Nostr notes by O RLY CYBER

(talosintelligence.com) Rethinking Vulnerability Prioritization: ...

2026-05-28T18:05:37Z

(talosintelligence.com) Rethinking Vulnerability Prioritization: Beyond CVSS to EPSS and Decentralized CVE Enrichment

New research challenges traditional vulnerability management, advocating for EPSS alongside CVSS to prioritize patching based on exploit likelihood rather than severity alone.

In brief - Vulnerability prioritization must evolve beyond CVSS to incorporate EPSS, which predicts exploitation probability within 30 days. Centralized databases like CISA’s KEV are limited; decentralized approaches such as GCVE offer faster, globally relevant enrichment. Cisco Talos’s EvidenceForge tool generates synthetic logs to enhance SOC training without compliance risks.

Technically - EPSS (Exploit Prediction Scoring System) complements CVSS by quantifying real-world exploitability, enabling risk-based patching. GCVE (Global CVE) decentralizes CVE enrichment, addressing delays in centralized sources like KEV. EvidenceForge leverages AI-assisted scenario authoring to produce temporally and causally consistent synthetic logs, improving detection validation and threat hunting without relying on sensitive datasets.

Source: https://blog.talosintelligence.com/less-panic-patching-more-precision/

#Cybersecurity #ThreatIntel

(picussecurity.com) NightSpire Ransomware: Analysis of Attack ...

2026-05-23T08:27:07Z

(picussecurity.com) NightSpire Ransomware: Analysis of Attack Chain, Tools, and Double Extortion Tactics

NightSpire ransomware, active since early 2025, employs double extortion by exfiltrating and encrypting data, targeting 64+ orgs across 33 countries. Uses RDP for access, legitimate tools for persistence/data theft, and Go-based encryptor for cross-platform attacks.

In brief - NightSpire is an emerging ransomware threat using double extortion, impacting global orgs via RDP access, remote admin tools, and cloud storage encryption. Affects healthcare, finance, and education sectors.

Technically - NightSpire leverages RDP for initial access, establishes persistence via Chrome Remote Desktop/AnyDesk, and uses Everything/7-Zip for file discovery/archiving. Exfiltrates data via MEGAsync to MEGA cloud. Go-based encryptor appends .nspire extension, uniquely encrypts OneDrive files in transit. Statically linked binaries aid static analysis. Simulate via Picus Security (Threat IDs: 79926, 95001).

Source: https://www.picussecurity.com/resource/blog/nightspire-ransomware-attack-chain-tools-and-tactics

#Cybersecurity #ThreatIntel

(picussecurity.com) UNC2891: Anatomy of a Sophisticated Bank ...

2026-05-22T13:10:04Z

(picussecurity.com) UNC2891: Anatomy of a Sophisticated Bank Heist Using CAKETAP Rootkit and Raspberry Pi-Based Attacks

UNC2891, a financially motivated threat group active since 2017, has executed sophisticated attacks on banking infrastructure using custom malware and physical access vectors. Their latest campaign in Q1 2025 involved planting a 4G-enabled Raspberry Pi on a bank’s network switch to bypass perimeter defenses, enabling ATM fraud via Payment HSM manipulation.

In brief - UNC2891 targets financial institutions with advanced Linux/Solaris malware, including the CAKETAP rootkit, to authorize fraudulent ATM withdrawals. A recent attack used a Raspberry Pi for initial access, highlighting evolving physical and digital threats to banking systems.

Technically - UNC2891 employs CAKETAP (Solaris kernel rootkit) to hook system calls like `mkdirat` and `ipcl_get_next_conn`, enabling stealthy C2 and network manipulation. SLAPSTICK (PAM backdoor) captures credentials, while TINYSHELL (backdoor) communicates over raw TCP (ports 53/443). Tools like WINGHOOK (keylogger) and STEELHOUND (in-memory dropper) facilitate credential harvesting and payload execution. The CAKETAP variant on ATM switches bypasses card/PIN verification by replaying HSM responses.

Source: https://www.picussecurity.com/resource/blog/unc2891-bank-heist-explained-caketap-rootkit-and-raspberry-pi-attack

#Cybersecurity #ThreatIntel

(domaintools.com) ZionSiphon: A Conceptually Mature but ...

