<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Security Advisory &#8211; First Hackers News</title>
	<atom:link href="https://firsthackersnews.com/category/security-advisory/feed/" rel="self" type="application/rss+xml" />
	<link>https://firsthackersnews.com</link>
	<description>Latest cybersecurity news, real attacks, and practical IOCs—made simple and actionable.</description>
	<lastBuildDate>Thu, 02 Jul 2026 20:36:52 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://firsthackersnews.com/wp-content/uploads/2026/03/cropped-FHN_512x512-32x32.png</url>
	<title>Security Advisory &#8211; First Hackers News</title>
	<link>https://firsthackersnews.com</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Claude Cowork Sandbox Flaw Allows Root Access</title>
		<link>https://firsthackersnews.com/claude-cowork-sandbox/</link>
					<comments>https://firsthackersnews.com/claude-cowork-sandbox/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Thu, 02 Jul 2026 20:36:41 +0000</pubDate>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Cyber threat]]></category>
		<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[Cybercriminals]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[malicious cyber actors]]></category>
		<category><![CDATA[Secuirty Update]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[vulnerability]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11966</guid>

					<description><![CDATA[<p>Security researchers have uncovered a vulnerability chain in Anthropic&#8217;s Claude Cowork Sandbox that allows a local attacker to</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/claude-cowork-sandbox/">Claude Cowork Sandbox Flaw Allows Root Access</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Security researchers have uncovered a vulnerability chain in <strong>Anthropic&#8217;s Claude Cowork Sandbox</strong> that allows a local attacker to bypass multiple security protections and execute arbitrary commands as <strong>root</strong> inside the product&#8217;s isolated Linux sandbox.</p>



<p>Although the attack requires local code execution on the host system, the research demonstrates that several built-in security mechanisms can be bypassed, ultimately leading to full administrative control within the sandbox.</p>



<h2 class="wp-block-heading"><strong>How Claude Cowork Protects Its Sandbox</strong></h2>



<p>Claude Cowork Sandbox is designed to help users build applications and automate tasks using Claude Code within an isolated environment.</p>



<p>On Windows, the platform runs workloads inside a <strong>Hyper-V-based Ubuntu virtual machine</strong> protected by several security layers, including:</p>



<ul class="wp-block-list">
<li>Hyper-V isolated Ubuntu VM</li>



<li>Authenticode-based named pipe authentication</li>



<li>Bubblewrap sandbox namespaces</li>



<li>Per-session unprivileged Linux users</li>



<li>Seccomp filtering</li>



<li>Domain-restricted outbound network access</li>
</ul>



<p>These protections are intended to isolate workloads and prevent unauthorized access to the underlying environment.</p>



<h2 class="wp-block-heading"><strong>Researchers Found a Way Around the Protections</strong></h2>



<p>According to research published by <strong>Armadin</strong>, the attack targeted the <strong>CoworkVMService</strong>, a Local System service responsible for managing communication between Windows and the Ubuntu virtual machine.</p>



<p>The service uses a named pipe and validates that only applications digitally signed by <strong>Anthropic</strong> can communicate with it.</p>



<p>Researchers attempted to bypass the signature validation but found that the authentication checks correctly rejected forged signatures and invalid trust chains.</p>



<p>Instead, they identified another attack path.</p>



<h2 class="wp-block-heading"><strong>DLL Sideloading Enabled Code Execution</strong></h2>



<p>Researchers discovered that <strong>claude.exe</strong> loads <strong>USERENV.dll</strong> from its application directory before loading the legitimate Windows system library.</p>



<p>By placing a malicious <strong>USERENV.dll</strong> alongside the application, they successfully performed <strong>DLL sideloading</strong>, allowing arbitrary code to execute inside the trusted Anthropic process.</p>



<p>Because the malicious code was running within the signed application, it successfully passed the service&#8217;s identity verification.</p>



<h2 class="wp-block-heading"><strong>Root Access Achieved Through RPC Manipulation</strong></h2>



<p>After gaining code execution, researchers analyzed the application&#8217;s JSON-based RPC protocol used to communicate with the virtual machine.</p>



<p>The protocol exposed several methods, including:</p>



<ul class="wp-block-list">
<li>configure</li>



<li>startVM</li>



<li>isGuestConnected</li>



<li>spawn</li>
</ul>



<p>While most security controls continued to function correctly, researchers discovered that two parameters—<strong>isResume</strong> and <strong>allowedDomains</strong>—were forwarded directly to the sandbox daemon without sufficient validation.</p>



<p>By fuzzing the RPC interface, they reconstructed the parameter structure and identified a logic flaw.</p>



<p>Normally, setting <strong>isResume</strong> to <strong>false</strong> creates a new unprivileged Linux user.</p>



<p>However, when <strong>isResume</strong> was set to <strong>true</strong>, the existing user validation was skipped entirely.</p>



<p>This allowed researchers to specify any username, including <strong>root</strong>, and execute commands with root privileges inside the sandbox.</p>



<h2 class="wp-block-heading"><strong>Security Impact</strong></h2>



<p>The vulnerability demonstrates that multiple security boundaries can be bypassed once an attacker gains local code execution.</p>



<p>Although Anthropic&#8217;s threat model assumes local access is already required, the research highlights how privilege escalation can occur even inside heavily sandboxed AI environments.</p>



<p>Successful exploitation could allow an attacker to:</p>



<ul class="wp-block-list">
<li>Execute commands as root inside the Linux sandbox.</li>



<li>Bypass intended privilege restrictions.</li>



<li>Gain unrestricted administrative access within the virtual machine.</li>



<li>Circumvent multiple sandbox security controls.</li>
</ul>



<p>The issue was successfully demonstrated against <strong>Claude Desktop for Windows version 1.9255.2.0</strong>.</p>



<p>As AI-powered development environments continue to evolve, this research serves as a reminder that sandbox implementations should be regularly reviewed to ensure privilege boundaries cannot be bypassed through chained vulnerabilities.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/claude-cowork-sandbox/">Claude Cowork Sandbox Flaw Allows Root Access</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/claude-cowork-sandbox/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Attackers Target Oracle E-Business Suite Flaw</title>
		<link>https://firsthackersnews.com/oracle-ebs-flaw/</link>
					<comments>https://firsthackersnews.com/oracle-ebs-flaw/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Thu, 02 Jul 2026 17:23:48 +0000</pubDate>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[Secuirty Update]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[Vulnerability Research]]></category>
		<category><![CDATA[Active Exploitation]]></category>
		<category><![CDATA[CVE-2026-46817]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[oracle]]></category>
		<category><![CDATA[Oracle EBS]]></category>
		<category><![CDATA[Oracle Security]]></category>
		<category><![CDATA[security update]]></category>
		<category><![CDATA[threat intelligence]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11958</guid>

					<description><![CDATA[<p>Security researchers have identified around 950 internet-facing Oracle E-Business Suite (EBS) instances following expanded internet scanning, while attackers have</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/oracle-ebs-flaw/">Attackers Target Oracle E-Business Suite Flaw</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Security researchers have identified around <strong>950 internet-facing Oracle E-Business Suite (EBS)</strong> instances following expanded internet scanning, while attackers have already begun exploiting <strong>CVE-2026-46817</strong> in real-world attacks.</p>



<p>The findings were shared by <strong>The Shadowserver Foundation</strong>, which recently enhanced its scanning capabilities through domain-based fingerprinting in collaboration with <strong>Validin</strong>. Although the scan did not verify whether every exposed system is vulnerable, it highlights a large number of publicly accessible Oracle EBS deployments that could become potential targets.</p>



