Topics

CVEs, actors, campaigns, incidents, tools, and annual reports tracked across briefs. The badge marks items covered in more than one brief — these are the "stories that unfolded".

• EFK audit: federal cyber-governance split leaves SEPOS/FS BIS without complete incident picture
  incidentincident:ch-efk-federal-cyber-governance-auditlast covered 2026-06-22
  2026-06-22
• Brazil national Cell Broadcast emergency-alert platform hijacked; ~30M fake Extreme Alerts
  incidentincident:brazil-cell-broadcast-hijacklast covered 2026-06-22
  2026-06-22
• eBanking phishing using IPv4-mapped IPv6 URL notation to bypass regex URL scanners
  campaigncampaign:ebanking-ipv4-mapped-ipv6-phishinglast covered 2026-06-22
  2026-06-22
• AryStinger botnet — reconnaissance/proxy network on EoL D-Link routers + QNAP NAS
  campaigncampaign:arystinger-botnetlast covered 2026-06-22
  2026-06-22
• RoguePlanet: TOCTOU race in Microsoft Defender scan engine -> SYSTEM LPE, PoC, no CVE/patch
  vulnerability-trenditem:nightmare-eclipse-rogueplanet-defender-toctou-lpe-2026-06last covered 2026-06-21×2 appearances
  2026-W252026-06-11
• ShinyHunters Oracle PeopleSoft data-theft campaign (100+ orgs, ~300 instances, education-heavy; Univ. of Nottingham confirmed)
  campaigncampaign:shinyhunters-peoplesoft-2026last covered 2026-06-21×6 appearances
  2026-W252026-W242026-06-162026-06-132026-06-12
• The Gentlemen ransomware (Storm-2697 / Phantom Mantis): self-propagating Go encryptor
  campaigncampaign:the-gentlemen-ransomware-storm2697last covered 2026-06-21×2 appearances
  2026-W252026-06-12
• FortiBleed — 73,932 FortiGate device credentials exposed; active Russian-speaking brute-force/AD-lateral campaign
  incidentincident:fortibleed-fortigate-credential-exposurelast covered 2026-06-21×3 appearances
  2026-W252026-06-202026-06-18
• Mastra npm namespace backdoored via easy-day-js (dormant contributor account)
  campaigncampaign:mastra-easy-day-js-supply-chainlast covered 2026-06-21×3 appearances
  2026-W252026-06-212026-06-18
• Operation Endgame expands to SocGholish/TA569 — 106 C2 servers, 14,971 WordPress sites
  incidentincident:operation-endgame-socgholish-ta569last covered 2026-06-21×2 appearances
  2026-W252026-06-19
• Icarus extortion: dormant Klue credential → harvested OAuth tokens → bulk Salesforce CRM theft
  campaigncampaign:icarus-klue-salesforce-oauthlast covered 2026-06-21×3 appearances
  2026-W252026-06-212026-06-19
• Gentlemen RaaS — operator-maintained GentleKiller EDR-killer framework (BYOVD, 48 vendors)
  actoractor:gentlemen-raas-gentlekillerlast covered 2026-06-21×3 appearances
  2026-W252026-06-202026-06-19
• Kodak confirms breach after ShinyHunters leak-site listing; June 18 deadline passed without publication
  incidentincident:kodak-shinyhunters-breachlast covered 2026-06-21×2 appearances
  2026-W252026-06-20
• Prinz Eugen — Go-based ransomware, recent-files-first, no ransom note
  campaigncampaign:prinz-eugen-ransomwarelast covered 2026-06-21
  2026-06-21
• Popa residential-proxy botnet (Vo1d plugin) tied to Alarum/NetNut by Krebs/Qurium
  campaigncampaign:popa-vo1d-residential-proxy-botnetlast covered 2026-06-21
  2026-06-21
• UK ICO Commissioner John Edwards resigns with immediate effect
  incidentincident:uk-ico-commissioner-resignation-2026last covered 2026-06-21
  2026-06-21
• HCRG Care Group notifies patients 16 months after Feb-2025 Medusa breach
  incidentincident:hcrg-medusa-notification-delaylast covered 2026-06-21
  2026-06-21
• Texas Parks & Wildlife 3.08M licence holders exposed via third-party vendor
  incidentincident:texas-parks-wildlife-vendor-breachlast covered 2026-06-21
  2026-06-21
• One Medical (Amazon) legacy-storage breach; ShinyHunters 8.8TB claim unverified
  incidentincident:one-medical-amazon-shinyhunterslast covered 2026-06-21×2 appearances
  2026-W252026-06-21
• Nintendo employee data stolen from third-party HR-survey SaaS TinyPulse (Shadowbyt3$ extortion)
  incidentincident:nintendo-tinypulse-shadowbyt3last covered 2026-06-20
  2026-06-20
• usbliter8 — permanent unpatchable SecureROM boot-chain exploit for Apple A12/A13 silicon (checkm8 successor)
  toolitem:usbliter8-securerom-exploitlast covered 2026-06-20
  2026-06-20
• AutoJack — single-web-page host RCE via AI agent's local MCP WebSocket (AutoGen Studio dev builds)
  vulnerability-trenditem:autojack-mcp-websocket-rcelast covered 2026-06-20
  2026-06-20
• UK ICO criminal caution — London Clinic insider accessed Princess of Wales medical records
  incidentincident:ico-london-clinic-princess-wales-insiderlast covered 2026-06-19
  2026-06-19
• CryptoBandits — USB-LNK worm + Tor hidden-service C2 driving a clipboard hijacker
  campaigncampaign:cryptobandits-usb-lnk-tor-clipperlast covered 2026-06-19
  2026-06-19
• Sophos X-Ops — cautious-but-concrete AI adoption in the cybercrime underground
  campaigncampaign:underground-ai-adoption-sophoslast covered 2026-06-19
  2026-06-19
• ScarCruft (APT37) NarwhalRAT — fake Microsoft OTP lures, compiled-Python RAT, pCloud dead-drop C2
  campaigncampaign:scarcruft-narwhalratlast covered 2026-06-18
  2026-06-18
• China arrests 67 Silver Fox (Winos/ValleyRAT) cybercrime operators
  incidentincident:silver-fox-arrests-china-2026last covered 2026-06-18
  2026-06-18
• Zammad 7.1 — 13 vulns incl admin privesc/SSRF, BSI WID-SEC-2026-1981, DACH public-sector helpdesk
  vulnerability-trenditem:zammad-7.1-security-releaselast covered 2026-06-18
  2026-06-18
• 15 malicious JetBrains Marketplace plugins exfiltrate AI provider API keys (Aikido)
  campaigncampaign:jetbrains-marketplace-malicious-ai-pluginslast covered 2026-06-18
  2026-06-18
• Rust crypto clipboard-hijacker abusing VirusTotal community reputation (Check Point)
  campaigncampaign:rust-crypto-clipper-virustotal-reputationlast covered 2026-06-18
  2026-06-18
• Novo Nordisk discloses theft of clinical-trial and HCP data
  incidentincident:novo-nordisk-clinical-trial-breach-2026last covered 2026-06-17×3 appearances
  2026-06-172026-06-162026-06-13
• Munich LHM-Services GmbH — ~120,000 student records suspected on darknet, suspected insider threat, Bavarian DPA notified
  incidentitem:munich-lhm-services-120k-student-records-darknet-insiderlast covered 2026-06-17
  2026-06-17
• FishMonger (I-SOON) ports SprySOCKS backdoor to Windows (WIN_DRV/WIN_PLUS) with kernel-driver rootkit; government targets
  campaignitem:fishmonger-isoon-sprysocks-windows-kernel-rootkitlast covered 2026-06-17
  2026-06-17
• ErrTraffic — ClickFix MaaS distribution framework with EtherHiding/Polygon C2 resolution; EU WordPress targeting
  campaignitem:sekoia-errtraffic-clickfix-maas-polygon-c2last covered 2026-06-17
  2026-06-17
• Potemkin loader + RMMProject RAT via ClickFix — Chromium App-Bound Encryption bypass, EtherRAT
  campaignitem:huntress-potemkin-loader-rmmproject-clickfix-abe-bypasslast covered 2026-06-17
  2026-06-17
• Rokarolla Android banking trojan — 217 banking/crypto apps, 137 commands, default call/SMS handler hijack
  campaignitem:zimperium-rokarolla-android-banker-217-appslast covered 2026-06-17
  2026-06-17
• DragonForce intrusion — first ITW Microsoft Teams TURN-relay C2 (Backdoor.Turn) + four-driver BYOVD chain
  campaignitem:dragonforce-backdoor-turn-teams-relay-byovdlast covered 2026-06-17
  2026-06-17
• FortiSandbox triple active exploitation (CVE-2026-39808/39813/25089) — simultaneous in-the-wild exploitation
  campaignitem:fortisandbox-triple-active-exploitationlast covered 2026-06-17
  2026-06-17
• UNC6508 (PRC) — INFINITERED implant on internet-facing REDCap servers + Google Workspace BCC content-compliance rule for covert research/defence email exfiltration
  campaigncampaign:unc6508-infinitered-redcap-2026last covered 2026-06-16
  2026-06-16
• Awesome Motive CDN supply-chain attack — OptinMonster/TrustPulse/PushEngage scripts tampered on ~1.2M WordPress sites; rogue admins + hidden backdoor plugin (via CVE-2026-10795)
