Identity Threat & Breach News
Coverage of the threats targeting identity: credential theft, account takeover, infostealers, and breaches, with a line of context on what each means for defenders.
← All posts- News · Jul 15, 2026Firefox, Chrome, Adobe, and VMware Updates Fix Multiple Critical Security Flaws
Mozilla has released updates to address two critical flaws in Firefox for which it warned that exploit code has been published. The vulnerabilities are listed below - CVE-2026-15718, an invalid pointer in the JavaScript: WebAssembly component CVE-2026-15719, a site isolation in t
- News · Jul 15, 2026Nearly 300 GitHub repos pose as legit software to push malware
A threat actor has published hundreds of fake GitHub repositories impersonating legitimate software and security projects to distribute infostealer malware. [...]
- News · Jul 14, 2026CrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper Checks
Cybersecurity researchers have flagged a new macOS information stealer called CrashStealer that's capable of harvesting sensitive data from compromised systems. Unlike other information stealers that are built on AppleScript droppers or Objective-C-based wrappers, CrashStealer is
- News · Jul 14, 2026Hackers backdoor Jscrambler npm package with infostealer malware
The Jscrambler client-side web security company disclosed that a threat actor published a malicious version of its npm package that has been downloaded almost 1,500 times. [...]
- News · Jul 14, 2026Microsoft Entra ID gets passkeys default authentication starting September
Microsoft has announced that passkeys will become the default authentication method for the Entra ID enterprise identity service starting September 2026. [...]
- News · Jul 14, 2026Microsoft Maps Three Salesforce Attack Paths Tied to a Year of ShinyHunters Activity
Attackers whose methods line up with the data-extortion group ShinyHunters have spent the past year walking into corporate Salesforce environments without exploiting a single flaw in the platform. The way in has been the trust the organization had already extended, usually throug
- News · Jul 14, 2026New CrashStealer malware poses as Apple crash reporting tool
A new macOS information-stealing malware called CrashStealer pretends to be Apple's crash-reporting tool to steal credentials, keychain data, and crypto wallets. [...]
- News · Jul 14, 2026New phishing kits target Microsoft 365 accounts, evade MFA
Two new phishing kits, Jalisco and OmegaLord, have been discovered in attacks targeting Microsoft 365 accounts, using techniques that defeat multi-factor authentication (MFA). [...]
- News · Jul 14, 2026OAuth Client ID Spoofing Lets Attackers Validate Stolen Microsoft Entra Credentials
At least two distinct threat actors are weaponizing a novel evasion technique called OAuth client ID spoofing in cloud campaigns, while slipping past telemetry. The activity allows users to enumerate user accounts and validate stolen credentials in Microsoft Entra ID environments
- News · Jul 14, 2026RabbitMQ Flaws Could Leak OAuth Secrets and Expose Cross-Tenant Queue Metadata
Cybersecurity researchers have disclosed details of two access control-related flaws impacting the RabbitMQ message broker service that could allow attackers to leak OAuth client secrets, expose enterprise messaging infrastructure to takeover risks, and bypass tenant boundaries.
- News · Jul 13, 2026Attacker Uses Suspected AI-Generated PowerShell Script to Map Active Directory
Cybersecurity researchers have flagged an intrusion in which an unknown threat actor leveraged a vibe-coded PowerShell script for Active Directory (AD) enumeration. "The script looked for the Domain Controller (DC) and mapped users, computers, and domains, before creating a direc
- News · Jul 13, 2026Breach at the Beach: Play the Ultimate Entra ID CTF
Learn how attackers abuse Entra ID through a free hands-on Capture the Flag. Varonis created the Breach at the Beach CTF to teach defenders how to investigate Entra ID attack techniques using realistic scenarios. [...]
- News · Jul 13, 2026Lessons Learned from CISA’s Recent GitHub Leak
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a postmortem on a data leak in which a contractor published dozens of internal CISA credentials -- including AWS Govcloud keys -- in a public GitHub repository for almost six months before being notified by Kr
- News · Jul 13, 2026Thinking Fast and Slow in the SOC: The Case for Combining Autonomous AI with Analyst Copilots
A few days ago, I was sitting with the CISO of a Fortune 50 company, walking through how his security team was thinking about AI agents in the SOC. Smart team. Serious program. They had already connected Claude to a few detection tools and were seeing real value in specific inves
- News · Jul 13, 2026UK charges suspects linked to Russian Coms call spoofing platform
UK authorities charged five people following a National Crime Agency (NCA) investigation into Russian Coms, a major caller ID spoofing platform used by criminals to make over 1.8 million scam calls. [...]
