Rapid7 PAN-OS bugs, Veeam RCE, Seedworm DLL hijacks
Rapid7’s Managed Detection and Response team observed real‑world exploitation of Palo Alto Networks’ PAN‑OS GlobalProtect authentication bypass (CVE‑2026‑0257) across multiple customers as early as May 17, 2026. The vulnerability lets unauthenticated attackers establish VPN connections, prompting Rapid7 to urge urgent patching despite its medium CVSS rating.
Veeam disclosed a critical remote‑code‑execution vulnerability (CVSS 9.4) in Service Provider Console that could be triggered through enabled alarm script execution. The flaw, reported via HackerOne, is mitigated by disabling the script execution flag or upgrading to version 9.2.1 (build 33875). Administrators are urged to patch immediately.
Iran‑linked Seedworm (MuddyWater) ran an espionage campaign in early 2026 against nine organizations across nine countries, abusing legitimate Fortemedia fmapp.exe and SentinelOne sentinelmemoryservice.exe binaries to sideload malicious DLLs. The loaders delivered ChromElevator, stealing browser credentials and data, while a Node.js script orchestrated the attack.
Microsoft identified a supply‑chain attack where a threat actor published 14 malicious npm packages that typo‑squat popular OpenSearch and Elastic libraries. The packages execute a preinstall hook to steal AWS credentials, HashiCorp Vault tokens, CI/CD pipeline secrets, and npm publish tokens for further exploitation.
Profero researchers uncovered an Iranian state‑directed persona, Cyber Isnaad Front, that reprogrammed industrial control systems and deployed malware to wipe Windows servers in Israeli factories during a cease‑fire, using OT sabotage as a low‑cost continuation of conflict. The campaign shows how cyber attacks fill the gaps between kinetic wars.
A detailed blog post reveals BoldTealLayer’s multi‑stage attack chain, featuring a legitimate signed host that side‑loads a malicious DLL which launches a Lua engine to bypass Windows defenses and inject a .NET payload. The author provides IOCs, YARA rules, and mitigation guidance.
SANS ISC reports an unknown RAT infection that delivered NetSupport Manager RAT via the SmartApeSG ClickFix campaign. The initial RAT communicated with a C2 server on TCP 443 and later dropped malicious NetSupport files, establishing persistence on Windows hosts. Indicators include varied domains, hashes, and C2 IPs.
The article benchmarks over 3,000 DNS resolvers to compare DoH, DoT, DoQ, and DoH3, highlighting performance, privacy, and compatibility differences. It explains that while DoH shields queries from ISP snooping, it cannot mitigate attacks from compromised or malicious resolvers. The piece also outlines DNS hijacking risks inherent to unencrypted DNS.
The article explains how data center infrastructure, sold as neutral cloud and AI support, underpins government fusion centers that merge police, immigration and criminal data, effectively creating a digital panopticon. Privacy advocates warn this unremarkable hardware enables mass monitoring with little oversight.
The UN human rights office warns that blocking children from social media is insufficient, urging platforms to embed safety by design, enforce strict age verification, and conduct child‑rights impact assessments. It stresses that bans can be bypassed and push youth toward riskier, unregulated digital spaces.
Matthew Green’s blog details a weekend project exploring the signed, encrypted “thinking” blobs returned by Claude and OpenAI APIs. The blobs enable cryptographic verification and secure, privacy‑preserving LLM reasoning, suggesting a path toward auditable AI inference.
MalShark is an MCP‑based server that lets AI clients run tshark analyses on PCAPs via natural‑language prompts, producing structured IOC reports. Its detection rules were tuned and benchmarked against real malware captures from malware‑traffic‑analysis.net, ensuring practical relevance.
NVIDIA released SkillSpector, an open‑source scanner that analyzes AI agent skill packages for security flaws, malicious patterns, and supply‑chain risks. It supports multiple formats, runs static and LLM‑semantic checks, and outputs reports in JSON, Markdown, SARIF and more, helping developers vet skills before deployment.
A security researcher shows how to find a vulnerable driver not on Microsoft’s blocklist, use it to strip Protected Process Light from LSASS, and dump its memory while XOR‑obfuscating the dump to evade current EDR solutions. The step‑by‑step guide covers driver selection, exploitation and stealth techniques.
Subscribe free