From The Hacker News · 40 stories
FBI and CISA Warn of Russian Phishing Attacks on Signal and WhatsApp Accounts
The FBI and CISA have issued an updated warning about Russian intelligence phishing campaigns targeting Signal and WhatsApp accounts. Attackers are using Signal Backup Recovery Keys to hijack accounts, and the U.S. is offering a $10 million reward for information on the group responsible. The campaign has compromised thousands of accounts of high-profile targets, including government officials and journalists.
Anubis Ransomware Group Exploits Citrix Bleed 2 Vulnerability for Attacks
The Anubis ransomware operation has been identified exploiting the Citrix Bleed 2 (CVE-2025-5777) vulnerability to gain access to targeted environments. The group's use of legitimate remote access tools for lateral movement highlights the evolving tactics of ransomware groups and the urgent need for organizations to address vulnerabilities.
Umbrij Malware Exploits OAuth to Access Gmail Through Google API
The ToddyCat threat actor has released a new malware named Umbrij, which gains unauthorized access to Gmail accounts via the Google API using OAuth tokens. This technique could significantly impact corporate email security, as it leverages existing Gmail sessions for access.
US Lifts Export Controls on Anthropic's AI Models Fable 5 and Mythos 5
The US government has lifted export restrictions on Anthropic's AI models, Claude Fable 5 and Mythos 5, after negotiations secured certain safety protocols. The initial bans were due to security concerns linked to potential model misuse. This change restores access to Fable 5 globally and to Mythos 5 for select US organizations, addressing the previous concerns. The case showcases the evolving regulatory landscape for AI models.
Exploitation of Langflow RCE Vulnerability Targets AI Endpoints for Monero Mining and AI-Driven Ransomware Attacks
The Langflow remote code execution vulnerability (CVE-2026-33017) is actively exploited to deploy Monero miners and automate ransomware attacks using AI. The attacks highlight vulnerabilities in exposed AI applications and the evolving threat landscape, as AI agents can execute complex attacks independently.
Serious Flaw in Argo CD Repo-Server Allows Remote Code Execution
An unpatched flaw in Argo CD's repo-server allows unauthenticated attackers to execute code, potentially taking over Kubernetes clusters. Synacktiv, which discovered the issue, reports that the vulnerability remains unaddressed nearly 18 months after it was reported.
Cursor AI Code Editor Flaws Could Allow Command Execution via Prompt Injection
Two critical vulnerabilities in Cursor, tracked as CVE-2026-50548 and CVE-2026-50549, could enable command execution outside the editor's safety sandbox, affecting many Fortune 500 companies. The flaws, identified by Cato AI Labs and rated 9.8/10 in severity, can be exploited through prompt injection without user interaction, necessitating an immediate software update to the patched version 3.0.
Critical Vulnerability in Progress Kemp LoadMaster Enables Root Command Execution
A critical vulnerability (CVE-2026-8037) in Progress Kemp LoadMaster permits unauthenticated root command execution via API requests. Patches have been released to mitigate the CVSS 9.8 flaw. Reports indicate active exploitation attempts, causing security concerns among users.
AI-Generated Ransomware Discovered Exploiting Chromium API on Windows and Android
A new ransomware artifact created by the AI model DeepSeek combines theoretical attacks with real browser functionality, enabling browser-based ransomware on Windows and Android. This marks the first identified practical attack chain of its kind, indicating a significant shift in the cybersecurity threat landscape.
GuardFall Exploits Decades-Old Shell Injection Risks in AI Coding Agents
New research from Adversa AI reveals that the GuardFall vulnerability allows bypassing safety checks in AI coding agents. This poses risks of executing malicious shell commands with full account access across multiple popular open-source agents.
AirDrop and Quick Share Vulnerabilities Found, Affecting Millions of Devices
Researchers discovered six security flaws in Apple's AirDrop and Samsung's Quick Share, enabling attackers nearby to crash file-sharing services. Apple has already patched one of the identified vulnerabilities, but others remain under investigation, impacting potentially five billion devices globally.
Critical Flaw CVE-2026-46817 in Oracle E-Business Suite Exploited
A critical vulnerability in Oracle E-Business Suite, CVE-2026-46817, is now being actively exploited. Impacting versions 12.2.3 to 12.2.15, the flaw allows unauthenticated attackers to take control of Oracle Payments, necessitating immediate patching for affected instances.
Mustang Panda Exploits Zoho WorkDrive in Campaign Against Indian Government
The Mustang Panda group has launched campaigns targeting the Indian government, utilizing Zoho WorkDrive to transmit commands and steal data. This approach leverages legitimate service traffic to mask malicious activities and is part of broader espionage efforts aimed at India's hydropower initiatives and defense relations with Taiwan.
