Supply Chain Attack
Socket disclosed TrapDoor, a coordinated attack that planted more than 34 malicious packages across npm, PyPI, and Crates.io at once. Its novel move: poisoned .cursorrules and CLAUDE.md files designed to trick a developer's AI coding assistant.
Supply Chain Attack
A coordinated attack on Packagist, the PHP package registry, poisoned eight Composer packages by hiding malicious code in package.json — the JavaScript manifest — instead of composer.json, exploiting the blind spot where PHP and JavaScript toolchains coexist but are reviewed separately.
Supply Chain Attack
Researchers found more than 700 malicious version tags published across the Laravel-Lang PHP project on May 22-23, 2026 — yet the official repositories were never modified. The attacker pointed Git tags at a fork they controlled to drop a credential stealer.
Supply Chain Attack
An automated campaign called Megalodon pushed 5,718 malicious commits to 5,561 GitHub repositories in six hours, hiding secret-stealing payloads inside CI/CD workflow files. It weaponizes the merge — the most routine action in software development.
Nation-State Cyber Threats
Palo Alto Networks' Unit 42 is tracking Screening Serpens, an Iran-nexus APT that fuses DLL sideloading with AppDomainManager hijacking to make .NET applications switch off their own security mechanisms, then deploys six new RATs across the U.S., Israel, and the UAE.
Policy & Government
Canadian authorities arrested Jacob Butler, 23, of Ottawa, known online as 'Dort,' the alleged operator of the KimWolf DDoS-for-hire botnet. The US has charged him and is seeking extradition. KimWolf allegedly grew to nearly two million infected devices.
Policy & Government
A Europol- and Eurojust-coordinated operation dismantled First VPN — a service Europol calls the most widely used in the cybercrime underground — arresting an admin, seizing 33 servers, and identifying thousands of cybercrime-linked users. The intelligence yield is the story.
Nation-State Cyber Threats
Lumen's Black Lotus Labs disclosed Showboat, a modular Linux backdoor a China-affiliated espionage operation has used to sit inside Middle East and Central Asia telecom networks for roughly four years. A SOCKS5-proxy foothold inside a carrier is a persistent window into a region's traffic.
Cyber Attacks
GitHub confirmed TeamPCP (UNC6780) exfiltrated roughly 3,800 internal repositories after an employee installed a poisoned Visual Studio Code extension. The same actor behind the Mini Shai-Hulud worm listed the data for $50,000+ on BreachForums — framed as a sale, not a ransom.
Nation-State Cyber Threats
ESET documented Webworm, a China-aligned APT that pivoted from Asia to European governments. Its two new backdoors — EchoCreep and GraphWorm — run command-and-control entirely on Discord and Microsoft OneDrive, hiding inside the trusted cloud traffic every enterprise allowlists.
Threat Actors
Leaked database reveals a structured cybercrime market connecting access brokers to 14 RaaS affiliates targeting US government and finance sectors in 40% of listings. MOSCOW / WASHINGTON, D.C. — A massive leak of the RAMP (Ransomware Access and Market Place) database has pulled back the curtain on Russia’s most structured
Data Breaches
Quorum Cyber analysis reveals ransomware (+21%), hacktivism (+75%), and data breaches (+73%) converging on research-rich academic targets. EDINBURGH, UK — Global higher education is facing a "convergence of threats" as a new analysis from Quorum Cyber reveals a staggering 63% year-over-year increase in verified cyberattacks. Between November 2024 and