Cyber Dispatch™️
The definitive source for critical cybersecurity news. When a major threat breaks, we dispatch.

#CyberDispatch #CyberSecurity #InfoSec #ThreatIntelligence #ZeroDay #DataBreach #SecurityNews
A threat group exploited a Next.js flaw to compromise 766+ hosts and steal cloud credentials at scale.

Using automated scripts, attackers extracted AWS secrets, SSH keys, and API tokens, all managed through a central dashboard for reuse.
Attackers are weaponizing the Claude Code leak.

Fake GitHub repos now deploy Vidar Stealer and GhostSocks, using trojanized builds that look legitimate.
It turns out Axios npm was compromised via a targeted UNC1069 social engineering attack.

Attackers used a fake Slack + Teams setup to install malware, steal npm credentials, and publish trojanized versions (1.14.1, 0.30.4).
Aftermath of one month of war; 6% decrease in Microsoft stock value

Over the past month, after the start of the imposed war, Microsoft's stock value has dropped from about $398.55 at the beginning of March to $369.37 on April 1.
Forwarded from 𓂆 Palestine
WSJ confirms damage to Oracle’s Dubai Internet City building following recent Iranian attacks on the UAE—despite earlier denial by Dubai’s media office. Oracle, a key global software giant, now caught in the fallout.
Hacktivist group “Mobir” claims responsibility for a cyberattack targeting the UAE Space Agency, alleging the network was taken offline. The group cites UAE cooperation with Israel and the U.S. as motive and warns of further attacks.

#TGITM @TheGhostITM
U.S. officials are investigating a major cyber incident attributed to state actors targeting an internal FBI system containing sensitive law enforcement data. Reports say attackers leveraged commercial ISP infrastructure. Congress was notified in early March.
Israeli sources report over 4,000 cyberattacks during the early phase of the recent conflict, involving 60+ hacktivist groups. Activity includes DDoS, intrusions, and supply chain targeting, with growing use of social engineering against economic sectors.

Cyber Dispatch disputes the Israeli report; our own investigation identified over 100,000 cyberattacks conducted by hacktivist groups during Ramadan, involving 100+ hacktivist groups.
Handala has exposed the identities of 50 senior officers from Israel’s elite Unit 9900 — a key geospatial intelligence unit behind drone surveillance, satellite mapping, and targeted operations. A major escalation in cyber warfare narratives.

#TGITM @TheGhostITM
Handala announces a major breach: identities of 50 top Unit 9900 officers revealed. The group says this shatters the unit’s “invincibility” and sends a message to all cyber warfare actors.

#TGITM @TheGhostITM
Handala announced that this disclosure marks the end of the "myth of invincibility" of this unit and serves as a warning to all players in the cyber warfare arena.

#TGITM @TheGhostITM
The Handala team disclosed the identities of 50 senior officers of Israel's Unit 9900. Unit 9900 is one of the world's powerful geospatial intelligence divisions, which collects strategic information using drone images, satellite imagery, and 3D maps, and uses it in targeted assassination operations.

#TGITM @TheGhostITM
“NoVoice” malware spreads via 50+ Google Play apps, ~2.3M devices impacted

Exploits older Android flaws to gain root-level access — no suspicious permissions required.

Persistence is severe; even factory reset may not remove it.

Enables data theft, account takeover, and continuous C2 communication.

Update devices. Audit apps. Stay vigilant.
“Kourosh Shield” claims breach targeting Komala-linked individuals in Europe

Group alleges access to infrastructure and sensitive datasets, including identities, communications, and network metadata of 52 individuals.

Partial data reportedly released; further disclosures expected.

Claims remain unverified — potential leak monitoring ongoing.
LinkedIn under scrutiny for hidden extension scanning

Reports reveal use of browser fingerprinting scripts to detect installed Chrome extensions and gather device signals.

LinkedIn confirms the practice, citing security and abuse prevention.

Raises fresh concerns over user privacy vs platform defense.
Qilin ransomware claims cyberattack on Germany’s Die Linke party.

Group threatens data leak.
CENTCOM's heavy silence.

The 24-hour silence of this official account has attracted media attention.
Fortinet is warning of active exploitation of CVE-2026-35616 (CVSS 9.1) in FortiClient EMS.

The flaw lets unauthenticated attackers bypass API controls and run code. This is the second critical EMS flaw exploited in weeks.
36 npm packages posing as Strapi plugins were used to deliver malware that runs on install.

They exploited Redis and PostgreSQL, stole credentials, and deployed backdoors via postinstall scripts with full user or CI/CD access.
Forwarded from 𓂆 Palestine
The American satellite company Planet Labs announced that it will stop publishing images of Iran and conflict areas in the Middle East indefinitely, in response to a request from the administration of US President Trump.

The measure aims to prevent adversaries from using these images against the United States and its allies.

Initially, the publication of the images was postponed for just 14 days, but the company later decided to extend the measure to include a complete suspension of images related to the ongoing conflict since March 9, 2026.

The company now uses a review system for each image, publishing them only when absolutely necessary or for a specific public interest.