FISA

A high-severity vulnerability was disclosed in the AI-powered development environment Cursor, exposing developers to arbitrary code execution through malicious Git repositories. The flaw, tracked as CVE-2026-26268 with a severity score of 8.1, demonstrates how modern AI-assisted development tools can introduce new attack surfaces when combined with traditional software mechanisms such as version control systems. The vulnerability allows attackers to execute code on a developer’s machine simply by convincing them to clone a specially crafted repository. This significantly lowers the barrier for exploitation, as cloning repositories is a routine and trusted operation in software development workflows. Once the repository is cloned, hidden malicious logic embedded within Git configurations can be triggered automatically without requiring additional user interaction. At the core of the issue is the interaction between Cursor’s AI agent and Git’s built-in features, particularly Git hooks....

Cybersecurity authorities including CISA and the UK’s National Cyber Security Centre disclosed a highly sophisticated malware campaign involving a custom Linux-based backdoor known as FIRESTARTER. The malware specifically targets Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices, which are widely deployed as critical network perimeter defenses in enterprise and government environments. The discovery followed a forensic investigation into a breach affecting a U.S. federal agency, revealing that attackers had maintained long-term access to firewall infrastructure even after security patches were applied. The FIRESTARTER backdoor is designed to provide attackers with persistent remote access and full control over compromised devices. Unlike typical malware that resides on endpoints, this implant operates directly within the firewall system itself, effectively turning a core security control into an attack platform. By embedding within the LINA process, wh...

  Microsoft has updated its security advisory to confirm that a recently patched Windows Shell vulnerability  CVE-2026-32202  has been actively exploited in the wild. The flaw, which carries a CVSS score of 4.3, was originally addressed as part of Microsoft's April 2026 Patch Tuesday update, but the company quietly revised its advisory on April 27 after acknowledging that the original exploitability assessment had been published with incorrect information. What Does the Vulnerability Do? CVE-2026-32202 is a spoofing vulnerability rooted in a protection mechanism failure within Windows Shell. An attacker exploiting it over a network can access sensitive information on a victim's machine. To trigger the flaw, the attacker must send the victim a malicious file that the victim then opens. The impact is limited to data exposure the attacker cannot modify data or affect system availability, but in the context of how it is being chained with other vulnerabilities, the conseque...

BitSight published an analysis focused on how the emergence of advanced AI systems such as Claude Mythos is reshaping cybersecurity priorities, particularly in the area of cyber risk management and resilience. Rather than emphasizing traditional defensive controls or vulnerability remediation alone, the report highlights the growing importance of external visibility, third-party risk monitoring, and continuous risk scoring as core components of modern security strategy. The post-Mythos landscape is defined not just by faster attacks, but by the increasing difficulty organizations face in understanding and managing their total exposure across complex digital ecosystems. The analysis emphasizes that organizations no longer operate within clearly defined perimeters. Instead, they exist within an extended attack surface that includes vendors, partners, suppliers, and cloud services. BitSight identifies this external exposure as one of the most critical blind spots in cybersecurity today. A...

A cybersecurity-focused webinar titled “Mythos Reality Check: Beating Automated Exploitation at AI Speed” highlighted a fundamental shift in the threat landscape driven by artificial intelligence. The session emphasized that modern attackers are increasingly leveraging AI to automate vulnerability discovery and exploitation at unprecedented speed, fundamentally changing how organizations must approach security. The concept introduced as the “collapsing exploit window” describes the rapidly shrinking time between the discovery of a vulnerability and its active exploitation in the wild. The webinar underscores that traditional security practices, particularly those relying on manual vulnerability management and delayed patching cycles, are no longer sufficient. In the past, organizations had a measurable window of time to identify, prioritize, and remediate vulnerabilities before attackers could weaponize them. However, with AI-driven tools capable of scanning, identifying, and exploit...

Google-owned Mandiant has published new research exposing a previously undocumented threat group called UNC6692 , which is carrying out sophisticated social engineering attacks through Microsoft Teams to deploy a custom-built malware suite against corporate targets. The Attack Begins With an Email Flood The operation starts by overwhelming the victim's inbox with a massive wave of spam emails, creating a sense of panic and urgency. Shortly after, the attacker reaches out to the same victim over Microsoft Teams, impersonating an IT helpdesk employee from outside the organization and offering to resolve the email issue. The victim is then manipulated into clicking a phishing link shared via the Teams chat disguised as a "Mailbox Repair and Sync Utility v2.1.5", which triggers the download of a malicious AutoHotkey script from an attacker-controlled Amazon S3 bucket. This tactic of combining inbox flooding with Teams-based helpdesk impersonation has been a hallmark of for...

