Intelligence · Updated daily

Security Intelligence

AI-analysed threats, vulnerabilities and campaigns. Not just what happened — what it means, who's affected, and what to do about it.

RSS feedCVE index728 entries

Vulnerabilities Malware Campaigns Supply Chain Policy Tools

Page 16 of 30

376–400 of 728

highSupply ChainContained

OpenAI's macOS certificate rotation exposes supply chain risk in CI/CD pipelines via compromised npm packages

OpenAI discovered that malicious Axios npm packages executed within a GitHub Actions workflow and compromised macOS code-signing certificates used for application distribution. The incident highlights how CI/CD environments remain attractive targets for attackers seeking to inject malware into signed, trusted applications.

14 April 2026OpenAI, macOS applications signed by OpenAI, organisations using GitHub Actions with npm dependencies

highToolResolved

FBI-Indonesian coordination dismantles W3LL phishing platform, signalling escalated enforcement against phishing kit infrastructure

US and Indonesian authorities shut down the W3LL phishing service and arrested its developer in the first joint enforcement action targeting a phishing kit provider. This represents a shift toward coordinated international takedowns of infrastructure that enables mass credential theft campaigns.

14 April 2026Users of platforms targeted by W3LL phishing campaigns

criticalVulnerabilityResolved

wolfSSL ECDSA signature verification bypass permits certificate forgery at scale

wolfSSL's improper validation of hash algorithm identity and length in ECDSA signature verification allows attackers to forge valid certificates, potentially compromising any system relying on wolfSSL for TLS authentication.

14 April 2026wolfSSL library, embedded systems using wolfSSL, IoT devices +1

highSupply ChainResolved

Rockstar Games Analytics Breach via Anodot Supply-Chain Compromise Exposes Third-Party Data Risks

ShinyHunters gang leaked analytics data stolen from Rockstar Games following a breach at Anodot, a third-party analytics provider. This illustrates how trusted vendor compromises can expose major game publishers to data exfiltration without direct infrastructure compromise.

14 April 2026Rockstar Games, Anodot

highCampaignResolved

Basic-Fit breach exposes structural weakness in fitness sector's data handling

Hackers breached Dutch fitness chain Basic-Fit and accessed data for approximately one million members. This represents a significant exposure of personal information in a sector that has historically underinvested in security controls.

14 April 2026Basic-Fit

criticalVulnerabilityResolved

Juju Controller CloudSpec API Unauthorized Credential Exposure

Unauthenticated credential disclosure in Juju CloudSpec API allows any authenticated controller user to retrieve cloud bootstrap credentials, bypassing intended role-based access controls. This PoC demonstrates privilege escalation through API permission misconfiguration affecting multiple recent versions.

CVE-2026-5412

11 April 2026Juju/juju v2.9, Juju/juju v3.6, Juju/juju v4.0.6

criticalVulnerabilityResolved

Paperclip Authentication Bypass Chain Leading to Unauthenticated RCE

Paperclip instances with default configuration allow unauthenticated account creation, authentication bypass, and privilege escalation to RCE through a six-step API chain. This affects all publicly accessible deployments running in authenticated mode without explicit hardening.

11 April 2026paperclip

criticalVulnerabilityResolved

Daptin Unauthenticated Path Traversal in File Upload Handler

Daptin's cloudstore.file.upload action fails to validate user-supplied filenames, enabling unauthenticated attackers to write arbitrary files to disk via path traversal and zip slip attacks. This vulnerability bypasses authentication entirely and presents immediate RCE risk.

GHSA-9cp7-j3f8-p5jx

11 April 2026daptin/daptin <= v0.11.3

highCampaignResolved

Storm-2755 Targeting Microsoft Employees: Payroll Account Hijacking as Financial Theft Vector

Storm-2755, a financially motivated threat actor, is compromising Microsoft employee accounts to redirect salary payments. This represents a shift in targeting from external victims to internal credential compromise for direct financial gain.

11 April 2026Microsoft employees, payroll systems

criticalSupply ChainResolved

CPUID supply-chain compromise exposes millions to malware via trusted hardware tools

Attackers compromised CPUID's API and modified download links on the official website to serve malicious versions of CPU-Z and HWMonitor, two ubiquitous hardware monitoring tools. This represents a high-impact supply-chain attack affecting potentially millions of end-users who trust these downloads.

11 April 2026CPUID, CPU-Z, HWMonitor

highPolicyResolved

Patch gap analysis reveals defenders cannot keep pace with exploitation of critical vulnerabilities

Qualys analysed one billion CISA KEV (Known Exploited Vulnerabilities) remediation records and found that most critical flaws are actively exploited in the wild before organisations can deploy patches. This exposes a fundamental timing mismatch between vulnerability disclosure and attacker speed.

11 April 2026All organisations dependent on patch-based defence

criticalCampaignResolved

Iranian threat actors targeting Rockwell Automation PLCs: 4,000 internet-exposed devices in critical infrastructure scope

Iranian-linked cyber operators have mapped nearly 4,000 internet-exposed Rockwell Automation programmable logic controllers across U.S. critical infrastructure. This reconnaissance indicates preparation for potential disruptive attacks against operational technology networks.

11 April 2026Rockwell Automation programmable logic controllers

informationalPolicyResolved

AI pricing escalation: OpenAI's $100 Pro tier signals intensifying LLM market consolidation and potential security implications for enterprise adoption

OpenAI has launched a $100 monthly Pro subscription tier matching Anthropic's Claude pricing, reflecting competitive pressure in the generative AI market. This pricing escalation may influence how organisations evaluate AI tool security postures and dependency risks.

