
Security & IT News

Real-time news from 13+ trusted sources — BleepingComputer, The Hacker News, Krebs on Security, Dark Reading & more.

Vulnerability · The Hacker News · 12d ago
Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows

Cybersecurity researchers have disclosed details of a new automated campaign called Megalodon that has pushed 5,718 malicious commits to 5,561 GitHub repositories within a six-hour window. "Using throwaway accounts and forged author identities (build-bot, auto-ci, ci-bot, pipeline-bot), the attacker injected GitHub Actions workflows containing base64-encoded bash payloads that exfiltrate CI

Vulnerability · The Hacker News · 12d ago
Making Vulnerable Drivers Exploitable Without Hardware - The BYOVD Perspective

1 Introduction This article provides a technical analysis of how many Windows kernel mode drivers can be interacted with from user mode without the hardware they were developed for. This work was motivated by driver-oriented vulnerability research and the need to evaluate the exploitability of individual findings, which frequently affect code whose reachability is hardware-gated. The

🦠 Malware · The Hacker News · 13d ago
Kimwolf DDoS Botnet Operator Arrested in Canada Over DDoS-for-Hire Attacks

The U.S. Department of Justice (DoJ) on Thursday announced the arrest of a Canadian man in connection with allegedly operating a distributed denial-of-service (DDoS) botnet known as Kimwolf. In tandem, Jacob Butler (aka Dort), 23, Ottawa, Canada, has been charged with offenses related to the development and operation of the botnet. Kimwolf is assessed to be a variant of AISURU. "Kimwolf

Vulnerability · SANS ISC · 13d ago
Cross-Platform NPM Stealer, (Fri, May 22nd)

I found a Node.js stealer that looked pretty well obfuscated. The file was not running out-of-the-box because it was uploaded on VT as extracted-decoded.js (and reformatted). The SHA256 is 049300aa5dd774d6c984779a0570f59610399c71864b5d5c2605906db46ddeb9 [1]. It did not run properly in a sandbox, so only a static analysis was performed. The key point is that it is a cross-platform stealer targeting Windows (WSL), macOS and Linux. Good news for us: only the wrapper that is responsible for the execution is obfuscated, but the malicious payloads are embedded in plain text! The obfuscation technique looks typical of the code produced by obfuscation.io [2]. We are facing a very long array of small Base64-encoded strings:

    function c() {
        const t8 = [
            'W54gaGuj', 'pSkByhzh', 'WRT/WPThyG', 'CSomW6OXWQG', 'WO7dIuVcTaq', 'AYb2Axm',
            'WPT3WPJdLmkS', 'WPTNeuWa', 'hCkIW64XW7C', 'W47cM0tcObS', 'WPKbWOKfW74',
            'W6JdNCkDWRe+', 'W53dLuxcP3u', 'WRTUc8ocW4W', 'ysiSica', 'wCo4oser', 'tSkAW5v3ca',
            'W54XaKvz', 'W7nTe8ooW7a', 'W4BcSSo/FLi', 'W6HvW7i+FG', 'W5iBabul', 'F8oQW4JcVCku',
            'W5ldPCkKbcy', 'W6ddQcdcNq0', 'Aw5Niha', 'Dcy9W5dcVq', 'C8o/eqBcHW', 'id0GBMu',
            'W5FcISkyW4FcJG', 'WR1ieSotW4y', 'wSoqq8o1da', 'B3jKvMe', 'icDmB2m', 'uSkgW4qZiq',
            'WO7cMSkoW7zX', 'W5HxW6OnW7S', 'W4SBWRHwW7e', 'zwa3W5dcOG', 'W4PCW79DW6a',
            'omkrngXB', 'xmkVCWeJ', 'nCoEWQ1WWR0', 'WRNcH3vwCG', 'W7lcTSoUCq8', 'rM9sWR/cPW',
            'W4ZcKbxcUIC', 'DgGGDg8', 'WR7dK8kpWROP', 'fmo7j1et', 'id09psa', 'vSo4Cx4n',
            'iIWImJq', 'WRrixrpcJq', 'u29JA2u', 've9swsW', 'WRBdHH3dUa0', 'W5RcKLpdTuW',
            'u3ruyKK', 'WOVcLSowW4RcPG', 'BwuGzgK', 'ugf0AdO', 'W63cJ3Kmaa', 'WPVdRCk1bti',
            'DwrVige', 'C8k2WQxcTh0', 'igvUDhi', 'tmkSl1Ld', 'qqvnW4pcMa', 'WPNdGahdO0i',
            'nmkQWRNdPNa', 'WQD8qmodW6G', 'W4NdK8oBW5pdQq', 'quFcOmoQWRe', 'Cbyarmkq',
            'tmkoWQHU', 'ewb8W4eF', 'vcCOWOPc', 'WRtdQc3dIrW', 'WQXIrSoqW5q', 'kcDqCM8',
            'imkUWQtcPxC', 'bmooW7q6hW',
            ...
        ];
    }

