Microsoft on Tuesday released fixes for two high-severity zero-days that were disclosed by a researcher who has been locked in a testy beef with the software giant.

Nightmare Eclipse, the pseudonym the researcher goes by, released a handful of high-severity vulnerabilities in recent months, making them zero-days that had the potential to be exploited in the wild. The researcher has said the disclosures, which included proof-of-concept code, came after Microsoft reneged on an arrangement the two made regarding vulnerabilities they had discussed.

Disclosure drama

“But someone violated our agreement and left me homeless with nothing,” Nightmare Eclipse wrote in March. “They knew this will happen and they still stabbed me in the back anyways, this is their decision not mine.”

As part of June’s vulnerability patch batch release, Microsoft issued a fix for CVE-2026-45586. Nightmare Eclipse disclosed the vulnerability and limited PoC code in May under the name GreenPlasma. The vulnerability is a local privilege escalation, meaning it can be chained to a separate vulnerability to give users or processes with low-level privileges the ability to defeat OS protections and gain full SYSTEM rights needed to install malware.

Microsoft said CVE-2026-45586 required minimal complexity to exploit, required no user interaction, and that chances of active exploitation in the wild were likely. The vulnerability, the company added, was the result of “improper link resolution before file access (‘link following’) in [the] Windows Collaborative Translation Framework.” There are no indications that the vulnerability has been actively exploited so far.

Tuesday’s patch bundle also fixed MiniPlasma, a separate vulnerability disclosed by Nightmare Eclipse. Microsoft said in an email that the vulnerability is tracked as CVE-2020-17103, a vulnerability Microsoft first fixed six years ago. That means MiniPlasma was the result of a regression or an incomplete patch in its initial form. The company is in the process of updating Tuesday’s bulletin to note the republication.

Microsoft has yet to release patches for other vulnerabilities disclosed by Nightmare Eclipse. The company did provide manual instructions for mitigating YellowKey, a vulnerability that allows attackers to defeat Bitlocker full-disk encryption. That could be a boon when attackers have physical access to a device (the precise scenario Bitlocker is designed to protect against). The company has yet to fix the underlying cause of the vulnerability.

The status of other vulnerabilities disclosed by Nightmare Eclipse are also unclear at the moment. The researcher named one vulnerability, present in Windows Defender RedSun. Another, named BlueHammer, is also a local privilege escalation flaw that provides SYSTEM rights.

Over the past few months, Nightmare Eclipse has taken multiple potshots at Microsoft. The specific criticisms remain unclear, but many make references to complaints about the company’s vulnerability disclosure program. Microsoft, in turn, has publicly railed against the researcher for “not responsibly” disclosing the vulnerabilities and made a vailed reference to the possibility of pursuing legal action. After a public backlash, Microsoft later relented and vowed no such legal action would occur.

On Tuesday, Nightmare Eclipse published exploit code for a new Windows vulnerability. It’s a race condition that targets Defender.

Tuesday’s patch batch included fixes for roughly 200 vulnerabilities. Notwithstanding the appearance that MiniPlasma was fixed, two of them were also confirmed as zero-days.

Post updated to include information Microsoft provided after initial publication of this post.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Wednesday 10 June 2026 at 9:58 am AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of May) 2,092

RIP Matrix

CUPERTINO, California—Apple announced earlier this year that its long-delayed Siri upgrade, announced this week as “Siri AI,” would use Google’s Gemini language models. What the company confirmed at its Worldwide Developers Conference yesterday was that it also ran on Nvidia hardware installed in Google servers. But the company is still making the same privacy promises it did before, when all of its AI models were either running locally on your devices or on Apple-controlled server hardware.

For years, Apple has touted user privacy as a key benefit of using its platforms. Its cloud services use encryption that’s intended to keep other people—including Apple employees—from being able to gain access to it. And the company has long advertised its use of on-device processing for things like scanning images, keeping as much data as possible from leaving your device in the first place.

But with Apple Intelligence, Apple has run up against the limits of its own hardware. The kinds of language and reasoning models that can run locally on an iPhone or Mac are relatively small, limiting their capabilities and accuracy. Apple’s Private Cloud Compute system was a partial solution but relied on Apple’s own server hardware; to get the kind of capacity it would need to support Siri AI, Apple would have had to commit to a huge data center buildout that it has so far avoided.

Apple’s Craig Federighi and other Apple executives got on a smaller stage after the WWDC keynote to explain to the press and other media how it planned to preserve user privacy while still getting the kind of compute capacity it needed and what its partnership with Google meant.

Taking Private Cloud Compute on the road

Federighi outlines the high-level architecture of its new Apple Intelligence capabilities.

Credit: Andrew Cunningham

“This is the amount of the Google Assistant we use, which is none,” says Federighi, standing in front of a blank slide in a much more intimate theater than the giant outdoor auditorium where he had introduced CEO Tim Cook a couple of hours before.

Federighi has just outlined a “traditional chatbot architecture”—a client app running on your device that reaches out to cloud-based models running on third-party servers. Those models can then reach out to Google Search or something similar “to [ground themselves] in world knowledge.”

Apple’s system still depends on an on-device model for simpler queries. In this year’s OS releases, most Apple Intelligence devices get AFM 3 Core, a new Gemini-based model co-developed by Google and Apple. Newer devices with at least 12GB of RAM and a relatively recent chip (M3 and newer for Macs, M4 and newer for iPads, just the A19 Pro for iPhones) use AFM 3 Core Advanced instead, which leverages the extra hardware as well as your device’s storage to function (it’s used to improve dictation and power Siri’s more expressive voice).

For “more sophisticated” questions, your device will contact cloud-based models, again co-developed by Apple and Google: a general-use model called AFM 3 Cloud, an image-generation model called ADM 3 Cloud, and an advanced model called AFM 3 Cloud Pro for “agentic tool use and complex reasoning.” The first two models, Apple says, still run on Apple’s silicon on Apple’s servers. The Cloud Pro model is the one running on Google-owned Nvidia hardware.

To do this while still making the same privacy promises, Apple has introduced a new iteration of Private Cloud Compute, this one designed to run on third-party hardware. Apple is using Nvidia’s Confidential Computing, Intel’s Trust Domain Extensions, and Google’s Titan security chip to provide layers of protection similar to what Apple provides for its own servers. To provide additional protection, Apple keeps “a cryptographically verifiable, append-only ledger of all Google Cloud hardware that is part of the PCC fleet,” and Apple’s devices will only trust software on these servers that is signed by Apple.

The Google Cloud servers don’t yet support all the same protections as Apple’s own Private Cloud Compute servers, but Apple says it “will be gradually ramping towards the complete set of protections throughout the summer preview period.”

Important decisions, like which model to use and what apps have access to what data, are handled by an on-device feature Apple calls the “System Orchestrator.” Among its duties is making sure that only the data needed to answer a user query is sent off-device in the first place (your device could generate an answer about a recipe you were sent in the Messages app, for example, without getting information about the person who sent it to you, when they sent it, or why they were sending it).

“While we absolutely minimize what is sent up to PCC, the critical thing about PCC is, architecturally, that’s at that point an efficiency measure,” said Federighi. “Because PCC itself, by design from the ground up, is going to vaporize any record of that data the moment after it answers your question… This is not stored. It’s all in a form where it’s completely transient.”

Siri AI and the other new Apple Intelligence features will launch as part of iOS 27, iPadOS 27, macOS 27 Golden Gate, and Apple’s other operating system releases this fall. The first beta versions are available to developers now, but most people would be better served by waiting until July to try it, when a more stable public beta version will be released.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Wednesday 10 June 2026 at 7:50 am AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of May) 2,092

RIP Matrix

"Google is aware that an exploit for CVE-2026-11645 exists in the wild," the company said in a Monday security advisory.

The company fixed the zero-day for users in the Stable Desktop channel, with patched versions rolling out worldwide to Windows (149.0.7827.102), Mac (149.0.7827.103), and Linux (149.0.7827.102) systems two weeks after an anonymous security researcher reported it to Google.

While Google says the security update could take days or weeks to reach all Chrome users, the update was available immediately when BleepingComputer checked for updates earlier today.

Users who prefer not to manually update their web browser can rely on Chrome to automatically check for updates and install them during the next launch.

This high-severity zero-day vulnerability (CVE-2026-11645) stems from an out-of-bounds read and write weakness in the Chrome V8 JavaScript engine, which remote attackers can exploit via crafted HTML pages to execute arbitrary code inside the web browser's sandbox.

Successful exploitation enables them to access data beyond the memory buffer via heap corruption, exposing sensitive information or triggering a crash.

Besides unauthorized access to out-of-bounds memory, the now-patched zero-day bug could also be exploited to bypass protection mechanisms such as ASLR, making it easier to achieve code execution via another weakness.

