NeoShield Security logo NeoShield Security Quantum X
AUTONOMOUS AI · ONLINE / LAST SCAN 1m ago / STORE DB / SYNC 18:08:52 / ALERTS 0

Autonomous threat intelligence

Live critical cyber signals

A Claude-powered agent continuously scans official global threat feeds, triages the most dangerous activity, and maps each one to concrete defensive action — automatically.

5
GUARDED

AI analyst live situational brief

AI-automated ransomware & NK supply-chain packages demand immediate dev-pipeline lockdown

The landscape sits at GUARDED with 7 critical and 15 high signals across 30 tracked events, dominated by a surge in Web CMS/plugin exploitation (6 critical hits), active ransomware deployment including JadePuffer's AI-automated attack chain, and a North Korean supply-chain campaign (PolinRider) seeding 108 malicious npm/extension packages. Supply-chain and authentication cluster activity compounds risk for developer environments and identity infrastructure simultaneously. The Avalon/CrownX ranso

Do this today: Audit and freeze all npm/pip/extension dependencies against the PolinRider IOC list; enforce allowlist-only package installs in CI/CD pipelines immediately.

PolinRider CMS Plugin Blitz 6 JadePuffer/Avalon AI Ransomware Wave 3 NK PolinRider Supply-Chain Poisoning 2 Identity & Auth Credential Harvest 2 Cloud-Native Container Intrusion 1
AI-triaged Priority One

CVE-2026-11794 · CVSS 8.1

NVD · vulnerability · 5d ago

A privilege escalation vulnerability in the Advanced Form Integration WordPress plugin (before 2.1.1) allows unauthenticated visitors to create administrator-level accounts by submitting a public form with a mapped user role field. Immediate patching and audit of existing user accounts is required to prevent unauthorized administrative access.

  • Update Advanced Form Integration plugin to version 2.1.1 or later immediately via WordPress admin dashboard or manual deployment.
  • Audit all WordPress user accounts for recently created or unexpected administrator-level accounts and revoke unauthorized privileges.
  • Review all Advanced Form Integration configurations to ensure no public-facing forms map user role fields to form inputs; remove or restrict such mappings.
  • Enable WordPress activity logging (e.g., WP Activity Log) to detect and alert on new administrator account creation events.
6
Critical
21
High
37
Tracked
● Live
CRITICAL CVE-2026-11794 · CVSS 8.1 CRITICAL North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign CRITICAL JadePuffer ransomware used AI agent to automate entire attack CRITICAL New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android CRITICAL North Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secrets CRITICAL New Avalon Malware Framework Packs CrownX Ransomware Capabilities HIGH Opera GX Flaw Let Malicious Sites Auto-Install Mods to Steal Data From Visited Pages HIGH CVE-2026-53902 HIGH CVE-2026-5120 · CVSS 8.1 HIGH New Java-Based QuimaRAT MaaS Built to Run on Windows, Linux, and macOS HIGH New TrojPix Attack Leaks Data From Air-Gapped Systems via Video Cable Emissions HIGH SkillCloak Lets Malicious AI Agent Skills Evade Static Scanners with Self-Extracting Packing HIGH CVE-2026-12923 · CVSS 7.5 HIGH U.S. Government Entity Paid Kairos $1 Million in Data-Theft Extortion Case HIGH NetNut proxy network disrupted, 2 million infected devices cut off HIGH Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices HIGH Armored Likho Targets Government Agencies, Power Sector with BusySnake Stealer HIGH PamStealer Uses Fake Maccy Sites and PAM Checks to Steal Mac Login Passwords HIGH Threat Actors Probe Gitea Docker Flaw CVE-2026-20896 13 Days After Disclosure HIGH RCS and DNS: The NAPTR Record, (Mon, Jul 6th) HIGH Max severity Adobe ColdFusion flaw now exploited in attacks HIGH ⚡ Weekly Recap: Proxy Botnets, Browser Ransomware, AI Agent Tricks, Fake PoC Malware and More HIGH FBI Seizes NetNut Proxy Platform, Popa Botnet HIGH CubeSpace CW0057 Reaction Wheel CRITICAL CVE-2026-11794 · CVSS 8.1 CRITICAL North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign CRITICAL JadePuffer ransomware used AI agent to automate entire attack CRITICAL New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android CRITICAL North Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secrets CRITICAL New Avalon Malware Framework Packs CrownX Ransomware Capabilities HIGH Opera GX Flaw Let Malicious Sites Auto-Install Mods to Steal Data From Visited Pages HIGH CVE-2026-53902 HIGH CVE-2026-5120 · CVSS 8.1 HIGH New Java-Based QuimaRAT MaaS Built to Run on Windows, Linux, and macOS HIGH New TrojPix Attack Leaks Data From Air-Gapped Systems via Video Cable Emissions HIGH SkillCloak Lets Malicious AI Agent Skills Evade Static Scanners with Self-Extracting Packing HIGH CVE-2026-12923 · CVSS 7.5 HIGH U.S. Government Entity Paid Kairos $1 Million in Data-Theft Extortion Case HIGH NetNut proxy network disrupted, 2 million infected devices cut off HIGH Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices HIGH Armored Likho Targets Government Agencies, Power Sector with BusySnake Stealer HIGH PamStealer Uses Fake Maccy Sites and PAM Checks to Steal Mac Login Passwords HIGH Threat Actors Probe Gitea Docker Flaw CVE-2026-20896 13 Days After Disclosure HIGH RCS and DNS: The NAPTR Record, (Mon, Jul 6th) HIGH Max severity Adobe ColdFusion flaw now exploited in attacks HIGH ⚡ Weekly Recap: Proxy Botnets, Browser Ransomware, AI Agent Tricks, Fake PoC Malware and More HIGH FBI Seizes NetNut Proxy Platform, Popa Botnet HIGH CubeSpace CW0057 Reaction Wheel

