Kopia RCE, Gogs Zero‑Day, FBI $20.9B Loss
Researchers discovered CVE‑2026‑45695, a critical 9.8‑scored flaw in Kopia’s /api/v1/repo/exists endpoint that forwards SFTP settings directly to the SSH binary, enabling unauthenticated remote code execution via ProxyCommand injection. The bug affects Kopia versions ≤0.22.3 when run without password protection on network‑exposed interfaces. Updating to 0.23.0 or restricting the server to localhost mitigates the risk.
Wiz Research uncovered a critical zero‑day in the self‑hosted Git service Gogs, where authenticated users can exploit a symlink bypass to write arbitrary files outside a repository, leading to remote code execution. Over 700 publicly‑exposed Gogs instances were found compromised before a fix was released in v0.13.4.
Talos argues that relying on CVSS alone misguides patching, as it measures severity not exploitation risk. It recommends combining CVSS with EPSS, which predicts the likelihood of a CVE being exploited, and using GCVE for faster, global vulnerability enrichment, enabling organizations to focus on threats that truly matter.
The FBI’s 2025 Internet Crime Report documents over 1 million complaints and a historic $20.9 billion in reported losses, a 26% jump from 2024. It highlights a surge in cryptocurrency fraud and AI‑driven scams, underscoring the growing sophistication of online threats.
Security researchers at OX Security uncovered 'mouse5212-super-formatter', a malicious npm package that exfiltrates files from Anthropic Claude’s /mnt/user-data directory to a threat‑actor‑controlled GitHub repo. The package also inadvertently exposed the attacker’s private GitHub token, allowing rapid detection and mitigation. It had over 600 downloads before removal.
GCHQ director Anne Keast‑Butler warned that Russia is launching daily hybrid attacks against the UK and Europe, targeting everything from undersea cables to cyber networks. The agency is bolstering subsea cable defenses, disrupting Russian sanction‑evasion infrastructure and countering sabotage, urging businesses and governments to treat cybersecurity with ten‑fold urgency.
Cybersecurity firm Group‑IB uncovered a Chinese‑language fraud operation, dubbed GHOST STADIUM, that has registered over 4,300 domains mimicking FIFA’s site, with more than 300 actively phishing for ticket purchases and credentials. The scheme could cost fans up to $474 million, targeting premium tickets for the 2026 World Cup.
Pathfinding Labs is a collection of over 100 intentionally vulnerable AWS environments, deployable via Terraform and managed through a Go CLI, enabling red and blue teams to practice privilege escalation and CSPM misconfigurations. It builds on the pathfinding.cloud catalog, provides CTF‑style hints and automated exploit scripts, and helps validate detections and improve cloud security tooling.
Honeyslop is an open‑source collection of decoy code snippets that act as canaries for projects overwhelmed by AI‑hallucinated, unverified vulnerability reports. By embedding these canaries, developers can quickly spot false alerts and reduce noise, improving security triage in the age of large‑language‑model generated findings.
Prempti is an open‑source tool that intercepts every tool call (shell commands, file ops, web fetches, etc.) made by AI coding agents and evaluates them against configurable Falco rules, returning allow, deny, or ask verdicts. It offers real‑time visibility, audit logs, and guardrail or monitor modes, helping developers enforce security policies for AI‑driven code generation.
SpecterOps released TailscaleHound, an OpenGraph collector that feeds Tailscale data into BloodHound. It models users, devices, groups, tags, ACLs, routes, SSH rules and more, letting analysts query and visualise attack paths such as which users can reach a device or use an exit node. This improves visibility of Tailscale‑based access in red‑team assessments.
Subscribe free