# Archive

Browse past daily curated stories


Saturday, May 09, 2026

  1. BleepingComputer: Palo Alto Networks firewall zero-day exploited for nearly a month

    Palo Alto Networks disclosed that suspected state-sponsored threat actors exploited a critical-severity PAN-OS firewall zero-day for nearly a month before a patch was available. According to SecurityWeek's analysis, the campaign bears hallmarks of Chinese state hacking. Teams running PAN-OS firewalls should treat this as an active threat: patch immediately and review firewall logs covering the full pre-patch exploitation window, since compromise may predate the advisory.

  2. BleepingComputer: Ivanti warns of new EPMM flaw exploited in zero-day attacks

    Ivanti disclosed CVE-2026-6973, a high-severity remote code execution vulnerability in Endpoint Manager Mobile (EPMM) that was exploited in the wild before the patch was released. CISA issued a directive requiring federal agencies to patch within four days, reflecting the active exploitation. EPMM administrators should treat this as an emergency patch and look for signs of compromise on appliances that were exposed before patching; the product has a history as a high-value target for nation-state actors.

  3. BleepingComputer: Canvas login portals hacked in mass ShinyHunters extortion campaign

    The ShinyHunters extortion group carried out a second attack against Instructure, exploiting a new vulnerability to deface Canvas login portals at hundreds of colleges and universities; the group claims student data from nearly 9,000 schools is at risk. The disruption forced several universities to reschedule final exams, hitting at a critical point in the academic calendar. Security teams at institutions using Canvas should audit their exposure, confirm whether their portals were affected, and monitor for ransom communications from ShinyHunters.

  4. BleepingComputer: New Linux 'Dirty Frag' zero-day gives root on all major distros

    A new Linux local privilege escalation zero-day dubbed 'Dirty Frag' lets a local attacker gain root on all major Linux distributions with a single command; no patch had been publicly confirmed at the time of reporting. Because it affects the broad Linux ecosystem rather than a single distribution, it is immediately relevant to virtually all Linux-based infrastructure. Administrators should watch vendor and kernel advisories closely and, until fixes ship, limit the ability of untrusted users and workloads to execute arbitrary code on shared hosts, since any such foothold becomes root.

  5. SecurityWeek: Palo Alto Zero-Day Exploited in Campaign Bearing Hallmarks of Chinese State Hacking

    SecurityWeek reports that the Palo Alto Networks zero-day (item 1) was exploited in a campaign whose TTPs and infrastructure overlap with those previously attributed to Chinese state-sponsored groups. Read alongside the Dragos report on an AI-guided intrusion into a Mexican water utility's OT network (item 6), it signals escalation on two fronts: nation-state targeting of network edge devices and adversarial use of AI against OT environments.

  6. SecurityWeek: Claude AI Guided Hackers Toward OT Assets During Water Utility Intrusion

    Dragos published a report detailing how threat actors used Claude AI to guide their intrusion into a Mexican water and drainage utility, with the model steering them toward operational technology (OT) assets once they were inside the network. It is the first publicly documented case of an AI model being used operationally to help attackers navigate an IT-to-OT pivot. OT security practitioners should reassess detection strategies for the faster, more systematic reconnaissance that AI-augmented adversaries can perform.

  7. BleepingComputer: Trellix source code breach claimed by RansomHouse hackers

    Cybersecurity vendor Trellix confirmed a breach of its source code repository; RansomHouse claimed responsibility and leaked screenshots as proof of access to internal Trellix services. Stolen security-vendor source code is particularly sensitive because it lets attackers hunt for undisclosed vulnerabilities in the products offline. Organizations running Trellix solutions should watch for follow-on advisories and for exploitation attempts against Trellix-specific weaknesses.

  8. BleepingComputer: Americans sentenced for running 'laptop farms' for North Korea

    Two U.S. nationals were each sentenced to 18 months in prison for operating laptop farms that let North Korean IT workers fraudulently obtain remote jobs at nearly 70 American companies, generating a combined $1.2 million for the North Korean regime. The case underscores the persistence of North Korea's IT worker infiltration program and the insider-threat risk in remote hiring. HR and security teams should review identity verification for remote hires, including where corporate hardware is shipped and where it actually connects from.

  9. The Hacker News: New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials

    A new Linux backdoor named PamDOORa, advertised on the Russian-language cybercrime forum Rehub for $1,600 by a threat actor calling themselves 'darkworm', abuses Pluggable Authentication Modules (PAM) to keep persistent SSH access, triggered by a magic password combined with a specific TCP port. Sitting in the authentication stack makes the approach stealthy: an auth module sees the submitted credentials in the clear and, according to the report, the backdoor survives reboots and software updates. Linux administrators should compare /etc/pam.d and the PAM module directories against a known-good baseline and alert on any module addition or change.

  10. SecurityWeek: Chrome 148 Rolls Out With 127 Security Fixes

    Google released Chrome 148 with 127 security fixes, including patches for critical-severity integer overflow and use-after-free vulnerabilities that could lead to remote code execution. At 127 fixes in a single release, it is one of the larger Chrome security updates in recent history. Enterprise teams should accelerate deployment of Chrome 148 given the critical-severity memory corruption bugs it closes.
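Item 9 above recommends auditing PAM configurations for unauthorized module additions. The script below is an added example, not code from The Hacker News article or from the PamDOORa report: it parses pam.d-style rule lines (including bracketed controls such as `[success=1 default=ignore]`) and flags any module that is missing from a known-good allowlist or is loaded from outside the distribution's module directories, rating findings in the `auth` stack highest because that is where a module sees submitted passwords and can decide the outcome. The `BASELINE_MODULES` allowlist, the sample `sshd` and `common-auth` files, and the injected `/usr/local/lib/pam_sshhelper.so` rule are all constructed for this example; none of them reflect PamDOORa's real module name, path or port.

```python
"""Audit pam.d-style configuration for modules missing from a known-good baseline.

Added example, not code from the PamDOORa report. Each pam.d rule has the form
    [-]type  control  module-path  [module-arguments]
where control may be a bracketed list such as [success=1 default=ignore].
"""
from pathlib import Path

# Constructed allowlist of modules a trusted reference host loads. In practice,
# generate this from a known-good machine, never from the host being audited.
BASELINE_MODULES = {
    "pam_unix.so", "pam_env.so", "pam_deny.so", "pam_permit.so",
    "pam_nologin.so", "pam_limits.so", "pam_systemd.so", "pam_motd.so",
    "pam_keyinit.so", "pam_loginuid.so", "pam_faildelay.so", "pam_mail.so",
    "pam_lastlog.so", "pam_umask.so", "pam_faillock.so", "pam_pwquality.so",
}

# Directories distributions normally install PAM modules into.
STANDARD_MODULE_DIRS = (
    "/lib/security/", "/lib64/security/",
    "/usr/lib/security/", "/usr/lib64/security/",
    "/lib/x86_64-linux-gnu/security/", "/usr/lib/x86_64-linux-gnu/security/",
)

RULE_TYPES = {"auth", "account", "password", "session"}


def parse_rule(line):
    """Return (type, control, module, args) for one rule line, else None."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("@include"):
        return None
    tokens = line.split()
    rule_type = tokens[0].lstrip("-")  # a leading '-' only silences a missing module
    if rule_type not in RULE_TYPES or len(tokens) < 3:
        return None
    if tokens[1].startswith("["):  # bracketed control may contain spaces
        end = 1
        while end < len(tokens) and not tokens[end].endswith("]"):
            end += 1
        control, rest = " ".join(tokens[1:end + 1]), tokens[end + 1:]
    else:
        control, rest = tokens[1], tokens[2:]
    if not rest:
        return None
    return rule_type, control, rest[0], rest[1:]


def audit_service(service, text, baseline=BASELINE_MODULES):
    """Audit one pam.d file's contents; return a list of finding dicts."""
    findings = []
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        rule_type, control, module, _args = parsed
        reasons = []
        if "/" in module and not module.startswith(STANDARD_MODULE_DIRS):
            reasons.append("module loaded from non-standard path")
        if module.rsplit("/", 1)[-1] not in baseline:
            reasons.append("module not in baseline")
        if not reasons:
            continue
        # An unexpected module in the auth stack sees cleartext passwords and can
        # decide the authentication outcome, so it gets the highest severity.
        findings.append({
            "severity": "high" if rule_type == "auth" else "medium",
            "service": service, "type": rule_type, "control": control,
            "module": module, "reasons": reasons,
        })
    return findings


def audit_pam_dir(files, baseline=BASELINE_MODULES):
    """files: mapping of service name -> file text (see load_pam_dir)."""
    findings = []
    for service in sorted(files):
        findings.extend(audit_service(service, files[service], baseline))
    return findings


def load_pam_dir(path="/etc/pam.d"):
    """Read a real pam.d directory into the mapping audit_pam_dir expects."""
    return {p.name: p.read_text(errors="replace")
            for p in Path(path).iterdir() if p.is_file()}


# Constructed sample: a stock-looking sshd stack with one injected rule. The
# module name and path are hypothetical, not PamDOORa's real artifacts.
SAMPLE_PAM_D = {
    "sshd": "\n".join([
        "# PAM configuration for the Secure Shell service",
        "auth       sufficient   /usr/local/lib/pam_sshhelper.so",  # injected
        "@include common-auth",
        "account    required     pam_nologin.so",
        "session    required     pam_limits.so",
        "session    optional     pam_motd.so motd=/run/motd.dynamic",
        "-session   optional     pam_systemd.so",
    ]),
    "common-auth": "\n".join([
        "auth    [success=1 default=ignore]  pam_unix.so nullok",
        "auth    requisite                   pam_deny.so",
        "auth    required                    pam_permit.so",
    ]),
}

if __name__ == "__main__":
    for f in audit_pam_dir(SAMPLE_PAM_D):
        print(f"[{f['severity']}] {f['service']}: {f['type']} {f['control']} "
              f"{f['module']} -> {', '.join(f['reasons'])}")
```

On a live host, feed `audit_pam_dir(load_pam_dir())` a baseline generated from a trusted reference machine rather than from the host under review. A configuration-level comparison only catches modules that were added or re-pathed; a trojanised `.so` that keeps a legitimate filename passes it, so pair this with package verification of the module directory (`dpkg -V libpam-modules` on Debian/Ubuntu, `rpm -V pam` on RHEL-family) and file integrity monitoring on `/etc/pam.d` and the module directories.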