// Articles
389 articles — page 8 of 17
TanStack npm Supply Chain Attack: GitHub Actions OIDC Token Hijack Used to Publish 84 Malicious Package Versions
Attackers exploited a GitHub Actions misconfiguration in the TanStack project to publish 84 malicious versions of popular React ecosystem packages to the npm registry. The attack chained a Pwn Request misconfiguration, workflow cache poisoning, and runtime OIDC token theft to operate under TanStack's trusted publisher identity.
Windows DNS Client RCE CVE-2026-41096: Attacker-Controlled DNS Servers Can Trigger Memory Corruption on All Windows Versions
CVE-2026-41096 in the Windows DNS Client allows an attacker controlling a DNS server to send a crafted response that triggers memory corruption on any Windows system performing standard DNS resolution. No user interaction or authentication is required, and the flaw affects all supported Windows versions. Patch network-facing systems within 24 hours.
Australia ACSC Warns of ClickFix Campaign Delivering Vidar Infostealer — Fake CAPTCHA Bypass Technique Targeting Enterprise Users
The Australian Cyber Security Centre has issued a warning about an active ClickFix social engineering campaign delivering Vidar infostealer malware. ClickFix presents victims with fake CAPTCHA or browser-fix dialogs that instruct them to run PowerShell commands, bypassing standard malware delivery defences. The campaign has been observed across multiple Australian industry sectors.
Google GTIG Confirms First AI-Developed Zero-Day Used in Active Exploitation — 2FA Bypass via Automated Vulnerability Discovery
Google's Threat Intelligence Group has confirmed the first documented case of a threat actor using AI tools to discover and develop a working zero-day exploit deployed in a live attack campaign. The target was a 2FA bypass in a widely-used open-source web administration tool. A separate China-aligned actor was also found using AI platforms for automated offensive reconnaissance.
Instructure Confirms ShinyHunters Exploited Canvas LMS to Deface University Login Portals in Mass Extortion Campaign
Instructure has confirmed that the ShinyHunters threat group exploited a vulnerability in Canvas LMS to deface login portals across multiple university clients with extortion messages. The attack moved beyond the data exposure incident disclosed on May 3 into active defacement — university login pages were replaced with ransom demands visible to students and staff. Instructure is notifying affected institutions and has issued an emergency patch.
Attackers Abuse Google Ads and Claude.ai Conversations to Deliver macOS Malware to Developers
A campaign targeting macOS users — particularly developers — is abusing both Google Ads and Claude.ai chat conversations as malware delivery vectors. Malicious ads impersonating developer tools redirect to sites hosting macOS malware, while a second vector embeds download links in Claude.ai conversations shared with targets. The campaign has updated the MacSync infostealer family with new macOS Sequoia-compatible components.
TrickMo Android Banking Trojan Moves C2 to TON Blockchain — Decentralised Infrastructure Makes Takedown Near-Impossible
The TrickMo Android banking trojan has been updated to use the Telegram Open Network (TON) blockchain as its command-and-control infrastructure. TON's decentralised architecture means law enforcement cannot seize or sink-hole C2 servers — TrickMo operators gain persistent, censorship-resistant communications regardless of takedowns. The move signals a broader industry shift toward blockchain-based C2 that defenders have limited ability to disrupt at the infrastructure level.
VENOM Phishing Kit Targets Senior Microsoft 365 Executives via AiTM Session Interception
A new phishing-as-a-service platform named VENOM is specifically targeting C-suite and senior executive Microsoft 365 accounts using adversary-in-the-middle (AiTM) infrastructure to intercept authenticated sessions. Unlike generic phishing kits, VENOM's targeting logic filters for high-value accounts — CFOs, CEOs, legal counsel, and board-level contacts — and includes executive-tailored lures designed for low suspicion.
