Last updated: July 6, 2026 at 12:53 AM UTC
All 559 Vulnerability 199 Breach 107 Threat 246 Defense 7

Over 400 Arch Linux AUR packages hijacked to drop stealer and rootkit

Attackers hijacked more than 400 packages in the Arch User Repository (AUR), the community add-on store for Arch Linux, in a supply-chain attack dubbed Atomic Arch. Rather than exploiting a flaw, they adopted abandoned packages and quietly edited the build recipe (PKGBUILD) to pull in a malicious npm package, atomic-lockfile, at install time. The payload is a Rust credential stealer that grabs browser logins, SSH keys, crypto wallets, and developer tokens; when run as root it also loads an eBPF rootkit that hides its processes, files, and network connections. Only the AUR is affected, not Arch's official repositories. The package names and histories looked completely normal.

Check
List AUR packages installed or updated since June 9 and diff their PKGBUILD and install scripts, flagging any that invoke npm, pip, or cargo for no clear reason.
Affected
Arch Linux and Arch-based systems where AUR packages were installed or updated on or after June 9 via helpers like yay or paru; root installs also expose an eBPF rootkit.
Fix
Remove affected packages and rotate all credentials, SSH keys, tokens, and wallets from the host. If a package ran as root, rebuild the machine; the rootkit makes in-place cleanup untrustworthy.

China-linked Velvet Ant hid in Linux login software for nearly a decade

Sygnia has detailed Operation Highland, a campaign in which the China-linked group Velvet Ant hid inside the Linux authentication stack itself for close to a decade, with traces back to 2016. Instead of dropping detectable malware, the attackers replaced the trusted PAM login module (pam_unix.so) and OpenSSH binaries with backdoored versions, found in nine distinct variants. Some accepted a hardcoded secret password; others silently logged real usernames, passwords, and every command typed, with a hidden switch to turn logging off. Because login programs are trusted and rarely inspected, the activity looked like normal administration and evaded scanners on a network with no direct internet access.

Check
Integrity-check PAM modules (pam_unix.so) and OpenSSH binaries on Linux hosts against known-good hashes from your distribution, and watch for logins succeeding with unexpected or hardcoded credentials.
Affected
Linux environments, especially internal servers and appliances without endpoint detection, where attackers with prior access can replace authentication binaries; high-value, long-dwell espionage targets are most at risk.
Fix
Reinstall PAM and OpenSSH from trusted distribution packages, rotate all credentials that may have been harvested, deploy file-integrity monitoring on authentication binaries, and extend detection to appliances lacking EDR.

Google sues Chinese network for weaponizing Gemini AI in smishing scams

Google has filed suit against a Chinese cybercrime network it says abused its Gemini AI to mass-produce phishing text messages and fake websites targeting Americans. The group runs a phishing-as-a-service kit called Outsider and used Gemini to generate fraudulent pages and large smishing campaigns. The texts impersonate trusted brands, warning of "brokerage account issues" or dangling carrier "rewards," and link to lookalike sites that harvest personal and financial details. Google says the lawsuit aims to dismantle the network's infrastructure. The case underscores how criminals are folding mainstream AI tools into industrialized phishing operations.

Check
Remind staff and yourself to treat unexpected texts about account problems or rewards as suspect, and review mobile-threat and link-protection telemetry for spikes in smishing referencing banks or carriers.
Affected
Mobile users, especially in the US, targeted by SMS phishing impersonating banks, brokerages, and phone carriers via the Outsider phishing-as-a-service kit; financial and personal data are the goal.
Fix
Never click links in unsolicited texts; navigate to institutions directly. Enable carrier and device spam filtering, report smishing, and use phishing-resistant MFA so stolen passwords alone cannot unlock accounts.

