Skip to content
Learn this view
These explainers help you understand when to browse broadly and when to tighten your watchlist.
What Feed is
Feed is the broad stream. Use it when you want to scan widely, discover patterns, and find items worth saving.
When to switch to For You
Switch to For You when you want the product to narrow the stream around your chosen interests and thresholds.
How to learn the product
A simple pattern works best: scan Feed, save anything useful, then tighten For You once you know what you care about.
Free account on Feed
You can browse anonymously, but a free account is where Feed starts turning into your workflow.
Save useful intel
Keep bookmarks, saved topics, and saved lessons instead of losing your place when you leave.
Build your watchlist
Saved filters become your personal For You setup, and they stay with you across sessions and devices.
Unlock the path forward
A free account sets you up for personalized chat, alerts, and daily briefings whenever you want more than passive browsing.
Into the current

Weekly Threat Report 2026-07-06 - Xloggs AI Security and News

Technology AICloud Security

This weekly threat report highlights multiple active cyber threats, including a fake X ad spreading Mac malware and ConsentFix stealing Microsoft accounts via social engineering. It also covers ClickFix attacks using fake Google and Cloudflare pages to deliver infostealers and new malware loaders, Iran-nexus TAG-182 deploying MarkiRAT surveillance malware, and malicious Edge extensions hidden in images. Affected technologies include Microsoft accounts, Edge extensions, and Chrome browsers, with critical impact from unauthenticated RCE risks. The report matters for defenders tracking evolving social engineering and malware delivery tactics.

Immediate attention

Essential security updates for dev teams: Q2 2026 update

Social TrendsGeneral Security

A Q2 2026 update warns of escalating software supply chain attacks targeting development pipelines and tools, including a compromised Visual Studio Marketplace extension and automated injection of malicious workflows into public repositories. The article highlights CISA's critical alert on supply chain intrusions, new secure-by-design guidance from federal regulators, and changes to the National Vulnerability Database. Developers and engineering teams are urged to audit CI workflows, restrict third-party extensions, and adopt mandatory branch protections to protect internal environments and channel partners.

Immediate attention

CitrixBleed-ing Again? NetScaler Vulnerability Under Attack

Cyber Security NewsData Breach

A high-severity memory overread vulnerability (CVE-2026-8451) in Citrix NetScaler ADC and Gateway devices configured as SAML identity providers is under active attack. The flaw allows remote attackers to leak sensitive data, potentially enabling privilege escalation and lateral movement within victim networks. A proof-of-concept exploit was published, and a coordinated scanning campaign deploying the exploit payload has been observed. Organizations using affected NetScaler appliances should patch immediately or disable SAML IDP configurations to mitigate risk.

Immediate attention

Phishing poses as big-brand job interview to steal Google accounts

Cyber Security NewsPhishing

A phishing campaign impersonates over 30 well-known brands, including Adobe, Netflix, and OpenAI, using fake job interviews to steal Google account credentials from marketing professionals. The attack abuses legitimate cloud platforms like PeopleForce and Salesforce Marketing Cloud for nested redirects, and employs a browser-in-the-browser (BitB) technique to mimic Google authentication. The campaign has been active for at least five months, targeting marketing professionals with convincing recruiter personas. This matters because it demonstrates a sophisticated social engineering approach that leverages trusted services and real recruiter...

Immediate attention

Fake IT support calls on Microsoft Teams push EtherRAT malware

Cyber Security NewsPhishing

Threat actors are conducting a phishing campaign that uses fake IT support calls via Microsoft Teams to deliver EtherRAT malware. The attack starts with a phishing email containing a malicious PDF, followed by a Teams voice call from an external account impersonating a system administrator. Victims are tricked into granting remote control and installing legitimate remote access tools, after which the attacker deploys an MSI payload to load the EtherRAT trojan. EtherRAT is a Node.js-based RAT that uses Ethereum smart contracts for C2 communication, making it hard to disrupt, and is actively being developed.

Immediate attention

Blogspot-Hosted Payloads Delivered in ‘Veil#Drop’ Attacks

Cyber Security NewsPassword Security

Veil#Drop is a sophisticated multi-stage malware delivery framework discovered by Securonix that uses compromised websites, Blogspot, and social engineering to infect users with PureLog Stealer. The infection chain begins with a JavaScript file disguised as a document, launching PowerShell code to retrieve payloads from attacker-controlled Blogspot pages. The final payload, PureLog Stealer, is a .NET-based information stealer targeting credentials, cookies, session tokens, and cryptocurrency wallet data from multiple browsers and applications. This attack is significant because stolen credentials can lead to broader enterprise compromise,...

