
Security & IT News

Live

Real-time news from 13+ trusted sources — BleepingComputer, The Hacker News, Krebs on Security, Dark Reading & more.

733 results in Vulnerability

Vulnerability · CISA · 45d ago
Supply Chain Compromise Impacts Axios Node Package Manager

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this alert to provide guidance in response to the software supply chain compromise of the Axios node package manager (npm).[1] Axios is an HTTP client for JavaScript that developers commonly use in Node.js and browser environments.

On March 31, 2026, two npm packages for versions [email protected] and [email protected] of Axios npm injected the malicious dependency [email protected] that downloads multi-stage payloads from cyber threat actor infrastructure, including a remote access trojan.[2]

CISA urges organizations to implement the following recommendations to detect and remediate a potential compromise:

- Monitor and review code repositories, continuous integration/continuous delivery (CI/CD) pipelines, and developer machines that ran npm install or npm update with the compromised Axios version.
  - Search for cached versions of affected dependencies in artifact repositories and dependency management tools. Pin npm package dependency versions to known safe releases.

If compromised dependencies are identified, revert the environment to a known safe state.

- Downgrade to [email protected] or [email protected] and delete node_modules/plain-crypto-js/.
- Rotate/revoke credentials that may have been exposed on affected systems or pipelines (e.g., version control system [VCS] tokens, CI/CD secrets, cloud keys, npm tokens, and Secure Shell [SSH] keys). For ephemeral CI jobs, rotate all secrets injected into the compromised run.
- Monitor for unexpected child processes and anomalous network behavior, specifically during npm install or npm update.
  - Block and monitor outbound connections to Sfrclak[.]com domains.
  - Conduct continuous indicator searches and endpoint detection and response (EDR) hunts to confirm no indicators of compromise (IOCs) remain; ensure no further egress to the command and control (C2).

In addition, CISA recommends organizations using Axios npm:

- Mandate phishing-resistant multifactor authentication (MFA) on all developer accounts, especially for critical platforms.
- Set ignore-scripts

Vulnerability · CISA · 45d ago
CISA Adds Eight Known Exploited Vulnerabilities to Catalog

CISA has added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog), based on evidence of active exploitation.

- CVE-2023-27351: PaperCut NG/MF Improper Authentication Vulnerability
- CVE-2024-27199: JetBrains TeamCity Relative Path Traversal Vulnerability
- CVE-2025-2749: Kentico Xperience Path Traversal Vulnerability
- CVE-2025-32975: Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability
- CVE-2025-48700: Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability
- CVE-2026-20122: Cisco Catalyst SD-WAN Manager Incorrect Use of Privileged APIs Vulnerability
- CVE-2026-20128: Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format Vulnerability
- CVE-2026-20133: Cisco Catalyst SD-WAN Manager Exposure of Sensitive Information to an Unauthorized Actor Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities (https://www.cisa.gov/binding-operational-directive-22-01) established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet (https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf) for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of

Vulnerability · The Hacker News · 45d ago
Why Most AI Deployments Stall After the Demo

The fastest way to fall in love with an AI tool is to watch the demo. Everything moves quickly. Prompts land cleanly. The system produces impressive outputs in seconds. It feels like the beginning of a new era for your team. But most AI initiatives don't fail because of bad technology. They stall because what worked in the demo doesn't survive contact with real operations. The gap between a

Vulnerability · The Hacker News · 45d ago
Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain

Cybersecurity researchers have discovered a critical "by design" weakness in the Model Context Protocol's (MCP) architecture that could pave the way for remote code execution and have a cascading effect on the artificial intelligence (AI) supply chain. "This flaw enables Arbitrary Command Execution (RCE) on any system running a vulnerable MCP implementation, granting attackers direct access to

Vulnerability · SANS ISC · 45d ago
Handling the CVE Flood With EPSS, (Mon, Apr 20th)

Every morning, security people around the world face the same ritual: opening their vulnerability feed to find a lot of new CVE entries that appeared overnight. Over the past decade, this flood has become a defining challenge of modern defensive security. Some numbers [1]:

- CVEs published in 2023: 29K+
- CVEs published in 2024: 40K+
- New CVEs per day: ~110
- Exploited in the wild: ~5-7%

The root cause of this explosion is structural: the security research community has grown dramatically, bug bounty programs and automated scanning have industrialised vulnerability discovery, and software supply chains expose orders of magnitude more attack surface than legacy monolithic architectures ever did. And don't forget AI, which is used more and more to find vulnerabilities!

