โ ๏ธ Researchers found raw LLM reasoning and an AI safety disclaimer left inside TuxBot v3 Evolution.
The unfinished IoT botnet packs 1,496 Telnet credential pairs and exploit code for more than 30 device families.
What already works: https://thehackernews.com/2026/07/tuxbot-v3-evolution-shows-signs-of-llm.html
The unfinished IoT botnet packs 1,496 Telnet credential pairs and exploit code for more than 30 device families.
What already works: https://thehackernews.com/2026/07/tuxbot-v3-evolution-shows-signs-of-llm.html
๐7๐ฅ3
๐จ Zoom has patched a 9.8-rated Windows flaw that could let an unauthenticated attacker take over accounts via network access.
CVE-2026-53412 affects the Desktop Client, VDI Client, and Meeting SDK.
Affected versions and update details: https://thehackernews.com/2026/07/zoom-patches-critical-windows-flaw-that.html
CVE-2026-53412 affects the Desktop Client, VDI Client, and Meeting SDK.
Affected versions and update details: https://thehackernews.com/2026/07/zoom-patches-critical-windows-flaw-that.html
๐7๐4๐ฅ1๐ค1
A valid login is not always enough.
A password may let someone read an account, but not change payout details. OIDC AMR, ACR, and SAML AuthnContext help applications decide when stronger proof is required.
How each signal works: https://thehackernews.com/expert-insights/2026/07/authncontext-and-amr-we-remember-what.html
A password may let someone read an account, but not change payout details. OIDC AMR, ACR, and SAML AuthnContext help applications decide when stronger proof is required.
How each signal works: https://thehackernews.com/expert-insights/2026/07/authncontext-and-amr-we-remember-what.html
๐ฅ2
โก OpenAI built an AI model to attack its own AI models.
GPT-Red develops prompt injections automatically. In one test, it got an AI vending machine to order a $100 item for $0.50 and cancel another customerโs order.
Read more on GPT-Red ยป https://thehackernews.com/2026/07/openais-gpt-red-automates-prompt.html
GPT-Red develops prompt injections automatically. In one test, it got an AI vending machine to order a $100 item for $0.50 and cancel another customerโs order.
Read more on GPT-Red ยป https://thehackernews.com/2026/07/openais-gpt-red-automates-prompt.html
๐14๐ฅ2
๐ ALERT - Pull one certificate from a Shark robot vacuum, and it could run root commands on other Shark vacuums across the same AWS region.
In 24 hours, a researcher saw 673,816 devices return Exec_Response, which he treats as confirmation that they support the command handler.
Read how it worked - https://thehackernews.com/2026/07/unpatched-shark-vacuum-flaw-could-let.html
In 24 hours, a researcher saw 673,816 devices return Exec_Response, which he treats as confirmation that they support the command handler.
Read how it worked - https://thehackernews.com/2026/07/unpatched-shark-vacuum-flaw-could-let.html
๐ฅ7๐6
AI can generate polished vulnerability reports, payloads, and severity scores in seconds.
That does not prove the bug is reachable, exploitable, or even real. Without validation, faster testing becomes faster noise.
Why offensive security still runs on proof: https://thehackernews.com/2026/07/ai-can-find-bugs-but-human-knowledge.html
That does not prove the bug is reachable, exploitable, or even real. Without validation, faster testing becomes faster noise.
Why offensive security still runs on proof: https://thehackernews.com/2026/07/ai-can-find-bugs-but-human-knowledge.html
๐3๐ฅ2๐ค2
โ ๏ธ Stupig can run SYSTEM commands from the Windows logon screen before anyone signs in.
The previously unreported backdoor surfaced alongside Daxin on a #Taiwan manufacturerโs host, where the intrusion may have gone unnoticed for 13 years.
How it hides inside Windows logon: https://thehackernews.com/2026/07/daxin-resurfaces-in-taiwan-alongside.html
The previously unreported backdoor surfaced alongside Daxin on a #Taiwan manufacturerโs host, where the intrusion may have gone unnoticed for 13 years.
How it hides inside Windows logon: https://thehackernews.com/2026/07/daxin-resurfaces-in-taiwan-alongside.html
๐ฅ5๐คฏ4๐2๐1
๐ Claude Code, Codex, Gemini CLI, and three browser agents were vulnerable to an attack that makes forged data look trusted.
It could lead to wrong clicks or running an attackerโs command, even when the user is asked to approve the action.
Why current defenses miss it: https://thehackernews.com/2026/07/new-agent-data-injection-attack-can.html
It could lead to wrong clicks or running an attackerโs command, even when the user is asked to approve the action.
Why current defenses miss it: https://thehackernews.com/2026/07/new-agent-data-injection-attack-can.html
๐ค3๐ฅ2
๐ ClickLock Stealer turns a Mac into a password trap.
Cancel its fake prompt, and at the next login it kills Finder, Terminal, Activity Monitor, and major browsers every 210 milliseconds until a valid password is entered.
The desktop comes back. One implant stays.
How the trap works: https://thehackernews.com/2026/07/new-clicklock-macos-stealer-kills-apps.html
Cancel its fake prompt, and at the next login it kills Finder, Terminal, Activity Monitor, and major browsers every 210 milliseconds until a valid password is entered.
The desktop comes back. One implant stays.
How the trap works: https://thehackernews.com/2026/07/new-clicklock-macos-stealer-kills-apps.html
๐ฅ5
๐ฅ Hidden Infrastructure Exposed: ANY.RUN Reveals Hijacked Gov Websites Delivering Malware.
ANY.RUN's latest threat investigation uncovered previously undocumented backdoors and relationships behind the active PhantomEnigma campaign.
By connecting hundreds of seemingly unrelated sandbox sessions, the analysts exposed the full scope of attacks targeting banks and public agencies.