While Google said it was aware of CVE-2024-0519 zero-day exploits used in attacks, the company has not yet shared further details about these incidents.

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google said. "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed."

Since the start of the year, Google addressed four more zero-days exploited in attacks:

• An iterator invalidation bug (CVE-2026-2441) in CSSFontFeatureValuesMap (Chrome's implementation of CSS font feature values), which Google addressed in mid-February.
• Two other Chrome zero-day bugs exploited in attacks in March: an out-of-bounds write weakness in the Skia 2D graphics library (CVE-2026-3909), and an inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine (CVE-2026-3910).
• And a use-after-free weakness in Dawn (CVE-2026-5281), the underlying cross-platform implementation of the WebGPU standard used by the Chromium project, which Google patched in April.

Last year, Google fixed another eight zero-days exploited in the wild, many of them reported by the company's Threat Analysis Group (TAG), which is known for identifying and tracking zero-day exploits used in spyware attacks.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Tuesday 9 June 2026 at 5:36 pm AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of May) 2,092

RIP Matrix

Dozens of cryptographically verified open source packages from Microsoft were compromised late last week to add advanced credential-stealing code that was triggered when developers opened them in AI coding agents.

In all, multiple researchers said, 73 packages were flagged as malicious when automated systems on GitHub blocked them on the platform. Rather than noting they are malicious—and that developers who used AI agents to work with them should assume their systems are compromised—the Microsoft-owned GitHub said it disabled the packages “due to a violation of GitHub’s terms of service.” The text went on to encourage the package owner to contact GitHub.

Devs: Assume compromise and proceed accordingly

It wasn’t until Monday that Microsoft even raised the possibility the packages were infected. In an email, the company stated: “We have temporarily removed some repositories as we investigate potential malicious content.”

The incident is the second supply-chain attack in as many months to breach an official Microsoft repository account. In mid May, the firm StepSecurity documented the compromise of Microsoft’s durabletask Python SDK on PyPI. The package is a framework for building fault-tolerant workflows and orchestrations to automate distributed transactions and other workflows. It receives 400,000 downloads per month.

The compromise packages executed a 28 KB payload that steals credentials from AWS, Azure, GCP, Kubernetes, password managers, and over 90 developer tool configurations. It then spreads laterally through cloud infrastructures to infect other developer machines. The attack, which has been linked to a threat actor tracked as TeamPCP, poisoned the durabletask package after compromising Microsoft credentials for publishing the package. The technique allows attackers to bypass the repository’s build pipeline entirely.

The malware used in the attack is tracked as Miasma. It’s essentially a clone of TeamPCP’s Mini Shai-Hulud toolkit, which the threat actor open-sourced recently. Security firm Cloudsmith said the malware harvests OIDC (OpenID-Connect) token credentials that are used in SLSA (Supply-chain Levels for Software Artifacts) provenance attestation, a method for providing cryptographically signed guarantees of a software’s integrity.

As was the case in the May compromise of Microsoft’s durabletask, the one last week made use of the functionality to steal a legitimate Microsoft OIDC token. It was also used in a separate supply-chain attack poisoning dozens of Red Hat packages.

“The genius of this Miasma worm lies in how it adhered to legitimate workflows,” Cloudsmith said. “It does not exploit any software vulnerability in GitHub or npm. Instead, it exploits the underlying trust model of the modern engineering ecosystem.” The company continued:

Compromised dev creds led to a legitimate GitHub OIDC token being requested. This was followed by a malicious build being published with valid SLSA provenance, which ultimately led to conventional scanners seeing it as a routine trusted update. By stealing legitimate maintainer credentials, the worm was able to act exactly as an authenticated publisher would have.

 

Furthermore, Miasma generates a uniquely encrypted payload for each individual infection. This means traditional hash-based IOCs are functionally useless for broad detection, as the file signature changes with every single package version. Andrew McNamara of Red Hat explained in a dedicated blog post where SLSA’s boundaries fall short.

 

While previous iterations of the Mini Shai-Hulud malware have focused purely on local secret scraping, the Miasma worm appears to have advanced data collectors specifically engineered for cloud identities in GCP and Azure. It attempts to harvest every cloud identity the infected developer machine and CI/CD runners have access to, proving a clear intent from the threat actors to leverage access away from the codebase and directly into live cloud environments.

The credential-stealing function in the Miasma worm infecting the Microsoft packages was triggered as soon as a developer opened it in AI agents, including Claude Code, Gemini CLI, Cursor, and VS Code. Follow-on attacks are likely to occur in the highly feasible event that credentials were successfully harvested from machines that opened the packages in one of the affected AI agents.

The Microsoft GitHub account compromised in the May attack is the same one used late last week. The explanation for this double compromise isn’t currently known. It may mean that Microsoft failed to fully change credentials for the account. It might also be the result of an unknown package run on a Microsoft developer machine that stole the new credentials. Microsoft isn’t providing details at the moment.

The self-replicating cryptographic verification of the malicious packages and the ability to bypass hash-based detection make the attacks difficult to detect. And as the subsequent compromise of the same Microsoft account shows, these breaches can be hard to fully remediate. Anyone who touched any one of the 73 packages—listed here—should drop whatever else they’re doing and thoroughly investigate, lest there are any compromised credentials that will be used in future attacks.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Tuesday 9 June 2026 at 7:47 am AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of May) 2,092

RIP Matrix

Microsoft releases new Windows Defender update packages very frequently to protect against various newly discovered malware. Once a while every three months or so, the company also pushes out these updates to Windows images (WIM and VHD) and ISOs, that are used to install Windows. Hence with the newest Windows 11 update available via the official MCT tool, you should get these definitions.

This update package is necessary as a Windows installation image may contain old, outdated anti-malware definitions and software binaries. Aside from better security, these updates can also provide improved performance benefits in some cases.

When a new Windows installation is set up, there may be a temporary security risk due to outdated Microsoft Defender protection in the OS installation images. This happens because the antimalware software included in these images might not be up to date. Thus Microsoft says that these updated definitions essentially help close this protection gap.

Microsoft delivered the latest security definitions for Windows images via security intelligence update version 1.445.323.0. The Defender package version is also the same. It applies to Windows 11, Windows 10 ESU, Windows 10 Enterprise LTSC 2021, Win 10 Ent LTSC 2019, Win 10 Ent LTSB 2016, Windows Server 2022, Windows Server 2019, and Windows Server 2016.

Microsoft writes: "This package updates the anti-malware client, anti-malware engine, and signature versions in the OS installation images to following versions:

• Platform version: 4.18.26040.7
• Engine version: 1.1.26040.8
• Security intelligence version: 1.447.236.0"

From Microsoft's security bulletin, we learn that the security intelligence update version 1.447.236.0 was released early last month and adds threat detections for various malware like trojan, backdoor exploits, ransomware, stealers, AutoKMS, and more.

For those wondering, the latest intelligence update is version 1.451.297.0 at the time of writing.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Sunday 7 June 2026 at 7:10 am AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of May) 2,092

RIP Matrix

Last month, I reported on Microsoft's plans to retire SMS codes for authentication and account recovery on personal Microsoft accounts. The company stated that SMS-based authentication is a leading source of fraud, and outlined its plans to replace it with more secure options, such as passkeys, authenticator apps, and verified email addresses.

And now, a similar change is making its way to Microsoft’s Chromium-based web browser, Edge. The company recently removed support for the Master Password feature. Microsoft first announced the change during the rollout of Edge version 145, noting its plan to end support for master passwords in the browser’s password manager on June 4, 2026 (via ).

Microsoft is replacing the master password feature in Edge with device-based authentication methods such as Windows Hello (PIN, fingerprint, or facial recognition). The company views Windows Hello as more secure and convenient compared to the custom primary password arrangement. This is because it is less susceptible to sophisticated attacks by bad actors since they'll need your fingerprint, face, or iris scan to access your account.

For context, a master password is designed to let you unlock and access all your online accounts. However, it can be viewed as a risk, especially if a third party knows your custom primary password. This means they can access sensitive data without your consent.

Alternatively, you can use your Windows PC's login, which is restricted to your device's hardware and won't send authentication data to the cloud.

While Windows Hello will seemingly make your passwords and online credentials more secure, the security feature also ships with its own fair share of challenges. In June 2025, multiple reports from web users indicated that Windows Hello no longer worked in the dark.

Microsoft confirmed that it wasn't a bug and that Windows now requires both IR sensors and a webcam that can see your face to sign in. If you've relied on a master password in Edge until now, it's time to consider your options for secure sign-ins — and always keep your passwords safe!