- News · Jul 13, 2026World Cup grudge attackers may have scored Argentine FA access via year-old infostealer infection
Footie fans? Overreacting? There's a first time for everything
- News · Jul 12, 2026Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install
The jscrambler npm package was compromised, and simply installing its 8.14.0 release runs an infostealer on your machine. Published on July 11, 2026, the malicious version carries a preinstall hook that drops and executes a native binary, one build each for Windows, macOS, and Li
- News · Jul 11, 2026Destructive Windows backdoor stuffs multiple wipers and ransomware code into a single package
Microsoft says GigaWiper combines at least 3 malware families into one modular tool
- News · Jul 11, 2026'Ghostcommit' hides prompt injection in images to fool AI agents, steal secrets
A PNG hiding a prompt injection could steal your repo's secrets, researchers demonstrate. The technique, dubbed 'Ghostcommit,' slipped past AI code reviewers CodeRabbit and Bugbot, which never open image files at all, then convinced a coding agent to read a repo's .env and write
- News · Jul 10, 2026Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs
Datadog Security Labs is warning of "several overlapping campaigns" that are systematically enumerating corporate GitHub organizations, repositories, and user accounts through the GitHub API. "Operators rely on automated scraping tooling with custom or legitimate-sounding user ag
- News · Jul 10, 2026Hackers Use Fake Microsoft Entra Passkey Enrollment to Gain Microsoft 365 Access
A threat actor has been targeting organizations spanning multiple sectors with voice-based fake security requests that prompt Microsoft 365 users to enroll a new Entra passkey with an aim to carry out data extortion attacks. The threat actor, tracked by Okta under the moniker O-U
- News · Jul 10, 2026Laser Attack Resets Tangem Wallet Passwords on Cards That Can't Be Patched
Researchers at Ledger's Donjon security team have shown that a precisely timed laser pulse, aimed at the chip inside a Tangem crypto wallet card, can reset the card's password to anything the attacker picks. No old password. No backup card. Once it is reset, whoever did it contro
- News · Jul 10, 2026New GigaWiper Windows Backdoor Bundles Disk Wiping, Fake Ransomware, and Spyware
Microsoft has taken apart a destructive Windows backdoor it calls GigaWiper. What stands out is how it is built: not one tool but three older destructive programs bolted into one, offered as commands the operator can choose from. Each is a different way to break a machine: wipe t
- News · Jul 10, 2026New Helix vishing group emerges in SharePoint data theft attacks
A new data-extortion group called Helix is using identity-focused tactics such as voice phishing (vishing), device code phishing, and multi-factor authentication (MFA) abuse to steal data from SharePoint environments. [...]
- News · Jul 10, 2026npm 12 Disables Install Scripts by Default to Reduce Supply Chain Risk
GitHub has officially announced the release of npm version 12 with install scripts disabled by default, along with deprecating granular access tokens (GATs) designed to bypass two-factor authentication (2FA). The Microsoft-owned subsidiary noted that the following npm install beh
- News · Jul 10, 2026Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws
Details have emerged about three now-patched security flaws in the OpenClaw personal artificial intelligence (AI) assistant that, if successfully exploited, could enable credential theft, privilege escalation, and arbitrary code execution on the host. A brief description of the h
- News · Jul 10, 2026The Replicant in Your Directory: AI Agents and the Identity Security Gap
AI agents are accelerating the growth of non-human identities, making it harder for organizations to understand what exists, who owns it, and what it can access. Netwrix explains why stronger visibility and identity governance are essential as AI expands the enterprise attack sur
- News · Jul 9, 2026AI Coding Agents Found Triggering Endpoint Security Rules Built to Catch Attackers
Sophos looked at a week of its own endpoint data and found that AI coding agents such as Claude Code, Cursor, and OpenAI Codex are setting off detection rules written to catch human intruders. The agents are not malicious. They just do a lot of things that, to a behavioral engine
- News · Jul 9, 2026Entra passkey enrollment vishing targets Microsoft 365 users
A threat actor has been targeting organizations across multiple sectors with voice-based fake security requests that ask Microsoft 365 users to enroll a new Entra passkey. [...]
- News · Jul 9, 2026Fake Paysafe, Skrill SDKs on NPM and PyPi steal credentials
Malicious packages on the Node Package Manager (npm) and the Python Package Index (PyPI) delivered stealer malware to developers and users of Paysafe, Skrill, and Neteller payment applications. [...]
- News · Jul 9, 2026Hackers exploit Roundcube flaw to spy on academic researchers
A China-linked threat cluster has been exploiting vulnerable Roundcube servers at U.S. and Canadian universities to steal credentials and deploy backdoor malware. [...]
- News · Jul 8, 20263 Ways AI Powers Service Desk Attacks and How to Prevent Them
Specops Software explains how AI is making service desk impersonation attacks more convincing, personalized, and scalable, along with practical steps organizations can take to strengthen onboarding and identity verification. [...]
