Arda Büyükkaya

3.7K posts


@WhichbufferArda

Cyber Threat Intelligence Analyst at Rabobank | Threat Hunter | Malware Analyst. (All opinions expressed here are mine only.) 🇳🇱

The Netherlands · Joined April 2022
1.4K Following · 4.9K Followers
Arda Büyükkaya @WhichbufferArda ·
This week I presented at BSides Den Haag 🇳🇱, one of the rare cybersecurity events that brings together industry veterans and new talent under one roof. If you're starting your journey in cybersecurity, the networking here is unmatched.
Arda Büyükkaya retweeted
Polymarket @Polymarket ·
BREAKING: Cyberattack against American breathalyzer test company locks out drivers across 45 states.
Arda Büyükkaya retweeted
FBI Director Kash Patel @FBIDirectorKash ·
The @FBI has identified cyber actors associated with Russian Intelligence Services targeting users of commercial messaging applications, including Signal. The campaign targets individuals of high intelligence value, including current and former U.S. government officials, military personnel, political figures, and journalists. Globally, this effort has resulted in unauthorized access to thousands of individual accounts. After gaining access, the actors can view messages and contact lists, send messages as the victim, and conduct additional phishing from a trusted identity. It's important for you to be aware and take action - this vulnerability is not with the application - but you as the end user. The FBI and CISA have released a joint PSA to help you identify this activity and protect your accounts: ic3.gov/PSA/2026/PSA26…
Arda Büyükkaya retweeted
Who said what? @g0njxa ·
Malware trends in 2026: Using bot accounts in @virustotal to boost the community score
60171e71774630b9f5c824e2a4ee4742aff1461e0c1910395430ba1592c469cd
C2: foxkids[.]us
It won't work, makes it even more suspicious and your EV signature will be revoked anyways! Try harder ;)
Arda Büyükkaya retweeted
SecurityWeek @SecurityWeek ·
The US has for the first time officially linked the Handala hacker group to the Iranian government. The announcement came amid the takedown of several websites used by Handala. securityweek.com/us-confirms-ha…
Arda Büyükkaya retweeted
Feross @feross ·
🚨 Breaking: Trivy GitHub Actions supply chain attack – 75 out of 76 version tags compromised. If your CI/CD pipelines reference “aquasecurity/trivy-action” by version tag, you’re likely running malware right now.

At Socket, we identified that an attacker force-pushed nearly every version tag in the official aquasecurity/trivy-action repository. That’s @0.0.1 all the way through @0.34.2. Over 10,000 GitHub workflow files reference this action.

The malicious payload runs silently before the legitimate Trivy scan, so nothing looks broken. Meanwhile it’s:
- Dumping runner process memory to extract secrets
- Harvesting SSH keys
- Exfiltrating AWS, GCP, and Azure credentials
- Stealing Kubernetes service account tokens

The only unaffected tag right now appears to be @0.35.0.

Socket independently detected this at 19:15 UTC and generated 182 threat feed entries tied to this campaign – all correctly classified as Backdoor, Infostealer, or Reconnaissance malware.

This is the second Trivy compromise this month. Earlier in March, attackers injected code into the Aqua Trivy VS Code extension on OpenVSX to abuse local AI coding agents.

The compromised tags are still active. Pin to @0.35.0 or use a SHA reference until this is fully remediated.

Full write-up: socket.dev/blog/trivy-und…
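A defensive check for the pinning advice in the post above, as an added example that is not from Feross, Socket or Aqua: it scans workflow text for `aquasecurity/trivy-action` references and classifies each as SHA-pinned, a tag inside the range the post names, the one tag the post reports as unaffected, or some other mutable ref. The sample workflow, the placeholder SHA and the tolerance for a leading `v` on tags are assumptions.

```python
import re

ACTION = "aquasecurity/trivy-action"
# Tag range and unaffected tag exactly as stated in the post above.
AFFECTED_MIN, AFFECTED_MAX = (0, 0, 1), (0, 34, 2)
UNAFFECTED_TAG = (0, 35, 0)

# Matches "uses: aquasecurity/trivy-action@<ref>" in workflow YAML.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?" + re.escape(ACTION) + r"@([^\s'\"#]+)",
    re.IGNORECASE | re.MULTILINE,
)
SHA_RE = re.compile(r"[0-9a-f]{40}")       # full commit SHA (immutable)
TAG_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")  # leading "v" is an assumption


def classify(ref):
    """Classify one ref taken from a `uses:` line."""
    if SHA_RE.fullmatch(ref.lower()):
        return "sha-pinned"
    m = TAG_RE.fullmatch(ref)
    if m:
        version = tuple(int(p) for p in m.groups())
        if AFFECTED_MIN <= version <= AFFECTED_MAX:
            return "affected-tag"
        if version == UNAFFECTED_TAG:
            return "unaffected-tag"
    # Branches and any other tag can be moved by whoever controls the repo.
    return "mutable-ref"


def audit_workflow(text):
    """Return (ref, verdict) for every trivy-action reference in the text."""
    return [(m.group(1), classify(m.group(1))) for m in USES_RE.finditer(text)]


# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@0.28.0
      - name: pinned
        uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      - uses: aquasecurity/trivy-action@0.35.0  # tag
      - uses: aquasecurity/trivy-action@master
"""

if __name__ == "__main__":
    for ref, verdict in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{ACTION}@{ref}: {verdict}")
```

Any `affected-tag` hit means the job ran whatever the tag pointed to at run time, so the secrets available to that runner should be treated as exposed and rotated.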
Arda Büyükkaya retweeted
Forbes @Forbes ·
Iran's cyber espionage groups have been intermittently active since the war with the U.S. and Israel began, with one notable breach of a U.S. company. Read more: forbes.com/sites/the-wire… (Illustration: Getty Images)
Arda Büyükkaya retweeted
watchTowr @watchtowrcyber ·
What's new is old, and what's old is new - as is relentlessly proven. Join us in our analysis of CVE-2026-32746, the recent pre-auth RCE in inetutils' Telnetd. Speak soon. labs.watchtowr.com/a-32-year-old-…
Arda Büyükkaya retweeted
Andy Greenberg (@agreenberg at the other places)
This tool has already been used in distinct hacking campaigns against Ukrainians, Malaysians, Saudi and Turkish victims. If other hackers needed any more encouragement to adopt it, too, the Russian spies who used it left it fully unobfuscated with helpful code comments legible.
Andy Greenberg (@agreenberg at the other places) @a_greenberg

A second iOS exploit has been spotted in use by Russian spies to infect websites and hack visitors' iPhones. This one works on iOS 18, and appeared in a very reusable form, so will likely proliferate. If you haven't updated your iPhone, now's the time. wired.com/story/hundreds…

Arda Büyükkaya retweeted
Bloomberg @business ·
The US government is warning businesses to secure their corporate accounts within a popular Microsoft management tool, following a cyberattack on Stryker last week bloomberg.com/news/articles/…
Arda Büyükkaya retweeted
Will @BushidoToken ·
New Blog! The Beast Returns: Analysis of a Beast Ransomware Server 👹 In March 2026, @TeamCymru detected a Beast operator’s server that enabled us to understand the flow of their attacks from start, to middle, to the end, including ransomware binaries. team-cymru.com/post/beast-ran…
Arda Büyükkaya retweeted
Florian Roth ⚡️ @cyb3rops ·
People who laugh and comment “who still uses telnet” have no idea how this industry actually works - or how power plants, warships, factories, baggage handling systems and other control and logistics systems are planned, built and expected to last for decades
The Hacker News @TheHackersNews

⚠️ WARNING - An unpatched critical telnetd bug (CVE-2026-32746) lets attackers gain full system access with no credentials. One connection to port 23 is enough to trigger memory corruption and execute code as root. No patch yet. Prior telnet flaw is already exploited in the wild. 🔗Read → thehackernews.com/2026/03/critic…

Arda Büyükkaya retweeted
OSINTdefender @sentdefender ·
Joe Kent is a heavily decorated combat veteran who served with the 75th Ranger Regiment and U.S. Special Forces. He served eleven combat tours, primarily in Iraq, and retired in 2018, becoming a paramilitary officer with the Central Intelligence Agency (CIA). His wife, Senior Chief Shannon M. Kent, was killed by a suicide bomber in Syria in 2019. I very much doubt that he was leaking anything, and I think it’s disgusting that members of the Trump Administration would attempt to circulate something like that without providing any kind of evidence, all because he decided to resign in protest of yet another war - which he has seen plenty of - in the Middle East.
OSINTdefender @sentdefender

Senior officials in the Trump Administration tell Fox News that Joe Kent was “a known leaker” - and was cut out of intelligence briefings with President Trump months ago. Adding that he had not been part of any Iran planning discussions or briefings at all. An official says the White House also told the Director of National Intelligence Tulsi Gabbard that she should fire Kent for suspected leaks, but she never had him removed as Director of the National Counterterrorism Center (NCTC).
