CISA Warns of Active Attacks Exploiting Android, Linux Bugs
Article Link: https://www.bleepingcomputer.com/news/security/cisa-warns-of-active-attacks-exploiting-android-linux-bugs/
- CISA has added two vulnerabilities affecting Android devices and Linux systems to its Known Exploited Vulnerabilities (KEV) catalog, confirming that attackers are actively using them in real-world attacks.
- One vulnerability is an integer overflow flaw in Android versions 14 through 16 that can be used to escalate privileges without user interaction. The second impacts Linux and would enable attackers to bypass namespace isolation and gain root access on host systems.
- Successful exploitation could grant elevated privileges, enable container breakout attacks, and provide attackers with deeper control over affected Android devices and Linux systems, potentially leading to broader compromise of enterprise infrastructure.
- Organizations using Android devices or Linux-based servers should conduct threat hunting exercises to identify indicators of compromise on systems running affected versions.
Google DoubleClick Abused in New Malspam Campaign to Deliver DesckVB RAT
Article Link: https://thehackernews.com/2026/06/google-doubleclick-abused-in-new.html
- Researchers at Huntress have uncovered a phishing campaign that abuses Google’s DoubleClick advertising infrastructure to make malicious emails and links appear more trustworthy. These links are then used to deliver the DesckVB remote access trojan (RAT).
- Victims are tricked into opening an email attachment that redirects through legitimate Google-owned domains before landing on a personalized phishing page. The attack then delivers malware through a multi-stage download process designed to evade detection.
- The phishing kit customizes lures using the recipient’s email address, company branding, and location data, allowing attackers to scale campaigns without creating organization-specific phishing pages.
- Once installed, DesckVB RAT can give attackers remote control of infected systems, enabling data theft, command execution, deployment of additional malware, and long-term persistence while avoiding security monitoring.
- Strengthen email security controls, deploy SPF, DKIM, and DMARC protections, sandbox suspicious attachments and links, and consider restricting script-based file execution to reduce the risk of malware delivery.
VS Code Vulnerability Allows One-Click GitHub Token Theft
Article Link: https://www.securityweek.com/vs-code-vulnerability-allows-one-click-github-token-theft/
- A security researcher disclosed a critical zero-day vulnerability in Visual Studio Code that could allow attackers to steal users’ GitHub authentication tokens through a malicious Jupyter notebook.
- The attack targets the browser-based github.dev environment. A specially crafted notebook can simulate user keystrokes, install a malicious extension, and extract the victim’s GitHub access token after the notebook is opened.
- The attack requires minimal user interaction (just opening a malicious link) and abuses trusted development workflows involving notebooks, extensions, and GitHub-integrated tooling.
- A stolen GitHub token could grant attackers write access to repositories accessible by the victim, including private and organizational repositories. This creates risks of source code theft, repository tampering, and supply-chain compromise.
- Microsoft released a fix for the github.dev attack path shortly after public disclosure. However, the researcher claims a related attack scenario affecting the desktop version of VS Code may remain unpatched and could potentially enable remote code execution with additional user interaction.
Phishing Campaigns Evolve as Cybercriminals Turn to Infostealer Malware
Article Link: https://cyberpress.org/phishing-campaigns-deploy-infostealers/
- Cybercriminals are increasingly shifting from traditional credential-phishing websites to deploying infostealer malware, which silently extracts passwords, session cookies, browser data, and cryptocurrency wallet information directly from infected devices.
- The widespread adoption of MFA has made password theft less effective. Infostealers can steal active session cookies, allowing attackers to hijack authenticated sessions and potentially bypass MFA protections.
- Common infection vectors targeting organizations include employee-focused phishing, malvertising on trusted platforms, and fake software updates that mimic legitimate vendors. Attackers also exploit deceptive error pages and distribute malware via unauthorized or pirated software.
- Stolen credentials and session tokens are often sold through the cybercrime ecosystem, enabling account takeover, business email compromise, financial fraud, data theft, and ransomware attacks. A single infected device can provide access to multiple corporate and personal accounts.
- Additional information: https://www.malwarebytes.com/blog/threat-intel/2026/06/infostealers-are-becoming-the-go-to-phishing-payload
Stock Exchange Executive’s Outlook Account Targeted in Credential Theft Attack
Article Link: https://cyberpress.org/executive-outlook-credentials-targeted/
- Threat actors conducted a targeted five-month espionage campaign against a senior executive at a major global stock exchange, focusing exclusively on compromising and monitoring the executive’s Microsoft Outlook mailbox rather than moving laterally across the corporate environment.
- After gaining privileged access to the executive’s device, the attackers established persistence using disguised system services and scheduled tasks. They then deployed a custom email-stealing tool to continuously extract Outlook mailbox data from the locally cached mailbox.
- The attackers were able to avoid detection by exfiltrating small batches of data, rotating filenames, and using trusted cloud services such as Dropbox and OneDrive. They also used hard-coded Microsoft IP addresses to bypass DNS-based security controls.
- The compromise provided long-term access to sensitive executive communications, including strategic discussions, negotiations, market-moving information, and calendar data, enabling attackers to build a detailed picture of the organization’s operations and future plans.
- Most security coverage focuses on ransomware and operational disruption, where attackers shut systems down or encrypt data. This campaign shows a quieter but equally serious risk: long-term email espionage that can expose sensitive executive communications and strategic decisions without any visible business interruption.
High-Profile Instagram AI Chatbot Breach Spotlights Security Risks of Automation
Article Link: https://www.reuters.com/legal/government/high-profile-meta-ai-chatbot-breach-spotlights-security-risks-automation-2026-06-03/
- Attackers exploited Meta’s AI-powered Instagram support chatbot to gain unauthorized access to multiple high-profile accounts, including a dormant Obama White House page, Sephora, and a U.S. Space Force official account.
- The chatbot was manipulated via prompt injection-style techniques into resetting account credentials without proper identity verification, effectively abusing its high-trust account recovery privileges.
- The incident highlights the risk in delegating sensitive security functions (like account recovery) to AI systems that can be socially engineered or manipulated, especially when guardrails and verification controls are insufficient.
- Victims were locked out of accounts, requiring manual recovery, while the breach raised broader concerns about AI-driven authentication flows, leading to reputational damage, user trust concerns, and investor scrutiny of Meta’s AI strategy.
- Security experts warn that this is not isolated to Meta; similar agent manipulation attacks are expected to increase as AI systems gain more autonomy over sensitive actions across platforms.
Attackers Are Exploiting Palo Alto Networks Defect That Initially Flew Under the Radar
Article Link: https://cyberscoop.com/palo-alto-networks-cve-2026-0257-exploited-vulnerability/
- An actively exploited authentication-bypass vulnerability in Palo Alto Networks firewalls is being used in the wild to gain unauthorized VPN access to affected systems.
- The flaw allows remote attackers to forge authentication cookies using publicly exposed certificate-related data in certain configurations, enabling access via a simple HTTP request without valid credentials.
- Even though it was initially rated medium severity, the flaw affects edge devices that secure network perimeters, making it a prime target for attackers seeking initial enterprise access.
- Exploitation has been observed in multiple waves, with victims emerging quickly after disclosure. Even limited successful attacks can provide attackers with VPN-level access and a foothold inside corporate networks.
- Security researchers and government agencies, including CISA, have confirmed active exploitation and are urging immediate patching or mitigation, as attackers continue to opportunistically target unpatched systems.
