap: Discover Exposed AI Services (Bishop Fox)
6. persisthunt: Linux Persistence Detection, Hunting and Arftifact Collection script (raj3shp)
7. We are investigating unauthorized access to GitHub’s internal repositories. Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. (GitHub)

ARTICLES COVERED:

1. How Storm-2949 turned a compromised identity into a cloud-wide breach (Microsoft)
2. New Actors Deploy Shai-Hulud Clones: TeamPCP Copycats Are Here (www.ox.security)
3. Active Supply Chain Attack Compromises @antv Packages on npm... (socket.dev)

ARTICLES COVERED:

1. Exclusive: Hackers have breached tank readers at US gas stations; officials suspect Iran is responsible | CNN Politics (CNN)
2. Rekomendacja Pełnomocnika Rządu ds. Cyberbezpieczeństwa dotycząca komunikatora Signal - Recommendation of the Government Plenipotentiary for Cybersecurity regarding the Signal messenger (Kancelaria Prezesa Rady Ministrów)
3. SHub Reaper | macOS Stealer Spoofs Apple, Google, and Microsoft in a Single Attack Chain (SentinelOne)

ARTICLES COVERED:

1. uspected China-Linked Threat Actor Targets Global Manufacturer with Undocumented TencShell Malware (Cato Networks)
2. Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor (Darktrace)
3. Static Kitten APT Adversary Simulation (S3N4T0R)
4. DirtyCBC: When Linux Kernel Decrypt-Before-MAC Turns Authenticated Encryption Into a Page-Cache Write (delphoslabs.com)
5. Mullvad exit IPs as a fingerprinting vector (tmctmt)
6. An Improper Access Control vulnerability [CWE-284] in FortiAuthenticator may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests. (Fortinet)
7. LID: LID — Linux Integrity Drift: Bypassing AppArmor via eBPF pathname rewriting. Pre-LSM syscall argument manipulation with zero audit footprint. "Linux is Dying" (Azizcan Daştan)
8. HWMonitor Trojanized for STX RAT DLL Sideloading (Gurucul)
9. Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools (Palo Alto Networks)
10. Popular node-ipc npm Package Infected with Credential Steale... (Socket)
11. We Have Packet Capture at Home (Axelarator)
12. Admiralty System for CTI Claude skill (tsale)
13. Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files (unit42.paloaltonetworks.com)

ARTICLES COVERED:

1. Static Kitten APT Adversary Simulation (S3N4T0R)
2. uspected China-Linked Threat Actor Targets Global Manufacturer with Undocumented TencShell Malware (Cato Networks)
3. Chinese APT Campaign Targets Entities with Updated FDMTP Backdoor (Thoma Bravo .com)
4. Admiralty System for CTI Claude skill (**tsale**)
5. DirtyCBC: When Linux Kernel Decrypt-Before-MAC Turns Authenticated Encryption Into a Page-Cache Write (Delphos Labs)
6. Mullvad exit IPs as a fingerprinting vector (Thomas M. C. T.)
7. An Improper Access Control vulnerability [CWE-284] in FortiAuthenticator may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests. (Fortinet)
8. LID: LID — Linux Integrity Drift: Bypassing AppArmor via eBPF pathname rewriting. Pre-LSM syscall argument manipulation with zero audit footprint. "Linux is Dying" (Azizcan Daştan)
9. HWMonitor Trojanized for STX RAT DLL Sideloading (Gurucul .com)
10. Inside AD CS Escalation: Unpacking Advanced Misuse Techniques and Tools (Palo Alto Networks, Inc.)
11. Popular node-ipc npm Package Infected with Credential Steale... (Socket)
12. Gremlin Stealer's Evolved Tactics: Hiding in Plain Sight With Resource Files (Palo Alto Networks)
13. We Have Packet Capture at Home (axelarator)

ARTICLES COVERED:

