Security & IT News

Google says the Chrome Device Bound Session Credentials (DBSC) security feature is now generally available and is rolling out to all users to prevent account takeovers. [...]

p CISA has added one new vulnerability to its a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" data-entity-type="node" data-entity-uuid="79453b83-86b9-4e2f-b1ec-abf73c6eb291" data-entity-substitution="canonical" title="Known Exploited Vulnerabilities Catalog" Known Exploited Vulnerabilities (KEV) Catalog /a , based on evidence of active exploitation. /p ul li a href="https://www.cve.org/CVERecord?id=CVE-2026-0257" target="_blank" CVE-2026-0257 /a Palo Alto Networks PAN-OS Authentication Bypass Vulnerability /li /ul p This type of vulnerability is a frequent attack vectors for malicious cyber actors and poses significant risks to the federal enterprise. /p p a href="https://www.cisa.gov/binding-operational-directive-22-01" Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities /a established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the a href="https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf" BOD 22-01 Fact Sheet /a for more information. /p p Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" data-entity-type="node" data-entity-uuid="79453b83-86b9-4e2f-b1ec-abf73c6eb291" data-entity-substitution="canonical" title="Known Exploited Vulnerabilities Catalog" KEV Catalog vulnerabilities /a as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the a href="https://www.cisa.gov/known-exploited-vulnerabilities" specified criteria /a . nbsp; /p

A previously undocumented threat actor dubbed GREYVIBE has been attributed to ongoing and persistent attacks targeting Ukraine and Ukraine-related entities since at least August 2025. GREYVIBE, per WithSecure, is assessed to be a Russian-speaking group operating broadly in the Russian time zone, with the activities aligning with Kremlin state interests, specifically when it comes to

A North Carolina man was sentenced to more than 10 years in prison for selling the personal information of over 7 million elderly Americans to Jamaican scammers. [...]

Younger Americans have soured on the second Donald Trump presidency , but they are not protesting it. Despite an unpopular Iran war and an even more unpopular Trump administration , college campus protests nationwide have gone silent . And at many schools, student activism is virtually nonexistent . This silence comes in the wake of a relentless Trump administration war on campus speech that has involved lawsuits , arrests , deportations and expulsions . Reports cite a range of complicated factors for the restraint, from apathy to technology-induced incapacity. But as public policy and law and social science experts , we believe students aren’t protesting for a very simple reason: They are afraid. They are self-censoring and disengaging from campaign activism to avoid punitive measures. In law and social science, we call this impact a chilling effect —the behavioral tendency for people in face of a threat to self-censor and restrain their activities for self-protection. It’s increasingly clear to us that these impacts are not incidental or ancillary to Trump administration policy. Rather, the chilling effects are the point. This is the closest thing to a consistent governing strategy in Trump’s second term. The broader chill of Trump threats Chilling effects can be subtle, but today they are everywhere. And it’s not just students who are chilled by Trump administration threats. Professors are censoring themselves in lectures and rewriting syllabuses . Researchers are stripping grant applications of words that might attract federal scrutiny , or abandoning the topics entirely. Media outlets are modifying their news coverage to avoid Trump lawsuits or sanctions. Law enforcement and regulatory agencies are refusing to investigate Trump-aligned actors inside or outside government, and major national law firms are declining cases challenging Trump administration policies. Publishers are “ stepping back ” from LGBTQ+ books and other progressive subjects. Many in targeted immigrant communities are afraid to leave home to go to work or school . In most cases, these people and institutions are not being specifically targeted or threatened by Trump. But they are afraid, and their fear is doing the administration’s work for it. They stay silent, avoid attention and confrontation, and look the other way. In other cases, they change their speech and behavior to accommodate or conform to the administration’s worldview. Of course, there are counterexamples, such as the winter protests in Minneapolis in response to brutality by agents with U.S. Immigration and Customs Enforcement, and the recent “ No Kings ” rallies. But even here, the broader but less visible trend—chilling effects—is evident. For instance, in recent reporting on the latest No Kings rallies, many media outlets observed that students were noticeably missing , despite the Trump administration’s unpopularity among

Shadow AI used to mean employees pasting things they shouldn't into ChatGPT. It now means something bigger: employees building full applications with AI, wiring them into production systems, and publishing them on the open internet. Without Security or IT in the loop. The artifact moved from a prompt to a product. The risk surface moved with it. In The Shadow Builders report (get it here), a

A Google security engineer was charged with insider trading after winning $1.2 million using confidential company data to place bets on the cryptocurrency-based Polymarket decentralized prediction market. [...]

From a research-driven pilot, the Cybersecurity Communities of Support (CyCOS) is about to be handed over to CIISec

Email still reaches more people than any other digital channel. Getting it to actually land in the inbox…

Cybersecurity researchers have discovered a malicious NuGet package that masquerades as a C# software development kit for Sicoob, one of Brazil's largest cooperative financial systems, to siphon client IDs and PFX certificates. According to Socket, versions 2.0.0 through 2.0.4 of "Sicoob.Sdk" contain functionality to exfiltrate sensitive information, including PFX certificates that are used to

ESET’s 2026 APT Activity Report suggests China-backed APTs are using instability in the region to target victims, as well as continuing activity against organizations around the globe

The ShinyHunters extortion gang stole personal information from 4.9 million accounts after hacking the U.S. telecom giant Charter Communications in early April, according to data breach notification service Have I Been Pwned. [...]

