🔫 Pwn2Own Berlin Day Two: Exchange Server Breached, $900K Total Payout
Day two of Pwn2Own Berlin 2026 saw researchers earn $385,750 for demonstrating 15 zero-day vulnerabilities in Microsoft Exchange, Windows 11, and Red Hat Enterprise Linux. Orange Tsai of DEVCORE chained three bugs to achieve remote code execution as SYSTEM on Exchange, earning $200,000. Multiple Windows 11 privilege escalation flaws and attacks on AI-powered tools like Cursor and LiteLLM were also successful.
The two-day total now stands at $908,750 for 39 unique vulnerabilities, according to competition reporting. DEVCORE leads with $405,000 earned. Vendors have 90 days to patch disclosed flaws before details become public. One competition day remains with high-value targets still available.
🛰️ Open sources - closed narratives
@sitreports
🔫 Microsoft Exchange and Windows 11 compromised at Pwn2Own Berlin
During the second day of Pwn2Own Berlin 2026, security researchers demonstrated 15 zero-day vulnerabilities across enterprise platforms, collecting $385,750 in awards. Orange Tsai of DEVCORE earned $200,000 by chaining three bugs for remote code execution with SYSTEM privileges on Microsoft Exchange, while additional exploits targeted Windows 11, Red Hat Enterprise Linux, and NVIDIA Container Toolkit.
The competition showcases critical vulnerabilities in widely deployed enterprise infrastructure before vendors receive 90-day disclosure periods to develop patches. According to reporting, AI coding agents including Cursor and OpenAI Codex were also compromised, highlighting emerging attack surfaces in development environments.
🛰️ Open sources - closed narratives
@sitreports
⚡ Microsoft Exchange Server Zero-Day Under Active Exploitation
Microsoft has confirmed active in-the-wild exploitation of CVE-2026-42897, a cross-site scripting vulnerability in Exchange Server with a CVSS score of 8.1. The flaw affects Outlook Web Access, allowing attackers to execute malicious JavaScript by sending specially crafted emails. The vulnerability emerged just two days after Microsoft's May 2026 Patch Tuesday, which addressed 138 other vulnerabilities but not this zero-day.
Microsoft has released temporary mitigation measures while a permanent patch is developed. Exchange Server zero-days remain high-value targets for both espionage and ransomware groups due to their central role in corporate communications and frequent internet exposure.
🛰️ Open sources - closed narratives
@sitreports
🔫 Node-ipc npm Package Compromised in Credential Theft Campaign
Three malicious versions of node-ipc, a popular inter-process communication package with 690,000 weekly downloads, were published after an external actor compromised an inactive maintainer's account. The malware, embedded in versions 9.1.6, 9.2.3, and 12.0.1, exfiltrates cloud credentials, SSH keys, CI/CD secrets, and browser data through heavily obfuscated code that uses DNS TXT queries for stealth.
The infostealer targets AWS, Azure, GCP, Kubernetes, Docker, and development platform credentials, generating up to 29,400 DNS requests per 500KB archive to blend with normal traffic. Affected developers must immediately remove compromised versions, rotate all exposed secrets, and audit dependency lockfiles for indicators of compromise.
🛰️ Open sources - closed narratives
@sitreports
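One way to carry out the lockfile audit mentioned in the node-ipc post, as an added example that is not part of the original post: it flags the three versions named above in both npm lockfile layouts (the v1 `dependencies` tree and the v2/v3 `packages` map), including aliased installs. The function names and the sample lockfiles are constructed for illustration.

```javascript
// Versions of node-ipc that the post names as malicious.
const BAD = new Map([["node-ipc", new Set(["9.1.6", "9.2.3", "12.0.1"])]]);

// v2/v3 "packages" keys are install paths; the package name is whatever
// follows the last "node_modules/" (scoped names such as @scope/pkg stay whole).
function nameFromPath(key) {
  const marker = "node_modules/";
  const i = key.lastIndexOf(marker);
  return i === -1 ? null : key.slice(i + marker.length);
}

// v1 lockfiles record an aliased install as version "npm:<real-name>@<version>".
function resolveAlias(name, version) {
  const m = /^npm:(.+)@([^@]+)$/.exec(version || "");
  return m ? { name: m[1], version: m[2] } : { name, version };
}

// Takes a parsed package-lock.json object, returns [{ name, version, where }].
function auditLockfile(lock) {
  const hits = [];
  const check = (rawName, rawVersion, where) => {
    const { name, version } = resolveAlias(rawName, rawVersion);
    const bad = name ? BAD.get(name) : undefined;
    if (bad && bad.has(version)) hits.push({ name, version, where });
  };

  if (lock.packages) {
    // v2/v3: flat map. An entry carries "name" only when the folder name
    // differs from the real package name (an alias), so prefer it when set.
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === "") continue; // the root project itself
      check(entry.name || nameFromPath(key), entry.version, key);
    }
  } else if (lock.dependencies) {
    // v1: nested tree, so transitive copies must be reached recursively.
    const walk = (deps, trail) => {
      for (const [name, entry] of Object.entries(deps)) {
        check(name, entry.version, [...trail, name].join(" > "));
        if (entry.dependencies) walk(entry.dependencies, [...trail, name]);
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// Constructed sample: lockfileVersion 3 with a clean top-level copy,
// a bad transitive copy, a bad aliased copy, and an unrelated package
// that merely shares a version number.
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/node-ipc": { version: "9.2.1" },
    "node_modules/build-tool/node_modules/node-ipc": { version: "9.2.3" },
    "node_modules/ipc-alias": { name: "node-ipc", version: "12.0.1" },
    "node_modules/@scope/util": { version: "9.1.6" },
  },
};

// Constructed sample: lockfileVersion 1 with a nested bad copy and an alias.
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    "build-tool": {
      version: "2.0.0",
      dependencies: { "node-ipc": { version: "9.1.6" } },
    },
    "ipc-alias": { version: "npm:node-ipc@12.0.1" },
    "node-ipc": { version: "10.1.0" },
  },
};

for (const [label, lock] of [["v3", sampleV3], ["v1", sampleV1]]) {
  for (const h of auditLockfile(lock)) {
    console.log(`${label}: ${h.name}@${h.version} at ${h.where}`);
  }
}
```

To check a real project, pass `JSON.parse` of its `package-lock.json` to `auditLockfile`. A hit means the affected version was resolved for that install, so secrets reachable from that machine or CI job should be treated as exposed.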
🔫 Turla Refactors Kazuar Backdoor Into P2P Botnet Architecture
Russian APT group Turla has evolved its Kazuar backdoor into a modular peer-to-peer botnet framework designed for long-term network persistence. The retooled malware now supports decentralized command infrastructure, complicating takedown efforts and, according to reporting, enabling resilient access across compromised environments.
The shift from traditional C2 to distributed nodes reflects operational maturity and anticipation of network disruption. P2P architecture allows infected hosts to relay commands laterally, sustaining access even if primary infrastructure is severed—raising the operational cost of remediation for defenders.
🛰️ Open sources - closed narratives
@sitreports
🔫 Pentagon Contracts Four Companies for 10,000 Containerized Cruise Missiles
The Defense Department awarded agreements to Anduril, CoAspire, Leidos, and Zone 5 Technologies to procure at least 10,000 low-cost cruise missiles within three years under the new Low-Cost Containerized Missiles (LCCM) program. Testing begins June 2026, with production purchases starting in 2027. Containerized missiles fit standard shipping containers, enabling covert transport and deployment from ground, maritime, or air platforms.
The initiative marks a shift toward attritable mass weapons and expanded industrial base participation beyond traditional primes. According to Defense Department reporting, vendors will scale production without Pentagon capital investment.
🛰️ Open sources - closed narratives
@sitreports
🔫 Ghostwriter Resumes Campaign Against Ukrainian Government
ESET researchers documented new activity by the Belarus-aligned APT group Ghostwriter (FrostyNeighbor) targeting Ukrainian government organizations since March 2026. The campaign deploys spear-phishing emails with PDF attachments impersonating Ukrtelecom that lead to geofenced delivery infrastructure—Ukrainian IPs receive a RAR archive with JavaScript-based PicassoLoader, while others get a benign decoy document.
The attack chain features manual operator validation of victims before deploying Cobalt Strike beacons to high-value targets. Analysis shows the group maintains focus on military, defense, and government entities across Ukraine, Poland, and Lithuania, using geofencing and staged payloads to evade automated detection systems.
🛰️ Open sources - closed narratives
@sitreports
🔫 Cisco SD-WAN hit by second perfect-10 authentication bypass zero-day
Cisco disclosed CVE-2026-20182, a maximum-severity vulnerability allowing unauthenticated remote attackers to gain admin privileges on Catalyst SD-WAN Controller and Manager. The flaw bypasses authentication and enables arbitrary NETCONF commands—potentially intercepting traffic, manipulating firewall rules, or disabling networks. Rapid7 confirmed exploitation in May 2026, though attribution remains unclear.
CISA added the bug to its KEV catalog, ordering federal agencies to patch within three days—a rare deadline reflecting operational urgency. Cisco confirmed no workarounds exist and urged administrators to audit auth.log files for suspicious publickey authentication.
🛰️ Open sources - closed narratives
@sitreports
🤖 AI Agents Demonstrate Functional Exploit Development Capabilities
Researchers from UC Berkeley, Max Planck Institute, and AI labs released ExploitGym, testing whether frontier AI models can convert vulnerabilities into working exploits. Testing 898 real-world CVEs, Anthropic's Mythos Preview exploited 157 instances while OpenAI's GPT-5.5 managed 120 within two-hour windows. Both models frequently weaponized entirely different vulnerabilities than those initially provided, with Mythos deviating from intended bugs in 69 of 226 CTF scenarios.
Agents successfully bypassed ASLR and V8 sandbox protections. While GPT-5.5's safety filters blocked 88% of requests, researchers note such guardrails remain bypassable through prompt engineering.
🛰️ Open sources - closed narratives
@sitreports
🔫 Google Discloses Full Zero-Click Exploit Chain for Pixel 10
Google Project Zero has published a complete zero-click exploit chain targeting Pixel 10 devices, beginning with CVE-2025-54957, a critical Dolby audio decoder flaw. The attack requires no user interaction—a crafted DD+ audio stream delivered via voice message automatically triggers remote code execution. Researcher Seth Jenkins chained it with a VPU driver vulnerability allowing arbitrary kernel memory access due to missing bounds validation, as detailed in the disclosure.
Google patched the VPU flaw in 71 days, but the research exposes persistent vulnerabilities in vendor-maintained kernel code. Only devices with December 2025 or later security patches are protected.
🛰️ Open sources - closed narratives
@sitreports
🔫 Turla Evolves Kazuar Backdoor Into P2P Botnet
Russia-linked APT group Turla has upgraded its Kazuar malware into a modular peer-to-peer botnet designed for stealth and long-term access to compromised systems. The architecture uses separate Kernel, Bridge, and Worker modules to distribute tasks, reduce visibility, and maintain persistent control inside targeted government, diplomatic, and defense networks in Europe and Central Asia.
The botnet minimizes suspicious network activity by allowing only one elected leader node to communicate externally while other infected systems exchange data internally through encrypted P2P channels, according to Microsoft researchers.
🛰️ Open sources - closed narratives
@sitreports
🔫 Kazuar Backdoor Evolves Into Modular P2P Botnet
Russian FSB-linked Secret Blizzard has transformed its Kazuar backdoor into a three-module peer-to-peer botnet with kernel, bridge, and worker components. An internal leader-election mechanism designates one infected host to communicate with C2 while others stay silent. Microsoft's analysis details 150 configuration options and bypasses for AMSI, ETW, and WLDP.
The modular design reduces detection by limiting external traffic while maintaining keylogging, data exfiltration, and reconnaissance capabilities. Encrypted internal communications via named pipes and mailslots blend with legitimate network noise, complicating behavioral detection.
🛰️ Open sources - closed narratives
@sitreports
🔫 Pwn2Own Berlin 2026: DEVCORE dominates with $505K, 47 zero-days discovered
Pwn2Own Berlin 2026 concluded with $1.298 million in payouts across three days, as researchers exposed 47 unique zero-day vulnerabilities. DEVCORE Research Team secured Master of Pwn with 50.5 points and $505,000, exploiting targets including Microsoft SharePoint and multiple Windows 11 privilege escalations. STARLabs SG placed second with a $200,000 VMware ESXi cross-tenant code execution. OpenAI Codex fell three times to different researchers using distinct techniques.
The competition results mark a 20% increase from 2025's $1.07M total, reflecting expanded targeting of AI infrastructure and developer tooling beyond traditional platforms. Vendors have 90 days to patch before disclosure.
🛰️ Open sources - closed narratives
@sitreports
🔫 CISA Adds Actively Exploited Exchange Server Zero-Day to KEV Catalog
CISA has added CVE-2026-42897, a cross-site scripting vulnerability in Microsoft Exchange Server with a CVSS score of 8.1, to its Known Exploited Vulnerabilities catalog. Microsoft confirmed active exploitation affecting Outlook Web Access, where attackers execute malicious JavaScript by sending specially crafted emails, according to reporting from Security Affairs. The vulnerability surfaced two days after Microsoft's May 2026 Patch Tuesday with no permanent fix available, only temporary mitigations.
Federal agencies must remediate by May 29, 2026, under BOD 22-01.
🛰️ Open sources - closed narratives
@sitreports
🔫 OpenAI confirms breach via TanStack supply chain attack
OpenAI disclosed that two employee devices were compromised through malicious TanStack packages distributed by the TeamPCP hacking group, exposing credentials from internal code repositories. The attackers deployed the Mini Shai-Hulud worm, which spread via hijacked GitHub Actions tokens and stole secrets from CI/CD environments, according to Security Affairs reporting.
The company rotated exposed credentials and revoked code-signing certificates for iOS, macOS, Windows, and Android applications. OpenAI stated no customer data or production systems were compromised, but macOS users must update their apps by June 12, 2026, to maintain functionality.
🛰️ Open sources - closed narratives
@sitreports
🔫 Windows MiniPlasma Zero-Day Grants SYSTEM Access
Researcher Chaotic Eclipse released proof-of-concept exploit code for a Windows privilege escalation zero-day dubbed MiniPlasma, affecting fully patched systems including the latest May 2026 builds. The flaw targets the Cloud Filter driver (cldflt.sys) and appears to be an unpatched remnant of CVE-2020-17103, originally reported by Google Project Zero in 2020. Independent testing confirms the exploit successfully elevates standard user accounts to SYSTEM privileges on Windows 11 Pro.
This marks the latest in a series of zero-day disclosures by the researcher, following BlueHammer, RedSun, YellowKey, and GreenPlasma exploits released since April. Previous exploits from this series have already been observed in active attacks.
🛰️ Open sources - closed narratives
@sitreports
🔍 Tycoon2FA Phishing Kit Adds Device-Code Attack Vector
The Tycoon2FA phishing-as-a-service platform has integrated device-code phishing capabilities targeting Microsoft 365 accounts, while exploiting Trustifi click-tracking URLs to evade detection. According to recent analysis, the kit now automates OAuth device authorization flow abuse, bypassing traditional MFA protections.
Device-code phishing represents a significant escalation in social engineering tactics, as it leverages legitimate Microsoft authentication mechanisms to trick users into authorizing malicious devices. Organizations relying solely on MFA for account security face elevated credential theft risk from this technique.
🛰️ Open sources - closed narratives
@sitreports
⚡ NGINX CVE-2026-42945 Under Active Exploitation
A critical vulnerability in NGINX is being actively exploited in the wild, causing worker process crashes and potentially enabling remote code execution. The flaw, designated CVE-2026-42945, poses significant risk to web servers running vulnerable versions of the widely deployed software.
The exploitation pattern suggests threat actors are probing for vulnerable instances to achieve service disruption or establish footholds. Organizations running NGINX should prioritize patching immediately, as security researchers have confirmed active targeting of this vector in production environments.
🛰️ Open sources - closed narratives
@sitreports
🔍 Grafana Discloses GitHub Token Compromise and Extortion Attempt
Grafana Labs confirmed a security incident involving a compromised GitHub token that allowed unauthorized actors to download source code repositories. The breach, disclosed by Grafana, was followed by an extortion attempt. The token provided read access to private repositories but no write permissions or production infrastructure access.
The incident highlights supply chain risks through developer credential exposure. While no code modification or customer data access occurred, downloaded proprietary codebases create potential for future exploitation through vulnerability discovery or IP theft. The extortion component indicates threat actors increasingly monetize repository access beyond direct system compromise.
🛰️ Open sources - closed narratives
@sitreports