We somehow went from "script kiddies are bad" to giving any random office worker the power to launch hundreds of programs that will hammer unknown servers across the web to make mediocre PowerPoint presentations.

Not to mention the massive usage spikes that are now hitting public software and data repositories.

What a world.

(microsoft.com) Storm-2949: A Sophisticated Cloud-Centric Attack Leveraging Identity Compromise and Legitimate Azure Features for Data Exfiltration

Storm-2949 exploited identity compromise and legitimate Azure features to exfiltrate sensitive data from cloud environments, bypassing MFA via SSPR abuse.

In brief - Threat actor Storm-2949 targeted cloud infrastructure by abusing Microsoft’s Self-Service Password Reset (SSPR) to bypass MFA, gaining persistent access to high-value accounts. The attack leveraged Azure management tools for lateral movement and data exfiltration, emphasizing the risks of identity-driven cloud threats.

Technically - Storm-2949 initiated the attack via SSPR abuse and social engineering to enroll rogue MFA devices. Post-compromise, they used Microsoft Graph API for directory discovery, exfiltrated data from OneDrive/SharePoint, and exploited custom RBAC roles to access Azure Key Vault, Storage, and SQL databases. Azure VM extensions (VMAccess, Run Command) were abused to create backdoor accounts and deploy ScreenConnect for persistence. Defense evasion included disabling Microsoft Defender Antivirus and clearing forensic artifacts.

Source: https://www.microsoft.com/en-us/security/blog/2026/05/18/storm-2949-turned-compromised-identity-into-cloud-wide-breach/

#Cybersecurity #ThreatIntel

How Storm-2949 turned a compromised identity into a cloud-wide breach | Microsoft Security Blog

Storm-2949 turned stolen credentials into a cloud-wide breach, moving from identity compromise to large-scale data theft without using malware. This incident shows how threat actors can exploit trusted systems to operate undetected.

Microsoft Security Blog
"Write Windows 12, make no mistakes." 😂😂

RubyGems Suspends New Sign-ups After Hundreds of Malicious Packages Are Uploaded.

RubyGems, the standard package manager for the Ruby programming language, has temporarily paused account sign-ups following what has been described as a "major malicious attack."

"We're dealing with a major malicious attack on Ruby Gems right now," Maciej Mensfeld, senior product manager for software supply chain security at Mend.io, said in a post on X. "Signups are paused for the time being. Hundreds of packages involved – mostly targeting us, but some carrying exploits."

https://x.com/maciejmensfeld/status/2054164602577940619

⁉️Visitors to RubyGems' sign-up page are now greeted with the message: "New account registration has been temporarily disabled."⁉️

https://rubygems.org/sign_up

#rubygems #security #privacy #media #secure #ruby #programming #developer #infosec #tech #news

(manifold.security) High-Severity Access Control Bypass in mcp-server-kubernetes Enables Full Cluster Compromise

New high-severity access control bypass (CVE-2026-46519, CVSS 8.8) in the mcp-server-kubernetes npm package enables full Kubernetes cluster compromise. Attackers can bypass environment variable restrictions (e.g., ALLOW_ONLY_READONLY_TOOLS) to execute destructive tools like kubectl_delete, even in read-only mode.

In brief - A critical flaw in mcp-server-kubernetes (CVE-2026-46519) allows attackers to bypass access controls, potentially leading to full cluster compromise if the MCP server runs with cluster-admin privileges. Patch to v3.6.0 immediately.

Technically - The vulnerability arises from inconsistent enforcement of access controls between the discovery (tools/list) and execution (tools/call) layers. Environment variables like ALLOW_ONLY_READONLY_TOOLS are ignored in the execution handler (src/index.ts), enabling direct invocation of restricted tools via crafted HTTP requests. Fixed in v3.6.0 by applying filter checks to the execution layer.

Source: https://www.manifold.security/blog/mcp-server-kubernetes-readonly-bypass

#Cybersecurity #ThreatIntel

CVE-2026-46519: mcp-server-kubernetes Read-Only Bypass - Manifold Security

CVE-2026-46519: a high-severity access control bypass in mcp-server-kubernetes lets any client invoke restricted tools. Fixed in v3.6.0. Vertical
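Added example (not code from mcp-server-kubernetes or Manifold Security): a toy MCP-style tool registry in TypeScript that reproduces the list/call inconsistency described in the post and the fix of re-applying the same filter at the execution layer. The tool names and the ALLOW_ONLY_READONLY_TOOLS variable come from the post; the registry shape, the `readOnly` flag and the request helpers are assumptions.

```typescript
// Added illustration, not the project's own code. The registry shape and
// the readOnly flag are assumed; only the tool names and the environment
// variable name come from the advisory summary above.
type Env = Record<string, string | undefined>;
type Tool = { name: string; readOnly: boolean; run: () => string };

const TOOLS: Tool[] = [
  { name: "kubectl_get", readOnly: true, run: () => "listed pods" },
  { name: "kubectl_delete", readOnly: false, run: () => "deleted pod" },
];

// Policy derived from the environment. Keeping it in one function means
// the discovery and execution layers cannot drift apart.
function readOnlyMode(env: Env): boolean {
  return env.ALLOW_ONLY_READONLY_TOOLS === "true";
}

function allowed(tool: Tool, env: Env): boolean {
  return !readOnlyMode(env) || tool.readOnly;
}

// tools/list: filtered in both versions, so a well-behaved client never
// sees kubectl_delete while read-only mode is on.
function listTools(env: Env): string[] {
  return TOOLS.filter((t) => allowed(t, env)).map((t) => t.name);
}

// Vulnerable tools/call: trusts that the client only invokes tools it was
// shown, so a request naming kubectl_delete directly still runs.
function callToolVulnerable(name: string, _env: Env): string {
  const tool = TOOLS.find((t) => t.name === name);
  return tool ? tool.run() : "error: unknown tool";
}

// Fixed tools/call: the execution layer re-applies the same filter, so the
// policy holds regardless of how the request was constructed.
function callToolFixed(name: string, env: Env): string {
  const tool = TOOLS.find((t) => t.name === name && allowed(t, env));
  return tool ? tool.run() : "error: tool not available";
}
```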

After EV maker Fisker's collapse, ~4,000 car owners formed a nonprofit to keep their cars working by reverse-engineering software and building open-source tools (Fred Lambert/Electrek)

https://electrek.co/2026/05/16/fisker-ocean-open-source-ev-story-after-bankruptcy/
http://www.techmeme.com/260518/p11#a260518p11

Fisker went bankrupt and owners built open source car company from the ashes

After Fisker's bankruptcy left 11,000 Ocean EVs orphaned, a 4,000-member community reverse-engineered software, hacked CAN buses, and kept their cars alive.

Electrek

RE: https://infosec.exchange/@BleepingComputer/116590444904441602

Adapt your Conditional Policies to block this.