Attackers behind this campaign are using an unexpected method to communicate with infected sites, hiding command instructions inside Steam Community profile comments and turning a popular gaming platform into a covert control channel.

The malware works in two stages. First, it injects malicious JavaScript into the front end of a compromised WordPress website, serving harmful content to every visitor who lands on the page.

Second, it plants a server-side backdoor that gives attackers persistent remote access, allowing them to modify WordPress plugin and theme files without any visible trace of the intrusion.

GoDaddy security researchers identified this campaign, noting it was first detected in July 2024 and has since been found across approximately 1,900 WordPress sites. 

GoDaddy said in a report shared with Cyber Security News (CSN) that threat actors are deliberately disguising their infrastructure behind Valve’s trusted gaming platform rather than maintaining obviously malicious servers that could be flagged and taken down quickly.

What makes this campaign particularly difficult to detect is how the malware conceals its payloads. It uses invisible Unicode characters, a technique known as steganography, to encode malicious data within Steam profile comment text.

Since those hidden characters look like completely normal text on the surface, traditional text-based scanning tools are far less likely to catch them during routine checks.

The reach of this campaign is significant. Compromised websites unknowingly serve injected scripts to every visitor, exposing real users to potential harm. For site owners, the damage runs deeper, as the backdoor gives attackers the ability to rewrite site code even after partial cleanup attempts.

WordPress Malware Abuses Steam Community Profiles

The core of this attack relies on a PHP function embedded within the compromised WordPress installation.

When any page on the infected site loads, the malware sends an HTTP request to a Steam Community profile page using cURL, scrapes comment text from that profile, and decodes hidden payloads embedded inside it.

The malware has been observed fetching profiles such as steamcommunity.com/profiles/76561199096946028 and caches extracted content using WordPress transients with a five-minute expiration window.

The decoded data becomes a JavaScript URL injected into every front-end page via the wp_enqueue_script hook, under the deceptive handle name “asahi-jquery-min-bundle” designed to mimic a legitimate library.

The decoded external URL observed during analysis pointed to hello-myworld[.]info, which serves the final malicious JavaScript payload to site visitors.

Stealthy Backdoor Enables Remote Code Execution

The server-side component is just as dangerous as the front-end injection. A backdoor function registered through WordPress’s template_redirect hook listens for POST requests containing specific authentication cookies.

When those cookies are present, the backdoor either confirms it is active by returning a version string, or accepts base64-encoded PHP code and rewrites plugin and theme files across the entire WordPress installation.

This remote code execution capability means that even if a site owner removes part of the infection, attackers can reinstall deleted code through the still-active backdoor.

The malware protects this channel using AES-256-CTR encryption with PBKDF2 key derivation based on SHA-512 and 10,000 iterations, along with HMAC-SHA256 authentication to verify each incoming payload.

To evade detection, the malware layers multiple obfuscation techniques. All string constants are encoded using octal or hexadecimal escape sequences, function and variable names follow a randomized mixed-case hexadecimal style, and a disabled logging function is scattered through the code to mimic legitimate debugging infrastructure without ever executing.

Site administrators who suspect an infection should enable maintenance mode right away and back up the compromised installation before making any changes.

All WordPress credentials including admin passwords, database access, FTP credentials, and SSH keys must be rotated. Cleanup must cover every plugin and theme file, since partial removal is not enough given the backdoor’s ability to remotely restore deleted code.

Suspicious transient cache entries with the prefix transient_caption and enqueued external scripts pointing to unknown domains should be removed.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post WordPress Malware Abuses Steam Community Profiles for C2 Operations appeared first on Cyber Security News.

What looks like an American patriot channel is actually a financially motivated fraud scheme run by a solo Russian-speaking operator. The goal was always money, and AI made scaling that goal nearly effortless.

The campaign, tracked under the handle “bandcampro,” began on February 6, 2021, one month after the Capitol riot, when QAnon and MAGA communities were being deplatformed and migrating to Telegram.

