CVE-2026-45585 (CVSS 6.8): YellowKey bypasses BitLocker encryption via Windows Recovery Environment. No password cracking. No TPM exploit. Just a maintenance request the OS processed exactly as designed.

IBM X-Force Index 2026: supply chain attacks 4x in 5 years. 50% of global orgs had an AI-related security incident. North America most attacked for first time in 6 years. The common thread is preventable.

GitHub confirms ~3,800 internal repos breached via poisoned VS Code extension. TeamPCP (UNC6780) sells stolen source code for $50,000

Technical analysis of CVE-2026-40369, a 12-byte Windows kernel write reachable from browser sandboxes via NtQuerySystemInformation, leading to SYSTEM.

Unauthenticated ETHCheat requests return admin and WLAN secrets in the page markup on affected ZTE H298A and H108N router builds.

Angular. tj-actions. Cline. TanStack. The same class of attack has been quietly hijacking publish pipelines for two years. Here's what it is, how it works, and what you need to do today.

Three progressively compromised versions of a Microsoft-adjacent Python package deliver a full-featured infostealer that spreads through AWS and Kubernetes, exfiltrates every cloud credential it can find, and wipes disks on Israeli and Iranian systems

Upgrade your package manager before a supply chain attack makes that decision for you.

Inside SA-Core2026-004 On the 20th of May, the Drupal Security Team released SA-CORE-2026-004 (CVE-2026-9082), a Highly critical (20/25) SQL injection in Drupal core. The issue is reachable by fully anonymous users on any deployment that backs Drupal with…

Evidence-backed root-cause analysis of CVE-2021-35036, showing how low-privilege users could extract super-admin, TR-069, FTPS, and other credentials across Zyxel router, ONT, LTE, and 5G product lines.

By Faris | Cybersecurity Engineer & Threat Researcher | @farixzz | NullByte Collective

A four-byte type, an eight-byte stride, one root shell.

Hi! Last Thursday, as part of the Burp Extensibility Month on the PortSwigger Discord server, I gave a talk on […]

Browser-first CTF landing page for KubeArmor AI security challenges.

Security Advisory Description NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module. This vulnerability exists when a rewrite directive uses a regex pattern with distinct, overlapping Perl-Compatible Regular Expression…