Last updated: July 6, 2026 at 12:53 AM UTC
All 559 Vulnerability 199 Breach 107 Threat 246 Defense 7

Fake 'UK Visa Portal' third-party (Active Leadgen LLC) exposed 100,000 passports and selfies on public AWS S3

TechCrunch has flagged a public AWS S3 bucket operated by a UAE-registered third-party site, UK Visa Portal (Active Leadgen LLC), that exposed at least 100,000 passport scans and selfies belonging to people who paid extra to apply for UK electronic travel authorizations. The site is not the official GOV.UK service; users could complete the same application directly on GOV.UK in minutes for free. The third party reportedly responded with legal threats instead of remediation. The dataset is now in the wild and creates substantial identity-document compromise risk - passport scans plus selfies enable KYC bypass against banks, exchanges, and government services.

Check
Brief staff that 'UK Visa Portal' and similar third-party visa-help sites are not GOV.UK and may leak documents. Anyone who uploaded a passport to ukvisaportal.com should treat it as compromised.
Affected
100,000+ individuals (and counting) who used Active Leadgen LLC's UK Visa Portal site. Passport scans plus selfies enable KYC bypass against banks, exchanges, and government services.
Fix
Affected individuals: report passport as potentially compromised; consider replacement. Banks/exchanges: tighten document-plus-liveness verification against AI-generated impersonations using leaked identity documents.

FBI warns of fake FIFA World Cup 2026 sites (fiffa.com, alt-TLDs) collecting payment data ahead of June 11 kickoff

The FBI has issued a public service announcement warning of hundreds of fake FIFA-themed phishing and fraud sites ahead of the 2026 World Cup running June 11 to July 19 in the US, Canada, and Mexico. Domains include fiffa[.]com and alternative TLDs (.org, .xyz, .live, .sale) plus fake employment portals like jobs-fifa[.]com and fifa-hiring[.]com. The fraudulent sites collect names, addresses, phone numbers, and banking/payment details; the data is used for fake-ticket sales, hospitality-package scams, identity theft, and fraudulent account creation. Group-IB and Bitdefender confirmed parallel malvertising via Google Search, Facebook, Telegram, and WhatsApp, with one major operation attributed to a Chinese-speaking gang.

Check
Add FIFA-themed lookalike domains (fiffa.com, fifa-*[.]com, fifa with alt-TLDs) to email and web filters. Brief staff that the only official site is fifa.com - any other is suspicious.
Affected
Anyone considering buying World Cup tickets, hospitality packages, or FIFA-related employment ahead of June 11. Chinese-speaking gangs and Russian-speaking operations target English, Spanish, and Portuguese speakers.
Fix
Source tickets only via fifa.com or authorized partner sites. Pay via credit card or escrow for chargeback protection. Report fake FIFA sites to FBI IC3. Apply Group-IB and Bitdefender IoCs.

CrowdStrike, Google, Shadowserver disrupt GlassWorm botnet by cutting four resilient C2 channels - Solana memos, BitTorrent DHT, Google Calendar, direct VPS

CrowdStrike, Google, and The Shadowserver Foundation have disrupted the GlassWorm developer-supply-chain botnet by simultaneously cutting four resilient command-and-control channels. Active since October 2025, GlassWorm spread through malicious OpenVSX and VS Code extensions, GitHub repos, and npm packages (one March campaign hit 400+ artifacts), stealing crypto wallets and developer credentials. Its C2 was built to resist takedown: server addresses encoded in Solana transaction memo fields, configuration stored in the BitTorrent DHT, Base64 C2 paths hidden in Google Calendar event titles, and direct VPS connections for payload delivery. All four had to fall at once. Infected hosts now beacon to CrowdStrike's sinkhole at 164.92.88[.]210.

Check
Run CrowdStrike's published YARA rules across developer workstations and build servers. Search network logs for beacons to 164.92.88[.]210 (CrowdStrike sinkhole) indicating prior GlassWorm infection.
Affected
Developers who installed malicious OpenVSX or VS Code extensions, or pulled compromised GitHub repos and npm packages since October 2025. 400+ artifacts hit in the March campaign alone.
Fix
Remediate any host beaconing to the sinkhole. Audit installed OpenVSX/VS Code extensions against known-bad lists. Rotate crypto wallets and developer credentials exposed on infected machines.

FBI flash alert: Silent Ransom Group (Luna Moth/UNC3753) sends operatives in person to plug USB drives into US law firm computers

The FBI has issued a flash alert warning that the Silent Ransom Group (also tracked as Luna Moth, Chatty Spider, and UNC3753) is now sending operatives physically to US law firms to steal data. SRG actors first pose as internal IT over phone or phishing email and try to get an employee to grant a remote-desktop session; if that fails, they dispatch someone in person to plug a USB drive or external hard drive into the target's computer. The group, formed from Conti/BazarCall operators after the 2022 Conti shutdown, has targeted US legal and financial firms since 2023, extorting victims via its leak site.

