<?xml version='1.0' encoding='UTF-8' ?>
<rss version='2.0'>
<channel>
<title>Ransom Feed | Daily News</title>
<link>https://ransomfeed.it/news.php</link>
<description>Cybersecurity and Ransomware global news <img referrerpolicy="no-referrer-when-downgrade" src="https://matomo.ransomfeed.it/matomo.php?idsite=1&amp;rec=1" style="border:0" alt="" /></description>
<language>en-us</language>
<item xmlns:dc='ns:1'>
<title>Mustang Panda Deploys SolidPDFCreator Stage-1 Backdoor Against India Targets</title>
<link>https://ransomfeed.it/news.php?id_news=nid&amp;nid=402</link>
<guid>69cb3ea317a32c4e6143e665fdb20b14</guid>
<id>402</id>
<pubDate>Mon, 13 Jul 2026 15:09:31</pubDate>
<dc:creator>RansomFeed</dc:creator>
<description><![CDATA[<img src="https://ransomfeed.it/img/thumb-daily-news.png"> Researchers identified a Windows DLL backdoor dubbed <strong>SolidPDFCreator</strong> and attributed it to the China-linked threat group <strong>Mustang Panda</strong>, describing the malware as a <strong>stage-1 backdoor</strong> used in a campaign targeting entities in India. The sample was tied to <strong>&quot;Target India – Campaign 3&quot;</strong> and documented as an early-access implant intended to establish an initial foothold on compromised systems.<br>
<br>
Available reporting describes the malware as a DLL-based payload and provides core triage details including file type, size, hashes, compiler characteristics, and binary section information. The publication of these indicators gives defenders material to hunt for related activity and assess whether Mustang Panda infrastructure or tooling associated with <strong>SolidPDFCreator</strong> is present in their Windows environments.. <img referrerpolicy="no-referrer-when-downgrade" src="https://www.ransomfeed.it/matomo/matomo.php?idsite=1&amp;rec=1&amp;action_name=RSS-DAILY-NEWS" style="border:0" alt="" /><br /><br />Fonte: <i>https://mallory.ai/stories/019f5b97-b731-757f-9232-4d37594e27e2</i>]]></description>
</item>
<item xmlns:dc='ns:1'>
<title>OAuth Client ID Spoofing Enables Stealthy Microsoft Entra Account Enumeration</title>
<link>https://ransomfeed.it/news.php?id_news=nid&amp;nid=401</link>
<guid>816b112c6105b3ebd537828a39af4818</guid>
<id>401</id>
<pubDate>Mon, 13 Jul 2026 15:08:25</pubDate>
<dc:creator>RansomFeed</dc:creator>
<description><![CDATA[<img src="https://ransomfeed.it/img/thumb-daily-news.png"> Proofpoint reported that attackers are increasingly abusing <strong>OAuth client ID spoofing</strong> against Microsoft Entra ID to enumerate accounts and validate credentials without registering a legitimate OAuth application. The activity relies on Resource Owner Password Credentials (ROPC) authentication requests that use spoofed or random <code>client<em>id</code> values, allowing attackers to distinguish invalid usernames, valid usernames with incorrect passwords, and in some cases valid username-password pairs based on Microsoft Entra <code>AADSTS</code> error responses.<br>
<br>
Proofpoint said it observed at least two large-scale campaigns, <strong>UNK</em>pyreq2323</strong> and <strong>UNK_OutFlareAZ</strong>, using different infrastructure, user agents, and client ID generation patterns, indicating the technique is being adopted by multiple threat actors. Microsoft’s published Entra error code behavior helps explain how responses such as <code>AADSTS700016</code> can leak authentication state, and defenders were urged to review Entra sign-in logs for blank or missing application names or IDs and to treat some apparent failed logins as possible signs of successful credential validation by an attacker.. <img referrerpolicy="no-referrer-when-downgrade" src="https://www.ransomfeed.it/matomo/matomo.php?idsite=1&amp;rec=1&amp;action_name=RSS-DAILY-NEWS" style="border:0" alt="" /><br /><br />Fonte: <i>https://mallory.ai/stories/019f5abb-4b51-7c60-87e6-1a798468d7f8</i>]]></description>
</item>
<item xmlns:dc='ns:1'>
<title>Ghostcommit Uses PNG-Hidden Prompts to Make AI Coding Agents Leak Secrets</title>
<link>https://ransomfeed.it/news.php?id_news=nid&amp;nid=400</link>
<guid>18d8042386b79e2c279fd162df0205c8</guid>
<id>400</id>
<pubDate>Mon, 13 Jul 2026 15:08:02</pubDate>
<dc:creator>RansomFeed</dc:creator>
<description><![CDATA[<img src="https://ransomfeed.it/img/thumb-daily-news.png"> Researchers disclosed <strong>Ghostcommit</strong>, a proof-of-concept software supply-chain attack that hides prompt-injection instructions inside a PNG image referenced by an <code>AGENTS.md</code> file, allowing malicious pull requests to appear benign during review. In the demonstrated scenario, AI code reviewers such as Cursor Bugbot and CodeRabbit did not meaningfully inspect image content, so the pull request could be merged even though the real instructions were concealed in the image rather than visible text.<br>
<br>
After merge, the attack is triggered when a developer later asks a coding agent to perform a routine task and the agent reads the hidden image instructions, accesses repository secrets such as the <code>.env</code> file, encodes the contents as integer tuples, and inserts them into source code in a way that can evade typical secret scanners. Researchers from the University of Missouri-Kansas City&#039;s ASSET Research Group said exploitation depended more on the coding harness than the underlying model, with Cursor and Antigravity leaking secrets across multiple models while <strong>Claude Code</strong> consistently refused; they reported the issue to vendors and built a multimodal GitHub review app that detected nearly all tested variants, including image-based attacks, with no false positives in their evaluation.. <img referrerpolicy="no-referrer-when-downgrade" src="https://www.ransomfeed.it/matomo/matomo.php?idsite=1&amp;rec=1&amp;action_name=RSS-DAILY-NEWS" style="border:0" alt="" /><br /><br />Fonte: <i>https://mallory.ai/stories/019f50a6-03b8-72f2-b359-ff29c2feb3a5</i>]]></description>
</item>
<item xmlns:dc='ns:1'>
<title>Allies Attribute Turla Espionage and Router Intrusions to Russia’s FSB Centre 16</title>
<link>https://ransomfeed.it/news.php?id_news=nid&amp;nid=403</link>
<guid>bbf94b34eb32268ada57a3be5062fe7d</guid>
<id>403</id>
<pubDate>Mon, 13 Jul 2026 15:05:36</pubDate>
<dc:creator>RansomFeed</dc:creator>
<description><![CDATA[<img src="https://ransomfeed.it/img/thumb-daily-news.png"> The UK, France, the EU, and partner cyber agencies publicly attributed a broad cyber-espionage campaign to <strong>FSB Centre 16</strong>, linking the Russian intelligence unit to both the long-running <strong>Turla</strong> intrusion set and active exploitation of internet-facing routers and network devices. UK and allied authorities warned that the actor is scanning globally for poorly configured infrastructure, abusing default or weak <strong>SNMP</strong> credentials and known Cisco-related weaknesses such as <strong>Smart Install</strong> and web-management flaws to seize control of devices, with critical sectors including communications, defence, energy, financial services, government, and healthcare identified as high-risk targets.<br>
<br>
French authorities said entities in France, including ministries and organizations in the diplomatic, defence, justice, and technology sectors, were targeted and compromised using Turla tradecraft that has been active since at least 2004. The coordinated disclosures were accompanied by formal attribution statements from France and the EU, while the UK said EU member states and London also attributed the December 2025 attack on Poland’s energy grid to FSB Centre 16 and announced sanctions against 24 individuals and entities tied to Russian destructive cyber and hybrid operations. Defenders were urged to harden network devices by adopting <strong>SNMPv3</strong>, disabling legacy SNMP versions, enforcing strong unique passwords, and restricting access to management interfaces.. <img referrerpolicy="no-referrer-when-downgrade" src="https://www.ransomfeed.it/matomo/matomo.php?idsite=1&amp;rec=1&amp;action_name=RSS-DAILY-NEWS" style="border:0" alt="" /><br /><br />Fonte: <i>https://mallory.ai/stories/019f5abb-5619-7aae-accc-87ddc094fc21</i>]]></description>
