MSBuild.exe is a LOLBin, a legitimate Windows tool being abused to run malware on fully patched machines without dropping a single file on disk, and Windows Defender does not raise an alert because MSBuild.exe carries Microsoft’s own digital signature and many security tools treat it as trusted by default. There is no patch coming because nothing here is broken. MSBuild.exe is doing exactly what Microsoft designed it to do. 😏

MSBuild.exe, the Microsoft Build Engine, has been part of the .NET Framework and Visual Studio for years. Software developers use it to compile and build applications from XML-based project files. Because Microsoft built it and signed it, Windows trusts it completely. AppLocker trusts it. Windows Defender Application Control trusts it. Most endpoint security solutions wave it through without a second look, because as far as they are concerned, it is a legitimate Microsoft tool doing its job.

Docker’s Security Layer Has Been Broken Since 2016, And The Fix Doesn’t Finish the Job. One padded HTTP request. That is all it takes to silently disable every authorization plugin in Docker, open a direct path to the host filesystem, and walk out with AWS credentials, SSH keys, and Kubernetes cluster access. The authorization logs show nothing unusual. 😏

When a request hits the Docker API, an authorization plugin steps in before anything else happens. That plugin checks exactly what is being requested before the Docker daemon gets to act on it, and enterprises run tools like Open Policy Agent, Prisma Cloud, or Casbin for this job, configured with rules about what containers are and are not allowed to do.

A Remote Access Trojan called DesckVB has been actively hitting systems throughout 2026, running almost entirely inside memory with barely anything written to disk, hiding its final payload inside a process it names Microsoft.exe, and attempting to switch off the camera LED before streaming video back to the attacker. A cracked version of the builder is already circulating freely, meaning attackers with minimal skills can deploy this today without writing a single line of code. Forensics teams sweep these machines afterward and find very little. The system looks completely clean. 😏

Windows Defender, the built-in antivirus running on every Windows machine, has a zero-day exploit with full source code sitting on GitHub. No patch, no CVE, and confirmed working on fully updated Windows 10 and 11. A researcher who says Microsoft went back on their word just handed every attacker paying attention a privilege escalation that takes any low-privileged account straight to NT AUTHORITY\SYSTEM. On Windows Server the result is different but still serious: a standard user ends up with elevated administrator access. 😏

Fiber optic cables running through your walls can be turned into hidden microphones that record every word spoken in the room. This is not a theory anymore. Researchers from Hong Kong Polytechnic University published a fully working attack at the NDSS Symposium in February 2026, and the results are going to change the way a lot of people think about what is running through their walls. 😏

I refused to get fiber optic internet installed at my house. Call it a security instinct. Everyone around me thought I was being paranoid. Turns out that feeling was right.

NVIDIA GPUs with GDDR6 memory can be used to take full control of a system, including a root shell, bypassing hardware defenses that were supposed to stop exactly this. Three independent research teams published GPU attack research at the same time. One of them goes further than anything before it. There is currently no fix for consumer GPUs. 😏

The attack is called GPUBreach, and it comes from researchers at the University of Toronto. To understand why it matters, it helps to know what Rowhammer is, because that is where this starts.

Yesterday, I posted a QR code challenge on this Ethical Hacking page, and it has since been removed. A cipher, hidden inside a QR code, with three security questions and a prize. The comments that followed gave me a good reason to write about this, because this is a topic that deserves a proper explanation.

The comments came in fast. “You should never scan a random QR code.” “This is a trap.” “You failed the first part just by scanning.” “Hackers know better than to do this.” And honestly, that reaction makes sense. You see a QR code on a hacking page, you do not know what is inside it, and being careful is right. But being careful does not mean refusing to engage. It means knowing how to approach it.

Axios, the JavaScript library with over 100 million weekly downloads, was compromised on March 31st. For roughly three hours, every fresh install of those two versions silently dropped a remote access trojan on the machine that ran it. Windows, macOS, and Linux, all targeted. The installation completed normally, nothing flagged the change, and the backdoor was already running by the time the command finished. 😏

Axios is a JavaScript HTTP client that developers use to send web requests from their applications. It ships inside frontend frameworks, backend services, mobile apps, and CI/CD pipelines, and if a company runs Node.js anywhere in their stack, Axios is almost certainly somewhere in that dependency tree. That is what made this attack so significant.

Hackers are hijacking NGINX web servers and rerouting live traffic through their own infrastructure. No malware installed, no vulnerability exploited. Just a few lines changed in a configuration file, and every visitor’s data flows through attacker-controlled servers without anyone noticing. 🧐

NGINX is the most popular web server on the planet. It powers over 5 million websites and handles roughly one in three web connections worldwide. Banks, governments, and universities all depend on it. And right now, a campaign is silently turning these servers into traffic relays.

32 years. That is how long it took Microsoft to disable NTLM, the protocol that handles Windows login authentication. A broken system linked to $10 billion in damages and some of the worst cyberattacks ever recorded. Hackers have been exploiting it since 2001. Here is the story of why it took this long.

On January 30, 2026, Microsoft announced they will finally disable NTLM by default in future Windows releases.