Mini Shai-Hulud is a highly active, self-propagating software supply chain attack campaign attributed to a financially motivated threat actor known as TeamPCP. Named after the colossal sandworms of Frank Herbert’s Dune universe, the campaign reflects both the actor’s thematic branding and the malware’s worm-like, self-replicating nature. The
The first week of June makes one thing clear: attackers are targeting trust itself — in AI platforms, CI/CD pipelines, package provenance, MFA, and legacy patch status. AI is being weaponized faster than it's being defended. Sophos uncovered an AI-assisted ransomware lab using Cursor and Claude Opus to
The final week of May 2026 delivered a dense wave of threat activity spanning every major category — from sophisticated nation-state campaigns to commodity fraud targeting World Cup fans. The dominant narrative across this reporting period is the accelerating weaponization of trust: trusted platforms (HuggingFace, GitHub, LinkedIn, Microsoft 365), trusted brands
If this edition of the newsletter has a single recurring theme, it's that the systems and institutions we trust to keep us secure are themselves becoming the attack surface. The agency responsible for securing federal infrastructure leaked its own cloud keys. A major open-source ecosystem had its packages
This edition covers 21 of the most significant cybersecurity stories from May 11 to May 17 2026 — spanning zero-day disclosures, ransomware attacks on education and pharma, AI-powered exploits, supply chain compromises, and shifting regulatory landscapes. Each entry includes a three-sentence summary and clear, actionable takeaways. Shai-Hulud Supply Chain Worm Harvests
This week’s threat intel underscores accelerating risk across perimeter infrastructure, software supply chains, and identity. Attackers—including suspected state-linked actors and organized cybercriminals—are exploiting high-value entry points such as firewall services, long-standing OS flaws, phishing-driven credential theft, and trusted developer tooling to gain access, escalate privileges, and steal
New versions of the XWorm backdoor are being distributed in phishing campaigns after the original developer, XCoder, abandoned the project in 2024. The latest variants—6.0, 6.4, and 6.5—are used by various threat actors and support plugins that enable a wide range of malicious activity. This
In this week’s newsletter we cover credential-stealing malware and extortion tradecraft, Windows security changes and escalation techniques, and a wave of software supply-chain risks such as GitHub Actions, PyPI, and malicious extensions. DEEP Python Backdoor Uses Public Tunneling for C2, Steals Browser + Cloud Credentials Researchers detailed a Python-based backdoor
This week’s threat intel highlights a wave of account-takeover and social-engineering intrusions, escalating ransomware and OT/ICS risks, and continued DDoS and perimeter-device exploitation—reinforcing the need to harden identity controls, rotate secrets, patch fast, and tightly segment and monitor critical infrastructure. Vercel Confirms Security Breach After Hackers Claim
Last week’s stories highlight a clear trend: attackers are succeeding by moving faster than organizations can patch and by targeting the areas that most often get overlooked—third‑party software and dependencies, exposed admin/management systems, and credentials/API keys. We’re seeing this play out in several ways:
This week’s newsletter centers on how attackers (and platforms) are increasingly using “quiet” collection and trust abuse to gain leverage—ranging from subtle tracking and data leakage (like extension fingerprinting and exposed API keys), to high-impact compromises and extortion, to social-engineering and supply-chain tactics that turn everyday tools and
This week’s newsletter focuses on urgent patching and active exploitation: critical Citrix NetScaler and Cisco FMC issues (including a ransomware-linked zero-day), plus Quest KACE and Oracle fixes. It also highlights disruption of a huge router proxy botnet, Russia-aligned phishing targeting Signal/WhatsApp accounts, and a major Trivy GitHub Actions
Overview In this report I discuss SILENTCONNECT, a newly discovered multi-stage malware loader that has targeted Windows machines since early March 2025. It has been observed actively in the wild. Its primary objective is to silently download and install ConnectWise ScreenConnect on the victim’s system, giving threat actors full
This week’s threat landscape highlights a sharp mix of ransomware and extortion pressure, credential-driven breaches, and active exploitation of high-impact enterprise and management-plane vulnerabilities. Healthcare and service providers remain prime targets, while phishing and social engineering continue to enable account takeovers and sensitive data exposure. At the same time,
This week's threat intel highlights multiple campaigns abusing trusted infrastructure and user habits to steal data and gain access. These include fake GitHub download pages and cloned install docs that trick people into running malicious commands. We cover major disruption events—the FBI system investigation and Stryker'
This week's threat intel newsletter covers AI-enabled attacks, mobile exploits, infrastructure vulnerabilities, law enforcement disruptions, and cloud security incidents. Key topics include attackers using Claude Code to automate exploits against Mexican government systems, North Korea's APT37 weaponizing USB drives to breach air-gapped networks, a sophisticated iOS
This week’s threat intel shows attackers using AI to scale malware and intrusions, with credential theft and internet-exposed systems as common entry points. Priority actions are to lock down management interfaces, enforce MFA, rotate secrets, and urgently patch actively exploited bugs (notably Roundcube and Cisco SD-WAN). Arkanix Stealer: Multi-Platform
Welcome to this week's Threat Intel Newsletter. This week we cover the most urgent threats where exploitation is happening fast and at scale. We start with mass exploitation of Ivanti EPMM—driven largely by a single bulletproof-hosted IP. Then we explain how trust is being abused in modern
Welcome to this week’s Threat Intel Newsletter. In this edition, the common thread is that compromise is increasingly happening through places defenders are forced to trust: edge infrastructure, virtualization layers, software update paths, and extension ecosystems. We break down China-linked targeting of Singapore’s telecom sector and leaked evidence
Welcome to this week’s Threat Intelligence Newsletter. This edition focuses on high-impact vulnerabilities and active tradecraft that shorten the path from initial access to full compromise, including multiple remote code execution (RCE) scenarios with low user interaction, and a notable software supply chain incident. We cover a one-click RCE
Overview ShinySp1d3r is a newly observed Ransomware-as-a-Service (RaaS) operation linked to the continued evolution of the ShinyHunters ecosystem and its collaboration with Scattered Spider/COM. While ShinyHunters first emerged in 2020 as a high-volume data theft and extortion group, recent campaigns show a clear progression toward more sophisticated intrusion models
This report discusses Atroposia, a new Remote Access Trojan (RAT) that has gained attention in underground forums. The malware is promoted as a multi-functional platform for remote control, data exfiltration, and stealth operations. It features advanced persistence and evasion tactics, along with a full C2 console for data exfiltration. The
Overview of the NightSpire Ransomware Group NightSpire is a ransomware group first discovered in the wild in March 2025. Within just 6 months, the group has captured the attention of global cybersecurity analysts and claimed over 73 victims worldwide. The group blends traditional ransomware tactics with aggressive public shaming and
What is the Amatera Stealer Proofpoint has identified a new threat called the Amatera Stealer, a rebranded version of ACR stealer. While Amatera shares significant code overlap, features, and capabilities with ACR stealer, it has undergone substantial development and enhancement to emerge as a distinct potential threat in the cyber