</item>
<item xmlns:dc='ns:1'>
<title>CERT Polska Discloses Four Vulnerabilities in GNU gawk</title>
<link>https://ransomfeed.it/news.php?id_news=nid&amp;nid=399</link>
<guid>352fe25daf686bdb4edca223c921acea</guid>
<id>399</id>
<pubDate>Mon, 13 Jul 2026 14:05:21</pubDate>
<dc:creator>RansomFeed</dc:creator>
<description><![CDATA[<img src="https://ransomfeed.it/img/thumb-daily-news.png"> CERT Polska disclosed four vulnerabilities in <strong>GNU gawk</strong>, tracked as <code>CVE-2026-40467</code>, <code>CVE-2026-40468</code>, <code>CVE-2026-40469</code>, and <code>CVE-2026-40553</code>. The issues were highlighted in a CERT Polska advisory and later amplified by security reporting, identifying the widely used pattern-scanning and text-processing utility as affected software.<br>
<br>
Public reporting provides only limited detail so far, with no technical breakdown, exploitation evidence, or impact assessment included in the referenced notices. Organizations using GNU gawk should review the CERT Polska advisory, identify affected deployments, and prioritize vendor guidance or updates as more remediation details become available.. <img referrerpolicy="no-referrer-when-downgrade" src="https://www.ransomfeed.it/matomo/matomo.php?idsite=1&amp;rec=1&amp;action_name=RSS-DAILY-NEWS" style="border:0" alt="" /><br /><br />Fonte: <i>https://mallory.ai/stories/019f5b28-bfb0-7acf-99f4-71bd82994a80</i>]]></description>
</item>
<item xmlns:dc='ns:1'>
<title>Debian 13.6 Ships Broad Security Fixes and Secure Boot Certificate Updates</title>
<link>https://ransomfeed.it/news.php?id_news=nid&amp;nid=398</link>
<guid>b7b16ecf8ca53723593894116071700c</guid>
<id>398</id>
<pubDate>Mon, 13 Jul 2026 02:06:43</pubDate>
<dc:creator>RansomFeed</dc:creator>
<description><![CDATA[<img src="https://ransomfeed.it/img/thumb-daily-news.png"> Debian has released <strong>Debian 13.6</strong> as a point update focused on security and maintenance, alongside <strong>Debian 12.15</strong> for the previous stable branch. Debian 13.6 bundles roughly <strong>120 security updates</strong> and more than <strong>120 bug fixes</strong>, with patches affecting the Linux kernel and widely deployed packages including <strong>Nginx, Redis, FFmpeg, Thunderbird, Chromium, PHP, Postfix, Samba, wireless-regdb,</strong> and <strong>Wireshark</strong>. The update is intended to bring existing installations current rather than introduce a new major version.<br>
<br>
A notable change in Debian 13.6 is an updated <strong><code>shim-signed</code></strong> and <strong><code>fwupd 2.0.20</code></strong> stack to support newer Microsoft UEFI Secure Boot certificate chains and updates to Secure Boot <strong>CA, KEK, and DBX</strong> databases after expiration issues with the default UEFI Secure Boot CA used on many PCs. Debian also reverted or removed the legacy <strong><code>geoip-database</code></strong> package because newer GeoLite data was found incompatible with Debian Free Software Guidelines and the older dataset had become outdated, pushing migration toward maintained alternatives such as <strong>GeoLite2</strong>.. <img referrerpolicy="no-referrer-when-downgrade" src="https://www.ransomfeed.it/matomo/matomo.php?idsite=1&amp;rec=1&amp;action_name=RSS-DAILY-NEWS" style="border:0" alt="" /><br /><br />Fonte: <i>https://mallory.ai/stories/019f51b7-da1b-7b72-b763-0a04a088ac18</i>]]></description>
</item>
<item xmlns:dc='ns:1'>
<title>Ryuk Operator Pleads Guilty as BlackCat Negotiator Gets Prison Sentence</title>
<link>https://ransomfeed.it/news.php?id_news=nid&amp;nid=397</link>
<guid>e46de7e1bcaaced9a54f1e9d0d2f800d</guid>
<id>397</id>
<pubDate>Mon, 13 Jul 2026 01:06:48</pubDate>
<dc:creator>RansomFeed</dc:creator>
<description><![CDATA[<img src="https://ransomfeed.it/img/thumb-daily-news.png"> U.S. prosecutors announced two significant ransomware case outcomes: Armenian national <strong>Karen Serobovich Vardanyan</strong> pleaded guilty to conspiracy and computer fraud for helping compromise U.S. organizations and deploy <strong>Ryuk</strong> ransomware, while Florida resident <strong>Angelo Martino</strong> was sentenced to <strong>70 months</strong> for assisting the <strong>BlackCat/ALPHV</strong> gang. Court records say Vardanyan provided initial access to victim networks between November 2019 and April 2020, with victims including a Michigan company, a technology firm in Wilsonville, Oregon, and a Texas school. Prosecutors linked Vardanyan and his co-conspirators to roughly <strong>1,610 bitcoin</strong> in ransom payments, valued at about <strong>$15 million</strong> at the time.<br>
<br>
Vardanyan was arrested in Kyiv in April 2025, extradited to the United States in 2025, and now faces up to <strong>15 years in prison</strong>, fines of <strong>$250,000 per charge</strong>, and more than <strong>$1.1 million</strong> in restitution; sentencing is scheduled for September 2026. In the separate BlackCat/ALPHV case, Martino was convicted for abusing his position as a ransomware negotiator to share confidential victim negotiation information with attackers, and his co-conspirators <strong>Ryan Goldberg</strong> and <strong>Kevin Martin</strong> had already received four-year prison terms. The cases underscore continued U.S. efforts to disrupt both ransomware operators and the support networks that enable extortion campaigns.. <img referrerpolicy="no-referrer-when-downgrade" src="https://www.ransomfeed.it/matomo/matomo.php?idsite=1&amp;rec=1&amp;action_name=RSS-DAILY-NEWS" style="border:0" alt="" /><br /><br />Fonte: <i>https://mallory.ai/stories/019f4d36-dce5-75ea-904c-04dc8b8f6d93</i>]]></description>
</item>
<item xmlns:dc='ns:1'>
<title>Keycloak fixes FGAPv2 privilege escalation and multiple access control flaws</title>
<link>https://ransomfeed.it/news.php?id_news=nid&amp;nid=396</link>
<guid>f8c1f23d6a8d8d7904fc0ea8e066b3bb</guid>
<id>396</id>
<pubDate>Mon, 13 Jul 2026 00:53:06</pubDate>
<dc:creator>RansomFeed</dc:creator>
<description><![CDATA[<img src="https://ransomfeed.it/img/thumb-daily-news.png"> Keycloak disclosed and patched a high-severity privilege escalation flaw, <strong>CVE-2026-9795</strong>, in its Fine-Grained Admin Permissions v2 (<code>FGAPv2</code>) feature after researchers reported that a delegated administrator could bypass missing authorization checks in the admin REST API and add arbitrary realm roles to a client’s scope mapping. That weakness allowed limited administrators to inject elevated roles such as <code>realm-admin</code> into tokens later issued to users authenticating through the affected client, creating a path to downstream privilege escalation in deployments running Keycloak <code>26.2.0</code> and later with <code>FGAPv2</code> enabled.<br>
<br>
The issue was later listed as fixed in Keycloak release <code>26.6.4</code>, alongside several other security bugs including <strong>CVE-2026-9099</strong>, <strong>CVE-2026-9083</strong>, <strong>CVE-2026-9086</strong>, <strong>CVE-2026-9705</strong>, <strong>CVE-2026-9799</strong>, <strong>CVE-2026-9800</strong>, and <strong>CVE-2026-11800</strong>. Red Hat also shipped security updates for its Keycloak <code>26.4.11</code> images and operator on OpenShift, addressing a broad set of vulnerabilities across the Admin REST API, Account REST API, OIDC dynamic client registration, UMA authorization, token handling, redirect validation, and scope processing, with impacts ranging from information disclosure and SSRF to account takeover, policy bypass, and denial of service.. <img referrerpolicy="no-referrer-when-downgrade" src="https://www.ransomfeed.it/matomo/matomo.php?idsite=1&amp;rec=1&amp;action_name=RSS-DAILY-NEWS" style="border:0" alt="" /><br /><br />Fonte: <i>https://mallory.ai/stories/019f4df5-0b3a-78dd-b762-c6d2c348e533</i>]]></description>
</item>
<item xmlns:dc='ns:1'>
