SITREP - Independent OSINT Channel
AI, technology, mass surveillance, and intelligence — everything you need to know about tomorrow.
🔫 Pentagon Contracts Four Companies for 10,000 Containerized Cruise Missiles

The Defense Department awarded agreements to Anduril, CoAspire, Leidos, and Zone 5 Technologies to procure at least 10,000 low-cost cruise missiles within three years under the new Low-Cost Containerized Missiles (LCCM) program. Testing begins June 2026, with production purchases starting in 2027. Containerized missiles fit standard shipping containers, enabling covert transport and deployment from ground, maritime, or air platforms.

The initiative marks a shift toward attritable mass weapons and expanded industrial base participation beyond traditional primes. According to Defense Department reporting, vendors will scale production without Pentagon capital investment.

🛰️ Open sources - closed narratives
@sitreports
🔫 Ghostwriter Resumes Campaign Against Ukrainian Government

ESET researchers documented new activity by the Belarus-aligned APT group Ghostwriter (FrostyNeighbor) targeting Ukrainian government organizations since March 2026. The campaign deploys spear-phishing emails with PDF attachments impersonating Ukrtelecom that lead to geofenced delivery infrastructure—Ukrainian IPs receive a RAR archive with JavaScript-based PicassoLoader, while others get a benign decoy document.

The attack chain features manual operator validation of victims before deploying Cobalt Strike beacons to high-value targets. Analysis shows the group maintains focus on military, defense, and government entities across Ukraine, Poland, and Lithuania, using geofencing and staged payloads to evade automated detection systems.

🔫 Cisco SD-WAN hit by second perfect-10 authentication bypass zero-day

Cisco disclosed CVE-2026-20182, a maximum-severity vulnerability allowing unauthenticated remote attackers to gain admin privileges on Catalyst SD-WAN Controller and Manager. The flaw bypasses authentication and enables arbitrary NETCONF commands—potentially intercepting traffic, manipulating firewall rules, or disabling networks. Rapid7 confirmed exploitation in May 2026, though attribution remains unclear.

CISA added the bug to its KEV catalog, ordering federal agencies to patch within three days—a rare deadline reflecting operational urgency. Cisco confirmed no workarounds exist and urged administrators to audit auth.log files for suspicious publickey authentication.
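The advisory's advice to audit auth.log for suspicious public-key logins is easy to turn into a repeatable check. The script below is an added example, not code from Cisco, CISA or this channel: it parses sshd-style "Accepted publickey" lines and flags any login whose key fingerprint is not one you provisioned or whose source address is outside the management subnet. The log lines, the allowlisted fingerprint and the 10.10.0.0/24 management range are all constructed placeholders; substitute your own controller's values.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample lines in sshd auth.log syntax. Not taken from any real
# Cisco device or from the advisory; hostnames, users, IPs and fingerprints
# are placeholders.
SAMPLE_AUTH_LOG = """\
May 21 03:12:44 vmanage sshd[4121]: Accepted publickey for vmanage-admin from 10.10.0.5 port 51234 ssh2: RSA SHA256:aaaa1111bbbb2222cccc3333dddd4444eeee5555ffff6666gggg7777hhhh8888
May 21 03:15:02 vmanage sshd[4190]: Accepted password for netadmin from 10.10.0.7 port 51300 ssh2
May 21 04:02:19 vmanage sshd[4388]: Accepted publickey for vmanage-admin from 203.0.113.44 port 40022 ssh2: ED25519 SHA256:zzzz9999yyyy8888xxxx7777wwww6666vvvv5555uuuu4444tttt3333ssss2222
May 21 04:02:21 vmanage sshd[4388]: pam_unix(sshd:session): session opened for user vmanage-admin by (uid=0)
"""

# Assumed allowlists: fingerprints of keys you actually deployed, and the
# management network that should be the only source of admin SSH sessions.
KNOWN_FINGERPRINTS = {
    "SHA256:aaaa1111bbbb2222cccc3333dddd4444eeee5555ffff6666gggg7777hhhh8888",
}
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Matches only successful public-key authentications; password logins and
# session lines are ignored on purpose.
PUBKEY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2: "
    r"(?P<keytype>\S+) (?P<fp>SHA256:\S+)$"
)


@dataclass
class Finding:
    ts: str
    user: str
    ip: str
    fingerprint: str
    reasons: list


def audit_publickey_logins(log_text: str) -> list:
    """Return one Finding per accepted public-key login that uses an unknown
    key or originates outside the management subnet."""
    findings = []
    for line in log_text.splitlines():
        m = PUBKEY_RE.match(line)
        if not m:
            continue
        reasons = []
        if m["fp"] not in KNOWN_FINGERPRINTS:
            reasons.append("unknown key fingerprint")
        ip = ipaddress.ip_address(m["ip"])
        if not any(ip in net for net in MGMT_NETS):
            reasons.append("source outside management subnet")
        if reasons:
            findings.append(Finding(m["ts"], m["user"], m["ip"], m["fp"], reasons))
    return findings


if __name__ == "__main__":
    for f in audit_publickey_logins(SAMPLE_AUTH_LOG):
        print(f"{f.ts} {f.user} from {f.ip} key {f.fingerprint[:24]}...: {', '.join(f.reasons)}")
```

Run it against a copy of the controller's auth.log rather than on the box itself where possible, and treat an unknown fingerprint as the stronger signal: a source address inside the management range proves little if the attacker has already pivoted.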

🤖 AI Agents Demonstrate Functional Exploit Development Capabilities

Researchers from UC Berkeley, Max Planck Institute, and AI labs released ExploitGym, testing whether frontier AI models can convert vulnerabilities into working exploits. Testing 898 real-world CVEs, Anthropic's Mythos Preview exploited 157 instances while OpenAI's GPT-5.5 managed 120 within two-hour windows. Both models frequently weaponized entirely different vulnerabilities than those initially provided, with Mythos deviating from intended bugs in 69 of 226 CTF scenarios.

Agents successfully bypassed ASLR and V8 sandbox protections. While GPT-5.5's safety filters blocked 88% of requests, researchers note such guardrails remain bypassable through prompt engineering.

🔫 Google Discloses Full Zero-Click Exploit Chain for Pixel 10

Google Project Zero has published a complete zero-click exploit chain targeting Pixel 10 devices, beginning with CVE-2025-54957, a critical Dolby audio decoder flaw. The attack requires no user interaction—a crafted DD+ audio stream delivered via voice message automatically triggers remote code execution. Researcher Seth Jenkins chained it with a VPU driver vulnerability allowing arbitrary kernel memory access due to missing bounds validation, as detailed in the disclosure.

Google patched the VPU flaw in 71 days, but the research exposes persistent vulnerabilities in vendor-maintained kernel code. Only devices with December 2025 or later security patches are protected.

🔫 Turla Evolves Kazuar Backdoor Into P2P Botnet

Russia-linked APT group Turla has upgraded its Kazuar malware into a modular peer-to-peer botnet designed for stealth and long-term access to compromised systems. The architecture uses separate Kernel, Bridge, and Worker modules to distribute tasks, reduce visibility, and maintain persistent control inside targeted government, diplomatic, and defense networks in Europe and Central Asia.

The botnet minimizes suspicious network activity by allowing only one elected leader node to communicate externally while other infected systems exchange data internally through encrypted P2P channels, according to Microsoft researchers.

🔫 Kazuar Backdoor Evolves Into Modular P2P Botnet

Russian FSB-linked Secret Blizzard (Microsoft's name for Turla) has transformed its Kazuar backdoor into a three-module peer-to-peer botnet with kernel, bridge, and worker components. An internal leader-election mechanism designates one infected host to communicate with C2 while others stay silent. Microsoft's analysis details 150 configuration options and bypasses for AMSI, ETW, and WLDP.

The modular design reduces detection by limiting external traffic while maintaining keylogging, data exfiltration, and reconnaissance capabilities. Encrypted internal communications via named pipes and mailslots blend with legitimate network noise, complicating behavioral detection.

🔫 Pwn2Own Berlin 2026: DEVCORE dominates with $505K, 47 zero-days discovered

Pwn2Own Berlin 2026 concluded with $1.298 million in payouts across three days, as researchers exposed 47 unique zero-day vulnerabilities. DEVCORE Research Team secured Master of Pwn with 50.5 points and $505,000, exploiting targets including Microsoft SharePoint and multiple Windows 11 privilege escalations. STARLabs SG placed second with a $200,000 VMware ESXi cross-tenant code execution. OpenAI Codex fell three times to different researchers using distinct techniques.

The competition results mark a 20% increase from 2025's $1.07M total, reflecting expanded targeting of AI infrastructure and developer tooling beyond traditional platforms. Vendors have 90 days to patch before disclosure.

🔫 CISA Adds Actively Exploited Exchange Server Zero-Day to KEV Catalog

CISA has added CVE-2026-42897, a cross-site scripting vulnerability in Microsoft Exchange Server with a CVSS score of 8.1, to its Known Exploited Vulnerabilities catalog. Microsoft confirmed active exploitation affecting Outlook Web Access, where attackers execute malicious JavaScript by sending specially crafted emails, according to reporting from Security Affairs. The vulnerability surfaced two days after Microsoft's May 2026 Patch Tuesday with no permanent fix available, only temporary mitigations.

Federal agencies must remediate by May 29, 2026, under BOD 22-01.

🔫 OpenAI confirms breach via TanStack supply chain attack

OpenAI disclosed that two employee devices were compromised through malicious TanStack packages distributed by the TeamPCP hacking group, exposing credentials from internal code repositories. The attackers deployed the Mini Shai-Hulud worm, which spread via hijacked GitHub Actions tokens and stole secrets from CI/CD environments, according to Security Affairs reporting.

The company rotated exposed credentials and revoked code-signing certificates for iOS, macOS, Windows, and Android applications. OpenAI stated no customer data or production systems were compromised, but macOS users must update their apps by June 12, 2026, to maintain functionality.

🔫 Windows MiniPlasma Zero-Day Grants SYSTEM Access

Researcher Chaotic Eclipse released proof-of-concept exploit code for a Windows privilege escalation zero-day dubbed MiniPlasma, affecting fully patched systems including the latest May 2026 builds. The flaw targets the Cloud Filter driver (cldflt.sys) and appears to be an unpatched remnant of CVE-2020-17103, originally reported by Google Project Zero in 2020. Independent testing confirms the exploit successfully elevates standard user accounts to SYSTEM privileges on Windows 11 Pro.

This marks the latest in a series of zero-day disclosures by the researcher, following BlueHammer, RedSun, YellowKey, and GreenPlasma exploits released since April. Previous exploits from this series have already been observed in active attacks.

🔍 Tycoon2FA Phishing Kit Adds Device-Code Attack Vector

The Tycoon2FA phishing-as-a-service platform has integrated device-code phishing capabilities targeting Microsoft 365 accounts, while abusing Trustifi click-tracking URLs to evade detection. According to recent analysis, the kit now automates abuse of the OAuth device authorization flow. This sidesteps MFA rather than breaking it: the victim completes MFA on Microsoft's genuine sign-in page, but the resulting tokens are issued to the session the attacker started.

Device-code phishing represents a significant escalation in social engineering tactics, as it leverages legitimate Microsoft authentication mechanisms to trick users into authorizing a sign-in the attacker initiated. Organizations relying solely on MFA for account security face elevated token theft risk from this technique.
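Because the victim authenticates on the real Microsoft endpoint, the useful telemetry is on the identity side, not the mail gateway. The script below is an added example, not part of the channel's post or of any Microsoft tooling: it triages Entra sign-in log records, which carry the grant type in the `authenticationProtocol` field (`deviceCode` for this flow), and alerts on successful device-code sign-ins from outside corporate address space, from an application that has no business using the device-code grant, or from a different country than the user's previous sign-in. The records, the 10.20.0.0/16 corporate range and the list of expected device-code apps are constructed assumptions.

```python
import ipaddress
import json

# Constructed records in the shape of Microsoft Entra sign-in log entries.
# Field names follow the Entra export; all values are placeholders.
SAMPLE_SIGNINS = json.loads("""
[
 {"createdDateTime": "2026-05-20T08:01:12Z", "userPrincipalName": "a.lee@example.com",
  "ipAddress": "10.20.0.14", "authenticationProtocol": "oAuth2",
  "appDisplayName": "Microsoft Teams", "status": {"errorCode": 0},
  "location": {"countryOrRegion": "DE"}},
 {"createdDateTime": "2026-05-20T08:05:40Z", "userPrincipalName": "a.lee@example.com",
  "ipAddress": "198.51.100.23", "authenticationProtocol": "deviceCode",
  "appDisplayName": "Microsoft Office", "status": {"errorCode": 0},
  "location": {"countryOrRegion": "NL"}},
 {"createdDateTime": "2026-05-20T09:30:00Z", "userPrincipalName": "j.park@example.com",
  "ipAddress": "10.20.0.77", "authenticationProtocol": "deviceCode",
  "appDisplayName": "Azure CLI", "status": {"errorCode": 0},
  "location": {"countryOrRegion": "DE"}}
]
""")

# Assumed environment facts: corporate egress ranges, and the only clients
# for which the device-code grant is legitimately used (headless tooling).
CORP_NETS = [ipaddress.ip_network("10.20.0.0/16")]
EXPECTED_DEVICE_CODE_APPS = {"Azure CLI", "Microsoft Azure CLI"}


def triage_device_code_signins(records):
    """Return (upn, timestamp, reasons) for each successful device-code sign-in
    that looks like phishing rather than admin tooling."""
    records = sorted(records, key=lambda r: r["createdDateTime"])
    last_country = {}  # per-user country of the previous sign-in, any protocol
    alerts = []
    for r in records:
        upn = r["userPrincipalName"]
        country = r["location"]["countryOrRegion"]
        if r["authenticationProtocol"] == "deviceCode" and r["status"]["errorCode"] == 0:
            reasons = []
            ip = ipaddress.ip_address(r["ipAddress"])
            if not any(ip in net for net in CORP_NETS):
                reasons.append("source outside corporate ranges")
            if r["appDisplayName"] not in EXPECTED_DEVICE_CODE_APPS:
                reasons.append(f"unexpected app for device-code grant: {r['appDisplayName']}")
            prev = last_country.get(upn)
            if prev and prev != country:
                reasons.append(f"country changed {prev} -> {country} since previous sign-in")
            if reasons:
                alerts.append((upn, r["createdDateTime"], reasons))
        last_country[upn] = country
    return alerts


if __name__ == "__main__":
    for upn, ts, reasons in triage_device_code_signins(SAMPLE_SIGNINS):
        print(f"{ts} {upn}: {'; '.join(reasons)}")
```

Detection is the fallback; the primary control is to deny the grant to users who never need it. Entra Conditional Access exposes device code flow as an "authentication flows" condition, so a block policy scoped to everyone except the admins who run headless tooling removes the attack surface rather than just observing it.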

NGINX CVE-2026-42945 Under Active Exploitation

A critical vulnerability in NGINX is being actively exploited in the wild, causing worker process crashes and potentially enabling remote code execution. The flaw, designated CVE-2026-42945, poses significant risk to web servers running vulnerable versions of the widely-deployed software.

The exploitation pattern suggests threat actors are probing for vulnerable instances to achieve service disruption or establish footholds. Organizations running NGINX should prioritize patching immediately, as security researchers have confirmed active targeting of this vector in production environments.

🔍 Grafana Discloses GitHub Token Compromise and Extortion Attempt

Grafana Labs confirmed a security incident involving a compromised GitHub token that allowed unauthorized actors to download source code repositories. The breach, disclosed by Grafana, was followed by an extortion attempt. The token provided read access to private repositories but no write permissions or production infrastructure access.

The incident highlights supply chain risks through developer credential exposure. While no code modification or customer data access occurred, downloaded proprietary codebases create potential for future exploitation through vulnerability discovery or IP theft. The extortion component indicates threat actors increasingly monetize repository access beyond direct system compromise.

🎭 Samsung Weather App Triggers Diplomatic Incident Over Disputed Islands

Samsung issued an emergency update to its pre-installed weather application after it incorrectly labeled Dokdo—a group of volcanic islets disputed by South Korea, North Korea, and Japan—as North Korean territory. The tech giant blamed The Weather Channel for the mapping error, but according to The Register, the incident sparked outrage among South Korean netizens who viewed it as a national champion surrendering territory to adversaries.

The rapid response underscores how seemingly minor data errors in consumer applications can trigger significant diplomatic sensitivities in regions with active territorial disputes. The incident highlights supply chain risks in third-party geospatial data integration.

🤖 Linux Security List Overwhelmed by Duplicate AI Bug Reports

Linus Torvalds declared the Linux kernel security mailing list "almost entirely unmanageable" due to multiple researchers deploying identical AI tools to find vulnerabilities, creating massive report duplication. Maintainers now spend time forwarding duplicates and noting previously patched issues rather than addressing actual security work, according to his weekly kernel update.

Torvalds urged researchers to add value beyond automated detection by creating patches and understanding code context, noting AI-detected bugs are inherently non-secret and treating them on private lists creates counterproductive churn.
