Foxit Software introduced a new capability designed to uncover hidden security risks inside PDFs as part of its latest PDF Editor 2026.1 release for Windows and macOS.

The update is led by PDF Action Inspector, a new tool that proactively scans documents for embedded JavaScript and self-modifying behaviors — threats that can bypass redaction, expose sensitive data, or alter document output without detection. As organizations rely on PDFs to share critical infrastructure, these risks have become a growing but often overlooked attack surface.

“Most organizations don’t realize that everyday documents can contain active code,” said Evan Reiss, SVP of Marketing at Foxit Software. ”PDF Action Inspector gives teams visibility into behaviors that would otherwise remain hidden, helping them identify risks before they cause real damage.”

The release reflects a broader shift in how documents are created, shared, and secured. As workflows become more digital and AI-driven, documents are no longer static files but dynamic assets that require greater oversight, intelligence, and control.

Alongside its new security capabilities, Foxit PDF Editor 2026.1 expands enterprise protection to help organizations manage documents consistently across environments. Microsoft Azure Information Protection is now available in the Mac App Store version, enabling unified policy enforcement across Windows and macOS devices.

Support for FileOpen-protected PDFs has also been added to Mac editions for Editor and Reader, improving access to DRM-protected content across teams. The update also introduces a series of workflow and usability improvements shaped by customer feedback.

Enhancements to licensing and login stability aim to reduce friction during enterprise rollouts, while a new license page provides clearer visibility into subscription and entitlement details.

Additional updates to annotation, file splitting, and page extraction workflows are designed to streamline everyday document tasks and reduce user error. Foxit also continues to advance its AI Assistant, with updates focused on security controls, governance, and compliance alignment.

These enhancements are part of Foxit’s broader vision to enable more intelligent, efficient, and secure document workflows. PDF Editor 2026.1 is available now for Windows and macOS.

from Help Net Security https://ift.tt/NtShKWU

US prosecutors have charged a Maryland man in connection with two hacks of the Uranium Finance cryptocurrency exchange that led to losses exceeding $50 million.

Jonathan Spalletta, also known as “Cthulhon” and “Jspalletta,” is accused of abusing vulnerabilities in Uranium Finance smart contracts to siphon assets from the platform. If convicted, he could face up to 10 years in prison for computer fraud and 20 years for money laundering.

“As alleged, Jonathan Spalletta repeatedly hacked smart contracts to steal millions of dollars’ worth of other people’s money and destroyed a cryptocurrency exchange in the process,” said U.S. Attorney Jay Clayton. “In describing his alleged ‘heist,’ Spalletta told another individual, ‘Crypto is just fake internet money anyway.’”

The indictment outlines two incidents in 2021. In the first, he used a series of transactions to take advantage of a flaw in the exchange’s code, allowing him to withdraw more cryptocurrency rewards than permitted and drain a liquidity pool of nearly all its tokens, netting about $1.4 million. In messages cited by prosecutors, he later described the incident as a “crypto heist” and acknowledged exploiting a bug.

Authorities say he then pressured the platform into letting him keep roughly $386,000 as a so-called bug bounty in exchange for returning part of the stolen assets.

Weeks later, he carried out a second attack, using another flaw across 26 liquidity pools to extract about $53.3 million, which led to the platform shutting down. Investigators allege he laundered the assets through a series of transactions, including the use of a cryptocurrency mixer.

After laundering the funds, Spalletta spent the money on high-value collectibles, including rare Magic: The Gathering and Pokémon cards, antique Roman coins, and items such as a Black Lotus card, sealed Alpha Booster packs, and a piece of fabric from the Wright brothers’ airplane that was later carried to the moon, prosecutors said.

from Help Net Security https://ift.tt/W3KT8tZ

Bitdefender has announced the Bitdefender Internal Attack Surface Assessment, a complimentary evaluation that helps organizations identify and reduce hidden internal cyber risks caused by unnecessary user access to applications, tools, and operating system utilities commonly exploited in attacks. The assessment provides organizations with a data-driven view of their internal attack surface and offers actionable guidance to help prioritize and remediate exposure.

