π¨ Four malware clusters targeted Pakistani police with PlugX, ShadowPad, Remcos, and Cobalt Strike.
At Balochistan Police, attackers used a hacked complaint portal to deliver malware.
Read the full report: https://thehackernews.com/2026/07/hackers-weaponize-balochistan-police.html
At Balochistan Police, attackers used a hacked complaint portal to deliver malware.
Read the full report: https://thehackernews.com/2026/07/hackers-weaponize-balochistan-police.html
π₯10π3π±2
π ALERT - The official #jscrambler npm package has been compromised.
Version 8.14.0 drops a Rust infostealer during npm install, stealing cloud keys, crypto wallets, browser logins, and AI coding-tool and MCP credentials.
Read analysis and what to do: https://thehackernews.com/2026/07/compromised-jscrambler-8140-npm-release.html
Version 8.14.0 drops a Rust infostealer during npm install, stealing cloud keys, crypto wallets, browser logins, and AI coding-tool and MCP credentials.
Read analysis and what to do: https://thehackernews.com/2026/07/compromised-jscrambler-8140-npm-release.html
π10π€―8π2π₯1π€1
UPDATE: jscrambler npm compromise hit five versions, not one.
Socket links 8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.0 to the same actor. Jscrambler says a stolen publishing credential was used.
Later versions moved beyond preinstall, so --ignore-scripts would not block them. Upgrade to 8.22.0 and audit affected systems.
Read: https://thehackernews.com/2026/07/compromised-jscrambler-8140-npm-release.html
Socket links 8.14.0, 8.16.0, 8.17.0, 8.18.0, and 8.20.0 to the same actor. Jscrambler says a stolen publishing credential was used.
Later versions moved beyond preinstall, so --ignore-scripts would not block them. Upgrade to 8.22.0 and audit affected systems.
Read: https://thehackernews.com/2026/07/compromised-jscrambler-8140-npm-release.html
π9β‘2π₯2
π¨ Joomla sites running iCagenda or Balbooa Forms face two exploited CVSS 10.0 flaws now in CISAβs KEV catalog.
Both allow attackers to upload PHP files and execute code on affected servers.
What the attacks looked like and what admins should check: https://thehackernews.com/2026/07/icagenda-and-balbooa-forms-joomla-flaws.html
Both allow attackers to upload PHP files and execute code on affected servers.
What the attacks looked like and what admins should check: https://thehackernews.com/2026/07/icagenda-and-balbooa-forms-joomla-flaws.html
π₯8π4
π One open directory exposed three Microsoft 365 phishing operations.
The operations used two paths into #Microsoft 365: Evilginx session theft and device code phishing. One campaign logged 218 captured accounts across 12 countries, 94% of them corporate mailboxes.
Read the full investigation: http://thehackernews.com/2026/07/misconfigured-server-reveals-three.html
The operations used two paths into #Microsoft 365: Evilginx session theft and device code phishing. One campaign logged 218 captured accounts across 12 countries, 94% of them corporate mailboxes.
Read the full investigation: http://thehackernews.com/2026/07/misconfigured-server-reveals-three.html
π6π4π₯2π2
β οΈ An attacker used compromised credentials to access a domain-joined Windows Server over RDP, then ran a suspected AI-generated PowerShell script to map Active Directory.
The script was noisy, aggressive, and oddly helpful.
Read how researchers traced it: https://thehackernews.com/2026/07/attacker-uses-suspected-ai-generated.html
The script was noisy, aggressive, and oddly helpful.
Read how researchers traced it: https://thehackernews.com/2026/07/attacker-uses-suspected-ai-generated.html
π₯6π3π€2
AI SOCs do not fail because Claude or Codex are useless. They fail when teams use them for the wrong job.
Research cited in this article says 98% of alerts can be resolved autonomously, while less than 2% warrant human review.
The problem is where the human and agent judgment starts.
Learn more: https://thehackernews.com/2026/07/thinking-fast-and-slow-in-soc-case-for.html
Research cited in this article says 98% of alerts can be resolved autonomously, while less than 2% warrant human review.
The problem is where the human and agent judgment starts.
Learn more: https://thehackernews.com/2026/07/thinking-fast-and-slow-in-soc-case-for.html
π5π₯3
β‘ Meta just filed a patent for an Artificial Intelligence (AI) that listens through your day and logs how you're feeling.
