🚨 New 7-Zip Flaws Let Attackers Execute Arbitrary Code and Compromise Systems
Source: https://t.co/WqnpW3mfn2
A critical heap buffer overflow vulnerability has been disclosed in 7-Zip version 26.00, enabling attackers to achieve arbitrary code execution via a vtable hijack by exploiting a defect in the tool's NTFS archive handler.
Tracked as CVE-2026-48095 and assigned advisory GHSL-2026-140, the flaw resides in the CInStream::GetCuSize() function inside NtfsHandler.cpp. The function computes the NTFS compression-unit buffer size using a 32-bit shift operation: (UInt32)1 << (BlockSizeLog + CompressionUnit).
Users are strongly advised to update 7-Zip to patched version v26.01 immediately and avoid opening untrusted archive files or disk images of any extension until the fix is applied.
#cybersecuritynews
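The post describes the defect as a 32-bit shift, `(UInt32)1 << (BlockSizeLog + CompressionUnit)`, whose two operands come from the archive. The following is an added example, not 7-Zip's code and not from the advisory: it shows the defensive shape of such a computation, validating the untrusted shift count before it is used and capping the resulting allocation size. The names `cu_size_checked`, `shift_exceeds_u32` and the `MAX_CU_SIZE` cap are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Policy cap on the compression-unit buffer we are willing to allocate.
 * This is an assumption for the example, not a value from the advisory. */
#define MAX_CU_SIZE ((uint64_t)1 << 24)   /* 16 MiB */

/* True when (1 << shift) cannot be represented in 32 bits. A shift by 32 or
 * more on a 32-bit operand is undefined behaviour in C, so the check must run
 * before the shift rather than by inspecting its result afterwards. */
bool shift_exceeds_u32(unsigned shift) {
    return shift >= 32;
}

/* Hardened computation of the compression-unit size from the two header
 * fields named in the post. Both inputs are untrusted (they come from the
 * image being parsed). Returns 0 on rejection so a caller never allocates
 * from an unchecked value. */
uint64_t cu_size_checked(unsigned block_size_log, unsigned compression_unit) {
    /* Bound each field first so that the addition itself cannot wrap. */
    if (block_size_log > 31 || compression_unit > 31) return 0;
    unsigned shift = block_size_log + compression_unit;
    if (shift >= 64) return 0;                 /* would be UB on the 64-bit operand too */
    uint64_t size = (uint64_t)1 << shift;      /* widened: fits any in-range shift */
    if (size > MAX_CU_SIZE) return 0;          /* policy cap, not only a width check */
    return size;
}

/* Unchecked variant with the shape the post describes. It is only ever called
 * here with in-range inputs so that the undefined shift is never executed;
 * in a parser, the checked variant above is the one to use. */
uint32_t cu_size_unchecked_in_range(unsigned block_size_log, unsigned compression_unit) {
    return (uint32_t)1 << (block_size_log + compression_unit);
}

int main(void) {
    /* Common NTFS layout: 4 KiB clusters (log2 = 12) and a compression unit of
     * 16 clusters (log2 = 4) give a 64 KiB buffer. */
    printf("checked(12,4)   = %llu\n", (unsigned long long)cu_size_checked(12, 4));
    /* A crafted header pushing the sum to 32 is rejected instead of shifted. */
    printf("checked(12,20)  = %llu\n", (unsigned long long)cu_size_checked(12, 20));
    printf("shift 32 unsafe = %d\n", shift_exceeds_u32(12 + 20));
    return 0;
}
```

The point of the widened type plus the explicit cap is that neither alone is sufficient: a 64-bit operand removes the width overflow but still lets a header request a gigantic buffer, and the cap bounds the allocation to what the format actually needs.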
hackers are now hiding malicious code inside .cursorrules and CLAUDE.md files.
invisible Unicode characters, your AI reads them, you don't.
→ 34 malicious packages across npm, PyPI and Crates.io
→ 384 versions designed to steal SSH keys, crypto wallets, and API tokens
→ attackers opened real PRs to LangChain, LlamaIndex, and MetaGPT to sneak these files in
→ your AI runs a fake "security scan" that silently exfiltrates everything
Socket detected it in under 6 minutes.
check your repos.
Microsoft Defender detected and protected customers against a new software supply chain compromise affecting the "pytorch-lightning" package and immediately reported the issue to the repository maintainers for takedown: https://t.co/yZsFqek0Cr.
At the time the compromised packages were identified and distributed, Microsoft Defender had proactive detections that blocked the malicious files as Trojan:JS/ShaiWorm.DQ!MTB. For protected environments, Microsoft Defender for Endpoint raised the alert "ShaiWorm malware was prevented".
Our assessment indicates that Microsoft continues to provide strong protection coverage and has prevented observed activity indicating attempts to install the modified packages. Microsoft Defender continues to monitor for potential follow-on activity, including suspicious use of potentially exposed cloud credentials across major cloud platforms.
Observed activity remains limited to a small number of devices and appears contained to a narrow set of environments. We are also investigating container-based telemetry and registry-related signals that may indicate potential compromise in some scenarios.
Microsoft continues to monitor and investigate the issue, with layered protections, broad prevention coverage, and ongoing hunting efforts in place. We will share updates as more information becomes available.
⚠️ Critical Wireshark Flaws Let Attackers Execute Arbitrary Code Via Malformed Packets
Source: https://t.co/6dBCOkuhxB
Wireshark, the world's most widely used open-source network protocol analyzer, has released a major security update addressing over 40 vulnerabilities, several of which enable arbitrary code execution through malformed packet injection or malicious capture files.
Organizations and individuals relying on Wireshark for network monitoring, forensics, and traffic analysis should update immediately to Wireshark 4.6.5. The most severe vulnerabilities in this release carry the potential for remote code execution (RCE), moving beyond simple denial-of-service impact.
#cybersecuritynews #wireshark
🛡️ Trellix Source Code Breach - Hackers Gain Unauthorized Access to Repository
Source: https://t.co/oKUr7fUdWh
Cybersecurity giant Trellix has disclosed a significant security incident involving unauthorized access to a portion of its source code repository.
The company confirmed the breach in an official statement published on its website, stating it immediately engaged leading forensic experts upon discovering the intrusion.
Source code repositories are prime targets for attackers seeking to identify exploitable vulnerabilities, embed backdoors, or conduct supply chain attacks against downstream customers.
#cybersecuritynews #Databreach
🚨 cPanelSniper - PoC Exploit Disclosed for cPanel Vulnerability, 44,000 Servers Compromised
Source: https://t.co/wwsBnz5wTc
A weaponized proof-of-concept (PoC) exploit framework dubbed "cPanelSniper" has been publicly released for CVE-2026-41940, a maximum-severity authentication bypass in cPanel & WHM that has already led to the compromise of tens of thousands of servers worldwide with attack activity traced as far back as late February 2026.
The Shadowserver Foundation confirmed on April 30, 2026, that 44,000 unique IP addresses were observed scanning for victims, launching exploits, or conducting brute-force attacks against their honeypot sensors.
#cybersecuritynews #vulnerability
⚠️ Linux Kernel 0-Day "Copy Fail" Roots Every Major Distribution Since 2017
Source: https://t.co/fyfuQjBYHn
A critical zero-day vulnerability in the Linux kernel has been publicly disclosed, enabling any unprivileged local user to obtain root access on virtually every major Linux distribution shipped since 2017.
Copy Fail is a straight-line logic bug, not a race condition, in the Linux kernel's authencesn cryptographic template, reachable via the AF_ALG socket interface combined with the splice() system call.
A single 732-byte Python script using only standard library modules achieves deterministic root on every tested distribution and architecture.
#cybersecuritynews #linux #CopyFail
🚨 BREAKING: Wiz Research discovered Remote Code Execution on https://t.co/SvN2lGsnbO with a single git push
The flaw in @github allowed unauthorized access to millions of repositories belonging to other users and organizations 🤯
🚨 Ransomware Alert 🚨
Qilin Ransomware group has added 4 new victims to their dark web portal.
* A & A BUILDING MATERIAL CO 🇺🇸
* Longwood Engineering Company Limited 🇬🇧
* Exclusive Networks 🇫🇷
* iSTARpal 🇲🇾
A newly decoded piece of sabotage malware called Fast16, created before Stuxnet, was made to silently tamper with calculations in research and engineering software. Likely created by the US or an ally, and possibly used against Iran's nuclear program. https://t.co/jE045ejq6u
⚠️ Windows RPC Vulnerability Lets Attackers Escalate Privileges Across All Windows Versions
Source: https://t.co/luN3UDOucJ
PhantomRPC is a newly identified architectural vulnerability in Windows Remote Procedure Call (RPC) that enables local privilege escalation to SYSTEM-level access, potentially affecting every version of Windows. PhantomRPC is not a classic memory corruption bug or a logic flaw in a single component.
Instead, it exploits an architectural design weakness in how the Windows RPC runtime (rpcrt4.dll) handles connections to unavailable RPC servers. When a highly privileged process attempts an RPC call to a server that is offline or disabled, the RPC runtime does not verify whether the responding server is legitimate.
#cybersecuritynews #Windows
🚨 Hackers Abuse SS7 and Diameter Protocols to Track Mobile Users Worldwide
Source: https://t.co/kO27x4ixcV
A major investigation has revealed that sophisticated threat actors are exploiting fundamental vulnerabilities in global mobile networks to track users worldwide.
By abusing legacy 3G SS7 and 4G Diameter signaling protocols, hackers are successfully bypassing telecom firewalls to conduct silent, cross-border espionage.
By functioning as "Ghost Operators," they manipulate routing data to mask their origins while pinpointing the exact locations of high-value targets.
While the older SS7 protocol completely lacks basic authentication, the newer 4G Diameter protocol suffers from weak security implementation across the industry.
#cybersecuritynews
⚠️ CrowdStrike LogScale Vulnerability Allows Remote Attackers to Read Files from Server
Source: https://t.co/ZIk1ToJCb8
CrowdStrike has issued an urgent security advisory for a critical unauthenticated path-traversal vulnerability (CVE-2026-40050) affecting its LogScale platform, warning that a remote attacker could exploit the flaw to read arbitrary files directly from the server's filesystem without authentication.
The vulnerability resides in a specific cluster API endpoint within CrowdStrike LogScale. If this endpoint is exposed, a remote attacker can leverage it to traverse the server’s directory structure and access sensitive files without needing credentials.
#cybersecuritynews
#Sandworm group leverages nested SSH-TOR tunnels to build a double-encrypted anonymous direct elevator between victims and attackers.
This highly evasive attack enables unrestricted sensitive data theft and persistent remote control.
https://t.co/YkHn7CWCaC
🚨 Gentlemen RaaS Attacking Windows, Linux With an Additional Locker Written in C for ESXi
Source: https://t.co/63TQXITj2Z
A new ransomware-as-a-service (RaaS) operation known as “The Gentlemen” has emerged as a serious threat to corporate networks worldwide.
Since appearing around mid-2025, this group has rapidly grown into a well-organized criminal platform, publicly claiming over 320 victims, with most attacks (more than 240) recorded in the opening months of 2026.
The group offers lockers written in the Go programming language that work across Windows, Linux, NAS, and BSD environments, along with a separate locker written in C specifically designed to target VMware ESXi hypervisors.
#cybersecuritynews
🚨 Microsoft Defender 0-Day Vulnerability “RedSun” Enables Full SYSTEM Access
Source: https://t.co/s1vfh5GLcg
A newly disclosed zero-day vulnerability in Microsoft Defender, dubbed "RedSun," allows an unprivileged user to escalate privileges to full SYSTEM-level access on fully patched Windows 10, Windows 11, and Windows Server 2019 and later systems, and as of now, remains unpatched.
RedSun is the second zero-day exploit published within a two-week span in April 2026 by the security researcher known as "Chaotic Eclipse" (also referred to as Nightmare-Eclipse on GitHub).
RedSun follows the same exploit tradition but introduces an entirely new and independent attack vector, suggesting that Defender's architectural weaknesses run far deeper than a single isolated flaw.
#cybersecuritynews #Windowsdefender
🚨 Microsoft SharePoint Server 0-Day Vulnerability Actively Exploited in Attacks
Source: https://t.co/cPB7CZ2Nf7
A critical zero-day spoofing vulnerability in Microsoft SharePoint Server is being actively exploited in the wild, Microsoft confirmed on April 14, 2026, as part of its monthly security update cycle.
Tracked as CVE-2026-32201, the flaw affects multiple versions of SharePoint Server and has been assigned a CVSS base score of 6.5 (Important), with an adjusted temporal score of 6.0 reflecting the availability of an official fix.
The vulnerability stems from improper input validation (CWE-20) in Microsoft Office SharePoint, allowing an unauthenticated remote attacker to perform spoofing attacks over a network.
#cybersecuritynews