
Another week, another set of trojaned packages, hijacked registries, and one-click credential theft. The operational response is by now well-rehearsed: patch, rotate secrets, enable 2FA, audit your dependencies, check your CI/CD workflows. The patching teams are doing their jobs. The question this week's malware section keeps nudging at is a different one: why is so much of what they're patching broken at the point of creation?

The supply chain attack surface exists because the software ecosystem normalized shipping fast over shipping secure, because package registries scaled adoption without scaling trust infrastructure, and because the developer who published a package with a hardcoded credential and the organization running it in production are rarely the same person bearing the consequences. IBM and Red Hat just committed $5 billion to fix this upstream. CISA launched CI Fortify to help OT operators survive worst-case scenarios downstream. Both efforts are necessary. Both are also symptoms of an industry that has spent decades externalizing the cost of insecure software onto the people least positioned to refuse it.

Let’s now dive into this week’s top insights! 🚀


🔓 BREACHES & SECURITY INCIDENTS

🦷 A data breach at dental benefits administrator DentaQuest exposed information from about 2.6 million accounts — The leaked 234 GB dataset included names, emails, phone numbers, IDs, insurance details, genders, and birthdates. People affected should watch for phishing and other scams.

🇺🇸 Weil Gotshal reportedly paid $18–$20 million to stop hackers from publishing stolen client documents. The firm says the breach involved a limited number of files and did not disrupt its network. Weil notified affected clients, launched an investigation, and involved law enforcement.

🔓 Dashlane says hackers brute-forced its two-factor authentication and accessed about 20 customer accounts — The attackers reached encrypted vault data, which can only be opened with each user’s master password. Dashlane notified affected users and says it has taken steps to reduce future risk.

📥 🤑 Hackers accessed a senior executive’s Outlook mailbox at a major global stock exchange and stole data for about 150 days. They used disguised malware, cloud services like Dropbox and OneDrive, and persistent fake system tasks to avoid detection. Security firms suspect espionage and released IoCs to help others detect similar attacks.


🥷🏻 CYBERCRIME, CYBER ESPIONAGE, APTs

🇨🇳 💼 Five Eyes intelligence agencies warn China’s military intelligence uses LinkedIn and other job sites to recruit government and military insiders. Recruiters pose as consultants, ask for reports, and pay via third-party platforms to obtain sensitive information. These operations have led to prosecutions, job losses, and cleared personnel losing security access.

🇨🇳 🎣 China-linked cybercrime group TA4922 has expanded phishing attacks to the U.K., Germany, Italy, South Africa and other countries. They use HR, tax and business lures to deliver malware like Atlas RAT, RomulusLoader and SilentRunLoader to steal credentials and data. Proofpoint says TA4922 is likely financially motivated but has tools that could also enable surveillance or be sold to espionage groups.

🇧🇬 🇪🇺 European and international police dismantled nine organized crime groups and arrested 29 people in Operation KRATOS 2. The seven-month raid, led by Bulgaria with Europol and partners from 13 countries, removed over 27,000 illegal streaming URLs and flagged hundreds of thousands more infringing links. Authorities said the networks earned big profits, hid servers across borders, and exposed users to malware and data theft.

🇪🇸 Spanish police arrested a person accused of leaking sensitive personal data of employees from key state bodies, including INCIBE and the National Police. Officers raided the suspect’s home and seized computers to find forensic evidence and possible co-conspirators. Authorities say the data came from aggregated sources and was published on doxing forums, and more arrests may follow.

🇺🇸 🗳 Tina Peters, convicted for breaking into Mesa County election systems, gave a defiant interview after her sentence was commuted. She said she will keep fighting in court to clear her record and repeated false claims about election fraud. The commutation drew praise from conservatives and strong criticism from Democrats and election officials.

🇪🇺 🇷🇺 European intelligence officials say Russian spy agencies are aggressively stealing Western technology and defense secrets as sanctions squeeze its economy. They use fake companies, middlemen, cyberattacks and hackers to acquire machine tools, software, space and weapons-related tech. Officials warn this risks helping Russia improve its weapons and enabling attacks on critical infrastructure.

