CVE-2026-48188: Critical SQL injection vulnerability (CVSS 9.1) in the OTRS database layer module allows unauthenticated attackers to bypass authentication. The issue only affects installations whose MySQL/MariaDB server runs with the NO_BACKSLASH_ESCAPES SQL mode enabled; in that mode the backslash is an ordinary character, so backslash-based escaping of user input no longer protects string literals.
Update to OTRS version 2026.4.X or later immediately. If patching is not possible, remove NO_BACKSLASH_ESCAPES from the server's sql_mode as a temporary mitigation (check the current value with SELECT @@GLOBAL.sql_mode; and persist the change in the server configuration file, since SET GLOBAL does not survive a restart). sql_mode is server-wide, so confirm that other applications sharing the server do not depend on that mode before changing it.
Source: NVD • Published: 2026-06-01
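The following is an added example, not OTRS code and not taken from the advisory. It models how the MySQL/MariaDB lexer closes a single-quoted literal in each mode (backslash as an escape character, versus NO_BACKSLASH_ESCAPES where the backslash is literal) so an application's escaping routine can be checked against both. It goes slightly beyond the advisory by also showing the mirror-image failure: plain quote doubling breaks when backslash is an escape character, which is why the durable fix is parameterized queries rather than any single escaping rule. The sql_mode strings, table and column names, and the injection payload are constructed for illustration.

```python
# Added example, not OTRS code. Models the two ways MySQL/MariaDB lex a
# single-quoted string literal (backslash as escape vs. NO_BACKSLASH_ESCAPES)
# so an application's escaping routine can be checked against both.
# Table, column and payload strings below are constructed for illustration.

def sql_mode_vulnerable(sql_mode: str) -> bool:
    """True if the sql_mode string (as returned by SELECT @@GLOBAL.sql_mode)
    enables NO_BACKSLASH_ESCAPES."""
    modes = {m.strip().upper() for m in sql_mode.split(",")}
    return "NO_BACKSLASH_ESCAPES" in modes


def literal_end(sql: str, start: int, no_backslash_escapes: bool) -> int:
    """Index of the quote that closes the single-quoted literal opening at
    sql[start], following the server's lexer: a doubled quote '' is a literal
    quote in both modes; a backslash escapes the next character only when
    NO_BACKSLASH_ESCAPES is off. Returns -1 if the literal never closes."""
    assert sql[start] == "'"
    i = start + 1
    while i < len(sql):
        c = sql[i]
        if c == "\\" and not no_backslash_escapes:
            i += 2                      # backslash consumes the next char
            continue
        if c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2                  # '' inside a literal is a quote char
                continue
            return i
        i += 1
    return -1


def escape_backslash(value: str) -> str:
    """Legacy escaping: backslash doubled and ' -> \\'. Correct only while
    backslash is an escape character on the server."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def escape_double(value: str) -> str:
    """Standard SQL escaping: ' -> ''. Leaves backslashes alone."""
    return value.replace("'", "''")


def literal_is_intact(escaped_value: str, no_backslash_escapes: bool) -> bool:
    """Build the query the application would send and check that the literal
    still closes exactly where the application placed its closing quote."""
    query = "SELECT id FROM users WHERE login = '" + escaped_value + "' AND active = 1"
    start = query.index("'")
    expected_end = start + 1 + len(escaped_value)
    return literal_end(query, start, no_backslash_escapes) == expected_end


if __name__ == "__main__":
    payload = "' OR 1=1 -- "                # constructed injection attempt
    for mode in (False, True):
        print(f"NO_BACKSLASH_ESCAPES={mode}: "
              f"backslash-escaped intact={literal_is_intact(escape_backslash(payload), mode)}, "
              f"quote-doubled intact={literal_is_intact(escape_double(payload), mode)}")
```

Run the script against the escaping routine your own code uses; if the literal is not intact in the mode your server reports, user input reaches the parser as SQL. Neither escaper survives both modes (backslash escaping fails under NO_BACKSLASH_ESCAPES, quote doubling fails on a trailing backslash in the default mode), so bound parameters are the correct application-side fix and the sql_mode change is only a stopgap.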
BitLocker bypass zero-day dubbed 'YellowKey' with a public PoC exploit released. The technique involves placing crafted FsTx files on a USB drive or the EFI partition, rebooting into WinRE, and triggering a shell by holding the CTRL key. Affects Windows 11 and Windows Server 2022/2025.
Enable a BitLocker pre-boot PIN and a firmware (BIOS/UEFI) password to raise the bar, but treat them as partial mitigations only: security researcher Kevin Beaumont reports the vulnerability is exploitable even in a TPM+PIN configuration. Monitor for a Microsoft patch. Implement physical security controls to prevent unauthorized boot-device access, and restrict booting from removable media in firmware settings so an attacker cannot reach WinRE from a USB drive.
Source: BleepingComputer • Published: 2026-06-01
North Korean state actor Sapphire Sleet published compromised versions 1.14.1 and 0.30.4 of the axios npm package, each pulling in a malicious dependency 'plain-crypto-js' that downloads second-stage malware from C2 infrastructure. The poisoned versions were live for approximately 3 hours on March 31, 2026. Payloads are platform-specific and target Windows, macOS, and Linux.
Immediately audit all projects whose dependency ranges could resolve to the affected releases (axios@^1.14.0 or axios@^0.30.0), and check lockfiles for the exact versions 1.14.1 and 0.30.4 and for any 'plain-crypto-js' entry, including transitive ones. Clear package caches, lockfiles, and CI/CD artifacts produced during the compromise window, then reinstall dependencies in a clean environment. Treat any developer machine or CI runner that installed the affected versions as compromised and rotate every credential it could reach, including repository secrets, GitHub Actions tokens, and API keys.
Source: MSRC • Published: 2026-03-31
North Korean threat actor Sapphire Sleet (UNC1069) is conducting active supply chain attacks targeting the axios npm package. The actor introduced the malicious 'plain-crypto-js' dependency, which deploys the WAVESHAPER.V2 backdoor on Windows, macOS, and Linux. The financially motivated group has been active since 2018 and has multiple ongoing supply chain operations targeting developers.
Monitor all npm dependencies for unexpected changes. Validate lockfiles in CI/CD pipelines: install with npm ci so the resolved tree cannot drift from the committed lockfile, and review lockfile diffs that introduce new transitive packages. Use npm audit and vulnerability scanning tools, keeping in mind they only flag a package once an advisory exists for it. Consider a private npm registry with vetted packages for critical projects. Review all axios installations for versions 1.14.1 and 0.30.4.
Source: GTIG • Published: 2026-03-31
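The lockfile audit that both axios entries above call for, as an added example (it is not code from the axios project, npm, or the cited sources). It walks a package-lock.json, including nested and transitive installs, and reports the two compromised axios versions and any 'plain-crypto-js' entry, so it can run as a CI gate or over a tree of checked-out repositories. The version and package names come from the advisory text above; the lockfile contents embedded below are constructed for illustration, not real project data.

```python
# Added example, not code from the axios project or the advisory sources.
# Audits a package-lock.json for the compromised axios releases and the
# malicious dependency named in the advisory. Sample lockfiles below are
# constructed for illustration.
import json
import sys

COMPROMISED_AXIOS = {"1.14.1", "0.30.4"}      # versions named in the advisory
MALICIOUS_PACKAGES = {"plain-crypto-js"}       # dependency named in the advisory


def _walk_v1(deps, path, out):
    """Recurse through a lockfileVersion 1 'dependencies' tree."""
    for name, info in (deps or {}).items():
        here = f"{path}/node_modules/{name}" if path else f"node_modules/{name}"
        out.append((here, name, info.get("version", "")))
        _walk_v1(info.get("dependencies"), here, out)


def installed_packages(lock):
    """(path, name, version) for every installed package; handles the flat
    'packages' map of lockfileVersion 2/3 and the nested tree of version 1."""
    out = []
    for path, info in (lock.get("packages") or {}).items():
        if not path:                    # "" is the root project, not a dependency
            continue
        name = info.get("name") or path.rsplit("node_modules/", 1)[-1]
        out.append((path, name, info.get("version", "")))
    if not out:
        _walk_v1(lock.get("dependencies"), "", out)
    return out


def audit_lockfile(lock_text):
    """Findings for compromised axios versions and malicious packages anywhere
    in the tree, including transitive installs and nested copies."""
    findings = []
    for path, name, version in installed_packages(json.loads(lock_text)):
        if name == "axios" and version in COMPROMISED_AXIOS:
            findings.append(f"compromised axios {version} at {path}")
        if name in MALICIOUS_PACKAGES:
            findings.append(f"malicious dependency {name}@{version} at {path}")
    return findings


# Constructed sample lockfiles (not real project data).
SAMPLE_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"axios": "^1.14.0"}},
        "node_modules/axios": {"version": "1.14.1",
                               "dependencies": {"plain-crypto-js": "*"}},
        "node_modules/plain-crypto-js": {"version": "1.0.0"},
        "node_modules/follow-redirects": {"version": "1.15.6"},
    },
})
CLEAN_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"axios": "^1.13.0"}},
        "node_modules/axios": {"version": "1.13.0"},
        "node_modules/follow-redirects": {"version": "1.15.6"},
    },
})
V1_LOCK = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {"some-lib": {"version": "2.0.0", "dependencies": {
        "axios": {"version": "0.30.4", "dependencies": {
            "plain-crypto-js": {"version": "1.0.0"}}}}}},
})

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_LOCK
    findings = audit_lockfile(text)
    for f in findings:
        print("FINDING:", f)
    sys.exit(1 if findings else 0)      # fail the CI job when anything is found
```

Run it as `python audit_lock.py package-lock.json` in the pipeline before `npm ci`; a non-zero exit blocks the build. Because the walk covers nested copies, an axios pinned safely at the top level but pulled in at a bad version by some other library is still reported, which a grep of the direct dependency spec would miss.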
Iranian cyber retaliation campaign following the February 2026 military strikes. The March 11 attack on Stryker Corporation (medical device manufacturer with $25B revenue, 150M patients, 61 countries) forced tens of thousands offline, causing global disruption. Wiper attacks are designed for permanent data destruction with no recovery. The campaign also runs psychological operations using deepfakes and fabricated communications.
Maintain air-gapped backups with offline copies that wiper malware cannot reach, and test restores from them. Require authentication or out-of-band verification for executive communications channels to defeat deepfake and fabricated-message attacks. Establish incident response procedures for data-destruction scenarios. Increase monitoring for Iranian threat actor TTPs. Validate business continuity plans for prolonged outages.
Source: Web • Published: 2026-03-11
ShinyHunters breached Instructure (Canvas LMS), affecting 275 million people across 9,000 schools. The group compromised 3.65 TB of data, including billions of private messages between students and teachers containing PII, and demanded a ransom under threat of leaking the data. ShinyHunters previously attacked Ticketmaster, Google, and multiple universities.
Reset all Canvas LMS credentials immediately, including API tokens used by integrations. Monitor for unauthorized access to student and faculty accounts. Implement enhanced logging and anomaly detection for LMS access. Review third-party integrations for potential lateral movement. Notify affected students and faculty per breach notification requirements.
Source: BleepingComputer • Published: 2026-05-01
The ransomware landscape in 2026 shows adoption of post-quantum cryptography (Kyber-1024 for key encapsulation, at a security level comparable to AES-256), increased use of EDR killers and BYOVD (Bring Your Own Vulnerable Driver) techniques to terminate security processes before payload execution, a shift toward encryptionless extortion as ransom payments decline, and initial access brokers focusing on RDWeb remote access.
Deploy endpoint protection that validates kernel drivers at load time, and enable the Microsoft vulnerable driver blocklist (HVCI) so known-abused signed drivers are refused. Restrict driver installation to an allow-list of signed drivers. Plan backup recovery on the assumption that encrypted data cannot be recovered without the attacker's key. Strengthen RDWeb access controls and enforce MFA. Alert on termination of EDR processes and on driver loads from unusual paths such as user-writable directories.
Source: Web • Published: 2026-06-01
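The detection logic behind the two BYOVD recommendations above (validate drivers at load time, alert on EDR process termination), as an added example that is not code from any source or vendor named on this page. It correlates driver-load events with security-process terminations: a driver whose hash is on a denylist, or that is unsigned, is flagged on its own, and an EDR process dying within a short window after such a load is escalated. Event fields follow the Sysmon Event ID 6 (driver loaded) and Event ID 5 (process terminated) schema; the events, the hashes and the denylist entry are constructed placeholders, not real indicators, and the EDR process-name set is illustrative.

```python
# Added example, not code from any of the sources or vendors named above.
# Correlates driver-load events with EDR process terminations to surface a
# BYOVD-style EDR kill. Event shapes follow Sysmon Event ID 6 (driver loaded)
# and Event ID 5 (process terminated); events, hashes and denylist entries
# below are constructed placeholders, not real indicators.
from datetime import datetime, timedelta

# Placeholder denylist. In production, populate it from the LOLDrivers project
# and Microsoft's vulnerable driver blocklist; this hash is made up.
VULNERABLE_DRIVER_SHA256 = {
    "0" * 64: "placeholder vulnerable driver",
}
# Illustrative set of security-product processes (lower-case); extend for your EDR.
EDR_PROCESSES = {"msmpeng.exe", "mssense.exe", "csfalconservice.exe", "sentinelagent.exe"}


def parse_hashes(field):
    """Sysmon 'Hashes' field ('SHA256=..,MD5=..') -> {'SHA256': '..', ...}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().upper()] = v.strip().lower()
    return out


def detect_byovd(events, window_seconds=120):
    """Return (severity, message) alerts. A suspicious driver load (denylisted
    hash or unsigned) is medium; an EDR process terminating within the window
    after such a load is high."""
    alerts = []
    suspicious_loads = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event_id"] == 6:
            sha = parse_hashes(e.get("Hashes", "")).get("SHA256", "")
            reason = None
            if sha in VULNERABLE_DRIVER_SHA256:
                reason = f"denylisted driver ({VULNERABLE_DRIVER_SHA256[sha]})"
            elif e.get("Signed", "").lower() != "true":
                reason = "unsigned driver"
            if reason:
                suspicious_loads.append(e)
                alerts.append(("medium", f"{e['ImageLoaded']}: {reason}"))
        elif e["event_id"] == 5:
            image = e["Image"].rsplit("\\", 1)[-1].lower()
            if image not in EDR_PROCESSES:
                continue
            for load in suspicious_loads:
                delta = (e["ts"] - load["ts"]).total_seconds()
                if 0 <= delta <= window_seconds:
                    alerts.append(("high", f"{image} terminated {int(delta)}s after "
                                           f"suspicious driver load {load['ImageLoaded']}"))
                    break
    return alerts


# Constructed sample telemetry (not from a real host).
_T0 = datetime(2026, 6, 1, 3, 14, 0)
SAMPLE_EVENTS = [
    {"ts": _T0, "event_id": 6, "ImageLoaded": "C:\\Windows\\Temp\\drv.sys",
     "Hashes": "SHA256=" + "0" * 64, "Signed": "true", "Signature": "Some Vendor"},
    {"ts": _T0 + timedelta(seconds=40), "event_id": 5,
     "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe"},
    {"ts": _T0 + timedelta(minutes=10), "event_id": 6,
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\legit.sys",
     "Hashes": "SHA256=" + "1" * 64, "Signed": "true", "Signature": "Microsoft Windows"},
    {"ts": _T0 + timedelta(minutes=15), "event_id": 5,
     "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe"},
]


def run_sample():
    return detect_byovd(SAMPLE_EVENTS)


if __name__ == "__main__":
    for severity, message in run_sample():
        print(severity.upper(), message)
```

Note that the flagged driver in the sample is validly signed: BYOVD works precisely because the abused driver carries a legitimate signature, so a signature check alone will not catch it and the hash denylist (or the HVCI blocklist on the endpoint) is the control that matters. The later, unrelated Defender restart falls outside the correlation window and produces no alert.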
The Gentlemen ransomware group expanded rapidly from 35 victims in Q4 2025 to 182 in Q1 2026, becoming the second most active group. It posted multiple victims on June 1, 2026, including ahcpl.com, aph.com.sa, and bouri.net. Established groups Qilin and Akira declined 25% and 22% respectively, indicating a redistribution of activity among groups.
Implement network segmentation to limit lateral movement. Deploy EDR with behavioral ransomware detection. Maintain offline, encrypted backups and test restores from them regularly. Monitor for The Gentlemen TTPs and IOCs. Establish an incident response retainer for rapid ransomware response.
Source: Web • Published: 2026-06-01
ADT confirmed unauthorized access to customer data on April 20, 2026. ShinyHunters claimed theft of 10+ million records; Have I Been Pwned measured 5.5 million exposed. Data includes names, phone numbers, and addresses, with a limited number of records also containing date of birth and the last four digits of SSN/tax ID.
Monitor affected customer accounts for social engineering attacks that leverage the exposed PII; a caller who knows a customer's address and last-four SSN digits should no longer count as verified. Add verification steps for account changes. Notify customers of the breach and provide identity monitoring services. Review the access controls and authentication mechanisms that allowed the initial breach.
Source: Web • Published: 2026-04-24
Medtronic confirmed unauthorized access to corporate IT systems on April 24, 2026, after ShinyHunters claimed theft of 9+ million records. The group listed Medtronic on April 18 with a ransom-contact deadline of April 21. Claims include PII exposure and terabytes of internal corporate data.
Rotate all corporate credentials and API keys. Monitor for use of the stolen internal data in secondary attacks such as targeted phishing and impersonation. Review network segmentation to limit lateral movement in future incidents. Implement enhanced monitoring for unusual data-exfiltration patterns. Assess impact on medical device safety and patient data.
Source: Web • Published: 2026-04-24