UNPWNED SECURITY BLOG
Ship secure,
not sorry.
Guides, checklists, and real-world security fixes for developers who build fast and ship often.
Two SonicWall SMA 1000 Zero-Days Actively Exploited in the Wild
SonicWall has confirmed active exploitation of two zero-days in its SMA 1000 appliances, including a CVSS 10.0 SSRF flaw that allows unauthenticated remote command execution.
Two Joomla Extensions Hit by Maximum-Severity Zero-Day Exploits
CISA added two CVSS 10.0 flaws in the iCagenda and Balbooa Forms Joomla extensions to its KEV catalog after reports of active zero-day exploitation in the wild.
Injective SDK on npm Infected with Cryptocurrency Wallet Stealer
Attackers compromised the Injective Labs GitHub repo and pushed a malicious npm package that stole crypto wallet private keys and seed phrases from developers.
SkillCloak: How Malicious AI Agent Skills Evade Static Scanners
Researchers show that malicious add-on skills for AI coding agents can bypass static scanners over 90% of the time using simple packing tricks. Here is what small teams need to know.
FBI Seizes NetNut Proxy Platform Linked to Popa Botnet of Two Million Devices
The FBI seized hundreds of domains tied to NetNut, a residential proxy service connected to the Popa botnet, which compromised at least two million devices without owner consent.
Azure CLI Password Spray Hits at Least 78 Microsoft Accounts in 81 Million Attempts
Researchers at Huntress tracked a massive automated password spray campaign targeting Azure CLI, compromising dozens of accounts across 81 million login attempts.
Hijacked npm and Go Packages Deploy Python Infostealer via VS Code Tasks
Researchers found hijacked npm and Go packages that use VS Code task files to silently deploy a Python infostealer on Windows, Linux, and macOS developer machines.
Poland Busts SIM-Swapping Gang Tied to Millions in Crypto Theft
Polish authorities arrested four cybercriminals who breached telecom partners and hijacked email accounts to steal millions via SIM-swapping attacks.
Cisco Unified CM SSRF Flaw CVE-2026-20230 Now Actively Exploited
A high-severity SSRF vulnerability in Cisco Unified Communications Manager is being actively exploited. Here is what small teams need to know and do right now.
INTERPOL: Phishing, Ransomware, and AI Scams Are Rising Across Asia-Pacific
INTERPOL's 2025/2026 Asia-Pacific cyberthreat report documents a dramatic rise in phishing, ransomware, and AI-powered scams. Here is what small teams need to know.
CISA Warns Fortinet Users to Secure Devices After FortiBleed Credential Leak
Nearly 74,000 Fortinet firewall and VPN credentials were exposed in the FortiBleed leak. CISA is urging all Fortinet customers to act immediately.
CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution
CISA added CVE-2026-48907, a CVSS 10.0 flaw in the Joomla JCE editor plugin, to its KEV catalog after confirming active exploitation in the wild.
FBI Disrupts AI-Powered Phishing Service Behind One Million Malicious URLs
The FBI, Google, and Black Lotus Labs dismantled Outsider Enterprise, a Chinese phishing-as-a-service platform that used AI to generate thousands of credential-stealing sites.
Japanese Energy Firm Loses Drive With Data of 10.9 Million Clients
Kyushu Electric Power lost a physical storage drive containing private data on nearly 11 million customers. Here is what happened and what small teams should learn from it.
Ivanti Sentry Critical Flaw Allows Remote Root Code Execution
Ivanti patched a maximum-severity vulnerability in its Sentry gateway that lets remote attackers run arbitrary code as root. Here is what small teams need to know.
Meta AI Support System Abused to Hijack Over 20,000 Instagram Accounts
Attackers exploited Meta's AI-powered support system to reset passwords and steal Instagram accounts. Here is what small teams need to know and do right now.
Cisco Catalyst SD-WAN Zero-Day Actively Exploited for Root Access
Cisco is warning of an unpatched high-severity zero-day in Catalyst SD-WAN Manager (CVE-2026-20245) that attackers are actively exploiting to gain root privileges.
VS Code Zero-Day Lets Attackers Steal GitHub Tokens in One Click
A newly disclosed VS Code zero-day vulnerability allows attackers to steal GitHub authentication tokens by tricking developers into clicking a single malicious link.
WP Maps Pro Bug Exploited to Create Admin Accounts on WordPress Sites
A vulnerability in the WP Maps Pro WordPress plugin is being actively exploited to create unauthorized admin accounts. Here is what small teams need to know.
Kimsuky Uses HTTPSpy and VS Code Tunnels in Targeted Attacks on Military and Corporate Networks
North Korean state actor Kimsuky has expanded its toolkit with HTTPSpy and HelloDoor malware, and is abusing VS Code Tunnels to blend into developer environments.