Zara Confirms Data Breach Affecting 197,000 Customers — ShinyHunters' April Extortion Claim Now Substantiated
Inditex has confirmed that a breach of Zara customer data exposed the personal information of approximately 197,000 people, substantiating the ShinyHunters extortion claim from late April 2026. Exposed data includes names, email addresses, postal addresses, phone numbers, and purchase history. European GDPR notification has been filed and affected customers are being contacted.
FreeBSD CVE-2026-42511 — NFS Stack Vulnerability Affecting Network Appliances and BSD-Based Storage
A new vulnerability in FreeBSD's NFS networking stack has been disclosed as CVE-2026-42511, distinct from the previously covered CVE-2026-4747 (the 17-year-old NFSv4 daemon RCE). CVE-2026-42511 affects the NFS client implementation and is exploitable by a malicious NFS server to achieve code execution on FreeBSD hosts connecting to untrusted NFS mounts — a relevant threat model for enterprise environments mounting network storage from potentially compromised infrastructure.
Microsoft Edge Stores Saved Passwords as Plaintext in Process Memory — No CVE, No Patch
Security researchers have documented that Microsoft Edge's built-in password manager stores user-saved passwords in cleartext within the browser's process memory — readable by any process on the same system with the ability to dump Edge process memory. Microsoft has acknowledged the behaviour and characterised it as a performance design decision, not a vulnerability warranting a security fix. Users relying on Edge's password manager for credential storage should understand what this means for their threat model.
MicroStealer Infostealer Targets Education and Telecom via Discord Webhook Exfiltration
ANY.RUN analysts have documented MicroStealer, an infostealer active since December 2025 that specifically targets education and telecommunications sector organisations. MicroStealer uses multi-stage delivery, harvests browser credentials, session tokens, cryptocurrency wallets, and screenshots, and exfiltrates data exclusively via Discord webhooks — making it invisible to traditional network monitoring that blocks dedicated C2 domains. Detection rates on VirusTotal remain low.
pnpm 11 Defaults to 24-Hour Package Age Minimum — Blocking Automated Post-Publish Supply Chain Attacks
pnpm 11, released this week, introduces a package quarantine feature that by default blocks installation of any npm package published within the past 24 hours. The control targets the automated post-publish compromise pattern used by TeamPCP, CanisterSprawl, and similar supply chain threat actors who publish malicious package versions and immediately trigger mass installation before defenders can respond. It is the most substantive supply-chain-defensive default configuration added to a package manager since npm's provenance attestation.
Proton Mail Adds Post-Quantum Encryption for New Emails to Counter Harvest-Now-Decrypt-Later Attacks
Proton Mail has added optional post-quantum encryption for new emails sent between Proton Mail accounts, protecting against harvest-now-decrypt-later (HNDL) attacks in which adversaries collect encrypted communications today with the intention of decrypting them when sufficiently powerful quantum computers become available. The feature uses the CRYSTALS-Kyber (ML-KEM) algorithm standardised by NIST in 2024. Existing encrypted emails are not retroactively re-encrypted.
Calendly-Themed AiTM Phishing Kits Rise with Real-Time Socket.IO and Telegram Exfiltration
urlscan.io researchers have documented a surge in phishing kits impersonating Calendly booking pages, used as a step in multi-stage AiTM credential theft chains targeting enterprise users. The kits use real-time Socket.IO connections for live victim monitoring, fake CAPTCHA challenges for victim fingerprinting, and Telegram bot webhooks for credential exfiltration — a combination that makes the attack infrastructure highly operationally efficient while appearing to originate from legitimate Calendly sessions.
CallPhantom: 28 Fake Android Apps with 7.3M Play Store Downloads Charged for Fabricated Call Data
ESET researchers have identified 28 Android applications — collectively downloaded 7.3 million times from the Google Play Store — that charged users for access to fabricated call history, SMS logs, and WhatsApp message records that the apps could not actually retrieve. The CodedCallPhantom campaign, active primarily in India and South-East Asia, combines financial fraud (charging for non-existent data) with personal data collection used for follow-on targeting.
