Normal view

Received — 14 July 2026 The Hacker News

CrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper Checks

13 July 2026 at 17:36
Cybersecurity researchers have flagged a new macOS information stealer called CrashStealer that's capable of harvesting sensitive data from compromised systems. Unlike other information stealers that are built on AppleScript droppers or Objective-C-based wrappers, CrashStealer is implemented in native C++, according to Jamf Threat Labs. "It validates the victim's login password locally before

Google and Microsoft Pull ModHeader With 1.6 Million Installs After Dormant Collector Found

13 July 2026 at 17:17
Google and Microsoft have pulled ModHeader, a popular header-editing extension with roughly 1.6 million installs across Chrome and Edge, after researchers found a hidden browsing-history collector built into its official store version. The collector was dormant. An empty allow-list kept it switched off, and no proof has emerged that it ever gathered or sent a single browsing domain. The

⚡ Weekly Recap: ShareFile Threat, Citrix Bleed 2 Ransomware, AI Coding Attacks, and More

13 July 2026 at 15:05
Somewhere right now, a security tool is quietly finding bugs faster than any human can fix them. That's supposed to be the good news. The catch is that the attackers have the same tools, pointed the other way, and they don't file tickets. That's the shape of this week. Trusted code turns on the people who installed it. Old bugs from last year are still landing because the fix sat in a queue too

New MemGhost Attack Plants Persistent False Memories in AI Agents Through One Email

13 July 2026 at 13:49
Give an AI assistant a memory and access to your inbox, and you hand an attacker a way to rewrite what it thinks it knows about you. A single email can trick that agent into saving a false "fact" about the user, hide the change, and quietly steer its answers in later sessions. When it works, the person reads an ordinary-looking reply and never learns their assistant was tampered with. The

Received — 13 July 2026 The Hacker News

Forg365 PhaaS Targets Microsoft 365 with Device Code and AitM Session Theft

13 July 2026 at 13:03
A new phishing-as-a-service (PhaaS) operation called Forg365 is using a combination of device code phishing, adversary-in-the-middle (AitM) tactics, antibot evasion, artificial intelligence (AI)-assisted lure creation, and post-compromise mailbox operations targeting Microsoft 365 accounts. Distributed via Telegram and costing $400 a month (or $3,800 per year), attack chains leverage phishing

Meta Files Patent for AI That Can Listen All Day and Track How You're Feeling

13 July 2026 at 11:54
Meta has filed a patent application for an AI that listens to your voice throughout the day, works out how it thinks you are feeling from the way you sound, and keeps a timestamped log of every read. Each read gets pinned to the moment it happened: the time, your location, what you were doing, even how you were using your phone. Some versions in the filing would listen all day; others would

Thinking Fast and Slow in the SOC: The Case for Combining Autonomous AI with Analyst Copilots

13 July 2026 at 11:37
A few days ago, I was sitting with the CISO of a Fortune 50 company, walking through how his security team was thinking about AI agents in the SOC. Smart team. Serious program. They had already connected Claude to a few detection tools and were seeing real value in specific investigations. But as we mapped out the broader architecture, something kept nagging at me. The design they were building

Attacker Uses Suspected AI-Generated PowerShell Script to Map Active Directory

13 July 2026 at 11:02
Cybersecurity researchers have flagged an intrusion in which an unknown threat actor leveraged a vibe-coded PowerShell script for Active Directory (AD) enumeration. "The script looked for the Domain Controller (DC) and mapped users, computers, and domains, before creating a directory and exporting out a number of files, and finally creating AD_Report.html to measure the success of the

Misconfigured Server Reveals Three Evilginx Phishing Operations Targeting Microsoft 365

13 July 2026 at 07:30
An attacker running a live Microsoft 365 phishing operation left a Python web server listening on a public port with directory listing switched on. The command that did it: python3 -m http.server 8080, was still sitting in the readable .bash_history. From that one lapse, French security firm Lexfo lifted the operator's entire toolkit and pivoted through it to two more

iCagenda and Balbooa Forms Joomla Flaws Reportedly Exploited as Zero-Days

13 July 2026 at 05:36
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two maximum-severity security flaws impacting iCagenda and Balbooa extensions for Joomla to its Known Exploited Vulnerabilities (KEV) catalog, following reports of zero-day exploitation in the wild. The vulnerabilities, both rated 10.0 on the CVSS scoring system, are below - CVE-2026-48939 - A vulnerability in the

