Technology companies face threats across their entire attack surface, from source code repositories and CI/CD pipelines to cloud infrastructure and customer-facing platforms. Supply chain attacks, zero-days in developer tools, and cloud misconfigurations are persistent concerns. defend.network monitors threats specifically relevant to technology organizations, development environments, and cloud infrastructure.
North Korean-linked BlueNoroff compromised 140+ npm packages via Mastra AI. Gravity SMTP WordPress plugin (100k sites) actively exploited for API key theft. AutoJack attack chain targets Windows AI browsing agents.
Apple A12/A13 SecureROM exploited with unpatchable code execution; Gentlemen RaaS expands EDR-evasion toolkit targeting 400 processes; Fortinet FortiBleed now hits 86,644 devices. Klue OAuth breach spreads Salesforce credential theft to cybersecurity vendors.
F5 patched critical NGINX RCE (CVE-2026-42530). Microsoft disclosed active Windows clipboard-stealing malware spreading via USB worms since Feb 2026. INC ransomware claims 830+ victims; Salesforce data stolen through Klue OAuth breach by Icarus group.
Microsoft Defender privilege-escalation zero-day CVE-2026-50656 (patch pending). FortiBleed leaks credentials for 73,932 Fortinet devices; attackers actively harvesting access across 200 countries. GitHub supply-chain worm exploiting dismissed design flaws compromises hundreds of packages.
Fortinet FortiSandbox faces active in-the-wild exploitation of three CVEs. Android banking trojan Rokarolla targets 217 financial apps with 137 remote commands. Google Vertex AI SDK bucket-squatting flaw enables unauthorized model hijacking.
China-linked UNC6508 maintained undetected access to North American medical, military, and academic research networks for over a year via compromised REDCap servers. Microsoft issued record 200 patches with evidence of active exploitation. Cisco SD-WAN vManage CVE-2026-20262 exploited in the wild.
FBI dismantles Outsider Enterprise phishing network; Arch Linux AUR compromised with 400+ malicious packages deploying credential stealer and rootkit; Splunk Enterprise CVSS-9.8 RCE patched.
Splunk Enterprise CVE-2026-20253 (CVSS 9.8) enables unauthenticated RCE; 400+ Arch Linux AUR packages hijacked with infostealer/rootkit; China-linked Velvet Ant maintained decade-long PAM/OpenSSH backdoor.
Over 400 Arch Linux AUR packages compromised with credential stealer and eBPF rootkit; China-linked Velvet Ant backdoored Linux authentication for a decade; Google sues Chinese phishing-as-a-service using Gemini AI.
Oracle PeopleSoft CVE-2026-35273 actively exploited by ShinyHunters targeting universities; Windows BitLocker bypassed via XML files; The Gentlemen ransomware claims 478 victims with worm-like spreading capability.
CVE-2026-5027 in Langflow actively exploited for unauthenticated RCE; JDY botnet expands to 1,500 devices targeting U.S. military networks. CISA mandates 3-day patching for critical flaws.
Microsoft released record 200 Patch Tuesday fixes including critical flaws; Veeam Backup & Replication RCE (CVE-2026-44963, CVSS 9.4) requires immediate patching; 73 GitHub repos remain compromised as Miasma supply-chain attack investigation continues.
Check Point VPN zero-day (CVSS 9.3) actively exploited since early May; Linux kernel use-after-free now has public exploit; NSO Group continues WhatsApp phishing despite federal court injunction.
Miasma worm compromises 73 Microsoft GitHub repositories; SolarWinds Serv-U DoS flaw confirmed actively exploited; WordPress Everest Forms Pro critical RCE under active attack; Meta AI bot abused to reset Instagram accounts.
Microsoft GitHub hit by Miasma self-replicating worm across 73 repositories; SolarWinds Serv-U actively exploited for DoS; Chrome 149 patches record 429 vulnerabilities.
IronWorm and Miasma worms actively distributed via 50+ poisoned npm packages; WordPress Everest Forms Pro (CVE-2026-3300) exploited for RCE on 4,000 sites; SolarWinds Serv-U flaw weaponized for DoS; 900+ US fuel tank gauges exposed and under attack.
Cisco patches critical Unified CM RCE with public PoC; Claude Code GitHub Action flaw enables repository hijack via GitHub issues; AI agents exploited in defense networks; Hola Browser compromised with cryptominer.
Google Gemini voice assistant hijackable via poisoned notifications; Microsoft 365 Android apps leak tokens; Redis RCE (CVE-2026-23479) patched; critical fuel tank systems under active attack.
