⚡ 18-Year-Old NGINX Flaw Under Active Exploitation Days After Disclosure
CVE-2026-42945, dubbed "NGINX Rift," is already being exploited in the wild just days after researchers disclosed the vulnerability. The heap buffer overflow, which has sat in the rewrite module since 2008, affects both NGINX Open Source and NGINX Plus. VulnCheck observed exploitation attempts on canary systems shortly after the CVE publication, with a public PoC appearing the same day patches dropped.
While rated CVSS 9.2, practical RCE requires specific server configurations and disabled ASLR—unlikely on modern Linux systems. Censys scans identified roughly 5.7 million internet-exposed NGINX servers running potentially vulnerable versions, creating significant patching burden despite limited real-world exploitation risk.
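Triaging the 5.7 million exposed servers means ranking them by the two preconditions the reporting names for practical RCE: a configuration that exercises the rewrite module and a host with ASLR disabled. The script below is an added example, not code from the NGINX project, VulnCheck or Censys. It inlines nginx `include` files, lists every rewrite-module directive in use (the advisory does not say which configurations are reachable, so any use is flagged for review rather than declared exploitable), reads `/proc/sys/kernel/randomize_va_space`, and assigns a patch priority. The sample configuration and the priority thresholds are constructed for the example.

```python
"""Patch-backlog triage for CVE-2026-42945 ("NGINX Rift"). Added example."""
import fnmatch
import re
from pathlib import Path

# Directives provided by ngx_http_rewrite_module.
REWRITE_DIRECTIVES = {"rewrite", "if", "return", "set", "break", "rewrite_log"}

_INCLUDE_RE = re.compile(r"^\s*include\s+([^;]+);", re.MULTILINE)


def strip_comments(text: str) -> str:
    return re.sub(r"#[^\n]*", "", text)


def expand_includes(text: str, read, _seen=None) -> str:
    """Inline nginx `include` directives recursively.

    read(pattern) returns {path: contents} for every file matching an
    absolute glob. Patterns relative to the nginx prefix are left to the
    caller's reader (assumption: configs here use absolute includes).
    """
    seen = set() if _seen is None else _seen

    def inline(match):
        pattern = match.group(1).strip().strip("\"'")
        parts = []
        for path, body in sorted(read(pattern).items()):
            if path not in seen:            # guard against include loops
                seen.add(path)
                parts.append(expand_includes(body, read, seen))
        return "\n".join(parts)

    return _INCLUDE_RE.sub(inline, strip_comments(text))


def rewrite_directives(config: str) -> set:
    """Rewrite-module directives used anywhere in the (include-expanded) config.

    Statements end at ';' or a block delimiter, so splitting on those and
    taking the first token also catches one-liners such as
    `location /x { return 404; }` that a line-anchored regex would miss.
    """
    used = set()
    for statement in re.split(r"[;{}]", strip_comments(config)):
        tokens = statement.split()
        if tokens and tokens[0] in REWRITE_DIRECTIVES:
            used.add(tokens[0])
    return used


def aslr_level(proc_text: str) -> int:
    """/proc/sys/kernel/randomize_va_space: 0 off, 1 no brk/heap randomisation, 2 full."""
    return int(proc_text.strip())


def triage(root_config: str, read, proc_text: str) -> dict:
    directives = rewrite_directives(expand_includes(root_config, read))
    level = aslr_level(proc_text)
    if directives and level < 2:   # heap overflow on an unrandomised heap
        priority = "high"
    elif directives:
        priority = "medium"
    else:
        priority = "low"
    return {"rewrite_directives": sorted(directives), "aslr": level,
            "priority": priority}


def fs_read(pattern: str) -> dict:
    """Reader for real hosts: absolute glob -> {path: contents}."""
    return {str(p): p.read_text() for p in Path("/").glob(pattern.lstrip("/"))
            if p.is_file()}


# Constructed sample configuration (not taken from any real host).
SAMPLE_FILES = {
    "/etc/nginx/nginx.conf": """
events {}
http {
    include /etc/nginx/conf.d/*.conf;
    server {
        listen 80;
        # rewrite ^/commented /ignored;   commented out, must not count
        location /health { return 200; }
    }
}
""",
    "/etc/nginx/conf.d/app.conf": """
server {
    listen 8080;
    if ($request_method = POST) { return 405; }
    location /old { rewrite ^/old/(.*)$ /new/$1 permanent; }
}
""",
}


def sample_read(pattern: str) -> dict:
    return {p: t for p, t in SAMPLE_FILES.items() if fnmatch.fnmatch(p, pattern)}


if __name__ == "__main__":
    # On a real host replace the sample with:
    #   triage(Path("/etc/nginx/nginx.conf").read_text(), fs_read,
    #          Path("/proc/sys/kernel/randomize_va_space").read_text())
    print(triage(SAMPLE_FILES["/etc/nginx/nginx.conf"], sample_read, "2\n"))
```

A "high" result only means the host meets both stated preconditions; it still has to be patched either way, and "low" hosts are still vulnerable to whatever non-RCE outcomes the overflow allows.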
🛰️ Open sources - closed narratives
@sitreports
🔫 UK F-35s to carry US glide bombs amid software delays
The UK Ministry of Defence has approved procurement of the US-made GBU-53/B StormBreaker glide bomb as an interim stand-off weapon for its F-35 fleet. The move follows continued delays to Lockheed Martin's Block 4 software update, now expected in 2031, five years behind schedule, which is required to integrate the domestically developed SPEAR 3 mini-cruise missile. The Register reports the SPEAR 3 passed test firings in 2024 but remains unusable on F-35s.
The decision highlights critical capability gaps in the UK's stealth fighter program. During Operation Highmast, HMS Prince of Wales deployed with 24 F-35s but lacked adequate spare parts, forcing the MoD to cannibalize land-based stocks.
🔍 GitHub Investigating TeamPCP Breach Claim Targeting Internal Repositories
GitHub is investigating claims by threat actor TeamPCP of unauthorized access to approximately 4,000 internal repositories. The alleged breach surfaced on May 20, 2026, with the actor claiming to have accessed proprietary code and internal project data, according to reporting from cybersecurity sources.
If verified, the incident would represent significant supply chain exposure, potentially affecting downstream users of GitHub-hosted code and enterprise dependencies. The scope and authentication vector remain under investigation, with no official breach confirmation from GitHub at this time.
🔫 ChromaDB Zero-Day Enables Pre-Auth RCE on AI Vector Databases
CVE-2026-45829, a maximum-severity flaw in ChromaDB's Python FastAPI server, allows unauthenticated attackers to execute arbitrary code by exploiting misplaced authentication checks. Attackers can inject malicious Hugging Face models that execute before credentials are validated. Affecting versions 1.0.0 through 1.5.8 of the open-source vector database with 14 million monthly PyPI downloads, the flaw remains unpatched despite February disclosure.
Shodan data shows 73% of internet-exposed instances run vulnerable versions. Maintainers have not responded to HiddenLayer researchers. Mitigation requires switching to Rust frontends, restricting HTTP exposure, or implementing network-level API port controls.
🔫 Pentagon Awards $500M Counter-Drone Contract to Ukraine-Tested Developer
The Department of Defense's Joint Interagency Task Force 401 awarded a three-year, $500 million contract to Perennial Autonomy for AI-enabled counter-UAS systems. The company's Merops interceptor has downed over 4,000 Russian drones in Ukraine since mid-2024 and is currently deployed with U.S. forces in Central Command during the Iran conflict, according to Defense Scoop reporting.
The award reflects accelerated procurement of cost-effective interception against mass-produced Shahed variants. The Army previously purchased 13,000 Merops units at approximately $15,000 each, addressing the economic asymmetry of engaging cheap drones with expensive traditional systems.
🔫 Microsoft Disrupts Malware-Signing Service Used by Ransomware Groups
Microsoft's Digital Crimes Unit seized infrastructure linked to Fox Tempest, a malware-signing operation that sold fraudulent code-signing certificates to ransomware gangs since May 2025. The service abused Microsoft's Artifact Signing platform through 580+ fake accounts, enabling criminals to digitally sign malware—including Rhysida ransomware and Lumma infostealer—making it appear legitimate to Windows systems. Thousands of US machines were compromised, including over a dozen owned by Microsoft itself.
The operation charged $5,000-$9,500 per certificate and supplied groups like Vanilla Tempest, INC, Qilin, and Akira.
🔍 Microsoft Disrupts Malware Signing Service Abusing Internal Platform
Microsoft has shut down a malware-signing-as-a-service operation that exploited the company's Artifact Signing service to generate fraudulent code-signing certificates. The service enabled ransomware gangs and cybercriminals to sign malicious payloads with legitimate certificates, bypassing security controls that trust Microsoft-signed code.
The disruption highlights ongoing vulnerabilities in certificate authority ecosystems where attackers exploit trusted infrastructure to weaponize supply chain trust. While Microsoft's intervention removes one avenue for threat actors, the incident underscores the need for enhanced verification processes within internal signing platforms used by major technology providers.
🔫 Storm-2949 exploits Microsoft SSPR to hijack Azure environments
Microsoft reports threat actor Storm-2949 is targeting Microsoft 365 and Azure environments by impersonating IT support to trick privileged users into approving MFA prompts during password resets. Attackers then remove existing MFA controls, enroll their own devices, and use custom Python scripts via Graph API to enumerate environments and exfiltrate data from OneDrive, SharePoint, Key Vaults, and Azure SQL databases.
The campaign demonstrates advanced cloud persistence through Azure RBAC abuse, FTP and Kudu console deployment, and firewall manipulation. Defenders should implement phishing-resistant MFA for privileged roles and apply least-privilege principles.
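The intrusion chain described above leaves a recognisable footprint in the Entra ID audit log: a self-service password reset on an account, followed shortly by deletion of its security info and registration of new security info. The correlator below is an added example, not Microsoft's detection logic. It flattens records in the shape returned by `GET https://graph.microsoft.com/v1.0/auditLogs/directoryAudits`, groups them per target user and flags the sequence inside a time window. The activity display names, the two-hour window and the sample records are assumptions made for the example; check the names against your own tenant's export before relying on them.

```python
"""Correlate SSPR -> MFA removal -> MFA re-enrolment in Entra ID audit logs. Added example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed activityDisplayName values; verify against your tenant's audit export.
SSPR = "Reset password (self-service)"
MFA_DELETED = "User deleted security info"
MFA_REGISTERED = "User registered security info"
WINDOW = timedelta(hours=2)   # assumed dwell time between reset and takeover


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def normalize(record: dict) -> dict:
    """Flatten a Graph directoryAudit record to time / activity / target UPN."""
    targets = record.get("targetResources") or [{}]
    return {"time": record["activityDateTime"],
            "activity": record["activityDisplayName"],
            "target": targets[0].get("userPrincipalName")}


def correlate(events, privileged_users, window=WINDOW) -> list:
    """One hit per SSPR that is followed, within `window`, by BOTH a
    security-info deletion and a new registration on the same account."""
    by_user = defaultdict(list)
    for e in events:
        if e["target"]:
            by_user[e["target"].lower()].append((_ts(e["time"]), e["activity"]))
    hits = []
    for user, evs in by_user.items():
        evs.sort()
        for i, (t0, activity) in enumerate(evs):
            if activity != SSPR:
                continue
            later = [a for t, a in evs[i + 1:] if t - t0 <= window]
            if MFA_DELETED in later and MFA_REGISTERED in later:
                hits.append({"user": user, "sspr_at": t0.isoformat(),
                             "privileged": user in privileged_users,
                             "sequence": [SSPR] + later})
    return hits


def _rec(time, activity, upn):
    return {"activityDateTime": time, "activityDisplayName": activity,
            "targetResources": [{"userPrincipalName": upn}]}


# Constructed sample log: one takeover, one benign reset, one out-of-window case.
SAMPLE_AUDIT = [
    _rec("2026-05-20T10:00:00Z", SSPR, "alice.admin@contoso.example"),
    _rec("2026-05-20T10:07:00Z", MFA_DELETED, "alice.admin@contoso.example"),
    _rec("2026-05-20T10:09:00Z", MFA_REGISTERED, "alice.admin@contoso.example"),
    _rec("2026-05-20T11:00:00Z", SSPR, "bob@contoso.example"),        # re-registered only
    _rec("2026-05-20T11:05:00Z", MFA_REGISTERED, "bob@contoso.example"),
    _rec("2026-05-20T09:00:00Z", SSPR, "dave@contoso.example"),       # six hours apart
    _rec("2026-05-20T15:00:00Z", MFA_DELETED, "dave@contoso.example"),
    _rec("2026-05-20T15:02:00Z", MFA_REGISTERED, "dave@contoso.example"),
]
PRIVILEGED = {"alice.admin@contoso.example"}   # e.g. members of directory roles


if __name__ == "__main__":
    for hit in correlate([normalize(r) for r in SAMPLE_AUDIT], PRIVILEGED):
        print(hit)
```

Requiring both the deletion and the registration keeps an ordinary forgotten-password flow (reset, then add a method) from alerting; the `privileged` flag is what should drive the response, since the reporting says the actor targets privileged users specifically.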
🔫 Microsoft Disrupts Malware-Signing Service Fox Tempest
Microsoft's Digital Crimes Unit dismantled Fox Tempest, a malware-signing-as-a-service operation that issued over 1,000 fraudulent certificates to cybercriminals. The service charged $5,000–$9,000 for plans allowing threat actors to sign malware with legitimate-looking Microsoft certificates, supporting ransomware families including Rhysida, INC, Qilin, and Akira across healthcare, education, and government sectors globally.
The operation abused Microsoft Artifact Signing through Azure tenants and ran customer portals via Telegram. Microsoft filed legal action enabling infrastructure seizure and certificate revocation, while collaborating with Resecurity, Europol's EC3, and the FBI to counter downstream attacks.
🔫 CISA Exposed 844MB of Credentials in Public GitHub Repository for Six Months
The US Cybersecurity and Infrastructure Security Agency left a public GitHub repository named "Private-CISA" containing plain-text passwords, AWS credentials, Kubernetes manifests, and private keys exposed for six months. GitGuardian researcher Guillaume Valadon discovered the leak on May 14, and according to reporting, CISA removed the repository within 26 hours of notification.
The incident reflects operational dysfunction at the agency, which has operated without permanent leadership while facing budget cuts exceeding $700M.
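The material reported in the repository (plain-text passwords, AWS credentials, Kubernetes manifests, private keys) is exactly what a pre-push secret scan is meant to stop. The scanner below is an added example, not GitGuardian's tooling; it walks a checkout, matches a deliberately narrow set of patterns, decodes the base64 `data` block of Kubernetes Secret manifests (base64 is encoding, not protection) and redacts each finding to a four-character prefix so the report itself does not re-leak the value. The sample checkout is constructed; the AWS values in it are the documented AWS example credentials.

```python
"""Minimal secret scanner for a git checkout. Added example, not GitGuardian's code."""
import base64
import re
from pathlib import Path

PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws-secret-access-key": re.compile(
        r"(?i)aws_secret_access_key\s*[:=]\s*[\"']?([A-Za-z0-9/+=]{40})"),
    "private-key": re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----"),
    "password-assignment": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[:=]\s*[\"']?([^\s\"']+)"),
}


def redact(secret: str) -> str:
    """Keep a 4-char prefix so a finding can be traced without reprinting it."""
    return secret[:4] + "*" * max(len(secret) - 4, 0)


def k8s_secret_data(text: str):
    """Yield (line_no, key, decoded_value) for data/stringData entries of a
    Kubernetes Secret manifest; values that are not base64 are yielded as-is."""
    if not re.search(r"^kind:\s*Secret\s*$", text, re.M):
        return
    in_data = False
    for n, line in enumerate(text.splitlines(), 1):
        if re.match(r"^(data|stringData):\s*$", line):
            in_data = True
            continue
        m = re.match(r"^\s+([\w.\-]+):\s*(\S+)", line) if in_data else None
        if not m:
            in_data = False          # left the indented block
            continue
        key, value = m.groups()
        try:
            value = base64.b64decode(value, validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            pass
        yield n, key, value


def scan_text(path: str, text: str) -> list:
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append({"path": path, "line": n, "kind": kind,
                                 "preview": redact(secret)})
    for n, key, value in k8s_secret_data(text):
        findings.append({"path": path, "line": n, "kind": "k8s-secret-data",
                         "preview": f"{key}: {redact(value)}"})
    return findings


def scan_tree(files: dict) -> list:
    """files maps relative path -> contents, i.e. what a checkout yields."""
    return [f for path in sorted(files) for f in scan_text(path, files[path])]


def scan_path(root: str) -> list:
    """Walk a real checkout on disk (skips nothing; add .git exclusion as needed)."""
    files = {str(p.relative_to(root)): p.read_text(errors="replace")
             for p in Path(root).rglob("*") if p.is_file()}
    return scan_tree(files)


# Constructed sample checkout; AWS values are AWS's published example credentials.
SAMPLE_REPO = {
    "deploy/prod.env": (
        "DB_PASSWORD=hunter2\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    "k8s/db-secret.yaml": (
        "apiVersion: v1\nkind: Secret\nmetadata:\n  name: db\ntype: Opaque\n"
        "data:\n  db-pass: aHVudGVyMg==\n"),
    "keys/deploy_key": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAAFAKE\n"
        "-----END OPENSSH PRIVATE KEY-----\n"),
    "README.md": "Set DB_PASSWORD via the vault, never in git.\n",
}


if __name__ == "__main__":
    for finding in scan_tree(SAMPLE_REPO):
        print(finding)
```

Run `scan_path(".")` from a pre-commit or pre-push hook and fail the push on any finding; a six-month exposure window, as reported here, is what happens when the only check is a human noticing the repository name.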
📡 Shai-Hulud Malware Compromises 600+ npm Packages in One-Hour Blitz
Threat actors published 639 malicious versions across 323 unique npm packages on May 19, targeting the @antv ecosystem for charting and visualization. The attack compromised maintainer accounts to inject credential-stealing payloads that exfiltrate developer secrets via Session P2P and GitHub. Affected packages include echarts-for-react and @antv/g2, with Socket researchers tracking over 1,000 total compromised artifacts across all Shai-Hulud campaigns since September.
The malware targets CI/CD environments including GitHub Actions, Jenkins, and Azure DevOps, automatically creating repositories under victims' accounts to store encrypted data.
🔫 DirtyDecrypt PoC Exploit Published for Linux Kernel Privilege Escalation
Proof-of-concept code has been released for CVE-2026-31635, a local privilege escalation vulnerability in the Linux kernel. The exploit, dubbed DirtyDecrypt, allows unprivileged users to gain elevated system access through a flaw in kernel memory handling, according to reporting on the disclosure.
Public availability of working exploit code significantly reduces weaponization time for threat actors. Linux system administrators should prioritize kernel patching and monitor for suspicious privilege escalation attempts on exposed systems.