Cybersecurity Landscape Sees Surge in Novel Threats and Exploits
The digital realm is facing a barrage of evolving cyber threats and sophisticated attack vectors this week, keeping security professionals and everyday users on high alert. From illicit fake cell towers broadcasting phishing texts to developers inadvertently downloading malicious tools, the cybersecurity landscape is more dynamic and challenging than ever. Millions of unprotected servers, unpatched legacy software, and new exploitation kits are contributing to a complex threat environment, demanding constant vigilance. This surge in malicious activity highlights the continuous arms race between cybercriminals and cybersecurity defenders, necessitating an adaptive and informed approach to online safety.
Fake Cell Towers Facilitate SMS Phishing
Canadian authorities have apprehended three individuals for operating an SMS blaster device that impersonated a cellular tower to distribute phishing text messages. These devices work by emitting signals that trick nearby mobile phones into connecting, subsequently delivering fraudulent messages appearing to originate from trusted organizations. As reported, the primary goal of these messages is to prompt recipients to click on malicious links leading to fake websites designed to harvest sensitive personal information, including banking credentials and passwords. Officials stated that tens of thousands of devices connected to the blaster over several months, marking the first documented instance of such technology being used in Canada. The accused face 44 charges in connection with the operation.
New npm Package Steals Developer Data
A recent supply chain attack exploited an npm package designed to mimic TanStack, distributing malicious versions capable of exfiltrating environment variables from developers’ machines during installation. Identified by Socket, the package, named “tanstack,” was found to silently steal critical environment variable files such as .env, .env.local, and .env.production. The stolen data is then sent to an attacker-controlled endpoint. The malicious package is attributed to a user named “sh20raj,” with versions 2.0.4 through 2.0.7 confirmed as compromised. This incident underscores the ongoing risks associated with open-source software dependencies.
Browser Extensions Legally Sell User Data
An analysis by LayerX has revealed that numerous networks of browser extensions are actively collecting and reselling user data. Unlike malicious extensions that conceal their activities, the 80 identified extensions explicitly state in their privacy policies that they gather and sell data from users who install them. These include a network of 24 media extensions, installed on over 800,000 devices, which collect viewing data and demographic information from major streaming platforms. Additionally, 12 ad blockers, with a combined user base exceeding 5.5 million, openly engage in the sale of user data. Nearly 50 other extensions, collectively used by over 100,000 users, also collect and resell browsing data.
Komari Agent Leveraged in Real-World Attacks
Huntress has reported that unidentified threat actors utilized stolen VPN credentials to gain access to a Windows workstation within an undisclosed organization. Employing Impacket’s smbexec.py for initial access, the attackers deployed a SYSTEM-level backdoor using the Komari agent, a Go-based remote control and monitoring tool. This marks the first publicly documented instance of Komari being abused in a live intrusion, highlighting a growing trend of threat actors adopting publicly available and legitimate tools for malicious purposes. Komari is designed as a bidirectional control channel, featuring out-of-the-box capabilities for arbitrary command execution, interactive reverse shells, and network probing, all facilitated over a TLS-fronted WebSocket.
Next-Generation Phishing Kits Emerge
Two new sophisticated phishing kits, named Saiga 2FA and Phoenix System, have been linked to escalating email and SMS phishing campaigns. According to Barracuda, Saiga 2FA surpasses traditional adversary-in-the-middle (AitM) techniques by incorporating tools for extracting and analyzing mailbox content. The company described Saiga 2FA as an evolving platform that integrates infrastructure, automation, and post-compromise capabilities for highly targeted campaigns. Meanwhile, Phoenix System has been associated with over 2,500 phishing domains since January 2025, employing IP-based filtering and geofencing for precise targeting. Group-IB indicated that these campaigns are delivered via SMS, potentially utilizing fake Base Transceiver Stations (BTS) to bypass carrier filtering and display messages under trusted brands.
Millions of Remote Access Servers Exposed Online
Forescout’s latest analysis indicates that approximately 1.8 million Remote Desktop Protocol (RDP) servers and 1.6 million Virtual Network Computing (VNC) servers are exposed to the internet. China leads in exposed RDP servers (22%) and VNC servers (70%), followed by the U.S. and Germany. Among servers mapped to specific industries, retail, services, and education top RDP exposure, while education, services, and healthcare lead VNC exposure. Compounding these risks, 18% of exposed RDP servers run end-of-life Windows versions, over 19,000 RDP servers remain vulnerable to the BlueKeep exploit, and nearly 60,000 VNC servers lack authentication. Alarmingly, over 670 exposed VNC servers with disabled authentication provide direct access to Operational Technology (OT) and Industrial Control Systems (ICS) panels.
Unpatched RPC Vulnerability Allows Privilege Escalation
A newly identified vulnerability in Windows systems, dubbed PhantomRPC, permits local privilege escalation through the abuse of the operating system’s Remote Procedure Call (RPC) architecture. This flaw stems from an architectural weakness in how RPC handles connections to unavailable services. Exploiting PhantomRPC requires an attacker with limited local access to first compromise a privileged service running under the Network Service identity. The attacker then deploys a fake RPC server with the same interface identifier and exposed endpoint, intercepts specific requests, and impersonates the targeted service to elevate their privileges to SYSTEM. Kaspersky, which discovered the weakness, reported four potential exploitation paths. Microsoft has indicated it will not address the issue, citing the prerequisite of an initial compromise.
Vidar Dominates Information Stealer Market
The information stealer known as Vidar, now in its second iteration (Vidar Stealer 2.0), has ascended to the top of the information stealer market following law enforcement takedowns of Lumma and Rhadamanthys. Intrinsec noted that Vidar capitalized on the resulting disruption, attributing its rise partly to the release of version 2.0 and collaborations with Telegram channels. Advertised by a user named “Loadbaks” on underground forums, recent campaigns have distributed malware that uses deceptive links in YouTube videos promoting fake software to direct users to Mediafire pages. These pages serve as a distribution point for executables that download and run the credential harvesting malware. Stolen credentials are subsequently monetized on underground marketplaces.
Critical Vulnerabilities Uncovered in Healthcare Platform
OpenEMR, a widely used open-source electronic medical records platform, has disclosed 38 security vulnerabilities, since patched, that range from medium to critical severity and include authorization flaws, cross-site scripting (XSS), SQL injection, path traversal, and insufficient session management. Two distinct critical vulnerabilities, CVE-2026-24908 and CVE-2026-23627, could have been exploited to access and modify patient and provider data, posing significant health and regulatory risks. AISLE reported that severe SQL injection vulnerabilities, combined with modest database privileges, could have led to full database compromise, large-scale PHI exfiltration, and remote code execution. OpenEMR serves over 100,000 medical providers globally.
Legacy TLS Deprecation Moves Forward
Microsoft has announced plans to begin blocking legacy TLS connections for POP and IMAP email clients in Exchange Online in July 2026. The company stated that support for older TLS versions, specifically TLS 1.0 and TLS 1.1, will be fully deprecated for these protocols, as they are no longer considered secure. This move follows a gradual phase-out initiated years ago, where users could opt-in to use these legacy endpoints. Microsoft expects that only customers who have explicitly chosen to use these older, insecure protocols will be affected by the deprecation.
Robinhood Account Creation Abused for Phishing
Threat actors are exploiting the online trading platform Robinhood’s account creation process to send phishing emails that bypass spam filters. These emails, originating from a spoofed “noreply@robinhood[.]com” address, falsely warn of suspicious activity and prompt users to click a link for security verification, leading to a phishing site. Robinhood confirmed that this was an abuse of their account creation flow, not a breach of their systems or customer accounts, and that personal information and funds were not impacted. The attackers reportedly created new Robinhood accounts using modified existing Gmail addresses through the “dot trick” technique, which leverages Gmail’s indifference to periods in usernames while Robinhood treats each variation as a distinct user.
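The dot trick works only because the sign-up flow compares raw address strings while Gmail folds every dot placement onto one inbox. The defensive fix is to key account uniqueness on a canonical identity. The code below is an added example, not Robinhood's or Google's code; the provider table and the registry class are assumptions, and the fixture addresses are constructed.

```python
"""Canonicalise e-mail addresses before using them as an account uniqueness key.

Added example, not Robinhood's or Google's code. Gmail ignores periods in the
local part and anything after "+", so a sign-up flow that compares raw strings
sees "j.doe@gmail.com" and "jd.oe@gmail.com" as two users while both reach one
inbox. The provider table below is an assumption: extend it for any domain
whose aliasing rules you have confirmed.
"""

# Domains whose local part ignores dots and "+tags" (Gmail rules; assumption).
DOT_INSENSITIVE = {"gmail.com"}
DOMAIN_ALIASES = {"googlemail.com": "gmail.com"}


def canonical_email(addr):
    """Return the single mailbox identity an address resolves to."""
    addr = addr.strip()
    if addr.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {addr!r}")
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower().rstrip(".")
    domain = DOMAIN_ALIASES.get(domain, domain)
    if domain in DOT_INSENSITIVE:
        local = local.split("+", 1)[0]          # drop the sub-address tag
        local = local.replace(".", "").lower()  # dots and case are ignored
    # Other providers: leave the local part untouched, since RFC 5321 allows
    # it to be case-sensitive and dots are significant there.
    return f"{local}@{domain}"


def dot_variants_possible(local):
    """Number of distinct dot placements Gmail folds onto one local part.

    With n characters there are n-1 gaps, each optionally holding a dot, so
    2**(n-1) raw strings map to the same inbox; this is the head-room the
    dot trick gives an abuser against a naive uniqueness check.
    """
    n = len(local.replace(".", ""))
    return 2 ** (n - 1) if n > 1 else 1


class AccountRegistry:
    """Sign-up store keyed on canonical identity; a dot-trick duplicate is refused."""

    def __init__(self):
        self._accounts = {}  # canonical identity -> address as originally entered

    def register(self, addr):
        key = canonical_email(addr)
        if key in self._accounts:
            return False, self._accounts[key]  # duplicate of an existing account
        self._accounts[key] = addr
        return True, key
```

The registry keeps the address exactly as the user typed it for correspondence but checks uniqueness on the canonical form, so a second sign-up with a re-dotted or plus-tagged variant is refused rather than treated as a fresh customer.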
Social Media Scams Show Dramatic Increase
The U.S. Federal Trade Commission (FTC) has issued a warning regarding a substantial increase in losses from social media scams, which exceeded $2.1 billion in 2025. Scams originating on Facebook accounted for $794 million of these losses, more than any other platform. The FTC reported that nearly 30% of individuals who lost money to a scam in 2025 indicated that it began on social media, representing an eightfold increase since 2020. The accessibility of billions of users globally makes social media an attractive vector for scammers, who can exploit user accounts, leverage posted information, or use targeted advertising tools to reach potential victims.
Billions of Compromised Credentials Tracked
KELA reported tracking 2.86 billion compromised credentials globally in 2025, including usernames, passwords, session tokens, and various forms of breached data found on cybercrime marketplaces. At least 347 million of these credentials were initially obtained by information stealers operating on approximately 3.9 million infected machines. This large-scale exposure of credentials poses a significant risk of account takeovers and further malicious activities.
arXiv Papers Found to Leak Sensitive Data
An analysis of 2.7 million submissions to the arXiv preprint service revealed that accompanying files often contain unnecessary data, expose embedded metadata such as usernames and hardware details, and leak irrelevant content within source code comments. The research identified backups, Git repositories with editing histories, and configuration files containing API keys. Comments within LaTeX sources also exposed private conversations and to-do items that authors did not intend to disclose publicly. Furthermore, unrestricted URLs to external resources, security tokens, and private keys were found. Researchers have released a tool called ALC-NG to help comprehensively clean such files.
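The leak classes described above (build residue and version-control history, credential-shaped strings, and private remarks in LaTeX comments) can each be caught by a pre-submission scan. The code below is an added example and is not the researchers' ALC-NG tool; every file pattern, secret pattern and note keyword is an assumption to tune locally, and the sample submission it scans is constructed.

```python
"""Pre-submission scan of a LaTeX source bundle for files and text that should not ship.

Added example, not the researchers' ALC-NG tool; every pattern below is an
assumption to tune locally. Three checks follow the leak classes described
above: residue and history (.git, backups, editor files), credential-shaped
strings in any text file, and '%' comments in .tex sources that read like
private notes. Escaped percent signs (\\%) are not comments and are skipped.
"""
import re
import tempfile
from pathlib import Path

UNWANTED_NAMES = {".git", ".svn", ".hg", ".env", ".DS_Store", "Thumbs.db"}
UNWANTED_SUFFIXES = (".bak", ".orig", "~", ".swp", ".aux", ".log", ".synctex.gz")

SECRET_PATTERNS = {
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "key-like assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\s*[=:]\s*['\"]?[A-Za-z0-9/+_\-]{16,}"),
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "URL with credentials": re.compile(r"https?://[^\s/:@]+:[^\s/@]+@"),
}
NOTE_WORDS = re.compile(r"(?i)\b(todo|fixme|xxx|don'?t tell|remove before|confidential|reviewer)\b")


def _escaped(line, i):
    """True when the '%' at index i is preceded by an odd run of backslashes."""
    k = 0
    while i - k - 1 >= 0 and line[i - k - 1] == "\\":
        k += 1
    return k % 2 == 1


def tex_comment_lines(text):
    """Yield (lineno, comment_text) for each real '%' comment in LaTeX source."""
    for n, line in enumerate(text.splitlines(), 1):
        i = line.find("%")
        while i != -1 and _escaped(line, i):
            i = line.find("%", i + 1)
        if i != -1 and line[i + 1:].strip():
            yield n, line[i + 1:].strip()


def scan_submission(root):
    """Return [(kind, location, excerpt)] for everything that should be cleaned first."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if any(p in UNWANTED_NAMES for p in rel.parts[:-1]):
            continue  # inside a directory already reported (e.g. .git/)
        if path.name in UNWANTED_NAMES or path.name.endswith(UNWANTED_SUFFIXES):
            findings.append(("unwanted file", rel.as_posix(), ""))
            continue
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # binary content (figures, PDFs) is out of scope here
        for label, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(text):
                findings.append((f"secret: {label}", rel.as_posix(), m.group(0)[:12] + "..."))
        if path.suffix == ".tex":
            for n, comment in tex_comment_lines(text):
                if NOTE_WORDS.search(comment):
                    findings.append(("private note in comment", f"{rel.as_posix()}:{n}", comment))
    return findings


def demo():
    """Write a constructed submission into a temp dir and scan it."""
    main_tex = "\n".join([
        r"\documentclass{article}",
        r"% TODO: don't tell reviewer 2 that the second run failed",
        r"\begin{document}",
        r"Accuracy reaches 95\% on the held-out set. % remove before submission: recheck",
        r"Raw data: \url{https://alice:hunter2hunter2@files.example.invalid/raw}",
        r"\end{document}",
    ])
    files = {
        "main.tex": main_tex,
        "main.tex.bak": main_tex,
        "scripts/fetch.py": 'API_KEY = "AKIAABCDEFGHIJKLMNOP"  # constructed, not a real key\n',
        ".git/HEAD": "ref: refs/heads/main\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in files.items():
            p = Path(tmp, name)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body, encoding="utf-8")
        return scan_submission(tmp)
```

Run `demo()` to see the report on the constructed bundle; in practice point `scan_submission()` at the directory you are about to tar up and treat any finding as a stop before upload. Binary files are skipped here; metadata inside figures and PDFs needs a separate pass.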
Record Surge in Privacy Fines Issued
U.S. states collectively issued $3.45 billion in privacy-related fines to companies in 2025, a cumulative amount exceeding the total from the previous five years combined, according to Gartner. The firm noted that regulators are increasingly shifting their focus from awareness campaigns to full-scale enforcement, a trend anticipated to continue through 2026 and beyond. This substantial increase in fines signifies a heightened regulatory stance on data privacy compliance.
WordPress Plugin Backdoor Uncovered
Anchor Hosting has identified a backdoor within the Quick Page/Post Redirect plugin for WordPress, which has over 70,000 installations. Versions 5.2.1 and 5.2.2 of the plugin, released between 2020 and 2021, contain a covert self-update mechanism that facilitates arbitrary code execution by contacting a third-party domain. To evade detection by site administrators, the backdoor is designed to trigger only for logged-out users. The plugin’s repository has been temporarily closed pending a full security review.
Qinglong Flaws Abused for Cryptomining
Two authentication bypass vulnerabilities in Qinglong, an open-source scheduled task management platform, are being exploited to deploy cryptocurrency miners. The flaws, CVE-2026-3965 and CVE-2026-4047, enable attackers to bypass authentication and achieve remote code execution. Snyk reported that exploitation began weeks before the vulnerabilities were formally reported. Users reported a hidden process named “.fullgc” consuming significant CPU resources, a name likely chosen to blend in with legitimate system processes. These issues have since been addressed.
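The miner's one visible tell in the report above is a dot-prefixed process name burning CPU. The following is an added example of detection logic over `ps`-style rows, not Snyk's tooling; the sample rows, the temp-directory list and the CPU threshold are constructed assumptions.

```python
"""Flag hidden-looking, CPU-hungry processes in `ps` output.

Added example with constructed sample lines (not Snyk's detection logic). The
miners in the Qinglong case ran as ".fullgc": a leading dot hides files from a
plain `ls`, but it is not a naming convention for daemons, so a dot-prefixed
command name is a cheap signal, stronger when the binary lives under a temp
path or pins a core. Kernel threads (bracketed names) are ignored.
"""
import re
from dataclasses import dataclass

# Matches `ps -eo user,pid,%cpu,%mem,args` rows; the header row does not match.
PS_LINE = re.compile(
    r"^\s*(?P<user>\S+)\s+(?P<pid>\d+)\s+(?P<cpu>\d+(?:\.\d+)?)\s+(?P<mem>\d+(?:\.\d+)?)\s+(?P<cmd>.+?)\s*$")
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample output; only PID 8731 should be flagged.
SAMPLE_PS = """\
USER       PID %CPU %MEM COMMAND
root         1  0.0  0.1 /sbin/init
app        412  0.3  0.5 /usr/bin/node /opt/app/server.js
app       8731 98.7  1.2 /tmp/.x/.fullgc --config /tmp/.x/c.json
root       220  0.0  0.0 [kworker/u8:2-events]
app       9102 62.0  3.4 /usr/bin/python3 train.py
"""


@dataclass
class Proc:
    user: str
    pid: int
    cpu: float
    mem: float
    cmd: str

    @property
    def name(self):
        """Executable basename, e.g. '/tmp/.x/.fullgc --config ...' -> '.fullgc'."""
        return self.cmd.split()[0].rsplit("/", 1)[-1]


def parse_ps(text):
    """Parse ps rows into Proc records, skipping the header and malformed lines."""
    procs = []
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if m:
            procs.append(Proc(m["user"], int(m["pid"]), float(m["cpu"]), float(m["mem"]), m["cmd"]))
    return procs


def suspicious(procs, cpu_threshold=50.0):
    """Return [(pid, name, reasons)] for processes with a hidden-style name or temp-path binary."""
    findings = []
    for p in procs:
        if p.cmd.startswith("["):
            continue  # kernel thread, no executable path to judge
        reasons = []
        if p.name.startswith("."):
            reasons.append("dot-prefixed executable name")
        if p.cmd.split()[0].startswith(TEMP_DIRS):
            reasons.append("binary under a temp directory")
        if reasons and p.cpu >= cpu_threshold:
            reasons.append(f"{p.cpu:.0f}% CPU")
        if reasons:
            findings.append((p.pid, p.name, reasons))
    return findings
```

High CPU alone is deliberately not a trigger (the training job in the sample stays unflagged); the name and path signals carry the detection, and CPU usage is recorded to prioritise triage.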
Trivy Hack Linked to Repository Breach
Checkmarx has stated that a cybersecurity incident involving the Trivy scanner is the “likely vector that enabled the attackers to obtain credentials and to gain unauthorized access to our GitHub repositories.” This access allowed attackers to interact with Checkmarx’s GitHub environment and publish malicious code to certain artifacts. The company acknowledged that data stolen from the GitHub repository was subsequently published on the dark web by the LAPSUS$ cybercrime group, indicating a sophisticated and multi-stage attack chain.
npm Stealer Attributed to North Korean Group
The North Korean threat actor known as Famous Chollima has been linked to an npm package named js-logger-pack. This package contains a WebSocket stealer that is activated via a postinstall hook. According to SafeDep, the payload operates as a long-running WebSocket agent that installs the attacker’s RSA key, exfiltrates Telegram Desktop session data, drains credentials from numerous crypto wallets and browsers, steals configuration files and tokens, and runs a native keylogger with persistence mechanisms across Windows, macOS, and Linux. The sophistication of this attack highlights the persistent threat posed by state-sponsored actors.
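Both the tanstack impostor reported earlier and js-logger-pack fire at install time, because npm runs a package's preinstall/install/postinstall scripts automatically. One defensive response is to audit the dependency tree for such hooks before trusting it. The code below is an added example; it is not Socket's or SafeDep's tooling and not the code of either package. The suspicious-pattern list and the fixture packages are constructed assumptions; the deny-listed versions are the tanstack releases named on this page.

```python
"""Audit an npm dependency tree for install-time hooks worth a second look.

Added example; it is not Socket's or SafeDep's tooling and is not the code of
the packages named above. Both incidents ran at install time (npm executes a
package's preinstall/install/postinstall scripts automatically), so the audit
reads every package.json under a node_modules tree and flags hooks that touch
environment files, dump process.env, open network connections or run code
inline, plus any (name, version) on a constructed deny-list seeded with the
tanstack versions the page lists.
"""
import json
import re
import tempfile
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Patterns a defender would not expect inside an install hook (assumptions).
SUSPICIOUS = {
    "reads .env file": re.compile(r"(?<![\w.])\.env(\.\w+)?\b"),
    "dumps process.env": re.compile(r"\bprocess\.env\b"),
    "outbound network": re.compile(r"https?://|wss?://|\bcurl\b|\bwget\b|\.request\("),
    "inline node eval": re.compile(r"\bnode\s+-e\b"),
    "runs bundled script": re.compile(r"\bnode\s+\S+\.c?js\b"),
}

# Constructed deny-list; versions are the compromised tanstack releases from the page.
DENYLIST = {("tanstack", v) for v in ("2.0.4", "2.0.5", "2.0.6", "2.0.7")}


def inspect_manifest(manifest):
    """Return [(reason, detail)] for one parsed package.json; empty means clean."""
    findings = []
    key = (manifest.get("name", ""), manifest.get("version", ""))
    if key in DENYLIST:
        findings.append(("denylisted package", "@".join(key)))
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        body = scripts.get(hook)
        if not isinstance(body, str) or not body:
            continue
        for label, pattern in SUSPICIOUS.items():
            if pattern.search(body):
                findings.append((f"{hook}: {label}", body))
    return findings


def audit_tree(root):
    """Map relative package dir -> findings for every flagged package.json under root."""
    root = Path(root)
    report = {}
    for path in root.rglob("package.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: nothing to judge
        findings = inspect_manifest(manifest)
        if findings:
            report[path.parent.relative_to(root).as_posix()] = findings
    return report


def demo():
    """Build a constructed node_modules tree in a temp dir and audit it."""
    fixtures = {
        # mimics the tanstack case: denylisted version plus an env-reading hook
        "tanstack": {"name": "tanstack", "version": "2.0.5", "scripts": {
            "postinstall": "node -e \"require('fs').readFileSync('.env.local','utf8')\""}},
        # a hook that launches a bundled agent script (constructed package name)
        "example-logger": {"name": "example-logger", "version": "1.4.0", "scripts": {
            "postinstall": "node scripts/agent.js"}},
        # ordinary package: only a test script, no lifecycle hooks
        "left-pad": {"name": "left-pad", "version": "1.3.0", "scripts": {"test": "jest"}},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, manifest in fixtures.items():
            pkg = Path(tmp, "node_modules", name)
            pkg.mkdir(parents=True)
            (pkg / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit_tree(tmp)
```

Run `audit_tree("node_modules")` in a checked-out project, ideally in CI after `npm ci --ignore-scripts`, so the hooks are inspected before they are ever executed. A flagged hook is not proof of compromise (many legitimate packages compile native code on install), but it is the short list a reviewer should read by hand.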