Attacks & Vulnerabilities
|
Progress warns of critical MOVEit Automation auth bypass flaw (2 minute read)
CVE-2026-4670 is a critical authentication bypass in MOVEit Automation affecting versions before 2025.1.5, 2025.0.9, and 2024.1.8. This vulnerability is exploitable remotely without privileges or user interaction, alongside a high-severity privilege escalation flaw, CVE-2026-5174. PwnDefend's Daniel Card identified over 1,400 internet-exposed MOVEit Automation instances via Shodan, including more than a dozen linked to US state and local government agencies. Given Clop's history of mass-exploiting MFT platforms such as Accellion FTA, SolarWinds Serv-U, GoAnywhere, Cleo, and the 2023 MOVEit Transfer campaign that affected more than 2,100 organizations, defenders should immediately apply the full installer upgrade and audit exposure.
|
Salt Typhoon breach IBM subsidiary in Italy: a warning for Europe's digital defenses (2 minute read)
Italian outlet La Repubblica attributed an April 2026 breach of Sistemi Informativi, the IBM Italy subsidiary that runs IT infrastructure for Italian public agencies and critical industries, to China-linked APT Salt Typhoon, citing intelligence sources, though IBM's confirmation stopped at "identified and contained" with no scope disclosed. Salt Typhoon's tradecraft favors Citrix and Cisco zero-days and supply-chain footholds over phishing, with 2025–2026 victims including Viasat, Canadian telecoms, the US Army National Guard, and Dutch government networks. A managed-services provider compromise of this depth is a one-to-many pivot into Italian government databases, so defenders at MSP-dependent organizations should hunt for prolonged low-volume exfiltration on telecom and edge appliances and review third-party access scopes.
|
|
Cross-Session Activation (8 minute read)
Purple Team detailed Cross-Session Activation (MITRE T1021.003), a DCOM lateral movement technique where elevated attackers hijack CLSIDs configured with RunAs=Interactive User to execute code inside another logged-in user's session via CoCreateInstanceEx and SetSessionId, with PoCs from Michael Zhmailo (IHxExec, sppui), Andrew Oliveau (SessionHop), and tooling like PermissionHunter, ComDiver, and ComHijackWrite. High-priority hijackable AppIDs include Speech Runtime, sppui, Auth UI CredUI, ShellServiceHost, and ActivatableApplicationRegistrar, all reachable once Remote Registry is started and a DLL is dropped via admin share. Defenders should hunt anomalous HelpPane.exe and slui.exe child processes (Event ID 4688), enable Audit Registry on the listed CLSIDs to capture Event ID 4663, and verify EDR hooks on WTSEnumerateSessions/WinStation* APIs used during session discovery.
|
"AccountDumpling" – The Google-Sent Phishing Wave Hijacking 30k Facebook Accounts (14 minute read)
A Vietnamese-linked group abuses Google AppSheet to send fully authenticated phishing emails that target Facebook business and high-value accounts, leading to at least 30,000 compromises. The campaign uses four main lures: Netlify-hosted fake Facebook help centers, Vercel-hosted “security” and blue badge flows, Google Drive PDFs that hide live phishing panels, and recruiter-style job approaches that move victims into one-to-one conversations. Stolen credentials, IDs, and 2FA codes flow into Telegram bots where operators take over accounts, resell access, and run recovery-for-hire schemes tied to identifiable Vietnamese personas and infrastructure.
|
Building an AI Ready Vulnerability Management Platform After NVD Changes and Claude Mythos (5 minute read)
The NVD recently announced that, due to the increase of vulnerabilities from AI tools like Claude Mythos, they would only be enriching CVEs for vulnerabilities in the KEV, software used in government systems, or software that is deemed critical. Many security tools and teams build their programs around CVEs and prioritization around CVSS scores, which will now be missing from many vulnerabilities. Security teams should prepare by proactively making architectural changes and adding guardrails to harden systems, and consider adding runtime security tooling.