Businesses face growing challenges defending against Living-Off-the-Land (LOTL), fileless, and other non-malware attack techniques, which leverage legitimate operating system tools and trusted applications to breach systems and evade detection while blending into normal activity.

Analysis of more than 700,000 real-world security incidents found that legitimate tools and LOTL techniques are involved in more than 84% of major attacks. Cybercriminals increasingly exploit widely available utilities such as PowerShell, WMIC, and others to gain access, escalate privileges and move laterally within environments undetected. As a result, organizations are being forced to shift toward a prevention-first security posture to proactively close attack paths before they can be exploited.

The Bitdefender Internal Attack Surface Assessment addresses this critical security gap through a guided engagement that helps organizations uncover this largely invisible internal exposure, assess its impact on overall risk and identify practical steps for remediation. Organizations enroll and immediately begin assessing and monitoring their environment with no disruption to employees or daily operations.

The assessment is powered by Bitdefender GravityZone PHASR (Proactive Hardening and Attack Surface Reduction), a first-to-market endpoint security innovation that combines dynamic, behavior-based security hardening with real-time threat intelligence. It helps identify excessive user access and restrict or block unnecessary applications and tools without impacting business operations.

Key benefits of the Internal Attack Surface Assessment include:

• Quantify internal risk at the user level – Gain precise visibility into attack surface exposure down to each user, including access to applications, tools and utilities, mapped against their baseline behavior and real-time threat intelligence.
• Identify shadow IT and unauthorized tools – Uncover shadow IT and unauthorized tools, including unusual network activity, access to non-approved binaries, and unrecognized applications attempting to access company resources.
• Reduce the attack surface using actionable insights – Receive actionable recommendations to focus mitigation and begin hardening the internal attack surface, with the option to apply controls manually or automatically with Bitdefender guidance. Organizations can reduce their attack surface by up to 95%, significantly lowering exposure to modern attack techniques.

“Cybercriminals are increasingly exploiting legitimate applications and system tools to bypass traditional defenses, creating a growing and often invisible attack surface that is difficult to defend,” said Andrei Florescu, president and GM at Bitdefender Business Solutions Group. “The Bitdefender Internal Attack Surface Assessment gives organizations a clear, data-driven view of these risks and a path to remediation. We are offering it at no cost to help level the playing field, enabling organizations to identify and close critical gaps in their internal attack surface as adversaries rapidly shift tactics.”

from Help Net Security https://ift.tt/qcJ1PDN

New research from the 2026 SANS Identity Threats & Defenses Survey shows that 55% of organizations experienced an identity-related compromise last year, while 26% reported MFA fatigue as a factor in identity attacks. Download the report to learn: Why identity compromises remain common How attackers abuse authentication systems using valid credentials Where organizations struggle to detect and contain identity threats Download the full report to see how identity attacks are evolving.

The post Download: 2026 SANS Identity Threats & Defenses Survey appeared first on Help Net Security.

from Help Net Security https://ift.tt/hpCv04S

TeamPCP’s destructive run of supply chain breaches has stopped, for now: it has been three days since the group published malicious versions of Telnyx’s SDK on PyPI, and there haven’t been reports of new open-source project compromises.

Partnership with emerging RaaS operation

“The prior operational cadence was aggressive – a new target every 1-3 days (Trivy [on] March 19, CanisterWorm [on] March 20-22, Checkmarx [on] March 23, LiteLLM [on] March 24, Telnyx [on] March 27),” SANS instructor Kenneth Hartman noted.

“The current pause, combined with the Vect ransomware affiliate announcement, suggests TeamPCP has shifted primary operational focus from supply chain expansion to monetization of existing credential harvests.”

The announcement in question has been made by Vect, a new ransomware-as-a-service (RaaS) operation, on BreachForum, which is a known “hangout” for cybercriminals.

They revealed their plan to make all BreachForum members their affiliates (by providing a “Vect Affiliation Key”), and their partnership with TeamPCP.

“Together, we are ready to deploy ransomware across all affected companies that got hit by these attacks, and we won’t stop there. We will pull off even bigger supply chain operations. We will chain these compromises into devastating follow-on ransomware campaigns,” they boasted.

