{"id":21726,"date":"2026-04-06T14:51:55","date_gmt":"2026-04-06T12:51:55","guid":{"rendered":"https:\/\/kordon.app\/?p=21726"},"modified":"2026-04-06T14:51:57","modified_gmt":"2026-04-06T12:51:57","slug":"latest-interesting-cybersecurity-news-2026-06-04","status":"publish","type":"post","link":"https:\/\/kordon.app\/et\/latest-interesting-cybersecurity-news-2026-06-04\/","title":{"rendered":"Latest Interesting Cybersecurity News &#8211; 2026-06-04"},"content":{"rendered":"\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><strong>I go through about 25 cybersecurity news portals and blogs every week and pull out the most interesting stories. <\/strong>Then I turn them into this short, digestible summary, so you can stay up to date without trying to follow 25 different sources yourself. \ud83d\ude31<\/p>\n\n\n\n<p>My aim is to create a summary that gives you the gist without needing to open up the source article. But if you do want to dig deeper, all the sources covering the event are linked below each story.<\/p>\n\n\n\n<p><strong>If you enjoy these, come back next Monday<\/strong><\/p>\n\n\n\n<p><strong>scroll to the bottom to subscribe to the e-mail newsletter.<\/strong><\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">1. Some &#8220;Leaked&#8221; Claude Code repos on GitHub were hiding infostealer malware<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">After Anthropic accidentally exposed the source code for Claude Code, <b>hackers reposted \u201cleaked\u201d copies on GitHub that contained infostealer malware<\/b> alongside legitimate mirrors. Anthropic has been issuing copyright takedowns to remove the leak, but the incident shows how quickly high-demand developer tooling can become a malware delivery lure when users are primed to copy\/paste install commands. 
&nbsp; &nbsp;<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Some GitHub repos claiming to host the Claude Code leak were modified to include infostealer malware<\/b><\/li>\n\n\n<li><b>Attackers registered typosquat\/internal-looking npm package names<\/b> (audio-capture-napi, color-diff-napi, image-processor-napi, modifiers-napi, url-handler-napi) under the account \u201cpacifier136,\u201d initially as empty stubs consistent with \u201creserve-then-poison\u201d supply-chain tactics.<\/li>\n\n\n<li><b>The exposed npm release was Claude Code version 2.1.88<\/b>, which users reported contained a source map file enabling access to nearly 2,000 TypeScript files (512,000+ lines); the version is no longer available on npm.<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Warn developers not to run or build from \u201cClaude Code leak\u201d GitHub repos<\/b> (especially forks claiming to be \u201cfixed\u201d or \u201ccompiled\u201d), and treat any such clone-and-run instructions as untrusted software.<\/li>\n\n\n<li><b>Block and\/or alert on the typosquat npm packages<\/b> audio-capture-napi, color-diff-napi, image-processor-napi, modifiers-napi, and url-handler-napi in your dependency controls and artifact proxy.<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.wired.com\/story\/security-news-this-week-hackers-are-posting-the-claude-code-leak-with-bonus-malware\/\">WIRED<\/a>, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/claude-code-leak-used-to-push-infostealer-malware-on-github\/\">BleepingComputer<\/a>, <a href=\"https:\/\/thehackernews.com\/2026\/04\/claude-code-tleaked-via-npm-packaging.html\">The Hacker News<\/a>, <a href=\"https:\/\/www.csoonline.com\/article\/4152830\/anthropic-employee-error-exposes-claude-code-source-2.html\">CSO Online<\/a><\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">2. ImageMagick turns a single image upload into full server compromise on most default Linux configurations<\/h2>\n\n\n\n<pre class=\"wp-block-verse\"><b>Researchers behind pwn.ai <\/b>report a multi-step ImageMagick attack chain where <b>crafted uploads are mis-identified and routed into Ghostscript\/ImageMagick code paths that enable arbitrary file read\/write and, in some setups, RCE<\/b>. The write primitive can be escalated by combining Ghostscript\u2019s ability to write into \/tmp with ImageMagick\u2019s MSL scripting features to move a webshell-like payload into a web-accessible location.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>This attack works across most default server configurations<\/b> \u2014 Ubuntu, Debian, RHEL, Amazon Linux, and most Docker images all ship with the vulnerable &#8220;open&#8221; policy. 
