Stay ahead of emerging threats with expert analysis from 137 published security articles, vulnerability reports, and cybersecurity insights — updated daily with the latest CVEs, threat actor campaigns, and security advisories. As of Tuesday, June 9, 2026, the most urgent items for production stacks: the "Miasma" worm has detonated across 73 Microsoft-owned GitHub repositories in an npm supply-chain cascade — a software supply-chain attack means malicious code is planted in a trusted package your developers already install, so it spreads automatically into everything that depends on it — making any team that pulls JavaScript packages from npm a potential downstream victim; audit your dependencies and pin trusted versions now. The Cisco Catalyst SD-WAN Manager zero-day CVE-2026-20245 remains under active exploitation with no patch available yet — restrict management-interface access and watch Cisco's advisory for the fix. Cisco Unified Communications Manager flaw CVE-2026-20230 hands attackers root through a server-side request forgery (SSRF) bug — a server tricked into making attacker-controlled requests — and a working proof-of-concept exploit is already public, so patch now. The Mirasvit Cache Warmer bug CVE-2026-45247 is being used for active remote code execution (RCE — running attacker code on your server) against Magento e-commerce stores. Still carrying forward: the HTTP/2 "Bomb" CVE-2026-49975 lets a single home connection knock NGINX, Apache, IIS, and Cloudflare web servers offline; Palo Alto GlobalProtect authentication-bypass CVE-2026-0257 remains on the CISA Known Exploited Vulnerabilities (KEV) catalog under active exploitation; and the WP Maps Pro WordPress flaw CVE-2026-8732 is still spawning rogue administrator accounts across roughly 15,000 sites. If your business pulls npm packages, or runs Cisco SD-WAN or Unified CM, Magento, a public web server, Palo Alto GlobalProtect, or WordPress with WP Maps Pro, these advisories require action now — start with the article-level remediation steps below.
A logic flaw in the Linux kernel algif_aead module gives any unprivileged local user root access on every major distro released since 2017. CISA added CVE-2026-31431 to the KEV catalog with a mandatory federal patch deadline. If you run Linux servers, patch today or assume compromise.
CISA added the two-year-old ConnectWise ScreenConnect path traversal flaw CVE-2024-1708 to its Known Exploited Vulnerabilities catalog on April 28, 2026, after China-aligned Storm-1175 was caught chaining it with the SlashAndGrab auth bypass CVE-2024-1709 to deploy Medusa ransomware through compromised MSP infrastructure. Federal agencies have until May 12 to remediate.
Read moreMicrosoft has confirmed active exploitation of CVE-2026-32202, a Windows Shell spoofing flaw that turns out to be an incomplete patch for an APT28 zero-day from earlier this year. The Russian GRU-linked group is using crafted LNK files to silently steal NTLM credentials with zero clicks, and the original April 14 advisory dramatically understated the severity until Microsoft corrected it on April 27.
Read moreA poisoned build of @bitwarden/cli version 2026.4.0 lived on the npm registry for roughly ninety minutes on April 22, 2026, infecting around 334 developer machines with the third generation of the Shai-Hulud worm. The attack chained off the prior compromise of the checkmarx/ast-github-action GitHub Action, harvested cloud credentials, GitHub and npm tokens, and AI coding tool configs, then self-propagated by injecting malicious workflows into accessible repositories.
Read moreA server-side request forgery flaw in the LMDeploy vision-language pipeline was under active exploitation twelve hours and thirty-one minutes after public disclosure, and no upstream patch has shipped yet. Attackers are already probing exposed instances for AWS metadata credentials, Redis on localhost, and loopback services.
Read moreApple shipped iOS 26.4.2, iPadOS 26.4.2, iOS 18.7.8, and iPadOS 18.7.8 to fix CVE-2026-28950, a data retention flaw in the Notification Services framework that kept the text of deleted notifications in an internal database. The FBI used the bug to recover Signal message content from a seized iPhone after the Signal app had been deleted. Patch every managed iPhone today and enforce preview redaction on sensitive messaging apps.
