Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7

Polymarket users lose nearly $3 million in website supply-chain attack

The crypto prediction market Polymarket says attackers stole close to $3 million from users after compromising a third-party vendor and injecting a malicious script into the platform's website. The script ran on the live site and prompted users connecting their wallets to approve transactions that drained their funds; researchers traced roughly $2.94 million taken from around a dozen accounts and bridged into Ethereum. Because the attack rode in through a trusted frontend dependency rather than Polymarket's own systems, it was invisible to users. Polymarket removed the dependency, contained the incident, and pledged full refunds. It was the platform's second security incident in two months.

Check
Review the third-party scripts and dependencies loaded by your web frontends, and confirm you would detect unauthorized changes to them; users should be wary of unexpected wallet-signing prompts.
Affected
Web platforms that load third-party frontend dependencies, and their users; a single compromised vendor can inject wallet-draining or credential-stealing code that runs as trusted, first-party code in the browser.
Fix
Pin and integrity-check third-party scripts with Subresource Integrity, monitor frontend code for unauthorized changes, vet and limit vendor dependencies, and warn users to scrutinize every wallet-signing or credential prompt.

American Tower breach surfaces on Have I Been Pwned with 216,000 accounts

Data from a breach of American Tower, one of the largest wireless communications infrastructure companies, has been indexed by Have I Been Pwned, which added 216,601 affected accounts. The extortion group ShinyHunters is linked to the incident, consistent with its sweeping 2026 campaign that has used social engineering against staff to reach corporate systems and exfiltrate data at major enterprises. American Tower operates critical telecom infrastructure, making any exposure of employee or partner data a concern for follow-on phishing and targeted attacks. Exposed contact details are commonly reused for convincing phishing against affected individuals and the organization.

Check
People connected to American Tower should check Have I Been Pwned for their email and stay alert to phishing referencing the company; the organization should review how the data was accessed.
Affected
Individuals whose data was exposed in the American Tower breach (216,601 accounts indexed); exposed contact information supports targeted phishing against a company operating critical communications infrastructure.
Fix
Reset and avoid reusing affected passwords, enable phishing-resistant MFA, and treat unexpected messages referencing American Tower with caution. Organizations should harden help desks and accounts against social-engineering-driven access.

Attackers abuse OpenAI organization invites to phish data from security firms

Push Security reports that attackers are creating OpenAI organizations that impersonate legitimate companies and inviting employees, including at cybersecurity firms, to join them, aiming to trick people into entering sensitive company information into chats and projects under attacker control. The danger is that the invitations come from OpenAI's own infrastructure, so they are genuine messages and slip past email security controls that would catch ordinary phishing. It is a reminder that trusted SaaS platforms can be turned into phishing channels through their normal invitation features, where the message itself is legitimate even though the inviting organization is fraudulent. Verification of unexpected invites is the key defense.

Check
Tell staff to treat unexpected invitations to join an organization on OpenAI or other SaaS platforms with suspicion, and monitor which external organizations employees' work accounts have joined.
Affected
Employees, including at security firms, who receive genuine-looking organization invitations from SaaS platforms; data typed into an attacker-controlled organization's chats or projects is exposed to the attacker.
Fix
Train staff to verify unexpected SaaS organization invitations through a separate channel, monitor SaaS organization memberships, and set policies on which platforms and tenants employees may join with work accounts.

Hotel phishing campaign launders email authentication to drop a Node.js implant

Microsoft is tracking a phishing campaign hitting hotels across Europe and Asia since April, using guest-complaint and inspection-themed emails to get front-desk staff to open photo-themed ZIP files. The lures pass email authentication through what Microsoft calls authentication laundering, routing messages through Calendly's notification system and Google redirects so they appear legitimate. The ZIP hides a shortcut posing as an image that runs obfuscated PowerShell, quietly installs a legitimate Node.js runtime, and launches a JavaScript implant called TonRAT. TonRAT resolves its command servers through a blockchain API, communicates over encrypted WebSockets on unusual ports, disables Microsoft Defender for itself, and persists through the registry. The attackers' ultimate goal is still unclear.

Check
Alert front-desk staff to complaint-themed emails carrying photo ZIP files, and hunt for Node.js running from user paths, new Defender exclusions, and beacons to non-standard ports such as 8443 or 56001.
Affected
Hotels and hospitality organizations in Europe and Asia whose reception and reservations staff open image or document attachments; the campaign laundered email authentication and installs a persistent Node.js implant.
Fix
Block and alert on the campaign's domains and ports, restrict execution of shortcut files from archives, monitor for unauthorized Node.js runtimes and Defender exclusions, and remove both registry persistence keys during cleanup.

FBI warns Russian hackers now steal Signal backup recovery keys to hijack accounts

The FBI and CISA have updated an earlier warning about Russian intelligence targeting Signal accounts, noting the operators have added a step: tricking targets into handing over their Signal backup recovery key. With that key, an attacker can restore the account's backup, read its private and group message history, and take over the account, and the key keeps working afterward. The campaign uses social engineering against high-value targets such as government officials, military personnel, and journalists. It reflects a broader shift toward stealing the recovery and session secrets that sit behind multi-factor authentication rather than attacking the login directly.

Check
High-risk users should review who could have prompted them to share a Signal backup or recovery key, and check Signal for unexpected linked devices or signs their account history was restored elsewhere.
Affected
Signal users targeted by Russian intelligence, especially officials, military personnel, journalists, and activists; a stolen backup recovery key exposes full message history and grants lasting account takeover.
Fix
Never share your Signal backup or recovery key, store it offline, regenerate it if you suspect exposure, verify linked devices, and distrust anyone guiding you through backup steps.