By positioning the fake channel, @americanpatriotus, as an authentic American conservative voice, the actor tapped into a ready-made audience already hungry for alternative platforms. The timing was clearly opportunistic.

Analysts at Trend Micro said in a report shared with Cyber Security News (CSN) that in May 2026, their TrendAI Research team discovered the threat actor’s operational environment had been inadvertently exposed, revealing the full scope of a five-year influence and fraud campaign.

The actor used AI-assisted techniques to run the Telegram channel, targeting politically engaged American audiences for cryptocurrency fraud alongside AI-assisted credential theft.

Starting in September 2025, the actor pivoted to fully AI-generated content, using a jailbroken version of Google Gemini as an operational co-worker.

He named his content pipeline “Quantum Patriot,” a set of Python scripts that called Gemini to roleplay as an American veteran patriot.

The AI generated Q-style posts, deployed servers, rotated stolen API keys, and managed Cloudflare tunnels, all from natural-language commands typed in Russian.

What made the operation alarming was its near-zero cost. The actor used 73 likely stolen Gemini API keys on a round-robin rotation, meaning he paid almost nothing for industrial-scale content generation.

With 29 WordPress accounts cracked, one company infiltrated, and one victim’s cryptocurrency wallet fully drained, the operation showed that AI can scale a one-person fraud scheme to team-level output.

Threat Actor Uses Stolen Gemini API Keys

The actor’s use of stolen Gemini API keys was central to keeping the operation cost-free. During one documented 16-hour session, Gemini validated 40 likely stolen API keys and wrote a round-robin rotator that cycled through them automatically.

That rotator was later published to GitHub as a clean, open-source project, disguising its criminal purpose entirely.

To bypass Gemini’s safety guardrails, the actor established himself to the AI as an “authorized pentester,” which Gemini accepted and saved into a persistent memory file called GEMINI.md.

Over subsequent sessions, he escalated by getting the AI to memorize it should execute requests without ethical refusals or warnings. Since Gemini CLI reloads this memory file at every session start, each new conversation automatically inherited those jailbreak instructions.

AI-Assisted Credential Theft and Fraud

Beyond running the channel, the actor used Gemini to assist with credential theft and a gamified chatbot designed to steal cryptocurrency.

On September 9, 2025, he posted an executable called StellarMonSetup.exe, framed as a self-custody wallet with a welcome bonus of up to 1,000 XLM.

The file was actually GoToResolve, a remote-administration tool that gave the actor persistent remote desktop access, command execution, and clipboard capture on victim machines.

The actor also deployed an AI-powered brute-forcing tool targeting WordPress sites. Using Gemini 2.5 Flash as a password-mutation oracle, the script generated 20 plausible password variants per target by modeling patterns such as swapping cases, appending years, and substituting symbols.

Collected data confirmed that 29 WordPress administrator accounts were cracked across weapons retailers, legal offices, medical practices, and small commercial sites.

Defenders should never install software or enter a seed phrase based on instructions from a social media channel, as legitimate platforms will never make such requests.

Enterprises should monitor for stolen API key reuse, anomalous CLI-driven infrastructure changes, and credential-stuffing patterns consistent with LLM-assisted password mutation.

AI vendors should treat cross-language guardrail parity and jailbreak-resistant memory as urgent priorities, since this campaign proves those gaps are already being actively exploited.

Indicators of Compromise (IoCs):-

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Threat Actor Uses Stolen Gemini API Keys to Automate Telegram Influence Campaign appeared first on Cyber Security News.

A recent threat intelligence investigation using ANY.RUN’s Threat Intelligence (TI) Lookup reveals just how deeply this abuse has become embedded in modern attack chains.

The investigation by Threat Researcher Clandestine, spanning five targeted OSINT queries across ANY.RUN’s dynamic threat intelligence database, which indexes over 50 million IOCs, IOBs, and IOAs derived from real-time sandbox analyses conducted by over 500,000 analysts globally, exposes a recurring pattern: legitimate services are being turned into shields for adversarial activity.