2026-05-21T19:32:15Z

(domaintools.com) ZionSiphon: A Conceptually Mature but Functionally Constrained ICS-Targeting Malware with Critical Execution Flaws

New ICS-targeting malware ZionSiphon (SCADA_SecurityPatch_v8.4.exe) exposes critical gaps between cyber-physical attack intent and execution. Despite sophisticated water-sector targeting logic—including chlorine dosing and reverse osmosis control references—it fails due to a fatal XOR bug in geofencing validation, preventing activation in Israeli IP ranges (2.52.0.0/14, 5.28.0.0/16).

In brief - ZionSiphon demonstrates modular ICS malware development by Iranian-aligned actors, but its non-operational state and lack of C2 channels limit immediate risk. The malware’s dual-use nature—combining technical sabotage with psychological operations—highlights evolving cyber-physical threat tactics.

Technically - The PE32/.NET implant executes at the Windows host layer, leveraging PowerShell (Start-Process -Verb RunAs), registry persistence (Run\SystemHealthCheck), and static ICS configuration paths (e.g., C:\ChlorineControl.dat). It lacks native ICS protocol support (Modbus/DNP3/S7comm) and PLC interaction, relying on pre-scripted logic. USB propagation strings (CreateUSBShortcut) were observed but unconfirmed. Detection relies on generic Windows behaviors, as no engines flag it as ICS-specific.

Source: https://dti.domaintools.com/research/threat-intelligence-report-zionsiphon

#Cybersecurity #ThreatIntel

(safedep.io) Megalodon Campaign: Large-Scale GitHub Repository ...

2026-05-21T16:41:23Z

(safedep.io) Megalodon Campaign: Large-Scale GitHub Repository Backdooring via Malicious CI Workflows

New large-scale supply chain attack, *Megalodon*, backdoored 5,561 GitHub repos via malicious CI workflows. Attackers injected 5,718 commits with base64-encoded bash payloads exfiltrating CI secrets, cloud creds (AWS/GCP/Azure), SSH keys, and OIDC tokens to C2 (216.126.225.129:8443).

In brief - A sophisticated campaign compromised GitHub repos using forged identities and CI workflows, leading to widespread secret exfiltration and npm package poisoning. Two payload variants enabled both mass-scale and targeted attacks, with elevated permissions facilitating cloud identity theft.

Technically - Attackers leveraged GitHub Actions workflows with two variants: *SysDiag* (automatic trigger on push/pull_request_target) and *Optimize-Build* (dormant, workflow_dispatch-triggered). Payloads used base64-encoded bash scripts to harvest env vars, credential files, AWS CLI/gcloud/IMDS outputs, and 30+ secret types via regex. Anti-forensic measures included error suppression, random sleeps, and cleanup traps. Elevated permissions (id-token: write, actions: read) enabled OIDC token theft and cloud impersonation.

Source: https://safedep.io/megalodon-mass-github-repo-backdooring-ci-workflows

#Cybersecurity #ThreatIntel

(qianxin.com) Large-Scale Compromise of Ghost CMS via ...

2026-05-21T12:42:34Z

(qianxin.com) Large-Scale Compromise of Ghost CMS via CVE-2026-26980 Fuels ClickFix Malware Campaigns

Active exploitation of CVE-2026-26980 (Ghost CMS SQLi) enables large-scale ClickFix malware campaigns via Admin API key theft and article poisoning.

In brief - Attackers exploit CVE-2026-26980 to steal Ghost CMS Admin API keys, injecting malicious JavaScript into 700+ sites. Users are tricked via FakeCaptcha/ClickFix into executing stealer trojans (Rust/Electron-based). Two threat actor groups compete in this automated, multi-stage campaign.

Technically - CVE-2026-26980 (SQLi) allows unauthenticated Admin API key exfiltration. Malicious JS (two-stage loader) decodes base64 URLs to fetch cloaking scripts (e.g., clo4shara[.]xyz), redirecting victims to forged Cloudflare pages. Payloads include installer.dll (Rust) and UtilifySetup.exe (Electron), with persistence. Attackers use dynamic C2 domains (e.g., com-apps[.]cc) and cloaking to evade detection.