Check
Brief reception and staff at law/finance firms: verify any in-person 'IT support' visit through a known internal channel before granting access. Alert SOC to unexpected USB-storage mounts.
Affected
US law firms and financial-services organizations. SRG poses as internal IT via phone/phishing, escalating to physical USB-drive theft if remote-access social engineering fails.
Fix
Enforce device-control policy blocking unauthorized USB mass storage. Require multi-channel verification for IT-support remote-access requests. Lock workstations and restrict physical access. Run callback-phishing awareness training.

Iranian intelligence (MOIS) behind LA Metro hack disguised as 'Ababil of Minab' hacktivists - hundreds of terabytes wiped

Israeli firm Gambit Security has forensically linked the late-March attack on the Los Angeles County Metropolitan Transportation Authority to Iran's Ministry of Intelligence and Security (MOIS), despite the attackers branding themselves as the pro-Iran hacktivist collective 'Ababil of Minab.' The group posted videos claiming it wiped hundreds of terabytes and stole over a terabyte of files. LA Metro confirmed the breach on April 2, 2026, and had to check hundreds of servers for compromise before bringing them back online. The case illustrates a recurring pattern of state operations wearing a hacktivist costume to provide deniability while targeting critical infrastructure.

Check
Critical-infrastructure and transit operators: treat 'hacktivist' claims of destructive attacks as possible state-operation cover. Hunt for wiper precursors and bulk-deletion activity. Validate offline backup integrity.
Affected
US critical infrastructure, especially transit authorities. Iran's MOIS uses fake-hacktivist fronts (here, Ababil of Minab) to claim destructive attacks while preserving deniability.
Fix
Maintain tested offline backups resilient to wipers. Segment OT/IT networks. Monitor for mass-deletion and destructive commands. Coordinate with CISA and ISACs on Iranian APT indicators.

Malicious npm package 'mouse5212-super-formatter' steals files from Claude AI /mnt/user-data directory, exfiltrates to attacker GitHub via postinstall

OX Security has flagged a malicious npm package, mouse5212-super-formatter (campaign codenamed Malware-Slop), designed to exfiltrate files from /mnt/user-data - the directory Anthropic's Claude uses to handle uploads and outputs. The package presents itself as an 'archive deployment sync' utility but, during the postinstall stage, authenticates to GitHub using a token found in the victim's environment (or a hard-coded fallback), creates an attacker-controlled repository, and recursively uploads every local file. It writes a fake 'network connections' log to disguise the theft. The package leaked its own GitHub token, suggesting AI-generated malware with poor OPSEC. It has ~676 downloads and remains live on npm.

Check
Search npm install logs and CI/CD for mouse5212-super-formatter. On any host that ran it, audit /mnt/user-data access and outbound GitHub API calls. Rotate exposed GitHub tokens.
Affected
Developers and AI-tooling users who installed mouse5212-super-formatter (676 downloads, still live). Systems with Claude's /mnt/user-data directory and a GitHub token in the environment are the target.
Fix
Remove the package and pin dependencies via lockfile. Rotate every GitHub token reachable from affected hosts. Treat uploaded/output files in /mnt/user-data as potentially exfiltrated.

Grandoreiro banking trojan and BTMOB Android RAT hit Iberia and Latin America - DLL side-loading, WebRTC P2P, targets Wise and Revolut

WatchGuard and ESET have documented two parallel banking-malware campaigns hitting Windows and Android users across Iberia and Latin America. The Windows campaign delivers Grandoreiro - an actively evolving banking trojan operating since 2016 that targets thousands of institutions across 45 countries - via DLL side-loading of four legitimate applications, using Delphi 11-built DLLs that abuse the sgcWebSockets library for WebRTC peer-to-peer C2 over STUN and ICE protocols to blend with web-conferencing traffic. Named targets include Abanca, Banco de Portugal, BBVA PT, Caixa Geral, Santander, plus Revolut and Wise. A companion campaign delivers the BTMOB RAT to Android users in Brazil.

Check
Hunt Windows endpoints for DLL side-loading of mingwm10.dll, libwebp.dll, libffi-6.dll, or libpng15.dll. Inspect outbound WebRTC/STUN/ICE traffic to unexpected peers. Check for Delphi-built DLLs.
Affected
Banking customers and finance staff in Spain, Portugal, Mexico (Windows/Grandoreiro) and Brazil (Android/BTMOB). Named targets include Abanca, Santander, Banco de Portugal, Revolut, and Wise.
Fix
Apply WatchGuard and ESET IoCs. Block known C2 peers. Train finance staff against phishing links delivering ZIP archives. Deploy mobile threat defense on Android devices accessing banking apps.