- News · Jul 8, 2026CAI cloud worm gives competitors' malware the boot, then steals secrets and mines for coin
Dog-eat-dog world for credential-stealing attackers
- News · Jul 8, 2026DEBULL Tooling Abuses Microsoft Device-Code Flow to Target M365 Accounts
A Microsoft 365 device code phishing campaign has been observed leveraging collaboration-themed lures to take control of victim accounts between the last week of June 2026 and into early July, per findings from ZeroBEC. "The campaign did not depend on a fake Microsoft password pa
- News · Jul 8, 2026Hidden backdoor in Tenda router firmware grants admin access
A hidden authentication backdoor has been found in multiple Tenda router firmware versions, potentially allowing an attacker to gain administrative access to the device's web management panel. [...]
- News · Jul 8, 2026Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots
A critical flaw in Google's Dialogflow CX could have let an attacker with edit rights on one Code Block-enabled agent compromise other Code Block-enabled agents in the same Google Cloud project. From there, they could read live conversations, steal the data users shared, and make
- News · Jul 8, 2026SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users
A new banking fraudulent operation is targeting customers of Mexican banks, fintech, payment processors, and cryptocurrency exchanges using ClickFix lures. The activity cluster, tracked by Elastic Security Labs under the moniker REF6045, involves infecting victims through fake CA
- News · Jul 8, 2026Telco giant KDDI says data breach affects over 12 million people
Japanese telecommunications giant KDDI says that millions of people had their email addresses and passwords exposed after attackers breached an email platform used by five internet service providers (ISPs) in the country. [...]
- News · Jul 8, 2026The Verification Step Is the New ATO Battleground in 2026
For years, account takeover (ATO) followed a predictable script. Attackers bought stolen credentials in bulk, ran them through automated tools, and waited for matches. Credential stuffing was cheap, scalable, and for defenders, relatively well understood. That era is ending. Not
- News · Jul 7, 2026BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA
BeyondTrust has released updates to address two critical security flaws affecting Remote Support (RS) and Privileged Remote Access (PRA) products that, if successfully exploited, could allow unauthenticated attackers to take control of susceptible devices. The vulnerabilities are
- News · Jul 7, 2026BeyondTrust warns of critical flaws in remote access software
BeyondTrust warned customers to patch two critical security flaws in its Remote Support (RS) and Privileged Remote Access (PRA) software that could allow attackers to bypass authentication. [...]
- News · Jul 7, 2026CERT/CC Warns of Hidden Admin Backdoor in Tenda Router Firmware
Several versions of firmware released by Chinese network device manufacturer Tenda have been found to embed an undocumented authentication backdoor that enables administrative access to the devices' web management interfaces, the CERT Coordination Center (CERT/CC) warned Monday.
- News · Jul 7, 2026EU urged to act after Pegasus infects phone of spyware inquiry MEP
Campaigners demand investigation and long-delayed action on PEGA Committee recommendations
- News · Jul 7, 2026Microsoft to enable Windows settings backup by default for orgs
Microsoft says the Windows settings backup and restore tool will be enabled by default on Microsoft Entra-joined or Microsoft Entra hybrid-joined enterprise systems after upgrading to Windows 11 26H2. [...]
- News · Jul 7, 2026Phishing poses as big-brand job interview to steal Google accounts
A phishing campaign is impersonating more than 30 well-known brands, including Adobe, Netflix, Coca-Cola, and OpenAI, in fake job interviews to steal Google account credentials from marketing professionals. [...]
- News · Jul 7, 2026Public GitHub Issue Could Trick GitHub Agentic Workflows Into Leaking Private Repo Data
A public issue can trick GitHub Agentic Workflows into leaking the contents of an organization's private repositories, researchers at Noma Security have shown. The attacker needs only to open a normal-looking issue on a public repository, with no stolen credentials and no access
- News · Jul 7, 2026Suspected China-Aligned Hackers Exploit Roundcube Flaws Against Universities
A suspected China-aligned threat activity cluster has been observed exploiting Roundcube webmail software belonging to physics and engineering departments of U.S. and Canadian universities as part of a new campaign. The activity involves the exploitation of now-patched, critical
- News · Jul 7, 2026Webinar tomorrow: Why modern email attacks require a new approach to defense
Tomorrow's webinar explores how behavioral AI can help organizations detect sophisticated phishing, business email compromise, and account takeover attacks while reducing alert fatigue through automated investigation and response workflows. [...]
- News · Jul 7, 2026What Changes When Your Software Supply Chain Includes AI Writing Your Code?
