Research
-
Malicious node-ipc versions found stealing cloud and developer secrets
Three malicious node-ipc npm versions were found stealing developer and cloud secrets, according to a technical analysis by Socket. The code targets dozens of credential types and uses a direct exfiltration path to a fake Azure domain.
-
Ghostwriter targets Ukrainian government entities in fresh phishing campaign
Ghostwriter has been tied to new attacks on Ukrainian government entities since March 2026, using malicious PDFs, geofencing checks and a JavaScript version of PicassoLoader to deliver Cobalt Strike, according to an ESET technical analysis.
-
PraisonAI flaw was probed within hours of public disclosure
Attackers began probing PraisonAI for a disclosed authentication bypass within hours of the disclosure, according to Sysdig. The flaw affects versions 2.5.6 through 4.6.33 and was patched in 4.6.34.
-
Two new Windows zero-days expose BitLocker and CTFMON flaws
A technical disclosure says two new Windows zero-days can bypass BitLocker in recovery mode and may enable privilege escalation in CTFMON, adding to a recent run of Microsoft security issues.
-
New Fragnesia Linux flaw can grant root access, researchers say
Fragnesia is a new Linux kernel local privilege escalation flaw that can grant root access, according to a technical analysis. The issue affects the XFRM ESP-in-TCP subsystem and has prompted advisories from multiple Linux distributions.
-
MuddyWater hackers targeted South Korean electronics maker in broad espionage campaign
MuddyWater targeted at least nine organizations in a cyberespionage campaign that included a major South Korean electronics maker, government agencies and an airport, according to Symantec. The group relied on DLL sideloading alongside PowerShell and other legitimate tools.
-
Researchers say GemStuffer abused more than 150 RubyGems to store scraped council data
Researchers said GemStuffer abused more than 150 RubyGems packages to store scraped data from U.K. council portals, using the registry as an exfiltration channel and raising questions about package registry abuse.
-
China-linked hackers hit Azerbaijani energy firm in repeated Exchange intrusions
A China-linked group targeted an Azerbaijani oil and gas firm in three waves between late December 2025 and late February 2026, repeatedly using the same Exchange Server entry point and swapping backdoors, according to a Bitdefender analysis.
-
New TrickMo variant uses TON for Android command control, researchers say
Researchers say a new TrickMo Android trojan variant used TON for command and control and targeted banking and crypto wallet users in France, Italy and Austria. The malware added network reconnaissance, SSH tunnelling and SOCKS5 proxying features.
-
Attackers exploit cPanel flaw to deploy Filemanager backdoor
Attackers linked to Mr_Rot13 are exploiting CVE-2026-41940 in cPanel and WHM to install the Filemanager backdoor, with more than 2,000 source IPs seen in activity, according to a technical analysis by QiAnXin XLab.