Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics and MCP Developers Via Malicious PyPI Wheels

, , ,

The Mini Shai-Hulud, Miasma, and Hades supply chain campaign has expanded with 23 new malicious PyPI packages targeting bioinformatics and MCP developers by using varied delivery mechanisms including trojanized native extensions and .pth startup hooks to execute obfuscated JavaScript stealers via Bun. These malware-laden packages aim to compromise developer workstations and CI/CD environments to steal credentials, tokens, SSH keys, and cloud secrets, with attackers innovating their payload deployment to evade detection and complicate forensic analysis. Security teams are advised to review affected package versions, monitor for unusual Python startup behaviors, and rotate exposed credentials to mitigate the threat.

https://socket.dev/blog/mini-shai-hulud-miasma-and-hades-worms-target-bioinformatics-and-mcp-developers-via-malicious

China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade

, ,

A China-linked threat group known as Velvet Ant backdoored critical Linux login software components PAM and OpenSSH to maintain covert access inside isolated networks for nearly a decade, starting from 2016. By altering trusted login programs themselves, the attackers bypassed traditional defenses, capturing credentials and commands without exploiting new malware, making the intrusion difficult to detect and remediate. Security experts recommend monitoring these login files for changes and verifying software integrity to detect and remove such stealthy backdoors effectively.

https://thehackernews.com/2026/06/china-linked-hackers-backdoored-linux.html

A Miner with a Side of RAT: the Unintended Gift with Your TV Show or Book

, ,

The article discusses how pirated videos, books, and shows can come bundled with hidden threats such as cryptocurrency miners and Remote Access Trojans (RATs). These malicious tools, unintentionally distributed alongside popular media content, pose significant cybersecurity risks by compromising users’ devices and potentially enabling unauthorized control or data theft.

https://securelist.com/video-books-pirates-miners-rat/119943/

Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows

,

A security researcher known as Chaotic Eclipse has released a proof-of-concept exploit for a Microsoft Defender zero-day vulnerability called RoguePlanet, which enables privilege escalation to SYSTEM access on fully patched Windows 10 and 11 machines. The exploit, a race condition, allows attackers to run arbitrary code and remains effective despite recent updates, although it currently does not work on Windows Server without modification. This disclosure follows a series of public Microsoft Defender vulnerabilities revealed by the researcher amid a dispute with Microsoft over the handling of vulnerability reports and coordinated disclosure.

https://thehackernews.com/2026/06/microsoft-defender-rogueplanet-zero-day.html

June 2026 Patch Tuesday Fixes 200 Microsoft Vulnerabilities

, ,

Microsoft's June 2026 Patch Tuesday addressed a record number of 200 vulnerabilities across its products, aiming to enhance security and mitigate risks from potential exploits. This massive update underscores the increasing complexity and volume of vulnerabilities in software ecosystems and highlights the critical need for timely patch management in cybersecurity defense.

https://thecyberexpress.com/june-2026-patch-tuesday-200-microsoft/

The Miasma Worm’s Path of Destruction

, , , ,

The Miasma worm is a new, aggressive variant of the Mini Shai-Hulud malware that has recently compromised Red Hat’s npm packages and spread to 73 Microsoft GitHub repositories, including critical Azure and Durable Task projects. It exploits legitimate GitHub OIDC tokens and valid SLSA provenance attestations to bypass traditional security defenses, weaponizes AI coding tools to propagate when infected repos are cloned, and targets cloud identities in GCP and Azure. Security teams are advised to assume credential compromise, rotate all secrets, audit environments for unauthorized activity, and implement strict dependency allowlisting and SBOMs to defend against such sophisticated supply chain attacks.

https://cloudsmith.com/blog/miasma-worms-path-of-destruction

One-Character Linux Kernel Flaw Enables Local Root Access, Exploits Now Public

,

A critical one-character use-after-free vulnerability (CVE-2026-23111) in the Linux kernel's nf_tables packet-filtering code enables local privilege escalation from an unprivileged user to root, including container breakout. The flaw, patched since February 2026, has publicly available exploits and affects distributions with nf_tables and unprivileged user namespaces enabled, requiring urgent kernel updates and reboots to mitigate risk. This issue is part of a recent surge in Linux local-root exploits, emphasizing the need to restrict unprivileged user namespaces until patches are deployed.

https://thehackernews.com/2026/06/one-character-linux-kernel-flaw-enables.html

AI Agent Uncovers 21 Zero-Days in FFmpeg; Chrome Patches Record 429 Bugs

, ,

An autonomous AI agent from security startup depthfirst discovered 21 zero-day vulnerabilities in FFmpeg, some latent for over two decades, highlighting AI's growing role in vulnerability detection. Meanwhile, Google released Chrome 149, patching a record 429 security bugs—including critical use-after-free flaws—with much of the increased workload attributed to managing a surge in AI-generated bug reports. These developments underscore the accelerating pace and volume of vulnerability discovery driven by AI, emphasizing the need for faster patch cycles and robust update mechanisms.

