🔫 Checkmarx Breach Expands Multi-Stage Supply Chain Attack
Checkmarx confirmed a GitHub repository compromise after Lapsus$ published alleged source code, API keys, and database credentials. The breach stems from a March 23 attack on the company's KICS tool, which itself originated from TeamPCP's earlier compromise of Aqua Security's Trivy scanner. The malware-laced KICS binary exfiltrated infrastructure-as-code scan results containing credentials to external endpoints, according to The Register.
The attack chain now extends to Bitwarden CLI, affecting 10M+ users and 50K+ businesses. TeamPCP has partnered with ransomware groups to weaponize compromised security tools—password managers, scanners, GitHub Actions—that maintain privileged access across developer environments and CI/CD pipelines.
🛰️ Open sources - closed narratives
@sitreports
🔫 GlassWorm Shifts to Sleeper Extension Tactic on OpenVSX
Seventy-three malicious extensions linked to the GlassWorm campaign have been identified on the OpenVSX marketplace, with six already activated to deliver infostealer payloads. The extensions are uploaded as benign clones of legitimate tools but later weaponized through updates that fetch malware via secondary VSIX packages, compiled modules, or obfuscated JavaScript loaders. Targets include cryptocurrency wallets, credentials, access tokens, and SSH keys.
The shift to dormant extensions marks a tactical evolution for GlassWorm operators, who previously triggered detection through large-scale simultaneous deployments.
🛰️ Open sources - closed narratives
@sitreports
📡 Toronto Police Dismantle First SMS Blaster Operation in Canada
Canadian authorities arrested three suspects operating rogue cellular equipment that mimicked legitimate cell towers to mass-distribute phishing messages across the Greater Toronto Area. The vehicle-mounted devices forced nearby phones to connect and pushed fraudulent SMS messages appearing to originate from banks and government entities. Police estimate 13 million connection events occurred from November 2025 until raids on March 31.
The technique requires no phone numbers and exploits automatic tower selection protocols. Users connected to rogue stations were temporarily severed from legitimate networks, including emergency services. This marks Canada's first documented case of this attack vector.
🛰️ Open sources - closed narratives
@sitreports
🔫 Chinese MSS Contractor Extradited from Italy for Silk Typhoon Operations
Xu Zewei, a Chinese national accused of conducting cyberespionage for China's Ministry of State Security, has been extradited from Italy to face charges in the United States. Between February 2020 and June 2021, Xu allegedly worked as a contract hacker for Shanghai Powerock Network Co., targeting COVID-19 research organizations and exploiting Microsoft Exchange Server zero-days to compromise thousands of systems globally.
The indictment links Xu to Silk Typhoon operations that deployed web shells for mailbox access and lateral movement within victim networks. His arrest marks a rare instance of physical detention for state-sponsored cyber operators working through commercial fronts.
🛰️ Open sources - closed narratives
@sitreports
🔫 Itron and Medtronic Disclose Network Intrusions
Utility tech provider Itron ($4B revenue) and medical device manufacturer Medtronic ($107B) filed breach notifications with the SEC on April 27. Itron detected unauthorized access on April 13, remediated the intrusion, and reports no operational impact or subsequent activity. Medtronic confirmed corporate IT compromise following ShinyHunters extortion claims of 9M records stolen, with an April 21 payment deadline.
Both firms maintain separation between corporate and operational networks—Itron's customer-hosted systems were unaffected, and Medtronic's product and manufacturing infrastructure is isolated. Neither company disclosed attack vectors or confirmed ransomware deployment. Insurance is expected to cover a significant portion of Itron's incident costs.
🛰️ Open sources - closed narratives
@sitreports
🔫 Elementary-data PyPI Package Compromised via GitHub Actions Injection
Attackers exploited a script injection vulnerability in GitHub Actions workflows to push malicious version 0.23.3 of the elementary-data package to PyPI. The compromised release, downloaded over 1.1 million times monthly, deployed an infostealer targeting SSH keys, cloud credentials, cryptocurrency wallets, and developer secrets. The attack forged a signed commit using exposed GITHUB_TOKEN credentials, bypassing standard release controls.
The malicious payload auto-executed via elementary.pth at Python startup and extended to Docker images through automated CI/CD pipelines. Users who pulled version 0.23.3 or latest-tagged containers require immediate secret rotation and environment restoration from clean backups.
🛰️ Open sources - closed narratives
@sitreports
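Two defender-side checks for the mechanisms this item describes: untrusted GitHub expression contexts interpolated into a `run:` step (the script-injection pattern), and `.pth` lines that the interpreter executes at start-up. This is an added example written for this digest, not code from the elementary-data project or from the incident reports; the workflow snippet, the `.pth` content and the token-style sample values are constructed.

```python
"""Audit helpers for two root causes named in the elementary-data item:
GitHub Actions script injection and .pth start-up execution.

Added example; not the project's code. All sample inputs are constructed.
"""
import re
from typing import List, Tuple

# Expression contexts that a pull request, issue, comment or branch name
# controls. Interpolating any of them into a shell `run:` step lets the
# submitter's text become part of the command line.
UNTRUSTED_CONTEXTS = re.compile(
    r"\$\{\{\s*github\.(event\.(issue|pull_request|comment|review|"
    r"review_comment|head_commit|commits|discussion)|head_ref)[^}]*\}\}"
)


def find_run_step_injections(workflow_yaml: str) -> List[Tuple[int, str]]:
    """Return (line_number, expression) for every untrusted expression that
    appears inside a `run:` block.

    Works on the raw text so it needs no YAML library: a `run:` block covers
    the `run:` line itself plus following lines indented deeper than that key.
    Expressions passed through `env:` are not flagged, since the shell then
    sees them as ordinary variable values rather than command text.
    """
    findings: List[Tuple[int, str]] = []
    in_run, run_indent = False, 0
    for lineno, line in enumerate(workflow_yaml.splitlines(), start=1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if in_run and (not stripped or indent > run_indent):
            pass  # continuation of a multi-line run block
        elif stripped.startswith(("run:", "- run:")):
            in_run, run_indent = True, indent
        else:
            in_run = False
        if in_run:
            for m in UNTRUSTED_CONTEXTS.finditer(line):
                findings.append((lineno, m.group(0)))
    return findings


# CPython's site.py executes a .pth line that starts with "import" followed by
# a space or tab; every other non-comment line is treated as a path entry.
PTH_EXEC_LINE = re.compile(r"^import[ \t]")


def find_executable_pth_lines(pth_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, line) for .pth lines the interpreter would execute."""
    return [
        (n, line.rstrip())
        for n, line in enumerate(pth_text.splitlines(), start=1)
        if PTH_EXEC_LINE.match(line)
    ]


# Constructed sample: one unsafe step and one safe step doing the same thing.
SAMPLE_WORKFLOW = """\
name: triage
on: [issues]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: unsafe
        run: |
          echo "New issue: ${{ github.event.issue.title }}"
      - name: safe
        env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $TITLE"
"""

# Constructed sample .pth: one path entry, one executable line, one comment.
SAMPLE_PTH = """\
/opt/venv/lib/python3.12/site-packages/vendor
import sys; sys.stderr.write("constructed sample, executed at start-up")
# comment lines are ignored by site.py
"""

if __name__ == "__main__":
    for lineno, expr in find_run_step_injections(SAMPLE_WORKFLOW):
        print(f"workflow line {lineno}: untrusted expression in run step: {expr}")
    for lineno, line in find_executable_pth_lines(SAMPLE_PTH):
        print(f".pth line {lineno} executes code: {line}")
```

Run the `.pth` check over every `*.pth` file in each interpreter's `site-packages` directory; legitimate editable installs also use `import` lines, so the point is to know which ones are present and to review any that a package release added unexpectedly.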
🔍 ADT Breach Exposes 5.5 Million Records via SSO Compromise
Home security provider ADT confirmed a data breach affecting 5.5 million individuals after ShinyHunters extortion group compromised an employee's Okta SSO account through voice phishing. The stolen data includes names, phone numbers, addresses, dates of birth, and partial government IDs, according to breach analysis by Have I Been Pwned. Attackers exfiltrated records from ADT's Salesforce instance after gaining access on April 20.
This marks ADT's third breach in eight months and highlights persistent threats from credential-based SSO attacks targeting enterprise SaaS platforms.
🛰️ Open sources - closed narratives
@sitreports
🔍 Checkmarx Confirms GitHub Repository Breach Data Posted on Dark Web
Application security firm Checkmarx has confirmed that internal GitHub repository data stolen during a March 23, 2026 cyberattack has been posted to dark web forums. The company acknowledged the breach following reporting by security researchers who identified leaked code and internal documentation circulating on underground marketplaces.
The incident highlights persistent targeting of DevSecOps infrastructure, where source code repositories represent high-value intelligence for both criminal actors and APT groups. Organizations maintaining security tooling face elevated exposure when their own development environments are compromised.
🛰️ Open sources - closed narratives
@sitreports
🔫 US Defense Contractor Leaked Hacking Tools to Russia
An employee of Trenchant, a government malware vendor authorized to sell exclusively to Western allies, secretly sold advanced hacking tools to a Russian company. The leaked exploits, including iPhone zero-days, subsequently appeared in operations attributed to Russian intelligence services in Ukraine and were potentially distributed to Chinese criminal networks, according to investigative reporting by TechCrunch and 404 Media.
The breach exposes critical vulnerabilities in the oversight mechanisms governing the commercial exploit industry. When tools designed for targeted intelligence operations enter adversarial hands, they enable mass exploitation campaigns that undermine the security rationale used to justify their development.
🛰️ Open sources - closed narratives
@sitreports
📄 US House Introduces Section 702 Reauthorization Without Warrant Requirement
Speaker Johnson has introduced the Foreign Intelligence Accountability Act days before Section 702 of FISA expires. The bill mandates a civil liberties officer review FBI queries of US persons after surveillance occurs, but according to digital rights advocates, fails to establish a warrant requirement for FBI access to Americans' communications collected under the program.
The proposal maintains existing prohibition language on targeting US persons while doing nothing to address incidental collection—the primary mechanism through which domestic communications are accessed. Privacy groups characterize the self-policing oversight structure as inadequate accountability for Fourth Amendment concerns.
🛰️ Open sources - closed narratives
@sitreports
🔫 Acting Navy Secretary labels drones as generational IED threat
Hung Cao, appointed acting SECNAV six days prior, told the Modern Day Marine conference that unmanned aerial systems represent "the new" improvised explosive device threat facing deployed forces. The former Navy special operations officer and EOD technician called for accelerated industry delivery of counter-UAS capabilities and AI-enabled systems, drawing parallels between roadside bombs in Iraq and current drone threats to ground units.
Cao's remarks reflect operational realities as the Navy pursues its "Golden Fleet" concept integrating autonomous platforms with traditional assets. His emphasis on speed over bureaucracy signals potential acquisition reforms, though implementation timelines remain unclear amid his recent appointment following John Phelan's abrupt removal.
🛰️ Open sources - closed narratives
@sitreports
🔫 USMC 2nd Division to conduct first dedicated counter-UAS training at Twentynine Palms
Marine Air-Ground Task Force Training Command will host 2nd Marine Division for integrated counter-drone exercises between mid-July and late August. Maj. Gen. Farrell Sullivan described counter-UAS as a "significant concern," noting the service is building capabilities as conflicts in Ukraine and the Middle East demonstrate the evolving threat of small drones and FPV platforms.
The training reflects accelerated fielding driven by operational urgency rather than traditional timelines. Officials acknowledged gaps in maneuver-level coverage, prompting distribution of counter-UAS kits to smaller formations.
🛰️ Open sources - closed narratives
@sitreports
📡 Space Force Requests $4.5B for Space Data Network Architecture
The U.S. Space Force's FY27 budget includes billions for its Space Data Network — a multi-orbit hybrid architecture integrating military and commercial relay satellites. Key components include $1.5B for SDN-Backbone R&D (pLEO mesh constellation), $1.6B for procurement, and $1.4B for Space Link mission enclaves supporting Golden Dome interceptors. The SDN absorbs the classified MILNET program and effectively replaces SDA's Tranche 3 Transport Layer, which received zero funding.
The architecture serves as critical infrastructure for CJADC2 and Golden Dome missile defense, providing low-latency data pathways across domains. Congressional concerns about SpaceX vendor lock-in persist, though the Space Force commits to multi-contractor integration.
🛰️ Open sources - closed narratives
@sitreports
🔫 VECT 2.0 Ransomware Functions as Irreversible Data Wiper
The VECT 2.0 ransomware, advertised on BreachForums and linked to TeamPCP supply-chain attacks, contains a critical encryption flaw that permanently destroys files larger than 128KB rather than encrypting them. The malware's faulty nonce-handling logic overwrites encryption keys during the process, making 75% of affected files unrecoverable even if ransoms are paid, according to Check Point researchers.
This threshold encompasses virtually all enterprise-critical data, including VM disks, databases, backups, and standard office documents. The flaw exists across all VECT 2.0 variants targeting Windows, Linux, and ESXi environments, making the ransomware effectively a destructive wiper rather than a viable extortion tool.
🛰️ Open sources - closed narratives
@sitreports
🔫 LiteLLM Proxy Gateway Under Active SQLi Exploitation
Threat actors are exploiting CVE-2026-42208, a critical pre-authentication SQL injection flaw in LiteLLM, a widely used open-source gateway for AI model management with 45k GitHub stars. The vulnerability allows unauthenticated attackers to read and modify proxy databases containing API keys, virtual keys, and provider credentials by sending malicious Authorization headers. Exploitation began 36 hours after public disclosure on April 24, with researchers observing targeted attacks querying specific credential tables.
Patched in version 1.83.7, the flaw poses immediate risk to exposed instances managing multi-model LLM deployments. Organizations running vulnerable versions should treat systems as compromised and rotate all stored credentials immediately.
🛰️ Open sources - closed narratives
@sitreports
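The bug class behind this item, shown in miniature: a bearer token taken from the Authorization header and concatenated into a SQL lookup, beside the form that validates the token and binds it as a parameter. This is an added illustration written for this digest; it is not LiteLLM's code, does not reproduce CVE-2026-42208, and the `virtual_keys` table, the `sk-` token format and the sample tokens are constructed.

```python
"""Vulnerable versus hardened lookup of an API key taken from an
Authorization header. Added example for this digest; not LiteLLM's code.
Table name, token format and tokens are constructed."""
import re
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for a gateway's key store (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE virtual_keys (token TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany(
        "INSERT INTO virtual_keys VALUES (?, ?)",
        [("sk-constructed-alice", "alice"), ("sk-constructed-bob", "bob")],
    )
    return conn


def bearer_token(authorization: Optional[str]) -> Optional[str]:
    """Extract <token> from 'Bearer <token>'; None if the header is malformed."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None


def lookup_vulnerable(conn: sqlite3.Connection, authorization: str) -> Optional[str]:
    """Header text is formatted straight into the statement, so whatever the
    client sends becomes SQL. Pre-authentication: no check precedes the query."""
    token = bearer_token(authorization)
    if token is None:
        return None
    row = conn.execute(
        f"SELECT owner FROM virtual_keys WHERE token = '{token}'"
    ).fetchone()
    return row[0] if row else None


# Constructed token grammar: reject anything that is not a well-formed key
# before the database is touched at all.
TOKEN_FORMAT = re.compile(r"^sk-[A-Za-z0-9_-]{8,128}$")


def lookup_hardened(conn: sqlite3.Connection, authorization: str) -> Optional[str]:
    """Validate the token's shape, then bind it as a parameter. The driver
    sends the value separately from the statement, so it can never be parsed
    as SQL, and the format check also keeps junk from reaching the engine."""
    token = bearer_token(authorization)
    if token is None or not TOKEN_FORMAT.fullmatch(token):
        return None
    row = conn.execute(
        "SELECT owner FROM virtual_keys WHERE token = ?", (token,)
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run both lookups over a valid token, a classic tautology payload and a
    malformed header, returning the owner each call resolves to."""
    conn = make_db()
    injected = "Bearer ' OR '1'='1"  # textbook tautology, constructed
    return {
        "valid_hardened": lookup_hardened(conn, "Bearer sk-constructed-alice"),
        "injected_vulnerable": lookup_vulnerable(conn, injected),
        "injected_hardened": lookup_hardened(conn, injected),
        "malformed_hardened": lookup_hardened(conn, "Basic abc"),
    }


if __name__ == "__main__":
    for name, owner in demo().items():
        print(f"{name}: {owner}")
```

The vulnerable lookup resolves the tautology to a real owner, which is exactly how an unauthenticated request reads rows it never held a key for; the hardened version returns nothing for it. The format check is a belt-and-braces addition, not a substitute for parameter binding.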
🔫 GitHub RCE Flaw Allowed Code Execution via Single Git Push
Critical vulnerability CVE-2026-3854 in GitHub Enterprise Cloud and Server enabled remote code execution through command injection in git push operations. The flaw stemmed from improper sanitization of user-supplied push option values in internal service headers, allowing attackers with repository push access to inject metadata, bypass sandbox protections, and execute arbitrary commands on backend infrastructure.
Wiz researchers discovered the vulnerability using AI-assisted analysis of closed-source code and reported it to GitHub on March 4, 2026, with patches released within two hours. Despite the rapid response, 88% of Enterprise Server instances remain vulnerable. The attack chain could expose millions of repositories on shared storage nodes, requiring immediate patching across all affected versions.
🛰️ Open sources - closed narratives
@sitreports
🔫 US charges Scattered Spider member arrested in Finland
A 19-year-old dual US-Estonian citizen using the alias "Bouquet" faces federal wire fraud and computer intrusion charges after Finnish authorities arrested him at Helsinki airport on April 10. According to Chicago Tribune reporting, temporarily unsealed court records link him to at least four Scattered Spider breaches, including attacks conducted when he was 16 years old.
The complaint details involvement in multi-million dollar extortion campaigns against corporations, including a luxury retailer hit with an $8 million ransom demand in May 2025. The financially motivated collective, known for social engineering and MFA bombing tactics, has previously breached Caesars, MGM Resorts, and multiple UK retailers.
🛰️ Open sources - closed narratives
@sitreports
🤖 Kamasers Botnet Combines DDoS and Ransomware Delivery
A newly analyzed DDoS botnet named Kamasers has been observed combining multi-vector distributed denial-of-service capabilities with malware loader functions that enable ransomware deployment and data theft. Research by ANY.RUN reveals the malware spreads via GCleaner and Amadey loaders, with control infrastructure hosted on Railnet LLC ASN—previously linked to bulletproof hosting operations.
Kamasers employs a Dead Drop Resolver mechanism using GitHub Gist, Telegram, and Dropbox to dynamically retrieve C2 addresses, evading static detection. Spanish-language commands observed in sessions suggest operator origins, while targeting spans Germany, U.S., Poland, and France across education, telecom, and tech sectors.
🛰️ Open sources - closed narratives
@sitreports
📄 Checkmarx Confirms LAPSUS$ Data Leak Following GitHub Breach
Application security firm Checkmarx has confirmed that LAPSUS$ threat actors leaked 96GB of data stolen from its private GitHub repository. The breach originated from a March 23 compromise linked to the Trivy supply-chain attack, where stolen credentials enabled unauthorized access. The attackers published malicious code and Docker images on April 22 before releasing the stolen data on both dark web and clearnet portals.
The incident highlights how downstream credential theft enabled persistent access across multiple organizations. Checkmarx states no customer data was stored in the affected repository, though forensic investigation continues. The company has blocked repository access pending completion of the probe.
🛰️ Open sources - closed narratives
@sitreports
🎭 Signal Phishing Campaign Targets German Political Elite
German prosecutors have launched an espionage investigation into a large-scale phishing operation targeting hundreds of Signal accounts belonging to politicians, ministers, military personnel, and journalists. Attackers impersonated Signal support or trusted contacts to trick victims into sharing authentication codes or scanning malicious QR codes, gaining access to private communications. High-profile targets included CDU politician Julia Klöckner, while German authorities suspect Russian state involvement.
The campaign exploited human trust rather than technical vulnerabilities, bypassing encryption through social engineering.
🛰️ Open sources - closed narratives
@sitreports
🔫 Linux Kernel Flaw Enables 10-Line Root Exploit
A local privilege escalation vulnerability dubbed Copy Fail (CVE-2026-31431) allows unprivileged users to gain root access on most Linux distributions released since 2017. The flaw in the kernel's cryptographic template permits writing controlled bytes into any readable file's page cache, modifying binaries during execution without triggering filesystem defenses. A functional exploit is just 732 bytes of Python code.
Major distributions including Debian, Ubuntu, and SUSE have deployed patches for the high-severity flaw, identified with AI-assisted scanning by Theori. While requiring local access, the vulnerability presents container escape risks in Kubernetes environments due to shared page cache architecture.
🛰️ Open sources - closed narratives
@sitreports