Software supply chain security was hard enough. Then AI joined the build pipeline. For five years, "software supply chain security" meant one question: what's in your code? Which open-source packages, which versions, which transitive dependencies three layers deep that nobody cho
- News · Jul 7, 2026Writer AI Flaw Could Let Agent Previews Leak Session Tokens Across Tenants
Cybersecurity researchers have disclosed details of a now-patched critical session isolation vulnerability in Writer, an enterprise generative artificial intelligence (AI) platform, that could result in cross-tenant compromise. The one-click vulnerability has been codenamed Write
- News · Jul 6, 2026How to Evaluate an AI SOC Platform in 2026: 6 Capabilities That Separate Leaders from Bolt-On AI solutions
Building a shortlist for an AI SOC evaluation can be tough. SIEM, SOAR, and pureplay AI SOC vendors are all saying the same thing. But behind the identical label sit very different products, from chat assistants bolted onto a legacy SIEM to agent platforms that run detection, tri
- News · Jul 6, 2026MFA-optional banks leave safe doors (and accounts) wide open for thieves to pillage
Financial institutions are putting their clients at risk in the name of convenience.
- News · Jul 6, 2026⚡ Weekly Recap: Proxy Botnets, Browser Ransomware, AI Agent Tricks, Fake PoC Malware and More
A streaming box should not need a threat model. Neither should a username field, a demo repo, a reset flow, or a browser permission prompt. That is the irritating part this week: the risky pieces were ordinary. Home devices became a routing cover. Clean code pulled dirt from a de
- News · Jul 4, 2026New Avalon Malware Framework Packs CrownX Ransomware Capabilities
Cybersecurity researchers have discovered a previously undocumented modular malware framework codenamed Avalon that's distributed by means of a multi-stage phishing chain capable of bypassing traditional security controls. Avalon combines credential collection, lateral movement,
- News · Jul 4, 2026North Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secrets
Threat actors with ties to North Korea have been linked to a fresh set of malicious npm packages that masquerade as Rollup polyfill tooling to facilitate remote access and data theft. According to JFrog, the packages "rollup-packages-polyfill-core" and "rollup-runtime-polyfill-co
- News · Jul 3, 2026AdaptHealth says attackers sweet-talked their way into cloud systems and stole patient data
Third-party contractor compromise exposed health information and insurance billing passwords
- News · Jul 3, 2026ConsentFix and ClickFix: How Microsoft 365 Accounts are Hijacked in 3 Seconds
ConsentFix and ClickFix attacks steal Microsoft 365 tokens in seconds using fake prompts and OAuth flows. Learn how these MFA bypass tactics work and how to defend against them. [...]
- News · Jul 3, 2026European Parliament Member Investigating Spyware Was Hacked With Pegasus
A new report from the Citizen Lab has revealed that former Member of the European Parliament Stelios Kouloglou had his mobile device repeatedly hacked with the notorious Pegasus spyware while serving on a committee that was tasked with investigating the abuse of such commercial s
- News · Jul 3, 2026FBI Seizes NetNut Proxy Platform, Popa Botnet
The Federal Bureau of Investigation (FBI) said today it worked with industry partners to seize hundreds of domains associated with NetNut, a sprawling residential proxy service operated by the publicly-traded Israeli company Alarum Technologies [NASDAQ: ALAR]. The action comes ro
- News · Jul 3, 2026PamStealer Uses Fake Maccy Sites and PAM Checks to Steal Mac Login Passwords
Cybersecurity researchers have flagged a new macOS information stealer called PamStealer that employs a series of clever tricks to infect systems and siphon sensitive data. The stealer, discovered by Jamf Threat Labs, is distributed as a compiled AppleScript (.scpt) file imperson
- News · Jul 3, 2026Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials
Threat actors associated with the Anubis ransomware operation have been observed exploiting the Citrix Bleed 2 (CVE-2025-5777) vulnerability to obtain initial access. "Although tactics differ between affiliates, common patterns emerged in tradecraft through use of legitimate Remo
- News · Jul 2, 2026AI Agent Exploits Langflow RCE to Automate Database Ransomware Attack
Security firm Sysdig says it has found what it believes is the first ransomware attack run from start to finish by an AI agent. Its Threat Research Team calls the operator JADEPUFFER and says a large language model handled the whole job: breaking in, stealing credentials, moving
- News · Jul 2, 2026DHS confirms hackers breached HSIN info-sharing platform
The Department of Homeland Security is investigating a cyberattack that compromised the Homeland Security Information Network (HSIN), a sensitive information-sharing platform used by federal, state, local, and private-sector partners. [...]
- News · Jul 2, 2026FortiBleed credential-theft campaign linked to Lynx ransomware
The massive FortiBleed credential theft campaign has been linked to the INC and Lynx ransomware operations, suggesting the stolen Fortinet credentials were intended to fuel future network intrusions. [...]
- News · Jul 2, 2026FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations
The recently discovered financially-motivated FortiBleed campaign has been attributed to INC and Lynx ransomware operations, indicating that the verified, stolen credentials were intended for follow-on intrusions. "An operator tied to FortiBleed's infrastructure was found activel
- News · Jul 2, 2026Hackers target Microsoft 365 accounts with 81 million login attempts
An aggressive password-spraying campaign targeting Microsoft 365 environments generated more than 81 million login attempts over a two-week period. [...]