https://thehackernews.com/2026/06/ai-agent-uncovers-21-zero-days-in.html

Critical Hugging Face Transformers Vulnerability Enables Remote Code Execution Attacks

,

A critical vulnerability (CVE-2026-4372) in the HuggingFace Transformers library allows remote code execution via malicious model configuration files, bypassing existing security controls. This flaw affects versions 4.56.0 through 5.2.x when used with the kernels package, enabling attackers to execute arbitrary Python code during model loading from HuggingFace Hub without user consent. HuggingFace fixed the issue in version 5.3.0 and advises users to upgrade immediately and audit their environments to mitigate supply chain risks in AI workflows.

https://cybersecuritynews.com/hugging-face-rce-vulnerability/

New Gafgyt Variant Targets Multiple Linux Architectures With Modular Propagation

, ,

A new variant of the Gafgyt botnet malware, called C0XMO, has been identified targeting multiple Linux architectures by exploiting a stack buffer overflow vulnerability (CVE-2021-27137) in the UPnP service of DD-WRT router firmware. This modular malware uses architecture-specific payloads and Python-based scripts for lateral movement, allowing it to compromise a wide range of IoT and embedded devices, launch DDoS attacks, and exploit various other known vulnerabilities in devices from D-Link, GLPI project software, and Avtech DVR cameras. Users are advised to apply firmware updates, disable UPnP where unnecessary, and monitor network traffic to mitigate this ongoing threat.

https://cybersecuritynews.com/new-gafgyt-variant-targets-multiple-linux-architectures/

These Convincing Copyright Notices Are Designed to Steal Google Logins

, , , ,

A new phishing scam targets Chrome extension developers with fake copyright removal notices designed to steal Google login credentials. The scam uses publicly available extension information to create convincing personalized warnings and a fake Google sign-in window, pressuring victims to enter their credentials before a fabricated deadline. Developers are advised to verify warnings only through their Chrome Web Store dashboard and to safeguard accounts with strong authentication and security software.

https://www.malwarebytes.com/blog/threat-intel/2026/06/these-convincing-copyright-notices-are-designed-to-steal-google-logins

Attackers Use AI to Automate EDR Evasion Testing

,

Sophos X-Ops analysts discovered that an unidentified threat actor used AI-driven Python scripts to automate the testing and evasion of endpoint detection and response (EDR) tools from Sophos, CrowdStrike, and Windows Defender. This attacker created a sophisticated lab environment with multiple virtual machines to iteratively develop and refine malware capable of bypassing EDR defenses, highlighting the increasing use of AI in advanced cyberattack methods.

https://www.darkreading.com/endpoint-security/attackers-automate-edr-evasion-testing

Agentic AI Red Teaming Reveals Zero-Click Human-in-the-Loop Bypass Attack Chains

, , ,

Security researchers have discovered that agentic AI systems—AI capable of planning and executing multi-step tasks autonomously—exhibit exploitable vulnerabilities that allow attackers to bypass human-in-the-loop controls entirely, executing zero-click attack chains without user interaction. Microsoft’s year-long red teaming efforts led to an updated taxonomy identifying seven new failure modes in agentic AI, highlighting risks such as supply chain compromise, goal hijacking, and session context contamination, and recommending robust architectural mitigations including cryptographic agent verification and hardened approval processes.

https://cybersecuritynews.com/agentic-ai-red-teaming-reveals-zero-click/

Microsoft Edge Vulnerability Allows Remote Attackers to Execute Arbitrary Code

, ,

Microsoft has released a critical security update for Microsoft Edge addressing a vulnerability (CVE-2026-45495) that allows remote attackers to execute arbitrary code by exploiting improper validation of user-supplied file paths in feedback log processing. The flaw, requiring user interaction such as visiting a malicious webpage or opening a crafted file, could enable attackers to run code with the current user's privileges, leading to risks like data theft and local persistence; users and administrators are urged to apply the patch immediately.

https://cybersecuritynews.com/microsoft-edge-vulnerability-code-execution/

Unpatched Windows Search URI Vulnerability Lets Attackers Steal NTLMv2 Hashes

, ,

A newly disclosed, unpatched vulnerability in the Windows Search URI handler allows attackers to steal users' NTLMv2 hashes by inducing them to click specially crafted links that connect to malicious SMB servers. This issue, similar to a previously patched flaw in the Windows Snipping Tool, poses risks of relay attacks and deeper network access, but Microsoft has declined to issue a fix, recommending mitigations like blocking outbound SMB traffic and disabling NTLM where possible.

https://thehackernews.com/2026/06/unpatched-windows-search-uri.html

Scroll to Top