Last updated: July 6, 2026 at 12:53 AM UTC
All 559 Vulnerability 199 Breach 107 Threat 246 Defense 7

Megalodon GitHub Actions attack scans 5,561 repos for CI/CD secrets; polymarketdev publishes nine wallet-stealer npm packages

SafeDep has detailed Megalodon, a GitHub Actions attack that scans 5,561 repositories for usable CI/CD secrets and credentials by submitting malicious pull requests that contain crafted workflow files. The campaign appears unrelated to the recent TeamPCP supply-chain wave. Separately, a throwaway npm account 'polymarketdev' published nine packages within 30 seconds (polymarket-trading-cli, polymarket-terminal, polymarket-trade, polymarket-auto-trade, polymarket-copy-trading, polymarket-bot, polymarket-claude-code, polymarket-ai-agent, polymarket-trader) that, on postinstall, present a fake wallet onboarding prompt and exfiltrate Ethereum and Polygon private keys to a Cloudflare Worker at polymarketbot.polymarketdev.workers[.]dev. The malicious packages remain live on npm at time of publication.

Check
Search GitHub Actions audit logs for unfamiliar workflow files added via pull requests since May 21. Search npm install logs for any polymarket-* package.
Affected
5,561 GitHub repositories specifically targeted by Megalodon malicious pull requests. Any Ethereum or Polygon developer who installed polymarket-* npm packages exposed wallet keys.
Fix
Restrict workflows triggered by pull_request_target. Pin GitHub Actions to full commit SHAs not tags. Treat any system that ran polymarket-* packages as compromised; rotate wallet keys immediately.

Netherlands seizes 800 servers of Stark Industries successor WorkTitans/THE.Hosting - links to NoName057(16) Russian hacktivists

The Dutch Financial Crime Investigation Service (FIOD) has arrested two men and seized 800 servers during raids on data centers in Dronten and Schiphol-Rijk that hosted infrastructure for cyberattacks, disinformation, and influence operations tied to sanctioned Russian and Belarusian entities. The 57-year-old company director and a 39-year-old connectivity provider face charges of indirectly providing economic resources to EU-sanctioned parties. The web hosting company Stark Industries was sanctioned by the EU last May; investigators say its infrastructure was simply transferred to a newly created Dutch company called WorkTitans B.V., trading under THE.Hosting. Mirhosting, which provided physical colocation and connectivity, denies knowingly supporting illegal operations.

Check
Search egress logs for connections to Stark Industries or THE.Hosting / WorkTitans IP ranges since 2022. Cross-reference with NoName057(16) DDoS infrastructure published by national CERTs.
Affected
Targets of pro-Russian disinformation, DDoS, and influence operations - particularly EU government, banking, and critical-infrastructure sectors. NoName057(16) frequently targets Ukrainian allies.
Fix
Block known Stark Industries / WorkTitans / Mirhosting IP ranges at the perimeter where there is no legitimate business need. Refresh DDoS protection runbooks for NoName057(16) campaigns.

Google leaks unfixed Chromium flaw - Service Workers run JavaScript after browser closes, enabling silent botnet on Chrome, Edge, Brave

Google has accidentally published the technical details of an unfixed Chromium vulnerability that lets a malicious webpage run JavaScript on a visitor's device even after the browser is closed. The issue, originally reported by researcher Lyra Rebane in December 2022, abuses a Service Worker download task that never terminates. It was marked 'fixed' on February 12 and the bug tracker went public on May 20 after the 14-week visibility timer expired, but Rebane re-tested the latest Chrome Dev 150 and Edge 148 and confirmed the bug still works. Microsoft Edge no longer shows a download prompt, making the persistence completely silent. All Chromium-based browsers are affected.

Check
Inventory Chromium-based browsers (Chrome, Edge, Brave, Opera, Vivaldi, Arc) and check current Service Worker activity at chrome://serviceworker-internals/ for unexpected background fetches surviving browser close.
Affected
All Chromium-based browsers including Chrome Dev 150 and Edge 148 (and earlier). Confirmed bug in Service Worker handling. The Edge variant is silent (no download prompt).
Fix
No vendor patch yet. Until one ships: enforce a Chrome/Edge policy that blocks background-fetch or restricts service-worker scopes. Educate users to manually unregister Service Workers via chrome://serviceworker-internals/.

