Hot
3H ago
6 sources
More than 30 npm packages in Red Hat's @redhat-cloud-services namespace were compromised and used to deliver credential-stealing malware to developers who installed them. Researchers say attackers likely took over a Red Hat employee GitHub account, added malicious GitHub Actions workflows, and abused npm trusted publishing to release 96 backdoored package versions. The malware, a new Shai-Hulud variant dubbed Miasma, targeted GitHub Actions secrets, cloud credentials, SSH keys, package publishing tokens, Vault tokens, Kubernetes service-account tokens, Docker credentials, GPG keys, and .env files.
— Developers and organizations that installed the affected packages may have had sensitive keys and tokens stolen, which can lead to wider compromise of code, cloud systems, and build pipelines. This is urgent: identify affected installs, remove the packages, and rotate all credentials and secrets that were present on impacted machines or CI/CD systems.
Sources: Red Hat npm packages compromised to steal developer credentials, Shai-Hulud malware worms Red Hat npm package versions downloaded 80K times a week, Supply Chain Attack Hits 32 Red Hat NPM Packages (+3 more)
Hot
3H ago
5 sources
GitHub disabled more than 70 Microsoft repositories after attackers allegedly used a compromised contributor account to push malicious commits into projects including Azure/durabletask and Azure/functions-action. StepSecurity says the Miasma worm planted configuration files that could trigger remote code execution when a developer opened the repository in an integrated development environment or AI coding tool such as Claude Code, Gemini CLI, or Cursor, and the takedowns disrupted workflows that depended on Azure/functions-action@v1.
— This affects developers and organizations that rely on Microsoft's open-source Azure tooling, with both supply-chain risk and immediate build-pipeline disruption. Teams using the affected repositories should review recent commits, rotate contributor and automation tokens, check developer machines for malicious config execution, and verify dependencies before restoring pipelines.
Sources: GitHub nukes 70+ Microsoft repos, breaks CI/CD pipelines, following suspected worm infections, Over 100 NPM, PyPI Packages Hit in New Shai-Hulud Supply Chain Attacks, GitHub disables Microsoft repos pushing password-stealing malware (+2 more)
New
3H ago
3 sources
Attackers compromised 19 Python packages on PyPI, including popular science and bioinformatics tools, and planted malware that can steal secrets from developer machines and continuous integration systems. Socket linked the activity to the broader Shai-Hulud campaign and said 37 malicious releases used executable .pth startup hooks to trigger code when Python starts, then fetched the Bun JavaScript runtime to run an obfuscated payload that targeted GitHub, npm, PyPI, AWS, GCP, Azure, Kubernetes, SSH, Docker, Vault, and Claude/MCP credentials.
— Developers, researchers, and organizations using these packages may have had passwords, tokens, and cloud keys stolen without obvious signs. Anyone who installed affected versions should treat the environment as compromised, rotate secrets, and rebuild from known-good backups.
Sources: New Shai-Hulud attack trojanizes 19 science-focused PyPI packages, Over 100 NPM, PyPI Packages Hit in New Shai-Hulud Supply Chain Attacks, The ‘Miasma’ worm source code briefly leaked on GitHub
New
5H ago
2 sources
A security researcher published a new Windows zero-day exploit that can give an attacker full SYSTEM privileges on fully patched consumer PCs. The proof-of-concept, dubbed RoguePlanet, abuses a race condition in Microsoft Defender to achieve local privilege escalation on Windows 10 and Windows 11 systems with June 2026 updates installed; the researcher says earlier versions also enabled remote code execution through malicious .vhd(x) files on remote SMB shares and BitLocker bypass paths, but the currently released exploit is validated primarily as local escalation and reportedly does not yet work on Windows Server.
— This matters because a public exploit can help malware or intruders turn limited access on a Windows machine into full control even after current patches are installed. Organizations should watch for Microsoft guidance, restrict untrusted SMB and disk-image handling where possible, and prioritize detection for SYSTEM-level escalation from Defender-related activity.
Sources: New Windows Zero-Day Exploit ‘RoguePlanet’ Released, Angry bug hunter with Microsoft beef drops new Windows 0-day
New
7H ago
2 sources
Researchers say the China-linked JDY botnet has grown to more than 1,500 compromised small-office/home-office and internet-connected devices and is increasingly used to probe U.S. military and related networks. Black Lotus Labs says JDY is tied to China-nexus activity previously associated with Volt Typhoon and is used for distributed scanning, banner grabbing, TLS certificate collection, and fingerprinting to find vulnerable systems soon after flaws are disclosed, including scans for FortiClient EMS bug CVE-2026-35616. The botnet uses infected routers and IoT devices from vendors including Cisco, Ubiquiti, DrayTek, Hikvision, Linksys, Araknis, and Mimosa, with command-and-control routed through Tor hidden services.
— This matters because compromised routers and IoT gear are being used to quietly map weak points in networks tied to sensitive U.S. targets, helping follow-on intrusions. Organizations should patch exposed network devices quickly, reduce internet-facing services, and watch for scanning and unusual activity from SOHO and IoT infrastructure.