<title>Google and FBI Disrupt NetNut Residential Proxy Network Used by Malware Operators</title>
<link>https://ransomfeed.it/news.php?id_news=nid&amp;nid=395</link>
<guid>1543843a4723ed2ab08e18053ae6dc5b</guid>
<id>395</id>
<pubDate>Tue, 07 Jul 2026 14:10:18</pubDate>
<dc:creator>RansomFeed</dc:creator>
<description><![CDATA[<img src="https://ransomfeed.it/img/thumb-daily-news.png"> Google said it disrupted <strong>NetNut</strong>—also known as <strong>Popa</strong>—a large residential proxy network that investigators linked to malware delivery, command-and-control activity, and efforts by cybercriminal and espionage actors to mask their origin IP addresses while accessing victim environments. Working with the <strong>FBI</strong>, <strong>Lumen</strong>, and other partners, Google disabled accounts and services allegedly used by the operation, shared technical intelligence on NetNut SDKs and backend infrastructure, and used <strong>Google Play Protect</strong> against apps that incorporated the NetNut SDK. Google estimated the network relied on at least <strong>2 million devices</strong> and said <strong>316 threat clusters</strong> used suspected NetNut exit nodes during a single week in June.<br>
<br>
The coordinated action also included FBI seizures of NetNut-associated domains, a move that parent company <strong>Alarum Technologies</strong> said disrupted part of the service and could materially affect operations and financial results if the outage persists. Google said the operation significantly degraded the network and cut its available device pool by millions, describing the move as part of a broader campaign against malicious proxy providers after an earlier action against <strong>IPIDEA</strong>. The disruption is being viewed as a blow not only to a botnet-linked service but also to the broader supply of residential proxy infrastructure relied on by multiple threat actors.. <img referrerpolicy="no-referrer-when-downgrade" src="https://www.ransomfeed.it/matomo/matomo.php?idsite=1&amp;rec=1&amp;action_name=RSS-DAILY-NEWS" style="border:0" alt="" /><br /><br />Fonte: <i>https://mallory.ai/stories/019f36e8-0635-7787-8724-2441a8f208df</i>]]></description>
</item>
<item xmlns:dc='ns:1'>
<title>Alibaba Bans Claude Code Over Alleged Hidden China-Detection Logic</title>
<link>https://ransomfeed.it/news.php?id_news=nid&amp;nid=394</link>
<guid>28f0b864598a1291557bed248a998d4e</guid>
<id>394</id>
<pubDate>Tue, 07 Jul 2026 14:09:10</pubDate>
<dc:creator>RansomFeed</dc:creator>
<description><![CDATA[<img src="https://ransomfeed.it/img/thumb-daily-news.png"> Alibaba has ordered employees to stop using Anthropic’s <strong>Claude Code</strong> for work and reportedly directed them to remove other Anthropic products, classifying the software as high risk over alleged security vulnerabilities and backdoor concerns. Internal guidance said the ban would take effect on July 10, with staff told to switch to Alibaba’s internal <strong>Qoder</strong> platform instead. The move followed claims that Claude Code contained concealed environment-detection logic that checked proxy settings and system time zones against lists associated with Chinese companies including Alibaba, Baidu, ByteDance, Ant Group, and Moonshot AI.<br>
<br>
The allegations originated from a June 30 Reddit reverse-engineering post that said the logic had been present since Claude Code version <code>2.1.91</code> and encoded detection results through subtle changes to internal system prompts rather than explicit telemetry, making monitoring difficult. Anthropic had not publicly confirmed the issue in full, but an engineer reportedly said the mechanism was an experiment aimed at preventing reseller abuse, unauthorized access, and model distillation, and that the code was removed on July 1. The dispute comes amid broader tensions between the companies after Anthropic accused operators linked to Alibaba’s Qwen lab of using fraudulent accounts in a large-scale model distillation effort.. <img referrerpolicy="no-referrer-when-downgrade" src="https://www.ransomfeed.it/matomo/matomo.php?idsite=1&amp;rec=1&amp;action_name=RSS-DAILY-NEWS" style="border:0" alt="" /><br /><br />Fonte: <i>https://mallory.ai/stories/019f2887-a9f5-7ec2-927a-d3afc0fc3535</i>]]></description>
</item>
<item xmlns:dc='ns:1'>
<title>Multiple Open Source Projects Disclose High-Impact RCE, Injection, and Traversal Flaws</title>
<link>https://ransomfeed.it/news.php?id_news=nid&amp;nid=393</link>
<guid>70c639df5e30bdee440e4cdf599fec2b</guid>
<id>393</id>
<pubDate>Tue, 07 Jul 2026 07:21:42</pubDate>
<dc:creator>RansomFeed</dc:creator>
<description><![CDATA[<img src="https://ransomfeed.it/img/thumb-daily-news.png"> Several open source projects disclosed serious vulnerabilities affecting developer and infrastructure tooling, including remote code execution, SQL injection, server-side request forgery, prompt-driven query injection, and path traversal. <strong>Coder Workspace Agent</strong> patched <code>GHSA-QRWJ-VH9X-GW5V</code>, a cross-agent SSRF flaw that let an authenticated attacker controlling one workspace agent abuse HTTP <code>307</code>/<code>308</code> redirects to replay privileged requests to another agent, enabling cross-tenant file access, file writes, and command execution; fixes were released in versions <code>v2.34.4</code>, <code>v2.33.10</code>, <code>v2.32.9</code>, and <code>v2.29.19 ESR</code>. <strong>Coolify</strong> disclosed a critical authenticated command injection issue tied to unsafe handling of deployment fields such as <code>dockerfile<em>location</code>, allowing RCE and secrets exposure through deployment logs, while <strong>OpenRemote</strong> fixed <code>GHSA-cgfv-jrfp-2r7v</code>, an authenticated SQL injection bug in datapoint crosstab export that could expose other tenants’ data, Keycloak configuration, and encrypted credentials.<br>
<br>
Additional disclosures affected AI and package-management components. <strong>Langroid</strong> fixed a prompt-injection-driven flaw in <code>Neo4jChatAgent</code> that executed LLM-generated Cypher without validation, allowing unauthorized graph operations and possible OS-level impact when dangerous Neo4j procedures were enabled; the issue was resolved in version <code>0.65.5</code> with new safety controls that were also extended to <code>ArangoChatAgent</code>. <strong>pnpm</strong> also reported a path traversal weakness in <code>configDependencies</code> processing from <code>pnpm-lock.yaml</code>, where a malicious repository could force symlink creation outside <code>node</em>modules/.pnpm-config</code> even with <code>--ignore-scripts</code>, creating a filesystem write primitive within or potentially beyond the project directory.. <img referrerpolicy="no-referrer-when-downgrade" src="https://www.ransomfeed.it/matomo/matomo.php?idsite=1&amp;rec=1&amp;action_name=RSS-DAILY-NEWS" style="border:0" alt="" /><br /><br />Fonte: <i>https://mallory.ai/stories/019f3a1e-9c92-7c90-a9b3-258ef7b78180</i>]]></description>
</item>
<item xmlns:dc='ns:1'>
<title>Adobe ColdFusion RDS File-Write Flaw Faces Active Exploitation</title>
<link>https://ransomfeed.it/news.php?id_news=nid&amp;nid=392</link>
<guid>f73b76ce8949fe29bf2a537cfa420e8f</guid>
<id>392</id>
<pubDate>Tue, 07 Jul 2026 04:04:58</pubDate>
<dc:creator>RansomFeed</dc:creator>
<description><![CDATA[<img src="https://ransomfeed.it/img/thumb-daily-news.png"> Adobe ColdFusion is facing active exploitation of <strong>CVE-2026-48282</strong>, a maximum-severity flaw tied to <strong>RDS arbitrary file write</strong> that can be abused without privileges on unpatched servers. The Canadian Centre for Cyber Security warned that open-source reporting indicates in-the-wild attacks, while Adobe has issued security updates and urged administrators to patch immediately because of the high risk of compromise. Affected releases include <strong>ColdFusion 2025.9, 2023.20, and earlier</strong>, and internet scanning data from Shadowserver shows nearly <strong>800</strong> ColdFusion instances exposed online, though the number still vulnerable is unclear.<br>
