Active Netlogon RCE, npm Codex tokens, Chrome autofill bypass
Researchers at Aikido Security revealed that the popular npm package codexui-android, a remote UI for OpenAI Codex, silently reads developers' auth.json files and sends the OAuth token bundle to a malicious server. The covert exfiltration, present only in the published package, has affected thousands of users and enables indefinite token reuse.
The Centre for Cybersecurity Belgium (CCB) warns that CVE‑2026‑41089, a critical Remote Code Execution bug in Windows Netlogon, is now being actively exploited. The unauthenticated flaw lets attackers send crafted network packets to domain controllers and gain SYSTEM‑level code execution. Patches are available for all Windows Server versions from 2012 onward.
A new technique shows that attackers can steal saved passwords via HTML injection even when a site enforces a strict Content Security Policy that blocks JavaScript. By injecting a fake form, Chrome’s password autofill fills it, and the attacker exfiltrates the credentials using the Referer header, requiring only a single click.
Research by Quarkslab shows that unauthenticated access to GPON Optical Line Terminals (OLTs) can let attackers hijack ISP networks. By exploiting exposed OLT interfaces, an attacker can pivot to the cloud‑based fleet manager and compromise the entire infrastructure. The findings highlight a critical security gap in telecom equipment used for FTTH services.
Researcher Asim Manizada disclosed CIFSwitch, a logic flaw in the Linux kernel’s CIFS client that lets an unprivileged process forge a cifs.spnego key request. The bug, present since 2007, triggers a privileged upcall and grants root on a range of distributions. A patch and mitigations are now available.
A security researcher reproduced the 2023 jabber.ru lawful TLS interception by chaining the acme.sh command‑injection vulnerability (CVE‑2023‑38198) with compromised network routing. The proof‑of‑concept shows how an unpatched acme.sh server can enable a covert man‑in‑the‑middle, exposing risks in state‑mandated wiretaps.
Sekoia’s Threat Detection & Research team maps Gamaredon’s GammaPhish and GammaWorm toolkit, showing how the Russian‑linked group hides malicious code in legitimate Windows features and trusted services like Telegram and Cloudflare. The analysis reveals a multi‑stage, USB‑spreading infection chain designed for long‑term espionage against Ukrainian government and infrastructure.
Researchers at GoDaddy uncovered a campaign that infected about 2,000 WordPress sites, using hidden Unicode characters in Steam Community profile comments to embed command‑and‑control data. The encoded payload fetches malicious JavaScript from a stealthy domain and opens a backdoor that executes PHP code via specially crafted POST requests.
On June 1, 2026, 96 versions of 32 @redhat-cloud-services npm packages were compromised via a trusted-publishing bypass, embedding the Mini Shai-Hulud-derived “Miasma” worm that steals CI/CD credentials. The attack, linked to the open-source TeamPCP toolkit, has prompted urgent rotation of cloud, SSH and npm secrets for affected users.
Researchers discovered that attackers used instructions posted on Telegram to fool Meta’s AI‑powered support assistant into resetting passwords, allowing them to take over Instagram accounts belonging to the Obama White House and the Chief Master Sergeant of the U.S. Space Force. The compromised accounts were defaced with pro‑Iranian imagery, highlighting risks in automated support systems.
Dutch authorities seized over 200 servers and took offline a botnet of more than 17 million compromised computers, tablets and smartphones. The network was operated via the ASOCKS residential proxy service and was used for cyber‑attacks, demonstrating the scale of botnet abuse.
The ShinyHunters extortion group released data on roughly 5 million Charter Communications customers after the telecom refused to pay a ransom. The leak includes email addresses, names, phone numbers, and physical addresses, but the company says no sensitive personal or network information was taken. Charter has activated its security response and is cooperating with authorities.
Spanish National Police arrested a person responsible for mass doxing of employees from INCIBE, the National Police, Civil Guard, and other state bodies, citing national security risks. The operation, ordered by Madrid Investigative Court No. 22, seized computers and devices from the suspect’s home and may lead to further arrests.
Praetorian’s research shows that large language models can be used to automatically generate variants of offensive tools that avoid known EDR signatures, effectively reducing detection footprints. By prompting LLMs to rewrite code and strip identifiable strings, adversaries can evade traditional signature‑based defenses with minimal manual effort.
Subscribe free