CISO Brief

All news in category “Incidents and Data Breaches”

2703 articles

Dutch raid seizes servers, arrests hosting co-owners

🛡️ Dutch authorities arrested two co-owners of related hosting companies and seized over 800 servers on May 18, alleging they operated infrastructure used by Russia for cyberattacks and influence operations targeting the EU. The arrests follow investigative reporting that linked MIRhosting and WorkTitans to Stark Industries, an ISP sanctioned by the EU for facilitating DDoS, proxy, and anonymity services tied to Russia-backed actors. Officials searched businesses and data centers and charged the suspects with violating sanctions law by making economic resources available to sanctioned entities. Both suspects deny wrongdoing and one company says it has paused services to the implicated client pending internal review.

FBI Alerts on Kali365 Phishing Service Targeting M365

🔒 The FBI warns about the Kali365 phishing-as-a-service platform that abuses OAuth device code authentication to hijack Microsoft 365 and Microsoft Entra accounts. Distributed via Telegram since April 2026, Kali365 enables low-skilled attackers to bypass MFA by tricking victims into authorizing device codes, then capturing OAuth tokens to access mailboxes and cloud apps. Researchers observed campaigns using phishing emails, AI-generated lures, and real-time dashboards, while the FBI advises blocking device code flows and preserving forensic evidence.

FBI Warns of Kali365 Phishing-as-a-Service Threat

🛡️ The FBI has identified a new phishing-as-a-service platform called Kali365, first seen in April 2026, that is being distributed primarily via Telegram. The service furnishes AI-generated lures, automated templates and real-time tracking dashboards to enable attackers — including low-skill actors — to capture OAuth tokens and bypass MFA for Microsoft 365 accounts. Victims are tricked into pasting device codes into the legitimate Microsoft verification page, unintentionally authorizing attacker devices and granting persistent access to services such as Outlook, Teams and OneDrive. The FBI recommends restricting or blocking device code flow, implementing conditional access policies, blocking authentication transfer and protecting emergency access accounts.

Critical Ghost CMS SQLi Exploited in ClickFix Campaign

🛡️ Researchers uncovered a large-scale campaign exploiting a critical SQL injection (CVE-2026-26980) in Ghost CMS to inject malicious JavaScript that triggers ClickFix attack flows. More than 700 domains — including university portals, media outlets, fintech firms, and personal blogs — were affected. The flaw impacts Ghost 3.24.0 through 6.19.0 and allows unauthenticated actors to exfiltrate admin API keys. Administrators are urged to upgrade to 6.19.1+, rotate keys, and scan sites for injected scripts.

FBI alert: Kali365 OAuth phishing risks rise

🔒 The FBI warns of phishing campaigns using Kali365 to harvest Microsoft 365 OAuth access tokens and bypass multi-factor authentication. Attackers trick users into entering a code on a legitimate Microsoft page, which instead authorizes the attacker’s device to access the victim’s account. The FBI advises IT teams to deploy conditional access policies and block authentication transfer to reduce exposure.

Global takedown of criminal VPN service First VPN

🔎 Authorities across Europe and North America announced a coordinated operation that dismantled First VPN, a criminal virtual private network service used to obscure ransomware, data theft, scanning, and DDoS activity. Led by France and the Netherlands with support from many countries and agencies since December 2021, investigators executed concurrent actions in May 2026, seizing servers, domains, and infrastructure while interviewing the service administrator. Europol and the FBI say First VPN marketed anonymity to cybercriminals on Russian-language forums, offered multiple protocols and payment methods, and provided exit nodes across 27 countries used by at least 25 ransomware groups.

Netherlands seizes servers tied to hosting firm

🔎 Financial crime investigators in the Netherlands (FIOD) arrested two men and seized 800 servers linked to a web hosting company accused of enabling cyberattacks, interference operations, and disinformation campaigns. Authorities say the suspects provided resources indirectly to Russian and Belarusian entities sanctioned by the EU, and that infrastructure was moved to a front company after sanctions. Raids recovered servers, laptops, phones, and records across multiple Dutch data centers.

European takedown targets VPN linked to crime

🛡️ European investigators dismantled First VPN in a joint operation led by France and the Netherlands, assisted by Europol and Eurojust. The service, widely promoted in Russia, was used by criminals for ransomware, fraud, and data theft to conceal identities and infrastructure. While the takedown is seen as warranted, experts warn that broad restrictions on VPNs risk harming legitimate privacy and business uses and could face legal challenges.

Ghostwriter Targets Ukrainian Government via Prometheus Lures

📄 The Belarus-aligned threat actor Ghostwriter (aka UAC-0057/UNC1151) is using Prometheus e-learning themed phishing lures targeting Ukrainian government entities. CERT-UA reports the campaign, active since spring 2026, uses PDF links to deliver a ZIP with JavaScript that stages multiple payloads: OYSTERFRESH, OYSTERBLUES, and OYSTERSHUCK. The operation harvests system data and ultimately deploys Cobalt Strike, with advice to restrict wscript.exe for standard users to reduce risk.

Canadian Arrest Over KimWolf DDoS Botnet Operations

🔍 Canadian and U.S. authorities arrested 23-year-old Jacob Butler (aka "Dort") in Ottawa under an extradition warrant after unsealing a criminal complaint in the District of Alaska linking him to the KimWolf DDoS botnet. Investigators tied Butler to the botnet through IP address logs, transaction records, and online messages, and he now faces a charge of aiding and abetting computer intrusions with a potential 10-year sentence. KimWolf operated as a DDoS-for-hire service that enslaved nearly two million devices and powered attacks up to nearly 30 Tbps, causing substantial global disruption and financial losses.

