u/rayquazaluxus

Google Warns Hackers Are Using AI to Build Working Zero-Day Exploits

Artificial intelligence has officially transitioned from an experimental hacking novelty into an industrial-scale weapon for cybercriminals.

Google Threat Intelligence Group (GTIG) warns that adversaries are now actively using generative AI models to discover vulnerabilities and engineer functional zero-day exploits.

gbhackers.com
u/rayquazaluxus — 1 day ago

Fake Claude AI Installer Pages Trick Users Into Malware Downloads

Threat actors are exploiting the growing reliance on artificial intelligence tools by distributing state-linked espionage malware through a new social engineering campaign dubbed InstallFix.

Also known as the Fake Claude Installer threat, this sophisticated operation targets developers and professional users searching for Anthropic’s Claude AI assistant.

Attackers use deceptive Google Ads to promote fake, pixel-perfect installation pages that trick victims into running malicious command-line instructions, leading to severe system compromises.

This campaign specifically capitalizes on the modern developer habit of executing terminal commands directly from the internet without thorough inspection, expanding the pool of potential victims beyond traditional targets.

cyberpress.org
u/rayquazaluxus — 2 days ago

The Iranian state-sponsored hacking group known as MuddyWater (aka Mango Sandstorm, Seedworm, and Static Kitten) has been attributed to a ransomware attack in what has been described as a "false flag" operation.

The attack, observed by Rapid7 in early 2026, has been found to leverage social engineering techniques via Microsoft Teams to initiate the infection sequence. Although the incident initially appeared to be consistent with a ransomware-as-a-service (RaaS) group operating under the Chaos brand, evidence points to it being a targeted state-backed attack that masquerades as opportunistic extortion.

"The campaign was characterized by a high-touch social engineering phase conducted via Microsoft Teams, where the attackers utilized interactive screen-sharing to harvest credentials and manipulate multi-factor authentication (MFA)," Rapid7 said in a report shared with The Hacker News.

"Once inside, the group bypassed traditional ransomware workflows, forgoing file encryption in favor of data exfiltration and long-term persistence via remote management tools like DWAgent."

u/rayquazaluxus — 6 days ago

A critical remote code execution vulnerability in the Google Gemini CLI and its associated GitHub Action, assigned a maximum severity score of CVSS 10.0, allowed unprivileged external attackers to execute commands directly on host systems.

This vulnerability effectively turned automated CI/CD pipelines into potential attack vectors in the supply chain.

Unlike typical AI exploits, this did not rely on prompt injection or model manipulation.

Instead, it was an infrastructure-level exploit that triggered before the AI agents’ sandbox could even initialize.

u/rayquazaluxus — 8 days ago

Google has released the Android Security Bulletin for May 2026, addressing a highly critical vulnerability that allows attackers to execute code remotely without any user interaction.

Published on May 4, 2026, the latest security update focuses heavily on a severe flaw located within the Android System component. Threat actors can exploit this vulnerability to gain remote shell access to a targeted mobile device.

u/rayquazaluxus — 8 days ago

Hackread - Cybersecurity News, Data Breaches, AI and More

New DHL Phishing Scam Uses 11-Step Attack Chain to Steal Passwords

Forcepoint’s X-Labs reports an 11-step DHL phishing scam that uses fake OTP codes and EmailJS to harvest user credentials and device telemetry.

by Deeba Ahmed, April 28, 2026

Researchers from Forcepoint’s X-Labs team recently found a phishing campaign designed to steal login credentials from users. In this campaign, what grabbed researchers’ attention was that the threat actors used the DHL brand name to trick users into revealing their passwords through an 11-step attack chain.

The Email Lure

The campaign begins with a spoofed email that appears to be from DHL Express with this subject line: “DHL EXPRESS WAYBILL CONFIRMATION REQUIRED,” asking the victim to confirm a waybill or shipment. According to researchers, there’s a huge giveaway of a scam as the display name is DHL EXPRESS, whereas the sender domain is cupelva.com. This means the email passed DKIM authentication for the attacker’s domain, which helps it bypass some security filters.

Upon clicking the link, the victim is sent to a fake parcel OTP page at perfectgoc.com. This page shows a fake verification step that displays a six-digit number generated locally by JavaScript. Researchers noted that this isn’t a real security check because the system doesn’t send an SMS or email, and instead, asks the user to type in the number appearing on their screen to generate a false sense of trust. This page also includes a two-second delay to mimic real data processing.

“The campaign targets individuals rather than specific organizations and shows no geographic concentration. What makes it worth examining is the OTP mechanic: a trust-building layer with no real authentication behind it, engineered entirely to lower the victim’s guard before the actual theft begins,” Forcepoint researchers explained in the blog post, shared with Hackread.com.

u/rayquazaluxus — 14 days ago

Cyber Infidelity is much more common than back in the old days where smartphones did not exist. Thirsty Accounts on Instagram, Facebook and other hidden profiles your significant other might have access to and communicate with. Here is a breakdown of the do's and don'ts when seeking our Cyber Services to track down activity of your significant other.

  1. This is a very popular one: no, we don't hack your partner's devices or accounts. It is illegal; the only exception though is if the phone was purchased by you and under the same account. Again, this depends on state and international laws.

