119 Edge Extensions Promised Useful Tools, Instead Downloaded Malware

Microsoft removed 119 malicious Edge browser extensions linked to a large adware campaign that tricked 2.6 million users into installing them. These extensions initially provided promised features like ad blocking and VPNs, but later secretly downloaded malware that stole credentials, hijacked sessions, and conducted ad fraud, employing stealth techniques such as hiding code in images and limiting malicious activity to avoid detection. Users are advised to exercise caution when installing extensions and use up-to-date security solutions to detect and remove such threats.

https://www.malwarebytes.com/blog/news/2026/06/119-edge-extensions-promised-useful-tools-instead-downloaded-malware

Public PoC Released for Critical Libssh2 CVE-2026-55200 Client-Side SSH Flaw

A critical vulnerability (CVE-2026-55200) in the libssh2 client-side SSH library allows a malicious SSH server to trigger memory corruption and potentially execute code on the client without user interaction or credentials. The flaw, present in all versions up to 1.11.1, arises from improper bounds checking on packet length during the SSH handshake, leading to an out-of-bounds heap write. A patch has been merged but not yet officially released; security advisories urge organizations to inventory software that links libssh2, apply vendor or distribution backports, restrict SSH connections to trusted servers, and monitor for anomalous behavior.

https://thehackernews.com/2026/06/public-poc-released-for-critical.html

Nearly a Million Passports Just Exposed on the Public Internet—and Anyone Could Access Them with a Simple URL

Nearly a million passports and photo IDs from multiple European countries were exposed on public web servers without any authentication, encryption, or access controls, allowing anyone with a URL to access these sensitive documents for months. The data, collected for age verification by the company Nefos and associated cannabis clubs, remained vulnerable due to critical security misconfigurations, raising significant risks of identity theft and document fraud for affected individuals. This incident highlights severe failures in data stewardship and compliance with established security standards for handling identity verification information.

https://cambridgeanalytica.org/data-breaches-scandals/passports-driver-licenses-exposed-public-internet-2026-51096/

The Booking.com Phishing Campaign Targeting Hotels and Customers

Since January 2026, a phishing campaign has targeted hotels and their customers by impersonating Booking.com to conduct financial fraud. The attack unfolds in three stages: initial phishing emails sent to hotel partners to harvest credentials via a partner phishing kit, followed by customer-targeted phishing to steal financial information, delivered in part through WhatsApp. The campaign uses domain spoofing, typosquatting, and advanced evasion techniques such as user fingerprinting to avoid detection, posing significant risks to the hospitality sector.

https://www.bridewell.com/insights/blogs/detail/the-booking.com-phishing-campaign-targeting-hotels-and-customers

Clean GitHub Repo Tricks AI Coding Agents Into Running Malware

Researchers at Mozilla's 0DIN AI security platform demonstrated that an attacker can trick AI coding agents like Claude Code into executing malicious shell commands when they clone and set up a clean-looking GitHub repository that contains no explicit malware. The attack exploits a multi-step setup process in which an initialization command triggers a shell script that fetches and executes a remote payload from an attacker-controlled DNS TXT record, ultimately granting the attacker interactive shell access with developer privileges. This method evades detection by security scanners, AI agents, and human reviewers, raising concerns about the security of AI-assisted development and prompting recommendations for greater transparency in automated execution chains.

https://www.bleepingcomputer.com/news/security/clean-github-repo-tricks-ai-coding-agents-into-running-malware/

Cybersecurity Firms Targeted by Fraudulent OpenAI Organization Invites

Threat actors have been creating fraudulent OpenAI ChatGPT organizations impersonating legitimate companies, such as Push Security, to send legitimate-looking invitations to targeted employees with the goal of tricking them into sharing sensitive company information. These attacker-controlled tenants assign invitees administrative privileges and include payment methods to appear credible, enabling them to collect confidential data submitted within the workspace. Security experts warn this reflects a growing tactic of abusing legitimate SaaS invitation systems to bypass email security measures and recommend staff training and monitoring of SaaS memberships to mitigate risks.

https://www.bleepingcomputer.com/news/security/cybersecurity-firms-targeted-by-fraudulent-openai-organization-invites/

New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root Via Cloned Packets

A newly disclosed Linux kernel vulnerability called DirtyClone (CVE-2026-43503) allows local users to escalate privileges to root by exploiting a flaw in the handling of cloned network packets that share file-backed memory. Attackers with CAP_NET_ADMIN can manipulate in-memory copies of privileged binaries without altering the disk files, evading detection and gaining root access once the binaries are executed. The Linux kernel patch fixing this issue was released in May 2026, and users are urged to apply updates or restrict unprivileged user namespaces to mitigate the risk.

https://thehackernews.com/2026/06/new-dirtyclone-linux-kernel-flaw-lets.html

Mirage2FA Phishing Kit Uses HTML Smuggling to Steal Microsoft 365 Credentials

Researchers at Fortra uncovered Mirage2FA, a phishing kit that uses HTML smuggling and obfuscated JavaScript to deploy fake Microsoft 365 login pages, tricking users into submitting credentials and multi-factor authentication details. The campaign employs business-themed lures and short-lived domains to carry out Microsoft 365 account takeovers, potentially exposing email, files, Teams messages, and other cloud resources. Users affected are advised to reset passwords, revoke sessions, review MFA methods, and check for unauthorized mailbox access.