Sources: China-linked JDY botnet expands targeting of U.S. military networks, China-Linked JDY Botnet Expands to 1,500+ Devices for Cyber Reconnaissance
1D ago
1 source
Hackers posing as women seeking relationships or volunteers offering help tricked Russian military personnel into installing spyware or surrendering their Telegram accounts. Researchers at F6 say the previously undocumented SiribClone group has operated since at least summer 2025, targeting troops in border regions and combat zones with Android spyware dubbed SafeLoveStealer, desktop malware called SiribGrabber, and phishing sites masquerading as Telegram logins, invite pages, medical portals, and other services to steal messages, files, location data, and microphone audio.
— This is an active espionage campaign aimed at people in combat zones and shows how romance lures and fake support offers can turn personal chats into battlefield surveillance. Anyone in sensitive roles should treat unsolicited Telegram contacts, app downloads, and login pages as high risk, avoid sideloading apps, and use phishing-resistant account protections where possible.
Sources: Hackers pose as women seeking romance to spy on Russian soldiers
1D ago
4 sources
Researchers say multiple criminal groups have built fake FIFA websites to steal World Cup fans’ passwords, payment details, and money through bogus ticket sales. Group-IB identified four separate campaigns since August 2025, including a Chinese-speaking operation it calls GHOST STADIUM that uses more than 300 active lookalike domains and roughly 3,800 dormant ones. The phishing kit closely copies FIFA’s login flow, can trigger password-reset steps to lock victims out, and is being promoted through Facebook ads offering unrealistically cheap tickets.
— Fans trying to buy 2026 World Cup tickets could lose their accounts, have legitimate tickets resold, or pay scammers for fake seats. Users should only type fifa.com directly into their browser, avoid ad-linked ticket offers, and treat lookalike FIFA domains as suspicious.
Sources: Chinese-speaking fraud gang could be stealing millions from 2026 World Cup fans, FBI warns of fake FIFA websites running World Cup fraud schemes, In Other News: Trump Mobile Data Breach, FIFA World Cup Phishing, CISA Responds to Supply Chain Attacks (+1 more)
2D ago
1 source
A likely North Korean-linked group sent more than 250 fake job and code-review emails to developers at nearly 100 organizations, mainly in the United States, to steal login credentials and cryptocurrency wallets. Proofpoint tracks the activity as UNK_DeadDrop and says the attackers used spoofed company brands and attacker-controlled GitHub repositories posing as coding tests or crypto projects; victims were told to clone and open the repos in tools such as Visual Studio Code or Cursor, triggering cross-platform malware on macOS, Linux, and Windows.
— Developers and the companies that employ them are the direct targets, and a single successful lure can expose source code, cloud access, and crypto assets. Organizations should warn staff about unsolicited recruiting emails, scrutinize GitHub-based coding tests, and isolate or block unknown repositories and scripts.
Sources: Norks blast 250+ fake job offers to developers over 6 weeks to try and snarf creds and crypto
2D ago
1 source
Attackers are tricking bank customers into installing fake Android banking app updates from GitHub so they can steal card data and PINs. D3Lab says newer NFCShare variants, seen since May 14, target banks mainly in Italy and Spain after victims visit phishing sites impersonating real banks. The malware abuses near-field communication (NFC) on Android to read card details via IsoDep and EMV commands, then sends the data to command-and-control servers over WebSocket.
— This can lead directly to payment-card fraud because victims are persuaded to hand over both card details and their PIN during a fake security check. Android users should only install banking apps from Google Play and treat any request to scan a bank card with their phone or sideload an update from GitHub as suspicious.
Sources: NFCShare Android malware spreads via fake banking app updates on GitHub
2D ago
5 sources
Researchers say a compromised npm maintainer account ('atool') was used to publish hundreds of malicious package versions across the @antv namespace, including widely used downstream packages such as echarts-for-react and timeago.js. The payload steals GitHub Actions secrets and credentials from cloud, Kubernetes, Vault, wallet, and developer-tool paths, exfiltrates data via GitHub and fallback infrastructure, and can republish tampered packages using stolen npm tokens. Reports also link the campaign to malicious PyPI uploads, a compromised GitHub Action, and a VS Code extension.
— This is a high-impact ecosystem compromise with downstream risk to developer workstations, CI environments, and software consumers through trusted package updates. Defenders should immediately identify affected package versions, rotate exposed secrets and npm tokens, review CI runners and GitHub repositories for exfiltration, and block known malicious artifacts.
Sources: Over 320 NPM Packages Hit by Fresh Mini Shai-Hulud Supply Chain Attack, Shai-Hulud copycat worm infects yet another npm package, TanStack weighs invitation-only pull requests after supply chain attack (+2 more)
3D ago
1 source
A new botnet called C0XMO is infecting DD-WRT routers and other internet-connected devices so they can be used in denial-of-service attacks. Fortinet says the malware exploits CVE-2021-27137, an unauthenticated buffer overflow in DD-WRT, and also brute-forces Telnet and SSH logins while carrying binaries for multiple CPU architectures including ARM, MIPS, PowerPC, x86, and x86_64. The botnet establishes persistence with cron jobs and startup-file changes, then removes rival malware and tooling from infected systems.
— Organizations and users with exposed routers, DVRs, and similar devices may be silently pulled into a botnet and used in attacks. Patch affected firmware where available, disable unnecessary remote administration, and change weak or reused device credentials immediately.
