07 Jul
I’ve been putting together these cybersecurity news roundups since April. My goal is to make it quickly scannable and actionable for cybersecurity specialists and I guess enthusiasts?.
I try to focus on new novel types of attacks, threats and industry shaping developments. I try to avoid reporting on “happens every day” types of things.
Some weeks I struggle to keep the selection under 20 and some weeks like this, 10 is all it takes to get the gist of it.
If you have been reading these and have some feedback, I’d love to get it, to make it more useful, comment, or DM me on LinkedIn.
Also, you can now subscribe to get these summaries to your inbox ~ once a week. Scroll down to subscribe.
1. Like SEO, LLMs May Soon Fall Prey to Phishing Scams
Security researchers warn that just as attackers have manipulated search engine optimization (SEO) to poison search results, similar techniques could soon target large language models (LLMs), exploiting AI-generated responses to lead users to phishing sites or malicious content. This highlights emerging AI-targeted social engineering threats.
Next Steps
- Advise employees to be cautious about links in LLM responses
- Advice employees always to navigate to the service directly when loging in, and not to use a link from a search result or LLM response.
Read more at Dark Reading, CSO Online
2. Scope, Scale of Spurious North Korean IT Workers Emerges
Microsoft warns that thousands of North Korean IT workers posing as legitimate remote employees have infiltrated technology, manufacturing, and transportation sectors globally to steal data and generate illicit revenue, evidencing a sustained hybrid cybercrime and espionage threat.
Read more at Dark Reading (1), Dark Reading (2), The Hacker News
3. Critical Vulnerability in Anthropic’s MCP Exposes Developer Machines to Remote Exploits
A critical security vulnerability (CVE-2025-49596) was discovered in Anthropic's Model Context Protocol (MCP) Inspector project, allowing remote code execution on developer machines and potentially granting attackers full system control, posing a significant risk for AI development environments.
Next Steps
- Upgrade all MCP Inspector instances to version 0.14.1 or later
Read more at The Hacker News
4. New Flaw in IDEs Like Visual Studio Code Lets Malicious Extensions Bypass Verified Status
A study by OX Security shows that Visual Studio Code, IntelliJ IDEA and other IDEs use weak HTTP‐based checks to mark extensions as "verified,” allowing attackers to craft VSIX packages that spoof trusted publishers and execute arbitrary code. This sideloading abuse exposes developer workstations - where source code and credentials often live - to remote code execution risks.
Next Steps
- Require and verify digital signatures on all installed extensions.
Read more at The Hacker News
5. FileFix Attack Exploits Windows Browser Features to Bypass Mark-of-the-Web Protection
A new sophisticated attack named FileFix 2.0 exploits a vulnerability in Windows browsers' webpage saving features to bypass the Mark-of-the-Web (MOTW) security mechanism, allowing malicious code execution via legitimate functions, posing serious risk for Windows users against stealthy browser-based attacks.
Next Steps
- Train employees not to Save As documents from the Internet or at least not to do so with files with the .hta extension that would allow silent execution of malicious scripts.
Read more at Cybersecurity News
6. Qantas Data Breach Impacts Up to 6 Million Customers
Australian airline Qantas disclosed a data breach impacting up to six million customers, exposing personal information such as names, email addresses, phone numbers, birthdates, and frequent flyer numbers due to a compromised third-party platform; no financial or passport data was affected.
Read more at SecurityWeek, CSO Online
7. Patch now: Citrix Bleed 2 vulnerability actively exploited in the wild
A critical out-of-bounds read vulnerability (CVE-2025-5777) in Citrix NetScaler ADC and Gateway devices known as "Citrix Bleed 2" is under active exploitation, enabling attackers to hijack sessions and bypass multifactor authentication, posing severe risks to enterprise networks; urgent patching and session termination are advised.
Next Steps
- Deploy Citrix June 17 patches for all affected NetScaler ADC/Gateway builds.
Read more at CSO Online, SecurityWeek
8. Scattered Spider Shifts Focus to Airlines with Strikes on Hawaiian and WestJet
The cybercrime group Scattered Spider, known for sophisticated social engineering, has shifted its attacks to the airline industry, with confirmed incidents on Hawaiian Airlines and WestJet. The group exploits helpdesk identity processes to bypass MFA and steal sensitive data, posing a significant threat during peak travel seasons.
Read more at CSO Online, Dark Reading
9. US DOJ makes progress combatting North Korean remote IT worker schemes
The US Department of Justice has disrupted North Korean remote IT worker schemes by arresting facilitators, seizing financial accounts, fraudulent websites, and computers tied to 'laptop farms' used to lend legitimacy to illicit workers.
Read more at CSO Online, The Hacker News, Dark Reading
10. Criminals take malicious AI to the next level
Criminals are fine-tuning malicious AI models (named WormGPT and FraudGPT) with breached data to enhance fraud schemes, including phishing and deepfake services, and offering prompt engineering-as-a-service to bypass mainstream AI safeguards.
Read more at CSO Online
English 
Estonian