Vercel Finds More Compromised Accounts in Context.ai-Linked Breach
Vercel said its investigation uncovered an additional set of affected customer accounts after expanding the indicators of compromise and reviewing environment variable access logs. The incident stemmed from a compromise tied to Context.ai and shows how third-party identity and OAuth exposure can ripple into a cloud platform environment.
Source: Vercel
Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign
A malicious npm package was briefly distributed as @bitwarden/cli version 2026.4.0, carrying credential theft logic and CI pipeline propagation behavior. Bitwarden said the impact was limited to the compromised CLI release window and that there is no evidence end user vault data or production systems were affected.
Source: JFrog
China-Nexus Covert Networks Built From Compromised Edge Devices
CISA and NCSC warned that China-nexus actors are increasingly using botnet-style covert networks made up of compromised routers and edge devices for reconnaissance, delivery, command and control, and exfiltration. The advisory highlights a low-cost and deniable infrastructure model that can be reshaped quickly, reducing the value of static blocking alone.
Source: CISA
UAT-4356 Continues Targeting Cisco Firepower Devices With FIRESTARTER
Cisco Talos reported continued activity against Firepower devices running FXOS, where UAT-4356 exploits n-day flaws and deploys the FIRESTARTER backdoor. The malware gives the actor remote access inside a core device process, which makes perimeter appliances a direct espionage and persistence target.
Source: Cisco Talos
Breeze Cache WordPress Plugin Actively Exploited for Arbitrary File Upload
Attackers are actively exploiting a critical Breeze Cache flaw that allows unauthenticated file uploads and can lead to remote code execution on vulnerable WordPress sites. The issue requires a specific plugin setting to be enabled, but the shift from disclosure to real world attacks makes exposed sites an immediate patching priority.
Source: BleepingComputer
Marimo RCE Added to KEV as Exploitation Continues
CISA added CVE-2026-39987 in marimo to the Known Exploited Vulnerabilities catalog after attackers moved from disclosure to exploitation within hours. The flaw enables pre-authentication remote code execution on exposed notebook instances and has already been used in follow-on malware activity.
Source: CISA
BRIDGE:BREAK Flaws Expose Serial-to-IP Converters in OT and Healthcare
Researchers disclosed 22 vulnerabilities in Lantronix and Silex serial-to-IP converters and identified thousands of exposed devices online. Because these bridge devices often sit between older serial systems and modern networks, compromise can enable data tampering, lateral movement, and disruption in OT and healthcare environments.
Source: Forescout
Void Dokkaebi Turns Fake Job Interviews Into Developer Supply Chain Attacks
Trend Micro said the North Korea-aligned group Void Dokkaebi continues using fake recruitment workflows to lure developers into running malicious code repositories. The important development is that a single compromised developer machine can become a launch point for poisoning internal repositories and downstream software contributions.
Source: Trend Micro
GopherWhisper Abuses Slack, Discord and Outlook in Attacks on Mongolia
ESET disclosed a previously undocumented China-aligned group named GopherWhisper targeting Mongolian government institutions. The actors use a Go-based toolset and legitimate cloud services such as Slack, Discord, Outlook, and file.io for command and control and exfiltration, which helps blend malicious traffic into normal workflows.
Source: ESET
Device Code Phishing Reaches 7 Million Attacks in Four Weeks
Barracuda said it observed more than 7 million device code phishing attacks in just four weeks, reflecting rapid growth in OAuth-based account takeover activity. The technique abuses legitimate device login flows to obtain persistent authorized access without needing to steal and replay a password in the usual way.
Source: Barracuda
Critical Protobuf.js Flaw Enables JavaScript Code Execution
Proof-of-concept exploit code is now public for a critical protobuf.js issue that can lead to JavaScript code execution through unsafe dynamic code generation. The library is heavily used across Node.js applications and cloud environments, which makes the blast radius much larger than a niche package bug.
Source: BleepingComputer
SGLang Critical RCE Lets Malicious GGUF Models Run Code
A critical vulnerability tracked as CVE-2026-5760 can let attackers achieve remote code execution on SGLang systems by feeding crafted GGUF model files through exposed functionality. The bug matters because SGLang is a popular serving layer for LLM and multimodal workloads, putting AI infrastructure directly at risk.
Source: The Hacker News
Lotus Wiper Targets the Energy and Utilities Sector in Venezuela
Kaspersky described a destructive campaign using a previously unknown wiper called Lotus Wiper against the energy and utilities sector in Venezuela. The attack chain includes scripts that prepare the environment, weaken defenses, and coordinate the final destructive stage across the network.
Source: Kaspersky
ZionSiphon Malware Shows OT Focus on Israeli Water Systems
Darktrace analyzed ZionSiphon, an OT-focused malware set built to target Israeli water treatment and desalination environments. Its mix of persistence, USB propagation, ICS scanning, and sabotage logic tied to chlorine and pressure controls makes it notable beyond typical IT malware reporting.
Source: Darktrace
Telecom Surveillance Actors Exploit Mobile Signalling Infrastructure
Citizen Lab uncovered two telecom surveillance campaigns and linked attack traffic to real mobile operator signalling infrastructure. The report shows how suspected commercial surveillance vendors can exploit telecom interconnect systems for covert location tracking that may persist for years without clear visibility from defenders or users.
Source: Citizen Lab
AresISEC d.o.o. · Zagreb, Croatia · OIB: 49411602130 · info@aresisec.hr
© 2026 AresISEC