Security news.
Today's security landscape is marked by active exploitation of critical vulnerabilities, particularly in WordPress plugins and Microsoft Exchange Server. Supply chain attacks continue to be a significant concern, with popular npm packages and OpenAI employee devices falling victim. Additionally, Pwn2Own Berlin saw numerous zero-days demonstrated against major software.
Funnel Builder WordPress Plugin Exploited to Steal Credit Cards
A critical vulnerability in the Funnel Builder plugin for WordPress is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages.
Microsoft Warns of Exchange Server Zero-Day Exploited in Attacks
Microsoft has issued a warning and mitigations for a high-severity Exchange Server vulnerability (CVE-2026-42897) actively exploited via cross-site scripting (XSS) targeting Outlook on the web users. CISA has added this to its KEV catalog.
Popular node-ipc npm Package Compromised to Steal Credentials
Hackers have injected credential-stealing malware into new versions of node-ipc, a widely used inter-process communication package, in a new npm supply chain attack.
Microsoft Exchange, Windows 11 Hacked on Second Day of Pwn2Own
Competitors at Pwn2Own Berlin 2026 earned $385,750 by demonstrating 15 unique zero-day vulnerabilities in products including Windows 11, Microsoft Exchange, and Red Hat Enterprise Linux.
Cisco Patches Another SD-WAN Zero-Day, Sixth Exploited in 2026
Cisco has patched CVE-2026-20182, a maximum-severity authentication bypass flaw in Catalyst SD-WAN Controller, which has been actively exploited in targeted attacks by the sophisticated threat actor UAT-8616.
OpenAI Hit by TanStack Supply Chain Attack
Two OpenAI employee devices were compromised via the Mini Shai-Hulud supply chain attack on TanStack, leading to the theft of credential material from OpenAI code repositories.
Turla Turns Kazuar Backdoor Into Modular P2P Botnet
The Russian state-sponsored hacking group Turla has evolved its Kazuar backdoor into a modular peer-to-peer (P2P) botnet designed for stealth and persistent access to compromised hosts.
Avada Builder WordPress Plugin Flaws Allow Site Credential Theft
Two vulnerabilities in the Avada Builder plugin for WordPress, with over a million installations, could allow attackers to read arbitrary files and extract sensitive database information.