<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"><channel>
    <title>Omniware Threat Intel</title>
    <link>https://omniware.org/threat-intel</link>
    <description>Auto-summarized cybersecurity advisories for compliance-driven teams.</description>
    <item>
      <title>Fake IT support calls on Microsoft Teams push EtherRAT malware</title>
      <link>https://omniware.org/threat-intel/bleeping-fake-it-support-calls-on-microsoft-teams-push-etherrat-malware</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/bleeping-fake-it-support-calls-on-microsoft-teams-push-etherrat-malware</guid>
      <category>general</category>
      <pubDate>Tue, 07 Jul 2026 06:13:40 GMT</pubDate>
      <description>Threat actors are conducting social engineering campaigns using Microsoft Teams to distribute EtherRAT, a Node.js-based remote access trojan. According to Palo Alto Networks&apos; Unit 42, the attack chain begins with phishing emails containing malicious PDF attachments labeled as &quot;Employee Survey.&quot; Afte</description>
    </item>
    <item>
      <title>Phishing poses as big-brand job interview to steal Google accounts</title>
      <link>https://omniware.org/threat-intel/bleeping-phishing-poses-as-big-brand-job-interview-to-steal-google-accounts</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/bleeping-phishing-poses-as-big-brand-job-interview-to-steal-google-accounts</guid>
      <category>general</category>
      <pubDate>Tue, 07 Jul 2026 06:13:28 GMT</pubDate>
      <description>A phishing campaign is impersonating over 30 major brands—including Adobe, Netflix, Coca-Cola, and OpenAI—to steal Google account credentials from marketing professionals. The attackers pose as recruiters conducting fake job interviews, using real names and pictures of legitimate company staff to bu</description>
    </item>
    <item>
      <title>⚡ Weekly Recap: Proxy Botnets, Browser Ransomware, AI Agent Tricks, Fake PoC Malware and More</title>
      <link>https://omniware.org/threat-intel/thn-weekly-recap-proxy-botnets-browser-ransomware-ai-agent-tricks-fake-poc-malwa</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/thn-weekly-recap-proxy-botnets-browser-ransomware-ai-agent-tricks-fake-poc-malwa</guid>
      <category>general</category>
      <pubDate>Tue, 07 Jul 2026 06:13:16 GMT</pubDate>
      <description>The weekly threat recap highlights multiple attack vectors exploiting trust mechanisms across consumer and enterprise systems. Google and the FBI disrupted the NetNut residential proxy botnet, which compromised an estimated 2 million devices globally—primarily smart TVs and streaming boxes—by distri</description>
    </item>
    <item>
      <title>CVE-2026-14622: A vulnerability was found in jairiidriss restaurant-website-php-mysql up to 5214</title>
      <link>https://omniware.org/threat-intel/cve-cve-2026-14622-a-vulnerability-was-found-in-jairiidriss-restaurant-website-p</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/cve-cve-2026-14622-a-vulnerability-was-found-in-jairiidriss-restaurant-website-p</guid>
      <category>compliance</category>
      <pubDate>Mon, 06 Jul 2026 06:59:35 GMT</pubDate>
      <description>A missing authentication vulnerability was identified in jairiidriss restaurant-website-php-mysql affecting the AJAX Endpoint component at the /admin/ajax_files file. According to MITRE&apos;s National Vulnerability Database, the vulnerability allows remote manipulation without authentication. The produc</description>
    </item>
    <item>
      <title>FortiBleed Credential Theft Linked to INC and Lynx Ransomware Operations</title>
      <link>https://omniware.org/threat-intel/thn-fortibleed-credential-theft-linked-to-inc-and-lynx-ransomware-operations</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/thn-fortibleed-credential-theft-linked-to-inc-and-lynx-ransomware-operations</guid>
      <category>defense</category>
      <pubDate>Mon, 06 Jul 2026 06:59:22 GMT</pubDate>
      <description>Security researchers at SOCRadar have attributed the FortiBleed credential-theft campaign to operators working with INC Ransom and Lynx ransomware groups. The campaign scanned approximately 11,250 FortiGate portals across 150+ countries, achieving admin-level access on 409 targets and completing the</description>
    </item>
    <item>
      <title>JadePuffer ransomware used AI agent to automate entire attack</title>
      <link>https://omniware.org/threat-intel/bleeping-jadepuffer-ransomware-used-ai-agent-to-automate-entire-attack</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/bleeping-jadepuffer-ransomware-used-ai-agent-to-automate-entire-attack</guid>
      <category>general</category>
      <pubDate>Mon, 06 Jul 2026 06:59:10 GMT</pubDate>
      <description>Researchers have documented what appears to be the first ransomware operation conducted entirely by an LLM agent. The attack, attributed to JadePuffer, reportedly used an AI agent to automate the full attack lifecycle—from initial reconnaissance through encryption and ransom demands. The operation d</description>
