Guardicore Labs uncovers a Ransomware detection campaign targeting MySQL servers. Attackers use Double Extortion and publish data to pressure victims.

In the beginning of April, three attacks detected in the Guardicore Global Sensor Network (GGSN) caught our attention. All three had source IP addresses originating in South-Africa and hosted by VolumeDrive ISP (see IoCs).

Our deception technology is able to reroute attackers into honeypots, where they believe that they found their real target. The attacks brute forced passwords for RDP credentials to connect to the victim download and execute a previously undetected malware, which we named Trojan.sysscan.

Guardicore security researchers describe and uncover a full analysis of a cryptomining attack, which hid a cryptominer inside WAV files. The report includes the full attack vectors, from detection, infection, network propagation and malware analysis and recommendations for optimizing incident response processes in data centers.

In this Akamai FLAME Trailblazer blog post, Rachel Bayley encourages women to step into the unknown and to be their authentic selves.

CASI leaderboard shifts, and two incidents where AI was handed the keys.

These are the top threats you should know about this week.

"There is consumer pressure to back away from technology that is unnecessary to perform everyday tasks."

The insane Meta AI hack; Amazon's internal AI leaderboard; and our lawsuit against ICE.

Peptide companies have been doing AI-engine optimization by spamming the biohackers subreddit to manipulate ChatGPT and Google.

Google is trying to buy code from some Android developers as part of a "confidential" program.

MCP servers introduce a new attack surface, but the security fundamentals are familiar. In this final otto-support post, we use nmap, a Nuclei template, and MCP Inspector to discover, enumerate, and exploit an authorization gap without ever touching an LLM.

No content preview

This blog is a preview of our report, “The New Rails: How Digital Assets Are Reshaping the Foundations of Finance.”… The post Agentic Payments Cross the Threshold: Inside x402’s Path to Meaningful Adoption appeared first on Chainalysis.  ( 14 min )

Summary The Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated four major Iranian cryptocurrency exchanges: Nobitex, Bitpin,… The post OFAC Sanctions Nobitex and Major Iranian Cryptocurrency Exchanges in Sweeping Evasion Crackdown appeared first on Chainalysis.

As you scale your use of Amazon Web Services (AWS), managing KMS keys becomes increasingly important. Whether you manage a handful of keys or thousands across multiple AWS accounts and AWS Regions, there’s often a need to audit key usage to help you meet compliance requirements, evaluate your risk posture, and optimize key management costs. […]

Software as a service (SaaS) providers building AI-powered applications on Amazon Bedrock AgentCore often need to serve multiple tenants with distinct security requirements from a shared infrastructure. Some tenants require cross-account access from their own Amazon Web Services (AWS) accounts, while others mandate that traffic stay within a private virtual private cloud (VPC) for regulatory […]

Planning documents for "Scout" say the plan is to "make people addicted" to the tool before adding new features.

The researchers compared AI to the near-sighted cartoon character Mr. Magoo, who can’t see he’s stumbling through dangerous situations.

The API would make IRS data available to any app the agency wishes. The Criminal Investigation arm of the IRS is also modernizing its own systems.

No content preview

OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack A malicious supply chain campaign has been stealing OpenAI Codex authentication tokens through a popular npm package called codexui-android, which draws over 29,000 weekly downloads by advertising itself as a legitimate remote web UI for Codex. Unlike typical typosquatting attacks, the exfiltration code was […] The post Infosec News Nuggets — June 2, 2026 appeared first on AboutDFIR - The Definitive Compendium Project.

Learn how I found this interesting bug Continue reading on InfoSec Write-ups »

A stock checker that pings an IP. A comment box that echoes your name. These simple features hide a terrifying truth: they might be… Continue reading on InfoSec Write-ups »

No content preview

No content preview

No content preview

No content preview

No content preview

Citizen Lab senior research fellow Jon Penney and co-author Bruce Schneier wrote an op-ed in The Conversation about chilling effects. The post Chilling Effects of Trump’s War on Free Speech Extend Far Beyond Campus Walls – And That’s the Point appeared first on The Citizen Lab.

