Fake OpenAI Repo Hit #1 on Hugging Face, Stole Windows Credentials
Malicious repository impersonating OpenAI's Privacy Filter reached 244,000 downloads before removal. Infostealer targeted Windows users via trending Hugging Face page.
Silent Ransom Group escalates from vishing to physical infiltration. FBI FLASH alert warns 38+ law firms already breached, with operatives plugging USB drives into office computers.
Microsoft warns of active campaign using AI chatbot recommendations to distribute GPU mining malware. Attackers target high-end graphics card owners through fake utility downloads.
Malicious npm package mouse5212-super-formatter stole files from Claude AI's working directory. The attacker's own GitHub token was exposed in the code, allowing researchers to trace exfiltration.
CVE-2026-27771 let attackers pull private container images without authentication. Over 30,000 Gitea deployments affected across healthcare, aerospace, and retail. Update to 1.26.2 now.
NIST's updated password guidelines eliminate forced expiration and complexity rules. Here's how to enforce strong Active Directory passwords without driving users to workarounds.
7-Eleven confirms data breach after ShinyHunters demanded $250K ransom. Over 600,000 Salesforce records allegedly stolen from franchise application systems.
Immigration law platform DocketWise confirms data breach affecting 143,480 people. SSNs, passport numbers, and medical information compromised via cloned repositories.
Attackers compromised DigiCert's support portal via malicious chat attachment, stealing EV code signing certificates. 11 certificates used to sign Zhong Stealer malware.
CVE-2024-12802 lets attackers bypass MFA on SonicWall Gen6 VPNs even after patching. Ransomware operators actively exploiting incomplete fixes. Gen6 reached EOL April 16.
Critical CVE-2026-48172 in LiteSpeed cPanel plugin enables root privilege escalation. CVSS 10.0, actively exploited, CISA KEV deadline May 29. Patch immediately.
Varonis joins 27 other security vendors integrating Anthropic's Claude Compliance API, enabling enterprises to monitor AI conversations, detect data leaks, and enforce governance policies in real time.
New ransomware group Payload uses Babuk-derived code to target Windows and VMware ESXi systems. 12 victims across 7 countries within hours of launching leak site.
North Korea's Lazarus Group uses RemotePE, a fileless RAT that executes entirely in RAM, to target DeFi platforms. The group has stolen $577M in crypto this year alone.
CVE-2026-48095 in 7-Zip allows attackers to execute arbitrary code through malicious NTFS images. CVSS 8.8 - update to v26.01 immediately.
A toggle for claude-mythos-1-preview briefly surfaced in Claude Code before removal. The restricted model found 10,000+ zero-days in its first month through Project Glasswing.
ShinyHunters threatens to leak 42 million Charter Communications customer records by May 27. The telecom giant confirms incident but disputes data sensitivity claims.
International law enforcement seizes 33 servers and shuts down First VPN, a criminal service used by at least 25 ransomware groups since 2014. 15 nations participated.
Supply chain attack deploys 34 malicious packages across npm, PyPI, and Crates.io to steal crypto wallets, SSH keys, and developer credentials. AI assistants weaponized.
Attackers exploit CVE-2026-26980 to steal admin API keys and inject malicious scripts across 700+ Ghost CMS sites, including Harvard and Oxford. Patch now.
New phishing-as-a-service platform bypasses MFA via OAuth device code flow. FBI PSA details how Kali365's AI-generated lures and $250/month pricing are enabling widespread credential theft.
CVE-2026-34926 lets attackers inject malicious code into Apex One servers and deploy it to all connected endpoint agents. CISA confirms active exploitation with June 4 federal deadline.
CISA adds CVE-2025-34291 to KEV after Iranian APT MuddyWater weaponizes the CORS/CSRF chain for account takeover and RCE. CVSS 9.4 flaw requires only a malicious link click.
CVE-2026-9082 exploitation began within hours of patch release. Imperva tracked 15,000+ attacks against PostgreSQL-backed Drupal sites across 65 countries in the first two days.
Automated Megalodon campaign pushed 5,718 malicious commits to GitHub repos on May 18, injecting CI/CD workflows that exfiltrate cloud credentials, SSH keys, and secrets. SafeDep links it to TeamPCP.
