DLTA

648 posts

@DLTA_Sec

Cyber Security intelligence, assessment and consulting. Across enterprise, digital assets and AI systems. https://t.co/K3HbdtGjim

Joined August 2023

305 Following, 499 Followers
DLTA @DLTA_Sec
@zecret_money @bubblemaps Wallet have power over smart contract. Wallet not small thing no more. Bad man take wallet, bad man get keys, bad man get everything.
You guessed it @zecret_money
@DLTA_Sec @bubblemaps Dude, just write it in plain English. You know damn well that the average person doesn't know tech jargon like that. 😭 Doesn't take all that to say it's someone doing that on the other end.
Bubblemaps @bubblemaps
ALERT: 🚨 Polymarket contract exploited.
Attackers are removing 5,000 $POL every 30 seconds – $600k stolen so far.
Pause all Polymarket activity for now.
DLTA @DLTA_Sec
A CVSS 10 in Cisco Secure Workload, a directory traversal in Trend Micro Apex One, and a Polymarket drain through an internal operations wallet all landed inside one 24-hour window. All three failed at the management layer. Secure Workload exists to enforce segmentation; Apex One is the endpoint agent; the Polymarket account was, by its operator's own description, for internal operations. Attackers now move through the console, the security agent, and the operational account, because those are the components every other system trusts by default. For a digital asset firm, the management layer is where it administers validator keys, RPC credentials, and custody signing flows. DLTA maps the intelligence-to-control loop for that layer, the one most asset inventories never list as attack surface. #CTI #Web3Security #ThreatIntel
DLTA @DLTA_Sec
Mapping this as an npm, PyPI and IDE story understates it; the pipeline moves on harvested identity, and one stolen publish token or OIDC credential crosses from a poisoned release channel into the deploy roles, bridge relayer endpoints, and contract admin keys that never shared a registry with it but do share an engineer.
SlowMist @SlowMist_Team
We combed through the full attack chain behind the Shai-Hulud / Mini Shai-Hulud supply chain attacks since May 2026. From the collapse of TanStack’s CI/CD trust boundary, to the malicious Nx Console VS Code extension, and later the @antv, PyPI durabletask, and GitHub internal private repository breach incidents, the attackers completed coordinated lateral expansion across npm, PyPI, IDE extensions, and cloud environments within roughly a week. ⚠️This was not a series of isolated incidents, but a mature attack pipeline built around “trusted release channels → credential harvesting → lateral propagation.” Read the full analysis and incident breakdown 🔎 slowmist.medium.com/black-may-seri…
DLTA @DLTA_Sec
When one KEV update flags both an AI-orchestration framework and the on-prem server of an endpoint-protection product, the question for any digital asset firm is whether its Langflow instances and Apex One consoles ever made the asset inventory alongside the RPC nodes, CI runners, wallet signing services, and SIEM collectors they sit beside.
CISA Cyber @CISACyber
🛡️ We added Langflow origin validation error vulnerability CVE-2025-34291 and Trend Micro Apex One (on-premise) server directory traversal vulnerability CVE-2026-34926 to our KEV Catalog. Visit go.dhs.gov/Z3Q for more information. #Cybersecurity #InfoSec
DLTA @DLTA_Sec
A RaaS crew that adapts the second Defender blocks its encryptor has already told you the payload was never the detection opportunity; the PowerShell event logs, evasion attempts, and lateral-movement traces it leaves first are what decide whether a validator host, a multisig signer's machine, or an exchange treasury workstation gets caught at minute one or minute ninety.
Huntress @HuntressLabs
Our SOC recently investigated two incidents involving The Gentlemen, a ransomware-as-a-service operation that's claimed 400+ victims across 70 countries since mid-2025. 🧵
DLTA @DLTA_Sec
A CVSS 10 in the platform that enforces workload segmentation hands an attacker the policy engine itself, so every east-west rule separating CI/CD runners from production, SIEM collectors from general subnets, and validator nodes, RPC gateways, and custody signing hosts from each other now answers to whoever holds that admin session.
DLTA @DLTA_Sec
The VPN was the cheapest thing two dozen ransomware crews owned; their initial-access brokers, EDR-killer tooling, and credential stockpiles re-home in an afternoon, still pointed at the hosting panels, CI/CD runners, exchange admin consoles, and custodial dashboards those crews were already operating inside.
DLTA @DLTA_Sec
@FalconFeedsio A UK law firm hit by Qilin is also a law firm whose document store holds client identity files, conveyancing payment details, and increasingly the escrow wallet arrangements, token sale paperwork, and custody agreements of any digital asset client on its books.
FalconFeeds.io @FalconFeedsio
🚨 Ransomware Alert: 🇬🇧 Hamer Childs Solicitors (hamerchilds.co.uk), a UK-based legal services firm, has reportedly fallen victim to the Qilin ransomware group.
🔎 Key Details:
👥 Threat Actor: Qilin
📅 Reported on: 21-05-2026
DLTA @DLTA_Sec
@Cyber_O51NT When the delivery channel is an allowlisted image host and the loader never touches disk, detection collapses onto runtime memory, the same place SSH keys, cloud IAM tokens, browser wallet extensions, and exchange session cookies all sit decrypted while in use.
Cyber_OSINT @Cyber_O51NT
Threat actors hide malware in images via steganography—delivering Remcos RAT and other payloads through image hosting sites, with DLL loaders loaded in memory to evade EDR and persisting in system memory. cofense.com/blog/steganogr…
DLTA @DLTA_Sec
Once the funds reach Tornado.Cash the on-chain trail goes cold, so the real question is whether exchange deposit screening, bridge address filters, and the transaction-monitoring systems at the banks behind every fiat off-ramp are circulating that tagged EOA fast enough to stop the cash-out.
DLTA @DLTA_Sec
Credential-stuffing engines do not care that this is a yoga portal; those email-and-password pairs fan out across Microsoft 365 tenants, VPN gateways, and exchange and custodial dashboard logins, and the reuse rate decides how many of the 2.5 million lose a second account tonight.
Dark Web Intelligence @DailyDarkWeb
🇮🇳 A threat actor is advertising the alleged sale of a full SQL database and approximately 2.5 million user records linked to “internationalyogadayhry.in,” a portal associated with Haryana state government yoga registration activities in India.

