🚨 73 Microsoft GitHub repos just went dark. They were hit by Miasma, a self-replicating supply chain attack spreading through trusted open-source channels. Azure and MicrosoftDocs repos were among those impacted. Read this: thehackernews.com/2026/06/mi…

Privacy for every ERC-20 token. 🫦

🚨 HTTP/2 Bomb — Remote DoS Exploit Hits nginx, Apache, IIS, Envoy, and Cloudflare Pingora Source: cybersecuritynews.com/http-2… A newly disclosed remote denial-of-service exploit dubbed "HTTP/2 Bomb" targets the default HTTP/2 configurations of the world's most widely deployed web servers, nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora, enabling a single attacker on a home internet connection to exhaust tens of gigabytes of server memory in seconds. Chaining two techniques that have individually been known to the security community for nearly a decade: an HPACK compression bomb and a Slowloris-style connection hold. #cybersecuritynews #vulnerability

🚨 BREAKING: Socket is investigating an active npm supply chain attack compromising hundreds of packages in the @antv ecosystem. The malicious publish wave appears tied to Mini Shai-Hulud and packages connected to the npm maintainer account atool.

🚨 Google Project Zero just published a Pixel 10 zero-click to root exploit chain. Two vulnerabilities and less than a day of work to weaponize the second one. Chain: - Stage 1: same Dolby UDC zero-click (CVE-2025-54957) used against the Pixel 9. Patched in January 2026. Only minor offset updates and a tweak around RET PAC needed to port to Pixel 10 - Stage 2: a brand new local privilege escalation in the VPU driver for the Chips&Media Wave677DV on the Tensor G5 Result: arbitrary kernel read/write in 5 lines of code. Full exploit written in under a day.

❗️🚨 Microsoft Edge keeps every saved password in process memory as cleartext from the moment it launches. Microsoft's responsed when reported: "by design." All of them. Including credentials for sites you won't open this session. Researcher @L1v1ng0ffTh3L4N tested every major Chromium browser. Edge is the only one that behaves this way. Chrome decrypts credentials on demand, and App-Bound Encryption locks the keys to an authenticated Chrome process so other processes can't reuse them. In Chrome, plaintext surfaces only during autofill or when a password is viewed, making memory scraping far less useful. What makes this extra weird is that Edge still demands re-authentication before revealing those passwords in its Password Manager UI, while the same browser process already holds every one of them in plaintext. In shared environments, this turns into a credential harvest. On a terminal server, an attacker with admin rights can read the memory of every logged-on user process. In the published PoC video, a compromised admin account lifts stored credentials from two other logged-on (and even disconnected) users with Edge running. Microsoft's official response when notified: "by design." The finding was disclosed April 29 at BigBiteOfTech by PaloAltoNtwks Norway, alongside a small educational tool that lets anyone verify the cleartext storage for themselves.

Microsoft has confirmed that the April 2026 Patch Tuesday update is causing problems for many third-party backup tools on Windows 11. The update intentionally adds a specific kernel driver to the vulnerable driver blocklist for better security. Unfortunately, this change breaks Volume Shadow Copy Service functionality in several backup applications, leading to snapshot timeouts and failed backup or restore operations. Affected programs include: -Acronis Cyber Protect -Macrium Reflect -NinjaOne Backup -UrBackup, and others that rely on this driver. Microsoft recommends keeping the security update installed and contacting your backup software vendor for a compatible version that uses updated drivers. Uninstalling the patch is not advised as it leaves your system vulnerable. If your backups suddenly stopped working after the April updates, this is likely why.

🚨 Silver Fox launches new malware campaign targeting India and Russia. 1,600 phishing emails used tax-themed lures to spread ValleyRAT and the ABCDoor backdoor. Kaspersky links it to Rust-based loaders, geofencing, and stealth persistence. Read: thehackernews.com/2026/05/si…

WORLDWIDE CRACKDOWN ON VPNs BEGINS 🇪🇺 EU Executive Vice President Henna Virkkunen is pushing limits on VPN use, warning new age and ID systems must not be bypassed. Utah becomes the first 🇺🇸 US state to target VPNs under age verification laws starting May 6, 2026. Websites can be held liable even if users mask location, forcing a choice: block VPNs entirely or require ID checks from everyone. The Electronic Frontier Foundation calls it a “liability trap” that could push global platforms toward mass identity verification. Momentum is building globally. 🇬🇧 UK and 🇫🇷 French officials are now signaling VPN restrictions may be next. EU-wide age verification is set to roll out across all 27 member states by the end of 2026. x.com/f_philippot/status/205…

⚠️ Two cybercrime groups are executing rapid SaaS attacks with minimal trace. Cordial Spider and Snarky Spider use vishing and AiTM phishing to steal credentials, bypass MFA, and access multiple platforms through SSO. Read: thehackernews.com/2026/05/cy…

This GPT Image 2 prompt is going insanely viral right now. “Redraw the attached image in the most clumsy, scribbly, and utterly pathetic way possible. Use a white background, and make it look like it was drawn in MS Paint with a mouse. It should be vaguely similar but also not really, kind of matching but also off in a confusing, awkward way, with that low-quality pixel-by-pixel feel that really emphasizes how ridiculously bad it is. Actually, you know what, whatever, just draw it however you want.”

🚨 Blockaid's exploit detection system identified an on-going admin-key compromise exploit on @wasabi_protocol across Ethereum and Base. The Wasabi: Deployer EOA was used to grant ADMIN_ROLE to an attacker helper contract, which then UUPS-upgraded the perp vaults and LongPool to a malicious implementation that drained balances.