{"id":1117,"date":"2026-06-08T14:39:36","date_gmt":"2026-06-08T14:39:36","guid":{"rendered":"https:\/\/cybercolombia.co\/index.php\/2026\/06\/08\/instagram-account-hacks-android-zero-day-github-worm-and-more-cyberdefensa-mx\/"},"modified":"2026-06-08T14:39:36","modified_gmt":"2026-06-08T14:39:36","slug":"instagram-account-hacks-android-zero-day-github-worm-and-more-cyberdefensa-mx","status":"publish","type":"post","link":"https:\/\/cybercolombia.co\/index.php\/2026\/06\/08\/instagram-account-hacks-android-zero-day-github-worm-and-more-cyberdefensa-mx\/","title":{"rendered":"Instagram Account Hacks, Android Zero-Day, GitHub Worm and More \u2013 CYBERDEFENSA.MX"},"content":{"rendered":"<div id=\"articlebody\">\n<p>Monday again. The weekend was meant to be quiet. It wasn\u2019t. Last week had poisoned packages, a broken AI helper, and a worm tearing through repos. The ugly part: basic tricks still worked.<\/p>\n<p>A chatbot got fooled. A bot token got leaked inside the malware. The same old mistakes showed up again. And while everyone chased the loud stuff, quieter attackers sat in inboxes for months, reading mail and stealing it bit by bit.<\/p>\n<p>Lots to cover. Grab coffee. Read up.<\/p>\n<h2 style=\"text-align: left;\"><b>\u26a1 Threat of the Week<\/b><\/h2>\n<p><b>Miasma Worm Hits 73 Microsoft GitHub Repositories in Supply Chain Attack <\/b>\u2013 Microsoft\u2019s GitHub repositories became the latest to fall victim to the ongoing Miasma self-replicating supply chain attack campaign. The incident impacted 73 Microsoft repositories across four of its GitHub organizations, including Azure, Azure-Samples, Microsoft, and MicrosoftDocs. The development prompted GitHub to disable access to those repositories. 
Miasma is assessed to be a variant of the Mini Shai-Hulud worm that TeamPCP publicly released in mid-May 2026.<\/p>\n<h2 style=\"text-align: left;\"><b>\ud83d\udd14 Top News<\/b><\/h2>\n<ul>\n<li><b><a href=\"https:\/\/thehackernews.com\/2026\/06\/google-june-2026-android-update-patches.html\">Google Fixes Android Framework Flaw Under Exploitation <\/a><\/b>\u2013 Google released patches for 124 security vulnerabilities impacting its Android operating system for the month of June 2026, including one high-severity flaw in the Framework component that has come under active exploitation. Tracked as CVE-2025-48595 (CVSS score: 8.4), the security flaw has been described as a case of privilege escalation without requiring any user interaction. The vulnerability impacts devices running Android versions 14, 15, 16, and 16 QPR2 (Quarterly Platform Release 2). Google has acknowledged there are indications that CVE-2025-48595 may be under \u00ablimited, targeted exploitation.\u00bb As is typically the case, the tech giant did not reveal any specifics about who may have been behind the activity, the targets affected, and the scale of such efforts.<\/li>\n<li><b>U.S. Action Disrupts Investment Fraud Schemes <\/b>\u2013 The U.S. Department of Justice announced the results of a sweeping action undertaken by government authorities and private sector companies to combat cyber-enabled and cryptocurrency fraud targeting Americans. The \u00abDisruption Week\u00bb operation led to the takedown of millions of social media, email, and internet access accounts used by transnational cybercrime groups in Southeast Asia to defraud victims. Private sector entities voluntarily froze over $3.8 million in cryptocurrency involved in the laundering of funds stolen from Americans. The efforts are part of an ongoing U.S. 
