In today’s cybersecurity news…
Feds seize alleged cyber-scam infrastructure
The U.S. government has seized cloud infrastructure allegedly used by subsidiaries of the Cambodian conglomerate Huione Group, said to play a key role in supporting online investment scams, money laundering, human trafficking, and marketplaces for stolen data. This follows last year’s decision to cut Huione off from the U.S. financial system after FinCEN said the company laundered at least $4 billion in illicit funds between 2021 and 2025, including proceeds tied to North Korean cybercrime. The FBI and international partners have been disrupting the Southeast Asian scam industry by targeting not just the scammers themselves, but the infrastructure that helps them operate. (The Record)
Dragos unveils AI for OT security
OT security company Dragos has launched EmberAI, an assistant trained specifically on industrial systems like power grids, factories, and other critical infrastructure. Dragos specializes in protecting those kinds of operational technology environments, and says the tool can answer questions in plain English, pull together threat and vulnerability data, identify likely attackers, and help security teams understand what’s happening faster. Cybersecurity firms are increasingly building AI tools around their own specialized datasets and expertise, rather than relying solely on general-purpose AI models. (SecurityWeek)
Scattered Spider hackers plead guilty
Two alleged members of the cybercrime group Scattered Spider, a 20-year-old and an 18-year-old, pleaded guilty in the UK to charges tied to the 2024 hack of Transport for London, which disrupted the city’s transit network. Prosecutors say the pair were involved in an even broader cybercrime operation linked to SIM swapping, SMS phishing, ransomware attacks, and intrusions at more than 100 organizations, with U.S. authorities alleging Scattered Spider collected at least $115 million in ransom payments. (Krebs on Security)
Fake AI agent skill passes security scans
Here’s a reminder that AI agents can create entirely new supply chain risks. Security firm AIR says it created a fake AI agent skill, got it approved by a popular marketplace, promoted it with Instagram ads, and ultimately reached about 26,000 agents, all while passing every security scanner it tested. The skill itself looked harmless, but it pointed to an external website that could be changed later, exposing a blind spot in how agent skills are vetted. This highlights how today’s AI security checks often examine the code submitted for review, but not the external instructions an agent may fetch and follow later. (The Hacker News)
Huge thanks to our sponsor, Guardsquare

Lookalike npm package hides multi-stage Windows RAT
JFrog researchers found a malicious npm package masquerading as the widely used JavaScript library postcss-selector-parser, using a nearly identical name to slip past casual reviews. The package executed code as soon as it was imported, downloading and installing a multi-stage Windows remote access trojan that could steal Chrome passwords, provide remote shell access, transfer files, and maintain persistence on infected machines. It’s yet another example of attackers moving beyond simple typosquatting with highly convincing lookalike packages that turn routine software dependencies into supply chain attack vectors. (Infosecurity Magazine)
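The lookalike-naming trick in the npm item above is something a team can screen for before a dependency is ever installed. The following is an added example, not code from JFrog or from the page: it reads the dependency map of a package.json, compares each name against a short list of well-known packages using optimal-string-alignment edit distance (Levenshtein plus adjacent transpositions), and separately catches names that match a known package exactly once separators, case and scope are stripped away. The known-package list, the sample package.json with its planted lookalikes, and the distance threshold are all constructed for illustration; the real postcss-selector-parser appears only as a known-good name.

```javascript
// Added example (not the page's or JFrog's code): flag dependencies whose names
// closely resemble well-known packages. The known list below is a constructed
// stand-in; a real audit would use the organisation's own allowlist.
const KNOWN_PACKAGES = ["postcss-selector-parser", "postcss", "lodash", "express", "chalk"];

// Constructed package.json for the demo. Three entries are planted lookalikes.
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    "postcss": "^8.4.0",                  // legitimate
    "postcss-selector-parser": "^6.0.0",  // legitimate
    "postcss-selecter-parser": "^6.0.1",  // constructed: one letter substituted
    "lodash": "^4.17.21",                 // legitimate
    "expres": "^4.18.0",                  // constructed: one letter dropped
    "@acme-ui/chalk": "^5.0.0",           // constructed: known name under a foreign scope
  },
};

// Optimal string alignment distance: insert, delete, substitute, or swap two
// adjacent characters, each costing 1.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Split off an npm scope and collapse separators/case, so that
// "postcss_selector_parser" and "PostCSS-Selector-Parser" both become
// "postcssselectorparser". The scope is kept apart because "@x/lodash" is a
// different package from "lodash" even though the bare name is identical.
function normalize(name) {
  const m = name.match(/^(@[^/]+\/)?(.+)$/);
  return { scope: m[1] || "", bare: m[2].toLowerCase().replace(/[-_.]/g, "") };
}

// Returns one finding per (dependency, known package) pair that looks suspicious.
// The distance threshold shrinks for short names so "chalk" vs "chunk" is not noise.
function findLookalikes(deps, known = KNOWN_PACKAGES, maxDistance = 2) {
  const findings = [];
  const knownSet = new Set(known);
  for (const dep of Object.keys(deps)) {
    if (knownSet.has(dep)) continue; // exact match to a known package: fine
    const n = normalize(dep);
    for (const k of known) {
      const kn = normalize(k);
      if (n.bare === kn.bare) {
        const reason = n.scope !== kn.scope ? "scope-only difference" : "separator/case difference";
        findings.push({ name: dep, resembles: k, reason });
        continue;
      }
      const threshold = Math.min(maxDistance, Math.max(1, Math.floor(kn.bare.length / 5)));
      const dist = osaDistance(n.bare, kn.bare);
      if (dist <= threshold) findings.push({ name: dep, resembles: k, reason: `edit distance ${dist}` });
    }
  }
  return findings;
}

// Audit every dependency section of a parsed package.json object.
function auditPackageJson(pkg, known = KNOWN_PACKAGES) {
  const merged = Object.assign({}, pkg.dependencies, pkg.devDependencies, pkg.optionalDependencies);
  return findLookalikes(merged, known);
}

for (const f of auditPackageJson(SAMPLE_PACKAGE_JSON)) {
  console.log(`suspicious dependency ${f.name}: resembles ${f.resembles} (${f.reason})`);
}
```

Run it with node; on the constructed sample it reports the three planted names and stays silent on the legitimate ones. The check is a pre-install gate, not a substitute for reviewing what a package does at import time, which is where the package described above did its damage.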
“SPOX” charged with running cybercrime marketplaces
An Algerian man known online as “SPOX” was extradited to the U.S. and charged with running two cybercrime marketplaces that allegedly sold phishing kits, stolen financial credentials, compromised email access, and other fraud tools. Prosecutors say Abdellah Belmili created around 600 phishing kits that targeted major banks and payment services, collected data from roughly 5,600 victims, and funneled about $900,000 through cryptocurrency accounts between 2020 and 2023. Investigators also allege he built backdoors into phishing kits sold to other attackers to keep stealing data even after the kits changed hands. (Cyberscoop)
Mushrooming malicious pull requests threaten dev workflows
Researchers at Novee say they’ve uncovered a widespread CI/CD security weakness dubbed “Cordyceps” that could let attackers use malicious pull requests to compromise software supply chains. The issue stems from overly permissive automated workflows that can expose high-privilege tokens and signing keys, and Novee found hundreds of potentially vulnerable repositories, including projects from Microsoft, Google, Cloudflare, Apache, and the Python Software Foundation. There’s no evidence the technique has been exploited in the wild so far. (Dark Reading)
Purchase scam tactic headed for the World Cup
Recorded Future reports that scammers are increasingly hijacking legitimate websites to capture people searching for World Cup tickets, merchandise, and other event-related deals. Instead of creating scam sites that need to rank in search results, the attackers compromise trusted websites, inject fake product pages, and quietly redirect search visitors to fraudulent stores that take payments and then steal credit card data. The tactic is difficult to detect because the scam domains themselves don’t appear in search results. One operation Recorded Future tracked generated roughly 17 million visits in 2026 alone. (Recorded Future)