Triaged intelligence feed

refreshes automatically · severity-first
CRITICAL NVD

CVE-2026-11794 · CVSS 8.1

A privilege escalation vulnerability in the Advanced Form Integration WordPress plugin (before 2.1.1) allows unauthenticated visitors to create administrator-level accounts by submitting a public form with a mapped user role field. Immediate patching and audit of existing user accounts is required to prevent unauthorized administrative access.

▸ countermeasure Update Advanced Form Integration plugin to version 2.1.1 or later immediately via WordPress admin dashboard or manual deployment.
Claude triage 5d ago
CRITICAL The Hacker News

North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign

North Korean threat actors (Contagious Interview/PolinRider) have published 108 malicious packages across npm, Packagist, Go, and Chrome extensions to compromise developer environments via supply chain poisoning. The campaign is ongoing with new packages expected as attackers continue compromising maintainer accounts.

▸ countermeasure Audit all recently added or updated dependencies in npm, Packagist, and Go modules against known PolinRider IOC lists published by threat intelligence sources
Claude triage 2d ago
CRITICAL BleepingComputer

JadePuffer ransomware used AI agent to automate entire attack

JadePuffer ransomware represents a novel threat where an LLM agent autonomously orchestrated an entire ransomware attack lifecycle, dramatically reducing attacker skill requirements and accelerating attack velocity. Defenders must urgently reassess detection strategies to account for AI-driven, high-speed, adaptive intrusion patterns that may evade traditional signature-based controls.

▸ countermeasure Implement behavioral-based EDR and NDR solutions capable of detecting anomalous automation patterns such as rapid sequential reconnaissance, lateral movement, and encryption activity that may outpace human-speed attacks
Claude triage 2d ago
CRITICAL The Hacker News

New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android

CVE-2026-46242 ('Bad Epoll') is a Linux kernel privilege escalation vulnerability allowing unprivileged local users to gain root access, affecting Linux desktops, servers, and Android devices. A patch is available and should be applied immediately across all affected systems.

