Windows Zero-Days Expose Systems, Critical NGINX Flaw Under Active Attack, and State-Sponsored Ransomware Targets OT
Summary
This week in cybersecurity, researchers disclosed multiple Windows zero-day vulnerabilities, including 'MiniPlasma' and 'YellowKey,' granting attackers full system access and bypassing BitLocker encryption. A critical 18-year-old flaw in NGINX, 'NGINX Rift,' is now under active exploitation, threatening millions of web servers. The line between cybercrime and nation-state attacks continues to blur as Iran-aligned actors weaponize ransomware against critical infrastructure. Additionally, a logical flaw in the Verus-Ethereum bridge led to an $11.5 million theft, and a widespread supply chain attack compromised popular open-source packages.
Today's New Articles
New 'MiniPlasma' Windows Zero-Day Resurrects Patched Flaw for Full System Control
A security researcher has released a proof-of-concept exploit for 'MiniPlasma,' an unpatched zero-day vulnerability affecting modern Windows 11 systems. The flaw, a regression of a bug Microsoft supposedly fixed in 2020, allows a local attacker to escalate pri...
Verus-Ethereum Bridge Loses $11.5M in Logical Exploit; Attacker Forges Value-less Transaction
The Verus-Ethereum cross-chain bridge has been exploited for approximately $11.58 million in digital assets. The attacker leveraged a critical logical flaw in the bridge's smart contract, not a cryptographic weakness. By submitting a validly signed proof for a...
Critical 18-Year-Old 'NGINX Rift' Vulnerability (CVE-2026-42945) Under Active Attack
A critical vulnerability in the NGINX web server, dubbed 'NGINX Rift' and tracked as CVE-2026-42945, is being actively exploited in the wild. The flaw, a heap buffer overflow that has existed in the codebase for 18 years, can be triggered by a remote attacker...
The line between nation-state espionage and financially motivated cybercrime is dissolving as state-sponsored actors, particularly from Iran, increasingly use ransomware as a proxy weapon. Security analysts report that groups like MuddyWater and APT33 are leve...
Pwn2Own Berlin 2026 Concludes with $1.3M Awarded for 47 Zero-Days in Enterprise Software
The Pwn2Own Berlin 2026 ethical hacking competition has concluded, with researchers earning nearly $1.3 million for disclosing 47 unique zero-day vulnerabilities in a range of major enterprise software products. The Taiwanese team DEVCORE won the coveted 'Mast...
Article Updates
Instructure Pays Off ShinyHunters to Delete Data of 275M Canvas Users
Update: Instructure has officially confirmed paying an undisclosed ransom to the ShinyHunters hacking group following the massive Canvas data breach. This decision, made to secure the return and destruction of 3.65 TB of stolen data affecting 275 million users, has dr...
Update: Further analysis of the YellowKey BitLocker bypass reveals that Windows 10 is not affected, clarifying the scope of the vulnerability. The attack specifically involves holding the CTRL key during the Windows Recovery Environment (WinRE) boot process to trigger...
Microsoft Exchange Zero-Day CVE-2026-42897 Under Active Exploitation, Mitigation Urged
Update: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the actively exploited Microsoft Exchange zero-day, CVE-2026-42897, to its Known Exploited Vulnerabilities (KEV) catalog. This inclusion mandates federal agencies to apply mitigations b...
Russian APT Turla Evolves Kazuar Backdoor into Stealthy P2P Botnet
Update: The updated analysis of Turla's Kazuar P2P botnet reveals a sophisticated leader election process where only one node communicates externally, significantly boosting stealth. The malware's modular framework now includes Kernel, Bridge, and Worker components, a...
NIST Finalizes SP 800-172r3, Toughening Security Rules for Controlled Unclassified Information (CUI)
Update: The updated guidance for NIST SP 800-172 Revision 3 now explicitly includes its assessment companion, SP 800-172A Revision 3. The primary focus is on bolstering defenses against Advanced Persistent Threats (APTs) by promoting cyber resiliency and defense-in-de...
Japan Forms Public-Private Task Force to Counter AI-Driven Cyber Threats like 'Mythos'
Update: Anthropic is set to brief the Financial Stability Board (FSB), a global financial regulator, on its 'Mythos' AI model. This follows a request from the Bank of England's governor, reflecting growing international concern over Mythos's ability to autonomously di...
OpenAI Hit by "Shai-Hulud" Supply Chain Attack on TanStack NPM Library
Update: Security researchers at Wiz have provided further details on the TeamPCP supply chain attack. The report confirms the worm-like propagation mechanism, where attackers stole developer credentials and API tokens to publish malicious versions of popular open-sour...