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Saturday 6 June 2026 at 8:01 am AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of May) 2,092

RIP Matrix

Dashlane said that attackers mounted a coordinated hacking campaign against a large base of its users in an attempt to recover as many encrypted password vaults as possible. The password manager provider said fewer than 20 personal user vaults were downloaded before it shut down the operation.

In a campaign that started Sunday, the unknown threat actor abused the mechanism that allows Dashlane users to add new devices, such as computers or phones, to their accounts. By abusing Dashlane’s programming interfaces for device enrollment, the attackers sent requests to large numbers of existing users’ registered email addresses. In an update published Thursday, Dashlane wrote:

The threat actor targeted the API endpoints for device registration and used a brute force attack to send a large volume of automated requests to those endpoints.

 

In response, Dashlane’s automated security systems operated as intended, triggering an automatic lockout of the targeted accounts to protect those users. Before the attack was fully mitigated, the threat actor was able to brute force and generate valid tokens for fewer than 20 personal plan customers, allowing them to register a new device on those accounts and download copies of users’ encrypted vaults.

The flow and strategy of the attack

When a user installs the Dashlane app on a new device and attempts to enroll it in their existing account, Dashlane first verifies the account holder’s identity. This verification is completed by sending a one-time six-digit token to the user’s registered email address (or, for users who have enabled two-factor authentication, by validating a six-digit code generated by their authentication app).

For the registration to succeed, the user must enter this code into the Dashlane application. At this point, Dashlane will approve the enrollment and send a copy of the encrypted vault to the device. Vault contents remain unreadable until the user enters the master password, which acts as a decryption key. As Dashlane explains in its security documentation, the one-time password must be entered on the new, enrolling device for the registration to be successful.

Brute-forcing the one-time code for a single account—meaning iterating through every possible combination until the right one is entered—would be little more than a fool’s errand, even within the three-hour window that the codes remained valid. With 1 million possible valid codes, the attackers would have to cycle through a statistically significant percentage within that period. Rate limiting, in which a set number of requests are allowed per account, would also lock out the account.

To improve their odds, the attackers sent requests to register new devices across a large number of accounts. Then they simultaneously entered the one-time codes into each of them. In theory, attacking two accounts this way increased the odds for each try to 1 in 500,000. Attacking 1,000 accounts would increase the odds to 1 in 1,000, and so on. The more accounts that were targeted, the better the chances one of them will fall. The economics of password spraying work similarly. The technique also weakens rate limiting because the large number of attempts is spread out, limiting the number hitting any single account.

Ultimately, the 2FA spraying attack managed to hit the right combination on fewer than 20 user accounts, according to Dashlane, before it was shut down. The company said it has contacted all those users and that any user who has not already received a notification is unaffected.

For attackers to obtain the decrypted vault contents for those accounts, they would still have to crack the master password. Dashlane makes this process difficult by using an algorithm known as Argon2. It dramatically slows down and intensifies the process of converting the plain-text master password into a cryptographic hash. In turn, entering large numbers of guesses requires a tremendous amount of time and computing resources, even when the cracking is performed using GPUs or special-purpose hardware.

That means the chances of the attackers decrypting one of the encrypted vaults they obtained is very small in the event the master password was strong, meaning long, randomly generated, and has high entropy. However, not everyone uses such master passwords. In the event the master password was included in word lists exchanged by password crackers, the chances of success would be higher, although still unlikely.

Broadly speaking, the incident has similarities to the 2022 LastPass breach, which also allowed attackers to obtain encrypted user vaults. Eventually, the attackers managed to obtain decrypted information from some of them. The success was the result of two things.

First, certain fields, such as website URLs, remained unencrypted in vaults. That meant attackers could read them even without the master password. Second, some of the stolen vaults used outdated algorithms that didn’t adequately intensify the process for converting the plain-text password into a hash. Dashlane has said that no user fields in vaults are unencrypted. Further, when algorithms are periodically strengthened to account for advances in cracking abilities, the process occurs automatically, with no interaction required. The algorithm update process for LastPass vaults at the time came with more user friction.

Dashlane’s initial notification left out key details of the attack and led to considerable confusion about the ongoing risk users faced.

Out of an abundance of caution, both master passwords and the contents of any of the recovered Dashlane vaults should be changed immediately to reduce the chance, however unlikely, that the attackers succeed in breaking the master password. Unaffected Dashlane users don’t need to take any such action.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Friday 5 June 2026 at 11:30 am AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of May) 2,092

RIP Matrix

For the past few years, Microsoft has been phasing out NTLM in Windows in favor of Kerberos-based alternatives. Starting with the next versions of client and server editions of Windows, Microsoft will also be disabling the legacy authentication protocol by default. In the latest security baseline package for Windows Server 2025, the company is already allowing customers to audit incoming configurations. Now, it has announced a wave of changes to further reduce dependencies on NTLM.

With an upcoming Insider release of Windows 11 client and server, certain scenarios which previously required NTLM will be able to fall back on Initial and Pass-Through Authentication using Kerberos (IAKerb) and Local Key Distribution Center (LocalKDC).

For those unaware, IAKerb enables Kerberos to work when a client does not have direct access to a domain controller (DC). While traditional Kerberos authentication requires direct connectivity, IAKerb enables the target service to act as a proxy for the Kerberos-based exchange. It is useful in various enterprise scenarios where the visibility of DCs is restricted, or where client services can reach target services but not relevant DCs.

Meanwhile, LocalKDC enables Kerberos-based authentication for local account scenarios, rather than relying on NTLM. This makes it especially useful on standalone devices, workgroup environments, and more.

Together, IAKerb and LocalKDC will reduce NTLM dependency in both remote enterprise and local environment scenarios. Developers will also be able to rely on modern authentication flows that are consistent and secure. Microsoft understands that while most customers are pivoting away from NTLM due to security concerns, other continue to use the legacy protocol for niche use-cases. It hopes that IAKerb and LocalKDC will help close some of those gaps and enable organizations to ditch NTLM.

With the next Canary Channel release in the Windows Insider Program, Microsoft will be previewing these capabilities. IAKerb will be enabled by default while LocalKDC will be disabled, but users will have the ability to toggle this behavior through Windows Registry keys, as explained here.

As the company gradually moves towards general availability, it will begin surfacing these options in management tools and Group Policy too. For now, Microsoft has heavily encouraged customers still using NTLM to begin testing and validating these security functionalities as soon as they become available in the next preview.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Thursday 4 June 2026 at 8:26 am AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of May) 2,092

RIP Matrix

There’s a lot that doesn’t add up in a security advisory password manager Dashlane published Monday, warning that attackers managed to obtain 20 encrypted user vaults.

“Starting on Sunday, May 31, 2026, an external party launched a brute force attack against certain Dashlane user accounts,” the company said. “The goal of the attack was to brute-force two-factor authentication (2FA) protections to allow the attacker to register new devices on existing user accounts.”

Hello, Dashlane, anybody home?

A Dashlane user who received such a 2FA request provided this screenshot of the notification, which arrived on Sunday.

 

The UK-based user was concerned and contacted Dashlane through a support bot. Ultimately the user got no information about why the notification was sent.

“Then (i) discovered this news from Mastodon infosec and not Dashlane themselves,” the user told me. “Currently trying to find out what has happened! Because how can you trigger a 2fa request if you haven’t got the password 1st? As a paying customer I think I should have known about this from Dashlane and not Mastodon infosec folks.”

Scores of social media discussions are filled with similar comments from users who also don’t understand the basic mechanics of this attack. Typically, 2FA protections take the form of a one-time password generated by an authentication app or sent by text or email. They’re typically six digits long and change every 45 or so seconds, although as the notification above indicates, the code remained valid for three hours.

Brute-forcing is a trial-and-error method that rapidly submits every possible combination until landing on the right one. Under these assumptions, there would be 1 million possible passcodes. A successful breach would require a statistically significant percentage of them to be entered within the three-hour window.

While the resources needed to bombard Dashlane servers with that volume of guesses in such a short period of time are possible, they’re not commonly found in usual brute-force attacks. Dashlane doesn’t explicitly say it placed a rate limit on the number of submissions a user can make, although it appears likely based on language in the advisory saying “Because of the high volume of attempts on user accounts, Dashlane’s security controls automatically locked accounts that were targeted by the attack.” Even assuming there was no rate limiting, it’s hard to imagine Dashlane servers not at least temporarily choking when receiving 150,000 or more submissions in an hour or so.

It’s possible that Dashlane’s reference to 2FA meant something else. Sometimes, 2FA can come in the form of push notifications. Once someone enters the correct account password, the notification is sent to the registered device. For the login to succeed, the user must press a button on their device that provides the second factor. A tactic known as 2FA fatigue attacking exploits the friction of this process. An attacker who has already broken the first authentication factor attempts to log in repeatedly, resulting in a push notification being sent to the target each time. After dozens or even hundreds of attempts, the target finally gives in and presses the approve button.

