Threat Intel

www.bleepingcomputer.com/news/secu… Summary: Global threat researchers have documented a staggering 37-fold increase in sophisticated device code authentication phishing campaigns targeting cloud environment credentials. Historically a tool reserved for elite nation-state threat vectors, the rapid commercialization of 18 distinct pre-packaged phishing kits on underground forums has democratized the technique for mainstream cybercriminals. The attack method exploits the legitimate OAuth device code flow, tricking users into inputting a single activation code into genuine verification pages, which immediately generates full enterprise tenant access tokens that bypass traditional multi-factor endpoint protection rings. Keywords: #Phishing #OAuth #DeviceCode #MFA_Bypass #CloudSecurity #CyberCrime #AccessManagement #CredentialTheft

www.securityweek.com/openai-un… Summary: OpenAI has officially introduced GPT-5.6 Sol, an advanced neural model architecture trained specifically for real-time cyber defense operations and automated threat mitigation. Unlike generic text generation engines, the model features a specialized multi-agent swarm logic optimized to digest continuous binary code dumps, analyze system call behaviors, and generate functional firewall adjustments at machine speed. The platform’s deployment marks a shift towards autonomous threat hunting, though researchers note its deep knowledge of zero-day bug synthesis poses double-edged compliance challenges. Keywords: #ArtificialIntelligence #OpenAI #GPT5 #CyberDefense #AutonomousSecurity #AutomatedPatching #ThreatHunting #Infosec

www.bleepingcomputer.com/news/secu… Summary: E-commerce security monitors have detected an active exploitation campaign targeting the Shopify Shop application infrastructure to plant fraudulent order confirmations directly inside consumers' history lists. Threat actors are manipulating open merchant api access endpoints to register fake purchases without routing through genuine payment verification gateways. Unsuspecting consumers seeing unexpected high-dollar orders inside their native tracking app are lured into clicking embedded links or calling fraudulent helpline centers, exposing them to aggressive malware installers and personal credential harvesting traps. Keywords: #Shopify #ECommerceFraud #AppSecurity #API_Abuse #Phishing #MalwareDelivery #ConsumerSecurity

1. FBI Warns Russian Intelligence Hackers Target Signal Backup Recovery Keys

• Original URL: [https://thehackernews.com/2026/06/fbi-warns-russian-intelligence-hackers.html](https://thehackernews.com/2026/06/fbi-warns-russian-intelligence-hackers.html)
• Summary: The FBI and CISA have issued an updated advisory warning that Russian state-sponsored threat groups (including UNC5792 and UNC4221) are actively targeting Signal messaging accounts via credential-phishing campaigns. Attackers are using social engineering to trick users into revealing their Signal Backup Recovery Keys, which allows the adversaries to permanently hijack accounts, restore complete message histories, and continue monitoring communication even if a user attempts to recreate their account. To mitigate this threat, users must generate a completely new recovery key within their Signal security settings, an action that instantly revokes the access privileges of any previously compromised keys.
• Keywords: #CyberSecurity #SignalApp #Phishing #Infosec #CISA #FBI #RussianHackers #DataPrivacy #ThreatIntelligence

2. Self-Destructing Mistic Backdoor Linked to Access Broker Selling Corporate Footholds

• Original URL: [https://www.theregister.com/security/2026/06/25/self-destructing-mistic-backdoor-linked-to-access-broker-selling-corporate-footholds-to-ransomware-gangs/](https://www.theregister.com/security/2026/06/25/self-destructing-mistic-backdoor-linked-to-access-broker-selling-corporate-footholds-to-ransomware-gangs/)
• Summary: A newly discovered, highly evasive backdoor known as “Mistic” (or MLTBackdoor) is being deployed across multiple corporate networks, including organizations within the IT, insurance, and education sectors. Security researchers from Symantec, Carbon Black, and Zscaler have linked the malware to a financially motivated initial access broker tracked as KongTuke (or Woodgnat), who specializes in establishing early network footprints to sell to ransomware syndicates. Mistic stands out due to its built-in self-destruction mechanisms, which erase its tracks following initial deployment to complicate forensic investigations while facilitating lateral movement within target environments.
• Keywords: #Malware #Ransomware #InitialAccessBroker #MisticBackdoor #ThreatHunting #EnterpriseSecurity #Infosec #CyberCrime