<br>
Separate reporting on <strong>CVE-2026-48276</strong> highlights a closely related ColdFusion attack path in which an unauthenticated attacker uploads a malicious <strong>CFML</strong> payload through an unrestricted file-upload weakness, writes a web shell into a web-accessible location, and then triggers it with an HTTP request to gain code execution. That issue was described as critical with a <strong>CVSS v3.1</strong> score reflecting full impact to confidentiality, integrity, and availability, and its documented root causes included poor filename and extension validation and storing uploads under the web root. Public detection content has also appeared for <strong>CVE-2026-48282</strong>, underscoring defender focus on identifying exposed and unpatched ColdFusion systems.. <img referrerpolicy="no-referrer-when-downgrade" src="https://www.ransomfeed.it/matomo/matomo.php?idsite=1&amp;rec=1&amp;action_name=RSS-DAILY-NEWS" style="border:0" alt="" /><br /><br />Fonte: <i>https://mallory.ai/stories/019f3755-ff1e-7e51-886d-1d5833807fe3</i>]]></description>
</item>
<item xmlns:dc='ns:1'>
<title>France to End Certification of Non-Quantum-Safe Encryption Products</title>
<link>https://ransomfeed.it/news.php?id_news=nid&amp;nid=391</link>
<guid>5a4b25aaed25c2ee1b74de72dc03c14e</guid>
<id>391</id>
<pubDate>Tue, 07 Jul 2026 02:06:23</pubDate>
<dc:creator>RansomFeed</dc:creator>
<description><![CDATA[<img src="https://ransomfeed.it/img/thumb-daily-news.png"> France&#039;s cybersecurity agency, <strong>ANSSI</strong>, said it will stop certifying security products that lack <strong>post-quantum</strong> or quantum-resistant encryption beginning in <strong>2027</strong>. Because ANSSI certification is required for products used by French government agencies and critical infrastructure operators, the policy will effectively force a phaseout of older encryption technologies across those sectors.<br>
<br>
ANSSI official Samih Souissi said the move is intended to accelerate France&#039;s transition to quantum-safe cryptography as concerns grow over future attacks against current encryption standards. The agency also signaled a broader market shift by urging businesses to prioritize purchasing quantum-safe products by <strong>2030</strong>, extending pressure beyond the public sector and regulated operators.. <img referrerpolicy="no-referrer-when-downgrade" src="https://www.ransomfeed.it/matomo/matomo.php?idsite=1&amp;rec=1&amp;action_name=RSS-DAILY-NEWS" style="border:0" alt="" /><br /><br />Fonte: <i>https://mallory.ai/stories/019f371d-29b6-7520-8a0b-0df354c15fad</i>]]></description>
</item>
<item xmlns:dc='ns:1'>
<title>Teen Arrested for Bandai Channel Attack That Canceled 46,000 Subscriptions</title>
<link>https://ransomfeed.it/news.php?id_news=nid&amp;nid=389</link>
<guid>c86a7ee3d8ef0b551ed58e354a836f2b</guid>
<id>389</id>
<pubDate>Tue, 07 Jul 2026 01:07:27</pubDate>
<dc:creator>RansomFeed</dc:creator>
<description><![CDATA[<img src="https://ransomfeed.it/img/thumb-daily-news.png"> Japanese police arrested a 15-year-old high school student from Saitama Prefecture for allegedly carrying out a sustained cyberattack against <strong>Bandai Channel</strong>, the anime streaming service operated by Bandai Namco Filmworks. Investigators said the suspect exploited a server-side flaw, analyzed network traffic, and used a custom malicious program reportedly developed with assistance from <strong>ChatGPT</strong> to gain unauthorized backend access, cancel <strong>46,812</strong> member registrations, and collect member data including email addresses and nicknames.<br>
<br>
The attack disrupted Bandai Channel in November 2025 and forced the company to suspend the service for more than a month while it repaired systems, refunded subscribers, and implemented stronger security measures before restoring operations in December. Police said the teenager continued the activity after being blocked by repeatedly changing IP addresses, and later identified him through communication record analysis; the suspect reportedly admitted the allegations and said he acted out of technical curiosity rather than any grudge, while the company said it had not confirmed any public leak of personal data or secondary fraud.. <img referrerpolicy="no-referrer-when-downgrade" src="https://www.ransomfeed.it/matomo/matomo.php?idsite=1&amp;rec=1&amp;action_name=RSS-DAILY-NEWS" style="border:0" alt="" /><br /><br />Fonte: <i>https://mallory.ai/stories/019f371d-52c4-7802-8cb7-d3ff3b1f5ad9</i>]]></description>
</item>
<item xmlns:dc='ns:1'>
<title>OpenSSH 10.4 fixes multiple flaws and adds optional post-quantum signatures</title>
<link>https://ransomfeed.it/news.php?id_news=nid&amp;nid=390</link>
<guid>a01a0380ca3c61428c26a231f0e49a09</guid>
<id>390</id>
<pubDate>Tue, 07 Jul 2026 00:06:13</pubDate>
<dc:creator>RansomFeed</dc:creator>
<description><![CDATA[<img src="https://ransomfeed.it/img/thumb-daily-news.png"> OpenSSH has released <strong>version 10.4</strong> with eight security fixes affecting both client and server components, including <code>sftp</code>, <code>scp</code>, <code>sshd</code>, <code>ssh</code>, <code>ssh-agent</code>, and cryptographic verification logic. The update addresses path traversal-style and file redirection issues that could let a malicious server write files outside intended locations, a <strong>pre-authentication denial-of-service</strong> condition in <code>sshd</code>, a client-side <strong>use-after-free</strong> bug, and gaps in authentication delay enforcement. The release also replaces the wildcard matcher with an NFA-based implementation to remove exponential worst-case behavior.<br>
<br>
The release introduces experimental support for a composite post-quantum signature scheme combining <strong>ML-DSA 44</strong> with <strong>Ed25519</strong>, available only when explicitly enabled and configured. OpenSSH also hardened protocol handling by disconnecting peers that send non-KEX messages during post-authentication rekeying and made seccomp sandbox initialization failures fatal on Linux. Maintainers warned that some changes may break existing deployments, including mixed-case output from <code>sshd -G</code>, stricter transport-layer behavior, and the new sandbox failure handling.. <img referrerpolicy="no-referrer-when-downgrade" src="https://www.ransomfeed.it/matomo/matomo.php?idsite=1&amp;rec=1&amp;action_name=RSS-DAILY-NEWS" style="border:0" alt="" /><br /><br />Fonte: <i>https://mallory.ai/stories/019f37c4-f905-7a75-ba72-735830fd429b</i>]]></description>
</item>
<item xmlns:dc='ns:1'>
<title>Microsoft Edge Patches Multiple High-Severity RCE and Security Bypass Flaws</title>
<link>https://ransomfeed.it/news.php?id_news=nid&amp;nid=387</link>
<guid>8efb100a295c0c690931222ff4467bb8</guid>
<id>387</id>
<pubDate>Mon, 06 Jul 2026 06:04:35</pubDate>
<dc:creator>RansomFeed</dc:creator>
<description><![CDATA[<img src="https://ransomfeed.it/img/thumb-daily-news.png"> Microsoft Edge (Chromium-based) has received fixes for multiple high-severity vulnerabilities, including remote code execution flaws <code>CVE-2026-58289</code>, <code>CVE-2026-58293</code>, <code>CVE-2026-58285</code>, <code>CVE-2026-58288</code>, <code>CVE-2026-57974</code>, <code>CVE-2026-58284</code>, <code>CVE-2026-58287</code>, <code>CVE-2026-57981</code>, and <code>CVE-2026-56645</code>, as well as the security feature bypass issue <code>CVE-2026-57983</code>. Public records attribute the issues to Microsoft and rate them from high to critical severity, with CVSS scores reaching <strong>9.0</strong> for <code>CVE-2026-58289</code> and several others scoring in the <strong>8.1-8.8</strong> range.<br>
<br>
