Intelligence Feed
Turla Turns Kazuar Backdoor Into Modular P2P Botnet for Persistent Access
The Hacker News
15 May 2026
SEV 6/10
Turla Turns Kazuar Backdoor Into Modular P2P Botnet for Persistent Access Ravie Lakshmanan May 15, 2026 Botnet / Threat Intelligence The Russian state-sponsored hacking group known as Turla has transformed its custom backdoor Kazuar into a modular peer-to-peer (P2P) botnet that's engineered for stealth and persistent access to compromised hosts. Cybersecurity and Infrastructure Security Agency (CISA), is assessed to be affiliated with Center 16 of Russia's Federal Security Service (FSB). It overlaps with activity traced by the broader cybersecurity community under the names ATG26, Blue Python, Iron Hunter, Pensive Ursa, Secret Blizzard (formerly Krypton), Snake, SUMMIT, Uroburos, Venomous Bear, Waterbug, and WRAITH.
Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence
The Hacker News
15 May 2026
SEV 8/10
Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence Ravie Lakshmanan May 15, 2026 Vulnerability / AI Security Cybersecurity researchers have disclosed a set of four security flaws in OpenClaw that could be chained to achieve data theft, privilege escalation, and persistence. The vulnerabilities, collectively dubbed Claw Chain by Cyera, can permit an attacker to establish a foothold, expose sensitive data, and plant backdoors. A brief description of the flaws is below - CVE-2026-44112 (CVSS score: 9.6/6.3) - A time-of-check/time-of-use (TOCTOU) race condition vulnerability in the OpenShell managed sandbox backend that allows attackers to bypass sandbox restrictions and redirect writes outside the intended mount root.
What 45 Days of Watching Your Own Tools Will Tell You About Your Real Attack Surface
The Hacker News
15 May 2026
SEV 6/10
What 45 Days of Watching Your Own Tools Will Tell You About Your Real Attack Surface The Hacker News May 15, 2026 Endpoint Security / Threat Detection Your Biggest Security Risk Isn't Malware — It's What You Already Trust , we made a simple argument: the most dangerous activity inside most organizations no longer looks like an attack. PowerShell, WMIC, netsh, Certutil, MSBuild — the same trusted utilities your IT team uses every day are also the preferred toolkit of modern threat actors. Bitdefender's analysis of 700,000 high-severity incidents found legitimate-tool abuse in 84% of them .
TanStack Supply Chain Attack Hits Two OpenAI Employee Devices, Forces macOS Updates
The Hacker News
15 May 2026
SEV 6/10
TanStack Supply Chain Attack Hits Two OpenAI Employee Devices, Forces macOS Updates Ravie Lakshmanan May 15, 2026 Supply Chain Attack / Malware OpenAI has disclosed that two of its employee devices in its corporate environment were impacted via the Mini Shai-Hulud supply chain attack on TanStack, but noted that no user data, production systems, or intellectual property were compromised or modified in an unauthorized manner. "Upon identification of the malicious activity, we worked quickly to investigate, contain, and take steps to protect our systems," OpenAI said . "We observed activity consistent with the malware's publicly described behavior, including unauthorized access and credential-focused exfiltration activity, in a limited subset of internal source code repositories to which the two impacted employees had access." The artificial intelligence (AI) upstart said only limited credential material was successfully transferred from these code repositories, adding no other information or code was impacted.
On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email
The Hacker News
15 May 2026
SEV 8/10
On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email Ravie Lakshmanan May 15, 2026 Microsoft / Vulnerability Microsoft has disclosed a new security vulnerability impacting on-premise versions of Exchange Server that it said has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-42897 (CVSS score: 8.1), has been described as a spoofing bug stemming from a cross-site scripting flaw. An anonymous researcher has been credited with discovering and reporting the issue.
CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV After Admin Access Exploits
The Hacker News
15 May 2026
SEV 8/10
CISA Adds Cisco SD-WAN CVE-2026-20182 to KEV After Admin Access Exploits Ravie Lakshmanan May 15, 2026 Vulnerability / Credential Theft The U.S.Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a newly disclosed vulnerability impacting Cisco Catalyst SD-WAN Controller to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the issue by May 17, 2026. The vulnerability is a critical authentication bypass tracked as CVE-2026-20182 . It's rated 10.0 on the CVSS scoring system, indicating maximum severity.
Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access
The Hacker News
14 May 2026
SEV 8/10
Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access Ravie Lakshmanan May 14, 2026 Vulnerability / Network Security Cisco has released updates to address a maximum-severity authentication bypass flaw in Catalyst SD-WAN Controller that it said has been exploited in limited attacks. The vulnerability, tracked as CVE-2026-20182 , carries a CVSS score of 10.0. "A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system," Cisco said .
Stealer Backdoor Found in 3 Node-IPC Versions Targeting Developer Secrets
The Hacker News
14 May 2026
SEV 8/10
Stealer Backdoor Found in 3 Node-IPC Versions Targeting Developer Secrets Ravie Lakshmanan May 14, 2026 Developer Security / Supply Chain Attack Cybersecurity researchers are sounding the alarm about what has been described as "malicious activity" in newly published versions of node-ipc. According to Socket StepSecurity , three different versions of the npm package have been confirmed as malicious - node-ipc@9.1.6 node-ipc@9.2.3 node-ipc@12.0.1 "Early analysis indicates that node-ipc@9.1.6, node-ipc@9.2.3, and node-ipc@12.0.1 contain obfuscated stealer/backdoor behavior," Socket said. "The malware appears to fingerprint the host environment, enumerate and read local files, compress and chunk collected data, wrap the payload in a cryptographic envelope, and attempt exfiltration through a network endpoint selected via DNS/address logic." StepSecurity said the heavily obfuscated payload is triggered when the package is required at runtime, and attempts to exfiltrate a broad set of developer and cloud secrets to an external command-and-control (C2) server.
ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories
The Hacker News
14 May 2026
SEV 9/10
ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories Ravie Lakshmanan May 14, 2026 Hacking News / Cybersecurity News Everything is still on fire. This week feels dumb in the worst way — bad links, weak checks, fake help desks, shady forum posts, and people turning supply chain attacks into some cursed little game for clout and cash. Half of it feels like crap we should have fixed years ago.
Ghostwriter Targets Ukrainian Government With Geofenced PDF Phishing, Cobalt Strike
The Hacker News
14 May 2026
SEV 8/10
Ghostwriter Targets Ukrainian Government With Geofenced PDF Phishing, Cobalt Strike Ravie Lakshmanan May 14, 2026 Hacktivism / Data Theft The Belarus-aligned threat group known as Ghostwriter has been attributed to a fresh set of attacks targeting governmental organizations in Ukraine. Active since at least 2016, Ghostwriter has been linked to both cyber espionage and influence operations targeting neighboring countries, particularly Ukraine. It's also tracked under the monikers FrostyNeighbor, PUSHCHA, Storm-0257, TA445, UAC‑0057, Umbral Bison (formerly RepeatingUmbra), UNC1151, and White Lynx.
PraisonAI CVE-2026-44338 Auth Bypass Targeted Within Hours of Disclosure
The Hacker News
14 May 2026
SEV 8/10
PraisonAI CVE-2026-44338 Auth Bypass Targeted Within Hours of Disclosure Ravie Lakshmanan May 14, 2026 Vulnerability / API Security Threat actors have been observed attempting to exploit a recently disclosed security vulnerability in PraisonAI , an open-source multi-agent orchestration framework, within four hours of its public disclosure. The vulnerability in question is CVE-2026-44338 (CVSS score: 7.3), a case of missing authentication that exposes sensitive endpoints to anyone, potentially allowing an attacker to invoke the API server's protected functionality without a token. " PraisonAI ships a legacy Flask API server with authentication disabled by default," according to an advisory released by the maintainers earlier this month.
How AI Hallucinations Are Creating Real Security Risks
The Hacker News
14 May 2026
SEV 6/10
How AI Hallucinations Are Creating Real Security Risks The Hacker News May 14, 2026 Artificial Intelligence / Identity Security AI hallucinations are introducing serious security risks into critical infrastructure decision-making by exploiting human trust through highly confident yet incorrect outputs. When an AI model lacks certainty, it doesn’t have a mechanism to recognize that. Instead, it generates the most probable response based on patterns in its training data, even if that response is inaccurate.
Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation
The Hacker News
14 May 2026
SEV 8/10
Windows Zero-Days Expose BitLocker Bypasses And CTFMON Privilege Escalation Ravie Lakshmanan May 14, 2026 Zero-Day / Vulnerability An anonymous cybersecurity researcher who disclosed three Microsoft Defender vulnerabilities has returned with two more zero-days involving a BitLocker bypass and a privilege escalation impacting Windows Collaborative Translation Framework (CTFMON). security defects have been codenamed YellowKey GreenPlasma , respectively, by the researcher, who goes by the online aliases Chaotic Eclipse and Nightmare-Eclipse. The researcher described as "one of the most insane discoveries I ever found," likening the BitLocker bypass to functioning as a backdoor, as the bug is present only in the Windows Recovery Environment ( WinRE ), a built-in framework designed to troubleshoot and repair common unbootable operating system issues.
