Find notable cyber news and cases, enriched with sources, timelines, and signals.

Recent notable Happenings and Cases

Hide ▲
Last updated: 21:32 13/07/2026 UTC
Last updated: 16:02 13/07/2026 UTC

Latest updates

Browse →

Nihon Kotsu taxi dispatch and booking service disruption

Service Disruption

Updated: 13.07.2026 23:18 · First: 13.07.2026 23:18 · 📰 1 src / 1 articles · H score: 1

Nihon Kotsu's car hire, web booking, reservation management, and telephone dispatch services remain unavailable, disrupting taxi access for customers. The outage also affects some internal systems and forces customers to use alternate booking channels.

Nihon Kotsu hit by network compromise

Incident

Updated: 13.07.2026 23:18 · First: 13.07.2026 23:18 · 📰 1 src / 1 articles · H score: 25

Japan's Nihon Kotsu confirmed a cyberattack that compromised internal systems and left its taxi dispatch service offline, disrupting core operations. The outage also affected car hire, web booking, reservation management, and some internal systems. The company is still investigating whether any data was leaked, while emergency containment steps remain in place.

Jscrambler hit by network compromise

Incident

Updated: 13.07.2026 22:44 · First: 13.07.2026 22:44 · 📰 1 src / 1 articles · H score: 15

The Jscrambler npm package suffered an unauthorized publication of a malicious version that exposed developers to infostealer theft risk. The bad release stayed live for two hours and was downloaded 1,479 times, widening the blast radius to secrets, cloud credentials, and wallet data. Jscrambler said the incident stemmed from compromised npm publishing credentials, then revoked access, deprecated the package, and released 8.22.

Jscrambler 8.14.0 malicious preinstall infostealer release

Malware Activity

Updated: 11.07.2026 20:59 · First: 11.07.2026 20:59 · 📰 2 src / 2 articles · H score: 9

The jscrambler 8.14.0 npm release now ships a malicious preinstall hook that runs a Rust infostealer during install, putting developer and CI secrets at risk on Windows, macOS, and Linux. The package executes without any import or CLI call, so a routine dependency install is enough to trigger theft. The payload targets cloud credentials, browser sessions, wallets, password-manager data, and AI-tool API keys. The release was later replaced by a clean 8.15.0, but any system that already installed 8.14.0 may have exposed secrets.

CrashStealer meeting-PIN delivery campaign

Campaign

Updated: 13.07.2026 22:04 · First: 13.07.2026 22:04 · 📰 1 src / 1 articles · H score: 35

The CrashStealer campaign is delivering a signed, Apple-notarized installer from a fake software site gated by a meeting PIN, narrowing infection opportunities to a select visitor cohort while improving stealth. The first-stage payload is Werkbit Setup, and the operation was observed in early July after tracking began in May. That access-limited delivery path makes the campaign harder to detect and more likely to reach intended targets.

CrashStealer macOS information stealer activity

Malware Activity

Updated: 13.07.2026 20:36 · First: 13.07.2026 20:36 · 📰 2 src / 2 articles · H score: 10

CrashStealer is a macOS information-stealing malware that was tracked in May and seen in attacks in early July. It impersonates Apple's crash-reporting tool by using a fake CrashReporter.app name, a com.apple.crashreporter.helper LaunchAgent, and a signed, Apple-notarized installer to help bypass Gatekeeper. The malware collects keychain data, browser credentials, and data from more than 80 crypto wallet extensions and 14 password managers, then encrypts exfiltrated files with AES-256-GCM before uploading them to a C2 server.

ModHeader browser extension hidden browsing-history collector

Malware Activity

Updated: 13.07.2026 20:17 · First: 13.07.2026 20:17 · 📰 1 src / 1 articles · H score: 42

The ModHeader browser extension shipped a hidden browsing-history collector in its official store version, exposing about 1.6 million installs to covert domain and header logging. The collector was dormant because its allow-list shipped empty, and no proof shows it actually exfiltrated browsing domains. The code still built a device fingerprint, encrypted visited domains, and prepared daily uploads to api.stanfordstudies[.]com. Google and Microsoft removed the listings from Chrome Web Store and Edge on July 10 and July 3.

