Products
Discover amazing products built by our community
Open Source ProjectsNEW
Curating the best open-source projects shaping the future
Latest from the Blog
Analysis, product insight, and practical reads for builders
Adobe rolls out emergency fix for Acrobat, Reader zero-day flaw
Adobe has issued an emergency update for Acrobat/Reader to fix CVE-2026-34621, a zero-day that bypasses sandboxing and can execute arbitrary code via malicious PDFs, with exploits observed since December; affected products include Acrobat DC, Reader DC, and Acrobat 2024 on Windows and macOS, and users should update through Help > Check for Updates or download from Adobe’s portal, as there are no listed workarounds. The flaw was discovered by Haifei Li, and attacks have involved Russian-language oil-and-gas themed PDFs; the severity was downgraded once the vector was deemed local.
The Silent Storm: New Infostealer Hijacks Sessions, Decrypts Server-Side
Varonis Threat Labs highlights Storm, a new infostealer that shifts credential theft to server-side decryption and automated session hijacking. Debuting in early 2026, Storm decrypts data from Chromium and Firefox-based browsers and forwards it to attacker-controlled infrastructure for silent session restoration, enabling access to SaaS and cloud services without passwords or MFA alerts. The toolkit harvests saved passwords, cookies, autofill data, tokens, crypto wallets, and more, then uses Google Refresh Tokens and SOCKS5 proxies to re-create authenticated sessions. Storm operates with dedicated infrastructure, supports tiered licensing (demo, standard, team), and runs across multiple operators; observed campaigns target Google, Facebook, Twitter/X, and crypto platforms across many countries. Indicators of compromise include the StormStealer forum handle, version Gunnar v0.0.2.0, a Windows-only C++ build, and a registration date of 12/12/25.
Critical Marimo Pre‑Authentication RCE Flaw Now Under Active Exploitation
Critical RCE flaw CVE‑2026‑39987 in Marimo open‑source Python notebook platform was actively exploited within 10 hours of disclosure, allowing unauthenticated attackers to gain full shell access via the /terminal/ws WebSocket endpoint and exfiltrate .env credentials and SSH keys; users are urged to upgrade to v0.23.0 or block the endpoint immediately.
Over 20,000 crypto fraud victims identified in international crackdown
International law enforcement, led by the UK’s National Crime Agency in “Operation Atlantic,” identified over 20,000 cryptocurrency fraud victims across Canada, the UK and the US, froze more than $12 million in illicit proceeds from approval‑phishing scams, and uncovered $45 million in stolen crypto. The joint effort—partnering with the U.S. Secret Service, Ontario Police, Securities Commission and private industry—demonstrates the effectiveness of public‑private collaboration, a model that will underpin the UK’s new Fraud Strategy 2026‑29. The FBI’s parallel Operation Level Up has similarly rescued thousands of victims, highlighting the growing global threat of crypto investment scams.