<h2 class="wp-block-heading"><strong>Active Exploitation Detected</strong></h2>



<p>Researchers at <strong>DefusedCyber</strong> have observed active exploitation attempts targeting <strong>CVE-2026-46817</strong>, indicating that threat actors are already scanning for vulnerable Oracle E-Business Suite servers.</p>



<p>The vulnerability was addressed in Oracle&#8217;s <strong>May 2026 Critical Patch Update (CPU)</strong>. While Oracle has released limited technical details, the flaw is considered serious because Oracle EBS often manages sensitive business information, including financial, HR, and operational data.</p>



<p>Compromising these systems could allow attackers to gain unauthorized access, steal sensitive information, or move laterally across enterprise networks.</p>



<h2 class="wp-block-heading"><strong>Exposure and Security Recommendations</strong></h2>



<p>Shadowserver&#8217;s public dashboard provides visibility into exposed Oracle EBS systems worldwide, while its <strong>Device ID</strong> reporting service helps organizations identify internet-facing Oracle E-Business Suite instances within their environments.</p>



<p>To reduce the risk of compromise, organizations should:</p>



<ul class="wp-block-list">
<li>Apply Oracle&#8217;s latest security patches immediately.</li>



<li>Restrict public access to Oracle EBS servers.</li>



<li>Enable strong authentication and access controls.</li>



<li>Monitor logs for suspicious activity.</li>



<li>Deploy Web Application Firewall (WAF) protections.</li>



<li>Segment Oracle EBS servers from critical internal networks.</li>
</ul>



<p>With hundreds of Oracle E-Business Suite instances exposed and attackers actively exploiting <strong>CVE-2026-46817</strong>, organizations should prioritize patching and review externally accessible systems before they become targets of compromise.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/oracle-ebs-flaw/">Attackers Target Oracle E-Business Suite Flaw</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/oracle-ebs-flaw/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>New ARToken Panel Targets Microsoft 365 Tokens</title>
		<link>https://firsthackersnews.com/artoken-panel-microsoft-365-tokens/</link>
					<comments>https://firsthackersnews.com/artoken-panel-microsoft-365-tokens/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Thu, 02 Jul 2026 16:32:22 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Secuirty Update]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[ARToken]]></category>
		<category><![CDATA[business email compromise]]></category>
		<category><![CDATA[Cisco Talos]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Device Code Phishing]]></category>
		<category><![CDATA[EvilTokens]]></category>
		<category><![CDATA[microsoft 365]]></category>
		<category><![CDATA[PhaaS]]></category>
		<category><![CDATA[threat intelligence]]></category>
		<category><![CDATA[Token Theft]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11954</guid>

					<description><![CDATA[<p>Security researchers at Cisco Talos have uncovered a phishing-as-a-service (PhaaS) platform called ARToken that appears to be closely</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/artoken-panel-microsoft-365-tokens/">New ARToken Panel Targets Microsoft 365 Tokens</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Security researchers at <strong>Cisco Talos</strong> have uncovered a phishing-as-a-service (PhaaS) platform called <strong>ARToken</strong> that appears to be closely linked to the previously identified <strong>EvilTokens</strong> infrastructure.</p>



<p>The platform provides cybercriminals with an advanced web-based dashboard that simplifies Microsoft 365 account compromise. It supports device code phishing, Primary Refresh Token (PRT) persistence, mailbox takeover, Business Email Compromise (BEC), and SharePoint data theft through an easy-to-use interface.</p>



<p>Researchers found that ARToken contains more than <strong>80 API endpoints</strong>, giving attackers a wide range of tools to manage phishing campaigns and compromised accounts.</p>



<h2 class="wp-block-heading"><strong>What Makes ARToken Dangerous?</strong></h2>



<p>ARToken offers a complete post-compromise toolkit that allows attackers to maintain access to Microsoft 365 accounts even after credentials have been changed.</p>



<p>Some of its key capabilities include:</p>



<ul class="wp-block-list">
<li>Device code phishing attacks</li>



<li>Primary Refresh Token (PRT) setup and renewal</li>



<li>Token import and export</li>



<li>Mailbox takeover</li>



<li>Business Email Compromise (BEC) operations</li>



<li>SharePoint and OneDrive file access</li>



<li>Cloudflare Workers integration for phishing pages</li>



<li>Automated inbox rule creation</li>



<li>Mass BCC email campaigns</li>
</ul>



<p>Researchers discovered these features after analyzing the platform&#8217;s <strong>1.7 MB React JavaScript bundle</strong>, which exposed the application&#8217;s client-side logic and API endpoints without requiring authentication.</p>



<h2 class="wp-block-heading"><strong>Similarities to EvilTokens</strong></h2>



<p>Cisco Talos found multiple technical similarities between ARToken and the EvilTokens platform.</p>



<p>Both platforms:</p>



<ul class="wp-block-list">
<li>Use Microsoft device code authentication phishing.</li>



<li>Return similar device authentication parameters such as <strong>device_code</strong>, <strong>user_code</strong>, <strong>verification_uri</strong>, and <strong>expires_in</strong>.</li>



<li>Support the <strong>clientMode: &#8220;broker&#8221;</strong> parameter, which uses Microsoft&#8217;s Windows Authentication Manager (WAM) to obtain Primary Refresh Tokens (PRTs).</li>



<li>Follow similar deployment methods using Cloudflare Workers.</li>



<li>Operate as multi-tenant phishing-as-a-service platforms with subscription-based access and affiliate dashboards.</li>
</ul>



<p>These similarities strongly suggest that ARToken is built on, or heavily inspired by, the EvilTokens infrastructure.</p>



<h2 class="wp-block-heading"><strong>Advanced Anti-Analysis Techniques</strong></h2>



<p>ARToken also includes several techniques designed to prevent automated analysis and security research.</p>



<p>These include:</p>



<ul class="wp-block-list">
<li>User-Agent verification</li>



<li>Detection of browser automation tools</li>



<li>Browser feature fingerprinting</li>



<li>Screen size and window validation</li>



<li>Mouse and touch interaction checks</li>



<li>Runtime payload decryption using XOR encryption</li>
</ul>



<p>These protections make the platform more difficult for automated security tools and sandboxes to analyze.</p>



<h2 class="wp-block-heading"><strong>How the Phishing Campaign Works</strong></h2>



<p>Researchers observed phishing emails impersonating a legitimate contractor to target accounts payable employees.</p>



<p>The emails contained SharePoint links that appeared legitimate but redirected victims to attacker-controlled Microsoft 365 environments.</p>



<p>Other characteristics of the campaign included:</p>



<ul class="wp-block-list">
<li>Cloudflare Workers hosting phishing pages</li>



<li>Reply-chain hijacking techniques</li>



<li>Unique email variations to bypass detection</li>



<li>Failed SPF, DKIM, and DMARC authentication</li>



<li>Victims directed to <strong>microsoft.com/devicelogin</strong> and instructed to enter a device code supplied by the attacker</li>
</ul>



<p>Once the device code is entered, attackers obtain access tokens without requiring the victim&#8217;s password.</p>



<h2 class="wp-block-heading"><strong>Additional Post-Compromise Features</strong></h2>



<p>Beyond stealing tokens, ARToken provides attackers with several tools to manage compromised accounts.</p>



<p>These include:</p>



<ul class="wp-block-list">
<li>Continuous mailbox monitoring</li>



<li>Automated inbox rule creation</li>



<li>Bulk token import and export</li>



<li>Shared token management with role-based permissions</li>



<li>Dynamic phishing lure customization</li>



<li>SharePoint site management</li>



<li>Cloudflare Workers deployment directly from the dashboard</li>
</ul>



<p>These features allow attackers to maintain long-term access and streamline Business Email Compromise operations.</p>



