Mustafa Kaan Demirhan

15.9K posts

@mstfknn

Principal Threat Researcher at @Brandefense / Team Member: @octosec & @canyoupwnme & @gameofpwners & @hacktrickconf & @hacknightsorg | @Trabzonspor

Joined August 2009
869 Following · 1.1K Followers
Mustafa Kaan Demirhan retweeted
BleepingComputer (@BleepinComputer)
🚨 A newly discovered "FortiBleed" leak has exposed Fortinet VPN credentials linked to more than 73,000 firewall URLs. Researchers say the dataset contains usernames, email addresses, and what appear to be plaintext passwords. The leak was discovered on an exposed server that also reportedly contained logs, scripts, cron jobs, and shell histories tied to the operators behind the campaign. Cybersecurity researcher Kevin Beaumont verified some of the credentials to be valid, with many of the affected devices still online. Nobody knows how the Fortinet configuration data was originally obtained. Fortinet has been contacted for comment.
Mustafa Kaan Demirhan retweeted
BRANDEFENSE | Digital Risk Protection Service
Cybersecurity leaders of Central Asia and the Caucasus — let’s connect in Almaty. Brandefense will be attending GITEX Central Asia & Caucasus Kazakhstan 2026, bringing advanced threat intelligence and digital risk protection to one of the region’s fastest-growing technology hubs.
📍 Almaty, Kazakhstan – Atakent IEC
📅 4–5 May 2026
📌 Stand H11 – A8
Meet our team:
🔹 Hakan Uzun – Co-founder, CGO
🔹 Rovshan Mammadov – Regional Sales Manager
Let’s discuss how your organization can detect, prioritize, and mitigate external cyber risks before attackers act. See you in Almaty.
#Brandefense #GITEX #GITEXKazakhstan #CyberSecurity #ThreatIntelligence #DigitalRiskProtection #EASM #Almaty #CentralAsia #CyberResilience
Mustafa Kaan Demirhan retweeted
Socket (@SocketSecurity)
🚨 BREAKING: Mini Shai-Hulud has spread to Packagist. We detected a malicious intercom/intercom-php@5.0.2 package artifact tied to this campaign. The compromised #PHP package used Composer plugin execution to run during install/update, download Bun, and launch an obfuscated router_runtime.js credential-stealing payload. It targeted GitHub, npm, SSH, cloud, Kubernetes, Vault, Docker, .env files, and more. We reported it to @packagist, which removed the malicious version.
Mustafa Kaan Demirhan retweeted
International Cyber Digest (@IntCyberDigest)
🚨 BREAKING: cPanel and WHM, the control panels behind an estimated 70+ million websites, have a critical security flaw that lets anyone become root admin without a password. CVE-2026-41940 affects every supported version. It’s already being exploited in the wild.
watchTowr Labs published the full attack today, after the hosting company KnownHost confirmed the bug was already being used to break into a significant chunk of the internet.
If you've never heard of cPanel: it's the dashboard that hosting providers and millions of website owners use to manage their servers, domains, email accounts, databases, and SSL certificates. WHM is the admin version that controls the entire server. If someone gets root access to WHM, they get the keys to the kingdom and to every apartment inside it.
How the attack works, in plain English:
🔴 Step 1: The attacker sends a deliberately wrong login. cPanel still creates a temporary "you tried to log in" record on disk and gives the attacker a cookie tied to it.
🔴 Step 2: The attacker tweaks the cookie to disable cPanel's password encryption. Normally cPanel encrypts the password field on disk. With one small change to the cookie, cPanel just stores it as plain text instead.
🔴 Step 3: The attacker sends a fake login attempt where the password field secretly contains hidden line breaks. cPanel does not strip these line breaks out, so they get written straight to the session file. Each line break creates a brand new fake record. The attacker uses this to inject lines that say "this user is root" and "this user already authenticated successfully."
🔴 Step 4: The attacker visits one more random page on the site to nudge cPanel into re-reading the file. cPanel then promotes the injected fake lines into its main session memory.
🔴 Step 5: On the next request, cPanel sees a flag that says "this user already passed the password check." cPanel trusts that flag, skips checking the actual password, and lets the attacker in as root.
From start to finish, the attack takes a handful of HTTP requests.
If you run cPanel or WHM, the patched versions are:
🔴 cPanel/WHM 110.0.x → 11.110.0.97
🔴 cPanel/WHM 118.0.x → 11.118.0.63
🔴 cPanel/WHM 126.0.x → 11.126.0.54
🔴 cPanel/WHM 132.0.x → 11.132.0.29
🔴 cPanel/WHM 134.0.x → 11.134.0.20
🔴 cPanel/WHM 136.0.x → 11.136.0.5
If your version is older than these, assume someone has already broken in and act accordingly. Patch right now, then rotate every password and key the server touched: root passwords, API tokens, SSL private keys, SSH keys, mail passwords, and database passwords.