And of course, brute-force attacks on 2FA require the first authentication factor to already have been broken. Dashlane makes no mention of what this factor is or how it was broken.

It’s still further plausible that the attack exploited features that allow Dashlane users to enroll new devices in their accounts. Such techniques typically work by tricking the user into approving a request to approve a device owned by the attacker instead.

Dashlane said it has contacted fewer than 20 account holders whose encrypted vaults were obtained. “If you’re a Dashlane user and have not received a message from Dashlane specific to vault risk, there is no impact to your Dashlane account,” the company said. It also notes that without the master decryption password—which Dashlane never sees or stores—vault contents remain safe.

But without more information, we’re left with more questions than we should be. Dashlane has maintained silence for more than 48 hours since publishing the opaque advisory. Company representatives didn’t respond to an email seeking details.

Post updated to add details from a Dashlane user who recived the notifcation.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Thursday 4 June 2026 at 8:25 am AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of May) 2,092

RIP Matrix

Official Red Hat NPM accounts have been compromised and used to push a malicious worm that spreads from machine to machine, where it pilfers sensitive credentials in hopes of stealing yet more confidential data, researchers said.

The supply-chain attack began Monday and remained active at the time this post went live, according to researchers at security firm Aikido. It’s the result of the threat actor responsible for the hack taking control of @redhat-cloud-services, a legitimate channel in the npm repository that’s reserved for official Red Hat packages. As such, the channel is widely trusted by developers who rely on Red Hat cloud services.

The vicious cycle of today’s supply-chain attacks

It’s unclear precisely how the threat actor took control of the namespace, but it almost certainly involved the compromise of credentials required to access it, possibly through a previous supply-chain attack. More than 30 packages seem to be affected.

The packages execute an obfuscated payload that can run during the npm install process, which occurs before a developer imports or actually uses the package in a production environment. Security firm Socket said an analysis of the malware revealed that it’s designed to collect sensitive credentials, including GitHub action secrets, npm tokens, Kubernetes and Vault material, and credentials for other cloud services. The worm then spreads by republishing backdoored packages to third-party accounts the infected device has access to. Most, but not all, of the packages had been taken down in the hours following the incident.

“Organizations should treat any system that installed one of the affected @redhat-cloud-services package versions as potentially compromised,” Socket researchers wrote. “The payload executes during npm install, before application code imports or uses the package, so exposure depends on installation or CI execution, not runtime use.”

Once a system is infected, it encrypts the credentials and sends them through a web request. A fallback mechanism allows the malware to publish the encrypted data into a compromised GitHub repository, assuming it has possession of the credentials for it.

The worm, dubbed Shai-Hulud, has all the hallmarks of malware released last month as freely available open source. TeamPCP was the first group to use Shai-Hulud, and it promoted a competition that promised a $1,000 payment to the hacker who carried out the biggest supply-chain attack using the malware. TeamPCP has also been behind a rash of previous supply-chain attacks. Now that the worm is in the hands of many other threat groups, supply-chain attacks may ramp up further.

The malware devotes considerable attention to CI/CD (continuous integration/continuous delivery) systems, which allow for faster and more reliable software releases by automating the building, testing, and deploying of code changes. The malware spread in Monday’s attack was published through GitHub Actions OIDC (OpenID Connect), indicating that Red Hat’s CI/CD pipeline was compromised. OIDC is a security measure designed to interact with cloud services through the use of temporary credentials.

Once installed, the malware targets other organizations’ CI/CD credentials. The compromise of Red Hat’s GitHub Actions OIDC was very possibly the result of a previous supply-chain attack that infected an employee’s machine.

In an email sent after this post went live, Red Hat said it has removed the malicious packages.

“The packages are strictly limited to internal development, and the malicious code was never published for customer consumption via the console.redhat.com system,” the email said. “While our investigation is ongoing, we have not identified any impact to customer or partner environments or Red Hat production systems.”

Given the success of other recent supply-chain attacks, anyone who touched one of the affected packages in the past 36 hours should assume compromise of their workstations, CI/CD pipelines, and all credentials for cloud services and repositories. That means employees should drop whatever they’re doing at the moment and investigate thoroughly.

In a recent supply-chain attack that hit Checkmarx, the security firm failed to fully drive out the party responsible. Checkmarx was then hit two more times. The Checkmarx credentials used in the first attack came from a supply chain attack on the Trivy software developer. The pivot to Checkmarx and its failure to fully remediate the initial breach demonstrates the difficulty of completely recovering from such security lapses and the risks that result.

Both Socket and Aikido have lists of affected Red Hat packages and other indicators of compromise that any potentially affected person or organization should make use of promptly.

Story updated to add Red Hat comment.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Tuesday 2 June 2026 at 2:23 pm AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of May) 2,092

RIP Matrix

Microsoft is facing criticism for its handling of zero-day exploits. Someone going by the name Nightmare Eclipse has been publicly feuding with the company, posting proof-of-concept exploit code. Some of their posts suggest that they’re a disgruntled former employee. But what caught cyber security researcher Kevin Beaumont’s eye was how Microsoft has responded.

Microsoft suggests it plans to bring a criminal case against Nightmare Eclipse for failing to follow “proper coordination” in disclosing vulnerabilities. They also disabled Nightmare Eclipse’s GitHub, GitLab, and Microsoft Security Response Center accounts disabled. As Beaumont points out, “It’s quite difficult to ‘responsibly’ report future vulnerabilities when you have been banned.”

What troubles Beaumont is that Microsoft has hired people who have done many of the exact same things. They’ve employed people who have publicly posted zero-day exploits, some with criminal hacking convictions on their record. Microsoft has also purchased exploits from brokers.

Beaumont sums it up:

If Microsoft’s tactic is to try to criminalise not following often arbitrary “responsible disclosure” frameworks, good luck defending that in court — because there’s a whole clown car of prior decision making within Microsoft and facts which would emerge in that process.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Sunday 31 May 2026 at 7:16 am AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of April) 1,700

RIP Matrix

Authorities in the Netherlands said they dismantled a botnet that comprised more than 17 million devices and were managed by 200 servers in a joint operation by the police and the National Cyber Security Center.

The action, announced Thursday, came about after a security researcher reported the sprawling network to authorities. The host infrastructure was located in the Netherlands.

Used for criminal purposes

“The police then seized several botnet servers from a hosting provider for investigation,” the NCSC said. “The botnet was taken offline by the provider because it was used for criminal purposes.”

According to a report Thursday by the NL Times, the botnet was linked to ASOCKS, a Russia-based company that provides residential proxy services. These services cater to people and organizations who want to obscure their locations or identities by proxying their Internet traffic through third-party devices. Proxy services are often used for illicit or unethical purposes such as performing DDoS attacks, running botnet command-and-control servers, operating phishing operations, and scraping website content.

Ars was unable to independently confirm the NL Times report, but the claim checks out. Thursday’s NCSC post linked to a separate post that the nonprofit organization published a day earlier. That post, in turn, was updated to add a link to Thursday’s post. Wednesday’s post, headlined “Residential proxies and their major impact on digital security in the Netherlands,” warned: “Residential proxies are used to maintain anonymity and circumvent geographical restrictions. In this way, a Dutch organization can be attacked with Dutch proxies that have similarities with ‘regular’ traffic, making cybercrime mitigation more difficult.”

In 2024, security firm Human said its researchers found evidence that a botnet named Proxylib was tied to ASOCKS. The evidence included (1) Proxylib-infected IP addresses and port numbers that were returned by an Asocks proxy-list endpoint and (2) requests made to asocks[.]com exiting through an infected test device. Twenty-eight apps available in Google Play had enrolled as many as 190,000 devices into the Russia-headquartered proxy network without user approval.

Questions emailed to ASOCKS received no response.

It’s unclear how the 17 million devices controlled by the botnet taken down by the Dutch police came to be that way. In some cases, such devices are infected through exploited software vulnerabilities or through the installation of malicious apps. In some cases, apps disclose the behavior, often in small or obscured print. Other times, apps disclose the proxy arrangement outright.

People who want to prevent their devices from being swept into botnets should install security updates in a timely manner and resist the urge to continue using software or devices that no longer receive them. People should carefully research apps before installing them and then only when they provide a true benefit. Apps should be uninstalled when they’re no longer needed.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Saturday 30 May 2026 at 7:50 am AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of April) 1,700

RIP Matrix

Researchers at Push Security have identified a new campaign by threat actors that delivers infostealer malware through legitimate domains, tagged "LLMShare."

Basically, "LLMShare" works by abusing the share features of popular LLM chatbots like ChatGPT. The attackers render a custom HTML layout directly on the legitimate domain to display a fake system maintenance message like "we're experiencing high traffic right now," to simulate a crash, and try to get you to download their desktop app.

