Last updated: July 6, 2026 at 12:53 AM UTC
All 559 Vulnerability 199 Breach 107 Threat 246 Defense 7

GitHub ships npm 11.15.0 with 2FA-gated staging, OIDC trusted publishing, and per-source install flags in response to TeamPCP wave

GitHub has shipped npm CLI 11.15.0 introducing a 'staging' workflow that lets maintainers run 'npm stage publish' to push a candidate to a staging area before going live - with the constraint that the package must already exist on the registry and have 2FA enabled on the account. Three new install flags (--allow-file, --allow-remote, --allow-directory) extend the existing --allow-git to give developers an explicit allowlist for every non-registry install source. GitHub is also encouraging maintainers to pair staging with trusted publishing via OIDC. The changes respond to the TeamPCP supply-chain wave that compromised hundreds of packages over the past several weeks.

Check
Inventory developer machines using npm CLI. Upgrade to 11.15.0+ to access the staging workflow. Identify high-impact packages your team publishes and require 2FA on those maintainer accounts.
Affected
Any npm publisher whose tokens or maintainer accounts could be hijacked. The TeamPCP wave hit 600+ packages in one hour on May 19 by abusing maintainer accounts.
Fix
Adopt 'npm stage publish' for production packages. Enable 2FA on all maintainer accounts. Configure trusted publishing via OIDC where supported. Apply --allow-file / --allow-remote / --allow-directory selectively in CI.

FBI warns of Kali365 phishing-as-a-service: OAuth device-code consent abuse against Microsoft 365 since April, $250-$2,000/year

The FBI has issued a warning about Kali365, a phishing-as-a-service platform that fueled large Microsoft 365 attacks in April. Instead of stealing passwords, Kali365 customers trigger Microsoft device-login requests and trick victims into completing the authorization, capturing OAuth access and refresh tokens that grant immediate mailbox access. Arctic Wolf, which infiltrated the system, says Kali365 sells in three tiers from $250 for 30 days to $2,000 for the year and generates branded phishing lures impersonating Adobe, DocuSign, and SharePoint in dozens of languages. Threat actors set malicious inbox rules to suppress security notifications and extend dwell time.

Check
Search Microsoft 365 audit logs for unfamiliar device-login completions and OAuth consent grants since April 1. Hunt for inbox rules that auto-delete or hide security-team email addresses.
Affected
Any Microsoft 365 tenant where users can complete device-login flows initiated by an attacker. Adobe, DocuSign, and SharePoint-themed lures are the primary social engineering vector.
Fix
Block device-code flow in Conditional Access for non-mobile platforms. Enforce phishing-resistant FIDO2 MFA. Train users to verify the device-login codes they approve. Audit OAuth-granted apps quarterly.

Italian Guardia di Finanza dismantles CINEMAGOAL piracy app that harvested fresh auth codes from legit Netflix, Disney+, Spotify subscriptions every 3 minutes

Italian Guardia di Finanza has dismantled CINEMAGOAL, an unusual piracy operation whose customers installed an app on their devices that authenticated directly to legitimate Netflix, Disney+, Spotify, Sky, and DAZN. A network of virtual machines in Italy captured fresh authentication and decryption codes from real subscriptions (opened under false identities) every three minutes and redistributed them to subscribers, who streamed at full quality with their real IPs masked. Operation 'Tutto Chiaro' executed 100 searches across Italy, seized servers in France and Germany, and identified about 70 resellers. The first 1,000 subscribers have been fined between €154 and €5,000.

Check
If you run an enterprise streaming or subscription product: search for accounts authenticating from Italian VM ranges with abnormally short session intervals (every 3 minutes) tied to suspicious billing details.
Affected
Streaming and content platforms (Netflix, Disney+, Spotify, Sky, DAZN are named victims). Subscribers signing up under fake identities, then sharing rotating auth tokens, is the core abuse pattern.
Fix
Add device-binding to subscription sessions so a captured token does not work elsewhere. Throttle simultaneous-stream limits at the network level. Strengthen identity verification at subscription signup.

Anthropic Mythos Preview AI finds 10,000+ high-severity flaws in widely used software; Cyber Verification Program launched

Anthropic has unveiled Claude Mythos Preview, a research-only AI model purpose-built for security tasks, and disclosed that it has used the model to find more than 10,000 high-severity vulnerabilities in widely used open-source and commercial software. Mythos has also been adapted to build end-to-end exploit chains and, in one Glasswing partner-bank case, helped block a $1.5 million fraudulent wire transfer. Anthropic is urging defenders to shorten patch windows because models with similar capability will soon be broadly available. It has launched a Cyber Verification Program that lets vetted researchers use the model without guardrails for legitimate vulnerability research, red teaming, and penetration testing.