▸ countermeasure Apply the available kernel patch immediately; prioritize internet-facing Linux servers and Android device fleets
Claude triage 2d ago
CRITICAL The Hacker News

North Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secrets

North Korea-linked threat actors published malicious npm packages mimicking legitimate Rollup polyfill tooling to enable remote access and steal developer secrets from software supply chains. Organizations using npm packages related to Rollup polyfills should immediately audit dependencies for the malicious packages 'rollup-packages-polyfill-core' and 'rollup-runtime-polyfill-core'.

▸ countermeasure Immediately audit all project package.json and lock files for presence of 'rollup-packages-polyfill-core' or 'rollup-runtime-polyfill-core' and remove them if found
Claude triage 3d ago
CRITICAL The Hacker News

New Avalon Malware Framework Packs CrownX Ransomware Capabilities

Avalon is a newly discovered modular malware framework delivered via multi-stage phishing that integrates credential theft, lateral movement, remote access, backup disruption, and CrownX ransomware execution into a unified attack chain. Its ability to bypass traditional security controls and combine multiple threat capabilities makes it an immediate high-priority defensive concern for organizations.

▸ countermeasure Immediately audit and harden email security gateways with advanced anti-phishing controls including sandboxing of attachments and URLs to detect multi-stage phishing delivery chains
Claude triage 2d ago
HIGH The Hacker News

Opera GX Flaw Let Malicious Sites Auto-Install Mods to Steal Data From Visited Pages

A now-patched flaw in Opera GX allowed malicious websites to silently auto-install browser extensions capable of exfiltrating sensitive page data, including authenticated session content such as Gmail addresses, without any user interaction. Organizations and individuals using Opera GX should update immediately and audit installed extensions for unauthorized additions.

▸ countermeasure Update Opera GX to the latest patched version immediately via the browser's built-in updater or official Opera download page
Claude triage 10h ago
HIGH NVD

CVE-2026-53902

CVE-2026-53902 describes a broken authorization vulnerability in MCO's group membership API endpoint that allows any authenticated user to escalate privileges by adding themselves to arbitrary groups. Exploitation requires only valid authentication and a discoverable group ID, making this a significant internal threat vector.

▸ countermeasure Immediately restrict access to the /customer/servlet/mco/webapi/profile-sections/group-membership endpoint at the WAF or reverse proxy layer until a vendor patch is applied
Claude triage 5d ago
HIGH NVD

CVE-2026-5120 · CVSS 8.1

A race condition vulnerability in BIOVIA Workbook (2021–2026) allows authenticated users to access unauthorized data belonging to other users, posing a significant data confidentiality risk. Immediate patching and access controls are recommended to mitigate unauthorized cross-user data exposure.

▸ countermeasure Apply vendor-supplied patches or updates for BIOVIA Workbook immediately upon availability; monitor NVD and Dassault Systèmes advisories for patch releases.
Claude triage 5d ago
HIGH The Hacker News

New Java-Based QuimaRAT MaaS Built to Run on Windows, Linux, and macOS

QuimaRAT is a Java-based cross-platform remote access trojan sold as Malware-as-a-Service, enabling threat actors to compromise Windows, Linux, and macOS systems with relatively low cost and technical barrier. Its MaaS model significantly lowers the entry threshold for attackers, increasing the likelihood of widespread deployment across diverse enterprise environments.

▸ countermeasure Block or restrict execution of unsigned or unexpected Java applications (JAR/JNLP files) via application control policies on all endpoints
Claude triage 9h ago
HIGH The Hacker News

New TrojPix Attack Leaks Data From Air-Gapped Systems via Video Cable Emissions

TrojPix is a covert air-gap exfiltration technique that manipulates on-screen pixel patterns to emit decodable radio signals via video cable emissions, allowing data theft from isolated systems. The attack requires prior malware installation on the target machine, making initial access prevention and endpoint integrity the primary defensive priorities.

