Risk
-
KelpDAO says $290 million crypto heist tied to suspected Lazarus hackers
KelpDAO said a $290 million crypto theft likely tied to North Korea’s Lazarus Group hit its rsETH system on Saturday. The incident also prompted Aave to freeze rsETH-related activity while investigators examined the cross-chain attack.
-
Critical SGLang flaw can enable remote code execution
A critical flaw in SGLang, tracked as CVE-2026-5760 and rated 9.8, could allow remote code execution through a crafted model file and the /v1/rerank endpoint, according to a CERT/CC advisory.
-
Researchers flag MCP design flaw that could enable remote code execution
Researchers said a design flaw in Anthropic’s Model Context Protocol could allow remote code execution across thousands of servers and packages, exposing sensitive data and widening AI supply chain risk.
-
Researchers flag ZionSiphon malware aimed at Israeli water systems
Researchers say ZionSiphon is a new malware sample aimed at Israeli water systems, with code for persistence, scanning and sabotage. The unfinished malware was first seen in the wild in June 2025.
-
Vercel says breach linked to third-party AI tool exposed limited customer credentials
Vercel said a breach tied to a third-party AI tool exposed access to some internal systems and affected a limited subset of customers. The company said sensitive environment variables were not known to be accessed and urged credential rotation.
-
Critical protobuf.js flaw enables JavaScript code execution
A critical flaw in protobuf.js can let attackers execute JavaScript code through malicious schemas, with a proof-of-concept now public. The issue affects versions 8.0.0 and 7.5.4 and earlier, and patched releases are available.
-
Mirai variant Nexcorium targets TBK DVRs and outdated TP-Link routers
Threat actors are exploiting flaws in TBK DVR devices and unsupported TP-Link routers to spread a Mirai variant called Nexcorium, according to a Fortinet technical analysis and a Unit 42 disclosure. The malware adds persistence, brute-force and DDoS functions.
-
Global police seize 53 domains in DDoS-for-hire crackdown
Police in 21 countries seized 53 domains and arrested four people in Operation PowerOFF, a crackdown on DDoS-for-hire services used by more than 75,000 cybercriminals and tied to databases with over 3 million accounts.
-
CISA adds Apache ActiveMQ flaw CVE-2026-34197 to exploited list
CISA says a high-severity Apache ActiveMQ Classic flaw, CVE-2026-34197, is being exploited in the wild. The agency added it to its Known Exploited Vulnerabilities catalog and ordered federal fixes by April 30.
-
Researchers spot PowMix botnet targeting Czech workers
Researchers said the PowMix botnet has targeted workers in the Czech Republic since at least December 2025. The malware uses phishing-style ZIP files, in-memory execution and jittered command traffic to avoid detection.