The threat is real. According to Hartman, there has already been a first confirmed Vect ransomware deployment using TeamPCP-sourced credentials.

TeamPCP’s rapid evolution

TeamPCP emerged in 2024 and focused on targeting and compromising misconfigured Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers to steal credentials and deploy cryptominers.

In 2025, they started building their capacity for automated supply chain attacks.

“In late 2025 they deployed CanisterWorm, a self-propagating worm that used ICP Canister nodes as decentralized, censorship-resistant C2 infrastructure — the first observed use of this technique in the wild. In early 2026, destructive payloads with geotargeting logic appeared, combining credential theft with region-specific destruction,” says the OpenSourceMalware team.

“The March 2026 campaign represents the culmination: a cascading chain through five vendor ecosystems seeded by a single retained credential [from a previous Trivy compromise].”

They demonstrated their adaptibility even during these latest supply chain attacks.

“In just eight days, the actor has pivoted across security scanners, AI infrastructure, and now telecommunications tooling evolving their delivery from inline Base64 to .pth auto-execution, and ultimately to split-file WAV steganography, while also expanding from Linux-only to dual-platform targeting with Windows persistence,” Trend Micro researchers noted in the wake of the Telnyx compromise.

Hartman also documented another of the group’s innovative techniques: the use of the GitHub Releases API as a fallback data exfiltration channel during a supply chain compromise.

TeamPCP’s attacks ripple through dependencies

Hartman pointed out that TeamPCP’s pause in supply chain compromises should not be interpreted as the end of the group’s supply chain operations.

“TeamPCP explicitly stated they intend to be ‘around for a long time,’ and stolen credentials from the estimated 300 GB trove could enable future package compromises at any time. The absence of new compromises may also reflect improved vigilance by package registries – PyPI has quarantined two TeamPCP campaigns in rapid succession, which may be raising the attacker’s cost of operations on that platform.”

Open-source maintainers must realize that TeamPCP is an eminently capable attack group and should take steps to secure their projects.

“This incident also exposes the absolute stupidity of blindly updating to the latest package versions. The obsession with using the newest patch the second it drops is a massive vulnerability,” Trend Micro researchers also opined.

“If your CI/CD pipeline automatically pulls the newest release without a quarantine period, you are automating your own breach. Pin your dependencies to cryptographic hashes. Let someone else’s infrastructure test the newest release for supply chain malware first.”

GitGuardian reseachers have analyzed how TeamPHP’s supply chain attacks spread through dependencies and automation pipelines, and found that:

• 474 public repositories executed malicious code from the compromised trivy-action (CI/CD component)
• 1,750 Python (PyPI) packages were set up in a way that would automatically pull the poisoned LiteLLM versions

Those numbers are not definitive – i.e., they are likely bigger – because they did not (could not) analyze private GitHub repositories, and they limited their search to Python packages with direct dependency of LiteLLM.

“The package could have been included through a longer dependency chain. Looking for the exact digest of the malicious packages is the only way to determine if the dependency was downloaded on a given machine,” they pointed out, and shared the malicious packages’ SHA256 digests for organizations to use when investigating.

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!

from Help Net Security https://ift.tt/uGr4qXl

Diligent launched of Third-Party Risk Intel, an agentic due diligence and intelligence solution that automates the most time-consuming steps of third-party reviews, delivering up to 80% time savings for compliance, legal, and procurement teams.

The launch builds on the company’s recent acquisition of 3rdRisk, an AI-native third-party risk management solution that gives organizations a near real-time view of their external ecosystem, how critical vendors are performing, and what that means for their overall risk posture.

Third-Party Risk Intel extends Diligent’s leadership in risk management, providing a unified, AI-driven view of risk that spans from the boardroom to the extended vendor landscape.

“Compliance teams are facing a surge in third-party volume across global jurisdictions, with expectations to move faster without compromising defensibility,” said Amanda Carty, GM of Compliance at Diligent. “Third-Party Risk Intel cuts through the noise by mapping ownership structures, screening entities and key individuals, and prioritizing the risks that truly require attention so teams can scale reviews without sacrificing quality or focus.”