    </item>
    <item>
      <title>CVE-2026-20896: Gitea Docker image versions up to and including 1.26.2 use REVERSE_PROXY_TRUSTED</title>
      <link>https://omniware.org/threat-intel/cve-cve-2026-20896-gitea-docker-image-versions-up-to-and-including-1-26-2-use-re</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/cve-cve-2026-20896-gitea-docker-image-versions-up-to-and-including-1-26-2-use-re</guid>
      <category>general</category>
      <pubDate>Sun, 05 Jul 2026 17:21:45 GMT</pubDate>
      <description>Gitea Docker image versions up to and including 1.26.2 contain a misconfiguration where REVERSE_PROXY_TRUSTED_PROXIES is set to * by default. This allows any source IP to impersonate users when reverse-proxy authentication headers such as X-WEBAUTH-USER are enabled. According to the CVE record, the </description>
    </item>
    <item>
      <title>CVE-2026-12481: A vulnerability in keras-team/keras version 3.14.0 allows for arbitrary code exe</title>
      <link>https://omniware.org/threat-intel/cve-cve-2026-12481-a-vulnerability-in-keras-team-keras-version-3-14-0-allows-for</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/cve-cve-2026-12481-a-vulnerability-in-keras-team-keras-version-3-14-0-allows-for</guid>
      <category>general</category>
      <pubDate>Sun, 05 Jul 2026 17:21:35 GMT</pubDate>
      <description>A vulnerability in keras-team/keras version 3.14.0 allows arbitrary code execution through improper deserialization handling in the Lambda layer. The `_raise_for_lambda_deserialization()` function fails to enforce safe-mode protections when `safe_mode` is set to `None` (its default value), conflatin</description>
    </item>
    <item>
      <title>U.S. Government Entity Paid Kairos $1 Million in Data-Theft Extortion Case</title>
      <link>https://omniware.org/threat-intel/thn-u-s-government-entity-paid-kairos-1-million-in-data-theft-extortion-case</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/thn-u-s-government-entity-paid-kairos-1-million-in-data-theft-extortion-case</guid>
      <category>general</category>
      <pubDate>Sun, 05 Jul 2026 17:21:20 GMT</pubDate>
      <description>A U.S. government entity paid approximately $1 million to the group Kairos to prevent the publication of stolen files, according to a case study by Rakesh Krishnan published by Ransom-ISAC. The analysis, based on leaked negotiation chat logs and blockchain records, indicates the victim was Union Cou</description>
    </item>
    <item>
      <title>ThreatsDay: AI Compute Hijacking, Apple Email Flaw, BlueHammer Ransomware + 14 Stories</title>
      <link>https://omniware.org/threat-intel/thn-threatsday-ai-compute-hijacking-apple-email-flaw-bluehammer-ransomware-14-st</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/thn-threatsday-ai-compute-hijacking-apple-email-flaw-bluehammer-ransomware-14-st</guid>
      <category>general</category>
      <pubDate>Sat, 04 Jul 2026 06:46:15 GMT</pubDate>
      <description>TheHackerNews reported on multiple security findings this week spanning AI systems, email services, and ransomware campaigns. A phishing campaign targets small businesses globally with fake law enforcement investigation emails, directing victims to password-protected archives hosted on Proton Drive </description>
    </item>
    <item>
      <title>Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices</title>
      <link>https://omniware.org/threat-intel/thn-unpatched-flaws-disclosed-in-filesystem-bundled-into-millions-of-embedded-de</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/thn-unpatched-flaws-disclosed-in-filesystem-bundled-into-millions-of-embedded-de</guid>
      <category>defense</category>
      <pubDate>Sat, 04 Jul 2026 06:46:02 GMT</pubDate>
      <description>Security firm runZero has disclosed seven vulnerabilities in FatFs, a filesystem library used in millions of embedded devices including security cameras, drones, industrial controllers, hardware crypto wallets, and real-time operating systems. The flaws range from CVSS 4.6 to 7.6 (Medium to High sev</description>
    </item>
    <item>
      <title>NetNut proxy network disrupted, 2 million infected devices cut off</title>
      <link>https://omniware.org/threat-intel/bleeping-netnut-proxy-network-disrupted-2-million-infected-devices-cut-off</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/bleeping-netnut-proxy-network-disrupted-2-million-infected-devices-cut-off</guid>
      <category>general</category>
      <pubDate>Sat, 04 Jul 2026 06:45:51 GMT</pubDate>
      <description>Google and law enforcement, including the FBI, disrupted NetNut (also known as Popa), a residential proxy botnet estimated to control at least two million compromised devices globally, including smart TVs and streaming boxes. The network was powered by trojanized applications and botnets such as Bad</description>
    </item>
    <item>
      <title>DHS confirms hackers breached HSIN info-sharing platform</title>
