Verizon DBIR Crowns Vulnerability Exploits as Top Breach Vector; Microsoft Disrupts Fox Tempest Malware-Signing Service

Verizon's 2026 DBIR Reveals Vulnerability Exploitation as the Leading Initial Access Vector in Data Breaches

The 2026 Verizon Data Breach Investigations Report (DBIR) marks a historic shift in the threat landscape. For the first time in 19 years, the exploitation of software vulnerabilities is the leading cause of data breaches, responsible for 31% of incidents. This trend is fueled by AI-accelerated attacks and a concurrent slowdown in enterprise patch management, with organizations successfully remediating only 26% of known exploited vulnerabilities. The report also highlights a 60% jump in supply chain breaches and the growing threat of 'Shadow AI' in the workplace.

DBIRVerizonVulnerability ManagementPatch ManagementSupply Chain Security +5 more

5 min read

Verizon DBIR 2026: Vulnerability Exploitation Now the #1 Cause of Breaches, Surpassing Stolen Credentials

Microsoft Takes Down 'Fox Tempest' Cybercrime Service That Sold Forged Code-Signing Certificates

Microsoft Disrupts Fox Tempest's Malware-Signing-as-a-Service Operation Used by Ransomware Gangs

Microsoft has executed a legal and technical takedown of 'Fox Tempest,' a financially motivated cybercrime group that ran a sophisticated malware-signing-as-a-service (MSaaS). The group sold counterfeit code-signing certificates for up to $9,500, allowing other criminals, including the Rhysida ransomware gang, to disguise their malware as legitimate software and bypass security controls. Microsoft seized the group's primary domain, took hundreds of VMs offline, and is collaborating with the FBI and Europol to identify the operators.

Fox TempestMicrosoftCode SigningMSaaSRansomware +4 more

Microsoft Takes Down 'Fox Tempest' Cybercrime Service That Sold Forged Code-Signing Certificates

New 'WantToCry' Ransomware Uses Exposed SMB Services for Novel Remote Encryption Attacks

SophosLabs Details 'WantToCry' Ransomware Targeting Exposed SMB Ports for Remote File Encryption

A new ransomware strain named 'WantToCry' is actively targeting systems with exposed Server Message Block (SMB) services. According to SophosLabs, the attackers brute-force credentials to gain access, then exfiltrate files to their own servers for encryption. The encrypted files are then rewritten back to the victim's host over SMB. This technique minimizes the on-host footprint, making detection difficult as no malware is executed locally. The attacks are linked to infrastructure previously associated with LockBit, Qilin, and BlackCat ransomware.

WantToCryRansomwareSMBSophosBrute Force +2 more

New 'WantToCry' Ransomware Uses Exposed SMB Services for Novel Remote Encryption Attacks

AI-Powered Cyberattacks Are Overwhelming Critical Infrastructure Defenses, Experts Warn

Experts Warn Human-Led Security is Insufficient Against AI-Driven Attacks on Critical Infrastructure

Security experts are sounding the alarm that AI-powered cyberattacks are becoming too fast and complex for human-led security teams to handle, particularly in critical infrastructure sectors. As operators of hospitals, utilities, and power grids connect more of their Operational Technology (OT) to IT networks, they create a vast attack surface that AI-assisted adversaries are exploiting. The speed of these attacks is forcing a necessary shift towards automated, AI-driven defensive systems to protect essential services from real-world disruption.

Artificial IntelligenceAICritical InfrastructureOT SecurityICS +2 more

AI-Powered Cyberattacks Are Overwhelming Critical Infrastructure Defenses, Experts Warn

XCSSET Malware Detailed: A Supply Chain Attack on macOS Developers via Xcode Projects

ADEX Analysis Reveals XCSSET Malware's Propagation Through Infected Xcode Projects

Security firm ADEX has published a deep-dive analysis of the XCSSET macOS malware, detailing how it conducts supply chain attacks against developers. The malware injects itself into Xcode projects and uses a self-propagating mechanism to spread to other projects on a developer's machine and potentially to public repositories. XCSSET is a modular threat capable of stealing a wide range of credentials, including Keychain data, AWS tokens, and SSH keys, and also features clipboard hijacking and ransomware capabilities.

XCSSETmacOSMalwareXcodeSupply Chain Attack +2 more

5 min read

XCSSET Malware Detailed: A Supply Chain Attack on macOS Developers via Xcode Projects

EU Cybersecurity Centre Opens Call for Experts to Oversee Billions in Digital Funding

ECCC Seeks Independent Experts for Digital Europe and Horizon Europe Cybersecurity Programs

The European Cybersecurity Competence Centre (ECCC) has launched a call for independent cybersecurity experts to assist in evaluating and monitoring projects funded under the multi-billion Euro Digital Europe and Horizon Europe programs. Professionals with at least five years of experience are invited to apply by June 15, 2026, to help shape the EU's investment in digital resilience, technological sovereignty, and cybersecurity research amid growing global threats.

ECCCEuropean UnionCybersecurityPolicyFunding +2 more

3 min read

EU Cybersecurity Centre Opens Call for Experts to Oversee Billions in Digital Funding

Japan Introduces New National Strategy to Defend Critical Infrastructure from Cyberattacks

Japan Adopts New Cyber Defense Measures for Critical Infrastructure in Response to AI-Driven Threats

The Japanese government has adopted a new, comprehensive package of measures to strengthen the cyber defenses of its critical infrastructure. The strategy, targeting 15 industry sectors including finance and medicine, is a direct response to the rising risk of sophisticated cyberattacks amplified by advanced AI. The plan focuses on enhancing government-led intelligence gathering, fostering a skilled cybersecurity workforce, and increasing pressure on software vendors to patch vulnerabilities promptly.