Mustafa Kaan Demirhan retweeted
FalconFeeds.io (@FalconFeedsio)
📢 Ransomware Alert: 🇹🇷 Narteks Tekstil San. ve Tic. A.Ş. (narteks.com.tr), a Turkey-based textile manufacturing company, has reportedly fallen victim to the KRYBIT ransomware group.
NB: The group intends to publish the data within 4-5 days.
🔍 Key Details:
🛡️ Threat actor: KRYBIT
📅 Reported on: 26/04/26
Mustafa Kaan Demirhan retweeted
Acans (@AcansHaber)
The indictment concerning the death of Dorukhan Büyükışık, the son of retired Major General Ethem Büyükışık, whose lifeless body was found in İzmir in 2018, revealed that Büyükışık did not commit suicide and was beaten to death. (T24 - Tolga Şardan)
Mustafa Kaan Demirhan retweeted
Socket (@SocketSecurity)
🚨 BREAKING: Socket and @Docker uncovered what appears to be a broader Checkmarx supply chain compromise affecting official KICS Docker images and recent Checkmarx VS Code extension releases. We found malicious images in the official checkmarx/kics Docker Hub repo, including overwritten tags and a new tag outside the normal release flow. Our analysis also found signs that recent Checkmarx extension releases introduced code capable of downloading and executing what appears to be a malicious remote addon. We’re in touch with the Checkmarx team and still investigating the incident.
Mustafa Kaan Demirhan retweeted
CISA Cyber (@CISACyber)
🚨 Cyber threat actors compromised versions (1.14.1 and 0.30.4) of Axios npm, allowing unauthorized access to downstream systems. Review our Alert for detection and remediation guidance. 🔗 go.dhs.gov/5kW
Mustafa Kaan Demirhan retweeted
The Hacker News (@TheHackersNews)
🚨 A critical nginx-ui flaw is now exploited in the wild. CVE-2026-33032 (9.8) allows auth bypass via the /mcp_message endpoint, letting attackers take full control of Nginx with two HTTP requests due to an “allow-all” default. 🔗 Details here → thehackernews.com/2026/04/critic…
Mustafa Kaan Demirhan retweeted
The Hacker News (@TheHackersNews)
🛑 April Patch Tuesday spans SAP, Adobe, Microsoft, Fortinet—and core vendors like Apple, Google, Cisco, VMware, Palo Alto, AWS, and Linux. SAP (CVSS 9.9) enables SQL execution. Adobe Reader and SharePoint flaws are already exploited. 🔗 Read → thehackernews.com/2026/04/april-…
Mustafa Kaan Demirhan retweeted
The Hacker News (@TheHackersNews)
🚨 A ShowDoc flaw (CVSS 9.4) is now under active exploitation. CVE-2025-0520 lets attackers upload web shells via unauthenticated file upload → full server control. First attacks seen via a U.S. honeypot; ~2,000 instances remain exposed, mostly in China. 🔗 Details → thehackernews.com/2026/04/showdo…
Mustafa Kaan Demirhan retweeted
The Hacker News (@TheHackersNews)
⚠️ ALERT - Composer disclosed two command injection flaws (CVE-2026-40176 and CVE-2026-40261) with up to CVSS 8.8 severity. Malicious composer.json or crafted source refs can execute arbitrary commands—even without Perforce installed. 🔗 Read → thehackernews.com/2026/04/new-ph…
Mustafa Kaan Demirhan retweeted
striga (@striga_ai)
Unauthenticated RCE in Apache Tomcat (CVE-2026-34486)
The EncryptInterceptor was supposed to protect cluster communication. A fix for a padding oracle vulnerability moved one line outside a try block, and the encryption layer silently started forwarding every failed decryption straight into unfiltered Java deserialization.
We found it with Striga, built the exploit, and reported it to The Apache Software Foundation. striga.ai/research/tomca…
Mustafa Kaan Demirhan retweeted
The Hacker News (@TheHackersNews)
🛑 Adobe released emergency fixes for a 9.6 CVSS flaw (CVE-2026-34621) in Acrobat/Reader, confirmed under active exploitation. A prototype pollution bug lets malicious PDFs run arbitrary code via JavaScript. Evidence shows attacks may date back to Dec 2025. 🔗 Read → thehackernews.com/2026/04/adobe-…
Mustafa Kaan Demirhan retweeted
Hackmanac (@H4ckmanac)
🚨 Cyber Alert ‼️ 🇺🇸 US - 𝗖𝗣𝗨𝗜𝗗
CPUID confirms its website has been compromised on April 9–10, 2026, with attackers injecting malicious links that distributed trojanized CPU-Z/HWMonitor installers for about 6 hours. The multi-stage malware enabled potential credential and data theft, impacting potentially millions of users.
Threat actor: Not Specified
Sector: ICT
Data exposure (claimed): Not specified
Data type: Credentials and user data
Observed: Apr 10, 2026
Status: Confirmed
ESIX©: 6.43
Full details and impact assessment on HackRisk.io
Mustafa Kaan Demirhan retweeted
The Hacker News (@TheHackersNews)
⚠️ Marimo CVE-2026-39987 gave attackers a full shell with no authentication. A missing check in /terminal/ws allowed remote code execution on exposed systems. Exploitation began within 9 hours of disclosure—no PoC needed. 🔗 Details here → thehackernews.com/2026/04/marimo…