News
Nx Console 18.95.0 Compromised (2026-05-19 08:16 UTC)
A compromised version of the Nx Console VS Code extension was pushed with build 18.95.0, packing a credential stealer aimed at developers who use the Nx monorepo tooling. The Hacker News (opens in new tab)
GitHub Actions Tag Hijack (2026-05-19 06:16 UTC)
The actions-cool/issues-helper workflow had its tags redirected to an imposter commit designed to steal CI/CD credentials from downstream repos. Another reminder that pinning action hashes matters more than tagging. The Hacker News (opens in new tab)
Mini Shai-Hulud Pushes Malicious npm Packages (2026-05-19 05:16 UTC)
The @antv npm namespace took a hit when a maintainer account was compromised and malicious packages were published under the legitimate AntV visualization library group. The Hacker News (opens in new tab)
Patch Roundup: Ivanti, Fortinet, SAP, VMware, n8n (May 18, 2026)
Ivanti, Fortinet, n8n, SAP, and VMware all released fixes for RCE, SQL injection, and privilege escalation vulnerabilities. Standard rotation, multiple critical-severity items. The Hacker News (opens in new tab)
Microsoft: Patching Issues on Restricted Networks (2026-05-19 12:16 UTC)
Windows Update is failing on restricted networks after the January 2026 optional non-security preview update, Microsoft confirmed. Enterprise environments behind strict firewall rules are the ones hitting this. Bleeping Computer (opens in new tab)
Ransomware Claims
Nine groups logged 37 new claims in the last 24 hours across 16 countries and 11 sectors.
Safepay, Thegentlemen, and Titan each posted 7. Nightspire had 5, Nova and Payload posted 3 each, Qilin and Akira had 2, and Rhysida put up 1.
Manufacturing took the most sector hits with 8, followed by Business Services at 7, Consumer Services at 4, and Technology at 3. The US was the top-targeted country at 8 claims, Germany and the UK at 4 each, Singapore at 3, then France and Austria at 2.
C2 Observations
217 C2 observations landed across 49 family labels from 166 unique hosts. VShell had the most at 29, followed by AsyncRAT at 24, Cobalt Strike at 21, and KimWolf at 19. Mirai and Remus each had 10.
Shared Hosts
Several hosts carry multiple family labels.
| Host | Families | AS / Country |
|---|---|---|
| hakim32[.]ddns[.]net | AsyncRAT, DarkTortilla, NanoCore, Neshta, njRAT, RatOnRat, Remcos, VenomRAT, XWorm | LeaseWeb NL, sinkhole |
| 62[.]60[.]226[.]159 | Amadey, RedLine, SmokeLoader, Stealc, SvcStealer, TinyLoader, XMRig, XWorm | FEMO IT, GB |
| drive[.]google[.]com | DanaBot, DarkComet, GuLoader, ModiLoader, Remcos, RevengeRAT, Warzone RAT | Google, US |
| 196[.]251[.]107[.]130 | Amadey, RedLine, Stealc, SvcStealer, XMRig, XWorm | FEMO IT, GB |
| 196[.]251[.]107[.]104 | Amadey, RedLine, Stealc, SvcStealer, XWorm | FEMO IT, GB |
| firewai[.]biz | HijackLoader, Remus, Remus Stealer | Contabo, DE |
| mascard[.]biz | HijackLoader, Remus, Remus Stealer | DigitalOcean, US |
| woodfez[.]biz | HijackLoader, Remus, Remus Stealer | Hostinger, CY |
| carytui[.]vu | GhostSocks, HijackLoader, Lumma, SectopRAT | Great Flower, IL |
| decrnoj[.]club | GhostSocks, HijackLoader, Lumma, SectopRAT | Great Flower, IL |
FEMO IT's three IPs carry the densest combination: stealer, loader, miner, and RAT labels overlapping across the same addresses. The Great Flower set mirrors four labels across five domains. hakim32[.]ddns[.]net is a sinkhole saddled with so many malware labels it reads like a greatest-hits list.
Quad9 DNS Activity
Over the last 24 hours, Derp identified 217 C2 observations across 49 malware families. Derp C2 intelligence is used to help protect Quad9 users from reaching active C2 infrastructure. These events represent infected systems attempting to reach C2 hosts and Quad9 blocking the connection path.
Top 10 New Quad9 C2 Blocks (24hour)
| Host | Families | Blocked C2 events | Top countries |
|---|---|---|---|
| f****er1[.]duckdns[.]org | Mirai | 2,088 | DE, US, RU, SE, AT |
| skytrust[.]io | AsyncRAT | 534 | US, CH, FR, RU, VE |
| firewai[.]biz | HijackLoader, Remus, Remus Stealer | 376 | FR, US, CH, ID, RU |
| mascard[.]biz | HijackLoader, Remus, Remus Stealer | 319 | FR, CH, ID, RU, BD |
| woodfez[.]biz | HijackLoader, Remus, Remus Stealer | 281 | FR, CH, RU, ID, US |
| losslvs[.]surf | Remus | 267 | DE, CH, RU, US, FR |
| doctopus[.]io | AsyncRAT | 168 | US, DE, RU, BR, VN |
| 69sexy[.]duckdns[.]org | Mirai | 163 | DE, NZ, NO, US |
| newenewmew[.]duckdns[.]org | Mirai | 157 | DE, US |
| tokenguard[.]io | AsyncRAT | 94 | US, FR, RU, PL, DE |
Top 10 All C2 DB Quad9 C2 Blocks (24hour)
| Host | Blocked C2 events | Top countries |
|---|---|---|
| ff[.]jjkk567[.]com | 405,003 | DE, US |
| ff[.]xxcc789[.]com | 404,989 | DE, US |
| ff[.]nnmm234[.]com | 404,962 | DE, US |
| ff[.]aass654[.]com | 404,961 | DE, US |
| ff[.]vvbb321[.]com | 404,960 | DE, US |
| hh[.]jjkk567[.]com | 345,069 | LK, US, IN |
| hh[.]nnmm234[.]com | 345,002 | LK, US |
| hh[.]aass654[.]com | 344,995 | LK, US |
| hh[.]xxcc789[.]com | 344,993 | LK, US, IN |
| cloudguardservice[.]duckdns[.]org | 191,225 | ZA, BW, US, NL |
Infrastructure
166 malware download hosts mapped to 25 countries and 67 providers. Hosting networks carried 147 download hosts, ISP space held 16, business networks had 2, and one was a sinkhole.
| Provider | Download hosts |
|---|---|
| Cloudflare | 31 |
| DigitalOcean | 25 |
| Tencent | 12 |
| Alibaba CN | 8 |
| Great Flower | 6 |
| Omegatech | 4 |
| Alibaba US | 3 |
| FEMO IT | 3 |
| Pfcloud | 3 |
The US hosted 76 malware download hosts, China had 28, the UK 11, and Germany 7. Cloudflare and DigitalOcean alone accounted for a third of the tracked malware download infrastructure.