Ticker feed
Security firm Socket has uncovered "Operation Muck and Load" — a campaign using 222 GitHub repositories across 190 accounts to distribute Windows malware. Active since January 24, 2026, the threat actor published over 1,200 package versions, 700 of which are malicious.
The attack disguises a Go module as a legitimate DNS scanning tool. Hidden PowerShell code then pulls encrypted payloads from dead-drop platforms including Pastebin, YouTube, Instagram, Telegram, and Google Docs — making it harder to shut down.
Final payloads include AsyncRAT, Quasar RAT, Vidar infostealer, and XMRig cryptominers. GitHub users pulling Go dependencies are directly at risk.
Source: SecurityWeek
Security firm Socket has uncovered "Operation Muck and Load" — a campaign using 222 GitHub repositories across 190 accounts to distribute Windows malware. Active since January 24, 2026, the threat actor published over 1,200 package versions, 700 of which are malicious.
The attack disguises a Go module as a legitimate DNS scanning tool. Hidden PowerShell code then pulls encrypted payloads from dead-drop platforms including Pastebin, YouTube, Instagram, Telegram, and Google Docs — making it harder to shut down.
Final payloads include AsyncRAT, Quasar RAT, Vidar infostealer, and XMRig cryptominers. GitHub users pulling Go dependencies are directly at risk.
Source: SecurityWeek
Accenture confirmed a data breach this week after a hacker posted on PwnForums claiming to have stolen 35 gigabytes of internal data — including Azure access keys, SSH and RSA keys, configuration files, and source code. The threat actor posted a screenshot of a private Azure DevOps repository as proof and listed the data for sale.
Accenture said the incident has been remediated and hasn't affected operations, but offered no further details. Security experts warn the stolen data could serve as a roadmap for future attacks, given Accenture's deep access to major enterprise systems worldwide.
Source: SecurityWeek
Accenture confirmed a data breach this week after a hacker posted on PwnForums claiming to have stolen 35 gigabytes of internal data — including Azure access keys, SSH and RSA keys, configuration files, and source code. The threat actor posted a screenshot of a private Azure DevOps repository as proof and listed the data for sale.
Accenture said the incident has been remediated and hasn't affected operations, but offered no further details. Security experts warn the stolen data could serve as a roadmap for future attacks, given Accenture's deep access to major enterprise systems worldwide.
Source: SecurityWeek
A massive global cybercrime sweep has wrapped up with 5,811 arrests and $293 million in intercepted illicit assets. Operation First Light 2026 ran from January 15 to April 30, 2026, pulling in law enforcement from 97 countries under Interpol's coordination — with funding from China's Ministry of Public Security.
The operation targeted social engineering scams like romance fraud and business email compromise schemes. Authorities froze over 31,000 bank accounts, identified 15,606 suspects, and uncovered 142,000 victims worldwide. One standout bust in Eswatini revealed scammers running a full replica Brazilian police station — fake uniforms and all — to trick victims into transferring money.
Source: Infosecurity Magazine
A massive global cybercrime sweep has wrapped up with 5,811 arrests and $293 million in intercepted illicit assets. Operation First Light 2026 ran from January 15 to April 30, 2026, pulling in law enforcement from 97 countries under Interpol's coordination — with funding from China's Ministry of Public Security.
The operation targeted social engineering scams like romance fraud and business email compromise schemes. Authorities froze over 31,000 bank accounts, identified 15,606 suspects, and uncovered 142,000 victims worldwide. One standout bust in Eswatini revealed scammers running a full replica Brazilian police station — fake uniforms and all — to trick victims into transferring money.
Source: Infosecurity Magazine
A sophisticated phishing campaign is targeting marketing professionals by impersonating major brands like Coca-Cola, Netflix, OpenAI, McKinsey & Company, and Louis Vuitton. First spotted by Team Cymru's Will Thomas, the attackers send personalized job recruitment emails via legitimate HR platform PeopleForce, then route victims through nested redirects — bouncing through Salesforce's ExactTarget and real estate CRM Wise Agent — before landing on a fake Google sign-in page hosted on Netlify.