Even hardened configurations using the &#8220;limited&#8221; or &#8220;secure&#8221; policy have known bypasses.&nbsp;<\/li>\n\n\n<li><div><b>The attack starts with uploading a malicious file disguised as a regular image<\/b> to trigger ImageMagick&#8217;s PostScript processing engine.<\/div><\/li>\n\n\n<li><div><b>ImageMagick routes the file to Ghostscript for processing<\/b> \u2014 the EPT file format used to trigger the exploit is not on any policy blocklist by default.<\/div><\/li>\n\n\n<li><div><b>The file contains embedded PostScript instructions that tell Ghostscript to write a webshell to \/tmp.<\/b><\/div><\/li>\n\n\n<li><div><b>ImageMagick&#8217;s own MSL scripting feature then reads the webshell from \/tmp and copies it to a web-accessible location,<\/b> bypassing Ghostscript&#8217;s sandbox entirely.<\/div><\/li>\n\n\n<li><div>The attacker now has <b>a publicly accessible URL that executes commands on the server with full remote code execution<\/b>.<\/div><\/li>\n\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If PDF uploads from untrusted sources are required, find an alternative way to process them. <b>As of now, safe PDF processing through ImageMagick and Ghostscript is not possible.<\/b><\/li>\n\n\n<li><b>Check if you&#8217;re exposed: <\/b>you accept file uploads from untrusted sources and use ImageMagick + Ghostscript to process them (for example, this is very common on WordPress sites).<\/li>\n\n\n<li><div><div><b>Switch to the &#8220;secure&#8221; policy for ImageMagick, then explicitly add PDF and EPT to the blocklist.&nbsp;<\/b><\/div><\/div><\/li>\n\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/pwn.ai\/blog\/imagemagick-from-arbitrary-file-read-to-rce-in-every-policy-zeroday\">pwn.ai<\/a><\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">3. 
Google Drive Cuts Sync to Stop Ransomware Spreading to the Cloud<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Google has moved Google Drive\u2019s ransomware detection and file restoration features into general availability, using Drive for desktop to <b>spot ransomware activity on an endpoint and<\/b> <b>automatically pause sync to prevent encrypted files from propagating into Google Workspace<\/b>.&nbsp;<div><br><\/div><div>Google says an updated AI model improves coverage and speed, detecting <b>14\u00d7 more infections than the September 2025 beta<\/b>.<\/div><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The mechanism is driven by <b>Google Drive for desktop detecting ransomware behavior locally<\/b> and then stopping synchronization as an automated containment step.<\/li>\n\n\n<li>When detections occur, Google Drive sends <b>warning emails to the impacted user and domain administrators<\/b>, and also raises dedicated alerts in the Admin console security center.<\/li>\n\n\n<li>The new restoration workflow lets users <b>select multiple affected files and bulk-revert to pre-infection versions<\/b> via a recovery interface.<\/li>\n\n\n<li>Both features are <b>enabled by default<\/b> and can be managed per Organizational Unit in the Google Workspace Admin console.<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Confirm <b>ransomware detection is enabled for the relevant Organizational Units<\/b> in the Google Workspace Admin console (Drive and Docs settings) and aligns with your licensing tier.<\/li>\n\n\n<li><b>Set min-release-age (or equivalent) in your global package manager<\/b> (npm, yarn, bun, pnpm) config to delay installing newly published versions.<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/cybersecuritynews.com\/google-drive-ransomware-detection-2\/\">Cybersecurity News<\/a><\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">4. 
macOS Tahoe 26.4 adds a Terminal paste warning to slow ClickFix-style \u201ccopy\/paste\u201d command attacks<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Apple added a new macOS Tahoe 26.4 Terminal protection that <b>delays execution and warns users when they paste potentially risky commands<\/b>. The feature targets ClickFix-style social engineering, where attackers convince users to paste commands themselves\u2014sidestepping many traditional security prompts because the action is user-initiated.<\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Apple did not document the new mechanism in the macOS Tahoe 26.4 release notes<\/b>, and users first reported it in the 26.4 release candidate.<\/li>\n\n\n<li>The warning message states <b>no damage has been done because execution was halted<\/b> and notes that scammers often distribute malicious instructions via multiple channels.<\/li>\n\n\n<li>Based on user reports, the alert is triggered when <b>commands are copied from Safari and pasted into Terminal<\/b>.<\/li>\n\n\n<li>One tester reported the warning may be <b>shown only once per session<\/b>, with subsequent pastes (including dangerous examples) not prompting again.<\/li>\n\n\n<li>Another user observed the system may perform <b>some form of command risk analysis<\/b>, as innocuous commands did not trigger the warning.<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Update Macs to <b>macOS Tahoe 26.4<\/b> where feasible to gain the Terminal paste warning behavior.<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/apple-adds-macos-terminal-warning-to-block-clickfix-attacks\/\">BleepingComputer<\/a><\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">5. 