KnowledgeDeliver Zero-Day Exploited to Plant Web Shells on LMS Servers
Attackers exploited a critical unpatched flaw in the KnowledgeDeliver LMS to deploy the Godzilla web shell, giving them persistent backdoor access to compromised servers.
TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and Crates.io
A coordinated attack campaign named TrapDoor planted credential-stealing malware across npm, PyPI, and Crates.io in over 34 packages and 384 versions starting May 22, 2026.
CISA Flags Actively Exploited Vulnerabilities in Langflow and Trend Micro Apex One
CISA added two actively exploited vulnerabilities to its KEV catalog, including a critical flaw in the Langflow AI platform. Here is what small teams need to know.
Grafana GitHub Breach Exposes Source Code via TanStack npm Attack
Grafana Labs confirmed a breach limited to its GitHub environment after a compromised TanStack npm package exposed public and private source code repositories.
Pwn2Own Berlin 2026: Researchers Earned $1.3 Million Exploiting 47 Zero-Days
Security researchers collected $1,298,250 at Pwn2Own Berlin 2026 by exploiting 47 zero-day vulnerabilities. Here is what the results mean for small teams.
On-Prem Microsoft Exchange Server CVE-2026-42897 Exploited via Crafted Email
Microsoft disclosed CVE-2026-42897, an actively exploited spoofing flaw in on-premise Exchange Server rooted in a cross-site scripting bug with a CVSS score of 8.1.
US Congress Demands Answers After ShinyHunters Breach Hits Canvas Learning Platform
ShinyHunters breached Instructure's Canvas platform twice, stealing student data and disrupting schools during final exams. Now Congress wants answers from the company.
Hackers Abuse Google Ads and Claude.ai Chats to Deliver Mac Malware
Attackers are using Google Ads and legitimate Claude.ai shared chat URLs to trick Mac users into installing malware. Here is what happened and how to protect yourself.
Canvas Breach Disrupts Schools and Colleges Nationwide
A data extortion attack hit Canvas, the widely-used education platform, defacing its login page and threatening to leak data from 275 million students and faculty.
Quasar Linux Malware Targets Software Developers with Rootkit and Credential-Stealing Capabilities
A new Linux implant called Quasar Linux is targeting developers with rootkit, backdoor, and credential-stealing features. Here is what you need to know.
Instructure Confirms Data Breach as ShinyHunters Claims Responsibility
Educational tech company Instructure has confirmed a data breach after the ShinyHunters extortion group claimed the attack. Here is what developers should know.
Bluekit Phishing Service Bundles AI Assistant and 40 Attack Templates
A new phishing-as-a-service tool called Bluekit lowers the bar for attackers with 40+ brand templates and an AI assistant for writing convincing lures.
LiteLLM CVE-2026-42208: A Critical SQL Injection Exploited Within 36 Hours
A critical SQL injection flaw in the popular LiteLLM Python package was exploited in the wild within 36 hours of public disclosure. Here is what developers need to know.
American Utility Firm Itron Discloses Breach of Internal IT Network
Itron filed an SEC 8-K disclosing unauthorized access to internal systems. Here is what happened and what small teams can learn from this incident.
Hackers Exploit File Upload Bug in Breeze Cache WordPress Plugin
A critical unauthenticated file upload vulnerability in the Breeze Cache WordPress plugin is being actively exploited. Here is what small teams need to know and do now.
Over 1,300 SharePoint Servers Remain Vulnerable to Active Spoofing Attacks
More than 1,300 Microsoft SharePoint servers are still unpatched against a spoofing flaw that was first exploited as a zero-day and remains under active attack.
French Government Agency Confirms Breach as Hacker Sells Citizen Data
France Titres, the agency that issues French identity documents, confirmed a data breach after a threat actor claimed responsibility and began selling stolen citizen data online.
Next.js Middleware Auth Bypass: What CVE-2025-29927 Means for Your Site
A critical Next.js vulnerability lets attackers skip middleware auth checks by sending a single HTTP header. If your site uses middleware for route protection, this is the first thing to patch.
How to Fix Exposed .env Files Before Hackers Find Them
Your .env file contains your database password, API keys, and secrets. Here is how to check if it is exposed and fix it in 5 steps.
7 Security Mistakes AI Code Generators Make (and How to Fix Them)
AI-generated code is 2.74x more likely to have security flaws. These are the 7 most common mistakes and how to catch them.
The Web Security Checklist Every Indie Hacker Needs
15 security checks grouped by category. SSL, headers, secrets, auth, and database. Covers everything you need before shipping.
Want to know if your site has these issues?
SCAN YOUR SITE FREE