ModHeader spy, RabbitMQ OAuth flaw, VPN sanctions
RabbitMQ’s management endpoint exposed the OAuth client secret to anyone without authentication (CVE-2026-5721, CVSS 8.7). An attacker who grabs the secret can impersonate the broker to an identity provider and seize admin control over queues, messages, and users. Patching to v4.3.0 or later and locking down the management UI mitigates the risk.
Internet-wide scans are now probing Model Context Protocol (MCP) servers and AI assistant config files. Researchers observed 200+ AI‑focused requests from 49 distinct IPs, each sending a valid MCP handshake, indicating attackers are mapping exposed LLM endpoints before trying to hijack them.
French researchers uncovered a publicly exposed Python HTTP server that revealed the full toolset of three separate Evilginx‑based phishing operators targeting Microsoft 365 users. The dump included configs, logs, RMM installers and Telegram sessions, showing how each actor bypasses MFA with custom AiTM setups. The find highlights the danger of simple misconfigurations exposing entire attack infrastructures.
Angelo Martino, who billed companies as a ransomware negotiator, secretly passed their insurance limits and negotiation strategies to the BlackCat gang, inflating ransom demands. He was convicted of conspiracy to extort and sentenced to 70 months in federal prison, sending a warning that insiders who aid ransomware will face stiff penalties.
The U.S. Treasury has sanctioned First VPN Service (1VPNS) and its Ukrainian administrator for providing ransomware groups with anonymizing infrastructure. It also targeted a Belarusian seller of “cryptors,” tools that hide malware. The action severs a critical supply‑chain node and signals an aggressive U.S. stance against cyber‑crime enablers.
Researchers uncovered a dormant spying module in the official ModHeader extension that harvested visited domains, encrypted them, and posted to an external server. Google and Microsoft removed the 1.6 million‑install tool from Chrome and Edge stores, warning users to uninstall immediately.
CrashStealer is a native C++ macOS infostealer masquerading as Apple’s crash‑reporting framework. It arrives in a signed, notarized DMG called “Werkbit Setup,” which clears Gatekeeper and then installs the payload that harvests browsers, crypto wallets, password managers and the keychain, encrypting the loot with AES‑GCM before exfiltration. This shows attackers can exploit Apple’s notarization to bypass macOS defenses.
Check Point Research uncovered a new .NET‑based command‑and‑control framework used by the Iran‑MOIS‑backed group Cavern Manticore. The actors hijack SysAid’s legitimate software‑update feature to sideload a malicious DLL, then load additional native and managed modules for reconnaissance, data exfiltration, and lateral movement. The modular design lets operators tailor payloads per victim and hampers analysis.
Progress Software ordered all on‑prem ShareFile Storage Zone Controller servers shut down, citing a credible external security threat despite finding no evidence of breach. Administrators must power off the Windows hosts immediately, preserving logs for a later investigation. The move underscores the heightened risk to self‑hosted file‑sharing platforms after the 2023 MOVEit fallout.
The agency has renamed its Office of Computer Network Operations to Tailored Access Operations, undoing the 2016 NSA21 split. Under Deputy Director Tim Kosiba, the move reunites developers and operators to speed up exploit development ahead of rising AI-driven threats.
The UK and EU jointly announced their first coordinated cyber‑sanctions, naming Russia’s FSB Centre 16 as the culprit behind the December 2025 attack that threatened to plunge half a million Poles into darkness. The package bars 24 individuals and groups, signalling a new escalation in Western response to state‑sponsored hacking.
Researchers show that a single crafted email can force a persistent AI assistant to silently store false information, altering its future replies and actions. Their MemGhost tool automates the payload, achieving up to 87% success on popular agents, exposing a new vector for long‑term compromise of personal AI agents.
Tempolocus lets analysts turn raw timestamps, like PE TimeDateStamp values, into probabilistic location guesses by profiling weekly or yearly activity patterns. By ranking timezone offsets and holiday calendars, it highlights likely countries, giving threat intel teams a cheap, data‑driven clue for attribution.
Subscribe free