DirtyClone Vulnerability in Linux Kernel Allows Local Root Access Exploits
The DirtyClone vulnerability (CVE-2026-43503) affects the Linux kernel, allowing local users to gain root privileges using cloned network packets. This flaw poses significant security risks in environments like multi-tenant clouds and Kubernetes clusters. A patch has been released, and users are advised to update their systems immediately.
Microsoft Removes 119 Malicious Edge Extensions Involved in Malware Operation
Microsoft has removed 119 Edge extensions from its Add-ons store that concealed malware within images and fonts, compromising user credentials and facilitating ad fraud. The extensions, installed by up to 2.6 million users, utilized steganography to hide malicious code, operating undetected for years.
Public PoC Released for Critical libssh2 CVE-2026-55200 Client-Side SSH Flaw
A public proof-of-concept has been released for CVE-2026-55200, a critical flaw in libssh2 that may allow memory corruption and code execution for connected clients. This vulnerability affects all versions up to 1.11.1, posing significant risks as libssh2 is widely used in various applications and systems.
Hijacked npm and Go Packages Deploy Python Infostealer via VS Code Tasks
Cybersecurity researchers have identified hijacked npm and Go packages that deploy a Python-based infostealer on compromised systems. This method utilizes a concealed VS Code task to execute malware upon opening a project folder, facilitating data theft and persistent access.
Linux pedit COW Exploit Allows Root Access via Cached Binary Poisoning
A critical flaw in the Linux kernel's traffic-control subsystem allows unprivileged users to gain root access on vulnerable systems. The exploit targets the memory cache of setuid binaries, enabling attackers to inject and execute malicious code while bypassing file integrity checks.
CISA Warns of Exploited Flaws in Lantronix EDS5000 and PTC Windchill
CISA has issued alerts concerning the exploitation of critical vulnerabilities in Lantronix EDS5000 and PTC Windchill systems. The Lantronix flaw allows code execution with escalated privileges, while the Windchill vulnerability enables remote code execution. Both alerts urge immediate patching to mitigate the risks posed by these active threats.
Miasma Malware Compromises npm Packages and GitHub Actions
Researchers identified a supply chain attack involving Miasma malware targeting multiple npm packages and GitHub Actions. The attack compromises developer credentials to propagate malware across various software ecosystems, posing significant security risks.
Popular Chrome Ad Blocker Can Execute Arbitrary JavaScript Code
The Chrome ad blocker 'Adblock for YouTube,' with over 10 million installs, has been found to contain functionality for executing arbitrary JavaScript code remotely. This could pose significant privacy risks, including data theft, although no malicious activity has been reported to date.
New Mistic Backdoor Discovered Linked to KongTuke in Cyber Attack Campaigns
A new backdoor named Mistic has emerged in attacks directed at various sectors, linked to the KongTuke group. The stealthy malware is designed for long-term access, employing sophisticated evasion techniques such as memory-based execution and DLL side-loading, marking a significant threat to targeted organizations.
Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited for Root Access
A zero-day vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20245, has been exploited to gain root access by an unknown threat actor. This flaw, identified by Mandiant, allows an authenticated attacker to execute commands by manipulating user input, raising serious security concerns for affected systems.
Law Enforcement Disrupts Amadey and StealC Malware Networks, Reclaims 27M Credentials
A law enforcement operation disrupted the Amadey and StealC malware networks, recovering 27 million stolen credentials and restricting over $47 million in criminal cryptocurrency assets. This takedown involved 326 servers and 142 domains and highlights the effectiveness of public and private sector collaboration in combating cybercrime.
Flaws in Cordyceps CI/CD Expose 300+ GitHub Repositories to Cyber Attacks
Researchers identified a CI/CD vulnerability, codenamed Cordyceps, affecting over 300 repositories on GitHub. This flaw allows unauthenticated users to hijack workflows, posing significant risks to the supply chain of major organizations like Microsoft and Google.
Emergence of AI Threat Models Marks a New Era in Cybersecurity
The rise of frontier agentic AI models has drastically reduced the time from threat discovery to execution in cybersecurity. This shift poses a significant risk as AI can exploit vulnerabilities faster than human defenders can respond.
ClickFix Malware Exploits Rise in 2025, Leveraging API and Social Media Ads
ClickFix has become a major method of malware delivery in 2025, utilizing deceptive techniques like fake prompts and API-driven servers. Researchers found these attacks often evade detection by exploiting user habits and leveraging social media ads to spread malware disguised as legitimate applications. This growing method underscores the importance of enhancing security awareness and defenses against social engineering tactics.