Advisories from Microsoft and HKCERT indicate the flaws affect Microsoft Edge and require prompt patching through the browser&#039;s latest security updates. While some metadata inconsistently marks the bugs as not remotely exploitable, the listed attack characteristics for several entries include low attack complexity, no privileges required, and in many cases user interaction, making browser update compliance and rapid deployment a priority for enterprise defenders.. <img referrerpolicy="no-referrer-when-downgrade" src="https://www.ransomfeed.it/matomo/matomo.php?idsite=1&amp;rec=1&amp;action_name=RSS-DAILY-NEWS" style="border:0" alt="" /><br /><br />Fonte: <i>https://mallory.ai/stories/019f2a76-66fe-762c-84ef-84f97feb5e08</i>]]></description>
</item>
<item xmlns:dc='ns:1'>
<title>Malicious npm Rollup Polyfills Linked to Lazarus Target Developer Environments</title>
<link>https://ransomfeed.it/news.php?id_news=nid&amp;nid=386</link>
<guid>39461a19e9eddfb385ea76b26521ea48</guid>
<id>386</id>
<pubDate>Mon, 06 Jul 2026 04:05:07</pubDate>
<dc:creator>RansomFeed</dc:creator>
<description><![CDATA[<img src="https://ransomfeed.it/img/thumb-daily-news.png"> Researchers identified a malicious npm supply-chain campaign that impersonated Rollup polyfill tooling to compromise developer workstations and CI/build systems. The primary packages, <strong><code>rollup-packages-polyfill-core</code></strong> and <strong><code>rollup-runtime-polyfill-core</code></strong>, mimicked legitimate Rollup-related projects and used staged dependencies including <strong><code>swift-parse-stream</code></strong>, <strong><code>quirky-token</code></strong>, <strong><code>react-icon-svgs</code></strong>, and <strong><code>rollup-plugin-polyfill-connect</code></strong> to trigger a multi-stage infection chain. The malware fetched obfuscated code from JSONKeeper, decrypted additional payloads retrieved from <strong><code>216.126.236.244</code></strong>, and executed them locally while using evasive checks to avoid some analysis and cloud development environments.<br>
<br>
The final payloads gave attackers remote access and enabled theft of browser data, crypto-wallet information, files, clipboard contents, and other developer secrets such as source code, tokens, SSH keys, and cloud credentials. JFrog said the layered package structure, lookalike naming, and tradecraft resemble earlier Lazarus-linked npm operations, while additional reporting tied the activity to a broader North Korea-linked supply-chain effort referred to as <strong>PolinRider</strong>. Some malicious packages were replaced with security-holding versions, but others remained available at the time of reporting, prompting guidance to remove the packages, treat affected hosts as compromised, rotate credentials, and block related outbound traffic.. <img referrerpolicy="no-referrer-when-downgrade" src="https://www.ransomfeed.it/matomo/matomo.php?idsite=1&amp;rec=1&amp;action_name=RSS-DAILY-NEWS" style="border:0" alt="" /><br /><br />Fonte: <i>https://mallory.ai/stories/019f1b39-0a61-7fb2-bb3d-434f2cffeebf</i>]]></description>
</item>
<item xmlns:dc='ns:1'>
<title>Medtronic Data Breach Exposed Personal and Health Information in ShinyHunters Attack</title>
<link>https://ransomfeed.it/news.php?id_news=nid&amp;nid=385</link>
<guid>dc912a253d1e9ba40e2c597ed2376640</guid>
<id>385</id>
<pubDate>Sun, 05 Jul 2026 23:04:47</pubDate>
<dc:creator>RansomFeed</dc:creator>
<description><![CDATA[<img src="https://ransomfeed.it/img/thumb-daily-news.png"> Medtronic disclosed that unauthorized actors accessed certain corporate IT systems between April 13 and April 19, exposing personal and health-related information tied to <strong>3,834,294 individuals</strong>. The company said the incident was detected after unusual activity on April 15 and attributed in public reporting to the <strong>ShinyHunters</strong> extortion group, which claimed to have stolen about <strong>9 million records</strong> and briefly listed Medtronic on its Tor-based leak site before the post disappeared. Exposed data may include names, contact details, dates of birth, Social Security numbers, and other health-related information.<br>
<br>
Medtronic said it found <strong>no impact</strong> on medical devices, patient safety, hospital customer networks, manufacturing and distribution operations, financial systems, or care delivery, and added that it has no evidence the stolen data was publicly released online. The company has engaged external cybersecurity experts, notified law enforcement and regulators, and is warning affected people to watch for phishing, social engineering, and unauthorized account activity while offering <strong>24 months</strong> of credit monitoring, dark web monitoring, and identity theft recovery services.. <img referrerpolicy="no-referrer-when-downgrade" src="https://www.ransomfeed.it/matomo/matomo.php?idsite=1&amp;rec=1&amp;action_name=RSS-DAILY-NEWS" style="border:0" alt="" /><br /><br />Fonte: <i>https://mallory.ai/stories/019f311b-8791-78ea-90c4-894329798c83</i>]]></description>
</item>
<item xmlns:dc='ns:1'>
<title>Linux Kernel Flaws Expose Systems to Local Root Escalation</title>
<link>https://ransomfeed.it/news.php?id_news=nid&amp;nid=384</link>
<guid>0584ce565c824b7b7f50282d9a19945b</guid>
<id>384</id>
<pubDate>Sun, 05 Jul 2026 19:07:08</pubDate>
<dc:creator>RansomFeed</dc:creator>
<description><![CDATA[<img src="https://ransomfeed.it/img/thumb-daily-news.png"> Researchers disclosed two separate Linux kernel privilege-escalation flaws that can give local attackers <strong>root</strong> access across a wide range of systems, including servers, desktops, and Android devices. One bug, <strong><code>CVE-2026-46242</code></strong> or <strong>Bad Epoll</strong>, is a use-after-free race in the kernel&#039;s <code>epoll</code> subsystem that was reportedly exploited through Google&#039;s kernelCTF program and shown to be broadly reachable because <code>epoll</code> is a core component that cannot be disabled. The flaw was introduced by a 2023 kernel change, and reporting said an initial patch attempt was insufficient before a correct fix was merged weeks later, leaving defenders dependent on upstream fixes and vendor backports.<br>
<br>
A second flaw, <strong><code>CVE-2026-43456</code></strong>, affects the kernel&#039;s <code>net/bonding</code> subsystem and stems from a type-confusion condition dating back to 2007. Researchers said the bug can be exploited with high reliability for local root by abusing incompatible <code>header<em>ops</code> handling in bonded network devices, enabling controlled memory corruption and eventual code execution. The issue reportedly affects Linux versions <strong>2.6.24 through 6.12.77</strong> and requires <strong><code>CAP</em>NET_ADMIN</code></strong> privileges; mitigations include applying the March 2026 patch, or temporarily disabling unprivileged user namespaces or the bonding module where feasible.. <img referrerpolicy="no-referrer-when-downgrade" src="https://www.ransomfeed.it/matomo/matomo.php?idsite=1&amp;rec=1&amp;action_name=RSS-DAILY-NEWS" style="border:0" alt="" /><br /><br />Fonte: <i>https://mallory.ai/stories/019f2b1a-8651-7e8a-bbe4-9bb9f7ce315c</i>]]></description>
</item>
<item xmlns:dc='ns:1'>
<title>PolinRider Supply Chain Campaign Hijacks Developer Packages and Uses Blockchain Dead Drops</title>
<link>https://ransomfeed.it/news.php?id_news=nid&amp;nid=388</link>
<guid>d9fc5b73a8d78fad3d6dffe419384e70</guid>
<id>388</id>
<pubDate>Sun, 05 Jul 2026 19:06:38</pubDate>
<dc:creator>RansomFeed</dc:creator>
<description><![CDATA[<img src="https://ransomfeed.it/img/thumb-daily-news.png"> Researchers reported a broad software supply chain campaign targeting developers and cryptocurrency users through hijacked packages, browser extensions, and compromised maintainer accounts across ecosystems including <strong>npm</strong>, <strong>Go</strong>, <strong>Chrome</strong>, and <strong>Packagist</strong>. Socket linked the activity to North Korean actors associated with the <strong>Contagious Interview</strong> operation and identified 108 malicious packages and extensions spanning 162 release artifacts, while JFrog separately analyzed hijacked npm packages <code>html-to-gutenberg</code> <code>4.2.11</code> and <code>fetch-page-assets</code> <code>1.2.9</code> that were uploaded with malicious code. The activity appears to rely on account hijacking rather than compromise of GitHub itself, and some attacker infrastructure reportedly remains active even after certain packages were removed.<br>
