Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7

Tata Electronics confirms breach as extortion gang leaks Apple and Tesla files

Tata Electronics, the Indian manufacturer that assembles roughly a third of Apple's iPhones in India, has confirmed a cyberattack affecting part of its IT systems after the extortion group World Leaks began leaking stolen data. The group claims to have taken around 200,000 files, including confidential Apple and Tesla manufacturing and component design documents, internal emails, years of event logs, and copies of employee passports, some belonging to foreign nationals. Researchers say the data has been on the dark web since at least June 10, and a ransom was demanded. World Leaks, a rebrand of the Hunters International group, also claimed breaches at Nike and Dell.

Check
Manufacturers and their partners should review how design documents, supplier data, and employee identity records are segmented and monitored, and watch for phishing or fraud using leaked passport and email data.
Affected
Tata Electronics, its employees whose passports and emails were exposed, and partners like Apple and Tesla whose confidential design and manufacturing documents were reportedly included in the roughly 200,000 leaked files.
Fix
Segment and tightly control access to sensitive design and HR data, monitor for large data exfiltration, enforce phishing-resistant MFA, and prepare partners for downstream phishing and fraud using the leaked information.

macOS ClickFix attack uses Terminal trick to silently install Atomic Stealer

Palo Alto's Unit 42 found a new macOS campaign that uses the ClickFix trick, a fake CAPTCHA or verification page, to get users to paste a command into Terminal. The command quietly downloads a disk image, mounts it without showing it in Finder, finds the app inside, and launches it, installing the Atomic macOS Stealer (AMOS). The malware then shows a fake system password prompt and steals browser credentials and cookies from many Chromium and Firefox-based browsers, cryptocurrency wallet data, Keychain contents, messaging app data, and documents. The single-command approach is stealthier than older campaigns that relied on the victim manually opening a downloaded image.

Check
Warn Mac users never to paste website-supplied commands into Terminal to pass a CAPTCHA, and watch endpoints for unexpected hdiutil mounts and curl downloads to the /tmp folder.
Affected
macOS users tricked by fake CAPTCHA or verification pages into running a Terminal command; crypto-wallet holders and anyone with browser-stored credentials and Keychain secrets are the main targets.
Fix
Train users to recognize ClickFix lures, restrict or monitor Terminal use on managed Macs, deploy endpoint protection that detects AMOS behavior, and store crypto wallets and secrets in hardware-backed protection.

Fake AI agent skill slips past every scanner to reach 26,000 agents

Security firm AIR showed how easily AI agent skills can be weaponized by building a benign-looking design skill, publishing it to marketplaces, and promoting it with an Instagram ad until it reached roughly 26,000 agents, including some on corporate accounts. Every skill-scanning tool they tested, including offerings from Cisco and Nvidia, marked it safe. The trick is that the skill itself stays clean but tells the agent to fetch instructions from an external page the attacker controls, which passes review while pointing at harmless content and can be swapped for a malicious install script later. Skills load into an agent with the same authority as a user's prompt.

Check
Inventory which AI agent skills your team has installed, especially any that instruct agents to fetch instructions or scripts from external URLs, and review what local access those agents have.
Affected
Teams using AI agents that install third-party skills, particularly skills that pull instructions from external sites; a one-time safety scan cannot catch content that changes after review.
Fix
Restrict agents to vetted skills from trusted sources, distrust skills that fetch external instructions, monitor agent access to privileged local resources, and never rely on a single scan to judge safety.

Malicious npm packages mimic PostCSS tools to plant Windows remote-access trojan

JFrog found malicious npm packages that impersonate PostCSS build tools to drop a multi-stage Windows remote-access trojan on developer machines. One package, postcss-minify-selector-parser, is named to look like the widely used postcss-selector-parser library, which sees over 127 million weekly downloads, and even lists the real package as a dependency to seem plausible during a quick review. Once installed, it writes and runs a PowerShell script that pulls down the trojan. A second cluster of five packages delivers a dropper during npm install, with one server-side component that only serves the payload to victims matching a specific signature. Affected developers should remove the packages and rotate credentials.

