Tue, 19 May 2026 19:49:53 +0000
- CISA Exposes Secrets, Credentials in 'Private' Repo [app] [cloud]
CISA's publicly accessible GitHub repository exposed sensitive data due to risky practices and personnel behaviors, highlighting organizational security vulnerabilities amid resource constraints.
- Stealer Spoofs Google, Microsoft & Apple, Then Backdoors macOS [social] [mal]
SHub Reaper macOS malware impersonates trusted brands through social engineering and uses AppleScript to evade detection, exfiltrate data, and maintain persistence.
- OpenAI co-founder Andrej Karpathy joins Anthropic's pre-training team
Andrej Karpathy joins Anthropic to lead LLM pre-training research, leveraging Claude to enhance efficiency, while the company also hires cybersecurity expert Chris Rohlf to bolster AI safety.
- America's top cyber-defense agency left a GitHub repo open with passwords, keys, tokens – and incredibly obvious filenames [app] [cloud]
CISA's six-month exposure of sensitive credentials on GitHub due to poor secret management and disabled secret scanning highlights significant cybersecurity vulnerabilities.
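The two CISA items above describe the same failure: credential material stored under obvious filenames, and secret scanning switched off so nothing caught it. The following is an added example, not code from CISA, GitHub or any scanner product, of the minimal check a pre-commit hook or CI job would run over staged files: it flags filenames that look like key material, a few public token formats, generic `password=`-style assignments, and long high-entropy strings. The sample tree and the filename and token lists are constructed for this example; the regexes are a starting point, not a complete rule set.

```python
import math
import re
from typing import Dict, List, Tuple

# Filenames that rarely belong in a repository (constructed list, extend as needed).
SUSPICIOUS_NAMES = re.compile(
    r"(^|/)("
    r"\.env(\..+)?|id_rsa|id_ed25519|id_ecdsa|.*\.(pem|pfx|p12|ppk)|"
    r"credentials(\.(json|txt|csv))?|passwords?(\.(txt|csv|xlsx))?|secrets?\.(ya?ml|json|txt)"
    r")$",
    re.IGNORECASE,
)

# Secrets with a recognisable prefix, plus generic "key = value" assignments.
TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "assignment": re.compile(
        r"(?i)(password|passwd|pwd|secret|api[_-]?key|token)[ \t]*[:=][ \t]*['\"]?([^\s'\"]{8,})"
    ),
}

# Anything long enough and base64/hex-ish is a candidate for the entropy test.
HIGH_ENTROPY_CANDIDATE = re.compile(r"[A-Za-z0-9+/=_\-]{20,}")


def shannon_entropy(s: str) -> float:
    """Bits per character: prose and identifiers sit near 3-4, random keys near 5 or above."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_file(path: str, content: str, entropy_threshold: float = 4.5) -> List[Tuple[str, int, str]]:
    """Return (rule, line_number, evidence) findings; line 0 means the finding is the filename itself."""
    findings: List[Tuple[str, int, str]] = []
    if SUSPICIOUS_NAMES.search(path):
        findings.append(("suspicious_filename", 0, path))
    for lineno, line in enumerate(content.splitlines(), start=1):
        for rule, pattern in TOKEN_PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append((rule, lineno, m.group(0)))
        for m in HIGH_ENTROPY_CANDIDATE.finditer(line):
            token = m.group(0)
            if shannon_entropy(token) >= entropy_threshold:
                findings.append(("high_entropy", lineno, token))
    return findings


def scan_tree(files: Dict[str, str]) -> Dict[str, List[Tuple[str, int, str]]]:
    """Scan an in-memory {path: content} tree; a pre-commit hook would feed it the staged files."""
    report: Dict[str, List[Tuple[str, int, str]]] = {}
    for path, content in files.items():
        findings = scan_file(path, content)
        if findings:
            report[path] = findings
    return report


# Constructed sample tree; none of this is from the CISA repository.
SAMPLE_TREE = {
    "README.md": "# Tooling\nRun make to build.\n",
    "passwords.txt": "db_password=Sup3rS3cret!Value\n",
    "deploy/config.py": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n',
    "notes.txt": "token: Qz9mP2xL7vB4nK8wR3tY6uH1jF5dS0aG\n",
}

if __name__ == "__main__":
    for path, findings in scan_tree(SAMPLE_TREE).items():
        for rule, lineno, evidence in findings:
            print(f"{path}:{lineno}: {rule}: {evidence}")
```

The entropy threshold is deliberately conservative: the AWS example key above is caught by its prefix, not by entropy, because a 20-character string with repeated letters scores well under 4.5 bits per character. Prefix rules and filename rules do the bulk of the work; entropy is there for opaque tokens without a known shape.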
- Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps [mal]
A malicious Android ad fraud scheme used utility apps, obfuscation, and targeted campaigns to generate millions of downloads and bid requests, but was disrupted after Google removed the malicious apps.
- Drupal to Patch Highly Critical Vulnerability at Risk of Quick Exploitation [app]
Drupal will release a core security patch for all supported branches on May 20, 2026 (17:00-21:00 UTC); exploits are expected within hours or days of disclosure.
- Microsoft Disrupts Malware-Signing Service Run by ‘Fox Tempest’ [mal]
Microsoft disrupted the cybercrime service Fox Tempest, seizing infrastructure and filing lawsuits to dismantle its malware-signing certificate operation affecting global sectors.
- DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability [exp] [sys]
A PoC exploit for CVE-2026-31635 and related Linux kernel vulnerabilities enables local privilege escalation on systems built with CONFIG_RXGK, prompting kernel developers to consider disabling the option as an emergency measure and distributions such as Rocky Linux to ship fixes quickly.
- Looking Back, Looking Forward: Digesting a Dynamic Bouillabaisse of Cyber Evolution [cloud]
Cybersecurity has shifted from perimeter defenses to resilience, emphasizing foundational practices amid evolving threats from cloud, IoT, AI, and non-human identities.
- Facebook scam promises cheap Aldi meat boxes, steals payment info instead [social]
A Facebook scam promotes fake Aldi meat deals using fake stories and urgency to steal personal and payment info through deceptive links and mimicry, with similar tactics targeting other retailers globally.
Tue, 19 May 2026 20:58:31 +0000
- Sleeping Agent: Silent persistent C2 through Web Push [app]
A flaw in Web Push `userVisibleOnly` enforcement allowed covert background notifications, fixed by Apple in May 2026, while Chrome and Microsoft have yet to implement the fix, exposing risks to user awareness and control.
- GhostTree: Unveiling Path Manipulation Techniques to Bypass Windows Security [exp]
Varonis Threat Labs uncovered 'GhostTree,' a technique exploiting NTFS junctions to create recursive paths that bypass security scans, emphasizing the need for monitoring junction activity to detect evasive malware.
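The recursive-path trick above relies on a junction whose target is one of its own ancestors, so a scanner that follows links never reaches the bottom of the tree, and the write-up recommends watching junction activity. Below is an added example, not Varonis code, of the inventory pass a practitioner would run in Python: it walks a tree without following links, lists every directory link (NTFS junctions on Windows, symlinks elsewhere), and flags the ones that point back up their own path. The demo tree it builds is constructed; on non-Windows hosts it uses symlinks as stand-ins for junctions, since `os.DirEntry.is_junction()` exists only on Windows with Python 3.12+ and the `st_reparse_tag` fallback is likewise Windows-only.

```python
import os
import shutil
import stat
import tempfile
from typing import Dict, List


def is_junction(entry: os.DirEntry) -> bool:
    """NTFS junction test: DirEntry.is_junction() on Python 3.12+, else the reparse tag from lstat."""
    if hasattr(entry, "is_junction"):
        return entry.is_junction()
    tag = getattr(entry.stat(follow_symlinks=False), "st_reparse_tag", 0)
    return tag == getattr(stat, "IO_REPARSE_TAG_MOUNT_POINT", -1)


def is_dir_link(entry: os.DirEntry) -> bool:
    """A junction, or a symlink that resolves to a directory (the non-Windows stand-in)."""
    if is_junction(entry):
        return True
    return entry.is_symlink() and entry.is_dir(follow_symlinks=True)


def _norm(path: str) -> str:
    return os.path.normcase(os.path.normpath(path))


def link_target(link_path: str) -> str:
    """Absolute, normalised target; Windows junction targets come back with a \\?\ prefix."""
    raw = os.readlink(link_path)
    if raw.startswith("\\\\?\\"):
        raw = raw[4:]
    if not os.path.isabs(raw):
        raw = os.path.join(os.path.dirname(link_path), raw)
    return _norm(raw)


def points_up(link_path: str, target: str) -> bool:
    """Recursive if the target is the link's own parent directory or any ancestor of it (absolute paths)."""
    parent = _norm(os.path.dirname(link_path))
    target = _norm(target)
    return parent == target or parent.startswith(os.path.join(target, ""))


def scan_links(root: str) -> List[Dict[str, object]]:
    """Walk root without following links; report every directory link and whether it points back up."""
    findings: List[Dict[str, object]] = []
    stack = [os.path.abspath(root)]
    while stack:
        current = stack.pop()
        try:
            with os.scandir(current) as it:
                entries = list(it)
        except OSError:
            continue  # permission denied, vanished directory, etc.
        for entry in entries:
            try:
                if is_dir_link(entry):
                    target = link_target(entry.path)
                    findings.append({"link": entry.path, "target": target,
                                     "recursive": points_up(entry.path, target)})
                elif entry.is_dir(follow_symlinks=False):
                    stack.append(entry.path)
            except OSError:
                continue
    return findings


def build_demo_tree() -> str:
    """Constructed tree using symlinks as stand-ins for junctions (needs symlink permission on Windows)."""
    root = tempfile.mkdtemp(prefix="junction_demo_")
    os.makedirs(os.path.join(root, "a", "b"))
    os.makedirs(os.path.join(root, "other"))
    # a/b/loop -> a : the target is a grandparent, so a naive recursive walk never terminates
    os.symlink(os.path.join(root, "a"), os.path.join(root, "a", "b", "loop"), target_is_directory=True)
    # a/b/up -> .. : relative form of the same trick
    os.symlink("..", os.path.join(root, "a", "b", "up"), target_is_directory=True)
    # a/side -> other : ordinary link that does not recurse
    os.symlink(os.path.join(root, "other"), os.path.join(root, "a", "side"), target_is_directory=True)
    return root


def demo() -> Dict[str, bool]:
    """Build the tree, scan it, return {link name: recursive?}, then clean up."""
    root = build_demo_tree()
    try:
        return {os.path.basename(str(f["link"])): bool(f["recursive"]) for f in scan_links(root)}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, recursive in demo().items():
        print(f"{name}: {'RECURSIVE' if recursive else 'ok'}")
```

Run `scan_links(r"C:\")` (or any volume root) on a Windows host to get the live inventory; the walker never descends through a link, so a recursive junction is reported rather than looped over. Comparing two runs is the cheapest form of the "monitor junction activity" advice: any new entry, recursive or not, is worth a look.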
- CVE-2025-54539: Apache ActiveMQ NMS AMQP Deserialization Policy Bypass to RCE [app] [exp]
CVE-2025-54539 is a deserialization bypass in Apache.NMS.AMQP 2.3.0 that allows remote code execution via crafted messages, mitigated in version 2.4.0 by adding null checks to prevent fallback deserialization.
- Index [rev]
A series detailing how to derive and reverse-engineer perspective-projection matrices in game engines, covering theory, methods, and practical steps.
- TP-Link, Photoshop, OpenVPN, Norton VPN vulnerabilities [app] [net]
Multiple critical vulnerabilities affecting TP-Link routers, Adobe Photoshop, OpenVPN, and Norton VPN have been disclosed, enabling remote code execution, privilege escalation, and denial-of-service attacks.
- Deep dive into the Object creation flow in Windows [PART 4 [sys]]
The article details the multi-level internal structure, dynamic management, and complex creation process of Windows handle tables.
- HoneyLabs [Open-source honeypot telemetry, query-ready [net] [mal]]
An open-source honeypot telemetry platform offering 90 days of searchable data by IP, multiple query methods, attacker insights, and API integrations with rate limits.
- GitHub [Teycir/SeekYou: OSINT intelligence on any IP, domain, or ASN [cloud] [net]]
SeekYou is a cloud-based, edge-first host intelligence tool that aggregates security data from 15 sources to support security operations, troubleshooting, and threat intelligence within Cloudflare’s infrastructure.
- GitHub [MyuriKanao/src-hunter-skill: a Claude Code skill for hands-on SRC / crowdsourced testing / bug bounty vulnerability hunting: 19 attack-class playbooks, 305 structured payloads, 263 WAF/EDR bypasses, 2,887 real HackerOne cases, and statistics from 88,636 WooYun cases [app] [rev]]
src-hunter is an automated, structured vulnerability hunting tool with a comprehensive knowledge base, integration capabilities, and strict safety guidelines for ethical security testing.
- GitHub [crussella0129/tricorne: a Fedora remix focused on pentesting and purple hat tooling [app]]
Tricorne is an upcoming Fedora-based offensive security distribution offering a comprehensive toolset, hardened security features, and streamlined workflows for penetration testing and evidence management.
Wed, 20 May 2026 07:33:01 +0530
- Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps
Cybersecurity researchers have disclosed details of a new ad fraud and malvertising operation dubbed Trapdoor targeting Android device users.
The activity, per HUMAN's Satori Threat Intelligence and Research Team, encompassed 455 malicious Android apps and 183 threat actor-owned command-and-control (C2) domains, turning the infrastructure into a pipeline for multi-stage fraud.
'Users
- DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability
Proof-of-concept (PoC) exploit code has now been released for a recently patched security flaw in the Linux kernel that could allow for local privilege escalation (LPE).
Dubbed DirtyDecrypt (aka DirtyCBC), the vulnerability was discovered and reported by the Zellic and V12 security team on May 9, 2026, only to be informed by the maintainers that it was a duplicate of a vulnerability that had
- The New Phishing Click: How OAuth Consent Bypasses MFA
In February 2026, a phishing-as-a-service (PhaaS) platform called EvilTokens went live. Within five weeks, it had compromised more than 340 Microsoft 365 organizations across five countries.
The targets of the platform received a message asking them to enter a short code at microsoft
- Drupal to Release Urgent Core Security Updates on May 20, Sites Told to Prepare
Drupal has issued an alert stating that it intends to release a 'core security release' for all supported branches on May 20, 2026, from 5-9 p.m. UTC.
'The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days,' the maintainers of the PHP-based content management system (CMS) said.
'Not all configurations are
- SEPPMail Secure E-Mail Gateway Vulnerabilities Enable RCE and Mail Traffic Access
Critical security vulnerabilities have been disclosed in SEPPMail Secure E-Mail Gateway, an enterprise-grade email security solution, that could be exploited to achieve remote code execution and enable an attacker to read arbitrary mails from the virtual appliance.
'These vulnerabilities could have been exploited to read all mail traffic or as an entry vector into the internal network,'
- Compromised Nx Console 18.95.0 Targeted VS Code Developers with Credential Stealer
Cybersecurity researchers have flagged a compromised version of the Nx Console extension that was published to the Microsoft Visual Studio Code (VS Code) Marketplace.
The extension in question is rwl.angular-console (version 18.95.0), a popular user interface and plugin for code editors like VS Code, Cursor, and JetBrains. The VS Code extension has more than 2.2 million installations. The Open
- Popular GitHub Action Tags Redirected to Imposter Commit to Steal CI/CD Credentials
In yet another software supply chain attack, threat actors have compromised the popular GitHub Action actions-cool/issues-helper to run malicious code that harvests sensitive credentials and exfiltrates them to an attacker-controlled server.
'Every existing tag in the repository has been moved to point to an imposter commit that does not appear in the action's normal commit history,
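Moving a tag moves every workflow that references that tag, which is why the attack described above works; a `uses:` reference pinned to a full commit SHA keeps resolving to the same commit no matter where the tags go. The following is an added example, not code from GitHub or from the actions-cool project, of a small linter over workflow text that reports every remote action referenced by a tag, branch or short SHA instead of a full 40-character commit id. The workflow content is constructed, the SHA in it is a made-up placeholder, and the `actions-cool/issues-helper` name is used only because the article names it.

```python
import re
from typing import Dict, List

# One `uses:` line: owner/repo[/path]@ref, docker://image, or ./local-path
USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*['\"]?([^\s'\"#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref: str) -> str:
    """'sha' only for a full 40-hex commit id; tags, branches and short SHAs are all mutable."""
    return "sha" if FULL_SHA_RE.match(ref) else "mutable"


def lint_workflow(text: str) -> List[Dict[str, object]]:
    """Return one record per remote action reference with its line, action, ref and pin status."""
    findings: List[Dict[str, object]] = []
    for m in USES_RE.finditer(text):
        uses = m.group(1)
        if uses.startswith("./") or uses.startswith("docker://"):
            continue  # local actions and container images are a different supply chain
        lineno = text.count("\n", 0, m.start()) + 1
        if "@" in uses:
            action, ref = uses.rsplit("@", 1)
            status = classify_ref(ref)
        else:
            action, ref, status = uses, "", "unpinned"
        findings.append({"line": lineno, "action": action, "ref": ref, "status": status})
    return findings


def mutable_refs(text: str) -> List[Dict[str, object]]:
    """Just the references that would follow a moved tag or branch."""
    return [f for f in lint_workflow(text) if f["status"] != "sha"]


# Constructed workflow; the 40-hex value is a placeholder, not a real setup-node commit.
SAMPLE_WORKFLOW = """\
name: issues
on: [issues]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Helper (tag ref, follows the tag wherever it is moved)
        uses: actions-cool/issues-helper@v3
      - name: Pinned (immutable even if every tag in the repo is moved)
        uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # tag-for-humans
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for f in mutable_refs(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['action']}@{f['ref']} is {f['status']}; pin to a full commit SHA")
```

Pinning is only half of the control: the SHA you pin should be one you have verified against the action's published history, and a trailing `# v1.2.3` comment keeps the intent readable. Tools that bump pinned SHAs automatically should be reviewed like any other dependency update.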
- Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account
Cybersecurity researchers have discovered a fresh software supply chain attack campaign that has compromised various npm packages associated with the @antv ecosystem as part of the ongoing Mini Shai-Hulud attack wave.
'The attack affects packages tied to the npm maintainer account atool, including echarts-for-react, a widely used React wrapper for Apache ECharts with roughly 1.1 million weekly
- INTERPOL Operation Ramz Disrupts MENA Cybercrime Networks with 201 Arrests
INTERPOL has coordinated a first-of-its-kind cybercrime crackdown across the Middle East and North Africa (MENA) that led to 201 arrests and the identification of an additional 382 suspects.
The initiative involved the efforts of 13 countries from the region between October 2025 and February 2026, aiming to investigate and neutralize malicious infrastructure, arrest perpetrators behind these
- ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More
Monday opens with a trust problem. A mail server flaw is under active use. A network control system was targeted. Trusted packages were poisoned. A fake model page pushed a stealer. Then came the familiar ransom claim: the data was returned and deleted.
The pattern is clear. One weak dependency can leak keys. One leaked key can open cloud access. One cloud foothold can become a production
Wed, 20 May 2026 03:25:03 +0000
- ISC Stormcast For Wednesday, May 20th, 2026 https://isc.sans.edu/podcastdetail/9938, (Wed, May 20th)
- ISC Stormcast For Tuesday, May 19th, 2026 https://isc.sans.edu/podcastdetail/9936, (Tue, May 19th)
- TeamPCP Supply Chain Campaign: Activity Through 2026-05-17, (Mon, May 18th)
Since the last update, the TeamPCP supply chain campaign produced its loudest stretch since the March Trivy disclosure: an officially confirmed Checkmarx Jenkins plugin compromise and a new self-spreading Mini Shai-Hulud worm across npm and PyPI.
- [Guest Diary] New Malware Libraries means New Signatures, (Fri, May 15th)
- ISC Stormcast For Friday, May 15th, 2026 https://isc.sans.edu/podcastdetail/9934, (Fri, May 15th)
- Simple bypass of the link preview function in Outlook Junk folder, (Thu, May 14th)
Besides serving as a place where Microsoft Outlook places suspected spam, the Outlook Junk folder has one additional function that can be quite helpful when it comes to identifying malicious messages. Any e-mail placed in this folder is stripped of all formatting, and destinations of all links included in the message become visible to the user, as you can see in the following images which show the same e-mail when it is placed in the inbox, and when it is placed in the Junk folder.
- ISC Stormcast For Thursday, May 14th, 2026 https://isc.sans.edu/podcastdetail/9932, (Thu, May 14th)
- [GUEST DIARY] Tearing apart website fraud to see how it works., (Wed, May 13th)
[This is a Guest Diary by Joshua Nikolson, an ISC Intern and part of the SANS.edu Bachelor's degree in Applied Cybersecurity (BACS) program.]
- ISC Stormcast For Wednesday, May 13th, 2026 https://isc.sans.edu/podcastdetail/9930, (Wed, May 13th)
- Proxying the Unproxyable? Sending EXE traffic to a Proxy, (Wed, May 13th)
.. if “unproxyable” is a word that is ..
- CTT [468,124 breached accounts]
Tue, 19 May 2026 00:28:54 Z
- Addi [34,532,941 breached accounts]
Mon, 18 May 2026 20:55:51 Z
- Abrigo [711,099 breached accounts]
Thu, 14 May 2026 03:37:50 Z
- Canada Life [237,810 breached accounts]
Wed, 13 May 2026 06:51:17 Z
- Cushman & Wakefield [310,431 breached accounts]
Tue, 12 May 2026 06:58:16 Z
- Zara [197,376 breached accounts]
Fri, 08 May 2026 07:14:22 Z
- Woflow [447,593 breached accounts]
Thu, 07 May 2026 06:48:33 Z
- LegionProxy [10,144 breached accounts]
Wed, 06 May 2026 10:11:25 Z
- Vimeo [119,167 breached accounts]
Tue, 05 May 2026 02:08:50 Z
- Reborn Gaming [126 breached accounts]
Mon, 04 May 2026 03:43:06 Z
- Marcus & Millichap [1,837,078 breached accounts]
Sun, 03 May 2026 22:53:12 Z
- ZenBusiness [5,118,184 breached accounts]
Sat, 02 May 2026 05:53:38 Z
- Aman [215,563 breached accounts]
Fri, 01 May 2026 03:34:30 Z
- Pitney Bowes [8,243,989 breached accounts]
Mon, 27 Apr 2026 22:52:07 Z
- ADT [5,488,888 breached accounts]
Mon, 27 Apr 2026 07:36:42 Z
- Udemy [1,401,259 breached accounts]
Sun, 26 Apr 2026 23:01:50 Z
- Carnival [7,531,359 breached accounts]
Fri, 24 Apr 2026 01:58:19 Z
- Amtrak [2,147,679 breached accounts]
Fri, 17 Apr 2026 04:54:48 Z
- McGraw Hill [13,500,136 breached accounts]
Thu, 16 Apr 2026 01:31:14 Z
- Hallmark [1,736,520 breached accounts]
Sun, 12 Apr 2026 02:01:11 Z