Cybersecurity researchers have shed light on a macOS malvertising campaign codenamed Operation FlutterBridge that spreads a new backdoor called FlutterShell. According to Palo Alto Networks Unit 42, the campaign is said to be the next stage of a previously reported activity cluster dubbed JSCoreRunner (aka FileRipple) in late August 2025. The cybercrime group behind the two attack chains is
Security & IT News
Real-time news from 13+ trusted sources — BleepingComputer, The Hacker News, Krebs on Security, Dark Reading & more.
Cisco has released security updates to patch a critical-severity Unified Communications Manager (Unified CM) flaw that allows attackers to gain root privileges. [...]
I've been using the GnuWin32 CoreUtils for Windows for many years now (it gives you many *nix core commands on Windows). Microsoft has just released their coreutils version for Windows. You can install them with a winget command (winget install Microsoft.Coreutils) or with the installer released on GitHub. It takes just a few clicks.

It installs a single executable compiled with Rust (coreutils.exe) in the program files folder, and each individual command is a hard link to this executable.

Here is the full list of commands: arch.cmd, b2sum.cmd, base32.cmd, base64.cmd, basename.cmd, basenc.cmd, cat.cmd, cksum.cmd, comm.cmd, cp.cmd, csplit.cmd, cut.cmd, date.cmd, df.cmd, dirname.cmd, du.cmd, echo.cmd, env.cmd, expr.cmd, factor.cmd, false.cmd, find.cmd, fmt.cmd, fold.cmd, grep.cmd, head.cmd, hostname.cmd, join.cmd, link.cmd, ln.cmd, ls.cmd, md5sum.cmd, mkdir.cmd, mktemp.cmd, mv.cmd, nl.cmd, nproc.cmd, numfmt.cmd, od.cmd, pathchk.cmd, pr.cmd, printenv.cmd, printf.cmd, ptx.cmd, pwd.cmd, readlink.cmd, realpath.cmd, rm.cmd, rmdir.cmd, seq.cmd, sha1sum.cmd, sha224sum.cmd, sha256sum.cmd, sha384sum.cmd, sha512sum.cmd, shuf.cmd, sleep.cmd, sort.cmd, split.cmd, stat.cmd, sum.cmd, tac.cmd, tail.cmd, tee.cmd, test.cmd, touch.cmd, tr.cmd, true.cmd, truncate.cmd, tsort.cmd, unexpand.cmd, uniq.cmd, unlink.cmd, uptime.cmd, wc.cmd, xargs.cmd, yes.cmd

Didier Stevens
Senior handler
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The U.S. Department of Justice (DoJ) on Wednesday announced the results of a sweeping action undertaken by government authorities and private sector companies to combat cyber-enabled and cryptocurrency fraud targeting Americans. The "Disruption Week" operation began May 18, 2026, leading to the takedown of millions of social media, email, and internet access accounts used by transnational
CISA, the FBI, the NSA, the Department of Energy, and other US government partners are warning that hackers are targeting internet-exposed automatic tank gauge (ATG) systems used to monitor fuel and liquid storage tanks across various critical infrastructure sectors. [...]
A single poisoned notification from WhatsApp, Slack, SMS, Signal, Instagram, or Messenger could have hijacked Google Gemini's voice assistant on Android and made it open a victim's connected windows, fake a message from their boss, push the phone into a Zoom call, or quietly poison its long-term memory. No malicious app on the phone is required. The assistant just had to treat a hostile
A new denial-of-service (DoS) attack dubbed HTTP/2 Bomb can be launched from a single machine to take down web servers within seconds. [...]
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical flaw impacting Mirasvit Cache Warmer, a popular Magento full-page cache extension, to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild. The vulnerability, tracked as CVE-2026-45247 (CVSS score: 9.8), is a case of deserialization of untrusted
Cybersecurity researchers have flagged a new malspam campaign that makes use of Google's DoubleClick domain as a way to evade detection and ultimately deliver a remote access trojan (RAT) named DesckVB RAT. "Before the victim ever reaches attacker-controlled infrastructure, the lure routes through DoubleClick, a legitimate Google-owned domain that many security tools are less likely to treat as
What actually happens inside a SOC when an incident unfolds? Most teams see the alerts and the outcomes, but the decision-making in between is often less visible. At the Rapid7 2026 Global Cybersecurity Summit, the signature session Inside the Modern SOC: Who Carries You Through an Incident takes a different approach. Rather than focusing on tools or dashboards, it follows a real-world incident from the perspective of the people responsible for investigating and containing it.

The session walks through how modern MDR teams operate under pressure, drawing on real experience across cloud, identity, and on-prem environments. Led by Karl Lankford, Senior Director, Sales Engineering, Rapid7, the discussion brings in perspectives from across the SOC, including incident response and detection, to show how teams work together when it matters most.

Structured around a full incident lifecycle, the walkthrough begins with the initial signal and moves through triage and investigation, following the decisions that shape the outcome. The focus is not on theory but on how incidents are handled in practice, from background and context through to the final result.

What stands out is how much of the process depends on judgment. Alerts are only the starting point. From there, analysts are working to understand context, assess risk, and decide what matters most in the moment. This includes identifying compromised identities, understanding how attackers move across environments, and coordinating response across multiple systems.

The session also highlights how quickly these decisions need to be made. As shown in the high-level timeline, attackers can move from initial access to broader compromise across cloud and on-prem systems in a matter of minutes, which leaves little room for hesitation or uncertainty.

Throughout the walkthrough, the focus stays on what carries organizations through an incident. Detection plays a role, but outcomes are shaped by coordination, tradeoffs, and the ability to act with clarity under pressure. The session also explores how visibility across environments, combined with human-led response, helps teams connect signals and act before impact occurs.

