SITREP - Independent OSINT Channel
AI, technology, mass surveillance, and intelligence — everything you need to know about tomorrow.
🔫 Quasar Linux RAT Targets Developer Workstations in Supply Chain Attack

A Linux variant of the Quasar remote access trojan is being deployed against software developers to harvest credentials and source code access tokens. The malware specifically targets development environments to enable downstream supply chain compromise through stolen authentication materials.

The shift to Linux-based developer tooling creates new attack surface for credential theft operations. According to reporting, successful compromise of developer credentials enables adversaries to inject malicious code into legitimate software pipelines, potentially affecting thousands of downstream users.

🛰️ Open sources - closed narratives
@sitreports
CISA Orders Federal Patch on Exploited Ivanti EPMM Flaw

CISA has mandated that U.S. federal agencies secure systems against CVE-2026-6973, a high-severity Ivanti Endpoint Manager Mobile vulnerability exploited in zero-day attacks, by midnight May 10. The flaw enables authenticated administrators to execute arbitrary code remotely on EPMM 12.8.0.0 and earlier versions, according to reporting by BleepingComputer.

Ivanti confirmed limited exploitation and released patches for versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. Shadowserver tracks over 800 exposed EPMM appliances globally, though patch adoption status remains unclear. The company advises credential rotation for admin accounts following previous January zero-day incidents in the same product line.

🔫 TCLBANKER Banking Trojan Spreads via Messaging Platforms

A banking trojan designated TCLBANKER is actively targeting financial platforms through automated propagation via WhatsApp and Microsoft Outlook. The malware employs worm-like behavior to spread through contact lists, expanding its reach across communication networks while attempting to compromise banking credentials and financial data.

The dual-vector distribution model represents an evolution in financial malware tactics, leveraging trusted communication channels to bypass traditional detection mechanisms. Security researchers warn that the trojan's self-propagating nature significantly amplifies infection potential across corporate and personal environments, requiring enhanced endpoint monitoring and email security controls.

🔍 Unpatched Linux root exploit circulates amid broken embargo

A critical privilege escalation vulnerability dubbed "Dirty Frag" affects Linux systems, with no patches available after a disclosure embargo collapsed. Public exploit code achieving root access was released before vendor coordination, leaving administrators exposed to active exploitation risk across multiple distributions.

The timing parallels recent CopyFail disclosure failures but escalates severity with immediate weaponization. According to reporting, no CVE has been assigned despite confirmed root-level impact, complicating enterprise risk assessment and mitigation prioritization in production environments.

🔫 JDownloader Website Compromised in Supply Chain Attack

The official JDownloader website was hacked May 6-7, 2026, with attackers exploiting an unpatched CMS vulnerability to replace Windows and Linux installers with malicious payloads. The Windows executable deployed an obfuscated Python-based RAT, while the Linux installer dropped SUID-root binaries for persistence. Legitimate installers are digitally signed by "AppWork GmbH".

This marks the third high-profile software tool compromise in recent weeks, following similar incidents affecting CPUID and DAEMON Tools. Users who downloaded affected installers should perform a full OS reinstallation and reset their credentials.

🔫 Fileless Linux RAT Targets Developer Infrastructure

Researchers identified QLNX, a previously undocumented Linux remote access trojan that operates entirely from memory to evade detection. The malware targets developers and DevOps environments, harvesting SSH keys, browser credentials, cloud tokens, and system secrets while deploying multiple persistence mechanisms including systemd services, PAM backdoors, and eBPF-based kernel-level hiding. According to Trend Micro analysis, it includes peer-to-peer mesh capabilities and can survive reboots through six redundant persistence methods, significantly complicating detection and removal across compromised development environments.

🔫 Vidar Stealer Deployed via Obfuscated AutoIt Loader Chain

A multi-stage infection targeting Microsoft Toolkit users delivers Vidar malware through legitimate scripting tools. The campaign leverages AutoIt-compiled loaders, file masquerading (.dot-to-.bat), and extract32.exe to deploy an encrypted payload. Analysis shows the malware queries processes for security tools, exfiltrates browser credentials, session cookies, and crypto wallets, then performs thorough cleanup by deleting artifacts and terminating its own process.

Command-and-control communication abuses Telegram and Steam profiles for beaconing, complicating network detection. Post-execution deletion significantly hinders forensic analysis.

🎭 Malicious Hugging Face Repository Impersonates OpenAI to Deploy Infostealer

A fake repository posing as OpenAI's "Privacy Filter" reached #1 on Hugging Face's trending list before accumulating 244,000 downloads. The malicious package delivered a Rust-based infostealer targeting browser credentials, cryptocurrency wallets, Discord tokens, SSH keys, and system data through multi-stage PowerShell execution with anti-analysis features to evade detection.

HiddenLayer researchers uncovered the campaign May 7, noting connections to broader typosquatting campaigns across npm and other platforms. Users who downloaded from the repository should reimage affected machines and rotate all stored credentials immediately.

🔫 cPanel and WHM Patch Three Vulnerabilities Following Zero-Day Exploitation

cPanel has released security updates addressing three newly disclosed vulnerabilities in its web hosting management platforms after evidence of zero-day exploitation in the wild. The vendor has urged immediate deployment of fixes, though specific CVEs and attack vectors were not immediately disclosed.

With cPanel powering millions of websites globally, exploitation at the management layer enables lateral movement across hosted environments, elevating risk for shared hosting infrastructure. Administrators should prioritize patching and review access logs for indicators of compromise.