Received — 12 July 2026 The Hacker News

Compromised jscrambler 8.14.0 npm Release Drops Rust Infostealer During Install

11 July 2026 at 17:59
The jscrambler npm package was compromised, and simply installing its 8.14.0 release runs an infostealer on your machine. Published on July 11, 2026, the malicious version carries a preinstall hook that drops and executes a native binary, one build each for Windows, macOS, and Linux. Socket flagged the release six minutes after it was published. If you or one of your

Hackers Weaponize Balochistan Police Portal in Multi-Group Espionage Campaigns

11 July 2026 at 17:49
Cybersecurity researchers have disclosed details of sustained cyber espionage activity against several Pakistani law enforcement organizations undertaken by suspected China- and India-aligned threat actors between February 2024 and April 2026. "At Balochistan Police, the compromised assets included servers hosting web applications that manage police and citizen data, such as criminal and

Received — 11 July 2026 The Hacker News

Critical Zimbra Flaw Could Let Crafted Emails Run Malicious Code in User Sessions

11 July 2026 at 06:45
Zimbra is urging customers to apply updates to address a critical security vulnerability impacting the Classic Web Client that could result in arbitrary code execution. The vulnerability has been described as a case of stored cross-site scripting (XSS) that could allow specially crafted emails to execute malicious scripts in a user's session. It has yet to be assigned a CVE identifier. "The

Received — 10 July 2026 The Hacker News

URGENT - Progress Tells ShareFile Customers to Shut Down Storage Zone Controllers Over Security Threat

10 July 2026 at 16:30
Progress Software has told ShareFile customers to shut down the Windows servers running their Storage Zone Controllers, confirming to The Hacker News that it is responding to a "credible external security threat." The company has temporarily disabled access to the affected accounts, a step it says it took "out of an abundance of caution" while it works with internal and external security

Injective Labs GitHub Compromise Pushes Wallet-Key-Stealing npm Packages

10 July 2026 at 16:29
Unknown threat actors compromised the Injective Labs SDK project's GitHub repository and leveraged it to publish a malicious package on the npm registry to steal cryptocurrency wallet private keys and mnemonic seed phrases. The compromised version, @injectivelabs/sdk-ts@1.20.21, came embedded with fake telemetry functionality that exfiltrated data from cryptocurrency wallets. The version was

Six New U-Boot Flaws Could Let Malicious Images Crash Devices or Run Code at Boot

10 July 2026 at 15:57
Researchers at firmware security firm Binarly have found six new flaws in U-Boot, the small program that starts up hardware as varied as home routers, smart cameras, and the management chips inside data-center servers. Four of the bugs can crash a device. The other two could let an attacker who slips a malicious image in front of the bootloader run their own code, before the device

Laser Attack Resets Tangem Wallet Passwords on Cards That Can't Be Patched

10 July 2026 at 14:51
Researchers at Ledger's Donjon security team have shown that a precisely timed laser pulse, aimed at the chip inside a Tangem crypto wallet card, can reset the card's password to anything the attacker picks. No old password. No backup card. Once it is reset, whoever did it controls the wallet and can move the coins out. This is not an emergency for most owners. The attack needs

Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws

10 July 2026 at 14:19
Details have emerged about three now-patched security flaws in the OpenClaw personal artificial intelligence (AI) assistant that, if successfully exploited, could enable credential theft, privilege escalation, and arbitrary code execution on the host. A brief description of the high-severity vulnerabilities is as follows - GHSA-hjr6-g723-hmfm (CVSS score: 8.8) - An operating system

New MODBEACON RAT Uses gRPC Streaming for Encrypted C2 Traffic

10 July 2026 at 13:15
The China-linked cybercrime group known as Silver Fox has been attributed to a new Rust-based remote access trojan (RAR) called MODBEACON. Chinese cybersecurity company QiAnXin said that while the threat cluster may appear like a low-sophistication, high-activity operation that propagates malware via counterfeit installers using SEO poisoning techniques, it belies their true organizational

Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers

10 July 2026 at 11:47
A single wrong variable on one line in XQUIC, Alibaba's QUIC and HTTP/3 library, lets any remote client crash the server with a short burst of completely legal traffic. There is no patch. FoxIO researcher Sébastien Féry disclosed the flaw on July 8 and nicknamed it XRING. He says it needs no login and no malformed packets: about 260 bytes of ordinary QPACK traffic takes the server

❌