The Hacker News
โœ”
162K subscribers
3.43K photos
22 videos
4 files
9.4K links
โญ Official THN Telegram Channel โ€” A trusted, widely read, independent source for breaking news and tech coverage about cybersecurity and hacking.

๐Ÿ“จ Contact: admin@thehackernews.com

๐ŸŒ Website: https://thehackernews.com
Download Telegram
AI can generate polished vulnerability reports, payloads, and severity scores in seconds.

That does not prove the bug is reachable, exploitable, or even real. Without validation, faster testing becomes faster noise.

Why offensive security still runs on proof: https://thehackernews.com/2026/07/ai-can-find-bugs-but-human-knowledge.html
๐Ÿ‘3๐Ÿ”ฅ2๐Ÿค”2
โš ๏ธ Stupig can run SYSTEM commands from the Windows logon screen before anyone signs in.

The previously unreported backdoor surfaced alongside Daxin on a #Taiwan manufacturerโ€™s host, where the intrusion may have gone unnoticed for 13 years.

How it hides inside Windows logon: https://thehackernews.com/2026/07/daxin-resurfaces-in-taiwan-alongside.html
๐Ÿ”ฅ6๐Ÿคฏ4๐Ÿ˜2๐Ÿ‘1
๐Ÿ›‘ Claude Code, Codex, Gemini CLI, and three browser agents were vulnerable to an attack that makes forged data look trusted.

It could lead to wrong clicks or running an attackerโ€™s command, even when the user is asked to approve the action.

Why current defenses miss it: https://thehackernews.com/2026/07/new-agent-data-injection-attack-can.html
๐Ÿค”3๐Ÿ”ฅ2
๐Ÿ›‘ ClickLock Stealer turns a Mac into a password trap.

Cancel its fake prompt, and at the next login it kills Finder, Terminal, Activity Monitor, and major browsers every 210 milliseconds until a valid password is entered.

The desktop comes back. One implant stays.

How the trap works: https://thehackernews.com/2026/07/new-clicklock-macos-stealer-kills-apps.html
๐Ÿ”ฅ5
๐Ÿ”ฅ Hidden Infrastructure Exposed: ANY.RUN Reveals Hijacked Gov Websites Delivering Malware.

ANY.RUN's latest threat investigation uncovered previously undocumented backdoors and relationships behind the active PhantomEnigma campaign.

By connecting hundreds of seemingly unrelated sandbox sessions, the analysts exposed the full scope of attacks targeting banks and public agencies.

Read the exclusive report โ†“ https://thehackernews.com/2026/07/20-hijacked-government-websites.html
๐Ÿ”ฅ5๐Ÿ˜1
๐Ÿšจ ClickFix now delivers TELEPUZ, a new modular Windows malware.

Paste the command behind a fake browser fix, and it can steal browser cookies, log keystrokes, capture screenshots, and run operator commands.

How the attack chain gets there: https://thehackernews.com/2026/07/new-telepuz-malware-spreads-via.html
๐Ÿ”ฅ4
โšก A flaw in #n8nโ€™s Enterprise token exchange could let a valid JWT from one trusted issuer log its holder into an account tied to another.

The token is valid. The account is not theirs. The victimโ€™s password never enters the picture.

Here's how the identity check failed: https://thehackernews.com/2026/07/n8n-token-exchange-flaw-could-let.html
๐Ÿ˜6
๐ŸŽฎ Game-cheat spyware
๐Ÿงฉ Fake installer RATs
โฑ๏ธ Network encrypted in under 24 hours

Also this week:
โ–ธ 290 fake GitHub repos
โ–ธ Chrome Sync stalking
โ–ธ OAuth phishing
โ–ธ Windows EDR bypasses
โ–ธ Major fraud busts
โ–ธ 3,900 threat servers mapped

Read the full ThreatsDay Bulletin: https://thehackernews.com/2026/07/threatsday-game-cheat-spyware-24-hour.html
๐Ÿ‘4๐Ÿ”ฅ2
๐Ÿ›‘ Two Scattered Spider hackers have been sentenced to 5.5 years each for the ยฃ29 million TfL attack.

The intrusion left 148 systems inoperable, disrupted Dial-a-Ride and payment services, and forced all 27,000 employees into the office for password resets.

Here's how investigators tied them to the attack: https://thehackernews.com/2026/07/two-scattered-spider-hackers-get-55.html
๐Ÿ‘11๐Ÿ˜6๐Ÿ‘4๐Ÿ”ฅ1๐Ÿคฏ1
Phishing pages aren't the attack. They're the last step.

Before that there's a funnel: search ads, social content, fake storefronts, AI creative. Built like real marketing, because it is real marketing. Just pointed at fraud instead of conversions.

Bolster AI's CEO Rod Schultz and Lead Security Analyst Lauren Barer break down how these funnels work and what to catch before fraud spreads in our webinar.

