- Home
- Cybercrime and Ransomware
- Emerging Tech
- Threat Intelligence
- Expert Insights
- Careers and Learning
- Compliance
Subscribe to Updates
Subscribe to our newsletter and never miss our latest news
Subscribe my Newsletter for New Posts & tips Let's stay updated!
Author: Staff Writer
John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.
Quick Takeaways NSFOCUS Security CERT identified a credential-stealing malware in the latest LiteLLM release on GitHub. The malicious code was a result of supply chain poisoning, orchestrated by the TeamPCP group via PyPI. Attackers compromised the security scanning tool Trivy to gain publishing permissions and inject malicious code. This incident highlights the increasing threat of supply chain attacks targeting AI infrastructure and open-source projects. The Core Issue Recently, NSFOCUS Technology CERT reported a concerning security breach involving the LiteLLM project on GitHub. The breach occurred because a malicious program, spread through the PyPI platform by the TeamPCP group, poisoned the…
Fast Facts Critical security updates released in March 2026 address severe vulnerabilities across enterprise and AI systems, notably affecting NVIDIA’s AI frameworks, including Apex, Triton, Megatron LM, and NeMo Framework. A key vulnerability (CVE-2025-33244) in NVIDIA Apex could allow attackers to execute arbitrary code, hijack training workloads, steal proprietary models, or escalate privileges, posing substantial remote code execution risks. Other high-severity flaws in NVIDIA tools, such as Triton Inference Server and Megatron LM, could lead to system disruptions, unauthorized access, or exposure of sensitive AI training data if not patched promptly. Organizations are urged to swiftly review NVIDIA security bulletins,…
Fast Facts High-grade iOS exploit kits Coruna and DarkSword, linked to government espionage and Operation Triangulation, have been leaked to criminals and the public, increasing widespread threat. Coruna is believed to be developed by US military contractors, while DarkSword likely originated in the Gulf region; both have been repurposed for financial theft alongside espionage. These tools are now used by diverse actors, from nation-states to criminal groups, to target global organizations and even low-level cybercriminals, blurring lines between espionage and crime. Organizations must urgently upgrade iOS security, as these exploits remain effective on outdated systems, risking credential theft, lateral movement,…
Quick Takeaways Leak Bazaar, launched by SnowTeam, is a new platform transforming raw stolen corporate data into organized, sellable intelligence through advanced processing and human validation, addressing the inefficiency of traditional data leaks post-ransom failure. It targets high-value organizational data (≥100GB, preferably 1TB), focusing on English-language, unpublished content, and offers a revenue split favoring data providers, with flexible sale formats including permanent and recurring sales. The platform classifies stolen data by buyer demand—such as financial reports or personal records—making complex archives easily interpretable and commercially valuable, thus extending the lifespan of exfiltrated data. Analysts warn that Leak Bazaar exemplifies a…
Quick Takeaways Rapid7 Labs uncovered a sophisticated, state-sponsored Chinese espionage campaign by Red Menshen, targeting global telecom infrastructure to enable long-term data collection and geopolitical tracking. The campaign employs BPFdoor, a stealth Linux backdoor that exploits kernel-level Berkeley Packet Filter (BPF) features, with a new variant hiding command signals within HTTPS traffic and ICMP packets for enhanced stealth. Red Menshen’s operatives target critical telecom providers and infrastructure components—including VPNs, network devices, and cloud-based 5G core functions—using advanced post-exploitation tools and infrastructure masquerading techniques. Organizations are urged to improve visibility into kernel operations and BPF activity, utilize detection tools like Rapid7’s…
Quick Takeaways The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical, actively exploited code injection vulnerability, CVE-2026-33017, affecting the Langflow platform to its KEV catalog. This flaw allows unauthenticated attackers to remotely inject malicious code into workflows, bypassing security controls due to improper validation and missing authentication. Exploitation poses serious risks, including manipulation of AI workflows, data theft, and potential pivoting to internal networks, especially given Langflow’s role in connecting AI models and enterprise systems. CISA mandates federal agencies to apply patches by April 8, 2026, and advises organizations to update immediately or cease using Langflow until a…
Fast Facts Torg Grabber, a rapidly evolving credential stealer, transitioned from Telegram-based exfiltration to a sophisticated, encrypted REST API command-and-control infrastructure within three months, serving multiple criminal clients. The malware targets over 30 browser types and collects sensitive information like credentials, browser extensions, session data, VPN configs, and screenshots, indicating a wide data-harvesting scope. It employs a multi-stage loader chain—initial dropper via fake software or cheats, followed by in-memory, diskless PE payloads using custom syscalls and AES encryption—making detection difficult. investigators advise caution against unofficial downloads, monitoring for suspicious PowerShell activity, BITS transfers, in-memory malware patterns, and irregular browser behavior…
Summary Points Stryker recently experienced a cybersecurity incident involving a malicious file used to conceal activity, but it was not ransomware or malware capable of spreading within or outside their systems. The company, in collaboration with experts including Palo Alto Networks’ Unit 42, confirmed that there was no evidence of malicious activity directed towards customers, suppliers, or partners, and the threat is believed to be contained. Stryker emphasized its rapid response, system restoration, and ongoing efforts to resume critical manufacturing operations, prioritizing patient care and transparency with authorities and partners. The incident occurred amidst heightened geopolitical tensions linked to Iran,…
Critical Vulnerability: Remote Attackers Can Execute Arbitrary Commands via Synology DiskStation Manager
Top Highlights A severe vulnerability (CVE-2026-32746) in Synology DiskStation Manager (DSM), affecting multiple versions, allows unauthenticated remote attackers to execute arbitrary commands via a buffer overflow in the telnetd daemon. The flaw stems from improper input handling during active network sessions, enabling memory corruption that bypasses authentication, with a CVSSv3 score of 9.8, marking it as critically severe. Synology has released patches for affected DSM versions; administrators are urged to immediately update or disable Telnet to mitigate remote exploitation risks, which could lead to ransomware deployment or data theft. Disabling Telnet by turning off the service provides an immediate security…
Summary Points Cisco has issued an urgent alert for a critical vulnerability (CVE-2026-20131) in its Secure Firewall Management Center (FMC), which allows remote attackers to execute arbitrary code with root privileges. The flaw stems from insecure Java deserialization in the web management interface, exploitable without authentication via crafted Java objects, leading to full system compromise. Exploited attackers can gain persistent root access, enabling them to manipulate security controls and deepen network infiltration, with active exploitation observed in the wild since March 2026. Cisco recommends immediate patching, restricting public internet access to FMC, and using Cisco tools to verify and update…