Accelerate security workflows for faster triage & response. Integrate Threat Intelligence in your SOC or MSSP.

Cobalt Strike Hides Behind Trusted Cloud Providers

One of the most alarming findings emerged from a JA3S TLS fingerprint query targeting the hash 1af33e1657631357c73119488045302c, a signature commonly associated with Cobalt Strike beacons.

Analysts querying this hash in TI Lookup uncovered more than 1,000 system events, predominantly involving native Windows processes such as slui.exe, svchost.exe, and PowerShell classic Living-off-the-Land Binary (LOLBin) abuse. Nearly all communication was routed over port 443 (HTTPS), exploiting the protocol’s ubiquity to blend into normal enterprise traffic.

More critically, the C2 infrastructure tied to this JA3S fingerprint was found hosted across Microsoft, GitHub, Google, Amazon, and Cloudflare. This deliberate use of reputable platforms makes traditional reputation-based blocking ineffective.

JA3S fingerprinting provides a behavioral anchor that persists even as adversaries rotate domains and IP addresses, a powerful technique for tracking C2 infrastructure continuity.

Detection of this JA3S hash in network telemetry should be treated as a strong indicator of Cobalt Strike infection, immediately triggering endpoint correlation and incident response workflows.

The investigation also uncovered active phishing campaigns targeting Brazilian organizations, where attackers are leveraging subdomains of globally recognized services alongside malicious domains.

The use of globally hosted infrastructure serves a dual purpose: it lends the attacks a veneer of legitimacy and actively hinders domain takedowns. Security teams in Brazil and similar regions should be especially alert to emails containing links hosted on subdomains of popular cloud services.

Compound this with the discovery of Business Email Compromise (BEC) campaigns deploying fake invoice PDFs files named invoice.pdf and pagamento.pdf (Portuguese for “payment”) hosted on Amazon S3 buckets.

These files serve as infection vectors for financial fraud operations. The finding reinforces that legitimate cloud storage is now a preferred staging ground for initial payload delivery, with file hashes from these samples providing actionable IOCs for blocking and detection.

Trojan Traffic Tunneled Through HTTPS on Port 443

A behavior-based hunting query combining Russian IP geolocation, Suricata trojan classifications, and port 443 communication surfaced a diverse ecosystem of malicious traffic deliberately disguised as routine encrypted web activity.

This multi-layered attack strategy, employing multiple legitimate services across various ports for communication and fallback, demonstrates how attackers architect resilience directly into their infrastructure.

The .top TLD emerged as a particularly hostile domain space, with algorithm-generated Domain Generation Algorithm (DGA) domains classified as malicious at scale.

These domains routinely leverage WinRAR archives for payload delivery and use Cloudflare services to conceal true server locations. Given the extremely high volume of malicious activity tied to .top, many organizations are now blocking the entire TLD proactively at the perimeter.

Turn uncertain alerts into faster, defensible decisions. Gain clearer evidence for response and reporting.

For SOC teams and threat hunters, this research underscores several critical imperatives. Multi-parameter hunting queries combining JA3S fingerprints, destination geolocation, Suricata classifications, and file path patterns will outperform single-IOC lookups significantly.

Detection rules targeting the identified JA3S hash, HTTPS-based C2 behavior, and high-risk TLDs like .top, .shop, and .cc should be deployed immediately. Integration of ANY.RUN’s TI Feeds and Lookup results into SIEM/SOAR platforms can automate threat correlation and reduce analyst burden.

At an organizational level, the extensive abuse of trusted infrastructure from Microsoft, Google, and Amazon proves that brand reputation no longer guarantees network safety.

Adopting a Zero Trust posture, investing in advanced sandbox-based detection, and educating financial teams about BEC and phishing risks are no longer optional; they are baseline requirements for resilience in a threat landscape where the attacker’s most reliable weapon is the cloud platform your enterprise already trusts.

Close blind spots and reduce exposure to critical incidents with ANY.RUN’s Threat Intelligence.

