LIVE · LAST UPDATED Jun 3 · 08:20 UTC

THREATWATCH.

Curated cybersecurity news, vulnerabilities, and threat intel. Stay informed without the noise.

critical
Miasma npm Worm Compromises Red Hat Cloud Services Packages
A supply-chain campaign called Miasma compromised @redhat-cloud-services npm packages with obfuscated preinstall code that hunts for GitHub Actions secrets, npm tokens, cloud credentials, Kubernetes and Vault material, SSH keys, and Git credentials. The report says the malware can also add persistence through Claude Code session hooks, VS Code tasks, and GitHub workflow changes, so removing node_modules is not enough cleanup.
critical
WP Maps Pro Bug Exploited to Create Rogue WordPress Admin Accounts
Attackers are exploiting CVE-2026-8732 in WP Maps Pro 6.1.0 and older to create administrator accounts on WordPress sites without authentication. WordPress plugin flaws still matter because a small business website often has payment forms, customer records, SEO value, and enough trust to become a malware or phishing launchpad.
critical
Exploit Code Published for Critical Flowise One-Click RCE
Exploit code was published for a critical Flowise vulnerability that can execute arbitrary code on self-hosted servers after a user imports a malicious chatflow. AI workflow builders should be treated as code execution surfaces, especially when they are exposed to teams that import community templates quickly.
critical
LLM Agent Used for Post-Exploitation After Marimo CVE-2026-39987 Compromise
Sysdig observed an attacker exploiting an internet-exposed Marimo notebook via CVE-2026-39987, harvesting cloud credentials, retrieving an SSH private key from AWS Secrets Manager, and dumping an internal PostgreSQL database. Command structure, value handoffs, and leaked planning text suggested LLM-agent-driven post-exploitation.
high
Google Patches 124 Android Flaws Including Actively Exploited Framework Bug
Google released the June 2026 Android security update with fixes for 124 vulnerabilities. The most urgent item is CVE-2025-48595, a high-severity Framework privilege-escalation flaw that Google says has seen active exploitation and can be triggered without user interaction on affected Android 14, 15, 16, and 16 QPR2 devices.
high
Oracle WebLogic CVE-2024-21182 Added to CISA KEV After Exploitation
CISA added Oracle WebLogic Server CVE-2024-21182 to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The operational point is simple: once an enterprise middleware bug reaches KEV, teams should move from severity debate to exposed-instance discovery, patching, isolation, and log review.
high
Gamaredon Uses WinRAR CVE-2025-8088 to Deliver GammaWorm and GammaSteel
Researchers attributed a Ukraine-focused campaign to Gamaredon that weaponizes WinRAR CVE-2025-8088, a path traversal flaw, to launch GammaPhish and retrieve GammaLoad downloaders for later GammaWorm and GammaSteel payloads. Archive tools remain a phishing execution surface, not harmless desktop clutter.
high
Remote Codex UI npm Package Steals OpenAI Codex Auth Tokens
Researchers reported that codexui-android, a functional npm package advertised as a remote web UI for OpenAI Codex, exfiltrated ~/.codex/auth.json tokens to a fake Sentry-looking endpoint. The same chain was tied to Android apps with tens of thousands of installs, making AI developer tooling a direct credential-theft target rather than a side story.
high
Meta AI Support Bot Reportedly Used to Hijack Instagram Accounts
KrebsOnSecurity reported that attackers circulated instructions for tricking Meta's AI support assistant into adding a new email address during Instagram account recovery. Meta said the issue was resolved and impacted accounts were being secured, but the story is a useful warning: AI support flows that can change account recovery data are security-critical automation, not harmless chat widgets.
high
New CIFSwitch Linux Flaw Gives Local Attackers Root on Multiple Distributions
Researchers disclosed CIFSwitch, a Linux kernel local privilege escalation flaw involving forged CIFS authentication key descriptions and the kernel keyring. It is local rather than remote, but root escalation bugs matter whenever an attacker has already landed through phishing, exposed services, or developer workstations.
high
PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation
Palo Alto Networks warned that CVE-2026-0257, a medium-severity authentication bypass affecting PAN-OS and Prisma Access GlobalProtect deployments, is being exploited in the wild. The severity label is deceptively calm: authentication bypass on a remote access edge service should be triaged as internet-facing perimeter risk until patched or mitigated.
high
33 Malicious npm Packages Abuse Dependency Confusion to Profile Developer Environments
Microsoft reported a dependency-confusion campaign using 33 malicious npm packages to collect reconnaissance data from developer and build environments. The packages used believable internal-sounding names, inflated versions, and postinstall hooks; Microsoft said the current payload is recon-only, but the architecture supports selective follow-on exfiltration or backdoor deployment.
high
Infostealer Delivered Through FortiClient EMS CVE-2026-35616
Arctic Wolf observed attackers exploiting FortiClient EMS CVE-2026-35616 to alter VPN scripting workflows and deliver EKZ Infostealer as a fake Fortinet endpoint update. The malware targets browser cookies, credentials, and autofill data, so remediation requires session revocation as well as password resets.
high
Russia-Linked GREYVIBE Targets Ukraine with AI-Assisted Cyberattacks
WithSecure attributed persistent Ukraine-focused attacks to a previously undocumented Russian-speaking group dubbed GREYVIBE. Reported tactics include spear-phishing, fake CAPTCHA pages, malicious JavaScript, and AI-assisted infrastructure and payload work aligned with Russian intelligence interests.
high
Malicious Sicoob NuGet Package Steals Banking Certificates as npm Packages Hunt Cloud Secrets
Socket found malicious versions of a NuGet package posing as a Sicoob SDK that exfiltrate client IDs and PFX certificates used for Brazilian banking integrations. The same reporting also covered malicious npm packages aimed at cloud secrets, reinforcing that package registries remain a credential-theft channel, not just a dependency risk.
high
California Sues 23andMe Over 2023 Genetic Data Breach
