GBHackers On Security

Security news site covering daily hacking news and cyberattack updates.

Malicious Browser Add‑on Targets imToken Users’ Private Keys
News, Mar 7, 2026

Socket’s Threat Research Team discovered a deceptive Chrome extension called “lmΤoken Chromophore” that masquerades as an imToken visualizer to steal private keys and seed phrases. The add‑on silently redirects users to a phishing site via a hard‑coded JSONKeeper endpoint, where...

By GBHackers On Security
RMM Tools Crucial for IT Operations, But Growing Threat as Attackers Weaponize Them
News, Mar 6, 2026

Remote Monitoring and Management (RMM) platforms are essential for modern IT operations, but attackers are increasingly weaponizing them to bypass defenses. The Huntress 2026 Cyber Threat Report shows a 277% surge in RMM abuse in 2025, with over half of...

By GBHackers On Security
DPRK Hackers Target Crypto Firms, Steal Keys and Cloud Assets in Coordinated Attacks
News, Mar 5, 2026

Suspected North Korean‑linked threat actors launched a coordinated campaign against cryptocurrency firms, exploiting the critical React2Shell (CVE‑2025‑55182) remote code execution flaw in React Server Components and Next.js. After gaining initial web‑app access, they leveraged stolen AWS tokens to enumerate and...

By GBHackers On Security
VoidLink Malware Framework Targets Kubernetes and AI Workloads in New Cyber Attack Wave
News, Mar 4, 2026

VoidLink is a new Linux‑based malware framework that specifically targets Kubernetes clusters and AI workloads, using fileless, in‑memory techniques to remain invisible. The framework fingerprints cloud environments, harvests credentials and metadata, and can compile payloads on demand for AI‑enabled attacks....

By GBHackers On Security
AzCopy Utility Misused for Data Exfiltration in Ongoing Ransomware Attacks
News, Mar 4, 2026

Ransomware groups are weaponizing Microsoft’s Azure data‑transfer tool AzCopy to steal large volumes of data before encrypting victims’ systems. By leveraging valid Azure credentials and Shared Access Signature tokens, attackers can silently upload files to attacker‑controlled Blob storage using standard...

By GBHackers On Security
IPVanish VPN for macOS Flaw Enables Privilege Escalation and Code Execution
News, Mar 4, 2026

A critical privilege‑escalation flaw was found in IPVanish VPN for macOS, allowing any local, unprivileged user to execute arbitrary code as root. The vulnerability resides in the helper tool "com.ipvanish.osx.vpnhelper," which accepts unauthenticated XPC connections and skips code‑signature verification for...

By GBHackers On Security
New Starkiller Phishing Framework Uses Real Login Pages to Bypass MFA Security
News, Mar 3, 2026

A new phishing‑as‑a‑service framework called Starkiller proxies real login pages of major brands, delivering authentic HTML, CSS, and JavaScript to victims. By running a headless Chrome instance inside Docker, it captures credentials and, crucially, steals MFA session cookies after users...

By GBHackers On Security
Malvertising Actor ‘D-Shortiez’ Exploits WebKit Back-Button Hijack in Forced-Redirect Campaign
News, Mar 3, 2026

A threat group known as D‑Shortiez has launched a malvertising campaign that exploits a WebKit flaw to hijack the back button in Safari and other iOS browsers. The malicious JavaScript injects a fake history entry and binds a redirect to...

By GBHackers On Security
Zerobot Malware Exploits Tenda Command Injection Vulnerabilities to Deploy Malicious Payloads
News, Mar 3, 2026

A new Zerobot campaign is weaponizing two critical flaws – CVE‑2025‑7544 in Tenda AC1206 routers and CVE‑2025‑68613 in the n8n workflow‑automation platform – to deliver a Mirai‑derived payload called Zerobotv9. The exploit chain uses simple HTTP requests or malicious workflow...

By GBHackers On Security
Hackers Exploit Telegram for Initial Access to Corporate VPN, RDP, and Cloud Systems
News, Mar 3, 2026

Hackers are turning Telegram into a live marketplace for stolen VPN, RDP and cloud credentials, accelerating initial access to corporate networks. Threat actors harvest stealer logs, post searchable credential feeds, and negotiate sales in private chats, cutting the gap between...