Check
Audit your patch SLAs: how fast does a critical CVE move from vendor advisory to production? Aim for under 72 hours on internet-facing services.
Affected
Any organization that relies on adversaries lacking time to develop exploits. Mythos and similar models (OpenAI's GPT-5.5-Cyber) compress the exploit-development timeline dramatically.
Fix
Shorten patch testing and deployment cycles. Harden default configurations. Enforce phishing-resistant MFA. Apply for the Anthropic Cyber Verification Program if you do legitimate vulnerability research.

Laravel-Lang PHP packages compromised - autoload payload steals AWS, Azure, GCP, K8s, Vault, crypto wallets across Linux, macOS, Windows

Aikido Security and Socket have disclosed that several packages in the Laravel-Lang PHP ecosystem were compromised and used to ship a ~5,900-line PHP credential stealer that runs automatically the moment any consumer of the package boots. The dropper registers itself in composer.json under autoload.files, so no class instantiation or method call is needed - the payload triggers on every PHP request. It harvests AWS, Azure, GCP, Kubernetes, HashiCorp Vault, Jenkins, GitLab, GitHub Actions, CircleCI, browser data, password-manager vaults, SSH keys, crypto wallets, and VPN configs, then AES-encrypts the bundle and exfiltrates to flipboxstudio[.]info/exfil. The script then deletes itself to limit forensic recovery.

Check
Audit composer.lock files and Laravel deployments for any laravel-lang/* package installed since 2026-05-15. Search egress logs for traffic to flipboxstudio[.]info. Check src/helpers.php for unfamiliar code.
Affected
Any PHP application that pulled in a compromised laravel-lang package via Composer. The autoload trigger means the payload runs on every request, not just on first use.
Fix
Roll back to a known-clean laravel-lang version and pin via composer.lock. Rotate every cloud credential, SSH key, browser-stored token, and password-vault item reachable from affected hosts.

Ghostwriter (UAC-0057/UNC1151) targets Ukrainian government with Prometheus learning-platform lure, OYSTERSHUCK/OYSTERBLUES, Cobalt Strike payload

CERT-UA has documented a fresh Ghostwriter campaign (also tracked as UAC-0057 and UNC1151) using PDF lures themed around Prometheus, a Ukrainian online learning platform, to target Ukrainian government organizations. The phishing email contains a link to a ZIP that drops a JavaScript file (OYSTERFRESH), which displays a decoy document, writes an encrypted payload (OYSTERBLUES) to the Windows Registry, and downloads a loader (OYSTERSHUCK) that decodes and runs OYSTERBLUES. The final payload is Cobalt Strike. Ghostwriter is a Belarus-linked threat group that has been hitting Ukrainian targets continuously since 2022. CERT-UA recommends restricting wscript.exe for standard user accounts.

Check
Search Windows endpoints in Ukraine-facing operations for wscript.exe execution chains spawning JavaScript files. Look for HTTP POST exfiltration to unfamiliar C2 hosts after PDF email opens.
Affected
Ukrainian government organizations and contractors. Ghostwriter has been Russia and Belarus's most persistent Ukrainian-government-focused APT since 2022. PDF and ZIP attachments are the primary delivery vector.
Fix
Restrict wscript.exe execution for standard user accounts via AppLocker or WDAC. Block .js attachment delivery at the email gateway. Hunt for Cobalt Strike beacons in Ukraine-related operations.

Megalodon GitHub Actions attack scans 5,561 repos for CI/CD secrets; polymarketdev publishes nine wallet-stealer npm packages

SafeDep has detailed Megalodon, a GitHub Actions attack that scans 5,561 repositories for usable CI/CD secrets and credentials by submitting malicious pull requests that contain crafted workflow files. The campaign appears unrelated to the recent TeamPCP supply-chain wave. Separately, a throwaway npm account 'polymarketdev' published nine packages within 30 seconds (polymarket-trading-cli, polymarket-terminal, polymarket-trade, polymarket-auto-trade, polymarket-copy-trading, polymarket-bot, polymarket-claude-code, polymarket-ai-agent, polymarket-trader) that, on postinstall, present a fake wallet onboarding prompt and exfiltrate Ethereum and Polygon private keys to a Cloudflare Worker at polymarketbot.polymarketdev.workers[.]dev. The malicious packages remain live on npm at time of publication.

