Critical vm2 Sandbox Escape Enables Host Code Execution
CVE-2026-26956, a critical vulnerability in the Node.js sandboxing library vm2, allows attackers to escape the sandbox and execute arbitrary code on host systems. The flaw affects vm2 version 3.10.4 on Node.js 25 with WebAssembly exception handling enabled, in a library with over 1.3 million weekly downloads. According to the security advisory, the vulnerability abuses WebAssembly exception handling to bypass JavaScript-level protections, causing host-side error objects to leak into the sandbox.
Users should upgrade to vm2 version 3.10.5 or later immediately. This is the latest in a series of sandbox escape flaws affecting vm2, following CVE-2026-22709 and multiple critical vulnerabilities in 2022-2023.
Open sources - closed narratives
@sitreports
DAEMON Tools Lite Trojanized in Supply Chain Attack
Disc Soft confirmed that DAEMON Tools Lite version 12.5.1 was compromised between April 8 and May 5, with attackers backdooring systems across 100+ countries. The trojanized installers, digitally signed and distributed via official channels, deployed information stealers and backdoors to thousands of systems, with some infections escalating to QUIC RAT deployment across the retail, government, and manufacturing sectors.
The 27-day compromise window enabled extensive multi-stage payload delivery before Disc Soft released clean version 12.6. The incident highlights persistent supply chain vulnerabilities where valid code-signing certificates enable deep network penetration before detection.
Iranian Intelligence Cyber Unit Mimics Ransomware to Mask Espionage
An MOIS-linked threat actor is deploying ransomware as theatrical cover while maintaining persistent backdoor access to compromised networks. The Register reports that the operation prioritizes intelligence collection over financial extortion, with encryption serving as misdirection rather than as the primary objective.
The tactic complicates attribution and enables longer-term access by shifting victim focus toward data recovery instead of counterintelligence response. Defenders should treat ransomware incidents involving geopolitically relevant targets as potential espionage vehicles requiring full forensic scope.
Pentagon Overrides Army Cyber Training Policy
The Pentagon is implementing a three-year cybersecurity training requirement for service members, overriding the Army's February directive that reduced mandatory training to once every five years. The shift follows Defense Secretary Hegseth's memo directing reduced administrative burdens, though according to DefenseScoop reporting, neither entity confirmed coordination on the conflicting cycles. Civilian personnel and contractors continue annual training.
The Pentagon's CISO states the three-year cycle balances security with readiness restoration. Commanders will tailor cyber training to mission-specific risks, despite analyst warnings about reducing training frequency amid escalating cyber threats.
ShinyHunters Defaces 330 Canvas Login Portals in Escalated Instructure Extortion
ShinyHunters exploited a vulnerability to deface Canvas login portals at approximately 330 educational institutions for 30 minutes, threatening to leak stolen student data if ransom demands are not met by May 12. The attack follows last week's breach where the gang claimed theft of 280 million records from 8,809 schools, with Instructure confirming data theft but providing limited transparency to affected students and staff.
The attack demonstrates escalation from data theft to active service disruption. Instructure took the platform offline following the defacement, with the vulnerability reportedly allowing direct modification of institutional login pages and mobile app interfaces.
Pentagon Identifies Compute Capacity as Critical AI Bottleneck
Chief Digital and AI Officer Cameron Stanley disclosed that DOD is experiencing unprecedented demand for computational resources following AI integration across operational environments. During Operation Epic Fury, Palantir's Maven Smart System processed 894 million tokens daily across 13,000 targets in 38 days, demonstrating a fourfold increase in network utilization. The Pentagon has formalized agreements with eight major technology providers to deploy frontier AI models on classified networks.
Stanley characterized compute scarcity as the primary constraint on warfighter capability, noting infrastructure expansion announcements are forthcoming.
TCLBanker Trojan Weaponizes WhatsApp and Outlook for Worm Propagation
A new banking trojan targeting 59 financial platforms uses a trojanized Logitech installer to deploy malware that monitors browser activity for credential theft. The malware employs advanced anti-analysis protections and WPF-based overlays to deceive victims during active banking sessions.
