💸 Polymarket says hackers stole users’ crypto after a third-party vendor was compromised. The company says it contained the issue and will contact and refund affected users. Blockchain monitors estimate about $3 million stolen from multiple victims.

🇮🇳 Tata Electronics says it suffered a cyberattack that affected some IT systems. The company says operations were not disrupted. A hacker group called World Leaks claimed it leaked manufacturing files, including alleged Apple component data.

🔓 LastPass says hackers stole OAuth tokens from Klue and used them to access customer data in its Salesforce system. The breach did not affect LastPass products or customer vaults, but names, contacts, addresses, and CRM details may be exposed. LastPass rotated tokens, cut Klue access, warned customers, and notified law enforcement.

→ Klue says hackers stole credential from 2022 that led to customer data breaches

🇨🇦 ⚡ Canadian electricity provider London Hydro says hackers accessed its systems and may have taken some customers' personal and account information. The data possibly exposed includes names, addresses, emails, phone numbers, account and billing details, and meter information. The company reports no financial or highly sensitive data was accessed and warns customers to watch for phishing or suspicious activity.

💸 An attacker tricked the JaredFromSubway MEV bot with fake tokens and pools and stole $15 million — The bot auto-approved attacker contracts, letting them drain WETH, USDC, and USDT. JaredFromSubway offered increasing bounties and is negotiating with a white-hat group to recover funds.

🇺🇸 Xsolis, a healthcare technology vendor, suffered a targeted phishing attack on January 22, 2026 that exposed data for 1,396,519 patients. The breach may have included names, contact details, Social Security numbers, insurance and medical treatment information. Xsolis contained the incident, reset passwords, added security measures, and offered affected people 12 months of identity monitoring.

🇵🇱 Polish police arrested four people in a SIM‑swapping ring that stole millions by hijacking phone numbers and crypto accounts. The arrests followed an investigation with help from the FBI and HSI. Suspects face charges including organized crime, hacking, and money laundering, with up to 25 years in prison.

🇺🇸 ⚖ Nathan Austad, 21, known as "Snoopy", was sentenced to 18 months in prison for his role in the November 2022 DraftKings hack. He and co-conspirators compromised about 60,000 accounts, added payment methods to 1,600 accounts, and stole roughly $600,000. Austad was also ordered to forfeit $463,684, pay $1,327,061 in restitution, and serve three years of supervised release.

🇺🇸 ❌ Microsoft and law enforcement used a single court order to disrupt two criminal tools at once: the Amadey botnet and the StealC infostealer. They treated both as one conspiracy, taking down over 200 command-and-control servers. The move aims to make attacks harder to mount and rebuild.

🇺🇸 ❌ The U.S. Justice Department seized a cloud account used by HuiOne Group subsidiaries that helped launder billions from crypto scams. HuiOne ran a Telegram marketplace selling crimeware, data, money‑laundering services, and tools for deepfakes and human trafficking. U.S. authorities and Treasury sanctions say these networks enabled massive fraud and continue to spawn successor markets.

🇩🇿 ⚖ 🇺🇸 An Algerian man nicknamed "SPOX" was extradited from Spain and charged in the U.S. for running two online cybercrime marketplaces. Prosecutors say his sites sold phishing kits and stolen credentials, victimizing about 5,600 people and moving roughly $900,000 in cryptocurrency. He faces a conspiracy to commit bank fraud charge that carries up to 30 years in prison.

🇬🇧 ⚖ Two young men pleaded guilty to hacking Transport for London, causing months of disruption and £39m in costs. The attack began on 31 August 2024 and affected about 10 million customers. They admitted reckless, unauthorised access and will be sentenced on 15 July.

🗓️ {Cyber,Info}Sec Events — A community-maintained list of infosec conferences worldwide. Subscribe to the ICS calendar feed to get events straight into your calendar, or follow @[email protected] on Mastodon for weekly digests. Contributions and ⭐ welcome!

