SITREP - Independent OSINT Channel
AI, technology, mass surveillance, and intelligence — everything you need to know about tomorrow.
🔫 Acting Navy Secretary labels drones as generational IED threat

Hung Cao, appointed acting SECNAV six days prior, told the Modern Day Marine conference that unmanned aerial systems represent "the new" improvised explosive device threat facing deployed forces. The former Navy special operations officer and EOD technician called for accelerated industry delivery of counter-UAS capabilities and AI-enabled systems, drawing parallels between roadside bombs in Iraq and current drone threats to ground units.

Cao's remarks reflect operational realities as the Navy pursues its "Golden Fleet" concept integrating autonomous platforms with traditional assets. His emphasis on speed over bureaucracy signals potential acquisition reforms, though implementation timelines remain unclear amid his recent appointment following John Phelan's abrupt removal.

🛰️ Open sources - closed narratives
@sitreports
🔫 USMC 2nd Division to conduct first dedicated counter-UAS training at Twentynine Palms

Marine Air-Ground Task Force Training Command will host 2nd Marine Division for integrated counter-drone exercises between mid-July and late August. Maj. Gen. Farrell Sullivan described counter-UAS as a "significant concern," noting the service is building capabilities as conflicts in Ukraine and the Middle East demonstrate the evolving threat of small drones and FPV platforms.

The training reflects accelerated fielding driven by operational urgency rather than traditional timelines. Officials acknowledged gaps in maneuver-level coverage, prompting distribution of counter-UAS kits to smaller formations.

📡 Space Force Requests $4.5B for Space Data Network Architecture

The U.S. Space Force's FY27 budget includes $4.5 billion for its Space Data Network, a multi-orbit hybrid architecture integrating military and commercial relay satellites. Key components include $1.5B for SDN-Backbone R&D (a pLEO mesh constellation), $1.6B for procurement, and $1.4B for Space Link mission enclaves supporting Golden Dome interceptors. The SDN absorbs the classified MILNET program and effectively replaces SDA's Tranche 3 Transport Layer, which received zero funding.

The architecture serves as critical infrastructure for CJADC2 and Golden Dome missile defense, providing low-latency data pathways across domains. Congressional concerns about SpaceX vendor lock-in persist, though the Space Force commits to multi-contractor integration.

🔫 VECT 2.0 Ransomware Functions as Irreversible Data Wiper

The VECT 2.0 ransomware, advertised on BreachForums and linked to TeamPCP supply-chain attacks, contains a critical encryption flaw that permanently destroys files larger than 128KB rather than encrypting them. According to Check Point researchers, faulty nonce-handling logic overwrites the encryption keys during the process, leaving 75% of affected files unrecoverable even if the ransom is paid.

This threshold encompasses virtually all enterprise-critical data, including VM disks, databases, backups, and standard office documents. The flaw exists across all VECT 2.0 variants targeting Windows, Linux, and ESXi, making the ransomware effectively a destructive wiper rather than a viable extortion tool; recovery depends entirely on backups the malware did not reach.

🔫 LiteLLM Proxy Gateway Under Active SQLi Exploitation

Threat actors are exploiting CVE-2026-42208, a critical pre-authentication SQL injection flaw in LiteLLM, a widely used open-source gateway for AI model management with 45k GitHub stars. The vulnerability allows unauthenticated attackers to read and modify proxy databases containing API keys, virtual keys, and provider credentials by sending malicious Authorization headers. Exploitation began 36 hours after public disclosure on April 24, with researchers observing targeted attacks querying specific credential tables.

The flaw, patched in version 1.83.7, poses an immediate risk to internet-exposed instances managing multi-model LLM deployments. Organizations that ran vulnerable versions should treat those systems as compromised and rotate every stored credential, including the upstream provider keys the proxy holds on behalf of its users.

🔫 GitHub RCE Flaw Allowed Code Execution via Single Git Push

Critical vulnerability CVE-2026-3854 in GitHub Enterprise Cloud and Server enabled remote code execution through command injection in git push operations. The flaw stemmed from improper sanitization of user-supplied push option values passed in internal service headers, allowing attackers with repository push access to inject metadata, bypass sandbox protections, and execute arbitrary commands on backend infrastructure.

Wiz researchers discovered the vulnerability using AI-assisted analysis of closed-source code and reported it to GitHub on March 4, 2026; GitHub released patches within two hours. Because Enterprise Server is self-hosted and must be updated by each operator, 88% of those instances remain vulnerable despite the rapid fix. The attack chain could expose millions of repositories on shared storage nodes, so all affected versions should be patched immediately.

🔫 US charges Scattered Spider member arrested in Finland

A 19-year-old dual US-Estonian citizen using the alias "Bouquet" faces federal wire fraud and computer intrusion charges after Finnish authorities arrested him at Helsinki airport on April 10. According to Chicago Tribune reporting, temporarily unsealed court records link him to at least four Scattered Spider breaches, including attacks conducted when he was 16 years old.

The complaint details involvement in multi-million dollar extortion campaigns against corporations, including a luxury retailer hit with an $8 million ransom demand in May 2025. The financially motivated collective, known for social engineering and MFA bombing tactics, has previously breached Caesars, MGM Resorts, and multiple UK retailers.

🤖 Kamasers Botnet Combines DDoS and Ransomware Delivery

A newly analyzed DDoS botnet named Kamasers has been observed combining multi-vector distributed denial-of-service capabilities with malware loader functions that enable ransomware deployment and data theft. Research by ANY.RUN reveals the malware spreads via the GCleaner and Amadey loaders, with control infrastructure hosted on the Railnet LLC ASN, previously linked to bulletproof hosting operations.

Kamasers employs a Dead Drop Resolver mechanism using GitHub Gist, Telegram, and Dropbox to dynamically retrieve C2 addresses, evading static detection. Spanish-language commands observed in sessions suggest operator origins, while targeting spans Germany, U.S., Poland, and France across education, telecom, and tech sectors.

📄 Checkmarx Confirms LAPSUS$ Data Leak Following GitHub Breach

Application security firm Checkmarx has confirmed that LAPSUS$ threat actors leaked 96GB of data stolen from its private GitHub repository. The breach originated from a March 23 compromise linked to the Trivy supply-chain attack, where stolen credentials enabled unauthorized access. The attackers published malicious code and Docker images on April 22 before releasing the stolen data on both dark web and clearnet portals.

The incident highlights how downstream credential theft enabled persistent access across multiple organizations. Checkmarx states no customer data was stored in the affected repository, though forensic investigation continues. The company has blocked repository access pending completion of the probe.

🎭 Signal Phishing Campaign Targets German Political Elite

German prosecutors have launched an espionage investigation into a large-scale phishing operation targeting hundreds of Signal accounts belonging to politicians, ministers, military personnel, and journalists. Attackers impersonated Signal support or trusted contacts to trick victims into sharing authentication codes or scanning malicious QR codes, gaining access to private communications. High-profile targets included CDU politician Julia Klöckner, while German authorities suspect Russian state involvement.

The campaign exploited human trust rather than technical vulnerabilities: Signal's end-to-end encryption was never broken. A verification code handed over by the victim lets the attacker register the account on a device they control (absent a registration lock), and a scanned linking QR code enrolls the attacker's device as a legitimate linked device, so subsequent messages are delivered to it in the clear. Users can audit and remove unknown devices under Signal's Linked Devices settings.

🔫 Linux Kernel Flaw Enables 10-Line Root Exploit

A local privilege escalation vulnerability dubbed Copy Fail (CVE-2026-31431) allows unprivileged users to gain root access on most Linux distributions released since 2017. The flaw in the kernel's cryptographic template permits writing controlled bytes into any readable file's page cache, modifying binaries during execution without triggering filesystem defenses. A functional exploit is just 732 bytes of Python code.

Major distributions including Debian, Ubuntu, and SUSE have shipped patches for the high-severity flaw, which Theori identified with AI-assisted scanning. Although it requires local code execution, the vulnerability presents a container escape risk in Kubernetes environments because containers share the host kernel's single page cache rather than having their own, so a cached file tampered with from inside one container is the same cached file read elsewhere on the node.

🔫 SAP npm Packages Compromised in TeamPCP Supply Chain Attack

Four official SAP npm packages—@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt—were compromised to deploy credential-stealing malware targeting developers and CI/CD environments. According to security researchers, malicious preinstall scripts downloaded obfuscated payloads that exfiltrated npm tokens, GitHub credentials, SSH keys, cloud provider credentials, and Kubernetes secrets from CI runner memory, uploading encrypted data to GitHub repositories marked "A Mini Shai-Hulud has Appeared."

Researchers attribute the attack to TeamPCP with medium confidence, citing tactics identical to the earlier Bitwarden, Trivy, and Checkmarx compromises.

🔫 WordPress Plugin Harbored Five-Year Backdoor

Quick Page/Post Redirect, installed on over 70,000 WordPress sites, contained a hidden backdoor introduced in 2020-2021 versions that enabled remote code execution. Researcher Austin Ginder discovered the malware after infections triggered alerts across his hosting fleet, revealing that versions 5.2.1 and 5.2.2 included a self-update mechanism pointing to an external domain that pushed compromised code outside WordPress.org controls.

The backdoor remained dormant for years, serving mainly as a parasite SEO operation that affected logged-out visitors. Although the malicious C2 subdomain no longer resolves, the update mechanism persists on affected installations and presents an ongoing arbitrary code execution risk if the domain is reactivated; site owners should remove or replace the plugin rather than rely on the domain staying dark.

📡 Oak Ridge Lab Develops Portable GPS Interference Detector

Oak Ridge National Laboratory unveiled a portable device capable of detecting GPS spoofing and jamming attacks on commercial vehicles. The system uses a software-defined radio and embedded GPU running novel RF analysis algorithms to distinguish authentic satellite signals from malicious ones, even when both are equal in strength. Testing with DHS showed the device outperforms existing commercial systems while operating independently of GPS infrastructure.

The technology addresses growing threats to logistics networks, including cargo theft operations that exploit spoofed location data to misdirect high-value shipments. Researchers are now working to reduce production costs for wider deployment across the trucking industry.

🔫 LiteLLM SQL Injection Exploited Within 36 Hours of Disclosure

A critical SQL injection vulnerability in LiteLLM (CVE-2026-42208) was exploited just 36 hours after public disclosure. The flaw, affecting versions 1.81.16 to 1.83.6, allows unauthenticated attackers to manipulate database queries through crafted Authorization headers, potentially accessing or modifying sensitive credentials and API keys. The vulnerability was patched in version 1.83.7 on April 19, 2026.

The Sysdig Threat Research Team observed targeted exploitation attempts demonstrating precise knowledge of LiteLLM's database schema. Unlike typical automated attacks, according to the researchers, the intrusion showed deliberate enumeration efforts, though no evidence of data exfiltration or credential reuse was detected.
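The mechanism behind both LiteLLM items above (an Authorization header whose value reaches a database query) is the classic pre-authentication SQL injection shape. The following is an added illustration written for this digest, not LiteLLM's code: the table, column names and query are hypothetical stand-ins for a bearer-token lookup, shown in the vulnerable string-splicing form beside the parameterized fix, with a simple header check of the kind a proxy operator might add to request logging.

```python
"""Illustrative SQL injection through an HTTP Authorization header, beside the
parameterized fix. Added example; NOT LiteLLM's code. The table, columns and
query shape are hypothetical stand-ins for a bearer-token lookup."""
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: one virtual key mapped to a provider secret."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE virtual_keys (token TEXT PRIMARY KEY, owner TEXT, provider_secret TEXT)"
    )
    conn.execute(
        "INSERT INTO virtual_keys VALUES ('sk-sample-0001', 'alice', 'PROVIDER-SECRET-A')"
    )
    conn.commit()
    return conn


def bearer_token(headers: dict) -> str:
    """Extract the token from 'Authorization: Bearer <token>' (empty if absent)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return token.strip() if scheme.lower() == "bearer" else ""


def lookup_vulnerable(conn: sqlite3.Connection, headers: dict) -> list:
    """Flaw class described on the page: the header value is spliced into SQL,
    so a payload rewrites the WHERE clause and no valid key is needed."""
    token = bearer_token(headers)
    sql = f"SELECT owner, provider_secret FROM virtual_keys WHERE token = '{token}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, headers: dict) -> list:
    """Fix: bind the token as a parameter so it is only ever compared as data."""
    sql = "SELECT owner, provider_secret FROM virtual_keys WHERE token = ?"
    return conn.execute(sql, (bearer_token(headers),)).fetchall()


# Detection aid: quotes, comment markers or SQL keywords have no place in a
# bearer token; flag such requests for review in the proxy's access logs.
_SUSPICIOUS = re.compile(r"['\";]|--|/\*|\b(?:union|select)\b", re.IGNORECASE)


def header_looks_injected(headers: dict) -> bool:
    return bool(_SUSPICIOUS.search(bearer_token(headers)))


if __name__ == "__main__":
    db = build_db()
    attack = {"Authorization": "Bearer x' OR '1'='1"}
    print("vulnerable:", lookup_vulnerable(db, attack))  # leaks alice's secret
    print("safe:      ", lookup_safe(db, attack))         # []
    print("flagged:   ", header_looks_injected(attack))   # True
```

The payload never has to guess a key: the spliced quote closes the literal and the `OR '1'='1'` tail makes the predicate true for every row, which is exactly why the page's advice to rotate every credential the proxy stores follows once a vulnerable version has been exposed.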

🤖 Pentagon to Establish Sub-Unified Command for Autonomous Warfare

Secretary of Defense Pete Hegseth announced the U.S. military will soon designate a sub-unified command focused on autonomous warfare, citing the central role of drones in modern combat. The move follows U.S. Southern Command's recent launch of its Autonomous Warfare Command. Hegseth emphasized lessons from Ukraine and Operation Epic Fury as drivers behind the decision.

The Pentagon's fiscal 2027 budget requests $54 billion for autonomous systems, including $39.2 billion for "Drone Dominance" initiatives. Sub-unified command status signals enduring priority, placing autonomous warfare alongside elite structures like Joint Special Operations Command.

🔫 Microsoft Incomplete Patch Spawns New Windows Zero-Day Under Active Exploitation

Microsoft's February fix for CVE-2026-21510, a Windows Shell flaw exploited by Russia's APT28 against Ukraine and EU targets, failed to close a critical authentication coercion vector. The incomplete patch led to CVE-2026-32202, now actively exploited and flagged by CISA's Known Exploited Vulnerabilities catalog with a May 12 federal remediation deadline. The zero-click flaw enables attackers to harvest Net-NTLMv2 hashes via auto-parsed LNK files.

Akamai researchers discovered victim machines still authenticating to attacker servers despite the original RCE fix. The vulnerability permits credential theft and lateral movement without user interaction, a credential theft vector directly descended from APT28's original exploit chain. Standard NTLM-coercion mitigations apply alongside the patch: block outbound SMB (TCP 445) at the perimeter and require SMB signing to limit relay of any captured hashes.

🔍 SAP npm Packages Compromised in Supply Chain Attack

Multiple SAP-related npm packages have been compromised with credential-stealing malware dubbed "Mini Shai-Hulud." The malicious code was injected into legitimate packages used by developers working with SAP systems, enabling attackers to exfiltrate authentication credentials from affected development environments.

The compromise targets the npm supply chain, a critical vector given SAP's widespread enterprise adoption. Organizations using the affected packages face immediate credential-theft exposure, potentially granting attackers access to corporate SAP environments and sensitive business data.
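Both SAP npm items above come down to the same triage question for a repository owner: is one of the named packages in my lockfile, and does anything in the dependency tree run code at install time? The following is an added example for this digest, not SAP's or npm's code. It reads an npm `package-lock.json` (lockfileVersion 2/3 layout, where npm records `hasInstallScript` for packages with preinstall/install/postinstall hooks) and flags the four package names from the report, any package with an install-time script, and any tarball resolved outside the public registry. The compromised version numbers are not given on the page, so a watchlisted package is flagged for review against the vendor advisory rather than judged by version; the sample lockfile, its versions and the `evil-helper` package are constructed.

```python
"""Scan an npm package-lock.json for the SAP packages named on this page, for
install-time scripts, and for tarballs resolved outside the npm registry.
Added example; not SAP's or npm's code. Compromised versions are not given on
the page, so watchlisted names are flagged for manual review."""
import json

# Package names reported compromised (from the page).
WATCHLIST = {"@cap-js/sqlite", "@cap-js/postgres", "@cap-js/db-service", "mbt"}
REGISTRY_PREFIX = "https://registry.npmjs.org/"

# Constructed sample lockfile (lockfileVersion 3 layout). Versions and the
# 'evil-helper' package are made up for this demonstration.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@cap-js/sqlite": {
            "version": "9.9.9",
            "resolved": "https://registry.npmjs.org/@cap-js/sqlite/-/sqlite-9.9.9.tgz",
            "integrity": "sha512-AAAA",
        },
        "node_modules/express": {
            "version": "4.19.2",
            "resolved": "https://registry.npmjs.org/express/-/express-4.19.2.tgz",
        },
        "node_modules/evil-helper": {
            "version": "0.0.1",
            "resolved": "https://cdn.example.invalid/evil-helper-0.0.1.tgz",
            "hasInstallScript": True,
        },
    },
})


def package_name(path: str, meta: dict) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (aliases keep their 'name')."""
    return meta.get("name") or path.rsplit("node_modules/", 1)[-1]


def scan_lockfile(lock_text: str) -> list:
    """Return one finding per suspicious package, each with its reasons."""
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project itself, not a dependency
        name = package_name(path, meta)
        reasons = []
        if name in WATCHLIST:
            reasons.append("watchlisted package; check version against advisory")
        if meta.get("hasInstallScript"):
            reasons.append("runs install-time lifecycle script")
        resolved = meta.get("resolved", "")
        if resolved and not resolved.startswith(REGISTRY_PREFIX):
            reasons.append(f"resolved outside npm registry: {resolved}")
        if reasons:
            findings.append({"name": name, "version": meta.get("version"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_lockfile(SAMPLE_LOCK):
        print(finding["name"], finding["version"], "->", "; ".join(finding["reasons"]))
```

Run it against the real lockfile with `scan_lockfile(open("package-lock.json").read())`. Because the stealer described here ran from a preinstall hook, installing with `npm ci --ignore-scripts` on CI runners removes the execution step entirely and is worth doing regardless of what the scan finds.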

🔍 NSA-Developed OT Tool Contains XML External Entity Vulnerability

CISA issued an advisory on CVE-2026-6807, an XXE vulnerability affecting all versions of GrassMarlin, an NSA-developed network security tool for critical infrastructure and SCADA networks that reached end-of-life in 2017. The flaw stems from insufficient XML parsing hardening in session files, enabling data exfiltration through maliciously crafted .gm3 archives. According to reporting, exploitation requires tricking users into opening weaponized files, and a public PoC demonstrates base64-encoded exfiltration.

No patch is forthcoming because the tool is end-of-life. CISA recommends network isolation and access hardening. The threat vector is limited to phishing scenarios, which reduces the immediate risk for organizations with mature security awareness programs.
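The hardening the advisory says GrassMarlin's session-file loader lacks is the standard one for XXE: refuse any document that declares a DTD before the parser can resolve an entity. The following is an added example for this digest, not GrassMarlin's (Java) code. It uses Python's stdlib expat bindings to abort parsing the moment a DOCTYPE appears and disables parameter-entity processing as a second guard. The internal layout of a .gm3 archive is not described on the page, so the function operates on raw XML bytes from wherever the archive stores them; the benign session stub and the SYSTEM-entity payload are constructed samples.

```python
"""Reject XML that declares a DTD before a parser can act on it, which is the
hardening the advisory says GrassMarlin's session loader lacks. Added example;
not GrassMarlin's code. Operates on raw XML bytes because the .gm3 internal
layout is not described on the page."""
import xml.parsers.expat


class DoctypeRejected(ValueError):
    """Raised when the document declares a DTD (the XXE entry point)."""


def parse_without_dtd(data: bytes) -> list:
    """Parse XML while refusing any DOCTYPE; returns the element names seen."""
    parser = xml.parsers.expat.ParserCreate()
    # Belt and braces: never process parameter entities even if a DTD slipped in.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at '<!DOCTYPE', before any ENTITY declaration is processed.
        raise DoctypeRejected(f"DOCTYPE {name!r} not allowed in session files")

    elements = []
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.Parse(data, True)
    return elements


def is_safe_session_xml(data: bytes) -> bool:
    """True only if the document parses and carries no DTD at all."""
    try:
        parse_without_dtd(data)
        return True
    except (DoctypeRejected, xml.parsers.expat.ExpatError):
        return False


# Constructed samples: a benign session stub and an XXE payload of the shape
# commonly used for file exfiltration (a SYSTEM entity referenced in the body).
BENIGN = b'<?xml version="1.0"?><session><network name="plant-a"/></session>'
MALICIOUS = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE session [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b'<session><network name="&xxe;"/></session>'
)

if __name__ == "__main__":
    print("benign   ->", is_safe_session_xml(BENIGN))     # True
    print("malicious ->", is_safe_session_xml(MALICIOUS))  # False
```

Rejecting the DOCTYPE outright is simpler and safer than trying to allow "harmless" internal subsets, and it is the same posture a defender would apply to any file format that wraps XML, whether or not a patch ever ships for the parser that consumes it.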

🤖 DPRK Actors Deploy AI-Generated npm Packages in Developer Supply Chain Campaign

North Korean threat actors are distributing malware through npm packages with AI-generated code, alongside fake recruitment firms targeting software developers. The campaign employs remote access trojans to compromise victims through social engineering tactics focused on employment opportunities.

The operation demonstrates continued evolution of DPRK supply chain targeting methods, combining automated code generation with established social engineering frameworks. Developer-focused attack vectors remain a priority objective for revenue generation operations linked to Pyongyang-affiliated groups.

🔍 DHS Expanding Predator Drone Fleet for Domestic Surveillance

Customs and Border Protection plans to spend hundreds of millions of dollars on additional high-powered surveillance drones, with other DHS components potentially launching their own MQ-9 fleets, according to procurement records reviewed by 404 Media.

The expansion signals broader integration of military-grade aerial surveillance capabilities across DHS operations beyond traditional border monitoring, potentially establishing parallel drone infrastructure within multiple agency branches.
