Last updated: July 6, 2026 at 12:53 AM UTC
All 559 Vulnerability 199 Breach 107 Threat 246 Defense 7

Instagram AI recovery flaw let attackers hijack 20,000 accounts

Meta has confirmed that attackers took over 20,225 Instagram accounts by abusing a flaw in its AI-assisted account recovery tool, called High Touch Support. A bug meant the system never checked that the email address someone supplied actually belonged to the account, so an attacker could request a password reset for any account and have the link sent to their own inbox, then walk in, unless the target had two-factor authentication on. High-profile accounts, reportedly including the Obama White House and US Space Force personnel, were hijacked and sold on the dark web. Meta has secured the accounts and is fixing the verification check before relaunching the tool.

Check
Confirm two-factor authentication is enabled on your Instagram and other Meta accounts, and review login activity and linked email addresses for unauthorized changes since mid-April.
Affected
Instagram accounts (about 20,225 confirmed), particularly high-value or verified accounts without two-factor authentication, that could be reset through the flawed High Touch Support recovery tool.
Fix
Turn on two-factor authentication, review and remove unrecognized linked emails and active sessions, and reset your password. Meta has secured affected accounts and is patching the recovery flow.

Meta disrupts new NSO spyware phishing aimed at WhatsApp users

Meta says it caught and shut down fresh spear-phishing attempts linked to Israeli spyware maker NSO Group that tried to lure WhatsApp users into clicking malicious links leading to sites outside the app, mirroring the one-click attacks NSO has used to plant its Pegasus spyware. Meta also found and removed NSO-created test accounts and groups, and published the malicious domains involved. The company is now asking a US federal court to hold NSO in contempt for violating the permanent injunction issued last year barring it from targeting WhatsApp. High-risk users such as journalists, activists, and officials are the usual targets of this kind of mercenary spyware.

Check
Block the NSO-linked phishing domains Meta published at your web and DNS gateways, and review whether high-risk staff received WhatsApp messages pushing links to external sites.
Affected
WhatsApp users targeted by one-click social-engineering links, especially high-risk individuals like journalists, activists, and government officials who are typical mercenary-spyware targets.
Fix
Avoid clicking links in unsolicited WhatsApp messages, enable Lockdown Mode on iOS and Android for high-risk users, keep devices fully updated, and block the published malicious domains.

New C0XMO botnet exploits DD-WRT router flaw, wipes rival malware

Fortinet has uncovered a new botnet called C0XMO, built from the long-running Gafgyt malware family, that breaks into devices by exploiting an old flaw (CVE-2021-27137) in the UPnP service of DD-WRT router firmware. A booby-trapped network request gives the attacker code execution with no login needed. Once in, C0XMO digs in with hidden files and cron jobs that re-run it every 15 minutes, then hunts down and deletes rival botnets and even researchers' security tools to keep the device to itself. A separate scanner spreads it across many chip types (ARM, MIPS, x86, and more), and infected devices are wired up to launch 19 kinds of denial-of-service floods.

Check
Audit routers and IoT devices for DD-WRT firmware vulnerable to CVE-2021-27137, and hunt Linux hosts for hidden .sys files, 15-minute cron jobs, and modified shell profiles.
Affected
DD-WRT router firmware with the vulnerable UPnP/SSDP service (CVE-2021-27137) reachable on UDP port 1900, plus Linux and IoT devices with weak Telnet or SSH credentials.
Fix
Update DD-WRT firmware to a fixed build, disable UPnP and internet-facing Telnet/SSH, set strong unique admin credentials, and remove the malware's cron jobs and hidden payloads.

Silent Ransom Group hits law firms with fake IT support calls

Mandiant has detailed how the extortion crew Silent Ransom Group (also tracked as Luna Moth and UNC3753) is breaking into US law firms and other professional-services companies through phone calls rather than malware. Attackers send a harmless-looking invoice or data-migration email, then call the target pretending to be internal IT support, talk them into starting a screen-share, and get them to install a remote management tool that hands over access. From there, Mandiant has seen data located, staged, and stolen in under an hour. The group skips encryption entirely, instead threatening to leak stolen files unless paid. A recent FBI alert added in-person office visits to the playbook.

Check
Review RMM and remote-access tool installs from the past month tied to inbound IT support calls, and flag invoice or data-migration emails sent from consumer addresses.
Affected
US law firms and financial and professional-services organizations whose staff can be phoned and talked into screen-sharing or installing remote management software.
Fix
Require staff to verify any IT support contact through a known internal channel before granting access, restrict who can install RMM tools, and enforce phishing-resistant MFA.

Five Eyes warns China is recruiting officials via fake job offers

The Five Eyes intelligence agencies (US, UK, Canada, Australia, and New Zealand) issued a joint bulletin, "Safeguarding Our Secrets," warning that Chinese military intelligence officers are posing as recruiters on sites like LinkedIn, Indeed, and Upwork. Fronting as think tanks, consultancies, or HR firms, they post fake jobs such as foreign-policy or defense-analyst roles, then use the interview process to pressure targets into handing over classified or non-public information. The agencies say current and former government, military, defense-contractor, research, and journalist personnel are all in scope, with extra focus on those tied to the Indo-Pacific. The goal is harvesting privileged military, political, and economic intelligence.

Check
Brief staff in sensitive government, defense, and research roles to scrutinize unsolicited recruiter and consulting approaches, and check whether anyone has shared non-public information during one.
Affected
Current and former Five Eyes government, military, defense-contractor, policy, research, and journalist personnel with access to classified or privileged information, especially those linked to the Indo-Pacific.
Fix
Verify recruiters and employers through official channels before engaging, never discuss sensitive work in interviews, and report suspected approaches to your security team or national agency.