Check
Search GitHub Actions audit logs for unfamiliar workflow files added via pull requests since May 21. Search npm install logs for any polymarket-* package.
Affected
5,561 GitHub repositories specifically targeted by Megalodon malicious pull requests. Any Ethereum or Polygon developer who installed polymarket-* npm packages exposed wallet keys.
Fix
Restrict workflows triggered by pull_request_target. Pin GitHub Actions to full commit SHAs not tags. Treat any system that ran polymarket-* packages as compromised; rotate wallet keys immediately.

Netherlands seizes 800 servers of Stark Industries successor WorkTitans/THE.Hosting - links to NoName057(16) Russian hacktivists

The Dutch Financial Crime Investigation Service (FIOD) has arrested two men and seized 800 servers during raids on data centers in Dronten and Schiphol-Rijk that hosted infrastructure for cyberattacks, disinformation, and influence operations tied to sanctioned Russian and Belarusian entities. The 57-year-old company director and a 39-year-old connectivity provider face charges of indirectly providing economic resources to EU-sanctioned parties. The web hosting company Stark Industries was sanctioned by the EU last May; investigators say its infrastructure was simply transferred to a newly created Dutch company called WorkTitans B.V., trading under THE.Hosting. Mirhosting, which provided physical colocation and connectivity, denies knowingly supporting illegal operations.

Check
Search egress logs for connections to Stark Industries or THE.Hosting / WorkTitans IP ranges since 2022. Cross-reference with NoName057(16) DDoS infrastructure published by national CERTs.
Affected
Targets of pro-Russian disinformation, DDoS, and influence operations - particularly EU government, banking, and critical-infrastructure sectors. NoName057(16) frequently targets Ukrainian allies.
Fix
Block known Stark Industries / WorkTitans / Mirhosting IP ranges at the perimeter where there is no legitimate business need. Refresh DDoS protection runbooks for NoName057(16) campaigns.

Calypso (Red Lamassu) Chinese APT hits APAC and Middle East telcos with Showboat Linux SOCKS5 backdoor and JMFBackdoor Windows RAT

Lumen Black Lotus Labs and PwC Threat Intelligence have detailed a Chinese cyber-espionage campaign tied to the Calypso group (also tracked as Red Lamassu) that has been hitting telecommunications providers across Asia Pacific and parts of the Middle East since mid-2022. The operators run a Linux post-exploitation framework called Showboat (or kworker) that doubles as a SOCKS5 proxy and port-forwarder, plus a Windows RAT called JMFBackdoor delivered via DLL-sideloading of fltMC.exe + FLTLIB.dll. Showboat retrieves a 'hide' command from public dead-drops like Pastebin to mask its process. The tooling appears to be shared across multiple China-aligned clusters targeting distinct victim sets.

Check
Hunt telco environments for processes named kworker or fltMC.exe with anomalous DLL loads (FLTLIB.dll). Inspect outbound traffic for SOCKS5 traffic to unexpected destinations. Check Pastebin requests.
Affected
Telecommunications providers across Asia Pacific and the Middle East. Multiple China-aligned clusters share the Showboat and JMFBackdoor tooling and certificate-generation patterns across distinct victim sets.
Fix
Block dead-drop dependencies by restricting Pastebin and similar code-paste domains at egress. Hunt for fltMC.exe sideloaded with non-Microsoft FLTLIB.dll. Apply Lumen Black Lotus Labs and PwC IoCs.

First VPN service taken offline by Europol - 33 servers in 27 countries seized, Ukrainian operator questioned, used in ransomware

A joint operation between French, Dutch and 14 other authorities, coordinated by Europol and Eurojust, has taken down First VPN, a privacy-focused VPN service that was advertised on cybercrime forums as a no-logs option that ignored law enforcement requests. Authorities seized 33 servers across 27 countries, took down the 1vpns.com, 1vpns.net, 1vpns.org domains and the onion mirrors, and questioned a Ukrainian suspect. Investigators infiltrated the infrastructure before takedown and pulled the user database, sharing 506 user identifications and 83 intelligence packages internationally. Europol says the service name turned up in nearly every major cybercrime investigation it has supported in recent years.

Check
Search VPN allowlists and detection alerts for users connecting from First VPN exit IPs in the last two years. Check 1vpns.com / 1vpns.net / 1vpns.org references in firewall and proxy logs.
Affected
Investigators or threat hunters whose historical IoC sets included First VPN exit IPs. 506 specific users have been internationally referred; affected parties should expect law-enforcement contact.
Fix
Refresh detection rules with seized First VPN exit IPs once Europol shares them. If your historical attacker IoCs included First VPN nodes, re-correlate against the freshly identified users.