ClickFix Campaigns Expand Malware Delivery With New Loaders and Fake Update Lures

,

Recent ClickFix malware campaigns have expanded their delivery methods using new loaders—BabaDeda, Lorem Ipsum, and Potemkin—deployed via fake update lures and compromised websites. These campaigns employ sophisticated techniques like PowerShell execution, DLL side-loading, and domain generation algorithms to deploy information stealers, remote access trojans, and ransomware, targeting diverse sectors including education, finance, and legal services. Despite disruptions to previous malware-signing operations, threat actors have adapted by shifting to ClickFix social engineering attacks that exploit user trust to execute malicious payloads and maintain persistent access.

https://thehackernews.com/2026/06/clickfix-campaigns-expand-malware.html

Amazon Security Research Reportedly Led to the White House’s Anthropic Fable Ban

, ,

Amazon's security research reportedly prompted the White House to impose export controls restricting foreign access to Anthropic's AI models Fable 5 and Mythos 5 after Amazon demonstrated the models could be manipulated to provide information useful for cyberattacks. CEO Andy Jassy's discussions with U.S. officials led to the directive, although Anthropic has contested the characterization of these vulnerabilities, noting similar issues exist in other publicly available models like GPT 5.5. This move has raised concerns as many of Anthropic’s researchers are foreign-born, effectively barring them from their own AI tools amid ongoing tensions between the company and the U.S. government.

https://www.theverge.com/ai-artificial-intelligence/949601/amazon-anthropic-fablemythos-government-ban

Crooks Found a New Way to Collaborate Using Teams – by Hiding Command-and-Control Traffic

, ,

Researchers at Symantec discovered that DragonForce ransomware operators used a custom Go-based backdoor called Backdoor.Turn to hide command-and-control communications within legitimate Microsoft Teams traffic, effectively disguising malicious activity as routine corporate collaboration. The malware leveraged Microsoft Teams and Skype infrastructure, including TURN relay servers and QUIC connections, to evade detection while maintaining persistent access to a major US services company's network over two months. This represents the first known instance of malware using Microsoft Teams for covert command-and-control communication.

https://www.theregister.com/cyber-crime/2026/06/16/crooks-found-a-new-way-to-collaborate-using-teams-by-hiding-command-and-control-traffic/5256296

A Backdoor in a LinkedIn Job Offer

, , , , ,

A LinkedIn message from a recruiter at a crypto startup led Roman Imankulov to analyze a suspicious GitHub repo purportedly needing a Node modules review. The repo contained a hidden backdoor in a test file that executed arbitrary code fetched from a remote server whenever dependencies were installed, triggered by an npm lifecycle script. The repo and recruiter used stolen identities, highlighting the risk of supply-chain and social engineering attacks via seemingly legitimate job offers.

https://roman.pt/posts/linkedin-backdoor/

Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics and MCP Developers Via Malicious PyPI Wheels

, , ,

The Mini Shai-Hulud, Miasma, and Hades supply chain campaign has expanded with 23 new malicious PyPI packages targeting bioinformatics and MCP developers by using varied delivery mechanisms including trojanized native extensions and .pth startup hooks to execute obfuscated JavaScript stealers via Bun. These malware-laden packages aim to compromise developer workstations and CI/CD environments to steal credentials, tokens, SSH keys, and cloud secrets, with attackers innovating their payload deployment to evade detection and complicate forensic analysis. Security teams are advised to review affected package versions, monitor for unusual Python startup behaviors, and rotate exposed credentials to mitigate the threat.

https://socket.dev/blog/mini-shai-hulud-miasma-and-hades-worms-target-bioinformatics-and-mcp-developers-via-malicious

China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade

, ,

A China-linked threat group known as Velvet Ant backdoored critical Linux login software components PAM and OpenSSH to maintain covert access inside isolated networks for nearly a decade, starting from 2016. By altering trusted login programs themselves, the attackers bypassed traditional defenses, capturing credentials and commands without exploiting new malware, making the intrusion difficult to detect and remediate. Security experts recommend monitoring these login files for changes and verifying software integrity to detect and remove such stealthy backdoors effectively.

https://thehackernews.com/2026/06/china-linked-hackers-backdoored-linux.html

A Miner with a Side of RAT: the Unintended Gift with Your TV Show or Book

, ,

The article discusses how pirated videos, books, and shows can come bundled with hidden threats such as cryptocurrency miners and Remote Access Trojans (RATs). These malicious tools, unintentionally distributed alongside popular media content, pose significant cybersecurity risks by compromising users’ devices and potentially enabling unauthorized control or data theft.

https://securelist.com/video-books-pirates-miners-rat/119943/

Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows

,

A security researcher known as Chaotic Eclipse has released a proof-of-concept exploit for a Microsoft Defender zero-day vulnerability called RoguePlanet, which enables privilege escalation to SYSTEM access on fully patched Windows 10 and 11 machines. The exploit, a race condition, allows attackers to run arbitrary code and remains effective despite recent updates, although it currently does not work on Windows Server without modification. This disclosure follows a series of public Microsoft Defender vulnerabilities revealed by the researcher amid a dispute with Microsoft over the handling of vulnerability reports and coordinated disclosure.

