  • 0 Votes
    1 Posts
    0 Views
    orlysec@swecyb.com
    (wiz.io) Jenkins in the Crosshairs: Analyzing the Threat Landscape of CI/CD Orchestration
    Jenkins CI/CD environments are under active exploitation, with 59% of cloud deployments vulnerable to critical-severity flaws and 87% running end-of-life instances. Attackers leverage exposed script consoles, misconfigured pipelines, and compromised agents for RCE, credential theft, and lateral movement into cloud control planes.
    In brief - Jenkins remains a prime target due to unpatched core vulnerabilities, deprecated plugins (31% of environments), and misconfigurations. Threat actors exploit these to gain RCE, steal credentials, and pivot into cloud environments, necessitating urgent patching, plugin lifecycle management, and hardening.
    Technically - Jenkins' attack surface includes unpatched core CVEs, deprecated plugins (31%), and critical plugin vulnerabilities (21%). Attackers exploit exposed script consoles for RCE, abuse CI/CD pipelines for secret extraction, and compromise agents for lateral movement. Cloud IAM risks arise from credential theft via instance metadata services, emphasizing the need for least-privilege access and secure pipeline design.
    Source: https://www.wiz.io/blog/jenkins-threat-risk-insights
    #Cybersecurity #ThreatIntel
  • 0 Votes
    1 Posts
    0 Views
    orlysec@swecyb.com
    (dragos.com) AI-Assisted Intrusion Targeting OT: How Commercial AI Tools Enabled an Adversary to Identify and Breach Critical Infrastructure
    New Dragos/Gambit report exposes AI-assisted OT intrusion: Unknown adversary used Anthropic Claude & OpenAI GPT to autonomously identify and target Mexican water utility OT via IT compromise. AI-generated 17K-line Python script (BACKUPOSINT v9.0) enabled credential abuse, lateral movement, and network enumeration—compressing IT-to-OT attack timeline.
    In brief - Commercial AI tools enabled an adversary to rapidly assess and target OT infrastructure without prior OT expertise, demonstrating the urgent need for enhanced detection and network visibility in critical infrastructure.
    Technically - Adversary leveraged Claude AI for intrusion planning/tool development and GPT for data processing. The AI-generated BACKUPOSINT script (49 modules) automated reconnaissance, credential harvesting, and privilege escalation. Failed OT breach via vNode gateway password spray highlights AI’s role in accelerating attack lifecycle while reducing reliance on specialized OT knowledge. Defenders must prioritize SANS Five Critical Controls and detection of AI-driven enumeration/credential abuse patterns.
    Source: https://www.dragos.com/blog/ai-assisted-ics-attack-water-utility
    #Cybersecurity #ThreatIntel
  • 0 Votes
    1 Posts
    3 Views
    ifin@infosec.exchange
    It would appear that the DDoS attack affecting #Ubuntu is finally over, with statements from both Canonical and the claimed attackers. While the attackers threaten Cloudflare next, they continue to use their services to protect their booter service. Meanwhile, Canonical has not put anything but security and archive repos behind Cloudflare protection. It's unknown what other measures are in place for other resources.
    https://discourse.ifin.network/t/ubuntu-services-under-attack/356
    #ThreatIntel #ThreatIntelligence #IFIN
  • 0 Votes
    1 Posts
    1 Views
    g0rb@infosec.exchange
    Looks like some Initial Access Broker stacks up on new Accounts.
    I love @shadowserver #threatintel
  • 0 Votes
    1 Posts
    0 Views
    orlysec@swecyb.com
    (humansecurity.com) Monthly Benchmark Report: AI Agent Traffic Trends and Threat Landscape Analysis
    AI agent traffic surged 5.26% MoM in April, with browser-based agents Comet (48.12%) and Atlas (21.33%) dominating 70% of observed activity. Blocking rates rose to 8.2%, signaling escalating detection challenges.
    In brief - AI-driven web traffic is growing rapidly, with media, ecommerce, and travel sectors bearing 98% of the volume. Organizations must enhance visibility to distinguish AI agents from human activity and mitigate unauthorized actions.