Compromised Axios npm releases pulled in a hidden dependency that installed a cross-platform RAT<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Attackers hijacked an Axios maintainer\u2019s npm account and published compromised Axios versions that <b>silently installed a cross-platform RAT via a hidden dependency and postinstall script<\/b>.<br>Axios is one of the most downloaded open-source libraries on the internet \u2014 it's a JavaScript HTTP client used to make API requests from both browsers and Node.js servers. With roughly&nbsp;<strong>60 million weekly downloads on npm<\/strong><br><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The trojanized releases were <b>axios v1.14.1 and v0.30.4<\/b>, which added the runtime dependency plain-crypto-js@4.2.1 rather than modifying Axios source code.<\/li>\n\n\n<li>The malicious dependency used an obfuscated Node.js dropper that <b>called out to sfrclak[.]com:8000<\/b>, disguising requests with npm-like paths (packages.npm[.]org\/product0\/1\/2 depending on OS).<\/li>\n\n\n<li>Delivered payloads were OS-specific but aligned to one framework: <b>Mach-O (macOS), PowerShell-based RAT (Windows), and Python RAT (Linux)<\/b>, all beaconing roughly every 60 seconds and supporting commands including runscript and self-terminate.<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Add a control to reduce recurrence, such as <b>blocking\/alerting on npm lifecycle script execution (postinstall) in CI<\/b> except for explicitly approved packages.<\/li>\n\n\n<li>Immediately <b>identify and remove axios v1.14.1 and v0.30.4<\/b> from builds and lockfiles; rebuild\/redeploy from known-good dependencies.<\/li>\n\n\n<li>Hunt for installation artifacts and dependency presence, including <b>node_modules\/plain-crypto-js<\/b> and any outbound connections to sfrclak[.]com:8000.<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a 
href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/hackers-compromise-axios-npm-package-to-drop-cross-platform-malware\/\">BleepingComputer<\/a>, <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/04\/01\/mitigating-the-axios-npm-supply-chain-compromise\/\">Microsoft Security Blog<\/a>, <a href=\"https:\/\/thehackernews.com\/2026\/04\/unc1069-social-engineering-of-axios.html\">The Hacker News<\/a>, <a href=\"https:\/\/www.csoonline.com\/article\/4152696\/attackers-trojanize-axios-http-library-in-highest-impact-npm-supply-chain-attack.html\">CSO Online<\/a>, <a href=\"https:\/\/socket.dev\/blog\/axios-maintainer-confirms-social-engineering-behind-npm-compromise?utm_medium=feed\">Socket<\/a>, <a href=\"https:\/\/unit42.paloaltonetworks.com\/axios-supply-chain-attack\/\">Unit 42<\/a><\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">6. LinkedIn JavaScript fingerprints Chrome users by probing 6,000+ installed browser extensions<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Researchers reported that <b>LinkedIn runs a background scan for thousands of Chrome extension IDs every time users visit the site in Chromium-based browsers<\/b>, then transmits the results back to LinkedIn as tracking telemetry.&nbsp;<div><br><\/div><div><b>The mechanism uses both direct resource probes <\/b>(to confirm whether specific extensions are installed) and <b>DOM inspection<\/b> (to spot extension artifacts), <b>raising concerns about undisclosed browser fingerprinting.&nbsp;<\/b><\/div><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The hardcoded target list reportedly grew from <b>5,459 extensions (Dec 2025) to 6,167 (Feb 2026)<\/b>, and includes a specific internal resource path per extension that is expected to be web-accessible.<\/li>\n\n\n<li>Detected IDs are sent as <b>AedEvent and SpectroscopyEvent payloads to https:\/\/www.linkedin.com\/li\/track<\/b><\/li>\n\n\n<li><b>LinkedIn confirmed the scanning but denied 
harm, calling the report &#8220;plain wrong&#8221;<\/b> and trying to discredit it by attributing the claim to a developer whose account was banned for scraping.<\/li>\n\n\n<li><b>LinkedIn framed it as anti-scraping protection<\/b> \u2014 but the scan list includes tools that are probably not scraping anything (grammar tools, pharmacy software, and Amazon schedulers).<\/li>\n\n\n<li><strong>LinkedIn has made no commitments in response:<\/strong>&nbsp;no plans to update its privacy policy, add an opt-out mechanism, or stop the scanning.<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a href=\"https:\/\/browsergate.eu\/how-it-works\/\">browsergate.eu<\/a>, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/linkedin-secretly-scans-for-6-000-plus-chrome-extensions-collects-data\/\">BleepingComputer<\/a>, <a href=\"https:\/\/hackread.com\/browsergate-linkedin-track-browser-extensions-user-pc\/\">Hackread<\/a><\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">7. 