      <link>https://omniware.org/threat-intel/bleeping-dhs-confirms-hackers-breached-hsin-info-sharing-platform</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/bleeping-dhs-confirms-hackers-breached-hsin-info-sharing-platform</guid>
      <category>defense</category>
      <pubDate>Fri, 03 Jul 2026 15:33:32 GMT</pubDate>
      <description>The Department of Homeland Security confirmed a cyberattack on the Homeland Security Information Network (HSIN), an unclassified information-sharing platform used by federal, state, local, and private-sector partners. According to DHS and reporting by Nextgov, the intrusion occurred between late May</description>
    </item>
    <item>
      <title>Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices</title>
      <link>https://omniware.org/threat-intel/thn-google-disrupts-netnut-residential-proxy-network-spanning-2-million-home-dev</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/thn-google-disrupts-netnut-residential-proxy-network-spanning-2-million-home-dev</guid>
      <category>general</category>
      <pubDate>Fri, 03 Jul 2026 15:33:22 GMT</pubDate>
      <description>Google&apos;s Threat Intelligence Group, working with the FBI, Lumen, and others, has significantly degraded NetNut (also tracked as Popa), a residential proxy network estimated to span at least 2 million compromised home devices including smart TVs and streaming boxes. The network allows attackers to re</description>
    </item>
    <item>
      <title>Ransomware Groups Turn to Citrix Bleed 2, BYOVD, and Supply Chain Credentials</title>
      <link>https://omniware.org/threat-intel/thn-ransomware-groups-turn-to-citrix-bleed-2-byovd-and-supply-chain-credentials</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/thn-ransomware-groups-turn-to-citrix-bleed-2-byovd-and-supply-chain-credentials</guid>
      <category>general</category>
      <pubDate>Fri, 03 Jul 2026 15:33:01 GMT</pubDate>
      <description>Threat actors affiliated with the Anubis ransomware-as-a-service operation have been observed exploiting Citrix Bleed 2 (CVE-2025-5777, CVSS 9.3) to gain initial access to target environments, according to Arctic Wolf. The attackers combine this vulnerability with valid VPN credentials—sourced throu</description>
    </item>
    <item>
      <title>CISA: Microsoft SharePoint RCE flaw now actively exploited</title>
      <link>https://omniware.org/threat-intel/bleeping-cisa-microsoft-sharepoint-rce-flaw-now-actively-exploited</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/bleeping-cisa-microsoft-sharepoint-rce-flaw-now-actively-exploited</guid>
      <category>defense</category>
      <pubDate>Thu, 02 Jul 2026 16:53:31 GMT</pubDate>
      <description>The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported that a high-severity Microsoft SharePoint remote code execution vulnerability (CVE-2026-45659) is now being actively exploited in the wild. The flaw stems from unsafe deserialization of untrusted data and allows authenticated </description>
    </item>
    <item>
      <title>FortiBleed credential-theft campaign linked to Lynx ransomware</title>
      <link>https://omniware.org/threat-intel/bleeping-fortibleed-credential-theft-campaign-linked-to-lynx-ransomware</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/bleeping-fortibleed-credential-theft-campaign-linked-to-lynx-ransomware</guid>
      <category>general</category>
      <pubDate>Thu, 02 Jul 2026 16:53:23 GMT</pubDate>
      <description>A credential-theft campaign dubbed &quot;FortiBleed&quot; has been linked to members of the INC and Lynx ransomware-as-a-service groups. Researchers discovered an exposed server containing credentials stolen from more than 73,000 Fortinet devices, along with downloaded FortiGate configuration files and infras</description>
    </item>
    <item>
      <title>Medtronic notifies customers impacted by ShinyHunters data breach</title>
      <link>https://omniware.org/threat-intel/bleeping-medtronic-notifies-customers-impacted-by-shinyhunters-data-breach</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/bleeping-medtronic-notifies-customers-impacted-by-shinyhunters-data-breach</guid>
      <category>healthcare</category>
      <pubDate>Thu, 02 Jul 2026 16:53:12 GMT</pubDate>
      <description>Medtronic, a global medical device manufacturer, is notifying customers of a data breach affecting its corporate IT systems. According to the company&apos;s notification, unauthorized actors accessed certain systems between April 13 and April 19, 2026, after the company discovered unusual activity on Apr</description>
    </item>
    <item>
      <title>Citrix Patches Six NetScaler Flaws Allowing File Read and Denial-of-Service</title>
      <link>https://omniware.org/threat-intel/thn-citrix-patches-six-netscaler-flaws-allowing-file-read-and-denial-of-service</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/thn-citrix-patches-six-netscaler-flaws-allowing-file-read-and-denial-of-service</guid>
      <category>defense</category>
      <pubDate>Wed, 01 Jul 2026 09:42:35 GMT</pubDate>
