---
source: newsletter
source_url: https://thehackernews.com/2026/05/fake-openai-privacy-filter-repo-hits-1.html
title: "Fake OpenAI Privacy Filter Repo Hits #1 on Hugging Face, Draws 244K Downloads"
ingested: 2026-05-13
type: raw-article
tags: [security, ai, threat-intelligence, huggingface, openai]
sha256: e30fbb101d2590b523b5d74f6aa285a91846ec540943317e62e6e5a874281621
---
# Fake OpenAI Privacy Filter Repo Hits #1 on Hugging Face, Draws 244K Downloads
#1 Trusted Cybersecurity News Platform
Followed by 5.70+ million[__](https://twitter.com/thehackersnews)[__](https://www.linkedin.com/company/thehackernews/)[__](https://www.facebook.com/thehackernews)
[![Image 1: The Hacker News Logo](blob:http://localhost/5c34172ae87fab3ecb77bf8cfaf83e48)](https://thehackernews.com/)
[__](javascript:void(0))
__
[__ Get the Latest News](https://thehackernews.com/2026/05/fake-openai-privacy-filter-repo-hits-1.html#email-outer)
*   [Home](https://thehackernews.com/)
*   [Newsletter](https://thehackernews.com/2026/05/fake-openai-privacy-filter-repo-hits-1.html#email-outer)
*   [Webinars](https://thehackernews.com/p/upcoming-hacker-news-webinars.html)
*   [Home](https://thehackernews.com/)
*   [Threat Intelligence](https://thehackernews.com/search/label/Threat%20Intelligence)
*   [Vulnerabilities](https://thehackernews.com/search/label/Vulnerability)
*   [Cyber Attacks](https://thehackernews.com/search/label/Cyber%20Attack)
*   [Webinars](https://thehackernews.com/p/upcoming-hacker-news-webinars.html)
*   [Expert Insights](https://thehackernews.com/expert-insights/)
*   [Awards](https://awards.thehackernews.com/)
[__](javascript:void(0))
__
[__](javascript:void(0))
Resources
*   [Webinars](https://thehackernews.com/p/upcoming-hacker-news-webinars.html)
*   [Awards](https://awards.thehackernews.com/)
*   [Free eBooks](https://thehackernews.tradepub.com/)
About Site
*   [About THN](https://thehackernews.com/p/about-us.html)
*   [Jobs](https://thehackernews.com/p/careers-technical-writer-designer-and.html)
*   [Advertise with us](https://thehackernews.com/p/advertising-with-hacker-news.html)
Contact/Tip Us
[__ Reach out to get featured—contact us to send your exclusive story idea, research, hacks, or ask us a question or leave a comment/feedback!](https://thehackernews.com/p/submit-news.html)
Follow Us On Social Media
[__](https://www.facebook.com/thehackernews)[__](https://twitter.com/thehackersnews)[__](https://www.linkedin.com/company/thehackernews/)[__](https://www.youtube.com/c/thehackernews?sub_confirmation=1)[__](https://www.instagram.com/thehackernews/)
[__ RSS Feeds](https://feeds.feedburner.com/TheHackersNews)[__ Email Alerts](https://thehackernews.com/2026/05/fake-openai-privacy-filter-repo-hits-1.html#email-outer)
[![Image 2: cybersecurity](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyqUz0-ifa8jE9rCzud3wzxmhcuzTp1VOWFEvGMoZXDYfaB_4459fPyvyQw7wvAnzjzDL09PkyJM83QGheO69fC3esg1WA7WnJ89i_t_q3K8DxYmgV__QujU8RWRnCK4MpbKqu8nwuMFfLaiRVHy_ov7IZ16hoKI3rIu-5BcISmqXPjlQU7N0sa4lWI-n-/s728-e100/wiz-d.png)](https://thehackernews.uk/wiz-ai-state-d)
# [Fake OpenAI Privacy Filter Repo Hits #1 on Hugging Face, Draws 244K Downloads](https://thehackernews.com/2026/05/fake-openai-privacy-filter-repo-hits-1.html)
__ Ravie Lakshmanan __ May 11, 2026 Supply Chain Attack / Threat Intelligence
[![Image 3](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPtLFShq_XoM9Nzsl5kmSsF2UGsm6VhRoLNodcqRCdq45zqy4ekFVtamokNzEFifQknD502Wc0uFTBUdvLsBsYn4QAeVHSWLmhF2ROBMXutev8T6JjCGrrarzLhkSTUHLBq-nEWrF0WTb2epkX_3Ba5a6Gv_21R7PPQ_zCjhk7OU702Y10tJkcJiYG52D4/s1700-e365/hugging-face-malware.jpg)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPtLFShq_XoM9Nzsl5kmSsF2UGsm6VhRoLNodcqRCdq45zqy4ekFVtamokNzEFifQknD502Wc0uFTBUdvLsBsYn4QAeVHSWLmhF2ROBMXutev8T6JjCGrrarzLhkSTUHLBq-nEWrF0WTb2epkX_3Ba5a6Gv_21R7PPQ_zCjhk7OU702Y10tJkcJiYG52D4/s1700-e365/hugging-face-malware.jpg)
A malicious Hugging Face repository managed to take a spot in the platform's trending list by impersonating OpenAI's Privacy Filter open-weight model to deliver a Rust-based information stealer to Windows users.
