Cybersecurity Center

Cybersecurity News

  • U.S. Sanctions First VPN Service and Malware Cryptor Seller Over Ransomware Support (Tuesday July 14, 2026)
    The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has designated two individuals and a VPN service provider for enabling ransomware actors' and other cybercriminals' malicious activities, including ransomware attacks against Americans. The VPN, named First VPN Service (1VPNS), has been accused of offering its tools to ransomware groups, along with its 45-year-old Ukrainian (HackerNews)
  • 148 npm Packages Disguised as Student Proxies Turned Browsers Into a DDoS Botnet (Tuesday July 14, 2026)
    A campaign of 148 npm packages disguised as student web proxies turned visitors' browsers into a distributed denial-of-service botnet for roughly two weeks in May, according to new research from JFrog. The packages did not go after the developers who might install them. The operators used the registry as free hosting for a booby-trapped proxy site and let the students who came to dodge (HackerNews)
  • Microsoft Maps Three Salesforce Attack Paths Tied to a Year of ShinyHunters Activity (Tuesday July 14, 2026)
    Attackers whose methods line up with the data-extortion group ShinyHunters have spent the past year walking into corporate Salesforce environments without exploiting a single flaw in the platform. The way in has been the trust the organization had already extended, usually through the OAuth connections that tie Salesforce to the apps and third-party vendors around it. In  (HackerNews)
  • CrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper Checks (Monday July 13, 2026)
    Cybersecurity researchers have flagged a new macOS information stealer called CrashStealer that's capable of harvesting sensitive data from compromised systems. Unlike other information stealers that are built on AppleScript droppers or Objective-C-based wrappers, CrashStealer is implemented in native C++, according to Jamf Threat Labs. "It validates the victim's login password locally before (HackerNews)
  • Google and Microsoft Pull ModHeader With 1.6 Million Installs After Dormant Collector Found (Monday July 13, 2026)
    Google and Microsoft have pulled ModHeader, a popular header-editing extension with roughly 1.6 million installs across Chrome and Edge, after researchers found a hidden browsing-history collector built into its official store version. The collector was dormant. An empty allow-list kept it switched off, and no proof has emerged that it ever gathered or sent a single browsing domain. The (HackerNews)
  • ⚡ Weekly Recap: ShareFile Threat, Citrix Bleed 2 Ransomware, AI Coding Attacks, and More (Monday July 13, 2026)
    Somewhere right now, a security tool is quietly finding bugs faster than any human can fix them. That's supposed to be the good news. The catch is that the attackers have the same tools, pointed the other way, and they don't file tickets. That's the shape of this week. Trusted code turns on the people who installed it. Old bugs from last year are still landing because the fix sat in a queue too (HackerNews)
  • Lessons Learned from CISA’s Recent GitHub Leak (Monday July 13, 2026)
    The Cybersecurity and Infrastructure Security Agency (CISA) has issued a postmortem on a data leak in which a contractor published dozens of internal CISA credentials -- including AWS Govcloud keys -- in a public GitHub repository for almost six months before being notified by KrebsOnSecurity. Experts say the gaps identified in the agency's initial response provide important lessons that all security teams should absorb. (KrebsOnSecurity)
  • New MemGhost Attack Plants Persistent False Memories in AI Agents Through One Email (Monday July 13, 2026)
    Give an AI assistant a memory and access to your inbox, and you hand an attacker a way to rewrite what it thinks it knows about you. A single email can trick that agent into saving a false "fact" about the user, hide the change, and quietly steer its answers in later sessions. When it works, the person reads an ordinary-looking reply and never learns their assistant was tampered with. The (HackerNews)
  • Forg365 PhaaS Targets Microsoft 365 with Device Code and AitM Session Theft (Monday July 13, 2026)
