← Latest brief

Security news.

·Afternoon Brief

Today's security landscape is marked by active exploitation of critical vulnerabilities, particularly in WordPress plugins and Microsoft Exchange Server. Supply chain attacks continue to be a significant concern, with popular npm packages and OpenAI employee devices falling victim. Additionally, Pwn2Own Berlin saw numerous zero-days demonstrated against major software.

BLEEPINGBREACH
May 15READ

Funnel Builder WordPress Plugin Exploited to Steal Credit Cards

A critical vulnerability in the Funnel Builder plugin for WordPress is being actively exploited to inject malicious JavaScript into WooCommerce checkout pages.

BLEEPINGZERO-DAY
May 15READ

Microsoft Warns of Exchange Server Zero-Day Exploited in Attacks

Microsoft has issued a warning and mitigations for a high-severity Exchange Server vulnerability (CVE-2026-42897) actively exploited via cross-site scripting (XSS) targeting Outlook on the web users. CISA has added this to its KEV catalog.

BLEEPINGBREACH
May 15READ

Popular node-ipc npm Package Compromised to Steal Credentials

Hackers have injected credential-stealing malware into new versions of node-ipc, a widely used inter-process communication package, in a new npm supply chain attack.

BLEEPINGBREACH
May 15READ

Microsoft Exchange, Windows 11 Hacked on Second Day of Pwn2Own

Competitors at Pwn2Own Berlin 2026 earned $385,750 by demonstrating 15 unique zero-day vulnerabilities in products including Windows 11, Microsoft Exchange, and Red Hat Enterprise Linux.

SECURITYWEEKZERO-DAY
May 15READ

Cisco Patches Another SD-WAN Zero-Day, Sixth Exploited in 2026

Cisco has patched CVE-2026-20182, a maximum-severity authentication bypass flaw in Catalyst SD-WAN Controller, which has been actively exploited in targeted attacks by the sophisticated threat actor UAT-8616.

SECURITYWEEKSUPPLY CHAIN
May 15READ

OpenAI Hit by TanStack Supply Chain Attack

Two OpenAI employee devices were compromised via the Mini Shai-Hulud supply chain attack on TanStack, leading to the theft of credential material from OpenAI code repositories.

THNMALWARE
May 15READ

Turla Turns Kazuar Backdoor Into Modular P2P Botnet

The Russian state-sponsored hacking group Turla has evolved its Kazuar backdoor into a modular peer-to-peer (P2P) botnet designed for stealth and persistent access to compromised hosts.

BLEEPINGBREACH
May 15READ

Avada Builder WordPress Plugin Flaws Allow Site Credential Theft

Two vulnerabilities in the Avada Builder plugin for WordPress, with over a million installations, could allow attackers to read arbitrary files and extract sensitive database information.

Generated twice daily from public security RSS feeds. Informational only.