
Twelve Critical vm2 Vulnerabilities Allow Node.js Sandbox Escape
Researchers disclosed 12 critical vulnerabilities in the widely-used vm2 Node.js sandbox library, all enabling sandbox escape and arbitrary code execution

A malicious website impersonating Claude AI distributes a new, previously undocumented Windows backdoor named Beagle to users seeking to download

Security researchers from Adversa AI and Mitiga disclosed a one-click RCE, silent MCP OAuth token hijacking, and a Chrome extension

A critical unpatched Linux kernel privilege escalation flaw dubbed Dirty Frag lets local attackers gain root via a single command

Fashion retailer Zara confirmed a data breach affecting over 197,000 customers after hackers accessed databases containing personal information from Inditex

State-sponsored actors exploited CVE-2026-0300, a critical CVSS 9.3 RCE flaw in PAN-OS, for roughly one month before disclosure. CISA deadline

Ivanti disclosed CVE-2026-6973, an actively exploited RCE vulnerability in EPMM 12.8.0.0 and earlier. CISA set a May 10 federal remediation

Three PyPI packages with 2,400+ combined downloads delivered ZiChatBot malware to developer machines, abusing Zulip’s REST API as a covert

Researchers discovered TCLBanker, a banking trojan hidden in trojanized Logitech software installers, stealing credentials from 59 banking and cryptocurrency platforms.

Researchers identified a Linux variant of Quasar RAT targeting developer systems to steal source code access, CI/CD credentials, and signing