Last updated: July 6, 2026 at 12:53 AM UTC
All 559 Vulnerability 199 Breach 107 Threat 246 Defense 7

Dashlane locks out users after external brute-force attack triggers automated account suspensions; no system compromise, accounts restored

Password manager Dashlane locked out multiple users after an external brute-force attack triggered its automated account-suspension defenses. Affected users received emails about suspicious access requests and device-registration codes from foreign locations they did not initiate, prompting confusion about whether the messages were themselves phishing. Dashlane confirmed the suspensions were a built-in security response to credential-stuffing-style login attempts and said there is no evidence its systems were compromised. The company opened an investigation on May 31 at 15:19 UTC and marked it resolved by 22:30 UTC, with all affected accounts unsuspended. The episode shows account-lockout defenses working as designed, though the user-experience and phishing-confusion fallout is real.

Check
If your team uses Dashlane and saw lockouts, confirm accounts are restored and that the device-registration emails were legitimate, not phishing. Verify no unauthorized devices were registered.
Affected
Dashlane users targeted by external credential-stuffing/brute-force. No Dashlane system compromise reported; risk is account-takeover attempts and phishing confusion from legitimate-but-unexpected security emails.
Fix
Enable the strongest available MFA on Dashlane. Use a unique high-entropy master password. Treat unexpected device-registration codes as suspicious and verify via Dashlane's status page, not email links.

Operation Dragon Weave: China-aligned spear-phishing hits Czech and Taiwan officials with Rust RUSTCLOAK loader and Azure-hosted AdaptixC2

Seqrite Labs has documented Operation Dragon Weave, a China-aligned cyber-espionage campaign targeting government, research, academic, technology, and financial-services organizations in the Czech Republic and Taiwan. Spear-phishing emails carry ZIP attachments that trigger one of two infection chains: a malicious LNK file masquerading as a PDF that runs PowerShell, or a self-contained Rust dropper launched directly. Both extract RuntimeBroker_update.exe, which DLL-sideloads a malicious UnityPlayer.dll to deploy a Rust loader called RUSTCLOAK. RUSTCLOAK decrypts and runs the final payload, an AdaptixC2 agent codenamed AZUREVEIL that uses Microsoft Azure Blob Storage for command-and-control. The use of legitimate cloud services for C2 and Rust tooling complicates detection.

Check
Hunt for LNK files masquerading as PDFs, RuntimeBroker_update.exe, and DLL side-loading of UnityPlayer.dll. Search egress for AdaptixC2 traffic to Azure Blob Storage endpoints. Apply Seqrite IoCs.
Affected
Government, research, academic, technology, and financial-services organizations in the Czech Republic and Taiwan - Dragon Weave's named targets. Spear-phishing with ZIP attachments is the delivery vector.
Fix
Block ZIP-with-LNK email attachments at the gateway. Restrict PowerShell for standard users. Hunt for RUSTCLOAK and AZUREVEIL indicators. Monitor anomalous outbound Azure Blob Storage connections.

Hackers social-engineer Meta's new AI account-recovery bot to hijack high-value Instagram handles; MFA-enabled accounts were unaffected

Krebs on Security reports that attackers social-engineered Meta's newly-deployed conversational AI account-recovery assistant to hijack high-value, short Instagram handles allegedly worth over half a million dollars. Meta had rolled out the AI layer to reduce friction in common recovery workflows - relinking emails, triggering password resets, verifying ownership - that previously required weeks of back-and-forth with automated ticketing. Just as human support staff can be tricked into granting unauthorized access, the AI assistant proved equally eager to help and vulnerable to manipulation. Meta pushed an emergency patch over the weekend and says no back-end database was breached. Critically, the exploit failed against any account with MFA enabled.

Check
For high-value social accounts, enable phishing-resistant MFA (passkey or security key) now. Review whether any platforms you depend on use AI bots for sensitive account-recovery workflows.
Affected
High-value Instagram accounts without MFA. More broadly, any platform deploying AI chatbots for account recovery creates a social-engineerable attack surface, just like human support staff.
Fix
Enable the strongest MFA available - even SMS codes blocked this exploit. Treat AI-driven account-recovery flows as a new attack surface and require step-up verification for high-value account changes.