  incidentincident:awesome-motive-cdn-supply-chain-2026last covered 2026-06-16
  2026-06-16
• DPRK UNK_DeadDrop (rel. Contagious Interview) — VS Code/Cursor tasks.json runOn:folderOpen auto-exec delivering Overlord Go C2 to developers; EU targets FR/DE/NL
  campaigncampaign:unk-deaddrop-2026last covered 2026-06-16
  2026-06-16
• iRhythm Holdings (cardiac MedTech) — SEC 8-K Item 1.05: social engineering of third-party-hosted apps; PHI/PII/proprietary data theft + ransom demand
  incidentincident:irhythm-data-theft-2026last covered 2026-06-16
  2026-06-16
• Google lawsuit vs China-based "Outsider" PhaaS weaponising Gemini to generate phishing pages
  campaigncampaign:outsider-phaas-gemini-2026last covered 2026-06-15×2 appearances
  2026-06-152026-06-13
• Handala (Void Manticore) breaches California Water Service via internet-exposed RTKBase NTRIP/GNSS caster; billing PII pivot, no OT access
  incidentincident:cal-water-handala-rtkbase-gnss-2026last covered 2026-06-15
  2026-06-15
• Mini Shai-Hulud — TeamPCP SAP CAP npm supply-chain worm
  campaigncampaign:mini-shai-huludlast covered 2026-06-14×8 appearances
  2026-W242026-W222026-W192026-06-102026-05-26
• UPDATE: Chaotic Eclipse Windows zero-days — MiniPlasma is third PoC (cldflt.sys CfAbortHydration, claimed CVE-2020-17103 regression on fully patched Win11)
  campaignitem:windows-zero-day-proliferation-yellowkey-greenplasma-miniplalast covered 2026-06-14×4 appearances
  2026-W242026-W232026-W212026-05-19
• Rapid7 publishes unpatched Gogs argument-injection RCE with Metasploit module
  vulnerability-trenditem:gogs-unpatched-argument-injection-rce-rapid7-metasploitlast covered 2026-06-14×3 appearances
  2026-W242026-W232026-05-29
• NCSC-CH pre-event cyber advisory for the G7 Évian summit (DDoS/intel-collection/mobile targeting)
  campaigncampaign:g7-evian-2026last covered 2026-06-14×2 appearances
  2026-W242026-06-03
• VerdantBamboo (UNC5221/WARP PANDA) — China-nexus; BRICKSTORM on edge devices, MSP supply-chain, M365 CA bypass, AGENTPSD/PLENET
  actoractor:VerdantBamboolast covered 2026-06-14×3 appearances
  2026-W242026-W232026-06-05
• Maine AG breach portal abused for fraudulent VRChat/Discord filings
  incidentincident:maine-breach-portal-fraudulent-filings-2026last covered 2026-06-14×3 appearances
  2026-W242026-06-132026-06-12
• "Atomic Arch" AUR supply-chain — 400+ hijacked packages drop Rust stealer + eBPF rootkit
  campaigncampaign:atomic-arch-aur-supply-chain-2026last covered 2026-06-14×2 appearances
  2026-W242026-06-13
• Velvet Ant "Operation Highland" — decade-long Linux PAM/sshd auth-stack subversion (China-nexus)
  campaigncampaign:velvet-ant-operation-highland-2026last covered 2026-06-14×2 appearances
  2026-W242026-06-13
• APT28 (GRU Unit 26165) tradecraft evolution — LameHug LLM-driven stealer, BeardShell cloud C2, FrostArmada router DNS hijack (Sekoia)
  campaigncampaign:apt28-tradecraft-evolution-2026last covered 2026-06-14×2 appearances
  2026-W242026-06-14
• Cyber Europe 2026 — first EU-wide test of 2025 EU Cyber Blueprint and first live activation of the EU Cybersecurity Reserve
  incidentincident:cyber-europe-2026-eu-cybersecurity-reservelast covered 2026-06-14
  2026-06-14
• Conti loader developer Oleksii Lytvynenko pleads guilty in US federal court after extradition from Ireland
  incidentincident:conti-lytvynenko-guilty-plea-2026last covered 2026-06-14
  2026-06-14
• Kyushu Electric subsidiary loses unencrypted SSD with 10.9M customer records — reportedly Japan's largest personal-data breach
  incidentincident:kyushu-electric-ssd-loss-2026last covered 2026-06-14
  2026-06-14
• European Commission refers France and Spain to the CJEU over NIS2 non-transposition
  policypolicy:eu-nis2-cjeu-referral-france-spain-2026last covered 2026-06-14SINGLE-SOURCE
  2026-W24
• Germany Bundestag first reading of CRA domestic-implementation bill (Drucksache 21/6134)
  policypolicy:germany-cra-implementation-bill-2026last covered 2026-06-14
  2026-W24
• ENISA SBOM Adoption State of Play 2026 — first EU-wide SBOM baseline
  policypolicy:enisa-sbom-adoption-state-of-play-2026last covered 2026-06-14
  2026-W24
• South Korea PIPC record fine on Coupang over unrevoked former-employee signing key
  incidentincident:coupang-pipc-record-fine-2026last covered 2026-06-13
  2026-06-13
• Check Point LangGraph checkpointer SQLi->RCE chain (CVE-2025-67644 + CVE-2026-28277 + CVE-2026-27022)
  vulnerability-trendcampaign:langgraph-checkpointer-sqli-rce-2026last covered 2026-06-13
  2026-06-13
• "Agentjacking" — MCP injection of AI coding agents via forged Sentry error events (Tenet Security)
  campaigncampaign:agentjacking-mcp-sentry-injection-2026last covered 2026-06-13
  2026-06-13
• AudiA6 ransomware crypto-laundering service dismantled (US/Europol, CH participating)
  incidentincident:audia6-crypto-laundering-takedown-2026last covered 2026-06-12
  2026-06-12
• GreatXML: Nightmare Eclipse unpatched BitLocker/WinRE bypass, public PoC
  vulnerability-trendcampaign:greatxml-bitlocker-bypass-2026last covered 2026-06-12
  2026-06-12
• CISA BOD 26-04 — risk-tiered federal remediation, supersedes BOD 22-01/19-02
  incidentpolicy:cisa-bod-26-04last covered 2026-06-12
  2026-06-12
• OpenClaw AI agent: indirect prompt injection (Imperva) + agent phishing (Varonis)
  campaigncampaign:openclaw-prompt-injection-agent-phishing-2026last covered 2026-06-12
  2026-06-12
• OceanLotus/APT32 SPECTRALVIPER via FireAnt MetaKit update-server supply-chain compromise
  campaigncampaign:oceanlotus-apt32-fireant-supplychain-2026last covered 2026-06-12
  2026-06-12
• npm v12 disables install lifecycle scripts by default (July 2026)
  incidentpolicy:npm-v12-install-scripts-default-off-2026last covered 2026-06-12
  2026-06-12
• ServiceNow unauthenticated REST endpoint (/api/now/related_list_edit/create) queried customer instance tables
  incidentincident:servicenow-unauth-rest-api-2026last covered 2026-06-11
  2026-06-11
• EDPB adopts harmonised GDPR Art. 33 breach-notification template; consultation to 5 Aug 2026
  policypolicy:edpb-gdpr-art33-breach-notification-template-2026last covered 2026-06-11
  2026-06-11
• JDY botnet (Volt Typhoon-linked) expands to 1,500+ SOHO/IoT devices; sub-24h post-disclosure scanning
  campaigncampaign:jdy-botnet-volt-typhoon-2026last covered 2026-06-11
  2026-06-11
• CrowdStrike 2026 Technology Threat Landscape Report
  annual-reportannual-report:crowdstrike-tech-threat-landscape-2026last covered 2026-06-11SINGLE-SOURCE
  2026-06-11
• Tchap French government Matrix messenger breached via account takeover; 73,467 civil servants' metadata exposed, CNIL notified
  incidentincident:tchap-french-government-messenger-breachlast covered 2026-06-10
  2026-06-10
• Ghost-Sender: Exchange Online inbound spoofing bypassing SPF/DKIM/DMARC on third-party-MX tenants (no patch)
  campaigncampaign:ghost-sender-exchange-online-spoofinglast covered 2026-06-10
  2026-06-10
• NCSC-CH Week 23: coordinated job-seeker targeting (fake interviews, reshipping ID theft, LinkedIn-to-GitHub infostealer)
  campaigncampaign:ncsc-ch-jobseeker-targeting-2026last covered 2026-06-10
  2026-06-10
• Meta Instagram AI support tool (High Touch Support) logic flaw: 20,225 account takeovers; Maine AG notified
  incidentincident:meta-instagram-ai-support-account-takeoverlast covered 2026-06-10
  2026-06-10
• GIFTEDCROOK via UAC-0226 and Earth Dahu still exploiting WinRAR CVE-2025-8088 against Ukraine (Trend Micro)
  campaigncampaign:uac0226-giftedcrook-winrar-cve-2025-8088last covered 2026-06-10
  2026-06-10
• Unit 42 cloud-logging defense-evasion taxonomy across AWS CloudTrail and Google Cloud Logging
  vulnerability-trendcampaign:cloud-logging-defense-evasion-unit42last covered 2026-06-10
  2026-06-10
• Red Canary: Microsoft Entra Agent ID OBO OAuth abuse turns compromised AI agent into delegated phishing sender
  vulnerability-trendcampaign:entra-agent-id-obo-abuse-redcanarylast covered 2026-06-10
  2026-06-10
