The Hacker News | #1 Trusted Source for Cybersecurity News

Ivanti is warning that a new security flaw impacting Endpoint Manager Mobile (EPMM) has been explored in limited attacks in the wild. The high-severity vulnerability, CVE-2026-6973 (CVSS score: 7.2), is a case of improper input validation affecting EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1. It allows "a remotely authenticated user with administrative access to achieve remote code execution," Ivanti said in an advisory released today. "We are aware of a very limited number of customers exploited with CVE-2026-6973. Successful exploitation requires Admin authentication. If customers followed Ivanti's recommendation in January to rotate credentials if you were exploited with CVE-2026-1281 and CVE-2026-1340 , then your risk of exploitation from CVE-2026-6973 is significantly reduced." It's currently not known who is behind the exploitation efforts, if any of those attacks were successful, and what the end goals of the attacks were. The devel...

Cybersecurity researchers have disclosed details of a new credential theft framework dubbed PCPJack that targets exposed cloud infrastructure and ousts any artifacts linked to TeamPCP from the environments. "The toolset harvests credentials from cloud, container, developer, productivity, and financial services, then exfiltrates the data through attacker-controlled infrastructure while attempting to spread to additional hosts," SentinelOne security researcher Alex Delamotte said in a report published today. PCPJack is specifically designed to target cloud services like Docker, Kubernetes, Redis, MongoDB, RayML, and vulnerable web applications, allowing the operators to spread in a worm-like fashion, aswell as move laterally within the compromised networks. It's assessed that the end goal of the cloud attack campaign is to generate illicit revenue for the threat actors through credential theft, fraud, spam, extortion, or resale of stolen access. The  What makes thi...

The hardest part of cybersecurity isn't the technology, it’s the people. Every major breach you’ve read about lately usually starts the same way: one employee, one clever email, and one "Patient Zero" infection. In 2026, hackers are using AI to make these "first clicks" nearly impossible to spot. If a single laptop gets compromised on your watch, do you have a plan to stop it from taking down the whole company? Register for the Webinar: The Patient Zero Playbook What is "Patient Zero"? In medicine, Patient Zero is the first person to carry a disease into a population. In cybersecurity, it’s the first device an attacker hits. Once they are "in," they don't stay there—they move fast to find your data, your passwords, and your backups. What You Will Learn Thisisn't a boring lecture. It is a technical deep dive into how modern breaches start and how to kill them instantly. We are covering: The AI Phish: How attackers use gene...

Palo Alto Networks has disclosed that threat actors may have attempted to unsuccessfully exploit a recently disclosed critical security flaw as early as April 9, 2026. The vulnerability in question is CVE-2026-0300 (CVSS score: 9.3/8.7), a buffer overflow vulnerability in the User-ID Authentication Portal service of Palo Alto Networks PAN-OS software that could allow an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted packets. While fixes are expected to be released starting May 13, 2026, customers are advised to secure access to the PAN-OS User-ID Authentication Portal by restricting access to trusted zones, or by disabling it entirely if it's not used. As additional mitigation, the company is recommending that organizations disable Response Pages in the Interface Management Profile for any L3 interface where untrusted or internet traffic can ingress. Customers with Advanced Threat Prevention can also block exploitation a...

Bad week. Turns out the easiest way to get hacked in 2026 is still the same old garbage: shady packages, fake apps, forgotten DNS junk, scam ads, and stolen logins getting dumped into Discord channels like it’s normal. Some of these attack chains don’t even feel sophisticated anymore. More like some tired guy with a Telegram account and too much free time. The worst part is how often this stuff still works. Meanwhile, AI tools are speeding up exploit hunting, browsers are keeping passwords sitting in memory for “performance reasons,” and even ransomware crews are pushing broken builds into the wild. Everybody’s scrambling to patch faster because attackers are automating faster. Anyway. ThreatsDay’s rough this week. Let’s get into it. Credential theft campaign New MicroStealer Spotted A new stealer called MicroStealer has been observed targeting education and telecom sectors to steal sensitive data. It was first observed in the wild in...

Having an incident response retainer, or even a pre-approved external incident response firm, is not the same as being ready for an incident. A retainer means someone will answer the phone. Operational readiness determines whether that team can do meaningful work the moment they do.  That distinction matters far more than many organizations realize. In the first hours of a security incident, attackers are not waiting for your identity team to provision emergency accounts, for legal to decide whether an outside firm can access sensitive systems, or for someone to figure out who owns the EDR console. Every delay gives the attacker more uninterrupted time in your environment. Every hour lost to logistics increases the likelihood of deeper compromise, broader impact, and more expensive recovery.  The same is true internally. An organization may have an incident response plan, a capable security team, and a list of escalation contacts, yet still be unprepared to respond under p...