Anthropic to give EU cybersecurity agency ENISA access to Mythos via Project Glasswing - first non-US/UK entity, terms still negotiating

Anthropic is set to give the EU's cybersecurity agency ENISA access to its restricted Mythos model through Project Glasswing - making ENISA the first EU institution and first entity outside the US and UK to join. The move, communicated to the European Commission over the weekend, ends a weeks-long standoff after euro-area finance ministers, the ECB, and member states demanded access on learning Mythos had found flaws in systems European banks, governments, and critical infrastructure rely on. Terms covering data sovereignty, sharing findings with member states, and the scope of systems ENISA may test are still being negotiated. BNP Paribas and Mistral continue building a European alternative.

Check
EU-based organizations: track ENISA's Mythos access as a future channel for coordinated vulnerability findings affecting European infrastructure. Factor frontier-AI vulnerability discovery into your patch-SLA planning.
Affected
European banks, governments, and critical-infrastructure operators whose systems Mythos has already flagged but whose findings were not previously visible to any EU institution until ENISA's access.
Fix
Compress patch cycles in anticipation of AI-surfaced vulnerability disclosures. Engage national CERTs and ENISA channels as they mature. Assume similarly capable models will broaden access over coming months.

Dutch police dismantle 17-million-device botnet linked to Asocks proxy service, seize 200+ servers at local hosting provider

Dutch authorities have taken offline a botnet of at least 17 million infected computers, tablets, and smartphones, seizing more than 200 servers at a Netherlands-based hosting provider. The action was led by the National Police with the National Cyber Security Centre (NCSC). Local media link the infrastructure to Asocks, a service that advertises itself as a universal residential-proxy provider - the kind of proxy network used to launder malicious traffic, run credential-stuffing and ad fraud, and anonymize attacks. The hosting provider took the botnet offline once it was confirmed to be supporting criminal activity. Authorities have not formally named the botnet or announced arrests.

Check
Check whether your network egress or fraud logs show traffic to or from Asocks residential-proxy exit nodes. Review IoT and endpoint fleets for proxyware infections feeding such services.
Affected
17 million compromised devices (computers, tablets, smartphones) conscripted into the proxy botnet. Organizations targeted via proxied credential-stuffing, ad fraud, and anonymized attacks routed through residential IPs.
Fix
Block known Asocks infrastructure once IoCs are published. Hunt for proxyware and residential-proxy SDKs on managed devices. Add residential-proxy ASNs to fraud-scoring and bot-detection rules.

WithSecure: Russia-linked GREYVIBE targets Ukraine with AI-assisted malware via PhantomMail, PhantomRelay RAT, and ClickFix fake-CAPTCHA chains

WithSecure has attributed persistent attacks against Ukraine and Ukraine-related entities since at least August 2025 to GREYVIBE, a previously undocumented Russian-speaking group operating in the Russian time zone and aligned with Kremlin intelligence interests. Victims span military, government, civilian, and business organizations. The group uses spear-phishing (PhantomMail, delivering JavaScript loaders from Google Drive and 4sync), a PowerShell RAT called PhantomRelay, and ClickFix-style fake-CAPTCHA pages (PhantomClick) impersonating Zoom and a fake adult-club site (PrincessClub). WithSecure describes GREYVIBE as low-to-moderately sophisticated, hampered by repeated OPSEC mistakes, but increasingly relying on generative AI and LLMs to accelerate malware development. Some members have ties to the broader Russian cybercrime ecosystem.

Check
Hunt for PhantomRelay PowerShell RAT activity and JavaScript loaders from Google Drive or 4sync links. Block known GREYVIBE ClickFix domains impersonating Zoom. Apply WithSecure IoCs.
Affected
Ukrainian military, government, civilian, and business organizations and Ukraine-related entities. Delivery via spear-phishing, fake CAPTCHA pages, and fraudulent adult-club websites since August 2025.
Fix
Block GREYVIBE C2 and loader-hosting domains per WithSecure. Restrict PowerShell for standard users. Train staff against ClickFix fake-CAPTCHA 'paste this command' prompts. Monitor Google Drive/4sync archive downloads.

Google Chrome rolls out Device Bound Session Credentials to all users, binding cookies to TPM/Secure Enclave against theft

Google has made Device Bound Session Credentials (DBSC) generally available in Chrome, rolling it out to all users to blunt session-cookie theft. First announced in 2024 and in beta since April, DBSC cryptographically binds session cookies to a specific device using the hardware security chip - the TPM on Windows or the Secure Enclave on macOS. Because the public/private keys are generated inside the security chip and never leave it, stolen cookies become useless on any other machine, defeating the infostealer-to-account-takeover pipeline that bypasses MFA. Google frames it as a shift from reactive detection to proactive prevention. The protection is most effective where sites adopt the DBSC server-side protocol.

