# Archive
Browse past daily curated stories
Sunday, May 17, 2026
1. BleepingComputer (general): Microsoft warns of Exchange zero-day flaw exploited in attacks
Microsoft disclosed CVE-2026-42897, a high-severity Exchange Server zero-day being actively exploited in the wild. The flaw enables arbitrary code execution via cross-site scripting (XSS) targeting Outlook on the web users, with Microsoft providing mitigations while a permanent patch is pending. Security teams running on-premises Exchange should apply the published mitigations immediately given active exploitation.
2. SecurityWeek (general): Cisco Patches Another SD-WAN Zero-Day, the Sixth Exploited in 2026
Cisco patched CVE-2026-20182, a sixth SD-WAN zero-day exploited in 2026, attributed to sophisticated threat actor UAT-8616. CISA added the critical authentication bypass flaw to its Known Exploited Vulnerabilities catalog and mandated Federal Civilian Executive Branch agencies remediate by May 17, 2026. The repeated exploitation of Cisco SD-WAN infrastructure by this actor signals a sustained, targeted campaign against network edge devices.
3. The Hacker News (general): Turla Turns Kazuar Backdoor Into Modular P2P Botnet for Persistent Access
Russia's FSB-affiliated Turla group (also tracked as Secret Blizzard) has evolved its Kazuar backdoor into a modular peer-to-peer botnet engineered for long-term stealth and persistent access. The P2P architecture eliminates centralized C2 infrastructure, making detection and takedown significantly harder for defenders. CISA has attributed Turla to Center 16 of the FSB, underscoring the state-sponsored nature of this advanced persistent threat.
4. BleepingComputer (general): Popular node-ipc npm package compromised to steal credentials
The popular npm package node-ipc was compromised in a supply chain attack, with hackers injecting credential-stealing malware into newly published versions. This package is widely used for inter-process communication in Node.js applications, meaning the blast radius across development pipelines and production environments could be substantial. Developers should audit dependencies and check installed versions immediately.
5. SecurityWeek (general): OpenAI Hit by TanStack Supply Chain Attack
Two OpenAI employee devices were compromised via the 'Mini Shai-Hulud' supply chain attack targeting the TanStack open-source project, with credential material stolen from OpenAI code repositories. OpenAI stated no user data, production systems, or intellectual property were modified, and macOS updates were forced on affected devices. The attack is linked to threat group TeamPCP, which subsequently released the Shai-Hulud worm's source code publicly to encourage further supply chain exploitation.
6. BleepingComputer (general): Microsoft Exchange, Windows 11 hacked on second day of Pwn2Own
At Pwn2Own Berlin 2026's second day, researchers exploited 15 unique zero-days across Windows 11, Microsoft Exchange, and Red Hat Enterprise Linux for Workstations, collecting $385,750 in awards. The volume and diversity of successful exploits against enterprise-grade platforms underscores the continued prevalence of unpatched attack surface in widely deployed Microsoft and Linux environments. Vendors now have 90 days to patch the disclosed vulnerabilities per Pwn2Own rules.
7. BleepingComputer (general): Funnel Builder WordPress plugin bug exploited to steal credit cards
A critical, unpatched vulnerability (no CVE yet assigned) in the Funnel Builder WordPress plugin is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages for payment card skimming. Sansec researchers published details of the active exploitation campaign, which targets e-commerce sites running WooCommerce. WordPress site owners using the Funnel Builder plugin should disable it immediately pending an official patch.
8. BleepingComputer (general): Avada Builder WordPress plugin flaws allow site credential theft
Two vulnerabilities in the Avada Builder WordPress plugin — installed on an estimated one million active sites — allow attackers to read arbitrary files and extract sensitive database credentials. The flaws represent a significant supply chain risk given the plugin's massive install base, enabling credential theft at scale. WordPress administrators should update Avada Builder to the latest patched version without delay.
9. SecurityWeek (general): PoC Code Published for Critical NGINX Vulnerability
A critical-severity vulnerability in NGINX Plus and NGINX open source, introduced in 2008 and patched this week, now has public proof-of-concept exploit code available. The nearly two-decade-old flaw's PoC publication significantly raises the risk of mass exploitation against unpatched NGINX deployments, which are ubiquitous in web infrastructure. Operators should prioritize patching given the immediate availability of working exploit code.
10. BleepingComputer (general): Microsoft backpedals: Edge to stop loading passwords into memory
Microsoft reversed course on a security issue in the Edge browser, committing to stop loading saved passwords into process memory in cleartext at startup — behavior the company had previously defended as 'by design.' The change comes after security researchers flagged that cleartext credentials in process memory are trivially accessible to any process with sufficient privileges or via memory dump attacks. This represents a meaningful hardening improvement for the estimated hundreds of millions of Edge users who store passwords in the browser.