EvilTokens PhaaS drives 37\u00d7 surge in Microsoft device-code phishing that bypasses password capture<\/h2>\n\n\n\n<pre class=\"wp-block-verse\">Researchers report a sharp <b>37x rise in Microsoft 365 \u201cdevice code\u201d phishing, <\/b>where victims are tricked into completing a legitimate Microsoft device-login flow that <b>hands attackers valid access and refresh tokens without stealing the password<\/b>.&nbsp;<div><br><\/div><div>The newly popular <b>EvilTokens \u201cphishing-as-a-service\u201d kit productizes this technique <\/b>with BEC-focused features and Telegram-based automation, accelerating adoption across criminal communities.<\/div><\/pre>\n\n\n\n<p><strong>Key Details<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>EvilTokens templates impersonate common business lures (e.g., document signature\/viewing, quarantine\/security notices, calendar\/SharePoint\/voicemail themes)<\/li>\n\n\n<li><b>Victims enter the code on a real microsoft.com login page; the code is tied to the attacker&#8217;s pre-registered device<\/b><\/li>\n\n\n<li>Attackers obtain OAuth access and refresh tokens (not necessarily raw credentials),&nbsp;<b>allowing persistent access<\/b>&nbsp;to Outlook, Teams, OneDrive<\/li>\n\n\n<li><strong>The EvilToken kit automatically upgrades stolen refresh tokens to Primary Refresh Tokens (PRTs)<\/strong>&nbsp;\u2014 granting silent 90-day SSO access across all Microsoft 365 apps and bypassing MFA with no further victim interaction required<\/li>\n\n<\/ul>\n\n\n\n<p><strong>Next Steps<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><b>Create an allowlist of authorized OAuth apps<\/b> in your tenant<\/li>\n\n\n<li><b>Disable device code flow in conditional access if not required<\/b><\/li>\n\n\n<li><b>Inventory and audit OAuth integrations and their scopes<\/b><\/li>\n\n<\/ul>\n\n\n\n<p><strong>Read more at <\/strong><a 
href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/device-code-phishing-attacks-surge-37x-as-new-kits-spread-online\/\">BleepingComputer<\/a>, <a href=\"https:\/\/www.csoonline.com\/article\/4153742\/eviltokens-abuses-microsoft-device-code-flow-for-account-takeovers.html\">CSO Online<\/a>, <a href=\"https:\/\/blog.sekoia.io\/new-widespread-eviltokens-kit-device-code-phishing-as-a-service-part-1\/\">Sekoia<\/a><\/p>\n\n\n\n\n\n<h2 class=\"wp-block-heading\">Subscribe<\/h2>\n\n\n\n<p>Subscribe to receive this weekly cybersecurity news summary to your inbox every Monday.<\/p>\n\n\n                <div class=\"ml-embedded\" data-form=\"pKq7EM\"><\/div>\n            ","protected":false},"excerpt":{"rendered":"<p>Latest interesting cybersecurity news from April 2026<\/p>","protected":false},"author":1,"featured_media":21729,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32],"tags":[],"class_list":["post-21726","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/21726","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/comments?post=21726"}],"version-history":[{"count":2,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/21726\/revisions"}],"predecessor-version":[{"id":21730,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/posts\/21726\/revisions\/21730"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/media\/21729"}],"wp:attachment":[{"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2
\/media?parent=21726"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/categories?post=21726"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kordon.app\/et\/wp-json\/wp\/v2\/tags?post=21726"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}