New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption
The Hacker News
14 May 2026
SEV 8/10
New Fragnesia Linux Kernel LPE Grants Root Access via Page Cache Corruption Ravie Lakshmanan May 14, 2026 Vulnerability / Linux Details have emerged about a new variant of the recent Dirty Frag Linux local privilege escalation (LPE) vulnerability that allows local attackers to gain root access, making it the third such bug to be identified in the kernel within a span of two weeks. Codenamed Fragnesia , the security vulnerability is tracked as CVE-2026-46300 (CVSS score: 7.8) and is rooted in the Linux kernel's XFRM ESP-in-TCP subsystem. It was discovered by researcher William Bowling of Zellic and the V12 security team.
18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE
The Hacker News
14 May 2026
SEV 8/10
18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE Ravie Lakshmanan May 14, 2026 Vulnerability / Web Server Cybersecurity researchers have disclosed multiple security vulnerabilities impacting NGINX Plus and NGINX Open, including a critical flaw that remained undetected for 18 years. The vulnerability, discovered depthfirst , is a heap buffer overflow issue impacting ngx_http_rewrite_module (CVE-2026-42945, CVSS v4 score: 9.2) that could allow an attacker to achieve remote code execution or cause a denial-of-service (DoS) with crafted requests. It has been codenamed NGINX Rift .
Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday
The Hacker News
13 May 2026
SEV 8/10
Microsoft's MDASH AI System Finds 16 Windows Flaws Fixed in Patch Tuesday Ravie Lakshmanan May 13, 2026 Vulnerability / Artificial Intelligence Microsoft has unveiled a new multi-model artificial intelligence (AI)-driven system called MDASH to facilitate vulnerability discovery and remediation at scale, adding that it's being tested by some customers as part of a limited private preview. MDASH, short for m ulti-mo d el a gentic s canning h arness, is designed as a model-agnostic system that uses bespoke AI agents for different vulnerability classes to autonomously discover, validate, and prove exploitable defects in complex codebases like Windows. "Unlike single-model approaches, the harness orchestrates more than 100 specialized AI agents across an ensemble of frontier and distilled models to discover, debate, and prove exploitable bugs end-to-end," Taesoo Kim, vice president of agentic security at Microsoft, said .
Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation
The Hacker News
13 May 2026
SEV 6/10
Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation Ravie Lakshmanan May 13, 2026 Cyber Espionage / Malware A threat actor with affiliations to China has been linked to a "multi-wave intrusion" targeting an unnamed Azerbaijani oil and gas company between late December 2025 and late February 2026, marking an expansion of its targeting. The activity has been attributed by Bitdefender with moderate-to-high confidence to a hacking group known as FamousSparrow (aka UAT-9244), which shares some level of tactical overlap with clusters tracked under the monikers Earth Estries and Salt Typhoon. The attack paves the way for the deployment of two distinct backdoors across three separate waves: Deed RAT (aka Snappybee), a successor of ShadowPad that's used by multiple China-nexus espionage groups, and TernDoor , which was recently discovered in attacks targeting telecommunications infrastructure in South America since 2024.
[Webinar] How Modern Attack Paths Cross Code, Pipelines, and Cloud
The Hacker News
13 May 2026
SEV 6/10
[Webinar] How Modern Attack Paths Cross Code, Pipelines, and Cloud The Hacker News May 13, 2026 AppSec / Webinar TL;DR: Stop chasing thousands of "toast" alerts. Join experts from Wiz to learn how hackers connect tiny flaws to build a "Lethal Chain" to your data—and how to break it. Register for the Strategic Briefing Here .
Most Remediation Programs Never Confirm the Fix Actually Worked
The Hacker News
13 May 2026
SEV 6/10
Most Remediation Programs Never Confirm the Fix Actually Worked The Hacker News May 13, 2026 Cloud Security / Automation Security teams have never had better visibility into their environments and never been worse at confirming what they fix stays fixed. Mandiant's M-Trends 2026 report puts the mean time to exploit at an estimated negative seven days. The Verizon 2025 DBIR puts median time to remediate edge device vulnerabilities at 32 days.
Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws
The Hacker News
13 May 2026
SEV 8/10
Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws Ravie Lakshmanan May 13, 2026 Patch Tuesday / Vulnerability Microsoft on Tuesday released patches for 138 security vulnerabilities spanning its product portfolio, although none of them have been listed as publicly known or under active attack. Of the 138 flaws, 30 are rated Critical, 104 are rated Important, three are rated Moderate, and one is rated Low in severity. As many as 61 vulnerabilities are classified as privilege escalation bugs, followed by 32 remote code execution, 15 information disclosure, 14 spoofing, eight denial-of-service, six security feature bypass, and two tampering flaws.
GemStuffer Abuses 150+ RubyGems to Exfiltrate Scraped U.K. Council Portal Data
The Hacker News
13 May 2026
SEV 6/10
GemStuffer Abuses 150+ RubyGems to Exfiltrate Scraped U.K. Council Portal Data Ravie Lakshmanan May 13, 2026 Software Supply Chain / Data Exfiltration Cybersecurity researchers are calling attention to a new campaign dubbed GemStuffer that has targeted the RubyGems repository with more than 150 gems that use the registry as a data exfiltration channel rather than for malware distribution. "The packages do not appear designed for mass developer compromise," Socket said .
Android Adds Intrusion Logging for Sophisticated Spyware Forensics
The Hacker News
13 May 2026
SEV 6/10
Android Adds Intrusion Logging for Sophisticated Spyware Forensics Ravie Lakshmanan May 13, 2026 Encryption / Spyware Google on Tuesday unveiled a new opt-in Android feature called Intrusion Logging for storing forensic logs to better analyze sophisticated spyware attacks. Intrusion Logging, available as part of Advanced Protection Mode , enables "persistent and privacy-preserving forensics logging to allow for investigation of devices in the event of a suspected compromise," the company said. The feature, it added, was developed in partnership with Amnesty International and Reporters Without Borders.
New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution
The Hacker News
12 May 2026
SEV 8/10
New Exim BDAT Vulnerability Exposes GnuTLS Builds to Potential Code Execution Ravie Lakshmanan May 12, 2026 Vulnerability / Email Security Exim has released security updates to address a severe security issue affecting certain configurations that could enable memory corruption and potential code execution. Exim is an open-source Mail Transfer Agent (MTA) designed for Unix-like systems to receive, route, and deliver email. The vulnerability, tracked as CVE-2026-45185 (CVSS score: 9.8), aka Dead.Letter, has been described as a use-after-free vulnerability in Exim's binary data transmission (BDAT) message body parsing when a TLS connection is handled by GnuTLS.
RubyGems Suspends New Signups After Hundreds of Malicious Packages Are Uploaded
The Hacker News
12 May 2026
SEV 6/10
RubyGems Suspends New Signups After Hundreds of Malicious Packages Are Uploaded Ravie Lakshmanan May 12, 2026 Supply Chain Attack / Software Security RubyGems , the standard package manager for the Ruby programming language, has temporarily paused account sign ups following what has been described as a "major malicious attack." "We're dealing with a major malicious attack on RubyGems right now," Maciej Mensfeld, senior product manager for software supply chain security at Mend.io, said in a post on X. "Signups are paused for the time being. Hundreds of packages involved – mostly targeting us, but some carrying exploits." Visitors to RubyGems' sign up page are now greeted with the message: "New account registration has been temporarily disabled." Mend.io, which secures RubyGems, said it intends to release more details once the incident is contained.
New TrickMo Variant Uses TON C2 and SOCKS5 to Create Android Network Pivots
The Hacker News
12 May 2026
SEV 6/10
New TrickMo Variant Uses TON C2 and SOCKS5 to Create Android Network Pivots Ravie Lakshmanan May 12, 2026 Malware / Mobile Security Cybersecurity researchers have flagged a new version of the TrickMo Android banking trojan that uses The Open Network (TON) for command-and-control (C2). The new variant, observed by ThreatFabric between January and February 2026, has been observed actively targeting banking and cryptocurrency wallet users in France, Italy, and Austria. "TrickMo relies on a runtime-loaded APK (dex.module), used also by the previous variant, but updated with new features adding new network-oriented functionality, including reconnaissance, SSH tunnelling, and SOCKS5 proxying capabilities that allow infected devices to function as programmable network pivots and traffic-exit nodes," the Dutch mobile security company said in a report shared with The Hacker News.
