IT News Analyzer

// AI-powered news analysis

Latest Top 10 Articles

1
U.S. Government Entity Paid Kairos $1 Million in Data-Theft Extortion Case

A U.S. government entity paid about $1 million to keep stolen files from being leaked, according to a new case study by Rakesh Krishnan for Ransom-ISAC, built on a leaked negotiation chat and the blockchain trail the payment left. The odd part: the group that took the money calls itself Kairos, but it may not be a ransomware gang at all. Krishnan found no sign that it ever locked a single machine: no encryptor, no locker, no demand for a decryption key. The threat was simpler. Steal the files, then charge the victim not to publish them. Krishnan does not name the victim, but the chat points to Union County, Ohio. The proof-of-theft files carry names like Union.xlsx, 1 union co psi template.doc, and a final archive called union.rar. The victim calls itself a small county with limited resources. The attacker leans on one folder in particular, marked "prosecutors office," warning that leaking it would help criminals dodge charges. The clues fit a real case. I...

Jul 04, 2026
2
North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign

The North Korean threat actors linked to the Contagious Interview campaign have been observed publishing 108 unique packages and web browser extensions spanning npm, Packagist, Go, and Google Chrome as part of an ongoing activity referred to as PolinRider. "The campaign remains active, and new malicious packages are likely to continue appearing as threat actors compromise maintainer accounts, modify legitimate repositories, and publish infected package versions where they retain or obtain registry access," Socket security researcher Karlo Zanki said in an analysis published this week. The 162 malicious release artifacts span multiple release versions corresponding to 108 unique packages and extensions, including 19 npm libraries, 10 Composer packages, 61 Go modules, and one Google Chrome extension. Contagious Interview is the moniker assigned to a North Korea-aligned campaign that weaponizes job recruitment to target software developers and individuals working i...

Jul 04, 2026
4
Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices

Security firm runZero has disclosed seven vulnerabilities in FatFs, a small filesystem library that lets a device read and write the FAT and exFAT formats used on USB drives and SD cards. The flaws matter because FatFs is nearly everywhere. It ships inside the firmware that runs security cameras, drones, industrial controllers, hardware crypto wallets, and other devices built on real-time operating systems. On the worst-affected systems, an attacker who gets a booby-trapped USB drive, SD card, or update file onto a device can corrupt its memory and run their own code. Many embedded devices lack the memory protections found on phones and desktops, which is why runZero says "any physical access leads to a jailbreak." A public kiosk, a camera with an SD slot, an ATM, or a voting machine with a USB port should not hand over full control after a moment of physical access, but here it can. All seven bugs work the same basic way. The device tries to read a storage vo...

Jul 03, 2026
5
New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android

A newly disclosed Linux kernel flaw called Bad Epoll (CVE-2026-46242) lets an ordinary user with no special access take full control of a machine as root. It affects Linux desktops, servers, and Android, and a fix is out. Bad Epoll sits in the same small stretch of kernel code where Anthropic's most powerful AI model, Mythos, recently found a different bug. The AI caught one flaw and missed this one. A researcher, Jaeyoung Chung, found it and built a working attack. How the bug works: Epoll is a standard Linux feature that lets a program watch many files or network connections at once. Servers, network services, and web browsers all lean on it. You cannot simply switch it off. Bad Epoll is a "use-after-free" bug. Two parts of the kernel try to clean up the same internal object at the same time. One frees the memory while the other is still writing into it. That brief collision lets an attacker corrupt kernel memory, then climb from a normal account up to root...

Jul 03, 2026
6
New Avalon Malware Framework Packs CrownX Ransomware Capabilities

Cybersecurity researchers have discovered a previously undocumented modular malware framework codenamed Avalon that's distributed by means of a multi-stage phishing chain capable of bypassing traditional security controls. Avalon combines credential collection, lateral movement, remote access, recovery disruption, and ransomware execution, bringing together diverse functions under one umbrella. The ransomware component has been internally named CrownX. "The attack began with a spoofed legal document email directing recipients to a password protected archive on Proton Drive," Blackpoint Cyber researchers Nevan Beal and Sam Decker said. "Malicious content was embedded inside an ISO image rather than attached directly, reducing the likelihood of detection at the email layer." Should the email recipient interact with a document-themed Windows Shortcut ("Secure Document CA-283505.pdf.lnk") inside the mounted image, it triggers a staged malware s...

Jul 03, 2026
8
North Korea-Linked npm Packages Mimic Rollup Polyfills to Steal Developer Secrets

Threat actors with ties to North Korea have been linked to a fresh set of malicious npm packages that masquerade as Rollup polyfill tooling to facilitate remote access and data theft. According to JFrog, the packages "rollup-packages-polyfill-core" and "rollup-runtime-polyfill-core" mimic the legitimate "rollup-plugin-polyfill-node" project, down to the description, repository metadata, and package shape. "The lookalike packages place themselves in the same rollup, polyfill, core, and node naming space, which can look plausible during a quick dependency review," JFrog said in a technical write-up of the campaign. The campaign also involves four other packages, all of which have since been removed from the npm registry: quirky-token, react-icon-svgs, rollup-plugin-polyfill-connect, and swift-parse-stream. What's noteworthy here is that "rollup-packages-polyfill-core" installs and loads "swift-parse-stream,...

Jul 03, 2026
9
Armored Likho Targets Government Agencies, Power Sector with BusySnake Stealer

A previously undocumented threat actor known as Armored Likho has been attributed to cyber attacks targeting government agencies and the electric power sector across Russia, Brazil, and Kazakhstan. "Armored Likho blends financially motivated campaigns targeting private individuals with targeted cyber espionage aimed at organizations," Kaspersky said in a technical analysis published today. "Their toolkit features obfuscated, modular RATs and infostealers specifically engineered to bypass dynamic analysis." The attacks are also characterized by the use of tools like Go2Tunnel for remote access and network tunneling. The wide variety of tools in its arsenal allows the threat actor to maintain persistent access to compromised hosts, steal credentials and sensitive data, and dynamically deliver modules tailored to the victim's profile. The Russian cybersecurity vendor said Armored Likho shares possible overlaps with a threat cluster tracked by BI.ZONE under...

Jul 03, 2026
10
European Parliament Member Investigating Spyware Was Hacked With Pegasus

A new report from the Citizen Lab has revealed that former Member of the European Parliament Stelios Kouloglou had his mobile device repeatedly hacked with the notorious Pegasus spyware while serving on a committee that was tasked with investigating the abuse of such commercial surveillance tools in the bloc. "Through forensic analysis of his device, we found that the attackers could have had access to confidential documents and committee deliberations," the Citizen Lab researchers John Scott-Railton, Bill Marczak, Bahr Abdul Razzak, Kate Pundyk, Siena Anstis, and Ron Deibert said. The infections have not been attributed to a particular government at this time, and there is no evidence that the Greek government is behind the activity. However, the Canadian interdisciplinary research laboratory noted that it identified an overlap between the first infection and a previous campaign targeting Russian and Belarusian-speaking exiled journalists and activists in Europe. ...

Jul 03, 2026