      <description>Citrix released security updates addressing six vulnerabilities in NetScaler ADC and NetScaler Gateway. The flaws range from CVSS 6.9 to 8.8 and include memory overflow issues, insufficient input validation, and file-read vulnerabilities. Affected configurations include SAML IDP, gateway/AAA virtual</description>
    </item>
    <item>
      <title>Oracle E-Business Suite Flaw CVE-2026-46817 Actively Exploited in the Wild</title>
      <link>https://omniware.org/threat-intel/thn-oracle-e-business-suite-flaw-cve-2026-46817-actively-exploited-in-the-wild</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/thn-oracle-e-business-suite-flaw-cve-2026-46817-actively-exploited-in-the-wild</guid>
      <category>defense</category>
      <pubDate>Wed, 01 Jul 2026 09:42:23 GMT</pubDate>
      <description>Oracle E-Business Suite versions 12.2.3 through 12.2.15 are affected by CVE-2026-46817, a critical privilege management and authentication flaw in Oracle Payments (CVSS 9.8). According to Defused Cyber, the vulnerability allows unauthenticated attackers with network access via HTTP to compromise Ora</description>
    </item>
    <item>
      <title>Insurance giant Aflac discloses data breach after subsidiary hack</title>
      <link>https://omniware.org/threat-intel/bleeping-insurance-giant-aflac-discloses-data-breach-after-subsidiary-hack</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/bleeping-insurance-giant-aflac-discloses-data-breach-after-subsidiary-hack</guid>
      <category>fintech</category>
      <pubDate>Wed, 01 Jul 2026 09:42:12 GMT</pubDate>
      <description>Aflac, a Fortune 500 supplemental insurance provider, disclosed a data breach affecting its Japan subsidiary on June 30, 2026. Threat actors gained unauthorized access to Aflac Japan&apos;s systems between June 15 and June 25, 2026, affecting 4.38 million customers. The attackers accessed files containin</description>
    </item>
    <item>
      <title>NAIC says public data stolen in ShinyHunters&apos; PeopleSoft breach</title>
      <link>https://omniware.org/threat-intel/bleeping-naic-says-public-data-stolen-in-shinyhunters-peoplesoft-breach</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/bleeping-naic-says-public-data-stolen-in-shinyhunters-peoplesoft-breach</guid>
      <category>compliance</category>
      <pubDate>Tue, 30 Jun 2026 18:36:51 GMT</pubDate>
      <description>The National Association of Insurance Commissioners (NAIC) confirmed that the ShinyHunters extortion group breached its Oracle PeopleSoft systems by exploiting a zero-day vulnerability (CVE-2026-35273). The unauthorized access occurred in June 2026. NAIC states that the stolen data consisted of publ</description>
    </item>
    <item>
      <title>Nissan discloses employee data breach linked to Oracle zero-day attacks</title>
      <link>https://omniware.org/threat-intel/bleeping-nissan-discloses-employee-data-breach-linked-to-oracle-zero-day-attacks</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/bleeping-nissan-discloses-employee-data-breach-linked-to-oracle-zero-day-attacks</guid>
      <category>general</category>
      <pubDate>Tue, 30 Jun 2026 18:36:43 GMT</pubDate>
      <description>Nissan disclosed a data breach affecting current and former employees after threat actors exploited an Oracle PeopleSoft zero-day vulnerability. According to breach notifications filed with the California Attorney General&apos;s Office, the attack was part of a broader campaign attributed to the ShinyHun</description>
    </item>
    <item>
      <title>CISA: Windows BlueHammer flaw now exploited by ransomware gangs</title>
      <link>https://omniware.org/threat-intel/bleeping-cisa-windows-bluehammer-flaw-now-exploited-by-ransomware-gangs</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/bleeping-cisa-windows-bluehammer-flaw-now-exploited-by-ransomware-gangs</guid>
      <category>defense</category>
      <pubDate>Tue, 30 Jun 2026 18:36:35 GMT</pubDate>
      <description>CISA confirmed that ransomware gangs have begun exploiting CVE-2026-33825, a high-severity Microsoft Defender privilege escalation vulnerability dubbed BlueHammer. The flaw allows an authorized local attacker to escalate privileges and access the Security Account Manager (SAM) database containing pa</description>
    </item>
    <item>
      <title>CVE-2026-13486: A vulnerability was determined in SourceCodester Class and Exam Timetabling Syst</title>
      <link>https://omniware.org/threat-intel/cve-cve-2026-13486-a-vulnerability-was-determined-in-sourcecodester-class-and-ex</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/cve-cve-2026-13486-a-vulnerability-was-determined-in-sourcecodester-class-and-ex</guid>
      <category>general</category>
      <pubDate>Mon, 29 Jun 2026 11:46:59 GMT</pubDate>
      <description>A SQL injection vulnerability was identified in SourceCodester&apos;s Class and Exam Timetabling System version 1.0, affecting the /preview6.php file. The vulnerability exists in the course_year_section parameter and can be exploited remotely without authentication or user interaction. The exploit has be</description>
