Security news.
Today's security brief highlights critical vulnerabilities and active exploitation, including a remote code execution flaw in the Protobuf library and an Apache ActiveMQ vulnerability added to CISA's KEV catalog. We also see continued activity from ransomware groups employing novel evasion techniques and the evolving landscape of phishing attacks.
Critical flaw in Protobuf library enables JavaScript code execution
Proof-of-concept exploit code has been published for a critical remote code execution flaw in protobuf.js, a widely used JavaScript implementation of Google's Protocol Buffers.
$13.74M Hack Shuts Down Sanctioned Grinex Exchange After Intelligence Claims
Grinex, a cryptocurrency exchange sanctioned by the U.K. and U.S., has suspended operations after a $13.74 million hack it attributes to Western intelligence agencies.
Mirai Variant Nexcorium Exploits CVE-2024-3721 to Hijack TBK DVRs for DDoS Botnet
Threat actors are exploiting CVE-2024-3721 in TBK DVR devices and EoL TP-Link Wi-Fi routers to deploy Mirai-botnet variants for DDoS attacks.
Recent Apache ActiveMQ Vulnerability Exploited in the Wild
The remote code execution vulnerability CVE-2026-34197 in Apache ActiveMQ, patched earlier this month, is now being actively exploited.
Payouts King ransomware uses QEMU VMs to bypass endpoint security
The Payouts King ransomware is employing the QEMU emulator to run hidden virtual machines via a reverse SSH backdoor, aiming to bypass endpoint security.
Three Microsoft Defender Zero-Days Actively Exploited; Two Still Unpatched
Huntress warns that threat actors are actively exploiting three recently disclosed zero-day vulnerabilities (codenamed BlueHammer, RedSun, and UnDefend) in Microsoft Defender to gain elevated privileges.
Microsoft: Some Windows servers enter reboot loops after April patches
Microsoft has issued a warning that some Windows domain controllers are experiencing restart loops after installing the April 2026 security updates.
Tycoon 2FA Phishers Scatter, Adopt Device Code Phishing
Following disruptions to the Tycoon 2FA platform, threat actors are now reusing its tools across other phishing kits and adopting device code phishing techniques.