The project, named [Open-OSS/privacy-filter](https://huggingface.co/Open-OSS/privacy-filter), masqueraded as its legitimate counterpart released by OpenAI late last month ([openai/privacy-filter](https://huggingface.co/openai/privacy-filter)), including copying the entire description verbatim to trick unsuspecting users into downloading it. Access to the malicious model has since been disabled by Hugging Face.
Privacy Filter was [unveiled](https://openai.com/index/introducing-openai-privacy-filter/) in April 2026 by the artificial intelligence (AI) company as a way to detect and redact personally identifiable information (PII) in unstructured text with an aim to incorporate strong privacy and security protections into applications.
"The repository had typosquatted OpenAI's legitimate Privacy Filter release, copied its model card nearly verbatim, and shipped a loader.py file that fetches and executes infostealer malware on Windows machines," the HiddenLayer Research Team [said](https://www.hiddenlayer.com/research/malware-found-in-trending-hugging-face-repository-open-oss-privacy-filter) in a report published last week.
[![Image 4: Cybersecurity](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnNON5UeWywT7OcPNw7V4L7QNWnCnm7Xl_99Y9ek8dL-gRwx-bWxQM1TKqt8deqqrdpUyKMuuijAWyyPQVB0s0qf8ntQ6ldFAJLru-QUWhddKTopc7SeNbBBnd-TsfFyRPP-AAyDuclLlL6XHK4_LXqDC_7eyaz9pzToYr7U543MhrJ7qcK-89sVWHTQUZ/s728-e100/zz-2-d.jpg)](https://thehackernews.uk/threatlabz-vpn-risk-2026-d)
The malicious project instructs users to clone the repository and run a batch script ("start.bat") for Windows or a Python script ("loader.py") for Linux or macOS systems to configure all necessary dependencies and start the model.
[](https://thehackernews.com/2026/05/fake-openai-privacy-filter-repo-hits-1.html)
Once launched, the Python script triggers malicious code responsible for disabling SSL verification, decoding a Base64-encoded URL hosted on JSON Keeper, and using it to extract a command that's passed to PowerShell for subsequent execution.The use of JSON Keeper, a public JSON paste service, as a dead drop resolver allows the attackers to switch payloads on the fly without the need for modifying the repository.
The PowerShell command is used to download a batch script from a remote server ("api.eth-fastscan[.]org") and launch it using "cmd.exe."The batch script functions as a second-stage downloader that prepares the environment by elevating its privileges by means of a User Account Control (UAC) prompt, configuring Microsoft Defender Antivirus exclusions, downloading the next-stage binary from the same domain, and setting up a scheduled task that launches a PowerShell script to run the executable.
Once the scheduled task is launched, the malware waits for two seconds before deleting itself. The final stage is an information stealer that's designed to take screenshots and harvest data from Discord, cryptocurrency wallets and extensions, system metadata, files such as FileZilla configurations and wallet seed phrases, and web browsers based on the Chromium and Gecko rendering engines.
"Despite using a scheduled task, this stage establishes no persistence: the task is destroyed before any reboot. It is being used as a one-shot SYSTEM-context launcher," HiddenLayer explained.
The stealer also runs checks to detect debuggers and sandboxes, ascertains it's not running in a virtual machine, and tries to disable Windows Antimalware Scan Interface (AMSI) and Event Tracing for Windows (ETW) to evade behavioural detection. The stolen data is exfiltrated in JSON format to the "recargapopular[.]com" domain.
[![Image 5](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgktNa8Ejw3vrSO1h0djyf_XA0lvv4E8h8nwiAHUInGfIzHh4kqc718j_KrIU4XCvIVeNiRFRSmRMfgli7R_Mz2CpXHXbNYA4NzVGLiHQiujW-jHF-Ww3eLK-KF9yvarLcXkMvxrwwHYP2DJHOveaDkCD0OQ6xsTcXWn8d1Z6i7GTN9gWpYD1o5_aZ0Luxg/s1700-e365/lure.png)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgktNa8Ejw3vrSO1h0djyf_XA0lvv4E8h8nwiAHUInGfIzHh4kqc718j_KrIU4XCvIVeNiRFRSmRMfgli7R_Mz2CpXHXbNYA4NzVGLiHQiujW-jHF-Ww3eLK-KF9yvarLcXkMvxrwwHYP2DJHOveaDkCD0OQ6xsTcXWn8d1Z6i7GTN9gWpYD1o5_aZ0Luxg/s1700-e365/lure.png)
Prior to it being disabled, the model is said to have reached the #1 trending position on Hugging Face with approximately 244,000 downloads and 667 likes within 18 hours. It's suspected that these numbers were artificially inflated to give the repository an illusion of trust and get users to download it.