Google Android zero-day (CVE-2025-48595) actively exploited; Gamaredon APT weaponizing WinRAR; WordPress Kirki plugin hijacking admin accounts. CISA adds Oracle WebLogic to KEV catalog.
Red Hat npm packages compromised with Miasma credential-stealing worm; WordPress RCE via CVE-2026-8732; Instagram accounts hijacked via Meta AI bot exploit. Patch WP Maps Pro immediately, rotate developer credentials, enable MFA.
Palo Alto PAN-OS GlobalProtect authentication bypass (CVE-2026-0257) actively exploited; Dutch authorities arrest two hosting operators supporting Russian cyberattacks; Linux kernel CIFSwitch flaw allows privilege escalation.
Palo Alto PAN-OS GlobalProtect flaw (CVE-2026-0257) under active exploitation; CISA contractor exposed AWS GovCloud keys on GitHub; Linux kernel CIFSwitch privilege escalation disclosed.
ChatGPT share links abused for malware delivery; Marimo CVE-2026-39987 exploited with LLM agents for post-compromise activity; Dutch authorities seize 800 Russian-linked servers and arrest hosting executives.
FortiClient EMS actively exploited to deploy credential stealer; CISA contractor leaked AWS GovCloud keys on GitHub; BTMOB Android RAT spreading via phishing with builder interface.
FortiClient EMS and Gogs RCE vulnerabilities actively exploited in the wild. CISA contractor exposed AWS GovCloud credentials on GitHub. FIFA World Cup fraud campaigns register 4,300+ malicious domains.
Microsoft patched SharePoint RCE (CVE-2026-45659); CISA contractor exposed AWS GovCloud keys on GitHub; MuddyWater targeted nine organizations across four continents using DLL side-loading.
Ghost CMS SQL injection actively exploited across 700+ sites; Microsoft 365 phishing service Kali365 bypasses MFA; multi-ecosystem supply-chain attacks deliver credential stealers.
Supply-chain attacks hit npm and Composer ecosystems; LiteSpeed cPanel CVE-2026-48172 actively exploited; CISA contractor exposed AWS GovCloud credentials on GitHub.
Multiple supply-chain attacks targeting Laravel-Lang and Packagist packages, active exploitation of Drupal CVE-2026-9082, and critical CISA AWS credential leak on GitHub.
GitHub campaign injects malware into 5,561 repos; Drupal SQL injection actively exploited; CISA contractor exposes AWS GovCloud credentials.
GitHub suffered breach of 3,800+ internal repos via TeamPCP. Microsoft disrupted malware-signing operation. SonicWall VPN and Drupal require urgent patching.
Microsoft disrupted Fox Tempest malware-signing service; Drupal critical patches May 20; OAuth phishing bypasses MFA on 340+ Microsoft 365 organizations. CVE-2026-31635 Linux PoC public.
Microsoft Exchange zero-day under active exploitation with no patch available. Shai-Hulud worm source code leaked, spawning clones targeting npm developers. INTERPOL Operation Ramz arrested 201 cybercriminals across MENA region.
Critical zero-days in NGINX, Microsoft Exchange, and Cisco SD-WAN actively exploited in the wild. TanStack supply chain attack compromises OpenAI and AI companies. Immediate patching required.
Critical vulnerabilities in Cisco SD-WAN (CVSS 10.0), Microsoft Exchange, and Funnel Builder WordPress plugin under active exploitation. Supply chain attacks compromise npm packages. Immediate patching required.
Critical Microsoft Exchange zero-day exploited in wild; npm supply chain attacks compromise OpenAI; Turla APT evolves Kazuar into P2P botnet; WordPress plugins actively harvesting payment cards.
Critical Cisco SD-WAN zero-day exploited in the wild; supply chain attacks compromise TanStack and node-ipc; state APTs target government; education platform disrupted by extortion.
Critical BitLocker zero-days with public PoCs, Microsoft Exchange APT exploitation, Canvas ransomware attack on education sector, and Foxconn manufacturing compromise create immediate operational risks across multiple industries.
Critical supply-chain attacks via compromised npm/PyPI packages, Canvas ransomware disrupting education nationwide, and massive vulnerability patches (Microsoft 137, Adobe 52, Exim critical) require immediate response.
Critical supply chain compromise of Checkmarx Jenkins plugin, first AI-generated zero-day 2FA bypass exploit, and active Canvas education platform extortion campaign require immediate response.
Canvas ransomware disrupts universities nationwide; Ollama zero-day affects 300k+ servers; TCLBANKER targets financial platforms; critical infrastructure breached; supply-chain compromises detected.