Sources: C0XMO botnet spreads via DD-WRT router flaw, kills rival malware
5D ago
1 source
A China-linked espionage group kept access to a victim organization and its managed services provider for at least 18 months, using multiple backdoors to return even after cleanup. Volexity says UNC5221, also tracked as VerdantBamboo, used Brickstorm on Egnyte Storage Sync, pfSense, Synology NAS and a retired Linux email server, then used Plenet (also called Grimbolt) and AgentPSD to maintain persistence and reach the victim’s Microsoft 365 environment through stolen credentials and SSL VPN access. No new CVE is named in this report.
— Organizations using Microsoft 365, MSPs, and internet-facing edge devices should treat this as a reminder that sophisticated attackers can survive remediation and re-enter through trusted providers. Review VPN and firewall changes, hunt for Brickstorm/Plenet/AgentPSD, audit MSP access paths, and rotate credentials and tokens tied to compromised systems.
Sources: Chinese APT deploys new malware to keep access to hacked networks
5D ago
2 sources
Attackers are tricking people looking for popular PC utilities into installing malware that secretly uses their graphics cards to mine cryptocurrency. Microsoft says the campaign uses search-engine optimization (SEO) poisoning and, in some cases, attacker-controlled links surfaced in AI chatbot responses for tools such as CrystalDiskInfo, HWMonitor, FurMark, K-Lite Codec Pack, PDFgear, and Display Driver Uninstaller. The fake downloads bundle a legitimate program with a malicious dynamic-link library (DLL), install ScreenConnect for remote access, add multiple Windows persistence mechanisms, evade Microsoft Defender, and then deploy GPU miners including gminer, lolMiner, and SRBMiner-MULTI.
— This campaign targets owners of powerful Windows systems and can leave victims with both hijacked hardware and a remote-access backdoor for follow-on attacks. Users and defenders should avoid downloading software from AI-generated or unfamiliar links, verify vendor domains, and hunt for the listed indicators of compromise and unauthorized ScreenConnect installs.
Sources: GPU mining malware spreads via SEO poisoning, AI chatbots, In Other News: Anthropic Maps AI Threats, Unpatched Comodo Flaw, Palantir Chief Eyed for CISA
5D ago
2 sources
Sophos says it found a ransomware attack toolkit in a customer environment that was built with help from AI coding agents and used to hide from security software and map a victim's Windows network. The framework included Cobalt Strike traffic-masking profiles, Telegram-based command and control, a Cloudflare Worker redirector, and Python tools that generated Rust and Go payloads for evasion and execution. Sophos found operator logs referencing a ransom note and organizations listed on a ransomware leak site, indicating criminal use rather than legitimate red-team testing.
— This shows AI tools are being used to speed up real ransomware tradecraft, especially defense evasion and internal network discovery. Defenders should review detections for Telegram and Cloudflare-backed command channels, unusual payload loaders, and suspicious Active Directory reconnaissance, and treat AI-assisted malware development as an operational threat rather than a theory.
Sources: AI-built ransomware toolkit automates EDR evasion, AD discovery, In Other News: Anthropic Maps AI Threats, Unpatched Comodo Flaw, Palantir Chief Eyed for CISA
5D ago
2 sources
Hola says its Windows browser installer was compromised and, in some cases, delivered hidden mining malware to users. AppEsteem certification checks and analysis by Sophos found an undeclared executable, 'me.exe,' installed under the Hola program folder; the binary was unsigned, obfuscated, added a Microsoft Defender exclusion, copied itself as 'HolaMonitorService.exe,' created the 'hola_monitor_svc' Windows service for persistence, and appeared to mine Monero when the PC was idle. Hola said about 0.1% of users were affected and that it rebuilt its distribution pipeline after separately confirming the compromise with Sygnia.
— People who installed Hola Browser on Windows may have unknowingly run malware that abuses their computer for cryptocurrency mining and weakens local defenses. Affected users and admins should treat this as urgent: verify installations, look for the named files and service, remove Hola if necessary, and reinstall only from a trusted, verified build.
Sources: Hola Browser for Windows compromised to deliver cryptominer, In Other News: Anthropic Maps AI Threats, Unpatched Comodo Flaw, Palantir Chief Eyed for CISA
6D ago
1 source
Researchers say a new Magecart card-skimming campaign is stealing shoppers’ payment details from compromised online stores and hiding both its malware and stolen data inside trusted Google Tag Manager and Stripe services. Sansec says the skimmer targets Magento and Adobe Commerce checkout pages, pulls JavaScript from a Google Tag Manager container, retrieves payload code from Stripe customer metadata tied to customer ID cus_TfFjAAZQNOYENR, and exfiltrates stolen card, billing, email, and phone data by creating fake Stripe customer records; a variant uses Google Firestore instead of Stripe. The Stripe record was reportedly created on December 24, 2025, suggesting the campaign may have been active for months.
— This matters because stores may allow traffic to Google Tag Manager and Stripe by default, letting the skimmer blend in and evade common security controls while stealing card data from real customers. Online retailers using Magento or Adobe Commerce should urgently inspect GTM containers, Stripe API activity, and checkout-page scripts for unauthorized changes.
Sources: Credit card theft campaign abuses Stripe to host stolen payment info
6D ago
1 source
Attackers uploaded 36 malicious npm packages carrying a new malware strain called IronWorm, putting developers and continuous integration systems at risk if they installed the poisoned versions. JFrog says the Rust-based malware steals 86 environment variables and 20 credential-file types, including AWS, OpenAI, Anthropic, npm, SSH, vault, and crypto-wallet data; it was first linked to the compromised npm account 'asteroiddao' and can self-propagate by abusing stolen npm publishing and Trusted Publishing secrets to push trojanized package updates.
