Normal view

Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install

11 July 2026 at 17:59
The jscrambler npm package was compromised, and simply installing its 8.14.0 release runs an infostealer on your machine. Published on July 11, 2026, the malicious version carries a preinstall hook that drops and executes a native binary, one build each for Windows, macOS, and Linux. Socket flagged the release six minutes after it was published. If you or one of your

Hackers Weaponize Balochistan Police Portal in Multi-Group Espionage Campaigns

11 July 2026 at 17:49
Cybersecurity researchers have disclosed details of sustained cyber espionage activity against several Pakistani law enforcement organizations undertaken by suspected China- and India-aligned threat actors between February 2024 and April 2026. "At Balochistan Police, the compromised assets included servers hosting web applications that manage police and citizen data, such as criminal and

Critical Zimbra Flaw Could Let Crafted Emails Run Malicious Code in User Sessions

11 July 2026 at 06:45
Zimbra is urging customers to apply updates to address a critical security vulnerability impacting the Classic Web Client that could result in arbitrary code execution. The vulnerability has been described as a case of stored cross-site scripting (XSS) that could allow specially crafted emails to execute malicious scripts in a user's session. It has yet to be assigned a CVE identifier. "The

Closing the Timing Gap: Defensive Temporal Observability

Lately I’ve been thinking about time.

Uptime, pulse checks, execution time, response time. We’ve always treated these as health metrics. They tell us whether a system is alive, responsive, and performing as expected. But what if they’re also security metrics?

That idea isn’t entirely new. At the network layer, covert timing channels, beaconing detection, and behavioral baselining have shown us for decades that the intervals between events matter. Attackers have long understood that rhythm carries information. More recently, researchers have demonstrated timing side-channel attacks against LLMs, using cache latency to infer private prompts and token cadence to fingerprint model outputs.

What I find interesting is the imbalance. Most of the research asks, “How can timing be exploited?” Very little asks, “How can timing help us defend?”

A 2026 systematic survey of LLM-agent security identifies temporal anomaly detection infrastructure as an open research gap, noting that current agent deployment frameworks don’t even support the behavioral baselines such an approach would require. Even then, the discussion largely focuses on session-level behavior. The rhythm within a single execution, the space between observable events, remains largely unexplored.

Maybe time isn’t just metadata, maybe it’s another dimension of observability that we’ve been overlooking.

Time tells you duration and speed. But read carefully, it also reveals location, choke points, and absences, the things that didn’t happen when they should have.

I’ve started exploring this in my own observability work, measuring behavioral changes & entropy across inter-arrival intervals and treating rhythm as signal rather than noise to smooth away.

Curious to know who else is working on the defensive side of temporal behavior, especially for agentic systems or any thoughts or opinions on this topic.

Reference: “A Systematic Survey of Security Threats and Defenses in LLM-Based AI Agents: A Layered Attack Surface Framework,” arXiv:2604.23338 (2026). https://arxiv.org/abs/2604.23338

submitted by /u/Standard-964
[link] [comments]

Can AI-generated adversaries break TTP-based attribution? (arXiv 2026)

Cyber Threat Intelligence (CTI) has traditionally attributed attacks through Tactics, Techniques and Procedures (TTPs).

In this paper we evaluate whether that assumption still holds when AI agents are explicitly configured to emulate known threat groups.

We configured AI agents to reproduce the behavior of APT28, APT29, APT41, APT44 and Lazarus inside enterprise and military cyber ranges.

Our results suggest that sufficiently capable AI agents can reproduce TTP patterns closely enough to make attribution based solely on behavioral evidence significantly more difficult.

We'd be interested in feedback from practitioners working on CTI, attribution or adversary emulation.

submitted by /u/Obvious-Language4462
[link] [comments]

Towards CSI: What's the best harness? (arXiv 2026)

We studied a question that receives surprisingly little attention:

Does the agent harness matter as much as the underlying LLM?

We benchmarked five different cybersecurity scaffolds while keeping the model fixed (alias2-mini) across all 33 CyBench challenges.

Key findings:

  • No single scaffold performs best across every challenge.
  • Combining heterogeneous scaffolds consistently improves coverage.
  • A shared blackboard architecture solves 19/33 challenges (57.6%), outperforming every individual harness while reducing execution time.

