  • 🔴 New security advisory:

    Uncategorized cybersecurity zeroday threatintel
    1
    0 Votes
    1 Posts
    5 Views
    matchbook3469@infosec.exchange
    New security advisory: CVE-2025-71284 affects multiple systems.
    • Impact: Remote code execution or complete system compromise possible
    • Risk: Attackers can gain full control of affected systems
    • Mitigation: Patch immediately or isolate affected systems
    Full breakdown: https://www.yazoul.net/advisory/cve/cve-2025-71284-synway-smg-gateway-unauth-rce-patch
    #Cybersecurity #ZeroDay #ThreatIntel
  • 0 Votes
    1 Posts
    0 Views
    orlysec@swecyb.com
    (socket.dev) Malicious Ruby Gems and Go Modules Impersonate Developer Tools to Compromise CI Environments and Steal Secrets

    New supply chain campaign by threat actor BufferZoneCorp targets dev/CI environments via malicious Ruby gems and Go modules. Packages like `knot-activesupport-logger` and `go-retryablehttp` deploy credential theft, GitHub Actions tampering, and SSH persistence.

    In brief - A multi-stage attack impersonates legitimate dev tools to harvest SSH/AWS/GitHub secrets, poison CI workflows, and establish persistence. Sleeper packages and typosquatting evade detection, exfiltrating data via hidden endpoints.

    Technically - Ruby gems use `extconf.rb` to steal env vars (e.g., `~/.ssh/id_rsa`, `~/.aws/credentials`) during install, exfiltrating JSON-encoded data to `webhook[.]site/49c21843...`. Go modules abuse `init()` to modify `GITHUB_ENV`, disable `GOSUMDB`, and inject fake `go` wrappers. One module appends hardcoded SSH keys to `authorized_keys`. Obfuscation includes decimal-encoded endpoints and fragmented env var names.

    Source: https://socket.dev/blog/malicious-ruby-gems-and-go-modules-steal-secrets-poison-ci
    #Cybersecurity #ThreatIntel
  • 0 Votes
    3 Posts
    20 Views
    matthieu@mastodon.puffer.fish
    @hermlon @the_moep this is somehow extremely cursed. But also kinda... Hundy?!
  • 0 Votes
    1 Posts
    0 Views
    orlysec@swecyb.com
    (therecord.media) Cybercriminals Hijack Cargo Shipments Through Load Board Fraud, FBI Warns of Multi-Million Dollar Thefts

    FBI warns of a 60% surge in cargo thefts (2025: $725M) via cyber-enabled load board fraud. Threat actors compromise freight broker/carrier accounts, post fraudulent listings, and divert shipments—often undetected until loss is reported. Tactics include social engineering, malicious links, FMCSA profile tampering, and ransom demands.

    In brief - Cybercriminals are hijacking cargo shipments by breaching load boards, impersonating brokers, and redirecting freight. The FBI reports $725M in losses (2025), with attacks involving phishing, double-brokering, and regulatory tampering to facilitate theft.

    Technically - Attackers compromise load boards via phishing/malicious links, then impersonate brokers or carriers to post fraudulent freight listings. Double-brokering inserts unauthorized stops, while FMCSA profile alterations enable unauthorized shipments. Ransom demands are delivered via email or overseas contacts. Compromised carriers often remain unaware until brokers report missing cargo.

    Source: https://therecord.media/hackers-earning-millions-from-hijacked-cargo-fbi
    #Cybersecurity #ThreatIntel
  • 0 Votes
    1 Posts
    1 Views
    heiseonline@social.heise.de
    Claude Security: Anthropic brings AI vulnerability scanner for enterprises

    Anthropic is sending Claude Security into public beta testing. It scans code for vulnerabilities, suggests patches, and is meant to be strict about security.

    https://www.heise.de/news/Claude-Security-Anthropic-bringt-KI-Schwachstellenscanner-fuer-Unternehmen-11279018.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon
    #Anthropic #Cybersecurity #Datensicherheit #IT #KünstlicheIntelligenz #Security #Softwareentwicklung #news
  • 0 Votes
    1 Posts
    0 Views
    orlysec@swecyb.com
    (malwarebytes.com) Scammers Exploit PayPal’s Legitimate Services to Deliver Deceptive Payment Notifications

    New PayPal-themed phishing campaign abuses legitimate email notifications, bypassing DKIM/SPF/DMARC via manipulated subject lines. Attackers alter genuine PayPal payment emails to falsely claim pending charges (e.g., $987.90) while the body shows nominal amounts (e.g., ¥1 JPY).

    In brief - Scammers exploit PayPal’s email system to send verified but deceptive payment alerts, tricking users into calling fraudulent support numbers. The attack leverages social engineering and PayPal’s remittance fields to weaponize subject lines, evading traditional email security.