🇺🇸 ☑ The FCC approved new rules to strengthen cybersecurity for the Emergency Alert System and Wireless Emergency Alerts — The rules require basic cyber hygiene, stronger authentication, and faster security updates to prevent hijacked warnings. The FCC also updated undersea cable rules, adding oversight and streamlined reviews for providers that meet high security standards.

🇷🇺 📲 Researchers say Russian authorities used Cellebrite phone-cracking tools to access the phone of jailed human rights activist Andrey Pivovarov even after Cellebrite ended its contract with Russia. Citizen Lab found evidence the phone was accessed in mid-2021 and that data may have helped surveil other dissidents. Cellebrite says any use of its old hardware in Russia after March 2021 is unauthorized and now ineffective.

🍎 🇰🇵 Researchers discovered a new macOS malware called Gaslight that steals data and maintains control via a Telegram-based command channel. It embeds a prompt-injection payload that aims to fool AI analysis tools into aborting or refusing to analyze it. SentinelOne links the Rust implant to North Korea-aligned actors and notes it exfiltrates browser, system, and keychain data.

🍎 A new ClickFix campaign tricks Mac users into pasting a Terminal command that downloads and silently mounts a malicious DMG. The DMG installs the Atomic macOS Stealer, which grabs browser credentials, crypto wallets, Keychain items, messaging data, and documents. Users should never run unknown Terminal commands or follow fake CAPTCHA/system fix instructions.

🐀 A threat actor called Woodgnat (aka KongTuke) is using a new RAT called Mistic to gain access to many organizations and sell that access to ransomware groups. Mistic is deployed as a sideloaded DLL and can download/upload files, run code, steal credentials, and self-terminate. The group uses compromised sites, social engineering, and Teams helpdesk lures to trick victims into running malicious PowerShell commands.

🐀 Researchers found malicious npm packages pretending to be PostCSS tools that install a Windows remote access trojan (RAT). The packages drop a PowerShell script that downloads a ZIP with VBScript, a Python runtime, and native modules that steal Chrome data, run commands, and communicate with a C2 server. Users should remove the packages, delete any artifacts, and rotate credentials.

🇰🇵 North Korean state-backed hackers (Sapphire Sleet) injected a malicious typosquat dependency into 141 Mastra npm packages during a 45-minute window on June 17. The malware ran at install time, targeted Windows/macOS/Linux, and aimed to steal system data and crypto-wallets. Users who ran npm install/update then should remove affected versions, scan for malware, and rotate secrets.

🏰 Researchers found a new loader called OXLOADER that uses malicious Google Ads to trick users into running a fake installer and fetch CastleStealer. The attack hides its code with strong obfuscation, uses Storj-hosted files, and avoids targets in CIS countries. OXLOADER is new but well engineered, giving it low detection and time to operate.

🤖 🕸 A new malware called AryStinger has infected about 4,300 old home routers to build a reconnaissance and proxy network. Infected devices scan, fingerprint targets, tunnel traffic, and relay commands for attackers while hiding their location. Owners should retire unsupported routers, check for unknown binaries and C2 connections, and disable remote admin.

🔐 OpenAI released GPT-5.5-Cyber and an updated Codex Security plugin to help defenders find, validate, and patch software vulnerabilities faster. They also launched Patch the Planet to support open-source projects and scale patch development with human oversight. The moves aim to close the gap between rapid AI-driven discovery and slower patching while keeping maintainers in control.

→ IBM announced it has joined the OpenAI Daybreak Cyber Partner Program

→ The White House is asking OpenAI to slow roll the release of its new model over safety concerns

🐛 Four serious vulnerabilities in the open-source Dify AI platform could let attackers steal other customers’ data in multi-tenant cloud setups. These flaws let attackers read private chats, access files, and call internal APIs across tenants. Dify 1.14.2 fixes the issues; users should update immediately and apply WAF rules for extra protection.

🐛 The Anthropic AI model called Mythos found vulnerabilities in highly classified U.S. government systems during tests. The testing was part of Project Glasswing with U.S. agencies, though finding flaws did not mean they were immediately exploited. The move has sparked tensions with the government, which restricted access to Anthropic’s models over security concerns.

