Massive "Megalodon" Supply Chain Attack Hits 5,000 GitHub Repos; Lazarus Group & Iranian APTs Deploy New Malware

Phishing Campaign Uses JavaScript and Process Hollowing to Deploy PureLogs Data Stealer

Security researchers at FortiGuard Labs have uncovered a new phishing campaign distributing a variant of the PureLogs data-stealing malware. The attack begins with a deceptive email containing a malicious RAR archive. The attack chain involves obfuscated JavaScript, PowerShell, and the process hollowing of a legitimate Windows process (MsBuild.exe) to inject and execute the malware. This multi-stage approach is designed to evade detection and steal a wide range of sensitive information from compromised Microsoft Windows systems.

purelogsphishingmalwareinfostealerprocess hollowing +2 more

PureLogs Malware Variant Delivered via Multi-Stage Phishing Attack

GlassWorm Malware Infrastructure Dismantled in Coordinated Takedown

CrowdStrike, Google, and Shadowserver Disrupt "GlassWorm" Developer-Targeted Supply Chain Attack

A collaborative effort by CrowdStrike, Google, and the Shadowserver Foundation has successfully disrupted the command-and-control (C2) infrastructure of the GlassWorm malware campaign. Active since early 2025, GlassWorm targeted software developers using trojanized VS Code extensions and malicious npm/Python packages. The campaign aimed to steal developer credentials, crypto wallets, and deploy a JavaScript RAT named GlassWormRAT. The operators, believed to be Russia-based, were described as well-resourced and persistent.

glasswormsupply chain attacktakedowncrowdstrikegoogle +3 more

GlassWorm Malware Infrastructure Dismantled in Coordinated Takedown

Taiwan's Government Issues Warning on Cybersecurity Risks of Chinese Mobile Apps

MEDIUM

Taiwan's Ministry of Digital Affairs Flags Amap, bilibili, and Others for Excessive Data Collection

Taiwan's Ministry of Digital Affairs (MODA) has issued a public warning about the significant cybersecurity and data privacy risks associated with four popular Chinese-made mobile apps: Amap, bilibili, iQIYI, and BIMOBIMO. An investigation by the Administration for Cyber Security (ACS) found that the apps request extensive, often unnecessary, permissions and transmit user data back to China. Officials warned that under Chinese law, the parent companies could be compelled to turn this data over to Beijing, posing a national security risk.

taiwanchinamobile securitydata privacyamap +3 more

4 min read

Taiwan's Government Issues Warning on Cybersecurity Risks of Chinese Mobile Apps

The Oncology Institute Confirms Patient Data Exposed in Vendor Supply Chain Breach

Vendor Security Incident Leads to Patient Data Exposure at The Oncology Institute

The Oncology Institute, a major US provider of cancer care, has confirmed that patient data was exposed due to a cybersecurity incident at one of its IT software vendors. The breach was first hinted at in an SEC filing in November 2025, but the vendor, through administrator Kroll, only recently confirmed that systems containing patient data were accessed by an unauthorized party. This supply chain incident highlights the significant risks healthcare organizations face from their third-party vendors and the potential for delayed breach notifications.

data breachhealthcarehipaasupply chain attackvendor risk +1 more

The Oncology Institute Confirms Patient Data Exposed in Vendor Supply Chain Breach

FBI Links "First VPN Service" to Ransomware Gangs and Dark Web Activity

FBI Issues Advisory on "First VPN Service" and Recommends Layered Defensive Controls

The FBI has issued a public advisory linking the "First VPN Service" with a wide range of malicious cyber activities, including its use by ransomware gangs, botnet operators, and criminals on the dark web. The agency is urging organizations to implement a series of layered defensive controls to mitigate the threat posed by malicious actors abusing this and similar VPN services. Recommendations include mandating multi-factor authentication, monitoring for anomalous session activity, and hardening remote access services.

fbivpnransomwarebotnetdark web +2 more

4 min read

FBI Links "First VPN Service" to Ransomware Gangs and Dark Web Activity

Israel's State Comptroller Report Reveals "Severe" Cybersecurity Gaps in Emergency Agencies

Widespread Cybersecurity Deficiencies Found in Israeli Government and Emergency Services

A damning report from Israel's State Comptroller, Matanyahu Englman, has exposed significant and widespread cybersecurity vulnerabilities across the country's emergency agencies and critical government bodies. The report highlights compromised databases, vulnerable systems, and a critical lack of coordination. Key issues identified include fragmented authentication systems across major agencies like the Tax Authority and Defense Ministry, which increases inefficiency and cyber risk. The findings have been described as "highly severe," pointing to systemic weaknesses in Israel's national cybersecurity posture.

israelcybersecuritygovernmentvulnerabilityaudit +1 more

4 min read

Israel's State Comptroller Report Reveals "Severe" Cybersecurity Gaps in Emergency Agencies

Krispy Kreme Reaches $1.6M Settlement for 2024 Data Breach

MEDIUM

Krispy Kreme Agrees to $1.6 Million Class-Action Settlement After 2024 Cyberattack