3. CISA Sets Urgent Deadline to Fix Cisco Flaw Exploited in Attacks

• Original URL: [https://www.bleepingcomputer.com/news/security/cisa-sets-urgent-deadline-to-fix-cisco-flaw-exploited-in-attacks/](https://www.bleepingcomputer.com/news/security/cisa-sets-urgent-deadline-to-fix-cisco-flaw-exploited-in-attacks/)
• Summary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Cisco flaw to its Known Exploited Vulnerabilities catalog, imposing an urgent patching deadline for federal agencies. The vulnerability, tracked as CVE-2026-20230, is a critical server-side request forgery (SSRF) flaw in the Cisco Unified Communications Manager Server that permits unauthenticated, remote attackers to execute malicious actions via custom HTTP requests. While Cisco initially patch-released the flaw with no evidence of active exploits, threat detection firm Defused recently caught threat actors actively leveraging the vulnerability to write arbitrary text files directly onto vulnerable network endpoints.
• Keywords: #Cisco #Vulnerability #PatchTuesday #CISA #KEV #SSRF #NetworkSecurity #ITSecurity #FederalCyber

4. New Initiative Tackles Security for End-of-Life Open Source Software

• Original URL: [https://www.darkreading.com/application-security/initiative-tackles-security-end-of-life-open-source](https://www.darkreading.com/application-security/initiative-tackles-security-end-of-life-open-source)
• Summary: The Commonhaus Foundation has officially introduced the Open Source Sustainability Initiative (OSSI) to confront the systemic security risks associated with abandoned and end-of-life (EOL) open-source projects. Because standard enterprises utilize hundreds of open-source dependencies, managing security patches becomes highly error-prone once development teams stop maintaining original repositories. The OSSI aims to establish a structured, collaborative framework to track, secure, and retroactively patch vulnerable code in widely used legacy projects, minimizing the attack surface for enterprise supply chains.
• Keywords: #OpenSource #SoftwareSupplyChain #AppSec #Commonhaus #OSSI #CyberResilience #VulnerabilityManagement #EnterpriseSoftware

5. Clean GitHub Repo Tricks AI Coding Agents Into Running Malware

• Original URL: [https://www.bleepingcomputer.com/news/security/clean-github-repo-tricks-ai-coding-agents-into-running-malware/](https://www.bleepingcomputer.com/news/security/clean-github-repo-tricks-ai-coding-agents-into-running-malware/)
• Summary: Security researchers at Mozilla’s Zero Day Investigative Network (0DIN) have demonstrated a novel prompt injection attack vector that completely bypasses code scanners by tricking AI coding assistants into generating and running local malware. Instead of containing malicious code, the target GitHub repository remains entirely clean; instead, it relies on indirect prompt instructions that manipulate the AI agent during setup into creating an unintended local vulnerability. Once executed by an automated tool like Claude Code, the attack grants the adversary a localized terminal shell functioning with the host developer’s system privileges, giving them direct access to local API keys, environment variables, and files.
• Keywords: #AISecurity #GitHub #PromptInjection #LLM #ArtificialIntelligence #SoftwareDevelopment #DevSecOps #Mozilla #0DIN

6. Microsoft Removes 119 Edge Extensions That Hid Malware in Images and Fonts

• Original URL: [https://thehackernews.com/2026/06/microsoft-removes-119-edge-extensions.html](https://thehackernews.com/2026/06/microsoft-removes-119-edge-extensions.html)
• Summary: Microsoft has shut down a long-running malicious extension operation on the Edge Add-ons store that hid its payloads inside ordinary image and font files, then woke up days after install to steal credentials and run ad fraud. The company calls it StegoAd, a mash-up of steganography and adware, and ties 119 extensions to a single threat actor it says has been active since at least 2021. The extensions were disguised as common utilities like ad blockers, VPNs, and translators, which performed their stated tasks to gain positive reviews while remaining dormant until clearing evasion checks.
• Keywords: #Malware #BrowserExtensions #Steganography #MicrosoftEdge #AdFraud #CredentialTheft #SupplyChainAttack #Infosec

7. Hijacked npm and Go Packages Use VS Code Tasks to Deploy Python Infostealer

• Original URL: [https://thehackernews.com/2026/06/hijacked-npm-and-go-packages-use-vs.html](https://thehackernews.com/2026/06/hijacked-npm-and-go-packages-use-vs.html)
• Summary: Cybersecurity researchers have uncovered a new ecosystem supply chain attack involving hijacked npm and Go packages designed to deploy a Python-based information stealer on compromised Windows, Linux, and macOS hosts. To evade the typical script detection mechanisms implemented to harden security registries, the malware strategically avoids common execution paths and hides its initialization logic inside an automatic Microsoft Visual Studio Code workspace configuration file. Once a developer simply opens the project directory inside their IDE, the hidden task triggers automatically, fetching malicious code from blockchain records and granting the threat actors a direct command shell.
• Keywords: #SupplyChainAttack #Malware #VSCode #DeveloperSecurity #Python #npm #GoLang #Infostealer #DevSecOps

