Cybersecurity News: World Cup fraud, US military location targets, IBM and Red Hat go Project Lightwell

In today’s cybersecurity news…

Fraud gang steals from World Cup fans

Researchers at Group-IB say a Chinese-speaking fraud network dubbed GHOST STADIUM has set up more than 300 fake FIFA ticketing sites across thousands of domains to target fans ahead of the 2026 World Cup. The phishing pages reportedly mimic FIFA’s login flow to steal credentials and payment details, then redirect victims to the real site, while some can trigger password resets to lock users out and resell legitimate tickets. (The Record)

Pentagon says US military targeted by location

Reuters reports that U.S. military officials say adversaries are using commercially available location data to surveil and potentially target American troops in active war zones. A bipartisan group of lawmakers warned the Pentagon that data harvested through the adtech ecosystem can reveal troop movements and patterns, creating risks ranging from missile and drone attacks to counterintelligence exposure. The Pentagon is being urged to disable ad IDs on military devices, restrict location sharing, and move personnel away from tools like Google Chrome. (Reuters)

IBM and Red Hat commit to “Project Lightwell”

IBM and Red Hat have invested $5 billion and assigned more than 20,000 engineers to Project Lightwell, a new initiative focused on securing open source software used across enterprise supply chains. This centers on an AI-powered “enterprise clearinghouse” that will identify, prioritize and validate vulnerabilities in widely used open source projects, then work with maintainers to develop and distribute secure patches through commercial subscriptions. Major financial institutions like Bank of America, JPMorganChase and Visa are backing the effort. (SecurityWeek)

Microsoft slams GitHub zero-day disclosures

Microsoft is criticizing a researcher known as Chaotic Eclipse who published details and proof-of-concept code for multiple Windows flaws, bypassing Microsoft’s disclosure process. The company said three of the bugs, affecting components including Defender and BitLocker, are being actively exploited and warned that releasing details before patches are available puts customers at greater risk. The dispute escalated after the researcher’s GitHub and GitLab accounts hosting the code were removed. (The Hacker News)

Huge thanks to our sponsor, Guardsquare

Attackers are treating your mobile app like an open book. Sixty-three percent of security leaders recently detected app tampering, cloning, or unauthorized modifications. When your code runs in an untrusted environment, you need runtime self-protection and code hardening to keep attackers out. Address tampering before it starts. Learn more at Guardsquare.com.

Cruise giant Carnival confirms data breach

Carnival Corporation says a cyberattack in April exposed personal data of 6 million people after attackers compromised an employee account and accessed part of the company’s IT systems. The stolen information includes names, contact details, and in some cases dates of birth, passport and driver’s license numbers. ShinyHunters has claimed the breach, and says it published millions of records. (The Record)

Gogs allows arbitrary code

Open-source self-hosted Git service Gogs has a critical unpatched vulnerability that lets any authenticated user execute arbitrary code on the server by abusing Git’s rebase function with a malicious branch name. Security firm Rapid7 warns it could let attackers access every repository on a server, steal credentials, move deeper into a network and potentially expose other users’ private code. Windows, Linux and macOS deployments are all affected. Because the bug needs only an ordinary account, the recommended stopgap until a fix ships is to disable open registration or repository creation, so that untrusted users cannot obtain the authenticated access it requires. (The Hacker News)
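The article does not say which branch-name pattern triggers the Gogs bug, so what follows is a general input-validation check added here, not Gogs’s code or its fix: it applies git’s own ref-name rules (as documented in git-check-ref-format(1)) and, separately, rejects any name starting with “-”, which a git subcommand would parse as an option rather than a ref. The `rebase_argv` wrapper and the sample names are assumptions of this example.

```python
"""Reject branch names that git would treat as options or that violate
git's ref-name rules, before they reach a subprocess call.

Added example for the Gogs item above; it is not Gogs code and not the
upstream fix. Rules follow git-check-ref-format(1) in --branch mode:
no leading '-', no '..', no '@{', no control/space/~^:?*[ or backslash
characters, no component starting with '.' or ending in '.lock', no
leading, trailing or doubled '/', no trailing '.', and not the lone '@'.
"""
import re
from typing import List

# Characters git never allows anywhere in a ref name.
_FORBIDDEN = re.compile(r"[\x00-\x1f\x7f ~^:?*\[\\]")


def is_safe_branch_name(name: str) -> bool:
    """True only for names git accepts as a branch shorthand."""
    if not name or name == "@":
        return False
    if name.startswith("-"):
        # A leading '-' is parsed as an option by git subcommands, whatever
        # the caller intended; this is the check that matters for injection.
        return False
    if _FORBIDDEN.search(name):
        return False
    if ".." in name or "@{" in name:
        return False
    if name.startswith("/") or name.endswith("/") or "//" in name:
        return False
    if name.endswith("."):
        return False
    return all(not c.startswith(".") and not c.endswith(".lock")
               for c in name.split("/"))


def rebase_argv(upstream: str, branch: str) -> List[str]:
    """Build argv for `git rebase <upstream> <branch>` from validated names.
    Raises ValueError rather than letting an unsafe name reach git.
    (Hypothetical wrapper; the argv shape is this example's assumption.)"""
    for ref in (upstream, branch):
        if not is_safe_branch_name(ref):
            raise ValueError(f"refusing branch name {ref!r}")
    return ["git", "rebase", upstream, branch]


if __name__ == "__main__":
    print(rebase_argv("main", "feature/login"))
    # Constructed bad inputs: option-looking, '..', '.lock', '@{', lone '@'.
    for bad in ("--not-a-branch", "a..b", "feat.lock", "x@{1}", "@"):
        try:
            rebase_argv("main", bad)
        except ValueError as exc:
            print(exc)
```

The validator is deliberately stricter than “starts with a dash”: the other rules matter because a name that git itself rejects usually means the caller built the command from untrusted input without ever asking git to check it, which is the same root cause. For the configuration stopgap the article recommends, consult the Gogs documentation for the `[service]` section of `custom/conf/app.ini`; the registration switch there is named `DISABLE_REGISTRATION` to my recollection, so confirm it against the current docs before relying on it.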

GreyVibe attackers use ChatGPT and Gemini

Researchers at WithSecure say a likely Russian-linked threat group called GreyVibe has been using ChatGPT and Gemini to create realistic phishing lures, fake websites, and even parts of its malware toolkit in campaigns aimed mainly at Ukraine-related targets. The group has used custom Windows and Android malware to steal files, credentials, location data and communications across military, government and business sectors. The operation seems to align with Russian interests but doesn’t act like a typical state-backed campaign. (BleepingComputer)

Typosquatting, or realistic package impersonation?

Sonatype reports that attackers are moving beyond typosquatting in open source repositories and instead are publishing malicious packages that look like legitimate plugins, SDKs or config tools developers would expect to see. An analysis of more than 4,300 malicious packages showed 91% using naming tactics targeting ecosystems like React, ESLint and Tailwind. The packages are known to steal credentials or system data and can install backdoors. Sonatype warns that typo detection alone is no longer enough, and that teams need closer scrutiny of new dependencies and publisher behavior. (Infosecurity Magazine)
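To make the report’s point concrete, here is an added example (not Sonatype’s tooling) of a pre-merge dependency gate in Python: it diffs two package-lock.json files, runs a Levenshtein typosquat check against a known-good list, and then applies a second pass that flags new packages using ecosystem-style names or thin publisher metadata regardless of edit distance. The lockfiles, the registry metadata, the known-good list and the name patterns are all constructed for the example.

```python
"""Pre-merge gate for newly introduced npm dependencies: a Levenshtein
typosquat check beside a second pass that flags ecosystem-style names and
suspicious publisher metadata regardless of edit distance.

Added example; not Sonatype's tooling. Lockfiles, registry metadata and the
KNOWN_GOOD list are constructed inline so this runs offline."""
import json
import re
from typing import Dict, List, Set, Tuple

# Constructed package-lock.json v3 "packages" maps: before and after a PR.
OLD_LOCK = json.loads("""{"packages": {
  "node_modules/react": {"version": "18.3.1"},
  "node_modules/eslint": {"version": "9.4.0"},
  "node_modules/tailwindcss": {"version": "3.4.4"}}}""")
NEW_LOCK = json.loads("""{"packages": {
  "node_modules/react": {"version": "18.3.1"},
  "node_modules/eslint": {"version": "9.4.0"},
  "node_modules/tailwindcss": {"version": "3.4.4"},
  "node_modules/reakt": {"version": "1.0.0"},
  "node_modules/eslint-plugin-react-hooks-lint": {"version": "0.0.3"},
  "node_modules/@tailwind-ui/forms": {"version": "0.1.0"}}}""")

# Constructed stand-in for registry metadata (what `npm view <pkg> time
# maintainers` would give you); a real gate would fetch this.
REGISTRY: Dict[str, dict] = {
    "reakt": {"age_days": 2, "maintainers": ["u1"]},
    "eslint-plugin-react-hooks-lint": {"age_days": 5, "maintainers": ["u2"]},
    "@tailwind-ui/forms": {"age_days": 3, "maintainers": ["u3"]},
}

# Constructed allowlist of dependencies the team has already vetted.
KNOWN_GOOD = ["react", "react-dom", "eslint", "eslint-plugin-react",
              "tailwindcss", "@tailwindcss/forms"]
# Name families the report says are being imitated; these regexes are
# this example's assumption, not a published rule set.
ECOSYSTEM_PATTERNS = [r"^react-", r"^eslint-plugin-", r"^@?tailwind"]
MAX_TYPO_DISTANCE = 2
MIN_AGE_DAYS = 30


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; enough to catch 'reakt' next to 'react'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lock_names(lock: dict) -> Set[str]:
    """Package names from a lockfile's 'packages' map (root key '' skipped)."""
    return {k.split("node_modules/")[-1] for k in lock["packages"] if k}


def new_packages(old: dict, new: dict) -> List[str]:
    return sorted(lock_names(new) - lock_names(old))


def closest_known(name: str) -> Tuple[str, int]:
    return min(((k, levenshtein(name, k)) for k in KNOWN_GOOD), key=lambda t: t[1])


def review_reasons(name: str) -> List[str]:
    """Why a newly added package needs a human look; empty list means none."""
    if name in KNOWN_GOOD:
        return []
    reasons = []
    known, dist = closest_known(name)
    if dist <= MAX_TYPO_DISTANCE:
        reasons.append(f"typosquat: {dist} edit(s) from {known}")
    # Impersonation pass: plausible names with a big edit distance still
    # get flagged, because the name alone tells you nothing about the publisher.
    if any(re.match(p, name) for p in ECOSYSTEM_PATTERNS):
        reasons.append("imitates ecosystem naming; verify publisher")
    meta = REGISTRY.get(name, {})
    if meta.get("age_days", MIN_AGE_DAYS) < MIN_AGE_DAYS:
        reasons.append(f"published {meta['age_days']} days ago")
    if len(meta.get("maintainers", [])) < 2:
        reasons.append("fewer than two maintainers")
    return reasons


def gate(old: dict, new: dict) -> Dict[str, List[str]]:
    """Map each newly introduced package to its review reasons."""
    return {n: review_reasons(n) for n in new_packages(old, new)}


if __name__ == "__main__":
    for pkg, why in gate(OLD_LOCK, NEW_LOCK).items():
        print(pkg, "->", "; ".join(why) or "ok")
```

On the constructed data only `reakt` trips the edit-distance check; `eslint-plugin-react-hooks-lint` and `@tailwind-ui/forms` sit far from every known name and would sail through a typo-only filter, and it is the naming-pattern and publisher-metadata pass that puts them in front of a reviewer.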