The threat actors use sponsored Google search ads targeting search terms like "ChatGPT," "ChatGPT desktop app," or "ChatGPT download" to drive victims toward this trap. When a user clicks one of these malicious search ads, they go to a legitimate URL that looks exactly like a normal chatgpt.com/s/[unique-id] share link. Because the domain belongs to OpenAI, web filter rules and firewall blocks do not trigger.

When you click the download button on this fake page, the site takes you to an external domain named openew[.]app, which impersonates the OpenAI desktop application, from where payloads targeting both Windows and macOS users are distributed.

The landing site remains smart enough to detect automated testing sandboxes, allowing the site to hide its true nature by serving a harmless mock-up web design. When BleepingComputer tested the Windows version on Any.Run, the executable ran various commands to verify if the victim ran a physical desktop or a virtual machine sandbox, looking for registry keys associated with security software. On macOS, this exact trap drops Odyssey Stealer to steal sensitive data.

Every day, hackers are finding new and creative ways to exploit LLMs and the chatbots that developers built on top of them to distribute malicious software. Recently, a threat actor named GreyVibe targeted Ukrainian infrastructure. Thanks to AI, the group is able to punch above its weight, fill technical gaps, write code obfuscation scripts, and generate highly realistic social engineering lures.

GreyVibe relied on attack methods like PhantomMail to send polished phishing emails mimicking Ukrainian government agencies, PhantomClick to deploy fake CAPTCHA prompts that run malicious PowerShell commands, and PrincessClub to host fake adult portals containing Android spyware.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Saturday 30 May 2026 at 7:50 am AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of April) 1,700

RIP Matrix

Back in April, Microsoft published a detailed blog post explaining how Windows 11 contains a bunch of built-in protections that actively protect your data. The blog was titled "Best antivirus software for 2026: The built-in Windows protection you need", and emphasized the idea that the operating system natively integrates security features, implying that you don't really need anything else because you already have Windows Security. Now, the company has inexplicably removed this blog post.

The removal of this blog post, previously available here, was first spotted by AV-Comparatives and highlighted to us by Neowin forum supervisor goretsky, who noted that the blog post was a bit controversial in the first place due to its strict stance regarding third-party antivirus solutions.

The blog was originally published on April 9 on the Microsoft Learning Center, and looking at archive.org snapshots, we know that it was available until at least May 11. However, a snapshot from May 24 indicates that it was removed without any public announcement, and now redirects to the Learning Center homepage.

In the contents, Microsoft had explained the benefits of Microsoft Defender Antivirus, Microsoft Defender SmartScreen, Smart App Control, native ransomware mitigation processes, and more. One of its more controversial aspects was Microsoft's emphasis that you don't really need third-party security solutions. One section in particular highlighted that:

Do you still need third‑party antivirus in 2026?

 

For many Windows 11 users, Microsoft Defender Antivirus covers everyday risk without requiring additional software. The choice to add third‑party antivirus depends on how you use your PC and which features you value.

 

When built‑in protection is enough:

 

Windows antivirus protection is usually sufficient when Windows 11 runs with default protections enabled, updates are installed regularly, and software downloads are deliberate. Microsoft Defender Antivirus and SmartScreen already address common threats such as malicious files, phishing sites, and unsafe installers.

 

When additional tools may help:

 

You might consider extra security software if you manage multiple devices, share devices with family members, or want services like identity monitoring or parental controls.

 

Each added tool increases background activity and complexity, so choose tools that match real needs.

Of course, many Windows 11 customers (including yours truly) do only rely on Windows 11's native protection mechanisms and don't feel the need for alternatives, Microsoft's public stance on the matter may have rubbed some partner vendors the wrong way, leading to its subsequent removal.

We checked similar keywords online and could not locate recent articles from Microsoft still holding this stance, which indicates that the removal is intentional. That said, we have still reached out to Microsoft to understand the company's reasoning behind this move.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Friday 29 May 2026 at 12:02 pm AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of April) 1,700

RIP Matrix

Over the decades, there has been no shortage of sites using clever techniques to covertly track visitors’ browsing histories, device fingerprints, and log keystrokes and mouse movements in real time. Even Meta and Yandex were recently caught joining in the privacy-invasive free-for-all.

Now sites have a new way to spy on their visitors: measuring subtle interactions with their solid-state drives. The technique, named FROST (fingerprinting remotely using OPFS-based SSD timing), allows sites to monitor other sites a visitor is viewing and what apps are open on their devices.

A side channel based on contention

The technique, laid out in a research paper, exploits a side channel, a form of leak resulting from physical manifestations such as electromagnetic emanations, data caches, or the time required to complete a task. By measuring the manifestations, attackers can decrypt encrypted traffic and infer other confidential data.

The attack that FROST uses is known as a contention side channel, which measures the interaction of various processes all using (or competing for) a given resource. By measuring the timing of certain I/O (input-output) operations of the SSD a visitor is using, the researchers were able to determine the websites open in other tabs—even on other browsers—and the apps that were open on the visitor’s device. FROST requires no interaction from the visitor other than opening the site hosting the attack.

“Web browsers have evolved from simple document viewers into complex platforms capable of running sophisticated applications,” the paper authors wrote. “Companies like Google, Microsoft, and Adobe have developed full-fledged office suites, photo- and video editors, or even integrated development environments (IDEs) that run entirely within the browser.” The authors went on to note: “While these features enhance the capabilities of web applications and allow completely novel use cases, they also increase the browser’s attack surface, and some have already been shown to introduce new vulnerabilities.”

Unlike previous contention side-channel attacks on SSDs, FROST runs exclusively in the browser. It uses JavaScript that interacts with the OPFS (origin private file system), an allocated storage space that’s reserved for a specific site to run code needed to complete a given task. Websites can create one with no interaction required by the visitor.

While each file system is sandboxed, meaning it’s isolated from other websites and from the device system itself, the JavaScript can measure the I/O interactions. Then, by running those interactions through a pretrained convolutional neural network—a system that uses deep learning to analyze text, audio, and images—the attacker can deduce various apps and websites open on the device.

“The attacker continuously measures SSD contention by performing random reads from a large OPFS file,” the researchers explained. “SSD contention caused by user activity causes measurable latency differences for these read operations. By training a convolutional neural network (CNN) on these traces, the attacker can fingerprint user activity on the host system by classifying new traces using the trained model.”

The technique has its limitations. First, the OPFS file must be extremely large—likely a gigabyte or more. That requirement means that attacks at scale would inevitably be detected by many users. Additionally, the OPFS file must be stored on the same SSD the visitor is using. This isn’t usually a problem for tracking open websites, since the OPFS file is stored in the browser’s default location. In the event apps are using a separate SSD drive for apps, those apps couldn’t be detected by FROST.

One of the best ways to prevent FROST attacks is to close tabs as soon as they’re no longer needed. More savvy users can monitor the creation and size of OPFS files allocated by unknown websites. The researchers proposed ways for browser makers to shut down the side channel. One such method is to limit the maximum size such files that are allowed. There are no indications FROST attacks have been performed in the wild.

The researchers performed the full Frost attack on an M2 Mac. On Linux, they showed that the underlying primitive (measuring SSD access latency traces from JavaScript) works, but didn’t run the full attack.

“However, since the performance of the primitive is similar between macOS and Linux, we expect similar performance for the full classification,” Hannes Weissteiner, one of the co-authors, wrote in an email. “In principle, it would be possible to train a model on any system activity that reliably generates SSD accesses.”

The researchers did not test Windows.

The paper linked above provides many more technical details. The research is scheduled to be presented at the DIMVA conference in July.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Thursday 28 May 2026 at 7:54 am AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of April) 1,700

RIP Matrix

Millions of AI agents and tools around the world have been imperiled by a critical vulnerability that can allow hackers to breach the servers running them and make off with sensitive data and credentials to third-party accounts, a security researcher is warning.

The vulnerability is present in Starlette, an open source framework that its developer says receives 325 million downloads per week. Thousands of other open source projects are also vulnerable because they require Starlette to work. The framework is an implementation of the ASGI (asynchronous server gateway interface), which allows large numbers of requests to be efficiently processed simultaneously. Starlette is the base of FastAPI and other widely used frameworks for building services in Python apps, as well as many others.

Trivial to exploit, millions of servers exposed

ASGI, and by extension Starlette, have access to servers running the MCP (model context protocol), which allows AI agents from major providers to access external sources, including user data bases, email and calendar accounts, and all manner of other resources. To connect with these external systems, MCP servers store credentials for each one, making them especially valuable storehouses for attackers to breach.

