Ethical Hacking Mission Control
This live lab is a safe space for defenders, red teamers, and curious hackers to sharpen their tradecraft using real tooling and real telemetry. Every article, lab module, and intel briefing is curated to help you practice responsible disclosure, grow your skill set, and support the security community.
New ChocoPoC RAT Targets Vulnerability Researchers via Fake PoC Exploit Repos
SharePoint RCE CVE-2026-45659 Added to CISA KEV After Active Exploitation
Medtronic notifies customers impacted by ShinyHunters data breach
Unpatched Argo CD Repo-Server Flaw Could Let Attackers Take Over Kubernetes Clusters
FortiBleed credential-theft campaign linked to Lynx ransomware
Kubota says hackers had month-long access to network systems
Crafty Phishing Campaigns Auto-Adapt to Victim's Device, OS
ChocoPoc malware delivered via trojanized exploits on GitHub
New ChocoPoC malware targets researchers via trojanized PoC exploits
And the Winner in Dominant Malware Delivery? ClickFix
19-Year-Old Scattered Spider Suspect Extradited to Face U.S. Hacking Charges
SEO-Poisoned Software Sites Abuse ScreenConnect to Deploy AsyncRAT
DHS confirms hackers breached HSIN info-sharing platform
VEIL#DROP Malware Chain Uses Blogger Platform to Deliver PureLogs Stealer
Webinar: Why traditional email security is no longer enough
Hackers target Microsoft 365 accounts with 81 million login attempts
Ousaban Banking Trojan Targets Iberian Bank Users with Fake PDF Lures
Adobe Patches 7 CVSS 10.0 Flaws in ColdFusion and Campaign Classic
'Phantom Squatting': An Emerging AI-Driven Supply Chain Threat
Critical Cursor Flaws Could Let Prompt Injection Escape Sandbox and Run Commands
Turning Indicators into Intelligence in OpenCTI with Criminal IP
Progress Kemp LoadMaster Pre-Auth RCE Flaw Faces Active Exploitation Attempts
Safe Events Start With Threat Intel and Digital Security
AI-Generated Browser Ransomware Abuses Chromium API on Windows and Android
Over 900 Oracle E-Business instances exposed to ongoing attacks
2026 Cybersecurity Assessment: The Gap Between Awareness and Resilience
Microsoft fixes GIF functionality in the Windows Emoji Panel
Microsoft Accelerates Post-Quantum Cryptography Shift to 2029
Amazon fined $2.25M for withholding evidence from fraud victims
Adobe patches seven max severity ColdFusion, Campaign flaws
Phantom Squatting Uses AI-Hallucinated Domains for Phishing and Malware
Anthropic Restores Claude Fable 5 After U.S. Lifts Jailbreak-Linked Export Controls
Azure CLI Password Spray Hits at Least 78 Microsoft Accounts in 81M+ Attempts
Researcher Analyzes 3,000 Live ClickFix Payloads, Exposing API-Driven Malware Delivery
Citrix Patches Six NetScaler Flaws Allowing File Read and Denial-of-Service
China-Linked Group Targets Southeast Asia Critical Systems
Anthropic to restore Claude Fable access on Wednesday
Anthropic rolls out Sonnet 5 with near-Opus 4.8 performance at a lower price
New BioShocking attack manipulates AI browser into data theft
Fake Bug Report Hijacks AI Coding Agents at Scale
Microsoft accelerates quantum-safe roadmap as risks grow
Malicious PyPI packages give hackers control of Telegram bot servers
Attackers Hijack Exposed AI Endpoints to Power Offensive Ops
Silent Swap Crypto Clipper Uses Fake Google Notes Extension to Replace Wallet Addresses
Why Identity Security Is Your Cyber Career Entry Point
Lessons from the Underground: How to Combat Business Email Compromise
Phishers Gain Persistence at EU, Asia Hospitality Orgs
Microsoft Warns Poisoned MCP Tool Descriptions Can Make AI Agents Leak Data
RustDuck Botnet Rebuilds in Rust to Hijack Routers and Servers for DDoS
Mircosoft adds smarter bot protection to Teams meetings
Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints
Fake Perplexity extension on Chrome Web Store tracked searches
Blackfield ransomware asks Nidec Corporation for $2 million ransom
GuardFall Exposes Open-Source AI Coding Agents to Decades-Old Shell Injection Risks
