Metro4Shell: Critical React Native CLI Vulnerability Actively Exploited to Deploy Malware

Threat actors are actively exploiting a critical remote code execution vulnerability in the popular @react-native-community/cli npm package, impacting countless mobile application developers worldwide.

The Vulnerability: CVE-2025-11953

Dubbed Metro4Shell, this critical vulnerability (CVSS 9.8) affects the Metro Development Server bundled with the React Native CLI. The flaw allows remote unauthenticated attackers to execute arbitrary operating system…

Google Warns of Sustained Russia and China Cyberattacks Targeting Defense Industrial Base

Google Threat Intelligence Group (GTIG) has published a comprehensive report revealing persistent cyber operations targeting the defense industrial base (DIB) from Russia and China-linked threat actors. The findings detail how state-sponsored hackers are exploiting everything from battlefield messaging apps to edge network devices to compromise defense contractors, military personnel, and the broader supply chain. Key…

BridgePay Ransomware Attack Forces Nationwide Cash-Only Payment Disruption

A major ransomware attack on BridgePay Network Solutions has caused a nationwide payment processing outage, forcing merchants across the United States to switch to cash-only operations and disrupting card transactions for municipalities and businesses alike.

Ransomware Confirmed Within Hours

BridgePay confirmed late Friday, February 6, 2026, that ransomware was responsible for the incident that began…

Flickr Data Breach Exposes User Information Through Third-Party Email Vendor Vulnerability

Photo and video sharing service Flickr has disclosed a data security incident where user personal information was potentially exposed through a vulnerability at a third-party email service provider. The San Francisco-based platform confirmed on February 5, 2026, that the breach may have compromised sensitive user data while passwords and payment information remained secure. Incident Timeline…


Ransomware Gangs Abuse ISPsystem VMmanager to Hide Malicious Infrastructure at Scale

Ransomware operators are increasingly exploiting legitimate virtual infrastructure management platforms to host and deliver malicious payloads at scale, effectively hiding their command-and-control infrastructure among thousands of innocuous systems.

The Discovery

Researchers at cybersecurity firm Sophos uncovered this concerning trend while investigating recent WantToCry ransomware incidents. They discovered that attackers were using Windows virtual machines with…

EnCase Forensic Driver Weaponized: BYOVD Attack Targets 59 EDR Tools Through SonicWall VPN Breach

Security researchers at Huntress have documented a sophisticated intrusion where threat actors leveraged compromised SonicWall SSLVPN credentials to deploy a custom EDR killer that abuses a legitimate forensic driver from Guidance Software’s EnCase to terminate security processes from kernel mode.

Attack Overview

The attack, disrupted in early February 2026 before ransomware deployment, demonstrates a growing…

AI-Powered Attack Achieves AWS Admin Access in Under 10 Minutes: A New Era of Automated Intrusions

In a stark demonstration of how artificial intelligence is transforming the cybersecurity threat landscape, the Sysdig Threat Research Team (TRT) has documented a sophisticated cloud intrusion where attackers achieved full administrative control of an AWS environment in less than 10 minutes — with strong evidence that large language models (LLMs) were used to automate the…