1. Analysis of APT-C-55 (Kimsuky) group's attack activities involving the distribution of malicious payloads via GitHub and Dropbox. (Tencent)
2. FamousSparrow APT Targets Azerbaijani Oil and Gas Industry (Bitdefender)
3. Fast16: Pre-Stuxnet Sabotage Tool Was Built to Subvert Nuclear Weapons Simulations (Broadcom)
4. Help-Desk Lures Drop KongTuke's Evolved ModeloRAT (ReliaQuest .com)
5. Welcome to BlackFile: Inside a Vishing Extortion Operation (Google Cloud)
6. OrBit (Re)turns: Tracking an open-source Linux rootkit across four years of forks and deployments (Intezer)
7. Alert Number: I-051526-PSA | 15 May 2026 ShinyHunters: Cyber Criminal Group Attacks Learning Management System (Federal Bureau of Investigation (FBI))
8. Triggering the Secure Boot Certificate Update with Intune Remediations (Sastu Insights)
9. QEMUtiny is a memory corruption vulnerability in QEMU's implementation of CXL Type-3 device emulation, reported against QEMU master 007b29752e and confirmed working against 5e61afe (May 11, 2026). (V12 Security)
10. One Is a Fluke, 3 Is a Pattern: MCP Back-End Vulnerabilities (Akamai)
11. CVE-2026-20182: Critical authentication bypass in Cisco Catalyst SD-WAN Controller (FIXED) (Rapid7)
12. Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities (Cisco Talos)
13. Fragnesia (CVE-2026-46300) is a universal Linux local privilege escalation exploit (V12 Security)
14. FFFFirefox - A One-Day Wonder Renderer Exploit (kiddo-pwn)
15. MiniPlasma, a powerful LPE (Nightmare-Eclipse)
16. DoublePulsar: A User-Defined Reflective Loader in the Crystal Palace and Tradecraft Garden Era (memN0ps)
17. Stop Being Weird — Life After Call Stack Spoofing Under CET (Sizeable-Bingus)
18. Novel Evilginx Frontend - Lowering the barrier for token theft reuse (Paul Newton)

ARTICLES COVERED:

1. CVE-2026-42897 (CISA KEV)

ARTICLES COVERED:

1. CVE-2026-20182 (CISA KEV)
2. Thus Spoke…The Gentlemen (Check Point Research)
3. YellowKey: YellowKey Bitlocker Bypass Vulnerability (Nightmare-Eclipse)

ARTICLES COVERED:

1. Gamaredon's infection chain: Spoofed emails, GammaDrop and GammaLoad (HarfangLab)
2. Shai-Hulud: Another Wave and Going Open Source (Stream Security)
3. Android Intrusion Logging as a new source of data for consensual forensic analysis - Amnesty International Security Lab (Amnesty International Security Lab)
4. Undermining the trust boundary: Investigating a stealthy intrusion through third-party compromise (Microsoft)

ARTICLES COVERED:

1. Seedworm: Iran-Linked Hackers Breached Korean Electronics Maker in Global Spying Campaign (Threat Hunter Team at Broadcom)
2. Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access - some leaps pending technical details (Google Threat Intelligence)
3. Detecting Remote Thread Creation with Windows Driver (S12 - 0x12Dark Development)
4. bits from the release team - Aided by the efforts of the Reproducible Builds project, we've decided it's time to say that Debian must ship reproducible packages (The content posted at the URL is controlled by the **Debian Release Team** . **Paul Gevers** is listed as the sender of the announcement .)
5. Claude Code RCE: Exploiting Deeplink Handlers via Settings Injection (0day.click)
6. AMD has identified a vulnerability in the CPU operation (op/µop) cache on Zen 2‑based products that can cause incorrect instructions to be executed at a higher privilege level. (Advanced Micro Devices, Inc.)
7. rxrpc_privesc: RxRPC privesc PoC without fcrypt() restrictions (sgkdev)
8. Mythos finds a curl vulnerability (Daniel Stenberg)
9. Threat Actor Mr_Rot13 Actively Exploits CVE-2026-41940 for Backdoor Deployment (XLab's Cyber Threat Insight and Analysis System (CTIA))
10. Reverse Engineering a Multi Stage File Format Steganography Chain of the TeamPCP Telnyx Campaign (Hussein Muhaisen)
11. esp32-c5-deauth: A deauth with nuker for 2.4Ghz and 5Ghz controlled by BLE with Android app (The content posted at the URL is controlled by **maxbrito500**.)
12. LOLRMM Publishers - PR merges 182 new code signing certificates and adds important safety warnings to entries containing certificates from major software vendors. (The content posted at the URL is controlled by **MHaggis**.)
13. How Cloudflare responded to the “Copy Fail” Linux vulnerability (**Cloudflare** controls the content posted at the provided URL .)

