LodeHQSubscribe →

ModHeader spy, RabbitMQ OAuth flaw, VPN sanctions

Infosec · 2026-07-13

Vulnerabilities & Exploits
Unauthenticated RabbitMQ OAuth leak lets attackers hijack the broker2 MIN

RabbitMQ’s management endpoint exposed the OAuth client secret to anyone without authentication (CVE-2026-5721, CVSS 8.7). An attacker who grabs the secret can impersonate the broker to an identity provider and seize admin control over queues, messages, and users. Patching to v4.3.0 or later and locking down the management UI mitigates the risk.

Threats & Malware
Scans Target AI Model Context Protocol Servers with Valid Handshakes7 MIN

Internet-wide scans are now probing Model Context Protocol (MCP) servers and AI assistant config files. Researchers observed 200+ AI‑focused requests from 49 distinct IPs, each sending a valid MCP handshake, indicating attackers are mapping exposed LLM endpoints before trying to hijack them.

Misconfigured Python Server Exposes Three Active Evilginx Phishing Campaigns Targeting Microsoft 36533 MIN

French researchers uncovered a publicly exposed Python HTTP server that revealed the full toolset of three separate Evilginx‑based phishing operators targeting Microsoft 365 users. The dump included configs, logs, RMM installers and Telegram sessions, showing how each actor bypasses MFA with custom AiTM setups. The find highlights the danger of simple misconfigurations exposing entire attack infrastructures.

Former ransomware negotiator gets 70‑month sentence for double‑crossing victims2 MIN

Angelo Martino, who billed companies as a ransomware negotiator, secretly passed their insurance limits and negotiation strategies to the BlackCat gang, inflating ransom demands. He was convicted of conspiracy to extort and sentenced to 70 months in federal prison, sending a warning that insiders who aid ransomware will face stiff penalties.

US Treasury sanctions VPN provider powering ransomware operations6 MIN

The U.S. Treasury has sanctioned First VPN Service (1VPNS) and its Ukrainian administrator for providing ransomware groups with anonymizing infrastructure. It also targeted a Belarusian seller of “cryptors,” tools that hide malware. The action severs a critical supply‑chain node and signals an aggressive U.S. stance against cyber‑crime enablers.

Google, Microsoft yank ModHeader after hidden spy module found17 MIN

Researchers uncovered a dormant spying module in the official ModHeader extension that harvested visited domains, encrypted them, and posted to an external server. Google and Microsoft removed the 1.6 million‑install tool from Chrome and Edge stores, warning users to uninstall immediately.

CrashStealer uses notarized Mac dropper to slip past Gatekeeper and steal credentials19 MIN

CrashStealer is a native C++ macOS infostealer masquerading as Apple’s crash‑reporting framework. It arrives in a signed, notarized DMG called “Werkbit Setup,” which clears Gatekeeper and then installs the payload that harvests browsers, crypto wallets, password managers and the keychain, encrypting the loot with AES‑GCM before exfiltration. This shows attackers can exploit Apple’s notarization to bypass macOS defenses.

Iran‑linked Cavern Manticore Deploys Modular .NET C2 via SysAid Update Abuse30 MIN

Check Point Research uncovered a new .NET‑based command‑and‑control framework used by the Iran‑MOIS‑backed group Cavern Manticore. The actors hijack SysAid’s legitimate software‑update feature to sideload a malicious DLL, then load additional native and managed modules for reconnaissance, data exfiltration, and lateral movement. The modular design lets operators tailor payloads per victim and hampers analysis.

Breaches & Industry News
Progress forces on-prem ShareFile servers offline amid undisclosed threat2 MIN

Progress Software ordered all on‑prem ShareFile Storage Zone Controller servers shut down, citing a credible external security threat despite finding no evidence of breach. Administrators must power off the Windows hosts immediately, preserving logs for a later investigation. The move underscores the heightened risk to self‑hosted file‑sharing platforms after the 2023 MOVEit fallout.

Privacy, Policy & Governance
NSA restores TAO name, signaling a shift back to aggressive cyber ops3 MIN

The agency has renamed its Office of Computer Network Operations to Tailored Access Operations, undoing the 2016 NSA21 split. Under Deputy Director Tim Kosiba, the move reunites developers and operators to speed up exploit development ahead of rising AI-driven threats.

UK and EU Sanction Russia’s FSB Centre 16 Over Failed Poland Grid Attack4 MIN

The UK and EU jointly announced their first coordinated cyber‑sanctions, naming Russia’s FSB Centre 16 as the culprit behind the December 2025 attack that threatened to plunge half a million Poles into darkness. The package bars 24 individuals and groups, signalling a new escalation in Western response to state‑sponsored hacking.

Research & Tools
One‑email MemGhost Attack Poisones AI Assistants’ Persistent Memory2 MIN

Researchers show that a single crafted email can force a persistent AI assistant to silently store false information, altering its future replies and actions. Their MemGhost tool automates the payload, achieving up to 87% success on popular agents, exposing a new vector for long‑term compromise of personal AI agents.

Tempolocus maps timestamps to likely attacker locations for faster attribution6 MIN

Tempolocus lets analysts turn raw timestamps, like PE TimeDateStamp values, into probabilistic location guesses by profiling weekly or yearly activity patterns. By ranking timezone offsets and holiday calendars, it highlights likely countries, giving threat intel teams a cheap, data‑driven clue for attribution.

Get Infosec in your inbox, every issue.
Subscribe free
Privacy · Terms · About · Contact
© 2026 LodeHQ