ThreatsDay Bulletin: Smart TV Proxyware, 24-Year curl Bug, AI Crime Forums + 13 More Stories

AISLE said it discovered six vulnerabilities in curl, which range from “classic memory-lifetime issues to logic bugs in how libcurl decides whether a connection, credential, or host identity is still valid.” One of the notable vulnerabilities is CVE-2026-8932, which allows the library to “reuse a previously created connection even when some mTLS config-related option had been changed that should have prohibited reuse.” AISLE described it as the oldest curl vulnerability reported so far, adding that it has been shipped in releases since curl version 7.7, which was released on March 22, 2001. The identified flaws have been addressed in version 8.21.0.

A critical security flaw has been disclosed in self-hosted versions of Hoppscotch(CVE-2026-50160, CVSS score: 10.0), an open source API platform, that can result in complete compromise. Offgrid Security’s autonomous AI security agent, Kiro, has been credited with discovering the bug. “The POST /v1/onboarding/config endpoint allows an unauthenticated attacker to inject arbitrary InfraConfig keys — including JWT_SECRET and SESSION_SECRET — into the database via mass assignment,” the project maintainers said. “These keys are not declared in the SaveOnboardingConfigRequest DTO, but because the NestJS ValidationPipe does not strip extra properties, they pass through to the service layer, where Object.entries(dto) iterates all keys without restriction.” A successful exploitation leads to full server compromise and persistent access that survives password resets. OffGrid Security told The Hacker News that four independent weaknesses are combined to allow an unauthenticated attacker to overwrite the JWT signing key in a single HTTP request, and the exploit requires no credentials. The issue has been fixed in hoppscotch-backend version 2026.5.0.

A new report from Spur Intelligence has revealed that more than one-third of LG and Samsung smart TV apps it reviewed contain proxyware that can relay third-party traffic through the TV owner’s internet connection with users’ consent. The company said it scanned 6,038 apps across LG webOS and Samsung Tizen and found 2,058 that contain residential proxy software. This includes clocks, screensavers, games, fish tanks, and other low-utility apps. On LG webOS, 42.5% of apps carried such code. On Samsung Tizen, the rate was 26.9%. Across both platforms, it reached 34.1%. Bright Data, Massive, and Oxylabs take up the top three SDK providers for webOS and Tizen. “Smart TVs are almost ideal proxy hosts. They sit on the same home network as everything else, but they do not feel like computers, so people rarely audit them like computers,” Spur said. “There is no battery drain to notice, no cellular bill to spike, no app switcher full of suspicious background activity. A TV can stay plugged in, signed in, and online for years while the user thinks of it as furniture.” The threat intelligence firm said this dynamic also changes the consent equation, as users may not realize what it actually means to sell access to their residential IP address. “Technically, these applications are compliant with gaining consent based on how they inform the user,” Spur CTO Alastair Parr told The Hacker News. “However, there is often no verification that the user is either of age or authorized to provide consent on the device. The reality is that there are likely many smart TVs scattered across office spaces and residential homes, quietly part of these networks, without the responsible owners’ awareness or consent.” Amazon’s Device and System Abuse Policy explicitly bars apps that facilitate proxy services for third parties. Similar protections have been enabled by Roku as well. However, LG and Samsung are yet to enforce an equivalent policy.

An initial access broker (IAB) affiliated with Payouts King ransomware has been observed masquerading as IT personnel in social engineering attacks conducted via Microsoft Teams to deliver a malicious Microsoft Edge browser extension dubbed Edgecution. “The technique utilizes a malicious Microsoft Edge browser extension that exploits the Chrome native messaging protocol to interact with host-native applications beyond the confines of the browser sandbox,” Zscaler ThreatLabz said. “By abusing this interface, the attackers gain direct host access, enabling them to manipulate the local filesystem, launch processes, and execute arbitrary code on the compromised host.” The malware has two components: a Microsoft Edge browser extension named “Edge Monitoring Agent” that beacons to a command-and-control (C2) server and relays host-based commands to a Python-based backdoor, which can collect system information, enumerate running processes, provide filesystem access, and execute arbitrary Python code and shell commands. The extension will be invisible to a user as it’s loaded in a headless Microsoft Edge browser. A similar attack chain involving a Chromium-based extension codenamed SNOWBELT was detailed by Google-owned Mandiant in April 2026.