🗓️ {Cyber,Info}Sec Events — A community-maintained list of infosec conferences worldwide. Subscribe to the ICS calendar feed to get events straight into your calendar, or follow @[email protected] on Mastodon for weekly digests. Contributions and ⭐ welcome!

👨🏻‍⚖️ 👀 GOVERNMENT, POLITICS, AND PRIVACY

🇪🇺 The EU is proposing rules to favor European cloud and AI services and limit reliance on non‑EU providers. New assurance levels could bar firms subject to foreign laws, which would hit U.S. cloud vendors because of the U.S. Cloud Act. Critics say the plan risks discrimination and fragmentation while supporters call it needed tech sovereignty.

🇺🇸 🫂 DHS Secretary Markwayne Mullin told Congress CISA should ideally have about 2,800 staff, up from roughly 2,200 now. The agency once had about 3,400 employees before cuts and faces more proposed reductions. Mullin said CISA can meet its mission by using partnerships and grants while a new director is expected to be nominated soon.

🦠 MALWARE & THREATS

🇷🇺 🪆 🇺🇦 Russian group Gamaredon is exploiting a WinRAR flaw (CVE-2025-8088) to deliver an HTA payload that installs VBScript downloaders. Those downloaders deploy a worm (GammaWorm) that persists, hides via LNK and ADS, and a stealer (GammaSteel) that exfiltrates files to AWS S3 or attacker servers. The campaign targets Ukrainian government and military networks and can be reused to drop additional malware.

🦀 A new Rust-based malware called IronWorm infected 36 npm packages to steal credentials and keys. It hides with an eBPF rootkit, uses Tor, and can self-publish trojaned packages using stolen npm secrets. Researchers stopped the attack early and urge developers to update packages, rotate keys, and enable 2FA.

🆔 French and Spanish police shut down an online marketplace selling fake EU identity documents used by migrant smugglers. Officers arrested a suspect in Alicante and seized equipment and about 800 counterfeit IDs. Europol says document fraud fuels migrant smuggling and new EU efforts aim to improve cross‑border investigations.

👾 WeedHack is a large malware campaign that has infected over 116,000 Minecraft players since January. The malware is spread via fake Minecraft mods and YouTube/SEO-poisoned links and acts as a malware-as-a-service infostealer. It steals credentials, browser data, crypto wallets, and can give remote control, and some paid tiers add keylogging and webcam access.

🪱 Attackers hijacked Red Hat’s official npm account and published malicious packages. Over 30 packages contained a worm that steals credentials and spreads to other machines. The supply-chain compromise is still active, and the affected packages are widely trusted by developers.

🇵🇰 🇦🇫 Researchers say the Pakistan-linked SideCopy group used Pashto-language spear-phishing to target Afghanistan’s Ministry of Finance with Xeno RAT. The attack used a malicious LNK file that fetched an HTA to run obfuscated JavaScript and install Xeno RAT 1.8.7, which can steal data and control the system. This activity fits a broader pattern of Transparent Tribe operations against South Asian government and military targets.

🤖 A malicious npm package named codexui-android and linked Android apps stole OpenAI Codex auth tokens by reading ~/.codex/auth.json and sending them to attacker servers. The package was a functional, actively developed tool with over 29,000 weekly downloads and the exfiltration persisted across versions. Stolen refresh tokens allow persistent account impersonation, exposing developer workflows and supply-chain risks.

🤖 🧰 AI, CRYPTO, TECH & TOOLS

Figure: Kevin Beaumont’s Toot on Mythos

🇪🇺 Anthropic has offered EU cybersecurity agency ENISA controlled access to its Mythos vulnerability-finding AI through Project Glasswing. European agencies and banks are negotiating access as experts warn these models can rapidly find many software flaws. OpenAI and other companies are also discussing limited access to similar cyber-focused models.

