🔍 Iranian APT Targets Rockwell PLCs
On April 7, 2026, U.S. cybersecurity and defense agencies issued a joint advisory confirming that Iranian-linked threat actors are actively targeting Rockwell Automation programmable logic controllers exposed on public networks.
Thousands of Rockwell PLCs remain internet-accessible, presenting a persistent attack surface across industrial and critical infrastructure sectors. Iranian APT activity against operational technology follows an established pattern of pre-positioning within control system environments rather than immediate disruption.
The advisory indicates coordinated federal recognition of an active targeting cycle, not a theoretical threat model. PLC exposure at this scale reflects systemic integration failures between IT and OT security practices across affected operators.
🛰️ Open sources - closed narratives
@sitreports
🔍 Adobe Patches Acrobat Reader Zero-Day
Adobe released security bulletin APSB26-43 on April 11, 2026, patching CVE-2026-34621, a zero-day vulnerability in Acrobat Reader confirmed as actively exploited prior to the patch.
Acrobat Reader's near-universal deployment across enterprise and government environments makes unpatched zero-days in the application a reliable vector for initial access operations. Active exploitation prior to disclosure indicates the flaw was weaponized before Adobe's detection cycle closed.
⚡ Pentagon, FAA Formalize Counter-Drone Laser Accord
The Department of Defense and the Federal Aviation Administration have signed a safety agreement governing the domestic use of counter-drone laser technology, following recent testing at a domestic range. The accord establishes a formal coordination channel between the two agencies on directed-energy systems operating in shared airspace.
The agreement reflects an ongoing effort to integrate military counter-UAS capabilities into the civilian airspace framework — a structural requirement as laser-based interdiction moves from testing toward operational domestic deployment. Interagency formalization at this stage typically precedes broader fielding authority.
🔍 APT41 Deploys Linux Backdoor Against Cloud Environments
APT41, also tracked as Winnti, has launched a campaign targeting Linux-based cloud environments using a newly identified backdoor variant designed for credential theft.
The shift to Linux cloud infrastructure marks a tactical expansion for APT41, a group historically associated with both state-sponsored espionage and financially motivated intrusions. Linux servers in cloud environments typically operate with elevated privileges and reduced endpoint monitoring coverage compared to enterprise Windows deployments, making them structurally attractive for credential harvesting operations.
The campaign follows a broader pattern of China-linked threat actors repositioning tooling toward cloud-native infrastructure as enterprise workloads migrate away from on-premise systems.
🔍 FBI Dismantles W3LL Phishing Platform
The FBI Atlanta Field Office and Indonesian authorities have dismantled the W3LL phishing platform, seizing its infrastructure and arresting the alleged developer. The operation marks the first coordinated enforcement action between the United States and Indonesia directed at a phishing kit developer.
W3LL operated as a commercial phishing-as-a-service platform, supplying kit infrastructure to downstream threat actors. Targeting the developer tier, rather than end users, reflects a law enforcement approach aimed at collapsing supply-side criminal tooling rather than pursuing individual operators.
📄 Adobe Patches Acrobat Zero-Day
Adobe has released an emergency security update for Acrobat and Reader addressing CVE-2026-34621, a vulnerability confirmed to have been exploited as a zero-day since at least December 2025.
The gap between initial exploitation and patch release indicates the vulnerability was leveraged for several months before vendor detection or disclosure. PDF readers remain a persistent attack surface due to their near-universal deployment across enterprise and government environments.
🔍 108 Chrome Extensions Exfiltrate User Data
A cluster of 108 Chrome extensions was found routing stolen Google and Telegram credentials to shared command-and-control infrastructure, affecting an estimated 20,000 users.
The use of shared C2 infrastructure across the full extension cluster indicates coordinated deployment rather than isolated development — a distribution model that reduces per-unit cost while scaling collection volume across a single backend.
🎭 Fake Linux Leader Targets Developers
A social engineering operation has been targeting Linux kernel developers via Slack, with an actor impersonating Linux Foundation leadership to extract credentials and sensitive information. The attack chain routes targets through a Google Sites lure before directing them to install a bogus root certificate — a technique that enables interception of encrypted traffic on the compromised machine.
Installing a fraudulent root certificate grants the operator the ability to perform man-in-the-middle attacks against TLS sessions, effectively nullifying transport-layer security. The use of Google Sites for initial staging exploits the domain's trusted reputation to bypass URL-based filtering. The full attack chain follows a pattern consistent with credential-harvesting operations targeting open-source supply chain access points.
