Open Cyber Threat Intelligence
Latest Intelligence
Secure Registry now tells you which machine pulled a compromised package
3d ago · step-security
On June 17, 2026, an attacker compromised the @mastra npm organization and introduced a typosquatted package, easy-day-js, into over 140 packages in the Mastra AI framework ecosystem. The malicious package executed an obfuscated postinstall dropper that retrieved a second-stage payload from an attacker-controlled server before deleting itself. This supply chain attack exposed more than 1.1 million weekly downloads, highlighting the need for rapid incident response and source attribution to determine affected systems.
3 IoCs
10 Layers Deep: How StepSecurity Stops TeamPCP's Trivy Supply Chain Attack on GitHub Actions
2d ago · step-security
In March 2026, the threat actor TeamPCP compromised 76 version tags of the aquasecurity/trivy-action GitHub Action by injecting a credential stealer, exploiting elevated privileges to harvest secrets from memory and exfiltrate them to a malicious domain. The same actor targeted other platforms including PyPI packages litellm and telnyx, and previously compromised the Checkmarx KICS GitHub Action using similar tactics. These supply chain attacks highlight a broader trend of targeting CI/CD pipelines to steal credentials and cloud tokens. The attacks leveraged typosquatted domains and memory scraping techniques, underscoring the need for layered defenses in GitHub Actions environments.
2 IoCs · 1 actor · 1 CVE
StepSecurity Maintained Actions Are Now Free for Public Repos
2d ago · step-security
In March 2025, the tj-actions/changed-files GitHub Action, used by over 23,000 repositories, was compromised in a supply chain attack that exfiltrated CI/CD secrets via malicious code injected through tampered version tags. StepSecurity detected the incident using its Harden-Runner tool and provided a secure, drop-in replacement, step-security/changed-files, which has since been adopted by thousands of projects. This event highlighted the risks of relying on unmaintained third-party GitHub Actions and led StepSecurity to make its catalog of 500+ maintained, security-hardened actions freely available for public repositories to improve overall CI/CD security across the open-source ecosystem.
2 IoCs · 1 CVE
Welcome to the new Project Zero Blog
6mo ago · google-project-zero
This article introduces the new Project Zero blog and highlights previously unpublished research on exploitation techniques. It references historical work on Windows race conditions and sandbox escape methods. The post emphasizes the ongoing relevance of zero-day vulnerabilities and the need for continued defensive improvements. No active threat activity or specific attacks are described.
A 0-click exploit chain for the Pixel 9 Part 1: Decoding Dolby
5mo ago · google-project-zero
A 0-click exploit chain targeting Google Pixel 9 devices was developed by Project Zero to demonstrate the exploitation of a critical vulnerability in the Dolby Unified Decoder (CVE-2025-54957). The vulnerability allows arbitrary code execution in the mediacodec context via malicious audio attachments in SMS/RCS messages, which are automatically decoded without user interaction. The exploit leverages a buffer overrun and memory leak in the EMDF parsing logic to achieve code execution, bypassing Android security features such as ASLR and SELinux. The vulnerabilities were patched as of January 5, 2026.
5 IoCs
A 0-click exploit chain for the Pixel 9 Part 2: Cracking the Sandbox with a Big Wave
5mo ago · google-project-zero
A 0-click exploit chain targeting the Pixel 9 was demonstrated, leveraging a vulnerability in the BigWave kernel driver accessible from the mediacodec SELinux context. The exploit achieves kernel arbitrary read/write via a use-after-free (UAF) in the BIGO_IOCX_PROCESS ioctl handler, enabling sandbox escape and privilege escalation. The attacker can gain root privileges and disable SELinux, culminating in full device compromise. The exploit was integrated with a Dolby decoder vulnerability to form a complete attack chain.
2 IoCs
A 0-click exploit chain for the Pixel 9 Part 3: Where do we go from here?
5mo ago · google-project-zero
Google Project Zero uncovered a 0-click exploit chain targeting the Pixel 9, leveraging vulnerabilities in the Dolby UDC audio decoder and the BigWave kernel driver. The chain allowed remote code execution and privilege escalation with minimal bugs, highlighting weaknesses in Android's attack surface, driver security, and patching timelines. Despite responsible disclosure, patch deployment was delayed, leaving users exposed for months. The findings emphasize systemic issues in vulnerability prioritization, mitigation effectiveness, and vendor coordination across the Android ecosystem.
Bypassing Windows Administrator Protection
5mo ago · google-project-zero
A security researcher identified multiple vulnerabilities in Windows 11 25H2's new Administrator Protection feature, designed to replace User Account Control (UAC). One of nine discovered bypasses allowed silent escalation to full administrator privileges by exploiting lazy initialization of per-session DOS device directories, improper access checking during object creation, and token impersonation behaviors. The vulnerabilities were reported to Microsoft and addressed in updates, including optional update KB5067036, before the feature's official release. Administrator Protection was temporarily disabled in December 2025 due to application compatibility issues unrelated to the security flaws.
1 IoC
Breaking the Sound Barrier, Part II: Exploiting CVE-2024-54529
5mo ago · google-project-zero
A detailed technical analysis of exploiting CVE-2024-54529, a type confusion vulnerability in macOS's coreaudiod daemon, is presented. The exploit leverages uninitialized memory in the 'ngne' object and a heap manipulation technique using property lists to achieve arbitrary code execution. The attack involves crashing and restarting coreaudiod to reuse heap-sprayed data, ultimately enabling privilege escalation via a ROP chain.
1 IoC
Bypassing Administrator Protection by Abusing UI Access
4mo ago · google-project-zero
A researcher discovered multiple bypasses for Windows Administrator Protection by exploiting UI Access, a feature designed to allow accessibility tools to interact with higher integrity processes. The bypasses leverage flaws in secure directory checks, repurposing legitimate UI Access executables, shared user profiles, insecure RPC handling, and access token manipulation. These techniques allow a limited user to silently elevate privileges and compromise administrator-level processes without consent prompts, undermining the security boundary intended by Administrator Protection.
2 IoCs