GBHackers On Security


Publication

Security news site covering daily hacking news and cyberattack updates.

NightSpire Ransomware Abuses RDP for Stealthy Persistence
News · May 26, 2026

NightSpire ransomware, first identified in early 2025, has quickly become a high‑profile threat by combining double‑extortion tactics with stealthy persistence mechanisms. Between March and June 2025 the group compromised at least 64 organizations across 33 countries, using legitimate remote‑administration tools...

By GBHackers On Security
Gamaredon Deploys GammaDrop, GammaLoad in Phishing Campaigns
News · May 18, 2026

Gamaredon, the Russian‑linked espionage group targeting Ukraine, has intensified its phishing campaign by leveraging the WinRAR directory‑traversal flaw CVE‑2025‑8088. The group distributes RAR (and now ARJ) archives that embed a VBScript downloader called GammaDrop, which drops a second‑stage HTA payload...

Paper Werewolf APT Spreads EchoGather RAT via Fake Adobe Installer
News · May 18, 2026

The Russian‑language threat group Paper Werewolf (aka GOFFEE) launched a new wave of attacks against Russian industrial, financial and transport firms in March‑April 2026. The campaign begins with a phishing PDF that auto‑downloads a fake Adobe Reader installer, which silently...

Hackers Abuse Cloudflare Storage to Exfiltrate Network Files
News · May 18, 2026

Researchers at Oasis Security uncovered a sophisticated cyber‑espionage campaign targeting multiple Malaysian organizations. The attackers leveraged an Azure virtual machine to run custom Python, Laravel, and C# tools that enumerated networks, accessed internal databases, and harvested Active Directory credentials. Data...

Critical Marimo RCE Flaw Could Let Attackers Execute Malicious Code Remotely
News · May 18, 2026

A critical remote code execution flaw (CVE‑2026‑39987) has been discovered in the Marimo Python notebook framework. The vulnerability resides in the /terminal/ws WebSocket endpoint, which fails to enforce authentication and spawns a system‑level shell for any requester. All Marimo versions...

OtterCookie Malware Steals Dev Secrets, SSH Keys, Cloud Credentials, and Tokens
News · May 18, 2026

OtterCookie is a newly identified Node.js‑based remote‑access trojan that leverages persistent Socket.IO connections to monitor infected workstations in real time. Unlike earlier malware such as BeaverTail, it captures live developer activity—including clipboard data, keystrokes, screenshots, SSH keys, cloud credentials, and...

Gunra Ransomware Expands RaaS After Conti Locker Shift
News · May 15, 2026

Gunra ransomware has transitioned from a Conti‑derived locker to a standalone Ransomware‑as‑a‑Service platform, expanding its operational reach. The shift, announced after its initial 2025 attacks on South Korean firms, now powers an affiliate network that can brand the payload and...

OrBit Rootkit Targets Linux to Steal SSH and Sudo Credentials
News · May 15, 2026

The OrBit Linux rootkit, first identified in 2022, has been quietly evolving while remaining active in the wild. Built on the open‑source Medusa LD_PRELOAD framework, attackers now deploy two main variants—Lineage A with full credential‑stealing and network‑hiding features, and a slimmer...

TeamPCP, BreachForums Launch $1K Supply-Chain Attack Contest
News · May 14, 2026

TeamPCP and BreachForums have launched a $1,000 Monero‑rewarded contest that challenges hackers to compromise open‑source packages using the Shai‑Hulud tool. Participants submit proof of access and compete on a leaderboard that scores based on download volume of the infected packages....

Chinese APT Exploits Microsoft Exchange to Breach Energy Sector Network
News · May 14, 2026

Chinese state‑aligned APT group FamousSparrow breached a major Azerbaijani energy firm by exploiting the ProxyNotShell chain on an unpatched Microsoft Exchange server on Dec. 25, 2025. The attackers deployed the Deed RAT via a LogMeIn Hamachi DLL sideloading technique and later attempted a...

New Malware Framework Enables Screen Control and UAC Bypass
News · May 14, 2026

Researchers uncovered TencShell, a sophisticated malware framework built on the open‑source Rshell C2 tool and repurposed for stealthy post‑exploitation. In April 2026, Cato CTRL blocked an attack on a global manufacturing firm in India after the implant delivered Donut shellcode hidden...

170 Npm Packages Hijacked to Steal GitHub, AWS & Kubernetes Secrets
News · May 14, 2026

Hackers compromised more than 170 npm packages and two PyPI libraries, which together see over 200 million weekly downloads, to harvest developer and cloud credentials. The malicious packages embed pre‑install scripts that download obfuscated payloads, extract GitHub Actions tokens, npm publishing...

Microsoft Research: AI Can Generate Realistic Command-Line and Process Telemetry
News · May 14, 2026

Microsoft Research unveiled an AI system that converts attacker tactics from frameworks like MITRE ATT&CK into realistic command‑line and process telemetry. The approach uses prompt‑engineered generation, multi‑agent workflows, and reinforcement‑learning‑with‑verifiable‑rewards to synthesize logs that closely mimic real attack behavior. Evaluations show...

Vidar Stealer Campaign Evades EDR to Steal Credentials
News · May 12, 2026

A new Vidar Stealer campaign uses malicious LNK shortcuts, environment‑variable string reconstruction, and layered PowerShell‑to‑Python payloads to bypass endpoint detection and response (EDR) tools. The chain starts with spear‑phishing ZIP archives, launches cmd.exe, then PowerShell to download an obfuscated batch...