Attackers compromised 700+ versions of Laravel-Lang PHP packages via tag poisoning, deploying a sophisticated stealer targeting cloud credentials, crypto wallets, and browser data. Packagist pulled affected versions.
CVE-2026-23918 in Apache HTTP Server 2.4.66 lets attackers crash workers trivially or achieve remote code execution through a double-free in mod_http2. Upgrade to 2.4.67 immediately.
Ubiquiti releases emergency patches for three maximum-severity vulnerabilities in UniFi OS that allow unauthenticated remote attackers to take full control of network appliances. 100,000 devices exposed.
Canadian authorities arrest 23-year-old Jacob Butler for operating the KimWolf IoT botnet. The DDoS-for-hire operation enslaved nearly 2 million devices and set volumetric attack records.
China-linked Calypso group targets telecoms across Middle East and Asia Pacific with new Linux and Windows malware. Showboat provides SOCKS5 proxy access; JFMBackdoor enables full system control.
Leaked Shai-Hulud malware source code fuels new npm supply chain attack. Four malicious packages steal credentials and deploy DDoS bot with TCP/UDP flood capabilities.
Cisco patches CVE-2026-20223, a maximum-severity REST API vulnerability in Secure Workload enabling unauthenticated attackers to gain Site Admin privileges across tenants.
A Chromium bug reported in 2022 that turns browsers into silent botnets was accidentally exposed on Google's issue tracker. No patch exists despite 'fixed' status.
ESET exposes Webworm's EchoCreep and GraphWorm backdoors targeting European governments. The China-aligned APT uses Discord and OneDrive for C2, hitting Belgium, Italy, Poland, and Spain.
CISA's May 20 KEV update includes two actively exploited Microsoft Defender vulnerabilities and five legacy flaws from 2008-2010. Federal agencies have until June 3 to patch.
Security researchers disclose nginx-poolslip, an unpatched zero-day in NGINX 1.31.0 that defeats ASLR protection. Millions of servers at risk with no CVE or fix available yet.
Grafana Labs confirms hackers stole source code through a GitHub token that slipped through rotation after the TanStack supply chain compromise. The company refused to pay the ransom demand.
Verizon's 2026 Data Breach Investigations Report reveals vulnerability exploitation surpassed credential theft as the leading breach vector for the first time in 19 years. Only 26% of KEV flaws get patched.
Drupal releases patches for a highly critical vulnerability (severity 20/25) affecting all supported versions. Exploits may emerge within hours—administrators should update between 5-9pm UTC today.
Seven vulnerabilities including CVE-2026-2743 (CVSS 10.0) allow unauthenticated attackers to compromise SEPPMail secure email gateways, read all traffic, and establish persistent access. Patch to 15.0.4 immediately.
Microsoft's Digital Crimes Unit seizes infrastructure behind Fox Tempest, a malware-signing service that helped Rhysida, Akira, and Qilin ransomware gangs disguise malicious code as legitimate software.
Microsoft unveils four-pillar Driver Quality Initiative at WinHEC 2026, enforcing stricter power, thermal, and security standards for Windows 11 drivers starting this year.
Attackers published malicious Nx Console 18.95.0 to VS Code Marketplace, stealing developer credentials via triple-channel exfiltration and Sigstore-signed npm package poisoning.
REMUS, a 64-bit Lumma Stealer successor, now offers session theft, EtherHiding blockchain C2, and full MaaS infrastructure targeting browser credentials and auth tokens.
SHub Reaper macOS infostealer bypasses Tahoe 26.4 defenses using applescript:// URLs, spoofs Apple, Google, and Microsoft to steal credentials and backdoor systems.
OpenAI's Daybreak initiative brings GPT-5.5 variants to defensive security. Partners include Cisco, CrowdStrike, and Fortinet. Red team model available for authorized testing.
DEVCORE claims Master of Pwn with $505K across three days. VMware ESXi and SharePoint exploits highlight Day 3 as Pwn2Own Berlin 2026 awards $1.29M total.
Chaotic Eclipse drops working exploit for Windows Cloud Filter driver flaw allegedly patched in 2020. Race condition in cldflt.sys spawns SYSTEM shell on Windows 11.
ProbablyPwned delivers breaking hacking news and cybersecurity coverage for security professionals. Our team monitors global threat landscapes to bring you timely reporting on data breaches, vulnerability disclosures, and threat actor campaigns.