Competitive intelligence company Klue has revealed that a credential dating back to 2022, which was used as part of a limited pilot, was exploited by the Icarus extortionists to steal Salesforce data from its corporate customers, including several cybersecurity companies. In a statement shared with TechCrunch, the company said the credential was “originally provided to a third-party in 2022, for a limited pilot.” Klue did not share specifics about the purpose of the pilot, the duration for which it ran, or the identity of the third-party to whom the company gave the credentials. It’s also unclear why the credential wasn’t revoked immediately, assuming the pilot had concluded. Questions remain about how the attackers managed to acquire this legacy credential in the first place. A number of companies have come forward to confirm they have had limited Salesforce information stolen during the attack, including 8×8, BeyondTrust, Gong, Jamf, HackerOne, Insurity, LastPass, OneTrust, Pendo, Recorded Future, Snyk, Sprout Social, and Tanium.

NCC Group said it has found growing evidence of nation-state actors increasingly leveraging tools and tactics traditionally associated with financially motivated cybercrime to disguise their espionage and intelligence-gathering operations, blurring the line between the two sets of activities. “Historically, organisations could draw a relatively clear distinction between ransomware attacks driven by financial gain and nation-state operations designed to support strategic objectives. That distinction is becoming increasingly difficult to make,” Matt Hull, VP of Cyber Intelligence and Response at NCC Group, said. “What we’re seeing is a convergence of criminal and state-backed activity. Threat actors are sharing infrastructure, adopting common tooling and, in some cases, deliberately operating behind established ransomware brands to obscure attribution and delay response efforts.”

Google said it’s expanding the existing “Super Admin password reset” alert into a broader Admin password reset alert in Alert Center. “Previously, this rule only triggered alerts when a super admin’s password was changed,” the company said. “With this update, the alert will now cover password resets for all administrator roles within your organization. This update provides admins with better visibility and control over the security of their organization’s privileged accounts. Monitoring password changes for all admin roles provides a higher level of oversight to respond more quickly to potential account compromises or unauthorized changes.” The change is applicable to all Google Workspace customers.

A new ClickFix campaign has been observed tricking users into copying malicious commands and pasting them to the Terminal app that silently downloads and mounts a malicious DMG file. The disk image file contains a self-signed information stealer that can harvest a user’s system password, data from web browsers, wallets, messaging apps, and Keychain, exfiltrate the data, set up LaunchAgent persistence, and tamper with Ledger Live and Trezor Suite installations by replacing legitimate components to hijack cryptocurrency wallet information. The stealer is assessed to belong to the Atomic macOS Stealer (AMOS) lineage, particularly a variant called Odyssey, per Palo Alto Networks Unit 42. The development comes as the cybersecurity company detailed another multi-step ClickFix attack that employs techniques like brandsquatting to deliver a cross-platform trojan with browser-credential stealing, remote shell, live screen streaming, keylogger, file manager, and SSH tunneling capabilities. 

Thalha Jubair, 20, from East London, and Owen Flowers, 18, from Walsall, have been convicted in the U.K. for orchestrating a cyber attack on Transport for London (TfL) in 2024, costing $38.2 million in losses. The two defendants, who were members of the online criminal collective known as Scattered Spider, were arrested last September but pleaded not guilty to their crimes during a court appearance in November 2025. They are now scheduled for sentencing on July 16, 2026. “Scattered Spider is a prolific criminal group that engages in data extortion and other criminal activities, utilizing social engineering techniques and SIM swap attacks, to obtain credentials, install remote access tools, and/or bypass multi-factor authentication,” the U.S. Federal Bureau of Investigation (FBI) said.

Abdellah Belmili (aka Dila Belmili or SPOX), a 26-year-old Algerian national, has been arrested, charged, and extradited from Spain to the U.S. on charges of conspiracy to commit bank fraud. SPOX is alleged to have acted as an administrator for a cybercrime marketplace (“www.market0day[.]com”) as well as created phishing kits that have been used to compromise major U.S. financial institutions. “Between September and November 2020, Belmili advertised the marketplace and facilitated some of the customer support for the marketplace on his personal Telegram channel @SpoxCoder,” the U.S. Justice Department said. “In late December 2020, after several customers complained that they had not received their purchases from www.market0day[.]com, Belmili replied that he was no longer the administrator, and instead had opened up a new marketplace – www.spoxy[.]us, advertising the new marketplace – www.spoxy.us,  advertising the new marketplace as a ‘new store for bulk SMS.’ ‘Bulk SMS’ typically refers to sending phishing or other fraudulent messages via text message.” Approximately 5,600 U.S. and international victims have been identified.

