CyberSec News

A large-scale skimming operation known as GorgonAgora runs over 4,800 fake storefronts impersonating major global brands to steal payment card data. The campaign uses Medusa.js storefronts with injected checkout skimmers that exfiltrate data via encrypted WebSocket channels. Stolen payment details are relayed to central command infrastructure for real-time processing.

Source: Sansec Forensics Team

The Gamaredon APT group is targeting Ukrainian government systems using GammaPhish lures and WinRAR exploitation to deploy GammaWorm and GammaSteel malware. The campaign uses multi-stage infection chains for persistence, lateral movement, and data exfiltration. Command-and-control infrastructure relies on Telegram and cloud-based dead-drop mechanisms.

Source: Sekoia.io

Attackers are hijacking Instagram accounts by manipulating Meta AI support tools into accepting fake identity verification. The method bypasses 2FA and geolocation checks, enabling full account takeovers including high-profile users. Victims are left locked out as automated recovery systems fail to escalate cases.

Source: BleepingComputer

Android’s June 2026 security update fixes a Framework zero-day (CVE-2025-48595) already exploited for privilege escalation across widely deployed devices. Attackers leveraged the flaw for silent system-level access without user interaction before patches were issued. The update also addresses dozens of additional framework, kernel, and vendor component vulnerabilities across major Android versions.

Source: Google Android Security Bulletin

A CVSS 10.0 LiquidJS vulnerability enables unauthenticated remote code execution via crafted templates affecting millions of Node.js deployments.

Source: Orca Research Pod

A supply chain attack on Red Hat’s npm packages deploys a self-spreading worm that hijacks CI/CD secrets and cloud credentials during installation.

Source: StepSecurity | Wiz Research

A critical Windows Netlogon flaw is being actively exploited, allowing attackers to run code remotely on domain controllers through unauthenticated RPC requests.

Source: BleepingComputer | Palo Alto Networks

Dutch authorities dismantled a 17-million-device botnet and seized Russian-linked infrastructure, while ShinyHunters breaches impacted Canvas LMS and Carnival Corporation, Lazarus deployed the RemotePE RAT against financial targets, Glassworm targeted developers through poisoned software repositories, and SymJack exposed remote code execution risks across leading AI coding agents.

Attackers pushed 14 fake OpenSearch and Elasticsearch npm packages that silently harvest AWS and CI/CD secrets during installation through hidden execution hooks.

Source: The Register

Google’s Chrome 148 update fixes 151 security vulnerabilities, including multiple critical memory corruption bugs across GPU, WebGL, V8, and other core browser components.

Source: SecurityWeek | Google Chrome Releases

North Korean-linked Kimsuky operators tricked South Korean military and corporate users with fake Webex portals that deployed upgraded HTTPSpy malware capable of full remote system control.

Source: ENKI WhiteHat

A new Go-based ransomware strain uses self-propagating techniques and lateral movement tools like PsExec and WMI to rapidly spread through enterprise systems while encrypting and disabling security controls.

Source: Microsoft Threat Intelligence

Attackers are weaponising stolen booking details from hundreds of hotels worldwide to send convincing fake payment requests that trick travellers into handing over sensitive financial data.

Source: Gen Digital

A social engineering attack tied to ShinyHunters exposed sensitive personal data of nearly six million Carnival customers, including addresses, phone numbers, and identity records.

Source: The Register

The Silent Ransom Group is conducting IT impersonation campaigns using phishing calls, remote access tools, and even in-person device access to steal sensitive data from US law firms. The group relies on legitimate administration tools to exfiltrate data without deploying ransomware encryption.

Source: FBI IC3

The SymJack attack abuses symlinked repositories to trick AI coding agents into executing malicious configuration changes, leading to remote code execution and credential exposure. Multiple AI development tools and CI/CD environments are impacted through trusted workflow abuse.

Source: Adversa AI

A critical flaw in Gitea’s container registry, CVE-2026-27771, allows unauthenticated attackers to access private OCI images, exposing source code, credentials, and infrastructure data. The issue potentially affects tens of thousands of deployments across multiple regions.

Source: Orca Security