QiAnXin's XLab team has identified a Rust-written, two-stage botnet called RustDuck quietly enlisting home routers, IP cameras, Android TV boxes, and exposed Linux servers into a DDoS-for-hire operation. The headline isn't the size of the swarm. It's how fast the code is changing.

Microsoft's threat research team caught a malicious Chrome extension impersonating Perplexity AI — one that silently intercepted omnibox input, character by character, before users ever saw a search result.

JFrog researchers found attackers who compromised two legitimate npm maintainer accounts and built a Go module cluster to deliver a Python stealer — hiding execution inside VS Code workspace task definitions rather than the lifecycle hooks most tools actually scan.

Four security developments from one week paint a coherent picture: surveillance tools reach beyond their intended users, AI threats are operational, not theoretical, Mac endpoints carry real risk, and social-engineering crews face real prison time.

Australia's domestic intelligence chief confirmed a foreign state actor had harvested valid login credentials from privileged IT accounts inside a critical infrastructure operator — and was positioned for sabotage, not passive surveillance.

Palo Alto Networks Unit 42 has identified a previously unknown implant — TinyRCT — deployed by an intrusion cluster called CL-STA-1062 against state-owned energy enterprises and government ministries across Southeast Asia.

GRU and FSB-linked operators impersonated tech-support staff and trusted contacts to hijack Signal, Telegram, and WhatsApp accounts belonging to soldiers, politicians, and activists in Ukraine, Europe, and the United States.

Kaspersky researchers tracking a campaign called StrikeShark have identified a previously undocumented loader family dropping Cobalt Strike Beacon on a diplomatic organization in Indonesia and government targets in Taiwan — a targeting profile that points squarely to state-sponsored espionage.

The FBI and CISA have updated their advisory on Russian intelligence operators targeting Signal users, warning that attackers have shifted tactics from linked-device hijacking to stealing the Backup Recovery Key — a credential that grants permanent, silent access to a user's full message history.

The former Coinbase security chief takes over at Uber — a company whose breach record, regulatory scrutiny, and expanding data footprint make the hire one of the more consequential CISO appointments in recent memory.

A widely installed ad-blocking extension holds code that can fetch and run arbitrary JavaScript on any page a user visits. No malicious payload has been observed yet. That 'yet' is the problem.

A threat group called Woodgnat has deployed a custom in-memory backdoor since at least April 2025, quietly auctioning enterprise access to some of the most active ransomware gangs operating today.

A financially motivated initial access broker has been running brute-force and credential-stuffing attacks against internet-exposed FortiGate appliances since February 2026 — and the TTPs are textbook, repeatable, and preventable.

An active, multi-continent campaign sends malicious Visual Basic Script files over WhatsApp to sideload commercial remote-monitoring software — and most endpoint controls never fire.

Attackers compromised ShapedPlugin's build and distribution pipeline, silently delivering malicious code to paying customers who did everything right.

A new INTERPOL threat report finds cybercrime accelerating across Asia and the South Pacific, with phishing driving initial access, ransomware hitting under-resourced nations hardest, and generative AI removing the last natural barriers to mass fraud.

Researchers from Synthient and Qurium traced four years of Android TV box traffic-relaying back to infrastructure connected to NetNut, the residential proxy service owned by Israel's Alarum Technologies — raising hard questions about where legitimate proxy networks end and silent botnets begin.

BabaDeda, Lorem Ipsum, and Potemkin loaders all use the same clipboard-paste attack pattern — and education and finance organizations absorbed the bulk of April 2026 hits.

A bucket-squatting vulnerability in the Google Cloud Vertex AI Python SDK let an unauthenticated attacker intercept ML model uploads and run arbitrary code inside Google's managed serving infrastructure — no project credentials required.

The DPRK-linked threat cluster known as Contagious Interview has added a deceptively simple new lure to its arsenal: a polite request to review some code.

Attackers rewrote PKGBUILD scripts across more than 400 Arch User Repository packages, turning the normal build process into a credential-harvesting operation — with a kernel-level rootkit waiting for any build that ran as root.

A China-nexus threat actor planted rogue authentication modules on victim networks and stayed undetected for close to ten years — by targeting the one layer most incident-response playbooks quietly trust.

The FBI, Google, and Lumen's Black Lotus Labs jointly knocked a Chinese phishing-as-a-service operation offline after it registered nearly one million malicious domains. The AI angle is real — but narrower than headlines suggest.

No malware, no nation-state tradecraft — just valid credentials that nobody revoked. A disgruntled ex-employee deleted accounts and disrupted classrooms for months before federal charges ended it.

Attackers hijacked more than 400 community-maintained Arch User Repository packages this week, silently modifying build scripts to drop a Rust-based credential harvester — and, when the build ran as root, an eBPF rootkit capable of hiding itself from every standard Linux detection tool.

The extortion crew tracked as UNC6240 spent May 27 through June 9 inside university PeopleSoft environments — stealing student records, HR files, and financial data — while Oracle's advisory sat unpublished.

A federal jury awarded Meta roughly $168 million in May after NSO's Pegasus spyware abused a WhatsApp voice-call flaw in 2019. Now Meta says NSO's operators are back — this time with social-engineering lures — and is asking a judge to hold the vendor in contempt.

A self-replicating campaign is chaining stolen developer tokens into an ever-widening blast radius — and Microsoft's own GitHub organizations were not immune.

A financially motivated extortion crew is impersonating IT staff over the phone, tricking employees into handing over remote access, and exfiltrating privileged client files before most firms even open a help ticket.

A reverse-engineering of Bright Data's iOS SDK reveals how consumer apps — including always-on televisions — quietly enlist household devices as exit nodes in a massive residential proxy network increasingly serving AI data demands.

JFrog researchers caught two parallel attacks inside the npm registry — one hiding inside the Linux kernel, the other replicating across 50-plus packages by hijacking maintainer credentials.

A threat actor quietly converted compromised business workloads on three major cloud platforms into a verified mail-relay network, refreshing its inventory every five minutes and burning victims' IP reputations in the process.

A China-linked threat crew is cycling through commodity and custom malware at an unusually fast clip — and it has started targeting organizations far outside its traditional Asia-Pacific base.

A May 18 coordinated takedown froze $3.8 million in crypto and pulled millions of social-media and email accounts linked to Southeast Asian fraud compounds. The dollar figure is almost beside the point.

A malware-as-a-service operation active since January 2026 is using YouTube tutorials and fake Minecraft clients to silently hand attackers full remote control of victims' machines — and the infection count keeps climbing.