The post Attackers Abuse AWS, Google Cloud, Cloudflare, and Microsoft Services to Hide Malicious Traffic appeared first on Cyber Security News.

A compromised GitHub account was used to inject malicious code into frontend libraries maintained within a Red Hat GitHub organization, raising significant concern across enterprise environments that depend on these packages during container image builds.

According to Red Hat’s security bulletin RHSB-2026-006, unauthorized commits were pushed to repositories within the RedHatInsights GitHub organization using a compromised developer account.

The affected packages are frontend libraries that get compiled and bundled into container images during the Red Hat product build process, making the attack vector particularly dangerous due to its deep integration into downstream build pipelines. Red Hat engineering acted swiftly by removing the compromised versions from npm following the initial disclosure.

Threat intelligence from OX Security reveals that the malware behind this supply chain compromise is the sophisticated Shai-Hulud infostealer, a campaign far more advanced than typical npm malware.

While conventional npm malware operates with one to three execution stages, Shai-Hulud deploys a six-stage payload delivery chain that loops back on itself in an endless execution cycle.

The attack begins with an obfuscated index.js payload that proceeds through decryption and decoding stages and ultimately drops 15 distinct payloads including memory dump tools, token monitors, Claude API hooks, and a GitHub-based payload dropper.

GitHub Used as an Adaptive C2 Server

One of the most alarming aspects of Shai-Hulud is its abuse of GitHub as a live Command-and-Control (C2) infrastructure. Rather than merely hosting exfiltrated data, the threat actor stores malicious code in GitHub repositories and uses commits tagged with the string “firedalazer” as a dynamic payload delivery mechanism.

This means that even after one account is blocked, another can seamlessly take over by pushing new commits, making the campaign highly resilient.

OX Security also identified two distinct variants of the malware identified by a subtle difference: the string “Miasma: The Spreading Blight” (no space after colon) in Stage 3, versus “Miasma : The Spreading Blight” (with space) in the Stage 6 alternate payload, a detail that can cause detection tools relying on exact string matching to miss infections.

Red Hat Product Security is actively conducting build system and dependency tracking analysis to confirm whether any product builds incorporated the compromised package versions.

Based on current findings, no customer action is required at this time, though the investigation remains ongoing. Organizations are advised to monitor for known Shai-Hulud IoCs, including the “firedalazer” commit string, Miasma-related strings, and the documented encryption keys and public key pairs published by OX Security.

Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP

The post Red Hat Confirms Supply Chain Compromise of @redhat-cloud-services npm Packages appeared first on Cyber Security News.

The agency stated that the campaign was orchestrated by unidentified foreign intelligence services and aimed at covert surveillance and data exfiltration.

According to the FSB, the operation involved the implantation and activation of malicious software capable of extracting sensitive data, intercepting communications, and conducting unauthorized audio and video recordings.

Spyware on Officials’ Phones

The spyware reportedly targeted smartphones and other mobile devices used by senior officials, indicating a highly selective, intelligence-driven attack.

The agency noted that the attackers leveraged technical infrastructures associated with major international IT and telecommunications providers to facilitate covert data collection.

While no specific vendors or countries were named, the claim suggests the use of sophisticated supply-chain or network-level access to enable surveillance capabilities without directly compromising the devices.

From a technical perspective, such spyware campaigns often rely on zero-click exploits, baseband vulnerabilities, or malicious configuration profiles to gain persistent access to mobile systems.

These techniques allow attackers to bypass user interaction and traditional security controls, making detection significantly more difficult.

Once deployed, the spyware can access encrypted messaging apps, capture keystrokes, activate microphones and cameras, and exfiltrate stored files.

Although the FSB did not disclose indicators of compromise (IOCs) or malware family names, the described capabilities align with previously observed nation-state-grade spyware such as Pegasus or Predator.

These tools are typically used in targeted surveillance operations and are known for their stealth and modular architecture.