Other small functions are low-level decoders that perform a lot of arithmetic operations.

There are three main payloads that all have their own purpose. The first one is a browser credential stealer. It supports: Chrome, Brave, Edge, Opera, Opera GX, Vivaldi, Kiwi, Yandex, Iridium, Comodo Dragon, SRWare Iron, Chromium, AVG Browser.

    const localAppDataBase = `/mnt/c/Users/${windowsUsername}/AppData/Local`;
    const browserRelativePaths = [
        'Google/Chrome/User Data',               // Chrome
        'BraveSoftware/Brave-Browser/User Data', // Brave
        'AVG Browser/User Data',                 // AVG Browser
        'Microsoft/Edge/User Data',              // Edge
        'Opera Software/Opera Stable',           // Opera
        'Opera Software/Opera GX',               // Opera GX
        'Vivaldi/User Data',                     // Vivaldi
        'Kiwi Browser/User Data',                // Kiwi
        'Yandex/YandexBrowser/User Data',        // Yandex
        'Iridium/User Data',                     // Iridium
        'Comodo/Dragon/User Data',               // Comodo
        'SRWare Iron/User Data',                 // SRWare
        'Chromium/User Data'                     // Chromium
    ];

The malware also looks for interesting wallet Chrome extensions:

    const wps = [
        'nkbihfbeogaeaoehlefnkodbefgpgknn',
        'ejbalbakoplchlghecdalmeeeajnimhm',
        'acmacodkjbdgmoleebolmdjonilkdbch',
        'bfnaelmomeimhlpmgjnjophhpkkoljpa',
        'ibnejdfjmmkpcnlpebklmnkoeoihofec',
        'egjidjbpglichdcondbcbd

Vulnerability · The Hacker News · 13d ago
CISA Adds Exploited Langflow and Trend Micro Apex One Vulnerabilities to KEV

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two security flaws impacting Langflow and Trend Micro Apex One to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerabilities in question are listed below - CVE-2025-34291 (CVSS score: 9.4) - An origin validation error vulnerability in Langflow that could

🩹 Patch · The Hacker News · 13d ago
Cisco Patches CVSS 10.0 Secure Workload REST API Flaw Enabling Data Access

Cisco has rolled out updates for a maximum-severity security flaw impacting Secure Workload that could allow an unauthenticated, remote attacker to access sensitive data. Tracked as CVE-2026-20223 (CVSS score: 10.0), the vulnerability arises from insufficient validation and authentication when accessing REST API endpoints. "An attacker could exploit this vulnerability if they are able to send

🔴 Breach · Krebs on Security · 13d ago
Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada

Canadian authorities on Wednesday arrested a 23-year-old Ottawa man on suspicion of building and operating Kimwolf, a fast-spreading Internet-of-Things botnet that enslaved millions of devices for use in a series of massive distributed denial-of-service (DDoS) attacks over the past six months. KrebsOnSecurity publicly named the suspect in February 2026 after the accused launched a volley of DDoS, doxing and swatting campaigns against this author and a security researcher. He now faces criminal hacking charges in both Canada and the United States.

A criminal complaint unsealed today in an Alaska district court charges Jacob Butler, a.k.a. “Dort,” of Ottawa, Canada with operating the Kimwolf DDoS botnet. A statement from the Department of Justice says the complaint against Butler was unsealed following the defendant’s arrest in Canada by the Ontario Provincial Police pursuant to a U.S. extradition warrant. Butler is currently in Canadian custody awaiting an initial court hearing scheduled for early next week.