<h2 class="wp-block-heading"><strong>Security Recommendations</strong></h2>



<p>Organizations using Microsoft 365 should take immediate steps to reduce the risk of device code phishing attacks.</p>



<p>Recommended security measures include:</p>



<ul class="wp-block-list">
<li>Monitor for unusual device registration activity.</li>



<li>Audit Primary Refresh Token (PRT) creation and renewal.</li>



<li>Revoke active sessions if compromise is suspected.</li>



<li>Enforce Conditional Access policies.</li>



<li>Monitor mailbox rule creation and suspicious email forwarding.</li>



<li>Be cautious of unexpected SharePoint links, even if they appear legitimate.</li>



<li>Train users to recognize device code phishing attempts.</li>
</ul>



<p>Because <strong>Primary Refresh Tokens (PRTs)</strong> can remain valid even after a password change, organizations should immediately revoke active sessions and tokens whenever a compromise is detected to prevent attackers from maintaining persistent access.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/artoken-panel-microsoft-365-tokens/">New ARToken Panel Targets Microsoft 365 Tokens</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/artoken-panel-microsoft-365-tokens/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Malicious Extension Swaps Crypto Wallet Addresses</title>
		<link>https://firsthackersnews.com/malicious-browser-extension-crypto/</link>
					<comments>https://firsthackersnews.com/malicious-browser-extension-crypto/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Wed, 01 Jul 2026 17:15:03 +0000</pubDate>
				<category><![CDATA[Cyber threat]]></category>
		<category><![CDATA[Cybercriminals]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[malicious cyber actors]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[Security Update]]></category>
		<category><![CDATA[Bitcoin]]></category>
		<category><![CDATA[Blockchain security]]></category>
		<category><![CDATA[browser extension]]></category>
		<category><![CDATA[Browser Security]]></category>
		<category><![CDATA[chromium]]></category>
		<category><![CDATA[Crypto theft]]></category>
		<category><![CDATA[crypto wallet]]></category>
		<category><![CDATA[cryptocurrency]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Ethereum]]></category>
		<category><![CDATA[google chrome]]></category>
		<category><![CDATA[malicious browser extension]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[threat intelligence]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11944</guid>

					<description><![CDATA[<p>Cybersecurity researchers have uncovered a sophisticated campaign distributing a malicious Chromium-based browser extension that silently replaces cryptocurrency wallet</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/malicious-browser-extension-crypto/">Malicious Extension Swaps Crypto Wallet Addresses</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Cybersecurity researchers have uncovered a sophisticated campaign distributing a malicious Chromium-based browser extension that silently replaces cryptocurrency wallet addresses during transactions. Disguised as a lightweight <strong>&#8220;Google Notes&#8221;</strong> extension, the malware is designed to steal digital assets without alerting the victim.</p>



<p>The attack is delivered through unsigned installers written in both <strong>.NET</strong> and <strong>Golang</strong>. Instead of installing the extension through an official browser store, the malware directly modifies Chromium browser files to install the extension and maintain persistence.</p>



<h2 class="wp-block-heading"><strong>How the Attack Works</strong></h2>



<p>Once executed, the installer searches for Chromium-based browsers such as <strong>Google Chrome, Microsoft Edge, Brave</strong>, and other compatible browsers. It terminates running browser processes and modifies the <strong>Preferences</strong> and <strong>Secure Preferences</strong> files to register the malicious extension.</p>



<figure class="wp-block-image size-full"><img fetchpriority="high" decoding="async" width="1024" height="818" src="https://firsthackersnews.com/wp-content/uploads/2026/07/image.png" alt="" class="wp-image-11945" srcset="https://firsthackersnews.com/wp-content/uploads/2026/07/image-177x142.png 177w, https://firsthackersnews.com/wp-content/uploads/2026/07/image-300x240.png 300w, https://firsthackersnews.com/wp-content/uploads/2026/07/image-768x614.png 768w, https://firsthackersnews.com/wp-content/uploads/2026/07/image.png 1024w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Source : McAfee</em></figcaption></figure>



<p>Researchers found that the malware recalculates browser integrity values, allowing the extension to bypass certain security checks on older Chromium versions. On newer versions, the attackers rely on social engineering or developer mode to enable the extension. After installation, the installer removes itself, leaving very few traces on the infected system.</p>



<p>Unlike traditional malware that connects to a hardcoded command-and-control server, the extension uses an <strong>EtherHiding</strong> technique. It queries a public blockchain RPC endpoint and retrieves an encoded value from a smart contract, which is decoded at runtime to obtain the active backend server. This approach allows attackers to change their infrastructure without updating the malware itself, making detection and takedown more difficult.</p>



<h2 class="wp-block-heading"><strong>Wallet Address Replacement and Detection</strong></h2>



<p>The extension requests broad permissions, including access to websites, browsing history, and clipboard data. It continuously monitors copy-and-paste activity and uses cryptocurrency-specific patterns to identify wallet addresses for multiple blockchains, including:</p>



<ul class="wp-block-list">
<li>Bitcoin (BTC)</li>



<li>Ethereum (ETH)</li>



<li>Bitcoin Cash (BCH)</li>



<li>Ripple (XRP)</li>



<li>Dash (DASH)</li>



<li>Solana (SOL)</li>
</ul>



<p>When a wallet address is copied, the extension sends it to the attacker&#8217;s backend using an embedded API key. The server responds with an attacker-controlled wallet address, which immediately replaces the original address in the clipboard. If the victim pastes the address without verifying it, the cryptocurrency is transferred directly to the attacker&#8217;s wallet.</p>



<p>Researchers also found that the installer contains embedded configuration data, including API keys, extension settings, supported wallet types, and blockchain RPC endpoints. The malicious extension is downloaded separately during installation, allowing attackers to update components without modifying the installer.</p>



<p>The campaign has affected users across multiple regions, with researchers observing a notable concentration of infections in India, suggesting opportunistic targeting of cryptocurrency users rather than a region-specific operation.</p>



<p>To reduce the risk of compromise, users should install browser extensions only from official stores, avoid running unsigned installers, carefully review requested permissions, and always verify the first and last few characters of a cryptocurrency wallet address before completing a transaction. </p>



<p>Security teams should also monitor for unauthorized changes to Chromium <strong>Secure Preferences</strong> files, unexpected browser configuration modifications, and unusual blockchain RPC traffic associated with <strong>EtherHiding</strong> infrastructure.</p>



<h2 class="wp-block-heading"><strong>IOCs</strong></h2>



<p>The post <a rel="nofollow" href="https://firsthackersnews.com/malicious-browser-extension-crypto/">Malicious Extension Swaps Crypto Wallet Addresses</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/malicious-browser-extension-crypto/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>WhatsApp Introduces Usernames for Private Messaging</title>
		<link>https://firsthackersnews.com/whatsapp-usernames/</link>
					<comments>https://firsthackersnews.com/whatsapp-usernames/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Mon, 29 Jun 2026 22:17:34 +0000</pubDate>
				<category><![CDATA[Cyber threat]]></category>
		<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[Cybercriminals]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[malicious cyber actors]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[Security Update]]></category>
		<category><![CDATA[Chat Security]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Digital Privacy]]></category>
		<category><![CDATA[Messaging]]></category>
		<category><![CDATA[Meta]]></category>
		<category><![CDATA[mobile security]]></category>
		<category><![CDATA[Online Privacy]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[Privacy Features]]></category>
		<category><![CDATA[Secure Messaging]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[Technology News]]></category>
		<category><![CDATA[whatsapp]]></category>
		<category><![CDATA[WhatsApp Usernames]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11937</guid>