The Gentlemen ransomware adds worm-like spread, tops 478 victims

The Gentlemen, a ransomware-as-a-service operation tracked by Microsoft as Storm-2697, has been upgraded with a self-spreading mode and now claims 478 victims across dozens of countries and industries. Written in Go and obfuscated to evade analysis, its optional --spread switch turns a single-machine infection into a network worm that deploys the encryptor to every reachable system, using stolen or reused credentials to move laterally. A --wipe switch destroys recoverable data and forensic traces. On each host it disables Defender, weakens firewall and authentication settings, and adds scheduled tasks for persistence. Initial access often comes through compromised Fortinet edge-device credentials.

Check
Hunt for The Gentlemen's persistence markers (scheduled tasks named UpdateSystem or UpdateUser, Run keys GupdateS and GupdateU), and audit Fortinet edge devices for compromised or reused credentials.
Affected
Windows-based organizations, plus Linux, NAS, BSD, and ESXi systems; networks with flat segmentation and shared credentials are most exposed to the worm-like lateral spread.
Fix
Enforce unique credentials and phishing-resistant MFA, segment networks to limit lateral movement, keep offline tested backups, patch and monitor Fortinet edge devices, and harden Defender against tampering.

Attackers post fake breach notices to Maine's public disclosure portal

In an unusual misinformation campaign, fraudulent data-breach notices were submitted to Maine's official Attorney General breach portal and published before anyone verified them, forcing named companies to issue denials. One filing falsely claimed a Discord breach affecting more than 10 million people, submitted not by a company representative but by an individual using a personal Gmail address, a placeholder phone number, and impossible dates. Because the portal is public and a listing does not mean a breach is confirmed, the fakes can spread fear, damage reputations, and seed convincing phishing lures. It highlights how trusted disclosure channels can be weaponized.

Check
Monitor state breach-notification portals for filings naming your organization, and verify any breach claim about a vendor or partner through that company's official channels before acting on it.
Affected
Any organization that can be named in a fraudulent filing, and the public and journalists who treat a portal listing as confirmation; the underlying portal trust model is the weakness.
Fix
Establish monitoring and a rapid-denial process for fake filings, brief staff and customers to confirm breach notices via official sources, and press regulators to add basic submitter verification.

Cheap OnyxC2 service puts enterprise-grade data theft within easy reach

Researchers at BlackFog have detailed OnyxC2, a new malware-as-a-service sold on cybercrime forums that packages professional-grade data theft for as little as $250 a month, with a $500 premium tier adding hidden-desktop control and a $6,000 buyout option. It ships with a polished control panel and ready-made lures disguised as FinePrint, Windows Settings, a fake Windows update, and a game installer. Its payloads slipped past VirusTotal scanning when first uploaded and were still undetected weeks later, and builds use AES-256 encryption. The low price and turnkey design lower the barrier for less-skilled criminals to run capable infostealing campaigns.

Check
Watch endpoints for execution of lure-style installers impersonating FinePrint, Windows Settings, or Windows updates from untrusted sources, and hunt for unexplained outbound data transfers and hidden-desktop activity.
Affected
Organizations whose staff can be tricked into running disguised installers; the low cost and bundled lures widen the pool of attackers able to deploy capable infostealers.
Fix
Restrict software installation to approved sources, enforce application allow-listing and EDR with behavioral detection, train staff on disguised-installer lures, and monitor for and block anomalous data exfiltration.

China-linked JDY botnet scans US military networks for fresh flaws

Lumen's Black Lotus Labs warns that JDY, a covert botnet tied to Chinese state-linked groups including Volt Typhoon, has more than doubled to over 1,500 hacked home and small-office routers, firewalls, and IoT devices. Unlike a DDoS botnet, JDY is a distributed scanning network: it fingerprints exposed services across the internet and flags systems vulnerable to newly disclosed bugs, often within hours of disclosure. It keeps a heavy focus on the US, especially military and associated networks, and survived the 2024 FBI takedown of its parent KV-botnet. Because traffic comes from thousands of ordinary residential IPs, simple IP blocking does not stop it.

