TECHZONE™
TECHZONE CYBERNEWS && UPDATES. Welcome To TECHZONE™ ✔️Infosec Facts ✔️Cheatsheets ✔️Free Courses ✔️Open source tools ✔️Tech news
Subscribers: 595 (24 hours: no data; 7 days: -3; 30 days: -11)
Post archive
One Missed Threat Per Week: What 25M Alerts Reveal About Low-Severity Risk
https://thehackernews.com/2026/05/one-missed-threat-per-week-what-25m.html
The dark secret of enterprise security operations is that defenders have quietly institutionalized the practice of not looking. This is not just anecdotal, but rather backed by a recent report investigating more than 25 million security alerts, including informational and low-severity, across live enterprise environments.
The dataset behind these findings includes 10 million monitored
New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials
https://thehackernews.com/2026/05/new-linux-pamdoora-backdoor-uses-pam.html
Cybersecurity researchers have disclosed details of a new Linux backdoor named PamDOORa that's being advertised on the Rehub Russian cybercrime forum for $1,600 by a threat actor called "darkworm."
The backdoor is designed as a Pluggable Authentication Module (PAM)-based post-exploitation toolkit that enables persistent SSH access by means of a magic password and specific TCP port combination.
Fake call logs, real payments: How CallPhantom tricks Android users
https://www.welivesecurity.com/en/eset-research/fake-call-logs-real-payments-how-callphantom-tricks-android-users/
ESET researchers uncovered fraudulent apps on Google Play that claim to provide the call history “for any number” and had been downloaded more than seven million times before being taken down
Fixing the password problem is as easy as 123456
https://www.welivesecurity.com/en/cybersecurity/fixing-password-problem-as-easy-as-123456/
How come it’s still possible to ‘secure’ an online account with a six-digit string?
Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions
https://thehackernews.com/2026/05/linux-kernel-dirty-frag-lpe-exploit.html
Details have emerged about a new, unpatched local privilege escalation (LPE) vulnerability impacting the Linux kernel.
Dubbed Dirty Frag, it has been described as a successor to Copy Fail (CVE-2026-31431, CVSS score: 7.8), a recently disclosed LPE flaw impacting the Linux kernel that has since come under active exploitation in the wild. The vulnerability was reported to Linux kernel maintainers
Ivanti EPMM CVE-2026-6973 RCE Under Active Exploitation Grants Admin-Level Access
https://thehackernews.com/2026/05/ivanti-epmm-cve-2026-6973-rce-under.html
Ivanti is warning that a new security flaw impacting Endpoint Manager Mobile (EPMM) has been exploited in limited attacks in the wild.
The high-severity vulnerability, CVE-2026-6973 (CVSS score: 7.2), is a case of improper input validation affecting EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1.
It allows "a remotely authenticated user with administrative access to achieve remote code
PCPJack Credential Stealer Exploits 5 CVEs to Spread Worm-Like Across Cloud Systems
https://thehackernews.com/2026/05/pcpjack-credential-stealer-exploits-5.html
Cybersecurity researchers have disclosed details of a new credential theft framework dubbed PCPJack that targets exposed cloud infrastructure and ousts any artifacts linked to TeamPCP from the environments.
"The toolset harvests credentials from cloud, container, developer, productivity, and financial services, then exfiltrates the data through attacker-controlled infrastructure while attempting
vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution
https://thehackernews.com/2026/05/vm2-nodejs-library-vulnerabilities.html
A dozen critical security vulnerabilities have been disclosed in the vm2 Node.js library that could be exploited by bad actors to break out of the sandbox and execute arbitrary code on susceptible systems.
vm2 is an open-source library used to run untrusted JavaScript code inside a secure sandbox by intercepting and proxying JavaScript objects to prevent sandboxed code from accessing the host
Mirai-Based xlabs_v1 Botnet Exploits ADB to Hijack IoT Devices for DDoS Attacks
https://thehackernews.com/2026/05/mirai-based-xlabsv1-botnet-exploits-adb.html
Cybersecurity researchers have exposed a new Mirai-derived botnet that self-identifies as xlabs_v1 and targets internet-exposed devices running Android Debug Bridge (ADB) to enlist them in a network capable of carrying out distributed denial-of-service (DDoS) attacks.
Hunt.io, which detailed the malware, said it made the discovery after identifying an exposed directory on a Netherlands-hosted
MuddyWater Uses Microsoft Teams to Steal Credentials in False Flag Ransomware Attack
https://thehackernews.com/2026/05/muddywater-uses-microsoft-teams-to.html
The Iranian state-sponsored hacking group known as MuddyWater (aka Mango Sandstorm, Seedworm, and Static Kitten) has been attributed to a ransomware attack in what has been described as a "false flag" operation.