According to a report by Democrata shared with Cybersecurity News, Russian authorities confirmed a criminal investigation has been launched and forensic analysis of affected devices is ongoing.

The agency also issued a warning, emphasizing the risks of discussing sensitive information near mobile devices and highlighting the potential for real-time interception even without visible signs of compromise.

The incident underscores the growing threat of mobile-targeted espionage, particularly against government and high-value individuals.

Mobile devices remain a critical attack surface due to their constant connectivity, access to sensitive communications, and integration with enterprise systems.

Security experts recommend several mitigation strategies, including regular device updates, the use of mobile threat defense (MTD) solutions, restricting app installations, and segmenting sensitive communications across secure channels.

In high-risk environments, hardened devices or air-gapped communication methods may also be considered. While independent verification of the FSB’s claims remains limited, the report reflects ongoing geopolitical tensions and the increasing use of cyber capabilities in intelligence operations.

The lack of attribution and technical disclosure leaves open questions. However, the scenario aligns with known tactics used in modern cyber-espionage campaigns targeting government entities

Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP

The post Russia Says Foreign Spyware Found on High-Ranking Officials’ Mobile Phones appeared first on Cyber Security News.

Attack Surface Management Platform Recognized for Exceptional Innovation and Successful Deployment Through The Channel

Halo Security today announced that its attack surface management solution has been named a 2026 MSP Today Product of the Year Award winner by TMC, a leading global media company recognized for building communities in technology and business through live events and digital marketing platforms. This marks the second consecutive year Halo Security has earned the award.

The MSP Today Product of the Year Award honors standout products and services that are reshaping the managed services landscape, delivered through the Channel and purpose-built to meet the evolving needs of end users. The Halo Security platform was selected for its innovation, performance, and its measurable impact on customers and partners alike.

The Halo Security Attack Surface Management Platform gives organizations and MSPs a complete view of their internet-facing assets and a clear path to fixing what matters most.

Automated discovery helps uncover every domain, hostname, and IP exposed to the internet, while continuous vulnerability scanning, dynamic application security testing, dark web monitoring, and manual penetration testing surface the risks behind them.

Behind the technology is a US-based team of security professionals who help customers and partners interpret findings, prioritize remediation, and act with confidence, so risk reduction happens faster and with less guesswork.

For MSPs, that combination scales across every client. Multi-tenant management, customizable dashboards with drag-and-drop widgets, configurable reports with saved views, and white-labeling let partners deliver branded, client-ready insights without the operational drag.

Direct integrations with Slack, ServiceNow, Jira, Linear, Vanta, and the major cloud providers keep findings flowing into the tools partners already use, while built-in PCI compliance reporting as a PCI DSS Approved Scanning Vendor and SOC 2 Type II compliance underscore the platform’s commitment to the standards partners and their clients depend on.

“As AI has reshaped almost every corner of cybersecurity, our partners keep telling us the same thing: the human element is what they value most,” said Lisa Dowling, CEO of Halo Security.

“Automation finds the issues, but it’s our team of security experts who help partners and their clients understand what matters, what to fix first, and how to communicate risk in a meaningful way. This award is a reflection of the trust our partners place in our people, not just our technology.”

“It gives me great pleasure to recognize Halo Security as a 2026 recipient of TMC’s MSP Today Product of the Year Award for their innovative attack surface management solution,” said Rich Tehrani, CEO of TMC.

“Our judges were thoroughly impressed not only by the strength and features of the product, but by Halo Security’s commitment to the Channel—empowering partners to deliver exceptional service and drive meaningful results for their clients.”

Winners of the 2026 MSP Today Product of the Year Award will be featured on MSP Today, the definitive resource for managed service providers, as well as across TMCnet’s media platforms.

About Halo Security

Halo Security is changing the way organizations manage their external attack surface.

The comprehensive EASM platform pairs unprecedented visibility into internet-facing assets with expert remediation guidance, combining automated asset discovery, continuous vulnerability scanning, and penetration testing insights in a single solution for fast, measurable, and affordable risk reduction. Readers can learn more at halosecurity.com.