8. US Seizes Hundreds of FIFA World Cup Illegal Streaming Domains

• Original URL: [https://www.bleepingcomputer.com/news/security/us-seizes-hundreds-of-fifa-world-cup-illegal-streaming-domains/](https://www.bleepingcomputer.com/news/security/us-seizes-hundreds-of-fifa-world-cup-illegal-streaming-domains/)
• Summary: The U.S. Department of Justice has executed a massive coordinated enforcement action dubbed “Operation Offsides,” seizing nearly 400 web domains that were providing illegal, real-time streams of World Cup soccer matches. Working alongside law enforcement networks across Peru, Bulgaria, Croatia, Romania, Poland, and Colombia, federal agents targeted infrastructure that infringed on global broadcasting copyright protections. Beyond media piracy, Homeland Security Investigations (HSI) warned that these unauthorized streaming platforms aggressively expose users to hidden drive-by malware infections and insecure browser connections engineered to harvest financial details.
• Keywords: #DomainSeizure #CyberCrime #LawEnforcement #DOJ #WorldCup #Malware #CopyrightInfringement #Piracy

9. Active Phishing Campaign Exploits Calendly and Photo ZIP Files to Target Hotels

• Original URL: [https://www.rescana.com/post/klue-supply-chain-breach-exposes-oauth-tokens-and-salesforce-data-in-multi-stage-cybersecurity-incident-june-2026](https://www.rescana.com/post/klue-supply-chain-breach-exposes-oauth-tokens-and-salesforce-data-in-multi-stage-cybersecurity-incident-june-2026)
• Summary: Microsoft has issued an active alert to the global hospitality sector warning of a coordinated phishing campaign that abuses common scheduling applications like Calendly to drop dangerous Node.js malware. Attackers are posing as prospective corporate clients or wedding parties to schedule appointments, leveraging the booking platforms to share highly realistic compressed “photo archives” containing malicious configuration files. Once executed by unsuspecting hotel booking agents, the payload installs a flexible Node.js infostealer designed to bypass memory protections, sweep web browser caches, and extract corporate credit card data.
• Keywords: #Phishing #Malware #HospitalitySector #Calendly #NodeJS #SocialEngineering #DataTheft #MicrosoftSecurity

10. Klue Supply Chain Breach Exposes OAuth Tokens and Salesforce Data

• Original URL: [https://www.rescana.com/post/klue-supply-chain-breach-exposes-oauth-tokens-and-salesforce-data-in-multi-stage-cybersecurity-incident-june-2026](https://www.rescana.com/post/klue-supply-chain-breach-exposes-oauth-tokens-and-salesforce-data-in-multi-stage-cybersecurity-incident-june-2026)
• Summary: A significant multi-stage supply chain breach has compromised the market intelligence SaaS platform Klue, leading to the unauthorized collection of active OAuth tokens and data exfiltration impacting approximately 200 client organizations. A threat group identified as Icarus gained initial entry by exploiting an inactive legacy administrative credential to inject malicious code directly into Klue’s core synchronization infrastructure. Armed with the stolen OAuth access tokens, the threat actors systematically pivoted to download sensitive CRM records from client environments, subsequently posting the data on a Tor leak site for double-extortion.
• Keywords: #SupplyChainAttack #OAuth #DataBreach #Salesforce #SaaS #ThreatIntelligence #Extortion #CloudSecurity

11. Amazon Q Developer Extension Flaw Enables Cloud Credential Theft

• Original URL: [https://cisoseries.com/cybersecurity-news-cisas-cisco-deadline-chinas-mythos-competitor-amazon-q-flaw/](https://cisoseries.com/cybersecurity-news-cisas-cisco-deadline-chinas-mythos-competitor-amazon-q-flaw/)
• Summary: Security researchers at Wiz have publicly disclosed a high-severity flaw within Amazon’s Q Developer AI-assisted coding extension for Visual Studio Code that opens developers up to immediate cloud credential theft. The underlying vulnerability stems from the extension’s behavior of automatically evaluating workspace configuration parameters without checking for manual user authorization when a new project folder is initialized. By enticing software engineers to clone an intentionally booby-trapped repository, attackers can force the IDE extension to execute automated system commands in the background to harvest local cloud access keys.
• Keywords: #AmazonQ #Wiz #Vulnerability #CloudSecurity #AISecurity #VSCode #DevSecOps #CredentialTheft

