The Hacker News | #1 Trusted Source for Cybersecurity News

An unknown threat actor has been observed using a large language model (LLM) agent to conduct post-compromise actions after obtaining initial access following the exploitation of a publicly-accessible Marimo network using a recently disclosed vulnerability. "The attacker compromised an internet-reachable Marimo notebook via CVE-2026-39987, extracted two cloud credentials from the compromised host, replayed them through a fanned-out egress pool to retrieve an SSH private key from AWS Secrets Manager, and used that key to drive eight short SSH sessions against a downstream SSH bastion server," Sysdig said . "The bastion phase exfiltrated the schema and full contents of an internal PostgreSQL database in under two minutes." CVE-2026-39987 refers to a critical pre-authenticated remote code execution vulnerability impacting all versions of Marimo prior to and including 0.20.4. It allows an unauthenticated attacker to execute arbitrary system commands. The issue...

A previously undocumented threat actor dubbed GREYVIBE has been attributed to ongoing and persistent attacks targeting Ukraine and Ukraine-related entities since at least August 2025. GREYVIBE, per WithSecure, is assessed to be a Russian-speaking group operating broadly in the Russian time zone, with the activities aligning with Kremlin state interests, specifically when it comes to intelligence gathering efforts aimed at Ukraine in the context of the ongoing Russo-Ukrainian war. "The group has leveraged multiple attack vectors, including spear-phishing e-mails, fake captcha pages, and fraudulent Ukrainian adult club websites, to deliver malware to a diverse set of victims," WithSecure researcher Mohammad Kazem Hassan Nejad said in an analysis. "Across these campaigns, the group has relied on custom-developed obfuscators, loaders, and malware." The victimology footprint spans military, government, civilian, and business-related organizations. GREYVIBE, its ...

Shadow AI used to mean employees pasting things they shouldn't into ChatGPT. It now means something bigger: employees building full applications with AI, wiring them into production systems, and publishing them on the open internet. Without Security or IT in the loop. The artifact moved from a prompt to a product. The risk surface moved with it. In The Shadow Builders report ( get it here ), a new category-level investigation covered in May by Axios, WIRED, and VentureBeat, Red Access identified more than 380,000 publicly accessible web assets across the leading vibe-coding platforms. Roughly 5,000 looked corporate. More than 2,000 of those held sensitive corporate, operational, or personal data - sitting on the open web, deployed without basic access controls, often granting admin access by default to anyone who reached the URL. Six continents. Every industry is examined. No exploitation required. Inside organizations, passing their audits while these exposures were live...

Cybersecurity researchers have discovered a malicious NuGet package that masquerades as a C# software development kit for Sicoob, one of Brazil's largest cooperative financial systems, to siphon client IDs and PFX certificates. According to Socket , versions 2.0.0 through 2.0.4 of " Sicoob.Sdk " contain functionality to exfiltrate sensitive information, including PFX certificates that are used to authenticate businesses with the Sicoob banking network in order to automate banking operations, such as processing instant payments and generating dynamic Pix QR codes. The package is estimated to have been downloaded nearly 500 times. "When a developer instantiates SicoobClient with a client ID, a PFX file path, and a PFX password, the package reads the PFX file from disk, Base64-encodes its contents, and sends the supplied client ID, PFX password, and encoded PFX data to a hardcoded third-party Sentry endpoint," security researcher Kirill Boychenko said. In ad...

The North Korean state-sponsored threat actor known as Kimsuky (aka Velvet Chollima) has been attributed to a fresh set of cyber attacks targeting South Korean military and corporate entities through March and April 2026. "Kimsuky employed a range of tailored social engineering tactics, such as spoofing security software installation pages and crafting a fake Webex meeting page that leveraged a legitimate meeting schedule," ENKI said in an analysis published this week. The attacks have been found to deliver a variant of a known malware family dubbed HTTPSpy by disguising it as installers from South Korean security software, a tactic the threat actor has consistently adopted since 2023. In the latest campaign observed in March 2026, the adversary has been found to propagate malicious payloads through a bogus web page impersonating the security software installation page of a South Korean B2B messaging service. Given the nature of the lure, it's suspected that...

A critical security vulnerability has been disclosed in Gogs, a popular open-source self-hosted Git service, that allows an authenticated user to execute arbitrary code under certain conditions. The security flaw, per Rapid7, is rated 9.4 on the CVSS scoring system. It does not have a CVE identifier. "The vulnerability allows any authenticated user to achieve remote code execution (RCE) on the server by creating a pull request with a malicious branch name that injects the --exec flag into git rebase during the 'Rebase before merging' merge operation," security researcher Jonah Burgess said . Rebasing is a Git action that's used to take a sequence of commits from one feature branch and replay them on top of another base branch to create a linear project history. While "git rebase" solves the same problem as "git merge" -- i.e., integrating changes from one branch into another -- the former rewrites the project history by creating new c...