|
|
VanGuard (GitHub Repo)
VanGuard is a single-binary Go-based DFIR toolkit that consolidates triage, threat hunting, memory forensics, disk collection, and Velociraptor lifecycle management for Windows and Linux, with full air-gap support and zero installation required. The toolkit ships 28 pre-built MITRE ATT&CK-mapped use cases, integrates Hayabusa, Chainsaw, Loki, YARA, KAPE, EZ Tools, UAC, WinPMEM, AVML, and Volatility3, and supports remote operations over WinRM, SSH, and PSExec with bounded concurrency. Evidence integrity is built in via dual MD5+SHA256 hashing at collection time, an append-only chain-of-custody record, and HMAC-SHA256 tamper-evident audit logging, with credentials never written to disk or logs.
|
ship-safe (GitHub Repo)
ship-safe is an MIT-licensed Node CLI that bundles 23 parallel agents for secrets, OWASP Web/Mobile/LLM/API Top 10, supply-chain typosquatting, CI/CD pipeline poisoning, MCP tool injection, and prompt injection in .cursorrules and CLAUDE.md, with a REPL that previews diffs before writing and routes dependency audits to npm audit, pip-audit, or bundle-audit. The agentic fix loop sends findings to Claude for REAL/FALSE_POSITIVE classification, rewrites hardcoded secrets to process.env, and opens provider revocation dashboards for OpenAI, Anthropic, GitHub, Stripe, AWS, GCP, and Supabase.
|
|
Claude Code Leak: 8100 Takedown Requests and the Birth of Claw-Code (5 minute read)
An accidentally published source map file at Anthropic exposed over half a million lines of Claude Code's source code, with security researcher Chaofan Shou first spotting the public directory and tracing the compiled code back to its originals before mirrors spread across GitHub. Anthropic responded with more than 8,100 DMCA takedown requests (later narrowed to roughly 100 specific copies), but Korean developer Sigrid Jin used OpenAI's Codex to produce Claw-Code, a Python rewrite of the agentic framework that became the fastest-growing repo in GitHub history and is reportedly being adopted by xAI. The incident raises a thorny authorship question — Claude Code was reportedly ~90% AI-written, and US courts have held that fully autonomous AI creations don't qualify for copyright protection — leaving Anthropic in the awkward position of enforcing rights on largely machine-generated code while also exposing how brittle the DMCA process is when platforms must remove content without judicial review.
|
CTFs in the AI Era (5 minute read)
Laurence Tennant of Include Security recounts BSidesSF 2026, where 16 teams fully solved every CTF challenge (versus one team in 2025) because Claude Code, Codex, and similar agents now crack easy-to-medium challenges including binary exploitation within minutes, shifting the competition from solving skill to infrastructure spend. Top teams ran auto-scraping pipelines that spawn parallel agents the moment a challenge drops and auto-submit flags, with the winning team open-sourcing a coordinator-LLM architecture that runs GPT-5.4-mini, Claude Opus 4.6 max-effort, and others in parallel and shares discoveries between stuck agents. Automated CTF success doesn't translate cleanly to pentesting because real engagements lack the unambiguous flag, bounded codebase, and consequence-free environment that make CTFs an ideal LLM testbed, with false positive triage, scope discipline, and business context still requiring human judgment.
|
Microsoft Defender Glitch Breaks Secure Systems by Flagging DigiCert Certificates (2 minute read)
A faulty Microsoft Defender intelligence update on May 3 wrongly tagged DigiCert root certificates as Trojan:Win32/Cerdigent.A!dha, leading endpoints to quarantine or remove them and breaking certificate-based trust. Users saw TLS sites fail, apps break, and updates stop, while admins initially suspected an active attack. Microsoft pushed corrected definitions and urged rapid Defender updates plus checks for stripped certificates.
|
|
Microsoft confirms April Windows updates cause backup failures (2 minute read)
Microsoft confirmed that April 2026 security updates added the psmounterex.sys kernel driver to the Vulnerable Driver Blocklist to mitigate CVE-2023-43896 (a high-severity buffer overflow enabling privilege escalation or arbitrary code execution), causing VSS snapshot timeouts and image-mount failures in Macrium Reflect, Acronis Cyber Protect Cloud, UrBackup Server, and NinjaOne Backup on Windows 10, 11, and Server.
|
|
Love TLDR? Tell your friends and get rewards! |
|
Share your referral link below with friends to get free TLDR swag!
|
|
|
|
| Track your referrals here. |
|
|
|
0 Comments