▸ countermeasure Enforce strict application allowlisting and endpoint protection on all air-gapped systems to prevent initial malware delivery, which is a prerequisite for TrojPix
Claude triage 9h ago
HIGH The Hacker News

SkillCloak Lets Malicious AI Agent Skills Evade Static Scanners with Self-Extracting Packing

Researchers demonstrated that malicious AI agent skills/plugins can evade static security scanners over 90% of the time using self-extracting packing techniques dubbed SkillCloak, posing a significant supply-chain risk to organizations using AI coding assistants. Defenders must shift from static-only scanning to runtime behavioral analysis for AI agent skill/plugin vetting.

▸ countermeasure Implement runtime behavioral monitoring for all AI agent skills and plugins rather than relying solely on static scanners
Claude triage 11h ago
HIGH NVD

CVE-2026-12923 · CVSS 7.5

The Youtube Showcase WordPress plugin (<=4.0.3) allows authenticated users to invoke arbitrary PHP functions via the unsanitized 'path' parameter in the emd_delete_file() AJAX handler, bypassing weak sanitization. This could enable attackers to execute dangerous built-in PHP functions leading to data destruction, information disclosure, or further compromise.

▸ countermeasure Immediately update the Youtube Showcase plugin to a patched version above 4.0.3, or deactivate and remove the plugin if no patch is available.
Claude triage 5d ago
HIGH The Hacker News

U.S. Government Entity Paid Kairos $1 Million in Data-Theft Extortion Case

A U.S. government entity paid approximately $1 million to a threat actor group called Kairos following data theft and extortion, with no ransomware encryption involved — indicating a pure data-exfiltration and extortion operation. The group's tactics suggest a focus solely on stealing and threatening to leak sensitive data rather than deploying traditional ransomware.

▸ countermeasure Audit and inventory all sensitive data repositories to identify what data is accessible and could be targeted for exfiltration
Claude triage 2d ago
HIGH BleepingComputer

NetNut proxy network disrupted, 2 million infected devices cut off

A large-scale residential proxy botnet (NetNut) leveraging approximately 2 million compromised Android devices including smart TVs and streaming boxes has been disrupted via a joint operation with Google. Organizations should audit their networks for traffic originating from or routing through residential proxy infrastructure, as these devices may have been used to obfuscate malicious activity against enterprise targets.

▸ countermeasure Audit firewall and proxy logs for anomalous traffic patterns originating from residential IP ranges or known proxy exit nodes associated with NetNut infrastructure
Claude triage 3d ago
HIGH The Hacker News

Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices

Seven unpatched vulnerabilities have been disclosed in FatFs, a widely embedded FAT/exFAT filesystem library present in millions of IoT and embedded devices including security cameras, drones, industrial controllers, and hardware crypto wallets. These flaws could allow attackers to compromise devices via malicious USB drives or SD cards, posing significant supply-chain and physical-access risks.

▸ countermeasure Conduct an immediate firmware inventory audit to identify all embedded devices in your environment that incorporate FatFs and document their versions
Claude triage 2d ago
HIGH The Hacker News

Armored Likho Targets Government Agencies, Power Sector with BusySnake Stealer

Armored Likho is a threat actor deploying the BusySnake stealer in targeted campaigns against government agencies and power sector organizations across Russia, Brazil, and Kazakhstan, blending financial and espionage motivations. Organizations in these sectors should treat this as an active, targeted threat requiring immediate defensive review.

▸ countermeasure Audit and restrict execution of unknown or unsigned executables, particularly in government and energy sector endpoints
Claude triage 3d ago
HIGH The Hacker News

PamStealer Uses Fake Maccy Sites and PAM Checks to Steal Mac Login Passwords

PamStealer is a macOS infostealer distributed via fake Maccy clipboard manager sites, using compiled AppleScript to harvest Mac login passwords through PAM (Pluggable Authentication Modules) abuse. It targets sensitive credentials and system data by masquerading as a trusted open-source utility.