Every CVE receives a CVSS (Common Vulnerability Scoring System) score, a value between 0 and 10 that attempts to express the intrinsic severity of a vulnerability. This score is based on core questions like: How bad is it if exploited? How complex is exploitation? What privileges are required? And what impact on confidentiality, integrity, and availability is to be expected? CVSS is a well-designed standard, and it is useful. But initial triage remains challenging: which CVEs deserve to be investigated first? A CVSS 9.8 that sits dormant in obscure software is less dangerous in practice than a CVSS 6.5 actively chained in ransomware campaigns!

The Exploit Prediction Scoring System (EPSS) was developed by FIRST (Forum of Incident Response and Security Teams) [2] and has gone through successive iterations since its public launch in 2021, with EPSS v3 released in March 2023 as the current production model. Its design philosophy is fundamentally different from CVSS: instead of rating theoretical impact, EPSS answers a probabilistic question. We already talked about EPSS a long time ago [3], but it doesn't get enough attention from the community (IMHO). How does it work?

- EPSS = P(exploitation within 30 days | CVE is published)
- Score range: 0.00001 to 1.0 (probability)
- Model: gradient-boosted machine learning (XGBoost)
- Input features: ~1,400 signals updated daily
- Data sources: exploit databases, darkweb telemetry, threat intel feeds, PoC repositories, NVD metadata

Theory is nice, but let's be more pragmatic! FIRST offers an API to query for EPSS scores:

$ curl -s "https://api.first.org/data/v1/epss?cve=CVE-2026-23099" | jq .
{
  "status": "OK",
  "status-code": 200,
  "version": "1.0",
  "access": "public",
  "total": 1,
  "offset": 0,
  "limit": 100,
  "data": [
    {
      "cve": "CVE-2026-23099",
      "epss": "0.000180000",
      "percentile": "0.044770000",
      "date": "2026-04-19"
    }
  ]
}

How to automate this? Most SIEM or log management solutions can interact with external services through APIs. Let me show you how I enrich my vulnerability alerts in Wazuh. I set up an integration [4] that will query the EPSS score of CVEs detected in my environment: a Python script will be invoked when a vulnerability is detected (with alert group vulnerability-detector, the fetch

Vulnerability · Rapid7 · 47d ago
Metasploit Wrap-Up 04/17/2026

Happy Friday - Seven New Metasploit Modules

We're happy to announce that Metasploit Framework had a big week, landing seven new modules alongside various bug fixes and enhancements. This week's highlights include RCE modules targeting AVideo, openDCIM, Selenium Grid/Selenoid, and ChurchCRM. On the post-exploitation side, Windows saw three new persistence techniques added as modules, targeting Telemetry scheduled tasks, PowerShell profiles, and Microsoft BITS. What a time to be alive as a Metasploit user! We wish you all a wonderful weekend and happy hacking.

New module content (7)

AVideo Unauthenticated SQL Injection Credential Dump
Authors: Valentin Lobstein [email protected] and arkmarta
Type: Auxiliary
Pull request: #21075 contributed by Chocapikk
Path: gather/avideo_catname_sqli
AttackerKB reference: CVE-2026-28501
Description: Adds an auxiliary module for CVE-2026-28501, an unauthenticated SQL injection in AVideo = 22.0, along with a new BenchmarkBasedBlind SQLi mixin class and blind extraction improvements.

openDCIM install.php SQL Injection to RCE
Author: Valentin Lobstein [email protected]
Type: Exploit
Pull request: #21034 contributed by Chocapikk
Path: linux/http/opendcim_install_sqli_rce
AttackerKB reference: CVE-2026-28517
Description: This PR adds a new exploit module for openDCIM that chains three vulnerabilities (https://github.com/advisories/GHSA-mg2w-x76x-59h8, https://github.com/advisories/GHSA-prmh-rp39-qc4m, https://github.com/advisories/GHSA-428h-8xhf-g3cw) to achieve remote code execution.

