2026.06.09 News You Should Know

Series: News You Should Know

Errata

FIFA World Cup 2026 Scams Are Already Live: Fake Sites, Banking Malware, and Stolen Logins - Recent reports describe thousands of lookalike FIFA domains, banking malware hidden inside pirate streaming apps, and at least one operation that copies FIFA’s login page well enough to take over real accounts.

Dashlane explains how attackers managed to download encrypted password vaults - Ars Technica - In response, Dashlane’s automated security systems operated as intended, triggering an automatic lockout of the targeted accounts to protect those users. Before the attack was fully mitigated, the threat actor was able to brute force and generate valid tokens for fewer than 20 personal plan customers, allowing them to register a new device on those accounts and download copies of users’ encrypted vaults.

Massachusetts votes to pass new privacy rights bill that bans sale of precise location data | TechCrunch - Massachusetts lawmakers have voted to pass privacy protections that grant the state’s residents new rights over accessing and deleting their data held by big tech giants. The bill also bans companies from selling their users’ precise location data.

Attackers had month-long head start on patched Check Point VPN zero-day - Attacks against the bug, tracked as CVE-2026-50751, began on May 7, according to Check Point VP of research Lotem Finkelstein, and picked up in early June. The security software vendor spotted suspicious activity and began investigating the zero-day on June 4, Finkelstein said in a Monday blog.

Techniques

Fake Sites Mimicking Open-Source Tools Rank High on Google to Deliver Malware via TDS - “The sites are well-designed and often look like legitimate project portals at a glance, sometimes referencing real upstream resources,” Check Point security researcher Alexey Bukhteyev said in a breakdown of the campaign. “The deception is not in the page content alone, it’s in what happens when a user interacts.”

Google and FBI warn of ransomware group that sends fake IT workers to hack victims in person | TechCrunch - A ransomware gang has escalated its attacks on law firms by sometimes sending fake IT workers in person to the victims’ offices, where the imposters steal data directly from the victims’ computers using USB drives or help other gang members connect to the computers remotely, according to Google and the FBI.

Suspected Norks send 250+ fake dev job pitches to steal crypto - Like earlier phishing expeditions from the Norks, including the Contagious Interview campaign, this one uses developer recruitment or code review lures to target victims, primarily in technology, education, business services, and financial services, and ultimately steal credentials and cryptocurrency.

AI

OpenAI’s Codex chains decade-old DoS techniques into HTTP/2 Bomb - Luong says Codex chained two existing DoS attack techniques that have been known for more than a decade - HPACK compression bomb and Slowloris-style hold - and warns that upwards of 880,000 websites supporting HTTP/2 and running one of the vulnerable web servers may be affected.

OpenAI unveils Lockdown Mode to protect sensitive data from prompt injection attacks | TechCrunch - The company says that even with Lockdown Mode turned on, ChatGPT could still be vulnerable to prompt injections — which could, for example, “appear in cached web content or in an uploaded file, and could still affect the behavior or accuracy of a response.”

Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories - The trigger check had a hole. It waved through any actor whose name ended in [bot], on the assumption that GitHub Apps are trusted things admins install. Trouble is, anyone can register a GitHub App, install it on a repo they own, and use its token to open an issue or pull request on any public repository. The action saw “a bot” and let the attacker’s content through. Tag mode had an extra check to confirm the actor was a real human; agent mode didn’t, which left it open.
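To make the trust bug described above concrete, here is an added illustrative trigger gate (example code, not the Claude Code action's own implementation). It contrasts the weak "login ends in `[bot]`" rule with a check that trusts bots only by an explicit allowlist and humans only by their repository role. The webhook fields used (`sender.login`, `sender.type`, `issue.author_association`) are standard GitHub event payload fields; the allowlist contents and the sample events are constructed.

```python
"""Illustrative GitHub Actions trigger gate (added example, not the action's code).

Weak rule: any actor whose login ends in '[bot]' is waved through, so an app
an attacker registered and installed on their own repo passes the check.
Hardened rule: bots are trusted by exact login from an allowlist, never by
suffix; humans are trusted only with a real repository role.
"""
from typing import Dict

# Roles GitHub assigns only to people who actually belong to the repository.
TRUSTED_ASSOCIATIONS = {"OWNER", "MEMBER", "COLLABORATOR"}
# Assumed allowlist of bots the maintainers deliberately trust.
TRUSTED_BOT_LOGINS = {"dependabot[bot]"}


def weak_is_trusted(event: Dict) -> bool:
    """The flawed rule: a '[bot]' suffix is treated as proof of trust."""
    login = event["sender"]["login"]
    if login.endswith("[bot]"):
        return True
    return event["issue"]["author_association"] in TRUSTED_ASSOCIATIONS


def hardened_is_trusted(event: Dict) -> bool:
    """Bots must match the allowlist exactly; humans need a repo role."""
    sender = event["sender"]
    if sender["type"] == "Bot":
        return sender["login"] in TRUSTED_BOT_LOGINS
    return event["issue"]["author_association"] in TRUSTED_ASSOCIATIONS


def make_event(login: str, sender_type: str, association: str) -> Dict:
    """Build a minimal constructed issue-style webhook event."""
    return {"sender": {"login": login, "type": sender_type},
            "issue": {"author_association": association}}


# Constructed sample events: an attacker-registered app, a maintainer,
# a drive-by user and an allowlisted bot.
ATTACKER_APP = make_event("evil-helper[bot]", "Bot", "NONE")
MAINTAINER = make_event("maintainer", "User", "OWNER")
DRIVE_BY = make_event("random-user", "User", "NONE")
KNOWN_BOT = make_event("dependabot[bot]", "Bot", "NONE")

if __name__ == "__main__":
    for name, ev in [("attacker app", ATTACKER_APP), ("maintainer", MAINTAINER),
                     ("drive-by", DRIVE_BY), ("known bot", KNOWN_BOT)]:
        print(f"{name:12} weak={weak_is_trusted(ev)!s:5} "
              f"hardened={hardened_is_trusted(ev)}")
```

The attacker's app passes the weak gate and fails the hardened one, while the maintainer and the allowlisted bot pass both.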

Free AI model powers self-spreading worm in enterprise test network - “People need to understand that it’s not just the biggest and most powerful AI models that pose security concerns – a whole other area of threat has been vastly underestimated,” University of Toronto computer engineering professor Nicolas Papernot told The Register.

WhatsApp, Slack Notifications Could Hijack Google Gemini on Android - A single poisoned notification from WhatsApp, Slack, SMS, Signal, Instagram, or Messenger could have hijacked Google Gemini’s voice assistant on Android and made it open a victim’s connected windows, fake a message from their boss, push the phone into a Zoom call, or quietly poison its long-term memory. Yair found a way around the new defenses. Google has since patched it, SafeBreach lists no CVE for the issue, and there is no evidence that the technique was ever used in the wild.

War

Russian spy agency says foreign spies turned officials’ smartphones into surveillance devices - The Federal Security Service (FSB) claimed foreign intelligence agencies implanted malware on the mobile devices of high-ranking Russian officials, allowing operators to steal data, intercept conversations, and secretly activate microphones and cameras to monitor targets and their surroundings.

Pentagon raised threat of Israeli spying on U.S. to highest level, sources say - The designation stems from concerns within the Pentagon that Israel is making a particular effort to surveil top U.S. officials to get information on the Trump administration’s internal deliberations and decision-making on the conflicts in the Middle East, the officials said.

France probes compromise of gov messaging platform after account hijack - The incident came to light on June 7 when France’s National Cybersecurity Agency (ANSSI) detected suspicious activity on Tchap, the government’s homegrown messaging service used across ministries and public sector organizations. The French Digital Affairs Directorate (DINUM), which operates the platform, said it immediately began investigating the compromise and moved to block the affected account.

Microsoft

Microsoft Fixes One-Click GitHub Dev Attack That Let Attackers Steal OAuth Tokens - In a nutshell, the vulnerability allows attackers to install malicious VS Code extensions that steal GitHub OAuth tokens when they are passed to GitHub.dev by exploiting a message-passing mechanism between the main VS Code window and webviews. Webviews are used to render Markdown previews or edit Jupyter notebooks.

Microsoft’s open source tools were hacked to steal passwords of AI developers | TechCrunch - At least 70 projects belonging to Microsoft have been “disabled,” per a message loading when trying to access the projects’ pages on GitHub, a code-hosting site that Microsoft owns. “Access to this repository has been disabled by GitHub Staff due to a violation of GitHub’s terms of service.” This is Microsoft’s second known breach over the past few weeks that has allowed hackers to compromise its open source projects.

More Info…

GitHub nukes 70+ Microsoft repos amid suspected worm attack

Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack

For the 2nd time in weeks, Microsoft packages laced with credential stealer - Ars Technica

WhatsApp

WhatsApp says it caught new spyware attacks linked to NSO Group in violation of court order | TechCrunch - On Monday, the Meta-owned chat app announced that it “caught and disrupted spear phishing attempts linked to NSO” after an investigation prompted by user reports. “They tried to trick people into clicking on malicious links to drive them to external websites outside of WhatsApp,” the company wrote. “We also caught them creating test accounts and groups on WhatsApp, which we took down.”

I’m an experienced home cook, security engineer, people leader, and dedicated father and husband. I can be found on Mastodon at @IAintShootinMis@DigitalDarkAge.cc and on Signal at DigitalDarkAge.98. An RSS Feed of this blog is available here and a copy of my current OPML file is here.