Cybersecurity researchers have discovered three packages on the Python Package Index (PyPI) repository that are designed to stealthily deliver a previously unknown malware family called  ZiChatBot on Windows and Linux systems. "While these wheel packages do implement the features described on their PyPI web pages, their true purpose is to covertly deliver malicious files," Kaspersky  said . "Unlike traditional malware, ZiChatBot does not communicate with a dedicated command-and-control (C2) server, but instead uses a series of REST APIs from the public team chat app Zulip as its C2 infrastructure." The activity has been described as a "carefully planned and executed PyPI supply chain attack" by the Russian cybersecurity company. The names of the packages, which have since been taken down, are listed below - uuid32-utils (1,479 downloads) colorinal (614 downloads) termncolor (387 downloads) All three packages were uploaded to PyPI during a short wi...

A dozen critical security vulnerabilities have been disclosed in the vm2 Node.js library that could be exploited by bad actors to break out of the sandbox and execute arbitrary code on susceptible systems. vm2 is an open-source library used to run untrusted JavaScript code inside a secure sandbox by intercepting and proxying JavaScript objects to prevent sandboxed code from accessing the host environment. The security flaws are listed below - CVE-2026-24118 (CVSS score: 9.8) - A vulnerability that allows sandbox escape via "__lookupGetter__" and permits an attacker to run arbitrary code on the underlying host. (Affects versions <= 3.10.4, patches in 3.11.0) CVE-2026-24120 (CVSS score: 9.8) - A patch bypass for CVE-2023-37466 (CVSS score: 9.8) that could allow attackers to escape the sandbox through the species property of promise objects and execute arbitrary commands on the underlying host. (Affects versions <= 3.10.3, patched in 3.10.5) CVE-2026-24781 (CVSS ...

Cybersecurity researchers have exposed a new Mirai -derived botnet that self-identifies as xlabs_v1 and targets internet-exposed devices running Android Debug Bridge ( ADB ) to enlist them in a network capable of carrying out distributed denial-of-service (DDoS) attacks. Hunt.io, which detailed the malware, said it made the discovery after identifying an exposed directory on a Netherlands-hosted server at the IP address "176.65.139[.]44" without requiring any authentication. The malware supports "21 flood variants across TCP, UDP, and raw protocols, including RakNet and OpenVPN-shaped UDP, capable of bypassing consumer-grade DDoS protection," Hunt.io said, adding it's offered as a DDoS-for-hire service designed for targeting game servers and Minecraft hosts. What makes xlabs_v1 notable is that it seeks out Android devices running an exposed ADB service on TCP port 5555, meaning any gear that comes with the tool enabled by default, such as Android TV boxes,...

The Iranian state-sponsored hacking group known as MuddyWater (aka Mango Sandstorm, Seedworm, and Static Kitten) has been attributed to a ransomware attack in what has been described as a "false flag" operation. The attack, observed by Rapid7 in early 2026, has been found to leverage social engineering techniques via Microsoft Teams to initiate the infection sequence. Although the incident initially appeared to be consistent with a ransomware-as-a-service (RaaS) group operating under the Chaos brand, evidence points to it being a targeted state-backed attack that masquerades as opportunistic extortion. "The campaign was characterized by a high-touch social engineering phase conducted via Microsoft Teams , where the attackers utilized interactive screen-sharing to harvest credentials and manipulate multi-factor authentication (MFA)," Rapid7 said in a report shared with The Hacker News. "Once inside, the group bypassed traditional ransomware workflows, for...

For nearly 20 years, we at The Hacker News have mostly told scary stories about cyberspace — big hacks, broken systems, and new threats. But behind every headline, there’s a quieter, better story. It’s the story of leaders making tough calls under pressure, teams building smarter defenses, and security products that keep hunting threats 24/7 — even when it’s hard. Most of the time, this work is invisible. When everything goes perfectly, nothing happens. The world just stays safe, and no one notices. Today, we want the world to notice. Introducing the CyberStars Awards 2026 We are launching the  Cybersecurity Stars Awards 2026 , a global program that recognizes excellence across the cybersecurity industry and highlights outstanding work that often goes unnoticed. Submissions are now open, and companies, products, and professionals can apply via the official awards portal: https://awards.thehackernews.com/ We don’t just want to report the news anymore. We want to recognize t...

Analysts recently confirmed what identity security teams have quietly feared: AI agents are being deployed faster than enterprises can govern them. In their inaugural Market Guide for Guardian Agents, Gartner states that “enterprise adoption of AI agents is accelerating, outpacing maturity of governance policy controls.” Enterprise leaders can request access to the Gartner Market Guide for Guardian Agents , available complimentary from Orchid Security. The challenge is not simply one of tooling. It is a structural gap in how identity has been managed over the past decades. Traditional identity and access management were designed for human users to log in and out of systems. AI agents operate differently — they run continuously, span multiple applications, acquire permissions opportunistically, and generate activity at machine speed. The result is yet another form of what Orchid Security calls "identity dark matter": an invisible and unmanaged layer of identity activity op...