SafeDep has detailed Megalodon, a GitHub Actions attack that scans 5,561 repositories for usable CI/CD secrets and credentials by submitting malicious pull requests that contain crafted workflow files. The campaign appears unrelated to the recent TeamPCP supply-chain wave. Separately, a throwaway npm account 'polymarketdev' published nine packages within 30 seconds (polymarket-trading-cli, polymarket-terminal, polymarket-trade, polymarket-auto-trade, polymarket-copy-trading, polymarket-bot, polymarket-claude-code, polymarket-ai-agent, polymarket-trader) that, on postinstall, present a fake wallet onboarding prompt and exfiltrate Ethereum and Polygon private keys to a Cloudflare Worker at polymarketbot.polymarketdev.workers[.]dev. The malicious packages remain live on npm at time of publication.
The Dutch Financial Crime Investigation Service (FIOD) has arrested two men and seized 800 servers during raids on data centers in Dronten and Schiphol-Rijk that hosted infrastructure for cyberattacks, disinformation, and influence operations tied to sanctioned Russian and Belarusian entities. The 57-year-old company director and a 39-year-old connectivity provider face charges of indirectly providing economic resources to EU-sanctioned parties. The web hosting company Stark Industries was sanctioned by the EU last May; investigators say its infrastructure was simply transferred to a newly created Dutch company called WorkTitans B.V., trading under THE.Hosting. Mirhosting, which provided physical colocation and connectivity, denies knowingly supporting illegal operations.
Google has accidentally published the technical details of an unfixed Chromium vulnerability that lets a malicious webpage run JavaScript on a visitor's device even after the browser is closed. The issue, originally reported by researcher Lyra Rebane in December 2022, abuses a Service Worker download task that never terminates. It was marked 'fixed' on February 12 and the bug tracker went public on May 20 after the 14-week visibility timer expired, but Rebane re-tested the latest Chrome Dev 150 and Edge 148 and confirmed the bug still works. Microsoft Edge no longer shows a download prompt, making the persistence completely silent. All Chromium-based browsers are affected.
Lumen Black Lotus Labs and PwC Threat Intelligence have detailed a Chinese cyber-espionage campaign tied to the Calypso group (also tracked as Red Lamassu) that has been hitting telecommunications providers across Asia Pacific and parts of the Middle East since mid-2022. The operators run a Linux post-exploitation framework called Showboat (or kworker) that doubles as a SOCKS5 proxy and port-forwarder, plus a Windows RAT called JMFBackdoor delivered via DLL-sideloading of fltMC.exe + FLTLIB.dll. Showboat retrieves a 'hide' command from public dead-drops like Pastebin to mask its process. The tooling appears to be shared across multiple China-aligned clusters targeting distinct victim sets.
Cisco has patched a maximum-severity flaw, CVE-2026-20223, in the internal REST APIs of Cisco Secure Workload (formerly Tetration), the zero-trust microsegmentation platform used to stop lateral movement in enterprise environments. Insufficient authentication on the affected endpoints lets an unauthenticated remote attacker craft a request that returns sensitive data and modifies configuration with Site Admin privileges across tenant boundaries. Cisco's PSIRT says there is no evidence of in-the-wild exploitation yet and no workaround exists. The on-prem fixed releases are 3.10.8.3 and 4.0.3.17; the SaaS deployment has already been patched. Sites running 3.9 or earlier must migrate to a fixed release.
A joint operation between French, Dutch and 14 other authorities, coordinated by Europol and Eurojust, has taken down First VPN, a privacy-focused VPN service that was advertised on cybercrime forums as a no-logs option that ignored law enforcement requests. Authorities seized 33 servers across 27 countries, took down the 1vpns.com, 1vpns.net, 1vpns.org domains and the onion mirrors, and questioned a Ukrainian suspect. Investigators infiltrated the infrastructure before takedown and pulled the user database, sharing 506 user identifications and 83 intelligence packages internationally. Europol says the service name turned up in nearly every major cybercrime investigation it has supported in recent years.
Krebs on Security reports that Jacob Butler, the 18-year-old Ottawa resident allegedly known online as 'Dort,' has been arrested and charged in both the US and Canada with running the Kimwolf IoT botnet. KrebsOnSecurity unmasked Butler as the operator on February 28 by tying together his email addresses, forum registrations, and public Telegram and Discord posts. Dort later threatened and swatted researchers including Synthient's Ben Brundage. Ontario Provincial Police executed a search warrant in Ottawa on March 19 and seized devices. Kimwolf competed with Aisuru, JackSkid, and Mossad for the same vulnerable-IoT population. Butler faces up to 10 years if extradited and convicted in the US.
CISA has added two new entries to its Known Exploited Vulnerabilities catalog. CVE-2025-34291 is an origin-validation/CORS chain in Langflow, a popular open-source AI agent framework, that lets a malicious webpage exfiltrate refresh tokens and reach the code-validation endpoint for full RCE. Active exploitation began on January 23, 2026, and threat actors have been deploying the Flodric botnet through compromised instances. CVE-2026-34926 is a directory-traversal flaw in Trend Micro Apex One (On-Premise) that allows file read or write outside the intended path. FCEB agencies must remediate by June 11 per BOD 22-01; CISA urges all organisations to do the same.
Aikido Security's Joe Leon has documented that standard Google Cloud API keys keep working for up to 23 minutes after they are deleted from the GCP console, with a median revocation window of 16 minutes. Over 10 trials across two days, the team kept sending authenticated requests at 3-5 per second; one trial saw 79% of requests succeed one minute after deletion. During this window, an attacker holding a leaked key retains full access to any enabled API on the project, including Gemini file dumps, BigQuery, and Maps. Google closed the bug report as 'won't fix.' Service-account deletions propagate in around 5 seconds; only standard API keys are slow.
ADAMnetworks researchers have disclosed Underminr, a domain-fronting attack that abuses how major content delivery networks resolve HTTP requests, letting an attacker route malicious traffic so it appears to come from trusted brand domains. Protective DNS filters see the DNS lookup for the legitimate site and wave it through. ADAMnetworks estimates 42% of websites globally are vulnerable, 51% in the US, around one-third in Eastern Europe, and under 9% in China's heavily-regulated internet. The researchers say attackers are already using the technique. Boutique security-focused CDNs that perform domain verification are not vulnerable; the larger general-purpose providers carry most of the exposure.