TCLBanker's worm modules autonomously hijack WhatsApp Web sessions and Outlook accounts to spread malicious links to contacts, marking a significant evolution in LATAM malware capabilities. The campaign currently focuses on Brazilian targets, but researchers at Elastic Security Labs warn the threat may expand geographically, as previous regional malware campaigns have done.
State Actors Exploit Palo Alto Zero-Day for Weeks
Palo Alto Networks confirms suspected nation-state hackers exploited critical PAN-OS vulnerability CVE-2026-0300 for nearly a month before detection. The buffer overflow flaw allowed unauthenticated remote code execution with root privileges on exposed firewalls. Post-compromise activity included deployment of EarthWorm and ReverseSocks5 tunneling tools, Active Directory enumeration, and systematic log destruction.
The intrusion demonstrates advanced operational discipline: attackers used open-source tools rather than custom malware, conducted intermittent sessions over weeks to evade detection, and prioritized identity abuse over network pivoting. EarthWorm has been linked to China-nexus groups including APT41 and Volt Typhoon.
Pentagon Cyber Chief Sees Opportunity in Mythos AI Vulnerability Discovery
Katie Sutton, the Pentagon's Assistant Secretary of Defense for Cyber Policy, reframed concerns about Anthropic's Claude Mythos AI model discovering thousands of high-severity vulnerabilities as a success story. Speaking at the AI+ Expo, Sutton emphasized that frontier AI models represent opportunities to build more secure code and to identify vulnerabilities before adversaries exploit them, according to Defense Scoop reporting.
The challenge lies in implementation speed: moving from patching cycles of days or weeks to machine-speed responses in minutes or seconds. Pentagon CTO Emil Michael noted that the Mythos moment is a defining test of how the U.S. government operationalizes vulnerability remediation at scale.
US Nationals Sentenced for Laptop Farm Enabling DPRK IT Infiltration
Matthew Isaac Knoot and Erick Ntekereze Prince received 18-month prison sentences for operating a laptop hosting scheme that enabled North Korean IT workers to remotely access systems at US companies. The operation involved renting devices to DPRK operatives who, according to federal reporting, posed as legitimate remote employees to infiltrate corporate networks.
The case demonstrates enforcement focus on infrastructure enablers rather than solely pursuing overseas threat actors. Laptop farms remain a key vector for DPRK revenue generation operations that fund regime priorities while undermining corporate security controls through insider positioning.
PCPJack Worm Evicts TeamPCP, Steals Cloud Credentials
A new malware framework called PCPJack is compromising exposed cloud infrastructure including Docker, Kubernetes, Redis, MongoDB, and RayML systems, while actively removing TeamPCP infections from the same hosts. The worm exploits five known vulnerabilities and harvests credentials from developer tools, messaging apps, financial services, and cloud platforms before exfiltrating data via encrypted Telegram channels.
SentinelLabs researchers believe PCPJack may be operated by a former TeamPCP affiliate, given striking similarities in targeting patterns and anti-TeamPCP cleaning routines. The framework includes lateral movement capabilities, persistence mechanisms, and according to analysis, propagates by scanning and exploiting vulnerable services at scale.
HawkEye 360 Space Analytics Firm Reaches $3.15B Valuation on NYSE Debut
Shares of HawkEye 360 surged 30% during its New York Stock Exchange debut on Thursday, pushing the space analytics company's valuation to $3.15 billion, according to Reuters reporting. The firm specializes in radio frequency geospatial intelligence collection via satellite constellation.
The strong market reception signals growing investor confidence in commercial SIGINT capabilities and dual-use space infrastructure. HawkEye 360's RF monitoring services have applications across maritime domain awareness, spectrum mapping, and sanctions enforcement monitoring.
State Actors Exploit Palo Alto Firewall Zero-Day Pre-Patch
Internet-facing PAN-OS firewalls are under active exploitation by state-backed threat actors targeting a zero-day vulnerability prior to patch availability. The vulnerability enables unauthorized access to enterprise networks, with compromised devices functioning as initial access brokers.
The attack pattern demonstrates pre-patch exploitation timing characteristic of advanced persistent threat groups with prior vulnerability knowledge. Organizations running exposed PAN-OS instances face immediate compromise risk until vendor remediation becomes available.