By GBHackers On Security
Malicious Go Crypto Module Steals Passwords, Deploys Rekoobe Backdoor in Developer Environments
News, Feb 27, 2026

Security researchers discovered a malicious Go module, github.com/xinfeisoft/crypto, that masquerades as the legitimate golang.org/x/crypto library. The backdoored ReadPassword function captures plaintext credentials, writes them to /usr/share/nano/.lock, and exfiltrates them via a dynamically supplied GitHub Raw URL. After exfiltration, the module pulls and...

By GBHackers On Security
Infostealers Drive Massive Brute-Force Attacks on Corporate SSO Gateways with Stolen Credentials
News, Feb 27, 2026

Defused Cyber uncovered a credential‑stuffing campaign that uses passwords harvested by Infostealers to brute‑force corporate SSO gateways, notably targeting F5 BIG‑IP devices. Analysis of 70 credential pairs showed 77 % originated from known Infostealer infections, confirming a direct supply chain from malware‑infected employee...

By GBHackers On Security
Phishing‑Led Agent Tesla Campaign Uses Process Hollowing and Anti‑Analysis to Evade Detection
News, Feb 26, 2026

Agent Tesla’s newest campaign leverages a multi‑stage, fileless delivery chain that begins with a phishing email containing a RAR‑packed JSE loader. The loader fetches an AES‑encrypted PowerShell script, which executes entirely in memory and uses process hollowing to inject malicious...

By GBHackers On Security
ResidentBat Android Malware Grants Belarusian KGB Ongoing Mobile Access
News, Feb 26, 2026

ResidentBat is a custom Android spyware implant deployed by the Belarusian KGB to turn seized smartphones into persistent surveillance tools. The malware is sideloaded via Android Debug Bridge after physical access, granting extensive data collection and remote‑wipe capabilities. First disclosed...

By GBHackers On Security
Threat Actors Exploit Apache ActiveMQ Vulnerability to Gain RDP Access, Deploy LockBit Ransomware
News, Feb 25, 2026

Threat actors leveraged the critical Apache ActiveMQ flaw CVE‑2023‑46604 to achieve remote code execution, download a Metasploit stager via CertUtil, and gain SYSTEM privileges on a Windows host. After dumping LSASS credentials, they moved laterally using a harvested domain‑admin account,...

By GBHackers On Security
OAuth Vulnerabilities in Entra ID Could Exploit ChatGPT to Breach User Email Accounts
News, Feb 25, 2026

Security researchers have identified a new OAuth consent attack vector in Microsoft Entra ID where a legitimate service principal such as ChatGPT is granted high‑risk Graph permissions like Mail.Read. By tricking users into approving a consent screen, attackers obtain persistent...

By GBHackers On Security
Microsoft Alerts Developers of Malicious Next.js Repositories Used in Ongoing Hacker Attacks
News, Feb 25, 2026

Microsoft Defender has identified a coordinated campaign that weaponizes seemingly legitimate Next.js repositories to compromise developers. The malicious projects, often presented as interview assessments, exploit Visual Studio Code workspace automation, build‑time scripts, and server startup routines to fetch and execute...

By GBHackers On Security
Malicious NuGet Packages Target ASP.NET Developers to Steal Login Credentials
News, Feb 24, 2026

A coordinated supply‑chain campaign published four malicious NuGet packages between August 2024, amassing over 4,500 downloads before removal. The lead package, NCryptYo, typosquats the legitimate NCrypto library and installs JIT hooks that drop a hidden payload establishing a localhost proxy....

By GBHackers On Security
ZeroDayRAT Targets Android and iOS Devices for Surveillance and Financial Data Theft
News, Feb 24, 2026

ZeroDayRAT, a Malware‑as‑a‑Service kit, now targets both Android and iOS devices, merging real‑time surveillance with direct financial theft through a browser‑based control panel. The service is marketed on Telegram, with subscriptions ranging from $250 per day to $3,500 per month,...