🇺🇸 🔐 The Trump administration will issue orders to speed up the federal shift to quantum-resistant encryption and to boost the domestic quantum computing industry. Agencies may be forced to meet a new deadline around 2029–2030 for civilian networks and must report to OMB if they miss it. The actions aim to steer federal funding and research to help U.S. quantum companies compete.

➝ From the Patching Department:

🔎 Mandiant revealed that attackers abused a Cisco SD-WAN command-injection flaw (CVE-2026-20245) to create a rogue root account named "troot" and gain full control of devices. The intrusions began with unauthorized SD-WAN peering and likely used earlier authentication bypasses to access admin interfaces. Mandiant urges collecting diagnostics, checking for rogue peering, and applying Cisco's security updates.

💥 CISA warns attackers are exploiting three critical Ubiquiti UniFi OS vulnerabilities (CVE-2026-34908/34909/34910) that allow bypassing authentication, accessing files, and performing command injection. Ubiquiti released patches in UniFi OS Server 5.0.8, but reports and analyses show these flaws were likely used in automated in-the-wild attacks to create rogue admin accounts. CISA added them to its KEV list and urges urgent patching within three days.

📲 Researchers found an eight-year-old high-severity flaw in Samsung KNOX that affected Galaxy S9 through S25 and many A-series phones. The bug is a race-condition use-after-free in the kernel that could be triggered by an untrusted app to corrupt kernel memory. Samsung patched it in the January 2026 update, so users should install updates immediately.

🍎 📲 Researchers disclosed Usbliter8, a new BootROM exploit that permanently bypasses Apple’s secure boot on iPhones with A12/A13 chips and some Apple Watches. The attack needs physical USB access and lets an attacker run unsigned code with full processor privileges, though it does not directly break the Secure Enclave. The exploit cannot be fixed by software updates and the researchers published proof-of-concept code.

🔥 🧱 🩸 A Russian initial-access broker is running the FortiBleed campaign to harvest credentials from over 430,000 FortiGate firewalls and other devices. They compromise exposed appliances, deploy a Golang sniffer to capture and crack authentication data, then sell access or use it for further intrusions. The operation has exposed millions of credentials and targeted MSPs, SMBs, and high-value organizations including a NATO-aligned contractor.

🦑 Researchers found a memory-leak bug in Squid Proxy, dubbed Squidbleed, that dates back to 1997. The flaw can expose other users' cleartext HTTP request data (like passwords and tokens) if the proxy handles FTP and is shared by many users. A patch is available and disabling FTP in Squid stops the risk.

💥 A critical flaw (CVE-2025-67038) in Lantronix EDS5000 serial-to-IP devices lets unauthenticated attackers run root commands and is being exploited in the wild, CISA says. The bug is part of the BRIDGE:BREAK set of serial-to-IP vulnerabilities that can let attackers manipulate sensors, spread laterally, and exfiltrate data. Thousands of Lantronix devices are internet-exposed, though it’s unclear how many are vulnerable or which sectors are being targeted.

🗒 NIST released an updated draft of its IoT product cybersecurity guidelines and is asking for public comments through August 24. The update clarifies how IoT products should be treated in risk assessments and aligns requirements with current threats. Organizations are urged to use the guidance and related NIST risk-management publications when integrating IoT products.

🇨🇦 Canada’s spy agency got a judge-approved warrant to access and neutralize two foreign-run botnets on Canadian servers, routers, and IoT devices. The court found the threat imminent and allowed CSIS to alter or destroy botnet data while avoiding targeting people or content. The operation highlights risks from unmaintained consumer gear and leaves open legal questions about warrantless IP collection.

Follow me on Mastodon for quick daily updates and bite-sized content.

Prefer using an RSS feed? Add Infosec MASHUP to your feed here.

Enjoying our newsletter? Forward it to a colleague—
it’s one of the best ways to support us.

Thanks for reading today’s newsletter, and if you're enjoying it and want to support my work, you can buy me a coffee ☕ over at https://www.buymeacoffee.com/0x58

See you next time!

-X.