The vulnerability, tracked as CVE-2026-48710 and under the name BadHost, is trivial to exploit and works against most systems that aren’t behind a properly configured firewall. Besides FastAPI, other widely used packages—including vLLM, and LiteLLM—are also affected. BadHost affects Starlette versions prior to 1.0.1, which was released Friday.

“A single character injected into the HTTP Host header bypasses path-based authorization in Starlette, the routing core of FastAPI,” researchers from Secwest wrote. “Through FastAPI, this primitive (now tracked as CVE-2026-48710 and branded BadHost by the discoverers) reaches a large segment of the Python AI tooling ecosystem: vLLM (where the bug was discovered), LiteLLM, Text Generation Inference, most OpenAI-shim proxies, MCP servers, agent harnesses, eval dashboards, and model-management UIs.”

BadHost carries a severity rating of 7 out of 10. Secwest said the classification “materially understates” the threat it poses to people using other apps that depend on Starlette. X41 D-Sec, the security firm that discovered it, described it as having “critical severity.” X41 D-Sec partnered with fellow security firm Nemesis to create an online scanner that can check if a given server is vulnerable.

X41 D-Sec researcher Markus Vervier said a scan has revealed the following types of data are currently exposed:

1. Biopharma AI – clinical trial DBs, M&A data, SSRF
2. Identity Verification – face analysis, KYB, live PII, internal codebase
3. IoT/Industrial – SSH to devices via bastion, remote code execution
4. Email/SaaS – full mailbox read/send/delete, S3 export, webhooks
5. HR/Recruitment – candidate PII, hiring pipeline data
6. CMS/Marketing – subscriber lists, send/schedule mass email campaigns
7. Document Management – read, upload, modify scanned documents
8. Cloud Monitoring – AWS topology, distributed traces, metric queries
9. Cybersecurity – asset inventory, live Nuclei scanner access
10. Personal Health/Finance – nutrition logs, expenses, subscriptions

The crux of the vulnerability is that Starlette accepts invalid host header values that cause authenticating apps that use Starlette’s request.url object to approve unauthorized access requests. X41 D-Sec said it has found authentication in multiple apps that rely on this call to be bypassed. Besides that, hacks can lead to SSRF (server-side request forgery) exploits and, in some cases, remote code execution. X41 D-Sec described it this way:

Starlette reconstructs the requested URL based on the HTTP Host request header and requested path, but does not perform any validation of the Host header value. This allows attackers to inject paths into the host part, prepending the actual path. However, routing in Starlette is based on the actual request path. This inconsistent interpretation of HTTP requests may lead to issues such as authentication bypass when the authentication depends on the reconstructed URL’s path. Starlette is the foundation of the FastAPI Python framework.

Company researchers added: “The routing algorithm of Starlette depends on the HTTP path, but the request.url.path attribute which is made available to middlewares and endpoints is based on the reconstructed URL. It is unexpected for users that request.url.path is different from the actual path requested over HTTP.”

The developer of Starlette didn’t immediately reply to an email seeking confirmation of the assessment and additional information.

With vulnerable versions of Starlette still widely used in production systems, people relying on any app that depends on Starlette—particularly FastLLM, vLLM, and LiteLLM—should, at a minimum, run the scanner on their systems to detect whether vulnerable Starlette code is still in use. Additional mitigation guidance is provided in the Nemesis and X41 D-Sec links above.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Wednesday 27 May 2026 at 7:38 am AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of April) 1,700

RIP Matrix

A so-called software supply chain attack, in which hackers corrupt a legitimate piece of software to hide their own malicious code, was once a relatively rare event but one that haunted the cybersecurity world with its insidious threat of turning any innocent application into a dangerous foothold in a victim’s network. Now one group of cybercriminals has turned that occasional nightmare into a near-weekly episode, corrupting hundreds of open source tools, extorting victims for profit, and sowing a new level of distrust in an entire ecosystem used to create the world’s software.

On Tuesday night, open source code platform GitHub announced that it had been breached by hackers in one such software supply chain attack: A GitHub developer had installed a “poisoned” extension for VSCode, a plug-in for a commonly used code editor that, like GitHub itself, is owned by Microsoft. As a result, the hackers behind the breach, an increasingly notorious group called TeamPCP, claim to have accessed around 4,000 of GitHub’s code repositories. GitHub’s statement confirmed that it had found at least 3,800 compromised repositories while noting that, based on its findings so far, they all contained GitHub’s own code, not that of customers.

“We are here today to advertise GitHub’s source code and internal orgs for sale,” TeamPCP wrote on BreachForums, a forum and marketplace for cybercriminals. “Everything for the main platform is there and I very am happy to send samples to interested buyers to verify absolute authenticity.”

The GitHub breach is just the latest incident in what has become the longest-running spree of software supply chain attacks ever, with no end in sight. According to cybersecurity firm Socket, which focuses on software supply chains, TeamPCP has, in just the last few months, carried out 20 “waves” of supply chain attacks that have hidden malware in more than 500 distinct pieces of software, or well over a thousand counting all of the various versions of the code that TeamPCP has hijacked.

Those tainted pieces of code have allowed TeamPCP’s hackers to breach hundreds of companies that installed the software, says Ben Read, who leads strategic threat intelligence at the cloud security firm Wiz. GitHub is only the latest on the group’s long list of victims, which has also included AI firm OpenAI and the data contracting firm Mercor. “It may be their biggest one," Read says of the GitHub breach. “But each one of these is a big deal for the company that it happens to. It's not qualitatively different from the 14 breaches that happened last week.”

TeamPCP’s core tactic has become a kind of cyclical exploitation of software developers: The hackers gain access to a network where an open source tool commonly used by coders is being developed—for example, the VSCode extension that led to the GitHub breach or the data visualization software AntV that TeamPCP hijacked earlier this week. The hackers plant malware in the tool that ends up on other software developers’ machines, including some who are writing other tools intended to be used by coders.

The malware allows TeamPCP’s hackers to steal credentials that let them publish malicious versions of those software development tools, too. The cycle repeats, and TeamPCP’s collection of breached networks grows. “It’s a flywheel of supply chain compromises,” says Read. “It’s self-perpetuating, and it’s been a hugely successful way to get access to networks and steal stuff.”

Most recently, the group appears to have automated many of its software supply chain attacks with a self-spreading worm that’s come to be known as Mini Shai-Hulud. The name comes from GitHub repositories the worm creates that include encrypted credentials stolen from victims, each of which includes the phrase “A Mini Shai-Hulud Has Appeared” along with a handful of other references to the sci-fi novel Dune. That message in turn appears to be a reference not just to Dune’s sandworms but to a similar supply chain compromise worm known as Shai-Hulud that appeared in September, though there’s no evidence TeamPCP was behind that earlier self-spreading malware.

“They’re definitely going for big exposure. They really care about getting big attention,” says Philipp Burckhardt, who leads research at Socket and has tracked TeamPCP for months. “They like to toot their own horn.” A dark-web site for the group, which links to “business contacts” likely used to carry out ransom negotiations, features Matrix-style cascading ones and zeros, a reggae fusion soundtrack, and the words “TEAMPCP: The Cats Hijacking Your Supply Chains.”

Before landing on its current strategy for supply chain attacks, TeamPCP emerged in late 2025 exploiting cloud misconfigurations and a vulnerability in the web app development tool Next.js to deploy a botnet for attacks like credential theft and cryptocurrency mining. The group’s reliance on worms emerged during this time with increasing success grabbing static credentials and authentication tokens to bore deeper into victims’ systems.

landing on its current strategy for supply chain attacks, TeamPCP emerged in late 2025 exploiting cloud misconfigurations and a vulnerability in the web app development tool Next.js to deploy a botnet for attacks like credential theft and cryptocurrency mining. The group’s reliance on worms emerged during this time with increasing success grabbing static credentials and authentication tokens to bore deeper into victims’ systems.

“It’s been like wildfire; it’s gone very fast,” says Nathaniel Quist, manager of the Cortex Cloud intelligence team at Palo Alto Networks. “They find credentials, personal access tokens, and then it’s just how far can one credential go. I think we will continue to see these techniques. Threat actors know they work, and they’re running with it.”

TeamPCP appears to be financially motivated and often deploys ransomware or data extortion campaigns against its targets, though it also appears willing to sell victims’ data to any buyer. In the most recent case of GitHub, for instance, it wrote on its BreachForums site that “this is not a ransom. We do not care about extorting GitHub, 1 buyer and we shred the data on our end.”

It added what appeared to be a veiled threat to GitHub, perhaps intended to coerce the company to pay: “It looks like our retirement is soon so if no buyer is found we will leak it free.”

