-->
#1 Trusted Cybersecurity News Platform
Followed by 5.70+ million
The Hacker News Logo
Get the Latest News
cybersecurity

The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

How Pentera Turns AI Security Workflows into Validation Engines

How Pentera Turns AI Security Workflows into Validation Engines

Jul 14, 2026 Artificial Intelligence / Security Agent
AI security agents are starting to influence real security decisions. They summarize findings, prioritize remediation, recommend next steps, and help teams move faster. But most still rely on fragmented risk signals: scanner output, severity scores, threat intelligence, configuration findings, and exposure data. That fragmentation matters because attackers do not move through environments one tool category at a time. They chain exposures across identities, networks, cloud assets, applications, and security controls. If the AI workflow only sees isolated findings, it cannot understand whether those findings create a real attack path. As AI-powered attackers accelerate exploitation, security teams need more than faster AI-assisted workflows. They need workflows grounded in evidence that can prove which risks are exploitable. These systems can correlate information and identify patterns, but without validation, they cannot answer the question security teams ultimately care about: C...
OAuth Client ID Spoofing Lets Attackers Validate Stolen Microsoft Entra Credentials

OAuth Client ID Spoofing Lets Attackers Validate Stolen Microsoft Entra Credentials

Jul 14, 2026 Cloud Security / Identity Security
At least two distinct threat actors are weaponizing a novel evasion technique called OAuth client ID spoofing in cloud campaigns, while slipping past telemetry. The activity allows users to enumerate user accounts and validate stolen credentials in Microsoft Entra ID environments, without ever generating a successful sign-in event that would otherwise alert defenders. And bad actors have begun to exploit this gap to obtain unauthorized access to an organization's cloud services. "A blind spot in cloud sign-in telemetry: Entra ID returns different error responses depending on whether a supplied OAuth client ID is valid," Proofpoint said in a statement. "Attackers exploit this to infer valid usernames and correct passwords at scale, effectively checking stolen credential lists without logging a successful login." In other words, the attacks leverage the OAuth client ID, a globally unique identifier (GUID) assigned to applications when requesting access to ...
Grok Build Uploaded Entire Git Repositories to xAI Storage, Not Just Files It Read

Grok Build Uploaded Entire Git Repositories to xAI Storage, Not Just Files It Read

Jul 14, 2026 Artificial Intelligence / Data Privacy
xAI's Grok Build coding CLI was uploading entire Git repositories, full commit history and all, to a Google Cloud Storage bucket run by xAI, not just the files a coding task needed. A researcher publishing as cereblab , testing version 0.2.93 , captured one of those uploads, cloned the git bundle out of the intercepted request, and pulled back a file the agent had been told in plain terms not to open. The upload rode a separate channel from the model itself, and the byte split is hard to argue with. On a 12 GB repo of files the model never read, model-turn traffic to /v1/responses came to about 192 KB while the storage channel to /v1/storage moved 5.10 GiB, a roughly 27,800x gap between what the model needed and what left the machine. That storage upload ran as 73 chunks of about 75 MB, every one returning HTTP 200, and across the researcher's size sweep the volume tracked total repo size. The destination bucket, grok-code-session-traces , is named in the binary and ...
cyber security

The AI Security Starter Pack

websiteWizAI Security / Cloud Security
Unlock 7 of the most widely used AI security resources in one place. Each asset provides practical tools for securing AI apps, models, and agents.
cyber security

11 real-world stories proving how identity drift opens active attack paths

websiteXM CyberIdentity Security / Exposure Management
Learn how attackers leverage privilege drift to reach critical assets across 11 architectural teardowns.
U.S. Sanctions First VPN Service and Malware Cryptor Seller Over Ransomware Support

U.S. Sanctions First VPN Service and Malware Cryptor Seller Over Ransomware Support

Jul 14, 2026 Network Security / Cyber Espionage
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has designated two individuals and a VPN service provider for enabling ransomware actors' and other cybercriminals' malicious activities, including ransomware attacks against Americans. The VPN, named First VPN Service ( 1VPNS ), has been accused of offering its tools to ransomware groups, along with its 45-year-old Ukrainian administrator, Dmytro Rashevskyi. The department has also sanctioned Yegeniy Vladimirovich Silayev, a Belarusian national, for selling cryptors to help conceal ransomware and other malware as safe programs to avoid being detected by security tools. First VPN was dismantled in May 2026 as part of a joint law enforcement operation by European and North American authorities for assisting criminal actors to obscure the origins of ransomware attacks, data theft, scanning, and denial-of-service attacks. The service had been operational since 2014, advertising that it neither keeps...
148 npm Packages Disguised as Student Proxies Turned Browsers Into a DDoS Botnet

