C0XMO botnet variant exploits DD-WRT routers and kills rivals
The malware targets old DD-WRT routers across multiple CPU architectures, supports 19 DDoS methods, and removes competing implants
Sophisticated supply chain attack targets CI/CD environments via npm packages using binding.gyp files to bypass security audits. Over 286 malicious versions across 56 packages deployed multi-layered encrypted payloads specifically designed
An old CIFS authentication-key logic flaw lets unprivileged users forge keys and escalate to root through malicious NSS modules on major Linux distributions
New GhostBeacon tool identifies rogue and hidden Wi-Fi access points by analyzing beacon frames, signal strength, uptime, and encryption patterns. Reveals how evil twin attacks exploit 802. #DFIR_Radar
A scanner trusted in CI/CD became a worm delivery path across 60+ packages within 24 hours, showing how defensive tooling can become a privileged supply-chain target
A malware campaign hid command-and-control instructions in Steam profile comments using invisible Unicode, abusing trusted gaming infrastructure for WordPress infections
Attackers hijacked Red Hat's legitimate npm scope to push backdoored versions of 32 packages targeting cloud secrets and CI/CD tokens. The malware spread via compromised GitHub Actions OIDC tokens, affecting 9.8M downloads. #DFIR_Radar
Miasma malware compromises Red Hat npm packages in sophisticated supply chain attack, stealing credentials and spreading through CI/CD pipelines using worm-like behavior. Builds on Shai-Hulud tactics with GitHub abuse for verified malicious
CVE-2026-8732 (CVSS 9.8) in WP Maps Pro plugin lets unauthenticated attackers create WordPress admin accounts via flawed "temp access" feature. 2,858 attacks blocked in 24 hours across 15,000+ vulnerable sites. Update to v6.1. #DFIR_Radar
Custom KQL rule in Microsoft Sentinel successfully caught 260 SSH brute force attempts across 3 attack waves in 28 minutes. Rate-based detection prevented alert fatigue while maintaining 100% detection accuracy. Technical breakdown: • Rule
FSB-linked Gamaredon group deploys advanced worm hiding in NTFS Alternate Data Streams to target Ukrainian networks. Campaign active since January 2026 uses fileless VBScript and exploits WinRAR vulnerability for initial access. Key techn
CVE-2026-0257 in Palo Alto GlobalProtect allows auth bypass via forged VPN cookies. Rapid7 confirms active exploitation since May 17 across multiple customers. Patch immediately or disable auth override feature. #DFIR_Radar
Supply chain compromise hits 32 RedHat npm packages with "Miasma" malware variant derived from publicly released TeamPCP toolkit. Attack targets developer credentials and secrets through preinstall scripts. Key technical details: • 32 pack
Multi-stage infection chain: Unknown RAT delivers NetSupport RAT via SmartApeSG ClickFix campaign. Initial RAT maintains persistent C2 since April 2026, now pushing secondary payloads through encoded traffic over port 443. Attack chain bre
CVE-2026-4387: Critical StrongDM flaw allowed attackers to steal and reuse authentication state files across hosts for persistent access. Plaintext JWT and key pairs in user directories enabled session hijacking without credential theft. K
MDSec showed malicious Visual Studio extensions can still reach the marketplace and execute with minimal controls, keeping IDE supply chains exposed
Long-running cybercrime operation distributes cryptocurrency miners through pirated content sites, leveraging fake video player updates to infect millions. Campaign active since 2022 with sophisticated evasion and persistence mechanisms. T
Fake ChatGPT site delivers dual-platform malware targeting Windows and Mac users. Windows victims get credential stealers while Mac users receive $3K/month AMOS malware designed for cryptocurrency theft. Key technical details: • Fake site
Glassworm targeted developers through poisoned VS Code extensions, npm packages, and GitHub repos while using Solana, BitTorrent, and Google Calendar for resilient command and control