The government said Kimwolf targeted infected devices which were traditionally “firewalled” from the rest of the internet, such as digital photo frames and web cameras. The infected systems were then rented to other cybercriminals, or forced to participate in record-smashing DDoS attacks, as well as assaults that affected Internet address ranges for the Department of Defense. Consequently, the DoD’s Defense Criminal Investigative Service is investigating the case, with assistance from the FBI field office in Anchorage.

“KimWolf was tied to DDoS attacks which were measured at nearly 30 Terabits per second, a record in recorded DDoS attack volume,” the Justice Department statement reads. “These attacks resulted in financial losses which, for some victims, exceeded one million dollars. The KimWolf botnet is alleged to have issued over 25,000 attack commands.”

On March 19, U.S. authorities joined international law enforcement partners in seizing the technical infrastructure for Kimwolf and three other large DDoS botnets — named Aisuru, JackSkid and Mossad — that were all competing for the same pool of vulnerable devices. On February 28, KrebsOnSecurity identified Butler as the Kimwolf botmaster after digging through his various email addresses, registrations on the cybercrime forums, and posts to public Telegram and Discord servers. However, Dort continued to threaten and harass researchers who helped track down his real-life identity and dramatically slow the spread of his botnet. Dort claimed responsibility for at least two swatting attacks targeting the founder of Synthient, a security startup that helped to secure a widespread critical security weakness that Kimwolf was using to spread faster and more effectively than any other IoT botnet out there. Synthient was among many technology companies thanked by the Justice Department today, and Synthient’s founder Ben Brundage

🩹 Patch · Microsoft Security · 13d ago
What’s new in Microsoft Security: May 2026

At Microsoft, security innovations are purpose-built to help every organization protect end-to-end with the speed and scale of AI. Our vision is simple: security should be ambient and autonomous, just like the AI it protects. As organizations accelerate AI adoption, security teams are navigating new blind spots created by the broad distribution of agents, data, and identities across different tools and platforms. Microsoft Security’s latest updates extend visibility, control, and protection across your expanding ecosystem, from third-party apps like Claude to your cloud environments and multi-cloud infrastructure. Together, these updates help your team secure what matters most—agents, data, and identities—without slowing your own innovation. Here’s what’s new:

Microsoft Purview visibility now extends to Anthropic Claude

Security and compliance teams can now detect and investigate Anthropic Claude usage alongside other cloud applications in the broader AI ecosystem. The new Anthropic Claude connector for Microsoft Purview delivers centralized visibility and oversight for Claude Enterprise and Claude Platform feed activity and chat conversations, enabling Microsoft Purview to provide insights on Claude interactions and audit log signals. This integration will provide visibility across Enterprise Claude.ai, Claude Console and Claude API, extending the Microsoft Purview experience and helping your teams protect sensitive data across your AI estate.

New data security posture management experience in Microsoft Purview

The new Microsoft Purview Data Security Posture Management (DSPM) experience is now generally available. This solution unifies and streamlines DSPM across scenarios, from discovery to protection, all the way to remediation, allowing teams to investigate risks and take actions in the same workflow. The new experience delivers goal-oriented flows, deeper remediation, expanded reporting, and third-party visibility. Your teams can efficiently discover sensitive data, assess risk, and take action at scale.

Microsoft Purview Data Security Investigations extends investigative depth with custom examinations

Microsoft Purview Data Security Investigations now includes optical character recognition (OCR) and custom examination capabilities to extend investigative depth. OCR extracts text from images, bringing previously inaccessible visual content into scope for AI-powered deep content analysis. In addition to existing examination types that identify credentials, risk, and personally identifiable data, and help inform mitigation, investigators can define their own analysis with custom examination, enabling more tailored and flexible investigations based on their unique needs. Now, Data Security Investigations can extract text from images, like the one above, adding visual content into scope for AI-powered investigations.

Microsoft Entra ID Account recovery securely restores account access

Microsoft Entr

🦠 Malware · The Hacker News · 13d ago
Showboat Linux Malware Hits Middle East Telecom with SOCKS5 Proxy Backdoor

Cybersecurity researchers have disclosed details of a new Linux malware dubbed Showboat that has been put to use in a campaign targeting a telecommunications provider in the Middle East since at least mid-2022. "Showboat is a modular post-exploitation framework designed for Linux systems, capable of spawning a remote shell, transferring files, and functioning as a SOCKS5 proxy," Lumen