By GBHackers On Security
Deserialization Flaw in Ruby Workers That Could Enable Full Compromise
News, Feb 24, 2026

A critical remote code execution vulnerability has been discovered in RubitMQ job workers due to unsafe JSON deserialization with the Ruby Oj library. The flaw allows attackers to craft malicious JSON that triggers object injection, instantiating a Node class whose...

By GBHackers On Security
LUKS Encryption Compromised on Linux ICS Devices via TPM Bus Sniffing Exploit
News, Feb 24, 2026

Security researchers have disclosed CVE‑2026‑0714, a high‑severity flaw in Moxa’s UC‑1222A Secure Edition industrial computer. The vulnerability allows an attacker with physical access to the SPI bus to sniff the TPM2_NV_Read command and capture the LUKS full‑disk encryption key in...

By GBHackers On Security
Cache Deception Flaw in SvelteKit And Vercel Stack Exposes User Data
News, Feb 22, 2026

A cache‑deception flaw was found in SvelteKit applications deployed on Vercel, where the `__pathname` query parameter can override request paths and cause private API responses to be cached as public assets. The vulnerability affects any route under `/_app/immutable/`, which Vercel...

By GBHackers On Security
Anthropic Debuts Claude Code Security – AI Now Scan Vulnerabilities in Your Entire Codebase
News, Feb 21, 2026

Anthropic launched Claude Code Security, an AI‑driven tool that scans entire codebases for vulnerabilities and suggests patches. Powered by Claude Opus 4.6, it uses frontier reasoning to map data flows and identify complex bugs that traditional SAST tools miss. Internal tests...

By GBHackers On Security
CharlieKirk Grabber Malware Targets Windows Systems to Steal Login Credentials
News, Feb 20, 2026

CharlieKirk Grabber is a new Python‑based Windows infostealer first seen in February 2026. It rapidly harvests credentials from Chromium and Firefox browsers, Wi‑Fi profiles, Discord tokens, and gaming sessions, then packages the data into a ZIP archive for exfiltration via...

By GBHackers On Security
ClickFix Exploits Homebrew Workflow to Deploy Cuckoo Stealer for macOS Credential Theft
News, Feb 18, 2026

ClickFix is weaponizing a fake Homebrew installation workflow to deliver Cuckoo Stealer, a macOS credential‑stealing RAT. The campaign uses typosquatted domains such as homabrews.org that mimic brew.sh and inject a malicious curl | bash command into the clipboard, prompting developers to run it....

By GBHackers On Security
New SysUpdate Variant Malware Discovered, Decryption Tool for Linux C2 Traffic Released
News, Feb 18, 2026

Researchers at LevelBlue identified a new SysUpdate variant targeting Linux systems, packaged as a packed ELF64 binary that mimics a system service. The malware employs a custom, multi‑layered symmetric cipher to encrypt its command‑and‑control traffic across several protocols. By emulating...

By GBHackers On Security
New Phishing Campaign Exploits Booking.com Partners, Targets Customers in Multi-Stage Fraud Scheme
News, Feb 18, 2026

A coordinated phishing campaign is exploiting Booking.com’s partner platform to steal hotel staff credentials and then target guests with payment‑stealing lures. The operation uses a three‑stage chain: email phishing to hotel inboxes, a bespoke partner login kit to harvest credentials,...

By GBHackers On Security
Malicious Fork of Legitimate Triton App Discovered on GitHub, Exposing New Malware Threat
News, Feb 17, 2026

A malicious fork of the legitimate Triton macOS client was posted on GitHub, masquerading as an official release while embedding a Windows‑only malware payload. The attacker, operating under the account “JaoAureliano,” used a deceptive README and raw asset links to...

By GBHackers On Security
LockBit 5.0 Emerges: Cross-Platform Ransomware Now Targeting Windows, Linux, and ESXi Systems
News, Feb 16, 2026

LockBit has released version 5.0, a cross‑platform ransomware that encrypts Windows, Linux and VMware ESXi systems with a single code base. The new variant uses XChaCha20 and Curve25519 encryption, while the Windows build adds sophisticated anti‑forensic tricks such as ETW...