Employees admitted to 404 Media they had cheated to climb the leaderboard's ranks.

The exploit shows the extreme risk of offloading technical support to AI.

Paragon's software is capable of remotely breaking into phones and accessing messages from encrypted messaging apps. Our lawsuit aims to pry records about it from ICE.

There are hundreds of anti-data center Facebook pages churning out AI-generated slopaganda.

Amazon Web Services (AWS) is pleased to announce that the Spring 2026 System and Organization Controls (SOC) 1, 2, and 3 reports are now available. The reports cover 188 services over the 12-month period from April 1, 2025–March 31, 2026, giving customers a full year of assurance. These reports demonstrate our continuous commitment to adhering […]

Signal Phishing Campaign Targets Journalists and Activists to Steal Backup Recovery Keys A targeted phishing campaign is sending text messages that impersonate Signal Support, urgently requesting users paste their 64-character backup recovery key into the chat. Unlike standard account takeovers that only expose future messages, stealing the recovery key gives attackers full access to the […] The post InfoSec News Nuggets — June 1, 2026 appeared first on AboutDFIR - The Definitive Compendium Project.

The community has been quietly building something powerful. I went and found it. Continue reading on InfoSec Write-ups »

No content preview

No content preview

The Scala team has partnered with the Open Source Technology Improvement Fund (OSTIF) to conduct its first security audit. This initiative aims to identify potential vulnerabilities through static and dynamic analysis and provide greater confidence in Scala. The security audit conducted by Quarkslab is particularly focused on Scala 3.

📖 [The CloudSecList] Issue 340 was originally published by Marco Lancini at CloudSecList on May 31, 2026.

A new study suggests that bacteria dispersed through space on dust grains could potentially arrive intact and alive on Jupiter’s moon Europa.

This week, we discuss going deeper and Google's search changes.

A new study by the Center for Democracy & Technology shows how chatbots like ChatGPT, Gemini, Replika and more can lead users down paths they didn't intend.

Swantje Lange spoke with the Hasso Plattner Institut about sophisticated surveillance campaigns being used to exploit mobile networks. The post Researchers Uncover Espionage in Mobile Networks appeared first on The Citizen Lab.

A CVSS 10.0 path traversal in UniFi Network Application lets unauthenticated attackers read controller backups, extract credentials, and take over every managed device on the network. Bishop Fox breaks down the attack paths, the preconditions, and a safe detection tool to check your exposure.

Carnival Cruise Confirms Data Breach Affecting Nearly 6 Million People Carnival Corporation, the world’s largest cruise line operator, began notifying nearly 6 million customers this week that their personal data was stolen in an April breach after attackers gained access to an employee account through a social engineering attack. The stolen data varies by individual […] The post InfoSec News Nuggets – 05/29/2026 appeared first on AboutDFIR - The Definitive Compendium Project.

AWS Network Firewall now supports native attachment to AWS Transit Gateway. Customers commonly use Transit Gateway to route traffic from Amazon Virtual Private Cloud (Amazon VPC) networks to a centralized inspection VPC (a VPC dedicated to hosting firewall endpoints for traffic inspection) where their network firewall endpoints are deployed. This centralized deployment model reduces the […]

Network administrators face a persistent challenge: maintaining domain blocklists and allowlists that keep pace with the internet. New websites and services emerge daily, and keeping these lists current requires constant manual updates that leave gaps in coverage. This challenge intensifies when managing access to rapidly evolving categories like AI services, where new tools launch on […]

Regretful cities aren't sure how to cancel their surveillance contracts, so they are literally covering their cameras.