Selenium Grid/Selenoid Unauthenticated RCE
Authors: Jon Stratton, Takahiro Yokoyama, Valentin Lobstein [email protected], and Wiz Research
Type: Exploit
Pull request: #21003 contributed by Chocapikk
Path: linux/http/selenium_greed_rce
Description: This replaces the two separate Selenium Grid RCE modules (Chrome and Firefox) with a single unified module that auto-detects available browsers and selects the best attack vector. The module targets unauthenticated Selenium Grid and Selenoid instances, supporting two techniques: a Firefox profile handler injection that works on all Grid versions including the latest (never patched since 2021), and a Chrome binary override for Grid versions prior to 4.11.0 and all Selenoid versions. No authentication is required.

ChurchCRM Database Restore RCE 6.2.0
Author: LucasCsmt
Type: Exploit
Pull request: #21095 contributed by LucasCsmt
Path: multi/http/churchcrm_db_restore_rce
AttackerKB reference: CVE-2025-68109
Description: Adds a new exploit module for CVE-2025-68109, targeting a file upload vulnerability inside ChurchCRM leading to an RCE. This module will work on version 6.2.0 of ChurchCRM and earlier.

Windows Persistence Bits Job
Author: h00die
Type: Exploit
Pull request: #20839 contributed by h00die
Path: windows/persistence/bits
Description: This adds a new persistence module that uses Microsoft Bits to maintain access to the system.

Powershell Profile Persistence
Author: madefourit
Ty

Vulnerability · The Hacker News · 48d ago
NIST Limits CVE Enrichment After 263% Surge in Vulnerability Submissions

The National Institute of Standards and Technology (NIST) has announced changes to the way it handles cybersecurity vulnerabilities and exposures (CVEs) listed in its National Vulnerability Database (NVD), stating it will only enrich those that fulfil certain conditions owing to an explosion in CVE submissions. "CVEs that do not meet those criteria will still be listed in the NVD but will not

Vulnerability · The Hacker News · 48d ago
Operation PowerOFF Seizes 53 DDoS Domains, Exposes 3 Million Criminal Accounts

An international law enforcement operation has taken down 53 domains and arrested four people in connection with commercial distributed denial-of-service (DDoS) operations that were used by more than 75,000 cybercriminals. The ongoing effort, dubbed Operation PowerOFF, disrupted access to the DDoS-for-hire services, took down the technical infrastructure supporting them, and obtained access to

Vulnerability · The Hacker News · 48d ago
Apache ActiveMQ CVE-2026-34197 Added to CISA KEV Amid Active Exploitation

A recently disclosed high-severity security flaw in Apache ActiveMQ Classic has come under active exploitation in the wild, per the U.S. Cybersecurity and Infrastructure Security Agency (CISA). To that end, the agency has added the vulnerability, tracked as CVE-2026-34197 (CVSS score: 8.8), to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian

Vulnerability · SANS ISC · 48d ago
Lumma Stealer infection with Sectop RAT (ArechClient2), (Fri, Apr 17th)

Introduction

This diary provides indicators from a Lumma Stealer infection that was followed by Sectop RAT (ArechClient2). I searched for cracked versions of popular copyright-protected software, and I downloaded the initial malware after following the results of one such search. This is a common distribution technique for various families of malware, and I often find Lumma Stealer this way. In this case, the initial malware for Lumma Stealer was delivered as a password-protected 7-zip archive. The extracted malware is an inflated Windows executable (EXE) file at 806 MB. The EXE is padded with null-bytes (0x00), a technique which increases the EXE size while allowing the compressed archive file to be much smaller. The password-protected archive and inflated EXE file are designed to avoid detection.

Images from the infection

Image (not reproduced here): Example of a page with instructions to download the initial malware file.
Image (not reproduced here): Traffic from the infection filtered in Wireshark.
Image (not reproduced here): Sectop RAT persistent on an infected Windows host.