    Technically - Browser-based agents like Perplexity’s Comet and OpenAI’s Atlas leverage user-agent strings, cookies, and session behaviors to mimic human patterns, complicating detection. Traffic is concentrated in product/search routes (69.57%), while federal/government (+254%) and SaaS (+41.5%) sectors show rapid growth. Behavioral signal analysis and publisher-level integration are critical for classifying agent intent and mitigating risks.
    Source: https://www.humansecurity.com/learn/blog/state-of-agentic-traffic-april-26/
    #Cybersecurity #ThreatIntel
  • 0 Votes
    1 Posts
    1 Views
    matchbook3469@infosec.exchange
    THREAT INTEL | maiadouro.pt
    🟢 Actor "safepay" claims Undisclosed
    Unverified claim
    https://www.yazoul.net/intel/claim/2026-05-05-maiadouro-ransomware-attack-by-safepay-may-2026
    #DarkWeb #DataBreach #ThreatIntel #CyberSecurity #InfoSec
  • 0 Votes
    1 Posts
    0 Views
    orlysec@swecyb.com
    (opensourcemalware.com) CNCF Project Antrea Compromised via Supply Chain Attack and Malicious GitHub Actions Pwn Request
    In brief - The CNCF project Antrea was compromised via a multi-stage supply chain attack involving malicious GitHub Actions (Trivy) and a crafted pull request targeting Jenkins. Threat actor TeamPCP exfiltrated AWS credentials and gained root access to Antrea’s CI/CD pipeline, exploiting mutable tags and insufficient PR validation.
    Technically - The attack began with the March 2026 compromise of Trivy’s GitHub Actions (`aquasecurity/trivy-action`, `aquasecurity/setup-trivy`), enabling secret exfiltration from CI runners. Antrea’s use of mutable tags exposed its pipeline, leading to AWS credential theft. On May 2, 2026, the attacker (0xedgerunner) submitted PR #8027 with a Jenkins Job DSL payload, executing arbitrary code via slash-commands (`/test-*`). The payload used Python deserialization, bash injection, and exfiltrated data to `paste.rs`/`webhook.site`. IOCs include IP `35.164.122.165`, spoofed committer `tzgate <tzgate@local.lan>`, and branch patterns like `poc/pwn-*`.
    Source: https://opensourcemalware.com/blog/antrea-compromise2
    #Cybersecurity #ThreatIntel
  • 0 Votes
    1 Posts
    0 Views
    worldwatch_ocd@infosec.exchange
    Our CERT is releasing a new research into UNC2465, a ransomware affiliate actively distributing Qilin across Europe. A TLP:RED version of this research was presented during @botconf 2026.
    https://www.orangecyberdefense.com/global/blog/cert-news/smoking-out-an-affiliate-smokedham-qilin-a-few-google-ads-and-some-bossware
    UNC2465 primarily relies on malvertising to distribute the SmokedHam backdoor. By pivoting on its delivery infrastructure, we identified a large number of spoofed software like RVTools, @hornetsecurity, Angry IP Scanner, Remote Desktop Manager...
    UNC2465 also relies on bossware like ControlioNet and Teramindco to further blend malicious actions with normal activity and avoid detection.
    IOCs are available here: https://github.com/cert-orangecyberdefense/cti/blob/main/smokedham/iocs
    #CTI #ThreatIntel #SmokedHam #UNC2465 #ransomware #Qilin #rvtools #bossware
  • 0 Votes
    1 Posts
    0 Views
    steelefortress@infosec.exchange
    The Salt Typhoon breach of IBM's Italian subsidiary System Informative is not a distant geopolitical headline. It is a direct signal to every organization running critical infrastructure or sensitive data operations in Europe. Chinese-linked threat actors are no...
    Read more: https://steelefortress.com/kgv6qkSecurity #Privacy #ThreatIntel
  • 0 Votes
    1 Posts
    4 Views
    matchbook3469@infosec.exchange
    THREAT INTEL | manateeair.com
    🟢 Actor "m3rx" claims Undisclosed
    Allegedly exposed
    • Customer data
    Unverified claim
    https://www.yazoul.net/intel/claim/2026-05-03-manatee-air-ransomware-claim-by-m3rx-may-2026
    #DarkWeb #DataBreach #ThreatIntel #CyberSecurity #InfoSec
  • 0 Votes
    1 Posts
    2 Views
    solomonneas@infosec.exchange
    Cyber intel today: Windows NTLM hash leak zero-day hit KEV. Patch by May 12. Storm-1175 tied to Medusa zero-day attacks. Watch ransomware pivots. WordPress plugin RCE and auth bypass CVEs. Inventory plugins.
