Ticker feed
A state-sponsored hacking group, likely from China, has compromised at least 70 organizations across 37 countries in what Palo Alto Networks calls the "Shadow Campaign." The cyberspies targeted government agencies, including parliaments, law enforcement, border control, and national telecommunications companies in 155 countries.
The group, tracked as TGR-STA-1030, has been active since at least January 2024 and operates in the GMT+8 timezone. They use sophisticated email phishing to install malware and deploy "ShadowGuard," a previously unknown Linux rootkit that helps them stay hidden.
Targets include finance ministries, counter-terrorism organizations, and a senior elected official. Palo Alto warns the campaign poses serious long-term risks to national security and critical services.
Source: Security Week
BeyondTrust disclosed a critical zero-day vulnerability (CVE-2026-1731) in its Remote Support and Privileged Remote Access platforms that lets attackers execute commands without authentication. The flaw affects Remote Support versions 25.3.1 and earlier, plus Privileged Remote Access versions 24.3.4 and prior.
SaaS customers received automatic patches on February 2, 2026, but self-hosted users must manually apply patches BT26-02-RS or BT26-02-PRA. Older versions need upgrades first before patching.
Discovered by Harsh Jaiswal and Hacktron AI using variant analysis, this vulnerability poses severe risks since BeyondTrust products manage privileged access across enterprise networks. Successful attacks could compromise entire organizational infrastructures.
Source: Cybersecurity News
Michael, a 47-year-old Victorian schoolteacher, had his digital identity stolen after applying for rentals online in November and December. Someone used his passport details to transfer his phone number, then accessed his bank and superannuation accounts to make unauthorized transfers.
His case highlights broader security concerns with rental platforms. Guardian Australia found millions of leasing documents on seven platforms could be accessed without authentication. A new report identified 57 rental tech platforms in Australia, with some collecting up to 50 different data fields per applicant.
Experts warn renters don't understand where their data goes or how secure these platforms are, calling for stronger regulation of the sector.
Source: The Guardian
A sophisticated supply chain attack targeting Notepad++ users ran from June to December 2025, with attackers compromising the software's hosting provider to hijack update traffic. Instead of exploiting the code itself, hackers redirected users to malicious servers that served compromised executables through the built-in WinGUp updater.
Security analysts believe Chinese state-sponsored actors were behind the highly targeted operation, which selectively focused on Notepad++ while ignoring other customers on the shared hosting server. The attackers maintained access through exposed credentials until December 2025, even after losing direct server access in September following security updates.
The hosting provider has since rotated all credentials and patched vulnerabilities, with no other customers affected.
Source: Infosecurity Magazine
The Molly Rose Foundation has issued a public warning about the "Com" - a global hacking network targeting vulnerable children for sexual abuse, self-harm, and suicide. The loose community of teenagers and young adults operates across Discord and Telegram, preying on children through gaming platforms and fake support groups.
The network includes three main groups: Sadism Com (sexual exploitation), Terror Com (promoting extremist ideologies), and Finance Com (corporate hacking). Members have been linked to major retailer breaches and serious crimes, including Cameron Finnigan's nine-year sentence for encouraging suicide online.
Victims, particularly girls and neurodivergent children, face rapid escalation of abuse within hours of contact. UK Minister Jess Phillips vowed to "hunt down perpetrators" and shut down these networks.
Source: The Guardian
Newsletter platform Substack disclosed a security breach after hackers leaked data from nearly 700,000 user accounts on cybercrime forums. The October 2025 attack exposed email addresses, phone numbers, names, and profile information, but passwords and payment details remained secure.
CEO Chris Best notified the platform's 35 million subscribers on February 3, months after the initial breach. The hacker described their "scraping" attack as "noisy," which helped Substack detect and stop it quickly.
While there's no evidence the stolen data has been misused, users should watch for suspicious emails and texts targeting the compromised information.
Source: Security Week
Researchers discovered two serious vulnerabilities in Google Looker, a business intelligence platform used by over 60,000 companies including Walmart and Coinbase. The first bug allows SQL injection attacks to steal internal database secrets through error messages. The second, more dangerous flaw enables remote code execution by manipulating Git hooks through a complex exploit chain involving path traversal and race conditions.
On Google Cloud Platform, attackers could potentially access other customers' data due to shared infrastructure. Google has patched both issues, but organizations using on-premises deployments must manually update. The fixes require significant downtime and testing, which may delay critical updates for this central data hub.
Source: Dark Reading
Kyle Svara, 27, of Oswego, Illinois, pleaded guilty in Boston federal court to hacking women's Snapchat accounts to steal and sell nude photos. Between May 2020 and February 2021, Svara impersonated Snapchat employees to trick over 4,500 women into sharing access codes. He successfully breached 570 accounts and downloaded explicit images from 59 of them.
Svara then sold or traded these stolen photos on internet forums, including to former Northeastern University track coach Steve Waithe, who had hired him to target female student athletes. Waithe was already sentenced to five years in prison for related crimes. Svara faces over 20 years behind bars for charges including identity theft, wire fraud, and computer fraud.
Source: CBS Chicago
Orca Security discovered that GitHub Codespaces automatically executes VS Code configuration files when users open repositories or pull requests, creating a pathway for supply chain attacks. Attackers can embed malicious commands in JSON files within the .vscode/ folder that execute without user approval.
The vulnerability allows hackers to steal GitHub tokens, Codespaces secrets, and other sensitive data. In one attack scenario, bad actors could fork public repositories, create malicious pull requests, and when maintainers open them via Codespaces, their GitHub tokens get compromised. This enables attackers to push verified code as legitimate maintainers.
Microsoft told Orca this behavior is intentional, raising concerns about the security implications of automated configuration execution in cloud development environments.
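One defensive check a maintainer can run on an incoming pull request before opening it in Codespaces, as an added example that is not part of the SecurityWeek story or Orca's research: it parses the repository's .vscode/tasks.json and flags tasks configured to start automatically on folder open (the runOptions.runOn setting is a documented VS Code task option; the sample file below is constructed, and the comment stripper assumes only full-line // comments).

```python
import json
from pathlib import Path
from typing import Any

# Constructed sample of a .vscode/tasks.json: one ordinary build task and one
# task that VS Code (and therefore Codespaces) starts as soon as the folder
# is opened, with no prompt. Illustrative input, not a file from the report.
SAMPLE_TASKS_JSON = """
{
  // VS Code accepts comments in this file
  "version": "2.0.0",
  "tasks": [
    { "label": "build", "type": "shell", "command": "npm run build" },
    {
      "label": "bootstrap",
      "type": "shell",
      "command": "./scripts/bootstrap.sh",
      "runOptions": { "runOn": "folderOpen" }
    }
  ]
}
"""


def strip_line_comments(text: str) -> str:
    """Drop full-line // comments so json.loads accepts VS Code's JSONC."""
    kept = [ln for ln in text.splitlines() if not ln.strip().startswith("//")]
    return "\n".join(kept)


def find_auto_run_tasks(tasks_json: str) -> list[dict[str, Any]]:
    """Return the tasks that would run on folder open without user approval."""
    doc = json.loads(strip_line_comments(tasks_json))
    flagged = []
    for task in doc.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            flagged.append({"label": task.get("label"), "command": task.get("command")})
    return flagged


def scan_checkout(repo_root: str) -> list[dict[str, Any]]:
    """Scan a checked-out repository (e.g. a PR branch) for auto-run tasks."""
    tasks_file = Path(repo_root) / ".vscode" / "tasks.json"
    if not tasks_file.is_file():
        return []
    return find_auto_run_tasks(tasks_file.read_text(encoding="utf-8"))


if __name__ == "__main__":
    for hit in find_auto_run_tasks(SAMPLE_TASKS_JSON):
        print(f"auto-run task '{hit['label']}' executes: {hit['command']}")
```

Run scan_checkout on the PR branch in a plain container or locally, not inside Codespaces, since opening the folder there is exactly what triggers the task.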
Source: SecurityWeek
Cybercriminals are exploiting a sneaky new trick: using Windows screensaver files (.scr) to slip past security defenses and compromise organizations. ReliaQuest researchers discovered attackers sending business-themed phishing emails with links to malicious screensaver files hosted on cloud storage platforms.
The clever part? Most people don't realize screensaver files are actually executable programs that can run any code. This makes them perfect for bypassing security tools that might catch traditional malware.
Once victims download and run these files, they install legitimate remote management tools like JWrapper, giving hackers full control over the infected computer. From there, attackers can steal data, spread through networks, or deploy ransomware.
Source: Dark Reading