#0779
Cisco Talos19 days ago3 min▣LLM reportinfo The article details a novel approach to reverse engineering where the VB6 disassembler vbdec exposes its internal object model via the Windows Component Object Model (COM). This allows local AI agents to programmatically query and automate complex analysis tasks, such as decompilation and call graph generation, without requiring built-in AI features or cloud uploads.
#0778
Infoblox19 days ago6 min▣LLM reporthigh Operation Endgame successfully disrupted the SocGholish (TA569) initial access framework, which relies on compromised WordPress sites and Traffic Distribution Systems (TDS) to deliver fake browser updates. The threat actor utilizes domain shadowing and a multi-stage JScript payload to establish footholds, primarily targeting corporate environments during standard work weeks to facilitate follow-on ransomware deployment.
#0777
Trend Micro19 days ago7 min▣LLM reporthigh A sophisticated malvertising campaign abused Google Ads to deliver ClickFix social engineering attacks disguised as popular AI developer tools and Mac utilities. The threat actors initially leveraged GitLab Pages before pivoting to weaponize claude.ai's shared chat feature, tricking macOS users into executing terminal commands that deploy the MacSync infostealer.
#0776
Akamai19 days ago4 min▣LLM reporthigh In May 2026, a major Indian public sector bank was targeted by sophisticated, multi-vector DDoS attacks peaking at 1.78 Tbps and 171 Mpps. The attackers aimed to overwhelm network bandwidth and compute resources by targeting a critical login endpoint using globally distributed infrastructure. The attacks were successfully mitigated at the edge using preconfigured protections and continuous traffic profiling, resulting in no service disruption.
#0775
Socket20 days ago7 min▣LLM reportcritical A coordinated supply chain attack compromised over 140 npm packages in the Mastra namespace by injecting a typosquatted dependency, easy-day-js. This dependency uses a postinstall hook to execute a cross-platform Node.js infostealer that establishes persistence, inventories cryptocurrency wallets, steals browser history, and enables arbitrary remote code execution via a custom ICAP-style C2 protocol.
#0774
Recorded Future20 days ago5 min▣LLM reporthigh Insikt Group's analysis of the global state digital surveillance landscape identifies 31 countries as high or very high risk, driven by the proliferation of commercial spyware, network interception technologies, and AI-powered data aggregation. The report outlines five primary surveillance vectors—network, endpoint, platform, public space, and data aggregation—and highlights the increasing threat to foreign nationals and business travelers, necessitating strict device management and travel security protocols.
#0773
NCSC20 days ago3 min▣LLM reporthigh The NCSC CEO reported that approximately 75% of the 200+ cyber incidents affecting UK critical national infrastructure over the past year were linked to hostile state actors such as Russia, China, and Iran. The NCSC warns that unpatched legacy systems pose a severe risk, particularly as AI-enabled cyber capabilities are projected to accelerate the exploitation of known vulnerabilities at scale by 2028.
#0772
Canadian Centre for Cyber Security20 days ago3 min▣LLM reporthigh The Canadian Centre for Cyber Security released a daily digest highlighting critical security updates from Oracle, JetBrains, and Microsoft. The advisories cover Oracle's June 2026 quarterly rollup affecting numerous enterprise products, a vulnerability in JetBrains GoLand, and an Elevation of Privilege flaw in the Microsoft Malware Protection Engine (CVE-2026-50656).
#0771
Check Point20 days ago7 min▣LLM reporthigh A threat actor is distributing Rust-based cryptocurrency clipboard hijackers for Windows and macOS by disguising them as trading bots and game predictors. The campaign leverages extensive social engineering, utilizing 'Ghost Networks' to artificially inflate engagement metrics across GitHub, SourceForge, YouTube, and VirusTotal to establish false credibility. The malware achieves persistence and continuously monitors the victim's clipboard to replace legitimate cryptocurrency addresses with attacker-controlled wallets.
#0770
ESET20 days ago8 min▣LLM reporthigh ESET researchers discovered two undocumented Windows variants of the SprySOCKS backdoor, WINDRV and WINPLUS, attributed to the China-aligned FishMonger APT. These variants utilize advanced stealth techniques, including a custom kernel driver for hiding artifacts and diverting TCP traffic, as well as print processor abuse for persistence.