For practitioners, SOC leaders, and teams evaluating MDR, this session offers a grounded view of how modern incident response works under real conditions. It shows what happens between the alert and the outcome, and why that gap is where the real value lies. Watch the full session to follow the investigation step by step and see how MDR teams carry organizations through real incidents.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that hackers are exploiting vulnerabilities in the Linux kernel and Android operating system. [...]
A development flag left switched on in production builds of several Microsoft 365 Android apps disabled the check that limits account-token sharing to trusted Microsoft apps. Any other app on the same phone could ask for the signed-in user's token and get it, then read email, open files, browse the calendar, and send messages as that user. No password, no login screen, no permission prompt.
A two-week penetration test can leave roughly 345 days of real-world exposure unvalidated. Sprocket Security explores why continuous testing is becoming critical as attack surfaces constantly change. [...]
Redis has patched a use-after-free in its blocking-client code that lets an authenticated user run arbitrary OS commands on the machine hosting the database. The flaw was found by an autonomous AI tool built to hunt bugs in large codebases. Tracked as CVE-2026-23479, the flaw was introduced in Redis 7.2.0 and remained in every stable branch until the May 5 fixes, unnoticed for over two years.
Enterprise applications often still use complex standards like SOAP for web services. The big advantage of SOAP is its tight and extensive standards, which enable interoperability across an enterprise governed by web services. The disadvantage of SOAP: First, while it is de facto usually used over HTTP, it does not leverage HTTP, leading to unnecessary complexity. Secondly, kids don't RTFM, and developers these days tend not to appreciate the art of careful system design; they rather throw code at an IDE to see what sticks, if they don't vibe code it anyway.

So the answer to all of the calls for a simpler standard is the non-standard REST. REST is more a living standard defined by commonly used libraries that happen to be popular right now. One of these standards is Swagger, or OpenAPI [1]. A very popular part of Swagger is swagger.json, a file that defines how to use an API. Some people here may remember WSDLs, or good old .h files in C/C++. Same idea, but now with more JSON.

From a web application security perspective, swagger.json is like a directory listing for an API. It is not that they are inherently evil or insecure. They are often necessary to allow developers to connect to an API efficiently. But on the other hand, they are also a great roadmap for attackers. So it's no surprise that attackers are looking for them. Not only do they provide a list of API features, but metadata in the description will usually identify the underlying application. It is a great way to find vulnerable applications.
Here are some of the top URLs attackers are scanning recently:

URL                                        First Seen   Last Seen    # of Requests
/swagger.json                              2020-12-28   2026-06-03   32,499
/api/v2/swagger.json                       2021-01-03   2026-06-02   14,536
/swagger/v1/swagger.json                   2020-12-28   2026-06-03   13,791
/api/swagger.json                          2020-12-28   2026-06-03   11,100
/api-docs/swagger.json                     2020-12-28   2026-06-03   8,693
/v1/swagger.json                           2021-01-03   2026-06-02   7,482
/apidocs/swagger.json                      2021-01-03   2026-04-26   6,517
/api/v1/swagger.json                       2021-03-03   2026-06-02   6,495
/v2/swagger.json                           2021-08-07   2026-06-03   1,026
/api/api-docs/swagger.json                 2020-12-28   2026-05-12   945

And some that started showing up more recently:

URL                                        First Seen   Last Seen    Number of Requests
/%2Fswagger.json                           2026-04-03   2026-04-22   20
/swagger/v2/api-docs/service/swagger.json  2026-02-27   2026-05-24   17
/swagger/v3/api-docs/service/swagger.json  2026-02-27   2026-05-24   17
/26-166/api-docs/swagger.json              2026-01-21   2026-04-18   2
/73/api/apidocs/swagger.json               2026-01-21   2026-04-18   2
/hsd1/api/swagger-ui/swagger.json          2026-01-21   2026-04-18   2
/69/api/api-docs/swagger.json              2026-01-21   2026-04-18   2
/166/api-docs/swagger.json                 2026-01-21   2026-04-18   2
/c/api-docs/swagger.json                   2026-01-21   2026-04-18   2
/26-166/api/api-docs/swagger.json          2026-01-21   2026-04-18   2

The number of requests is continuously high, but there are spikes and slow times. But the continuing interest shows that attackers see value here. What's the lesson? Should you stop using swagger.json? Probably not. You
Inaugural Infosecurity Europe Cyber Startup Award Winner Impresses Panel with Ability to Help Prioritize Vulnerabilities in the AI Era
Cybersecurity researchers have disclosed a one-click attack via Microsoft Visual Studio Code (VS Code) that makes it possible to steal a user's GitHub token. "Just by clicking a link, it's possible for an attacker to steal a GitHub token that can read and write to your repos, including private ones," security researcher Ammar Askar said. GitHub supports a feature called GitHub.dev that runs as
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog), based on evidence of active exploitation.

- CVE-2026-45247 (https://www.cve.org/CVERecord?id=CVE-2026-45247) Mirasvit Full Page Cache Warmer Deserialization of Untrusted Data Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities (https://www.cisa.gov/binding-operational-directive-22-01) established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet (https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf) for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria (https://www.cisa.gov/known-exploited-vulnerabilities).
The Fragmented State of Modern Enterprise Identity

Enterprise IAM is approaching a breaking point. As organizations scale, identity becomes increasingly fragmented across thousands of applications, decentralized teams, machine identities, and autonomous systems. The result is Identity Dark Matter: identity activity that sits outside the visibility of centralized IAM and beyond the reach of