AI-Generated Zero-Day Discovered; Massive Supply Chain Attack Hits npm & PyPI; Ransomware Evolves with Post-Quantum Crypto

Kaspersky Report: Ransomware Landscape Shifts to Post-Quantum Encryption, Data Leak Extortion, and EDR Evasion

Kaspersky's 2026 ransomware report reveals major tactical shifts. While the number of affected organizations has slightly decreased, the threat has intensified. Advanced groups are now deploying ransomware with post-quantum cryptography to future-proof their extortion. A growing trend is 'encryptionless extortion,' where attackers like ShinyHunters skip encryption and focus solely on data theft and the threat of public leaks. Attackers also continue to rely on Initial Access Brokers and increasingly use 'EDR killers' and BYOVD techniques to neutralize endpoint security as a standard attack phase.

RansomwareKasperskyPost-Quantum CryptographyPQCEncryptionless Extortion +3 more

Ransomware Evolves in 2026: Attackers Adopt Post-Quantum Crypto and Encryptionless Extortion

High-Severity Flaw in JetBrains TeamCity On-Premises Allows API Exposure (CVE-2026-44413)

JetBrains Patches High-Severity Vulnerability (CVE-2026-44413) in TeamCity On-Premises

JetBrains has disclosed and patched a high-severity, post-authentication vulnerability (CVE-2026-44413) in its TeamCity On-Premises CI/CD server. The flaw allows any authenticated user, regardless of their permissions, to expose parts of the server API to unauthorized external users. All versions up to 2025.11.4 are affected. JetBrains has released version 2026.1 to fix the issue and has also provided a security patch plugin for users who cannot upgrade immediately. TeamCity Cloud instances are not affected.

JetBrainsTeamCityVulnerabilityCVE-2026-44413CI/CD +2 more

Living Off the Land: Threat Actors Increasingly Abuse Legitimate Platforms Like Teams and GitHub

Threat Actors Abuse Microsoft Teams, GitHub, and Phone Link to Blend In and Evade Detection

A significant 2026 trend shows threat actors are increasingly abusing trusted enterprise platforms to conduct malicious operations and evade detection. Attackers are 'living off the trusted platform' by leveraging services like Microsoft Teams for malware delivery, GitHub for distribution, and the Windows Phone Link app for SMS interception. This strategic shift allows them to blend malicious traffic with legitimate business workflows, exploiting the implicit trust that users and security tools place in these well-known services, and making detection significantly more challenging.

Living off the LandMicrosoft TeamsGitHubWindows Phone LinkMFA Bypass +2 more

Living Off the Land: Threat Actors Increasingly Abuse Legitimate Platforms Like Teams and GitHub

Critical Flaws in AI Coding Agents and Browser Extensions Expose Developer Workflows

CRITICAL

Researchers Uncover Critical Flaws in AI Tools, Including WebSocket Hijacking in Cline and Agent Hijacking in Claude Extension

Security researchers have uncovered critical vulnerabilities in popular open-source AI tools, highlighting new risks in developer workflows. A WebSocket hijacking flaw (CVSS 9.7) in the AI coding agent Cline's local Kanban server allowed any visited website to exfiltrate data and inject commands. A separate issue in Anthropic's Claude Chrome extension permitted other extensions to hijack the AI agent and send malicious prompts. These findings underscore the growing attack surface of the AI software supply chain as these tools become more integrated into development environments.

AIVulnerabilitySupply Chain AttackDeveloper ToolsCline +4 more

Critical Flaws in AI Coding Agents and Browser Extensions Expose Developer Workflows

AD CS Escalation Deep Dive: How Attackers Abuse Certificate Templates for Domain Dominance

Unit 42 Details Advanced Exploitation of Active Directory Certificate Services

Security researchers from Unit 42 have published a detailed analysis of advanced attacks targeting Active Directory Certificate Services (AD CS). The report highlights how threat actors, from ransomware groups to state-sponsored entities, are exploiting common misconfigurations in certificate templates and abusing shadow credentials to escalate privileges and achieve complete domain control. The research focuses on techniques like ESC1, where attackers can request certificates to impersonate high-privilege accounts. Rather than relying on malware, these attacks leverage native Windows functionality, making them difficult to detect with traditional signature-based tools. The analysis emphasizes the need for behavioral analytics and provides actionable guidance for defenders to identify and mitigate these stealthy but highly impactful threats to enterprise identity infrastructure.

AD CSActive DirectoryPrivilege EscalationCertificate TemplatesESC1 +5 more

14 min read

AD CS Escalation Deep Dive: How Attackers Abuse Certificate Templates for Domain Dominance

Updated Articles (6)

Ransomware Landscape Report: Qilin Leads, 'The Gentlemen' Surges in Q1 2026

INFORMATIONAL

Ransomware Landscape Establishes 'New Normal' of High Activity; Qilin and The Gentlemen Emerge as Top Groups in Q1 2026

A new Q1 2026 report from Check Point Research reveals significant ransomware market consolidation, with top 10 groups claiming 71% of victims. LockBit 5.0 made a strong comeback with 163 victims after law enforcement disruption. Qilin remained the market leader with 338 victims, while 'The Gentlemen' surged to 166 victims, focusing on non-Western regions and FortiGate vulnerabilities. Although overall victim numbers slightly decreased from Q4 2025, the threat level remains high, indicating a mature criminal market dominated by resilient adversaries.