					<description><![CDATA[<p>WhatsApp has introduced a new username feature designed to improve user privacy by allowing people to communicate without</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/whatsapp-usernames/">WhatsApp Introduces Usernames for Private Messaging</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>WhatsApp has introduced a new username feature designed to improve user privacy by allowing people to communicate without sharing their phone numbers. The update marks one of the platform&#8217;s most significant privacy enhancements, giving users greater control over how they connect with others.</p>



<p>Instead of exchanging phone numbers, users will be able to share a unique username when starting new conversations. This feature is especially useful when joining community groups, networking at events, or interacting with people for the first time.</p>



<p>The rollout is being introduced in phases, with users able to reserve their preferred usernames before the feature becomes widely available.</p>



<h2 class="wp-block-heading"><strong>How the Username Feature Works</strong></h2>



<p>Once the feature is enabled, new contacts will only see a user&#8217;s username instead of their phone number. Existing chats and contacts will continue to function normally, and users who prefer sharing phone numbers can continue using WhatsApp as they always have.</p>



<p>To prevent impersonation and abuse, WhatsApp has introduced several rules for creating usernames:</p>



<ul class="wp-block-list">
<li>Usernames must be <strong>3–35 characters</strong> long.</li>



<li>Only lowercase letters, numbers, periods, and underscores are allowed.</li>



<li>Every username must include at least one letter.</li>



<li>Usernames that resemble website domains, such as <strong>.com</strong> or <strong>.in</strong>, are not permitted.</li>



<li>Each username must be unique, and users can choose to match their existing Instagram or Facebook handle for consistent branding.</li>
</ul>



<p>WhatsApp has also added an optional <strong>username key</strong>, a four-digit PIN-like code that provides an additional layer of privacy. New contacts must enter this code before they can send a message, helping reduce spam and unwanted conversations. Existing contacts are not affected by this requirement.</p>



<h2 class="wp-block-heading"><strong>Improved Privacy and User Protection</strong></h2>



<p>Unlike many social media platforms, WhatsApp usernames are not searchable through a public directory. Users cannot browse or discover other usernames unless they already know the exact handle, significantly reducing unsolicited messages and unwanted contact.</p>



<p>The feature is available across Android, iOS, Windows, and WhatsApp Web as the rollout expands globally. Users can reserve a username by navigating to <strong>Settings → Account → Username</strong> on the latest version of the app. WhatsApp also provides username suggestions if a preferred handle has already been taken.</p>



<p>The new system is particularly beneficial for creators, businesses, and organizations, allowing them to use the same username across WhatsApp, Instagram, and Facebook for a consistent online identity.</p>



<p>By moving from phone number-based communication to username-based messaging, WhatsApp is strengthening user privacy while reducing unnecessary exposure of personal contact information. The update also brings the platform closer to privacy-focused messaging services that have long supported handle-based communication.</p>



<p>The post <a rel="nofollow" href="https://firsthackersnews.com/whatsapp-usernames/">WhatsApp Introduces Usernames for Private Messaging</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/whatsapp-usernames/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Langflow Vulnerability Deploys Monero Miner</title>
		<link>https://firsthackersnews.com/langflow-rce-exploit-monero-cryptominer/</link>
					<comments>https://firsthackersnews.com/langflow-rce-exploit-monero-cryptominer/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Mon, 29 Jun 2026 16:04:00 +0000</pubDate>
				<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[Security Update]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[Vulnerability Reports]]></category>
		<category><![CDATA[Vulnerability Research]]></category>
		<category><![CDATA[AI security]]></category>
		<category><![CDATA[cloud security]]></category>
		<category><![CDATA[CVE-2026-33017]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Langflow]]></category>
		<category><![CDATA[Langflow RCE]]></category>
		<category><![CDATA[Linux malware]]></category>
		<category><![CDATA[LLM Security]]></category>
		<category><![CDATA[Monero Cryptominer]]></category>
		<category><![CDATA[RAG Security]]></category>
		<category><![CDATA[remote code execution]]></category>
		<category><![CDATA[security update]]></category>
		<category><![CDATA[threat intelligence]]></category>
		<category><![CDATA[XMRig]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11931</guid>

					<description><![CDATA[<p>Cybersecurity researchers have identified an active campaign exploiting CVE-2026-33017, a critical remote code execution (RCE) vulnerability in Langflow,</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/langflow-rce-exploit-monero-cryptominer/">Langflow Vulnerability Deploys Monero Miner</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Cybersecurity researchers have identified an active campaign exploiting <strong>CVE-2026-33017</strong>, a critical remote code execution (RCE) vulnerability in Langflow, to compromise internet-facing AI servers and deploy a customized Monero (XMR) cryptominer. </p>



<p>The campaign highlights a growing trend in which threat actors are shifting their focus from traditional Linux servers to AI platforms that power Large Language Model (LLM) applications and Retrieval-Augmented Generation (RAG) workflows.</p>



<p>The vulnerability affects <strong>Langflow versions up to 1.8.2</strong>, has received a <strong>CVSS score of 9.8</strong>, and has been added to <strong>CISA&#8217;s Known Exploited Vulnerabilities (KEV)</strong> catalog due to active exploitation. The issue has been addressed in <strong>Langflow version 1.9.0</strong>.</p>



<h2 class="wp-block-heading"><strong>How the Attack Works</strong></h2>



<p>The vulnerability exists in Langflow&#8217;s public workflow execution endpoint, where insufficient input validation allows attackers to inject and execute malicious Python code without authentication. Researchers also noted that <strong>AUTO_LOGIN</strong> is enabled by default, allowing unauthenticated users to obtain a superuser token and create public workflows, making exploitation significantly easier on exposed servers.</p>



<p>The attack begins with automated reconnaissance. Threat actors rapidly scan internet-facing Langflow instances using multiple browser user-agent strings while probing endpoints such as <strong>/health</strong>, <strong>/api/v1/version</strong>, and <strong>/manifest.json</strong>. This approach helps identify vulnerable systems while reducing the likelihood of detection.</p>



<p>Once a vulnerable server is identified, attackers exploit the flaw by sending a specially crafted request that downloads and executes a malicious shell script. Researchers observed the same workflow identifier being reused across multiple attacks, suggesting the campaign is highly automated.</p>



<p>The shell script acts as a dropper, creating hidden directories, downloading the primary malware, and launching it in the background. It also searches for SSH keys, known hosts, and active SSH agent sessions in an attempt to spread laterally to additional Linux systems.</p>



<h2 class="wp-block-heading"><strong>Cryptominer Deployment and Persistence</strong></h2>



<p>The primary payload is a UPX-packed Go binary designed to establish persistence while preparing the system for cryptocurrency mining.</p>



<p>Researchers observed the malware performing several actions after execution:</p>



<ul class="wp-block-list">
<li>Downloading a customized XMRig-based Monero miner.</li>



<li>Terminating dozens of competing cryptomining processes already running on the system.</li>



<li>Removing backdoor accounts left behind by previous malware campaigns.</li>



<li>Increasing system resource limits to improve mining performance.</li>
</ul>



<p>To avoid detection, the malware disables several Linux security controls, including <strong>AppArmor</strong>, <strong>SELinux</strong>, <strong>UFW</strong>, <strong>iptables</strong>, the Linux <strong>NMI watchdog</strong>, and Alibaba Cloud&#8217;s <strong>Aliyun</strong> security agent. It also clears system logs, removes file protection attributes, and modifies system settings to make forensic analysis more difficult.</p>



