Latest News from Bleeping Computer

• New Windows 'MiniPlasma' zero-day exploit gives SYSTEM access, PoC released

  A cybersecurity researcher has released a proof-of-concept exploit for a Windows privilege escalation zero-day dubbed "MiniPlasma" that lets attackers gain SYSTEM privileges on fully patched Windows systems.  [...]

• Tycoon2FA hijacks Microsoft 365 accounts via device-code phishing

  The Tycoon2FA phishing kit now supports device-code phishing attacks and abuses Trustifi click-tracking URLs to hijack Microsoft 365 accounts. [...]

• Microsoft rejects critical Azure vulnerability report, no CVE issued

  A security researcher claims Microsoft quietly fixed an Azure Backup for AKS vulnerability after rejecting his report, and without issuing a CVE. Microsoft disputes the claim, telling BleepingComputer the behavior was expected and that "no product changes were made," despite the researcher documenting a silent fix. [...]

• Russian hackers turn Kazuar backdoor into modular P2P botnet

  The Russian hacker group Secret Blizzard has developed its long-running Kazuar backdoor into a modular peer-to-peer (P2P) botnet designed for long-term persistence, stealth, and data collection. [...]

• Funnel Builder WordPress plugin bug exploited to steal credit cards

  A critical vulnerability in the Funnel Builder plugin for WordPress is being actively exploited to inject malicious JavaScript snippets into WooCommerce checkout pages. [...]

• Microsoft Exchange, Windows 11 hacked on second day of Pwn2Own

  ​During the second day of Pwn2Own Berlin 2026, competitors collected $385,750 in cash awards after exploiting 15 unique zero-day vulnerabilities in multiple products, including Windows 11, Microsoft Exchange, and Red Hat Enterprise Linux for Workstations. [...]

• Popular node-ipc npm package compromised to steal credentials

  Hackers have injected credential-stealing malware into newly published versions of node-ipc, a popular inter-process communication package, in a new supply chain attack targeting npm. [...]

• Avada Builder WordPress plugin flaws allow site credential theft

  Two vulnerabilities in the Avada Builder plugin for WordPress, with an estimated one million active installations, allow hackers to read arbitrary files and extract sensitive information from the database. [...]

• Microsoft backpedals: Edge to stop loading passwords into memory

  Microsoft is updating the Edge web browser to ensure it no longer loads saved passwords into process memory in clear text at startup after previously stating it was "by design." [...]

• Inside the REMUS Infostealer: Session Theft, MaaS, and Rapid Evolution

  Stolen browser sessions and authentication tokens are becoming more valuable than stolen passwords. Flare explains how the REMUS infostealer evolved around session theft and operational scalability. [...]