12. Qihoo 360 Announces Tulongfeng Multi-Agent Swarm to Challenge US AI Security

• Original URL: [https://cisoseries.com/cybersecurity-news-cisas-cisco-deadline-chinas-mythos-competitor-amazon-q-flaw/](https://cisoseries.com/cybersecurity-news-cisas-cisco-deadline-chinas-mythos-competitor-amazon-q-flaw/)
• Summary: Chinese cybersecurity giant Qihoo 360 has unveiled its newest defensive security platform, dubbed “Tulongfeng,” engineered as an adversarial alternative to frontier American code evaluation tools like Anthropic’s Claude Mythos. Presented at the Beijing Cybersecurity Conference, the platform leverages a highly specialized multi-agent swarm trained exclusively on Qihoo’s massive internal repository of historical malware variants and software bugs. The developer team claims this custom architecture is finding critical vulnerabilities across open-source and enterprise-tier platforms at machine speeds, bypassing the computational overhead of generic LLMs.
• Keywords: #ArtificialIntelligence #Qihoo360 #Tulongfeng #VulnerabilityHunting #ZeroDay #TechGeopolitics #AIModel #Infosec

13. KDDI Data Breach Impacts Up to 14.2 Million Accounts in Japan

• Original URL: [https://www.bleepingcomputer.com/news/security/data-breach-exposes-up-to-142-million-email-logins-at-six-isps/](https://www.bleepingcomputer.com/news/security/data-breach-exposes-up-to-142-million-email-logins-at-six-isps/)
• Summary: Major Japanese telecommunications operator KDDI Corporation has disclosed a massive data breach affecting up to 14.2 million email accounts spread across six distinct internet service providers (ISPs). Cybercriminals successfully compromised the systems by exploiting a newly identified software vulnerability within a shared third-party email administration module utilized by the networks. KDDI has patched the direct system vulnerability and is actively coordinating with data privacy authorities to notify impacted subscribers of potential credential theft and incoming phishing risks.
• Keywords: #DataBreach #TelecomSecurity #KDDI #DataPrivacy #JapanCyber #Vulnerability #SupplyChainRisk #EmailSecurity

14. Active Exploitation Alert Issued for Cisco CUCM SSRF-RCE Flaw

• Original URL: [https://www.rescana.com/post/klue-supply-chain-breach-exposes-oauth-tokens-and-salesforce-data-in-multi-stage-cybersecurity-incident-june-2026](https://www.rescana.com/post/klue-supply-chain-breach-exposes-oauth-tokens-and-salesforce-data-in-multi-stage-cybersecurity-incident-june-2026)
• Summary: Threat monitors have issued an updated advisory following the rapid weaponization of CVE-2026-20230, a server-side request forgery (SSRF) flaw in Cisco’s Unified Communications Manager (CUCM). Within 24 hours of public exploitation proof-of-concepts, automated exploitation scripts were detected scanning the internet and actively dropping weaponized HTTP requests onto enterprise servers. Attackers are currently leveraging the unauthenticated flaw to write arbitrary system files directly onto endpoints, which can lead to localized remote code execution (RCE) and full communication server compromise.
• Keywords: #Cisco #CUCM #ExploitAlert #SSRF #RemoteCodeExecution #ZeroDay #PatchManagement #NetworkHardening

15. JP Morgan Warns Cybersecurity Now Outpaces Credit Risks for Major US Banks

• Original URL: [https://uk.finance.yahoo.com/news/jp-morgan-warns-cybersecurity-bigger-110200388.html](https://uk.finance.yahoo.com/news/jp-morgan-warns-cybersecurity-bigger-110200388.html)
• Summary: In a comprehensive analytical briefing sent to institutional investors, JP Morgan’s European equity research group has warned that systemic cybersecurity threats now pose a fundamentally greater risk to banking stability than traditional credit default risks. The firm highlights that while conventional loan losses and asset risks are heavily modeled and calculated within current banking valuations, the financial and reputational liabilities of automated ransomware or infrastructure hacks remain dangerously understated. The report calls for regulatory bodies to introduce market valuation premiums for financial institutions that demonstrate quantifiable cyber-resilience frameworks.
• Keywords: #BankingSecurity #FinSec #JPMorgan #RiskManagement #Ransomware #FinancialServices #CyberEconomics #EnterpriseRisk