— This can spread from one compromised developer or build system into many other packages and organizations, making it a high-priority software supply-chain threat. Developers and defenders should identify any affected package versions, upgrade to clean releases, rotate exposed credentials, review GitHub Actions and npm publishing tokens, and enforce two-factor authentication.
Sources: New IronWorm malware hits 36 packages in npm supply-chain attack
6D ago
3 sources
A Chinese-speaking cybercrime group is using new malware and localized phishing messages to break into organizations in Europe and beyond. Proofpoint says TA4922, linked to activity overlaps with Silver Fox and Void Arachne, has targeted entities in Germany, Italy, the United Kingdom, South Africa, and parts of Southeast Asia since March 2026 using payroll, tax, VAT, invoice, and HR lures sent by email and messaging apps including WhatsApp, LINE, and Microsoft Teams. The campaigns deploy Atlas RAT, RomulusLoader, SilentRunLoader, and Winos4.0/ValleyRAT for remote access, file theft, credential theft, keylogging, screenshots, and webcam or audio capture.
— Organizations in the targeted regions should treat this as an active intrusion and phishing threat, especially finance, HR, and compliance teams that may receive convincing local-language messages. Defenders should hunt for the named malware families and remote-management tools, tighten phishing controls, and warn staff to verify unexpected payroll, tax, invoice, or compliance messages across email and chat platforms.
Sources: Chinese hackers use new Atlas RAT malware in European cyberattacks, Chinese Cybercrime Group in Spotlight for Record Campaign Pace, China-Linked TA4922 Expands Phishing Attacks to UK, Germany, Italy, and South Africa
6D ago
2 sources
Hackers secretly monitored and stole email data from a senior executive at a major global stock exchange for about five months. Broadcom’s Symantec and Carbon Black teams said the intrusion began in October 2025 and lasted until March 2026, with malware on the victim’s device disguised as Adobe and OneDrive software, scheduled-task persistence masked as Adobe, Lenovo, and OneDrive services, and exfiltration of Outlook mailbox data in small archives via Dropbox and OneDrive. The initial access method and the victim exchange were not disclosed, but investigators published indicators of compromise.
— This is a high-impact espionage case because a stock exchange executive’s mailbox can expose market-moving information, internal deliberations, contacts, and travel details. Financial institutions and other high-value targets should hunt for the published indicators, review executive mailbox and endpoint activity, and scrutinize cloud-storage exfiltration and suspicious scheduled tasks.
Sources: Hackers Target Global Stock Exchange in Espionage Operation, Hackers Spied on a Stock Exchange Executive's Outlook Mailbox for Five Months
7D ago
1 source
Police in Europe and the United States say they broke up nine organized crime groups running illegal streaming services and arrested 29 suspects. The seven-month Operation KRATOS 2, led by Bulgaria with Europol support, involved 13 countries and led to the removal of more than 27,000 illegal streaming URLs, identification of 18,000 IP addresses tied to illegal services, 4,370 piracy-linked domains, nearly 400,000 additional URLs flagged for suspension, and 126,000 infringing objects. Investigators say the operators split public-facing sites from backend hosting across jurisdictions to evade takedowns.
— People using pirate streaming services are not just risking copyright trouble; Europol says these platforms can also expose users to malware, spyware, and theft of personal data. The story matters because it shows the scale and international reach of the criminal infrastructure behind these services, and affected users should avoid such platforms and check devices for suspicious software if they used them.
Sources: Police dismantles 9 crime groups in illegal streaming crackdown
8D ago
2 sources
A large malware campaign has infected more than 116,000 computers by tricking Minecraft players into downloading booby-trapped mods, cheat clients, and utilities. McAfee says the WeedHack operation has been active since January 2026, spreads via YouTube links and search-result manipulation, and uses thousands of malicious Java archive (JAR) files. The malware steals browser passwords and cookies, Minecraft session IDs, Discord, Steam and Telegram credentials, and crypto-wallet data, while paid tiers add remote-control features such as keylogging, webcam access, shell access, and file management.
— This is a broad consumer-focused infostealer campaign hitting gamers at scale, with stolen passwords, session tokens, and wallet data creating immediate account-takeover and financial risk. Minecraft players and parents should avoid unofficial mod download sites, remove suspicious JAR files, run antivirus scans, and reset passwords for any accounts used on affected devices.
Sources: Over 116,000 Mincraft systems infected in WeedHack malware campaign, Over 116,000 Minecraft systems infected in WeedHack malware campaign
9D ago
1 source
A threat actor called DriveSurge has compromised thousands of real websites and is using them to redirect visitors into malware traps. Silent Push says the actor operates as an initial access broker, using the zTDS traffic distribution system to decide whether each visitor sees a ClickFix lure that tricks them into running malicious PowerShell commands or a FakeUpdate page posing as browser updates for Chrome, Firefox, Edge, Safari and others; researchers also found macOS-targeting JavaScript and more than 80 malicious injection domains.
— People can get infected just by visiting a legitimate site that has been silently hijacked, so the risk extends beyond obviously shady pages. Organizations should hunt for the identified JavaScript injection patterns and domains, and users should only update browsers through the built-in updater and never paste commands from pop-ups into Terminal or PowerShell.