The multi-hop redirect chain bypasses basic email filters and builds false trust. Over 30 malicious domains have been identified. Password managers and advanced web filtering are recommended defenses.
Source: Dark Reading
A sophisticated phishing campaign is targeting marketing professionals by impersonating major brands like Coca-Cola, Netflix, OpenAI, McKinsey & Company, and Louis Vuitton. First spotted by Team Cymru's Will Thomas, the attackers send personalized job recruitment emails via legitimate HR platform PeopleForce, then route victims through nested redirects — bouncing through Salesforce's ExactTarget and real estate CRM Wise Agent — before landing on a fake Google sign-in page hosted on Netlify.
The multi-hop redirect chain bypasses basic email filters and builds false trust. Over 30 malicious domains have been identified. Password managers and advanced web filtering are recommended defenses.
Source: Dark Reading
Cybersecurity firm Sysdig has documented what it calls the first agentic ransomware attack — where an AI agent autonomously managed an entire extortion operation from start to finish. The late June 2026 attack, attributed to a financially motivated group called JadePuffer, exploited a Langflow vulnerability to reach a MySQL and Alibaba Nacos production server.
The AI agent ran over 600 payloads, self-corrected errors in 31 seconds, and tapped models from OpenAI, Anthropic, DeepSeek, and Gemini. A human still set up the infrastructure, but the AI handled the heavy lifting. "The skill floor for running a full ransomware operation just dropped," warned Sysdig's Michael Clark.
Source: CyberScoop
Cybersecurity firm Sysdig has documented what it calls the first agentic ransomware attack — where an AI agent autonomously managed an entire extortion operation from start to finish. The late June 2026 attack, attributed to a financially motivated group called JadePuffer, exploited a Langflow vulnerability to reach a MySQL and Alibaba Nacos production server.
The AI agent ran over 600 payloads, self-corrected errors in 31 seconds, and tapped models from OpenAI, Anthropic, DeepSeek, and Gemini. A human still set up the infrastructure, but the AI handled the heavy lifting. "The skill floor for running a full ransomware operation just dropped," warned Sysdig's Michael Clark.
Source: CyberScoop
Security researchers at Push Security have uncovered a new attack where hackers create fake OpenAI organizations — impersonating real companies — and send employees legitimate-looking invitations straight from OpenAI's own notification system. One click joins the victim to an attacker-controlled tenant with zero additional verification.
Once inside, anything the employee does — prompts, uploaded files, API calls — is visible to the attacker. The fake org even had a credit card attached to avoid suspicion. No spoofed domains, no malicious links. Just a trusted platform being weaponized against its own users.
Source: Cybersecurity News
Security researchers at Push Security have uncovered a new attack where hackers create fake OpenAI organizations — impersonating real companies — and send employees legitimate-looking invitations straight from OpenAI's own notification system. One click joins the victim to an attacker-controlled tenant with zero additional verification.
Once inside, anything the employee does — prompts, uploaded files, API calls — is visible to the attacker. The fake org even had a credit card attached to avoid suspicion. No spoofed domains, no malicious links. Just a trusted platform being weaponized against its own users.
Source: Cybersecurity News
A newly discovered threat group called "Armored Likho" is targeting government agencies and critical infrastructure across Russia, Brazil, and Kazakhstan using spear-phishing emails disguised as official government or social assistance communications.
Their main weapon is a Python-based infostealer dubbed "BusySnake" — capable of stealing passwords, cookies, cryptographic keys, and Telegram session data, while also opening backdoor access via reverse SSH tunnels. Notably, Kaspersky researchers found evidence the attackers used AI language models to generate early-stage payloads, speeding up attack development. The group's nation-state affiliation remains unconfirmed.
Source: Dark Reading
A newly discovered threat group called "Armored Likho" is targeting government agencies and critical infrastructure across Russia, Brazil, and Kazakhstan using spear-phishing emails disguised as official government or social assistance communications.
