PurpleOps (@PurpleOps_io)

1.7K posts

Ransomware tracker. Dark web + Telegram monitoring. Threat actor profiles. Breach intel. 24/7 automated threat triage. CTI for security teams.

Joined December 2023
21 Following, 531 Followers

Pinned Tweet
PurpleOps (@PurpleOps_io):
What we post here:
• Dark-web forum + leak-site activity (today's LAPSUS$ TeamPCP coverage: x.com/PurpleOps_io/s…)
• CVE + vendor exploit tracking with operational context
• Threat actor moves before they hit the news cycle
• Defender-relevant operational insight
Daily intel. Follow if any of that is your job.
Quoting PurpleOps (@PurpleOps_io):

LAPSUS$ leak site is live with a TeamPCP x LAPSUS$ GitHub auction at $95,000. ~4,000 private repos, framed as 'no extortion, single buyer or free leak'. The supply-chain story making headlines this week ties directly to LAPSUS$ now. If TeamPCP confirms as a LAPSUS$ affiliate, the GitHub-extension breach attribution shifts overnight.

PurpleOps (@PurpleOps_io):
CVE-2026-5426 is a class of bug, not a vendor slip. Ship a static ASP.NET machineKey and every customer shares the same RCE key. Microsoft flagged public-machineKey abuse in Feb 2025; ViewState deserialization keeps collecting. Fix: per-install key generation, never a baked-in default.
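The post above describes the failure mode (a vendor ships one static machineKey, so every customer ends up with the same ViewState signing key) and the fix (per-install key generation). The following is an added example, not PurpleOps' code and not taken from any vendor's product: a small Python audit that parses web.config fragments, flags hard-coded machineKey values, and reports when the same key value shows up in more than one install. The two config fragments and the install names are constructed for the example.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (not from any real product).
# A vendor default shipped verbatim to every customer: the key is static
# and, worse, identical on every install.
SHIPPED_DEFAULT = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

# Per-install generation: ASP.NET derives the keys on the host at runtime,
# so no two deployments share them. (A web farm would instead use an
# installer-generated unique key per customer; the audit below treats any
# static value as a finding so that case is reviewed by hand.)
PER_INSTALL = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


def machine_key(config_xml):
    """Return the machineKey attributes of a web.config, or None if absent."""
    root = ET.fromstring(config_xml)
    node = root.find("./system.web/machineKey")
    if node is None:
        return None
    return {
        "validationKey": node.get("validationKey", ""),
        "decryptionKey": node.get("decryptionKey", ""),
    }


def is_static(value):
    """A hard-coded hex string is static; 'AutoGenerate[,IsolateApps]' is not."""
    return bool(value) and not value.startswith("AutoGenerate")


def audit(configs):
    """configs: {install_name: web.config text}.

    Returns sorted (install, attribute, issue) tuples. issue is 'static'
    for a hard-coded key and 'shared' when the same key value appears in
    more than one install (the 'every customer shares the same key' case).
    """
    findings = []
    by_fingerprint = {}
    for name, xml in configs.items():
        mk = machine_key(xml)
        if mk is None:
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = mk[attr]
            if not is_static(value):
                continue
            findings.append((name, attr, "static"))
            # Fingerprint the key rather than writing the secret into a report.
            fp = hashlib.sha256(value.encode()).hexdigest()[:16]
            by_fingerprint.setdefault((attr, fp), []).append(name)
    for (attr, _fp), names in by_fingerprint.items():
        if len(names) > 1:
            findings.append((",".join(sorted(names)), attr, "shared"))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed fleet: two installs still on the shipped default, one fixed.
    fleet = {"customer-a": SHIPPED_DEFAULT, "customer-b": SHIPPED_DEFAULT,
             "customer-c": PER_INSTALL}
    for install, attr, issue in audit(fleet):
        print(f"{issue:6} {attr:14} {install}")
```

Run over a fleet of collected web.config files, the "shared" findings are the ones that matter most: a static key on one box is a local secret, a static key on every box is a public one.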

The Hacker News (@TheHackersNews):
🚨 One shared key. Every deployment at risk. Attackers exploited CVE-2026-5426 in the KnowledgeDeliver LMS to gain unauthenticated RCE through hard-coded ASP-NET machineKeys, deploy the Godzilla (BLUEBEAM) web shell, and deliver Cobalt Strike Beacon on vulnerable internet-facing systems. Read 🠒 thehackernews.com/2026/05/knowle…

PurpleOps (@PurpleOps_io):
Ghost CMS (CVE-2026-26980, CVSS 9.4): one unauthenticated SQL injection, Admin key stolen, 700+ blogs bulk-injected with ClickFix lures. Sites you trust now serve the payload. Full chain: purple-ops.io/blog/cve-2026-…

PurpleOps (@PurpleOps_io):
Anthropic's Mythos flagged 23,000 potential vulnerabilities across 1,000 OSS projects. "Potential" is carrying heavy weight here. The number that matters is confirmed true-positive rate - without that, this is just alert fatigue at scale. securityweek.com/anthropic-myth…

PurpleOps (@PurpleOps_io):
Dependency vulnerability checks don't need reasoning - they need correct answers. OSV lookup is deterministic by design; adding a model layer just introduces hallucination risk on the one question where "maybe vulnerable" isn't acceptable. The timing shift (pre-commit vs. broken CI) is the actual win.

PurpleOps (@PurpleOps_io):
Exactly right. MFA passes, token gets stolen mid-session, attacker walks in clean. Kali365 and similar kits make this turnkey now - we're seeing AiTM campaigns hitting tens of thousands of accounts per run. Architecture has to catch what MFA can't.
Quoting SC Media (@SCMagazine):

AiTM phishing doesn’t break MFA — it hijacks the authenticated session after MFA succeeds. The real gap isn’t users — it’s the architecture built to detect it, says @strongestlayer's Alan LeFort in this op-ed. #cybersecurity #CISO #infosec bit.ly/4dGs7ze

PurpleOps (@PurpleOps_io):
@SCMagazine @Sophos The payload never touches your machine. WantToCry pulls files over SMB 445, encrypts them server-side, and writes back the ciphertext. Your EDR watches clean processes while your data is already gone.

PurpleOps (@PurpleOps_io):
CVE-2026-45695 - CVSS 9.8 unauthenticated RCE in Kopia's backup HTTP server. No credentials needed. ProxyCommand injection via a crafted storage config. The server you'd rely on after a ransomware hit. purple-ops.io/blog/kopia-una…

PurpleOps (@PurpleOps_io):
@TheHackersNews ETW patching is what makes this stick - once ETW is blind, most EDR telemetry dies before it phones home. File-based detection is already irrelevant here. Hunt shifts to memory scanning + C2 egress patterns on aes-secure[.]net.

The Hacker News (@TheHackersNews):
🚨 Lazarus deployed a new memory-only RAT against crypto and financial organizations. thehackernews.com/2026/05/lazaru… The RemotePE malware executes entirely in memory with no filesystem artifacts, using DPAPI loaders, ETW patching, and Hell’s Gate techniques to evade detection and maintain stealthy access.
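The PurpleOps reply above says that once ETW is patched, file-based detection is gone and the hunt moves to memory scanning and C2 egress patterns on the published domain. As an added example (not PurpleOps' or The Hacker News' code), the Python below covers the egress half: it refangs the indicator as posted, runs it over proxy log lines, tallies hits per client and computes the gaps between successive hits, which is the raw material for spotting fixed-period beaconing. The log format, client IPs and timestamps are constructed for the example; only the domain comes from the post.

```python
from datetime import datetime
from urllib.parse import urlsplit

# Indicator exactly as published in the post above (defanged).
IOCS = ["aes-secure[.]net"]

# Constructed proxy log lines: timestamp, client IP, method, target, status.
# Not real telemetry. The 'notaes-secure.net' line is a deliberate near-miss
# and the last line checks case and trailing-dot handling.
SAMPLE_LOG = """\
2026-05-06T10:01:02Z 10.0.4.21 GET https://cdn.example.com/app.js 200
2026-05-06T10:01:09Z 10.0.4.21 POST https://api.aes-secure.net/gate 200
2026-05-06T10:02:44Z 10.0.7.5 GET https://notaes-secure.net/ 200
2026-05-06T10:03:10Z 10.0.4.21 CONNECT aes-secure.net:443 200
2026-05-06T10:05:10Z 10.0.4.21 CONNECT aes-secure.net:443 200
2026-05-06T10:07:10Z 10.0.4.21 CONNECT aes-secure.net:443 200
2026-05-06T10:07:31Z 10.0.9.8 GET https://AES-SECURE.NET./update 404
"""


def refang(ioc):
    """Undo common defanging so the indicator can be matched literally."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


def host_matches(host, domain):
    """Exact or subdomain match only; 'notaes-secure.net' must not match."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def target_host(target):
    """Extract the host from a URL or from a CONNECT host:port target."""
    if "://" in target:
        return urlsplit(target).hostname or ""
    return target.rsplit(":", 1)[0]


def hunt(log_text, iocs):
    """Return one dict per log line whose destination host matches an IOC."""
    domains = [refang(i) for i in iocs]
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line; skip rather than crash the hunt
        ts, src, method, target, _status = parts[:5]
        host = target_host(target)
        for d in domains:
            if host_matches(host, d):
                hits.append({"ts": ts, "src": src, "method": method,
                             "host": host, "ioc": d})
    return hits


def by_source(hits):
    """Hit count per client IP: which hosts are talking to the C2 domain."""
    counts = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts


def intervals_by_source(hits):
    """Seconds between successive hits per client; a near-constant series
    is the classic beacon signature."""
    times = {}
    for h in hits:
        t = datetime.strptime(h["ts"], "%Y-%m-%dT%H:%M:%SZ")
        times.setdefault(h["src"], []).append(t)
    return {src: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for src, ts in ((s, sorted(v)) for s, v in times.items())}


if __name__ == "__main__":
    matched = hunt(SAMPLE_LOG, IOCS)
    for src, n in by_source(matched).items():
        print(f"{src}: {n} hit(s), gaps {intervals_by_source(matched)[src]}")
```

The subdomain-aware match matters in both directions: a plain substring search would miss nothing here but would false-positive on look-alike names, while an exact-host match would miss the `api.` subdomain in the second line.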

PurpleOps (@PurpleOps_io):
@IntCyberDigest @meakaaet Confirmed from our tracking - zero platform breach, all these "mega leaks" trace back to old aggregator dumps repackaged with AI-generated previews. Same playbook, different headline.

International Cyber Digest (@IntCyberDigest):
THIS IS FAKE‼️ None of the “OnlyFans Mega Leak” accounts exist. It's AI-generated bullcrap. Via @meakaaet

PurpleOps (@PurpleOps_io):
@fundcruncher @DailyDarkWeb Records ≠ users, correct - retracting that line. Skepticism holds on stronger ground: every prior 'OnlyFans mega leak' resolved to aggregator scrapes, not platform breach. Waiting on samples either way.

Dark Web Intelligence (@DailyDarkWeb):
THIS IS HUGE‼️ 🌐 “OnlyFans Mega Leak” allegedly containing approximately 340 million user records involving both fans and creators.
According to the visible listing, the claimed dataset may include:
• usernames and display names
• email addresses
• linked phone numbers
• account creation dates
• follower/subscriber metrics
• likes and content statistics
• creator/fan classifications
• linked social profiles
• partial payment card metadata (claimed last 4 digits)
If authentic, this would represent one of the most operationally sensitive adult-platform-related exposures observed due to the combination of:
• identity data
• behavioral metadata
• financial indicators
• social linkage information
• creator activity metrics
The biggest risk here is not necessarily direct financial theft. The primary danger is:
• extortion
• doxxing
• blackmail
• targeted harassment
• reputational attacks
• account takeover campaigns
• relationship/social exposure
Adult-platform ecosystems are uniquely sensitive because attackers can combine:
• usernames
• linked social media
• email reuse
• payment references
• creator/fan relationships
• behavioral activity patterns
to deanonymize users who believed their identities were separated from their online activity.
For creators specifically, risks may include:
• impersonation
• stalking
• swatting
• revenue theft
• subscriber fraud
• credential compromise
• targeted phishing pretending to be platform support or agencies
For fans/users:
• sextortion campaigns
• phishing emails
• credential stuffing
• blackmail attempts
• fake legal notices
• cryptocurrency scams
• exposure of private consumption habits
One particularly concerning element is the reference to:
• linked profiles
• activity metrics
• internal identifiers
because these fields may allow correlation attacks across multiple platforms and previously leaked datasets.
However, several important caveats exist:
• extremely large breach claims are often exaggerated
• underground actors frequently recycle older datasets
• “scraped” data may originate from multiple unrelated leaks
• partial data collections are sometimes rebranded as “internal databases”
At this stage, the authenticity, source, freshness, and completeness of the alleged dataset remain unverified.
Recommended immediate actions for users potentially affected:
• change passwords immediately
• enable MFA
• avoid password reuse
• monitor phishing attempts
• review connected social accounts
• monitor for impersonation attempts
• remain alert for extortion emails or social engineering campaigns
Platforms operating creator ecosystems should additionally:
• monitor credential stuffing spikes
• review API abuse
• audit scraping protections
• monitor underground marketplaces
• strengthen anti-bot controls
• alert high-risk creators proactively
Because of the reputational and emotional sensitivity associated with adult-platform ecosystems, even limited verified exposure could have disproportionate real-world impact.
🌐 #DDW #Intelligence #CyberSecurity #DarkWeb #ThreatIntelligence #DataBreach #Infosec #OSINT #Privacy #OnlyFans

PurpleOps (@PurpleOps_io):
Add to this: 162 ransomware victims across 32 active groups in just 7 days. Qilin, The_Gentelman, Nova, Akira, CMD leading the wave. Full breakdown - every CVE, IOC, ransomware group, and dark web leak from this week linkedin.com/feed/update/ur…

PurpleOps (@PurpleOps_io):
Notice the pattern? Every major incident this week targeted a trusted layer:
Source control (GitHub)
Package registries (npm)
Mail servers (Exchange)
Endpoint defense (Defender)
Disk encryption (BitLocker)
Attackers aren't breaching perimeters anymore. They're poisoning the supply

PurpleOps (@PurpleOps_io):
This week, the tools your team trusts became the attack.
🔓 GitHub breached — 4,000 repos stolen
📦 600 npm packages backdoored
🚨 Exchange zero-day actively exploited
🛡️ Defender hit with 2 zero-days
🔐 BitLocker bypassed
Attackers stopped chasing endpoints. They're hunting trust. 🧵 linkedin.com/feed/update/ur…

PurpleOps (@PurpleOps_io):
CVE-2026-9089 in ConnectWise Automate: CWE-494, agent updates processed without integrity check. RMM update-bypass is the Kaseya-class vector - one push hits every managed endpoint. On-prem needs manual patching. purple-ops.io/blog/connectwi…

PurpleOps (@PurpleOps_io):
Mini Shai-Hulud, Megalodon, now TrapDoor cross-ecosystem: registry-level allowlisting is no longer enough. 34 packages × 384 versions × 3 registries × persistent re-push = supply-chain ops grew up.
Quoting vx-underground (@vxunderground):