Sources: Hackers hijack thousands of sites for ClickFix and FakeUpdate attacks
9D ago
3 sources
Dutch police say they helped dismantle a botnet made up of at least 17 million compromised devices, with 200 supporting servers traced to the Netherlands and seized or shut down with help from a hosting provider. Authorities and NCSC-NL did not name the botnet or specify the exact malware family, but said affected devices likely included poorly secured routers, mobile devices, and Internet of Things hardware commonly abused for phishing, distributed denial-of-service attacks, and online fraud.
— A botnet this large can be used to hide attacks, knock services offline, and abuse ordinary people's devices without their knowledge. Users and organizations should check internet-connected devices for updates, replace default passwords, and avoid unofficial app sources while defenders watch for follow-on indicators once police release more details.
Sources: Dutch cops wrest 17M devices from mystery botnet's clutches, Dutch govt disrupts malware botnet with 17 million infected devices, Dutch Police Dismantle Massive 17-Million-Device Botnet
9D ago
1 source
A long-running malware campaign infected about 1,980 WordPress websites and hid its command-and-control data inside Steam Community profile comments. GoDaddy says the malware, tracked since July 2025, uses invisible Unicode characters in Steam comments to encode a payload that builds a hello-mywordl[.]info URL, then injects JavaScript disguised as common libraries and installs a PHP backdoor that executes code sent in specially crafted POST requests with a specific cookie. The initial compromise route is unknown but may involve stolen WordPress or FTP credentials, vulnerable themes or plugins, or a supply-chain compromise.
— WordPress site owners and hosting teams should treat this as an active website compromise, not just a nuisance script, because it includes a persistent backdoor that can reinfect a site if cleanup is incomplete. Check for outbound requests to Steam from WordPress servers, suspicious JavaScript injections, and restore from a known-good backup where possible.
Sources: WordPress malware campaign hides payloads in Steam profiles
10D ago
1 source
Afghan Ministry of Finance and provincial government officials were targeted in a phishing campaign that installed remote-access malware on victims' computers. Seqrite attributed the activity with medium-to-high confidence to the Pakistan-linked SideCopy group, which used Pashto-language lure documents inside ZIP archives and delivered them through compromised Afghan government server infrastructure; opening the file installed XenoRAT, a remote access trojan, which then contacted attacker-controlled servers in Europe.
— This matters because it shows a suspected state-linked espionage operation aimed at government financial and provincial officials, using trusted local-language lures and compromised government infrastructure to improve success. Afghan public-sector defenders should investigate suspicious ZIP attachments, review access to government-hosted domains, and hunt for XenoRAT-related activity.
Sources: Afghan finance officials targeted by suspected Pakistani cyberespionage campaign
12D ago
1 source
A single attacker published 14 malicious npm packages that pretended to be OpenSearch, Elasticsearch, and related developer tools, putting developers and build systems at risk of secret theft. Microsoft said the packages were uploaded under the alias "vpmdhaj" and used typosquatting, spoofed metadata, and inflated version numbers; on install, preinstall hooks fetched a second-stage credential harvester targeting Amazon Web Services, HashiCorp Vault, GitHub Actions, and npm tokens. The packages were removed after publication.
— Anyone who installed or built these packages may have exposed credentials that can be reused to access cloud accounts, code pipelines, and package publishing systems. Organizations should identify affected installs from May 28 onward, rotate AWS Identity and Access Management or Security Token Service credentials, Vault tokens, npm publish tokens, and GitHub Actions secrets, and review for follow-on compromise.
Sources: Lone attacker published 14 malicious npm packages mimicking popular OpenSearch, Elasticsearch libraries
12D ago
1 source
Attackers are using legitimate ChatGPT share links to show fake OpenAI outage notices that tell people to download a bogus ChatGPT desktop app. Push Security says the LLMShare campaign buys Google ads for ChatGPT searches, serves the lure from chatgpt.com/s/ pages rendered with custom HTML and CSS inside ChatGPT, then redirects victims to openew[.]app, which offers cloaked Windows and macOS malware downloads; the Windows sample checks whether it is running on a real device or a virtual machine.
— This matters because the scam is hosted partly on a real OpenAI domain, making it more convincing to ordinary users and harder for defenders to spot. Users should avoid sponsored results for AI tools and download apps only from the official vendor site or app store, and security teams should monitor for chatgpt.com share-link abuse and block the impersonation domain.
Sources: ChatGPT share links abused to host fake outage pages to deliver malware
12D ago
3 sources
Researchers say a previously undocumented Russia-linked group called GreyVibe has targeted Ukrainian military, government, civilian, and business organizations since August 2025. WithSecure says the actor used at least six spear-phishing campaigns, fake adult-club websites, Telegram and dating-site lures, and file-sharing links to deliver PhantomRelay and LegionRelay malware on Windows and Fallspy on Android; the report also says the group used ChatGPT, Gemini, Ideogram, and other generative artificial intelligence tools across lure creation, malware development, obfuscation, and post-compromise tooling.
— This matters because it describes an active espionage-focused campaign against Ukrainian targets and shows how lower-sophistication operators can use generative artificial intelligence to scale convincing phishing and malware operations. Organizations supporting Ukraine should review indicators, harden email and mobile defenses, and warn users about archive-based lures, fake personas, and links delivered over chat and dating platforms.