A new phishing campaign is abusing Outlook Groups and Microsoft 365 collaboration features to “make malicious activity appear routine,” Fortra said. The attack involves adding targets to an attacker-controlled Microsoft 365 group and then using the group mailbox, shared files, or fake calendar invites (aka CalPhishing) to facilitate credential theft, token capture, or malware delivery. “The technique shifts malicious intent away from a single phishing email into a trusted productivity workflow,” the company said. “A user may see what looks like a normal group addition, internal update, shared resource, or calendar item before being pushed toward an action.” 

A new analysis from Sophos has revealed that AI has emerged as a hot button topic in underground communities, as threat actors debate its potential for malware and tool development, while some express concerns about the technology reducing work opportunities. This includes posts selling API keys for generative AI tools, advertising solutions that can enhance social engineering, AI-enabled malware (e.g., ApexAI, Metatron, and PolyEngine), discussing jailbreaks for public AI models to bypass censorship and other safeguards using techniques like role-play framing, multi-stage prompting, and contextual manipulation, and offers to hire or partner with prompt engineers. Threat actors have also discussed the use of public AI assistants for intrusion activity, as well as marketed a tool called Leak Bazaar that claims to use AI to triage and sift through mountains of stolen data before it can be packaged and exchanged with other threat actors. Not all have embraced AI with open arms, however, with some outlining skepticism and worries about how the rise of AI could “reshape roles, pricing, and competitive advantage within the cybercrime economy.”

Censys has uncovered just over 8,500 REDCap instances globally as of June 16, 2026, with most of them located in the U.S., the U.K., Germany, and Australia. REDCap, short for Research Electronic Data Capture, is a web application used by research institutions globally to hold clinical trial data, participant records, and other sensitive research information. Last week, Google Threat Intelligence Group (GTIG) attributed a year-plus espionage campaign against North American academic, medical, and military research institutions to UNC6508, a China-nexus actor. The intrusion set leveraged internet-facing REDCap servers as an initial access vector to deploy a backdoor called INFINITERED to exfiltrate sensitive data. Exactly how these servers are hacked is unconfirmed. The earliest known compromise dates to September 2023.

A report from Human Rights Watch has revealed that a Bulgaria-based surveillance technology firm named Circles sold its tools to countries that were likely to use them for repression or to commit serious human rights violations. Documents describe licenses for exports of Circles’ technology to Azerbaijan, Bahrain, Brazil, Dominican Republic, El Salvador, Ghana, Guatemala, Israel, Jordan, Malaysia, Mexico, Morocco, Panama, Serbia, and the U.A.E. Clients included intelligence services, military and police bodies, regional governments, and private companies, Human Rights Watch said. That said, it’s currently not known whether the technology was actually exported. “Nonetheless, issuing the licenses demonstrates a major flaw in how individual governments implement E.U. export controls for surveillance technology,” the non-profit said. “The controls are intended to limit exports of surveillance technology to destinations where there is a likelihood it could be used to violate rights, and to provide transparency about what exports take place.”

A campaign that impersonates popular software brand names has leveraged the Browser-in-the-Browser (BitB) technique to distribute malicious payloads by means of a reusable phishing kit. It makes use of a draggable pop-up with a spoofed URL to serve a fake software update warning. “The campaign uses social engineering to trick victims into downloading and manually executing a malicious installer (e.g., an .exe payload),” Unit 42 said. “The pages simulate a stalled document load and present an ‘out of date’ software error.” Earlier this month, Unit 42 disclosed details of a second BitB campaign involving at least 10 unique domains that was used to steal Microsoft 365 credentials using a draggable, OS/browser-fingerprinted pop-up with a spoofed OAuth URL. In this attack, victims who click a Microsoft sign-in button are presented with what appears to be a standard login page designed to harvest credentials.