Last updated: July 6, 2026 at 12:53 AM UTC
All 559 Vulnerability 199 Breach 107 Threat 246 Defense 7

Trapdoor Android ad fraud: 455 apps, 24M downloads, 659M daily bid requests, selective activation via attribution tools

HUMAN Security has detailed Trapdoor, an Android ad-fraud and malvertising operation that pushed 455 apps with more than 24 million combined Play Store downloads and drove an average of 659 million daily ad-bid requests, three-quarters of them from US devices. The operators run their own ad campaigns to recruit victims, then use legitimate install-attribution tools to switch on fraud only for users who came in through those campaigns, suppressing the bad behavior for anyone who installed organically - which kept Google's reviewers and most security researchers in the dark. Google has now removed all identified apps from the Play Store.

Check
Use MDM to inventory any Trapdoor app from HUMAN's published list on managed Android devices. Look for outbound traffic to HTML5 cashout domains in your DNS logs.
Affected
Android users who downloaded Trapdoor apps after clicking attribution-tagged ads. The campaign is invisible to users who installed the same apps organically.
Fix
MDM-uninstall the named apps and block their package IDs. Restrict Android sideloading on managed devices. Review attribution-provider settings to limit click campaigns' ability to flag malicious behavior.

Drupal shipping highly critical core security update today (May 20, 17:00-21:00 UTC) - PSA-2026-05-18, severity 20/25, unauthenticated

Drupal is releasing an emergency core security update on May 20 between 17:00 and 21:00 UTC. Pre-disclosure advisory PSA-2026-05-18 rates the issue 'highly critical' (20 of 25 on Drupal's scoring) and notes access complexity 'None' and authentication 'None' - meaning the underlying flaw is unauthenticated and easy to trigger. Patches will land for the supported 11.3.x, 11.2.x, 10.6.x, and 10.5.x branches, plus emergency patches for EOL 11.1.x and 10.4.x. Drupal 7 is not affected. Drupal 8 and 9 will only get best-effort manual patch files. The Drupal Security Team warns working exploits may follow within hours of disclosure.

Check
Inventory all Drupal sites and their exact versions. Flag any site on Drupal 8 or 9 since these need manual best-effort patches and a planned upgrade.
Affected
All supported Drupal core 11.x and 10.x; pre-patched 11.1.x and 10.4.x EOL branches available; Drupal 8/9 best-effort only. Drupal 7 is not affected.
Fix
Pre-upgrade to 11.1.9 or 10.4.9 today before the security release lands. Apply the patch the moment it ships and plan an upgrade to 11.3 or 10.6 within the next quarter.

SEPPmail Secure Email Gateway RCE chain allows attacker to read all mail traffic and persist on the gateway

Researchers have disclosed a chain of vulnerabilities in SEPPmail Secure Email Gateway that lets an attacker turn unauthenticated web requests into remote code execution by inflating the SEPPMaillog file past its 10,000 KB limit, which forces newsyslog to rotate logs and signal syslogd to reload its configuration. Combined with the other flaws in the chain, the attacker reads all mail traffic on the appliance and persists indefinitely. SEPPmail has patched CVE-2026-44128 in version 15.0.2.1, CVE-2026-44126 in 15.0.3, and the rest in 15.0.4. The disclosure follows last month's CVE-2026-27441 (CVSS 9.5) OS command-execution fix in the same appliance.

Check
Inventory SEPPmail Secure Email Gateway appliances and exact versions. Pull web access logs for unusually large or repeated requests that could bloat SEPPMaillog past its rotation threshold.
Affected
SEPPmail appliances on versions earlier than 15.0.4. Last month's CVE-2026-27441 (CVSS 9.5) OS-command-execution flaw in the same product remains relevant if unpatched.
Fix
Upgrade SEPPmail to 15.0.4 immediately. If you cannot, restrict admin and webmail interfaces to a management VLAN behind VPN and monitor log file sizes for unusual growth.

Huawei VRP router zero-day crashed Luxembourg's entire telecom network for 3+ hours (July 2025, disclosed now)

Recorded Future News has connected last summer's three-hour POST Luxembourg outage - which took down landline, 4G, and 5G networks across the country and left residents unable to dial emergency services - to a zero-day in Huawei enterprise routers running VRP. Specially crafted network traffic merely passing through caused the routers to enter a continuous restart loop. Luxembourg's prosecutor concluded no one had targeted Luxembourg specifically; the data was just transit traffic. Huawei has not assigned a CVE for the bug and routes its enterprise advisories through a restricted customer portal rather than publicly, leaving operators with little ability to track exposure.

