🇺🇸 📲 Trump Mobile leaked customers’ personal data, including names, mailing addresses, and emails. YouTubers who ordered the T1 phone were alerted by a researcher and say the information is still exposed online. Trump Mobile has not responded and customers report silence from the company.

🧩 GitHub says a malicious VS Code extension on an employee's device led to the breach of about 3,800 internal repositories — The extension was removed, the device isolated, and GitHub found no sign customers outside those repos were affected. The hacker group called TeamPCP claims the theft and is trying to sell the data.

😱 A security researcher found many plain-text passwords and cloud keys for CISA and DHS in publicly accessible GitHub spreadsheets. The exposed credentials came from a contractor’s employee and could have allowed access to government systems. CISA has not confirmed a breach or said whether the keys were revoked.

⏬ Hackers stole a privileged GitHub token from Grafana Labs and downloaded its private codebase. They used a misconfigured GitHub Action and tried to extort the company, which refused to pay. Grafana says no customer data was accessed and it has remediated the issue.

→ The popular GitHub Action actions-cool/issues-helper has been compromised

→ Grafana breach caused by missed token rotation after TanStack attack

🏪 🇺🇸 7-Eleven confirmed a data breach after the ShinyHunters hacker group claimed to have stolen franchisee documents. The company says an intrusion was detected on April 8 and some personal information from franchise applications was exposed. ShinyHunters says it took over 600,000 Salesforce records and tried to sell the data after demanding a ransom.

→ More Breaches:

🇪🇺 ❌ European authorities shut down First VPN and arrested its alleged administrator. The VPN was used by cybercriminals for data theft, fraud, and ransomware. Investigators seized servers, user data, and found thousands linked to crimes.

🇨🇦 ⚖ 🇺🇸 Canadian police arrested 23-year-old Jacob Butler, aka “Dort”, accused of running Kimwolf, a massive IoT botnet. Kimwolf enslaved millions of devices to launch record DDoS attacks and was linked to swatting and doxing. Butler faces charges in Canada and the U.S. and is awaiting extradition and court hearings.

🇺🇦 🇺🇸 Ukrainian cyberpolice, with U.S. help, identified an 18-year-old from Odesa as the operator of an infostealer malware scheme. The malware stole session tokens and credentials from users of a California online store, affecting 28,000 accounts and enabling $721,000 in unauthorized purchases. Authorities searched the suspect’s homes and seized devices and financial evidence while the investigation continues.

💳 The dark web marketplace B1ack’s Stash released 4.6 million stolen credit card records for free after sellers resold its data. The dump includes full card details, billing info, emails, phones and IPs. Security researchers warn the records will likely fuel widespread online fraud and phishing.

☁ ❌ Microsoft seized infrastructure and disrupted a cybercrime service that created and sold over 1,000 fake code-signing certificates to make malware look legitimate. The group, called Fox Tempest, sold signing-as-a-service to multiple ransomware and malware operators worldwide. Microsoft removed accounts, took down sites and virtual machines to raise the cost and disrupt this criminal marketplace.

🇺🇸 🏧 💸 The FBI says Americans lost over $388 million to scams using crypto ATMs in 2025. Scammers trick people into depositing cash at kiosks and sending funds to attacker-controlled wallets. Losses rose sharply, especially among people over 50, prompting warnings and some state bans.

🌍 ❌ Interpol led Operation Ramz across 13 Middle East and North Africa countries to disrupt cybercrime. The four-month effort seized servers, arrested 201 people, and identified 382 suspects tied to nearly 4,000 victims. Authorities and private partners shared data and dismantled phishing, malware, and fraud operations.

🗓️ {Cyber,Info}Sec Events — A community-maintained list of infosec conferences worldwide. Subscribe to the ICS calendar feed to get events straight into your calendar, or follow @[email protected] on Mastodon for weekly digests. Contributions and ⭐ welcome!

🇵🇱 💬 Poland told officials to stop using Signal after repeated account takeovers linked to state-backed attackers. The hacks used social engineering, fake support messages, and malicious QR codes rather than breaking Signal’s encryption. Officials will move to domestic, government-controlled messaging platforms to protect sensitive communications.

🦋 🇷🇺 Bluesky says the Kremlin hacked many accounts to spread Russian propaganda — Victims found fake news videos posted from their profiles without permission. Researchers and the company tracked the operation and linked it to Russian influence efforts.

🇲🇾 Researchers say a suspected Malaysian government-linked campaign used hidden command-and-control systems for years. The attackers masked servers and limited access to avoid detection, suggesting state-style espionage.

🐧 🔙 🚪 🇨🇳 Researchers uncovered Showboat, a Linux backdoor used since 2022 to target a Middle East telecom and other networks. The modular malware gives attackers a remote shell, file transfer, and a SOCKS5 proxy to reach internal systems. Evidence links its infrastructure to China-affiliated groups and shows compromises in multiple countries.