- News · Jul 2, 2026Identity Lifecycle Management Wasn't Built for AI Agents
Identity lifecycle management was architected around a person with an employment record, a manager, and a departure date. AI agents have none of those. As autonomous principals proliferate across enterprise environments, the governance model built for humans develops structural b
- News · Jul 2, 2026New ChocoPoC RAT Targets Vulnerability Researchers via Fake PoC Exploit Repos
Attackers are hiding a data-stealing trojan inside fake exploit code aimed at the people who hunt bugs for a living. The malware, called ChocoPoC, travels in Python proof-of-concept (PoC) repositories on GitHub that claim to exploit hot new CVEs. Run one, and it quietly lifts you
- News · Jul 2, 2026ToddyCat-Linked Umbrij Malware Abuses OAuth to Access Gmail via Google API
The threat actor known as ToddyCat has been attributed to a new malware called Umbrij that's designed to gain surreptitious access to a victim's email correspondence via the Google API. "In this campaign, the attackers focused their attention on corporate email communications hos
- News · Jul 2, 2026Webinar: Why traditional email security is no longer enough
Modern phishing, business email compromise, and account takeover attacks increasingly exploit trusted identities and legitimate business workflows, making them harder for traditional email defenses to detect. This webinar explores how behavioral AI can help organizations automate
- News · Jul 1, 2026Amazon fined $2.25M for withholding evidence from fraud victims
The U.S. Federal Trade Commission (FTC) says Amazon will pay a $2.25 million civil penalty to settle charges that it blocked identity theft victims' access to transaction records. [...]
- News · Jul 1, 2026Azure CLI Password Spray Hits at Least 78 Microsoft Accounts in 81M+ Attempts
Cybersecurity researchers have warned of a "massive, ongoing, automated password spray attack" aimed at Microsoft's Azure command-line interface (CLI), compromising dozens of accounts in the process. The activity, per Huntress, originates from an IPv6 address range (2a0a:d683::/3
- News · Jul 1, 2026Lessons from the Underground: How to Combat Business Email Compromise
Business Email Compromise is more than an email scam. It's a coordinated operation involving compromised accounts, financial research, and cash-out networks. Flare explores how underground forums reveal how BEC attacks are planned and executed. [...]
- News · Jun 30, 2026Attackers Exploit SimpleHelp CVE-2026-48558 to Deploy TaskWeaver and Djinn Stealer
An unknown threat actor has been observed exploiting a recently disclosed maximum-severity security flaw in SimpleHelp to deliver two previously unreported malware families, TaskWeaver and Djinn Stealer. The intrusion involves the exploitation of CVE-2026-48558 (CVSS score: 10.0)
- News · Jun 30, 2026India’s central bank mandated use of .bank domains to enhance trust – but its registry leaked sensitive info
Open API could reveal everything an attacker needs to impersonate bank officials
- News · Jun 30, 2026NAIC says public data stolen in ShinyHunters' PeopleSoft breach
The National Association of Insurance Commissioners (NAIC) says the ShinyHunters extortion group stole only publicly available data, outdated logs, and configuration files after breaching its systems by exploiting a zero-day vulnerability in an Oracle PeopleSoft server. [...]
- News · Jun 30, 2026New BioShocking Attack Tricks AI Browsers Into Leaking User Credentials
Convince an AI browser that it is playing a game, and it can hand over your login details. That is the finding behind BioShocking, a technique from security firm LayerX that tricked six AI browsers and assistants into copying a user's credentials and sending them to an attacker.
- News · Jun 30, 2026Oracle E-Business Suite Flaw CVE-2026-46817 Actively Exploited in the Wild
A critical security flaw impacting Oracle E-Business Suite has come under active exploitation in the wild, according to Defused Cyber. The vulnerability, tracked as CVE-2026-46817 (CVSS score: 9.8), refers to an improper privilege management and authentication flaw in Oracle Paym
- News · Jun 30, 2026⚡ Weekly Recap: Linux Kernel Flaws, AI Malware Tricks, Turla Backdoor, Infostealers and More
This week was a reminder that attackers do not always need big tricks. One small mistake, one old access path, one missed patch, and suddenly the door is open. The noise is not all noise, either. Forums are talking, researchers are finding easy cracks, and defenders have more cle
- News · Jun 29, 2026Agentic AI Has an Identity Problem and Attackers Know It
AI agents can access data, trigger workflows, and take action across enterprise systems. Token Security explains why governing these privileged identities is becoming essential for enterprise security. [...]
