Attacks & Vulnerabilities
ShinyHunters claim they have cruise giant Carnival's booty as 7.5M emails surface (2 minute read)
Have I Been Pwned flagged 7.5 million email addresses from Holland America Line's Mariner Society loyalty program. ShinyHunters published the data after ransom talks failed, claiming to hold terabytes of corporate data. Carnival says a phishing attack affected a single user account, but the scope of the breach remains unclear. Exposed data includes names, birth dates, and membership details.
Bad Connection: Uncovering Global Telecom Exploitation by Covert Surveillance Actors (30 minute read)
Citizen Lab mapped live SS7 and Diameter attack telemetry to specific operator identifiers for the first time, exposing two long-running covert surveillance campaigns (STA1 and STA2) that exploited the global telecom interconnect ecosystem to track high-value targets across borders. STA1 rotated between 3G and 4G protocols using legitimate signaling identities from Tango Networks UK, 019Mobile Israel, and infrastructure spanning nine countries to evade firewalls, while STA2 deployed a SIMjacker zero-click binary SMS exploit linked to Swiss commercial surveillance vendor Fink Telecom Services, with over 15,700 tracking attempts dating back to October 2022. The findings expose systemic governance failures across the interconnect ecosystem, in which legacy peer-to-peer trust models, weak IPX screening, and unregulated Global Title leasing enable commercial surveillance vendors (CSVs) to operate as "ghost operators" within mobile networks for years without detection.
Critical bug in CrowdStrike LogScale let attackers access files (3 minute read)
CrowdStrike has patched CVE-2026-40050, a critical unauthenticated path-traversal flaw in a LogScale self-hosted cluster API endpoint that allows remote attackers to read arbitrary files from the server's filesystem, potentially exposing configuration files, credentials, and internal data. The bug was found through internal product testing with no observed exploitation; it does not affect Next-Gen SIEM customers, and SaaS customers were mitigated on April 7 via network-layer controls applied across all clusters. Self-hosted LogScale operators must upgrade to the patched version immediately, since compromise of a log management platform at the heart of SOC operations could let attackers disable alerts, suppress logs, and pivot laterally undetected.
Snow Flurries: How UNC6692 Employed Social Engineering to Deploy a Custom Malware Suite (21 minute read)
UNC6692 ran a staged intrusion starting with heavy email spam and Microsoft Teams phishing, luring victims into installing a fake “Mailbox Repair Utility” delivered via a malicious Edge-only landing page that harvests credentials and drops AutoHotKey-based loaders. The operation installed the SNOWBELT browser extension plus SNOWGLAZE and SNOWBASIN Python components to maintain a WebSocket tunnel, run a local bindshell, move laterally with PsExec and RDP, and exfiltrate data through S3- and Heroku-hosted C2 infrastructure, all mapped to concrete IOCs and ATT&CK techniques for defenders.
State of Vibe-Coded Security (4 minute read)
A scan of 4,783 AI-assisted apps turned up 727 critical and over 5,000 high-severity issues; 7% of Lovable and Bolt apps exposed Supabase databases publicly, while a YC control group had none. Several production systems leaked real data: therapy billing and schedules, full booking histories with chat logs, patient records reachable by changing an ID, CRM tables via public anon keys, and college enrollment data. Most criticals came from Supabase row-level security (RLS) left disabled, followed by client-exposed API keys, IDOR, unauthenticated OpenAPI endpoints, and AI-written code that referenced nonexistent security checks.
Inside the computers of DPRK IT workers (8 minute read)
NoxHunt pivoted from ZachXBT's April 8 investigation into the luckyguys[.]site payment hub to retrieve infostealer logs from two DPRK IT worker devices via STEALINT, revealing the tradecraft behind the fraudulent freelance ecosystem. Both operators ("SuperDev" and "DevWisdom") used Korean Windows installs behind Astrill VPN with US/Japan exit nodes, used DeskIn and AnyDesk for remote work, maintained multiple fake GitHub portfolios with many repos across languages, and used AI interview copilots like jobright.ai and ntro.io while targeting Middle East clients, including fake Saudi gym brands linked to the Memvera/Shijazi88 persona. Defenders should look for Astrill VPN ranges, DeskIn/AnyDesk pairings, recent fake GitHub accounts with diverse languages and recycled repos, and virtual number providers on freelance platform signups.
RedAI (GitHub Repo)
RedAI is a terminal workbench for AI-driven vulnerability discovery and live validation, going beyond static scanning by spinning up validator agents inside the target to confirm or disprove findings. Scanner agents (Claude Code or Codex) triage source code into candidates, then validator agents execute PoC scripts, hit endpoints, click UI, and capture evidence like screenshots, transcripts, and logs. Built on Bun, it includes Chrome and iOS Simulator environments. RedAI treats validation targets as plugins, allowing extension to Linux VMs, Android emulators, Kubernetes, or embedded devices, with verdicts and full artifacts in Markdown, HTML, and JSON reports.
Trailmark (GitHub Repo)
Trail of Bits' Trailmark parses source code into queryable graphs of functions, classes, calls, and semantic annotations, using tree-sitter for AST parsing and rustworkx for graph traversal. It supports 21 languages, including Python, Rust, Go, Solidity, Cairo, and Circom, and exposes a QueryEngine API with security-focused operations. Trailmark also augments graphs with SARIF and weAudit findings, and supports structural diffing between git refs to surface attack-surface changes across PRs.
Copperhelm (Product Launch)
Copperhelm is a cloud security platform that enables autonomous agents to monitor cloud workloads, investigate suspicious behavior, and apply targeted controls, such as WAF rules, in real time for large enterprises.
Researchers Uncover Pre-Stuxnet 'fast16' Malware Targeting Engineering Software (4 minute read)
Fast16 is a Lua-based malware from 2005 that predates Stuxnet by five years. It targets high-precision calculation software like LS-DYNA, PKPM, and MOHID to inject systematic errors into engineering and physics simulations. The malware spreads through weak credentials and avoids systems with antivirus software installed. Forensic links tie it to NSA tools leaked by The Shadow Brokers.
Bitwarden Statement on Checkmarx Supply Chain Incident (8 minute read)
A malicious @bitwarden/cli@2026.4.0 npm package, downloaded by 334 users between 5:57 and 7:30 PM ET on April 22, was contained within 93 minutes. It was part of the broader Checkmarx supply chain compromise, which reached Bitwarden through a malicious Checkmarx VSCode extension on an engineer's workstation rather than through a CI/CD dependency. The package's preinstall script ran credential theft at install time alone, lifting tokens, SSH keys, and environment secrets, though analyses confirmed that vault data remained out of scope. Bitwarden issued a CVE, deprecated the package, shipped 2026.4.1, and directed impacted users to rotate exposed secrets, audit GitHub workflows and CI credentials, and clear npm caches with install scripts disabled during cleanup.
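The preinstall hook is what made this package dangerous on `npm install` alone. As an added example (not Bitwarden's, Checkmarx's, or the newsletter's code), the audit below walks a node_modules tree and reports every package that declares an install-time lifecycle script, so hooks can be reviewed before scripts are re-enabled during cleanup; the package names and manifests it builds are constructed.

```python
"""Audit an npm install tree for install-time lifecycle hooks (added example).

Walks node_modules, reads each package.json, and reports packages that declare
preinstall/install/postinstall scripts, since those execute during `npm install`
without the package ever being run. Pair with `npm ci --ignore-scripts` while
cleaning up, then review the reported hooks before re-enabling scripts.
"""
import json
import tempfile
from pathlib import Path

# npm runs these automatically when a dependency is installed from the registry.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_install_hooks(node_modules: str) -> list[dict]:
    """Return one record per package that declares an install-time script."""
    findings = []
    for pkg_json in sorted(Path(node_modules).rglob("package.json")):
        try:
            meta = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, don't abort the audit
        scripts = meta.get("scripts") or {}
        hooks = {k: scripts[k] for k in INSTALL_HOOKS if k in scripts}
        if hooks:
            findings.append({
                "name": meta.get("name", str(pkg_json.parent)),
                "version": meta.get("version", "?"),
                "hooks": hooks,
            })
    return findings


def demo() -> list[dict]:
    """Build a constructed node_modules tree (one clean, one hooked package) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "node_modules"
        clean = root / "example-lib"        # constructed: no install hooks
        hooked = root / "@example" / "cli"  # constructed, hypothetical scoped package
        for d in (clean, hooked):
            d.mkdir(parents=True)
        (clean / "package.json").write_text(json.dumps(
            {"name": "example-lib", "version": "1.0.0", "scripts": {"test": "node test.js"}}))
        (hooked / "package.json").write_text(json.dumps(
            {"name": "@example/cli", "version": "0.0.1",
             "scripts": {"preinstall": "node setup.js", "build": "tsc"}}))
        return find_install_hooks(str(root))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['name']}@{f['version']}: {f['hooks']}")
```

Only `scripts.build` and `scripts.test` are ignored here because they never run on install; a hooked package is reported even when the hook command looks harmless, since the command text alone does not prove what the referenced script does.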
GPT-5.5 Bio Bug Bounty to Strengthen Advanced AI Capabilities (2 minute read)
OpenAI has announced a new Bio bug bounty program for its GPT-5.5 model. The challenge is to find a universal jailbreak that gets the model to answer the 5 challenge problems OpenAI prepared. Participation is by invitation or application only, and the challenge applies only to the model running in Codex Desktop.