Cyber Threat Intelligence Specialist & STIX Evangelist - Tweets about #ThreatIntelligence #Malware #Ransomware #ThreatHunting #FINCrime ~ pronouns:He/Him

Joined June 2012
AdamTheAnalyst retweeted
🚨 BREAKING: Active supply chain attack across npm, PyPI, and Crates.​io. Socket detected TrapDoor, a crypto stealer campaign hitting 34 malicious packages and 384 versions and artifacts, with attackers repeatedly pushing new releases across ecosystems. TrapDoor targets #crypto, #DeFi, AI, and security developers, stealing wallets, SSH keys, cloud credentials, GitHub tokens, browser data, env vars, and API keys. Socket detected releases with a median detection time of 5 minutes, 27 seconds. The fastest detection occurred 58 seconds after publication.
AdamTheAnalyst retweeted
🚨Alert🚨 CVE-2026-1731 (CVSS 9.9): Remote code execution in Remote Support (RS) and Privileged Remote Access (PRA) 📊 2.5M services are found on hunter.how yearly. 🔗Hunter Link:hunter.how/list?searchValue=… 👇Query HUNTER : product.name="BeyondTrust Privileged Remote Access"||product.name="BeyondTrust Remote Support" 📰Refer:beyondtrust.com/trust-center… #hunterhow #infosec #infosecurity #OSINT #Vulnerability
AdamTheAnalyst retweeted
⚠️ Cloudflare Zero-Day Vulnerability Enables Any Host Access Bypassing Protections Source: cybersecuritynews.com/cloudf… A critical zero-day vulnerability in Cloudflare's Web Application Firewall (WAF) allowed attackers to bypass security controls and directly access protected origin servers through a certificate validation path. The requests targeting the /.well-known/acme-challenge/ directory could reach origins even when customer-configured WAF rules explicitly blocked all other traffic. The vulnerability was detected while reviewing applications where WAF configurations blocked global access and permitted only specific sources. #CybersecurityNews #vulnerabilitynews
AdamTheAnalyst retweeted
1 Nov 2025
From LNK to PlugX: Tracking UNC6384’s Zero-Day Abuse Chain arcticwolf.com/resources/blo… Chinese threat actor UNC6384 is actively exploiting a newly disclosed Windows LNK zero-day vulnerability (ZDI-CAN-25373) to target European diplomats with PlugX malware via Canon DLL sideloading, as reported by Arctic Wolf Labs. The initial stage involves a malicious LNK file embedded in EU/NATO-themed spearphishing emails—making early detection of shortcut file execution a critical warning signal. I’ve authored a Microsoft Defender XDR detection rule to catch this abuse chain and help teams stay ahead.🤝 #Cybersecurity #ZeroDay #ZDICAN25373
AdamTheAnalyst retweeted
3 Oct 2025
Proactive detection for UNC6040 (aka ShinyHunters) cloud.google.com/blog/topics… Google's Threat Intelligence Group outlines security strategies to defend against UNC6040, a financially motivated threat actor using voice phishing (vishing) to compromise Salesforce environments. The attackers trick users into approving malicious connected apps, enabling data theft. The blog provides proactive hardening measures, logging protocols, and detection techniques to protect SaaS platforms, especially Salesforce. Below is a Sentinel KQL detection for UNC6040 built based on the GTIG report. detections.ai/share/rule/5LA… #Cybersecurity #UNC6040 #ShinyHunters
AdamTheAnalyst retweeted
20 Aug 2025
🚨 SpyVPN Alert FreeVPN.One, a Chrome extension with 100K installs & a “Verified” badge, was caught secretly capturing screens & sending data to its servers. koi.security/blog/spyvpn-the… I built a KQL to track screenshot activity via MDE—great for spotting suspicious apps. detections.ai/share/rule/sKj… #CyberSecurity #DataExfiltration #MDE #KQL
AdamTheAnalyst retweeted
Windows lateral movement quick reference #ThreatHunting #DFIR
AdamTheAnalyst retweeted
9 Aug 2025
🚨 CVE-2025-8088: WinRAR Zero-Day Used to Deploy RomCom Backdoors ESET has identified spearphishing campaigns leveraging malicious RAR attachments to exploit CVE-2025-8088—a WinRAR zero-day vulnerability. This technique delivers RomCom backdoors, attributed to threat actor Storm-0978 (aka Tropical Scorpius / UNC2596). bleepingcomputer.com/news/se… To support fellow Defenders, I’ve crafted a KQL detection to surface indicators of this exploitation. It’s designed to help identify Storm-0978 activity until your infrastructure team rolls out the necessary patch. detections.ai/share/rule/MDr… #Cybersecurity #WinRaRZeroDay #Storm0978
AdamTheAnalyst retweeted
Customer guidance for SharePoint vulnerability CVE-2025-53770
Microsoft is aware of active attacks targeting on-premises SharePoint Server customers, exploiting a variant of CVE-2025-49706. This vulnerability has been assigned CVE-2025-53770. We have outlined mitigations and detections in our blog. Our team is working urgently to release a security update and will share more details as they become available. Read the full guidance in our blog: msft.it/6013s8oCc
AdamTheAnalyst retweeted
14 Jul 2025
DMARC can reveal more domains associated with a target. dmarc.live/info/<target-domain> allows you to find domains using the same DMARC record. Check it out 👇 There's also a python tool: github.com/Tedixx/dmarc-subd…
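The pivot described in the post above, shared DMARC reporting addresses as a link between domains, as an added example that is not the tweet author's tool nor the dmarc.live service or the linked GitHub project. The domains and TXT records below are constructed for illustration; a live version would fetch the TXT record at `_dmarc.<domain>` for each candidate. The `ignore_hosts` parameter is the caveat a practitioner needs: many unrelated organisations send reports to the same third-party DMARC vendor mailbox, so only addresses under the target's own infrastructure (or a vendor token unique to the target) are a reliable pivot.

```python
"""Pivot from one domain to related domains via shared DMARC rua=/ruf= addresses.
Added example with constructed records; not real DNS data."""
from __future__ import annotations

from collections import defaultdict


def parse_dmarc(txt: str) -> dict[str, str]:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; rua=...') into tag -> value."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def is_dmarc(txt: str) -> bool:
    return parse_dmarc(txt).get("v", "").upper() == "DMARC1"


def reporting_addresses(txt: str) -> set[str]:
    """mailto: targets from rua= and ruf=, lower-cased, '!size' suffix removed."""
    addrs: set[str] = set()
    tags = parse_dmarc(txt)
    for tag in ("rua", "ruf"):
        for uri in tags.get(tag, "").split(","):
            uri = uri.strip()
            if not uri.lower().startswith("mailto:"):
                continue
            addr = uri[len("mailto:"):].split("!", 1)[0].strip().lower()
            if "@" in addr:
                addrs.add(addr)
    return addrs


def cluster_by_reporting_address(
    records: dict[str, str], ignore_hosts: frozenset[str] = frozenset()
) -> dict[str, list[str]]:
    """Map each reporting address to the sorted domains using it (2+ domains only).

    ignore_hosts drops addresses at shared DMARC vendors, which would otherwise
    link every customer of that vendor to each other."""
    clusters: dict[str, set[str]] = defaultdict(set)
    for domain, txt in records.items():
        if not is_dmarc(txt):
            continue
        for addr in reporting_addresses(txt):
            if addr.rsplit("@", 1)[1] in ignore_hosts:
                continue
            clusters[addr].add(domain.lower())
    return {addr: sorted(doms) for addr, doms in clusters.items() if len(doms) > 1}


def related_domains(
    target: str, records: dict[str, str], ignore_hosts: frozenset[str] = frozenset()
) -> set[str]:
    """Domains other than target that share at least one reporting address with it."""
    target = target.lower()
    related: set[str] = set()
    for domains in cluster_by_reporting_address(records, ignore_hosts).values():
        if target in domains:
            related.update(d for d in domains if d != target)
    return related


# Constructed sample records for hypothetical domains (not real DNS answers).
SAMPLE_RECORDS = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com!10m; ruf=mailto:dmarc-ruf@example.com; fo=1",
    "example-payments.net": "v=DMARC1; p=quarantine; rua=mailto:dmarc-rua@example.com",
    "example-brand.org": "v=DMARC1; p=none; rua=mailto:reports@dmarc-vendor.example, mailto:DMARC-RUA@example.com",
    "unrelated.example": "v=DMARC1; p=none; rua=mailto:reports@dmarc-vendor.example",
    "nodmarc.example": "v=spf1 -all",  # an SPF record published where DMARC was expected
}
# Hypothetical shared vendor whose mailbox must not be used as a pivot.
VENDOR_HOSTS = frozenset({"dmarc-vendor.example"})

if __name__ == "__main__":
    for addr, domains in cluster_by_reporting_address(SAMPLE_RECORDS).items():
        print(f"{addr} <- {', '.join(domains)}")
    print("related to example-brand.org (vendor mailbox ignored):",
          sorted(related_domains("example-brand.org", SAMPLE_RECORDS, VENDOR_HOSTS)))
```

Without `VENDOR_HOSTS`, example-brand.org would also be linked to unrelated.example purely because both report to the same vendor; with it, only the example.com-hosted address remains as evidence of a relationship.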
AdamTheAnalyst retweeted
🔥 The NEW #CTI Cheat Sheet by @likethecoins & Rebekah Brown is now available! Packed w/ frameworks & methodologies this guide simplifies threat modeling, tackles cognitive biases, & sharpens your analysis. 📥 Download your FREE copy: sans.org/u/1zTr #ThreatIntel #DFIR
AdamTheAnalyst retweeted
26 Dec 2024
CyberHaven malicious extension (24.10.4) details 🧵 A new content script was added to the extension manifest which runs at the start of every webpage
AdamTheAnalyst retweeted
Cyberhaven breach reported. Employee phished and pushed malicious chrome extension. Command and Control: 149.28.124.84 cyberhavenext[.]pro File Hashes: content.js AC5CC8BCC05AC27A8F189134C2E3300863B317FB worker.js 0B871BDEE9D8302A48D6D6511228CAF67A08EC60
AdamTheAnalyst retweeted
This hack is brilliant, APT28 hopping into a target environment over wifi by compromising neighbouring companies and finding a dual-homed host within range. volexity.com/blog/2024/11/22… And yet... they got caught doing this!
Shout out to all the Windows tech's going round deleting C-00000291*.sys on critical systems this morning. #ThoughtsAndPrayers
AdamTheAnalyst retweeted
26 Mar 2024
A Chinese military training site in China's Inner Mongolia region is an exact replica of the road network near Taiwan's Presidential Palace. Make no mistake: China fully plans to invade Taiwan in a geopolitical play that will unbalance the region.
AdamTheAnalyst retweeted
I have created a YARA rule to detect binaries that are signed with a potentially compromised AnyDesk signing certificate (if the PE header info isn't AnyDesk -> other binaries signed with the compromised cert) #100DaysOfYARA #AnyDesk github.com/Neo23x0/signature…
AdamTheAnalyst retweeted
🚩 This is worrying and continues to increase: multiple threat actors, including ransomware operators and initial access brokers, are abusing the @GoogleAds service, but at a higher level. Attackers manage to show the original domain (URL) in the malicious ads, which is eventually displayed to thousands of potential victims on Google's main results page. Three recent examples, thanks to intel from Colin Cowie (Sophos) and Jérôme Segura (Malwarebytes) 👏 1.- #Pikabot (I think this is new 👀) ▪ infosec.exchange/@th3_protoC… 2.- #BatLoader ▪ infosec.exchange/@th3_protoC… 3.- #FakeBat Hunting Panel: ▪ malwarebytes.com/blog/threat… 🚨 DON'T TRUST Ads, be cautious, investigate, confirm.
Super simple email hunting ideas if you want to lose an afternoon: - Emails containing the base64 encoded email of the recipient in the body - Emails containing links to IPFS platforms like cloudflare-ipfs[.]com - Emails with a subject containing the recipient email local-part
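The three hunting ideas in the post above as runnable checks over constructed sample messages, added here as an example rather than the author's own queries. It goes one step beyond the first idea: a recipient address is rarely base64-encoded on its own, it is usually embedded in a larger token or URL fragment, so the check generates the base64 fragments the address produces at all three byte alignments instead of matching only the standalone encoding. The IPFS gateway host list, the sample CIDs and the sample mailbox are assumptions for illustration, not data from the post.

```python
"""Mailbox hunting heuristics: base64-encoded recipient in body, IPFS gateway links,
recipient local-part in subject. Added example over constructed messages."""
import base64
import re
from dataclasses import dataclass

# Illustrative list of public IPFS gateway hosts (assumption; extend for your environment).
# Subdomain-gateway URLs such as <cid>.ipfs.dweb.link match via the suffix test below.
IPFS_GATEWAY_HOSTS = (
    "cloudflare-ipfs.com", "ipfs.io", "dweb.link",
    "gateway.pinata.cloud", "nftstorage.link", "w3s.link",
)
# Path-style gateway on any host: /ipfs/<CIDv0 Qm...> or /ipfs/<CIDv1 baf...>
IPFS_PATH_RE = re.compile(r"/ipfs/(?:Qm[1-9A-HJ-NP-Za-km-z]{44}|baf[a-z2-7]{50,})", re.I)
URL_RE = re.compile(r"https?://([^\s/\"'<>]+)([^\s\"'<>]*)", re.I)


@dataclass
class Email:
    recipient: str
    subject: str
    body: str


def base64_fragments(email: str) -> set[str]:
    """Base64 substrings that appear wherever `email` is embedded in base64 output.

    Encoding depends on the byte offset (mod 3) at which the address starts, so the
    address is encoded behind 0, 1 and 2 dummy bytes and the characters that depend
    on neighbouring bytes are trimmed off. Standard and URL-safe alphabets, padded or not."""
    frags: set[str] = set()
    for text in {email, email.lower()}:
        raw = text.encode()
        for k in range(3):
            padded = b"\x00" * k + raw
            for enc in (base64.b64encode, base64.urlsafe_b64encode):
                s = enc(padded).decode().rstrip("=")
                start = -(-8 * k // 6)          # ceil(8k/6): chars touched by prefix bits
                end = 8 * (k + len(raw)) // 6   # floor: last char fully determined by the address
                frag = s[start:end]
                if len(frag) >= 12:             # tiny fragments would match by chance
                    frags.add(frag)
    return frags


def find_encoded_recipient(body: str, recipient: str) -> list[str]:
    return sorted(f for f in base64_fragments(recipient) if f in body)


def find_ipfs_links(body: str) -> list[str]:
    hits = []
    for m in URL_RE.finditer(body):
        host = m.group(1).lower().split(":", 1)[0]   # drop :port
        on_gateway = any(host == h or host.endswith("." + h) for h in IPFS_GATEWAY_HOSTS)
        if on_gateway or IPFS_PATH_RE.search(m.group(2)):
            hits.append(m.group(0))
    return hits


def subject_contains_local_part(subject: str, recipient: str, min_len: int = 4) -> bool:
    """Local parts shorter than min_len (it, hr, info) fire on ordinary mail; skip them."""
    local = recipient.split("@", 1)[0].lower()
    return len(local) >= min_len and local in subject.lower()


def hunt(msg: Email) -> list[str]:
    """Names of the heuristics that fire for one message."""
    hits = []
    if find_encoded_recipient(msg.body, msg.recipient):
        hits.append("base64_recipient_in_body")
    if find_ipfs_links(msg.body):
        hits.append("ipfs_gateway_link")
    if subject_contains_local_part(msg.subject, msg.recipient):
        hits.append("local_part_in_subject")
    return hits


# Constructed sample mailbox (hypothetical addresses, CIDs and URLs).
SAMPLES = [
    Email("jane.doe@example.com", "Action required: jane.doe mailbox quota exceeded",
          "Review your quota here: https://cloudflare-ipfs.com/ipfs/"
          "QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG#amFuZS5kb2VAZXhhbXBsZS5jb20="),
    Email("bob@example.com", "Lunch?", "Menu: https://intranet.example.com/menu"),
    Email("sales@example.com", "Invoice for the sales team",
          "Statement: https://bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi.ipfs.dweb.link/"),
    # Address embedded unaligned in a larger token: base64 of b"x" + address + b"yy".
    Email("jane.doe@example.com", "Document shared",
          "https://intranet.example.com/open?token=eGphbmUuZG9lQGV4YW1wbGUuY29teXk="),
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(f"{msg.recipient:22} {msg.subject!r:50} -> {hunt(msg) or 'clean'}")
```

The fourth sample is the case the standalone encoding misses: `amFuZS5kb2VA…` never appears in that token, but the offset-1 fragment `phbmUuZG9lQGV4YW1wbGUuY29t` does. Tune `min_len` to your population of local parts before running this across a whole tenant.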