29a Labs hackstory.net/29A // Security Researcher @ ZDI

Joined December 2010
MrSandman retweeted
Malware everywhere, this time Arch Linux users were the target of malicious packages: "It was bad enough when finding out more than 400 AUR packages for Arch Linux users had been infected with malware but now that number has risen to around 900 a few hours ago and now in the end at more than 1,500 user-contributed packages."
MrSandman retweeted
🚨 CYBER INTELLIGENCE ALERT: 🇪🇸 [UNCONFIRMED / CRITICAL] SALE OF ACCESS TO PUBLIC ADMINISTRATION — SPAIN [STATUS: UNCONFIRMED L]

A recent post has been detected on underground forums by the threat actor calling himself "kr0x6," announcing the sale of exclusive access to the infrastructure of an entity belonging to the Spanish Public Administration.

Threat Actor: kr0x6
Target: Unspecified entity of the Spanish Public Administration

📂 Details of the Level of Compromise (Access and Exfiltrated Data)
The perpetrator claims to have deep control over the institution's systems, exposing critical vectors for financial and operational manipulation:
Infrastructure Access: Remote Code Execution (RCE) capability and compromised access to the webmail system.
Financial Systems: Direct access to the entity's internal payment and billing programs.
Data Exfiltration: Database dump consisting of 179 tables and 45.3 GB of compressed files, which include invoices and user/citizen records.
Cryptographic Compromise: Theft of the official electronic certificate used by the entity to sign invoices submitted to the Spanish Tax Agency.

⚠️ Security Considerations and Imminent Risk
Direct SEPA Fraud: The attacker explicitly states that, from the compromised payment program, it is possible to modify the bank details of employees or suppliers to divert funds via SEPA transfers. The attacker estimates that up to $91,000 USD can be diverted immediately.
Tax Institutional Impersonation: The theft of the official electronic certificate allows the purchaser of this access to impersonate the digital identity of the affected public administration. This facilitates the commission of large-scale tax fraud, the issuance of false invoices, or the alteration of tax records with complete technical and cryptographic legitimacy.

🛡️ Recommended Actions (Strategic and Defensive Levels)
Blocking and Auditing SEPA Transfers: Spanish public entities must immediately implement a two-factor authentication protocol (manual approval) for any recent changes to the destination bank accounts (IBANs) linked to employee payroll or supplier payments.
Preventive Certificate Revocation: Audit the use of electronic certificates (such as those issued by the FNMT) linked to invoicing with the Tax Agency. If anomalous signatures, access, or connections are detected, the compromised certificate must be revoked immediately.

VECERT TOOLS
Strategic Monitoring Tools & Intelligence Platform: 🌐 analyzer.vecert.io
Security Verification & Monitoring: 🛡️ monitor.vecert.io
#CyberSecurity 🔐 #Spain 🇪🇸 #InitialAccessBroker 🏴‍☠️ #SEPAFraud 💸 #DataBreach 📁 #ThreatIntelligence 📊 #VECERT 🏢
MrSandman retweeted
Nightmare Eclipse guy has returned (as is tradition) and has released another Microsoft Windows zero day (as is tradition). > releases zero day > spells rogue wrong in file > "rogeplanet" smh github.com/MSNightmare/Rogue…
MrSandman retweeted
Jun 9
Midnight Eclipse is back on GitHub
MrSandman retweeted
🚨 CYBER INTELLIGENCE ALERT: ⚠️ NEW THREAT ALERT — RAIDFORUMS RESURGENCE [STATUS: THREAT ACTIVITY / ILLICIT COMMUNITY EMERGENCE]

Activity has been identified on threat intelligence channels alerting to the resurgence of the RaidForums platform, now under the domain raidforums(.)wtf.
Identification: The site is being promoted under the premise of being "back under new management."
Purpose: It is described as a space that seeks to encourage the growth of a "serious community," which, historically in this context, refers to the sale of leaked databases, hacking tools, and cybercrime.
Evidence: The promotion of this domain has been detected through channels such as "Mossad Leaks."