Webinar: What the Riskiest SOC Alerts Go Unanswered - and How Radiant Security Can Help
The Hacker News
12 May 2026
SEV 6/10
Webinar: What the Riskiest SOC Alerts Go Unanswered - and How Radiant Security Can Help The Hacker News May 12, 2026 Threat Detection / AI Security Why do the Riskiest SOC Alerts Go Unanswered? Security operations teams are drowning in alerts. But the real problem isn't always alert volume; it's the blind spots.
Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages
The Hacker News
12 May 2026
SEV 8/10
Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages Ravie Lakshmanan May 12, 2026 Supply Chain Attack / Malware TeamPCP , the threat actor behind the recentsupply chain attack spree, has been linked to the compromise of the npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI as part of a fresh Mini Shai-Hulud campaign. The affected npm packages have been modified to include an obfuscated JavaScript file ("router_init.js") that's designed to profile the execution environment and launch a comprehensive credential stealer capable of targeting cloud providers, cryptocurrency wallets, AI tools, messaging apps, and CI systems, including Github Actions, multiple reports from Aikido Security , Endor Labs , SafeDep , Socket , StepSecurity , and Snyk show. The data is exfiltrated to the "filev2.getsession[.]org" domain.
Why Agentic AI Is Security's Next Blind Spot
The Hacker News
12 May 2026
SEV 6/10
Why Agentic AI Is Security's Next Blind Spot The Hacker News May 12, 2026 Artificial Intelligence / Threat Detection Agentic AI is already running in production environments across many organizations today. It is executing tasks, consuming data, and taking actions — most likely without meaningful involvement from the security team. The industry conversation has largely framed this as a question of policy: allow it, restrict it, or monitor it?
Instructure Reaches Ransom Agreement with ShinyHunters to Stop 3.65TB Canvas Leak
The Hacker News
12 May 2026
SEV 6/10
Instructure Reaches Ransom Agreement with ShinyHunters to Stop 3.65TB Canvas Leak Ravie Lakshmanan May 12, 2026 Vulnerability / Network Security American educational technology company Instructure, the parent company of Canvas, said it reached an "agreement" with a decentralized cybercrime extortion group after it breached its network and threatened to leak stolen information from thousands of schools and universities. In an update shared on Monday, the Utah-based firm said it "reached an agreement with the unauthorized actor involved in this incident," citing "concerns about the potential publication of data." In taking the controversial decision to pay a ransom to avoid a leak, the company said the agreement covers all its impacted customers and that the pilfered data was returned to it, along with digital confirmation of data destruction. It also said it has been informed that none of the company's customers will be separately extorted as a result of the hack.
OpenAI Launches Daybreak for AI-Powered Vulnerability Detection and Patch Validation
The Hacker News
12 May 2026
SEV 6/10
OpenAI Launches Daybreak for AI-Powered Vulnerability Detection and Patch Validation Ravie Lakshmanan May 12, 2026 Vulnerability / AI Security OpenAI has launched Daybreak , a new cybersecurity initiative that brings together frontier artificial intelligence (AI) model capabilities and Codex Security to help organizations identify and patch vulnerabilities before attackers find a way in using the same issues. "Daybreak combines the intelligence of OpenAI models, the extensibility of Codex as an agentic harness, and our partners across the security flywheel to help make the world safer for everyone," the AI upstart said . "Defenders can bring secure code review, threat modeling, patch validation, dependency risk analysis, detection, and remediation guidance into the everyday development loop so software becomes more resilient from the start." Like Anthropic's Mythos , the idea is to leverage AI to tilt the balance in favor of defenders and help detect and address security issues before they are found by bad actors.
iOS 26.5 Brings Default End-to-End Encrypted RCS Messaging Between iPhone and Android
The Hacker News
12 May 2026
SEV 6/10
iOS 26.5 Brings Default End-to-End Encrypted RCS Messaging Between iPhone and Android Ravie Lakshmanan May 12, 2026 Encryption / Mobile Security Apple on Monday officially released iOS 26.5 with support for end-to-end encryption (E2EE) to Rich Communication Services (RCS) in beta as part of a "cross-industry effort" to replace traditional SMS with a more secure alternative. To that end, E2EE RCS messaging is rolling out to iPhone users running iOS 26.5 with supported carriers and Android users on the latest version of Google Messages. The feature is enabled by default for both new and existing conversations in both platforms.