Read the exclusive report โ https://thehackernews.com/2026/07/20-hijacked-government-websites.html
ANY.RUN's latest threat investigation uncovered previously undocumented backdoors and relationships behind the active PhantomEnigma campaign.
By connecting hundreds of seemingly unrelated sandbox sessions, the analysts exposed the full scope of attacks targeting banks and public agencies.
Read the exclusive report โ https://thehackernews.com/2026/07/20-hijacked-government-websites.html
๐ฅ4๐1
๐จ ClickFix now delivers TELEPUZ, a new modular Windows malware.
Paste the command behind a fake browser fix, and it can steal browser cookies, log keystrokes, capture screenshots, and run operator commands.
How the attack chain gets there: https://thehackernews.com/2026/07/new-telepuz-malware-spreads-via.html
Paste the command behind a fake browser fix, and it can steal browser cookies, log keystrokes, capture screenshots, and run operator commands.
How the attack chain gets there: https://thehackernews.com/2026/07/new-telepuz-malware-spreads-via.html
๐ฅ4
โก A flaw in #n8nโs Enterprise token exchange could let a valid JWT from one trusted issuer log its holder into an account tied to another.
The token is valid. The account is not theirs. The victimโs password never enters the picture.
Here's how the identity check failed: https://thehackernews.com/2026/07/n8n-token-exchange-flaw-could-let.html
The token is valid. The account is not theirs. The victimโs password never enters the picture.
Here's how the identity check failed: https://thehackernews.com/2026/07/n8n-token-exchange-flaw-could-let.html
๐5
๐ฎ Game-cheat spyware
๐งฉ Fake installer RATs
โฑ๏ธ Network encrypted in under 24 hours
Also this week:
โธ 290 fake GitHub repos
โธ Chrome Sync stalking
โธ OAuth phishing
โธ Windows EDR bypasses
โธ Major fraud busts
โธ 3,900 threat servers mapped
Read the full ThreatsDay Bulletin: https://thehackernews.com/2026/07/threatsday-game-cheat-spyware-24-hour.html
๐งฉ Fake installer RATs
โฑ๏ธ Network encrypted in under 24 hours
Also this week:
โธ 290 fake GitHub repos
โธ Chrome Sync stalking
โธ OAuth phishing
โธ Windows EDR bypasses
โธ Major fraud busts
โธ 3,900 threat servers mapped
Read the full ThreatsDay Bulletin: https://thehackernews.com/2026/07/threatsday-game-cheat-spyware-24-hour.html
๐3
๐ Two Scattered Spider hackers have been sentenced to 5.5 years each for the ยฃ29 million TfL attack.
The intrusion left 148 systems inoperable, disrupted Dial-a-Ride and payment services, and forced all 27,000 employees into the office for password resets.
Here's how investigators tied them to the attack: https://thehackernews.com/2026/07/two-scattered-spider-hackers-get-55.html
The intrusion left 148 systems inoperable, disrupted Dial-a-Ride and payment services, and forced all 27,000 employees into the office for password resets.
Here's how investigators tied them to the attack: https://thehackernews.com/2026/07/two-scattered-spider-hackers-get-55.html
๐11๐5๐2๐ฅ1๐คฏ1
Phishing pages aren't the attack. They're the last step.
Before that there's a funnel: search ads, social content, fake storefronts, AI creative. Built like real marketing, because it is real marketing. Just pointed at fraud instead of conversions.
Bolster AI's CEO Rod Schultz and Lead Security Analyst Lauren Barer break down how these funnels work and what to catch before fraud spreads in our webinar.
Register for the webinar here: https://thn.news/mythos-webcast
Before that there's a funnel: search ads, social content, fake storefronts, AI creative. Built like real marketing, because it is real marketing. Just pointed at fraud instead of conversions.
Bolster AI's CEO Rod Schultz and Lead Security Analyst Lauren Barer break down how these funnels work and what to catch before fraud spreads in our webinar.
Register for the webinar here: https://thn.news/mythos-webcast
Microsoft patched a SharePoint flaw after attackers had already exploited it as a zero-day.
CVE-2026-58644 affects every supported on-premises SharePoint version and can lead to remote code execution.
CISA has now added it to KEV.
Here's what SharePoint admins need to check: https://thehackernews.com/2026/07/cisa-adds-exploited-sharepoint-rce-zero.html
CVE-2026-58644 affects every supported on-premises SharePoint version and can lead to remote code execution.
CISA has now added it to KEV.
Here's what SharePoint admins need to check: https://thehackernews.com/2026/07/cisa-adds-exploited-sharepoint-rce-zero.html
๐จ New GoSerpent malware has targeted government and diplomatic entities across Southeast Asia since late 2025.
It gives attackers long-term access, steals credentials, collects sensitive files, and routes traffic through compromised hosts.
Inside the campaign: https://thehackernews.com/2026/07/new-goserpent-malware-targets-southeast.html
It gives attackers long-term access, steals credentials, collects sensitive files, and routes traffic through compromised hosts.
Inside the campaign: https://thehackernews.com/2026/07/new-goserpent-malware-targets-southeast.html
๐ A single command pasted into Windows Run can give ACR Stealer your browser passwords, live session tokens, PDFs, and Microsoft 365 files.
One ClickFix chain hides its payload inside a JPEG and runs almost entirely in memory.
See how it gets in and what it steals: https://thehackernews.com/2026/07/acr-stealer-uses-clickfix-lures-to.html
One ClickFix chain hides its payload inside a JPEG and runs almost entirely in memory.
See how it gets in and what it steals: https://thehackernews.com/2026/07/acr-stealer-uses-clickfix-lures-to.html
๐2๐ฅ2