This week starts small. A token leaks. A bad package slips in. A login trick works. An old tool shows up again. At first, it feels like the usual mess. Then you see the pattern: attackers are not always breaking in. They are using the parts we already trust. That is what makes it worrying. The danger is in normal things now - updates, apps, cloud buttons, support chats, trusted accounts. AI does not make the attacks magic. It just helps people try more things, faster. Here's what showed up this week. 47 zero-days exposed The Pwn2Own Berlin 2026 hacking contest has concluded, with security researchers collecting $1,298,250 in rewards after exploiting 47 zero-day flaws in various products from Windows, Linux, VMware, and NVIDIA. DEVCORE won the event with 50.5 Master of Pwn points and $505,000 in rewards throughout the three-day contest after hacking Microsoft SharePoint, Microsoft Exchange, Microsoft Edge, and Windows 11. STARLabs SG and Out Of Bounds followed with $242,500 (25 points) and $95,750 (12.75 points). Agentic AI security warning The U.K. National Cyber Security Centre (NCSC) has released new guidance for organizations to implement adequate security controls when rolling out agentic artificial intelligence (AI) tools in enterprise environments. "If an agent is over-privileged or poorly designed, a single failure can quickly become a serious incident," NCSC said . "It is crucial, therefore, to think before you deploy." Signal alternative pushed The Polish government is urging public officials and "entities within the National Cybersecurity System" to stop using Signal, instead directing them to use an encrypted messenger called mSzyfr developed by a leading Polish research organization, citing social engineering attacks orchestrated by advanced persistent threat (APT) groups. The development comes as multiple governments have warned of a rise in social engineering attacks, including efforts that involve threat actors impersonating Signal support, to take control of victims' accounts. Fraud suspects unmasked The Dutch police said the identity of 74 of 100 suspects has been unmasked following the launch of an initiative called Game Over?! that displays blurred photos of 100 suspected fraudsters on billboards at various public places, as well as in television and online advertisements, giving the criminals two weeks to surrender before the images are unblurred. Of these, 34 suspects voluntarily reported to authorities, while the remaining suspects were identified through information provided by the public. The youngest suspect is only 14, and the oldest is 42 years old. Game Over?! was launched in March 2026. Espionage admission U.S President Donald Trump said he and Chinese President Xi Jinping discussed cyber attacks and espionage activities carried out by both nations during the bilateral meetings last week. "They're talking about the spying. Well, we do it too," Trump said during his return flight to the U.S. "We spy like hell on them too," adding "I told him, 'we do a lot of stuff to you that you don't know about and you're doing things to us that we probably do know about.'" While Trump did not elaborate on the attacks carried out against China, the acknowledgement comes as China has been accused of conducting sweeping intrusions into U.S. networks. Ransomware hits Korea The ransomware family known as Gunra has targeted five South Korean companies since it was first discovered in April 2025, S2W said. "When Gunra ransomware was first discovered, it utilized Conti-based ransomware," the South Korean security vendor noted . "However, after transitioning to a RaaS (Ransomware-as-a-Service) model, the group developed and utilized its own ransomware." As of March 2026, the group has claimed 32 victims. Composer token leak Composer, a dependency manager for the PHP programming language, has urged its users to update Composer to version 2.9.8 or 2.2.28 (LTS). "The new releases fix a vulnerability where Composer leaks the full contents of GitHub Actions issued GITHUB_TOKEN's or GitHub App installation tokens to the GitHub Actions logs," Composer said. The vulnerability has been assigned the CVE identifier CVE-2026-45793 (CVSS score: 7.5). The development came after GitHub introduced a new format for these tokens as of late last month. "The new format, including a - (hyphen) fails Composer's validation and leads to disclosure of the GITHUB_TOKEN in logs," Composer said. As workarounds, it's advised to disable any GitHub Actions workflow that runs Composer commands until Composer has been updated. Linux rootkit persists In July 2022, cybersecurity firm Intezer detailed a Linux malware named OrBit that implements advanced evasion techniques, gains persistence on the machine by hooking key functions, provides the threat actors with remote access capabilities over SSH, harvests credentials, and logs TTY commands. Nearly four years later, several new artifacts of the userland rootkit have been identified, indicating that the