#0769
Cofense20 days ago5 min▣LLM reporthigh A sophisticated multi-stage phishing campaign is spoofing the IRS and Elon Musk to lure victims into a fraudulent cryptocurrency initiative. The attack chain begins with an email offering a fake $5,000 tax refund, which redirects to a credential harvesting site that steals extensive PII, including government IDs and bank routing numbers. Victims are then funneled into a fake trading dashboard designed to facilitate direct financial fraud and continuous Bitcoin theft.
#0768
Socket20 days ago5 min▣LLM reportmedium An npm package named shai_hulululud was discovered utilizing adversarial techniques to disrupt AI-assisted malware scanners. The package employs prompt injection, safety-triggering content, and context flooding via millions of tokens to cause LLM-based analysis tools to fail, truncate, or refuse processing before reaching the obfuscated JavaScript payload.
#0767
Morphisec21 days ago5 min▣LLM reporthigh Morphisec researchers identified a significantly evolved version of the BabaDeda loader targeting the education and financial sectors. The campaign leverages ClickFix social engineering to trick users into executing PowerShell commands, leading to a complex, multi-stage infection chain involving DLL sideloading, in-memory execution, and external payload storage to deliver DanaBot and SectopRAT.
#0766
Canadian Centre for Cyber Security21 days ago4 min▣LLM reportcritical The Canadian Centre for Cyber Security released a daily digest highlighting critical vulnerabilities across Cisco, Fortinet, and Zyxel products. Notably, CVE-2026-20262 in Cisco Catalyst SD-WAN Manager and multiple Fortinet CVEs (CVE-2026-39813, CVE-2026-39808, CVE-2026-25089) are actively being exploited in the wild, prompting immediate patching requirements.
#0765
CISA21 days ago4 min▣LLM reportcritical Rockwell Automation FLEX I/O EtherNet/IP Adapters version 2.012 are affected by two vulnerabilities. CVE-2026-0647 allows unauthenticated account takeover via the embedded web server, while CVE-2026-0646 enables a denial-of-service condition through malformed CIP protocol requests.
#0764
CISA21 days ago4 min▣LLM reporthigh Rockwell Automation RSLinx Classic versions 4.50.00 and prior contain an out-of-bounds read and stack-based buffer overflow vulnerability (CVE-2020-13573). Successful exploitation by a remote attacker can lead to a denial of service condition where the application becomes unresponsive, or potentially allow for remote code execution.
#0763
CISA21 days ago4 min▣LLM reporthigh Rockwell Automation Logix 5370 and 5570 controllers are affected by a high-severity denial-of-service vulnerability (CVE-2026-11317, CVSS 8.7) triggered by crafted Common Industrial Protocol (CIP) messages. Successful exploitation results in a major nonrecoverable fault (MNRF) due to improper resource shutdown or release, requiring a manual program download to restore operations.
#0762
Sekoia.io21 days ago7 min▣LLM reporthigh ErrTraffic is a Malware-as-a-Service framework that compromises WordPress sites and uses malvertising to deliver ClickFix social engineering lures. It leverages EtherHiding via Polygon smart contracts to dynamically resolve C2 infrastructure and distribute infostealers, RATs, and loaders.
#0761
Palo Alto Networks21 days ago5 min▣LLM reportcritical A critical vulnerability in the Google Cloud Vertex AI SDK for Python allows attackers to achieve cross-tenant Remote Code Execution (RCE) via bucket squatting. By predicting default staging bucket names and exploiting a lack of ownership verification, attackers can intercept model uploads and inject malicious pickle payloads, leading to the theft of highly privileged service account tokens.
#0760KKaspersky21 days ago7 min▣LLM reporthigh Cybercriminals are abusing the 'application wallpapers' feature of Wallpaper Engine on Steam Workshop to distribute malware, including DarkKomet, Lumma, and Vidar. The malicious wallpapers drop backdoors and patched system libraries to hijack active Steam sessions, primarily targeting gamers in China and Russia.