government initiative called Scam Center Strike Force, which aims to dismantle transnational criminal organizations running cyber-enabled fraud and \u00abpig butchering\u00bb (aka romance baiting) scams from compounds in Southeast Asia, along with the human trafficking and money laundering operations that fuel the illicit enterprise.<\/li>\n<li><b>China-Linked TA4922 Broadens Focus to Europe, Africa <\/b>\u2013 A new Chinese-speaking cybercrime group has expanded its reach from East Asia into Europe and Africa, while rapidly overhauling the malware it employs to hack into corporate networks. The actor, tracked as TA4922, is financially motivated and focused on gaining remote access to victim systems for data theft, fraud, and the resale of access. Some elements of the threat actor\u2019s tactics overlap with Silver Fox and Void Arachne. Its operations are unusually varied, leveraging malware delivery, credential phishing, and credit card theft across different campaigns. While historical attacks targeted Japan, the actor has also targeted organizations in Taiwan, Korea, Singapore, India, the U.K., Germany, Italy, and South Africa. The lures are localized, impersonating tax authorities, finance departments, and human resources teams in the target\u2019s own language to distribute Atlas RAT, RomulusLoader, and SilentRunLoader through DLL side-loading techniques.<\/li>\n<li><b>OP-512 Targets Microsoft IIS Servers with Custom Web Shell Framework <\/b>\u2013 A previously unreported threat cluster dubbed OP-512 has been observed targeting Microsoft Internet Information Services (IIS) servers to deploy a bespoke web shell framework. The espionage-focused activity has been assessed as originating from China. \u00abOP-512 was highly likely conducting espionage through a compromised Internet Information Services (IIS) web server on an organization whose sector and geography align with China-linked intelligence priorities,\u00bb ReliaQuest said. 
The web shell framework facilitates file management and authenticated command execution.<\/li>\n<li><b>Hackers Spied on a Stock Exchange Executive\u2019s Outlook Mailbox for 5 Months <\/b>\u2013 Unknown threat actors managed to spy on a senior member of an unnamed global stock exchange for at least five months. There are still several unanswered questions, like who was behind it and how they obtained initial access. However, what\u2019s evident is that the attacker spent several months inside the Outlook mailbox and likely accessed sensitive information. The goal of the operation was most likely cyber espionage, but details are scant on which stock exchange was targeted. The earliest sign of malicious activity was observed on October 10, 2025. The attack led to the deployment of a mailbox stealer that ran in 2-4 week intervals to hoover up email data. The captured information was exfiltrated via Dropbox and Microsoft OneDrive Personal, transferring only small batches at a time to avoid raising any red flags. The data exfiltration runs lasted through March 2026.<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><b>\u200e\ufe0f\ud83d\udd25 Trending CVEs<\/b><\/h2>\n<p>Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast. 
These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild.<\/p>\n<p>Check the list, patch what you have, and hit the ones marked urgent first \u2013 CVE-2026-28318 (SolarWinds Serv-U), from CVE-2026-39210 through CVE-2026-39217 (FFmpeg), CVE-2026-20245 (Cisco Catalyst SD-WAN Manager), CVE-2026-20230 (Cisco Unified Communications Manager), CVE-2026-3300 (Everest Forms Pro plugin), CVE-2025-48595 (Google Android) <a href=\"https:\/\/kb.cert.org\/vuls\/id\/158530\">CVE-2026-8501<\/a> (PCTCore64.sys), <a href=\"https:\/\/kb.cert.org\/vuls\/id\/615987\">CVE-2026-10629<\/a> (Verizon IMS network), <a href=\"https:\/\/kb.cert.org\/vuls\/id\/265691\">CVE-2026-7299<\/a> (Appsmith), <a href=\"https:\/\/kb.cert.org\/vuls\/id\/873170\">CVE-2026-10621, CVE-2026-10622<\/a> (Collibra Agent), <a href=\"https:\/\/www.rapid7.com\/blog\/post\/ve-cve-2026-0826-critical-unauthenticated-stack-buffer-overflow-hp-poly-vvx-trio-voip-phones-fixed\/\">CVE-2026-0826<\/a> (<a href=\"https:\/\/www.rapid7.com\/blog\/post\/ve-cve-2026-0826-how-an-old-bug-can-feed-ai-powered-impersonation\/\">HP Poly Voice<\/a>), <a href=\"https:\/\/www.wordfence.com\/blog\/2026\/06\/unauthenticated-privilege-escalation-vulnerability-patched-in-kirki-wordpress-plugin\/\">CVE-2026-8206<\/a> (<a href=\"https:\/\/aretiq.ai\/research\/vul260602-cve-2026-8206-themeum-kirki-wordpress-plugin-password-reset-email-redirect-privilege-escalation\/\">Themeum Kirki \u2013 Freeform Page Builder, Website Builder &amp; Customizer plugin<\/a>), <a href=\"https:\/\/www.zeroday.cloud\/blog\/redis-cve-2026-23479-deep-dive\">CVE-2026-23479<\/a>, <a href=\"https:\/\/www.zeroday.cloud\/blog\/redis-cve-2026-23631-dark-replica\">CVE-2026-23631<\/a> aka DarkReplica, <a href=\"https:\/\/www.zeroday.cloud\/blog\/redis-cve-2026-25243-deep-dive\">CVE-2026-25243<\/a>, <a href=\"https:\/\/www.zeroday.cloud\/blog\/redis-five-cves-overview\">CVE-2026-25588, CVE-2026-25589<\/a> (Redis), <a 
