Attackers hijacked more than 400 packages in the Arch User Repository (AUR), the community add-on store for Arch Linux, in a supply-chain attack dubbed Atomic Arch. Rather than exploiting a flaw, they adopted abandoned packages and quietly edited the build recipe (PKGBUILD) to pull in a malicious npm package, atomic-lockfile, at install time. The payload is a Rust credential stealer that grabs browser logins, SSH keys, crypto wallets, and developer tokens; when run as root it also loads an eBPF rootkit that hides its processes, files, and network connections. Only the AUR is affected, not Arch's official repositories. The package names and histories looked completely normal.
Sygnia has detailed Operation Highland, a campaign in which the China-linked group Velvet Ant hid inside the Linux authentication stack itself for close to a decade, with traces back to 2016. Instead of dropping detectable malware, the attackers replaced the trusted PAM login module (pam_unix.so) and OpenSSH binaries with backdoored versions, found in nine distinct variants. Some accepted a hardcoded secret password; others silently logged real usernames, passwords, and every command typed, with a hidden switch to turn logging off. Because login programs are trusted and rarely inspected, the activity looked like normal administration and evaded scanners on a network with no direct internet access.
Google has filed suit against a Chinese cybercrime network it says abused its Gemini AI to mass-produce phishing text messages and fake websites targeting Americans. The group runs a phishing-as-a-service kit called Outsider and used Gemini to generate fraudulent pages and large smishing campaigns. The texts impersonate trusted brands, warning of "brokerage account issues" or dangling carrier "rewards," and link to lookalike sites that harvest personal and financial details. Google says the lawsuit aims to dismantle the network's infrastructure. The case underscores how criminals are folding mainstream AI tools into industrialized phishing operations.
The Gentlemen, a ransomware-as-a-service operation tracked by Microsoft as Storm-2697, has been upgraded with a self-spreading mode and now claims 478 victims across dozens of countries and industries. Written in Go and obfuscated to evade analysis, its optional --spread switch turns a single-machine infection into a network worm that deploys the encryptor to every reachable system, using stolen or reused credentials to move laterally. A --wipe switch destroys recoverable data and forensic traces. On each host it disables Defender, weakens firewall and authentication settings, and adds scheduled tasks for persistence. Initial access often comes through compromised Fortinet edge-device credentials.
In an unusual misinformation campaign, fraudulent data-breach notices were submitted to Maine's official Attorney General breach portal and published before anyone verified them, forcing named companies to issue denials. One filing falsely claimed a Discord breach affecting more than 10 million people, submitted not by a company representative but by an individual using a personal Gmail address, a placeholder phone number, and impossible dates. Because the portal is public and a listing does not mean a breach is confirmed, the fakes can spread fear, damage reputations, and seed convincing phishing lures. It highlights how trusted disclosure channels can be weaponized.
Researchers at BlackFog have detailed OnyxC2, a new malware-as-a-service sold on cybercrime forums that packages professional-grade data theft for as little as $250 a month, with a $500 premium tier adding hidden-desktop control and a $6,000 buyout option. It ships with a polished control panel and ready-made lures disguised as FinePrint, Windows Settings, a fake Windows update, and a game installer. Its payloads slipped past VirusTotal scanning when first uploaded and were still undetected weeks later, and builds use AES-256 encryption. The low price and turnkey design lower the barrier for less-skilled criminals to run capable infostealing campaigns.
Lumen's Black Lotus Labs warns that JDY, a covert botnet tied to Chinese state-linked groups including Volt Typhoon, has more than doubled to over 1,500 hacked home and small-office routers, firewalls, and IoT devices. Unlike a DDoS botnet, JDY is a distributed scanning network: it fingerprints exposed services across the internet and flags systems vulnerable to newly disclosed bugs, often within hours of disclosure. It keeps a heavy focus on the US, especially military and associated networks, and survived the 2024 FBI takedown of its parent KV-botnet. Because traffic comes from thousands of ordinary residential IPs, simple IP blocking does not stop it.
Mackay Sugar, Australia's second-largest sugar producer, has shut down two of its Queensland mills after a cybersecurity incident, halting production and stopping sugarcane harvesting at the peak of the season. The company confirmed the attack on Wednesday and has brought in outside cybersecurity experts and local authorities to investigate and restore systems. It has not yet said who was responsible or whether data was stolen, but the operational shutdown is consistent with a ransomware attack. The incident is the latest example of attackers disrupting food and agriculture operations, a sector whose industrial systems are increasingly targeted for maximum pressure.
Trend Micro reports that at least two Russia-aligned groups, including Gamaredon, are exploiting a WinRAR flaw that was patched nearly a year ago to attack Ukrainian military and government organizations. The attacks start with emails carrying a booby-trapped RAR archive that abuses a path-traversal bug (CVE-2025-8088) to silently drop a malicious shortcut into the Windows Startup folder using NTFS Alternate Data Streams. One cluster, tracked by Ukraine's CERT-UA as UAC-0226, then installs an updated GiftedCrook stealer that grabs browser passwords, session cookies, and documents before deleting itself. The campaigns are a reminder that unpatched WinRAR remains a reliable foothold for attackers.
The ongoing Shai-Hulud supply-chain campaign has struck again, this time trojanizing 19 Python packages on PyPI, many of them popular bioinformatics tools like Dynamo, Spateo, CoolBox, and Napari-UFISH that have been downloaded hundreds of thousands of times. Discovered by Socket, the wave pushed 37 malicious package versions from what looks like a single compromised maintainer, each carrying code that steals developer secrets such as cloud keys and tokens, then uses them to spread further. PyPI has quarantined affected releases. The credential-stealing behavior and tactics match earlier Shai-Hulud activity tied to the group TeamPCP, whose worm code leaked publicly last month.