Microsoft Patches Two Zero-Days Amid Wave of Breaches and State-Sponsored Cyberespionage Campaigns

Ericsson Reports Supply Chain Data Breach Affecting 15,000 Individuals in US Operations

Telecommunications giant Ericsson has reported a data breach impacting approximately 15,000 individuals associated with its US operations. The incident was not a direct breach of Ericsson's systems but originated from a compromise at an unnamed third-party service provider. The breach occurred in April 2025, but the investigation only concluded in February 2026. An unauthorized party gained access to files containing sensitive personal information, including names, addresses, Social Security numbers, driver's license numbers, and financial data, highlighting the significant risks posed by supply chain security vulnerabilities.

Data BreachSupply Chain AttackThird-Party RiskPIITelecommunications

4 min read

Data Breach

Supply Chain Attack

APT28 Hits Ukrainian Military with Custom 'BeardShell' Malware in Two-Year Espionage Campaign

CRITICAL

Russian GRU Hackers (APT28) Target Ukrainian Military with Advanced Custom Implants in Long-Running Cyberespionage Operation

The Russian state-sponsored threat group APT28, also known as Fancy Bear, has been conducting a persistent cyberespionage campaign against the Ukrainian military for nearly two years. Research from ESET reveals the group, attributed to Russia's GRU, has been using a sophisticated toolkit of custom malware since at least April 2024. The campaign employs paired implants, including a backdoor named 'BeardShell' and a heavily modified version of the open-source C2 framework 'Covenant'. The operation also deployed the 'SlimAgent' keylogger, demonstrating the group's continued investment in developing advanced tools for strategic intelligence gathering.

APT28Fancy BearGRUCyberespionageUkraine +3 more

APT28 Hits Ukrainian Military with Custom 'BeardShell' Malware in Two-Year Espionage Campaign

Cyberattack

Malware

State-Aligned Hackers from China, Iran, Belarus Escalate Espionage in Middle East

Heightened Middle East Conflict Drives Surge in Cyber-Espionage from Multiple State-Aligned Threat Actors

A new report from Proofpoint reveals a significant uptick in cyber-espionage campaigns targeting government and diplomatic entities in the Middle East. Threat actors with suspected alignments to China (UNK_InnerAmbush), Iran (TA402, TA453), Belarus (TA473), and Hamas are opportunistically using a regional conflict as lure content for strategic intelligence collection. These campaigns often use compromised government email accounts, such as one from Iraq's Ministry of Foreign Affairs, to send highly credible phishing emails, demonstrating a complex and multi-faceted cyber-threat landscape in the region.

CyberespionageState-SponsoredAPTMiddle EastProofpoint +1 more

State-Aligned Hackers from China, Iran, Belarus Escalate Espionage in Middle East

Cyberattack

Phishing

First-Ever 'Wormable' Malware in npm History Detailed in Analysis of 2025 Supply Chain Attacks

CRITICAL

Analysis of 2025 npm Supply Chain Attacks Reveals 'Shai-Hulud' Worm and Compromise of 'Chalk', 'Debug' Packages

A detailed analysis of major JavaScript supply chain attacks from late 2025 reveals a significant escalation in threat actor sophistication. The campaigns included the compromise of massively popular npm packages like 'Chalk' and 'Debug,' which collectively see two billion weekly downloads, with payloads designed to steal cryptocurrency. Another campaign featured the 'Shai-Hulud' worm, described as the first wormable malware in npm's history. This malware executed during the `npm install` process, stealing developer credentials like npm tokens, GitHub PATs, and AWS keys, and then publishing them to a public repository, highlighting a severe threat to the software development lifecycle.

Supply Chain AttacknpmJavaScriptMalwareWorm +1 more

Supply Chain Attack

Malware

Threat Intelligence

Critical Nginx UI Flaw (CVE-2026-27944) Allows Unauthenticated Backup Theft and Decryption

CRITICAL

Critical Information Disclosure Vulnerability in Nginx UI (CVE-2026-27944) Exposes System Backups

A critical information disclosure vulnerability, CVE-2026-27944, has been discovered in Nginx UI, a popular web interface for managing Nginx servers. The flaw, which has a CVSS score of 9.8, allows a remote, unauthenticated attacker to download a full system backup. Compounding the issue, the API endpoint also discloses the encryption key in a response header, allowing for immediate decryption of the stolen backup. The backup can contain highly sensitive data, including user credentials, session tokens, and SSL private keys. Users are urged to update to the patched version, Nginx UI 2.3.3, immediately.

VulnerabilityCriticalNginxInformation DisclosureCVE

4 min read

Critical Nginx UI Flaw (CVE-2026-27944) Allows Unauthenticated Backup Theft and Decryption

Vulnerability

Patch Management

Canadian Retail Giant Loblaw Investigates Data Breach Exposing Customer Info

MEDIUM

Loblaw Notifies Customers of Data Breach Affecting Names, Phone Numbers, and Email Addresses

Loblaw Companies Limited, Canada's largest food and pharmacy retailer, has announced it is investigating a data breach after detecting suspicious activity on its network. The company stated that an unauthorized third party accessed a non-critical segment of its network and exfiltrated basic customer information, including names, phone numbers, and email addresses. Loblaw has assured customers that more sensitive data such as passwords, financial information, and health data were not compromised. As a precaution, the company has logged all customers out of their accounts, requiring them to sign back in.

Data BreachRetailCanadaPII

3 min read

Data Breach

Regulatory

Russian State Hackers Target Signal & WhatsApp Accounts of High-Value Individuals

Dutch Intelligence Warns of Russian Phishing Campaign to Hijack Signal and WhatsApp Accounts

Dutch intelligence agencies AIVD and MIVD have issued a warning about a large-scale phishing campaign by Russian state-backed hackers aimed at compromising the Signal and WhatsApp accounts of high-value targets. The campaign targets government officials, military personnel, and journalists. The attacks do not exploit software vulnerabilities but rely on social engineering to trick victims into sharing SMS verification codes or scanning malicious QR codes to link an attacker's device. This allows the attackers to take over the account or silently monitor all communications.

PhishingSocial EngineeringSignalWhatsAppState-Sponsored +1 more

4 min read

Russian State Hackers Target Signal & WhatsApp Accounts of High-Value Individuals

Phishing

Mobile Security

ShinyHunters Linked to Voice Phishing Campaign Targeting Okta Admins to Steal SaaS Data

Voice Phishing Campaign Attributed to ShinyHunters Targets Okta to Pivot and Exfiltrate SaaS Data

A 2026 cyberattack campaign is using voice phishing (vishing) and social engineering to compromise Okta administrator accounts, with TTPs consistent with the ShinyHunters threat group. According to Obsidian Security, attackers socially engineer IT help desks or users over the phone to gain initial access. Once in, they immediately enroll their own MFA device (often an emulated Android device with Okta FastPass) to establish persistence. With persistent access to the identity provider, the attackers then pivot to connected single sign-on (SSO) applications to perform high-volume data exfiltration, highlighting a coordinated attack across the identity and SaaS layers.

VishingPhishingShinyHuntersScattered SpiderOkta +2 more

Phishing