Built natively on the Diligent One Platform, Third-Party Risk Intel uses agentic intelligence to plug due diligence directly into third-party risk workflows. Instead of manually stitching together insights from multiple systems, teams get a defensible, end-to-end view of who they’re doing business with, where risk is concentrated and a clear, citation-backed audit trail for every decision.

Turning third-party data into decision-ready intelligence

Third-Party Risk Intel automates entity resolution, ownership identification and risk synthesis so teams can qualify risk earlier, keep analysts focused on the highest‑risk cases and expand coverage without adding headcount. It delivers measurable efficiency gains and risk reduction through:

• Automated entity resolution: Instantly identifies the correct entity across alternate names, translations, and trade names, eliminating duplicate searches and manual verification.
• Comprehensive risk intelligence: Screens entities and principals across global sanctions lists, politically exposed persons (PEPs), adverse media, and beneficial ownership networks to expose hidden relationships conventional tools miss.
• AI-driven risk synthesis: Produces a clear triage recommendation with narrative summary, suggested actions, and a full audit trail in minutes, giving teams a defensible record of how each decision was made.
• Embedded in GRC workflows: Integrates findings directly into Diligent’s third-party risk suite, turning intelligence into immediate action across compliance, risk, and audit programs.

Unlike generic AI tools, Third-Party Risk Intel is trained on Diligent’s proprietary due‑diligence methodologies, applying investigator‑grade logic to entity resolution, ownership mapping and risk triage. By combining open‑source intelligence with proprietary datasets maintained by Diligent’s research teams, Third-Party Risk Intel delivers deeper, more reliable insights than solutions that rely solely on third‑party data feeds.

from Help Net Security https://ift.tt/lKZcQwV

Coro has announced new Model Context Protocol (MCP) capabilities that extend its AI-driven security platform beyond the Coro interface, allowing users to access, analyze, and take action on security data directly from tools like ChatGPT, Claude, and other AI environments. Coro enables teams to interact with and act on security data without switching tools or navigating complex dashboards, which is important for organizations increasingly relying on AI assistants to manage daily workflows.

Coro’s MCP integration brings AI-driven accessibility and interoperability to SMB and lean IT organizations, which have historically lacked the resources to deploy and operate complex security systems.

“Cybersecurity has forced teams to adapt to complex tools and workflows for years,” said Joe Sykora, CEO of Coro. “With MCP, Coro is flipping that model, meeting users where they already are and bringing security into the tools they already use every day, making it possible to go from question to action instantly.”

Extending AI across three layers of security operations

Coro is purpose-built for organizations operating with limited IT resources, as well as the channel partners who support them. To support these teams, Coro’s AI-driven security platform is built across three core layers:

• AI-driven insights that automatically analyze security events, identify threats, and surface prioritized actions across users, devices, and environments.
• AI copilot that enables users to interact with their security environment through natural language, generating summaries, answering questions, and guiding responses.
• MCP integration that brings these capabilities into external tools, allowing users to access and act on security data without logging into Coro.

With MCP integration, users can manage security operations without navigating a dedicated security interface. Instead, they can query live security data, generate reports, visualize trends, and execute actions directly within the tools they already use. This represents a shift from traditional dashboard-based security operations to conversational, AI-driven workflows.

Tasks that traditionally required hours or days of manual analysis, such as investigating security events or compiling reports, can now be completed in seconds or minutes through conversational workflows. MCP also enables more advanced outputs, including generating visualizations and executive-ready reports based on large volumes of security data.

By combining Coro’s unified security data with the AI platform of a user’s choice, MCP enables deeper analysis and more flexible workflows than traditional security tools. Coro’s MCP integration also removes the need to learn new systems or navigate multiple dashboards, allowing users to manage security through familiar tools and interfaces.

Designed for IT professionals, Coro translates complex security data into plain language and actionable guidance, reducing operational overhead and enabling faster, more confident decision-making.

These capabilities shift security operations from reactive workflows to continuous, automated, and accessible execution, advancing Coro’s vision of making cybersecurity easier to operate at scale.

from Help Net Security https://ift.tt/Svp1JFb