    </item>
    <item>
      <title>CVE-2026-13485: A vulnerability was found in SourceCodester Class and Exam Timetabling System 1.</title>
      <link>https://omniware.org/threat-intel/cve-cve-2026-13485-a-vulnerability-was-found-in-sourcecodester-class-and-exam-ti</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/cve-cve-2026-13485-a-vulnerability-was-found-in-sourcecodester-class-and-exam-ti</guid>
      <category>general</category>
      <pubDate>Mon, 29 Jun 2026 11:46:55 GMT</pubDate>
      <description>SourceCodester Class and Exam Timetabling System version 1.0 contains a SQL injection vulnerability in the /preview.php file. The flaw allows remote attackers to manipulate the course_year_section parameter to inject arbitrary SQL commands. According to the NVD record, a public exploit is available,</description>
    </item>
    <item>
      <title>CVE-2026-8095: The Frontend File Manager Plugin plugin for WordPress is vulnerable to Authentic</title>
      <link>https://omniware.org/threat-intel/cve-cve-2026-8095-the-frontend-file-manager-plugin-plugin-for-wordpress-is-vulne</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/cve-cve-2026-8095-the-frontend-file-manager-plugin-plugin-for-wordpress-is-vulne</guid>
      <category>saas</category>
      <pubDate>Mon, 29 Jun 2026 11:46:42 GMT</pubDate>
      <description>The Frontend File Manager Plugin for WordPress (versions up to 23.6) contains an authenticated arbitrary file deletion vulnerability. The flaw stems from a case-sensitive bypass in the wpfm_dir_path parameter sanitization within the wpfm_file_meta_update AJAX handler. An attacker supplying the param</description>
    </item>
    <item>
      <title>The Gentlemen RaaS Uses GentleKiller EDR Framework Targeting 400 Security Processes</title>
      <link>https://omniware.org/threat-intel/thn-the-gentlemen-raas-uses-gentlekiller-edr-framework-targeting-400-security-pr</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/thn-the-gentlemen-raas-uses-gentlekiller-edr-framework-targeting-400-security-pr</guid>
      <category>defense</category>
      <pubDate>Sun, 28 Jun 2026 07:42:37 GMT</pubDate>
      <description>The Gentlemen ransomware-as-a-service operation has developed and distributed a suite of endpoint detection and response (EDR) killer tools to its affiliates, centered on a framework called GentleKiller. According to ESET research, GentleKiller exists in eight variants that target 400 processes asso</description>
    </item>
    <item>
      <title>OpenAI Previews GPT-5.6 Sol With Restricted Access and Stronger Cyber Safeguards</title>
      <link>https://omniware.org/threat-intel/thn-openai-previews-gpt-5-6-sol-with-restricted-access-and-stronger-cyber-safegu</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/thn-openai-previews-gpt-5-6-sol-with-restricted-access-and-stronger-cyber-safegu</guid>
      <category>general</category>
      <pubDate>Sun, 28 Jun 2026 07:42:24 GMT</pubDate>
      <description>OpenAI released three versions of GPT-5.6—Sol, Terra, and Luna—as a limited preview to a small group of government-approved partners. Sol is the flagship model and is positioned as the most capable for cybersecurity tasks, including vulnerability research and code review. According to OpenAI, the mo</description>
    </item>
    <item>
      <title>Clean GitHub repo tricks AI coding agents into running malware</title>
      <link>https://omniware.org/threat-intel/bleeping-clean-github-repo-tricks-ai-coding-agents-into-running-malware</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/bleeping-clean-github-repo-tricks-ai-coding-agents-into-running-malware</guid>
      <category>general</category>
      <pubDate>Sun, 28 Jun 2026 07:42:12 GMT</pubDate>
      <description>Researchers at Mozilla&apos;s Zero Day Investigative Network demonstrated a technique where AI coding agents (specifically Claude Code) can be tricked into executing malicious payloads from seemingly benign GitHub repositories. The attack chains three innocuous components: a clean repository with standar</description>
    </item>
    <item>
      <title>Polymarket customers lose $3 million in supply-chain attack</title>
      <link>https://omniware.org/threat-intel/bleeping-polymarket-customers-lose-3-million-in-supply-chain-attack</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/bleeping-polymarket-customers-lose-3-million-in-supply-chain-attack</guid>
      <category>fintech</category>
      <pubDate>Sat, 27 Jun 2026 08:15:06 GMT</pubDate>
      <description>Polymarket, a cryptocurrency prediction market platform, experienced a supply-chain attack in which malicious JavaScript was injected into its frontend through a compromised third-party vendor dependency. The injected code tricked users into approving fraudulent transactions on the official website.</description>
    </item>
    <item>
