Cloud
-
Worm-driven TeamPCP campaign compromises cloud native infrastructure at scale
A worm-driven campaign by TeamPCP exploited exposed Docker, Kubernetes, Ray and React vulnerabilities around Dec 25, 2025 to build proxy and scanning infrastructure for data theft, extortion and cryptocurrency mining, researchers report.
-
Threat actor compromises about 1,400 exposed MongoDB servers in low-value extortion campaign
A technical analysis found a threat actor compromised about 1,400 exposed MongoDB servers, leaving ransom notes demanding about 0.005 BTC per victim. Researchers identified roughly 208,500 exposed servers and many running outdated versions.
-
Entra ID to auto-enable passkey profiles and add synced passkeys from March 2026
Starting March 2026, Entra ID will automatically enable passkey profiles and add support for synced passkeys. A Microsoft message center announcement outlines a staged rollout with opt-in and automatic migration and a new passkeyType profile setting.
-
AWS Payment Cryptography passes PCI PIN audit with zero findings
AWS published an updated PCI PIN compliance package for AWS Payment Cryptography. A PCI PIN Attestation of Compliance shows validation by a QSA with zero findings and a Responsibility Summary clarifies customer obligations.
-
Mass spam wave uses unsecured Zendesk ticket systems to send hundreds of automated emails
A global spam wave beginning January 18 used unsecured Zendesk ticket systems to deliver hundreds of automated confirmation emails that bypassed filters and confused recipients. The advisory urges restricting ticket creation to verified users and removing open placeholders.
-
Two high severity flaws in Chainlit allow file theft and SSRF in cloud deployments
Two high severity Chainlit vulnerabilities allow arbitrary file reads and SSRF that can expose secrets and internal services. Patches were released in Chainlit 2.9.4 on December 24, 2025. Upgrades are recommended.
-
Check Point Research says VoidLink cloud malware was largely AI generated
A Check Point Research technical analysis says the VoidLink Linux cloud malware was largely generated with AI, reaching about 88,000 lines of code and a functional iteration within a week after development began in late November 2025.
-
Cloudflare patches ACME HTTP-01 validation bug that could bypass WAF
Cloudflare said in a blog post it fixed an ACME HTTP-01 validation bug on October 27, 2025 that could disable WAF rules and allow requests to reach origin servers.
-
CodeBreach misconfiguration in AWS CodeBuild could have exposed aws-sdk-js-v3 GitHub repo
A CodeBuild misconfiguration could have allowed takeover of AWS-managed GitHub repositories including the AWS JavaScript SDK. The flaw, dubbed CodeBreach, was fixed in September 2025 after responsible disclosure.