Sources: Russia-Linked ‘GreyVibe’ Attackers Use AI to Supercharge Cyberattacks, GreyVibe hackers use ChatGPT, Gemini to power cyberattacks, Russia-linked threat group put ChatGPT to work from lure to payload
13D ago
2 sources
A newly highlighted Android malware family called BTMOB can give criminals broad control over infected phones, including stealing data and taking over the device. ESET says the remote access trojan (RAT) is spread through phishing pages and fake app stores, abuses Android Accessibility Services to gain elevated privileges, and is sold with an APK-building kit that lets buyers customize lures by country and brand. The campaign has mainly been observed in Latin America.
— This is more serious than a typical banking trojan because it can turn an Android phone into a remotely controlled spying and theft tool. Android users should avoid app downloads from links in messages or fake stores, and defenders should watch for phishing infrastructure and abuse of Accessibility permissions.
Sources: New BTMOB Android Malware Enables Full Device Takeover, BTMOB Android malware service generates custom phishing payloads
13D ago
4 sources
Attackers are using a critical Fortinet server flaw to send malware to computers managed by FortiClient Endpoint Management Server (EMS). The issue, CVE-2026-35616, is a remote code execution bug in FortiClient EMS that can be exploited without authentication via crafted requests; Fortinet patched it in April after warning it had already been used as a zero-day, and Arctic Wolf now says fresh attacks are abusing EMS scripting workflows to deploy EKZ Infostealer disguised as a Fortinet patch.
— This can turn a central management server into a way to infect every device it manages, putting passwords, browser cookies, and other sensitive data at risk. Organizations running FortiClient EMS should patch immediately, check for suspicious PowerShell/script activity, and investigate whether fake update jobs were pushed to endpoints.
Sources: Critical FortiClient EMS Vulnerability Exploited in Fresh Attacks, Hackers exploit FortiClient EMS flaw to push infostealer malware, FortiClient EMS Exploited via CVE-2026-35616 to Deliver EKZ Infostealer Disguised as a Fortinet Patch (+1 more)
14D ago
3 sources
Security firms say they disrupted the GlassWorm botnet, a malware operation that infected developers and open source software ecosystems and could be used to steal credentials and cryptocurrency wallet data and to gain remote access to infected machines. CrowdStrike says GlassWorm spread through trojanized Visual Studio extensions on OpenVSX and later through GitHub and compromised Python projects, while using Solana blockchain transactions, Google Calendar, BitTorrent, and VPS-hosted servers as layered command-and-control channels. The malware hid code with Unicode variation selectors and stole npm, GitHub, and Git credentials, creating downstream software supply-chain risk.
— This matters because a compromise of developers can spread to the software and updates many other organizations rely on. Teams should check for beaconing to 164.92.88[.]210, investigate developer machines and repositories for compromise, rotate exposed credentials, and review software supply-chain protections.
Sources: GlassWorm Botnet Disrupted, Glassworm botnet disrupted after resilient C2 infrastructure takedown, CrowdStrike, Google shatter Glassworm botnet
14D ago
2 sources
Researchers say the March cyberattack on Los Angeles Metro was likely carried out by Iranian state-linked hackers, not just a self-described hacktivist group. LA Metro said the breach caused internal operational disruption and required hundreds of servers to be checked before restoration, while the attackers claimed to have wiped hundreds of terabytes and stolen more than 1 terabyte of data. Gambit linked the operation to infrastructure associated with Black Shadow, a group previously attributed to Iran's Ministry of Intelligence and Security, and said the attackers also accessed systems including virtualization management, Microsoft IIS servers, and a train-monitoring operational technology system.
— A breach at a major transit agency raises concern not only about data theft but also about disruption to public services and potential access to operational systems. Transit operators and other public-sector defenders should review exposure of administrative platforms and monitoring systems, hunt for data theft and destructive activity, and treat claimed hacktivist incidents as possible state-backed operations.
Sources: LA Metro Cyberattack Linked to Iranian State-Sponsored Hackers, Iranian intelligence service behind hack of LA transit system, researchers say
15D ago
2 sources
Hackers used a previously unknown flaw in Digital Knowledge’s KnowledgeDeliver learning platform to break into servers and plant persistent malware. Mandiant says CVE-2026-5426 affects KnowledgeDeliver deployments before February 24, 2026, because a standardized ASP.NET web.config file contained hardcoded machineKey values, enabling ViewState deserialization attacks for remote code execution. The observed intrusions deployed Godzilla web shells, altered JavaScript to show fake plugin alerts, and ultimately installed a tailored Cobalt Strike backdoor.
— Organizations using KnowledgeDeliver, especially enterprise and education users, may already be compromised, not just vulnerable. Admins should urgently rotate machine keys, restrict access to the LMS, hunt for the published indicators of compromise, and check for web shells, modified JavaScript, and follow-on malware.
Sources: Hackers Exploited KnowledgeDeliver Zero-Day for Web Shell Deployment, KnowledgeDeliver flaw exploited as a zero-day to install web shells
15D ago
1 source
An Iran-linked hacking group is using fake job offers and trojanized software downloads to break into aviation and software companies, including targets in Saudi Arabia, Australia, and the United States. Check Point says Nimbus Manticore (also known as Bohrium, TA455, and UNC1549) switched from DLL sideloading to AppDomain hijacking, using malicious .NET configuration files to load payloads, and deployed updated MiniJunk malware plus a new Windows DLL backdoor called MiniFast through ZIP files on OnlyOffice, a fake Zoom installer, and a fake SQL Developer site boosted with search-engine optimization.