Krispy Kreme has agreed to a $1.6 million class-action settlement following a 2024 cyberattack that exposed customer data, including names, Social Security numbers, and financial account information. Under the settlement, customers who can document financial loss may receive up to $3,500, while others whose data was exposed can claim $75. The settlement also includes a year of free credit monitoring. The company denies any wrongdoing but has agreed to strengthen its cybersecurity protocols as part of the deal.

krispy kremedata breachsettlementclass actionretail +1 more

3 min read

Krispy Kreme Reaches $1.6M Settlement for 2024 Data Breach

Updated Articles (5)

CISO Role Crisis: Demands, Legal Risks, and Shortages Make Position Untenable

INFORMATIONAL

Report: CISO Role Faces Crisis Amidst Expanding Responsibilities, Personal Legal Liability, and Severe Talent Shortage

A recent report from Cybersecurity Ventures and Sophos quantifies the CISO crisis, revealing the average tenure for a CISO in a large enterprise has plummeted to just 18-26 months, significantly shorter than other C-suite roles. This high turnover is driven by extreme stress, burnout, and a disconnect with other executives. The report also highlights the added complexity of AI, which acts as both a defensive tool and an attacker's weapon, alongside projected cybercrime damages reaching $12 trillion by 2031. This rapid churn leads to a lack of strategic consistency, loss of institutional knowledge, and increased organizational risk, further underscoring the untenable nature of the CISO position.

May 8, 2026

CISOLeadershipCybersecurity WorkforceBurnoutGovernance +2 more

3 min read

CISO Role Crisis: Demands, Legal Risks, and Shortages Make Position Untenable

Iranian APT Screening Serpens Unleashes New RATs in Espionage Campaign Against US, Israel, and UAE

Unit 42 Tracks Iranian APT Screening Serpens' 2026 Espionage Campaigns Targeting Tech and Defense Sectors

Further analysis of the Screening Serpens campaign reveals additional methods for detecting AppDomainManager hijacking. Security teams should monitor for modifications to the registry key HKLM\SOFTWARE\Microsoft\.NETFramework\appDomainManagerAssembly and the environment variable COMPLUS_appDomainManagerAssembly. The APT group is also tracked under the alias 'Iranian Dream Job'. These details provide more specific hunting opportunities for the previously reported espionage activities.

May 22, 2026

Screening SerpensIranAPTRATAppDomainManager +5 more

6 min read

Iranian APT Screening Serpens Unleashes New RATs in Espionage Campaign Against US, Israel, and UAE

Megalodon Attack: 5,561 GitHub Repos Compromised in Automated CI/CD Onslaught

CRITICAL

TeamPCP's 'Megalodon' Campaign Injects Malicious CI/CD Workflows into Thousands of GitHub Projects

Further analysis of the Megalodon supply chain attack reveals that the threat actor, TeamPCP, primarily utilized fake pull requests to inject malicious GitHub Actions workflows into over 5,500 public repositories. This method allowed the attackers to integrate their malicious code directly into the CI/CD pipelines, enabling the exfiltration of sensitive credentials and secrets when the pull requests were merged. The attack specifically targeted the CI/CD configuration files, rather than the application's source code, highlighting a sophisticated abuse of legitimate automation tools to compromise development environments.

May 25, 2026

MegalodonTeamPCPCI/CDGitHub ActionsWiper +1 more

6 min read

Megalodon Attack: 5,561 GitHub Repos Compromised in Automated CI/CD Onslaught

Lazarus Group Unleashes 'RemotePE' Memory-Only RAT in Attacks on Financial and Crypto Firms

North Korea's Lazarus Group Uses New 'RemotePE' Malware to Evade Detection in Financial Sector Attacks

Further details on the Lazarus Group's RemotePE campaign reveal new fraudulent domains, `calendly[.]live` and `picktime[.]live`, used in social engineering attacks. Attackers are impersonating trading firm employees on Telegram to lure victims to these malicious scheduling websites. The update also clarifies that the 'PE' in RemotePE likely refers to its ability to load Portable Executable files in memory, and highlights additional capabilities such as keylogging (T1056.001) and deploying further tools. The group is noted to overlap with other North Korean clusters like AppleJeus, Citrine Sleet, and UNC4736.

May 25, 2026

Lazarus GroupRemotePEFileless MalwareMemory-only RATCryptocurrency +2 more

Lazarus Group Unleashes 'RemotePE' Memory-Only RAT in Attacks on Financial and Crypto Firms

Instructure Pays Off ShinyHunters to Delete Data of 275M Canvas Users

CRITICAL

Instructure Reaches Deal with ShinyHunters After Massive Canvas Breach Affects 9,000 Schools

Ed-tech giant Instructure is now facing multiple class-action lawsuits in the U.S. District Court in Utah. These legal actions allege negligence in protecting user data following the two data breaches on April 29 and May 7, 2026, which targeted the 'Free for Teachers' platform. The lawsuits highlight the severe legal and reputational fallout from the security failures, despite Instructure's claim of reaching an agreement with the threat actor to delete the stolen data. This development significantly escalates the financial and operational impact on Instructure, further eroding trust among its user base of students, parents, and educators.

May 13, 2026