Gitea CVE-2026-27771 (CVSS 8.2) lets unauthenticated attackers pull private container images - ~30,000 deployments exposed for four years, Forgejo affected

Noscope has disclosed CVE-2026-27771 (CVSS 8.2), a flaw in the self-hosted Gitea version-control platform that lets unauthenticated remote attackers pull private container images with no account, password, or prior access. The 'private' designation on a container repository simply failed to enforce. It affects all Gitea versions before 1.26.2 and went undetected for nearly four years; Noscope estimates 30,000+ exposed deployments across 30+ countries, with most exposure in China, the US, Germany, France, and the UK, spanning healthcare, aerospace, retail, and ISPs. Forgejo is confirmed affected, and any Gitea fork should be treated as vulnerable until verified. Technical details were withheld to allow patching.

Check
Inventory self-hosted Gitea and Forgejo instances and confirm version. Check whether the container registry is internet-exposed. Review registry pull logs for unauthenticated access to private images.
Affected
All Gitea versions before 1.26.2 and confirmed-affected Forgejo, plus unverified Gitea forks. ~30,000 exposed deployments across 30+ countries in healthcare, aerospace, retail, and ISP sectors.
Fix
Upgrade Gitea to 1.26.2 immediately. Temporary workaround: set [service].REQUIRE_SIGNIN_VIEW=true (unsuitable if some containers must stay public). Rotate any secrets baked into exposed private images.

Microsoft: cryptojacking campaign uses AI chatbot recommendations and SEO poisoning to push fake GPU utilities, deploys ScreenConnect persistence

Microsoft has warned of an active cryptojacking campaign that surfaces malicious download sites through AI chatbot recommendations, extending SEO poisoning beyond conventional search. Attackers impersonate legitimate system utilities - CrystalDiskInfo, HWMonitor, Display Driver Uninstaller, FurMark, K-Lite Codec Pack, PDFgear - to target users with high-performance GPUs, prioritizing mining yield per host over mass infection. Beyond mining, the operators deploy ScreenConnect for persistent remote access enabling data theft, lateral movement, or ransomware. Victims who ask LLM-based tools for software-download recommendations are served links to attacker domains on subdomains of gleeze[.]com, hosted via Dynu dynamic DNS. Microsoft says it has detected and blocked the activity.

Check
Hunt for ScreenConnect installs you did not authorize and traffic to gleeze[.]com subdomains or Dynu dynamic-DNS hosts. Flag downloads of GPU/hardware utilities from non-official domains.
Affected
Users with high-performance GPUs who download system utilities (CrystalDiskInfo, HWMonitor, FurMark, etc.) via search results or AI chatbot recommendations. Gaming, engineering, and ML workstations at highest risk.
Fix
Block gleeze[.]com and known Dynu C2 at egress. Source utilities only from official vendor sites. Educate users that AI-chatbot download links can be SEO-poisoned. Monitor GPU-utilization anomalies.

CISA adds three to KEV: TanStack CVE-2026-45321 and Nx Console CVE-2026-48027 (TeamPCP) plus Daemon Tools Lite CVE-2026-8398

CISA has added three vulnerabilities to its Known Exploited Vulnerabilities catalog based on active-exploitation evidence. Two formally recognize the TeamPCP supply-chain wave that dominated mid-May: CVE-2026-45321 (TanStack) and CVE-2026-48027 (Nx Console embedded malicious code), the latter tied to the trojanized VS Code extension that led to GitHub's own 3,800-repo internal breach. The third, CVE-2026-8398, is an embedded-malicious-code flaw in the Daemon Tools Lite disc-imaging utility. FCEB agencies must remediate all three by the BOD 22-01 deadline; CISA urges all organizations to prioritize them. The additions confirm the supply-chain compromises moved from disclosure to documented in-the-wild exploitation.

Check
Confirm TanStack (CVE-2026-45321) and Nx Console (CVE-2026-48027) remediation from the mid-May supply-chain wave is complete. Inventory Daemon Tools Lite installs for CVE-2026-8398.
Affected
Organizations exposed to the TeamPCP supply-chain compromises (TanStack, Nx Console) and any endpoint running a vulnerable Daemon Tools Lite disc-imaging build. Federal agencies bound by BOD 22-01.
Fix
Remediate all three by CISA's KEV deadline. Verify Nx Console is 18.100.0+ and TanStack dependencies are clean. Remove or update Daemon Tools Lite. Rotate credentials from the supply-chain incidents.