Fake OpenAI Repository on Hugging Face Reached #1 Trending, Delivered Rust Infostealer to 244,000 Users
A malicious repository impersonating an official OpenAI project reached the top trending position on Hugging Face before being removed — delivering a Rust-compiled infostealer to an estimated 244,000 users who executed the repository's loader script. The attack exploited Hugging Face's trending algorithm and the high trust developers place in repositories attributed to the OpenAI organisation. Affected users should rotate all credentials accessible from the compromised machine.
DOJ Indicts North Korean Developer for Leading Sales of DDoS and Cyberterrorism Tools for Regime Revenue
The US Department of Justice has indicted a North Korean software developer on charges of conspiracy to develop and sell cyberattack tools — including distributed denial-of-service infrastructure and cyberterrorism-enabling toolkits — through front companies operated by the Workers' Party of Korea. The indictment provides rare detail into how DPRK IT workers generate hard currency for the regime through offensive cyber tool sales, complementing the well-documented cryptocurrency theft and IT contractor programmes.
OpenAI Launches Advanced Account Security Programme with Mandatory Phishing-Resistant MFA
OpenAI has announced an opt-in Advanced Account Security programme for high-risk users — journalists, human rights advocates, executives, and researchers — offering phishing-resistant FIDO2 hardware key and passkey authentication, stricter account recovery controls, and session compromise mitigations. The programme, developed in partnership with Yubico, acknowledges that standard MFA is insufficient against sophisticated phishing and AiTM attacks targeting OpenAI accounts with access to sensitive workflows.
FTC Bans Kochava Subsidiary from Selling Sensitive Location Data in Landmark Enforcement Settlement
The US Federal Trade Commission has reached a settlement banning Kochava and its Collective Data Solutions subsidiary from selling sensitive location data derived from consumer mobile devices — marking the FTC's most significant enforcement action against the location data broker industry. The settlement establishes a precedent with direct implications for any organisation that monetises or purchases precise consumer location data, including advertising technology companies, retail analytics firms, and financial services using location data for fraud detection.
JDownloader Official Download Site Hijacked to Serve Python RAT in Supply Chain Attack
The official JDownloader download site was compromised during a window of approximately 18 hours between 6 and 7 May 2026, with legitimate installer downloads replaced by a trojanised package delivering a Python-based remote access trojan. JDownloader is a popular open-source download manager with millions of users. Users who installed JDownloader during the compromise window should treat their system as compromised and perform immediate credential rotation and system remediation.
PamDOORa: Linux Post-Exploitation PAM Module Backdoor Sold on Dark Web for $1,600
Flare.io researchers have identified PamDOORa, a commercially sold Linux backdoor sold for $1,600 on a Russian-language underground forum. PamDOORa installs as a malicious PAM (Pluggable Authentication Module) on compromised Linux systems, creating a persistent hidden SSH access mechanism that activates via a magic password and a TCP port — while also harvesting the credentials of all legitimate users who authenticate to the system.
QLNX Linux RAT Harvests Developer Credentials to Enable Malicious Package Publishing on npm and PyPI
Trend Micro researchers have identified QLNX (Quasar Linux), a Linux-targeting remote access trojan specifically designed to harvest developer credentials — npm tokens, PyPI upload credentials, AWS IAM keys, Docker registry credentials, and GitHub CLI tokens — from developer workstations. The harvested credentials are then used to publish malicious packages to npm and PyPI under the compromised developer's identity, enabling second-stage supply chain attacks against the developer's downstream users.
SonicWall CVE-2026-0204 — Authentication Bypass in SSLVPN Allows Unauthenticated Network Access
SonicWall has disclosed CVE-2026-0204, an authentication bypass vulnerability in the SonicWall SSLVPN product that allows a remote attacker to bypass VPN authentication and gain access to the protected network without valid credentials. SonicWall SSLVPN appliances are widely deployed as enterprise and SMB VPN concentrators. Patch available — update immediately.