Megalodon Campaign Backdoored 5,561 GitHub Repositories via Poisoned CI/CD Workflows

An automated campaign called Megalodon pushed 5,718 malicious commits to 5,561 GitHub repositories in six hours, hiding secret-stealing payloads inside CI/CD workflow files. It weaponizes the merge — the most routine action in software development.

Trump Mobile Confirms a Third-Party Platform Exposed Customer Names, Home Addresses, and Phone Numbers

Trump Mobile confirmed customer names, email and mailing addresses, phone numbers, and order identifiers were exposed to the open internet, and attributed the incident to a third-party platform provider. The company said it is still evaluating whether it must notify affected customers.

Screening Serpens: An Iran-Nexus APT Is Making Its Targets' Own .NET Software Disable Its Defenses

Unit 42 is tracking Screening Serpens, an Iran-nexus APT that fuses DLL sideloading with AppDomainManager hijacking — manipulating .NET applications into switching off their own security mechanisms before deploying six new RATs across the U.S., Israel, and the UAE.

The Copy Button Lied: A ClickFix Attack Hid an Infostealer Behind a Fake Cloudflare Check on the Based Apparel Site

The Based Apparel merchandise site was pulled offline on May 22 after reports it served a ClickFix attack: a fake Cloudflare check whose 'copy' button placed a hidden shell command on the clipboard, then asked visitors to paste it into their own terminal.

Alleged KimWolf Botmaster Arrested: How a 23-Year-Old Allegedly Ran a Two-Million-Device DDoS-for-Hire Service

Canadian authorities arrested Jacob Butler, 23, of Ottawa — known online as 'Dort' — the alleged operator of the KimWolf DDoS-for-hire botnet. The US has charged him and is seeking extradition. KimWolf allegedly grew to nearly two million infected devices.

Types of Cyberattacks: The Complete Guide

A complete guide to the major types of cyberattacks — from malware and phishing to injection, credential, and AI-enabled attacks — and how to defend against each.

Cisco Secure Workload Has a CVSS 10.0 Flaw — Unauthenticated Attackers Can Seize Site Admin of the Tool Built to Contain Them

Cisco patched CVE-2026-20223, a CVSS 10.0 flaw in Cisco Secure Workload: insufficient authentication on internal REST API endpoints lets an unauthenticated attacker seize Site Admin — full control of the microsegmentation platform built to contain attackers.

Europol Dismantles 'First VPN' — the Cybercrime Underground's Most-Used Anonymity Service — and Walks Away With a List of Thousands of Its Users

A Europol- and Eurojust-coordinated operation dismantled First VPN — a service Europol calls the most widely used in the cybercrime underground — arresting an admin, seizing 33 servers, and identifying thousands of cybercrime-linked users. The intelligence yield is the story.

Showboat: A China-Affiliated Espionage Backdoor Has Been Inside Middle East and Central Asia Telcos Since 2022

Lumen's Black Lotus Labs disclosed Showboat, a modular Linux backdoor a China-affiliated espionage operation has used to sit inside Middle East and Central Asia telecom networks for roughly four years. A SOCKS5-proxy foothold inside a carrier is a persistent window into a region's traffic.

Drupal Ships an Emergency 'Highly Critical' Fix — CVE-2026-9082 Lets Anonymous Attackers SQL-Inject Any PostgreSQL Site

Drupal shipped an out-of-band 'Highly Critical' fix for CVE-2026-9082, an unauthenticated SQL injection in Drupal core affecting every PostgreSQL-backed site. Maintainers warned exploits could land within hours — for a core flaw pre-announced on schedule, the patch window is effectively closed.

ssh-keysign-pwn: A Nine-Year-Old Linux Kernel ptrace Flaw Leaks SSH Keys on Its Way to Root

Qualys disclosed CVE-2026-46333 — 'ssh-keysign-pwn' — a nine-year-old Linux kernel ptrace flaw that gives an unprivileged user root. Its defining feature is credential theft: the exploit captures SSH keys and shadow-file password hashes, so a patched kernel does not end the exposure.

Microsoft Patches Two Actively Exploited Defender Zero-Days — UnDefend and RedSun Were Built to Disable the Security Tool Itself

Microsoft patched UnDefend (CVE-2026-41091) and RedSun (CVE-2026-45498), two Defender zero-days exploited in the wild since April. Their purpose is the security tool itself — one escalates through Defender, the other disables it. Barracuda ties the wave to the researcher behind MiniPlasma.