spacemoth

Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign thehackernews.com/2026/04/bitwar…

Here's my update to the broader community about the ongoing incident investigation. I want to give you the rundown of the situation directly. A Vercel employee got compromised via the breach of an AI platform customer called Context.ai that he was using. The details are being fully investigated. Through a series of maneuvers that escalated from our colleague’s compromised Vercel Google Workspace account, the attacker got further access to Vercel environments. Vercel stores all customer environment variables fully encrypted at rest. We have numerous defense-in-depth mechanisms to protect core systems and customer data. We do have a capability however to designate environment variables as “non-sensitive”. Unfortunately, the attacker got further access through their enumeration. We believe the attacking group to be highly sophisticated and, I strongly suspect, significantly accelerated by AI. They moved with surprising velocity and in-depth understanding of Vercel. At the moment, we believe the number of customers with security impact to be quite limited. We’ve reached out with utmost priority to the ones we have concerns about. All of our focus right now is on investigation, communication to customers, enhancement of security measures, and sanitization of our environments. We’ve deployed extensive protection measures and monitoring. We’ve analyzed our supply chain, ensuring Next.js, Turbopack, and our many open source projects remain safe for our community. The recommendation for all Vercel customers is to follow the Security Bulletin closely (vercel.com/kb/bulletin/ve…). My advice to everyone is to follow the best practices of security response: secret rotation, monitoring access to your Vercel environments and linked services, and ensuring the proper use of the sensitive env variables feature. In response to this, and to aid in the improvement of all of our customers’ security postures, we’ve already rolled out new capabilities in the dashboard, including an overview page of environment variables, and a better user interface for sensitive env var creation and management. As always, I’m totally open to your feedback. We’re working with elite cybersecurity firms, industry peers, and law enforcement. We’ve reached out to Context to assist in understanding the full scale of the incident, in an effort to protect other organizations and the broader internet. I also want to thank the Google Mandiant team for their active engagement and assistance. It’s my mission to turn this attack into the most formidable security response imaginable. It’s always been a top priority for me. Vercel employs some of the most dedicated security researchers and security-minded engineers in the world. I commit to keeping you updated and rolling out extensive improvements and defenses so you, our customers and community, can have the peace of mind that Vercel always has your back.

We’ve identified a security incident that involved unauthorized access to certain internal Vercel systems, impacting a limited subset of customers. Please see our security bulletin: vercel.com/kb/bulletin/ve…

Introducing Claude Opus 4.7, our most capable Opus model yet. It handles long-running tasks with more rigor, follows instructions more precisely, and verifies its own outputs before reporting back. You can hand off your hardest work with less supervision.

Zero Click Unauthenticated RCE in n8n (CVE-2026-27493) The chain exploitation method is: Allow User input SSTI exploitation e.g. {{7*7}} ={{$node["NodeName"].constructor.constructor('return process.mainModule.require("child_process").execSync("id ").toString()')()}}

Genians Security Center uncovers an APT37 campaign that used social networking as an initial access vector. Two Facebook accounts set to North Korea-linked locations were used to screen targets, build trust, and move conversations to Messenger. genians.co.kr/en/blog/threat…

Hi I've added another 550,000+ malwares to the malware library. Please download the malware and share it with your friends and family. vx-underground.org/Updates

Chat, I've changed my mind. We have some problems in the AI department. It turns out someone compromised the Mexican government to an unbelievable extent using nothing but Claude and ChatGPT. I'll link the full paper in the subsequent post. However, here is the highlights of how an unknown Threat Actor "vibe hacked" the Mexico government. Data stolen from... 1. SAT (Servicio de Administracion Tributaria) - Federal tax authority: - 195 million taxpayer records - 52 million directory records 2. Estado de Mexico - State government: - 15.5M vehicle registry records - 3.6M property owner records 3. Registro Civil de CDMX - Mexico City civil registry: - 220M civil records 4. Jalisco state government: - 50K patient records - 17K domestic violence victim records - 36K healthcare employee records - 180K digital government records 5. INE (Instituto Nacional Electoral) - National electoral institute: - 13.8K voter card records 6. Michoacan state government: - 2.28M property records - 2K user accounts with plaintext passwords 7. SADM Monterrey (Agua y Drenaje) Municipal water utility: - 3.5K procurement and vendor records - 5K procurement bid records

CPU-Z and HWMonitor nerd (@d0cTB) put out a statement. Compromise was present for approx. 6 hours. This is an extremely short period of time. Also, extremely fast response by the nerds at cpuid.

Introducing Project Glasswing: an urgent initiative to help secure the world’s most critical software. It’s powered by our newest frontier model, Claude Mythos Preview, which can find software vulnerabilities better than all but the most skilled humans. anthropic.com/glasswing

Bluehammer Privilege escalation via Microsoft Defender. No patch yet github.com/Nightmare-Ecli… #0day #lpe

Publicly disclosing the bluehammer exploit, at the time of writing this, this vulnerability is still unpatched. Full PoC source can be found here - deadeclipse666.blogspot.com/2026/04/public…

ls /Library/Caches/com.apple.act.mond

The OSAI+ syllabus is finally here! Every module includes hands-on labs designed to mirror how real AI systems are built, integrated, and attacked in production environments ⚔️ And if you haven't already heard: OSAI+ is available now in pre-sale, with an exclusive pre-release offer on our [Extended] Course & Certification Bundle. Get 120 days of course + lab access for the price of 90 for a limited time only. Offer ends March 30 when bundle returns to 90 days of access. 💸 Purchase through pre-sale: portal.offsec.com/checkout/produ… 🔍 Learn more: offsec.com/courses/OSAI/

🔥🐉 New GOAD Lab: DRACARYS I’ve just released a new free lab environment on GOAD: DRACARYS. The challenge includes 3 VMs and the objective is simple: Start with no authentication and work your way up to Domain Admin. Have fun exploiting it! 🔥🐉 mayfly277.github.io/posts/Dracarys…

The web’s security model has long relied on trusting the server. WEBCAT is an attempt to change that. Please help test it if you can. Your feedback at this early stage of development is extremely valuable. Excited to collaborate with @FreedomofPress & @SecureDrop

New public website for the v1 release! sirius.opensecurity.com

Kali & LLM: macOS with Claude Desktop GUI & Anthropic Sonnet LLM: This post will focus on an alternative method of using Kali Linux, moving beyond direct terminal command execution. Instead, we will leverage a Large Language Model (LLM) to translate… kali.org/blog/kali-llm-…

Zapper is used to hide malicious processes on Linux. Relies on ptrace-based manipulation of the ELF auxiliary table with minimal performance impact and doesn’t need root access. We keep seeing it during forensic analysis. hackers-arise.com/linux-zapper-h… Should be monitored @three_cube @_aircorridor @IamSmouk @DI0256 #dfir #redteam #pentest #blueteam

Hackers can abuse PAM to log SSH credentials in plaintext by modifying authentication modules. Helpful for lateral movement. There are many ways of doing it, but it often comes down to changes in /etc/pam.d/ and /lib/security/ Blue teams should monitor unauthorized changes in these directories hackers-arise.com/password-crack… @three_cube @_aircorridor @DI0256 #dfir #blueteam #redteam #pentest