href=\"https:\/\/community.acer.com\/en\/kb\/articles\/19673\">CVE-2026-49200, CVE-2026-49201<\/a> (Acer Wave 7 routers), <a href=\"https:\/\/kb.cert.org\/vuls\/id\/595768\">CVE-2026-8874, CVE-2026-8876, CVE-2026-8878, CVE-2026-8879, CVE-2026-8881, CVE-2026-8888, CVE-2026-8889<\/a> (Securly), <a href=\"https:\/\/chromereleases.googleblog.com\/2026\/06\/stable-channel-update-for-desktop.html\">CVE-2026-10881, CVE-2026-10882, CVE-2026-10883<\/a> (Google Chrome), <a href=\"https:\/\/support.broadcom.com\/web\/ecx\/support-content-notification\/-\/external\/content\/SecurityAdvisories\/0\/37513\">CVE-2026-41722, CVE-2026-41723, CVE-2026-41724<\/a> (Broadcom VMware Cloud Foundation Operations), <a href=\"https:\/\/bishopfox.com\/blog\/popping-root-on-unifi-os-server-unauthenticated-rce-chain-detection-analysis\">CVE-2026-34908, CVE-2026-34909<\/a> (UniFi OS Server), <a href=\"https:\/\/pluto.security\/blog\/unauthenticated-remote-code-execution-in-huggingface-transformers-via-config-injection\/\">CVE-2026-4372<\/a> (Hugging Face), <a href=\"https:\/\/www.zerodayinitiative.com\/advisories\/ZDI-26-331\/\">CVE-2026-45495<\/a> (Microsoft Edge), <a href=\"https:\/\/lists.apache.org\/thread\/j9vmlc410ht5f28fc98gx75jcbq62j00\">CVE-2026-42253<\/a> (Apache ActiveMQ), <a href=\"https:\/\/hub.ivanti.com\/s\/article\/Security-Advisory-Ivanti-Neurons-for-ITSM-CVE-2026-9614?language=en_US\">CVE-2026-9614<\/a> (Ivanti ISTM), <a href=\"https:\/\/github.com\/laravel\/framework\/security\/advisories\/GHSA-5vg9-5847-vvmq\">CVE-2026-48019<\/a> (laravel\/framework), <a href=\"https:\/\/www.cisa.gov\/news-events\/ics-advisories\/icsa-26-148-06\">CVE-2026-5386<\/a> (KMW CCTV security cameras), <a href=\"https:\/\/www.tp-link.com\/us\/support\/faq\/5102\/\">CVE-2026-5509<\/a> (TP-Link Archer BE450 v1 and Archer BE7200 v1), <a href=\"https:\/\/specterops.io\/blog\/2026\/06\/01\/cve-2026-4387-strongdm-state-file-reuse\/\">CVE-2026-4387<\/a> (StrongDM), <a 
href=\"https:\/\/www.ibm.com\/support\/pages\/node\/7274072\">CVE-2026-8633<\/a> (IBM WebSphere), and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-9739\">CVE-2026-9739<\/a> (MCP Toolbox).<\/p>\n<h2 style=\"text-align: left;\"><b>\ud83c\udfa5 Cybersecurity Webinars<\/b><\/h2>\n<ul>\n<li><a href=\"https:\/\/thehacker.news\/validate-automated-pentesting\">Learn How to Validate What Your SIEM, EDR, and SOC Catch<\/a> \u2192 Automated pentesting finds flaws. It doesn\u2019t prove your defenses caught them. Join Picus experts to learn where testing falls short, why \u00abclean\u00bb reports can mislead, and how validation shows what your SIEM, EDR, and SOC actually detect.<\/li>\n<li><a href=\"https:\/\/thehacker.news\/outpacing-mythos-cyberattacks\">Stop AI-Powered Attacks Before They Spread<\/a> \u2192 AI is making cyberattacks faster, harder to spot, and easier to scale. This webinar shows why old defenses fail against threats like Mythos, and how Zero Trust helps block movement, limit damage, and stop attacks before they grow.<\/li>\n<li><a href=\"https:\/\/thehacker.news\/securing-ai-use\">Learn How to Detect and Stop Risky AI Use in Real Time<\/a> \u2192 AI tools are spreading through the workplace faster than security teams can control. Every pasted file, prompt, or piece of code can expose sensitive data to systems that the business never approved. This webinar shows how to detect risky AI use, stop leaks in real time, and keep company data out of uncontrolled AI tools.<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><b>\ud83d\udcf0 Around the Cyber World<\/b><\/h2>\n<ul>\n<li><b>Five Eyes Warns of China Exploiting LinkedIn to Target Security Personnel <\/b>\u2013 Chinese military intelligence services are using LinkedIn and other professional networking sites like Indeed and Upwork to recruit people with access to government, military, foreign policy, or sensitive economic information, the U.S. 