Codemado open-directory operator toolkit leak

Data Leak

Updated: 13.07.2026 18:30 · First: 13.07.2026 18:30 · 📰 1 src / 1 articles · H score: 18

A misconfigured Budapest VPS exposed codemado's phishing toolkit, leaking session material and credential artifacts that could enable account hijacking. The readable directory included phishing configurations, credential logs, RMM installers, and Telegram session files. The exposed files tied the operator to an active Evilginx-based phishing ecosystem and created immediate operational risk for anyone using the compromised infrastructure.

The Quarry PaaS ecosystem and RockyBelling's promotion of MaDoO Blaster

Threat Actor Meta

Updated: 13.07.2026 18:30 · First: 13.07.2026 18:30 · 📰 1 src / 1 articles · H score: 14

The Quarry was tied to MaDoO Blaster, showing a phishing-as-a-service ecosystem that packages AiTM tooling for sale. The operation was run by RockyBelling, who promoted the tool to his customers. The setup reflects a low-barrier criminal market where components are sold on Telegram and functional phishing infrastructure can be assembled quickly.

Joomla extensions arbitrary file upload (multiple vulnerabilities, actively exploited)

Vulnerability

Updated: 13.07.2026 08:36 · First: 13.07.2026 08:36 · 📰 2 src / 2 articles · H score: 59

CISA added CVE-2026-48939 and CVE-2026-56291 to the KEV catalog, confirming zero-day exploitation of two Joomla extension flaws that allow arbitrary file upload and code execution. The affected extensions are iCagenda and Balbooa Forms, both rated 10.0 CVSS. The exposed attack path can lead to PHP code execution or unauthenticated remote code execution on internet-facing sites.

Joomla iCagenda and Balbooa Forms active RCE exploitation wave

Exploitation Wave

Updated: 13.07.2026 18:20 · First: 13.07.2026 18:20 · 📰 1 src / 1 articles · H score: 42

Joomla sites were hit by an active exploitation wave against iCagenda and Balbooa Forms upload flaws, enabling remote code execution and full website takeover. The activity used automated attacks before patches were available, raising the risk of web shell installation and data theft across exposed sites.

CISA KEV directive for Joomla extension flaws

Public Sector Action

Updated: 13.07.2026 18:20 · First: 13.07.2026 18:20 · 📰 1 src / 1 articles · H score: 36

CISA added the Joomla extension flaws to the KEV catalog and ordered federal agencies to apply updates or mitigations within three days, tightening remediation timelines for systems exposed to CVE-2026-48939 and CVE-2026-56291.

CISA recommends continuous secrets scanning and stronger key management after GitHub leak

Defensive Guidance

Updated: 13.07.2026 18:03 · First: 13.07.2026 18:03 · 📰 1 src / 1 articles · H score: 26

CISA now recommends continuous secrets scanning and stronger key management after a contractor left internal credentials in a public GitHub repository for nearly six months. The guidance targets organizations that store secrets in code or cloud-linked repositories and need faster detection of exposed credentials. It also underscores the need for clear external reporting paths and prompt secret rotation when exposure is found.

China- and India-nexus espionage campaign targeting Pakistani police

Campaign

Updated: 13.07.2026 17:45 · First: 13.07.2026 17:45 · 📰 1 src / 1 articles · H score: 35

A China- and India-nexus espionage campaign targeted Pakistani law enforcement over an extended period, putting sensitive police and identity records at risk. The operation focused on Balochistan Police and reached systems used for biometric records, criminal case files, and tenant registrations. One actor also compromised the force’s Complaint Management System (CMS) and used implants to blend into a portal update. The activity points to sustained intelligence collection against a high-value policing target set.

Balochistan Police hit by network compromise

Incident

Updated: 11.07.2026 20:49 · First: 11.07.2026 20:49 · 📰 2 src / 2 articles · H score: 25

Balochistan Police suffered a long-running compromise of police infrastructure and a public-facing Complaint Management System (CMS), with exposure spanning June 2, 2024 to April 9, 2026. The affected environment included systems handling criminal records, biometric records, personnel records, and complaint workflows, and the CMS at cms.balochistanpolice.gov[.]pk was used by both officers and citizens. Attackers uploaded cms_plugin.exe implants, including a Rust stager that showed "Update Complete! Please refresh the page," and a .NET loader that masqueraded as 360Safe.exe and reflectively loaded AsyncRAT. The activity is tied in reporting to China-nexus and India-nexus espionage operations, with observed tooling including PlugX, ShadowPad, Cobalt Strike, Remcos, and AsyncRAT.