Not a mood check here and there, but a timestamped record of your emotions, keyed to where you are and what you're doing.
And it doesn't stop at your voice.
What else it reads, and whether Meta is actually building it: https://thehackernews.com/2026/07/meta-files-patent-for-ai-that-can.html
Not a mood check here and there, but a timestamped record of your emotions, keyed to where you are and what you're doing.
And it doesn't stop at your voice.
What else it reads, and whether Meta is actually building it: https://thehackernews.com/2026/07/meta-files-patent-for-ai-that-can.html
π€―17π±8π€6π₯3π2
π¨ Forg365 targets Microsoft 365 with device code and AitM phishing.
This $400/month service can use a legitimate Microsoft sign-in to authorize an attacker-controlled session, with tools for post-compromise mailbox operations.
How the attack works: https://thehackernews.com/2026/07/forg365-phaas-targets-microsoft-365.html
This $400/month service can use a legitimate Microsoft sign-in to authorize an attacker-controlled session, with tools for post-compromise mailbox operations.
How the attack works: https://thehackernews.com/2026/07/forg365-phaas-targets-microsoft-365.html
π4π₯2
π [New] One email could rewrite what an inbox-reading AI assistant remembers about you.
MemGhost adds false information to an AI agentβs memory and changes what it says later. In #OpenClaw lab tests, the change could stay hidden from the user.
How it works, and what limits it: https://thehackernews.com/2026/07/new-memghost-attack-plants-persistent.html
MemGhost adds false information to an AI agentβs memory and changes what it says later. In #OpenClaw lab tests, the change could stay hidden from the user.
How it works, and what limits it: https://thehackernews.com/2026/07/new-memghost-attack-plants-persistent.html
β‘3π₯2π2
Media is too big
VIEW IN TELEGRAM
"AI changed both sides of this fight.β Stephen Sims is keynoting AND teaching at Network Security 2026, bringing offensive security expertise straight into the classroom. Caesars Palace, Vegas | Sept 21β26.
His code SIMS777 = $777 off any course π https://thn.news/cyber-training-sans
His code SIMS777 = $777 off any course π https://thn.news/cyber-training-sans
π3π₯1π1
β‘ THN Recap: Before you start the week, know what's out there:
βͺοΈ ShareFile servers pulled offline
βͺοΈ npm package hijacked to drop infostealer
βͺοΈ Critical Zimbra email flaw patched
βͺοΈ GigaWiper backdoor wipes disks
βͺοΈ 1.4M WordPress sites targeted
βͺοΈ Citrix Bleed 2 leads to ransomware
βͺοΈ AI coding assistants tricked into malware
βͺοΈ Django flaw actively exploited
βͺοΈ Fake VPN installer drops RAT
βͺοΈ Helix crew hits SharePoint data
Full recap β https://thehackernews.com/2026/07/weekly-recap-sharefile-threat-citrix.html
βͺοΈ ShareFile servers pulled offline
βͺοΈ npm package hijacked to drop infostealer
βͺοΈ Critical Zimbra email flaw patched
βͺοΈ GigaWiper backdoor wipes disks
βͺοΈ 1.4M WordPress sites targeted
βͺοΈ Citrix Bleed 2 leads to ransomware
βͺοΈ AI coding assistants tricked into malware
βͺοΈ Django flaw actively exploited
βͺοΈ Fake VPN installer drops RAT
βͺοΈ Helix crew hits SharePoint data
Full recap β https://thehackernews.com/2026/07/weekly-recap-sharefile-threat-citrix.html
β‘4π₯1π1π€1
π¨ Google and Microsoft pulled ModHeader after researchers found a dormant browsing-history collector inside its genuine store build.
The extension had roughly 1.6 million installs across Chrome and Edge, with most of the collection pipeline already in place.
Here's how it stayed hidden - https://thehackernews.com/2026/07/google-and-microsoft-pull-modheader.html
The extension had roughly 1.6 million installs across Chrome and Edge, with most of the collection pipeline already in place.
Here's how it stayed hidden - https://thehackernews.com/2026/07/google-and-microsoft-pull-modheader.html
π₯7
CrashStealer uses a signed and Apple-notarized macOS dropper to pass Gatekeeper checks.
Once launched, it can steal browser credentials, wallet data, password manager records, files, and keychain material.