<p>For long-term persistence, the malware creates scheduled cron jobs and watchdog processes that automatically restore the miner if it is removed. It also locks critical files and directories, making cleanup significantly more challenging.</p>



<p>The customized Monero miner is installed inside a hidden directory and connects to attacker-controlled mining infrastructure over <strong>TCP port 3333</strong>. Researchers also observed regular heartbeat communications with command-and-control servers, allowing attackers to monitor infected systems and maintain control of the campaign.</p>



<h2 class="wp-block-heading"><strong>Why AI Servers Are Being Targeted</strong></h2>



<p>Langflow is commonly integrated with cloud platforms, AI models, databases, and external APIs. As a result, compromised servers often contain valuable API keys, cloud credentials, database passwords, and SSH keys.</p>



<p>During the attacks, researchers observed threat actors searching for environment files and sensitive credentials that could enable lateral movement or provide access to additional enterprise resources. This makes the impact far greater than unauthorized cryptocurrency mining alone.</p>



<h2 class="wp-block-heading">Security Recommendations</h2>



<p>Organizations using Langflow should immediately upgrade to <strong>version 1.9.0 or later</strong> and ensure that vulnerable instances are not directly accessible from the internet.</p>



<p>Security teams should also:</p>



<ul class="wp-block-list">
<li>Restrict public access to Langflow deployments.</li>



<li>Monitor for unusual API requests and unexpected Python execution.</li>



<li>Review systems for unauthorized cron jobs, background processes, and persistence mechanisms.</li>



<li>Rotate exposed API keys, SSH credentials, and cloud secrets if compromise is suspected.</li>



<li>Investigate unusual outbound connections and signs of cryptocurrency mining activity.</li>
</ul>



<p>The rapid exploitation of <strong>CVE-2026-33017</strong> demonstrates how quickly attackers weaponize vulnerabilities in AI platforms. As organizations continue adopting AI technologies, securing AI infrastructure should become a core part of enterprise cybersecurity strategies, alongside continuous monitoring, timely patch management, and strong access controls.</p>



<h2 class="wp-block-heading"><strong>IoCs</strong></h2>



<p><strong>File Hashes (SHA-256)</strong></p>



<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th class="has-text-align-left" data-align="left">Hash</th><th class="has-text-align-left" data-align="left">Description</th></tr></thead><tbody><tr><td><code>71af8bd9b8019b7e5f460ce4c5c14ff7716a2c2faaaf1f274ceaa54cb89723bc</code></td><td><code>lambsys.elf</code>&nbsp;– Go/UPX, 296 KB, 2026 variant</td></tr><tr><td><code>33588aa446984d3340cab686d38f2aa85a70eb3f76c459da3eef0304592b99df</code></td><td><code>lambsys.elf</code>&nbsp;– 2024 old variant</td></tr><tr><td><code>ddde47bf00324075c7eeb0b9d0ff0a5d1b95bfc619aca4b5def85263838212f2</code></td><td><code>procq</code>&nbsp;– customized XMRig miner</td></tr></tbody></table></figure>



<p><strong>Network Indicators</strong></p>



<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th class="has-text-align-left" data-align="left">Indicator</th><th class="has-text-align-left" data-align="left">Type</th><th class="has-text-align-left" data-align="left">Description</th></tr></thead><tbody><tr><td><code>83[.]142[.]209[.]214</code></td><td>IP / C2</td><td>Primary C2 and payload staging server</td></tr><tr><td><code>hxxp[://]83[.]142[.]209[.]214/status.php</code></td><td>URL</td><td>C2 heartbeat beacon endpoint</td></tr><tr><td><code>hxxp[://]83[.]142[.]209[.]214/setup_status.php</code></td><td>URL</td><td>C2 secondary status endpoint</td></tr><tr><td><code>hxxp[://]83[.]142[.]209[.]214:8080/isp.sh</code></td><td>URL</td><td>Dropper script delivery</td></tr><tr><td><code>hxxp[://]83[.]142[.]209[.]214:8080/lambsys</code></td><td>URL</td><td>Main malware binary delivery</td></tr><tr><td><code>hxxp[://]83[.]142[.]209[.]214:8080/ks.tar</code></td><td>URL</td><td>XMRig miner payload archive</td></tr><tr><td><code>hxxp[://]94[.]156[.]64[.]241/r.php</code></td><td>URL</td><td>Legacy C2 (2024 variant)</td></tr><tr><td><code>ipinfo[.]io (34[.]117[.]59[.]81)</code></td><td>Domain</td><td>Geo-IP check pre-mining</td></tr><tr><td><code>Go-http-client/1.1</code></td><td>User-Agent</td><td>C2 beacon UA</td></tr><tr><td><code>SystemMonitor/6.25.0 (Linux x86_64) libuv/1.24.1 gcc/8.3.0</code></td><td>User-Agent</td><td>XMRig pool login spoofed UA</td></tr><tr><td>Ports:&nbsp;<code>3333, 4444, 5555, 6666, 7777, 3347, 14444, 14433, 56415, 9999, 13531, 3380</code></td><td>TCP Ports</td><td>Mining pool ports killed and used</td></tr></tbody></table></figure>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/langflow-rce-exploit-monero-cryptominer/">Langflow Vulnerability Deploys Monero Miner</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/langflow-rce-exploit-monero-cryptominer/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Splunk Secure Gateway RCE Vulnerability Discovered</title>
		<link>https://firsthackersnews.com/splunk-secure-gateway-rce/</link>
					<comments>https://firsthackersnews.com/splunk-secure-gateway-rce/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Mon, 29 Jun 2026 09:47:00 +0000</pubDate>
				<category><![CDATA[Cyber threat]]></category>
		<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[Cybercriminals]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[malicious cyber actors]]></category>
		<category><![CDATA[Remote code execution]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[Security Update]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[Authentication]]></category>
		<category><![CDATA[CVE-2026-20251]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[deserialization]]></category>
		<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[python]]></category>
		<category><![CDATA[rce]]></category>
		<category><![CDATA[remote code execution]]></category>
		<category><![CDATA[security update]]></category>
		<category><![CDATA[Splunk]]></category>
		<category><![CDATA[Splunk Secure Gateway]]></category>
		<category><![CDATA[Splunk Security]]></category>
		<category><![CDATA[threat intelligence]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11928</guid>

					<description><![CDATA[<p>A high-severity vulnerability, CVE-2026-20251, has been identified in Splunk Secure Gateway (SSG), potentially allowing authenticated users with low-level</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/splunk-secure-gateway-rce/">Splunk Secure Gateway RCE Vulnerability Discovered</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>A high-severity vulnerability, <strong>CVE-2026-20251</strong>, has been identified in Splunk Secure Gateway (SSG), potentially allowing authenticated users with low-level privileges to execute arbitrary code on affected systems. The flaw carries a <strong>CVSS score of 8.8</strong> and poses a significant risk to organizations using Splunk Secure Gateway in enterprise environments.</p>



<p>According to security researchers, the vulnerability is caused by unsafe deserialization of user-controlled data, allowing specially crafted input to be executed on the server.</p>



<h2 class="wp-block-heading"><strong>How the Vulnerability Works</strong></h2>



<p>The issue exists in the way Splunk Secure Gateway processes alert data stored in its KV Store. A low-privileged authenticated user can submit a specially crafted JSON payload through the Splunk REST API.</p>