Security researchers have uncovered a serious supply chain attack affecting Bitwarden CLI , the command-line version of the popular open-source password manager. The compromised package was published to npm as part of a broader ongoing campaign linked to the threat actor group TeamPCP , previously connected to the Checkmarx supply chain attacks. What Happened? According to application security firm Socket, the affected package version was @bitwarden/cli@2026.4.0 , where malicious code was injected into a file called bw1.js included in the published package. The attackers managed to push this rogue version by exploiting a compromised GitHub Actions workflow within Bitwarden's own CI/CD pipeline, the same attack vector identified in earlier Checkmarx campaign incidents. Security firm JFrog confirmed that the malicious version was designed to steal a wide range of sensitive data, including GitHub and npm authentication tokens, SSH keys, environment files, shell history, GitHub Act...

A significant security incident emerged involving unauthorized access to Anthropic’s highly restricted AI model, Claude Mythos. The model, designed as an advanced cybersecurity tool capable of identifying software vulnerabilities, was intended to be accessible only to a limited number of trusted organizations under a controlled testing initiative. However, reports revealed that a small group of individuals operating through a private Discord community managed to gain access to the system, raising serious concerns about the security and governance of high-risk artificial intelligence technologies. The unauthorized access reportedly occurred on the same day the model was introduced to selected partners. Instead of exploiting a traditional vulnerability in Anthropic’s core infrastructure, the group leveraged weaknesses in a third-party vendor environment connected to the system. By analyzing Anthropic’s existing URL structures and conventions, the attackers were able to guess or discover...

Cybersecurity researchers at Kaspersky have uncovered a previously unknown data wiper malware, dubbed Lotus Wiper , that was used in a targeted destructive campaign against Venezuela's energy and utilities sector in late 2025 and early 2026. What Is a Wiper? Unlike ransomware, which locks data and demands payment, a wiper malware has one purpose: to permanently destroy data and render systems completely inoperable. Notably, Lotus Wiper contains no ransom demands or payment instructions, meaning the attack was not financially motivated, it was purely destructive. How the Attack Unfolded The attack chain begins with two batch scripts that work together to prepare the environment and deploy the wiper payload. The first script attempts to stop a Windows service related to background process alerts, checks for a NETLOGON network share, and retrieves a remote XML file — a step that researchers believe is used to confirm the machine is part of an Active Directory domain before proceed...

Cybersecurity researchers revealed a large-scale compromise linked to the SystemBC malware infrastructure, uncovering a command-and-control server associated with more than 1,570 infected victims worldwide. The activity is tied to a rapidly growing ransomware-as-a-service operation known as “The Gentlemen,” which has emerged as a significant threat actor since mid-2025. The discovery provides rare visibility into the internal scale and operational reach of a modern ransomware ecosystem. SystemBC is a proxy-based malware that plays a critical role in advanced intrusion campaigns by establishing covert communication channels between compromised systems and attacker-controlled infrastructure. It operates by creating SOCKS5 tunnels, allowing attackers to route traffic through infected machines while maintaining anonymity and persistence. The malware communicates with its command-and-control servers using encrypted protocols and is capable of downloading and executing additional payloads d...

  Ukraine’s Computer Emergency Response Team (CERT-UA) disclosed a sophisticated cyber campaign attributed to a threat cluster tracked as UAC-0247. The operation specifically targeted government entities and municipal healthcare institutions, including clinics and emergency hospitals, with the primary objective of stealing sensitive data and establishing persistent access within compromised systems. The campaign was observed between March and April 2026, and its origin remains unknown, raising concerns about ongoing espionage activity. The attack begins with a carefully crafted phishing email, often disguised as a humanitarian aid proposal to exploit trust during wartime conditions. Victims are lured into clicking a link that redirects either to a compromised legitimate website exploiting cross-site scripting vulnerabilities or to a convincingly generated fake website. This initial step is designed to appear credible while initiating the infection chain in a stealthy manner. Once...