Further analysis of the activity has unearthed six more repositories that feature a similar Python loader to deploy the stealer -
*   anthfu/Bonsai-8B-gguf
*   anthfu/Qwen3.6-35B-A3B-APEX-GGUF
*   anthfu/DeepSeek-V4-Pro
*   anthfu/Qwopus-GLM-18B-Merged-GGUF
*   anthfu/Qwen3.6-35B-A3B-Claude-4.6-Opus-Reasoning-Distilled-GGUF
*   anthfu/supergemma4-26b-uncensored-gguf-v2
HiddenLayer said it also observed the "api[.]eth-fastscan[.]org" domain being used to serve a different Windows executable ("[o0q2l47f.exe](https://www.virustotal.com/gui/file/c1b59cc25bdc1fe3f3ce8eda06d002dda7cb02dea8c29877b68d04cd089363c7/detection)") that beacons out to "welovechinatown[.]info," a command-and-control (C2) server previously put to use in a campaign in which a malicious npm package named trevlo was leveraged to deliver ValleyRAT (aka Winos 4.0).
The Node.js library was downloaded more than 2,300 times after it was published by a user named "titaniumg" on April 4, 2026, although it's not clear if the download count was artificially boosted using automated processes. It's no longer available on npm.
[![Image 6: Cybersecurity](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPEV6-530TOlxG6PjrmdlY623wpBwduZ7t1HV6flcmO5R4q4AmfixDUzW0CrhlvMVNWbhvOIso-UDNTka4W_W9Chrdj_dglwBZwi7DuePM2IMIl-hfUYVIqBXgfpr_2619K8Gptb4LzwJ6gUbi7lWl2M8AFQJsHEaw63Q7tZ6708YGruiHrr0Y2W9YYxLQ/s728-e100/ThreatLocker-d.png)](https://thehackernews.uk/ai-cant-stop-d)
"The package's postinstall hook silently executes an obfuscated JavaScript loader that spawns a base64-encoded PowerShell command, which in turn fetches and executes a second-stage PowerShell script from attacker-controlled infrastructure," Panther [noted](https://panther.com/blog/sober-up-npm-typosquat-delivers-winos4.0-implant-via-multi-stage-powershell-dropper) last month.
[![Image 7](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8JnIvmt4PAHtZvSQ2YRcwuVQwJMVnyiTN7xhxfUqOMxVCIjZgmZE73SpTLdFIGpKFM0eEzzht3R_UeTCFKEro0g_UiRRjXb7vJRwQepdaOfZZrriN0Bjn1J4Cn5UgP8U7HR1pb9xsirEQpKWXHL7Pcfosgt5QkArSJnoagQXlb_p07MUfrE-84Xf6c-7o/s1700-e365/powershell.jpg)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8JnIvmt4PAHtZvSQ2YRcwuVQwJMVnyiTN7xhxfUqOMxVCIjZgmZE73SpTLdFIGpKFM0eEzzht3R_UeTCFKEro0g_UiRRjXb7vJRwQepdaOfZZrriN0Bjn1J4Cn5UgP8U7HR1pb9xsirEQpKWXHL7Pcfosgt5QkArSJnoagQXlb_p07MUfrE-84Xf6c-7o/s1700-e365/powershell.jpg)
"That script downloads and runs a Winos 4.0 stager binary ("CodeRun102.exe") with full evasion, complete with hidden window execution, Zone Identifier removal, and process detachment."
The attack is noteworthy for the fact that it represents a new initial access vector for ValleyRAT, a modular remote access trojan that's[known](https://thehackernews.com/2026/05/silver-fox-deploys-abcdoor-malware-via.html) to be [distributed](https://thehackernews.com/2025/12/silver-fox-uses-fake-microsoft-teams.html) via phishing emails and search engine optimization (SEO) poisoning. The use of ValleyRAT is exclusively attributed to a Chinese hacking group dubbed Silver Fox.
"The shared infrastructure suggests these campaigns are possibly linked and likely part of a broader supply chain operation targeting open-source ecosystems," HiddenLayer said.
Found this article interesting? Follow us on [Google News](https://news.google.com/publications/CAAqLQgKIidDQklTRndnTWFoTUtFWFJvWldoaFkydGxjbTVsZDNNdVkyOXRLQUFQAQ), [Twitter](https://twitter.com/thehackersnews) and [LinkedIn](https://www.linkedin.com/company/thehackernews/) to read more exclusive content we post.
