// Threat intelligence

CYBERSECURITY THREATS THAT
ACTUALLY MATTER
FOR THE TOOLS YOU USE.

Opichi Aware monitors news, advisories, and social signals across the online services you depend on, then summarizes only what matters with AI — delivered to your inbox, on demand.

// Services
30
// Alerts
221
// Last updated
// Public feed

Recent alerts

View archive →

Januscape (CVE-2026-53359), a 16-year-old use-after-free vulnerability in KVM's shadow MMU, enables guest-to-host escape on systems with nested virtualization enabled. Discovered by researcher Hyunwoo Kim via Google's kvmCTF bug bounty program, the flaw allows root access on the host machine. The vulnerability affects both Intel and AMD processors and has been present since kernel 2.6.36 (August 2010). Patches are available; organizations should update immediately or disable nested virtualization if patching is delayed.

// Get alerts for Google Cloud

Active social engineering campaign targets Microsoft Teams users via fake IT support calls. Threat actors impersonate helpdesk personnel using external Teams accounts to convince victims to enable screen sharing and install legitimate remote access tools. Attackers then deploy malicious MSI installers that fetch Node.js and execute EtherRAT, a cross-platform remote access trojan capable of command execution, data exfiltration, and persistence. EtherRAT uses Ethereum smart contracts to fetch C2 addresses, complicating remediation. Campaign publicly documented by Palo Alto Networks Unit 42 as of July 2026.

// Get alerts for Microsoft 365

CVE-2026-45504 is a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server 2019 that allows authenticated low-privileged users to read arbitrary files via improper URL validation in the OneDriveProUtilities component. The flaw stems from unsafe handling of user-controlled input in WOPI (Web Application Open Platform Interface) URL processing, enabling attackers to chain the vulnerability through malicious attachment references to access sensitive files such as configuration data and credentials. A proof-of-concept exploit has been publicly released.

// Get alerts for Microsoft 365

Microsoft issued a security advisory for CVE-2026-53045, a high-severity Linux kernel flaw in the NVIDIA Tegra124 memory controller driver (CVSS 7.8). The vulnerability, a reversed bit check in the EMC driver, affects Windows Subsystem for Linux 2 (WSL2) and Azure Linux VMs with Tegra124 hardware. Exploitation can cause kernel panics, data corruption, and potentially privilege escalation. Microsoft advises updating WSL kernels and Azure container images.

// Get alerts for Microsoft Azure
// OpenaiCRITICAL

CVE-2026-45499 describes a critical server-side request forgery (SSRF) vulnerability in Azure OpenAI with CVSS score 9.9. An authenticated attacker can exploit the flaw to send arbitrary requests to internal network resources, potentially escalating privileges within the environment. No public proof-of-concept or patch details were available at publication on July 2, 2026.

// Get alerts for Openai
// ClaudeMEDIUM

Claude Code allegedly contains a covert mechanism that detects usage in specific corporate and AI research environments, including those operated by Alibaba, Baidu, ByteDance, and Moonshot AI. According to reverse-engineering claims posted on June 30, the tool inspected proxy settings and system time zones against embedded lists and silently encoded detection signals via system prompt modifications since version 2.1.91 (April 2, 2026). Anthropic acknowledged the detection feature was intended to prevent account abuse and model distillation, stating remediation was underway by July 1. The allegation prompted Alibaba to announce a ban on Claude Code effective July 10, 2026.

// Get alerts for Claude

A critical vulnerability (CVE-2026-46817) in Oracle E-Business Suite is under active exploitation in the wild. Approximately 900–950 internet-facing EBS instances have been identified globally, with DefusedCyber observing real-world attack attempts. The flaw enables remote code execution and affects systems handling sensitive financial, HR, and operational data. Attackers appear to have reverse-engineered Oracle's patch before public disclosure.

// Get alerts for Oracle Health
// OpenaiMEDIUM

Security researcher zer0dac disclosed a vulnerability chain in ChatGPT combining a guardrail bypass with path traversal in the file download mechanism, potentially allowing access to restricted system files. The vulnerability exploited inconsistent path normalization and social engineering of the LLM to bypass deletion policies. OpenAI remediated the issue by redesigning the URL download flow, with practical impact limited by sandboxing but highlighting a critical vulnerability class in AI-generated backend endpoints.