By GBHackers On Security
Lotus Blossom Hackers Breach Official Notepad++ Hosting Infrastructure
News, Feb 16, 2026

Between June and December 2025, the state‑sponsored Lotus Blossom group compromised the shared hosting provider that delivered Notepad++ updates, turning the popular text editor into a covert espionage conduit. By exploiting weaknesses in the older WinGUp updater, attackers redirected update...

By GBHackers On Security
Hackers Abuse ClawHub Skills to Evade VirusTotal via Social Engineering
News, Feb 9, 2026

Hackers have revamped ClawHub skill attacks by removing embedded malware and instead using clean SKILL.md files that lure users to counterfeit OpenClawCLI download sites. The malicious payload is hosted on look‑alike domains and fetched via an obfuscated bash command, allowing...

By GBHackers On Security
APT Hackers Abuse Trusted Edge Services to Stealthily Deploy Malware
News, Feb 9, 2026

APT groups, largely China‑linked, are shifting attacks from protected endpoints to edge infrastructure such as firewalls, routers and IoT devices. Taiwan emerged as the most targeted APAC region, logging 173 incidents and serving as a testing ground for new tools....

By GBHackers On Security
Vortex Werewolf Targets Organizations With Tor-Enabled RDP, SMB, SFTP, and SSH Backdoors
News, Feb 9, 2026

Vortex Werewolf, also known as SkyCloak, is a threat cluster that has been delivering Tor‑enabled remote‑access backdoors to Russian government and defense organizations through sophisticated Telegram‑themed phishing campaigns. Victims are lured to counterfeit Telegram login pages that harvest phone numbers,...

By GBHackers On Security
Cybersquatting Attacks Exploit Trusted Brands to Steal Customer Data and Spread Malware
News, Feb 9, 2026

Cybercriminals are increasingly exploiting cybersquatting to clone trusted brands, harvest customer credentials, and deliver malware. Research from SecPod shows a 19‑fold surge in malicious domain registrations between late 2024 and mid‑2025, with more than 99 % used for phishing or malware...

By GBHackers On Security
New Telegram Phishing Scam Hijacks Login Flow to Steal Fully Authorized User Sessions
News, Feb 9, 2026

Cyber‑intelligence firm CYFIRMA uncovered a new Telegram phishing campaign that hijacks the platform’s QR‑code and manual login flows. Attackers register their own Telegram API credentials and relay victim‑supplied phone numbers, OTPs, or QR scans to create fully authorized sessions on...

By GBHackers On Security
FvncBot Targets Android Users, Exploiting Accessibility Services for Attacks
News, Feb 6, 2026

A new Android banking trojan named FvncBot was first seen in late 2025, masquerading as a security app from Poland’s mBank. The malware uses a two‑stage loader, both obfuscated with the APK0day cryptor, to install an unencrypted payload that hijacks...

By GBHackers On Security
RenEngine Loader Deploys Stealthy Multi-Stage Execution to Bypass Security Measures
News, Feb 6, 2026

RenEngine Loader, a new malware family, embeds malicious code in legitimate Ren’Py game launchers used for cracked games. Since its emergence in April 2025, it has infected over 400,000 users, adding roughly 5,000 new victims each day, primarily in India,...

By GBHackers On Security
New Wave of Odyssey Stealer Targets macOS Users in Active Cyberattack Campaign
News, Feb 6, 2026

A new wave of Odyssey Stealer is actively targeting macOS users across more than twenty countries, expanding far beyond its initial foothold in the United States and Western Europe. The malware is delivered through fake CAPTCHA pages that mimic legitimate...

By GBHackers On Security
CentOS 9 Security Flaw Enables Privilege Escalation – PoC Released
News, Feb 6, 2026

A critical use‑after‑free vulnerability has been discovered in the `sch_cake` packet scheduler of the CentOS 9 Linux kernel. The flaw lets a local user trigger memory corruption and execute arbitrary code with root privileges, as demonstrated by a publicly released proof‑of‑concept....

By GBHackers On Security
Phishing and OAuth Token Vulnerabilities Lead to Full Microsoft 365 Breach
News, Feb 6, 2026

Researchers identified two medium‑severity flaws—a publicly accessible email API endpoint and verbose error handling that discloses OAuth tokens—that can be combined to launch authenticated phishing campaigns inside Microsoft 365 tenants. By exploiting the open relay, attackers send messages that appear to...

