Research
-
Lazarus Group Uses Memory-Only RemotePE Malware Against Crypto Firms
Researchers say Lazarus Group has used the RemotePE malware family against financial and cryptocurrency targets. The in-memory trojan leaves little forensic evidence and was linked to a multi-stage attack chain with several loaders.
-
TrapDoor supply chain attack spreads across npm, PyPI and Crates.io
A coordinated supply chain campaign has spread malicious packages across npm, PyPI and Crates.io, targeting developers with code that steals credentials, wallets, SSH keys and cloud secrets.
-
Ghost CMS flaw exploited in large-scale ClickFix campaign
A campaign is using a critical Ghost CMS SQL injection flaw to inject malicious JavaScript and drive ClickFix attacks, with researchers saying more than 700 domains were affected.
-
New Showboat Linux malware targeted telecom provider in Middle East, researchers say
Researchers say Showboat, a new Linux malware family, has targeted a telecommunications provider in the Middle East since at least mid-2022. The campaign also involved victims in Afghanistan, Azerbaijan, the United States and Ukraine.
-
Nine-year-old Linux kernel flaw can expose credentials and enable root access
Researchers disclosed a Linux kernel flaw that went unnoticed for nine years and could let a local attacker steal sensitive files or gain root access on some major distributions. Patches are available and a temporary workaround has also been outlined.
-
Hackers bypass SonicWall VPN MFA after incomplete patching
Threat actors bypassed MFA on SonicWall Gen6 SSL-VPN appliances in attacks between February and March, exploiting a flaw that stayed open on devices that were updated but not fully remediated, according to a ReliaQuest analysis.
-
Webworm adds Discord and Microsoft Graph backdoors in new 2025 campaign
Webworm used new backdoors in 2025 that relied on Discord and Microsoft Graph API for command and control, according to an ESET technical analysis. The group also expanded its proxy tools and targeted government and enterprise networks in Asia and Europe.
-
CISA left GitHub repo with passwords and keys exposed for six months
CISA left a public GitHub repository exposed for six months, revealing passwords, keys and tokens in production infrastructure files. GitGuardian found the leak on May 14 and the agency removed the repo the next day.
-
Linux kernel flaw gets proof of concept as distributions move on security fixes
Proof-of-concept code has been released for DirtyDecrypt, a Linux kernel flaw tied to CVE-2026-31635. The issue can allow local privilege escalation on systems with CONFIG_RXGK enabled, including some Fedora, Arch Linux, and openSUSE builds.