Check
Inventory Huawei VRP-based routers (NetEngine, AR series, CloudEngine) and software versions. Confirm direct access to Huawei's restricted customer portal so you receive enterprise advisories.
Affected
Huawei enterprise routers running VRP that process untrusted internet traffic. Service providers are most exposed; downstream enterprise customers face transit risk.
Fix
Apply the latest Huawei VRP updates via your customer portal. Where possible, deploy multi-vendor diversity at network borders so a single buggy product cannot take down your entire WAN.

CISA contractor leaked AWS GovCloud admin keys and dozens of plaintext passwords on public GitHub

A contractor with administrative access at CISA, the US agency that tells everyone else how to do cybersecurity, ran a public GitHub repository called Private-CISA that exposed administrative AWS GovCloud keys, plaintext passwords in CSVs for internal CISA systems, and credentials to the agency's internal artifactory. The owner had even disabled GitHub's default secret-scanning protections. Researcher Philippe Caturegli of Seralys validated that the AWS keys still worked against three high-privilege GovCloud accounts and could have given an attacker a launchpad to deploy backdoors into CISA's internal build pipelines. CISA says it is investigating and has seen no evidence of compromise.

Check
Search your GitHub org for repos named after internal projects, scan public-fork history with TruffleHog or GitGuardian, and verify GitHub push-protection is enabled at the org level.
Affected
Any organization where individual administrators can publish secrets to public GitHub repositories and override the default push-protection settings. CISA itself was the named victim.
Fix
Enforce GitHub Advanced Security push-protection and secret scanning at the org level. Rotate any AWS keys whose hashes appear in public commits. Treat developer GitHub accounts as Tier-0 identities.

INTERPOL Operation Ramz disrupts MENA cybercrime: 201 arrests, 53 servers seized, 3,867 victims identified

INTERPOL says a coordinated operation called Ramz, run across 13 Middle East and North Africa countries, has produced 201 arrests, seized 53 servers, and identified 3,867 victims. Algerian authorities took down a phishing-as-a-service operation; Moroccan officials seized hard drives loaded with banking data and phishing kits; and Jordanian police uncovered 15 people running a fraudulent trading platform who turned out to be trafficking victims forced into the work. Group-IB and Team Cymru contributed intelligence on over 5,000 compromised accounts, including some tied to government systems. Participating countries included Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, and the UAE.

Check
Review phishing and credential-theft alerts for matches against the IP ranges in INTERPOL's advisory, especially for users with MENA business or travel ties.
Affected
Organizations with users, customers, or business operations in the 13 named MENA countries. Roughly 5,000 compromised accounts (including some tied to government infrastructure) were identified.
Fix
Force credential rotation for users matching the IoCs Group-IB shared. Coordinate with your local CSIRT for country-specific victim lists. Reinforce phishing-awareness training in MENA-facing teams.

Leaked Shai-Hulud worm source code reused in four malicious npm packages, one adds Phantom Bot DDoS

After TeamPCP dumped the Shai-Hulud worm's source code on GitHub last week with the note 'Here We Go Again - Let the Carnage Continue,' a new actor under the npm name deadcode09284814 has published four malicious packages typosquatting Axios and friends. One package, chalk-tempalte, contains an almost-unmodified copy of the leaked worm, exfiltrating GitHub tokens, cloud configs, and crypto wallet data to a remote C2 and creating a public GitHub repo titled 'A Mini Sha1-Hulud has Appeared.' Another package, axois-utils, adds a Go-based DDoS bot called Phantom Bot that floods HTTP, TCP, and UDP. OXsecurity, which discovered the campaign, counted about 2,678 combined downloads.

Check
Search package lock files and CI/CD logs for installs of chalk-tempalte, @deadcode09284814/axios-util, axois-utils, or color-style-utils. Check your GitHub accounts for any repo named 'A Mini Sha1-Hulud has Appeared.'
Affected
Any organization whose developers install Node.js packages by name from npm without lockfile pinning or pre-publish vetting, especially those typosquatting the popular axios library.
Fix
Uninstall the four packages and rotate all developer GitHub tokens, npm tokens, and cloud credentials on affected machines. Block the C2 hosts 87e0bbc636999b.lhr.life and 80.200.28.28:2222 at egress.

