Malware

Threat actors are actively exploiting a critical security flaw in Everest Forms Pro, a WordPress plugin with about 4,000 active installations, to execute arbitrary code, leading to a complete site…

Ravie LakshmananJun 05, 2026Threat Intelligence / Cloud Security The threat actor known as PCPJack has hijacked cloud servers associated with Amazon Web Services (AWS), Google Cloud, and Microsoft Azure to…

Swati KhandelwalJun 04, 2026Malware / Open Source Cybersecurity researchers have flagged a large-scale operation that impersonates open-source and freeware projects to funnel unsuspecting users through a Traffic Distribution System (TDS)…

Planning a holiday should be exciting, fun, and not a cybersecurity risk. But booking flights, hotels, and rental properties often means sharing sensitive personal and financial information across multiple platforms….

Swati KhandelwalJun 04, 2026Vulnerability / AI Security A security researcher found a flaw in Anthropic’s Claude Code GitHub Action that let an attacker take over vulnerable public repositories running it,…

Swati KhandelwalJun 04, 2026Vulnerability / Network Security Cisco has patched a bug in Unified Communications Manager that lets an unauthenticated attacker on the network write files to the box and,…

Customer service chatbots have one job: get the user what they’re asking for without bothering a human. Meta’s new AI support assistant took that brief a little too seriously. Over…

A new batch of fake payment invoices is being staged right now, and we caught the campaign while it was still being put together. The emails impersonate PayPal, Amazon, and…

Swati KhandelwalJun 03, 2026Vulnerability / Artificial Intelligence A single poisoned notification from WhatsApp, Slack, SMS, Signal, Instagram, or Messenger could have hijacked Google Gemini’s voice assistant on Android and made…

Ravie LakshmananJun 03, 2026Malware / Microsoft Defender Cybersecurity researchers have flagged a new malspam campaign that makes use of Google’s DoubleClick domain as a way to evade detection and ultimately…

Have you ever gotten a phone call and had a gut feeling that those random digits looked extra suspicious? It happens to millions of people every day. While many people…

Ravie LakshmananJun 03, 2026Vulnerability / Software Development Cybersecurity researchers have disclosed a one-click attack via Microsoft Visual Studio Code (VS Code) that makes it possible to steal a user’s GitHub…

Phishing has changed. Slowly but surely, cybercriminals are turning to infostealers instead. Traditional phishing hasn’t gone away. Far from it. But many attackers are no longer focused solely on tricking…

Cybersecurity researchers have flagged a new campaign targeting Minecraft players via YouTube to spread malware capable of gaining control of victims’ systems. The Minecraft-focused malware-as-a-service (MaaS) campaign has been codenamed…

Sometimes it happens. You’re happily playing a game on your phone or laptop when suddenly alarms pop up out of nowhere: “Your device is infected!” “Your iCloud is full!” “Your…

A new scam is targeting people who publish Chrome extensions. The scam arrives as an official-looking “copyright removal request” claiming your extension is about to be removed from the Chrome…

AI-driven exploitation timelines are rapidly shrinking, and they are not going to stop shrinking. Vulnerabilities are being discovered, reproduced, and weaponized faster than ever in the history of enterprise security….

California has sued the former shell of DNA testing company 23andMe over alleged security failures and misleading statements surrounding its 2023 data breach. On May 27, 2026, Attorney General Rob…

Ravie LakshmananJun 02, 2026Identity Security / Data Protection Password manager Dashlane has disclosed that “fewer than” 20 users on the personal subscription plan had their encrypted vaults downloaded following a…

Ravie LakshmananJun 02, 2026Vulnerability / Mobile Security Google on Monday released patches for 124 security vulnerabilities impacting its Android operating system for the month of June 2026, including one high-severity…

Last week on Malwarebytes Labs: Payment apps are watching what you say (Lock and Code S07E11) Scammers pretending to be Microsoft had help from US executives 700+ education and tech…

A new Mini Shai-Hulud supply chain attack campaign, codenamed Miasma, has compromised @redhat-cloud-services packages to steal credentials and secrets from developer machines and deliver a self-propagating worm. “This is effectively…

Ravie LakshmananJun 01, 2026Cybersecurity / Hacking Monday hit like a cron job with anger issues. A busted auth path here, a repo-side faceplant there, some “patched-ish” thing already getting chewed…

A fake website impersonating BlueWallet (a real Bitcoin wallet) is targeting Mac users with a simple but effective attack. BlueWallet itself has not been compromised. Instead, cybercriminals have stolen the…

A new cyber espionage campaign codenamed Operation Dragon Weave has been observed targeting officials and citizens in the Czech Republic and Taiwan to deliver an AdaptixC2 agent. According to Seqrite…

Does it sometimes take your phone a few minutes to accomplish one simple task? That can be wildly frustrating. But you’re in luck, because we’ve got a free tool that…

This week on the Lock and Code podcast… In the United States today, you can have your bank account closed, your credit cards cancelled, and your online payments revoked for…

Ravie LakshmananMay 31, 2026IoT Security / Network Security Dutch authorities have announced the takedown of a botnet that enslaved millions of infected devices, including computers, tablets, smartphones, and IoT devices,…

Ravie LakshmananMay 30, 2026Vulnerability / Network Security Palo Alto Networks has warned that a recently disclosed medium-severity security flaw impacting PAN-OS and Prisma Access has come under active exploitation in…