No content preview

FBI Warns Silent Ransom Group Is Walking Into Law Firm Offices to Steal Data The FBI issued a fresh flash alert warning that Silent Ransom Group — also known as Luna Moth, Chatty Spider, and UNC3753 — has escalated its campaign against U.S. law firms by physically sending operatives into offices posing as IT support […] The post InfoSec News Nuggets – 05/28/2026 appeared first on AboutDFIR - The Definitive Compendium Project.

CASI Leaderboard, Bias Jailbreak, and Three Coordinated Supply Chain Incidents

These are the top threats you should know about this week.

This blog is a preview of our report, “The New Rails: How Digital Assets Are Reshaping the Foundations of Finance.”… The post The New Compliance Floor: Organizations are Adopting Stronger Than Ever Monitoring Practices appeared first on Chainalysis.  ( 15 min )

Summary The U.K.’s Foreign, Commonwealth and Development Office (FCDO) sanctioned 18 cryptocurrency exchanges, payment providers, and individuals for helping Russia… The post U.K. Sanctions 18 Entities and Persons for Evading Russian Trade Blockades appeared first on Chainalysis.  ( 12 min )

AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites Microsoft warned that attackers are adapting SEO poisoning techniques for AI-generated software recommendations, pushing users toward fake utility download sites that deploy ScreenConnect for persistence before launching cryptomining payloads. The campaign is a meaningful shift in social engineering surface area — users who have learned to […] The post InfoSec News Nuggets 05/27/2026 appeared first on AboutDFIR - The Definitive Compendium Project.

In real AI systems, bottlenecks don't disappear, they move. Learn about why inference placement, not raw compute, is the decisive infrastructure question.

May 26, 2026: This post was originally published in July 2022. It has been updated to reflect current engagement options, new threat intelligence resources such as the Threat Technique Catalog for AWS (TTC), additional open-source tools, and the distinction between AWS CIRT support and the AWS Security Incident Response managed service. Welcome back, or welcome […]

There have been multiple notable supply chain attacks using the npm Registry since September: Shai-Hulud, Chalk/Debug, one abusing tea.xyz tokens, and recently axios. Thanks to community efforts involving the Amazon Inspector team, the Open Source Security Foundation, and others, the affected packages were quickly flagged, which reduced the impact of these incidents. Supply chain attacks […]

Akamai Cloud introduces password-less provisioning and atomic customization. Align with Zero Trust by eliminating root passwords and hardening VMs at creation.

Sparkplug B is the dominant protocol in ICS and SCADA environments, but no public security fuzzer existed for it until now. Bishop Fox used AI-assisted development to build one from scratch, covering all 9 message types, 19 data types, and 87+ field paths from the full specification.

Iranian Hackers Deploy MiniFast and MiniJunk V2 via Phishing and SEO Poisoning Researchers tied a fresh Nimbus Manticore campaign to phishing and SEO poisoning targeting aviation, software, telecom, and oil and gas organizations across the U.S., Europe, and the Middle East, using fake career lures, trojanized Zoom and SQL Developer installers, and new backdoors called […] The post InfoSec News Nuggets 05/26/2026 appeared first on AboutDFIR - The Definitive Compendium Project.

Senior research associate Kate Robertson discusses the risks Bill C-22 poses for future data-sharing agreements with foreign law enforcement agencies. The post Trump Wants to Tap Your Phone. Ottawa Might Let Him. appeared first on The Citizen Lab.

📖 [The CloudSecList] Issue 339 was originally published by Marco Lancini at CloudSecList on May 24, 2026.

As far back as the early 1800s, the U.S. Department of the Treasury has issued economic sanctions to achieve foreign… The post OFAC and Crypto Crime: Every OFAC Specially Designated National with Identified Cryptocurrency Addresses appeared first on Chainalysis.  ( 28 min )

CVE-2026-0265 lets unauthenticated attackers forge a JWT and log in as any trusted user on CAS-enabled PAN-OS deployments. Bishop Fox built a detection tool that returns a definitive verdict from a single anonymous request, and breaks down exactly how the bug works and what to do about it.

