no alarms and no surprises please..
-
‘Lorem Ipsum’ Malware Pivots to ClickFix Delivery
New analysis shows the campaign, which uses compromised WordPress sites, may be linked to the ransomware and data extortion group Vice Society. Jai Vijayan Go to gbhackers.com
-
Hackers Abuse Compromised WordPress Sites to Deliver GULoader Through EtherHiding Chain
In April 2026, incident responders traced a sophisticated intrusion that abused compromised WordPress sites to deliver GULoader via an EtherHiding → ClickFix → UNC-chain…. Go to gbhackers.com
-
Ghostwriter APT Uses Fake Gmail Login Panels to Steal Passwords and 2FA Codes
Ghostwriter (UNC1151) has escalated its long-standing phishing operations by deploying convincing fake Gmail login panels that harvest both passwords and two-factor authentication (2FA) codes,… Go to gbhackers.com
-
Hackers Abuse Microsoft OAuth Device Code Flow to Take Over Microsoft 365 Accounts
An active campaign is abusing Microsoft’s OAuth 2.0 Device Authorization Grant (device code) flow to take over Microsoft 365 accounts. Rather… Go to gbhackers.com
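The device code grant exists for input-constrained clients: the client polls the token endpoint while the user types a short code into a genuine Microsoft page, so a phished user never sees a fake login form, and the resulting sign-in is logged from the host that redeemed the code, not from the victim's machine. As an added example (not code from the article or from Microsoft), the Python below turns that observation into a detection over a handful of constructed sign-in records modeled on Entra sign-in log fields; the field names are simplified and assumed, and the addresses are RFC 5737 documentation ranges.

```python
"""Flag suspicious OAuth device-code sign-ins in Entra-style sign-in records."""
from collections import defaultdict

# Constructed sample records, modeled on Microsoft Entra sign-in log fields.
# Field names are simplified for this example: "protocol" stands in for
# AuthenticationProtocol (which reports "deviceCode" for the device code grant),
# "result" for ResultType ("0" = success). IPs are RFC 5737 documentation ranges.
SAMPLE_SIGNINS = [
    {"time": "2026-06-15T08:02:11Z", "user": "alice@example.com", "protocol": "none",       "ip": "203.0.113.10",  "result": "0",     "app": "Office 365 Exchange Online"},
    {"time": "2026-06-15T08:40:55Z", "user": "alice@example.com", "protocol": "oAuth2",     "ip": "203.0.113.10",  "result": "0",     "app": "Microsoft Teams"},
    {"time": "2026-06-15T09:12:03Z", "user": "alice@example.com", "protocol": "deviceCode", "ip": "198.51.100.77", "result": "0",     "app": "Microsoft Office"},
    {"time": "2026-06-15T09:30:00Z", "user": "bob@example.com",   "protocol": "deviceCode", "ip": "192.0.2.5",     "result": "0",     "app": "Microsoft Azure CLI"},
    {"time": "2026-06-15T09:31:00Z", "user": "bob@example.com",   "protocol": "oAuth2",     "ip": "192.0.2.5",     "result": "0",     "app": "Azure Portal"},
    {"time": "2026-06-15T10:05:00Z", "user": "carol@example.com", "protocol": "deviceCode", "ip": "198.51.100.77", "result": "50126", "app": "Microsoft Office"},
]


def baseline_ips(records):
    """Source IPs each user has authenticated from successfully WITHOUT device code.

    In a device-code phish the victim enters the code on a trusted Microsoft page,
    so the browser sign-in looks normal; the token is then redeemed from the
    attacker's host, which shows up as the device-code sign-in's IP.
    """
    seen = defaultdict(set)
    for r in records:
        if r["protocol"] != "deviceCode" and r["result"] == "0":
            seen[r["user"]].add(r["ip"])
    return seen


def detect_device_code_abuse(records, min_users_per_ip=2):
    """Return {"user_findings": [...], "shared_ips": [...]}.

    user_findings: one entry per successful device-code sign-in, severity "high"
    when the source IP has never appeared in that user's non-device-code history
    (the grant was redeemed from somewhere the user does not normally sign in),
    otherwise "low" (likely a CLI tool on the user's own machine).
    shared_ips: IPs that redeemed device codes (successfully or not) for several
    distinct users, a common signature of one phishing host behind many victims.
    """
    known = baseline_ips(records)
    user_findings = []
    users_by_ip = defaultdict(set)
    for r in records:
        if r["protocol"] != "deviceCode":
            continue
        users_by_ip[r["ip"]].add(r["user"])
        if r["result"] != "0":
            continue  # failed redemption: counted against the IP, not the user
        severity = "high" if r["ip"] not in known.get(r["user"], set()) else "low"
        user_findings.append({
            "user": r["user"], "ip": r["ip"], "app": r["app"],
            "time": r["time"], "severity": severity,
        })
    shared_ips = [
        {"ip": ip, "users": sorted(users)}
        for ip, users in sorted(users_by_ip.items())
        if len(users) >= min_users_per_ip
    ]
    return {"user_findings": user_findings, "shared_ips": shared_ips}


if __name__ == "__main__":
    report = detect_device_code_abuse(SAMPLE_SIGNINS)
    for f in report["user_findings"]:
        print(f"[{f['severity']}] {f['user']} device-code sign-in from {f['ip']} ({f['app']}) at {f['time']}")
    for s in report["shared_ips"]:
        print(f"[infra] {s['ip']} redeemed device codes for {len(s['users'])} users: {', '.join(s['users'])}")
```

Device code sign-ins are legitimate for CLI tools on headless machines, so the low-severity findings are noise by design; the high-severity ones, and any single source IP redeeming codes for several users, are what to chase. Where the flow is not needed at all, the Conditional Access authentication flows condition can block it outright, which is cheaper than detecting it.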
-
OptinMonster Plugin Vulnerability Exposes 1.2 Million WordPress Sites to Cyberattacks
A large-scale supply chain attack targeting the popular OptinMonster WordPress plugin has exposed more than 1.2 million websites to active compromise. The campaign also affects… Go to gbhackers.com
-
Rhysida and Interlock Ransomware Groups Linked to Initial Access Brokers and Crypter Ecosystem
Rhysida and Interlock sit inside the same ransomware supply chain, but their latest observed behavior shows a more nuanced relationship than simple code reuse…. Go to gbhackers.com
-
Critical Fortinet FortiSandbox flaws now exploited in attacks
Attackers are now exploiting several critical vulnerabilities in Fortinet’s FortiSandbox cyber threat detection platform, according to threat intelligence company Defused. […] Sergiu Gatlan Go to bleepingcomputer
-
Windows version of SprySOCKS Linux malware used to attack govt orgs
Windows variants of the SprySOCKS Linux malware have been used in attacks targeting government organizations in at least four countries. […] Bill Toulas Go to bleepingcomputer
-
iRhythm discloses data breach, says hackers stole patient info
Digital healthcare company iRhythm Holdings has disclosed a data breach after hackers stole patients’ personal and health information stored on third-party-hosted business applications. […] Sergiu Gatlan Go to bleepingcomputer
-
DOJ seizes CFAKE, SOCFAKE deepfake nude sites under TAKE IT DOWN Act
The U.S. Department of Justice announced Friday that it has seized the CFAKE.com and SOCFAKE.com websites, which allegedly hosted nonconsensual AI-generated nude images and videos of women, in what appears to be the first publicly announced domain seizure under the TAKE IT DOWN…
-
SimpleHelp bug lets hackers create rogue remote support accounts
A vulnerability in the SimpleHelp remote management software allows unauthenticated attackers to create privileged technician accounts on servers using the OpenID Connect (OIDC) authentication protocol. […] Bill Toulas Go to bleepingcomputer
-
OptinMonster Plugin Hack Exposes 1.2 Million WordPress Sites to Cyberattack
A large-scale supply chain attack targeting widely used WordPress plugins has exposed more than 1.2 million websites to potential compromise after attackers injected malicious code into legitimate JavaScript files distributed through trusted CDN infrastructure. Security researchers at Sansec discovered an ongoing campaign targeting plugins developed…
-
Ransomware Ecosystem Consolidates Around LockBit Alumni, Qilin, Hyflock, and The Gentlemen
The global ransomware landscape shifted noticeably in the first quarter of 2026, as former operators from well-known criminal groups began launching their own competing programs. Data leak sites tracked 2,122 new victims during Q1 2026, making it the second-highest first-quarter total on record. Despite…
-
Hackers Abuse Legitimate RMM Tools in The Quarry IRS and SSA Phishing Campaigns
A wave of phishing campaigns targeting American taxpayers has been traced back to a single, highly organized cybercrime operation known as The Quarry. What appeared to be dozens of unrelated incidents impersonating the IRS, Social Security Administration, and platforms like DocuSign turned…
-
LiteSpeed cPanel Plugin 0-Day Vulnerability Actively Exploited in the Wild
A critical zero-day vulnerability in the LiteSpeed cPanel user-end plugin is being actively exploited in the wild, posing a serious threat to shared hosting environments worldwide. The flaw, tracked as CVE-2026-54420, enables privilege escalation to root level, allowing attackers to take full control of affected…
-
Cisco SD-WAN vManage Vulnerability Exploited in Zero-Day Attacks
Cisco has disclosed a critical security issue in its Catalyst SD-WAN Manager (formerly vManage) that is now being actively exploited in zero-day attacks, raising concerns for enterprise network environments worldwide. The vulnerability, tracked as CVE-2026-20262, is an arbitrary-file-write flaw in the web-based management interface. It carries a…
-
EvilTokens: A phishing attack that doesn’t steal your password
A phishing kit subverting Microsoft’s legitimate authentication flow lets attackers break into accounts without stealing passwords or creating fake login pages. Go to eset
-
Cisco Releases Security Updates for Actively Exploited SD-WAN Manager Flaw
Cisco has released security updates for a medium-severity security flaw in Catalyst SD-WAN Manager that has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-20262, carries a CVSS score of 6.5 out of 10.0. “A vulnerability in the web UI of Cisco…
-
CISA Flags LiteSpeed cPanel Plugin Flaw Exploited for Root Privilege Escalation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a security flaw impacting LiteSpeed cPanel Plugin to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by June 18, 2026. The vulnerability in question is…
-
Chinese Hackers Abused Google Workspace Rules to Steal Research and Defense Emails
A China-linked espionage group hid inside North American medical, academic, and military research networks for more than a year, quietly stealing sensitive research and defense email. The way in was a backdoor on their REDCap research servers that stole login credentials. The exfiltration…
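The snippet does not say which Workspace rules were abused, but server-side mail filters with a forward action are the usual tool for quietly copying a mailbox out of an organization, often paired with actions that archive or delete the matched messages so the owner never sees them. As an added example (not from the article or from Google), the Python below reviews a constructed set of filters shaped like the Gmail API users.settings.filters resource; the organization domain, the scoring weights and the threshold are assumptions for the example.

```python
"""Review Gmail filters for forward-and-hide exfiltration patterns."""

# Assumed for this example: the organization's own mail domains.
ORG_DOMAINS = {"example.edu"}

# Constructed filters shaped like Gmail API users.settings.filters resources
# (criteria.from/to/subject/query; action.addLabelIds/removeLabelIds/forward).
SAMPLE_FILTERS = [
    # Ordinary housekeeping: label a newsletter and skip the inbox.
    {"id": "f1", "criteria": {"from": "newsletter@example.edu"},
     "action": {"addLabelIds": ["Label_12"], "removeLabelIds": ["INBOX"]}},
    # Copies anything about grants off-domain and hides it from the owner.
    {"id": "f2", "criteria": {"query": "subject:(grant OR proposal OR export)"},
     "action": {"forward": "archive.sync@example-mail.net", "removeLabelIds": ["INBOX", "UNREAD"]}},
    # Internal forwarding: worth knowing about, not an exfiltration signal by itself.
    {"id": "f3", "criteria": {"to": "pi-lab@example.edu"},
     "action": {"forward": "backup@example.edu"}},
    # Silently deletes the account's own security notices.
    {"id": "f4", "criteria": {"from": "security-alerts@example.edu"},
     "action": {"addLabelIds": ["TRASH"]}},
]


def filter_risk(flt, org_domains=ORG_DOMAINS):
    """Score one filter; returns (score, reasons). Weights are assumptions."""
    action = flt.get("action", {})
    criteria = flt.get("criteria", {})
    score, reasons = 0, []

    forward = action.get("forward")
    if forward:
        domain = forward.rsplit("@", 1)[-1].lower()
        if domain in org_domains:
            score += 1
            reasons.append(f"forwards internally to {forward}")
        else:
            score += 3
            reasons.append(f"forwards to external address {forward}")

    hides = bool({"INBOX", "UNREAD"} & set(action.get("removeLabelIds", [])))
    deletes = "TRASH" in action.get("addLabelIds", [])
    if hides:
        score += 1
        reasons.append("removes matched mail from the inbox/unread view")
    if deletes:
        score += 1
        reasons.append("moves matched mail to trash")
        # Deleting security notices is a classic way to suppress alerts.
        if "security" in str(criteria).lower():
            score += 2
            reasons.append("criteria target security notifications")
    if forward and (hides or deletes):
        score += 1
        reasons.append("forward-and-hide pattern")
    return score, reasons


def review_filters(filters, threshold=3):
    """Return filters at or above the threshold, highest score first."""
    flagged = []
    for flt in filters:
        score, reasons = filter_risk(flt)
        if score >= threshold:
            flagged.append({"id": flt["id"], "score": score, "reasons": reasons})
    return sorted(flagged, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in review_filters(SAMPLE_FILTERS):
        print(f"{f['id']} (score {f['score']}): " + "; ".join(f["reasons"]))
```

In a real sweep the filter list comes from the Gmail API per mailbox (with domain-wide delegation), and the same questions apply to account-level forwarding addresses and to delegates: who receives copies, where, and whether the owner can see that it is happening.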
-
North Korean Hackers Are Turning Developer Tools Into Malware Delivery Channels
Cybersecurity researchers have flagged two malicious cyber campaigns that exhibit similarities with a persistent North Korean threat cluster known as Contagious Interview (aka Famous Chollima, HexagonalRodent, and Void Dokkaebi). According to a report published by Proofpoint, the threat actor has been found orchestrating phishing…
-
LiteLLM Vulnerability Chain Lets Low-Privilege Users Take Over AI Gateway Servers
A default low-privilege account on a LiteLLM proxy can climb to full admin and run code on the server by chaining three vulnerabilities, researchers at Obsidian Security disclosed. LiteLLM is a widely deployed open-source AI gateway that brokers calls to more than 100 model…
-
The FCC Wants to Eliminate Burner Phones
A proposed FCC rule would kill burner phones: phones whose accounts are not attached to a particular person. The FCC plans to do this by legally forcing the country’s telecoms to store a wealth of personal information about essentially all phone customers, including a government issued identification number…
-
ISC Stormcast For Tuesday, June 16th, 2026 https://isc.sans.edu/podcastdetail/9974, (Tue, Jun 16th)
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Go to isc.sans.edu
-
Evil MSI Background: BASE64 Statistical Analysis, (Mon, Jun 15th)
I like it when a fellow handler posts a diary entry about images with malicious content. Last one is Xavier: “The Evil MSI Background is Back!“. I like to have a go at the sample with my tools, and see if there are any improvements I…
-
Maine forced to take down data breach portal after fake notices filed with authorities
The US state of Maine has taken its public data breach notification portal offline after someone submitted fraudulent breach disclosures impersonating two well-known technology companies. Read more in my article on the Hot for Security blog. Graham Cluley Go to grahamcluley
-
Weekly Update 508
Light switches. How on earth is it so hard to find decent light switches?! It sounds ridiculous until you actually spend enough time looking for ones that meet two simple criteria: Aren’t stateful (switch is up or down, has to be push-button) Looks good Now, I’m conscious that this is also very…
-
Copilot ‘SearchLeak’ Attack Allows 1-Click Data Theft
The critical, three-stage attack is now patched, but it’s part of a new group of AI prompt-injection issues that use hidden URLs and other variables. Alexander Culafi Go to gbhackers.com
-
China-Nexus Actor Spied on US Researchers Undetected for a Year
Google discovered and disrupted the sprawling campaign, which stole REDCap credentials to target numerous institutions and exfiltrate sensitive data. Elizabeth Montalbano Go to gbhackers.com
-
The Beginning of the End of Social Engineering
AI-native operating systems are shifting the responsibility to stay vigilant against social engineering cyberattacks from the user onto the system itself. Arun Vishwanath Go to gbhackers.com
-
US Cracks Down on Anthropic AI Models Amid Abuse Concerns
Anthropic abruptly suspended all access to Fable 5 and Mythos 5 after receiving an export control directive that banned foreign nationals from using the AI models. Robert Lemos Go to gbhackers.com
-
New DPAPISnoop Tool Enables Extraction of CREDHIST Hashes From Windows Systems
A newly enhanced version of the open-source DPAPISnoop tool is drawing attention in the security community after researchers demonstrated its ability to extract offline-crackable… Go to gbhackers.com
-
SearchJack Adware Campaign Exposes 758,000 Users to Privacy and Phishing Risks
A coordinated campaign of 23 seemingly legitimate Chrome extensions tracked as “SearchJack” has quietly hijacked the default search settings of roughly 758,000 users, routing… Go to gbhackers.com
-
SHADOWBYT3$ Allegedly Claims Nintendo Breach and Theft of Sensitive Data
Threat intelligence sources have flagged a potential cybersecurity incident involving Nintendo after threat actor “SHADOWBYT3$” allegedly claimed responsibility for breaching internal systems and exfiltrating… Go to gbhackers.com
-
Palo Alto Warns GlobalProtect VPN Flaw Is Being Actively Exploited
Palo Alto Networks has issued an urgent warning after confirming active exploitation of a GlobalProtect VPN vulnerability, tracked as CVE-2026-0257, impacting PAN-OS deployments with… Go to gbhackers.com
-
PromptSnatcher Browser Extensions Abuse AI Platforms to Capture Full Chat Conversations
PromptSnatcher (internal identifier: Panel 231) is a modern, stealthy data collection operation embedded inside two browser extensions that masquerade as ad‑blockers while harvesting full… Go to gbhackers.com
-
FBI disrupts massive AI-powered phishing service using a million URLs
In a coordinated effort, the FBI, working with Google and Black Lotus Labs, has dismantled a massive Chinese phishing-as-a-service operation called Outsider Enterprise with thousands of phishing websites used to steal credit card data and passwords. […] Bill Toulas Go to bleepingcomputer
-
SecSuite – AI-powered Tool for OSINT, Web and API Security Testing
A new open-source security platform called SecSuite, developed under the TheSecuredAnalyst project, has been released, combining OSINT reconnaissance, web vulnerability scanning, API security assessment, compliance checking, and AI-powered analysis into a single unified toolkit. Available on GitHub at 53cur3dL34rn/security-suite, the tool targets security professionals, penetration testers, and red…
-
WinRAR Vulnerability Exploited by Russian Hackers to Deploy GIFTEDCROOK Stealer
Russian hackers are exploiting a known flaw in WinRAR to quietly steal passwords, session cookies, and sensitive files from Ukrainian organizations. The vulnerability, tracked as CVE-2025-8088, was patched in July 2025, yet multiple Russia-aligned groups are still weaponizing it nearly a year later. This proves…
-
Palo Alto Warns of GlobalProtect VPN Vulnerability Actively Exploited in the Wild
Palo Alto Networks Unit 42 has issued an urgent warning about active exploitation of CVE-2026-0257, a critical authentication bypass vulnerability affecting the GlobalProtect portal and gateway components of PAN-OS software. The flaw allows unauthenticated remote attackers to circumvent security controls and initiate unauthorized…
-
Threat Actor Malware Platform Exposed via Unlocked PHP Installation Page
A misconfigured PHP installation page exposed the internal infrastructure of a live malware distribution platform, allowing a security researcher to gain unintentional administrative access to a threat actor’s dashboard. What initially appeared to be a fake software download site turned out to be an active…
-
Criminal IP at Infosecurity Europe 2026: Introducing AITEM, the Next Chapter of Attack Surface Management
Torrance, United States / California, June 11th, 2026, CyberNewswire Criminal IP by AI SPERA, a cyber threat intelligence platform delivering decision-ready intelligence and attack surface visibility to security teams worldwide, participated in Infosecurity Europe 2026 at ExCeL London this week,…
-
Upcoming Speaking Engagements
This is a current list of where and when I am scheduled to speak: I’m giving a keynote at Cybernation 2026 in Berlin, Germany, on June 24, 2026. I’m speaking at the Potsdam Conference on National Cybersecurity at the Hasso Plattner Institut in Potsdam, Germany. The event runs June 24–25, 2026, and my…
-
ISC Stormcast For Monday, June 15th, 2026 https://isc.sans.edu/podcastdetail/9972, (Mon, Jun 15th)
Go to isc.sans.edu
-
Ex-school district employee jailed for hacks on former employer
A former IT employee at an Iowa school district was sentenced to 21 months in prison after conducting a prolonged cyberattack against the former employer that disrupted classroom operations, deleted accounts, and caused tens of thousands of dollars in damages. […] Lawrence Abrams Go to bleepingcomputer
-
Chinese hackers hijack auth flow, spy on isolated network for a decade
Chinese hackers took control of a target organization’s authentication stack and maintained persistence for 10 years, with full visibility into the administrative activity. […] Bill Toulas Go to bleepingcomputer
-
Maine Takes Data Breach Reporting Portal Offline After Fake VRChat and Discord Filings
The Office of the Maine Attorney General has temporarily taken its public-facing data breach reporting database offline after discovering that an unknown entity submitted fabricated breach notifications targeting two major online platforms, VRChat and Discord, in what officials are calling a deliberate…
-
152 Chrome Extensions Hide Ad Tracking and Fake Google Search Traffic
152 Chrome “live wallpaper” extensions on the Chrome Web Store have been caught secretly logging user data and faking Google “organic search” traffic to inflate ad revenue, despite promising they do not collect any data. This adware‑adjacent campaign abuses new‑tab extensions to launder extension‑generated…
-
New Agentjacking Attack Hijacks Your AI Coding Agent to Run Code From a Hacker’s Server
A new “Agentjacking” attack hijacks AI coding agents and silently executes attacker-controlled code on developer machines using nothing more than a single injected Sentry error. The technique turns trusted AI assistants like Claude Code and Cursor into an execution layer…
-
BugHunter – Bug Bounty Toolkit Powered by Claude and Free AI Providers
A new open-source bug bounty hunting toolkit called BugHunter, built on top of Anthropic’s Claude Code and now extended to support free AI providers like Ollama and Groq, is gaining traction in the security research community for automating the full vulnerability discovery and…
-
Splunk Enterprise Pre-Auth RCE Chain Exposes Database With Zero Authentication
A critical vulnerability chain in Splunk Enterprise has been disclosed, enabling unauthenticated attackers to achieve remote code execution (RCE) through a misconfigured PostgreSQL sidecar service. Tracked as CVE-2026-20253, the flaw has a CVSS score of 9.8 and affects Splunk Enterprise 10 and later. The issue…
-
Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication
Splunk has released security updates to address a critical security flaw in Splunk Enterprise that could be exploited to conduct unauthenticated file operations and even remote code execution. The vulnerability, tracked as CVE-2026-20253, is rated 9.8 on the CVSS scoring system. “In Splunk Enterprise versions…
-
New Agentjacking Attack Hijacks AI Coding Agents to Execute Malicious Code
A newly disclosed Agentjacking attack class can silently weaponize AI coding agents against the very developers who rely on them, requiring no phishing, no… Go to gbhackers.com
-
Critical Splunk Enterprise Pre-Auth RCE Chain Exposes Databases
A critical pre-authentication remote code execution (RCE) vulnerability in Splunk Enterprise has been disclosed, carrying a near-perfect CVSS score of 9.8. Tracked as CVE-2026-20253, the… Go to gbhackers.com
-
Anthropic Blocks Fable 5 and Mythos 5 Following U.S. National Security Directive
Anthropic has disabled all access to its Fable 5 and Mythos 5 artificial intelligence models following a sudden export-control directive from the United States… Go to gbhackers.com
-
Malicious 152 Chrome Extensions Caught Spoofing Google Organic Search Traffic
A massive, coordinated network of 152 malicious Google Chrome browser extensions has been dismantled after researchers caught the operation generating fake organic Google search… Go to gbhackers.com
-
GRU-Linked APT28 Uses MooBot Botnet and Compromised EdgeRouters for Cyber Operations
A notable operational pivot by the GRU-linked intrusion set APT28 (aka Fancy Bear, Sofacy, Forest Blizzard, Pawn Storm) that combines the MooBot botnet and… Go to gbhackers.com
-
US Gov asks Anthropic to ban ‘foreign national’ access to Fable, Mythos
The US government has ordered Anthropic to block all foreign nationals from accessing Fable 5 and Mythos 5, forcing the company to suspend both models worldwide. Anthropic is complying but disputes the basis, calling the cited jailbreak narrow and the capability widely available…
-
Maine disables data breach notification portal after fake disclosures
Maine has taken its public data breach reporting portal offline after fraudulent breach disclosures were published on the state’s website, prompting a review of procedures to prevent abuse in the future. […] Lawrence Abrams Go to bleepingcomputer
-
phpBB forum fixes auth bypass bug lurking for a decade
A 10-year-old authentication bypass vulnerability discovered in the phpBB forum software allows an attacker to log in as any user, including administrators. […] Bill Toulas Go to bleepingcomputer
-
Ukrainian national pleads guilty to role in Conti ransomware operation
A Ukrainian national extradited from Ireland to the United States last year has pleaded guilty to conspiracy charges tied to the Conti ransomware operation. […] Lawrence Abrams Go to bleepingcomputer
-
Over 400 Arch Linux packages compromised to push rootkit, infostealer
More than 400 packages in the Arch User Repository (AUR) are distributing a Linux rootkit and infostealer malware targeting credentials and access tokens. […] Bill Toulas Go to bleepingcomputer
-
Anthropic Fable 5 and Mythos 5 Access Blocked to All Users Following Government Directive
Anthropic has disabled its two most capable AI models, Fable 5 and Mythos 5, after the U.S. government issued an export control directive late on June 12 ordering the company to block access for any foreign national, whether inside or outside…
-
Fancy Bear Hackers Abuse EdgeRouters and Cloud Services to Launch Stealthy Cyberattacks
One of the most persistent hacking groups in the world has found a new way to stay hidden. The threat actor known as Fancy Bear, formally tracked as APT28 and attributed to Russia’s military intelligence unit GRU Unit 26165, has been quietly shifting…
-
Hackers Abuse Legitimate NinjaOne RMM Software to Bypass Traditional Malware Detection
A newly documented phishing campaign is using a legitimate remote management tool to silently take over victims’ computers, without deploying a single line of traditional malware. Researchers have uncovered an active operation targeting Brazilian organizations, where attackers trick employees into installing a real enterprise…
-
Malicious npm Campaign Steals SSH Keys, API Tokens, Cloud Credentials, and Wallet Secrets
A fresh wave of supply chain attacks is putting blockchain developers, Web3 teams, and cloud engineers at serious risk. Researchers have uncovered a coordinated campaign involving multiple malicious packages on the npm registry, each designed to quietly steal sensitive secrets the moment…
-
Hackers Use OnyxC2 Malware-as-a-Service to Steal Credentials From 210 Applications
A new and dangerous credential-stealing tool called OnyxC2 has emerged in the cybercrime underground, showing just how easy it has become for even low-skilled attackers to run a professional hacking operation. Sold as a complete package for $250 a month, the malware gives buyers everything…
-
U.S. Orders Anthropic to Suspend Fable 5 and Mythos 5 Access for Foreign Nationals
Anthropic said on Friday it will “abruptly disable” its most advanced artificial intelligence (AI) models, Claude Fable 5 and Mythos 5, for all users after the U.S. government ordered it to suspend access to the models for foreign nationals, whether inside…
-
Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit
Attackers took over more than 400 packages in the Arch User Repository (AUR) this week and rewrote their build scripts to install a credential stealer on any machine that built them. The malware is a Rust binary built to harvest developer secrets.…
-
Google Sues Chinese Smishing Network Accused of Using Gemini AI in Phishing
Google on Friday said it’s pursuing legal action against a Chinese cybercrime network, accusing it of using its Gemini artificial intelligence (AI) agent to send phishing text messages targeting Americans. The network is said to be behind the development and management of a…
-
China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade
Instead of hiding on the laptops and servers defenders watch most closely, a China-nexus group spent close to a decade hidden inside the Linux login system itself. Sygnia, which tracks the group as Velvet Ant, says it backdoored the PAM and OpenSSH components…
-
Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code
Cybersecurity researchers have described what they say is a new class of attack that can trick artificial intelligence (AI) coding agents into running arbitrary code on developer machines. Called Agentjacking by Tenet Security, the attack can be triggered by means of a fake error report…
-
Friday Squid Blogging: Squid-Inspired Fluid Pump
This fluid pump was inspired by the way squids propel themselves through the water. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Blog moderation policy. Bruce Schneier Go to bruce schneier
-
Bernie Sanders’ AI Sovereign Wealth Fund Plan
Let no one accuse Bernie Sanders of ducking the big questions. Writing in the New York Times last week, the senator asked: “Will the future of humanity be determined by a handful of billionaires who have promoted and developed AI, with virtually no democratic input, who stand to…
-
ISC Stormcast For Friday, June 12th, 2026 https://isc.sans.edu/podcastdetail/9970, (Fri, Jun 12th)
Go to isc.sans.edu
-
Privacy own-goal: World Cup blunder leaks Lionel Messi’s passport details
Argentina’s World Cup squad had their passport numbers leaked before a ball was kicked – not by hackers, but by someone who failed to redact a document properly. It’s a mistake that has been made many times in the past… Read more in my…
-
Silent Ransom Group: what you need to know
Most extortion gangs hide behind a keyboard. Silent Ransom Group will phone your staff pretending to be IT support – and if that fails, send someone to your office in person to plug in a USB stick. Read more in my article on the Fortra blog. Graham…
-
ShinyHunters Uses Oracle Zero-Day to Rampage Higher Ed
A major bug in Oracle’s ERP software disproportionately affected American universities, and hackers have capitalized by stealing gobs of data. Nate Nelson Go to gbhackers.com
-
Claude Fable 5 Doesn’t Change the Mythos Security Story
Stay cool: Mythos 5 is an upgrade over Mythos Preview while Fable 5 is Mythos “made safe for general use,” Anthropic explained. Alexander Culafi Go to gbhackers.com
-
Hackers Use Typosquatted npm Packages to Target Web3 Projects and Crypto Wallet Operators
Hackers have been using typosquatted npm packages to weaponize the trust Web3 teams place in open-source dependencies, turning routine installs into a path for… Go to gbhackers.com
-
Attackers Can Exploit Microsoft Outlook and Word Flaws to Run Malicious Code
Attackers Can Exploit Microsoft Outlook and Word Flaws to Run Malicious Code Microsoft has disclosed a set of critical remote code execution (RCE) vulnerabilities affecting Outlook and Word that could allow attackers to execute arbitrary code… Delivered by PolitePaul service Go to gbhackers.com
-
Palo Alto PAN-OS Flaw Lets Attackers Run Arbitrary Commands With Root Privileges
Palo Alto PAN-OS Flaw Lets Attackers Run Arbitrary Commands With Root Privileges Palo Alto Networks has released patches for three new PAN-OS vulnerabilities that could allow authenticated administrators or users to execute arbitrary commands with root… Delivered by PolitePaul service Go to gbhackers.com
-
OnyxC2 Stealer Uses Cloudflare-Fronted C2 to Exfiltrate Browser Data and Credentials
OnyxC2 Stealer Uses Cloudflare-Fronted C2 to Exfiltrate Browser Data and Credentials A new commercial-grade information stealer, marketed as OnyxC2, surfaced on cybercrime forums in early 2026 and demonstrates how commodity malware is increasingly packaged as… Delivered by PolitePaul service Go to gbhackers.com
-
Tchap Messenger Hack Exposes Data of Over 73,000 French Government Employees
Tchap Messenger Hack Exposes Data of Over 73,000 French Government Employees A suspected cyberattack targeting Tchap, the secure messaging platform used by French government agencies, has reportedly exposed sensitive data belonging to more than 73,000… Delivered by PolitePaul service Go to gbhackers.com
-
CISA orders feds to patch actively exploited Ivanti flaw by Sunday
CISA orders feds to patch actively exploited Ivanti flaw by Sunday The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered government agencies to patch an actively exploited Ivanti Sentry flaw within three days, as mandated by the newly issued Binding Operational Directive (BOD) 26-04. […] Sergiu Gatlan Go to bleepingcomputer
-
Over 73,000 French govt employees affected in Tchap messenger breach
Over 73,000 French govt employees affected in Tchap messenger breach The French government revealed that a recent breach of its Tchap encrypted messaging platform affects the accounts of over 73,000 employees in the French public sector. […] Sergiu Gatlan Go to bleepingcomputer
-
Japanese energy firm loses drive with data of 10.9 million clients
Japanese energy firm loses drive with data of 10.9 million clients Kyushu Electric Power Co., Inc. has disclosed a physical security incident that affects private data of more than 10 million customers. […] Bill Toulas Go to bleepingcomputer
-
Maine breach portal abused to publish fake data breach disclosures
Maine breach portal abused to publish fake data breach disclosures In an unusual misinformation campaign, fraudulent data breach disclosures were submitted to Maine’s official breach portal and publicly posted before their legitimacy could be verified, prompting companies to deny the claims. […] Bill Toulas Go to bleepingcomputer
-
Oracle mitigates PeopleSoft zero-day exploited in data theft attacks
Oracle mitigates PeopleSoft zero-day exploited in data theft attacks Oracle is warning about a critical PeopleSoft Suite zero-day vulnerability tracked as CVE-2026-35273 that allows unauthenticated remote code execution, with the flaw actively exploited in ShinyHunter data theft attacks. […] Lawrence Abrams Go to bleepingcomputer
-
Microsoft Outlook and Word Vulnerabilities Allow Attackers to Execute Malicious Code
Microsoft Outlook and Word Vulnerabilities Allow Attackers to Execute Malicious Code Microsoft released critical fixes for three closely related remote code execution (RCE) vulnerabilities in Microsoft Outlook and Word that stem from low‑level memory‑safety flaws in the Word rendering engine and its integration with Outlook Classic. These bugs, tracked as CVE‑2026‑45456, CVE‑2026‑45458, and CVE‑2026‑47635, are…
-
Palo Alto PAN-OS Vulnerability Allows Attackers to Execute Arbitrary Commands as Root User
Palo Alto PAN-OS Vulnerability Allows Attackers to Execute Arbitrary Commands as Root User Palo Alto Networks fixed a new command injection vulnerability in PAN‑OS (CVE-2026-0273) that allows authenticated administrators to execute arbitrary commands as root via the CLI or web management interface. Two related medium‑severity issues in the same advisory window cover CLI privilege escalation…
-
Google Patches 28 Chrome Vulnerabilities that Allow Attackers to Execute Malicious Code
Google Patches 28 Chrome Vulnerabilities that Allow Attackers to Execute Malicious Code Google has released a new Chrome security update addressing 28 vulnerabilities, including several critical flaws that could allow attackers to execute malicious code on affected systems. The latest Stable channel update upgrades Chrome to version 149.0.7827.114/.115 on Windows and macOS, and to 149.0.7827.114…
-
Microsoft Teams for Android Vulnerability Allows Attackers to Disclose Sensitive Data
Microsoft Teams for Android Vulnerability Allows Attackers to Disclose Sensitive Data Microsoft has disclosed a significant security vulnerability in Microsoft Teams for Android that could allow an authenticated attacker to expose sensitive information over a network. The flaw, tracked as CVE-2026-42835, was officially released on June 9, 2026, and has been rated Important in severity.…
-
Oracle PeopleSoft 0-Day RCE Vulnerability Exploited in Attacks by ShinyHunters
Oracle PeopleSoft 0-Day RCE Vulnerability Exploited in Attacks by ShinyHunters Mandiant and Google Threat Intelligence Group (GTIG) have issued a critical warning after identifying an active compromise-and-extortion campaign targeting Oracle PeopleSoft infrastructure, attributed to the notorious threat actor UNC6240, also known as ShinyHunters. The campaign exploited CVE-2026-35273, a critical unauthenticated remote code execution (RCE) vulnerability…
-
OceanLotus: From external espionage to domestic targeting
OceanLotus: From external espionage to domestic targeting A shift in operational pattern of the infamous Vietnam-aligned APT group Go to eset
-
ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities
ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities The ShinyHunters extortion crew exploited an unpatched flaw in Oracle PeopleSoft to break into enterprise systems, steal data, and demand payment to keep it private. The campaign hit universities hardest. Google’s Mandiant attributes it to the group it tracks as UNC6240, and dates the activity between…
-
New Attacks Trick OpenClaw AI Agent Into Running Code and Leaking Secrets
New Attacks Trick OpenClaw AI Agent Into Running Code and Leaking Secrets Two security teams have shown, in separate research published this week, that OpenClaw, the popular self-hosted AI agent, can be driven to run attacker-controlled code or hand over sensitive data through ordinary-looking inputs. Imperva buried instructions inside shared contacts, vCards, and location pins…
-
New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files
New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files Security researcher Chaotic Eclipse (aka Nightmare-Eclipse and MSNightmare) has released a new Windows BitLocker bypass dubbed GreatXML, a day after they published an exploit for Microsoft Defender. “This was an accidental discovery, it took a total of 4 hours to find this,” the researcher…
-
The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm
The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm A new analysis of The Gentlemen operation has revealed that the financially motivated threat group initially operated as an affiliate responsible for conducting double extortion attacks, while leveraging resources from various ransomware-as-a-service (RaaS) schemes like LockBit (aka Tenacious Mantis), Qilin (aka Pestilent Mantis), and…
-
Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories
Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories Most good security work is invisible by design. Today is the exception. The 2026 Cybersecurity Stars Awards winners are announced across 95 subcategories in four main award categories. The reason is simple. Cybersecurity is full of work that deserves recognition and rarely gets it. Products that…