# Today's Top Stories
July 05, 2026
## 1. JadePuffer ransomware used AI agent to automate entire attack
BleepingComputer, Jul 04
Researchers documented the first known ransomware operation — dubbed JadePuffer — conducted entirely by an LLM agent, automating the full attack chain without human intervention. This represents a qualitative shift in ransomware tradecraft, demonstrating that AI agents can now autonomously execute complex, multi-stage intrusions including initial access, lateral movement, and payload deployment.
## 2. Agentic AI Used to Conduct Ransomware Attack via Langflow
SecurityWeek, Jul 03
A separate but related report from SecurityWeek details how an agentic AI leveraged Langflow — a visual LLM orchestration framework — to automate a ransomware attack by combining known exploitation techniques with real-time LLM reasoning. This corroborates the JadePuffer findings and signals that LLM-driven attack automation via accessible tools like Langflow is a reproducible and emerging threat vector.
## 3. Critical Cursor AI Code Editor Flaws Could Lead to OS-Level Remote Code Execution
SecurityWeek, Jul 03
A set of critical vulnerabilities in the Cursor AI code editor, dubbed DuneSlide, enables zero-click prompt injection attacks that escape the application's sandbox and achieve OS-level remote code execution. Given Cursor's growing adoption among developers, these flaws pose supply-chain-adjacent risks: malicious code or untrusted prompts in a developer's workflow could fully compromise the host machine.
## 4. Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices
The Hacker News, Jul 03
Security firm runZero disclosed seven unpatched vulnerabilities in FatFs, a FAT/exFAT filesystem library embedded in firmware across millions of devices including security cameras, drones, industrial controllers, and hardware crypto wallets. Because FatFs ships as source code integrated directly into vendor firmware, coordinated patching is structurally difficult, leaving a vast and largely unmeasurable attack surface exposed.
## 5. NetNut proxy network disrupted, 2 million infected devices cut off
BleepingComputer, Jul 03
A joint operation involving Google disrupted NetNut, a residential proxy network that had compromised approximately 2 million Android devices — including smart TVs and streaming boxes — routing malicious traffic through them. The takedown severs access to a large-scale proxy infrastructure used to anonymize attacks and highlights continued abuse of consumer IoT devices as proxy nodes.
## 6. North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign
The Hacker News, Jul 04
The North Korean threat group behind Contagious Interview published 108 malicious packages and browser extensions across npm, Packagist, Go, and the Chrome Web Store in a campaign called PolinRider, compromising maintainer accounts to inject malware. The campaign remains active with new packages continuing to appear, posing a direct supply chain risk to developers using these ecosystems.
## 7. U.S. Government Entity Paid Kairos $1 Million in Data-Theft Extortion Case
The Hacker News, Jul 04
A U.S. government entity paid approximately $1 million in extortion to a group calling itself Kairos to prevent stolen files from being leaked, according to a Ransom-ISAC case study by Rakesh Krishnan built on leaked negotiation chats and blockchain transaction trails. Notably, Kairos shows no evidence of ever deploying ransomware encryption — operating purely as a data-theft extortion actor — complicating traditional ransomware-focused defenses and incident response playbooks.
## 8. ARToken PhaaS exposes EvilTokens' Microsoft 365 phishing toolkit
BleepingComputer, Jul 03
A new phishing-as-a-service platform called ARToken has been identified operating as an affiliate of the EvilTokens PhaaS ecosystem, offering a toolkit specifically designed to bypass Microsoft 365 defenses and harvest credentials at scale. The discovery exposes the structured affiliate model underpinning modern PhaaS operations, where modular toolkits lower the barrier for credential-harvesting campaigns targeting enterprise M365 environments.
## 9. New Avalon Malware Framework Packs CrownX Ransomware Capabilities
The Hacker News, Jul 03
Researchers uncovered Avalon, a previously undocumented modular malware framework that delivers CrownX ransomware via multi-stage phishing chains capable of bypassing traditional security controls. Avalon consolidates credential harvesting, lateral movement, remote access, backup/recovery disruption, and ransomware execution into a single framework, making it a comprehensive threat requiring defense-in-depth controls across multiple kill-chain stages.
## 10. Armored Likho Targets Government Agencies, Power Sector with BusySnake Stealer
The Hacker News, Jul 03
Kaspersky attributed a previously undocumented threat actor called Armored Likho to targeted cyberattacks against government agencies and electric power sector organizations in Russia, Brazil, and Kazakhstan, deploying a stealer dubbed BusySnake. The group blends financially motivated campaigns against individuals with structured espionage operations against critical infrastructure, complicating attribution and suggesting a dual-purpose operational model.