📦 🪱 Researchers found four malicious npm packages that deliver info-stealers and a Golang DDoS bot called Phantom Bot. One package clones the open-source Shai-Hulud worm and sends stolen data to attacker-controlled servers. Users should uninstall the packages, rotate secrets, remove malicious configs, and block the suspicious domains.

🎣 Tycoon2FA phishing kit now uses device-code phishing to hijack Microsoft 365 accounts — Attackers trick victims into entering device codes on microsoft.com/devicelogin after clicking Trustifi tracking links. eSentire urges disabling unused device-code flows, tightening OAuth consent, and monitoring Entra logs.

ℹ 🍎 A new SHub macOS infostealer variant called Reaper uses AppleScript to show fake Apple security updates and installs a backdoor. It steals browser data, crypto wallets, password manager files, iCloud and Telegram data, and grabs sensitive documents. The malware hides its payload, avoids macOS protections, and keeps persistence via a LaunchAgent for ongoing remote access.

🐬 🐧 Flipper Devices announced Flipper One, a Linux-powered gadget for hackers with Ethernet, USB, Wi‑Fi 6E, M.2 expansion, and HDMI for use as a router, desktop, or media box. It runs an eight-core RK3576 Linux CPU plus a microcontroller, 8GB RAM, and aims to support local AI and modular add-ons, though much software is still in development. The company invites developers to help build FlipperOS and tools, and expects a base price under $350.

🩹 A researcher found a Claude Code network sandbox bypass that could let attackers exfiltrate data. Anthropic quietly patched the SOCKS5 null-byte issue and a related bug in early 2025 and says the fix was shipped before the report. The researcher is upset no CVE was assigned to Claude Code or mentioned in release notes.

🔐 🤝 1Password and OpenAI built an integration so AI coding agents can use credentials without exposing them in prompts, code, or repos. Credentials are issued just-in-time, scoped to the task, and kept in 1Password’s encrypted runtime so they never enter the model’s context. This lets teams use Codex safely while keeping control and auditability of secrets.

🇪🇺 The European Commission says it is preparing to defend the EU against AI models that can find and exploit cybersecurity bugs. Officials plan to use the EU Cybersecurity Reserve, new laws, and a Tech Sovereignty Package to boost defenses and reduce dependence on foreign tools. Lawmakers want faster action, access to powerful models, and stricter rules, but some requests were not answered.

🐛 🦞 Four flaws in the OpenClaw AI assistant, called "Claw Chain", can be chained to escape the sandbox and install backdoors on hosts. An attacker who gets code execution inside the agent can read secrets, escalate to owner privileges, and write files outside the sandbox. Over 60,000 public OpenClaw instances may be exposed, and patches were released after disclosure.

➝ From the Patching Department:

🩹 Microsoft released mitigations for YellowKey, a zero-day that can bypass BitLocker when an attacker with physical access boots into recovery using a malicious USB. The exploit uses an FsTx payload to delete winpeshl.ini and spawn a shell that exposes encrypted data. Microsoft’s fixes stop autofstx.exe from auto-running in WinRE and advise adding a BitLocker PIN.

🐧 A new Linux local root exploit called DirtyDecrypt (aka DirtyCBC) has a public proof-of-concept that can gain root on systems with CONFIG_RXGK enabled. It mainly affects rolling or upstream-following distros like Fedora, Arch, and openSUSE Tumbleweed. Users should install the latest kernel updates or apply the temporary module-disabling mitigation.

💥 A researcher released MiniPlasma, an exploit for a 2020 Windows Cloud Filter driver flaw (CVE-2020-17103) that can escalate privileges. The researcher says the original Google Project Zero PoC still works, suggesting the bug may be unpatched or patches reverted. Tests show MiniPlasma can spawn a System shell on Windows 11 with May 2026 updates.

💥 A critical NGINX flaw called Nginx Rift (CVE-2026-42945) enables a heap buffer overflow in the rewrite module. Proof-of-concept code is public and attackers have begun remote exploitation, mainly causing crashes and potential DoS. If ASLR is disabled, the bug can allow remote code execution, so immediate patching is urgent.

🤑 Pwn2Own Berlin 2026 awarded white hat hackers $1.3 million for 47 vulnerabilities across Windows, Linux, VMware, Nvidia, and AI products. The top teams, Devcore and StarLabs SG, took nearly $750,000 with high-value exploits on Microsoft and VMware. Many AI-targeted hacks paid out, some teams failed, and several researchers disclosed findings directly to vendors.

🩹 Universal Robots patched a critical OS command-injection flaw (CVE-2026-8153) in its PolyScope 5 dashboard. An unauthenticated attacker with network access to the Dashboard Server could run commands and take over a cobot. On flat, unsegmented networks this could lead to compromise of multiple robots and connected equipment.

🦠 🚀 Researchers say the fast16 malware was built to sabotage nuclear weapons simulations. It secretly altered high-explosive simulation results in LS-DYNA and AUTODYN to corrupt uranium-compression tests. The tool predates Stuxnet and shows early, sophisticated state-level sabotage of industrial software.

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—
it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.