Ivanti Patches EPMM Zero-Day Exploited in Targeted Attacks
Ivanti released May security updates for Endpoint Manager Mobile that fix five vulnerabilities, including CVE-2026-6973, a high-severity flaw exploited in targeted attacks. The bug requires admin privileges, so on its own it is a post-authentication issue, but reporting indicates it may be tied to earlier EPMM flaws that allowed attackers to gain broader control of mobile device management infrastructure. Organizations running on-prem EPMM should patch quickly, review admin accounts for any they don't recognize, rotate credentials where appropriate, and look for signs of unauthorized management activity.
Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise
Researchers detailed a previously undocumented Linux implant called Quasar Linux RAT that targets developer and DevOps systems to steal credentials from files tied to npm, PyPI, Git, AWS, Kubernetes, Docker, Vault, Terraform, GitHub CLI, and environment variables. The risk is bigger than one infected workstation because stolen developer credentials can let attackers push malicious packages, access cloud infrastructure, or pivot into CI/CD pipelines. Security teams should treat developer endpoints as high-value assets and monitor for unusual credential use across source control, registries, and cloud accounts.
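As an added example (not code from the Quasar write-up or from any of the projects it names), the Python script below inventories the default credential files of the tools listed above in a Linux home directory, flags any readable beyond the owner, emits auditd watch rules for them, and lists environment variable names that look like secrets. The path list and the name heuristic are assumptions about default locations; the sample home directory it builds for a dry run is constructed.

```python
"""Inventory the developer-credential files a Linux RAT would go after.

Added example; not from the Quasar Linux RAT write-up or any of the tools
named. CREDENTIAL_FILES holds the *default* locations of those tools'
credential stores (assumption: tools can be configured to use others).
"""
import os
import stat
import tempfile
from pathlib import Path

CREDENTIAL_FILES = {
    "npm": [".npmrc"],
    "pypi": [".pypirc"],
    "git": [".git-credentials"],
    "aws": [".aws/credentials", ".aws/config"],
    "kubernetes": [".kube/config"],
    "docker": [".docker/config.json"],
    "vault": [".vault-token"],
    "terraform": [".terraformrc", ".terraform.d/credentials.tfrc.json"],
    "github-cli": [".config/gh/hosts.yml"],
    "dotenv": [".env"],
}

# Environment variable name fragments that usually mark a secret (heuristic).
SECRET_MARKERS = ("TOKEN", "SECRET", "PASSWORD", "API_KEY", "ACCESS_KEY")


def inventory(home):
    """Return one record per credential file that exists under `home`."""
    findings = []
    for tool, rel_paths in CREDENTIAL_FILES.items():
        for rel in rel_paths:
            path = Path(home) / rel
            if not path.is_file():
                continue
            mode = stat.S_IMODE(path.stat().st_mode)
            findings.append({
                "tool": tool,
                "path": str(path),
                "mode": mode,
                # Owner-only (0600) is the expected state. A RAT running as the
                # user reads the file regardless, but group/world-readable files
                # are also exposed to every other local account and container
                # that mounts the home directory.
                "readable_beyond_owner": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
            })
    return findings


def auditd_rules(findings, key="devcreds"):
    """auditd watch rules: one read-watch per file, tagged with `key` so
    `ausearch -k devcreds` shows which process read which credential file."""
    return [f"-w {f['path']} -p r -k {key}" for f in findings]


def env_secret_names(environ):
    """Names (never values) of environment variables that look like secrets."""
    return sorted(k for k in environ
                  if any(m in k.upper() for m in SECRET_MARKERS))


def build_sample_home():
    """Constructed sample: a throwaway home dir with two dummy credential files."""
    home = Path(tempfile.mkdtemp(prefix="devcreds-"))
    (home / ".aws").mkdir()
    aws = home / ".aws" / "credentials"
    aws.write_text("[default]\naws_access_key_id = CONSTRUCTED\n")
    os.chmod(aws, 0o644)          # too open: group and others can read
    npm = home / ".npmrc"
    npm.write_text("//registry.npmjs.org/:_authToken=CONSTRUCTED\n")
    os.chmod(npm, 0o600)          # owner only, as it should be
    return home


if __name__ == "__main__":
    found = inventory(Path.home())
    for f in found:
        note = "  <-- readable by group/others, chmod 600" if f["readable_beyond_owner"] else ""
        print(f"{f['tool']:<11} {f['path']} {f['mode']:04o}{note}")
    print("\n# auditd rules (append to /etc/audit/rules.d/devcreds.rules):")
    print("\n".join(auditd_rules(found)))
    print("\n# secret-looking environment variables:", env_secret_names(os.environ))
```

Run it as the developer user on the workstation; the audit rules it prints only record reads, so the follow-up is correlating `ausearch -k devcreds` hits against the processes you expect (the tool's own CLI, an IDE plugin) rather than blocking anything.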
New TCLBanker malware self-spreads over WhatsApp and Outlook
Elastic researchers found a new banking trojan called TCLBanker that uses a trojanized Logitech AI Prompt Builder installer, DLL side-loading, and anti-analysis features to infect Windows systems. The malware targets banking, fintech, and cryptocurrency platforms, then spreads through WhatsApp Web and Outlook by abusing the victim’s authenticated sessions and contact lists. This matters because it combines credential theft, remote control, social engineering, and worm-like propagation through trusted communication channels.
Businesses hide vast majority of ransomware attacks, report finds
BlackFog reported that undisclosed ransomware attacks in the first quarter of 2026 outnumbered publicly disclosed ones by more than eight to one: 2,160 undisclosed incidents against 264 disclosed ones. The report also found that data exfiltration remains central to ransomware operations, appearing in 96% of disclosed attacks. The practical takeaway is that public ransomware counts understate the real threat level, so teams shouldn't use disclosed victim numbers alone to judge sector risk, board reporting, or control priorities.
Critical Android vulnerability CVE-2026-0073 fixed by Google
Google patched CVE-2026-0073, a critical Android remote code execution vulnerability in the System component that could allow code execution as the shell user without user interaction. The flaw affects Android Debug Bridge daemon functionality, and Google says it isn’t aware of public exploits or active exploitation. Even without known exploitation, this is worth prioritizing because no-click mobile RCE flaws can become high-impact quickly once technical details spread.
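As an added example of the prioritization step (not code from Google's bulletin or from the Android tooling), the following Python script triages a fleet of devices by security patch level: it parses the output of `adb -s <serial> shell getprop` and compares each device's `ro.build.version.security_patch` against the minimum patch level you take from the bulletin that fixes CVE-2026-0073. `MIN_PATCH` is a placeholder you must replace with the bulletin's patch level, and the getprop excerpts in `SAMPLE_FLEET` are constructed.

```python
"""Triage a fleet of Android devices by security patch level.

Added example; not from Google's bulletin or from the Android tooling. It
parses `adb -s <serial> shell getprop` output and compares each device's
ro.build.version.security_patch with a minimum patch level taken from the
bulletin for CVE-2026-0073. MIN_PATCH is a placeholder; SAMPLE_FLEET is
constructed data.
"""
import re
import subprocess
from datetime import date

# getprop prints each property as "[name]: [value]".
PATCH_RE = re.compile(r"^\[ro\.build\.version\.security_patch\]: \[(\d{4}-\d{2}-\d{2})\]$", re.M)
RELEASE_RE = re.compile(r"^\[ro\.build\.version\.release\]: \[([^\]]*)\]$", re.M)

MIN_PATCH = date(2026, 5, 1)  # placeholder: use the patch level named in the bulletin


def parse_device(getprop_output):
    """Extract (release, patch_level) from getprop output; missing fields are None."""
    m_patch = PATCH_RE.search(getprop_output)
    m_rel = RELEASE_RE.search(getprop_output)
    patch = None
    if m_patch:
        try:
            patch = date.fromisoformat(m_patch.group(1))
        except ValueError:
            patch = None  # malformed date string: treat as unknown, never as patched
    return (m_rel.group(1) if m_rel else None, patch)


def classify(getprop_output, min_patch=MIN_PATCH):
    """'patched', 'vulnerable' or 'unknown' for one device.

    min_patch may be a date or an ISO string such as "2026-05-01"."""
    if isinstance(min_patch, str):
        min_patch = date.fromisoformat(min_patch)
    _, patch = parse_device(getprop_output)
    if patch is None:
        return "unknown"
    return "patched" if patch >= min_patch else "vulnerable"


def triage(fleet, min_patch=MIN_PATCH):
    """Map serial -> status; 'unknown' devices need follow-up just like vulnerable ones."""
    return {serial: classify(out, min_patch) for serial, out in fleet.items()}


def collect(serial):
    """Live collection for one attached device (needs adb on PATH and USB debugging)."""
    return subprocess.run(["adb", "-s", serial, "shell", "getprop"],
                          capture_output=True, text=True, check=True).stdout


SAMPLE_FLEET = {  # constructed getprop excerpts, not real devices
    "emulator-5554": "[ro.build.version.release]: [15]\n"
                     "[ro.build.version.security_patch]: [2026-05-05]\n",
    "SAMPLE-DEV-01": "[ro.build.version.release]: [14]\n"
                     "[ro.build.version.security_patch]: [2026-03-05]\n",
    "SAMPLE-DEV-02": "[ro.build.version.release]: [13]\n",  # patch property missing
}

if __name__ == "__main__":
    for serial, status in sorted(triage(SAMPLE_FLEET).items()):
        rel, patch = parse_device(SAMPLE_FLEET[serial])
        print(f"{serial:<15} Android {rel or '?':<4} patch {patch or 'unknown'}  -> {status}")
```

For a real run, replace `SAMPLE_FLEET` with `{serial: collect(serial) for serial in serials}` over the output of `adb devices`; a device whose patch property cannot be read is reported as unknown rather than assumed safe.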