🔫 MacSync Infostealer Deployed via Weaponized Claude.ai Shared Chats

Attackers exploit Google Ads and legitimate Claude.ai shared chat URLs to distribute macOS malware. Sponsored results for "Claude mac download" redirect victims to authentic claude.ai domains hosting malicious installation guides disguised as Apple Support documentation.

🤖 AI-Generated Zero-Day Bypasses 2FA in First Known Mass Exploitation

Threat actors have deployed the first documented zero-day vulnerability enabling mass bypass of two-factor authentication, developed using artificial intelligence tools. The exploit represents a qualitative shift in adversary capability, according to reporting from The Hacker News, marking AI's transition from theoretical threat vector to operational weapon in authentication circumvention.

The incident confirms an emerging pattern in which AI-assisted vulnerability research compresses the development timeline for novel attack methods. Organizations relying on 2FA as their primary authentication layer face an immediate re-evaluation of their security architectures, particularly where the implementation follows standard patterns susceptible to automated exploitation discovery.

🤖 AI-Generated Zero-Day Exploited in Targeted Campaign

Google's Threat Intelligence Group has identified criminal actors deploying an AI-generated zero-day vulnerability in a coordinated mass exploitation attempt. The incident marks a significant escalation beyond traditional AI-assisted social engineering, according to Google's analysis, demonstrating adversary capability to weaponize machine learning for vulnerability discovery and exploit development.

The development signals a tactical shift in threat actor tradecraft, compressing the exploit development cycle and potentially lowering technical barriers for sophisticated attacks. GTIG assessment indicates this represents operational maturation beyond phishing and chatbot manipulation into autonomous offensive capabilities.

🔍 ShinyHunters Resets Leak Deadline Following Double Canvas Breach Confirmation

Nearly 9,000 schools face data exposure after an intrusion into Double Canvas systems was confirmed. The threat actor ShinyHunters has reset the deadline for releasing compromised data, according to reporting by The Register, escalating pressure on the education technology platform.

The breach demonstrates persistent targeting of educational infrastructure, with ShinyHunters leveraging deadline extensions as a negotiation tactic. Affected institutions remain in a critical window for incident response and stakeholder notification as the threat actor maintains control of the timeline.

🔫 Instructure Confirms XSS Flaws Enabled Canvas Portal Defacement

Education technology provider Instructure disclosed that threat actor ShinyHunters exploited cross-site scripting vulnerabilities in Canvas LMS to inject malicious JavaScript and gain authenticated admin access. The May 7 defacement operation followed an initial April 29 breach in which ShinyHunters claims to have exfiltrated 3.6TB of data from 8,809 educational institutions affecting approximately 275 million records.

The attackers weaponized user-generated content features to hijack admin sessions and inject extortion messages onto login portals, demanding ransom negotiations by May 12. Instructure temporarily disabled Free-for-Teacher accounts and restored Canvas services on May 9 after applying additional safeguards.

🔫 Checkmarx Jenkins Plugin Compromised in Supply Chain Attack

Checkmarx warned that a malicious version of its Jenkins Application Security Testing plugin was published to the official Jenkins Marketplace by TeamPCP threat actors. The rogue version (2026.5.09) was uploaded May 9 using credentials stolen during the March Trivy vulnerability scanner breach, delivering credential-stealing malware to CI/CD pipelines.

The compromise marks the third incident in TeamPCP's campaign against Checkmarx since late March. Organizations using the Jenkins AST plugin should verify they're running version 2.0.13-829.vc72453fa_1c16 from December 2025, rotate all secrets, and investigate for lateral movement if the malicious version was deployed.

🔫 cPanel CVE-2026-41940 Exploited for Filemanager Backdoor

Active exploitation of CVE-2026-41940 targeting cPanel installations has been confirmed, with threat actors deploying backdoors through the platform's filemanager component. According to reporting, attackers are leveraging the vulnerability to establish persistent access on compromised web hosting infrastructure.

The exploitation pattern indicates focus on hosting providers and shared environments where cPanel remains widely deployed. Organizations running affected versions face immediate risk of unauthorized administrative access and lateral movement across hosted domains.

🔫 U.S. Plans Hypersonic Interceptor Demo by 2027

The Missile Defense Agency will conduct a flight test of Project Maverick along the U.S. east coast in fiscal 2027, aiming to demonstrate tracking and defeat capabilities against hypersonic missiles. The test will integrate multi-phenomenology sensor data with tactical battle management systems to direct an interceptor toward a hypersonic target, according to MDA budget documents.

The demonstration represents an interim solution while the agency's Glide Phase Interceptor program progresses toward 2031 deployment. MDA Director Lt. Gen. Heath Collins emphasized that current terminal defenses only engage threats in the endgame phase, whereas future systems will provide layered intercept opportunities against maneuvering hypersonic weapons traveling at Mach 5 or faster.

🔍 Pentagon's Strategic Capabilities Office details $1.7B operational priorities

SCO Director Jay Dryer outlined the classified office's three core portfolios at the AI+ Expo: long-range fires, autonomy and AI, and special enabling capabilities spanning cyber, electronic warfare, space and special operations. Eight focus areas include precision fires, contested logistics, collaborative systems, deception, advanced kill webs, countering adversary kill chains, extended reach survivability, and cost-effective air defense.

According to Dryer's briefing, project selection derives from combatant command requirements rather than internal preference, with built-in flexibility to adapt to testing outcomes and adversary evolution.
