Crow's Nest - 2026-06-08

A roundup of 44 items curated from across the security community.

News

• UN food agency breach exposes 600,000 Gaza households by Nicolas Krassas.

The UN World Food Programme discloses a data breach affecting 600,000 households in Gaza.

• UNC3753 targets US law firms with vishing and physical intrusion by scriptjunkie (Matt).

Mandiant details UNC3753 using vishing and RMM tools for data extortion against US law firms, with some operators attempting in-person theft.

• CISA: SolarWinds Serv-U flaw now actively exploited by BleepingComputer.

CISA adds an actively exploited SolarWinds Serv-U vulnerability to the KEV catalog.

Techniques and Write-ups

• AI-powered self-replicating worm steals GPU compute to spread by thaddeus e. grugq.

A research paper demonstrates an AI worm that reasons its way through networks, steals compute from GPU machines to run its own LLM, and self-replicates across Linux, Windows, and IoT targets.

• CVE-2026-10880: Unauthenticated Blind SQLi in OSNEXUS QuantaStor.

OSNEXUS QuantaStor through v6.6.1 has an unauthenticated blind SQL injection in the login form. Attackers can recover stored password hashes one character at a time using differing login error responses, with no credentials required.

• VerdantBamboo deploys BRICKSTORM through compromised MSPs and firewalls by L0Psec.

Volexity details how VerdantBamboo breached an MSP to deploy BRICKSTORM across firewalls, NAS, and cloud storage devices, including a zero-day privilege escalation.

• New technique to detect Chrome incognito mode via Cache API by AndrewMohawk⁽ⁿᵘˡˡ⁾.

Writing tiny responses into a scratch Cache API cache reveals different metadata residue in normal vs. incognito Chrome, because incognito writes to memory instead of disk.

• Two bytes to RCE: chaining nginx Rift and PoolSlip by Giuseppe N3mes1s.

Verichains chains the nginx Rift and PoolSlip vulnerabilities together into a full remote code execution exploit.

• Unauth RCE as QSECOFR on IBM i via Management Central by /r/netsec.

Silent Signal finds an unauthenticated RCE as the system superuser on IBM i Management Central, exploiting a client-controlled verify flag on port 5555.

Tools and Exploits

• WASMForge: running full Sliver implants entirely in a WASM VM by Bad Sector Labs.

Praetorian shims all necessary host APIs to run complete implants with all logic inside a WebAssembly VM, demonstrated with Sliver.

• EDRChoker: choking the telemetry stream to bypass defenses by /r/netsec.

A technique for starving EDR of telemetry by throttling the stream, effectively blinding defenses without killing the agent.