FortiBleed Campaign Compromises Fortinet Devices, Linked to Ransomware Groups
The FortiBleed campaign has been connected to the INC and Lynx ransomware groups, compromising credentials from Fortinet devices. Researchers found that the operation scanned 11,250 FortiGate portals, compromised 354 targets, and led to 12 ransomware deployments. The breach highlights significant cybersecurity risks, affecting organizations globally.
CISA Adds Actively Exploited Microsoft SharePoint RCE Vulnerability to KEV Catalog
CISA added CVE-2026-45659, a remote code execution vulnerability in Microsoft SharePoint, to its Known Exploited Vulnerabilities catalog due to active exploitation. The flaw, affecting SharePoint Server Subscription Edition, Server 2019, and Enterprise Server 2016, allows authenticated attackers to execute code without elevated privileges. Federal agencies are required to patch the issue by July 4, 2026.
19-Year-Old Extradited to U.S. for Scattered Spider Hacking Charges
Peter Stokes, a 19-year-old with dual U.S. and Estonian citizenship, has been extradited from Finland to face U.S. charges related to the Scattered Spider hacking group. He faces accusations of conspiracy, computer intrusion, and fraud, including a significant breach of a luxury jewelry retailer. This case highlights ongoing efforts to combat organized cybercrime.
WhatsApp Introduces Usernames for Privacy Amid Impersonation Concerns
WhatsApp is rolling out user-friendly usernames to enhance privacy, removing the need to disclose phone numbers. The feature aims to protect user identities; however, it raises concerns about possible impersonation, especially in India.
Google and FBI Disrupt NetNut's Malicious Proxy Network of 2 Million Devices
Google, in coordination with the FBI and Lumen, has disrupted the NetNut residential proxy network, known for using over 2 million home devices as exit nodes for malicious traffic. This action follows the dismantling of the IPIDEA network, aiming to decrease the operational capacity of such networks. Disabling Google services and increasing awareness among platforms play a role in this effort.
Citrix Patches Six Critical NetScaler Vulnerabilities, Including HTTP/2 Bomb
Citrix released patches for six vulnerabilities in NetScaler ADC and Gateway, including a critical HTTP/2 Bomb exploit. These flaws, affecting versions 14.1 and 13.1, pose severe risks like denial-of-service attacks and data breaches. Organizations running the affected versions should urgently update to protect against active threats.
LayerX Reveals AI Browser Vulnerability Exploited by 'BioShocking' Attack
Security firm LayerX has discovered a vulnerability in AI-driven browsers, known as the 'BioShocking' attack, where browsers can be tricked into leaking user credentials. The attack uses game-like puzzle contexts to manipulate AI agents into bypassing security protocols, potentially exposing sensitive data. This discovery raises concerns about the security of AI-assisted browsing applications.
ChocoPoC Malware Targets Cybersecurity Researchers via Trojanized PoC Exploits
ChocoPoC, a Python-based remote access trojan, is being distributed through trojanized proof-of-concept (PoC) exploit repositories on GitHub. The malware targets cybersecurity researchers by installing malicious dependencies from PyPI, enabling attackers to execute commands and steal sensitive data. This highlights security risks associated with using unofficial PoCs in vulnerability research.
Password Spray Attack Targets Microsoft Azure CLI, Compromising 78 Accounts
An automated password spray attack on Microsoft's Azure CLI attempted over 81 million logins, affecting 78 accounts across 64 organizations. The attackers exploited a deprecated OAuth flow, bypassing security measures like Conditional Access policies and multi-factor authentication (MFA). This incident underscores vulnerabilities in prevalent security configurations within cloud environments.
Adobe Releases Patches for Critical ColdFusion and Campaign Classic Vulnerabilities
Adobe issued critical security updates for ColdFusion and Campaign Classic, addressing several maximum-severity vulnerabilities with CVSS scores of 10.0. These flaws could allow arbitrary code execution, impacting system security and necessitating prompt user action to apply updates.
US Government Restricts Release of OpenAI's GPT-5.6 Amid Security Measures
The U.S. government is influencing the release of OpenAI's GPT-5.6 models, limiting their availability to select customers. This supervisory approach poses challenges for AI labs, potentially slowing innovation and affecting financial performance. Enhanced cybersecurity measures aim to prevent misuse.
Recent Security Threats Highlight Weaknesses in AI and Email Systems
This week's security updates reveal new phishing campaigns, vulnerabilities in AI sandboxing, and flaws in Apple's email privacy service. These issues indicate pervasive weaknesses in various systems and could lead to increased risk for small businesses and users of affected services.
Threat Actors Use SEO-Poisoned Sites to Deploy AsyncRAT via ScreenConnect
Cybercriminals are using the ScreenConnect remote access tool to deploy AsyncRAT through compromised installer archives on spoofed websites. The campaign targets multiple languages and has resulted in a significant security risk as it enables attackers to maintain control over compromised devices and steal sensitive data.