We Said the PeopleSoft PoC Would Drop. Overnight Two GitHub Repos Appeared With the CVE Number and Almost Nothing Else. That Is Not a Weapon. It Is the Tripwire.
Yesterday we published on CVE-2026-35273, the unauthenticated remote-code-execution zero-day in Oracle PeopleSoft that ShinyHunters used to breach more than a hundred organizations, two-thirds of them universities. We ended that post with a specific prediction: our exploit harvester watches GitHub for the public proof-of-concept that would turn a targeted, hundred-victim campaign into a commodity one that anyone could run, and we said it was watching for exactly that drop. Ov
Patrick Duggan
1 hour ago · 4 min read


Shodan Says 1,479 Ivanti EPM Boxes Are Exposed. Three-Quarters Are Cloud-VPS Noise. The Number That Matters Is 6,637 — and It's Wearing a Different Name. Count Blast Radius, Not Boxes.
Just after midnight our exploit harvester logged a fresh proof-of-concept reference for CVE-2024-29824, an unauthenticated SQL injection in Ivanti Endpoint Manager that gives an attacker remote code execution on the EPM core server. It is a 2024 bug, it is in CISA's Known Exploited Vulnerabilities catalog, and it is actively exploited. The reasonable next question — the one a defender should always ask before spending a single hour on a vulnerability — is how exposed the thin
Patrick Duggan
12 hours ago · 4 min read


One Door, Every Crew: This Week Ransomware, Iranian Intelligence, and a Data-Extortion Gang All Walked Through the Same Pre-Auth Enterprise Edge. The Convergence Is the Pattern.
We published seven threat-intelligence posts this week about seven different vulnerabilities, attributed across three completely unrelated kinds of adversary, and somewhere around the fifth one a pattern stopped being a coincidence and became the story. The actors do not know each other. Their motives have nothing in common. Their tradecraft, historically, looked nothing alike. And this week they all walked through the same door. This post is about that door, because when cri
Patrick Duggan
13 hours ago · 5 min read


ShinyHunters Built Their Name on Phone Calls to the Help Desk. Now They Have a 9.8 Oracle Zero-Day, 100+ Breached Orgs, and Two-Thirds Are the Schools We Watched Them Hit in May.
For two months we have been documenting ShinyHunters as a crew that does not, on the whole, exploit software. Their signature move — the one we wrote about when they hit six named companies in seven days in April — was a phone call. Someone rings a help desk claiming to be an employee, asks for a multi-factor reset on the Okta single sign-on, the help desk obliges, and the attacker walks into the company's Salesforce instance and exports the customer file as a CSV. No CVE. No
Patrick Duggan
13 hours ago · 5 min read


The Record Patch Tuesday Has a Kill Chain Hidden Inside It. Six June CVEs Turn an Anonymous Network Packet Into Your Encrypted Disks — All Patched the Same Day.
Earlier today we wrote about the single most dangerous bug in Microsoft's record 208-CVE June Patch Tuesday: CVE-2026-45657, a wormable kernel TCP/IP remote code execution that takes a machine to SYSTEM with no password and no click. That post argued you should patch it first. This post argues something narrower and more useful for the team that has to triage all 208: the June release is not 208 isolated bugs. It contains, in a single Tuesday, every link you need to chain an
Patrick Duggan
17 hours ago · 5 min read


Microsoft Shipped a Record 208 Patches Tuesday. One Is a Wormable Kernel Bug That Needs No Password and No Click. CVE-2026-45657 Is the 2017 Setup, Again.
Microsoft shipped the largest Patch Tuesday in the program's history this week — 208 CVEs in a single release, three of them zero-days. The volume is the headline everyone wrote. The volume is not the story. Buried in that pile is one bug that does not care how busy your patch team is, because it is the kind of flaw that patches itself onto the front page eventually: CVE-2026-45657, a remote code execution vulnerability in the Windows kernel's TCP/IP stack, rated CVSS 9.8, re
Patrick Duggan
17 hours ago · 4 min read