Register for the webinar here: https://thn.news/mythos-webcast
๐Ÿ‘3
Microsoft patched a SharePoint flaw after attackers had already exploited it as a zero-day.

CVE-2026-58644 affects every supported on-premises SharePoint version and can lead to remote code execution.

CISA has now added it to KEV.

Here's what SharePoint admins need to check: https://thehackernews.com/2026/07/cisa-adds-exploited-sharepoint-rce-zero.html
๐Ÿ˜3๐Ÿ‘1
๐Ÿšจ New GoSerpent malware has targeted government and diplomatic entities across Southeast Asia since late 2025.

It gives attackers long-term access, steals credentials, collects sensitive files, and routes traffic through compromised hosts.

Inside the campaign: https://thehackernews.com/2026/07/new-goserpent-malware-targets-southeast.html
๐Ÿ˜5๐Ÿ”ฅ1
๐Ÿ›‘ A single command pasted into Windows Run can give ACR Stealer your browser passwords, live session tokens, PDFs, and Microsoft 365 files.

One ClickFix chain hides its payload inside a JPEG and runs almost entirely in memory.

See how it gets in and what it steals: https://thehackernews.com/2026/07/acr-stealer-uses-clickfix-lures-to.html
๐Ÿ”ฅ9๐Ÿ‘6
โšก Armenia has detained a Russian tourist on a U.S. extradition request for a REvil #ransomware suspect with the same name.

His lawyers say authorities have the wrong man.

The wanted Ermakov reportedly cannot leave Russia and has checked in with the prison service every month since 2024.

Hereโ€™s what happened: https://thehackernews.com/2026/07/armenia-detains-russian-tourist-on-us.html
๐Ÿ˜7๐Ÿ‘2๐Ÿ‘2๐Ÿ˜ฑ2
๐Ÿ”ฅ European Union (EU) has ordered Google to open #Android features to rival AI assistants, including the camera, microphone, screen contents, locked-screen hotwords, and background app control.

Consent still applies. For six features, Google cannot require certification.

Here's what changes, and when - https://thehackernews.com/2026/07/eu-orders-google-to-open-android-mic.html
๐Ÿ˜ฑ6๐Ÿค”5๐Ÿ”ฅ3๐Ÿคฏ2
Military autonomy is not just a platform race. It is an information infrastructure challenge.

Drones, vessels, satellites, AI systems, and allies must exchange trusted mission data across platforms and security domains.

Why the future force depends on what connects it: https://thehackernews.com/2026/07/the-race-to-field-military-autonomy-is.html
๐Ÿ‘3๐Ÿ”ฅ1
๐Ÿšจ A fake coding test can be the whole attack.

North Korea-linked hackers are hiding malware across ordinary-looking SVG flag images. Run the project, and it assembles an OtterCookie-aligned toolkit that steals browser credentials, crypto wallet data, files, and clipboard contents, then opens a SocketIO backdoor.

Read the full attack chain: https://thehackernews.com/2026/07/north-korea-linked-hackers-hide.html
๐Ÿ”ฅ7๐Ÿคฏ5๐Ÿ˜4โšก3
This media is not supported in your browser
VIEW IN TELEGRAM
๐Ÿšจ Attackers are targeting the datacenters that train, host, and serve AI, not just the AI models themselves.

Lava has released FORGE: The Top 10 Data Center & AI Infrastructure Security Risks: https://thn.news/forge-framework

Built with security leaders and practitioners across neoclouds, HPC, and enterprise security โ€” open, free, and made to evolve.
๐Ÿ‘12๐Ÿ”ฅ1
๐Ÿšจ CylindricalCanine breached two DigiCert support workstations with a fake screenshot ZIP.

The group obtained EV code-signing certificates to sign Zhong Stealer. DigiCert revoked 60, including 27 linked to the group.

Read how the support chat breach led to signed malware: https://thehackernews.com/2026/07/goldeneyedog-subgroup-linked-to.html
๐Ÿ”ฅ4
๐Ÿ›‘ New NadMesh botnet malware hunts exposed AI services for AWS keys and Kubernetes tokens.

It targets ComfyUI, Ollama, n8n, Gradio, and MCP deployments, pulling cloud credentials, Docker configs, and model access from compromised hosts.

How the botnet works and survives removal: https://thehackernews.com/2026/07/new-nadmesh-botnet-hunts-exposed-ai.html
๐Ÿ”ฅ2
โš ๏ธ Seven malicious npm packages are targeting Vite developers.

They stay quiet during installation. Import one, and it starts a RAT delivery chain that can steal credentials, exfiltrate files, and open a reverse shell.

The attacker stores the delivery path in public blockchain transactions.

See the affected packages and full attack chain: https://thehackernews.com/2026/07/seven-malicious-vite-npm-packages-use.html
๐Ÿ”ฅ1