Source: https://blog.xlab.qianxin.com/ghost-cms-mass-compromised-via-cve-2026-26980-now-fueling-clickfix-attacks/

#Cybersecurity #ThreatIntel

(socket.dev) Sophisticated iOS Exploit Delivery via Compromised ...

2026-05-21T00:30:34Z

(socket.dev) Sophisticated iOS Exploit Delivery via Compromised npm Package: Analysis of the Coruna Exploit Kit Watering Hole Attack

Newly uncovered watering hole campaign by UNC6691 delivers Coruna exploit kit via compromised npm package `art-template` (v4.13.5/6), targeting iOS 11.0–17.2. Exploit framework employs multi-stage WASM payloads, anti-bot fingerprinting, and session-key-gated content addressing.

In brief - A Chinese threat actor exploited a hijacked npm package to inject malicious scripts, redirecting iOS users to a watering hole site hosting the Coruna exploit kit. The attack leverages supply chain compromise, advanced obfuscation, and version-specific payloads to target non-auto-updating iPhones.

Technically - The `art-template` compromise injects a script loader fetching `49554fde7424c31c.js`, a heavily obfuscated implant (UTF-16 packing, XOR encoding, eval chains) that enforces strict browser/OS checks. The Coruna framework uses WebRTC/WebGL fingerprinting, IndexedDB Blob tests, and WASM proof-of-work to validate targets before delivering architecture-specific payloads (ARM64/ARM64_32). Content-addressed URLs derive from session-key hashing, and C2 domains overlap with prior Coruna activity.

Source: https://socket.dev/blog/coruna-respawned-compromised-art-template-npm-package

#Cybersecurity #ThreatIntel

(paloaltonetworks.com) TamperedChef-Style Malware: The Stealthy ...

2026-05-20T10:55:50Z

(paloaltonetworks.com) TamperedChef-Style Malware: The Stealthy Threat of Trojanized Productivity Applications

New analysis reveals TamperedChef-style malware campaigns leveraging trojanized productivity apps (PDF editors, calendars) via malvertising. Three clusters (CL-CRI-1089, CL-UNK-1090, CL-UNK-1110) identified since 2024, with 4K+ samples and 100+ variants delivering info-stealers/RATs after delayed activation.

In brief - TamperedChef malware uses legitimate-looking apps distributed via malicious ads to deploy stealthy payloads (info-stealers, RATs) after extended dormancy. Threat actors abuse code signing and vertical integration to evade detection, with global reach and no specific targeting.

Technically - Malware employs code-signing abuse, frequent binary rebuilding, and persistence via scheduled tasks/registry Run keys. Clusters CL-CRI-1089 (high TTP variability) and CL-UNK-1090 (vertical integration) demonstrate distinct operational traits. Payloads include adware, browser hijackers, and RATs, activated after weeks/months of dormancy. Tracking via certs/ad transparency reveals shell company networks.

Source: https://unit42.paloaltonetworks.com/tracking-tampered-chef-clusters/

#Cybersecurity #ThreatIntel

(wiz.io) TeamPCP Supply Chain Attack: Compromise of DurableTask ...

2026-05-19T19:15:52Z

(wiz.io) TeamPCP Supply Chain Attack: Compromise of DurableTask Python Packages Unleashes Multi-Cloud Credential Theft and Worm Propagation

New supply chain attack by TeamPCP: Compromised Microsoft DurableTask Python packages (v1.4.1–1.4.3) deploy rope.pyz malware targeting Linux. Credential theft (AWS/Azure/GCP/K8s/Vault) + lateral movement via AWS SSM/Kubernetes. Worm-like propagation with 5-target limit per host. C2: check.git-service.com, t.m-kosche.com.

In brief - TeamPCP compromised official DurableTask Python packages to distribute malware stealing cloud/K8s credentials and enabling lateral movement across multi-cloud environments. Immediate credential rotation and C2 blocking recommended.

Technically - Malware (rope.pyz) injected into __init__.py/task.py, persists via ~/.cache/.sys-update-check. Harvests credentials from env vars, .bash_history/.zsh_history, and password managers (Bitwarden/1Password/GPG). Uses AWS SSM (SendCommand) and kubectl exec for lateral movement. Exfil via /v1/models, /audio.mp3. IoCs: rope.pyz hashes, /tmp/managed.pyz, /tmp/rope-*.pyz. RSA Key B for encryption.