SHARE[__](https://thehackernews.com/2026/05/fake-openai-privacy-filter-repo-hits-1.html#link_share)[__](https://thehackernews.com/2026/05/fake-openai-privacy-filter-repo-hits-1.html#link_share)[__](https://thehackernews.com/2026/05/fake-openai-privacy-filter-repo-hits-1.html#link_share)[__](javascript:void(0))
[__ Tweet](https://thehackernews.com/2026/05/fake-openai-privacy-filter-repo-hits-1.html#link_share)
[__ Share](https://thehackernews.com/2026/05/fake-openai-privacy-filter-repo-hits-1.html#link_share)
[__ Share](https://thehackernews.com/2026/05/fake-openai-privacy-filter-repo-hits-1.html#link_share)
__ Share
[__](javascript:void(0))[__ Share on Facebook](https://thehackernews.com/2026/05/fake-openai-privacy-filter-repo-hits-1.html#link_share)[__ Share on Twitter](https://thehackernews.com/2026/05/fake-openai-privacy-filter-repo-hits-1.html#link_share)[__ Share on Linkedin](https://thehackernews.com/2026/05/fake-openai-privacy-filter-repo-hits-1.html#link_share)[__ Share on Reddit](https://thehackernews.com/2026/05/fake-openai-privacy-filter-repo-hits-1.html#link_share)[__ Share on Hacker News](https://thehackernews.com/2026/05/fake-openai-privacy-filter-repo-hits-1.html#link_share)[__ Share on Email](https://thehackernews.com/2026/05/fake-openai-privacy-filter-repo-hits-1.html#link_share)[__ Share on WhatsApp](https://thehackernews.com/2026/05/fake-openai-privacy-filter-repo-hits-1.html#link_share)[![Image 8: Facebook Messenger](blob:http://localhost/4790c518974848fb287f0be1d99a37a0)Share on Facebook Messenger](https://thehackernews.com/2026/05/fake-openai-privacy-filter-repo-hits-1.html#link_share)[__ Share on Telegram](https://thehackernews.com/2026/05/fake-openai-privacy-filter-repo-hits-1.html#link_share)
[SHARE __](javascript:void(0))
[cybersecurity](https://thehackernews.com/search/label/cybersecurity), [Hugging Face](https://thehackernews.com/search/label/Hugging%20Face), [Malware](https://thehackernews.com/search/label/Malware), [OpenAI](https://thehackernews.com/search/label/OpenAI), [powershell](https://thehackernews.com/search/label/powershell), [supply chain attack](https://thehackernews.com/search/label/supply%20chain%20attack), [Threat Intelligence](https://thehackernews.com/search/label/Threat%20Intelligence), [windows security](https://thehackernews.com/search/label/windows%20security)
⚡ Top Stories This Week
[![Image 9: 30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilUS_xmTpvaJtwhFTnxsBtKSx2hWroMJKWUCKeB_CNx_9-5T85bdpqGfTZ0__XITi-i6ZnndaiiiFggf3Cgf-35KK-G6sEwvnlqom2DK6U-oH_o9GhEGNyd9kiSti-QC_dpl3v7b7IniC9kAUzV265yVbVsWAnLnH1RfQxrftUHj5MFAm03MOBw3Z6UEVb/w72-h72-c-rw-e365/phish.jpg) 30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign](https://thehackernews.com/2026/05/30000-facebook-accounts-hacked-via.html)
[![Image 10: Trellix Confirms Source Code Breach With Unauthorized Repository Access](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJ47NY9D4DSEZHqBNSGTjpmSJqwYVOzlIKGoG-0LTxSdIIDrMtyV2tOqRYcc-4kpxkE1UZ6nJhK4eXCGEsEmG6UcQeHn_YjAhRWXIAxo5yC75eUmLv3w5rur6SN6Qoee65gve-LgM0_3YGnAzQwTrQMTeTShRe_leh8_ImIlzU-Sgfy2kRqTcx5V-yG-3M/w72-h72-c-rw-e365/breach.jpg) Trellix Confirms Source Code Breach With Unauthorized Repository Access](https://thehackernews.com/2026/05/trellix-confirms-source-code-breach.html)
