
    PLEASE_READ_ME: The Opportunistic Ransomware Devastating MySQL Servers
    Guardicore Labs uncovers a Ransomware detection campaign targeting MySQL servers. Attackers use Double Extortion and publish data to pressure victims.
    The Nansh0u Campaign – Hackers Arsenal Grows Stronger
    In the beginning of April, three attacks detected in the Guardicore Global Sensor Network (GGSN) caught our attention. All three had source IP addresses originating in South Africa and hosted by VolumeDrive ISP (see IoCs).
    Threats Making WAVs - Incident Response to a Cryptomining Attack
    Guardicore security researchers describe and uncover a full analysis of a cryptomining attack, which hid a cryptominer inside WAV files. The report includes the full attack vectors, from detection, infection, network propagation and malware analysis and recommendations for optimizing incident response processes in data centers.
    The Oracle of Delphi Will Steal Your Credentials
    Our deception technology is able to reroute attackers into honeypots, where they believe that they found their real target. The attacks brute-forced passwords for RDP credentials to connect to the victim, download, and execute a previously undetected malware, which we named Trojan.sysscan.
    Keep Your Tech Flame Alive: Trailblazer Rachel Bayley
    In this Akamai FLAME Trailblazer blog post, Rachel Bayley encourages women to step into the unknown and to be their authentic selves.

    Infinite Campus - 137,123 breached accounts
    In March 2026, the student information system Infinite Campus was targeted in a ShinyHunters "pay or leak" extortion campaign. The group subsequently published data they alleged was taken from Infinite Campus, containing 137k unique email addresses along with names, phone numbers, physical addresses and support tickets. Infinite Campus subsequently sent notifications, advising that the exposed data largely consisted of "names and contact information for school staff" and that "the majority is directory information commonly found on school websites".


    ContinuumCon 2026 - Day 3

    📖 [The CloudSecList] Issue 342
    📖 [The CloudSecList] Issue 342 was originally published by Marco Lancini at CloudSecList on June 14, 2026.

    ContinuumCon 2026 - Day 2

    Scientists Discover Vast Ancient ‘Necropolis’ Teeming With Strange New Creatures
    A massive whale graveyard in the Indian Ocean contains the remains of hundreds of extinct whales dating back more than five million years, along with recent carcasses that support hotspots of seafloor life.


    ContinuumCon 2026 - Day 1
    Payload Podcast 008 - Ryan Hausknecht

    Attacking AI Video Processing | Patrick Double

    Canada Finally Has a National AI Strategy. Experts Hate It.
    Senior fellow Cynthia Khoo writes that “pillars core to a functioning democracy are [being] reoriented around the false god of AI” in The Walrus.  The post Canada Finally Has a National AI Strategy. Experts Hate It. appeared first on The Citizen Lab.
    Who Watches the Watchers?
    Citizen Lab director Ron Deibert spoke to Politiken about the spyware industry, calling it “a symptom that something is fundamentally wrong.”  The post Who Watches the Watchers? appeared first on The Citizen Lab.
    Luis Fernando García On State Surveillance in Latin America
    Senior researcher Luis Fernando García participated in a Conversatorio Regional hosted by CELS, ODIA, Democracia en Red, and Vía Libre. The post Luis Fernando García On State Surveillance in Latin America appeared first on The Citizen Lab.

    ‘You Will Not Speak on Flock Tonight’: County Commissioner Refuses to Let Residents Opposing Flock Speak at Meeting
    "I’ve spoken. I’m not debating this."
    Behind the Blog: World Cup Madness and Film Reviews
    This week, we discuss Trump fucking up the World Cup, some thoughts on ICE coverage, and movies.

    Stolen iPhones could soon be worth a lot less to thieves
    Apple and the Met Police are working together to make stolen iPhones harder to reset, resell, and profit from.
    Fake verification pages are stealing Steam accounts from players
    A convincing fake FACEIT verification page is stealing Steam accounts by using a fake login window that looks completely legitimate.

    Infosec News Nuggets — June 12, 2026
    Microsoft June 2026 Patch Tuesday Fixes 6 Zero-Days, 200 Flaws Microsoft’s June 2026 Patch Tuesday addressed a staggering 200 vulnerabilities, including five publicly disclosed zero-days and one being actively exploited in the wild. Among the most severe is CVE-2026-45657, a wormable Windows Kernel RCE rated CVSS 9.8 that allows remote, unauthenticated attackers to execute code […] The post Infosec News Nuggets — June 12, 2026 appeared first on AboutDFIR - The Definitive Compendium Project.

    IEEE Victoris 4.0 — CTF 2025 — Quals DFIR Challenges
    DVWA Cheat Sheet (Low & Medium)
    How I Built a SOAR Automation in Microsoft Sentinel That Responds to Attacks Without a Single Click
    Six levels, one lesson: LLMs cannot keep a secret
    Recovering a Forgotten Password in a Self-Hosted n8n Docker Deployment
    Learn how to recover complete access to a self-hosted n8n Docker deployment when password reset emails fail.
    Header Manipulation: Bypasses, Probing, and the Security Audit Nobody Does
    Beyond the Patch: Understanding the SonicWall SSL-VPN MFA Bypass Exposure
    I Simulated an SSH Brute-Force Attack on My Ubuntu Server — Here’s How Fail2Ban Stopped It
    Building a simple attack lab to understand how Fail2Ban detects and blocks repeated SSH login attempts.


    Drupal Core CVE-2026-9082 Active Exploitation Confirmed Within Days of Disclosure
    Sensor Intel Series: June 2026 CVE Trends

    Global Law Enforcement Dismantles ‘AudiA6’ Crypto Laundering Network Linked to Ransomware Gangs
    Summary An international coalition of law enforcement agencies, including the U.S. DOJ, Secret Service, Europol, CBZC, and others, dismantled “AudiA6,”… The post Global Law Enforcement Dismantles ‘AudiA6’ Crypto Laundering Network Linked to Ransomware Gangs appeared first on Chainalysis.

    Software Update Automatically Turns off Amazon Delivery Drivers’ AC During Dangerous Summer Heat
    A new software update is turning off the AC in Amazon delivery vans after 10 minutes or 30 seconds under certain conditions.
    Amazon Data Centers In Mississippi Have Already Raised Electricity Rates for Local Customers, Report Suggests
    Three Amazon data centers aren't even open yet, but local residents are already paying at least $10.60 extra per month for them, according to a new study.
    Flock Leaked Cops’ License Plate Searches via DuckDuckGo, Bing
    Flock, the automatic license plate reader (ALPR) company, exposed some of the license plate cops were looking for and the reason for doing so.
    Chatbots Keep Telling Stories About Lighthouse Keeper 'Elias Thorne'. We Might Know Why
    LLMs including ChatGPT, Gemini and Claude are obsessed with telling stories about lighthouse keepers and clockmakers, and one character named 'Elias Thorne' has made his way from chatbots to Amazon books. Researchers are trying to discover why.

    AI Security: explanation to Exploitation || Part 1
    Chaining Stored XSS and CSRF in Typemill CMS: A Deep Dive into Attribute Injection

    Google can be liable for false AI Overviews, court rules
    "AI can make mistakes" isn't a good enough legal defense for defamatory or incorrect AI Overviews, a German court has ruled.
    VRChat says reported data breach never happened
    We explain what data was exposed, the potential risks, and the steps you should take now.
    Children’s phones must block nude images by September, UK says
    Apple and Google have three months to block nude images on children's phones. They're not allowed to collect any data while they do it.

    Enabling Proper PCI Testing with Internal Penetration Tests
    PCI DSS v4.0.1 made internal penetration testing more complex, bringing cloud infrastructure, SaaS apps, and build pipelines explicitly into scope. Derek Rush breaks down how to scope a compliant IPT, what to test, and what a QSA-ready deliverable actually looks like in practice.

    Infosec News Nuggets — June 11, 2026
    ServiceNow tells customers a bug left some of their data exposed to the internet Cloud platform giant ServiceNow has notified enterprise customers that a software bug was allowing unauthenticated users to access data stored in customer instances without requiring credentials. The flaw, patched on June 5, was caused by an API endpoint configured with authentication […] The post Infosec News Nuggets — June 11, 2026 appeared first on AboutDFIR - The Definitive Compendium Project.


    University of Nottingham - 454,635 breached accounts
    In June 2026, the University of Nottingham was the target of a cyber attack, later linked to a ShinyHunters "pay or leak" extortion campaign. Tens of gigabytes of data were subsequently published online and included 455k unique email addresses along with extensive personal information including names, addresses, phone numbers, ethnicities, disabilities, passport numbers and information relating to academic enrolments and fee payments. In a post about the incident, the university advised that the breach affected both "current students, and alumni".

    Ron Deibert Speaks About “Greek Watergate”
    Citizen Lab director Ron Deibert gave a keynote speech about the Greek spyware scandal at an event hosted by Eteron think tank in Athens in May. The post Ron Deibert Speaks About “Greek Watergate” appeared first on The Citizen Lab.

    Weekly Threat Bulletin – June 10th, 2026
    These are the top threats you should know about this week.

    Free Spotify Premium hacks on social media are spreading infostealers
    Cybercriminals are turning TikTok and Instagram Reels into malware delivery platforms, using free software tutorials to spread infostealers.
    Microsoft’s biggest-ever Patch Tuesday fixes 206 bugs, including 3 zero-days
    June 2026 is the largest Patch Tuesday in history, fixing 206 vulnerabilities and three publicly disclosed zero-days.
    88% of people struggle to tell what’s real online
    As AI-generated scams, deepfakes, and impersonation spread, a new Malwarebytes report finds people increasingly unsure what to trust online.

    Turn specs into evals for any agent with ASSERT
    Adaptive Spec-driven Scoring for Evaluation and Regression Testing (ASSERT) is an open-source framework for converting natural language behavior requirements into executable evaluations of AI models and agents. The post Turn specs into evals for any agent with ASSERT appeared first on Microsoft Security Blog.

    Scientists Just Accidentally Discovered a Strange, Hidden Rule of Human Nature
    Researchers report a "serendipitous" discovery while watching videos of crowds: an inexplicable bias toward counterclockwise turning that may be rooted in biology.
    Podcast: Google Employees Meme About How Bad Their AI Is
    Memes at Google; Microsoft wants to make its new AI assistant addictive; and manipulating Reddit.
    Cops Keep Getting Arrested for Using Flock to Stalk People
    There have been more than a dozen cases around the country where police use Flock to obsessively and illegally stalk people.

    AI Security at Machine Speed: A Roadmap for Modern AppSec
    With AI API calls set to grow 1,000x by 2027, you need a roadmap to secure your enterprise against agentic threats.

    Infosec News Nuggets — June 10, 2026
    Self-replicating Miasma worm hits 73 Microsoft GitHub repositories in supply chain attack The Miasma worm has reached Microsoft’s own GitHub repositories, forcing GitHub to disable 73 repos across Azure, Azure-Samples, Microsoft, and MicrosoftDocs after the worm planted malicious code designed to harvest developer credentials. The attack exploited previously compromised contributor credentials — the same account […] The post Infosec News Nuggets — June 10, 2026 appeared first on AboutDFIR - The Definitive Compendium Project.


    Chainalysis and the Korean National Police Agency (KNPA) Sign MoU to Strengthen Virtual Asset Investigation Capabilities
    In April 2026, Chainalysis signed a Memorandum of Understanding (MoU) with the Korean National Police Agency (KNPA) to deepen cooperation… The post Chainalysis and the Korean National Police Agency (KNPA) Sign MoU to Strengthen Virtual Asset Investigation Capabilities appeared first on Chainalysis.
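    Chainalysis and the Korean National Police Agency (KNPA) Sign Memorandum of Understanding (MoU) to Strengthen Digital Asset Investigation Capabilities
    Today, Chainalysis signed a memorandum of understanding (MoU) with the Korean National Police Agency (KNPA) to strengthen cooperation on digital asset crime investigations. Under this agreement, training, certification, hands-on investigation programs… The post Chainalysis and the Korean National Police Agency (KNPA) Sign Memorandum of Understanding (MoU) to Strengthen Digital Asset Investigation Capabilities appeared first on Chainalysis.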
    The Hidden Code Problem: How Unverified Smart Contracts Are Becoming a Preferred Target for Attackers
    Summary In the last six months, at least $36.7 million has been stolen from protocols whose source code was never… The post The Hidden Code Problem: How Unverified Smart Contracts Are Becoming a Preferred Target for Attackers appeared first on Chainalysis.

    Submission to the Standing Senate Committee on National Security, Defence and Veterans Affairs of Bill C-8
    On May 25, senior research associate Kate Robertson appeared before SECD to testify on Bill C-8. The post Submission to the Standing Senate Committee on National Security, Defence and Veterans Affairs of Bill C-8 appeared first on The Citizen Lab.

    Black Hat Stories | Jessica Oppenheimer, Director, SOC Integrations, Splunk Security

    The June 2026 Security Update Review
    I’ve made it through Pwn2Own Berlin, had a little vacation, and now I’m back for Patch Tuesday. Microsoft and Adobe didn’t disappoint. In fact, they have heralded my return with the largest Patch Tuesday release ever. Thanks? Take a break from your regularly scheduled activities and let’s take a look at the latest security patches from Adobe and Microsoft. If you’d rather watch the full video recap covering the entire release, you can check it out here: Adobe Patches for June 2026 For May, June released 11 bulletins addressing 123 unique CVEs in Adobe Acrobat Reader, ColdFusion, Experience Manager, Experience Manager Forms, InDesign, InCopy, Substance 3D Sampler, Content Credentials SDK, Dreamweaver, Format Plugins, and Adobe Campaign Classic. A total of 11 of these CVEs were reported thro…

    Reconstructing AI activity in investigations
    Learn how to investigate AI activity in Microsoft 365 Copilot and Azure AI services using a structured, telemetry-driven approach. This playbook helps security teams reconstruct events, assess data exposure, and detect potential threats faster. The post Reconstructing AI activity in investigations  appeared first on Microsoft Security Blog.

    No Way Out? C2 Through AWS Data Perimeter via Bedrock-AgentCore - Dan Gansel

    FCC Wants to Kill Burner Phones By Forcing Telecoms to Get All Customers’ IDs
    The FCC wants to legally force telecoms to collect new and renewing customers’ government issued identity number and physical address, impacting everyone from the privacy-conscious to domestic abuse survivors. “We never thought that would happen here.”
    Judge Learns Lawyers on Both Sides of Case Used AI, Cancels Trial, Kicks Everyone Off the Case
    When two AIs argue against each other, the legal system loses.
    'Sloppenheimer:' Amazon Employees Mock the Company’s AI on Slack
    Amazon employees have a Slack channel for memes where they mock and commiserate about the company’s faulty AI coding product.

    Meta’s face-recognition code raises new concerns about smart glasses
    As smart glasses become more capable, concerns about face recognition, covert recording, and biometric surveillance are growing.
    Scammers love Meta, according to Lloyds Bank
    Facebook, Instagram, and WhatsApp account for more than two thirds of fraud reports made by Lloyds customers.
    Update Chrome: Google patches actively exploited vulnerability and 73 others
    Google's latest Chrome update fixes 74 security vulnerabilities, including one under active attack.

    Mythos Doesn't Deploy Itself
    AI is raising the ceiling for skilled researchers and flooding bug bounty programs with polished but inaccurate submissions at the same time. Both things are true, and the reconciling variable is the harness built around the model and the expertise of the person driving it.

    Infosec News Nuggets — June 9, 2026
    Critical Check Point VPN Flaw Exploited to Bypass Passwords in IKEv1 Setups — Check Point disclosed active exploitation of CVE-2026-50751 (CVSS 9.3), a logic flaw in certificate validation affecting Remote Access VPN and Mobile Access deployments using the deprecated IKEv1 protocol. The bug lets an unauthenticated remote attacker establish a VPN session without a valid […] The post Infosec News Nuggets — June 9, 2026 appeared first on AboutDFIR - The Definitive Compendium Project.


    Extending LLVM's BOLT-based Binary Analyser to Validate Stack Variable Initialisation
    The Open Source Technology Improvement Fund (OSTIF) commissioned Quarkslab to extend the BOLT-based static binary analyser in LLVM to support additional compiler flags for security hardening. This work resulted in the first iteration of a scanner for validating the implementation of -ftrivial-auto-var-init.

    You Used to Call Me On My Shell Phone | Jacob Swinsinski

    ICYMI: May 2026 @AWS Security
    Read all about the latest AWS security features, compliance updates, and hands-on resources in our new, monthly digest posts. You’ll find expert blog posts, new service capabilities, code samples, and workshops. AWS Security Blog posts This month’s AWS Security Blog posts covered AI security, network protection, identity management, compliance frameworks, and supply chain security. Read […]
    Operationalizing AWS security: A maturity roadmap
    Enabling security tooling is the starting point. Making it operational—where findings drive decisions, response times are measurable, and your security posture improves week over week—is where most organizations struggle. This blog post provides a phased maturity roadmap for organizations that have already enabled AWS Security Hub and Amazon GuardDuty. These two services form the foundation […]

    This Company Will Add Phone, AirPod, and Smartwatch Trackers to License Plate Readers
    SignalTrace “links devices that regularly travel together, correlating them to license plate.” It is a surveillance product that will sweep up and add all sorts of Bluetooth and other data to license plate readers, linking specific devices—and people—to cars.
    Microsoft Hacked to Deliver Malware to Claude and Gemini Users
    Microsoft took the highly unusual step of shutting down more than 70 of its own GitHub repositories after hackers pushed malware that would steal credentials from AI coding agent users.

    AI brands as bait: How threat actors are using the AI hype in social engineering
    As threat actors operationalize AI to accelerate attacks, they are also leveraging the wider global interest around AI itself as a social engineering lure. The post AI brands as bait: How threat actors are using the AI hype in social engineering appeared first on Microsoft Security Blog.

    Americans lost nearly $900 million to AI-powered scams, FBI says
    Deepfakes, voice cloning, and other AI-powered scams cost Americans nearly $900 million in 2025, says the 2025 FBI Internet Crime Report.
    Pirated PC games are delivering password-stealing malware
    Cybercriminals are hiding malware in cracked and repacked games, infecting more than 400,000 devices worldwide.
    A week in security (June 1 – June 7)
    A list of topics we covered in the week of June 1 to June 7 of 2026

    Infosec News Nuggets — June 8, 2026
    New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare — Security researchers at Calif have disclosed a novel denial-of-service technique, dubbed the HTTP/2 Bomb, that weaponizes two well-known mechanisms — HPACK header compression and Slowloris-style connection holding — in a previously unseen combination. Rather than stuffing large values into the […] The post Infosec News Nuggets — June 8, 2026 appeared first on AboutDFIR - The Definitive Compendium Project.

    Your Origin Server Might Be Your Most Expensive Decision

    Get One Step Ahead at Black Hat 🚀

    Baker Distributing - 102,935 breached accounts
    In May 2026, the HVAC/R wholesale distributor Baker Distributing Company was added to the ShinyHunters data extortion group's "pay or leak" site. In early June, the group publicly published data they claimed had been obtained from Baker's SharePoint and Salesforce infrastructure including 103k unique email addresses along with names, physical addresses, phone numbers and tickets relating to the company's HVAC contractor customer base. The exposed data was largely corporate contact and support information with limited sensitivity.


    📖 [The CloudSecList] Issue 341
    📖 [The CloudSecList] Issue 341 was originally published by Marco Lancini at CloudSecList on June 07, 2026.

    JHT Course Launch! Windows Maldev 6

    AI Beyond Triage and Hunting | Chris Botelho

    Building secure B2C applications with fine-grained access control using Amazon Cognito and Amazon Verified Permissions
    Modern web applications require robust security controls to protect user data and application resources. Authentication and authorization are two fundamental pillars of application security that answer critical questions: Who are you? and What are you allowed to do? Implementing these controls correctly can be challenging for developers, especially when building data-intensive applications with frameworks like […]

    Securing CI/CD in an agentic world: Claude Code Github action case
    Microsoft Threat Intelligence identified a prompt injection pathway in Claude Code GitHub Action that allowed access to workflow secrets under specific conditions. This research examines the attack chain, responsible disclosure process, Anthropic's mitigation, and guidance for securing AI-powered CI/CD workflows. The post Securing CI/CD in an agentic world: Claude Code Github action case appeared first on Microsoft Security Blog.

    Inside the Black Hat community 💻

    Popping Root on UniFi OS Server: Unauthenticated RCE Chain Detection & Analysis
    A three-part vulnerability chain in UniFi OS Server lets an unauthenticated attacker bypass the auth gateway, hit a command injection sink, and escalate to root in a single request. Bishop Fox confirmed the chain end to end and breaks down the attack, the impact, and how to detect it safely.

    Infosec News Nuggets — June 5, 2026
    Hackers Spied on a Stock Exchange Executive’s Outlook Mailbox for Five Months Unknown attackers spent at least five months quietly inside the Outlook mailbox of a senior executive at a major global stock exchange, exfiltrating the inbox in small, repeated batches and routing the stolen data through Dropbox and OneDrive so the traffic blended in […] The post Infosec News Nuggets — June 5, 2026 appeared first on AboutDFIR - The Definitive Compendium Project.

    AI: Threat, tool, or both?
    Public concern about AI is rising. We look at what's driving it, and why cybersecurity occupies a unique place in this debate.

    BCD Travel - 396,313 breached accounts
    In May 2026, the corporate travel management company BCD Travel was claimed as a victim of the ShinyHunters "pay or leak" extortion campaign. Data allegedly obtained from BCD was subsequently published publicly in early June and contained 396k unique email addresses. Other exposed data included names, addresses, phone numbers, job titles and employer names, spanning a variety of different data sets including leads, internal staff and support tickets.


    From prompt to pwned: chaining LLM and web bugs to Admin
    During a Red Team exercise we were able to chain multiple LLM and web-based vulnerabilities to achieve admin account takeover from a low-privileged account. Trusting the LLM turned out to be the first falling domino of a long chain of events that led to complete compromise. In this article we describe how it went down.

    Amazon Cognito unlocks advanced capabilities with next-generation infrastructure
    Amazon Cognito recently introduced high-throughput performance for demanding workloads, customer-managed keys for full control over data encryption at rest, and multi- Region replication for business continuity improvement. These capabilities were made possible through a next-generation storage infrastructure designed for extensibility and scale. To deliver this, we migrated hundreds of millions of user profiles, and you […]
    Gain visibility into DDoS attacks with flow logs in AWS Shield Advanced
    Reconstructing distributed denial of service (DDoS) attack traffic used to mean combining data from multiple sources after the fact. AWS Shield Advanced attack flow logs change that—they capture traffic metadata during attacks so you can pinpoint sources, verify mitigations, and feed your existing analysis pipelines. Shield publishes logs to Amazon Simple Storage Service (Amazon S3), […]
    Customize federated sign-in with new Amazon Cognito Lambda trigger
    You can use Amazon Cognito user pools to add sign-up and sign-in functionality to your web and mobile applications. You can authenticate users directly with Amazon Cognito managed accounts using passwords, passwordless flows, or custom authentication flows, or let users federate in through external identity providers (IdP) using SAML, OpenID Connect, or social providers such […]

    Black Hat Europe 2025 | From Live Exploitation to Zero-Day Discovery: Investigating Attacks on Gogs
    Black Hat Europe 2025 | Network Operations Center (NOC) Report
    Black Hat Europe 2025 | Weaponizing Image Scaling Against Production AI Systems

    Updating the taxonomy of failure modes in agentic AI systems: What a year of red teaming taught us
    A surge in real-world attacks against agentic AI systems is reshaping how we think about risk. Based on 12 months of red teaming, this update introduces seven new failure modes, from supply chain compromise to goal hijacking, and the practical mitigations teams need now. The post Updating the taxonomy of failure modes in agentic AI systems: What a year of red teaming taught us  appeared first on Microsoft Security Blog.

    NSDI '26 - Geminet: Learning the Duality-based Topology-Agnostic Update Operator for Lightweight...
    NSDI '26 - Skyline: A Cloud Centric Internet Monitoring Engine

    BIG SHOW TODAY & AI vibes

    Putting CLIMATE into Practice: Building an Inventory Management Plan

    The $100 Million Crypto “Looksmaxxing” Boom: How Chinese Cartel Suppliers Pivoted to the Gray-Market Peptide Ecosystem
    Summary A $100 Million Shadow Economy: The on-chain gray-market peptide industry has experienced a breakout, surging past a $100 million… The post The $100 Million Crypto “Looksmaxxing” Boom: How Chinese Cartel Suppliers Pivoted to the Gray-Market Peptide Ecosystem appeared first on Chainalysis.

    Travel scams are everywhere. Here’s how to avoid them
    Learn how to spot travel scams, avoid risky bookings, and keep your personal information out of the wrong hands.
    Meta’s AI support bot happily handed Instagram accounts to hackers
    Hackers convinced an AI support bot to hand over Instagram accounts by changing recovery email addresses.

    Infosec News Nuggets — June 4, 2026
    The Worst Hacks and Breaches of 2026 (So Far) Halfway through what’s shaping up to be a brutal year for cybersecurity, a comprehensive roundup catalogs the most damaging digital incidents of 2026, including DOGE’s alleged upload of a live Social Security database to an unsecured server, Iranian state-backed hackers remotely wiping tens of thousands of […] The post Infosec News Nuggets — June 4, 2026 appeared first on AboutDFIR - The Definitive Compendium Project.


    Black Hat Europe 2025 | The Post-NVD Era: A Call for Global CVE Decentralization
    Why leaders in cybersecurity keep coming back to Black Hat

    DentaQuest - 2,553,599 breached accounts
    In May 2026, the dental benefits administrator DentaQuest was the target of a ShinyHunters "pay or leak" extortion campaign that resulted in the group publicly publishing hundreds of gigabytes of data allegedly obtained from the company. The data included 2.6M unique email addresses along with names, addresses and phone numbers. Much of the data appeared in healthcare enrollment files (ASC X12 transaction sets) with some containing Medicaid IDs, while additional data appeared in member records and related files. DentaQuest acknowledged "a cybersecurity incident involving unauthorized access to a limited portion of our network", and advised they had contained the attack and mitigated the threat.

    Topic Bridge
    CASI leaderboard shifts, and two incidents where AI was handed the keys.
    Weekly Threat Bulletin – June 3rd, 2026
    These are the top threats you should know about this week.

    NSDI '26 - Heuristic Analysis from Source Code via Symbolic-Guided Optimization

    "Practical Android Software Protection in the Wild" - An Appetizer
    This article describes the main software protection techniques used in Android applications, organized around a taxonomy covering environment checks, obfuscation, and program loading abuse. It presents the results of a large-scale analysis of nearly 2.5 million Android apps, studying how widely these protections are adopted across different markets, app categories, and malware samples.

    We found this fake-invoice campaign while scammers were still building it
    Invoices pretending to be from Amazon, PayPal, and others reveal how criminals use fear and phone calls to steal money and devices.
    Keep getting calls from questionable numbers? Meet Scam Number Check
    Scam Number Check lets you quickly check whether a number has been linked to scams before you call back, share information, or send money.
    Infostealers are becoming the go-to phishing payload
    Cybercriminals prefer infostealers to traditional phishing techniques because they reduce friction, scale well, and are widely available.  ( 22 min )
  • Open

    Are ANY hacking scenes actually good?
  • Open

    Otto Support - Testing MCP Servers
    MCP servers introduce a new attack surface, but the security fundamentals are familiar. In this final otto-support post, we use nmap, a Nuclei template, and MCP Inspector to discover, enumerate, and exploit an authorization gap without ever touching an LLM.
  • Open

    Optimize AI Inference: Real-Time NodeBalancers Metrics for AI Workloads
  • Open

    Agentic Payments Cross the Threshold: Inside x402’s Path to Meaningful Adoption
    This blog is a preview of our report, “The New Rails: How Digital Assets Are Reshaping the Foundations of Finance.”… The post Agentic Payments Cross the Threshold: Inside x402’s Path to Meaningful Adoption appeared first on Chainalysis.
    OFAC Sanctions Nobitex and Major Iranian Cryptocurrency Exchanges in Sweeping Evasion Crackdown
    Summary The Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated four major Iranian cryptocurrency exchanges: Nobitex, Bitpin,… The post OFAC Sanctions Nobitex and Major Iranian Cryptocurrency Exchanges in Sweeping Evasion Crackdown appeared first on Chainalysis.
  • Open

    Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign
    A large-scale npm supply chain attack compromised over 90 versions of @redhat-cloud-services packages, silently infecting CI/CD environments and developer systems. The malicious code steals credentials from GitHub, cloud platforms, and local machines, then spreads like a worm by republishing trusted packages. Discover how the attack works, what data is at risk, and the steps you can take to protect your organization. The post Preinstall to persistence: Inside the Red Hat npm Miasma credential-stealing campaign appeared first on Microsoft Security Blog.
  • Open

    When One Vulnerability Cascades Across Cloud Infrastructure - Albin Vattakattu & Ryan Nolette
    Barbarians at the Gate: Visualizing and Blocking SDLC Infrastructure Threats with SITF - S Berkovich
    Transforming Security Incident Metadata to Security Outcomes - Cydney Stude & Steve de Vera
    A Hero’s Guide to Building a Cloud Security Program Without a 20-Person Guild - Steve Turner
    Schrödinger’s Detection: Finding the "Zombie" Rules in Your SIEM - Gowthamaraj
    Beyond the Checkbox: What Breaks When You Actually Stress-Test Cloud Incident Response - M Harvey
    Do Apps Have Imposter Syndrome? Unmasking Token Theft Campaigns - Shahar Dorfman & Sapir Federovsky
    One Architectural Sin, Two Clouds, and a Universal Attack Technique for Data Hijacking - Yahav
    Artificial Intelligence 🤝 Natural Stupidity - Brandon Sherman
    Beyond the Perimeter: Retrofitting VPC-SC at Enterprise Scale - Priya Puranik & Akshay Mahajan
    Data Perimeters: Beyond the Marketing - Matt Luttrell
    Paying More for Worse Security: An AWS Marketplace Horror Story - Corey Quinn

  • Open

    NSDI '26 - Co-Designing Traffic Control with NVMe-oF for Disaggregated Storage: A Comparative Study
    NSDI '26 - A Composable Emulation Framework for Whitebox Switches
    USENIX Security '24 - Inference of Error Specifications and Bug Detection Using Structural...
    NSDI '26 - Defending against Traffic Analysis Attacks with Flexible In-Network Obfuscation
  • Open

    Black Hat Europe 2025 | You Win Some, You CheckSum: A Kerberos Delegation Vulnerability
  • Open

    Identify unused AWS KMS keys and prevent accidental key deletions
    As you scale your use of Amazon Web Services (AWS), managing KMS keys becomes increasingly important. Whether you manage a handful of keys or thousands across multiple AWS accounts and AWS Regions, there’s often a need to audit key usage to help you meet compliance requirements, evaluate your risk posture, and optimize key management costs. […]
    Secure multi-tenant AI agents with Amazon Bedrock AgentCore resource-based policies
    Software as a service (SaaS) providers building AI-powered applications on Amazon Bedrock AgentCore often need to serve multiple tenants with distinct security requirements from a shared infrastructure. Some tenants require cross-account access from their own Amazon Web Services (AWS) accounts, while others mandate that traffic stay within a private virtual private cloud (VPC) for regulatory […]
  • Open

    Microsoft Build 2026: Securing code, agents, and models across the development lifecycle
    Discover how Microsoft enables fast, secure AI development with MDASH and new security capabilities. The post Microsoft Build 2026: Securing code, agents, and models across the development lifecycle appeared first on Microsoft Security Blog.
  • Open

    I made AI agents apply for my Security Team. Then I gave the agents access to AWS. - Cole Horsman
    Observing Escalation Paths in Kubernetes - William Taylor
  • Open

    Highlights from the Akamai India Partner Summit 2026
  • Open

    Infosec News Nuggets — June 2, 2026
    OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack A malicious supply chain campaign has been stealing OpenAI Codex authentication tokens through a popular npm package called codexui-android, which draws over 29,000 weekly downloads by advertising itself as a legitimate remote web UI for Codex. Unlike typical typosquatting attacks, the exfiltration code was […] The post Infosec News Nuggets — June 2, 2026 appeared first on AboutDFIR - The Definitive Compendium Project.
  • Open

    A Hacker's Way of Thinking (with Ted Harrington)

  • Open

    NSDI '26 - Syntra: Synthesizing Cross-Layer Controllers for Low-Latency Video Streaming
    NSDI '26 - Net-P4ct: Enhanced WAN Bandwidth Fair Sharing Using P4 Programmable Switches
    NSDI '26 - KRAKENGUARD: Towards Fine-Grained eBPF Isolation
    NSDI '26 - OneSidedMW: Managing Disaggregated Memory Efficiently, Flexibly, and Securely with RNIC
    NSDI '26 - Cost-effective and Reliable Global Internet Peering with Programmable Switches
    NSDI '26 - Medley: Optimizing Midgress Bandwidth for Commercial Live Streaming CDNs
    NSDI '26 - HeteCCL: Synthesizing Near-Optimal Collective Communication Schedules for Heterogeneous
    NSDI '26 - Mitigating CPU Frontend for Complex Data Plane Applications
  • Open

    Chilling Effects of Trump’s War on Free Speech Extend Far Beyond Campus Walls – And That’s the Point
    Citizen Lab senior research fellow Jon Penney and co-author Bruce Schneier wrote an op-ed in The Conversation about chilling effects. The post Chilling Effects of Trump’s War on Free Speech Extend Far Beyond Campus Walls – And That’s the Point appeared first on The Citizen Lab.
  • Open

    Spring 2026 SOC 1, 2, and 3 reports are now available with 188 services in scope
    Amazon Web Services (AWS) is pleased to announce that the Spring 2026 System and Organization Controls (SOC) 1, 2, and 3 reports are now available. The reports cover 188 services over the 12-month period from April 1, 2025–March 31, 2026, giving customers a full year of assurance. These reports demonstrate our continuous commitment to adhering […]
  • Open

    A Linux Backdoor is For Sale on the Dark Web
  • Open

    InfoSec News Nuggets — June 1, 2026
    Signal Phishing Campaign Targets Journalists and Activists to Steal Backup Recovery Keys A targeted phishing campaign is sending text messages that impersonate Signal Support, urgently requesting users paste their 64-character backup recovery key into the chat. Unlike standard account takeovers that only expose future messages, stealing the recovery key gives attackers full access to the […] The post InfoSec News Nuggets — June 1, 2026 appeared first on AboutDFIR - The Definitive Compendium Project.
  • Open

    Edmunds - 177,860 breached accounts
    In January 2026, the automotive research and car-shopping platform Edmunds was listed by the ShinyHunters hacking group as having been breached. Data purportedly obtained in the incident was later published publicly and included 178k unique email addresses, usernames, passwords, IP addresses, phone numbers and vehicle-related records.

  • Open

    Scala Security Audit
    The Scala team has partnered with the Open Source Technology Improvement Fund (OSTIF) to conduct its first security audit. This initiative aims to identify potential vulnerabilities through static and dynamic analysis and provide greater confidence in Scala. The security audit conducted by Quarkslab is particularly focused on Scala 3.

  • Open

    Atlas Menu - 63,926 breached accounts
    In May 2026, the GTA V and CS2 cheat service Atlas Menu suffered a data breach. An attacker claimed to have gained access to all Atlas systems and published the service's database to a public GitHub repository. The incident exposed 64k unique email addresses along with usernames, IP addresses, support tickets and passwords stored as bcrypt hashes.
  • Open

    📖 [The CloudSecList] Issue 340
    📖 [The CloudSecList] Issue 340 was originally published by Marco Lancini at CloudSecList on May 31, 2026.
  • Open

    ContinuumCon Teaser: solst/ice, Zack Korman, & Spencer Alessi!!
  • Open

    Malicious npm packages abuse dependency confusion to profile developer environments
    A dependency confusion campaign leveraged 33 malicious npm packages to collect reconnaissance data from developer and build environments. This report details the attack chain, observed tradecraft, and detection opportunities to help organizations identify and disrupt related activity. The post Malicious npm packages abuse dependency confusion to profile developer environments appeared first on Microsoft Security Blog.

  • Open

    Unmasking Romance Scams with OSINT | Mishaal Khan
  • Open

    Black Hat Europe 2025 | Flaw And Order: Finding The Needle In The Haystack Of CodeQL Using LLMs
    Black Hat Europe 2025 | A crash course in revealing insecure blind spots for DoS & DDoS
  • Open

    Microsoft is named a Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection
    Microsoft is named a Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. The post Microsoft is named a Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection appeared first on Microsoft Security Blog.
    Typosquatted npm packages used to steal cloud and CI/CD secrets
    The Mini Shai-Hulud campaign used malicious npm packages to target cloud and CI/CD credentials across developer environments. This report details the attack chain, detection opportunities, and mitigation guidance to help organizations identify and disrupt related activity. The post Typosquatted npm packages used to steal cloud and CI/CD secrets appeared first on Microsoft Security Blog.
  • Open

    Researchers Uncover Espionage in Mobile Networks
    Swantje Lange spoke with the Hasso Plattner Institut about sophisticated surveillance campaigns being used to exploit mobile networks. The post Researchers Uncover Espionage in Mobile Networks appeared first on The Citizen Lab.
  • Open

    Looting UniFi Controllers: Detecting and Weaponizing CVE-2026-22557
    A CVSS 10.0 path traversal in UniFi Network Application lets unauthenticated attackers read controller backups, extract credentials, and take over every managed device on the network. Bishop Fox breaks down the attack paths, the preconditions, and a safe detection tool to check your exposure.
  • Open

    InfoSec News Nuggets – 05/29/2026
    Carnival Cruise Confirms Data Breach Affecting Nearly 6 Million People Carnival Corporation, the world’s largest cruise line operator, began notifying nearly 6 million customers this week that their personal data was stolen in an April breach after attackers gained access to an employee account through a social engineering attack. The stolen data varies by individual […] The post InfoSec News Nuggets – 05/29/2026 appeared first on AboutDFIR - The Definitive Compendium Project.
  • Open

    Payload Podcast 007 with Andy Piazza (klrgrz)

  • Open

    Black Hat Europe 2025 | Unveiling System Management Mode Memory Corruption Vulnerability Via Fuzzing
    Black Hat Stories | Ari Herbert-Voss, CEO and Founder of RunSybil
  • Open

    Why and how to migrate to a Transit Gateway-attached AWS Network Firewall
    AWS Network Firewall now supports native attachment to AWS Transit Gateway. Customers commonly use Transit Gateway to route traffic from Amazon Virtual Private Cloud (Amazon VPC) networks to a centralized inspection VPC (a VPC dedicated to hosting firewall endpoints for traffic inspection) where their network firewall endpoints are deployed. This centralized deployment model reduces the […]
    Simplifying policy management with URL and Domain Category filtering on AWS Network Firewall
    Network administrators face a persistent challenge: maintaining domain blocklists and allowlists that keep pace with the internet. New websites and services emerge daily, and keeping these lists current requires constant manual updates that leave gaps in coverage. This challenge intensifies when managing access to rapidly evolving categories like AI services, where new tools launch on […]
  • Open

    Charter - 4,851,517 breached accounts
    In May 2026, the telecommunications company Charter Communications (the parent company behind the consumer broadband and cable brand Spectrum) was named by the ShinyHunters group in a "pay or leak" extortion campaign. The group later published the data, which exposed 4.9M unique email addresses along with names, phone numbers and physical addresses. A subset of approximately 85k records originating from an internal employee directory also included job titles. Charter confirmed the incident, but stated that no sensitive personal information or customer proprietary network information (CPNI) was exfiltrated.
    Kemper - 269,299 breached accounts
    In April 2026, the American insurance holding company Kemper Corporation was named by the ShinyHunters ransomware group in a "pay or leak" extortion campaign. The attackers allegedly accessed Kemper's Salesforce environment via social engineering as part of a broader campaign targeting hundreds of organisations using the same method. The group later published tens of gigabytes of data they claimed included internal directory data, Salesforce records and Stripe payment logs. Among the 269k unique email addresses were names, phone numbers, physical addresses and partial payment card data including the last 4 digits, expiry dates and card brands. Kemper confirmed the incident and stated they had engaged third-party cybersecurity experts and notified law enforcement.
  • Open

    Consistent Protections Without Compromise: Akamai’s WAF Is Now on AWS Marketplace

  • Open

    The Small Model Cliff
    CASI Leaderboard, Bias Jailbreak, and Three Coordinated Supply Chain Incidents
    Weekly Threat Bulletin – May 27th, 2026
    These are the top threats you should know about this week.
  • Open

    Google served me Malware
  • Open

    The New Compliance Floor: Organizations are Adopting Stronger Than Ever Monitoring Practices
    This blog is a preview of our report, “The New Rails: How Digital Assets Are Reshaping the Foundations of Finance.”… The post The New Compliance Floor: Organizations are Adopting Stronger Than Ever Monitoring Practices appeared first on Chainalysis.
    U.K. Sanctions 18 Entities and Persons for Evading Russian Trade Blockades
    Summary The U.K.’s Foreign, Commonwealth and Development Office (FCDO) sanctioned 18 cryptocurrency exchanges, payment providers, and individuals for helping Russia… The post U.K. Sanctions 18 Entities and Persons for Evading Russian Trade Blockades appeared first on Chainalysis.
  • Open

    Distributed AI Inference: Why Placement Is the New Bottleneck
    In real AI systems, bottlenecks don't disappear, they move. Learn about why inference placement, not raw compute, is the decisive infrastructure question.
  • Open

    Mytheresa - 84,108 breached accounts
    In April 2026, the luxury fashion e-commerce platform Mytheresa was listed as a victim of the ShinyHunters "pay or leak" extortion group. After the ransom deadline passed, the group publicly released the data which contained 84k unique email addresses. The exposed data also included names, phone numbers, physical addresses, purchases and partial credit card data including card type, last 4 digits and expiry date.

  • Open

    Ameriprise - 502,597 breached accounts
    In March 2026, the financial services firm Ameriprise Financial was named by the ShinyHunters group in a "pay or leak" extortion campaign. The group claimed possession of more than 200GB of compressed data exfiltrated from Ameriprise's Salesforce environment and internal SharePoint infrastructure, and subsequently published the data after negotiations allegedly failed. The published data contained 500k unique email addresses as well as names, phone numbers, physical addresses and employer information. In their disclosure to state attorneys general, Ameriprise reported 47,876 affected people; the larger email address population represents contacts from Ameriprise's broader operational systems, including internal staff. Ameriprise further advised that they have "implemented heightened monitoring of your account(s) to include enhanced identity verification procedures".
  • Open

    Welcoming the AWS Customer Incident Response Team
    May 26, 2026: This post was originally published in July 2022. It has been updated to reflect current engagement options, new threat intelligence resources such as the Threat Technique Catalog for AWS (TTC), additional open-source tools, and the distinction between AWS CIRT support and the AWS Security Incident Response managed service. Welcome back, or welcome […]
    Well-architected best practices for software supply chain security
    There have been multiple notable supply chain attacks using the npm Registry since September: Shai-Hulud, Chalk/Debug, one abusing tea.xyz tokens, and recently axios. Thanks to community efforts involving the Amazon Inspector team, the Open Source Security Foundation, and others, the affected packages were quickly flagged, which reduced the impact of these incidents. Supply chain attacks […]
  • Open

    SecTor 2025 | Grand Finale: Cutting Through the Cyber Noise
    SecTor 2025 | Chasing Shadows: Chronicles of Counter-Intelligence from the Citizen Lab
  • Open

    Introducing Password-Less Provisioning and Atomic Customization for VMs
    Akamai Cloud introduces password-less provisioning and atomic customization. Align with Zero Trust by eliminating root passwords and hardening VMs at creation.
  • Open

    Sparkplug B Protocol Fuzzing with AI Assistance
    Sparkplug B is the dominant protocol in ICS and SCADA environments, but no public security fuzzer existed for it until now. Bishop Fox used AI-assisted development to build one from scratch, covering all 9 message types, 19 data types, and 87+ field paths from the full specification.

  • Open

    Trump Wants to Tap Your Phone. Ottawa Might Let Him.
    Senior research associate Kate Robertson discusses the risks Bill C-22 poses for future data-sharing agreements with foreign law enforcement agencies. The post Trump Wants to Tap Your Phone. Ottawa Might Let Him. appeared first on The Citizen Lab.
  • Open

    Hack the Notes: Exploring Pen-Test Documentation | Christian Duncan

  • Open

    7-Eleven - 185,256 breached accounts
    In April 2026, 7-Eleven was the victim of a "pay or leak" extortion campaign by ShinyHunters, with the data later published that month. The incident exposed 185k unique email addresses, along with names, physical addresses, dates of birth and phone numbers. A small number of records also contained additional exposed data fields. The company later advised the breach was limited to "certain 7-Eleven systems used to store franchisee documents", a statement consistent with the exposed data.

  • Open

    📖 [The CloudSecList] Issue 339
    📖 [The CloudSecList] Issue 339 was originally published by Marco Lancini at CloudSecList on May 24, 2026.

  • Open

    OFAC and Crypto Crime: Every OFAC Specially Designated National with Identified Cryptocurrency Addresses
    As far back as the early 1800s, the U.S. Department of the Treasury has issued economic sanctions to achieve foreign… The post OFAC and Crypto Crime: Every OFAC Specially Designated National with Identified Cryptocurrency Addresses appeared first on Chainalysis.
  • Open

    Detecting CVE-2026-0265 at Scale: PAN-OS CAS Authentication Bypass
    CVE-2026-0265 lets unauthenticated attackers forge a JWT and log in as any trusted user on CAS-enabled PAN-OS deployments. Bishop Fox built a detection tool that returns a definitive verdict from a single anonymous request, and breaks down exactly how the bug works and what to do about it.
    CVE-2026-27886: Unauthenticated Boolean-Oracle Exfiltration of Administrator Secrets in Strapi
    A sanitization bypass in Strapi 4.0.0 through 5.36.1 lets unauthenticated attackers extract an admin's password reset token character by character and take over the account. With over 20,000 internet-facing hosts exposed, Bishop Fox breaks down how the exploit works and how to remediate it.
  • Open

    Deserialization payloads for exploits w/ GO-based .NET & Java gadget generation | Jonathan Peterson

  • Open

    Decentralized Threat: Stealthy P2P Cryptominer Targeting Ollama Endpoints
    The Akamai SIRT uncovered a custom P2P Trojan masquerading as system activity. Learn how to detect and mitigate this stealthy Go-based cryptominer.
    Secure Identity at the Edge: Akamai Partners with Auth0
    The Akamai and Auth0 partnership secures identity at the edge by combining edge intelligence and adaptive authentication to stop fraud and enhance user trust.
    CVE-2026-9082: Mitigating a Critical SQL Injection Vulnerability in Drupal
    Learn how the complex Drupal SQLi vulnerability (CVE-2026-9082) exploits PostgreSQL environments and its data theft risks — and how to ensure you’re protected.
  • Open

    AWS KY3P report now available for third-party supplier due diligence
    We’re excited to announce that Amazon Web Services (AWS) has completed the S&P Global Know Your Third Party (KY3P) assessment of its security posture. This assessment demonstrates our continued commitment to meet the heightened expectations of cloud service providers. Customers can now use the AWS KY3P assessment to reduce their supplier due diligence burden. KY3P, […]
    Automating identity lifecycle and security with AWS Directory Service APIs
    Managing identities and access across complex environments has become more critical than ever. AWS Directory Service for Managed Microsoft Active Directory, also known as AWS Managed Microsoft AD, has added new capabilities to manage users and groups. Now, you can perform create, read, update, and delete (CRUD) operations on users and groups directly through AWS […]
  • Open

    Dragonica Lunaris - 126,293 breached accounts
    In December 2025, the European Dragonica private server Dragonica Lunaris suffered a data breach. The incident exposed 126k email addresses, usernames, dates of birth and bcrypt password hashes. The service operator confirmed the breach and advised it has since been fixed.
    Windows93 / Myspace93 - 46,105 breached accounts
    In January 2021, the parody site Windows93 suffered a data breach of the Myspace93 sub-site after a beta application was exploited to download server files. The compromised data was later leaked in June and included 46k Myspace93 accounts containing email and IP addresses, usernames and passwords stored in plain text.

  • Open

    Why Policy in Amazon Bedrock AgentCore chose Cedar for securing agentic workflows
    Agents have agency: they adapt and find multiple ways to solve problems. This autonomy creates a fundamental security challenge: the large language model (LLM) at the heart of the agent is non-deterministic, and its decisions can’t be predicted or guaranteed in advance. It can hallucinate harmful actions with complete confidence. It’s vulnerable to prompt injection […]
    AWS Security Hub Extended: Why enterprise security products should sell themselves
    Our largest security services customers started the same way every customer does – with a click. They enabled Amazon GuardDuty, Amazon Inspector, AWS WAF, and AWS Security Hub, experienced the benefits in real time, and evaluated with transparent pay-as-you-go pricing. No RFP. No six-month evaluation. No multi-year commitment up front. Our field teams played a […]
  • Open

    Weekly Threat Bulletin – May 20th, 2026
    These are the top threats you should know about this week.
  • Open

    This Is a Hold-Up: Financial Services Under Attack

  • Open

    Microsoft Exchange ProxyShell Scanning Doubles in April 2026 as Two Distinct Campaign Clusters Emerge
    Sensor Intel Series: April 2026 CVE Trends
  • Open

    CIRT insights: How to help prevent unauthorized account removals from AWS Organizations
    The AWS Customer Incident Response Team works with customers to help them recover from active security incidents. As part of this work, the team often uncovers new or trending tactics used by various threat actors that take advantage of specific customer configurations and designs. Understanding these tactics can help inform your architecture decisions, improve your […]
    Governing infrastructure as code using pattern-based policy as code
    Organizations often struggle to enforce security and compliance requirements consistently across their cloud infrastructure. In one environment, a workload might be deployed in an AWS Region that was never approved for that class of data. In another, a security group might allow broader access than intended. Required tags might be missing. Encryption might be assumed […]
  • Open

    CTT - 468,124 breached accounts
    In April 2026, data allegedly obtained from CTT, Portugal's national postal service, was posted to a public hacking forum. The data included 468k unique email addresses along with names, phone numbers and parcel tracking numbers which can be used to retrieve the tracking history of the parcel.

  • Open

    How OLTs may have exposed entire ISP networks
    An Optical Line Terminal (OLT) is the central device in a Fiber-To-The-Home (FTTH) network that connects and manages all customer connections, making it a critical control point in an ISP's infrastructure for delivering high speed Internet. This article uncovers how unauthenticated access to OLTs can lead to a full network takeover starting by exploiting exposed vulnerable devices, showing how to pivot into the cloud-based fleet manager using other vulnerabilities, and then compromising an ISP's entire infrastructure.
  • Open

    Addi - 34,532,941 breached accounts
    In March 2026, the Colombian fintech company Addi identified unauthorised activity on its platform and advised customers that "it is possible that your personal information may have been compromised". The "pay or leak" extortion group ShinyHunters subsequently claimed responsibility and published a large trove of personal data allegedly obtained from Addi. The data included 34M unique email addresses from credit scoring requests, credit bureau records, customer identity records and email validation logs. It also contained government issued IDs (Cédula de Ciudadanía), estimated income, socioeconomic levels, purchases and other credit-related data points.
  • Open

    I Built an AI Cybersecurity Research Factory (for CTFs & Vulnerabilities)
  • Open

    CVE-2026-42945: Mitigating a Critical Heap Buffer Overflow Vulnerability in NGINX
    Discover CVE-2026-42945 (NGINX Rift), a critical heap buffer overflow vulnerability. Learn about the affected versions and critical patch updates.

  • Open

    📖 [The CloudSecList] Issue 338
    📖 [The CloudSecList] Issue 338 was originally published by Marco Lancini at CloudSecList on May 17, 2026.
2026-06-15T04:20:33.763Z osmosfeed 1.15.1