      <title>Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack</title>
      <link>https://omniware.org/threat-intel/thn-miasma-malware-targets-npm-packages-and-github-actions-in-supply-chain-attac</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/thn-miasma-malware-targets-npm-packages-and-github-actions-in-supply-chain-attac</guid>
      <category>saas</category>
      <pubDate>Sat, 27 Jun 2026 08:14:56 GMT</pubDate>
      <description>Cybersecurity researchers have identified a new wave of supply chain attacks targeting npm packages and GitHub Actions, attributed to the Mini Shai-Hulud/Miasma/Hades malware family. The campaign compromised multiple npm packages associated with LeoPlatform and RStreams, as well as a Go module belon</description>
    </item>
    <item>
      <title>CISA sets urgent deadline to fix Cisco flaw exploited in attacks</title>
      <link>https://omniware.org/threat-intel/bleeping-cisa-sets-urgent-deadline-to-fix-cisco-flaw-exploited-in-attacks</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/bleeping-cisa-sets-urgent-deadline-to-fix-cisco-flaw-exploited-in-attacks</guid>
      <category>defense</category>
      <pubDate>Sat, 27 Jun 2026 08:14:21 GMT</pubDate>
      <description>The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has set an urgent deadline of June 28 for federal agencies to patch two critical vulnerabilities. CVE-2026-20230 affects Cisco Unified Communications Manager Server and is a server-side request forgery (SSRF) flaw exploitable remotely </description>
    </item>
    <item>
      <title>Google Details Turla&apos;s New STOCKSTAY Backdoor Used in Ukraine Espionage Attacks</title>
      <link>https://omniware.org/threat-intel/thn-google-details-turla-s-new-stockstay-backdoor-used-in-ukraine-espionage-atta</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/thn-google-details-turla-s-new-stockstay-backdoor-used-in-ukraine-espionage-atta</guid>
      <category>defense</category>
      <pubDate>Fri, 26 Jun 2026 09:32:13 GMT</pubDate>
      <description>Google Threat Intelligence Group has documented a previously unknown .NET backdoor called STOCKSTAY attributed to Russian state-sponsored actor Turla. The malware targets government and military organizations in Ukraine, as well as entities with interests in Italian foreign policy. Development activ</description>
    </item>
    <item>
      <title>Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered</title>
      <link>https://omniware.org/threat-intel/thn-amadey-and-stealc-malware-network-disrupted-27m-stolen-credentials-recovered</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/thn-amadey-and-stealc-malware-network-disrupted-27m-stolen-credentials-recovered</guid>
      <category>general</category>
      <pubDate>Fri, 26 Jun 2026 09:32:02 GMT</pubDate>
      <description>Law enforcement agencies from the Netherlands, Canada, Germany, and the U.S., working with Bitdefender, Bitsight, ESET, and Microsoft, disrupted criminal infrastructure supporting Amadey and StealC malware. The operation dismantled 326 servers and 142 domains, recovered approximately 27 million stol</description>
    </item>
    <item>
      <title>Poland busts SIM-swapping gang tied to millions in crypto theft</title>
      <link>https://omniware.org/threat-intel/bleeping-poland-busts-sim-swapping-gang-tied-to-millions-in-crypto-theft</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/bleeping-poland-busts-sim-swapping-gang-tied-to-millions-in-crypto-theft</guid>
      <category>fintech</category>
      <pubDate>Fri, 26 Jun 2026 09:31:49 GMT</pubDate>
      <description>Polish authorities arrested four members of an organized cybercrime group accused of conducting SIM-swapping attacks that resulted in millions of dollars in cryptocurrency theft. The Polish Cybercrime Bureau (CBZC), working with the FBI and Homeland Security Investigations, found that the suspects b</description>
    </item>
    <item>
      <title>Malicious Edge extension abuses Native Messaging as bridge to malware</title>
      <link>https://omniware.org/threat-intel/bleeping-malicious-edge-extension-abuses-native-messaging-as-bridge-to-malware</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/bleeping-malicious-edge-extension-abuses-native-messaging-as-bridge-to-malware</guid>
      <category>general</category>
      <pubDate>Thu, 25 Jun 2026 16:23:13 GMT</pubDate>
      <description>A malicious Microsoft Edge extension called &quot;Edgecution&quot; has been used to deploy a Python-based backdoor by exploiting Chrome&apos;s Native Messaging protocol, which allows browser extensions to communicate with native desktop applications. According to Zscaler researchers, the attack begins with social </description>
    </item>
    <item>
      <title>Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access</title>
      <link>https://omniware.org/threat-intel/thn-cisco-catalyst-sd-wan-zero-day-cve-2026-20245-exploited-to-gain-root-access</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/thn-cisco-catalyst-sd-wan-zero-day-cve-2026-20245-exploited-to-gain-root-access</guid>