and its Five Eyes intelligence partners <a href=\"https:\/\/www.mi5.gov.uk\/five-eyes-joint-bulletin-safeguarding-our-secrets\">said<\/a> in an advisory. The aim is to acquire privileged military, political and economic intelligence that can provide China with a strategic and tactical advantage over the Five Eyes, per the advisory. \u00abThese actors use an aggressive online recruitment strategy whereby intelligence officers or their affiliates pose as employees of private consultancies, think tanks, or human resources firms, and place online job advertisements for foreign policy and defense analysts,\u00bb the agencies said. Bloomberg <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2026-06-03\/us-and-five-eyes-allies-warn-of-linkedin-china-spying-threat\">reported<\/a> that China has been <a href=\"https:\/\/www.washingtonpost.com\/world\/2026\/06\/03\/us-allies-say-china-is-using-job-platforms-target-security-personnel\/\">targeting<\/a> Five Eyes nationals with security clearance, particularly those working in foreign affairs, security, and intelligence, and military personnel, including people stationed in the Asia-Pacific region, as well as journalists, academics, and think-tank employees with knowledge of unclassified information. Targets are offered payments in exchange for increasingly privileged information. Payments may arrive through a number of online platforms, including reputable services like PayPal, Zelle, and Wise, or via Western Union and cryptocurrency.<\/li>\n<li><b>Over 20K Accounts Likely Impacted in Instagram Attack Campaign <\/b>\u2013 Meta has <a href=\"https:\/\/www.maine.gov\/agviewer\/content\/ag\/985235c7-cb95-4be2-8792-a1252b4f8318\/686120c8-63be-4e3c-b7ed-466d65b672f5.html\">revealed<\/a> that 20,225 Instagram accounts may have been impacted in a recent attack abusing an AI-powered support tool. 
The attacks involved compromising the accounts simply by asking Meta\u2019s chatbot to link the attacker\u2019s own email address to the targeted account. This enabled unauthorized third parties to reset the account password and take control of it. Many of the high-profile accounts were then sold on the dark web. The exploitation of the High Touch Support (HTS) tool was discovered on May 31, 2026. It\u2019s currently unknown what personal information, if any, the threat actors may have accessed. The use of the tool has since been disabled. The development comes as a vulnerability was <a href=\"https:\/\/x.com\/vxunderground\/status\/2063360297247572365?ref_src=twsrc%5Etfw\">disclosed<\/a> in Instagram\u2019s web-based password reset flow that exposed unredacted email addresses and phone numbers associated with user accounts when a username was supplied as input.<\/li>\n<li><b>Hola Browser for Windows Compromised to Deliver Cryptocurrency Miner <\/b>\u2013 Sophos discovered an XMRig cryptocurrency miner binary bundled within a certified version of the Hola Browser installer for Windows. Hola attributed the anomaly to a supply chain compromise affecting its \u00abupdate distribution pipeline,\u00bb which allowed the unauthorized payload to evade detection. \u00abThis was a supply chain compromise, and critically, no user data was accessed, exfiltrated, or compromised at any point during this incident affecting 0.1% of users,\u00bb Hola said. \u00abWe have since completely rebuilt our distribution pipeline, implemented advanced code-signing verification, and introduced tighter access controls and continuous monitoring across our infrastructure.\u00bb<\/li>\n<li><b>Malicious npm Packages Target Trusted Brands <\/b>\u2013 A threat actor has been deploying dozens of malicious packages to npm targeting AI companies, luxury brands, and venture capital firms. These packages drop a new malware strain that impersonates an AI coding tool. 
