☠️ Malicious PDF Generator: A PDF Security Testing Toolkit for Pentesters and Bug Bounty Hunters
Generate 70+ PDF security test files to assess PDF viewers, converters, and document processing pipelines for SSRF, XXE, callback behavior, data exfiltration risks, and other security weaknesses during authorized testing.
🔗 https://t.co/AGsDX1ohZd
#cybersecurity #pentesting #bugbounty #RedTeam #AppSec #PDFSecurity #WebSecurity #opensource
🚨 Windows BitLocker 0-Day Vulnerability Allows Attackers to Bypass Security Feature
Source: https://t.co/nKVJSPN6eK
Microsoft disclosed a new Windows BitLocker Security Feature Bypass vulnerability, tracked as CVE-2026-50507, on June 9, 2026, as part of its June Patch Tuesday security release.
The flaw, rooted in a protection mechanism failure, allows an unauthorized attacker with physical access to bypass BitLocker Device Encryption and access sensitive data on the system's storage device.
While there is no evidence of active exploitation at the time of release, proof‑of‑concept code exists, which typically accelerates the adoption of attacks.
#cybersecuritynews
🚨 Windows Defender 0-Day Exploit “RoguePlanet” Grants SYSTEM Access to Attackers
Source: https://t.co/h0SqQD6cjB
A researcher known as Nightmare Eclipse has publicly released a new proof-of-concept (PoC) exploit named RoguePlanet, targeting a previously undisclosed race condition vulnerability in Microsoft Windows Defender.
When successfully executed, the exploit spawns a command shell running under SYSTEM-level privileges, granting an attacker the highest possible access on a compromised Windows machine.
The release, posted to GitHub, arrives on Patch Tuesday, June 10, 2026, adding urgency to an already escalating series of Defender-targeting disclosures.
#cybersecuritynews
🚨 Fully patched Windows 10 and 11 are still at risk from a new Microsoft Defender zero-day.
The exploit, "RoguePlanet," can hand attackers full SYSTEM control when it works.
It's the latest public drop from a researcher feuding with Microsoft.
Read: https://t.co/RbALiW3Qvj
🛑 ServiceNow patched a flaw that could let unauthenticated users gain deeper access to certain instances.
It found evidence of successful instance-table queries against a subset of customers.
Still no CVE.
What affected customers need to know: https://t.co/PqYAjmNllh
🚨 WhatsApp Disrupts NSO-Linked Cyberattack Targeting Users with Pegasus Spyware
Source: https://t.co/GPRM96raVN
Meta's WhatsApp has identified and disrupted a fresh wave of spear-phishing campaigns linked to NSO Group, the Israeli spyware firm blacklisted by the U.S. government, and is now asking a federal court to hold the company in contempt for violating a permanent injunction issued just last year.
WhatsApp's latest investigation, triggered by user reports, uncovered NSO-linked accounts attempting to lure users into clicking on malicious external links, a classic 1-click phishing technique previously attributed to NSO Group.
The campaign primarily targeted fewer than 10 users in Jordan and Lebanon, according to a Meta spokesperson.
#cybersecuritynews #whatsapp
Here is a great repo for studying real-world exploited zero-days and their root causes.
repo: https://t.co/IAxDKpU03y
Worth bookmarking for anyone into security research and bug bounty hunting.
#CyberSecurity #BugBounty #InfoSec
🛡️ CISA Warns of Linux Kernel Improper Authentication Vulnerability Exploited in Attacks
Source: https://t.co/nYjfoejPRS
CISA has added a critical Linux kernel vulnerability, tracked as CVE-2022-0492, to its Known Exploited Vulnerabilities (KEV) catalog, warning that the flaw is being actively leveraged in real-world attacks.
The issue, categorized as improper authentication, affects Linux systems using the cgroups v1 release_agent feature and may allow attackers to achieve privilege escalation.
By exploiting this behavior, an attacker can execute arbitrary commands with elevated privileges, effectively escaping containerized environments or gaining root-level access on the host system.
#cybersecuritynews
Instagram Monitor: Powerful, real-time OSINT suite for tracking every activity on Instagram - from story updates and bio changes to follower shifts, providing stunning dashboards and instant alerts to keep you in the loop.
GitHub: https://t.co/sMRLl9yL9h
Leaker — Passive Credential Leak Discovery Across Multiple Breach Sources 💀💥
When investigating exposed credentials, checking one breach database is rarely enough.
Leaker aggregates results from 12 different leak intelligence sources into a single tool, helping researchers uncover leaked emails, usernames, domains, phone numbers, and credentials faster.
🔍 Search by email, username, domain, keyword, or phone number
⚡ Aggregates data from IntelligenceX, DeHashed, Snusbase, LeakCheck, Hudson Rock, ProxyNova, and more
🧹 Built-in deduplication removes duplicate results across sources
📊 JSONL output for automation, pipelines, and OSINT workflows
🌐 Proxy support, rate limiting, credential verification, and local SQLite caching included
A useful addition for OSINT analysts, threat intelligence teams, and bug bounty hunters performing breach exposure investigations.
🔗 https://t.co/8b72EEYgCW
#OSINT #ThreatIntelligence #CyberSecurity #ThreatHunting #BugBounty #OpenSource #InfoSec
🚨 Windows Netlogon 0-Click RCE Vulnerability Now Actively Exploited In The Wild | Source: https://t.co/Iym37fFkgU
The critical Windows Netlogon remote code execution (RCE) vulnerability tracked as CVE-2026-41089 is now under active exploitation in the wild, significantly raising the risk profile for unpatched Windows Server environments.
The flaw affects Windows servers configured as domain controllers and allows unauthenticated remote attackers to execute arbitrary code with SYSTEM-level privileges by sending specially crafted Netlogon network requests.
To exploit CVE-2026-41089, an attacker only needs network access to a vulnerable domain controller’s Netlogon service.
#cybersecuritynews #windows
🚨 HTTP/2 Bomb — Remote DoS Exploit Hits nginx, Apache, IIS, Envoy, and Cloudflare Pingora
Source: https://t.co/aw380067fE
A newly disclosed remote denial-of-service exploit dubbed "HTTP/2 Bomb" targets the default HTTP/2 configurations of the world's most widely deployed web servers, nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora, enabling a single attacker on a home internet connection to exhaust tens of gigabytes of server memory in seconds.
It chains two techniques that have individually been known to the security community for nearly a decade: an HPACK compression bomb and a Slowloris-style connection hold.
#cybersecuritynews #vulnerability
Multiple Red Hat Cloud Services npm Packages Hacked to Deploy Credential-Stealing Malware
Source: https://t.co/aGSaD9CDFO
A significant supply chain attack on June 1, 2026, targeted over 30 official packages under the @redhat-cloud-services npm scope.
The campaign, dubbed "Miasma: The Spreading Blight," is a new variant of the Mini Shai-Hulud malware family, a sophisticated credential-stealing worm previously linked to threat actor group TeamPCP.
The malicious packages were published via GitHub Actions OIDC tokens, indicating the CI/CD pipeline itself was compromised, not individual developer accounts.
#cybersecuritynews
You query SigninLogs for a user. 4,300 events in 24 hours. You expected five.
The other 4,295 are non-interactive token refreshes, Teams, Outlook, OneDrive silently renewing tokens in the background.
Why does this matter for security?
Interactive sign-ins (SigninLogs) answer:
· When did this user explicitly authenticate?
· What authentication method was used?
· Did CA evaluate?
These are your primary enforcement points.
Non-interactive sign-ins (AADNonInteractiveUserSignInLogs) answer:
· Is the session still active?
· What apps are accessing data?
· Is the token refreshing from the expected device?
The critical security implication: An attacker with a stolen refresh token (or Primary Refresh Token) never appears in the interactive logs. They can silently refresh tokens and access resources without triggering the controls that protect the initial sign-in.
That said, modern defences help close this gap:
Continuous Access Evaluation (CAE) can still enforce policy changes in real time during token refreshes (events may appear in either log table).
Token Protection (a Conditional Access session control) cryptographically binds tokens to the device, significantly reducing the risk of token replay from a different device.
If you’re only querying SigninLogs, you’re seeing only a small fraction of the total authentication activity. The vast majority, including most token replay and session abuse, lives in the non-interactive logs.
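A hunting query for the gap described above, added here as an example and not part of the original post: it lists successful non-interactive token refreshes that come from an IP address the same user never used for an interactive sign-in. The 14-day baseline and 24-hour hunt windows are assumptions to tune, and a hit is a lead to triage (VPN and mobile networks change IPs legitimately), not proof of token replay.

```kql
// Added example: windows below are assumptions, adjust to your retention and noise level.
let baselineWindow = 14d;   // how far back to learn IPs from interactive sign-ins
let huntWindow = 24h;       // non-interactive activity to examine
// Per-user set of IPs that completed an explicit (interactive) authentication.
let interactiveBaseline =
    SigninLogs
    | where TimeGenerated > ago(baselineWindow)
    | where ResultType == "0"                       // "0" = success
    | summarize InteractiveIPs = make_set(IPAddress) by UserPrincipalName;
// Silent token refreshes whose source IP never appears in that baseline.
AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(huntWindow)
| where ResultType == "0"
| join kind=leftouter interactiveBaseline on UserPrincipalName
| where isnull(InteractiveIPs)                      // user has no interactive sign-in in the baseline at all
    or not(set_has_element(InteractiveIPs, IPAddress))
| summarize
    Refreshes = count(),
    Apps = make_set(AppDisplayName),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by UserPrincipalName, IPAddress
| order by Refreshes desc
```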
TraceOne Telegram Search
Search for posts on Telegram channels by keyword. Data from 2021 to the present.
https://t.co/INL6znMU9i
#osint #socmint #telegram
‼️🚨 Hacked Fortinet FortiClient EMS servers are pushing infostealer malware disguised as a Fortinet patch to every managed endpoint.
Attackers exploit CVE-2026-35616 to take the server, then abuse FortiClient's own management channel to deploy it. Patch now!