Check
Inventory internet-facing routers, firewalls, and IoT devices, especially Ubiquiti, DrayTek, Hikvision, and Linksys gear, for end-of-life models and missing patches that JDY scans for after disclosure.
Affected
Internet-exposed SOHO routers, firewalls, and IoT devices, particularly end-of-life hardware; US military and associated networks are a stated focus of the reconnaissance.
Fix
Patch edge devices promptly after vendor disclosures, replace end-of-life hardware, disable remote management where unneeded, and rely on behavioral rather than IP-based detection for scanning activity.

Cyberattack halts Australia's second-largest sugar producer mid-harvest

Mackay Sugar, Australia's second-largest sugar producer, has shut down two of its Queensland mills after a cybersecurity incident, halting production and stopping sugarcane harvesting at the peak of the season. The company confirmed the attack on Wednesday and has brought in outside cybersecurity experts and local authorities to investigate and restore systems. It has not yet said who was responsible or whether data was stolen, but the operational shutdown is consistent with a ransomware attack. The incident is the latest example of attackers disrupting food and agriculture operations, a sector whose industrial systems are increasingly targeted for maximum pressure.

Check
Food, agriculture, and manufacturing operators should review how cleanly their IT and operational-technology networks are separated, and confirm a ransomware shutdown of IT could not halt production lines.
Affected
Industrial and agricultural organizations where a compromise of business IT systems can cascade into operational-technology environments and force a full production shutdown, as happened at Mackay Sugar's mills.
Fix
Segment IT from operational-technology networks, keep offline tested backups, rehearse ransomware recovery for production systems, and pre-arrange incident-response and authority contacts before an attack hits.

Russia-aligned groups exploit old WinRAR flaw to hit Ukrainian targets

Trend Micro reports that at least two Russia-aligned groups, including Gamaredon, are exploiting a WinRAR flaw that was patched nearly a year ago to attack Ukrainian military and government organizations. The attacks start with emails carrying a booby-trapped RAR archive that abuses a path-traversal bug (CVE-2025-8088) to silently drop a malicious shortcut into the Windows Startup folder using NTFS Alternate Data Streams. One cluster, tracked by Ukraine's CERT-UA as UAC-0226, then installs an updated GiftedCrook stealer that grabs browser passwords, session cookies, and documents before deleting itself. The campaigns are a reminder that unpatched WinRAR remains a reliable foothold for attackers.

Check
Check the WinRAR version on Windows endpoints, and review email gateways and endpoint logs for inbound RAR archives and new shortcuts written to Startup folders via alternate data streams.
Affected
Windows systems with WinRAR versions before the CVE-2025-8088 fix, particularly organizations receiving RAR email attachments; Ukrainian government and military entities are the current targets.
Fix
Update WinRAR to the latest version that fixes CVE-2025-8088, block or sandbox inbound RAR attachments at the email gateway, and alert staff to unexpected archive lures.

New Shai-Hulud wave poisons 19 scientific Python packages on PyPI

The ongoing Shai-Hulud supply-chain campaign has struck again, this time trojanizing 19 Python packages on PyPI, many of them popular bioinformatics tools like Dynamo, Spateo, CoolBox, and Napari-UFISH that have been downloaded hundreds of thousands of times. Discovered by Socket, the wave pushed 37 malicious package versions from what looks like a single compromised maintainer, each carrying code that steals developer secrets such as cloud keys and tokens, then uses them to spread further. PyPI has quarantined affected releases. The credential-stealing behavior and tactics match earlier Shai-Hulud activity tied to the group TeamPCP, whose worm code leaked publicly last month.

Check
Search Python environments, lock files, and CI build logs for the 19 affected packages (including Dynamo, Spateo, CoolBox, U-FISH, Napari-UFISH) installed during the malicious window.
Affected
Developers and research teams that installed the trojanized versions of the 19 PyPI scientific packages, especially bioinformatics workflows pulling Dynamo, Spateo, CoolBox, U-FISH, or Napari-UFISH.
Fix
Remove the malicious versions and pin to known-good releases, then rotate every developer, cloud, and CI credential exposed on machines that installed them. Rebuild from trusted sources.