[![Image 11: ⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE and More](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_j3mVDqxMVjGlF1qpGV3nSUfIhHsxGDl7Nt6QQFwRUA-qOtj22zKVcE7B7UTCcjLdUrsjLPB5N7TiX8Hzjx8Hq8LPy_GdAfcO_AqMwDDWRyQ6dWdeXzFOQa1KYm8rUUDCgwCbR9kN7OCheQyc0Ijz2MuXGkY6bsqHwlBtV34Q6xH2VAPRDUjFFThKk46X/w72-h72-c-rw-e365/CYBERRECAP.jpg) ⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE and More](https://thehackernews.com/2026/05/weekly-recap-ai-powered-phishing.html)
[![Image 12: Progress Patches Critical MOVEit Automation Bug Enabling Authentication Bypass](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTvgdRkcdOwctclhM5XBvKXGGFrqpNsd7pJsR6Qk9QfhVd52KaiNWtY6kbWYbxzweFJDx5-sXo5UmIGJZ2yKbiSqntFDcYS7aDV_hUlAuNtcFzIPf_MDdqWq9eeyzZwJXx9__K5ynAXHc-7kJ6i66ifjuGrFqfLdn4-yDTvmL1oSZ-kVX2V9eoTq-xdiKa/w72-h72-c-rw-e365/moveit.jpg) Progress Patches Critical MOVEit Automation Bug Enabling Authentication Bypass](https://thehackernews.com/2026/05/progress-patches-critical-moveit.html)
[![Image 13: Microsoft Details Phishing Campaign Targeting 35,000 Users Across 26 Countries](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAfU-GpnCdjg1P2f40nj2Y7eLLpsjWNa1TnSlNm3m9F7VkOryT5etD2BouMGxbfatdzukMzeCPXsDagasXWNbcwUPJNkDY-sBox3DkrA0bTYjAEOk4JV8OySSD1_Ni2DgEnoWih83X65e9K1foEaEUetNxoyXFJnGx4Np8VQWrZSnxo2UMmR0Y68L-qf0y/w72-h72-c-rw-e365/ms-hook.jpg) Microsoft Details Phishing Campaign Targeting 35,000 Users Across 26 Countries](https://thehackernews.com/2026/05/microsoft-details-phishing-campaign.html)
[![Image 14: Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjL7seGapCGfnl8pFznQajU2KsVPCE19qbtPTJb2sqpOuurkEKNI8ZwUui6QhYmDJODr1F5L7hrpfGBQfsCOT8oC2k_gbjmRPIFWpVZLpJzcdd9nb-UJyNNg4L9LTtEto1sSo3Fn1cIgWxgsH4Xs0GlRJgEt65_Eut7FRv7aQrkqYdJXiE9zDunU2spQOVP/w72-h72-c-rw-e365/apache.jpg) Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE](https://thehackernews.com/2026/05/critical-apache-http2-flaw-cve-2026.html)
[![Image 15: Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF11tAg5Rdf8st9TeSlgPkW_Rn1I3Xi4Xl6wJjNMThFLB0oYYl2kKURYxYxgtnEphAJkeHzRxVrm8LX_7i8RDXgdLQhq4HM5ecZCrv3biRciuLM2JufgdxHqJR3eNTcTsIBWJBAz1Nv8Gac1fhW0vZ8Kgb7RFOC7_9zkL7Uy_SCrFOKps1scenY4c_LPSH/w72-h72-c-rw-e365/paloalto.jpg) Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution](https://thehackernews.com/2026/05/palo-alto-pan-os-flaw-under-active.html)
[![Image 16: The Hacker News Launches 'Cybersecurity Stars Awards 2026' — Submissions Now Open](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1Yg33sY2y1VE4mkNb135928ke63sPOMciQgxVLYK0vXlJfSbZPCF0Q2b6URj-uZG0YOarE7-_WKyEc2OTstYRdmcdOagHSWstqHftoc-rv7vWrKepoENsBmKnR7P9jqH6MK9z-oa3RpOks3HGTqafjHUrPp2t-Xny6btfsAMIBcPWPBXq0hZv2-7XrkE/w72-h72-c-rw-e365/the-hacker-news-cybersecurity-stars-awards-2026.jpg.jpg) The Hacker News Launches 'Cybersecurity Stars Awards 2026' — Submissions Now Open](https://thehackernews.com/2026/05/the-hacker-news-launches-cybersecurity.html)
[![Image 17: ThreatsDay Bulletin: Edge Plaintext Passwords, ICS 0-Days, Patch-or-Die Alerts and 25+ New Stories](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYNaH2vOiD-OgAVnO0nGCSr8j4nnvHD2n7RieJD2mDMlPev_fKoBafjhvob13LV4pOFhgMuZd6ex8zyQnCM1AyVfl6fuRG9Max2F76Ku9rWbieBvF0AtGlQd0nXlIwHDKvq5H4BJn3hGCRfE86fHs5SL05RywOADNDC9J5lG9DF8goavgxWzAh7a7isNMB/w72-h72-c-rw-e365/threatsday-1.jpg) ThreatsDay Bulletin: Edge Plaintext Passwords, ICS 0-Days, Patch-or-Die Alerts and 25+ New Stories](https://thehackernews.com/2026/05/threatsday-bulletin-edge-plaintext.html)
