Last updated: July 6, 2026 at 12:53 AM UTC
All 559 Vulnerability 199 Breach 107 Threat 246 Defense 7

Polyfill.io resurfaces, injecting fake login prompts on Toshiba and Muji sites

Toshiba and Muji have warned website visitors that suspicious sign-in screens appearing on their sites could harvest credentials, advising anyone who entered login data to change their passwords. The pop-ups were generated by the external polyfill[.]io service, which injected malicious code via its CDN after the domain was bought by a Chinese entity in 2024 - an incident that affected more than 100,000 websites. Japanese outlets report Zojirushi, FiNC Technologies, Ishiyaku Publishers, and Hobonichi were also hit, and a researcher observed Samsung Smart TVs and sites showing the prompt on June 1. Polyfill is a JavaScript compatibility CDN for legacy browsers; affected sites should remove all polyfill[.]io references immediately.

Check
Grep your web properties and third-party tags for any references to polyfill[.]io (scripts, CDN links, GTM containers). Check Samsung/IoT and legacy-browser-support code paths. Review recent customer credential-reset reports.
Affected
Any website still loading scripts from polyfill[.]io - the CDN compromised in 2024 and now serving credential-harvesting login prompts. Toshiba, Muji, Samsung Smart TVs, and several Japanese brands were hit.
Fix
Remove all polyfill[.]io references immediately and replace with a trusted fork (e.g. Cloudflare or Fastly mirrors). Force-reset credentials for any users who may have entered them into injected prompts.

Claude Code GitHub Action flaw let one malicious issue hijack repos via prompt injection and OIDC token theft - bot-trigger bypass

Researcher RyotaK has disclosed a now-patched flaw in Anthropic's Claude Code GitHub Action, which drops Claude into CI/CD to triage issues and review PRs with broad repo permissions. The action's trigger check waved through any actor whose name ended in [bot] - but anyone can register a GitHub App and use its token to open an issue on a public repo. Agent mode lacked the human-actor check tag mode had. The attacker then used indirect prompt injection in an issue to make Claude read /proc/self/environ and write back the OIDC credentials, which can be replayed for an installation token with write access. Anthropic's example workflow shipped with allowed_non_write_users: '*'.

Check
Audit repos using Claude Code GitHub Action: update to the patched version, and check workflows for allowed_non_write_users set to '*'. Review public run summaries for leaked secrets.
Affected
Repositories using vulnerable Claude Code GitHub Action versions, especially in agent mode or with allowed_non_write_users: '*' copied from Anthropic's example. Public repos are exposed to [bot]-triggered prompt-injection attacks.
Fix
Update the Claude Code action to the fixed release. Remove allowed_non_write_users: '*', restrict triggers to write-access humans, and rotate any OIDC-derived tokens. Avoid posting task output to public run summaries.

Cisco Unified CM critical SSRF CVE-2026-20230 lets unauthenticated attackers write files and escalate to root - public PoC, WebDialer required

Cisco has patched CVE-2026-20230, a critical server-side request forgery flaw in Unified Communications Manager (formerly CallManager), the central control system for Cisco IP telephony. An unauthenticated remote attacker can send a crafted HTTP request to write files to the underlying OS and later elevate to root - Cisco rated it Critical despite the CVSS score because of that root-escalation potential. Cisco's PSIRT is aware of public proof-of-concept exploit code but has not seen active exploitation yet. The flaw only affects systems with the WebDialer service enabled, which is off by default. There are no workarounds; admins should upgrade to 14SU6 or 15SU5, or disable WebDialer until patched.

Check
Inventory Cisco Unified CM deployments and check whether WebDialer is enabled (Tools > Service Activation > CTI Services). Confirm version against fixed 14SU6 or 15SU5. Monitor for crafted HTTP requests.
Affected
Cisco Unified CM systems with the WebDialer service enabled (off by default). CVE-2026-20230 allows unauthenticated SSRF to write files and escalate to root. Public PoC exists; no active exploitation yet.
Fix
Upgrade to Unified CM 14SU6 or 15SU5. If patching must wait, disable the Cisco WebDialer Web Service via Service Activation to block exploitation. No other workaround exists.

IronWorm Rust npm worm hits 36 packages, steals Anthropic/OpenAI/AWS credentials via eBPF rootkit and Tor; GitHub Actions used for exfil

JFrog has documented IronWorm, a new npm supply-chain worm that has infected 36 packages with an infostealer targeting 86 environment variables and 20 credential files - including OpenAI, AWS, Anthropic, and npm credentials, Vault configs, SSH keys, and Exodus wallet files. Written in Rust, it hides behind an eBPF kernel rootkit and communicates over Tor. It self-propagates using stolen npm Trusted Publishing secrets to trojanize the victim's own packages. JFrog found the same commit names as Shai-Hulud (commit author 'claude,' timestamps faked up to 13 years old) and suspects an evolution of TeamPCP's payload. Notably, it exfiltrates secrets by uploading them as innocuous-looking GitHub Actions build artifacts, avoiding external C2.