The malicious code is launched by means of a post-install hook. \u00abWhen the binary payloads are run, a terminal window pops up and prompts the user for user information and OpenAI or Anthropic API keys,\u00bb OpenSourceMalware <a href=\"https:\/\/opensourcemalware.com\/blog\/stardrop-attack\">said<\/a>. \u00abMeanwhile, in the background, the malware is already harvesting ~\/.local\/share\/stardrop\/auth.json and other files for credentials.\u00bb<\/li>\n<li><b>2 npm Packages Deliver Epsilon Stealer <\/b>\u2013 Two malicious npm packages, turbo-axios and faster-axios, targeted developers searching for the popular axios HTTP client. \u00abBoth are trojanized copies of the real axios source with a single addition: a postinstall hook that fetches and eval()s remote JavaScript,\u00bb SafeDep <a href=\"https:\/\/safedep.io\/malicious-faster-axios-npm-epsilon-stealer\/\">said<\/a>. \u00abThe chain terminates in Epsilon Stealer, a malware-as-a-service (MaaS) Electron infostealer that harvests browser credentials, crypto wallets, and messaging sessions, then opens a persistent WebSocket channel for arbitrary command execution.\u00bb<\/li>\n<li><b>Malicious npm Package Leaks Own Telegram Bot Token <\/b>\u2013 In a related development, OX Security flagged a malicious npm package named cms-store-ren that exfiltrates data to Telegram, while leaking its own bot API token in the process. \u00abcms-store-ren is a malicious npm package that collects data from developers\u2019 machines and then sends them to a Telegram channel,\u00bb OX Security <a href=\"https:\/\/www.ox.security\/blog\/malware-slop-2-malicious-npm-package-leaks-its-own-bots-telegram-private-token\/\">said<\/a>. \u00abIt also downloads a potentially malicious JavaScript file from a remote server and tries to execute it, although this behavior wasn\u2019t yet weaponized. 
The package acts as a downloader\/loader whose primary purpose is to fetch and execute a second-stage payload while reporting successful infections back to the malicious actor.\u00bb<\/li>\n<li><b>Fake Document Factory Taken Down in Spain <\/b>\u2013 French and Spanish authorities, with support from Europol, dismantled an online marketplace selling fake identity documents to migrant smuggling rings operating in Europe to evade border controls, fraudulently obtain residence rights, and facilitate secondary movements within the region. The counterfeit document production facility, located in Alicante, Spain, led to one arrest and the seizure of approximately 800 forged European documents, document-production equipment, digital devices, a vehicle, and \u20ac1,580 in cash. \u00abThe search of the apartment, rented under a false name, uncovered a fully operational counterfeit document workshop, highlighting the industrial-scale production methods increasingly used by organised crime groups involved in document fraud,\u00bb Europol <a href=\"https:\/\/www.europol.europa.eu\/media-press\/newsroom\/news\/fake-document-factory-dismantled-in-spain-around-800-ids-seized\">said<\/a>.<\/li>\n<li><b>Former IBM Executive Accuses Company of Covering Up Hacks <\/b>\u2013 A former IBM cybersecurity executive <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2026-06-04\/ibm-at-t-accused-by-whistleblower-of-covering-up-foreign-hacks\">accused<\/a> the company of getting hacked three times in the previous decade by foreign governments and then covering up the breaches. William Barlow, who was IBM\u2019s vice president of threat intelligence until August 2019, said IBM concluded Chinese hackers breached its core network between 2013 and 2016, but that the software company went on to conceal the incidents and never publicly disclosed them. 