Indicators of Compromise

Example of download link from the site advertising cracked versions of copyright-protected software:
hxxps[:]//incolorand[.]com/how-visual-patch-enhances-ui-consistency-across-releases/?utm_source={CID}&utm_term=Adobe%20Premiere%20Pro%20(2026)%20Full%20v26.0.2%20Espa%C3%B1ol%20[Mega]&utm_content={SUBID1}&utm_medium={SUBID2}

Example of URL for page with the file download instructions:
hxxps[:]//mega-nz.goldeneagletransport[.]com/Adobe_Premiere_Pro_%282026%29_Full_v26.0.2_Espa%C3%B1ol_%5BMega%5D.zip?c=ABUZ4WkRgQUA_YUCAFVTFwASAAAAAACh&s=360721

Example of URL for file download from the above site impersonating MEGA:
hxxps[:]//arch.primedatahost3[.]cfd/auth/media/JvWcFd5vUoYTrImvtWQAASTh/Adobe_Premiere_Pro_(2026)_Full_v26.0.2_Espa%C3%B1ol_%5BMega%5D.zip

Downloaded file:
SHA256 hash: c7489e3bf546c5f2d958ac833cc7dbca4368dfba03a792849bc99c48a6b2a14f
File size: 3,888,051 bytes
File name: adobe_premiere_pro_(2026)_full_v26.0.2_español_[mega].7z
File type: 7-zip archive data, version 0.4
File description: Password-protected 7-zip archive
Password: 6919

Extracted malware:
SHA256 hash: 4849f76dafbef516df91fecfc23a72afffaf77ade51f805eae5ad552bed88923
File size: 806,127,604 bytes
File name: appFile.exe
File type: PE32 executable (GUI) Intel 80386, for MS Windows
File description: Inflated Windows EXE file for Lumma Stealer, padded with null-bytes

Deflated malware:
SHA256 hash: 353ddce78d58aef2083ca0ac271af93659cf0039b0b29d0d169fc015bd3610bc
File size: 7,114,156 bytes
File type: PE32 executable (GUI) Intel 80386, for MS Windows
File description: Above appFile.exe with most of the null-byte padding removed

Any.Run sandbox analysis
Triage sandbox analysis

Lumma Stealer command and control (C2) domains from Triage sandbox analysis:
cankgmr[.]cyou
carytui[.]vu
decrnoj[.]club
genugsq[.]best
longmbx[.]click
mushxhb[.]best
pomflgf[.]vu
strikql[.]shop
ulmudhw[.]shop

Follow-up malware:
SHA256 hash: d9b576eb6827f38e33ed

Vulnerability · Rapid7 · 48d ago
CVE-2026-33032: Nginx UI Missing MCP Authentication

Overview

On March 30, 2026, a security advisory was published for a critical vulnerability affecting Nginx UI. Nginx UI is an open-source web interface to centralize the management of Nginx configurations and SSL certificates. The critical vulnerability, CVE-2026-33032, was reported in early March by Pluto Security researcher Yotam Perkal and subsequently patched on March 15, 2026. That same day, Pluto Security published a technical blog post with some vulnerability details. CVE-2026-33032 is a missing authentication bug with a CVSS score of 9.8; as a result of missing authentication controls, an unauthenticated attacker can access a Model Context Protocol (MCP) server that can perform privileged operations on managed Nginx web servers. Systems are vulnerable in the default IP allowlist configuration, which allows any remote IP to access MCP functionality. Exploitation results in full attacker control of the managed Nginx service. According to a Recorded Future report published on April 13, 2026, exploitation of CVE-2026-33032 in the wild has begun.

Mitigation guidance

Organizations running Nginx UI should prioritize updating on an urgent basis to remediate CVE-2026-33032. Additionally, to reduce exposure to future vulnerabilities affecting Nginx UI, defenders should ensure that network access to the Nginx UI management interface is strictly limited to those who must have it.

Affected versions: According to the finder's blog post, version 2.3.3 and prior are affected, and the fix is present in version 2.3.4 and later. However, the official CVE record states that versions 2.3.5 and below are affected. This discrepancy in affected version numbers makes it unclear which version is required to remediate CVE-2026-33032. To avoid this version number discrepancy, users are advised to update to the very latest version (2.3.6). Please read the vendor advisory for the latest guidance.

Rapid7 customers

Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-33032 with unauthenticated checks expected to be available in the April 17 content release.

Updates

April 16, 2026: Initial publication.