ARTICLES COVERED:

1. EtwWatcher (Jonathan Johnson)
2. LUKSbox: Store sensitive files in the cloud, or on shared media without trusting the host. LUKSbox is a Rust-based encrypted-container tool with passphrase, FIDO2, TPM 2.0 etc (Sébastien Dudek)
3. CHERIoT-Ibex: Closing the door on memory safety vulnerabilities with hardware-enforced protection (Microsoft)
4. Fine of nearly £1m issued against South Staffordshire Plc and South Staffordshire Water Plc following major cyber attack and data breach (Information Commissioner's Office (ICO))
5. Donuts and Beagles: Fake Claude site spreads backdoor (Sophos X-Ops)

ARTICLES COVERED:

1. NZ announces sanctions on malicious Russian cyber actors, online platforms (Beehive.govt.nz)
2. Python Backdoor Threat Analysis Following an AI Deepfake Impersonation Campaign (www.genians.co.kr)
3. Unmanaged PowerShell Execution: Hunting Beyond powershell.exe (The content posted at the URL is controlled by **Nesrine Cherrabi**.)
4. Now You See Me: AADGraphActivityLogs (Cloudbrothers)
5. Update: Ongoing Checkmarx Supply Chain Security Incident (Checkmarx)
6. page_inject: CVE-2026-31431-killed page-cache exploit — code exec into containers sharing the same image layer (The content posted at the URL is controlled by **sgkdev**.)
7. The GNU MP Bignum Library - "We suspect that GMP's extremely tight loops around MULX make the Zen 5 cores use much more power than specified, making cooling solutions inadequate." (The Free Software Foundation controls the content posted at https://gmplib.org.)
8. Static Devirtualization of Themida (Back Engineering Labs)
9. AI in the Breach: How an Adversary Leveraged AI to Target a Water Utility’s OT (Dragos)

ARTICLES COVERED:

1. CVE-2026-42208 (CISA KEV)
2. Member of Prolific Russian Ransomware Group Sentenced to Prison (United States Department of Justice)
3. EasterBunny: advanced espionage artifacts attributed to APT29 (LAB52)
4. Where Have All the Complex Windows Malware and Their Analyses Gone? (r136a1.dev)
5. PCPJack | Cloud Worm Evicts TeamPCP and Steals Credentials at Scale (SentinelOne (SentinelLABS))
6. Let's Encrypt Status: Due to an issue with the cross-signed certificate from our Generation X root to our new Generation Y root, all issuance has been switched back to our Generation X root cert (Let's Encrypt)
7. Analyse des DNS-Ausfalls vom 5. Mai 2026 - Analysis of the DNS outage of May 5, 2026 (DENIC editorial team)
8. When prompts become shells: RCE vulnerabilities in AI agent frameworks (Microsoft)
9. Shift-Happens-Uncovering-to-builtin-command-injection-in-Windows-context-menus: Shift Happens: Uncovering two built-in command injections in Windows context menus (p0dalirius)
10. MOVEit Automation Critical Security Alert Bulletin – April 2026 – (CVE-2026-4670, CVE-2026-5174) (Progress)
11. Copy_Fail2-Electric_Boogaloo: Copy Fail 2: Electric Boogaloo (0xdeadbeefnetwork)
12. PositiveIntent: Evasive loader for .NET Framework assemblies (The content posted at the URL is controlled by **Mister-Joe**.)
13. The Accidental C2: Exploring Dev Tunnels for Remote Access (SpecterOps)
14. Living of the Land - DISM Sandbox Provider Hijack (NasBench)
15. SunnyDayBPF: SunnyDayBPF: eBPF-based post-syscall user-buffer telemetry deception (Azizcan Daştan)
16. Tracking the "Sorry" Extortionist Campaign Against cPanel Websites (afx_IDE)
17. Writing a Naive LLVM-based Devirtualizer (The content posted at the URL is by **eversinc33**.)
18. Lorem Ipsum Malware: Trojanized MS Teams Installers Deliver Multi-Stage Loader and Backdoor (BlueVoyant)
19. HyperVenom: Using Hyper-V for Ring -1 Control from Usermode | HyperVenom (The content posted at the URL is controlled by **gsmll**.)