    A new phishing-as-a-service (PhaaS) operation called Forg365 is using a combination of device code phishing, adversary-in-the-middle (AitM) tactics, antibot evasion, artificial intelligence (AI)-assisted lure creation, and post-compromise mailbox operations targeting Microsoft 365 accounts. Distributed via Telegram and costing $400 a month (or $3,800 per year), attack chains leverage phishing (HackerNews)
  • Meta Files Patent for AI That Can Listen All Day and Track How You're Feeling (Monday July 13, 2026)
    Meta has filed a patent application for an AI that listens to your voice throughout the day, works out how it thinks you are feeling from the way you sound, and keeps a timestamped log of every read. Each read gets pinned to the moment it happened: the time, your location, what you were doing, even how you were using your phone. Some versions in the filing would listen all day; others would (HackerNews)
  • Thinking Fast and Slow in the SOC: The Case for Combining Autonomous AI with Analyst Copilots (Monday July 13, 2026)
    A few days ago, I was sitting with the CISO of a Fortune 50 company, walking through how his security team was thinking about AI agents in the SOC. Smart team. Serious program. They had already connected Claude to a few detection tools and were seeing real value in specific investigations. But as we mapped out the broader architecture, something kept nagging at me. The design they were building (HackerNews)
  • Attacker Uses Suspected AI-Generated PowerShell Script to Map Active Directory (Monday July 13, 2026)
    Cybersecurity researchers have flagged an intrusion in which an unknown threat actor leveraged a vibe-coded PowerShell script for Active Directory (AD) enumeration. "The script looked for the Domain Controller (DC) and mapped users, computers, and domains, before creating a directory and exporting out a number of files, and finally creating AD_Report.html to measure the success of the (HackerNews)
  • Misconfigured Server Reveals Three Evilginx Phishing Operations Targeting Microsoft 365 (Monday July 13, 2026)
    An attacker running a live Microsoft 365 phishing operation left a Python web server listening on a public port with directory listing switched on. The command that did it: python3 -m http.server 8080, was still sitting in the readable .bash_history. From that one lapse, French security firm Lexfo lifted the operator's entire toolkit and pivoted through it to two more (HackerNews)
  • iCagenda and Balbooa Forms Joomla Flaws Reportedly Exploited as Zero-Days (Monday July 13, 2026)
    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two maximum-severity security flaws impacting iCagenda and Balbooa extensions for Joomla to its Known Exploited Vulnerabilities (KEV) catalog, following reports of zero-day exploitation in the wild. The vulnerabilities, both rated 10.0 on the CVSS scoring system, are below - CVE-2026-48939 - A vulnerability in the (HackerNews)
  • Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install (Saturday July 11, 2026)
    The jscrambler npm package was compromised, and simply installing its 8.14.0 release runs an infostealer on your machine. Published on July 11, 2026, the malicious version carries a preinstall hook that drops and executes a native binary, one build each for Windows, macOS, and Linux. Socket flagged the release six minutes after it was published. If you or one of your (HackerNews)
  • Hackers Weaponize Balochistan Police Portal in Multi-Group Espionage Campaigns (Saturday July 11, 2026)
    Cybersecurity researchers have disclosed details of sustained cyber espionage activity against several Pakistani law enforcement organizations undertaken by suspected China- and India-aligned threat actors between February 2024 and April 2026. "At Balochistan Police, the compromised assets included servers hosting web applications that manage police and citizen data, such as criminal and (HackerNews)
  • Critical Zimbra Flaw Could Let Crafted Emails Run Malicious Code in User Sessions (Saturday July 11, 2026)
    Zimbra is urging customers to apply updates to address a critical security vulnerability impacting the Classic Web Client that could result in arbitrary code execution. The vulnerability has been described as a case of stored cross-site scripting (XSS) that could allow specially crafted emails to execute malicious scripts in a user's session. It has yet to be assigned a CVE identifier. "The (HackerNews)
  • URGENT - Progress Tells ShareFile Customers to Shut Down Storage Zone Controllers Over Security Threat (Friday July 10, 2026)
