Malware

Line-art of a ZIP folder opening to a shortcut-file icon; a phishing hook threads into a ministry building marked with a single flat red dot.

Nation-State Cyber Threats

SideCopy Hits Afghanistan's Finance Ministry With Xeno RAT in Operation XENOFISCAL

Seqrite Labs says the Pakistan-aligned group SideCopy likely ran Operation XENOFISCAL, a spear-phishing campaign that hit Afghanistan's Ministry of Finance and provincial finance offices with the open-source Xeno RAT, delivered through a Pashto-language ZIP-and-LNK lure.

02 Jun 2026

Line-art of npm package boxes linked by pipes as a creeping vine-like blight spreads across them; one box at the leading edge carries a single flat red dot.

Supply Chain Attack

Mini Shai-Hulud 'Miasma' Variant Compromises 32 Red Hat Cloud Services npm Packages

A compromised Red Hat employee GitHub account pushed a new 'Miasma' build of the Mini Shai-Hulud worm into 32 Cloud Services npm packages. Red Hat says the code was internal-only and never reached customers; any pipeline that installed a poisoned version should rotate its secrets.

02 Jun 2026

Line-art of a macOS app window emerging from a butterfly motif, wired to an outbound data arrow; an ad banner above it carries a single flat red dot.

Malware

Unit 42 Details Operation FlutterBridge, a macOS Malvertising Campaign Dropping FlutterShell

Unit 42 documented Operation FlutterBridge, a macOS malvertising campaign that uses hundreds of Google-verified ads to drop FlutterShell — a new backdoor built with Google's Flutter framework that adds shell execution, file manipulation and AI-summarization-based exfiltration to adware.

02 Jun 2026

Line-art of a rack of test-bench computer screens wired to a central orchestrator node; one screen displays a shield icon marked with a single flat red dot.

Artificial Intelligence (AI)

Sophos Uncovers an AI-Orchestrated Lab Built to Test and Refine EDR-Evasion Malware

Sophos documented a threat actor using AI agents — including a Claude Opus 4.5 coordinator — to run a lab testing malware against Sophos, CrowdStrike and Microsoft Defender. Notably, the lab's own claims of rising evasion success were not borne out by Sophos's data.

02 Jun 2026

Line-art map of two generic landmasses connected by a thin curved line passing over a small document icon; the document carries one flat red dot.

Nation-State Cyber Threats

Operation Dragon Weave Targets Czech Republic and Taiwan With AdaptixC2 Spear-Phishing

Seqrite Labs disclosed Operation Dragon Weave, a China-aligned cyber-espionage campaign delivering an AdaptixC2 agent against government, research, academic, technology, and financial-services targets in the Czech Republic and Taiwan via spear-phishing ZIPs.

01 Jun 2026

Line-art generic document with thin faint lines extending behind it like hidden layers; one of the hidden layers carries a single flat red dot.

Nation-State Cyber Threats

Gamaredon Hides a Fileless GammaWorm Inside NTFS Alternate Data Streams to Spy on Ukraine

Sekoia documented an FSB-linked Gamaredon campaign whose GammaWorm hides fileless VBScript modules inside NTFS Alternate Data Streams to spy on Ukrainian government, military, and critical-infrastructure targets while leaving almost no trace on disk.

01 Jun 2026

Line-art generic package-box icon with a small key icon hanging off it by a thin chain; the key carries a red dot.

Supply Chain Attack

codexui-android npm Package Is Quietly Stealing OpenAI Codex Tokens From 29,000 Weekly Users

The npm package codexui-android, a remote web UI for OpenAI Codex with 29,000 weekly downloads, has been exfiltrating users' Codex authentication tokens to an attacker server for the past month. The package is still live on npm.

01 Jun 2026

Line-art row of near-identical small package boxes on a shelf, each with a tiny lookalike label; a small key icon hangs from one box, and a red dot sits on the key.

Supply Chain Attack

Microsoft Names 'Mini Shai-Hulud' Wave of 14 npm Typosquats Stealing Cloud and CI/CD Secrets

Microsoft Threat Intelligence has named a new npm supply-chain wave the Mini Shai-Hulud campaign. A single maintainer alias, vpmdhaj, published 14 typosquatted packages in four hours that harvest AWS, HashiCorp Vault, npm, and GitHub Actions secrets from CI/CD runners.

31 May 2026

Line-art split path: a package-box source with two arrows, one to a private-internal circle, one to a public-registry shelf; red dot on the public branch.

Supply Chain Attack

Microsoft Names 33 Malicious npm Packages in a Dependency-Confusion Recon Campaign

Microsoft Threat Intelligence disclosed 33 malicious npm packages published under three aliases attributed to a single operator. The packages abuse dependency confusion to fingerprint developer and build environments and ship a server-toggled reconnaissance payload.

30 May 2026

Line-art central server rack with connector lines fanning down to a row of small endpoint laptop icons; one flat red dot sits on the server.

Vulnerabilities

FortiClient EMS CVE-2026-35616 Is Now Pushing the EKZ Credential Stealer, Arctic Wolf Says

Arctic Wolf says threat actors are exploiting the patched FortiClient EMS flaw CVE-2026-35616 to deploy EKZ, a previously unreported credential stealer disguised as a Fortinet endpoint update and pushed across managed endpoints through the EMS management pathway itself.

29 May 2026

Line-art video-meeting window with four small participant tiles and a thin tunnel connecting it to a separate node; one participant tile carries a red dot.

Nation-State Cyber Threats

Kimsuky Used a Fake Webex Page to Deliver an HTTPSpy Variant to the South Korean Military

ENKI says Kimsuky ran a March-April 2026 wave against South Korean military and corporate targets, delivering an HTTPSpy variant through a fake Webex meeting page wired to a real scheduled event and a new infection-verification technique it calls JSONPing.

29 May 2026

Line-art tree of small file icons fanning out from a central master file holding a small key; a red dot marks the master key at the centre.

Ransomware

Microsoft Names Storm-2697 Behind The Gentlemen Ransomware: Go Encryptor, Ephemeral Keys

Microsoft Threat Intelligence has named the operators of The Gentlemen ransomware Storm-2697, and its new deep technical analysis dissects a Go encryptor that uses per-file ephemeral keys and an aggressive self-propagation module.

29 May 2026

See all