The News.
Daily intel.
Daily breach reporting, CVE disclosures, malware analyses, and threat campaigns. Yesterday's incidents, this morning's coverage — written by practitioners for the analysts and defenders who need it first.
Gemini CLI Prompt Injection Flaw Could Have Poisoned Google's Own Supply Chain
A critical prompt injection in Gemini CLI's --yolo mode allowed attackers to push arbitrary code to Google's repository. Patched in v0.39.1 (April 24, 2026).
Russia-Linked Hackers Breached Five Polish Water Treatment Plants, ABW Reports
Poland's Internal Security Agency reveals ICS breaches at five water treatment plants. Hackers gained control of PLCs and pump systems using default credentials.
CVE-2026-6973: Ivanti EPMM Zero-Day Exploited, 850+ Servers Exposed
CVE-2026-6973 is a new Ivanti EPMM RCE zero-day being actively exploited. Patches released for 12.6.1.1, 12.7.0.1, and 12.8.0.1. 850+ servers exposed globally.
TrustFall: AI Coding Agents Exploitable with One Enter Keypress
The TrustFall attack shows how malicious repos can hijack Claude Code, Cursor, Gemini CLI, and Copilot CLI with one keypress, enabling supply chain attacks in CI/CD pipelines.
CVE-2025-68670: Critical Pre-Auth RCE in xrdp Exposes Linux Remote Desktop Servers
CVE-2025-68670 is a CVSS 9.8 pre-authentication buffer overflow enabling RCE in the xrdp Linux remote desktop server. Upgrade to xrdp 0.10.5 or apply distro patches now.
PyPI Malware Campaign Abuses Zulip Chat API as Command-and-Control Channel
Three malicious PyPI packages deliver ZiChatBot malware using Zulip's REST API for covert C2. Kaspersky links tooling to APT32 (OceanLotus) with 64% code similarity.
PCPJack Cloud Worm Evicts TeamPCP and Steals 40+ Credential Types at Scale
PCPJack worm exploits 5 CVEs to compromise Docker, Kubernetes, and Next.js environments, stealing cloud credentials from 40+ services while evicting TeamPCP.
LLMs Used in OT Cyberattack Against Mexican Water Utility, Dragos Warns
Dragos reports that Claude and GPT were used to plan and execute a cyberattack on a Mexican water facility's OT systems. AI independently identified SCADA targets.
Daemon Tools Lite 12.5.1 Trojanized With Quic RAT in Build Pipeline Attack
Daemon Tools Lite 12.5.1 was compromised between April 8 and May 5, 2026, delivering Quic RAT to thousands of systems across 100+ countries. Upgrade to 12.6 now.