Kaspersky has identified a new cyberattack campaign called StrikeShark that uses a previously undocumented malware loader, SharkLoader, to deploy Cobalt Strike Beacon on compromised systems. Targets include government and diplomatic organizations across Asia, the Middle East, and Latin America, as well as software development companies globally. Attackers gained initial access by exploiting known vulnerabilities in Microsoft Exchange, Openfire, GeoServer, and other public-facing applications using publicly available proof-of-concept exploits. Post-compromise activity includes DLL side-loading, web shell deployment, in-memory Beacon execution, Active Directory enumeration, and credential theft targeting LSASS and NTDS. The campaign is attributed with moderate confidence to a Chinese-speaking threat actor. No confirmed data exfiltration has been observed, but the targeting pattern suggests cyber espionage objectives. CISOs are advised to patch exposed systems, hunt for SharkLoader and Cobalt Strike behavioral indicators, and review identity exposure after any suspected compromise.
Source: https://securityboulevard.com/2026/06/new-sharkloader-malware-deploys-cobalt-strike-in-strikeshark-cyberattacks. 8sync News only summarizes and links; copyright of the content belongs to the author and the original source.
Mozilla 0DIN researchers discovered a sophisticated attack that tricks AI coding agents such as Claude Code into unknowingly running malware from a clean-looking GitHub repository. The attacker uses three legitimate components: a standard repository, a Python package that triggers an error, and instructions to run an init command, together with an init script that fetches its payload from an attacker-controlled DNS TXT record. An AI agent that automatically fixes the error unintentionally triggers the entire attack chain, producing a reverse shell with the developer's privileges.
Developers should read this article to understand how automated AI tools can be fooled by subtle social-engineering techniques in source code, and so protect their projects from indirect attacks that can still cause serious damage.
On 24 June 2026, attackers published malicious versions of 20 npm packages in the Leo Platform ecosystem in under 3 seconds, using the 'Phantom Gyp' toolkit, which resembles the earlier Miasma campaign. The malware steals secrets from GitHub Actions, multi-cloud storage (AWS, GCP, Azure), package registries, HashiCorp Vault, Kubernetes, and password managers, then exfiltrates them through the victim's own GitHub token to avoid detection. It also acts as a supply-chain worm, automatically publishing malicious versions of any package the victim has publish rights to by bypassing 2FA.
Developers should read this article to understand how a new supply-chain attack uses complex techniques, such as obfuscation and Bun-based evasion, to avoid detection and exploit access to critical systems from popular npm packages, and as a warning about the risk of using public libraries without checking their provenance and security.
Kaspersky researchers have uncovered a previously undocumented malware campaign called StrikeShark, which uses a custom loader named SharkLoader to deploy Cobalt Strike Beacon on compromised systems. Initial access is gained through exploitation of vulnerabilities in internet-facing applications (Microsoft Exchange ProxyLogon, Openfire, GeoServer, Fortinet, Cisco, and others) as well as dropper executables disguised as legitimate software like Google Update and Cisco AnyConnect. SharkLoader employs DLL sideloading via a legitimate Windows binary (SystemSettings.exe), uses 'Perfect DLL Hijacking' to bypass the Windows loader lock, and deploys multiple API hooks via Microsoft Detours and MinHook to evade memory scanning. The Cobalt Strike Beacon is encrypted with Blowfish and AES, reflectively loaded in memory, and executed in a suspended thread. Post-compromise activity includes Active Directory enumeration, credential dumping from LSASS and NTDS, and use of open-source tools (FScan, Searchall, Pillager) associated with Chinese-speaking developers. Victims span government entities, diplomatic organizations, and software development companies across Indonesia, Taiwan, Lebanon, Syria, Hong Kong, Colombia, and more. Attribution remains preliminary with low confidence pointing to a Chinese-speaking threat actor.

Women in CyberSecurity (WiCyS) has launched the Just Hacking Program, a technical training initiative targeting practical cybersecurity skills gaps identified through workforce research. The program launches with three courses: AI-assisted cyber defense operations (using Anthropic's Claude for blue team work, starting July 6), script-based malware analysis (late August), and web application penetration testing covering OWASP Top 10 (October). Curriculum was shaped by a Skillrex assessment of WiCyS members across 60 competencies. Research also found WiCyS members have a 32% lower attrition rate than Fortune 500 benchmarks, and that high-impact training practices could save over $125,000 per employee through faster hiring and longer retention. Courses are open to WiCyS members in good standing and require roughly 5–7 hours per week.
Multiple npm packages maintained by Immobiliare Labs — four Backstage plugins for GitLab integration and LDAP authentication — were found carrying a malicious payload on June 26, 2026. Compromised patch versions were published simultaneously across all supported release series within a 30-second window. The attack uses a binding.gyp node-gyp hook to execute a 5 MB obfuscated index.js at install time, bypassing tools that only monitor postinstall scripts. The payload employs three obfuscation layers (ROT-2 cipher, AES-128-GCM, obfuscator.io) and downloads the Bun runtime to evade Node.js security monitoring hooks. It harvests credentials from GitHub Actions, AWS, GCP, Azure, Kubernetes, HashiCorp Vault, package registries, password managers, and SSH keys. A function called infectHost attempts persistence by injecting into AI coding assistant configs including Claude Code, Cursor, GitHub Copilot, VS Code, and Aider. The payload also contains supply chain worm capabilities to republish modified packages using stolen registry tokens.
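A defensive check for the install-time mechanism described above, added here as an example (not code from the article or from the affected packages): it lists npm lifecycle scripts and, because GYP files use Python literal syntax, parses binding.gyp to surface build actions that launch an interpreter, the path a postinstall-only monitor misses. The sample package.json and binding.gyp are constructed.

```python
import ast
import json
import re
# Constructed sample files modelled on the hook described above, not taken from the affected packages.
SAMPLE_PACKAGE_JSON = json.dumps(
    {"name": "example-plugin", "gypfile": True, "scripts": {"install": "node-gyp rebuild"}}
)
SAMPLE_BINDING_GYP = """
{
  'targets': [{
    'target_name': 'noop',
    'type': 'none',
    'actions': [{
      'action_name': 'stage',
      'inputs': [],
      'outputs': ['build/stage.stamp'],
      'action': ['node', 'index.js'],  # runs arbitrary JS during node-gyp rebuild
    }],
  }],
}
"""
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
INTERPRETERS = {"node", "bun", "sh", "bash", "python", "python3", "curl", "wget"}

def parse_gyp(text):
    """GYP files are Python literal syntax with '#' comments: strip comments, then literal_eval."""
    cleaned = "\n".join(re.sub(r"#.*$", "", line) for line in text.splitlines())
    return ast.literal_eval(cleaned.strip())

def gyp_interpreter_actions(gyp):
    """Return (target_name, command) for every build action whose program is an interpreter."""
    hits = []
    for target in gyp.get("targets", []):
        for action in target.get("actions", []):
            cmd = action.get("action", [])
            if cmd and cmd[0].rsplit("/", 1)[-1] in INTERPRETERS:
                hits.append((target.get("target_name"), cmd))
    return hits

def audit_package(package_json, binding_gyp=None):
    """List install-time code paths: lifecycle scripts plus GYP actions that would run during the build."""
    pkg = json.loads(package_json)
    scripts = pkg.get("scripts", {})
    findings = [f"lifecycle script {h}: {scripts[h]}" for h in sorted(LIFECYCLE_HOOKS & set(scripts))]
    # npm falls back to `node-gyp rebuild` when binding.gyp ships and no install script is defined,
    # so the GYP actions run even when the scripts block looks clean.
    if binding_gyp:
        for name, cmd in gyp_interpreter_actions(parse_gyp(binding_gyp)):
            findings.append(f"binding.gyp action in target {name!r}: {' '.join(cmd)}")
    return findings
```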
The Gaslight macOS malware, attributed to a North Korean-linked threat cluster, is a Rust-based backdoor notable for embedding 38 fabricated prompt injection messages designed to confuse LLM-assisted malware triage tools. While it hasn't successfully bypassed any production AI analysis platform yet, it represents a deliberate iteration on earlier single-injection prototypes — signaling that adversaries are actively developing techniques to exploit AI-assisted security workflows. The attack targets the output stage of analysis pipelines rather than sandboxes, pushing LLM agents to abort sessions before flagging malicious behavior. Defenders are advised to treat malware content as adversarial input, sanitize raw strings before they reach model context, and maintain human review at the output stage. Specific IOCs including a LaunchAgent label, Telegram C2 traffic patterns, and SHA-256 hashes are provided.
The U.S. Justice Department seized nearly 400 web domains used to illegally stream 2026 FIFA World Cup matches, as part of Operation Offsides — a coordinated global effort involving international law enforcement and private sector partners including FIFA, NBCUniversal, and Warner Bros. Authorities targeted servers and domains across multiple countries including Peru, Bulgaria, Croatia, Romania, Poland, and Colombia. Officials also warned that illegal streaming sites expose viewers to malware and data theft risks. The action follows a related shutdown of 44 domains tied to the PirloTV sports piracy network, which generated over 950 million visits annually.
Kaspersky researchers provide a detailed technical analysis of The Gentlemen, a rapidly growing ransomware-as-a-service (RaaS) group that ranked among the top 10 ransomware actors in the first half of 2026. The group uses a Go-based ransomware with a custom obfuscator, a Go-based backdoor using Yamux for C2 communication, and a newly discovered C-based ransomware variant still in development. Their TTPs include exploiting internet-facing VPNs and firewalls, BYOVD attacks using multiple vulnerable drivers to kill EDR/AV products, lateral movement via GPO deployment and PsExec, network sniffing with netsh, and Active Directory reconnaissance with SharpADWS. The Go ransomware uses Curve25519 + XChaCha20 encryption while the new C variant uses AES256-GCM + RSA via OpenSSL. Targets span manufacturing, IT, healthcare, finance, and logistics across Brazil, China, Indonesia, Taiwan, and Thailand. Full IOCs including hashes, C2 IPs, and vulnerable driver hashes are provided.