About MSP Today

MSP Today is the premier online destination for MSPs (Managed Service Providers) and IT service providers worldwide. As the industry’s leading web portal, MSP Today delivers timely and relevant news, cutting-edge product information, and invaluable insights to empower MSPs and IT professionals to thrive in today’s rapidly evolving technology landscape.

Whether you’re seeking in-depth articles on emerging technologies, comprehensive product reviews, or actionable tips to optimize your IT services, MSP Today is the go-to resource for all things MSP-related. Readers can learn more at www.msptoday.com.

About TMC

For more than 20 years, TMC has been honoring technology companies with awards in various categories. These awards are regarded as some of the most prestigious and respected awards in the communications and technology sector worldwide. Winners represent prominent players in the market who consistently demonstrate the advancement of technologies.

Each recipient is a verifiable leader in the marketplace. TMC also provides global buyers with valuable insights to make informed tech decisions through editorial platforms, live events, webinars, and online advertising. Readers can learn more at www.tmcnet.com.

Contact

Director of Partnerships

Lauren Ladra

Halo Security

lauren@halosecurity.com

The post Halo Security Honored with 2026 MSP Today Product of the Year Award appeared first on Cyber Security News.

The alert underscores the increasing risk posed by exposed enterprise middleware systems, particularly those accessible over network protocols such as T3 and IIOP.

The vulnerability affects Oracle WebLogic Server, a widely used enterprise Java application server deployed across cloud and on-premise environments.

Although Oracle has not disclosed complete technical specifics, the flaw is classified as an unspecified vulnerability that can be exploited remotely without authentication.

Attackers leveraging this issue can gain unauthorized access to sensitive data or potentially achieve full compromise of affected WebLogic environments.

Oracle WebLogic Server Vulnerability Exploited

Security researchers note that the attack vector relies on network-level access via WebLogic’s proprietary T3 protocol or the Internet Inter-ORB Protocol (IIOP), both of which are commonly used for internal application communication.

Misconfigured or internet-exposed WebLogic instances significantly increase the attack surface, making them attractive targets for threat actors seeking initial access into enterprise networks.

However, given WebLogic’s history as a frequent target in ransomware intrusion chains, cybersecurity experts warn that exploitation of this vulnerability could quickly be adopted in financially motivated campaigns.

The impact of successful exploitation is severe. An attacker can bypass authentication controls and access critical application data, potentially leading to lateral movement within enterprise environments.

In high-risk scenarios, this could result in full system compromise, data exfiltration, or deployment of follow-on payloads such as web shells or remote access trojans.

CISA’s inclusion of CVE-2024-21182 in the KEV catalog indicates confirmed in-the-wild exploitation. However, no specific threat actors or ransomware groups have been publicly attributed to these attacks so far.

Organizations using Oracle WebLogic Server are urged to take immediate action. CISA has mandated federal agencies to remediate the vulnerability by June 4, 2026, in accordance with Binding Operational Directive 22-01.

The agency recommends applying Oracle’s official patches or mitigation measures without delay. If fixes are not available or cannot be implemented promptly, organizations should consider isolating or discontinuing affected systems to reduce exposure.

From a defensive standpoint, security teams should audit network exposure of WebLogic services, restrict access to T3 and IIOP protocols, and implement strong network segmentation.

Continuous monitoring for unusual traffic patterns or unauthorized access attempts is also critical in detecting early signs of compromise.

This development underscores the persistent risks posed by unpatched enterprise middleware and underscores the importance of proactive vulnerability management.

As threat actors continue to scan for exploitable services, timely patching and strict access controls remain essential to defending critical infrastructure.

Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP

The post CISA Warns of Two-Year-Old Oracle WebLogic Server Vulnerability Exploited in Attacks appeared first on Cyber Security News.

The vulnerability, tracked as CVE-2026-5386, has been assigned a high CVSS v3 score of 9.1, highlighting its severe impact on organizations relying on these surveillance systems.