<p>Due to weaknesses in the application&#8217;s validation process, the malicious data is accepted as legitimate and passed to the deserialization component. This enables attackers to execute arbitrary Python code with the privileges of the Splunk service account.</p>



<p>Researchers found that the validation logic fails to inspect all fields within the submitted JSON document. As a result, attackers can bypass security checks by embedding malicious content inside otherwise valid data structures.</p>



<p>A successful attack requires only a valid low-privileged Splunk account and does not rely on user interaction, making the vulnerability particularly dangerous in shared enterprise environments.</p>



<p><strong>Below is a simplified proof-of-concept (PoC) demonstrating how the vulnerability can be exploited using a benign command:</strong></p>



<pre class="wp-block-code"><code>import jsonpickle
import subprocess

# Crafted alert document: the outer object is a legitimate SSG Alert, but
# the nested "notification" field carries a py/reduce tag that jsonpickle
# evaluates while restoring the object (here a benign "uname -a").
payload = {
    "py/object": "spacebridgeapp.data.alert_data.Alert",
    "notification": {
        "py/reduce": [
            {"py/function": "subprocess.check_output"},
            {"py/tuple": [["uname", "-a"]]}
        ]
    }
}

encoded = jsonpickle.encode(payload)

# safe=True is not sufficient: the nested py/reduce tag is still honoured
# during decoding, so the command runs as a side effect of deserialization.
decoded = jsonpickle.decode(encoded, safe=True)
print(decoded)
</code></pre>



<p>Decoding this payload runs the <code>subprocess.check_output(["uname", "-a"])</code> command during data deserialization. This confirms that enabling the <code>safe=True</code> option in <strong>jsonpickle</strong> does not fully prevent exploitation.</p>



<p>The flaw affects <strong>Splunk Secure Gateway</strong> versions <strong>3.8.x, 3.9.x, and 3.10.x</strong>, along with <strong>Splunk Enterprise</strong> versions released before <strong>10.0.7, 10.2.4, and 10.4.0</strong>. Splunk has fixed the issue in <strong>Secure Gateway versions 3.8.67, 3.9.20, and 3.10.6</strong>.</p>



<h2 class="wp-block-heading"><strong>Security Recommendations</strong></h2>



<p>To reduce the risk of exploitation, organizations should:</p>



<ul class="wp-block-list">
<li><strong>Apply the latest Splunk Secure Gateway security patches</strong> immediately.</li>



<li><strong>Upgrade to the fixed versions:</strong> SSG <strong>3.8.67</strong>, <strong>3.9.20</strong>, or <strong>3.10.6</strong>, and supported Splunk Enterprise releases.</li>



<li><strong>Disable the Secure Gateway app</strong> if it is not actively being used.</li>



<li><strong>Restrict KV Store write permissions</strong> to trusted administrators only.</li>



<li><strong>Enforce the principle of least privilege</strong> by limiting access to authorized users.</li>



<li><strong>Avoid deserializing untrusted data</strong> with <code>jsonpickle</code> or similar libraries without proper validation.</li>



<li><strong>Implement input validation and class allow-listing</strong> to prevent unsafe deserialization.</li>



<li><strong>Monitor Splunk logs</strong> for unusual activity or unauthorized changes to the KV Store.</li>
</ul>



<p>Following these best practices can help organizations reduce the risk of remote code execution and strengthen the overall security of their Splunk environment.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/splunk-secure-gateway-rce/">Splunk Secure Gateway RCE Vulnerability Discovered</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/splunk-secure-gateway-rce/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Fake Shopify Invoices Steal User Credentials</title>
		<link>https://firsthackersnews.com/shopify-fake-invoice-scam/</link>
					<comments>https://firsthackersnews.com/shopify-fake-invoice-scam/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Fri, 26 Jun 2026 17:39:13 +0000</pubDate>
				<category><![CDATA[Application Security]]></category>
		<category><![CDATA[Cyber threat]]></category>
		<category><![CDATA[cyberattack]]></category>
		<category><![CDATA[Cybercriminals]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[malicious cyber actors]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[Security Update]]></category>
		<category><![CDATA[Consumer Security]]></category>
		<category><![CDATA[credential theft]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Fake Invoice Scam]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[Information security]]></category>
		<category><![CDATA[online scam]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Scam Alert]]></category>
		<category><![CDATA[Shop App]]></category>
		<category><![CDATA[Shopify]]></category>
		<category><![CDATA[social engineering]]></category>
		<category><![CDATA[threat intelligence]]></category>
		<category><![CDATA[vishing]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11923</guid>

					<description><![CDATA[<p>Cybersecurity researchers have uncovered a new phishing campaign in which scammers abuse Shopify and its Shop order-tracking app</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/shopify-fake-invoice-scam/">Fake Shopify Invoices Steal User Credentials</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Cybersecurity researchers have uncovered a new phishing campaign in which scammers abuse Shopify and its Shop order-tracking app to deliver fake invoices directly to users. Instead of relying on traditional phishing emails, attackers are placing fraudulent purchase notifications inside a trusted shopping application, making the scam appear more convincing.</p>



<p>The fake invoices often impersonate well-known brands such as Norton, McAfee, Apple, and PayPal, creating a false sense of urgency by claiming that expensive products or subscriptions have been purchased.</p>



<h2 class="wp-block-heading"><strong>How the Scam Works</strong></h2>



<p>The Shop app automatically collects order information from connected email accounts and Shop Pay transactions, allowing users to view all their purchases in one place. Attackers appear to be exploiting this functionality or related merchant processes to insert fake orders into users&#8217; purchase history.</p>



<figure class="wp-block-image size-large"><img decoding="async" width="1024" height="576" src="https://firsthackersnews.com/wp-content/uploads/2026/06/image-4-1024x576.png" alt="" class="wp-image-11924" srcset="https://firsthackersnews.com/wp-content/uploads/2026/06/image-4-300x169.png 300w, https://firsthackersnews.com/wp-content/uploads/2026/06/image-4-768x432.png 768w, https://firsthackersnews.com/wp-content/uploads/2026/06/image-4-1024x576.png 1024w, https://firsthackersnews.com/wp-content/uploads/2026/06/image-4-1536x864.png 1536w, https://firsthackersnews.com/wp-content/uploads/2026/06/image-4.png 1600w" sizes="(max-width: 1024px) 100vw, 1024px" /><figcaption class="wp-element-caption"><em>Source: Gen Digital</em></figcaption></figure>



<p>These fraudulent orders typically display costly items, including antivirus subscriptions, smartphones, or gift cards. The invoices also include fake customer support phone numbers hidden within product descriptions, shipping details, or order notes.</p>



<p>When victims call the number, they are connected to scammers posing as customer support representatives. The attackers then attempt to steal sensitive information such as login credentials, payment card details, one-time passwords, or convince victims to install remote access software.</p>



<p>Researchers emphasized that there is currently <strong>no evidence that Shopify or the Shop app has been breached</strong>. Instead, the campaign appears to abuse legitimate platform features to distribute fraudulent content.</p>



<h2 class="wp-block-heading"><strong>How to Stay Safe</strong></h2>



<p>Users should always verify unexpected purchase notifications before taking any action. If an invoice appears suspicious, check your bank account or the official service provider directly instead of calling phone numbers listed in the receipt.</p>



<p>To reduce the risk of becoming a victim:</p>



<ul class="wp-block-list">
<li>Verify purchases through official websites or banking apps.</li>



<li>Never call support numbers included in unexpected invoices.</li>



<li>Report suspicious orders through the Shop app or Shopify&#8217;s abuse channels.</li>