🇺🇸 🤖 Anthropic sent about six engineers to the NSA to help the agency use its cybersecurity AI, Mythos — It is unclear if Mythos or the engineers are being used in actual hacking operations. The reports follow earlier claims the NSA used Mythos despite a federal ban and Anthropic limiting access over security concerns.

🔉 Researchers found a critical flaw in Google’s Gemini voice assistant that let attackers inject commands via normal messaging notifications. The Fake Context Alignment attack hid instructions in WhatsApp, Slack, and SMS messages so Gemini would act without the user knowing. Google patched the issue after disclosure, but researchers warn prompt-injection risks remain as assistants gain deeper device access.

💰 🇮🇷 The U.S. Treasury blacklisted Nobitex, Iran’s largest crypto exchange, for helping fund terrorism and evade sanctions. Officials say Nobitex processed over half of Iran’s crypto inflows in 2025 and moved funds tied to the IRGC and ransomware actors. The sanctions freeze U.S.-held assets and bar U.S. persons from dealing with the exchange and its executives.

💰 🌏 The U.S. Justice Department led a global operation that disrupted Southeast Asian crypto and online fraud networks. Private companies and police froze over $3.8 million in stolen cryptocurrency and took down millions of scam accounts and servers. Authorities identified suspects, made arrests, and warned these scams steal victims’ savings and often involve trafficked workers in scam compounds.

🇺🇸 The Trump administration issued a scaled-back AI executive order that favors voluntary industry cooperation over strict rules. Companies may give the government access to frontier models for up to 30 days, with protections for confidentiality and intellectual property. The order also creates an interagency cybersecurity clearinghouse led by Treasury to coordinate testing and threat benchmarks.

🤖 Hackers used a trick to make Meta’s AI support bot add a new email and reset Instagram passwords. High-profile accounts were briefly defaced with pro-Iran messages. Enabling strong MFA (like passkeys or security keys) would have stopped the attack.

Figure: A screenshot from a video released on Telegram claiming to show how Meta’s AI customer support bot could be tricked into resetting a target’s password (krebsonsecurity.com)

🐛 🧠 VULNERABILITIES, RESEARCH, AND THREAT INTELLIGENCE

➝ From the Patching Department:

💣 Calif researchers discovered an HTTP/2 Bomb exploit that can crash major web servers in seconds. It chains an HPACK compression bomb with a Slowloris-style hold to exhaust memory and bypass limits. The attack affects many default NGINX, Apache, IIS, Envoy, and Cloudflare Pingora setups and can be run from a home connection.

💥 CISA warns that a two-year-old Oracle WebLogic bug (CVE-2024-21182) is now being exploited in the wild. The flaw allows remote, unauthenticated attackers to access or steal data from vulnerable servers. CISA added it to its Known Exploited Vulnerabilities list and told agencies to fix it immediately.

🐧 A 19-year-old bug in the Linux kernel’s CIFS subsystem lets low-privileged users gain root access. The flaw lets attackers supply fake key descriptions so cifs.upcall runs as root and loads attacker-controlled NSS code. Major distributions have released fixes and a PoC was published to help validate patches.

💥 🔓 Hackers are actively exploiting a Palo Alto GlobalProtect VPN bug (CVE-2026-0257) to bypass authentication and gain VPN access. The flaw affects devices with authentication override cookies enabled and reused certificates, letting attackers forge valid cookies. Update PAN-OS now or disable the override feature and use separate certificates to stop the attacks.

🛰️ ICS, OT & IoT

🇺🇸 Over 900 automatic tank gauge systems in the U.S. are exposed online and vulnerable to attacks. Federal agencies warn attackers can change settings, disable alerts, and risk leaks or damage. Organizations are urged to restrict internet access, change defaults, and apply security controls.

CISA launched CI Fortify to help industrial control operators plan for and rehearse surviving major cyberattacks that cut them off from networks. The guidance focuses on keeping critical services like water and power running without internet or remote control. CISA must coordinate with other agencies, vendors, and service providers to make the plan practical.

💬 CONNECT

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague — it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.
