# Archive

Browse past daily curated stories


Sunday, May 24, 2026

  1. The Hacker News general
    LiteSpeed cPanel Plugin CVE-2026-48172 Exploited to Run Scripts as Root

    CVE-2026-48172, a CVSS 10.0 privilege escalation flaw in the LiteSpeed User-End cPanel Plugin, is under active exploitation in the wild. The vulnerability stems from incorrect privilege assignment, allowing any cPanel user — including compromised accounts — to execute arbitrary scripts as root. Server administrators running LiteSpeed on cPanel hosts should patch immediately given the maximum severity score and confirmed in-the-wild exploitation.

  2. The Hacker News general
    Drupal Core SQL Injection Bug Actively Exploited, Added to CISA KEV

    CISA has added CVE-2026-9082, a CVSS 6.5 SQL injection vulnerability in Drupal Core affecting all supported versions, to its Known Exploited Vulnerabilities catalog following evidence of active exploitation. SecurityWeek reports attackers began targeting the flaw shortly after public disclosure, with thousands of websites already under attack. Drupal site administrators should apply the available patch without delay.

  3. Ars Technica Security general
    A hacker group is poisoning open source code at an unprecedented scale

    Threat group TeamPCP has been executing software supply chain attacks at an unprecedented scale, with GitHub being the latest platform targeted. The campaign spans multiple ecosystems including Packagist (8 packages compromised) and Laravel-Lang PHP packages, with malicious Linux binaries distributed via GitHub Releases URLs and credential-stealing frameworks injected into package.json files rather than composer.json to evade detection. Developers using Laravel-Lang packages — including laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and laravel-lang/actions — should audit their dependencies immediately.

  4. SecurityWeek general
    Grafana Says Codebase and Other Data Stolen via TanStack Supply Chain Attack

    Grafana disclosed that its codebase and other internal data were stolen after attackers leveraged a GitHub access token compromised in the TanStack supply chain attack that was never rotated. The incident illustrates cascading third-party supply chain risk: a token stolen upstream gave attackers direct access to Grafana's repositories. Security teams should audit and rotate all tokens associated with compromised upstream dependencies.

  5. SecurityWeek general
    ‘First VPN’ Cybercrime Service Disrupted, Administrator Arrested

    The 'First VPN' cybercrime service has been disrupted by the FBI, with its administrator arrested. The FBI states First VPN was actively used by dozens of ransomware groups to conduct network reconnaissance and facilitate intrusions. Separately, Dutch FIOD investigators arrested two men and seized 800 servers tied to a bulletproof hosting firm enabling cyberattacks and disinformation campaigns.

  6. BleepingComputer general
    US and Canada arrest and charge suspected Kimwolf botnet admin

    U.S. and Canadian authorities arrested 23-year-old Canadian Jacob Butler and charged him with operating the KimWolf DDoS-for-hire botnet, which infected nearly two million devices worldwide. Butler ran KimWolf as a Telegram-accessible service, and the DOJ is seeking extradition. The takedown is part of broader law enforcement action against DDoS-as-a-service infrastructure.

  7. The Hacker News general
    CISA Adds Exploited Langflow and Trend Micro Apex One Vulnerabilities to KEV

    CISA added two actively exploited vulnerabilities to its KEV catalog: CVE-2025-34291 (CVSS 9.4), an origin validation error in Langflow, and CVE-2026-34926, a directory traversal zero-day in Trend Micro Apex One's on-premise version patched by TrendAI after confirmed in-the-wild exploitation. Organizations running either product should treat these as urgent patch priorities given confirmed active exploitation.

  8. Schneier on Security threat-intel
    CISA Security Leak

    A CISA contractor inadvertently exposed credentials to multiple highly privileged AWS GovCloud accounts and numerous internal CISA systems via a public GitHub repository, in what security experts are calling one of the most egregious government data leaks in recent history. The repository also contained detailed documentation on how CISA internally builds, tests, and deploys software. The repository was taken down as of last weekend, but the exposure window and full blast radius remain under investigation.

  9. CyberScoop general
    FBI warns about fast-growing phishing kit targeting Microsoft 365 users

    The FBI issued an advisory warning about Kali365, a Telegram-based phishing-as-a-service kit first observed in April 2026 that abuses legitimate Microsoft OAuth device authorization flows to capture persistent tokens granting access to Microsoft 365 environments. The service enables cybercriminals without technical expertise to bypass MFA by hijacking OAuth sessions rather than stealing passwords directly. M365 administrators should review conditional access policies and monitor for suspicious device authorization requests.

  10. Dark Reading general
    China's Webworm Uses Discord, Microsoft Graphs to Hack EU Govts.

    China's Webworm APT group has been targeting European government entities by abusing Discord and Microsoft Graph APIs for command-and-control, combined with SOCKS proxy tools including SoftEther VPN to obscure attacker infrastructure. The use of trusted cloud platforms for C2 makes detection via traditional network monitoring significantly harder. EU government security teams should monitor for anomalous Graph API and Discord traffic originating from internal hosts.