โŒ

Normal view

Ransomware crims got a month-long head start on Check Point VPN 0-day that now has a fix

8 June 2026 at 19:10
Check Point released an emergency fix on Monday for a critical authentication bypass vulnerability affecting its Remote Access VPN and Mobile Access deployments - but attackers, including ransomware criminals, got a month-long head start. Attacks against the bug, tracked as CVE-2026-50751, began on May 7, according to Check Point VP of research Lotem Finkelstein, and picked up in early June. The security software vendor spotted suspicious activity and began investigating the zero-day on June 4, Finkelstein said in a Monday blog. โ€œWe have observed indications that exploitation has been limited to a relatively small number of targeted organizations (several dozen globally), primarily over the past few days,โ€ Finkelstein wrote, adding that, in at least one case, investigators observed post-compromise activity associated with a Qilin ransomware affiliate. This same ransomware scum is also likely exploiting other VPN-related vulnerabilities in Palo Alto Networks, Fortinet, and F5 products, Finkelstein said. CVE-2026-50751 is due to a logic-flow weakness in the Remote Access and Mobile Access certificate validation process, and it allows remote attackers to bypass authentication and establish a remote access VPN connection without a user password. It affects Mobile Access/SSL VPNs, Remote Access VPNs, and Spark Firewalls configured to use the deprecated IKEv1 key exchange protocol. While investigating CVE-2026-50751 and affected VPN components, Check Point found another vulnerability, CVE-2026-50752, in its Security Gateways and Spark Firewall products. Itโ€™s due to a bug in the certificate validation logic of the deprecated IKEv1 key exchange method, and can lead to man-in-the-middle attacks on the VPN site-to-site configuration. Check Point says that it hasnโ€™t received any reports of in-the-wild exploitation of CVE-2026-50752. Check Point urges customers running vulnerable gateways and firewalls to apply the hotfixes, and the vendor also provided alternative mitigation options with instructions in the security advisories. The software provider also published a list of indicators of compromise, including attacker IPs, and recommends customers search Check Point SmartConsole logs for possible VPN certificate authentication attempts associated with observed attacker infrastructure and certificate subject names for at least May 7 through June 5. ยฎ

Meta Blocks NSO Group's New WhatsApp Phishing Attack, Files Contempt Order

Meta on Monday said it detected and blocked spear-phishing attempts linked to Israeli spyware vendor NSO Group. In addition, the tech giant said it's filing a federal court contempt order against the company for violating a permanent injunction that barred it from targeting WhatsApp and its users. "They tried to trick people into clicking on malicious links to drive them to external websites

Critical Zcash Vulnerability Found and Fixed

8 June 2026 at 19:06

If youโ€™re a userโ€”owner?โ€”of this cryptocurrency, this is important:

On May 29, the security researcher Taylor Hornby found a critical vulnerability in Zcash Orchard privacy pool using Claude Opus 4.8. The Zcash team hired Hornby specifically to look for this kind of issue. He found one fast enough to be embarrassing.

The Orchard pool is the newest and most advanced shielded transaction system in the cryptocurrency Zcash. Introduced in 2022, it allows users to send and receive ZEC while keeping transaction details private. It uses zero-knowledge proofs to validate transactions without revealing amounts or participants. The bug: a specific check that was supposed to validate transaction inputs wasnโ€™t actually enforcing the rules it appeared to enforce. An attacker could have exploited the flaw to feed false inputs into that check and generate ZEC from nothing, with the zero-knowledge proof system blessing the fraudulent transaction as valid.

Itโ€™s fixed; thatโ€™s the good news. The bad news is that thereโ€™s no way of knowing if anyone exploited the vulnerability to steal money. And this fragility is the fundamental problem that makes blockchain such a bad idea.