Check
Check developer machines and build systems for the named malicious npm packages and any unexpected PowerShell activity or dropped executables that started during a recent npm install.
Affected
Developers who installed the lookalike PostCSS packages or the related five-package cluster; the payload is a Windows remote-access trojan that runs at install time on developer and build machines.
Fix
Remove the malicious packages and their artifacts, rotate credentials from affected machines, pin and verify dependencies, block install-time scripts in CI, and watch for typosquatted names close to popular libraries.

Squidbleed flaw in Squid proxy leaks other users' credentials by default

Researchers at Calif.io disclosed Squidbleed, a Heartbleed-style memory leak in the widely used Squid web proxy that exposes one user's cleartext HTTP traffic, including passwords, cookies, and session tokens, to anyone else allowed to use the same proxy. The flaw (CVE-2026-47729) is a heap over-read in Squid's decades-old FTP directory parser and is present in the default configuration of every Squid version. To exploit it, an attacker needs proxy access and must point the proxy at an FTP server they control. Only cleartext HTTP and TLS-intercepting setups are exposed; normal HTTPS tunnels are not. A proof-of-concept is public.

Check
Inventory every Squid proxy in your environment, including instances embedded in appliances or run by vendors, and check whether FTP support is enabled and whether the proxy terminates TLS for inspection.
Affected
All Squid proxy versions in their default configuration (CVE-2026-47729), especially shared proxies on corporate, campus, or public networks; cleartext HTTP and TLS-terminating inspection setups have traffic exposed.
Fix
Disable FTP support in Squid, which removes this attack surface at no cost since browsers no longer use it, and apply the upstream patch once your distribution ships a verified fix.

DifyTap flaws let attackers read other tenants' AI chats on Dify

Zafran Security disclosed four vulnerabilities, collectively named DifyTap, in Dify, a popular open-source platform for building AI agents and workflows. Two are critical, two need no authentication, and three allow cross-tenant access on Dify's multi-tenant cloud, meaning one customer could quietly read another's private AI conversations and model responses, a covert exfiltration channel. The flaws include an authorization bypass that exposes any application's trace data (CVE-2026-41947), a path traversal into the internal Plugin Daemon API (CVE-2026-41948), and a file-preview authorization bypass (CVE-2026-41949). Most were fixed in Dify 1.14.2, but the path-traversal flaw remains unpatched pending the next release.

Check
Determine whether your organization uses Dify, self-hosted or on its cloud, identify the running version, and review whether AI conversations or application data could have been accessed across tenant or user boundaries.
Affected
Dify deployments before version 1.14.2 (CVE-2026-41947, CVE-2026-41949) and all versions for the still-unpatched path traversal (CVE-2026-41948); multi-tenant and cloud setups face cross-tenant AI-chat exposure.
Fix
Update Dify to 1.14.2 or later now, watch for the forthcoming fix for the path-traversal flaw, restrict access to Dify's internal Plugin Daemon, and avoid putting sensitive data in shared multi-tenant instances.

FFmpeg PixelSmash flaw enables code execution on media servers via crafted videos

FFmpeg has patched PixelSmash, a heap overflow in the MagicYUV video decoder of its libavcodec library that a crafted AVI, MKV, or MOV file can trigger, even during automated thumbnail generation or media scanning. The flaw (CVE-2026-8461) can crash applications or, where address-space randomization is disabled or bypassed, lead to remote code execution; researchers demonstrated full code execution on a Jellyfin media server. Because FFmpeg is embedded almost everywhere video is processed, the bug reaches many self-hosted tools, including Jellyfin, Kodi, Emby, Nextcloud, PhotoPrism, and OBS Studio. The fix shipped in FFmpeg 8.1.2, and several affected projects have updated or added mitigations.

