Last updated: July 5, 2026 at 9:01 AM UTC
Tag: impersonation (3 articles)

Ransomware crews pose as Interpol to pressure small businesses into paying

Dark Reading reports a ransomware campaign that leans on impersonating Interpol to pressure small businesses, using straightforward social engineering rather than sophisticated tooling. By dressing up their demands as communications from the international police organization, the attackers try to intimidate owners and staff who may lack dedicated security teams into believing they are in legal trouble and paying up. The campaign spans several regions, including the United States, Europe, and the Middle East. It is a reminder that authority-themed impersonation remains effective against smaller organizations, where a convincing-looking notice can short-circuit normal caution and verification.

Check
Warn staff, especially at smaller organizations, that law-enforcement bodies like Interpol do not demand payment by email or pop-up, and that any such message should be verified through official channels before acting.
Affected
Small and mid-sized businesses without dedicated security teams, across the US, Europe, and the Middle East; attackers use Interpol-themed intimidation to rush victims into paying rather than verifying the demand's legitimacy.
Fix
Train employees to recognize authority-impersonation scams, verify any law-enforcement contact independently, maintain tested offline backups, and give staff a clear, judgment-free way to report suspicious demands before they act.

Attackers abuse OpenAI organization invites to phish data from security firms

Push Security reports that attackers are creating OpenAI organizations that impersonate legitimate companies and inviting employees, including at cybersecurity firms, to join them, aiming to trick people into entering sensitive company information into chats and projects under attacker control. The danger is that the invitations come from OpenAI's own infrastructure, so they are genuine messages and slip past email security controls that would catch ordinary phishing. It is a reminder that trusted SaaS platforms can be turned into phishing channels through their normal invitation features, where the message itself is legitimate even though the inviting organization is fraudulent. Verification of unexpected invites is the key defense.

Check
Tell staff to treat unexpected invitations to join an organization on OpenAI or other SaaS platforms with suspicion, and monitor which external organizations employees' work accounts have joined.
Affected
Employees, including at security firms, who receive genuine-looking organization invitations from SaaS platforms; data typed into an attacker-controlled organization's chats or projects is exposed to the attacker.
Fix
Train staff to verify unexpected SaaS organization invitations through a separate channel, monitor SaaS organization memberships, and set policies on which platforms and tenants employees may join with work accounts.

Attackers planted 73 fake VS Code extensions on Open VSX as 'sleepers' that pretended to be popular tools, then quietly turned malicious

Socket reported 73 newly identified malicious extensions on Open VSX, the marketplace used by VS Code, Cursor, and Windsurf editors. The extensions impersonate popular developer tools: same name, same icon, but published by newly created GitHub accounts with empty repositories. Instead of being malicious from day one, they sit harmlessly for weeks gathering downloads and trust, then push a 'normal' update that silently installs malware. Six of the 73 extensions have already activated; the rest are still in the sleeper phase. The campaign is part of GlassWorm, an ongoing supply-chain attack family that has been working its way through npm, GitHub, and editor extension marketplaces since 2025.

Check
Check every developer machine and CI runner for editor extensions, verify each publisher matches the official one, and remove anything you can't account for.
Affected
Developers using VS Code, Cursor, Windsurf, or other Open VSX-compatible editors who installed extensions in the past two months. Particularly risky if your team installs popular extensions by name without checking publisher namespace, or auto-updates extensions without review. Sleeper extensions look identical to legitimate ones, so visual checks alone are insufficient.
Fix
List installed extensions in each editor and cross-check the publisher against the legitimate one (microsoft.* for Microsoft tools, the original project's GitHub for others). Remove any with newly created publishers or mismatched namespaces. Disable auto-update on extensions in higher-risk environments. Allowlist approved extensions in managed dev environments. Socket's GlassWorm v2 page tracks the 73 by name.
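
One way to automate the publisher cross-check described in the Fix above, as an added example that is not from Socket or the original article. It assumes the `publisher.name@version` lines printed by `code --list-extensions --show-versions`; the allowlist, the sample listing and the flagged publisher names are constructed for illustration.

```python
# Added example: audit installed editor extensions against an allowlist.
# The allowlist, sample listing, and flagged publisher names are constructed.

# Approved extension IDs in publisher.name form (replace with your reviewed list).
APPROVED = {"ms-python.python", "esbenp.prettier-vscode", "dbaeumer.vscode-eslint"}

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE = """\
ms-python.python@2024.2.1
fresh-acct-01.prettier-vscode@1.0.3
DBaeumer.vscode-eslint@2.4.4
unknown-dev.color-helper@0.0.9
"""


def parse_extension_list(text):
    """Yield (publisher, name, version) from publisher.name@version lines."""
    for line in text.splitlines():
        ext_id, _, version = line.strip().partition("@")
        publisher, dot, name = ext_id.lower().partition(".")
        if dot and publisher and name:  # skip blanks and header lines
            yield publisher, name, version


def audit(text, approved=APPROVED):
    """Sort installed extensions into ok / namespace_mismatch / unapproved."""
    approved = {a.lower() for a in approved}
    # Map bare extension name -> approved full ID, to catch same-name lookalikes.
    by_name = {a.split(".", 1)[1]: a for a in approved}
    findings = {"ok": [], "namespace_mismatch": [], "unapproved": []}
    for publisher, name, _version in parse_extension_list(text):
        ext_id = f"{publisher}.{name}"
        if ext_id in approved:
            findings["ok"].append(ext_id)
        elif name in by_name:
            # Same name as an approved tool but a different publisher namespace.
            findings["namespace_mismatch"].append((ext_id, by_name[name]))
        else:
            findings["unapproved"].append(ext_id)
    return findings


if __name__ == "__main__":
    for category, items in audit(SAMPLE).items():
        print(category, items)
```

Entries under `namespace_mismatch` are the ones to treat as likely impersonation; `unapproved` entries need a review decision before they stay installed.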