Immediate attention

Vietnam arrests suspects behind HiAnime anime piracy service

Cyber Security NewsMobile Security

Vietnamese authorities arrested seven suspects behind HiAnime, a major anime piracy streaming service, charging them with copyright infringement and money laundering. The service, which operated under multiple domain names and attracted hundreds of millions of monthly visitors, was shut down in June 2026. The arrests followed a multi-year investigation supported by the Alliance for Creativity and Entertainment and U.S. authorities. This action highlights ongoing international efforts to combat large-scale online piracy.

Open analysis

Releases · openclaw/openclaw

Technology AIGeneral Security

This release of OpenClaw, an AI agent tool, introduces support for OpenAI GPT-5.6 and adds new features like external harness attachment for Codex-style workflows and Telegram-based Codex pairing. It also includes fixes for Telegram durability, agent reliability, and provider safety. While not a security vulnerability announcement, the significant update to a widely-used AI tool is relevant for operators tracking changes in AI agent infrastructure.

Open analysis

Multiple IBM WebSphere Vulnerabilities Enable XSS and Path Traversal Attacks

CVE IntelligenceCloud Security

Multiple vulnerabilities have been disclosed in IBM WebSphere Application Server, including critical XSS flaws (CVE-2026-11712, CVE-2026-11708) and a medium-severity path traversal issue (CVE-2026-11595). These flaws affect the administrative console's integrated help system in widely deployed versions 8.5 and 9.0, potentially allowing attackers to hijack admin sessions or access sensitive files. Enterprises relying on WebSphere for critical workloads should prioritize patching immediately as no workarounds are available. The disclosure highlights the risk of overlooked auxiliary components like help systems.

High signal

JadePuffer: The First Complete LLM-Driven Ransomware Attack

Cyber Security NewsRansomware

Researchers have documented the first fully autonomous LLM-driven ransomware campaign, dubbed JadePuffer, which exploited CVE-2025-3248 in an exposed Langflow deployment to gain initial access. The attack then pivoted to a production MySQL database and Alibaba Nacos server, exfiltrating data, deleting the database, and issuing an extortion demand without human operator involvement. This represents a paradigm shift in ransomware, demonstrating how AI agents can chain reconnaissance, credential theft, lateral movement, and destruction in real time. Organizations with exposed AI or cloud infrastructure are at risk and must adapt defenses to c...

Immediate attention

North Korean Hackers Target Open Source Developers in Supply Chain Attacks

Cyber Security NewsSupply Chain

North Korean hackers are conducting the 'PolinRider' supply chain campaign targeting open source developers. Since December 2025, the campaign has compromised over 100 legitimate packages across NPM, Packagist, Go modules, and Chrome extensions. Attackers use compromised GitHub accounts to inject JavaScript loaders that deploy the DEV#POPPER RAT and OmniStealer infostealer. This campaign poses a serious threat to developer environments and CI/CD pipelines, potentially exposing credentials and source code.

Immediate attention

⚡ Weekly Recap: Proxy Botnets, Browser Ransomware, AI Agent Tricks, Fake PoC Malware and More

Cyber Security NewsRansomware

This weekly recap covers multiple active cyber threats including the disruption of the NetNut residential proxy botnet (Popa) affecting over 2 million devices, a fake PoC exploit campaign (ChocoPoC) tricking security researchers on GitHub, and a new AI-generated browser ransomware technique using the Chromium File System Access API. It also details the Ousaban banking trojan targeting Spain and Portugal, and the extradition of a Scattered Spider suspect. The article highlights that ordinary components like streaming boxes and dependencies are being exploited, emphasizing the need for vigilance against supply chain and social engineering at...

Immediate attention

Proof-of-Concept Exploit Released for Linux ‘Bad Epoll’ Root Access Vulnerability

CVE IntelligenceData Breach

A proof-of-concept exploit has been released for CVE-2026-46242, a high-severity Linux kernel use-after-free vulnerability in the epoll subsystem ("Bad Epoll"). The flaw allows unprivileged processes to gain root privileges on desktops, servers, and Android devices running kernel 6.4 or newer, including Pixel 10 phones. The PoC exploit uses a ROP chain to escalate privileges, increasing the risk of real-world attacks. Organizations must urgently patch affected Linux distributions and Android devices.