282 iOS AI Apps Leak API Keys and Open AI Proxy Access in Network Traffic Study
AI-Generated Workflows Are a Silent Security Disaster
What the Numbers Say About FIFA 2026 Cyber Risk
Attackers Exploit SimpleHelp CVE-2026-48558 to Deploy TaskWeaver and Djinn Stealer
Insurance giant Aflac discloses data breach after subsidiary hack
Microsoft adds smarter bot protection to Teams meetings
Kali Linux 2026.2 released with 9 new tools, NetHunter updates
AirDrop and Quick Share Flaws Let Nearby Attackers Trigger Crashes and Bypass Checks
CISA: Windows BlueHammer flaw now exploited by ransomware gangs
New BioShocking Attack Tricks AI Browsers Into Leaking User Credentials
Progress Kemp LoadMaster Flaw Could Let Attackers Run Root Commands Pre-Auth
Apple Patches 30+ iOS, macOS, Safari Flaws, Including AI-Discovered WebKit Bugs
Oracle E-Business Suite Flaw CVE-2026-46817 Actively Exploited in the Wild
Nissan discloses employee data breach linked to Oracle zero-day attacks
NIST Enrichment Reductions Impact CVE Coverage, Accuracy
'Djinn' Stealer Targets Cloud, AI Credentials
Vulnerabilities Expose Private Data in Indian Government Systems
NAIC says public data stolen in ShinyHunters' PeopleSoft breach
U.S. offers $10 million for hackers targeting WhatsApp, Signal users
Can Clothes Make You Invisible to Facial Recognition?
Iran, Russia, China Target Water Systems for Sabotage
Malicious Perplexity Chrome Extension Intercepted Searches and Address Bar Input
WhatsApp rolls out usernames to help users hide their phone number
Microsoft extends Windows Server 2022 hotpatching until October 2027
236,000 DCloud Uni-App Sites Used in Crypto Scams, Phishing, and Wallet Drainers
WhatsApp is Finally Getting Usernames to Help Keep Phone Numbers Private
Mustang Panda Uses Zoho WorkDrive as Command Channel in Indian Government Attacks
⚡ Weekly Recap: Linux Kernel Flaws, AI Malware Tricks, Turla Backdoor, Infostealers and More
Agentic AI Has an Identity Problem and Attackers Know It
Critical SimpleHelp flaw exploited to deploy new stealer malware
Hackers now exploit critical Oracle E-Business flaw in attacks
Webinar: Why business email compromise attacks keep succeeding
Amazon Q VS Extension Flaw Leads to Cloud Credential Theft
Why Post-Quantum Cryptography Starts With Credentials
Gamaredon Expands Ukraine Attacks with New Malware and Cloud Service Abuse
US seizes hundreds of FIFA World Cup illegal streaming domains
Microsoft Removes 119 Edge Extensions That Hid Malware in Images and Fonts
Public PoC Released for Critical libssh2 CVE-2026-55200 Client-Side SSH Flaw
Hijacked npm and Go Packages Use VS Code Tasks to Deploy Python Infostealer
Data breach exposes up to 14.2 million email logins at six ISPs
OpenAI Previews GPT-5.6 Sol With Restricted Access and Stronger Cyber Safeguards
Clean GitHub repo tricks AI coding agents into running malware
Ukraine Says Russian Intelligence Used Fake Support Texts to Steal Messaging Credentials
Third-Party Breaches Teach Education Sector a Costly Lesson in Vendor Risk
CISA sets urgent deadline to fix Cisco flaw exploited in attacks
FBI: Russian hackers now target Signal backup recovery keys
Chinese-Speaking APT Deploys New TinyRCT Backdoor in Southeast Asia Campaign
AI Decline? Confidence in Autonomous Penetration Testing Falls
Polymarket customers lose $3 million in supply-chain attack
Cybersecurity firms targeted by fraudulent OpenAI organization invites
CISA Adds Exploited PTC Windchill RCE Flaw to KEV as Web Shell Attacks Continue
FBI Warns Russian Intelligence Hackers Target Signal Backup Recovery Keys
New SharkLoader Malware Deploys Cobalt Strike in StrikeShark Cyberattacks
Unpatchable 'usbliter8' Exploit Breaks Apple A12 and A13 SecureROM Boot Chain
‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm
Cisco Adds NHI to Security Stack With Astrix, WideField Acquisitions
PirloTV sports piracy network disrupted as 44 domains seized
