Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7

Google Drive now auto-detects ransomware and pauses sync - 14x better detection than beta

Google moved its AI-powered ransomware detection for Google Drive from beta to general availability, enabled by default for all paid Workspace users. When ransomware encrypts files on a synced desktop, Drive immediately pauses syncing to protect cloud copies, alerts both the user and IT admins, and offers bulk file restoration to roll back to pre-infection versions. Google says the GA model catches 14 times more infections than the beta, covering a wider range of encryption patterns at faster detection speeds.

Check
Verify your Google Workspace deployment is running Google Drive for desktop v114 or later to get full detection alerts.
Affected
Google Workspace organizations on business, enterprise, education, or frontline licenses. Personal Google accounts get file restoration but not ransomware detection.
Fix
Ensure Drive for desktop v114+ is deployed across endpoints. Confirm ransomware detection is enabled in Admin console (Apps > Google Workspace > Settings for Drive and Docs > Malware and Ransomware). Test the file restoration workflow with your incident response team before you need it.

NoVoice Android rootkit hid inside 50+ Google Play apps - 2.3 million downloads, survives factory reset

McAfee uncovered a rootkit campaign called Operation NoVoice that distributed malware through more than 50 legitimate-looking apps on Google Play - cleaners, games, and gallery tools - downloaded at least 2.3 million times. Once opened, the apps silently profile the device and download root exploits targeting Android vulnerabilities patched between 2016 and 2021. After rooting, the malware replaces core system libraries so every app the user opens runs attacker code. It survives factory resets on older devices because the payload lives on the system partition.

Check
Check your Android fleet for devices running security patch levels older than May 2021, and audit for any of the removed apps.
Affected
Android devices with security patch level before 2021-05-01. The rootkit primarily targets older or unpatched devices, though patched devices that installed the apps may have been exposed to other payloads.
Fix
Update Android devices to security patch level 2021-05-01 or later. Devices confirmed infected on Android 7 or older require a full firmware reflash - factory reset will not remove the rootkit. Remove any apps matching the McAfee IOC list. Consider MDM policies that block app installs from unknown or low-reputation publishers.

EvilTokens phishing kit commoditizes Microsoft device code attacks for business email compromise

A new phishing-as-a-service kit called EvilTokens is being sold on Telegram, turning OAuth device code phishing against Microsoft accounts into a turnkey attack. Victims receive emails with PDFs or HTML files containing QR codes or links to pages impersonating Adobe, DocuSign, or SharePoint. The kit captures Microsoft authentication tokens in real time - bypassing MFA - and gives attackers persistent access for business email compromise. The developer says Gmail and Okta support is coming next.

Check
Review your Microsoft Entra ID logs for unusual device code authentication flows, especially from unfamiliar locations or devices.
Affected
Any organization using Microsoft 365 with users who may click on phishing emails disguised as document-sharing notifications.
Fix
Restrict or disable the device code authentication flow in Microsoft Entra ID conditional access policies if your organization doesn't need it. Deploy phishing-resistant MFA (FIDO2 hardware keys). Train finance, HR, and sales teams to recognize fake document verification pages. Monitor for anomalous token grants in Entra ID sign-in logs.

Apple breaks policy to push DarkSword patches to millions more iOS 18 iPhones

In an unusual move, Apple expanded iOS 18.7.7 to cover far more devices on April 1 - breaking its normal practice of using security updates to push users to the newest OS. Around 20% of iPhones remain on iOS 18 (some by choice, some because they can't run iOS 26), and Apple now considers the DarkSword threat serious enough to backport protections rather than leave those users exposed. The update covers iPhone XR through iPhone 16e and multiple iPad generations. Devices with Automatic Updates enabled get it without user action.

Check
Check your MDM for any managed iPhones or iPads still running iOS 18.4 through 18.7 without the 18.7.7 update.
Affected
iPhones and iPads running iOS/iPadOS 18.4 through 18.7 that haven't received the 18.7.7 update. Roughly 20% of all iPhones are still on iOS 18.
Fix
Push iOS 18.7.7 via MDM or ensure Automatic Updates is enabled. For maximum protection, upgrade to iOS 26.4 or enable Lockdown Mode on high-risk devices. Apple confirms Lockdown Mode blocks DarkSword attacks.

CrystalRAT malware-as-a-service sells remote access, crypto theft, and keylogging on Telegram

Kaspersky researchers uncovered CrystalRAT, a new malware-as-a-service sold via Telegram and promoted on YouTube with a tiered subscription model. Built in Go, it combines remote access via VNC, keylogging, clipboard hijacking for crypto wallet theft, browser credential stealing from Chromium/Yandex/Opera, and data harvesting from Steam, Discord, and Telegram. Each buyer gets a uniquely encrypted build using ChaCha20, making detection harder. Kaspersky warns that new versions are still shipping, and the victim count is likely to grow.