• Check Point: TDS-gated ecosystem impersonating Ghidra/dnSpy/ILSpy delivers SessionGate, RemusStealer, AnimateClipper
  campaigncampaign:tds-security-tool-impersonation-checkpointlast covered 2026-06-10
  2026-06-10
• EU Cyber Resilience Act — first hard deadline (notifying-authority designation, 11 June 2026)
  campaigncampaign:eu-cyber-resilience-actlast covered 2026-06-10
  2026-06-10
• Dragos Q1 2026 Industrial Ransomware Analysis — 1,020 incidents; The Gentleman 4x vs Romanian energy; IT-adjacent pattern
  annual-reportannual-report:dragos-industrial-ransomware-q1-2026last covered 2026-06-10
  2026-06-10
• Oxford University CareerConnect (Group GTI) SaaS breach
  incidentincident:oxford-careerconnect-breachlast covered 2026-06-09
  2026-06-09
• Meta contempt complaint vs NSO Group over new WhatsApp spyware phishing
  incidentincident:meta-nso-whatsapp-contemptlast covered 2026-06-09
  2026-06-09
• Microsoft Teams external-chat phishing (APT29/Cloaked Ursa, UNC6692)
  campaigncampaign:teams-external-chat-phishinglast covered 2026-06-09
  2026-06-09
• AI-brand impersonation malware delivery (Storm-3075, Fox Tempest)
  campaigncampaign:ai-brand-impersonation-storm3075-foxtempestlast covered 2026-06-09
  2026-06-09
• TeamPCP Mini Shai-Hulud framework open-sourced; Phantom Gyp derivative
  campaigncampaign:teampcp-mini-shai-huludlast covered 2026-06-09
  2026-06-09
• EU Cybersecurity Package 2026 — NIS2 amendment COM(2026) 13 + Cybersecurity Act 2; PQC Article 7(2)(k) explicit obligation; CRA Single Reporting Platform 11 September 2026
  campaignpolicy:eu-cybersecurity-package-2026last covered 2026-06-08×2 appearances
  2026-W232026-W19
• EU 20th Russia sanctions package — managed-security-services prohibition (eff. 25 May 2026); Switzerland adopted most measures 22 May
  policypolicy:eu-20th-russia-sanctions-mss-prohibition-2026last covered 2026-06-08×2 appearances
  2026-W232026-W21
• Germany's federal cabinet approves Cybersicherheitsstärkungsgesetz — BKA, BSI and Federal Police gain authority to redirect attacker traffic and disable infrastructure
  incidentitem:germany-cybersicherheitsstaerkungsgesetz-bka-bsi-bundespolizei-active-defencelast covered 2026-06-08×2 appearances
  2026-W232026-05-28
• FBI FLASH CSA 260526 — Silent Ransom Group / Luna Moth / UNC3753 sends operatives physically into US law-firm offices to insert USB exfiltration devices when remote social engineering fails
  campaignitem:fbi-flash-csa-260526-silent-ransom-group-physical-usb-attacks-us-law-firmslast covered 2026-06-08×3 appearances
  2026-W232026-06-062026-05-28
• Ghost Stadium PhaaS — 300+ FIFA domain clones targeting EU fans
  campaignitem:ghost-stadium-phaas-300-fifa-domain-clones-eu-fan-credentialslast covered 2026-06-08×2 appearances
  2026-W232026-05-30
• Miasma worm backdoors 32 @redhat-cloud-services npm packages (TeamPCP / Mini Shai-Hulud variant)
  campaigncampaign:miasma-redhat-npm-supply-chainlast covered 2026-06-08×3 appearances
  2026-W232026-06-062026-06-02
• Gamaredon GammaPhish/GammaWorm — NTFS-ADS USB+network worm (Sekoia)
  campaigncampaign:gamaredon-gammaphish-gammawormlast covered 2026-06-08×3 appearances
  2026-W232026-06-032026-06-02
• Sophos 2026 Active Adversary Report — identity-dominant root causes; Impacket/AnyDesk
  annual-reportannual-report:sophos-active-adversary-2026last covered 2026-06-08×2 appearances
  2026-W232026-06-03
• NCSC-CH: Booking.com breach feeds WhatsApp hotel-booking phishing (TWINT/bank spoof + booking-channel ATO)
  incidentincident:ncsc-ch-booking-hotel-phishing-2026last covered 2026-06-08×2 appearances
  2026-W232026-06-04
• Shared booking-SaaS breach exposes guests at 100+ Dutch/Belgian/Irish hotels; phishing wave
  incidentincident:dutch-hotels-booking-saas-breach-2026last covered 2026-06-08×2 appearances
  2026-W232026-06-04
• TA4922 — China-nexus financially-motivated cluster; Atlas RAT/RomulusLoader/SilentRunLoader, expands to DE/UK/IT
  actoractor:TA4922last covered 2026-06-08×2 appearances
  2026-W232026-06-05
• DentaQuest — ShinyHunters extortion victim; 234 GB leaked, 2.6M dental-benefit records
  incidentincident:dentaquest-shinyhunters-2026last covered 2026-06-08×2 appearances
  2026-W232026-06-05
• Five Eyes joint bulletin 'Safeguarding Our Secrets' — China military intel recruiting via LinkedIn/job platforms
  incidentitem:five-eyes-safeguarding-our-secrets-china-job-platform-recruitmentlast covered 2026-06-08×2 appearances
  2026-W232026-06-06
• IronWorm — Rust npm supply-chain worm with eBPF kernel rootkit, Tor C2, cloud/AI-key sweep
  campaigncampaign:ironwormlast covered 2026-06-08×2 appearances
  2026-W232026-06-06
• ENISA NIS360 2026 — public-sector receives 63% of EU hacktivist attacks; seven sectors in risk zone
  annual-reportannual-report:enisa-nis360-2026last covered 2026-06-08
  2026-W23
• FIFA World Cup 2026 pre-event threat cluster — GHOST STADIUM phishing-domain layer, Massiv/Perseus Android banking trojans via Zombinder in pirated streaming apps, 13,000+ malicious domains
  campaigncampaign:fifa-world-cup-2026last covered 2026-06-08
  2026-06-08
• ICO secures £118,852 Proceeds of Crime Act confiscation from two former RAC employees who sold ~30,000 customer records (insider data theft)
  incidentincident:ico-rac-poca-2026last covered 2026-06-08
  2026-06-08
• C0XMO — cross-platform Gafgyt DDoS botnet variant propagating via DD-WRT UPnP flaw (FortiGuard)
  campaigncampaign:c0xmo-gafgytlast covered 2026-06-08
  2026-06-08
• Hijacked polyfill[.]io domain reactivates with HTTP 401 credential prompts
  incidentitem:polyfill-io-domain-reactivates-http-401-credential-promptslast covered 2026-06-07
  2026-06-07
• Magecart skimmer hosted in Stripe customer metadata, exfiltrates via api.stripe.com
  campaignitem:magecart-stripe-api-skimmer-customer-metadatalast covered 2026-06-07
  2026-06-07
• Autonomous AI agent finds 21 FFmpeg zero-days for ~$1,000 (CVE-2026-39210–39218)
  vulnerability-trenditem:depthfirst-ai-agent-21-ffmpeg-zero-dayslast covered 2026-06-07
  2026-06-07
• SANS ISC: WeTransfer JS → steganographic JPEG loader on Cloudflare Workers/R2
  campaignitem:sans-isc-steganographic-jpeg-loader-cloudflare-workers-r2last covered 2026-06-07
  2026-06-07
• OP-512 — China-linked cluster, cryptographically-unique self-reporting IIS web-shell framework
  actoractor:OP-512last covered 2026-06-06
  2026-06-06
• ShinyHunters — financially motivated data-theft group
  actoractor:ShinyHunterslast covered 2026-06-05×7 appearances
  2026-W222026-W192026-06-052026-05-272026-05-25
• Operation FlutterBridge (CL-CRI-1089) — notarized macOS FlutterShell backdoor via Google Ads malvertising
  campaigncampaign:flutterbridge-cl-cri-1089last covered 2026-06-05
  2026-06-05
• UK National Federation of Subpostmasters ransomware via cPanel flaw
  incidentincident:nfsp-cpanel-ransomware-2026last covered 2026-06-05
  2026-06-05
• claude-code-action [bot]-actor bypass + prompt injection → repo hijack / action poisoning (fixed v1.0.94)
  vulnerability-trenditem:claude-code-action-github-issue-supply-chainlast covered 2026-06-05
  2026-06-05
• U-Toronto/Vector Institute adaptive AI worm PoC — open-weight LLM on compromised hosts synthesises per-target exploits
  vulnerability-trenditem:ai-adaptive-worm-utoronto-2026last covered 2026-06-05
  2026-06-05
• UN WFP Palestine Self-Registration breach — ~600k Gaza households' IDs/locations exposed
  incidentincident:wfp-gaza-sra-breach-2026last covered 2026-06-04
  2026-06-04
• OFAC sanctions Nobitex + 3 Iranian exchanges as IRGC-affiliated ransomware proceeds conduit
  incidentincident:ofac-nobitex-iran-sanctions-2026last covered 2026-06-04
  2026-06-04
• DesckVB RAT malspam laundering via Google DoubleClick; AMSI/ETW patching; DACH lures
  campaigncampaign:desckvb-rat-doubleclick-2026last covered 2026-06-04
  2026-06-04
• Unpatched Windows search: URI handler NTLMv2 leak; Microsoft declined to patch
  vulnerability-trenditem:windows-search-uri-ntlm-leak-2026last covered 2026-06-04