Critical vulnerabilities in Palo Alto Networks and Ivanti EPMM under active exploitation. PCPJack credential stealer worm targeting cloud infrastructure. Russian state actors harvesting Office tokens via router compromise.
Critical vulnerabilities in vm2, Palo Alto firewalls, and DAEMON Tools combined with Russian military intelligence token harvesting and Iranian APT false-flag campaigns demand immediate patching and investigation.
Critical vulnerabilities in Apache HTTP/2 and MetInfo CMS, supply-chain compromise of DAEMON Tools, and persistent OAuth backdoors require immediate response.
Critical vulnerabilities in cPanel and MOVEit, widespread RMM-based phishing compromising 80+ organizations, and supply-chain malware in PyTorch Lightning demand immediate patching and credential rotation.
Critical Linux root access vulnerability added to CISA KEV with active exploitation confirmed. Multiple critical threats including cPanel mass-exploitation, source code breaches, and state-sponsored APT campaigns.
Critical cPanel RCE exploited for ransomware; Russian military harvesting Office tokens; 30K Facebook accounts compromised; Trellix source code breached; automated Azure OAuth attacks.
Critical vulnerabilities, state-sponsored token harvesting, large-scale phishing operations, and coordinated SaaS extortion attacks demand immediate defensive action across government and technology sectors.
Critical supply chain attacks compromise PyTorch Lightning and SAP packages; Russian state-sponsored actors steal Office tokens; AI-accelerated exploitation shrinks time-to-compromise to 24 hours.
Critical supply-chain attacks on SAP npm packages and North Korean AI-assisted malware, combined with cPanel authentication bypass and state-sponsored credential harvesting, create immediate existential threats to enterprise infrastructure and critical systems.
Critical RCE vulnerabilities in GitHub and Hugging Face, destructive VECT 2.0 ransomware, Russian token harvesting, and BlueNoroff deepfake attacks demand immediate defensive action.
Critical supply chain attacks on developer platforms, Russian state-sponsored token theft via router exploits, and unpatched Windows RPC privilege escalation demand immediate defensive action.
Critical supply-chain compromises affecting Bitwarden CLI and Checkmarx tools; Russian state actors harvesting Office 365 tokens; AI-powered attacks outpacing human response capabilities.
Critical supply chain attacks via malicious Docker images and npm worms, state-sponsored credential theft campaigns targeting Microsoft Office, and destructive Lotus Wiper malware deployed against Venezuelan energy infrastructure require immediate response across all organizations.
Russian state-backed APT harvesting Microsoft tokens, 1,570+ Gentlemen ransomware victims, critical SD-WAN and RMM exploits, Windows Defender flaws; urgent patching required across infrastructure.
Critical RCE vulnerabilities in AI infrastructure (SGLang, Anthropic MCP) combined with state-sponsored APT campaigns targeting authentication systems and OT/healthcare infrastructure demand immediate patching and access controls.
Critical Microsoft Defender zero-days actively exploited, 68% of cloud breaches from unmanaged service accounts, Russian state actors harvesting Office tokens, protobuf.js RCE with public exploit, APT28 targeting Ukrainian government.
Critical Microsoft Defender zero-days under active exploitation, 68% of cloud breaches from unmanaged service accounts, and Russian state-sponsored token harvesting campaigns demand immediate action.
Critical zero-day exploits in Microsoft Defender and Apache ActiveMQ, Russian state-sponsored token harvesting, and sophisticated ransomware evasion techniques pose immediate threats requiring emergency patching and threat hunting.
Apache ActiveMQ actively exploited; Microsoft Defender zero-day disclosed; Russian state actors harvesting Office 365 tokens; ZionSiphon targets water infrastructure.
Critical nginx-ui authentication bypass actively exploited; Microsoft releases 169 patches including SharePoint zero-day; n8n webhooks weaponized for phishing; WordPress plugins and signed software compromised.
Critical Microsoft zero-days under exploitation, Russian state hackers harvesting Office tokens via routers, and 220K users compromised by Mirax RAT. Supply-chain risks escalating across PHP and development ecosystems.
Critical Adobe zero-day under active exploitation, Russian state-sponsored token harvesting, and APT37 social engineering campaigns compound with AI-powered vulnerability discovery threats.
Critical Adobe Reader zero-day, CPUID supply-chain compromise distributing STX RAT, Russian APT harvesting Office tokens via router exploits, and Iranian actors targeting 4,000+ U.S. industrial control systems.
