contact@trustinfinitech.com (573) 234-6540

Weekly Security Roundup – May 8 2026

PCPJack Credential Stealer Targets Cloud Infrastructure

Researchers have uncovered PCPJack, a new credential-stealing framework designed to compromise exposed cloud environments and spread in a worm-like fashion. The malware exploits five known vulnerabilities to move laterally across services such as Docker, Kubernetes, Redis, MongoDB, and vulnerable web applications. Once inside, it harvests credentials from cloud, developer, productivity, and financial services, then exfiltrates them via attacker-controlled infrastructure.

What makes PCPJack notable is its overlap with TeamPCP campaigns, even as it deliberately strips out TeamPCP artifacts and skips crypto-mining in favor of pure credential theft. This points to a shift toward access resale, fraud, and broader cloud abuse. For organizations, the campaign underscores how unpatched cloud services and weak credential hygiene can quickly escalate into multi-system compromise.


Ivanti Warns of New EPMM Zero-Day Under Active Exploitation

Ivanti disclosed a high-severity remote code execution flaw in its on-prem Endpoint Manager Mobile (EPMM) product that is being exploited in the wild. Tracked as CVE-2026-6973, the vulnerability allows authenticated administrators to execute arbitrary code on vulnerable systems. While exploitation is described as limited, hundreds of internet-exposed EPMM instances remain at risk.

Ivanti has released patches and urged customers to upgrade immediately and rotate administrative credentials, especially if they were affected by earlier Ivanti zero-days. This incident continues a troubling trend of attackers targeting enterprise management platforms, which often provide broad visibility and control over devices.


PAN-OS Firewall RCE Zero-Day Exploited Since April

Palo Alto Networks confirmed that a critical zero-day vulnerability in PAN-OS firewalls has been exploited since early April. The flaw, CVE-2026-0300, enables unauthenticated remote code execution with root privileges via the User-ID Authentication Portal on internet-exposed devices. Activity has been linked to a suspected state-sponsored cluster and includes post-compromise log wiping and tunneling tools.

With thousands of exposed firewalls still visible online and patches not immediately available, the risk window is significant. This incident reinforces the growing focus by advanced threat actors on network edge devices, which often lack strong monitoring and provide high-impact access when compromised.


Fake Claude AI Website Used to Spread Beagle Backdoor

Sophos researchers identified a malicious website impersonating Anthropic’s Claude AI platform to distribute a previously undocumented Windows backdoor called Beagle. Victims are lured into downloading a fake “Claude-Pro Relay” installer, which abuses DLL sideloading and a signed antivirus binary to evade detection. The infection chain uses an in-memory loader before deploying the final backdoor.

The campaign highlights how threat actors are exploiting trust in popular AI brands and search advertising to deliver malware. For businesses, this is a reminder that user awareness and software sourcing controls are just as critical as technical defenses, especially as AI tools become mainstream.


Linux Kernel “Dirty Frag” LPE Grants Root Access

A newly disclosed Linux kernel vulnerability dubbed Dirty Frag allows local attackers to gain root privileges on most major distributions. The flaw chains two page-cache write bugs and is highly reliable, requiring no race condition. Due to a broken embargo, details and proof-of-concept exploits were released before patches were ready.

Dirty Frag affects widely deployed systems, including Ubuntu, RHEL, Fedora, and others, and poses serious risk in multi-user and containerized environments. Until official fixes are available, administrators are advised to apply mitigations such as disabling affected kernel modules, despite potential operational impact.
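The roundup does not name which kernel modules are affected, so the following is an added, generic example (not code from the roundup or from any vendor advisory) of how an administrator typically disables a kernel module on a Linux host and confirms whether it is currently loaded. The module name is a placeholder; substitute the module(s) named in your distribution's guidance once published.

```shell
#!/bin/sh
# Added example: block a kernel module from loading via a modprobe.d drop-in and
# report whether it is currently loaded. MODULE_NAME below is a placeholder; the
# roundup does not identify the modules involved in Dirty Frag.

# Write a drop-in that prevents both automatic and manual loading of module $1.
# $2 is the modprobe.d directory (defaults to /etc/modprobe.d; override for testing).
# "blacklist" stops alias-based autoloading; "install ... /bin/false" makes an
# explicit modprobe of the module fail as well. Prints the path of the file written.
write_module_block() {
    mod="$1"
    dir="${2:-/etc/modprobe.d}"
    conf="$dir/disable-$mod.conf"
    printf 'blacklist %s\ninstall %s /bin/false\n' "$mod" "$mod" > "$conf"
    printf '%s\n' "$conf"
}

# Return 0 if module $1 is currently loaded according to /proc/modules, 1 otherwise.
# A missing /proc/modules (e.g. a restricted container) is treated as "not loaded".
module_loaded() {
    grep -q "^$1 " /proc/modules 2>/dev/null
}

# Usage (as root):
#   write_module_block MODULE_NAME          # persist the block across reboots
#   module_loaded MODULE_NAME && rmmod MODULE_NAME   # unload it now, if nothing depends on it
```

Because the roundup warns of operational impact, check what depends on the module (for example with `lsmod`) before unloading it, and keep the drop-in under configuration management so it can be reverted once the patched kernel ships.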
