Cybersecurity Newsfeed - 18/05/26
Daily cybersecurity news covering vulnerabilities, adversaries, trends, breaches, and other notable security developments.
Vulnerabilities
- Nginx HTTP/3 Critical Memory Corruption (CVE-2026-42945): A critical heap-based buffer overflow vulnerability in Nginx's HTTP/3 module is under active exploitation. Attackers use specially crafted QUIC packets to trigger the flaw, enabling remote code execution on vulnerable web servers. With public proof-of-concept (PoC) code now published, automated scanners are actively identifying unpatched instances. Organizations are urged to update to Nginx version 1.27.4 or 1.28.1 immediately, or to disable HTTP/3 support as a temporary mitigation. More info More info
- Active Exploitation of Funnel Builder WordPress Plugin: Cybercriminals are actively exploiting a critical vulnerability in the Funnel Builder WordPress plugin. The flaw allows unauthenticated attackers to perform unauthorized file uploads and execute arbitrary code, leading to the injection of "Magecart-style" JavaScript e-skimmers on checkout pages that harvest customer credit card data in real time. Over 5,000 WooCommerce stores are estimated to be at risk. Administrators are urged to update to version 3.5.2 or higher immediately. More info More info More info
- Microsoft Declines CVE for Azure Automation Service Flaw: Microsoft has declined to issue a CVE for a critical privilege escalation vulnerability reported in Azure's automation service, asserting that it does not breach a security boundary. While researchers argue the risk of unauthorized internal tenant access is substantial, Microsoft maintains that existing configuration controls adequately mitigate the threat. More info
- CISA Adds New Enterprise Software Flaw to KEV Catalog: The Cybersecurity and Infrastructure Security Agency (CISA) has added a new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. Federal agencies must apply patches by the specified deadline, and private organizations are strongly encouraged to prioritize it. More info
- Pwn2Own Day Two Showcases Zero-Days: Security researchers demonstrated multiple zero-day vulnerabilities in Microsoft Exchange, Windows 11, and Red Hat Enterprise Linux. Highlights included a sophisticated Microsoft Exchange chain enabling remote code execution and complete system takeover, alongside Windows 11 kernel-level local privilege escalation bugs. More info
- Microsoft Warns of Exchange Server Zero-Day: Microsoft has issued an immediate warning regarding an Exchange Server zero-day vulnerability being exploited in targeted attacks via specially crafted emails to achieve remote code execution. While working on a patch, Microsoft has provided temporary URL rewrite mitigation rules. More info
- Google Patches Critical RCE Bugs in Chrome 148: Google released Chrome version 148, patching several critical flaws, including a high-severity use-after-free bug in the browser's rendering engine that could lead to remote code execution if a user visits a malicious website. More info
- "Claw Chain" Infrastructure Flaws Risk OpenClaw AI Servers: Vulnerabilities discovered in OpenClaw AI server infrastructure could allow unauthorized actors to bypass authentication protocols. This grants administrative access to AI training environments, risking the theft of proprietary models, training data poisoning, and exposure of confidential queries. More info
Adversaries
- Tycoon2FA Kit Uses Device Code Flow to Bypass MFA: The Tycoon2FA adversary-in-the-middle phishing kit has evolved to bypass multifactor authentication by leveraging Microsoft 365's device code flow. It tricks users into entering a unique code on a legitimate login page, allowing attackers to authorize their own devices, hijack active sessions, and extract emails and session cookies. More info
- Russian APT Turla Upgrades Kazuar Backdoor to P2P Botnet: The Russian state-sponsored threat group Turla has significantly transformed its Kazuar backdoor into a highly sophisticated, modular P2P botnet for long-term espionage. By shifting to decentralized peer-to-peer communication, enhanced obfuscation, and a complex plugin system (supporting keylogging and file manipulation), the group reduces reliance on static infrastructure and resists sinkholing efforts within government and military networks. More info More info
- China-Linked Threat Actors Deploy New "TencShell" Backdoor: State-sponsored Chinese threat actors are utilizing a sophisticated new malware strain named "TencShell" in espionage campaigns targeting government and telecommunications sectors in Southeast Asia. The backdoor uses custom encryption and multi-layer obfuscation to execute commands, upload files, and maintain long-term network presence. More info