A sanitization bypass in Strapi 4.0.0 through 5.36.1 lets unauthenticated attackers extract an admin's password reset token character by character and take over the account. With over 20,000 internet-facing hosts exposed, Bishop Fox breaks down how the exploit works and how to remediate it.

TrendAI Patches Apex One Zero-Day Exploited in the Wild TrendAI patched CVE-2026-34926, a directory traversal flaw in the on-premises version of Apex One that has been exploited in the wild, with successful abuse allowing an attacker to modify a key table and inject malicious code for deployment to managed agents. Exploitation requires access to the […] The post InfoSec News Nuggets 05/22/2026 appeared first on AboutDFIR - The Definitive Compendium Project.

The Akamai SIRT uncovered a custom P2P Trojan masquerading as system activity. Learn how to detect and mitigate this stealthy Go-based cryptominer.

The Akamai and Auth0 partnership secures identity at the edge by combining edge intelligence and adaptive authentication to stop fraud and enhance user trust.

Learn how the complex Drupal SQLi vulnerability (CVE-2026-9082) exploits PostgreSQL environments and its data theft risks — and how to ensure you’re protected.

We’re excited to announce that Amazon Web Services (AWS) has completed the S&P Global Know Your Third Party (KY3P) assessment of its security posture. This assessment demonstrates our continued commitment to meet the heightened expectations of cloud service providers. Customers can now use the AWS KY3P assessment to reduce their supplier due diligence burden. KY3P, […]

Managing identities and access across complex environments has become more critical than ever. AWS Directory Service for Managed Microsoft Active Directory, also known as AWS Managed Microsoft AD, has added new capabilities to manage users and groups. Now, you can perform create, read, update, and delete (CRUD) operations on users and groups directly through AWS […]

Highly Critical Drupal Core Flaw Exposes PostgreSQL Sites to RCE Attacks Drupal released security updates for CVE-2026-9082, a highly critical flaw affecting sites that use PostgreSQL databases, which can allow anonymous attackers to send crafted requests leading to SQL injection, information disclosure, privilege escalation, or remote code execution in some cases. Teams running Drupal should […] The post InfoSec News Nuggets 05/21/2026 appeared first on AboutDFIR - The Definitive Compendium Project.

Summary The Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned more than a dozen individuals and entities… The post OFAC Sanctions Sinaloa Cartel Fentanyl Trafficking and Crypto Laundering Network appeared first on Chainalysis.

Summary Criminals are increasingly turning to novel digital asset classes, like Bitcoin Ordinals and BRC-20 tokens, to generate and conceal… The post How Blockchain Intelligence Uncovered a Million-Euro Bitcoin Ordinals Tax Fraud Scheme appeared first on Chainalysis.  ( 13 min )

Agents have agency: they adapt and find multiple ways to solve problems. This autonomy creates a fundamental security challenge: the large language model (LLM) at the heart of the agent is non-deterministic, and its decisions can’t be predicted or guaranteed in advance. It can hallucinate harmful actions with complete confidence. It’s vulnerable to prompt injection […]

Our largest security services customers started the same way every customer does – with a click. They enabled Amazon GuardDuty, Amazon Inspector, AWS WAF, and AWS Security Hub, experienced the benefits in real time, and evaluated with transparent pay-as-you-go pricing. No RFP. No six-month evaluation. No multi-year commitment up front. Our field teams played a […]

These are the top threats you should know about this week.

GitHub Investigates Internal Repositories Breach Claimed by TeamPCP GitHub confirmed that roughly 3,800 internal repositories were accessed after an employee installed a malicious VS Code extension, in what appears to be a follow-on from the broader developer tooling supply chain attack activity seen this week. The company says it has no evidence that customer repositories, […] The post InfoSec News Nuggets 05/20/2026 appeared first on AboutDFIR - The Definitive Compendium Project.

