Ticker feed
A sophisticated threat actor called UAT-8616 is actively exploiting a critical authentication bypass vulnerability (CVE-2026-20182) in Cisco's SD-WAN controllers. The bug earned a perfect 10/10 severity score, allowing attackers to gain administrative access without authentication.
This marks the second major Cisco SD-WAN vulnerability this year. In February, the same threat group exploited a nearly identical flaw (CVE-2026-20127) for years before detection. UAT-8616 appears undeterred by patches, quickly moving to exploit new vulnerabilities in the same product line.
The group targets critical infrastructure organizations, using compromised controllers to establish persistent access and escalate to root privileges. Researchers suggest potential Chinese state-sponsored connections. Cisco has released patches, but the pattern of recurring vulnerabilities in centralized network infrastructure highlights ongoing security challenges.
Source: Dark Reading
Electronics giant Foxconn, Apple's primary iPhone assembler, confirmed a cyberattack disrupted its North American factories. The Nitrogen ransomware group claims responsibility, allegedly stealing 8 terabytes of data across 11 million files containing confidential projects from Intel, Apple, Google, Dell, and Nvidia.
Foxconn's cybersecurity team quickly implemented measures to maintain production and delivery. The company said affected factories resumed normal operations as of Tuesday, though it didn't specify when the attack occurred or which systems were compromised.
Nitrogen, active since 2023, typically steals data before encrypting systems to maximize pressure on victims. However, security experts question whether the group is inflating its data theft claims to demand higher ransoms. The Taiwan-based manufacturer operates factories across Mexico, Wisconsin, Ohio, Texas, Virginia, and Indiana.
Source: CyberScoop
A frustrated security researcher has released two dangerous zero-day exploits targeting Windows systems after a dispute with Microsoft. The most severe, dubbed "YellowKey," completely bypasses BitLocker encryption on Windows 11 and Server 2022/2025 systems within minutes using just a USB stick or direct drive access.
The second exploit, "GreenPlasma," enables privilege escalation through the Windows CTFMON service, potentially giving attackers system-level control. Windows 10 is unaffected by YellowKey because its recovery architecture differs from that of Windows 11 and Server 2022/2025.
Microsoft hasn't patched these vulnerabilities yet. Security experts recommend using BitLocker PINs, strong BIOS passwords, and monitoring physical hardware access as immediate protection measures.
Source: Cyber Security News
A massive cyberattack called "mini Shai-Hulud" infected hundreds of popular open-source software packages, including TanStack's React Router with over 12 million weekly downloads. The malware, created by cybercriminal group TeamPCP, steals credentials from cloud services like AWS and Google Cloud by hijacking automated publishing systems.
The attack bypassed two-factor authentication and carried valid digital signatures, making it nearly undetectable. The malware embeds itself in developer tools like Visual Studio Code and disguises stolen data as anonymous messaging traffic through the Session app.
Security experts urge anyone who downloaded affected packages on Monday to immediately change all cloud, server, and developer credentials. The incident exposes critical vulnerabilities in how the software industry consumes open-source code.
Source: CyberScoop
A new campaign of Mini Shai-Hulud malware is spreading through npm packages, targeting the TanStack developer ecosystem with hundreds of compromised packages. Security researchers from Socket and Aikido discovered 373 malicious package entries across 169 npm packages, with evidence suggesting the actual number could be double that.
The worm-like malware steals developer credentials from machines and CI/CD systems, then uses those credentials to infect more packages automatically. What makes this wave particularly dangerous is its abuse of trusted publishing workflows: it hijacks legitimate GitHub Actions workflows to push Trojanized updates that appear authentic.
Attributed to the TeamPCP threat group, this evolved variant uses obfuscated JavaScript and targets build systems more aggressively than previous versions. Developers should immediately scan publishing logs, rotate credentials, and enable provenance verification to protect their projects.
Source: Dark Reading
TeamPCP hackers compromised over 170 packages across major software projects on May 11, including 42 TanStack packages, 65 UiPath packages, and Mistral AI's PyPI packages. The "Mini Shai-Hulud" attack exploited three security weaknesses to hijack TanStack's CI/CD pipeline and publish malicious packages that appeared legitimate with valid SLSA provenance certificates.
The malware steals developer credentials, API keys, cryptocurrency wallets, and cloud secrets. It spreads by using stolen tokens to publish infected versions of packages. For the first time, attackers targeted password managers like 1Password and Bitwarden, and used the decentralized Session network for harder-to-disrupt data exfiltration.
Users should immediately check for compromised package versions, rotate all credentials, and audit their GitHub Actions configurations.
Source: SecurityWeek
Google's Threat Intelligence Group discovered that cybercriminals had successfully created a working zero-day exploit with AI assistance. The Python-based attack bypassed two-factor authentication in a popular web administration tool and showed clear signs of AI generation, including educational code comments and textbook-style structure.
State-sponsored groups from China and North Korea are systematically using AI to find vulnerabilities at scale. Most alarming is PROMPTSPY, an Android backdoor that integrates Google's Gemini API to autonomously navigate victim devices through AI-generated commands.
Russian hackers deployed AI-enabled malware with LLM-generated decoy code to fool security analyzers. Criminal groups are building sophisticated systems to bypass AI safety measures and exploit stolen credentials through ransomware partnerships.
Google responded by disabling malicious accounts and deploying defensive AI agents to identify and patch vulnerabilities automatically.
Source: Cybersecurity News
Checkmarx warned users Friday that hackers published a malicious version of its Jenkins AST plugin to the Jenkins Marketplace. The compromised plugin, which integrates Checkmarx One security scanning into Jenkins pipelines, was part of an ongoing supply chain attack that began in March.
The company urged users to update to version 2.0.13-829.vc72453fa_1c16 from December 2025, and released two newer versions over the weekend. The latest version, 2.0.13-848.v76e89de8a_053, is now available on GitHub and Jenkins Marketplace.
This incident stems from the Trivy supply chain attack, where TeamPCP hackers accessed Checkmarx repositories and published malicious artifacts. The Lapsus$ group later released stolen company data.
Source: SecurityWeek
Researchers at Israel's Ben-Gurion University have developed ODINI, a proof-of-concept malware that extracts data from air-gapped computers even when protected by Faraday cages. The malware manipulates CPU workloads to generate low-frequency magnetic fields that penetrate metal shielding.
ODINI transmits stolen passwords, tokens, and encryption keys at 40 bits per second to receivers positioned 100-150 centimeters away. A variant called MAGNETO uses smartphone magnetometers as receivers, working at distances up to 12.5 centimeters at 5 bits per second.
Standard Faraday cages can't block these low-frequency transmissions. Defense options include expensive mu-metal shielding, magnetic field jammers, or strict policies banning electronic devices near sensitive systems.
Source: Cybersecurity News
The hacking group ShinyHunters attacked Canvas, the academic software used by thousands of schools, disrupting approximately 9,000 institutions across the US, Canada, and Australia during critical end-of-year exams.
Students at Mississippi State University were mid-exam when ransom notes suddenly appeared on their screens, demanding bitcoin payment and threatening to release stolen data. The university postponed Friday's finals to help students recover lost work.
Major universities including Penn State, University of Sydney, and UCLA cancelled or rescheduled exams as Canvas remained largely offline. By Thursday evening, owner Instructure reported the platform was "available for most users," though many schools still experienced outages Friday.
Students expressed anxiety about completing coursework and potential data breaches, while universities scrambled to communicate updates and reschedule critical assessments during this high-stakes academic period.
Source: BBC