- News · Jun 29, 2026AI may be good at finding security vulnerabilities, but it can't beat human stupidity
You don't need Mythos or GPT-5.5-Cyber to find a vuln to exploit when the world's password habits are so sloppy
- News · Jun 29, 2026Hijacked npm and Go Packages Use VS Code Tasks to Deploy Python Infostealer
Cybersecurity researchers have uncovered two hijacked npm packages and a cluster of Go packages that are designed to deploy a Python-based information stealer on compromised Windows, Linux, and macOS hosts. "This attack avoids the most common npm execution paths through lifecycle
- News · Jun 29, 2026Microsoft Removes 119 Edge Extensions That Hid Malware in Images and Fonts
Microsoft has shut down a long-running malicious extension operation on the Edge Add-ons store that hid its payloads inside ordinary image and font files, then woke up days after install to steal credentials and run ad fraud. The company calls it StegoAd, a mash-up of steganograp
- News · Jun 29, 2026Public PoC Released for Critical libssh2 CVE-2026-55200 Client-Side SSH Flaw
A public proof-of-concept is now out for CVE-2026-55200, a critical flaw in libssh2 that lets a malicious or compromised SSH server trigger memory corruption on a connecting client, with possible code execution. No credentials, no user interaction. The bug affects every release u
- News · Jun 29, 2026Why Post-Quantum Cryptography Starts With Credentials
Today’s encrypted data, such as credentials, may no longer remain confidential in the future because the public-key cryptography protecting it will soon be broken by quantum computers. Although no machine today can break elliptic curve cryptography or RSA, quantum hardware is adv
- News · Jun 28, 2026Ukraine Says Russian Intelligence Used Fake Support Texts to Steal Messaging Credentials
The Security Service of Ukraine (SSU) said it, together with the U.S. Federal Bureau of Investigation (FBI), uncovered a long-running campaign orchestrated by Russian intelligence services to break into the messaging accounts of government officials, military personnel, politicia
- News · Jun 27, 2026Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs
A high-severity flaw in Amazon Q Developer let a malicious repository run commands and steal a developer's cloud credentials. The path was short: a developer opens the repo, trusts the workspace, and Amazon Q does the rest. Amazon has patched it. Tracked as CVE-2026-12957 (CVSS 8
- News · Jun 26, 2026Guardian Agents: The Next Layer of Identity Governance
AI agents are moving through enterprise environments, inheriting permissions, traversing systems, and executing decisions at machine speed with minimal oversight. The identity infrastructure built to govern human access wasn't designed for autonomous actors, and the gap between w
- News · Jun 26, 2026Miasma campaign poisons 20-plus npm packages, hunts for developer secrets
Microsoft says latest attack targets Leo Platform and RStreams packages, harvesting creds and going after more maintainers
- News · Jun 26, 2026Security boss thought MFA would be too much security
One rule for the workers, another for execs
- News · Jun 25, 2026‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm
For the past four years, a sprawling Android-based botnet called Popa has forced millions of consumer TV boxes to relay Internet traffic linked to advertising fraud, account takeovers, and mass data-scraping efforts. This week, researchers from multiple security firms concluded t
- News · Jun 25, 2026Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered
A coordinated law enforcement operation, in partnership with private sector companies, including Bitdefender, Bitsight, ESET, and Microsoft, has resulted in the takedown of criminal infrastructure powering Amadey and StealC. "The main common goal was to disrupt the 'assembly line
- News · Jun 25, 2026Britain's privacy watchdog quits after 'poor judgment' admission
John Edwards says his position had become 'untenable' following investigation into conduct including inappropriate attempts at humor
- News · Jun 25, 2026CISA Admin Leaked AWS GovCloud Keys on Github
Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts
- News · Jun 25, 2026Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts
The Instagram accounts for the Obama White House and the Chief Master Sergeant of the U.S. Space Force were briefly defaced with pro-Iranian images and messages over the weekend, after instructions began circulating on Telegram showing how to trick Meta's "AI support assistant" b
- News · Jun 25, 2026Lawmakers Demand Answers as CISA Tries to Contain Data Leak
Lawmakers in both houses of Congress are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) after KrebsOnSecurity reported this week that a CISA contractor intentionally published AWS GovCloud keys and a vast trove of other agency secrets o
- News · Jun 25, 2026London cops bring live facial recognition to West End
'Permanent biometric surveillance of the public square' incompatible with policing by consent, say critics
- News · Jun 25, 2026Massive password-stealing attack hits 75k Fortinet firewalls
Why are you even reading this?! Rotate your passwords!!
- News · Jun 25, 2026Securing the service desk: Why social engineering attacks keep succeeding
Service desks have become a favored target for attackers seeking password resets, MFA changes, and access to corporate accounts. Specops Software breaks down how service desk social engineering attacks work and how organizations can defend against them. [...]