<br>
The malware chain used unusual delivery and evasion techniques aimed at developer workstations, including a <strong>VS Code folder-open task</strong> instead of standard npm lifecycle scripts, JavaScript hidden in a fake font file, and encrypted payload retrieval from blockchain transaction data on <strong>TRON</strong>, <strong>Aptos</strong>, and <strong>BNB Smart Chain</strong>. Researchers said the campaign deployed components including <strong>BeaverTail</strong>, <strong>DEV#POPPER RAT</strong>, <strong>OmniStealer</strong>, a <code>socket.io</code> backdoor, and a Python infostealer to steal browser credentials, password-manager contents, cryptocurrency wallet data, developer secrets, and operating system credential-store material across <strong>Windows</strong>, <strong>macOS</strong>, and <strong>Linux</strong>. Security firms warned that affected developer systems and credentials should be treated as fully compromised.. <img referrerpolicy="no-referrer-when-downgrade" src="https://www.ransomfeed.it/matomo/matomo.php?idsite=1&amp;rec=1&amp;action_name=RSS-DAILY-NEWS" style="border:0" alt="" /><br /><br />Fonte: <i>https://mallory.ai/stories/019f30fa-51d2-72b1-8e27-0f0d5481f4e6</i>]]></description>
</item>
<item xmlns:dc='ns:1'>
<title>PamStealer macOS Infostealer Uses Fake Maccy Apps and PAM Password Validation</title>
<link>https://ransomfeed.it/news.php?id_news=nid&amp;nid=382</link>
<guid>4f6ffe13a5d75b2d6a3923922b3922e5</guid>
<id>382</id>
<pubDate>Fri, 03 Jul 2026 11:12:54</pubDate>
<dc:creator>RansomFeed</dc:creator>
<description><![CDATA[<img src="https://ransomfeed.it/img/thumb-daily-news.png"> Researchers have identified <strong>PamStealer</strong>, a previously unseen macOS malware family distributed through fake websites impersonating the legitimate <strong>Maccy</strong> clipboard manager. The infection begins with a trojanized disk image and a compiled AppleScript lure that tells users to press Command-R in Script Editor, a step that executes malicious code while sidestepping macOS <code>com.apple.quarantine</code> protections. The malware then deploys a Rust-based second stage that downloads additional payloads, steals browser data, clipboard contents, iCloud Keychain information, and login credentials, and sends the data to attacker-controlled infrastructure over encrypted command-and-control channels.<br>
<br>
PamStealer stands out for validating stolen passwords locally through macOS <strong>Pluggable Authentication Modules (PAM)</strong>, repeatedly prompting victims until the correct password is entered before exfiltration. Researchers said the malware is environment-aware, targets Apple Silicon systems, avoids analysis environments, and excludes devices tied to several Eastern European locales and time zones. It also delays Full Disk Access prompts, establishes persistence, and hides app bundles by impersonating Finder or Software Update components, while displaying decoy error messages to make victims think the fake application simply failed to launch.. <img referrerpolicy="no-referrer-when-downgrade" src="https://www.ransomfeed.it/matomo/matomo.php?idsite=1&amp;rec=1&amp;action_name=RSS-DAILY-NEWS" style="border:0" alt="" /><br /><br />Fonte: <i>https://mallory.ai/stories/019f2474-8b2b-78be-bc1e-79ba465501e1</i>]]></description>
</item>
<item xmlns:dc='ns:1'>
<title>Pegasus Infected European Parliament Spyware Investigator’s iPhone</title>
<link>https://ransomfeed.it/news.php?id_news=nid&amp;nid=381</link>
<guid>00ec53c4682d36f5c4359f4ae7bd7ba1</guid>
<id>381</id>
<pubDate>Fri, 03 Jul 2026 10:05:32</pubDate>
<dc:creator>RansomFeed</dc:creator>
<description><![CDATA[<img src="https://ransomfeed.it/img/thumb-daily-news.png"> Citizen Lab found that the iPhone of former European Parliament member <strong>Stelios Kouloglou</strong> was infected twice with NSO Group’s <strong>Pegasus</strong> spyware, in <strong>October 2022</strong> and <strong>March 2023</strong>, while he served on the Parliament’s <strong>PEGA Committee</strong> investigating spyware abuse across Europe. Researchers said the attacks used a <strong>zero-click</strong> exploit against an Apple iPhone vulnerability that had been patched but not installed on the device, potentially giving the operator access to private messages, location data, photos, and even ambient audio without any user interaction.<br>
<br>
The infections occurred during sensitive PEGA work, including hearings and draft reporting on alleged spyware abuses in Cyprus, Greece, Hungary, Poland, and Spain, intensifying concerns that commercial spyware was used against a lawmaker scrutinizing its misuse. Citizen Lab did not name the government behind the operation, but said the same Pegasus-linked email address and infrastructure overlapped with an earlier cluster targeting Russian- and Belarusian-speaking journalists and opposition figures, strongly suggesting a common operator with cross-border reach; Kouloglou has said he believes he was targeted because of his committee role and plans to sue <strong>NSO Group</strong>.. <img referrerpolicy="no-referrer-when-downgrade" src="https://www.ransomfeed.it/matomo/matomo.php?idsite=1&amp;rec=1&amp;action_name=RSS-DAILY-NEWS" style="border:0" alt="" /><br /><br />Fonte: <i>https://mallory.ai/stories/019f2661-c82b-729e-97fe-86fa8824fe70</i>]]></description>
</item>
<item xmlns:dc='ns:1'>
<title>Anthropic Publishes Claude Fable 5 Cyber Safeguards and Jailbreak Severity Framework</title>
<link>https://ransomfeed.it/news.php?id_news=nid&amp;nid=383</link>
<guid>beed13602b9b0e6ecb5b568ff5058f07</guid>
<id>383</id>
<pubDate>Fri, 03 Jul 2026 08:05:43</pubDate>
<dc:creator>RansomFeed</dc:creator>
<description><![CDATA[<img src="https://ransomfeed.it/img/thumb-daily-news.png"> Anthropic said it has globally re-deployed <strong>Claude Fable 5</strong> with updated cybersecurity controls and released new technical details on how the model handles cyber-related prompts. The company said the system uses safety classifiers to sort requests into <strong>prohibited</strong>, <strong>high-risk dual-use</strong>, <strong>low-risk dual-use</strong>, and <strong>benign</strong> categories rather than blocking all security activity, allowing some defensive and educational use while aiming to stop harmful assistance. Anthropic said prohibited requests include malware development, ransomware, wipers, data exfiltration, defense evasion, offensive infrastructure such as <code>C2</code>, destructive attacks, and cyber-physical sabotage, and that the model applies a larger safety margin than earlier versions to reduce dangerous outputs even if that increases false positives.<br>
<br>
Anthropic also published an early draft <strong>Cyber Jailbreak Severity (CJS)</strong> framework, developed with <strong>Glasswing</strong>, to rate AI jailbreaks from <code>CJS-0</code> to <code>CJS-4</code> based on capability gain, breadth of impact, ease of weaponization, and discoverability. The company said the framework is intended to create a shared vocabulary for assessing jailbreak risk across industry and government, particularly for cases involving high-uplift vulnerability discovery or exploit generation. Anthropic invited external feedback through a dedicated contact channel and launched a <strong>HackerOne</strong> bug bounty program for researchers to report potential cyber jailbreaks affecting Fable 5.. <img referrerpolicy="no-referrer-when-downgrade" src="https://www.ransomfeed.it/matomo/matomo.php?idsite=1&amp;rec=1&amp;action_name=RSS-DAILY-NEWS" style="border:0" alt="" /><br /><br />Fonte: <i>https://mallory.ai/stories/019f2550-3b4f-798f-868c-cbeec9a07f6f</i>]]></description>
</item>
<item xmlns:dc='ns:1'>
<title>ChocoPoC RAT Spread Through Trojanized GitHub PoC Exploit Repositories</title>