How the attack chain works: https://thehackernews.com/2026/07/crashstealer-macos-malware-uses.html
Once launched, it can steal browser credentials, wallet data, password manager records, files, and keychain material.
How the attack chain works: https://thehackernews.com/2026/07/crashstealer-macos-malware-uses.html
π6π₯2
π¨ Hackers spent a year stealing data from #Salesforce environments without exploiting a single platform flaw.
#Microsoft mapped the ShinyHunters-linked activity to trusted OAuth apps, stolen vendor tokens, and misconfigured guest access while sign-in monitoring stayed quiet.
How the three attack paths worked: https://thehackernews.com/2026/07/microsoft-maps-year-long-shinyhunters.html
#Microsoft mapped the ShinyHunters-linked activity to trusted OAuth apps, stolen vendor tokens, and misconfigured guest access while sign-in monitoring stayed quiet.
How the three attack paths worked: https://thehackernews.com/2026/07/microsoft-maps-year-long-shinyhunters.html
π€―14π₯4π€4π2
π¨ 148 npm packages disguised as student web proxies turned visitorsβ browsers into a DDoS botnet.
The code never ran at install time. It waited inside working proxy sites, beyond scanners focused on install-time behavior.
Here's how the campaign worked: https://thehackernews.com/2026/07/148-npm-packages-disguised-as-student.html
The code never ran at install time. It waited inside working proxy sites, beyond scanners focused on install-time behavior.
Here's how the campaign worked: https://thehackernews.com/2026/07/148-npm-packages-disguised-as-student.html
π7π₯7π2
πͺ U.S. sanctions hit First VPN, its administrator, and a cryptor seller over support for #ransomware attacks on American businesses, hospitals, financial firms, and local governments.
The VPN was dismantled in May 2026 after allegedly helping attackers hide their origins.
How the operation worked: https://thehackernews.com/2026/07/us-sanctions-first-vpn-service-and.html
The VPN was dismantled in May 2026 after allegedly helping attackers hide their origins.
How the operation worked: https://thehackernews.com/2026/07/us-sanctions-first-vpn-service-and.html
π₯9π3π€3
π Grok Build uploaded entire Git repositories, full commit history and all, to xAI storage, not just the files the agent read.
A captured bundle contained a file the agent had been explicitly told not to open.
What was uploaded, and which secrets users should rotate: https://thehackernews.com/2026/07/grok-build-uploads-entire-git.html
A captured bundle contained a file the agent had been explicitly told not to open.
What was uploaded, and which secrets users should rotate: https://thehackernews.com/2026/07/grok-build-uploads-entire-git.html
π16π€―10π₯4π€2π1
β οΈ Attackers can validate stolen #Microsoft Entra credentials without generating a successful sign-in event.
Researchers tracked two campaigns using spoofed OAuth client IDs, including one that targeted over 2 million users. App-scoped detections may miss it.
Read why Entra logs may miss it: https://thehackernews.com/2026/07/oauth-client-id-spoofing-lets-attackers.html
Researchers tracked two campaigns using spoofed OAuth client IDs, including one that targeted over 2 million users. App-scoped detections may miss it.
Read why Entra logs may miss it: https://thehackernews.com/2026/07/oauth-client-id-spoofing-lets-attackers.html
π8
π¨ Researchers tested 85 browser crypto wallets representing 35.16 million Chrome Web Store users.
Some linked separate addresses, kept exposing previously granted addresses after logout, or enabled tracking across unrelated sites.
How it works: https://thehackernews.com/2026/07/study-of-85-crypto-wallet-extensions.html
Some linked separate addresses, kept exposing previously granted addresses after logout, or enabled tracking across unrelated sites.
How it works: https://thehackernews.com/2026/07/study-of-85-crypto-wallet-extensions.html
π₯8
This media is not supported in your browser
VIEW IN TELEGRAM
π 11 old Microsoft-signed UEFI shims could let attackers with admin access bypass Secure Boot and run code before the OS starts.
Microsoft revoked the vulnerable shims in June 2026, but systems without the revocation update may still accept them.
Read how the bypass works: https://thehackernews.com/2026/07/11-old-microsoft-signed-linux-uefi.html
Microsoft revoked the vulnerable shims in June 2026, but systems without the revocation update may still accept them.
Read how the bypass works: https://thehackernews.com/2026/07/11-old-microsoft-signed-linux-uefi.html
π5π3π₯1