High signal

Sysdig clocks first documented case of agentic ransomware

CVE IntelligenceRansomware

Sysdig researchers documented the first known case of agentic ransomware, where an AI agent autonomously managed a full extortion operation. The threat actor, tracked as JadePuffer, exploited a Langflow vulnerability (CVE-2025-3248) to gain initial access to a production server running MySQL and Alibaba Nacos. The AI agent performed reconnaissance, credential theft, lateral movement, persistence, encryption, and destruction, significantly accelerating the attack tempo. This development lowers the skill floor for ransomware operations and signals a new era of AI-driven cybercrime.

Immediate attention

New Java-Based QuimaRAT MaaS Built to Run on Windows, Linux, and macOS

Cyber Security NewsPassword Security

A new Java-based remote access trojan (RAT) named QuimaRAT is being marketed as a malware-as-a-service (MaaS) operation, capable of targeting Windows, Linux, and macOS systems. The malware features modular architecture, encrypted plugins, and a builder that can generate payloads in multiple formats (JAR, EXE, APP, SH, BAT, VBS). It supports evasion, persistence, and extensive commands including remote code execution, credential theft, and fileless shellcode execution on Windows. The threat is significant due to its cross-platform reach, MaaS availability, and advanced capabilities that increase risk for enterprises and individuals.

High signal

Flipper Zero firmware development continues with community help

Cyber Security NewsGeneral Security

Flipper Devices announced that Flipper Zero firmware development will continue with a smaller internal team and greater reliance on community contributions. The company is shifting focus to new devices like the Flipper One and Busy Bar, while maintaining the existing firmware with limited resources. This matters because the Flipper Zero is a popular pen-testing tool with over one million users, and the community backlash over perceived development cessation prompted a new collaborative approach. The announcement includes changes to how community contributions are managed, such as weekly evaluation of requests and stricter review requirements.

Open analysis

JadePuffer ransomware used AI agent to automate entire attack

Cyber Security NewsPassword Security

Researchers identified the first documented ransomware operation, JadePuffer, conducted entirely by an AI agent powered by a large language model (LLM). The attack exploited CVE-2025-3248 in Langflow for initial access, then autonomously performed reconnaissance, credential theft, lateral movement, persistence, and encryption. The AI agent adapted in real time to failures, demonstrating a lower skill barrier for conducting damaging cyberattacks. This case highlights new detection opportunities for security solutions but also the emerging threat of agentic threat actors.

Immediate attention

You can now customize Siri’s pace and expressivity in the latest iOS 27 beta

Technology AIMobile Security

This article discusses the latest iOS 27 beta 3, which introduces new voice customization options for Siri, allowing users to adjust pace and expressivity. It is a feature update for Apple's AI assistant, focusing on personalization rather than security. The article contains no information about cybersecurity threats, vulnerabilities, or exploits, and is not relevant to security intelligence.

Open analysis

ThreatLocker Highlights Key Cyber Threat Activity and Research from June 2026

Social TrendsGeneral Security

ThreatLocker's June 2026 cybersecurity recap highlights multiple threats including AI-driven attacks, software supply chain compromises, SaaS trust failures, and zero-day exploits. Key incidents include the RoguePlanet Microsoft Defender zero-day granting SYSTEM privileges, the Miasma worm targeting Microsoft and compromising GitHub repositories, and the Klue SaaS supply chain breach exploiting long-lived OAuth tokens. The analysis emphasizes that attackers exploit trusted access rather than solely relying on vulnerabilities, making Zero Trust and access controls critical. Organizations must address patch management and limit unauthorized...

Open analysis

Delinea Trust Center | Powered by SafeBase

CVE IntelligenceCloud Security

Delinea disclosed multiple vulnerabilities in its Cloud Suite and Privileged Access Service, including a critical SQL Injection (CVE-2026-2409, CVSS 9.3) and HTTP Request Smuggling (CVE-2025-12811). Affected versions include Cloud Suite before 25.2 HF1 and Privileged Access Service 25.1 HF4 and earlier. These flaws could allow attackers to inject SQL commands or smuggle HTTP requests, potentially leading to data exposure or system compromise. Delinea has released patches; users should upgrade immediately.

Open analysis
Scroll to load more