The Hacker News
βœ”
162K subscribers
3.33K photos
21 videos
4 files
9.29K links
⭐ Official THN Telegram Channel β€” A trusted, widely read, independent source for breaking news and tech coverage about cybersecurity and hacking.

πŸ“¨ Contact: admin@thehackernews.com

🌐 Website: https://thehackernews.com
Download Telegram
This media is not supported in your browser
VIEW IN TELEGRAM
#ThreatsDay this week reads like attackers opened the junk drawer of the internet and found everything still plugged in:

🧠 exposed AI compute
πŸ“§ email privacy gaps
🧩 fake browser extensions
πŸ€– meeting bots
πŸ“‹ clipboard tricks
πŸ›‘οΈ Defender flaws
🎭 fake INTERPOL ransomware

Just an Empire State Building-sized amount of trust left unattended - https://thehackernews.com/2026/07/threatsday-ai-compute-hijacking-apple.html
πŸ”₯8πŸ€”2πŸ‘1
⚠️ Armored Likho targeted power and government agencies.

Kaspersky says the attacks span Russia, Brazil, and Kazakhstan, using BusySnake Stealer, GitHub-hosted payloads, Go2Tunnel reverse tunneling, and patched CVE-2025-9491 LNK abuse.

How the stealer chain works: https://thehackernews.com/2026/07/armored-likho-targets-government.html
πŸ”₯4😁4πŸ€”3
πŸ›‘ Six malicious npm packages mimicked Rollup polyfill tools.

Experts link them to North Korea-linked actors. They used hidden install-time execution and JSONKeeper fetches to load payloads for remote access and browser, wallet, cloud, SSH, and npm secret theft.

Read: https://thehackernews.com/2026/07/north-korea-linked-npm-packages-mimic.html
πŸ”₯3
πŸ›‘ Avalon turns a PDF-themed .LNK into CrownX ransomware.

Proton Drive β†’ ISO image β†’ MSBuild β†’ ETW tampering β†’ HTTPS payload.

By the ransom note, credentials, C2, and recovery disruption are already in play.

Inside the attack chain: https://thehackernews.com/2026/07/new-avalon-malware-framework-packs.html
πŸ”₯5⚑3
This media is not supported in your browser
VIEW IN TELEGRAM
⚑ New "Bad Epoll" (CVE-2026-46242) vulnerability affects #Linux 6.4+ kernels and may reach newer #Android devices.

It can turn a local user into root; the PoC hit 99% reliability and may trigger from Chrome’s renderer sandbox.

πŸ”— Read how the bug works: https://thehackernews.com/2026/07/new-bad-epoll-linux-kernel-flaw-lets.html
πŸ‘8😱5🀯2⚑1
πŸ‘€ New UNPATCHED FatFs vulnerabilities hit a filesystem library bundled into potentially MILLIONS of embedded devices.

Malformed USB drives, SD cards, or update files can trigger memory corruption, crashes, leaks, or hangs.

Read details here: https://thehackernews.com/2026/07/unpatched-flaws-disclosed-in-filesystem.html
πŸ”₯7🀯5
⚠️ 108 malicious packages and extensions were published across npm, Packagist, Go, and Chrome.

North Korea-linked PolinRider uses obfuscated JavaScript loaders, VS Code auto-run tasks, and blockchain services to fetch DEV#POPPER RAT and OmniStealer.

Inside the attack chain: https://thehackernews.com/2026/07/north-korean-hackers-publish-108.html
🀯15πŸ”₯4πŸ‘2⚑1πŸ‘1
πŸ›‘ A U.S. government entity paid Kairos about $1 million in #Bitcoin.

The payment was made to keep stolen files from being leaked, according to a Ransom-ISAC case study.

This was not a lock-and-key ransomware case. The pressure point was the stolen data itself.

Read the story: https://thehackernews.com/2026/07/us-government-entity-paid-kairos-group.html
😁33πŸ”₯10⚑4πŸ€”3πŸ‘1😱1
πŸ›‘ Malicious AI skills can bypass scanners.

SKILLCLOAK hides payloads in folders scanners often skip, then rebuilds them only when the agent runs the skill.

In tests, its packing trick bypassed all 8 scanners more than 90% of the time.

Read how the cloaking works: https://thehackernews.com/2026/07/new-skillcloak-technique-lets-malicious.html
😁8⚑4πŸ”₯4πŸ‘2
This media is not supported in your browser
VIEW IN TELEGRAM
🚨 A zero-click Opera GX flaw let malicious sites silently install GX Mods and leak data exposed in pages the victim visited.

In a PoC, researchers used CSS to rebuild a signed-in user’s Gmail address after one visit.

