‼️🚨 MAJOR IMPACT: The 18-year-old NGINX critical RCE vulnerability "NGINX Rift" (CVE-2026-42945) now WORKS with ASLR turned ON.

PoC code with the ASLR bypass has just been published on GitHub.

https://github.com/Hamid-K/nginx-rift-private-lab

‼️🚨 BREAKING: GitHub has been compromised by TeamPCP. GitHub has confirmed the internal breach. A poisoned VS Code extension on an employee device exfiltrated ~3,800 internal repositories.

TeamPCP is already selling the data on a cybercrime forum.

https://x.com/github/status/2056949168208552080

‼️ Meet the guy who allegedly stabbed Henry Nowak, a student who died at 18. He was stabbed five times, and bodycam footage shows police handcuffed the dying victim after the suspect claimed he had been racially abused and does not carry a knife. Yet we found a photo of him carrying his knife in public...

The suspect "Vickrum Digwa" can be seen wearing his "religious" Sikh knife, or "kirpan". Sikhs have a clear, statutory defence to possess and wear a kirpan in public in the UK. Two-tier policing, written into statute.

‼️🚨 Drupal CMS (which powers about 1 in 100 websites on the internet) has just released, not a 'critical' vuln patch, but a 'highly critical' patch to fix a SQL injection vuln.

This vulnerability only affects sites using PostgreSQL.

ID: CVE-2026-9082

‼️ AI gooners be warned: the FBI and DOJ announced the arrests of Cornelius Shannon and Arturo Hernandez, both charged with violations of the TAKE IT DOWN Act, which prohibits nonconsensual publication of AI-generated deepfake pornography.

Shannon and Hernandez allegedly posted thousands of images and videos that appeared to depict real people nude and engaging in sexual acts. Victims included actresses, singers, elected officials, and private acquaintances of the defendants.

Shannon, 51, of New Jersey, ran 360 albums depicting ~90 female victims, viewed millions of times. Hernandez, 20, of Texas, posted 113 albums depicting ~50 victims, including non-public figures whose innocent photos were morphed into explicit content.

The DOJ is charging conduct from May 19, 2025 onward, the day President Trump signed the TAKE IT DOWN Act into law. Both men allegedly kept posting for a full year after that date, into the new federal statute.

Each defendant faces up to 2 years in federal prison.

‼️ Dutch and French authorities have taken down "First VPN," a criminal VPN service that openly marketed itself to cybercriminals on dark web forums.

Every user received a notification on takedown that the service is gone and they have been identified.

Before pulling the service offline, police had full visibility into the criminal traffic of every user. 33 servers were seized. 83 intelligence packages were shared with ongoing investigations through a Europol Operational Taskforce.

First VPN advertised directly on known cybercrime forums and promised users no logs, no cooperation with justice, and no jurisdiction. Customers used it for ransomware attacks, system intrusions, and account hijacking.

The takedown ran on 19 and 20 May 2026, led by the Dutch Team High Tech Crime and the French authorities, with coordination support from Eurojust and Europol. Action days hit Ukraine, Switzerland, the UK, Romania, and Luxembourg simultaneously. The administrator was interrogated in Ukraine at France's request.

Kash Patel's apparel website is reportedly hosting ClickFix malware, according to multiple visitors.

A fake Cloudflare verification page is tricking users into pasting OS-specific "verification" commands that execute malware. The macOS path fetches an infostealer targeting Keychain, browser data, session tokens, and crypto wallets.