🔍 OpenAI Rotates Certs After Supply Chain Hit
OpenAI is rotating macOS code-signing certificates following exposure caused by a malicious Axios package executed through a GitHub Actions workflow. The certificate rotation was triggered after the compromised dependency reached OpenAI's build pipeline during a broader supply chain attack targeting the Axios library.
Code-signing certificate exposure in CI/CD pipelines represents a structural risk in automated build environments. A compromised certificate allows unsigned or malicious binaries to appear as legitimately signed software, undermining endpoint trust verification on macOS systems at the distribution level.
🔍 Microsoft Patches 168 Flaws, SharePoint Zero-Day
Microsoft's April 2026 release addresses 168 vulnerabilities, including an actively exploited zero-day in SharePoint. The zero-day enables elevation of privilege, indicating active operational use prior to patch availability.
The volume — 168 CVEs in a single cycle — reflects the sustained attack surface across Microsoft's enterprise stack. Privilege escalation via SharePoint is consistent with intrusion patterns targeting lateral movement inside corporate and government networks.
📡 Democrats Passive on FISA 702 Renewal
Democratic congressional leadership has not moved to organize caucus opposition to renewing Section 702 of the Foreign Intelligence Surveillance Act, according to The Intercept's reporting. The provision authorizes warrantless collection of communications involving foreign targets, with incidental collection of American data a documented byproduct.
Grassroots resistance to reauthorization is forming among lower-level members and outside advocacy groups, driven partly by the expanded use of AI systems to process and sort collected data on U.S. persons. Leadership inaction removes the primary organizational mechanism that would consolidate that opposition into a legislative position.
🔍 100+ Chrome Extensions Exfiltrate OAuth Tokens
Over 100 malicious extensions identified in the official Chrome Web Store were found targeting Google OAuth2 Bearer tokens, deploying backdoors, and executing ad fraud operations. The Chrome Web Store served as the distribution vector, meaning the extensions carried implicit legitimacy through Google's own platform.
OAuth2 Bearer token theft grants persistent session access without requiring credential capture, effectively bypassing authentication layers. Combined with backdoor deployment, the operation profile indicates staged compromise: initial access via extension install, token harvest for account takeover, with ad fraud as a likely revenue mechanism funding broader infrastructure.
🤖 AI Agents Vulnerable to Credential Theft
Researchers demonstrated that AI agents from Anthropic, Google, and Microsoft — when integrated with GitHub — can be manipulated via prompt injection to exfiltrate user credentials. The vulnerability findings covered Claude, Gemini, and Copilot. All three vendors issued minimal bounty payouts without publishing user advisories.
The attack surface is structural: agentic AI systems that read external content — repositories, issues, pull requests — inherit the trust level of the integrating platform. Malicious instructions embedded in that content can redirect agent actions without user awareness. Researchers assessed the problem as likely pervasive across similar integrations.
🔍 OpenAI Releases Cybersecurity-Focused Model
OpenAI has released GPT-5.4-Cyber, a model variant oriented toward defensive security operations, with expanded access extended to security teams. According to the model release, the system has been used to identify and remediate over 3,000 vulnerabilities.
The release continues a pattern of AI developers segmenting general-purpose models into domain-specific variants for institutional users. Positioning the tooling toward defenders rather than general release reflects an access-tiering approach intended to shape how offensive and defensive capabilities are distributed across the security ecosystem.
🔫 Thomson Reuters Fires ICE Critic
Thomson Reuters terminated an employee after the worker raised internal objections over the company's data products being used in U.S. Immigration and Customs Enforcement operations, according to a former employee account. The dismissed worker stated that internal reporting on potential legal and humanitarian misuse of company products resulted directly in termination.
Thomson Reuters supplies data aggregation and analytics tools with documented use in immigration enforcement. The case fits a pattern of corporate retaliation against internal dissent over law enforcement contracts — a structural dynamic present across major data brokers supplying federal agencies.
🔍 Marines Assess First Agentic AI Workshop
The U.S. Marine Corps held its inaugural agentic and generative AI workshop at Quantico, with officials now reviewing collected feedback. According to the workshop findings, two primary gaps surfaced: insufficient personnel training and inadequate institutional trust in AI-assisted decision-making.
Both gaps are structurally consistent with broader U.S. military AI integration patterns. Agentic systems — capable of executing multi-step tasks autonomously — require command-level confidence that current doctrine and familiarity levels do not yet support. The Quantico event functions as a baseline assessment ahead of further operational integration.