Ransomware sends Illinois high school on an early summer vacation

8 June 2026 at 17:46
An Illinois high school won't reopen until Wednesday at the earliest after suffering a ransomware attack on Sunday, June 7. Evanston Township High School (ETHS), located 14 miles north of Chicago, said it would be closed today and tomorrow, and that the closure also affected summer school, sports camps, and on-campus activities, which are all canceled. "Upon discovering the incident, we immediately activated our incident response procedures and engaged external cyber breach attorneys and cybersecurity forensic experts to assist with the investigation and recovery process," ETHS said in a statement issued via a dedicated information page. "We are working with these specialists to determine precisely what information may have been accessed or acquired and to restore normal systems operations as quickly as possible. The district is cooperating with the Federal Bureau of Investigation (FBI) as part of the ongoing investigation." It said that phone systems are down and staff have limited access to emails. Children and their families may also not be able to access certain online resources, all of which suggests the institution may still be in the containment phase of remediation. Among the online resources currently offline is Home Access Center, which is powered by PowerSchool. PowerSchool itself was was at the center of a cybersecurity disaster in late 2024. However, ETHS has not linked the platform to the ransomware attack. All staff other than safety and operations workers were told to work from home, although their work will be limited since, for the time being, they're locked out of the district's Google accounts and "other network systems, including eSchool." "We understand this situation is disruptive and appreciate your patience and flexibility," ETHS went on to say. "Additional updates and instructions will be provided as they become available." No major ransomware group has claimed responsibility for the intrusion at the high school yet. Education under attack The ETHS incident follows a separate attack on the education sector disclosed on June 4 that affected 13 schools in Powys, Wales. Powys Council set up its own information page about the attack, although it has not revealed much, saying it is awaiting the outcome of investigations by external specialists. However, it said the attack has affected "some school systems" and personal data belonging to both staff and pupils was accessed. The council identified 13 affected schools, although the compromised data only appears to have been taken from one of these, according to current information. Its information page repeatedly uses the phrase "because of the sensitive nature of the data." The council cites this as the reason for not revealing information such as which schools were affected, how many individuals are affected, what types of data have been accessed, and whether this included sensitive or safeguarding-related data. It also refused to say whether the attack involved ransomware or who was responsible for it. However, it said the risk of identity fraud would vary by individual, hinting that different types of personal data may have been accessed. Powys Council confirmed that all schools across the region remain open, and the cyberattack does not affect their day-to-day safety or operations. Education remains a strong target for cybercriminals. Given the sensitivity of the data these organizations store, it makes the sector one of the most attractive for financially motivated criminals looking for an extortion payment. In the UK, the Information Commissioner's Office said that between 2022 and 2024, pupils were responsible for 57 percent of 214 school data breaches, often using stolen login details. ยฎ

Americans lost nearly $900 million to AI-powered scams, FBI says

8 June 2026 at 17:02

The 2025 Federal Bureau of Investigation (FBI) Internet Crime Report shows that Americans reported $893,346,472 in AIโ€‘related scam losses.

Those losses stem from 22,364 AI-related complaints. And these figures represent only the reported losses, which may well be the proverbial tip of the iceberg.

The main drivers behind the rise in AI-powered scams are voice cloning, deepfake images and videos, and AIโ€‘generated scripts. These tools have supercharged classic fraud schemes such as romance scams, kidnapping and extortion calls, fake influencers, and government impersonation.

Michael Machtinger, deputy assistant director of the FBI Cyber Division, told theย Wall Street Journal:

โ€œAI-created fraudulent communications can look very official and very legitimate to even the most trained individuals.โ€

The FBI and financial institutions recommend verifying identities via official contact channels. One of their biggest concerns is government impersonation scams, which have evolved from crude IRS giftโ€‘card phone calls into sophisticated, multiโ€‘channel operations that combine spoofed caller ID, stolen agency logos, and AIโ€‘generated audio and video of public officials.

This report, and others like it, shows how AI is being weaponized to automate research on victims, generate convincing scripts, and create highly believable deepfake personas at scale.

AI is also increasingly used in business email compromise (BEC), romance scams, and impersonation fraud. In BEC cases involving AI, losses have already reached tens of millions of dollars for businesses alone.

