
New Bad Epoll Bug Impacts Android and Linux, Allows Root Access


A recently found Linux kernel vulnerability called ‘Bad Epoll’ (CVE-2026-46242) allows an ordinary user without any special privileges to take complete control of a device as root. It affects Linux systems, Android, and servers, and a patch is out to address the flaw.

Bad Epoll was discovered in the same kernel code where Anthropic’s famous AI model, Mythos, discovered another vulnerability. 

The AI flagged one flaw but missed Bad Epoll. Expert Jaeyoung Chung discovered this one.

About Bad Epoll

Epoll is a Linux feature that allows a program to watch many network connections and files at once. It cannot be switched off, because web browsers, network services, and servers all rely on it.

The flaw is a ‘use-after-free’ bug, where two parts of the kernel clean up the same internal object at once. One frees the memory while the other is still writing to it. This small race allows hackers to corrupt kernel memory and then escalate to root.

Detecting the bug

Timing is the catch. A random attempt almost never lands in the window where the two code paths intersect, since it is only about six machine instructions wide. On test platforms, Chung's attack widens that window and retries without crashing, achieving root roughly 99% of the time.

It is more serious because, according to his account, it can be triggered from within Chrome's renderer sandbox, which blocks nearly all other kernel bugs, and it can reach Android, which is not possible with other Linux privilege bugs.

Chung submitted the flaw as a zero-day to Google’s kernelCTF program, and full details can be found on his GitHub. There are no indications that hackers have used it in real-world attacks. At present, an Android variant of compromise exists and the only working code is the kernelCTF PoC.

History of the bug

These two flaws go back to a single 2023 modification to the epoll code. According to Chung, Mythos discovered the first of the two, now labelled as CVE-2026-43074, with an early patch in 2026.

Additionally, Anthropic said that Mythos discovered Linux kernel privilege-escalation bugs, but it did not link the findings to Bad Epoll. Finding the first one was hard because race-condition flaws are difficult to detect. But why did the AI miss the second flaw?

Chung offers two likely reasons:

Small timing window

Lack of evidence during runtime 

North Korean PolinRider Campaign Spreads Malicious Packages Across npm, Go, Chrome, and Packagist

 

North Korean threat actors behind the Contagious Interview campaign have been observed persistently targeting software supply chains by distributing more than 100 malicious packages and browser extensions. Researchers note that the PolinRider campaign is targeting software developers and those in the cryptocurrency space by leveraging popular open-source repositories and developer tools. 

The cybersecurity researchers at Socket have discovered 108 unique malicious packages and browser extensions, resulting in 162 release artifacts. Within the discovered malicious code, the researchers have identified 19 npm packages, 10 Packagist (Composer) libraries, 61 Go modules, and one Google Chrome extension. Researchers note that the threat actors continue to compromise developer accounts and push out malicious code updates each time they gain access to a software repository. 

Researchers have linked the PolinRider campaign to the Contagious Interview supply chain attack, which has been actively targeting developers since at least 2023. In most cases, North Korean hackers impersonate recruiters or business partners on social media platforms and code repositories, luring targets into installing malicious software during the interview process. 

The PolinRider threat group was first detected this year when cybersecurity analysts identified hundreds of GitHub repositories with hidden JavaScript code that downloads an updated version of the BeaverTail malware. According to the researchers, almost 2000 GitHub repositories and 1000+ unique owners have been compromised by the PolinRider campaign as of April 2026. 

Researchers suggest that attackers are not compromising the GitHub servers directly but rather hijacking developer accounts on the platform. Initial access to the developer accounts is achieved through either domain takeover or the account recovery process. Attackers compromise a developer's Visual Studio Code or npm account and then install a malicious Visual Studio Code extension or npm package.

After the initial compromise, the attackers’ BeaverTail malware searches the project directory for the most common JavaScript configuration files and other relevant files such as Tailwind CSS, Next.js, Babel, and ESLint files. It then stealthily inserts malicious code into the files. Additionally, the malware tampers with the Git commit history to hide its tracks by overwriting commit messages and timestamps. 

The latest updates to the BeaverTail malware now download the second stage of encrypted payloads from the blockchain network. Attackers have been observed using TRON, Aptos, and BNB Smart Chain blockchain networks to host the payloads. The decrypted payloads then deploy remote access malware, including DEV#POPPER RAT and OmniStealer, to exfiltrate data from the compromised systems. Researchers recommend that developers who have installed any of the compromised packages should treat their systems as compromised.

Users should update the credentials of their compromised accounts, including SSH keys and tokens, from a different machine if possible. Developers should also delete the malicious versions of the packages and re-install the project dependencies using a trusted package manager lock file. Lastly, developers should review their commits, tasks, and files for any suspicious activity or unauthorized changes.

AI-Powered Antivirus: How Next-Gen Software Predicts and Stops Threats

 

Antivirus software has undergone a profound transformation, shifting from reactive signature matching to proactive behavior prediction. Where traditional tools once relied on databases of known malware fingerprints, modern solutions now leverage machine learning, behavioral analysis, and real-time monitoring to identify suspicious activity before an attack fully unfolds. This evolution is essential as cybercriminals deploy polymorphic code, fileless malware, and zero-day exploits faster than legacy defenses can adapt. 

Historically, antivirus programs functioned like a bouncer checking IDs against a blacklist of known troublemakers. If a file matched a stored signature, it was blocked; if not, it slipped through undetected. This model worked when malware evolved slowly, but today’s threat landscape moves at lightning speed. Polymorphic malware mutates its code with each infection, metamorphic variants rewrite themselves entirely, and zero-day attacks exploit freshly discovered vulnerabilities before patches exist. Signature databases, while still useful, increasingly lag behind the pace of malicious innovation, leaving systems exposed to novel or rapidly changing threats. 

Modern antivirus flips the script by focusing on behavior rather than identity. It monitors API calls, memory access patterns, encryption bursts, and unusual network traffic to spot anomalies. For instance, a process that suddenly begins locking files across a network, disabling security services, or contacting unfamiliar servers at odd hours raises red flags—even if it has no known signature. This behavior-first approach is critical against ransomware and fileless attacks that operate in memory or hijack legitimate tools to avoid detection. Anomaly detection establishes a baseline of “normal” system activity and alerts on deviations, enabling early intervention before damage spreads. 

Machine learning supercharges this capability by training models on vast datasets of both clean and malicious files. These algorithms learn subtle patterns linked to malware—suspicious code structures, odd execution paths, or risky permission requests—and assign risk scores to files and processes. Decision trees, support vector machines, and neural networks each contribute to layered evaluations that reduce false negatives for unseen threats. Companies like Microsoft, CrowdStrike, and SentinelOne deploy such models at scale, continuously refining them with telemetry from millions of endpoints. The result is a system that generalizes from past attacks to catch new ones, even without an exact signature match. 

The ultimate aim is prediction: intercepting malware in its earliest stages using sandboxing, dynamic analysis, and integration with broader security stacks like endpoint detection and response (EDR). Suspicious files are detonated in isolated environments to observe their behavior safely, while EDR tools trace attack chains across networks. Yet AI is a double-edged sword—attackers also use it to craft evasive malware that adapts to detection systems. False positives and privacy concerns from heavy telemetry remain challenges. For most users, built-in tools like Microsoft Defender and Apple’s XProtect offer strong baseline protection, but layered security and user vigilance against phishing are still essential.

Massive Azure CLI Password Spray Campaign Targets Microsoft 365, Over 81 Million Login Attempts Detected

 

Cybersecurity company Huntress has uncovered a large-scale password spray campaign targeting Microsoft 365 environments through the Azure CLI, resulting in millions of malicious login attempts and multiple account compromises.

According to the company, between June 12 and June 21, attackers carried out more than 81 million login attempts against customer environments. The campaign led to the compromise of 78 user accounts across 64 organizations.

During the two-week period, threat actors were found compromising between two and four accounts each day. However, activity surged around June 22, when 23 organizations were reportedly affected in a single spike.

Huntress' investigation revealed that the majority of the login attempts originated from Autonomous System (AS) 32167, which is associated with internet hosting provider LSHIY LLC.

“These attacks are part of a large wave of credential spray attacks across a few different ASNs. In the past six months, Huntress has observed the volume of credential spray attacks increase by over 155 times across our customer base,” the cybersecurity company says.

The company also observed a sharp increase in password spray attacks during late May and early June, impacting multiple organizations. Huntress believes the campaign primarily relied on previously compromised username-password combination lists.

As part of the attack, the threat actors exploited the OAuth Resource Owner Password Credentials (ROPC) authentication flow to validate user credentials. Although this authentication method has been deprecated in OAuth 2.1, it still allows attackers to obtain a new user-delegated access token when valid credentials are provided.

Because of this authentication flow, attackers were able to compromise accounts even when multi-factor authentication (MFA) was enabled, provided that MFA policies were not configured to protect the OAuth ROPC authentication process.

“ROPC is considered problematic for several reasons, but one of those reasons is that it doesn’t offer support for modern auth flows like MFA or SSO. That means, as we saw in this campaign, ROPC sends the password straight to the /token endpoint with no interactive MFA prompt,” Huntress explains.

Further analysis of the affected environments showed several weaknesses in MFA implementation. In some organizations, MFA was applied only to specific cloud applications or user groups. Others enforced MFA only for logins from untrusted locations, while some had deployed MFA policies that were never actively enforced.

“It’s worth noting that eight businesses impacted by the campaign had no MFA policy at all. While threat actors in this campaign were able to get in despite MFA being set up, the takeaway should not be that MFA doesn’t work at all; instead, organizations should ensure that their MFA policies are properly configured to address the authorization flow used across these incidents,” the cybersecurity firm notes.
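A triage sketch for the pattern described above, added here as an illustration and not taken from Huntress or this blog: it filters Azure CLI sign-ins that used ROPC, flags networks that tried many distinct users, and separates accounts that received a token on a password alone from accounts where MFA held but the password was evidently valid. The record shape and field names are modelled on Entra ID sign-in log properties and should be treated as assumptions, as should the Azure CLI client ID and error codes; all sample records are constructed.

```python
from collections import defaultdict

# Assumption: client ID of the Microsoft Azure CLI public client application.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
# Assumption: Entra ID sign-in error codes (invalid password, MFA required, success).
BAD_PASSWORD, MFA_REQUIRED, SUCCESS = 50126, 50076, 0


def signin(user, asn, code, proto="ropc", req="singleFactorAuthentication"):
    """Build one constructed sign-in record (flattened, hypothetical export shape)."""
    return {"userPrincipalName": user, "autonomousSystemNumber": asn,
            "errorCode": code, "authenticationProtocol": proto,
            "authenticationRequirement": req, "appId": AZURE_CLI_APP_ID}


# Constructed sample data, not real telemetry. 64512 is a private-use ASN.
SAMPLE_SIGNINS = [
    signin("alice@example.com", 32167, BAD_PASSWORD),
    signin("bob@example.com", 32167, BAD_PASSWORD),
    signin("carol@example.com", 32167, SUCCESS),
    signin("dave@example.com", 32167, MFA_REQUIRED, req="multiFactorAuthentication"),
    signin("erin@example.com", 64512, SUCCESS, proto="deviceCode",
           req="multiFactorAuthentication"),
    signin("frank@example.com", 64512, SUCCESS),
]


def triage(records, min_users=3):
    """Summarise Azure CLI ROPC sign-ins: spraying ASNs, MFA gaps, exposed passwords."""
    per_asn = defaultdict(lambda: {"users": set(), "failures": 0})
    mfa_gaps, password_known = [], []
    for r in records:
        if r["appId"] != AZURE_CLI_APP_ID or r["authenticationProtocol"] != "ropc":
            continue  # interactive and device-code logins are out of scope here
        user, asn, code = r["userPrincipalName"], r["autonomousSystemNumber"], r["errorCode"]
        per_asn[asn]["users"].add(user)
        if code != SUCCESS:
            per_asn[asn]["failures"] += 1
        if code == SUCCESS and r["authenticationRequirement"] == "singleFactorAuthentication":
            mfa_gaps.append((user, asn))        # token issued on password alone
        elif code == MFA_REQUIRED:
            password_known.append((user, asn))  # MFA held, but the password was valid
    spray = {asn: {"distinct_users": len(s["users"]), "failures": s["failures"]}
             for asn, s in per_asn.items() if len(s["users"]) >= min_users}
    return {"spray_asns": spray, "mfa_gaps": mfa_gaps, "password_known": password_known}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SIGNINS).items():
        print(key, value)
```

Accounts in `mfa_gaps` show where an MFA policy does not cover the ROPC flow, even when only one user is involved; accounts in `password_known` still need a password reset although the sign-in was blocked.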

Huntress also traced the attack traffic to IPv6 address ranges linked to LSHIY, an internet infrastructure provider registered in Hong Kong, Wuhan, China, and New York. Previous reports have also associated IPv6 ranges operated under AS32167 and AS955 with infrastructure originating from China.

The cybersecurity firm said it reported the malicious activity to LSHIY through the provider's abuse reporting mechanism but did not receive any response.

AI-Driven Software Development Demands a New Approach to Security Audits

 



Artificial intelligence is rapidly reshaping how software is built, enabling developers to generate code, automate repetitive tasks and accelerate application development. While these tools are helping organizations improve productivity, cybersecurity experts warn that they are also introducing new security and governance challenges that traditional software audits were never designed to address. As AI-generated code becomes more deeply embedded in development workflows, security leaders are being encouraged to expand software audits beyond compliance checks and evaluate how artificial intelligence influences the entire software development lifecycle (SDLC).

Unlike conventional audits, which primarily examine financial records, operational controls and regulatory compliance, modern software audits must determine how AI contributes to software development and whether its use introduces security risks before applications are deployed. This includes identifying which developers are using AI-powered coding assistants, understanding how frequently these tools are used, determining where AI-generated code enters development pipelines, and verifying that approved tools are being used responsibly. Collectively, these activities form what many security professionals now describe as the Agentic Development Lifecycle (ADLC), where governance extends beyond the software itself to the AI systems supporting its creation.

The need for stronger oversight is becoming increasingly urgent. Research has found that one in five organizations has experienced a serious security incident associated with AI-generated code, highlighting how limited visibility into AI-assisted development can expose organizations to unnecessary risk. Without a clear understanding of developer practices and AI tool adoption, Chief Information Security Officers (CISOs) face growing challenges in enforcing security policies, demonstrating regulatory compliance and providing boards with measurable assessments of AI-related risk.

Although AI coding assistants can significantly improve developer efficiency, security specialists caution that they should not be treated as autonomous software engineers. Studies comparing human developers with large language models (LLMs) show that leading AI models can effectively identify issues such as insecure coding patterns, code smells and certain design weaknesses. However, they continue to struggle with more complex security responsibilities, including denial-of-service protections, insufficient logging and permission management. As a result, experienced developers remain essential for reviewing AI-generated code, identifying inaccuracies and ensuring vulnerabilities are eliminated before software reaches production.

Security leaders also recommend that organizations adopt a structured auditing framework for AI-assisted development. This includes maintaining an inventory of approved AI coding tools, mapping AI-generated code to development activities, benchmarking models against known vulnerability patterns and monitoring integrations to ensure AI agents access only authorized tools and data sources. Regular vulnerability assessments, developer upskilling and risk-based evaluations can further help organizations identify skill gaps, strengthen governance and reduce the likelihood of preventable security incidents.

Ultimately, effective AI governance requires more than simply adopting new technologies. By combining continuous oversight with skilled human review and well-defined security policies, organizations can harness the productivity benefits of AI while maintaining secure software development practices. As AI becomes an increasingly permanent part of modern software engineering, comprehensive audits will play a central role in ensuring innovation does not come at the expense of security.

MSG Data Breach: Hackers Leak Facial Recognition Records of 26 Million Visitors

 

A massive data breach at Madison Square Garden has exposed the facial recognition and personal records of millions of visitors, sparking outrage and legal action. The cybercrime group ShinyHunters leaked 45 gigabytes of stolen data after the arena’s parent company missed a ransom deadline, raising serious concerns about biometric privacy and surveillance. 

The breach, which reportedly occurred on June 5, 2026, involved the theft of what hackers claim are 26 million customer and corporate records. The leaked files include biometric tracking logs, internal threat assessments, background check information, and detailed dossiers on attendees—some dating back to 2018. Among the exposed data were references to New York Knicks players, coaches, and talent, with fields listing addresses, contact details, and even “cost of talent.” Customer emails were also part of the dump, including messages from fans who had previously expressed concern about being misidentified by MSG’s facial recognition cameras. 

What makes this incident particularly alarming is MSG’s extensive use of facial recognition technology across its venues. For years, the arena has deployed biometric systems to screen visitors—and controversially, to ban lawyers from firms that have sued the company. The leaked surveillance records now reveal how deeply the venue tracked individuals, creating detailed profiles without clear consent. Privacy advocates argue this breach underscores the risks of unchecked biometric data collection, especially when security practices fail to protect such sensitive information.

In the wake of the leak, a federal class-action lawsuit—Avalo v. MSG Entertainment—was filed on June 16 in a New York court. The plaintiff, Carlos Avalo, alleges his biometric data was captured during a 2025 concert visit without proper disclosure or consent. The suit seeks at least $5 million in initial damages and highlights violations of biometric privacy laws. This is not MSG’s first major breach in under a year, further eroding trust in the company’s ability to safeguard visitor data. Despite repeated requests, MSG Entertainment has not publicly confirmed the full scope of the breach or commented on the lawsuits. 

The ShinyHunters group, known for targeting high-profile organizations like Kodak and Instructure, claimed responsibility for the attack, alleging they gained access by socially engineering a low-level employee. The incident serves as a stark reminder of the vulnerabilities in even the most advanced surveillance systems—and the human element that often remains the weakest link. As investigations continue, the breach raises urgent questions about the ethics of biometric data collection, the adequacy of current privacy regulations, and the responsibilities of venues that turn guests into data profiles.