ARTICLES COVERED:

1. Bleeding Llama: Critical Unauthenticated Memory Leak in Ollama (Cyera Research)

ARTICLES COVERED:

1. CVE-2026-0300 (CISA KEV)
2. CVE-2026-6973 (CISA KEV)
3. We are aware of a very limited number of customers exploited with CVE-2026-6973. Successful exploitation requires Admin authentication. (Ivanti)
4. Unpacking Russian-Iranian Private-Sector Cyber Connections (Margin Research)
5. OceanLotus suspected of distributing ZiChatBot malware via wheel packages in PyPI (Kaspersky Global Research and Analysis Team (GReAT))
6. Student Arrested in Taiwan for using SDR and Handheld Radios to Halt Four High Speed Trains with TETRA Hack (**RTL-SDR.com** is a blog that started as a hobby to share tutorials and curate content related to RTL-SDR dongles . The website itself is not controlled by a large media conglomerate like RTL Group , but rather by the individuals who contribute to and manage the blog .)
7. Dirty Frag: Universal Linux LPE (Hyunwoo Kim)
8. Two U.S. Nationals Sentenced for Facilitating Fraudulent Remote Information Technology Worker Schemes to Generate Revenue for the Democratic People’s Republic of Korea (United States Department of Justice)
9. Revealed: Russia’s top secret spy school teaching hacking and election meddling (The Guardian)

ARTICLES COVERED:

1. Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware (Rapid7)
2. Iranian-Nexus Operation Against Oman's Government: 12 Ministries Hit and 26,000 Citizen Records Exposed (Hunt.io)
3. UAT-8302 and its box full of malware (Cisco Talos)
4. A rigged game: ScarCruft compromises gaming platform in a supply-chain attack (ESET Research)
5. CVE-2026-0300 PAN-OS: Unauthenticated user initiated Buffer Overflow Vulnerability in User-ID™ Authentication Portal (Palo Alto Networks)
6. Inadvertent Injections (The content posted at the URL is controlled by sud0woodo.)

ARTICLES COVERED:

1. Popular DAEMON Tools software compromised (Securelist)
2. Accelerating Vulnerability Detection and Response at Oracle (Oracle)
3. The cPanel Zero-Day Was Active for 64 Days Before Anyone Knew (webhosting.today)

ARTICLES COVERED:

1. 《APT高级威胁研究报告》（2026 版）- Advanced Threat Research Report (2026 Edition) (book.yunzhan365.com)
2. 蔓灵花组织使用NUITKA打包的python样本进行投递 - The Manlinghua organization used Python samples packaged in NUITKA for delivery. (mp.weixin.qq.com)
3. vanguard: VanGuard is a self-contained incident response toolkit built in Go that gives DFIR teams a single binary for triage, threat hunting, memory forensics, disk collection, remote operations (ridgelinecyberdefence)
4. GIDR: A behavioral intrusion detection system for Windows. Files are innocent until proven guilty at runtime. When malicious behavior is detected, the entire attack chain is traced to root (The content posted at the URL is controlled by **tandrlemandrle**.)
5. Added new vulnerable samples for IoBitUnlocker, Zemana and TfSysMon (magicsword-io)
6. 38 CVEs in Healthcare Software Used by 100,000 Medical Providers (AISLE)
7. CVE-2026-31431：我用 DeepSeek 复现了 AI 发现Copy Fail 提权的全过程 - CVE-2026-31431: I used DeepSeek to reproduce the entire process of AI detecting Copy Fail privilege escalation. (The content posted at the URL is controlled by **Tencent**, the Chinese tech giant that owns WeChat (also known as Weixin). Tencent has close ties with the Chinese Communist Party (CCP), and as of 2023, the government held a small stake in the company. WeChat's external link content management is governed by Tencent's specifications.)
8. dMSA Ouroboros: Self-Sustaining Credential Extraction in Windows Server 2025 | Huntress (Huntress)
9. AMSI Page Guard Bypass (Rust PoC) (github.com)
10. N-Day Research with AI: Using Ollama and n8n (The content posted at the URL is controlled by **ghostbyt3** .)
11. Recursively fuzzing MS-RPC structures and monitoring using ETW (Incendium)
12. nginxpulse: 轻量级 Nginx 访问日志分析与可视化面板，提供实时统计、PV 过滤、IP 归属地与客户端解析。- A lightweight Nginx access log analysis and visualization dashboard, providing real-time statistics, PV filtering, IP geolocation etc (likaia)
13. gdrv3.sys - Reverse Engineering a Signed Kernel Driver with 13 Hardware Access Primitives (Zonifer)

