Find notable cyber news and cases, enriched with sources, timelines, and signals.

Recent notable Happenings and Cases

Hide ▲
Last updated: 15:17 10/07/2026 UTC
Last updated: 19:25 09/07/2026 UTC

Latest updates

Browse →

Rossen G. Iossifov had assets seized in Rossen G. Iossifov seized-crypto laundering case

Law Enforcement

Updated: 10.07.2026 18:30 · First: 10.07.2026 18:30 · 📰 1 src / 1 articles · H score: 25

Federal prosecutors charged Rossen G. Iossifov in the Eastern District of Kentucky over a money laundering case involving $290,000 in seized cryptocurrency, pushing a cybercrime prosecution tied to stolen fraud proceeds back into court.

GigaWiper modular backdoor with wiping and espionage capabilities

Malware Activity

Updated: 10.07.2026 18:30 · First: 10.07.2026 18:30 · 📰 1 src / 1 articles · H score: 22

The newly analyzed GigaWiper backdoor combines espionage and destructive wiping functions, giving operators a single implant that can control, sabotage, and erase infected systems. Microsoft said the tool also includes fake ransomware behavior and multiple destructive commands, expanding the impact of a single compromise. The finding raises concern because the malware unifies capabilities that are usually spread across separate tools. The result is a more flexible platform for covert access and system destruction.

GigaWiper reuses multiple malware lineages in a unified destructive backdoor

Technical Analysis

Updated: 10.07.2026 18:30 · First: 10.07.2026 18:30 · 📰 1 src / 1 articles · H score: 22

Microsoft's July 9 analysis of GigaWiper shows a modular backdoor that merges espionage, C2, and destructive wiping into one implant, widening the damage a single payload can cause. The research concluded the tool was assembled by combining and reimplementing components from Crucio ransomware, FlockWiper, and a third unrecovered framework. The findings provide reusable technical context for spotting similar multi-function malware and understanding how its destructive commands are organized.

Tangem crypto wallet card unpatchable laser password reset security flaw

Vulnerability

Updated: 10.07.2026 17:51 · First: 10.07.2026 17:51 · 📰 1 src / 1 articles · H score: 34

A Tangem crypto wallet card vulnerability lets a precisely timed laser pulse reset the card's password, creating a path for a thief with the physical card to take control of the wallet. The flaw sits in the Samsung S3D232A chip recovery logic and affects every card sold because Tangem cards cannot take software updates. The research was disclosed to Tangem on February 10, 2026 and remains unpatchable.

OpenClaw 2026.6.6 security update for three flaws

Security Patch Release

Updated: 10.07.2026 17:19 · First: 10.07.2026 17:19 · 📰 1 src / 1 articles · H score: 31

OpenClaw maintainers shipped version 2026.6.6 to fix three security flaws that could enable credential theft, privilege escalation, and arbitrary code execution on the host. Two of the issues are command-injection bugs and the third is a path traversal/link-following flaw. The release reduces risk for deployments where lower-trust input can reach the affected paths.

OpenClaw command-injection, path-traversal, and link-following flaws (multiple vulnerabilities)

Vulnerability

Updated: 10.07.2026 17:19 · First: 10.07.2026 17:19 · 📰 1 src / 1 articles · H score: 33

OpenClaw now has three patched high-severity vulnerabilities that can lead to credential theft, privilege escalation, and arbitrary code execution on the host. The set includes two command-injection flaws and one path traversal/link-following bug, with fixes in version 2026.6.6. A researcher said the issues can be triggered from an external WhatsApp message when lower-trust input reaches the affected paths.

Prompt-injection proof-of-concept enables silent RCE in Claude Code and Codex

Technical Analysis

Updated: 10.07.2026 16:45 · First: 10.07.2026 16:45 · 📰 1 src / 1 articles · H score: 28

Researchers demonstrated a proof-of-concept exploit that can force remote code execution in Anthropic’s Claude Code and OpenAI’s Codex, exposing a trust-boundary flaw in AI coding agents. The attack uses multi-stage prompt injection inside an untrusted repository to make attacker text look like normal task context. In auto-mode/auto-review, the agents can be pushed to run a supposed security.sh workflow that actually launches hidden code. The result is silent execution on a victim machine during a defensive scan.