    Progress Software has told ShareFile customers to shut down the Windows servers running their Storage Zone Controllers, confirming to The Hacker News that it is responding to a "credible external security threat." The company has temporarily disabled access to the affected accounts, a step it says it took "out of an abundance of caution" while it works with internal and external security (HackerNews)
  • Injective Labs GitHub Compromise Pushes Wallet-Key-Stealing npm Packages (Friday July 10, 2026)
    Unknown threat actors compromised the Injective Labs SDK project's GitHub repository and leveraged it to publish a malicious package on the npm registry to steal cryptocurrency wallet private keys and mnemonic seed phrases. The compromised version, @injectivelabs/sdk-ts@1.20.21, came embedded with fake telemetry functionality that exfiltrated data from cryptocurrency wallets. The version was (HackerNews)
  • Six New U-Boot Flaws Could Let Malicious Images Crash Devices or Run Code at Boot (Friday July 10, 2026)
    Researchers at firmware security firm Binarly have found six new flaws in U-Boot, the small program that starts up hardware as varied as home routers, smart cameras, and the management chips inside data-center servers. Four of the bugs can crash a device. The other two could let an attacker who slips a malicious image in front of the bootloader run their own code, before the device (HackerNews)
  • Laser Attack Resets Tangem Wallet Passwords on Cards That Can't Be Patched (Friday July 10, 2026)
    Researchers at Ledger's Donjon security team have shown that a precisely timed laser pulse, aimed at the chip inside a Tangem crypto wallet card, can reset the card's password to anything the attacker picks. No old password. No backup card. Once it is reset, whoever did it controls the wallet and can move the coins out. This is not an emergency for most owners. The attack needs (HackerNews)
  • Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws (Friday July 10, 2026)
    Details have emerged about three now-patched security flaws in the OpenClaw personal artificial intelligence (AI) assistant that, if successfully exploited, could enable credential theft, privilege escalation, and arbitrary code execution on the host. A brief description of the high-severity vulnerabilities is as follows - GHSA-hjr6-g723-hmfm (CVSS score: 8.8) - An operating system (HackerNews)
  • New MODBEACON RAT Uses gRPC Streaming for Encrypted C2 Traffic (Friday July 10, 2026)
    The China-linked cybercrime group known as Silver Fox has been attributed to a new Rust-based remote access trojan (RAR) called MODBEACON. Chinese cybersecurity company QiAnXin said that while the threat cluster may appear like a low-sophistication, high-activity operation that propagates malware via counterfeit installers using SEO poisoning techniques, it belies their true organizational (HackerNews)
  • Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers (Friday July 10, 2026)
    A single wrong variable on one line in XQUIC, Alibaba's QUIC and HTTP/3 library, lets any remote client crash the server with a short burst of completely legal traffic. There is no patch. FoxIO researcher Sébastien Féry disclosed the flaw on July 8 and nicknamed it XRING. He says it needs no login and no malformed packets: about 260 bytes of ordinary QPACK traffic takes the server (HackerNews)
  • Exposed Hacker Server Reveals WP-SHELLSTORM Backdooring Thousands of WordPress Sites (Friday July 10, 2026)
    A cybercrime crew left one of its own servers wide open on the internet for three weeks, and it exposed the operation's inner workings: the hacking tools, the activity logs, and target lists naming more than 1.4 million websites. Far fewer were actually broken into, but the exposed files showed researchers how a mass site-hacking operation runs from the inside. The operation, now tracked as (HackerNews)
  • Study of 281 Free Android VPN Apps Finds Traffic Leaks, Unencrypted Data, and Tracking (Friday July 10, 2026)
    Researchers ran 281 of the most popular free VPN apps on the Google Play Store through a new testing system and found that many fail at the basics people install a VPN for, i.e., keeping their traffic private and secure. The apps flagged with at least one problem have been installed more than 2.4 billion times. The problems are basic, not sophisticated. 29 apps let user traffic leak outside (HackerNews)
