🕵🏻‍♂️ [InfoSec MASHUP] 02/2026

The UK is investing over £210 million in a new Government Cyber Action Plan; NordVPN says a recent claim that its development servers were breached is false; Hacktivist “Martha Root” wiped three white supremacist websites live on stage; X’s Grok AI has been used to create and share nonconsensual sexualized deepfakes; Critical Bluetooth flaw in WHILL Model C2 and F electric wheelchairs;

We now have 1,605 active subscribers! Thank you all for being part of my newsletter. Please share it with your friends and colleagues, and let’s keep growing the community.

You may have noticed that no issue of the newsletter went out last week. I took a brief pause to step back and reflect, and to be away in light of recent events. The tragic fire in Crans-Montana 🇨🇭, which claimed 40 lives and left over 100 injured, was a sobering reminder of life’s fragility. My thoughts are with all those affected by this devastating incident 🤍 🕊️ 

This week, I’m back with updates and insights from the world of cybersecurity. Let’s now dive into this week’s top insights! 🚀

🔓 BREACHES & SECURITY INCIDENTS

🇺🇸 Sedgwick confirmed a cyberattack at its subsidiary Sedgwick Government Solutions. The company says the incident hit an isolated file transfer system and did not affect wider networks or claims servers. The TridentLocker ransomware group claims it stole and leaked data from the subsidiary.

🇺🇸 Brightspeed is investigating claims that the hacking group Crimson Collective stole data from its systems. The group says it exfiltrated personal and account information for over 1 million customers and showed proof to cyber experts. Brightspeed says it is looking into the report and will inform customers, employees and authorities.

🇬🇷 ✈️ Greece shut its airspace after noise disrupted air traffic communications, grounding and diverting many flights. Officials say a cyberattack is unlikely but investigations are ongoing. Authorities formed a multiagency committee and said passenger safety was never at risk.

💸 Ledger says some customers had names and contact details exposed after a breach at payment processor Global-e — Ledger’s own network and crypto wallet seed phrases were not affected, and no payment information was leaked. Affected customers will get direct notices and are warned to watch for phishing.

🔓️ ☁️ NordVPN says a recent claim that its development servers were breached is false — Attackers accessed only dummy data from a third-party test environment, not NordVPN production systems or customer information. The company contacted the vendor and confirmed no real credentials or sensitive data were exposed.

→ More breaches:

🔗 Partners and Affiliates

🔐 NordVPN Threat Protection Pro™ Campaign (July 2 - August 13)

With its user-friendly interface, robust security features, and commitment to privacy, NordVPN continues to be a popular choice for individuals seeking online protection and unrestricted internet access.

Special Offer: get up to 73% off with a 2-year plan!

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

🇷🇺 🇺🇦 Russia-aligned hackers (UAC-0184/Hive0156) are using Viber to send malicious ZIP files to Ukrainian military and government targets. The ZIPs contain shortcut files that run a PowerShell script to load Hijack Loader, which then evades detection and deploys Remcos RAT. Remcos gives attackers remote control, data theft, and persistence on compromised systems.

🇹🇼 🇨🇳 Taiwan says China ran an intensified cyberoffensive in 2025, with about 2.63 million intrusion attempts per day. Attacks targeted government, energy, hospitals, telecoms, and suppliers to steal data and technology. Taiwan and some U.S. experts warn these attacks tie to political and military pressure on the island.

🇺🇸 Ilya Lichtenstein, who pleaded guilty to laundering billions in bitcoin from the 2016 Bitfinex hack, has been released early from prison. His release was credited to the First Step Act signed by President Trump. Lichtenstein says he wants to work in cybersecurity and prove critics wrong.

🗓️ {Cyber,Info}Sec Events: My list of past and future {cyber,info}sec related events — Feel free to contribute by submitting issues or pull requests (and don’t forget to star the project); Thanks! 😉

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

🇺🇸 📺️ A Texas court issued a temporary restraining order stopping Samsung from collecting audio and visual data from Texas smart TVs. The court found Samsung’s ACR enrollment practices deceptive, using confusing prompts and dark patterns that prevent informed consent. The order could set a precedent for broader action against TV data-collection practices.

🇺🇸 🚪 The Trump administration is withdrawing the U.S. from several international cybersecurity organizations. Critics say this move weakens global coordination and hands influence to adversaries. Supporters call the groups wasteful and say the U.S. should stop funding them.

🇬🇧 💰️ The UK is investing over £210 million in a new Government Cyber Action Plan to strengthen public sector cyber defenses. It creates a Government Cyber Unit, sets minimum security standards, and requires better incident response across departments. Major firms will join a Software Security Ambassador Scheme as the government tightens laws to protect critical services.

🇺🇸 🗑️ California launched DROP, a tool that lets residents send one request asking registered data brokers to delete their personal information. Brokers must begin processing requests in August 2026 and have 90 days to comply, though some data and first-party records are exempt. Brokers who don’t comply face fines of $200 per day.

🗑️ A hacktivist called “Martha Root” wiped three white supremacist websites live on stage at the Chaos Communication Congress. Root also scraped and published user data from one site, exposing precise locations and profiles. The sites’ operator complained and vowed revenge, while a leak collective holds the full dataset for vetted journalists.

