KENSAI Security Research
🔴 Critical Vulnerabilities
Chrome 146 Patches Two Exploited Zero-Days (CVE-2026-3909 & CVE-2026-3910)
Google released emergency patches for two high-severity zero-days actively exploited in the wild. CVE-2026-3909 (CVSS 8.8) is an out-of-bounds write in the Skia 2D graphics library; CVE-2026-3910 targets the V8 JavaScript engine. Both allow remote code execution via crafted HTML pages. Update Chrome immediately.
Critical HPE AOS-CX Vulnerability Allows Admin Password Resets
A critical vulnerability in HPE Aruba AOS-CX network switches allows unauthenticated remote attackers to bypass authentication controls and reset administrator passwords. Organizations running HPE AOS-CX should patch urgently — no user interaction required for exploitation.
9 "CrackArmor" Flaws in Linux AppArmor — Root Escalation & Container Escape
Qualys TRU disclosed nine confused deputy vulnerabilities in the Linux kernel's AppArmor module. Unprivileged users can escalate to root and break container isolation. These flaws undermine core Linux security guarantees. All major distributions are expected to release kernel patches this week.
WordPress "Ally" Plugin SQLi Exposes 200,000+ Sites
A SQL injection vulnerability in the popular Ally WordPress plugin (200K+ installs) allows attackers to inject queries and extract sensitive database contents. No patch available at time of disclosure. Site admins should deactivate the plugin until a fix is released.
💀 Data Breaches & Attacks
Starbucks Employee Data Breach via Phishing Campaign
Starbucks confirmed a data breach affecting employee data after phishing attacks targeted an internal employee portal. Hundreds of employees impacted with personal information exposed. Credential theft was the primary vector.
Iran-Linked Attack on Stryker Disrupts Manufacturing
Iranian threat actors attacked medical device manufacturer Stryker, disrupting manufacturing and shipping operations. Attackers used existing endpoint management tools (living off the land) rather than traditional malware to wipe devices. A significant supply chain impact for the healthcare sector.
Poland's Nuclear Research Centre Targeted by Cyberattack
Poland's National Centre for Nuclear Research (NCBJ) reported a cyberattack targeting its IT infrastructure. The attack was detected and blocked before causing impact, but the targeting of nuclear research institutions signals escalating geopolitical cyber operations in Europe.
🕷️ Threat Campaigns & Malware
Chinese APT CL-STA-1087 Targets SE Asian Militaries
Palo Alto Unit 42 uncovered a China-linked APT campaign targeting Southeast Asian military organizations since 2020. Using custom malware (AppleChris, MemFun), the group collected specific files on military capabilities and Western military cooperation. Demonstrates "strategic operational patience" — highly targeted intelligence collection, not bulk theft.
Storm-2561: Trojanized Enterprise VPN Clients via SEO Poisoning
Microsoft disclosed Storm-2561's campaign distributing fake VPN clients from Ivanti, Cisco, and Fortinet through SEO poisoning. Users searching for legitimate enterprise VPN software are redirected to attacker-controlled sites serving digitally signed trojans that steal VPN credentials. All enterprise VPN admins should issue download source advisories.
GlassWorm Escalates: 72 Malicious Open VSX Extensions
A major escalation of the GlassWorm supply-chain campaign now abuses extensionPack and extensionDependencies in the Open VSX registry to create transitive infection chains across 72 extensions. Developers using VS Code alternatives with Open VSX should audit their installed extensions immediately.
AppsFlyer SDK Hijacked for Crypto-Stealing Supply Chain Attack
The AppsFlyer Web SDK was temporarily compromised with malicious JavaScript code designed to steal cryptocurrency. This supply-chain attack affected sites integrating the popular marketing analytics SDK. The malicious code has been removed, but sites that cached the SDK may still be serving it.
⚖️ Law Enforcement Operations
INTERPOL Operation Synergia III: 45,000 IPs Sinkholed, 94 Arrested
INTERPOL's largest cybercrime crackdown yet involved 72 countries, sinkholing 45,000 malicious IPs and seizing 212 servers. 94 arrests made with 110 more under investigation. Targets included phishing, malware distribution, and ransomware infrastructure. Bangladesh alone saw 40 arrests and 134 devices seized.
SocksEscort Proxy Botnet Dismantled — 369,000 Devices Across 163 Countries
Court-authorized international operation took down SocksEscort, a criminal proxy botnet that infected 369,000 residential routers with AVrecon malware since 2020. The service sold access to compromised home routers for fraud operations, with 2,500 US-based devices among ~8,000 active nodes.
FBI Investigates Malware Spread via Steam Games
The FBI is seeking victims who installed eight malicious games uploaded to Steam that contained malware. The investigation targets a campaign that used the gaming platform as a malware distribution vector. Gamers who installed unknown titles in recent weeks should scan their systems.
🛡️ Security Tools & Industry
Bold Security Emerges From Stealth — $40M Funding
Bold Security launched with $40M in funding, using AI to turn endpoints into active security agents that understand user behavior and provide real-time protection. Represents the industry's continued shift toward autonomous, AI-driven endpoint security.
Onyx Security Launches — $40M for AI Agent Oversight
Onyx Security launched with $40M to build a control plane for overseeing autonomous AI agents. Directly relevant to the emerging AI governance market — helping organizations safely adopt AI agents while maintaining security controls.
Google Paid $17M in Bug Bounties in 2025
Google's 2025 bug bounty program paid out $17M total — $3.7M for Chrome vulnerabilities and $3.5M for cloud security defects. Signals the growing value (and volume) of vulnerability research in the market.
📌 Notable Mentions
Meta Killing Instagram E2E Encrypted Chats (May 2026)
Meta will discontinue end-to-end encryption for Instagram direct messages after May 8, 2026. A significant privacy regression affecting millions of users. Media and messages should be downloaded before the cutoff date.
Iran-Linked Hackers Expanding US Targeting
Pro-Iranian hackers are expanding beyond Middle Eastern targets to US defense contractors, power stations, and water plants. The escalation during wartime conditions raises the risk profile for US critical infrastructure operators.
Microsoft OOB Hotpatch for Windows 11 RRAS RCE
Microsoft released an out-of-band update fixing a security vulnerability in Windows 11 Enterprise's Routing and Remote Access Service (RRAS). Only affects hotpatch-enabled Enterprise deployments.
Apple Patches Legacy iOS Against Coruna Exploits
Apple released iOS 16.7.15 and 15.8.7 to patch Coruna exploits on older devices. A US defense contractor was reportedly behind the Coruna exploit chain. Older iPhones and iPads still in use should be updated immediately.
🎯 KENSAI Relevance & Action Items
- Supply chain attacks dominating: GlassWorm (VSX), AppsFlyer SDK, and Steam malware — KENSAI's SBOM scanning and dependency analysis capabilities are directly relevant content angles
- CrackArmor Linux flaws: Container escape vulnerabilities affect cloud-hosted apps — strong angle for KENSAI infrastructure scanning content targeting DevOps teams
- Two new AI security startups ($80M combined): Bold Security and Onyx Security validate the AI security market. KENSAI should position against/alongside in content strategy
- Iran APT escalation: US critical infrastructure targeting + NIS2 compliance angles for DACH market content (energy, water, defense contractors)
- WordPress SQLi (200K sites): Good candidate for KENSAI free scan promotion — "Is your WordPress site vulnerable?"
- VPN credential theft (Storm-2561): Enterprise security hygiene content opportunity — credential monitoring, download verification