DirtyDecrypt Linux kernel root escalation PoC released - rxgk pagecache write affects Fedora, Arch, openSUSE Tumbleweed

A working proof-of-concept exploit for a recently patched Linux kernel local privilege escalation is now public. Researchers at V12 found the bug in May and were told it had already been fixed in the mainline kernel on April 25, matching CVE-2026-31635 per Tharros analyst Will Dormann. The flaw is a missing copy-on-write check in rxgk_decrypt_skb, the kernel routine that decrypts RxGK packets for the Andrew File System. Exploitation requires CONFIG_RXGK, limiting impact to leading-edge distros like Fedora, Arch Linux, and openSUSE Tumbleweed. DirtyDecrypt joins Dirty Frag, Fragnesia, and Copy Fail in a recent wave of Linux LPE disclosures.

Check
Run 'uname -r' across your Linux fleet, flag hosts on Fedora, Arch, openSUSE Tumbleweed, or any mainline kernel with CONFIG_RXGK. Search audit logs for unexpected setuid execs since 2026-04-25.
Affected
Linux kernels built with CONFIG_RXGK enabled, primarily Fedora, Arch Linux, and openSUSE Tumbleweed. Distributions on long-term stable kernels (RHEL, Debian stable, Ubuntu LTS) are not typically affected.
Fix
Apply your distribution's latest kernel updates. Temporary mitigation (also breaks AFS and IPsec VPNs): blacklist esp4, esp6, and rxrpc via /etc/modprobe.d/, unload with rmmod, drop the page cache.

SHub Reaper macOS infostealer spoofs Apple, Google, and Microsoft in one chain - backdoor, wallet hijack, document theft

SentinelOne has documented a new variant of the SHub macOS infostealer family called Reaper. Victims are lured through fake WeChat and Miro installers hosted on typo-squatted Microsoft domains, then prompted to run what looks like an Apple security update. Reaper avoids macOS Tahoe's new Terminal protections by routing its commands through the applescript:// URL scheme. Once running, it steals browser credentials, crypto wallets, dev configs, iCloud data, and Telegram sessions, replaces legitimate Exodus, Ledger, and Trezor wallet apps with backdoored copies, and installs a persistent fake Google Software Update LaunchAgent that gives the attacker an ongoing remote shell. Files larger than 85MB are uploaded in 70MB chunks.

Check
Hunt macOS endpoints for LaunchAgents named com.google.keystone.agent.plist that point at unsigned scripts in ~/Library/Application Support/Google/GoogleUpdate.app/, and search proxy logs for traffic to hebsbsbzjsjshduxbs.xyz.
Affected
macOS users who can be social-engineered into running an installer or AppleScript prompt outside the App Store. Heavily targets developer, finance, and crypto-holding personas.
Fix
Remove the malicious LaunchAgent and persistence script. Rotate all credentials in the browser keychain, crypto wallets, iCloud, Telegram, and any tokens in shell history or .gitconfig. Enforce MDM blocking unsigned LaunchAgents.

ShinyHunters drains 7-Eleven's Salesforce: 600K+ records, franchisee documents, ransom refused

7-Eleven has confirmed that an unauthorized party reached systems holding its franchisee documents on April 8, 2026. The extortion group ShinyHunters claims it stole more than 600,000 Salesforce records of personal and corporate information, posted samples on its Tor leak site, and demanded payment by April 21 or it would publish everything. 7-Eleven says the leaked files came from franchise applications and that it is notifying affected individuals. The breach fits the pattern ShinyHunters has run against Google, Cisco, Vimeo, Rockstar Games, Instructure, Zara, and the European Commission since mid-2025 - all delivered through compromised Salesforce instances rather than direct break-ins.

Check
Audit Connected Apps and OAuth consents in Salesforce. Review login history for unfamiliar IPs and service-account sessions that exported large record sets in the last 90 days. Verify MFA on every API user.
Affected
Organizations running Salesforce without Conditional Access on API users, without IP allowlisting on integration users, or with high-privilege Connected Apps that have not been reviewed in the last quarter.
Fix
Revoke unused Connected Apps and refresh tokens. Enforce MFA and IP restrictions on every Salesforce identity. Apply Shield Event Monitoring to alert on bulk exports and report downloads. Rotate API keys with broad permissions.