  • Hackers Use Fake Microsoft Entra Passkey Enrollment to Gain Microsoft 365 Access (Friday July 10, 2026)
    A threat actor has been targeting organizations spanning multiple sectors with voice-based fake security requests that prompt Microsoft 365 users to enroll a new Entra passkey with an aim to carry out data extortion attacks. The threat actor, tracked by Okta under the moniker O-UNC-066, has deployed a panel-controlled phishing kit that's capable of targeting the passkey enrollment process. The (HackerNews)
  • Attackers Exploit 'Ill Bloom' Vulnerability to Drain Over $5 Million From Cryptocurrency Wallets (Friday July 10, 2026)
    Security firm Coinspect has disclosed a crypto wallet flaw it calls Ill Bloom, and attackers are already using it. The flaw is in how some wallet software generated its recovery phrase, the words that control the money. When that phrase is made with weak randomness, an attacker can work it out and take everything it controls. The firm has confirmed one coordinated sweep on May 27 (HackerNews)
  • Ransomware Negotiator Gets 70 Months in Prison for Aiding BlackCat Attacks (Friday July 10, 2026)
    A 41-year-old former ransomware negotiator has been sentenced to nearly six years (i.e., 70 months) in prison in the U.S. for their role in conspiring with the now-defunct BlackCat ransomware operators to extort multiple victims and working with two other cybersecurity professionals to target additional victims in 2023. In a sentencing memorandum, federal prosecutors described Martino as a " (HackerNews)
  • Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs (Thursday July 09, 2026)
    Datadog Security Labs is warning of "several overlapping campaigns" that are systematically enumerating corporate GitHub organizations, repositories, and user accounts through the GitHub API. "Operators rely on automated scraping tooling with custom or legitimate-sounding user agents, leveraging GitHub 'ghost' accounts that are often years old, or compromised OAuth tokens and personal (HackerNews)
  • New GigaWiper Windows Backdoor Bundles Disk Wiping, Fake Ransomware, and Spyware (Thursday July 09, 2026)
    Microsoft has taken apart a destructive Windows backdoor it calls GigaWiper. What stands out is how it is built: not one tool but three older destructive programs bolted into one, offered as commands the operator can choose from. Each is a different way to break a machine: wipe the whole disk, overwrite the Windows drive, or run fake "ransomware" that scrambles files with a key it never saves (HackerNews)
  • npm 12 Disables Install Scripts by Default to Reduce Supply Chain Risk (Thursday July 09, 2026)
    GitHub has officially announced the release of npm version 12 with install scripts disabled by default, along with deprecating granular access tokens (GATs) designed to bypass two-factor authentication (2FA). The Microsoft-owned subsidiary noted that the following npm install behaviors that used to run automatically before have been made opt-in - allowScripts defaults to off, meaning (HackerNews)
  • ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories (Thursday July 09, 2026)
    Most security mess starts as admin work. A link gets clicked. A tool gets trusted. A bucket name gets reused. A setting stays loose because nobody wants to touch it. This week is full of that kind of damage. Not loud. Not clever. Just small gaps doing big jobs. The worst part is how normal it all looks until the bill arrives. The full ThreatsDay list is below. Global (HackerNews)
  • AI Attacks Move in Minutes. Join This Webinar on Building a Defense That Keeps Up (Thursday July 09, 2026)
    AI has changed how fast attacks move. Work that once took an attacker days now takes minutes. Using models like Mythos, attackers write tailored bait, pick targets, test what lands, and jump to the next host before your team clears the first alert. That is the gap, and it is not your fault. The tools and runbooks most teams run on were built for attackers who work at human speed. AI-driven (HackerNews)
  • Summer of Clearinghouses (Thursday July 09, 2026)
    Everyone seems to have announced a clearinghouse over the past few weeks. We did too. Ours is called Athena, and the main thing that sets it apart is that it was already real and running when we announced it — built quietly months earlier, heads down, taking findings and shipping fixes, because customers kept asking us to. We only announced it now because everyone else started announcing theirs, (HackerNews)
