r/pwnhub

▲ 10 r/pwnhub

Github Internal Repos accessed

We are investigating unauthorized access to GitHub’s internal repositories. While we currently have no evidence of impact to customer information stored outside of GitHub’s internal repositories (such as our customers’ enterprises, organizations, and repositories), we are closely monitoring our infrastructure for follow-on activity.

Then at 0500

1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories.

Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version,

2/ Our current assessment is that the activity involved exfiltration of GitHub-internal repositories only. The attacker’s current claims of ~3,800 repositories are directionally consistent with our investigation so far.

3/ We moved quickly to reduce risk. Critical secrets were rotated yesterday and overnight with the highest-impact credentials prioritized first.

4/ We continue to analyze logs, validate secret rotation, and monitor for any follow-on activity. We will take additional action as the investigation warrants.

https://xcancel.com/github/status/2056884788179726685

reddit.com
u/Lost-Droids — 2 hours ago
▲ 30 r/pwnhub+15 crossposts

48-hour HASBLCTF'26 CTF competition

First of all, I want to make clear that this post is not an advertisement; it is shared only so that this event, which we are organizing as high school students, reaches more people.

In short: the four of us are organizing a Jeopardy-style CTF called HASBL CTF; the registration link is at the very bottom.

So what is a CTF? CTF stands for Capture The Flag, a competition format aimed at testing and developing our skills in different categories of cybersecurity. The goal is to find the vulnerability in the challenge given for each category and reach the answer (the flag):

To say a bit about ourselves: we are four 11th-grade students at a social sciences high school, and after taking part in many CTFs we said, "Why don't we try writing challenges too?" and decided to run our own CTF competition. We did our best and, well, we made something...

Moving on to the event details:

Categories:

  • Web: find a vulnerability in the instance you spin up and reach the flag.
  • OSINT (Open Source Intelligence): reach the flag by examining and analyzing evidence in the material given in the challenge, such as photos/videos, social media account names, etc.
  • Cryptography: put simply, code breaking. Work out the logic of the code and/or data to turn the encrypted flag back into readable form and reach it.
  • Reverse/Reverse Engineering: use certain tools to work out how a compiled program or machine code works, make it readable, and reach the flag.
  • Pwn (Vulnerability/Exploitation): find the security holes in the target system, break in, escalate privileges, and reach the flag.
  • Forensics: reach the flag by examining digital evidence (logs, disk images, Wireshark captures, etc.).

While writing the category definitions even I felt like we were doing something bad, but rest assured, we are definitely not doing anything like that.

Date:

  • It will run for 48 hours on 29, 30, and 31 May.

Platform:

  • It will be hosted on our own servers (Google Cloud) using the CTFd platform.
  • We have also announced the competition on CTFtime but are waiting for approval; since that matters for CTFs, I will add it here once it is accepted.

Rules: the rules are on our website, but let me briefly mention a few important ones.

  • Teams can have a minimum of 1 and a maximum of 4 members.
  • Sharing flags is forbidden.
  • Publishing write-ups during the competition is forbidden.
  • It is important that participants be respectful to each other and show good sportsmanship throughout the competition.

Registration and more information:

  • For registration and more information, you can visit our website via the link section.
  • Registration will stay open throughout the competition, and anyone who wants to can take part with no particular requirements.
  • Prizes are not yet determined (TBA), unfortunately.
  • There will be mistakes in this event, which we prepared as high school students with limited time and budget, but we are careful to fix them and improve ourselves.
  • If you have any suggestions or questions about the site or the competition in general, we would be happy to hear them, answer them, and improve.

Thanks in advance to everyone showing interest, and to the CuteTopia sub for letting me open this thread.

hasblctf.tech
u/Rav3nnd — 14 hours ago
▲ 1.0k r/pwnhub+2 crossposts

314 npm packages just got compromised, 271 @antv, echarts-for-react, size-sensor, timeago.js

The atool maintainer account got hacked, and the attacker pushed 631 malicious versions across 314 packages in 22 minutes. Another day and another attack. It steals everything: AWS keys, GitHub tokens, npm creds, SSH keys, database strings, Docker configs, Kubernetes tokens. If you have the Docker socket exposed, it escapes the container with privileged access.

safedep.io
u/BattleRemote3157 — 1 day ago
▲ 38 r/pwnhub

Pay up, or we'll send someone to your house. Ransomware just got a lot scarier.

40% of ransomware attacks now come with physical threats to employees, and in the US that number jumps to 46%.

We're way past "pay up or we leak your data" at this point. A hospital got phone calls where strangers read nurses their home addresses down the line, and a security researcher had a threatening note left on his doorstep while he was actively helping a US government agency deal with an attack.

The playbook is simple and honestly kind of genius in a terrifying way: hackers stay hidden overseas and just hire local, post on a forum, offer some cash, and let someone else do the knocking. The FBI flagged a whole network for this last summer that's been tied to arson, kidnappings, even shootings.

What nobody seems to be talking about though is what this actually means for companies, because your HR database full of employee home addresses is no longer just a privacy liability - it's a physical safety problem, and I'd bet almost no incident response plan in existence covers the moment a staff member picks up the phone and a stranger calmly reads their address back to them.

If you work in security or IT, has this actually come up in any planning conversations at your company, or is everyone still treating this like a purely digital problem?

reddit.com
u/Syncplify — 18 hours ago
▲ 17 r/pwnhub

The New Phishing Click: How OAuth Consent Bypasses MFA

A new phishing threat is exploiting OAuth consent, allowing attackers to bypass traditional MFA protections and compromise user accounts.

Key Points:

  • EvilTokens, a phishing-as-a-service platform, has compromised over 340 Microsoft 365 organizations.
  • Attackers exploit OAuth consent screens to obtain valid refresh tokens without needing user passwords.
  • Tokens issued through this method can survive password resets, extending the window of vulnerability.
  • Consent phishing blurs the lines of authorized data access, creating complex risk scenarios.
  • Emerging AI-driven security solutions could enhance visibility and control over OAuth grants and integrations.

In February 2026, a phishing platform named EvilTokens emerged, quickly targeting Microsoft 365 organizations across various countries. It employs a moderately sophisticated tactic whereby users receive prompts to complete their normal MFA challenges, mistakenly believing they are engaging in a routine log-in process. Instead, they unknowingly grant attackers access to refresh tokens linked to their mailbox, drive, calendar, and other resources. This method bypasses password entry and further MFA prompts, rendering traditional security measures ineffective against such phishing attacks.

The nature of OAuth grants means that actors can secure long-term access without triggering alarms typical of credential theft. These refresh tokens remain valid well into the future, depending on tenant configurations, making traditional password management protocols less effective. Furthermore, the rising prevalence of MFA and authorized consents leads users to click through prompts without fully understanding the implications, allowing attackers to bridge access points across various applications and heightening potential risks. As organizations continue to adapt to this evolving threat landscape, they must recognize and treat OAuth consent as critical to their identity management and security framework.

How can organizations better educate employees about the risks of OAuth consent to prevent consent phishing?

Learn More: The Hacker News

Want to stay updated on the latest cyber threats?

👉 Subscribe to /r/PwnHub

u/_cybersecurity_ — 18 hours ago
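As an added example (not from the post or The Hacker News), this is the triage a defender might run over consent-grant audit events to surface the pattern described above: an app outside the approved list obtaining a refresh token together with mailbox or file scopes. The event schema, user names and app ids are constructed sample data, and the approved-app list is an assumption; the scope names are real Microsoft Graph scopes.

```python
from dataclasses import dataclass

# offline_access is the OAuth 2.0 / OIDC scope that makes the authorization
# server issue a refresh token; the other scopes give the mailbox, drive and
# calendar reach the post describes.
REFRESH_TOKEN_SCOPE = "offline_access"
DATA_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All",
               "Files.ReadWrite.All", "Calendars.Read", "Calendars.ReadWrite"}


@dataclass(frozen=True)
class Finding:
    user: str
    app_name: str
    app_id: str
    reasons: tuple


def risky_consents(events, approved_app_ids):
    """Return a Finding for each consent event in which an app outside the
    approved list obtained a refresh token together with data scopes."""
    findings = []
    for ev in events:
        if ev.get("activity") != "Consent to application":
            continue
        scopes = set(ev.get("scopes", "").split())
        data = sorted(scopes & DATA_SCOPES)
        unapproved = ev["app_id"] not in approved_app_ids
        persistent = REFRESH_TOKEN_SCOPE in scopes
        if not (unapproved and persistent and data):
            continue
        reasons = ["app not on approved list",
                   "offline_access requested: refresh token issued",
                   "data scopes: " + ", ".join(data)]
        if not ev.get("publisher_verified", False):
            reasons.append("publisher not verified")
        findings.append(Finding(ev["user"], ev["app_name"], ev["app_id"],
                                tuple(reasons)))
    return findings


# Constructed sample events in a simplified schema (not a real tenant's log
# format); app ids and users are placeholders. Assumption: one approved app.
APPROVED_APP_IDS = {"11111111-1111-1111-1111-111111111111"}
SAMPLE_EVENTS = [
    {"activity": "Sign-in", "user": "alice@example.com"},
    {"activity": "Consent to application", "user": "alice@example.com",
     "app_id": "11111111-1111-1111-1111-111111111111",
     "app_name": "Approved Mail Client", "publisher_verified": True,
     "scopes": "openid profile offline_access Mail.Read"},
    {"activity": "Consent to application", "user": "bob@example.com",
     "app_id": "22222222-2222-2222-2222-222222222222",
     "app_name": "Mailbox Sync Helper", "publisher_verified": False,
     "scopes": "openid offline_access Mail.ReadWrite Files.ReadWrite.All"},
    {"activity": "Consent to application", "user": "carol@example.com",
     "app_id": "33333333-3333-3333-3333-333333333333",
     "app_name": "Profile Widget", "publisher_verified": False,
     "scopes": "openid profile User.Read"},
]

if __name__ == "__main__":
    for f in risky_consents(SAMPLE_EVENTS, APPROVED_APP_IDS):
        # Remediation is revoking the grant and the app's tokens for the
        # user; as the post notes, a password reset alone leaves them valid.
        print(f"{f.user}: {f.app_name} ({f.app_id})")
        for reason in f.reasons:
            print("   -", reason)
```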
▲ 15 r/pwnhub+4 crossposts

SeekYou, unified host intelligence across 15 sources

SeekYou – unified host intelligence across 15 sources, runs free on Cloudflare.
- Built a tool that takes any IP, domain, or ASN and queries 15 sources in parallel: open ports, CVEs, BGP, RDAP, cert history, passive DNS, 5 threat feeds, exposed buckets, Wayback snapshots — all in one report.
- 4-layer parallel execution (total time ≈ slowest source, not sum of all).
- KV caching per source, circuit breakers, per-IP rate limiting.
- Typed diff engine — get alerted when ports open, CVEs appear, or certs expire on monitored hosts.
- Runs entirely on Cloudflare free tier (~5k lookups/day).
Source: https://github.com/Teycir/SeekYou

u/tcoder7 — 16 hours ago
▲ 13 r/pwnhub

Massive Data Breach at Erie Family Health Centers Impacts 570,000 Individuals

A significant data breach at Erie Family Health Centers has exposed sensitive information of nearly 570,000 individuals.

Key Points:

  • Unauthorized access confirmed from December 10, 2025, to January 27, 2026.
  • Exposed data includes a wide range of personal and protected health information.
  • Complimentary credit monitoring and identity theft protection services offered to affected individuals.

Erie Family Health Centers, based in Chicago, has become the latest organization to fall victim to a data breach, revealing confidential information of approximately 570,000 individuals. Following a detection of suspicious activity on January 27, 2026, an investigation by third-party digital forensics experts disclosed that an unauthorized party had gained access to the network on December 10, 2025, maintaining that access undetected for over a month.

The breach compromised various types of personal information, including names, addresses, Social Security numbers, and medical records. Such exposure raises serious concerns about identity theft and the misuse of sensitive data. In response, Erie Family Health Centers has enhanced their network security measures and is providing affected individuals with credit monitoring services to mitigate potential risks. Notably, this incident marks the second breach reported by the organization within the same year, following an earlier incident related to a business associate.

How should healthcare organizations enhance their data security to prevent similar breaches?

Learn More: HIPAA Journal

reddit.com
u/_cybersecurity_ — 18 hours ago
▲ 59 r/pwnhub+1 crossposts

Millions Impacted as Multiple US Healthcare Organizations Report Data Breaches

Recent healthcare data breaches have affected millions of individuals, exposing sensitive personal and medical information.

Key Points:

  • New York City Health and Hospitals Corporation breach affects 1.8 million individuals.
  • Erie Family Health Centers in Chicago reports 570,000 impacted due to hackers accessing their network.
  • Florida Physician Specialists breach impacts 276,000 individuals in a two-day attack.
  • Coastal Carolina Health Care and Western Orthopaedics breaches each affect approximately 110,000 people.
  • Breach at Nacogdoches Memorial Hospital shows conflicting data, reporting up to 2.5 million affected.

Recent disclosures have highlighted significant breaches across several healthcare organizations in the United States, with millions of individuals' personal and medical information at risk. The New York City Health and Hospitals Corporation reported the largest incident, confirming unauthorized access from November 2025 to February 2026, impacting 1.8 million individuals. The breach involved sensitive data, including personal health and financial information, a serious concern given the potential for identity theft and fraud.

Similarly, the Erie Family Health Centers breach indicates that 570,000 individuals were affected due to a cyber attack that took place between December 2025 and January 2026. Information compromised in this case ranged from names and Social Security numbers to medical details. Other notable incidents include breaches at Florida Physician Specialists and Coastal Carolina Health Care, suggesting a pattern of vulnerabilities within the healthcare sector.

While various organizations have reported breaches affecting hundreds of thousands, caution should be taken as reported figures might change, evidenced by discrepancies such as the 2.5 million individuals initially indicated to be affected at Nacogdoches Memorial Hospital. The lack of claims from known cybercrime groups adds to the confusion of attributing these breaches, maintaining a high level of concern regarding cybersecurity in healthcare.

What measures do you think healthcare organizations should implement to better protect patient data?

Learn More: Security Week

u/RealOzSultan — 1 day ago
▲ 28 r/pwnhub

Critical Windows 0-Day Vulnerability: MiniPlasma Enables SYSTEM Privilege Escalation

A newly uncovered Windows 0-day vulnerability allows attackers to gain SYSTEM privileges on fully patched systems, posing significant security risks.

Key Points:

  • MiniPlasma affects all versions of Windows by exploiting the Cloud Files Mini Filter Driver.
  • The flaw was initially reported in 2020 and thought to be patched, but remains unaddressed.
  • It allows attackers to execute commands with SYSTEM privileges, significantly compromising system integrity.

The recently disclosed MiniPlasma vulnerability is a serious security risk as it allows attackers to escalate their privileges to SYSTEM levels on fully patched Windows systems. This 0-day flaw resides in the 'cldflt.sys' driver, specifically within the 'HsmOsBlockPlaceholderAccess' routine. Despite being reported to Microsoft in September 2020 and believed to have been patched by December 2020, further investigation by security researcher Chaotic Eclipse has revealed that the problem persists unaddressed. The original proof-of-concept from Google Project Zero still functions, indicating a troubling failure in addressing the vulnerability.

The implications of this exploit are profound, particularly as it potentially affects all Windows versions. It enables attackers to open a command prompt with SYSTEM privileges, providing them with extensive control over the target system. Recent reports confirm that MiniPlasma operates effectively on Windows 11, suggesting that even the latest updates do not mitigate this risk. Furthermore, the timing of its discovery coincides with another privilege escalation flaw recently addressed by Microsoft, raising concerns about the adequacy of existing security measures and the persistence of unpatched vulnerabilities across platforms.

What steps should users take to protect their systems from known and unknown vulnerabilities like MiniPlasma?

Learn More: The Hacker News

u/_cybersecurity_ — 1 day ago
▲ 18 r/pwnhub

The Shai-Hulud Worm Goes Open-Source: Copycats Weaponize Typosquatted npm Packages

Last week, the TeamPCP threat group shocked the security community by dumping the full source code of their Shai-Hulud worm onto GitHub—even offering a $1,000 "bounty competition" on BreachForums for the biggest supply chain hack. The fallout is already here.

Researchers at Ox Security have caught the first wave of copycat packages hitting the npm registry, racking up over 2,600 downloads via aggressive typosquatting.

The "Devouring" Self-Propagation Mechanics: Named after the Dune sandworms, Shai-Hulud is highly dangerous because it targets developer environments and CI/CD pipelines to self-propagate:

  1. It infects a developer's workstation via typosquatted dependencies.
  2. It harvests npm tokens, GitHub personal access tokens (PATs), AWS keys, and Kubernetes secrets.
  3. It uses the stolen credentials to automatically inject its payload into the victim’s legitimate repositories, publishing tainted updates on their behalf to infect downstream targets.

The First Discovered Clones:

A threat actor using the handle deadcode09284814 pushed four un-obfuscated packages, utilizing the leaked source code with customized C2 servers:

  • chalk-tempalte: A direct, un-obfuscated clone of the Shai-Hulud worm. Drops stolen credentials to a new public GitHub repo titled "A Mini Sha1-Hulud has Appeared" and a C2 at 87e0bbc636999b[.]lhr[.]life.
  • axois-utils: Deviates from the worm structure to deploy a Go-based DDoS botnet called Phantom Bot (establishing persistence via Windows Startup and scheduled tasks).
  • deadcode09284814/axios-util & color-style-utils: Standard infostealers grabbing cloud environment variables.

Defensive Actions & Blue Team IoCs:

If you run a JS shop, check your environment for:

  • Outbound hits to 87e0bbc636999b[.]lhr[.]life or 80[.]200[.]28[.]28:2222.
  • Malicious hooks or file creations within IDEs or Coding Agents (like Claude Code configuration states).
  • Audit for any repository initialization patterns matching the "Mini Sha1-Hulud" exfil pattern.

Full Technical Analysis & Complete Hash List: https://www.technadu.com/first-shai-hulud-worm-clones-emerge-in-npm-supply-chain/627948/

u/technadu — 1 day ago
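As an added example (not from the post, Ox Security or TechNadu), a small blue-team check for the two items in the post's defensive list: lookalike dependency names in a package-lock.json and egress to the quoted C2 indicators. It generalizes the name check to any package within one edit (including a transposition such as "axois") of a known-good name. The lockfile, log lines and the known-good allowlist are constructed sample data; the indicators are the ones quoted in the post with the de-fanging brackets removed.

```python
import json

# Assumption: a short allowlist of known-good names; in practice this is
# the organization's approved-dependency list.
KNOWN_GOOD = {"chalk", "chalk-template", "axios", "color"}

# Indicators quoted in the post, de-fanging brackets removed for matching.
C2_INDICATORS = {"87e0bbc636999b.lhr.life", "80.200.28.28:2222"}


def one_edit_apart(a: str, b: str) -> bool:
    """True if a and b differ by exactly one insertion, deletion,
    substitution or adjacent transposition (e.g. "axois" vs "axios")."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diffs) == 1:
            return True                          # single substitution
        return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and a[diffs[0]] == b[diffs[1]]
                and a[diffs[1]] == b[diffs[0]])  # adjacent transposition
    short, long_ = sorted((a, b), key=len)
    # One insertion/deletion: dropping some char of the longer yields the shorter
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def typosquat_candidates(lockfile_text: str, known_good=KNOWN_GOOD) -> list:
    """Return sorted (installed_name, lookalike) pairs for lockfile entries
    whose name, or leading hyphen segment, is one edit from a known-good
    package without being that package."""
    lock = json.loads(lockfile_text)
    hits = set()
    for path in lock.get("packages", {}):
        if not path:
            continue                              # "" is the root project
        name = path.rsplit("node_modules/", 1)[-1]
        for token in {name, name.split("-")[0]}:
            if token in known_good:
                continue
            for good in known_good:
                if one_edit_apart(token, good):
                    hits.add((name, good))
    return sorted(hits)


def c2_hits(log_lines, indicators=C2_INDICATORS) -> list:
    """Return the log lines that mention one of the indicators."""
    return [ln for ln in log_lines if any(ioc in ln for ioc in indicators)]


# Constructed lockfile: one legitimate package plus the three lookalike names
# from the post. color-style-utils is not a misspelling of anything on the
# allowlist, which is why the network indicators are checked as well.
SAMPLE_LOCK = json.dumps({"name": "demo-app", "lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/chalk": {"version": "5.3.0"},
    "node_modules/chalk-tempalte": {"version": "1.0.0"},
    "node_modules/axois-utils": {"version": "1.0.2"},
    "node_modules/color-style-utils": {"version": "0.1.0"}}})

# Constructed egress log lines; hosts other than the indicators are placeholders.
SAMPLE_LOG = [
    "2026-04-21T10:02:11Z dev-laptop-07 dns registry.npmjs.org",
    "2026-04-21T10:02:14Z dev-laptop-07 dns 87e0bbc636999b.lhr.life",
    "2026-04-21T10:02:15Z ci-runner-3 tcp 80.200.28.28:2222",
    "2026-04-21T10:02:20Z ci-runner-3 tcp 203.0.113.10:443",
]

if __name__ == "__main__":
    for name, good in typosquat_candidates(SAMPLE_LOCK):
        print(f"lookalike dependency: {name} (resembles {good})")
    for line in c2_hits(SAMPLE_LOG):
        print("C2 indicator seen:", line)
```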
▲ 13 r/pwnhub

Critical Security Flaws Found in Ivanti, Fortinet, SAP, VMware, and n8n Require Immediate Attention

Recent security updates from Ivanti, Fortinet, SAP, VMware, and n8n address critical vulnerabilities that pose significant risks to users.

Key Points:

  • Ivanti Xtraction has a critical flaw (CVE-2026-8043) allowing client-side attacks.
  • Fortinet's vulnerabilities (CVE-2026-44277, CVE-2026-26083) could enable unauthorized code execution.
  • SAP's SQL injection and missing authentication flaws (CVE-2026-34260, CVE-2026-34263) threaten application confidentiality.
  • VMware Fusion's flaw (CVE-2026-41702) allows local privilege escalation for non-administrative users.
  • n8n faces multiple vulnerabilities (CVE-2026-42231 to CVE-2026-44790) risking remote code execution.

A series of patches has been released by major tech companies to address critical vulnerabilities across their platforms. Ivanti has identified a significant flaw in its Xtraction product, where a remote authenticated attacker could exploit improper file access, leading to sensitive data exposure or client-side attacks. This highlights the ongoing struggle to maintain software security in environments that are increasingly targeted by cybercriminals.

Fortinet also addressed substantial risks in its FortiAuthenticator and FortiSandbox products, with vulnerabilities allowing unauthorized code execution that could compromise entire systems. SAP has reported issues that stem from SQL injection possibilities and excessive permissions allowing changes to configurations, potentially exposing sensitive data and disrupting services. Meanwhile, VMware's update addresses a potentially damaging flaw that could enable local users to gain elevated privileges, posing significant risks on machines where the software is installed. Lastly, n8n has unveiled numerous serious vulnerabilities that could allow extensive exploitation possibilities, including remote code execution and accessing sensitive server files, pending patch application.

What steps can organizations take to better protect themselves against such widespread vulnerabilities?

Learn More: The Hacker News

u/_cybersecurity_ — 1 day ago
▲ 12 r/pwnhub

7-Eleven Confirms Data Breach Amid ShinyHunters Ransom Demand

7-Eleven has confirmed a data breach after the ShinyHunters hacker group claimed to have stolen sensitive information from its systems.

Key Points:

  • 7-Eleven detected an intrusion on April 8, affecting systems storing franchisee documents.
  • Unspecified personal information was compromised, with only two residents in Maine reported as affected.
  • ShinyHunters claimed to have taken over 600,000 records, threatening to leak the data unless a ransom was paid by April 21.

7-Eleven, the leading convenience store chain globally, has reported a confirmed data breach stemming from a recent intrusion into its systems. The breach was first indicated by the hacker group ShinyHunters, who boasted of stealing a significant data set, including sensitive personal and corporate information. The company has started notifying affected parties about the incident, which was detected during a routine security check on April 8. Although the specific number of individuals impacted has not been disclosed, the company noted that only two residents from Maine were affected, suggesting a limited scope for this breach.

This incident highlights the escalating threats posed by cybercriminals, particularly the ShinyHunters group, which has been increasingly targeting Salesforce instances of major organizations. Their tactics typically involve phishing and exploiting third-party application misconfigurations rather than exploiting inherent vulnerabilities within Salesforce itself. Following the breach, ShinyHunters has issued ransom demands and has made threats to publicly release the stolen data if their demands are not met. This poses a risk not only to the immediate victims but also raises concerns about broader implications for data security across the franchise landscape.

What measures do you think companies should take to protect themselves from similar data breaches?

Learn More: Security Week

u/_cybersecurity_ — 1 day ago