[![Image 18: PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhA-FbTXMB7fJu_4ZxIlvKU2wHShSiMZaCQBah-p33256FjWEUsO0kd4s-LXOT_YQoS39Mj5f7nhj-ERtNF2EPNU9WG91ZWJXpl4cwYFoWz8npaMpVWzAhYjVVB-JnPyoycvPmik7Y5IsihIDXp7_mHvh4DYUz9vqkkVRYgylDqKeezcDEwqRJNs4F_2scA/w72-h72-c-rw-e365/paloalto-rce.jpg) PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage](https://thehackernews.com/2026/05/pan-os-rce-exploit-under-active-use.html)
[![Image 19: Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnVSDBWt4hKZ-DOrZqHWPVH0JxrpcUeup9hpMpoH5Ny8bpuJ6Lviv58aH0aK2S2IJvAugaYRhM8P9wUW3tbVCu2kFMQbG5F16kI3PvS6gmR2Px8qOxcat-tK-UHV9oSDsAv9MHjvrduyndsqhicJxX1GroDTBo8it4ANI2wKIUVauhdxbgrNBQHhdgq2SW/w72-h72-c-rw-e365/linux.gif) Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions](https://thehackernews.com/2026/05/linux-kernel-dirty-frag-lpe-exploit.html)
[![Image 20: New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixNgyNI9ObZi3Il87CVXhEWyWgcK-O1IKhQKRs7NPrNVqTMBZRw7AZpmbk5RdsPxNPmO9IyXaq6QzYBN691HBgfE8HpwnyJuE4-vaCAwHPpb6UfeSRcrMI-GRjcX53cELs31s7ps6YkGx5bAAB67w4m9GQ7ZVWjSdnaPOFczjHlsS3967ZvBh-4ZvTBWEJ/w72-h72-c-rw-e365/linux-pam.jpg) New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials](https://thehackernews.com/2026/05/new-linux-pamdoora-backdoor-uses-pam.html)
[![Image 21: Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiholjenZRIykmReErkRiguk5xd9RV4BIEEPM0nT-o3LvMvDkCTLpd3G0NpqDGEFHp-f6QyvGRMip6CBhGlllYVlp9wS3XBVoV6xW47CDka7Ig8S_aotcuNlmAv3SYgS4hJzxjLp2nrV4SzqlTXnQLG_w68Cq0Bf5hiOoV6CaN9QZliRDa-StzsvIkJAdSF/w72-h72-c-rw-e365/kube.jpg) Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise](https://thehackernews.com/2026/05/quasar-linux-rat-steals-developer.html)
[![Image 22: 2026: The Year of AI-Assisted Attacks](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEji6GV4hhCDB_wJkm6REZZfugW5H5hF8g8X27oGcUHnOSxYst1aJJspKKl6joygytGLwgKYvfDU_DD8DFHQ-vPt-_Tc1yzG8fJl_0tHuyOLgJC3eHKGFM_YZA_OIYoL7wI8lUWZrpGO_E2Sjunen7Y9g2fY7sRTi6cvk4DgBW5plToR5U-Je5GQeJsKuqY/w72-h72-c-rw-e365/ai-cyberattacks.png) 2026: The Year of AI-Assisted Attacks](https://thehackernews.com/2026/05/2026-year-of-ai-assisted-attacks.html)
[![Image 23: Day Zero Readiness: The Operational Gaps That Break Incident Response](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdEBtnOnAfYEV-De3NPPeeTCPWK_gSqYM7OZ0ioRJl84OvS49Fp-GJucJfc-ADDOhyTe11dUoYbkIlA1gYW5b8E6KxYIG71gNa0pU4tmqiEyfmxAEyI1A3n2ZOzfePdcm5WdqHVnFlrSwzgNlOmWKMUOHTqUjS_qUhHBEI9CpMJ_OZrUgn-yaHjTDaXJ0/w72-h72-c-rw-e365/main.jpg) Day Zero Readiness: The Operational Gaps That Break Incident Response](https://thehackernews.com/2026/05/day-zero-readiness-operational-gaps.html)
[![Image 24: We Scanned 1 Million Exposed AI Services. Here's How Bad the Security Actually Is](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJcSH4TD_VT_40WBni-IecCy9etWtsaPKvEXzvqJrDVNl0rTIg_XXWSygEBXAIP7y4saSzakCzASpQL6vtRnHRHULD71drQ3gr-y9PpzOeeQ4JzkDGorQe26Iy7zCRp0tyc_h8EYpJYEMkYjlophh6fnhGnb0ZnRqmier4jB4nMXO2A_4j2duMoSQGKbo/w72-h72-c-rw-e365/intruder.jpg) We Scanned 1 Million Exposed AI Services. Here's How Bad the Security Actually Is](https://thehackernews.com/2026/05/we-scanned-1-million-exposed-ai.html)
⭐ Featured Resources
[![Image 25: Articles](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6hiDBtbNc7in8a_CTb-LT0Ll-l0sJPg5Ci6gZL3RX1NgEVODENrFt6JqXhhk-FmPODNM1pzUrPq00VJJiLR-Ju6-4AroQySaFQVIVMtE-wShqzg77pnlapc3RM3LNwuuET_2eI-wMpfSLrJ40sKHXObmn_DDOO9XCzXwvmnhqEvtqqUcrh8lKpcwl_Dyj/s72-e365/picus-web.jpg) [Webinar] Learn How Autonomous Validation Keeps Pace With AI Attacks](https://thehackernews.uk/auto-validation-2026)