  • GodDamn Ransomware Uses PoisonX Driver to Disable Endpoint Defenses (Thursday July 09, 2026)
    Cybersecurity researchers have flagged a new ransomware family called GodDamn that employs the PoisonX kernel driver to neutralize security software as part of its defense evasion strategy. According to a new report published by the Threat Hunter Team from Symantec, the ransomware was first publicly spotted in the wild on May 21, 2026. It's assessed to be a rebrand of the Beast ransomware, (HackerNews)
  • Microsoft Patches RoguePlanet Defender Flaw That Can Grant SYSTEM Privileges (Thursday July 09, 2026)
    Microsoft has released security updates for a Defender vulnerability known as RoguePlanet, nearly a month after details of the flaw became public. The vulnerability, tracked as CVE-2026-50656 (CVSS score: 7.8), is a privilege escalation issue in the Microsoft Malware Protection Engine ("mpengine.dll"), which provides scanning, detection, and cleaning capabilities for its antivirus and (HackerNews)
  • Meta's New AI Image Tool Lets Others Use Your Public Instagram Photos in AI Images (Thursday July 09, 2026)
    Meta has announced that its new artificial intelligence (AI) model Muse Image lets people use public Instagram posts and reels to generate AI content, and it's enabled by default. "You can also @-mention Instagram accounts in the Meta AI app to bring specific Instagram profiles right into your images," the social media giant said in a post. "Whether you want to design a custom event invitation (HackerNews)
  • Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It (Thursday July 09, 2026)
    Ask an AI coding agent to scan open-source code for security holes, and it might run the attacker's code on your own machine instead. That is the finding in a proof-of-concept published Wednesday by the AI Now Institute, an attack it calls "Friendly Fire." It works against Anthropic's Claude Code and OpenAI's Codex when either is running in an autonomous mode that approves its own (HackerNews)
  • GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents (Thursday July 09, 2026)
    Researchers at Wiz found that a flaw in six popular AI coding assistants lets a booby-trapped code project quietly take control of a developer's computer. The assistant asks permission to edit one harmless-looking file, but the write lands on a sensitive one instead. The affected tools are Amazon Q Developer, Anthropic's Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. (HackerNews)
  • Fake 7-Zip Installers Turn Devices Into Residential Proxy Nodes (Thursday July 09, 2026)
    Cybersecurity researchers have disclosed details of a new threat actor dubbed Lurking Lizard that has been operating an end-to-end malicious residential proxy business using an infrastructure comprising more than 230 lookalike domains. The activity dates back to at least August 2022, according to DNS threat intelligence firm Infoblox. One such campaign, observed earlier this year, involved the (HackerNews)
  • AI Coding Agents Found Triggering Endpoint Security Rules Built to Catch Attackers (Wednesday July 08, 2026)
    Sophos looked at a week of its own endpoint data and found that AI coding agents such as Claude Code, Cursor, and OpenAI Codex are setting off detection rules written to catch human intruders. The agents are not malicious. They just do a lot of things that, to a behavioral engine, look exactly like an attack. Decrypting browser credentials, listing what sits in Windows' credential store, (HackerNews)
  • New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware (Wednesday July 08, 2026)
    AI coding assistants have a habit of making things up. Ask one to fetch a popular tool, and it will sometimes hand back a real-sounding name for a project that does not exist. New research, which its authors call HalluSquatting, turns that habit into an attack: work out the fake names an AI reliably invents, register them first, and wait for the assistant to fetch your trap on a user's (HackerNews)
  • Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS (Wednesday July 08, 2026)
