🔐 IT News Analyzer

// AI-powered news analysis

Latest Top 10 Articles

1
Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack

Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack

Cybersecurity researchers have flagged yet another evolution of the supply chain attack linked to the Mini Shai-Hulud, Miasma, and Hades malware family that has compromised a new set of npm packages, even as it has propagated to the Go ecosystem. "The latest activity includes malicious npm releases affecting LeoPlatform and RStreams packages, GitHub Actions workflow abuse, and a related Go module compromise involving the Verana Blockchain project," Socket said . The end goal of the campaign, as before, is to harvest developer or maintainer credentials and weaponize the stolen data to spread across package registries, repositories, and trusted developer workflows. The list of affected packages is below - hexo-deployer-wrangler@1.0.4 hexo-shoka-swiper@0.1.10 leo-auth@4.0.6 leo-aws@2.0.4 leo-cache@1.0.2 leo-cdk-lib@0.0.2 leo-cli@3.0.3 leo-config@1.1.1 leo-connector-elasticsearch@2.0.6 leo-connector-mongo@3.0.8 leo-connector-mysql@3.0.3 ...

Jun 26, 2026
2
Microsoft Warns of Photo ZIP Phishing Campaign Targeting Hotels with Node.js Implant

Microsoft Warns of Photo ZIP Phishing Campaign Targeting Hotels with Node.js Implant

An active phishing campaign has been targeting hotel and other hospitality organizations across Europe and Asia since April 2026, using photo-themed ZIP files to drop a Node.js implant and dig into front-desk machines, Microsoft says. The company has not attributed the activity to a known threat actor, and the operators' end goal is still unclear. The lure plays to how hotels work. Phishing emails carry the display name "Booking Manager (via Calendly)" and reference guest complaints, bedbug infestations, room inquiries, health inspections, and stay reviews. The lures came in Japanese, Danish, and Dutch, with Japanese the most common. The subject line names no recipient or property, which points to high-volume, list-driven sending rather than tailored spear phishing. The pressure is reputational: complaints, final warnings, threatened inspections. The delivery is the interesting part. The operators route messages through Calendly's email notification system a...

Jun 26, 2026
4
Russia Used Cellebrite on Jailed Activist's iPhone Months After Sales Cutoff

Russia Used Cellebrite on Jailed Activist's iPhone Months After Sales Cutoff

Russian authorities used Cellebrite's UFED forensic tools to break into the iPhone of detained opposition activist Andrey Pivovarov in June 2021, three months after Cellebrite said it would stop selling its tools and services to Russia and Belarus. The finding, published  June 25 by the Citizen Lab , rests on two things that rarely line up: traces on the phone itself and an official Russian government report that names the tool. Investigators searched the extracted data for political contacts, opposition figures, and the names of activist organizations. This was not remote spyware. It was a forensic tool run on a seized device in custody, used to build a case in a political prosecution. Pivovarov ran Open Russia , an opposition group the Kremlin had branded "undesirable," a label that turned continued involvement into a criminal offense. He was  pulled off a flight  at St. Petersburg airport on May 31, 2021, and his iPhone 12 and MacBook were confiscated. He neve...

Jun 26, 2026
5
Google Details Turla's New STOCKSTAY Backdoor Used in Ukraine Espionage Attacks

Google Details Turla's New STOCKSTAY Backdoor Used in Ukraine Espionage Attacks

The Russian state-sponsored threat actor known as Turla has been attributed to a previously undocumented .NET backdoor called STOCKSTAY that has been deployed against government and military organizations in Ukraine, and entities that have an interest in Italian foreign policy. Describing the Windows backdoor as continually developed by the hacking group, Google Threat Intelligence Group (GTIG) said the cyber espionage tool shares significant code and functional overlaps with Kazuar , a staple implant put to use by the adversary since 2017. Suspected development activity of malware dates back to December 2022. "STOCKSTAY is a multi-component backdoor written in .NET, using the Windows Forms framework, which communicates with its command-and-control (C2) via a secure WebSocket connection, utilizing the open-source websocket-sharp library," GTIG said . "STOCKSTAY consists of several distinct components that communicate with one another via an inter-process commu...

Jun 26, 2026
6
Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability

Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability

An analysis of a popular Google Chrome ad block extension for YouTube has uncovered the ability to execute arbitrary JavaScript code. According to Island, the extension, named Adblock for YouTube (ID: cmedhionkhpnakcndndgjdbohmhepckk), has more than 10 million installs and carries a Featured badge on the Chrome Web Store. The extension description states that it allows users to prevent web page elements like ads, including preroll ads, from being displayed on the video sharing platform, as well as on external sites that load YouTube. While the add-on offers the promised functionality, it also features capabilities to run arbitrary JavaScript code. "It also contains the architectural ingredients for arbitrary JavaScript execution on any website, activated by a single server-side configuration change, without an extension update, without a store review, and without any visible sign that something has changed," researchers Oleg Zaytsev and Shachar Gritzman said in a re...

Jun 25, 2026
8
ThreatsDay Bulletin: Smart TV Proxyware, 24-Year curl Bug, AI Crime Forums + 13 More Stories

ThreatsDay Bulletin: Smart TV Proxyware, 24-Year curl Bug, AI Crime Forums + 13 More Stories

It’s dumb out there again. This week has the usual smell of prod on fire and nobody wanting to admit who left the door open — old creds still working, trusted apps doing sketchy crap, browser tricks jumping the fence, and “normal” workflows turning into phishing pipes because apparently email was not enough hell already. The worst part is how cheap some of it feels. Not elite. Not cinematic. Just stale secrets, fake updates, lazy trust, and random boxes quietly becoming someone else’s infrastructure. Same internet, fresh headache. Let’s get into it.

Jun 25, 2026
9
Surviving the Mythos Era: Richard Bejtlich on the Case for NDR

Surviving the Mythos Era: Richard Bejtlich on the Case for NDR

Despite the abundance of telemetry at analysts’ disposal, many security operations teams struggle to answer a few basic questions during incident investigation: What happened? What evidence do we have? How do we know we’re seeing it all, in context? Answering these questions requires teams to go beyond alerts, the most common basis for initial triage. But investigations (and their outcomes) require defensible evidence, not assumptions, which is what alerts tend to offer.  Alerts are becoming less useful as vulnerability discovery accelerates (a.k.a., the Mythos Era). Most organizations can’t investigate the volume of new findings with existing workflows. Even with increased automation, SecOps teams need validated evidence of active exploit and exposure, not more raw telemetry. As AI expedites both attacks and defense, security teams need to lay the groundwork that allows them to validate findings, understand attacker behavior, and stop suspicious traffic before it results in...

Jun 25, 2026
10
New Gaslight macOS Malware Uses Prompt Injection to Disrupt AI-Assisted Analysis

New Gaslight macOS Malware Uses Prompt Injection to Disrupt AI-Assisted Analysis

A previously undocumented Rust-based macOS implant and information stealer has been found to embed a prompt injection payload designed to trick a malware analyst's artificial intelligence (AI) tools and trick it into aborting or refusing an analysis of the artifact. The malware has been codenamed Gaslight owing to this deceptive behavior. It's been assessed with high confidence that the tool is the work of North Korea-aligned threat actors. "Its most notable feature is an embedded cascade of fabricated system-failure messages, designed to make an LLM-assisted triage agent doubt its own session," SentinelOne researcher Phil Stokes said in a technical report. "It attacks the agent's perception, rather than the sandbox it runs in." Central to the malware's architecture is a Telegram bot API based command-and-control (C2) channel that enters into a polling loop, allowing the operator to issue instructions over an interactive shell and return the...

Jun 25, 2026