Fake OpenAI Hugging Face Repo Shows AI Supply Chain Risk Is Already Here
A fake OpenAI Privacy Filter repository on Hugging Face delivered Windows infostealer malware. Here is what SMB and gov-contractor defenders should take from it.
General CTI
MCP Server Command Injection Shows Why AI Tools Need Real Isolation
A critical GitHub advisory for @profullstack/mcp-server shows how unsafe AI tool endpoints can turn domain lookup functionality into unauthenticated remote code execution.
Dirty Frag Turns Linux Footholds Into Root: What Defenders Should Do Now
Microsoft is tracking active Dirty Frag Linux privilege escalation activity. Here is what SMB and gov-contractor defenders should prioritize now.
Prompt Injection Just Became an RCE Problem for AI Agents
Microsoft disclosed Semantic Kernel vulnerabilities showing how prompt injection can cross into code execution when AI agents are connected to unsafe tools. Here is what defenders should review now.
PAN-OS Captive Portal Zero-Day Shows Why Internet-Facing Edge Devices Need Immediate Review
Unit 42 reports limited exploitation of CVE-2026-0300, a PAN-OS Captive Portal zero-day. Here is what SMB and government-contractor defenders should check now.
PCPJack Shows Cloud Malware Is Moving From Cryptomining to Credential Theft
SentinelLabs reported PCPJack, a cloud-focused worm that evicts TeamPCP artifacts, steals credentials from exposed infrastructure, and spreads across cloud systems.
Critical Cisco IMC Authentication Bypass Grants Remote Attackers Admin Privileges
Cisco has released emergency security updates to patch a critical authentication bypass vulnerability in its Integrated Management Controller (IMC), a critical component embedded on the motherboard of Cisco UCS C-Series and E-Series servers that provides out-of-band management capabilities. The Vulnerability: CVE-2026-20093 Tracked as CVE-2026-20093, this maximum-severity flaw exists in the password change functionality of Cisco…
UAT-10608: NEXUS Listener Framework Compromises 766 Next.js Hosts in 24-Hour Credential Harvesting Blitz
Cisco Talos has disclosed a large-scale automated credential harvesting campaign carried out by a threat cluster they are tracking as “UAT-10608.” The systematic exploitation campaign leverages a custom framework called “NEXUS Listener” to target Next.js applications vulnerable to React2Shell (CVE-2025-55182), resulting in the compromise of at least 766 hosts within a 24-hour period. Key Findings…
ShinyHunters Breaches European Commission: 350GB of Sensitive Data Exfiltrated from AWS Cloud
The European Commission has confirmed a significant data breach after its Europa.eu web platform was compromised in a cyberattack claimed by the notorious ShinyHunters extortion gang. The attackers allegedly exfiltrated over 350GB of sensitive data from the Commission’s Amazon Web Services (AWS) cloud environment. Breach Discovery and Response The intrusion was detected on March 24,…
Oracle Issues Rare Out-of-Band Patch for Critical CVE-2026-21992 RCE in Identity Manager
Oracle has released an emergency out-of-band security patch for a critical unauthenticated remote code execution vulnerability affecting Oracle Identity Manager and Oracle Web Services Manager. Tracked as CVE-2026-21992 with a CVSS v3.1 score of 9.8, this flaw allows attackers to achieve full system compromise over HTTP without any authentication. The Vulnerability CVE-2026-21992 impacts two critical…