  2026-06-04
• M365 Android debug flag (setIsDebugMode) enables silent OAuth-token theft across 6 apps
  vulnerability-trenditem:m365-android-debug-flag-oauth-theft-2026last covered 2026-06-04
  2026-06-04
• One-click github.dev webview OAuth-token theft (postMessage origin flaw), unpatched + PoC
  vulnerability-trenditem:github-dev-oauth-token-theft-2026last covered 2026-06-04
  2026-06-04
• Symantec: 5-month mailbox espionage vs global stock exchange; Aspose OST stealer, Dropbox/OneDrive exfil
  campaigncampaign:stock-exchange-mailbox-espionage-2026last covered 2026-06-04
  2026-06-04
• Dashlane TOTP brute-force — encrypted vaults of <20 personal-plan users downloaded
  incidentincident:dashlane-totp-brute-force-2026last covered 2026-06-03
  2026-06-03
• Attacker-built AI-orchestrated EDR-evasion testing lab (Sophos X-Ops)
  tooltool:sophos-ai-edr-evasion-lablast covered 2026-06-03
  2026-06-03
• SVG phishing wave using application/ecmascript MIME to evade WAF/email pattern-matching (SANS ISC)
  campaigncampaign:svg-ecmascript-phishing-2026last covered 2026-06-03
  2026-06-03
• Operation XENOFISCAL — SideCopy/APT36 XenoRAT via mshta/HTA vs Afghan provincial treasuries
  campaigncampaign:operation-xenofiscal-sidecopylast covered 2026-06-03
  2026-06-03
• ShinyHunters lists Charter Communications (Spectrum), claims 42M records; Charter denies sensitive PI/CPNI exfil
  incidentitem:shinyhunters-charter-spectrum-listing-42m-claimlast covered 2026-06-02×2 appearances
  2026-06-022026-05-25
• Spain arrests doxer publishing data on INCIBE/AG/Civil Guard staff (Police-ESP-Doxed)
  incidentitem:spain-national-police-arrest-doxer-incibe-ag-civil-guardlast covered 2026-06-02
  2026-06-02
• Meta AI support chatbot social-engineered into resetting Instagram passwords (pro-Iranian)
  incidentitem:meta-ai-support-bot-instagram-account-takeoverlast covered 2026-06-02
  2026-06-02
• WordPress malware abuses Steam profile comments as Unicode-steganography C2 (GoDaddy)
  campaigncampaign:wordpress-steam-profile-c2-unicode-steganographylast covered 2026-06-02
  2026-06-02
• Operation Dragon Weave — China-nexus espionage (Czech/Taiwan) with Azure Blob dead-drop C2
  campaigncampaign:operation-dragon-weavelast covered 2026-06-02
  2026-06-02
• PostHog AWS exploit — researcher-confirmed; EU/US cloud credential rotation and outage
  incidentitem:posthog-aws-exploit-eu-us-cloud-credential-rotationlast covered 2026-06-01
  2026-06-01
• npm dependency-confusion campaigns targeting internal corporate namespaces (Microsoft 33 pkgs / Sonatype 176 pkgs)
  campaignitem:npm-dependency-confusion-internal-namespace-campaigns-ms-sonatypelast covered 2026-06-01
  2026-06-01
• SmartApeSG ClickFix stages unnamed RAT pivoting to weaponised NetSupport Manager
  campaignitem:smartapesg-clickfix-staging-rat-to-netsupport-managerlast covered 2026-06-01
  2026-06-01
• Italy's low-cost commercial spyware economy — Morpheus (IPS Intelligence) and Spyrtacus (SIO) Android Accessibility-API abuse
  campaignitem:italy-low-cost-commercial-spyware-morpheus-spyrtacuslast covered 2026-06-01
  2026-06-01
• TeamPCP — threat actor targeting software supply chains
  actoractor:TeamPCPlast covered 2026-05-31×4 appearances
  2026-W222026-W192026-05-122026-05-06
• MuddyWater (Iran/MOIS) Chaos ransomware false-flag + Teams credential harvesting — Europe/Middle East
  campaigncampaign:muddywater-chaos-2026last covered 2026-05-31×3 appearances
  2026-W222026-W192026-05-08
• The Gentlemen — RaaS surged Q1 2026 (192 attacks, 588% QoQ); 32% of victims European; FortiGate CVE-2024-55591 initial-access funnel
  actoractor:TheGentlemenlast covered 2026-05-31×3 appearances
  2026-W222026-W192026-05-14
• Nightmare Eclipse Windows zero-day drops: YellowKey (BitLocker) and GreenPlasma (CTFMON LPE), public PoC
  incidentnightmare-eclipse-windows-zerodaydrops-2026-05last covered 2026-05-31×2 appearances
  2026-W222026-05-15
• UNC6671 / BlackFile — vishing-driven AiTM extortion with programmatic SharePoint exfiltration (GTIG 2026-05-15)
  actoractor:UNC6671last covered 2026-05-31×2 appearances
  2026-W222026-05-16
• Screening Serpens (UNC1549 / Smoke Sandstorm / Nimbus Manticore) — Iranian APT operationalising AppDomainManager hijacking; six new RAT variants MiniUpdate/MiniJunk V2 deployed Feb–Apr 2026
  actoractor:screening-serpens-unc1549-smoke-sandstorm-nimbus-manticore-iran-aptlast covered 2026-05-31×4 appearances
  2026-W222026-W212026-05-272026-05-23
• GlassWorm developer-targeting botnet — all four C2 channels (Solana / BitTorrent DHT / Google Calendar / VPS) severed simultaneously by CrowdStrike / Google / Shadowserver
  campaignitem:glassworm-developer-botnet-takedown-crowdstrike-google-shadowserver-russia-attributedlast covered 2026-05-31×2 appearances
  2026-W222026-05-28
• Carnival Corporation confirms 5.99M-record ShinyHunters breach — Princess/Holland/Cunard/Costa
  incidentitem:carnival-corporation-5-99m-shinyhunters-breach-2026last covered 2026-05-31×2 appearances
  2026-W222026-05-29
• Grandoreiro 2026 Iberian campaign — Delphi DLL side-loading, WebSocket/STUN C2; parallel ESET BTMOB Android RAT MaaS
  campaignitem:grandoreiro-2026-iberian-watchguard-eu-banks-btmob-maaslast covered 2026-05-31×2 appearances
  2026-W222026-05-29
• GREYVIBE — Russia-nexus AI-assisted threat cluster (Ukraine)
  actoritem:greyvibe-russia-nexus-ai-assisted-five-parallel-ukraine-attacklast covered 2026-05-31×2 appearances
  2026-W222026-05-30
• Kimsuky HTTPSpy + HelloDoor with VS Code/Cloudflare tunnel C2
  campaignitem:kimsuky-httpspy-hellodoor-vs-code-remote-tunnel-cloudflarelast covered 2026-05-31×2 appearances
  2026-W222026-05-30
• Mautic 7.1.2/6.0.9 — seven authenticated flaws (Focus SSRF CVE-2026-9557, API SQLi CVE-2026-4776)
  vulnerability-trenditem:mautic-7-1-2-6-0-9-seven-authenticated-flaws-ssrf-sqlilast covered 2026-05-31
  2026-05-31
• 'Signal Support' impersonation phishing harvesting cloud-backup recovery keys
  campaignitem:signal-support-impersonation-backup-recovery-key-phishinglast covered 2026-05-31
  2026-05-31
• California AG sues former 23andMe (Chrome Holding Co.) over 2023 genetic-data breach
  incidentitem:california-ag-sues-23andme-chrome-holding-2023-genetic-breachlast covered 2026-05-31
  2026-05-31
• Cisco Talos — DICOM-format heap OOB-write attack surface against Orthanc PACS (pydicom/GDCM)
  vulnerability-trenditem:talos-dicom-pacs-orthanc-heap-attack-surfacelast covered 2026-05-31
  2026-05-31
• CNIL fines IQVIA €5M for health data warehouse security failures
  incidentitem:cnil-fines-iqvia-5m-health-data-warehouse-security-failureslast covered 2026-05-30
  2026-05-30
• LLMShare malvertising via ChatGPT share links (Beagle infostealer)
  campaignitem:llmshare-malvertising-chatgpt-share-links-infostealer-googlelast covered 2026-05-30
  2026-05-30
• ESET APT Activity Report Q4 2025–Q1 2026
  annual-reportitem:eset-apt-activity-report-q4-2025-q1-2026-sandworm-lazaruslast covered 2026-05-30
  2026-05-30
• Sysdig first observed LLM-agent-driven intrusion via CVE-2026-39987
  incidentitem:sysdig-trt-llm-agent-driven-intrusion-marimo-cve-2026-39987last covered 2026-05-30
  2026-05-30
• ChatGPhish — ChatGPT Markdown renderer trusts third-party image URLs
  campaignitem:chatgphish-chatgpt-markdown-rendering-flaw-permiso-securitylast covered 2026-05-30
  2026-05-30
• Red Canary Entra Agent ID priv-esc via AgentIdentityBlueprint.AddRemoveCreds.All
  vulnerability-trenditem:red-canary-entra-agent-id-priv-esc-addremovecreds-all-rolelast covered 2026-05-30
  2026-05-30
• Nightmare Eclipse: Microsoft DCU threat, GreenPlasma/MiniPlasma unpatched, July 14 deadline
  campaignitem:nightmare-eclipse-microsoft-dcu-threat-greenplasma-miniplasmaaaclast covered 2026-05-30
  2026-05-30
• TheGentlemen RaaS lists Czech University of Finance and Administration (VSFS) and Swiss DEVO-Tech AG on leak site
  campaignitem:thegentlemen-raas-czech-university-finance-administration-delast covered 2026-05-29×3 appearances