New Initiative Tackles Security for End-of-Life Open Source Software
AI Won't Wipe-Out Entry-Level Cybersecurity Jobs
Microsoft Warns of Photo ZIP Phishing Campaign Targeting Hotels with Node.js Implant
Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs
New Linux pedit COW Exploit Enables Root Access by Poisoning Cached Binaries
Google Details Turla's New STOCKSTAY Backdoor Used in Ukraine Espionage Attacks
Russian APT 'Gamaredon' Upgrades Its Arsenal, Requiring New Defenses
Your First GRC Agent: A Red Teamer's Walkthrough
Meeting Trump's 2030 Quantum Deadline Will be Expensive, Complex
Thanks for Crushing the Submissions Inbox. We're Trying to Keep Up
In Less Than 24 Hours, Attackers Weaponize Cisco CUCM Flaw
New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root via Cloned Packets
Guardian Agents: The Next Layer of Identity Governance
Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack
Anthropic is testing desktop-like Claude Cowork for mobile
Russia Used Cellebrite on Jailed Activist's iPhone Months After Sales Cutoff
Surviving the Mythos Era: Richard Bejtlich on the Case for NDR
EdTech Attackers Shift From Schools to Their Software Suppliers
Order-tracking app Shop abused to push callback phishing attacks
Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability
Robinhood Cuts Access Approval Time to Support High-Velocity Development
Poland busts SIM-swapping gang tied to millions in crypto theft
New macOS malware embeds fake errors to confuse AI analysis tools
Local Police Collusion Hampers Crackdown on Asian Scam Centers
The Four Elevations of Effective Fraud Prevention
Bluekit phishing kit adopts browser-in-the-middle for login theft
New Gaslight macOS Malware Uses Prompt Injection to Disrupt AI-Assisted Analysis
New Mistic Backdoor Linked to KongTuke in ClickFix and ModeloRAT Campaigns
Microsoft quietly extends free Windows 10 ESU support to October 2027
Segmentation Works for OT If Operators Are Paying Attention
2026 FIFA World Cup Faces Surge in Cyber Threats
Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access
Do CISOs Need a Code of Ethics?
ThreatsDay Bulletin: Smart TV Proxyware, 24-Year curl Bug, AI Crime Forums + 13 More Stories
Webinar: Why account takeovers remain one of the hardest threats to stop
The Beginning of the End of Social Engineering
Europe Evolves Into Ransomware's Favorite Region
Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered
Google releases new privacy controls for activity history, personalization
CISA Warns Critical Lantronix EDS5000 Flaw Is Being Actively Exploited
Apple's MacOS Gap Lets Users Disable Security Tools
DraftKings hacker 'Snoopy' sentenced to 18 months in prison
Mandiant reveals how Cisco SD-WAN zero-day attacks gained root access
Attackers Hit Cisco SD-WAN Flaw 2 Months Before Disclosure
Claude Fable 5 Doesn't Change the Mythos Security Story
DoJ Seizes Huione Cloud Account Tied to Cyber Scam Money Laundering
More Malicious OpenClaw Skills Threaten AI Supply Chain
Malicious Edge extension abuses Native Messaging as bridge to malware
Crypto Heist Fueled by Elaborate Fake Reputation-Boosting Campaign
UK Social Media Ban for Minors Has Privacy Experts Worried
Security Community Slams US Ban on Exporting Mythos, Fable
The Invisible Battlefield: How Cyberwar Is Reshaping Everyday Life
AI Slop Will Kill Cybersecurity Storytelling If We Let It
Stealthy Mistic backdoor linked to ransomware access broker KongTuke
Cordyceps CI/CD Flaws Expose 300+ GitHub Repositories to Supply-Chain Attacks
Researchers Detail DifyTap Flaws in Dify That Could Expose AI Chats Across Tenants
Google Sets Sept. 30 Deadline for Android Developer Verification in Four Countries
AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution
Orphaned AI Agents: How to Find Hidden Access Risks Inside Your Network
Junior Hacker Used Tailscale and OpenSSH to Keep Access After His C2 Went Offline
Who Runs the Ransomware Group ‘The Gentlemen?’
Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts
FortiBleed Attackers Turn Firewalls Into Credential Stealers as Heists Persist
Operation Escaneo Signals Shift in LatAm Threat Landscape
INC Ransomware Thrives by Mastering the Basics
'Lorem Ipsum' Malware Pivots to ClickFix Delivery
China-Nexus Actor Spies on US Researchers Undetected for a Year
ShinyHunters Uses Oracle Zero-Day to Rampage Higher Ed
Bug Bounty Research Triggers ServiceNow Security Alert
Blame AI: Patch Tuesday Hits Record 206 CVEs
CISA warns of max severity Ubiquiti flaws exploited in attacks
Amadey, StealC malware operations disrupted in Operation Endgame action
Securing the service desk: Why social engineering attacks keep succeeding
Cisco Unified CM Flaw Exploited After PoC Reveals File-Write Path to Root
Dawn of the Apex Agentic Adversary
FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation
Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys
Operation Endgame Disrupts SocGholish Servers, Cleans 14,971 WordPress Sites
CISA Warns Fortinet Customers as FortiBleed Hits 86,644 FortiGate Devices
Microsoft Confirms RoguePlanet Defender Zero-Day, Says Patch is in Development
Adversarial Exposure Validation Turns Security Visibility into Confident Prioritization
Healthtech firm Xolis suffers data breach impacting 1.4 million people
The Exploit Doesn't Exist. You Can Still Prove It Works Against You
Patch Tuesday, May 2026 Edition
Scope of Salesforce Attacks Expands as Icarus Leaks Data
SocGholish Takedown Highlights Malicious TDS Threats
DifyTap Bugs Let Attackers 'Wiretap' AI Chat Histories
Stressors, AI Forcing Changes to Cybersecurity Teams
EU Gets a Head Start in Developing 6G Network Security
Sweeping Credential-Harvesting Heist Compromises 30K+ Fortinet Devices
Fileless Phantom Stealer Targets Browser Credentials
HTTP/2 Bomb Attacks Put Telcos, Healthcare Orgs at Risk
Copilot 'SearchLeak' Attack Allows 1-Click Data Theft
Max-Severity Ivanti Flaw Exploited 24 Hours After Disclosure
Chinese, N. Korean Threat Groups Build on Asia-Pacific Success
CISA Rewrites Federal Patching Requirements for AI Threat Era
Nightmare-Eclipse Drops Yet Another Microsoft Exploit, RoguePlanet
Microsoft Exchange Flaw Lets Attackers Spoof Any Email Address
Miasma Supply Chain Worm Burrows Into 73 Microsoft Repositories
Agentic AI: The Weapon That No Longer Needs a Warrior
Malicious npm Packages Pose as PostCSS Tools to Deliver Windows RAT
OpenAI Expands Daybreak With GPT-5.5-Cyber to Help Defenders Patch Security Flaws
New OXLOADER Loader Uses Malicious Google Ads to Deliver CastleStealer
Stop Your Legacy Infrastructure from Hijacking Your AI Agents
⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
Canada’s Spy Agency Used First-of-Its-Kind Warrant to Clean Botnet-Infected Devices
AryStinger Malware Infects 4,300 Legacy Routers to Build Reconnaissance Proxy Network
INTERPOL Warns Phishing, Ransomware, and AI Scams Are Rising Across Asia-Pacific
The Gentlemen RaaS Uses GentleKiller EDR Framework Targeting 400 Security Processes
Apple Patches Beats Studio Buds Flaw Letting Nearby Attackers Spy via Microphone
F5 Patches Two Critical NGINX Open Source Flaws Enabling Remote Code Execution
ThreatsDay Bulletin: Claude Chat Abuse, NastyC2 npm Packages, Device-Code Phishing + 25 More Stories
INC Ransomware Emerges as Major RaaS Threat in 2026 with 830+ Victims Since 2023
The Scripts on Your Checkout Page Are Now a PCI DSS Problem
The Top 10 Attack Surface Exposures in 2026