ARTICLES COVERED:

1. Active exploitation of cPanel/WHM critical vulnerability (ASD's ACSC)
2. Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government and Defense Sectors in Asia (Trend Micro (US))
3. Impacket-IoCs: This repo contains the results of an internal re-write of impacket I undertook at my current company. It contains some of the IoCs found within the library (ThatTotallyRealMyth)
4. Study of Post Quantum status of Widely Used Protocols (Cisco Research (Tushin Mallick, Ashish Kundu, and Ramana Kompella))
5. AI-powered honeypots: Turning the tables on malicious AI agents (Talos Intelligence)
6. A hacker group was detained in Lviv Oblast, which hacked game accounts and received almost UAH 10 million in profit from their sale in Russia (gp.gov.ua)
7. Important Update From Trellix - "Trellix recently identified unauthorized access to a portion of our source code repository. " (Trellix)
8. ARP Around and Find Out: Hijacking GPO UNC Paths for Code Execution… (TrustedSec)
9. code-needle: A VS Code plugin to execute arbitrary JavaScript code at runtime over a local HTTP endpoint. (chvancooten)
10. copy.golf — golf your exploits - copy.fail smaller exploits (**Kabir Acharya** is the individual who controls the content posted at https://copy.golf/.)
11. Malicious Ruby Gems and Go Modules Impersonate Developer Tools to Steal Secrets and Poison CI (Socket)
12. Malicious Intercom PHP Package Spreads Mini Shai-Hulud Attack to Packagist via Composer Plugin (Semgrep)
13. Possible supply chain attack on version 2.6.3 · Issue #21689 · Lightning-AI/pytorch-lightning (Lightning-AI)
14. DragonBreath: Dragon in the Kernel (Ransom-ISAC team)
15. Watch Guard! Qilin affiliate exploits network appliances for initial access (Ctrl-Alt-Intel)
16. Meet Bluekit: The AI-Powered All-in-One Phishing Kit (Varonis Threat Labs)
17. IRQL - Incident Response Query Language - A collection of Kusto (KQL) functions that unify security logs behind a consistent, analyst-friendly dialect (The content posted at the URL is controlled by **Saar Ron, John Lambert, and Diana Damenova**.)
18. Holy-Grail-PCAP: "Holy Grail PCAP" is a capture file offering exceptional coverage across nearly all tcpdump/Wireshark encapsulation types and dissectors. (Sharon Brizinov .)

ARTICLES COVERED:

