AudiA6 Laundered $389M for Fifteen Ransomware Crews — Including the Ones Who Stole Your Carnival and University Records. The Cash-Out Rail Got Seized. The Demand Won't.
This week European and American law enforcement seized AudiA6, a cryptocurrency laundering service, and the numbers attached to the operation are the kind that make a press release write itself: more than three hundred eighty-nine million dollars washed between 2022 and 2025, twenty-five domains taken down, more than thirty servers seized, two administrators arrested in Batumi, Georgia, and — the detail that matters most — laundering services provided to at least fifteen dist
Patrick Duggan
Jun 13 · 5 min read


Microsoft Patched YellowKey and Banned the Researcher. He Dropped His Second BitLocker Bypass on His Own Server — and Running a Defender Scan Is the Trigger. GreatXML.
We have been following a researcher who calls himself Chaotic Eclipse — also tracked as Nightmare-Eclipse — for two months, and the story keeps escalating in a direction Microsoft clearly did not anticipate. We wrote about his Defender vulnerabilities in April. We wrote on June 5 that Microsoft responded to his disclosures by banning him from its own GitHub and referring him to its crimes unit. We wrote on June 11 that within hours of Microsoft quietly patching his GreenPlasm
Patrick Duggan
Jun 13 · 5 min read


Twelve Hours Ago We Said the Empty PeopleSoft Repos Were a Tripwire, Not a Weapon. Tonight One Filled With a 7KB Python Exploit. CVE-2026-35273 Is Becoming Commodity.
This morning we published a post making a narrow, careful argument. The PeopleSoft zero-day CVE-2026-35273 — the unauthenticated remote code execution that ShinyHunters used to breach more than a hundred organizations, two-thirds of them universities — had attracted two new GitHub repositories named after the CVE. We opened them, found seventeen and three kilobytes of nothing, and refused to call it a public proof-of-concept, because it was not one. What we called it instead
Patrick Duggan
Jun 12 · 4 min read


We Said in April the AI Agent Is the New Login Shell. The Newest OpenClaw Attack Doesn't Even Need a Login — Just a Contact Card. The Agent Can't Tell Data From Orders.
In April we published a post with a title we meant literally: the AI agent is the new login shell. The argument was that a tool like OpenClaw — a self-hosted AI agent with broad access to your files, your shell, and more than twenty messaging platforms — is functionally a remote-access shell that happens to speak English, and that defenders were treating it like a chatbot instead of like the privileged process it actually is. We counted six holes in seven days then. This week
Patrick Duggan
Jun 12 · 5 min read


The Researcher Microsoft Tried to Ban Also Handed You a BitLocker Bypass. YellowKey, CVE-2026-45585, and the CTRL Key That Unlocks an Encrypted Drive.
For six weeks we have been following a researcher who goes by Chaotic Eclipse, also tracked as Nightmare Eclipse, and the increasingly ugly fight between him and Microsoft. We wrote about his Defender vulnerabilities — BlueHammer, the TOCTOU race in Defender's cleanup engine that escalates a low-privileged user to SYSTEM, back on April 26, and the RedSun and UnDefend tools alongside it. We wrote on June 5 that Microsoft's response to the disclosures was to ban him from its ow
Patrick Duggan
Jun 12 · 4 min read


We Said the PeopleSoft PoC Would Drop. Overnight Two GitHub Repos Appeared With the CVE Number and Almost Nothing Else. That Is Not a Weapon. It Is the Tripwire.
Yesterday we published on CVE-2026-35273, the unauthenticated remote-code-execution zero-day in Oracle PeopleSoft that ShinyHunters used to breach more than a hundred organizations, two-thirds of them universities. We ended that post with a specific prediction: our exploit harvester watches GitHub for the public proof-of-concept that would turn a targeted, hundred-victim campaign into a commodity one that anyone could run, and we said it was watching for exactly that drop. Ov
Patrick Duggan
Jun 12 · 4 min read


Shodan Says 1,479 Ivanti EPM Boxes Are Exposed. Three-Quarters Are Cloud-VPS Noise. The Number That Matters Is 6,637 — and It's Wearing a Different Name. Count Blast Radius, Not Boxes.
Just after midnight our exploit harvester logged a fresh proof-of-concept reference for CVE-2024-29824, an unauthenticated SQL injection in Ivanti Endpoint Manager that gives an attacker remote code execution on the EPM core server. It is a 2024 bug, it is in CISA's Known Exploited Vulnerabilities catalog, and it is actively exploited. The reasonable next question — the one a defender should always ask before spending a single hour on a vulnerability — is how exposed the thin
Patrick Duggan
Jun 11 · 4 min read


One Door, Every Crew: This Week Ransomware, Iranian Intelligence, and a Data-Extortion Gang All Walked Through the Same Pre-Auth Enterprise Edge. The Convergence Is the Pattern.
We published seven threat-intelligence posts this week about seven different vulnerabilities, attributed across three completely unrelated kinds of adversary, and somewhere around the fifth one a pattern stopped being a coincidence and became the story. The actors do not know each other. Their motives have nothing in common. Their tradecraft, historically, looked nothing alike. And this week they all walked through the same door. This post is about that door, because when cri
Patrick Duggan
Jun 11 · 5 min read


ShinyHunters Built Their Name on Phone Calls to the Help Desk. Now They Have a 9.8 Oracle Zero-Day, 100+ Breached Orgs, and Two-Thirds Are the Schools We Watched Them Hit in May.
For two months we have been documenting ShinyHunters as a crew that does not, on the whole, exploit software. Their signature move — the one we wrote about when they hit six named companies in seven days in April — was a phone call. Someone rings a help desk claiming to be an employee, asks for a multi-factor reset on the Okta single sign-on, the help desk obliges, and the attacker walks into the company's Salesforce instance and exports the customer file as a CSV. No CVE. No
Patrick Duggan
Jun 11 · 5 min read


The Record Patch Tuesday Has a Kill Chain Hidden Inside It. Six June CVEs Turn an Anonymous Network Packet Into Your Encrypted Disks — All Patched the Same Day.
Earlier today we wrote about the single most dangerous bug in Microsoft's record 208-CVE June Patch Tuesday: CVE-2026-45657, a wormable kernel TCP/IP remote code execution that takes a machine to SYSTEM with no password and no click. That post argued you should patch it first. This post argues something narrower and more useful for the team that has to triage all 208: the June release is not 208 isolated bugs. It contains, in a single Tuesday, every link you need to chain an
Patrick Duggan
Jun 11 · 5 min read


Microsoft Shipped a Record 208 Patches Tuesday. One Is a Wormable Kernel Bug That Needs No Password and No Click. CVE-2026-45657 Is the 2017 Setup, Again.
Microsoft shipped the largest Patch Tuesday in the program's history this week — 208 CVEs in a single release, three of them zero-days. The volume is the headline everyone wrote. The volume is not the story. Buried in that pile is one bug that does not care how busy your patch team is, because it is the kind of flaw that patches itself onto the front page eventually: CVE-2026-45657, a remote code execution vulnerability in the Windows kernel's TCP/IP stack, rated CVSS 9.8, re
Patrick Duggan
Jun 11 · 4 min read


Law Enforcement Took LockBit Down in 2024. LockBit 5.0 Posted Three Fresh Victims Today and Now Encrypts Your Hypervisors Too. The Reboot Is the Pattern.
This morning we set a watch for where First VPN would reboot after its takedown, on the principle that disrupting criminal infrastructure relocates demand rather than ending it. By the afternoon, a different name was demonstrating the same law on a leak site: LockBit, the ransomware-as-a-service operation that international law enforcement disrupted in early 2024 with great fanfare, posted three fresh victims today as LockBit 5.0 — Central Romana Corporation, a Dominican agro
Patrick Duggan
Jun 11 · 3 min read


In March We Said the AI Agent Builder Got Owned in 20 Hours. Langflow Is Now a Serial Target — Iran's MuddyWater Weaponized One, and a Fresh Unauthenticated RCE Is Live in the Wild.
On March 21 we published a post with a blunt title: the AI agent builder got owned in twenty hours. It was about Langflow, the open-source drag-and-drop tool for building LangChain AI agent pipelines, and a critical flaw — CVE-2026-33017, rated 9.3 — that let a single unauthenticated HTTP request turn into full remote code execution. Twenty hours after the advisory dropped, before any public proof-of-concept existed, attackers had built working exploits from the advisory text
Patrick Duggan
Jun 11 · 3 min read


Five Actively-Exploited Chrome Zero-Days in Five Months: The Browser Is the Most-Attacked Program on Your Machine, and CVE-2026-11645 Is Just June's.
On Tuesday Google shipped an emergency Chrome update for CVE-2026-11645, an out-of-bounds memory access in V8, the JavaScript and WebAssembly engine at the heart of the browser, already being exploited in the wild. On its own that is a routine entry in a defender's week: patch Chrome, move on. The number worth pausing on is not the CVE, it is the ordinal. This is the fifth actively-exploited Chrome zero-day of 2026, and we are barely past the halfway point of the year. The ca
Patrick Duggan
Jun 11 · 3 min read


The Third Nerve Center: SAP Just Patched Four Nine-Point Holes in the System That Runs Your Money — and One of Them Needs No Login.
Yesterday we wrote that the two systems an attacker most wants are the boring, trusted ones nobody thinks of as front doors — the service desk and the backup server — and that you should weight your attention toward the nerve centers rather than the perimeter. There is a third nerve center, and it patched four critical holes this week. SAP, the enterprise resource planning platform that runs the finance, supply chain, and human resources of a very large share of the world's b
Patrick Duggan
Jun 11 · 4 min read


Your Service Desk Was Answering Strangers and Your Backups Take One Login to Own: ServiceNow's Zero-Auth API and Veeam's 9.4 Landed the Same Week.
Two vulnerabilities surfaced this week that do not look related and are. One is a ServiceNow API endpoint that was answering requests from people who never logged in. The other is a Veeam Backup and Replication flaw rated 9.4 that hands remote code execution to any authenticated domain user. They sit at opposite ends of an enterprise — the service desk where work is tracked and the backup server where recovery lives — and they are the same story told twice, because those two
Patrick Duggan
Jun 10 · 4 min read


This Morning We Said Microsoft's Persecution of the Defender Researcher Would Backfire. This Afternoon He Dropped a Working Exploit on the Patches Microsoft Shipped Yesterday.
This morning we published a piece arguing that Microsoft had spent six weeks trying to criminalize the researcher who found a family of Defender vulnerabilities, then quietly patched those exact bugs in its record June Patch Tuesday — and that the persecution was the wrong response because a process that breaks down on both ends produces scorched earth, not safety. We did not expect the demonstration to arrive the same day. Within hours of Microsoft shipping the patches for G
Patrick Duggan
Jun 10 · 4 min read


The Seizure Notice Published First VPN's IP Addresses. A Free Certificate-Transparency Query Handed Us Its Entire Twelve-Year Stack.
When law enforcement seizes a piece of criminal infrastructure, the advisory that follows usually contains a list of IP addresses, and defenders dutifully feed those into their logs to check for historical connections. That is the right thing to do, and it is also the smallest version of what is available. This week's takedown of First VPN — the anonymization service used by at least twenty-five ransomware groups since 2014, seized May 19 and 20 in the French-and-Dutch-led Op
Patrick Duggan
Jun 10 · 5 min read
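The certificate-transparency pivot the First VPN post describes, as an added example that is not the post's own tooling: once the IP addresses in a seizure notice have been tied to a domain (by passive or reverse DNS, which this example assumes has already been done), a single crt.sh query for that domain returns every certificate ever logged for it, and the SAN lists and validity windows in those records reconstruct the hostnames and the lifespan of the whole stack. The domain `firstvpn.example` and the JSON rows below are constructed to match the shape of crt.sh's JSON export; they are not data from the seizure.

```python
"""Rebuild an infrastructure timeline from a crt.sh-style CT query result.

Added example. The domain and all records are hypothetical; only the field
names (id, issuer_name, common_name, name_value, not_before, not_after)
follow crt.sh's JSON schema, e.g. https://crt.sh/?q=%25.<domain>&output=json
"""
import json
from datetime import datetime

# Constructed sample: four certificates spanning 2014 to 2026 for a made-up domain.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "firstvpn.example",
     "name_value": "firstvpn.example\nwww.firstvpn.example",
     "not_before": "2014-02-11T00:00:00", "not_after": "2015-02-11T00:00:00"},
    {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "panel.firstvpn.example",
     "name_value": "panel.firstvpn.example",
     "not_before": "2018-06-01T00:00:00", "not_after": "2018-08-30T00:00:00"},
    {"id": 1003, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "panel.firstvpn.example",
     "name_value": "panel.firstvpn.example\napi.firstvpn.example",
     "not_before": "2021-01-15T00:00:00", "not_after": "2021-04-15T00:00:00"},
    {"id": 1004, "issuer_name": "C=US, O=Google Trust Services, CN=WR1",
     "common_name": "*.firstvpn.example",
     "name_value": "*.firstvpn.example\nfirstvpn.example",
     "not_before": "2026-04-20T00:00:00", "not_after": "2026-07-19T00:00:00"},
])


def parse_ct(raw_json):
    """Collapse crt.sh rows into one record per hostname.

    name_value carries every SAN in the cert, newline-separated; the CN is
    folded in as well, since older certs sometimes omit it from the SANs.
    """
    hosts = {}
    for row in json.loads(raw_json):
        first = datetime.fromisoformat(row["not_before"])
        last = datetime.fromisoformat(row["not_after"])
        names = {n.strip().lower() for n in row["name_value"].split("\n") if n.strip()}
        names.add(row["common_name"].strip().lower())
        for name in names:
            h = hosts.setdefault(name, {"first": first, "last": last,
                                        "certs": 0, "issuers": set()})
            h["first"] = min(h["first"], first)   # earliest issuance seen
            h["last"] = max(h["last"], last)      # latest expiry seen
            h["certs"] += 1
            h["issuers"].add(row["issuer_name"])
    return hosts


def timeline(hosts):
    """(hostname, first_seen, last_seen) sorted oldest-first."""
    rows = ((n, h["first"].date().isoformat(), h["last"].date().isoformat())
            for n, h in hosts.items())
    return sorted(rows, key=lambda t: (t[1], t[0]))


def stack_span_years(hosts):
    """How long the whole stack has held certificates, in years."""
    first = min(h["first"] for h in hosts.values())
    last = max(h["last"] for h in hosts.values())
    return round((last - first).days / 365.25, 1)


def pivots_beyond_notice(hosts, notice_hosts):
    """Hostnames CT knows about that the seizure notice never listed.

    Wildcards are dropped: they prove a cert existed, not that a host did.
    """
    known = {n.strip().lower() for n in notice_hosts}
    return sorted(n for n in hosts if n not in known and not n.startswith("*."))


if __name__ == "__main__":
    stack = parse_ct(SAMPLE_CT_JSON)
    for name, first, last in timeline(stack):
        print(f"{first}  {last}  {name}  ({stack[name]['certs']} certs)")
    print("span:", stack_span_years(stack), "years")
    print("not in notice:", pivots_beyond_notice(stack, ["firstvpn.example"]))
```

Against live data, replace `SAMPLE_CT_JSON` with the body of a crt.sh query for `%.<domain>`; the `%` wildcard is what pulls in every subdomain, which is where the hosts a seizure notice omits tend to show up. Treat the earliest `not_before` as a lower bound on the stack's age, not an exact birth date, since CT logging only became widespread after 2013.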


Our Sandtrout Detector Flagged a Pipeline-Exfil and MSI-Stager Cluster With Hours to Spare. Three Indicators Nobody Else Has Published Yet.
This morning one of our precursor detectors, the one we call Sandtrout, climbed from a score of 0.4 to 0.6 and crossed its elevation threshold, with a stated lead time of zero to six hours before the campaign it stages typically fires. That detector is named for the larval form of Frank Herbert's sandworm, because the entire premise is that the worm is easier to catch before it grows. Sandtrout watches for the larval phase of supply-chain worms — credential encapsulation, mai
Patrick Duggan
Jun 10 · 4 min read


Microsoft Spent Six Weeks Trying to Criminalize the Researcher Who Found Its Defender Bugs. This Week's Record 208-CVE Patch Tuesday Quietly Fixed Them.
On Tuesday Microsoft shipped the largest Patch Tuesday in its history — two hundred and eight CVEs, beating the previous record of one hundred and seventy-seven — and buried in that pile are fixes for a family of Microsoft Defender and Windows vulnerabilities that the company spent the previous six weeks insisting were so dangerous to disclose that it banned the researcher who found them off GitHub and GitLab, revoked his vulnerability-reporting account, and referred him to i
Patrick Duggan
Jun 10 · 5 min read