🔍 Ghost CMS flaw used to weaponize 700+ sites in ClickFix campaign
Attackers are exploiting CVE-2026-26980, a critical SQL injection bug in Ghost CMS versions 3.24.0 through 6.19.0, to steal Admin API keys and inject malicious JavaScript into article pages. XLab says more than 700 domains were hit, including university, media, fintech, security, and SaaS sites. The injected code shows visitors a fake Cloudflare verification prompt that instructs them to copy and run a command themselves, the ClickFix technique.
The case shows how an unauthenticated CMS flaw can be converted from data access into trusted-page malware delivery at scale. Ghost 6.19.1 patched the bug in February, but unpatched sites remained exposed long enough for repeated reinfection and script replacement between activity clusters.
🛰️ Open sources - closed narratives
@sitreports
🔍 Anthropic’s Glasswing exposes the patching gap
Anthropic says Project Glasswing identified more than 10,000 serious vulnerability candidates in its first month across 1,000+ open-source projects. Human review confirmed 1,726 exploitable flaws, including 1,094 rated high or critical. The effort has so far produced 97 upstream patches and 88 security advisories.
The key signal is not raw discovery volume but remediation lag. AI-assisted triage is now surfacing serious flaws faster than maintainers and vendors can absorb, validate, and patch them. That shifts software security from a discovery problem toward a throughput problem in validation, patch engineering, and release cadence.
📡 Navantia unveils 75-meter uncrewed warship concept
Navantia UK has presented the LASV75, a 1,000-tonne autonomous surface combatant built with no bridge or crew spaces. The design uses integrated full-electric propulsion with waterline exhausts, a configurable sensor mast, and modular payload architecture for weapons, sensors, and containerized mission packages.
The concept aligns with the Royal Navy’s “hybrid navy” model by shifting routine escort, patrol, and infrastructure-security tasks toward lower-cost autonomous hulls. Its main significance is not novelty but scale: a vessel large enough for open-ocean task group operations, yet designed around persistence, modularity, and reduced manpower demand.
🤖 Rick Crawford flags autonomous weapons and AI competition
House Intelligence Committee Chairman Rep. Rick Crawford said the rise of autonomous weapons, the threat posed by Iranian drones, and the need for continued U.S. leadership in AI development are converging security issues. The remarks came in a televised interview aired on May 24.
The framing links battlefield autonomy, drone proliferation, and AI policy into a single defense agenda. Operationally, it reflects growing U.S. concern that advances in military AI are no longer separable from near-term drone threats and strategic competition.
🤖 China AI race framed as leverage, not just innovation
Rep. Ashley Hinson, a member of the House Select Committee on China, said on Sunday Morning Futures that China’s AI expansion is tied to economic and political leverage. She argued the US must lead in AI development, warned against China’s state-controlled tech model, and said over-regulation could erode US national security and economic advantage.
The message places AI competition squarely in the national power domain rather than the commercial sector alone. It also reflects a policy line in Washington that links domestic AI regulation, industrial capacity, and strategic competition with China.
🔍 Lazarus shifts to memory-only intrusion tooling
Lazarus has been linked to deployment of RemotePE, a memory-only remote access trojan used against financial and cryptocurrency firms. The malware executes in memory rather than writing payloads to disk, reducing conventional forensic visibility and complicating endpoint detection.
The tradecraft points to a focus on stealth inside high-value financial environments where speed of detection matters. Memory-resident access can compress defenders’ response window, limit artifact recovery, and increase the survivability of post-compromise operations.
🔍 Storm-2949 Turns Azure RBAC Into a Cloud Exfiltration Path
Microsoft says Storm-2949 used social engineering against IT staff and executives, abused self-service password reset (SSPR) and MFA approval prompts, then enrolled attacker-controlled Microsoft Authenticator devices. From compromised Microsoft 365 accounts, the group enumerated roles with the Graph API, stole IT documentation, and used Azure Owner privileges to reach Azure Key Vault, extracting secrets that opened the primary production application.
The case shows how identity compromise plus management-plane permissions can collapse cloud segmentation fast. Within minutes, the attackers moved from account access to secrets theft, storage exposure, SQL firewall changes, VM backdoors, Defender suppression, and large-scale data exfiltration.
🔍 TrapDoor Targets Open-Source Package Registries
The TrapDoor supply chain attack is reported to be distributing credential-stealing malware through npm, PyPI, and crates.io. The activity spans three major package ecosystems, putting developers and downstream users at risk through poisoned dependencies.
Operationally, the case underscores how a single malware distribution campaign can scale across JavaScript, Python, and Rust repositories at once. Cross-registry abuse expands exposure beyond one language stack and increases the chance of credential theft propagating through build pipelines and developer environments.
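Because the campaign crosses three registries, the first defensive question is simply "what do we pull from each one, and is any of it on a blocklist or floating to whatever the registry serves next?" The Python below is an added example, not code from any TrapDoor write-up: it inventories direct dependencies from a package.json, a requirements.txt and a Cargo.toml, checks them against a denylist and flags unpinned specifiers. The manifests and the denylist (all package names in it are invented) are constructed for the demo; real blocklists come from your registry mirror, SCA tool or each ecosystem's advisory feed.

```python
"""Inventory direct dependencies across npm, PyPI and crates.io manifests
and flag denylisted or unpinned packages.

Added example, not code from any TrapDoor write-up. The manifests and the
denylist are constructed; the denylisted names are invented.
"""
import json
import re

# Constructed denylist of (ecosystem, package) pairs. Names are invented.
DENYLIST = {
    ("npm", "cf-verify-helper"),
    ("pypi", "requests-sessions-utils"),
    ("crates", "serde-json-fast"),
}


def parse_package_json(text):
    """Yield (name, spec) from dependencies and devDependencies."""
    data = json.loads(text)
    for key in ("dependencies", "devDependencies"):
        for name, spec in data.get(key, {}).items():
            yield name, spec


_REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(.*?)\s*(?:#.*)?$")


def parse_requirements(text):
    """Yield (name, spec) from requirements.txt; skips blanks, comments, options."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-")):
            continue
        m = _REQ_RE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2)


def parse_cargo_toml(text):
    """Yield (name, spec) from the dependency tables of a Cargo.toml.
    Minimal parser: handles `name = "1.0"` and `name = { version = "1.0", ... }`."""
    in_deps = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_deps = s in ("[dependencies]", "[dev-dependencies]", "[build-dependencies]")
            continue
        if not in_deps or not s or s.startswith("#") or "=" not in s:
            continue
        name, _, rhs = s.partition("=")
        rhs = rhs.strip()
        if rhs.startswith("{"):
            m = re.search(r'version\s*=\s*"([^"]*)"', rhs)
        else:
            m = re.match(r'"([^"]*)"', rhs)
        yield name.strip(), (m.group(1) if m else "")


def is_pinned(ecosystem, spec):
    """Exact pin only: npm '1.2.3', pypi '==1.2.3', cargo '=1.2.3'."""
    spec = spec.strip()
    if ecosystem == "npm":
        return bool(re.fullmatch(r"\d+\.\d+\.\d+", spec))
    if ecosystem == "pypi":
        return bool(re.fullmatch(r"==\d+(\.\d+)*", spec))
    if ecosystem == "crates":
        return bool(re.fullmatch(r"=\d+\.\d+\.\d+", spec))
    return False


def audit(manifests):
    """manifests: {"npm": text, "pypi": text, "crates": text}.
    Returns [(ecosystem, name, reason)] with reason 'denylisted' or 'unpinned'."""
    parsers = {"npm": parse_package_json, "pypi": parse_requirements,
               "crates": parse_cargo_toml}
    findings = []
    for eco, text in manifests.items():
        for name, spec in parsers[eco](text):
            if (eco, name) in DENYLIST:
                findings.append((eco, name, "denylisted"))
            if not is_pinned(eco, spec):
                findings.append((eco, name, "unpinned"))
    return findings


# Constructed manifests: one clean pinned dependency and one denylisted
# dependency per ecosystem, plus an unpinned but legitimate crate.
SAMPLE_MANIFESTS = {
    "npm": json.dumps({"dependencies": {"express": "4.19.2",
                                        "cf-verify-helper": "^1.0.0"}}),
    "pypi": "requests==2.32.3\nrequests-sessions-utils>=0.1\n# comment\n-r base.txt\n",
    "crates": ('[package]\nname = "demo"\n\n[dependencies]\nserde = "1.0"\n'
               'serde-json-fast = { version = "=0.3.1", features = ["std"] }\n'),
}
```

Exact pinning is the floor, not the ceiling: a pinned version of a package whose maintainer account was hijacked is still malicious, so pair this with lockfile hash verification (npm's integrity fields, pip's `--require-hashes`, Cargo.lock checksums) and a review gate on any newly added dependency.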
📡 MiniUpdate RAT shifts C2 traffic onto Azure
Researchers tracking Screening Serpens identified an espionage campaign using MiniUpdate and MiniJunk V2 against targets in the US, Israel, and the UAE. Delivery relied on tailored spear-phishing, fake job portals, and spoofed installers, while MiniUpdate used AppDomainManager hijacking to load local payloads, suppress ETW telemetry, and bypass signature checks.
The operational significance is the blend of signed executables, native .NET abuse, and Azure-hosted domains impersonating health, finance, and technology entities. That combination reduces detection opportunities, isolates C2 by target, and supports shell execution, process control, dynamic code loading, and chunked file exfiltration.
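AppDomainManager hijacking works because the .NET Framework lets an application's own config file (or two environment variables) name the assembly and type that should manage its AppDomains; a signed host EXE then loads an attacker DLL from beside itself before any application code runs. The scanner below is an added example, not code from the Screening Serpens report: it parses `*.exe.config` files for the `appDomainManagerAssembly` and `appDomainManagerType` runtime elements, checks whether the named assembly sits next to the host, and lists the equivalent environment variables. The sample config, file layout and DLL name are constructed.

```python
"""Flag .NET application config files that redirect AppDomainManager loading.

Added example; not code from the Screening Serpens report. The sample
config and file layout are constructed. The config elements and
environment variables checked are the documented .NET Framework knobs.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

HIJACK_ELEMENTS = ("appDomainManagerAssembly", "appDomainManagerType")
HIJACK_ENV = ("APPDOMAIN_MANAGER_ASSEMBLY", "APPDOMAIN_MANAGER_TYPE")


def inspect_config(xml_text):
    """Return {element: value} for hijack-relevant settings under <runtime>."""
    found = {}
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return found
    for runtime in root.iter("runtime"):
        for child in runtime:
            tag = child.tag.split("}")[-1]   # tolerate namespaced configs
            if tag in HIJACK_ELEMENTS:
                found[tag] = child.get("value", "")
    return found


def assembly_name(assembly_value):
    """'Evil, Version=1.0.0.0, Culture=neutral, ...' -> 'Evil'."""
    return assembly_value.split(",")[0].strip()


def scan_directory(root_dir):
    """Walk root_dir for *.exe.config files and report hijack settings."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for fn in files:
            if not fn.lower().endswith(".exe.config"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                settings = inspect_config(fh.read())
            if not settings:
                continue
            asm = assembly_name(settings.get("appDomainManagerAssembly", ""))
            # A sideloaded manager DLL typically sits next to the host EXE.
            dll_present = bool(asm) and os.path.exists(
                os.path.join(dirpath, asm + ".dll"))
            findings.append({"config": path, "settings": settings,
                             "manager_dll_beside_exe": dll_present})
    return findings


def env_indicators(environ=None):
    """Return the AppDomainManager variables present in the environment."""
    environ = os.environ if environ is None else environ
    return {k: environ[k] for k in HIJACK_ENV if k in environ}


# Constructed config in the shape the technique requires.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <runtime>
    <appDomainManagerAssembly value="UpdateHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    <appDomainManagerType value="UpdateHelper.Manager" />
  </runtime>
</configuration>"""

CLEAN_CONFIG = """<configuration><runtime>
  <gcServer enabled="true"/></runtime></configuration>"""


def demo():
    """Build a throwaway directory with one hijacked and one clean config."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "Signed.exe.config"), "w") as fh:
            fh.write(SAMPLE_CONFIG)
        open(os.path.join(d, "UpdateHelper.dll"), "wb").close()
        with open(os.path.join(d, "Other.exe.config"), "w") as fh:
            fh.write(CLEAN_CONFIG)
        return scan_directory(d)
```

Run `scan_directory` over user-writable locations where signed .NET binaries have been dropped (downloads, temp, per-user app folders); a legitimately signed EXE with a freshly written `.exe.config` naming an unsigned manager assembly is the combination the campaign relied on. The signature on the EXE says nothing about the config or the DLL it causes to load.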
🔍 Zero-click WhatsApp takeover tied to unpatched iOS 16
Multiple iPhone users in Italy had WhatsApp accounts hijacked without QR pairing, linked devices, or user interaction. Forensic analysis by Forenser found repeated WhatsApp resync events and ImageIO errors on affected devices, all running iOS 16. The cases are consistent with abuse of CVE-2025-43300, potentially combined with CVE-2025-55177, to extract session material and attach a rogue client.
Operationally, this is significant because the attacker session did not appear in WhatsApp's linked-device view while still sending messages from the victim account. The observed access was focused on recent chats, indicating session-level compromise rather than full device visibility. Patching iOS removes the known exposure window.
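The three observables the forensic report gives (an iOS 16 build, repeated ImageIO errors, WhatsApp resync events) are enough for a first-pass triage across a fleet. The Python below is an added example, not Forenser's tooling: it counts ImageIO error lines that are followed by a WhatsApp resync within an hour and flags devices that also sit below a patched-build floor. Device records and log lines are constructed, and the floor (iOS 16.7.12, the build assumed here to carry the ImageIO fix) is an assumption to confirm against Apple's advisory for CVE-2025-43300.

```python
"""Triage iOS devices for the WhatsApp session-hijack pattern above.

Added example, not Forenser's tooling. Device records and log lines are
constructed. The iOS 16 patched-build floor is an assumption for the
example; confirm the exact build in Apple's advisory for CVE-2025-43300.
"""
import re
from datetime import datetime, timedelta

# Assumed: the iOS 16 line received the ImageIO fix in 16.7.12.
PATCHED_FLOOR = {16: (16, 7, 12)}

IMAGEIO_RE = re.compile(r"\bImageIO\b.*\b(error|fail)", re.I)
RESYNC_RE = re.compile(r"\bWhatsApp\b.*\bresync\b", re.I)


def parse_version(s):
    return tuple(int(p) for p in s.split("."))


def is_unpatched(version_str):
    """True only for major versions with a known floor and a build below it."""
    v = parse_version(version_str)
    floor = PATCHED_FLOOR.get(v[0])
    return floor is not None and v < floor


def imageio_resync_pairs(log, window=timedelta(hours=1)):
    """Count ImageIO error lines followed by a WhatsApp resync within `window`.
    log: [(datetime, line)] in any order."""
    lines = sorted(log, key=lambda x: x[0])
    pairs = 0
    for i, (ts, line) in enumerate(lines):
        if not IMAGEIO_RE.search(line):
            continue
        for later_ts, later in lines[i + 1:]:
            if later_ts - ts > window:
                break
            if RESYNC_RE.search(later):
                pairs += 1
                break
    return pairs


def triage(devices, min_pairs=2):
    """devices: [{"id", "ios", "log"}]. A device is flagged when it is below
    the patched floor and shows at least `min_pairs` error->resync pairs;
    patched devices keep their pair count so an analyst can still review."""
    report = []
    for d in devices:
        unpatched = is_unpatched(d["ios"])
        pairs = imageio_resync_pairs(d["log"])
        report.append({"id": d["id"], "ios": d["ios"], "unpatched": unpatched,
                       "pairs": pairs, "flag": unpatched and pairs >= min_pairs})
    return report


def _log(base, entries):
    return [(base + timedelta(minutes=m), line) for m, line in entries]


_BASE = datetime(2026, 5, 1, 10, 0)
_SUSPICIOUS = _log(_BASE, [
    (0, "ImageIO: decode error in WhatsApp process"),
    (2, "WhatsApp: resync requested (reason=session)"),
    (60, "ImageIO error: failed to create image from data"),
    (63, "WhatsApp performing resync"),
    (120, "ImageIO: error reading image payload"),
    (125, "WhatsApp resync complete"),
])

SAMPLE_DEVICES = [   # constructed
    {"id": "iphone-A", "ios": "16.7.10", "log": _SUSPICIOUS},
    {"id": "iphone-B", "ios": "18.6.2", "log": _SUSPICIOUS},
    {"id": "iphone-C", "ios": "16.7.10",
     "log": _log(_BASE, [(0, "WhatsApp resync complete")])},
]
```

Device B in the sample shows the same error-and-resync pattern on a patched build; it is not flagged, but the pair count is kept in the report because the pattern alone is worth a look. The real log field names and the exact ImageIO message text vary by iOS build, so the regexes are starting points rather than signatures.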
🔍 FBI flags Kali365 as Microsoft 365 token-theft service
The FBI has warned that Kali365 is being used to hijack Microsoft 365 accounts via OAuth device code phishing, capturing session tokens after users complete legitimate MFA. First seen in April 2026 and marketed through Telegram, the platform offers device-code phishing, AI-generated lures, campaign templates, victim tracking, and an adversary-in-the-middle mode dubbed Cookie Link.
The operational point is clear: this tradecraft bypasses password theft entirely and turns approved authentication into attacker access. For defenders, device code flows, new device registrations, inbox rule changes, and token-based session abuse are now priority indicators in Microsoft 365 environments.
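Both this item and the Storm-2949 item above describe the same detection problem: a sequence of individually unremarkable events (a new MFA method, a device-code sign-in, a Key Vault read, an inbox rule) that is only alarming in order and within a short window for one actor. The Python below is an added example covering both items; it is not Microsoft's or the FBI's detection content. It joins identity and Azure events on an actor field and matches two ordered stage chains. The flat record layout, the actor join and the sample events are constructed; the operation names follow the public Entra audit ("User registered security info"), Exchange mailbox audit (`New-InboxRule`), Azure activity log and Key Vault diagnostic (`SecretGet`) names.

```python
"""Ordered-stage correlation over identity and Azure management-plane logs.

Added example covering the Storm-2949 and Kali365 items; it is not
Microsoft's or the FBI's detection content. The flat event records, the
actor field used to join identity and Azure logs, and the sample events
are constructed; operation names follow the public Entra audit, Exchange
mailbox audit and Azure activity / Key Vault log names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)   # max time from first to last stage


def _op(name):
    return lambda e: e.get("operation") == name


# Storm-2949 pattern: new Authenticator method -> Key Vault secret read ->
# SQL firewall opened -> VM run command -> Defender plan written (downgrade).
CHAIN_IDENTITY_TO_MGMT_PLANE = [
    ("mfa_method_added", _op("User registered security info")),
    ("keyvault_secret_read", _op("SecretGet")),
    ("sql_firewall_write", _op("Microsoft.Sql/servers/firewallRules/write")),
    ("vm_run_command", _op("Microsoft.Compute/virtualMachines/runCommand/action")),
    ("defender_plan_write", _op("Microsoft.Security/pricings/write")),
]

# Kali365 pattern: device-code sign-in -> new security info -> inbox rule.
CHAIN_DEVICE_CODE_TAKEOVER = [
    ("device_code_signin", lambda e: e.get("operation") == "Sign-in"
     and e.get("protocol") == "deviceCode"),
    ("mfa_method_added", _op("User registered security info")),
    ("inbox_rule_created", _op("New-InboxRule")),
]


def match_chain(events, chain, window=WINDOW):
    """Return {actor: [(stage, ts), ...]} for actors that complete `chain`
    in order within `window`, starting from any matching first-stage event."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["actor"]].append(e)
    hits = {}
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            if not chain[0][1](start):
                continue
            matched = [(chain[0][0], start["ts"])]
            stage = 1
            for e in evs[i + 1:]:
                if e["ts"] - start["ts"] > window:
                    break
                if stage < len(chain) and chain[stage][1](e):
                    matched.append((chain[stage][0], e["ts"]))
                    stage += 1
            if stage == len(chain):
                hits[actor] = matched
                break
    return hits


def _ev(ts, actor, operation, **extra):
    return {"ts": datetime.fromisoformat(ts), "actor": actor,
            "operation": operation, **extra}


# Constructed events: one compromised admin, two benign actors.
SAMPLE_EVENTS = [
    _ev("2026-05-20T09:00:00", "it-admin@corp.test", "Sign-in", protocol="deviceCode"),
    _ev("2026-05-20T09:03:00", "it-admin@corp.test", "User registered security info"),
    _ev("2026-05-20T09:10:00", "it-admin@corp.test", "SecretGet", resource="kv-prod"),
    _ev("2026-05-20T09:12:00", "it-admin@corp.test", "Microsoft.Sql/servers/firewallRules/write"),
    _ev("2026-05-20T09:15:00", "it-admin@corp.test", "Microsoft.Compute/virtualMachines/runCommand/action"),
    _ev("2026-05-20T09:20:00", "it-admin@corp.test", "Microsoft.Security/pricings/write"),
    _ev("2026-05-20T09:25:00", "it-admin@corp.test", "New-InboxRule"),
    _ev("2026-05-20T10:00:00", "alice@corp.test", "User registered security info"),
    _ev("2026-05-20T11:00:00", "ci-sp@corp.test", "SecretGet", resource="kv-prod"),
]


def run_sample(events=SAMPLE_EVENTS):
    return {
        "identity_to_mgmt_plane": match_chain(events, CHAIN_IDENTITY_TO_MGMT_PLANE),
        "device_code_takeover": match_chain(events, CHAIN_DEVICE_CODE_TAKEOVER),
    }
```

Two caveats for production use. Owner on a subscription does not by itself grant Key Vault data-plane reads under the RBAC permission model, but it does allow the attacker to assign themselves a secrets role, so `Microsoft.Authorization/roleAssignments/write` belongs as an optional stage before the secret read. And `Microsoft.Security/pricings/write` also fires on legitimate plan upgrades; the chain, not the single event, is the signal.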
🔍 SonicWall scanning surge hits 597,000 sessions in one day
Between 9 and 18 May, GreyNoise observed a sustained reconnaissance spike against SonicOS management interfaces, peaking at roughly 597,000 sessions on 12 May—about 46 times the prior 30-day baseline. The traffic was concentrated on ports 80 and 8080, largely tied to a Chrome 119/Linux fingerprint and source networks in the Netherlands and Ukraine, with heavy volume on AS211736. SonicWall appliances were the target.
The pattern matters because similar scan spikes in Q1 preceded disclosure of CVE-2026-0400. This does not confirm a new vulnerability, but it does indicate structured target mapping against exposed management surfaces and SSL VPN-related endpoints.
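The useful signal in a spike like this is not the raw count but the ratio to a baseline that the spike itself cannot inflate, plus how concentrated the traffic is in a single network and fingerprint. The Python below is an added example, not GreyNoise's method or data: it compares each day's session count to the median of the prior 30 days and reports days above a multiple, then measures how much of one day's traffic comes from the top ASN and user agent. The daily series is constructed to resemble the reported shape (a 597,000 peak on 12 May at roughly 46 times baseline); the per-session records are constructed as well.

```python
"""Baseline-ratio spike detection over daily scan session counts.

Added example, not GreyNoise's method or data. The daily series is
constructed to resemble the reported shape (a peak of 597,000 sessions on
12 May at roughly 46x baseline); the per-session records used for the
concentration check are also constructed.
"""
from collections import Counter
from datetime import date, timedelta
from statistics import median


def baseline_ratio_spikes(series, baseline_days=30, threshold=10.0):
    """series: [(date_str, count)] in chronological order.
    Each day with `baseline_days` of history is compared to the median of
    those prior days; the median keeps earlier spike days from inflating
    the baseline. Returns [(date_str, count, ratio)] for days at or above
    `threshold` times baseline."""
    flagged = []
    for i in range(baseline_days, len(series)):
        base = median(c for _, c in series[i - baseline_days:i])
        if base <= 0:
            continue
        day, count = series[i]
        ratio = count / base
        if ratio >= threshold:
            flagged.append((day, count, round(ratio, 1)))
    return flagged


def concentration(records, field):
    """records: [{"asn": ..., "ua": ..., "port": ...}] for one day.
    Returns (top_value, share) for the most common value of `field`."""
    counts = Counter(r[field] for r in records)
    top, n = counts.most_common(1)[0]
    return top, round(n / len(records), 2)


def _series():
    start = date(2026, 4, 9)
    counts = [13000] * 30 + [40000, 95000, 260000, 597000, 310000,
                             180000, 120000, 90000, 70000, 60000]
    return [((start + timedelta(days=i)).isoformat(), c)
            for i, c in enumerate(counts)]


SAMPLE_SERIES = _series()   # 30 quiet days, then 9 to 18 May

# Constructed per-session sample for the peak day: one ASN and one
# browser fingerprint dominate, which is what structured scanning looks like.
SAMPLE_PEAK_RECORDS = (
    [{"asn": "AS211736", "ua": "Chrome/119 Linux", "port": 80}] * 70
    + [{"asn": "AS211736", "ua": "Chrome/119 Linux", "port": 8080}] * 15
    + [{"asn": "AS64500", "ua": "curl/8.4", "port": 80}] * 10
    + [{"asn": "AS64501", "ua": "Chrome/119 Linux", "port": 443}] * 5
)
```

Feed it the daily hit counts from your own perimeter logs for the SonicOS management ports rather than a sensor network's view; a spike that reproduces in your telemetry means your appliances were in the target set, which is the question the GreyNoise data alone cannot answer for a given organisation.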
🔍 CISA flags exploited Drupal SQL injection flaw
CISA added CVE-2026-9082 to its Known Exploited Vulnerabilities catalog after active abuse of a highly critical Drupal Core SQL injection bug affecting PostgreSQL-backed deployments. The issue stems from improper sanitization in the EntityQuery condition handler, with exploitation observed less than 48 hours after disclosure. Reporting cites 15,000+ attack attempts against roughly 6,000 sites in 65 countries.
The exposure is notable because it is unauthenticated and remote, making public-facing Drupal sites on PostgreSQL the immediate risk set. MySQL, MariaDB, SQLite, and Drupal 7 are not affected; patched releases are available across supported branches, while older 8.9 and 9.5 installs require manual hotfixes.
🔍 Ghost CMS flaw used to hijack 700+ sites
Attackers are exploiting CVE-2026-26980 in Ghost CMS to compromise more than 700 websites and redirect visitors into ClickFix-style social engineering flows. The activity turns legitimate sites into delivery points for malicious prompts and user-driven execution.
The case shows how a single CMS vulnerability can be scaled into broad access for traffic hijacking and malware staging. For defenders, the key issue is not only patch latency but trust abuse: compromised publisher domains can make fake remediation prompts appear routine and lower user suspicion.
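For both Ghost CMS items on this page, the thing a site owner can check directly is the rendered article HTML: an injected ClickFix lure needs a script that primes the clipboard with a command and shows fake verification text, or an external script from a host the site never used. The Python below is an added example, not code from Ghost, XLab or the campaign report. It collects every `<script>` on a page, reports external scripts from hosts outside an allowlist, and reports inline scripts that match two or more ClickFix traits. The sample page, the allowed hosts and the indicator list are constructed for the demo; the command text in the sample is a placeholder, not a payload.

```python
"""Scan a rendered page for ClickFix-style injected scripts.

Added example for the two Ghost CMS items; it is not code from Ghost,
XLab or the campaign report. The sample page, the allowed script hosts
and the indicator list are constructed for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site is expected to load scripts from (assumption for the demo).
ALLOWED_SCRIPT_HOSTS = {"example-blog.test", "cdn.example-blog.test"}

# Traits that recur in ClickFix lures: the page primes the clipboard with a
# command, shows fake "verify you are human" copy, and tells the visitor to
# open the Windows run box and paste.
CLICKFIX_PATTERNS = [
    re.compile(r"navigator\.clipboard\.writeText", re.I),
    re.compile(r"clipboardData\.setData", re.I),
    re.compile(r"verify\s+you\s+are\s+(a\s+)?human", re.I),
    re.compile(r"\b(powershell|mshta|cmd\.exe)\b", re.I),
    re.compile(r"win(dows)?\s*\+\s*r\b", re.I),
]


class _ScriptCollector(HTMLParser):
    """Collect (src, inline_body) for every <script> on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


def scan_page(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS, min_hits=2):
    """Return [(kind, detail)] findings for one page's HTML.

    External scripts from hosts outside the allowlist and inline scripts
    matching at least `min_hits` ClickFix traits are reported."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src, body in collector.scripts:
        if src:
            host = (urlparse(src).hostname or "").lower()
            if host and host not in allowed_hosts:
                findings.append(("external_script_unlisted_host", src))
        else:
            hits = [p.pattern for p in CLICKFIX_PATTERNS if p.search(body)]
            if len(hits) >= min_hits:
                findings.append(("inline_clickfix_indicators", hits))
    return findings


# Constructed page: one legitimate script, one unlisted external script and
# one injected inline lure. The command text is a placeholder, not a payload.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example-blog.test/app.js"></script>
<script src="https://static.cf-verify-check.test/v.js"></script>
</head><body><article><h1>Post title</h1><p>Body text.</p></article>
<script>
(function () {
  var cmd = 'powershell -w hidden -c "..."';
  document.getElementById('verify').onclick = function () {
    navigator.clipboard.writeText(cmd);
    document.getElementById('msg').textContent =
      'Verify you are human: press Win + R, then Ctrl+V and Enter';
  };
})();
</script>
</body></html>"""
```

Run it against the live rendered pages, not the stored post bodies alone, since the injection reached article pages and the report notes scripts were replaced between activity clusters; a daily diff of findings per URL catches the swap. Patching to 6.19.1 closes the injection path but does not revoke Admin API keys already stolen, so key rotation belongs in the same change.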