<link>https://ransomfeed.it/news.php?id_news=nid&amp;nid=380</link>
<guid>bca82e41ee7b0833588399b1fcd177c7</guid>
<id>380</id>
<pubDate>Fri, 03 Jul 2026 07:30:56</pubDate>
<dc:creator>RansomFeed</dc:creator>
<description><![CDATA[<img src="https://ransomfeed.it/img/thumb-daily-news.png"> A malware campaign dubbed <strong>ChocoPoC</strong> used fake or trojanized GitHub proof-of-concept exploit repositories for newly disclosed CVEs to infect cybersecurity researchers, penetration testers, and bug hunters. Researchers at Sekoia and YesWeHack said the visible exploit code often appeared benign, while the real payload was introduced through malicious PyPI dependencies including <code>frint</code> and <code>skytext</code>. The package chain decrypted and executed code that fetched the final Python-based remote access trojan from a Mapbox dataset, and investigators linked at least seven repositories to the operation. The activity appears to have relied largely on compromised accounts to publish the poisoned packages and repositories, with <code>skytext</code> alone drawing roughly 2,400 downloads, mostly on Linux systems.<br>
<br>
Once activated, ChocoPoC provided remote shell and Python execution, stole browser credentials and files, uploaded data, enumerated processes, and collected host details such as network configuration and shell history. The malware was designed to evade casual review and simple sandboxing by delaying activation until the PoC was run, while also using DNS-over-HTTPS to resolve infrastructure and <code>91.132.163.78</code> for larger uploads. Investigators said related activity may date back to late 2025 through earlier packages such as <code>slogsec</code> and <code>logcrypt.cryptography</code>, raising concern that compromises of researcher workstations could create downstream supply-chain risk for trusted security tooling and frameworks.. <img referrerpolicy="no-referrer-when-downgrade" src="https://www.ransomfeed.it/matomo/matomo.php?idsite=1&amp;rec=1&amp;action_name=RSS-DAILY-NEWS" style="border:0" alt="" /><br /><br />Fonte: <i>https://mallory.ai/stories/019f1f86-22f7-7331-8f9c-27cd301ce16f</i>]]></description>
</item>
<item xmlns:dc='ns:1'>
<title>Apple Hide My Email Flaw Exposes Users’ Real Email Addresses</title>
<link>https://ransomfeed.it/news.php?id_news=nid&amp;nid=379</link>
<guid>a02ffd91ece5e7efeb46db8f10a74059</guid>
<id>379</id>
<pubDate>Fri, 03 Jul 2026 02:05:49</pubDate>
<dc:creator>RansomFeed</dc:creator>
<description><![CDATA[<img src="https://ransomfeed.it/img/thumb-daily-news.png"> A reported vulnerability in Apple’s iCloud+ <strong>Hide My Email</strong> service allows an attacker with only a relay alias to uncover the user’s real email address, defeating a privacy feature widely used to mask identity. Researcher <strong>Tyler Murphy</strong> of EasyOptOuts said he disclosed the issue to Apple in June 2025, and multiple outlets reported that <strong>404 Media</strong> independently verified the flaw by recovering a reporter’s actual Apple ID email from a newly created alias. Public reporting says the issue requires no account compromise, special access, or social engineering, raising risks of phishing, spam correlation, account linkage, and exposure of personal details through people-search services.<br>
<br>
Apple reportedly acknowledged the bug in 2025 and later told Murphy that a system change had addressed it, but follow-up testing found the deanonymization still worked more than a year after disclosure. Murphy said volunteer testing showed all tested aliases were reversible, though the full scope across the user base remains unclear, and exact exploitation details were withheld while Apple continued investigating. As of the reports, Apple had not issued a public advisory or CVE, and separate coverage noted that Apple’s planned migration of masked addresses to the <code>@private.icloud.com</code> domain could make Hide My Email aliases easier for websites and apps to identify and block.. <img referrerpolicy="no-referrer-when-downgrade" src="https://www.ransomfeed.it/matomo/matomo.php?idsite=1&amp;rec=1&amp;action_name=RSS-DAILY-NEWS" style="border:0" alt="" /><br /><br />Fonte: <i>https://mallory.ai/stories/019f1e04-8ca0-7064-aa71-1f2a3c97e955</i>]]></description>
</item>
<item xmlns:dc='ns:1'>
<title>Anubis Ransomware Expanded Through Forum Branding and CitrixBleed 2 Intrusions</title>
<link>https://ransomfeed.it/news.php?id_news=nid&amp;nid=373</link>
<guid>ffd52f3c7e12435a724a8f30fddadd9c</guid>
<id>373</id>
<pubDate>Wed, 01 Jul 2026 15:16:16</pubDate>
<dc:creator>RansomFeed</dc:creator>
<description><![CDATA[<img src="https://ransomfeed.it/img/thumb-daily-news.png"> The <strong>Anubis</strong> ransomware operation has grown into a structured cybercriminal ecosystem that combines public branding, affiliate recruitment, and multi-platform extortion services. Researchers linked the group’s leak sites, onion infrastructure, forum accounts, and the recurring <strong>&quot;Anubis Media&quot;</strong> persona into a unified operation that promoted ransomware and data-extortion offerings across underground communities including <strong>XSS</strong>, <strong>BreachForums</strong>, <strong>ReHub</strong>, and <strong>RAMP</strong>, as well as <strong>X</strong>. The group reportedly listed <strong>83 victims</strong> between February 2025 and June 2026, sought corporate access in the United States, Canada, Europe, and Australia, and advertised support for <strong>Windows, Linux, NAS, and ESXi</strong> environments with capabilities such as privilege escalation, shadow copy removal, network-wide deployment, and multiple encryption modes.<br>
<br>
Separate incident reporting tied Anubis-linked intrusions to practical affiliate tradecraft centered on stolen <strong>VPN credentials</strong> and exploitation of <strong>CitrixBleed 2</strong> (<code>CVE-2025-5777</code>) on Citrix NetScaler appliances. In observed attacks, operators blended into normal administration by deploying legitimate remote-management tools including <strong>ScreenConnect, Zoho Assist, MeshAgent, Remotely, UltraVNC, Total Software Deployment,</strong> and <strong>mRemoteNG</strong>, then moved laterally with <strong>RDP, SMB,</strong> and <strong>PsExec</strong>. They also harvested credentials with <strong>Mimikatz</strong>, browser password exports, and <code>ntds.dit</code> theft, used tools such as <strong>S3 Browser, rclone, s5cmd, WinSCP,</strong> and <strong>PuTTY</strong> for exfiltration staging, and in some cases established fallback access through <strong>cloudflared</strong>, authenticated proxies, and <strong>SSH SOCKS</strong> tunnels, including activity involving Synology NAS devices.. <img referrerpolicy="no-referrer-when-downgrade" src="https://www.ransomfeed.it/matomo/matomo.php?idsite=1&amp;rec=1&amp;action_name=RSS-DAILY-NEWS" style="border:0" alt="" /><br /><br />Fonte: <i>https://mallory.ai/stories/019f1d2a-4f07-7c99-9993-d7767fa6cb01</i>]]></description>
</item>
<item xmlns:dc='ns:1'>
<title>Silent Swap Browser Extension Hijacks Crypto Wallet Addresses</title>
<link>https://ransomfeed.it/news.php?id_news=nid&amp;nid=374</link>
<guid>ad972f10e0800b49d76fed33a21f6698</guid>
<id>374</id>
<pubDate>Wed, 01 Jul 2026 15:15:51</pubDate>
<dc:creator>RansomFeed</dc:creator>
<description><![CDATA[<img src="https://ransomfeed.it/img/thumb-daily-news.png"> Researchers reported an active <strong>Silent Swap</strong> campaign that distributes a fake <strong>&quot;Google Notes&quot;</strong> browser extension to steal cryptocurrency by replacing copied wallet addresses with attacker-controlled ones during transactions. The operation uses unsigned <strong>.NET</strong> and <strong>Golang</strong> installers to silently sideload the malicious extension into Chromium-based browsers including <strong>Chrome, Edge, Brave, and Opera</strong>, where it monitors clipboard activity and browser input for wallet strings across multiple blockchains and swaps them in real time.<br>
