I Left Port 22 Open on the Internet for 54 Days. Here’s Who Showed Up.

In a 54-day experiment, a honeypot mimicking an Ubuntu SSH server was left open on port 22, recording over 269,000 connection attempts from 7,556 unique IPs. The study revealed a constant flood of mostly automated attacks scanning for weak passwords, with a small fraction of sophisticated attackers deploying advanced techniques, including targeted crypto node intrusions; the findings underscore the relentless and noisy nature of internet scanning and the importance of robust SSH security practices.

https://arman-bd.hashnode.dev/i-left-port-22-open-on-the-internet-for-54-days-here-s-who-showed-up

cPanel 0-Day Authentication Bypass Vulnerability Actively Exploited in the Wild

, ,

A critical authentication bypass vulnerability (CVE-2026-41940) in cPanel & WHM has been actively exploited in the wild, allowing unauthenticated attackers to gain root-level access to hosting control panels. With a public proof-of-concept exploit released, cPanel has issued emergency patches and urged administrators to update immediately to prevent widespread compromise across millions of hosting accounts globally.

https://cybersecuritynews.com/cpanel-0-day-authentication-bypass-vulnerability/

Linux Kernel 0-Day “Copy Fail” Roots Every Major Distribution Since 2017

, ,

A critical zero-day vulnerability named “Copy Fail” (CVE-2026-31431) in the Linux kernel, affecting every major distribution since 2017, allows any unprivileged local user to gain root access by exploiting a flaw in the kernel's cryptographic template via the AF_ALG socket and splice() system call. The vulnerability, discovered by Theori and exploited by Xint Code Research Team, enables file page cache corruption undetectable by integrity tools, and also facilitates Kubernetes container escapes; a patch has been released and administrators are urged to update immediately.

https://cybersecuritynews.com/linux-kernel-0-day-copy-fail/

Wiz Hands GitHub AI-aided Bug Report That Isn’t Total Slop

, ,

Wiz researchers discovered a high-severity vulnerability (CVE-2026-3854) in GitHub's git infrastructure that allowed remote attackers full read/write access to private repositories using a single command. By leveraging AI-augmented tools for automated reverse engineering, they rapidly identified the flaw, leading to GitHub issuing fixes within six hours and awarding Wiz one of the largest payouts in its bug bounty history.

https://www.theregister.com/2026/04/29/github_woah_a_genuinely_helpful/

Critical Chrome Vulnerabilities Enables Remote Code Execution Attacks

,

Google has released a critical update for Chrome version 147.0.7727.137/138 that fixes 30 security vulnerabilities, including four severe use-after-free flaws enabling remote code execution attacks. Users and enterprises are strongly urged to update their browsers immediately to protect against remote attacks that could bypass Chrome’s sandbox and compromise systems without additional user interaction.

https://cybersecuritynews.com/chrome-vulnerabilities-2/

CISA Warns Microsoft Windows Shell 0-Click Vulnerability Exploited in Attacks

, ,

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about a critical zero-day vulnerability in the Microsoft Windows Shell, tracked as CVE-2026-32202, which is actively being exploited. This vulnerability allows attackers to perform network spoofing, potentially intercepting sensitive data and bypassing access controls, prompting CISA to mandate immediate patching by May 12, 2026, particularly for federal agencies, while strongly urging all organizations to apply mitigations to protect their networks.

https://cybersecuritynews.com/windows-shell-0-click-vulnerability/

Cursor AI Coding Agent Vulnerability Allow Attackers to Execute Code on Developer’s Machine

,

A high-severity vulnerability (CVE-2026-26268) in Cursor, an AI-powered coding environment, allows attackers to execute arbitrary code remotely on a developer’s machine by simply getting them to clone a malicious Git repository. The exploit leverages legitimate Git features—embedded bare repositories and Git hooks—triggering malicious scripts automatically without user interaction when the Cursor AI agent processes the repository, posing a significant risk to developer environments and organizational infrastructure.

https://cybersecuritynews.com/cursor-ai-coding-agent-vulnerability/

DDoS Cyber Attack Makes eBay Lose $200m Per Day

,

A large-scale Distributed Denial of Service (DDoS) attack disrupted eBay's operations for 42 to 48 hours, causing an estimated loss of $200 million per day in transactions. The pro-activist group 313 Team claimed responsibility, highlighting the significant financial and reputational damage such cyberattacks can inflict on major online platforms.

https://www.cybersecurity-insiders.com/ddos-cyber-attack-makes-ebay-lose-200m-per-day/

Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202

, , ,

Microsoft has confirmed active exploitation of a high-severity Windows Shell vulnerability (CVE-2026-32202) that allows unauthorized attackers to perform spoofing and access sensitive information. This zero-click exploit, linked to an incomplete patch for CVE-2026-21510 and used by the Russian state-sponsored group APT28, enables credential theft through automatic network authentication when victims open malicious Windows Shortcut files, highlighting ongoing risks despite recent patches.

https://thehackernews.com/2026/04/microsoft-confirms-active-exploitation.html

FIRESTARTER: Cisco ASA Backdoor

,

On April 23, 2026, CISA and the UK National Cyber Security Centre revealed FIRESTARTER, a persistent backdoor implant targeting Cisco Adaptive Security Appliance firmware via CVE-2025-20333 and CVE-2025-20362, enabling advanced persistent threat actor UAT-4356 (linked to the earlier ArcaneDoor campaign) to maintain long-term access even after patching and rebooting. The malware hooks into Cisco’s core LINA process to execute attacker shellcode triggered by specially crafted WebVPN requests, requiring a hard power cycle or full device reimaging to fully remove, highlighting a serious evolution in firmware-level threats that challenge conventional patch-and-monitor security models.

https://thecyberthrone.in/2026/04/28/firestarter-cisco-asa-backdoor/

Exploits Turn Windows Defender Into Attacker Tool

, ,

Threat actors are exploiting three publicly available proof-of-concept vulnerabilities—BlueHammer, RedSun, and UnDefend—to turn Microsoft Defender's built-in security functions against the systems it is meant to protect, enabling SYSTEM-level access and disrupting update mechanisms. While Microsoft has patched BlueHammer, the other two remain unpatched, and these exploits are actively used in targeted attacks that highlight systemic validation weaknesses in Defender’s privileged workflows, underscoring the need for updated defenses and multi-factor authentication for remote access.

https://www.darkreading.com/cyberattacks-data-breaches/exploits-turn-windows-defender-attacker-tool

Self-Propagating Supply Chain Worm Hijacks Npm Packages to Steal Developer Tokens

,

Cybersecurity researchers have identified a self-propagating supply chain worm named CanisterSprawl that compromises npm packages to steal developer tokens and credentials, spreading by injecting malicious postinstall hooks into affected packages. The worm exfiltrates sensitive data from developer environments, including npm configuration files, cloud credentials, SSH keys, and browser data, to push poisoned package versions and expand its reach, posing significant risks to open-source supply chains.

https://thehackernews.com/2026/04/self-propagating-supply-chain-worm.html

A Dozen Allied Agencies Say China Is Building Covert Hacker Networks Out of Everyday Routers

,

A coalition of U.S. and international government agencies has issued a warning about a significant shift in Chinese hacker tactics, highlighting the use of large-scale covert networks composed of compromised everyday routers and Internet of Things devices to conduct cyberattacks. These networks enable malicious activities such as reconnaissance, malware delivery, and espionage while disguising attackers' origins, prompting recommendations for organizations, especially large and critical infrastructure entities, to adopt enhanced cybersecurity measures and active threat hunting.

https://cyberscoop.com/china-nexus-covert-networks-advisory/

Phishing — Sometimes with AI’s Help — Topped Initial-Access Methods in Q1, Cisco Says

,

In the first quarter of 2026, phishing—sometimes aided by AI tools like the Softr platform—was the most common method hackers used to gain initial access, according to Cisco’s Talos threat intelligence report. Attackers leveraged AI to quickly create fake login pages for credential harvesting without coding, targeting mainly government and health-care sectors, with deficient multifactor authentication being the leading security weakness exploited.

https://www.cybersecuritydive.com/news/phishing-initial-access-ai-cisco/818185/

We Found a Stable Firefox Identifier Linking All Your Private Tor Identities

,

Researchers discovered a privacy vulnerability in Firefox-based browsers whereby the order of IndexedDB databases returned by the indexedDB.databases() API serves as a stable, process-scoped identifier. This allows unrelated websites to link user activity across origins and defeats privacy features in Firefox Private Browsing and Tor Browser, including Tor's “New Identity” function, by exposing a deterministic fingerprint until the browser process restarts. Mozilla has released a fix that canonicalizes the database order to eliminate this leakage and restore expected privacy guarantees.

https://fingerprint.com/blog/firefox-tor-indexeddb-privacy-vulnerability/

Scroll to Top