  2. Yes, we can track anonymous accounts, we have been getting very creative getting identities and if this is for divorce proceedings to gain proof for infidelity cases. We have a report ready and respect the chain of custody to gather digital footprints to assist with your case.

  3. We will interview you, we will check to see if you have any bad intentions to abuse our services and will alert authorities in your state if there is an existing restraining order against you.

  4. We will give a cyber consultation on how to proceed forward legally and refer you to legal points of resources within your district. Our mission is to protect you and have you stay within legal grounds and not face fines or possible overturn of your case. We do not however offer pro-bono services.

  5. We will not give you information of the account or individual your partner is cheating with unless legal is involved and contracts are signed. No legal, no contracts, then no service.

  6. Last, to gain access to messages and emails, you will need a subpoena; however, if you pay for their email storage or subscription then it's legal to gain those messages or connected to an LLC you control.

I hope this clears up when you seek a Cyber Investigator.

Have an Excellent Cyber Wednesday!

u/rayquazaluxus — 15 days ago

While OpenAI’s comparable tools are available to government agencies, CISA is yet to access them either, the staffers said. Soon after Anthropic unveiled Mythos, OpenAI released GPT 5.5 and opened up its Trusted Cyber Access program, where vetted cybersecurity teams can use its advanced AI models for finding and fixing software flaws. OpenAI said both state and federal government agencies protecting critical infrastructure could get access to its Trusted Access for Cyber program, the same as commercial companies, but declined to say who had joined.

u/rayquazaluxus — 17 days ago

The invite: The landing page that leads to an installer 

The landing page leans heavily into the party theme, but instead of showing event details, the page nudges the user toward opening a file. None of them look dangerous on their own, but together they keep the user focused on the “invitation” file: 

A bold “You’re Invited!” headline 

The suggestion that a friend had sent the invitation 

A message saying the invitation is best viewed on a Windows laptop or desktop

A countdown suggesting your invitation is already “downloading” 

A message implying urgency and social proof (“I opened mine and it was so easy!”) 

Within seconds, the browser is redirected to download RSVPPartyInvitationCard.msi 

The page even triggers the download automatically to keep the victim moving forward without stopping to think. 

This MSI file isn’t an invitation. It’s an installer. 

u/rayquazaluxus — 19 days ago

Vercel has disclosed a significant security incident after threat actors gained unauthorized access to internal systems, with a hacker group reportedly attempting to sell stolen data for $2 million on underground forums.

Vercel, one of the most widely used frontend cloud platforms powering millions of developer deployments, confirmed the breach in an official security bulletin published on April 18–19, 2026.

The company stated it is actively investigating the incident with the help of cybersecurity firm Mandiant and has notified law enforcement authorities.

The intrusion traces back to a compromise of Context.ai, a third-party AI tool used by a Vercel employee. Attackers leveraged a malicious or compromised Google Workspace OAuth app associated with Context.ai to hijack the employee’s Google Workspace account.

u/rayquazaluxus — 21 days ago

For those that are experimenting with A.I, including Anthropic. Just keep in mind to follow safety precautions as for skills available for OpenClaw because at least 25 percent of those skills are malware.

Open Source A.I or Licensed, is officially a hot target for malicious actors. Even to the point that you are facing off against an A.I agent. Now we have to implement our own A.I to counteract fast speed attacks that a normal advanced pentester can't.

Make sure your Firewall only allows SSH tunneling for safety measures and loading your dashboard should only be accessible to you unless in group projects.

Also tell your A.I agent to only take commands from you as malicious actors don't circumvent your privileges.

Have fun but play smart!

Mod Team

u/rayquazaluxus — 22 days ago

A critical flaw in Anthropic’s Model Context Protocol (MCP) exposes over 150 million downloads to potential compromise. The vulnerability could enable full system takeover across up to 200,000 servers.

The OX Security Research team identified the flaw as a fundamental design decision embedded in Anthropic’s official MCP SDKs across every supported programming language, including Python, TypeScript, Java, and Rust.

Unlike a traditional coding bug, this vulnerability is architectural, meaning any developer building on Anthropic’s MCP foundation unknowingly inherits the exposure from the ground up.

The flaw enables Arbitrary Command Execution (RCE) on any system running a vulnerable MCP implementation.

u/rayquazaluxus — 23 days ago

Cybersecurity researchers have identified 22 new vulnerabilities in popular models of serial-to-IP converters from Lantronix and Silex that could be exploited to hijack susceptible devices and tamper with data exchanged by them.

The vulnerabilities have been collectively codenamed BRIDGE:BREAK by Forescout Research Vedere Labs, which identified nearly 20,000 Serial-to-Ethernet converters exposed online globally.

"Some of these vulnerabilities allow attackers to take full control of mission-critical devices connected via serial links," the cybersecurity company said in a report shared with The Hacker News.

Serial-to-IP converters are hardware devices that enable users to remotely access, control, and manage any serial device over an IP network or the internet by "bridging" legacy applications and industrial control systems (ICS) that operate over TCP/IP.

u/rayquazaluxus — 23 days ago