Cybersecurity News: Meta, Yandex take heat on browsing identifiers, Acreed malware makes gains, HPE warns of critical auth bypass

Meta and Yandex are de-anonymizing Android users’ web browsing identifiers

Research group LocalMess posted on its GitHub page a lengthy explanation of how Meta and Yandex are exploiting Android’s browser-to-app communication to de-anonymize users by linking web activity to app identities through Meta Pixel and Yandex Metrica trackers. This method bypasses both Android and browser privacy protections by abusing localhost ports, letting Facebook, Instagram, and Yandex apps harvest unique web identifiers. Google says the practice violates Play Store rules and is working on fixes; Meta and Yandex claim they’re pausing or ending the behavior amid ongoing discussions.

(Ars Technica)

LummaC2 fractures as Acreed malware becomes top dog

LummaC2, a malware-as-a-service infostealer first seen in 2022 and used by threat groups, lost its dominance after a coordinated law enforcement operation in late May. Check Point Research says Lumma’s developers are trying to recover, but its reputation may be permanently damaged. Meanwhile, a new stealer called Acreed, first observed by Webz researchers on February 10th, has surged in popularity. According to ReliaQuest, Acreed now leads credential theft activity on the Russian Market, a top dark web platform, with more than 4,000 uploaded logs in its first week.

(Dark Reading)

Hewlett Packard Enterprise warns of critical StoreOnce auth bypass

Hewlett Packard Enterprise has patched eight vulnerabilities in its StoreOnce backup software, including a critical auth bypass flaw with a CVSS score of 9.8. The bug stems from a faulty authentication method and can enable remote exploitation of other linked flaws—three RCEs, two directory traversal issues, and one SSRF bug. All versions before v4.3.11 are affected, with no mitigations offered beyond upgrading. The flaws were reported in October 2024 and fixed after seven months. No exploitation has been publicly found.

(Bleeping Computer)

Vodafone Hit by Record German Data Fine Over Rogue Agents

Germany’s Federal Commissioner for Data Protection fined Vodafone €45 million for GDPR violations. The regulator said third-party sales agents acting on Vodafone’s behalf committed fraud via fake or altered contracts. Vodafone was fined €15M for failing to monitor these partners and another €30M for weak customer authentication that let unauthorized parties access eSIM profiles. Vodafone said the issues stemmed from “insufficient data protection checks” but claims it has since overhauled systems under new leadership.

(Bloomberg)

Huge thanks to our sponsor, Conveyor

Tired of herding cats to complete customer security questionnaires? 

Your team probably spends hours daily juggling the back and forth of completing these security requests.

That’s why Conveyor created Sue, the first AI Agent for Customer Trust. Sue doesn’t just handle completing security questionnaires and sending SOC 2 to prospects – she manages all the communication and follow-up too. 

You simply get notified when everything’s done so you can do a quick review. 

Stop wrangling cats and see what Sue can do for you at www.conveyor.com.

‘Crocodilus’ sharpens its teeth on Android users

The Android banking malware “Crocodilus” has expanded from Turkey to multiple regions including Spain, Poland, and parts of South America and Asia. It spreads via fake apps, ads, and browser updates, and now adds fake contacts, steals crypto wallet seed phrases, and uses obfuscation to evade detection. ThreatFabric, which first spotted Crocodilus in test campaigns in March, warns it’s rapidly evolving into a serious global threat.

(Dark Reading)

Exclusive: One-third of top U.S. cyber force has left since Trump took office

Axios reports that nearly 1,000 people in the U.S. Cybersecurity and Infrastructure Security Agency (CISA) workforce have left under the latest U.S. administration. This includes 600 recent voluntary buyouts and 174 deferred resignations, with additional cuts hitting contract teams like election integrity and DEI units. Critics warn the loss of key figures and shrinking resources could undermine U.S. cyber defenses amid rising threats. CISA leadership says it’s still mission-ready.

(Axios)

Coinbase breach tied to bribed TaskUs support agents in India

A Coinbase data breach disclosed in May has been linked to bribed customer support agents at Indian outsourcing firm TaskUs. Reuters reports two TaskUs employees were caught stealing names, emails, SSNs, and ID scans, and passing them to attackers in exchange for bribes. The breach was first detected in January, months before Coinbase made it public. Coinbase refused a $20M ransom, offering a bounty to identify the attackers instead. Nearly 70,000 customers were affected, and losses may reach $400M. TaskUs has since shut down its Coinbase operations in India.

(Bleeping Computer)

The UK Brings Cyberwarfare Out of the Closet

The UK published its 2025 Strategic Defence Review on June 2nd, openly committing for the first time to cyberwarfare as part of integrated military operations. The review proposes a centralized CyberEM command to coordinate cyber, AI, and electromagnetic capabilities across land, sea, air, and digital domains, citing 90,000 gray zone cyberattacks on UK military networks over the past two years. It also introduces the “targeting web,” a new AI-driven system for rapid, cross-domain decision-making and attacks, inspired by lessons from the war in Ukraine.

(SecurityWeek)

Malicious RubyGems pose as Fastlane to steal Telegram API data

Socket researchers discovered two malicious RubyGems masquerading as legitimate Fastlane CI/CD plugins. The packages reroute Telegram API traffic to attacker-controlled servers, harvesting sensitive data like bot tokens, message content, files, and proxy credentials. The attack exploits typosquatting and mimics the real plugin’s functionality and documentation. Socket warns the gems are still live, and developers should uninstall them, revoke affected bot tokens, rebuild binaries, and block affected traffic.

(Bleeping Computer)