      <category>general</category>
      <pubDate>Thu, 25 Jun 2026 16:23:03 GMT</pubDate>
      <description>According to Mandiant research, a high-severity vulnerability in Cisco Catalyst SD-WAN (CVE-2026-20245, CVSS 7.8) was exploited as a zero-day for at least two months before public disclosure. The flaw allows an authenticated local attacker with netadmin privileges to execute arbitrary commands with </description>
    </item>
    <item>
      <title>Mandiant reveals how Cisco SD-WAN zero-day attacks gained root access</title>
      <link>https://omniware.org/threat-intel/bleeping-mandiant-reveals-how-cisco-sd-wan-zero-day-attacks-gained-root-access</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/bleeping-mandiant-reveals-how-cisco-sd-wan-zero-day-attacks-gained-root-access</guid>
      <category>defense</category>
      <pubDate>Thu, 25 Jun 2026 16:22:49 GMT</pubDate>
      <description>Mandiant has disclosed technical details on how attackers exploited CVE-2026-20245, a high-severity command injection flaw in Cisco Catalyst SD-WAN Manager, Controller, and Validator components, to gain root access on targeted devices. The vulnerability allows authenticated attackers to execute arbi</description>
    </item>
    <item>
      <title>CISA warns of max severity Ubiquiti flaws exploited in attacks</title>
      <link>https://omniware.org/threat-intel/bleeping-cisa-warns-of-max-severity-ubiquiti-flaws-exploited-in-attacks</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/bleeping-cisa-warns-of-max-severity-ubiquiti-flaws-exploited-in-attacks</guid>
      <category>general</category>
      <pubDate>Wed, 24 Jun 2026 16:39:12 GMT</pubDate>
      <description>The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned of active exploitation of multiple maximum-severity flaws in Ubiquiti UniFi OS and Lantronix serial-to-ethernet servers. Three Ubiquiti vulnerabilities (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910) allow unauthenticated r</description>
    </item>
    <item>
      <title>Amadey, StealC malware operations disrupted in Operation Endgame action</title>
      <link>https://omniware.org/threat-intel/bleeping-amadey-stealc-malware-operations-disrupted-in-operation-endgame-action</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/bleeping-amadey-stealc-malware-operations-disrupted-in-operation-endgame-action</guid>
      <category>general</category>
      <pubDate>Wed, 24 Jun 2026 16:39:00 GMT</pubDate>
      <description>Microsoft, Europol, and international law enforcement partners have disrupted infrastructure supporting the Amadey and StealC malware operations in Operation Endgame. The coordinated action took down 326 servers and 142 domains across agencies in Canada, Denmark, Germany, the Netherlands, the United</description>
    </item>
    <item>
      <title>Healthtech firm Xolis suffers data breach impacting 1.4 million people</title>
      <link>https://omniware.org/threat-intel/bleeping-healthtech-firm-xolis-suffers-data-breach-impacting-1-4-million-people</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/bleeping-healthtech-firm-xolis-suffers-data-breach-impacting-1-4-million-people</guid>
      <category>healthcare</category>
      <pubDate>Wed, 24 Jun 2026 16:38:49 GMT</pubDate>
      <description>Healthcare technology company Xsolis disclosed a data breach affecting approximately 1.4 million individuals. The company detected unauthorized network activity on January 22, 2026, resulting from a targeted phishing attack that occurred two days earlier. The breach exposed sensitive personal and me</description>
    </item>
    <item>
      <title>GitHub Updates actions/checkout to Block Common Pwn Request Attack Patterns</title>
      <link>https://omniware.org/threat-intel/thn-github-updates-actions-checkout-to-block-common-pwn-request-attack-patterns</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/thn-github-updates-actions-checkout-to-block-common-pwn-request-attack-patterns</guid>
      <category>saas</category>
      <pubDate>Tue, 23 Jun 2026 15:18:47 GMT</pubDate>
      <description>GitHub has updated the &quot;actions/checkout&quot; action to block common pwn request attack patterns in CI/CD workflows. Effective June 18, 2026, version 7 of actions/checkout refuses to fetch fork pull request code in pull_request_target and certain workflow_run workflows by default. The protection applies</description>
    </item>
    <item>
      <title>FortiBleed campaign used custom FortiGate sniffer to steal credentials</title>
      <link>https://omniware.org/threat-intel/bleeping-fortibleed-campaign-used-custom-fortigate-sniffer-to-steal-credentials</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/bleeping-fortibleed-campaign-used-custom-fortigate-sniffer-to-steal-credentials</guid>
      <category>general</category>
      <pubDate>Tue, 23 Jun 2026 15:18:35 GMT</pubDate>
