[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fnd1EjKkCIsIvFZHnqTmlmyQPZJNkrZ2IUmjhmKtJndo":3},{"article":4,"iocs":57},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":34,"category":35,"article_tags":39},"c3c00a56-9c63-40e2-88e8-8a77faf0eb19","ThreatsDay Bulletin: Worm Code Leaked, AI Agent Phished, Claude Action Patch + 28 New Stories","threatsday-bulletin-worm-code-leaked-ai-agent-phished-claude-action-patch-28-new-a22c3f","It's been one of those weeks. You expect the usual noise: recycled malware, sloppy attacks, another easy target getting hit. Instead, there's a supply chain attack kit in a public repo, a $5,000-a-month RAT that clones browsers, and research showing AI agents can be tricked into leaking real credentials. The bigger problem is how polished this all looks now. Mule networks run like SaaS.","This bulletin covers a range of recent cyber threats, including a supply chain attack kit found in a public repository and research showing AI agents can be tricked into revealing credentials. It also highlights the prevalence of infostealers, with over 3.3 billion stolen credentials exposed, and details a new MaaS RAT called SilabRAT focused on financial gain. Additionally, North Korean threat actors are noted for nearly half of all state-sponsored intrusions into the tech sector, and the U.S. has seized 13 domains linked to alleged Chinese intelligence collection.","Worm code leaked, AI agents phished, and 28 other security stories.","ThreatsDay Bulletin: Worm Code Leaked, AI Agent Phished, Claude Action Patch + 28 New Stories Ravie LakshmananJun 11, 2026Hacking News \u002F Cybersecurity News It's been one of those weeks. You expect the usual noise: recycled malware, sloppy attacks, another easy target getting hit. Instead, there's a supply chain attack kit in a public repo, a $5,000-a-month RAT that clones browsers, and research showing AI agents can be tricked into leaking real credentials. The bigger problem is how polished this all looks now. Mule networks run like SaaS. Deepfake KYC bypass is sold as a feature. Endpoint tools can be quietly weakened using built-in OS settings, with no exploit needed. Here's the full list of threats, tools, flaws, and updates worth knowing. 3.3B identity records exposed How Infostealers Fuel Identity-Based Attacks A new analysis from Flashpoint has revealed that \"more than 11.1 million devices were infected with infostealers last year, fueling a supply of over 3.3 billion stolen credentials, session cookies, cloud tokens, and other forms of identity data now circulating across illicit markets.\" There are over 30 unique infostealer strains actively listed for sale across illicit marketplaces, forums, and underground communities, indicating the \"scale and accessibility of the modern malware-as-a-service ecosystem.\" Lumma, Acreed, Rhadamanthys, Vidar, and StealC were the most prolific stealers in 2025. India, Brazil, Indonesia, Vietnam, the Philippines, and the U.S. were the top six countries affected by stealer malware during the same period. MaaS RAT targets credentials New SilabRAT Spotted A threat actor named \"o1oo1\" has advertised an advanced remote access trojan (RAT) named SilabRAT that's sold under a malware-as-a-service (MaaS) model for $5,000 a month on darknet forums since September 2025. \"SilabRAT is heavily focused on financial gain through credential theft,\" Group-IB said. \"It offers stability and is capable of bypassing existing security measures.\" Delivered via ClickFix campaigns using Hijack Loader, the malware uses Hidden Virtual Network Computing (HVNC) to facilitate remote control capabilities, employs techniques like Browser Profile Cloning to replicate a user's browser profile (user agent, extensions, storage, and other fingerprinting attributes) to the attacker's system, and can identify wallet addresses or extract cryptocurrency-related artifacts. The Russian-speaking malware developer and vendor, \"o1oo1,\" has been active since late 2020, previously launching a service called AsmCrypt. 47% of tech intrusions North Korean Hackers Behind Nearly 50% of Tech Industry Hacks CrowdStrike has revealed that a North Korean threat actor known as Famous Chollima, which is behind the long-running IT worker and Contagious Interview campaign, accounted for 47% of all state-sponsored hands-on-keyboard operations against the tech sector between April 2025 and March 2026. Hands-on intrusions refer to cyber attacks in which a human operator controls and interacts with a system rather than relying solely on malware. \"In their IT worker infiltration campaigns, they sought fraudulent employment at tech companies across North America, Europe, and Asia,\" the cybersecurity company said. 13 domains seized U.S. Takes Down 13 Domains Linked to Alleged Chinese Intelligence Collection The U.S. Department of Justice has announced the seizure of 13 internet domains masquerading as consulting companies used to target U.S. persons, including current and former security clearance holders with access to classified and sensitive U.S. government information. \"These domain seizures offer a glimpse at how foreign actors can use promises of easy money to lure Americans into revealing sensitive or classified information that they are duty-bound to protect,\" said Assistant Attorney General for National Security John A. Eisenberg. \"Anyone approached online with offers of easy income for vague 'consulting' work should treat those overtures with extreme caution and remain vigilant for warning signs of malicious targeting.