Threat actors are continuing to exploit a critical, now-patched security flaw impacting FortiClient Endpoint Management Server (EMS) deployments to deliver credential-stealing malware. "The campaign abused trusted endpoint management infrastructure to deliver malware across managed endpoints," Arctic Wolf said . "Threat actors disguised the credential stealer payload as a Fortinet endpoint update, silently executing the malicious executable through PowerShell." The activity, observed by the cybersecurity company in May 2026, involves the exploitation of CVE-2026-35616 (CVSS score: 9.1), a critical pre-authentication API access bypass leading to privilege escalation. The issue was addressed by Fortinet in FortiClient EMS 7.4.7 and later. A successful compromise is followed by the threat actor taking steps to modify configurations to defer firmware upgrade reminders, as well as modifying a Remote Access Profile configuration and endpoint policy to insert a mal...

Microsoft has come out strongly in favor of Coordinated Vulnerability Disclosure (CVD), urging the research community to share their findings and give affected vendors an opportunity to better understand the impact and address them before they are publicly disclosed. The development comes after a researcher named Chaotic Eclipse (aka Nightmare-Eclipse) disclosed details of multiple zero-day vulnerabilities affecting various Windows components, including Defender and BitLocker, over the past month, citing a breakdown in Microsoft's handling of the vulnerability disclosure process. "In recent weeks, several zero-day vulnerabilities have been publicly disclosed," the tech giant said . "The details of these vulnerabilities were not shared with Microsoft prior to release, and the disclosures put our customers at unnecessary risk." "In response to the unnecessary risk created by these disclosures, our security teams have been working around the clock to ...

Every time you think the industry has finally stopped doing some reckless, low-effort crap, somebody spins up a fresh box full of sketchy loaders, fake installers, recycled social-engineering bait, and enough exposed infrastructure to make you wonder if prod is just a public beta now - meanwhile some researcher casually drops a technique that turns a "minor" foothold into total account compromise because apparently six digits and blind trust were all that stood between your vault and getting absolutely pwned. Cool. Great. Love that for us. Then there's the supply chain mess... signed binaries, poisoned updates, legit tooling getting hijacked like it's still 2017, plus a few reports this week that feel less like advanced tradecraft and more like watching skiddies discover low-hanging fruit with enterprise branding slapped on top. The weird part isn't that it works. The weird part is how damn easy it still is. Anyway. Grab caffeine. Let's get into it. ...

State of AI Usage Report 2026 ( full report here ) by LayerX Security reveals the extent of the enterprise AI visibility gap and why most organizations still don't understand where their AI exposure is actually coming from. The research shows that enterprise AI risk is not distributed evenly across users or platforms. Instead, it is heavily concentrated among a small group of AI power users and a handful of dominant AI platforms that drive the majority of enterprise AI activity and sensitive data exposure. At the same time, AI usage is rapidly fragmenting across personal accounts, AI browser extensions, embedded copilots, AI connectors, and secondary AI tools operating outside traditional visibility and governance controls. The result is a fragmented AI ecosystem that most organizations still cannot fully see or govern. While AI Is Everywhere in the Enterprise, Most Employees Are Casual The common perception is that "everyone uses AI now". The report paints a much ...

A new campaign orchestrated by a previously undocumented threat actor has targeted cryptocurrency organizations with an aim to facilitate digital asset theft using recruitment-themed social engineering and bespoke macOS malware. "These campaigns leveraged sophisticated social engineering techniques, custom macOS malware, and deep targeting of CI/CD infrastructure," Wiz researchers Shira Ayal, Eden Abergil, Andre Maccarone, Yuval Dan, and Benjamin Read said . "The used methods enabled the threat actor to move laterally from compromised employee laptops to code distribution systems and development infrastructure." The Google-owned cloud security company is tracking the activity under the moniker JINX-0164 . The threat actor is assessed to be active since at least mid-2025 and motivated by financial gain, targeting developers through recruitment-themed and other social engineering techniques to siphon cryptocurrencies. In at least one case, the adversary is said t...

Latin America and Europe become the target of two banking trojan campaigns that are designed to infect Windows and Android devices with Grandoreiro and BTMOB malware, respectively. That's according to new findings from WatchGuard and ESET, which have observed the two malware families being used to single out companies in Spain, Portugal, and Mexico, as well as mobile users in Brazil. The Grandoreiro campaign "uses the DLL Side-Loading technique abusing four different software, targeting banks in Portugal," WatchGuard researcher Euler Neto said . Active since 2016, Grandoreiro is an actively evolving banking malware that's capable of stealing credentials associated with thousands of financial institutions across 45 countries and territories. It's typically distributed via phishing emails, instructing recipients to click on sketchy links. Despite some arrests and attempts by Brazilian authorities to dismantle its infrastructure in early 2024, the malware h...