SecurityWeek’s weekly cybersecurity news roundup provides a concise overview of important developments that may not get full standalone coverage but remain relevant to the broader threat landscape.
This curated summary highlights key stories across vulnerability disclosures, emerging attack techniques, policy updates, industry reports, and other noteworthy events to help readers maintain a well-rounded awareness of the evolving cybersecurity environment.
Here are this week’s highlights:
Trump Mobile data breach
Phone provider Trump Mobile has confirmed that customers’ names, addresses, email addresses, phone numbers, and other data were exposed to the internet. The company reportedly said a third-party platform provider was responsible for the exposure.
Russian hackers’ deep reach in Treasury emails
Documents presented in a Freedom of Information Act lawsuit filed by Bloomberg News against the US government show that the Russian state-sponsored APT responsible for the 2019-2020 SolarWinds supply chain attack had deep access to Treasury emails. The hackers reportedly focused on only eight email accounts linked to 300 other email addresses. The Treasury had roughly 94,000 people at the time.
VS Code Remote-SSH extension vulnerability
A remote code execution (RCE) vulnerability in the Visual Studio Code (VS Code) Remote-SSH extension could allow attackers to pivot to remote systems, security researcher Suman Kumar Chakraborty warns. The issue exists because, upon initiating a Remote SSH connection, the extension writes a bootstrap shell script to the Temp directory. An attacker with access to the system can modify the script before it is transmitted and executed on the remote server, to deploy a reverse shell.
UK Visa Portal exposes over 100,000 documents
Immigration portal UK Visa Portal publicly exposed over 100,000 documents of people who applied for a UK visa, TechCrunch reports. Not affiliated with the UK government, the website requires applicants to upload selfies and passports, and to pay a fee for obtaining visas. The exposed files were stored in an AWS S3 bucket and were secured earlier this week.
LinkedIn phishing campaign abuses Adobe Target
Phishers are posing as LinkedIn in a new phishing campaign disguised as a business inquiry. The emails contain fake contract attachments masquerading as PDFs. In fact, they are HTML files directing victims to the Adobe Target A/B testing platform. The attackers are abusing Adobe Target to track users and serve them fake login pages to steal their credentials before redirecting them to LinkedIn.
2026 FIFA World Cup in attackers’ crosshairs
Just as the 2026 FIFA World Cup is about to kick off, Group-IB has discovered over 4,300 fraudulent domains impersonating FIFA, including a sophisticated phishing campaign run by Chinese-speaking hacking group Ghost Stadium. The threat actor has set up over 300 domains, including a pixel-perfect clone of the legitimate FIFA site. The phishers could cause hundreds of millions of dollars in losses.
Veeam, Notepad++, Roundcube patches
Veeam this week resolved two high-severity vulnerabilities in its Backup & Replication product, warning they could lead to privilege escalation and arbitrary file writes. Notepad++ patched three security issues, including two leading to arbitrary code execution. The latest Roundcube security updates fix eight flaws, including unauthenticated SQL injection and arbitrary file delete bugs.
CISA responds to recent supply chain attacks
The US cybersecurity agency CISA has expanded its KEV catalog with three vulnerabilities describing recent software supply chain attacks. These include Daemon Tools Lite, TanStack, and Nx Console (which led to the hack of 3,800 internal GitHub repositories). CISA also issued an alert on the Megalodon and Nx Console attacks, urging organizations to hunt for and remediate potential compromises. NPM invalidated granular access tokens in response to these attacks.
Supply chain attack hits 176 NPM packages
Sonatype warns of a supply chain attack involving 176 malicious NPM packages containing postinstall scripts designed to install information-stealing malware on the victims’ computers. The malware harvests and exfiltrates credentials, system and directory information, environment variables, CI/CD secrets, and other tokens and sensitive information. All malicious packages have the version number 99.99.99.
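For defenders triaging exposure to the campaign above, the following added example (not from Sonatype or the original article) scans a parsed `package-lock.json` for entries pinned at version 99.99.99 and reports whether npm recorded an install-time script for them. The function name, sample package names and registry URL are assumptions made for illustration; a 99.99.99 entry is a lead to investigate, not proof of compromise.

```javascript
// Added example, not from the article. Flags lockfile entries that match the
// two traits reported above: version 99.99.99 and install-time scripts.
const SUSPECT_VERSION = "99.99.99";

function findSuspectPackages(lock) {
  const hits = [];
  const record = (name, path, entry) => {
    if (entry.version !== SUSPECT_VERSION) return;
    hits.push({
      name,
      path,
      // npm sets hasInstallScript in v2/v3 lockfiles when a package declares
      // preinstall, install or postinstall scripts.
      hasInstallScript: entry.hasInstallScript === true,
      resolved: entry.resolved || null,
    });
  };
  // Lockfile v2/v3: flat "packages" map keyed by install path.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    const i = path.lastIndexOf("node_modules/");
    record(entry.name || (i >= 0 ? path.slice(i + 13) : path), path, entry);
  }

  // Lockfile v1: nested "dependencies" tree (used only when "packages" is
  // absent, so v2 files that carry both are not double-counted).
  const walkV1 = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      record(name, path, entry);
      walkV1(entry.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walkV1(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile; package names and URL are placeholders.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/example-internal-utils": { version: "99.99.99", hasInstallScript: true,
      resolved: "https://registry.example.invalid/example-internal-utils-99.99.99.tgz" },
    "node_modules/a/node_modules/@example/cfg": { version: "99.99.99" },
  },
};
console.log(findSuspectPackages(sampleLock));
```

To check a real project, pass the result of `JSON.parse` on the contents of its `package-lock.json` to `findSuspectPackages`.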
Contractor jailed for hacking former employer
Maxwell Schultz, 36, of Columbus, Ohio, was sentenced to 24 months in federal prison for hacking into his employer’s network after his contract was terminated in May 2021. Impersonating another contractor, he obtained login credentials, accessed the former employer’s systems, and executed a script that reset roughly 2,500 passwords, locking out employees and contractors and causing more than $862,000 in losses. Schultz pleaded guilty in November 2025.
Associated: In Different Information: Industrial Router Exploitation, CISA KEV Nomination Kind, Fuel Station Hacking









