Intelligence · Updated daily
AI-analysed threats, vulnerabilities and campaigns. Not just what happened — what it means, who's affected, and what to do about it.
SecurityWeek reports on multiple concurrent security issues including an Nvidia cloud gaming data breach, Canvas LMS compromise by ShinyHunters following FBI warning, Android 17 hardening, and automotive/enterprise vulnerabilities. The clustering suggests defenders face distributed pressure across consumer, educational, and enterprise sectors.
Russian state-sponsored group Turla has rebuilt its Kazuar backdoor into a modular peer-to-peer botnet designed for stealth and persistent command-and-control. This represents a significant operational upgrade that complicates detection and attribution for defenders.
THORChain suffered a $10.7 million theft from one of six vaults, indicating a compromise of their multi-signature custody mechanism. This demonstrates that even established DeFi platforms remain vulnerable to sophisticated attacks targeting key management and vault architecture.
Attackers are actively exploiting a critical flaw in the Funnel Builder WordPress plugin to inject malicious JavaScript into WooCommerce checkout pages, enabling payment card theft from customer transactions.
Marten's full-text search APIs directly interpolate user-supplied regConfig parameters into SQL queries without sanitization, enabling unauthenticated SQL injection against PostgreSQL backends. The PoC confirms multiple attack vectors including time-based exfiltration and arbitrary query execution.
VM2 fails to properly isolate host exceptions thrown during async generator cleanup, allowing attackers to break sandbox confinement and execute arbitrary host code. This PoC reliably demonstrates RCE by constructing a type-confused Error object that escapes sandbox restrictions.
SentinelOne Labs researchers examined whether publicly disclosed breach signals and market timing models can be used to predict or capitalise on stock price movements following cyber incidents, exploring the emerging intersection of cybersecurity data and financial markets.
SecurityWeek publishes guidance on implementing security controls in AI data centres without proportional performance degradation. This reflects growing industry recognition that security and throughput constraints can be co-optimised through architectural choices.
Three versions of the widely-used node-ipc npm package (9.1.6, 9.2.3, 12.0.1) were found to contain malicious code designed to exfiltrate developer secrets and credentials. This represents a direct compromise of a critical infrastructure dependency affecting Node.js projects globally.
A supply chain campaign has compromised the TanStack npm library and related packages on npm and PyPI, affecting multiple AI companies including OpenAI. The attack leverages trusted open-source dependencies to distribute malicious code to downstream users.
The TeamPCP hacker group is threatening to publicly release proprietary source code from Mistral AI unless a buyer purchases the stolen data. This represents a significant intellectual property theft and potential supply-chain risk for the AI company's customers and partners.
Goobi viewer's POST /api/v1/index/stream endpoint forwarded arbitrary Solr streaming expressions without authentication, enabling complete index exfiltration, modification, and deletion. This PoC demonstrates pre-authentication remote code execution risk against backend search infrastructure.
SiYuan's Bazaar marketplace fails to HTML-escape package `name` and `version` fields before rendering them to DOM via `innerHTML`, enabling stored XSS that escalates to OS command execution due to permissive Electron security configuration (nodeIntegration enabled, contextIsolation disabled).
CVE-2026-22599 allows authenticated administrators to inject arbitrary SQL through the Content-Type Builder's `column.defaultTo` attribute, enabling database compromise including file read, DoS, and potential RCE. This PoC demonstrates a critical gap in input validation on trusted user boundaries.
Google Project Zero published a 0-click exploit chain for Pixel 10 leveraging CVE-2025-54957 (Dolby vulnerability) and bypassing RET PAC mitigations. The attack requires only two exploits to achieve root access from a zero-interaction context, indicating modern Android devices remain vulnerable despite security hardening.
The Nitrogen ransomware group claims to have compromised Foxconn's North American manufacturing facilities and exfiltrated 8TB of data including confidential documents. This represents a significant supply chain risk given Foxconn's role as a critical electronics manufacturer for major tech companies.
A Chinese-affiliated threat actor designated FamousSparrow conducted a multi-wave intrusion against an Azerbaijani oil and gas company between December 2025 and February 2026, exploiting Microsoft Exchange vulnerabilities as an initial access vector. This represents a notable shift in the group's targeting geography and suggests persistent interest in critical infrastructure.
Owe Martin Andresen, alleged administrator of Dream Market, was arrested in Germany following a US indictment. The arrest demonstrates coordinated international law enforcement action against established criminal marketplaces that operated for over a decade.
SillyTavern trusts HTTP headers (`Remote-User`, `X-Authentik-Username`) from any network client without validating origination from a trusted reverse proxy, allowing unauthenticated attackers to impersonate any user including administrators. This is a foundational architectural flaw in SSO integration.
Mapfish Print contains an unauthenticated RCE vulnerability in dynamic table functionality, allowing arbitrary code execution without credentials. This PoC is significant for defenders as it demonstrates a critical authentication bypass combined with code injection.
Cisco Talos highlights that responding to state-sponsored intrusions requires fundamentally different IR strategies than ransomware incidents. Organisations using ransomware-focused response playbooks may fail to detect or contain nation-state actors.
Microsoft released fixes for 137 vulnerabilities spanning Azure, Windows, Dynamics 365, and Jira/Confluence SSO integrations. The breadth of affected platforms suggests defenders face a complex patching prioritisation challenge across multiple attack surfaces.
CVE-2026-45185 is a use-after-free vulnerability in Exim's BDAT command handling that affects GnuTLS-compiled builds, enabling memory corruption and potential code execution on mail servers. Given Exim's deployment across internet-facing mail infrastructure, this poses significant risk to email delivery chains.
Foxconn confirmed a cyberattack affecting multiple North American manufacturing facilities across six US states and Mexico, but has withheld specifics on scope and impact. The incident threatens critical supply chains for consumer electronics and automotive components.
The U.S. House Committee on Homeland Security has demanded testimony from Instructure executives regarding two separate cyberattacks by the ShinyHunters extortion group against Canvas, which exposed student data and disrupted educational institutions during critical exam periods.