TeamPCP Compromises Checkmarx Jenkins AST Plugin Weeks After KICS Supply Chain Attack
The Hacker News
11 May 2026
SEV 6/10
TeamPCP Compromises Checkmarx Jenkins AST Plugin Weeks After KICS Supply Chain Attack Ravie Lakshmanan May 11, 2026 Supply Chain Attack / DevSecOps Checkmarx has confirmed that a modified version of the Jenkins AST plugin was published to the Jenkins Marketplace. "If you are using Checkmarx Jenkins AST plugin, you need to ensure that you are using the version 2.0.13-829.vc72453fa_1c16 that was published on December 17, 2025 or previously," the cybersecurity company said in a statement over the weekend. As of writing, Checkmarx has released 2.0.13-848.v76e89de8a_053 on both GitHub and the Jenkins Marketplace.
cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor
The Hacker News
11 May 2026
SEV 8/10
cPanel CVE-2026-41940 Under Active Exploitation to Deploy Filemanager Backdoor Ravie Lakshmanan May 11, 2026 Vulnerability / Ransomware A threat actor named Mr_Rot13 has been attributed to the exploitation of a recently disclosed critical cPanel flaw to deploy a backdoor codenamed Filemanager on compromised environments. The attack exploits CVE-2026-41940 , a vulnerability impacting cPanel and WebHost Manager (WHM) that could result in an authentication bypass and allow remote attackers to gain elevated control of the control panel. According to a new report from QiAnXin XLab, the security defect has been exploited by a number of threat actors shortly after its public disclosure late last month, resulting in malicious behaviors like cryptocurrency mining, ransomware, botnet propagation, and backdoor implantation.
Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation
The Hacker News
11 May 2026
SEV 6/10
Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation Ravie Lakshmanan May 11, 2026 Artificial Intelligence / Vulnerability Google on Monday disclosed that it identified an unknown threat actor using a zero-day exploit that it said was likely developed with an artificial intelligence (AI) system, marking the first time the technology has been put to use in the wild in a malicious context for vulnerability discovery and exploit generation. The activity is said to be the work of cybercrime threat actors who appear to have collaborated together to plan what the tech giant described as a "mass vulnerability exploitation operation." "Our analysis of exploits associated with this campaign identified a zero-day vulnerability implemented in a Python script that enables the user to bypass two-factor authentication (2FA) on a popular open-source, web-based system administration tool," Google Threat Intelligence Group (GTIG) said in a report shared with The Hacker News. The tech giant said it worked with the impacted vendor to responsibly disclose the flaw and get it fixed in order to proactively disrupt the activity.
⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
The Hacker News
11 May 2026
SEV 8/10
⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More Ravie Lakshmanan May 11, 2026 Cybersecurity / Hacking Rough Monday. Somebody poisoned a trusted download again, somebody else turned cloud servers into public housing, and a few crews are still getting into boxes with bugs that should’ve died years ago — the same old holes, same lazy access paths, same “how the hell is this still open” feeling. One report this week basically reads like a guy tripped over root access by accident and decided to stay there.
Your Purple Team Isn't Purple — It's Just Red and Blue in the Same Room
The Hacker News
11 May 2026
SEV 6/10
Your Purple Team Isn't Purple — It's Just Red and Blue in the Same Room The Hacker News May 11, 2026 Artificial Intelligence / Penetration Testing Defending a network at 2 am looks a lot like this: an analyst copy-pasting a hash from a PDF into a SIEM query. A red team script is being rewritten by hand so the blue team can use it. A patch waiting on a change-approval window that's longer than the exploitation window itself.
Fake OpenAI Privacy Filter Repo Hits #1 on Hugging Face, Draws 244K Downloads
The Hacker News
11 May 2026
SEV 6/10
Fake OpenAI Privacy Filter Repo Hits #1 on Hugging Face, Draws 244K Downloads Ravie Lakshmanan May 11, 2026 Supply Chain Attack / Threat Intelligence A malicious Hugging Face repository managed to take a spot in the platform's trending list by impersonating OpenAI's Privacy Filter open-weight model to deliver a Rust-based information stealer to Windows users. The project, named Open-OSS/privacy-filter , masqueraded as its legitimate counterpart released by OpenAI late last month ( openai/privacy-filter ), including copying the entire description verbatim to trick unsuspecting users into downloading it. Access to the malicious model has since been disabled by Hugging Face.
Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak
The Hacker News
10 May 2026
SEV 8/10
Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak Ravie Lakshmanan May 10, 2026 Vulnerability / Data Breach Cybersecurity researchers have disclosed a critical security vulnerability in Ollama that, if successfully exploited, could allow a remote, unauthenticated attacker to leak its entire process memory. The out-of-bounds read flaw, which likely impacts over 300,000 servers globally, is tracked as CVE-2026-7482 (CVSS score: 9.1). It has been codenamed
Bleeding Llama by Cyera.
cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now
The Hacker News
09 May 2026
SEV 9/10
cPanel, WHM Release Fixes for Three New Vulnerabilities — Patch Now Ravie Lakshmanan May 09, 2026 Vulnerability / Web Hosting cPanel has released updates to address three vulnerabilities in cPanel and Web Host Manager (WHM) that could be exploited to achieve privilege escalation, code execution, and denial-of-service. The list of vulnerabilities is as follows - CVE-2026-29201 (CVSS score: 4.3) - An insufficient input validation of the feature file name in the "feature::LOADFEATUREFILE" adminbin call that could result in an arbitrary file read. CVE-2026-29202 (CVSS score: 8.8) - An insufficient input validation of the "plugin" parameter in the "create_user API" call that could result in arbitrary Perl code execution on behalf of the already authenticated account's system user.
TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms
The Hacker News
08 May 2026
SEV 6/10
TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms Ravie Lakshmanan May 08, 2026 Malware / Threat Intelligence Threat hunters have flagged a previously undocumented Brazilian banking trojan dubbed TCLBANKER that's capable of targeting 59 banking, fintech, and cryptocurrency platforms. The activity is being tracked by Elastic Security Labs under the moniker REF3076 . The malware family is assessed to be a major update of the Maverick family, which is known to leverage a worm called SORVEPOTEL to spread via WhatsApp Web to a victim's contacts.
Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads
The Hacker News
08 May 2026
SEV 6/10
Fake Call History Apps Stole Payments From Users After 7.3 Million Play Store Downloads Ravie Lakshmanan May 08, 2026 Android / Mobile Security Cybersecurity researchers have discovered fraudulent apps on the official Google Play Store for Android that falsely claimed to offer access to call histories for any phone number, only to trick users into joining a subscription that provided fake data and incurred financial loss. The 28 apps have collectively racked up more than 7.3 million downloads, with one of them alone accounting for over 3 million downloads, before they were taken down from the official app storefront.The activity, codenamed CallPhantom by Slovakian cybersecurity company ESET, primarily targeted Android users in India and the broader Asia-Pacific region. "The offending apps, which we named CallPhantom based on their false claims, purport to provide access to call histories, SMS records, and even WhatsApp call logs for any phone number," ESET security researcher Lukáš Štefanko said in a report shared with The Hacker News.
One Click, Total Shutdown: The "Patient Zero" Webinar on Killing Stealth Breaches
The Hacker News
08 May 2026
SEV 6/10
One Click, Total Shutdown: The "Patient Zero" Webinar on Killing Stealth Breaches The Hacker News May 08, 2026 Artificial Intelligence / Threat Detection The hardest part of cybersecurity isn't the technology, it’s the people. Every major breach you’ve read about lately usually starts the same way: one employee, one clever email, and one "Patient Zero" infection. In 2026, hackers are using AI to make these "first clicks" nearly impossible to spot.
Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise
The Hacker News
08 May 2026
SEV 6/10
Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise Ravie Lakshmanan May 08, 2026 Linux / DevOps A previously undocumented Linux implant codenamed Quasar Linux RAT (QLNX) is targeting developers' systems to establish a silent foothold as well as facilitate a broad range of post-compromise functionality, such as credential harvesting, keylogging, file manipulation, clipboard monitoring, and network tunneling. "QLNX targets developers and DevOps credentials across the software supply chain," Trend Micro researchers Aliakbar Zahravi and Ahmed Mohamed Ibrahim said in a technical analysis of the malware. "Its credential harvester extracts secrets from high-value files such as .npmrc (npm tokens), .pypirc (PyPI credentials), .git-credentials, .aws/credentials, .kube/config, .docker/config.json, .vault-token, Terraform credentials, GitHub CLI tokens, and .env files.
