TechCrunch has flagged a public AWS S3 bucket operated by a UAE-registered third-party site, UK Visa Portal (Active Leadgen LLC), that exposed at least 100,000 passport scans and selfies belonging to people who paid extra to apply for UK electronic travel authorizations. The site is not the official GOV.UK service; users could complete the same application directly on GOV.UK in minutes for free. The third party reportedly responded with legal threats instead of remediation. The dataset is now in the wild and creates substantial identity-document compromise risk - passport scans plus selfies enable KYC bypass against banks, exchanges, and government services.
The FBI has issued a public service announcement warning of hundreds of fake FIFA-themed phishing and fraud sites ahead of the 2026 World Cup running June 11 to July 19 in the US, Canada, and Mexico. Domains include fiffa[.]com and alternative TLDs (.org, .xyz, .live, .sale) plus fake employment portals like jobs-fifa[.]com and fifa-hiring[.]com. The fraudulent sites collect names, addresses, phone numbers, and banking/payment details; the data is used for fake-ticket sales, hospitality-package scams, identity theft, and fraudulent account creation. Group-IB and Bitdefender confirmed parallel malvertising via Google Search, Facebook, Telegram, and WhatsApp, with one major operation attributed to a Chinese-speaking gang.
CrowdStrike, Google, and The Shadowserver Foundation have disrupted the GlassWorm developer-supply-chain botnet by simultaneously cutting four resilient command-and-control channels. Active since October 2025, GlassWorm spread through malicious OpenVSX and VS Code extensions, GitHub repos, and npm packages (one March campaign hit 400+ artifacts), stealing crypto wallets and developer credentials. Its C2 was built to resist takedown: server addresses encoded in Solana transaction memo fields, configuration stored in the BitTorrent DHT, Base64 C2 paths hidden in Google Calendar event titles, and direct VPS connections for payload delivery. All four had to fall at once. Infected hosts now beacon to CrowdStrike's sinkhole at 164.92.88[.]210.
The FBI has issued a flash alert warning that the Silent Ransom Group (also tracked as Luna Moth, Chatty Spider, and UNC3753) is now sending operatives physically to US law firms to steal data. SRG actors first pose as internal IT over phone or phishing email and try to get an employee to grant a remote-desktop session; if that fails, they dispatch someone in person to plug a USB drive or external hard drive into the target's computer. The group, formed from Conti/BazarCall operators after the 2022 Conti shutdown, has targeted US legal and financial firms since 2023, extorting victims via its leak site.
Israeli firm Gambit Security has forensically linked the late-March attack on the Los Angeles County Metropolitan Transportation Authority to Iran's Ministry of Intelligence and Security (MOIS), despite the attackers branding themselves as the pro-Iran hacktivist collective 'Ababil of Minab.' The group posted videos claiming it wiped hundreds of terabytes and stole over a terabyte of files. LA Metro confirmed the breach on April 2, 2026, and had to check hundreds of servers for compromise before bringing them back online. The case illustrates a recurring pattern of state operations wearing a hacktivist costume to provide deniability while targeting critical infrastructure.
OX Security has flagged a malicious npm package, mouse5212-super-formatter (campaign codenamed Malware-Slop), designed to exfiltrate files from /mnt/user-data - the directory Anthropic's Claude uses to handle uploads and outputs. The package presents itself as an 'archive deployment sync' utility but, during the postinstall stage, authenticates to GitHub using a token found in the victim's environment (or a hard-coded fallback), creates an attacker-controlled repository, and recursively uploads every local file. It writes a fake 'network connections' log to disguise the theft. The package leaked its own GitHub token, suggesting AI-generated malware with poor OPSEC. It has ~676 downloads and remains live on npm.
WatchGuard and ESET have documented two parallel banking-malware campaigns hitting Windows and Android users across Iberia and Latin America. The Windows campaign delivers Grandoreiro - an actively evolving banking trojan operating since 2016 that targets thousands of institutions across 45 countries - via DLL side-loading of four legitimate applications, using Delphi 11-built DLLs that abuse the sgcWebSockets library for WebRTC peer-to-peer C2 over STUN and ICE protocols to blend with web-conferencing traffic. Named targets include Abanca, Banco de Portugal, BBVA PT, Caixa Geral, Santander, plus Revolut and Wise. A companion campaign delivers the BTMOB RAT to Android users in Brazil.
Noscope has disclosed CVE-2026-27771 (CVSS 8.2), a flaw in the self-hosted Gitea version-control platform that lets unauthenticated remote attackers pull private container images with no account, password, or prior access. The 'private' designation on a container repository simply failed to enforce. It affects all Gitea versions before 1.26.2 and went undetected for nearly four years; Noscope estimates 30,000+ exposed deployments across 30+ countries, with most exposure in China, the US, Germany, France, and the UK, spanning healthcare, aerospace, retail, and ISPs. Forgejo is confirmed affected, and any Gitea fork should be treated as vulnerable until verified. Technical details were withheld to allow patching.
Microsoft has warned of an active cryptojacking campaign that surfaces malicious download sites through AI chatbot recommendations, extending SEO poisoning beyond conventional search. Attackers impersonate legitimate system utilities - CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, PDFgear - to target users with high-performance GPUs, prioritizing mining yield per host over mass infection. Beyond mining, the operators deploy ScreenConnect for persistent remote access enabling data theft, lateral movement, or ransomware. Victims who ask LLM-based tools for software-download recommendations are served links to attacker domains on subdomains of gleeze[.]com, hosted via Dynu dynamic DNS. Microsoft says it has detected and blocked the activity.
CISA has added three vulnerabilities to its Known Exploited Vulnerabilities catalog based on active-exploitation evidence. Two formally recognize the TeamPCP supply-chain wave that dominated mid-May: CVE-2026-45321 (TanStack) and CVE-2026-48027 (Nx Console embedded malicious code), the latter tied to the trojanized VS Code extension that led to GitHub's own 3,800-repo internal breach. The third, CVE-2026-8398, is an embedded-malicious-code flaw in the Daemon Tools Lite disc-imaging utility. FCEB agencies must remediate all three by the BOD 22-01 deadline; CISA urges all organizations to prioritize them. The additions confirm the supply-chain compromises moved from disclosure to documented in-the-wild exploitation.