The CyberSignal

Latest
Trending
Cyber Attacks
Data Breaches
Threat Intelligence
Critical Infrastructure
Policy & Government
Cybersecurity 101
Vulnerabilities
About Us
Weekly Briefing

Trending

Trending cybersecurity news and analysis covering emerging cyber threats, major breaches, critical vulnerabilities, and the latest developments impacting security teams worldwide.

Line-art illustration of a database cylinder in isometric view on a deep ochre background, with one flat red dot accent.

Vulnerabilities

Drupal Ships an Emergency 'Highly Critical' Fix — CVE-2026-9082 Lets Anonymous Attackers SQL-Inject Any PostgreSQL Site

Drupal shipped an out-of-band 'Highly Critical' fix for CVE-2026-9082, an unauthenticated SQL injection in Drupal core affecting every PostgreSQL-backed site. Maintainers warned exploits could land within hours — for a core flaw pre-announced on schedule, the patch window is effectively closed.

Line-art illustration of a single key set on a bold diagonal on a deep petrol-blue background, with one flat red dot accent.

Vulnerabilities

ssh-keysign-pwn: A Nine-Year-Old Linux Kernel ptrace Flaw Leaks SSH Keys on Its Way to Root

Qualys disclosed CVE-2026-46333 — 'ssh-keysign-pwn' — a nine-year-old Linux kernel ptrace flaw that gives an unprivileged user root. Its defining feature is credential theft: the exploit captures SSH keys and shadow-file password hashes, so a patched kernel does not end the exposure.

Line-art illustration of a single cracked shield filling the frame on a deep charcoal background, with one flat red dot accent.

Vulnerabilities

Microsoft Patches Two Actively Exploited Defender Zero-Days — UnDefend and RedSun Were Built to Disable the Security Tool Itself

Microsoft patched UnDefend (CVE-2026-41091) and RedSun (CVE-2026-45498), two Defender zero-days exploited in the wild since April. Their purpose is the security tool itself — one escalates through Defender, the other disables it. Barracuda ties the wave to the researcher behind MiniPlasma.

Line-art illustration of a single open file folder on a deep indigo background, with one flat red dot accent.

Cyber Attacks

GitHub Confirms TeamPCP Exfiltrated 3,800 Internal Repositories Through One Poisoned VS Code Extension

GitHub confirmed TeamPCP (UNC6780) exfiltrated roughly 3,800 internal repositories after an employee installed a poisoned Visual Studio Code extension. The same actor behind the Mini Shai-Hulud worm listed the data for $50,000+ on BreachForums — framed as a sale, not a ransom.

Line-art illustration of a single open padlock on a pink background, with one flat red dot accent.

Vulnerabilities

YellowKey: A USB Port and a Reboot Bypass BitLocker — and Microsoft's Only Fix Is a Config Change, Not a Patch

Microsoft released mitigations for YellowKey (CVE-2026-45585), a BitLocker bypass disclosed by the researcher behind MiniPlasma. A USB port and a reboot defeat the encryption on any TPM-only device — and the only fix is a TPM+PIN configuration change, not a patch.

Line-art illustration of a single cloud shape on a deep moss-green background, with one flat red dot accent.

Nation-State Cyber Threats

Webworm's New Backdoors Run on Discord and Microsoft OneDrive — and the China-Aligned APT Has Pivoted to Five European Governments

ESET documented Webworm, a China-aligned APT that pivoted from Asia to European governments. Its two new backdoors — EchoCreep and GraphWorm — run command-and-control entirely on Discord and Microsoft OneDrive, hiding inside the trusted cloud traffic every enterprise allowlists.

Line-art illustration of a fractured Artifact Signing vault spilling certificate fragments with a fox-and-tempest motif, on oxblood background with one red dot accent.

Application Security

Microsoft Just Took Down a Code-Signing-as-a-Service Operation. Five Ransomware Crews Were the Customers.

Microsoft's Digital Crimes Unit disrupted Fox Tempest on May 19 — a malware-signing-as-a-service operation that issued over 1,000 fraudulent code-signing certificates to ransomware crews including Rhysida, Vanilla Tempest, and three Storm clusters at up to $9,500 per signed sample.

Line-art illustration of a severed seven-link supply chain spilling malware-package boxes onto a wireframe European map, on mustard background with one red dot accent.

Cyber Crime

Operation Endgame 2.0: Europol Just Took Down 300 Servers and 20 Operators of the Ransomware Supply Chain

Europol and Eurojust executed Operation Endgame 2.0 May 19-22: 300+ servers dismantled, 650 domains, 20 international arrest warrants, €3.5M crypto seized across seven countries. The strategic target is the initial-access-broker layer that supplies ransomware affiliates.

Line-art illustration of an open CISA vault spilling labeled credential documents with a crossed-out GitHub push-protection shield, on plum background with one red dot accent.

Policy & Government

'The Worst Leak I've Witnessed': CISA Contractor Left AWS GovCloud Admin Keys on Public GitHub for Six Months

GitGuardian discovered a public GitHub repo named 'Private-CISA' holding 844 MB of plaintext passwords, AWS GovCloud admin tokens, and Entra ID SAML certs belonging to CISA — public since November 2025. The Nightwing contractor engineer manually disabled push-protection.

Line-art illustration of a balance scale tilted toward a heavy bug icon labeled 31% and away from a light key icon labeled 13%, on slate-blue background with one red dot accent.

Threat Intelligence

Verizon DBIR 2026: Vulnerability Exploitation Just Overtook Credential Theft as the #1 Way Attackers Get In

Verizon's 19th DBIR re-baselines the threat model: vulnerability exploitation hit 31% of breaches up from 20% — now the #1 vector. Credential abuse fell to 13%. AI is shrinking patching windows from months to hours. Third-party breaches up 60% YoY.

Line-art illustration of a glitched Luxembourg map with a fractured network signal and a question-marked Huawei router, on slate-gray background with one red dot accent.

Critical Infrastructure

Luxembourg's Entire Telecom Network Crashed in July 2024. Ten Months Later, the Huawei Zero-Day Behind It Still Has No CVE.

The Record disclosed that the July 23, 2024 nationwide outage of Luxembourg's POST mobile network — which knocked out 4G, 5G, landline, and emergency comms for 3+ hours — was caused by a Huawei enterprise router zero-day. Ten months later: no CVE, no Huawei acknowledgment.

Line-art illustration of a fractured SEPPmail lockbox spilling envelopes marked "READ" with an Alpine mountain silhouette, on jade background with one red dot accent.

Application Security

SEPPmail Just Disclosed Seven CVEs. The Worst Lets Anyone on the Internet Read Your Email Traffic.

InfoGuard Labs disclosed seven CVEs in SEPPmail Secure E-Mail Gateway including CVE-2026-2743 (CVSS 10.0 path traversal to full appliance takeover) and CVE-2026-44128 (unauthenticated Perl eval() RCE). Patched in 15.0.2.1, 15.0.3, and 15.0.4.

See all

The CyberSignal

The CyberSignal delivers breaking cybersecurity news, data breach reports, vulnerability alerts, and threat intelligence for CISOs, IT leaders, and security professionals.

The CyberSignal

Daily Briefing
Weekly Briefing
Corrections
Privacy Policy

Powered by Ghost