No content preview

Sensor Intel Series: April 2026 CVE Trends

The AWS Customer Incident Response Team works with customers to help them recover from active security incidents. As part of this work, the team often uncovers new or trending tactics used by various threat actors that take advantage of specific customer configurations and designs. Understanding these tactics can help inform your architecture decisions, improve your […]

Organizations often struggle to enforce security and compliance requirements consistently across their cloud infrastructure. In one environment, a workload might be deployed in an AWS Region that was never approved for that class of data. In another, a security group might allow broader access than intended. Required tags might be missing. Encryption might be assumed […]

Nx Console VS Code Extension Compromised A compromised version of the Nx Console VS Code extension, version 18.95.0, was briefly published with malicious code targeting developer credentials, cloud tokens, CI/CD secrets, Kubernetes credentials, 1Password data, and AI coding assistant configuration files. The extension has more than 2.2 million installs, and the malicious version executed when […] The post InfoSec News Nuggets – 05/19/2026 appeared first on AboutDFIR - The Definitive Compendium Project.

An Optical Line Terminal (OLT) is the central device in a Fiber-To-The-Home (FTTH) network that connects and manages all customer connections, making it a critical control point in an ISP's infrastructure for delivering high speed Internet. This article uncovers how unauthenticated access to OLTs can lead to a full network takeover starting by exploiting exposed vulnerable devices, showing how to pivot into the cloud-based fleet manager using other vulnerabilities, and then compromising an ISP's entire infrastructure.

Discover CVE-2026-42945 (NGINX Rift), a critical heap buffer overflow vulnerability. Learn about the affected versions and critical patch updates.

📖 [The CloudSecList] Issue 338 was originally published by Marco Lancini at CloudSecList on May 17, 2026.

May 26, 2026: We’ve updated this post to reflect recommended core services. TL;DR for busy executives The AWS AI Security Framework helps security leaders move fast and stay secure with AI. Security compounds from day 1 as workloads evolve from prototype to production to scale. Assess first. Request a no-cost SHIP engagement to baseline your […]

No content preview

AWS IAM Identity Center provides a web-based access portal that gives your workforce a single place to view their AWS accounts and applications. With the recent launch of IAM Identity Center multi-Region replication, customers can replicate their IAM Identity Center instance across multiple AWS Regions to improve resilience and reduce latency for a globally distributed […]

Migrating your TLS endpoints to Post-quantum cryptography (PQC) starts with understanding your current TLS endpoint inventory and posture. This post introduces the PQC Readiness Scanner — an automated tool that inventories your Application Load Balancer (ALB), Network Load Balancer (NLB), and Amazon API Gateway endpoints and continuously monitors their TLS configurations for PQC readiness. The […]

Senior research associate Kate Robertson says Bill C-22 could lead to the rollout of forced metadata collection for messaging apps. The post Signal Warns It Would Pull Out of Canada if Made to Comply with Lawful Access Bill appeared first on The Citizen Lab.

Recent improvements in the capabilities of the edge network have created a smarter, more connected edge. These changes call for a reassessment of edge strategy.

If any of the MCP attack classes in this series happened in your environment today, would you detect it? Most MCP servers log only a tool name and a timestamp. This post walks through what that gap looks like in practice, how EchoLeak exploited it, and what proper audit logging actually requires.