- News · Jun 25, 2026Surviving the Mythos Era: Richard Bejtlich on the Case for NDR
Despite the abundance of telemetry at analysts’ disposal, many security operations teams struggle to answer a few basic questions during incident investigation: What happened? What evidence do we have? How do we know we’re seeing it all, in context? Answering these questions requ
- News · Jun 25, 2026UK school’s network left wide open for invasion, student found
And the admin password was right in the Active Directory description field
- News · Jun 25, 2026Webinar: Why account takeovers remain one of the hardest threats to stop
Account takeover attacks continue to challenge security teams because attackers often operate through legitimate accounts and trusted services. This webinar explores how behavioral AI can help organizations identify compromised accounts faster and automate response workflows. [..
- News · Jun 25, 2026Who Runs the Ransomware Group ‘The Gentlemen?’
A cybercrime group known as The Gentlemen has emerged as the second most active ransomware gang by victim count, rapidly attracting a talented pool of hackers through an aggressive recruitment strategy that promises affiliates 90 percent of any ransom paid by victims. This post e
- News · Jun 25, 2026You have got to be KDDI-ng – Japanese telco exposes 14.2 million managed email credentials
Five ISPs and plenty of users await their fate
- News · Jun 24, 2026145 Mastra npm Packages Compromised via Hijacked Contributor Account
As many as 145 npm packages associated with the Mastra namespace ("@mastra/*"), a popular open-source JavaScript and TypeScript framework for building artificial intelligence (AI) applications, have been compromised as part of a software supply chain attack codenamed easy-day-js,
- News · Jun 24, 202629-Year-Old Squid Proxy Bug 'Squidbleed' Can Leak Cleartext HTTP Requests
A heap over-read in the Squid web proxy can leak another user's cleartext HTTP request, including any credentials or session tokens it carries, to anyone already allowed to send traffic through the same proxy. The bug traces to a 1997 FTP-parsing change and is still live in Squid
- News · Jun 24, 2026AutoJack Attack Lets One Web Page Hijack AI Agent for Host Code Execution
Microsoft researchers have detailed an exploit chain, named AutoJack, that turns an AI browsing agent into a delivery vehicle for remote code execution. Steer the agent to load an attacker's web page, and that page's JavaScript can reach a privileged local service on the same mac
- News · Jun 24, 2026CISA Warns Fortinet Customers as FortiBleed Hits 86,644 FortiGate Devices
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday urged Fortinet customers with FortiGate appliances to take steps to secure against ongoing malicious activity aimed at thousands of internet-accessible devices. The sweeping campaign, believed to be the
- News · Jun 24, 2026Crypto Clipper Campaign Abuses Fake Reviews, AI Narrators, and VirusTotal Comments
An unknown threat actor has been observed leveraging paid or promoted posts on legitimate news websites to drum up buzz for their warez, according to new findings from Check Point Research. The threat actor also has at their disposal a dedicated WordPress phishing page that acts
- News · Jun 24, 2026Dawn of the Apex Agentic Adversary
We are standing at the end of an era we never thought to mourn: the era of human-speed threats. For years, cybersecurity moved to a rhythm organizations could follow. A researcher found a bug, a CVE was cataloged, a vendor navigated a patch cycle, and weeks or even months later,
- News · Jun 24, 2026DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic
Threat actors associated with the DragonForce ransomware have been observed using a custom Go-based remote access trojan (RAT) called Backdoor.Turn to conceal command-and-control (C2) traffic inside Microsoft Teams relay infrastructure. According to findings from Broadcom-owned S
- News · Jun 24, 2026FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation
A Russian-speaking initial access broker (IAB) driven by financial gain is assessed to be behind a large-scale credential-harvesting operation known as FortiBleed that has targeted over 430,000 FortiGate firewalls globally. The campaign, active since February 2026, involves colle
- News · Jun 24, 2026Google Sets Sept. 30 Deadline for Android Developer Verification in Four Countries
Google has set September 30, 2026, as the day it begins enforcing Android developer verification in the first four countries, and the major device-maker app stores are in from the start. On that date, certified Android phones in Brazil, Indonesia, Singapore, and Thailand will blo
- News · Jun 24, 2026Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys
Threat actors are exploiting a recently patched security flaw impacting Gravity SMTP, a WordPress plugin that's installed on about 100,000 sites. The vulnerability, tracked as CVE-2026-4020 (CVSS score: 5.3), is a medium-severity information disclosure flaw that can allow unauthe
- News · Jun 24, 2026Junior Hacker Used Tailscale and OpenSSH to Keep Access After His C2 Went Offline
A French-speaking attacker broke into a small French automotive business, planted a keylogger, and stole banking and email credentials. Ordinary stuff, until one move near the end. Before his command-and-control server went dark, he installed OpenSSH and Tailscale on a victim's m
- News · Jun 24, 2026LastPass confirms data breach in Klue supply chain attack
LastPass announced that hackers accessed customer data from its Salesforce environment after stealing the company's OAuth tokens in the Klue supply chain attack earlier this month. [...]