<li>Avoid installing software at the request of unknown callers.</li>
</ul>



<p>This campaign demonstrates how cybercriminals are increasingly exploiting trusted platforms instead of relying solely on phishing emails. As users become more cautious of email scams, attackers are shifting their focus to legitimate applications where fraudulent content is less likely to raise suspicion.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/shopify-fake-invoice-scam/">Fake Shopify Invoices Steal User Credentials</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/shopify-fake-invoice-scam/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Langflow RCE Vulnerability: Unauthenticated Code Execution Risk</title>
		<link>https://firsthackersnews.com/langflow-rce-vulnerability/</link>
					<comments>https://firsthackersnews.com/langflow-rce-vulnerability/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Fri, 26 Jun 2026 04:33:26 +0000</pubDate>
				<category><![CDATA[Cyber threat]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[Security Update]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[Vulnerability Research]]></category>
		<category><![CDATA[AI Applications]]></category>
		<category><![CDATA[AI security]]></category>
		<category><![CDATA[cloud security]]></category>
		<category><![CDATA[CVE-2026-33017]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[DevSecOps]]></category>
		<category><![CDATA[Langflow]]></category>
		<category><![CDATA[LLM Security]]></category>
		<category><![CDATA[python]]></category>
		<category><![CDATA[rce]]></category>
		<category><![CDATA[remote code execution]]></category>
		<category><![CDATA[security update]]></category>
		<category><![CDATA[threat intelligence]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11919</guid>

					<description><![CDATA[<p>A critical security vulnerability, CVE-2026-33017, has been discovered in Langflow, an open-source platform used to build AI workflows,</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/langflow-rce-vulnerability/">Langflow RCE Vulnerability: Unauthenticated Code Execution Risk</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>A critical security vulnerability, <strong>CVE-2026-33017</strong>, has been discovered in Langflow, an open-source platform used to build AI workflows, large language model (LLM) applications, and Retrieval-Augmented Generation (RAG) pipelines. Researchers report that the flaw is already being actively exploited, allowing attackers to execute arbitrary Python code on vulnerable servers without requiring authentication.</p>



<p>Because Langflow is commonly integrated with AI services, databases, and cloud platforms, successful exploitation could expose sensitive data and provide attackers with extensive control over affected environments.</p>



<h2 class="wp-block-heading"><strong>How the Vulnerability Is Exploited</strong></h2>



<p>The vulnerability exists in a publicly accessible API endpoint responsible for building workflow components. Due to insufficient input validation, attackers can inject malicious Python code into specially crafted requests. The injected code is then executed on the server, enabling full remote code execution.</p>



<p>Security researchers observed exploitation attempts within hours of the vulnerability becoming public. Rather than relying on publicly available proof-of-concept exploits, attackers quickly developed their own techniques based on details released in the security advisory.</p>



<p>Early attacks focused on identifying vulnerable servers and executing basic system commands. As the campaign evolved, attackers expanded their activity to collect sensitive information, inspect server environments, and download additional malicious payloads.</p>



<h2 class="wp-block-heading"><strong>Active Exploitation Raises Security Concerns</strong></h2>



<p>Researchers found that attackers attempted to access configuration files, database information, API keys, cloud credentials, and other sensitive resources stored on compromised systems. Since Langflow environments often connect to external AI services and cloud infrastructure, stolen credentials could enable further attacks beyond the initially compromised server.</p>



<p>The investigation also revealed coordinated attack infrastructure, with multiple threat actors using similar command-and-control servers and data exfiltration techniques. Temporary callback domains were frequently used to verify successful exploitation while avoiding detection.</p>



<h2 class="wp-block-heading"><strong>Recommended Actions</strong></h2>



<ul class="wp-block-list">
<li>Update Langflow to the latest patched version immediately.</li>



<li>Restrict public access to Langflow instances whenever possible.</li>



<li>Monitor systems for unusual API requests and unexpected command execution.</li>



<li>Review cloud credentials, API keys, and environment files for potential exposure.</li>
</ul>



<p>The rapid exploitation of CVE-2026-33017 demonstrates how quickly threat actors weaponize newly disclosed vulnerabilities. Organizations operating internet-facing AI applications should prioritize timely patching, continuous monitoring, and network segmentation to reduce the risk of compromise.</p>



<p><strong>IOCs</strong></p>



<p><strong>Source IPs</strong></p>



<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th class="has-text-align-left" data-align="left">IP</th><th class="has-text-align-left" data-align="left">Location (Geo)</th><th class="has-text-align-left" data-align="left">ASN / Provider</th><th class="has-text-align-left" data-align="left">Observed Activity</th></tr></thead><tbody><tr><td>77.110.106.154</td><td>DE (Frankfurt)</td><td>AEZA GROUP LLC</td><td>Nuclei scan against Langflow, Interactsh-based callback RCE</td></tr><tr><td>209.97.165.247</td><td>SG (Singapore)</td><td>DigitalOcean</td><td>Nuclei scan, Interactsh callback test of&nbsp;<code>id</code>&nbsp;command</td></tr><tr><td>188.166.209.86</td><td>SG (Singapore)</td><td>DigitalOcean</td><td>Nuclei scan, Interactsh callback, identical Python RCE payload</td></tr><tr><td>205.237.106.117</td><td>FR (Paris)</td><td>PUSHPKT OU</td><td>Nuclei scan with rotated User-Agent strings, Interactsh exfil</td></tr><tr><td>83.98.164.238</td><td>NL (Lelystad)</td><td>Accenture B.V.</td><td>Custom exploit script, recon (<code>ls</code>,&nbsp;<code>cat /etc/passwd</code>), stage-2</td></tr><tr><td>173.212.205.251</td><td>FR (Lauterbourg)</td><td>Contabo GmbH</td><td>Custom exploit, env/credential harvesting, dropper hosting</td></tr></tbody></table></figure>



<p><strong>C2 and Staging Infrastructure</strong></p>



<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th class="has-text-align-left" data-align="left">Indicator</th><th class="has-text-align-left" data-align="left">Type</th><th class="has-text-align-left" data-align="left">Geo / Provider</th><th class="has-text-align-left" data-align="left">Context</th></tr></thead><tbody><tr><td>143.110.183.86:8080</td><td>C2 server</td><td>IN, DigitalOcean</td><td>Receives base64-encoded exfiltrated command output</td></tr><tr><td>173.212.205.251:8443</td><td>Dropper host</td><td>FR, Contabo GmbH</td><td>Serves stage-2 payload from path&nbsp;<code>/z</code></td></tr></tbody></table></figure>



<p><strong>Malicious Dropper URLs</strong></p>



<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th class="has-text-align-left" data-align="left">URL</th><th class="has-text-align-left" data-align="left">Role</th><th class="has-text-align-left" data-align="left">Notes</th></tr></thead><tbody><tr><td>http://143.110.183.86:8080/</td><td>C2 / exfil endpoint</td><td>Receives HTTP exfil from Python RCE</td></tr><tr><td>http://173.212.205.251:8443/z</td><td>Stage-2 dropper</td><td>Bash-executed payload delivery</td></tr></tbody></table></figure>