The picture has become increasingly complex, Quist says, since TeamPCP began moving to a ransomware-as-a-service model in April by establishing partnerships with the cybercriminal platforms BreachForums and DragonForce. The group has also, at times, seemed to wade into geopolitics, deploying a geographically targeted wiper (dubbed CanisterWorm by researchers) that targeted any Kubernetes cloud infrastructure with malware but only deployed a destructive wiper against Iranian targets. This week, an entity claiming to be TeamPCP also leaked the original Shai Hulud worm source code along with detailed documentation, though its motivations for that leak aren’t clear.

The scale of TeamPCP’s targeting expanded dramatically in March as it hacked more software utilities, leading to its more recent cascading effect of supply chain attacks. The group embedded an infostealer in the open source security scanner Trivy and then used stolen credentials from this attack to compromise certain versions of the AI application programming interface tool LiteLLM hosted on the popular Python software repository PyPI. The group also tainted infrastructure from the web application security firm Checkmarx, hit the development server pgserve, and compromised the web app library TanStack as well as the enterprise AI platform Mistral AI.

The fallout has been severe. In addition to GitHub, TeamPCP attacks on software service providers have led to breaches of the European Commission’s public website and the data contracting firm Mercor, compromise of two employees’ devices at OpenAI and many other incidents. But Palo Alto’s Quist emphasizes that organizations can protect themselves to a degree through security "hygiene" practices that carefully manage authentication tokens and impose access restrictions wherever possible.

“The biggest opportunistic thing that’s making this operation successful is long-lived credentials in these environments,” he says. “It’s vitally important to change your tokens even if you’re not using LiteLLM or any of these packages that have been compromised. If you have Gitlab and GitHub personal access tokens, rotate them. And AWS, Azure, GCP, Alibab, Oracle all of these credentials are being taken.”

TeamPCP’s tidal waves of tainted code also raise hard questions about how to safely use open source software in an era of mounting supply chain attacks. Wiz’s Read recommends safeguards such as “age-gating” updates to open source tools—vetting and installing security updates but otherwise holding off on immediate updates to code that’s been newly published and may be malicious.

In the case of one recent malicious TeamPCP update, Read says Wiz detected the supply chain compromise and warned customers within minutes, but many of the software’s users had auto-updates enabled and had already downloaded it. “You don't want to just install the freshest version all the time,” Read says.

Amid an epidemic of supply chain attacks like the ones TeamPCP has unleashed, Socket’s Burckhardt says open-source users will need to take trust-but-verify measures, like analyzing updates for malware before rolling them out across a network, as well as the kind of “cool-down” period that Read recommends before downloading and running code.

“At the point it hits your machine,” Burckhardt says, “it’s already too late.”

Updated at 10:15 am ET, May 21, 2026 to remove mention of the AI firm Anthropic. The company is one of many training data customers of Mercor, but it did not have a known incident as a result of that company's breach.

Source

FIOD arrested a 57-year-old suspect, who was the company director, and a 39-year-old who headed a separate firm that provided internet connectivity.

According to the authorities, the suspects indirectly provided economic resources to Russian and Belarusian entities sanctioned by the European Union (EU).

The investigation focuses on the activities of web hosting firm Stark Industries, founded on February 10, 2022, shortly before Russia’s invasion of Ukraine.

“The [Dutch] web hosting company, according to the research team, provided support to actions by the Russian Federation that undermine democracy and security, including through information manipulation and disruption of public and economic systems,” FIOD says.

The EU added Stark Industries to the list of sanctioned entities last year on May 20. Following this restriction, the web hosting infrastructure was transferred to a newly created Dutch company that investigators believe acted as a front for the sanctioned entities.

In the recent action, FIOD conducted multiple raids in data centers in Dronten and Schiphol-Rijk, as well as searches in Enschede and Almere, where they seized 800 servers, laptops, phones, and administrative records.

According to a report from the De Volkskrant publication, the name of this Dutch entity is WorkTitans B.V. and provides hosting services under the brand THE.Hosting.

The same outlet alleges that Danish authorities and infrastructure providers linked WorkTitans to attacks by the pro-Russian hacktivist group NoName057(16), which has previously targeted key organizations with distributed denial-of-service (DDoS) attacks.

Mirhosting, based in Almere, operated physical servers, provided colocation, and supplied high-capacity connectivity to major internet exchanges in Amsterdam and Frankfurt, acting as the transport layer through which Stark’s traffic entered Europe to reach the WorkTitans infrastructure.

It’s worth noting that WorkTitans did not respond to de Volkskrant’s requests for a statement, while Mirhosting denied knowingly supporting illegal operations, claiming they quickly intervened upon receipt of abuse complaints.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Saturday 23 May 2026 at 12:26 pm AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of April) 1,700

RIP Matrix

Earlier this month we had reported on a recently disclosed Windows security vulnerability that can let attackers bypass BitLocker. Tracked under the ID "CVE-2026-45585," the researcher who found it released a proof-of-concept (PoC) exploit for it known as “YellowKey." Essentially a hacker can use a USB stick to get around BitLocker as a result of this vulnerability in the WinRE (Windows Recovery Environment) with the help of an "FsTx" folder. You can read about it in some detail in our dedicated piece here.

Nightmare-Eclipse, who uncovered it also recently published details on a new vulnerability called "MiniPlasma" that lets threat actors plant malicious Registry mods.

Following the widespread reports on YellowKey, Microsoft this week published its own mitigation guidance for it after acknowledging it. In its advisory, the tech giant has shared a script that will act as an "interim security fix" to reduce the potential attack surface and is recommending it to those who are concerned about their devices and data being stolen, like organisations’ employees who take their work devices home or on business travel.

About the mitigation Microsoft explains: "The script is for WinRE and removes autofstx.exe from the BootExecute registry value. Since BootExecute runs programs very early in boot (even in recovery mode), removing this entry prevents that executable from running in a high‑privilege environment, reducing risk. ... It works by mounting the WinRE image, editing its offline SYSTEM registry to remove the entry if present, then safely committing changes and re‑sealing WinRE so BitLocker trust remains intact. ... It’s designed to be safe—if the autofstx.exe entry isn’t there, it exits without making changes."

While that is great news, Microsoft is also seemingly quite annoyed and irked at Nightmare-Eclipse as it says that "the proof of concept for this vulnerability has been made public violating coordinated vulnerability best practices."

The researcher too isn't happy about this response as they said the following on their blog: "Dear Microsoft, Regarding CVE-2026-45585, ... Saying that I violated CVD best practices is a defamation of my personal reputation, you already told me you will defaming me and doing it in public will not help dissolve this conflict. ... You intentionally revoked my access to my MSRC account that I used to report vulnerabilities to you, when I asked you, you went ahead and completely wiped the account from existance despite multiple attempts from asking for an explanation. All of those requests went unanswered by the MSRC leadership. ... I'm taking your statement very personally."

Therefore Nightmare-Eclipse has essentially put the blame back on Microsoft alleging that it's the company's fault from the start. It will be interesting to see how things go from here.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Saturday 23 May 2026 at 8:17 am AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of April) 1,700

RIP Matrix

The competition took place at the OffensiveCon conference from May 14 to May 16 and focused on enterprise technologies and artificial intelligence.

Throughout the contest, the hackers targeted fully patched products across web browsers, enterprise applications, local privilege escalation, servers, local inference, cloud-native/container environments, virtualization, and LLM categories.

Competitors collected $523,000 in cash awards on the first day for 24 unique zero-days, and another $385,750 on the second day for exploiting 15 zero-days. On the third day of Pwn2Own, they earned another $389,500 for eight more zero-days.

DEVCORE won this year's edition of Pwn2Own Berlin with 50.5 Master of Pwn points and $505,000 in rewards throughout the three-day contest after hacking Microsoft SharePoint, Microsoft Exchange, Microsoft Edge, and Windows 11, followed by STARLabs SG with $242,500 (25 points) and Out Of Bounds with $95,750 (12.75 points).

The competition's highest reward was $200,000, awarded to Cheng-Da Tsai (also known as Orange Tsai) of the DEVCORE Research Team after chaining three bugs to gain remote code execution with SYSTEM privileges on Microsoft Exchange.

On the first day, Orange Tsai earned another $175,000 for a Microsoft Edge sandbox escape chaining 4 logic bugs, Windows 11 was hacked 3 times, and Valentina Palmiotti (chompie) of IBM X-Force Offensive Research collected $70,000 for rooting Red Hat Linux for Workstations and an NVIDIA Container Toolkit zero-day.

On the second day, the hackers demonstrated another Windows 11 local privilege escalation vulnerability, a root-privilege escalation vulnerability in Red Hat Enterprise Linux for Workstations, and zero-days in multiple AI coding agents.

On the third and final day of the contest, the competitors hacked Windows 11 and Red Hat Enterprise Linux for Workstations again, and used a memory corruption bug to exploit VMware ESXi.

After Pwn2Own ends, vendors have 90 days to release security patches before TrendMicro's Zero Day Initiative (ZDI) publicly discloses them.