Source: https://www.wiz.io/blog/durabletask-teampcp-supply-chain-attack

#Cybersecurity #ThreatIntel

(quarkslab.com) Exploiting Unauthenticated Access in GPON OLTs to ...

2026-05-19T18:11:57Z

(quarkslab.com) Exploiting Unauthenticated Access in GPON OLTs to Compromise ISP Infrastructure

Critical vulnerabilities in GPON OLTs and Cloud EMS fleet management systems enable unauthenticated network takeover, exposing ISP infrastructure globally.

In brief - Unauthenticated RCE flaws in VSOL GPON OLTs and Cloud EMS allow full ISP network compromise via command injection, arbitrary file upload, and default credentials. Attackers can pivot from a single OLT to cloud-based fleet managers, risking mass surveillance, data theft, or service disruption.

Technically - Key vulnerabilities include: (1) SNMP command injection via OIDs 1.3.6.1.4.1.37950.1.1.5.10.12.33.1-3 (newline bypass); (2) TACACS+ auth RCE via /action/main.html; (3) Web traceroute RCE via /action/tracert.html; (4) Cloud EMS arbitrary file upload (/uploadBUFile) for JSP webshells; (5) Info leakage via /systemMonitoring/getSystemCpuAndMem. Default creds (admin/Xpon@Olt9417#) and Docker socket access enable privilege escalation. Stored XSS, buffer overflows, and OMCI-based ONT attacks also identified.

Source: http://blog.quarkslab.com/how-olts-may-have-exposed-entire-isp-networks.html

#Cybersecurity #ThreatIntel

(microsoft.com) Fox Tempest: Disruption of a ...

2026-05-19T16:09:33Z

(microsoft.com) Fox Tempest: Disruption of a Malware-Signing-as-a-Service Operation Enabling Ransomware and Cybercrime

Microsoft DCU disrupted Fox Tempest, a Malware-Signing-as-a-Service (MSaaS) operator abusing Microsoft Artifact Signing to issue 72-hour code-signing certs for ransomware & malware (e.g., Rhysida, Oyster backdoor). Over 1K certs revoked, hundreds of Azure tenants dismantled.

In brief - Fox Tempest ran an MSaaS platform enabling cybercriminals to sign malware via fraudulent Microsoft-issued certificates, facilitating ransomware attacks across healthcare, education, and government sectors. Microsoft’s DCU disrupted the operation, revoking certificates and seizing infrastructure.

Technically - Fox Tempest exploited Microsoft Artifact Signing to generate short-lived code-signing certificates, distributing them via signspace[.]cloud and later pre-configured Cloudzy VMs. Customers (including Vanilla Tempest, Storm-0501) used signed payloads in malvertising/SEO poisoning campaigns, deploying Rhysida ransomware and Lumma Stealer. Mitigations include Microsoft Defender’s cloud protection, Safe Links, and tamper protection.

Source: https://www.microsoft.com/en-us/security/blog/2026/05/19/exposing-fox-tempest-a-malware-signing-service-operation/

#Cybersecurity #ThreatIntel

(sucuri.net) Effective Triage and Response Strategies for Data ...

2026-05-18T21:11:45Z

(sucuri.net) Effective Triage and Response Strategies for Data Breaches: Protecting Credentials and Securing Websites

Credential exposure in data breaches demands immediate, structured response—credential stuffing and session hijacking risks escalate rapidly.

In brief - Breach notifications require tailored triage: verify legitimacy, assess credential blast radius, rotate secrets, enforce phishing-resistant MFA, and audit admin access. Personal data exposure risks SIM-swap and identity theft; proactive measures like credit freezes mitigate fallout.

Technically - Cross-reference breach alerts with Have I Been Pwned or state portals to avoid phishing lures. For compromised credentials, map reuse across CMS (e.g., WordPress), hosting panels, and repos. Rotate passwords, regenerate session-binding secrets (e.g., WordPress salts), and invalidate active sessions. Enable MFA with hardware keys or passkeys. For web assets, scan for malware (e.g., SocGholish), audit hidden admin accounts, and review access logs for anomalies. Implement WAFs and file integrity checks to counter automated attacks targeting endpoints like /wp-admin.