According to the listing, the allegedly exposed data includes:
• Full names
• Age and gender information
• Phone numbers
• Email addresses
• District and block information
• User type classifications
• Registration metadata
• Unique participant codes
• Certificate-related information
• Account status indicators

The actor claims the portal was used by:
• individuals
• educational institutions
• organizations
• government departments
participating in state yoga-related programs and registrations.

One particularly notable detail: the listing appears to reference password fields directly in the exposed schema sample. If authentic, that raises immediate concerns around:
• password storage practices
• authentication security
• account reuse risks
• identity verification exposure

At first glance, some people may underestimate a “yoga portal” breach. But modern cyber risk is no longer about whether a platform is “important.” It is about how much identity correlation data exists inside it.

Even seemingly low-risk citizen engagement portals can become valuable because they aggregate:
• identity data
• contact details
• government-linked participation records
• geographic segmentation
• demographic information

And when datasets reach millions of users, they become highly attractive for:
• phishing campaigns
• SMS fraud
• impersonation attacks
• political targeting
• social engineering
• credential stuffing

The inclusion of:
• district names
• block information
• participant classifications
also increases the potential value for targeted regional campaigns.

Threat actors increasingly prioritize “context-rich citizen datasets” rather than just raw credentials.

Another important observation: government-affiliated public engagement portals are frequently exposed through:
• weak third-party development practices
• outdated CMS frameworks
• poorly secured APIs
• insecure SQL configurations
• credential reuse
• inadequate cloud security controls

And unfortunately, event-registration or campaign-style portals often receive weaker long-term security oversight once public campaigns conclude. In many environments, temporary public-service systems quietly become permanent attack surfaces. And apparently even International Yoga Day now comes with a complimentary SQL dump.

At this stage, the authenticity of the dataset remains unverified. However, organizations operating citizen-facing government platforms should immediately review:
• password hashing practices
• exposed database backups
• API authentication controls
• public-facing admin panels
• data retention policies
• third-party vendor security
• cloud storage exposure
• logging and monitoring systems

This incident also reinforces a growing reality: large-scale citizen data exposure no longer requires compromising critical infrastructure. Sometimes all it takes is a poorly secured public portal with millions of registrations. 🇮🇳

#DDW #Intelligence #India #CyberSecurity #DarkWeb #ThreatIntelligence #DataLeak #OSINT #Infosec #CyberThreats
DLTA @DLTA_Sec
@DarkReading The robot moving is the least of it; a flaw that hands attackers control of OT robot middleware exposes the flat-network trust still holding up HMI consoles, IPMI management ports, validator node BMCs, and the custodial signing appliances racked beside them.
Dark Reading @DarkReading
Patch Now: Critical Flaw in OT Robot OS Gives Attackers Control: bit.ly/4dGtT3f by Elizabeth Montalbano
DLTA @DLTA_Sec
@Unit42_Intel Malware that carries a valid code signing certificate and sleeps for days walks straight past EDR allowlists onto the same workstations running exchange desktop clients, hardware wallet companion apps, and the signing tooling for custodial release flows.
Unit 42 @Unit42_Intel
We identified 4,000 samples of TamperedChef malware hiding in trojanized productivity apps. These campaigns use code signing to bypass security filters. The malware can remain dormant for days before stealing data. Read our analysis: bit.ly/4wI0z57
DLTA @DLTA_Sec
Three controls fail in the same blast radius. Marketplace vetting at the extension and package layer, signed-credential rotation at the publishing layer, and endpoint segregation between development and signing on the same physical device.
DLTA @DLTA_Sec
TeamPCP exfiltrated 3,800 internal GitHub repositories by getting one employee to install a poisoned VS Code extension. The same threat actor's Mini Shai-Hulud npm worm hit TanStack, antv, Mistral AI, OpenAI, and Grafana inside the last nine days.