Silver Fox MODBEACON Rust RAT activity

Malware Activity

Updated: 10.07.2026 16:15 · First: 10.07.2026 16:15 · 📰 1 src / 1 articles · H score: 23

The Silver Fox ecosystem has been tied to MODBEACON, a Rust-based remote access trojan that gives operators encrypted C2 and modular control over infected hosts. The malware is being pushed through counterfeit installers and bogus ZIP archives seeded by SEO poisoning, broadening exposure across technology, education, and state-owned enterprises. The design supports plugin loading, scheduled-task persistence, and follow-on payload expansion, raising the risk of stealthy long-term compromise. The C2 transport reuses Xray/V2Ray-style components and runs through Amazon and Cloudflare CDN infrastructure.

Silver Fox counterfeit-installer SEO-poisoning campaign across Asia

Campaign

Updated: 10.07.2026 16:15 · First: 10.07.2026 16:15 · 📰 1 src / 1 articles · H score: 32

Silver Fox is running a counterfeit-installer SEO-poisoning campaign that delivers malware across Asia and puts technology, education, and state-owned enterprise users at renewed risk. The operation uses bogus installer downloads and repeated search poisoning to drive infections. It shows sustained distribution activity rather than a one-off lure.

GodDamn ransomware PoisonX BYOVD activity

Malware Activity

Updated: 09.07.2026 13:43 · First: 09.07.2026 13:43 · 📰 2 src / 2 articles · H score: 14

GodDamn ransomware, part of the Hyadina family, has evolved into a Windows intrusion chain that uses AnyDesk, credential theft, and the PoisonX kernel driver to disable endpoint defenses before encrypting files. Public reporting places the latest variant in May 2026 and ties it to an early June 2026 intrusion in which operators used PsExec for lateral movement and repeated the deployment across at least 10 hosts. The activity shows a reusable ransomware workflow that reduces detection, expands access, and ends with file encryption and ransom notes.

China- and India-linked cyberespionage campaign against Pakistani law enforcement

Campaign

Updated: 10.07.2026 14:55 · First: 10.07.2026 14:55 · 📰 1 src / 1 articles · H score: 29

Cyberespionage groups linked to China and India ran a Feb 2024–Apr 2026 campaign against Pakistani law enforcement, reaching police systems that held sensitive records and citizen-facing data. The operation hit Balochistan Police most heavily and exposed servers tied to biometric databases, criminal case files, and personnel records. The intrusions used PlugX, ShadowPad, Cobalt Strike, and Remcos, and some access was delivered through fake software updates on a public complaint portal.

XQUIC XRING remote crash security flaw

Vulnerability

Updated: 10.07.2026 14:47 · First: 10.07.2026 14:47 · 📰 1 src / 1 articles · H score: 1

XQUIC's XRING flaw leaves HTTP/3 servers exposed to remote crashes through valid QPACK traffic, with no patch available. The bug needs no login and no malformed packets, and FoxIO says about 260 bytes of ordinary traffic can take the server process down. Any server embedding XQUIC and serving HTTP/3 with default QPACK settings is exposed, including embedders such as Tengine.

Zimbra Classic Web Client stored XSS cross-site scripting flaw

Vulnerability

Updated: 10.07.2026 14:47 · First: 10.07.2026 14:47 · 📰 1 src / 1 articles · H score: 22

Zimbra's Classic Web Client stored cross-site scripting (XSS) flaw was patched in Zimbra 10.1.19, closing a path that could expose session data, account settings, and mailbox information. The issue is triggered by specially crafted emails opened in the Classic UI and had no CVE ID yet at release time. Zimbra told customers using the Classic Web Client to upgrade as soon as possible.

Zimbra Classic Web Client stored XSS security update

Security Patch Release

Updated: 10.07.2026 14:47 · First: 10.07.2026 14:47 · 📰 1 src / 1 articles · H score: 32

Zimbra released ZCS v10.1.19 to patch a stored XSS flaw in the Classic Web Client, narrowing exposure for users of that interface. The bug could be triggered through specially crafted emails and could expose session data, account settings, or mailbox information if opened. Zimbra told customers to upgrade as soon as possible because the issue affects only Classic Web Client users and had no CVE ID yet.

SNOWLIGHT-to-VShell remote-access backdoor chain

Malware Activity

Updated: 10.07.2026 14:30 · First: 10.07.2026 14:30 · 📰 1 src / 1 articles · H score: 51

The SNOWLIGHT dropper was used to install VShell, giving operators covert remote access on compromised hosts and hiding the backdoor as [kworker/0:2] in process lists. The chain combines delivery and stealth, making post-compromise control harder to spot. It represents a focused malware activity thread centered on persistence and concealment.