Canadian Arrest Tied to Kimwolf DDoS Botnet

🛡️ The U.S. Department of Justice announced the arrest of 23-year-old Canadian Jacob Butler (aka Dort) for allegedly operating the Kimwolf DDoS botnet, a variant of AISURU. The botnet enslaved devices like digital photo frames and webcams and was offered via a cybercrime-as-a-service model to launch global attacks, including against DoD network addresses. Authorities linked Butler through IP, account data, and Discord messages, and charged him with aiding and abetting computer intrusion.

macOS Kernel Memory Corruption Exploit Reported

🔒 A security report details how a group used Anthropic’s Mythos AI model to discover a kernel memory corruption vulnerability and develop an exploit targeting Apple’s M5 platform. The article summarizes the incident and notes it was posted on May 21, 2026. It highlights implications for macOS security and the role of advanced AI tools in vulnerability discovery. The piece is concise and focused on the exploit’s origin and significance.

GitHub Breach Linked to Malicious Nx Console Extension

🔒 GitHub said hackers accessed approximately 3,800 internal repositories after a developer installed a malicious version of the Nx Console Visual Studio Code extension that was poisoned during last week's TanStack npm supply-chain attack. The intrusion, linked to the actor known as TeamPCP, used stolen CI/CD credentials to move into multiple projects including UiPath, Guardrails AI and OpenSearch. GitHub secured the compromised device, rotated high-impact secrets and continues log analysis and monitoring to detect follow-on activity.

GitHub Internal Repositories Breached via VS Code Extension

🔒 GitHub confirmed an intrusion into internal repositories after an employee device was compromised by a poisoned version of the Nx Console VS Code extension published as nrwl.angular-console. The attacker, tracked as TeamPCP, exfiltrated approximately 3,800 repositories; GitHub says it rotated critical secrets and is monitoring for follow-on activity. The trojanized release was available for only 18 minutes but delivered a credential stealer targeting 1Password, Anthropic Claude Code, npm, GitHub and AWS.

Ukrainian Police ID Infostealer Operator Behind Massive Theft

🔍 Ukrainian cyberpolice, working with U.S. law enforcement, say they identified an 18-year-old from Odesa suspected of running an infostealer operation that infected customers of a California online store between 2024 and 2025. The malware harvested browser sessions, credentials, and payment information, compromising 28,000 accounts. Attackers used 5,800 accounts to make unauthorized purchases totaling about $721,000, and authorities executed searches seizing phones, computers, storage media, bank cards, and cryptocurrency-related evidence while the investigation continues.

Mini Shai Hulud: antv npm Packages Compromised in CI/CD

🔒 Microsoft disclosed an active supply-chain attack that compromised an @antv npm maintainer account and published malicious versions of charting libraries, including echarts-for-react. The obfuscated ~499 KB JavaScript payload executes during npm install and targets GitHub Actions runners to harvest secrets from GitHub, AWS, HashiCorp Vault, npm, Kubernetes and 1Password by scraping process memory and enumerating secret stores. The campaign leverages privilege escalation, dual-channel exfiltration, and SLSA provenance forgery to evade detection; GitHub removed malicious packages and invalidated exposed tokens.

GitHub Confirms Major Breach of 3,800 Internal Repos

⚠ GitHub confirmed attackers exfiltrated code from roughly 3,800 internal repositories after a compromised employee device and a poisoned VS Code extension were used to gain access. The company detected and contained the compromise on May 19, removed the malicious extension, isolated the endpoint, and began incident response. A threat actor calling itself TeamPCP posted lists of stolen repos and claimed responsibility, threatening to leak the data if not sold. GitHub is rotating secrets, analyzing logs, and said it will publish a full incident report when investigations conclude.

Grafana breach traced to missed GitHub token rotation

🔐 Grafana confirmed its recent data breach stemmed from a single missed GitHub workflow token that was exfiltrated after malicious TanStack npm packages executed in its CI/CD environment. The company detected the intrusion on May 1, rotated most tokens, and launched its incident response, but one token was overlooked and allowed attackers repository access. Grafana says source code wasn't altered and no customer production systems were impacted.

Android Malware Signs Victims Up to Carrier Billing

📱 Zimperium's zLabs uncovered a 10-month Android malware campaign that used nearly 250 fake apps to enroll victims in premium carrier billing services across Malaysia, Thailand, Romania and Croatia. The operation, running from March 2025 to January 2026, included three variants that ranged from cookie- and SMS-harvesting to a fully automated subscription flow against DiGi. The most advanced variant abused Google's SMS Retriever API, forced traffic onto cellular, loaded hidden carrier billing pages and intercepted one‑time passwords. Users are advised to avoid sideloading apps, verify installed apps and review mobile bills for unexplained charges.

Mini Shai-Hulud Hits Hundreds of AntV npm Packages

🚨 The Mini Shai-Hulud worm resurfaced in a coordinated supply-chain wave that published 639 malicious versions across 323 npm packages tied to the AntV visualization ecosystem on 19 May, lasting roughly an hour. Analysis by Socket and updates from Microsoft show the payload added preinstall hooks executing an obfuscated Bun bundle to harvest cloud and CI secrets. Many affected packages are high-download dependencies and the compromised maintainer account held rights to over 500 packages. Responders should pin pre-19 May versions, rotate exposed credentials and audit GitHub for forged repository activity.