    Technically - The campaign abuses PayPal’s payout templates, where arbitrary text in note/remittance fields surfaces in subject lines. Emails originate from service@paypal.com and pass authentication checks, but the subject line is altered to include fake charges and scammer contact details. Victims are coerced into installing remote access tools or divulging credentials.

    Source: https://www.malwarebytes.com/blog/news/2026/04/more-paypal-emails-hijacked-to-deliver-tech-support-scams
    #Cybersecurity #ThreatIntel
  • 0 Votes
    1 Posts
    0 Views
    orlysec@swecyb.com
    (acronis.com) Exploitation of AI Platforms: How Threat Actors Abuse Hugging Face and ClawHub for Malware Delivery

    Threat actors are actively abusing AI platforms Hugging Face and ClawHub for large-scale malware delivery, exploiting trust in AI ecosystems to distribute trojans, cryptominers, and infostealers like AMOS. Over 575 malicious OpenClaw skills were identified across 13 developer accounts.

    In brief - Cybercriminals are weaponizing AI distribution platforms to deliver malware at scale, leveraging indirect prompt injection and social engineering to compromise Windows and macOS systems. The abuse of Hugging Face and ClawHub highlights critical risks in AI supply chains.

    Technically - Attackers use indirect prompt injection on ClawHub to turn AI agents into intermediaries, executing base64-encoded commands or installing password-protected archives. Payloads include AMOS stealer (macOS) and cryptominers (Windows), with persistence via scheduled tasks and Defender exclusions. On Hugging Face, campaigns like ITHKRPAW and FAKESECURITY employ obfuscated PowerShell, Cloudflare Workers, and dead-drop resolvers (e.g., Telegram bots) for C2. Techniques include XOR/AES encryption, process injection, and high-entropy overlays to evade detection.

    Source: https://www.acronis.com/en/tru/posts/poisoning-the-well-ai-supply-chain-attacks-on-hugging-face-and-openclaw/
    #Cybersecurity #ThreatIntel
  • 0 Votes
    1 Posts
    9 Views
    thehackerwire@mastodon.social
    CVE-2026-7381 - Critical (9.1)

    Plack::Middleware::XSendfile versions through 1.0053 for Perl can allow client-controlled path rewriting.

    Plack::Middleware::XSendfile allows the variation setting (sendfile type) to be set by the client via the X-Sendfile-Type header, if it is n... https://www.thehackerwire.com/vulnerability/CVE-2026-7381/
    #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
  • 0 Votes
    1 Posts
    1 Views
    cti_fyi@infosec.exchange
    New ransom group blog posts!

    Group name: qilin
    Post title: Apothebeauty
    Info: https://cti.fyi/groups/qilin.html

    Group name: nightspire
    Post title: Progressive Oral Surgery & Implantology
    Info: https://cti.fyi/groups/nightspire.html

    Group name: payoutsking
    Post title: SunSource
    Info: https://cti.fyi/groups/payoutsking.html

    Group name: payoutsking
    Post title: Data Exchange Corporation
    Info: https://cti.fyi/groups/payoutsking.html

    Group name: payoutsking
    Post title: Epcon Communities
    Info: https://cti.fyi/groups/payoutsking.html

    Group name: payoutsking
    Post title: SCS Engineers
    Info: https://cti.fyi/groups/payoutsking.html

    Group name: payoutsking
    Post title: Englewood Lab
    Info: https://cti.fyi/groups/payoutsking.html

    Group name: payoutsking
    Post title: Grace Design Studios
    Info: https://cti.fyi/groups/payoutsking.html

    Group name: worldleaks
    Post title: SMTA Sherwood Mutual Telephone Association
    Info: https://cti.fyi/groups/worldleaks.html

    #ransomware #cti #threatintelligence #cybersecurity #infosec
  • 0 Votes
    1 Posts
    0 Views
    That email attachment your coworker just opened? It's copying every password they've ever saved. Right now.

    Full analysis: https://threatchain.io/agenttesla-sample-detected-nota-de-credito-a12345-045-20260403-pdf-scr-exe-4a2b467d
    #cybersecurity #threatintelligence #infosec #SIEM
  • 0 Votes
    1 Posts
    0 Views
    Warning - deceptively faked emails are currently circulating that give the impression of coming from the Deutsche Rentenversicherung. Supposedly you are to request a current pension statement and log in to the pension portal to do so. The emails contain both a button and a link for this.

    BOTH LINKS ARE FAKE and forward to a dubious website that was presumably set up specifically to harvest personal data.

    SO DO NOT CLICK - best to delete the email!