The issue stems from an “unverified password change” weakness in affected devices, which allows remote attackers to modify authentication credentials without proper validation.

Once exploited, threat actors can take control of the camera, view real-time video streams, alter configurations, or potentially turn off surveillance operations altogether.

This creates significant security risks, particularly in sensitive environments where CCTV systems play a critical role in monitoring and safety.

KMW CCTV Vulnerability 

The vulnerability impacts specific KMW CCTV models, including KM-IP521 running firmware IPCAM_V4.04.91.230307 and KM-IP421 with firmware IPCAM_V4.04.53.210416.

These devices are deployed globally across multiple critical infrastructure sectors, including commercial facilities, government institutions, financial services, transportation systems, and manufacturing environments.

Given their widespread usage, exploitation could have far-reaching consequences, including surveillance bypass, espionage, and operational disruption.

Although there are currently no confirmed reports of active exploitation in the wild, the vulnerability’s severity makes it a high-priority target for threat actors, especially those focusing on IoT and industrial control system weaknesses.

From a technical perspective, the flaw allows attackers to bypass authentication controls by sending crafted requests that trigger password changes without verifying the requester’s identity.

For example, an attacker on the same network, or one who exposes devices to the internet, could issue unauthorized commands to reset credentials and gain administrative access within seconds.

Security researcher Souvik Kandar has been credited with discovering and reporting the flaw to CISA. This type of attack does not require advanced skills, making it particularly dangerous in poorly secured environments.

According to a recent CISA advisory (ICSA-26-148-06), organizations should reduce exposure by keeping devices off the public internet and behind firewalls or isolated networks.

Remote access should be enabled only through secure channels, such as updated VPNs, and organizations should ensure that all connected systems follow strict security practices.

Regular risk assessments and impact analysis are also advised before implementing changes.

Additionally, organizations are encouraged to monitor for suspicious activity, follow incident response procedures, and report anomalies to relevant authorities for correlation and threat tracking.

Implementing defense-in-depth strategies and adhering to ICS cybersecurity guidelines can significantly reduce the risk of exploitation.

As surveillance infrastructure increasingly becomes a target for cyberattacks, this vulnerability highlights the urgent need for stronger security controls in IoT-based camera systems.

Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP

The post Critical KMW CCTV Vulnerability Let Attackers Gain Unauthorized Access to Camera Feeds appeared first on Cyber Security News.

This expansion follows several weeks of close collaboration with existing partners, the broader security industry, open-source software maintainers, and the US government.

Project Glasswing was first announced in early April 2026, when roughly 50 initial partner organizations gained access to Claude Mythos Preview to scan their codebases for security vulnerabilities.

Those early partners collectively identified more than 10,000 high- or critical-severity security flaws, underscoring the raw detection power of Mythos-class AI models when applied to enterprise and infrastructure codebases.

The newly onboarded organizations span more than fifteen countries, with most providing critical infrastructure services that extend well beyond their home nations. Industries that were underrepresented in the initial cohort, including power, water, healthcare, communications, and hardware, are now integrated into the program.

A substantial portion of the new partners are vendors and nonprofits that maintain widely used codebases relied upon by other organizations globally, including national governments.

Anthropic’s assessment of risk is stark: for most Project Glasswing partners, a successful cyberattack on their codebase could affect more than 100 million people, with significant consequences for both global and national security. Each new organization must meet Anthropic’s security requirements before receiving access to models.

Claude Mythos Preview Capabilities

Beyond raw vulnerability detection, partners are now deploying Claude Mythos Preview across a broader range of defensive tasks. These include automated patch writing, pre-release security checks to prevent vulnerabilities from entering production, penetration testing simulations, threat detection and response automation, and rebuilding legacy codebases in memory-safe languages.

Mythos Preview also represents a critical warning signal for the industry. Anthropic estimates that within six to twelve months, competing AI companies will develop Mythos-class models, potentially releasing them without sufficient safeguards to prevent offensive misuse.