- Ghostwriter Targets Ukrainian Officials with Phishing: The Ghostwriter threat group, linked to Belarusian or Russian interests, is launching a new wave of credential-theft and malware-delivery phishing campaigns. The attacks impersonate official state departments to target Ukrainian government officials for cyber-espionage and communication disruption. More info
- FamousSparrow Spies on Azerbaijani Energy Sector: The FamousSparrow APT group has initiated a multi-wave espionage campaign targeting the Azerbaijani energy sector. Exploiting unpatched server vulnerabilities to deploy custom backdoors, the group aims to exfiltrate strategic data to influence regional energy politics. More info
Trends
- Physical Phishing Letters Target Ledger Wallet Users: A high-effort social engineering campaign is targeting Ledger hardware wallet users via fraudulent letters mailed directly to their homes. Disguised as official Ledger security alerts, the correspondence includes a counterfeit, tampered replacement device with instructions to enter the 24-word recovery seed phrase into a malicious application, draining the victims' cryptocurrency. More info
- Hackers Combine PyInstaller and AMSI Patching for XWorm RAT: Attackers are distributing version 7.4 of the XWorm Remote Access Trojan (RAT) by packaging it with PyInstaller to complicate static analysis. The malware incorporates advanced in-memory Antimalware Scan Interface (AMSI) patching to bypass native Windows security features, enabling keylogging, file exfiltration, and secondary payload deployment. More info
- Microsoft Edge to Restrict Cleartext Passwords in Memory: Microsoft Edge is introducing a security feature that halts the practice of loading decrypted user credentials into RAM upon browser startup. By keeping passwords encrypted until an explicit autofill action occurs, the update significantly mitigates risks associated with memory-scraping malware. More info
- Gremlin Stealer Evolves Sandbox and Virtual Machine Evasion: Palo Alto Networks Unit 42 has detailed the evolution of Gremlin Stealer from a basic information collector into a sophisticated threat. The latest variants feature enhanced sandbox and virtual machine detection to evade analysis while ramping up exfiltration of Discord tokens, browser cookies, crypto wallets, and saved credentials via malicious advertisements. More info More info
- Remus Infostealer Emerges in the MaaS Market: Remus Infostealer has quickly gained traction as a prominent Malware-as-a-Service (MaaS) offering specializing in session hijacking and credential theft. Featuring a user-friendly dashboard for low-skilled operators, the malware receives rapid development updates specifically designed to bypass the latest browser security protections. More info
- "EvilTokens" Kit Spreads via Outlook Calendar Invites: A novel "CalPhishing" technique uses a phishing kit called "EvilTokens" to send fake Outlook calendar notifications to Microsoft 365 users. The embedded links lead to highly convincing login interfaces designed to steal active session tokens rather than standard credentials, allowing attackers to completely bypass multifactor authentication. More info
- "ConsentFix v3" Automates OAuth Abuse at Scale: Cybercriminals are turning to an automated tool named "ConsentFix v3" to abuse OAuth consent flows. The application automates the creation of malicious apps that trick users into granting permanent cloud environment permissions (e.g., Google or M365), allowing threat actors to retain access even if account passwords are reset. More info
Breaches & Leaks
- Grafana Labs Source Code Stolen Following Refused Ransom: Grafana Labs confirmed a security incident involving the theft of several gigabytes of internal development repositories and secrets by the "RansomHub" ransomware group. Grafana refused to comply with extortion demands and confirmed that customer data and cloud environments remain isolated and unaffected. More info
- OpenAI Impacted by TanStack Package Supply Chain Attack: OpenAI and at least one other major enterprise were impacted by a supply chain compromise involving malicious versions of popular TanStack packages uploaded to the npm registry. The contaminated packages contained obfuscated code designed to harvest developer environment variables and sensitive API keys. OpenAI responded by auditing internal dependency trees and rotating compromised credentials. More info More info
- Popular node-ipc npm Package Compromised: In another software supply chain blow, recent versions of the popular node-ipc npm package were compromised to inject credential-stealing code. The malicious modifications targeted developers in specific geographic regions to overwrite local files and exfiltrate environment configurations. Malicious versions have since been purged by maintainers. More info