Check
Audit npm dependencies and CI for the 36 IronWorm-affected packages and preinstall scripts dropping Rust ELF binaries. Search build artifacts for disguised secret files. Rotate npm, AWS, OpenAI, Anthropic credentials.
Affected
Developers and CI systems that installed IronWorm-trojanized npm packages. It steals OpenAI/AWS/Anthropic/npm credentials, Vault configs, SSH keys, and wallets, then self-propagates via stolen Trusted Publishing secrets.
Fix
Remove affected packages, pin via lockfile, and rotate every credential reachable from affected hosts. Hunt for eBPF rootkit artifacts and Tor traffic. Review GitHub Actions build artifacts for exfiltrated secrets.

PCPJack hijacks 230 AWS, Google Cloud, and Azure servers into covert SMTP relay network using Sliver and Chisel, removes TeamPCP

SentinelOne and Hunt.io have detailed PCPJack, a credential-theft framework that hijacks cloud servers across AWS, Google Cloud, and Azure into a covert SMTP relay network - while terminating artifacts of the rival TeamPCP group. Built around a Sliver-integrated SMTP proxy toolkit with Chisel tunneling for multiple Linux architectures, it drops a hidden binary at /var/tmp/.xs and assigns each Sliver beacon a SOCKS5 port derived from an MD5 of its UUID. A deployer script runs an SMTP 'quality gate' probing outbound smtp.gmail.com:587 - hosts that cannot relay email are discarded. A C2-side Python daemon continuously prunes Chisel tunnels for SMTP capability. Around 230 servers were compromised.

Check
Hunt cloud Linux hosts for /var/tmp/.xs, Sliver and Chisel binaries, and outbound SMTP probes to smtp.gmail.com:587. Check for cron or systemd persistence. Apply SentinelOne and Hunt.io IoCs.
Affected
Internet-reachable cloud servers (AWS, Google Cloud, Azure) that attackers can compromise and that have outbound SMTP capability - the criterion PCPJack uses to select hosts for its relay network.
Fix
Block unneeded outbound SMTP (port 587/25) from cloud workloads. Remove Sliver/Chisel artifacts and persistence. Restrict egress, monitor for SOCKS5 tunneling, and rotate credentials on affected hosts.

UN World Food Programme Gaza registration platform breached - personal data of ~600,000 Palestinian households stolen, phishing warning issued

The UN World Food Programme - the world's largest humanitarian organization - has disclosed that its self-registration application for Palestine, used to register Gaza residents for assistance, was breached. Attackers accessed beneficiaries' names, ID numbers, phone numbers, and location data (including neighborhood information recorded at registration). The WFP says the intrusion occurred May 14 and exposed data for roughly 600,000 Palestinian households in Gaza. It has temporarily suspended the registration platform and stressed that assistance will continue uninterrupted. The agency warned beneficiaries to be wary of anyone claiming to represent the WFP and requesting information or money, and not to click suspicious links - a clear phishing-risk signal.

Check
Humanitarian and NGO operators: review self-registration and beneficiary platforms for exposure. If you work with WFP Gaza data, treat names, IDs, phone numbers, and locations as compromised.
Affected
Roughly 600,000 Palestinian households in Gaza whose WFP registration data (names, ID numbers, phone numbers, locations) was stolen in the May 14 breach. High risk of targeted phishing and fraud.
Fix
Affected beneficiaries: ignore unsolicited WFP-themed requests for information or money and avoid suspicious links. NGOs: harden registration platforms, minimize stored PII, and segment beneficiary databases.

Hola Browser for Windows compromised in supply-chain attack delivering undeclared Monero miner disguised as HolaMonitorService.exe

The Windows version of the Chromium-based Hola Browser has been compromised in a supply-chain attack that delivered an undeclared cryptocurrency miner. The compromise was caught during AppEsteem certification checks, with Sophos and others finding an uncertified, unsigned, obfuscated executable, me.exe, under C:\Program Files\Hola\. Analysis identified it as a Monero miner: it adds a Windows Defender exclusion, copies itself to Program Files as HolaMonitorService.exe, creates an auto-starting service named hola_monitor_svc, and runs when the machine is idle. Hola - the Israeli company behind Hola VPN, long controversial for turning free users into proxies - confirmed the compromise (independently detected by Sygnia) but says only about 0.1% of users were affected.