Paper: https://arxiv.org/pdf/2605.28334

Happy to answer technical questions or discuss the benchmarking methodology.

submitted by /u/Obvious-Language4462
[link] [comments]

Destructive Windows backdoor stuffs multiple wipers and ransomware code into a single package

10 July 2026 at 17:35
A newly identified destructive Windows backdoor combines ransomware-like encryption with multiple data-wiping features, according to Microsoft. Last October, the Redmond threat-hunting team first spotted attacks using the Golang-based implant they've named GigaWiper. Its developers stuffed multiple malware families into the software as on-demand commands, giving criminals a Swiss Army knife of command-and-control (C2) and destructive capabilities, including multiple wiping commands and file encryption without any possibility of decryption. “The consolidation of multiple destructive capabilities into a modular backdoor reflects a notable shift in wiper malware, which are typically designed purely to destroy rather than to extort and carry real-world consequences,” Microsoft Threat Intelligence wrote in a Thursday blog. Microsoft declined to answer The Register's questions about the scale and scope of GigaWiper attacks. In the blog, Redmond’s malware analysts said they uncovered two types of GigaWiper samples in victims’ environments, and both are unstripped portable executable files written in Golang. One is a standalone wiper that operates at the physical disk level, as opposed to deleting individual files. It overwrites raw disk content, removes partition metadata, and then reboots the system using Windows shutdown functionality with restart and zero-delay. The second sample is the more interesting one. It includes the same disk-wiping functionality, but that’s just one component of the backdoor. This malware also establishes persistence and sets up C2 communication using RabbitMQ over AMQP for receiving commands from the C2 server, and Redis for updating command status and output. GigaWiper also organizes its commands into different categories, including "always run" for tasks such as continuous screen recording, "manage command" for system management functions, and separate "special command" and "shell command" modes for executing additional functionality. These include the standalone wiper command, along with another command that disables Windows recovery, triggers a blue screen of death (BSOD), and leaves the device unable to boot. It also has a destructive command based largely on Crucio ransomware. It encrypts files with randomly generated keys that are never saved, which means victim organizations will never be able to decrypt these files. Another command bulk encrypts or decrypts files with AES-256 in Cipher Block Chaining (CBC) mode, while a different command uses MinIO Client (mc) to upload stolen files to remote storage. The malware also runs PowerShell commands, takes screen shots and recordings of the compromised device, collects system info, clears Windows event logs, and allows remote control over the system along with keyboard and mouse control - among other capabilities that attackers can use at will. According to Redmond, GigaWiper combines components from at least three previously separate malware families, including Crucio ransomware, a Go reimplementation of FlockWiper, and a standalone disk wiper. “Overall, these findings show the evolution of the actor’s tooling over time,” the security sleuths wrote. “Functionality was merged into a single robust backdoor, granting the actor more ways to control and destroy infected systems.” ®

URGENT - Progress Tells ShareFile Customers to Shut Down Storage Zone Controllers Over Security Threat

10 July 2026 at 16:30
Progress Software has told ShareFile customers to shut down the Windows servers running their Storage Zone Controllers, confirming to The Hacker News that it is responding to a "credible external security threat." The company has temporarily disabled access to the affected accounts, a step it says it took "out of an abundance of caution" while it works with internal and external security

Injective Labs GitHub Compromise Pushes Wallet-Key-Stealing npm Packages

10 July 2026 at 16:29
Unknown threat actors compromised the Injective Labs SDK project's GitHub repository and leveraged it to publish a malicious package on the npm registry to steal cryptocurrency wallet private keys and mnemonic seed phrases. The compromised version, @injectivelabs/sdk-ts@1.20.21, came embedded with fake telemetry functionality that exfiltrated data from cryptocurrency wallets. The version was

Six New U-Boot Flaws Could Let Malicious Images Crash Devices or Run Code at Boot

10 July 2026 at 15:57
Researchers at firmware security firm Binarly have found six new flaws in U-Boot, the small program that starts up hardware as varied as home routers, smart cameras, and the management chips inside data-center servers. Four of the bugs can crash a device. The other two could let an attacker who slips a malicious image in front of the bootloader run their own code, before the device

Laser Attack Resets Tangem Wallet Passwords on Cards That Can't Be Patched

10 July 2026 at 14:51
Researchers at Ledger's Donjon security team have shown that a precisely timed laser pulse, aimed at the chip inside a Tangem crypto wallet card, can reset the card's password to anything the attacker picks. No old password. No backup card. Once it is reset, whoever did it controls the wallet and can move the coins out. This is not an emergency for most owners. The attack needs

Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws

10 July 2026 at 14:19
Details have emerged about three now-patched security flaws in the OpenClaw personal artificial intelligence (AI) assistant that, if successfully exploited, could enable credential theft, privilege escalation, and arbitrary code execution on the host. A brief description of the high-severity vulnerabilities is as follows - GHSA-hjr6-g723-hmfm (CVSS score: 8.8) - An operating system

❌