🚨 Update - Citrix CVE-2026-8451 is now under active exploitation, less than 24 hours after disclosure.
A Frankfurt IP hit sensors for 5 hours, delivering the watchTowr exploit only after a 200 OK response and skipping 404s.
Learn the malformed SAML exploit path works: https://t.co/yeLT7wq5on
Following the Trail of Anubis: Forums, Onion Sites, and the Rise of a Ransomware Operation
Using StealthMole, a series of seemingly unrelated discoveries led to a deeper examination of Anubis, a ransomware operation that has steadily expanded its presence across the underground ecosystem. What began as a routine inquiry soon developed into a broader effort to understand how the operation established itself, promoted its services, and grew its network over time.
https://t.co/L6oGZXDJQR
#Anubis #Ransomware #ThreatIntelligence #DarkWeb #OSINT #StealthMole
‼️ BREAKING: Anthropic has embedded hidden spyware-like code in Claude Code that covertly targets Chinese users. It then sends information regarding every user by injecting it into their prompt message.
Claude Code is sending info like timezone, proxy and possible AI Lab connections into the system prompt in ways Chinese users can't notice.
A coding agent with repo and command permissions should not silently hide routing metadata inside prompts. This is a serious breach of user trust.
🛑 A leaked AI key is not just a secret anymore.
It is a running bill.
Researchers tested 444 iOS AI chatbot apps. Over 250 exposed paid LLM access through network traffic.
> Plaintext keys
> Replayable tokens
> Open backend proxies with no auth
Read the THN report: https://t.co/yDPmqod6Mi
Kali Linux 2026.2 Release (GNOME 50, KDE 6.6, Helper Scripts, APT Formats & VM Boot Tweaking): It’s the final week of Q2, and Kali Linux 2026.2 is here - right on schedule ;) We have been heads down since our last release, and we are ready to share what… https://t.co/kv4knEBCQs
🚨 A new custom backdoor is hitting government and energy targets in Southeast Asia.
Unit 42 links it to CL-STA-1062, a Chinese-speaking APT cluster.
TinyRCT can run commands, steal files, capture screenshots, and support remote control.
Read: https://t.co/4eYfTyOHXz
🛑 A new #Linux kernel exploit (CVE-2026-46331) gets root without modifying a single file on disk.
It poisons the cached copy of /bin/su in memory. The binary on disk stays untouched. File-integrity checks come back clean.
The root shell is already open.
Details here ↓ https://t.co/y2FDVjcSEq
🛑 ALERT - A Chrome ad blocker with 10 MILLION+ installs has a dormant risk.
Experts say the extension can be remotely configured to run arbitrary JavaScript across websites, without an extension update or store review.
Read the full analysis: https://t.co/A40WeifDDr
🛑 A new backdoor is being used to keep access quiet.
Researchers say Mistic has targeted organizations in insurance, education, IT, and professional services since April 2026.
It runs payloads in memory, abuses Microsoft endpoint security tooling, and can delete itself.
Read: https://t.co/bKcUXWtfzS
‼️🚨 Critical remote code execution in libssh2, the SSH client library embedded in countless tools: CVE-2026-55200, rated CVSS 9.2 by VulnCheck. Every version up to and including 1.11.1 is affected.
It's an out-of-bounds heap write in ssh2_transport_read(), which fails to bound-check the SSH packet_length field. A malicious or MITM'd SSH server can send oversized packets to corrupt memory and run code on the connecting client.
No known exploitation yet and it's not in CISA's KEV. Fix: move to a build that includes commit 7acf3df (PR #2052), and inventory anything that links libssh2 for SSH, SCP, or SFTP.
🚨 FortiBleed went beyond FortiGate firewalls.
Researchers say a Russian-speaking IAB targeted 430,000+ FortiGate firewalls, deployed credential sniffers, and identified over 110 million credentials.
Read: https://t.co/RNkghhbV1h
The campaign also hit other internet-facing systems.
A Gravity SMTP WordPress plugin flaw is already being exploited.
CVE-2026-4020 can expose API keys, OAuth tokens, and system data through an unauthenticated REST API endpoint.
Wordfence says it has blocked 17M+ exploit attempts.
Read the full story: https://t.co/7PrVeeh3yh
🚨 Two critical NGINX flaws can lead to remote code execution.
F5 has patched:
• CVE-2026-42530 (HTTP/3 use-after-free)
• CVE-2026-42055 (HTTP/2 heap buffer overflow)
Both require specific configurations and ASLR bypass conditions.
Details here → https://t.co/x1251rhB3R
🛑 Windows clipper malware swaps crypto wallet addresses via clipboard hijacking.
Microsoft says since Feb 2026 it uses USB LNK worms, WSH/ActiveX, and Tor-based C2.
It steals clipboard data and seed phrases, replacing wallet addresses before paste.
Read: https://t.co/JVL17F5b6k
This Splunk flaw is no longer just theoretical.
Splunk says it is aware of limited exploitation of CVE-2026-20253.
CISA has added it to KEV, giving federal agencies until June 21, 2026 to patch.
Upgrade now.
Read the update: https://t.co/kZDJdxlYXR
🚨 Supply chain attack: 141 packages in the npm mastra scope were republished overnight to ship a remote access trojan.
The source code was never touched. The attacker just added one dependency, easy-day-js, that downloads persistent malware on install.
‼️🚨 A critical Joomla Content Editor vulnerability is under active attack and rated CVSS 10.0. Joomla is used by 1.2% of all websites on the internet.
The vulnerability, CVE-2026-48907: an unauthenticated attacker can create an editor profile, upload PHP, and take full control of the site.
CISA and Italy's CSIRT have both issued alerts.
🌍 Global - FortiBleed Exposes 30,791 Compromised Fortinet Devices
SOCRadar researchers uncovered an active campaign targeting Fortinet firewalls and VPN gateways worldwide.
Key findings:
* 30,791 compromised Fortinet devices identified
* 21,108 unique IP addresses affected
* 8,316 unique organizations/domains impacted
* Victims identified across 194 countries
* Threat actor maintained a database of verified working credentials
* Researchers discovered attacker infrastructure, tools, automation scripts, and victim databases
The campaign highlights how compromised perimeter devices continue to provide attackers with direct access into corporate networks and critical infrastructure.
Organizations using Fortinet devices should immediately review device configurations, audit administrative access, rotate credentials, and investigate for signs of compromise.
Analyst Note: This is not a vulnerability disclosure affecting a handful of devices. The discovery of over 30,000 compromised Fortinet firewalls demonstrates how attackers are industrializing credential harvesting and firewall compromise operations at a global scale.
#DDW #Intelligence #DarkWeb #Fortinet
Credit: https://t.co/t9mgpXNCFz
UPDATE 🠖 FortiBleed looks bigger than first reported.
Update: Hudson Rock says FortiBleed targeted 73,932 Fortinet firewall URLs across 194 countries, affecting 21,632 domains.
The bigger risk: exposed FortiGate SSL VPNs may be used as listening posts to capture more credentials and keep the access loop going.
Read the full update: https://t.co/r8VrvtdCie
🚨 One weak LiteLLM account could take over an AI gateway.
A CVSS 9.9 flaw chain lets attackers become admin, run code, steal AI keys, read prompts, and tamper with AI agent responses.
Read the full story: https://t.co/ZqQtUeX5uY