// Get alerts for Openai
// GitHubMEDIUM

A pseudonymous researcher published a GitHub repository called 'Exploitarium' containing over 30 proof-of-concept exploits for undisclosed zero-day vulnerabilities in open-source projects including Libssh2, FFmpeg, Gitea, MyBB, PHP, and others, without coordinating with maintainers. At least 12 exploits have been assigned CVE identifiers, with CVE-2026-55200 (libssh2 pre-auth RCE, CVSS 9.2) confirmed under active exploitation. The researcher justified the public disclosure approach as educational but acknowledged it enables malicious use.

// Get alerts for GitHub

Security researcher zer0dac disclosed a vulnerability chain in ChatGPT combining a guardrail bypass with path traversal through the file download mechanism. The exploit involved social engineering the LLM to generate a valid download URL and then appending traversal sequences to access restricted system files. OpenAI has remediated the issue by redesigning the URL download flow; practical impact was limited by sandbox restrictions.

// Get alerts for Chatgpt

CISA confirmed on July 2, 2026, that attackers are actively exploiting CVE-2026-45659, a high-severity remote code execution vulnerability in Microsoft SharePoint. The deserialization flaw requires only basic authenticated access (Site Member permissions) and was patched in May 2026. Over 10,000 SharePoint servers remain exposed online, with no visibility into remediation coverage.

// Get alerts for Microsoft Azure

CVE-2026-45659, a high-severity remote code execution vulnerability in Microsoft SharePoint Server, was added to CISA's Known Exploited Vulnerabilities catalog on July 1, 2026, following confirmed active exploitation. The flaw stems from improper deserialization of untrusted data and affects SharePoint Server Subscription Edition, 2019, and Enterprise Server 2016 (patched May 2026). Authenticated attackers with minimum Site Member permissions can execute arbitrary code on vulnerable systems; the threat group and exploitation details remain unknown. CISA mandates that U.S. federal agencies patch by July 4, 2026.

// Get alerts for Microsoft 365

Microsoft released patches for CVE-2026-33825 (BlueHammer), a Microsoft Defender privilege escalation vulnerability, on April 14, 2026. CISA added the flaw to its Known Exploited Vulnerabilities catalog on April 22 and has now updated the entry to confirm active exploitation in ransomware campaigns. Authenticated attackers can escalate privileges to disable defenses, move laterally, or prepare systems for encryption. No details on specific ransomware groups have been publicly disclosed.

// Get alerts for Microsoft Azure

CVE-2026-33825 (BlueHammer), a privilege escalation vulnerability in Microsoft Defender, is actively exploited in ransomware campaigns. The flaw was disclosed April 2 and patched April 14, 2026. CISA's Known Exploited Vulnerabilities catalog was recently updated to confirm ransomware activity. The vulnerability requires authenticated access but enables attackers to escalate privileges, disable defenses, and move laterally within compromised environments.

// Get alerts for Microsoft 365
// GitHubMEDIUM

Researchers discovered multiple trojanized proof-of-concept exploits on GitHub delivering ChocoPoC, a Python-based remote access trojan targeting cybersecurity researchers. The malware is embedded via malicious Python packages ('frint' and 'skytext') listed as dependencies that are automatically fetched from PyPI upon cloning the malicious repositories. When executed, the compiled native extension decrypts and runs embedded Python code to steal data and execute commands.

// Get alerts for GitHub

CVE-2025-49715 is an unauthenticated information disclosure vulnerability in Microsoft Dynamics 365 FastTrack Implementation Assets that exposes personally identifiable information (PII) to remote attackers with no authentication required. The vulnerability affects widely-used implementation templates and configuration scripts that organizations often deploy directly to production. Microsoft's MSRC advisory contains conflicting CVE identifiers (CVE-2025-49715 vs CVE-2025-55238), potentially delaying remediation efforts. Organizations should apply patches immediately and rotate any exposed credentials.

// Get alerts for Microsoft 365

Active password spray campaign targeting Azure CLI is compromising Microsoft 365 user accounts. Between June 12-21, attackers made over 81 million login attempts originating from systems associated with LSHIY hosting provider, successfully compromising at least 78 user accounts across 64 organizations. Attackers rely on compromised password combo lists and are increasing credential spray attack volumes across Microsoft 365 environments.

// Get alerts for Microsoft 365

Threat actors conducted a large-scale password spray campaign targeting Azure CLI between June 12 and 21, 2026, making over 81 million login attempts originating primarily from LSHIY LLC infrastructure. Huntress detected 78 user account compromises across 64 customer organizations, with 2-4 accounts typically breached daily. The attack represents part of a broader surge in credential spray attacks across the cloud services landscape.

// Get alerts for Microsoft Azure