Calypso (Red Lamassu) Chinese APT hits APAC and Middle East telcos with Showboat Linux SOCKS5 backdoor and JMFBackdoor Windows RAT

Lumen Black Lotus Labs and PwC Threat Intelligence have detailed a Chinese cyber-espionage campaign tied to the Calypso group (also tracked as Red Lamassu) that has been hitting telecommunications providers across Asia Pacific and parts of the Middle East since mid-2022. The operators run a Linux post-exploitation framework called Showboat (or kworker) that doubles as a SOCKS5 proxy and port-forwarder, plus a Windows RAT called JMFBackdoor delivered via DLL-sideloading of fltMC.exe + FLTLIB.dll. Showboat retrieves a 'hide' command from public dead-drops like Pastebin to mask its process. The tooling appears to be shared across multiple China-aligned clusters targeting distinct victim sets.

Check
Hunt telco environments for processes named kworker or fltMC.exe with anomalous DLL loads (FLTLIB.dll). Inspect outbound traffic for SOCKS5 traffic to unexpected destinations. Check Pastebin requests.
Affected
Telecommunications providers across Asia Pacific and the Middle East. Multiple China-aligned clusters share the Showboat and JMFBackdoor tooling and certificate-generation patterns across distinct victim sets.
Fix
Block dead-drop dependencies by restricting Pastebin and similar code-paste domains at egress. Hunt for fltMC.exe sideloaded with non-Microsoft FLTLIB.dll. Apply Lumen Black Lotus Labs and PwC IoCs.

Cisco patches CVSS 10.0 Secure Workload flaw (CVE-2026-20223): unauthenticated REST API access grants Site Admin across tenants

Cisco has patched a maximum-severity flaw, CVE-2026-20223, in the internal REST APIs of Cisco Secure Workload (formerly Tetration), the zero-trust microsegmentation platform used to stop lateral movement in enterprise environments. Insufficient authentication on the affected endpoints lets an unauthenticated remote attacker craft a request that returns sensitive data and modifies configuration with Site Admin privileges across tenant boundaries. Cisco's PSIRT says there is no evidence of in-the-wild exploitation yet and no workaround exists. The on-prem fixed releases are 3.10.8.3 and 4.0.3.17; the SaaS deployment has already been patched. Sites running 3.9 or earlier must migrate to a fixed release.

Check
Inventory Cisco Secure Workload (Tetration) on-prem deployments and their version. Check whether SaaS is in use (already auto-patched). Review API access logs for unauthenticated calls succeeding.
Affected
Cisco Secure Workload 3.10.x before 3.10.8.3, 4.0.x before 4.0.3.17, and any 3.9 or earlier release. SaaS deployment already fixed by Cisco. No workaround available.
Fix
Upgrade on-prem to 3.10.8.3 or 4.0.3.17. Sites on 3.9 or earlier must migrate to a fixed release. No workaround - patching is the only option.

First VPN service taken offline by Europol - 33 servers in 27 countries seized, Ukrainian operator questioned, used in ransomware

A joint operation between French, Dutch and 14 other authorities, coordinated by Europol and Eurojust, has taken down First VPN, a privacy-focused VPN service that was advertised on cybercrime forums as a no-logs option that ignored law enforcement requests. Authorities seized 33 servers across 27 countries, took down the 1vpns.com, 1vpns.net, 1vpns.org domains and the onion mirrors, and questioned a Ukrainian suspect. Investigators infiltrated the infrastructure before takedown and pulled the user database, sharing 506 user identifications and 83 intelligence packages internationally. Europol says the service name turned up in nearly every major cybercrime investigation it has supported in recent years.

Check
Search VPN allowlists and detection alerts for users connecting from First VPN exit IPs in the last two years. Check 1vpns.com / 1vpns.net / 1vpns.org references in firewall and proxy logs.
Affected
Investigators or threat hunters whose historical IoC sets included First VPN exit IPs. 506 specific users have been internationally referred; affected parties should expect law-enforcement contact.
Fix
Refresh detection rules with seized First VPN exit IPs once Europol shares them. If your historical attacker IoCs included First VPN nodes, re-correlate against the freshly identified users.

Alleged Kimwolf IoT botmaster 'Dort' arrested in Ottawa, charged in US and Canada - swatting attacks against researchers cited

Krebs on Security reports that Jacob Butler, the 18-year-old Ottawa resident allegedly known online as 'Dort,' has been arrested and charged in both the US and Canada with running the Kimwolf IoT botnet. KrebsOnSecurity unmasked Butler as the operator on February 28 by tying together his email addresses, forum registrations, and public Telegram and Discord posts. Dort later threatened and swatted researchers including Synthient's Ben Brundage. Ontario Provincial Police executed a search warrant in Ottawa on March 19 and seized devices. Kimwolf competed with Aisuru, JackSkid, and Mossad for the same vulnerable-IoT population. Butler faces up to 10 years if extradited and convicted in the US.