This timeline creates an urgent window for cyberdefenders to adapt their tooling and operational norms before the threat landscape shifts dramatically.

To help scale these defensive capabilities beyond Project Glasswing’s direct partners, Anthropic is releasing on request to trusted security teams the tools developed to support the program’s vulnerability detection workflows.

The company has also launched Claude Security, a product built on its frontier public models, including Claude Opus 4.8, designed to scan codebases and suggest patches for organizations outside the program.

Anthropic is also in active discussions with third parties to substantially scale up the review and patching of vulnerabilities in open-source software, including the development of standardized best practices for disclosing findings to open-source maintainers to streamline triage and remediation.

Anthropic acknowledges that hundreds of thousands of organizations will ultimately need access to Mythos-level capabilities to address the full scope of the coming threat environment.

The company is working toward a general access release, but notes that highly robust safeguards preventing offensive misuse, which neither Anthropic nor other AI developers have fully developed yet, must be in place first.

In parallel, Anthropic plans to further scale its Cyber Verification Program, which would grant Mythos-class capabilities to additional organizations for specific defensive tasks.

The long-term goal of Project Glasswing remains unchanged: to shift AI’s role in cybersecurity from finding vulnerabilities to a full-cycle model covering disclosure, patching, and deployment, ultimately securing a permanent advantage for defenders.

Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP

The post Anthropic Expands Project Glasswing Claude Mythos Preview to 150 New Organizations appeared first on Cyber Security News.

The vulnerability affects PAN-OS, the operating system that powers Palo Alto Networks firewalls. It enables attackers to bypass authentication mechanisms and establish unauthorized VPN access.

According to the official CVE record, CVE-2026-0257 is categorized as an authentication bypass issue linked to CWE-565.

The flaw allows remote attackers to circumvent security restrictions without valid credentials, potentially granting them direct access to internal network resources through VPN connections.

This type of weakness is particularly dangerous because it undermines perimeter defenses and enables attackers to operate as legitimate users within enterprise environments.

PAN-OS vulnerability exploited

CISA added the vulnerability to its KEV catalog on May 29, 2026, with a remediation due date of June 1, 2026, for federal agencies.

The inclusion in the KEV list confirms that exploitation has been observed in the wild. However, there is currently no public confirmation linking the flaw to specific ransomware campaigns.

However, security experts warn that authentication bypass vulnerabilities in network edge devices are frequently targeted by threat actors, including initial access brokers and advanced persistent threat groups.

The impact of this vulnerability is significant, especially for organizations that rely on PAN-OS to secure their remote access infrastructure.

Successful exploitation could allow attackers to gain persistent access, move laterally across networks, and potentially deploy additional malicious payloads.

Given the role of VPN gateways in enterprise environments, exploitation could result in data exfiltration, service disruption, or the further compromise of critical systems.

Palo Alto Networks has issued guidance and mitigation steps to address the vulnerability. Organizations are strongly advised to apply available security updates or patches immediately.

In cases where patches are not yet available or cannot be applied, CISA recommends following vendor-provided mitigation instructions and adhering to Binding Operational Directive (BOD) 22-01 for cloud and network services.

If mitigation is not feasible, discontinuing use of the affected product is advised to reduce exposure to risk.

Security teams should also review authentication logs, monitor VPN access patterns, and investigate any unusual or unauthorized connection attempts.

Indicators of compromise may include unexpected VPN sessions, anomalous login behavior, or access from unfamiliar IP ranges.

Proactive threat hunting and network monitoring are essential to detect potential exploitation attempts early. The addition of CVE-2026-0257 to the KEV catalog highlights the ongoing risk posed by vulnerabilities in network security appliances.

As attackers increasingly target edge infrastructure, timely patching and continuous monitoring remain critical to maintaining a secure enterprise environment.

Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP

The post CISA Flags Palo Alto Networks PAN-OS Vulnerability as Exploited in Attacks appeared first on Cyber Security News.