Nightclub operator RCI breach exposes 40,000 records via website IDOR flaw

RCI Hospitality, one of the largest US adult-nightclub operators, has confirmed that a breach exposed the personal data of 40,178 people, mostly independent contractors. Attackers got in through an insecure direct object reference (IDOR) flaw on one of the company's IIS web servers, a common web bug where simply changing an ID number in a web address lets you pull up someone else's record. The intrusion began March 19 and was spotted four days later. Stolen data includes names, dates of birth, Social Security numbers, and driver's license numbers. RCI says no customer or financial systems were touched, and the data has not yet appeared publicly.

Check
If you received an RCI breach notice or worked with RCI, watch for identity fraud. Developers should test their own web apps for IDOR by altering record IDs in authenticated requests.
Affected
Roughly 40,178 people, mostly independent contractors of RCI Hospitality, whose names, birth dates, Social Security numbers, and driver's license numbers sat in the breached IIS web server.
Fix
Affected individuals should enroll in any offered credit monitoring and freeze their credit. Similar orgs should add server-side authorization checks on every object reference and pen-test for IDOR.

AI agent finds 21 FFmpeg zero-days, public exploit code released

A security startup's autonomous AI agent scanned FFmpeg, the open-source media library built into countless video and audio tools, and turned up 21 previously unknown bugs, each with working proof-of-concept code that crashes or corrupts memory when the software processes a malicious media file. Several flaws are 15 to 20 years old; one dates back to 2003. Nine already carry CVE numbers (CVE-2026-39210 through CVE-2026-39218), and the rest are fixed but not yet numbered. The whole run cost about $1,000. Because FFmpeg sits inside browsers, media servers, and apps everywhere, any product that decodes untrusted video could be at risk.

Check
Inventory software and services that bundle FFmpeg or libav, especially media servers and transcoding pipelines that decode untrusted, user-supplied video or audio files.
Affected
FFmpeg builds containing the affected parsers and demuxers (TS, VP9, DASH, and others). Nine flaws tracked as CVE-2026-39210 through CVE-2026-39218; remaining bugs fixed but unnumbered.
Fix
Apply upstream fixes by updating to the newest official FFmpeg build; distributions are shipping patches now. Rebuild any app that statically bundles FFmpeg against the fixed code.

Chrome patches record 429 flaws, including a sandbox-escape RCE

Google shipped Chrome 149 with fixes for 429 security bugs, the most ever in a single Chrome release. More than 100 are rated critical or high. The worst, an out-of-bounds read and write in the ANGLE graphics engine that Chrome uses to render web pages, lets a booby-trapped website break out of the browser's protective sandbox and run code on the victim's computer; Google paid a $97,000 bounty for it. None are confirmed under attack yet, but a sandbox escape is the kind of bug attackers race to weaponize, so patching before that happens matters.

Check
Check the Chrome version on every managed endpoint (chrome://version or your MDM inventory) and confirm Chromium-based browsers like Edge and Brave are also updated.
Affected
Google Chrome before version 149 on Windows, macOS, and Linux. Worst flaw CVE-2026-10881 (CVSS 9.6), an ANGLE out-of-bounds read and write enabling sandbox escape.
Fix
Update Chrome to version 149 or later and relaunch to apply it. Push the update through enterprise policy and patch Edge, Brave, and other Chromium browsers.

Miasma worm hits 73 Microsoft GitHub repos, targets AI coding tools

The self-spreading Miasma worm, a variant of the Shai-Hulud malware linked to the group TeamPCP, has reached Microsoft's own code. Using a stolen access token, attackers pushed a malicious commit into the Azure durabletask repository, and GitHub disabled 73 repositories across four Microsoft organizations including Azure and MicrosoftDocs. The twist: the planted code runs automatically when a developer opens the project in an AI coding assistant like Claude Code, Cursor, Gemini CLI, or VS Code, then harvests cloud and developer credentials and uses them to infect more projects. It hides the trigger inside a build file (binding.gyp) that most security tools ignore.

Check
Search your GitHub orgs for commits, public repos, or build files matching Miasma naming patterns, and review AI coding agent configs (binding.gyp, agent rules) for unexpected auto-run payloads.
Affected
Organizations using npm, PyPI, or GitHub alongside AI coding assistants (Claude Code, Cursor, Gemini CLI, VS Code). Stolen maintainer tokens enable backdoored package and repo publishing.
Fix
Rotate GitHub, npm, and cloud credentials exposed to affected projects. Remove malicious commits and configs, enforce 2FA and short-lived tokens, and block install-time scripts in CI.

HVAC distributor Baker breach exposes 102,000 accounts to ShinyHunters

Baker Distributing, one of the largest US wholesalers of heating, cooling, and refrigeration equipment, has been hit by the extortion group ShinyHunters, which stole company data and posted it after the company did not pay. Breach-tracking service Have I Been Pwned has now confirmed 102,935 affected accounts; the gang originally claimed more than 260,000 stolen records pulled from Salesforce and internal SharePoint sites, including HR documents. ShinyHunters has been on a tear this year, breaking into corporate SaaS accounts by tricking IT help desks into resetting credentials. Exposed personal and business data fuels follow-on phishing aimed at Baker's customers and staff.

Check
If you work with or for Baker Distributing, check whether your email appears in Have I Been Pwned and watch inboxes for HVAC or invoice-themed phishing referencing the breach.
Affected
Baker Distributing employees, contractors, and business customers whose personal and corporate data sat in the breached Salesforce and SharePoint systems; 102,935 accounts confirmed.
Fix
Reset passwords reused with Baker accounts and enable phishing-resistant MFA. For your own org, lock down help-desk identity resets with callback verification to blunt ShinyHunters-style social engineering.