  2026-W212026-05-292026-05-20
• Apereo CAS 7.3.7.1 patches an OIDC-provider flaw reported by Coop Switzerland; CERT-FR issues advisory
  vulnerability-trenditem:apereo-cas-7-3-7-1-oidc-provider-coop-switzerland-reporterlast covered 2026-05-29
  2026-05-29
• Dutch Police + NCSC dismantle Asocks residential-proxy botnet — 17M devices, 200 NL-hosted servers seized
  campaignitem:dutch-police-ncsc-asocks-residential-proxy-takedownlast covered 2026-05-29
  2026-05-29
• UK Visa Portal lookalike (ukvisaportal.com) — 100K passport scans/selfies exposed via misconfigured S3 bucket
  incidentitem:uk-visa-portal-s3-100k-passport-selfies-exposurelast covered 2026-05-29
  2026-05-29
• JINX-0164 — financially motivated cluster targeting crypto orgs via LinkedIn recruiter lures, AUDIOFIX macOS infostealer, MINIRAT npm pivot into CI/CD
  campaignitem:jinx-0164-crypto-firms-linkedin-audiofix-miniratlast covered 2026-05-29
  2026-05-29
• ILIAS LMS — nine fixes shipped 2026-05-27; critical access-control gaps (CVSS 9.8 + 9.3); NCSC.ch flags SOAP interface as primary unauthenticated attack surface
  vulnerability-trenditem:ilias-lms-nine-fixes-2026-05-27-tileimageupload-unauth-write-soap-access-bypass-multiple-sqlilast covered 2026-05-28
  2026-05-28
• Dutch National Police arrest 35-year-old from Buren over AFC Ajax breach — 300k+ fan accounts and 42k+ season tickets exposed via misconfigured API access-control and shared keys
  incidentitem:afc-ajax-amsterdam-arrest-2026-05-26-300k-fan-records-shared-keys-misconfigured-apilast covered 2026-05-28
  2026-05-28
• Iran MOIS attributed to LACMTA destructive breach via 'Ababil of Minab' hacktivist front — 700 GB exfiltrated, VMs and backups deliberately destroyed
  actoritem:ababil-of-minab-mois-attribution-lacmta-march-2026-700gb-backups-destroyedlast covered 2026-05-28
  2026-05-28
• MuddyWater / Seedworm Q1 2026 — Symantec documents DLL side-loading via signed Fortemedia / SentinelOne binaries; ChromElevator ABE bypass; Node.js orchestration
  campaignitem:muddywater-seedworm-fortemedia-sentinelone-dll-sideload-chromelevator-nodejslast covered 2026-05-28
  2026-05-28
• Microsoft Defender Experts — AI-chatbot search-poisoning extends SEO lure; GPU-utility lookalikes drop ScreenConnect, then process-hollowed miners (gminer/lolMiner/SRBMiner-MULTI) under signed Microsoft binary
  campaignitem:microsoft-ai-chatbot-search-poisoning-cryptojacking-screenconnect-process-hollowinglast covered 2026-05-28
  2026-05-28
• SANS ISC — Akira ransomware kill chain reconstructed entirely from SSLVPN syslog and Windows EVTX, no EDR
  campaignitem:sans-isc-akira-kill-chain-sslvpn-syslog-evtx-no-edrlast covered 2026-05-28SINGLE-SOURCE
  2026-05-28
• Tycoon2FA PhaaS post-March-2026-takedown — OAuth Device Authorization Grant abuse on Microsoft 365
  campaignitem:tycoon2fa-oauth-device-authorization-grant-microsoft-365-post-takedownlast covered 2026-05-27×2 appearances
  2026-05-272026-05-18
• Lithuania Centre of Registers breach — ~600,000 property/legal-entity records exfiltrated via abused institutional API credentials; foreign-state actor suspected; agency head resigned
  incidentincident:lithuania-centre-of-registers-2026last covered 2026-05-27
  2026-05-27
• TrapDoor cross-ecosystem supply-chain campaign (npm/PyPI/Crates.io); AI-assistant config poisoning
  campaigncampaign:trapdoorlast covered 2026-05-26
  2026-05-26
• ACR Stealer distributed via counterfeit Claude AI download pages + malicious search ads
  campaigncampaign:acr-stealer-fake-claudelast covered 2026-05-26
  2026-05-26
• GTIG: Chinese-language PhaaS ecosystem — real-time OTP relay over RCS/iMessage defeats TOTP/SMS MFA
  campaigncampaign:chinese-language-phaas-otp-relaylast covered 2026-05-26
  2026-05-26
• Lazarus RemotePE — three-stage memory-only RAT (DPAPILoader/RemotePELoader/RemotePE); HellsGate+ETW patch
  tooltool:remotepelast covered 2026-05-26
  2026-05-26
• Underminr - multi-tenant-CDN domain-fronting variant defeating DNS-layer filtering (ADAMnetworks)
  vulnerability-trenditem:underminr-multitenant-cdn-domain-fronting-variantlast covered 2026-05-25
  2026-05-25
• THORChain GG20 Threshold Signature Scheme vault drain — ~$11M across nine chains (Switzerland-based)
  incidentitem:thorchain-gg20-tss-vault-drain-11m-nine-chains-switzerlandlast covered 2026-05-24×2 appearances
  2026-W212026-05-18
• ARWINI (Lower Saxony statutory-prescription audit body) — data exfiltration confirmed by LKA
  incidentitem:arwini-lower-saxony-statutory-prescription-audit-body-data-last covered 2026-05-24×2 appearances
  2026-W212026-05-19
• BigBlueButton bbb-web — three CVEs (sessionToken, checksum bypass, SSRF) on EU edu/gov virtual-classroom platform
  vulnerability-trenditem:bigbluebutton-bbb-web-three-cves-46351-46353-46404-eu-edulast covered 2026-05-24×2 appearances
  2026-W212026-05-19
• CISA / Nightwing contractor — AWS GovCloud admin keys + plaintext creds + Artifactory exposed in public GitHub for ~6 months
  incidentitem:cisa-nightwing-contractor-aws-govcloud-keys-exposed-github-last covered 2026-05-24×2 appearances
  2026-W212026-05-19
• 7-Eleven confirms ShinyHunters breach of 600K+ Salesforce franchise-application records (campaign same as Instructure / Vimeo / Wynn / Vercel / Medtronic)
  incidentitem:7-eleven-confirms-shinyhunters-salesforce-breach-600k-recorlast covered 2026-05-24×2 appearances
  2026-W212026-05-19
• INTERPOL Operation Ramz — first MENA-region cybercrime sweep: 201 arrests, 53 servers, first Algerian PhaaS takedown (Oct 2025–Feb 2026)
  campaignitem:interpol-operation-ramz-mena-cybercrime-13-country-201-arrelast covered 2026-05-24×2 appearances
  2026-W212026-05-19
• UPDATE: TeamPCP / Shai-Hulud — first copycat wave (OX Security npm packages w/ Phantom Bot + SSH/cloud stealers); Checkmarx Jenkins plugin trojanised (third in three months); SentinelLabs PCPJack rival worm
  campaignitem:teampcp-shai-hulud-copycat-wave-ox-security-checkmarx-pcpjalast covered 2026-05-24×2 appearances
  2026-W212026-05-19
• UPDATE: Grafana Labs CoinbaseCartel — victim confirms source-code-only theft via Pwn-Request, no customer data, ransom rejected on FBI guidance
  incidentitem:grafana-labs-coinbasecartel-pwn-request-github-actions-breaclast covered 2026-05-24×2 appearances
  2026-W212026-05-19
• Drupal core highly critical pre-patch warning — PSA-2026-05-18, patch window today 17:00-21:00 UTC; pre-auth, unauthenticated, full-site compromise; no CVE yet
  incidentitem:drupal-core-highly-critical-pre-patch-warning-psa-2026-05-18last covered 2026-05-24×3 appearances
  2026-W212026-05-212026-05-20
• Microsoft DCU disrupts Fox Tempest MSaaS — 1,000+ Artifact Signing certs revoked; SDNY court order; downstream Rhysida, INC, Qilin, Akira + Vanilla Tempest, Storm-0501 / 2561 / 0249
  incidentitem:microsoft-dcu-disrupts-fox-tempest-malware-signing-as-a-servilast covered 2026-05-24×2 appearances
  2026-W212026-05-20
• Fox Tempest — financially motivated MSaaS operator; signspace[.]cloud seized 2026-05-19
  actoractor:fox-tempestlast covered 2026-05-24×2 appearances
  2026-W212026-05-20
• Sparx Enterprise Architect / Pro Cloud Server — five-CVE chain (CVE-2026-42096 to 42100); pre-auth SQL injection + WebEA race-condition RCE; CVSSv4 10.0 chained; PoC public; no vendor patch
  vulnerability-trenditem:sparx-enterprise-architect-pro-cloud-server-five-cve-chain-clast covered 2026-05-24×2 appearances
  2026-W212026-05-20
• actions-cool/issues-helper GitHub Action compromised — 53 tags moved to imposter commit 1c9e803 reading Runner.Worker /proc/PID/mem for secrets; Mini Shai-Hulud cluster link
  incidentitem:actions-cool-issues-helper-github-action-compromised-53-taglast covered 2026-05-24×2 appearances
  2026-W212026-05-20
• Nx Console VS Code extension 18.95.0 compromised — stolen publisher credentials; 11-minute window 2026-05-18 12:36-12:47 UTC; multi-channel stealer + macOS Python backdoor