malware is being actively refined and maintained by its operators. "We discovered two parallel lineages: a full-featured 'Lineage A' build that tracks closely with the 2022 original, and a lite 'Lineage B' fork that drops entire capability domains (PAM, pcap, TCP-port hiding) in exchange for a smaller footprint," researcher Nicole Fishbein said . "Along the way, the operators rotate XOR keys, shuffle install paths, swap backdoor credentials, add auditd-evasion hooks, and eventually bolt on a service-side PAM impersonation primitive." OrBit has been put to use by Blockade Spider, a cybercrime group running Embargo ransomware campaigns. It's assessed that OrBit is a fork of an open-source rootkit called Medusa , which first publicly surfaced in December 2022. "Based on this information, there are two options: either the Medusa author published a privately-circulated rootkit source that had already been deployed operationally, or the earliest OrBit sample was built from a pre-publication snapshot of the same tree," Intezer said. "Either way, the 2022 OrBit sample and the December 2022 Medusa source tree are the same codebase. This suggests that the backdoor was created before its public release and has since been selectively forked, configured, and redeployed by multiple operators over four years." AI-driven intrusions surge Two emerging campaigns, dubbed SHADOW-AETHER-040 and SHADOW-AETHER-064, have independently deployed agentic AI with "strikingly similar tactics" to facilitate intrusion operations against governments and financial organizations in Latin America. "Both campaigns established traffic tunnels to victim systems, enabling AI agents to conduct malicious attacks directly into victim internal network environments via ProxyChains and SSH," Trend Micro said . "The AI agents dynamically generated multiple hacking tools and scripts, rather than relying on pre-built hacking tools. This reduced the likelihood of detection by traditional security solutions that rely on known tool signatures." The two activity clusters are said to be the work of separate entities. The attackers bypassed AI safety controls by framing their requests as authorized penetration testing and red teaming exercises. Undertaken by a Spanish-speaking threat actor, SHADOW-AETHER-040 has compromised six government entities in Mexico between December 27, 2025, and January 4, 2026. This activity is consistent with Gambit Security's report about large-scale compromise of multiple Mexican government organizations between December 2025 and February 2026 by an unknown adversary using Anthropic's Claude and OpenAI's GPT AI models to carry out the intrusion activities. According to Dragos, which is tracking the activity as TAT26-12, one of these attacks targeted a municipal water and drainage utility in January 2026, leading to an unsuccessful attempt to breach its operational technology environment. "Claude acted as the primary technical executor and independently identified the OT environment's relevance to critical infrastructure, assessed its potential as a crown jewel asset, and investigated possible access pathways to breach the IT-OT boundary," Dragos said . The second campaign, linked to a Portuguese-speaking hacking crew named SHADOW-AETHER-064, has been active since April and has singled out financial organizations in Brazil. The findings show how commercial AI tools are compressing the traditional attack kill chain, accelerating tasks like reconnaissance and exploit development that historically required significant time and operator expertise. Like in the case of VoidLink , while the tools assembled for these attacks may not be particularly sophisticated or novel, the speed at which AI models generate and improve upon them is operationally significant, essentially collapsing what would have taken days or weeks of manual development effort into hours. Mythos intel sharing expands According to the Wall Street Journal, Anthropic has begun letting users of its Mythos AI model share cybersecurity threats with others who may face similar vulnerabilities. "Last week, Anthropic began telling the companies they could share information about cyber threats and Mythos findings with other entities as long as it was done responsibly," a spokesperson for the company was quoted as saying. "As the program has matured, we've adapted them to ensure key information can be shared broadly - including outside the program - for maximum defensive impact." The development comes as Cloudflare said Mythos is a "real step forward" and is capable of chaining "small attack primitives together into a working exploit." It's also equipped to find vulnerabilities and prove they are exploitable. The web infrastructure and security company also said it has designed a multi-stage vulnerability discovery harness to scan codebases across "runtime, edge data path, protocol stack, control plane, and the open-source projects we depend on." Just like Microsoft's MDASH, different agents handle