Curl's largest security release fixes 18 flaws, including a 25-year-old bug

The curl project shipped its largest-ever security release, version 8.21.0, fixing 18 vulnerabilities, among them a flaw that had gone unnoticed for 25 years. That bug (CVE-2026-8932) lets an application reuse an existing connection even after its client certificate or key changed, allowing an authentication bypass; it affects software built on the libcurl library rather than the command-line tool. Other fixes address credential confusion, memory-corruption bugs, and improper host validation. Most are rated medium or low, but libcurl is embedded in an enormous range of products, from IoT devices to CI/CD pipelines and cars, so the practical reach is large and easy to overlook.

Check
Identify where curl and especially the libcurl library are used across your applications, devices, containers, and build pipelines, since most exposure comes from embedded libcurl rather than the command-line tool.
Affected
Applications and devices built on libcurl before version 8.21.0 (CVE-2026-8932 and others); those using mutual TLS with changing client certificates face an authentication-bypass risk through connection reuse.
Fix
Update to curl and libcurl 8.21.0, rebuild and redeploy software that bundles libcurl, and prioritize systems using mutual TLS or handling credentials, including embedded and IoT devices that update slowly.

DPRK macOS malware Gaslight plants fake errors to derail AI-assisted analysis

SentinelOne detailed Gaslight, a Rust-based macOS backdoor and information stealer tied with high confidence to North Korea, whose standout trick targets the analyst rather than the sandbox. The sample embeds a block of 38 fabricated "system" messages, formatted to mimic the prompt scaffolding of an AI triage assistant, that try to make an LLM-assisted analysis tool doubt its session and abort, truncate, or refuse the analysis. Beyond that, Gaslight steals browser data, Keychain secrets, and command history, using a Telegram bot for command and control and self-redacting its bot token from its own output. It is an early example of malware built to weaponize the AI tools now common in reverse engineering.

Check
If you use AI or LLM tools in malware triage, review whether sample contents are passed to the model as trusted input, and check macOS hosts for the Telegram-based persistence described.
Affected
macOS users targeted by this North Korea-linked stealer, and analysts whose AI-assisted triage pipelines can be manipulated when malicious sample text is fed to the model as if it were instructions.
Fix
Treat the contents of analyzed samples as adversarial input, never as instructions, and isolate hostile text from AI models. On endpoints, hunt for the published indicators and suspicious com.apple-style LaunchAgents.

Chrome ad blocker with 10 million installs hides dormant code-injection capability

Researchers at Island found that a popular Chrome extension, "Adblock for YouTube," with more than 10 million installs and a Featured badge, contains the machinery to run arbitrary JavaScript on any website the user visits. The extension works as advertised, but it can fetch a rule from its server that creates script elements with attacker-supplied content, giving access to page data, sessions, and forms. The capability is dormant, not absent: switching it on takes a single server-side change, with no extension update and no store review. The add-on changed ownership years ago, requests access to all sites, and is linked to other extensions previously pulled for malware.

Check
Inventory browser extensions across the organization, flag high-permission ones like ad blockers that request access to all sites, and identify extensions that fetch configuration or rules from external servers.
Affected
Anyone using the 'Adblock for YouTube' Chrome extension or similar high-install add-ons with all-site access and server-controlled logic; a single server change could turn them into code-injection tools.
Fix
Remove or restrict extensions whose permissions exceed their purpose, prefer those with self-contained rules over server-controlled ones, enforce an extension allowlist, and monitor for ownership and permission changes.

Bluekit phishing service adds browser-in-the-middle to steal logins and sessions

The Bluekit phishing-as-a-service platform has added a browser-in-the-middle technique that streams a real login page's contents to the victim over a WebSocket, capturing not just passwords but session cookies that let attackers bypass multi-factor authentication. Netcraft reports nearly 70 new Bluekit hostnames in the past week. The kit, which markets dozens of templates for services like Outlook, Gmail, GitHub, and crypto wallets and includes an AI assistant built on a safety-stripped open-weight model, layers on heavy evasion: randomized page styling to defeat screenshot detection, frequently rotating obfuscated code, custom CAPTCHAs, browser fingerprinting, and detection of proxies and security crawlers. Operators can watch victims in real time as they log in.

Check
Hunt for the Bluekit signals Netcraft lists, including randomized CSS filters on top-level elements, periodically rotated obfuscated JavaScript, and WebSocket traffic carrying encrypted data on login pages, across email and proxy logs.
Affected
Users of widely targeted services like Outlook, Gmail, GitHub, and crypto wallets; stolen session cookies let attackers replay authenticated sessions and bypass multi-factor authentication entirely.
Fix
Move to phishing-resistant, hardware-backed authentication like passkeys or FIDO2 keys, which resist session-theft phishing, shorten session lifetimes, monitor for anomalous session reuse, and train staff on login-page verification.

Scammers abuse Shopify's Shop app to plant fake receipts for callback phishing

Attackers are abusing Shop, the order-tracking app from Shopify, by getting fake purchase receipts to appear in users' order histories, then using them to lure victims into callback phishing. Because the bogus orders show up inside a legitimate, trusted app rather than in an easily spotted scam email, they look convincing. The fake receipts typically reference an unexpected charge and a phone number to call to dispute it; when the victim calls, the scammers pose as support staff and walk them into handing over sensitive information or account access. It is a twist on callback phishing that borrows credibility from a real shopping platform.

Check
Warn users that unexpected orders or receipts appearing in the Shop app may be fake, and that any phone number prompting them to call about a charge should be treated as suspicious.
Affected
Shop app users who see unfamiliar purchase receipts in their order history; the goal is to provoke a panicked phone call where scammers extract payment details, credentials, or remote access.
Fix
Verify charges only through official banking and merchant channels, never the phone number in an unexpected receipt, and report suspicious entries. Organizations should add callback phishing to security-awareness training.