  incidentitem:nx-console-vs-code-extension-18-95-0-compromised-stolen-publlast covered 2026-05-24×2 appearances
  2026-W212026-05-20
• Huawei VRP enterprise-router zero-day caused POST Luxembourg nationwide telecom outage (23 July 2025); no CVE assigned 10 months later
  incidentitem:huawei-vrp-enterprise-router-zero-day-post-luxembourg-2025-olast covered 2026-05-24×2 appearances
  2026-W212026-05-20
• Webworm (China-aligned; FishMonger / Aquatic Panda / SixLittleMonkeys / Space Pirates) — ESET documents 2025 EU pivot with EchoCreep (Discord C2) and GraphWorm (MS Graph / OneDrive C2) backdoors against Belgian / Italian / Serbian / Polish government targets
  actoritem:webworm-fishmonger-aquatic-panda-eset-echocreep-graphworm-eu-last covered 2026-05-24×2 appearances
  2026-W212026-05-21
• Verizon 2026 DBIR — vulnerability exploitation overtakes credentials as primary breach vector first time in 19 years (31% vs 13%); only 26% KEV remediation (down from 38%); median patch time 43d (from 32d); supply-chain breaches +60% YoY now 48% of all breaches
  annual-reportannual-report:verizon-2026-dbir-exploitation-overtakes-credentialslast covered 2026-05-24×2 appearances
  2026-W212026-05-21
• Operation Saffron: First VPN criminal anonymisation service dismantled; Switzerland JIT participant; Phobos RaaS link confirmed
  incidentitem:operation-saffron-first-vpn-takedown-33-servers-27-countrilast covered 2026-05-24×2 appearances
  2026-W212026-05-22
• Calypso/Red Lamassu (Bronze Medley): Showboat (Linux) + JFMBackdoor (Windows) telco espionage campaign
  campaignitem:calypso-red-lamassu-showboat-jfmbackdoor-linux-windows-telcolast covered 2026-05-24×2 appearances
  2026-W212026-05-22
• Netherlands FIOD arrests two over EU sanctions evasion for Stark Industries / WorkTitans bulletproof hosting; 800 servers seized; NoName057(16) DDoS infrastructure dismantled
  incidentitem:nl-fiod-stark-industries-worktitans-mirhosting-800-servers-eu-sanctions-arrestlast covered 2026-05-24×2 appearances
  2026-W212026-05-23
• Kimwolf / 'Dort' DDoS-for-hire operator (Jacob Butler, 23, Ottawa) arrested; AISURU variant; 30+ Tbps peak; >25,000 attack commands; DoD-range targeting
  incidentitem:kimwolf-dort-jacob-butler-ddos-botnet-arrest-ottawa-aisuru-variantlast covered 2026-05-24×2 appearances
  2026-W212026-05-23
• Megalodon mass-poisoned 5,561 GitHub repos in 6-hour window; SysDiag + Optimize-Build workflows exfiltrate cloud credentials, SSH keys, OIDC tokens
  campaignitem:megalodon-mass-github-cicd-backdoor-5561-repos-sysdiag-optimize-buildlast covered 2026-05-24×2 appearances
  2026-W212026-05-23
• Rhysida claims Landeshauptstadt Stuttgart (Baden-Württemberg state capital) municipal-data theft for 5 BTC; city denies confirmed incident
  incidentitem:rhysida-claims-stuttgart-municipal-data-5btc-city-denies-confirmed-incidentlast covered 2026-05-24×2 appearances
  2026-W212026-05-23
• ANSSI / CERT-FR CERTFR-2026-AVI-0635 on SPIP < 4.4.15 security-policy bypass; dominant French public-administration CMS, EU/CH Francophone government deployment
  vulnerability-trenditem:anssi-certfr-2026-avi-0635-spip-4-4-15-security-policy-bypass-fr-public-adminlast covered 2026-05-24×2 appearances
  2026-W212026-05-23
• ROADtools weaponised by Midnight Blizzard (APT29), Curious Serpens (APT33) and UTA0355 for Entra ID device registration, token theft and tenant enumeration
  campaigncampaign:roadtools-weaponised-by-midnight-blizzard-curious-serpens-uta0355-entra-idlast covered 2026-05-24×2 appearances
  2026-W212026-05-23
• Rapid7 Q1 2026 Threat Landscape Report — vulnerability exploitation overtakes social engineering as top initial-access vector (38% vs 24%); KEV median time 8.5→5.0 days
  annual-reportannual-report:rapid7-q1-2026-threat-landscape-report-vulnerability-exploitation-top-iavlast covered 2026-05-24×2 appearances
  2026-W212026-05-23
• Check Point Research March-April 2026 AI Threat Landscape Digest — single operator runs two AI platforms in parallel to breach nine Mexican government agencies; EvilTokens jailbreak-as-a-service
  annual-reportannual-report:checkpoint-research-ai-threat-landscape-march-april-2026-mexico-nine-agencies-eviltokenslast covered 2026-05-24×2 appearances
  2026-W212026-05-23
• Breach at billing processor Unimed exfiltrates ~97,600+ patient records from six German university hospitals (attribution open)
  incidentincident:unimed-german-hospitals-2026last covered 2026-05-24×2 appearances
  2026-W212026-05-24
• Deleted Google Cloud API keys keep authenticating up to 23 minutes (GCP IAM eventual consistency)
  vulnerability-trenditem:google-cloud-api-key-deletion-delay-2026last covered 2026-05-24
  2026-05-24
• Atos TRC: hardware-gated Windows drivers made BYOVD-exploitable in software (PnP AddDevice / filter restacking / registry)
  vulnerability-trenditem:atos-byovd-hardware-gate-bypass-2026last covered 2026-05-24
  2026-05-24
• npm 2FA-gated staged publishing GA + install-source restriction flags (supply-chain hardening)
  tooltool:npm-staged-publishing-2falast covered 2026-05-24×2 appearances
  2026-W212026-05-24
• Packagist supply-chain wave: Laravel-Lang autoloader backdoor + 8-package cross-ecosystem postinstall strand
  campaigncampaign:packagist-laravel-lang-supply-chain-2026last covered 2026-05-24×2 appearances
  2026-W212026-05-24
• FrostyNeighbor/Ghostwriter/UNC1151 March-May 2026 campaign: Poland, Lithuania, Ukraine
  campaignfrostyneighbor-2026-05-campaignlast covered 2026-05-23×2 appearances
  2026-05-232026-05-15
• FBI PSA260521 warns on Kali365 — Telegram-distributed PhaaS exploiting OAuth device-code flow for persistent M365 token capture bypassing MFA
  campaignitem:fbi-psa260521-kali365-phaas-oauth-device-code-m365-mfa-bypasslast covered 2026-05-23
  2026-05-23
• ICO POCA confiscation £355,880: Markerstudy Insurance insider accessed 32K+ records off-hours and sold data
  incidentitem:ico-poca-confiscation-rizwan-manjra-markerstudy-off-hours-bulast covered 2026-05-22
  2026-05-22
• B1ack-s Stash carding marketplace publicly releases 4.6M stolen payment card records — third free-release wave (after 1M Apr 2024 and 4M Feb 2025); SOCRadar attributes collection to e-skimming and phishing
  campaignitem:b1ack-stash-46m-card-dump-may-2026-third-free-release-wavelast covered 2026-05-21
  2026-05-21
• PinTheft — Linux kernel RDS zerocopy double-free + io_uring fixed-buffer page-cache overwrite LPE; PoC public; no CVE assigned; Arch Linux default-loaded (not Ubuntu/Debian/Fedora/RHEL/SUSE)
  vulnerability-trenditem:pintheft-linux-kernel-rds-zerocopy-iouring-lpe-no-cve-arch-dlast covered 2026-05-21
  2026-05-21
• Storm-2949 SSPR-to-Key-Vault Azure kill chain — voice-phishing SSPR → Entra ID → M365 Graph → App Service Kudu → Key Vault → SQL → Storage → Azure VM, no malware
  campaignitem:storm-2949-sspr-to-key-vault-azure-cloud-wide-kill-chainlast covered 2026-05-20
  2026-05-20
• Storm-2949 — financially motivated, no nation-state attribution; SSPR voice-phishing → multi-resource Azure abuse
  actoractor:storm-2949last covered 2026-05-20
  2026-05-20
• Cisco Talos — demo.pdb BadIIS commodity MaaS ISAPI backdoor; lwxat developer alias; builder tool recovered; UAT-8099 / DragonRank link; 1,800+ IIS servers compromised globally
  campaignitem:cisco-talos-badiis-demo-pdb-maas-isapi-backdoor-lwxat-dragonlast covered 2026-05-20
  2026-05-20
• Fast16 — Symantec/Carbon Black confirm contemporaneous-with-Stuxnet nuclear-simulation sabotage; LS-DYNA/AUTODYN hook engine targeting 30 g/cm³ density threshold; Zetter corrects 'pre-Stuxnet' framing
  campaignitem:fast16-symantec-carbon-black-contemporaneous-stuxnet-nuclealast covered 2026-05-19
  2026-05-19
• Instructure (Canvas LMS) data breach — student and educator data
  incidentincident:instructure-canvas-2026last covered 2026-05-18×7 appearances
  2026-W192026-05-132026-05-122026-05-092026-05-08
• ENISA expands CVE Numbering Authority Root — 4 new CNAs, 7 migrated from MITRE; ~90 European CNAs eligible for transfer
