Security news.

Afternoon Brief

Today's security landscape is dominated by critical infrastructure threats, supply chain compromises, and active zero-day exploitation. The headlines include a major breach at Vercel, vulnerabilities in serial-to-IP devices affecting OT/healthcare systems, and multiple unpatched Microsoft Defender zero-days that are being actively exploited, while CISA warns of a compromised Axios npm package affecting JavaScript developers globally.

CISA · SUPPLY CHAIN
Apr 20

CISA: Axios npm Package Supply Chain Compromise

Two versions of the widely used Axios HTTP client ([email protected] and [email protected]) were compromised, affecting JavaScript developers across Node.js and browser environments.

THN · RCE
Apr 20

SGLang CVE-2026-5760: Critical RCE via Malicious GGUF Files

A CVSS 9.8 command injection vulnerability in SGLang enables remote code execution through specially crafted model files.

SECURITYWEEK · VULN
Apr 20

Serial-to-IP Converter Flaws Expose OT and Healthcare Systems

Forescout researchers discovered 20 new vulnerabilities in Lantronix and Silex products used in operational technology and healthcare environments, with thousands of additional legacy bugs identified.

THN · RCE
Apr 20

Anthropic MCP Design Flaw Enables RCE, Threatens AI Supply Chain

A critical "by design" weakness in the Model Context Protocol architecture allows arbitrary command execution on vulnerable MCP implementations, with cascading effects across the AI supply chain.

SECURITYWEEK · BREACH
Apr 20

Vercel Breach: Next.js Creator Compromised via Third-Party AI Tool

Cloud development platform Vercel suffered a breach after attackers compromised Context.ai, a third-party AI tool used by an employee, gaining access to internal systems and limited customer credentials.

THN · MALWARE
Apr 20

ZionSiphon Malware Targets Israeli Water and Desalination Systems

New malware designed specifically for Israeli water treatment and desalination OT systems establishes persistence, tampers with configurations, and scans for operational technology services.

BLEEPING · BREACH
Apr 20

Seiko USA Website Defaced; Attacker Claims Shopify Database Theft

The Seiko USA website was defaced, with attackers claiming to have stolen the Shopify customer database and threatening to leak it unless a ransom is paid.

BLEEPING
Apr 20

Microsoft Teams Increasingly Abused in Helpdesk Impersonation Attacks

Threat actors are leveraging external Microsoft Teams collaboration to impersonate helpdesk staff, gain initial access, and move laterally on enterprise networks.

Generated twice daily from public security RSS feeds. Informational only.