— This campaign shows continued state-linked targeting of sensitive industries during heightened regional tensions, with lures that can fool both job seekers and employees downloading familiar tools. Organizations in aviation, defense-adjacent, and software sectors should warn staff about recruiter and installer lures, review detections for MiniJunk and MiniFast, and hunt for suspicious .config-based AppDomain hijacking activity.
Sources: Iranian APT Targets Aviation, Software Companies With Updated Tools
16D ago
2 sources
Attackers are using a Ghost CMS bug to hijack websites and show visitors fake verification prompts that can infect their computers. The campaign abuses CVE-2026-26980, a critical unauthenticated SQL injection flaw affecting Ghost 3.24.0 through 6.19.0, to steal admin API keys and inject malicious JavaScript into article pages; researchers say more than 700 domains were hit, including university, media, fintech, and tech sites. Victims who follow the ClickFix instructions paste commands into Windows that download malware.
— This affects both website owners and ordinary visitors: unpatched Ghost sites can be silently turned into malware delivery pages, and people browsing them can be tricked into infecting their own systems. Ghost administrators should update to 6.19.1 or later immediately, rotate exposed keys, and check for injected scripts and suspicious admin API activity.
Sources: Ghost CMS SQL injection flaw exploited in large-scale ClickFix campaign, Ghost CMS Vulnerability Exploited to Hack Over 700 Websites
16D ago
2 sources
Attackers compromised Laravel Lang localization packages and made legitimate-looking Composer installs fetch malware instead. The attackers rewrote existing GitHub release tags across laravel-lang/lang, laravel-lang/http-statuses, laravel-lang/attributes, and possibly laravel-lang/actions to point to malicious commits in a fork, affecting hundreds of historical versions; the payload drops a PHP stealer that targets cloud keys, CI/CD secrets, SSH keys, browser data, crypto wallets, and on Windows launches a helper executable dubbed DebugElevator to decrypt Chromium-based browser credentials.
— Developers and organizations that installed these packages could have had passwords, cloud credentials, and deployment secrets stolen without realizing it. Treat this as urgent: identify affected installs, remove compromised versions, rotate any exposed secrets, and review developer and build systems for follow-on access.
Sources: Laravel Lang packages hijacked to deploy credential-stealing malware, Laravel-Lang Packages Poisoned for Malware Delivery
16D ago
2 sources
A new automated attack dubbed Megalodon pushed malicious commits to more than 5,500 GitHub repositories, putting developers and organizations that merge those changes at risk of credential theft. Researchers say the malware runs in continuous integration and continuous delivery (CI/CD) pipelines after a poisoned commit is merged, then steals GitHub, Bitbucket, AWS, Google Cloud, Azure, SSH, Docker, Kubernetes, Vault, and Terraform secrets and can spread further; SafeDep also linked backdoored Tiledesk npm releases 2.18.6 through 2.18.12 to a compromised GitHub repository rather than a stolen npm account.
— This can turn a routine code merge into a cloud-account and source-code compromise, especially for organizations that automatically build code from GitHub. Repo maintainers and security teams should review recent pull requests and commits, block suspicious automation, rotate CI/CD and cloud secrets, and check whether affected packages or repositories were used.
Sources: Megalodon chums the waters in 5.5K+ GitHub repo poisonings, Over 5,500 GitHub Repositories Infected in ‘Megalodon’ Supply Chain Attack
18D ago
1 source
Researchers say attackers are exploiting a weakness in shared content delivery network (CDN) infrastructure to make malicious connections look like they are going to legitimate websites. The technique, dubbed Underminr, is described as a variant of domain fronting that abuses mismatches between DNS lookups, server name indication (SNI), HTTP Host headers, edge IP addresses, and CDN tenant routing; ADAMnetworks says it affects roughly 88 million domains and has been used to bypass Protective DNS filtering, conceal command-and-control traffic, and tunnel VPN or proxy connections over TCP port 443.
— Organizations that rely on DNS filtering or allowlists could miss malicious outbound traffic that appears to be headed to trusted domains. Defenders should review CDN egress controls, correlate DNS, SNI, Host header, and destination IP telemetry, and watch for guidance or mitigations from affected providers.
Sources: ‘Underminr’ Vulnerability Lets Attackers Hide Malicious Connections Behind Trusted Domains
19D ago
1 source
A Russian-speaking threat actor allegedly used a jailbroken Google Gemini account to run a months-long scam and theft campaign aimed at QAnon and MAGA communities, stealing WordPress admin credentials and draining at least one victim's cryptocurrency wallets. TrendAI says the operation ran from September 2025 to May 2026 through a Telegram channel with about 17,000 subscribers, used 73 likely stolen Gemini API keys, pushed a fake StellarMonster wallet app that actually installed the GoToResolve remote access tool, and captured victims' seed phrases through a bogus wallet-import screen.
— This matters because it blends political-community targeting, AI-assisted social engineering, malware, and direct crypto theft in a way ordinary users can fall for and defenders may miss. Users should avoid wallet apps and recovery prompts promoted in Telegram channels, while organizations should investigate exposed WordPress credentials and watch for abuse of stolen API keys.
