# Archive

Browse past daily curated stories


Tuesday, June 30, 2026

  1. BleepingComputer general
    U.S. offers $10 million for hackers targeting WhatsApp, Signal users

    The U.S. Department of State is offering up to $10 million for information identifying members of UNC5792 and UNC4221, two Russia-linked hacking groups that have been socially engineering their way into Signal and WhatsApp accounts of U.S. government officials, military leaders, and allied personnel since at least March. The operation represents a significant escalation in Russian intelligence targeting of encrypted messaging platforms used by high-value targets. Security teams should review messaging app security hygiene and linked device configurations for personnel in sensitive roles.

  2. BleepingComputer general
    Critical SimpleHelp flaw exploited to deploy new stealer malware

    Threat actors are actively exploiting CVE-2026-48558, a critical authentication bypass flaw in SimpleHelp remote support software, to deploy Djinn Stealer — a previously undocumented cross-platform infostealer targeting Windows, macOS, and Linux systems. Djinn specifically targets cloud and AI credentials, including those linking development and admin environments to broader enterprise infrastructure. Organizations using SimpleHelp should patch immediately, as active exploitation is confirmed and the stealer's cross-platform reach amplifies the blast radius.

  3. BleepingComputer general
    Hackers now exploit critical Oracle E-Business flaw in attacks

    Active exploitation of CVE-2026-46817, a critical vulnerability in Oracle E-Business Suite (EBS) financial applications, has been confirmed by threat intelligence firm Defused. Oracle EBS is widely deployed in enterprise finance environments, making this a high-priority patch target for organizations running the platform. This follows a broader pattern of Oracle product exploitation, including the ShinyHunters group's attacks on Oracle PeopleSoft systems.

  4. BleepingComputer general
    Nissan discloses employee data breach linked to Oracle zero-day attacks

    Nissan has disclosed a data breach affecting current and former employees after threat actors exploited a zero-day vulnerability in Oracle PeopleSoft, an attack campaign previously attributed to the ShinyHunters extortion group. The breach is part of a larger wave of Oracle PeopleSoft zero-day exploitations that also hit the National Association of Insurance Commissioners (NAIC), which reported theft of publicly available data, outdated logs, and configuration files. ShinyHunters claimed to have exfiltrated 3.1 TB of data from NAIC alone, underscoring the scale of this ongoing campaign.

  5. The Hacker News general
    Microsoft Removes 119 Edge Extensions That Hid Malware in Images and Fonts

    Microsoft identified and removed 119 malicious extensions from the Edge Add-ons store, tied to a single threat actor dubbed StegoAd that has been active since at least 2021. The extensions hid credential-stealing payloads inside ordinary image and font files using steganography, activating days after installation to avoid detection and conduct ad fraud. The multi-year persistence of this campaign on an official store underscores supply chain risks in browser extension ecosystems.

  6. The Hacker News general
    Public PoC Released for Critical libssh2 CVE-2026-55200 Client-Side SSH Flaw

    A public proof-of-concept has been released for CVE-2026-55200, a memory corruption flaw in libssh2 with a CVSS 4.0 score of 9.2 that affects all versions up to and including 1.11.1. The vulnerability is client-side — a malicious or compromised SSH server can trigger arbitrary code execution on connecting clients with no credentials or user interaction required. Given libssh2's widespread use as an embedded SSH library, defenders should prioritize patching any systems or applications linking against versions ≤1.11.1.

  7. The Hacker News general
    Mustang Panda Uses Zoho WorkDrive as Command Channel in Indian Government Attacks

    China-aligned APT group Mustang Panda is conducting two active espionage campaigns against Indian government networks and hydropower sector targets, deploying new malware while abusing Zoho WorkDrive as a command-and-control channel to blend traffic with legitimate cloud services. Acronis Threat Research Unit confirmed active compromises on machines used by senior Indian administrative staff. The use of a legitimate SaaS platform for C2 complicates network-based detection and highlights the need for behavioral monitoring over pure traffic blocking.

  8. The Hacker News general
    Gamaredon Expands Ukraine Attacks with New Malware and Cloud Service Abuse

    Russian APT group Gamaredon conducted 35 distinct spear-phishing campaigns against Ukrainian targets throughout 2025, primarily in the second half of the year, according to ESET research. The group has expanded its malware arsenal and is abusing legitimate cloud services as part of its ongoing cyber operations against Ukraine. The breadth and persistence of these campaigns — averaging roughly three per month — illustrate Gamaredon's role as one of Russia's most operationally active threat actors targeting Ukrainian government and military entities.

  9. The Hacker News general
    236,000 DCloud Uni-App Sites Used in Crypto Scams, Phishing, and Wallet Drainers

    Infoblox researchers identified over 236,000 websites built using the legitimate Chinese open-source framework DCloud Uni-App as infrastructure for investment scams, pig-butchering operations, WhatsApp phishing networks, fake gambling platforms, and crypto wallet drainers. The abuse of a widely used cross-platform development framework as a scam template engine enables rapid, multilingual fraud deployment at scale. Threat hunters should add DCloud Uni-App-based indicators to fraud detection rulesets given the volume of malicious deployments.

  10. The Hacker News general
    Hijacked npm and Go Packages Use VS Code Tasks to Deploy Python Infostealer

    JFrog researchers uncovered two hijacked npm packages and a cluster of Go packages engineered to deliver a Python-based infostealer on Windows, Linux, and macOS by exploiting VS Code task execution rather than npm lifecycle scripts — a technique apparently designed to bypass npm v12's new security hardening. The attack targets developer environments directly through the software supply chain, making it particularly dangerous for organizations that trust internal build pipelines. Security teams should audit VS Code task configurations and monitor for unexpected Python process spawning in CI/CD environments.