    #CyberSecurity #ThreatIntel #Ransomware #PatchManagement
    solomonneas.dev/intel
  • 0 Votes
    1 Posts
    0 Views
    r1cksec@infosec.exchange
    New cheatsheets pushed
    https://github.com/r1cksec/cheatsheets
    #infosec #cybersecurity #redteam #pentest #threatintel #malware #dfir #bugbounty #opensource
  • 0 Votes
    1 Posts
    0 Views
    ifin@infosec.exchange
    Thanks to Censys, we have confirmed exploitation leading to ransomware for the #cPanel/WHM auth bypass.
    https://discourse.ifin.network/t/cve-2026-41960-cpanel-auth-bypass-eitw/339
    #ThreatIntel #ThreatIntelligence #IFIN
  • Cyber watch:
    0 Votes
    1 Posts
    0 Views
    solomonneas@infosec.exchange
    Cyber watch: Gemini CLI host RCE in agent workflows: patch CLI/action, audit tokens and deployment secrets. ScreenConnect CVE-2024-1708 in KEV: patch exposed remote-access servers and hunt for compromise.
    🟡 Mini Shai-Hulud hits npm, PyPI, PHP packages: rotate dev secrets.
    solomonneas.dev/intel
    #CyberSecurity #ThreatIntel #VulnerabilityManagement #SupplyChain
  • 0 Votes
    1 Posts
    0 Views
    orlysec@swecyb.com
    (picussecurity.com) CVE-2026-41940: Deep Dive into the cPanel & WHM Authentication Bypass Exploit Affecting 1.5 Million Servers
    Critical authentication bypass in cPanel & WHM (CVE-2026-41940, CVSS 9.8) exposes 1.5M servers to pre-auth RCE. Actively exploited since Feb 2026, this zero-day grants root access via session hijacking. Patch immediately, rotate credentials, and purge sessions.
    In brief - CVE-2026-41940 is a critical authentication bypass in cPanel & WHM, allowing unauthenticated attackers to gain root access to 1.5M internet-facing servers. Exploited in the wild since February 2026, it requires immediate patching and mitigation.
    Technically - The exploit chains a CRLF injection in session files with a malformed cookie to disable encryption and manipulate session caching. Attackers inject newline-laced credentials via Basic-auth, bypass encryption, and plant a 'successful_internal_auth_with_timestamp' flag in session files. The flaw stems from missing sanitization, encryption bypass, and JSON cache discrepancies. Detection involves monitoring for CRLF in session files, privileged keys in failed logins, and anomalous access-log sequences.
    Source: https://www.picussecurity.com/resource/blog/cve-2026-41940-explained-cpanel-whm-authentication-bypass-hit-1-5m-servers
    #Cybersecurity #ThreatIntel
  • 0 Votes
    1 Posts
    0 Views
    orlysec@swecyb.com
    (malwarebytes.com) Critical Authentication Bypass Vulnerability in cPanel/WHM Actively Exploited by Threat Actors
    Critical authentication bypass in cPanel/WHM (CVE-2026-41940) is under active exploitation. Attackers gain admin access without credentials, impacting millions of sites. CISA has listed it in the KEV catalog.
    In brief - A zero-day flaw in cPanel/WHM (CVE-2026-41940) allows unauthenticated admin access, with active exploitation confirmed. Hosting providers are urged to patch immediately and restrict interface access.
    Technically - CVE-2026-41940 affects cPanel/WHM v11.40+ (including DNSOnly/WP Squared), enabling privilege escalation via authentication bypass. Exploitation observed since February 2026; patches released April 28. Mitigations include patching, MFA enforcement, and access restrictions. Over 1M sites at risk.
    Source: https://www.malwarebytes.com/blog/news/2026/05/actively-exploited-cpanel-bug-exposes-millions-of-websites-to-takeover
    #Cybersecurity #ThreatIntel
  • 🔴 New security advisory:
    0 Votes
    1 Posts
    1 Views
    matchbook3469@infosec.exchange
    New security advisory: CVE-2025-71284 affects multiple systems.