different responsibilities: "hunter" agents identify candidate vulnerabilities, others argue for or against their exploitability, while a deduplication stage collapses findings that share the same root cause. A tracer agent checks whether attacker-controlled input actually reaches the bug from outside the system, while a final "reporting" agent writes a structured report. Calls now encrypted Discord has announced that all voice and video calls through the communication platform are now protected by default with end-to-end encryption (E2EE). The solution is powered by the DAVE protocol. "The DAVE protocol is open, and the implementation is open-source ,". Discord said. "As of early March 2026, every voice and video call on Discord, whether in DMs, group DMs, voice channels, or Go Live streams, is end-to-end encrypted by default." Discord said there are no plans to extend it to text messages. "Many of the features people use on Discord were built on the assumption that text isn't end-to-end encrypted, and rebuilding them to work with encryption is a meaningful engineering challenge," it added. Azure identities abused Microsoft has shed light on a "methodical, sophisticated, and multi-layered attack" orchestrated by Storm-2949 with an aim to exfiltrate sensitive data from an unnamed organization's high-value assets. The attack, which is notable for abusing Microsoft's Self-Service Password Reset ( SSPR ) process to trick the target into completing multi-factor authentication (MFA) prompts, led to the exfiltration of data from Microsoft 365 applications, file-hosting services, and Azure-hosted production environments. The social engineering attack targeted IT personnel and senior leadership so as to compromise their identities for post-compromise actions. The attacker is also said to have conducted discovery activities, installed ScreenConnect, and attempted to disable Microsoft Defender Antivirus protections. "Storm-2949 didn't rely on traditional malware and other on-premises tactics, techniques, and procedures (TTPs),". Microsoft said . "Instead, they leveraged legitimate cloud and Azure management features to gain control-plane and data-plane access, which they then used to execute code remotely on VMs, and access sensitive cloud resources such as Key Vaults and storage accounts, among others. These activities allowed them to move laterally across cloud and endpoint environments while blending into expected administrative behavior." App Store fraud blocked Apple said its App Store stopped over $2.2 billion in potentially fraudulent transactions and rejected over 2 million problematic app submissions in 2025. "Last year, Apple's systems also successfully rejected 1.1 billion fraudulent customer account creations - blocking bad actors at the outset - and deactivated an additional 40.4 million customer accounts for fraud and abuse," Apple said . "In 2025, Apple terminated 193,000 developer accounts over fraud concerns and rejected more than 138,000 developer enrollments. To further protect users from harmful software, Apple in 2025 detected and blocked 28,000 illegitimate apps on pirate storefronts, which include malware, pornography apps, gambling apps, and pirated versions of legitimate apps from the App Store." Apple also rejected over 22,000 submissions for containing hidden or undocumented features and more than 443,000 submissions for privacy violations. In the last month alone, the iPhone maker said it prevented 2.9 million attempts to install or launch apps distributed illicitly outside the App Store or approved alternative app marketplaces. Fraud routing exposed Two U.S. nationals, CEO Adam Young, 42, of Miami, and Harrison Gevirtz, 33, of Las Vegas, have pleaded guilty to running a business that provided services to customers engaged in widespread telemarketing and tech-support fraud schemes targeting victims across the country. The services, which included telephone numbers, call routing services, call tracking, and call forwarding services, were offered to customers who engaged in tech-support fraud schemes. They are scheduled to be sentenced on June 16, 2026. The investigation also led to the conviction of five India-based telemarketing fraudsters and a former employee of their call routing company (Sahil Narang, Chirag Sachdeva, Abrar Anjum, Manish Kumar, and Jagmeet Singh Virk) for targeting and defrauding Americans. "Call centers based in India utilized Young and Gervitz's business to route their 'tech fraud' scheme calls and, in some instances, advised those fraudsters on methods intended to reduce complaints and prevent account terminations," the U.S. Justice Department said . The schemes used deceptive pop-up messages to falsely convince users that their computers had been infected with viruses or malware, urging them to contact a number to address the issue. In reality, the numbers connected the victims to call centers, where they were duped into paying hun

Source: The Hacker News

Read Original Source →