https://thehackernews.com/2026/06/microsoft-defender-rogueplanet-zero-day.html

June 2026 Patch Tuesday Fixes 200 Microsoft Vulnerabilities

, ,

Microsoft's June 2026 Patch Tuesday addressed a record number of 200 vulnerabilities across its products, aiming to enhance security and mitigate risks from potential exploits. This massive update underscores the increasing complexity and volume of vulnerabilities in software ecosystems and highlights the critical need for timely patch management in cybersecurity defense.

https://thecyberexpress.com/june-2026-patch-tuesday-200-microsoft/

The Miasma Worm’s Path of Destruction

, , , ,

The Miasma worm is a new, aggressive variant of the Mini Shai-Hulud malware that has recently compromised Red Hat’s npm packages and spread to 73 Microsoft GitHub repositories, including critical Azure and Durable Task projects. It exploits legitimate GitHub OIDC tokens and valid SLSA provenance attestations to bypass traditional security defenses, weaponizes AI coding tools to propagate when infected repos are cloned, and targets cloud identities in GCP and Azure. Security teams are advised to assume credential compromise, rotate all secrets, audit environments for unauthorized activity, and implement strict dependency allowlisting and SBOMs to defend against such sophisticated supply chain attacks.

https://cloudsmith.com/blog/miasma-worms-path-of-destruction

One-Character Linux Kernel Flaw Enables Local Root Access, Exploits Now Public

,

A critical one-character use-after-free vulnerability (CVE-2026-23111) in the Linux kernel's nf_tables packet-filtering code enables local privilege escalation from an unprivileged user to root, including container breakout. The flaw, patched since February 2026, has publicly available exploits and affects distributions with nf_tables and unprivileged user namespaces enabled, requiring urgent kernel updates and reboots to mitigate risk. This issue is part of a recent surge in Linux local-root exploits, emphasizing the need to restrict unprivileged user namespaces until patches are deployed.

https://thehackernews.com/2026/06/one-character-linux-kernel-flaw-enables.html

AI Agent Uncovers 21 Zero-Days in FFmpeg; Chrome Patches Record 429 Bugs

, ,

An autonomous AI agent from security startup depthfirst discovered 21 zero-day vulnerabilities in FFmpeg, some latent for over two decades, highlighting AI's growing role in vulnerability detection. Meanwhile, Google released Chrome 149, patching a record 429 security bugs—including critical use-after-free flaws—with much of the increased workload attributed to managing a surge in AI-generated bug reports. These developments underscore the accelerating pace and volume of vulnerability discovery driven by AI, emphasizing the need for faster patch cycles and robust update mechanisms.

https://thehackernews.com/2026/06/ai-agent-uncovers-21-zero-days-in.html

Critical Hugging Face Transformers Vulnerability Enables Remote Code Execution Attacks

,

A critical vulnerability (CVE-2026-4372) in the HuggingFace Transformers library allows remote code execution via malicious model configuration files, bypassing existing security controls. This flaw affects versions 4.56.0 through 5.2.x when used with the kernels package, enabling attackers to execute arbitrary Python code during model loading from HuggingFace Hub without user consent. HuggingFace fixed the issue in version 5.3.0 and advises users to upgrade immediately and audit their environments to mitigate supply chain risks in AI workflows.

https://cybersecuritynews.com/hugging-face-rce-vulnerability/

New Gafgyt Variant Targets Multiple Linux Architectures With Modular Propagation

, ,

A new variant of the Gafgyt botnet malware, called C0XMO, has been identified targeting multiple Linux architectures by exploiting a stack buffer overflow vulnerability (CVE-2021-27137) in the UPnP service of DD-WRT router firmware. This modular malware uses architecture-specific payloads and Python-based scripts for lateral movement, allowing it to compromise a wide range of IoT and embedded devices, launch DDoS attacks, and exploit various other known vulnerabilities in devices from D-Link, GLPI project software, and Avtech DVR cameras. Users are advised to apply firmware updates, disable UPnP where unnecessary, and monitor network traffic to mitigate this ongoing threat.

https://cybersecuritynews.com/new-gafgyt-variant-targets-multiple-linux-architectures/

These Convincing Copyright Notices Are Designed to Steal Google Logins

, , , ,

A new phishing scam targets Chrome extension developers with fake copyright removal notices designed to steal Google login credentials. The scam uses publicly available extension information to create convincing personalized warnings and a fake Google sign-in window, pressuring victims to enter their credentials before a fabricated deadline. Developers are advised to verify warnings only through their Chrome Web Store dashboard and to safeguard accounts with strong authentication and security software.

https://www.malwarebytes.com/blog/threat-intel/2026/06/these-convincing-copyright-notices-are-designed-to-steal-google-logins

Scroll to Top