Cybercrime losses hit $20.9 billion in 2025 — a 26% jump, per the FBI's IC3 report. That figure covers only what victims bothered to report, so treat it as a floor, not a ceiling. This week's issue arrives alongside a proposal to cut CISA's budget by $707 million. Whether that's a bold strategic bet or a spectacular misread of the moment is, apparently, still under debate.
Let’s now dive into this week’s crème de la crème! 🚀
🔓 BREACHES & SECURITY INCIDENTS
🇬🇧 🇺🇸 A hacker redirected a contractor payment and stole £700,000 from Zephyr Energy’s U.S. subsidiary. The company says the incident is contained and operations are normal. Zephyr is working with banks and added extra security to try to recover the funds.
💸 Bitcoin Depot said hackers stole about 50.9 bitcoin, worth roughly $3.6 million, after an intrusion on March 23. The company says customer platforms were not affected and the incident is under investigation. Bitcoin Depot may face reputational, legal, and recovery costs and has insurance that may or may not cover the loss.
🚂 Eurail says attackers stole personal data of about 308,777 people in a December 2025 breach. Stolen details may include names, passport numbers, IBANs, health data, and contact info. Affected customers are urged to watch for scams, change passwords, and monitor bank accounts.
🇺🇸 🚓 Hackers stole and leaked a large cache of sensitive Los Angeles Police Department documents, including personnel files, internal affairs records, and unredacted discovery materials. The leak, blamed on extortion gang World Leaks and totaling about 7.7 terabytes and 337,000 files, appeared on a leak site then was removed. The LAPD says its systems were not breached and it is working with the LA City Attorney’s Office to investigate.
🇺🇸 Wynn Resorts says a 2025 hack by the ShinyHunters group affected 21,775 employees. The attackers stole HR data, possibly including SSNs, and later claimed they deleted it. Affected workers are being offered free credit monitoring and identity-theft protection.
❄ 🇮🇱 A SaaS integrator was breached and stolen authentication tokens were used to steal data from over a dozen companies. Most attacks targeted Snowflake customers, who experienced unusual activity and had some accounts locked as a precaution. The extortion group ShinyHunters claims responsibility and says the incident ties to Anodot.
🇩🇪 The Qilin ransomware group stole data from the German political party Die Linke and is threatening to leak it. Die Linke says member records were not taken and has notified police while working with IT experts. The party and observers warn the attack may be politically motivated and part of hybrid warfare.
🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APTs
👀 📰 Researchers say a hack-for-hire campaign used Android spyware to target journalists and activists in the Middle East and North Africa. The attacks, traced to shared infrastructure linked to the Bitter group, used spearphishing via fake social accounts. Victims feel threatened and groups warn such spying endangers journalists, sources, and press freedom.
🇷🇺 Russian state-linked hackers (Fancy Bear/APT28) broke into thousands of home and small-business routers worldwide. They redirected users’ internet traffic to steal passwords and login tokens. Authorities and researchers say the campaign hit many countries and targeted outdated MikroTik and TP-Link devices.
🇩🇪 🇷🇺 German police say a 31-year-old Russian, Daniil Shchukin, led the GandCrab and REvil ransomware groups from 2019 to 2021. He and associates carried out about 130 extortion attempts, causing over $40 million in damage and collecting more than $2 million in ransoms in 25 cases. Shchukin, known by several aliases, is believed to be in Russia and has been named in past arrests and investigations.
🇨🇳 Microsoft says Storm-1175, a China-based cybercrime group, uses n-day and zero-day exploits to quickly deploy Medusa ransomware. The group moves from initial access to data theft and ransomware in days or even 24 hours, often chaining exploits and disabling defenses. Their attacks have hit healthcare, education, finance and other sectors across multiple countries and abused many known vulnerabilities.
🇨🇳 🇪🇺 China‑linked TA416 resumed targeting European government and diplomatic bodies since mid‑2025, using OAuth redirection, fake Cloudflare pages, web bugs, and updated PlugX backdoors. They spread malware via phishing links, cloud storage (Azure, Google Drive), compromised SharePoint, and MSBuild/C# project files with DLL side‑loading. TA416 also expanded into the Middle East after late‑2025, showing adaptive, long‑term intelligence‑collection operations tied to geopolitical events.
🗓️ {Cyber,Info}Sec Events — A community-maintained list of infosec conferences worldwide. Subscribe to the ICS calendar feed to get events straight into your calendar, or follow @[email protected] on Mastodon for weekly digests. Contributions and ⭐ welcome!
👨🏻⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY
🇺🇸 💸 The Trump administration proposes cutting the Cybersecurity and Infrastructure Security Agency budget by about $707 million for 2027. Officials say the cuts will refocus CISA on core federal network and infrastructure protection and eliminate duplicative programs. Critics warn the cuts come after staff losses and amid rising major cyberattacks, and accuse the administration of politicizing CISA.
🇺🇸 ⚖ A judge sentenced Bryan Fleming, maker of stalkerware pcTattleTale, to supervised release and a $5,000 fine after his guilty plea. His software secretly recorded texts, calls, location, web activity, and video from victims’ devices. pcTattleTale shut down in 2024 after a data breach.
🦠 MALWARE & THREATS
🧩 A malicious VS Code extension named specstudio.code-wakatime-activity-tracker hides a Zig-compiled native binary that infects all IDEs on a developer's machine. The binary downloads and silently installs a fake extension that steals data, fetches commands via Solana, and deploys a RAT and a malicious Chrome extension. If you installed either specstudio.code-wakatime-activity-tracker or floktokbok.autoimport, assume compromise and rotate all secrets.
