Malcolm v26.06.0 is primarily a security hardening release, addressing fifteen vulnerabilities (2 high severity, 6 medium, and 7 low) identified in a security assessment. Bug fixes address an issue with the zeek container causing performance degradation over time and a fix for duplicate virtual machine entries in NetBox autopopulation. A few component versions have also been updated.

If you are upgrading from an existing Malcolm installation, run ./scripts/status for Malcolm to migrate some settings prior to running ./scripts/configure, ./scripts/start, or other Malcolm control scripts.

https://github.com/idaholab/Malcolm/compare/v26.05.2...v26.06.0

  • 🛡️ Security Remediation & Hardening (#996)
    • Unauthenticated reflected XSS / open redirect in /dashboards/app/refred; also added Content-Security-Policy framing headers (frame-ancestors, base-uri, form-action) and X-Frame-Options: SAMEORIGIN globally to mitigate clickjacking (#997)
    • Authenticated command injection in filebeat container via SFTP-uploaded filename (#998)
    • Password stored as MD5-crypt for SFTP (#1009)
    • Authenticated archive zip-slip file write in filebeat container (#999)
    • OpenSearch path injection via /mapi/fields?template (#1000)
    • submit.php Location: open redirect via Referer (#1007)
    • htadmin proxied with no nginx auth gate (#1003)
    • Keycloak OIDC ssl_verify always set to false (#1006)
    • NetBox SUPERUSER_PASSWORD=admin shipped default (#1011)
    • RBAC defaultdict(lambda: True) fail-open for unlisted handlers in Malcolm API (#1004)
    • Read-only Arkime deny-regex omits addtags/removetags (#1008)
    • Read-only deployment allows POST /mapi/event (#1002)
    • WISE auth path selectable by client User-Agent (#1001)
    • ARKIME_PASSWORD_SECRET=Malcolm shipped default (#1005)
    • requests CVE bump reverted in logstash image (#1010)
    • Fix API auth errors and hide NGINX version disclosure (#989)
  • 🐛 Bug fixes
    • auto-discovered Virtual Machines in NetBox seem to allow for duplicates (#978)
    • Ensure the list of archive file types supported by Malcolm for uploading Zeek logs (application/gzip,application/vnd.rar,application/x-7z-compressed,application/x-bzip2,application/x-cpio,application/x-gzip,application/x-lzip,application/x-lzma,application/x-rar-compressed,application/x-tar,application/x-xz,application/zip) is consistently used across the platform.
    • zeek container continually grows /usr/local/zeek/crontab, causing Malcolm performance to gradually worsen (#1015)
  • ✅ Component version updates
  • 🧹 Code and project maintenance
    • Fixed some incorrect links in documentation (#988, thanks @jsoref)
    • Refactored NGINX error pages configuration into its own include file and added a 401.html page
  • 📄 Configuration changes for Malcolm (in environment variables in ./config/). The Malcolm control script (e.g., ./scripts/status, ./scripts/start) automatically handles creation and migration of variables according to ./config/env-var-actions.yml.

Malcolm is a powerful, easily deployable network 🖧 traffic analysis tool suite for network security monitoring 🕵🏻‍♀️.

Malcolm operates as a cluster of containers 📦, isolated sandboxes which each serve a dedicated function of the system. This makes Malcolm deployable with frameworks like Docker 🐋, Podman 🦭, and Kubernetes ⎈. Check out the Quick Start guide for examples on how to get up and running.

Alternatively, dedicated official ISO installer images 💿 for Malcolm and Hedgehog Linux 🦔 can be downloaded from Malcolm's releases page on GitHub. Due to limits on individual files in GitHub releases, these ISO files have been split 🪓 into 2GB chunks and can be reassembled with scripts provided for both Bash 🐧 (release_cleaver.sh) and PowerShell 🪟 (release_cleaver.ps1). See Downloading Malcolm - Installer ISOs for instructions.

As always, join us on the Malcolm discussions board 💬 to engage with the community, or pop some corn 🍿 and watch a video 📼.

#Malcolm #HedgehogLinux #Zeek #Arkime #Strelka #NetBox #OpenSearch #Elasticsearch #Suricata #PCAP #NetworkTrafficAnalysis #networksecuritymonitoring #OT #ICS #icssecurity #CyberSecurity #Cyber #Infosec #INL

Release Malcolm v26.06.0 · idaholab/Malcolm

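The "RBAC defaultdict(lambda: True) fail-open" item above (#1004) names a pattern worth seeing in code: a permission table whose default value is "allow" silently permits any handler that was never listed, so the safe default is to deny on a miss. The following is an added example written for this post, not Malcolm's own code; the handler names, the policy table, the log lines and the /mapi/ path prefix in the sample log are constructed for illustration and are not taken from Malcolm's configuration.

```python
"""Fail-open vs. fail-closed authorization for unlisted API handlers (added example)."""
import re
from collections import defaultdict

# Constructed policy: which handlers a read-only deployment may serve.
# True = permitted in read-only mode, False = blocked.  "event" is blocked
# because creating an event is a write.
READ_ONLY_HANDLERS = {
    "fields": True,
    "event": False,
}


def fail_open_table():
    """The anti-pattern: a defaultdict whose factory returns True.

    Any handler missing from READ_ONLY_HANDLERS is materialised as allowed the
    first time it is looked up, so a newly added or misspelled handler name is
    served without anyone ever granting it.
    """
    table = defaultdict(lambda: True)
    table.update(READ_ONLY_HANDLERS)
    return table


def authorize_fail_open(handler):
    """Original behaviour: unlisted handler -> True."""
    return fail_open_table()[handler]


def authorize_fail_closed(handler):
    """Hardened behaviour: a plain dict lookup with an explicit deny default."""
    return READ_ONLY_HANDLERS.get(handler, False)


# Constructed access-log lines (not real Malcolm output) for the audit below.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - readonly [01/Jun/2026:10:00:01 +0000] "GET /mapi/fields?template=x HTTP/1.1" 200',
    '10.0.0.5 - readonly [01/Jun/2026:10:00:02 +0000] "POST /mapi/event HTTP/1.1" 403',
    '10.0.0.5 - readonly [01/Jun/2026:10:00:03 +0000] "POST /mapi/someNewHandler HTTP/1.1" 200',
]

_HANDLER_RE = re.compile(r'"(?:GET|POST|PUT|DELETE) /mapi/([A-Za-z_][A-Za-z0-9_]*)')


def audit_access_log(lines):
    """Return the sorted set of handlers requested that the policy never lists.

    Every name returned is one a fail-open table would have served by default;
    each should either be added to the policy explicitly or stay denied.
    """
    unlisted = set()
    for line in lines:
        m = _HANDLER_RE.search(line)
        if m and m.group(1) not in READ_ONLY_HANDLERS:
            unlisted.add(m.group(1))
    return sorted(unlisted)


if __name__ == "__main__":
    for h in ("fields", "event", "someNewHandler"):
        print(f"{h:16} fail-open={authorize_fail_open(h)!s:5} fail-closed={authorize_fail_closed(h)}")
    print("unlisted handlers seen in log:", audit_access_log(SAMPLE_ACCESS_LOG))
```

The audit function is the check a reviewer can run against real access logs after a fix like #1004 lands: anything it reports is a handler that the deny-by-default table now refuses and that must be listed deliberately if it is meant to be reachable in read-only mode.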

Program of the lernOS Convention 2026

There are only three more weeks until the lernOS Convention, and anyone who still wants to come to the castle in Nürnberg needs to hurry: only 10 seats are left. In AI Crowdsourcing 2026, 27 field-tested AI use cases were submitted, which you can try out and rate until June 22. And of course this KCLO includes a Workhack again.

KEEP CALM & […]

#crowdsourcing #ics #loscon26 #outlook #teams

https://cogneon.de/?p=67456

Mini Shai-Hulud Campaign Hits Red Hat Cloud Services npm Packages

A supply chain attack compromised multiple @redhat-cloud-services npm packages, executing malicious payloads automatically during installation via preinstall hooks. The attack uses AES-GCM encrypted payloads and obfuscated JavaScript loaders to harvest GitHub Actions secrets, npm tokens, cloud credentials (AWS, Azure, GCP), Kubernetes and Vault material, SSH keys, Git credentials, and cryptocurrency wallet files. The payload can daemonize on developer workstations, includes Russian-locale avoidance mechanisms, and exfiltrates stolen data through encrypted HTTPS channels with GitHub API fallback mechanisms. The campaign employs tactics similar to the publicly released Shai-Hulud toolkit, though attribution remains unclear due to the availability of open-source attack tooling.

Pulse ID: 6a1dde0e4e662ca1f8b4b0b2
Pulse Link: https://otx.alienvault.com/pulse/6a1dde0e4e662ca1f8b4b0b2
Pulse Author: AlienVault
Created: 2026-06-01 19:31:26

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AWS #Azure #Cloud #CyberSecurity #GitHub #HTTP #HTTPS #ICS #InfoSec #Java #JavaScript #NPM #OTX #OpenThreatExchange #RAT #RCE #Russia #SMS #SSH #SupplyChain #bot #cryptocurrency #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

📰 CISA Issues Urgent Advisories for Critical Flaws in ICS and OT Devices

⚠️ CISA issues urgent advisories for critical ICS/OT vulnerabilities. Flaws in Jinan USR, ABB, Schneider Electric products could lead to device takeover. A 9.8 CVSS flaw (CVE-2026-7786) has no patch available! 🏭 #ICS #OTsecurity #CISA

🌐 cyber[.]netsecops[.]io

🔗 https://cyber.netsecops.io/articles/cisa-warns-of-critical-ics-ot-vulnerabilities/?utm_source=mastodon&utm_medium=social&utm_campaign=daily

Kimsuky's Advanced Attack Techniques: JSONPing, Webex Spoofing, and a New HttpSpy Variant

Through April 2026, Kimsuky deployed sophisticated malicious campaigns against South Korean military and corporate entities using tailored social engineering tactics including fake security software installation pages and spoofed Webex meeting pages leveraging legitimate meeting schedules. The threat actor introduced a novel JSONPing technique allowing distribution pages to verify in real time whether victims executed the payload via JSONP queries to localhost servers. Analysis revealed a new HttpSpy variant with a three-stage execution chain replacing the previous single-binary architecture, utilizing RC4 encryption and shared infrastructure indicators. Attribution was confirmed through code pattern overlaps, reused encryption keys, XAMPP certificate fingerprints, and preferred ASN usage consistent with historical Kimsuky operations targeting South Korea.

Pulse ID: 6a19766cc7caf96e27eae35e
Pulse Link: https://otx.alienvault.com/pulse/6a19766cc7caf96e27eae35e
Pulse Author: AlienVault
Created: 2026-05-29 11:20:12

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Encryption #HTTP #HTTPS #ICS #InfoSec #Kimsuky #Korea #Military #OTX #OpenThreatExchange #RAT #SocialEngineering #SouthKorea #UK #bot #AlienVault


The Gentlemen ransomware: Dissecting a self-propagating Go encryptor

The Gentlemen is a ransomware-as-a-service operation tracked as Storm-2697, distinguished by combining robust per-file encryption using Curve25519 with XChaCha20 stream cipher alongside aggressive self-propagation capabilities designed for broad network compromise. Emerging in mid-2025 and transitioning to RaaS by September 2025, the operation recently partnered with BreachForums to recruit affiliates including penetration testers and initial access brokers. Written in Go and obfuscated with Garble, the ransomware employs double extortion tactics, encrypting data while exfiltrating sensitive information. It utilizes 21 distinct lateral movement techniques per target host, including PsExec, WMI, scheduled tasks, services, and PowerShell remoting. The malware disables defenses, deletes shadow copies and forensic artifacts, and can optionally wipe free disk space to prevent recovery, impacting organizations globally across education, transportation, healthcare, and finance sectors.

Pulse ID: 6a189defc88ad66cd0a9d87d
Pulse Link: https://otx.alienvault.com/pulse/6a189defc88ad66cd0a9d87d
Pulse Author: AlienVault
Created: 2026-05-28 19:56:31

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#ChaCha20 #CyberSecurity #ELF #Education #Encryption #Extortion #Healthcare #ICS #InfoSec #Malware #OTX #OpenThreatExchange #PowerShell #PsExec #RAT #RaaS #RansomWare #RansomwareAsAService #bot #AlienVault


Typosquatted npm packages used to steal cloud and CI/CD secrets

A supply chain attack targeting the npm ecosystem was identified involving 14 malicious packages published under the alias vpmdhaj. These packages typosquat well-known OpenSearch, ElasticSearch, and DevOps libraries, executing malicious payloads through npm lifecycle hooks during installation. The attack deploys a two-stage credential harvesting operation that targets AWS credentials, HashiCorp Vault tokens, GitHub Actions secrets, and npm publish tokens. The malware queries AWS Instance Metadata Service, ECS task metadata, and enumerates AWS Secrets Manager across multiple regions. Two stager variants were observed: an HTTP-based C2 beacon and a stealthier version abusing the legitimate Bun runtime. The stolen credentials enable cloud lateral movement and downstream supply chain attacks through compromised npm maintainer identities, specifically targeting developers working with cloud and CI/CD infrastructure.

Pulse ID: 6a192e1ac095630ef4d5d60f
Pulse Link: https://otx.alienvault.com/pulse/6a192e1ac095630ef4d5d60f
Pulse Author: AlienVault
Created: 2026-05-29 06:11:38

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AWS #Cloud #CredentialHarvesting #CyberSecurity #DevOps #GitHub #HTTP #ICS #InfoSec #Malware #NPM #OTX #OpenThreatExchange #RAT #SupplyChain #bot #developers #AlienVault

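Both of the npm supply-chain pulses above (the Red Hat Cloud Services compromise and the vpmdhaj typosquats) describe payloads that run from npm lifecycle hooks at install time. A routine defensive check is to enumerate which installed packages declare install-time scripts at all, so that a review can focus on them. The following is an added example written for these posts, not code from either pulse or from any vendor; the package names, versions and script commands it builds into a temporary directory are constructed for the demonstration.

```python
"""List installed npm packages that declare install-time lifecycle hooks (added example)."""
import json
import tempfile
from pathlib import Path

# Lifecycle scripts npm runs for a dependency during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_install_hooks(root):
    """Walk a directory tree (typically a project's node_modules) and return
    {package name: {hook: command}} for every package.json that declares one of
    INSTALL_HOOKS.  Packages without hooks are omitted; unreadable or malformed
    package.json files are skipped rather than aborting the scan."""
    findings = {}
    for pkg_json in sorted(Path(root).rglob("package.json")):
        try:
            data = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            continue
        if not isinstance(data, dict):
            continue
        scripts = data.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            findings[data.get("name", str(pkg_json.parent))] = hooks
    return findings


def build_sample_tree():
    """Create a constructed node_modules tree: one package with no hooks and one
    scoped package with a preinstall script.  Returns the tree's root path."""
    root = Path(tempfile.mkdtemp(prefix="npm-hook-audit-"))
    plain = root / "node_modules" / "example-plain"
    plain.mkdir(parents=True)
    (plain / "package.json").write_text(
        json.dumps({"name": "example-plain", "version": "1.0.0",
                    "scripts": {"test": "node test.js"}}), encoding="utf-8")
    scoped = root / "node_modules" / "@example-scope" / "example-hooked"
    scoped.mkdir(parents=True)
    (scoped / "package.json").write_text(
        json.dumps({"name": "@example-scope/example-hooked", "version": "2.3.4",
                    "scripts": {"preinstall": "node setup.js", "test": "jest"}}),
        encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    tree = build_sample_tree()
    for name, hooks in find_install_hooks(tree).items():
        for hook, cmd in hooks.items():
            print(f"{name}: {hook} -> {cmd}")
```

Run it against a real project by passing its directory to find_install_hooks; a short list of hook-declaring packages is what a reviewer should be reading before a fresh install in CI. Installing with `npm install --ignore-scripts` (an existing npm option) stops all such hooks from executing, at the cost of breaking packages that legitimately build native code in a postinstall step, so the inventory above tells you which packages that trade-off affects.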

Critical infrastructure is under constant cyber threat.
A proactive OT cybersecurity strategy is no longer optional for industries like Oil & Gas, Utilities, Manufacturing, and Transportation.

Discover how OT risk assessments, architecture reviews, vulnerability assessments, and penetration testing can strengthen operational resilience.

🔗 https://invictux.com/services/ot-cybersecurity-advisory/

#CyberSecurity #OTSecurity #ICS #SCADA #IndustrialCybersecurity #CriticalInfrastructure #OTCyber #RiskAssessment