11 April 2026OpenAI, Anthropic, Enterprise organisations adopting generative AI

highCampaignResolved

German Law Enforcement Unmasks REvil and GandCrab Operator: Attribution and the Limits of Operational Security

German authorities have publicly identified Daniil Maksimovich Shchukin, a 31-year-old Russian national, as the operator behind the REvil and GandCrab ransomware groups. The disclosure represents a significant attribution success but raises questions about law enforcement coordination and timing given the geopolitical context.

6 April 2026REvil victims (2019-2021), GandCrab victims (2019-2021), German organisations (130+ incidents)

criticalCampaignContained

Six-month DPRK social engineering campaign nets $285M from Drift DEX, exposing sustained targeting of crypto infrastructure

North Korean threat actors conducted a methodical six-month social engineering operation against Drift, a Solana-based decentralised exchange, culminating in a $285 million theft in April 2026. The campaign demonstrates DPRK's shift toward patient, targeted infiltration of high-value cryptocurrency platforms rather than opportunistic attacks.

6 April 2026Drift (Solana DEX)

criticalCampaignResolved

Automated credential harvesting via React2Shell exploitation in Next.js applications represents shift toward industrialised supply-chain attacks

Threat actors are conducting large-scale automated attacks exploiting CVE-2025-55182 (React2Shell) in vulnerable Next.js applications to harvest credentials at scale. This represents a shift from opportunistic patching cycles to industrialised credential theft targeting the JavaScript framework ecosystem.

CVE-2025-55182

6 April 2026Next.js, React applications

highCampaignResolved

QR code pivot in traffic violation scams reflects attacker adaptation to SMS filtering

Scammers are distributing fake traffic violation notices via SMS with embedded QR codes that direct victims to phishing sites harvesting payment details and personal information. The shift to QR codes likely reflects successful SMS URL filtering deployed by carriers.

6 April 2026SMS users across United States, Mobile users

criticalVulnerabilityResolved

Budibase Unauthenticated RCE via Public Webhook + Bash Automation Template Injection

An unauthenticated attacker can execute arbitrary code as root by POSTing to a public webhook endpoint that triggers automation workflows containing Bash steps with unsanitized template processing. This requires zero authentication and demonstrates complete server compromise.

CVE-2026-35216

5 April 2026Budibase/budibase

highVulnerabilityResolved

Server-Side Request Forgery (SSRF) via HTTP Redirect Bypass in pyLoad – Incomplete CVE-2026-33992 Fix

pyLoad's fix for CVE-2026-33992 validates only the initial download URL but fails to validate HTTP redirect targets, allowing authenticated attackers to reach internal addresses. The PoC demonstrates that pycurl's automatic redirect following (FOLLOWLOCATION=1, MAXREDIRS=10) completely bypasses IP filtering.

CVE-2026-33992CVE-2026-35459

5 April 2026pyLoad/pyload

criticalVulnerabilityResolved

FortiClient EMS pre-authentication bypass enables unauthenticated privilege escalation in active exploitation

Fortinet released emergency patches for CVE-2026-35616, a pre-authentication API access control flaw in FortiClient EMS that allows unauthenticated attackers to escalate privileges. The vulnerability is being actively exploited in the wild.

CVE-2026-35616

5 April 2026Fortinet FortiClient EMS

criticalSupply ChainResolved

NPM supply-chain attack: 36 Strapi lookalike packages deploy database exploits and persistent implants

Researchers identified 36 malicious npm packages masquerading as Strapi CMS plugins that exploit Redis and PostgreSQL instances, harvest credentials, deploy reverse shells, and install persistent implants. This represents a coordinated supply-chain attack targeting development environments with potential access to production infrastructure.

5 April 2026npm registry, Strapi CMS, Node.js developers +2

highPolicyResolved

LinkedIn's covert extension scanner reveals mass surveillance infrastructure at scale

LinkedIn deployed hidden JavaScript code scanning visitor browsers for 6,000+ Chrome extensions and collecting device fingerprinting data without explicit user consent, raising questions about the scope and legitimacy of data collection practices by major platforms.

5 April 2026LinkedIn, Chrome browser users

highCampaignResolved

OAuth Device Flow Abuse: 37x Surge in Account Hijacking via Weaponised Phishing Kits

Device code phishing attacks exploiting OAuth 2.0's Device Authorization Grant flow have increased 37-fold this year, with automated kits now widely available. Attackers bypass traditional MFA by tricking users into authorising malicious device registrations, gaining account access without credentials.

5 April 2026Microsoft, Google, GitHub +1

criticalSupply ChainContained

North Korean actors used Microsoft Teams spoofing to compromise Axios npm package maintainer

A developer maintaining the widely-used Axios HTTP client was socially engineered via a fake Microsoft Teams error message, leading to credential compromise and potential package poisoning. This demonstrates how supply-chain attacks exploit human trust in familiar platforms rather than technical defences.

5 April 2026Axios, npm ecosystem

criticalVulnerabilityResolved

PraisonAI WebSocket Gateway Missing Authentication – Agent Enumeration and Arbitrary Message Injection

PraisonAI Gateway exposes unauthenticated `/info` and `/ws` endpoints, allowing attackers to enumerate all registered agents and inject arbitrary messages without credentials. The PoC demonstrates network-adjacent exploitation with zero authentication barriers.

CVE-2026-34952

2 April 2026PraisonAI/praisonai