For a broader look at why AI is simultaneously fueling scams like these and becoming indispensable to defending against them, see my article AI: Threat, tool, or both?

It explains how both defenders and criminals use AI to find vulnerabilities, and why security vendors increasingly rely on AI to process vast amounts of telemetry, detect anomalies, and keep pace with threats that โ€œno longer move at human speed.โ€

How to stay safe

Consumer protection agencies have documented a growing list of the ways scammers are using AI to try to rip people off. The main problem is that we can no longer take it at face value that the person weโ€™re talking to is who they claim to be.

Government agencies and financial institutions recommend that you:

  • Be skeptical of urgent payment demands, especially those involving cryptocurrency or gift cards
  • Limit the amount of voice and video content you share publicly, as it can be reused by scammers
  • Report incidents quickly to your bank(s) and IC3.gov

Pro tip: Malwarebytes Scam Guard can help you determine whether a message is a scam and guide you through the next steps.


Something feel off? Check it before you click.ย ย 

Malwarebytes Scam Guardย helps youย analyzeย suspicious links, texts, and screenshots instantly.ย ย 

Available withย Malwarebytes Premium Securityย for all your devices, and in theย Malwarebytes app for iOS and Android.ย ย 

Try it free โ†’ย 

Critical Check Point VPN Flaw Exploited to Bypass Passwords in IKEv1 Setups

Check Point has warned of active exploitation of a critical vulnerability impacting Remote Access VPN and Mobile Access deployments that are configured to use the deprecated IKEv1 key exchange protocol. The vulnerability, tracked as CVE-2026-50751 (CVSS score: 9.3), is a case of a logic flow weakness in certificate validation that allows an unauthenticated remote attacker to bypass user

GitHub nukes 70+ Microsoft repos, breaks CI/CD pipelines, following suspected worm infections

8 June 2026 at 15:56
Microsoftโ€™s GitHub temporarily disabled over 70 repositories after they were reportedly compromised by a worm in the latest open source supply chain attack. The code shack took down 73 repos within the space of 105 seconds after its alarms were tripped on Friday, June 5, after detecting signs of the Miasma worm infecting its projects, according to StepSecurityโ€™s co-founder and CTO, Ashish Kurmi. โ€œOur priority is to protect customers and the broader ecosystem. We temporarily removed some repositories as we investigated potential malicious content," a Microsoft spokesperson told us on Wednesday, two days after this story was originally published. "All of these repos have been restored after review. As part of our investigation, we notified a small number of customers who may have pulled down content from the affected repositories. We will continue to investigate, and if anything further is identified that requires customer action, we will reach out directly through our established support channels.โ€ Users reported issues quickly on Friday, after visits to those repos all resulted in the same message displayed, indicating that they had been disabled due to terms of service violations. According to StepSecurityโ€™s analysis, the attack kicked off after a compromised contributor account pushed a malicious commit to Azure/durabletask. The commit dropped configuration files that triggered remote code execution on machines when a developer opened the repo in an IDE or AI coding tool, such as Claude Code, Gemini CLI, and Cursor. Several developers soon reported broken CI/CD pipelines, a support thread showed, although a moderator said at the time this was due to โ€œan internal management issue.โ€ "The repo that most immediately caused issues was Azure/functions-action,โ€ Kurmi wrote, used to deploy code to Azure. With it being taken down, every workflow that referenced Azure/functions-action@v1 stopped resolving. GitHub stepped in a few hours after the repos were infected by the malicious commit. Its automated detections kicked in and disabled the repos in under two minutes, in two separate waves. However, it was the borking of the durabletask family that hinted at the bigger picture, that the attack was indeed a re-opening of the previous Miasma worm attack that hit Microsoft last month. Microsoftโ€™s durabletask PyPi package was a previous target of the Miasma worm on May 19. Within a 35-minute window, three versions of the package were uploaded to PyPi, which planted infostealers on developersโ€™ machines, specifically sniffing out cloud secrets and developer tool configurations on Linux systems. Crucially, the re-targeting of durabletask suggests the tokens associated with the compromised developer account used to execute the PyPi attack were not fully rotated, allowing an attacker to gain access and push commits to GitHub, Kurmi said. It was either that, or the contributor was re-compromised through the worm's own propagation loop, or a different contributor's token was used but the attacker altered the metadata to make it look like a repeated attack. Security shop Snyk described Miasma as a descendant of the Mini Shai Hulud worm. Itโ€™s the same one that ravaged open source packages over at the npm registry, including Red Hatโ€™s, earlier this month. Cybercrime group TeamPCP claimed responsibility for developing Mini Shai Hulud, which itself is named after an earlier worm of the same name, sans โ€œmini.โ€ However, because TeamPCP open-sourced Mini Shai Hulud, itโ€™s difficult to tell whether it was also behind Miasma or if someone else took the reins on the follow-up project. StepSecurity also reported that two days before the Microsoft attack, the same worm was making a nuisance of itself at npm, compromising more than 50 packages, including a Vapi.ai SDK with more than 408,000 monthly downloads.ยฎ Updated on June 10 with new comment from Microsoft and the fact that the repos have now been restored.