Check
Confirm managed Chrome fleets are updated to the DBSC-capable release. For your own web properties, evaluate adopting the server-side DBSC protocol to bind user sessions to device hardware.
Affected
Organizations relying on session cookies without device binding remain exposed to infostealer-driven account takeover that bypasses MFA. DBSC only protects sessions where both browser and server support it.
Fix
Roll out DBSC-capable Chrome via policy. Implement the DBSC server-side protocol on high-value web apps. Pair with phishing-resistant MFA and short session lifetimes for defense in depth.

Signal phishing campaign impersonates Support to steal backup recovery keys from journalists and activists, enabling full message decryption

Security researchers are warning of a phishing campaign that impersonates Signal Support over text message to steal users' backup recovery keys, specifically targeting journalists and activists. Once an attacker obtains the recovery key, they can decrypt the victim's entire message-history backup. The campaign relies purely on social engineering - there is no flaw in Signal's cryptography - tricking targets into handing over the secret that protects their encrypted backups. The targeting of journalists and activists points to surveillance-motivated actors rather than financially-driven crime. Signal users should treat any unsolicited 'Support' contact requesting recovery keys or codes as hostile, since Signal never asks for them.

Check
Brief journalists, activists, and high-risk staff that Signal never requests backup recovery keys. Treat any 'Signal Support' text asking for keys or codes as a phishing attempt and report it.
Affected
Signal users - particularly journalists and activists targeted by surveillance-motivated actors. The attack is pure social engineering; Signal's encryption is not broken, but a handed-over recovery key decrypts all backups.
Fix
Never share Signal recovery keys or codes with anyone. Enable registration lock. For high-risk users, store recovery keys offline and verify any support contact through official Signal channels only.

Anthropic confirms public Mythos rollout in 'coming weeks' - claimed more powerful than Opus 4.8, guardrails developed during preview

Anthropic has confirmed it will roll out Claude Mythos-class models to the general public in the coming weeks. Mythos was originally announced in April as a restricted preview available only to select security researchers and partners; Anthropic cited significant security risks if released too broadly. The company now says it has developed sufficient guardrails. Anthropic frames the trade-off as compressing the attacker advantage: 'in the short term, this could be attackers, if frontier labs aren't careful... in the long term, defenders will more efficiently direct resources and use these models to fix bugs.' Pricing and tier availability are not yet disclosed.

Check
Update internal AI-tool governance policies to cover Mythos-class capability tier. Identify which teams (security research, code audit, IR) would benefit from access once it ships.
Affected
Organizations with patch SLAs measured in weeks. Mythos-class models may surface unpatched flaws at attacker-tool speed; defenders need to compress SLAs to keep pace.
Fix
Tighten patch cycles on internet-facing services. Enroll qualifying security researchers in Anthropic's Cyber Verification Program. Draft internal disclosure policy before broad enablement.

JINX-0164 targets crypto firms with LinkedIn recruiter lures and macOS AUDIOFIX malware - lateral move into CI/CD code distribution

Wiz has documented JINX-0164, a previously undocumented financially-motivated threat actor targeting cryptocurrency firms via recruitment-themed social engineering and bespoke macOS malware since at least mid-2025. The chain starts with credible LinkedIn profiles offering virtual meetings; victims are steered to a rogue teleconference page that delivers a malicious 'meeting client.' A bash script then pulls AUDIOFIX, a Python-based macOS infostealer and RAT, from apple.driver-store[.]com. The payload is architecture-aware (Intel and Apple Silicon), saved as ChromeUpdater, masquerades as the system audio daemon coreaudiod, and persists via launchctl. AUDIOFIX moves laterally from developer laptops into code-distribution and CI/CD infrastructure, modifying source code to steal wallets at scale.

Check
Train developer and finance teams against LinkedIn recruiter approaches followed by 'meeting client' downloads. Hunt macOS endpoints for ChromeUpdater, coreaudiod imposters, and launchctl-loaded LaunchDaemons.
Affected
Cryptocurrency firms and crypto-adjacent developers using macOS, especially with access to CI/CD or code-distribution infrastructure. LinkedIn recruitment lures are the dominant initial vector.
Fix
Apply Wiz IoCs including apple.driver-store[.]com. Restrict launchctl persistence to known LaunchDaemons. Require strong identity attestation before any new meeting-client install. Audit CI/CD signing keys.