šŸ” IT News Analyzer

// AI-powered news analysis

Latest Top 10 Articles

1
Junior Hacker Used Tailscale and OpenSSH to Keep Access After His C2 Went Offline

Junior Hacker Used Tailscale and OpenSSH to Keep Access After His C2 Went Offline

A French-speaking attacker broke into a small French automotive business, planted a keylogger, and stole banking and email credentials. Ordinary stuff, until one move near the end. Before his command-and-control server went dark, he installed OpenSSH and Tailscale on a victim's machine, building a way back in that did not run through the C2 at all. When the Havoc server went offline the next day, his access did not. Eighteen days later, the C2 came back, his agents reconnected on their own, and he carried on. Cato NetworksĀ captured the whole operation command by command, 339 of them over 33 days, after the operator left his SSH keys and a step-by-step playbook in an open storage bucket. The write-up, published Tuesday by Cato CTRL researcher Vitaly Simonovich, is a rare view of an intrusion from the operator's keyboard rather than the forensic leftovers. Researchers' lesson is blunt: pulling a C2 server offline is not remediation if the attacker has already built a...

ī ‚Jun 17, 2026
2
Malicious JetBrains Plugins Steal AI API Keys as Chrome Extensions Capture Chatbot Chats

Malicious JetBrains Plugins Steal AI API Keys as Chrome Extensions Capture Chatbot Chats

Cybersecurity researchers have flagged a "coordinated malware campaign" on the JetBrains Marketplace that has published no less than 15 malicious plugins capable of exfiltrating artificial intelligence (AI) provider keys. "Every plugin poses as an AI coding assistant built on DeepSeek and other large language models, offering chat, commit messages, code review, bug finding, and unit tests," Aikido Security researcher Ilyas Makari said . "They function exactly as advertised. However, the AI provider API key you enter gets exfiltrated to a server controlled by the attacker." The activity is said to have been ongoing since the end of October 2025, with new plugins released as recently as June 10, 2026. Two of the plugins, CodeGPT AI Assistant and DeepSeek AI Assist, have more than 25,000 downloads each, although it's not clear if the counts are authentic or if they have been inflated to fake their popularity. The complete list of plugins is below -...

ī ‚Jun 17, 2026
4
Adversarial Exposure Validation Turns Security Visibility into Confident Prioritization

Adversarial Exposure Validation Turns Security Visibility into Confident Prioritization

For security teams, the findings never stop, but confidence in knowing which ones matter is becoming harder to maintain. The problem is no longer visibility. It's validation. Security teams must decide which findings warrant action while operating under constant pressure and incomplete information. Increasingly, the challenge is not discovering potential risks. It is determining which risks deserve attention first. Visibility Got Us Here. Validation Moves Us Forward. The security industry has spent the better part of a decade improving visibility. Vulnerability scanners, cloud security posture tools, endpoint detection, attack surface platforms, code analysis, and threat intelligence feeds all contribute to a more complete understanding of the attack surface. The investment has been enormous, and it has largely worked. Modern enterprises can see their environments in ways that would have seemed remarkable ten years ago. Yet improved visibility has not automatically transla...

ī ‚Jun 17, 2026
5
The Top 10 Attack Surface Exposures in 2026

The Top 10 Attack Surface Exposures in 2026

Breaches don't always start with a zero-day. An exposed admin panel can get brute-forced, or credentials reused from a previous attack. But when a vulnerability does drop ā€” like MongoBleed earlier this year, which let attackers pull credentials and session tokens from server memory without authentication ā€” anything internet-facing is immediately at risk. With time-to-exploit now down to a single day, the question isn't just how fast you can patch. It's why the service was exposed in the first place. The team at Intruder analyzed 3,000 attack surfaces to find out how much of a typical organization's attack surface consists of services that have no reason to be there. We grouped what we found into four categories ā€” HTTP panels, risky ports and services, databases, and publicly accessible files and information. The full findings, including breakdowns by company size and industry, are in our 2026 Attack Surface Management Index . How widespread is the problem? ...