      <description>Security researchers at SOCRadar report an ongoing campaign, dubbed &quot;FortiBleed,&quot; targeting Fortinet FortiGate firewalls worldwide. According to the report, the campaign has compromised more than 430,000 FortiGate devices since at least February 2026. Attackers gained administrative access via crede</description>
    </item>
    <item>
      <title>LastPass confirms data breach in Klue supply chain attack</title>
      <link>https://omniware.org/threat-intel/bleeping-lastpass-confirms-data-breach-in-klue-supply-chain-attack</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/bleeping-lastpass-confirms-data-breach-in-klue-supply-chain-attack</guid>
      <category>saas</category>
      <pubDate>Tue, 23 Jun 2026 15:18:12 GMT</pubDate>
      <description>LastPass confirmed a data breach affecting customer information stored in its Salesforce environment. The incident occurred after the Icarus extortion group compromised Klue, a third-party market intelligence platform that integrated with LastPass&apos;s Salesforce and Gong systems. Attackers obtained OA</description>
    </item>
    <item>
      <title>Microsoft links Mastra AI supply chain attack to North Korean hackers</title>
      <link>https://omniware.org/threat-intel/bleeping-microsoft-links-mastra-ai-supply-chain-attack-to-north-korean-hackers</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/bleeping-microsoft-links-mastra-ai-supply-chain-attack-to-north-korean-hackers</guid>
      <category>general</category>
      <pubDate>Mon, 22 Jun 2026 19:30:15 GMT</pubDate>
      <description>Microsoft attributed a supply chain attack on the Mastra AI npm package environment to Sapphire Sleet, a North Korean state-sponsored group also known as BlueNoroff. Attackers compromised an npm maintainer account with publishing privileges and used it to release malicious updates across more than 1</description>
    </item>
    <item>
      <title>Klue OAuth breach victim list grows as Icarus hackers claim attack</title>
      <link>https://omniware.org/threat-intel/bleeping-klue-oauth-breach-victim-list-grows-as-icarus-hackers-claim-attack</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/bleeping-klue-oauth-breach-victim-list-grows-as-icarus-hackers-claim-attack</guid>
      <category>saas</category>
      <pubDate>Mon, 22 Jun 2026 19:30:05 GMT</pubDate>
      <description>Klue, a market intelligence platform, disclosed a security incident on June 12 in which attackers obtained OAuth tokens used to connect Klue integrations to customers&apos; Salesforce environments. According to Klue CEO Jason Smith, an attacker gained access through a compromised legacy credential associ</description>
    </item>
    <item>
      <title>ShapedPlugin WordPress Pro Plugins Backdoored in Supply Chain Attack</title>
      <link>https://omniware.org/threat-intel/thn-shapedplugin-wordpress-pro-plugins-backdoored-in-supply-chain-attack</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/thn-shapedplugin-wordpress-pro-plugins-backdoored-in-supply-chain-attack</guid>
      <category>saas</category>
      <pubDate>Mon, 22 Jun 2026 19:29:40 GMT</pubDate>
      <description>Multiple WordPress plugins from ShapedPlugin were compromised in a supply chain attack after threat actors tampered with the vendor&apos;s build and distribution pipeline, injecting backdoor code into Pro plugin releases. The affected plugins include Product Slider Pro for WooCommerce (versions before 3.</description>
    </item>
    <item>
      <title>Texas govt data breach exposes over 3 million driver’s licenses</title>
      <link>https://omniware.org/threat-intel/bleeping-texas-govt-data-breach-exposes-over-3-million-driver-s-licenses</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/bleeping-texas-govt-data-breach-exposes-over-3-million-driver-s-licenses</guid>
      <category>compliance</category>
      <pubDate>Fri, 19 Jun 2026 18:38:20 GMT</pubDate>
      <description>The Texas Parks and Wildlife Department (TPWD) disclosed a data breach affecting its license system vendor that exposed personal information for approximately 3.087 million hunting and fishing license customers. The Texas Cyber Command discovered the intrusion and investigated the unauthorized acces</description>
    </item>
    <item>
      <title>Klue OAuth breach linked to &apos;Icarus&apos; Salesforce data theft attacks</title>
      <link>https://omniware.org/threat-intel/bleeping-klue-oauth-breach-linked-to-icarus-salesforce-data-theft-attacks</link>
      <guid isPermaLink="true">https://omniware.org/threat-intel/bleeping-klue-oauth-breach-linked-to-icarus-salesforce-data-theft-attacks</guid>
      <category>saas</category>
      <pubDate>Fri, 19 Jun 2026 18:38:12 GMT</pubDate>
      <description>Market intelligence platform Klue experienced an OAuth breach that exposed Salesforce CRM data across multiple customer organizations. According to ReliaQuest and Huntress research, attackers compromised Klue&apos;s Battlecards integration service accounts and obtained OAuth tokens granting access to cus</description>
    </item>
</channel></rss>