Sloppy AI-generated npm infostealer leaked its own GitHub token, exposing the operator

The North Korean state-sponsored threat actor known as Kimsuky (aka Velvet Chollima) has been attributed to a fresh set of cyber attacks targeting South Korean military and corporate entities through March and April 2026. "Kimsuky employed a range of tailored social engineering tactics, such as spoofing security software installation pages and crafting a fake Webex meeting page that leveraged

In this article Attack chain overview The lure: typosquats and spoofed metadata Execution: npm lifecycle hook abuse Gen-1 stager: HTTP C2 beacon and payload drop Gen-2 stager: abusing the legitimate Bun runtime as a loader Credential theft Impact and blast radius Mitigation and protection guidance How Microsoft Defender helps Microsoft Defender XDR Detections Advanced hunting Indicators of Compromise (IOC) References Learn more Microsoft has identified an active supply chain attack targeting the npm package ecosystem. On May 28, 2026, a single threat actor operating under the newly created maintainer alias vpmdhaj (a39155771@gmail[.]com) published 14 malicious packages within a four-hour window. The packages typosquat well-known OpenSearch, ElasticSearch, DevOps, and environment-configuration libraries, and several spoof the upstream OpenSearch project’s repository URL in their package.json to appear legitimate. Once installed, the packages harvest AWS credentials, HashiCorp Vault tokens, and CI/CD pipeline secrets from the host environment. All packages in the cluster ship the same install-time stager and the same Bun-compiled second-stage payload – a ~195 KB credential harvester purpose-built for cloud and CI/CD environments. The payload runs silently during npm install and targets credentials across Amazon Web Services, HashiCorp Vault, GitHub Actions, and the npm registry itself, enabling both cloud lateral movement and downstream supply-chain pivoting through stolen npm publish tokens. Based on our investigation and feedback to the npm team these repos and users were taken down. Key capabilities observed in the campaign include automatic execution via npm lifecycle hooks, two distinct stager generations (an HTTP-C2 variant and a stealthier variant that abuses the legitimate Bun runtime distribution), AWS Instance Metadata Service (IMDSv2) and ECS task-role theft, AWS Secrets Manager enumeration across 16+ regions, HashiCorp Vault token harvesting, and theft of npm publish tokens for follow-on supply-chain attacks. Attack chain overview The vpmdhaj cluster spans 14 scoped and unscoped packages that all mimic the @opensearch / @elastic ecosystem. The attack proceeds through: Publication of 14 typosquat packages under a single actor identity Automatic payload execution through a preinstall hook during npm install Execution chain (Gen-1): node -> preinstall.js -> HTTP C2 -> payload.bin (detached) Execution chain (Gen-2): node -> setup.mjs -> download legitimate Bun runtime -> run bundled stage-2 Cloud credential theft (AWS IMDS, ECS metadata, Vault, Secrets Manager) and npm publish-token theft for downstream supply-chain pivot Figure 1. vpmdhaj npm supply chain attack flow. The lure: typosquats and spoofed metadata The actor adopted three social-engineering techniques designed to drive installs by mistake or trust transference. First, lookalike naming – names such as opensearch-setup, opensearch-setup-tool, opensearch-config-ut

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Anthropic has confirmed that it plans to bring Mythos-class models to the general public after delaying the rollout due to security risks to public and private software. [...]

A likely Russian threat cluster tracked as GreyVibe has been targeting Ukrainian entities with AI-generated lures and a rich set of custom malware tools. [...]

An Android remote access trojan named BTMOB is offered to cybercriminals with a builder interface for generating malware payloads tailored to phishing lures. [...]

Using the data collected over the past year and using Kibana these two ES|QL query to summarize the data, this shows the list of the most uploaded threat to two DShield sensors (local and cloud) over the past year. I have sorted the activity by months that shows the evolution of files uploaded to the sensors each month. The activity peaked during the winter months (Dec 2025 - Feb 2026) and started decreasing in March 2026 for each sensor. ES|QL Query by Sensor FROM cowrie* | WHERE threat.indicator.provider == virustotal | WHERE related.hash IS NOT NULL | WHERE threat.indicator.file.type IS NOT NULL | WHERE threat.software.name IS NOT NULL | SORT @timestamp DESC | STATS Total=COUNT(related.hash) BY FileType=threat.indicator.file.type, agent.name=BUCKET(@timestamp, 50, ?_tstart, ?_tend) Past Year of Files Uploaded to Dshield Sensors This example displays the activity by file type (8) for a one-year period. The file type uploaded or downloaded to the sensor are ELF, Shell script, Powershell, HTML, Text, unknown, DOS batch file and JavaScript. ES|QL Activity by File Type FROM cowrie* | WHERE threat.indicator.provider == virustotal | WHERE related.hash IS NOT NULL | WHERE threat.indicator.file.type IS NOT NULL | WHERE threat.software.name IS NOT NULL | WHERE threat.indicator.name IS NOT NULL | SORT @timestamp DESC | STATS Total=COUNT(related.hash) BY agent.name, threat.indicator.name=BUCKET(@timestamp, 50, ?_tstart, ?_tend) To monitor the type of files uploaded or downloaded to the sensor, using the cowrie_vt.sh [ 3 ] Python Jesse's script [ 4 ], it provides a daily list of hash files that are stored on the sensor and can be monitored within the DShield SIEM [ 2 ]. [1] https://isc.sans.edu/tools/honeypot/ [2] https://github.com/bruneaug/DShield-SIEM [3] https://github.com/bruneaug/DShield-Sensor/blob/main/sensor_scripts/cowrie_vt.sh [4] https://raw.githubusercontent.com/jslagrew/cowrieprocessor/main/cowrie_malware_enrichment.py ----------- Guy Bruneau IPSS Inc. My GitHub Page Twitter: GuyBruneau gbruneau at isc dot sans dot edu (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.