Yesterday I got a funny DM. @s00pcan said some AI slop is automatically forking his Linux open-source projects and adding goofy ass ReadMe files to look all fancy. The primary difference though is the ReadMe includes a "download here" link which delivers a .zip file. The .zip file contains cool and badass malware. The malware is also free. Yay This is a campaign which has been identified by various AV vendors since April, 2026. It is attributed to StealC. In this particular instance though it is very, very silly. The exact mechanic in which this StealC group is using to automagically fork projects on GitHub, insert bogus ReadMe files, etc. is unknown. Clearly it is AI generated. However, this group failed to account for all edge cases because ... this is malware developed for Windows ... but it is from a Linux audio driver fork. This yet again however a use case of AI in malware campaigns. StealC has been around forever and clearly isn't AI slop. However, Threat Actors are using AI to generate fancy schmancy ReadMe files. Very cool. Thank you, Mr. Smart GPU-thingy. The following GitHub I'll be linking is giving FREE malware. Visiting the page won't give you the free malware. At the top of the ReadMe is a "Download" section with a hyperlink to "pcie_dante_snd_v1.4". If you care what this payload does: Inside this .zip file is "Application.cmd", "dir-dot-cc", "lua51.dll", and "loader.exe". Application.cmd is a command line file, it launches loader.exe. Loader.exe is responsible for loading the "dir" file. Loader.exe is dependent on lua51.dll because the "dir" file is a GIANT obfuscated Lua file. I hate Lua and I hate dealing with obfuscated Lua, I refuse to be a victim of Lua, so instead of trying to bonk it with a stick I emulated it. Unsurprisingly, the malicious Lua file tries to harvest credentials from Chrome and exfiltrate them to a remote host. Free malware: github-dot-com/mbyington67-prog/snd-dante-pcie/tree/master tl;dr ai slopping and forking github, delivers malware that uses obfuscated lua, i like cats a lot

Dutch authorities have dismantled a botnet comprising at least 17 million infected devices, including computers, smartphones, tablets, and IoT devices. More than 200 servers in the Netherlands supported the operation. Police seized a subset of the infrastructure, and the hosting provider subsequently took the network offline. Read: thehackernews.com/2026/05/du…

Palo Alto GlobalProtect VPN auth bypass flaw now exploited in attacks bleepingcomputer.com/news/se… bleepingcomputer.com/news/se…

Self-hosted #Gogs instances with public registration enabled are at highest risk right now. Attackers can create their own accounts and fully compromise the server in minutes using the malicious branch name exploit. A ready-to-use #Metasploit module makes this even more dangerous for exposed instances. Disable public sign-ups and repository creation immediately until Gogs ships a patch.

#ESETresearch released its latest APT Activity Report (Oct 2025–Mar 2026): 🇨🇳China-aligned groups focused on Venezuela, Gulf states, and AI & robotics industry in 🇰🇷South Korea, while 🇰🇵North Korea-aligned APTs targeted the nuclear sector. Full report: web-assets.esetstatic.com/wl…

🚨 Supply chain compromises are impacting developer environments, targeting GitHub & Nx Console. See our Alert for detection and remediation recommendations & our KEV Catalog for info on Nx Console embedded malicious code vulnerability CVE-2026-48027. 🔗 go.dhs.gov/559