Source: https://blog.sucuri.net/2026/05/what-to-do-when-a-third-party-data-breach-puts-your-website-at-risk.html

#Cybersecurity #ThreatIntel

(hiddenlayer.com) AI-Powered Code Assistants as Vectors for ...

2026-05-10T14:01:35Z

(hiddenlayer.com) AI-Powered Code Assistants as Vectors for Self-Propagating Prompt Injection Attacks: The CopyPasta License Threat

New AI-powered code assistants like Cursor are being exploited via the CopyPasta License Attack—a self-propagating prompt injection technique that embeds malicious instructions in software licenses. Threat actors use hidden markdown comments and adversarial prompt engineering (HL03.04, HL03.09) to trick AI models into spreading payloads across codebases, risking backdoors, data exfiltration, or resource abuse.

In brief - AI coding tools are vulnerable to a novel attack vector where malicious instructions disguised as licenses propagate automatically, compromising development environments and supply chains.

Technically - The CopyPasta License Attack leverages Imperative Emphasis and Syntax-Based Input manipulation in README files to hijack AI assistants (Cursor, Windsurf, Kiro, Aider). Infected templates force the AI to insert payloads into generated code, evading detection via obfuscation. This builds on Morris II AI worm concepts but targets code generation agents with higher practical impact.

Source: https://www.hiddenlayer.com/research/prompts-gone-viral-practical-code-assistant-ai-viruses

#Cybersecurity #ThreatIntel

(microsoft.com) Critical Vulnerabilities in Microsoft Semantic ...

2026-05-07T22:40:45Z

(microsoft.com) Critical Vulnerabilities in Microsoft Semantic Kernel: From Prompt Injection to Remote Code Execution

Critical vulnerabilities in Microsoft Semantic Kernel (CVE-2026-25592, CVE-2026-26030) enable prompt injection to escalate to host-level RCE or arbitrary file writes, exposing systemic risks in AI agent frameworks.

In brief - Two CVEs in Microsoft Semantic Kernel demonstrate how prompt injection can bypass security boundaries, leading to RCE or file writes. Patched via responsible disclosure, but highlights urgent need for secure AI agent architectures.

Technically - CVE-2026-26030 exploits unsafe string interpolation in the In-Memory Vector Store’s filter functionality, allowing `eval()`-based RCE via crafted prompts. CVE-2026-25592 abuses exposed `DownloadFileAsync` in the .NET SDK to write files to arbitrary locations, including Startup folders. Exploit chains involve AST traversal and sandbox escape. Mitigations: upgrade, AST allowlists, and tool exposure restrictions. Detection queries provided for post-exploitation activity.

Source: https://www.microsoft.com/en-us/security/blog/2026/05/07/prompts-become-shells-rce-vulnerabilities-ai-agent-frameworks/

#Cybersecurity #ThreatIntel

(calif.io) CVE-2026-7270: Root Privilege Escalation in FreeBSD ...

2026-05-07T19:27:57Z

(calif.io) CVE-2026-7270: Root Privilege Escalation in FreeBSD via Kernel Memory Corruption in execve()

New critical LPE in FreeBSD: CVE-2026-7270 enables root access via a one-character error in `execve()` kernel handling. Exploit targets `sshd-session` with `LD_PRELOAD` injection through a race condition.

In brief - CVE-2026-7270 is a local privilege escalation flaw in FreeBSD (since 2013) caused by a sign error in `execve()` memory handling. Attackers can corrupt kernel memory during shebang script execution, inject `LD_PRELOAD`, and gain root via `sshd-session`. Affects default installations.

Technically - The bug in `sys/kern/kern_exec.c` (`exec_args_adjust_args`) miscalculates `memmove` size (`+ consume` instead of `- consume`), causing a 2,024-byte overflow into an adjacent `exec_map` entry. Exploit preseeds kernel memory at offset 265,166 bytes to replace `sshd-session` environment with `LD_PRELOAD=/tmp/evil.so`. Race condition optimized via fragmented argument strings to slow `execve` calls. Challenges include avoiding `MADV_FREE` under memory pressure and a 3.1% panic risk. PoC achieves root in seconds.