[![Image 26: Articles](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicj0i3aQS0iB32Gg1HU_TnqOC4RybSLNsb4nZvZ5tdWiY5XEv69ok2BV-i5r-2w7QIpwImYTQCMiG8pbr9CvaHqAUHexe1m8DPsE_oBN-LTAMfTzjK_uEpHgmWlYbA1kGEl5InvXhDL0er2J-20BigTiaTZvuvCxXFBMZYcVxHm1RZg7TtRAv01A9J6CH_/s72-e365/ciso.jpg) [Guide] Get Practical AI SOC Insights to Improve Threat Detection](https://thehackernews.uk/ciso-soc-ai-report)
[![Image 27: Articles](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOSJhOFpdVWKgMryEfPnZR30BTWO4mkvD6pvCPkWP6xcMUcwAvGfPhRJReg90gGxRIsU5I_v9rfmhVqSTeMRc2QbYkAjZ3gd-0GRVoVOhous50pX5NHNSfPHz1f0vIfYZLCtT6Rnb7aHZBQqozE5AhaQZuMunks4U1vYzWoquczSWO3TnLYgNZALA_06FR/s72-e365/or.jpg) [Demo] Discover How to Control Autonomous Identity Risks Effectively](https://thehackernews.uk/auto-identity-guards)
[![Image 28: Articles](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEii8_hL1LxsJl61aahBvGLwPGMbVaZw1Xq2nL-acbm0pmhkgCr0YdSzIWO9MEziTnpzmNV0-3RDkNEV8Qnbf61H14MsS664AuEHJuRcUqkdDOqQdlu5BBYF5G1Hy1Dzs7Uqnnty4d3jZAxcGaLZ0goUUu_1py6H8VYxmu6oxj3VZNLg5uvhVbJZAaF2eKnA/s72-e365/ma.jpg) [Demo] Stop Email Attacks and Protect Cloud Workspace Data Faster](https://thehackernews.uk/google-m365-email-security)
## Cybersecurity Webinars
[Building Stronger Defenses ### Stop Patient Zero Attacks Before They Bypass Detection Learn how to stop patient zero attacks before they bypass detection and compromise your systems at entry points. Register](https://thehacker.news/patient-zero-playbook?source=below)[Reduce AppSec Risk ### Validate Real Attack Paths Before Attackers Exploit Them Learn how to validate real attack paths and reduce exploitable risk with continuous agentic security validation. Register](https://thehacker.news/top-attack-paths-appsec?source=below)
⚡ Latest News
Cybersecurity Resources
[![Image 29: Cybersecurity](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXACokw4cvLvnMAIF9jza_ah5XTHyp1X7mdStYyPSaHXvjCQ2KC-V5kvZZiHAMysvMR7o3NrPVPgg516Yl0IcmISulV3KECKWn6HYr0gbY18GqVlCFHlCKtRBYoEukyeWJH2zFDgSvdU8_3mpMMJ1gfygQmK9Dq5YaR8Co90e81jRC3nN-AVMO9yiP-YzK/s728-e100/ldr.jpg) Build Security Strategy That Earns Executive Buy-In — SANS LDR514, NYC SANS LDR514 in NYC, Aug 10–15: policy, risk frameworks, board communication, and strategic leadership.](https://thehackernews.uk/nyc-sans-2026)[![Image 30: Cybersecurity](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCyK3mSumMJPUnI4kYAEcB0kS-ZSB7ZtBTA0xs3tlLhDSQ54FWotA2Ub_e7XLbtTCOqM9k1cAnk6t0Wu7-01W0seVE56jCVFacwmWMu2S5K8EN3MLqE4un8a8_0mWm7fXyXDQO3fSq28M40u2dSATlucFhuKxWUF56thZHx6hRXXVX7d73RzdD6Wc1kQlp/s728-e100/zz-2.jpg) Your VPN is Helping Attackers Move as Fast as AI AI collapsed human response window and turned remote access into fastest path to breach.](https://thehackernews.uk/zscaler-risk-vpn-2026)[![Image 31: Cybersecurity](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUas4KOce8ComJG5TW2uigorerrcCPf4cjsao7P2In6sgYdLwVMmRFB7bqZ6v0LJXrWDN6LIdgvwvK-kpnISCL7wzLDsSYAVs-XXs-qgcP41i1lj-H3ZYgpXz9Utd_6aCQBoyLo9feismppmickqgr_jwBGQuBazVrSqYDc8pWyFU2x6hkbi7GD1m9NXYc/s728-e300/gg.png) Earn a Master's in Cybersecurity Risk Management Lead the future of cybersecurity risk management with an online Master’s from Georgetown.](https://thehackernews.uk/cyber-risk-program)​