ī ‚Jun 17, 2026
6
144 Mastra npm Packages Compromised via Hijacked Contributor Account

144 Mastra npm Packages Compromised via Hijacked Contributor Account

As many as 144 npm packages associated with the Mastra namespace ("@mastra/*"), a popular open-source JavaScript and TypeScript framework for building artificial intelligence (AI) applications, have been compromised as part of a software supply chain attack codenamed easy-day-js , per findings from Endor Labs , JFrog , SafeDep , Socket , and StepSecurity . "A single npm account (ehindero) mass-published more than 140 malicious packages across the Mastra scope within a short window on 2026-06-17," Socket said. The infected packages themselves do not include malicious code. Instead, it's introduced by means of a third-party library named "easy-day-js" that has been added to each package's dependency list in what has been described as an automated publishing campaign spanning 88 minutes. In its analysis, SafeDep described "easy-day-js" as a clone of the "dayjs" date library that downloads and runs a cryptocurrency-stealing...

ī ‚Jun 17, 2026
8
CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution

CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a maximum-severity security flaw impacting Widget Factory Joomla Content Editor (JCE) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2026-48907 (CVSS score: 10.0), is a case of improper access control that could facilitate arbitrary code execution. "Widget Factory Joomla Content Editor contains an improper access control vulnerability which could allow for upload and execution of PHP code via the creation of new editor profiles for unauthenticated users," CISA said . According to a description of the vulnerability published on CVE.org, the issue resides in the JCE editor extension for Joomla, allowing a bad actor to create new editor profiles for unauthenticated users, effectively paving the way for PHP code upload and execution. The issue impacts JCE versions from 1.0.0 through 2.9.99.4. It has been pa...

ī ‚Jun 17, 2026
9
Google Vertex AI SDK Flaw Let Attackers Hijack Model Uploads via Bucket Squatting

Google Vertex AI SDK Flaw Let Attackers Hijack Model Uploads via Bucket Squatting

A flaw in the Google Cloud Vertex AI SDK for Python let an attacker with no access to a victim's project hijack the victim's machine learning model upload and run code inside Google's serving infrastructure. Palo Alto Networks Unit 42, which found and reported the bug through Google's bug bounty program, calls the technique " Pickle in the Middle " and said it saw no exploitation in the wild. Google has patched it; if you use the SDK, update to version 1.148.0 or later. The attacker needed only a Google Cloud project of their own and the victim's project ID, which is often public. No credentials, no phishing, no foothold in the target. The flaw was in how the SDK chose a temporary Cloud Storage bucket for model uploads. If a user did not set a bucket, the SDK generated a predictable name from the project ID and region, such asĀ  project-vertex-staging-region . It checked whether that bucket existed, but not whether the victim owned it. Because buc...

ī ‚Jun 16, 2026
10
ClickFix Campaigns Expand Malware Delivery With New Loaders and Fake Update Lures

ClickFix Campaigns Expand Malware Delivery With New Loaders and Fake Update Lures

Cybersecurity researchers have flagged multiple ClickFix campaigns that deliver three malware loaders called BabaDeda Loader , Lorem Ipsum Loader , and Potemkin , per independent reports from Morphisec , BlueVoyant , and Huntress , respectively. Attacks involving BabaDeda Loader, observed in April 2026, have targeted education and financial organizations. "Earlier BabaDeda activity was known for concealing malicious payloads inside legitimate looking installer packages," Morphisec researcher Shmuel Uzan said. "This new framework keeps that same code genome but expands it into a far more capable loader built for stealth, evasion, and payload flexibility." The starting point of the attacks is a ClickFix social engineering attack that deceives users into running attacker-supplied PowerShell commands to deliver the loader, which is then used to drop information stealers and remote access trojans (RATs) by combining well-known techniques like hidden PowerShell, i...

ī ‚Jun 16, 2026