SITREP - Independent OSINT Channel
AI, technology, mass surveillance, and intelligence — everything you need to know about tomorrow.
🤖 Pentagon Identifies Compute Capacity as Critical AI Bottleneck

Chief Digital and AI Officer Cameron Stanley disclosed that DOD is experiencing unprecedented demand for computational resources following AI integration across operational environments. During Operation Epic Fury, Palantir's Maven Smart System processed 894 million tokens daily across 13,000 targets in 38 days, demonstrating a fourfold increase in network utilization. The Pentagon has formalized agreements with eight major technology providers to deploy frontier AI models on classified networks.

Stanley characterized compute scarcity as the primary constraint on warfighter capability, noting infrastructure expansion announcements are forthcoming.

🛰️ Open sources - closed narratives
@sitreports
🔫 TCLBanker Trojan Weaponizes WhatsApp and Outlook for Worm Propagation

A new banking trojan targeting 59 financial platforms uses a trojanized Logitech installer to deploy malware that monitors browser activity for credential theft. The malware employs advanced anti-analysis protections and WPF-based overlays to deceive victims during active banking sessions.

TCLBanker's worm modules autonomously hijack WhatsApp Web sessions and Outlook accounts to spread malicious links to contacts, marking a significant evolution in LATAM malware capabilities. The campaign is currently focused on Brazilian targets, but researchers at Elastic Security Labs warn the threat may expand geographically, as previous regional malware campaigns have done.

🔫 State Actors Exploit Palo Alto Zero-Day for Weeks

Palo Alto Networks confirms suspected nation-state hackers exploited critical PAN-OS vulnerability CVE-2026-0300 for nearly a month before detection. The buffer overflow flaw allowed unauthenticated remote code execution with root privileges on exposed firewalls. Post-compromise activity included deployment of EarthWorm and ReverseSocks5 tunneling tools, Active Directory enumeration, and systematic log destruction.

The intrusion demonstrates advanced operational discipline: attackers used open-source tools rather than custom malware, conducted intermittent sessions over weeks to evade detection, and prioritized identity abuse over network pivoting. EarthWorm has been linked to China-nexus groups including APT41 and Volt Typhoon.

🤖 Pentagon Cyber Chief Sees Opportunity in Mythos AI Vulnerability Discovery

Katie Sutton, the Pentagon's Assistant Secretary of Defense for Cyber Policy, reframed concerns about Anthropic's Claude Mythos AI model discovering thousands of high-severity vulnerabilities as a success story. Speaking at the AI+ Expo, Sutton emphasized that frontier AI models represent opportunities to build more secure code and identify vulnerabilities before adversaries exploit them, according to Defense Scoop reporting.

The challenge lies in implementation speed—moving from days-or-weeks patching cycles to machine-speed responses in minutes or seconds. Pentagon CTO Emil Michael noted the Mythos moment is a defining test for how the U.S. government operationalizes vulnerability remediation at scale.

🔍 US nationals sentenced for laptop farm enabling DPRK IT infiltration

Matthew Isaac Knoot and Erick Ntekereze Prince received 18-month prison sentences for operating a laptop hosting scheme that enabled North Korean IT workers to remotely access systems at US companies. The operation involved renting devices to DPRK operatives who, according to federal reporting, posed as legitimate remote employees to infiltrate corporate networks.

The case demonstrates enforcement focus on infrastructure enablers rather than solely pursuing overseas threat actors. Laptop farms remain a key vector for DPRK revenue generation operations that fund regime priorities while undermining corporate security controls through insider positioning.

🔫 PCPJack Worm Evicts TeamPCP, Steals Cloud Credentials

A new malware framework called PCPJack is compromising exposed cloud infrastructure including Docker, Kubernetes, Redis, MongoDB, and RayML systems, while actively removing TeamPCP infections from the same hosts. The worm exploits five known vulnerabilities and harvests credentials from developer tools, messaging apps, financial services, and cloud platforms before exfiltrating data via encrypted Telegram channels.

SentinelLabs researchers believe PCPJack may be operated by a former TeamPCP affiliate, given striking similarities in targeting patterns and anti-TeamPCP cleaning routines. The framework includes lateral movement capabilities and persistence mechanisms and, according to analysis, propagates by scanning and exploiting vulnerable services at scale.

📡 HawkEye 360 Space Analytics Firm Reaches $3.15B Valuation on NYSE Debut

Shares of HawkEye 360 surged 30% during its New York Stock Exchange debut on Thursday, pushing the space analytics company's valuation to $3.15 billion, according to Reuters reporting. The firm specializes in radio frequency geospatial intelligence collection via satellite constellation.

The strong market reception signals growing investor confidence in commercial SIGINT capabilities and dual-use space infrastructure. HawkEye 360's RF monitoring services have applications across maritime domain awareness, spectrum mapping, and sanctions enforcement monitoring.

🔫 State Actors Exploit Palo Alto Firewall Zero-Day Pre-Patch

Internet-facing PAN-OS firewalls are under active exploitation by state-backed threat actors targeting a zero-day vulnerability prior to patch availability. The vulnerability enables unauthorized access to enterprise networks, with compromised devices functioning as initial access brokers.

The attack pattern demonstrates pre-patch exploitation timing characteristic of advanced persistent threat groups with prior vulnerability knowledge. Organizations running exposed PAN-OS instances face immediate compromise risk until vendor remediation becomes available.

🔫 RansomHouse Claims Trellix Breach, Posts Internal Screenshots

RansomHouse added cybersecurity firm Trellix to its leak site with screenshots allegedly showing access to internal systems. Trellix confirmed in early May that unauthorized actors accessed part of its source code repository, according to Security Affairs reporting, but stated no evidence suggests code tampering or exploitation to date.

Source code exposure can reveal software logic, APIs, and credentials—enabling attackers to identify vulnerabilities, develop exploits, or stage supply chain attacks. RansomHouse, active since late 2021, typically focuses on data theft and extortion rather than encryption, targeting organizations through weak credentials and exposed services.

🔫 Russia-Linked APT Groups Breach Poland's Water Treatment Facilities

Poland's Internal Security Agency confirmed that hackers breached industrial control systems at five water treatment plants in 2025, gaining the ability to modify equipment operating parameters in real time. The affected facilities in Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo were compromised through weak passwords and internet-exposed management interfaces, according to the official report.

ABW attributed the campaign to Russian groups APT28 and APT29, alongside Belarusian-aligned UNC1151. The incidents represent a direct threat to critical infrastructure continuity, moving beyond reconnaissance to potential sabotage capability against municipal water supplies.

Pentagon Deploys Directed Energy Counter-Drone Systems to Five Bases

Joint Interagency Task Force 401 announced a six-month pilot program to field high-energy laser and microwave systems at Fort Huachuca, Fort Bliss, Naval Base Kitsap, Grand Forks AFB, and Whiteman AFB. The initiative follows joint Pentagon-FAA testing in New Mexico that addressed safety concerns for commercial aviation.

The deployment reflects accelerated homeland defense priorities after repeated UAS incursions over military installations. Directed energy systems are preferred for domestic use due to minimal collateral risk, though operational deployment awaits final coordination with installation commanders later this year.

🔫 USMC Restructures Reconnaissance Training Around Drone-Saturated Battlefield

The Marine Corps has replaced its 12-week Basic Reconnaissance Course with two new nine-week programs—Ground Reconnaissance and Amphibious Reconnaissance—totaling 18 weeks. The courses now include infantry baseline training and sensor/robotic exposure, according to training command leadership. Officials acknowledge uncertainty about which specific systems to integrate given technology cycles that render equipment obsolete within months.

The restructuring addresses the challenge of concealment in sensor-dense environments where detection increasingly equals elimination.

🔫 RansomHouse Claims Trellix Source Code Breach

Cybersecurity firm Trellix confirmed unauthorized access to its source code repository on May 1st, following an April 17th intrusion claimed by RansomHouse. The threat group leaked screenshots as proof of access to the company's appliance management system, though authenticity remains unverified. Trellix serves over 53,000 customers globally including Fortune 100 firms.

According to reporting, Trellix found no evidence of source code exploitation or compromised distribution channels, though forensic investigation continues with law enforcement involvement. The incident marks another escalation for RansomHouse, which evolved from pure data extortion to deploying advanced dual-encryption tools targeting VMware ESXi environments.

🔫 Dirty Frag: Unpatched Linux Kernel Flaw Grants Root Access

Researcher Hyunwoo Kim disclosed an unpatched Linux kernel vulnerability, Dirty Frag, enabling unprivileged local users to gain root access on Ubuntu, RHEL, Fedora, AlmaLinux, and CentOS Stream. The flaw chains two separate bugs—xfrm-ESP and RxRPC Page-Cache Write vulnerabilities—introduced in 2017 and 2023 respectively. Unlike typical exploits, this deterministic logic bug requires no race conditions and maintains high reliability. Public exploit code is already available, reducing exploitation to a single command.

The embargo broke prematurely after third-party disclosure. No CVE has been assigned yet. Recommended mitigation: blocklist esp4, esp6, and rxrpc kernel modules until official patches are released.
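As an added example (not part of the SITREP post or of the researcher's disclosure), the POSIX shell functions below produce the modprobe.d content that implements the module blocklist recommended above and check a /proc/modules-style listing for the three modules. The sample listing is constructed for the demonstration; the configuration is printed rather than written to /etc/modprobe.d so an operator can review it before deploying.

```shell
#!/bin/sh
# Added example, not from the SITREP post: generate a modprobe.d blocklist for the
# esp4, esp6 and rxrpc modules named as the interim Dirty Frag mitigation, and report
# whether any of them is currently loaded. Assumption: the loaded-module list has the
# /proc/modules format (module name in the first column).

DIRTY_FRAG_MODULES="esp4 esp6 rxrpc"

# Print modprobe.d content for the mitigation.
# 'blacklist' only stops alias-based autoloading; 'install <mod> /bin/false' also makes
# an explicit modprobe request for the module fail, which is what a mitigation needs.
dirty_frag_modprobe_conf() {
    for m in $DIRTY_FRAG_MODULES; do
        printf 'blacklist %s\n' "$m"
        printf 'install %s /bin/false\n' "$m"
    done
}

# Print the names of mitigated modules that appear loaded in the listing given as $1
# (default: /proc/modules). Exit status 0 = none loaded, 1 = at least one loaded.
dirty_frag_loaded_modules() {
    listing="${1:-/proc/modules}"
    found=0
    for m in $DIRTY_FRAG_MODULES; do
        if awk -v mod="$m" '$1 == mod { hit = 1 } END { exit !hit }' "$listing"; then
            echo "$m"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Constructed sample of /proc/modules output (not captured from a real host):
# esp4 is loaded, the other two are not.
SAMPLE_MODULES="$(mktemp)"
cat > "$SAMPLE_MODULES" <<'EOF'
esp4 24576 0 - Live 0x0000000000000000
xfrm_algo 16384 1 esp4, Live 0x0000000000000000
ext4 815104 2 - Live 0x0000000000000000
EOF

# Stand-alone run: show the config and the check against the sample listing.
echo "# proposed /etc/modprobe.d/dirty-frag.conf"
dirty_frag_modprobe_conf
echo "# mitigated modules currently loaded (sample listing):"
dirty_frag_loaded_modules "$SAMPLE_MODULES" || echo "# at least one module is loaded; unload it or reboot"
```

Two caveats worth keeping in mind when applying this: a module that is already loaded is unaffected by modprobe.d and must still be unloaded or the host rebooted, and esp4/esp6 implement IPsec ESP, so a host that terminates IPsec tunnels loses that function for as long as the block is in place.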

🔫 Quasar Linux RAT Targets Developer Workstations in Supply Chain Attack

A Linux variant of the Quasar remote access trojan is being deployed against software developers to harvest credentials and source code access tokens. The malware specifically targets development environments to enable downstream supply chain compromise through stolen authentication materials.

The shift to Linux-based developer tooling creates new attack surface for credential theft operations. According to reporting, successful compromise of developer credentials enables adversaries to inject malicious code into legitimate software pipelines, potentially affecting thousands of downstream users.

CISA Orders Federal Patch on Exploited Ivanti EPMM Flaw

CISA has mandated U.S. federal agencies secure systems against CVE-2026-6973, a high-severity Ivanti Endpoint Manager Mobile vulnerability exploited in zero-day attacks, by midnight May 10. The flaw enables authenticated administrators to execute arbitrary code remotely on EPMM 12.8.0.0 and earlier versions, according to reporting by BleepingComputer.

Ivanti confirmed limited exploitation and released patches for versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. Shadowserver tracks over 800 exposed EPMM appliances globally, though patch adoption status remains unclear. The company advises credential rotation for admin accounts following previous January zero-day incidents in the same product line.
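To turn the version numbers in the post into an inventory check, the POSIX shell functions below are an added example, not Ivanti's or CISA's tooling. They take the fixed builds the post names (12.6.1.1, 12.7.0.1, 12.8.0.1) and classify an EPMM version string by its release branch: a version older than the fixed build on its own branch is reported as affected, a branch with no listed fix at or below 12.8.0.0 is reported as affected with an upgrade recommendation, and a version newer than any build named in the post is reported as unknown rather than assumed fixed. Version strings are assumed to be purely numeric dotted components, and the inventory at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not vendor tooling: classify Ivanti EPMM version strings against the
# fixed builds for CVE-2026-6973 named in the post. Assumptions: versions are numeric
# dotted components, and the first three components identify the release branch.

FIXED_VERSIONS="12.6.1.1 12.7.0.1 12.8.0.1"
LAST_AFFECTED="12.8.0.0"   # the post: 12.8.0.0 and earlier are affected

# Compare two dotted version strings component by component; missing components
# count as 0. Prints -1, 0 or 1 as $1 is older than, equal to, or newer than $2.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then echo -1; return; fi
        if [ "$ai" -gt "$bi" ]; then echo 1; return; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    echo 0
}

# Release branch = first three components (12.8.0.1 -> 12.8.0).
version_branch() {
    printf '%s\n' "$1" | cut -d. -f1-3
}

# Print one classification line for the EPMM version given as $1.
epmm_status() {
    v="$1"
    branch="$(version_branch "$v")"
    for f in $FIXED_VERSIONS; do
        if [ "$(version_branch "$f")" = "$branch" ]; then
            if [ "$(version_cmp "$v" "$f")" -ge 0 ]; then
                echo "fixed"
            else
                echo "affected: upgrade to $f"
            fi
            return
        fi
    done
    # No fixed build on this branch at all.
    if [ "$(version_cmp "$v" "$LAST_AFFECTED")" -le 0 ]; then
        echo "affected: branch has no fixed build, move to a fixed branch"
    else
        echo "unknown: newer than the builds named in the advisory, check vendor guidance"
    fi
}

# Constructed inventory (hostnames and versions are made up for the demonstration).
INVENTORY="mdm-01 12.8.0.0
mdm-02 12.8.0.1
mdm-03 12.6.1.0
mdm-04 12.5.0.0"

printf '%s\n' "$INVENTORY" | while read -r host ver; do
    printf '%-8s %-10s %s\n' "$host" "$ver" "$(epmm_status "$ver")"
done
```

The branch-aware comparison matters because a plain "is it at least 12.8.0.1" test would wrongly flag a patched 12.7.0.1 appliance as affected; the post lists fixes on three branches, and each appliance is judged against the fix on its own.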

🔫 TCLBANKER Banking Trojan Spreads via Messaging Platforms

A banking trojan designated TCLBANKER is actively targeting financial platforms through automated propagation via WhatsApp and Microsoft Outlook. The malware employs worm-like behavior to spread through contact lists, expanding its reach across communication networks while attempting to compromise banking credentials and financial data.

The dual-vector distribution model represents an evolution in financial malware tactics, leveraging trusted communication channels to bypass traditional detection mechanisms. Security researchers warn that the trojan's self-propagating nature significantly amplifies infection potential across corporate and personal environments, requiring enhanced endpoint monitoring and email security controls.

🔍 Unpatched Linux root exploit circulates amid broken embargo

A critical privilege escalation vulnerability dubbed "Dirty Frag" is affecting Linux systems with no available patches after a disclosure embargo collapse. Public exploit code achieving root access has been released before vendor coordination, leaving administrators exposed to active exploitation risk across multiple distributions.

The timing parallels recent CopyFail disclosure failures but escalates severity with immediate weaponization. According to reporting, no CVE has been assigned despite confirmed root-level impact, complicating enterprise risk assessment and mitigation prioritization in production environments.
