‼️ Lock ‘em up! Dropshippers are now using Down syndrome and AI-generated content to manipulate buyers into purchasing cheap resin lamps as "handmade" products.

‼️🚨 Over 700 Ghost CMS sites, including Harvard, Oxford, and Auburn, were compromised through an unauthenticated SQL injection (CVE-2026-26980).

Attackers pulled Admin API Keys and turned every site into a ClickFix delivery vector via fake Cloudflare "verify you are human" pages. Patch was out February 19. Most never applied it.

https://blog.xlab.qianxin.com/ghost-cms-mass-compromised-via-cve-2026-26980-now-fueling-clickfix-attacks/

🚨 A zero-click attack is hijacking WhatsApp accounts on iPhones running iOS 16.

Victims scan no QR code, share no verification code, and see no linked device in the app.

Attackers then message the victim's contacts asking for bank transfers, and the likely chain (CVE-2025-43300 + CVE-2025-55177) is patched in iOS 16.7.12.

https://www.forenser.it/account-whatsapp-compromessi-su-iphone-con-ios-16/

‼️🚨 Security researcher "Nightmare-Eclipse" has now also been removed from GitLab..

This follows their GitHub being wiped last week after they publicly dropped zero-day PoCs targeting Microsoft products.

The message from major code hosts is clear: drop unpatched exploits in public, lose the platform.

‼️ Microsoft has responded to the recent wave of public zero-day disclosures tied to Nightmare-Eclipse.

In an MSRC post titled "A shared responsibility," Microsoft addressed RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma, saying the vulnerability details were not shared with the company before release.

That claim is contested.

Nightmare-Eclipse says at least BlueHammer wasn't a blindside. In an April 15 signed post, the actor said MSRC was fully aware of the disclosure, that a case had been filed and dismissed, and that Microsoft knew another disclosure was coming.

Microsoft's new post gives no per-CVE timeline. So right now, the public record has two conflicting versions.

Microsoft never printed the handle "Nightmare-Eclipse," but by naming all six vulnerabilities it left no doubt who the post was about.

The company says its security teams have been working "around the clock" to assess impact, protect customers, and ship updates.

It also says its Digital Crimes Unit will keep pursuing the actors who weaponize these exploits and those who enable them.

The case for coordinated disclosure is straightforward.

The point of giving a vendor advance notice is not to protect the vendor. It is to protect the people running the software.

Patch before PoC means defenders get a head start.

PoC before patch hands it to attackers.

That does not make the tension one-sided.

Researchers walk away from coordinated disclosure for reasons: slow fixes, disputed severity, no credit, no payment, broken trust, or deleted reporting accounts.

Nightmare-Eclipse claims Microsoft revoked access to the MSRC account used to report bugs, wiped it, and ignored requests for an explanation.

Microsoft's post does not address that claim directly.

It says only that it still welcomes submissions from anyone through its public researcher portal, regardless of past interactions or reputation.

Both things can be true at once.

A vendor can have a real duty to treat researchers fairly.

And a researcher can still be wrong to burn the disclosure process in a way that arms criminals.

The friction between those two points is exactly where users get hurt, and it's exactly why disputes belong inside proper channels, even after the relationship breaks down.

SOURCE: https://www.microsoft.com/en-us/msrc/blog/2026/05/a-shared-responsibility-protecting-customers-through-coordinated-vulnerability-disclosure

‼️ After the MSRC blog post about Nightmare-Eclipse, researchers are coming forward with their own MSRC horror stories.

The response from the security community isn't going Microsoft's way. As they’re not backing Microsoft.

Gabriel Landau, a well-known Windows security researcher, says he reported a Device Guard bypass with a 90-day window. MSRC told him it met their bar and they'd fix it, then asked him to hold disclosure for extra months. He agreed on the condition they issue a CVE. They patched it silently, decided after the fact it "didn't meet the bar," and never issued the CVE. In his words: "MSRC strung me along for a few extra months to keep me quiet, then broke their word."

Another researcher, rootsecdev, says he responsibly disclosed a legacy-auth flaw that allowed password spraying while avoiding smart lockout. Five months later, MSRC replied that it "doesn't meet the bar for servicing," silently fixed it, and closed the case.

Microsoft's post was meant to defend their coordinated disclosure policy. Instead it became a thread of researchers explaining why they've stopped trusting their process.

🚨 BREAKING: Anthropic released Claude Opus 4.8 today, just 41 days after 4.7.

The jump in six weeks:

agentic coding 64.3% → 69.2%
knowledge work 1753 → 1890.

It also overtook GPT-5.5 on financial analysis and knowledge work, the two benchmarks where 4.7 had trailed.

‼️🚨 Hacked Fortinet FortiClient EMS servers are pushing infostealer malware disguised as a Fortinet patch to every managed endpoint.

Attackers exploit CVE-2026-35616 to take the server, then abuse FortiClient's own management channel to deploy it. Patch now!

Source: https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch/

❗️ iPhone 18 Pro dummy units just surfaced in four finishes: Black, Silver, Dark Cherry, and Light Blue.

Dark Cherry looks set to be this year's headline color, the successor to the Cosmic Orange that became a phenomenon in China. That orange shade was nicknamed "Hermès orange" for resembling the luxury brand's signature color, and it's credited with driving Apple's China iPhone sales up 38% year-over-year, the company's best-ever quarter in the region.

📸: SonnyDickson