🔫 RansomHouse Claims Trellix Breach, Posts Internal Screenshots
RansomHouse added cybersecurity firm Trellix to its leak site with screenshots allegedly showing access to internal systems. Trellix confirmed in early May that unauthorized actors accessed part of its source code repository, according to Security Affairs reporting, but stated no evidence suggests code tampering or exploitation to date.
Source code exposure can reveal software logic, APIs, and credentials—enabling attackers to identify vulnerabilities, develop exploits, or stage supply chain attacks. RansomHouse, active since late 2021, typically focuses on data theft and extortion rather than encryption, targeting organizations through weak credentials and exposed services.
🛰️ Open sources - closed narratives
@sitreports
🔫 Russia-Linked APT Groups Breach Poland's Water Treatment Facilities
Poland's Internal Security Agency confirmed that hackers breached industrial control systems at five water treatment plants in 2025, gaining the ability to modify equipment operating parameters in real time. The affected facilities in Jabłonna Lacka, Szczytno, Małdyty, Tolkmicko, and Sierakowo were compromised through weak passwords and internet-exposed management interfaces, according to the official report.
ABW attributed the campaign to Russian groups APT28 and APT29, alongside Belarusian-aligned UNC1151. The incidents represent a direct threat to critical infrastructure continuity, moving beyond reconnaissance to potential sabotage capability against municipal water supplies.
⚡ Pentagon Deploys Directed Energy Counter-Drone Systems to Five Bases
Joint Interagency Task Force 401 announced a six-month pilot program to field high-energy laser and microwave systems at Fort Huachuca, Fort Bliss, Naval Base Kitsap, Grand Forks AFB, and Whiteman AFB. The initiative follows joint Pentagon-FAA testing in New Mexico that addressed safety concerns for commercial aviation.
The deployment reflects accelerated homeland defense priorities after repeated UAS incursions over military installations. Directed energy systems are preferred for domestic use due to minimal collateral risk, though operational deployment awaits final coordination with installation commanders later this year.
🔫 USMC Restructures Reconnaissance Training Around Drone-Saturated Battlefield
The Marine Corps has replaced its 12-week Basic Reconnaissance Course with two new nine-week programs—Ground Reconnaissance and Amphibious Reconnaissance—totaling 18 weeks. The courses now include infantry baseline training and sensor/robotic exposure, according to training command leadership. Officials acknowledge uncertainty about which specific systems to integrate given technology cycles that render equipment obsolete within months.
The restructuring addresses the challenge of concealment in sensor-dense environments where detection increasingly equals elimination.
🔫 RansomHouse Claims Trellix Source Code Breach
Cybersecurity firm Trellix confirmed unauthorized access to its source code repository on May 1st, following an April 17th intrusion claimed by RansomHouse. The threat group leaked screenshots as proof of access to the company's appliance management system, though authenticity remains unverified. Trellix serves over 53,000 customers globally including Fortune 100 firms.
According to reporting, Trellix found no evidence of source code exploitation or compromised distribution channels, though forensic investigation continues with law enforcement involvement. The incident marks another escalation for RansomHouse, which evolved from pure data extortion to deploying advanced dual-encryption tools targeting VMware ESXi environments.
🔫 Dirty Frag: Unpatched Linux Kernel Flaw Grants Root Access
Researcher Hyunwoo Kim disclosed an unpatched Linux kernel vulnerability, Dirty Frag, enabling unprivileged local users to gain root access on Ubuntu, RHEL, Fedora, AlmaLinux, and CentOS Stream. The flaw chains two separate bugs, the xfrm-ESP and RxRPC Page-Cache Write vulnerabilities, introduced in 2017 and 2023 respectively. Unlike many kernel exploits, which depend on winning a race condition, this is a deterministic logic bug, so exploitation is highly reliable. Public exploit code is already available, reducing exploitation to a single command.
The embargo broke prematurely after third-party disclosure. No CVE has been assigned yet. Recommended mitigation: blocklist esp4, esp6, and rxrpc kernel modules until official patches are released.
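An added example (not from the @sitreports post) of staging the interim mitigation the post recommends on a Linux host: it renders a modprobe.d fragment that refuses to load esp4, esp6 and rxrpc, reports whether any of them is currently loaded, and applies the fragment only when explicitly asked. The fragment path, the DIRTYFRAG_APPLY switch and the sample /proc/modules listing are assumptions.

```shell
#!/bin/sh
# Added example, not code from the post: keep the esp4, esp6 and rxrpc kernel
# modules from loading until the distribution ships a Dirty Frag fix.
# Assumes a Linux host with modprobe.d and /proc/modules; applying needs root.

DIRTYFRAG_MODULES="esp4 esp6 rxrpc"

# Render a modprobe.d fragment. "install <mod> /bin/false" makes any load
# attempt fail; the "blacklist" keyword alone only stops alias-based
# autoloading, so an explicit "modprobe esp4" would still succeed.
render_modprobe_conf() {
    for m in $DIRTYFRAG_MODULES; do
        printf 'install %s /bin/false\n' "$m"
        printf 'blacklist %s\n' "$m"
    done
}

# Print, space separated and in DIRTYFRAG_MODULES order, the target modules
# that appear in a /proc/modules listing read from stdin (module name is the
# first column). Reading stdin lets it run on the live file or on a sample.
loaded_target_modules() {
    awk -v want="$DIRTYFRAG_MODULES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) target[w[i]] = 1 }
        ($1 in target) { found[$1] = 1 }
        END {
            sep = ""
            for (i = 1; i <= n; i++) if (w[i] in found) { printf "%s%s", sep, w[i]; sep = " " }
            print ""
        }'
}

# Write the fragment and unload any target module that is already loaded.
# rmmod fails if the module is in use (an active IPsec SA, or kafs holding
# rxrpc); the error is reported rather than hidden so the operator can decide.
apply_mitigation() {
    conf="${1:-/etc/modprobe.d/dirtyfrag-interim.conf}"   # assumed path
    render_modprobe_conf > "$conf"
    for m in $(loaded_target_modules < /proc/modules); do
        rmmod "$m" || echo "could not unload $m (still in use?)" >&2
    done
}

# Constructed sample of /proc/modules lines for an offline check.
SAMPLE_MODULES='esp4 20480 0 - Live 0x0000000000000000
xfrm_algo 16384 1 esp4, Live 0x0000000000000000
rxrpc 225280 1 af_rxrpc, Live 0x0000000000000000
ext4 851968 2 - Live 0x0000000000000000'

# Dry run by default; set DIRTYFRAG_APPLY=1 (as root) to write and unload.
if [ "${DIRTYFRAG_APPLY:-0}" = "1" ]; then
    apply_mitigation
else
    render_modprobe_conf
    if [ -r /proc/modules ]; then
        echo "target modules loaded now: $(loaded_target_modules < /proc/modules)"
    else
        echo "target modules in sample: $(printf '%s\n' "$SAMPLE_MODULES" | loaded_target_modules)"
    fi
fi
```

The live check reads /proc/modules directly, so it also serves as a quick verification after a reboot that the fragment actually kept the modules out.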
🔫 Quasar Linux RAT Targets Developer Workstations in Supply Chain Attack
A Linux variant of the Quasar remote access trojan is being deployed against software developers to harvest credentials and source code access tokens. The malware specifically targets development environments to enable downstream supply chain compromise through stolen authentication materials.
The shift to Linux-based developer tooling creates new attack surface for credential theft operations. According to reporting, successful compromise of developer credentials enables adversaries to inject malicious code into legitimate software pipelines, potentially affecting thousands of downstream users.
⚡ CISA Orders Federal Patch on Exploited Ivanti EPMM Flaw
CISA has mandated U.S. federal agencies secure systems against CVE-2026-6973, a high-severity Ivanti Endpoint Manager Mobile vulnerability exploited in zero-day attacks, by midnight May 10. The flaw enables authenticated administrators to execute arbitrary code remotely on EPMM 12.8.0.0 and earlier versions, according to reporting by BleepingComputer.
Ivanti confirmed limited exploitation and released patches for versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. Shadowserver tracks over 800 exposed EPMM appliances globally, though patch adoption status remains unclear. The company advises credential rotation for admin accounts following previous January zero-day incidents in the same product line.
🔫 TCLBANKER Banking Trojan Spreads via Messaging Platforms
A banking trojan designated TCLBANKER is actively targeting financial platforms through automated propagation via WhatsApp and Microsoft Outlook. The malware employs worm-like behavior to spread through contact lists, expanding its reach across communication networks while attempting to compromise banking credentials and financial data.
The dual-vector distribution model represents an evolution in financial malware tactics, leveraging trusted communication channels to bypass traditional detection mechanisms. Security researchers warn that the trojan's self-propagating nature significantly amplifies infection potential across corporate and personal environments, requiring enhanced endpoint monitoring and email security controls.
🔍 Unpatched Linux root exploit circulates amid broken embargo
A critical privilege escalation vulnerability dubbed "Dirty Frag" is affecting Linux systems with no available patches after a disclosure embargo collapse. Public exploit code achieving root access has been released before vendor coordination, leaving administrators exposed to active exploitation risk across multiple distributions.
The timing parallels recent CopyFail disclosure failures but escalates severity with immediate weaponization. According to reporting, no CVE has been assigned despite confirmed root-level impact, complicating enterprise risk assessment and mitigation prioritization in production environments.
🔫 JDownloader Website Compromised in Supply Chain Attack
The official JDownloader website was hacked May 6-7, 2026, with attackers exploiting an unpatched CMS vulnerability to replace Windows and Linux installers with malicious payloads. The Windows executable deployed an obfuscated Python-based RAT, while the Linux installer dropped SUID-root binaries for persistence. Legitimate installers are digitally signed by "AppWork GmbH".
This marks the third high-profile software tool compromise in recent weeks, following similar incidents affecting CPUID and DAEMON Tools. Users who downloaded affected installers should perform full OS reinstallation and credential resets.
🔫 Fileless Linux RAT Targets Developer Infrastructure
Researchers identified QLNX, a previously undocumented Linux remote access trojan that operates entirely from memory to evade detection. The malware targets developers and DevOps environments, harvesting SSH keys, browser credentials, cloud tokens, and system secrets while deploying multiple persistence mechanisms including systemd services, PAM backdoors, and eBPF-based kernel-level hiding. According to Trend Micro analysis, it includes peer-to-peer mesh capabilities and can survive reboots through six redundant persistence methods, significantly complicating detection and removal across compromised development environments.
🔫 Vidar Stealer Deployed via Obfuscated AutoIt Loader Chain
A multi-stage infection targeting Microsoft Toolkit users delivers Vidar malware through legitimate scripting tools. The campaign leverages AutoIt-compiled loaders, file masquerading (.dot-to-.bat), and extract32.exe to deploy an encrypted payload. Analysis shows the malware queries processes for security tools, exfiltrates browser credentials, session cookies, and crypto wallets, then performs thorough cleanup by deleting artifacts and terminating its own process.
Command-and-control communication abuses Telegram and Steam profiles for beaconing, complicating network detection. Post-execution deletion significantly hinders forensic analysis.
🎭 Malicious Hugging Face Repository Impersonates OpenAI to Deploy Infostealer
A fake repository posing as OpenAI's "Privacy Filter" reached #1 on Hugging Face's trending list before accumulating 244,000 downloads. The malicious package delivered a Rust-based infostealer targeting browser credentials, cryptocurrency wallets, Discord tokens, SSH keys, and system data through multi-stage PowerShell execution with anti-analysis features to evade detection.
HiddenLayer researchers uncovered the campaign May 7, noting connections to broader typosquatting campaigns across npm and other platforms. Users who downloaded from the repository should reimage affected machines and rotate all stored credentials immediately.
🔫 cPanel and WHM Patch Three Vulnerabilities Following Zero-Day Exploitation
cPanel has released security updates addressing three newly disclosed vulnerabilities in its web hosting management platforms after evidence of zero-day exploitation in the wild. The vendor has urged immediate deployment of fixes, though specific CVEs and attack vectors were not immediately disclosed.
With cPanel powering millions of websites globally, exploitation at the management layer enables lateral movement across hosted environments, elevating risk for shared hosting infrastructure. Administrators should prioritize patching and review access logs for indicators of compromise.