‼️🚨 Over 700 Ghost CMS sites, including Harvard, Oxford, and Auburn, were compromised through an unauthenticated SQL injection (CVE-2026-26980).
Attackers pulled Admin API Keys and turned every site into a ClickFix delivery vector via fake Cloudflare "verify you are human" pages. Patch was out February 19. Most never applied it.
https://blog.xlab.qianxin.com/ghost-cms-mass-compromised-via-cve-2026-26980-now-fueling-clickfix-attacks/
🚨 A zero-click attack is hijacking WhatsApp accounts on iPhones running iOS 16.
Victims scan no QR code, share no verification code, and see no linked device in the app.
Attackers then message the victim's contacts asking for bank transfers, and the likely chain (CVE-2025-43300 + CVE-2025-55177) is patched in iOS 16.7.12.
https://www.forenser.it/account-whatsapp-compromessi-su-iphone-con-ios-16/
‼️🚨 Security researcher "Nightmare-Eclipse" has now also been removed from GitLab.
This follows their GitHub being wiped last week after they publicly dropped zero-day PoCs targeting Microsoft products.
The message from major code hosts is clear: drop unpatched exploits in public, lose the platform.
‼️🚨 REMARKABLE: A man calling himself "Noah Doe" walked into the NYPD with a USB drive of 39,069 dormant Bitcoin wallets, filed it as "lost property," and got a receipt.
He's now suing in New York to be declared the legal owner of all of it: ~3.8M BTC (~$286B). He says he built an algorithm to find them and is invoking a 1958 NY finders law to claim title.
Wallet #1 is the Mt. Gox hacker's address: ~80,000 BTC stolen in 2011, untouched for 15 years, worth ~$6B today. Every on-chain analyst on earth watches it.
‼️ Microsoft has responded to the recent wave of public zero-day disclosures tied to Nightmare-Eclipse.
In an MSRC post titled "A shared responsibility," Microsoft addressed RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma, saying the vulnerability details were not shared with the company before release.
That claim is contested.
Nightmare-Eclipse says at least BlueHammer wasn't a blindside. In an April 15 signed post, the actor said MSRC was fully aware of the disclosure, that a case had been filed and dismissed, and that Microsoft knew another disclosure was coming.
Microsoft's new post gives no per-CVE timeline. So right now, the public record has two conflicting versions.
Microsoft never printed the handle "Nightmare-Eclipse," but by naming all six vulnerabilities it left no doubt who the post was about.
The company says its security teams have been working "around the clock" to assess impact, protect customers, and ship updates.
It also says its Digital Crimes Unit will keep pursuing the actors who weaponize these exploits and those who enable them.
The case for coordinated disclosure is straightforward.
The point of giving a vendor advance notice is not to protect the vendor. It is to protect the people running the software.
Patch before PoC means defenders get a head start.
PoC before patch hands it to attackers.
That does not make the tension one-sided.
Researchers walk away from coordinated disclosure for reasons: slow fixes, disputed severity, no credit, no payment, broken trust, or deleted reporting accounts.
Nightmare-Eclipse claims Microsoft revoked access to the MSRC account used to report bugs, wiped it, and ignored requests for an explanation.
Microsoft's post does not address that claim directly.
It says only that it still welcomes submissions from anyone through its public researcher portal, regardless of past interactions or reputation.
Both things can be true at once.
A vendor can have a real duty to treat researchers fairly.
And a researcher can still be wrong to burn the disclosure process in a way that arms criminals.
The friction between those two points is exactly where users get hurt, and it's exactly why disputes belong inside proper channels, even after the relationship breaks down.
SOURCE: https://www.microsoft.com/en-us/msrc/blog/2026/05/a-shared-responsibility-protecting-customers-through-coordinated-vulnerability-disclosure
‼️ After the MSRC blog post about Nightmare-Eclipse, researchers are coming forward with their own MSRC horror stories.
The response from the security community isn't going Microsoft's way: researchers are not backing Microsoft.
