In today’s cybersecurity news…
Apple pushes new patches over DarkSword
Apple told Wired it’s releasing rare “backported” security patches for iOS 18 to protect users from the DarkSword hacking tool, which can silently compromise iPhones via infected websites, marking a shift from its usual policy of requiring upgrades to the latest OS. The move follows widespread exploitation of DarkSword and similar tools, which researchers say have been used in espionage and cybercrime campaigns, and comes after criticism that millions of users who hadn’t upgraded to iOS 26 were left exposed. (Wired)
FBI declares suspected Chinese hack of US surveillance ‘major incident’
The Federal Bureau of Investigation has classified a suspected China-linked breach of a sensitive internal surveillance system as a “major cyber incident,” indicating significant national security risk. Officials say hackers likely accessed law enforcement data, including surveillance records and personally identifiable information, after exploiting a third-party ISP vendor. The designation suggests a serious compromise of FBI systems and underscores growing sophistication of Chinese cyber operations. (Politico)
Cisco source code stolen in Trivy-linked breach
Cisco was breached after attackers used stolen credentials from the Trivy supply chain attack to access its internal development environment, exfiltrating source code from more than 300 GitHub repositories, including AI-related projects and customer data. The attack leveraged a malicious GitHub Actions plugin to steal credentials and AWS keys, enabling unauthorized activity across internal systems. Cisco has contained the incident and is rotating credentials, while researchers link the broader campaign to the TeamPCP group targeting developer ecosystems. (BleepingComputer)
Mercor hit by cyberattack tied to compromise of LiteLLM project
Mercor said it was hit by a supply chain attack tied to the compromised open-source project LiteLLM, which was linked to a group known as TeamPCP. The incident may also connect to claims by extortion group Lapsus$, which says it accessed Mercor data, with samples showing Slack and internal platform content. Mercor says it contained the breach and is investigating with third-party forensics, but it’s still unclear how data was obtained or how many companies were affected. (TechCrunch)
Huge thanks to our sponsor, ThreatLocker

Cambodia extradites alleged cyber scam linchpin
Li Xiong, a key figure in a Southeast Asian cyber scam network, has been extradited from Cambodia to China as part of a broader crackdown on fraud operations. Authorities say he helped run infrastructure tied to a multibillion-dollar scam ecosystem linked to figures like Chen Zhi, with Huione Group accused by the U.S. Treasury of laundering at least $4 billion, including funds tied to North Korean cybercrime. The move comes as Cambodia intensifies efforts to dismantle scam compounds and financial networks enabling large-scale online fraud. (The Record)
Hasbro says hack may take ‘several weeks’ to recover
Hasbro disclosed a cyberattack detected March 28 that forced it to take some systems offline, with recovery expected to take several weeks. The company says core operations like orders and shipping continue under contingency plans, but parts of its website remain down and it’s unclear if data was stolen. Hasbro has brought in external cybersecurity experts and is still investigating the scope of the breach. (TechCrunch)
Venom Stealer commoditizes ClickFix attacks
Researchers at BlackFog report a new malware-as-a-service platform called Venom Stealer that automates ClickFix-style social engineering attacks, lowering the barrier for cybercriminals. The tool builds a persistent data-theft pipeline that continuously harvests credentials, session data, and cryptocurrency wallets, using user-executed commands to evade detection and silently escalate privileges. Sold via subscription and actively updated, the platform highlights the growing commoditization of advanced attack chains, with defenders urged to restrict scripting tools and monitor outbound traffic. (Dark Reading)
Microsoft warns of WhatsApp-delivered VBS malware
Microsoft warns of a campaign using WhatsApp to deliver malicious VBS files that initiate multi-stage infections on Windows systems. The malware uses renamed legitimate tools, cloud-hosted payloads (AWS, Tencent Cloud, Backblaze), and a User Account Control bypass to gain elevated privileges, install persistent MSI packages, and enable remote access via tools like AnyDesk. Microsoft says the attack combines social engineering with “living-off-the-land” techniques to evade detection and maintain long-term control. (The Hacker News)