JapanCybersecurityPolicyCritical InfrastructureAI +1 more

3 min read

Japan Introduces New National Strategy to Defend Critical Infrastructure from Cyberattacks

Not So Gentle: 'The Gentlemen' Ransomware Gang Hacked, Internal Operations Exposed

Internal Breach of 'The Gentlemen' Ransomware Group Exposes Infrastructure, Chats, and Victim Data

The ransomware-as-a-service (RaaS) group known as 'The Gentlemen' has reportedly suffered a major breach of its own internal systems. The compromise has given security researchers at Check Point an unprecedented look inside the gang's operations, including affiliate chats, backend infrastructure, and victim databases. The leak revealed that the group, which offers affiliates a 90% revenue share, had compromised over 1,570 victims—far more than publicly claimed. Despite the major operational security failure, the group appears to be continuing its attacks.

The GentlemenRansomwareRaaSCheck PointData Breach +2 more

Not So Gentle: 'The Gentlemen' Ransomware Gang Hacked, Internal Operations Exposed

Updated Articles (5)

The Agentic Era: Frontier AI Models Fuel a Surge in Vulnerability Discovery

Cybersecurity Enters 'Agentic Era' as Frontier AI Models Like GPT-5.5-Cyber and Claude Mythos Dramatically Accelerate Vulnerability Discovery

Security experts, including Check Point's Yochai Corem, warn that the 'agentic speed' of AI-powered attacks, which can autonomously chain exploits and pivot rapidly, creates a critical mismatch with slow, manual human remediation cycles. This asymmetry is now considered the most exploitable vulnerability. Organizations must shift to automated discovery, validation, and remediation to match the adversary's pace, as demonstrated by a healthcare organization reducing MTTR to 0.87 hours. This requires embracing exposure management and redefining security analyst roles.

May 14, 2026

AIArtificial IntelligenceVulnerability DiscoveryExploitationProject Glasswing +3 more

5 min read

The Agentic Era: Frontier AI Models Fuel a Surge in Vulnerability Discovery

New 'MiniPlasma' Windows Zero-Day Resurrects Patched Flaw for Full System Control

CRITICAL

Unpatched 'MiniPlasma' Windows Vulnerability Grants SYSTEM Privileges by Reviving CVE-2020-17103

The 'MiniPlasma' zero-day exploit's proof-of-concept has been further verified by multiple independent security researchers, confirming its reliability on fully patched Windows 11 systems. This widespread confirmation significantly increases the urgency, with active exploitation by threat actors now considered highly likely. The new report also provides specific external sources, including direct links to articles detailing the vulnerability and its impact, offering additional context and verification for the ongoing threat.

May 18, 2026

zero-dayprivilege escalationWindows 11cldflt.syspatch regression +1 more

6 min read

New 'MiniPlasma' Windows Zero-Day Resurrects Patched Flaw for Full System Control

Unit 42: Frontier AI Models Can Autonomously Find Zero-Days, Posing Major Threat to Software Security

Fracturing Software Security With Frontier AI Models

Check Point Research reports new AI-powered exploits. 'Claw Chain' (CVE-2026-44112, CVSS 9.6) vulnerabilities were found in the OpenClaw autonomous AI agent platform, allowing sandbox bypass and full control. Additionally, an AI-assisted exploit was demonstrated to bypass Apple's Memory Integrity Enforcement on M5 chips, granting full system control. These disclosures provide concrete examples of the emerging threat of AI in vulnerability discovery and exploitation, making the previously theoretical threat more tangible.

April 20, 2026

AIArtificial IntelligenceZero-DayN-DayVulnerability Research +4 more

8 min read

Unit 42: Frontier AI Models Can Autonomously Find Zero-Days, Posing Major Threat to Software Security

Post-Shai-Hulud: npm Attacks Evolve with Wormable Malware and CI/CD Persistence

CRITICAL

Unit 42 Report: Sophisticated Supply Chain Attacks Target npm, Impersonating Bitwarden and Compromising SAP CAP Toolchain

Recent campaigns like TeamPCP and 'mini Shai-Hulud' exemplify a strategic shift by threat actors to target developer workstations directly. These environments are now considered the 'epicenter' for compromising the entire software delivery lifecycle, as they contain high-value credentials, API keys, and secrets. Experts emphasize the need to treat developer machines as production environments, implementing robust endpoint security, credential hygiene, and containerized development to mitigate widespread supply chain compromise.

May 2, 2026

npmsupply chain attackShai-Huludcredential theftCI/CD +5 more

11 min read

Post-Shai-Hulud: npm Attacks Evolve with Wormable Malware and CI/CD Persistence

‘Mini Shai-Hulud’ Supply Chain Attack Hits 170+ Open-Source Packages via GitHub Actions

CRITICAL

Sophisticated 'Mini Shai-Hulud' Campaign Abuses GitHub Actions and SLSA Signing to Spread Malware

New details from TanStack confirm the 'Mini Shai-Hulud' campaign compromised 42 of their npm packages on May 11, 2026, publishing 84 malicious versions. The attack leveraged GitHub Actions cache poisoning and, critically, the theft of a short-lived OIDC token from the build environment. This sophisticated method allowed attackers to publish packages without compromising maintainer credentials, highlighting a dangerous new vector for supply chain attacks through CI/CD pipelines. The payload was credential-stealing malware targeting developer environments.

May 14, 2026