During last year's Pwn2Own Berlin contest, won by the STAR Labs SG team, ZDI awarded 1,078,750 for 29 zero-day flaws and some bug collisions.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Monday 18 May 2026 at 5:01 pm AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of April) 1,700

RIP Matrix

ExplainingComputers (1.18m subscribers)

May 17, 2026

Video length: 21m 26s

Secure Boot certificates on most computers expire in June and October 2026, affecting Windows 11, Windows 10 and Linux systems with secure boot activated. This video explains what is happening, the implications, and what you may potentially need to do. But do not panic! Most systems should update automatically, and even if they don’t, should continue to boot.

00:00 Titles & Intro

00:51 Secure Boot & Certificates

05:02 Windows Updates

12:44 Firmware (UEFI/BIOS) Update

16:12 Linux Updates

20:33 Wrap

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Monday 18 May 2026 at 7:39 am AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of April) 1,700

RIP Matrix

Recently, news emerged about an interesting security find in Microsoft Edge. A researcher discovered that Microsoft Edge is storing passwords in memory as plain text, which does not sound right, even for those far from cybersecurity. Initially, Microsoft said that there was nothing to worry about, as the feature was intentionally designed that way, but now the company is making a U-turn.

In a newly published Microsoft Browser Vulnerability Research post, the company reaffirmed that the design "falls within the expected threat model," given that it only becomes a risk if someone already has administrative access to your device. At this point, you are already screwed, as Microsoft can do little with someone running malware with elevated privileges on your device. Still, Microsoft acknowledged that it is also an opportunity to improve.

Microsoft is now working on a priority update (not just AI-powered features) that will roll out to all supported Edge versions across all four channels (version 148 and newer). The patch will prevent the browser from loading passwords into memory as plain text. Microsoft says that this change reflects its commitment to the Secure Future Initiative and a "broader view" into security measures:

That means looking not only at whether something meets the bar for a security issue, but also at where we can reduce exposure through defense-in-depth improvements. In this case, reducing the exposure of passwords in memory is a practical step in that direction.

Microsoft is not revealing exact changes in Edge's password manager. The company only says that users who already store their passwords in Microsoft Edge have nothing to worry about, and the promised patch will fix the reported "issue" without any action required from the end user. You can read more about it in the published blog post here.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Saturday 16 May 2026 at 7:45 am AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of April) 1,700

RIP Matrix

Although Exchange Online is Microsoft's recommended configuration to keep your platform modern and updated, Exchange Server continues to be the backbone for many enterprise clients' infrastructure. Now, the Redmond tech firm has issued an advisory that may trouble Exchange Server customers.

Basically, there is a security vulnerability in Exchange Server 2016, 2019, and SE, which enables an attacker to execute arbitrary JavaScript code in the victim's browser context by sending them a specially crafted email that has to be opened in Outlook Web Access (OWA) and interacted with in a certain way. It's being tracked as CVE-2026-42897 here and has been assigned a max severity ranking of "critical".

For now, Microsoft is offering two mitigations. The first one is the recommended approach and requires customers to enable the Exchange EM Service, which automatically mitigates this attack vector. It is important to note that this service was released in September 2021 and is enabled by default, so only customers who explicity disabled it are impacted.

The second mitigation is for customers who have disabled the Exchange EM Service for any reason. They are advised to apply the scripted mitigation process described here.

However, neither of these two methods are robust fixes, as they will lead to other issues, detailed below:

• OWA Print Calendar functionality might not work. As a workaround copy the data or screenshot the calendar you want to print or use Outlook Desktop client.
• Inline images might not display correctly in the recipients OWA reading pane. As a workaround, send images as email attachments or use Outlook Desktop client.
• OWA light (OWA URL ending in /?layout=light) does not work properly. Please note that this feature has been deprecated several years ago and is not intended for regular production use.
• We are aware of the mitigation showing the "Mitigation invalid for this exchange version." in mitigation details. This issue is cosmetic and the mitigation DOES apply successfully if the status is shown as "Applied". We are investigating on how to address this.

The good news is that Microsoft is working on a proper and robust fix. Exchange SE will receive it as a public update while Exchange 2016 and 2019 updates will only be offered to customers who have paid for Period 2 of the Exchange Server Extended Security Updates (ESU) program. Period 1 customers will not get the update as their program expired in April 2026. Finally, Exchange Online users can rest easy as they are not impacted by this security vulnerability at all.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Friday 15 May 2026 at 6:10 pm AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of April) 1,700

RIP Matrix

Today's highlight was Orange Tsai's attempt, who was awarded $175,000 in rewards after chaining 4 logic bugs to achieve a sandbox escape on Microsoft Edge.

Windows 11 was also hacked three times by Angelboy and TwinkleStar03 (working with the DEVCORE Internship Program), Marcin Wiązowski, and Kentaro Kawane of GMO Cybersecurity, each earning $30,000 in cash rewards for demonstrating new privilege escalation zero-days.

Valentina Palmiotti (chompie) of IBM X-Force Offensive Research (XOR) also collected $20,000 after rooting Red Hat Linux for Workstations and another $50,000 for a zero-day in the NVIDIA Container Toolkit.

Other successful attempts include k3vg3n chaining 3 bugs to take down LiteLLM ($40,000), Satoki Tsuji and haehae exploiting NVIDIA Megatron Bridge zero-days ($20,000), Compass Security and maitai of Doyensec hacking OpenAI's Codex coding agent (each earning $40,000), haehae dropping a Chroma zero-day ($20,000), and STARLabs SG a LM Studio zero-day ($40,000). 

The DEVCORE Research Team is now leading the competition with $205,000, followed by Valentina Palmiotti with $70,000.

Security researchers targeting fully patched products in the web browser, virtualization, local privilege escalation, servers, enterprise applications, cloud-native/container, local inference, and LLM categories can earn over $1,000,000 in cash and prizes.

According to Pwn2Own's rules, all targeted devices run the latest operating system versions, and all entries must compromise the target and demonstrate arbitrary code execution.

After the zero-day flaws are disclosed during the Pwn2Own competition, vendors have 90 days to release security fixes for their software and hardware products.

Last year, TrendMicro's Zero Day Initiative awarded 1,078,750 for 29 zero-day vulnerabilities and some bug collisions.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Friday 15 May 2026 at 7:31 am AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of April) 1,700

RIP Matrix

GitHub user Nightmare-Eclipse has just published two new vulnerabilities called YellowKey and GreenPlasma that affect Windows 11 systems. They were both released on May 12, the same day that Microsoft published its Patch Tuesday updates, creating a big headache for the Redmond giant.

The first of the two exploits, YellowKey, is a bypass vulnerability affecting BitLocker only on Windows 11. According to the Nightmare-Eclipse, YellowKey feels like a backdoor put in by Microsoft that could allow law enforcement to get past the encryption, but this is an unproven allegation at this point.

YellowKey relies on an actor copying the published FsTx folder to a USB stick, plugging the stick into a target Windows computer that has BitLocker switched on, and then rebooting into the Windows Recovery Environment Agent while holding down a series of keys. If you do everything properly, it brings up a shell that has unrestricted access to the BitLocker-protected volume.

Explaining why they think that this is a backdoor, Nightmare-Eclipse says:

“Now why would I say this is a backdoor ? The component that is responsible for this bug is not present anywhere (even in the internet) except inside WinRE image and what makes it raise suspicions is the fact that the exact same component is also present with the exact same name in a normal windows installation but without the functionalities that trigger the bitlocker bypass issue. Why ? I just can't come up with an explanation besides the fact that this was intentional.”

It’s noted that this vulnerability only affects Windows 11, Windows Server 2022, and Windows Server 2025, but Windows 10 is not affected.

The second of the exploits is called GreenPlasma, which can give an attacker elevated privileges, allowing them to damage systems or steal data. Luckily, the proof of concept code published will not give an attacker full SYSTEM shell access. Unluckily, a “smart” person can turn this into a full privilege escalation that could pose a risk to the public.

The proof of concept creates an arbitrary memory section object in any directory object write-able by SYSTEM, leveraging the Collaborative Translation Framework (CTF) which is known to be insecure and has been at the center of previous vulnerabilities.

It’s unclear how Microsoft will react to this news, hopefully it can get things quickly patched up and push a fix sooner than next month’s Patch Tuesday so that users don’t get harmed. You can bet that malicious actors will use these exploits, especially GreenPlasma, to do harm to the public.

Source

Hope you enjoyed this news post. Feedback welcome.

Posted Thursday 14 May 2026 at 4:26 pm AEST (my time).

News posts: 2023 5,800+ | 2024 5,700+ | 2025 5,700+ | 2026 (to end of April) 1,700

RIP Matrix