Breaches at two other IBM subsidiaries were also covered up in a similar manner, a lawsuit unsealed last week revealed.<\/li>\n<li><b>Gafgyt Botnet Variant Targets DD-WRT Router <\/b>\u2013 A new variant of the Gafgyt botnet called C0XMO is now targeting DD-WRT router firmware by exploiting a stack buffer overflow vulnerability (CVE-2021-27137). \u00abUnlike earlier versions, this malware separates its lateral movement into a standalone Python script,\u00bb Fortinet FortiGuard Labs <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/inside-cross-platform-propagation-of-new-gafgyt-variant-c0xmo\">said<\/a>. \u00abThis approach helps the attacker target various system architectures and device types more efficiently.\u00bb The activity was discovered in March 2026 in connection with an attack targeting a Japanese technology firm. Once C0XMO is delivered and executed on the victim host, it sets up persistence, terminates competing processes and red teaming utilities, and then establishes a connection with a remote server to accept DDoS attack commands against specific targets. It also comes with a scanner to facilitate lateral movement via SSH, Telnet, Android Debug Bridge (ADB), and other HTTP-based exploits (e.g., CVE-2025-34054, CVE-2016-15047, CVE-2015-2051, CVE-2022-35914, and CVE-2021-27137).<\/li>\n<li><b>Malicious PyPI Package Drops Backdoor <\/b>\u2013 Parsimonius, a malicious typosquat of the parsimonious Python package, \u00abincorporated the legitimate parsimonious parsing functionality to avoid suspicion while simultaneously deploying a Telegram-based backdoor,\u00bb Zscaler <a href=\"https:\/\/x.com\/threatlabz\/status\/2062651665598337319\">said<\/a>. 
\u00abOnce installed, the backdoor provided attackers with remote access capabilities and facilitated the theft of sensitive data, including .env files and bot authentication tokens.\u00bb The package racked up 2,474 downloads before it was removed.<\/li>\n<li><b>VECT Ransomware Suffers From New Flaws <\/b>\u2013 A new analysis of the Windows version of VECT ransomware has uncovered additional vulnerabilities that \u00abcan leave files renamed, partially encrypted, inconsistently modified, or damaged in ways the attacker\u2019s own decryptor cannot reliably reverse,\u00bb Morphisec <a href=\"https:\/\/www.morphisec.com\/blog\/vect-ransomware-that-cant-decrypt\/\">revealed<\/a>. \u00abThese bugs change the recovery picture. A VECT incident does not necessarily produce one clean class of encrypted files. The same .vect suffix can represent several outcomes: a file that was only renamed, a file encrypted in a single pass, a large file with only selected regions modified, or a file left inconsistent by failed writes or shared-state races.\u00bb<\/li>\n<li><b>Handala Brand Used for Physical and Influence Operations <\/b>\u2013 Recorded Future has revealed that Iran\u2019s Ministry of Intelligence (MOIS) has likely expanded the use of its Handala persona to include external physical and influence operations targeting U.S. and Israeli interests, bringing cyber, physical, and influence personas under a single umbrella. The threat intelligence company said it observed significant overlaps in the online activities of Handala Hack Team, a new Handala-branded persona named \u00abHandala Popular Resistance Front,\u00bb and three influence operations networks dubbed VIPEmployment, MOISIRAN, and Brave Israel. \u00abNotably, the HPRF and the three influence operations networks all almost certainly share a modus operandi: their administrators solicit individuals to conduct physical attacks and espionage targeting U.S. 
and Israeli entities, on behalf of Iranian intelligence agencies, for a financial reward,\u00bb Recorded Future <a href=\"https:\/\/www.recordedfuture.com\/research\/iran-handala-physical-threats\">said<\/a>. \u00abBy encompassing these groups under the Handala brand, MOIS likely seeks to take advantage of Handala\u2019s global recognition to amplify its solicitation efforts.\u00bb<\/li>\n<li><b>New Android Trojan OverlayPhantom Spotted <\/b>\u2013 A new Android banking trojan referred to as OverlayPhantom has been observed targeting more than 180 apps across 10 countries via malicious URLs, aiming to steal credentials via fake overlays and real-time screen sharing. \u00abThe malware employs a two-stage infection chain, using a dropper application that impersonates trusted platforms, including the official Austrian government identity application, ID Austria, and the widely used consumer platform TikTok, to deceive victims into installing it,\u00bb Cyble <a href=\"https:\/\/cyble.com\/blog\/overlayphantom-android-banking-trojan\/\">said<\/a>. \u00abOnce deployed, OverlayPhantom masquerades as \u2018Google Play Services\u2019 and abuses Android\u2019s accessibility service to gain persistent, elevated control of the infected device.\u00bb The malware is equipped to run over 30 remote commands to enable automated gestures, clipboard manipulation, credential theft, and data exfiltration. 
