Research
-
Researchers flag 73 fake VS Code extensions tied to GlassWorm campaign
Researchers flagged 73 fake Visual Studio Code extensions on Open VSX tied to the GlassWorm campaign. Six were confirmed malicious, while the rest were sleeper packages designed to build trust before delivering malware.
-
Fake CAPTCHA scam used SMS charges, Keitaro abused in 120 campaigns
Researchers said fake CAPTCHA pages have been used since at least 2020 to trigger costly international SMS traffic, while more than 120 other campaigns abused Keitaro TDS for malware, crypto theft and investment scams.
-
Microsoft fixes Entra ID role flaw that could let users take over service principals
Microsoft fixed an Entra ID role flaw that could let users with the Agent ID Administrator role take over non-agent service principals, add credentials and potentially escalate privileges, according to a Silverfort technical analysis.
-
Tropic Trooper campaign uses trojanized SumatraPDF to deploy AdaptixC2
A campaign tied to Tropic Trooper is using a trojanized SumatraPDF reader to deploy AdaptixC2 and, in some cases, Visual Studio Code tunnels for remote access against targets in Taiwan, South Korea and Japan.
-
SentinelOne finds old malware that may have aimed to sabotage engineering software
SentinelOne says it found old malware that may have been built to sabotage engineering and physics simulation software. The sample appears to predate Stuxnet by years and may have targeted precision calculation tools used in several technical fields.
-
UNC6692 Uses Microsoft Teams Help Desk Impersonation to Push Custom Malware
UNC6692 used Microsoft Teams help desk impersonation, email bombing and a custom malware chain to target corporate users, according to Mandiant. The activity included credential harvesting, remote access, tunneling and later-stage network movement.
-
Bitwarden CLI hit by npm supply chain compromise in Checkmarx-linked campaign
Bitwarden said its CLI package was briefly compromised on npm on April 22, 2026, in a supply chain attack that targeted developer secrets and CI/CD credentials through version 2026.4.0.
-
China-linked GopherWhisper infiltrates Mongolian government systems, ESET says
ESET says a China-aligned group called GopherWhisper targeted Mongolian government institutions, infecting about 12 systems and using Discord, Slack, Outlook and file.io for control and exfiltration.
-
Malicious npm packages spread self-propagating worm through stolen developer tokens
Researchers found a self-propagating npm supply chain worm in April 2026 that stole developer secrets, reused npm tokens to publish poisoned packages and also included PyPI propagation logic.