# Top Stories
April 21, 2026
-
1. BleepingComputer | general | Apr 20 | KelpDAO suffers $290 million heist tied to Lazarus hackers
North Korean state-sponsored Lazarus Group hackers stole $290 million from the KelpDAO DeFi project on Saturday, marking one of the largest crypto heists attributed to the group. The attack continues North Korea's pattern of targeting cryptocurrency platforms to fund regime operations and circumvent international sanctions.
-
2. BleepingComputer | general | Apr 20 | China's Apple App Store infiltrated by crypto-stealing wallet apps
Twenty-six malicious apps infiltrated China's Apple App Store by impersonating popular cryptocurrency wallets, including MetaMask, Coinbase, Trust Wallet, and OneKey, to steal users' recovery phrases and drain their crypto assets. The campaign demonstrates sophisticated app store infiltration techniques aimed at the growing Chinese crypto market despite regulatory restrictions.
-
3. The Hacker News | general | Apr 20 | SGLang CVE-2026-5760 (CVSS 9.8) Enables RCE via Malicious GGUF Model Files
CVE-2026-5760, a critical command injection vulnerability in SGLang with a CVSS score of 9.8, enables remote code execution through malicious GGUF model files. The flaw affects the high-performance serving framework and allows arbitrary code execution when it processes specially crafted AI model files.
-
4. CyberScoop | general | Apr 20 | Vuln in Google's Antigravity AI agent manager could escape sandbox, give attackers remote code execution
Google's Antigravity AI agent manager contains a vulnerability that allows prompt injection attacks to escape its sandboxed environment and achieve remote code execution. Even under Google's highest security settings, including command operation sandboxing and throttled network access, the system remains vulnerable to malicious prompts.
-
5. BleepingComputer | general | Apr 20 | British Scattered Spider hacker pleads guilty to crypto theft charges
British hacker Tyler Buchanan, believed to be a leader of the Scattered Spider cybercrime collective, pleaded guilty in a US court to wire fraud and aggravated identity theft charges involving $8 million in stolen cryptocurrency. The case highlights international law enforcement cooperation against major cybercrime groups targeting enterprises.
-
-
6. SecurityWeek | general | Apr 20 | Serial-to-IP Converter Flaws Expose OT and Healthcare Systems to Hacking
Forescout researchers discovered 20 new vulnerabilities in Lantronix and Silex serial-to-IP converter products that expose OT and healthcare systems to remote attacks. These devices translate serial machine communications into Internet protocols and are widely deployed in critical infrastructure environments.
-
7. BleepingComputer | general | Apr 20 | The Gentlemen ransomware now uses SystemBC for bot-powered attacks
The Gentlemen ransomware operators now leverage a SystemBC proxy malware botnet comprising over 1,570 compromised corporate hosts to conduct attacks. The discovery shows how ransomware groups increasingly use compromised legitimate infrastructure and proxy networks to extend their operational capabilities.
-
8. BleepingComputer | general | Apr 20 | Microsoft: Teams increasingly abused in helpdesk impersonation attacks
Microsoft warns that threat actors are increasingly abusing Microsoft Teams' external collaboration features in helpdesk impersonation attacks, while relying on legitimate tools for access and lateral movement. The attacks exploit Teams' external communication capabilities to gain initial access to enterprise networks.
-
9. SecurityWeek | general | Apr 20 | Hackers Abuse QEMU for Defense Evasion
Attackers are abusing the QEMU machine emulator in at least two separate campaigns to distribute ransomware and remote access tools while evading security defenses. The legitimate virtualization tool gives attackers an effective way to bypass traditional security controls.
-
10. The Hacker News | general | Apr 20 | Researchers Detect ZionSiphon Malware Targeting Israeli Water, Desalination OT Systems
ZionSiphon malware specifically targets Israeli water treatment and desalination systems, with capabilities to establish persistence, tamper with configuration files, and scan for OT services on local subnets. Darktrace researchers identified the malware as part of targeted attacks against critical water infrastructure in Israel.