This article guides you on how to use Amazon GuardDuty to identify and mitigate cryptocurrency mining threats in your Amazon Web Services (AWS) environment. You’ll learn about the specialized detection capabilities of GuardDuty and best practices to build a multi-layered defense strategy that protects your infrastructure costs and security posture. Understanding the crypto mining challenge […]

The financial services industry (FSI) is using AI to transform how financial institutions serve their customers. AI solutions can help proactively manage portfolios, automatically refinance mortgages when rates decrease, and negotiate insurance premiums for customers. However, this adoption brings new governance, risk, and compliance (GRC) considerations that organizations need to address. To help FSI customers […]

Amazon Web Services (AWS) is pleased to announce the successful completion of Payment Card Industry Personal Identification Number (PCI PIN) and PCI Point-to-Point Encryption (PCI P2PE) assessments for the AWS Payment Cryptography service. This assessment expands the AWS Payment Cryptography compliance portfolio, with AWS now validated as a component provider for Key Management (KMCP) and […]

Citizen Lab director Ron Deibert recently spoke at the OSCE Supplementary Human Dimension Meeting II on Safeguarding Civil Space in the Digital Age. The post Ron Deibert Speaks at the OSCE: Supplementary Human Dimension Meeting II appeared first on The Citizen Lab.

These are the top threats you should know about this week.

What if the MCP server itself is the attacker? Supply chain risk in MCP tools is structural, and the postmark-mcp and ClawHub compromises made it concrete. This post pairs those case studies with otto-support's selfpwn module to show exactly what a hostile MCP server can access the moment it runs.

Today, we’re excited to announce the preview release of full repository code review, a new capability in AWS Security Agent that performs deep, context-aware security analysis of your entire code base. AI-driven cybersecurity capabilities are advancing rapidly. AWS Security Agent can now find vulnerabilities and build working exploits across your entire code base at a […]

No content preview

Bishop Fox is releasing Joro, a collaborative web exploitation framework built almost entirely with AI. From intercepting proxy to C2 integration, this post covers how it was built, what it does, and what AI-assisted security tool development actually looks like in practice.

No content preview

📖 [The CloudSecList] Issue 337 was originally published by Marco Lancini at CloudSecList on May 10, 2026.

When an agent reads attacker-controlled content and acts on it using its own privileges, the user's name ends up on every audit log entry. From Microsoft Copilot to ConfusedPilot, this post walks through how confused deputy attacks work and the layered controls that help contain them.

Read the technical details of a security vulnerability (CVE-2026-34354) in Akamai Guardicore Platform Agent for Windows — and get clear guidance on mitigation.

Summary Crypto prediction markets use blockchain technology to create liquid platforms for forecasting and hedging real-world events, driving massive growth… The post Crypto Prediction Markets Explained: How the Blockchain Is Reshaping Forecasting appeared first on Chainalysis.

SSRF and token passthrough are not new, but MCP servers are reintroducing them at scale. From a chained SSRF-to-RCE in mcp-atlassian to Microsoft's MarkItDown and OpenClaw, this post walks through three recent disclosures and the controls that actually prevent them.

This article presents the structure of the Independent Guest Virtual Machine (IGVM) file format, a binary file designed to define and securely launch the initial state of a virtual machine. It bundles all necessary components such as the BIOS/OVMF, kernel, and initial ramdisk, into a single file. We'll focus on a concrete example to understand the main structure of the file format.

These are the top threats you should know about this week.

The Akamai State of AI Inference report captures real data from the field that describes how AI inference is being built and scaled in production today.

Read why Akamai was named the only Customers’ Choice in the 2026 Gartner Peer Insights Voice of the Customer for API Protection.

No content preview

AI agents connected to too many tools don't just create risk, they've already caused real damage. From deleted databases to mass-wiped mailboxes, excessive agency has a track record. This post breaks down what it looks like in practice and how role-aware tool registration can help contain it.

Bishop Fox researchers confirmed a critical pre-authentication SQL injection in LiteLLM proxy affecting versions 1.81.16 through 1.83.6. Attackers can exploit it without credentials, and it blends into normal logs. In-the-wild exploitation was observed within 36 hours of the advisory going public.

This blog is a preview of our report, “The New Rails: How Digital Assets Are Reshaping the Foundations of Finance.”… The post Where to Build: A Data-Driven Guide to Blockchain Infrastructure for TradFi Tokenization appeared first on Chainalysis.  ( 19 min )