▸ countermeasure Block or alert on execution of unsigned or unnotarized .scpt (AppleScript) files via endpoint controls or MDM policy
Claude triage 3d ago
HIGH The Hacker News

Threat Actors Probe Gitea Docker Flaw CVE-2026-20896 13 Days After Disclosure

Threat actors have been observed attempting to exploit a recently patched critical security flaw in Gitea Docker images, according to Sysdig. The vulnerability in question is CVE-2026-20896 (CVSS score: 9.8), a vulnerability that stems from the DevOps platform trusting the "X-WEBAUTH-USER" header from any source IP address, effectively allowing an unauthenticated internet client to get elevated

▸ countermeasure Confirm exposure, apply vendor patches, add temporary WAF/IPS rules, and run post-patch vulnerability validation.
heuristic 1h ago
HIGH SANS ISC

RCS and DNS: The NAPTR Record, (Mon, Jul 6th)

Over the last year, with recent updates to iOS and Android, RCS (Rich Communication Services) has become an increasingly used protocol &#x5b;1&#x5d;. RCS is supposed to eventually replace SMS, and in addition to richer formatting, provides added (but optional) security. RCS messages may be end-to-end encrypted and digitally signed. Unlike SMS, which was "bolted on" to existing voice-focused phone standards. The SMS s

▸ countermeasure Triage affected assets, validate exposure, apply available mitigations, increase logging, and document evidence for incident review.
heuristic 4h ago
HIGH BleepingComputer

Max severity Adobe ColdFusion flaw now exploited in attacks

Attackers are now exploiting a maximum-severity Adobe ColdFusion vulnerability tracked as CVE-2026-48282, according to vulnerability intelligence company KEVIntel. [...]

▸ countermeasure Triage affected assets, validate exposure, apply available mitigations, increase logging, and document evidence for incident review.
heuristic 4h ago
HIGH The Hacker News

⚡ Weekly Recap: Proxy Botnets, Browser Ransomware, AI Agent Tricks, Fake PoC Malware and More

A streaming box should not need a threat model. Neither should a username field, a demo repo, a reset flow, or a browser permission prompt. That is the irritating part this week: the risky pieces were ordinary. Home devices became a routing cover. Clean code pulled dirt from a dependency. Identity shortcuts aged badly. AI systems trusted the wrong instructions. Same soft spot throughout: trust

▸ countermeasure Verify immutable backups, block known IOCs, isolate affected hosts, and review EDR detections for lateral movement.
heuristic 5h ago
HIGH Krebs on Security

FBI Seizes NetNut Proxy Platform, Popa Botnet

The Federal Bureau of Investigation (FBI) said today it worked with industry partners to seize hundreds of domains associated with NetNut, a sprawling residential proxy service operated by the publicly-traded Israeli company Alarum Technologies [NASDAQ: ALAR]. The action comes roughly two weeks after KrebsOnSecurity published findings from multiple security firms connecting NetNut to the Popa botnet, a collection of

▸ countermeasure Triage affected assets, validate exposure, apply available mitigations, increase logging, and document evidence for incident review.
heuristic 3d ago
HIGH CISA News

CubeSpace CW0057 Reaction Wheel

View CSAF Summary Successful exploitation of this vulnerability could allow an attacker to upload arbitrary malicious firmware to the device. The following versions of CubeSpace CW0057 Reaction Wheel are affected: CW0057 Reaction Wheel CVSS Vendor Equipment Vulnerabilities v3 6.1 CubeSpace CubeSpace CW0057 Reaction Wheel Improper Verification of Cryptographic Signature Background Critical Infrastructure Sectors: Comm

▸ countermeasure Triage affected assets, validate exposure, apply available mitigations, increase logging, and document evidence for incident review.
heuristic 4d ago
Feeds: CISA KEV · NVD · CISA News · SANS ISC · The Hacker News · BleepingComputer · Krebs on Security · triaged by the NeoShield autonomous agent Full defense feed →