https://www.helpnetsecurity.com/2026/06/26/mirage2fa-phishing-kit-microsoft-365-html-smuggling/

What Do Ports Hear When Nobody’s Listening? An Assessment of Automated Cybercrime

An analysis of honeypot data reveals that the background noise of automated scans on public-facing ports is a complex, multi-tiered ecosystem of botnets and malware campaigns, ranging from rudimentary IoT exploits to sophisticated fileless attacks targeting both consumer devices and enterprise infrastructure. Operators like Terrabot and r00ts3c demonstrate flawed but persistent automation exploiting known vulnerabilities, while advanced campaigns like RondoDox use decentralized residential bots to conduct coordinated, evolving attacks with techniques such as Log4Shell evasion and targeted command injection. This ongoing shadow economy relies on high-volume automation and imperfections in defenses to maintain persistence and adapt, highlighting the importance of monitoring structural patterns in network noise for effective threat detection.

https://isc.sans.edu/diary/33104?n

Europe Evolves Into Ransomware’s Favorite Region

Ransomware attacks in Europe surged by 55% in early 2026 compared to the previous year, with 684 incidents recorded by Black Kite across the continent, particularly targeting major economies like the UK, Germany, France, Italy, and Spain. Attackers are focusing on manufacturing and digital services sectors to exploit supply chain vulnerabilities, and growing reliance on third- and multi-tier vendors increases organizational risk, highlighting the need for enhanced visibility and risk management across entire vendor ecosystems.

https://www.darkreading.com/cybersecurity-analytics/europe-evolves-ransomware-favorite-region

Vulnerability Reports Are Not Special Anymore

Filippo Valsorda argues that vulnerability reports have lost their special status due to advances in large language models (LLMs), which can now identify potential security issues as effectively as human researchers. This shift diminishes the scarcity and confidentiality that once made vulnerability reports valuable, making the main challenge for maintainers triage and remediation rather than discovery. The article suggests security teams should adapt by focusing on rapid assessment and integrating automated LLM analysis into their workflows while recognizing some high-severity or trusted-source reports still require special handling.

https://words.filippo.io/vuln-reports/

‘Deepfake as a Service’ Sees 39% Spike in Dark Web Conversations — and Experts Fear It Will Fuel the Next Wave of “Fake Boss” Scams

Discussions about “deepfake as a service” have surged by 39% on dark web forums, raising concerns among experts that this trend could intensify “fake boss” scams, where attackers impersonate executives to deceive employees. The rise of easily accessible deepfake technology lowers barriers for cybercriminals to conduct sophisticated social engineering attacks. Experts warn that this development may lead to more convincing and frequent fraud attempts targeting organizations.

https://www.techradar.com/pro/security/deepfake-as-a-service-sees-39-percent-spike-in-dark-web-conversations-and-experts-fear-it-will-fuel-the-next-wave-of-fake-boss-scams

Hundreds of AI-powered iOS Apps Found Exposing Credentials

Researchers from Wake Forest University analyzed 444 iOS apps with AI features and found that 282 exposed exploitable credentials or backend access, affecting diverse categories like productivity and health. Despite responsible disclosure, only 28% of the vulnerable apps remediated the issue, while 23% remained exploitable due to lack of action or flawed authentication. The study highlights systemic credential leakage in AI-powered iOS apps, posing ongoing security risks beyond individual developers and providers.

https://www.helpnetsecurity.com/2026/06/22/llm-api-credential-leakage-ios-apps/

OpenAI Expands Daybreak With GPT-5.5-Cyber to Help Defenders Patch Security Flaws

OpenAI has released an enhanced GPT-5.5-Cyber model through its Daybreak initiative to assist trusted defenders in identifying, validating, and patching software vulnerabilities across large codebases. Alongside an updated Codex Security plugin, this cybersecurity tool streamlines vulnerability detection, triage, and remediation, while the new Patch the Planet project partners with open-source communities to improve security by collaboratively developing and deploying patches. These efforts address the rapid escalation of vulnerabilities accelerated by AI, aiming to support maintainers in securing critical infrastructure despite increasing exploitation risks from advanced threat actors.

https://thehackernews.com/2026/06/openai-expands-daybreak-with-gpt-55.html

What the Latest ShinyHunters Breaches Reveal About Modern Cyberattacks

The recent breaches attributed to the ShinyHunters cybercrime group highlight a shift in modern cyberattacks toward exploiting identities, authentication workflows, and SaaS integrations rather than traditional software vulnerabilities. Attackers increasingly use stolen credentials, compromised OAuth tokens, social engineering, and abuse of legitimate access privileges to bypass perimeter defenses, demonstrating that identity has become the primary battleground in enterprise security. This trend exposes limitations in conventional security tools and underscores the need for continuous identity threat detection, risk-based authentication, and stricter access governance to prevent and mitigate such identity-centric attacks.

https://www.securityweek.com/what-the-latest-shinyhunters-breaches-reveal-about-modern-cyberattacks/