Source: https://blog.calif.io/p/cve-2026-7270-how-i-get-root-on-freebsd

#Cybersecurity #ThreatIntel

(cyberscoop.com) Former Incident Responders Sentenced to Prison ...

2026-04-30T23:53:35Z

(cyberscoop.com) Former Incident Responders Sentenced to Prison for Orchestrating ALPHV/BlackCat Ransomware Attacks

Two former cybersecurity professionals, Ryan Clifford Goldberg and Kevin Tyler Martin, sentenced to 4 years for orchestrating ALPHV/BlackCat ransomware attacks. Insiders exploited IR and negotiation roles to extort U.S. medical, pharma, and engineering firms.

In brief - Former incident responders abused trusted roles to deploy ALPHV/BlackCat ransomware, targeting critical sectors. Case highlights insider threats in cybersecurity and risks in ransomware negotiation practices.

Technically - Attackers leveraged ALPHV/BlackCat ransomware, known for healthcare sector targeting, to encrypt systems and exfiltrate data. Coordinated with negotiator Angelo John Martino III to maximize extortion. Demonstrates operational risks of insiders with privileged access and challenges in detecting such threats.

Source: https://cyberscoop.com/incident-responders-ryan-goldberg-kevin-martin-sentenced-ransomware/

#Cybersecurity #ThreatIntel

(wiz.io) Critical RCE Vulnerability in GitHub's Git ...

2026-04-28T16:31:05Z

(wiz.io) Critical RCE Vulnerability in GitHub's Git Infrastructure Discovered via AI-Augmented Reverse Engineering

Critical RCE vulnerability (CVE-2026-3854) in GitHub's git infrastructure allowed authenticated users to execute arbitrary commands on backend servers via a single git push. Affects GitHub.com and GitHub Enterprise Server (GHES), enabling cross-tenant exposure or full server compromise.

In brief - Wiz Research discovered CVE-2026-3854, a critical injection flaw in GitHub's X-Stat protocol, enabling RCE on GitHub.com and full compromise of GHES instances. GitHub patched the issue within hours, highlighting risks in multi-service architectures and AI-augmented vulnerability research.

Technically - The flaw (CVE-2026-3854) exploited unsanitized semicolons in git push options to inject arbitrary fields into the X-Stat header, overriding security-critical metadata (e.g., rails_env, custom_hooks_dir). This enabled sandbox bypass, hook directory redirection, and malicious hook injection via path traversal. On GHES, it granted full server access; on GitHub.com, RCE on shared storage nodes. Discovery leveraged AI-augmented reverse engineering tools like IDA MCP for binary analysis.

Source: https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854

#Cybersecurity #ThreatIntel

(recordedfuture.com) AI's Evolving Impact on Vulnerability ...

2026-04-22T15:30:41Z

(recordedfuture.com) AI's Evolving Impact on Vulnerability Discovery, Exploit Development, and Defensive Prioritization

AI is compressing the window between vulnerability disclosure and exploitation, with ~29% of 2025 KEVs exploited on or before CVE publication. Defenders must adapt to AI-accelerated threat timelines or face heightened risk.

In brief - AI is reducing exploit development time, increasing the urgency for automated, exploitability-based vulnerability prioritization. Organizations must shift from manual triage to AI-enabled risk scoring and accelerated patching to counter shrinking time-to-exploit.

Technically - AI models (e.g., Anthropic’s Mythos, OpenAI LLMs) are enhancing multi-step attack simulations and PoC generation, driving exploit timelines from days to hours. Recorded Future tracked only 446 exploited CVEs in 2025 despite ~50K disclosures. Defenders should adopt real-time exploitability scoring, Nuclei-based active exploitation detection, and DevSecOps integration. Automated remediation requires human oversight for high-impact actions, particularly for zero-day or patch-unavailable scenarios.

Source: https://www.recordedfuture.com/blog/ai-hype-vs-reality

#Cybersecurity #ThreatIntel

(akamai.com) Active Exploitation of D-Link DIR-823X Command ...

