
Latest

Ex-school district employee jailed for hacks on former employer (BleepingComputer · 9h ago)
Amazon CEO reportedly raised Anthropic model concerns before government crackdown (TechCrunch Security · 11h ago)
Extradited Ukrainian Man Admits Role in Conti Ransomware Attacks (HackRead · 16h ago)
Chinese hackers hijack auth flow, spy on isolated network for a decade (BleepingComputer · 16h ago)
Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication (The Hacker News · 17h ago)
The FBI built its own replica small town to simulate real-world cyberattacks (TechCrunch Security · 19h ago)
U.S. Orders Anthropic to Suspend Fable 5 and Mythos 5 Access for Foreign Nationals (The Hacker News · 1d ago)
Weekly Metasploit Update: New Kerberos/Certificate tracing options, and multiple new modules (Rapid7 · 1d ago)
Friday Squid Blogging: Squid-Inspired Fluid Pump (Schneier on Security · 1d ago)
Chinese cybercrime operation that used AI to scam ‘hundreds of thousands of victims’ sued by Google (TechCrunch Security · 1d ago)
Maine disables data breach notification portal after fake disclosures (BleepingComputer · 1d ago)
400+ Arch Linux AUR Packages Hijacked to Install Rust Credential Stealer (The Hacker News · 1d ago)
Google Sues Chinese Smishing Network Accused of Using Gemini AI in Phishing (The Hacker News · 1d ago)
phpBB forum fixes auth bypass bug lurking for a decade (BleepingComputer · 1d ago)
China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade (The Hacker News · 1d ago)

Security & IT News

Live

Real-time news from 13+ trusted sources — BleepingComputer, The Hacker News, Krebs on Security, Dark Reading & more.

Vulnerability · CISA · 52d ago
CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog), based on evidence of active exploitation.

- CVE-2026-33825 (https://www.cve.org/CVERecord?id=CVE-2026-33825): Microsoft Defender Insufficient Granularity of Access Control Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities (https://www.cisa.gov/binding-operational-directive-22-01) established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet (https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf) for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria (https://www.cisa.gov/known-exploited-vulnerabilities).
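As an added example, not part of CISA's notice: a small script that cross-references a scanner's asset inventory against a catalog in the shape of the KEV JSON feed and orders the work by BOD 22-01 due date, overdue entries first and ransomware-linked entries ahead of others with the same deadline. The feed itself is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; the catalog entries below are constructed samples with made-up CVE IDs, vendors and dates, and the inventory, asset names and the one-week "due soon" threshold are assumptions of the example.

```python
"""Cross-reference an asset inventory against a KEV-shaped catalog and order
remediation by due date.  Added example; all data below is constructed."""
import json
from datetime import date

# Real feed location. The functions below work on a local copy of that file
# exactly as they work on SAMPLE_KEV_JSON.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the feed's shape: CVE IDs, vendors and dates are made up.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2026-10001", "vendorProject": "VendorA", "product": "EdgeGateway",
         "vulnerabilityName": "VendorA EdgeGateway Authentication Bypass Vulnerability",
         "dateAdded": "2026-03-20", "dueDate": "2026-04-10",
         "knownRansomwareCampaignUse": "Known",
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use."},
        {"cveID": "CVE-2026-10002", "vendorProject": "VendorB", "product": "MailRelay",
         "vulnerabilityName": "VendorB MailRelay Command Injection Vulnerability",
         "dateAdded": "2026-04-14", "dueDate": "2026-05-05",
         "knownRansomwareCampaignUse": "Unknown",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2025-20003", "vendorProject": "VendorC", "product": "Hypervisor",
         "vulnerabilityName": "VendorC Hypervisor Privilege Escalation Vulnerability",
         "dateAdded": "2026-03-30", "dueDate": "2026-04-20",
         "knownRansomwareCampaignUse": "Unknown",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed inventory, (asset, CVE) pairs as a scanner would export them.
# One CVE is deliberately not in the catalog.
SAMPLE_INVENTORY = [
    ("vpn-gw-01", "CVE-2026-10001"),
    ("mail-01", "CVE-2026-10002"),
    ("esx-07", "CVE-2025-20003"),
    ("build-03", "CVE-2024-99999"),
]

DUE_SOON_DAYS = 7  # assumption: anything due within a week is flagged


def load_catalog(text):
    """Parse the feed JSON and index its entries by CVE ID."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}


def triage(inventory, kev, today):
    """Return one row per (asset, CVE) pair that is in the catalog, ordered
    overdue first, then by days left; ties go to ransomware-linked entries."""
    rows = []
    for asset, cve in inventory:
        entry = kev.get(cve)
        if entry is None:
            continue  # not in KEV: still worth patching, but outside this queue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        if days_left < 0:
            status = "overdue"
        elif days_left <= DUE_SOON_DAYS:
            status = "due_soon"
        else:
            status = "scheduled"
        rows.append({
            "asset": asset, "cve": cve, "due": entry["dueDate"],
            "days_left": days_left, "status": status,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "action": entry["requiredAction"],
        })
    rows.sort(key=lambda r: (r["days_left"], not r["ransomware"], r["cve"]))
    return rows


def triage_sample(today_iso="2026-04-15"):
    """Run the triage over the constructed samples with a fixed 'today'."""
    return triage(SAMPLE_INVENTORY, load_catalog(SAMPLE_KEV_JSON), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for r in triage_sample():
        flag = " [ransomware]" if r["ransomware"] else ""
        print(f'{r["status"]:9} {r["asset"]:10} {r["cve"]} due {r["due"]} ({r["days_left"]:+d}d){flag}')
```

Sorting by days left rather than by CVSS is the point: the catalog already encodes "exploited in the wild", so the remaining question is only how much of the BOD 22-01 window is left.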

🦠 Malware · The Hacker News · 52d ago
Lotus Wiper Malware Targets Venezuelan Energy Systems in Destructive Attack

Cybersecurity researchers have discovered a previously undocumented data wiper that has been used in attacks targeting Venezuela at the end of last year and the start of 2026. Dubbed Lotus Wiper, the novel file wiper has been used in a destructive campaign targeting the energy and utilities sector in Venezuela, per findings from Kaspersky. "Two batch scripts are responsible for initiating the

Vulnerability · The Hacker News · 52d ago
Toxic Combinations: When Cross-App Permissions Stack into Risk

On January 31, 2026, researchers disclosed that Moltbook, a social network built for AI agents, had left its database wide open, exposing 35,000 email addresses and 1.5 million agent API tokens across 770,000 active agents. The more worrying part sat inside the private messages. Some of those conversations held plaintext third-party credentials, including OpenAI API keys shared between agents,

🩹 Patch · The Hacker News · 52d ago
Microsoft Patches Critical ASP.NET Core CVE-2026-40372 Privilege Escalation Bug

Microsoft has released out-of-band updates to address a security vulnerability in ASP.NET Core that could allow an attacker to escalate privileges. The vulnerability, tracked as CVE-2026-40372, carries a CVSS score of 9.1 out of 10.0. It's rated Important in severity. An anonymous researcher has been credited with discovering and reporting the flaw. "Improper verification of cryptographic

Vulnerability · The Hacker News · 52d ago
Mustang Panda’s New LOTUSLITE Variant Targets India Banks, South Korea Policy Circles

Cybersecurity researchers have discovered a new variant of a known malware called LOTUSLITE that's distributed via a theme related to India's banking sector. "The backdoor communicates with a dynamic DNS-based command-and-control server over HTTPS and supports remote shell access, file operations, and session management, indicating a continued espionage-focused capability set rather than

Vulnerability · The Hacker News · 52d ago
Cohere AI Terrarium Sandbox Flaw Enables Root Code Execution, Container Escape

A critical security vulnerability has been disclosed in a Python-based sandbox called Terrarium that could result in arbitrary code execution. The vulnerability, tracked as CVE-2026-5752, is rated 9.3 on the CVSS scoring system. "Sandbox escape vulnerability in Terrarium allows arbitrary code execution with root privileges on a host process via JavaScript prototype chain traversal," according to

Vulnerability · SANS ISC · 53d ago
[Guest Diary] Beyond Cryptojacking: Telegram tdata as a Credential Harvesting Vector, Lessons from a Honeypot Incident, (Wed, Apr 22nd)

[This is a Guest Diary by L. Carty, an ISC intern as part of the SANS.edu Bachelor's Degree in Applied Cybersecurity (BACS) program [1].]

Introduction

A few weeks ago, my honeypot logged an incident that changed how I think about modern attacks. A threat actor broke into my system using weak SSH credentials and immediately started running commands. What started as a routine resource-hijacking attempt was followed by credential harvesting targeting Telegram Desktop session data. This incident isn't just another story about cryptocurrency mining malware. It's a window into how modern threat actors are evolving their tactics: chaining initial access with credential theft to enable persistent, multi-layered exploitation. The commands I observed tell a story of methodical reconnaissance, from checking for competing miners to hunting for Telegram's tdata directory. In this post, I'll walk through what I found, explain why the tdata folder is so valuable to threat actors, and share practical ways to protect it and manage your sessions.

The Attack Chain: A Conceptual Overview

Before diving into the actual commands, let's establish what we're looking at. Modern attacks rarely consist of a single malicious action and instead follow a progression. Below is the attack chain and corresponding MITRE ATT&CK techniques. [2]

- Initial Access: weak SSH credentials, phishing, or vulnerabilities (T1110.001)
- Reconnaissance: system enumeration, identifying valuable targets (T1082, T1083)
- Credential Harvesting: extracting session tokens, passwords, or authentication data (T1555, T1005)
- Account Takeover: using stolen credentials for further access (T1078)
- Exploitation: social engineering, lateral movement, or monetization (T1041)

What made this particular attack notable was the explicit targeting of Telegram's local session data. Threat actors aren't just after CPU cycles anymore; they're after persistent access through compromised accounts that can be leveraged for ongoing exploitation.

The Evidence: Live from the Honeypot

The following commands were captured in the honeypot's SSH logs immediately after the threat actor gained access. They show the threat actor's intent to map the system, check for competition, and locate the tdata directory.

Commands Captured

    /ip cloud print
    ifconfig
    uname -a
    cat /proc/cpuinfo
    #looks to have an issue with cloudflare
    ps | grep '[Mm]iner'
    ps -ef | grep '[Mm]iner'
    ls -la ~/.local/share/TelegramDesktop/tdata /home/*/.local/share/TelegramDesktop/tdata /dev/ttyGSM* /dev/ttyUSB-mod* /var/spool/sms/* /var/log/smsd.log /etc/smsd.conf* /usr/bin/qmuxd /var/qmux_connect_socket /etc/config/simman /dev/modem* /var/config/sms/*
    locate D877F783D5D3EF8Cs
    echo Hi | cat -n

A Command Timeline Visualization

    [Initial SSH Access]
             |
             V
    RECONNAISSANCE PHASE
      /ip cloud print    MikroTik RouterOS status, configuration
      ifconfig           Network int
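The captured commands above, run through a small rule-based classifier, as an added example that is not part of the guest diary. It assigns each command a phase from the diary's attack chain and the ATT&CK technique the diary lists for that phase, and flags a session for escalation the moment any command touches Telegram's tdata directory, which is the behaviour the diary singles out as separating account takeover from plain cryptojacking. The log line format, session IDs and timestamps are constructed for this example; the T1057 (Process Discovery) mapping for the competing-miner check and the T1083 mapping for the modem and SMS paths are this example's own, since the diary does not assign those commands an ID.

```python
"""Classify honeypot-captured shell commands into attack-chain phases.
Added example; log lines are constructed, technique mapping is explained inline."""
import re
from collections import defaultdict

# (phase, technique, pattern). Rule order is the order findings are reported
# for a command that matches more than one rule.  T1555/T1005 and T1082 come
# from the diary's chain; T1057 and the T1083 path list are this example's own.
RULES = [
    ("Credential Harvesting", "T1555/T1005",
     re.compile(r"TelegramDesktop/tdata|D877F783D5D3EF8C")),
    ("Reconnaissance", "T1083",
     re.compile(r"/dev/ttyGSM|/dev/ttyUSB-mod|/var/spool/sms|smsd|qmuxd|/dev/modem|simman")),
    ("Reconnaissance", "T1057",
     re.compile(r"\bps\b.*\bgrep\b.*(\[Mm\]iner|miner)", re.IGNORECASE)),
    ("Reconnaissance", "T1082",
     re.compile(r"^(/ip cloud print|ifconfig|uname -a|cat /proc/cpuinfo)\b")),
]

# Constructed log format, one command per line. Real honeypots (Cowrie etc.)
# emit JSON; only parse_line() would need to change for those.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+session=(?P<session>\S+)\s+cmd=(?P<cmd>.*)$")

SAMPLE_LOG = """\
2026-04-20T03:14:07Z session=a1 cmd=/ip cloud print
2026-04-20T03:14:08Z session=a1 cmd=ifconfig
2026-04-20T03:14:08Z session=a1 cmd=uname -a
2026-04-20T03:14:09Z session=a1 cmd=cat /proc/cpuinfo
2026-04-20T03:14:09Z session=a1 cmd=#looks to have an issue with cloudflare
2026-04-20T03:14:10Z session=a1 cmd=ps | grep '[Mm]iner'
2026-04-20T03:14:10Z session=a1 cmd=ps -ef | grep '[Mm]iner'
2026-04-20T03:14:11Z session=a1 cmd=ls -la ~/.local/share/TelegramDesktop/tdata /home/*/.local/share/TelegramDesktop/tdata /dev/ttyGSM* /var/spool/sms/* /etc/smsd.conf*
2026-04-20T03:14:12Z session=a1 cmd=locate D877F783D5D3EF8Cs
2026-04-20T03:14:13Z session=a1 cmd=echo Hi | cat -n
2026-04-20T03:20:00Z session=b7 cmd=uname -a
2026-04-20T03:20:01Z session=b7 cmd=ps -ef | grep '[Mm]iner'
"""


def parse_line(line):
    """Return (timestamp, session, command) or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("session"), m.group("cmd")


def classify(cmd):
    """Return every (phase, technique) pair a single command matches, in rule order."""
    cmd = cmd.strip()
    if cmd.startswith("#"):  # a comment carried along from the attacker's script
        return []
    return [(phase, tech) for phase, tech, rx in RULES if rx.search(cmd)]


def analyze(log_text):
    """Group findings per SSH session; escalate as soon as tdata is touched."""
    sessions = defaultdict(lambda: {"findings": [], "phases": set(), "escalate": False})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, sess, cmd = parsed
        for phase, tech in classify(cmd):
            s = sessions[sess]
            s["findings"].append((ts, tech, cmd))
            s["phases"].add(phase)
            if phase == "Credential Harvesting":
                s["escalate"] = True
    return dict(sessions)


if __name__ == "__main__":
    for sess, info in analyze(SAMPLE_LOG).items():
        verdict = "ESCALATE" if info["escalate"] else "monitor"
        print(f"session {sess}: {verdict} phases={sorted(info['phases'])}")
        for ts, tech, cmd in info["findings"]:
            print(f"  {ts} {tech:12} {cmd[:70]}")
```

Session a1 is escalated on the ls and locate commands alone; session b7 runs the same system enumeration and miner check but never reaches for tdata, so it stays in the ordinary cryptojacking bucket. Matching on the tdata path and on the session file name the attacker searched for with locate, rather than on the tool names, keeps the rule working when the attacker swaps ls for find or tar.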