148 npm Packages Disguised as Student Proxies Turned Browsers Into a DDoS Botnet

Jul 14, 2026 Browser Security / Malvertising
A campaign of 148 npm packages disguised as student web proxies turned visitors' browsers into a distributed denial-of-service botnet for roughly two weeks in May, according to new research from JFrog. The packages did not go after the developers who might install them. The operators used the registry as free hosting for a booby-trapped proxy site and let the students who came to dodge school web filters supply the attack traffic. The packages shipped under names like charlie-kirk, ilovefemboys, and miguelphonk, each carrying a proxy app branded "Lucide" and dressed as a tutoring landing page called Riverbend Tutoring or Northstar Tutoring. On the surface, the proxy worked, letting students slip past content filters to reach games and blocked sites. Underneath, it loaded a remote code loader whose payload the operators could swap at will, plus a WebSocket flood generator built to speak the Wisp proxy protocol. Anyone who opened a page joined the swarm without ...
Microsoft Maps Three Salesforce Attack Paths Tied to a Year of ShinyHunters Activity

Microsoft Maps Three Salesforce Attack Paths Tied to a Year of ShinyHunters Activity

Jul 14, 2026 SaaS Security / Identity Security
Attackers whose methods line up with the data-extortion group  ShinyHunters  have spent the past year walking into corporate Salesforce environments without exploiting a single flaw in the platform. The way in has been the trust the organization had already extended, usually through the OAuth connections that tie Salesforce to the apps and third-party vendors around it. In  research published July 13 , Microsoft mapped the campaigns, which ran from mid-2025 into mid-2026, to three distinct techniques. It also worked with Salesforce to roll out new detection and governance tooling aimed at addressing the activity authentication logs miss. That is what makes this hard to catch. When the access comes from a real user who approved a connected app, or from an integration the company already trusts, the traffic reads as ordinary use, and sign-in and authentication monitoring barely registers it. What matters is what the app or account does once it is in, and that is ex...
CrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper Checks

CrashStealer macOS Malware Uses Notarized Dropper to Pass Gatekeeper Checks

Jul 13, 2026 Endpoint Security / Cybercrime
Cybersecurity researchers have flagged a new macOS information stealer called CrashStealer that's capable of harvesting sensitive data from compromised systems. Unlike other information stealers that are built on AppleScript droppers or Objective-C-based wrappers, CrashStealer is implemented in native C++, according to Jamf Threat Labs. "It validates the victim's login password locally before harvesting, collects broadly across browsers, cryptocurrency wallets, password managers, and the keychain, encrypts what it collects with AES-GCM before exfiltrating over libcurl, and persists by copying and re-signing itself," security researcher Thijs Xhaflaire said in a report shared with The Hacker News. CrashStealer is said to be distributed by means of a signed and Apple-notarized dropper that's distributed as a disk image file named "Werkbit.app." Because both the disk image and binary are notarized and carry a valid developer ID ("Emil Grigorov...
Google and Microsoft Pull ModHeader With 1.6 Million Installs After Dormant Collector Found

Google and Microsoft Pull ModHeader With 1.6 Million Installs After Dormant Collector Found

Jul 13, 2026 Browser Security / Web Security
Google and Microsoft have pulled ModHeader , a popular header-editing extension with roughly 1.6 million installs across Chrome and Edge, after researchers found a hidden browsing-history collector built into its official store version. The collector was dormant. An empty allow-list kept it switched off, and no proof has emerged that it ever gathered or sent a single browsing domain. The analysis came from  Stripe OLT , a UK security firm, which checked the code against Google's own Web Store signature and confirmed the collector shipped inside the genuine extension, not a counterfeit. Its review covers the Chrome build and its roughly 900,000 users; third-party trackers put another 700,000 or so on Edge. Microsoft pulled the Edge listing on July 3, and Google removed the Chrome one a week later, on July 10. Version 7.0.18 (extension ID idgpnmonknjnojddfkpgkljpfnnfcklj) still edits HTTP headers as advertised. The same minified background code also contains a...
⚡ Weekly Recap: ShareFile Threat, Citrix Bleed 2 Ransomware, AI Coding Attacks, and More

⚡ Weekly Recap: ShareFile Threat, Citrix Bleed 2 Ransomware, AI Coding Attacks, and More

Jul 13, 2026 Cybersecurity / Hacking
Somewhere right now, a security tool is quietly finding bugs faster than any human can fix them. That's supposed to be the good news. The catch is that the attackers have the same tools, pointed the other way, and they don't file tickets. That's the shape of this week. Trusted code turns on the people who installed it. Old bugs from last year are still landing because the fix sat in a queue too long. Fake installers, poisoned packages, systems left facing the open internet, and helpful little AI assistants running instructions that were never yours. The gap between "patch exists" and "already exploited" keeps shrinking, and nobody's closing it. None of it is exotic. That's what wears you down. Same ordinary mistakes, just happening faster than we can keep up. Here's the full mess, top to bottom. ⚡ Threat of the Week Progress Tells ShareFile Customers to Shut Down Storage Zone Controllers — Progress urged customers to shut down Win...
New MemGhost Attack Plants Persistent False Memories in AI Agents Through One Email

New MemGhost Attack Plants Persistent False Memories in AI Agents Through One Email

