Threat Hunting - DFIR - Detection Engineering

Joined February 2023
mthcht retweeted
ServiceNow released KB3067321 Update regarding this. More details in the post: thecybersecguru.com/news/ser…
ServiceNow customers are being notified after unauthorized access hit multiple tenants. The messy part? A Scripted REST endpoint reportedly shipped with authentication disabled. No token. No valid session. No real user account. Just requests landing as “Guest” in logs. The IOC: 51.159.98.241 Security teams should be checking /api/now/related_list_edit transaction logs immediately.
mthcht retweeted
Hundreds of detection lists for threat hunting and SOC github.com/mthcht/awesome-li…
mthcht retweeted
Full Disclosure: 1-Click GitHub Token Stealing via a VSCode Bug blog.ammaraskar.com/github-t…
mthcht retweeted
An #adware campaign involving 50 Chrome extensions (disguised as live wallpapers) has hit ~30K users. Spread across three publisher accounts, the attackers are pushing remote HTML to 40 extensions and wiping IndexedDB on install and startup. Details at bit.ly/3Q05sWB
mthcht retweeted
Google Chrome is rolling out device-bound session credentials to all users. Session cookies get cryptographically tied to your device, so stolen cookies can't be replayed from a different machine. Attackers who exfiltrate your cookie database get nothing usable.
mthcht retweeted
🚨 Supply chain attack on the Laravel Lang organization: 700 historical versions across multiple community-maintained Laravel Lang packages were compromised with an RCE backdoor, including:
laravel-lang/lang
laravel-lang/http-statuses
laravel-lang/attributes
Laravel-Lang/actions
The payload targets cloud creds, CI/CD secrets, Kubernetes tokens, Vault, browser data, password managers, SSH keys, and more.
mthcht retweeted
🚨 The "Megalodon" Campaign is live... 5,718 malicious commits to 5,561 GitHub repositories in a six-hour window. Using throwaway accounts and forged author identities (build-bot, auto-ci, ci-bot, pipeline-bot), the attacker injected GitHub Actions workflows containing base64-encoded bash payloads that exfiltrate:
- CI secrets
- cloud credentials
- SSH keys
- OIDC tokens
- source code secrets
Check your repo / Technical details: safedep.io/megalodon-mass-gi…
mthcht retweeted
🚨 ACTIVE SUPPLY CHAIN ATTACK 🚨 The actions-cool/issues-helper GitHub Action is compromised. Every existing tag in the repo now points to an imposter commit that:
⬇️ Downloads the bun JS runtime
🧠 Reads Runner.Worker process memory to harvest CI/CD secrets in flight
📡 Exfiltrates credentials to t.m-kosche[.]com
Any workflow referencing this action by version will pull the malicious code on its next run. If you use it: stop immediately, pin to a known-good commit SHA from before the compromise, and rotate any secrets exposed to recent runs.
StepSecurity customers are already protected:
🛡 Real-time Threat Center alert with "Am I Affected?" links for every workflow and every runner that has talked to the IOC domain
🚫 Compromised Actions Policy blocks any run referencing this action before it executes
🌐 Harden-Runner Global Block List now blocks t.m-kosche[.]com automatically, even in audit mode, no config change required
🔍 Imposter Commit detection flags the exact signature of this attack
Full advisory and IOCs: stepsecurity.io/blog/actions…
mthcht retweeted
We’re continuing to work with Microsoft and GitHub to investigate the impact of the malicious Nx Console version 18.95.0. I'll share any updates on X (@jeffbcross and @NxDevTools) as well as in our security advisory: github.com/nrwl/nx-console/s…. Initially, Microsoft indicated to us that there were 28 installs of the malicious version 18.95.0. Based on our own analytics for the compromised version, we currently believe the number of users who received the malicious package may be significantly higher; potentially over 6k installs. We’ll keep working to determine the actual impact and exposure, and I don’t want to speculate beyond the facts we have right now. But I also don’t want to minimize the situation. This is my top priority right now. Our team has been, and continues to be focused on understanding exactly what happened, helping affected users, hardening our systems and release processes, and being as transparent as possible throughout the investigation.
The malicious VS Code extension could be one of these extensions recently removed from the store, DevCrew.devc-python-toolkit 🤔? Not shared yet by Microsoft; check vsxsentry.github.io/ and use marketplace.visualstudio.com… to automatically block and uninstall these
May 20
1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories. Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.
mthcht retweeted
💠VSXSentry💠 vsxsentry.github.io VS Code Extensions threat intel feeds for multiple platforms, VSIX analyzer, scripts & policy generator, remediation and forensic traces guide
mthcht retweeted
🚨 UPDATE: Mini Shai-Hulud has crossed from @npmjs into @pypi and is still spreading. Newly confirmed compromised artifacts:
@opensearch-project/opensearch: 3.5.3, 3.6.2, 3.7.0, 3.8.0 (1.3M weekly downloads)
mistralai: 2.4.6 on PyPI
guardrails-ai: 0.10.1 on PyPI
additional @squawk/* packages on npm
guardrails-ai 0.10.1 executes malicious code on import. On Linux, it downloads git-tanstack[.]com/transformers.pyz, writes it to /tmp/transformers.pyz, and runs it with python3 without integrity verification. The git-tanstack[.]com domain displayed a message signed “With Love TeamPCP,” along with: “We've been online over 2 hours now stealing creds Regardless I just came to say hello :^)” The page also linked to a YouTube video and you can probably guess which one.
mthcht retweeted
LOLRMM just got a serious upgrade under the hood. ✅ Code-signing certificate data, schema validation, and safety warnings are now part of the dataset. That means better trust signals, cleaner detections, and clearer context on what's legitimate vs what's being abused. This is the kind of foundational work that makes everything else in the project more reliable. github.com/magicsword-io/LOL…
mthcht retweeted
Have you ever wanted to query ETW providers, but didn't want to open a VM? What about checking the difference of ETW providers/events across OS builds? Today I am releasing EtwWatcher - a tool that brings EtwInspector to GitHub Pages so that you can query ETW providers, as well as compare them across builds. This is something I wish I had for YEARS but have always opted to pull manually through a VM. I plan on being very active in uploading new snapshots as new OS builds come out. Check it out! Blog: jonny-johnson.medium.com/etw… Repo: github.com/jonny-jhnson/EtwW… Live site: jonny-jhnson.github.io/EtwWa…
mthcht retweeted
May 7
💥 Introducing "Dirty Frag" A universal Linux LPE chaining two vulns in xfrm-ESP and RxRPC. A successor class to Dirty Pipe & Copy Fail. No race, no panic on failure, fully deterministic. ~9 years latent. Ubuntu / RHEL / Fedora / openSUSE / CentOS / AlmaLinux, and more. Even if you've applied the "Copy Fail" mitigation, your Linux is still vulnerable to "Dirty Frag". Apply the Dirty Frag mitigation. Details: dirtyfrag.io
CTI and SOC folks, you’ll like this one! ThreatCheck lets you select IOCs from any web page, bulk-extract and dedupe them, then pivot across 29 threat intel platforms with optional auto API enrichment. chromewebstore.google.com/de… github.com/mthcht/threatchec…
My new toxic trait: a useful browser extension project every week 😆 It’s been a productive month. I almost replaced every extension I used with my own. Funny enough, building a good dark reader extension without causing performance issues ended up being the hardest one; some are published now!