Targets of the malware include financial and cryptocurrency apps serving users in the U.S., Australia, Germany, France, Belgium, Finland, the Netherlands, Italy, Spain, and the U.K.<\/li>\n<li><b>Fake Copyright Infringement Notice Emails Lead to Credential Theft <\/b>\u2013 Threat actors are using <a href=\"https:\/\/www.malwarebytes.com\/blog\/threat-intel\/2026\/06\/these-convincing-copyright-notices-are-designed-to-steal-google-logins\">official-looking copyright removal requests<\/a> to target Chrome extension developers, warning them of imminent removal and urging them to appeal by clicking on a link (\u00abdmca-chrome-extensions[.]click\u00bb) within 48 hours. \u00abAfter you enter your extension\u2019s ID to \u2018verify\u2019 it, the page pulls in your extension\u2019s real name and icon,\u00bb Malwarebytes said. \u00abBut it\u2019s all part of a phishing attack designed to steal your Google username and password.\u00bb Other campaigns have been found to use <a href=\"https:\/\/www.malwarebytes.com\/blog\/threat-intel\/2026\/06\/pirated-pc-games-are-delivering-password-stealing-malware\">pirated PC games and modified installers<\/a> for franchises like Far Cry, Need for Speed, FIFA, and Assassin\u2019s Creed to distribute a Windows <a href=\"https:\/\/www.malwarebytes.com\/blog\/threat-intel\/2026\/06\/infostealers-are-becoming-the-go-to-phishing-payload\">password-stealing malware<\/a>; fake <a href=\"https:\/\/www.malwarebytes.com\/blog\/threat-intel\/2026\/06\/we-found-this-fake-invoice-campaign-while-scammers-were-still-building-it\">payment invoices<\/a> that trick recipients into calling a bogus customer support agent as part of refund scams; counterfeit websites impersonating <a href=\"https:\/\/www.malwarebytes.com\/blog\/threat-intel\/2026\/06\/fake-bluewallet-steals-passwords-accounts-and-crypto-from-macs\">BlueWallet<\/a> and <a 
href=\"https:\/\/www.malwarebytes.com\/blog\/threat-intel\/2026\/05\/fake-chatgpt-download-site-infects-windows-and-mac-users-with-malware\">OpenAI ChatGPT<\/a> to deliver a macOS stealer and clipper. For Windows systems, the website mimicking ChatGPT is used to deliver a credential-stealing malware loader, while Mac users get Odyssey Stealer, a fork of Atomic Stealer (AMOS).<\/li>\n<li><b>Bypassing Malicious Skill Scanners <\/b>\u2013 Trail of Bits said it was able to bypass <a href=\"https:\/\/github.com\/openclaw\/clawhub\/blob\/c3c885ec10161ad35fbe78678ccc3f8c34e03ffd\/convex\/lib\/securityPrompt.ts\">ClawHub\u2019s malicious skill detector<\/a>, <a href=\"https:\/\/github.com\/cisco-ai-defense\/skill-scanner\">Cisco\u2019s agent skill scanner<\/a>, and scanners integrated into skills.sh to push rogue skills to public skill marketplaces and steal sensitive data from developer systems. One of the malicious skills used prompt injection to \u00abconvince the guard model that the malicious payload is nothing to worry about,\u00bb the company <a href=\"https:\/\/blog.trailofbits.com\/2026\/06\/03\/the-sorry-state-of-skill-distribution\/\">said<\/a>. \u00abThe skill tells the agent to configure its package managers (npm and yarn) to use an attacker-controlled registry, but dresses the subterfuge up in the language of corporate environment configurations and virtual private network access to convince the LLM analyzer the change is innocuous.\u00bb The takeaway here is that trust can never be outsourced to a third-party scanner, because such scanners cannot reliably detect malicious content in agent skills. 
To counter the risks, organizations are advised to curate skill marketplaces for their employees and agents using trustworthy open-source collections.<\/li>\n<li><b>Phishing Campaigns Drop Remcos RAT <\/b>\u2013 Payment slip-themed phishing emails are being used to <a href=\"https:\/\/www.jumpsec.com\/guides\/blacktoad-network-manipulation-in-an-autoit-payload\/\">distribute<\/a> a link pointing to an external file-hosting service like MediaFire, which triggers the download of a screen saver (.SCR) file. That file kicks off a multi-stage chain that ends in the deployment of Remcos RAT by means of an AutoIt script after performing anti-analysis checks. The activity has been attributed by JUMPSEC to a threat group called BlackToad, which is likely an affiliate of the broader Nigerian e-crime ecosystem that\u2019s tracked as SilverTerrier, with its own set of targeting lures and tradecraft. It also exhibits some infrastructure overlap with a cluster documented by Agoda Engineering as <a href=\"https:\/\/medium.com\/agoda-engineering\/strengthening-cybersecurity-a-multi-layered-approach-to-prevent-advanced-threats-in-travel-49fe6e28d23c\">BoredFluff<\/a>, which targeted hotel staff in 2024 through fake guest enquiries to deliver Remcos RAT through a malware loader named GuLoader.<\/li>\n<li><b>Pink, a New Com-Affiliated Actor <\/b>\u2013 A new cybercrime brand called Pink (aka CL-CRI-1147) is leveraging vishing for initial access with the primary objective of data theft and extortion. It\u2019s assessed to be part of the broader Com ecosystem, embracing techniques similar to those of ShinyHunters and CL-CRI-1116 (Blackfile\/Redact). The group\u2019s data leak site went live on May 31, 2026. 
