Cyware Daily Threat Intelligence - June 05, 2026

Attackers are turning trusted web infrastructure into covert data pipelines, as seen in a recent Magecart campaign that quietly siphons payment details through Stripe and Google Tag Manager. Cyware.com highlights how even legitimate APIs can become conduits for theft, with one scheme embedding stolen card data inside Stripe metadata tied to a fake customer ID—leaving retailers and shoppers exposed without warning.
A critical flaw in the Everest Forms Pro WordPress plugin has triggered over 29,300 blocked exploitation attempts since April, with attackers leveraging the Complex Calculation feature to run arbitrary PHP code. This vulnerability, tracked as CVE-2026-3300, is already being abused in the wild, forcing site owners to urgently patch to version 1.9.13 or risk full site takeover and malware staging.
On the threat actor front, VerdantBamboo is extending its reach by implanting modular RATs on MSP edge appliances, maintaining access for at least 18 months and leveraging stolen credentials to pivot into Microsoft 365 environments. This persistent intrusion model threatens to cascade risk across multiple downstream organizations, underscoring the evolving tactics of advanced persistent threats.
Top Malware Reported in the Last 24 Hours
Reaper stealer resurfaces to raid Macs
Reaper is a resurfaced variant of the SHub stealer classified as an infostealer targeting macOS systems. Reaper siphons browser data, cryptocurrency wallets, and sensitive documents from infected hosts. Reaper disguises itself in legitimate-looking directories such as ~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/ and uses fake system password prompts to escalate privileges. Infection occurs via fake download pages for popular apps like WeChat and Miro, leveraging typo-squatted domains to appear authentic. Reaper targets wallet applications including Exodus, Atomic, Ledger Live, Electrum, and Trezor Suite to intercept secrets and transactions. The campaign poses a direct financial theft risk for individuals and small businesses, as documented in recent technical analyses.
VerdantBamboo plants BRICKSTORM on network edges
BRICKSTORM is a modular remote access trojan (RAT) deployed by VerdantBamboo (also known as WARP PANDA, UNC5221) on network appliances such as pfSense firewalls. BRICKSTORM uses Cloudflare and Google’s public DNS for routing and TLS connections, blending malicious traffic with legitimate flows. BRICKSTORM enables remote shell commands, proxying, and persistent access while leveraging living-off-the-land tactics to evade detection. Initial access is achieved through targeting edge appliances and managed service provider (MSP) infrastructure. The observed intrusion timeline extended at least 18 months, including stolen-credential access into Microsoft 365 environments, increasing risk for downstream organizations.
Magecart skimmer abuses Stripe and GTM
Magecart is a cybercriminal group running a credit-card skimming operation targeting Magento and Adobe Commerce checkout pages. Magecart injects malicious code via Google Tag Manager containers and leverages Google Firestore for data storage and retrieval, masquerading as legitimate web traffic. Magecart stores stolen card data inside Stripe by writing it into metadata on fake customer records, specifically on the customer record with ID cus_TfFjAAZQNOYENR. Infection occurs when shoppers enter payment details on compromised checkout pages. The campaign results in attackers collecting both card data and personal information without alerting retailers or customers.
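Because the skimmer described above uses Stripe customer metadata as a dead drop, a merchant can audit its own Stripe account for the same abuse. The following is an added example, not code from the report or from Stripe: it scans customer records (constructed sample objects shaped like Stripe customer JSON, not real API output) for Luhn-valid 13 to 19 digit runs in metadata values and reports the offending customer IDs and keys with the numbers masked. A legitimate integration never writes a PAN into free-form metadata, so any hit is worth an immediate look.

```python
import re
from typing import Dict, List

# Constructed sample of Stripe-style customer objects (not real API output).
# In practice these would come from paginating the customers list endpoint.
SAMPLE_CUSTOMERS = [
    {"id": "cus_EXAMPLE001", "email": "buyer@example.com",
     "metadata": {"order_id": "A-1001", "plan": "gold"}},
    {"id": "cus_EXAMPLE002", "email": "",
     "metadata": {"d": "4111111111111111|12/29|123|Jane Doe"}},
    {"id": "cus_EXAMPLE003", "email": "x@example.com",
     "metadata": {"note": "ref 123456789012"}},  # only 12 digits, too short
]

# A run of 13-19 digits, optionally separated by spaces or dashes, that is not
# embedded in a longer digit run (longer runs are deliberately not matched).
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pan_like(value: str) -> List[str]:
    """Return Luhn-valid 13-19 digit runs found in one metadata value."""
    hits = []
    for m in DIGIT_RUN.finditer(value):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(digits: str) -> str:
    """Keep BIN and last four so the finding can be triaged without the full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def audit_customers(customers) -> Dict[str, Dict[str, List[str]]]:
    """Map customer id -> {metadata key: [masked PAN-like values]} for suspicious records."""
    findings: Dict[str, Dict[str, List[str]]] = {}
    for cust in customers:
        bad: Dict[str, List[str]] = {}
        for key, value in cust.get("metadata", {}).items():
            if isinstance(value, str):
                hits = find_pan_like(value)
                if hits:
                    bad[key] = [mask(h) for h in hits]
        if bad:
            findings[cust["id"]] = bad
    return findings


if __name__ == "__main__":
    for cust_id, keys in audit_customers(SAMPLE_CUSTOMERS).items():
        print(f"{cust_id}: card-like data in metadata keys {keys}")
```

The Luhn filter keeps the noise from order numbers and references down; a 12-digit reference never matches, and a 16-digit value that fails the checksum is ignored. Customers with an empty email and a single opaque metadata key, as in the second sample record, are the pattern to prioritise.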
Top Vulnerabilities Reported in the Last 24 Hours
Hackers exploit WordPress plugin for RCE
CVE-2026-3300 is a critical remote code execution vulnerability in the Everest Forms Pro WordPress plugin; the source does not give a CVSS score. Successful exploitation allows unauthenticated attackers to execute arbitrary PHP code, enabling full site takeover. The flaw is actively exploited in the wild, with over 29,300 blocked attempts since April 13, 2026, and a spike of 17,900 attempts on May 16. Infosecurity Magazine reported the activity, warning that abuse can turn a public website into a malware staging point or intrusion foothold. The vulnerability centers on the Complex Calculation feature, where the Calculation add-on’s use of PHP’s eval() enables code injection. A patch is available in version 1.9.13; all prior versions are at risk.
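The root cause above, a form calculation feature built on eval(), is a general pattern rather than something specific to this plugin: submitted field values are spliced into a formula string and the string is handed to the language runtime. The added example below is not the plugin's code (which is PHP) and does not reproduce its bug; it shows the same anti-pattern in Python next to the hardened design a defender would ask for: parse the formula into an AST, accept only arithmetic nodes, and bind field values by name so that user input is never part of the executed text. The field names and formulas are constructed.

```python
import ast
import operator
from typing import Dict, Union

Number = Union[int, float]

# Only arithmetic is allowed; every other node type is rejected.
BINARY_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow,
}
UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}
MAX_EXPONENT = 64  # cap so a formula cannot burn CPU with huge powers


class UnsafeExpression(ValueError):
    """Raised when a formula contains anything other than arithmetic over fields."""


def unsafe_calculate(formula: str, raw_fields: Dict[str, str]) -> Number:
    """The anti-pattern: splice raw submitted text into the formula, then eval it.
    Any field value that is itself an expression becomes executed code."""
    for name, value in raw_fields.items():
        formula = formula.replace(name, value)
    return eval(formula)  # noqa: S307 - shown only to contrast with the safe version


def coerce_fields(raw: Dict[str, str]) -> Dict[str, float]:
    """Hardened input handling: submitted values must parse as numbers or are dropped."""
    out: Dict[str, float] = {}
    for name, value in raw.items():
        try:
            out[name] = float(value)
        except (TypeError, ValueError):
            continue
    return out


def _eval_node(node: ast.AST, fields: Dict[str, Number]) -> Number:
    if (isinstance(node, ast.Constant) and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.Name):
        # Names resolve only against numeric form fields: no builtins, no modules.
        if node.id not in fields:
            raise UnsafeExpression(f"unknown field {node.id!r}")
        return fields[node.id]
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](_eval_node(node.operand, fields))
    if isinstance(node, ast.BinOp) and type(node.op) in BINARY_OPS:
        left = _eval_node(node.left, fields)
        right = _eval_node(node.right, fields)
        if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
            raise UnsafeExpression("exponent too large")
        return BINARY_OPS[type(node.op)](left, right)
    # Calls, attribute access, subscripts, strings, conditionals, lambdas...
    raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")


def safe_calculate(formula: str, fields: Dict[str, Number]) -> Number:
    """Evaluate an arithmetic formula over numeric fields without eval()."""
    try:
        tree = ast.parse(formula, mode="eval")
    except SyntaxError as exc:
        raise UnsafeExpression(f"syntax error: {exc.msg}") from exc
    return _eval_node(tree.body, fields)


def is_rejected(formula: str, fields: Dict[str, Number]) -> bool:
    """True if the hardened evaluator refuses the formula."""
    try:
        safe_calculate(formula, fields)
    except UnsafeExpression:
        return True
    return False


if __name__ == "__main__":
    submitted = {"price": "5", "qty": "2+10"}          # constructed form input
    print("unsafe:", unsafe_calculate("price*qty", submitted))   # input became code
    print("safe:", coerce_fields(submitted))            # non-numeric qty dropped
    print("safe:", safe_calculate("price*qty", {"price": 5, "qty": 2}))
```

The contrast is the point: in the unsafe path the text "2+10" is executed, so the result depends on what the shopper typed, while the hardened path either refuses the value outright or treats it as a number and nothing else. The formula itself is still administrator-controlled in both designs; the hardening removes the path from a public form field to executable code.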
Cisco SD-WAN zero-day leads to root
CVE-2026-20245 is a zero-day command injection vulnerability in Cisco Catalyst SD-WAN Manager; the source does not give a CVSS score. Exploitation allows attackers with netadmin privileges to execute arbitrary commands as root, resulting in full management compromise. The vulnerability has been exploited in limited cases, with Cisco observing configuration changes pushed to edge devices. Mandiant reported the issue, and threat actor UAT-8616 is cited in the context of similar SD-WAN exploitation, including prior use of CVE-2026-20127. Cisco has released fixes for CVE-2026-20245, and all deployments should update immediately.
IBM i servers exposed to unauth RCE
An unauthenticated remote code execution flaw in IBM i Management Central allows attackers to run commands as the root-equivalent user QSECOFR, risking total system compromise. Successful exploitation enables remote attackers to bypass authentication on the MGTC protocol (port 5555) and trigger arbitrary CL commands. The vulnerability is detailed in a researcher write-up from the Silent Signal blog, which describes how attackers can impersonate QSECOFR to create and start command tasks. Mitigation requires upgrading to IBM i V7R5 or later, where Management Central is not included.
Top Threat Actors Reported in the Last 24 Hours
Incransom leaks financial adviser client data
Incransom is a financially motivated ransomware and extortion group. Incransom claims to have stolen 500 GB of sensitive files from Colina Financial Advisors, including client PII, financial profiles, business intelligence, estate and legal planning materials, and compliance records. Incransom threatens further disclosures to increase leverage in negotiations. The group targets financial management firms, with this attack reported on June 3, 2026, affecting a prominent firm in Nassau, The Bahamas. The incident exposes clients to long-term fraud, account takeover, and personalized scams.
Parsimonius PyPI package targets Python developers
Parsimonius is a malicious PyPI package suspected to originate from a financially motivated actor targeting software supply chains. Parsimonius uses typosquatting to mimic the legitimate parsimonious parser, advertising a higher version number to lure developers. Parsimonius blends into normal library behavior using a living-off-the-land approach to evade static and dynamic analysis. The package adds a Telegram-based backdoor for remote access and command execution, specifically searching for .env files containing credentials and secrets. The malicious package was downloaded 2,474 times before removal from PyPI.
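The typosquat above works because a single dropped character is easy to miss in a requirements file. One control a team can run before installing is a lookalike check: normalise each requested name the way PyPI does, compare it against an allow-list of packages the organisation already uses, and flag any unknown name that sits within edit distance 1 of a known one. The code below is an added example, not part of the report or of any PyPI tooling; the allow-list and the requirements text are constructed, and the Levenshtein distance and the PEP 503 name normalisation are the standard definitions.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed allow-list: packages this (hypothetical) organisation already
# depends on. The page names parsimonious, TensorFlow, requests and
# BeautifulSoup as past lookalike targets, so they are included.
KNOWN_PACKAGES = {"parsimonious", "tensorflow", "requests",
                  "beautifulsoup4", "numpy", "django"}

# Constructed requirements file containing two one-character lookalikes.
SAMPLE_REQUIREMENTS = """\
# pinned deps
requests==2.32.0
parsimonius>=0.11.0   # one 'o' short of parsimonious
numpy
requsts[socks]>=2.0 ; python_version >= "3.8"
-r other.txt
Django
"""

REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def parse_requirements(text: str) -> List[str]:
    """Extract bare project names; skip comments, blank lines and pip options."""
    names = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "-")):
            continue
        m = REQ_NAME.match(stripped)
        if m:
            names.append(m.group(1))
    return names


def closest_known(name: str, known: Iterable[str]) -> Tuple[str, int]:
    """Return the known name with the smallest edit distance to `name`."""
    return min(((k, edit_distance(name, k)) for k in known), key=lambda kv: kv[1])


def check_requirements(text: str, known: Iterable[str] = KNOWN_PACKAGES,
                       max_distance: int = 1) -> Dict[str, str]:
    """Map each suspicious requested name to the known package it resembles.

    Exact (normalised) matches are trusted; unknown names within
    `max_distance` edits of a known one are flagged for review."""
    known_norm = {normalize(k) for k in known}
    flagged: Dict[str, str] = {}
    for name in parse_requirements(text):
        norm = normalize(name)
        if norm in known_norm:
            continue
        target, dist = closest_known(norm, known_norm)
        if dist <= max_distance:
            flagged[name] = target
    return flagged


if __name__ == "__main__":
    for requested, looks_like in check_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"suspicious: {requested!r} resembles known package {looks_like!r}")
```

The check is deliberately conservative: it only compares against packages the team already trusts, so it produces a short, reviewable list rather than trying to classify all of PyPI. It does not catch the second lure the report mentions, an inflated version number, so pair it with pinned versions and hash checking in the lockfile.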
Frequently Asked Questions
What is Reaper? Reaper, a resurfaced variant of the SHub stealer, is back on macOS with a focus on siphoning browser data, cryptocurrency wallets, and sensitive documents. It lures victims through fake download pages for popular apps like WeChat and Miro and uses typo-squatted domains to make the setup feel legitimate.
What is VerdantBamboo? VerdantBamboo (also known as WARP PANDA and UNC5221) has been linked to deployments of BRICKSTORM, a modular RAT found on network appliances like pfSense firewalls. It uses Cloudflare plus Google’s public DNS for routing and TLS connections, helping the traffic blend in while it enables remote control features such as shell commands and proxying.
What is Magecart? Magecart actors are running a credit-card skimming scheme that abuses trusted tooling—Stripe’s API and Google Tag Manager—to quietly capture payment details on Magento/Adobe Commerce checkout pages. It injects malicious code via GTM containers and, in one variant, uses Google Firestore for data storage and retrieval while masquerading as legitimate web traffic.
What is CVE-2026-3300? A critical remote code execution bug in the Everest Forms Pro WordPress plugin (CVE-2026-3300) lets unauthenticated attackers run arbitrary PHP on vulnerable servers, opening the door to full site takeover. The weakness centers on forms using the Complex Calculation feature, where the plugin’s Calculation add-on relies on PHP’s eval() in a way that allows injected input to become executable code.
What is CVE-2026-20245? A newly disclosed Cisco Catalyst SD-WAN Manager zero-day (CVE-2026-20245) lets an attacker with existing access execute arbitrary commands as root, turning a management compromise into full control. Cisco says the bug lives in the product’s CLI and can be exploited by users with netadmin privileges by uploading crafted files that trigger command injection.
What is Incransom? Incransom, a financially motivated ransomware group, says it stole and is extorting a large cache of sensitive files from Colina Financial Advisors. They claim the haul totals 500 GB and includes client PII, financial profiles, proprietary business intelligence, estate and legal planning materials, and compliance records.
What is parsimonius? A typosquatting campaign hit Python developers via parsimonius, a malicious PyPI package designed to be mistaken for the legitimate parsimonious parser by changing a single character and advertising a higher version number. The broader tactic fits an ongoing wave of software supply-chain abuse on PyPI, where similar lookalike packages have previously targeted widely used libraries including TensorFlow, requests, and BeautifulSoup.