Their main weapon is a Python-based infostealer dubbed "BusySnake" — capable of stealing passwords, cookies, cryptographic keys, and Telegram session data, while also opening backdoor access via reverse SSH tunnels. Notably, Kaspersky researchers found evidence the attackers used AI language models to generate early-stage payloads, speeding up attack development. The group's nation-state affiliation remains unconfirmed.
Source: Dark Reading
North Korean hackers have been quietly compromising open source software since December 2025 in a campaign called PolinRider. Linked to the broader Contagious Interview operation, the attackers hijack legitimate GitHub maintainer accounts, inject obfuscated JavaScript loaders into real repositories, and use Git history rewriting to make the changes look old. The malware drops two payloads: the DEV#POPPER RAT and OmniStealer. So far, 162 malicious artifacts across 108 packages have been found on NPM, Packagist, Go modules, and Chrome extensions. Any developer who installed an affected package should assume their environment is compromised and remediate from a clean machine.
Source: SecurityWeek
North Korean hackers have been quietly compromising open source software since December 2025 in a campaign called PolinRider. Linked to the broader Contagious Interview operation, the attackers hijack legitimate GitHub maintainer accounts, inject obfuscated JavaScript loaders into real repositories, and use Git history rewriting to make the changes look old. The malware drops two payloads: the DEV#POPPER RAT and OmniStealer. So far, 162 malicious artifacts across 108 packages have been found on NPM, Packagist, Go modules, and Chrome extensions. Any developer who installed an affected package should assume their environment is compromised and remediate from a clean machine.
Source: SecurityWeek
A critical zero-day vulnerability in the LiteSpeed cPanel user-end plugin is being actively exploited, threatening shared hosting environments globally. Tracked as CVE-2026-54420, the flaw lets attackers with limited access — like stolen FTP credentials — escalate privileges all the way to root, breaking tenant isolation and potentially exposing every site on a shared server.
Namecheap researchers discovered the issue after spotting suspicious API call patterns, specifically rapid concurrent chaining of the generateEcCert and packageUserSize functions. LiteSpeed patched it in cPanel plugin version 2.4.8 on June 1, 2026. Admins should update immediately or remove the user-end plugin as a stopgap.
Source: Cybersecurity News
A critical zero-day vulnerability in the LiteSpeed cPanel user-end plugin is being actively exploited, threatening shared hosting environments globally. Tracked as CVE-2026-54420, the flaw lets attackers with limited access — like stolen FTP credentials — escalate privileges all the way to root, breaking tenant isolation and potentially exposing every site on a shared server.
Namecheap researchers discovered the issue after spotting suspicious API call patterns, specifically rapid concurrent chaining of the generateEcCert and packageUserSize functions. LiteSpeed patched it in cPanel plugin version 2.4.8 on June 1, 2026. Admins should update immediately or remove the user-end plugin as a stopgap.
Source: Cybersecurity News
A newly discovered Linux kernel vulnerability called "Bad Epoll" (CVE-2026-46242) lets unprivileged local users gain full root access on Linux servers, desktops, and Android devices. The flaw exploits a race condition and use-after-free bug in the kernel's epoll subsystem — a core component that can't be disabled without breaking the OS.
Researcher Jaeyoung Chung found and exploited the bug, submitting it to Google's kernelCTF program, which pays $71,337+ for working kernel exploits. The exploit achieves roughly 99% reliability and can even be chained with a Chrome renderer exploit for full kernel code execution. No workaround exists — patching is the only fix.
Source: Cybersecurity News
A newly discovered Linux kernel vulnerability called "Bad Epoll" (CVE-2026-46242) lets unprivileged local users gain full root access on Linux servers, desktops, and Android devices. The flaw exploits a race condition and use-after-free bug in the kernel's epoll subsystem — a core component that can't be disabled without breaking the OS.
Researcher Jaeyoung Chung found and exploited the bug, submitting it to Google's kernelCTF program, which pays $71,337+ for working kernel exploits. The exploit achieves roughly 99% reliability and can even be chained with a Chrome renderer exploit for full kernel code execution. No workaround exists — patching is the only fix.
Source: Cybersecurity News