\u00abThe threat actor leverages vishing for initial access, impersonating internal IT personnel to convince a user to input credentials into a phishing site, allowing the actor to gain access to the victim\u2019s account and MFA,\u00bb Palo Alto Networks Unit 42 <a href=\"https:\/\/github.com\/PaloAltoNetworks\/Unit42-timely-threat-intel\/blob\/main\/2026-06-03-Pink-Extortion-Brand-Activity.txt\">said<\/a>. \u00abAfter gaining access to the victim\u2019s account, the actor rapidly identifies and exfiltrates data from platforms like SharePoint and OneDrive, similar to other Com-affiliated groups.\u00bb The threat actor has also been found to make use of compromised victim accounts to send their initial extortion email as well as internal Teams messages. According to <a href=\"https:\/\/www.theregister.com\/cyber-crime\/2026\/06\/04\/pink-is-the-latest-goon-squad-to-use-fake-helpdesk-calls-to-steal-creds\/5251434\">Google<\/a>, the activity maps to a threat group it calls UNC6671.<\/li>\n<\/ul>\n<h2 style=\"text-align: left;\"><b>\ud83d\udd27 Cybersecurity Tools<\/b><\/h2>\n<ul>\n<li><a href=\"https:\/\/github.com\/aliasrobotics\/cai\">CAI<\/a> \u2192 It is an open-source framework for building AI agents that help with cybersecurity work, from security testing and vulnerability discovery to defense automation. It supports 300+ AI models and includes built-in tools for tasks like reconnaissance, exploitation, privilege escalation, and security assessment.<\/li>\n<li><a href=\"https:\/\/github.com\/safedep\/pmg\">PMG<\/a> \u2192 It is a free, open-source tool that blocks malicious open-source packages before they install. It sits in front of package managers like npm, pip, and Poetry, checks packages with SafeDep threat intelligence, and helps protect developers and AI coding agents from supply-chain attacks.<\/li>\n<\/ul>\n<p><i>Disclaimer: This is strictly for research and learning. 
It hasn\u2019t been through a formal security audit, so don\u2019t just blindly drop it into production. Read the code, break it in a sandbox first, and make sure whatever you\u2019re doing stays on the right side of the law.<\/i><\/p>\n<h2 style=\"text-align: left;\"><b>Conclusion<\/b><\/h2>\n<p>That\u2019s the week. Nothing here is new. Same tricks. Same shortcuts. Same open inboxes. That\u2019s what makes it worse. Patch what matters first. Warn the people who click everything. Back up the important stuff.<\/p>\n<p>Then log off for a bit. It\u2019ll be messy again by next Monday.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Monday again. The weekend was meant to be quiet. It wasn\u2019t. Last week had poisoned packages, a broken AI helper, and a worm tearing through repos. The ugly part: basic tricks still worked. A chatbot got fooled. A bot token got leaked inside the malware. The same old mistakes showed up again. And while everyone [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25,5],"tags":[2969,75,24,931,2206,879,1161,64],"class_list":["post-1117","post","type-post","status-publish","format-standard","hentry","category-noticias","category-trending","tag-account","tag-android","tag-cyberdefensa-mx","tag-github","tag-hacks","tag-instagram","tag-worm","tag-zeroday"],"_links":{"self":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts\/1117","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/comments?post=1117"}],"version-h
istory":[{"count":0,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/posts\/1117\/revisions"}],"wp:attachment":[{"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/media?parent=1117"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/categories?post=1117"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybercolombia.co\/index.php\/wp-json\/wp\/v2\/tags?post=1117"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}