Mallory

The signal that matters.

Cutting through advisories, vendor PSIRTs, researcher write-ups, and the underground — correlated, deduped, and ranked so your team only sees what moves the needle.


Operation Endgame Disrupts SocGholish Malware Infrastructure and Cleans 14,971 Sites

International law enforcement agencies disrupted the SocGholish malware operation, taking 106 servers and domains offline and remediating 14,971 compromised websites as part of Operation Endgame. Authorities from the Netherlands, Canada, the United States, and Germany, supported by Europol and Eurojust, targeted infrastructure tied to TA569, the threat actor widely associated with SocGholish, also known as FakeUpdates and GhoLoader. The campaign relied on compromised legitimate websites—especially WordPress and other CMS platforms—to display fake browser update prompts that tricked visitors into installing malware.

Timeline
  • 15h ago: Operation Endgame disrupts SocGholish infrastructure
  • 21h ago: Proofpoint begins tracking TA569/SocGholish activity
Malware Intelligence · 2 sources
Latest

Three LMS Flaws Expose Databases and Enable Command Injection

CERT Polska disclosed three vulnerabilities in LMS (LAN Management System), including two high-severity issues tracked as CVE-2026-40455 and CVE-2026-40456. The first is an authenticated SQL injection in tarifflist.php before commit 4cb30a7, caused by insufficient sanitization of the POST tg[] parameter and unsafe query construction with implode(), allowing attackers to extract sensitive database information. The second is an OS command injection before commit 9fcb4de, where an IP address parameter is passed to exec() without proper validation, enabling arbitrary operating system command execution.
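The two bug classes in that advisory, reproduced as an added example (this is not LMS project code or anything from CERT Polska): a list parameter joined straight into an IN clause beside a bound-placeholder version, and an IP parameter spliced into a shell command beside a version that parses the value as an IP literal and passes it as a separate argv element. It runs in Python against an in-memory SQLite table and uses `echo` in place of a real network tool so it works offline; the table, column and helper names are assumptions for illustration.

```python
"""Added example, not code from the LMS project or CERT Polska: the two bug
classes described above, re-created in Python against an in-memory SQLite
table and a harmless subprocess, each beside a hardened form. Table and
column names and the helper names are assumptions for illustration."""
import ipaddress
import sqlite3
import subprocess


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a tariff table plus a table an attacker would
    # want to read through the injection.
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE tariffs (id INTEGER, name TEXT);
        INSERT INTO tariffs VALUES (1, 'basic'), (2, 'premium'), (3, 'business');
        CREATE TABLE users (login TEXT, passwd TEXT);
        INSERT INTO users VALUES ('admin', 'hunter2');
        """
    )
    return con


def tarifflist_vulnerable(con, tg):
    """Same shape as the implode() bug: tg[] values are joined straight into an
    IN (...) clause, so a single value can close the clause and append UNION."""
    sql = "SELECT id, name FROM tariffs WHERE id IN (%s)" % ",".join(tg)
    return con.execute(sql).fetchall()


def tarifflist_hardened(con, tg):
    """Coerce every value to int first, then bind it; the placeholder count
    comes from the list length, never from its content."""
    ids = [int(v) for v in tg]  # ValueError on anything that is not an integer
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT id, name FROM tariffs WHERE id IN ({placeholders})"
    return con.execute(sql, ids).fetchall()


def ping_vulnerable(ip):
    """Same shape as the exec() bug: the parameter is spliced into a shell
    command line, so ';' or '|' inside it runs extra commands. 'echo' stands
    in for the real network tool so the example runs offline."""
    proc = subprocess.run("echo ping " + ip, shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def ping_hardened(ip):
    """Parse the value as an IP literal (anything else raises) and pass it as
    its own argv element with no shell involved."""
    addr = ipaddress.ip_address(ip)  # ValueError for '127.0.0.1; echo X'
    proc = subprocess.run(["echo", "ping", str(addr)],
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    con = make_db()
    evil_tg = ["1) UNION SELECT login, passwd FROM users --"]
    print("vulnerable:", tarifflist_vulnerable(con, evil_tg))
    try:
        tarifflist_hardened(con, evil_tg)
    except ValueError as e:
        print("hardened rejected tg[]:", e)
    evil_ip = "127.0.0.1; echo INJECTED"
    print("vulnerable:", ping_vulnerable(evil_ip))
    try:
        ping_hardened(evil_ip)
    except ValueError as e:
        print("hardened rejected ip:", e)
```

The point of the hardened IN clause is that the only thing derived from the request is the number of `?` placeholders; the values themselves travel as bound parameters. For the command case, validation alone is not enough if the value is still handed to a shell, and an argv list alone is not enough if the tool interprets option-looking arguments, so both checks are kept.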

Patch & Detection Intelligence

Crypto clipper malware spreads by USB and uses Tor-backed C2 on Windows

Microsoft disclosed an active Windows cryptocurrency theft campaign that spreads through malicious .lnk shortcut files, often delivered on USB devices, and combines worm-like propagation with a script-based clipper and stealer. The malware has been active since February 2026 and uses Windows Script Host, ActiveX, and a bundled Tor client to reach hidden-service command-and-control infrastructure through the local Tor SOCKS port (localhost:9050), so it needs neither a conventional installer nor directly reachable IP-based C2 infrastructure. Microsoft said the threat is detected as Trojan:Win32/CryptoBandits.A and related CryptoBandits signatures.
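A hunt for the behaviours in that summary, written here as an added example (it is not Microsoft's code and not the CryptoBandits signature): it walks constructed, made-up process-creation and network-connection events and flags a script host launched from removable media, a Tor client running outside Program Files, and a script host connecting to the local Tor SOCKS port, then ranks processes by how many of those reasons stack up. The Sysmon-like field names, including `drive_type`, are assumptions.

```python
"""Added example, not Microsoft's code or its CryptoBandits signature: a hunt
over constructed (made-up) endpoint telemetry for the behaviours the summary
describes - a script host launched from removable media, a Tor client running
outside Program Files, and a script host talking to the local Tor SOCKS port.
The Sysmon-like field names are assumptions."""
import json
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
TOR_SOCKS_PORT = 9050  # tor.exe's default SOCKS listener; Tor Browser uses 9150

# Constructed sample events, one JSON object per line.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"type": "ProcessCreate", "pid": 4120, "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "wscript.exe //B E:\\Photos\\open.js", "drive_type": "removable"},
    {"type": "ProcessCreate", "pid": 4188,
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\tor\\tor.exe",
     "cmdline": "tor.exe -f torrc", "drive_type": "fixed"},
    {"type": "ProcessCreate", "pid": 500, "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe C:\\notes.txt", "drive_type": "fixed"},
    {"type": "NetworkConnect", "pid": 4120, "image": "C:\\Windows\\System32\\wscript.exe",
     "dst_ip": "127.0.0.1", "dst_port": 9050},
    {"type": "NetworkConnect", "pid": 777,
     "image": "C:\\Program Files\\Tor Browser\\Browser\\firefox.exe",
     "dst_ip": "127.0.0.1", "dst_port": 9150},
    {"type": "NetworkConnect", "pid": 900, "image": "C:\\Windows\\System32\\svchost.exe",
     "dst_ip": "10.0.0.5", "dst_port": 443},
]]


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def hunt(lines):
    """Return (pid, reason) findings for the three behaviours."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        name = basename(ev["image"])
        if ev["type"] == "ProcessCreate":
            if name in SCRIPT_HOSTS and ev.get("drive_type") == "removable":
                findings.append((ev["pid"], "script host launched from removable media"))
            if name == "tor.exe" and not ev["image"].lower().startswith("c:\\program files"):
                findings.append((ev["pid"], "tor client running from a user-writable path"))
        elif ev["type"] == "NetworkConnect":
            if (name in SCRIPT_HOSTS and ev["dst_ip"] == "127.0.0.1"
                    and ev["dst_port"] == TOR_SOCKS_PORT):
                findings.append((ev["pid"], "script host connecting to local Tor SOCKS port"))
    return findings


def triage(findings):
    """Order pids so that one with several independent reasons comes before
    one with a single reason; ties break on pid."""
    by_pid = defaultdict(list)
    for pid, reason in findings:
        by_pid[pid].append(reason)
    return sorted(by_pid, key=lambda p: (-len(by_pid[p]), p))


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for pid in triage(found):
        print(pid, [r for p, r in found if p == pid])
```

Because the C2 is reached over a loopback SOCKS connection to a bundled Tor client, destination-IP blocklists see nothing useful; the observable is the local 9050 connection from a process that has no business making it, which is why the script-host check is tied to the port rather than to any remote address. Tor Browser's own connections go to 9150, so the sample's firefox.exe event is correctly left alone.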

Attack Tradecraft

MetaStealer Campaign Adds New DGA and Exposes RuntimeSync Backdoor

Researchers Jason Reaves and Joshua Platt reported new infrastructure and malware activity tied to MetaStealer, identifying a new wordlist-based domain generation algorithm while confirming the malware’s older DGA is still active. Their analysis found MetaStealer gate servers are largely domain-agnostic and depend more on IP address, port, URI, and HTTP headers to relay traffic, indicating operators can shift domains without significantly changing backend behavior.

Attack Tradecraft