Lidl online shop customer data leak at service provider

Data Leak

Updated: 13.07.2026 17:19 · First: 13.07.2026 17:19 · 📰 1 src / 1 articles · H score: 28

Lidl confirmed that customer data from its online shop was stolen in a service-provider breach, exposing shoppers in Germany, Belgium, and the Netherlands. The stolen set includes names, phone numbers, email addresses, dates of birth, and customer numbers, while the online shop's system itself was not affected. Lidl said it cannot yet rule out broader exposure of passwords or payment information, and it warned customers about phishing and identity fraud.

MemGhost stealth memory injection against OpenClaw personal agents

Technical Analysis

Updated: 13.07.2026 16:49 · First: 13.07.2026 16:49 · 📰 1 src / 1 articles · H score: 23

Researchers demonstrated MemGhost, a one-email prompt-injection technique that can plant a persistent false memory in OpenClaw-style personal agents, letting an attacker steer later-session answers without visible consent. The lab results show the attack can survive into future sessions and remain hidden, raising the risk of durable context poisoning in agents that read inboxes and write their own memory files.

NCA charges five in Russian Coms cybercrime case

Law Enforcement

Updated: 13.07.2026 16:23 · First: 13.07.2026 16:23 · 📰 1 src / 1 articles · H score: 35

UK authorities charged five people in the Russian Coms scam-call case, escalating a cybercrime prosecution tied to caller ID spoofing and over 1.8 million scam calls. The suspects are due in Westminster Magistrates' Court on Friday, August 14. The charges expand legal exposure around a platform used to impersonate banks, telecoms, and law enforcement.

Russian Coms caller-ID spoofing platform evolved into a sold criminal service

Threat Actor Meta

Updated: 13.07.2026 16:23 · First: 13.07.2026 16:23 · 📰 1 src / 1 articles · H score: 43

Investigators documented Russian Coms as a monetized caller-ID spoofing platform that let criminals hide their identity and scale scam calls across more than 107 countries. The service’s 2020 launch, shift from handset to web app, and paid subscription model show a criminal service ecosystem built for fraud facilitation and impersonation.

GPPStorm Google Partners enrollment phishing campaign

Campaign

Updated: 13.07.2026 16:03 · First: 13.07.2026 16:03 · 📰 1 src / 1 articles · H score: 33

GPPStorm is a phishing campaign that uses bogus Google Partners and Google Premier Partner enrollment workflows to push recipients to a fake Google sign-in page and steal credentials in real time. The lure mimics a legitimate partner-enrollment flow, making the login prompt appear credible. The campaign puts Google account holders at immediate account-takeover risk because captured credentials can be used as soon as they are entered. It combines a named operation, a branded lure, and a direct credential-capture flow.

Forg365 PhaaS industrializes Microsoft 365 credential theft and session hijacking

Threat Actor Meta

Updated: 13.07.2026 16:03 · First: 13.07.2026 16:03 · 📰 1 src / 1 articles · H score: 36

Forg365 has emerged as a subscription-based phishing platform that lowers the barrier to Microsoft 365 account theft while scaling session hijacking and mailbox abuse. The ecosystem packages lure creation, delivery, evasion, token handling, and post-compromise tooling for low-skill affiliates at industrial scale.

Microsoft Entra OAuth Client ID spoofing campaign

Campaign

Updated: 13.07.2026 16:00 · First: 13.07.2026 16:00 · 📰 1 src / 1 articles · H score: 35

A Microsoft Entra ID targeting campaign is using OAuth Client ID spoofing to evade Entra sign-in logs and gain stealthy access to cloud services, increasing the chance that malicious logins go undetected. Proofpoint says it has tracked multiple large-scale campaigns affecting millions of user accounts across thousands of tenants. The activity relies on the ROPC flow and blank application fields to obscure authentication attempts.

Progress ShareFile access disruption during security threat investigation

Service Disruption

Updated: 13.07.2026 15:05 · First: 13.07.2026 15:05 · 📰 1 src / 1 articles · H score: 1

Progress ShareFile experienced a customer-access disruption after Progress Software identified a credible external security threat targeting Storage Zone Controllers. The company temporarily disabled access for affected accounts and told customers to shut down the hosting server while it investigated, creating an immediate availability and operational impact for enterprise file-sharing users.