🥸 Fraud has industrialized into a global security threat that drains trillions and supports organized crime and hostile states. Governments and companies must stop treating it as customer service and instead fight it like cyberwarfare with real-time intelligence sharing and coordinated responses. An international public‑private task force aims to build those systemic defenses across finance, tech, and law enforcement.

🔗 Partners and Affiliates

🌐 Stay connected and secure on the go with Airalo's global eSIMs — Use the code NEWTOAIRALO15 if you’re new to Airalo to get an additional 15% discount.

🦠 MALWARE & THREATS

🪱 🎠 Researchers found three malicious npm packages that installed a new malware called NodeCordRAT. NodeCordRAT steals Chrome credentials, API tokens, and crypto seed phrases and uses Discord for command-and-control. The packages were removed after researchers traced them to a user named ":" and linked their postinstall scripts to the RAT.

🧩 Researchers found two Chrome extensions with ~900,000 users that steal ChatGPT and DeepSeek chats plus browsing data and send them to attacker servers. The extensions scrape chat DOM elements and exfiltrate full conversations every 30 minutes after asking for “anonymous” analytics permission. Users should remove suspicious extensions and avoid installing unknown add-ons to protect sensitive data.

🐍 Researchers found a new Python-based malware called VVS Stealer that steals Discord tokens, browser data, and screenshots. It is obfuscated with Pyarmor, sold cheaply on Telegram, and persists by adding itself to Windows startup. The stealer also injects code into Discord to hijack active sessions and spread via compromised business infrastructure.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

🔞 X’s Grok AI has been used to create and share nonconsensual sexualized deepfakes, sparking public outrage. Legal experts say existing federal and state laws — including the Take It Down Act and anti‑CSAM rules — could expose Musk and X to fines, lawsuits, or criminal charges. Enforcement is uncertain, but state attorneys general and regulators may still pursue action even if federal responses are slow.

❤️‍🩹 OpenAI launched ChatGPT Health, a private space for health conversations. The company says health data in that space will not be used to train its foundation models. ChatGPT Health warns it is not a replacement for medical advice and is rolling out broadly except in the EEA, UK, and Switzerland.

🇻🇪 📺️ A U.S. raid in Caracas that captured Nicolás Maduro created an information vacuum. AI-made images and long‑debunked conspiracies about voting machines and U.S. oil grabs spread quickly online. Bad actors used the chaos to push familiar narratives and sway supporters.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

🔓️ ☁️ Security researchers found multiple critical flaws in Coolify that let attackers run commands as root and fully compromise self-hosted servers. Most issues affect beta versions and fixes are available in newer releases. About 52,890 Coolify hosts are exposed worldwide, so users should update immediately.

💥 A critical command injection bug (CVE-2026-0625) in old D-Link DSL routers is being actively exploited. The flaw lets unauthenticated attackers run commands via the dnscfg.cgi endpoint, and affected models are end-of-life with no patches. D-Link urges users to replace these routers or isolate them on segmented, non-critical networks.

🩹 Veeam released updates fixing a critical RCE bug (CVE-2025-59470, CVSS 9.0) in Backup & Replication. The flaw and three related vulnerabilities let privileged Backup/Tape roles run or write files as postgres or root. Users should update to version 13.0.1.1071 immediately.

🔓️ A firmware bug in the TOTOLINK EX200 can make the device start an unauthenticated root telnet service. An attacker who can access the web management interface could trigger this and take full control. TOTOLINK has not patched the device, so users should limit admin access or upgrade.

🪲 🩹 Researchers found a critical, no-auth remote code execution bug (CVE-2026-21858) in n8n that affects about 100,000 servers and could let attackers take full control. A patch (v1.121.1+) was released, but public disclosure was delayed and a proof-of-concept is circulating. Security experts warn urgent updates are needed because n8n often holds sensitive credentials and workflows.

💬 🔓️ Researchers found a WhatsApp flaw that lets attackers infer a user’s device and operating system from metadata. Meta has started randomizing key IDs for Android to reduce this fingerprinting but the method can still distinguish iPhones. WhatsApp says the issue is low severity but has fixed related bugs and paid a bug bounty.

🛰️ ICS, OT & IoT

♿️ Researchers found a critical Bluetooth flaw in WHILL Model C2 and F electric wheelchairs that lets attackers pair without authentication and control the chairs. They demonstrated remote takeover, disabling safety limits and even driving a wheelchair off stairs in a video. WHILL issued a patch, but researchers could not verify its effectiveness.

🇨🇳 A China-linked hacking group called UAT-7290 is targeting telecommunications providers and has expanded into Southeastern Europe. They exploit edge network devices using one-day bugs, SSH brute force, and Linux malware to gain access and persist. The group also builds Operational Relay Boxes that other China-aligned actors reuse.

🕸️ 💥 A massive botnet called Kimwolf infected over two million Android TV boxes to run DDoS attacks and sell residential proxies. Investigations link Kimwolf and an earlier Aisuru botnet to the same operators, hosting providers (like Resi Rack and 3XK Tech), and proxy services (ByteConnect/Plainproxies and Maskify). The botnet’s operators used evasive tools like ENS records to resist takedowns while monetizing infected devices for fraud and scraping.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague — it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.