- News · Jun 24, 2026New macOS ClickFix attack silently mounts DMGs to push infostealer
A new macOS ClickFix campaign is using Terminal commands to silently download, mount, and launch info-stealing malware from malicious disk image (DMG) files. [...]
- News · Jun 24, 2026Operation Endgame Disrupts SocGholish Servers, Cleans 14,971 WordPress Sites
Dutch law enforcement authorities, along with counterparts from Canada , Germany, and the U.S., have disrupted malicious infrastructure associated with SocGholish and cleaned up nearly 15,000 infected WordPress websites. "With these actions we deprive cybercriminals of access to
- News · Jun 24, 2026Researchers Detail DifyTap Flaws in Dify That Could Expose AI Chats Across Tenants
Cybersecurity researchers have disclosed details of four vulnerabilities in Dify, an open-source agentic workflow platform with more than 146,000 GitHub stars, that could allow attackers to stealthily read artificial intelligence (AI) conversions from other customers' application
- News · Jun 24, 2026Salesforce Disables Klue App Integration After OAuth Token Abuse Exposes Customer Data
Salesforce has revealed that it disabled the Klue Battlecards app integration within its platform in response to a security incident impacting the competitive intelligence company on June 11, 2026. To that end, organizations will be unable to connect to Salesforce via the app unt
- News · Jun 24, 2026The Scripts on Your Checkout Page Are Now a PCI DSS Problem
An independent PCI assessor tested Reflectiz against the new PCI DSS rules. Here is the verdict: See the full QSA assessment here → When a customer types their card number into your checkout, their browser is running far more than your code. Analytics tags, a tag manager, a suppo
- News · Jun 24, 2026⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
It’s Monday again. This week’s threat list looks painfully familiar: abused integrations, fake tools, poisoned websites, ransomware crews trying to shut down security tools, and mobile malware asking for way too much control. The annoying part is how little of this feels new. Wea
- News · Jun 23, 2026A Glimpse into the “Search Your Target” Market for Stolen Credentials
Attackers no longer need to sift through massive credential dumps. They can pay others to do it for them. Flare explores how an emerging underground market searches stolen credential databases for specific companies, domains, and accounts. [...]
- News · Jun 23, 2026FortiBleed campaign used custom FortiGate sniffer to steal credentials
Security firm SOCRadar says the large-scale FortiBleed campaign targeting Fortinet FortiGate devices used custom sniffers to harvest authentication secrets from compromised firewalls and steal credentials. [...]
- News · Jun 23, 2026Klue OAuth breach victim list grows as Icarus hackers claim attack
Market intelligence platform Klue has publicly confirmed a recent security incident that allowed threat actors to steal OAuth tokens used to connect to customers' Salesforce environments, as the new "Icarus" extortion group publicly claims the attack. [...]
- News · Jun 23, 2026Webinar: Why email security teams are drowning in alerts
Phishing, BEC, and account takeover attacks continue to overwhelm security teams with alerts and investigations. This webinar explores how behavioral AI can help automate detection and response workflows, reducing alert fatigue and improving operational efficiency. [...]
- News · Jan 20, 2026Microsoft reports identity attacks dominated by password attacks
Microsoft research found the overwhelming majority of identity attacks target passwords, and that phishing-resistant MFA blocks over 99% of them.
- News · Nov 10, 2025IBM reports global average data breach cost eased to $4.44M
IBM Cost of a Data Breach research showed a modest decline in average breach cost, driven by faster identification and containment.
- News · Jul 8, 2025Infostealer-driven session and token theft surges
Threat researchers reported a sharp rise in infostealer malware harvesting credentials and live session cookies, enabling attackers to bypass MFA.
- News · Jun 19, 2025Report describes a 16 billion credential compilation circulating online
Researchers described one of the largest aggregations of stolen credentials to date, largely sourced from infostealer logs and prior breaches.
- News · Apr 23, 2025Verizon DBIR finds credentials and the human element central to breaches
The annual Data Breach Investigations Report again highlighted stolen credentials, phishing, and the human element as dominant breach factors.
- News · Feb 4, 2025Vendors warn of surge in deepfake-driven identity verification fraud
Verification vendors reported rapid growth in deepfake and injection attacks against remote identity proofing, raising the bar for liveness detection.
- News · Nov 12, 2024Scattered Spider help-desk social engineering drives identity attacks
Authorities warned that the Scattered Spider group continued to bypass MFA through help-desk social engineering and SIM swapping, hitting major enterprises.
- News · Jul 4, 2024RockYou2024 compilation exposes billions of leaked passwords
Researchers reported a massive aggregation of previously leaked passwords, a reminder that credential reuse keeps fueling account-takeover attacks.