Rey Bango 🇺🇦🌻

65K posts


@reybango

AI & Security | I hack into things sometimes. Opinions are mine. Fortis fortuna adiuvat. Nostalgia is not a strategy. It's a good time to cause a little chaos.

Joined March 2007
5.6K Following · 22.5K Followers
Rey Bango 🇺🇦🌻 retweeted
Dark Web Intelligence @DailyDarkWeb
🚨 NOW, THIS IS INTERESTING. BreachForums and TeamPCP have announced what they describe as a “Supply Chain Competition” centered around the alleged public release of the “Shai-Hulud” tooling.

According to the underground forum post:
• participants are encouraged to conduct software supply chain compromises
• a monetary reward of $1,000 USD in XMR is being offered
• actors are instructed to use the alleged “Shai-Hulud” tooling during attacks
• submissions reportedly require proof of access or compromise
• winners are allegedly determined based on downstream impact and package download volume

The post references:
• software package ecosystem abuse
• open-source distribution attacks
• package/repository compromise scenarios
• supply chain propagation tactics
• public hosting of the tooling via underground infrastructure

This development is significant because it reflects an evolution in underground ecosystems: threat actors are increasingly gamifying cyber operations through:
• competitions
• public rankings
• collaborative tooling releases
• affiliate-style attack ecosystems
• community-driven malware development

The operational model resembles a blend of:
• bug bounty culture
• ransomware affiliate programs
• open-source collaboration
• competitive cybercrime ecosystems

Even if portions of the tooling or claims are exaggerated, these types of campaigns can still:
• accelerate copycat attacks
• lower barriers for inexperienced actors
• increase package poisoning attempts
• normalize supply chain targeting
• encourage opportunistic compromise activity

Organizations should immediately review defenses related to:
• software supply chain security
• dependency trust validation
• CI/CD pipeline hardening
• package signing enforcement
• repository integrity monitoring
• developer credential exposure
• anomalous package update behavior
• open-source dependency governance

Security teams should closely monitor for:
• suspicious package updates
• malicious dependency injections
• typosquatting packages
• unexpected maintainer changes
• build pipeline anomalies
• unauthorized GitHub/GitLab actions
• npm/PyPI ecosystem abuse
• credential leakage tied to developers

This also highlights a broader industry shift: supply chain attacks are no longer exclusively associated with highly sophisticated state operations. Underground communities are now actively:
• operationalizing supply chain tradecraft
• sharing offensive automation
• incentivizing mass-impact attacks
• distributing reusable tooling
• commoditizing software ecosystem abuse

At this time:
• the full operational capability of the alleged tooling remains unverified
• the scale of adoption is unclear
• authenticity of all related source code releases has not been independently confirmed

However, the public encouragement of supply chain attacks alone represents a concerning escalation in underground threat actor culture.

#CyberSecurity #SupplyChainSecurity #ThreatIntelligence #DarkWeb #TeamPCP #BreachForums #SoftwareSecurity #DevSecOps #OpenSourceSecurity #Infosec #CyberThreats #DDW #Intelligence
Rey Bango 🇺🇦🌻 retweeted
Kun Chen @kunchenguid
I just hardened most of the npm packages I own against the ongoing supply chain attack. Using this thread to share what I did in case it's helpful for others.
The core idea is simple: don't use any third-party package versions that are just published. Enforce this with tools 🧵
Rey Bango 🇺🇦🌻 retweeted
Rothmus 🏴 @Rothmus
130k tech layoffs year-to-date. Insane.
Rey Bango 🇺🇦🌻
I feel for the @SocketSecurity social media coordinator because with all of these supply-chain attacks, I know they are NOT sleeping!
Rey Bango 🇺🇦🌻 retweeted
International Cyber Digest @IntCyberDigest
"I've been working in cybersecurity for 3 years and I feel great!" - Dave, 24
Rey Bango 🇺🇦🌻 retweeted
Theo - t3.gg @theo
Security things from the last few days:
- CopyFail (linux pwn'd)
- CopyFail 2/Dirty Frag
- 13 advisories in Next.js
- Over 70 CVEs addressed in MacOS 26.5
- ~50 CVEs addressed in iOS 26.5
- YellowKey (Windows Bitlocker pwn'd entirely)
- GreenPlasma (Windows privilege escalation)
- CVE-2026-21510 and CVE-2026-21513 confirmed to be used by Russia for Windows RCE
- CVE-2026-32202 separately confirmed to be used by Russia for sensitive document access
- Mini-Shai Hulud (over 300 JS and Python packages compromised via GitHub Action cache poisoning)
- Google confirms they have identified AI-powered exploitation of zero days in an unidentified "open-source, web-based system administration tool"
- Canvas (popular LMS used in most schools) pwn'd entirely
- PAN-OS (palo alto networks) pwn'd with a 9.3 severity CVE-2026-0300
Are you scared yet?
Rey Bango 🇺🇦🌻 retweeted
vx-underground @vxunderground
TanStack was hit by a supply chain attack. MistralAI was hit by a supply chain attack. The Mayor of Arcadia, California, was a Chinese spy. Forza Horizon 6 leaked. Canvas bamboozled. Shai-Hulud open-sourced. Nightmare-Eclipse teases two new Windows 0days. It is Tuesday. What will happen on Wednesday? Find out on the next action packed episode of Dragon Ball Z
Rey Bango 🇺🇦🌻
It's patch Tuesday. I wonder what the onslaught of fixes will look like this month.
Rey Bango 🇺🇦🌻 retweeted
International Cyber Digest @IntCyberDigest
‼️🚨 Microsoft calls this "intended behaviour," so here we go. How to dump the credentials of every user stored in Microsoft Edge:
1. Open Edge. Don't browse anywhere, just open it.
2. Flip to Task Manager, find Edge, expand the task.
3. Highlight the "browser" sub-task, right-click, and choose "Create Memory Dump."
4. Open the dump file and look for credentials.
The logged-in Windows user can dump every stored Edge credential with no additional rights. Which means any malware that user executes has those credentials for the asking.
Thanks to Rob VandenBrink at SANS: isc.sans.edu/diary/32954
7h3h4ckv157 @7h3h4ckv157
90+ recon modules
48 secret-regex patterns
80+ dorks
9 read-only credential validators
27 attack-path templates
5,500+ lines of structured tradecraft.
Might be helpful. Try: github.com/elementalsouls…
Rey Bango 🇺🇦🌻 retweeted
Luke Stephens (hakluke)
This week in cybersecurity:
- cPanel auth bypass
- CopyFail linux privesc
- 89 vulnerabilities in XAPI / Citrix XenServer: shittrix.moksha.dk
- 17 vulnerabilities in Omi: kasparovabi.github.io/security-resea…
- Thousands of vibe coded apps have their DBs publicly readable: securityscanner.dev/reports/2026-q2
- Someone triggered the whole cybersecurity community by dropping that vuln for the sobriety app on X
Time for a new week, buckle up!
Rey Bango 🇺🇦🌻 retweeted
Dark Web Informer @DarkWebInformer
🚨 The cPanel Situation Is Spiraling Fast
On April 29, CVE-2026-41940 was disclosed: a critical pre-authentication bypass in cPanel/WHM that lets remote attackers skip the login flow entirely and gain elevated access. Within 24 hours, it was already being weaponized. Censys watched the fallout in real time.
The 6-day timeline (cPanel hosts flagged malicious):
Apr 26: 117
Apr 27: 47
Apr 28: 106
Apr 29: 70
Apr 30: 146
May 1: 15,448
On May 1 alone, total malicious hosts jumped by +19,131, and 15,302 of those (roughly 80%) were cPanel/WHM systems. Compare that to the prior days where cPanel made up well under 1.2% of daily changes. This was not background noise. It was a coordinated spike.
Top affected providers:
DigitalOcean: 1,043
Contabo: 716
OVH: 501
Vultr: 391
Oracle: 321
Unified Layer: 280
Hetzner: 277
Akamai/Linode: 275
GoDaddy: 209
Microsoft: 169
With 1,052,657 cPanel/WHM hosts exposed on the public internet and only 9,595 currently flagged as malicious, the attack surface is enormous and growing.
At least two campaigns are running in parallel: a Mirai botnet variant (nuclear.x86) deployed post-compromise, and a ransomware campaign tied to the Sorry/Hidden-Tear family.
Ransomware footprint:
~7,000 cPanel servers with ".sorry" encrypted files
6,465 hosts: index.html.sorry
1,637 hosts: index.php.sorry
795 hosts: wp-config.php.sorry
Victims directed to attackers via qTox
If you run cPanel/WHM, patch immediately.
Source: censys.com/blog/the-cpane…
Rey Bango 🇺🇦🌻 retweeted
vx-underground @vxunderground
CVE-2026-31431 a/k/a CopyFail
> Linux LPE
> Description sounds like AI slop
> Exploit is legit
> Impacts every Linux kernel from 2017 - Now
> Proof-of-concept released
> It's Wednesday?
copy.fail
Rey Bango 🇺🇦🌻 retweeted
International Cyber Digest @IntCyberDigest
‼️🚨 BREAKING: An AI found a Linux kernel zero-day that roots every distribution since 2017. The exploit fits in 732 bytes of Python. Patch your kernel ASAP.

The vulnerability is CVE-2026-31431, nicknamed "Copy Fail," disclosed today by Theori. It has been sitting quietly in the Linux kernel for nine years.

Most Linux privilege-escalation bugs are picky. They need a precise timing window (a "race"), or specific kernel addresses leaked from somewhere, or careful tuning per distribution. Copy Fail needs none of that. It is a straight-line logic mistake that works on the first try, every time, on every mainstream Linux box.

The attacker just needs a normal user account on the machine. From there, the script asks the kernel to do some encryption work, abuses how that work is wired up, and ends up writing 4 bytes into a memory area called the "page cache" (Linux's high-speed copy of files in RAM). Those 4 bytes can be aimed at any program the system trusts, like /usr/bin/su, the shortcut to becoming root. Result: the next time anyone runs that program, it lets the attacker in as root.

What should worry most: the corruption never touches the file on disk. It only exists in Linux's in-memory copy of that file. If you imaged the hard drive afterwards, the on-disk file would match the official package hash exactly. Reboot the machine, or just put it under memory pressure (any normal system load that needs the RAM), and the cached copy reloads fresh from disk.

Containers do not help either. The page cache is shared across the whole host, so a process inside a container can use this bug to compromise the underlying server and reach into other tenants.

The original sin was a 2017 "in-place optimization" in a kernel crypto module called algif_aead. It was meant to make encryption slightly faster. The change broke a critical safety assumption, and nobody noticed for nine years. That bug then rode every kernel update from 2017 to today.

This vulnerability affects the following:
🔴 Shared servers (dev boxes, jump hosts, build servers): any user becomes root
🔴 Kubernetes and container clusters: one compromised pod escapes to the host
🔴 CI runners (GitHub Actions, GitLab, Jenkins): a malicious pull request becomes root on the runner
🔴 Cloud platforms running user code (notebooks, agent sandboxes, serverless functions): a tenant becomes host root

Timeline:
🔴 March 23, 2026: reported to the Linux kernel security team
🔴 April 1: patch committed to mainline (commit a664bf3d603d)
🔴 April 22: CVE assigned
🔴 April 29: public disclosure

Mitigation: update your kernel to a build that includes mainline commit a664bf3d603d. If you cannot patch immediately, turn off the vulnerable module:
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
rmmod algif_aead 2>/dev/null || true
For environments that run untrusted code (containers, sandboxes, CI runners), block access to the kernel's AF_ALG crypto interface entirely, even after patching. Almost nothing legitimate needs it, and blocking it shuts the door on this whole class of bug...
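A fleet-check companion to the algif_aead mitigation in the post above, added here as an example (not code from the post, from Theori, or from the kernel project). It assumes the standard /proc/modules and /etc/modprobe.d layouts, takes the file paths as parameters so the checks can be exercised against constructed copies, and does not verify whether the running kernel already carries the fix.

```shell
#!/bin/sh
# Added example: check and apply the "install algif_aead /bin/false" mitigation.
# Defaults target the live host; pass paths to test against copies of the files.
set -eu

# 0 if algif_aead appears in a /proc/modules-style listing (field 1 is the module name).
algif_loaded() {
  awk '$1 == "algif_aead" { found = 1 } END { exit !found }' "${1:-/proc/modules}"
}

# 0 if some .conf in the modprobe.d directory already routes "install algif_aead"
# to /bin/false or /bin/true, so modprobe can no longer load the module whether the
# kernel requests it on demand or an operator runs modprobe by hand.
algif_blocked() {
  grep -qsE '^[[:space:]]*install[[:space:]]+algif_aead[[:space:]]+/bin/(false|true)' \
    "${1:-/etc/modprobe.d}"/*.conf
}

# Writes the same rule the post gives into disable-algif.conf in the given directory.
# On a real host this needs root; an already loaded module is unloaded separately
# with: rmmod algif_aead
write_block_rule() {
  conf_dir="${1:-/etc/modprobe.d}"
  mkdir -p "$conf_dir"
  printf 'install algif_aead /bin/false\n' > "$conf_dir/disable-algif.conf"
}

# Overall status: 0 when the module is not loaded and cannot be loaded again,
# 1 when the host is still exposed (a patched kernel is not detected here).
copyfail_status() {
  modules_file="${1:-/proc/modules}"
  conf_dir="${2:-/etc/modprobe.d}"
  if algif_loaded "$modules_file"; then
    echo "EXPOSED: algif_aead is loaded (rmmod it or boot a patched kernel)"
    return 1
  fi
  if ! algif_blocked "$conf_dir"; then
    echo "EXPOSED: algif_aead is not loaded but modprobe can still load it; add the install rule"
    return 1
  fi
  echo "MITIGATED: algif_aead not loaded and blocked from loading"
}
```

Run `copyfail_status` with no arguments on each host; a non-zero exit from a config-management or monitoring job flags the hosts that still need the rule or the kernel update.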