AI Phishing Is Crushing SOCs with Alert Volume: How to Reduce Tier 1 Overload

Phishing has always been a numbers game. AI has turned it into a volume machine. Attackers can now create convincing emails, fake login pages, and tailored lures in minutes. Every polished message adds another case for Tier 1 to review, another link to inspect, and another alert that cannot be dismissed at a glance. As the queue grows, a credential theft attempt or malware delivery can easily

โšก Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and More

Monday again. The weekend was meant to be quiet. It wasn't. Last week had poisoned packages, a broken AI helper, and a worm tearing through repos. The ugly part: basic tricks still worked. A chatbot got fooled. A bot token got leaked inside the malware. The same old mistakes showed up again. And while everyone chased the loud stuff, quieter attackers sat in inboxes for months, reading mail and

NSO Group back in Meta's crosshairs after alleged WhatsApp targeting

8 June 2026 at 14:10
Meta has asked a federal judge to hold Israeli spyware maker NSO Group in contempt of court after claiming it caught the surveillance vendor targeting WhatsApp users again despite a permanent injunction ordering it to stop. In a blog post on Monday, Meta said it had disrupted "NSO-linked social engineering attempts" after investigating reports from users. According to the company, the activity involved attempts to lure targets into clicking malicious links that redirected them to websites outside WhatsApp, as well as the creation of test accounts and groups on the messaging platform. "We successfully disrupted NSO-linked social engineering attempts after investigating user reports," Meta said. "They tried to trick people into clicking on malicious links to drive them to external websites outside of WhatsApp, similar to previously reported 1-click phishing campaigns linked to NSO." WhatsApp also published a handful of domains it linked to the campaign, including ikhwancast[.]com, ghazacast[.]com, and fr24cast[.]com, and said it was releasing indicators to help organizations identify related activity. The move marks the latest chapter in the long-running legal battle between Meta and the Israeli spyware maker. A US court found NSO liable in December 2024 for hacking WhatsApp users via its Pegasus spyware. In May 2025, a jury awarded Meta roughly $168 million in damages, but the judge later cut that to $4 million while issuing a permanent injunction barring NSO from targeting WhatsApp or its users. Meta, however, says NSO didn't get the memo. "Last year, WhatsApp made history by securing a landmark verdict and permanent injunction barring NSO Group ... from targeting WhatsApp and its users ever again," the company wrote. "Today, we're asking the court to hold them in contempt of that order." The company provided few technical details about the activity, such as when it occurred, how many users were targeted, whether any compromises were successful, or how it attributed the operation to NSO. Meta did not respond to The Registerโ€™s questions. However, the blog post adopts a hard line on the spyware industry than previous updates, repeatedly describing commercial spyware as a national security issue. "When a malicious company on the US government's Entity List continues to defy US courts, existing restrictions must remain firmly in place," WhatsApp wrote. "Easing them would undermine US national security and put American companies and billions of people worldwide who depend on secure communications at risk." If Meta's allegations are accurate, the episode suggests that a court loss is not enough to persuade a spyware vendor to leave a high-value target alone. ยฎ

