Crow's Nest — Black Lantern Security News

Crow's Nest - 2026-06-22

A roundup of 126 items curated from across the security community. News Mastra-AI npm Supply Chain Attack Hits 80+ Packages by Dave Kennedy. An attacker hijacked npm accounts to inject a phantom dependency into 80+ Mastra-AI packages. The malicious payload arrived via a “dayjs” typosquat that ran a post-install script to download and execute a remote binary. Operation Endgame Dismantles SocGholish Infrastructure by SwitHak. International law enforcement took down 100 servers and domains, remediating nearly 15,000 websites. SocGholish’s “FakeUpdates” web inject framework has been a persistent ransomware delivery vector since 2018. ...

June 22, 2026 · 12 min · Black Lantern Security

Crow's Nest - 2026-06-15

A roundup of 292 items curated from across the security community. News Microsoft Packages Laced with Credential Stealer for Second Time in Weeks by Nicolas Krassas. For the second time in weeks, official Microsoft packages were found laced with credential-stealing malware, raising serious questions about supply chain integrity in the Microsoft ecosystem. AI Misidentification Leads to Wrongful Arrest, Months in Prison by Kim Zetter. AI facial recognition identified Jalil Richardson with only 85% accuracy. Police never checked his alibi. He spent months in prison and lost his job, home, and child custody before police admitted the AI was wrong. ...

June 15, 2026 · 27 min · Black Lantern Security

Crow's Nest - 2026-06-08

A roundup of 44 items curated from across the security community. News UN food agency breach exposes 600,000 Gaza households by Nicolas Krassas. The UN World Food Programme discloses a data breach affecting 600,000 households in Gaza. UNC3753 targets US law firms with vishing and physical intrusion by scriptjunkie (Matt). Mandiant details UNC3753 using vishing and RMM tools for data extortion against US law firms, with some operators attempting in-person theft. CISA: SolarWinds Serv-U flaw now actively exploited by BleepingComputer. CISA adds an actively exploited SolarWinds Serv-U vulnerability to the KEV catalog. ...

June 8, 2026 · 4 min · Black Lantern Security

Crow's Nest - 2026-06-04

A roundup of 89 items curated from across the security community. News Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts by BrianKrebs. Pro-Iran hackers hijacked high-profile Instagram accounts, including the Obama White House, by tricking Meta’s AI support bot into resetting passwords with a spoofed hometown IP. Dutch police dismantle a 17-million-device botnet. Dutch police and the NCSC dismantled a 17-million-device botnet operating on 200 servers seized from a local hosting provider. ...

June 4, 2026 · 6 min · Black Lantern Security

Crow's Nest - 2026-05-28

A roundup of 82 items curated from across the security community. News Active exploitation of a Cisco Catalyst SD-WAN auth bypass (CVE-2026-20182) by Cisco Talos. Talos is tracking in-the-wild exploitation of CVE-2026-20182, an authentication bypass in Cisco Catalyst SD-WAN Manager and Controller. Pwn2Own Berlin 2026: DEVCORE takes Master of Pwn by Dustin Childs. DEVCORE took Master of Pwn at Pwn2Own Berlin 2026, capping an event that paid $1,298,250 for 47 zero-days. Orange Tsai chained three bugs to RCE as SYSTEM on Exchange for $200,000. ...

May 28, 2026 · 7 min · Black Lantern Security

Crow's Nest - 2026-05-18

A roundup of 44 items curated from across the security community. News Bleeding Llama: unauthenticated memory leak in Ollama (CVE-2026-7482). Cyera Research uncovers a critical pre-auth memory disclosure in Ollama. Self-hosted LLM gateways leak adjacent buffer contents to anyone who can hit the API. More this week (2) RansomHouse claims Trellix source-code breach by BleepingComputer. Zara data breach exposed 197,000 people by BleepingComputer. Techniques and Write-ups MariaDB CVE-2026-32710 deep dive: character-constrained overflow to RCE by kmkz. Tim Becker walks through the heap-grooming primitive Xint used to turn a character-constrained heap overflow in JSON_SCHEMA_VALID into full RCE. ZeroDay Cloud’s deep dive on the bug behind GHSA-4rj5-2227-9wgc. ...

May 18, 2026 · 4 min · Black Lantern Security

Crow's Nest - 2026-05-11

A roundup of 54 items curated from across the security community. News Apache ActiveMQ CVE-2026-40466 exploited in the wild by kmkz. VulnCheck sees CVE-2026-40466 burning in active campaigns: authenticated RCE in ActiveMQ via the vm:// protocol, a bypass of the original CVE-2026-34197 fix. 2,700+ exposed instances on Shodan. Mythos: a long-form look at the stakes, impact, and PR by Kuba Gretzky. Ivan Kwiatkowski’s deep-dive cuts through weeks of hot takes about Anthropic’s Mythos: what the actual capability claims are, what they mean for the bug-finding economy, and what the rollout did to industry trust. ...

May 11, 2026 · 5 min · Black Lantern Security

Crow's Nest - 2026-05-08

A roundup of 189 items curated from across the security community. News Claude Mythos Has Found 271 Zero-Days in Firefox by Bruce Schneier. 271 Firefox bugs found by Claude Mythos in collaboration with Mozilla. Schneier breaks down the disclosure and what it means for browser security at scale. Defender for Endpoint: restrict response actions on high-value assets by Sean Metcalf. Defender for Endpoint adds a public preview to restrict live response actions on high-value assets. The control SOC analysts running scripts as SYSTEM on tier 0 boxes have been asking for. ...

May 8, 2026 · 23 min · Black Lantern Security