Check
Search EDR and netflow telemetry for outbound connections from IoT devices to known Kimwolf, Aisuru, JackSkid, and Mossad C2 sets. Inventory unpatched IoT devices on residential and SMB networks.
Affected
IoT devices - mostly routers, NVRs, and consumer IP cameras - vulnerable to the unpatched flaws Kimwolf was using to spread. Synthient helped patch the underlying weakness earlier this year.
Fix
Update firmware on all IoT and network-edge devices and disable WAN-side admin interfaces. Block known Kimwolf C2 ranges. Monitor for the lateral spread patterns documented by Synthient.

CISA adds two to KEV: Langflow CVE-2025-34291 (Flodric botnet) and Trend Micro Apex One CVE-2026-34926 (directory traversal)

CISA has added two new entries to its Known Exploited Vulnerabilities catalog. CVE-2025-34291 is an origin-validation/CORS chain in Langflow, a popular open-source AI agent framework, that lets a malicious webpage exfiltrate refresh tokens and reach the code-validation endpoint for full RCE. Active exploitation began on January 23, 2026, and threat actors have been deploying the Flodric botnet through compromised instances. CVE-2026-34926 is a directory-traversal flaw in Trend Micro Apex One (On-Premise) that allows file read or write outside the intended path. FCEB agencies must remediate by June 11 per BOD 22-01; CISA urges all organisations to do the same.

Check
Inventory Langflow deployments and confirm version is 1.9.3 or later (CVE-2025-34291 patched). Inventory Trend Micro Apex One On-Premise deployments and check patch level for CVE-2026-34926.
Affected
Langflow before 1.9.3 (Flodric botnet seen exploiting in the wild). Trend Micro Apex One On-Premise (specific affected versions per Trend's KA-0023430 advisory). Internet-facing instances are at highest risk.
Fix
Upgrade Langflow to 1.9.3+ and Apex One per Trend Micro's KA-0023430. FCEB agencies must remediate by June 11. Restrict the affected admin consoles to management networks behind VPN.

Aikido shows Google API keys keep working up to 23 minutes after deletion; Google closes report as 'won't fix'

Aikido Security's Joe Leon has documented that standard Google Cloud API keys keep working for up to 23 minutes after they are deleted from the GCP console, with a median revocation window of 16 minutes. Over 10 trials across two days, the team kept sending authenticated requests at 3-5 per second; one trial saw 79% of requests succeed one minute after deletion. During this window, an attacker holding a leaked key retains full access to any enabled API on the project, including Gemini file dumps, BigQuery, and Maps. Google closed the bug report as 'won't fix.' Service-account deletions propagate in around 5 seconds; only standard API keys are slow.

Check
Review your GCP secret-rotation runbooks. Identify any service that uses standard API keys versus service accounts. Audit GCP audit logs for authenticated calls following a recent key deletion.
Affected
Any organization that uses standard Google Cloud API keys and assumes deletion provides immediate revocation. Service accounts (5-second propagation) and Gemini's newer API key format (~1 minute) not affected.
Fix
Migrate from standard API keys to service accounts where possible. Treat a deleted Google API key as live for 30 minutes during leak response. Combine deletion with key rotation.

Underminr domain-fronting attack hijacks brand reputations via CDN trust - 42% of websites globally, 51% in US, vulnerable

ADAMnetworks researchers have disclosed Underminr, a domain-fronting attack that abuses how major content delivery networks resolve HTTP requests, letting an attacker route malicious traffic so it appears to come from trusted brand domains. Protective DNS filters see the DNS lookup for the legitimate site and wave it through. ADAMnetworks estimates 42% of websites globally are vulnerable, 51% in the US, around one-third in Eastern Europe, and under 9% in China's heavily-regulated internet. The researchers say attackers are already using the technique. Boutique security-focused CDNs that perform domain verification are not vulnerable; the larger general-purpose providers carry most of the exposure.

Check
Inventory CDN providers and check whether each performs domain verification (validates Host header at edge). Search egress logs for traffic resolving a trusted domain but landing on attacker infrastructure.
Affected
Roughly 42% of websites worldwide, 51% in the US, hosted on CDNs that do not perform strict Host-header verification. Boutique CDNs that verify ownership are not vulnerable.
Fix
Move sensitive properties to CDNs that perform strict domain verification. Audit Protective DNS allowlists and pair them with TLS SNI or HTTP-Host inspection downstream. Treat domain-only allowlists as weak.