With our Five Eyes partners, we have published a joint statement warning organisations they have months - not years - to protect their systems from the accelerating cyber threat driven by frontier AI.🧵
To read the full statement⬇️
https://t.co/bxh0W4smpM
The US government, citing national security authorities, has issued an export control directive to suspend all access to Fable 5 and Mythos 5 by any foreign national, whether inside or outside the United States, including foreign national Anthropic employees.
The net effect of this order is that we must abruptly disable Fable 5 and Mythos 5 for all our customers to ensure compliance.
Access to all other Claude models is not affected.
We apologize for this disruption to our customers. We believe this is a misunderstanding and are working to restore access as soon as possible.
Read our full statement: https://t.co/bwn0sximKZ
NSA is releasing security design considerations for AI-driven automation leveraging MCP which, while simplifying the integration of diverse capabilities into powerful agent workflows, requires caution. Learn more: https://t.co/zn2DyUz5be
A sophisticated and multi-layered attack by the threat actor tracked by Microsoft as Storm-2949 demonstrates how a single compromised cloud identity could lead to a full-scale organizational breach. https://t.co/s1MMx0fI4L
Relying on social engineering and abusing legitimate administrative tools, Storm-2949 moved laterally across cloud resources and endpoints without using traditional malware, quietly exfiltrating large volumes of sensitive data.
This stealthy attack underscores the importance of strong identity protections, least-privilege access, and unified visibility across environments. Read the latest Microsoft Defender Research blog for guidance on detecting and containing multi-stage attacks before they escalate.
Congratulations @Hak5 @hak5darren for 1 million subscribers on YouTube!!!!
Well deserved and thanks for all the amazing tools over the years!
May many more come.
🎉🎉🎉🎉🎉
https://t.co/YMgXS3HtJM
📢 Breached and TeamPCP announce supply chain attack competition with $1,000 USD prize and open-sourced Shai Hulud worm
The owner of Breached has announced a joint competition with TeamPCP offering $1,000 USD in XMR to whoever conducts the biggest supply chain attack.
As part of the announcement, TeamPCP's Shai Hulud worm has been open-sourced and hosted on the Breached CDN (also published yesterday on GitHub), with participants required to use the worm in their attacks. Winners are determined by total weekly and monthly download counts of compromised packages, with smaller package compromises added together to count toward the total.
▸ Actor: [Owner] diencracked in collaboration with TeamPCP
▸ Sector: Cybercrime Forum / Supply Chain Attack Tooling
▸ Type: Attack Competition Announcement / Tool Release
▸ Prize: $1,000 USD (XMR only)
▸ Country: N/A
▸ Date: 11/05/2026
Competition details:
▪ First-ever supply chain attack competition hosted on BreachForums
▪ TeamPCP's Shai Hulud worm released as open source and hosted on the Breached CDN
▪ Raw download link also provided for the worm
▪ Participants must use the Shai Hulud worm in their attack
▪ Submissions must include the participant's forum handle, preferably linked to their Breached profile
▪ Reasonable proof of access must be submitted alongside the entry
▪ Winner determined by the largest supply chain attack measured by weekly and monthly package downloads
▪ Compromises of multiple small packages are aggregated toward the total
▪ Prize paid by diencracked in XMR
Stop guessing what's redacted. Subscribers see everything → https://t.co/281Qjc6p2J
Our new multi-model agentic security system brings together more than 100 specialized agents across frontier and custom models to find exploitable bugs, delivering top performance on the CyberGym benchmark.
We used it ahead of Patch Tuesday to help find and fix 16 vulnerabilities. Today we’re announcing that customers can sign up to test it in private preview.
https://t.co/maAN55yZQ1
Microsoft is investigating mistralai PyPI package v2.4.6 compromise. Attackers injected code in mistralai/client/__init__.py that executes on import, downloads hxxps://83[.]142[.]209[.]194/transformers.pyz to /tmp/transformers.pyz, and launches a second-stage payload on Linux. The file name transformers.pyz appears deliberately chosen to mimic the widely used Hugging Face Transformers library and blend into ML/dev environments.
The main payload is a credential stealer, but it also includes country-aware logic; it avoids Russian-language environments and contains a geo fenced destructive branch that has 1-in-6 chance of executing rm -rf / when the system appears to be in Israel or Iran.
To mitigate this threat: isolate affected Linux hosts, block 83[.]142[.]209[.]194, hunt for /tmp/transformers.pyz, pgmonitor[.]py, and pgsql-monitor.service, and rotate exposed credentials.
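The hunt step in the post above, sketched as an added example (not code from Microsoft or from the original post): it sweeps one or more directory trees for the three file names the post lists and for an installed `mistralai` 2.4.6 distribution. The function name `hunt` and the match-by-file-name approach are assumptions; the post gives a full path only for `/tmp/transformers.pyz`.

```python
import os
import re
import sys
from pathlib import Path

# File names taken from the post. Only /tmp/transformers.pyz is given with a
# full path there, so all three are matched by name (assumption); a hit
# outside the expected location needs manual triage before it is called bad.
IOC_FILENAMES = {"transformers.pyz", "pgmonitor.py", "pgsql-monitor.service"}

# Package name and version named in the post.
BAD_PACKAGE = ("mistralai", "2.4.6")

# Installed wheels leave a "<name>-<version>.dist-info" directory in site-packages.
DIST_INFO = re.compile(r"^(?P<name>[A-Za-z0-9_.]+)-(?P<ver>[^-]+)\.dist-info$")


def hunt(roots):
    """Walk each root and return a sorted list of (kind, path) findings."""
    findings = set()
    for root in roots:
        # os.walk skips unreadable directories by default, so a partial
        # sweep still returns what it could see; symlinks are not followed.
        for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
            for d in dirnames:
                m = DIST_INFO.match(d)
                if m and (m["name"].lower(), m["ver"]) == BAD_PACKAGE:
                    findings.add(("compromised-package", str(Path(dirpath, d))))
            for f in filenames:
                if f in IOC_FILENAMES:
                    findings.add(("ioc-file", str(Path(dirpath, f))))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python hunt.py /tmp /home /opt   (defaults to "/" when no roots given)
    for kind, path in hunt(sys.argv[1:] or ["/"]):
        print(f"{kind}\t{path}")
```

A `compromised-package` hit means the host imported or could import the trojanised release, so treat credentials reachable from that environment as exposed even when no dropped file is found.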
The FBI is aware of a service disruption affecting an online Learning Management System (LMS). This disruption has impacted schools, educational institutions, and students across the country.
If you are contacted directly by anyone claiming to have your data, we recommend you not send payment or respond to their demands. Receiving a message does not necessarily mean your personal information has been compromised. Threat actors often exaggerate or fabricate their access to sensitive or personal information to prompt payment from victims. We encourage individuals to be cautious of unsolicited emails, calls, or texts claiming to be from your school, the LMS provider, or law enforcement and to verify the contact through known channels before responding.
We understand that the immediate concern for individuals/students is determining what, if any, of their data or other sensitive information may have been exposed. At this time, the strongly recommended course is to await formal guidance from your educational institution regarding the scope of the incident and the nature of any affected data.
If you believe you have been impacted by the attack, please file a complaint at https://t.co/DbJcDzldwF.
All crimes can have a devastating effect on those who have been impacted, as well as their families who may need help coping with what happened. Visit https://t.co/QkwTszk8Dx for more resources on coping with the impact of crime:
⚫ https://t.co/wC1eqXwymH
⚫ https://t.co/MMU78iJw0i
A historic UAP declassification effort is underway thanks to @POTUS.
We appreciate the Intelligence Community professionals, Department of War personnel, and others across the USG who are devoting their time and resources to this enormous, complex task. This administration is delivering unprecedented transparency for the American people.
MIT just quietly dropped a free AI curriculum that puts $50,000 university courses to shame.
12 books.
Zero tuition.
From the same institution that produced the people building the models everyone is talking about.
FOUNDATIONS
1. Foundations of Machine Learning — https://t.co/Un6UbjJ3Xo
2. Understanding Deep Learning — https://t.co/UQxZmyESdn
3. Machine Learning Systems — https://t.co/YAgrLVGAXt
ADVANCED TECHNIQUES
4. Algorithms for ML — https://t.co/YlBk59o8Hp
5. Deep Learning — https://t.co/KMO1uWPyk1
REINFORCEMENT LEARNING
6. RL Basics (Sutton & Barto) — https://t.co/sOZlDXzu41
7. Distributional RL — https://t.co/uOkviYiAq7
8. Multi-Agent Systems — https://t.co/Dx9caJVx1d
9. Long Game AI — https://t.co/K9Qm2TjAQ6
ETHICS & PROBABILITY
10. Fairness in ML — https://t.co/MgkLdRvicO
11. Probabilistic ML Part 1 — https://t.co/Zz33gQi1vG
12. Probabilistic ML Part 2 — https://t.co/qBe776EjCg
This is a complete MIT-level AI education.
Not a YouTube playlist.
Not a Twitter thread full of fluff.
Textbooks written by the researchers who built the field.
The people who actually study this will not just understand AI better than their peers.
They will understand it better than most people currently getting paid to work in it.
Most people will bookmark this and never open it.
The ones who open it tonight are the ones who show up in 12 months having built something nobody around them understands yet.
Bookmark this.
Open the first one tonight.
Follow @cyrilXBT for more resources that actually compound.
I will reiterate what I said earlier: I believe they should also investigate the mysterious and tragic disappearance of Professor Thomas Marsh in the Atacama Desert in 2022. His ULTRACAM instrument was particularly useful for searching for subsecond transients, see, for example, https://t.co/E5WJRBLpJS.
The Spanish-language (Chilean) news reports provided more details regarding the case...
A new perspective from Microsoft Research published in Cell makes the case that generative models are what oncology needs next, capable of integrating genomics, imaging, clinical data, and more into a unified system for cancer discovery. https://t.co/BrbuixIsgw
Finally, it is published 😁 Making Vulnerable Drivers Exploitable Without Hardware - my latest research on driver vulnerability hardware-gating, explaining the concept of hardware-dependent code and diving deep into creative deployment techniques - software-emulated phantom devices, driver restacking, and forced driver replacement — all explored through the lens of Bring Your Own Vulnerable Driver (BYOVD) attacks:
https://t.co/COJ0BKpZQe
My heart is breaking -- Nick (@nickpopemod) passed away this afternoon at our home. The last few weeks of his life, even as he suffered, he managed to do a few interviews from home. I was so lucky to have met and to have married Nick. He was a wonderful husband. I loved him dearly.