Law Enforcement Took LockBit Down in 2024. LockBit 5.0 Posted Three Fresh Victims Today and Now Encrypts Your Hypervisors Too. The Reboot Is the Pattern.
This morning we set a watch for where First VPN would reboot after its takedown, on the principle that disrupting criminal infrastructure relocates demand rather than ending it. By the afternoon, a different name was demonstrating the same law on a leak site: LockBit, the ransomware-as-a-service operation that international law enforcement disrupted in early 2024 with great fanfare, posted three fresh victims today as LockBit 5.0 — Central Romana Corporation, a Dominican agro
Patrick Duggan
20 hours ago · 3 min read


In March We Said the AI Agent Builder Got Owned in 20 Hours. Langflow Is Now a Serial Target — Iran's MuddyWater Weaponized One, and a Fresh Unauthenticated RCE Is Live in the Wild.
On March 21 we published a post with a blunt title: the AI agent builder got owned in twenty hours. It was about Langflow, the open-source drag-and-drop tool for building LangChain AI agent pipelines, and a critical flaw — CVE-2026-33017, rated 9.3 — that let a single unauthenticated HTTP request turn into full remote code execution. Twenty hours after the advisory dropped, before any public proof-of-concept existed, attackers had built working exploits from the advisory text
Patrick Duggan
21 hours ago · 3 min read


Five Actively-Exploited Chrome Zero-Days in Five Months: The Browser Is the Most-Attacked Program on Your Machine, and CVE-2026-11645 Is Just June's.
On Tuesday Google shipped an emergency Chrome update for CVE-2026-11645, an out-of-bounds memory access in V8, the JavaScript and WebAssembly engine at the heart of the browser, already being exploited in the wild. On its own that is a routine entry in a defender's week: patch Chrome, move on. The number worth pausing on is not the CVE, it is the ordinal. This is the fifth actively-exploited Chrome zero-day of 2026, and we are barely past the halfway point of the year. The ca
Patrick Duggan
21 hours ago · 3 min read


The Third Nerve Center: SAP Just Patched Four Nine-Point Holes in the System That Runs Your Money — and One of Them Needs No Login.
Yesterday we wrote that the two systems an attacker most wants are the boring, trusted ones nobody thinks of as front doors — the service desk and the backup server — and that you should weight your attention toward the nerve centers rather than the perimeter. There is a third nerve center, and it patched four critical holes this week. SAP, the enterprise resource planning platform that runs the finance, supply chain, and human resources of a very large share of the world's b
Patrick Duggan
21 hours ago · 4 min read


Your Service Desk Was Answering Strangers and Your Backups Take One Login to Own: ServiceNow's Zero-Auth API and Veeam's 9.4 Landed the Same Week.
Two vulnerabilities surfaced this week that do not look related and are. One is a ServiceNow API endpoint that was answering requests from people who never logged in. The other is a Veeam Backup and Replication flaw rated 9.4 that hands remote code execution to any authenticated domain user. They sit at opposite ends of an enterprise — the service desk where work is tracked and the backup server where recovery lives — and they are the same story told twice, because those two
Patrick Duggan
1 day ago · 4 min read


This Morning We Said Microsoft's Persecution of the Defender Researcher Would Backfire. This Afternoon He Dropped a Working Exploit on the Patches Microsoft Shipped Yesterday.
This morning we published a piece arguing that Microsoft had spent six weeks trying to criminalize the researcher who found a family of Defender vulnerabilities, then quietly patched those exact bugs in its record June Patch Tuesday — and that the persecution was the wrong response because a process that breaks down on both ends produces scorched earth, not safety. We did not expect the demonstration to arrive the same day. Within hours of Microsoft shipping the patches for G
Patrick Duggan
1 day ago · 4 min read


The Seizure Notice Published First VPN's IP Addresses. A Free Certificate-Transparency Query Handed Us Its Entire Twelve-Year Stack.
When law enforcement seizes a piece of criminal infrastructure, the advisory that follows usually contains a list of IP addresses, and defenders dutifully feed those into their logs to check for historical connections. That is the right thing to do, and it is also the smallest version of what is available. This week's takedown of First VPN — the anonymization service used by at least twenty-five ransomware groups since 2014, seized May 19 and 20 in the French-and-Dutch-led Op
Patrick Duggan
2 days ago · 5 min read