2026-04-21T19:07:03Z

(akamai.com) Active Exploitation of D-Link DIR-823X Command Injection Vulnerability Deploys Mirai Botnet Variant

Active exploitation of CVE-2025-29635 (command injection in D-Link DIR-823X routers) detected, deploying Mirai variant 'tuxnokill.'

In brief - Threat actors are exploiting a critical command injection flaw in end-of-life D-Link DIR-823X routers to deploy the 'tuxnokill' Mirai botnet variant. Organizations should retire vulnerable devices or apply patches immediately.

Technically - CVE-2025-29635 affects D-Link DIR-823X firmware versions 240126/24082, enabling unauthenticated RCE via crafted POST requests to /goform/set_prohibiting (macaddr parameter). The 'tuxnokill' Mirai variant uses XOR encoding (key 0x30), targets multiple architectures, and communicates with C2 64.89.161.130:44300. Hard-coded strings include 'AI.NEEDS.TO.DIE' and 'segmentation fault (core dumped).' IOCs: downloader IP 88.214.20.14, five SHA256 hashes, and Snort/YARA rules available.

Source: https://www.akamai.com/blog/security-research/2026/apr/cve-2025-29635-mirai-campaign-targets-d-link-devices

#Cybersecurity #ThreatIntel

(zsec.uk) Autonomous LLM-Driven Vulnerability Hunting at Scale: ...

2026-04-04T12:13:40Z

(zsec.uk) Autonomous LLM-Driven Vulnerability Hunting at Scale: Architecture, Methodology, and Discovered Zero-Days

New research details an autonomous LLM-driven vulnerability hunting system using Claude Code and Model Context Protocol (MCP), uncovering multiple zero-days including critical Go standard library flaws and a four-stage OEM exploit chain.

In brief - A security researcher built an end-to-end autonomous system integrating 300+ tools across five VMs, discovering confirmed CVEs (CVE-2026-33809, CVE-2026-33812) and a complex OEM service exploit chain achieving SYSTEM execution. The system eliminates false positives through a rigorous multi-gate validation pipeline.

Technically - The architecture leverages FastMCP-based Python servers for SSH/WinRM, Proxmox VM orchestration, Ghidra/radare2/Frida RE, grammar-based fuzzing (WinAFL, Jackalope, DynamoRIO), and FAISS-backed RAG. Key findings: CVE-2026-33809 (Go TIFF parsing OOM via unchecked IFD offset), CVE-2026-33812 (Go SFNT font parsing OOM via unchecked uint16 class count), and an OEM exploit chain combining WCF named pipe auth bypass, SSRF, catalog injection, and BYOVD for SYSTEM execution. Validation requires PoC compilation, clean-VM crash reproduction, and exploitability confirmation.

Source: https://blog.zsec.uk/bullyingllms/

#Cybersecurity

(mend.io) Poisoned Axios: npm Account Takeover Delivers ...

2026-03-31T08:02:52Z

(mend.io) Poisoned Axios: npm Account Takeover Delivers Cross-Platform RAT via Supply Chain Attack

Critical npm supply chain attack: Threat actors compromised the axios maintainer account, publishing malicious versions (1.14.1, 0.30.4) with hidden plain-crypto-js v4.2.1 dependency. This delivered a cross-platform RAT via postinstall hook, impacting macOS, Windows, and Linux developers.

In brief - Compromised npm credentials for axios (50M+ weekly downloads) led to malicious package versions deploying a RAT. Affected systems must be treated as compromised; rotate all credentials immediately.

Technically - The plain-crypto-js v4.2.1 package executed an obfuscated JavaScript dropper (setup.js) using XOR cipher (key: 'OrDeR_7007'), base64, and string reversal. It contacted C2 at http://sfrclak.com:8000/6202033, delivering platform-specific payloads: Mach-O RAT (SHA256: 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a) on macOS, PowerShell via VBScript on Windows, and Python on Linux. The macOS RAT supports peinject, runscript, rundir, and kill commands, beaconing every 60s. Post-execution cleanup removed forensic artifacts.

Source: https://www.mend.io/blog/poisoned-axios-npm-account-takeover-50-million-downloads-and-a-rat-that-vanishes-after-install/

#Cybersecurity #ThreatIntel