EU and UK sanctions Russian GRU-linked cyber actors

Regulatory/Legal Action

Updated: 13.07.2026 14:19 · First: 13.07.2026 14:19 · 📰 1 src / 1 articles · H score: 44

The Council of the European Union and the UK imposed new sanctions on Russian individuals and entities tied to cyber and hybrid operations, tightening legal pressure on GRU-linked actors and associated networks. The measures cover nine individuals and four entities in the EU package and 24 individuals and entities in the UK action, with officials linking the targets to attacks and influence activity across Europe.

AI-assisted attacker tradecraft speeds up AD enumeration and cloud extortion operations

Technical Analysis

Updated: 13.07.2026 14:02 · First: 13.07.2026 14:02 · 📰 1 src / 1 articles · H score: 27

Researchers documented AI-assisted attacker tradecraft that accelerated Active Directory enumeration and AWS cloud intrusion workflows, reducing the effort needed to turn routine access into discovery, exfiltration, and extortion pressure. The findings show that familiar techniques become more operationally dangerous when attackers can generate and adapt tooling faster.

AI-generated PowerShell Active Directory reconnaissance script

Malware Activity

Updated: 09.07.2026 17:00 · First: 09.07.2026 17:00 · 📰 2 src / 2 articles · H score: 23

An AI-generated PowerShell script was used in a real Windows intrusion, showing how one-off malware can automate Active Directory reconnaissance and evade signature-based detection. The attacker logged in with stolen credentials, then used the script to enumerate directory data and stage it for theft. The activity expanded from reconnaissance into spreadsheet-based collection and exfiltration, increasing the risk of internal environment exposure. The script’s unusual, LLM-shaped code also made traditional file-hash and signature defenses ineffective.

Cybersecurity agencies from 12 countries fresh warning / joint advisory for published on 2026-07-13

Public Sector Action

Updated: 13.07.2026 13:40 · First: 13.07.2026 13:40 · 📰 1 src / 1 articles · H score: 53

Cybersecurity agencies from 12 countries issued a fresh advisory urging defenders to harden vulnerable routers amid active targeting by a Russian state-sponsored cyber unit. The guidance matters because the unit is scanning for devices with default or weak SNMP passwords and community strings, creating a live exposure window for critical sectors. Agencies warned that communications, defence, energy, financial services, government and healthcare organizations should take immediate mitigation steps.

EU sanctions Russian cyber actors over espionage campaign

Regulatory/Legal Action

Updated: 13.07.2026 13:00 · First: 13.07.2026 13:00 · 📰 1 src / 1 articles · H score: 26

The European Union imposed sanctions on Russian military intelligence officers, hackers and private companies on Monday, escalating pressure over a yearslong cyber espionage campaign. The measures target nine people and four entities linked to online spying and sabotage activity against critical infrastructure and government networks. The affected activity spans at least nine countries, including France, Germany, Poland, Cyprus, the Netherlands, Austria, Slovakia, Romania and Finland. The action increases legal and financial pressure on the network and its support structure across the EU and partner states.

FSB 16th Centre yearslong cyber espionage campaign against European governments and critical infrastructure

Campaign

Updated: 13.07.2026 13:00 · First: 13.07.2026 13:00 · 📰 2 src / 2 articles · H score: 42

FSB 16th Centre is tied to a yearslong cyberespionage campaign against European governments and critical infrastructure across at least nine countries. The Council of the European Union now publicly identified the unit as controlling groups including Turla, and said the activity has targeted public-sector and defense networks since 2010. The campaign has also included disruption-oriented activity against heating and power plants, putting essential services at risk. The latest EU sanctions reinforce the severity and persistence of the operation.

NSA/FBI/CISA router hardening advisory

Advisory/Mitigation

Updated: 13.07.2026 12:32 · First: 13.07.2026 12:32 · 📰 1 src / 1 articles · H score: 33

NSA, FBI, CISA and 15 allied agencies issued a joint router hardening advisory after hackers targeted vulnerable and poorly configured routers in critical infrastructure networks. The guidance tells defenders to upgrade to SNMPv3, disable Cisco Smart Install, enforce strong unique passwords, and block TFTP and SNMP at edge firewalls. It also calls for software and firmware updates and replacing end-of-life devices.