One Missed Threat Per Week: What 25M Alerts Reveal About Low-Severity Risk
The Hacker News
08 May 2026
SEV 6/10
One Missed Threat Per Week: What 25M Alerts Reveal About Low-Severity Risk The Hacker News May 08, 2026 Threat Detection / AI Security The dark secret of enterprise security operations is that defenders have quietly institutionalized the practice of not looking. This is not just anecdotal, but rather backed by a recent report investigating more than 25 million security alerts, including informational and low-severity, across live enterprise environments. The dataset behind these findings includes 10 million monitored endpoints and identities, 82,000 forensic endpoint investigations including live memory scans, 180 million files analyzed, and telemetry from 7 million IP addresses, 3 million domains and URLs, and over 550,000 phishing emails.
New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials
The Hacker News
08 May 2026
SEV 6/10
New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials Ravie Lakshmanan May 08, 2026 Malware / Threat Intelligence Cybersecurity researchers have disclosed details of a new Linux backdoor named PamDOORa that's being advertised on the Rehub Russian cybercrime forum for $1,600 by a threat actor called "darkworm." The backdoor is designed as a Pluggable Authentication Module ( PAM )-based post-exploitation toolkit that enables persistent SSH access by means of a magic password and specific TCP port combination. It's also capable of harvesting credentials from all legitimate users who authenticate through the compromised system. "The tool, called PamDOORa, is a new PAM-based backdoor, designed to serve as a post-exploitation backdoor, enabling authentication to servers via OpenSSH," Flare.io researcher Assaf Morag said in a technical report.
Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions
The Hacker News
08 May 2026
SEV 8/10
Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions Ravie Lakshmanan May 08, 2026 Linux / Vulnerability Details have emerged about a new, unpatched local privilege escalation (LPE) vulnerability impacting the Linux kernel. Dubbed Dirty Frag , it has been described as a successor to Copy Fail (CVE-2026-31431, CVSS score: 7.8), a recently disclosed LPE flaw impacting the Linux kernel that has since come under active exploitation in the wild. The vulnerability was reported to Linux kernel maintainers on April 30, 2026.
Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access
The Hacker News
07 May 2026
SEV 9/10
Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access Ravie Lakshmanan May 07, 2026 Vulnerability / Network Security Ivanti is warning that a new security flaw impacting Endpoint Manager Mobile (EPMM) has been explored in limited attacks in the wild. The high-severity vulnerability, CVE-2026-6973 (CVSS score: 7.2), is a case of improper input validation affecting EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. It allows "a remotely authenticated user with administrative access to achieve remote code execution," Ivanti said in an advisory released today.
PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems
The Hacker News
07 May 2026
SEV 8/10
PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems Ravie Lakshmanan May 07, 2026 Threat Intelligence / Cloud Security Cybersecurity researchers have disclosed details of a new credential theft framework dubbed PCPJack that targets exposed cloud infrastructure and ousts any artifacts linked to TeamPCP from the environments. "The toolset harvests credentials from cloud, container, developer, productivity, and financial services, then exfiltrates the data through attacker-controlled infrastructure while attempting to spread to additional hosts," SentinelOne security researcher Alex Delamotte said in a report published today. PCPJack is specifically designed to target cloud services like Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications, allowing the operators to spread in a worm-like fashion, aswell as move laterally within the compromised networks.
PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage
The Hacker News
07 May 2026
SEV 8/10
PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage Ravie Lakshmanan May 07, 2026 Vulnerability / Cyber Espionage Palo Alto Networks has disclosed that threat actors may have attempted to unsuccessfully exploit a recently disclosed critical security flaw as early as April 9, 2026. The vulnerability in question is CVE-2026-0300 (CVSS score: 9.3/8.7), a buffer overflow vulnerability in the User-ID Authentication Portal service of Palo Alto Networks PAN-OS software that could allow an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted packets. While fixes are expected to be released starting May 13, 2026, customers are advised to secure access to the PAN-OS User-ID Authentication Portal by restricting access to trusted zones, or by disabling it entirely if it's not used.
ThreatsDay Bulletin: Edge Plaintext Passwords, ICS 0-Days, Patch-or-Die Alerts and 25+ New Stories
The Hacker News
07 May 2026
SEV 8/10
ThreatsDay Bulletin: Edge Plaintext Passwords, ICS 0-Days, Patch-or-Die Alerts and 25+ New Stories Ravie Lakshmanan May 07, 2026 Hacking News / Cybersecurity News Bad week. Turns out the easiest way to get hacked in 2026 is still the same old garbage: shady packages, fake apps, forgotten DNS junk, scam ads, and stolen logins getting dumped into Discord channels like it’s normal. Some of these attack chains don’t even feel sophisticated anymore.