Sources: A Russian speaker and jailbroken Gemini went on a hacking spree and emptied at least one MAGA victim's crypto wallets
19D ago
4 sources
Canadian authorities arrested Ottawa resident Jacob Butler, who allegedly operated online as “Dort,” and U.S. prosecutors unsealed charges accusing him of running the Kimwolf Internet-of-Things botnet that hijacked millions of connected devices. The complaint says Kimwolf infected devices such as cameras and digital photo frames, issued more than 25,000 attack commands, powered distributed denial-of-service attacks measured at nearly 30 terabits per second, and was also rented to other criminals; the case follows March seizures of Kimwolf infrastructure and related botnets Aisuru, JackSkid, and Mossad.
— This matters to internet providers, enterprises, and anyone running exposed connected devices because it shows how insecure Internet-of-Things products can be turned into large-scale attack infrastructure. Defenders should keep internet-facing devices patched, disable unnecessary exposure, and review mitigations tied to the exploitation path Kimwolf used to spread.
Sources: Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada, US and Canada arrest and charge suspected Kimwolf botnet admin, Canadian Man Arrested for Operating Kimwolf Botnet (+1 more)
20D ago
1 source
Belarus-linked hackers are sending fake course-certificate emails to Ukrainian government staff to infect their computers with espionage malware. CERT-UA says the campaign, active since spring 2026, uses compromised email accounts and messages posing as Ukraine’s Prometheus learning platform; a PDF leads victims to a ZIP that installs OysterFresh, then OysterBlues and OysterShuck, which collect host and user details and may later deliver Cobalt Strike.
— This is a targeted government espionage campaign, so affected organizations should treat related Prometheus certificate emails as suspicious, hunt for the named malware and infrastructure, and isolate infected systems quickly. For users, the practical takeaway is not to open certificate attachments or download archives from unexpected training-platform emails, even if they come from known contacts.
Sources: Belarus-linked hackers use fake training certificates to target Ukrainian officials
20D ago
1 source
A China-linked hacking group has been targeting telecommunications providers in Asia Pacific and parts of the Middle East with new malware for both Linux and Windows systems. Researchers at Lumen Black Lotus Labs and PwC attributed the campaign to Calypso, also called Red Lamassu, and say it has been active since at least mid-2022. The Linux implant, Showboat, is a modular post-compromise framework used for persistence, file transfer, and SOCKS5 proxying to move through victim networks, while the Windows implant, JFMBackdoor, uses DLL sideloading and supports remote commands, file operations, registry changes, screenshots, and anti-forensics.
— Telecom providers are high-value targets because they sit in the middle of sensitive communications and critical infrastructure. Organizations in the sector should hunt for these malware families and related telecom-themed impersonation domains, review persistence mechanisms and proxy activity, and check Linux and Windows systems for signs of long-term intrusion.
Sources: Chinese hackers target telcos with new Linux, Windows malware
21D ago
2 sources
Ukrainian cyberpolice, working with U.S. law enforcement, identified an 18-year-old suspect from Odesa as a central operator in an infostealer campaign that stole browser sessions and credentials from users of a California online store between 2024 and 2025. Authorities say 28,000 accounts were compromised, 5,800 were used for unauthorized purchases totaling about $721,000, and devices and crypto-related evidence were seized in searches.
— The case highlights ongoing risk from infostealers and stolen session tokens, which can enable account takeover and sometimes bypass MFA. Online retailers, fraud teams, and users should treat session theft as a significant threat and review account security, monitoring, and token invalidation practices.
Sources: Ukraine identifies infostealer operator tied to 28,000 stolen accounts, Ukraine probes teen suspect in cyber theft scheme targeting California online shoppers
22D ago
1 source
Microsoft said it seized domains and hundreds of VMs tied to Fox Tempest, a criminal service that abused Microsoft Artifact Signing using more than 580 fraudulent accounts created with fake identities. The operation allegedly sold code-signing certificates used to sign malware including Oyster, Lumma, Vidar, and Rhysida, and was linked to ransomware actors including Vanilla Tempest as well as INC, Qilin, and Akira affiliates.
— Trusted code-signing helps malware bypass user suspicion and some security controls, so this service likely enabled broader, more effective intrusions. Defenders should review their detection and hunting coverage for suspicious signed binaries and for the malware families named by Microsoft.
Sources: Microsoft shuts down illegal code-signing operation used by ransomware crims to mask their malware
23D ago
1 source
SentinelOne documented Reaper, an updated SHub macOS infostealer delivered via fake WeChat and Miro installer sites spoofing trusted brands and abusing Script Editor instead of Terminal. The malware steals passwords, browser and Keychain data, Telegram sessions, and cryptocurrency wallet data, injects some wallet apps for continued theft, and installs a LaunchAgent-backed backdoor that beacons to C2 and can execute attacker-supplied code.
— macOS users are being targeted with a more evasive stealer that bypasses recent Apple defenses against Terminal-based social engineering. Defenders should block the typosquatted infrastructure, hunt for the fake GoogleUpdate persistence path and LaunchAgent, and warn users about malicious installer lures.
Sources: Do fear the Reaper - stealer swipes macOS users' passwords, wallets, then backdoors them