Our Sandtrout Detector Flagged a Pipeline-Exfil and MSI-Stager Cluster With Hours to Spare. Three Indicators Nobody Else Has Published Yet.
This morning one of our precursor detectors, the one we call Sandtrout, climbed from a score of 0.4 to 0.6 and crossed its elevation threshold, with a stated lead time of zero to six hours before the campaign it stages typically fires. That detector is named for the larval form of Frank Herbert's sandworm, because the entire premise is that the worm is easier to catch before it grows. Sandtrout watches for the larval phase of supply-chain worms — credential encapsulation, mai
Patrick Duggan
2 days ago · 4 min read


I Lost $5,300 to Two E-Bike Brands. The Lesson Wasn't 'Don't Buy Chinese' — It Was 'Don't Buy From Anyone You Can't Serve Papers On.'
A few days ago I wrote that I had done everything right and still lost about five thousand three hundred dollars to two mainland-China e-bike brands, eAhora and Wallke. Then I did what I do for a living: I investigated the structure behind the loss instead of just being angry about it. The conclusion changed my mind about what the lesson actually is. It is not "don't buy Chinese." That framing is both lazy and wrong, and it would have led me to the same loss by a different do
Patrick Duggan
2 days ago · 5 min read


Microsoft Spent Six Weeks Trying to Criminalize the Researcher Who Found Its Defender Bugs. This Week's Record 208-CVE Patch Tuesday Quietly Fixed Them.
On Tuesday Microsoft shipped the largest Patch Tuesday in its history — two hundred and eight CVEs, beating the previous record of one hundred and seventy-seven — and buried in that pile are fixes for a family of Microsoft Defender and Windows vulnerabilities that the company spent the previous six weeks insisting were so dangerous to disclose that it banned the researcher who found them off GitHub and GitLab, revoked his vulnerability-reporting account, and referred him to i
Patrick Duggan
2 days ago · 5 min read


The Bulletproof Hosts That Went Quiet: Thirteen Days After Operation Riptide, Half Our Regular Offenders Vanished From the Edge
We just brought our edge block telemetry back online after a two-week instrumentation gap, and the first thing worth doing with a restored sensor is to ask what changed while it was dark. The answer, when we lined up the providers our infrastructure has been rejecting over the last thirteen days against the bulletproof hosts that used to be regulars in our block data, is that a whole cohort of them has simply gone quiet. This is an observation, not a victory lap, and the dist
Patrick Duggan
2 days ago · 5 min read


One VPN Served 25 Ransomware Crews. Operation Riptide Seized All 33 Servers. The Leverage Was Never the Payload — It Was the Shared Infrastructure.
The FBI's Boston field office went public today with the seizure side of an operation called Riptide, and the shape of it is the thing I want defenders to sit with, because it is the same lesson we have been writing all week from a different angle. The target was not a ransomware gang. It was a single virtual private network service — marketed as "First VPN Service," advertised almost exclusively on Russian-language criminal forums, in operation since roughly 2014 — that serv
Patrick Duggan
2 days ago · 4 min read


Google Said 'Limited, Targeted Exploitation' About CVE-2025-48595. In Android Patch Notes, That Phrase Means Spyware.
In the June 2026 Android security bulletin Google patched a hundred and twenty-four flaws, and buried in that pile is one — CVE-2025-48595 — that they flagged with a specific, deliberate phrase: there are indications it may be under "limited, targeted exploitation." CISA agreed, added it to the Known Exploited Vulnerabilities catalog at the start of the month, and gave federal agencies an unusually short fuse to remediate. If you read Android bulletins for a living you alread
Patrick Duggan
3 days ago · 3 min read


SolarWinds Serv-U Just Earned Its Fifth Spot on CISA's Exploited List. One Unauthenticated POST With a Deflate Header Crashes the Whole Service.
CISA added CVE-2026-28318 to the Known Exploited Vulnerabilities catalog this month, with a remediation mandate for federal civilian agencies, and it is a SolarWinds Serv-U flaw — which by itself would be a routine patch note, except that when I cross-referenced it against our own KEV index this morning, it turned out to be the fifth Serv-U vulnerability on that list. Not the fifth SolarWinds product. The fifth time this one file-transfer server has been added to the catalog
Patrick Duggan
3 days ago · 3 min read