    Ubiquiti has shipped updates to address multiple critical security flaws impacting UniFi Connect, UniFi Talk, UniFi Access, UniFi Protect, and UniFi OS that could result in privilege escalation and arbitrary command execution. The list of vulnerabilities is as follows - CVE-2026-50746 (CVSS score: 10.0) - An improper access control vulnerability in UniFi Connect Application that an attacker (HackerNews)
  • New Ghost Phishing Wave Is Breaking Traditional Email Security (Wednesday July 08, 2026)
    A recent EvilTokens campaign targeting businesses across the US and Europe is exposing a new email security blind spot. This “ghost phishing” technique keeps the malicious page hidden until it decrypts and comes to life inside the victim’s browser. For security leaders, the risk is clear: traditional URL checks may miss the attack while Microsoft 365 access, sensitive data, and response time (HackerNews)
  • SCMBANKER Malware Uses ClickFix Lures to Target Mexican Banking Users (Wednesday July 08, 2026)
    A new banking fraudulent operation is targeting customers of Mexican banks, fintech, payment processors, and cryptocurrency exchanges using ClickFix lures. The activity cluster, tracked by Elastic Security Labs under the moniker REF6045, involves infecting victims through fake CAPTCHA verification pages that deceive them into running a malicious command that installs a PowerShell toolkit dubbed (HackerNews)
  • Felons, Fraudsters Flog Offensive Cybersecurity Startup (Wednesday July 08, 2026)
    A cybersecurity startup dangling millions of dollars to acquire zero-day security vulnerabilities in popular software is run by a pair of far-right conspiracy theorists and convicted felons whose most recent ventures included fake intelligence companies and a now-defunct AI-based lobbying platform they operated under assumed names. (KrebsOnSecurity)
  • GitHub 'Verified' Commits Can Be Rewritten Into New Hashes Without Breaking Signatures (Wednesday July 08, 2026)
    New research shows that a signed Git commit's hash is not the one-of-a-kind name that much of the software world assumes it to be. Given any signed commit, someone without the signing key can mint a second commit with the same files, author, and date, and a valid signature, GitHub still stamps "Verified." Everything a reviewer would check matches. The commit's hash does not. That matters (HackerNews)
  • The Verification Step Is the New ATO Battleground in 2026 (Wednesday July 08, 2026)
    For years, account takeover (ATO) followed a predictable script. Attackers bought stolen credentials in bulk, ran them through automated tools, and waited for matches. Credential stuffing was cheap, scalable, and for defenders, relatively well understood. That era is ending. Not because attackers gave up, but because the front door finally got harder to kick in. Passkeys are now mainstream. (HackerNews)
  • GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code (Wednesday July 08, 2026)
    An AI coding assistant that refuses to answer a dangerous request in its chat box can answer it anyway if the same request is broken into small, ordinary-looking steps inside a code editor. That is the finding of a new study of GitHub Copilot by researchers Abhishek Kumar and Carsten Maple. The models they tested through Copilot, Claude from Anthropic, and Gemini from Google, refused (HackerNews)
  • China-Linked UAT-7810 Expands ORB Network With New LONGLEASH Malware (Wednesday July 08, 2026)
    A Chinese threat actor tracked as UAT-7810 is actively refining its bespoke malware to expand its Operational Relay Box (ORB) network by breaking into internet-facing networking devices. According to findings from Cisco Talos, UAT-7810 is an advanced persistent threat (APT) actor that's responsible for maintaining and proliferating LapDogs, an ORB network that first came to light in June 2025. (HackerNews)
  • 15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros (Wednesday July 08, 2026)
    Researchers at Nebula Security have disclosed GhostLock (CVE-2026-43499), a 15-year-old Linux kernel flaw that lets any logged-in user take full root control of a machine that has not been patched. The vulnerable code has shipped by default in essentially every mainstream distribution since 2011. The flaw needs no special permission, no unusual settings, and no network (HackerNews)
  • FBI Seizes NetNut Proxy Platform, Popa Botnet (Thursday July 02, 2026)