In April 2026, a cybersecurity-focused webinar highlighted one of the fastest-growing and often overlooked risks in modern enterprise environments: orphaned non-human identities. The session focused on how organizations can identify, prioritize, and eliminate gaps in identity security, particularly those involving machine-driven accounts such as service accounts, API keys, tokens, and AI agents. The findings presented are based on recent research indicating that even mature identity programs continue to struggle with visibility and control over these identities. Non-human identities represent digital credentials assigned to systems, applications, and automated processes rather than human users. These identities are essential for modern infrastructure, enabling automation across cloud platforms, DevOps pipelines, and AI-driven environments. However, their rapid growth has introduced significant security challenges, as they often outnumber human identities and operate with elevated priv...

 In April 2026, a significant cybersecurity exposure was identified involving more than 25,000 endpoints affected by software distributed by Dragon Boss Solutions. What initially appeared to be a relatively low-risk adware issue quickly escalated into a critical supply chain security concern after researchers discovered a fundamental weakness in the application’s update mechanism. The flaw stemmed from an insecure update infrastructure tied to an unregistered domain, which could have been acquired by any attacker for a minimal cost and used to distribute malicious updates at scale. The affected software, characterized as aggressive adware, was commonly installed through deceptive advertisements or bundled installations, often without the user’s full awareness. Once present on a system, it functioned as a browser hijacker, redirecting user traffic and generating monetization through search manipulation. However, the real risk extended far beyond nuisance-level behavior. The insecur...

 In April 2026, OpenAI announced the release of GPT-5.4-Cyber, a specialized variant of its flagship GPT-5.4 model designed specifically for defensive cybersecurity operations. The launch comes at a time of increasing competition in the AI security space, particularly following the introduction of similar models by other major AI vendors. This development represents a significant shift in how artificial intelligence is being positioned as an active participant in cybersecurity defense rather than just a general-purpose tool. GPT-5.4-Cyber is engineered to assist security professionals in identifying vulnerabilities, analyzing malicious code, and strengthening overall software security. Unlike traditional AI models that enforce strict limitations on sensitive tasks, this version is intentionally designed with reduced restrictions for verified users, enabling deeper and more practical engagement with cybersecurity workflows. This includes capabilities such as binary analysis, vulner...

 In April 2026, a critical zero-day vulnerability affecting Adobe Acrobat Reader was identified as actively exploited in real-world attacks. The vulnerability, which had remained undiscovered and unpatched, allowed threat actors to compromise systems through specially crafted PDF documents. This campaign had been ongoing since at least December 2025, indicating a prolonged period of undetected exploitation and highlighting the sophistication of the attack. The attack is particularly dangerous because it requires minimal user interaction. In most observed cases, the exploit is triggered simply by opening a malicious PDF file, without the need for enabling macros or performing additional actions. This significantly lowers the barrier for successful exploitation and increases the effectiveness of phishing and social engineering campaigns, as PDF documents are widely trusted and commonly used across organizations. From a technical standpoint, the exploit leverages a previously unknow...

In April 2026, a critical cybersecurity incident was identified involving the Smart Slider 3 Pro plugin, a widely used component in WordPress and Joomla environments. The incident was the result of a software supply chain compromise, where attackers gained unauthorized access to the vendor’s update infrastructure and distributed a malicious version of the plugin through the official update channel. The compromised version, identified as 3.5.1.35, was made available to users for a limited period of approximately six hours before being detected and removed. This attack is particularly significant because it did not rely on exploiting a vulnerability within the plugin itself, but instead leveraged the inherent trust placed in legitimate software updates. As a result, any system that performed an update during the affected timeframe may have unknowingly installed a backdoored version of the plugin. This significantly increases the risk level, as traditional security controls often conside...

  Google   released  security updates for its Chrome web browser to address 21 vulnerabilities, including a zero-day flaw that it said has been exploited in the wild. The high-severity vulnerability,   CVE-2026-5281   (CVSS score: N/A), concerns a use-after-free bug in   Dawn , an open-source and cross-platform implementation of the WebGPU standard. Use-after-free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page," according to a description of the flaw in the NIST's National Vulnerability Database (NVD). As is customary for these alerts, Google did not provide any further details on how the shortcoming is being exploited and who may be behind the effort. This is typically done so as to ensure that a majority of users are updated with a fix and prevent other actors from joining the exploitation bandwagon. Google is aware that an exploit f...