Alerts
A critical vulnerability chain has been disclosed in vLLM, a widely-used high-performance library for Large Language Model inference. Tracked as CVE-2026-22778 with a CVSS score of 9.8, the flaw allows remote attackers to execute arbitrary commands on vLLM servers by submitting a malicious video URL to the API. Default
Threats
Huntress has published details of a February 2026 intrusion where threat actors leveraged compromised SonicWall SSLVPN credentials to access a victim network, then deployed a custom EDR killer that abuses a legitimate Guidance Software (EnCase) forensic driver to terminate security processes from kernel mode. The attack was disrupted before ransomware
Breaches
ShinyHunters, one of the most prolific data breach and extortion groups of the past five years, has posted a message to their official Telegram channel claiming that a "second leader has been arrested." The brief update also confirmed that the group's X (formerly Twitter) account has
Threats
Palo Alto Networks' Unit 42 has published a major investigation into a newly identified cyberespionage group it tracks as TGR-STA-1030, also known as UNC6619. The group — assessed with high confidence to be state-aligned and operating out of Asia — has compromised at least 70 organizations across 37 countries over the
Threats
LockBit 5.0 has introduced cross-platform ransomware payloads capable of hitting Windows, Linux, and VMware ESXi environments in a single campaign, according to analysis of 19 samples published by LevelBlue. The release marks a significant technical evolution for the RaaS operation, with specialized routines designed to maximize damage across enterprise
Threats
ShadowSyndicate, a cybercrime cluster first identified in 2023, has been caught using a server transition technique designed to obscure operational continuity across its infrastructure — but OPSEC failures have given researchers visibility into the group's C2 network. Group-IB confirmed two additional SSH fingerprints linked to ShadowSyndicate operations in February
Alerts
CISA has been silently updating its Known Exploited Vulnerabilities (KEV) catalog when it confirms that vulnerabilities are being exploited by ransomware groups — without notifying defenders when those changes occur. Glenn Thorpe, senior director of security research and detection engineering at GreyNoise, documented the gap by downloading daily KEV snapshots for
Threats
FortiGuard Incident Response has documented a new tool in Interlock ransomware's arsenal — a bring-your-own-vulnerable-driver (BYOVD) process killer that abuses a zero-day vulnerability in a gaming anti-cheat kernel driver to terminate EDR and AV processes before ransomware deployment. The activity was observed during an intrusion against a North American
Threats
Sysdig's Threat Research Team has published a detailed analysis of a cloud intrusion in which a threat actor went from stolen credentials to full AWS administrative access in under 10 minutes — with strong indicators that large language models were used throughout the operation to automate reconnaissance, generate exploitation
Alerts
The Django project has issued security releases across all supported versions — Django 6.0.2, 5.2.11, and 4.2.28 — addressing six vulnerabilities, three of which are high-severity SQL injection flaws that could allow attackers to execute arbitrary SQL commands against backend databases. All three SQL injection CVEs
Breaches
Step Finance, one of the most widely used DeFi dashboard and analytics platforms on Solana, has disclosed that attackers stole approximately $40 million in digital assets after compromising devices belonging to company executives. The breach was detected on January 31 during APAC hours. Step Finance described the attacker as a
Threats
Daylight Security has published findings from a real-world intrusion in which BlueNoroff — the financially motivated subgroup of North Korea's Lazarus Group — used live social engineering over Microsoft Teams to compromise a macOS endpoint, steal Keychain credentials, and stage data for exfiltration. The entire attack was operator-driven in real