Expert Insights [Articles](https://thehackernews.com/expert-insights/)[Videos](https://thehackernews.com/videos/)
[![Image 32: Expert Insights](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0EPKdTPEKUa8Uc9PmVeh_VN-_Z6Xp3n26lj5cYdZ_vBB8hh6KgSMFWgHjNu87tAg4_5-V_0MrdHXNvB2V9VScBtQSLCn5ZAHPTXI1n4OO3q1AD46ouuXgHLP7g_JGzIN0OWU8LSl1K3n__Ae3lE8TWu1feFlDbjpcG7ZZpq5w6JujzcdzgRAX0ZSIkFtI/s728-e300/kaseya-unit.jpg) ## From Phishing to Recovery: Breaking the Ransomware Attack Chain __ May 04, 2026 Read ➝](https://thehackernews.com/expert-insights/2026/05/from-phishing-to-recovery-breaking.html)[![Image 33: Expert Insights](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvqP3x1syb3PjmFpOjgHv33XjiWZ_KwdBaa_jhB1qcuIhQ7VzAk8kHGPmqwxS5Uqmkr4-dYYpeAwXGYQpQnFXusdmNyIEeDHxE1QyLcuRKaXnS6xtWHtUfvc72APloD12dswCi0H3f51CQNctZ_GpbEBTcLf2HSFxUxkBPdgv7liGTx6-4e50Bu3ZcQUT6/s728-e300/Prophet-unit.jpg) ## Mythos is Coming: What the Next Six Months Require __ May 04, 2026 Read ➝](https://thehackernews.com/expert-insights/2026/05/mythos-is-coming-what-next-six-months.html)[![Image 34: Expert Insights](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgz7h4CNKNO8n5D4i7u9G5jwqxdtEeNXr1XPyX5R-Sctm747-NzZibUb98NgjMZfCMYIDVncAfqOdOCXDJ5i_vDQflcqUNxfFi7-OM7Pnu-savMRuQ9lzSHCvXrhBMYI-8OyurZurcPnCE0-gjrw5x5_q205hY0fp7wCwwc9EMQOo51LbdeNaKW7Sh9kQVB/s728-e300/bitdefender-unit.jpg) ## Your Biggest Security Risk Isn’t Malware — It's What You Already Trust __ May 04, 2026 Read ➝](https://thehackernews.com/expert-insights/2026/05/your-biggest-security-risk-isnt-malware.html)[![Image 35: Expert Insights](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjR6WCPSsositUcZds60O72kHyXQXP7yFwD4OBNAb-U73tzZankMDzheCEmqGXK8OBv2w_q4NKUb5grytr4SKS17xb1GSbT3kXHhQ9xi_7AXl0-p11Wok4HyoTt_VT9y6zfK6VVP-x0UY-QVhWkOmiN8kv8BRHYwUU-rcpyKEHLz5Zts7348qOa4VIW-CeZ/s728-e300/ctm360-unit.jpg) ## CTM360 Exposes Global GovTrap Campaign With 11,000+ Fake Government Portals Targeting Citizens Worldwide __ April 27, 2026 Read ➝](https://thehackernews.com/expert-insights/2026/04/ctm360-exposes-global-govtrap-campaign.html)
Get the Latest News in Your Inbox
Get the latest news, expert insights, exclusive resources, and strategies from industry leaders, all for free.
- [x] - [x] 
Email 
Connect with us!
[__ 1,300,000 Followers](https://twitter.com/thehackersnews)
[__ 710,100 Followers](https://www.linkedin.com/company/thehackernews/)
[__ 25,500 Subscribers](https://www.youtube.com/c/thehackernews?sub_confirmation=1)
[__ 157,500 Followers](https://www.instagram.com/thehackernews/)
[__ 1,990,000 Followers](https://www.facebook.com/thehackernews)
[![Image 36: Google News Icon](blob:http://localhost/d9c712dcc9cf552b3323fda6e1fe7145) 55,500 Followers](https://news.google.com/publications/CAAqLQgKIidDQklTRndnTWFoTUtFWFJvWldoaFkydGxjbTVsZDNNdVkyOXRLQUFQAQ)
Company
*   [About THN](https://thehackernews.com/p/about-us.html)
*   [Advertise with us](https://thehackernews.com/p/advertising-with-hacker-news.html)
*   [Contact](https://thehackernews.com/p/submit-news.html)
Pages
*   [Webinars](https://thehackernews.com/p/upcoming-hacker-news-webinars.html)
*   [Awards](https://awards.thehackernews.com/)
*   [Privacy Policy](https://thehackernews.com/p/privacy-policy.html)
[__ RSS Feeds](https://feeds.feedburner.com/TheHackersNews)[__ Contact Us](https://thehackernews.com/p/submit-news.html)
© 2026 The Hacker News. All Rights Reserved.