Check
Inventory Windows endpoints for Hola Browser installs. Check for me.exe or HolaMonitorService.exe under C:\Program Files\Hola\, the hola_monitor_svc service, and Defender exclusion rules. Hunt for Monero-miner traffic.
Affected
Windows users who installed or updated Hola Browser during the compromise window. The undeclared Monero miner adds a Defender exclusion, persists as a service, and runs when idle.
Fix
Remove Hola Browser and the me.exe / HolaMonitorService.exe miner, delete the hola_monitor_svc service, and remove the malicious Defender exclusion. Block the mining pool and monitor for residual persistence.

FlutterShell macOS backdoor spreads via Google and YouTube ads from verified shell companies - CL-CRI-1089 / TamperedChef adware-to-backdoor

Palo Alto Networks Unit 42 has documented FlutterShell, a Flutter-built macOS backdoor distributed through malicious Google and YouTube ads served by a network of Google-verified shell companies. It is the latest stage of the CL-CRI-1089 cluster and part of the broader TamperedChef / EvilAI campaigns that push trojanized productivity software. The ads lure macOS users in the US, Canada, Australia, France, and Germany into installing fake desktop apps. Beyond adware, FlutterShell supports arbitrary shell-command execution, file-system manipulation, and environment-variable exfiltration, and on launch modifies Chrome config files to force browser traffic through an attacker-controlled intermediary. Activity was seen as recently as March 2026.

Check
Warn macOS users that Google/YouTube ads for productivity apps may be malicious. Hunt for Flutter-built apps that modify Chrome config files. Apply Unit 42 IoCs.
Affected
macOS users in the US, Canada, Australia, France, and Germany lured by malvertised fake desktop apps. FlutterShell adds backdoor command execution and Chrome-hijacking on top of adware.
Fix
Source software only from official vendor sites, not search ads. Apply Unit 42 IoCs and block the ad domains. Restore Chrome config on affected Macs and remove the apps.

Magecart skimmer abuses Stripe API and Google Tag Manager to host payload and exfiltrate cards, bypassing CSP on Magento checkouts

Sansec has discovered a new Magecart card-skimming campaign that abuses Stripe's API infrastructure and Google Tag Manager to host both the skimmer payload and the stolen data. Because online stores trust googletagmanager.com and api.stripe.com by default, the skimmer slips past Content Security Policy rules and network filters that would flag an unknown skimmer domain. Malicious code embedded in a legitimate-looking GTM container activates at checkout, queries a Stripe customer record, reads JavaScript from its metadata, and runs it via new Function(). It targets Magento/Adobe Commerce checkout pages, capturing card number, expiry, CVV, name, billing address, email, and phone, then XOR-obfuscates and stores the data locally before exfiltrating through Stripe.

Check
Audit Magento/Adobe Commerce checkout pages for unfamiliar Google Tag Manager containers and JavaScript reading from api.stripe.com customer-record metadata. Review GTM container change history for unauthorized edits.
Affected
Magento/Adobe Commerce stores using Google Tag Manager. The skimmer hides in GTM containers and routes payload and stolen cards through trusted api.stripe.com, bypassing CSP and network filters.
Fix
Lock down GTM container edit access and review all containers. Apply strict CSP and Subresource Integrity, and monitor checkout pages for unauthorized scripts. Treat trusted-domain traffic as a skimmer vector.

Hackers spied on a stock exchange executive's Outlook mailbox for five months via malicious OAuth app and inbox-rule persistence

Researchers have detailed a cyber-espionage campaign in which attackers maintained access to a global stock exchange executive's Microsoft Outlook mailbox for roughly five months. The intrusion relied on a malicious OAuth application and inbox-rule persistence to quietly read and forward mail while evading detection. By abusing OAuth consent rather than stealing a password, the attackers retained access that survived password changes and looked like routine application traffic in logs. The five-month dwell time on a single high-value executive points to a patient, intelligence-driven operation rather than opportunistic crime. The case reinforces the now-recurring pattern of OAuth-app abuse and malicious inbox rules as the core of stealthy Microsoft 365 mailbox compromise.

Check
Audit Microsoft 365 for unfamiliar OAuth app consents and mailbox inbox rules, especially on executive accounts. Review consent-grant and rule-creation logs for the past six months.
Affected
High-value Microsoft 365 mailboxes, particularly executives. OAuth-consent abuse plus malicious inbox rules grants persistent, password-change-surviving access that blends into normal application traffic.
Fix
Restrict third-party OAuth app consent to admin approval. Alert on new mailbox-forwarding rules. Enforce phishing-resistant MFA and periodically review granted OAuth applications on sensitive accounts.