Research
-
Fake Next.js interview projects backdoor developer machines
Fake Next.js repositories and coding tests are being used to trigger remote code execution on developer machines. Malicious JavaScript runs when projects are opened or run then installs backdoors and exfiltrates data.
-
Suspected Chinese cyberespionage used Google Sheets API to hide C2 in campaign affecting 53 organisations
A suspected Chinese threat actor used Google Sheets API calls for command-and-control in a global campaign that affected 53 organisations in 42 countries since 2023. A technical analysis details the GRIDTIDE backdoor and mitigation steps.
-
1Campaign cloaking service helps malicious Google Ads evade detection
1Campaign is a cloaking service that helps malicious Google Ads pass automated screening and remain online for years. One observed campaign filtered 99.4% of visitors while redirecting a small fraction to attacker-controlled pages.
-
RoguePilot flaw in GitHub Codespaces could have leaked GITHUB_TOKEN, researcher says
A flaw named RoguePilot let attackers hide Copilot instructions in a GitHub issue to manipulate Codespaces and leak a privileged GITHUB_TOKEN. Orca Security published a technical analysis and Microsoft patched the issue after disclosure.
-
Lazarus Group uses Medusa ransomware in Middle East attack
A technical report by Broadcom’s Symantec and Carbon Black Threat Hunter Team reported that the Lazarus Group used Medusa ransomware in a Middle East attack and attempted an unsuccessful strike against a U.S. healthcare organization.
-
UnsolicitedBooker uses LuciDoor and MarsSnake to target Central Asian telecoms
UnsolicitedBooker deployed LuciDoor and MarsSnake backdoors against telecom companies in Kyrgyzstan and Tajikistan using phishing and multiple loaders between September 2025 and January 2026.
-
Anthropic reports three firms used 24,000 fake accounts to extract Claude in over 16 million exchanges
Anthropic reported that three China based AI firms used about 24,000 fraudulent accounts to run distillation campaigns against Claude that produced over 16 million exchanges targeting reasoning, coding and tool use capabilities.
-
Security analysis finds vulnerabilities in popular mental health apps on Google Play
A technical analysis by Oversecured found vulnerabilities in popular Android mental health apps that can expose conversation histories and mood data. Affected apps have tens of millions of combined downloads and the flaws remain unpatched.
-
APT28 targets Western and Central Europe with document beacons and webhook exfiltration
APT28 ran Operation MacroMaze from September 2025 to January 2026 targeting Western and Central Europe, using spear-phishing documents that beacon to webhook hosts and exfiltrate command output through browser-based HTML forms.
-
Pirated software lure spreads wormable XMRig miner that uses BYOVD to boost hashrate
Trellix reported a cryptojacking campaign that used pirated software bundles to deliver a wormable XMRig miner on Windows hosts. The malware uses a vulnerable driver to raise mining hashrate and spread via removable media during November and early December 2025.
