CyberSecured News

Developers relying on OpenAI's Codex tools just got a harsh reminder that convenience in the AI ecosystem can come at a steep price. Security researchers uncovered a slick supply chain operation that quietly siphoned authentication tokens from users of a seemingly helpful remote web interface package. The attack highlights how adversaries are embedding themselves in legitimate-looking tools that target those building with advanced AI models. The compromised npm package, codexui-android, positioned itself as a handy interface for interacting with Codex remotely. It racked up tens of thousands of weekly downloads by promising an easy way to run the AI coding assistant without local heavy lifting. For roughly the past month, however, versions starting from 0.1.82 included code that pulled sensitive credential files from users' systems and shipped them off to an attacker-controlled server disguised as a monitoring service. This wasn't some fly-by-night typosquatting effort. T...

The FBI put out a fresh alert this week highlighting how the Silent Ransom Group has taken social engineering to the streets. These operators are no longer content with remote tricks alone. They are now sending people directly to victim sites to plug in USB drives and walk off with sensitive files from law firm computers across the United States. This shift marks a bolder phase for the crew, also tracked as Luna Moth. They start with the usual playbook, calling or emailing staff while pretending to be internal IT support. Once they have the target on the line, they push for remote desktop access. If that fails, the next step is dispatching someone in person to gain physical entry and connect external storage devices. The goal is straightforward: grab data fast and use it for extortion later. Law firms have been prime targets for this group since at least early 2023. Their client files often contain high-value information that carries serious leverage in ransom demands. After snatchin...

   A swift and sneaky malware operation hit the open source world hard last week, poisoning thousands of GitHub repositories in a matter of hours. Dubbed Megalodon, the campaign slipped malicious code into more than 5,500 projects, targeting the very workflows developers rely on to build and deploy software. This kind of supply chain compromise strikes at the foundation of modern development, where one tainted repo can ripple out to countless downstream users and enterprises. The attack unfolded on May 18 over a tight six-hour window. Operators used fake accounts and forged identities to push over 5,700 commits laced with credential-stealing payloads. These hits focused on GitHub Actions workflows, the automation scripts that handle everything from testing to deployment. Once in place, the malware quietly exfiltrated secrets like API keys, SSH credentials, cloud tokens, and source code details back to a command server. Some versions added a dormant backdoor that stayed hidden...

  Recent activity tied to the Iranian threat group known as Nimbus Manticore shows a clear evolution in how state-backed cyber campaigns are being conducted against Western and regional targets. Rather than relying exclusively on traditional phishing emails, operators linked to Iran’s Islamic Revolutionary Guard Corps are increasingly blending social engineering, fake software distribution, and manipulated search rankings to compromise organizations tied to aviation, telecommunications, software development, and energy infrastructure. Security researchers tracking the campaigns observed multiple delivery methods across recent operations, including fraudulent job recruitment messaging, spoofed video meeting invitations, and malicious software installers disguised as legitimate tools. One operation reportedly involved a fake Oracle SQL Developer download page designed to infect users who searched for common developer software through major search engines. The shift matters because ...

Dutch authorities delivered a sharp blow to Russian cyber infrastructure last week, seizing roughly 800 servers and arresting two men accused of providing critical hosting services that powered cyberattacks, influence operations, and disinformation efforts aimed at the European Union. The operation targeted co-owners of two related hosting firms that had taken control of infrastructure previously tied to Stark Industries Solutions, a provider the EU sanctioned in 2025 for its role as a launchpad for Russian intelligence activities. Investigators from the Netherlands' FIOD financial crimes agency moved in on May 18, detaining a 57-year-old man in Amsterdam and a 39-year-old in The Hague on charges of violating EU sanctions by supplying resources to banned entities. This takedown highlights a basic truth in the cyber domain: adversaries do not operate in a vacuum. They rely on willing or negligent service providers in the West who prioritize profit over security and national intere...

Anthropic revealed Friday that its new defensive initiative, Project Glasswing, has already uncovered more than 10,000 high and critical software vulnerabilities in just over a month. The effort is aimed at protecting the digital infrastructure that modern economies, governments, and critical industries increasingly rely on. At the center of the program is Claude Mythos Preview, an advanced AI model built specifically to identify weaknesses in widely used software before attackers can exploit them. Rather than releasing the capability publicly, Anthropic has limited access to a small group of trusted security partners focused on defending high-value systems and infrastructure. So far, the project has identified over 6,200 serious vulnerabilities across more than 1,000 open-source projects. Validation efforts confirmed 1,726 legitimate security flaws, including 1,094 rated high or critical severity. One example is CVE-2026-5194 affecting WolfSSL, a vulnerability with a severity score of...

  Law enforcement agencies delivered a solid blow to the cybercrime underground this week with the arrest of a Canadian man accused of running one of the more aggressive DDoS-for-hire operations in recent memory. Jacob Butler, operating under the handle "Dort," was taken into custody in Ottawa and now faces charges in both Canada and the United States for his alleged role in building and managing the Kimwolf botnet. According to details released by the Department of Justice, Butler is linked to a network that commandeered millions of Internet of Things devices worldwide. These compromised gadgets, ranging from routers to security cameras and other poorly secured connected hardware, formed a powerful swarm capable of launching devastating distributed denial-of-service assaults. Reports indicate the botnet issued thousands of attack commands before its command infrastructure was disrupted, with individual floods reaching staggering volumes up to 31.4 terabits per second. This...