🇹🇼 Security researchers tracked a new threat cluster, UAT-10362, using spear-phishing to target Taiwanese NGOs and universities. The attackers deploy a Lua-based stager called LucidRook via DLL side-loading and droppers (LucidPawn/LucidKnight) to collect and exfiltrate data. The campaign uses geo-checks, obfuscation, and public or compromised infrastructure, showing stealthy, targeted tradecraft.
🇷🇺 🎣 Russian APT28 has been running spear-phishing attacks against Ukraine and NATO allies to deploy a new malware suite called PRISMEX. PRISMEX uses steganography, COM hijacking, and cloud services, and was spread using fast weaponization of zero-day Windows flaws. The campaign appears aimed at espionage and possible sabotage of military, logistics, and critical services.
🧩 Malicious actors published 36 Strapi-focused NPM packages that deliver payloads like Redis remote code execution, Docker escapes, credential harvesting, and reverse shells. SafeDep says the campaign specifically targets Guardarian cryptocurrency payment systems and seeks wallet files, API modules, and database access. Infected users should immediately rotate all credentials and secrets.
🇺🇦 🎠 Ukraine's CERT-UA warned of a phishing campaign that impersonated the agency to spread a remote access trojan called AGEWHEEZE. The attackers sent password‑protected ZIPs to many targets and claimed to have emailed 1 million ukr.net accounts. The campaign mostly failed, with only a few infections found and CERT-UA helping affected organizations.
🤖 🧰 AI, CRYPTO, TECH & TOOLS
🔎 🐛 Anthropic released Claude Mythos, a powerful new AI that greatly improves coding and agentic reasoning. It found thousands of old and critical software vulnerabilities, showing huge benefits for defense but also big risks if misused. Anthropic launched Project Glasswing with major tech partners to use Mythos to secure critical software before attackers can exploit it.
🔓 🍎 Researchers at RSAC found a way to bypass Apple Intelligence’s guardrails using two tricks: Neural Execs prompt injection and Unicode right-to-left manipulation. They used these methods to make the on-device LLM produce offensive content and potentially access private app data, succeeding on 76% of test prompts. Apple was notified in October 2025 and released protections in iOS 26.4 and macOS 26.4; no real-world abuse has been seen.
🪄🤖 Google DeepMind researchers show that malicious web content can trick autonomous AI agents and make them act against their goals. They identify six classes of "agent traps" that hide commands, manipulate memory and behavior, or exploit group dynamics and humans-in-the-loop. Defenses include model hardening, runtime checks, better web hygiene, and shared standards and benchmarks.
🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE
➝ From the Patching Department:
🅰 💥 Attackers have been exploiting an unpatched Adobe Reader zero-day since at least December using malicious PDFs. The exploit can steal local data and may enable remote code execution just by opening a file. Users should avoid PDFs from untrusted sources and Adobe is working on a patch.
🪶 A 13-year-old RCE vulnerability in Apache ActiveMQ Classic (CVE-2026-34197) lets attackers invoke management operations via Jolokia to fetch remote configs and run OS commands. Chained with older flaws (CVE-2022-41678 and sometimes CVE-2024-32114), it can bypass authentication and lead to remote code execution. Fixes are in ActiveMQ Classic 5.19.4 and 6.2.3; update immediately.
😶 Researchers at Noma Security disclosed "GrafanaGhost," a vulnerability that silently steals data from Grafana by chaining multiple security bypasses. The attack uses crafted URLs and prompt injection to trick Grafana’s AI and exfiltrate data without user interaction or visible alerts. Grafana Labs was notified and issued a fix.
🚢 A high-severity Docker Engine bug (CVE-2026-34040) lets attackers bypass authorization plugins by sending a padded API request that strips the request body. This can let them create privileged containers, mount the host filesystem, and steal credentials. Update to Docker 29.3.1 or use rootless mode and restrict Docker API access.
🔎 ☁ A botnet campaign is scanning internet-exposed ComfyUI instances and exploiting unsafe custom nodes to run attacker Python code. Compromised hosts are enrolled in Monero and Conflux miners and a Hysteria V2 proxy botnet, with persistence and cleanup mechanisms. Over 1,000 public ComfyUI instances are reachable, making opportunistic cryptomining profitable for the attackers.
🐛 A critical CVSS 10.0 code-injection bug in Flowise (CVE-2025-59528) lets attackers run arbitrary JavaScript and gain full Node.js privileges. Over 12,000 internet-facing Flowise instances are exposed and active exploitation has been observed. Flowise patched the issue in version 3.0.6, but many systems remain at risk.
🇰🇵 💻 A viral video shows an interviewer asking a suspected North Korean job applicant to insult Kim Jong Un. The applicant freezes, acts confused, and leaves the call. The trick can expose some fake North Korean workers but does not always work.
🔓 A researcher leaked working exploit code for an unpatched Windows local privilege escalation called BlueHammer. The bug lets attackers gain SYSTEM or elevated admin access by abusing a TOCTOU and path confusion, though the PoC has reliability issues. Microsoft has not patched it and gave no comment.
🛰️ ICS, OT & IoT
🇮🇷 🇺🇸 U.S. agencies warn Iran-backed hackers are targeting American critical infrastructure to cause disruption. They have attacked industrial control systems like SCADA and PLCs, causing operational and financial harm. The activity is seen as an escalation linked to recent conflicts involving Iran.
💬 CONNECT
Follow me on Mastodon for quick daily updates and bite-sized content.
Prefer using an RSS feed? Add Infosec MASHUP to your feed here.
Enjoying our newsletter? Forward it to a colleague; it’s one of the best ways to support us.
Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58
See you next time!
-X.