145 Mastra npm Packages Compromised via Hijacked Contributor Account
Google Vertex AI SDK Flaw Let Attackers Hijack Model Uploads via Bucket Squatting
Tata Electronics confirms cyberattack as hackers leak data
Windows 11 KB5095093 update rolls out new Point-in-Time restore feature
New macOS ClickFix attack silently mounts DMGs to push infostealer
Scattered Spider members plead guilty to hacking Transport for London
Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks
Lawmakers Demand Answers as CISA Tries to Contain Data Leak
He Thought He Was Secure; His Phone Number Was Stolen Anyway
Novo Nordisk Breach Highlights Software Development Pipeline Risk
Salesforce Data Thefts Continue via Klue App Compromise
Get Out of Security Debt by Tackling the Exposure Problem
SprySOCKS Windows Variant Abuses Kernel Drivers to Evade Detection
Rokarolla Android Trojan Levels Up to Full Device Control, Persistence
Most CISOs Report Pressure to Bury Bad Security News
US Cracks Down on Anthropic AI Models Amid Abuse Concerns
Phishing Attack Volume Down 20%, But Risk Still Rising
AI Risk Worries Insurers & Businesses Alike
Russian Attackers Weaponize WinRAR Flaw Against Ukrainian Orgs
Fake AI Agent Skill Passed Security Scans and Reportedly Reached 26,000 Agents
Trump Order Sets 2030 Deadline for Federal Post-Quantum Crypto Migration
GitHub Updates actions/checkout to Block Common Pwn Request Attack Patterns
WhatsApp VBScript Campaign Uses Fake Documents to Install ManageEngine RMM Tool
ShapedPlugin WordPress Pro Plugins Backdoored in Supply Chain Attack
29-Year-Old Squid Proxy Bug 'Squidbleed' Can Leak Cleartext HTTP Requests
From Assistive to Agentic: The AI Shift That's Redefining Threat Management
Forget Data Leakage: Shadow AI's Real Threat Is Access Control
Salesforce Disables Klue App Integration After OAuth Token Abuse Exposes Customer Data
Microsoft Details Windows Clipper Malware Campaign Using USB LNK Worm and Tor-Based C2
DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic
Crypto Clipper Campaign Abuses Fake Reviews, AI Narrators, and VirusTotal Comments
Malicious JetBrains Plugins Steal AI API Keys as Chrome Extensions Capture Chatbot Chats
CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution
Cisco Unified CM flaw CVE-2026-20230 now exploited in attacks
Scattered Spider Hackers Plead Guilty on Day 1 of Trial
A Record-Breaking Patch Tuesday for June 2026
Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada
CISA Admin Leaked AWS GovCloud Keys on Github
'Cordyceps': Mushrooming Malicious Pull Requests Threaten Developer Workflows
FIFA Bug Exposes World Cup Streams to Remote Takeover
Silent Ransom Group Hits US Law Firms in Escalating Extortion Attacks
Bug Bounty Radar
Hand-picked programs with live scope and standout rewards to help you focus your next responsible disclosure run.
FastAPI Cloud
HackerOne • Updated 2024-05-18
Prototype pollution in async workers and GraphQL stitching flaws.
Scope: api.fastapicloud.com, *.fastapicloud.com
Program brief →Supply Chain Monitor
Bugcrowd • Updated 2024-05-22
Dependency confusion, pipeline breakout, and artifact poisoning.
Scope: *.scm.dev, api.scm.dev
Program brief →Secure Notes
Intigriti • Updated 2024-05-17
OAuth misconfigurations, storage isolation, and advanced XSS chains.
Scope: app.securenotes.io, api.securenotes.io
Program brief →OpenTelemetry Hub
YesWeHack • Updated 2024-05-20
Collector escapes, tenant isolation bugs, and SSRF via exporters.
Scope: *.otelhub.dev
Program brief →