  campaignpolicy:enisa-cve-root-2026last covered 2026-05-18×3 appearances
  2026-W192026-05-092026-05-07
• Germany KRITIS-DachG (CER Directive transposition) in force March 2026 — public administration first time in CI scope; registration deadline 17 July 2026
  campaignpolicy:germany-kritis-dachg-2026last covered 2026-05-18
  2026-W19
• West Pharmaceutical Services SEC 8-K Item 1.05 — data exfiltrated, systems encrypted, global operations partially restarted (2026-05-11)
  incidentincident:west-pharma-8k-2026last covered 2026-05-18
  2026-05-12
• Škoda Auto Deutschland online-shop breach exposes customer PII and password hashes; logging gap prevents exfiltration confirmation (2026-05-11)
  incidentincident:skoda-shop-breach-2026last covered 2026-05-18
  2026-05-12
• Foxconn confirms Nitrogen ransomware crippled North-American manufacturing sites — 8 TB/11M files claimed, ESXi decryptor mathematically broken
  incidentincident:foxconn-nitrogen-2026last covered 2026-05-18
  2026-05-13
• BWH Hotels (Best Western / WorldHotels / Sure Hotels) — 181-day dwell in guest-reservation web app, EEA guests in scope
  incidentincident:bwh-hotels-breach-2026last covered 2026-05-18
  2026-05-13
• Clinical Diagnostics LCPL / NMDL (NL) — Dutch IGJ ruling: failed NEN 7510 information-security standard at time of July 2025 Nova ransomware breach; ~941,000 patients incl. cervical-cancer screening
  incidentincident:clinical-diagnostics-nmdl-igj-2026last covered 2026-05-18
  2026-05-14
• UAT-8616 — Sophisticated actor exploiting Cisco SD-WAN infrastructure since 2023
  actorUAT-8616last covered 2026-05-18
  2026-05-15
• Secret Blizzard / Turla / FSB Centre 16 — Kazuar P2P botnet anatomy (Microsoft Threat Intelligence 2026-05-14)
  actoractor:SecretBlizzardlast covered 2026-05-18
  2026-05-16
• Kimsuky (Ruby Sleet / APT43) PebbleDash toolkit evolution — Rust-based HelloDoor variant + TryCloudflare quick-tunnel C2 (Kaspersky GReAT analysis); South Korea primary, Germany spillover
  campaignitem:kimsuky-pebbledash-hellodoor-trycloudflare-tunnel-c2-evolutionlast covered 2026-05-18
  2026-05-17
• FunnelKit Funnel Builder for WooCommerce — unauthenticated checkout-endpoint injection, active Magecart skimmer on 40,000+ stores (no CVE assigned)
  campaignitem:funnelkit-funnel-builder-for-woocommerce-actively-exploited-magecart-skimmerlast covered 2026-05-17
  2026-05-17
• Pwn2Own Berlin 2026 (May 14–16) — 47 zero-days, $1,298,250 awarded; DEVCORE Exchange three-bug SYSTEM RCE chain, STARLabs ESXi escape, every AI agent target fell; Compass Security Swiss participation
  incidentitem:pwn2own-berlin-2026last covered 2026-05-17
  2026-05-17
• node-ipc npm package backdoored via expired-domain account takeover (versions 9.1.6 / 9.2.3 / 12.0.1)
  incidentincident:node-ipc-supply-chain-2026-05last covered 2026-05-16
  2026-05-16
• Dream Market lead admin Owe Martin Andresen arrested in Germany (BKA + US multi-agency)
  incidentincident:dream-market-admin-arrest-2026-05last covered 2026-05-16
  2026-05-16
• AMD-SB-7052 — Zen 2 µop-cache corruption / SoC isolation LPE (May 2026 Windows CU / Xen XSA-490)
  vulnerability-trendadvisory:amd-sb-7052last covered 2026-05-16
  2026-05-16
• Gremlin Stealer evolved — Unit 42 documents .NET XOR resource-section obfuscation, crypto-clipper, WebSocket browser-process session hijack
  toolresearch:gremlin-stealer-evolution-2026last covered 2026-05-16
  2026-05-16
• SentinelOne — Living Off the Pipeline CI/CD subversion taxonomy with three case studies (TeamCity / GitLab service-account / Contagious Interview)
  campaignresearch:sentinelone-living-off-the-pipeline-2026last covered 2026-05-16
  2026-05-16
• OpenAI named as TeamPCP/Mini Shai-Hulud victim; code-signing certificate rotation enforced
  incidentopenai-tanstack-breach-2026-05last covered 2026-05-15
  2026-05-15
• Datadog Shai-Hulud open-source static analysis framework for CI/CD pipeline security
  tooldatadog-shai-hulud-framework-2026-05last covered 2026-05-15
  2026-05-15
• Sophos State of Identity Security 2026: Switzerland highest breach incidence globally
  annual-reportsophos-identity-security-2026last covered 2026-05-15
  2026-05-15
• GemStuffer — RubyGems registry weaponised as one-way exfiltration channel scraping UK local-authority ModernGov portals; new abuse pattern exploiting CI/CD inbound-monitoring blind spot
  toolresearch:gemstuffer-rubygems-2026last covered 2026-05-14
  2026-05-14
• FamousSparrow (UAT-9244) three-wave intrusion of Azerbaijani oil & gas operator Dec 2025 – Feb 2026; ProxyNotShell re-exploit + novel two-stage export-gated DLL sideloading
  campaigncampaign:famoussparrow-azerbaijan-2026last covered 2026-05-14
  2026-05-14
• CERTFR-2026-AVI-0564 — SPIP < 4.4.14 multiple RCEs (public + private area)
  campaignadvisory:certfr-2026-avi-0564last covered 2026-05-13
  2026-05-13
• CERTFR-2026-AVI-0572 — Centreon Infra Monitoring April 2026 bulletin (RCE / SQLi / XSS cluster)
  campaignadvisory:certfr-2026-avi-0572last covered 2026-05-13
  2026-05-13
• Microsoft MDASH — multi-model agentic vulnerability-discovery harness, 16 Windows CVEs found in network-stack kernel components
  toolresearch:microsoft-mdash-2026last covered 2026-05-13
  2026-05-13
• TrickMo "TrickMo C" — Android banking trojan migrated C2 to The Open Network blockchain, adds SOCKS5/SSH device-as-pivot; FR/IT/AT campaigns
  tooltool:TrickMo-C-2026last covered 2026-05-13
  2026-05-13
• NCSC-UK "10 questions to ask when using AI models to find vulnerabilities" — operational checklist
  campaignadvisory:ncsc-uk-ai-vuln-10-questions-2026last covered 2026-05-13
  2026-05-13
• ICO fines South Staffordshire Water £963,900 — Cl0p ZeroLogon 20-month dwell, 5% SOC coverage (UK NIS2/CER precedent)
  incidentincident:south-staffordshire-water-ico-2026last covered 2026-05-12
  2026-05-12
• BKA + ZIT dismantle relaunched Crimenetwork darknet marketplace; German operator arrested in Mallorca on European Arrest Warrant (2026-05-08)
  incidentincident:bka-crimenetwork-takedown-2026last covered 2026-05-12
  2026-05-12
• Google Threat Intelligence Group AI Threat Tracker (May 2026) — first AI-generated zero-day exploit ITW; AI-augmented malware (CANFAIL, LONGSTREAM, PROMPTFLUX, HONESTCUE); state-actor Gemini abuse (UNC2814, APT45, APT27, UNC5673)
  annual-reportannual-report:gtig-ai-threat-tracker-may-2026last covered 2026-05-12
  2026-05-12
• TeamPCP backdoors Checkmarx Jenkins AST plugin version 2026.5.09; SANDCLOCK exfiltrates CI/CD secrets (2026-05-09 to 2026-05-10)
  incidentincident:checkmarx-jenkins-ast-plugin-2026last covered 2026-05-12
  2026-05-12
• SMS-blaster smishing establishing itself in Switzerland — portable IMSI-catchers force 2G downgrade, bypass operator SMS filtering
  campaigntechnique:sms-blaster-ch-2026last covered 2026-05-11SINGLE-SOURCE-OTHER
  2026-05-11
• UAT-8302 — China-nexus APT targeting government entities in South America and southeastern Europe
  actoractor:UAT-8302last covered 2026-05-10×2 appearances
  2026-W192026-05-06
• World Leaks — rebranded Hunters International; data-theft extortion without encryption
  actoractor:WorldLeakslast covered 2026-05-10×2 appearances
  2026-W192026-05-06
• France ANTS government identity agency breach — 11.7M citizen records confirmed
  incidentincident:france-ants-breach-2026last covered 2026-05-10×3 appearances
  2026-W192026-05-072026-05-06
• DigiCert support portal compromise — 60 fraudulent EV code-signing certificates
  incidentincident:digicert-support-portal-2026last covered 2026-05-10×2 appearances
  2026-W192026-05-06
• Trellix source code repository breach
  incidentincident:trellix-source-code-2026last covered 2026-05-10×2 appearances
  2026-W192026-05-06
• ADT Inc. cloud environment breach — customer PII (SEC 8-K 2026-04-24)
  incidentincident:adt-cloud-breach-2026last covered 2026-05-10×2 appearances
  2026-W192026-05-06
• Mediaworks Kft (Hungary) — World Leaks data-theft extortion