Learn how β€œjust styling” crossed sites: https://thehackernews.com/2026/07/opera-gx-flaw-let-malicious-sites-auto.html
😁8πŸ‘3πŸ‘1πŸ”₯1
⚠️ New Java RAT is being sold as MaaS.

QuimaRAT is built to run on Windows, #Linux, and #macOS, with encrypted plugins, OS-specific persistence, C2 rotation via Pastebin, and a browser-cache loader for staging payloads.

Read: https://thehackernews.com/2026/07/new-java-based-quimarat-maas-built-to.html
πŸ”₯10πŸ‘8⚑2
🚨 New TrojPix attack can leak data from an air-gapped PC through its video cable.

It uses user-level malware to turn invisible pixel changes into radio signals from a video cable, leaking data at up to 8.1 Mbps.

Learn how TrojPix turns pixels into a radio leak: https://thehackernews.com/2026/07/new-trojpix-attack-leaks-data-from-air.html
πŸ”₯5😱2
🚨 A suspected China-nexus campaign is targeting Indian taxpayers, tax professionals, and finance teams with fake Income Tax Department emails.

Operation DragonReturn leads victims to a fake tax-filing utility that uses DLL sideloading, JPG payload concealment, and DCRat.Attribution remains unclear.

Read: https://thehackernews.com/2026/07/suspected-china-nexus-hackers-use-fake.html
😁6πŸ€”4πŸ”₯2🀯1
AI SOC can mean a chat box bolted onto a SIEM, or agents that handle detection, triage, investigation, and response on their own data foundation.

The label tells you little. The POC has to show what is actually doing the work.

Read this for the six checks that tell them apart: https://thehackernews.com/2026/07/how-to-evaluate-ai-soc-platform-in-2026.html
πŸ‘1πŸ”₯1
AI does not just make phishing cleaner. It changes the clock.

Guy Segal, CEO at Sygnia, frames the real gap: incident response plans were designed for slower, human-led attacks, while AI can compress recon, deception, payload changes, and the path to business impact.

See where your IR plan breaks when AI compresses the timeline: https://thehackernews.com/expert-insights/2026/07/ai-speed-attacks-are-forcing-rethink-of.html
πŸ‘3πŸ”₯1πŸ€”1
πŸ›‘ A streaming box. A browser prompt. A fake repo. An AI agent reading the wrong thing.

This week’s cyber risks did not look exotic. That was the problem.

Monday Recap: proxy botnets, browser ransomware research, AI agent tricks, fake PoC malware, ClickFix attacks, and more.

Read the full recap: https://thehackernews.com/2026/07/monday-recap-proxy-botnets-browser.html
πŸ”₯4πŸ‘3
πŸ” It’s easier to log in than hack in.

Attackers don’t need a zero-day if weak, reused, or compromised passwords are already sitting in Active Directory.

Specops’ Password Auditing Guide shows how to uncover hidden password risks, spot policy gaps, and start auditing AD with a free tool.

Download the guide to learn more: https://thn.news/audit-active-directory
πŸ‘5πŸ‘1
🚨 CVE-2026-20896 saw its first in-the-wild attempt 13 days after disclosure.

The Gitea Docker flaw lets reachable containers trust spoofed X-WEBAUTH-USER headers when reverse proxy auth is enabled.

See which setups are exposed and where the probe stopped: https://thehackernews.com/2026/07/threat-actors-probe-gitea-docker-flaw.html
πŸ”₯4πŸ‘3
πŸ”₯ A new 16-year-old #Linux KVM flaw lets a rooted nested VM crash the x86 host and take down other tenants on the same machine.

Dubbed "Januscape" (CVE-2026-53359), the bug sits in KVM’s shadow MMU.

Researcher says a full guest-to-host escape exploit also exists in a controlled setup; only the host-crash PoC is public.

Explained here: https://thehackernews.com/2026/07/16-year-old-linux-kvm-flaw-lets-guest.html
πŸ”₯13πŸ‘2
🚨 Iran-linked Cavern Manticore is targeting Israeli government and IT organizations with 'Cavern,' a modular .NET C2 framework.

Researchers say the group abused RMM tools, then used DLL side-loading, NativeAOT modules, and AppDomain isolation to hide post-compromise activity.

How Cavern works: https://thehackernews.com/2026/07/iran-linked-hackers-use-new-cavern-c2.html
πŸ‘12πŸ‘11πŸ”₯4⚑2πŸ€”1🀯1
⚠️ BeyondTrust fixed four RS and PRA flaws. Two are critical pre-auth bugs that could let unauthenticated attackers bypass access controls, but only under specific auth configurations.

No exploitation is reported. RS 25.3.3 and PRA 25.3.3 carry the fixes.

Check which setups need patching: https://thehackernews.com/2026/07/beyondtrust-patches-critical-auth.html
πŸ”₯3