<p><strong>Interactsh Callback Domains (Samples)</strong></p>



<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th class="has-text-align-left" data-align="left">Domain</th><th class="has-text-align-left" data-align="left">TLD</th><th class="has-text-align-left" data-align="left">Usage</th></tr></thead><tbody><tr><td>d6tcpc6flblph01gdcb0ku9ixih393m54.oast.live</td><td>.oast.live</td><td>OOB validation of&nbsp;<code>id</code>&nbsp;command output</td></tr><tr><td>d6tcpe7nsv6kk9rdrpggi37zmjfxw9imr.oast.me</td><td>.oast.me</td><td>Automated Nuclei-driven callback</td></tr><tr><td>d6td5s9qte0bea7273e0wuou77jjx77uk.oast.pro</td><td>.oast.pro</td><td>RCE payload result exfiltration</td></tr><tr><td>d6tgbe1qte0a8rkffb3gqabqm8517exd3.oast.fun</td><td>.oast.fun</td><td>Ephemeral callback for scanning activity</td></tr></tbody></table></figure>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/langflow-rce-vulnerability/">Langflow RCE Vulnerability: Unauthenticated Code Execution Risk</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/langflow-rce-vulnerability/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Microsoft Teams-Themed Attack Deploys Remote Access Tool</title>
		<link>https://firsthackersnews.com/microsoft-teams-phishing-remote-access-tools/</link>
					<comments>https://firsthackersnews.com/microsoft-teams-phishing-remote-access-tools/#respond</comments>
		
		<dc:creator><![CDATA[FHN]]></dc:creator>
		<pubDate>Wed, 24 Jun 2026 17:32:20 +0000</pubDate>
				<category><![CDATA[Cyber threat]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Microsoft]]></category>
		<category><![CDATA[Security Advisory]]></category>
		<category><![CDATA[Security Update]]></category>
		<category><![CDATA[Windows Security]]></category>
		<category><![CDATA[credential theft]]></category>
		<category><![CDATA[cyber threats]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[Information security]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[microsoft teams]]></category>
		<category><![CDATA[Microsoft Teams Phishing]]></category>
		<category><![CDATA[phishing attack]]></category>
		<category><![CDATA[phishing campaign]]></category>
		<category><![CDATA[RAT]]></category>
		<category><![CDATA[Remote Access Software]]></category>
		<category><![CDATA[remote access tool]]></category>
		<category><![CDATA[Security Awareness]]></category>
		<category><![CDATA[social engineering]]></category>
		<category><![CDATA[threat intelligence]]></category>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11909</guid>

					<description><![CDATA[<p>Security researchers have uncovered an active phishing campaign that leverages Microsoft Teams-themed lures to distribute legitimate remote access</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/microsoft-teams-phishing-remote-access-tools/">Microsoft Teams-Themed Attack Deploys Remote Access Tool</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Security researchers have uncovered an active phishing campaign that leverages Microsoft Teams-themed lures to distribute legitimate remote access software configured for unauthorized access. By impersonating a trusted workplace collaboration service, the threat actors increase the likelihood that users will click the malicious links and download the compromised installers, which is what makes this Microsoft Teams phishing campaign a significant threat.</p>



<p>The campaign primarily targets users with notifications about meeting transcripts, recordings, and shared documents. These messages direct victims to professionally crafted phishing pages that closely resemble the legitimate Microsoft Teams and productivity service interfaces, making this Microsoft Teams phishing a critical concern for end users.</p>



<h2 class="wp-block-heading">Attack Chain Relies on Trusted Infrastructure</h2>



<p>The threat actors behind the campaign are using a combination of compromised business websites and cloud-hosted infrastructure to host phishing content and malware delivery mechanisms. Researchers observed malicious pages hosted on legitimate domains belonging to organizations such as hotels, law firms, schools, healthcare providers, and other small businesses across multiple countries.</p>



<p>Once a victim downloads and executes the installer, the malware deploys a legitimate remote access tool that has been preconfigured with attacker-controlled settings. This approach enables cybercriminals to establish remote connectivity while reducing suspicion, as the software itself is not inherently malicious.</p>



<p>To improve operational resilience, the attackers frequently rotate domains, infrastructure, and lure themes, allowing them to target different departments and organizations while minimizing the impact of takedowns.</p>



<h2 class="wp-block-heading">Persistence and Evasion Capabilities</h2>



<p>Analysis of the installer revealed several defense-evasion techniques designed to hinder detection and analysis. These include environment checks, anti-debugging mechanisms, delayed execution routines, and obfuscated components intended to complicate forensic investigations.</p>



<figure class="wp-block-image size-full"><img decoding="async" width="774" height="317" src="https://firsthackersnews.com/wp-content/uploads/2026/06/image-3.png" alt="" class="wp-image-11910" srcset="https://firsthackersnews.com/wp-content/uploads/2026/06/image-3-300x123.png 300w, https://firsthackersnews.com/wp-content/uploads/2026/06/image-3-768x315.png 768w, https://firsthackersnews.com/wp-content/uploads/2026/06/image-3.png 774w" sizes="(max-width: 774px) 100vw, 774px" /><figcaption class="wp-element-caption">Malicious download (Source: CYFIRMA).</figcaption></figure>



<p>Following installation, the malware establishes multiple persistence mechanisms to ensure long-term access to compromised systems. Researchers observed the creation of Windows services, registry modifications, and authentication-related components that enable the threat actors to maintain access and potentially harvest credentials.</p>



<p><strong>MITRE FRAMEWORK</strong></p>



<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><th class="has-text-align-left" data-align="left">Tactic</th><th class="has-text-align-left" data-align="left">Technique ID</th><th class="has-text-align-left" data-align="left">Technique Name</th></tr></thead><tbody><tr><td>Initial Access</td><td>T1566.002</td><td>Phishing: Spearphishing Link</td></tr><tr><td>Execution</td><td>T1204.002</td><td>User Execution: Malicious File</td></tr><tr><td>Persistence</td><td>T1543.003</td><td>Create or Modify System Process: Windows Service</td></tr><tr><td>Persistence</td><td>T1547.002</td><td>Boot or Logon Autostart Execution: Authentication Package</td></tr><tr><td>Persistence</td><td>T1546.015</td><td>Event Triggered Execution: Component Object Model Hijacking</td></tr><tr><td>Credential Access</td><td>T1556</td><td>Modify Authentication Process</td></tr><tr><td>Discovery</td><td>T1120</td><td>Peripheral Device Discovery</td></tr><tr><td>Stealth</td><td>T1497.001</td><td>Virtualization/Sandbox Evasion: System Checks</td></tr><tr><td>Stealth</td><td>T1497.003</td><td>Virtualization/Sandbox Evasion: Time Based Evasion</td></tr><tr><td>Command and Control</td><td>T1219</td><td>Remote Access Tool</td></tr></tbody></table></figure>



<h3 class="wp-block-heading">Key Security Concerns</h3>



<ul class="wp-block-list">
<li>Abuse of trusted Microsoft Teams branding to increase phishing success.</li>



<li>Use of legitimate remote access software for unauthorized system access.</li>



<li>Hosting of phishing infrastructure on compromised business websites.</li>



<li>Multiple persistence mechanisms designed to survive remediation efforts.</li>
</ul>



<p>The campaign highlights a growing trend in cybercrime operations where attackers increasingly rely on trusted platforms, reputable domains, and legitimate software to evade traditional security controls. Organizations should treat unexpected file downloads, meeting notifications, and transcript-sharing requests with caution, even when they appear to originate from familiar services or trusted websites.</p>
<p>The post <a rel="nofollow" href="https://firsthackersnews.com/microsoft-teams-phishing-remote-access-tools/">Microsoft Teams-Themed Attack Deploys Remote Access Tool</a> appeared first on <a rel="nofollow" href="https://firsthackersnews.com">First Hackers News</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://firsthackersnews.com/microsoft-teams-phishing-remote-access-tools/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
