FISA

An anonymous security researcher known as Chaotic Eclipse (also tracked as Nightmare-Eclipse and MSNightmare) has publicly released a proof-of-concept exploit for yet another unpatched Microsoft Defender zero-day, this one dubbed RoguePlanet. The exploit works on fully updated Windows 10 and Windows 11 systems with the June 2026 Patch Tuesday updates installed, and when successful, delivers a shell with SYSTEM-level privileges the highest level of access on a Windows machine. How the Exploit Works RoguePlanet is a race condition vulnerability, meaning it exploits a timing gap between two operations in Microsoft Defender's code. The researcher acknowledged the exploit is not perfectly consistent across all machines success rates varied significantly depending on the target system, but noted that independent security researcher Will Dormann confirmed it worked on the first attempt on his machine. The exploit does not currently function against Windows Server installations in its p...

Security researchers disclosed a new software supply chain campaign attributed to the North Korean threat actor Lazarus Group. The operation targets software developers through malicious packages uploaded to the npm registry, one of the world's largest repositories for JavaScript software components. Unlike traditional typosquatting attacks that rely on simple spelling mistakes, this campaign uses a more sophisticated technique known as brandjacking, where malicious packages are intentionally designed to appear related to legitimate and widely trusted open-source projects. According to research conducted by Sonatype, dozens of malicious packages were identified as part of the campaign, with some accumulating hundreds of downloads before detection and removal. The attackers created package names that appeared to be extensions, companion tools, utilities, or ecosystem components associated with popular projects such as React, Express, Webpack, Chai, JWT libraries, and Buffer. By usi...

Threat actors are actively exploiting a critical remote code execution vulnerability in Everest Forms Pro , a WordPress plugin used by approximately 4,000 websites. The flaw, tracked as CVE-2026-3300 with a near-maximum CVSS score of 9.8, allows completely unauthenticated attackers to execute arbitrary PHP code on affected servers and take full control of vulnerable sites. What the Vulnerability Does The root cause of the flaw lies in the Calculation Addon's process_filter() function, which takes user-submitted form field values and concatenates them directly into a PHP code string before passing it to PHP's eval() function without proper escaping. The sanitization function applied to user input does not strip single quotes or other PHP-specific characters, meaning an attacker can simply submit a crafted value through any standard string-type form field including text, email, URL, select, or radio fields on any form that uses the "Complex Calculation" feature. T...

Cybersecurity researchers at OX Security have uncovered a malicious package on the npm registry that specifically targets files stored in Anthropic's Claude AI tool directory. The campaign, dubbed Malware-Slop , centers around a package named mouse5212-super-formatter and represents a growing trend of AI-focused supply chain attacks carried out with low operational sophistication, but real consequences. What the Package Does On the surface, the package presents itself as an internal "archive deployment sync" utility, claiming to validate GitHub repositories and send network diagnostic information. In reality, it is a data theft tool with a very specific target: the /mnt/user-data directory, the dedicated folder that Claude AI uses to handle file uploads and outputs in the background. The malicious behavior is triggered during the postinstall stage, meaning it executes automatically the moment a developer installs the package. At that point, the malware authenticates...

  Cybersecurity researchers at Qualys have uncovered a critical privilege escalation vulnerability in the Linux kernel that went undetected for nine years. Tracked as CVE-2026-46333 and codenamed "ssh-keysign-pwn" , the flaw was quietly introduced into the kernel back in November 2016 and affects default installations of several of the most widely used Linux distributions, including Debian, Ubuntu, and Fedora. What the Flaw Does The vulnerability stems from improper privilege management in the kernel's __ ptrace_may_access() function a core component that governs how one process can inspect or control another. An unprivileged local user who exploits this flaw can access highly sensitive files and escalate their privileges all the way to root, without requiring any special system configuration. In practice, a successful attack can expose the contents of /etc/shadow  the file containing hashed user passwords as well as private SSH host keys stored under /etc/ssh/ . Bey...

Cybersecurity researchers identified a large-scale malware campaign targeting job seekers through fake online interview platforms. The operation distributes a credential-stealing trojan known as JobStealer, which is disguised as legitimate video conferencing software for remote interviews. The campaign specifically targets Windows and macOS systems and focuses heavily on stealing browser credentials, cryptocurrency wallet data, authentication tokens, and sensitive personal information. The attack demonstrates how threat actors are increasingly exploiting remote work culture and employment-related social engineering to compromise victims. The attack begins with threat actors contacting victims through fake recruitment offers and interview invitations. Victims are directed to professionally designed websites pretending to host online interview platforms. Researchers identified multiple fake platform names such as MeetLab, Meetix, Juseo, and Carolla, while some sites directly impersonate...