Check
Alert staff about fake software cracks and activators - the most common delivery vector for CrystalRAT infections.
Affected
Windows users who download software from unofficial sources. Current victims are primarily in Russia, but the MaaS model means geographic expansion is expected.
Fix
Block known CrystalRAT C2 infrastructure at the network level. Ensure endpoint detection tools are updated with Kaspersky's published IOCs. Train staff to verify crypto wallet addresses before confirming transfers - clipboard hijacking swaps addresses silently.

Axios npm package compromised - cross-platform RAT deployed via hijacked maintainer account

Attackers hijacked the npm account of Axios's lead maintainer and published two poisoned versions of one of JavaScript's most popular libraries - 83 million weekly downloads. Versions 1.14.1 and 0.30.4 inject a hidden dependency called plain-crypto-js that drops a cross-platform RAT targeting macOS, Windows, and Linux. The malware phones home within seconds of npm install, then deletes itself to avoid detection. Both release branches were hit within 39 minutes of each other.

Check
Check if any project or CI/CD pipeline installed Axios in the last 48 hours.
Affected
axios 1.14.1 and 0.30.4 on npm. Also @shadanai/openclaw and @qqbrowser/openclaw-qbot which bundle the same payload.
Fix
Downgrade to axios 1.14.0 or 0.30.3. Remove plain-crypto-js from node_modules. Rotate all credentials on affected systems. Block sfrclak[.]com and 142.11.206.73 on port 8000.

Cisco breached through Trivy supply chain attack - source code and AWS keys stolen

The TeamPCP supply chain campaign has claimed its biggest victim yet. Attackers used credentials stolen from the Trivy vulnerability scanner compromise to breach Cisco's internal development environment, stealing source code belonging to both Cisco and its customers. Multiple AWS keys were also taken and used for unauthorized activity across Cisco's cloud accounts. The company expects continued fallout from the follow-on LiteLLM and Checkmarx compromises in the same campaign.

Check
If your CI/CD pipelines used Trivy, LiteLLM, or Checkmarx KICS between March 19-27, audit for unauthorized access immediately.
Affected
Any organization that ran compromised versions of Trivy (v0.69.4+), LiteLLM (1.82.7-1.82.8), or Checkmarx KICS GitHub Actions during the exposure windows.
Fix
Pin Trivy to v0.69.3, trivy-action to v0.35.0, setup-trivy to v0.2.6. Rotate all pipeline secrets, AWS keys, SSH keys, and tokens. Block scan.aquasecurtiy[.]org and 45.148.10.212. Search GitHub orgs for repositories named tpcp-docs - their presence means data was exfiltrated.

CareCloud confirms hackers accessed patient health records in 8-hour breach

Healthcare software company CareCloud disclosed to the SEC that hackers breached one of its six electronic health record environments on March 16, gaining access to patient medical data for approximately eight hours. The company serves over 40,000 healthcare providers. It's still investigating whether data was exfiltrated, but classified the incident as material on March 24 due to the sensitivity of the records. No ransomware group has claimed the attack.

Check
If your organization uses CareCloud Health for EHR, contact CareCloud for specifics on whether your environment was affected.
Affected
CareCloud Health EHR platform users. One of six EHR environments was compromised.
Fix
Monitor for CareCloud's breach notification updates. Review access logs for unusual activity around March 16. Ensure MFA is enforced on all EHR system access. Prepare for potential patient notification requirements.

Chinese hackers exploited TrueConf video conferencing zero-day to backdoor Southeast Asian governments (CVE-2026-3502)

Check Point uncovered Operation TrueChaos - a Chinese-nexus espionage campaign that turned a video conferencing platform's update mechanism into a malware delivery system. The attackers compromised a central on-premises TrueConf server used by a government IT department, then swapped the legitimate client update with a weaponized package that deployed the Havoc post-exploitation framework. Every connected government agency pulled the poisoned update automatically, no individual endpoint compromise needed.

Check
Check if your organization uses TrueConf for video conferencing, especially in on-premises deployments.
Affected
TrueConf Windows client versions 8.1.0 through 8.5.2. On-premises deployments are at highest risk since the attack requires control of the TrueConf server.
Fix
Update TrueConf Windows client to version 8.5.3 or later. Audit TrueConf servers for unauthorized modifications. Check endpoints for IOCs: unsigned trueconf_windows_update.exe, files named poweriso.exe or 7z-x64.dll, and connections to 43.134.90.60, 43.134.52.221, or 47.237.15.197.

Fortinet FortiClient EMS SQL injection actively exploited - no authentication required (CVE-2026-21643)

A CVSS 9.1 SQL injection flaw in Fortinet's FortiClient Endpoint Management Server is now being exploited in the wild - four days before anyone flagged it publicly. An attacker only needs one crafted HTTP request with a malicious Site header to execute arbitrary SQL against the backing PostgreSQL database, no credentials required. Roughly 1,000 to 2,400 FortiClient EMS instances are exposed to the internet, mostly in the US and Europe.

Check
Check if you run FortiClient EMS with its web interface exposed to the internet.
Affected
FortiClient EMS 7.4.4 with multi-tenant mode enabled. Single-site deployments are not affected.
Fix
Upgrade to FortiClient EMS 7.4.5 or later. Restrict access to the EMS administrative interface immediately.