The U.S. Department of Justice led Operation Offsides, an international crackdown that seized nearly 400 websites illegally streaming 2026 FIFA World Cup matches. The operation involved coordination with media companies including FIFA, NBC Universal, and Warner Brothers, and targeted piracy hubs in Peru, Bulgaria, Croatia, Romania, Poland, and Colombia. Beyond copyright violations, authorities warned that illegal streaming sites expose viewers to malware, phishing, and data theft. Separately, cybersecurity firms like Malwarebytes and Arctic Wolf documented dozens of fake streaming sites serving ad loops, redirects, and Windows stealers, while Darktrace reported that 84% of professional sports organizations experienced a cyber incident in the past year.
Nguồn: https://securityboulevard.com/2026/06/doj-seizes-almost-400-websites-illegally-streaming-world-cup-games. 8sync News chỉ tóm tắt và dẫn link; bản quyền nội dung thuộc tác giả và nguồn gốc.
Vào ngày 24/6/2026, tin tặc đã phát tán phiên bản độc hại của 20 package npm thuộc hệ sinh thái Leo Platform chỉ trong vòng chưa đầy 3 giây, sử dụng toolkit 'Phantom Gyp' tương tự chiến dịch Miasma trước đó. Phần mềm độc hại đánh cắp bí mật từ GitHub Actions, kho lưu trữ đa đám mây (AWS, GCP, Azure), registry package, HashiCorp Vault, Kubernetes và trình quản lý mật khẩu, sau đó exfiltrate qua token GitHub của nạn nhân để tránh bị phát hiện. Nó còn hoạt động như một worm trong chuỗi cung ứng, tự động phát tán phiên bản độc hại các package mà nạn nhân có quyền publish bằng cách vượt qua xác thực 2FA.
Lập trình viên nên đọc bài này để hiểu cách một cuộc tấn công supply chain mới sử dụng các kỹ thuật phức tạp—như obfuscation và evasion Bun—để tránh phát hiện và khai thác quyền truy cập vào các hệ thống quan trọng từ các gói npm phổ biến, từ đó cảnh báo về rủi ro khi sử dụng các thư viện công cộng mà không kiểm tra nguồn gốc và bảo mật.
Các nhà nghiên cứu của Mozilla 0DIN phát hiện ra cách tấn công tinh vi khiến các AI coding agent như Claude Code vô tình chạy malware từ kho GitHub sạch. Kẻ tấn công sử dụng ba thành phần hợp pháp: kho chứa tiêu chuẩn, gói Python gây lỗi và hướng dẫn chạy lệnh init, cùng script init tải payload từ record DNS TXT do kẻ tấn công kiểm soát. AI agent tự động sửa lỗi sẽ vô tình kích hoạt toàn bộ chuỗi tấn công, tạo ra reverse shell với quyền của nhà phát triển.
Lập trình viên nên đọc bài này để hiểu cách các công cụ AI tự động hóa có thể bị lừa bằng các kỹ thuật social engineering nhẹ nhàng trong mã nguồn, từ đó bảo vệ dự án của mình khỏi các cuộc tấn công không trực tiếp mà vẫn có thể gây thiệt hại nghiêm trọng.
Troy Hunt and Scott Helme have launched 'Why no Passkeys?', a site inspired by their 8-year-old 'Why no HTTPS?' project that publicly tracked websites failing to implement HTTPS. The new site aims to similarly shame companies that haven't adopted passkeys, encouraging community pressure by country. Scott built the project largely solo using Claude Code, following Troy's original intent after a phishing incident prompted him to register the domain.
Cyble Research and Intelligence Labs has identified a new Android malware family called Glitch SPY, distributed via a fake Polish apartment rental website that tricks users into sideloading an APK. The dropper is the known Brokewell Android Loader, which installs the Glitch SPY payload. Once installed, the RAT abuses Android Accessibility Service to auto-grant permissions and supports over 70 C&C commands covering live screen streaming, keylogging, SMS/contact/call log theft, camera and microphone surveillance, file management, shell execution, and remote browser control. A crypto-clipper module silently replaces copied cryptocurrency wallet addresses (ETH, TRON, Bitcoin) with attacker-controlled ones. A hidden remote browser runs on the victim's device using their IP and cookies, enabling stealthy web-based account takeover. The Builder module allows operators to generate customized payloads with configurable names, icons, and decoy URLs, indicating a reusable multi-campaign platform still under active development.
Kaspersky researchers detail Umbrij, a new .NET malware tool used by the ToddyCat APT group to steal OAuth tokens from corporate Gmail accounts. The tool uses DLL sideloading via legitimate binaries (Bitdefender, Visual Studio, Google Desktop) to execute, then launches Chromium-based browsers in headless mode with remote debugging enabled. It connects via the DevTools protocol using Puppeteer Sharp, navigates to a Google OAuth authorization page using the client ID of legitimate Google Workspace tools (GWMMO/GWSMO), and automates clicks to grant permissions — capturing the resulting OAuth authorization code. The technique, dubbed Shadow Token via Remote Debug (STRD), exploits existing authenticated browser sessions to silently obtain API access tokens without triggering EPP/EDR alerts. Detection guidance includes monitoring for DLL loads from vulnerable apps, browser launches with remote debugging flags, and auditing third-party Google account permissions. Mitigation includes disabling browser developer tools via Group Policy and revoking unauthorized OAuth grants.
China-linked threat actor Mustang Panda has been running two concurrent espionage campaigns targeting Indian government entities and the hydropower sector. The campaigns deploy new malware implants — SHARDLOADER, MINIRECON, and ZOHOMURK — with ZOHOMURK abusing Zoho WorkDrive as a command-and-control channel to blend malicious traffic with legitimate cloud activity. Attack chains use hydropower- and government-themed lure documents delivered via compressed archives, leveraging DLL side-loading. Attribution is high-confidence based on code overlaps with prior Mustang Panda tooling. CISOs are advised to monitor cloud service traffic for anomalies, hunt for DLL side-loading behavior, and model threats around geopolitical and infrastructure-themed lures.
The U.S. Department of State is offering up to $10 million through its Rewards for Justice program for information on two Russian-linked hacking groups, UNC5792 and UNC4221, targeting Signal and WhatsApp users. These groups conduct phishing campaigns impersonating Signal support agents to steal backup recovery keys, compromising thousands of accounts belonging to U.S./NATO officials, military personnel, journalists, and NGOs. The encryption itself has not been broken — attackers exploit human factors instead. CISOs are advised to train users never to share recovery keys, apply stronger protections for high-risk staff, and review encrypted messaging policies for sensitive workflows.
The UNC1151 (Ghostwriter) threat group ran a targeted phishing campaign against Belarusian pro-democracy politician Yury Hubarevich using a fake Google account-security warning in Russian. The attack chain used a compromised Ukrainian site to redirect victims to a fake Gmail login page that employed a real-time WebSocket connection to capture credentials and MFA codes, effectively bypassing SMS-based and OTP multi-factor authentication. Researchers at Censys traced the campaign through certificate artifacts and infrastructure pivoting to a broader phishing network targeting users in Belarus and Ukraine, including users of regional portals. Key takeaways for security teams include prioritizing phishing-resistant MFA (hardware keys/passkeys) for high-risk users, training users to verify account warnings via official channels rather than email links, and monitoring certificate reuse and domain naming patterns to uncover related phishing infrastructure.