\" These sham companies advertised generic consulting or analyst jobs on platforms like Upwork, Expertia AI, Hubstaff Talent, Wellfound, and Post Job Free that sought to recruit current or former U.S. government and U.S. military employees to lend their expertise to unspecified clients. The recruiters then pressured candidates to part with confidential information and reports from \"insider\" sources in exchange for cryptocurrency payments. The announcement comes after the Five Eyes intelligence alliance countries warned of China aggressively using job platforms to target people for information. In a statement shared with Reuters, the Chinese Embassy in Washington condemned the allegations and called them fabricated. Supply-chain toolkit exposed Miasma Toolkit Leaks Briefly The Miasma credential-stealing attack framework was briefly made available for free on GitHub, after multiple repositories with the name \"Miasma-Open-Source-Release\" began appearing since June 8, 2026. According to SafeDep, the source code has been published through compromised developer accounts. \"The Miasma codebase appears to be larger than a supply chain worm,\" SafeDep said. \"It is a full supply chain attack toolkit that allows the operator to execute various attacks via stolen credentials against arbitrary or targeted packages on public registries (PyPI, npm, RubyGems), JFrog Artifactory, GitHub repositories and GitHub Actions, AI coding tools config poisoning, SSH-based lateral movement, and other attack vectors.\" As opposed to relying on conventional command-and-control (C2) infrastructure, the malware employs three independent C2 channels using GitHub commit search, each with a different search string and crypto key: \"DontRevokeOrItGoesBoom\" to discover attacker-controlled personal access tokens (PATs) for data exfiltration, \"TheBeautifulSandsOfTime\" to deliver JavaScript, and \"firedalazer\" to deliver Python script URLs that act as a remote code execution backdoor. Miasma is assessed to be a variant of the Shai-Hulud worm. The campaign has since morphed into a Python variant called Hades, which represents the latest evolution of the sustained software supply chain campaign. As of last week, a total of 304 components have been impacted by Miasma. Search uploads retained Google Announces Changes to Search Settings Google has revealed that it intends to save the images, files, audio, and video users upload to Search under a new \"Search Services History\" setting. This can include images, files, and audio\u002Fvideo recordings, such as Google Lens images, content you upload, and recordings from Search Live, Translate speaking practice, and voice searches, per Google. The tech giant said the Search Services History setting will be used to \"provide, develop, and improve its services,\" including its AI models, as well as offer personalized suggestions and ads if the new \"Personalized Recommendations\" option is switched on. These two settings are separate from Google's Web & App Activity. Cross-platform RAT emerges New Cross-Platform RAT SStar Agent Emerges Iru has analyzed a new cross-platform RAT called SStar Agent that's designed for both Windows and macOS systems. \"The macOS builds are heavily instrumented surveillance tools focused on recon and exfiltration, while the Windows build layers on a keyboard hook, clipboard monitor, and remote mouse\u002Fkeyboard control,\" the company said. \"Notably, the malware includes a large POST request via endpoint \u002Fapi\u002Ftelemetry\u002Freport that constantly monitors and exfiltrates the entire directory tree to monitor files of interest. The gap between the Windows and macOS versions indicates this is still a work in progress.\" The malware is delivered by means of a poisoned npm package named \"tw-style-utils.\" The lure is a bogus Web3 engineering take-home assessment, a GitHub repository (\"star45674\u002Fsmart-contract-engineer-role\") that's likely distributed to targe","https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fthreatsday-bulletin-worm-code-leaked-ai.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEjwRILGY9KcqTFlus6q7_YKlkzrx_LNXb7KS96PijLOM63YqrZIcvxXaf9j0i-sJhst_yL59b7pq32rwcHSSByX7dzVRXSv_dRnrAYqn0Hpps_G7odqCYu8BEonGPMlUkCAz-d0q2No-ojqaZou-b06UwZxzq0oV5CthkgjmTdTBU1JEkWRLV28PwRR5UW7\u002Fs1600\u002Ftt.png","2026-06-11T13:20:41+00:00","2026-06-11T14:00:13.217484+00:00",8,[18,21,24,26,29,32],{"name":19,"type":20},"Famous Chollima","threat_actor",{"name":22,"type":23},"IT worker","campaign",{"name":25,"type":23},"Contagious Interview",{"name":27,"type":28},"SilabRAT","product",{"name":30,"type":31},"Group-IB","vendor",{"name":33,"type":31},"Flashpoint","e7b231c8-5f79-4465-8d38-1ef13aea5a14",{"id":34,"icon":36,"name":37,"slug":38},null,"Threat Intelligence","threat-intelligence",[40,45,50,55],{"category":41},{"id":42,"icon":36,"name":43,"slug":44},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":46},{"id":47,"icon":36,"name":48,"slug":49},"6cbdd207-aaa1-4176-9534-e156b125e917","Nation-state","nation-state",{"category":51},{"id":52,"icon":36,"name":53,"slug":54},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":56},{"id":34,"icon":36,"name":37,"slug":38},[58,60,63,65,67,69,71,74],{"type":54,"value":27,"context":59},"Advanced remote access trojan (RAT) sold as malware-as-a-service.",{"type":54,"value":61,"context":62},"Lumma","Prolific infostealer strain.",{"type":54,"value":64,"context":62},"Acreed",{"type":54,"value":66,"context":62},"Rhadamanthys",{"type":54,"value":68,"context":62},"Vidar",{"type":54,"value":70,"context":62},"StealC",{"type":54,"value":72,"context":73},"Hijack Loader","Loader used in ClickFix campaigns to deliver SilabRAT.",{"type":54,"value":75,"context":76},"AsmCrypt","Previous service launched by SilabRAT developer 'o1oo1'."]