⚠️ Security Considerations
High Risk: The reappearance of this brand is a critical point of concern for security operations, as RaidForums has historically been the epicenter of the mass distribution of exfiltrated data.
Recommended Action: SOC/CTI teams are advised to monitor this domain as a potential source of new security incidents and data breaches, given that sites of this type quickly attract high-profile malicious actors.
#CyberSecurity 🔐 #RaidForums #ThreatIntelligence 📊 #DataBreach 📁 #UndergroundMarket #VECERT 🏢 #UnderInvestigation ⚠️
MrSandman retweeted
🚨 New Linux exfiltration tool designed to bypass EDR

The malware abuses Linux io_uring to asynchronously access /etc/shadow and exfiltrate credential material over TCP with a minimal runtime footprint. Unlike traditional stealers that rely on conventional blocking I/O, it leverages kernel-managed submission and completion queues to perform stealthy file access. The sample appears optimized for rapid credential collection and exfiltration, with no significant persistence mechanisms observed. Because activity is offloaded through io_uring, it can significantly reduce visibility for monitoring solutions focused primarily on traditional syscall telemetry, making detection more challenging.

Mitigation: Organizations whose security tooling lacks visibility into io_uring activity should validate coverage and consider restricting or disabling io_uring on systems where the performance tradeoff is acceptable.

IOCs
ea586cf89af8057ab44053cae16ea496fdb0337f88404db9618d0e0308b8a9e6
87fde30bc260a22caefc58e431e805330b5c0503ff5550ba571634756115387d
MrSandman retweeted
Trend Micro Deep Security Agent Research: Forcing bmhook/tmhook Reloads to Open a Protection Bypass Window Full research: matheuzsecurity.github.io/ha… #rootkit #linux #edr #poc
MrSandman retweeted
> protect the kids > look inside > mass surveillance
🚨 Tech companies like Apple and Google have three months. Activate safeguards on smartphones and tablets to detect and block nude images for children or we will bring forward legislation to force you to do so.
Community note
China’s CCP used the exact same “protect children from porn” excuse in 2009 when it forced Green Dam Youth Escort onto every new PC, which also censored political content and monitored users. en.wikipedia.org/wiki/Green_Dam…
MrSandman retweeted
Jun 6
Meta is moving from one security failure to another. A few hours ago, a new logic bug dropped in the Web Reset flow, leaking sensitive account data before getting hit with an emergency hotfix. This is what happens when you fire the experts and rely on brain-dead AI to run core infrastructure. Meta’s security is an absolute circus. #cybersecurity #meta #instagram
MrSandman retweeted
‼️🚨 BREAKING: Sony PlayStation's age-verification partner Yoti is reporting GrapheneOS users to authorities for using GrapheneOS, due to "past security concerns."
MrSandman retweeted
github.com/crixpwn/CVE-2026-… It has been a month since the patch was released, so I am releasing this. enjoy it
MrSandman retweeted
FreeBSD 14.x kernel local privilege escalation via setcred(2) (@venglin) fatgid.io #infosec
MrSandman retweeted
Reconnaissance on Your Local Mobile Network Earlier we talked about the Chinese hackers breaking into our telecom systems. To defend yourself we have been advocating for a private 4G/5G low-cost base station, that you can set up yourself. And here is an article on how to do recon on your local mobile network with Falcon. This is only a glimpse of what's going to be covered soon in the upcoming training Build Your Own Mobile 4G Base Station (Jun 16-18) hackers-arise.com/mobile-net… @three_cube @_aircorridor #apt #telecom
MrSandman retweeted
The fix for Meta's AI bot vulnerability was apparently: - remove the feature from the UI ❌ - leave the API endpoint accessible ✅ I wish I was joking.
Jun 2
So instead of shutting down that API for good, they just removed it from the page? Are meta employees on drugs??? You can read more on t.me/feds
MrSandman retweeted
Jun 2
The Nightmare Eclipse effect is in full swing. Another researcher decides to release his 1-click GitHub token stealer publicly after his bad interaction with MSRC
MrSandman retweeted
Introducing HTTP/2 Bomb: a remote DoS in nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora. A single client pins 32GB of server memory in 10s. Found by Codex. Blog post: blog.calif.io/p/codex-discov… PoCs: github.com/califio/publicati…