Jul 13, 2026 AI Security / Data Integrity
Give an AI assistant a memory and access to your inbox, and you hand an attacker a way to rewrite what it thinks it knows about you. A single email can trick that agent into saving a false "fact" about the user, hide the change, and quietly steer its answers in later sessions. When it works, the person reads an ordinary-looking reply and never learns their assistant was tampered with. The researchers named the attack  stealth memory injection  and built a tool that writes the emails automatically. The paper, "When Claws Remember but Do Not Tell,"  landed on arXiv on 6 July 2026 . First, what these assistants do A personal agent is an AI assistant that sticks around. Instead of forgetting everything when a chat ends, it keeps notes about you in files: your preferences, your contacts, and what you asked it to do. It reads those notes at the start of every new session, which is why it feels like it knows you. Many of these agents can also act for you, readin...
Forg365 PhaaS Targets Microsoft 365 with Device Code and AitM Session Theft

Forg365 PhaaS Targets Microsoft 365 with Device Code and AitM Session Theft

Jul 13, 2026 Email Security / Artificial Intelligence
A new phishing-as-a-service (PhaaS) operation called Forg365 is using a combination of device code phishing , adversary-in-the-middle (AitM) tactics, antibot evasion, artificial intelligence (AI)-assisted lure creation, and post-compromise mailbox operations targeting Microsoft 365 accounts. Distributed via Telegram and costing $400 a month (or $3,800 per year), attack chains leverage phishing lures that make use of legitimate email delivery infrastructure, such as Amazon Simple Email Service (Amazon SES) and Twilio SendGrid, to imitate a redirection chain that blends into regular email traffic before it ends in Forg365-controlled domains. "The panel exposes a mature operator workflow: accounts, links, invitations, OAuth app configuration, redirect links, SVG generation, campaign sending, SMTP profiles, SMTP rotation, AI email generation, token vaulting, account intelligence, keyword alerts, viewer links, and browser-extension support," ZeroBEC said . The email securi...
Meta Files Patent for AI That Can Listen All Day and Track How You're Feeling

Meta Files Patent for AI That Can Listen All Day and Track How You're Feeling

Jul 13, 2026 Artificial Intelligence / Privacy
Meta has filed a patent application for an AI that listens to your voice throughout the day, works out how it thinks you are feeling from the way you sound, and keeps a timestamped log of every read. Each read gets pinned to the moment it happened: the time, your location, what you were doing, even how you were using your phone. Some versions in the filing would listen all day; others would check in only at set times. None of these ships in a product today, and Meta has not announced one; a filing like this stakes a claim on an idea long before anyone commits to building it. The application,  US 2026/0182881 , was filed by Meta Platforms in December 2025 and published on July 2. It names a single inventor, Lachlan Dunn , and traces back to a provisional filing from December 2024. The patent-analysis site  Patentlyze  flagged the filing first. Its title pairs two ideas, emotional state analysis and real-time fitness coaching. The claims show the first is the ...
Thinking Fast and Slow in the SOC: The Case for Combining Autonomous AI with Analyst Copilots

Thinking Fast and Slow in the SOC: The Case for Combining Autonomous AI with Analyst Copilots

Jul 13, 2026 Artificial Intelligence / Security Operations
A few days ago, I was sitting with the CISO of a Fortune 50 company, walking through how his security team was thinking about AI agents in the SOC. Smart team. Serious program. They had already connected Claude to a few detection tools and were seeing real value in specific investigations. But as we mapped out the broader architecture, something kept nagging at me. The design they were building was going to work beautifully for a tiny percentage of alerts that genuinely needed deep human judgment. It was going to completely ignore the rest. On the flight home, I picked up a book I had not touched in a few years. Daniel Kahneman's Thinking, Fast and Slow. Kahneman is one of the rare people who genuinely changed how we understand human decision-making. He spent his career as a psychologist studying how people actually think, as opposed to how economists assumed they did. In 2002, he won the Nobel Prize in Economics, which tells you something about how far his work traveled beyond ...
Attacker Uses Suspected AI-Generated PowerShell Script to Map Active Directory

Attacker Uses Suspected AI-Generated PowerShell Script to Map Active Directory

Jul 13, 2026 Artificial Intelligence / Threat Intelligence
Cybersecurity researchers have flagged an intrusion in which an unknown threat actor leveraged a vibe-coded PowerShell script for Active Directory (AD) enumeration. "The script looked for the Domain Controller (DC) and mapped users, computers, and domains, before creating a directory and exporting out a number of files, and finally creating AD_Report.html to measure the success of the enumeration attempt," Huntress researchers Jevon Ang and Dray Agha said . The attack chain involved the threat actor establishing Remote Desktop Protocol (RDP) access onto a domain-joined Windows Server with a set of pre-compromised credentials, followed by staging the tools in the "C:\ProgramData\" folder. The incident took place in early June 2026. This included an artificial intelligence (AI)-generated payload to map the Active Directory environment. The assessment is based on various telltale signs, such as the prompt iteration title, placeholder strings, over-engineered cod...
⚡ Top Stories This Week
Expert Insights Articles Videos
Cybersecurity Resources