Cyber Attacks
Tycoon2FA is back six weeks after the Microsoft/Europol takedown — now phishing OAuth device-code consents against M365 via a Trustifi-laundered relay.
Application Security
Three published versions of node-ipc — a package with 822,000 weekly downloads — hide an obfuscated stealer backdoor that exfiltrates 90 categories of developer and cloud secrets over DNS. The attacker hijacked a lapsed maintainer domain to publish them.
Threat Intelligence
Kaspersky found something unusual in a North Korean backdoor: comments that look written by an LLM, not a human. Combined with Kimsuky's expansion into defense targets across three countries, it is documented evidence that state malware development is borrowing AI.
Threat Intelligence
Microsoft's new Kazuar analysis names one capability that ties it to the other Russian Signal operation in the news: Kazuar steals Signal Desktop message files. Encryption protects the conversation in transit — not the database on a compromised laptop.
Cyber Attacks
Ghostwriter built operational security into its phishing lure. Send the campaign's malicious PDF to a Ukrainian IP and it triggers the attack chain. Send it anywhere else — including to the analysts investigating it — and they get a harmless document.
Threat Intelligence
Salt Typhoon spent three months inside an Azerbaijani oil and gas company — a target type it normally ignores. Bitdefender's assessment of why is the part that matters: Chinese APT targeting now follows energy geopolitics in real time.
Cyber Attacks
An Iranian state-sponsored APT spent early 2026 conducting espionage while wearing the Chaos ransomware brand as a costume. Rapid7 pulled back the curtain. The Microsoft Teams screen-sharing tradecraft is why IR triage needs updating.
Cyber Attacks
Foxconn confirmed a cyberattack on its North American factories. Nitrogen ransomware claims 8TB and 11M+ files including Apple, NVIDIA, Google, Intel, and Dell project documentation. Mount Pleasant AI server factory was offline for a week.
Critical Infrastructure
West Pharmaceutical Services disclosed a disruptive ransomware attack via SEC Form 8-K on May 7, took global systems offline, and engaged Palo Alto Unit 42. The pharma-packaging CI adjacency just became a documented sector risk.
Application Security
HiddenLayer disclosed on May 7 that a malicious Hugging Face repository, Open-OSS/privacy-filter, typosquatted OpenAI's legitimate Privacy Filter release and shipped a Rust-based infostealer called Boxter. The repo briefly hit #1 on Hugging Face and reached 244,000 downloads before takedown.
Application Security
Trend Micro researchers disclosed Quasar Linux RAT (QLNX) on May 4 — a Linux implant purpose-built to harvest npm tokens, PyPI keys, AWS credentials, Kubernetes configs, and the rest of the developer credential file universe. Capabilities map to the LiteLLM compromise of March 2026.
Application Security
RansomHouse claimed responsibility on May 7 for the Trellix breach the cybersecurity firm disclosed last week — and Cybernews researchers say screenshots posted by the group show internal VMware, Rubrik, and Dell EMC dashboards. That's a much wider compromise than Trellix's "portion of our source code