The Hardest Fork

Mythos is real. I know a big chunk of the industry thinks it's a marketing stunt, and I get why. I get it. But I've seen the findings, and they're bad. These aren't "whoops, this line right here is wrong, and that's RCE." They're novel combinations of a few dozen issues out of thousands of things every SAST scanner already finds, chained together into something much worse. It's real creativity,

Anthropicโ€™s Project Glasswing Update

8 June 2026 at 13:01

In April, Anthropic initated Project Glasswing. The idea was to let companies use their new model to find and fix vulnerabilities in their own software. It was a fantastic PR move, and so many press outlets have uncritically parroted Anthropicโ€™s claims that itโ€™s now common wisdom that Mythos is better at finding software vulnerabilities than other models. Which is just not true.

In any case, Anthropic has published a Project Glasswing status report. Itโ€™s finding a lot of vulnerabilities in softwareโ€”yay! Some of them are even dangerous. But almost none of them has been patched. Itโ€™s weird. Thereโ€™s something fishy about the data that I donโ€™t understand. That Anthropic refuses to release detailsโ€”that it just says โ€œtrust usโ€โ€”is a big problem here.

Pirated PC games are delivering password-stealing malware

8 June 2026 at 12:53

A new Windows malware campaign hides inside pirated PC games and modified installers for franchises like Far Cry, Need for Speed, FIFA, and Assassinโ€™s Creed.

Researchers estimate that more than 400,000 devices worldwide have been infected, with around 30,000 users in the US.

The infection method is simple and effective. Users are lured into installing a fully functional free game. While the cracked and repacked game appears to work, the malware installs silently in the background.

The strain is being called โ€œRenEngine loaderโ€ and sometimes referred to as Renโ€™Py because parts of the malicious code are embedded in a legitimate Renโ€™Py launcher used to run some visual novel games. When the launcher runs, it decompresses the game files and secretly starts the infection chain.

Renโ€™Py is a legitimate, open-source visual novel engine used by developers to make story-driven games with text, images, sound, and interactive choices. The malware in this case isย notย Renโ€™Py itself. Attackers are abusing the engine or its launcher as a delivery method to hide malicious code inside pirated game installs.

In practice, the primary infection vector is software piracy. Victims download cracked games or repacked installers from unofficial sites, then run what looks like a normal game launcher or setup file. In reality, theyโ€™re infecting their computer with a malware loader.

At the time of writing, this loader is trying to deliver an infostealer called ARC, which can grab saved browser passwords, cookies, cryptocurrency wallets, autofill data, system details, and clipboard contents.

But weโ€™ve also seen other payloads being dropped, including Rhadamanthys stealer, Async Remote Access Trojan (RAT), and Backdoor.XWorm, which can expand the damage from credential theft to full remote control of the machine. That can mean account takeovers, financial fraud, crypto theft, and deeper compromise of personal or work data.

Worst of all, a user may not realize they are infected until usernames and passwords have been stolen or the machine starts behaving strangely.ย 

How to stay safe

The most important lesson here is that โ€œfreeโ€ cracked software is often a delivery mechanism for malware, not a bargain. Once a loader like this is on the machine, the real goal is usually to steal credentials or install a secondary payload that is more persistent and more damaging.

Some other general advice to stay safe:

  • Donโ€™t download installers from unofficial sources.
  • Use real-time, up-to-date anti-malware protection to block loaders.
  • Keep your software up to date, especially Microsoft patches and other security-related programs.

If you think your computer is infected and want to make sure, follow the instructions posted here. The amazing volunteers on our forums will help you through the process of cleaning your machine.


We donโ€™t just report on threatsโ€”we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices byย downloading Malwarebytes today.

โŒ