WP-SHELLSTORM webshell access brokerage campaign

Campaign

Updated: 10.07.2026 14:30 · First: 10.07.2026 14:30 · 📰 1 src / 1 articles · H score: 71

The WP-SHELLSTORM campaign exposed its own infrastructure, revealing a webshell access brokerage that targeted WordPress and Joomla sites at scale and backdoored thousands of sites. The exposed files contained webshells, exploit scripts, scan results, command history, and target lists naming more than 1.4 million websites. The operation relied on automated scanning of public flaws such as CVE-2026-3844 to plant backdoors for later resale. Separate files show an earlier phase that harvested cloud credentials and other secrets from corporate Java systems before the large-scale webshell push.

Pink new extortion brand within The Com

Threat Actor Meta

Updated: 08.07.2026 19:47 · First: 08.07.2026 19:47 · 📰 2 src / 2 articles · H score: 31

Pink is a The Com-linked extortion brand associated with O-UNC-066 that is now being used in a voice-based phishing campaign against Microsoft 365 users. The activity sends targets to a panel-controlled phishing kit that mimics Entra passkey enrollment and captures credentials and MFA responses so the attacker can register an unauthorized passkey and gain account access. Okta says the campaign has targeted food and beverage, technology, healthcare, automotive, construction, and aviation organizations, and the brand is linked to a data leak site operating since April 2026 under the name Pink.

Wallet software weak recovery-phrase generation actively exploited security flaw

Vulnerability

Updated: 10.07.2026 12:00 · First: 10.07.2026 12:00 · 📰 1 src / 1 articles · H score: 31

Coinspect disclosed Ill Bloom, a weak-randomness recovery-phrase flaw in crypto wallet software that is actively exploited and can let attackers derive wallet addresses and drain funds. The issue is concentrated in older or lesser-known mobile wallets, while hardware devices and most mainstream software wallets are not affected. A confirmed May 27 sweep drained about $3.1 million from 431 wallets.

NHS patient-data unauthorized-access guidance

Advisory/Mitigation

Updated: 10.07.2026 12:00 · First: 10.07.2026 12:00 · 📰 1 src / 1 articles · H score: 7

The NHS issued patient-data unauthorized-access guidance that tells healthcare organizations to tighten monitoring, reporting, and access controls across staff systems. The rollout pairs a staff campaign with concrete mitigations to reduce improper viewing of medical records. It raises the operational bar for internal access by pushing least privilege, MFA, and role-based access controls. The guidance targets both human behavior and system design to stop unauthorized access before it happens.

NHS awareness campaign and guidance on unauthorized patient-data access

Public Sector Action

Updated: 10.07.2026 12:00 · First: 10.07.2026 12:00 · 📰 1 src / 1 articles · H score: 8

The NHS launched a new awareness-raising campaign and guidance to curb unauthorized access to patient data across staff and healthcare organizations. The initiative warns that unlawful access can lead to jail time, loss of employment, and referral to the ICO and police for criminal prosecution. It also pushes controls such as least privilege, MFA, role-based access controls, and monitoring in electronic patient record systems. The rollout follows recent insider cases involving 11 staff sacked, 14 written warnings, and an investigation into about 40 staff at a Cambridgeshire hospital.

Angelo Martino BlackCat ransomware sentencing

Law Enforcement

Updated: 10.07.2026 11:17 · First: 10.07.2026 11:17 · 📰 2 src / 2 articles · H score: 36

Angelo Martino was sentenced to 70 months in prison for helping target U.S. companies in BlackCat (ALPHV) ransomware attacks. The sentence increases criminal exposure for a former DigitalMint employee who worked inside ransomware negotiation activity. It also adds to the penalties already imposed on other negotiators tied to the same cybercrime scheme.

OpenMandriva Linux project hit by cyberattack

Incident

Updated: 10.07.2026 01:14 · First: 10.07.2026 01:14 · 📰 1 src / 1 articles · H score: 32

The OpenMandriva Linux project is recovering from an attempted internal sabotage that deleted repositories and published an empty package that could have damaged user systems. The destructive changes hit GitHub and the Cooker development branch, affecting GNOME and Cosmic packages. The project is restoring content and running a full system audit to check for more unauthorized changes.