    #cybersecurity #rente #phishing #email

    And please: inform neighbours, friends and acquaintances about this so that they do not carelessly hand personal data to fraudsters.
  • 0 Votes
    1 Posts
    5 Views
    hackerworkspace@infosec.exchange
    Analyzing the Silver Fox tax campaign and the new ABCDoor backdoor
    https://hackerworkspace.com/article/analyzing-the-silver-fox-tax-campaign-and-the-new-abcdoor-backdoor
    #malware #cybersecurity #threatintelligence
  • 0 Votes
    1 Posts
    6 Views
    hackerworkspace@infosec.exchange
    Teachable to YouTube - Here's Why I Made the Switch
    https://www.youtube.com/watch?v=IeoMGk3hN0Q
    #cybersecurity #vulnerability #penetrationtesting
  • 0 Votes
    1 Posts
    0 Views
    hackerworkspace@infosec.exchange
    Police dismantles 9 crypto scam centers, arrests 276 suspects
    https://www.bleepingcomputer.com/news/security/police-dismantles-9-crypto-investment-scam-centers-arrests-276-suspects/
    Read on HackerWorkspace: https://hackerworkspace.com/article/police-dismantles-9-crypto-scam-centers-arrests-276-suspects
    #cybersecurity #incidentresponse #threatintelligence
  • 0 Votes
    1 Posts
    0 Views
    heiseonline@social.heise.de
    Cyber Resilience Act: BSI becomes the digital TÜV for networked products

    The German federal government is putting the implementing act for the EU's Cyber Resilience Act on track and wants to make the BSI the central market surveillance authority.

    https://www.heise.de/news/Cyber-Resilience-Act-BSI-wird-zum-digitalen-TUeV-fuer-vernetzte-Produkte-11278890.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege&utm_source=mastodon
    #BSI #Bundesregierung #Cybersecurity #Netzpolitik #news
  • 0 Votes
    1 Posts
    4 Views
    infobloxthreatintel@infosec.exchange
    "Run a quick DNS speed test" they said… One click on dns-speed.tail-f[.]de and your browser helpfully fans out ~5,000 HTTPS handshakes to "random" Cisco Top 1M domains in ~30 seconds.

    That randomness is doing a lot of work.

    Across a handful of runs we saw clients touching:
    - Government + defence: *.uscourts.gov, multiple .gov TLDs, and .mil hosts (incl. disa[.]mil, onr[.]navy[.]mil)
    - Microsoft sovereign/GCC High endpoints (dodsuite, usgovcloudapi, etc.)
    - Enterprise collaboration: 100+ Webex, Zoom infra, SharePoint/OneDrive tenants
    - Identity surfaces: 130+ auth/login patterns, Okta/Auth0/Duo tenants
    - Autodiscover for named orgs (useful for pre‑populating phish kits)
    - ~150 banking domains, globally distributed

    All from a page load. No content fetched, just "harmless" handshakes.

    What's interesting isn't malice so much as side‑effects. A "neutral" performance test becomes:
    - A spray of client IPs into sensitive identity and gov endpoints
    - Noisy, hard‑to‑explain telemetry for defenders ("why is this workstation touching DISA?")
    - Occasional redirects into less friendly corners of the web, courtesy of the long tail

    The stated aim is realism (avoid vendor‑optimised test servers). In practice, you inherit the internet's entire distribution of good, bad, and broken—and push it through end‑user browsers.

    It's a reminder that at scale, "just measuring" can look a lot like reconnaissance… or at least generate it for someone else.

    #dns #threatintel #threatintelligence #cybercrime #cybersecurity #infosec #infoblox #infobloxthreatintel
  • 0 Votes
    1 Posts
    6 Views
    thenewoil@mastodon.thenewoil.org
    #Signal Desktop without a smartphone, standalone version in development
    https://aboutsignal.com/news/signal-desktop-without-a-mobile-phone-standalone-version-in-development/
    #privacy #cybersecurity
  • 0 Votes
    5 Posts
    0 Views
    anthropy@mastodon.derg.nz
    (I know this requires some way to run the POC as normal user, and that not every kernel build and device has the necessary exploitable bits, but it will still be an available way that you can try; I do suggest trying it simply to see if it works, wouldn't be the first time an (embedded or otherwise) device has weird libraries, oversized kernel builds, and bad protection past the frontend)
  • 0 Votes
    1 Posts
    0 Views
    bsidesedmonton@infosec.exchange
    Thank you SheSpeaksCyber https://shespeakscyber.org/ for being a Community Partner sponsor of Bsides Edmonton 2026. We’re grateful for your support of Edmonton’s cybersecurity community. #BSidesEdmonton #InformationSecurity #Cybersecurity #Edmonton #Infosec #YEG
  • 0 Votes
    1 Posts
    7 Views
    beyondmachines1@infosec.exchange
    Celebrity Private Communications Exposed in Stalkerware Database Breach

    A misconfigured database belonging to an individual using stalkerware exposed nearly 87,000 screenshots from a prominent celebrity's device, including private chats and sensitive documents. The breach highlights how spyware bypasses end-to-end encryption by capturing data directly from the device's screen.

    #cybersecurity #infosec #incident #databreach
    https://beyondmachines.net/event_details/celebrity-private-communications-exposed-in-stalkerware-database-breach-u-y-n-m-r/gD2P6Ple2L