# Archive

Browse past daily curated stories


Thursday, May 28, 2026

  1. BleepingComputer general
    Glassworm botnet disrupted after resilient C2 infrastructure takedown

    The Glassworm botnet, active since early 2025, targeted software developers through malicious packages and extensions in supply chain attacks. CrowdStrike, Google, and Shadowserver simultaneously took down all four C2 servers, which used resilient infrastructure including Solana blockchain transactions and the BitTorrent DHT network to evade takedowns. This disruption is significant for security teams protecting software development pipelines and open-source ecosystems.

  2. BleepingComputer general
    CISA gives feds 4 days to patch actively exploited cPanel plugin flaw

    CISA issued an emergency directive giving federal agencies just four days to patch a critical zero-day vulnerability in the LiteSpeed cPanel user-end plugin, which is actively being exploited to execute scripts with root privileges. The flaw was resolved the prior week but had already seen in-the-wild exploitation before a patch was available. Web hosting administrators running cPanel-based deployments should prioritize this patch immediately.

  3. The Record threat-intel
    Iranian intelligence service behind hack of LA transit system, researchers say

    Researchers at Gambit Security have attributed the cyberattack on the Los Angeles Metro transit system to a group with direct ties to Iran's Ministry of Intelligence (MOIS), despite the attackers claiming to be an independent hacktivist collective. The findings reveal a pattern of Iranian state actors using hacktivist fronts to conduct infrastructure attacks with plausible deniability. This attribution is critical for threat intelligence teams tracking MOIS-linked operations against Western transportation infrastructure.

  4. SecurityWeek general
    FBI: Hackers Sending Operatives in Person to Insert USB Drives and Steal Data

    The FBI issued an alert warning that Silent Ransom Group (SRG) is conducting physical intrusion attacks against U.S. law firms, sending operatives in person to insert USB drives and exfiltrate data after gaining initial access via social engineering. This hybrid attack model — combining remote social engineering with physical presence at victim workstations — represents an escalation in the group's tactics specifically targeting the legal sector. Security teams at law firms should review both physical access controls and remote access policies.

  5. The Hacker News general
    Gitea Vulnerability Exposes Private Container Images without Authentication

    A vulnerability tracked as CVE-2026-27771 in Gitea, affecting all versions prior to 1.26.2, allows unauthenticated remote attackers to pull private container images from self-hosted Gitea deployments without any credentials. Given Gitea's widespread use as a self-hosted GitHub alternative in enterprise and developer environments, unpatched instances may expose sensitive proprietary code or internal infrastructure details. Administrators should upgrade to Gitea 1.26.2 immediately.

  6. SecurityWeek general
    Lithuania Suspects Foreign Involvement in Data Leak of Over 600,000 National Register Entries

    Lithuanian authorities are investigating the theft of over 600,000 records from the national Centre of Registers — the state agency managing property and legal entity data — with suspected foreign state involvement. The breach was reported by the Lithuanian Prosecutor General's Office, and investigators are treating it as a potential state-sponsored espionage operation. This follows a broader trend of nation-state actors targeting Eastern European government data repositories.

  7. SecurityWeek general
    Hackers Exploited KnowledgeDeliver Zero-Day for Web Shell Deployment

    Attackers exploited a zero-day vulnerability in the KnowledgeDeliver learning management system by leveraging hardcoded machineKey values in a configuration file to perform ViewState deserialization attacks, ultimately achieving remote code execution and deploying the Godzilla web shell. The use of hardcoded cryptographic keys as an attack vector underscores ongoing risks in .NET-based web applications. Incident responders should check for Godzilla web shell indicators on any KnowledgeDeliver deployments.

  8. SecurityWeek general
    Admins of Bulletproof Hosting Service Used by Russian Hackers Arrested in Netherlands

    Dutch authorities arrested two individuals who operated Dutch-registered companies providing bulletproof hosting services used by Russia-aligned threat actors for cyberattacks. The operation highlights continued law enforcement action against the bulletproof hosting ecosystem that enables ransomware, fraud, and espionage infrastructure. Threat intelligence teams should monitor for infrastructure migration as operators attempt to reconstitute services.

  9. The Hacker News general
    CERT-In Mandates 12-Hour Patching for Internet-Facing Flaws Amid AI-Assisted Attacks

    India's CERT-In has issued new guidelines mandating that organizations patch critical vulnerabilities in internet-facing systems within 12 hours where feasible, citing the accelerating threat from AI and LLM-assisted attack automation. The directive represents one of the most aggressive patching timelines issued by any national cybersecurity authority and signals a global regulatory shift toward near-real-time vulnerability remediation. Security operations teams in India-regulated industries will need to substantially accelerate their patch management workflows.

  10. SecurityWeek general
    185,000 Likely Impacted by 7-Eleven Data Breach

    ShinyHunters has leaked data allegedly stolen from 7-Eleven, with approximately 185,000 individuals likely impacted; the exposed records include email addresses, names, physical addresses, and dates of birth. This breach adds to ShinyHunters' extensive track record of high-profile retail and consumer brand attacks. Affected customers are at elevated risk of targeted phishing and identity theft operations using the combined PII dataset.