<br>
The malware reportedly abuses Chromium trust mechanisms by altering <strong>Secure Preferences</strong> and related settings files, recalculating integrity values so the extension appears legitimately installed without user approval. Researchers said the campaign also uses <strong>EtherHiding</strong>-style blockchain-based command-and-control, querying a smart contract through public RPC infrastructure to resolve active C2 domains such as <code>devops-offensive[.]cc</code> and <code>Zebregts[.]com</code>, complicating detection and takedown. The activity has been linked to the <strong>CountLoader</strong> threat actor, with infections observed globally and a heavier concentration in <strong>India</strong>, while dynamic per-victim wallet mapping and published hashes, domains, payload URLs, and Bitcoin wallet indicators suggest a broad effort to monetize consumer cryptocurrency transactions.. <img referrerpolicy="no-referrer-when-downgrade" src="https://www.ransomfeed.it/matomo/matomo.php?idsite=1&amp;rec=1&amp;action_name=RSS-DAILY-NEWS" style="border:0" alt="" /><br /><br />Fonte: <i>https://mallory.ai/stories/019f1d98-6910-746a-8c03-18327effb078</i>]]></description>
</item>
<item xmlns:dc='ns:1'>
<title>Adobe Patches Critical ColdFusion RCE Flaws and Campaign Classic Bug</title>
<link>https://ransomfeed.it/news.php?id_news=nid&amp;nid=375</link>
<guid>f61d6947467ccd3aa5af24db320235dd</guid>
<id>375</id>
<pubDate>Wed, 01 Jul 2026 15:12:31</pubDate>
<dc:creator>RansomFeed</dc:creator>
<description><![CDATA[<img src="https://ransomfeed.it/img/thumb-daily-news.png"> Adobe has released Priority 1 security updates for <strong>ColdFusion</strong> and <strong>Adobe Campaign Classic</strong> to fix multiple high-severity vulnerabilities, including seven flaws rated <code>CVSS 10.0</code>. In ColdFusion, the patched issues affect versions <code>2025.9</code>, <code>2023.20</code>, and earlier, and include improper input validation (<code>CVE-2026-48281</code>, <code>CVE-2026-48277</code>), unrestricted file upload (<code>CVE-2026-48276</code>, <code>CVE-2026-48283</code>), and path traversal (<code>CVE-2026-48282</code>) bugs that could allow unauthenticated remote code execution without user interaction. Additional ColdFusion flaws include a path traversal issue with arbitrary file read and limited write access (<code>CVE-2026-48313</code>), an SSRF bug (<code>CVE-2026-48285</code>), and user-interaction issues such as reflected XSS (<code>CVE-2026-48307</code>) and improper input validation tied to malicious files (<code>CVE-2026-48315</code>).<br>
<br>
Adobe also patched <code>CVE-2026-48286</code> in <strong>Adobe Campaign Classic</strong>, an incorrect authorization flaw affecting version <code>7.4.3</code> and earlier that can lead to arbitrary code execution on on-premises instances. Adobe said it is not aware of in-the-wild exploitation of the specific vulnerabilities, but assigned the updates a <strong>Priority 1</strong> rating, indicating they are being targeted or are at high risk of being targeted, and urged administrators to patch within 72 hours. Recommended versions include <strong>ColdFusion 2025 Update 10</strong>, <strong>ColdFusion 2023 Update 21</strong>, and <strong>Campaign Classic 7.4.4 / build 9397 or later</strong>.. <img referrerpolicy="no-referrer-when-downgrade" src="https://www.ransomfeed.it/matomo/matomo.php?idsite=1&amp;rec=1&amp;action_name=RSS-DAILY-NEWS" style="border:0" alt="" /><br /><br />Fonte: <i>https://mallory.ai/stories/019f1cba-dbec-7d13-84af-d33305908eb0</i>]]></description>
</item>
<item xmlns:dc='ns:1'>
<title>Citrix NetScaler Flaws Expose ADC and Gateway to Remote DoS and Memory Errors</title>
<link>https://ransomfeed.it/news.php?id_news=nid&amp;nid=376</link>
<guid>142949df56ea8ae0be8b5306971900a4</guid>
<id>376</id>
<pubDate>Wed, 01 Jul 2026 15:07:10</pubDate>
<dc:creator>RansomFeed</dc:creator>
<description><![CDATA[<img src="https://ransomfeed.it/img/thumb-daily-news.png"> Citrix published a security advisory for <strong>NetScaler ADC</strong> and <strong>NetScaler Gateway</strong>, warning that multiple high-severity vulnerabilities can be exploited remotely in specific deployments and configurations. The advisory, highlighted by the Canadian Centre for Cyber Security, affects the <code>14.1</code> and <code>13.1</code> release lines as well as certain <strong>NetScaler FIPS</strong> and <strong>NDcPP</strong> editions, and references six CVEs including <code>CVE-2026-8451</code>, <code>CVE-2026-8452</code>, <code>CVE-2026-8655</code>, and <code>CVE-2026-13474</code>. Administrators were urged to review Citrix’s bulletin and move affected systems to fixed versions.<br>
<br>
The disclosed flaws include a malformed HTTP/2 request issue that can trigger denial of service when HTTP/2 is enabled on affected LB, CS, VPN virtual servers or services (<code>CVE-2026-13474</code>); multiple memory overflow vulnerabilities tied to Oracle load balancer, DNS proxy, and DNS recursive resolver deployments (<code>CVE-2026-8655</code>); a memory overread caused by insufficient input validation when NetScaler is configured as a <strong>SAML Identity Provider</strong> (<code>CVE-2026-8451</code>); and a separate memory overflow vulnerability affecting <strong>Gateway</strong> or <strong>AAA</strong> virtual servers, including <strong>SSL VPN</strong>, <strong>ICA Proxy</strong>, <strong>CVPN</strong>, and <strong>RDP Proxy</strong> deployments (<code>CVE-2026-8452</code>). Recommended mitigations include applying Citrix security updates, disabling HTTP/2 or vulnerable Gateway features where not required, reviewing exposed virtual server and HTTP profile configurations, and monitoring for anomalous behavior.. <img referrerpolicy="no-referrer-when-downgrade" src="https://www.ransomfeed.it/matomo/matomo.php?idsite=1&amp;rec=1&amp;action_name=RSS-DAILY-NEWS" style="border:0" alt="" /><br /><br />Fonte: <i>https://mallory.ai/stories/019f1914-2f30-7f5f-9e51-43de4b987eb5</i>]]></description>
</item>
<item xmlns:dc='ns:1'>
<title>Azure CLI Password Spray Bypassed Conditional Access in Microsoft 365 Accounts</title>
<link>https://ransomfeed.it/news.php?id_news=nid&amp;nid=378</link>
<guid>8bf1211fd4b7b94528899de0a43b9fb3</guid>
<id>378</id>
<pubDate>Wed, 01 Jul 2026 12:06:54</pubDate>
<dc:creator>RansomFeed</dc:creator>
<description><![CDATA[<img src="https://ransomfeed.it/img/thumb-daily-news.png"> A large-scale password spray campaign targeted Microsoft 365 environments through <strong>Azure CLI</strong> logins, generating more than <strong>81 million authentication attempts</strong> and compromising at least <strong>78 accounts across 64 organizations</strong>, according to Huntress. The attackers abused the deprecated OAuth <strong>Resource Owner Password Credentials</strong> (<code>ROPC</code>) flow to validate stolen username-password pairs and obtain user-delegated tokens, relying on previously breached credentials that had not been rotated.<br>
<br>
The activity was observed between mid and late June and in some cases succeeded even where <strong>MFA</strong> and <strong>Conditional Access</strong> were enabled, because policies were misconfigured or did not fully cover Azure CLI <code>ROPC</code> authentication. Huntress said most attempts originated from the IPv6 range <code>2a0a:d683::/32</code>, associated with <strong>LSHIY LLC</strong> (<code>AS32167</code>), and reported a more than <strong>155-fold</strong> increase in credential-spray volume across its customer base over six months. Defenders were urged to enforce MFA for all users, cloud apps, and client app types, and to restrict Azure CLI access for non-admin users.. <img referrerpolicy="no-referrer-when-downgrade" src="https://www.ransomfeed.it/matomo/matomo.php?idsite=1&amp;rec=1&amp;action_name=RSS-DAILY-NEWS" style="border:0" alt="" /><br /><br />Fonte: <i>https://mallory.ai/stories/019f1c4c-8e4d-7048-ad8e-fdac1af514fc</i>]]></description>
</item>
</channel>
</rss>