By GBHackers On Security
Spam Campaign Distributes Fake PDFs, Deploys Remote Monitoring Tools for Ongoing Access
News, Feb 6, 2026

A spam campaign is distributing PDFs that appear to be Adobe Acrobat updates, but the attachment redirects users to a spoofed download page that installs legitimate Remote Monitoring and Management (RMM) tools such as TrustConnect and Datto RMM. By leveraging signed...

By GBHackers On Security
TP-Link Vulnerabilities Let Hackers Take Full Control of Devices
News, Feb 4, 2026

TP‑Link disclosed nine critical authenticated command‑injection flaws in its Archer BE230 v1.2 router firmware, each assigned a separate CVE and scoring 8.5‑8.6 on the CVSS v4.0 scale. The vulnerabilities affect web, VPN, cloud, and configuration modules, allowing attackers with high‑privilege access to...

By GBHackers On Security
Interlock Ransomware Exploits Zero-Day in Gaming Anti-Cheat Driver to Disable EDR, AV
News, Feb 4, 2026

Interlock ransomware has added a zero‑day exploit in a gaming anti‑cheat driver (CVE‑2025‑61155) to its arsenal, deploying a signed kernel driver called UpdateCheckerX64.sys. The new BYOVD tool, dubbed Hotta Killer, creates a demand‑start service and uses DeviceIoControl to terminate security...

By GBHackers On Security
Supply Chain Attack Exploits Notepad++ Update Mechanism to Push Targeted Malware
News, Feb 4, 2026

A sophisticated supply‑chain attack hijacked Notepad++'s update mechanism after a hosting‑provider breach, remaining active from June 2025 to December 2025. Attackers rotated command‑and‑control servers and deployed three distinct infection chains that delivered Cobalt Strike beacons and a custom Chrysalis backdoor. The...

By GBHackers On Security
Hackers Exfiltrate NTDS.dit File, Gain Full Control of Active Directory Environments
News, Feb 4, 2026

Threat actors are increasingly targeting the NTDS.dit database, the core repository of Active Directory credentials and configuration, to gain unrestricted domain access. By creating Volume Shadow Copies and leveraging native tools such as ntdsutil, SecretsDump, and Mimikatz, attackers can extract...

By GBHackers On Security
Chollima APT Hackers Weaponize LNK Files to Deploy Sophisticated Malware
News, Feb 3, 2026

In March 2025, North Korean‑linked APT37 (Ricochet Chollima) launched “Operation: ToyBox Story,” a spear‑phishing campaign targeting activists focused on North Korean affairs. The emails delivered Dropbox links to ZIP archives containing malicious LNK shortcut files that execute hidden PowerShell commands, creating...

By GBHackers On Security
Malicious Google Play App With 50K+ Downloads Spreads Anatsa Banking Trojan
News, Feb 3, 2026

A malicious Android app posing as a document reader amassed over 50,000 downloads on Google Play before being removed. The app functioned as a dropper for the Anatsa banking trojan, which can harvest credentials and execute unauthorized transactions. ThreatLabz identified...

By GBHackers On Security
Notepad++ Attack Breakdown Reveals Sophisticated Malware and Actionable IoCs
News, Feb 3, 2026

The Chinese APT group Lotus Blossom has been linked to a sophisticated supply‑chain attack on the Notepad++ distribution platform. Attackers delivered a custom backdoor dubbed Chrysalis via a malicious NSIS‑based update.exe that sideloaded a forged Bitdefender Submission Wizard DLL into...

By GBHackers On Security
TAMECAT PowerShell Backdoor Targets Edge and Chrome: Login Credentials At Risk
News, Jan 30, 2026

Iranian state‑sponsored group APT42 deployed a new PowerShell‑based backdoor named TAMECAT, targeting Microsoft Edge and Google Chrome to harvest saved login credentials. The malware is delivered via a VBScript downloader that checks for antivirus products before fetching an AES‑encrypted loader...

By GBHackers On Security