    The Federal Bureau of Investigation (FBI) said today it worked with industry partners to seize hundreds of domains associated with NetNut, a sprawling residential proxy service operated by the publicly-traded Israeli company Alarum Technologies [NASDAQ: ALAR]. The action comes roughly two weeks after KrebsOnSecurity published findings from multiple security firms connecting NetNut to the Popa botnet, a collection of at least two million devices that have been compromised by malicious software with little or no consent from victims. (KrebsOnSecurity)
  • Scattered Spider Hackers Plead Guilty on Day 1 of Trial (Tuesday June 23, 2026)
    Two men pleaded guilty in the United Kingdom this week to criminal charges stemming from an August 2024 cyberattack that crippled Transport for London, the entity responsible for the public transport network in the Greater London area. The duo were key members of a prolific cybercrime group known as Scattered Spider, and their guilty pleas came on the first day of what was expected to be a six-week trial. (KrebsOnSecurity)
  • ‘Popa’ Botnet Linked to Publicly-Traded Israeli Firm (Thursday June 18, 2026)
    For the past four years, a sprawling Android-based botnet called Popa has forced millions of consumer TV boxes to relay Internet traffic linked to advertising fraud, account takeovers, and mass data-scraping efforts. This week, researchers from multiple security firms concluded that the Popa botnet is linked to NetNut, a "residential proxy" provider operated by the publicly-traded Israeli firm Alarum Technologies Ltd [NASDAQ: ALAR]. (KrebsOnSecurity)
  • Who Runs the Ransomware Group ‘The Gentlemen?’ (Wednesday June 10, 2026)
    A cybercrime group known as The Gentlemen has emerged as the second most active ransomware gang by victim count, rapidly attracting a talented pool of hackers through an aggressive recruitment strategy that promises affiliates 90 percent of any ransom paid by victims. This post examines clues pointing to a real life identity for the administrator of The Gentlemen ransomware group. (KrebsOnSecurity)
  • A Record-Breaking Patch Tuesday for June 2026 (Tuesday June 09, 2026)
    Microsoft today released software updates to plug nearly 200 security holes across its Windows operating systems and supported software, a record number of fixes for the company's monthly Patch Tuesday cycle. Nearly three dozen of those bugs earned Microsoft's most dire "critical" rating, and exploit code for at least three of the weaknesses is now publicly available. (KrebsOnSecurity)
  • Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts (Monday June 01, 2026)
    The Instagram accounts for the Obama White House and the Chief Master Sergeant of the U.S. Space Force were briefly defaced with pro-Iranian images and messages over the weekend, after instructions began circulating on Telegram showing how to trick Meta's "AI support assistant" bot into resetting account passwords. (KrebsOnSecurity)
  • Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks (Monday May 25, 2026)
    Authorities in the Netherlands have arrested the co-owners of two related Internet hosting companies for operating IT infrastructure used by Russia to carry out cyberattacks, influence operations and disinformation campaigns inside the European Union. The two men were the focus of a 2025 KrebsOnSecurity story about how their hosting companies had assumed control over the technical infrastructure of Stark Industries Solutions, an Internet service provider sanctioned last year by the EU as a frequent staging ground for cyber mischief from Russia's intelligence agencies. (KrebsOnSecurity)
  • Lawmakers Demand Answers as CISA Tries to Contain Data Leak (Friday May 22, 2026)
    Lawmakers in both houses of Congress are demanding answers from the U.S. Cybersecurity & Infrastructure Security Agency (CISA) after KrebsOnSecurity reported this week that a CISA contractor intentionally published AWS GovCloud keys and a vast trove of other agency secrets on a public GitHub account. The inquiry comes as CISA is still struggling to contain the breach and invalidate the leaked credentials. (KrebsOnSecurity)

Disclaimer: Some Links listed are external-links and are not managed by Western Illinois University. Western Illinois University or any of its employees shall not be held liable for any improper or incorrect use of the information described and/or contained herein and assumes no responsibility for anyone's use of the information.