Injective Labs SDK project GitHub repository hit by network compromise

Incident

Updated: 09.07.2026 23:10 · First: 09.07.2026 23:10 · 📰 1 src / 1 articles · H score: 21

The Injective Labs SDK project suffered a GitHub repository compromise that let attackers publish a malicious @injectivelabs/sdk-ts v1.20.21 package, putting developers' wallet secrets at risk. The compromised release was tied to suspicious activity on June 8 and could steal private keys and mnemonic seed phrases from systems that used the SDK. A clean v1.20.23 release followed, but the malicious package had already been downloaded 310 times before deprecation.

GitHub API enumeration campaign targeting corporate organizations

Campaign

Updated: 09.07.2026 21:38 · First: 09.07.2026 21:38 · 📰 1 src / 1 articles · H score: 17

A GitHub API reconnaissance campaign is systematically mapping corporate organizations, repositories, and user accounts across multiple companies, expanding the risk of follow-on abuse. The operators mix automated scraping tooling with legitimate-sounding user agents and long-dormant ghost accounts to blend into normal API traffic. They also reuse compromised OAuth tokens and personal access tokens (PATs) from legitimate users. In some cases, the activity has progressed from public-data collection to private-repository cloning.

Single organization's private GitHub repository cloned after confirmed access

Data Leak

Updated: 09.07.2026 21:38 · First: 09.07.2026 21:38 · 📰 1 src / 1 articles · H score: 12

Confirmed access to a private GitHub repository belonging to one organization marks a concrete data exposure and raises the risk of source-code or internal-content theft. The attackers took steps to clone the repository, showing that the operation moved beyond public reconnaissance. The event widens the impact of the broader GitHub abuse activity because protected repository data was reached, not just public metadata.

GigaWiper / BLUERABBIT destructive Windows backdoor activity

Malware Activity

Updated: 09.07.2026 21:08 · First: 09.07.2026 21:08 · 📰 1 src / 1 articles · H score: 31

The GigaWiper / BLUERABBIT malware activity now combines disk wiping, fake ransomware, and spyware backdoor functions on Windows, increasing the chance that one intrusion can monitor, destroy, or irreversibly disable infected machines. The implant is written in Go, masquerades as OneDrive, and can run a OneDrive Update scheduled task while hiding its state in the registry. It also routes command traffic through RabbitMQ, Redis, and MinIO, which can make the activity harder to spot on networks that already use those services.

Helix vishing and SharePoint data-extortion campaign

Campaign

Updated: 09.07.2026 20:08 · First: 09.07.2026 20:08 · 📰 1 src / 1 articles · H score: 38

The Helix campaign is using vishing, device-code phishing, and MFA abuse to break into SharePoint environments and steal files, exposing victim organizations to extortion. Operators then add a new authenticator app for persistence and rapidly enumerate content before exfiltration. The stolen data can be used to threaten publication or sold to other cybercriminals.

GitHub npm GAT publish-token mitigation guidance

Advisory/Mitigation

Updated: 09.07.2026 19:49 · First: 09.07.2026 19:49 · 📰 1 src / 1 articles · H score: 25

GitHub is steering npm users away from long-lived publish tokens as npm GATs that bypass 2FA lose direct publishing and sensitive-management abilities. The recommended path is to move automated releases to trusted publishing (OIDC) or staged publishing with human approval. GitHub says the changes begin in early August 2026 and continue with a second phase in January 2027, leaving a short window to migrate publishing workflows.

GitHub npm version 12 hardens installs and token management

Security Tool/Service

Updated: 09.07.2026 19:49 · First: 09.07.2026 19:49 · 📰 1 src / 1 articles · H score: 11

GitHub released npm version 12, making install-time scripts opt-in by default and tightening package publishing controls to reduce supply-chain risk. The update also strips sensitive powers from 2FA-bypass granular access tokens (GATs), limiting token abuse in account and organization management. Developers must now explicitly approve trusted scripts, and automated publishing is being pushed toward trusted publishing (OIDC) or staged publishing with human approval.

Malicious npm and PyPI payment SDK typosquat packages

Malware Activity

Updated: 09.07.2026 18:09 · First: 09.07.2026 18:09 · 📰 1 src / 1 articles · H score: 40

The 17 malicious npm and PyPI packages targeted Paysafe, Skrill, and Neteller SDKs to steal system information and developer secrets, then send the data to an Ngrok endpoint. The package set sits in a software supply-chain path that can reach developers who install apparently legitimate payment tooling. The activity increases the risk of credential theft and downstream compromise in payment-adjacent development environments.