Gabriel Landau, a well-known Windows security researcher, says he reported a Device Guard bypass with a 90-day window. MSRC told him it met their bar and they'd fix it, then asked him to hold disclosure for extra months. He agreed on the condition they issue a CVE. They patched it silently, decided after the fact it "didn't meet the bar," and never issued the CVE. In his words: "MSRC strung me along for a few extra months to keep me quiet, then broke their word."
Another researcher, rootsecdev, says he responsibly disclosed a legacy-auth flaw that allowed password spraying while avoiding smart lockout. Five months later, MSRC replied that it "doesn't meet the bar for servicing," silently fixed it, and closed the case.
Microsoft's post was meant to defend their coordinated disclosure policy. Instead it became a thread of researchers explaining why they've stopped trusting their process.
🚨 BREAKING: Anthropic released Claude Opus 4.8 today, just 41 days after 4.7.
The jump in six weeks:
agentic coding 64.3% → 69.2%
knowledge work 1753 → 1890.
It also overtook GPT-5.5 on financial analysis and knowledge work, the two benchmarks where 4.7 had trailed.
‼️🚨 Hacked Fortinet FortiClient EMS servers are pushing infostealer malware disguised as a Fortinet patch to every managed endpoint.
Attackers exploit CVE-2026-35616 to take the server, then abuse FortiClient's own management channel to deploy it. Patch now!
Source: https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch/
iPhone 18 Pro dummy units just surfaced in four finishes: Black, Silver, Dark Cherry, and Light Blue.
Dark Cherry looks set to be this year's headline color, the successor to the Cosmic Orange that became a phenomenon in China. That orange shade was nicknamed "Hermès orange" for resembling the luxury brand's signature color, and it's credited with driving Apple's China iPhone sales up 38% year-over-year, the company's best-ever quarter in the region.
📸: SonnyDickson
🚨 California's State Assembly approved a Stop Killing Games bill targeting games that need a server connection to play. Before shutting those servers down, developers would have to give 60 days' notice, then either release a patch that makes the game playable offline or refund players. Only applies to games released after Jan 1, 2027. The Senate still has to approve it.
Stop Killing Games is an international consumer campaign (started in 2024 by YouTuber Ross Scott) pushing to stop publishers from making purchased games unplayable. It's pursued an EU Citizens' Initiative and backs related bills like California's AB 1921.
Source: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202520260AB1921
‼️🚨 Malicious actors can now use your SSD's activity, just by getting you to open their website, to spy on which other sites you're browsing and which apps you're running.
The attack, called FROST, is accurate: 88.95% on identifying websites, 95.83% on identifying applications. It works on macOS and Linux, across browsers, and runs entirely in JavaScript.
The browser makers were told, and largely shrugged. Chromium says fingerprinting isn't a security bug. Apple called it out of scope. Mozilla acknowledged it and shipped nothing.
Researchers at Graz University of Technology developed the attack. It abuses the Origin Private File System, a browser feature that lets sites store files on your disk without asking. The attack creates one huge file, then constantly times how fast it can read from it. When you open another tab or launch an app, that activity competes for the same SSD, and the tiny changes in read speed leak what you're doing. A trained neural network turns those timing patterns into guesses about which site or app it is.
https://hannesweissteiner.com/pdfs/frost.pdf
John Daghita, the 22-year-old accused of stealing $46 million in crypto from the US Marshals Service, has been cleared by a French court for fast-tracked extradition to the United States.
He was arrested March 4 in a luxury villa on Saint-Martin in a joint FBI and GIGN operation, caught "by ruse and without incident." Agents seized computers, crypto wallet credentials, several phones, around 250,000 euros in cash, and a loaded Glock. The full $46 million was recovered.
He allegedly pulled it off using privileged access tied to his father's federal contracting firm, which held a US government contract to manage seized cryptocurrency. He got caught after blockchain investigator ZachXBT traced the funds, reportedly tipped off when Daghita flexed a $23M wallet on Telegram.
Daghita requested his own extradition at his first hearing on May 21, saying he wants to explain himself to US courts.