Security news.
Today's threat landscape is dominated by active exploitation campaigns, supply chain compromises, and state-sponsored APT activity. Vulnerabilities in LMDeploy and WordPress plugins are being exploited in the wild, while Lazarus continues targeting macOS users and Chinese APT groups are expanding their operational scope across multiple regions and attack vectors.
LMDeploy CVE-2026-33626 Exploited Within 13 Hours of Disclosure
A high-severity SSRF vulnerability (CVSS 7.5) in the LLM deployment toolkit LMDeploy is under active exploitation in the wild less than 13 hours after public disclosure, allowing attackers to access sensitive data.
North Korea's Lazarus Targets macOS Users via ClickFix
Lazarus continues leveraging the ClickFix social engineering technique for initial access and data theft against Mac-centric organizations and their high-value leaders.
Breeze Cache WordPress Plugin Under Active Exploitation
Hackers are actively exploiting a critical file upload vulnerability in the Breeze Cache plugin that allows unauthenticated arbitrary file uploads to WordPress servers.
Bitwarden CLI npm Package Compromised in Supply Chain Attack
The @bitwarden/cli npm package was compromised with malicious code designed to steal developer credentials and spread to other projects, part of an ongoing Checkmarx supply chain campaign.
26 FakeWallet Apps Discovered on Apple App Store Targeting Crypto Users
Researchers found 26 malicious apps impersonating popular cryptocurrency wallets on the App Store since fall 2025, designed to steal recovery phrases and private keys by redirecting users to trojanized wallet versions.
US Federal Agency's Cisco Firewall Infected with Firestarter Backdoor
A critical backdoor named Firestarter has been discovered on a U.S. federal agency's Cisco firewall, providing remote access and maintaining persistence even after patching.
Tropic Trooper Deploys AdaptixC2 via Trojanized SumatraPDF
Chinese-speaking targets are being attacked with a trojanized SumatraPDF reader that deploys the AdaptixC2 Beacon post-exploitation agent and abuses VS Code tunnels for remote access.
CISA Adds Marimo RCE Vulnerability to KEV Catalog
CVE-2026-39987, a remote code execution flaw in Marimo, has been added to CISA's Known Exploited Vulnerabilities catalog based on evidence of active exploitation.