Check
Identify self-hosted media and file-handling services that bundle FFmpeg, check their FFmpeg version, and determine whether they automatically process or generate thumbnails from user-supplied video files.
Affected
Applications using FFmpeg before 8.1.2 with the MagicYUV decoder enabled (CVE-2026-8461), including media servers like Jellyfin, Emby, Kodi, Nextcloud, PhotoPrism, and OBS Studio that ingest untrusted video files.
Fix
Update to FFmpeg 8.1.2 or later, or update the bundled application that ships it. Where patching lags, disable the MagicYUV decoder or block untrusted AVI, MKV, and MOV uploads until fixed.

WhatsApp malware spreads fake invoices that install remote-access admin tools

Kaspersky is tracking an active campaign that spreads through WhatsApp by hijacking real accounts and sending their contacts a script file disguised as a business or financial document, with no accompanying message. If a Windows user opens it, the script disables User Account Control protections and silently installs ManageEngine Endpoint Central, a legitimate IT remote-management tool, configured to connect to attacker servers and hand them remote control of the machine. Using trusted contacts and signed, legitimate software helps the attack slip past suspicion and many security tools. The campaign spans several countries, with most confirmed victims in Malaysia, and how the WhatsApp accounts are compromised is still unknown.

Check
Warn staff to treat unexpected document or invoice files sent over WhatsApp as suspect, even from known contacts, and watch for remote-management tools installed outside approved IT processes.
Affected
Windows users who receive and open script files sent through compromised WhatsApp contacts; the campaign is global, with most confirmed victims in Malaysia, and abuses legitimate remote-management software for access.
Fix
Verify unexpected files through a separate channel before opening, block script attachments, allowlist approved remote-management software and alert on unauthorized installs, and keep User Account Control enabled with endpoint protection active.

OXLOADER malvertising poses as Node.js installer to drop an infostealer

Elastic Security Labs detailed OXLOADER, a previously undocumented Windows loader that reaches victims through malicious Google Ads impersonating the Node.js download page and other developer tools. A developer searching for Node.js clicks a sponsored result, lands on a convincing fake site, and runs a script that quietly installs the loader, which then deploys an in-memory infostealer called CastleStealer to harvest credentials and other data. OXLOADER is heavily obfuscated, runs several anti-analysis checks, and skips machines set to Russian or in Russian-aligned regions, pointing to a financially motivated Russian-speaking operator. Google removed the advertiser account, but the technique of buying ads against developer searches remains widespread.

Check
Remind developers and staff not to install tools from sponsored search ads, and check endpoints for unexpected installs that began with a downloaded Node.js or developer-tool installer from a non-official site.
Affected
Developers and technical users who search for tools like Node.js and click sponsored ads leading to fake download sites; the payload is an infostealer that harvests credentials and sensitive data.
Fix
Download developer tools only from official project sites or package managers, use ad-blocking or DNS filtering to cut malvertising, and deploy endpoint detection that flags in-memory loaders and credential-stealing behavior.

Attacker drains Ethereum MEV bot JaredFromSubway using fake-token honeypot

An attacker drained the well-known Ethereum trading bot JaredFromSubway by patiently baiting it into a trap rather than exploiting a software bug. Over several weeks, the attacker deployed 66 fake token contracts and sham liquidity pools mimicking WETH, USDC, and USDT, structured so the bot's automated logic treated them as profitable opportunities and granted token-spending approvals to attacker-controlled contracts. Later trades left those approvals active, and a single transaction then swept the bot's real funds. Security firms estimate the loss near $7.5 million, while the operator claims around $15 million. It is a reminder that standing token approvals in automated systems are dangerous even when the underlying contracts are sound.

Check
If you run automated trading or other systems that grant token or spending permissions, review where standing approvals exist, whether they are scoped, and whether they are revoked after each use.
Affected
Operators of automated on-chain trading bots and similar systems that grant token-spending approvals based on automated logic; attackers can manipulate that logic with fake but convincing opportunities to win lasting permissions.
Fix
Scope and time-limit token approvals, revoke them immediately after use, validate counterparties beyond surface-level profitability signals, and monitor for unusual approval grants so automated systems cannot be tricked into arming attackers.