Read moreThree zero-day vulnerabilities in Microsoft Defender, nicknamed BlueHammer, RedSun, and UnDefend, are under active exploitation after researcher Chaotic Eclipse dumped working proof-of-concept code. Only BlueHammer (CVE-2026-33825, CVSS 7.8) has been patched. RedSun escalates local users to SYSTEM on fully patched systems while UnDefend silently disables Defender definition updates, making the chained attack especially dangerous until the May 13 Patch Tuesday.
Read moreScattered Spider, the group behind the MGM and Caesars attacks, has hit Marks & Spencer, Co-op, and Harrods in a coordinated campaign deploying DragonForce ransomware. The attacks relied on social engineering help desk staff rather than technical exploits.
Read moreCitizen Lab revealed that law enforcement agencies worldwide are using Webloc, a tool built by Israeli intelligence company Cobwebs Technologies, to track 500 million mobile devices through advertising data without warrants. Clients include ICE, US military, and police departments across America.
Read moreThe official CPUID website was compromised for 19 hours, redirecting users to malicious downloads of CPU-Z and HWMonitor that delivered STX RAT. Over 150 victims identified across retail, manufacturing, telecom, and individual users in Brazil, Russia, and China.
Read moreFortinet has disclosed that threat actors are using a symlink-based technique to maintain read-only access to FortiGate devices even after security patches are applied. The method exploits the SSL-VPN language files directory to create persistent filesystem access.
Read moreSecurity researchers discovered 36 malicious npm packages impersonating Strapi CMS plugins. The packages exploit Redis and PostgreSQL databases, deploy reverse shells, harvest credentials, and target cryptocurrency platforms with hard-coded database credentials.
Read moreGoogle patched CVE-2026-5281, a high-severity use-after-free vulnerability in Chrome's Dawn WebGPU implementation that is being actively exploited in the wild. This marks the fourth Chrome zero-day of 2026, and CISA has already added it to the Known Exploited Vulnerabilities catalog.
Read moreCensys discovered CTRL, a Russian RAT using named pipes and RDP tunneling to evade network monitoring. Built to stay hidden while maintaining full network access.
Read moreOver 340 organizations across five countries compromised in aggressive device code phishing campaign exploiting OAuth device authorization flow. Attackers harvest tokens that survive password resets using PhaaS platform EvilTokens.
Read moreU.S. authorities dismantled four IoT botnets (AISURU, Kimwolf, JackSkid, Mossad) responsible for the largest DDoS attacks ever recorded. Over 3 million enslaved devices generated attacks exceeding 31 Tbps.
Read moreOver 2,000 Kubernetes clusters compromised through RBAC misconfigurations. Attackers deploy cryptominers via default service accounts. Check your clusters now.
Read moreGoogle patched CVE-2026-3909 (Skia OOB write) and CVE-2026-3910 (V8 sandbox escape), both CVSS 8.8 and actively exploited. CISA added to KEV with March 27 deadline. Update to Chrome 146.0.7680.75/76.
Read moreTwo Chrome Featured extensions, QuickLens and ShotBird, turned malicious after ownership transfer. Attackers stripped security headers, injected C2 payloads via 1x1 pixel images, and deployed ClickFix-style attacks for full endpoint compromise. Extension supply chain attacks are accelerating.
Read moreAkamai confirmed Russia's APT28 was exploiting CVE-2026-21513 in Windows MSHTML before Microsoft released the February patch. The attack chains crafted LNK files to bypass Mark-of-the-Web and IE Enhanced Security, delivering payloads without user interaction.
Read moreOur CyberOne MobileAssess platform performs deep static analysis, source code decompilation, and runtime security testing for iOS and Android apps. From one-time assessments to year-long continuous testing, we find what surface-level scanners miss.
Subscribe to our newsletter and get the latest security insights delivered to your inbox.
