Latest stories — Page 33

PCPJack Turns 230 Hijacked Cloud Servers Into a Stealth SMTP Relay Grid
Compromised AWS, Google Cloud, and Azure instances were quietly converted into verified mail relays and resold downstream every five minutes.

Inspector General Pins NVD Backlog on NIST Mismanagement — But the Real Problem Runs Deeper
A Commerce Department IG report calls out strategic failures, duplicated work, and severity scores that matched only 12% of the time. Budget cuts and genAI-driven vuln volume tell the rest of the story.

TA4922 Broadens Phishing Sweep Into U.K., Germany, Italy and South Africa
The China-linked crew is rotating through ValleyRAT, Atlas RAT and freshly minted payloads at a pace researchers describe as unusually fast.

Claude Mythos Preview Reportedly Breached Within Hours, Renewing Agentic AI Risk Questions
An unverified claim of unauthorized access to Anthropic's limited technical preview has defense-sector buyers asking whether agentic models belong on production networks at all.

Public PoC Lands for Cisco Unified CM Root-Write Bug CVE-2026-20230
An unauthenticated SSRF in Cisco Unified Communications Manager opens a path to root. Cisco's PSIRT hasn't observed in-the-wild use — yet.

HTTP/2 Bomb: A Decade-Old Compression Trick Finally Gets a CVE
A chained HPACK attack lets small packets force runaway memory allocation on nginx, Apache, IIS, Envoy, and Cloudflare's Pingora. Patches are partial. Exposure is wide.

One GitHub Issue Was Enough to Pwn Repos Running Claude Code Action
A bug in Anthropic's Claude Code GitHub Action turned issue triage into arbitrary code execution — including, briefly, against the action's own repo.

$7M Says Autonomous Agents Can Fix the Identity Sprawl Problem
Offroad exits stealth with a bet that AI-driven security agents can manage what platform teams stopped being able to track manually — machine identities, third-party app permissions, and the rest of the non-human identity mess.

Webinar Highlights Gaps in Third-Party Risk Management
A critical look at third-party risk programs and their practical failures.

The Week the Tape Came Off: Old Bugs, Cheap C2, and AI That Breaks Things
A roundup of the criminal-economy churn driving this week's intrusions, from plugin holes to agentic AI gone feral.

FlutterShell: A macOS Backdoor Wrapped in Flutter, Dropped by Ad Clicks
Unit 42 traces a malvertising operation to the same crew behind JSCoreRunner, this time hiding a backdoor inside Flutter-built Mac apps.

TA4922 Broadens European Targeting With ValleyRAT, Atlas RAT Loadouts
A China-nexus cluster tracked as TA4922 is hitting orgs in the UK, Germany, Italy, and South Africa, mixing known RATs with newer tooling.

Silent RCE in Hugging Face Transformers Hides Behind a Single Config Field
CVE-2026-4372 lets an attacker own any machine that loads a poisoned model — no warnings, no prompts, no trace. The trust_remote_code flag didn't help.

Five-Month Outlook Intrusion at Global Stock Exchange Exfiltrated via Dropbox, OneDrive
Threat hunters say the executive's mailbox was siphoned in small batches over consumer cloud channels — a pattern consistent with state-aligned espionage rather than financially motivated crime.

Lookalike Open-Source Portals Are SEO-Climbing Their Way to Malware Delivery
A Traffic Distribution System fronts fake project sites to drop Remus Stealer, AnimateClipper, and the SessionGate framework. None of this is an auth problem — but the stolen sessions afterward absolutely are.

CISA Flags Magento Cache Extension Bug as Actively Exploited
CVE-2026-45247, an unsafe deserialization flaw in Mirasvit Cache Warmer, lands in KEV after in-the-wild abuse against Magento storefronts.

Unpacking the 'Son of Mythos': AI's Role in Vulnerability Discovery
As Anthropic and OpenAI expand AI tool access, organizations face both risks and opportunities.

Disruption Week: Feds Yank Millions of Accounts in Crypto Fraud Sweep, Seize $3.8M
DOJ-led action against Southeast Asia 'pig butchering' rings hit infrastructure, not just wallets. The interesting question is what the platforms knew, and when.

GitHub's Browser VSCode Handed Attackers a Skeleton Key to Your Private Repos
An unscoped OAuth token, a Jupyter notebook, and a skipped publisher trust check. That's all it took.

AI Workloads Are Breaking the Public-Cloud Default
Cost pressure and data sensitivity are pushing enterprises back toward private infrastructure — and the provider landscape isn't standing still while they decide.

Redis Patches Two-Year-Old Use-After-Free Surfaced by Autonomous AI Bug Hunter
CVE-2026-23479 sat in the blocking-client code from Redis 7.2.0 until the May 5 fixes. An authenticated user could parlay it into arbitrary OS command execution.