Critical exploitation of Marimo RCE, Iranian targeting of 4,000 US PLCs, and Russian token harvesting via routers demand immediate patching and access controls.
Critical zero-day in Adobe Reader, state-sponsored credential theft via routers, and major supply-chain compromises demand immediate action across all organizations.
State-sponsored APT campaigns targeting Microsoft 365 and supply chains escalate with GitHub C2 usage and zero-day exploits deployed within 24 hours of breach.
State-sponsored DPRK and China-linked APT campaigns, critical FortiClient RCE exploit, and cascading supply chain attacks affecting European institutions and npm ecosystem.
Critical zero-day in TrueConf, resurgent Chinese APT targeting European governments, North Korean npm supply chain compromise, and third-party vendor breaches require immediate response.
Critical vulnerabilities in Next.js, Cisco IMC, and Progress ShareFile actively exploited; $280M cryptocurrency theft attributed to North Korea; credential harvesting impacts 766 hosts.
Critical zero-day vulnerabilities in Chrome and TrueConf under active exploitation, combined with widespread malware campaigns targeting mobile and enterprise infrastructure.
Critical zero-day exploits in TrueConf and North Korean Axios compromise, plus wiper attacks and AI platform over-privilege vulnerabilities demand immediate response across cloud, government, and healthcare sectors.
Critical supply-chain compromise of Telnyx PyPI package, active iOS exploitation, state-sponsored wiper attacks on medical device firm, and advanced APT malware targeting telecom infrastructure demand immediate response.
Critical supply chain attacks on LiteLLM and development tools, wiper attacks on medical device manufacturer, and RCE vulnerabilities in manufacturing systems demand immediate response.
Critical supply chain attacks on Trivy scanner and VS Code, destructive Iran-linked wipers targeting Kubernetes, and phishing-as-a-service platforms resurging with 29K IRS victims. Initial access now occurs in 22 seconds.
Critical Oracle RCE, Russian state-sponsored phishing, Trivy supply-chain worm, and Iran-backed healthcare wiper attacks demand immediate emergency response and patching across enterprise infrastructure.
Critical vulnerabilities in Oracle Identity Manager and Langflow actively exploited; Trivy supply chain attack escalates with CanisterWorm across 47 npm packages; Russian intelligence phishing campaigns compromise thousands.
This week's verified vulnerability coverage is limited to one actively exploited CVE: CVE-2026-20253 affecting Splunk Enterprise, which CISA has added to its Known Exploited Vulnerabilities catalog wi
Organizations should prioritize patching these vulnerabilities immediately — several are actively exploited in the wild and confirmed in CISA's KEV catalog, most urgently Oracle PeopleSoft (CVE-2026-3
Three verified CVEs dominated this week's reporting: one actively exploited Linux kernel vulnerability (CVE-2022-0492) now in CISA's Known Exploited Vulnerabilities catalog, one proof-of-concept relea
This week's verified threat landscape is dominated by three actively exploited vulnerabilities affecting web platforms and infrastructure. CVE-2026-48172 in LiteSpeed cPanel Plugin poses immediate ris
This week presents an exceptionally high-risk threat landscape with multiple critical vulnerabilities under active exploitation across infrastructure, enterprise, and open-source ecosystems. Immediate
This week marks a significant surge in actively exploited vulnerabilities, with three critical flaws requiring immediate patching across IT infrastructure and OT systems. The Ollama out-of-bounds read
This week presents an exceptionally high-risk threat landscape dominated by active exploitation campaigns and critical infrastructure vulnerabilities. Federal agencies face an immediate Sunday deadlin
This week presents elevated risk from actively exploited vulnerabilities across network infrastructure, IoT devices, and enterprise software. Immediate patching is required for Cisco Firepower/ASA dev
This week presents elevated risk across OT/ICS sectors with multiple critical RCE vulnerabilities in industrial control systems and emerging threats to cloud infrastructure. Active exploitation of Mic
This week presents an elevated threat landscape dominated by actively exploited critical vulnerabilities in both IT and OT environments. Iranian-affiliated threat actors are actively targeting US crit
This week presents elevated risk with five critical vulnerabilities actively exploited in the wild, including FortiClient EMS and video conferencing systems requiring immediate patching. Organizations
This week reflects sustained critical threats across OT/ICS and enterprise systems with multiple actively exploited vulnerabilities. F5 BIG-IP APM (CVE-2025-53521) and Citrix NetScaler (CVE-2026-3055)
This week demands immediate attention. Two actively exploited vulnerabilities (VMware ESXi and FortiOS) require emergency patching. Organizations using Windows Server should prioritize the kernel priv