The attack, observed by Rapid7 in early 2026, has been found to leverage social engineering techniques via Microsoft Teams to initiate the infection sequence. Although the incident
The Hacker News Launches 'Cybersecurity Stars Awards 2026' — Submissions Now Open
https://thehackernews.com/2026/05/the-hacker-news-launches-cybersecurity.html
For nearly 20 years, we at The Hacker News have mostly told scary stories about cyberspace — big hacks, broken systems, and new threats.
But behind every headline, there’s a quieter, better story.
It’s the story of leaders making tough calls under pressure, teams building smarter defenses, and security products that keep hunting threats 24/7 — even when it’s hard.
Most of the time, this work is
Your AI Agents Are Already Inside the Perimeter. Do You Know What They're Doing?
https://thehackernews.com/2026/05/your-ai-agents-are-already-inside.html
Analysts recently confirmed what identity security teams have quietly feared: AI agents are being deployed faster than enterprises can govern them. In their inaugural Market Guide for Guardian Agents, Gartner states that “enterprise adoption of AI agents is accelerating, outpacing maturity of governance policy controls.” Enterprise leaders can request access to the Gartner Market Guide for
Google's Android Apps Get Public Verification to Stop Supply Chain Attacks
https://thehackernews.com/2026/05/android-apps-get-public-verification.html
Google has announced expanded Binary Transparency for Android as a way to safeguard the ecosystem from supply chain attacks.
"This new public ledger ensures the Google apps on your device are exactly what we intended to build and distribute," Google's product and security teams said.
The initiative builds upon the foundation of Pixel Binary Transparency, which Google introduced in October 2021
Windows Phone Link Exploited by CloudZ RAT to Steal Credentials and OTPs
https://thehackernews.com/2026/05/windows-phone-link-exploited-by-cloudz.html
Cybersecurity researchers have disclosed details of an intrusion that involved the use of the CloudZ remote access tool (RAT) and a previously undocumented plugin dubbed Pheno with the aim of facilitating credential theft.
"According to the functionalities of the CloudZ RAT and Pheno plugin, this was with the intention of stealing victims' credentials and potentially one-time passwords (OTPs),"
Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution
https://thehackernews.com/2026/05/palo-alto-pan-os-flaw-under-active.html
Palo Alto Networks has released an advisory warning that a critical buffer overflow vulnerability in its PAN-OS software has been exploited in the wild.
The vulnerability, tracked as CVE-2026-0300, has been described as a case of unauthenticated remote code execution. It carries a CVSS score of 9.3 if the User-ID Authentication Portal is configured to enable access from the internet or any
A rigged game: ScarCruft compromises gaming platform in a supply-chain attack
https://www.welivesecurity.com/en/eset-research/rigged-game-scarcruft-compromises-gaming-platform-supply-chain-attack/
ESET researchers have investigated an ongoing attack by the ScarCruft APT group that targets the Yanbian region via backdoor-laced Windows and Android games
We Scanned 1 Million Exposed AI Services. Here's How Bad the Security Actually Is
https://thehackernews.com/2026/05/we-scanned-1-million-exposed-ai.html
While the software industry has made genuine strides over the past few decades to deliver products securely, the furious pace of AI adoption is putting that progress at risk. Businesses are moving fast to self-host LLM infrastructure, drawn by the promise of AI as a force multiplier and the pressure to deliver more value faster. But speed is coming at the expense of security.
In the wake of the
ScarCruft Hacks Gaming Platform to Deploy BirdCall Malware on Android and Windows
https://thehackernews.com/2026/05/scarcruft-hacks-gaming-platform-to.html
The North Korea-aligned state-sponsored hacking group known as ScarCruft has compromised a video game platform in a supply chain espionage attack, trojanizing its components with a backdoor called BirdCall to likely target ethnic Koreans residing in China.
While prior versions of the backdoor have primarily targeted Windows users only, the supply chain attack is assessed to have enabled the
Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited via Debug API
https://thehackernews.com/2026/05/weaver-e-cology-rce-flaw-cve-2026-22679.html
A critical security vulnerability in Weaver (Fanwei) E-cology, an enterprise office automation (OA) and collaboration platform, has come under active exploitation in the wild.
The vulnerability (CVE-2026-22679, CVSS score: 9.8) relates to a case of unauthenticated remote code execution affecting Weaver E-cology 10.0 versions prior to 20260312. The issue resides in the "/papi/esearch/data/devops/
Microsoft Details Phishing Campaign Targeting 35,000 Users Across 26 Countries
https://thehackernews.com/2026/05/microsoft-details-phishing-campaign.html
Microsoft has disclosed details of a large-scale credential theft campaign that has leveraged a combination of code of conduct-themed lures and legitimate email services to direct users to attacker-controlled domains and steal authentication tokens.
The multi-stage campaign, observed between April 14 and 16, 2026, targeted more than 35,000 users across over 13,000 organizations in 26 countries,