California's attorney general sued 23andMe, now operating under Chrome Holding Co., over alleged failures tied to the 2023 breach exposing genetic and personal data. The privacy lesson is still ugly: credential stuffing becomes much higher impact when the account contains family, ancestry, and health-adjacent data.
high
Chrome 148 Patches 151 Vulnerabilities Including Critical Browser Bugs
Google released Chrome 148 with fixes for 151 vulnerabilities, including critical-severity defects that could potentially lead to remote code execution. Browser patching remains one of the highest-leverage personal and enterprise security controls because the browser is both the document viewer and the app runtime.
high
ChatGPT Share Links Abused to Host Fake Outage Pages Delivering Malware
Push Security documented the LLMShare campaign, where attackers use Google ads to route victims to legitimate ChatGPT shared pages that render fake outage notices and push malware disguised as the ChatGPT desktop app. The attack abuses the reputation of chatgpt.com rather than relying on lookalike domains.
high
ChatGPhish Turns AI Summaries Into a Trusted Phishing Renderer
Permiso Security disclosed ChatGPhish, a technique where attacker-controlled web content summarized by ChatGPT can cause Markdown links, remote images, fake alerts, and QR codes to render inside the trusted ChatGPT UI. The important shift is UI trust: the assistant becomes a phishing presentation layer for untrusted source content.
high
Mini Shai-Hulud npm Campaign Steals Cloud and CI/CD Secrets Through Typosquats
Microsoft detailed the Mini Shai-Hulud campaign, where typosquatted npm packages spoofed OpenSearch metadata, used inflated version numbers, and ran install-time hooks to target cloud and CI/CD credentials. This is the part of supply-chain risk that hurts developers directly: a typo or dependency-resolution mistake can execute before application code ever imports the package.
medium
Weedhack Malware Campaign Targets Minecraft Users Through YouTube
Researchers flagged Weedhack, a malware-as-a-service campaign aimed at Minecraft players through YouTube lures, alongside CountLoader infections reportedly reaching 86,000 systems and miners spread through pirated content. Gaming and modding ecosystems remain a soft path into personal devices because users expect downloads, launchers, and community tools.
medium
Agent Threat Rules Proposes Open YAML Detection Format for AI Agent Security
Help Net Security covered Agent Threat Rules, an open YAML rule format for detecting AI-agent threats across coding assistants, MCP servers, and multi-agent frameworks. The pitch is useful: agent security needs portable detections for prompt injection, tool poisoning, credential misuse, and suspicious execution patterns rather than one-off vendor dashboards.
medium
CSA Survey Says Known Vulnerabilities Drive Most Application Security Incidents
A Cloud Security Alliance survey reported by Help Net Security says eight in ten organizations suffered an application security incident tied to a known vulnerability in the past year. The useful takeaway is not another dashboard: teams need inventories and patch paths good enough to answer whether a newly exploited bug is actually present in production.
medium
Dashlane Says Fewer Than 20 Encrypted Vaults Were Downloaded After 2FA Brute Force
Dashlane disclosed that an external actor brute-forced selected personal-plan accounts, registered new devices in a small number of cases, and downloaded encrypted vault copies for fewer than 20 users. Dashlane says its internal systems were not affected and notified the impacted users directly; users should still review registered devices, keep 2FA on, and use a strong master password.
medium
BadBone Backdoor Stays Dormant Until a Downloaded Model Is Customized
Help Net Security covered BadBone, a research attack that plants a dormant backdoor in a backbone AI model and activates only after downstream prompt-learning customization plus a trigger input. Six published defenses missed most poisoned configurations, which makes model provenance and post-customization testing part of the AI supply-chain problem.
medium
EDRi Calls on EU Actors to Cut Ties With ISS World Europe Surveillance Trade Fair
EDRi and civil-society groups called on EU institutions, governments, universities, and public bodies not to participate in or legitimize ISS World Europe in Prague. The statement frames the closed surveillance trade fair as a marketplace for spyware, mass monitoring, and data-harvesting tools linked to repression against journalists, activists, migrants, and political opponents.
medium
OpenAI Requires Stronger Authentication for Users of Its Most Powerful Models
Help Net Security reported that OpenAI is requiring stronger authentication, including passkeys through Yubico, for users of its most powerful AI models. The operational lesson is simple: high-capability AI accounts now look more like privileged admin accounts, so phishing-resistant authentication belongs in the default control set.
medium
OWASP Agent Memory Guard Adds a Runtime Layer Against AI Memory Poisoning
OWASP Agent Memory Guard screens agent memory reads and writes for prompt injection markers, secrets, protected-key tampering, and size anomalies. Help Net Security reported benchmark results of 92.5% recall, 100% precision, and 59 microsecond median latency across 55 test cases, which makes memory poisoning feel less like theory and more like an operational control plane problem.
medium
DataGrail Report Says AI Privacy Laws and Hidden Subprocessors Are Outrunning Privacy Teams
DataGrail's Privacy and AI Trends Report 2026 says 145 AI-related laws were enacted by state legislatures in 2025 and more than 1,000 additional bills were introduced or revised. The same report found that 63.6% of popular business software providers advertising AI capabilities did not disclose third-party AI subprocessors in legal documentation, leaving privacy teams with blind spots around where personal data flows.
medium
FROST Browser Side Channel Uses OPFS and SSD Timing to Infer User Activity
Researchers demonstrated FROST, a browser side channel that uses Origin Private File System operations and SSD contention timing to infer activity on a user's system. It does not read files or escape the sandbox, but it shows how ordinary web APIs can become tracking sensors.