A roundup of 292 items curated from across the security community.
News
For the second time in weeks, official Microsoft packages were found laced with credential-stealing malware, raising serious questions about supply chain integrity in the Microsoft ecosystem.
AI facial recognition identified Jalil Richardson with only 85% accuracy. Police never checked his alibi. He spent months in prison and lost his job, home, and child custody before police admitted the AI was wrong.
- Unpatched Firefox Focus Universal XSS 0-Day by Simone Margaritelli.
An unpatched universal XSS vulnerability in Firefox Focus allows any website to execute arbitrary JavaScript in the context of another origin. No fix is currently available.
- NSO Group Hacking WhatsApp Despite Court Order by Bruce Schneier.
WhatsApp caught NSO Group phishing its users in violation of a court order. The spyware vendor continued targeting users even after legal action explicitly barred such activity.
- Chinese Tracking Device Found in UK Prime Minister’s Car by Florian Roth.
A Chinese-manufactured tracking device was discovered embedded in the UK Prime Minister’s official vehicle, raising fresh concerns about supply chain surveillance risks in government fleets.
A Scripted REST API endpoint in ServiceNow required no authentication and logged activity under a Guest user. The endpoint had been in this state since at least 2018 and was only patched when reports surfaced of suspicious access across multiple customer tenants.
An attacker posed as a trusted maintainer and adopted orphaned AUR packages, infecting nearly 900 Arch Linux packages with infostealer malware and a rootkit in one of the largest supply chain attacks on the AUR.
More this week (52)
- RT Brian in Pittsburgh: I absolutely hate how effective campaigns that use targeted phone-based social engineering to get users to run legitimate util… by thaddeus e. grugq.
- Over 20,000 Instagram accounts stolen in Meta AI support hack https://www.bleepingcomputer.com/news/security/meta-ai-support-data-breach-affects-20-00… by BleepingComputer.
- Measuring LLMs’ Impact on N-Day Exploits by Nicolas Krassas.
- 2026 Verizon DBIR: vulnerability exploitation overtakes stolen credentials as #1 breach entry point for the first time in 19 years https://www.verizon… by Nicolas Krassas.
- Shai-Hulud Attack Trojanizes 19 Science-Focused PyPI Packages by Nicolas Krassas.
- Gogs Patches Critical Zero-Day Enabling Remote Code Execution by Nicolas Krassas.
- Microsoft Defender Now Monitors RPC Activity by SwiftOnSecurity.
- Gamaredon Exploits Old WinRAR Flaw in Attacks on Ukraine by SwitHak.
- Record-Breaking June 2026 Patch Tuesday: 200 Vulnerabilities.
- One of my job’s greatest joys is being forced to use hacker tool names in technical reports. by Jason Lang.
- RT Nextron Research : Did you know curl can be used to leak your NTLM hash with a simple one-liner on your Windows machine? Mind you, curl is avai… by Florian Roth.
- RT Nebula Security: We disclosed another Nginx RCE to F5 two weeks ago, along with a proposed patch, and have not yet received a response. This vulner… by Simone Margaritelli.
- RT James Kettle: Woo, I can confirm “Can AI Do Novel Security Research? Meet the HTTP Terminator” is coming to @defcon! This research was a huge gambl… by Gareth Heyes.
- Krebs: Who Runs the Ransomware Group ‘The Gentlemen’?
- CISA Directive to Reshape Agency Cyber Risk Prioritization by Caleb Gross.
- Starseer AI: For the first time in 19 years, vulnerability exploitation is the #1 breach entry point. Not credentials. Not phishing. Software flaws, hit within hours of disclosure because AI compresse by Josh.
- RT drm: (near) Instant dumping of the Bitlocker VMK using @SipeedIO #SLogic16U3 and #ngscopeclient. Full disclosure: I know nothing about C++, fi… by scriptjunkie (Matt).
- Aikido Security: We detected a supply-chain compromise in onering 1.4.1, a Rust crate on http://crates.io with 18,000+ downloads. The latest version uses a malicious http://build.rs script to quietly by vx-underground.
- Azure Attestation Metrics Vulnerable to Spoofing (CVE-2026-45642) by AndrewMohawk⁽ⁿᵘˡˡ⁾.
- The ‘Miasma’ worm source code briefly leaked on GitHub https://www.bleepingcomputer.com/news/security/the-miasma-worm-source-code-briefly-leaked-on-… by BleepingComputer.
- ServiceNow discloses security incident exposing customer data https://www.bleepingcomputer.com/news/security/servicenow-discloses-security-incident-ex… by BleepingComputer.
- GitHub Announces npm Security Changes for Supply Chain Defense by Nicolas Krassas.
- It will be interesting to see how The Gentlemen respond to having their dear overlord identified in real life. Already there is some butthurt on the group’s threads across a couple of RU hacker forums.
- apple-zlib: uninitialized memory leak during decompression in inflate https://project-zero.issues.chromium.org/issues/488250572 by Project Zero Bugs.
- APT28 Arsenal Evolution: From Early Days to Current Operations by SwitHak.
- Signal Opposes UK Bulk Device Scanning Mandate by Alex Plaskett.
- RT Coiffeur: No infoleak. No memory disclosure. Just collected libc mappings and a bit of statistics. Even if ASLR was technically random it just had … by kmkz.
- AI PCB Vendor Threatens Adafruit with CFAA Over Vuln Disclosure by lcamtuf.
- The Senate Judiciary Committee chairman is demanding answers from CISA about an alarming data exposure incident wherein a contractor leaked oodles of internal CISA passwords – including multiple AWS.
- DOJ Seizes 13 Domains Used by Chinese Agents to Recruit Clearance Holders by thaddeus e. grugq.
- Maine disables data breach notification portal after fake disclosures https://www.bleepingcomputer.com/news/security/maine-disables-data-breach-notifi… by BleepingComputer.
- Pharma giant Novo Nordisk discloses breach of clinical trials data https://www.bleepingcomputer.com/news/security/pharmaceutical-giant-novo-nordisk-di… by BleepingComputer.
- Tchap data breach affects over 73,000 French govt employees https://www.bleepingcomputer.com/news/security/french-govt-says-tchap-breach-affected-over… by BleepingComputer.
- Coupang hit with record $409 million data breach fine in Korea https://www.bleepingcomputer.com/news/security/south-korea-hits-coupang-with-record-409… by BleepingComputer.
- Misconfigured Tor hidden services leak IP addresses and server data https://cyberinsider.com/misconfigured-tor-hidden-services-leak-ip-addresses-and-s… by Nicolas Krassas.
- PromptSnatcher: Ad Blocker Extension Stealing AI Chat Data by /r/netsec.
- The Axios npm compromise was visible in registry metadata before anyone ran npm install https://autodoc.bearblog.dev/how-30-seconds-of-metadata-would-… by /r/netsec.
- 23 Chrome Extensions Hijack 758K Users’ Searches by /r/netsec.
- People using Arch Linux should probably pay attention to this More than 1,500 AUR packages were reportedly modified in a supply-chain compromise The m… by Florian Roth.
- The 90-Day Disclosure Policy Is Dead by Swissky.
- Fake “Free GPT and Claude” Malware Packs InfoStealer with XMRig by vx-underground.
- Council of Europe Breached: 297 GB of HR and Payroll Data Compromised by Bobby Cooke.
- PRC-Linked Spies Lurked in Medical and Military Networks for Over a Year by Nicolas Krassas.
- Supply-Chain Attack Hits OptinMonster WordPress Plugin (1.2M Sites) by Nicolas Krassas.
- Handala Hacking Group Claims Breach of California Water Service by Nicolas Krassas.
- The Instructure Canvas Breach: XSS in a Support Ticket Compromised 275M Students by Nicolas Krassas.
- WordPress Plugin Scripts Tampered to Plant Hidden Backdoors by Nicolas Krassas.
- 152 Chrome Wallpaper Extensions Linked to Adware and Fake Traffic by Nicolas Krassas.
- French Government Messaging Platform Breached by “Misere” Hacker by Nicolas Krassas.
- Novo Nordisk Says Hackers Breached IT Systems by Nicolas Krassas.
- The FCC Wants to Eliminate Burner Phones by Nicolas Krassas.
- FBI, Google Dismantle “Outsider Enterprise” Phishing Service by Nicolas Krassas.
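The Axios item above makes the point that the compromise was visible in the registry's own metadata before anyone ran npm install. The script below is an added example, not code from that post or from npm, showing three metadata signals that can be checked from a packument (the JSON served at https://registry.npmjs.org/&lt;name&gt;) without downloading or installing anything: a release published by an account that is not in the current maintainer list, a change of publisher between consecutive releases, and a new or altered install lifecycle script. The packument embedded in the script is constructed; the package and account names are made up, and which of these signals the linked post actually relied on is an assumption.

```python
"""Triage an npm packument for metadata changes that often accompany a
hijacked release. Signals, reported per version as (version, signal, detail):
  publisher-not-maintainer   publishing account is not a current maintainer
  publisher-changed          a different account published than last release
  install-hook-changed       preinstall/install/postinstall added or altered
  dist-tag-points-at-flagged a dist-tag such as "latest" resolves to a
                             flagged version, so a plain `npm install` gets it
"""
import json
import sys
from datetime import datetime

INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Constructed sample for this example. Package, accounts, timestamps and
# integrity hashes are made up; the field names (time, maintainers, versions,
# _npmUser, scripts, dist, dist-tags) are those of the registry's full packument.
SAMPLE_PACKUMENT = {
    "name": "example-http-client",
    "dist-tags": {"latest": "1.9.1"},
    "maintainers": [{"name": "alice", "email": "alice@example.invalid"}],
    "time": {
        "created": "2019-03-01T10:00:00.000Z",
        "modified": "2026-06-09T02:31:00.000Z",
        "1.9.0": "2026-04-14T15:20:00.000Z",
        "1.9.1": "2026-06-09T02:31:00.000Z",
    },
    "versions": {
        "1.9.0": {
            "_npmUser": {"name": "alice", "email": "alice@example.invalid"},
            "scripts": {"test": "node test.js"},
            "dist": {"integrity": "sha512-AAAA..."},
        },
        "1.9.1": {
            "_npmUser": {"name": "mallory", "email": "mallory@example.invalid"},
            "scripts": {"test": "node test.js", "postinstall": "node setup.js"},
            "dist": {"integrity": "sha512-BBBB..."},
        },
    },
}


def _when(iso: str) -> datetime:
    """Parse the registry's ISO 8601 timestamps, which end in 'Z'."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def version_order(packument: dict) -> list:
    """Published versions, oldest first, ordered by the 'time' map."""
    times = packument.get("time", {})
    versions = [v for v in packument.get("versions", {}) if v in times]
    return sorted(versions, key=lambda v: _when(times[v]))


def _install_hooks(version_doc: dict) -> dict:
    scripts = version_doc.get("scripts") or {}
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}


def _publisher(version_doc: dict):
    return (version_doc.get("_npmUser") or {}).get("name")


def triage(packument: dict) -> list:
    """Return (version, signal, detail) tuples for every suspicious release."""
    findings = []
    maintainers = {m.get("name") for m in packument.get("maintainers", [])}
    order = version_order(packument)
    for idx, ver in enumerate(order):
        doc = packument["versions"][ver]
        publisher = _publisher(doc)
        if publisher not in maintainers:  # also fires when _npmUser is missing
            findings.append((ver, "publisher-not-maintainer", publisher))
        if idx == 0:
            continue  # nothing earlier to diff against
        prev = packument["versions"][order[idx - 1]]
        prev_publisher = _publisher(prev)
        if publisher != prev_publisher:
            findings.append((ver, "publisher-changed", (prev_publisher, publisher)))
        prev_hooks = _install_hooks(prev)
        changed = {k: v for k, v in _install_hooks(doc).items() if prev_hooks.get(k) != v}
        if changed:
            findings.append((ver, "install-hook-changed", changed))
    flagged = {ver for ver, _, _ in findings}
    for tag, ver in packument.get("dist-tags", {}).items():
        if ver in flagged:
            findings.append((ver, "dist-tag-points-at-flagged", tag))
    return findings


if __name__ == "__main__":
    # Usage: curl -s https://registry.npmjs.org/<name> > p.json && python3 triage.py p.json
    # With no argument the constructed sample above is triaged.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PACKUMENT
    for ver, signal, detail in triage(data):
        print(f"{data['name']}@{ver}: {signal}: {detail}")
```

Publisher and maintainer fields are self-reported by the registry and a compromised maintainer account will not trip the first two signals, so treat this as a cheap pre-install triage, not a verdict; pinning by integrity hash and reviewing the tarball diff are the next steps when any signal fires.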
Techniques and Write-ups
- GPS As a Key Distribution Platform by Bruce Schneier.
The U.S. military has quietly been broadcasting encryption key material through public GPS satellites for nearly 20 years, effectively turning every GPS-enabled device into an unwitting receiver of government cryptographic data.
A new C2/post-exploitation framework with ISO embedding, ADS abuse, and Defender lure paths. Florian Roth published IOCs including named pipes, temp file paths, and alternate data stream markers.
- Linux io_uring Exfiltration Tool Bypasses EDR by Florian Roth.
A new Linux exfiltration tool abuses io_uring to asynchronously read /etc/shadow and exfiltrate credentials over TCP, sidestepping EDR products that watch the conventional read/write/send syscalls: io_uring submits I/O through shared ring buffers rather than one syscall per operation, so the file read and network write never appear as the syscalls those sensors hook.
- Oops, I Weaponized the Database: Abusing AI Features in SQL Server 2025 by Justin Kalnasy.
SpecterOps researchers demonstrate how native AI features in Microsoft SQL Server 2025 can be abused for data exfiltration, NTLM coercion, and C2 transport directly within the database engine, all using built-in functionality that works as designed, with working proof-of-concept code published.
Calif.io continues its streak of hacking security tools with an arbitrary code execution in objdump -g, using a novel relocation-oriented programming technique to exploit DWARF parsing.
Origin Security found that simply opening the Opencode coding agent inside a hostile repo runs the repo’s own code at startup, before the model is even in the loop. No user command needed.
Shai-Hulud is a self-propagating CI/CD worm that spreads through PyPI packages, demonstrating how a single compromised dependency can move through build pipelines without further attacker interaction.
A BitLocker bypass triggered by abusing Windows Defender Offline Scan state, dropping unattend.xml onto the recovery partition to boot into WinRE with unrestricted access to the encrypted volume.
CVE-2026-2005 is a heap buffer overflow in PostgreSQL’s pgcrypto extension that leads to remote code execution. Wiz published a full technical analysis of the vulnerability.
Malware developers are embedding nuclear and biological weapons text into their code to trigger safety refusals in AI-powered security scanners, exploiting alignment guardrails as an evasion technique.
watchTowr’s analysis of a pre-authentication remote code execution in Splunk Enterprise, exploiting the database layer’s own authentication to bypass application-level controls.
An extensive writeup on using AI-assisted techniques to find vulnerabilities in Google, resulting in a $500k bug bounty payout. Praised for the depth of its technical detail.
watchTowr details how Check Point’s Remote Access VPN products allow an IKE client to skip authentication entirely, bypassing the security boundary these products are designed to enforce.
The first publicly demonstrated guest-to-host escape targeting in-kernel KVM on arm64. Unlike QEMU escapes, the bug lives in the kernel itself, running exploit code with host kernel privilege and threatening multi-tenant arm64 cloud isolation.
Exodus Intel walks through exploiting a Linux kernel use-after-free in nftables caused by a single misplaced exclamation mark, achieving local privilege escalation with a detailed technical write-up.
CVE-2026-41089, a CVSS 9.8 flaw in Windows Netlogon, lets unauthenticated attackers gain SYSTEM on domain controllers with crafted packets. Active exploitation in the wild has been confirmed; a patch has been available since May.
Kuba Gretzky demonstrated live at x33fcon how Evilginx can downgrade FIDO-based MFA protections, successfully phishing Google credentials on stage despite hardware key enforcement.
Varonis researchers turned Microsoft 365 Copilot into a one-click data exfiltration weapon, abusing its search and summarization capabilities to extract sensitive data from across the tenant.
Synacktiv released their x33fcon research on offensive DCOM techniques, including a COMouflage variant for arbitrary executable execution and a fileless lateral movement method based on .NET deserialization.
More this week (184)
- RT CloudBreach: Storm-2372 (Russian-aligned) has been running a device code phishing campaign since Aug 2024 and it is frighteningly effectiv… by Renos.
- Keeping a Short Leash: New AzureHound Least-Privilege Documentation by Martin Sohn Christensen.
- It took about 55 hours to compress the 8TB NetNTLMv1 rainbow table down to 4.3TB. Now I’m generating the torrent files and starting to copy the files to our bittorrent servers. With SSD prices so stup.
- RT PT SWARM: Did you know that it’s possible to perform RCE in Internet Explorer via clickjacking? Igor Sak-Sakovsky’s (@Psych0tr1a) n… by snvvcrsh.
- RT Adam Kohler: While testing our ML detection models, we detected on a new cross-platform campaign we’re tracking as SStar Agent. Most of the Mach-O … by Csaba Fitzl.
- Everyone’s heard of link shorteners, but did you know about link extenders? Someone forwarded me a curious long ass link that turned out to be malicious (after several redirects) that was created with.
- NFCShare Android malware spreads via fake banking app updates on GitHub https://www.bleepingcomputer.com/news/security/nfcshare-android-malware-spread… by BleepingComputer.
- Critical UniFi OS bug lets hackers gain root without authentication https://www.bleepingcomputer.com/news/security/critical-unifi-os-bug-lets-hackers-… by BleepingComputer.
- C0XMO botnet spreads via DD-WRT router flaw, kills rival malware https://www.bleepingcomputer.com/news/security/c0xmo-botnet-spreads-via-dd-wrt-router… by BleepingComputer.
- Hackers Clone Ghidra, dnSpy and Other Tool Sites to Spread Malware https://hackread.com/hackers-clone-ghidra-dnspy-tool-sites-spread-malware/ by Nicolas Krassas.
- Meta Blocks NSO Group’s New WhatsApp Phishing Attack, Files Contempt Order https://thehackernews.com/2026/06/meta-blocks-nso-groups-new-whatsapp.html by Nicolas Krassas.
- Operation FlutterBridge Uses Fake Google Ads to Spread macOS Backdoor https://hackread.com/op-flutterbridge-fake-google-ads-spread-macos-backdoor/ by Nicolas Krassas.
- One-Character Linux Kernel Flaw Enables Local Root Access, Exploits Now Public https://thehackernews.com/2026/06/one-character-linux-kernel-flaw-enabl… by Nicolas Krassas.
- Legacy Meets Modern: Breaking AD Through NIS & MFA Infrastructure https://www.netspi.com/blog/technical-blog/network-pentesting/legacy-meets-modern-br… by Nicolas Krassas.
- Norks blast 250+ fake job offers to developers over 6 weeks to try and snarf creds and crypto https://www.theregister.com/security/2026/06/08/suspecte… by Nicolas Krassas.
- CVE-2026-7304: SGLang – Unauthenticated RCE via dill.loads https://blog.securelayer7.net/cve-2026-7304-sglang-unauthenticated-rce/ by Nicolas Krassas.
- RT Calif: We’d love to be proven wrong here. As a red team, few things are more exciting than a reliable nginx RCE. For some context: we discovered at… by Nicolas Krassas.
- Researcher finds Bright Data iOS SDK turns smart TVs into web-scraping nodes https://www.scworld.com/brief/researcher-finds-ios-sdk-turns-smart-tvs-in… by Nicolas Krassas.
- azsqlshell. interactive Azure SQL shell that authenticates with a raw AAD access token (no SQL login/password) and, on connect, runs a read-only privi… by DirectoryRanger.
- Investigating suspicious AI workflows in Microsoft Entra Agent ID: Autonomous agents, by @mattifestation Part 1: https://redcanary.com/blog/threat-det… by DirectoryRanger.
- Outlook 365 for the PWN https://www.lares.com/blog/outlook365/ by DirectoryRanger.
- The Interesting Case of WSL for Payload Staging https://detect.fyi/the-interesting-case-of-wsl-for-payload-staging-bfaa0f69329a by DirectoryRanger.
- Site Unseen: Enumerating and Attacking Active Directory Sites, by @Synacktiv https://www.synacktiv.com/en/publications/site-unseen-enumerating-and-att… by DirectoryRanger.
- RT Florian Hansemann: “Debugging Windows Isolated User Mode (IUM) Processes - Quarkslabs blog” #infosec #pentest #redteam #blueteam https://blog.qua… by DirectoryRanger.
- RT Mr.Un1k0d3r: I decided to publish my internal Azure Entra ID tool. There are a lot of these already available, but I’ve added some interesting feat… by DirectoryRanger.
- RT DirectoryRanger: Insights into Entra ID’s (Un)Conditional Access, by @insinuator https://insinuator.net/2026/05/insights-into-entra-ids-unconditio… by DirectoryRanger.
- RT R.B.C.: My latest blog post: Using BYOVD to loot LSASS bypassing HVCI and all other security protections built in to Windows 11 25h2: https://g3tsy… by DirectoryRanger.
- RT Enno Rey: Manipulating RPKI (and more) with marquees in TLS certificates (and more) #RIPE92 https://pretalx.ripe.net/media/ripe-92/submissions/YHQY… by DirectoryRanger.
- RT : MS AD Kerberos update active since April: If there is no explicit msds-SupportedEncryptionTypes Active Directory attribute defined the Defaul… by Sean Metcalf.
- X.com silently injects session-bound tracking tokens into your clipboard on every copy - security tools correctly flag this as malicious injection https://gitlab.com/jacquesmyo/security-findings.
- RT Smukx.E: The (Anti-)EDR Compendium TL;DR: EDR functionality and bypasses, with focus on undetected shellcode loader. Blog:- https://blog.deeb.ch/po… by Silky.
- RT SEC Consult: New advisory by @Kruxinator & Christian Hager: Local privilege escalation in @genetec ’s #RabbitMQ deployment (#CVE-2026-25112) W… by SkelSec.
- RT Alex Neff: SPN-less RBCD with NetExec While classic RBCD requires a computer account, you can use U2U authentication to perform RBCD with a nor… by Steven Lowson.
- Site Unseen: Enumerating and Attacking Active Directory Sites by SwiftOnSecurity.
- RT Digital Security Lab Ukraine: DSLU analyzed a spearphishing campaign targeting Ukrainian organizations, attributed with moderate confidence to… by SwitHak.
- Kerberos User-to-User Authentication Internals Deep Dive by Raj Patel.
- The June 2026 Security Update Review by Dustin Childs.
- Microsoft Patch Tuesday for June 2026 - Snort rules and prominent vulnerabilities by Chetan Raghuprasad.
- RT msuiche: My AI Agent keeps impressing me every day, I asked my Agent to finish some research I did in 2020 on Windows ARM64… It went straight gra… by chompie.
- Prompt Engineering for Security Agents with GEPA by Katherine.
- Saw Safari signed with com.apple.security.hardened-process.containment.vm.cow-defeatured but this string is not in the 26 kernelcache. - https://codecolor.ist/entdb/os/keys?os=iOS%2F26.5.1_23F81&diff=26.3.1_23D8133&q=com.apple.security - added entitlement keys diff to entdb - however the daily update job does not include beta firmwar.
- RT Marius Benthin: One more NPM package related to DPRK-linked RAT MicrosoftSystem64 published two hours ago. os-ulid-void@3.0.2 https://www.virustota… by Florian Roth.
- RT Derek Hsue: I asked @dguido about his thoughts on why North Korea’s had so much success exploiting blockchains: – “Normally from countries like No… by Dan Guido.
- RT Panos Gkatziroulis : I’ve been exploring different WinGet threat scenarios to identify practical detection strategies, especially since severa… by Dominic Chell.
- RT The Hacker News: Hackers are already exploiting a flaw in LiteLLM, a widely used open-source AI gateway. One bug (CVE-2026-42271) lets any log… by Simone Margaritelli.
- RT Kevin Gosse: Ok security twitter, I’m very confused by MS’ response to my report. I have a way for an unelevated user to get SYSTEM to run arbitrar… by Simone Margaritelli.
- Pretty major #Tor upgrade, full of security fixes. If you are a Relay or Onion operator please upgrade! https://gitlab.torproject.org/tpo/core/tor/-/raw/tor-0.4.9.9/ChangeLog.
- Shazzer can now fuzz over 1 million characters now. I got Claude to refactor the fuzzing code and now it fuzzes in chunks. This is amazingly fast on C… by Gareth Heyes.
- RT Victor Fresk0: After 6 months of extensive research, I have finally published a new blog post! It describes the journey from breaking into my route… by hypr.
- Advanced Evasion Tradecraft: Precision Module Stomping https://medium.com/@toneillcodes/advanced-evasion-tradecraft-precision-module-stomping-b51feb09… by Panos Gkatziroulis.
- Async PICOs and Custom Beacon Wakeups in Cobalt Strike https://www.nccgroup.com/research/async-picos-and-custom-beacon-wakeups-in-cobalt-strike/ by Panos Gkatziroulis.
- Staged DLL injection - proof-of-concept built in C using Win32 APIs https://github.com/kasturixbm5/staged-DLL-Injection-SMB- by Panos Gkatziroulis.
- Shellcode Loaders - Advanced Execution & Evasion Tradecraft https://0xdbgman.github.io/posts/shellcode-loaders-the-art-of-execution/ by Panos Gkatziroulis.
- BlackSun - Defender for Endpoint on macOS https://bountyy.fi/blog/defender-macos-quarantine-toctou.
- RT 0xor0ne: Guest-to-host VM escape in VMware Workstation chaining CVE-2023-20870, CVE-2023-34044 and CVE-2023-20869, by Alexander Zaviyalov (@NCCGrou… by kmkz.
- RT Dave Kennedy: Awesome post from Ross @Binary_Defense on bluerabbit. https://binarydefense.com/resources/blog/bluerabbit-a-golang-based-backdoor-wit… by kmkz.
- RT xvonfers: (CVE-2026-11645)[$55000][506689381][objects] PoC: ``` let key = ‘AA’; let value = 2; class C extends Function { [key] = value; } let o1 =… by kmkz.
- RT starlabs: Our intern Tevel Sho and his mentor @CurseRed spent some time poking at Cisco ISE. 40+ bugs reported. 4 dupes. This dupe is RCE as root: … by kmkz.
- RT Matt: zer0matt’s blog: Whoops! I did it again. I patched Windows Kernel a… https://zer0matt.blogspot.com/2026/05/whoops-i-did-it-again-i-patched-… by kmkz.
- SpecterOps: Understanding Kerberos U2U Authentication for AD Attacks by Spiros Fraganastasis.
- RT 𝕭𝖑4𝖈𝖐𝖍0𝖑3𝖟 : An outstanding project reveals how much information mobile apps can access and collect without users rea… by MalwareHunterTeam.
- RT Alon Leviev: 10 Secure Boot & BitLocker bypasses I reported are fixed in today’s Patch Tuesday: CVE-2026-45588, CVE-2026-45654, CVE-2026-45655, CVE… by Max.
- Neat bug and solid payout! And much better than their previous approach, which involved calling your boss and threatening to involve the FBI … by Patrick Wardle.
- yasss, this is delightful Handling ES deadlines has always been complex(ish) (e.g. don’t forget to use a mach_timebase_info when converting “mach… by Patrick Wardle.
- RT Teodor Sorescu: If you are experiencing this, it is probably related to this known issue: “Devices configured with Reduced Security … might also … by Patrick Wardle.
- MAD Bugs: Exploiting a 21-Year-Old PHP Vulnerability by Swissky.
- The return of “self-funded bug-bounty platforms” https://www.coindesk.com/markets/2026/06/05/zcash-plummets-30-as-developer-reveals-a-major-bug-that-w… by Phil Venables.
- Suddenly seeing a renewed interest in the Com, or the “community” of English-speaking cybercrime cliques scattered across Telegram and Discord. The Financial Times reports teenagers carrying out sabot.
- Dayum. The folks at PRODAFT have now dropped one helluva detailed writeup on The Gentlemen. tl;dr: -The administrator supplies affiliates with initial access directly, primarily Fortinet SSL-VPN crede.
- This is a super interesting analysis of the English-language cybercrime communities on Telegram and Discord, from a convicted (and reformed?) SIM-swapper who says he found at least 164 call centers th.
- #CVE-2026-8054: #dotCMS Core SQL Injection Based on internet-wide exposure data in Shodan, many organizations appear to be running #dotCMS instances. … by pyn3rd.
- Pre-auth XXE → HTTP SSRF on ArubaOS 8.13.2 closed as “theoretical / no valid PoC” despite TCP pcap, sshd localhost log, and internal port scan - documenting for community review https://netacoding.co.
- RT Mehmet Ergene: This is big https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/microsoft-defender-now-monitors-rpc-activity/… by stuk0v.
- RT Arthur B.: New credentials attack on Google, it’s a subtle one. The email actually comes from http://account.google.com. It informs you that your r… by thaddeus e. grugq.
- Ubuntu LXD Group Root: Default to Host Root on Every LTS Since 20.04 by thaddeus e. grugq.
- RT Chetan Nayak (Brute Ratel C4 Author): Not sure what all the fuss was about with CET? I never considered cetcompat to be a dealbreaker as most opera… by Vincent Yiu.
- RT AmirMohammad Safari: We’re dropping 3 Adminer 0-days after nearly three months without acknowledgment from the maintainers. Among these vulnerabili… by Vincent Yiu.
- RT Petr Beneš: Tracing every usermode call on Windows-on-ARM. Clean install, no breakpoints, no hooks, memory not modified in any way. Virtually unde… by Axel Souchet.
- RT chompie: Some rly interesting RCE bugs got patched today!! Would be an interesting test for a certain super saiyan cyber model that’s really goate… by Bobby Cooke.
- NEW BHIS | Blog A fake badge. A held door. A few assumptions. That’s all it can take to bypass physical security. The Art of the Badge: A Hard Tr… by Black Hills Information Security.
- CVE-2026-0466: AMD AmdPowerProfiler.sys Kernel Write Primitive by Bad_Jubies.
- Evading Gatekeeper in Enterprise macOS Environments by BlackArrow.
- China-linked JDY botnet expands targeting of U.S. military networks https://www.bleepingcomputer.com/news/security/china-linked-jdy-botnet-expands-tar… by BleepingComputer.
- Microsoft patches Exchange Server zero-day exploited in attacks https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-exchange-server-zero… by BleepingComputer.
- Microsoft patches YellowKey, GreenPlasma, MiniPlasma zero-days https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-yellowkey-greenplasma… by BleepingComputer.
- Microsoft Defender ‘RoguePlanet’ zero-day grants SYSTEM privileges https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-rogueplanet-zero… by BleepingComputer.
- OpenClaw AI agent found falling for phishing attacks, spills user data https://www.bleepingcomputer.com/news/security/openclaw-ai-agent-found-falling-… by BleepingComputer.
- SAP fixes critical flaws in NetWeaver and Commerce Cloud https://www.bleepingcomputer.com/news/security/sap-fixes-critical-flaws-in-netweaver-and-comm… by BleepingComputer.
- In the era of AI-generated code and automated research, I still believe human creativity has the edge. My latest High severity CVEs in Zoom’s Android… by Dimitri Os.
- FBI Seizes China-Linked Fake Consulting Sites Targeting US Clearance Holders https://hackread.com/fbi-seizes-china-fake-consulting-sites-us-clearance/ by Nicolas Krassas.
- Scammers Use TikTok and Instagram Reels to Spread Vidar Infostealer https://hackread.com/scammers-tiktok-instagram-reels-vidar-infostealer/ by Nicolas Krassas.
- Angry bug hunter with Microsoft beef drops new Windows 0-day https://www.theregister.com/security/2026/06/10/nightmare-eclipse-publishes-new-windows-d… by Nicolas Krassas.
- Ransomware group The Gentlemen linked to Russian national https://www.scworld.com/brief/ransomware-group-the-gentlemen-linked-to-russian-national by Nicolas Krassas.
- Chinese agents caught rebuilding botnets and stirring the pot on AI datacenter debate https://www.theregister.com/security/2026/06/11/china-linked-ope… by Nicolas Krassas.
- Oracle PeopleSoft servers hacked in ShinyHunters data theft attacks https://www.bleepingcomputer.com/news/security/oracle-peoplesoft-servers-hacked-in… by Nicolas Krassas.
- Unpatched Langflow Flaw CVE-2026-5027 Exploited for Unauthenticated RCE https://thehackernews.com/2026/06/unpatched-langflow-flaw-cve-2026-5027.html by Nicolas Krassas.
- I’m so excited to share what we’ve been working on: AI Guard for Coding Agents. Months ago Datadog Security Research, saw the risk posed to coding a… by Nick Frichette.
- ShinyHunters is a DFIR construct. It’s like Anonymous – an umbrella name given to an evolving collection of people conducting hacking operations by Kim Zetter.
- Enhanced License Plate Tracking by Bruce Schneier.
- BYOVD isn’t dead. We wrote about vulnerable driver inventory in 2019. https://redcanary.com/blog/threat-detection/tracking-driver-inventory-to-expose-… by The Haag™.
- RT BleepingComputer: New Veeam vulnerability exposes backup servers to RCE attacks https://www.bleepingcomputer.com/news/security/new-veeam-vulnerabil… by Sean Metcalf.
- it works! detection coverage for RoguePlanet - LPE via Windows Defender vulnerability https://github.com/MSNightmare/RoguePlanet/tree/main by Samir.
- SpecterOps: Building an Indirect Prompt Injection Workflow by Antero Guy.
- RT FBI Cyber Division: Today, the FBI is announcing Operation Riptide, an ongoing, coordinated law enforcement campaign targeting cybercriminal actors… by SwitHak.
- Ghost Sender: Reviving Classic Email Spoofing Techniques by Matt Eidelberg.
- CS 4.13 is right around the corner, so I’ve been having a play with the new Beacon Interpreter. This script will stomp a PICO over a module, with unwi… by Rasta Mouse.
- Some rly interesting RCE bugs got patched today!! Would be an interesting test for a certain super saiyan cyber model that’s really goated at exploit… by chompie.
- CVE-2026-10520: Pre-Auth RCE in Ivanti Sentry by Piotr Bazydło.
- Me: writes a YARA rule to detect text about nuclear weapon design in executables by Florian Roth.
- RT PRODAFT: PHANTOM MANTIS (a.k.a. The Gentlemen): They only hold the door open to exfiltrate your data. Meet Phantom Mantis, the ransomware crew… by ege.
- RT Dmitry Vyukov: First AI-generated patches for syzbot #Linux kernel bugs are being merged into mainline: https://git.kernel.org/pub/scm/linux/kernel… by h0mbre.
- RT Nicolas Krassas: 0hardik1/kubesplaining: Kubernetes security assessment CLI: RBAC, pod-escape, and privilege-escalation path analysis. Cloudsplaini… by Chris Nickerson.
- Watch Your AI! Using Replit AI to Mask Your C2 Traffic https://askar.so/blogs/watch-your-ai-using-replit-ai-to-mask-your-c2-traffic/ by Panos Gkatziroulis.
- Beacon Object File for LDAP Queries Through ADWS https://github.com/e-fin/ADWS-BOF by Panos Gkatziroulis.
- RT cr3ghost: Your EDR is running. Detecting everything. Alerting on nothing. EDRSilencer blocks all EDR outbound traffic using Windows Filtering Platf… by Panos Gkatziroulis.
- Factoring “Short-Sleeve” RSA Keys with Polynomials.
- RT mRr3b00t: good thread here: also court docs: https://storage.courtlistener.com/recap/gov.uscourts.cand.350613/gov.uscourts.cand.350613.854.0_1.pdf by kmkz.
- RT dbugs: A PoC/exploit has been discovered for vulnerability ITScape Vendor: Linux Product: KVM/arm64 Description: A race condition in the vGIC-… by kmkz.
- RT mRr3b00t: “GreatXML GreatXML bitlocker bypass vulnerability Steps to reproduce, If defender offline scan was initiated in the victim machine at any… by kmkz.
- A Long-Running BOF Component Contract Specification by Spiros Fraganastasis.
- Huge props to James @rotarydrone for reporting the first-ever infoleak bug in the open-source version of Evilginx. This affects all Evilginx lure… by Kuba Gretzky.
- Following up on a Linkedin post about non-existent security incidents showing up at the Maine Attorney General’s list of consumer data breaches, the Maine AG sent me a statement acknowledging that sev.
- Discovering Vulnerabilities in Enterprise Audiovisual Hardware @spaceraccoon https://spaceraccoon.dev/discovering-vulnerabilities-enterprise-audiovisu… by Swissky.
- #CVE-2026-48907 Unauthenticated RCE in #Joomla Content Editor Extension by pyn3rd.
- RT Karsten Hahn: This seems to be a prevalent issue now: People vibe code security applications and the LLM generates real malware for testing. The ge… by Rad.
- CVE-2026-25089: FortiSandbox Pre-Auth OS Command Injection PoC by Vincent Yiu.
- phpBB forum fixes auth bypass bug lurking for a decade https://www.bleepingcomputer.com/news/security/phpbb-forum-fixes-auth-bypass-bug-lurking-for-a-… by BleepingComputer.
- CISA orders feds to patch actively exploited Ivanti flaw by Sunday https://www.bleepingcomputer.com/news/security/cisa-gives-feds-3-days-to-patch-ivan… by BleepingComputer.
- Japanese energy firm loses drive with data of 10.9 million clients https://www.bleepingcomputer.com/news/security/japanese-energy-firm-loses-drive-wit… by BleepingComputer.
- Authorities dismantle ‘AudiA6’ ransomware crypto-laundering service https://www.bleepingcomputer.com/news/legal/authorities-dismantle-audia6-ransomwar… by BleepingComputer.
- RT Adam Crosser: I’d been wanting to build a virtualized loader for awhile and finally got around to it. https://www.praetorian.com/blog/virtualized-l… by Michael Weber.
- hadriansecurity/openhack: Lightweight, file-based workspace for source-guided whitebox security review. https://github.com/hadriansecurity/OpenHack by Nicolas Krassas.
- China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade https://thehackernews.com/2026/06/china-linked-hackers-backdoored-lin… by Nicolas Krassas.
- BUMSRAKETE™ - The Most Beautiful, Most Tremendous FreeBSD Vulnerability In The History Of Computing. BELIEVE ME. https://bumsrake.de/ (love the webs… by Nicolas Krassas.
- Entra Agent ID: Cross-Tenant Abuse via Blueprint Blast Radius by Nick Frichette.
- RT Criminal Division: Ukrainian National Pleads GUILTY to Wire Fraud Conspiracy in Connection with Conti Ransomware: Conti Attacked Over 1,000 Victims… by SwitHak.
- RT CERT Polska: ‼ New activity from the UNC1151/Ghostwriter group. In recent months the CERT Polska team has observed a change in the way it operat… by SwitHak.
- RT Javier Marcos: A decentralized Command & Control framework built on libp2p and inspired by Sliver: https:/… by X-C3LL.
- RT Mr.Un1k0d3r: The new @_CobaltStrike BOF-PE feature allows you to load PEs without having to convert them into BOFs with limited modification. You c… by Rasta Mouse.
- MeshCentral: From XSS to RCE by /r/netsec.
- Getting the PID from Random Numbers in PHP by /r/netsec.
- Why Use App-Level Auth When Every Database Has Auth? (Splunk Enterprise CVE-2026-20253 Pre-Auth RCE) - watchTowr Labs https://labs.watchtowr.com/why-u… by /r/netsec.
- Major AI Clients Shipping With Broken OAuth Implementations (JUNE 2026 UPDATE) https://www.redcaller.com/docs/references/mcp-client-oauth-refresh-toke… by /r/netsec.
- Abusing CREDHIST for Offline Credential Recovery via DPAPI by /r/netsec.
- Marking Your Own Homework (Check Point Remote Access VPN IKEv1 Authentication Bypass CVE-2026-50751) - watchTowr Labs https://labs.watchtowr.com/marki… by /r/netsec.
- Jupyter Enterprise Gateway: From Notebook to K8s Cluster Admin by /r/netsec.
- WinGet Abuse: Code Execution, Persistence, and Detection by /r/netsec.
- Dissecting SleepySheriff: An Equation Group NDIS Driver by winterknife.
- Exploiting Mali GPU CVE-2024-1065 via the Page Cache by Alex Plaskett.
- CVE-2026-45257 / FreeBSD-SA-26:26.ktls Local file overwrite on FreeBSD. A local user can overwrite files they can read. Turn that into a SUID overwrit… by Florian Roth.
- RT Nextron Research : Our Artifact Scanner flagged “pylogxo”, a PyPI typosquat of “pylogx” dropping Sirkeira Stealer from 69[.]164[.]245[.]166 to … by Florian Roth.
- RT Vivek | Cybersecurity: Every employee’s password was stored in a single Excel file https://www.theregister.com/security/2026/06/11/every-employees-… by Florian Roth.
- RT Two Seven One Three: New #redteam tool for blocking EDRs: EDRChoker Instead of fully blocking the EDR agents’ connections to their server, we can t… by Florian Roth.
- RT Mark Odayan: Received a suspicious coding assessment for a crypto company I had zero mutual followers with (yet they had 100K+ followers on twitter… by Dave Aitel.
- RT 0xor0ne: 3-part series on Linux kernel bug hunting: KASAN, Syzkaller, and kernel fuzzing by @slava_moskvin_ Part 1: https://slavamoskvin.com/huntin… by Dave Aitel.
- RT cr0@Defensive-Security.com / EDRmetry / PurpleLabs: Looks promising => eBPF-based tool that records every Linux syscall made by Docker containers a… by Dave Aitel.
- Pwning Chromium 146: Full Renderer Process Exploit Chain by Dave Aitel.
- Researcher accidentally gained access to a threat actor-controlled phishing website https://potato.id/en/posts/i-accidentally-logged-into-threat-actor-website/.
- RT spaceraccoon | Eugene Lim: Re @garethheyes Btw, not sure if you saw my blogpost(s) on it - approaching vuln identification at an angle (“does this… by Gareth Heyes.
- CVE-2026-3199: LLM-Assisted RCE in Sonatype Nexus Repository by Brett Hawkins.
- Great research by @jdelta11 Check it out by Brett Hawkins.
- RT jolmos: Scales, the eBPF malware targeting ArchLinux https://sha0coder.github.io/scales/ by hasherezade.
- RT Tal Be’ery: A WhatsApp #E2EE & #OPSEC reminder: 1⃣Metadata is not protected by E2EE; WhatsApp knows phone #, profile name, contacts, groups etc. 2… by hasherezade.
- Wanted to see how to create your own #OpenGraph collector for #BloodHound!? Here you go! https://youtu.be/S7aoFGLGt0g?is=sVsWfGvWlPXWCVki by Chihuahua in charge NotMe.
- CVE-2026-45454: SharePoint Server RCE via Webshell Upload by kmkz.
- RT Dark Web Informer: ‼ CVE-2026-40369: Twelve Bytes to Escape the Browser Sandbox. CVSS: 7.8 Writeup: https://voidsec.com/cve-2026-40369-browser-s… by kmkz.
- RT Horizon3 Attack Team: Today we are disclosing CVE-2026-48558, an auth bypass in #SimpleHelp RMM when OIDC is configured. Affected servers let unaut… by kmkz.
- Difficulty Parsing MSRC Publications: BitLocker Bypass Patch Status by Max.
- RT Kostas: Just merged PR #200 into the EDR Telemetry project. SentinelOne Windows now correctly reports File Downloaded, USB Mount, and USB Unmount t… by Max.
- RT Altered Security: Can Azure’s Global ARM APIs expose source control resources across tenants? Our latest blog demonstrates how ARM API abuse can le… by Nikhil Mittal.
- Shift Happens – Uncovering Two Built-in Command Injections in Windows Context Menus - @podalirius_ https://specterops.io/blog/2026/05/07/shift-happen… by Swissky.
- iOS 27 Reworked Stub Islands: Disassembly Observations.
- Path Traversal Strikes Again: HackerOne Report 3712279 by ϻг_ϻε.
- Deep Dive into Darwin’s XZone Memory Allocator by Csaba Fitzl.
- chompie’s Full Exploit Archive: Wormable RCEs, Kernel LPEs, and More by thaddeus e. grugq.
- RT Sébastien Dudek : We built Grimoire: a single search box for every offensive playbook, fully offline. Type ssrf, kerberoast, jwt, sudo … by Vincent Yiu.
- Kernel-Hack-Drill: Linux Kernel Attacks and Defenses Masterclass.
- RT White Knight Labs: When WDAC blocks your implants, Electron apps become the way in. The post walks through using Loki C2 to backdoor signed applica… by Bobby Cooke.
- Sleeping Beauty II: Advanced Evasion via Adaptix StealthPalace by sailay(valen).
- Inside a ClickFix to EtherHiding to GULoader Intrusion Chain by Nicolas Krassas.
- TrustedSec: Hardening Intune - The Privileged Roles Nobody Talks About by DirectoryRanger.
- Empty Ciphertext Panic in AWS Encryption Provider.
- RT Hossam: Hi! I just published UNCanny, a small Windows research experiment around a new coercion primitive I found while digging through AppX and In… by Silky.
Tools and Exploits
Major Cobalt Strike release introducing a Beacon Interpreter for native C scripting, an LLVM-compiled Beacon, improved docking UX, and better payload management.
Ghidra-RPC enables agentic reverse engineering by exposing Ghidra’s analysis capabilities over an RPC interface, letting AI agents and automation tools interact with disassembled binaries programmatically.
More this week (27)
- RT offensivecon: Offensivecon’s talks are now available on our YouTube channel! https://buff.ly/g63xgm5 by Csaba Fitzl.
- RT Gavin K: Janus v1.1.0 released: - added a @OutflankNL OC2 parser for local line-oriented implant log files (api ingestion coming soon) - created ne… by Bobby Cooke.
- RT OX Security: Breaking: Miasma Malware Goes Open Source (Hades / Shai-Hulud Variants) TeamPCP’s decision to open-source Shai-Hulud has spawned … by Nicolas Krassas.
- EDRUnChoker: Fileless WMI Tool to Remove EDR Throttling by Samir.
- RT Open Source Security mailing list: Roundcube (webmail frontend) 1.6.16, 1.7.1 released May 24 fix many vulns https://www.openwall.com/lists/oss-sec… by Dave Aitel.
- Busywork: EDR Sleep Replacement Library by n00py.
- SO-CRATES: Security Onion Container for PCAP, Log, and Binary Analysis by Ring3API 🇺🇦.
- phantom loader v2 and recent v3 I released recently with a talk is way richer! by Mr.Z.
- GitHub to Disable npm Install Scripts by Default to Stop Supply Chain Attacks https://thehackernews.com/2026/06/github-to-disable-npm-install-scripts… by Nicolas Krassas.
- NimSyscallPacker: Nim-Based Payload Packer by Panos Gkatziroulis.
- This week’s release adds new Kerberos/Certificate tracing options (GSoC project), a community feedback call on evasion module UX, a new ClickFix social-engineering exploit module, 9 enhancements, and.
- HyperDbg v0.19: Hypervisor-Level Tracing with LBR Support by sinusoid.
- TrustedSec Reel: Continuous Social Engineering Framework by James.
- RT Gavin K: RELEASED: Noradrenaline - a Linux/macOS companion to Adrenaline (small purpose-built BOFs) The idea is to have small .dylib and .so module… by Nicolas Krassas.
- I downloaded the release and tested it. I didn’t observe any alerts or blocking during execution. The interesting part is that it’s leveraging native … by The Haag™.
- JS-Tap v3: JavaScript Implants for Electron, Extensions, and Node by S3cur3Th1sSh1t.
- ModuleStomped: Module Stomping Evasion Tool by CCob.
- Tracebit: Memory-Based Implant Fingerprinting Sensor by Panos Gkatziroulis.
- Grimoire: Offline Offensive Knowledge Base by Max.
- RT ProjectDiscovery: Introducing depx - open-source malicious package & supply-chain intelligence, in your terminal. Hijacked publishes, credential st… by Nuclei by ProjectDiscovery.
- Vulnerability Spoiler Alert: AI-Powered CVE Early Warning by spaceraccoon | Eugene Lim.
- Universal SELinux Bypass PoC Released for Samsung Exynos by thaddeus e. grugq.
- MalwareView 8.0.2: Malware Analysis Tool Update by thaddeus e. grugq.
- Ferrum: Windows LPE, Persistence, and COM Hijacking Toolkit by Bobby Cooke.
- EDD: Enumerate Domain Data, PowerView’s .NET Cousin by DirectoryRanger.
- Tunnel Vision Toolkit: BOFs for Microsoft Global Secure Access by DirectoryRanger.
- WhatAboutSAM: Dump Windows SAM Credentials with Stack Spoofing by Peter Gabaldon.