  incidentincident:mediaworks-hungary-2026last covered 2026-05-10×2 appearances
  2026-W192026-05-06
• Europol IOCTA 2026 — Internet Organised Crime Threat Assessment
  annual-reportannual-report:iocta-2026last covered 2026-05-10×2 appearances
  2026-W192026-05-06
• DAEMON Tools Lite supply chain — QUIC RAT, EU governments targeted
  incidentincident:daemon-tools-supply-chain-2026last covered 2026-05-10×2 appearances
  2026-W192026-05-09
• ChipSoft (Netherlands) healthcare software vendor — Embargo ransomware, 66 Dutch DPA notifications
  incidentincident:chipsoft-embargo-2026last covered 2026-05-10×2 appearances
  2026-W192026-05-07
• Vimeo data breach via Anodot third-party SaaS compromise — 119,200 accounts
  incidentincident:vimeo-anodot-2026last covered 2026-05-10×2 appearances
  2026-W192026-05-07
• Europol shadow IT systems — decade of unregulated data processing outside EU oversight
  incidentincident:europol-shadow-it-2026last covered 2026-05-10×2 appearances
  2026-W192026-05-07
• Mandiant M-Trends 2026 — Annual Threat Intelligence Report
  annual-reportannual-report:mtrends-2026last covered 2026-05-10×2 appearances
  2026-W192026-05-07
• DragonForce — ransomware-as-a-service operator exploiting SimpleHelp RMM
  actoractor:DragonForcelast covered 2026-05-10×2 appearances
  2026-W192026-05-07
• Embargo — ransomware group; responsible for ChipSoft Netherlands attack
  actoractor:Embargolast covered 2026-05-10×2 appearances
  2026-W192026-05-07
• OceanLotus (APT32) — Vietnam-nexus APT; PyPI supply chain campaign
  actoractor:OceanLotuslast covered 2026-05-10×2 appearances
  2026-W192026-05-07
• CL-STA-1132 — likely state-sponsored exploitation cluster for CVE-2026-0300 (PAN-OS)
  campaigncampaign:CL-STA-1132last covered 2026-05-10×2 appearances
  2026-W192026-05-07
• Pro-Russian hacktivist OT intrusion at five Polish water treatment facilities — pump settings modified
  incidentincident:polish-water-ot-2026last covered 2026-05-10×3 appearances
  2026-W192026-05-092026-05-08
• Die Linke (Germany) — Qilin ransomware, 1.5 TB claimed, DPA notified (April 2026)
  incidentincident:die-linke-qilin-2026last covered 2026-05-10×2 appearances
  2026-W192026-05-08
• Eurail breach (December 2025) — 308 777 travellers notified April 2026; Dutch DPA and EDPS reviewing delayed notification
  incidentincident:eurail-breach-2026last covered 2026-05-10×2 appearances
  2026-W192026-05-08
• CERT-FR CERTFR-2026-ACT-016 — Agentic AI tool risks: prompt injection, MCP supply chain, sandboxing
  campaignadvisory:certfr-2026-act-016last covered 2026-05-10×2 appearances
  2026-W192026-05-08
• Dragos 2025 OT Cybersecurity Year in Review — Frontlines IR Edition
  annual-reportannual-report:dragos-2025-ot-frontlineslast covered 2026-05-10×2 appearances
  2026-W192026-05-08
• Kaspersky Q1 2026 Exploits and Vulnerabilities Report
  annual-reportannual-report:kaspersky-q1-2026-exploitslast covered 2026-05-10×2 appearances
  2026-W192026-05-08
• Inditex (Zara) — ShinyHunters third-party analytics breach, 197,400 EU customers
  incidentincident:inditex-zara-breach-2026last covered 2026-05-10×2 appearances
  2026-W192026-05-09
• DENIC .de DNSSEC outage — HSM integration defect, 3.5 h disruption
  incidentincident:denic-dnssec-outage-2026last covered 2026-05-10×2 appearances
  2026-W192026-05-09
• Groupe 3R (Réseau Radiologique Romand) — Akira ransomware, 48 GB claimed, Swiss medical imaging
  incidentincident:groupe-3r-akira-2026last covered 2026-05-10×2 appearances
  2026-W192026-05-10
• Braintrust AI evaluation platform — AWS account breach exposes customer org-level LLM provider keys
  incidentincident:braintrust-aws-breach-2026last covered 2026-05-10×2 appearances
  2026-W192026-05-10
• JDownloader official site compromised — Windows/Linux installers swapped for Python RAT (~48 h window)
  incidentincident:jdownloader-supply-chain-2026last covered 2026-05-10×2 appearances
  2026-W192026-05-10
• PCPJack — modular cloud-credential-theft worm chaining 5 public CVEs; evicts TeamPCP
  toolresearch:pcpjack-cloud-worm-2026last covered 2026-05-10×2 appearances
  2026-W192026-05-10
• Bauman University 'Department No. 4' — leaked GRU cyber-operator training pipeline (joint The Insider / Guardian / Le Monde / Spiegel investigation)
  campaignresearch:bauman-gru-pipeline-investigation-2026last covered 2026-05-10×2 appearances
  2026-W192026-05-10
• Beagle backdoor distributed via fake Claude AI site (claude-pro[.]com) — DonutLoader + DLL sideloading on signed G DATA AV updater (Sophos STAC4713)
  toolresearch:beagle-fake-claude-stac4713-2026last covered 2026-05-10
  2026-05-10
• ClickFix expands to macOS — Macsync / Shub Stealer / AMOS via Base64 Terminal-paste lures bypass Gatekeeper (Microsoft research)
  campaigncampaign:clickfix-macos-2026last covered 2026-05-10
  2026-05-10
• DENIC .de DNSSEC outage — technical post-mortem confirms three private keys with keytag 33834, only one DNSKEY published
  incidentincident:denic-dnssec-outage-2026-postmortemlast covered 2026-05-10×2 appearances
  2026-W192026-05-10
• Akira — ransomware operator targeting EU healthcare and SME via edge-device CVE chains and intermittent-encryption EDR evasion
  actoractor:Akiralast covered 2026-05-10
  2026-W19
• Qilin / Agenda — Rust-based ransomware-as-a-service; Q3 2025 German operational tempo tripled (GTIG); 23 Q1 2026 healthcare claims
  actoractor:Qilinlast covered 2026-05-10
  2026-W19
• Q1 2026 ransomware quarterly synthesis — Emsisoft / ReliaQuest / ZeroFox / Comparitech convergence
  annual-reportannual-report:q1-2026-ransomware-quarterlylast covered 2026-05-10
  2026-W19
• Google Threat Intelligence Group — Europe Data Leak Landscape 2025 (Germany dominant, 96% of victims <5,000 employees)
  annual-reportannual-report:gtig-europe-2025last covered 2026-05-10×2 appearances
  2026-W192026-05-07
• LG Berlin II Apobank ruling — bank liable €218K phishing loss; PSD2 IP-analytics obligation clarified as case law
  campaignresearch:apobank-psd2-ruling-2026last covered 2026-05-10×2 appearances
  2026-W192026-05-09
• EDPB Coordinated Enforcement Framework 2026 — 25 DPAs target GDPR Articles 12-14 transparency obligations
  campaignpolicy:edpb-cef-2026-transparencylast covered 2026-05-10
  2026-W19
• NCSC Switzerland BACS assessment on AI in vulnerability management — defenders warned against over-reliance on AI detection
  campaignadvisory:ncsc-ch-ai-vuln-mgmt-2026last covered 2026-05-10
  2026-W19
• Poland NIS2 transposition (UKSC amendment) in force 3 April 2026 — water-sector essential-entity status
  campaignpolicy:poland-nis2-transposition-2026last covered 2026-05-10
  2026-W19
• MEPs demand Europol expansion pause after shadow-IT disclosure; EDPS sanctioning toolkit identified as binary
  campaignpolicy:europol-mandate-libe-pause-2026last covered 2026-05-10
  2026-W19
• PamDOORa — malicious PAM module with credential harvesting and log scrubbing, sold on Rehub
  toolresearch:pamdoora-pam-backdoor-2026last covered 2026-05-09
  2026-05-09
• Amazon SES abuse for authenticated BEC/phishing (Kaspersky, 2026-05-04)
  campaigntechnique:amazon-ses-bec-2026last covered 2026-05-08
  2026-05-08
• QLNX (Quasar Linux) — developer-targeting Linux RAT with eBPF rootkit and PAM backdoor
  tooltool:QLNXlast covered 2026-05-07
  2026-05-07
• ZiChatBot — OceanLotus PyPI supply chain backdoor using Zulip API C2
  tooltool:ZiChatBotlast covered 2026-05-07
  2026-05-07
• Amatera — InstallFix campaign infostealer targeting browser credentials and e-wallets
  tooltool:Amateralast covered 2026-05-07
  2026-05-07
• InstallFix — malvertising campaign distributing Amatera infostealer via fake AI tool install pages
  campaigncampaign:installfixlast covered 2026-05-07
  2026-05-07
• ScarCruft (APT37 / Reaper) — North Korea-aligned APT
  actoractor:ScarCruftlast covered 2026-05-06
  2026-05-06
• BirdCall — ScarCruft Android/Windows backdoor
  tooltool:BirdCalllast covered 2026-05-06
  2026-05-06