1. Russian Hacker Pleads Guilty in Oil and Gas Facility Attacks (**Bloomberg L.P.** controls the content posted at the provided URL . Bloomberg L.P. is a privately held financial, software, data, and media company co-founded by **Michael Bloomberg** . Michael Bloomberg is the majority owner of Bloomberg L.P. . Bloomberg News is a division of Bloomberg L.P. .)
2. South-East Asian Military Entities Targeted via cPanel (CVE-2026-41940) (Ctrl-Alt-Intel)
3. Two Americans Who Attacked Multiple U.S. Victims Using ALPHV BlackCat Ransomware Sentenced to Prison (United States Department of Justice)
4. April 27th - What happened with our feature flag configuration | The ClickUp Blog (ClickUp)
5. VECT: Ransomware by design, Wiper by accident - Check Point Research (Check Point Research)
6. Qilin Ransomware Enumerates RDP Authentication History on a Compromised Server | Cryptika Cybersecurity (Cryptika)
7. Seven Queries to Audit the Sentinel Detections Your SOC May Have Missed. (Rohitashokgowd)
8. month-of-bypasses: Proof-of-Concepts for Detection Engineering Purposes Only (Persistent Security)
9. Blog: Evolving the Android & Chrome VRPs for the AI Era (Google Bug Hunters)
10. pydep-vector-runner: A lightweight runner that guards against weird startup behaviors in python. Lightweight version of PyDepGuard's coderunner. (The content posted at the URL is controlled by **Ikari**.)
11. How to block CVE-2026-31431 (Copy Fail) (SEC West)
12. wg.copyfail.patch: CVE-2026-31431 eBPF fix - Copy.fail (The content posted at the URL is controlled by **wgnet**.)
13. Auditing Application Permissions in Microsoft Entra ID: Hidden Risks, Pitfalls, and Quarkslab's QAZPT Tool (Quarkslab)
14. VisualSploit: Backdoor Visual Studio project files with custom shellcode, which executes whenever the project is opened or built. (Meltedd)
15. DoomSyscalls: Clean Indirect Syscalls with Hook Evasion & Return Address Spoofing. (SilentisVox)
16. Agentic Malware Analysis: From Task Automation to Deep Analysis (github.com)

ARTICLES COVERED:

1. Analyzing the Silver Fox tax campaign and the new ABCDoor backdoor (AO Kaspersky Lab)
2. Careful adoption of agentic AI services (Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC), United States Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Canadian Centre for Cyber Security (Cyber Centre), New Zealand National Cyber Security Centre (NCSC-NZ), and United Kingdom National Cyber Security Centre (NCSC-UK))
3. WordPress Plugin Hijacked in 2020 Hid a Dormant Backdoor for Years (The content posted on the website is controlled by **anadnet** .)
4. CVE-2026-42167 Allows Auth Bypass And RCE In ProFTPD - in an extension, not core (ZeroPath)
5. Security Advisory: Firmware Update Required — Gen 6, Gen 7, and Gen 8 Firewalls (SonicWall)
6. New Vulnerabilities in NVIDIA NeMo and Meta PyTorch Enable Full System Compromise (Cato Networks)
7. Making Vulnerable Drivers Exploitable Without Hardware - The BYOVD Perspective (atos.net)
8. Komari Red: The Monitoring Tool with a Built-in Reverse Shell (Huntress)
9. Preparing for a ‘vulnerability patch wave’ (National Cyber Security Centre)

ARTICLES COVERED:

1. CVE-2026-41940 (CISA KEV)
2. Security: CVE-2026-41940 - cPanel & WHM / WP2 Security Update 04/28/2026 (cPanel)
3. Prolific Chinese state-sponsored contract hacker extradited from Italy (U.S. Attorney's Office, Southern District of Texas)
4. The Federal Bureau of Investigation is publishing this Public Service Announcement to warn the public of cyber threat actors increasingly using sophisticated, cyber-enabled tactics to steal cargo (Federal Bureau of Investigation)
5. Adapting Zero Trust Principles to Operational Technology (CISA)
6. 2033170 - DigiCert: Misissued code signing certificates (DigiCert)
7. SQL injection in Proxy API key verification in LiteLLM (BerriAI)
8. Living off the Cloud (SANS Institute)
9. Three Bugs Walk Into a PDF: Prototype Pollution, Served Cold (StarLabs)

ARTICLES COVERED:

1. xlabs_v1 DDoS-for-Hire Operation Exposed: How an Operator's Debug Build Unraveled a Commercial Game-Server Botnet (hunt.io)
2. Copy Fail — 732 Bytes to Root (theori-io)
3. TeamPCP-Linked Supply Chain Attack Hits SAP CAP and Cloud MTA npm Packages (socket.dev)
4. The Internet Is Falling Down, Falling Down, Falling Down (cPanel & WHM Authentication Bypass CVE-2026-41940) (watchTowr Labs)
5. SAP Cloud Build Tool Packaged A Mini Shai-Hulud Malicious Dependency That Uses Bun (semgrep.dev)