April 18, 2026

RansomwareThreat IntelligenceQilinThe GentlemenAkira +1 more

Ransomware Landscape Report: Qilin Leads, 'The Gentlemen' Surges in Q1 2026

QR Code Phishing Surges 146% in Q1 2026, Microsoft Warns

Microsoft Threat Report Reveals QR Code Phishing as Fastest-Growing Email Threat, Surging 146% in Early 2026

A new report from Barracuda reinforces the escalating email threat landscape, confirming the surge in QR code phishing and highlighting AI's role in crafting hyper-realistic social engineering lures. It identifies malicious HTML attachments as another key evasive delivery method. The report reveals alarming statistics: one in three emails is now malicious or spam, and 34% of companies face monthly account takeovers, increasing internal phishing risks. New mitigation strategies include advanced email security with OCR, account takeover protection, Zero Trust, and Mobile Device Management to combat these industrialized threats.

May 1, 2026

PhishingQuishingQR CodeMicrosoftThreat Intelligence +2 more

QR Code Phishing Surges 146% in Q1 2026, Microsoft Warns

Ivanti Discloses Third Actively Exploited EPMM Zero-Day of 2026 (CVE-2026-6973)

CRITICAL

Ivanti Warns of New EPMM Zero-Day (CVE-2026-6973) Under Active Exploitation

Ivanti has officially released critical security patches for the actively exploited zero-day vulnerability, CVE-2026-6973, in its Endpoint Manager Mobile (EPMM) platform. This RCE flaw, which allows authenticated administrators to execute arbitrary code, was confirmed to be actively exploited in the wild. Despite the availability of patches, reports indicate that hundreds of Ivanti EPMM appliances remained exposed online at the time of disclosure, emphasizing the urgent need for organizations to apply updates and review their network exposure.

May 10, 2026

IvantiZero-DayCVE-2026-6973EPMMMobileIron +3 more

Ivanti Discloses Third Actively Exploited EPMM Zero-Day of 2026 (CVE-2026-6973)

Landmark Discovery: Google Disrupts Campaign Using First-Ever AI-Developed Zero-Day Exploit

Google Threat Analysis Group Detects and Disrupts First Zero-Day Exploit Developed by Artificial Intelligence

New technical analysis of the AI-developed zero-day exploit reveals it targets a semantic logic flaw rooted in a hard-coded trust assumption, enabling 2FA bypass after an attacker obtains valid user credentials. The AI is specifically identified as a Large Language Model (LLM). Additional MITRE ATT&CK techniques include T1588.006 (Develop Capabilities), T1078 (Valid Accounts), and T1610 (Steal Application Access Token). Updated detection guidance emphasizes User and Entity Behavior Analytics (UEBA) and advanced code analysis for AI fingerprints. Mitigation strategies now highlight robust Software Development Lifecycle (SDLC) practices and the use of FIDO2-compliant hardware security keys for MFA.

May 11, 2026

Artificial IntelligenceAIZero-DayExploit DevelopmentGoogle +3 more

5 min read

Landmark Discovery: Google Disrupts Campaign Using First-Ever AI-Developed Zero-Day Exploit

Canvas LMS Breach: ShinyHunters Hacks Thousands of Schools, Disrupts Final Exams

Instructure's Canvas Platform Suffers Major Data Breach Attributed to ShinyHunters Hacking Group

New reports confirm ShinyHunters exfiltrated an alleged 240 million records from Canvas LMS, including student ID numbers and enrolled course information, in what is now being classified as an encryptionless extortion attack. While previous reports focused on a 'Free-For-Teacher' account exploit, newer analyses broaden the potential initial access vectors. The attack continues to highlight the systemic risk of SaaS dependencies in education.

May 11, 2026

Data BreachInstructureCanvasShinyHuntersEducation +3 more

5 min read

Canvas LMS Breach: ShinyHunters Hacks Thousands of Schools, Disrupts Final Exams

CRITICAL: Palo Alto Networks Firewalls Under Active Attack via Unpatched Zero-Day (CVE-2026-0300)

CRITICAL

Actively Exploited Zero-Day Flaw (CVE-2026-0300) in PAN-OS Allows Root Access on Palo Alto Networks Firewalls

This update provides further details on the critical CVE-2026-0300 zero-day affecting Palo Alto Networks PAN-OS firewalls. While the CVSS score is noted as 9.3 (compared to 9.8 previously), the article emphasizes the catastrophic impact, including complete firewall compromise, network espionage, and internal network access. CERT-EU has also amplified the warning. Additional detection methods, such as vulnerability scanners, NIDS, and integrity monitoring, are highlighted to help identify and mitigate the threat.

May 11, 2026