    • Impact: Remote code execution or complete system compromise possible
    • Risk: Attackers can gain full control of affected systems
    • Mitigation: Patch immediately or isolate affected systems
    Full breakdown: https://www.yazoul.net/advisory/cve/cve-2025-71284-synway-smg-gateway-unauth-rce-patch
    #Cybersecurity #ZeroDay #ThreatIntel
  • 0 Votes
    1 Posts
    0 Views
    deepfield@infosec.exchange
    Potassium update: the Mirai fork @synthient reported in March (https://x.com/deobfuscately/status/2033923869782712514) is still active and the operator appears to have taken up Dutch poetry. The new C2 domathreatintelkankerinmijnrechterteelbal[.]st (would not recommend pasting that into Google Translate during standup.)
    Same key material and HTTP C2 protocol as the original potassium.vitacoco...[.]st variant. 11-port random C2 rotation, spreading via ADB to Android TV boxes.
    IoCs:
    a87aa7995ee9996952edb323d703875812f71d08237756ab44367f10e6197c7e
    6833cb4681ac69281474be2c626df06cd90bb05bec72ae697cf219a6603826c9
    3f13e18e190a7fc4c795d7caa83534d2879376ce43fd1a9120f23e48639cfe85
    C2: ikhebkankerinmijnrechterteelbal[.]st → 34.245.45[.]153
    Dropper: 92.38.186[.]44 (HTTP + netcat :25565)
    #mirai #DDoS #threatintel
  • 0 Votes
    1 Posts
    0 Views
    orlysec@swecyb.com
    (socket.dev) Malicious Ruby Gems and Go Modules Impersonate Developer Tools to Compromise CI Environments and Steal Secrets
    New supply chain campaign by threat actor BufferZoneCorp targets dev/CI environments via malicious Ruby gems and Go modules. Packages like `knot-activesupport-logger` and `go-retryablehttp` deploy credential theft, GitHub Actions tampering, and SSH persistence.
    In brief - A multi-stage attack impersonates legitimate dev tools to harvest SSH/AWS/GitHub secrets, poison CI workflows, and establish persistence. Sleeper packages and typosquatting evade detection, exfiltrating data via hidden endpoints.
    Technically - Ruby gems use `extconf.rb` to steal env vars (e.g., `~/.ssh/id_rsa`, `~/.aws/credentials`) during install, exfiltrating JSON-encoded data to `webhook[.]site/49c21843...`. Go modules abuse `init()` to modify `GITHUB_ENV`, disable `GOSUMDB`, and inject fake `go` wrappers. One module appends hardcoded SSH keys to `authorized_keys`. Obfuscation includes decimal-encoded endpoints and fragmented env var names.
    Source: https://socket.dev/blog/malicious-ruby-gems-and-go-modules-steal-secrets-poison-ci
    #Cybersecurity #ThreatIntel
  • 0 Votes
    1 Posts
    0 Views
    orlysec@swecyb.com
    (therecord.media) Cybercriminals Hijack Cargo Shipments Through Load Board Fraud, FBI Warns of Multi-Million Dollar Thefts
    FBI warns of a 60% surge in cargo thefts (2025: $725M) via cyber-enabled load board fraud. Threat actors compromise freight broker/carrier accounts, post fraudulent listings, and divert shipments—often undetected until loss is reported. Tactics include social engineering, malicious links, FMCSA profile tampering, and ransom demands.
    In brief - Cybercriminals are hijacking cargo shipments by breaching load boards, impersonating brokers, and redirecting freight. The FBI reports $725M in losses (2025), with attacks involving phishing, double-brokering, and regulatory tampering to facilitate theft.
    Technically - Attackers compromise load boards via phishing/malicious links, then impersonate brokers or carriers to post fraudulent freight listings. Double-brokering inserts unauthorized stops, while FMCSA profile alterations enable unauthorized shipments. Ransom demands are delivered via email or overseas contacts. Compromised carriers often remain unaware until brokers report missing cargo.
    Source: https://therecord.media/hackers-earning-millions-from-hijacked-cargo-fbi
    #Cybersecurity #ThreatIntel